WMDE
/
LDAPAccountManager
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

new type API

This commit is contained in:
Roland Gruber 2017-05-06 15:22:27 +02:00
parent b886074693
commit 40b701a8bf
1 changed files with 37 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
lam/lib/modules/windowsUser.inc
View File

@ -1,4 +1,5 @@
<?php <?php
use \LAM\TYPES\TypeManager;
/* /*
$Id$ $Id$
@ -3404,26 +3405,30 @@ if (interface_exists('\LAM\JOB\Job', false)) {
* @return array options ('maxpwdage' => max age in ns) * @return array options ('maxpwdage' => max age in ns)
*/ */
protected function getPolicyOptions() { protected function getPolicyOptions() {
$userSuffix = $_SESSION['config']->get_Suffix('user'); $typeManager = new TypeManager();
if (empty($userSuffix)) { $maxPwdAge = array();
logNewMessage(LOG_ERR, 'No user suffix set in server profile.'); foreach ($typeManager->getConfiguredTypesForScope('user') as $type) {
return array(); $userSuffix = $type->getSuffix();
if (empty($userSuffix)) {
logNewMessage(LOG_ERR, 'No user suffix set in server profile for ' . $type->getAlias() . '.');
continue;
}
// extract base DN from user suffix
$domainRoot = strtolower(substr($userSuffix, stripos($userSuffix, 'dc=')));
if (empty($domainRoot)) {
logNewMessage(LOG_ERR, "No domain root found in $userSuffix.");
continue;
}
logNewMessage(LOG_DEBUG, "Using $domainRoot as domain root");
$policyDN = 'cn=builtin,' . $domainRoot;
$policyAttrs = ldapGetDN($policyDN, array('maxPwdAge'));
if (empty($policyAttrs['maxpwdage'][0])) {
logNewMessage(LOG_ERR, 'No maxPwdAge found for this domain in ' . $type->getAlias() . '.');
continue;
}
$maxPwdAge[$domainRoot] = $policyAttrs['maxpwdage'][0];
logNewMessage(LOG_DEBUG, "Using maxPwdAge = " . $maxPwdAge[$domainRoot] . ".");
} }
// extract base DN from user suffix
$domainRoot = substr($userSuffix, stripos($userSuffix, 'dc='));
if (empty($domainRoot)) {
logNewMessage(LOG_ERR, "No domain root found in $userSuffix.");
return array();
}
logNewMessage(LOG_DEBUG, "Using $domainRoot as domain root");
$policyDN = 'cn=builtin,' . $domainRoot;
$policyAttrs = ldapGetDN($policyDN, array('maxPwdAge'));
if (empty($policyAttrs['maxpwdage'][0])) {
logNewMessage(LOG_ERR, 'No maxPwdAge found for this domain.');
return array();
}
$maxPwdAge = $policyAttrs['maxpwdage'][0];
logNewMessage(LOG_DEBUG, "Using maxPwdAge = $maxPwdAge.");
return array('maxpwdage' => $maxPwdAge); return array('maxpwdage' => $maxPwdAge);
} }
@ -3455,30 +3460,32 @@ if (interface_exists('\LAM\JOB\Job', false)) {
* @param boolean $isDryRun just do a dry run, nothing is modified * @param boolean $isDryRun just do a dry run, nothing is modified
*/ */
protected function checkSingleUser($jobID, $options, &$pdo, $now, $policyOptions, $user, $isDryRun) { protected function checkSingleUser($jobID, $options, &$pdo, $now, $policyOptions, $user, $isDryRun) {
$dn = $user['dn'];
$domainRoot = strtolower(substr($dn, stripos($dn, 'dc=')));
// skip if password does not expire at all // skip if password does not expire at all
if (windowsUser::isNeverExpiring($user)) { if (windowsUser::isNeverExpiring($user)) {
logNewMessage(LOG_DEBUG, $user['dn'] . ' does not expire.'); logNewMessage(LOG_DEBUG, $dn . ' does not expire.');
return; return;
} }
// skip if no information about last password change // skip if no information about last password change
if (empty($user['pwdlastset'][0]) || ($user['pwdlastset'][0] < 1)) { if (empty($user['pwdlastset'][0]) || ($user['pwdlastset'][0] < 1)) {
logNewMessage(LOG_DEBUG, $user['dn'] . ' has no valid "pwdLastSet".'); logNewMessage(LOG_DEBUG, $dn . ' has no valid "pwdLastSet".');
