Add LDAP attribute to indicate password change (#1156)

2025-09-08 13:04:26 +08:00 · 2025-02-09 15:02:38 +01:00 · 2025-02-09 15:02:38 +01:00 · d8fbb82b6c
commit d8fbb82b6c
parent 83cf1fa0b6
5 changed files with 19 additions and 1 deletions
--- a/crates/directory/src/backend/ldap/config.rs
+++ b/crates/directory/src/backend/ldap/config.rs
@ -72,6 +72,10 @@ impl LdapDirectory {
                .values((&prefix, "attributes.secret"))
                .map(|(_, v)| v.to_string())
                .collect(),
+            attr_secret_changed: config
+                .values((&prefix, "attributes.secret-changed"))
+                .map(|(_, v)| v.to_string())
+                .collect(),
            attr_email_address: config
                .values((&prefix, "attributes.email"))
                .map(|(_, v)| v.to_string())
--- a/crates/directory/src/backend/ldap/lookup.rs
+++ b/crates/directory/src/backend/ldap/lookup.rs
@ -6,6 +6,7 @@

 use ldap3::{Ldap, LdapConnAsync, ResultEntry, Scope, SearchEntry};
 use mail_send::Credentials;
+use store::xxhash_rust;
 use trc::AddContext;

 use crate::{
@ -373,6 +374,15 @@ impl LdapMappings {
                for item in value {
                    principal.append_str(PrincipalField::Secrets, item);
                }
+            } else if self.attr_secret_changed.contains(&attr) {
+                // Create a disabled AppPassword, used to indicate that the password has been changed
+                // but cannot be used for authentication.
+                for item in value {
+                    principal.append_str(
+                        PrincipalField::Secrets,
+                        format!("$app${}$", xxhash_rust::xxh3::xxh3_64(item.as_bytes())),
+                    );
+                }
            } else if self.attr_email_address.contains(&attr) {
                for item in value {
                    principal.prepend_str(PrincipalField::Emails, item.to_lowercase());
--- a/crates/directory/src/backend/ldap/mod.rs
+++ b/crates/directory/src/backend/ldap/mod.rs
@ -29,6 +29,7 @@ pub struct LdapMappings {
    attr_groups: Vec<String>,
    attr_description: Vec<String>,
    attr_secret: Vec<String>,
+    attr_secret_changed: Vec<String>,
    attr_email_address: Vec<String>,
    attr_email_alias: Vec<String>,
    attr_quota: Vec<String>,
--- a/crates/directory/src/core/secret.rs
+++ b/crates/directory/src/core/secret.rs
@ -264,7 +264,9 @@ pub async fn verify_secret_hash(hashed_secret: &str, secret: &str) -> trc::Resul
                .into_err()
                .details(hashed_secret.to_string()))
        }
-    } else {
+    } else if !hashed_secret.is_empty() {
        Ok(hashed_secret == secret)
+    } else {
+        Ok(false)
    }
 }
--- a/crates/store/src/lib.rs
+++ b/crates/store/src/lib.rs
@ -22,6 +22,7 @@ pub use rand;
 pub use roaring;
 use utils::config::cron::SimpleCron;
 use write::{BitmapClass, ValueClass};
+pub use xxhash_rust;

 #[cfg(feature = "s3")]
 use backend::s3::S3Store;