From eeeabbf6940b0a91ffd5ca0ede352e4d5b14f865 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20OUDOT?=
Date: Mon, 26 Aug 2024 19:34:55 +0200
Subject: [PATCH] Use password policy configuration from Directory interface

---
 conf/config.inc.php | 5 ++++-
 htdocs/display.php | 21 +++++++++------------
 htdocs/lockaccount.php | 32 ++++++++++++--------------------
 htdocs/searchexpired.php | 17 ++++++-----------
 htdocs/searchlocked.php | 18 ++++++++---------
 htdocs/searchwillexpire.php | 16 ++++++----------
 6 files changed, 45 insertions(+), 64 deletions(-)

diff --git a/conf/config.inc.php b/conf/config.inc.php
index e6651dd..e673a5a 100644
--- a/conf/config.inc.php
+++ b/conf/config.inc.php
@@ -39,7 +39,10 @@
 $ldap_lastauth_attribute = "authTimestamp";
 #$ldap_network_timeout = 10;
 $ldap_type = "openldap";
-#$ldap_lockout_duration = 3600;
+
+# Override LDAP password policy configuration
+#$ldap_lockout_duration = 3600; # 1 hour
+#$ldap_password_max_age = 7889400; # 3 months
 
 # How display attributes
 $attributes_map = array(
diff --git a/htdocs/display.php b/htdocs/display.php
index 7969b21..754515b 100644
--- a/htdocs/display.php
+++ b/htdocs/display.php
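Review bot: The new example lines `#$ldap_lockout_duration = 3600; # 1 hour` and `#$ldap_password_max_age = 7889400; # 3 months` leave both variables undefined in a default install, while the pages in this patch test them with a bare `if ($ldap_lockout_duration)` / `if ($ldap_password_max_age)`, so every page load emits an undefined-variable warning until an admin uncomments them. Declaring defaults here, `$ldap_lockout_duration = NULL;` and `$ldap_password_max_age = NULL;`, above the commented examples keeps the examples and makes the bare checks safe. The comment could also state that these values are in seconds and that a value set here replaces the policy value read from the directory for every entry, since the consumer pages apply the override unconditionally — an admin should know the expired/locked lists can then diverge from what the server actually enforces.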
@@ -94,26 +94,23 @@
         $entry[0][$attr] = $values;
     }
 
-    # Include default password policy
-    if ( !$entry[0]['pwdpolicysubentry'] and $ldap_default_ppolicy) {
-        $entry[0]['pwdpolicysubentry'][] = $ldap_default_ppolicy;
-    }
-    $pwdPolicy = $entry[0]['pwdpolicysubentry'][0];
+    # Get password policy configuration
+    $pwdPolicyConfiguration = $directory->getPwdPolicyConfiguration($ldap, $dn, $ldap_default_ppolicy);
+    if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_durantion; }
+    if ($ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; }
 
     if ($display_edit_link) {
         # Replace {dn} in URL
         $edit_link = str_replace("{dn}", urlencode($dn), $display_edit_link);
     }
 
-    $lockoutDuration = $directory->getLockoutDuration($ldap, $dn, array('pwdPolicy' => $pwdPolicy, 'lockoutDuration' => $ldap_lockout_duration));
     $lockDate = $directory->getLockDate($ldap, $dn);
-    $unlockDate = $directory->getUnlockDate($ldap, $dn, array('lockoutDuration' => $lockoutDuration));
-    $isLocked = $directory->isLocked($ldap, $dn, array('lockoutDuration' => $lockoutDuration));
-    $canLockAccount = $directory->canLockAccount($ldap, $dn, array('pwdPolicy' => $pwdPolicy));
+    $unlockDate = $directory->getUnlockDate($ldap, $dn, $pwdPolicyConfiguration);
+    $isLocked = $directory->isLocked($ldap, $dn, $pwdPolicyConfiguration);
+    $canLockAccount = $pwdPolicyConfiguration["lockout_enabled"];
 
-    $pwdMaxAge = $directory->getPasswordMaxAge($ldap, $dn, array('pwdPolicy' => $pwdPolicy, 'pwdMaxAge' => $ldap_password_max_age));
-    $expirationDate = $directory->getPasswordExpirationDate($ldap, $dn, array('pwdMaxAge' => $pwdMaxAge));
-    $isExpired = $directory->isPasswordExpired($ldap, $dn, array('pwdMaxAge' => $pwdMaxAge));
+    $expirationDate = $directory->getPasswordExpirationDate($ldap, $dn, $pwdPolicyConfiguration);
+    $isExpired = $directory->isPasswordExpired($ldap, $dn, $pwdPolicyConfiguration);
 
     $resetAtNextConnection =
$directory->resetAtNextConnection($ldap, $dn); diff --git a/htdocs/lockaccount.php b/htdocs/lockaccount.php index 9239887..ad22e95 100644 --- a/htdocs/lockaccount.php +++ b/htdocs/lockaccount.php @@ -28,28 +28,20 @@ $ldap = $ldap_connection[0]; $result = $ldap_connection[1]; - $pwdPolicy = NULL; - if ($ldap) { - $search_ppolicysubentry = ldap_read($ldap, $dn, "(objectClass=*)", array('pwdpolicysubentry')); - $user_entry = ldap_get_entries($ldap, $search_ppolicysubentry); - - # Search active password policy - $pwdPolicy = ""; - if (isset($user_entry[0]['pwdpolicysubentry'][0])) { - $pwdPolicy = $user_entry[0]['pwdpolicysubentry'][0]; - } elseif (isset($ldap_default_ppolicy)) { - $pwdPolicy = $ldap_default_ppolicy; - } - } - - # Apply the modification only the password can be locked - if ($ldap and $directory->canLockAccount($ldap, $dn, array('pwdPolicy' => $pwdPolicy))) { - if ( $directory->lockAccount($ldap, $dn) ) { - $result = "accountlocked"; - } else { - $result = "ldaperror"; + # Get password policy configuration + $pwdPolicyConfiguration = $directory->getPwdPolicyConfiguration($ldap, $dn, $ldap_default_ppolicy); + if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_durantion; } + if ($ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; } + + # Apply the modification only the password can be locked + if ($pwdPolicyConfiguration["lockout_enabled"]) { + if ( $directory->lockAccount($ldap, $dn) ) { + $result = "accountlocked"; + } else { + $result = "ldaperror"; + } } } } diff --git a/htdocs/searchexpired.php b/htdocs/searchexpired.php index 0487fa4..8676733 100644 --- a/htdocs/searchexpired.php +++ b/htdocs/searchexpired.php 
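Review bot: The override line `if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_durantion; }` assigns a misspelled `$ldap_lockout_durantion`, an undefined variable, so whenever an admin configures the override the policy gets null (plus a warning) instead of the configured duration, and `getUnlockDate`/`isLocked` are then handed a null lockout duration; the identical line is copied into lockaccount.php, searchexpired.php, searchlocked.php and searchwillexpire.php. The fix is `if (isset($ldap_lockout_duration)) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_duration; }` with the matching `isset` for `$ldap_password_max_age`, since config.inc.php ships both commented out and the bare truthiness test warns on every page until they are set. Four identical lines in five files argue for a single helper (or for passing the overrides into getPwdPolicyConfiguration) so the next fix does not have to be made five times. `$canLockAccount = $pwdPolicyConfiguration["lockout_enabled"];` also reads the key unguarded; unless getPwdPolicyConfiguration is guaranteed to set it for every directory type (not visible here), `?? false` is the safer read.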
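Review bot: The new block calls `$directory->getPwdPolicyConfiguration($ldap, $dn, $ldap_default_ppolicy)` and then `lockAccount($ldap, $dn)` with no `$ldap` test, whereas the removed lines ran the lookup inside `if ($ldap) {` and locked only `if ($ldap and $directory->canLockAccount(...))`; after a failed connection `$ldap` is whatever `$ldap_connection[0]` returned, the directory calls now receive it anyway, and a failing `lockAccount` overwrites the `$result` just taken from `$ldap_connection[1]`. The enclosing block opens before the hunk, so an outer guard I cannot see may cover this; if not, `if ($ldap and $pwdPolicyConfiguration["lockout_enabled"]) {` restores the previous behaviour. The lockout override line here carries the same `$ldap_lockout_durantion` typo noted on display.php.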
@@ -6,24 +6,19 @@
 require_once("../conf/config.inc.php");
 require __DIR__ . '/../vendor/autoload.php';
 
-[$ldap,$result,$nb_entries,$entries,$size_limit_reached] = $ldapInstance->search($ldap_user_filter, array('pwdpolicysubentry'), $attributes_map, $search_result_title, $search_result_sortby, $search_result_items, $ldap_scope);
+[$ldap,$result,$nb_entries,$entries,$size_limit_reached] = $ldapInstance->search($ldap_user_filter, array(), $attributes_map, $search_result_title, $search_result_sortby, $search_result_items, $ldap_scope);
 
 if ( !empty($entries) ) {
 
     # Check if entry is expired
     foreach($entries as $entry_key => $entry) {
 
-        # Search active password policy
-        $pwdPolicy = "";
-        if (isset($entry['pwdpolicysubentry'][0])) {
-            $pwdPolicy = $entry['pwdpolicysubentry'][0];
-        } elseif (isset($ldap_default_ppolicy)) {
-            $pwdPolicy = $ldap_default_ppolicy;
-        }
+        # Get password policy configuration
+        $pwdPolicyConfiguration = $directory->getPwdPolicyConfiguration($ldap, $entry["dn"], $ldap_default_ppolicy);
+        if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_durantion; }
+        if ($ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; }
 
-        $pwdMaxAge = $directory->getPasswordMaxAge($ldap, $entry["dn"], array('pwdPolicy' => $pwdPolicy, 'pwdMaxAge' => $ldap_password_max_age));
-        $expirationDate = $directory->getPasswordExpirationDate($ldap, $entry["dn"], array('pwdMaxAge' => $pwdMaxAge));
-        $isExpired = $directory->isPasswordExpired($ldap, $entry["dn"], array('pwdMaxAge' => $pwdMaxAge));
+        $isExpired = $directory->isPasswordExpired($ldap, $entry["dn"], $pwdPolicyConfiguration);
 
         if ( $isExpired === false ) {
             unset($entries[$entry_key]);
diff --git a/htdocs/searchlocked.php b/htdocs/searchlocked.php
index d23be77..8b10b35 100644
--- a/htdocs/searchlocked.php
+++ b/htdocs/searchlocked.php
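Review bot: The search call drops `array('pwdpolicysubentry')` for `array()`, and the policy is instead resolved per entry inside the `foreach` via `$directory->getPwdPolicyConfiguration($ldap, $entry["dn"], $ldap_default_ppolicy)`, which presumably has to read each entry again — one extra directory round trip per listed user, bounded only by the search result size, where the old code took the attribute from the single search; searchlocked.php and searchwillexpire.php follow the same pattern. If getPwdPolicyConfiguration can accept the already-fetched entry or its pwdpolicysubentry value, keeping the attribute in the search and handing it over avoids the N+1 reads. The override lines also carry the `$ldap_lockout_durantion` typo, and the lockout override is built although only `isPasswordExpired` is consulted here.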
@@ -6,22 +6,20 @@
 require_once("../conf/config.inc.php");
 require __DIR__ . '/../vendor/autoload.php';
 
-[$ldap,$result,$nb_entries,$entries,$size_limit_reached] = $ldapInstance->search($ldap_user_filter, array('pwdpolicysubentry'), $attributes_map, $search_result_title, $search_result_sortby, $search_result_items, $ldap_scope);
+[$ldap,$result,$nb_entries,$entries,$size_limit_reached] = $ldapInstance->search($ldap_user_filter, array(), $attributes_map, $search_result_title, $search_result_sortby, $search_result_items, $ldap_scope);
 
 if ( !empty($entries) ) {
 
     # Check if entry is still locked
     foreach($entries as $entry_key => $entry) {
 
-        # Search active password policy
-        $pwdPolicy = "";
-        if (isset($entry['pwdpolicysubentry'][0])) {
-            $pwdPolicy = $entry['pwdpolicysubentry'][0];
-        } elseif (isset($ldap_default_ppolicy)) {
-            $pwdPolicy = $ldap_default_ppolicy;
-        }
-        $lockoutDuration = $directory->getLockoutDuration($ldap, $entry['dn'], array('pwdPolicy' => $pwdPolicy, 'lockoutDuration' => $ldap_lockout_duration));
-        $isLocked = $directory->isLocked($ldap, $entry['dn'], array('lockoutDuration' => $lockoutDuration));
+
+        # Get password policy configuration
+        $pwdPolicyConfiguration = $directory->getPwdPolicyConfiguration($ldap, $entry["dn"], $ldap_default_ppolicy);
+        if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_durantion; }
+        if ($ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; }
+
+        $isLocked = $directory->isLocked($ldap, $entry['dn'], $pwdPolicyConfiguration);
 
         if ( $isLocked === false ) {
             unset($entries[$entry_key]);
diff --git a/htdocs/searchwillexpire.php b/htdocs/searchwillexpire.php
index 1238a27..75c609d 100644
--- a/htdocs/searchwillexpire.php
+++ b/htdocs/searchwillexpire.php
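Review bot: The removed lines read `$ldap_default_ppolicy` only after `isset($ldap_default_ppolicy)`, whereas the new `getPwdPolicyConfiguration($ldap, $entry["dn"], $ldap_default_ppolicy)` passes it unconditionally; if config.inc.php can leave it undeclared (its declaration is not in this patch), that is a warning per listed entry, so `$ldap_default_ppolicy ?? NULL` or a declared default keeps the old tolerance. The same applies to the calls in searchexpired.php, searchwillexpire.php and lockaccount.php. Here `password_max_age` is overridden but only `isLocked` is consulted — harmless, but it shows these four lines are a copy-paste that belongs in one helper.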
@@ -6,24 +6,20 @@
 require_once("../conf/config.inc.php");
 require __DIR__ . '/../vendor/autoload.php';
 
-[$ldap,$result,$nb_entries,$entries,$size_limit_reached] = $ldapInstance->search($ldap_user_filter, array('pwdpolicysubentry'), $attributes_map, $search_result_title, $search_result_sortby, $search_result_items, $ldap_scope);
+[$ldap,$result,$nb_entries,$entries,$size_limit_reached] = $ldapInstance->search($ldap_user_filter, array(), $attributes_map, $search_result_title, $search_result_sortby, $search_result_items, $ldap_scope);
 
 if ( !empty($entries) ) {
 
     # Check if entry will soon expire
     foreach($entries as $entry_key => $entry) {
 
-        # Search active password policy
-        $pwdPolicy = "";
-        if (isset($entry['pwdpolicysubentry'][0])) {
-            $pwdPolicy = $entry['pwdpolicysubentry'][0];
-        } elseif (isset($ldap_default_ppolicy)) {
-            $pwdPolicy = $ldap_default_ppolicy;
-        }
+        # Get password policy configuration
+        $pwdPolicyConfiguration = $directory->getPwdPolicyConfiguration($ldap, $entry["dn"], $ldap_default_ppolicy);
+        if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_durantion; }
+        if ($ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; }
 
         $isWillExpire = false;
-        $pwdMaxAge = $directory->getPasswordMaxAge($ldap, $entry["dn"], array('pwdPolicy' => $pwdPolicy, 'pwdMaxAge' => $ldap_password_max_age));
-        $expirationDate = $directory->getPasswordExpirationDate($ldap, $entry["dn"], array('pwdMaxAge' => $pwdMaxAge));
+        $expirationDate = $directory->getPasswordExpirationDate($ldap, $entry["dn"], $pwdPolicyConfiguration);
 
         if ($expirationDate) {
             $expirationDateClone = clone $expirationDate;