Use password policy configuration from Directory interface

conf/config.inc.php

@@ -39,7 +39,10 @@
 $ldap_lastauth_attribute = "authTimestamp";
 #$ldap_network_timeout = 10;
 $ldap_type = "openldap";
-#$ldap_lockout_duration = 3600;
+
+# Override LDAP password policy configuration
+#$ldap_lockout_duration = 3600; # 1 hour
+#$ldap_password_max_age = 7889400; # 3 months
 
 # How display attributes
 $attributes_map = array(

htdocs/display.php

@@ -94,26 +94,23 @@
             $entry[0][$attr] = $values;
         }
 
-        # Include default password policy
-        if ( !$entry[0]['pwdpolicysubentry'] and $ldap_default_ppolicy) {
-            $entry[0]['pwdpolicysubentry'][] = $ldap_default_ppolicy;
-        }
-        $pwdPolicy = $entry[0]['pwdpolicysubentry'][0];
+        # Get password policy configuration
+        $pwdPolicyConfiguration = $directory->getPwdPolicyConfiguration($ldap, $dn, $ldap_default_ppolicy);
+        if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_durantion; }
+        if ($ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; }
 
         if ($display_edit_link) {
             # Replace {dn} in URL
             $edit_link = str_replace("{dn}", urlencode($dn), $display_edit_link);
         }
 
-        $lockoutDuration = $directory->getLockoutDuration($ldap, $dn, array('pwdPolicy' => $pwdPolicy, 'lockoutDuration' => $ldap_lockout_duration));
         $lockDate = $directory->getLockDate($ldap, $dn);
-        $unlockDate = $directory->getUnlockDate($ldap, $dn, array('lockoutDuration' => $lockoutDuration));
-        $isLocked = $directory->isLocked($ldap, $dn, array('lockoutDuration'  => $lockoutDuration));
-        $canLockAccount = $directory->canLockAccount($ldap, $dn, array('pwdPolicy' => $pwdPolicy));
+        $unlockDate = $directory->getUnlockDate($ldap, $dn, $pwdPolicyConfiguration);
+        $isLocked = $directory->isLocked($ldap, $dn, $pwdPolicyConfiguration);
+        $canLockAccount = $pwdPolicyConfiguration["lockout_enabled"];
 
-        $pwdMaxAge = $directory->getPasswordMaxAge($ldap, $dn, array('pwdPolicy' => $pwdPolicy, 'pwdMaxAge' => $ldap_password_max_age));
-        $expirationDate = $directory->getPasswordExpirationDate($ldap, $dn, array('pwdMaxAge' => $pwdMaxAge));
-        $isExpired = $directory->isPasswordExpired($ldap, $dn, array('pwdMaxAge' => $pwdMaxAge));
+        $expirationDate = $directory->getPasswordExpirationDate($ldap, $dn, $pwdPolicyConfiguration);
+        $isExpired = $directory->isPasswordExpired($ldap, $dn, $pwdPolicyConfiguration);
 
         $resetAtNextConnection = $directory->resetAtNextConnection($ldap, $dn);
 

htdocs/lockaccount.php

@@ -28,28 +28,20 @@
     $ldap = $ldap_connection[0];
     $result = $ldap_connection[1];
 
-    $pwdPolicy = NULL;
-
     if ($ldap)
     {
-        $search_ppolicysubentry = ldap_read($ldap, $dn, "(objectClass=*)", array('pwdpolicysubentry'));
-        $user_entry = ldap_get_entries($ldap, $search_ppolicysubentry);
-
-        # Search active password policy
-        $pwdPolicy = "";
-        if (isset($user_entry[0]['pwdpolicysubentry'][0])) {
-            $pwdPolicy = $user_entry[0]['pwdpolicysubentry'][0];
-        } elseif (isset($ldap_default_ppolicy)) {
-            $pwdPolicy = $ldap_default_ppolicy;
-        }
-    }
-
-    # Apply the modification only the password can be locked
-    if ($ldap and $directory->canLockAccount($ldap, $dn, array('pwdPolicy' => $pwdPolicy))) {
-        if ( $directory->lockAccount($ldap, $dn) ) {
-            $result = "accountlocked";
-        } else {
-            $result = "ldaperror";
+        # Get password policy configuration
+        $pwdPolicyConfiguration = $directory->getPwdPolicyConfiguration($ldap, $dn, $ldap_default_ppolicy);
+        if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_durantion; }
+        if ($ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; }
+
+        # Apply the modification only the password can be locked
+        if ($pwdPolicyConfiguration["lockout_enabled"]) {
+            if ( $directory->lockAccount($ldap, $dn) ) {
+                $result = "accountlocked";
+            } else {
+                $result = "ldaperror";
+            }
         }
     }
 }

htdocs/searchexpired.php

@@ -6,24 +6,19 @@
 require_once("../conf/config.inc.php");
 require __DIR__ . '/../vendor/autoload.php';
 
-[$ldap,$result,$nb_entries,$entries,$size_limit_reached] = $ldapInstance->search($ldap_user_filter, array('pwdpolicysubentry'), $attributes_map, $search_result_title, $search_result_sortby, $search_result_items, $ldap_scope);
+[$ldap,$result,$nb_entries,$entries,$size_limit_reached] = $ldapInstance->search($ldap_user_filter, array(), $attributes_map, $search_result_title, $search_result_sortby, $search_result_items, $ldap_scope);
 
 if ( !empty($entries) )
 {
     # Check if entry is expired
     foreach($entries as $entry_key => $entry) {
 
