Possibility to edit account validity dates (#190)

* Fix typo on new ppolicy attributes

* Display if account is valid or not

* Improve template for account validity

* Display start date and end date

* Update lang keys

* Update validity dates

* Dashboard for invalid accounts

* Update docs

conf/config.inc.php

@@ -86,9 +86,9 @@
     'pwdfailuretime' => array( 'attribute' => 'pwdfailuretime', 'faclass' => 'lock', 'type' => 'date', 'sort' => 'descending' ),
     'pwdlastsuccess' => array( 'attribute' => 'pwdlastsuccess', 'faclass' => 'lock', 'type' => 'date' ),
     'pwdpolicysubentry' => array( 'attribute' => 'pwdpolicysubentry', 'faclass' => 'lock', 'type' => 'ppolicy_dn' ),
-    'pwdgraceusetime' => array( 'attribute' => ' pwdgraceusetime', 'faclass' => 'lock', 'type' => 'date' ),
-    'starttime' => array( 'attribute' => ' pwdstarttime', 'faclass' => 'lock', 'type' => 'date' ),
-    'endtime' => array( 'attribute' => ' pwdendtime', 'faclass' => 'lock', 'type' => 'date' ),
+    'pwdgraceusetime' => array( 'attribute' => 'pwdgraceusetime', 'faclass' => 'lock', 'type' => 'date' ),
+    'starttime' => array( 'attribute' => 'pwdstarttime', 'faclass' => 'lock', 'type' => 'date' ),
+    'endtime' => array( 'attribute' => 'pwdendtime', 'faclass' => 'lock', 'type' => 'date' ),
 );
 $activedirectory_attributes_map = array(
     'authtimestamp' => array( 'attribute' => 'lastlogon', 'faclass' => 'lock', 'type' => 'ad_date' ),
@@ -162,6 +162,10 @@
 $use_disablecomment = false;
 $use_disablecomment_required = false;
 
+$show_validitystatus = true;
+$use_updatestarttime = true;
+$use_updateendtime = true;
+$use_searchinvalid = true;
 
 # Local password policy
 # This is applied before directory password policy

docs/display-parameters.rst

@@ -54,3 +54,12 @@ You can disable the expire status panel:
 .. code-block:: php
 
     $show_expirestatus = false;
+
+Validity status
+---------------
+
+You can disable the validity status panel:
+
+.. code-block:: php
+
+    $show_validitytatus = false;

docs/index.rst

@@ -27,6 +27,7 @@ LDAP Tool Box Service Desk documentation
    resetpassword.rst
    lockaccount.rst
    enableaccount.rst
+   updatestartendtime.rst
    hook.rst
    dashboards.rst
    configuration-mail.rst

docs/presentation.rst

@@ -17,10 +17,12 @@ Features
 * Test current password
 * Reset password and force password change at next connection
 * Lock and unlock account
+* Update account validity dates
 * Create and view audit logs
 * Dashboards:
 
   * Accounts locked
   * Accounts with a password that will soon expire
   * Accounts with an expired password
-  * Accounts idle (never connected or not connected since a number of days)
+  * Accounts idle (never connected or not connected since a number of days)
+  * Accounts invalid (for which start date is in the future, or end date is in the past)

docs/updatestartendtime.rst

@@ -0,0 +1,39 @@
+Update start and end validity dates
+===================================
+
+Some LDAP directories provide attributes to define start and end account validify dates.
+
+For OpenLDAP since 2.5 version, attributes are ``pwdStartTime`` and ``pwdEndTime``.
+
+For Active Directory, only end time is available, in ``accountExpires`` attribute.
+
+Show validity status
+-------------------
+
+Service Desk will display if account is valid or not. To allow this feature:
+
+.. code-block:: php
+
+    $show_validitystatus = true;
+
+Update start date
+-----------------
+
+This feature allows to edit the account start validity date. This requires to have the `starttime` field defined in the attributes map.
+
+To enable this feature:
+
+.. code-block:: php
+
+    $use_updatestarttime = true;
+
+Update end date
+-----------------
+
+This feature allows to edit the account end validity date. This requires to have the `endtime` field defined in the attributes map.
+
+To enable this feature:
+
+.. code-block:: php
+
+    $use_updateendtime = true;

docs/upgrade.rst

@@ -4,7 +4,7 @@ Upgrade
 From 0.5 to 0.6
 ---------------
 
-bundled dependencies
+Bundled dependencies
 ~~~~~~~~~~~~~~~~~~~~
 
 The dependencies are now explicitly listed in the service-desk package, including the bundled ones.
@@ -15,7 +15,7 @@ You can find bundled dependencies list:
 * in Provides field in rpm package
 
 
-configuration
+Configuration
 ~~~~~~~~~~~~~
 
 The configuration files are now in ``/etc/service-desk`` directory.
@@ -29,7 +29,7 @@ Please take in consideration that ``config.inc.php`` is now replaced systematica
 
 Avoid as much as possible editing the ``/etc/service-desk/config.inc.php`` file. Prefer modifying the ``/etc/service-desk/config.inc.local.php``.
 
