password history

Roland Gruber 2016-07-09 09:31:55 +02:00
parent feaa741096
commit 7ba57d8161
5 changed files with 100 additions and 18 deletions


@ -3405,6 +3405,40 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
<para>LAM supports full Samba 3 user management including logon hours
and terminal server options.</para>
<para>The module is enabled by adding "Samba 3 (sambaSamAccount)" to
your user modules.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_samba3Config2.png" />
</imageobject>
</mediaobject>
</screenshot>
<para>In the configuration options you can enable password history
checking. Depending on your LDAP server you might need ascending or
descending order. Just switch the setting if the password history is
not correctly updated.</para>
<para>In case you have no very old Windows clients (e.g. Windows 98)
it is recommended to disable LM hashes. They are considered to be
insecure.</para>
<para>You can also hide some input fields if you do not need
them.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_samba3Config1.png" />
</imageobject>
</mediaobject>
</screenshot>
<para>After configuring the module you will see the Samba 3 tab when
you edit a user.</para>
<screenshot>
<mediaobject>
<imageobject>
@ -3413,6 +3447,8 @@ mysql&gt; GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
</mediaobject>
</screenshot>
<para>Logon hours can be changed.</para>
<screenshot>
<mediaobject>
<imageobject>
@ -3421,6 +3457,8 @@ mysql&gt; GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
</mediaobject>
</screenshot>
<para>You can also setup terminal server settings.</para>
<screenshot>
<mediaobject>
<imageobject>
@ -8492,6 +8530,10 @@ OK (10 msec)</programlisting>
<para>If you leave the field empty then no history and age checks will
be done.</para>
<para>Password history: depending on your LDAP server you might need
ascending or descending order. Just switch the setting if the password
history is not correctly updated.</para>
<screenshot>
<mediaobject>
<imageobject>

Binary file not shown.

After

Width:  |  Height:  |  Size: 25 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 49 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 6.7 KiB

After

Width:  |  Height:  |  Size: 12 KiB


@ -253,12 +253,6 @@ class sambaSamAccount extends baseModule implements passwordService {
);
// self service: fields that cannot be relabeled
$return['selfServiceNoRelabelFields'] = array('syncNTPassword', 'syncLMPassword', 'syncSambaPwdLastSet');
// self service options
$selfServiceContainer = new htmlTable();
$selfServiceDomainSuffix = new htmlTableExtendedInputField(_('Domain suffix'), 'sambaSamAccount_domainSuffix');
$selfServiceContainer->addElement($selfServiceDomainSuffix);
$selfServiceContainer->addElement(new htmlHelpLink('domainSuffix', get_class($this)), true);
$return['selfServiceSettings'] = $selfServiceContainer;
// help Entries
$return['help'] = array (
"displayName" => array(
@ -413,7 +407,7 @@ class sambaSamAccount extends baseModule implements passwordService {
"Text" => _("Please enter the LDAP suffix where your Samba domain entries are stored.")),
'history' => array(
"Headline" => _("Password history"),
"Text" => _("Enables password history. Depending on your LDAP server you need to select the right server-side ordering (switch if old passwords are not removed from history).")),
"Text" => _("Enables password history. Depending on your LDAP server you need to select the right server-side ordering (switch ordering here if old passwords are not removed from history).")),
);
// upload dependencies
$return['upload_preDepends'] = array('posixAccount', 'inetOrgPerson');
@ -2265,6 +2259,40 @@ class sambaSamAccount extends baseModule implements passwordService {
return $errors;
}
/**
* Returns a list of self service configuration settings.
*
* Calling this method does not require the existence of an enclosing {@link accountContainer}.<br>
* <br>
* The name attributes are used as keywords to load
* and save settings. We recommend to use the module name as prefix for them
* (e.g. posixAccount_homeDirectory) to avoid naming conflicts.
*
* @param selfServiceProfile $profile currently edited profile
* @return htmlElement meta HTML object
*
* @see baseModule::get_metaData()
* @see htmlElement
*/
public function getSelfServiceSettings($profile) {
$selfServiceContainer = new htmlTable();
// domain suffix
$selfServiceDomainSuffix = new htmlTableExtendedInputField(_('Domain suffix'), 'sambaSamAccount_domainSuffix');
$selfServiceContainer->addElement($selfServiceDomainSuffix);
$selfServiceContainer->addElement(new htmlHelpLink('domainSuffix', get_class($this)), true);
// password history
$historyOptions = array(
_('yes - ordered ascending') => 'yes_deleteLast',
_('yes - ordered descending') => 'yes_deleteFirst',
_('no') => 'no'
);
$historySelect = new htmlTableExtendedSelect('sambaSamAccount_history', $historyOptions, array('yes_deleteLast'), _("Password history"));
$historySelect->setHasDescriptiveElements(true);
$selfServiceContainer->addElement($historySelect);
$selfServiceContainer->addElement(new htmlHelpLink('history', get_class($this)), true);
return $selfServiceContainer;
}
/**
* Returns the meta HTML code for each input field.
* format: array(<field1> => array(<META HTML>), ...)
@ -2423,11 +2451,22 @@ class sambaSamAccount extends baseModule implements passwordService {
}
else {
// update password history
if (sambaSamAccount::isPasswordHistoryEnabled($this->selfServiceSettings->moduleSettings)) {
$sambaPasswordHistory = empty($attributes['sambaPasswordHistory']) ? null : $attributes['sambaPasswordHistory'];
while (sizeof($sambaPasswordHistory) > ($sambaDomain->pwdHistoryLength - 1)) {
if (empty($this->selfServiceSettings->moduleSettings['sambaSamAccount_history'][0]) || ($this->selfServiceSettings->moduleSettings['sambaSamAccount_history'][0] == 'yes_deleteLast')) {
array_pop($sambaPasswordHistory);
}
else {
array_shift($sambaPasswordHistory);
}
}
if (empty($this->selfServiceSettings->moduleSettings['sambaSamAccount_history'][0]) || ($this->selfServiceSettings->moduleSettings['sambaSamAccount_history'][0] == 'yes_deleteLast')) {
array_unshift($sambaPasswordHistory, sambaSamAccount::createHistoryEntry($return['info']['sambaUserPasswordClearText'][0]));
}
else {
$sambaPasswordHistory[] = sambaSamAccount::createHistoryEntry($return['info']['sambaUserPasswordClearText'][0]);
}
$sambaPasswordHistory = array_values($sambaPasswordHistory);
if (empty($attributes['sambaPasswordHistory'])) {
$return['add']['sambaPasswordHistory'] = $sambaPasswordHistory;
@ -2437,6 +2476,7 @@ class sambaSamAccount extends baseModule implements passwordService {
}
}
}
}
// check min age
if (!empty($sambaDomain->minPwdAge) && ($sambaDomain->minPwdAge > 0) && !empty($attributes['sambaPwdLastSet'][0])) {
$timeVal = $attributes['sambaPwdLastSet'][0] + $sambaDomain->minPwdAge;
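Review bot: In the hunk at `-2423,11 +2451,22`, `$sambaPasswordHistory` is set to `null` when the entry has no `sambaPasswordHistory` attribute, and the two ordering branches handle that differently: `$sambaPasswordHistory[] = …` turns null into an array, but `array_unshift()` in the default `yes_deleteLast` branch does not accept null (a warning and no insert on older PHP, a TypeError on PHP 8). An account's first password change would then store no history entry, so the reuse check has nothing to compare against on the next change. Initialising with an empty array avoids this: `$sambaPasswordHistory = empty($attributes['sambaPasswordHistory']) ? array() : $attributes['sambaPasswordHistory'];`. The enclosing method starts and ends outside the hunk, so it is not visible whether `$sambaDomain->pwdHistoryLength` is checked to be positive before the `while` loop; if it is not, a length of 0 would keep the loop condition true on an empty array.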