Merge branch 'master' into 168-add-hooks-for-other-actions-than-passw…

…ord-modification
ltb-project · Nov 5, 2024 · 01a41dc · 01a41dc
2 parents 30b8f45 + 7d7599a
commit 01a41dc
Show file tree

Hide file tree

Showing 23 changed files with 387 additions and 182 deletions.
diff --git a/conf/config.inc.php b/conf/config.inc.php
@@ -86,13 +86,17 @@
     'pwdfailuretime' => array( 'attribute' => 'pwdfailuretime', 'faclass' => 'lock', 'type' => 'date' ),
     'pwdlastsuccess' => array( 'attribute' => 'pwdlastsuccess', 'faclass' => 'lock', 'type' => 'date' ),
     'pwdpolicysubentry' => array( 'attribute' => 'pwdpolicysubentry', 'faclass' => 'lock', 'type' => 'ppolicy_dn' ),
+    'pwdgraceusetime' => array( 'attribute' => ' pwdgraceusetime', 'faclass' => 'lock', 'type' => 'date' ),
+    'starttime' => array( 'attribute' => ' pwdstarttime', 'faclass' => 'lock', 'type' => 'date' ),
+    'endtime' => array( 'attribute' => ' pwdendtime', 'faclass' => 'lock', 'type' => 'date' ),
 );
 $activedirectory_attributes_map = array(
     'authtimestamp' => array( 'attribute' => 'lastlogon', 'faclass' => 'lock', 'type' => 'ad_date' ),
     'identifier' => array( 'attribute' => 'samaccountname', 'faclass' => 'user-o', 'type' => 'text' ),
     'pwdaccountlockedtime' => array( 'attribute' => 'lockouttime', 'faclass' => 'lock', 'type' => 'ad_date' ),
     'pwdchangedtime' => array( 'attribute' => 'pwdlastset', 'faclass' => 'lock', 'type' => 'ad_date' ),
     'pwdfailuretime' => array( 'attribute' => 'badpasswordtime', 'faclass' => 'lock', 'type' => 'ad_date' ),
+    'endtime' => array( 'attribute' => 'accountexpires', 'faclass' => 'lock', 'type' => 'ad_date' ),
 );
 
 # Search
@@ -112,7 +116,7 @@
 $display_items = array('identifier', 'firstname', 'lastname', 'title', 'businesscategory', 'employeenumber', 'employeetype', 'mail', 'mailquota', 'phone', 'mobile', 'fax', 'postaladdress', 'street', 'postalcode', 'l', 'state', 'organizationalunit', 'organization', 'manager', 'secretary' );
 $display_title = "fullname";
 $display_show_undefined = false;
-$display_password_items = array('pwdchangedtime', 'pwdfailuretime','pwdpolicysubentry', 'authtimestamp', 'pwdlastsuccess', 'created', 'modified');
+$display_password_items = array('pwdchangedtime', 'pwdfailuretime','pwdpolicysubentry', 'authtimestamp', 'pwdlastsuccess', 'pwdgraceusetime', 'starttime', 'endtime', 'created', 'modified');
 $display_password_expiration_date = true;
 
 # Features
@@ -137,6 +141,8 @@
 
 $use_searchlocked = true;
 
+$use_searchdisabled = true;
+
 $use_searchexpired = true;
 
 $use_searchwillexpire = true;
@@ -149,6 +155,12 @@
 $use_disableaccount = false;
 $show_enablestatus = false;
 
+$use_enablecomment = false;
+$use_enablecomment_required = false;
+$use_disablecomment = false;
+$use_disablecomment_required = false;
+
+
 # Local password policy
 # This is applied before directory password policy
 # Minimal length

diff --git a/docs/enableaccount.rst b/docs/enableaccount.rst
@@ -31,3 +31,25 @@ To enable this feature:
 .. code-block:: php
 
     $use_disableaccount = true;
+
+Insert comment
+--------------
+
+This feature displays a comment pop-up when enabling and disabling user accounts.
+
+To enable this feature:
+
+.. code-block:: php
+
+    $use_enablecomment = true;
+    $use_disablecomment = true;
+
+Comment required
+----------------
+
+This feature ensures a comment is required before enabling/disabling a user.
+
+.. code-block:: php
+
+    $use_enablecomment_required = true;
+    $use_disablecomment_required = true;
diff --git a/htdocs/checkpassword.php b/htdocs/checkpassword.php
@@ -30,21 +30,29 @@
     $ldap = $ldap_connection[0];
     $result = $ldap_connection[1];
 
