diff options
Diffstat (limited to 'inc/auth/ad.class.php')
| -rw-r--r-- | inc/auth/ad.class.php | 88 |
1 files changed, 62 insertions, 26 deletions
diff --git a/inc/auth/ad.class.php b/inc/auth/ad.class.php index 1fddad243..bc4168527 100644 --- a/inc/auth/ad.class.php +++ b/inc/auth/ad.class.php @@ -26,15 +26,17 @@ * $conf['auth']['ad']['use_ssl'] = 1; * $conf['auth']['ad']['use_tls'] = 1; * $conf['auth']['ad']['debug'] = 1; + * // warn user about expiring password this many days in advance: + * $conf['auth']['ad']['expirywarn'] = 5; * * // get additional information to the userinfo array * // add a list of comma separated ldap contact fields. * $conf['auth']['ad']['additional'] = 'field1,field2'; * - * @license GPL 2 (http://www.gnu.org/licenses/gpl.html) - * @author James Van Lommel <jamesvl@gmail.com> - * @link http://www.nosq.com/blog/2005/08/ldap-activedirectory-and-dokuwiki/ - * @author Andreas Gohr <andi@splitbrain.org> + * @license GPL 2 (http://www.gnu.org/licenses/gpl.html) + * @author James Van Lommel <jamesvl@gmail.com> + * @link http://www.nosq.com/blog/2005/08/ldap-activedirectory-and-dokuwiki/ + * @author Andreas Gohr <andi@splitbrain.org> */ require_once(DOKU_INC.'inc/adLDAP.php'); @@ -44,15 +46,15 @@ class auth_ad extends auth_basic { var $opts = null; var $adldap = null; var $users = null; + var $msgshown = false; /** * Constructor */ - function auth_ad() { + function __construct() { global $conf; $this->cnf = $conf['auth']['ad']; - // additional information fields if (isset($this->cnf['additional'])) { $this->cnf['additional'] = str_replace(' ', '', $this->cnf['additional']); @@ -69,21 +71,21 @@ class auth_ad extends auth_basic { // Prepare SSO if($_SERVER['REMOTE_USER'] && $this->cnf['sso']){ - // remove possible NTLM domain - list($dom,$usr) = explode('\\',$_SERVER['REMOTE_USER'],2); - if(!$usr) $usr = $dom; + // remove possible NTLM domain + list($dom,$usr) = explode('\\',$_SERVER['REMOTE_USER'],2); + if(!$usr) $usr = $dom; - // remove possible Kerberos domain - list($usr,$dom) = explode('@',$usr); + // remove possible Kerberos domain + list($usr,$dom) = explode('@',$usr); - $dom = strtolower($dom); - $_SERVER['REMOTE_USER'] = $usr; + $dom = strtolower($dom); + $_SERVER['REMOTE_USER'] = $usr; - // we need to simulate a login - if(empty($_COOKIE[DOKU_COOKIE])){ - $_REQUEST['u'] = $_SERVER['REMOTE_USER']; - $_REQUEST['p'] = 'sso_only'; - } + // we need to simulate a login + if(empty($_COOKIE[DOKU_COOKIE])){ + $_REQUEST['u'] = $_SERVER['REMOTE_USER']; + $_REQUEST['p'] = 'sso_only'; + } } // prepare adLDAP standard configuration @@ -144,11 +146,15 @@ class auth_ad extends auth_basic { * * @author James Van Lommel <james@nosq.com> */ - function getUserData($user){ + function getUserData($user){ global $conf; + global $lang; + global $ID; if(!$this->_init()) return false; - $fields = array('mail','displayname','samaccountname'); + if($user == '') return array(); + + $fields = array('mail','displayname','samaccountname','lastpwd','pwdlastset','useraccountcontrol'); // add additional fields to read $fields = array_merge($fields, $this->cnf['additional']); @@ -156,11 +162,19 @@ class auth_ad extends auth_basic { //get info for given user $result = $this->adldap->user_info($user, $fields); + if($result == false){ + return array(); + } + //general user info - $info['name'] = $result[0]['displayname'][0]; - $info['mail'] = $result[0]['mail'][0]; - $info['uid'] = $result[0]['samaccountname'][0]; - $info['dn'] = $result[0]['dn']; + $info['name'] = $result[0]['displayname'][0]; + $info['mail'] = $result[0]['mail'][0]; + $info['uid'] = $result[0]['samaccountname'][0]; + $info['dn'] = $result[0]['dn']; + //last password set (Windows counts from January 1st 1601) + $info['lastpwd'] = $result[0]['pwdlastset'][0] / 10000000 - 11644473600; + //will it expire? + $info['expires'] = !($result[0]['useraccountcontrol'][0] & 0x10000); //ADS_UF_DONT_EXPIRE_PASSWD // additional information foreach ($this->cnf['additional'] as $field) { @@ -183,6 +197,29 @@ class auth_ad extends auth_basic { $info['grps'][] = $conf['defaultgroup']; } + // check expiry time + if($info['expires'] && $this->cnf['expirywarn']){ + $result = $this->adldap->domain_info(array('maxpwdage')); // maximum pass age + $maxage = -1 * $result['maxpwdage'][0] / 10000000; // negative 100 nanosecs + $timeleft = $maxage - (time() - $info['lastpwd']); + $timeleft = round($timeleft/(24*60*60)); + $info['expiresin'] = $timeleft; + + // if this is the current user, warn him (once per request only) + if( ($_SERVER['REMOTE_USER'] == $user) && + ($timeleft <= $this->cnf['expirywarn']) && + !$this->msgshown + ){ + $msg = sprintf($lang['authpwdexpire'],$timeleft); + if($this->canDo('modPass')){ + $url = wl($ID,array('do'=>'profile')); + $msg .= ' <a href="'.$url.'">'.$lang['btn_profile'].'</a>'; + } + msg($msg); + $this->msgshown = true; + } + } + return $info; } @@ -259,7 +296,7 @@ class auth_ad extends auth_basic { * @param $user nick of the user to be changed * @param $changes array of field/value pairs to be changed * @return bool - */ + */ function modifyUser($user, $changes) { $return = true; @@ -342,7 +379,6 @@ class auth_ad extends auth_basic { function _constructPattern($filter) { $this->_pattern = array(); foreach ($filter as $item => $pattern) { -// $this->_pattern[$item] = '/'.preg_quote($pattern,"/").'/i'; // don't allow regex characters $this->_pattern[$item] = '/'.str_replace('/','\/',$pattern).'/i'; // allow regex characters } } |