diff --git a/conf/config.inc.php b/conf/config.inc.php index 7ddcb2b..9a50322 100644 --- a/conf/config.inc.php +++ b/conf/config.inc.php @@ -86,6 +86,9 @@ 'pwdfailuretime' => array( 'attribute' => 'pwdfailuretime', 'faclass' => 'lock', 'type' => 'date' ), 'pwdlastsuccess' => array( 'attribute' => 'pwdlastsuccess', 'faclass' => 'lock', 'type' => 'date' ), 'pwdpolicysubentry' => array( 'attribute' => 'pwdpolicysubentry', 'faclass' => 'lock', 'type' => 'ppolicy_dn' ), + 'pwdgraceusetime' => array( 'attribute' => ' pwdgraceusetime', 'faclass' => 'lock', 'type' => 'date' ), + 'starttime' => array( 'attribute' => ' pwdstarttime', 'faclass' => 'lock', 'type' => 'date' ), + 'endtime' => array( 'attribute' => ' pwdendtime', 'faclass' => 'lock', 'type' => 'date' ), ); $activedirectory_attributes_map = array( 'authtimestamp' => array( 'attribute' => 'lastlogon', 'faclass' => 'lock', 'type' => 'ad_date' ), @@ -93,6 +96,7 @@ 'pwdaccountlockedtime' => array( 'attribute' => 'lockouttime', 'faclass' => 'lock', 'type' => 'ad_date' ), 'pwdchangedtime' => array( 'attribute' => 'pwdlastset', 'faclass' => 'lock', 'type' => 'ad_date' ), 'pwdfailuretime' => array( 'attribute' => 'badpasswordtime', 'faclass' => 'lock', 'type' => 'ad_date' ), + 'endtime' => array( 'attribute' => 'accountexpires', 'faclass' => 'lock', 'type' => 'ad_date' ), ); # Search 
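Review bot: The three attribute names added to the OpenLDAP map carry a leading space (`' pwdgraceusetime'`, `' pwdstarttime'`, `' pwdendtime'`), so whatever builds the search attribute list and reads the entry will ask for `' pwdgraceusetime'` rather than `pwdgraceusetime`, and the new display items will most likely come back empty or be rejected by the server. Every existing line in this array, and the `accountexpires` line added in the next hunk, has no such space. Change them to `'attribute' => 'pwdgraceusetime'`, `'attribute' => 'pwdstarttime'` and `'attribute' => 'pwdendtime'`. Since the map keys (`starttime`, `endtime`) differ from the attribute names, a short comment such as `# starttime/endtime map to pwdStartTime/pwdEndTime (see label_starttime/label_endtime)` would make the indirection visible to whoever edits this file next.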
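Review bot: `accountexpires` is mapped with `'type' => 'ad_date'`, but in Active Directory the values `0` and `9223372036854775807` both mean "never expires"; unless the `ad_date` formatter already special-cases them (it is not part of this diff), the display page will render a meaningless date as "End of validity" for every account without an expiry. Worth checking the formatter and, if needed, mapping those two values to an empty/"never" value before conversion, with a comment on this line noting why.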
@@ -112,7 +116,7 @@ $display_items = array('identifier', 'firstname', 'lastname', 'title', 'businesscategory', 'employeenumber', 'employeetype', 'mail', 'mailquota', 'phone', 'mobile', 'fax', 'postaladdress', 'street', 'postalcode', 'l', 'state', 'organizationalunit', 'organization', 'manager', 'secretary' ); $display_title = "fullname"; $display_show_undefined = false; -$display_password_items = array('pwdchangedtime', 'pwdfailuretime','pwdpolicysubentry', 'authtimestamp', 'pwdlastsuccess', 'created', 'modified'); +$display_password_items = array('pwdchangedtime', 'pwdfailuretime','pwdpolicysubentry', 'authtimestamp', 'pwdlastsuccess', 'pwdgraceusetime', 'starttime', 'endtime', 'created', 'modified'); $display_password_expiration_date = true; # Features @@ -137,6 +141,8 @@ $use_searchlocked = true; +$use_searchdisabled = true; + $use_searchexpired = true; $use_searchwillexpire = true; @@ -149,6 +155,12 @@ $use_disableaccount = false; $show_enablestatus = false; +$use_enablecomment = false; +$use_enablecomment_required = false; +$use_disablecomment = false; +$use_disablecomment_required = false; + + # Local password policy # This is applied before directory password policy # Minimal length diff --git a/docs/enableaccount.rst b/docs/enableaccount.rst index 8b88451..e7f6dee 100644 --- a/docs/enableaccount.rst +++ b/docs/enableaccount.rst @@ -31,3 +31,25 @@ To enable this feature: .. code-block:: php $use_disableaccount = true; + +Insert comment +-------------- + +This feature displays a comment pop-up when enabling and disabling user accounts. + +To enable this feature: + +.. code-block:: php + + $use_enablecomment = true; + $use_disablecomment = true; + +Comment required +---------------- + +This feature ensures a comment is required before enabling/disabling a user. + +.. code-block:: php + + $use_enablecomment_required = true; + $use_disablecomment_required = true; diff --git a/htdocs/checkpassword.php b/htdocs/checkpassword.php index 1ed709f..7322625 100644 
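Review bot: The four new `$use_enablecomment*` / `$use_disablecomment*` flags are added with no explanation, while the surrounding sections of this file (`# Local password policy`, `# Search`) describe each option inline. Add a line above them such as `# Ask for a comment when enabling/disabling an account, and whether the comment is mandatory` so an administrator reading config.inc.php does not have to open docs/enableaccount.rst. The two trailing blank lines before `# Local password policy` can be reduced to one.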
--- a/htdocs/checkpassword.php +++ b/htdocs/checkpassword.php @@ -30,21 +30,29 @@ $ldap = $ldap_connection[0]; $result = $ldap_connection[1]; - if ($use_checkpasswordhistory) { - $password_history = $ldapInstance->get_attribute_values($dn, "pwdHistory"); - foreach ($password_history as $previous_password) { - preg_match("/(?<={).*(?=})/", $previous_password, $algorithm); - preg_match("/{(?<={).*/", $previous_password, $hash); - if (\Ltb\Password::check_password($password, $hash[0], $algorithm[0])) { - $result = "passwordinhistory"; + # DN match + if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) { + $result = "noentriesfound"; + error_log("LDAP - $dn not found using the configured search settings, reject request"); + } else { + + if ($use_checkpasswordhistory) { + $password_history = $ldapInstance->get_attribute_values($dn, "pwdHistory"); + foreach ($password_history as $previous_password) { + preg_match("/(?<={).*(?=})/", $previous_password, $algorithm); + preg_match("/{(?<={).*/", $previous_password, $hash); + if (\Ltb\Password::check_password($password, $hash[0], $algorithm[0])) { + $result = "passwordinhistory"; + } } } - } - if (!$result) { - $bind = ldap_bind($ldap, $dn, $password); - $result = $bind ? "passwordok" : "ldaperror"; - } + if (!$result) { + $bind = ldap_bind($ldap, $dn, $password); + $result = $bind ? "passwordok" : "ldaperror"; + } + + } } if ($audit_log_file) { diff --git a/htdocs/disableaccount.php b/htdocs/disableaccount.php index f54b424..916d9a8 100644 --- a/htdocs/disableaccount.php +++ b/htdocs/disableaccount.php @@ -6,6 +6,12 @@ $result = ""; $dn = ""; $password = ""; +$comment = ""; +$returnto = "display"; + +if (isset($_POST["returnto"]) and $_POST["returnto"]) { + $returnto = $_POST["returnto"]; +} if (isset($_POST["dn"]) and $_POST["dn"]) { $dn = $_POST["dn"]; 
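Review bot: The new `matchDn()` call runs on whatever `$ldap_connection[0]` returned, with no check that the connection succeeded, so on a connect failure the `$result` taken from `$ldap_connection[1]` is overwritten by `noentriesfound` (or by a later branch) and the audit log records the wrong cause. The same pattern is introduced in disableaccount.php, enableaccount.php and resetpassword.php, where this commit replaces an existing `if ($ldap) {` with the DN check, whereas lockaccount.php, unlockaccount.php and display.php keep the guard and nest the check inside it. Keep the guard here too, `if ($ldap) {` around the DN-match block as in lockaccount.php, so that a failed connection keeps its own result code. I am inferring how `matchDn()` behaves on a failed connection; even if it returns false cleanly, the result-code clobbering applies.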
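Review bot: `$returnto` is copied from `$_POST["returnto"]` without validation and, in the last hunk of this file, concatenated unencoded into `header('Location: index.php?page='.$returnto...)`; enableaccount.php, lockaccount.php and unlockaccount.php gain the same read in this commit. `header()` refuses CR/LF, so this is not header injection, but a caller can steer the redirect to any `page` value and append further query parameters, and how index.php resolves an arbitrary `$page` is not visible here. Accept only the pages that link back to this action, e.g. `$allowed_returnto = array("display", "searchdisabled"); // constructed list, adjust to the real callers` and `if (isset($_POST["returnto"]) and in_array($_POST["returnto"], $allowed_returnto, true)) { $returnto = $_POST["returnto"]; }`, and use `urlencode($returnto)` (and `urlencode($dn)`) when building the Location header.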
@@ -13,6 +19,11 @@ $result = "dnrequired"; } +if (isset($_POST["comment"]) and $_POST["comment"]) { + $comment = $_POST["comment"]; +} + + if (!$use_disableaccount) { $result = "actionforbidden"; } @@ -28,7 +39,11 @@ $ldap = $ldap_connection[0]; $result = $ldap_connection[1]; - if ($ldap) { + # DN match + if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) { + $result = "noentriesfound"; + error_log("LDAP - $dn not found using the configured search settings, reject request"); + } else { if ( $directory->disableAccount($ldap, $dn) ) { $result = "accountdisabled"; } else { @@ -38,7 +53,7 @@ } if ($audit_log_file) { - auditlog($audit_log_file, $dn, $audit_admin, "disableaccount", $result); + auditlog($audit_log_file, $dn, $audit_admin, "disableaccount", $result, $comment); } -header('Location: index.php?page=display&dn='.$dn.'&disableaccountresult='.$result); +header('Location: index.php?page='.$returnto.'&dn='.$dn.'&disableaccountresult='.$result); diff --git a/htdocs/display.php b/htdocs/display.php index 2e90c15..f080261 100644 --- a/htdocs/display.php +++ b/htdocs/display.php @@ -84,6 +84,12 @@ if ($ldap) { + # DN match + if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) { + $result = "noentriesfound"; + error_log("LDAP - $dn not found using the configured search settings, reject request"); + } else { + # Search attributes $attributes = array(); $search_items = array_merge($display_items, $display_password_items); @@ -100,8 +106,8 @@ $result = "ldaperror"; error_log("LDAP - Search error $errno (".ldap_error($ldap).")"); } else { - $entry = ldap_get_entries($ldap, $search); - } + + $entry = ldap_get_entries($ldap, $search); # Sort attributes values foreach ($entry[0] as $attr => $values) { 
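Review bot: `$comment` is taken verbatim from `$_POST["comment"]` and handed to `auditlog()` in the last hunk of this file (enableaccount.php does the same); if the audit log is line-oriented, as `displayauditlog`/`dateSort` in lib/audit.inc.php suggest, embedded CR/LF in a comment would split one event into several records and could forge entries. `auditlog()` is not in this diff, so confirm whether it already escapes; if not, normalise at the boundary: `$comment = preg_replace('/[\r\n]+/', ' ', trim($_POST["comment"]));`. Nothing in the visible hunks enforces the new `$use_disablecomment_required` flag server-side (lines 24–39 of the new file are not shown); if the requirement only lives in the pop-up template, a guard of the form `if ($use_disablecomment_required and $comment === "") { $result = "commentrequired"; }` (constructed message key, would need adding to lang/) is worth considering so the flag cannot be bypassed by posting directly.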
@@ -116,8 +122,8 @@ # Get password policy configuration $pwdPolicyConfiguration = $directory->getPwdPolicyConfiguration($ldap, $dn, $ldap_default_ppolicy); - if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_durantion; } - if ($ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; } + if (isset($ldap_lockout_duration) and $ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_duration; } + if (isset($ldap_password_max_age) and $ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; } if ($display_edit_link) { # Replace {dn} in URL @@ -138,7 +144,7 @@ $isAccountEnabled = $directory->isAccountEnabled($ldap, $dn); } - } + }}} } $smarty->assign("entry", $entry[0]); diff --git a/htdocs/enableaccount.php b/htdocs/enableaccount.php index 0756186..166eeef 100644 --- a/htdocs/enableaccount.php +++ b/htdocs/enableaccount.php @@ -5,16 +5,27 @@ $result = ""; $dn = ""; -$password = ""; +$comment = ""; +$returnto = "display"; + +if (isset($_POST["returnto"]) and $_POST["returnto"]) { + $returnto = $_POST["returnto"]; +} if (isset($_POST["dn"]) and $_POST["dn"]) { $dn = $_POST["dn"]; +} else if (isset($_GET["dn"]) and $_GET["dn"]) { + $dn = $_GET["dn"]; } else { $result = "dnrequired"; } -if (!$use_enableaccount) { - $result = "actionforbidden"; +if (isset($_GET["returnto"]) and $_GET["returnto"]) { + $returnto = $_GET["returnto"]; +} + +if (isset($_POST["comment"]) and $_POST["comment"]) { + $comment = $_POST["comment"]; } if ($result === "") { 
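Review bot: The new closing `}}}` on one line hides which three blocks end here (presumably the DN-match `else`, the search `else` and `if ($ldap)`), and the blocks it closes open in earlier hunks, so the nesting cannot be checked from this hunk alone. Put each brace on its own line at the indentation of the block it closes, matching the style used for the same restructuring in lockaccount.php and unlockaccount.php in this commit.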
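Review bot: This hunk removes the `if (!$use_enableaccount) { $result = "actionforbidden"; }` check from enableaccount.php and at the same time starts accepting the target `dn` (and `returnto`) from `$_GET`, so enabling an account becomes reachable through a plain link and is gated only by the new `$page === "enableaccount"` test in index.php. disableaccount.php keeps its in-file check; keep it here as well so the script fails closed if it is ever included outside the dispatcher: `if (!$use_enableaccount) { $result = "actionforbidden"; }` after the comment block. Since enabling is a state change it should also stay POST-only: the `$_GET["dn"]` branch mirrors unlockaccount.php, but that is the pattern to retire rather than extend, and a GET entry point from the search listing can render a confirmation form that posts back instead.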
@@ -28,7 +39,11 @@ $ldap = $ldap_connection[0]; $result = $ldap_connection[1]; - if ($ldap) { + # DN match + if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) { + $result = "noentriesfound"; + error_log("LDAP - $dn not found using the configured search settings, reject request"); + } else { if ( $directory->enableAccount($ldap, $dn) ) { $result = "accountenabled"; } else { @@ -38,7 +53,7 @@ } if ($audit_log_file) { - auditlog($audit_log_file, $dn, $audit_admin, "enableaccount", $result); + auditlog($audit_log_file, $dn, $audit_admin, "enableaccount", $result, $comment); } -header('Location: index.php?page=display&dn='.$dn.'&enableaccountresult='.$result); +header('Location: index.php?page='.$returnto.'&dn='.$dn.'&enableaccountresult='.$result); diff --git a/htdocs/index.php b/htdocs/index.php index c2a48f4..a1f6dbb 100644 --- a/htdocs/index.php +++ b/htdocs/index.php @@ -18,12 +18,11 @@ #============================================================================== # Language #============================================================================== -require_once("../lib/detectbrowserlanguage.php"); # Available languages $files = glob("../lang/*.php"); $languages = str_replace(".inc.php", "", $files); $languages = str_replace("../lang/", "", $languages); -$lang = detectLanguage($lang, $allowed_lang ? array_intersect($languages, $allowed_lang) : $languages); +$lang = \Ltb\Language::detect_language($lang, $allowed_lang ? array_intersect($languages,$allowed_lang) : $languages); require_once("../lang/$lang.inc.php"); if (file_exists("../conf/$lang.inc.php")) { require_once("../conf/$lang.inc.php"); @@ -86,6 +85,8 @@ break; } +$dnAttribute = $directory->getDnAttribute(); + #============================================================================== # Other default values #============================================================================== 
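Review bot: `$lang` returned by `\Ltb\Language::detect_language()` is interpolated into `require_once("../lang/$lang.inc.php")` and `require_once("../conf/$lang.inc.php")` on the following lines, so the replacement must, like the deleted `detectLanguage()` in lib/detectbrowserlanguage.php, return only an element of the `$languages` list it is given. The deleted helper also built its `preg_grep` pattern from the Accept-Language fragment unquoted, so the library version is presumably the safer one, but it is outside this diff and I cannot verify it. A comment at the call site, `# detect_language() must return one of $languages: the value becomes an include path`, records that invariant for the next maintainer.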
@@ -131,6 +132,12 @@ $smarty->setCompileDir($compile_dir); $smarty->setCacheDir($cache_dir); $smarty->debugging = $smarty_debug; +function sha256($string) +{ + return hash("sha256",$string); +} +$smarty->registerPlugin("modifier","sha256", "sha256"); +$smarty->registerPlugin("modifier","is_array", "is_array"); if(isset($smarty_debug) && $smarty_debug == true ) { @@ -179,6 +186,7 @@ $smarty->assign('show_expirestatus',$show_expirestatus); $smarty->assign('display_password_expiration_date',$display_password_expiration_date); $smarty->assign('use_searchlocked',$use_searchlocked); +$smarty->assign('use_searchdisabled',$use_searchdisabled); $smarty->assign('use_searchexpired',$use_searchexpired); $smarty->assign('use_searchwillexpire',$use_searchwillexpire); $smarty->assign('use_searchidle',$use_searchidle); @@ -187,6 +195,10 @@ $smarty->assign('use_enableaccount',$use_enableaccount); $smarty->assign('use_disableaccount',$use_disableaccount); $smarty->assign('show_enablestatus',$show_enablestatus); +$smarty->assign('use_enablecomment',$use_enablecomment); +$smarty->assign('use_enablecomment_required',$use_enablecomment_required); +$smarty->assign('use_disablecomment',$use_disablecomment); +$smarty->assign('use_disablecomment_required',$use_disablecomment_required); # Assign messages 
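Review bot: Declaring a global `function sha256($string)` in the middle of index.php mixes a symbol definition into a side-effect script and will fatal on redeclaration if any included file or the Ltb library ever defines a `sha256` function; it also has no type declarations. Register a closure instead, `$smarty->registerPlugin("modifier", "sha256", static fn (string $s): string => hash("sha256", $s));` (Smarty's `registerPlugin` accepts any callable), or move the helper into a lib file. A one-line comment stating what the templates use the `sha256` and `is_array` modifiers for would help, since the template side is not in this diff.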
@@ -241,7 +253,9 @@ if ( $page === "checkpassword" and !$use_checkpassword ) { $page = "welcome"; } if ( $page === "resetpassword" and !$use_resetpassword ) { $page = "welcome"; } if ( $page === "unlockaccount" and !$use_unlockaccount ) { $page = "welcome"; } +if ( $page === "enableaccount" and !$use_enableaccount ) { $page = "welcome"; } if ( $page === "searchlocked" and !$use_searchlocked ) { $page = "welcome"; } +if ( $page === "searchdisabled" and !$use_searchdisabled ) { $page = "welcome"; } if ( $page === "searchexpired" and !$use_searchexpired ) { $page = "welcome"; } if ( $page === "searchwillexpire" and !$use_searchwillexpire ) { $page = "welcome"; } if ( $page === "searchidle" and !$use_searchidle ) { $page = "welcome"; } diff --git a/htdocs/lockaccount.php b/htdocs/lockaccount.php index 026739d..c0dcc5e 100644 --- a/htdocs/lockaccount.php +++ b/htdocs/lockaccount.php @@ -6,6 +6,7 @@ $result = ""; $dn = ""; $comment = ""; +$returnto = "display"; $prehook_login_value = ""; $prehook_message = ""; $prehook_return = 0; @@ -13,6 +14,10 @@ $posthook_message = ""; $posthook_return = 0; +if (isset($_POST["returnto"]) and $_POST["returnto"]) { + $returnto = $_POST["returnto"]; +} + if (isset($_POST["dn"]) and $_POST["dn"]) { $dn = $_POST["dn"]; } else { 
@@ -36,58 +41,62 @@ $result = $ldap_connection[1]; if ($ldap) { - - if ( isset($prehook_lock) || isset($posthook_lock) ) { - if ( isset($prehook_login) ) { - $prehook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $prehook_login); - } - if ( isset($posthook_login) ) { - $posthook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $posthook_login); + # DN match + if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) { + $result = "noentriesfound"; + error_log("LDAP - $dn not found using the configured search settings, reject request"); + } else { + if ( isset($prehook_lock) || isset($posthook_lock) ) { + if ( isset($prehook_login) ) { + $prehook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $prehook_login); + } + if ( isset($posthook_login) ) { + $posthook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $posthook_login); + } } - } - if ( isset($prehook_lock) ) { + if ( isset($prehook_lock) ) { - if ( !isset($prehook_login_value) ) { - $prehook_return = 255; - $prehook_message = "No login found, cannot execute prehook script"; - } else { - $command = hook_command($prehook_lock, $prehook_login_value); - exec($command, $prehook_output, $prehook_return); - $prehook_message = $prehook_output[0]; + if ( !isset($prehook_login_value) ) { + $prehook_return = 255; + $prehook_message = "No login found, cannot execute prehook script"; + } else { + $command = hook_command($prehook_lock, $prehook_login_value); + exec($command, $prehook_output, $prehook_return); + $prehook_message = $prehook_output[0]; + } } - } - if ( $prehook_return > 0 and !$ignore_prehook_lock_error) { - $result = "hookerror"; - } else { - # Get password policy configuration - $pwdPolicyConfiguration = $directory->getPwdPolicyConfiguration($ldap, $dn, $ldap_default_ppolicy); - if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = 
$ldap_lockout_durantion; } - if ($ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; } - - # Apply the modification only if the password can be locked - if ($pwdPolicyConfiguration["lockout_enabled"]) { - if ( $directory->lockAccount($ldap, $dn) ) { - $result = "accountlocked"; - } else { - $result = "ldaperror"; + if ( $prehook_return > 0 and !$ignore_prehook_lock_error) { + $result = "hookerror"; + } else { + # Get password policy configuration + $pwdPolicyConfiguration = $directory->getPwdPolicyConfiguration($ldap, $dn, $ldap_default_ppolicy); + if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_durantion; } + if ($ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; } + + # Apply the modification only if the password can be locked + if ($pwdPolicyConfiguration["lockout_enabled"]) { + if ( $directory->lockAccount($ldap, $dn) ) { + $result = "accountlocked"; + } else { + $result = "ldaperror"; + } } } - } - if ( $result === "accountlocked" && isset($posthook_lock) ) { + if ( $result === "accountlocked" && isset($posthook_lock) ) { - if ( !isset($posthook_login_value) ) { - $posthook_return = 255; - $posthook_message = "No login found, cannot execute posthook script"; - } else { - $command = hook_command($posthook_lock, $posthook_login_value); - exec($command, $posthook_output, $posthook_return); - $posthook_message = $posthook_output[0]; + if ( !isset($posthook_login_value) ) { + $posthook_return = 255; + $posthook_message = "No login found, cannot execute posthook script"; + } else { + $command = hook_command($posthook_lock, $posthook_login_value); + exec($command, $posthook_output, $posthook_return); + $posthook_message = $posthook_output[0]; + } } } - } } 
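Review bot: The re-indented line `if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_durantion; }` still reads the misspelt `$ldap_lockout_durantion`, so whenever an administrator configures `$ldap_lockout_duration` the policy entry is silently replaced by null (undefined variable) on this page. This commit fixes the same typo in display.php, searchexpired.php, searchlocked.php and searchwillexpire.php; apply the same form here: `if (isset($ldap_lockout_duration) and $ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_duration; }` and the matching `isset()` guard on the `$ldap_password_max_age` line. The enclosing `if ($ldap)` block opens in this hunk; apart from the new DN check the hunk is a pure re-indent.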
@@ -95,7 +104,7 @@ auditlog($audit_log_file, $dn, $audit_admin, "lockaccount", $result, $comment); } -$location = 'index.php?page=display&dn='.$dn.'&lockaccountresult='.$result; +$location = 'index.php?page='.$returnto.'&dn='.$dn.'&lockaccountresult='.$result; if ( isset($prehook_return) and $display_prehook_lock_error and $prehook_return > 0 ) { $location .= '&prehooklockresult='.$prehook_message; } diff --git a/htdocs/resetpassword.php b/htdocs/resetpassword.php index a69fb7c..a383829 100644 --- a/htdocs/resetpassword.php +++ b/htdocs/resetpassword.php @@ -42,8 +42,11 @@ $ldap = $ldap_connection[0]; $result = $ldap_connection[1]; - if ($ldap) { - + # DN match + if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) { + $result = "noentriesfound"; + error_log("LDAP - $dn not found using the configured search settings, reject request"); + } else { if ( isset($prehook) || isset($posthook) ) { if ( isset($prehook_login) ) { $prehook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $prehook_login); diff --git a/htdocs/searchdisabled.php b/htdocs/searchdisabled.php new file mode 100644 index 0000000..cc3d66f --- /dev/null +++ b/htdocs/searchdisabled.php 
@@ -0,0 +1,45 @@ +search($ldap_user_filter, array(), $attributes_map, $search_result_title, $search_result_sortby, $search_result_items, $ldap_scope); + +if ( !empty($entries) ) +{ + + # Check if entry is still locked + foreach($entries as $entry_key => $entry) { + + $isEnabled = $directory->isAccountEnabled($ldap, $entry['dn']); + + if ( $isEnabled === true ) { + unset($entries[$entry_key]); + $nb_entries--; + } + + } + + $smarty->assign("page_title", "disabledaccounts"); + if ($nb_entries === 0) { + $result = "noentriesfound"; + } else { + $smarty->assign("nb_entries", $nb_entries); + $smarty->assign("entries", $entries); + $smarty->assign("size_limit_reached", $size_limit_reached); + + $columns = $search_result_items; + if (! in_array($search_result_title, $columns)) array_unshift($columns, $search_result_title); + $smarty->assign("listing_columns", $columns); + $smarty->assign("listing_linkto", isset($search_result_linkto) ? $search_result_linkto : array($search_result_title)); + $smarty->assign("listing_sortby", array_search($search_result_sortby, $columns)); + $smarty->assign("show_undef", $search_result_show_undefined); + $smarty->assign("truncate_value_after", $search_result_truncate_value_after); + if ($use_enableaccount) { $smarty->assign("display_enable_button", true); } + } +} + +?> diff --git a/htdocs/searchexpired.php b/htdocs/searchexpired.php index 8676733..658f3e0 100644 --- a/htdocs/searchexpired.php +++ b/htdocs/searchexpired.php 
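Review bot: The comment `# Check if entry is still locked` in the new searchdisabled.php is copied from searchlocked.php and describes the wrong check; the loop drops every entry whose `isAccountEnabled()` returns true so that only disabled accounts remain, so write `# Keep only disabled accounts: drop every entry that is still enabled`. The file also ends with a closing `?>`, which a PHP-only file should omit (anything after it becomes output), and `in_array($search_result_title, $columns)` should pass `true` as third argument for a strict comparison. The first lines of the file are not visible here (the hunk text starts at `+search(`), so the connection and `$ldapInstance` setup could not be reviewed.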
@@ -15,8 +15,8 @@ # Get password policy configuration $pwdPolicyConfiguration = $directory->getPwdPolicyConfiguration($ldap, $entry["dn"], $ldap_default_ppolicy); - if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_durantion; } - if ($ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; } + if (isset($ldap_lockout_duration) and $ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_duration; } + if (isset($ldap_password_max_age) and $ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; } $isExpired = $directory->isPasswordExpired($ldap, $entry["dn"], $pwdPolicyConfiguration); diff --git a/htdocs/searchlocked.php b/htdocs/searchlocked.php index 8b10b35..f16edfc 100644 --- a/htdocs/searchlocked.php +++ b/htdocs/searchlocked.php @@ -16,8 +16,8 @@ # Get password policy configuration $pwdPolicyConfiguration = $directory->getPwdPolicyConfiguration($ldap, $entry["dn"], $ldap_default_ppolicy); - if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_durantion; } - if ($ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; } + if (isset($ldap_lockout_duration) and $ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_duration; } + if (isset($ldap_password_max_age) and $ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; } $isLocked = $directory->isLocked($ldap, $entry['dn'], $pwdPolicyConfiguration); diff --git a/htdocs/searchwillexpire.php b/htdocs/searchwillexpire.php index 75c609d..2f9523d 100644 --- a/htdocs/searchwillexpire.php +++ b/htdocs/searchwillexpire.php 
@@ -15,8 +15,8 @@ # Get password policy configuration $pwdPolicyConfiguration = $directory->getPwdPolicyConfiguration($ldap, $entry["dn"], $ldap_default_ppolicy); - if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_durantion; } - if ($ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; } + if (isset($ldap_lockout_duration) and $ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_duration; } + if (isset($ldap_password_max_age) and $ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; } $isWillExpire = false; $expirationDate = $directory->getPasswordExpirationDate($ldap, $entry["dn"], $pwdPolicyConfiguration); diff --git a/htdocs/unlockaccount.php b/htdocs/unlockaccount.php index 2f285fb..e13223a 100644 --- a/htdocs/unlockaccount.php +++ b/htdocs/unlockaccount.php @@ -14,6 +14,10 @@ $posthook_message = ""; $posthook_return = 0; +if (isset($_POST["returnto"]) and $_POST["returnto"]) { + $returnto = $_POST["returnto"]; +} + if (isset($_POST["dn"]) and $_POST["dn"]) { $dn = $_POST["dn"]; } else if (isset($_GET["dn"]) and $_GET["dn"]) { 
@@ -43,47 +47,53 @@ $result = $ldap_connection[1]; if ($ldap) { + # DN match + if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) { + $result = "noentriesfound"; + error_log("LDAP - $dn not found using the configured search settings, reject request"); + } else { - if ( isset($prehook_unlock) || isset($posthook_unlock) ) { - if ( isset($prehook_login) ) { - $prehook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $prehook_login); + if ( isset($prehook_unlock) || isset($posthook_unlock) ) { + if ( isset($prehook_login) ) { + $prehook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $prehook_login); + } + if ( isset($posthook_login) ) { + $posthook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $posthook_login); + } } - if ( isset($posthook_login) ) { - $posthook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $posthook_login); - } - } - if ( isset($prehook_unlock) ) { + if ( isset($prehook_unlock) ) { - if ( !isset($prehook_login_value) ) { - $prehook_return = 255; - $prehook_message = "No login found, cannot execute prehook script"; - } else { - $command = hook_command($prehook_unlock, $prehook_login_value); - exec($command, $prehook_output, $prehook_return); - $prehook_message = $prehook_output[0]; + if ( !isset($prehook_login_value) ) { + $prehook_return = 255; + $prehook_message = "No login found, cannot execute prehook script"; + } else { + $command = hook_command($prehook_unlock, $prehook_login_value); + exec($command, $prehook_output, $prehook_return); + $prehook_message = $prehook_output[0]; + } } - } - if ( $prehook_return > 0 and !$ignore_prehook_unlock_error) { - $result = "hookerror"; - } else { - if ( $directory->unlockAccount($ldap, $dn) ) { - $result = "accountunlocked"; + if ( $prehook_return > 0 and !$ignore_prehook_unlock_error) { + $result = "hookerror"; } else { - $result = "ldaperror"; 
+ if ( $directory->unlockAccount($ldap, $dn) ) { + $result = "accountunlocked"; + } else { + $result = "ldaperror"; + } } - } - if ( $result === "accountunlocked" && isset($posthook_unlock) ) { + if ( $result === "accountunlocked" && isset($posthook_unlock) ) { - if ( !isset($posthook_login_value) ) { - $posthook_return = 255; - $posthook_message = "No login found, cannot execute posthook script"; - } else { - $command = hook_command($posthook_unlock, $posthook_login_value); - exec($command, $posthook_output, $posthook_return); - $posthook_message = $posthook_output[0]; + if ( !isset($posthook_login_value) ) { + $posthook_return = 255; + $posthook_message = "No login found, cannot execute posthook script"; + } else { + $command = hook_command($posthook_unlock, $posthook_login_value); + exec($command, $posthook_output, $posthook_return); + $posthook_message = $posthook_output[0]; + } } } } diff --git a/lang/en.inc.php b/lang/en.inc.php index c45ee6d..1d1d03e 100644 --- a/lang/en.inc.php +++ b/lang/en.inc.php @@ -26,6 +26,7 @@ $messages['currentpassword'] = "Current password"; $messages['dashboards'] = "Dashboards"; $messages['disableaccount'] = "Disable account"; +$messages['disabledaccounts'] = "Disabled accounts"; $messages['displayentry'] = "Display entry"; $messages['dnrequired'] = "Entry identifier required"; $messages['editentry'] = "Edit entry"; @@ -56,6 +57,7 @@ $messages['label_done_by'] = "Done by"; $messages['label_employeenumber'] = "Employee number"; $messages['label_employeetype'] = "Employee type"; +$messages['label_endtime'] = "End of validity"; $messages['label_expirationdate'] = "Expiration date"; $messages['label_fax'] = "Fax"; $messages['label_firstname'] = "First name"; 
@@ -78,10 +80,12 @@ $messages['label_pwdaccountlockedtime'] = "Locking date"; $messages['label_pwdchangedtime'] = "Last password change"; $messages['label_pwdfailuretime'] = "Last authentication failures"; +$messages['label_pwdgraceusetime'] = "Last grace authentications"; $messages['label_pwdpolicysubentry'] = "Associated password policy"; $messages['label_pwdreset'] = "Reset password at next connection"; $messages['label_result'] = "Result"; $messages['label_secretary'] = "Secretary"; +$messages['label_starttime'] = "Start of validity"; $messages['label_state'] = "State"; $messages['label_street'] = "Street"; $messages['label_title'] = "Title"; diff --git a/lang/fr.inc.php b/lang/fr.inc.php index 9a4221b..ba25cf0 100644 --- a/lang/fr.inc.php +++ b/lang/fr.inc.php @@ -8,13 +8,13 @@ $messages['accountdisabled'] = "Le compte est désactivé"; $messages['auditlogs'] = "Audit"; $messages['auditlogtitle'] = "Traces d'audit pour les $audit_log_days derniers jours"; -$messages['accountlocked'] = "Le compte est bloqué"; +$messages['accountlocked'] = "Le compte est verrouillé"; $messages['accountnotdisabled'] = "Échec de la désactivation du compte"; $messages['accountnotenabled'] = "Échec de l'activation du compte"; -$messages['accountnotlocked'] = "Échec de blocage du compte"; -$messages['accountnotunlocked'] = "Échec de déblocage du compte"; +$messages['accountnotlocked'] = "Échec de verrouillage du compte"; +$messages['accountnotunlocked'] = "Échec de déverrouillage du compte"; $messages['accountstatus'] = "Statut du compte"; -$messages['accountunlocked'] = "Le compte n'est pas bloqué"; +$messages['accountunlocked'] = "Le compte n'est pas verrouillé"; $messages['actionforbidden'] = "Action interdite"; $messages['changesubject'] = "Votre mot de passe a été changé"; $messages['changesubjectforadmin'] = "Le mot de passe d'un utilisateur a été changé"; 
@@ -26,6 +26,7 @@ $messages['currentpassword'] = "Mot de passe actuel"; $messages['dashboards'] = "Tableaux de bord"; $messages['disableaccount'] = "Désactiver le compte"; +$messages['disabledaccounts'] = "Comptes désactivés"; $messages['displayentry'] = "Afficher l'entrée"; $messages['dnrequired'] = "L'identifiant de l'entrée est requis"; $messages['editentry'] = "Modifier l'entrée"; @@ -56,6 +57,7 @@ $messages['label_done_by'] = "Fait par"; $messages['label_employeenumber'] = "Numéro d'employé"; $messages['label_employeetype'] = "Type d'employé"; +$messages['label_endtime'] = "Fin de validité"; $messages['label_expirationdate'] = "Date d'expiration"; $messages['label_fax'] = "Télécopie"; $messages['label_firstname'] = "Prénom"; 
@@ -75,20 +77,22 @@ $messages['label_phone'] = "Téléphone"; $messages['label_postaladdress'] = "Adresse"; $messages['label_postalcode'] = "Code postal"; -$messages['label_pwdaccountlockedtime'] = "Date de blocage"; +$messages['label_pwdaccountlockedtime'] = "Date de verrouillage"; $messages['label_pwdchangedtime'] = "Dernier changement de mot de passe"; $messages['label_pwdfailuretime'] = "Derniers échecs d'authentification"; +$messages['label_pwdgraceusetime'] = "Dernières authentifications en grâce"; $messages['label_pwdpolicysubentry'] = "Politique des mots de passe associée"; $messages['label_pwdreset'] = "Réinitialisation du mot de passe à la prochaine connexion"; $messages['label_result'] = "Résultat"; $messages['label_secretary'] = "Secrétaire"; +$messages['label_starttime'] = "Début de validité"; $messages['label_state'] = "État"; $messages['label_street'] = "Voie"; $messages['label_title'] = "Titre"; $messages['label_user_dn'] = "Utilisateur"; $messages['ldaperror'] = "Erreur de communication avec l'annuaire LDAP"; -$messages['lockaccount'] = "Bloquer le compte"; -$messages['lockedaccounts'] = "Comptes bloqués"; +$messages['lockaccount'] = "Verrouiller le compte"; +$messages['lockedaccounts'] = "Comptes verrouillés"; $messages['logout'] = "Déconnexion"; $messages['newpassword'] = "Nouveau mot de passe"; $messages['noentriesfound'] = "Aucune entrée trouvée"; @@ -112,7 +116,7 @@ $messages['tooltip_emailto'] = "Envoyer un email"; $messages['tooltip_phoneto'] = "Composer ce numéro"; $messages['true'] = "Oui"; -$messages['unlockaccount'] = "Débloquer le compte"; +$messages['unlockaccount'] = "Déverrouiller le compte"; $messages['unlockdate'] = "Date de déblocage automatique :"; $messages['welcome'] = "Bienvenue sur le guichet de service LDAP Tool Box"; $messages['willexpireaccounts'] = "Mots de passe bientôt expirés"; diff --git a/lib/audit.inc.php b/lib/audit.inc.php index 05e4b70..33ef1d7 100644 --- a/lib/audit.inc.php +++ b/lib/audit.inc.php 
@@ -44,8 +44,8 @@ function displayauditlog($audit_log_file, $audit_log_days, $audit_log_sortby, $a } function dateSort(array &$events, $sortkey, $audit_log_reverse) { - $reverse_order = fn($a, $b) => strtotime($a[$sortkey]) < strtotime($b[$sortkey]); - $normal_order = fn($a, $b) => strtotime($a[$sortkey]) > strtotime($b[$sortkey]); + $reverse_order = fn($a, $b) => strtotime($b[$sortkey]) <=> strtotime($a[$sortkey]); + $normal_order = fn($a, $b) => strtotime($a[$sortkey]) <=> strtotime($b[$sortkey]); if ($audit_log_reverse) { usort($events, $reverse_order); diff --git a/lib/detectbrowserlanguage.php b/lib/detectbrowserlanguage.php deleted file mode 100644 index 902a56a..0000000 --- a/lib/detectbrowserlanguage.php +++ /dev/null @@ -1,37 +0,0 @@ - - * @license http://www.php.net/license/3_01.txt PHP license - */ - -/** - * split request header Accept-Language to determine the UserAgent's - * prefered language - * - * @param string $defaultLanguage preselected default language - * @return string returns the default language or a match from $availableLanguages - */ -function detectLanguage($defaultLanguage, $availableLanguages) -{ - $acceptedLanguages = $_SERVER['HTTP_ACCEPT_LANGUAGE'] ? htmlspecialchars($_SERVER['HTTP_ACCEPT_LANGUAGE']) : ""; - $languageList = explode(',', $acceptedLanguages); - $choosenLanguage = $defaultLanguage; - foreach($languageList as $currentLanguage) { - $currentLanguage = explode(';', $currentLanguage); - if (preg_match('/(..)-?.*/', $currentLanguage[0], $reg)) { - foreach($reg as $checkLang) { - if ($match = preg_grep('/'.$checkLang.'/i', $availableLanguages)) { - $choosenLanguage= $match[key($match)]; - break 2; - } - } - } - } - return $choosenLanguage; -} - - /** - * vim: sts=4 ts=4 sw=4 cindent fdm=marker expandtab nu - */ diff --git a/templates/comment.tpl b/templates/comment.tpl index 8550a87..505552c 100644 --- a/templates/comment.tpl +++ b/templates/comment.tpl @@ -1,13 +1,20 @@
-