check shadow password expiration
parent
f1fc0c1fba
commit
fb08739441
|
@ -1,5 +1,6 @@
|
||||||
December 2017
|
December 2017
|
||||||
- PHP 5.6 and Internet Explorer 11 or later required
|
- PHP 5.6 and Internet Explorer 11 or later required
|
||||||
|
- Account status also shows expired accounts
|
||||||
|
|
||||||
|
|
||||||
19.09.2017 6.1
|
19.09.2017 6.1
|
||||||
|
|
|
@ -787,6 +787,29 @@ class shadowAccount extends baseModule implements passwordService {
|
||||||
return ($time < $now);
|
return ($time < $now);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns if the given password is expired.
|
||||||
|
*
|
||||||
|
* @param array $attrs LDAP attributes
|
||||||
|
* @return bool expired
|
||||||
|
*/
|
||||||
|
public static function isPasswordExpired($attrs) {
|
||||||
|
$attrs = array_change_key_case($attrs, CASE_LOWER);
|
||||||
|
if (empty($attrs['shadowlastchange'][0]) || empty($attrs['shadowmax'][0])) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
if (($attrs['shadowlastchange'][0] < 1) || ($attrs['shadowmax'][0] < 1)) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
$time = new DateTime('@' . $attrs['shadowlastchange'][0] * 24 * 3600, new DateTimeZone('UTC'));
|
||||||
|
$time = $time->add(new DateInterval('P' . $attrs['shadowmax'][0] . 'D'));
|
||||||
|
if (!empty($attrs['shadowinactive'][0]) && ($attrs['shadowinactive'][0] > 0)) {
|
||||||
|
$time = $time->add(new DateInterval('P' . $attrs['shadowinactive'][0] . 'D'));
|
||||||
|
}
|
||||||
|
$now = new DateTime(null, getTimeZone());
|
||||||
|
return ($time < $now);
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (interface_exists('\LAM\JOB\Job', false)) {
|
if (interface_exists('\LAM\JOB\Job', false)) {
|
||||||
|
|
|
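Review bot: The second guard in `isPasswordExpired()` ends in a bare `return;`, so when `shadowLastChange` or `shadowMax` is below 1 (for example a `shadowMax` of `-1`) the method yields `null` although its docblock promises `bool`; it should be `return false;`. The callers in this commit only use the result in `||` and `elseif`, so `null` behaves as false today, but a strict check such as PHPUnit's `assertFalse` would fail, and none of the added tests exercises this branch. Separately, the computed expiry includes `shadowInactive`, so a password past `shadowMax` but still inside the inactivity period is reported as not expired, and a `shadowLastChange` of `0` is caught by `empty()` and also returns false. If both are intended, the docblock should say so, e.g. `Returns if the password is expired and the inactivity period (if set) has passed.`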
@ -355,6 +355,9 @@ class user extends baseType {
|
||||||
if (shadowAccount::isAccountExpired($shadowAttrs)) {
|
if (shadowAccount::isAccountExpired($shadowAttrs)) {
|
||||||
$expiredLabels[] = _('Shadow') . ': ' . _('Account expiration');
|
$expiredLabels[] = _('Shadow') . ': ' . _('Account expiration');
|
||||||
}
|
}
|
||||||
|
elseif (shadowAccount::isPasswordExpired($shadowAttrs)) {
|
||||||
|
$expiredLabels[] = _('Shadow') . ': ' . _('Password expiration');
|
||||||
|
}
|
||||||
}
|
}
|
||||||
if (!empty($expiredLabels)) {
|
if (!empty($expiredLabels)) {
|
||||||
$expiredTip = '<table border=0>';
|
$expiredTip = '<table border=0>';
|
||||||
|
@ -921,6 +924,9 @@ class lamUserList extends lamList {
|
||||||
$attrs[] = 'nsAccountLock';
|
$attrs[] = 'nsAccountLock';
|
||||||
$attrs[] = 'accountUnlockTime';
|
$attrs[] = 'accountUnlockTime';
|
||||||
$attrs[] = 'shadowExpire';
|
$attrs[] = 'shadowExpire';
|
||||||
|
$attrs[] = 'shadowLastChange';
|
||||||
|
$attrs[] = 'shadowMax';
|
||||||
|
$attrs[] = 'shadowInactive';
|
||||||
$attrs[] = 'objectClass';
|
$attrs[] = 'objectClass';
|
||||||
}
|
}
|
||||||
return $attrs;
|
return $attrs;
|
||||||
|
@ -954,7 +960,8 @@ class lamUserList extends lamList {
|
||||||
|| ($ppolicyAvailable && !$ppolicyLocked)
|
|| ($ppolicyAvailable && !$ppolicyLocked)
|
||||||
|| ($windowsAvailable && !$windowsLocked);
|
|| ($windowsAvailable && !$windowsLocked);
|
||||||
$shadowExpired = shadowAccount::isAccountExpired($this->entries[$i]);
|
$shadowExpired = shadowAccount::isAccountExpired($this->entries[$i]);
|
||||||
$expired = $shadowExpired;
|
$shadowPasswordExpired = shadowAccount::isPasswordExpired($this->entries[$i]);
|
||||||
|
$expired = $shadowExpired || $shadowPasswordExpired;
|
||||||
$status = self::FILTER_UNLOCKED;
|
$status = self::FILTER_UNLOCKED;
|
||||||
if ($expired) {
|
if ($expired) {
|
||||||
$status = self::FILTER_EXPIRED;
|
$status = self::FILTER_EXPIRED;
|
||||||
|
@ -1006,7 +1013,8 @@ class lamUserList extends lamList {
|
||||||
&& (!$ppolicyAvailable || $ppolicyLocked)
|
&& (!$ppolicyAvailable || $ppolicyLocked)
|
||||||
&& (!$windowsAvailable || $windowsLocked);
|
&& (!$windowsAvailable || $windowsLocked);
|
||||||
$shadowExpired = shadowAccount::isAccountExpired($attrs);
|
$shadowExpired = shadowAccount::isAccountExpired($attrs);
|
||||||
$expired = $shadowExpired;
|
$shadowPasswordExpired = shadowAccount::isPasswordExpired($attrs);
|
||||||
|
$expired = $shadowExpired || $shadowPasswordExpired;
|
||||||
$icon = 'unlocked.png';
|
$icon = 'unlocked.png';
|
||||||
if ($expired) {
|
if ($expired) {
|
||||||
$icon = 'expired.png';
|
$icon = 'expired.png';
|
||||||
|
@ -1024,6 +1032,9 @@ class lamUserList extends lamList {
|
||||||
if ($shadowExpired) {
|
if ($shadowExpired) {
|
||||||
$tipContent .= '<tr><td>' . _('Shadow') . ': ' . _('Account expiration') . ' </td><td><img height=16 width=16 src="../../graphics/expired.png"></td></tr>';
|
$tipContent .= '<tr><td>' . _('Shadow') . ': ' . _('Account expiration') . ' </td><td><img height=16 width=16 src="../../graphics/expired.png"></td></tr>';
|
||||||
}
|
}
|
||||||
|
elseif ($shadowPasswordExpired) {
|
||||||
|
$tipContent .= '<tr><td>' . _('Shadow') . ': ' . _('Password expiration') . ' </td><td><img height=16 width=16 src="../../graphics/expired.png"></td></tr>';
|
||||||
|
}
|
||||||
// Unix
|
// Unix
|
||||||
if ($unixAvailable) {
|
if ($unixAvailable) {
|
||||||
$unixIcon = 'unlocked.png';
|
$unixIcon = 'unlocked.png';
|
||||||
|
|
|
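Review bot: In the `class user` hunk the new `elseif (shadowAccount::isPasswordExpired($shadowAttrs))` depends on `$shadowAttrs` carrying `shadowLastChange`, `shadowMax` and `shadowInactive`, but the code that fills `$shadowAttrs` lies outside the hunk and is not changed here. The `lamUserList` hunk had to add those three names to its attribute list, so it is worth confirming that whatever populates `$shadowAttrs` returns them as well. If it does not, `isPasswordExpired()` always takes its first `return false;` there and the status tooltip never shows `Password expiration`, which would leave expired passwords unflagged on that view.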
@ -61,6 +61,58 @@
|
||||||
$this->assertTrue(shadowAccount::isAccountExpired($attrs));
|
$this->assertTrue(shadowAccount::isAccountExpired($attrs));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function test_isPasswordExpired_noAttr() {
|
||||||
|
$attrs = array('objectClass' => array('shadowAccount'));
|
||||||
|
|
||||||
|
$this->assertFalse(shadowAccount::isPasswordExpired($attrs));
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_isPasswordExpired_notExpired() {
|
||||||
|
$change = intval(time() / (24*3600)) - 10;
|
||||||
|
$attrs = array(
|
||||||
|
'objectClass' => array('shadowAccount'),
|
||||||
|
'shadoWlastCHange' => array(0 => $change),
|
||||||
|
'shadowmax' => array(0 => '14'),
|
||||||
|
);
|
||||||
|
|
||||||
|
$this->assertFalse(shadowAccount::isPasswordExpired($attrs));
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_isPasswordExpired_expired() {
|
||||||
|
$change = intval(time() / (24*3600)) - 10;
|
||||||
|
$attrs = array(
|
||||||
|
'objectClass' => array('shadowAccount'),
|
||||||
|
'shadoWlastCHange' => array(0 => $change),
|
||||||
|
'shadowmax' => array(0 => '7'),
|
||||||
|
);
|
||||||
|
|
||||||
|
$this->assertTrue(shadowAccount::isPasswordExpired($attrs));
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_isPasswordExpired_notExpiredInactiveSet() {
|
||||||
|
$change = intval(time() / (24*3600)) - 10;
|
||||||
|
$attrs = array(
|
||||||
|
'objectClass' => array('shadowAccount'),
|
||||||
|
'shadoWlastCHange' => array(0 => $change),
|
||||||
|
'shadowmax' => array(0 => '7'),
|
||||||
|
'shaDowinactIVe' => array(0 => '14'),
|
||||||
|
);
|
||||||
|
|
||||||
|
$this->assertFalse(shadowAccount::isPasswordExpired($attrs));
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_isPasswordExpired_expiredInactiveSet() {
|
||||||
|
$change = intval(time() / (24*3600)) - 10;
|
||||||
|
$attrs = array(
|
||||||
|
'objectClass' => array('shadowAccount'),
|
||||||
|
'shadoWlastCHange' => array(0 => $change),
|
||||||
|
'shadowmax' => array(0 => '7'),
|
||||||
|
'shaDowinactIVe' => array(0 => '2'),
|
||||||
|
);
|
||||||
|
|
||||||
|
$this->assertTrue(shadowAccount::isPasswordExpired($attrs));
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (is_readable('lam/lib/passwordExpirationJob.inc')) {
|
if (is_readable('lam/lib/passwordExpirationJob.inc')) {
|
||||||
|
|