public void Modify_DNNull() { Assert.ThrowsAsync <ArgumentNullException>(async() => { var mods = new LdapModification(LdapModificationOp.Replace, new LdapAttribute("ui")); await Connection.Modify(null, new[] { mods }); }); }
void UpdatePassword() { string ldapPwd = LDAPUtils.EncodeSSHA(passData.NewPassword); var pwdMod = new LdapModification(LdapModification.Replace, new LdapAttribute("userPassword", ldapPwd)); Startup.ldap.Connection.Modify(User.FindFirstValue(ClaimTypes.NameIdentifier), pwdMod); }
private static void ChangePasswordReplace(string newPassword, ILdapConnection ldap, string userDN) { // If you don't have the rights to Add and/or Delete the Attribute, you might have the right to change the password-attribute. // In this case uncomment the next 2 lines and comment the region 'Change Password by Delete/Add' var attribute = new LdapAttribute("userPassword", newPassword); var ldapReplace = new LdapModification(LdapModification.REPLACE, attribute); ldap.Modify(userDN, new[] { ldapReplace }); // Change with Replace }
private SignInResult ChangePassword(string uid, string newPassword) { using (var ldap = CreateLdap()) { LdapAttribute attr = new LdapAttribute("userPassword", ToMd5(newPassword)); LdapModification mod = new LdapModification(LdapModification.REPLACE, attr); ldap.Modify(string.Format("uid={0},{1}", uid, settings.Options.LdapPeopleOU), mod); } return(SignInResult.Success); }
private SignInResult ChangeMail(string uid, string newEmail) { using (var ldap = CreateLdap()) { LdapAttribute attr = new LdapAttribute("mail", newEmail); LdapModification mod = new LdapModification(LdapModification.REPLACE, attr); ldap.Modify(string.Format("uid={0},{1}", uid, settings.Options.LdapPeopleOU), mod); } return(SignInResult.Success); }
/// <summary> /// change the password /// </summary> /// <param name="dn">sn for which change is to be done</param> /// <param name="password">password</param> /// <returns>true if changed successfully</returns> public bool ChangePassword(string dn, string password) { // TODO: Modify this to support Active Directory. LdapAttribute attribute = new LdapAttribute("userPassword", password); LdapModification modification = new LdapModification(LdapModification.REPLACE, attribute); connection.Modify(dn, modification); return(true); }
public static bool _AddUserToGroup(LdapConnection conn, System.String userdn, System.String groupdn) { // modifications for group and user LdapModification[] modGroup = new LdapModification[2]; LdapModification[] modUser = new LdapModification[2]; // Add modifications to modUser LdapAttribute membership = new LdapAttribute("groupMembership", groupdn); modUser[0] = new LdapModification(LdapModification.ADD, membership); LdapAttribute security = new LdapAttribute("securityEquals", groupdn); modUser[1] = new LdapModification(LdapModification.ADD, security); // Add modifications to modGroup LdapAttribute member = new LdapAttribute("uniqueMember", userdn); modGroup[0] = new LdapModification(LdapModification.ADD, member); LdapAttribute equivalent = new LdapAttribute("equivalentToMe", userdn); modGroup[1] = new LdapModification(LdapModification.ADD, equivalent); try { // Modify the user's attributes conn.Modify(userdn, modUser); System.Console.Out.WriteLine("Modified the user's attribute."); } catch (LdapException e) { System.Console.Out.WriteLine("Failed to modify user's attributes: " + e.LdapErrorMessage); return(false); } try { // Modify the group's attributes conn.Modify(groupdn, modGroup); System.Console.Out.WriteLine("Modified the group's attribute."); } catch (LdapException e) { System.Console.Out.WriteLine("Failed to modify group's attributes: " + e.LdapErrorMessage); doCleanup(conn, userdn, groupdn); return(false); } catch (Exception e) { Console.WriteLine("Error:" + e.Message); return(false); } return(true); }
