WMDE
/
LDAPAccountManager
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge pull request #41 from LDAPAccountManager/JobResultLog 

Job result log
This commit is contained in:
gruberroland 2017-10-29 16:37:40 +01:00 committed by GitHub
parent 4cb8aec794 a7f1166ede
commit 0d0cb17ae1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 95 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lam/HISTORY
View File

@ -3,6 +3,8 @@ December 2017
- PHP 5.6 and Internet Explorer 11 or later required
- Account status also shows expired accounts
- Quota: support k/m/g/t/K/M/G/T to specify values in e.g. kB
- LAM Pro:
-> Cron jobs include better logging and support dry-run
19.09.2017 6.1

17
lam/docs/manual-sources/chapter-configuration.xml
View File

@ -84,10 +84,11 @@
<para id="sessionEncryption">Session encryption will encrypt sensitive
data like passwords in your session files. This is only available when
PHP <ulink url="http://php.net/manual/en/book.openssl.php">OpenSSL</ulink> is active. This
adds extra security but also costs performance. If you manage a large
directory you might want to disable this and take other actions to
secure your LAM server.</para>
PHP <ulink
url="http://php.net/manual/en/book.openssl.php">OpenSSL</ulink> is
active. This adds extra security but also costs performance. If you
manage a large directory you might want to disable this and take other
actions to secure your LAM server.</para>
<screenshot>
<mediaobject>
@ -786,6 +787,14 @@ mysql&gt; GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
configured jobs on a daily basis. The command must be run as the same
user as your webserver is running. You are free to change the starting
time of the script or run it more often.</para>
<para>Dry-run: You can perform a dry-run of the job. This will not
perform any actions but only print what would be done. For this please
put "--dryRun" at the end of the command. E.g.:</para>
<literallayout> /usr/share/ldap-account-manager/lib/cron.sh lam 123456789 --dryRun</literallayout>
<para/>
</section>
<section>

4
lam/lib/modules/freeRadius.inc
View File

@ -850,7 +850,7 @@ if (interface_exists('\LAM\JOB\Job', false)) {
*/
protected function checkSingleUser($jobID, $options, &$pdo, $now, $policyOptions, $user, $isDryRun) {
$expireTime = DateTime::createFromFormat('d M Y H:i', $user['radiusexpiration'][0], new DateTimeZone('UTC'));
logNewMessage(LOG_DEBUG, "Expiration on " . $expireTime->format('Y-m-d'));
$this->jobResultLog->logDebug("Expiration on " . $expireTime->format('Y-m-d'));
$delay = 0;
if (!empty($options[$this->getConfigPrefix() . '_delay' . $jobID][0])) {
$delay = $options[$this->getConfigPrefix() . '_delay' . $jobID][0];
@ -860,7 +860,7 @@ if (interface_exists('\LAM\JOB\Job', false)) {
$actionTime->add(new DateInterval('P' . $delay . 'D'));
}
$actionTime->setTimeZone(getTimeZone());
logNewMessage(LOG_DEBUG, "Action time on " . $actionTime->format('Y-m-d'));
$this->jobResultLog->logDebug("Action time on " . $actionTime->format('Y-m-d'));
if ($actionTime <= $now) {
$this->performAction($jobID, $options, $user, $isDryRun);
}

