password history

lam/docs/manual-sources/howto.xml

@@ -3405,6 +3405,40 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
         <para>LAM supports full Samba 3 user management including logon hours
         and terminal server options.</para>
 
+        <para>The module is enabled by adding "Samba 3 (sambaSamAccount)" to
+        your user modules.</para>
+
+        <screenshot>
+          <mediaobject>
+            <imageobject>
+              <imagedata fileref="images/mod_samba3Config2.png" />
+            </imageobject>
+          </mediaobject>
+        </screenshot>
+
+        <para>In the configuration options you can enable password history
+        checking. Depending on your LDAP server you might need ascending or
+        descending order. Just switch the setting if the password history is
+        not correctly updated.</para>
+
+        <para>In case you have no very old Windows clients (e.g. Windows 98)
+        it is recommended to disable LM hashes. They are considered to be
+        insecure.</para>
+
+        <para>You can also hide some input fields if you do not need
+        them.</para>
+
+        <screenshot>
+          <mediaobject>
+            <imageobject>
+              <imagedata fileref="images/mod_samba3Config1.png" />
+            </imageobject>
+          </mediaobject>
+        </screenshot>
+
+        <para>After configuring the module you will see the Samba 3 tab when
+        you edit a user.</para>
+
         <screenshot>
           <mediaobject>
             <imageobject>
@@ -3413,6 +3447,8 @@ mysql&gt; GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
           </mediaobject>
         </screenshot>
 
+        <para>Logon hours can be changed.</para>
+
         <screenshot>
           <mediaobject>
             <imageobject>
@@ -3421,6 +3457,8 @@ mysql&gt; GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
           </mediaobject>
         </screenshot>
 
+        <para>You can also setup terminal server settings.</para>
+
         <screenshot>
           <mediaobject>
             <imageobject>
@@ -8492,6 +8530,10 @@ OK (10 msec)</programlisting>
         <para>If you leave the field empty then no history and age checks will
         be done.</para>
 
+        <para>Password history: depending on your LDAP server you might need
+        ascending or descending order. Just switch the setting if the password
+        history is not correctly updated.</para>
+
         <screenshot>
           <mediaobject>
             <imageobject>

lam/lib/modules/sambaSamAccount.inc

@@ -253,12 +253,6 @@ class sambaSamAccount extends baseModule implements passwordService {
 		);
 		// self service: fields that cannot be relabeled
 		$return['selfServiceNoRelabelFields'] = array('syncNTPassword', 'syncLMPassword', 'syncSambaPwdLastSet');
-		// self service options
-		$selfServiceContainer = new htmlTable();
-		$selfServiceDomainSuffix = new htmlTableExtendedInputField(_('Domain suffix'), 'sambaSamAccount_domainSuffix');
-		$selfServiceContainer->addElement($selfServiceDomainSuffix);
-		$selfServiceContainer->addElement(new htmlHelpLink('domainSuffix', get_class($this)), true);
-		$return['selfServiceSettings'] = $selfServiceContainer;
 		// help Entries
 		$return['help'] = array (
 			"displayName" => array(
@@ -413,7 +407,7 @@ class sambaSamAccount extends baseModule implements passwordService {
 				"Text" => _("Please enter the LDAP suffix where your Samba domain entries are stored.")),
 			'history' => array(
 				"Headline" => _("Password history"),
-				"Text" => _("Enables password history. Depending on your LDAP server you need to select the right server-side ordering (switch if old passwords are not removed from history).")),
+				"Text" => _("Enables password history. Depending on your LDAP server you need to select the right server-side ordering (switch ordering here if old passwords are not removed from history).")),
 		);
 		// upload dependencies
 		$return['upload_preDepends'] = array('posixAccount', 'inetOrgPerson');
@@ -2265,6 +2259,40 @@ class sambaSamAccount extends baseModule implements passwordService {
 		return $errors;
 	}
 