private static void ChangePasswordDelAdd(string currentPassword, string newPassword, ILdapConnection ldap, string userDN) { var oldPassBytes = Encoding.Unicode.GetBytes($@"""{currentPassword}"""); var newPassBytes = Encoding.Unicode.GetBytes($@"""{newPassword}"""); var oldAttr = new LdapAttribute("unicodePwd", oldPassBytes); var newAttr = new LdapAttribute("unicodePwd", newPassBytes); var ldapDel = new LdapModification(LdapModification.Delete, oldAttr); var ldapAdd = new LdapModification(LdapModification.Add, newAttr); ldap.Modify(userDN, new[] { ldapDel, ldapAdd }); // Change with Delete/Add }
public async Task Modify_OfNotExistingEntry_ShouldThrowNoSuchObject() { var ldapEntry = LdapEntryHelper.NewLdapEntry(); var ldapException = await Assert.ThrowsAsync <LdapException>( () => TestHelper.WithAuthenticatedLdapConnectionAsync(async ldapConnection => { var newAttribute = new LdapAttribute("givenName", "blah"); var modification = new LdapModification(LdapModification.Replace, newAttribute); await ldapConnection.ModifyAsync(ldapEntry.Dn, modification); })); Assert.Equal(LdapException.NoSuchObject, ldapException.ResultCode); }
public void Modify_OfNotExistingEntry_ShouldThrowNoSuchObject() { var ldapEntry = LdapEntryHelper.NewLdapEntry(); var ldapException = Assert.Throws <LdapException>( () => TestHelper.WithAuthenticatedLdapConnection(ldapConnection => { var newAttribute = new LdapAttribute("givenName", "blah"); var modification = new LdapModification(LdapModification.REPLACE, newAttribute); ldapConnection.Modify(ldapEntry.DN, modification); }) ); Assert.Equal(LdapException.NO_SUCH_OBJECT, ldapException.ResultCode); }
static void MainTest(string[] args) { if (args.Length != 5) { Console.WriteLine("Usage: mono ModifyEntry <host name> <ldap port> <login dn>" + " <password> <Modify dn>"); Console.WriteLine("Example: mono ModifyEntry Acme.com 389" + " \"cn=admin,o=Acme\"" + " secret \"cn=ksmith,o=Acme\""); return; } string ldapHost = args[0]; int ldapPort = System.Convert.ToInt32(args[1]); String loginDN = args[2]; String password = args[3]; String dn = args[4]; try { Console.WriteLine("Connecting to:" + ldapHost); LdapConnection conn = new LdapConnection(); ArrayList modList = new ArrayList(); String desc = "This object belongs to test user"; // Add a new value to the description attribute LdapAttribute attribute = new LdapAttribute("description", desc); modList.Add(new LdapModification(LdapModification.ADD, attribute)); String email = "*****@*****.**"; attribute = new LdapAttribute("mail", email); modList.Add(new LdapModification(LdapModification.REPLACE, attribute)); LdapModification[] mods = new LdapModification[modList.Count]; mods = (LdapModification[])modList.ToArray(typeof(LdapModification)); conn.Connect(ldapHost, ldapPort); conn.Bind(loginDN, password); conn.Modify(dn, mods); Console.WriteLine(" Entry: " + dn + "Modified Successfully"); conn.Disconnect(); } catch (LdapException e) { Console.WriteLine("Error:" + e.LdapErrorMessage); return; } catch (Exception e) { Console.WriteLine("Error:" + e.Message); return; } }
public void AddNewAttribute_ToExistingEntry_ShouldWork() { var existingEntry = LdapOps.AddEntry(); var value = Guid.NewGuid().ToString(); const string attrName = "description"; TestHelper.WithAuthenticatedLdapConnection(ldapConnection => { var newAttribute = new LdapAttribute(attrName, value); var modification = new LdapModification(LdapModification.ADD, newAttribute); ldapConnection.Modify(existingEntry.DN, modification); }); var modifiedEntry = LdapOps.GetEntry(existingEntry.DN); Assert.Equal(value, modifiedEntry.getAttribute(attrName).StringValue); }
