use domain policy to calculate can/must change password time (2919236)

This commit is contained in:
Roland Gruber 2010-01-19 18:16:52 +00:00
parent 38a91eeb25
commit df896333c2
1 changed files with 67 additions and 150 deletions


@ -4,7 +4,7 @@ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2006 Tilo Lutz Copyright (C) 2003 - 2006 Tilo Lutz
2005 - 2009 Roland Gruber 2005 - 2010 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -98,8 +98,6 @@ class sambaSamAccount extends baseModule implements passwordService {
$this->messages['noPassword'][0] = array('ERROR', _('Account %s:') . ' sambaSamAccount_noPassword', _('This value can only be \"true\" or \"false\"!')); $this->messages['noPassword'][0] = array('ERROR', _('Account %s:') . ' sambaSamAccount_noPassword', _('This value can only be \"true\" or \"false\"!'));
$this->messages['noExpire'][0] = array('ERROR', _('Account %s:') . ' sambaSamAccount_noExpire', _('This value can only be \"true\" or \"false\"!')); $this->messages['noExpire'][0] = array('ERROR', _('Account %s:') . ' sambaSamAccount_noExpire', _('This value can only be \"true\" or \"false\"!'));
$this->messages['deactivated'][0] = array('ERROR', _('Account %s:') . ' sambaSamAccount_deactivated', _('This value can only be \"true\" or \"false\"!')); $this->messages['deactivated'][0] = array('ERROR', _('Account %s:') . ' sambaSamAccount_deactivated', _('This value can only be \"true\" or \"false\"!'));
$this->messages['pwdCanChange'][0] = array('ERROR', _('Account %s:') . ' sambaSamAccount_pwdCanChange', _('Please enter a valid date in format DD-MM-YYYY.'));
$this->messages['pwdMustChange'][0] = array('ERROR', _('Account %s:') . ' sambaSamAccount_pwdMustChange', _('Please enter a valid date in format DD-MM-YYYY.'));
$this->messages['expireDate'][0] = array('ERROR', _('Account %s:') . ' sambaSamAccount_expireDate', _('Please enter a valid date in format DD-MM-YYYY.')); $this->messages['expireDate'][0] = array('ERROR', _('Account %s:') . ' sambaSamAccount_expireDate', _('Please enter a valid date in format DD-MM-YYYY.'));
$this->messages['homeDrive'][0] = array('ERROR', _('Account %s:') . ' sambaSamAccount_homeDrive', _('Please enter a valid drive letter.')); $this->messages['homeDrive'][0] = array('ERROR', _('Account %s:') . ' sambaSamAccount_homeDrive', _('Please enter a valid drive letter.'));
$this->messages['domain'][0] = array('ERROR', _('Account %s:') . ' sambaSamAccount_domain', _('LAM was unable to find a domain with this name!')); $this->messages['domain'][0] = array('ERROR', _('Account %s:') . ' sambaSamAccount_domain', _('LAM was unable to find a domain with this name!'));
@ -134,7 +132,7 @@ class sambaSamAccount extends baseModule implements passwordService {
$return['objectClasses'] = array('sambaSamAccount'); $return['objectClasses'] = array('sambaSamAccount');
// managed attributes // managed attributes
$return['attributes'] = array('uid', 'sambaSID', 'sambaLMPassword', 'sambaNTPassword', 'sambaPwdLastSet', $return['attributes'] = array('uid', 'sambaSID', 'sambaLMPassword', 'sambaNTPassword', 'sambaPwdLastSet',
'sambaLogonTime', 'sambaLogoffTime', 'sambaKickoffTime', 'sambaPwdCanChange', 'sambaPwdMustChange', 'sambaAcctFlags', 'sambaLogonTime', 'sambaLogoffTime', 'sambaKickoffTime', 'sambaAcctFlags',
'sambaPwdLastSet', 'displayName', 'sambaHomePath', 'sambaHomeDrive', 'sambaLogonScript', 'sambaProfilePath', 'sambaPwdLastSet', 'displayName', 'sambaHomePath', 'sambaHomeDrive', 'sambaLogonScript', 'sambaProfilePath',
'sambaUserWorkstations', 'sambaPrimaryGroupSID', 'sambaDomainName', 'sambaLogonHours', 'sambaMungedDial'); 'sambaUserWorkstations', 'sambaPrimaryGroupSID', 'sambaDomainName', 'sambaLogonHours', 'sambaMungedDial');
// PHP extensions // PHP extensions
@ -167,14 +165,6 @@ class sambaSamAccount extends baseModule implements passwordService {
'type' => 'ext_preg', 'type' => 'ext_preg',
'regex' => 'sambaLogonHours', 'regex' => 'sambaLogonHours',
'error_message' => $this->messages['logonHours'][0]); 'error_message' => $this->messages['logonHours'][0]);
$return['profile_checks']['sambaSamAccount_pwdCanChange'] = array(
'type' => 'ext_preg',
'regex' => 'digit',
'error_message' => $this->messages['profileCanMustChange'][0]);
$return['profile_checks']['sambaSamAccount_pwdMustChange'] = array(
'type' => 'ext_preg',
'regex' => 'digit',
'error_message' => $this->messages['profileCanMustChange'][0]);
// profile mappings // profile mappings
$return['profile_mappings'] = array( $return['profile_mappings'] = array(
'sambaSamAccount_sambaDomainName' => 'sambaDomainName', 'sambaSamAccount_sambaDomainName' => 'sambaDomainName',
@ -235,8 +225,6 @@ class sambaSamAccount extends baseModule implements passwordService {
'syncNTPassword' => _('Sync Samba NT password with Unix password'), 'syncNTPassword' => _('Sync Samba NT password with Unix password'),
'syncLMPassword' => _('Sync Samba LM password with Unix password'), 'syncLMPassword' => _('Sync Samba LM password with Unix password'),
'syncSambaPwdLastSet' => _('Update attribute "sambaPwdLastSet" on password change'), 'syncSambaPwdLastSet' => _('Update attribute "sambaPwdLastSet" on password change'),
'syncSambaPwdMustChange' => _('Update attribute "sambaPwdMustChange" on password change'),
'syncSambaPwdCanChange' => _('Update attribute "sambaPwdCanChange" on password change')
); );
// help Entries // help Entries
$return['help'] = array ( $return['help'] = array (
@ -281,9 +269,9 @@ class sambaSamAccount extends baseModule implements passwordService {
"Text" => _("If you set this option then the user has to change his password at the next login.")), "Text" => _("If you set this option then the user has to change his password at the next login.")),
"pwdCanChange" => array( "pwdCanChange" => array(
"Headline" => _("User can change password"), "Headline" => _("User can change password"),
"Text" => _("Date after the user is able to change his password. Format: DD-MM-YYYY")), "Text" => _("Date after the user is able to change his password.")),
"pwdMustChange" => array ("Headline" => _("User must change password"), "pwdMustChange" => array ("Headline" => _("User must change password"),
"Text" => _("Date after the user must change his password. Format: DD-MM-YYYY")), "Text" => _("Date after the user must change his password.")),
"homeDrive" => array( "homeDrive" => array(
"Headline" => _("Home drive"), "Headline" => _("Home drive"),
"Text" => _("The home directory will be connected under this drive letter.")), "Text" => _("The home directory will be connected under this drive letter.")),
@ -375,9 +363,6 @@ class sambaSamAccount extends baseModule implements passwordService {
'terminalServer' => array ( 'terminalServer' => array (
"Headline" => _("Terminal server options"), "Headline" => _("Terminal server options"),
"Text" => _("Here you can change the settings for the terminal server access.")), "Text" => _("Here you can change the settings for the terminal server access.")),
'profilePwdCanMustChange' => array (
"Headline" => _("User can/must change password"),
"Text" => _("This is the number of seconds after when the user may or has to change his password.")),
'lmHash' => array ( 'lmHash' => array (
"Headline" => _("Disable LM hashes"), "Headline" => _("Disable LM hashes"),
"Text" => _("Windows password hashes are saved by default as NT and LM hashes. LM hashes are insecure and only needed for old versions of Windows. You should disable them unless you really need them.")), "Text" => _("Windows password hashes are saved by default as NT and LM hashes. LM hashes are insecure and only needed for old versions of Windows. You should disable them unless you really need them.")),
@ -444,20 +429,6 @@ class sambaSamAccount extends baseModule implements passwordService {
'values' => 'true, false', 'values' => 'true, false',
'example' => 'false' 'example' => 'false'
), ),
array(
'name' => 'sambaSamAccount_pwdCanChange',
'description' => _('User can change password'),
'help' => 'pwdCanChange',
'default' => '31-12-2030',
'example' => '15-11-2006'
),
array(
'name' => 'sambaSamAccount_pwdMustChange',
'description' => _('User must change password'),
'help' => 'pwdMustChange',
'default' => '31-12-2030',
'example' => '15-10-2006'
),
array( array(
'name' => 'sambaSamAccount_expireDate', 'name' => 'sambaSamAccount_expireDate',
'description' => _('Account expiration date'), 'description' => _('Account expiration date'),
@ -1015,13 +986,7 @@ class sambaSamAccount extends baseModule implements passwordService {
if (($buttonName == '') || (strpos($buttonName, '_back') !== false)) return array(); if (($buttonName == '') || (strpos($buttonName, '_back') !== false)) return array();
// get attribute name // get attribute name
$attr = ''; $attr = '';
if (strpos($buttonName, 'sambaPwdCanChange') !== false) { if (strpos($buttonName, 'sambaKickoffTime') !== false) {
$attr = 'sambaPwdCanChange';
}
elseif (strpos($buttonName, 'sambaPwdMustChange') !== false) {
$attr = 'sambaPwdMustChange';
}
elseif (strpos($buttonName, 'sambaKickoffTime') !== false) {
$attr = 'sambaKickoffTime'; $attr = 'sambaKickoffTime';
} }
if ($attr == '') return array(); if ($attr == '') return array();
@ -1145,38 +1110,16 @@ class sambaSamAccount extends baseModule implements passwordService {
array('kind' => 'input', 'name' => 'passwordIsExpired', 'type' => 'checkbox', 'checked' => $this->expirePassword), array('kind' => 'input', 'name' => 'passwordIsExpired', 'type' => 'checkbox', 'checked' => $this->expirePassword),
array('kind' => 'help', 'value' => 'passwordIsExpired')); array('kind' => 'help', 'value' => 'passwordIsExpired'));
$dateValue = "     -      ";
if (isset($this->attributes['sambaPwdCanChange'][0])) {
if ($this->attributes['sambaPwdCanChange'][0] > 2147483648) {
$dateValue = "     ∞      ";
}
else {
$date = getdate($this->attributes['sambaPwdCanChange'][0]);
$dateValue = $date['mday'] . "." . $date['mon'] . "." . $date['year'];
}
}
$return[] = array( $return[] = array(
array('kind' => 'text', 'text' => _('User can change password')), array('kind' => 'text', 'text' => _('User can change password')),
array('kind' => 'table', 'value' => array(array( array('kind' => 'table', 'value' => array(array(
array('kind' => 'text', 'text' => $dateValue), array('kind' => 'text', 'text' => $this->getPasswordCanChangeTime($sambaDomains, $sel_domain)),
array('kind' => 'input', 'name' => 'form_subpage_sambaSamAccount_time_sambaPwdCanChange', 'type' => 'submit', 'value' => _('Change'))
))), ))),
array('kind' => 'help', 'value' => 'pwdCanChange' )); array('kind' => 'help', 'value' => 'pwdCanChange' ));
$dateValue = "     -      ";
if (isset($this->attributes['sambaPwdMustChange'][0])) {
if ($this->attributes['sambaPwdMustChange'][0] > 2147483648) {
$dateValue = "     ∞      ";
}
else {
$date = getdate($this->attributes['sambaPwdMustChange'][0]);
$dateValue = $date['mday'] . "." . $date['mon'] . "." . $date['year'];
}
}
$return[] = array( $return[] = array(
array('kind' => 'text', 'text' => _('User must change password')), array('kind' => 'text', 'text' => _('User must change password')),
array('kind' => 'table', 'value' => array(array( array('kind' => 'table', 'value' => array(array(
array('kind' => 'text', 'text' => $dateValue), array('kind' => 'text', 'text' => $this->getPasswordMustChangeTime($sambaDomains, $sel_domain)),
array('kind' => 'input', 'name' => 'form_subpage_sambaSamAccount_time_sambaPwdMustChange', 'type' => 'submit', 'value' => _('Change'))
))), ))),
array('kind' => 'help', 'value' => 'pwdMustChange' )); array('kind' => 'help', 'value' => 'pwdMustChange' ));
$dateValue = "     -      "; $dateValue = "     -      ";
@ -1432,16 +1375,6 @@ class sambaSamAccount extends baseModule implements passwordService {
function display_html_time() { function display_html_time() {
$return = array(); $return = array();
// determine attribute // determine attribute
if (isset($_POST['form_subpage_sambaSamAccount_time_sambaPwdCanChange'])) {
$attr = 'sambaPwdCanChange';
$text = _('User can change password');
$help = "pwdCanChange";
}
elseif (isset($_POST['form_subpage_sambaSamAccount_time_sambaPwdMustChange'])) {
$attr = 'sambaPwdMustChange';
$text = _('User must change password');
$help = "pwdMustChange";
}
if (isset($_POST['form_subpage_sambaSamAccount_time_sambaKickoffTime'])) { if (isset($_POST['form_subpage_sambaSamAccount_time_sambaKickoffTime'])) {
$attr = 'sambaKickoffTime'; $attr = 'sambaKickoffTime';
$text = _('Account expiration date'); $text = _('Account expiration date');
@ -1637,16 +1570,6 @@ class sambaSamAccount extends baseModule implements passwordService {
) )
)), )),
array('kind' => 'help', 'value' => 'expireDate')); array('kind' => 'help', 'value' => 'expireDate'));
// user can change password
$return[] = array(
array('kind' => 'text', 'text' => _('User can change password')),
array('kind' => 'input', 'name' => 'sambaSamAccount_pwdCanChange', 'type' => 'text', 'size' => '20', 'maxlength' => '10', 'value' => ""),
array('kind' => 'help', 'value' => 'profilePwdCanMustChange'));
// user must change password
$return[] = array(
array('kind' => 'text', 'text' => _('User must change password')),
array('kind' => 'input', 'name' => 'sambaSamAccount_pwdMustChange', 'type' => 'text', 'size' => '20', 'maxlength' => '10', 'value' => ""),
array('kind' => 'help', 'value' => 'profilePwdCanMustChange'));
if (!$this->isBooleanConfigOptionSet('sambaSamAccount_hideHomeDrive')) { if (!$this->isBooleanConfigOptionSet('sambaSamAccount_hideHomeDrive')) {
// letter of home drive // letter of home drive
$drives = array('-'); $drives = array('-');
@ -1825,14 +1748,6 @@ class sambaSamAccount extends baseModule implements passwordService {
} }
} }
} }
// user can change password
if (isset($profile['sambaSamAccount_pwdCanChange'][0]) && ($profile['sambaSamAccount_pwdCanChange'][0] != '')) {
$this->attributes['sambaPwdCanChange'][0] = time() + $profile['sambaSamAccount_pwdCanChange'][0];
}
// user must change password
if (isset($profile['sambaSamAccount_pwdMustChange'][0]) && ($profile['sambaSamAccount_pwdMustChange'][0] != '')) {
$this->attributes['sambaPwdMustChange'][0] = time() + $profile['sambaSamAccount_pwdMustChange'][0];
}
} }
/** /**
@ -2058,32 +1973,6 @@ class sambaSamAccount extends baseModule implements passwordService {
// End character // End character
$flags = $flags . "]"; $flags = $flags . "]";
$partialAccounts[$i]['sambaAcctFlags'] = $flags; $partialAccounts[$i]['sambaAcctFlags'] = $flags;
// passsword can be changed
if ($rawAccounts[$i][$ids['sambaSamAccount_pwdCanChange']] != "") {
if (get_preg($rawAccounts[$i][$ids['sambaSamAccount_pwdCanChange']], 'date')) {
$parts = explode("-", $rawAccounts[$i][$ids['sambaSamAccount_pwdCanChange']]);
$time = mktime(0, 0, 0, intval($parts[1]), intval($parts[0]), intval($parts[2]));
$partialAccounts[$i]['sambaPwdCanChange'] = $time;
}
else {
$errMsg = $this->messages['pwdCanChange'][0];
array_push($errMsg, array($i));
$errors[] = $errMsg;
}
}
// passsword must be changed
if ($rawAccounts[$i][$ids['sambaSamAccount_pwdMustChange']] != "") {
if (get_preg($rawAccounts[$i][$ids['sambaSamAccount_pwdMustChange']], 'date')) {
$parts = explode("-", $rawAccounts[$i][$ids['sambaSamAccount_pwdMustChange']]);
$time = mktime(0, 0, 0, intval($parts[1]), intval($parts[0]), intval($parts[2]));
$partialAccounts[$i]['sambaPwdMustChange'] = $time;
}
else {
$errMsg = $this->messages['pwdMustChange'][0];
array_push($errMsg, array($i));
$errors[] = $errMsg;
}
}
// expiration date // expiration date
if ($rawAccounts[$i][$ids['sambaSamAccount_expireDate']] != "") { if ($rawAccounts[$i][$ids['sambaSamAccount_expireDate']] != "") {
if (get_preg($rawAccounts[$i][$ids['sambaSamAccount_expireDate']], 'date')) { if (get_preg($rawAccounts[$i][$ids['sambaSamAccount_expireDate']], 'date')) {
@ -2314,38 +2203,6 @@ class sambaSamAccount extends baseModule implements passwordService {
$return['mod']['sambaPwdLastSet'][0] = time(); $return['mod']['sambaPwdLastSet'][0] = time();
} }
} }
if (in_array('syncSambaPwdMustChange', $fields) || in_array('syncSambaPwdCanChange', $fields)) {
$sambaDomains = search_domains($_SESSION['ldapHandle'], $this->selfServiceSettings->LDAPSuffix);
if (($sambaDomains == null) || (sizeof($sambaDomains) == 0)) {
$return['messages'][] = array("ERROR", _('Unable to sync the time when the user can/must change his password because no domain was found.'), '');
return $return;
}
if (!isset($attributes['sambaSID'][0]) || $attributes['sambaSID'][0] == '') {
$return['messages'][] = array("ERROR", _('Unable to read sambaSID attribute.'), '');
return $return;
}
$domainSID = substr($attributes['sambaSID'][0], 0, strrpos($attributes['sambaSID'][0], "-"));
$sel_domain = null;
for ($i = 0; $i < count($sambaDomains); $i++ ) {
if ($domainSID == $sambaDomains[$i]->SID) {
$sel_domain = $sambaDomains[$i];
}
}
if ($sel_domain == null) {
$return['messages'][] = array("ERROR", _('Unable to sync the time when the user can/must change his password because no domain was found.'), $domainSID);
return $return;
}
if (in_array('syncSambaPwdCanChange', $fields)) {
if (($sel_domain != null) && (isset($sel_domain->maxPwdAge))) {
$return['mod']['sambaPwdCanChange'][0] = time() + $sel_domain->minPwdAge;
}
}
if (in_array('syncSambaPwdMustChange', $fields)) {
if (($sel_domain != null) && (isset($sel_domain->maxPwdAge))) {
$return['mod']['sambaPwdMustChange'][0] = time() + $sel_domain->maxPwdAge;
}
}
}
} }
} }
} }
@ -2400,6 +2257,66 @@ class sambaSamAccount extends baseModule implements passwordService {
return null; return null;
} }
/**
* Returns the time when the user needs to change his password.
*
* @param array $domains list of domain objects
* @param String $selectedDomain selected domain name
*/
private function getPasswordMustChangeTime($domains, $selectedDomain) {
if (is_array($selectedDomain) && (sizeof($selectedDomain) > 0)) {
$selectedDomain = $selectedDomain[0];
}
$return = '&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;';
// check if password expires at all
if ($this->noexpire) {
return $return;
}
// check if there is a time set for the last password change
if (!isset($this->attributes['sambaPwdLastSet'][0])) {
return $return;
}
for ($i = 0; $i < sizeof($domains); $i++) {
if ($domains[$i]->name == $selectedDomain) {
// check if a domain policy is set
if (!isset($domains[$i]->maxPwdAge) || ($domains[$i]->maxPwdAge < 0)) {
return $return;
}
$time = $this->attributes['sambaPwdLastSet'][0] + $domains[$i]->maxPwdAge;
return date('d.m.Y H:i', $time);
}
}
return $return;
}
/**
* Returns the time when the user can change his password.
*
* @param array $domains list of domain objects
* @param String $selectedDomain selected domain name
*/
private function getPasswordCanChangeTime($domains, $selectedDomain) {
if (is_array($selectedDomain) && (sizeof($selectedDomain) > 0)) {
$selectedDomain = $selectedDomain[0];
}
$return = '&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;';
// check if there is a time set for the last password change
if (!isset($this->attributes['sambaPwdLastSet'][0])) {
return $return;
}
for ($i = 0; $i < sizeof($domains); $i++) {
if ($domains[$i]->name == $selectedDomain) {
// check if a domain policy is set
if (!isset($domains[$i]->minPwdAge) || ($domains[$i]->minPwdAge < 0)) {
return $return;
}
$time = $this->attributes['sambaPwdLastSet'][0] + $domains[$i]->minPwdAge;
return date('d.m.Y H:i', $time);
}
}
return $return;
}
} }
?> ?>
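Review bot: In `getPasswordMustChangeTime` and `getPasswordCanChangeTime` the only guard on `sambaPwdLastSet` is `isset`, so a stored value of 0 passes and the row renders `date('d.m.Y H:i', 0 + maxPwdAge)`, a 1970-era timestamp rather than a meaningful deadline. If, as is conventional for Samba and suggested by the `passwordIsExpired` checkbox rendered just above the new calls, LAM encodes "must change at next logon" as `sambaPwdLastSet = 0`, every expired account would show such a date on both rows; the encoding itself is not visible in this hunk, so please confirm. I would add after the `isset` check in both helpers `// 0 is Samba's "change at next logon" marker, not a real timestamp` followed by `if ($this->attributes['sambaPwdLastSet'][0] == 0) { return $return; }`, or better return a dedicated "expired" text so the state is not hidden behind the '-' placeholder. The two helpers also duplicate the `$selectedDomain[0]` unwrapping and the domain lookup loop; a single private helper taking the policy attribute name (`minPwdAge`/`maxPwdAge`) would keep them from drifting apart, since only the must-change variant honours `$this->noexpire`.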