added job to move or delete expired accounts

This commit is contained in:
Roland Gruber 2016-07-16 09:52:09 +02:00
parent 1a3f0f5d8a
commit 0bb6888ad0
5 changed files with 131 additions and 44 deletions

BIN
lam/graphics/trashBig.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 1.6 KiB

View File

@ -333,6 +333,18 @@ $helpArray = array (
"Headline" => _('BCC address'),
"Text" => _('This email address will be set as BCC address of all mails.')
),
'807' => array(
"Headline" => _('Delay'),
"Text" => _('Delay this action by a number of days after account expiry.')
),
'808' => array(
"Headline" => _('Action'),
"Text" => _('You can delete or move expired accounts.')
),
'809' => array(
"Headline" => _('Target DN'),
"Text" => _('The expired accounts will be moved to this DN.')
),
);
/* This is a sample help entry. Just copy this line an modify the values between the [] brackets.

View File

@ -802,6 +802,49 @@ function ldapGetDN($dn, $attributes = array('dn'), $handle = null) {
return $return;
}
/**
* Deletes a DN and all child entries.
*
* @param string $dn DN to delete
* @param boolean $recursive recursive delete also child entries
* @return array error messages
*/
function deleteDN($dn, $recursive) {
$errors = array();
if (($dn == null) || ($dn == '')) {
$errors[] = array('ERROR', _('Entry does not exist'));
return $errors;
}
if ($recursive) {
$sr = @ldap_list($_SESSION['ldap']->server(), $dn, 'objectClass=*', array('dn'), 0, 0, 0, LDAP_DEREF_NEVER);
if ($sr) {
$entries = ldap_get_entries($_SESSION['ldap']->server(), $sr);
cleanLDAPResult($entries);
for ($i = 0; $i < sizeof($entries); $i++) {
// delete recursively
$subErrors = deleteDN($entries[$i]['dn'], $recursive);
for ($e = 0; $e < sizeof($subErrors); $e++) $errors[] = $subErrors[$e];
}
}
else {
$errors[] = array ('ERROR', sprintf(_('Was unable to delete DN: %s.'), $dn), getDefaultLDAPErrorString($_SESSION['ldap']->server()));
return $errors;
}
}
// delete parent DN
$success = @ldap_delete($_SESSION['ldap']->server(), $dn);
$ldapUser = $_SESSION['ldap']->decrypt_login();
$ldapUser = $ldapUser[0];
if (!$success) {
logNewMessage(LOG_ERR, '[' . $ldapUser .'] Unable to delete DN: ' . $dn . ' (' . ldap_error($_SESSION['ldap']->server()) . ').');
$errors[] = array ('ERROR', sprintf(_('Was unable to delete DN: %s.'), $dn), getDefaultLDAPErrorString($_SESSION['ldap']->server()));
}
else {
logNewMessage(LOG_NOTICE, '[' . $ldapUser .'] Deleted DN: ' . $dn);
}
return $errors;
}
/**
* Returns the parameters for a StatusMessage of the last LDAP search.
*

