diff --git a/conf/config.inc.php b/conf/config.inc.php index 66ccea7..2270fd1 100644 --- a/conf/config.inc.php +++ b/conf/config.inc.php @@ -276,13 +276,18 @@ # Debug mode $debug = false; -## Pre Hook -# Launch a prehook script before changing password. -# Script should return with 0, to allow password change. -# Any other exit code would abort password modification -#$prehook = "/usr/share/service-desk/prehook.sh"; +### Prehooks + +# Launch a prehook script before an action. +# Script should return with 0, else action will be aborted, unless error is ignored + # LDAP attribute used as login in posthook script -#$prehook_login = "uid"; +$prehook_login = "uid"; + +## Password reset + +#$prehook = "/usr/share/service-desk/prehook.sh"; + # Display prehook error #$display_prehook_error = true; # Encode passwords sent to prehook script as base64. This will prevent alteration of the passwords if set to true. 
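Review bot: The comment kept above the now-active `$prehook_login = "uid";` line still reads "LDAP attribute used as login in posthook script", so the prehook option is documented as the posthook one; it should read `# LDAP attribute used as login in prehook scripts`. Since the line is no longer commented out, `isset($prehook_login)` is true in every action script by default and the attribute lookup now runs whenever any hook is configured, which the comment could say explicitly, e.g. `# Looked up for every action that has a prehook configured`.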
@@ -291,17 +296,78 @@ # Ignore prehook error. This will allow to change password even if prehook script fails. #$ignore_prehook_error = true; -## Post Hook -# Launch a posthook script after successful password change -#$posthook = "/usr/share/service-desk/posthook.sh"; +## Lock + +#$prehook_lock = "/usr/share/service-desk/prehook_lock.sh"; +#$display_prehook_lock_error = true; +#$ignore_prehook_lock_error = true; + +## Unlock + +#$prehook_unlock = "/usr/share/service-desk/prehook_unlock.sh"; +#$display_prehook_unlock_error = true; +#$ignore_prehook_unlock_error = true; + +## Enable + +#$prehook_enable = "/usr/share/service-desk/prehook_enable.sh"; +#$display_prehook_enable_error = true; +#$ignore_prehook_enable_error = true; + +## Disable + +#$prehook_disable = "/usr/share/service-desk/prehook_disable.sh"; +#$display_prehook_disable_error = true; +#$ignore_prehook_disable_error = true; + +## Update validity + +#$prehook_updatevalidity = "/usr/share/service-desk/prehook_updatevalidity.sh"; +#$display_prehook_updatevalidity_error = true; +#$ignore_prehook_updatevalidity_error = true; + +### Posthooks + +# The posthook is only launched if the action was successful + # LDAP attribute used as login in posthook script -#$posthook_login = "uid"; +$posthook_login = "uid"; + +## Password reset + +#$posthook = "/usr/share/service-desk/posthook.sh"; + # Display posthook error #$display_posthook_error = true; # Encode passwords sent to posthook script as base64. This will prevent alteration of the passwords if set to true. 
# To read the actual password in the posthook script, use a base64_decode function/tool #$posthook_password_encodebase64 = false; +## Lock + +#$posthook_lock = "/usr/share/service-desk/posthook_lock.sh"; +#$display_posthook_lock_error = true; + +## Unlock + +#$posthook_unlock = "/usr/share/service-desk/posthook_unlock.sh"; +#$display_posthook_unlock_error = true; + +## Enable + +#$posthook_enable = "/usr/share/service-desk/posthook_enable.sh"; +#$display_posthook_enable_error = true; + +## Disable + +#$posthook_disable = "/usr/share/service-desk/posthook_disable.sh"; +#$display_posthook_disable_error = true; + +## Update validity + +#$posthook_updatevalidity = "/usr/share/service-desk/posthook_updatevalidity.sh"; +#$display_posthook_updatevalidity_error = true; + # The name of an HTTP Header that may hold a reference to an extra config file to include. #$header_name_extra_config="SSP-Extra-Config"; diff --git a/docs/hook.rst b/docs/hook.rst index 260ff14..35d1ed4 100644 --- a/docs/hook.rst +++ b/docs/hook.rst 
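Review bot: The new `$display_prehook_*_error` / `$ignore_prehook_*_error` / `$display_posthook_*_error` options are all shipped commented out, yet the action scripts in this commit read them unconditionally (`!$ignore_prehook_lock_error`, `$display_prehook_lock_error` and the unlock/enable/disable/updatevalidity variants), so with the configuration as shipped each read is an undefined variable: a warning per request and a value of null. Either ship explicit defaults here, e.g. `$display_prehook_lock_error = false;` and `$ignore_prehook_lock_error = false;` for each action, or note in the header comment that the scripts are expected to guard these reads with `isset()`. The `$posthook_login = "uid";` activation has the same implication as the prehook one: a directory lookup now happens for every hooked action by default.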
@@ -1,26 +1,38 @@ Hook ==== -Hook feature allows to run a script before or after the password modification. +Hook feature allows to run a script before or after an action: +* Password reset +* Password lock +* Password unlock +* Account enable +* Account disable +* Update validity dates -The script is called with two parameters: login and new password. +The script must return 0 if no error occured. Any text printed on STDOUT +will be displayed as an error message (see options). -Parameters ----------- +Login +----- -Define prehook or posthook script (and enable the feature): +Define which attribute will be used as login in prehook and posthook scripts: .. code-block:: php - $prehook = "/usr/share/service-desk/prehook.sh"; - $posthook = "/usr/share/service-desk/posthook.sh"; + $prehook_login = "uid"; + $posthook_login = "uid"; -Define which attribute will be used as login: +Password reset +-------------- + +The script is called with two parameters: login and new password. + +Define prehook or posthook script (and enable the feature): .. code-block:: php - $prehook_login = "uid"; - $posthook_login = "uid"; + $prehook = "/usr/share/service-desk/prehook.sh"; + $posthook = "/usr/share/service-desk/posthook.sh"; You can choose to display an error if the script return code is greater than 0: 
@@ -48,3 +60,128 @@ if it fails, but still try to update password in the directory. .. code-block:: php $ignore_prehook_error = true; + +Password lock +------------- + +The script is called with one parameter: login. + +Define prehook or posthook script (and enable the feature): + +.. code-block:: php + + $prehook_lock = "/usr/share/service-desk/prehook_lock.sh"; + $posthook_lock = "/usr/share/service-desk/posthook_lock.sh"; + +To display hook error: + +.. code-block:: php + + $display_prehook_lock_error = true; + $display_posthook_lock_error = true; + +To ignore prehook error: + +.. code-block:: php + + $ignore_prehook_lock_error = true; + +Password unlock +--------------- + +The script is called with one parameter: login. + +Define prehook or posthook script (and enable the feature): + +.. code-block:: php + + $prehook_unlock = "/usr/share/service-desk/prehook_unlock.sh"; + $posthook_unlock = "/usr/share/service-desk/posthook_unlock.sh"; + +To display hook error: + +.. code-block:: php + + $display_prehook_unlock_error = true; + $display_posthook_unlock_error = true; + +To ignore prehook error: + +.. code-block:: php + + $ignore_prehook_unlock_error = true; + +Account enable +-------------- + +The script is called with one parameter: login. + +Define prehook or posthook script (and enable the feature): + +.. code-block:: php + + $prehook_enable = "/usr/share/service-desk/prehook_enable.sh"; + $posthook_enable = "/usr/share/service-desk/posthook_enable.sh"; + +To display hook error: + +.. code-block:: php + + $display_prehook_enable_error = true; + $display_posthook_enable_error = true; + +To ignore prehook error: + +.. code-block:: php + + $ignore_prehook_enable_error = true; + +Account disable +--------------- + +The script is called with one parameter: login. + +Define prehook or posthook script (and disable the feature): + +.. 
code-block:: php + + $prehook_disable = "/usr/share/service-desk/prehook_disable.sh"; + $posthook_disable = "/usr/share/service-desk/posthook_disable.sh"; + +To display hook error: + +.. code-block:: php + + $display_prehook_disable_error = true; + $display_posthook_disable_error = true; + +To ignore prehook error: + +.. code-block:: php + + $ignore_prehook_disable_error = true; + +Update validity dates +--------------------- + +The script is called with one parameter: login. + +Define prehook or posthook script (and updatevalidity the feature): + +.. code-block:: php + + $prehook_updatevalidity = "/usr/share/service-desk/prehook_updatevalidity.sh"; + $posthook_updatevalidity = "/usr/share/service-desk/posthook_updatevalidity.sh"; + +To display hook error: + +.. code-block:: php + + $display_prehook_updatevalidity_error = true; + $display_posthook_updatevalidity_error = true; + +To ignore prehook error: + +.. code-block:: php + + $ignore_prehook_updatevalidity_error = true; diff --git a/htdocs/disableaccount.php b/htdocs/disableaccount.php index 916d9a8..232756a 100644 --- a/htdocs/disableaccount.php +++ b/htdocs/disableaccount.php @@ -8,6 +8,12 @@ $password = ""; $comment = ""; $returnto = "display"; +$prehook_login_value = ""; +$prehook_message = ""; +$prehook_return = 0; +$posthook_login_value = ""; +$posthook_message = ""; +$posthook_return = 0; if (isset($_POST["returnto"]) and $_POST["returnto"]) { $returnto = $_POST["returnto"]; @@ -32,6 +38,7 @@ require_once("../conf/config.inc.php"); require __DIR__ . '/../vendor/autoload.php'; + require_once("../lib/hook.inc.php"); # Connect to LDAP $ldap_connection = $ldapInstance->connect(); 
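Review bot: Initialising `$prehook_login_value = "";` and `$posthook_login_value = "";` at the top of disableaccount.php defeats the `!isset($prehook_login_value)` / `!isset($posthook_login_value)` guards added further down (the next hunk), because `isset("")` is true; when no login attribute is configured, or when `get_first_value` returns an empty string rather than null for a missing attribute (its contract is not visible here), the hook is executed with an empty login argument instead of being skipped. Initialise them to `null` (`$prehook_login_value = null;`, `$posthook_login_value = null;`) so the existing guard works, or tighten the guard to `if ( $prehook_login_value === null || $prehook_login_value === "" )`. The same initialisation is added in enableaccount.php, lockaccount.php, unlockaccount.php and updatevaliditydates.php.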
@@ -44,11 +51,48 @@ $result = "noentriesfound"; error_log("LDAP - $dn not found using the configured search settings, reject request"); } else { - if ( $directory->disableAccount($ldap, $dn) ) { - $result = "accountdisabled"; + + if ( isset($prehook_disable) || isset($posthook_disable) ) { + if ( isset($prehook_login) ) { + $prehook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $prehook_login); + } + if ( isset($posthook_login) ) { + $posthook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $posthook_login); + } + } + if ( isset($prehook_disable) ) { + + if ( !isset($prehook_login_value) ) { + $prehook_return = 255; + $prehook_message = "No login found, cannot execute prehook script"; + } else { + $command = hook_command($prehook_disable, $prehook_login_value); + exec($command, $prehook_output, $prehook_return); + $prehook_message = $prehook_output[0]; + } + } + + if ( $prehook_return > 0 and !$ignore_prehook_disable_error) { + $result = "hookerror"; } else { - $result = "ldaperror"; + if ( $directory->disableAccount($ldap, $dn) ) { + $result = "accountdisabled"; + } else { + $result = "ldaperror"; + } } + if ( $result === "accountdisabled" && isset($posthook_disable) ) { + + if ( !isset($posthook_login_value) ) { + $posthook_return = 255; + $posthook_message = "No login found, cannot execute posthook script"; + } else { + $command = hook_command($posthook_disable, $posthook_login_value); + exec($command, $posthook_output, $posthook_return); + $posthook_message = $posthook_output[0]; + } + } + } } 
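Review bot: `$prehook_message = $prehook_output[0];` (and the posthook twin below it) reads index 0 of the array `exec()` fills, which is empty whenever the script prints nothing to STDOUT; on PHP 8 that is an "Undefined array key 0" warning and a null message, which a failing-but-silent script will trigger every time. Use `$prehook_message = $prehook_output[0] ?? '';` and `$posthook_message = $posthook_output[0] ?? '';`. The same lines appear in the enableaccount.php, lockaccount.php, unlockaccount.php and updatevaliditydates.php hunks. The enclosing `if ($result === "")` block starts outside this hunk.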
@@ -56,4 +100,11 @@ auditlog($audit_log_file, $dn, $audit_admin, "disableaccount", $result, $comment); } -header('Location: index.php?page='.$returnto.'&dn='.$dn.'&disableaccountresult='.$result); +$location = 'index.php?page='.$returnto.'&dn='.$dn.'&disableaccountresult='.$result; +if ( isset($prehook_return) and $display_prehook_disable_error and $prehook_return > 0 ) { + $location .= '&prehookdisableresult='.$prehook_message; +} +if ( isset($posthook_return) and $display_posthook_disable_error and $posthook_return > 0 ) { + $location .= '&posthookdisableresult='.$posthook_message; +} +header('Location: '.$location); diff --git a/htdocs/display.php b/htdocs/display.php index b433211..22645f3 100644 --- a/htdocs/display.php +++ b/htdocs/display.php @@ -15,6 +15,14 @@ $disableaccountresult= ""; $prehookresult= ""; $posthookresult= ""; +$prehooklockresult= ""; +$posthooklockresult= ""; +$prehookunlockresult= ""; +$posthookunlockresult= ""; +$prehookenableresult= ""; +$posthookenableresult= ""; +$prehookdisableresult= ""; +$posthookdisableresult= ""; $ldapExpirationDate=""; $canLockAccount=""; $isAccountEnabled = ""; @@ -23,6 +31,8 @@ $startDate = ""; $endDate = ""; $updatevaliditydatesresult = ""; +$prehookupdatevalidityresult= ""; +$posthookupdatevalidityresult= ""; if (isset($_GET["dn"]) and $_GET["dn"]) { $dn = $_GET["dn"]; 
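Review bot: `$location .= '&prehookdisableresult='.$prehook_message;` appends the hook's raw STDOUT to the redirect URL without encoding, so any `&`, `#`, `%`, `+` or space in the script's message truncates or corrupts the query string that display.php then parses, and a message containing a newline makes `header()` reject the whole redirect. Encode both values: `$location .= '&prehookdisableresult='.urlencode($prehook_message);` and `$location .= '&posthookdisableresult='.urlencode($posthook_message);`. The `isset($prehook_return)` / `isset($posthook_return)` tests are always true now that both variables are initialised at the top of the file and can be dropped. The same redirect construction is added in enableaccount.php, lockaccount.php, unlockaccount.php and updatevaliditydates.php.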
@@ -64,9 +74,50 @@ $posthookresult = $_GET["posthookresult"]; } +if (isset($_GET["prehooklockresult"]) and $_GET["prehooklockresult"]) { + $prehooklockresult = $_GET["prehooklockresult"]; +} + +if (isset($_GET["posthooklockresult"]) and $_GET["posthooklockresult"]) { + $posthooklockresult = $_GET["posthooklockresult"]; +} + +if (isset($_GET["prehookunlockresult"]) and $_GET["prehookunlockresult"]) { + $prehookunlockresult = $_GET["prehookunlockresult"]; +} + +if (isset($_GET["posthookunlockresult"]) and $_GET["posthookunlockresult"]) { + $posthookunlockresult = $_GET["posthookunlockresult"]; +} + +if (isset($_GET["prehookenableresult"]) and $_GET["prehookenableresult"]) { + $prehookenableresult = $_GET["prehookenableresult"]; +} + +if (isset($_GET["posthookenableresult"]) and $_GET["posthookenableresult"]) { + $posthookenableresult = $_GET["posthookenableresult"]; +} + +if (isset($_GET["prehookdisableresult"]) and $_GET["prehookdisableresult"]) { + $prehookdisableresult = $_GET["prehookdisableresult"]; +} + +if (isset($_GET["posthookdisableresult"]) and $_GET["posthookdisableresult"]) { + $posthookdisableresult = $_GET["posthookdisableresult"]; +} + if (isset($_GET["updatevaliditydatesresult"]) and $_GET["updatevaliditydatesresult"]) { $updatevaliditydatesresult = $_GET["updatevaliditydatesresult"]; } + +if (isset($_GET["prehookupdatevalidityresult"]) and $_GET["prehookupdatevalidityresult"]) { + $prehookupdatevalidityresult = $_GET["prehookupdatevalidityresult"]; +} + +if (isset($_GET["posthookupdatevalidityresult"]) and $_GET["posthookupdatevalidityresult"]) { + $posthookupdatevalidityresult = $_GET["posthookupdatevalidityresult"]; +} + if ($result === "") { require_once("../conf/config.inc.php"); 
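Review bot: The ten new `if (isset($_GET["..."]) and $_GET["..."])` readers are identical except for the key and could be one loop over a list of parameter names feeding an associative array that is then handed to Smarty, which would also keep the later assign block in step with this one. These values are taken straight from the query string, so they are controllable by whoever crafts the URL, not just by the redirecting action script; they must be escaped on output, and since the templates/display.tpl hunk is cut off at the end of this page I cannot confirm the template applies Smarty's `|escape` to them. The `if ($result === "")` block that follows starts a section outside this hunk.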
@@ -218,8 +269,16 @@ $smarty->assign("disableaccountresult", $disableaccountresult); $smarty->assign("prehookresult", $prehookresult); $smarty->assign("posthookresult", $posthookresult); +$smarty->assign("prehooklockresult", $prehooklockresult); +$smarty->assign("posthooklockresult", $posthooklockresult); +$smarty->assign("prehookunlockresult", $prehookunlockresult); +$smarty->assign("posthookunlockresult", $posthookunlockresult); if ($canLockAccount == false) { $smarty->assign("use_lockaccount", $canLockAccount); } $smarty->assign("isAccountEnabled", $isAccountEnabled); +$smarty->assign("prehookenableresult", $prehookenableresult); +$smarty->assign("posthookenableresult", $posthookenableresult); +$smarty->assign("prehookdisableresult", $prehookdisableresult); +$smarty->assign("posthookdisableresult", $posthookdisableresult); if (isset($messages[$resetpasswordresult])) { $smarty->assign('msg_resetpasswordresult', $messages[$resetpasswordresult]); } else { @@ -229,5 +288,7 @@ $smarty->assign("startDate", $startDate); $smarty->assign("endDate", $endDate); $smarty->assign("updatevaliditydatesresult", $updatevaliditydatesresult); +$smarty->assign("prehookupdatevalidityresult", $prehookupdatevalidityresult); +$smarty->assign("posthookupdatevalidityresult", $posthookupdatevalidityresult); ?> diff --git a/htdocs/enableaccount.php b/htdocs/enableaccount.php index 166eeef..6b0cccc 100644 --- a/htdocs/enableaccount.php +++ b/htdocs/enableaccount.php @@ -7,6 +7,12 @@ $dn = ""; $comment = ""; $returnto = "display"; +$prehook_login_value = ""; +$prehook_message = ""; +$prehook_return = 0; +$posthook_login_value = ""; +$posthook_message = ""; +$posthook_return = 0; if (isset($_POST["returnto"]) and $_POST["returnto"]) { $returnto = $_POST["returnto"]; 
@@ -28,10 +34,15 @@ $comment = $_POST["comment"]; } +if (!$use_enableaccount) { + $result = "actionforbidden"; +} + if ($result === "") { require_once("../conf/config.inc.php"); require __DIR__ . '/../vendor/autoload.php'; + require_once("../lib/hook.inc.php"); # Connect to LDAP $ldap_connection = $ldapInstance->connect(); @@ -44,10 +55,47 @@ $result = "noentriesfound"; error_log("LDAP - $dn not found using the configured search settings, reject request"); } else { - if ( $directory->enableAccount($ldap, $dn) ) { - $result = "accountenabled"; + + if ( isset($prehook_enable) || isset($posthook_enable) ) { + if ( isset($prehook_login) ) { + $prehook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $prehook_login); + } + if ( isset($posthook_login) ) { + $posthook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $posthook_login); + } + } + if ( isset($prehook_enable) ) { + + if ( !isset($prehook_login_value) ) { + $prehook_return = 255; + $prehook_message = "No login found, cannot execute prehook script"; + } else { + $command = hook_command($prehook_enable, $prehook_login_value); + exec($command, $prehook_output, $prehook_return); + $prehook_message = $prehook_output[0]; + } + } + + if ( $prehook_return > 0 and !$ignore_prehook_enable_error) { + $result = "hookerror"; } else { - $result = "ldaperror"; + if ( $directory->enableAccount($ldap, $dn) ) { + $result = "accountenabled"; + } else { + $result = "ldaperror"; + } + } + + if ( $result === "accountenabled" && isset($posthook_enable) ) { + + if ( !isset($posthook_login_value) ) { + $posthook_return = 255; + $posthook_message = "No login found, cannot execute posthook script"; + } else { + $command = hook_command($posthook_enable, $posthook_login_value); + exec($command, $posthook_output, $posthook_return); + $posthook_message = $posthook_output[0]; + } } } } 
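Review bot: `if (!$use_enableaccount) { $result = "actionforbidden"; }` is evaluated before the `require_once("../conf/config.inc.php")` that sits a few lines below it inside `if ($result === "")`; unless the configuration has already been loaded by an earlier include (index.php, not visible in this diff), `$use_enableaccount` is undefined at that point and every request ends in `actionforbidden`. Moving the check after the require, or into the `if ($result === "")` block, removes the dependency on include order. The disableaccount.php hunks add no equivalent guard; if a matching option exists for disabling, it should be checked the same way. The hook logic in the second hunk shares the `$prehook_output[0]` and empty-login issues raised on disableaccount.php.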
@@ -56,4 +104,11 @@ auditlog($audit_log_file, $dn, $audit_admin, "enableaccount", $result, $comment); } -header('Location: index.php?page='.$returnto.'&dn='.$dn.'&enableaccountresult='.$result); +$location = 'index.php?page='.$returnto.'&dn='.$dn.'&enableaccountresult='.$result; +if ( isset($prehook_return) and $display_prehook_enable_error and $prehook_return > 0 ) { + $location .= '&prehookenableresult='.$prehook_message; +} +if ( isset($posthook_return) and $display_posthook_enable_error and $posthook_return > 0 ) { + $location .= '&posthookenableresult='.$posthook_message; +} +header('Location: '.$location); diff --git a/htdocs/lockaccount.php b/htdocs/lockaccount.php index 102e5c3..c0dcc5e 100644 --- a/htdocs/lockaccount.php +++ b/htdocs/lockaccount.php @@ -7,6 +7,12 @@ $dn = ""; $comment = ""; $returnto = "display"; +$prehook_login_value = ""; +$prehook_message = ""; +$prehook_return = 0; +$posthook_login_value = ""; +$posthook_message = ""; +$posthook_return = 0; if (isset($_POST["returnto"]) and $_POST["returnto"]) { $returnto = $_POST["returnto"]; @@ -26,6 +32,7 @@ require_once("../conf/config.inc.php"); require __DIR__ . '/../vendor/autoload.php'; + require_once("../lib/hook.inc.php"); # Connect to LDAP $ldap_connection = $ldapInstance->connect(); 
@@ -33,22 +40,61 @@ $ldap = $ldap_connection[0]; $result = $ldap_connection[1]; - # DN match - if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) { - $result = "noentriesfound"; - error_log("LDAP - $dn not found using the configured search settings, reject request"); - } else { - # Get password policy configuration - $pwdPolicyConfiguration = $directory->getPwdPolicyConfiguration($ldap, $dn, $ldap_default_ppolicy); - if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_duration; } - if ($ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; } - - # Apply the modification only the password can be locked - if ($pwdPolicyConfiguration["lockout_enabled"]) { - if ( $directory->lockAccount($ldap, $dn) ) { - $result = "accountlocked"; + if ($ldap) { + # DN match + if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) { + $result = "noentriesfound"; + error_log("LDAP - $dn not found using the configured search settings, reject request"); + } else { + if ( isset($prehook_lock) || isset($posthook_lock) ) { + if ( isset($prehook_login) ) { + $prehook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $prehook_login); + } + if ( isset($posthook_login) ) { + $posthook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $posthook_login); + } + } + + if ( isset($prehook_lock) ) { + + if ( !isset($prehook_login_value) ) { + $prehook_return = 255; + $prehook_message = "No login found, cannot execute prehook script"; + } else { + $command = hook_command($prehook_lock, $prehook_login_value); + exec($command, $prehook_output, $prehook_return); + $prehook_message = $prehook_output[0]; + } + } + + if ( $prehook_return > 0 and !$ignore_prehook_lock_error) { + $result = "hookerror"; } else { - $result = "ldaperror"; + # Get password policy configuration + 
$pwdPolicyConfiguration = $directory->getPwdPolicyConfiguration($ldap, $dn, $ldap_default_ppolicy); + if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_durantion; } + if ($ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; } + + # Apply the modification only if the password can be locked + if ($pwdPolicyConfiguration["lockout_enabled"]) { + if ( $directory->lockAccount($ldap, $dn) ) { + $result = "accountlocked"; + } else { + $result = "ldaperror"; + } + } + } + + if ( $result === "accountlocked" && isset($posthook_lock) ) { + + if ( !isset($posthook_login_value) ) { + $posthook_return = 255; + $posthook_message = "No login found, cannot execute posthook script"; + } else { + $command = hook_command($posthook_lock, $posthook_login_value); + exec($command, $posthook_output, $posthook_return); + $posthook_message = $posthook_output[0]; + } } } } @@ -58,4 +104,11 @@ auditlog($audit_log_file, $dn, $audit_admin, "lockaccount", $result, $comment); } -header('Location: index.php?page='.$returnto.'&dn='.$dn.'&lockaccountresult='.$result); +$location = 'index.php?page='.$returnto.'&dn='.$dn.'&lockaccountresult='.$result; +if ( isset($prehook_return) and $display_prehook_lock_error and $prehook_return > 0 ) { + $location .= '&prehooklockresult='.$prehook_message; +} +if ( isset($posthook_return) and $display_posthook_lock_error and $posthook_return > 0 ) { + $location .= '&posthooklockresult='.$posthook_message; +} +header('Location: '.$location); diff --git a/htdocs/resetpassword.php b/htdocs/resetpassword.php index f442038..a383829 100644 --- a/htdocs/resetpassword.php +++ b/htdocs/resetpassword.php 
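Review bot: The re-indented policy line now reads `$pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_durantion;` whereas the removed line assigned `$ldap_lockout_duration`; the new name is undefined, so whenever `$ldap_lockout_duration` is configured the policy's `lockout_duration` is overwritten with null (plus a warning) instead of the configured value. Restore it: `if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_duration; }`. Note also that when `lockout_enabled` is false `$result` keeps whatever `$ldap_connection[1]` held, so the caller gets neither a success nor an error code for that case; that behaviour predates this commit but is now harder to see inside the extra nesting. The enclosing `if ($result === "")` block starts outside this hunk.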
@@ -48,15 +48,11 @@ error_log("LDAP - $dn not found using the configured search settings, reject request"); } else { if ( isset($prehook) || isset($posthook) ) { - $login_search = ldap_read($ldap, $dn, '(objectClass=*)', array($prehook_login, $posthook_login)); - $login_entry = ldap_first_entry( $ldap, $login_search ); if ( isset($prehook_login) ) { - $prehook_login_values = ldap_get_values( $ldap, $login_entry, $prehook_login ); - $prehook_login_value = $prehook_login_values[0]; + $prehook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $prehook_login); } if ( isset($posthook_login) ) { - $posthook_login_values = ldap_get_values( $ldap, $login_entry, $posthook_login ); - $posthook_login_value = $posthook_login_values[0]; + $posthook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $posthook_login); } } @@ -103,7 +99,7 @@ $prehook_return = 255; $prehook_message = "No login found, cannot execute prehook script"; } else { - $command = hook_command($prehook, $prehook_login_value, $password, null, $prehook_password_encodebase64); + $command = password_hook_command($prehook, $prehook_login_value, $password, null, $prehook_password_encodebase64); exec($command, $prehook_output, $prehook_return); $prehook_message = $prehook_output[0]; } @@ -127,7 +123,7 @@ $posthook_return = 255; $posthook_message = "No login found, cannot execute posthook script"; } else { - $command = hook_command($posthook, $posthook_login_value, $password, null, $posthook_password_encodebase64); + $command = password_hook_command($posthook, $posthook_login_value, $password, null, $posthook_password_encodebase64); exec($command, $posthook_output, $posthook_return); $posthook_message = $posthook_output[0]; } diff --git a/htdocs/unlockaccount.php b/htdocs/unlockaccount.php index 0f1664b..e13223a 100644 --- a/htdocs/unlockaccount.php +++ b/htdocs/unlockaccount.php 
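Review bot: Renaming the password variant to `password_hook_command` while reusing the name `hook_command` for the new two-argument login-only helper means any caller not migrated in this diff (an extra config file, a script outside the repository's htdocs) keeps calling `hook_command($hook, $login, $password, ...)` without error, because PHP silently ignores surplus arguments to user-defined functions, and the hook then runs without the password. A repository-wide search for `hook_command(` before merging, or keeping a deprecated wrapper that forwards to `password_hook_command` when more than two arguments are given, would make the rename safe. The first hunk's switch to two `get_first_value` calls also means the `$prehook_login_value` / `$posthook_login_value` guards further down now depend on what that method returns for a missing attribute, which is not visible here.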
@@ -7,6 +7,12 @@ $dn = ""; $comment = ""; $returnto = "display"; +$prehook_login_value = ""; +$prehook_message = ""; +$prehook_return = 0; +$posthook_login_value = ""; +$posthook_message = ""; +$posthook_return = 0; if (isset($_POST["returnto"]) and $_POST["returnto"]) { $returnto = $_POST["returnto"]; @@ -32,6 +38,7 @@ require_once("../conf/config.inc.php"); require __DIR__ . '/../vendor/autoload.php'; + require_once("../lib/hook.inc.php"); # Connect to LDAP $ldap_connection = $ldapInstance->connect(); 
@@ -39,15 +46,55 @@ $ldap = $ldap_connection[0]; $result = $ldap_connection[1]; - # DN match - if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) { - $result = "noentriesfound"; - error_log("LDAP - $dn not found using the configured search settings, reject request"); - } else { - if ( $directory->unlockAccount($ldap, $dn) ) { - $result = "accountunlocked"; + if ($ldap) { + # DN match + if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) { + $result = "noentriesfound"; + error_log("LDAP - $dn not found using the configured search settings, reject request"); } else { - $result = "ldaperror"; + + if ( isset($prehook_unlock) || isset($posthook_unlock) ) { + if ( isset($prehook_login) ) { + $prehook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $prehook_login); + } + if ( isset($posthook_login) ) { + $posthook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $posthook_login); + } + } + + if ( isset($prehook_unlock) ) { + + if ( !isset($prehook_login_value) ) { + $prehook_return = 255; + $prehook_message = "No login found, cannot execute prehook script"; + } else { + $command = hook_command($prehook_unlock, $prehook_login_value); + exec($command, $prehook_output, $prehook_return); + $prehook_message = $prehook_output[0]; + } + } + + if ( $prehook_return > 0 and !$ignore_prehook_unlock_error) { + $result = "hookerror"; + } else { + if ( $directory->unlockAccount($ldap, $dn) ) { + $result = "accountunlocked"; + } else { + $result = "ldaperror"; + } + } + + if ( $result === "accountunlocked" && isset($posthook_unlock) ) { + + if ( !isset($posthook_login_value) ) { + $posthook_return = 255; + $posthook_message = "No login found, cannot execute posthook script"; + } else { + $command = hook_command($posthook_unlock, $posthook_login_value); + exec($command, $posthook_output, $posthook_return); + $posthook_message = 
$posthook_output[0]; + } + } } } } @@ -56,4 +103,11 @@ auditlog($audit_log_file, $dn, $audit_admin, "unlockaccount", $result, $comment); } -header('Location: index.php?page='.$returnto.'&dn='.$dn.'&unlockaccountresult='.$result); +$location = 'index.php?page='.$returnto.'&dn='.$dn.'&unlockaccountresult='.$result; +if ( isset($prehook_return) and $display_prehook_unlock_error and $prehook_return > 0 ) { + $location .= '&prehookunlockresult='.$prehook_message; +} +if ( isset($posthook_return) and $display_posthook_unlock_error and $posthook_return > 0 ) { + $location .= '&posthookunlockresult='.$posthook_message; +} +header('Location: '.$location); diff --git a/htdocs/updatevaliditydates.php b/htdocs/updatevaliditydates.php index 8926fe7..570bc67 100644 --- a/htdocs/updatevaliditydates.php +++ b/htdocs/updatevaliditydates.php @@ -9,6 +9,12 @@ $end_date = ""; $comment = ""; $returnto = "display"; +$prehook_login_value = ""; +$prehook_message = ""; +$prehook_return = 0; +$posthook_login_value = ""; +$posthook_message = ""; +$posthook_return = 0; if (isset($_POST["returnto"]) and $_POST["returnto"]) { $returnto = $_POST["returnto"]; @@ -40,7 +46,7 @@ require_once("../conf/config.inc.php"); require __DIR__ . '/../vendor/autoload.php'; - + require_once("../lib/hook.inc.php"); # Connect to LDAP $ldap_connection = $ldapInstance->connect(); 
@@ -53,26 +59,65 @@ $result = "noentriesfound"; error_log("LDAP - $dn not found using the configured search settings, reject request"); } else { - if ($use_updatestarttime and $start_date) { - $startDate = new DateTime($start_date); - $ldapStartDate = $directory->getLdapDate($startDate); - $update = $ldapInstance->modify_attributes($dn, array( $attributes_map['starttime']['attribute'] => $ldapStartDate)); - if ( $update[0] == 0 ) { - $result = "validiydatesupdated"; + + if ( isset($prehook_updatevalidity) || isset($posthook_updatevalidity) ) { + if ( isset($prehook_login) ) { + $prehook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $prehook_login); + } + if ( isset($posthook_login) ) { + $posthook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $posthook_login); + } + } + if ( isset($prehook_updatevalidity) ) { + + if ( !isset($prehook_login_value) ) { + $prehook_return = 255; + $prehook_message = "No login found, cannot execute prehook script"; } else { - $result = "ldaperror"; + $command = validity_hook_command($prehook_updatevalidity, $prehook_login_value, $start_date, $end_date); + exec($command, $prehook_output, $prehook_return); + $prehook_message = $prehook_output[0]; } } - if ($use_updateendtime and $end_date) { - $endDate = new DateTime($end_date); - $ldapEndDate = $directory->getLdapDate($endDate); - $update = $ldapInstance->modify_attributes($dn, array( $attributes_map['endtime']['attribute'] => $ldapEndDate)); - if ( $update[0] == 0 and $result !== "ldaperror" ) { - $result = "validiydatesupdated"; + + if ( $prehook_return > 0 and !$ignore_prehook_updatevalidity_error) { + $result = "hookerror"; + } else { + + if ($use_updatestarttime and $start_date) { + $startDate = new DateTime($start_date); + $ldapStartDate = $directory->getLdapDate($startDate); + $update = $ldapInstance->modify_attributes($dn, array( $attributes_map['starttime']['attribute'] => $ldapStartDate)); + if ( $update[0] == 0 ) { 
+ $result = "validiydatesupdated"; + } else { + $result = "ldaperror"; + } + } + if ($use_updateendtime and $end_date) { + $endDate = new DateTime($end_date); + $ldapEndDate = $directory->getLdapDate($endDate); + $update = $ldapInstance->modify_attributes($dn, array( $attributes_map['endtime']['attribute'] => $ldapEndDate)); + if ( $update[0] == 0 and $result !== "ldaperror" ) { + $result = "validiydatesupdated"; + } else { + $result = "ldaperror"; + } + } + } + + if ( $result === "validiydatesupdated" && isset($posthook_updatevalidity) ) { + + if ( !isset($posthook_login_value) ) { + $posthook_return = 255; + $posthook_message = "No login found, cannot execute posthook script"; } else { - $result = "ldaperror"; + $command = validiy_hook_command($posthook_updatevalidity, $posthook_login_value, $start_date, $end_date); + exec($command, $posthook_output, $posthook_return); + $posthook_message = $posthook_output[0]; } - } + } + } } @@ -80,4 +125,11 @@ auditlog($audit_log_file, $dn, $audit_admin, "updatevaliditydates", $result, $comment); } -header('Location: index.php?page='.$returnto.'&dn='.$dn.'&updatevaliditydatesresult='.$result); +$location = 'index.php?page='.$returnto.'&dn='.$dn.'&updatevaliditydatesresult='.$result; +if ( isset($prehook_return) and $display_prehook_updatevalidity_error and $prehook_return > 0 ) { + $location .= '&prehookupdatevalidityresult='.$prehook_message; +} +if ( isset($posthook_return) and $display_posthook_updatevalidity_error and $posthook_return > 0 ) { + $location .= '&posthookupdatevalidityresult='.$posthook_message; +} +header('Location: '.$location); diff --git a/lang/en.inc.php b/lang/en.inc.php index e8a944f..3091aa9 100644 --- a/lang/en.inc.php +++ b/lang/en.inc.php 
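Review bot: The posthook branch calls `validiy_hook_command(...)` while the prehook branch and lib/hook.inc.php define `validity_hook_command`, so the first successful validity update with `$posthook_updatevalidity` configured dies with an undefined-function fatal error after the directory has already been modified. Fix the call: `$command = validity_hook_command($posthook_updatevalidity, $posthook_login_value, $start_date, $end_date);`. The prehook also receives `$start_date` and `$end_date` exactly as posted, before `new DateTime($start_date)` has had a chance to reject them, so a hook may act on a value the directory update will then fail on; validating the dates before the prehook block would keep the two in agreement. The `$prehook_output[0]` issue raised on disableaccount.php applies here as well.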
@@ -41,6 +41,7 @@ $messages['expiredaccounts'] = "Passwords expired"; $messages['false'] = "No"; $messages['forcereset'] = "Force reset at next connection"; +$messages['hookerror'] = "An error occured in the hook"; $messages['idleaccounts'] = "Idle accounts"; $messages['idleaccountstitle'] = "Accounts idle for more than $idledays days"; $messages['insert_comment'] = "Insert comment"; diff --git a/lang/fr.inc.php b/lang/fr.inc.php index afe2b13..ce9bddf 100644 --- a/lang/fr.inc.php +++ b/lang/fr.inc.php @@ -41,6 +41,7 @@ $messages['expiredaccounts'] = "Mots de passe expirés"; $messages['false'] = "Non"; $messages['forcereset'] = "Forcer la réinitialisation à la prochaine connexion"; +$messages['hookerror'] = "Une erreur s'est produite dans le hook"; $messages['idleaccounts'] = "Comptes inactifs"; $messages['idleaccountstitle'] = "Comptes inactifs depuis plus de $idledays jours"; $messages['insert_comment'] = "Insérer un commentaire"; diff --git a/lib/hook.inc.php b/lib/hook.inc.php index ec35b2a..2fc8895 100644 --- a/lib/hook.inc.php +++ b/lib/hook.inc.php 
@@ -2,16 +2,16 @@ # Code taken from LTB Self Service Password -/* @function string hook_command(string $hook, string $login, string $newpassword, null|string $oldpassword, null|boolean $hook_password_encodebase64) - Creates the command line to execute for the prehook/posthook process. Passwords will be base64 encoded if configured. Base64 encoding will prevent passwords with special +/* @function string password_hook_command(string $hook, string $login, string $newpassword, null|string $oldpassword, null|boolean $hook_password_encodebase64) + Creates the command line to execute for the prehook/posthook for password reste. Passwords will be base64 encoded if configured. Base64 encoding will prevent passwords with special characters to be modified by the escapeshellarg() function. @param $hook string script/command to execute for procesing hook data @param $login string username to change/set password for @param $newpassword string new passwword for given login @param $oldpassword string old password for given login @param hook_password_encodebase64 boolean set to true if passwords are to be converted to base64 encoded strings -*/ -function hook_command($hook, $login, $newpassword, $oldpassword = null, $hook_password_encodebase64 = false) { + */ +function password_hook_command($hook, $login, $newpassword, $oldpassword = null, $hook_password_encodebase64 = false) { $command = ''; if ( isset($hook_password_encodebase64) && $hook_password_encodebase64 ) { 
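Review bot: Renaming the password helper to `password_hook_command` while the next hunk redefines `hook_command` with a two-argument signature means a password-reset caller not updated in this commit keeps calling `hook_command($hook, $login, $newpassword, ...)` and, because PHP ignores surplus arguments, silently runs the script without the password instead of failing; unless every caller is verified as updated, a fresh name such as `login_hook_command` for the new helper would make a stale call fail loudly. The docblock typo `reste` should read `reset`. The function's body continues outside the hunk.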
@@ -31,4 +31,28 @@ function hook_command($hook, $login, $newpassword, $oldpassword = null, $hook_pa return $command; } +/* @function string hook_command(string $hook, string $login) + Creates hook command line passing login as parameter + @param $hook string script/command to execute for procesing hook data + @param $login string username + */ +function hook_command($hook, $login) { + $command = escapeshellcmd($hook).' '.escapeshellarg($login); + return $command; +} + +/* @function string validity_hook_command(string $hook, string $login, string $start_date, string $end_date) + Creates hook command line passing login and dates as parameter + @param $hook string script/command to execute for procesing hook data + @param $login string username + @param $start_date string start date YYYY-MM-DD + @param $end_date string end date YYYY-MM-DD + */ +function validity_hook_command($hook, $login, $start_date, $end_date) { + if (!$start_date) { $start_date = "0000-00-00"; } + if (!$end_date) { $end_date = "0000-00-00"; } + $command = escapeshellcmd($hook).' '.escapeshellarg($login).' '.escapeshellarg($start_date).' '.escapeshellarg($end_date); + return $command; +} + ?> diff --git a/templates/display.tpl b/templates/display.tpl index b4e93be..2fdfb7e 100644 --- a/templates/display.tpl +++ b/templates/display.tpl @@ -234,6 +234,18 @@
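Review bot: The new function is declared as `validity_hook_command`, but the posthook call added in the updatevalidity.php hunk above spells it `validiy_hook_command`, so a configured `$posthook_updatevalidity` ends in an undefined-function fatal after the LDAP update has already been applied; one of the two spellings has to change. The `"0000-00-00"` placeholder substituted for an empty date is a contract the hook script must know about, so state it in the docblock, e.g. `@param $start_date string start date YYYY-MM-DD, "0000-00-00" when not set`, and the same for `$end_date`.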
+ {if $prehooklockresult} +
{$prehooklockresult}
+ {/if} + {if $posthooklockresult} +
{$posthooklockresult}
+ {/if} + {if $prehookunlockresult} +
{$prehookunlockresult}
+ {/if} + {if $posthookunlockresult} +
{$posthookunlockresult}
+ {/if} {if $unlockDate}

{$msg_unlockdate} {$unlockDate|date_format:{$date_specifiers}}

{/if} @@ -271,8 +283,20 @@
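Review bot: The hook results are echoed raw (`{$prehooklockresult}`, `{$posthooklockresult}` and the unlock pair), yet these values travel through the redirect query string — the updatevalidity.php hunk above builds `&prehookupdatevalidityresult=` that way — so whoever crafts the URL controls the text placed in the page; unless Smarty's `escape_html` setting is enabled for this template, emit them as `{$prehooklockresult|escape}` and likewise for each hook-result variable. The same applies to the hunks at 271, 320 and 395 below. Whether the controller assigns these variables from the request without escaping is not visible in this diff, so confirm it there.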

- {if $use_lockaccount} + {if $use_lockaccount || $prehooklockresult || $posthooklockresult || $prehookunlockresult || $posthookunlockresult}
+ {if $prehooklockresult} +
{$prehooklockresult}
+ {/if} + {if $posthooklockresult} +
{$posthooklockresult}
+ {/if} + {if $prehookunlockresult} +
{$prehookunlockresult}
+ {/if} + {if $posthookunlockresult} +
{$posthookunlockresult}
+ {/if} {if $lockaccountresult eq 'ldaperror'}
{$msg_accountnotlocked}
{/if} @@ -320,11 +344,23 @@ {$msg_accountenabled}

- {if $use_disableaccount} + {if $use_disableaccount || $prehookenableresult || posthookenableresult || $prehookdisableresult || $posthookdisableresult}
{if $disableaccountresult eq 'ldaperror' or $disableaccountresult eq 'actionforbidden'}
{$msg_accountnotdisabled}
{/if} + {if $prehookenableresult} +
{$prehookenableresult}
+ {/if} + {if $posthookenableresult} +
{$posthookenableresult}
+ {/if} + {if $prehookdisableresult} +
{$prehookdisableresult}
+ {/if} + {if $posthookdisableresult} +
{$posthookdisableresult}
+ {/if} {if $use_disablecomment}
- {if $use_enableaccount} + {if $use_enableaccount || $prehookenableresult || $posthookenableresult || $prehookdisableresult || $posthookdisableresult}
{if $enableaccountresult eq 'ldaperror' or $enableaccountresult eq 'actionforbidden'}
{$msg_accountnotenabled}
{/if} + {if $prehookenableresult} +
{$prehookenableresult}
+ {/if} + {if $posthookenableresult} +
{$posthookenableresult}
+ {/if} + {if $prehookdisableresult} +
{$prehookdisableresult}
+ {/if} + {if $posthookdisableresult} +
{$posthookdisableresult}
+ {/if} {if $use_enablecomment}
- {if $use_updatestarttime or $use_updateendtime} + {if $use_updatestarttime || $use_updateendtime || $prehookupdatevalidityresult || $posthookupdatevalidityresult}
{if $updatevaliditydatesresult eq 'ldaperror' or $updatevaliditydatesresult eq 'actionforbidden'}
{$msg_validitydatesnotupdated}
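Review bot: The condition opening the disable section reads `posthookenableresult` without the `$`, so Smarty evaluates a literal string, which is always truthy, and the section renders even when `$use_disableaccount` is off; it should be `{if $use_disableaccount || $prehookenableresult || $posthookenableresult || $prehookdisableresult || $posthookdisableresult}`. The same four hook-result blocks also appear in both the disable and the enable sections, so a single hook message is shown twice when both sections are active; showing each message once, next to its own action's result, would avoid the repetition. The enclosing template section continues outside the hunk.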
@@ -395,6 +443,12 @@ {if $updatevaliditydatesresult eq 'validiydatesupdated'}
{$msg_validitydatesupdated}
{/if} + {if $prehookupdatevalidityresult} +
{$prehookupdatevalidityresult}
+ {/if} + {if $posthookupdatevalidityresult} +
{$posthookupdatevalidityresult}
+ {/if}
{if $use_updatestarttime}