Index: app/controllers/account_controller.rb
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- app/controllers/account_controller.rb (revision 1cadb0037ce575d4c504c0c2407ac2793750a906)
+++ app/controllers/account_controller.rb (revision )
@@ -70,12 +70,23 @@
return
end
if request.post?
+ if @user.isExternal?
+ if @user.newExternalPassword(params[:new_password], params[:new_password_confirmation])
+ @token.destroy
+ flash[:notice] = l(:notice_account_password_updated)
+ redirect_to signin_path
+ return
+ else
+ flash[:error] = l(:notice_external_password_error)
+ end
+ else
- @user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation]
- if @user.save
- @token.destroy
- flash[:notice] = l(:notice_account_password_updated)
- redirect_to signin_path
- return
+ @user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation]
+ if @user.save
+ @token.destroy
+ flash[:notice] = l(:notice_account_password_updated)
+ redirect_to signin_path
+ return
+ end
end
end
render :template => "account/password_recovery"
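Review bot: The external branch never reaches `@user.save`, so whatever validations the model applies to a new local password (confirmation match, length) run only if `newExternalPassword` performs them itself, and that method is not in the visible part of the patch. It should reject an empty password or a mismatched confirmation before anything is written to the directory. On failure the code sets `flash[:error]` and then falls through to `render :template => "account/password_recovery"`, so `flash.now[:error] = l(:notice_external_password_error)` is the right form; plain `flash` shows the message again on the next request. Ruby naming would be `external?` and `new_external_password`. The enclosing action starts before the hunk.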
Index: app/controllers/my_controller.rb
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- app/controllers/my_controller.rb (revision 1cadb0037ce575d4c504c0c2407ac2793750a906)
+++ app/controllers/my_controller.rb (revision )
@@ -100,13 +100,25 @@
elsif params[:password] == params[:new_password]
flash.now[:error] = l(:notice_new_password_must_be_different)
else
+
+ if @user.isExternal?
+ if @user.changeExternalPassword(params[:password],params[:new_password], params[:new_password_confirmation])
+ session[:ctime] = Time.now.change(:usec => 0).utc.to_i
+ flash[:notice] = l(:notice_account_password_updated)
+ redirect_to my_account_path
+ else
+ flash[:error] = l(:notice_external_password_error)
+ end
+ else
- @user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation]
- @user.must_change_passwd = false
- if @user.save
+ @user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation]
+ @user.must_change_passwd = false
+ if @user.save
- # The session token was destroyed by the password change, generate a new one
- session[:tk] = @user.generate_session_token
+ # Reset the session creation time to not log out this session on next
+ # request due to ApplicationController#force_logout_if_password_changed
+ session[:ctime] = User.current.passwd_changed_on.utc.to_i
- flash[:notice] = l(:notice_account_password_updated)
- redirect_to my_account_path
+ flash[:notice] = l(:notice_account_password_updated)
+ redirect_to my_account_path
+ end
end
end
end
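Review bot: Both branches now write `session[:ctime]`, while the removed lines re-issued a token with `session[:tk] = @user.generate_session_token` because, per the removed comment, the password change destroys the old one. If the base revision still validates sessions through that token, the current session is left without a valid one and the `ctime` write does nothing. The external branch stamps `Time.now` instead of a stored change time, so unless `changeExternalPassword` (not in this hunk) records the change on the user, other open sessions of the account presumably stay valid after the password change. The failure path should use `flash.now[:error] = l(:notice_external_password_error)`, matching the `flash.now[:error]` two lines above the `else`, since no redirect follows it in the visible lines. The enclosing action starts and ends outside the hunk.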
Index: app/helpers/auth_sources_helper.rb
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- app/helpers/auth_sources_helper.rb (revision 1cadb0037ce575d4c504c0c2407ac2793750a906)
+++ app/helpers/auth_sources_helper.rb (revision )
@@ -21,4 +21,11 @@
def auth_source_partial_name(auth_source)
"form_#{auth_source.class.name.underscore}"
end
+
+ module Encryption
+ # Return an array of password encryptions
+ def self.encryptiontypes
+ ["MD5","SSHA","CLEAR"]
+ end
+ end
end
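Review bot: The list offers `MD5` and `CLEAR` next to `SSHA` with nothing to say they are weaker; as `encode_password` in this patch uses them, `MD5` is an unsalted digest and `CLEAR` writes the password unchanged. A comment such as `# SSHA is the only salted scheme; MD5 and CLEAR exist for directories that cannot accept it` would tell an administrator which one to choose. The existing comment says "encryptions", although two of the three are hash schemes. The method also allocates a new mutable array on every call; a frozen constant returned from `encryptiontypes`, for example `ENCRYPTION_TYPES = %w[MD5 SSHA CLEAR].freeze`, is the usual form.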
Index: config/locales/en.yml
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- config/locales/en.yml (revision 1cadb0037ce575d4c504c0c2407ac2793750a906)
+++ config/locales/en.yml (revision )
@@ -1169,3 +1169,6 @@
description_date_from: Enter start date
description_date_to: Enter end date
text_repository_identifier_info: 'Only lower case letters (a-z), numbers, dashes and underscores are allowed.
Once saved, the identifier cannot be changed.'
+ notice_external_password_error: Error changing external password.
+ field_password_encryption: Encryption
+ field_enabled_passwd: Enabled password changing
Index: app/views/auth_sources/_form_auth_source_ldap.html.erb
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- app/views/auth_sources/_form_auth_source_ldap.html.erb (revision 1cadb0037ce575d4c504c0c2407ac2793750a906)
+++ app/views/auth_sources/_form_auth_source_ldap.html.erb (revision )
@@ -14,6 +14,7 @@
<%= f.text_area :filter, :size => 60, :label => :field_auth_source_ldap_filter %>
<%= f.text_field :timeout, :size => 4 %>
<%= f.check_box :onthefly_register, :label => :field_onthefly %>
+<%= f.check_box :enabled_passwd, :label => :field_enabled_passwd %>
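Review bot: Only the `enabled_passwd` check box is added here, and no visible hunk adds an input for `password_encryption`, which `encode_password` in app/models/auth_source_ldap.rb reads and for which the locale file gains `field_password_encryption`. If that attribute stays unset, `encode_password` returns nil and every password change ends in the generic error. Unless a part of the patch outside this page adds it, a line such as `<%= f.select :password_encryption, AuthSourcesHelper::Encryption.encryptiontypes, :label => :field_password_encryption %>` next to the check box would close the gap.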
Index: config/environments/production.rb
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- config/environments/production.rb (revision 1cadb0037ce575d4c504c0c2407ac2793750a906)
+++ config/environments/production.rb (revision )
@@ -22,4 +22,6 @@
# Print deprecation notices to the Rails logger.
config.active_support.deprecation = :log
+
+ # config.log_level = :info
end
Index: app/models/auth_source_ldap.rb
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- app/models/auth_source_ldap.rb (revision 1cadb0037ce575d4c504c0c2407ac2793750a906)
+++ app/models/auth_source_ldap.rb (revision )
@@ -18,6 +18,8 @@
require 'net/ldap'
require 'net/ldap/dn'
require 'timeout'
+require 'digest'
+require 'base64'
class AuthSourceLdap < AuthSource
NETWORK_EXCEPTIONS = [
@@ -68,7 +70,98 @@
def auth_method_name
"LDAP"
+ end
+
+ def allow_password_changes?
+ return self.enabled_passwd
+ end
+
+ def encode_password(clear_password)
+ chars = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
+ salt = ''
+ 10.times { |i| salt << chars[rand(chars.size-1)] }
+
+ if self.password_encryption == "MD5"
+ logger.debug "Encode as md5"
+ return "{MD5}"+Base64.encode64(Digest::MD5.digest(clear_password)).chomp!
+ end
+ if self.password_encryption == "SSHA"
+ logger.debug "Encode as ssha"
+ return "{SSHA}"+Base64.encode64(Digest::SHA1.digest(clear_password+salt)+salt).chomp!
+ end
+
+ if self.password_encryption == "CLEAR"
+ logger.debug "Encode as cleartype"
+ return clear_password
+ end
+ #
+ end
+
+ # change password
+ def change_password(login,password,newPassword)
+ begin
+ attrs = get_user_dn(login, password)
+ if attrs
+ if self.account.blank? || self.account_password.blank?
+ logger.debug "Binding with user account"
+ ldap_con = initialize_ldap_con(attrs[:dn], password)
+ else
+ logger.debug "Binding with administrator account"
+ ldap_con = initialize_ldap_con(self.account, self.account_password)
+ end
+
+ ops = [
+ [:delete, :userPassword, password],
+ [:add, :userPassword, newPassword]
+ ]
+ #return ldap_con.modify :dn => attrs[:dn], :operations => ops
+ # This is another password change method, probably more common
+ newPassword = encode_password(newPassword)
+ # logger.info("NEW PASSWORD #{newPassword}")
+ if newPassword.blank?
+ logger.debug "Invaild password"
+ return false
+ else
+ logger.debug "Try to change password"
+ return ldap_con.replace_attribute attrs[:dn], :userPassword, newPassword
+ end
+ end
+ rescue
+ return false
+ end
+ return false
+ end
+
+ def lost_password(login,newPassword)
+ begin
+ attrs = get_user_dn_nopass(login)
+ if attrs
+ ldap_con = initialize_ldap_con(self.account, self.account_password)
+ return ldap_con.replace_attribute attrs[:dn], :userPassword, encode_password(newPassword)
+ end
+ rescue
+ return false
+ end
+ return false
+ end
+
+ def get_user_dn_nopass(login)
+ ldap_con = nil
+ ldap_con = initialize_ldap_con(self.account, self.account_password)
+ attrs = {}
+ search_filter = base_filter & Net::LDAP::Filter.eq(self.attr_login, login)
+ ldap_con.search( :base => self.base_dn,
+ :filter => search_filter,
+ :attributes=> search_attributes) do |entry|
+ if onthefly_register?
+ attrs = get_user_attributes_from_ldap_entry(entry)
+ else
+ attrs = {:dn => entry.dn}
+ end
+ logger.debug "DN found for #{login}: #{attrs[:dn]}" if logger && logger.debug?
+ end
+ attrs
- end
+ end
# Returns true if this source can be searched for users
def searchable?
Index: app/views/layouts/base.html.erb
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- app/views/layouts/base.html.erb (revision 1cadb0037ce575d4c504c0c2407ac2793750a906)
+++ app/views/layouts/base.html.erb (revision )
@@ -112,7 +112,7 @@
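Review bot: `encode_password` builds its SSHA salt with `rand`, which is not a cryptographic generator, and `rand(chars.size-1)` can never pick the last element of `chars`; the salt should come from `SecureRandom` (add `require 'securerandom'` beside the two new requires). The method returns nil for any `password_encryption` other than the three values handled, and `lost_password` hands that result to `replace_attribute` without the blank check that `change_password` makes. `get_user_dn_nopass` returns `{}` when no entry matches and `if attrs` is true for an empty hash, so `lost_password` should test `attrs[:dn]`; neither write path consults `allow_password_changes?` in the visible lines, and the bare `rescue` hides directory errors from the log. The rewrite below covers `encode_password` only; the `ops` array in `change_password` is unused and can go along with the commented-out `logger.info` of the new password.

```ruby
def encode_password(clear_password)
  case self.password_encryption
  when "SSHA"
    # ASCII salt from the CSPRNG, so appending it to a UTF-8 password cannot raise an encoding error
    salt = SecureRandom.hex(8)
    "{SSHA}" + Base64.strict_encode64(Digest::SHA1.digest(clear_password + salt) + salt)
  when "MD5"
    # unsalted digest; only for directories that cannot accept {SSHA}
    "{MD5}" + Base64.strict_encode64(Digest::MD5.digest(clear_password))
  when "CLEAR"
    # stores the password exactly as typed
    clear_password
  else
    # unset or unknown scheme: callers must treat nil as a failure
    nil
  end
end
```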