public void ModifyAttributeValue_OfExistingEntry_ShouldWork() { var existingEntry = LdapOps.AddEntry(); var value = Guid.NewGuid().ToString(); const string attrName = "givenName"; TestHelper.WithAuthenticatedLdapConnection(ldapConnection => { var modifiedAttribute = new LdapAttribute(attrName, value); var modification = new LdapModification(LdapModification.Replace, modifiedAttribute); ldapConnection.Modify(existingEntry.Dn, modification); }); var modifiedEntry = LdapOps.GetEntry(existingEntry.Dn); Assert.Equal(value, modifiedEntry.GetAttribute(attrName).StringValue); }
public void OnOkClicked(object o, EventArgs args) { Connection conn = GetCurrentConnection(); LdapEntry[] sr = conn.Data.Search(conn.DirectoryRoot, searchEntry.Text); foreach (object[] row in modListStore) { string _action = (string)row[0]; string _name = (string)row[1]; string _value = (string)row[2]; LdapAttribute a = new LdapAttribute(_name, _value); LdapModification m = null; switch (_action.ToLower()) { case "add": m = new LdapModification(LdapModification.ADD, a); break; case "delete": m = new LdapModification(LdapModification.DELETE, a); break; case "replace": m = new LdapModification(LdapModification.REPLACE, a); break; default: break; } if (m != null) { _modList.Add(m); } } foreach (LdapEntry e in sr) { Util.ModifyEntry(conn, e.DN, _modList.ToArray()); } massEditDialog.HideAll(); }
public void ModifyPassword_OfExistingEntry_ShouldWork() { var existingEntry = LdapOps.AddEntry(); var newPassword = "******" + new Random().Next(); TestHelper.WithAuthenticatedLdapConnection(ldapConnection => { var newAttribute = new LdapAttribute("userPassword", newPassword); var modification = new LdapModification(LdapModification.Replace, newAttribute); ldapConnection.Modify(existingEntry.Dn, modification); }); TestHelper.WithLdapConnection( ldapConnection => { ldapConnection.Bind(existingEntry.Dn, newPassword); }); }
public async Task AddNewAttribute_ToExistingEntry_ShouldWork() { var existingEntry = await LdapOps.AddEntryAsync(); var value = Guid.NewGuid().ToString(); const string attrName = "description"; await TestHelper.WithAuthenticatedLdapConnectionAsync(async ldapConnection => { var newAttribute = new LdapAttribute(attrName, value); var modification = new LdapModification(LdapModification.Add, newAttribute); await ldapConnection.ModifyAsync(existingEntry.Dn, modification); }); var modifiedEntry = await LdapOps.GetEntryAsync(existingEntry.Dn); Assert.Equal(value, modifiedEntry.GetAttribute(attrName).StringValue); }
void updateGroupMembership() { LdapEntry groupEntry = null; LdapModification[] mods = new LdapModification [1]; foreach (string key in _memberOfGroups.Keys) { LdapAttribute attr = new LdapAttribute("memberUid", usernameEntry.Text); LdapModification lm = new LdapModification(LdapModification.ADD, attr); groupEntry = (LdapEntry)_allGroups[key]; mods[0] = lm; } modifyGroup(groupEntry, mods); }
static void MainTest(string[] args) { if (args.Length != 5) { Console.WriteLine("Usage: mono ModifyPass <host name> <ldap port> <login dn>" + " <old password> <new password>"); Console.WriteLine("Example: mono ModifyPass Acme.com 389" + " \"cn=tjhon,o=Acme\"" + " secret \"newpass\""); return; } string ldapHost = args[0]; int ldapPort = System.Convert.ToInt32(args[1]); String loginDN = args[2]; String opassword = args[3]; String npassword = args[4]; try { LdapConnection conn = new LdapConnection(); Console.WriteLine("Connecting to:" + ldapHost); conn.Connect(ldapHost, ldapPort); conn.Bind(loginDN, opassword); LdapModification[] modifications = new LdapModification[2]; LdapAttribute deletePassword = new LdapAttribute("userPassword", opassword); modifications[0] = new LdapModification(LdapModification.DELETE, deletePassword); LdapAttribute addPassword = new LdapAttribute("userPassword", npassword); modifications[1] = new LdapModification(LdapModification.ADD, addPassword); conn.Modify(loginDN, modifications); System.Console.Out.WriteLine("Your password has been modified."); conn.Disconnect(); } catch (LdapException e) { Console.WriteLine("Error:" + e.LdapErrorMessage); return; } catch (Exception e) { Console.WriteLine("Error:" + e.Message); return; } }
public async Task ModifyPassword_OfExistingEntry_ShouldWork() { var existingEntry = await LdapOps.AddEntryAsync(); var newPassword = "******" + new Random().Next(); await TestHelper.WithAuthenticatedLdapConnectionAsync(async ldapConnection => { var newAttribute = new LdapAttribute("userPassword", newPassword); var modification = new LdapModification(LdapModification.Replace, newAttribute); await ldapConnection.ModifyAsync(existingEntry.Dn, modification); }); await TestHelper.WithLdapConnectionAsync( async ldapConnection => { await ldapConnection.BindAsync(existingEntry.Dn, newPassword); }); }
private void SetAttribute(LdapEntry userEntry, string attr, string attrValue) { using (var ldapClient = new LdapConnection { SecureSocketLayer = _config.UseSsl }) { try { if (_config.SkipSslVerify) { ldapClient.UserDefinedServerCertValidationDelegate += LdapClient_UserDefinedServerCertValidationDelegate; } ldapClient.Connect(_config.LdapServer, _config.LdapPort); if (_config.UseStartTls) { ldapClient.StartTls(); } ldapClient.Bind(_config.LdapBindUser, _config.LdapBindPassword); } catch (Exception e) { _logger.LogError(e, "Failed to Connect or Bind to server"); throw new AuthenticationException("Failed to Connect or Bind to server"); } finally { ldapClient.UserDefinedServerCertValidationDelegate -= LdapClient_UserDefinedServerCertValidationDelegate; } var existingAttr = GetAttribute(userEntry, attr); var ldapModType = existingAttr == null ? LdapModification.Add : LdapModification.Replace; var modification = new LdapModification( ldapModType, new LdapAttribute(attr, attrValue ?? string.Empty) ); ldapClient.Modify(userEntry.Dn, modification); } }
/// <summary> /// Add a new LDAP user /// </summary> /// <param name="entry">OpenLdapUserEntry object</param> /// <returns>True(Success)/False(Fail)</returns> public async Task <bool> UpdateAsync(OpenLdapUserEntry entry) { Func <LdapConnection, bool> action = (ldapConn) => { var existEntry = this.FindAsync(entry.Uid).Result; if (existEntry != null) { var modifiedAttributes = new ArrayList(); // Iterate all properties and add to modifiedAttributes PropertyInfo[] props = typeof(OpenLdapUserEntry).GetProperties(); foreach (PropertyInfo prop in props) { var ldapAttr = Attribute.GetCustomAttributes(prop).FirstOrDefault(a => a.GetType().Equals(typeof(LdapAttrAttribute))) as LdapAttrAttribute; if (ldapAttr != null) { var name = ldapAttr.Name; var value = prop.GetValue(entry, null)?.ToString(); if (!string.IsNullOrEmpty(value)) { modifiedAttributes.Add(new LdapModification(LdapModification.REPLACE, new LdapAttribute(name, value))); } } } var ldapModification = new LdapModification[modifiedAttributes.Count]; ldapModification = (LdapModification[])modifiedAttributes.ToArray(typeof(LdapModification)); ldapConn.Modify(existEntry.DN, ldapModification); return(true); } else { return(false); } }; return(await this.ldapActionAsync(action)); }