24
lam/lib/modules/shadowAccount.inc
View File

@ -862,11 +862,11 @@ if (interface_exists('\LAM\JOB\Job', false)) {
protected function checkSingleUser($jobID, $options, &$pdo, $now, $policyOptions, $user, $isDryRun) {
// skip if user is locked
if (!empty($user['userpassword'][0]) && !pwd_is_enabled($user['userpassword'][0])) {
logNewMessage(LOG_DEBUG, $user['dn'] . ' is locked.');
$this->jobResultLog->logDebug($user['dn'] . ' is locked.');
return;
}
if ($user['shadowmax'][0] < 1) {
logNewMessage(LOG_DEBUG, $user['dn'] . ' does not expire.');
$this->jobResultLog->logDebug($user['dn'] . ' does not expire.');
return;
}
@ -874,39 +874,39 @@ if (interface_exists('\LAM\JOB\Job', false)) {
// calculate time when password expires
$lastPwdTimeUnix = $user['shadowlastchange'][0] * 3600 * 24;
$lastPwdTime = new DateTime('@' . $lastPwdTimeUnix, new DateTimeZone('UTC'));
logNewMessage(LOG_DEBUG, "Last password change on " . $lastPwdTime->format('Y-m-d'));
$this->jobResultLog->logDebug("Last password change on " . $lastPwdTime->format('Y-m-d'));
$numDaysToWarn = $options[$this->getConfigPrefix() . '_mailNotificationPeriod' . $jobID][0];
if (!empty($user['shadowwarning'][0]) && ($user['shadowwarning'][0] > 0)) {
$numDaysToWarn += $user['shadowwarning'][0];
}
logNewMessage(LOG_DEBUG, "Number of days before warning " . $numDaysToWarn);
$this->jobResultLog->logDebug("Number of days before warning " . $numDaysToWarn);
$numDaysToExpire = $user['shadowmax'][0];
$expireTime = $lastPwdTime->add(new DateInterval('P' . $numDaysToExpire . 'D'));
logNewMessage(LOG_DEBUG, "Password expires on " . $expireTime->format('Y-m-d'));
$this->jobResultLog->logDebug("Password expires on " . $expireTime->format('Y-m-d'));
// skip already expired accounts
if ($expireTime <= $now) {
logNewMessage(LOG_DEBUG, $user['dn'] . ' already expired');
$this->jobResultLog->logDebug($user['dn'] . ' already expired');
return;
}
// calculate time of notification
$notifyTime = clone $expireTime;
$notifyTime->sub(new DateInterval('P' . $numDaysToWarn . 'D'));
$notifyTime->setTimeZone(getTimeZone());
logNewMessage(LOG_DEBUG, "Password notification on " . $notifyTime->format('Y-m-d H:i'));
$this->jobResultLog->logDebug("Password notification on " . $notifyTime->format('Y-m-d H:i'));
// skip if notification is in the future
if ($notifyTime > $now) {
logNewMessage(LOG_DEBUG, $user['dn'] . ' does not need notification yet.');
$this->jobResultLog->logDebug($user['dn'] . ' does not need notification yet.');
return;
}
$dbLastChange = $this->getDBLastPwdChangeTime($jobID, $pdo, $user['dn']);
// skip entries where mail was already sent
if ($dbLastChange == $user['shadowlastchange'][0]) {
logNewMessage(LOG_DEBUG, $user['dn'] . ' was already notified.');
$this->jobResultLog->logDebug($user['dn'] . ' was already notified.');
return;
}
if ($isDryRun) {
// no action for dry run
logNewMessage(LOG_NOTICE, 'Not sending email to ' . $user['dn'] . ' because of dry run.');
$this->jobResultLog->logInfo('Not sending email to ' . $user['dn'] . ' because of dry run.');
return;
}
// send email
@ -972,7 +972,7 @@ if (interface_exists('\LAM\JOB\Job', false)) {
protected function checkSingleUser($jobID, $options, &$pdo, $now, $policyOptions, $user, $isDryRun) {
$expireTimeUnix = $user['shadowexpire'][0] * 3600 * 24;
$expireTime = new DateTime('@' . $expireTimeUnix, new DateTimeZone('UTC'));
logNewMessage(LOG_DEBUG, "Expiration on " . $expireTime->format('Y-m-d'));
$this->jobResultLog->logDebug("Expiration on " . $expireTime->format('Y-m-d'));
$delay = 0;
if (!empty($options[$this->getConfigPrefix() . '_delay' . $jobID][0])) {
$delay = $options[$this->getConfigPrefix() . '_delay' . $jobID][0];
@ -982,7 +982,7 @@ if (interface_exists('\LAM\JOB\Job', false)) {
$actionTime->add(new DateInterval('P' . $delay . 'D'));
}
$actionTime->setTimeZone(getTimeZone());
logNewMessage(LOG_DEBUG, "Action time on " . $actionTime->format('Y-m-d'));
$this->jobResultLog->logDebug("Action time on " . $actionTime->format('Y-m-d'));
if ($actionTime <= $now) {
$this->performAction($jobID, $options, $user, $isDryRun);
}

