Merge branch 'master' into 132-print-and-export-buttons
coudot committed Nov 7, 2024
2 parents 14633b7 + 7d7599a commit 58cc4a4
Showing 22 changed files with 304 additions and 74 deletions.
8 changes: 8 additions & 0 deletions conf/config.inc.php
Expand Up @@ -141,6 +141,8 @@

$use_searchlocked = true;

$use_searchdisabled = true;

$use_searchexpired = true;

$use_searchwillexpire = true;
Expand All @@ -153,6 +155,12 @@
$use_disableaccount = false;
$show_enablestatus = false;

$use_enablecomment = false;
$use_enablecomment_required = false;
$use_disablecomment = false;
$use_disablecomment_required = false;


# Local password policy
# This is applied before directory password policy
# Minimal length
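Review bot: Five new configuration variables are introduced here, and index.php in this same commit reads all of them unguarded (`$smarty->assign('use_searchdisabled', $use_searchdisabled)` and the four comment flags), so a deployment that carries a customised copy of this file from an earlier release — or only overrides a subset in a local config — will hit undefined-variable warnings and, for `$use_searchdisabled`, a page gate that cannot evaluate. A comment above the block telling upgraders these keys are required, or `isset()` defaults in index.php, would avoid that. Note also that `$use_searchdisabled = true;` turns the new disabled-accounts listing on by default, unlike the comment features, which default to off; that asymmetry deserves a one-line comment, e.g. `# Listing of disabled accounts is enabled by default; set to false to hide the page`.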
22 changes: 22 additions & 0 deletions docs/enableaccount.rst
Expand Up @@ -31,3 +31,25 @@ To enable this feature:
.. code-block:: php
$use_disableaccount = true;
Insert comment
--------------

This feature displays a comment pop-up when enabling and disabling user accounts.

To enable this feature:

.. code-block:: php
$use_enablecomment = true;
$use_disablecomment = true;
Comment required
----------------

This feature ensures a comment is required before enabling/disabling a user.

.. code-block:: php
$use_enablecomment_required = true;
$use_disablecomment_required = true;
32 changes: 20 additions & 12 deletions htdocs/checkpassword.php
Expand Up @@ -30,21 +30,29 @@
$ldap = $ldap_connection[0];
$result = $ldap_connection[1];

if ($use_checkpasswordhistory) {
$password_history = $ldapInstance->get_attribute_values($dn, "pwdHistory");
foreach ($password_history as $previous_password) {
preg_match("/(?<={).*(?=})/", $previous_password, $algorithm);
preg_match("/{(?<={).*/", $previous_password, $hash);
if (\Ltb\Password::check_password($password, $hash[0], $algorithm[0])) {
$result = "passwordinhistory";
# DN match
if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {
$result = "noentriesfound";
error_log("LDAP - $dn not found using the configured search settings, reject request");
} else {

if ($use_checkpasswordhistory) {
$password_history = $ldapInstance->get_attribute_values($dn, "pwdHistory");
foreach ($password_history as $previous_password) {
preg_match("/(?<={).*(?=})/", $previous_password, $algorithm);
preg_match("/{(?<={).*/", $previous_password, $hash);
if (\Ltb\Password::check_password($password, $hash[0], $algorithm[0])) {
$result = "passwordinhistory";
}
}
}
}
if (!$result) {
$bind = ldap_bind($ldap, $dn, $password);
$result = $bind ? "passwordok" : "ldaperror";
}

if (!$result) {
$bind = ldap_bind($ldap, $dn, $password);
$result = $bind ? "passwordok" : "ldaperror";
}

}
}

if ($audit_log_file) {
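Review bot: The new `error_log("LDAP - $dn not found using the configured search settings, reject request")` writes the request-supplied DN verbatim into the log, so a `dn` value containing CR/LF can forge extra log lines — which matters on an endpoint whose logs double as an audit trail of password checks. Sanitise it before logging, e.g. `error_log("LDAP - " . addcslashes($dn, "\r\n") . " not found using the configured search settings, reject request");`, and the same applies to the identical line added in the other handlers. The ordering is otherwise sound: when matchDn() rejects the DN, `$result` is already non-empty when the `if (!$result)` bind guard is reached, so no bind is attempted; a short comment such as `# noentriesfound above prevents the bind below` would make that dependency explicit. The enclosing block starts before this hunk, and where `$dn` and `$password` are read (presumably from POST as in the sibling handlers) is not visible here.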
21 changes: 18 additions & 3 deletions htdocs/disableaccount.php
Expand Up @@ -6,13 +6,24 @@
$result = "";
$dn = "";
$password = "";
$comment = "";
$returnto = "display";

if (isset($_POST["returnto"]) and $_POST["returnto"]) {
$returnto = $_POST["returnto"];
}

if (isset($_POST["dn"]) and $_POST["dn"]) {
$dn = $_POST["dn"];
} else {
$result = "dnrequired";
}

if (isset($_POST["comment"]) and $_POST["comment"]) {
$comment = $_POST["comment"];
}


if (!$use_disableaccount) {
$result = "actionforbidden";
}
Expand All @@ -28,7 +39,11 @@
$ldap = $ldap_connection[0];
$result = $ldap_connection[1];

if ($ldap) {
# DN match
if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {
$result = "noentriesfound";
error_log("LDAP - $dn not found using the configured search settings, reject request");
} else {
if ( $directory->disableAccount($ldap, $dn) ) {
$result = "accountdisabled";
} else {
Expand All @@ -38,7 +53,7 @@
}

if ($audit_log_file) {
auditlog($audit_log_file, $dn, $audit_admin, "disableaccount", $result);
auditlog($audit_log_file, $dn, $audit_admin, "disableaccount", $result, $comment);
}

header('Location: index.php?page=display&dn='.$dn.'&disableaccountresult='.$result);
header('Location: index.php?page='.$returnto.'&dn='.$dn.'&disableaccountresult='.$result);
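Review bot: `$use_disablecomment_required` is only handed to the template in index.php; nothing in this handler checks it, so an empty or absent `comment` POST field is accepted at the `$_POST["comment"]` read and the disable proceeds — the requirement is only as strong as the browser-side form. Enforce it before the LDAP step, e.g. `if ($use_disablecomment_required and $comment === "") { $result = "commentrequired"; }` with a matching message entry, so a crafted request cannot skip it. The new `returnto` value is likewise taken from the request unvalidated and concatenated into the redirect; restrict it to the known pages (`display` and the search listings) and urlencode it, since index.php's page gate only falls back to welcome for disabled features, not for arbitrary strings. The surrounding control flow continues past both edges of the hunk.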
16 changes: 11 additions & 5 deletions htdocs/display.php
Expand Up @@ -64,6 +64,12 @@

if ($ldap) {

# DN match
if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {
$result = "noentriesfound";
error_log("LDAP - $dn not found using the configured search settings, reject request");
} else {

# Search attributes
$attributes = array();
$search_items = array_merge($display_items, $display_password_items);
Expand All @@ -80,8 +86,8 @@
$result = "ldaperror";
error_log("LDAP - Search error $errno (".ldap_error($ldap).")");
} else {
$entry = ldap_get_entries($ldap, $search);
}

$entry = ldap_get_entries($ldap, $search);

# Sort attributes values
foreach ($entry[0] as $attr => $values) {
Expand All @@ -96,8 +102,8 @@

# Get password policy configuration
$pwdPolicyConfiguration = $directory->getPwdPolicyConfiguration($ldap, $dn, $ldap_default_ppolicy);
if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_durantion; }
if ($ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; }
if (isset($ldap_lockout_duration) and $ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_duration; }
if (isset($ldap_password_max_age) and $ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; }

if ($display_edit_link) {
# Replace {dn} in URL
Expand All @@ -118,7 +124,7 @@
$isAccountEnabled = $directory->isAccountEnabled($ldap, $dn);
}

}
}}}
}

$smarty->assign("entry", $entry[0]);
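Review bot: When matchDn() rejects the DN the new branch sets `$result` but never assigns `$entry`, yet the line after the closing braces still runs `$smarty->assign("entry", $entry[0])`; unless `$entry` is initialised above the hunk that is an undefined-variable warning on every rejected request. Initialise it before the check, `$entry = array(array());`, or guard the assign with `isset($entry[0])`. The three closing braces collapsed onto one line at `}}}` make the new nesting hard to audit; put them on separate lines with `# end matchDn else` / `# end if ($ldap)` comments. The `isset()` guards added to the lockout-duration and max-age lines are a good fix. The enclosing block starts before this hunk.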
27 changes: 21 additions & 6 deletions htdocs/enableaccount.php
Expand Up @@ -5,16 +5,27 @@

$result = "";
$dn = "";
$password = "";
$comment = "";
$returnto = "display";

if (isset($_POST["returnto"]) and $_POST["returnto"]) {
$returnto = $_POST["returnto"];
}

if (isset($_POST["dn"]) and $_POST["dn"]) {
$dn = $_POST["dn"];
} else if (isset($_GET["dn"]) and $_GET["dn"]) {
$dn = $_GET["dn"];
} else {
$result = "dnrequired";
}

if (!$use_enableaccount) {
$result = "actionforbidden";
if (isset($_GET["returnto"]) and $_GET["returnto"]) {
$returnto = $_GET["returnto"];
}

if (isset($_POST["comment"]) and $_POST["comment"]) {
$comment = $_POST["comment"];
}

if ($result === "") {
Expand All @@ -28,7 +39,11 @@
$ldap = $ldap_connection[0];
$result = $ldap_connection[1];

if ($ldap) {
# DN match
if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {
$result = "noentriesfound";
error_log("LDAP - $dn not found using the configured search settings, reject request");
} else {
if ( $directory->enableAccount($ldap, $dn) ) {
$result = "accountenabled";
} else {
Expand All @@ -38,7 +53,7 @@
}

if ($audit_log_file) {
auditlog($audit_log_file, $dn, $audit_admin, "enableaccount", $result);
auditlog($audit_log_file, $dn, $audit_admin, "enableaccount", $result, $comment);
}

header('Location: index.php?page=display&dn='.$dn.'&enableaccountresult='.$result);
header('Location: index.php?page='.$returnto.'&dn='.$dn.'&enableaccountresult='.$result);
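Review bot: This handler performs a state change when driven entirely by GET — `dn` (a branch that appears to predate this commit) and the newly added `returnto` are both accepted from `$_GET` — so an enable can be triggered by a plain link or image tag from another origin, and no `comment` can accompany that path, which leaves `$use_enablecomment_required` unenforced there; it is not checked server-side for POST either. If the GET form exists to serve the enable button in the new disabled-accounts listing, make that button submit a POST form (with an anti-CSRF token) and drop the `$_GET` branches, and in any case add `if ($use_enablecomment_required and $comment === "") { $result = "commentrequired"; }` before the LDAP step. The in-file `actionforbidden` check appears to have been replaced by index.php's page gate, which is equivalent only if `htdocs/enableaccount.php` is not reachable directly; keeping the local check costs nothing. Control flow continues past the hunk edges.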
15 changes: 15 additions & 0 deletions htdocs/index.php
Expand Up @@ -85,6 +85,8 @@
break;
}

$dnAttribute = $directory->getDnAttribute();

#==============================================================================
# Other default values
#==============================================================================
Expand Down Expand Up @@ -130,6 +132,12 @@
$smarty->setCompileDir($compile_dir);
$smarty->setCacheDir($cache_dir);
$smarty->debugging = $smarty_debug;
function sha256($string)
{
return hash("sha256",$string);
}
$smarty->registerPlugin("modifier","sha256", "sha256");
$smarty->registerPlugin("modifier","is_array", "is_array");

if(isset($smarty_debug) && $smarty_debug == true )
{
Expand Down Expand Up @@ -178,6 +186,7 @@
$smarty->assign('show_expirestatus',$show_expirestatus);
$smarty->assign('display_password_expiration_date',$display_password_expiration_date);
$smarty->assign('use_searchlocked',$use_searchlocked);
$smarty->assign('use_searchdisabled',$use_searchdisabled);
$smarty->assign('use_searchexpired',$use_searchexpired);
$smarty->assign('use_searchwillexpire',$use_searchwillexpire);
$smarty->assign('use_searchidle',$use_searchidle);
Expand All @@ -186,6 +195,10 @@
$smarty->assign('use_enableaccount',$use_enableaccount);
$smarty->assign('use_disableaccount',$use_disableaccount);
$smarty->assign('show_enablestatus',$show_enablestatus);
$smarty->assign('use_enablecomment',$use_enablecomment);
$smarty->assign('use_enablecomment_required',$use_enablecomment_required);
$smarty->assign('use_disablecomment',$use_disablecomment);
$smarty->assign('use_disablecomment_required',$use_disablecomment_required);


# Assign messages
Expand Down Expand Up @@ -240,7 +253,9 @@
if ( $page === "checkpassword" and !$use_checkpassword ) { $page = "welcome"; }
if ( $page === "resetpassword" and !$use_resetpassword ) { $page = "welcome"; }
if ( $page === "unlockaccount" and !$use_unlockaccount ) { $page = "welcome"; }
if ( $page === "enableaccount" and !$use_enableaccount ) { $page = "welcome"; }
if ( $page === "searchlocked" and !$use_searchlocked ) { $page = "welcome"; }
if ( $page === "searchdisabled" and !$use_searchdisabled ) { $page = "welcome"; }
if ( $page === "searchexpired" and !$use_searchexpired ) { $page = "welcome"; }
if ( $page === "searchwillexpire" and !$use_searchwillexpire ) { $page = "welcome"; }
if ( $page === "searchidle" and !$use_searchidle ) { $page = "welcome"; }
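Review bot: The page gate gains `enableaccount` (whose handler appears to drop its own `$use_enableaccount` check in this commit) but not `disableaccount`, while disableaccount.php still self-checks — the two mirror-image actions now rely on different layers for the same control. Add `if ( $page === "disableaccount" and !$use_disableaccount ) { $page = "welcome"; }` here so both are gated at dispatch, and keep the in-handler checks as defence in depth rather than removing them. The new global `function sha256()` registered as a Smarty modifier is a bare global name that another library could also define, producing a redeclaration fatal; wrap it in `if (!function_exists('sha256'))` or register a closure instead. The enclosing dispatch logic runs beyond the hunk.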
16 changes: 12 additions & 4 deletions htdocs/lockaccount.php
Expand Up @@ -6,6 +6,11 @@
$result = "";
$dn = "";
$comment = "";
$returnto = "display";

if (isset($_POST["returnto"]) and $_POST["returnto"]) {
$returnto = $_POST["returnto"];
}

if (isset($_POST["dn"]) and $_POST["dn"]) {
$dn = $_POST["dn"];
Expand All @@ -28,11 +33,14 @@
$ldap = $ldap_connection[0];
$result = $ldap_connection[1];

if ($ldap)
{
# DN match
if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {
$result = "noentriesfound";
error_log("LDAP - $dn not found using the configured search settings, reject request");
} else {
# Get password policy configuration
$pwdPolicyConfiguration = $directory->getPwdPolicyConfiguration($ldap, $dn, $ldap_default_ppolicy);
if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_durantion; }
if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_duration; }
if ($ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; }

# Apply the modification only the password can be locked
Expand All @@ -50,4 +58,4 @@
auditlog($audit_log_file, $dn, $audit_admin, "lockaccount", $result, $comment);
}

header('Location: index.php?page=display&dn='.$dn.'&lockaccountresult='.$result);
header('Location: index.php?page='.$returnto.'&dn='.$dn.'&lockaccountresult='.$result);
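Review bot: Replacing `if ($ldap)` with the matchDn() test means a failed connection no longer short-circuits: `$result` holds the connect error from `$ldap_connection[1]`, then matchDn() runs against a false handle and — unless it guards that itself — overwrites it with `noentriesfound`, so the audit log records the wrong cause. Keep the connection guard: `if ( !$ldap ) { # keep the connect error already in $result` / `} elseif ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {`. The typo fix on the lockout-duration line is right, but this is the one place in the commit that keeps the bare `if ($ldap_lockout_duration)` while display.php and searchexpired.php gained `isset()`; align it. `returnto` from POST is concatenated into the redirect unvalidated, as in the other handlers.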
7 changes: 5 additions & 2 deletions htdocs/resetpassword.php
Expand Up @@ -42,8 +42,11 @@
$ldap = $ldap_connection[0];
$result = $ldap_connection[1];

if ($ldap) {

# DN match
if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {
$result = "noentriesfound";
error_log("LDAP - $dn not found using the configured search settings, reject request");
} else {
if ( isset($prehook) || isset($posthook) ) {
$login_search = ldap_read($ldap, $dn, '(objectClass=*)', array($prehook_login, $posthook_login));
$login_entry = ldap_first_entry( $ldap, $login_search );
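Review bot: The log text `"$dn not found using the configured search settings"` understates what the check does: matchDn() also fails for a DN that exists but lies outside `$ldap_user_base`, `$ldap_scope` or `$ldap_user_filter`, and for a password reset that is precisely the case an operator needs to recognise — an attempt to act on an entry outside the permitted scope. Reword it, e.g. `error_log("LDAP - $dn rejected: not matched by the configured user base/filter/scope, reject request");`, and sanitise `$dn` for CR/LF before logging since it comes from the request. The rest of this block, including the pre/post-hook handling, continues past the hunk.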
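--- a/htdocs/searchdisabled.php
+++ b/htdocs/searchdisabled.php
@@ -0,0 +1,45 @@
+<?php
+/*
+ * Search disabled entries in LDAP directory
+ */
+
+require_once("../conf/config.inc.php");
+require __DIR__ . '/../vendor/autoload.php';
+
+[$ldap,$result,$nb_entries,$entries,$size_limit_reached] = $ldapInstance->search($ldap_user_filter, array(), $attributes_map, $search_result_title, $search_result_sortby, $search_result_items, $ldap_scope);
+
+if ( !empty($entries) )
+{
+
+# Check if entry is still locked
+foreach($entries as $entry_key => $entry) {
+
+$isEnabled = $directory->isAccountEnabled($ldap, $entry['dn']);
+
+if ( $isEnabled === true ) {
+unset($entries[$entry_key]);
+$nb_entries--;
+}
+
+}
+
+$smarty->assign("page_title", "disabledaccounts");
+if ($nb_entries === 0) {
+$result = "noentriesfound";
+} else {
+$smarty->assign("nb_entries", $nb_entries);
+$smarty->assign("entries", $entries);
+$smarty->assign("size_limit_reached", $size_limit_reached);
+
+$columns = $search_result_items;
+if (! in_array($search_result_title, $columns)) array_unshift($columns, $search_result_title);
+$smarty->assign("listing_columns", $columns);
+$smarty->assign("listing_linkto", isset($search_result_linkto) ? $search_result_linkto : array($search_result_title));
+$smarty->assign("listing_sortby", array_search($search_result_sortby, $columns));
+$smarty->assign("show_undef", $search_result_show_undefined);
+$smarty->assign("truncate_value_after", $search_result_truncate_value_after);
+if ($use_enableaccount) { $smarty->assign("display_enable_button", true); }
+}
+}
+
+?>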
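Review bot: The loop comment `# Check if entry is still locked` is carried over from the locked-account search and no longer describes this loop; it should read `# Drop every entry whose account is currently enabled`. The filter keeps any entry for which `isAccountEnabled()` does not return exactly `true`, so if that helper can yield `null` or `false` on a lookup failure the entry is reported as disabled rather than skipped — worth confirming against the directory classes and, if so, skipping non-boolean results with a logged warning. `$nb_entries === 0` is a strict comparison that assumes `search()` returns an int count; if it ever returns a string the "no entries" branch is never taken, so `(int)$nb_entries === 0` or a loose check would be safer. This file is complete in the hunk.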
4 changes: 2 additions & 2 deletions htdocs/searchexpired.php
Expand Up @@ -15,8 +15,8 @@

# Get password policy configuration
$pwdPolicyConfiguration = $directory->getPwdPolicyConfiguration($ldap, $entry["dn"], $ldap_default_ppolicy);
if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_durantion; }
if ($ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; }
if (isset($ldap_lockout_duration) and $ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_duration; }
if (isset($ldap_password_max_age) and $ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; }

$isExpired = $directory->isPasswordExpired($ldap, $entry["dn"], $pwdPolicyConfiguration);