return; return;
} }
// skip if account itself is expired // skip if account itself is expired
if (!empty($user['accountexpires'][0])) { if (!empty($user['accountexpires'][0])) {
$accountExpiration = windowsUser::getFileTime($user['accountexpires'][0]); $accountExpiration = windowsUser::getFileTime($user['accountexpires'][0]);
if ($accountExpiration <= $now) { if ($accountExpiration <= $now) {
logNewMessage(LOG_DEBUG, $user['dn'] . ' already expired'); logNewMessage(LOG_DEBUG, $dn . ' already expired');
return; return;
} }
} }
// skip if account is deactivated // skip if account is deactivated
if (windowsUser::isDeactivated($user)) { if (windowsUser::isDeactivated($user)) {
logNewMessage(LOG_DEBUG, $user['dn'] . ' is deactivated.'); logNewMessage(LOG_DEBUG, $dn . ' is deactivated.');
return; return;
} }
$maxPwdAge = $policyOptions['maxpwdage']; $maxPwdAge = $policyOptions['maxpwdage'][$domainRoot];
// calculate time when password expires // calculate time when password expires
$lastPwdTime = windowsUser::getFileTime($user['pwdlastset'][0]); $lastPwdTime = windowsUser::getFileTime($user['pwdlastset'][0]);
logNewMessage(LOG_DEBUG, "Last password change on " . $lastPwdTime->format('Y-m-d')); logNewMessage(LOG_DEBUG, "Last password change on " . $lastPwdTime->format('Y-m-d'));
@ -3489,7 +3496,7 @@ if (interface_exists('\LAM\JOB\Job', false)) {
logNewMessage(LOG_DEBUG, "Password expires on " . $expireTime->format('Y-m-d')); logNewMessage(LOG_DEBUG, "Password expires on " . $expireTime->format('Y-m-d'));
// skip already expired accounts // skip already expired accounts
if ($expireTime <= $now) { if ($expireTime <= $now) {
logNewMessage(LOG_DEBUG, $user['dn'] . ' already expired'); logNewMessage(LOG_DEBUG, $dn . ' already expired');
return; return;
} }
// calculate time of notification // calculate time of notification
@ -3499,25 +3506,25 @@ if (interface_exists('\LAM\JOB\Job', false)) {
logNewMessage(LOG_DEBUG, "Password notification on " . $notifyTime->format('Y-m-d H:i')); logNewMessage(LOG_DEBUG, "Password notification on " . $notifyTime->format('Y-m-d H:i'));
// skip if notification is in the future // skip if notification is in the future
if ($notifyTime > $now) { if ($notifyTime > $now) {
logNewMessage(LOG_DEBUG, $user['dn'] . ' does not need notification yet.'); logNewMessage(LOG_DEBUG, $dn . ' does not need notification yet.');
return; return;
} }
$dbLastChange = $this->getDBLastPwdChangeTime($jobID, $pdo, $user['dn']); $dbLastChange = $this->getDBLastPwdChangeTime($jobID, $pdo, $dn);
// skip entries where mail was already sent // skip entries where mail was already sent
if ($dbLastChange == $user['pwdlastset'][0]) { if ($dbLastChange == $user['pwdlastset'][0]) {
logNewMessage(LOG_DEBUG, $user['dn'] . ' was already notified.'); logNewMessage(LOG_DEBUG, $dn . ' was already notified.');
return; return;
} }
if ($isDryRun) { if ($isDryRun) {
// no action for dry run // no action for dry run
logNewMessage(LOG_NOTICE, 'Not sending email to ' . $user['dn'] . ' because of dry run.'); logNewMessage(LOG_NOTICE, 'Not sending email to ' . $dn . ' because of dry run.');
return; return;
} }
// send email // send email
$success = $this->sendMail($options, $jobID, $user, $expireTime); $success = $this->sendMail($options, $jobID, $user, $expireTime);
// update DB if mail was sent successfully // update DB if mail was sent successfully
if ($success) { if ($success) {
$this->setDBLastPwdChangeTime($jobID, $pdo, $user['dn'], $user['pwdlastset'][0]); $this->setDBLastPwdChangeTime($jobID, $pdo, $dn, $user['pwdlastset'][0]);
} }
} }