
Fixed bug 2012

Started work with bug 2007
Bug 1969 is partially fixed. The ldap module now supports password expiration.
Some work with bugs 761 and 1730

Changes in login/index.php
Reordered some code to make variables reusable in multiple places.
Added redirection in case of expired password
commit 089b19f63109285b3fed84bdeeb6f112cbbd86fa 1 parent 86fd04f
paca70 authored
7 auth/ldap/config.html
@@ -241,7 +241,6 @@
<tr>
<td colspan="2">
<h4><?php print_string("auth_ldap_passwdexpire_settings", "auth") ?> </h4>
- <p> NOTE! This just configuration interface for expiration, code does not support expiration yet.!</p>
</td>
</tr>
@@ -249,9 +248,9 @@
<td align="right"><P>ldap_expiration:</td>
<td>
<?php
- $expiration['internal'] = "No";
- $expiration['ldap'] = "LDAP";
- choose_from_menu($expiration, "ldap_expriration", $config->ldap_expiration, "");
+ $expiration['0'] = "No";
+ $expiration['1'] = "LDAP";
+ choose_from_menu($expiration, "ldap_expiration", $config->ldap_expiration, "");
if (isset($err["ldap_expiration"])) formerr($err["ldap_expiration"]);
?>
</td>
112 auth/ldap/lib.php
@@ -257,6 +257,40 @@ function auth_get_users($filter='*') {
return $fresult;
}
+function auth_password_expire($username) {
+// returns number of days to password expiration
+// 0 if passowrd does not expire
+// or negative value if password is already expired
+ global $CFG ;
+ $result = false;
+
+ $ldapconnection = auth_ldap_connect();
+ $user_dn = auth_ldap_find_userdn($ldapconnection, $username);
+ $search_attribs = array($CFG->ldap_expireattr);
+ $sr = ldap_read($ldapconnection, $user_dn, 'objectclass=*', $search_attribs);
+ if ($sr) {
+ $info=ldap_get_entries($ldapconnection, $sr);
+ if ( empty($info[0][strtolower($CFG->ldap_expireattr)][0])) {
+ //error_log("ldap: no expiration value".$info[0][$CFG->ldap_expireattr]);
+ // no expiration attribute, password does not expire
+ $result = 0;
+ } else {
+ $now = time();
+ $expiretime = auth_ldap_expirationtime2unix($info[0][strtolower($CFG->ldap_expireattr)][0]);
+ if ($expiretime > $now) {
+ $result = ceil(($expiretime - $now) / DAYSECS);
+ } else {
+ $result = floor(($expiretime - $now) / DAYSECS);
+ }
+ }
+ } else {
+ error_log("ldap: auth_password_expire did't find expiration time!.");
+ }
+
+ //error_log("ldap: auth_password_expire user $user_dn expires in $result days!");
+ return $result;
+}
+
function auth_sync_users ($unsafe_optimizations = false, $bulk_insert_records = 1) {
//Syncronizes userdb with ldap
//This will add, rename
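Review bot: `auth_password_expire()` returns `false` when `ldap_read()` fails, and `$user_dn` from `auth_ldap_find_userdn()` is passed to the read unchecked, yet the caller in login/index.php wraps the result in `intval()`, which turns `false` into 0, the value documented here as "password does not expire". A directory outage or an unknown user is therefore indistinguishable from a non-expiring password. Add `if (!$user_dn) { return false; }` before the read, and extend the header comment to say that `false` means the lookup failed, so callers test `=== false` before converting. The hunk runs on into `auth_sync_users`, whose body is outside it.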
@@ -545,7 +579,7 @@ function auth_ldap_init () {
global $CFG;
$default['ldap_objectclass'] = array(
- 'edir' => 'inetOrgPerson',
+ 'edir' => 'User',
'posix' => 'posixAccount',
'samba' => 'sambaSamAccount',
'ad' => 'user',
@@ -559,12 +593,28 @@ function auth_ldap_init () {
'default' => 'cn'
);
$default['ldap_memberattribute'] = array(
- 'edir' => 'groupMembership',
+ 'edir' => 'member',
'posix' => 'member',
'samba' => 'member',
'ad' => 'member', //is this right?
'default' => 'member'
);
+ $default['ldap_memberattribute_isdn'] = array(
+ 'edir' => '1',
+ 'posix' => '0',
+ 'samba' => '0', //is this right?
+ 'ad' => '0', //is this right?
+ 'default' => '0'
+ );
+ $default['ldap_expireattr'] = array (
+ 'edir' => 'passwordExpirationTime',
+ 'posix' => 'shadowExpire',
+ 'samba' => '', //No support yet
+ 'ad' => '', //No support yet
+ 'default' => ''
+ );
+
+
foreach ($default as $key => $value) {
//set defaults if overriding fields not set
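Review bot: The `posix` default `'shadowExpire'` in `$default['ldap_expireattr']` is the shadow-schema account-expiry field (the day the account is disabled), not the password age, so the warning computed from it tracks account expiry rather than password expiry. Password ageing in that schema is derived from `shadowLastChange` plus `shadowMax`. If account expiry is what is intended, state it next to the entry, e.g. `'posix' => 'shadowExpire', // account expiry date, not password ageing`. `auth_ldap_init` starts before this hunk and continues after it.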
@@ -572,7 +622,7 @@ function auth_ldap_init () {
if (!empty($CFG->ldap_user_type) && !empty($default[$key][$CFG->ldap_user_type])) {
$CFG->{$key} = $default[$key][$CFG->ldap_user_type];
}else {
- //use defaut value if user_type not set
+ //use default value if user_type not set
if(!empty($default[$key]['default'])){
$CFG->$key = $default[$key]['default'];
}else {
@@ -589,29 +639,63 @@ function auth_ldap_init () {
//all chages go in $CFG , no need to return value
}
+function auth_ldap_expirationtime2unix ($time) {
+// takes expriration timestamp readed from ldap
+// returns it as unix seconds
+// depends on $CFG->usertype variable
+
+ global $CFG;
+ $result = false;
+ switch ($CFG->ldap_user_type) {
+ case 'edir':
+ $yr=substr($time,0,4);
+ $mo=substr($time,4,2);
+ $dt=substr($time,6,2);
+ $hr=substr($time,8,2);
+ $min=substr($time,10,2);
+ $sec=substr($time,12,2);
+ $result = mktime($hr,$min,$sec,$mo,dt,$yr);
+ break;
+ case 'posix':
+ $result = $time * DAYSECS ; //The shadowExpire contains the number of DAYS between 01/01/1970 and the actual expiration date
+ break;
+ default:
+ error('CFG->ldap_user_type not defined or function auth_ldap_expirationtime2unix does not support selected type!');
+ }
+ return $result;
+}
+
function auth_ldap_isgroupmember ($username='', $groupdns='') {
// Takes username and groupdn(s) , separated by ;
// Returns true if user is member of any given groups
- global $CFG, $USER;
-
-
+ global $CFG ;
+ $result = false;
+ $ldapconnection = auth_ldap_connect();
+
if (empty($username) OR empty($groupdns)) {
- return false;
+ return $result;
}
+ if ($CFG->ldap_memberattribute_isdn) {
+ $username=auth_ldap_find_userdn($ldapconnection, $username);
+ }
+
$groups = explode(";",$groupdns);
- //build filter
- $filter = "(& ($CFG->ldap_user_attribute=$username)(|";
foreach ($groups as $group){
- $filter .= "($CFG->ldap_memberattribute=$group)";
+ $search = @ldap_read($ldapconnection, $group, '('.$CFG->ldap_memberattribute.'='.$username.')', array($CFG->ldap_memberattribute));
+ if ($search) {$info = ldap_get_entries($ldapconnection, $search);
+
+ if ($info['count'] > 0 ) {
+ // user is member of group
+ $result = true;
+ break;
+ }
+ }
}
- $filter .= "))";
- //search
- $result = auth_ldap_get_userlist($filter);
- return count($result);
+ return $result;
}
function auth_ldap_connect(){
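Review bot: In `auth_ldap_isgroupmember` the filter is built as `'('.$CFG->ldap_memberattribute.'='.$username.')'` with `$username` (or the DN looked up for it) inserted unescaped, so filter metacharacters such as `*`, `(`, `)` and `\` in the value change what the filter matches, and a group-membership decision should not depend on that. Escape the value for filter context before concatenating, e.g. `ldap_escape($username, '', LDAP_ESCAPE_FILTER)` where the PHP version provides it; the `@` on `ldap_read()` also hides failures, so a failed read looks the same as "not a member" and deserves at least an `error_log()`. Separately, in `auth_ldap_expirationtime2unix` the `mktime()` call passes `dt` without the `$`, so the parsed day is never used; it should read `$result = mktime($hr,$min,$sec,$mo,$dt,$yr);`. The header comment of that function names `$CFG->usertype` while the code reads `$CFG->ldap_user_type`.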
2  lang/en/auth.php
@@ -77,6 +77,8 @@
$string['auth_nonetitle'] = 'No authentication';
$string['auth_pamdescription'] = 'This method uses PAM to access the native usernames on this server. You have to install <a href=\"http://www.math.ohio-state.edu/~ccunning/pam_auth/\" target=\"_blank\">PHP4 PAM Authentication</a> in order to use this module.';
$string['auth_pamtitle'] = 'PAM (Pluggable Authentication Modules)';
+$string['auth_passwordwillexpire'] = 'Your password will expire in $a days. Do you want change your password now?';
+$string['auth_passwordisexpired'] = 'Your password is expired. Do you want change your password now?';
$string['auth_pop3description'] = 'This method uses a POP3 server to check whether a given username and password is valid.';
$string['auth_pop3host'] = 'The POP3 server address. Use the IP number, not DNS name.';
$string['auth_pop3mailbox'] = 'Name of the mailbox to attempt a connection with. (usually INBOX)';
85 login/index.php
@@ -20,6 +20,27 @@
notify("Could not create guest user record !!!");
}
}
+
+ //Define variables used in page
+ if (!$site = get_site()) {
+ error("No site found!");
+ }
+
+ if (empty($CFG->langmenu)) {
+ $langmenu = "";
+ } else {
+ $currlang = current_language();
+ $langs = get_list_of_languages();
+ if (empty($CFG->loginhttps)) {
+ $wwwroot = $CFG->wwwroot;
+ } else {
+ $wwwroot = str_replace('http','https',$CFG->wwwroot);
+ }
+ $langmenu = popup_form ("$wwwroot/login/index.php?lang=", $langs, "chooselang", $currlang, "", "", "", true);
+ }
+
+ $loginsite = get_string("loginsite");
+
$frm = false;
if ((!empty($SESSION->wantsurl) and strstr($SESSION->wantsurl,"username=guest")) or $loginguest) {
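Review bot: `str_replace('http','https',$CFG->wwwroot)` in the relocated language-menu block replaces every occurrence of `http`, so a `wwwroot` that already starts with `https://`, or that contains `http` elsewhere in the host or path, is rewritten into an invalid URL when `loginhttps` is on. Anchor the rewrite to the scheme, e.g. `$wwwroot = preg_replace('/^http:/', 'https:', $CFG->wwwroot);`. The code is moved rather than new, but the move is a good moment to fix it, since this URL carries the login page.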
@@ -69,13 +90,19 @@
unset($SESSION->lang);
$SESSION->justloggedin = true;
+ //Select password change url
+ if (is_internal_auth() || $CFG->{'auth_'.$USER->auth.'_stdchangepassword'}){
+ $passwordchangeurl=$CFG->wwwroot.'/login/change_password.php';
+ } elseif($CFG->changepassword) {
+ $passwordchangeurl=$CFG->changepassword;
+ }
+
+
// check whether the user should be changing password
reload_user_preferences();
if ($USER->preference['auth_forcepasswordchange']){
- if (is_internal_auth() || $CFG->{'auth_'.$USER->auth.'_stdchangepassword'}){
- redirect("$CFG->wwwroot/login/change_password.php");
- } elseif($CFG->changepassword) {
- redirect($CFG->changepassword);
+ if (isset($passwordchangeurl)) {
+ redirect($passwordchangeurl);
} else {
error("You cannot proceed without changing your password.
However there is no available page for changing it.
@@ -83,16 +110,39 @@
}
}
+
+
if (user_not_fully_set_up($USER)) {
- redirect("$CFG->wwwroot/user/edit.php?id=$USER->id&amp;course=".SITEID);
+ $urltogo = $CFG->wwwroot.'/user/edit.php?id='.$USER->id.'&amp;course='.SITEID;
} else if (strpos($wantsurl, $CFG->wwwroot) === 0) { /// Matches site address
- redirect($wantsurl);
+ $urltogo = $wantsurl;
} else {
- redirect("$CFG->wwwroot/"); /// Go to the standard home page
+ $urltogo = $CFG->wwwroot.'/'; /// Go to the standard home page
}
-
+
+ // check if user password has expired
+ // Currently supported only for ldap-authentication module
+ if (isset($CFG->ldap_expiration) && $CFG->ldap_expiration == 1 ) {
+ if (function_exists('auth_password_expire')){
+ $days2expire = auth_password_expire($USER->username);
+ if (intval($days2expire) > 0 && intval($days2expire) < intval($CFG->{$USER->auth.'_expiration_warning'})) {
+ print_header("$site->fullname: $loginsite", "$site->fullname", $loginsite, $focus, "", true, "<div align=\"right\">$langmenu</div>");
+ notice_yesno(get_string('auth_passwordwillexpire', 'auth', $days2expire), $passwordchangeurl, $urltogo);
+ print_footer();
+ exit;
+ } elseif (intval($days2expire) < 0 ) {
+ print_header("$site->fullname: $loginsite", "$site->fullname", $loginsite, $focus, "", true, "<div align=\"right\">$langmenu</div>");
+ notice_yesno(get_string('auth_passwordisexpired', 'auth'), $passwordchangeurl, $urltogo);
+ print_footer();
+ exit;
+ }
+ }
+ }
+
+ redirect($urltogo);
+
reset_login_count();
die;
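Review bot: `$passwordchangeurl` is passed to both `notice_yesno()` calls without the `isset()` guard that the forced-change path uses, so when neither branch of the earlier `if`/`elseif` assigns it, the "yes" link of the expiry notice has no target. Guard the expiry block with `if (isset($passwordchangeurl))`, or fall back to the same `error()` message as the forced-change path. The expired branch also offers `$urltogo` as the "no" target, so an expired password is only advisory here unless the directory itself refuses the bind; a comment stating that this is intended would help. The outer condition checks `$CFG->ldap_expiration` but not that `$USER->auth` is the ldap module, while the warning threshold is read from `$CFG->{$USER->auth.'_expiration_warning'}`, which looks inconsistent.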
@@ -128,25 +178,6 @@
$show_instructions = false;
}
- if (!$site = get_site()) {
- error("No site found!");
- }
-
- if (empty($CFG->langmenu)) {
- $langmenu = "";
- } else {
- $currlang = current_language();
- $langs = get_list_of_languages();
- if (empty($CFG->loginhttps)) {
- $wwwroot = $CFG->wwwroot;
- } else {
- $wwwroot = str_replace('http','https',$CFG->wwwroot);
- }
- $langmenu = popup_form ("$wwwroot/login/index.php?lang=", $langs, "chooselang", $currlang, "", "", "", true);
- }
-
- $loginsite = get_string("loginsite");
-
print_header("$site->fullname: $loginsite", "$site->fullname", $loginsite, $focus, "", true, "<div align=\"right\">$langmenu</div>");
include("index_form.html");
print_footer();