From c634b273615b210ea08c32d5541bb63b6ad6acce Mon Sep 17 00:00:00 2001 From: hickert Date: Mon, 5 Jul 2010 14:32:49 +0000 Subject: [PATCH] Updated posixAccount status detection. git-svn-id: https://oss.gonicus.de/repositories/gosa/branches/2.6@18931 594d385d-05f5-0310-b6e9-bd551577e9d8 --- gosa-core/html/index.php | 2 +- gosa-core/html/main.php | 4 +- gosa-core/include/functions.inc | 181 +++++++++--------- .../personal/password/class_password.inc | 2 +- 4 files changed, 95 insertions(+), 94 deletions(-) diff --git a/gosa-core/html/index.php b/gosa-core/html/index.php index f8743b060..8cb5003dc 100644 --- a/gosa-core/html/index.php +++ b/gosa-core/html/index.php @@ -365,7 +365,7 @@ if (($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['login'])) || $htacces if ($config->get_cfg_value("handleExpiredAccounts") == "true"){ $expired= ldap_expired_account($config, $ui->dn, $ui->username); - if ($expired == 1){ + if ($expired == POSIX_ACCOUNT_EXPIRED){ $message= _("Account locked. Please contact your system administrator!"); $smarty->assign ('nextfield', 'password'); new log("security","login","",array(),"Account for user \"$username\" has expired") ; diff --git a/gosa-core/html/main.php b/gosa-core/html/main.php index 97c3c9bd8..a7dda33df 100644 --- a/gosa-core/html/main.php +++ b/gosa-core/html/main.php @@ -191,12 +191,12 @@ $plist->gen_menu(); $smarty->assign("hideMenus", FALSE); if ($config->get_cfg_value("handleExpiredAccounts") == "true"){ $expired= ldap_expired_account($config, $ui->dn, $ui->username); - if ($expired == 2){ + if ($expired == POSIX_WARN_ABOUT_EXPIRATION){ // The users password is about to xpire soon, display a warning message. new log("security","gosa","",array(),"password for user \"$ui->username\" is about to expire") ; msg_dialog::display(_("Password change"), _("Your password is about to expire, please change your password!"), INFO_DIALOG); - } elseif ($expired == 3){ + } elseif ($expired == POSIX_FORCE_PASSWORD_CHANGE){ // The password is expired, we are now going to enforce a new one from the user. diff --git a/gosa-core/include/functions.inc b/gosa-core/include/functions.inc index d89d0fb22..9e9a6d3ed 100644 --- a/gosa-core/include/functions.inc +++ b/gosa-core/include/functions.inc @@ -90,6 +90,13 @@ define ("DEBUG_SI", 256); /*! Debug level for communication with gosa-si */ define ("DEBUG_MAIL", 512); /*! Debug level for all about mail (mailAccounts, imap, sieve etc.) */ define ("DEBUG_FAI", 1024); // FAI (incomplete) + +// Define shadow states +define ("POSIX_ACCOUNT_EXPIRED", 1); +define ("POSIX_WARN_ABOUT_EXPIRATION", 2); +define ("POSIX_FORCE_PASSWORD_CHANGE", 4); +define ("POSIX_DISALLOW_PASSWORD_CHANGE", 8); + /* Rewrite german 'umlauts' and spanish 'accents' to get better results */ $REWRITE= array( "ä" => "ae", @@ -645,108 +652,102 @@ function ldap_login_user ($username, $password) } -/*! \brief Test if account is about to expire +/*! \brief Checks the posixAccount status by comparing the shadow attributes. * - * \param string 'userdn' the DN of the user - * \param string 'username' the username - * \return int Can be one of the following values: - * - 1 the account is locked - * - 2 warn the user that the password is about to expire and he should change - * his password - * - 3 force the user to change his password - * - 4 user should not be able to change his password - * */ + * @param Object The GOsa configuration object. + * @param String The 'dn' of the user to test the account status for. + * @param String The 'uid' of the user we're going to test. + * @return Const + * POSIX_ACCOUNT_EXPIRED - If the account is expired. + * POSIX_WARN_ABOUT_EXPIRATION - If the account is going to expire. + * POSIX_FORCE_PASSWORD_CHANGE - The password has to be changed. + * POSIX_DISALLOW_PASSWORD_CHANGE - The password cannot be changed right now. + * + */ function ldap_expired_account($config, $userdn, $username) { $ldap= $config->get_ldap_link(); + $ldap->cd($config->current['BASE']); $ldap->cat($userdn); $attrs= $ldap->fetch(); - - /* default value no errors */ - $expired = 0; - - $sExpire = 0; - $sLastChange = 0; - $sMax = 0; - $sMin = 0; - $sInactive = 0; - $sWarning = 0; - - $current= date("U"); - - $current= floor($current /60 /60 /24); - - /* special case of the admin, should never been locked */ - /* FIXME should allow any name as user admin */ - if($username != "admin") - { + $current= floor($date("U") /60 /60 /24); - if(isset($attrs['shadowExpire'][0])){ - $sExpire= $attrs['shadowExpire'][0]; - } else { - $sExpire = 0; - } - - if(isset($attrs['shadowLastChange'][0])){ - $sLastChange= $attrs['shadowLastChange'][0]; - } else { - $sLastChange = 