389ds locking

lam/HISTORY

@@ -2,7 +2,7 @@ June 2016 5.4
   - Unix: support magic numbers for UIDs/GIDs (e.g. 389 server DNA plugin)
   - Samba 3: support for Samba password history (RFE 133)
   - LAM Pro:
-   -> New module for 389ds unlocking and deactivation status
+   -> New module for 389ds unlocking and account (de)activation
    -> Self registration: support for Google reCAPTCHA
    -> Password notification jobs support CC and BCC
    -> Self Service: Samba 3 supports password history and minimum age check

lam/docs/manual-sources/howto.xml

@@ -3710,6 +3710,17 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
         server profile and activate the "Password policy" module for the user
         type.</para>
 
+        <screenshot>
+          <mediaobject>
+            <imageobject>
+              <imagedata fileref="images/ppolicyUser2.png" />
+            </imageobject>
+          </mediaobject>
+        </screenshot>
+
+        <para>You can select the password policy and force a password change
+        on next login. Accounts can also be (un)locked.</para>
+
         <screenshot>
           <mediaobject>
             <imageobject>
@@ -3729,6 +3740,58 @@ mysql&gt; GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
         Otherwise, it will have no effect.</para>
       </section>
 
+      <section>
+        <title>Locking status for 389ds (LAM Pro)</title>
+
+        <para>This module allows you to display if users are locked by 389ds
+        server. You can also (de)activate users.</para>
+
+        <para>Requirements: 389ds LDAP server</para>
+
+        <para><emphasis role="bold">Configuration</emphasis></para>
+
+        <para>Please add the user module "Locking status
+        (locking389ds)".</para>
+
+        <screenshot>
+          <mediaobject>
+            <imageobject>
+              <imagedata fileref="images/mod_389dsLocking1.png" />
+            </imageobject>
+          </mediaobject>
+        </screenshot>
+
+        <para>This will show the number of failed login attempts and till when
+        the user is locked by the system.</para>
+
+        <para>The limit of failed login attempts and lockout duration is
+        configured on your server and not within LAM.</para>
+
+        <screenshot>
+          <mediaobject>
+            <imageobject>
+              <imagedata fileref="images/mod_389dsLocking2.png" />
+            </imageobject>
+          </mediaobject>
+        </screenshot>
+
+        <para>You can unlock the user by clicking on the lock icon.</para>
+
+        <para>Here you can also (de)activate the account.</para>
+
+        <para>Note: Accounts are only locked by the LDAP server due to failed
+        password attempts. You cannot manually lock an account. Deactivate it
+        in case you want to disable login for a user.</para>
+
+        <screenshot>
+          <mediaobject>
+            <imageobject>
+              <imagedata fileref="images/mod_389dsLocking3.png" />
+            </imageobject>
+          </mediaobject>
+        </screenshot>
+      </section>
+
       <section>
         <title>FreeRadius</title>
 

lam/lib/types/user.inc

@@ -227,10 +227,10 @@ class user extends baseType {
 		$is389dsAvailable = ($container->getAccountModule('locking389ds') != null);
 		$is389dsLocked = $is389dsAvailable && $container->getAccountModule('locking389ds')->isLocked();
 		$is389dsDeactivated = $is389dsAvailable && $container->getAccountModule('locking389ds')->isDeactivated();
-		if (!$unixAvailable && !$sambaAvailable && !$ppolicyAvailable && !$windowsAvailable && !$is389dsDeactivated && !$is389dsLocked) {
+		if (!$unixAvailable && !$sambaAvailable && !$ppolicyAvailable && !$windowsAvailable && !$is389dsAvailable) {
 			return '';
 		}
-		$isEditable = checkIfWriteAccessIsAllowed('user') && ($unixAvailable  || $sambaAvailable || $ppolicyAvailable || $windowsAvailable || $is389dsLocked);
+		$isEditable = checkIfWriteAccessIsAllowed('user') && ($unixAvailable  || $sambaAvailable || $ppolicyAvailable || $windowsAvailable || $is389dsAvailable);
 		// get locking status
 		$unixLocked = false;
 		if ($unixAvailable && $container->getAccountModule('posixAccount')->isLocked()) {
@@ -300,8 +300,10 @@ class user extends baseType {
 			$statusTable .= '<tr><td>' . _('Locked') . '&nbsp;&nbsp;</td><td><img height=16 width=16 src=&quot;../../graphics/lock.png&quot;></td></tr>';
 		}
 		// 389ds deactivated
-		if ($is389dsDeactivated) {
+		if ($is389dsAvailable) {
-			$statusTable .= '<tr><td>' . _('Deactivated') . '&nbsp;&nbsp;</td><td><img height=16 width=16 src=&quot;../../graphics/lock.png&quot;></td></tr>';
+			$text389dsActivation = $is389dsDeactivated ? _('Deactivated') : _('Active');
+			$icon389dsActivation = $is389dsDeactivated ? 'lock.png' : 'unlocked.png';
+			$statusTable .= '<tr><td>' . $text389dsActivation . '&nbsp;&nbsp;</td><td><img height=16 width=16 src=&quot;../../graphics/' . $icon389dsActivation . '&quot;></td></tr>';
 		}
 		$statusTable .= '</table>';
 		$tipContent = $statusTable;