diff --git a/lam/HISTORY b/lam/HISTORY index d1b6177f..3e3624f1 100644 --- a/lam/HISTORY +++ b/lam/HISTORY @@ -2,7 +2,7 @@ June 2016 5.4 - Unix: support magic numbers for UIDs/GIDs (e.g. 389 server DNA plugin) - Samba 3: support for Samba password history (RFE 133) - LAM Pro: - -> New module for 389ds unlocking and deactivation status + -> New module for 389ds unlocking and account (de)activation -> Self registration: support for Google reCAPTCHA -> Password notification jobs support CC and BCC -> Self Service: Samba 3 supports password history and minimum age check diff --git a/lam/docs/manual-sources/howto.xml b/lam/docs/manual-sources/howto.xml index 391f6d1b..32cd1db7 100644 --- a/lam/docs/manual-sources/howto.xml +++ b/lam/docs/manual-sources/howto.xml @@ -3710,6 +3710,17 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost'; server profile and activate the "Password policy" module for the user type. + + + + + + + + + You can select the password policy and force a password change + on next login. Accounts can also be (un)locked. + @@ -3729,6 +3740,58 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost'; Otherwise, it will have no effect. +
+ Locking status for 389ds (LAM Pro) + + This module allows you to display if users are locked by 389ds + server. You can also (de)activate users. + + Requirements: 389ds LDAP server + + Configuration + + Please add the user module "Locking status + (locking389ds)". + + + + + + + + + + This will show the number of failed login attempts and till when + the user is locked by the system. + + The limit of failed login attempts and lockout duration is + configured on your server and not within LAM. + + + + + + + + + + You can unlock the user by clicking on the lock icon. + + Here you can also (de)activate the account. + + Note: Accounts are only locked by the LDAP server due to failed + password attempts. You cannot manually lock an account. Deactivate it + in case you want to disable login for a user. + + + + + + + + +
+
FreeRadius
diff --git a/lam/docs/manual-sources/images/mod_389dsLocking1.png b/lam/docs/manual-sources/images/mod_389dsLocking1.png
new file mode 100644
index 00000000..b6ca5c5c
Binary files /dev/null and b/lam/docs/manual-sources/images/mod_389dsLocking1.png differ
diff --git a/lam/docs/manual-sources/images/mod_389dsLocking2.png b/lam/docs/manual-sources/images/mod_389dsLocking2.png
new file mode 100644
index 00000000..fd1d16ba
Binary files /dev/null and b/lam/docs/manual-sources/images/mod_389dsLocking2.png differ
diff --git a/lam/docs/manual-sources/images/mod_389dsLocking3.png b/lam/docs/manual-sources/images/mod_389dsLocking3.png
new file mode 100644
index 00000000..fc862a4d
Binary files /dev/null and b/lam/docs/manual-sources/images/mod_389dsLocking3.png differ
diff --git a/lam/docs/manual-sources/images/ppolicyUser2.png b/lam/docs/manual-sources/images/ppolicyUser2.png
new file mode 100644
index 00000000..d8819ee2
Binary files /dev/null and b/lam/docs/manual-sources/images/ppolicyUser2.png differ
diff --git a/lam/lib/types/user.inc b/lam/lib/types/user.inc
index 1a61c282..0fbd9552 100644
--- a/lam/lib/types/user.inc
+++ b/lam/lib/types/user.inc
@@ -227,10 +227,10 @@ class user extends baseType {
 $is389dsAvailable = ($container->getAccountModule('locking389ds') != null);
 $is389dsLocked = $is389dsAvailable && $container->getAccountModule('locking389ds')->isLocked();
 $is389dsDeactivated = $is389dsAvailable && $container->getAccountModule('locking389ds')->isDeactivated();
- if (!$unixAvailable && !$sambaAvailable && !$ppolicyAvailable && !$windowsAvailable && !$is389dsDeactivated && !$is389dsLocked) {
+ if (!$unixAvailable && !$sambaAvailable && !$ppolicyAvailable && !$windowsAvailable && !$is389dsAvailable) {
 return '';
 }
- $isEditable = checkIfWriteAccessIsAllowed('user') && ($unixAvailable || $sambaAvailable || $ppolicyAvailable || $windowsAvailable || $is389dsLocked);
+ $isEditable = checkIfWriteAccessIsAllowed('user') && ($unixAvailable || $sambaAvailable || $ppolicyAvailable || $windowsAvailable || $is389dsAvailable);
 // get locking status
 $unixLocked = false;
 if ($unixAvailable && $container->getAccountModule('posixAccount')->isLocked()) {
@@ -300,8 +300,10 @@ class user extends baseType {
 $statusTable .= '' . _('Locked') . '  ';
 }
 // 389ds deactivated
- if ($is389dsDeactivated) {
- $statusTable .= '' . _('Deactivated') . '  ';
+ if ($is389dsAvailable) {
+ $text389dsActivation = $is389dsDeactivated ? _('Deactivated') : _('Active');
+ $icon389dsActivation = $is389dsDeactivated ? 'lock.png' : 'unlocked.png';
+ $statusTable .= '' . $text389dsActivation . '  ';
 }
 $statusTable .= '';
 $tipContent = $statusTable;
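Review bot: The two widened conditions in the first hunk carry no comment explaining why the presence of the locking389ds module, rather than `$is389dsLocked` or `$is389dsDeactivated`, now decides whether the status cell is shown and editable. A line above the `$isEditable` assignment such as `// 389ds: editable whenever the module is present, because an active account can still be deactivated` would record the intent. `$isEditable` only gates what the status cell offers. The code that consumes it and the handlers that perform the unlock or (de)activation are outside this hunk, so it is worth confirming that they enforce `checkIfWriteAccessIsAllowed('user')` themselves rather than relying on this flag.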
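Review bot: The context comment `// 389ds deactivated` above the rewritten block in the second hunk is now stale, because the block emits a row for every account with the module, active or not. `// 389ds activation status (active or deactivated)` would match the new behaviour. The deactivated state is drawn with `lock.png`, which presumably also marks the server-side "Locked" row just above (its markup is not visible here). The manual text added in this commit treats lockout after failed logins and manual deactivation as separate states, so a distinct icon for deactivation would keep operators from misreading one as the other.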