more to the issue: fix to regard the password-last-changed information from the auth system - if provided, and thus be able to react on forced password changes triggered by auth system

admin/inc/class.boaccounts.inc.php

@@ -451,7 +451,7 @@
 
 			if($_userData['account_passwd'])
 			{
-				$auth =& CreateObject('phpgwapi.auth');
+				$auth = CreateObject('phpgwapi.auth');
 				$auth->change_password($old_passwd, $_userData['account_passwd'], $_userData['account_id']);
 				$GLOBALS['hook_values']['account_id'] = $_userData['account_id'];
 				$GLOBALS['hook_values']['old_passwd'] = $old_passwd;
@@ -466,10 +466,15 @@
 					// so we need to reset that to 0 as Admin required the change of password upon next login
 					unset($_userData['account_passwd']);
 					$this->save_user($_userData);
-					// maybe we should call that with NULL for 2nd Parameter as we are doing an admin action.
-					if (method_exists($auth,'setLastPwdChange')) $auth->setLastPwdChange($_userData['account_id'], $_userData['account_passwd'], $_userData['account_lastpwd_change']);
 				}
 			}
+			if ($_userData['account_lastpwd_change']==0)
+			{
+				if (!isset($auth)) $auth = CreateObject('phpgwapi.auth');
+				// we call that with NULL for 2nd Parameter as we are doing an admin action.
+error_log(__METHOD__.array2string($_userData));
+				$auth->setLastPwdChange($_userData['account_id'],NULL, $_userData['account_lastpwd_change']);
+			}
 
 			$apps =& CreateObject('phpgwapi.applications',(int)$_userData['account_id']);
 			if($_userData['account_permissions'])

phpgwapi/inc/class.auth.inc.php

@@ -163,6 +163,32 @@ class auth
 		return true;
 	}
 
+	/**
+	 * fetch the last pwd change for the user
+	 *
+	 * @param string $username username of account to authenticate
+	 * @return mixed false or shadowlastchange*24*3600 
+	 */
+	function getLastPwdChange($username)
+	{
+		if (method_exists($this->backend,'getLastPwdChange')) return $this->backend->getLastPwdChange($username);
+		return false;
+	}
+
+	/**
+	 * changes account_lastpwd_change in ldap datababse
+	 *
+	 * @param int $account_id account id of user whose passwd should be changed
+	 * @param string $passwd must be cleartext, usually not used, but may be used to authenticate as user to do the change -> ldap
+	 * @param int $lastpwdchange must be a unixtimestamp
+	 * @return boolean true if account_lastpwd_change successful changed, false otherwise
+	 */
+	function setLastPwdChange($account_id=0, $passwd=NULL, $lastpwdchange=NULL)
+	{
+		if (method_exists($this->backend,'setLastPwdChange')) return $this->backend->setLastPwdChange($account_id, $passwd, $lastpwdchange);
+		return false;
+	}
+
 	/**
 	 * password authentication against password stored in sql datababse
 	 *

phpgwapi/inc/class.auth_ldap.inc.php

@@ -203,7 +203,7 @@ class auth_ldap implements auth_backend
 		$sri = ldap_search($ds, $GLOBALS['egw_info']['server']['ldap_context'], $filter);
 		$allValues = ldap_get_entries($ds, $sri);
 
-		$entry['shadowlastchange'] = round((time()-date('Z')) / (24*3600));
+		$entry['shadowlastchange'] = (is_null($lastpwdchange) || $lastpwdchange<0 ? round((time()-date('Z')) / (24*3600)):$lastpwdchange);
 
 		$dn = $allValues[0]['dn'];
 

phpgwapi/inc/class.auth_sql.inc.php

@@ -175,9 +175,8 @@ class auth_sql implements auth_backend
 		{
 			return false;
 		}
-
 		$this->db->update($this->table,array(
-			'account_lastpwd_change' => ($lastpwdchange==NULL || $lastpwdchange<0 ? time():$lastpwdchange),
+			'account_lastpwd_change' => (is_null($lastpwdchange) || $lastpwdchange<0 ? time():$lastpwdchange),
 		),array(
 			'account_id' => $account_id,
 		),__LINE__,__FILE__);