-    if ($use_checkpasswordhistory) {
-        $password_history = $ldapInstance->get_attribute_values($dn, "pwdHistory");
-        foreach ($password_history as $previous_password) {
-            preg_match("/(?<={).*(?=})/", $previous_password, $algorithm);
-            preg_match("/{(?<={).*/", $previous_password, $hash);
-            if (\Ltb\Password::check_password($password, $hash[0], $algorithm[0])) {
-                $result = "passwordinhistory";
+    # DN match
+    if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {
+        $result = "noentriesfound";
+        error_log("LDAP - $dn not found using the configured search settings, reject request");
+    } else {
+
+        if ($use_checkpasswordhistory) {
+            $password_history = $ldapInstance->get_attribute_values($dn, "pwdHistory");
+            foreach ($password_history as $previous_password) {
+                preg_match("/(?<={).*(?=})/", $previous_password, $algorithm);
+                preg_match("/{(?<={).*/", $previous_password, $hash);
+                if (\Ltb\Password::check_password($password, $hash[0], $algorithm[0])) {
+                    $result = "passwordinhistory";
+                }
             }
         }
-    }
-    if (!$result) {
-        $bind = ldap_bind($ldap, $dn, $password);
-        $result = $bind ? "passwordok" : "ldaperror";
-    }
 
+        if (!$result) {
+            $bind = ldap_bind($ldap, $dn, $password);
+            $result = $bind ? "passwordok" : "ldaperror";
+        }
+
+    }
 }
 
 if ($audit_log_file) {

diff --git a/htdocs/disableaccount.php b/htdocs/disableaccount.php
@@ -6,13 +6,24 @@
 $result = "";
 $dn = "";
 $password = "";
+$comment = "";
+$returnto = "display";
+
+if (isset($_POST["returnto"]) and $_POST["returnto"]) {
+    $returnto = $_POST["returnto"];
+}
 
 if (isset($_POST["dn"]) and $_POST["dn"]) {
     $dn = $_POST["dn"];
 } else {
     $result = "dnrequired";
 }
 
+if (isset($_POST["comment"]) and $_POST["comment"]) {
+    $comment = $_POST["comment"];
+}
+
+
 if (!$use_disableaccount) {
     $result = "actionforbidden";
 }
@@ -28,7 +39,11 @@
     $ldap = $ldap_connection[0];
     $result = $ldap_connection[1];
 
-    if ($ldap) {
+    # DN match
+    if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {
+        $result = "noentriesfound";
+        error_log("LDAP - $dn not found using the configured search settings, reject request");
+    } else {
         if ( $directory->disableAccount($ldap, $dn) ) {
             $result = "accountdisabled";
         } else {
@@ -38,7 +53,7 @@
 }
 
 if ($audit_log_file) {
-    auditlog($audit_log_file, $dn, $audit_admin, "disableaccount", $result);
+    auditlog($audit_log_file, $dn, $audit_admin, "disableaccount", $result, $comment);
 }
 
-header('Location: index.php?page=display&dn='.$dn.'&disableaccountresult='.$result);
+header('Location: index.php?page='.$returnto.'&dn='.$dn.'&disableaccountresult='.$result);
diff --git a/htdocs/display.php b/htdocs/display.php
@@ -84,6 +84,12 @@
 
     if ($ldap) {
 
+        # DN match
+        if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {
+            $result = "noentriesfound";
+            error_log("LDAP - $dn not found using the configured search settings, reject request");
+        } else {
+
         # Search attributes
         $attributes = array();
         $search_items = array_merge($display_items, $display_password_items);
@@ -100,8 +106,8 @@
             $result = "ldaperror";
             error_log("LDAP - Search error $errno  (".ldap_error($ldap).")");
         } else {
-            $entry = ldap_get_entries($ldap, $search);
-        }
+
+        $entry = ldap_get_entries($ldap, $search);
 
         # Sort attributes values
         foreach ($entry[0] as $attr => $values) {
@@ -116,8 +122,8 @@
 
         # Get password policy configuration
         $pwdPolicyConfiguration = $directory->getPwdPolicyConfiguration($ldap, $dn, $ldap_default_ppolicy);
-        if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_durantion; }
-        if ($ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; }
+        if (isset($ldap_lockout_duration) and $ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_duration; }
+        if (isset($ldap_password_max_age) and $ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; }
 
         if ($display_edit_link) {
             # Replace {dn} in URL
@@ -138,7 +144,7 @@
             $isAccountEnabled = $directory->isAccountEnabled($ldap, $dn);
         }
 
-    }
+    }}}
 }
 
 $smarty->assign("entry", $entry[0]);

diff --git a/htdocs/enableaccount.php b/htdocs/enableaccount.php
@@ -5,16 +5,27 @@
 
 $result = "";
 $dn = "";
-$password = "";
+$comment = "";
+$returnto = "display";
+
+if (isset($_POST["returnto"]) and $_POST["returnto"]) {
+    $returnto = $_POST["returnto"];
+}
 
 if (isset($_POST["dn"]) and $_POST["dn"]) {
     $dn = $_POST["dn"];
+} else if (isset($_GET["dn"]) and $_GET["dn"]) {
+    $dn = $_GET["dn"];
 } else {
     $result = "dnrequired";
 }
 