+	/**
+	 * Returns a list of self service configuration settings.
+	 *
+	 * Calling this method does not require the existence of an enclosing {@link accountContainer}.<br>
+	 * <br>
+	 * The name attributes are used as keywords to load
+	 * and save settings. We recommend to use the module name as prefix for them
+	 * (e.g. posixAccount_homeDirectory) to avoid naming conflicts.
+	 *
+	 * @param selfServiceProfile $profile currently edited profile
+	 * @return htmlElement meta HTML object
+	 *
+	 * @see baseModule::get_metaData()
+	 * @see htmlElement
+	 */
+	public function getSelfServiceSettings($profile) {
+		$selfServiceContainer = new htmlTable();
+		// domain suffix
+		$selfServiceDomainSuffix = new htmlTableExtendedInputField(_('Domain suffix'), 'sambaSamAccount_domainSuffix');
+		$selfServiceContainer->addElement($selfServiceDomainSuffix);
+		$selfServiceContainer->addElement(new htmlHelpLink('domainSuffix', get_class($this)), true);
+		// password history
+		$historyOptions = array(
+				_('yes - ordered ascending') => 'yes_deleteLast',
+				_('yes - ordered descending') => 'yes_deleteFirst',
+				_('no') => 'no'
+		);
+		$historySelect = new htmlTableExtendedSelect('sambaSamAccount_history', $historyOptions, array('yes_deleteLast'), _("Password history"));
+		$historySelect->setHasDescriptiveElements(true);
+		$selfServiceContainer->addElement($historySelect);
+		$selfServiceContainer->addElement(new htmlHelpLink('history', get_class($this)), true);
+		return $selfServiceContainer;
+	}
+
 	/**
 	 * Returns the meta HTML code for each input field.
 	 * format: array(<field1> => array(<META HTML>), ...)
@@ -2423,17 +2451,29 @@ class sambaSamAccount extends baseModule implements passwordService {
 				}
 				else {
 					// update password history
-					$sambaPasswordHistory = empty($attributes['sambaPasswordHistory']) ? null : $attributes['sambaPasswordHistory'];
+					if (sambaSamAccount::isPasswordHistoryEnabled($this->selfServiceSettings->moduleSettings)) {
-					while (sizeof($sambaPasswordHistory) > ($sambaDomain->pwdHistoryLength - 1)) {
+						$sambaPasswordHistory = empty($attributes['sambaPasswordHistory']) ? null : $attributes['sambaPasswordHistory'];
-						array_pop($sambaPasswordHistory);
+						while (sizeof($sambaPasswordHistory) > ($sambaDomain->pwdHistoryLength - 1)) {
-					}
+							if (empty($this->selfServiceSettings->moduleSettings['sambaSamAccount_history'][0]) || ($this->selfServiceSettings->moduleSettings['sambaSamAccount_history'][0] == 'yes_deleteLast')) {
-					$sambaPasswordHistory[] = sambaSamAccount::createHistoryEntry($return['info']['sambaUserPasswordClearText'][0]);
+								array_pop($sambaPasswordHistory);
-					$sambaPasswordHistory = array_values($sambaPasswordHistory);
+							}
-					if (empty($attributes['sambaPasswordHistory'])) {
+							else {
-						$return['add']['sambaPasswordHistory'] = $sambaPasswordHistory;
+								array_shift($sambaPasswordHistory);
-					}
+							}
-					else {
+						}
-						$return['mod']['sambaPasswordHistory'] = $sambaPasswordHistory;
+						if (empty($this->selfServiceSettings->moduleSettings['sambaSamAccount_history'][0]) || ($this->selfServiceSettings->moduleSettings['sambaSamAccount_history'][0] == 'yes_deleteLast')) {
+							array_unshift($sambaPasswordHistory, sambaSamAccount::createHistoryEntry($return['info']['sambaUserPasswordClearText'][0]));
+						}
+						else {
+							$sambaPasswordHistory[] = sambaSamAccount::createHistoryEntry($return['info']['sambaUserPasswordClearText'][0]);
+						}
+						$sambaPasswordHistory = array_values($sambaPasswordHistory);
+						if (empty($attributes['sambaPasswordHistory'])) {
+							$return['add']['sambaPasswordHistory'] = $sambaPasswordHistory;
+						}
+						else {
+							$return['mod']['sambaPasswordHistory'] = $sambaPasswordHistory;
+						}
 					}
 				}
 			}