diff --git a/lam/HISTORY b/lam/HISTORY
index 818f0748..74013c41 100644
--- a/lam/HISTORY
+++ b/lam/HISTORY
@@ -4,6 +4,7 @@ June 2016 5.4
-> New module for 389ds unlocking and deactivation status
-> Self registration: support for Google reCAPTCHA
-> Password notification jobs support CC and BCC
+ -> Self Service: Samba 3 supports password history and minimum age check
21.03.2016 5.3
diff --git a/lam/docs/manual-sources/howto.xml b/lam/docs/manual-sources/howto.xml
index aa5d4039..391f6d1b 100644
--- a/lam/docs/manual-sources/howto.xml
+++ b/lam/docs/manual-sources/howto.xml
@@ -997,7 +997,7 @@ Have fun!
Version specific upgrade instructions
- 5.1 -> 5.3
+ 5.1 -> 5.4
No special actions needed.
@@ -8412,6 +8412,25 @@ OK (10 msec)
+
+ Samba 3
+
+ LAM Pro can check the password history and minimum age for Samba
+ 3 password changes. In this case please provide the LDAP suffix where
+ your Samba 3 domain(s) are stored.
+
+ If you leave the field empty then no history and age checks will
+ be done.
+
+
+
+
+
+
+
+
+
+
Password self reset
diff --git a/lam/docs/manual-sources/images/selfServiceSambaDomains.png b/lam/docs/manual-sources/images/selfServiceSambaDomains.png
new file mode 100644
index 00000000..c9f57ac8
Binary files /dev/null and b/lam/docs/manual-sources/images/selfServiceSambaDomains.png differ
diff --git a/lam/lib/modules/sambaSamAccount.inc b/lam/lib/modules/sambaSamAccount.inc
index 0a530c69..412d3766 100644
--- a/lam/lib/modules/sambaSamAccount.inc
+++ b/lam/lib/modules/sambaSamAccount.inc
@@ -2374,8 +2374,10 @@ class sambaSamAccount extends baseModule implements passwordService {
private function doSelfServicePasswordHistoryAndMinAge($attributes, &$return) {
if (!empty($this->selfServiceSettings->moduleSettings['sambaSamAccount_domainSuffix'][0])) {
$sambaDomain = $this->getUserDomain($attributes, $_SESSION['ldapHandle'], $this->selfServiceSettings->moduleSettings['sambaSamAccount_domainSuffix'][0]);
- if (($sambaDomain != null)
- && !empty($sambaDomain->pwdHistoryLength)
+ if ($sambaDomain == null) {
+ return;
+ }
+ if (!empty($sambaDomain->pwdHistoryLength)
&& is_numeric($sambaDomain->pwdHistoryLength)
&& ($sambaDomain->pwdHistoryLength > 0)) {
if (sambaSamAccount::oldPasswordUsed($return['info']['sambaUserPasswordClearText'][0], $attributes, $sambaDomain)) {
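Review bot: The new early return on `$sambaDomain == null` fails open: when no domain is found under the configured suffix, the history check and the min-age check added further down are both skipped with no message or log entry, so a suffix that does not match the user's domain would presumably disable the policy unnoticed. I would log a warning before the `return;` and add a comment such as `// no Samba domain found for this user: history and min age checks are skipped`. A strict `=== null` would also read more clearly, assuming getUserDomain() returns either an object or null, which is not visible here. The function body continues past the end of this hunk.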
@@ -2397,7 +2399,16 @@ class sambaSamAccount extends baseModule implements passwordService {
}
}
}
- // TODO check min age
+ // check min age
+ if (!empty($sambaDomain->minPwdAge) && ($sambaDomain->minPwdAge > 0) && !empty($attributes['sambaPwdLastSet'][0])) {
+ $timeVal = $attributes['sambaPwdLastSet'][0] + $sambaDomain->minPwdAge;
+ $time = new DateTime('@' . $timeVal, new DateTimeZone('UTC'));
+ $time->setTimezone(getTimeZone());
+ $now = new DateTime(null, getTimeZone());
+ if ($time > $now) {
+ $return['messages'][] = array('ERROR', _('You are not yet allowed to change your password.'));
+ }
+ }
}
}
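Review bot: The min-age condition adds `$attributes['sambaPwdLastSet'][0]` and `$sambaDomain->minPwdAge` without the `is_numeric()` guard that the history-length check in the same function uses, so a malformed directory value reaches the arithmetic and the `'@' . $timeVal` constructor and can end in a warning or exception instead of a clean policy decision. Extend the condition with `is_numeric($sambaDomain->minPwdAge) && is_numeric($attributes['sambaPwdLastSet'][0])`. `new DateTime(null, getTimeZone())` relies on null being accepted as the time string; `new DateTime('now', getTimeZone())` states the intent explicitly, and because DateTime objects compare by instant the `setTimezone()` call is not needed for the check. Whether an 'ERROR' entry in `$return['messages']` actually blocks the password change is decided by the caller, which lies outside this hunk, as does the start of the function.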