Read password policy configuration in directory

src/Ltb/Directory.php

@@ -20,16 +20,6 @@ public function getLockDate($ldap, $dn) : ?DateTime;
      */
     public function getUnlockDate($ldap, $dn, $config) : ?DateTime;
 
-    /*
-     * Lock duration (in seconds)
-     */
-    public function getLockoutDuration($ldap, $dn, $config) : ?int;
-
-    /*
-     * Can account be locked?
-     */
-    public function canLockAccount($ldap, $dn, $config) : bool;
-
     /*
      * Lock account
      */
@@ -45,11 +35,6 @@ public function unlockAccount($ldap, $dn) : bool;
      */
     public function isPasswordExpired($ldap, $dn, $config) : bool;
 
-    /*
-     * Password max age (in seconds)
-     */
-    public function getPasswordMaxAge($ldap, $dn, $config) : ?int;
-
     /*
      * Date when password will be expired
      */
@@ -84,4 +69,9 @@ public function isAccountEnabled($ldap, $dn) : bool;
      * Get LDAP date from PHP date
      */
     public function getLdapDate($date) : string;
+
+    /*
+     * Get password policy configuration
+     */
+    public function getPwdPolicyConfiguration($ldap, $entry_dn, $default_ppolicy_dn) : Array;
 }

src/Ltb/Directory/ActiveDirectory.php

@@ -75,7 +75,7 @@ public function getUnlockDate($ldap, $dn, $config) : ?DateTime {
         }
 
         # Get lockout duration
-        $lockoutDuration = $config["lockoutDuration"];
+        $lockoutDuration = $config["lockout_duration"];
 
         # Compute unlock date
         if (isset($lockoutDuration) and ($lockoutDuration > 0)) {
@@ -85,16 +85,6 @@ public function getUnlockDate($ldap, $dn, $config) : ?DateTime {
         return $unlockDate;
     }
 
-    public function getLockoutDuration($ldap, $dn, $config) : ?int {
-        return $config['lockoutDuration'];
-    }
-
-    public function canLockAccount($ldap, $dn, $config) : bool {
-
-        // Not supported by AD
-        return false;
-    }
-
     public function lockAccount($ldap, $dn) : bool {
 
         // Not supported by AD
@@ -172,7 +162,7 @@ public function getPasswordExpirationDate($ldap, $dn, $config) : ?DateTime {
         }
 
         # Get pwdMaxAge
-        $pwdMaxAge = $config["pwdMaxAge"];
+        $pwdMaxAge = $config["password_max_age"];
 
         # Compute expiration date
         if ($pwdMaxAge) {
@@ -183,10 +173,6 @@ public function getPasswordExpirationDate($ldap, $dn, $config) : ?DateTime {
         return $expirationDate;
     }
 
-    public function getPasswordMaxAge($ldap, $dn, $config) : ?int {
-        return $config['pwdMaxAge'];
-    }
-
     public function modifyPassword($ldap, $dn, $password, $forceReset) : bool {
 
         $adPassword = \Ltb\Password::make_ad_password($password);
@@ -309,4 +295,27 @@ public function isAccountEnabled($ldap, $dn) : bool {
     public function getLdapDate($date) : string {
         return \Ltb\Date::timestamp2adDate( $date->getTimeStamp() );
     }
+
+    public function getPwdPolicyConfiguration($ldap, $entry_dn, $default_ppolicy_dn) : Array {
+
+        $ppolicyConfig = array();
+
+        # Get values from default ppolicy
+        $search = \Ltb\PhpLDAP::ldap_read($ldap, $default_ppolicy_dn, "(objectClass=*)", array('lockoutDuration', 'maxPwdAge'));
+        $errno = \Ltb\PhpLDAP::ldap_errno($ldap);
+
+        if ( $errno ) {
+            error_log("LDAP - Search error $errno  (".ldap_error($ldap).")");
+            return $ppolicyConfig;
+        } else {
+            $entry = \Ltb\PhpLDAP::ldap_get_entries($ldap, $search);
+        }
+
+        $ppolicyConfig["dn"] = $entry[0]["dn"];
+        $ppolicyConfig["lockout_duration"] = $entry[0]["lockoutduration"][0] / -10000000 ;
+        $ppolicyConfig["password_max_age"] = $entry[0]["maxpwdage"][0] / -10000000;
+        $ppolicyConfig["lockout_enabled"] = false;
+
+        return $ppolicyConfig;
+    }
 }

src/Ltb/Directory/OpenLDAP.php

@@ -77,7 +77,7 @@ public function getUnlockDate($ldap, $dn, $config) : ?DateTime {
         }
 
         # Get lockout duration
-        $lockoutDuration = $config["lockoutDuration"];
+        $lockoutDuration = $config["lockout_duration"];
 
         if (isset($lockoutDuration) and ($lockoutDuration > 0)) {
             $unlockDate = date_add( $lockDate, new DateInterval('PT'.$lockoutDuration.'S'));
@@ -86,54 +86,6 @@ public function getUnlockDate($ldap, $dn, $config) : ?DateTime {
         return $unlockDate;
     }
 
