Diffstat (limited to 'main.go')
-rw-r--r-- | main.go | 39 |
1 files changed, 33 insertions, 6 deletions
@@ -12,8 +12,8 @@ import (
 "os/signal"
 "syscall"
- ldap "bottin/ldapserver"
 message "bottin/goldap"
+ ldap "bottin/ldapserver"
 consul "github.com/hashicorp/consul/api"
 log "github.com/sirupsen/logrus"
@@ -320,7 +320,6 @@ func (server *Server) init() error {
 return err
 }
-
 admin_pass_str, environnement_variable_exist := os.LookupEnv("BOTTIN_DEFAULT_ADMIN_PW")
 if !environnement_variable_exist {
 admin_pass := make([]byte, 8)
@@ -329,11 +328,15 @@ func (server *Server) init() error {
 return err
 }
 admin_pass_str = base64.RawURLEncoding.EncodeToString(admin_pass)
- } else {
+ } else {
 server.logger.Debug("BOTTIN_DEFAULT_ADMIN_PW environment variable is set, using it for admin's password")
 }
- admin_pass_hash := SSHAEncode([]byte(admin_pass_str))
+ admin_pass_hash, err := SSHAEncode(admin_pass_str)
+ if err != nil {
+ server.logger.Error("can't create admin password")
+ panic(err)
+ }
 admin_dn := "cn=admin," + server.config.Suffix
 admin_attributes := Entry{
@@ -434,8 +437,8 @@ func (server *Server) handleBindInternal(state *State, r *message.BindRequest) (
 }
 for _, hash := range passwd {
- valid := SSHAMatches(hash, []byte(r.AuthenticationSimple()))
- if valid {
+ valid, err := SSHAMatches(hash, string(r.AuthenticationSimple()))
+ if valid && err == nil {
 groups, err := server.getAttribute(string(r.Name()), ATTR_MEMBEROF)
 if err != nil {
 return ldap.LDAPResultOperationsError, err
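Review bot: `panic(err)` after `server.logger.Error("can't create admin password")` in the third hunk (`@@ -329,11 +328,15 @@`) aborts the process from a function whose signature is `init() error` and whose neighbouring lines already use `return err`; a hashing failure should propagate the same way, e.g. `return fmt.Errorf("hashing default admin password: %w", err)`, which also avoids reporting the same error twice (once logged, once as a panic). The body of init starts and ends outside the hunk, so I cannot see whether a caller already recovers from panics here; if it does not, a bad hash backend turns a startup error into a crash with a stack trace. The first hunk (import reorder) and the whitespace-only `} else {` change are fine.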
@@ -444,8 +447,32 @@ func (server *Server) handleBindInternal(state *State, r *message.BindRequest) (
 user: string(r.Name()),
 groups: groups,
 }
+
+ updatePasswordHash(string(r.AuthenticationSimple()), hash, server, string(r.Name()))
+ return ldap.LDAPResultSuccess, nil
+ } else {
+ return ldap.LDAPResultInvalidCredentials, fmt.Errorf("can't authenticate: %w", err)
 }
 }
 return ldap.LDAPResultInvalidCredentials, fmt.Errorf("No password match")
 }
+
+// Update the hash if it's not already SSHA512
+func updatePasswordHash(password string, currentHash string, server *Server, dn string) {
+ hashType, err := determineHashType(currentHash)
+ if err != nil {
+ server.logger.Errorf("can't determine hash type of password")
+ return
+ }
+ if hashType != SSHA512 {
+ reencodedPassword, err := SSHAEncode(password)
+ if err != nil {
+ server.logger.Errorf("can't encode password")
+ return
+ }
+ server.putAttributes(dn, Entry{
+ ATTR_USERPASSWORD: []string{reencodedPassword},
+ })
+ }
+} |
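Review bot: The new `} else { return ldap.LDAPResultInvalidCredentials, fmt.Errorf("can't authenticate: %w", err) }` returns on the first stored hash that does not match, so the `for _, hash := range passwd` loop never tries a second userPassword value and the `fmt.Errorf("No password match")` return after the loop becomes unreachable; when the hash merely did not match, the `err` from `SSHAMatches` (declared in the previous hunk) is nil and `%w` then wraps nil. I would delete the else branch so a mismatch falls through to the next stored hash and to the existing final return, and at most log a non-nil `err` inside the loop: `if err != nil { server.logger.Warnf("can't check a stored password hash for %s: %v", string(r.Name()), err) }`. In `updatePasswordHash`, `server.putAttributes(dn, Entry{ATTR_USERPASSWORD: []string{reencodedPassword}})` replaces every userPassword value of the entry with the single re-encoded one, dropping the other values the bind loop iterates over, and the call's result is discarded — if putAttributes returns an error it should be logged like the two errors above it, since a silent failure leaves the legacy hash in place. handleBindInternal begins outside the hunk.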