WMDE
/
LDAPAccountManager
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

added shadow account expiration notification job

This commit is contained in:
Roland Gruber 2019-03-03 10:16:45 +01:00
parent 8af9661254
commit dd2fb80375
4 changed files with 187 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
lam/HISTORY
View File

@ -5,6 +5,7 @@ March 2019
- LAM Pro: - LAM Pro:
-> New self service fields: Mail routing (Local address) and Windows (Proxy-Addresses) -> New self service fields: Mail routing (Local address) and Windows (Proxy-Addresses)
-> Bind DLZ: support DNAME+XFR records and descriptions in records (requires latest LDAP schema) -> Bind DLZ: support DNAME+XFR records and descriptions in records (requires latest LDAP schema)
-> Cron jobs: added Shadow account expiration notification jobs
- Fixed bugs: - Fixed bugs:
-> Allow tree-only configurations without any other tab -> Allow tree-only configurations without any other tab

89
lam/docs/manual-sources/chapter-configuration.xml
View File

@ -969,6 +969,11 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
move expired accounts</link></para> move expired accounts</link></para>
</listitem> </listitem>
<listitem>
<para><link linkend="job_shadow_account_expiration_note">Shadow:
Notify users about account expiration</link></para>
</listitem>
<listitem> <listitem>
<para><link linkend="job_windows_password_expire">Windows: Notify <para><link linkend="job_windows_password_expire">Windows: Notify
users about password expiration</link></para> users about password expiration</link></para>
@ -1364,6 +1369,90 @@ mysql&gt; GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
</table> </table>
</section> </section>
<section id="job_shadow_account_expiration_note">
<title>Shadow: Notify users about account expiration</title>
<para>This will send your users an email reminder before their whole
account expires.</para>
<para>You need to activate the Shadow module for users to be able to
add this job. The job can be added multiple times (e.g. to send a
second warning at a later time).</para>
<screenshot>
<graphic fileref="images/jobs_shadow3.png"/>
</screenshot>
<para><table>
<title>Options</title>
<tgroup cols="2">
<tbody>
<row>
<entry><emphasis role="bold">Option</emphasis></entry>
<entry><emphasis
role="bold">Description</emphasis></entry>
</row>
<row>
<entry>From address</entry>
<entry>The email address to set as FROM.</entry>
</row>
<row>
<entry>Reply-to address</entry>
<entry>Optional Reply-to address for email.</entry>
</row>
<row>
<entry>CC address</entry>
<entry>Optional CC mail address.</entry>
</row>
<row>
<entry>BCC address</entry>
<entry>Optional BCC mail address.</entry>
</row>
<row>
<entry>Subject</entry>
<entry>The email subject line. Supports wildcards, see
below.</entry>
</row>
<row>
<entry>Text</entry>
<entry>The email body text. Supports wildcards, see
below.</entry>
</row>
<row>
<entry>Notification period</entry>
<entry>Number of days to notify before account
expires.</entry>
</row>
</tbody>
</tgroup>
</table>Wildcards:</para>
<para>You can enter LDAP attributes as wildcards in the form
@@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@".
For the common name it would be "@@cn@@".</para>
<para>There are also two special wildcards for the expiration date.
@@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. "31.12.2016".
@@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
"2016-12-31".</para>
</section>
<section id="job_windows_password_expire"> <section id="job_windows_password_expire">
<title>Windows: Notify users about password expiration</title> <title>Windows: Notify users about password expiration</title>

BIN
lam/docs/manual-sources/images/jobs_shadow3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 56 KiB

