Fixed bug 2012

Started work with bug 2007
Bug 1969 is partially fixed: the ldap module now supports password expiration.
Some work with bugs 761 and 1730

Changes in login/index.php
Reordered some code to make variables reusable in multiple places.
Added redirection in case of expired password
This commit is contained in:
paca70 2004-09-28 12:39:20 +00:00
parent 86fd04ff4c
commit 089b19f631
4 changed files with 161 additions and 45 deletions


@ -241,7 +241,6 @@ if (!function_exists('ldap_connect')){ // Is php4-ldap really there?
<tr> <tr>
<td colspan="2"> <td colspan="2">
<h4><?php print_string("auth_ldap_passwdexpire_settings", "auth") ?> </h4> <h4><?php print_string("auth_ldap_passwdexpire_settings", "auth") ?> </h4>
<p> NOTE! This just configuration interface for expiration, code does not support expiration yet.!</p>
</td> </td>
</tr> </tr>
@ -249,9 +248,9 @@ if (!function_exists('ldap_connect')){ // Is php4-ldap really there?
<td align="right"><P>ldap_expiration:</td> <td align="right"><P>ldap_expiration:</td>
<td> <td>
<?php <?php
$expiration['internal'] = "No"; $expiration['0'] = "No";
$expiration['ldap'] = "LDAP"; $expiration['1'] = "LDAP";
choose_from_menu($expiration, "ldap_expriration", $config->ldap_expiration, ""); choose_from_menu($expiration, "ldap_expiration", $config->ldap_expiration, "");
if (isset($err["ldap_expiration"])) formerr($err["ldap_expiration"]); if (isset($err["ldap_expiration"])) formerr($err["ldap_expiration"]);
?> ?>
</td> </td>
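Review bot: The select now offers LDAP-side expiration for every user type, yet the defaults table this same commit adds to lib.php leaves `ldap_expireattr` empty for `samba` and `ad` ("No support yet"), so the NOTE removed from the first hunk should be replaced rather than dropped, e.g. `<p>NOTE: password expiration is currently only evaluated for the edir and posix user types; samba/AD have no expiration attribute configured.</p>`. The option values also change from `internal`/`ldap` to `0`/`1` while the login check compares the stored setting against `1`, so installations that saved the old string values will presumably need to re-save this page before expiration takes effect — worth a line in the help text as well.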


@ -257,6 +257,40 @@ function auth_get_users($filter='*') {
return $fresult; return $fresult;
} }
function auth_password_expire($username) {
// returns number of days to password expiration
// 0 if passowrd does not expire
// or negative value if password is already expired
global $CFG ;
$result = false;
$ldapconnection = auth_ldap_connect();
$user_dn = auth_ldap_find_userdn($ldapconnection, $username);
$search_attribs = array($CFG->ldap_expireattr);
$sr = ldap_read($ldapconnection, $user_dn, 'objectclass=*', $search_attribs);
if ($sr) {
$info=ldap_get_entries($ldapconnection, $sr);
if ( empty($info[0][strtolower($CFG->ldap_expireattr)][0])) {
//error_log("ldap: no expiration value".$info[0][$CFG->ldap_expireattr]);
// no expiration attribute, password does not expire
$result = 0;
} else {
$now = time();
$expiretime = auth_ldap_expirationtime2unix($info[0][strtolower($CFG->ldap_expireattr)][0]);
if ($expiretime > $now) {
$result = ceil(($expiretime - $now) / DAYSECS);
} else {
$result = floor(($expiretime - $now) / DAYSECS);
}
}
} else {
error_log("ldap: auth_password_expire did't find expiration time!.");
}
//error_log("ldap: auth_password_expire user $user_dn expires in $result days!");
return $result;
}
function auth_sync_users ($unsafe_optimizations = false, $bulk_insert_records = 1) { function auth_sync_users ($unsafe_optimizations = false, $bulk_insert_records = 1) {
//Syncronizes userdb with ldap //Syncronizes userdb with ldap
//This will add, rename //This will add, rename
@ -545,7 +579,7 @@ function auth_ldap_init () {
global $CFG; global $CFG;
$default['ldap_objectclass'] = array( $default['ldap_objectclass'] = array(
'edir' => 'inetOrgPerson', 'edir' => 'User',
'posix' => 'posixAccount', 'posix' => 'posixAccount',
'samba' => 'sambaSamAccount', 'samba' => 'sambaSamAccount',
'ad' => 'user', 'ad' => 'user',
@ -559,12 +593,28 @@ function auth_ldap_init () {
'default' => 'cn' 'default' => 'cn'
); );
$default['ldap_memberattribute'] = array( $default['ldap_memberattribute'] = array(
'edir' => 'groupMembership', 'edir' => 'member',
'posix' => 'member', 'posix' => 'member',
'samba' => 'member', 'samba' => 'member',
'ad' => 'member', //is this right? 'ad' => 'member', //is this right?
'default' => 'member' 'default' => 'member'
); );
$default['ldap_memberattribute_isdn'] = array(
'edir' => '1',
'posix' => '0',
'samba' => '0', //is this right?
'ad' => '0', //is this right?
'default' => '0'
);
$default['ldap_expireattr'] = array (
'edir' => 'passwordExpirationTime',
'posix' => 'shadowExpire',
'samba' => '', //No support yet
'ad' => '', //No support yet
'default' => ''
);
foreach ($default as $key => $value) { foreach ($default as $key => $value) {
//set defaults if overriding fields not set //set defaults if overriding fields not set
@ -572,7 +622,7 @@ function auth_ldap_init () {
if (!empty($CFG->ldap_user_type) && !empty($default[$key][$CFG->ldap_user_type])) { if (!empty($CFG->ldap_user_type) && !empty($default[$key][$CFG->ldap_user_type])) {
$CFG->{$key} = $default[$key][$CFG->ldap_user_type]; $CFG->{$key} = $default[$key][$CFG->ldap_user_type];
}else { }else {
//use defaut value if user_type not set //use default value if user_type not set
if(!empty($default[$key]['default'])){ if(!empty($default[$key]['default'])){
$CFG->$key = $default[$key]['default']; $CFG->$key = $default[$key]['default'];
}else { }else {
@ -589,29 +639,63 @@ function auth_ldap_init () {
//all chages go in $CFG , no need to return value //all chages go in $CFG , no need to return value
} }
function auth_ldap_expirationtime2unix ($time) {
// takes expriration timestamp readed from ldap
// returns it as unix seconds
// depends on $CFG->usertype variable
global $CFG;
$result = false;
switch ($CFG->ldap_user_type) {
case 'edir':
$yr=substr($time,0,4);
$mo=substr($time,4,2);
$dt=substr($time,6,2);
$hr=substr($time,8,2);
$min=substr($time,10,2);
$sec=substr($time,12,2);
$result = mktime($hr,$min,$sec,$mo,dt,$yr);
break;
case 'posix':
$result = $time * DAYSECS ; //The shadowExpire contains the number of DAYS between 01/01/1970 and the actual expiration date
break;
default:
error('CFG->ldap_user_type not defined or function auth_ldap_expirationtime2unix does not support selected type!');
}
return $result;
}
function auth_ldap_isgroupmember ($username='', $groupdns='') { function auth_ldap_isgroupmember ($username='', $groupdns='') {
// Takes username and groupdn(s) , separated by ; // Takes username and groupdn(s) , separated by ;
// Returns true if user is member of any given groups // Returns true if user is member of any given groups
global $CFG, $USER; global $CFG ;
$result = false;
$ldapconnection = auth_ldap_connect();
if (empty($username) OR empty($groupdns)) { if (empty($username) OR empty($groupdns)) {
return false; return $result;
}
if ($CFG->ldap_memberattribute_isdn) {
$username=auth_ldap_find_userdn($ldapconnection, $username);
} }
$groups = explode(";",$groupdns); $groups = explode(";",$groupdns);
//build filter
$filter = "(& ($CFG->ldap_user_attribute=$username)(|";
foreach ($groups as $group){ foreach ($groups as $group){
$filter .= "($CFG->ldap_memberattribute=$group)"; $search = @ldap_read($ldapconnection, $group, '('.$CFG->ldap_memberattribute.'='.$username.')', array($CFG->ldap_memberattribute));
} if ($search) {$info = ldap_get_entries($ldapconnection, $search);
$filter .= "))";
//search
$result = auth_ldap_get_userlist($filter);
return count($result); if ($info['count'] > 0 ) {
// user is member of group
$result = true;
break;
}
}
}
return $result;
} }
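Review bot: In the `edir` case of `auth_ldap_expirationtime2unix` the day is passed to `mktime()` as the bare constant `dt` instead of `$dt`, which PHP resolves to the string "dt" and `mktime` reads as day 0, so every eDirectory expiry is computed for the last day of the previous month and a still-valid password can be reported as expired; the line should read `$result = mktime($hr,$min,$sec,$mo,$dt,$yr);` (and `gmmktime` if the directory stores the timestamp in UTC, which is worth confirming). `auth_ldap_isgroupmember` still interpolates `$username`, or the DN returned by `auth_ldap_find_userdn`, straight into the per-group `ldap_read` filter, so `*`, `(`, `)` and `\` in a login name alter the query; the values need RFC 2254 escaping before the filter is built. `auth_password_expire` likewise passes whatever `auth_ldap_find_userdn` returned to `ldap_read` without checking for an empty DN, and its `false` failure result is indistinguishable from "does not expire" once a caller applies `intval()`, so it should return a distinct value or log and bail out before the read. All three functions are complete within the hunks shown.
```php
function auth_ldap_filter_escape($value) {
    // Escape the characters that are special in an LDAP search filter
    // (RFC 2254) so a login name such as "*" or "x)(cn=admin" cannot
    // change the query. Backslash must be replaced first.
    return str_replace(array('\\', '*', '(', ')', "\0"),
                       array('\5c', '\2a', '\28', '\29', '\00'), $value);
}

// … unchanged: auth_ldap_isgroupmember up to the foreach over $groups …
$search = @ldap_read($ldapconnection, $group,
    '('.$CFG->ldap_memberattribute.'='.auth_ldap_filter_escape($username).')',
    array($CFG->ldap_memberattribute));
```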
function auth_ldap_connect(){ function auth_ldap_connect(){


@ -77,6 +77,8 @@ $string['auth_nonedescription'] = 'Users can sign in and create valid accounts i
$string['auth_nonetitle'] = 'No authentication'; $string['auth_nonetitle'] = 'No authentication';
$string['auth_pamdescription'] = 'This method uses PAM to access the native usernames on this server. You have to install <a href=\"http://www.math.ohio-state.edu/~ccunning/pam_auth/\" target=\"_blank\">PHP4 PAM Authentication</a> in order to use this module.'; $string['auth_pamdescription'] = 'This method uses PAM to access the native usernames on this server. You have to install <a href=\"http://www.math.ohio-state.edu/~ccunning/pam_auth/\" target=\"_blank\">PHP4 PAM Authentication</a> in order to use this module.';
$string['auth_pamtitle'] = 'PAM (Pluggable Authentication Modules)'; $string['auth_pamtitle'] = 'PAM (Pluggable Authentication Modules)';
$string['auth_passwordwillexpire'] = 'Your password will expire in $a days. Do you want change your password now?';
$string['auth_passwordisexpired'] = 'Your password is expired. Do you want change your password now?';
$string['auth_pop3description'] = 'This method uses a POP3 server to check whether a given username and password is valid.'; $string['auth_pop3description'] = 'This method uses a POP3 server to check whether a given username and password is valid.';
$string['auth_pop3host'] = 'The POP3 server address. Use the IP number, not DNS name.'; $string['auth_pop3host'] = 'The POP3 server address. Use the IP number, not DNS name.';
$string['auth_pop3mailbox'] = 'Name of the mailbox to attempt a connection with. (usually INBOX)'; $string['auth_pop3mailbox'] = 'Name of the mailbox to attempt a connection with. (usually INBOX)';


@ -21,6 +21,27 @@
} }
} }
//Define variables used in page
if (!$site = get_site()) {
error("No site found!");
}
if (empty($CFG->langmenu)) {
$langmenu = "";
} else {
$currlang = current_language();
$langs = get_list_of_languages();
if (empty($CFG->loginhttps)) {
$wwwroot = $CFG->wwwroot;
} else {
$wwwroot = str_replace('http','https',$CFG->wwwroot);
}
$langmenu = popup_form ("$wwwroot/login/index.php?lang=", $langs, "chooselang", $currlang, "", "", "", true);
}
$loginsite = get_string("loginsite");
$frm = false; $frm = false;
if ((!empty($SESSION->wantsurl) and strstr($SESSION->wantsurl,"username=guest")) or $loginguest) { if ((!empty($SESSION->wantsurl) and strstr($SESSION->wantsurl,"username=guest")) or $loginguest) {
/// Log in as guest automatically (idea from Zbigniew Fiedorowicz) /// Log in as guest automatically (idea from Zbigniew Fiedorowicz)
@ -69,13 +90,19 @@
unset($SESSION->lang); unset($SESSION->lang);
$SESSION->justloggedin = true; $SESSION->justloggedin = true;
//Select password change url
if (is_internal_auth() || $CFG->{'auth_'.$USER->auth.'_stdchangepassword'}){
$passwordchangeurl=$CFG->wwwroot.'/login/change_password.php';
} elseif($CFG->changepassword) {
$passwordchangeurl=$CFG->changepassword;
}
// check whether the user should be changing password // check whether the user should be changing password
reload_user_preferences(); reload_user_preferences();
if ($USER->preference['auth_forcepasswordchange']){ if ($USER->preference['auth_forcepasswordchange']){
if (is_internal_auth() || $CFG->{'auth_'.$USER->auth.'_stdchangepassword'}){ if (isset($passwordchangeurl)) {
redirect("$CFG->wwwroot/login/change_password.php"); redirect($passwordchangeurl);
} elseif($CFG->changepassword) {
redirect($CFG->changepassword);
} else { } else {
error("You cannot proceed without changing your password. error("You cannot proceed without changing your password.
However there is no available page for changing it. However there is no available page for changing it.
@ -83,16 +110,39 @@
} }
} }
if (user_not_fully_set_up($USER)) { if (user_not_fully_set_up($USER)) {
redirect("$CFG->wwwroot/user/edit.php?id=$USER->id&amp;course=".SITEID); $urltogo = $CFG->wwwroot.'/user/edit.php?id='.$USER->id.'&amp;course='.SITEID;
} else if (strpos($wantsurl, $CFG->wwwroot) === 0) { /// Matches site address } else if (strpos($wantsurl, $CFG->wwwroot) === 0) { /// Matches site address
redirect($wantsurl); $urltogo = $wantsurl;
} else { } else {
redirect("$CFG->wwwroot/"); /// Go to the standard home page $urltogo = $CFG->wwwroot.'/'; /// Go to the standard home page
} }
// check if user password has expired
// Currently supported only for ldap-authentication module
if (isset($CFG->ldap_expiration) && $CFG->ldap_expiration == 1 ) {
if (function_exists('auth_password_expire')){
$days2expire = auth_password_expire($USER->username);
if (intval($days2expire) > 0 && intval($days2expire) < intval($CFG->{$USER->auth.'_expiration_warning'})) {
print_header("$site->fullname: $loginsite", "$site->fullname", $loginsite, $focus, "", true, "<div align=\"right\">$langmenu</div>");
notice_yesno(get_string('auth_passwordwillexpire', 'auth', $days2expire), $passwordchangeurl, $urltogo);
print_footer();
exit;
} elseif (intval($days2expire) < 0 ) {
print_header("$site->fullname: $loginsite", "$site->fullname", $loginsite, $focus, "", true, "<div align=\"right\">$langmenu</div>");
notice_yesno(get_string('auth_passwordisexpired', 'auth'), $passwordchangeurl, $urltogo);
print_footer();
exit;
}
}
}
redirect($urltogo);
reset_login_count(); reset_login_count();
die; die;
@ -128,25 +178,6 @@
$show_instructions = false; $show_instructions = false;
} }
if (!$site = get_site()) {
error("No site found!");
}
if (empty($CFG->langmenu)) {
$langmenu = "";
} else {
$currlang = current_language();
$langs = get_list_of_languages();
if (empty($CFG->loginhttps)) {
$wwwroot = $CFG->wwwroot;
} else {
$wwwroot = str_replace('http','https',$CFG->wwwroot);
}
$langmenu = popup_form ("$wwwroot/login/index.php?lang=", $langs, "chooselang", $currlang, "", "", "", true);
}
$loginsite = get_string("loginsite");
print_header("$site->fullname: $loginsite", "$site->fullname", $loginsite, $focus, "", true, "<div align=\"right\">$langmenu</div>"); print_header("$site->fullname: $loginsite", "$site->fullname", $loginsite, $focus, "", true, "<div align=\"right\">$langmenu</div>");
include("index_form.html"); include("index_form.html");
print_footer(); print_footer();
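Review bot: The expiry check inserted after the `$urltogo` selection fails open: `auth_password_expire` returns `false` when the LDAP read fails, `intval(false)` is 0, neither branch fires, and a user whose expiry could not be read is treated as never expiring, while the "expired" branch itself only asks — `notice_yesno` hands `$urltogo` to the "No" answer, so an expired LDAP password still yields a full session unless the directory refuses the bind. If that is the intent it deserves a comment, e.g. `// NOTE: an expired password is reported, not enforced; the directory is expected to refuse the bind`, otherwise the expired branch should not offer `$urltogo` at all. `$passwordchangeurl` is assigned only under the two conditions at the top of the block but passed to `notice_yesno` unconditionally, so a site with neither `*_stdchangepassword` nor `$CFG->changepassword` renders an empty "Yes" link — initialise it with `$passwordchangeurl = '';` and skip the prompt when it is empty. The check is also keyed on the site-wide `$CFG->ldap_expiration` rather than `$USER->auth`, so a non-LDAP account logging in while the LDAP lib is loaded would presumably be looked up in LDAP too; gating on `$USER->auth == 'ldap'` avoids that, and `$CFG->{$USER->auth.'_expiration_warning'}` being unset makes the warning threshold 0 so the warning branch can never fire.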