View File

@ -772,7 +772,8 @@ class shadowAccount extends baseModule implements passwordService {
*/
public function getSupportedJobs(&$config) {
return array(
new ShadowAccountPasswordNotifyJob()
new ShadowAccountPasswordNotifyJob(),
new ShadowAccountExpirationCleanupJob()
);
}
@ -894,6 +895,80 @@ if (interface_exists('\LAM\JOB\Job', false)) {
}
/**
* Job to delete or move users on account expiration.
*
* @package jobs
*/
class ShadowAccountExpirationCleanupJob extends \LAM\JOB\AccountExpirationCleanupJob {
/**
* Returns the alias name of the job.
*
* @return String name
*/
public function getAlias() {
return _('Shadow') . ': ' . _('Cleanup expired user accounts');
}
/**
* Returns the description of the job.
*
* @return String description
*/
public function getDescription() {
return _('This job deletes or moves user accounts when they expire.');
}
/**
* Searches for users in LDAP.
*
* @param String $jobID unique job identifier
* @param array $options config options (name => value)
* @return array list of user attributes
*/
protected function findUsers($jobID, $options) {
// read users
$attrs = array('shadowExpire');
$userResults = searchLDAPByFilter('(shadowExpire=*)', $attrs, array('user'));
return $userResults;
}
/**
* Checks if a user needs to change his password.
*
* @param integer $jobID job ID
* @param array $options job settings
* @param PDO $pdo PDO
* @param DateTime $now current time
* @param array $policyOptions list of policy options by getPolicyOptions()
* @param array $user user attributes
* @param boolean $isDryRun just do a dry run, nothing is modified
*/
protected function checkSingleUser($jobID, $options, &$pdo, $now, $policyOptions, $user, $isDryRun) {
$expireTimeUnix = $user['shadowexpire'][0] * 3600 * 24;
$expireTime = new DateTime('@' . $expireTimeUnix, new DateTimeZone('UTC'));
logNewMessage(LOG_DEBUG, "Expiration on " . $expireTime->format('Y-m-d'));
$delay = 0;
if (!empty($options[$this->getConfigPrefix() . '_delay' . $jobID][0])) {
$delay = $options[$this->getConfigPrefix() . '_delay' . $jobID][0];
}
if (!empty($user['shadowwarning'][0]) && ($user['shadowwarning'][0] > 0)) {
$numDaysToWarn += $user['shadowwarning'][0];
}
$actionTime = clone $expireTime;
if ($delay != 0) {
$actionTime->add(new DateInterval('P' . $delay . 'D'));
}
$actionTime->setTimeZone(getTimeZone());
logNewMessage(LOG_DEBUG, "Action time on " . $actionTime->format('Y-m-d'));
if ($actionTime <= $now) {
$this->performAction($jobID, $options, $user, $isDryRun);
}
}
}
}
?>

View File

@ -328,47 +328,4 @@ function getChildCount($dn) {
return (sizeof($entries) - 1);
}
/**
* Deletes a DN and all child entries.
*
* @param string $dn DN to delete
* @param boolean $recursive recursive delete also child entries
* @return array error messages
*/
function deleteDN($dn, $recursive) {
$errors = array();
if (($dn == null) || ($dn == '')) {
$errors[] = array('ERROR', _('Entry does not exist'));
return $errors;
}
if ($recursive) {
$sr = @ldap_list($_SESSION['ldap']->server(), $dn, 'objectClass=*', array('dn'), 0, 0, 0, LDAP_DEREF_NEVER);
if ($sr) {
$entries = ldap_get_entries($_SESSION['ldap']->server(), $sr);
cleanLDAPResult($entries);
for ($i = 0; $i < sizeof($entries); $i++) {
// delete recursively
$subErrors = deleteDN($entries[$i]['dn'], $recursive);
for ($e = 0; $e < sizeof($subErrors); $e++) $errors[] = $subErrors[$e];
}
}
else {
$errors[] = array ('ERROR', sprintf(_('Was unable to delete DN: %s.'), $dn), getDefaultLDAPErrorString($_SESSION['ldap']->server()));
return $errors;
}
}
// delete parent DN
$success = @ldap_delete($_SESSION['ldap']->server(), $dn);
$ldapUser = $_SESSION['ldap']->decrypt_login();
$ldapUser = $ldapUser[0];
if (!$success) {
logNewMessage(LOG_ERR, '[' . $ldapUser .'] Unable to delete DN: ' . $dn . ' (' . ldap_error($_SESSION['ldap']->server()) . ').');
$errors[] = array ('ERROR', sprintf(_('Was unable to delete DN: %s.'), $dn), getDefaultLDAPErrorString($_SESSION['ldap']->server()));
}
else {
logNewMessage(LOG_NOTICE, '[' . $ldapUser .'] Deleted DN: ' . $dn);
}
return $errors;
}
?>