added shadow account expiration notification job
parent
8af9661254
commit
dd2fb80375
|
@ -5,6 +5,7 @@ March 2019
|
||||||
- LAM Pro:
|
- LAM Pro:
|
||||||
-> New self service fields: Mail routing (Local address) and Windows (Proxy-Addresses)
|
-> New self service fields: Mail routing (Local address) and Windows (Proxy-Addresses)
|
||||||
-> Bind DLZ: support DNAME+XFR records and descriptions in records (requires latest LDAP schema)
|
-> Bind DLZ: support DNAME+XFR records and descriptions in records (requires latest LDAP schema)
|
||||||
|
-> Cron jobs: added Shadow account expiration notification jobs
|
||||||
- Fixed bugs:
|
- Fixed bugs:
|
||||||
-> Allow tree-only configurations without any other tab
|
-> Allow tree-only configurations without any other tab
|
||||||
|
|
||||||
|
|
|
@ -969,6 +969,11 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
||||||
move expired accounts</link></para>
|
move expired accounts</link></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><link linkend="job_shadow_account_expiration_note">Shadow:
|
||||||
|
Notify users about account expiration</link></para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><link linkend="job_windows_password_expire">Windows: Notify
|
<para><link linkend="job_windows_password_expire">Windows: Notify
|
||||||
users about password expiration</link></para>
|
users about password expiration</link></para>
|
||||||
|
@ -1364,6 +1369,90 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
||||||
</table>
|
</table>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
<section id="job_shadow_account_expiration_note">
|
||||||
|
<title>Shadow: Notify users about account expiration</title>
|
||||||
|
|
||||||
|
<para>This will send your users an email reminder before their whole
|
||||||
|
account expires.</para>
|
||||||
|
|
||||||
|
<para>You need to activate the Shadow module for users to be able to
|
||||||
|
add this job. The job can be added multiple times (e.g. to send a
|
||||||
|
second warning at a later time).</para>
|
||||||
|
|
||||||
|
<screenshot>
|
||||||
|
<graphic fileref="images/jobs_shadow3.png"/>
|
||||||
|
</screenshot>
|
||||||
|
|
||||||
|
<para><table>
|
||||||
|
<title>Options</title>
|
||||||
|
|
||||||
|
<tgroup cols="2">
|
||||||
|
<tbody>
|
||||||
|
<row>
|
||||||
|
<entry><emphasis role="bold">Option</emphasis></entry>
|
||||||
|
|
||||||
|
<entry><emphasis
|
||||||
|
role="bold">Description</emphasis></entry>
|
||||||
|
</row>
|
||||||
|
|
||||||
|
<row>
|
||||||
|
<entry>From address</entry>
|
||||||
|
|
||||||
|
<entry>The email address to set as FROM.</entry>
|
||||||
|
</row>
|
||||||
|
|
||||||
|
<row>
|
||||||
|
<entry>Reply-to address</entry>
|
||||||
|
|
||||||
|
<entry>Optional Reply-to address for email.</entry>
|
||||||
|
</row>
|
||||||
|
|
||||||
|
<row>
|
||||||
|
<entry>CC address</entry>
|
||||||
|
|
||||||
|
<entry>Optional CC mail address.</entry>
|
||||||
|
</row>
|
||||||
|
|
||||||
|
<row>
|
||||||
|
<entry>BCC address</entry>
|
||||||
|
|
||||||
|
<entry>Optional BCC mail address.</entry>
|
||||||
|
</row>
|
||||||
|
|
||||||
|
<row>
|
||||||
|
<entry>Subject</entry>
|
||||||
|
|
||||||
|
<entry>The email subject line. Supports wildcards, see
|
||||||
|
below.</entry>
|
||||||
|
</row>
|
||||||
|
|
||||||
|
<row>
|
||||||
|
<entry>Text</entry>
|
||||||
|
|
||||||
|
<entry>The email body text. Supports wildcards, see
|
||||||
|
below.</entry>
|
||||||
|
</row>
|
||||||
|
|
||||||
|
<row>
|
||||||
|
<entry>Notification period</entry>
|
||||||
|
|
||||||
|
<entry>Number of days to notify before account
|
||||||
|
expires.</entry>
|
||||||
|
</row>
|
||||||
|
</tbody>
|
||||||
|
</tgroup>
|
||||||
|
</table>Wildcards:</para>
|
||||||
|
|
||||||
|
<para>You can enter LDAP attributes as wildcards in the form
|
||||||
|
@@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@".
|
||||||
|
For the common name it would be "@@cn@@".</para>
|
||||||
|
|
||||||
|
<para>There are also two special wildcards for the expiration date.
|
||||||
|
@@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. "31.12.2016".
|
||||||
|
@@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
|
||||||
|
"2016-12-31".</para>
|
||||||
|
</section>
|
||||||
|
|
||||||
<section id="job_windows_password_expire">
|
<section id="job_windows_password_expire">
|
||||||
<title>Windows: Notify users about password expiration</title>
|
<title>Windows: Notify users about password expiration</title>
|
||||||
|
|
||||||
|
|
Binary file not shown.
After Width: | Height: | Size: 56 KiB |
|
@ -3,7 +3,7 @@
|
||||||
|
|
||||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||||
Copyright (C) 2003 - 2006 Tilo Lutz
|
Copyright (C) 2003 - 2006 Tilo Lutz
|
||||||
Copyright (C) 2007 - 2018 Roland Gruber
|
Copyright (C) 2007 - 2019 Roland Gruber
|
||||||
|
|
||||||
This program is free software; you can redistribute it and/or modify
|
This program is free software; you can redistribute it and/or modify
|
||||||
it under the terms of the GNU General Public License as published by
|
it under the terms of the GNU General Public License as published by
|
||||||
|
@ -762,7 +762,8 @@ class shadowAccount extends baseModule implements passwordService {
|
||||||
public function getSupportedJobs(&$config) {
|
public function getSupportedJobs(&$config) {
|
||||||
return array(
|
return array(
|
||||||
new ShadowAccountPasswordNotifyJob(),
|
new ShadowAccountPasswordNotifyJob(),
|
||||||
new ShadowAccountExpirationCleanupJob()
|
new ShadowAccountExpirationCleanupJob(),
|
||||||
|
new ShadowAccountExpirationNotifyJob()
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -914,6 +915,100 @@ if (interface_exists('\LAM\JOB\Job', false)) {
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Job to notify users about account expiration.
|
||||||
|
*
|
||||||
|
* @package jobs
|
||||||
|
*/
|
||||||
|
class ShadowAccountExpirationNotifyJob extends \LAM\JOB\PasswordExpirationJob {
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns the alias name of the job.
|
||||||
|
*
|
||||||
|
* @return String name
|
||||||
|
*/
|
||||||
|
public function getAlias() {
|
||||||
|
return _('Shadow') . ': ' . _('Notify users about acoount expiration');
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* {@inheritDoc}
|
||||||
|
* @see \LAM\JOB\PasswordExpirationJob::getDescription()
|
||||||
|
*/
|
||||||
|
public function getDescription() {
|
||||||
|
return _('This job sends out emails to inform your users that their account will expire soon.');
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Searches for users in LDAP.
|
||||||
|
*
|
||||||
|
* @param String $jobID unique job identifier
|
||||||
|
* @param array $options config options (name => value)
|
||||||
|
* @return array list of user attributes
|
||||||
|
*/
|
||||||
|
protected function findUsers($jobID, $options) {
|
||||||
|
// read users
|
||||||
|
$sysattrs = array('mail', 'shadowExpire');
|
||||||
|
$attrs = $this->getAttrWildcards($jobID, $options);
|
||||||
|
$attrs = array_values(array_unique(array_merge($attrs, $sysattrs)));
|
||||||
|
return searchLDAPByFilter('(&(shadowExpire=*)(mail=*))', $attrs, array('user'));
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Checks if a user needs to change his password.
|
||||||
|
*
|
||||||
|
* @param integer $jobID job ID
|
||||||
|
* @param array $options job settings
|
||||||
|
* @param PDO $pdo PDO
|
||||||
|
* @param DateTime $now current time
|
||||||
|
* @param array $policyOptions list of max age values (policy DN => maxAge)
|
||||||
|
* @param array $user user attributes
|
||||||
|
* @param boolean $isDryRun just do a dry run, nothing is modified
|
||||||
|
*/
|
||||||
|
protected function checkSingleUser($jobID, $options, &$pdo, $now, $policyOptions, $user, $isDryRun) {
|
||||||
|
$dn = $user['dn'];
|
||||||
|
$expireTimeUnix = $user['shadowexpire'][0] * 3600 * 24;
|
||||||
|
$expireTime = new DateTime('@' . $expireTimeUnix, new DateTimeZone('UTC'));
|
||||||
|
$this->jobResultLog->logDebug("Expiration on " . $expireTime->format('Y-m-d'));
|
||||||
|
if ($expireTime <= $now) {
|
||||||
|
$this->jobResultLog->logDebug($dn . ' already expired');
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
$numDaysToWarn = 0;
|
||||||
|
if (!empty($options[$this->getConfigPrefix() . '_mailNotificationPeriod' . $jobID][0])) {
|
||||||
|
$numDaysToWarn = $options[$this->getConfigPrefix() . '_mailNotificationPeriod' . $jobID][0];
|
||||||
|
}
|
||||||
|
$actionTime = clone $expireTime;
|
||||||
|
if ($numDaysToWarn != 0) {
|
||||||
|
$actionTime->sub(new DateInterval('P' . $numDaysToWarn . 'D'));
|
||||||
|
}
|
||||||
|
$actionTime->setTimeZone(getTimeZone());
|
||||||
|
$this->jobResultLog->logDebug("Action time on " . $actionTime->format('Y-m-d'));
|
||||||
|
if ($actionTime > $now) {
|
||||||
|
$this->jobResultLog->logDebug($dn . ' does not need notification yet.');
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
$dbLastChange = $this->getDBLastPwdChangeTime($jobID, $pdo, $user['dn']);
|
||||||
|
// skip entries where mail was already sent
|
||||||
|
if ($dbLastChange == $user['shadowexpire'][0]) {
|
||||||
|
$this->jobResultLog->logDebug($dn . ' was already notified.');
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
if ($isDryRun) {
|
||||||
|
// no action for dry run
|
||||||
|
$this->jobResultLog->logInfo('Not sending email to ' . $dn . ' because of dry run.');
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
// send email
|
||||||
|
$success = $this->sendMail($options, $jobID, $user, $expireTime);
|
||||||
|
// update DB if mail was sent successfully
|
||||||
|
if ($success) {
|
||||||
|
$this->setDBLastPwdChangeTime($jobID, $pdo, $dn, $user['shadowexpire'][0]);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Job to delete or move users on account expiration.
|
* Job to delete or move users on account expiration.
|
||||||
*
|
*
|
||||||
|
|
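Review bot: The alias string in getAlias, `_('Notify users about acoount expiration')`, misspells "account"; because it is also the gettext msgid and the manual section added in this same commit is titled "Shadow: Notify users about account expiration", it should be `return _('Shadow') . ': ' . _('Notify users about account expiration');`. The docblock on checkSingleUser ("Checks if a user needs to change his password.") and its `$policyOptions` "list of max age values" description are carried over from the password job and should describe this job, e.g. "Checks if a user needs to be notified about upcoming account expiration.". checkSingleUser also multiplies `$user['shadowexpire'][0]` without confirming it is numeric, while findUsers only filters on `shadowExpire=*`, so a malformed attribute value yields a meaningless expiration date or, on PHP 8, a TypeError on the arithmetic that presumably aborts the job loop enclosing this call (that loop is outside the hunk); a guard before the multiplication such as `if (!is_numeric($user['shadowexpire'][0])) { $this->jobResultLog->logInfo($dn . ' has a non-numeric shadowExpire, skipping.'); return; }` keeps one bad entry from stopping notifications for everyone else. The same applies to the comparison `$dbLastChange == $user['shadowexpire'][0]`, which relies on loose string/number equality; if both sides are guaranteed numeric strings it is fine, otherwise casting both to int before a strict `===` is safer.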