From 226789c29c411cf37e264f735c4b2988a5cfed32 Mon Sep 17 00:00:00 2001
From: konvergence
Date: Mon, 21 Aug 2017 18:29:52 +0200
Subject: [PATCH 01/17] Create checkexpiration.php checkexpiration.php replace the "Shell script" to schedule mail notification in case of password expiration The page can be call with CURL in POST with a login/password member of a group admin
---
 pages/checkexpiration.php | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 pages/checkexpiration.php
diff --git a/pages/checkexpiration.php b/pages/checkexpiration.php
new file mode 100644
index 00000000..8b137891
--- /dev/null
+++ b/pages/checkexpiration.php
@@ -0,0 +1 @@
+
From 6cefaba48a13855a3c0de3757bd35cc9018d2b35 Mon Sep 17 00:00:00 2001
From: konvergence
Date: Mon, 21 Aug 2017 18:31:05 +0200
Subject: [PATCH 02/17] Update checkexpiration.php
---
 pages/checkexpiration.php | 371 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 371 insertions(+)
diff --git a/pages/checkexpiration.php b/pages/checkexpiration.php
index 8b137891..e89789d0 100644
--- a/pages/checkexpiration.php
+++ b/pages/checkexpiration.php
@@ -1 +1,372 @@ +ClearAllRecipients(); + + # Use first available mail adress in ldap + $mail = ldap_get_values($ldap, $entry, $mail_attribute); + if(count($mail) > 0) $mail = $mail[0]; + + $login = ldap_get_values($ldap, $entry, $ldap_login_attribute); + if(count($login)> 0 )$login = $login[0]; + + $pwdChangedTime = ldap_get_values($ldap, $entry, "pwdChangedTime"); + if( $pwdChangedTime ) $pwdChangedTime=$pwdChangedTime[0]; + + $pwdPolicySubentry = ldap_get_values($ldap, $entry, "pwdPolicySubentry"); + if( $pwdPolicySubentry ){ + $pwdPolicySubentry= $pwdPolicySubentry[0]; + }else{ + if ( $ldap_defaultpolicydn) { + $pwdPolicySubentry=$ldap_defaultpolicydn; + }else{ + $pwdPolicySubentry="cn=default,ou=policies," . $ldap_base; + } + } + + error_log("LDAP - user $login with pwdPolicySubentry=$pwdPolicySubentry and pwdChangedTime=$pwdChangedTime"); + + + # if user as pwdChangedTime compare with now + if ( $pwdChangedTime ) { + $changeDateTime = DateTime::createFromFormat('YmdHis', substr($pwdChangedTime, 0, -1)); + $nowDateTime = new DateTime(); + + $search_policy = ldap_search($ldap, $pwdPolicySubentry, "(cn=*)"); + $ppolicy_entry = ldap_first_entry($ldap, $search_policy); + + $pwdMaxAge = ldap_get_values($ldap, $ppolicy_entry, "pwdMaxAge"); + if( !$pwdMaxAge) { + $pwdMaxAge = 0; + }else{ + $pwdMaxAge = (int)$pwdMaxAge[0]; + } + + + $pwdExpireWarning = ldap_get_values($ldap, $ppolicy_entry, "pwdExpireWarning"); + if (! $pwdExpireWarning) { + if( ! $expire_warning) $expire_warning=1209600; + $pwdExpireWarning = $expire_warning; + }else{ + $pwdExpireWarning = (int)$pwdExpireWarning[0]; + } + + + $expireDateTime = clone $changeDateTime; $expireDateTime->modify('+'. $pwdMaxAge . ' seconde'); + $warningDateTime = clone $changeDateTime; $warningDateTime->modify('+'. $pwdMaxAge . ' seconde'); $warningDateTime->modify('-'. $pwdExpireWarning . ' seconde'); + + + error_log( "checkexpiration - user $login - policy MaxAge=$pwdMaxAge,ExpireWarning=$pwdExpireWarning - Current:" . 
$nowDateTime->format("Y-m-d H:i:s") . ", Changed:" . $changeDateTime->format("Y-m-d H:i:s") . ", Warning:" . $warningDateTime->format("Y-m-d H:i:s") .", Expired:" . $expireDateTime->format("Y-m-d H:i:s") ); + + #if password is in expire periode, send notify it the 1st day of warning, and the last day + if( $nowDateTime >= $warningDateTime && $nowDateTime < $expireDateTime) { + #error_log( "checkexpiration - user $login - warning, your password will expired in " . $warningDateTime->diff($nowDateTime)->format('%R%a days')); + + $expireInUnits = (int)(($expireDateTime->getTimestamp() - $nowDateTime->getTimestamp()) / $policy_expire_unit) ; + error_log( "checkexpiration - user $login - warning, your password will expired in " . $expireInUnits . " units - warning :" . (int)( $pwdExpireWarning/$policy_expire_unit)); + $nb_warning_users=$nb_warning_users+1; + $warning_users[$login] = "password warning, ever emailed"; + + # notify the first day and the last day + if( $$expire_always_mail || $expireInUnits == 1 || $expireInUnits == (int)( $pwdExpireWarning/$policy_expire_unit)+1 ) { + $url= generate_url($reset_url, "change"); + $data = array( "login" => $login, "mail" => $mail, "url" => $url, "days" => $expireInUnits ) ; + # Send message + if ( ! send_mail($mailer, $mail, $mail_from, $mail_from_name, $messages["warningexpiresubject"], $messages["warningexpiremessage"].$mail_signature, $data) ) { + error_log("checkexpiration - Error while sending token to $mail (user $login)"); + $warning_users[$login] = "password warning, error emailed"; + }else{ + error_log( "checkexpiration - send email to $mail (user $login) to change password"); + $warning_users[$login] = "password warning, emailed"; + } + } + }else{ + # if password is expired, the notify the 1st day of expiration + if ( $nowDateTime >= $expireDateTime) { + #error_log( "checkexpiration - user $login - alert, your password is expired since " . 
$expireDateTime->diff($nowDateTime)->format('%R%a days')); + + $expireInUnits = (int)(($nowDateTime->getTimestamp() - $expireDateTime->getTimestamp()) / $policy_expire_unit); + error_log( "checkexpiration - user $login - alert, your password is expired since " . $expireInUnits . " units"); + $nb_expired_users=$nb_expired_users+1; + $expired_users[$login] = "password expired, ever emailed"; + + + # notify the first day of expire + if( $expire_always_mail || $expireInUnits == 0){ + $url= generate_url("sendtoken"); + $data = array( "login" => $login, "mail" => $mail, "url" => $url, "days" => $expireInUnits ) ; + # Send message + if ( ! send_mail($mailer, $mail, $mail_from, $mail_from_name, $messages["alertexpiresubject"], $messages["alertexpiremessage"].$mail_signature, $data) ) { + error_log("checkexpiration - Error while sending token to $mail (user $login)"); + $expired_users[$login] = "password expired, error emailed"; + }else{ + error_log( "checkexpiration - send email to $mail (user $login) to reset password"); + $expired_users[$login] = "password expired, emailed"; + } + } + }else{ + error_log( "checkexpiration - user $login - notice, password is still available"); + } + } + } + + + $entry = ldap_next_entry($ldap, $entry); + } + $result = "expirechecked"; + } + } + } +} +}}} + +#============================================================================== +# HTML +#============================================================================== +?> + +
+

+
+ + + +

"; + echo " "; + echo $messages["expirehelp"]; + echo "

"; + echo "\n"; +} +?> + + +
+
+
+ +
+
+ + " /> +
+
+
+
+ +
+
+ + " /> +
+
+
+ + + +
+
+ +
+
+
+
+ + + +"; + echo "

Total Users with a mail and a password policy: " . $nb_users . "

"; + echo "
"; + echo "
\n"; + echo "

Total Users in warning of expiration: " . $nb_warning_users . "

"; + foreach ($warning_users as $key => $value) { + echo "

" . $key . ":" . $value . "

"; + } + echo "

Total Users with a password expired: " . $nb_expired_users . "

"; + foreach ($expired_users as $key => $value) { + echo "

" . $key . ":" . $value . "

"; + echo "\n"; + + +} ?>
From ebe6617e003f5983e3af651a28a0e55f4cbb1972 Mon Sep 17 00:00:00 2001
From: konvergence
Date: Mon, 21 Aug 2017 18:37:09 +0200
Subject: [PATCH 03/17] Update config.inc.php
---
 conf/config.inc.php | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/conf/config.inc.php b/conf/config.inc.php
index 45abacfc..8fba48ea 100644
--- a/conf/config.inc.php
+++ b/conf/config.inc.php
@@ -280,4 +280,28 @@
 # Launch a posthook script after successful password change
 #$posthook = "/usr/share/self-service-password/posthook.sh";
+
+## config for checkexpiration batch
+# to batch it call the page with curl -F login=xxxx -F password=yyyy
+
+$ldap_defaultpolicydn="cn=default,ou=policies," . $ldap_base;
+$ldap_admingroupdn="cn=administrators,ou=groups," . $ldap_base;
+
+# if pwdExpireWarning is not define in the default policy, then define 14 days warning before expire
+$expire_warning=1209600;
+
+# if set false: then send mail, 1st day of warning, last day of warning and 1st day of expire
+$expire_always_mail = true;
+
+# message They can also be defined in lang/ files
+$messages['emptyexpireform'] = "Checking password expiration for all users";
+$messages["expirehelp"] = "Only administrator can run this page";
+$messages['checkexpiration'] = "Check expiration of passwords";
+$messages['expirechecked'] = "The password expiration check has been completed";
+$messages['warningexpiresubject'] = "Warning - Your password will expired";
+$messages['warningexpiremessage'] = "Hello {login},\n\nYour password will expired in {days} days.\nClick here to change your password:\n{url}\n\n";
+$messages['alertexpiresubject'] = "Alert - Your password is expired";
+$messages['alertexpiremessage'] = "Hello {login},\n\nYour password is expired since {days} days.\nClick here to reset your password:\n{url}\n\n";
+
+
 ?>
From 377b35b2ac6b93677a61727a8d83170d5975cbec Mon Sep 17 00:00:00 2001
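Review bot: The result list at the end of the PATCH 02/17 hunk for pages/checkexpiration.php echoes `$key` and `$value` straight into the page (`" . $key . ":" . $value . "`), and `$key` is the login read from LDAP earlier in the same hunk, so a directory value containing markup would be rendered in the administrator's browser. Escape at output in both the warning and the expired loop, e.g. `htmlspecialchars($key . ":" . $value, ENT_QUOTES, 'UTF-8')`. The same `$login` and `$mail` values are interpolated into the `error_log()` calls; stripping CR/LF from them before logging keeps one user per log line. The start of the file and most of the markup are missing from this rendering, so the authentication and admin-group check could not be reviewed.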
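Review bot: The usage comment added in the PATCH 03/17 hunk for conf/config.inc.php, `# to batch it call the page with curl -F login=xxxx -F password=yyyy`, documents passing an administrator password as a command-line argument, where it is visible in the process list and tends to be copied into crontabs and shell history. I would document a form that reads the secret from a restricted file instead, for example `# curl -F login=xxxx -F "password=<PASSWORD_FILE" https://...  (PASSWORD_FILE is a placeholder, readable by the cron user only)`, and state that the page must only be called over HTTPS. A dedicated low-privilege account in `$ldap_admingroupdn` for the batch job, rather than a personal administrator login, would also be worth recommending in the comment.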
From: konvergence
Date: Mon, 21 Aug 2017 18:41:13 +0200
Subject: [PATCH 04/17] Update index.php
---
 index.php | 1 +
 1 file changed, 1 insertion(+)
diff --git a/index.php b/index.php
index 403748c4..a0944cce 100644
--- a/index.php
+++ b/index.php
@@ -103,6 +103,7 @@
 if ( $use_questions ) { array_push( $available_actions, "resetbyquestions", "setquestions"); }
 if ( $use_tokens ) { array_push( $available_actions, "resetbytoken", "sendtoken"); }
 if ( $use_sms ) { array_push( $available_actions, "resetbytoken", "sendsms"); }
+if ( $use_checkexpiration ) { array_push( $available_actions, "checkexpiration"); }
 # Ensure requested action is available, or fall back to default
 if ( ! in_array($action, $available_actions) ) { $action = $default_action; }
From 13123d0cceedea3d00fe00c9081f296a8d9433f3 Mon Sep 17 00:00:00 2001
From: konvergence
Date: Mon, 21 Aug 2017 18:42:52 +0200
Subject: [PATCH 05/17] Update functions.inc.php
---
 lib/functions.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/functions.inc.php b/lib/functions.inc.php
index fb0dea51..ff717ac8 100644
--- a/lib/functions.inc.php
+++ b/lib/functions.inc.php
@@ -121,7 +121,7 @@ function stripslashes_if_gpc_magic_quotes( $string ) {
 # Get message criticity
 function get_criticity( $msg ) {
- if ( preg_match( "/nophpldap|phpupgraderequired|nophpmhash|ldaperror|nomatch|badcredentials|passworderror|tooshort|toobig|minlower|minupper|mindigit|minspecial|forbiddenchars|sameasold|answermoderror|answernomatch|mailnomatch|tokennotsent|tokennotvalid|notcomplex|smsnonumber|smscrypttokensrequired|nophpmbstring|nophpxml|smsnotsent|sameaslogin|sshkeyerror/" , $msg ) ) {
+ if ( preg_match( "/nophpldap|phpupgraderequired|nophpmhash|ldaperror|nomatch|badcredentials|passworderror|tooshort|toobig|minlower|minupper|mindigit|minspecial|forbiddenchars|sameasold|answermoderror|answernomatch|mailnomatch|tokennotsent|tokennotvalid|notcomplex|smsnonumber|smscrypttokensrequired|nophpmbstring|nophpxml|smsnotsent|sameaslogin|sshkeyerror|notinadmingroup/" , $msg ) ) {
 return "danger";
 }
From 39b21354a5f19bc26219e25d5aff754fc72c1cc3 Mon Sep 17 00:00:00 2001
From: konvergence
Date: Tue, 22 Aug 2017 09:56:21 +0200
Subject: [PATCH 06/17] Update config.inc.php
---
 conf/config.inc.php | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/conf/config.inc.php b/conf/config.inc.php
index 8fba48ea..5ec50edb 100644
--- a/conf/config.inc.php
+++ b/conf/config.inc.php
@@ -284,6 +284,9 @@
 ## config for checkexpiration batch
 # to batch it call the page with curl -F login=xxxx -F password=yyyy
+# allow this functionality
+$use_checkexpiration=true;
+
 $ldap_defaultpolicydn="cn=default,ou=policies," . $ldap_base;
 $ldap_admingroupdn="cn=administrators,ou=groups," . $ldap_base;
From 323eea8b6696ae5ce2c7b4f979e5de5ca718e76f Mon Sep 17 00:00:00 2001
From: konvergence
Date: Tue, 22 Aug 2017 09:57:20 +0200
Subject: [PATCH 07/17] Update checkexpiration.php
---
 pages/checkexpiration.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pages/checkexpiration.php b/pages/checkexpiration.php
index e89789d0..332c86e4 100644
--- a/pages/checkexpiration.php
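Review bot: In the PATCH 06/17 hunk for conf/config.inc.php, `$use_checkexpiration=true;` switches the new page on for every installation that takes the shipped defaults, which adds another endpoint that verifies an administrator login and password and, with `$expire_always_mail = true` from PATCH 03/17, mails every user in the warning or expired window on each call. Shipping `$use_checkexpiration = false;` with a comment such as `# enable only after setting $ldap_admingroupdn and restricting access to the page` would be the safer default. The index.php hunk in PATCH 04/17 reads `$use_checkexpiration` directly, so configurations that predate this change may raise an undefined-variable notice unless a default is assigned before that `if`.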
+++ b/pages/checkexpiration.php
@@ -80,8 +80,8 @@ function generate_url($action) {
 $nb_warning_users=0;
-#$policy_expire_unit=86400;
-$policy_expire_unit=60;
+$policy_expire_unit=86400;
+#$policy_expire_unit=60;
@@ -244,7 +244,7 @@ function generate_url($action) {
 $warning_users[$login] = "password warning, ever emailed";
 # notify the first day and the last day
- if( $$expire_always_mail || $expireInUnits == 1 || $expireInUnits == (int)( $pwdExpireWarning/$policy_expire_unit)+1 ) {
+ if( $expire_always_mail || $expireInUnits == 1 || $expireInUnits == (int)( $pwdExpireWarning/$policy_expire_unit)+1 ) {
 $url= generate_url($reset_url, "change");
 $data = array( "login" => $login, "mail" => $mail, "url" => $url, "days" => $expireInUnits ) ;
 # Send message
From 2ae94f332be5eb8190766eed1c666fb2c787cff9 Mon Sep 17 00:00:00 2001
From: konvergence
Date: Tue, 22 Aug 2017 11:11:58 +0200
Subject: [PATCH 08/17] Update checkexpiration.php
---
 pages/checkexpiration.php | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/pages/checkexpiration.php b/pages/checkexpiration.php
index 332c86e4..a57a05c3 100644
--- a/pages/checkexpiration.php
+++ b/pages/checkexpiration.php
@@ -80,7 +80,7 @@ function generate_url($action) {
 $nb_warning_users=0;
-$policy_expire_unit=86400;
+#$policy_expire_unit=86400;
 #$policy_expire_unit=60;
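Review bot: After the first hunk of PATCH 08/17 (`@@ -80,7 +80,7 @@`) both assignments of `$policy_expire_unit` are commented out (`#$policy_expire_unit=86400;` and `#$policy_expire_unit=60;`), yet the next hunk of the same commit still divides by it in `(int)( $pwdExpireWarning/$policy_expire_unit)`, and the unchanged first/last-day test `$expireInUnits == (int)( $pwdExpireWarning/$policy_expire_unit)+1` does too. Unless the variable is assigned somewhere outside the visible hunks, this is a division by an undefined value: a warning and an unusable result on PHP 5 and 7, and a `DivisionByZeroError` on PHP 8 that would stop the batch before any mail is sent. Keep `$policy_expire_unit=86400;` active, or replace both divisions with a day count computed the same way as `$expireInUnits`.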
@@ -236,10 +236,11 @@ function generate_url($action) {
 #if password is in expire periode, send notify it the 1st day of warning, and the last day
 if( $nowDateTime >= $warningDateTime && $nowDateTime < $expireDateTime) {
- #error_log( "checkexpiration - user $login - warning, your password will expired in " . $warningDateTime->diff($nowDateTime)->format('%R%a days'));
-
- $expireInUnits = (int)(($expireDateTime->getTimestamp() - $nowDateTime->getTimestamp()) / $policy_expire_unit) ;
- error_log( "checkexpiration - user $login - warning, your password will expired in " . $expireInUnits . " units - warning :" . (int)( $pwdExpireWarning/$policy_expire_unit));
+
+ #$expireInUnits = (int)ceil(($expireDateTime->getTimestamp() - $nowDateTime->getTimestamp()) / $policy_expire_unit) ;
+ $expireInUnits = DateTime::createFromFormat("Ymd",$nowDateTime->format("Ymd"))->diff(DateTime::createFromFormat("Ymd", $expireDateTime->format("Ymd")))->days;
+
+ error_log( "checkexpiration - user $login - warning, your password will expired in " . $expireInUnits . " days - warning :" . (int)( $pwdExpireWarning/$policy_expire_unit));
 $nb_warning_users=$nb_warning_users+1;
 $warning_users[$login] = "password warning, ever emailed";
@@ -259,10 +260,11 @@ function generate_url($action) {
 }else{
 # if password is expired, the notify the 1st day of expiration
 if ( $nowDateTime >= $expireDateTime) {
- #error_log( "checkexpiration - user $login - alert, your password is expired since " . $expireDateTime->diff($nowDateTime)->format('%R%a days'));
- $expireInUnits = (int)(($nowDateTime->getTimestamp() - $expireDateTime->getTimestamp()) / $policy_expire_unit);
- error_log( "checkexpiration - user $login - alert, your password is expired since " . $expireInUnits . " units");
+ #$expireInUnits = (int)ceil(($nowDateTime->getTimestamp() - $expireDateTime->getTimestamp()) / $policy_expire_unit);
+ $expireInUnits = DateTime::createFromFormat("Ymd", $expireDateTime->format("Ymd"))->diff(DateTime::createFromFormat("Ymd", $nowDateTime->format("Ymd")))->days;
+
+ error_log( "checkexpiration - user $login - alert, your password is expired since " . $expireInUnits . " days");
 $nb_expired_users=$nb_expired_users+1;
 $expired_users[$login] = "password expired, ever emailed";
From b95fd4335698b3495532468552077dc5819f98fe Mon Sep 17 00:00:00 2001
From: konvergence
Date: Tue, 22 Aug 2017 11:16:56 +0200
Subject: [PATCH 09/17] Update checkexpiration.php
---
 pages/checkexpiration.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pages/checkexpiration.php b/pages/checkexpiration.php
index a57a05c3..1590f36d 100644
--- a/pages/checkexpiration.php
+++ b/pages/checkexpiration.php
@@ -270,7 +270,7 @@ function generate_url($action) {
 # notify the first day of expire
- if( $expire_always_mail || $expireInUnits == 0){
+ if( $expire_always_mail || $expireInUnits == 1){
 $url= generate_url("sendtoken");
 $data = array( "login" => $login, "mail" => $mail, "url" => $url, "days" => $expireInUnits ) ;
 # Send message
From 24be293a49a5a378917a878f42f74f4b557a7a14 Mon Sep 17 00:00:00 2001
From: konvergence
Date: Tue, 22 Aug 2017 16:00:11 +0200
Subject: [PATCH 10/17] Update checkexpiration.php
---
 pages/checkexpiration.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pages/checkexpiration.php b/pages/checkexpiration.php
index 1590f36d..1615ea1b 100644
--- a/pages/checkexpiration.php
+++ b/pages/checkexpiration.php
@@ -16,7 +16,7 @@
 # functions
 #==============================================================================
-function generate_url($action) {
+function generate_url($reset_url, $action) {
 if ( empty($reset_url) ) {
@@ -271,7 +271,7 @@ function generate_url($action) {
 # notify the first day of expire
 if( $expire_always_mail || $expireInUnits == 1){
- $url= generate_url("sendtoken");
+ $url= generate_url($reset_url, "sendtoken");
 $data = array( "login" => $login, "mail" => $mail, "url" => $url, "days" => $expireInUnits ) ;
 # Send message
 if ( ! send_mail($mailer, $mail, $mail_from, $mail_from_name, $messages["alertexpiresubject"], $messages["alertexpiremessage"].$mail_signature, $data) ) {
From 5db482f3924fff20b27172bf6b68fadaef537543 Mon Sep 17 00:00:00 2001
From: konvergence
Date: Tue, 29 Aug 2017 14:15:23 +0200
Subject: [PATCH 11/17] Update functions.inc.php
---
 lib/functions.inc.php | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
diff --git a/lib/functions.inc.php b/lib/functions.inc.php
index ff717ac8..4611ec93 100644
--- a/lib/functions.inc.php
+++ b/lib/functions.inc.php
@@ -19,6 +19,44 @@
 #
 #==============================================================================
+# Generate URL according to the action
+function generate_url($reset_url, $action) {
+ if ( empty($reset_url) ) {
+ $server_name = $_SERVER['SERVER_NAME'];
+ $server_port = $_SERVER['SERVER_PORT'];
+ $script_name = $_SERVER['SCRIPT_NAME'];
+ # Build reset by token URL
+ $method = "http";
+ if( !empty($_SERVER['HTTPS']) || (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')){
+ $method .= "s";
+ }
+ # change servername if HTTP_X_FORWARDED_HOST is set
+ if( isset($_SERVER['HTTP_X_FORWARDED_HOST'])){
+ $server_name = $_SERVER['HTTP_X_FORWARDED_HOST'];
+ }
+ # Force server port if non standard port
+ if ( ( $method === "http" and $server_port != "80" )
+ or ( $method === "https" and $server_port != "443" )
+ ) {
+ if( isset($_SERVER['HTTP_X_FORWARDED_PORT'])) {
+ $server_name .= ":".$_SERVER['HTTP_X_FORWARDED_PORT'];
+ } else {
+ $server_name .= ":".$server_port;
+ }
+ }
+ $reset_url = $method."://".$server_name.$script_name;
+ }
+ $url = $reset_url . "?action=".$action;
+ if ( !empty($reset_request_log) ) {
+ error_log("Genrated URL $url \n\n", 3, $reset_request_log);
+ } else {
+ error_log("Genrated URL $url");
+ }
+ return $url;
+
+}
+
+
 # Create SSHA password
 function make_ssha_password($password) {
 $salt = random_bytes(4);
From b07c06b5369b2c97522c6bde3c039a7b8b3fbf74 Mon Sep 17 00:00:00 2001
From: konvergence
Date: Tue, 29 Aug 2017 14:18:02 +0200
Subject: [PATCH 12/17] Update checkexpiration.php
---
 pages/checkexpiration.php | 51 ---------------------------------------
 1 file changed, 51 deletions(-)
diff --git a/pages/checkexpiration.php b/pages/checkexpiration.php
index 1615ea1b..c3e86f69 100644
--- a/pages/checkexpiration.php
+++ b/pages/checkexpiration.php
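Review bot: In the `generate_url()` added by PATCH 11/17, when `$reset_url` is empty the link that is mailed to users is assembled from `HTTP_X_FORWARDED_HOST`, `HTTP_X_FORWARDED_PROTO` and `HTTP_X_FORWARDED_PORT`, which are request headers and only trustworthy when a reverse proxy in front of the application overwrites them; otherwise the host shown in the password-change mail is chosen by whoever sends the request. Now that the function sits in lib/functions.inc.php and feeds a batch mailer, I would add a comment above it such as `# $reset_url should be set in the configuration: the fallback below trusts X-Forwarded-* request headers`, and append the action as `urlencode($action)`. Separately, `$reset_request_log` is neither a parameter nor declared `global`, so inside the function `!empty($reset_request_log)` is always false and the dedicated log file is never written; `global $reset_request_log;` as the first statement of the body restores that branch.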
@@ -12,57 +12,6 @@
 # This page is called to batch email to all password in warning expiration or expired
-#==============================================================================
-# functions
-#==============================================================================
-
-function generate_url($reset_url, $action) {
-
- if ( empty($reset_url) ) {
-
- $server_name = $_SERVER['SERVER_NAME'];
- $server_port = $_SERVER['SERVER_PORT'];
- $script_name = $_SERVER['SCRIPT_NAME'];
-
- # Build reset by token URL
- $method = "http";
- if( !empty($_SERVER['HTTPS']) || (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')){
- $method .= "s";
- }
-
-
- # change servername if HTTP_X_FORWARDED_HOST is set
- if( isset($_SERVER['HTTP_X_FORWARDED_HOST'])){
- $server_name = $_SERVER['HTTP_X_FORWARDED_HOST'];
- }
-
- # Force server port if non standard port
- if ( ( $method === "http" and $server_port != "80" )
- or ( $method === "https" and $server_port != "443" )
- ) {
- if( isset($_SERVER['HTTP_X_FORWARDED_PORT'])) {
- $server_name .= ":".$_SERVER['HTTP_X_FORWARDED_PORT'];
- } else {
- $server_name .= ":".$server_port;
- }
-
- }
-
- $reset_url = $method."://".$server_name.$script_name;
- }
-
- $url = $reset_url . "?action=".$action;
-
- if ( !empty($reset_request_log) ) {
- error_log("Genrated URL $url \n\n", 3, $reset_request_log);
- } else {
- error_log("Genrated URL $url");
- }
-
- return $url;
-
-}
-
 #==============================================================================
 # POST parameters
From bc8d84c6a99e4b76223e737600d6c63bdb9258d5 Mon Sep 17 00:00:00 2001
From: konvergence
Date: Tue, 29 Aug 2017 16:05:54 +0200
Subject: [PATCH 13/17] Update checkexpiration.php
---
 pages/checkexpiration.php | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/pages/checkexpiration.php b/pages/checkexpiration.php
index c3e86f69..b52f5de6 100644
--- a/pages/checkexpiration.php
+++ b/pages/checkexpiration.php
@@ -154,8 +154,11 @@
 # if user as pwdChangedTime compare with now
 if ( $pwdChangedTime ) {
- $changeDateTime = DateTime::createFromFormat('YmdHis', substr($pwdChangedTime, 0, -1));
- $nowDateTime = new DateTime();
+ # any changeDateTime is reported to the day at 00h00
+ $changeDateTime = DateTime::createFromFormat('YmdHis', substr($pwdChangedTime, 0, 8). "000000");
+
+ # now is reported to the current day at 00h00
+ $nowDateTime = DateTime::createFromFormat("YmdHis",(new DateTime())->format("Ymd")."000000");
 $search_policy = ldap_search($ldap, $pwdPolicySubentry, "(cn=*)");
 $ppolicy_entry = ldap_first_entry($ldap, $search_policy);
@@ -186,8 +189,7 @@
 #if password is in expire periode, send notify it the 1st day of warning, and the last day
 if( $nowDateTime >= $warningDateTime && $nowDateTime < $expireDateTime) {
- #$expireInUnits = (int)ceil(($expireDateTime->getTimestamp() - $nowDateTime->getTimestamp()) / $policy_expire_unit) ;
- $expireInUnits = DateTime::createFromFormat("Ymd",$nowDateTime->format("Ymd"))->diff(DateTime::createFromFormat("Ymd", $expireDateTime->format("Ymd")))->days;
+ $expireInUnits = $nowDateTime->diff($expireDateTime)->days;
 error_log( "checkexpiration - user $login - warning, your password will expired in " . $expireInUnits . " days - warning :" . (int)( $pwdExpireWarning/$policy_expire_unit));
 $nb_warning_users=$nb_warning_users+1;
@@ -210,8 +212,7 @@
 # if password is expired, the notify the 1st day of expiration
 if ( $nowDateTime >= $expireDateTime) {
- #$expireInUnits = (int)ceil(($nowDateTime->getTimestamp() - $expireDateTime->getTimestamp()) / $policy_expire_unit);
- $expireInUnits = DateTime::createFromFormat("Ymd", $expireDateTime->format("Ymd"))->diff(DateTime::createFromFormat("Ymd", $nowDateTime->format("Ymd")))->days;
+ $expireInUnits = $expireDateTime->diff($nowDateTime)->days;
 error_log( "checkexpiration - user $login - alert, your password is expired since " . $expireInUnits . " days");
 $nb_expired_users=$nb_expired_users+1;
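Review bot: In the first hunk of PATCH 13/17 (`@@ -154,8 +154,11 @@`), `DateTime::createFromFormat('YmdHis', substr($pwdChangedTime, 0, 8). "000000")` returns `false` when the attribute value does not start with eight date digits, and the code outside this hunk (as added in PATCH 02/17) goes on to `clone $changeDateTime`, so a single malformed entry would end the run with a fatal error before the remaining users are checked. A guard such as `if ($changeDateTime === false) { error_log("checkexpiration - unparsable pwdChangedTime for user $login"); }` ahead of the date arithmetic would contain it. The truncated digits are presumably a UTC date while `new DateTime()` uses the server's default zone, so the day count can be off by one around midnight; passing the same explicit `DateTimeZone` to both calls would make the comparison consistent. The enclosing `if ( $pwdChangedTime )` block starts and ends outside the hunk.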
From cfe4c6f753d3633ddef2eeeb7e6c19adde962a75 Mon Sep 17 00:00:00 2001
From: konvergence
Date: Tue, 29 Aug 2017 16:15:06 +0200
Subject: [PATCH 14/17] Update checkexpiration.php
---
 pages/checkexpiration.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pages/checkexpiration.php b/pages/checkexpiration.php
index b52f5de6..ccdf7921 100644
--- a/pages/checkexpiration.php
+++ b/pages/checkexpiration.php
@@ -197,7 +197,7 @@
 # notify the first day and the last day
 if( $expire_always_mail || $expireInUnits == 1 || $expireInUnits == (int)( $pwdExpireWarning/$policy_expire_unit)+1 ) {
- $url= generate_url($reset_url, "change");
+ $url= generate_url($reset_url, "change") . "&login=" . $login;
 $data = array( "login" => $login, "mail" => $mail, "url" => $url, "days" => $expireInUnits ) ;
 # Send message
 if ( ! send_mail($mailer, $mail, $mail_from, $mail_from_name, $messages["warningexpiresubject"], $messages["warningexpiremessage"].$mail_signature, $data) ) {
@@ -221,7 +221,7 @@
 # notify the first day of expire
 if( $expire_always_mail || $expireInUnits == 1){
- $url= generate_url($reset_url, "sendtoken");
+ $url= generate_url($reset_url, "sendtoken") . "&login=" . $login ;
 $data = array( "login" => $login, "mail" => $mail, "url" => $url, "days" => $expireInUnits ) ;
 # Send message
 if ( ! send_mail($mailer, $mail, $mail_from, $mail_from_name, $messages["alertexpiresubject"], $messages["alertexpiremessage"].$mail_signature, $data) ) {
From 2844078a010642971c4843dea73705a05b541040 Mon Sep 17 00:00:00 2001
From: konvergence
Date: Tue, 29 Aug 2017 16:21:18 +0200
Subject: [PATCH 15/17] Update functions.inc.php
---
 lib/functions.inc.php | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/lib/functions.inc.php b/lib/functions.inc.php
index 4611ec93..ef013a4d 100644
--- a/lib/functions.inc.php
+++ b/lib/functions.inc.php
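Review bot: Both hunks of PATCH 14/17 append the raw LDAP login to the mailed link with `"&login=" . $login` (the `change` link at `@@ -197,7 +197,7 @@` and the `sendtoken` link at `@@ -221,7 +221,7 @@`), so a login containing `&`, `#`, `+`, a space or a non-ASCII character yields a broken or misparsed query string. Encode the value: `$url= generate_url($reset_url, "change") . "&login=" . urlencode($login);` and the same for `"sendtoken"`. The pages that receive `login` still have to treat it as untrusted input, since the recipient can edit the link. Both enclosing `if` blocks continue outside the hunks.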
@@ -18,6 +18,10 @@
 # GPL License: http://www.gnu.org/licenses/gpl.txt
 #
 #==============================================================================
+# missed defines in php 5
+if ( !defined("LDAP_OPT_DIAGNOSTIC_MESSAGE") ) {
+ define("LDAP_OPT_DIAGNOSTIC_MESSAGE", 0x0032);
+}
 # Generate URL according to the action
 function generate_url($reset_url, $action) {
From 2d460b2788d5988e53858fe58a18680b1c7d2cf9 Mon Sep 17 00:00:00 2001
From: konvergence
Date: Thu, 31 Aug 2017 06:29:38 +0200
Subject: [PATCH 16/17] Update checkexpiration.php Notify expired password when $expireInUnits == 0 So the day of expiration
---
 pages/checkexpiration.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pages/checkexpiration.php b/pages/checkexpiration.php
index ccdf7921..022c1e46 100644
--- a/pages/checkexpiration.php
+++ b/pages/checkexpiration.php
@@ -220,7 +220,7 @@
 # notify the first day of expire
- if( $expire_always_mail || $expireInUnits == 1){
+ if( $expire_always_mail || $expireInUnits == 0){
 $url= generate_url($reset_url, "sendtoken") . "&login=" . $login ;
 $data = array( "login" => $login, "mail" => $mail, "url" => $url, "days" => $expireInUnits ) ;
 # Send message
From 6a10e80509777a8dc09b7c0dd88bc8a0ae49a0ca Mon Sep 17 00:00:00 2001
From: konvergence
Date: Thu, 31 Aug 2017 08:12:37 +0200
Subject: [PATCH 17/17] Update checkexpiration.php
---
 pages/checkexpiration.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pages/checkexpiration.php b/pages/checkexpiration.php
index 022c1e46..ccdf7921 100644
--- a/pages/checkexpiration.php
+++ b/pages/checkexpiration.php
@@ -220,7 +220,7 @@
 # notify the first day of expire
- if( $expire_always_mail || $expireInUnits == 0){
+ if( $expire_always_mail || $expireInUnits == 1){
 $url= generate_url($reset_url, "sendtoken") . "&login=" . $login ;
 $data = array( "login" => $login, "mail" => $mail, "url" => $url, "days" => $expireInUnits ) ;
 # Send message