holm/egroupware
1
1
Fork 0
forked from extern/egroupware
Code Issues Pull Requests Packages Projects Releases Wiki Activity

* Univention: fix "Must change password upon next login" feature

Browse Source
This commit is contained in:
Ralf Becker 2019-09-16 10:06:57 +02:00
parent b1fae07c75
commit 4f367e6bf1
4 changed files with 28 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
api/src/Accounts/Ldap.php
View File

@ -620,7 +620,10 @@ class Ldap
}
//error_log(__METHOD__.__LINE__.$data['account_lid'].'#'.$data['account_lastpwd_change'].'#');
if ($data['account_lastpwd_change']) $to_write['shadowlastchange'] = round(($data['account_lastpwd_change']-$utc_diff)/(24*3600));
if (isset($data['account_lastpwd_change']) && $data['account_lastpwd_change']==0) $to_write['shadowlastchange'] = 0;
if ($data['mustchangepassword'] == 1 || isset($data['account_lastpwd_change']) && $data['account_lastpwd_change'] == 0)
{
$to_write['shadowlastchange'] = 0;
}
// lastlogin and lastlogin from are not availible via the shadowAccount object class
// $to_write['phpgwaccountlastlogin'] = $data['lastlogin'];
// $to_write['phpgwaccountlastloginfrom'] = $data['lastloginfrom'];

8
api/src/Accounts/Univention.php
View File

@ -191,14 +191,6 @@ class Univention extends Ldap
$data = [
'account_passwd' => $new_passwd
];
if ($old_passwd)
{
$data['pwdChangeNextLogin'] = false;
}
if ($update_lastchange)
{
// ToDo: $entry['shadowlastchange'] = round((time()-date('Z')) / (24*3600));
}
$udm->updateUser($dn, $data);

15
api/src/Accounts/Univention/Udm.php
View File

@ -236,7 +236,16 @@ class Udm
$payload = $this->user2udm($data, $this->call('users/user/'.urlencode($dn), 'GET', [], $get_headers));
$headers = [];
return $this->call('users/user/'.urlencode($dn), 'PUT', $payload, $headers, $get_headers['etag'], true);
$ret = $this->call('users/user/'.urlencode($dn), 'PUT', $payload, $headers, $get_headers['etag'], true);
// you can not set the password and force a password change for next login in the same call
// the forced password change will be lost --> call again without password to force the change on next login
if (!empty($data['account_passwd']) && !empty($data['mustchangepassword']))
{
unset($data['account_passwd']);
$ret = $this->updateUser($ret, $data);
}
return $ret;
}
/**
@ -248,6 +257,9 @@ class Udm
*/
protected function user2udm(array $data, array $payload)
{
// gives error: The property passwordexpiry has an invalid value: Value may not change.
unset($payload['properties']['passwordexpiry']);
foreach([
'account_lid' => 'username',
'account_passwd' => 'password',
@ -255,6 +267,7 @@ class Udm
'account_firstname' => 'firstname',
'account_id' => ['uidNumber', 'sambaRID'],
'account_email' => 'mailPrimaryAddress',
'mustchangepassword' => 'pwdChangeNextLogin',
] as $egw => $names)
{
if (!empty($data[$egw]))

12
api/src/Auth/Ldap.php
View File

@ -163,7 +163,7 @@ class Ldap implements Backend
* fetch the last pwd change for the user
*
* @param string $_username username of account to authenticate
* @return mixed false or shadowlastchange*24*3600
* @return mixed false or shadowlastchange*24*3600 or 0, if user must change his password
*/
function getLastPwdChange($_username)
{
@ -180,7 +180,7 @@ class Ldap implements Backend
return false;
}
/* find the dn for this uid, the uid is not always in the dn */
$attributes = array('uid','dn','shadowexpire','shadowlastchange');
$attributes = array('uid','dn','shadowexpire','shadowlastchange','sambaPwdLastSet','krb5PasswordEnd');
$filter = str_replace(array('%user','%domain'),array(Api\Ldap::quote($username),$GLOBALS['egw_info']['user']['domain']),
$GLOBALS['egw_info']['server']['ldap_search_filter'] ? $GLOBALS['egw_info']['server']['ldap_search_filter'] : '(uid=%user)');
@ -194,6 +194,14 @@ class Ldap implements Backend
if ($allValues['count'] > 0)
{
// there are several schema-specific ways to express the user must change the password
if (isset($allValues[0]['shadowlastchange']) && (string)$allValues[0]['shadowlastchange'][0] === '0' ||
isset($allValues[0]['sambapwdlastset']) && (string)$allValues[0]['sambapwdlastset'][0] === '0' ||
isset($allValues[0]['krb5passwordend']) && Api\DateTime::user2server($allValues[0]['krb5passwordend'][0]) < time())
{
error_log(__METHOD__."('$_username') shadowlastchange={$allValues[0]['shadowlastchange']}, sambapwdlastset={$allValues[0]['sambapwdlastset'][0]}, krb5passwordend={$allValues[0]['krb5passwordend'][0]} --> return 0");
return 0;
}
if (!isset($allValues[0]['shadowlastchange']))
{
if ($this->debug) error_log(__METHOD__."('$username') no shadowlastchange attribute!");