-if (!$use_enableaccount) {
-    $result = "actionforbidden";
+if (isset($_GET["returnto"]) and $_GET["returnto"]) {
+    $returnto = $_GET["returnto"];
+}
+
+if (isset($_POST["comment"]) and $_POST["comment"]) {
+    $comment = $_POST["comment"];
 }
 
 if ($result === "") {
@@ -28,7 +39,11 @@
     $ldap = $ldap_connection[0];
     $result = $ldap_connection[1];
 
-    if ($ldap) {
+    # DN match
+    if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {
+        $result = "noentriesfound";
+        error_log("LDAP - $dn not found using the configured search settings, reject request");
+    } else {
         if ( $directory->enableAccount($ldap, $dn) ) {
             $result = "accountenabled";
         } else {
@@ -38,7 +53,7 @@
 }
 
 if ($audit_log_file) {
-    auditlog($audit_log_file, $dn, $audit_admin, "enableaccount", $result);
+    auditlog($audit_log_file, $dn, $audit_admin, "enableaccount", $result, $comment);
 }
 
-header('Location: index.php?page=display&dn='.$dn.'&enableaccountresult='.$result);
+header('Location: index.php?page='.$returnto.'&dn='.$dn.'&enableaccountresult='.$result);
diff --git a/htdocs/index.php b/htdocs/index.php
@@ -18,12 +18,11 @@
 #==============================================================================
 # Language
 #==============================================================================
-require_once("../lib/detectbrowserlanguage.php");
 # Available languages
 $files = glob("../lang/*.php");
 $languages = str_replace(".inc.php", "", $files);
 $languages = str_replace("../lang/", "", $languages);
-$lang = detectLanguage($lang, $allowed_lang ? array_intersect($languages, $allowed_lang) : $languages);
+$lang = \Ltb\Language::detect_language($lang, $allowed_lang ? array_intersect($languages,$allowed_lang) : $languages);
 require_once("../lang/$lang.inc.php");
 if (file_exists("../conf/$lang.inc.php")) {
     require_once("../conf/$lang.inc.php");
@@ -86,6 +85,8 @@
   break;
 }
 
+$dnAttribute = $directory->getDnAttribute();
+
 #==============================================================================
 # Other default values
 #==============================================================================
@@ -131,6 +132,12 @@
 $smarty->setCompileDir($compile_dir);
 $smarty->setCacheDir($cache_dir);
 $smarty->debugging = $smarty_debug;
+function sha256($string)
+{
+    return hash("sha256",$string);
+}
+$smarty->registerPlugin("modifier","sha256", "sha256");
+$smarty->registerPlugin("modifier","is_array", "is_array");
 
 if(isset($smarty_debug) && $smarty_debug == true )
 {
@@ -179,6 +186,7 @@
 $smarty->assign('show_expirestatus',$show_expirestatus);
 $smarty->assign('display_password_expiration_date',$display_password_expiration_date);
 $smarty->assign('use_searchlocked',$use_searchlocked);
+$smarty->assign('use_searchdisabled',$use_searchdisabled);
 $smarty->assign('use_searchexpired',$use_searchexpired);
 $smarty->assign('use_searchwillexpire',$use_searchwillexpire);
 $smarty->assign('use_searchidle',$use_searchidle);
@@ -187,6 +195,10 @@
 $smarty->assign('use_enableaccount',$use_enableaccount);
 $smarty->assign('use_disableaccount',$use_disableaccount);
 $smarty->assign('show_enablestatus',$show_enablestatus);
+$smarty->assign('use_enablecomment',$use_enablecomment);
+$smarty->assign('use_enablecomment_required',$use_enablecomment_required);
+$smarty->assign('use_disablecomment',$use_disablecomment);
+$smarty->assign('use_disablecomment_required',$use_disablecomment_required);
 
 
 # Assign messages
@@ -241,7 +253,9 @@
 if ( $page === "checkpassword" and !$use_checkpassword ) { $page = "welcome"; }
 if ( $page === "resetpassword" and !$use_resetpassword ) { $page = "welcome"; }
 if ( $page === "unlockaccount" and !$use_unlockaccount ) { $page = "welcome"; }
+if ( $page === "enableaccount" and !$use_enableaccount ) { $page = "welcome"; }
 if ( $page === "searchlocked" and !$use_searchlocked ) { $page = "welcome"; }
+if ( $page === "searchdisabled" and !$use_searchdisabled ) { $page = "welcome"; }
 if ( $page === "searchexpired" and !$use_searchexpired ) { $page = "welcome"; }
 if ( $page === "searchwillexpire" and !$use_searchwillexpire ) { $page = "welcome"; }
 if ( $page === "searchidle" and !$use_searchidle ) { $page = "welcome"; }