-password policy
+Password policy
 ~~~~~~~~~~~~~~~
 
 When you change the password for a user, you can now configure a local password policy for ensuring the password strength is sufficient.
@@ -43,15 +43,15 @@ You can give a look to the :doc:`password policy documentation <ppolicy>` for mo
    The local password policy is now defined in a library: `ltb-common <https://github.com/ltb-project/ltb-common>`_.
 
 
-cache cleaning
+Cache cleaning
 ~~~~~~~~~~~~~~
 
 Now the cache is being cleaned-up during service-desk upgrade / install.
 
 This is intended to avoid smarty problems due to service-desk templates upgrade, and possibly smarty upgrade itself.
 
 
-dependencies update
+Dependencies update
 ~~~~~~~~~~~~~~~~~~~
 
 Removed packaged dependencies:
@@ -117,7 +117,6 @@ Removed bundled dependencies:
 Note that hidden files (.gitignore,...) from bundled dependencies are now removed from packages.
 
 
-
 Last authentication time and idle accounts
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -142,3 +141,18 @@ You can enable this feature by setting a non-zero value to the page size paramet
 .. code-block:: php
 
    $ldap_page_size = 100;
+
+Account validity
+~~~~~~~~~~~~~~~~
+
+Account validity feature is enabled by default. For OpenLDAP it relies on ``pwdStartTime`` and ``pwdEndTime`` attributes available since OpenLDAP 2.5.
+For Active Directory, only the end time is available, in ``accountExpires`` attribute.
+
+You can disable this new feature if you don't want to use it:
+
+.. code-block:: php
+
+   $show_validitystatus = false;
+   $use_updatestarttime = false;
+   $use_updateendtime = false;
+   $use_searchinvalid = false;

htdocs/display.php

@@ -19,6 +19,10 @@
 $canLockAccount="";
 $isAccountEnabled = "";
 $lockDate = "";
+$isAccountValid = "";
+$startDate = "";
+$endDate = "";
+$updatevaliditydatesresult = "";
 
 if (isset($_GET["dn"]) and $_GET["dn"]) {
     $dn = $_GET["dn"];
@@ -60,6 +64,9 @@
     $posthookresult = $_GET["posthookresult"];
 }
 
+if (isset($_GET["updatevaliditydatesresult"]) and $_GET["updatevaliditydatesresult"]) {
+    $updatevaliditydatesresult = $_GET["updatevaliditydatesresult"];
+}
 if ($result === "") {
 
     require_once("../conf/config.inc.php");
@@ -171,6 +178,18 @@
             $isAccountEnabled = $directory->isAccountEnabled($ldap, $dn);
         }
 
+        if ($show_validitystatus) {
+            $isAccountValid = $directory->isAccountValid($ldap, $dn);
+            if ($use_updatestarttime and isset($entry[0][ $attributes_map['starttime']['attribute'] ])) {
+                $starttime = $entry[0][ $attributes_map['starttime']['attribute'] ][0];
+                $startDate = $directory->getPhpDate( $starttime );
+            }
+            if ($use_updateendtime and isset($entry[0][ $attributes_map['endtime']['attribute'] ])) {
+                $endtime = $entry[0][ $attributes_map['endtime']['attribute'] ][0];
+                $endDate = $directory->getPhpDate( $endtime );
+            }
+        }
+
     }}}
 }
 
@@ -206,5 +225,9 @@
 } else {
     $smarty->assign('msg_resetpasswordresult','');
 }
+$smarty->assign("isAccountValid", $isAccountValid);
+$smarty->assign("startDate", $startDate);
+$smarty->assign("endDate", $endDate);
+$smarty->assign("updatevaliditydatesresult", $updatevaliditydatesresult);
 
 ?>

htdocs/index.php

@@ -207,7 +207,10 @@ function sha256($string)
 $smarty->assign('use_enablecomment_required',$use_enablecomment_required);
 $smarty->assign('use_disablecomment',$use_disablecomment);
 $smarty->assign('use_disablecomment_required',$use_disablecomment_required);
-
+$smarty->assign('show_validitystatus',$show_validitystatus);
+$smarty->assign('use_updatestarttime',$attributes_map['starttime'] ? $use_updatestarttime : false);
+$smarty->assign('use_updateendtime',$attributes_map['endtime'] ? $use_updateendtime : false);
+$smarty->assign('use_searchinvalid',$use_searchinvalid);
 
 # Assign messages
 $smarty->assign('lang',$lang);
@@ -268,6 +271,8 @@ function sha256($string)
 if ( $page === "searchwillexpire" and !$use_searchwillexpire ) { $page = "welcome"; }
 if ( $page === "searchidle" and !$use_searchidle ) { $page = "welcome"; }
 if ( $page === "auditlog" and !$use_showauditlog ) { $page = "welcome"; }
+if ( $page === "updatevaliditydates" and !($use_updatestarttime or $use_updateendtime) ) { $page = "welcome"; }
+if ( $page === "searchinvalid" and !$use_searchinvalid ) { $page = "welcome"; }
