From 6089935a71d364bee735a1b7ecc5d73f228fed0c Mon Sep 17 00:00:00 2001 From: Roland Gruber Date: Thu, 26 May 2016 20:08:08 +0200 Subject: [PATCH] check password minimum age for Samba 3 --- lam/HISTORY | 1 + lam/docs/manual-sources/howto.xml | 21 +++++++++++++++++- .../images/selfServiceSambaDomains.png | Bin 0 -> 6813 bytes lam/lib/modules/sambaSamAccount.inc | 17 +++++++++++--- 4 files changed, 35 insertions(+), 4 deletions(-) create mode 100644 lam/docs/manual-sources/images/selfServiceSambaDomains.png diff --git a/lam/HISTORY b/lam/HISTORY index 818f0748..74013c41 100644 --- a/lam/HISTORY +++ b/lam/HISTORY @@ -4,6 +4,7 @@ June 2016 5.4 -> New module for 389ds unlocking and deactivation status -> Self registration: support for Google reCAPTCHA -> Password notification jobs support CC and BCC + -> Self Service: Samba 3 supports password history and minimum age check 21.03.2016 5.3 diff --git a/lam/docs/manual-sources/howto.xml b/lam/docs/manual-sources/howto.xml index aa5d4039..391f6d1b 100644 --- a/lam/docs/manual-sources/howto.xml +++ b/lam/docs/manual-sources/howto.xml @@ -997,7 +997,7 @@ Have fun! Version specific upgrade instructions
- 5.1 -> 5.3 + 5.1 -> 5.4 No special actions needed.
@@ -8412,6 +8412,25 @@ OK (10 msec) +
+ Samba 3 + + LAM Pro can check the password history and minimum age for Samba + 3 password changes. In this case please provide the LDAP suffix where + your Samba 3 domain(s) are stored. + + If you leave the field empty then no history and age checks will + be done. + + + + + + + + +
+
Password self reset 
diff --git a/lam/docs/manual-sources/images/selfServiceSambaDomains.png b/lam/docs/manual-sources/images/selfServiceSambaDomains.png new file mode 100644 index 0000000000000000000000000000000000000000..c9f57ac82c30cc53c99f0c73b67b1151885f5bca GIT binary patch literal 6813 zcmbtZcT`i$x5jI`bdd|FAY4#Eig1-C-4X#nZAz=|&5;a)y4 zQmsb7hYSqF2il2S!S3Lqod(Uy$5Jm{>>a~f1cM))yo(NQCK=sGIri66-kIi{TZJpie3<)4@HfA>Em^*?m4NsW7v>N~{#)gM-*A|lfJLZ_e}VJsBg zL^VqFQrE=?P>VwonQ2G4%2F+Z8=PlOlIBP4J?8wtJ|fCy8R%+MwTf4Ej2zla@ti_< z&WMNNYJieC#7w2Ly4)zc0F^o&q`3Kr(Y zrTUZxmi5kv;D0-7e$+MRqA^ogEz~b%H$mi^0AFA5zlOFNZGJ^=ou)i%SW$ zM<(M`e5YCyz?oVfT?iZRu09but!vkFkL!`$%^4EK+}MFXDS>Y=q_Y}DCyjiswy@o! z$S93lKL;nkF=+BMt6{vDtRHFG(IKmVHP#RPoF^Z-tr-*)ODVj+e(I8^DIsh*c8C5R ziA0u{m&5vtU&$E7egQ%xR$>meu{4~Lk|L=MUymXJ<0EWRqa{>sTSMBo_UrGaZn|Pu z-_q`+7Poj(d`gf_^50C9_RpwU<5*Vq6^zRAn_(elY7b!J^=P zkOtUNbLu-t6x<3`UkV%jl!pxu5H-C2{o^w?RbAaE294Sv z(UpGjLMd3}WH$(z2OJPa-J8!KFOJE~wWFt}lt(o5cp5R=8r^OP& z8Pt8zOX}(h7U{oO6gLG01uKk3N#xqBcSdC;`hrt&QPE(jy*a45rY2JZ7PLO!%Z$n4 zx>j1qcV88YI^Mf5kWgx02JNDoyh^{L=})`xfI6(XH{1-SM*qF>gz)5jn4Z?8P;mR# z5AzF}1#-SaMI6I5jgGYs8ex{i4-9YRv<1;cc$cDR1PlOHYy*hyb*EO*> zMxPuNR=w>0>EQv7_N4I|Z>wBG1hgwXu!om_Z*PsfKNk9H;&aDah20t{t}B1tI#A{+ zIAyyN3O{D6FalNQlc~1AZGJ6$?c%$PYZaHjD#XhxL19$uct!M#Bd`@|QsPo7a`_-s zy#ac(OS`ogbxFVlGJE>E+hT7;REjpB!1Hkx0RFJruV%1TeBuoNqYP9*);j zQu;;@d4X)1{80N%x8Y7M&6hB>tZEoBc@ijiHr$_K6=O{Z? 
z=yyK#UZ9aUeMRO^9zUKX=hA>#Ut_Cq(~KQN>=)7X+^XMbX_&XqWPZr4#`9nmu$}2I ztYAT|Q}p%z*U;sKb-%w(Dm>r3LZx1SEbh2m(m1!%=!|uuw9z8>yL6oJaH4z5bDS?l z)ul0He{Z|s#;d5=4DaWHlCwsQ&~8j^ZSC?X9_xg!c#xQMMDP^S^udEl**YAA>$$1Y|OEMX!#N{#qaqg;n_b z(=HPi1H@%Zyzr(87Eg`x-C3ufx$zRPX99#wrlxP$4tT_p1O_Y5^5=xIe?ChqhKYm9 zYb+wb0YQ?Q^y`!a{!O~$5?6&UP-^RXXq z3^n##o9*^e3IneGBefzaKqziA#+7EC^78T~N~pnqROTVKVwxXUaR*_2`*7{>c{H#z z_fq-WR2?dRDtB~?cPke=3Ar4{ch`LOHM4BKyw)}&l4in;d2?HR*!}4pbP4Lbxr%vV zJ--m6d3R+lCmKH2lP#S*_vz6=EOBGx;emsD@p5u*BL@LzUQ1f%TN7?w!<657Eu8fp#}8RuI0eH*$xyZ=U5ps7#Lh+hcoxP3R}) zjHxG6H(NL5j(c`0hm|)6coX%G%(minp=DlAhnICo3>WsZ@bP55#UDa*oKpH5h6vtj z%&>!H8uIik=&a&7H0RFs>yF>5QC`A9&!0&t>o23cWn#maONNLjU}^84(v)M=vjf!K zq{NN~S%CK0UkBo)rPX7$D(maN7MK`3n0sf!_fmC|*ljOa+0UEQ;8CM?!Kz`)9QAOsxtf?du2ZTvu5MIDRXLt3eu?}* zEwngjzVsk{PX8Bc7mqh>Wc4XG#y>Mj)z~jdU{K(FtS+JWc;N<;bBXxJwPiL7G~MVx zDXdI#M53$wl5#e%OO9ujrZ#e3x*FnJDeBGhOk4KrS!s1zwcYFPN)_5^VR92L`lmrS z&8B$sAlLq*w~P99i0S-SMzLel8^YI4hngEzwgO3G#x~P!Q2S!!r${@G44;YmF$Oxr z1{^-{Vhrt#Ady8``zZ|t6^qAyZZEW_?gnW$>YJ&ETrZ^vSe1^;f0bTTCz>U29I&== zTr-~zpH^&&iyQ}P%_p>ou@M&@yGn;6uJa9WVK3&(c!(**)TS?l)kiufDzd0}GW z@L*89^ms`Ue0P7ga}Ez%OCD4WPM$-ai0lnZ{kvgRaKC~s)St#+ROO*;&^D#%T9RCc ztm#u2H&QH%;C0I8-a0di*%OrQF7kZ!eb{MQ@vgp(++;p1ABHJTY(K+VS{V}5UIa_H z<|BeSWHj6S{zg0ftn?&gjkLhcQO7%vciNyyq#J?$T3pTV`kp;Ai5zbWX}z5I0@!X6 z+)q3ssV-)QNV}41BilWrd7WZx3B|JG%TtXq^L^2M2uy{*c;(6B&fvjwafjjy6VFZk)gjU$ z68IwP7?#>2z=v0%(aQwc+L3`+E@*pLn*WCbQA4EVGI2H)4WEIOx}QWr;fjmkMWbkXC-0xph?@-O7$xv#GDDH9t7 zGfAFi)hmPLblAlo#=9*PKB=#Lz0I8Ah#-spL1JD5yW2S!NwjS2V{{O)J z|C1a1r~9xH;bAGgH6d%;O_f%Mz>Y4LEZyNjfge<|`^+V&-)j&d7O%cl06}7R8iaij zJ_YLO%3#dQ&N_z4^7O=yE)UnjyxBW~jUg2!^wR21V5aO3^_ER_bAlq_@O`gt42wRh zcIi?z@W@&V0)dR;{mo60n?(+uvP zmeo}Zl4$Z|!Ew_^j*xsr6Uh`Z?PzHDSXONg8*GPRd!D#w&Um!0 znhz!K^}gc5LPRQ~PR0E3;~0WaN!*2sjqaWAuqR16kLiPeXG-&~*y6x!KBME9P#08P z(>16nedZ61wfx!{-tI(NuN4M&v-uSPb6EJdUH-5tVtK6j>=kuk$()_O@&T(^ zqRr393D+u(dy-o9SL6>^|M()%UUyIyF-nj7nGRl@2QMCx=|Cge3o$MA`L`-ZJy>RZ zdJ$jtb3;tL907W)G; 
z%l2tKVWj!IO`lC>+^W)kb%pjuGoxKb`>%|=U(o(~OT*ml@2>*`d0qI7)GkjxI@+%4 zf?kn%Qy0-@u$fefwBrBNwlJ+JvOJZl?iL(v-~FePLq++B(qdRg^5~e{ar!?(Ijutp-NX8Ji8OdkPoN4B45OGE^)G7~VdD=dHqE<|KC>Fmp zu8DpS|sjS=bl^`HveF7%9v5ko=nV)4wu;^OZ3F#sWso;BL!HF z*3FE5Imo}J=IT$aou8C_a>Gc6rJ}i;R>wEA!j~hF^^YN|SHioAzLwF@5J|Sc7|eFa z7Hyv&DtASUeq>|X+BFlC3ClyVbl)Kq)b0Ss#~ui_{rI@KO&Wqipa`ylGo6E3gSl}V zkk1_^$x_?7DQDh})+PA%Z6!TA2e4v*-^Af``u6oHJKN@{w&ETsDY{L9Bl9GyrdIf?uuLJooxAPzz*5<)kXfx z^fHe((D&TPa(wgVEn6XLM)ykG`xgegvC4h8du_}a+xHeZmti)E;t9Z1W$Y~#-gtEi z=QDl>^jr{8KPRaDGWT+Cb@^bKL$iML#+l@#^I>n~E)9K@WPX3*k$YA`y^lf9_sL<_Pte81W?)dSudO|00axiUSo=gPwHl$1$;F{@p+ z!^2-9e=J{>vmu17XLwLPj@E`ib}C#*Q21D>-9?u#_dLjf{QbeUx%C_ws~*I3%VJ~r z39XPychn*$=cw?G6X!rn7=xO&(XCgc!)cQ!HZq9)B1nwd){dsdBvvf;=jLuqwy*6) z_Y{aulxL_zyJK|>4P8N}H2f~derYv%E*!nd76y5)sgW!q;h2`mV=0RjjKFc0ftk)+ z?ObuvNxhA)nQ&$R^?RA))$Y0S2Yu?~myru4k0}cS4Z$$8!>VCs30|UkNu=o&jSxK`#pZsqIUylw+A2i$mdFGdxM&Q{J>yoIs3rba0nik0dZdnthWT+oQ56TVU(XE?q&#&reSUX=h2hHC1j|&c+mw%vt=rgK_56-l(jJN`3%2!ER8cH316i7 zx_m9}EBxHr+A7wWCPu9ZYGaBgBplAz8BPV_@0+80Z`m(LCGIBqWxa|L%9t<;apJfFwJdN$ zvD>Z?9twpcLM>s}2L?I{+@je;Ek~9#`{%$eLwVMxr7xYi^uf^;vB{jJ>^hy^3Evr& z{pvQv+CTbLKzi&w%GMxT*JG=aAkb1d>}T~d_SbMnaF34XR>2wh!s6KNwz>9XpnA8r zmF5;>D61LT`fs(%gY?(0f33#LU}ig_*W-*~G+9D==o^%VB1tZe zR-B2ezvsaWFz+Z^GCRO?Wv1U*)v@X*H8UlGCQ9S94cZA7n2`TUDe2GI45)Cfx;LAs z<_U$qFimW26*(hA&^=dVAzDHHH{#yFG_Zqya3y{nc_|?Esu621s@p0K?qh_q z2_X&aBt4L4&(d(2LxpnQMy3`l&DpnI_J@!kXd!yiu-QnCz#+rKsM{0N2Lpaj!hrWcr`{ zVz&V7?_MLgklr2zkTv_;kOGQZ@8mIwck7yEgpfrpY_tcFJRM1%lt~qjcG)zf^PN!> zH$ecda!_%m*LlX727mmrMW2(yIMgwwOT}PJVh50T&K{sY z*m6@{>3c30wDrrK6A&O#Z13AQJvF6F;G4KssG@9SWCapYI&p|{NI8}gM=&u(OQbUEU8 zPq&J-A7o$Z=+<;oD@w%c)Q1M=iZ@9!I>Mgi5pd3mrfWF7L798H@-Q*S;KwaBEyaso zpa@UDj3YT0e$y=;r9-EMxT^lohbjM)(;VTh3z>H3Zb+j6tvol4EkPC6?mqr6(|l2W literal 0 HcmV?d00001 diff --git a/lam/lib/modules/sambaSamAccount.inc b/lam/lib/modules/sambaSamAccount.inc index 0a530c69..412d3766 100644 --- a/lam/lib/modules/sambaSamAccount.inc +++ b/lam/lib/modules/sambaSamAccount.inc 
@@ -2374,8 +2374,10 @@ class sambaSamAccount extends baseModule implements passwordService {
 private function doSelfServicePasswordHistoryAndMinAge($attributes, &$return) {
 if (!empty($this->selfServiceSettings->moduleSettings['sambaSamAccount_domainSuffix'][0])) {
 $sambaDomain = $this->getUserDomain($attributes, $_SESSION['ldapHandle'], $this->selfServiceSettings->moduleSettings['sambaSamAccount_domainSuffix'][0]);
- if (($sambaDomain != null)
- && !empty($sambaDomain->pwdHistoryLength)
+ if ($sambaDomain == null) {
+ return;
+ }
+ if (!empty($sambaDomain->pwdHistoryLength)
 && is_numeric($sambaDomain->pwdHistoryLength)
 && ($sambaDomain->pwdHistoryLength > 0)) {
 if (sambaSamAccount::oldPasswordUsed($return['info']['sambaUserPasswordClearText'][0], $attributes, $sambaDomain)) {
@@ -2397,7 +2399,16 @@ class sambaSamAccount extends baseModule implements passwordService {
 }
 }
 }
- // TODO check min age
+ // check min age
+ if (!empty($sambaDomain->minPwdAge) && ($sambaDomain->minPwdAge > 0) && !empty($attributes['sambaPwdLastSet'][0])) {
+ $timeVal = $attributes['sambaPwdLastSet'][0] + $sambaDomain->minPwdAge;
+ $time = new DateTime('@' . $timeVal, new DateTimeZone('UTC'));
+ $time->setTimezone(getTimeZone());
+ $now = new DateTime(null, getTimeZone());
+ if ($time > $now) {
+ $return['messages'][] = array('ERROR', _('You are not yet allowed to change your password.'));
+ }
+ }
 }
 }
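Review bot: The new early return `if ($sambaDomain == null) { return; }` skips every check below it without a trace, so when a domain suffix is configured but no Samba domain is resolved for the user, the password history check and the minimum-age check added later in this function are both silently not enforced. The old `!= null` condition already failed open for the history check, but the return now covers two policies and deserves at least a comment such as `// no Samba domain found for this user: history and minimum age are not enforced`, and ideally a log entry so an administrator can spot a wrong suffix. The loose `== null` also treats any falsy return as "no domain"; `=== null` would be stricter if `getUserDomain()` returns null on a miss, which is not visible here. The function body continues past the end of this hunk.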
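Review bot: The minimum-age condition does arithmetic on `$attributes['sambaPwdLastSet'][0]` and `$sambaDomain->minPwdAge` without the `is_numeric()` guard that the history check applies to `pwdHistoryLength`, so a malformed directory value reaches the `+` and the `new DateTime('@' . $timeVal, ...)` constructor, which throws on an unparsable string. Adding `&& is_numeric($sambaDomain->minPwdAge) && is_numeric($attributes['sambaPwdLastSet'][0])` to the condition keeps the two checks consistent. The `'@'` prefix treats the sum as a Unix timestamp, so the time zone conversion does not affect the comparison and `if ($timeVal > time()) {` would decide the same thing with fewer moving parts (it also avoids passing `null` to `DateTime`, which newer PHP versions deprecate). The check only appends an ERROR entry to `$return['messages']`; whether the caller aborts the change on that is outside this hunk and worth confirming, as is whether users can write their own `sambaPwdLastSet`, since the policy is evaluated from that attribute.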