#140 account expiration notification jobs

Roland Gruber 2018-11-05 20:21:46 +01:00
parent 4b4b982ad9
commit d983e86605
7 changed files with 355 additions and 2 deletions


@ -4,6 +4,7 @@ December 2018 6.6
- Windows users: manage "departmentNumber" (needs to be activated via LAM server profile)
- LAM Pro:
-> Easy setting of background color in self service profile
-> Cron jobs: added Windows/Qmail/FreeRadius account expiration notification jobs
25.09.2018 6.5


@ -907,6 +907,11 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
users about password expiration</link></para>
</listitem>
<listitem>
<para><link linkend="job_windows_account_expiration_note">Windows:
Notify users about account expiration</link></para>
</listitem>
<listitem>
<para><link linkend="job_windows_move_expired">Windows: Delete or
move expired accounts</link></para>
@ -917,10 +922,21 @@ mysql&gt; GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
Delete or move expired accounts</link></para>
</listitem>
<listitem>
<para><link
linkend="job_freeradius_account_expiration_notification">FreeRadius:
Notify users about account expiration</link></para>
</listitem>
<listitem>
<para><link linkend="job_qmail_move_expired">Qmail: Delete or move
expired accounts</link></para>
</listitem>
<listitem>
<para><link linkend="job_qmail_account_expire_notify">Qmail:
Notify users about account expiration</link></para>
</listitem>
</itemizedlist>
<section id="job_ppolicy_password_expire">
@ -1373,6 +1389,90 @@ mysql&gt; GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
"2016-12-31".</para>
</section>
<section id="job_windows_account_expiration_note">
<title>Windows: Notify users about account expiration</title>
<para>This will send your users an email reminder before their whole
account expires.</para>
<para>You need to activate the Windows module for users to be able
to add this job. The job can be added multiple times (e.g. to send a
second warning at a later time).</para>
<screenshot>
<graphic fileref="images/jobs_windowsAccountExpiration.png"/>
</screenshot>
<para><table>
<title>Options</title>
<tgroup cols="2">
<tbody>
<row>
<entry><emphasis role="bold">Option</emphasis></entry>
<entry><emphasis
role="bold">Description</emphasis></entry>
</row>
<row>
<entry>From address</entry>
<entry>The email address to set as FROM.</entry>
</row>
<row>
<entry>Reply-to address</entry>
<entry>Optional Reply-to address for email.</entry>
</row>
<row>
<entry>CC address</entry>
<entry>Optional CC mail address.</entry>
</row>
<row>
<entry>BCC address</entry>
<entry>Optional BCC mail address.</entry>
</row>
<row>
<entry>Subject</entry>
<entry>The email subject line. Supports wildcards, see
below.</entry>
</row>
<row>
<entry>Text</entry>
<entry>The email body text. Supports wildcards, see
below.</entry>
</row>
<row>
<entry>Notification period</entry>
<entry>Number of days to notify before account
expires.</entry>
</row>
</tbody>
</tgroup>
</table>Wildcards:</para>
<para>You can enter LDAP attributes as wildcards in the form
@@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@".
For the common name it would be "@@cn@@".</para>
<para>There are also two special wildcards for the expiration date.
@@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. "31.12.2016".
@@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
"2016-12-31".</para>
</section>
<section id="job_windows_move_expired">
<title>Windows: Delete or move expired accounts</title>
@ -1469,6 +1569,90 @@ mysql&gt; GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
</table>
</section>
<section id="job_freeradius_account_expiration_notification">
<title>FreeRadius: Notify users about account expiration</title>
<para>This will send your users an email reminder before their
FreeRadius account expires.</para>
<para>You need to activate the FreeRadius module for users to be
able to add this job. The job can be added multiple times (e.g. to
send a second warning at a later time).</para>
<screenshot>
<graphic fileref="images/jobs_freeradiusAccountExpiration.png"/>
</screenshot>
<para><table>
<title>Options</title>
<tgroup cols="2">
<tbody>
<row>
<entry><emphasis role="bold">Option</emphasis></entry>
<entry><emphasis
role="bold">Description</emphasis></entry>
</row>
<row>
<entry>From address</entry>
<entry>The email address to set as FROM.</entry>
</row>
<row>
<entry>Reply-to address</entry>
<entry>Optional Reply-to address for email.</entry>
</row>
<row>
<entry>CC address</entry>
<entry>Optional CC mail address.</entry>
</row>
<row>
<entry>BCC address</entry>
<entry>Optional BCC mail address.</entry>
</row>
<row>
<entry>Subject</entry>
<entry>The email subject line. Supports wildcards, see
below.</entry>
</row>
<row>
<entry>Text</entry>
<entry>The email body text. Supports wildcards, see
below.</entry>
</row>
<row>
<entry>Notification period</entry>
<entry>Number of days to notify before account
expires.</entry>
</row>
</tbody>
</tgroup>
</table>Wildcards:</para>
<para>You can enter LDAP attributes as wildcards in the form
@@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@".
For the common name it would be "@@cn@@".</para>
<para>There are also two special wildcards for the expiration date.
@@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. "31.12.2016".
@@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
"2016-12-31".</para>
</section>
<section id="job_qmail_move_expired">
<title>Qmail: Delete or move expired accounts</title>
@ -1517,6 +1701,90 @@ mysql&gt; GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
</tgroup>
</table>
</section>
<section id="job_qmail_account_expire_notify">
<title>Qmail: Notify users about account expiration</title>
<para>This will send your users an email reminder before their Qmail
account expires.</para>
<para>You need to activate the Qmail module for users to be able to
add this job. The job can be added multiple times (e.g. to send a
second warning at a later time).</para>
<screenshot>
<graphic fileref="images/jobs_qmailAccountExpiration.png"/>
</screenshot>
<para><table>
<title>Options</title>
<tgroup cols="2">
<tbody>
<row>
<entry><emphasis role="bold">Option</emphasis></entry>
<entry><emphasis
role="bold">Description</emphasis></entry>
</row>
<row>
<entry>From address</entry>
<entry>The email address to set as FROM.</entry>
</row>
<row>
<entry>Reply-to address</entry>
<entry>Optional Reply-to address for email.</entry>
</row>
<row>
<entry>CC address</entry>
<entry>Optional CC mail address.</entry>
</row>
<row>
<entry>BCC address</entry>
<entry>Optional BCC mail address.</entry>
</row>
<row>
<entry>Subject</entry>
<entry>The email subject line. Supports wildcards, see
below.</entry>
</row>
<row>
<entry>Text</entry>
<entry>The email body text. Supports wildcards, see
below.</entry>
</row>
<row>
<entry>Notification period</entry>
<entry>Number of days to notify before account
expires.</entry>
</row>
</tbody>
</tgroup>
</table>Wildcards:</para>
<para>You can enter LDAP attributes as wildcards in the form
@@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@".
For the common name it would be "@@cn@@".</para>
<para>There are also two special wildcards for the expiration date.
@@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. "31.12.2016".
@@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
"2016-12-31".</para>
</section>
</section>
<section>

Binary file not shown.


Width:  |  Height:  |  Size: 30 KiB

Binary file not shown.


Width:  |  Height:  |  Size: 30 KiB

Binary file not shown.


Width:  |  Height:  |  Size: 33 KiB


@ -776,7 +776,8 @@ class freeRadius extends baseModule {
*/
public function getSupportedJobs(&$config) {
return array(
new FreeRadiusAccountExpirationCleanupJob()
new FreeRadiusAccountExpirationCleanupJob(),
new FreeRadiusAccountExpirationNotifyJob()
);
}
@ -856,6 +857,89 @@ if (interface_exists('\LAM\JOB\Job', false)) {
}
/**
* Job to notify users about account expiration.
*
* @package jobs
*/
class FreeRadiusAccountExpirationNotifyJob extends \LAM\JOB\PasswordExpirationJob {
/**
* {@inheritDoc}
* @see \LAM\JOB\Job::getAlias()
*/
public function getAlias() {
return _('FreeRadius') . ': ' . _('Notify users about account expiration');
}
/**
* {@inheritDoc}
* @see \LAM\JOB\PasswordExpirationJob::getDescription()
*/
public function getDescription() {
return _('This job sends out emails to inform your users that their account will expire soon.');
}
/**
* {@inheritDoc}
* @see \LAM\JOB\PasswordExpirationJob::findUsers()
*/
protected function findUsers($jobID, $options) {
// read users
$sysattrs = array('radiusExpiration', 'mail');
$attrs = $this->getAttrWildcards($jobID, $options);
$attrs = array_values(array_unique(array_merge($attrs, $sysattrs)));
$userResults = searchLDAPByFilter('(&(radiusExpiration=*)(mail=*))', $attrs, array('user'));
return $userResults;
}
/**
* {@inheritDoc}
* @see \LAM\JOB\PasswordExpirationJob::checkSingleUser()
*/
protected function checkSingleUser($jobID, $options, &$pdo, $now, $policyOptions, $user, $isDryRun) {
$dn = $user['dn'];
// get time when account expires
$expirationTime = DateTime::createFromFormat('d M Y H:i', $user['radiusexpiration'][0], new DateTimeZone('UTC'));
$this->jobResultLog->logDebug("Account expiration on " . $expirationTime->format('Y-m-d'));
// skip if account itself is expired
if ($expirationTime <= $now) {
$this->jobResultLog->logDebug($dn . ' already expired');
return;
}
$numDaysToWarn = $options[$this->getConfigPrefix() . '_mailNotificationPeriod' . $jobID][0];
$this->jobResultLog->logDebug("Number of days before warning " . $numDaysToWarn);
// calculate time of notification
$notifyTime = clone $expirationTime;
$notifyTime->sub(new DateInterval('P' . $numDaysToWarn . 'D'));
$notifyTime->setTimeZone(getTimeZone());
$this->jobResultLog->logDebug("Account expiration notification on " . $notifyTime->format('Y-m-d H:i'));
// skip if notification is in the future
if ($notifyTime > $now) {
$this->jobResultLog->logDebug($dn . ' does not need notification yet.');
return;
}
$dbLastChange = $this->getDBLastPwdChangeTime($jobID, $pdo, $dn);
// skip entries where mail was already sent
if ($dbLastChange == $user['radiusexpiration'][0]) {
$this->jobResultLog->logDebug($dn . ' was already notified.');
return;
}
if ($isDryRun) {
// no action for dry run
$this->jobResultLog->logInfo('Not sending email to ' . $dn . ' because of dry run.');
return;
}
// send email
$success = $this->sendMail($options, $jobID, $user, $expirationTime);
// update DB if mail was sent successfully
if ($success) {
$this->setDBLastPwdChangeTime($jobID, $pdo, $dn, $user['radiusexpiration'][0]);
}
}
}
}
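Review bot: In `checkSingleUser` the result of `DateTime::createFromFormat('d M Y H:i', $user['radiusexpiration'][0], ...)` is used unchecked, and it is `false` whenever the directory value does not match that format, so the next line's `$expirationTime->format('Y-m-d')` raises a fatal error. The value comes straight from the LDAP entry, so a single malformed `radiusExpiration` would presumably stop the run before later users are notified (the calling loop is outside this hunk, as is the start of the enclosing `if (interface_exists(...))` block). Add a guard directly after the parse, e.g. `if ($expirationTime === false) { $this->jobResultLog->logInfo($dn . ' has an unparsable radiusExpiration value, skipping.'); return; }`. The same method passes `$numDaysToWarn` into `new DateInterval('P' . $numDaysToWarn . 'D')`, which throws on anything but a plain integer, so validating that option as numeric before use would be worth adding too.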


@ -3849,7 +3849,7 @@ if (interface_exists('\LAM\JOB\Job', false)) {
$notifyTime = clone $expirationTime;
$notifyTime->sub(new DateInterval('P' . $numDaysToWarn . 'D'));
$notifyTime->setTimeZone(getTimeZone());
$this->jobResultLog->logDebug("Password notification on " . $notifyTime->format('Y-m-d H:i'));
$this->jobResultLog->logDebug("Account expiration notification on " . $notifyTime->format('Y-m-d H:i'));
// skip if notification is in the future
if ($notifyTime > $now) {
$this->jobResultLog->logDebug($dn . ' does not need notification yet.');