 if ( file_exists($page.".php") ) { require_once($page.".php"); }
 $smarty->assign('page',$page);
 

htdocs/searchinvalid.php

@@ -0,0 +1,44 @@
+<?php
+/*
+ * Search invalid entries in LDAP directory
+ */
+
+require_once("../conf/config.inc.php");
+require __DIR__ . '/../vendor/autoload.php';
+require_once("../lib/date.inc.php");
+
+# Compute idle date
+$date= new DateTime();
+$dateLdap = $directory->getLdapDate($date);
+
+# Search filter
+$ldap_filter = "(&". $ldap_user_filter . "(|";
+if ( isset($attributes_map['starttime']) ) {
+    $ldap_filter .= "(" . $attributes_map['starttime']['attribute'] .">=". $dateLdap .")";
+    $search_result_items[] = "starttime";
+}
+if ( isset($attributes_map['endtime']) ) {
+    $ldap_filter .= "(" . $attributes_map['endtime']['attribute'] ."<=". $dateLdap .")";
+    $search_result_items[] = "endtime";
+}
+$ldap_filter.= "))";
+
+[$ldap,$result,$nb_entries,$entries,$size_limit_reached] = $ldapInstance->search($ldap_filter, array(), $attributes_map, $search_result_title, $search_result_sortby, $search_result_items, $ldap_scope);
+
+if ( !empty($entries) )
+{
+    $smarty->assign("page_title", "invalidaccountstitle");
+    $smarty->assign("nb_entries", $nb_entries);
+    $smarty->assign("entries", $entries);
+    $smarty->assign("size_limit_reached", $size_limit_reached);
+
+    $columns = $search_result_items;
+    if (! in_array($search_result_title, $columns)) array_unshift($columns, $search_result_title);
+    $smarty->assign("listing_columns", $columns);
+    $smarty->assign("listing_linkto",  isset($search_result_linkto) ? $search_result_linkto : array($search_result_title));
+    $smarty->assign("listing_sortby",  array_search($search_result_sortby, $columns));
+    $smarty->assign("show_undef", $search_result_show_undefined);
+    $smarty->assign("truncate_value_after", $search_result_truncate_value_after);
+}
+
+?>

htdocs/updatevaliditydates.php

@@ -0,0 +1,83 @@
+<?php
+/*
+ * Update start time and end time in LDAP directory
+ */
+
+$result = "";
+$dn = "";
+$start_date = "";
+$end_date = "";
+$comment = "";
+$returnto = "display";
+
+if (isset($_POST["returnto"]) and $_POST["returnto"]) {
+    $returnto = $_POST["returnto"];
+}
+
+if (isset($_POST["dn"]) and $_POST["dn"]) {
+    $dn = $_POST["dn"];
+} else {
+    $result = "dnrequired";
+}
+
+if (isset($_POST["comment"]) and $_POST["comment"]) {
+    $comment = $_POST["comment"];
+}
+
+if (isset($_POST["start_date"]) and $_POST["start_date"]) {
+    $start_date = $_POST["start_date"];
+}
+
+if (isset($_POST["end_date"]) and $_POST["end_date"]) {
+    $end_date = $_POST["end_date"];
+}
+
+if (!($use_updatestarttime or $use_updateendtime)) {
+    $result = "actionforbidden";
+}
+
+if ($result === "") {
+
+    require_once("../conf/config.inc.php");
+    require __DIR__ . '/../vendor/autoload.php';
+
+
+    # Connect to LDAP
+    $ldap_connection = $ldapInstance->connect();
+
+    $ldap = $ldap_connection[0];
+    $result = $ldap_connection[1];
+
+    # DN match
+    if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {
+        $result = "noentriesfound";
+        error_log("LDAP - $dn not found using the configured search settings, reject request");
+    } else {
+        if ($use_updatestarttime and $start_date) {
+            $startDate = new DateTime($start_date);
+            $ldapStartDate = $directory->getLdapDate($startDate);
+            $update = $ldapInstance->modify_attributes($dn, array( $attributes_map['starttime']['attribute'] => $ldapStartDate));
+            if ( $update[0] == 0 ) {
+                $result = "validiydatesupdated";
+            } else {
+                $result = "ldaperror";
+            }
+        }
+        if ($use_updateendtime and $end_date) {
+            $endDate = new DateTime($end_date);
+            $ldapEndDate = $directory->getLdapDate($endDate);
+            $update = $ldapInstance->modify_attributes($dn, array( $attributes_map['endtime']['attribute'] => $ldapEndDate));
+            if ( $update[0] == 0 and $result !== "ldaperror" ) {
+                $result = "validiydatesupdated";
+            } else {
+                $result = "ldaperror";
+            }
+       }
+    }
+}
+
+if ($audit_log_file) {
+    auditlog($audit_log_file, $dn, $audit_admin, "updatevaliditydates", $result, $comment);
+}
+
+header('Location: index.php?page='.$returnto.'&dn='.$dn.'&updatevaliditydatesresult='.$result);