
LDAP sambaNTPassword not set by password change

Open klodner opened this issue 1 year ago • 2 comments

This plugin does not handle the LDAP Samba extensions when they are used by the LDAP server (which is often the case).

So I had to modify the code of the plugin to this to make it work:


```php
public function setPassword($uid, $password) {
    // Salt for SHA-512 crypt ($6$): up to 16 characters from [./0-9A-Za-z].
    // random_int() is used instead of rand(), which is not a CSPRNG.
    $possible = '0123456789'.
        'abcdefghijklmnopqrstuvwxyz'.
        'ABCDEFGHIJKLMNOPQRSTUVWXYZ'.
        './';
    $salt = '';
    $userdata = array();
    while (strlen($salt) < 16) {
        $salt .= $possible[random_int(0, strlen($possible) - 1)];
    }
    // NT hash: MD4 over the password converted from UTF-8 to UTF-16 (little endian)
    $MD4Hash = hash('md4', iconv('UTF-8', 'UTF-16LE', $password));
    // Make it uppercase; not necessary, but it's common to do so with NTLM hashes
    $NTLMHash = strtoupper($MD4Hash);
    $now = time();

    try {
        $cr = $this->ldapProvider->getLDAPConnection($uid);
        $userDN = $this->getUserDN($uid);

        // TODO: check if LDAP contains sambaNTPassword
        //$object = ldap_get_attributes($ldap, $entry);
        //  if (isset($object['sambaNTPassword'])){

        $userdata['userPassword'] = '{CRYPT}'.crypt($password, '$6$'.$salt.'$');
        $userdata['sambaNTPassword'] = $NTLMHash;
        $userdata['sambaPwdLastSet'] = "$now";
        return ldap_modify($cr, $userDN, $userdata) !== false;
    } catch (\Exception $e) {
        $this->logger->error($e->getMessage(), ['exception' => $e, 'app' => Application::APP_ID]);
    }
    return false;
}
```


klodner avatar Mar 22 '24 10:03 klodner
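The following is an added, stand-alone example (not code from the ldap_write_support app or from the poster) of the two hashes the modification above writes, plus the objectClass check the TODO in it leaves open: sambaNTPassword and sambaPwdLastSet belong to the sambaSamAccount objectClass, so sending them to an entry without that class fails with an objectClass violation. Function names (ntHash, sha512CryptHash, verifyCryptValue, buildPasswordModification, attributeValues) are hypothetical, and the entry array at the bottom is constructed to mimic ldap_get_attributes() output.

```php
<?php
declare(strict_types=1);

// Added example, not the ldap_write_support app's code. All function names
// are hypothetical; the LDAP entry at the bottom is constructed test data.

/** NT hash as stored in sambaNTPassword: MD4 over UTF-16LE, hex, upper case. */
function ntHash(string $password): string
{
    $utf16 = iconv('UTF-8', 'UTF-16LE', $password);
    return strtoupper(hash('md4', $utf16));
}

/** {CRYPT} value for userPassword: SHA-512 crypt ($6$) with a 16-char CSPRNG salt. */
function sha512CryptHash(string $password): string
{
    $alphabet = './0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $salt = '';
    foreach (str_split(random_bytes(16)) as $byte) {
        $salt .= $alphabet[ord($byte) % 64];   // 256 % 64 == 0, so no modulo bias
    }
    $hash = crypt($password, '$6$' . $salt . '$');
    if (strlen($hash) < 13) {                  // crypt() returns a short string on failure
        throw new RuntimeException('SHA-512 crypt is not available on this system');
    }
    return '{CRYPT}' . $hash;
}

/** Constant-time check of a password against a {CRYPT} userPassword value. */
function verifyCryptValue(string $password, string $stored): bool
{
    if (strncasecmp($stored, '{CRYPT}', 7) !== 0) {
        return false;
    }
    $hash = substr($stored, 7);
    return hash_equals($hash, crypt($password, $hash));
}

/** Values of one attribute from an ldap_get_attributes() array (case-insensitive key, 'count' dropped). */
function attributeValues(array $entry, string $name): array
{
    foreach ($entry as $key => $values) {
        if (is_string($key) && strcasecmp($key, $name) === 0 && is_array($values)) {
            return array_values(array_filter($values, 'is_string'));
        }
    }
    return [];
}

/**
 * Build the ldap_modify() payload. Samba attributes are added only when the
 * entry carries the sambaSamAccount objectClass, which is what defines them.
 */
function buildPasswordModification(string $password, array $entry, ?int $now = null): array
{
    $mod = ['userPassword' => sha512CryptHash($password)];
    $classes = array_map('strtolower', attributeValues($entry, 'objectClass'));
    if (in_array('sambasamaccount', $classes, true)) {
        $mod['sambaNTPassword'] = ntHash($password);
        $mod['sambaPwdLastSet'] = (string) ($now ?? time());
    }
    return $mod;
}

// Well-known NT hash of "password"; fail loudly rather than rely on assert().
if (ntHash('password') !== '8846F7EAEE8FB117AD06BDD830B7586C') {
    throw new RuntimeException('MD4/UTF-16LE NT hash does not match the known vector');
}

// Constructed entry in the shape ldap_get_attributes() returns.
$entry = [
    'count'       => 2,
    0             => 'objectClass',
    'objectClass' => ['count' => 3, 0 => 'inetOrgPerson', 1 => 'posixAccount', 2 => 'sambaSamAccount'],
    1             => 'uid',
    'uid'         => ['count' => 1, 0 => 'alice'],
];

$mod = buildPasswordModification('password', $entry, 1711101600);
if (!isset($mod['sambaNTPassword'], $mod['sambaPwdLastSet'])) {
    throw new RuntimeException('Samba attributes missing for a sambaSamAccount entry');
}
if (!verifyCryptValue('password', $mod['userPassword'])) {
    throw new RuntimeException('userPassword does not verify');
}
// A plain posixAccount entry gets only userPassword.
$plain = buildPasswordModification('password', ['objectClass' => ['count' => 1, 0 => 'posixAccount']]);
if (isset($plain['sambaNTPassword'])) {
    throw new RuntimeException('Samba attributes must not be sent to a non-Samba entry');
}
// In the plugin this array would be passed to ldap_modify($cr, $userDN, $mod).
echo json_encode($mod, JSON_PRETTY_PRINT), PHP_EOL;
```

The objectClass test is the practical replacement for the commented-out `isset($object['sambaNTPassword'])` idea: a freshly created Samba account may carry the class but not yet have an NT hash set, so keying on the attribute's presence would skip exactly the users who need it.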

I really would not encourage using NTLM; instead, Kerberos would be a safer authentication method. But nevertheless this would be a good follow-up on #536.

susnux avatar Mar 23 '24 22:03 susnux

I would like to have this fixed as well. Our Nextcloud users are not able to change their LDAP/Samba password via Nextcloud.

techadmin-localbit avatar Aug 20 '24 15:08 techadmin-localbit