/// <summary> /// Grant Read Rights to the LDAP User on the the LDAP Container /// </summary> /// <param name="userDN">The LDAP User DN</param> /// <param name="containerDN">The LDAP Container DN</param> public void GrantReadRights(string userDN, string containerDN) { if (DirectoryType.Equals(LdapDirectoryType.ActiveDirectory)) { // TODO: Modify this to support Active Directory } else if (DirectoryType.Equals(LdapDirectoryType.OpenLDAP)) { // TODO: Modify this to support OpenLDAP. } else if (DirectoryType.Equals(LdapDirectoryType.eDirectory)) { LdapAttribute attribute = new LdapAttribute("acl", new String[] { String.Format("1#subtree#{0}#[Entry Rights]", userDN), String.Format("3#subtree#{0}#[All Attributes Rights]", userDN) }); LdapModification modification = new LdapModification(LdapModification.ADD, attribute); connection.Modify(containerDN, modification); } }
public bool ChangePassword(string dn, string password) { LdapDirectoryType LdapType = QueryDirectoryType(); switch (LdapType) { case LdapDirectoryType.ActiveDirectory: { string quotedPassword = "******"" + password + "\""; char [] unicodePassword = quotedPassword.ToCharArray(); sbyte [] passwordArray = new sbyte[unicodePassword.Length * 2]; for (int i = 0; i < unicodePassword.Length; i++) { passwordArray[i * 2 + 1] = (sbyte)(unicodePassword[i] >> 8); passwordArray[i * 2 + 0] = (sbyte)(unicodePassword[i] & 0xff); } LdapAttribute attribute = new LdapAttribute("UnicodePwd", passwordArray); LdapModification modification = new LdapModification(LdapModification.REPLACE, attribute); connection.Modify(dn, modification); return(true); } case LdapDirectoryType.OpenLDAP: case LdapDirectoryType.eDirectory: deafult: { LdapAttribute attribute = new LdapAttribute("userPassword", password); LdapModification modification = new LdapModification(LdapModification.REPLACE, attribute); connection.Modify(dn, modification); return(true); } //return false; } return(false); }
/// <summary> /// Changes the users password (Requires privileged bind user). /// </summary> /// <param name="user">The user who's password will be changed.</param> /// <param name="newPassword">The new password to set.</param> /// <returns>Completed Task notification.</returns> /// <exception cref="NotImplementedException">Thrown if AllowPassChange set to false.</exception> /// <exception cref="InvalidOperationException">Thrown if LdapPasswordAttribute field is null or empty.</exception> public Task ChangePassword(User user, string newPassword) { if (!LdapPlugin.Instance.Configuration.AllowPassChange) { throw new NotImplementedException(); } if (string.IsNullOrEmpty(LdapPlugin.Instance.Configuration.LdapPasswordAttribute)) { throw new InvalidOperationException("Password attribute is not set"); } var passAttr = LdapPlugin.Instance.Configuration.LdapPasswordAttribute; var ldapUser = LocateLdapUser(user.Username); using var ldapClient = ConnectToLdap(); var ldapAttr = new LdapAttribute(passAttr, newPassword); var ldapMod = new LdapModification(LdapModification.Replace, ldapAttr); ldapClient.Modify(ldapUser.Dn, ldapMod); return(Task.CompletedTask); }
/// <summary> /// /// </summary> /// <param name="loginName"></param> /// <param name="groupDN"></param> /// <returns></returns> public static bool RemoveUserFromGroup(string loginName, string groupDN) { LdapEntry entry = GetUser(loginName); if (entry == null) { throw new Exception($"名为:{loginName} 的用户在AD中不存在"); } List <string> memberOf = entry.AttrStringValueArray("memberOf"); if (!memberOf.Contains(groupDN)) { throw new Exception($"名为:{loginName} 的用户不存在于组: {groupDN} 中"); } LdapModification[] modGroup = new LdapModification[1]; LdapAttribute member = new LdapAttribute("member", entry.DN); modGroup[0] = new LdapModification(LdapModification.DELETE, member); try { _connection.Modify(groupDN, modGroup); } catch (LdapException e) { System.Console.Error.WriteLine("Failed to delete group's attributes: " + e.LdapErrorMessage); return(false); } catch (Exception e) { Console.Error.WriteLine("RemoveUserFromGroup Error:" + e.Message); return(false); } return(true); }
