ljr/livejournal/cgi-bin/LJ/LDAP.pm

#!/usr/bin/perl
#

package LJ::LDAP;

use strict;
use Net::LDAP;
use Digest::MD5 qw(md5);
use Digest::SHA1 qw(sha1);
use MIME::Base64;

sub load_ldap_user {
    my ($user) = @_;
    return undef unless $user =~ /^[\w ]+$/;

    my $ldap = Net::LDAP->new($LJ::LDAP_HOST)
        or return undef;
    my $mesg = $ldap->bind;    # an anonymous bind

    my $uid = $LJ::LDAP_UID || "uid";

    my $urec = $ldap->search( # perform a search
                              base   => $LJ::LDAP_BASE,
                              scope  => "sub",
                              filter => "$uid=$user",
                              #filter => "(&(sn=Barr) (o=Texas Instruments))"
                              )->pop_entry
                              or return undef;

    my $up = $urec->get_value('userPassword')
        or return undef;

    my ($nick, $email) = ($urec->get_value('gecos'), $urec->get_value('mailLocalAddress'));
    unless ($nick && $email) {
        $@ = "Necessary information not found in LDAP record: name=$nick; email=$email";
        return undef;
    }

    # $res comes out as...?
    my $res = {
        name => $user,
        nick => $nick,
        email => $email,
        ldap_pass => $up,
    };

    return $res;
}

sub is_good_ldap
{
    my ($user, $pass) = @_;
    my $lrec = load_ldap_user($user)
        or return undef;

    # get auth type and data, then decode it
    return undef unless $lrec->{ldap_pass} =~ /^\{(\w+)\}(.+)$/;
    my ($auth, $data) = ($1, decode_base64($2));

    if ($auth eq 'MD5') {
        unless ($data eq md5($pass)) {
            $@ = "Password mismatch (MD5) from LDAP server; is your password correct?";
            return undef;
        }
    } elsif ($auth eq 'SSHA') {
        my $salt = substr($data, 20);
        my $orig = substr($data, 0, 20);
        unless ($orig eq sha1($pass, $salt)) {
            $@ = "Password mismatch (SSHA) from LDAP server; is your password correct?";
            return undef;
        }

    } elsif ($auth eq 'SMD5') {
        # this didn't work
        my $salt = substr($data, 16);
        my $orig = substr($data, 0, 16);
        unless ($orig eq md5($pass, $salt)) {
            $@ = "Password mismatch (SMD5) from LDAP server; is your password correct?";
            return undef;
        }

    } else {
        print STDERR "Unsupported LDAP auth method: $auth\n";
        $@ = "userPassword field from LDAP server not of supported format; type: $auth"
;
        return undef;
    }

    return $lrec;
}


1;
init 2019-02-05 21:49:12 +00:00			`#!/usr/bin/perl`
			`#`

			`package LJ::LDAP;`

			`use strict;`
			`use Net::LDAP;`
			`use Digest::MD5 qw(md5);`
			`use Digest::SHA1 qw(sha1);`
			`use MIME::Base64;`

			`sub load_ldap_user {`
			`my ($user) = @_;`
			`return undef unless $user =~ /^[\w ]+$/;`

			`my $ldap = Net::LDAP->new($LJ::LDAP_HOST)`
			`or return undef;`
			`my $mesg = $ldap->bind; # an anonymous bind`

			`my $uid = $LJ::LDAP_UID \|\| "uid";`

			`my $urec = $ldap->search( # perform a search`
			`base => $LJ::LDAP_BASE,`
			`scope => "sub",`
			`filter => "$uid=$user",`
			`#filter => "(&(sn=Barr) (o=Texas Instruments))"`
			`)->pop_entry`
			`or return undef;`

			`my $up = $urec->get_value('userPassword')`
			`or return undef;`

			`my ($nick, $email) = ($urec->get_value('gecos'), $urec->get_value('mailLocalAddress'));`
			`unless ($nick && $email) {`
			`$@ = "Necessary information not found in LDAP record: name=$nick; email=$email";`
			`return undef;`
			`}`

			`# $res comes out as...?`
			`my $res = {`
			`name => $user,`
			`nick => $nick,`
			`email => $email,`
			`ldap_pass => $up,`
			`};`

			`return $res;`
			`}`

			`sub is_good_ldap`
			`{`
			`my ($user, $pass) = @_;`
			`my $lrec = load_ldap_user($user)`
			`or return undef;`

			`# get auth type and data, then decode it`
			`return undef unless $lrec->{ldap_pass} =~ /^\{(\w+)\}(.+)$/;`
			`my ($auth, $data) = ($1, decode_base64($2));`

			`if ($auth eq 'MD5') {`
			`unless ($data eq md5($pass)) {`
			`$@ = "Password mismatch (MD5) from LDAP server; is your password correct?";`
			`return undef;`
			`}`
			`} elsif ($auth eq 'SSHA') {`
			`my $salt = substr($data, 20);`
			`my $orig = substr($data, 0, 20);`
			`unless ($orig eq sha1($pass, $salt)) {`
			`$@ = "Password mismatch (SSHA) from LDAP server; is your password correct?";`
			`return undef;`
			`}`

			`} elsif ($auth eq 'SMD5') {`
			`# this didn't work`
			`my $salt = substr($data, 16);`
			`my $orig = substr($data, 0, 16);`
			`unless ($orig eq md5($pass, $salt)) {`
			`$@ = "Password mismatch (SMD5) from LDAP server; is your password correct?";`
			`return undef;`
			`}`

			`} else {`
			`print STDERR "Unsupported LDAP auth method: $auth\n";`
			`$@ = "userPassword field from LDAP server not of supported format; type: $auth"`
			`;`
			`return undef;`
			`}`

			`return $lrec;`
			`}`


			`1;`