From dc7f8e11b172d5e6f612912dcb8d86bdfe6b74c9 Mon Sep 17 00:00:00 2001 From: Ralf Becker Date: Sat, 13 Jul 2013 07:51:40 +0000 Subject: [PATCH] * Admin/Active Directory: fixed not working display, setting and removing of "must change password upon next login" --- admin/inc/class.uiaccounts.inc.php | 4 ++-- phpgwapi/inc/class.accounts_ads.inc.php | 12 ++++++++---- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/admin/inc/class.uiaccounts.inc.php b/admin/inc/class.uiaccounts.inc.php index 45e76682a9..dc81091ca7 100755 --- a/admin/inc/class.uiaccounts.inc.php +++ b/admin/inc/class.uiaccounts.inc.php @@ -948,7 +948,7 @@ $var['changepassword'] = !$acl->check('nopasswordchange',1,'preferences') ? '  X' : ' '; if (!isset($auth)) $auth =& CreateObject('phpgwapi.auth'); $accLPWDC = $auth->getLastPwdChange($userData['account_lid']); - if ($accLPWC !== false) $userData['account_lastpwd_change'] = $accLPWDC; + if ($accLPWDC !== false) $userData['account_lastpwd_change'] = $accLPWDC; $var['mustchangepassword']= (isset($userData['account_lastpwd_change']) && ((is_string($userData['account_lastpwd_change']) && $userData['account_lastpwd_change']==="0")||(is_int($userData['account_lastpwd_change']) && $userData['account_lastpwd_change']===0)) ? '  X' : ' '); unset($acl); @@ -1318,7 +1318,7 @@ $userData['changepassword'] = !$acl->check('nopasswordchange',1,'preferences'); if (!isset($auth)) $auth =& CreateObject('phpgwapi.auth'); $accLPWDC = $auth->getLastPwdChange($userData['account_lid']); - if ($accLPWC !== false) $userData['account_lastpwd_change'] = $accLPWDC; + if ($accLPWDC !== false) $userData['account_lastpwd_change'] = $accLPWDC; $userData['mustchangepassword'] = (isset($userData['account_lastpwd_change']) && ((is_string($userData['account_lastpwd_change']) && $userData['account_lastpwd_change']==="0")||(is_int($userData['account_lastpwd_change']) && $userData['account_lastpwd_change']===0))?true:false); unset($acl); } 
diff --git a/phpgwapi/inc/class.accounts_ads.inc.php b/phpgwapi/inc/class.accounts_ads.inc.php index c05ebabb5c..638de8a366 100644 --- a/phpgwapi/inc/class.accounts_ads.inc.php +++ b/phpgwapi/inc/class.accounts_ads.inc.php @@ -481,8 +481,8 @@ class accounts_ads 'account_status' => $data['useraccountcontrol'][0] & 2 ? false : 'A', 'account_expires' => !isset($data['accountexpires']) || $data['accountexpires'][0] == self::EXPIRES_NEVER ? -1 : $this->adldap->utilities()->convertWindowsTimeToUnixTime($data['accountexpires'][0]), - 'account_lastpwd_change' => !isset($data['pwdlastset']) ? null : - $this->adldap->utilities()->convertWindowsTimeToUnixTime($data['pwdlastset'][0]), + 'account_lastpwd_change' => !isset($data['pwdlastset']) ? null : (!$data['pwdlastset'][0] ? 0 : + $this->adldap->utilities()->convertWindowsTimeToUnixTime($data['pwdlastset'][0])), 'account_created' => !isset($data['whencreated'][0]) ? null : self::_when2ts($data['whencreated'][0]), 'account_modified' => !isset($data['whenchanged'][0]) ? null : @@ -712,7 +712,8 @@ class accounts_ads 'account_status' => 'enabled', 'account_primary_group' => 'primarygroupid', 'account_expires' => 'expires', - 'mustchangepassword'=> 'change_password', + //'mustchangepassword'=> 'change_password', // can only set it, but not reset it, therefore we set pwdlastset direct + 'account_lastpwd_change' => 'pwdlastset', //'account_phone' => 'telephone', not updated by accounts, only read so far ); $attributes = $ldap = array(); @@ -759,6 +760,9 @@ class accounts_ads case 'account_status': $attributes[$adldap] = $data[$egw] == 'A'; break; + case 'account_lastpwd_change': // AD only allows to set 0 (force pw change) and -1 (reset time) + $ldap[$adldap] = !$data[$egw] ? 0 : -1; + break; default: $attributes[$adldap] = $data[$egw]; break; 
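Review bot: The nested ternary added for `account_lastpwd_change` in the `@@ -481` hunk has no comment saying why a zero `pwdlastset` skips the time conversion. The display code in admin/inc/class.uiaccounts.inc.php tests this field with a strict `=== 0` / `=== "0"`, so the branch has to yield exactly 0; I would add `// pwdLastSet 0 is AD's "must change password at next logon" marker: pass it through as int 0 so callers can test for it`. The loose `!$data['pwdlastset'][0]` also maps an empty string to 0, which is probably intended but worth stating in the same comment. The enclosing array literal starts and ends outside the hunk.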
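Review bot: With the `mustchangepassword` entry commented out of the attribute map in the `@@ -712` hunk, an update whose data carries only `mustchangepassword` appears to change nothing in AD, and nothing reports that the flag was ignored. Whether every caller now sets `account_lastpwd_change` instead is not visible here; if one does not, an administrator's request to force a password change would be dropped silently. Translating the old key ahead of the mapping loop would keep such callers working, e.g. `if (!empty($data['mustchangepassword']) && !isset($data['account_lastpwd_change'])) $data['account_lastpwd_change'] = 0;`. The method that owns this map starts and ends outside the hunk.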
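Review bot: The new `account_lastpwd_change` case in the `@@ -759` hunk writes `pwdlastset` on every update that carries the key, and any non-zero value becomes -1, which per the inline comment resets the password-set time. If a caller round-trips the timestamp that the read path returns, each ordinary account edit would restart the user's password age and postpone expiry; a null value (which the read path returns when `pwdlastset` is absent) is falsy and would instead force a change. Writing only on an actual transition avoids both, e.g. `if (isset($data[$egw]) && (bool)$data[$egw] !== !empty($old[$egw])) $ldap[$adldap] = !$data[$egw] ? 0 : -1;`, assuming `$old` holds the previously read account as its use in the `ldap_modify` call suggests. The switch and its loop start outside the hunk, so a guard there may already cover part of this.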
@@ -775,7 +779,7 @@ class accounts_ads // attributes not (yet) suppored by adldap if ($ldap && !($ret = @ldap_modify($ds=$this->ldap_connection(), $old['account_dn'], $ldap))) { - error_log(__METHOD__."(".array2string($data).") ldap_modify($ds, '$old[account_dn]', ".array2string($ldap).') returned '.array2string($ret).' '.function_backtrace()); + error_log(__METHOD__."(".array2string($data).") ldap_modify($ds, '$old[account_dn]', ".array2string($ldap).') returned '.array2string($ret).' ('.ldap_error($ds).') '.function_backtrace()); return false; } //elseif ($ldap) error_log(__METHOD__."(".array2string($data).") ldap_modify($ds, '$old[account_dn]', ".array2string($ldap).') returned '.array2string($ret).' '.function_backtrace());
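Review bot: The failure log line still serialises the whole `$data` and `$ldap` arrays through `array2string()`, so whatever the caller passed for the account, possibly a new password if that is part of `$data`, ends up in the PHP error log next to a backtrace. Adding `ldap_error($ds)` is a good diagnostic; I would at the same time cut the payload down to attribute names, e.g. `array2string(array_keys($ldap))`, and keep only the DN and the LDAP error text. Because the `@` on `ldap_modify` hides the PHP warning, this line is the only trace of a failed write, so it should stay, just with less data. The enclosing method starts outside the hunk.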