99
lam/lib/modules/shadowAccount.inc
View File

@ -3,7 +3,7 @@
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2006 Tilo Lutz Copyright (C) 2003 - 2006 Tilo Lutz
Copyright (C) 2007 - 2018 Roland Gruber Copyright (C) 2007 - 2019 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -762,7 +762,8 @@ class shadowAccount extends baseModule implements passwordService {
public function getSupportedJobs(&$config) { public function getSupportedJobs(&$config) {
return array( return array(
new ShadowAccountPasswordNotifyJob(), new ShadowAccountPasswordNotifyJob(),
new ShadowAccountExpirationCleanupJob() new ShadowAccountExpirationCleanupJob(),
new ShadowAccountExpirationNotifyJob()
); );
} }
@ -914,6 +915,100 @@ if (interface_exists('\LAM\JOB\Job', false)) {
} }
/**
* Job to notify users about account expiration.
*
* @package jobs
*/
class ShadowAccountExpirationNotifyJob extends \LAM\JOB\PasswordExpirationJob {
/**
* Returns the alias name of the job.
*
* @return String name
*/
public function getAlias() {
return _('Shadow') . ': ' . _('Notify users about acoount expiration');
}
/**
* {@inheritDoc}
* @see \LAM\JOB\PasswordExpirationJob::getDescription()
*/
public function getDescription() {
return _('This job sends out emails to inform your users that their account will expire soon.');
}
/**
* Searches for users in LDAP.
*
* @param String $jobID unique job identifier
* @param array $options config options (name => value)
* @return array list of user attributes
*/
protected function findUsers($jobID, $options) {
// read users
$sysattrs = array('mail', 'shadowExpire');
$attrs = $this->getAttrWildcards($jobID, $options);
$attrs = array_values(array_unique(array_merge($attrs, $sysattrs)));
return searchLDAPByFilter('(&(shadowExpire=*)(mail=*))', $attrs, array('user'));
}
/**
* Checks if a user needs to change his password.
*
* @param integer $jobID job ID
* @param array $options job settings
* @param PDO $pdo PDO
* @param DateTime $now current time
* @param array $policyOptions list of max age values (policy DN => maxAge)
* @param array $user user attributes
* @param boolean $isDryRun just do a dry run, nothing is modified
*/
protected function checkSingleUser($jobID, $options, &$pdo, $now, $policyOptions, $user, $isDryRun) {
$dn = $user['dn'];
$expireTimeUnix = $user['shadowexpire'][0] * 3600 * 24;
$expireTime = new DateTime('@' . $expireTimeUnix, new DateTimeZone('UTC'));
$this->jobResultLog->logDebug("Expiration on " . $expireTime->format('Y-m-d'));
if ($expireTime <= $now) {
$this->jobResultLog->logDebug($dn . ' already expired');
return;
}
$numDaysToWarn = 0;
if (!empty($options[$this->getConfigPrefix() . '_mailNotificationPeriod' . $jobID][0])) {
$numDaysToWarn = $options[$this->getConfigPrefix() . '_mailNotificationPeriod' . $jobID][0];
}
$actionTime = clone $expireTime;
if ($numDaysToWarn != 0) {
$actionTime->sub(new DateInterval('P' . $numDaysToWarn . 'D'));
}
$actionTime->setTimeZone(getTimeZone());
$this->jobResultLog->logDebug("Action time on " . $actionTime->format('Y-m-d'));
if ($actionTime > $now) {
$this->jobResultLog->logDebug($dn . ' does not need notification yet.');
return;
}
$dbLastChange = $this->getDBLastPwdChangeTime($jobID, $pdo, $user['dn']);
// skip entries where mail was already sent
if ($dbLastChange == $user['shadowexpire'][0]) {
$this->jobResultLog->logDebug($dn . ' was already notified.');
return;
}
if ($isDryRun) {
// no action for dry run
$this->jobResultLog->logInfo('Not sending email to ' . $dn . ' because of dry run.');
return;
}
// send email
$success = $this->sendMail($options, $jobID, $user, $expireTime);
// update DB if mail was sent successfully
if ($success) {
$this->setDBLastPwdChangeTime($jobID, $pdo, $dn, $user['shadowexpire'][0]);
}
}
}
/** /**
* Job to delete or move users on account expiration. * Job to delete or move users on account expiration.
* *