Active Directory Support

[coudot]

To be compatible with Active Directory, we introduce a new ltb-common component : Directory

Directory is a PHP interface, with 2 implementations for now:

• OpenLDAP
• Active Directory

Tasks identified:

• Get account lock status
• Get account unlock date
• Get account lock date
• Get password expiration status
• Get password expiration date
• Display if password must be reset at next connection
• Lock account
• Unlock account
• Update password
• Enable account
• Disable account
• Get password policy parameters
• Get LDAP date from PHP date
• Unit tests

[coudot]

Working on this since several days, I dig into password policy in Active Directory to see how it can match Service Desk features and what we have in OpenLDAP.

What I found for the moment is that Active Directory manage several status:

• Account lock: account can be locked after several bad password attemps. We can configure how much time the account stay locket. This is quite similar as OpenLDAP
• Password expiration: a password can have a maximum age, so we can know the password expiration date by adding the password last set date and the password max age. Same the OpenLDAP, except there is no "magic" value to say the the account is locked permanently
• Account enable/disable: this is different from account lock, we have a flag in userAccountControl to know if the account is enabled or disabled. I don't think there is any equivalent in OpenLDAP.
• Account expiration: there is a account expiration date, different from the password expiration date. This would match the new pwdEndTime attribute in OpenLDAP and the "blocking" feature we want to implement.

It's not very clear for now how to get these information in AD (userAccountControl or other attributes).