
Fixed bug 2012

Started work with bug 2007
Bug 1969 is partially fixed. The ldap-module now supports password expiration.
Some work with bugs 761 and 1730

Changes in login/index.php
Reordered some code to make variables reusable in multiple places.
Added redirection in case of expired password
commit 089b19f63109285b3fed84bdeeb6f112cbbd86fa 1 parent 86fd04f
paca70 authored
7 auth/ldap/config.html
@@ -241,7 +241,6 @@
<tr>
<td colspan="2">
<h4><?php print_string("auth_ldap_passwdexpire_settings", "auth") ?> </h4>
- <p> NOTE! This just configuration interface for expiration, code does not support expiration yet.!</p>
</td>
</tr>
@@ -249,9 +248,9 @@
<td align="right"><P>ldap_expiration:</td>
<td>
<?php
- $expiration['internal'] = "No";
- $expiration['ldap'] = "LDAP";
- choose_from_menu($expiration, "ldap_expriration", $config->ldap_expiration, "");
+ $expiration['0'] = "No";
+ $expiration['1'] = "LDAP";
+ choose_from_menu($expiration, "ldap_expiration", $config->ldap_expiration, "");
if (isset($err["ldap_expiration"])) formerr($err["ldap_expiration"]);
?>
</td>
112 auth/ldap/lib.php
@@ -257,6 +257,40 @@ function auth_get_users($filter='*') {
return $fresult;
}
+function auth_password_expire($username) {
+// returns number of days to password expiration
+// 0 if passowrd does not expire
+// or negative value if password is already expired
+ global $CFG ;
+ $result = false;
+
+ $ldapconnection = auth_ldap_connect();
+ $user_dn = auth_ldap_find_userdn($ldapconnection, $username);
+ $search_attribs = array($CFG->ldap_expireattr);
+ $sr = ldap_read($ldapconnection, $user_dn, 'objectclass=*', $search_attribs);
+ if ($sr) {
+ $info=ldap_get_entries($ldapconnection, $sr);
+ if ( empty($info[0][strtolower($CFG->ldap_expireattr)][0])) {
+ //error_log("ldap: no expiration value".$info[0][$CFG->ldap_expireattr]);
+ // no expiration attribute, password does not expire
+ $result = 0;
+ } else {
+ $now = time();
+ $expiretime = auth_ldap_expirationtime2unix($info[0][strtolower($CFG->ldap_expireattr)][0]);
+ if ($expiretime > $now) {
+ $result = ceil(($expiretime - $now) / DAYSECS);
+ } else {
+ $result = floor(($expiretime - $now) / DAYSECS);
+ }
+ }
+ } else {
+ error_log("ldap: auth_password_expire did't find expiration time!.");
+ }
+
+ //error_log("ldap: auth_password_expire user $user_dn expires in $result days!");
+ return $result;
+}
+
function auth_sync_users ($unsafe_optimizations = false, $bulk_insert_records = 1) {
//Syncronizes userdb with ldap
//This will add, rename
@@ -545,7 +579,7 @@ function auth_ldap_init () {
global $CFG;
$default['ldap_objectclass'] = array(
- 'edir' => 'inetOrgPerson',
+ 'edir' => 'User',
'posix' => 'posixAccount',
'samba' => 'sambaSamAccount',
'ad' => 'user',
@@ -559,12 +593,28 @@ function auth_ldap_init () {
'default' => 'cn'
);
$default['ldap_memberattribute'] = array(
- 'edir' => 'groupMembership',
+ 'edir' => 'member',
'posix' => 'member',
'samba' => 'member',
'ad' => 'member', //is this right?
'default' => 'member'
);
+ $default['ldap_memberattribute_isdn'] = array(
+ 'edir' => '1',
+ 'posix' => '0',
+ 'samba' => '0', //is this right?
+ 'ad' => '0', //is this right?
+ 'default' => '0'
+ );
+ $default['ldap_expireattr'] = array (
+ 'edir' => 'passwordExpirationTime',
+ 'posix' => 'shadowExpire',
+ 'samba' => '', //No support yet
+ 'ad' => '', //No support yet
+ 'default' => ''
+ );
+
+
foreach ($default as $key => $value) {
//set defaults if overriding fields not set
@@ -572,7 +622,7 @@ function auth_ldap_init () {
if (!empty($CFG->ldap_user_type) && !empty($default[$key][$CFG->ldap_user_type])) {
$CFG->{$key} = $default[$key][$CFG->ldap_user_type];
}else {
- //use defaut value if user_type not set
+ //use default value if user_type not set
if(!empty($default[$key]['default'])){
$CFG->$key = $default[$key]['default'];
}else {
@@ -589,29 +639,63 @@ function auth_ldap_init () {
//all chages go in $CFG , no need to return value
}
+function auth_ldap_expirationtime2unix ($time) {
+// takes expriration timestamp readed from ldap
+// returns it as unix seconds
+// depends on $CFG->usertype variable
+
+ global $CFG;
+ $result = false;
+ switch ($CFG->ldap_user_type) {
+ case 'edir':
+ $yr=substr($time,0,4);
+ $mo=substr($time,4,2);
+ $dt=substr($time,6,2);
+ $hr=substr($time,8,2);
+ $min=substr($time,10,2);
+ $sec=substr($time,12,2);
+ $result = mktime($hr,$min,$sec,$mo,dt,$yr);
+ break;
+ case 'posix':
+ $result = $time * DAYSECS ; //The shadowExpire contains the number of DAYS between 01/01/1970 and the actual expiration date
+ break;
+ default:
+ error('CFG->ldap_user_type not defined or function auth_ldap_expirationtime2unix does not support selected type!');
+ }
+ return $result;
+}
+
function auth_ldap_isgroupmember ($username='', $groupdns='') {
// Takes username and groupdn(s) , separated by ;
// Returns true if user is member of any given groups
- global $CFG, $USER;
-
-
+ global $CFG ;
+ $result = false;
+ $ldapconnection = auth_ldap_connect();
+
if (empty($username) OR empty($groupdns)) {
- return false;
+ return $result;
}
+ if ($CFG->ldap_memberattribute_isdn) {
+ $username=auth_ldap_find_userdn($ldapconnection, $username);
+ }
+
$groups = explode(";",$groupdns);
- //build filter
- $filter = "(& ($CFG->ldap_user_attribute=$username)(|";
foreach ($groups as $group){
- $filter .= "($CFG->ldap_memberattribute=$group)";
+ $search = @ldap_read($ldapconnection, $group, '('.$CFG->ldap_memberattribute.'='.$username.')', array($CFG->ldap_memberattribute));
+ if ($search) {$info = ldap_get_entries($ldapconnection, $search);
+
+ if ($info['count'] > 0 ) {
+ // user is member of group
+ $result = true;
+ break;
+ }
+ }
}
- $filter .= "))";
- //search
- $result = auth_ldap_get_userlist($filter);
- return count($result);
+ return $result;
}
function auth_ldap_connect(){
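Review bot: In `auth_ldap_isgroupmember` the filter handed to `ldap_read()` is built by concatenating `$username` unescaped, so when `ldap_memberattribute_isdn` is off a login name containing characters that are special in a filter changes what the membership test matches. The value should be escaped per RFC 4515 before it goes into the filter, for example with a small helper like the one below (or `ldap_escape()` where the supported PHP version provides it). The `@` on `ldap_read()` also makes a failed search indistinguishable from "not a member", so logging the failure with `error_log()`, as `auth_password_expire` does, would help when this is used for access decisions. In the same hunk, `auth_ldap_expirationtime2unix` passes a bare `dt` to `mktime()`, so the parsed day of month is not used; the line should read `$result = mktime($hr,$min,$sec,$mo,$dt,$yr);`, and its header comment should name `$CFG->ldap_user_type` rather than `$CFG->usertype`.

```php
// Escape a value for use in an LDAP search filter (RFC 4515).
function auth_ldap_filter_escape($value) {
    // Backslash goes first so the escapes added below are not escaped again.
    $special = array('\\',   '*',    '(',    ')',    "\0");
    $escaped = array('\\5c', '\\2a', '\\28', '\\29', '\\00');
    return str_replace($special, $escaped, $value);
}

// … unchanged: auth_ldap_isgroupmember() up to the foreach over $groups …
    foreach ($groups as $group){
        $filter = '('.$CFG->ldap_memberattribute.'='.auth_ldap_filter_escape($username).')';
        $search = @ldap_read($ldapconnection, $group, $filter, array($CFG->ldap_memberattribute));
        // … unchanged: ldap_get_entries() and the count check …
```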
2  lang/en/auth.php
@@ -77,6 +77,8 @@
$string['auth_nonetitle'] = 'No authentication';
$string['auth_pamdescription'] = 'This method uses PAM to access the native usernames on this server. You have to install <a href=\"http://www.math.ohio-state.edu/~ccunning/pam_auth/\" target=\"_blank\">PHP4 PAM Authentication</a> in order to use this module.';
$string['auth_pamtitle'] = 'PAM (Pluggable Authentication Modules)';
+$string['auth_passwordwillexpire'] = 'Your password will expire in $a days. Do you want change your password now?';
+$string['auth_passwordisexpired'] = 'Your password is expired. Do you want change your password now?';
$string['auth_pop3description'] = 'This method uses a POP3 server to check whether a given username and password is valid.';
$string['auth_pop3host'] = 'The POP3 server address. Use the IP number, not DNS name.';
$string['auth_pop3mailbox'] = 'Name of the mailbox to attempt a connection with. (usually INBOX)';
85 login/index.php
@@ -20,6 +20,27 @@
notify("Could not create guest user record !!!");
}
}
+
+ //Define variables used in page
+ if (!$site = get_site()) {
+ error("No site found!");
+ }
+
+ if (empty($CFG->langmenu)) {
+ $langmenu = "";
+ } else {
+ $currlang = current_language();
+ $langs = get_list_of_languages();
+ if (empty($CFG->loginhttps)) {
+ $wwwroot = $CFG->wwwroot;
+ } else {
+ $wwwroot = str_replace('http','https',$CFG->wwwroot);
+ }
+ $langmenu = popup_form ("$wwwroot/login/index.php?lang=", $langs, "chooselang", $currlang, "", "", "", true);
+ }
+
+ $loginsite = get_string("loginsite");
+
$frm = false;
if ((!empty($SESSION->wantsurl) and strstr($SESSION->wantsurl,"username=guest")) or $loginguest) {
@@ -69,13 +90,19 @@
unset($SESSION->lang);
$SESSION->justloggedin = true;
+ //Select password change url
+ if (is_internal_auth() || $CFG->{'auth_'.$USER->auth.'_stdchangepassword'}){
+ $passwordchangeurl=$CFG->wwwroot.'/login/change_password.php';
+ } elseif($CFG->changepassword) {
+ $passwordchangeurl=$CFG->changepassword;
+ }
+
+
// check whether the user should be changing password
reload_user_preferences();
if ($USER->preference['auth_forcepasswordchange']){
- if (is_internal_auth() || $CFG->{'auth_'.$USER->auth.'_stdchangepassword'}){
- redirect("$CFG->wwwroot/login/change_password.php");
- } elseif($CFG->changepassword) {
- redirect($CFG->changepassword);
+ if (isset($passwordchangeurl)) {
+ redirect($passwordchangeurl);
} else {
error("You cannot proceed without changing your password.
However there is no available page for changing it.
@@ -83,16 +110,39 @@
}
}
+
+
if (user_not_fully_set_up($USER)) {
- redirect("$CFG->wwwroot/user/edit.php?id=$USER->id&amp;course=".SITEID);
+ $urltogo = $CFG->wwwroot.'/user/edit.php?id='.$USER->id.'&amp;course='.SITEID;
} else if (strpos($wantsurl, $CFG->wwwroot) === 0) { /// Matches site address
- redirect($wantsurl);
+ $urltogo = $wantsurl;
} else {
- redirect("$CFG->wwwroot/"); /// Go to the standard home page
+ $urltogo = $CFG->wwwroot.'/'; /// Go to the standard home page
}
-
+
+ // check if user password has expired
+ // Currently supported only for ldap-authentication module
+ if (isset($CFG->ldap_expiration) && $CFG->ldap_expiration == 1 ) {
+ if (function_exists('auth_password_expire')){
+ $days2expire = auth_password_expire($USER->username);
+ if (intval($days2expire) > 0 && intval($days2expire) < intval($CFG->{$USER->auth.'_expiration_warning'})) {
+ print_header("$site->fullname: $loginsite", "$site->fullname", $loginsite, $focus, "", true, "<div align=\"right\">$langmenu</div>");
+ notice_yesno(get_string('auth_passwordwillexpire', 'auth', $days2expire), $passwordchangeurl, $urltogo);
+ print_footer();
+ exit;
+ } elseif (intval($days2expire) < 0 ) {
+ print_header("$site->fullname: $loginsite", "$site->fullname", $loginsite, $focus, "", true, "<div align=\"right\">$langmenu</div>");
+ notice_yesno(get_string('auth_passwordisexpired', 'auth'), $passwordchangeurl, $urltogo);
+ print_footer();
+ exit;
+ }
+ }
+ }
+
+ redirect($urltogo);
+
reset_login_count();
die;
@@ -128,25 +178,6 @@
$show_instructions = false;
}
- if (!$site = get_site()) {
- error("No site found!");
- }
-
- if (empty($CFG->langmenu)) {
- $langmenu = "";
- } else {
- $currlang = current_language();
- $langs = get_list_of_languages();
- if (empty($CFG->loginhttps)) {
- $wwwroot = $CFG->wwwroot;
- } else {
- $wwwroot = str_replace('http','https',$CFG->wwwroot);
- }
- $langmenu = popup_form ("$wwwroot/login/index.php?lang=", $langs, "chooselang", $currlang, "", "", "", true);
- }
-
- $loginsite = get_string("loginsite");
-
print_header("$site->fullname: $loginsite", "$site->fullname", $loginsite, $focus, "", true, "<div align=\"right\">$langmenu</div>");
include("index_form.html");
print_footer();
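Review bot: In the expiry check, the `intval($days2expire) < 0` branch only shows `notice_yesno()` with `$urltogo` as the "no" target, so a user whose password has already expired can decline and carry on with the login that appears to be complete by then (`$SESSION->justloggedin = true` is set above). If expiry is meant to be enforced, that branch should send the user to the change page the way the `auth_forcepasswordchange` branch does. Both expiry branches also pass `$passwordchangeurl` without the `isset($passwordchangeurl)` guard used a few lines earlier, so the variable is undefined when neither condition under "Select password change url" holds. `auth_password_expire()` returns `false` when the LDAP read fails and `intval(false)` is 0, which this code treats like "never expires"; testing `$days2expire === false` first and logging it would make a failed lookup visible instead of silently skipping the check. The enclosing login-success block starts outside this hunk.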