Fixed bug 2012

Started work with bug 2007
Bug 1969 is partially fixed. ldap-module now supports password expiration.
Some work with bugs 761 and 1730

Changes in login/index.php
Reordered some code to make variables reusable in multiple places.
Added redirection in case of expired password
commit 089b19f63109285b3fed84bdeeb6f112cbbd86fa 1 parent 86fd04f
authored
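--- a/auth/ldap/config.html
+++ b/auth/ldap/config.html
@@ -241,7 +241,6 @@
 <tr>
    <td colspan="2">
         <h4><?php print_string("auth_ldap_passwdexpire_settings", "auth") ?> </h4>
-        <p> NOTE! This just configuration interface for expiration, code does not support expiration yet.!</p>
    </td>
 </tr>
 
@@ -249,9 +248,9 @@
     <td align="right"><P>ldap_expiration:</td>
     <td>
     <?php
-       $expiration['internal'] = "No";
-       $expiration['ldap'] = "LDAP";
-       choose_from_menu($expiration, "ldap_expriration", $config->ldap_expiration, "");
+       $expiration['0'] = "No";
+       $expiration['1'] = "LDAP";
+       choose_from_menu($expiration, "ldap_expiration", $config->ldap_expiration, "");
        if (isset($err["ldap_expiration"])) formerr($err["ldap_expiration"]); 
     ?>
     </td>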
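--- a/auth/ldap/lib.php
+++ b/auth/ldap/lib.php
@@ -257,6 +257,40 @@ function auth_get_users($filter='*') {
     return $fresult;
 }
 
+function auth_password_expire($username) {
+// returns number of days to password expiration
+// 0 if passowrd does not expire
+// or negative value if password is already expired
+    global $CFG ;
+    $result = false;
+    
+    $ldapconnection = auth_ldap_connect();
+    $user_dn = auth_ldap_find_userdn($ldapconnection, $username);
+    $search_attribs = array($CFG->ldap_expireattr);
+    $sr = ldap_read($ldapconnection, $user_dn, 'objectclass=*', $search_attribs);
+    if ($sr)  {
+        $info=ldap_get_entries($ldapconnection, $sr);
+        if ( empty($info[0][strtolower($CFG->ldap_expireattr)][0])) {
+            //error_log("ldap: no expiration value".$info[0][$CFG->ldap_expireattr]);
+            // no expiration attribute, password does not expire
+            $result = 0;
+        } else {
+            $now = time();
+            $expiretime = auth_ldap_expirationtime2unix($info[0][strtolower($CFG->ldap_expireattr)][0]);
+            if ($expiretime > $now) {
+                $result = ceil(($expiretime - $now) / DAYSECS);
+            } else {
+                $result = floor(($expiretime - $now) / DAYSECS);
+            }    
+        }
+    } else {    
+        error_log("ldap: auth_password_expire did't find expiration time!.");
+    }    
+
+    //error_log("ldap: auth_password_expire user $user_dn expires in $result days!");
+    return $result;
+}
+
 function auth_sync_users ($unsafe_optimizations = false, $bulk_insert_records = 1) {
 //Syncronizes userdb with ldap
 //This will add, rename 
@@ -545,7 +579,7 @@ function auth_ldap_init () {
 
     global $CFG;
     $default['ldap_objectclass'] = array(
-                        'edir' => 'inetOrgPerson',
+                        'edir' => 'User',
                         'posix' => 'posixAccount',
                         'samba' => 'sambaSamAccount',
                         'ad' => 'user',
@@ -559,12 +593,28 @@ function auth_ldap_init () {
                         'default' => 'cn'
                         );
     $default['ldap_memberattribute'] = array(
-                        'edir' => 'groupMembership',
+                        'edir' => 'member',
                         'posix' => 'member',
                         'samba' => 'member',
                         'ad' => 'member', //is this right?
                         'default' => 'member'
                         );
+    $default['ldap_memberattribute_isdn'] = array(
+                        'edir' => '1',
+                        'posix' => '0',
+                        'samba' => '0', //is this right?
+                        'ad' => '0', //is this right?
+                        'default' => '0'
+                        );
+    $default['ldap_expireattr'] = array (
+                        'edir' => 'passwordExpirationTime',
+                        'posix' => 'shadowExpire',
+                        'samba' => '', //No support yet
+                        'ad' => '', //No support yet
+                        'default' => ''
+                        );
+  
+
 
     foreach ($default as $key => $value) {
         //set defaults if overriding fields not set
@@ -572,7 +622,7 @@ function auth_ldap_init () {
             if (!empty($CFG->ldap_user_type) && !empty($default[$key][$CFG->ldap_user_type])) {
                 $CFG->{$key} = $default[$key][$CFG->ldap_user_type];
             }else {
-                //use defaut value if user_type not set
+                //use default value if user_type not set
                 if(!empty($default[$key]['default'])){
                     $CFG->$key = $default[$key]['default'];
                 }else {
@@ -589,29 +639,63 @@ function auth_ldap_init () {
     //all chages go in $CFG , no need to return value
 }
 
+function auth_ldap_expirationtime2unix ($time) {
+// takes expriration timestamp readed from ldap
+// returns it as unix seconds
+// depends on $CFG->usertype variable
+
+    global $CFG;
+    $result = false;
+    switch ($CFG->ldap_user_type) {
+        case 'edir':
+            $yr=substr($time,0,4);
+            $mo=substr($time,4,2);
+            $dt=substr($time,6,2);
+            $hr=substr($time,8,2);
+            $min=substr($time,10,2);
+            $sec=substr($time,12,2);
+            $result = mktime($hr,$min,$sec,$mo,dt,$yr); 
+            break;
+        case 'posix':
+            $result = $time * DAYSECS ; //The shadowExpire contains the number of DAYS between 01/01/1970 and the actual expiration date
+            break;
+        default:  
+            error('CFG->ldap_user_type not defined or function auth_ldap_expirationtime2unix does not support selected type!');
+    }        
+    return $result;
+}
+
 function auth_ldap_isgroupmember ($username='', $groupdns='') {
 // Takes username and groupdn(s) , separated by ;
 // Returns true if user is member of any given groups
 
-    global $CFG, $USER;
-
-   
+    global $CFG ;
+    $result = false;
+    $ldapconnection = auth_ldap_connect();
+    
     if (empty($username) OR empty($groupdns)) {
-        return false;
+        return $result;
     }
     
+    if ($CFG->ldap_memberattribute_isdn) {
+        $username=auth_ldap_find_userdn($ldapconnection, $username);
+    }
+
     $groups = explode(";",$groupdns);
 
-    //build filter
-    $filter = "(& ($CFG->ldap_user_attribute=$username)(|";
     foreach ($groups as $group){
-        $filter .= "($CFG->ldap_memberattribute=$group)";
+        $search = @ldap_read($ldapconnection, $group,  '('.$CFG->ldap_memberattribute.'='.$username.')', array($CFG->ldap_memberattribute));
+        if ($search) {$info = ldap_get_entries($ldapconnection, $search);
+        
+            if ($info['count'] > 0 ) {
+                // user is member of group
+                $result = true;
+                break;
+            }
+        }    
     }
-    $filter .= "))";
-    //search
-    $result = auth_ldap_get_userlist($filter);
    
-    return count($result);
+    return $result;
 
 }
 function auth_ldap_connect(){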
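Review bot: `mktime($hr,$min,$sec,$mo,dt,$yr)` in auth_ldap_expirationtime2unix passes the bare name `dt` instead of `$dt`, so the day-of-month extracted two lines earlier is never used and every eDirectory expiry is computed against a wrong date; the line should read `$result = mktime($hr,$min,$sec,$mo,$dt,$yr);`. If passwordExpirationTime is an LDAP GeneralizedTime in UTC (the usual trailing `Z` form), gmmktime() rather than the local-timezone mktime() is the right conversion, and for the posix case a shadowExpire of -1 conventionally means "never expires" but is turned into a negative (already expired) timestamp here — both worth confirming against the directories in use. In auth_ldap_isgroupmember the filter `'('.$CFG->ldap_memberattribute.'='.$username.')'` still inserts the username, or the value returned by auth_ldap_find_userdn (which may be false), into an LDAP search filter unescaped, so the filter metacharacters `*`, `(`, `)`, `\` and NUL should be escaped and a false DN rejected before the ldap_read call; the `@` on that call also hides the errors a malformed filter would raise. Neither new function releases the connection obtained from auth_ldap_connect(), and in auth_ldap_init the new `'0'` values for ldap_memberattribute_isdn never pass the `!empty()` checks, so whether `$CFG->ldap_memberattribute_isdn` is set at all for non-edir types depends on the else branch that lies outside this hunk.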
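--- a/lang/en/auth.php
+++ b/lang/en/auth.php
@@ -77,6 +77,8 @@
 $string['auth_nonetitle'] = 'No authentication';
 $string['auth_pamdescription'] = 'This method uses PAM to access the native usernames on this server. You have to install <a href=\"http://www.math.ohio-state.edu/~ccunning/pam_auth/\" target=\"_blank\">PHP4 PAM Authentication</a> in order to use this module.';
 $string['auth_pamtitle'] = 'PAM (Pluggable Authentication Modules)';
+$string['auth_passwordwillexpire'] = 'Your password will expire in $a days. Do you want change your password now?';
+$string['auth_passwordisexpired'] = 'Your password is expired. Do you want change your password now?';
 $string['auth_pop3description'] = 'This method uses a POP3 server to check whether a given username and password is valid.';
 $string['auth_pop3host'] = 'The POP3 server address. Use the IP number, not DNS name.';
 $string['auth_pop3mailbox'] = 'Name of the mailbox to attempt a connection with.  (usually INBOX)';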
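--- a/login/index.php
+++ b/login/index.php
@@ -20,6 +20,27 @@
             notify("Could not create guest user record !!!");
         }
     }
+    
+    //Define variables used in page
+    if (!$site = get_site()) {
+        error("No site found!");
+    }
+
+    if (empty($CFG->langmenu)) {
+        $langmenu = "";
+    } else {
+        $currlang = current_language();
+        $langs    = get_list_of_languages();
+        if (empty($CFG->loginhttps)) {
+            $wwwroot = $CFG->wwwroot;
+        } else {
+            $wwwroot = str_replace('http','https',$CFG->wwwroot);
+        }
+        $langmenu = popup_form ("$wwwroot/login/index.php?lang=", $langs, "chooselang", $currlang, "", "", "", true);
+    }
+
+    $loginsite = get_string("loginsite");
+
 
     $frm = false;
     if ((!empty($SESSION->wantsurl) and strstr($SESSION->wantsurl,"username=guest")) or $loginguest) {
@@ -69,13 +90,19 @@
             unset($SESSION->lang);
             $SESSION->justloggedin = true;
 
+            //Select password change url
+            if (is_internal_auth() || $CFG->{'auth_'.$USER->auth.'_stdchangepassword'}){
+                $passwordchangeurl=$CFG->wwwroot.'/login/change_password.php';
+            } elseif($CFG->changepassword) {
+                $passwordchangeurl=$CFG->changepassword;
+            } 
+            
+
             // check whether the user should be changing password
             reload_user_preferences();
             if ($USER->preference['auth_forcepasswordchange']){
-                if (is_internal_auth() || $CFG->{'auth_'.$USER->auth.'_stdchangepassword'}){
-                    redirect("$CFG->wwwroot/login/change_password.php");
-                } elseif($CFG->changepassword) {
-                    redirect($CFG->changepassword);
+                if (isset($passwordchangeurl)) {
+                    redirect($passwordchangeurl);
                 } else {
                     error("You cannot proceed without changing your password. 
                            However there is no available page for changing it.
@@ -83,16 +110,39 @@
                 }
             }
 
+            
+            
             if (user_not_fully_set_up($USER)) {
-                redirect("$CFG->wwwroot/user/edit.php?id=$USER->id&amp;course=".SITEID);
+                $urltogo = $CFG->wwwroot.'/user/edit.php?id='.$USER->id.'&amp;course='.SITEID;
 
             } else if (strpos($wantsurl, $CFG->wwwroot) === 0) {   /// Matches site address
-                redirect($wantsurl);
+                $urltogo = $wantsurl;
 
             } else {
-                redirect("$CFG->wwwroot/");      /// Go to the standard home page
+                $urltogo = $CFG->wwwroot.'/';      /// Go to the standard home page
             }
-    
+
+            // check if user password has expired
+            // Currently supported only for ldap-authentication module
+            if (isset($CFG->ldap_expiration) && $CFG->ldap_expiration == 1 ) {
+                if (function_exists('auth_password_expire')){
+                    $days2expire = auth_password_expire($USER->username);
+                    if (intval($days2expire) > 0 && intval($days2expire) < intval($CFG->{$USER->auth.'_expiration_warning'})) {
+                        print_header("$site->fullname: $loginsite", "$site->fullname", $loginsite, $focus, "", true, "<div align=\"right\">$langmenu</div>"); 
+                        notice_yesno(get_string('auth_passwordwillexpire', 'auth', $days2expire), $passwordchangeurl, $urltogo); 
+                        print_footer();
+                        exit;
+                    } elseif (intval($days2expire) < 0 ) {
+                        print_header("$site->fullname: $loginsite", "$site->fullname", $loginsite, $focus, "", true, "<div align=\"right\">$langmenu</div>"); 
+                        notice_yesno(get_string('auth_passwordisexpired', 'auth'), $passwordchangeurl, $urltogo);
+                        print_footer();
+                        exit;
+                    }    
+                }
+            }
+
+            redirect($urltogo);
+            
             reset_login_count();
 
             die;
@@ -128,25 +178,6 @@
         $show_instructions = false;
     }
     
-    if (!$site = get_site()) {
-        error("No site found!");
-    }
-
-    if (empty($CFG->langmenu)) {
-        $langmenu = "";
-    } else {
-        $currlang = current_language();
-        $langs    = get_list_of_languages();
-        if (empty($CFG->loginhttps)) {
-            $wwwroot = $CFG->wwwroot;
-        } else {
-            $wwwroot = str_replace('http','https',$CFG->wwwroot);
-        }
-        $langmenu = popup_form ("$wwwroot/login/index.php?lang=", $langs, "chooselang", $currlang, "", "", "", true);
-    }
-
-    $loginsite = get_string("loginsite");
-
     print_header("$site->fullname: $loginsite", "$site->fullname", $loginsite, $focus, "", true, "<div align=\"right\">$langmenu</div>"); 
     include("index_form.html");
     print_footer();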
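Review bot: Both `notice_yesno(..., $passwordchangeurl, $urltogo)` calls in the expiry block read `$passwordchangeurl`, but the earlier hunk assigns it only for internal/stdchangepassword auth or when `$CFG->changepassword` is set, so for any other configuration the "yes" link is an undefined variable and an empty URL; the block should either guard the prompt with the same `isset($passwordchangeurl)` test the forced-change path uses, or fall back with `if (!isset($passwordchangeurl)) { $passwordchangeurl = $urltogo; }` before the check. The expired-password branch is a yes/no prompt whose "no" continues to `$urltogo`, so an expired LDAP password is advisory here rather than enforced — if that is intended, a comment such as `// expiry is advisory; enforcement is left to the directory` on the `elseif (intval($days2expire) < 0 )` line would make it explicit. The `exit` in both branches bypasses the `reset_login_count()` call that follows `redirect($urltogo)`, which may or may not matter depending on whether redirect() itself returns. `$focus` is passed to print_header in these branches but is not assigned in any visible hunk — presumably set earlier in the file, worth confirming; the enclosing login block starts and ends outside these hunks.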
