check shadow password expiration

Roland Gruber 2017-10-17 17:46:04 +02:00
parent f1fc0c1fba
commit fb08739441
4 changed files with 89 additions and 2 deletions


@ -1,5 +1,6 @@
December 2017 December 2017
- PHP 5.6 and Internet Explorer 11 or later required - PHP 5.6 and Internet Explorer 11 or later required
- Account status also shows expired accounts
19.09.2017 6.1 19.09.2017 6.1


@ -787,6 +787,29 @@ class shadowAccount extends baseModule implements passwordService {
return ($time < $now); return ($time < $now);
} }
/**
* Returns if the given password is expired.
*
* @param array $attrs LDAP attributes
* @return bool expired
*/
public static function isPasswordExpired($attrs) {
$attrs = array_change_key_case($attrs, CASE_LOWER);
if (empty($attrs['shadowlastchange'][0]) || empty($attrs['shadowmax'][0])) {
return false;
}
if (($attrs['shadowlastchange'][0] < 1) || ($attrs['shadowmax'][0] < 1)) {
return;
}
$time = new DateTime('@' . $attrs['shadowlastchange'][0] * 24 * 3600, new DateTimeZone('UTC'));
$time = $time->add(new DateInterval('P' . $attrs['shadowmax'][0] . 'D'));
if (!empty($attrs['shadowinactive'][0]) && ($attrs['shadowinactive'][0] > 0)) {
$time = $time->add(new DateInterval('P' . $attrs['shadowinactive'][0] . 'D'));
}
$now = new DateTime(null, getTimeZone());
return ($time < $now);
}
} }
if (interface_exists('\LAM\JOB\Job', false)) { if (interface_exists('\LAM\JOB\Job', false)) {
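Review bot: The bare `return;` behind the `< 1` guard in isPasswordExpired yields null where the docblock promises bool and the sibling guard two lines above returns false; make it `return false;` so strict callers (and PHPUnit's assertFalse) get the documented type. Because shadowInactive is folded into the computed date, the method reports "not expired" while the password is already past shadowLastChange + shadowMax but still inside the inactivity grace period — if that is intended, the docblock should say it reports the end of the grace period rather than the shadow(5) expiry date. The values also reach DateInterval unvalidated: a non-numeric shadowMax or shadowInactive stored in the directory would pass the `< 1` comparison on PHP 8 (string comparison) and make `new DateInterval('P...D')` throw, which presumably surfaces in the account list unless caught upstream; an `is_numeric`/`ctype_digit` check before building the interval keeps the status display robust against malformed entries. The enclosing class shadowAccount continues outside the hunk.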


@ -355,6 +355,9 @@ class user extends baseType {
if (shadowAccount::isAccountExpired($shadowAttrs)) { if (shadowAccount::isAccountExpired($shadowAttrs)) {
$expiredLabels[] = _('Shadow') . ': ' . _('Account expiration'); $expiredLabels[] = _('Shadow') . ': ' . _('Account expiration');
} }
elseif (shadowAccount::isPasswordExpired($shadowAttrs)) {
$expiredLabels[] = _('Shadow') . ': ' . _('Password expiration');
}
} }
if (!empty($expiredLabels)) { if (!empty($expiredLabels)) {
$expiredTip = '<table border=0>'; $expiredTip = '<table border=0>';
@ -921,6 +924,9 @@ class lamUserList extends lamList {
$attrs[] = 'nsAccountLock'; $attrs[] = 'nsAccountLock';
$attrs[] = 'accountUnlockTime'; $attrs[] = 'accountUnlockTime';
$attrs[] = 'shadowExpire'; $attrs[] = 'shadowExpire';
$attrs[] = 'shadowLastChange';
$attrs[] = 'shadowMax';
$attrs[] = 'shadowInactive';
$attrs[] = 'objectClass'; $attrs[] = 'objectClass';
} }
return $attrs; return $attrs;
@ -954,7 +960,8 @@ class lamUserList extends lamList {
|| ($ppolicyAvailable && !$ppolicyLocked) || ($ppolicyAvailable && !$ppolicyLocked)
|| ($windowsAvailable && !$windowsLocked); || ($windowsAvailable && !$windowsLocked);
$shadowExpired = shadowAccount::isAccountExpired($this->entries[$i]); $shadowExpired = shadowAccount::isAccountExpired($this->entries[$i]);
$expired = $shadowExpired; $shadowPasswordExpired = shadowAccount::isPasswordExpired($this->entries[$i]);
$expired = $shadowExpired || $shadowPasswordExpired;
$status = self::FILTER_UNLOCKED; $status = self::FILTER_UNLOCKED;
if ($expired) { if ($expired) {
$status = self::FILTER_EXPIRED; $status = self::FILTER_EXPIRED;
@ -1006,7 +1013,8 @@ class lamUserList extends lamList {
&& (!$ppolicyAvailable || $ppolicyLocked) && (!$ppolicyAvailable || $ppolicyLocked)
&& (!$windowsAvailable || $windowsLocked); && (!$windowsAvailable || $windowsLocked);
$shadowExpired = shadowAccount::isAccountExpired($attrs); $shadowExpired = shadowAccount::isAccountExpired($attrs);
$expired = $shadowExpired; $shadowPasswordExpired = shadowAccount::isPasswordExpired($attrs);
$expired = $shadowExpired || $shadowPasswordExpired;
$icon = 'unlocked.png'; $icon = 'unlocked.png';
if ($expired) { if ($expired) {
$icon = 'expired.png'; $icon = 'expired.png';
@ -1024,6 +1032,9 @@ class lamUserList extends lamList {
if ($shadowExpired) { if ($shadowExpired) {
$tipContent .= '<tr><td>' . _('Shadow') . ': ' . _('Account expiration') . '&nbsp;&nbsp;</td><td><img height=16 width=16 src=&quot;../../graphics/expired.png&quot;></td></tr>'; $tipContent .= '<tr><td>' . _('Shadow') . ': ' . _('Account expiration') . '&nbsp;&nbsp;</td><td><img height=16 width=16 src=&quot;../../graphics/expired.png&quot;></td></tr>';
} }
elseif ($shadowPasswordExpired) {
$tipContent .= '<tr><td>' . _('Shadow') . ': ' . _('Password expiration') . '&nbsp;&nbsp;</td><td><img height=16 width=16 src=&quot;../../graphics/expired.png&quot;></td></tr>';
}
// Unix // Unix
if ($unixAvailable) { if ($unixAvailable) {
$unixIcon = 'unlocked.png'; $unixIcon = 'unlocked.png';
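Review bot: In the tooltip branch `elseif ($shadowPasswordExpired)` (and the parallel `elseif` added in the user class earlier in this section), an entry whose account and password are both expired shows only the "Account expiration" row, so the password state is hidden exactly when an administrator is triaging the entry. If both rows are wanted, two independent `if` blocks give that with no other change; if the suppression is deliberate, a one-line comment such as `// account expiration takes precedence over password expiration in the tooltip` would record it. `$shadowPasswordExpired` is assigned in the preceding hunk of this section, and the enclosing methods start outside the hunks.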


@ -61,6 +61,58 @@
$this->assertTrue(shadowAccount::isAccountExpired($attrs)); $this->assertTrue(shadowAccount::isAccountExpired($attrs));
} }
public function test_isPasswordExpired_noAttr() {
$attrs = array('objectClass' => array('shadowAccount'));
$this->assertFalse(shadowAccount::isPasswordExpired($attrs));
}
public function test_isPasswordExpired_notExpired() {
$change = intval(time() / (24*3600)) - 10;
$attrs = array(
'objectClass' => array('shadowAccount'),
'shadoWlastCHange' => array(0 => $change),
'shadowmax' => array(0 => '14'),
);
$this->assertFalse(shadowAccount::isPasswordExpired($attrs));
}
public function test_isPasswordExpired_expired() {
$change = intval(time() / (24*3600)) - 10;
$attrs = array(
'objectClass' => array('shadowAccount'),
'shadoWlastCHange' => array(0 => $change),
'shadowmax' => array(0 => '7'),
);
$this->assertTrue(shadowAccount::isPasswordExpired($attrs));
}
public function test_isPasswordExpired_notExpiredInactiveSet() {
$change = intval(time() / (24*3600)) - 10;
$attrs = array(
'objectClass' => array('shadowAccount'),
'shadoWlastCHange' => array(0 => $change),
'shadowmax' => array(0 => '7'),
'shaDowinactIVe' => array(0 => '14'),
);
$this->assertFalse(shadowAccount::isPasswordExpired($attrs));
}
public function test_isPasswordExpired_expiredInactiveSet() {
$change = intval(time() / (24*3600)) - 10;
$attrs = array(
'objectClass' => array('shadowAccount'),
'shadoWlastCHange' => array(0 => $change),
'shadowmax' => array(0 => '7'),
'shaDowinactIVe' => array(0 => '2'),
);
$this->assertTrue(shadowAccount::isPasswordExpired($attrs));
}
} }
if (is_readable('lam/lib/passwordExpirationJob.inc')) { if (is_readable('lam/lib/passwordExpirationJob.inc')) {
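Review bot: The new tests exercise the happy paths but not the `< 1` guard in isPasswordExpired, which currently returns null rather than the documented false; a case with `'shadowmax' => array(0 => '-1')` alongside a valid shadowLastChange and `$this->assertFalse(shadowAccount::isPasswordExpired($attrs))` would pin the bool contract, since assertFalse rejects null. A further case with shadowMax `99999`, the conventional never-expires value, would document that it is treated as not expired. Deriving the change day from `time()` is acceptable here because the cases sit several days away from the limit, so they stay stable across a day boundary. The test class starts outside the hunk.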