authorMarkus Krogh <markus@nordu.net>2019-02-07 13:39:06 +0100
committerMarkus Krogh <markus@nordu.net>2019-02-07 13:39:06 +0100
commitee7e9422674f449fd8571c8d359afbe862fa6676 (patch)
treed2f2ab07c06d8d63913a8752fb4b9d7fe6357294
parent7f437db53b49339615bbad9813e8beee522de493 (diff)
Set sasl password for SSO as well
-rw-r--r--ldap.go20
-rw-r--r--views.go9
2 files changed, 28 insertions, 1 deletions
diff --git a/ldap.go b/ldap.go
index e8a72ed..7b6feec 100644
--- a/ldap.go
+++ b/ldap.go
@@ -224,4 +224,22 @@ func calculateFingerprint(ssh_key string) string {
//return fmt.Sprintf("SHA256:%x", fingerprint)
}
-//// set_nordunet_ldap_pw_sasl used on sso pw set if change pw fail?
+func (i *LdapInfo) SetSASLPassword(username string) error {
+ l, err := i.LdapConnectBind()
+ if err != nil {
+ return err
+ }
+ defer l.Close()
+
+ sasl := fmt.Sprintf("{SASL}%s@%s", username, pwman.Krb5Conf.Realm)
+
+ change := ldap.NewModifyRequest(i.UserDN(username))
+ change.Replace("userPassword", []string{sasl})
+
+ err = l.Modify(change)
+ if err != nil {
+ return err
+ }
+ log.Println("[INFO] changed ldap password to SASL for", username)
+ return nil
+}
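Review bot: `username` goes unchecked into the `{SASL}%s@%s` value and into `i.UserDN(username)`, so a name containing `@` or DN metacharacters could make `userPassword` refer to a different principal or address a different entry than intended. Whether the callers or `UserDN` already validate or escape it is not visible in this hunk; if they do not, reject such names at the top of `SetSASLPassword`, for example `if strings.ContainsAny(username, "@,=+<>#;\\\"") { return fmt.Errorf("invalid username %q", username) }`. The new exported method also lacks a doc comment; `// SetSASLPassword replaces the user's userPassword attribute with a {SASL}user@REALM reference built from pwman.Krb5Conf.Realm.` would record that `Replace` discards any existing values.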
diff --git a/views.go b/views.go
index 1f63036..70b84c6 100644
--- a/views.go
+++ b/views.go
@@ -90,6 +90,15 @@ func (v *views) ChangePassword(what string) http.Handler {
}
log.Println("AUDIT", "Changed", what, "password for", username)
+ if strings.ToUpper(what) == "SSO" {
+ // We need to make sure ldap password is set to sasl as well
+ err = pwman.LdapInfo.SetSASLPassword(username)
+ if err != nil {
+ redirectSameFlash(w, req, err.Error(), "error")
+ return
+ }
+ }
+
redirectSameFlash(w, req, fmt.Sprintf("Password %s successfully updated", what), "success")
}
})
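Review bot: When `SetSASLPassword` fails, the raw `err.Error()` is flashed to the user through `redirectSameFlash`, which can expose LDAP server or DN details, and nothing is logged server-side. By then the SSO password has already been changed (the AUDIT line above has run), so the user sees an error for a change that partly succeeded. Consider logging the failure and flashing a generic message: `log.Println("AUDIT", "Failed to set SASL ldap password for", username, err)` followed by `redirectSameFlash(w, req, "Password changed, but LDAP update failed; contact support", "error")`. `strings.EqualFold(what, "SSO")` would also express the case-insensitive comparison more directly than `strings.ToUpper`. The enclosing handler starts and ends outside this hunk.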