28
lam/lib/modules/windowsUser.inc
View File

@ -3484,60 +3484,60 @@ if (interface_exists('\LAM\JOB\Job', false)) {
$domainRoot = strtolower(substr($dn, stripos($dn, 'dc=')));
// skip if password does not expire at all
if (windowsUser::isNeverExpiring($user)) {
logNewMessage(LOG_DEBUG, $dn . ' does not expire.');
$this->jobResultLog->logDebug($dn . ' does not expire.');
return;
}
// skip if no information about last password change
if (empty($user['pwdlastset'][0]) || ($user['pwdlastset'][0] < 1)) {
logNewMessage(LOG_DEBUG, $dn . ' has no valid "pwdLastSet".');
$this->jobResultLog->logDebug($dn . ' has no valid "pwdLastSet".');
return;
}
// skip if account itself is expired
if (!empty($user['accountexpires'][0])) {
$accountExpiration = windowsUser::getFileTime($user['accountexpires'][0]);
if ($accountExpiration <= $now) {
logNewMessage(LOG_DEBUG, $dn . ' already expired');
$this->jobResultLog->logDebug($dn . ' already expired');
return;
}
}
// skip if account is deactivated
if (windowsUser::isDeactivated($user)) {
logNewMessage(LOG_DEBUG, $dn . ' is deactivated.');
$this->jobResultLog->logDebug($dn . ' is deactivated.');
return;
}
$maxPwdAge = $policyOptions['maxpwdage'][$domainRoot];
// calculate time when password expires
$lastPwdTime = windowsUser::getFileTime($user['pwdlastset'][0]);
logNewMessage(LOG_DEBUG, "Last password change on " . $lastPwdTime->format('Y-m-d'));
$this->jobResultLog->logDebug("Last password change on " . $lastPwdTime->format('Y-m-d'));
$numDaysToWarn = $options[$this->getConfigPrefix() . '_mailNotificationPeriod' . $jobID][0];
logNewMessage(LOG_DEBUG, "Number of days before warning " . $numDaysToWarn);
$this->jobResultLog->logDebug("Number of days before warning " . $numDaysToWarn);
// expiration date = pwdLastSet - maxpwdage
$expireTime = windowsUser::getFileTime($user['pwdlastset'][0] - $maxPwdAge);
logNewMessage(LOG_DEBUG, "Password expires on " . $expireTime->format('Y-m-d'));
$this->jobResultLog->logDebug("Password expires on " . $expireTime->format('Y-m-d'));
// skip already expired accounts
if ($expireTime <= $now) {
logNewMessage(LOG_DEBUG, $dn . ' already expired');
$this->jobResultLog->logDebug($dn . ' already expired');
return;
}
// calculate time of notification
$notifyTime = clone $expireTime;
$notifyTime->sub(new DateInterval('P' . $numDaysToWarn . 'D'));
$notifyTime->setTimeZone(getTimeZone());
logNewMessage(LOG_DEBUG, "Password notification on " . $notifyTime->format('Y-m-d H:i'));
$this->jobResultLog->logDebug("Password notification on " . $notifyTime->format('Y-m-d H:i'));
// skip if notification is in the future
if ($notifyTime > $now) {
logNewMessage(LOG_DEBUG, $dn . ' does not need notification yet.');
$this->jobResultLog->logDebug($dn . ' does not need notification yet.');
return;
}
$dbLastChange = $this->getDBLastPwdChangeTime($jobID, $pdo, $dn);
// skip entries where mail was already sent
if ($dbLastChange == $user['pwdlastset'][0]) {
logNewMessage(LOG_DEBUG, $dn . ' was already notified.');
$this->jobResultLog->logDebug($dn . ' was already notified.');
return;
}
if ($isDryRun) {
// no action for dry run
logNewMessage(LOG_NOTICE, 'Not sending email to ' . $dn . ' because of dry run.');
$this->jobResultLog->logInfo('Not sending email to ' . $dn . ' because of dry run.');
return;
}
// send email
@ -3605,7 +3605,7 @@ if (interface_exists('\LAM\JOB\Job', false)) {
$expireTime = new DateTime('1601-01-01', new DateTimeZone('UTC'));
$expireTime->add(new DateInterval('PT' . $seconds . 'S'));
$expireTime->setTimezone(getTimeZone());
logNewMessage(LOG_DEBUG, "Expiration on " . $expireTime->format('Y-m-d'));
$this->jobResultLog->logDebug("Expiration on " . $expireTime->format('Y-m-d'));
$delay = 0;
if (!empty($options[$this->getConfigPrefix() . '_delay' . $jobID][0])) {
$delay = $options[$this->getConfigPrefix() . '_delay' . $jobID][0];
@ -3615,7 +3615,7 @@ if (interface_exists('\LAM\JOB\Job', false)) {
$actionTime->add(new DateInterval('P' . $delay . 'D'));
}
$actionTime->setTimeZone(getTimeZone());
logNewMessage(LOG_DEBUG, "Action time on " . $actionTime->format('Y-m-d'));
$this->jobResultLog->logDebug("Action time on " . $actionTime->format('Y-m-d'));
if ($actionTime <= $now) {
$this->performAction($jobID, $options, $user, $isDryRun);
}

11
lam/lib/security.inc
View File

@ -208,6 +208,17 @@ function logoffAndBackToLoginPage() {
die();
}
/**
* Returns if debug messages are to be logged.
*
* @return boolean debug enabled
*/
function isDebugLoggingEnabled() {
if (isset($_SESSION['cfgMain'])) $cfg = $_SESSION['cfgMain'];
else $cfg = new LAMCfgMain();
return $cfg->logLevel >= LOG_DEBUG;
}
/**
* Puts a new message in the log file.
*