389ds locking

Roland Gruber 2016-06-19 17:12:00 +02:00
parent f4f6b7c34c
commit b5afb21b21
7 changed files with 70 additions and 5 deletions

@ -2,7 +2,7 @@ June 2016 5.4
- Unix: support magic numbers for UIDs/GIDs (e.g. 389 server DNA plugin) - Unix: support magic numbers for UIDs/GIDs (e.g. 389 server DNA plugin)
- Samba 3: support for Samba password history (RFE 133) - Samba 3: support for Samba password history (RFE 133)
- LAM Pro: - LAM Pro:
-> New module for 389ds unlocking and deactivation status -> New module for 389ds unlocking and account (de)activation
-> Self registration: support for Google reCAPTCHA -> Self registration: support for Google reCAPTCHA
-> Password notification jobs support CC and BCC -> Password notification jobs support CC and BCC
-> Self Service: Samba 3 supports password history and minimum age check -> Self Service: Samba 3 supports password history and minimum age check

@ -3710,6 +3710,17 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
server profile and activate the "Password policy" module for the user server profile and activate the "Password policy" module for the user
type.</para> type.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/ppolicyUser2.png" />
</imageobject>
</mediaobject>
</screenshot>
<para>You can select the password policy and force a password change
on next login. Accounts can also be (un)locked.</para>
<screenshot> <screenshot>
<mediaobject> <mediaobject>
<imageobject> <imageobject>
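
Review bot: the added para "Accounts can also be (un)locked." does not say whether this is a manual lock or only the reset of a lockout caused by failed logins. The 389ds section added further down in this file states that distinction explicitly ("You cannot manually lock an account"), and one sentence here would keep an administrator from assuming both modules behave the same way.
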
@ -3729,6 +3740,58 @@ mysql&gt; GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
Otherwise, it will have no effect.</para> Otherwise, it will have no effect.</para>
</section> </section>
<section>
<title>Locking status for 389ds (LAM Pro)</title>
<para>This module allows you to display if users are locked by 389ds
server. You can also (de)activate users.</para>
<para>Requirements: 389ds LDAP server</para>
<para><emphasis role="bold">Configuration</emphasis></para>
<para>Please add the user module "Locking status
(locking389ds)".</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_389dsLocking1.png" />
</imageobject>
</mediaobject>
</screenshot>
<para>This will show the number of failed login attempts and till when
the user is locked by the system.</para>
<para>The limit of failed login attempts and lockout duration is
configured on your server and not within LAM.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_389dsLocking2.png" />
</imageobject>
</mediaobject>
</screenshot>
<para>You can unlock the user by clicking on the lock icon.</para>
<para>Here you can also (de)activate the account.</para>
<para>Note: Accounts are only locked by the LDAP server due to failed
password attempts. You cannot manually lock an account. Deactivate it
in case you want to disable login for a user.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_389dsLocking3.png" />
</imageobject>
</mediaobject>
</screenshot>
</section>
<section> <section>
<title>FreeRadius</title> <title>FreeRadius</title>
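
Review bot: the new "Locking status for 389ds" section describes unlocking and (de)activation but never names the LDAP attributes the module reads and writes. Administrators need those to grant the LAM bind user exactly the required access and to audit changes, so a short para listing them after "Requirements: 389ds LDAP server" would cover it. The Note could also say whether deactivation affects connections that are already bound. Wording: "till when the user is locked" reads better as "until when the user is locked".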

Binary file not shown. Size: 54 KiB

Binary file not shown. Size: 19 KiB

Binary file not shown. Size: 14 KiB

Binary file not shown. Size: 54 KiB

@ -227,10 +227,10 @@ class user extends baseType {
$is389dsAvailable = ($container->getAccountModule('locking389ds') != null); $is389dsAvailable = ($container->getAccountModule('locking389ds') != null);
$is389dsLocked = $is389dsAvailable && $container->getAccountModule('locking389ds')->isLocked(); $is389dsLocked = $is389dsAvailable && $container->getAccountModule('locking389ds')->isLocked();
$is389dsDeactivated = $is389dsAvailable && $container->getAccountModule('locking389ds')->isDeactivated(); $is389dsDeactivated = $is389dsAvailable && $container->getAccountModule('locking389ds')->isDeactivated();
if (!$unixAvailable && !$sambaAvailable && !$ppolicyAvailable && !$windowsAvailable && !$is389dsDeactivated && !$is389dsLocked) { if (!$unixAvailable && !$sambaAvailable && !$ppolicyAvailable && !$windowsAvailable && !$is389dsAvailable) {
return ''; return '';
} }
$isEditable = checkIfWriteAccessIsAllowed('user') && ($unixAvailable || $sambaAvailable || $ppolicyAvailable || $windowsAvailable || $is389dsLocked); $isEditable = checkIfWriteAccessIsAllowed('user') && ($unixAvailable || $sambaAvailable || $ppolicyAvailable || $windowsAvailable || $is389dsAvailable);
// get locking status // get locking status
$unixLocked = false; $unixLocked = false;
if ($unixAvailable && $container->getAccountModule('posixAccount')->isLocked()) { if ($unixAvailable && $container->getAccountModule('posixAccount')->isLocked()) {
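
Review bot: $isEditable now becomes true whenever the locking389ds module is present, including for accounts that are neither locked nor deactivated, so the dialog behind the status link must offer a 389ds action (deactivate) in that state; that code is not in this hunk and should be checked against this change. Separately, the three context lines above call $container->getAccountModule('locking389ds') three times and test the result with != null; fetching the module once into a local variable and comparing with !== null would be cleaner and avoids loose comparison.
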
@ -300,8 +300,10 @@ class user extends baseType {
$statusTable .= '<tr><td>' . _('Locked') . '&nbsp;&nbsp;</td><td><img height=16 width=16 src=&quot;../../graphics/lock.png&quot;></td></tr>'; $statusTable .= '<tr><td>' . _('Locked') . '&nbsp;&nbsp;</td><td><img height=16 width=16 src=&quot;../../graphics/lock.png&quot;></td></tr>';
} }
// 389ds deactivated // 389ds deactivated
if ($is389dsDeactivated) { if ($is389dsAvailable) {
$statusTable .= '<tr><td>' . _('Deactivated') . '&nbsp;&nbsp;</td><td><img height=16 width=16 src=&quot;../../graphics/lock.png&quot;></td></tr>'; $text389dsActivation = $is389dsDeactivated ? _('Deactivated') : _('Active');
$icon389dsActivation = $is389dsDeactivated ? 'lock.png' : 'unlocked.png';
$statusTable .= '<tr><td>' . $text389dsActivation . '&nbsp;&nbsp;</td><td><img height=16 width=16 src=&quot;../../graphics/' . $icon389dsActivation . '&quot;></td></tr>';
} }
$statusTable .= '</table>'; $statusTable .= '</table>';
$tipContent = $statusTable; $tipContent = $statusTable;
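
Review bot: in the "389ds deactivated" block the deactivated case reuses lock.png, the same icon the "Locked" row directly above uses, so a locked account and a deactivated account are indistinguishable by icon in the tooltip even though the documentation treats them as different states; a distinct icon for deactivation would make the status readable at a glance. The new img tag also carries no alt text, and $text389dsActivation is already at hand for it.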