check password minimum age for Samba 3

Roland Gruber 2016-05-26 20:08:08 +02:00
parent 3a2580478d
commit 6089935a71
4 changed files with 35 additions and 4 deletions


@ -4,6 +4,7 @@ June 2016 5.4
-> New module for 389ds unlocking and deactivation status
-> Self registration: support for Google reCAPTCHA
-> Password notification jobs support CC and BCC
-> Self Service: Samba 3 supports password history and minimum age check
21.03.2016 5.3


@ -997,7 +997,7 @@ Have fun!
<title>Version specific upgrade instructions</title>
<section>
<title>5.1 -&gt; 5.3</title>
<title>5.1 -&gt; 5.4</title>
<para>No special actions needed.</para>
</section>
@ -8412,6 +8412,25 @@ OK (10 msec)</programlisting>
</screenshot>
</section>
<section>
<title>Samba 3</title>
<para>LAM Pro can check the password history and minimum age for Samba
3 password changes. In this case please provide the LDAP suffix where
your Samba 3 domain(s) are stored.</para>
<para>If you leave the field empty then no history and age checks will
be done.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/selfServiceSambaDomains.png" />
</imageobject>
</mediaobject>
</screenshot>
</section>
<section id="PasswordSelfReset">
<title>Password self reset</title>

Binary file not shown.



@ -2374,8 +2374,10 @@ class sambaSamAccount extends baseModule implements passwordService {
private function doSelfServicePasswordHistoryAndMinAge($attributes, &$return) {
if (!empty($this->selfServiceSettings->moduleSettings['sambaSamAccount_domainSuffix'][0])) {
$sambaDomain = $this->getUserDomain($attributes, $_SESSION['ldapHandle'], $this->selfServiceSettings->moduleSettings['sambaSamAccount_domainSuffix'][0]);
if (($sambaDomain != null)
&& !empty($sambaDomain->pwdHistoryLength)
if ($sambaDomain == null) {
return;
}
if (!empty($sambaDomain->pwdHistoryLength)
&& is_numeric($sambaDomain->pwdHistoryLength)
&& ($sambaDomain->pwdHistoryLength > 0)) {
if (sambaSamAccount::oldPasswordUsed($return['info']['sambaUserPasswordClearText'][0], $attributes, $sambaDomain)) {
@ -2397,7 +2399,16 @@ class sambaSamAccount extends baseModule implements passwordService {
}
}
}
// TODO check min age
// check min age
if (!empty($sambaDomain->minPwdAge) && ($sambaDomain->minPwdAge > 0) && !empty($attributes['sambaPwdLastSet'][0])) {
$timeVal = $attributes['sambaPwdLastSet'][0] + $sambaDomain->minPwdAge;
$time = new DateTime('@' . $timeVal, new DateTimeZone('UTC'));
$time->setTimezone(getTimeZone());
$now = new DateTime(null, getTimeZone());
if ($time > $now) {
$return['messages'][] = array('ERROR', _('You are not yet allowed to change your password.'));
}
}
}
}
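Review bot: The new minimum-age check computes `$timeVal = $attributes['sambaPwdLastSet'][0] + $sambaDomain->minPwdAge;` from two LDAP-supplied strings without the `is_numeric()` guard that the history check above applies to `pwdHistoryLength`, so a malformed value is silently coerced (or raises an error on newer PHP versions) rather than being rejected. I would guard both operands, e.g. `if (is_numeric($sambaDomain->minPwdAge) && ($sambaDomain->minPwdAge > 0) && !empty($attributes['sambaPwdLastSet'][0]) && is_numeric($attributes['sambaPwdLastSet'][0])) {`. The new early `return` on `$sambaDomain == null` also fails open: if the configured suffix is wrong or the domain lookup finds nothing, both the history and the minimum-age policy are skipped with no trace, so a log line or at least a comment such as `// no Samba domain found: history and min age checks are skipped` would help operators notice. The part of the function between the two hunks is not visible here, so whether the appended 'ERROR' message actually blocks the password change could not be confirmed from this page.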