authorAndreas Gohr <andi@splitbrain.org>2012-03-10 16:24:48 +0100
committerAndreas Gohr <andi@splitbrain.org>2012-03-10 16:24:48 +0100
commitc9f847f625f0f4094fe46392a06e4f4169f7d44c (patch)
tree340adc99aa6ac48603b6019b27058932019d06d2
parent70f8c497b285679b9e4450e496b717ccc409af03 (diff)
parent1e5105f90f56d0f57111eff37a535480115920c5 (diff)
Merge branch 'adexpirywarn'
* adexpirywarn: make sure AD pass expiry message is never shown twice do not hardcode profile link in AD pass expire message translatable AD expiry warning and link to update profile page Don't return any data for non-existent users do not query AD for empty user name always check expire time when configured Check password expiry times in Active Directory backend
-rw-r--r--inc/adLDAP.php20
-rw-r--r--inc/auth/ad.class.php48
-rw-r--r--inc/lang/de/lang.php1
-rw-r--r--inc/lang/en/lang.php1
4 files changed, 65 insertions, 5 deletions
diff --git a/inc/adLDAP.php b/inc/adLDAP.php
index a64096b85..24be6e475 100644
--- a/inc/adLDAP.php
+++ b/inc/adLDAP.php
@@ -1021,6 +1021,26 @@ class adLDAP {
}
/**
+ * Return info about the domain itself
+ *
+ * @authot Andreas Gohr <gohr@cosmocode.de>
+ * @param array $fields The fields to query
+ * @return array
+ */
+ public function domain_info($fields){
+ if (!$this->_bind){ return (false); }
+
+ $sr = ldap_read($this->_conn, $this->_base_dn, 'objectclass=*', $fields);
+ if (!$sr) {
+ return false;
+ }
+ $info = ldap_get_entries($this->_conn, $sr);
+ if(count($info)) return $info[0];
+
+ return false;
+ }
+
+ /**
* Determine a user's password expiry date
*
* @param string $username The username to query
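Review bot: The empty-result test `if(count($info)) return $info[0];` in the new `domain_info()` never takes the false branch, because `ldap_get_entries()` always returns an array containing a `count` element (and false on error, which `count()` also reports as 1 on PHP 5), so a read that matches nothing returns the undefined `$info[0]` with a notice instead of the documented false. Replace the check with `if($info === false || empty($info['count'])) return false;` followed by `return $info[0];`. The docblock tag `@authot` is a typo for `@author`. Callers that read attributes straight off the return value should still check for false, since an unbound connection returns it on the first line of the method.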
diff --git a/inc/auth/ad.class.php b/inc/auth/ad.class.php
index 1fddad243..cc080dc93 100644
--- a/inc/auth/ad.class.php
+++ b/inc/auth/ad.class.php
@@ -26,6 +26,8 @@
* $conf['auth']['ad']['use_ssl'] = 1;
* $conf['auth']['ad']['use_tls'] = 1;
* $conf['auth']['ad']['debug'] = 1;
+ * // warn user about expiring password this many days in advance:
+ * $conf['auth']['ad']['expirywarn'] = 5;
*
* // get additional information to the userinfo array
* // add a list of comma separated ldap contact fields.
@@ -44,6 +46,7 @@ class auth_ad extends auth_basic {
var $opts = null;
var $adldap = null;
var $users = null;
+ var $msgshown = false;
/**
* Constructor
@@ -146,9 +149,13 @@ class auth_ad extends auth_basic {
*/
function getUserData($user){
global $conf;
+ global $lang;
+ global $ID;
if(!$this->_init()) return false;
- $fields = array('mail','displayname','samaccountname');
+ if($user == '') return array();
+
+ $fields = array('mail','displayname','samaccountname','lastpwd','pwdlastset','useraccountcontrol');
// add additional fields to read
$fields = array_merge($fields, $this->cnf['additional']);
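Review bot: `'lastpwd'` in the new `$fields` list does not look like an attribute the later hunk reads back — that code uses `pwdlastset` and derives `$info['lastpwd']` from it — so it appears to be the output key added to the query list by mistake; dropping it, `$fields = array('mail','displayname','samaccountname','pwdlastset','useraccountcontrol');`, avoids requesting an attribute that will not be returned. The added empty-user guard compares with `==`; `if($user === '') return array();` makes the intent explicit and does not depend on PHP's loose string/number comparison rules. The body of `getUserData()` continues beyond this hunk.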
@@ -156,11 +163,19 @@ class auth_ad extends auth_basic {
//get info for given user
$result = $this->adldap->user_info($user, $fields);
+ if($result == false){
+ return array();
+ }
+
//general user info
- $info['name'] = $result[0]['displayname'][0];
- $info['mail'] = $result[0]['mail'][0];
- $info['uid'] = $result[0]['samaccountname'][0];
- $info['dn'] = $result[0]['dn'];
+ $info['name'] = $result[0]['displayname'][0];
+ $info['mail'] = $result[0]['mail'][0];
+ $info['uid'] = $result[0]['samaccountname'][0];
+ $info['dn'] = $result[0]['dn'];
+ //last password set (Windows counts from January 1st 1601)
+ $info['lastpwd'] = $result[0]['pwdlastset'][0] / 10000000 - 11644473600;
+ //will it expire?
+ $info['expires'] = !($result[0]['useraccountcontrol'][0] & 0x10000); //ADS_UF_DONT_EXPIRE_PASSWD
// additional information
foreach ($this->cnf['additional'] as $field) {
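Review bot: The new lines reading `$result[0]['pwdlastset'][0]` and `$result[0]['useraccountcontrol'][0]` assume both attributes are present in the entry; if the bind account cannot read them the code emits undefined-index notices, `lastpwd` ends up around -11644473600 and `expires` is set to true, which makes the later expiry warning fire for no reason. Guard the reads: `$info['lastpwd'] = isset($result[0]['pwdlastset'][0]) ? $result[0]['pwdlastset'][0] / 10000000 - 11644473600 : 0;` and `$info['expires'] = isset($result[0]['useraccountcontrol'][0]) && !($result[0]['useraccountcontrol'][0] & 0x10000);`. AD also stores 0 in pwdLastSet when the user must change the password at next logon, so the same large negative `lastpwd` arises there; the consumer of that value in the next hunk should treat a non-positive `lastpwd` as "already expired" rather than compute days from it. The enclosing function continues outside this hunk.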
@@ -183,6 +198,29 @@ class auth_ad extends auth_basic {
$info['grps'][] = $conf['defaultgroup'];
}
+ // check expiry time
+ if($info['expires'] && $this->cnf['expirywarn']){
+ $result = $this->adldap->domain_info(array('maxpwdage')); // maximum pass age
+ $maxage = -1 * $result['maxpwdage'][0] / 10000000; // negative 100 nanosecs
+ $timeleft = $maxage - (time() - $info['lastpwd']);
+ $timeleft = round($timeleft/(24*60*60));
+ $info['expiresin'] = $timeleft;
+
+ // if this is the current user, warn him (once per request only)
+ if( ($_SERVER['REMOTE_USER'] == $user) &&
+ ($timeleft <= $this->cnf['expirywarn']) &&
+ !$this->msgshown
+ ){
+ $msg = sprintf($lang['authpwdexpire'],$timeleft);
+ if($this->canDo('modPass')){
+ $url = wl($ID,array('do'=>'profile'));
+ $msg .= ' <a href="'.$url.'">'.$lang['btn_profile'].'</a>';
+ }
+ msg($msg);
+ $this->msgshown = true;
+ }
+ }
+
return $info;
}
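Review bot: The value returned by `domain_info()` on the first line of the added expiry block is used without checking for failure; that method returns false when the bind or read fails, so `$result['maxpwdage'][0]` becomes null, `$maxage` becomes 0, and every user whose password can expire is warned about a negative number of days. Add a guard right after the call, `if(!$result || empty($result['maxpwdage'][0])) return $info; // no usable policy value: skip the warning`, which also covers a zero `maxpwdage` that would otherwise trigger the warning unconditionally. The once-per-request check keys on `$_SERVER['REMOTE_USER'] == $user` with loose comparison; `===` avoids surprises with non-string values. `$url` is concatenated into the anchor without HTML escaping; if `wl()` does not already return an escaped URL, wrap it in `htmlspecialchars()`. `getUserData()` begins outside this hunk.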
diff --git a/inc/lang/de/lang.php b/inc/lang/de/lang.php
index a4360b2a4..63ffd3008 100644
--- a/inc/lang/de/lang.php
+++ b/inc/lang/de/lang.php
@@ -273,6 +273,7 @@ $lang['subscr_style_digest'] = 'Zusammenfassung der Änderungen für jede verÃ
$lang['subscr_style_list'] = 'Liste der geänderten Seiten (Alle %.2f Tage)';
$lang['authmodfailed'] = 'Benutzerüberprüfung nicht möglich. Bitte wenden Sie sich an den Systembetreuer.';
$lang['authtempfail'] = 'Benutzerüberprüfung momentan nicht möglich. Falls das Problem andauert, wenden Sie sich an den Systembetreuer.';
+$lang['authpwdexpire'] = 'Ihr Passwort läuft in %d Tag(en) ab, Sie sollten es bald ändern.';
$lang['i_chooselang'] = 'Wählen Sie Ihre Sprache';
$lang['i_installer'] = 'DokuWiki Installation';
$lang['i_wikiname'] = 'Wiki-Name';
diff --git a/inc/lang/en/lang.php b/inc/lang/en/lang.php
index e0fe98b86..2ba220e64 100644
--- a/inc/lang/en/lang.php
+++ b/inc/lang/en/lang.php
@@ -280,6 +280,7 @@ $lang['subscr_style_list'] = 'list of changed pages since last email (e
/* auth.class language support */
$lang['authmodfailed'] = 'Bad user authentication configuration. Please inform your Wiki Admin.';
$lang['authtempfail'] = 'User authentication is temporarily unavailable. If this situation persists, please inform your Wiki Admin.';
+$lang['authpwdexpire'] = 'Your password will expire in %d days, you should change it soon.';
/* installer strings */
$lang['i_chooselang'] = 'Choose your language';