void ChangePassword(LdapEntry entry, PasswordDialog pd) { List <LdapModification> mods = new List <LdapModification> (); LdapAttribute la; LdapModification lm; la = new LdapAttribute("userPassword", pd.UnixPassword); lm = new LdapModification(LdapModification.REPLACE, la); mods.Add(lm); if (Util.CheckSamba(entry)) { la = new LdapAttribute("sambaLMPassword", pd.LMPassword); lm = new LdapModification(LdapModification.REPLACE, la); mods.Add(lm); la = new LdapAttribute("sambaNTPassword", pd.NTPassword); lm = new LdapModification(LdapModification.REPLACE, la); mods.Add(lm); } Util.ModifyEntry(conn, entry.DN, mods.ToArray()); }
public static void doCleanup(LdapConnection conn, System.String userdn, System.String groupdn) { // since we have modified the user's attributes and failed to // modify the group's attribute, we need to delete the modified // user's attribute values. // modifications for user LdapModification[] modUser = new LdapModification[2]; // Delete the groupdn from the user's attributes LdapAttribute membership = new LdapAttribute("groupMembership", groupdn); modUser[0] = new LdapModification(LdapModification.DELETE, membership); LdapAttribute security = new LdapAttribute("securityEquals", groupdn); modUser[1] = new LdapModification(LdapModification.DELETE, security); try { // Modify the user's attributes conn.Modify(userdn, modUser); System.Console.Out.WriteLine("Deleted the modified user's attribute values."); } catch (LdapException e) { System.Console.Out.WriteLine("Could not delete modified user's attributes: " + e.LdapErrorMessage); } catch (Exception e) { Console.WriteLine("Error:" + e.Message); return; } return; }
public ApiErrorItem PerformPasswordChange(string username, string currentPassword, string newPassword) { var cleanUsername = username; var atindex = cleanUsername.IndexOf("@"); if (atindex >= 0) { cleanUsername = cleanUsername.Substring(0, atindex); } // Must sanitize the username to eliminate the possibility of injection attacks: // * https://docs.microsoft.com/en-us/windows/desktop/adschema/a-samaccountname // * https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/bb726984(v=technet.10) var samInvalid = "\"/\\[]:;|=,+*?<>"; var miscInvalid = "\r\n\t"; var invalid = (samInvalid + miscInvalid).ToCharArray(); var invalidIndex = cleanUsername.IndexOfAny(invalid); if (invalidIndex >= 0) { var msg = "username contains one or more invalid characters"; _logger.LogWarning(msg); return(new ApiErrorItem { ErrorCode = ApiErrorCode.InvalidCredentials, FieldName = nameof(username), Message = msg, }); } // LDAP filters require escaping of some special chars: // * http://www.ldapexplorer.com/en/manual/109010000-ldap-filter-syntax.htm var escape = "()&|=><!*/\\".ToCharArray(); var escapeIndex = cleanUsername.IndexOfAny(escape); if (escapeIndex >= 0) { var buff = new StringBuilder(); var maxLen = cleanUsername.Length; var copyFrom = 0; while (escapeIndex >= 0) { buff.Append(cleanUsername.Substring(copyFrom, escapeIndex)); buff.Append(string.Format("\\{0:X}", (int)cleanUsername[escapeIndex])); copyFrom = escapeIndex + 1; escapeIndex = cleanUsername.IndexOfAny(escape, copyFrom); } if (copyFrom < maxLen) { buff.Append(cleanUsername.Substring(copyFrom)); } cleanUsername = buff.ToString(); _logger.LogWarning("had to clean username: [{0}] => [{1}]", username, cleanUsername); } // Based on: // * https://www.cs.bham.ac.uk/~smp/resources/ad-passwds/ // * https://support.microsoft.com/en-us/help/269190/how-to-change-a-windows-active-directory-and-lds-user-password-through // * https://ltb-project.org/documentation/self-service-password/latest/config_ldap#active_directory // * https://technet.microsoft.com/en-us/library/ff848710.aspx?f=255&MSPPError=-2147217396 using (var ldap = BindToLdap()) { // First find user DN by username (SAM Account Name) var searchConstraints = new LdapSearchConstraints( 0, 0, LdapSearchConstraints.DEREF_NEVER, 1000, true, 1, null, 10); var searchFilter = $"(sAMAccountName={cleanUsername})"; var search = ldap.Search( _options.LdapSearchBase, LdapConnection.SCOPE_SUB, searchFilter, new[] { "distinguishedName" }, false, searchConstraints); // We cannot use search.Count here -- apparently it does not // wait for the results to return before resolving the count // but fortunately hasMore seems to block until final result if (!search.hasMore()) { _logger.LogWarning("unable to find username: [{0}]", cleanUsername); if (_options.HideUserNotFound) { return(new ApiErrorItem { ErrorCode = ApiErrorCode.InvalidCredentials, FieldName = nameof(currentPassword), Message = "invalid credentials", }); } else { return(new ApiErrorItem { ErrorCode = ApiErrorCode.UserNotFound, FieldName = nameof(username), Message = "username could not be located", }); } } if (search.Count > 1) { _logger.LogWarning("found multiple with same username: [{0}]", cleanUsername); // Hopefully this should not ever happen if AD is preserving SAM Account Name // uniqueness constraint, but just in case, handling this corner case return(new ApiErrorItem { ErrorCode = ApiErrorCode.UserNotFound, FieldName = nameof(username), Message = "multiple matching user entries resolved", }); } var userDN = search.next().DN; var oldPassBytes = Encoding.Unicode.GetBytes($@"""{currentPassword}""") .Select(x => (sbyte)x).ToArray(); var newPassBytes = Encoding.Unicode.GetBytes($@"""{newPassword}""") .Select(x => (sbyte)x).ToArray(); var oldAttr = new LdapAttribute("unicodePwd", oldPassBytes); var newAttr = new LdapAttribute("unicodePwd", newPassBytes); var ldapDel = new LdapModification(LdapModification.DELETE, oldAttr); var ldapAdd = new LdapModification(LdapModification.ADD, newAttr); try { ldap.Modify(userDN, new[] { ldapDel, ldapAdd }); } catch (LdapException ex) { _logger.LogWarning("failed to update password", ex); return(ParseLdapException(ex)); } ldap.StopTls(); ldap.Disconnect(); } // Everything seems to have worked: return(null); }
public ApiErrorItem PerformPasswordChange(string username, string currentPassword, string newPassword) { string cleanUsername = username; try { cleanUsername = CleaningUsername(username); } catch (ApiErrorException ex) { return(ex.ErrorItem); } catch (Exception ex) { return(new ApiErrorItem { ErrorCode = ApiErrorCode.UserNotFound, FieldName = nameof(username), Message = "Some error in cleaning username: "******"{Username}")) { searchFilter = searchFilter.Replace("{Username}", cleanUsername); } } catch (Exception ex) { string msg = "ldapSearchFilter could not be parsed. Be sure {Username} is included: " + ex.Message; _logger.LogCritical(msg); throw new ArgumentException(msg); } try { using (var ldap = BindToLdap()) { var search = ldap.Search( _options.LdapSearchBase, LdapConnection.SCOPE_SUB, searchFilter, new[] { "distinguishedName" }, false, searchConstraints); // We cannot use search.Count here -- apparently it does not // wait for the results to return before resolving the count // but fortunately hasMore seems to block until final result if (!search.hasMore()) { _logger.LogWarning("unable to find username: [{0}]", cleanUsername); if (_options.HideUserNotFound) { return(new ApiErrorItem { ErrorCode = ApiErrorCode.InvalidCredentials, FieldName = nameof(username), Message = "invalid