-    public function getLockoutDuration($ldap, $dn, $config) : ?int {
-
-        $lockoutDuration = 0;
-
-        # If lockoutDuration is forced in config
-        if (isset($config['lockoutDuration'])) {
-            return $config['lockoutDuration'];
-        }
-
-        # Else get password policy configuration
-        $ppolicy_search = \Ltb\PhpLDAP::ldap_read($ldap, $config['pwdPolicy'], "(objectClass=*)", array('pwdlockout', 'pwdlockoutduration'));
-        $errno = \Ltb\PhpLDAP::ldap_errno($ldap);
-
-        if ( $errno ) {
-            error_log("LDAP - Search error $errno  (".ldap_error($ldap).")");
-            return $lockoutDuration;
-        } else {
-            $ppolicy_entry = \Ltb\PhpLDAP::ldap_get_entries($ldap, $ppolicy_search);
-        }
-
-        $pwdLockout = strtolower($ppolicy_entry[0]['pwdlockout'][0]) == "true" ? true : false;
-        $pwdLockoutDuration = $ppolicy_entry[0]['pwdlockoutduration'][0];
-
-        if ($pwdLockout) {
-            $lockoutDuration = $pwdLockoutDuration;
-        }
-
-        return $lockoutDuration;
-    }
-
-    public function canLockAccount($ldap, $dn, $config) : bool {
-
-        # Search password policy
-        $ppolicy_search = \Ltb\PhpLDAP::ldap_read($ldap, $config['pwdPolicy'], "(objectClass=*)", array('pwdlockout'));
-        $errno = \Ltb\PhpLDAP::ldap_errno($ldap);
-
-        if ( $errno ) {
-            error_log("LDAP - Search error $errno  (".ldap_error($ldap).")");
-            return false;
-        } else {
-            $ppolicy_entry = \Ltb\PhpLDAP::ldap_get_entries($ldap, $ppolicy_search);
-        }
-
-        $pwdLockout = strtolower($ppolicy_entry[0]['pwdlockout'][0]) == "true" ? true : false;
-
-        return $pwdLockout;
-    }
-
     public function lockAccount($ldap, $dn) : bool {
 
         $modification = \Ltb\PhpLdap::ldap_mod_replace($ldap, $dn, array("pwdAccountLockedTime" => array("000001010000Z")));
@@ -218,7 +170,7 @@ public function getPasswordExpirationDate($ldap, $dn, $config) : ?DateTime {
         }
 
         # Get pwdMaxAge
-        $pwdMaxAge = $config["pwdMaxAge"];
+        $pwdMaxAge = $config["password_max_age"];
 
         # Compute expiration date
         if ($pwdMaxAge) {
@@ -229,33 +181,6 @@ public function getPasswordExpirationDate($ldap, $dn, $config) : ?DateTime {
         return $expirationDate;
     }
 
-    public function getPasswordMaxAge($ldap, $dn, $config) : ?int {
-
-        $pwdMaxAge = 0;
-
-        # If pwdMaxAge is forced in config
-        if (isset($config['pwdMaxAge'])) {
-            return $config['pwdMaxAge'];
-        }
-
-        # Else get password policy configuration
-        $ppolicy_search = \Ltb\PhpLDAP::ldap_read($ldap, $config['pwdPolicy'], "(objectClass=*)", array('pwdmaxage'));
-        $errno = \Ltb\PhpLDAP::ldap_errno($ldap);
-
-        if ( $errno ) {
-            error_log("LDAP - Search error $errno  (".ldap_error($ldap).")");
-            return $pwdMaxAge;
-        } else {
-            $ppolicy_entry = \Ltb\PhpLDAP::ldap_get_entries($ldap, $ppolicy_search);
-        }
-
-        if ( $ppolicy_entry[0]['pwdmaxage'] ) {
-            $pwdMaxAge =  $ppolicy_entry[0]['pwdmaxage'][0];
-        }
-
-        return $pwdMaxAge;
-    }
-
     public function modifyPassword($ldap, $dn, $password, $forceReset) : bool {
 
         $changes = array('userPassword' => $password);
@@ -313,4 +238,41 @@ public function isAccountEnabled($ldap, $dn) : bool {
     public function getLdapDate($date) : string {
         return \Ltb\Date::string2ldapDate( $date->format('d/m/Y') );
     }
+
+    public function getPwdPolicyConfiguration($ldap, $entry_dn, $default_ppolicy_dn) : Array {
+
+        $ppolicyConfig = array();
+
+        # Check pwdPolicySubEntry
+        $search_user = \Ltb\PhpLDAP::ldap_read($ldap, $entry_dn, "(objectClass=*)", array('pwdpolicysubentry'));
+        $errno = \Ltb\PhpLDAP::ldap_errno($ldap);
+
+        if ( $errno ) {
+            error_log("LDAP - Search error $errno  (".ldap_error($ldap).")");
+            return $ppolicyConfig;
+        } else {
+            $user_entry = \Ltb\PhpLDAP::ldap_get_entries($ldap, $search_user);
+        }
+
+        $ppolicy_dn = $user_entry[0]['pwdpolicysubentry'] ? $user_entry[0]['pwdpolicysubentry'][0] : $default_ppolicy_dn;
+
+        # Get values from ppolicy
+        $search = \Ltb\PhpLDAP::ldap_read($ldap, $ppolicy_dn, "(objectClass=pwdPolicy)", array('pwdLockoutDuration', 'pwdMaxAge', 'pwdLockout'));
+        $errno = \Ltb\PhpLDAP::ldap_errno($ldap);
+
+        if ( $errno ) {
+            error_log("LDAP - Search error $errno  (".ldap_error($ldap).")");
+            return $ppolicyConfig;
+        } else {
+            $entry = \Ltb\PhpLDAP::ldap_get_entries($ldap, $search);
+        }
+
+        $ppolicyConfig["dn"] = $entry[0]["dn"];
+        $ppolicyConfig["lockout_duration"] = $entry[0]["pwdlockoutduration"][0];
+        $ppolicyConfig["password_max_age"] = $entry[0]["pwdmaxage"][0];
+        $ppolicyConfig["lockout_enabled"] = strtolower($entry[0]['pwdlockout'][0]) == "true" ? true : false;
+
+        return $ppolicyConfig;
+    }
+
 }