0; - } - - if(isset($attrs['shadowMax'][0])){ - $sMax= $attrs['shadowMax'][0]; - } else { - $smax = 0; - } + // Fetch required attributes + foreach(array('shadowExpire','shadowLastChange','shadowMax','shadowMin', + 'shadowInactive','shadowWarning') as $attr){ + $$attr = (isset($attrs[$attr][0]))? $attrs[$attr][0] : null; + } - if(isset($attrs['shadowMin'][0])){ - $sMin= $attrs['shadowMin'][0]; - } else { - $sMin = 0; - } - - if(isset($attrs['shadowInactive'][0])){ - $sInactive= $attrs['shadowInactive'][0]; - } else { - $sInactive = 0; - } - - if(isset($attrs['shadowWarning'][0])){ - $sWarning= $attrs['shadowWarning'][0]; - } else { - $sWarning = 0; - } - - /* is the account locked */ - /* shadowExpire + shadowInactive (option) */ - if($sExpire >0){ - if($current >= ($sExpire+$sInactive)){ - return(1); - } - } - - /* the user should be warned to change is password */ - if((($sExpire >0) && ($sWarning >0)) && ($sExpire >= $current)){ - if (($sExpire - $current) < $sWarning){ - return(2); + + // Check if the account has expired. + // --------------------------------- + // An account is locked/expired once its expiration date has reached (shadowExpire). + // If the optional attribute (shadowInactive) is set, we've to postpone + // the account expiration by the amount of days specified in (shadowInactive). + if($shadowExpire != null && $shadowExpire >= $current){ + + // The account seems to be inactive, but we've to check 'shadowInactive' additionally. + // ShadowInactive specifies an amount of days we've to reprieve the user. + // It some kind of x days' grace. + if($shadowExpire == null || $shadowExpire + $shadowExpire >= $current){ + + // Finally we've detect that the account is deactivated. + return(POSIX_ACCOUNT_EXPIRED); } - } - - /* force user to change password */ - if(($sLastChange >0) && ($sMax) >0){ - if($current >= ($sLastChange+$sMax)){ - return(3); + } + + // The users password is going to expire. + // -------------------------------------- + // We've to warn the user in the case of an expiring account. + // An account is going to expire when it reaches its expiration date (shadowExpire). + // The user has to be warned, if the days left till expiration, match the + // configured warning period (shadowWarning) + // --> shadowWarning: Warn x days before account expiration. + if($shadowExpire != null && $shadowWarning != null){ + + // Check if the account is still active and not already expired. + if($shadowExpire >= $current){ + + // Check if we've to warn the user by comparing the remaining + // number of days till expiration with the configured amount + // of days in shadowWarning. + if(($shadowExpire - $current) <= $shadowWarning){ + return(POSIX_WARN_ABOUT_EXPIRATION); + } } - } - - /* the user should not be able to change is password */ - if(($sLastChange >0) && ($sMin >0)){ - if (($sLastChange + $sMin) >= $current){ - return(4); + } + + + // Check if we've to force the user to change his password. + // -------------------------------------------------------- + // A password change is enforced when the password is older than + // the configured amount of days (shadowMax). + // The age of the current password (shadowLastChange) plus the maximum + // amount amount of days (shadowMax) has to be smaller than the + // current timestamp. + if($shadowLastChange != null && $shadowMax != null){ + + // Check if we've an outdated password. + if($current >= ($shadowLastChange + $shadowMax)){ + return(POSIX_FORCE_PASSWORD_CHANGE); } - } } - return($expired); + + + // Check if we've to freeze the users password. + // -------------------------------------------- + // Once a user has changed his password, he cannot change it again + // for a given amount of days (shadowMin). + // We should not allow to change the password within GOsa too. + if($shadowLastChange != null && $shadowMin != null){ + + // Check if we've an outdated password. + if(($shadowLastChange + $shadowMin) >= $current){ + return(POSIX_DISALLOW_PASSWORD_CHANGE); + } + } + + return(NULL); } diff --git a/gosa-core/plugins/personal/password/class_password.inc b/gosa-core/plugins/personal/password/class_password.inc index 06e9db7b8..d3a67be21 100644 --- a/gosa-core/plugins/personal/password/class_password.inc +++ b/gosa-core/plugins/personal/password/class_password.inc @@ -70,7 +70,7 @@ class password extends plugin /* Display expiration template */ if ($this->config->get_cfg_value("handleExpiredAccounts") == "true"){ $expired= ldap_expired_account($this->config, $ui->dn, $ui->username); - if($expired == 4){ + if($expired == POSIX_DISALLOW_PASSWORD_CHANGE){ return($smarty->fetch(get_template_path("nochange.tpl", TRUE))); } } -- 2.30.2