credentials", }); } else { return(new ApiErrorItem { ErrorCode = ApiErrorCode.UserNotFound, FieldName = nameof(username), Message = "username could not be located", }); } } if (search.Count > 1) { _logger.LogWarning("found multiple with same username: [{0}]", cleanUsername); // Hopefully this should not ever happen if AD is preserving SAM Account Name // uniqueness constraint, but just in case, handling this corner case return(new ApiErrorItem { ErrorCode = ApiErrorCode.UserNotFound, FieldName = nameof(username), Message = "multiple matching user entries resolved", }); } var userDN = search.next().DN; try { if (_options.LdapChangePasswortWithDelAdd) { #region Change Password by Delete/Add var oldPassBytes = Encoding.Unicode.GetBytes($@"""{currentPassword}""") .Select(x => (sbyte)x).ToArray(); var newPassBytes = Encoding.Unicode.GetBytes($@"""{newPassword}""") .Select(x => (sbyte)x).ToArray(); var oldAttr = new LdapAttribute("unicodePwd", oldPassBytes); var newAttr = new LdapAttribute("unicodePwd", newPassBytes); var ldapDel = new LdapModification(LdapModification.DELETE, oldAttr); var ldapAdd = new LdapModification(LdapModification.ADD, newAttr); ldap.Modify(userDN, new[] { ldapDel, ldapAdd }); // Change with Delete/Add #endregion } else { #region Change Password by Replace // If you don't have the rights to Add and/or Delete the Attribute, you might have the right to change the password-attribute. // In this case uncomment the next 2 lines and comment the region 'Change Password by Delete/Add' var replAttr = new LdapAttribute("userPassword", newPassword); var ldapReplace = new LdapModification(LdapModification.REPLACE, replAttr); ldap.Modify(userDN, new[] { ldapReplace }); // Change with Replace #endregion } } catch (LdapException ex) { _logger.LogWarning("failed to update password", ex); return(ParseLdapException(ex)); } if (this._options.LdapStartTls) { ldap.StopTls(); } ldap.Disconnect(); } } catch (ApiErrorException ex) { return(ex.ErrorItem); } catch (Exception ex) { return(new ApiErrorItem { ErrorCode = ApiErrorCode.InvalidCredentials, FieldName = nameof(username), Message = "failed to update password: " + ex.Message, }); } // Everything seems to have worked: return(null); }
void OnApplyClicked(object o, EventArgs args) { List <LdapModification> modList = new List <LdapModification> (); NameValueCollection newAttributes = new NameValueCollection(); foreach (object[] row in this.store) { string newValue = row[1].ToString(); if (newValue == "" || newValue == null) { continue; } newAttributes.Add(row[0].ToString(), newValue); } foreach (string key in newAttributes.AllKeys) { string[] newValues = newAttributes.GetValues(key); string[] oldValues = currentAttributes.GetValues(key); LdapAttribute la = new LdapAttribute(key, newValues); if (oldValues == null) { LdapModification lm = new LdapModification(LdapModification.ADD, la); modList.Add(lm); } else { foreach (string nv in newValues) { bool foundMatch = false; foreach (string ov in oldValues) { if (ov == nv) { foundMatch = true; } } if (!foundMatch) { LdapModification lm = new LdapModification(LdapModification.REPLACE, la); modList.Add(lm); } } } } foreach (string key in currentAttributes.AllKeys) { string[] newValues = newAttributes.GetValues(key); if (newValues == null) { string[] oldValues = currentAttributes.GetValues(key); LdapAttribute la = new LdapAttribute(key, oldValues); LdapModification lm = new LdapModification(LdapModification.DELETE, la); modList.Add(lm); } else { LdapAttribute la = new LdapAttribute(key, newValues); LdapModification lm = new LdapModification(LdapModification.REPLACE, la); modList.Add(lm); } } Util.ModifyEntry(conn, currentDN, modList.ToArray()); }