-        # Search active password policy
-        $pwdPolicy = "";
-        if (isset($entry['pwdpolicysubentry'][0])) {
-            $pwdPolicy = $entry['pwdpolicysubentry'][0];
-        } elseif (isset($ldap_default_ppolicy)) {
-            $pwdPolicy = $ldap_default_ppolicy;
-        }
+        # Get password policy configuration
+        $pwdPolicyConfiguration = $directory->getPwdPolicyConfiguration($ldap, $entry["dn"], $ldap_default_ppolicy);
+        if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_durantion; }
+        if ($ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; }
 
-        $pwdMaxAge = $directory->getPasswordMaxAge($ldap, $entry["dn"], array('pwdPolicy' => $pwdPolicy, 'pwdMaxAge' => $ldap_password_max_age));
-        $expirationDate = $directory->getPasswordExpirationDate($ldap, $entry["dn"], array('pwdMaxAge' => $pwdMaxAge));
-        $isExpired = $directory->isPasswordExpired($ldap, $entry["dn"], array('pwdMaxAge' => $pwdMaxAge));
+        $isExpired = $directory->isPasswordExpired($ldap, $entry["dn"], $pwdPolicyConfiguration);
 
         if ( $isExpired === false ) {
             unset($entries[$entry_key]);

htdocs/searchlocked.php

@@ -6,22 +6,20 @@
 require_once("../conf/config.inc.php");
 require __DIR__ . '/../vendor/autoload.php';
 
-[$ldap,$result,$nb_entries,$entries,$size_limit_reached] = $ldapInstance->search($ldap_user_filter, array('pwdpolicysubentry'), $attributes_map, $search_result_title, $search_result_sortby, $search_result_items, $ldap_scope);
+[$ldap,$result,$nb_entries,$entries,$size_limit_reached] = $ldapInstance->search($ldap_user_filter, array(), $attributes_map, $search_result_title, $search_result_sortby, $search_result_items, $ldap_scope);
 
 if ( !empty($entries) )
 {
 
     # Check if entry is still locked
     foreach($entries as $entry_key => $entry) {
-        # Search active password policy
-        $pwdPolicy = "";
-        if (isset($entry['pwdpolicysubentry'][0])) {
-            $pwdPolicy = $entry['pwdpolicysubentry'][0];
-        } elseif (isset($ldap_default_ppolicy)) {
-            $pwdPolicy = $ldap_default_ppolicy;
-        }
-        $lockoutDuration = $directory->getLockoutDuration($ldap, $entry['dn'], array('pwdPolicy' => $pwdPolicy, 'lockoutDuration' => $ldap_lockout_duration));
-        $isLocked = $directory->isLocked($ldap, $entry['dn'], array('lockoutDuration'  => $lockoutDuration));
+
+        # Get password policy configuration
+        $pwdPolicyConfiguration = $directory->getPwdPolicyConfiguration($ldap, $entry["dn"], $ldap_default_ppolicy);
+        if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_durantion; }
+        if ($ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; }
+
+        $isLocked = $directory->isLocked($ldap, $entry['dn'], $pwdPolicyConfiguration);
 
         if ( $isLocked === false ) {
             unset($entries[$entry_key]);

htdocs/searchwillexpire.php

@@ -6,24 +6,20 @@
 require_once("../conf/config.inc.php");
 require __DIR__ . '/../vendor/autoload.php';
 
-[$ldap,$result,$nb_entries,$entries,$size_limit_reached] = $ldapInstance->search($ldap_user_filter, array('pwdpolicysubentry'), $attributes_map, $search_result_title, $search_result_sortby, $search_result_items, $ldap_scope);
+[$ldap,$result,$nb_entries,$entries,$size_limit_reached] = $ldapInstance->search($ldap_user_filter, array(), $attributes_map, $search_result_title, $search_result_sortby, $search_result_items, $ldap_scope);
 
 if ( !empty($entries) )
 {
     # Check if entry will soon expire
     foreach($entries as $entry_key => $entry) {
 
-        # Search active password policy
-        $pwdPolicy = "";
-        if (isset($entry['pwdpolicysubentry'][0])) {
-            $pwdPolicy = $entry['pwdpolicysubentry'][0];
-        } elseif (isset($ldap_default_ppolicy)) {
-            $pwdPolicy = $ldap_default_ppolicy;
-        }
+        # Get password policy configuration
+        $pwdPolicyConfiguration = $directory->getPwdPolicyConfiguration($ldap, $entry["dn"], $ldap_default_ppolicy);
+        if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_durantion; }
+        if ($ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; }
 
         $isWillExpire = false;
-        $pwdMaxAge = $directory->getPasswordMaxAge($ldap, $entry["dn"], array('pwdPolicy' => $pwdPolicy, 'pwdMaxAge' => $ldap_password_max_age));
-        $expirationDate = $directory->getPasswordExpirationDate($ldap, $entry["dn"], array('pwdMaxAge' => $pwdMaxAge));
+        $expirationDate = $directory->getPasswordExpirationDate($ldap, $entry["dn"], $pwdPolicyConfiguration);
 
         if ($expirationDate) {
             $expirationDateClone = clone $expirationDate;