diff --git a/conf/config.inc.php b/conf/config.inc.php index c2301e3..7ddcb2b 100644 --- a/conf/config.inc.php +++ b/conf/config.inc.php @@ -278,6 +278,12 @@ # Ignore prehook error. This will allow to change password even if prehook script fails. #$ignore_prehook_error = true; +## Lock + +#$prehook_lock = "/usr/share/service-desk/prehook_lock.sh"; +#$display_prehook_lock_error = true; +#$ignore_prehook_lock_error = true; + ## Unlock #$prehook_unlock = "/usr/share/service-desk/prehook_unlock.sh"; @@ -301,6 +307,11 @@ # To read the actual password in the posthook script, use a base64_decode function/tool #$posthook_password_encodebase64 = false; +## Lock + +#$posthook_lock = "/usr/share/service-desk/posthook_lock.sh"; +#$display_posthook_lock_error = true; + ## Unlock #$posthook_unlock = "/usr/share/service-desk/posthook_unlock.sh"; diff --git a/docs/hook.rst b/docs/hook.rst index 40b01df..e3a209d 100644 --- a/docs/hook.rst +++ b/docs/hook.rst @@ -3,6 +3,7 @@ Hook Hook feature allows to run a script before or after an action: * Password reset +* Password lock * Password unlock The script must return 0 if no error occured. Any text printed on STDOUT @@ -57,6 +58,31 @@ if it fails, but still try to update password in the directory. $ignore_prehook_error = true; +Password lock +------------- + +The script is called with one parameter: login. + +Define prehook or posthook script (and enable the feature): + +.. code-block:: php + + $prehook_lock = "/usr/share/service-desk/prehook_lock.sh"; + $posthook_lock = "/usr/share/service-desk/posthook_lock.sh"; + +To display hook error: + +.. code-block:: php + + $display_prehook_lock_error = true; + $display_posthook_lock_error = true; + +To ignore prehook error: + +.. code-block:: php + + $ignore_prehook_lock_error = true; + Password unlock --------------- diff --git a/htdocs/display.php b/htdocs/display.php index 06f4833..2e90c15 100644 --- a/htdocs/display.php +++ b/htdocs/display.php @@ -13,6 +13,8 @@ $accountlockresult= ""; $prehookresult= ""; $posthookresult= ""; +$prehooklockresult= ""; +$posthooklockresult= ""; $prehookunlockresult= ""; $posthookunlockresult= ""; $ldapExpirationDate=""; @@ -52,6 +54,14 @@ $posthookresult = $_GET["posthookresult"]; } +if (isset($_GET["prehooklockresult"]) and $_GET["prehooklockresult"]) { + $prehooklockresult = $_GET["prehooklockresult"]; +} + +if (isset($_GET["posthooklockresult"]) and $_GET["posthooklockresult"]) { + $posthooklockresult = $_GET["posthooklockresult"]; +} + if (isset($_GET["prehookunlockresult"]) and $_GET["prehookunlockresult"]) { $prehookunlockresult = $_GET["prehookunlockresult"]; } @@ -154,6 +164,8 @@ $smarty->assign("accountlockresult", $accountlockresult); $smarty->assign("prehookresult", $prehookresult); $smarty->assign("posthookresult", $posthookresult); +$smarty->assign("prehooklockresult", $prehooklockresult); +$smarty->assign("posthooklockresult", $posthooklockresult); $smarty->assign("prehookunlockresult", $prehookunlockresult); $smarty->assign("posthookunlockresult", $posthookunlockresult); if ($canLockAccount == false) { $smarty->assign("use_lockaccount", $canLockAccount); } diff --git a/htdocs/lockaccount.php b/htdocs/lockaccount.php index ad22e95..026739d 100644 --- a/htdocs/lockaccount.php +++ b/htdocs/lockaccount.php @@ -6,6 +6,12 @@ $result = ""; $dn = ""; $comment = ""; +$prehook_login_value = ""; +$prehook_message = ""; +$prehook_return = 0; +$posthook_login_value = ""; +$posthook_message = ""; +$posthook_return = 0; if (isset($_POST["dn"]) and $_POST["dn"]) { $dn = $_POST["dn"]; @@ -21,6 +27,7 @@ require_once("../conf/config.inc.php"); require __DIR__ . '/../vendor/autoload.php'; + require_once("../lib/hook.inc.php"); # Connect to LDAP $ldap_connection = $ldapInstance->connect(); @@ -28,21 +35,59 @@ $ldap = $ldap_connection[0]; $result = $ldap_connection[1]; - if ($ldap) - { - # Get password policy configuration - $pwdPolicyConfiguration = $directory->getPwdPolicyConfiguration($ldap, $dn, $ldap_default_ppolicy); - if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_durantion; } - if ($ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; } - - # Apply the modification only the password can be locked - if ($pwdPolicyConfiguration["lockout_enabled"]) { - if ( $directory->lockAccount($ldap, $dn) ) { - $result = "accountlocked"; + if ($ldap) { + + if ( isset($prehook_lock) || isset($posthook_lock) ) { + if ( isset($prehook_login) ) { + $prehook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $prehook_login); + } + if ( isset($posthook_login) ) { + $posthook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $posthook_login); + } + } + + if ( isset($prehook_lock) ) { + + if ( !isset($prehook_login_value) ) { + $prehook_return = 255; + $prehook_message = "No login found, cannot execute prehook script"; + } else { + $command = hook_command($prehook_lock, $prehook_login_value); + exec($command, $prehook_output, $prehook_return); + $prehook_message = $prehook_output[0]; + } + } + + if ( $prehook_return > 0 and !$ignore_prehook_lock_error) { + $result = "hookerror"; + } else { + # Get password policy configuration + $pwdPolicyConfiguration = $directory->getPwdPolicyConfiguration($ldap, $dn, $ldap_default_ppolicy); + if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_durantion; } + if ($ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; } + + # Apply the modification only if the password can be locked + if ($pwdPolicyConfiguration["lockout_enabled"]) { + if ( $directory->lockAccount($ldap, $dn) ) { + $result = "accountlocked"; + } else { + $result = "ldaperror"; + } + } + } + + if ( $result === "accountlocked" && isset($posthook_lock) ) { + + if ( !isset($posthook_login_value) ) { + $posthook_return = 255; + $posthook_message = "No login found, cannot execute posthook script"; } else { - $result = "ldaperror"; + $command = hook_command($posthook_lock, $posthook_login_value); + exec($command, $posthook_output, $posthook_return); + $posthook_message = $posthook_output[0]; } } + } } @@ -50,4 +95,11 @@ auditlog($audit_log_file, $dn, $audit_admin, "lockaccount", $result, $comment); } -header('Location: index.php?page=display&dn='.$dn.'&lockaccountresult='.$result); +$location = 'index.php?page=display&dn='.$dn.'&lockaccountresult='.$result; +if ( isset($prehook_return) and $display_prehook_lock_error and $prehook_return > 0 ) { + $location .= '&prehooklockresult='.$prehook_message; +} +if ( isset($posthook_return) and $display_posthook_lock_error and $posthook_return > 0 ) { + $location .= '&posthooklockresult='.$posthook_message; +} +header('Location: '.$location); diff --git a/templates/display.tpl b/templates/display.tpl index 6578713..002c7d5 100644 --- a/templates/display.tpl +++ b/templates/display.tpl @@ -234,6 +234,12 @@
+ {if $prehooklockresult} +
{$prehooklockresult}
+ {/if} + {if $posthooklockresult} +
{$posthooklockresult}
+ {/if} {if $prehookunlockresult}
{$prehookunlockresult}
{/if} @@ -277,8 +283,14 @@

- {if $use_lockaccount || $prehookunlockresult || $posthookunlockresult} + {if $use_lockaccount || $prehooklockresult || $posthooklockresult || $prehookunlockresult || $posthookunlockresult}
+ {if $prehooklockresult} +
{$prehooklockresult}
+ {/if} + {if $posthooklockresult} +
{$posthooklockresult}
+ {/if} {if $prehookunlockresult}
{$prehookunlockresult}
{/if}