From e5c1dac402e025a51fa561bb4e62156e49a99a1d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20OUDOT?=
Date: Tue, 29 Oct 2024 18:39:17 +0100
Subject: [PATCH 01/10] Hook command is specific for password reset
---
 htdocs/resetpassword.php | 12 ++++--------
 lib/hook.inc.php | 18 ++++++++++++++----
 2 files changed, 18 insertions(+), 12 deletions(-)
diff --git a/htdocs/resetpassword.php b/htdocs/resetpassword.php
index db9e5650..a69fb7c0 100644
--- a/htdocs/resetpassword.php
+++ b/htdocs/resetpassword.php
@@ -45,15 +45,11 @@
 if ($ldap) {
 if ( isset($prehook) || isset($posthook) ) {
- $login_search = ldap_read($ldap, $dn, '(objectClass=*)', array($prehook_login, $posthook_login));
- $login_entry = ldap_first_entry( $ldap, $login_search );
 if ( isset($prehook_login) ) {
- $prehook_login_values = ldap_get_values( $ldap, $login_entry, $prehook_login );
- $prehook_login_value = $prehook_login_values[0];
+ $prehook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $prehook_login);
 }
 if ( isset($posthook_login) ) {
- $posthook_login_values = ldap_get_values( $ldap, $login_entry, $posthook_login );
- $posthook_login_value = $posthook_login_values[0];
+ $posthook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $posthook_login);
 }
 }
@@ -100,7 +96,7 @@
 $prehook_return = 255;
 $prehook_message = "No login found, cannot execute prehook script";
 } else {
- $command = hook_command($prehook, $prehook_login_value, $password, null, $prehook_password_encodebase64);
+ $command = password_hook_command($prehook, $prehook_login_value, $password, null, $prehook_password_encodebase64);
 exec($command, $prehook_output, $prehook_return);
 $prehook_message = $prehook_output[0];
 } 
@@ -124,7 +120,7 @@
 $posthook_return = 255;
 $posthook_message = "No login found, cannot execute posthook script";
 } else {
- $command = hook_command($posthook, $posthook_login_value, $password, null, $posthook_password_encodebase64);
+ $command = password_hook_command($posthook, $posthook_login_value, $password, null, $posthook_password_encodebase64);
 exec($command, $posthook_output, $posthook_return);
 $posthook_message = $posthook_output[0];
 }
diff --git a/lib/hook.inc.php b/lib/hook.inc.php
index ec35b2a5..4b96d6da 100644
--- a/lib/hook.inc.php
+++ b/lib/hook.inc.php 
@@ -2,16 +2,16 @@
 # Code taken from LTB Self Service Password
-/* @function string hook_command(string $hook, string $login, string $newpassword, null|string $oldpassword, null|boolean $hook_password_encodebase64)
- Creates the command line to execute for the prehook/posthook process. Passwords will be base64 encoded if configured. Base64 encoding will prevent passwords with special
+/* @function string password_hook_command(string $hook, string $login, string $newpassword, null|string $oldpassword, null|boolean $hook_password_encodebase64)
+ Creates the command line to execute for the prehook/posthook for password reste. Passwords will be base64 encoded if configured. Base64 encoding will prevent passwords with special
 characters to be modified by the escapeshellarg() function.
 @param $hook string script/command to execute for procesing hook data
 @param $login string username to change/set password for
 @param $newpassword string new passwword for given login
 @param $oldpassword string old password for given login
 @param hook_password_encodebase64 boolean set to true if passwords are to be converted to base64 encoded strings
-*/
-function hook_command($hook, $login, $newpassword, $oldpassword = null, $hook_password_encodebase64 = false) {
+ */
+function password_hook_command($hook, $login, $newpassword, $oldpassword = null, $hook_password_encodebase64 = false) {
 $command = '';
 if ( isset($hook_password_encodebase64) && $hook_password_encodebase64 ) {
@@ -31,4 +31,14 @@ function hook_command($hook, $login, $newpassword, $oldpassword = null, $hook_pa
 return $command;
 }
+/* @function string hook_command(string $hook, string $login)
+ Creates hook command line passing login as parameter
+ @param $hook string script/command to execute for procesing hook data
+ @param $login string username
+ */
+function hook_command($hook, $login) {
+ $command = escapeshellcmd($hook).' '.escapeshellarg($login);
+ return $command;
+}
+
 ?> 
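Review bot: The new `hook_command` builds and returns a runnable command line even when `$login` is empty, because `escapeshellarg('')` yields `''`, so a caller that failed to resolve the login attribute still launches the hook with a blank argument; rejecting that case here protects every caller at once, e.g. `if ($login === null || $login === '') { throw new InvalidArgumentException('hook login must not be empty'); }` ahead of the `escapeshellcmd` line. Both functions are untyped; `function hook_command(string $hook, string $login): string` would state the contract the action scripts rely on. The docblock copied into the new function keeps the "procesing" typo, and the renamed `password_hook_command` docblock in the hunk above introduces "password reste"; both should read "processing" and "password reset".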
From 93cbbb4f4b4251a48c5b84032c54811254dc94f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20OUDOT?=
Date: Tue, 29 Oct 2024 18:39:35 +0100
Subject: [PATCH 02/10] WIP hook for unlock event
---
 conf/config.inc.php | 42 +++++++++++++++++++++-------
 htdocs/unlockaccount.php | 60 +++++++++++++++++++++++++++++++++++++---
 templates/display.tpl | 6 ++++
 3 files changed, 94 insertions(+), 14 deletions(-)
diff --git a/conf/config.inc.php b/conf/config.inc.php
index e232141f..c2301e33 100644
--- a/conf/config.inc.php
+++ b/conf/config.inc.php
@@ -258,13 +258,18 @@
 # Debug mode
 $debug = false;
-## Pre Hook
-# Launch a prehook script before changing password.
-# Script should return with 0, to allow password change.
-# Any other exit code would abort password modification
-#$prehook = "/usr/share/service-desk/prehook.sh";
+### Prehooks
+
+# Launch a prehook script before an action.
+# Script should return with 0, else action will be aborted, unless error is ignored
+
 # LDAP attribute used as login in posthook script
-#$prehook_login = "uid";
+$prehook_login = "uid";
+
+## Password reset
+
+#$prehook = "/usr/share/service-desk/prehook.sh";
+
 # Display prehook error
 #$display_prehook_error = true;
 # Encode passwords sent to prehook script as base64. This will prevent alteration of the passwords if set to true. 
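Review bot: `$prehook_login = "uid";` is uncommented here, so the shipped config now always defines it, which appears to change behaviour for existing deployments that set `$prehook` without `$prehook_login`: the "No login found" path seen in resetpassword.php (patch 01) is no longer reachable and `uid` is resolved silently instead. If that default is intended, the comment above it, now under the `### Prehooks` heading, should no longer say "posthook script", e.g. `# LDAP attribute used as login in prehook scripts`; the same applies to `$posthook_login = "uid";` in the next hunk, whose comment sits under `### Posthooks` and is correct.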
@@ -273,17 +278,34 @@
 # Ignore prehook error. This will allow to change password even if prehook script fails.
 #$ignore_prehook_error = true;
-## Post Hook
-# Launch a posthook script after successful password change
-#$posthook = "/usr/share/service-desk/posthook.sh";
+## Unlock
+
+#$prehook_unlock = "/usr/share/service-desk/prehook_unlock.sh";
+#$display_prehook_unlock_error = true;
+#$ignore_prehook_unlock_error = true;
+
+### Posthooks
+
+# The posthook is only launched if the action was successful
+
 # LDAP attribute used as login in posthook script
-#$posthook_login = "uid";
+$posthook_login = "uid";
+
+## Password reset
+
+#$posthook = "/usr/share/service-desk/posthook.sh";
+
 # Display posthook error
 #$display_posthook_error = true;
 # Encode passwords sent to posthook script as base64. This will prevent alteration of the passwords if set to true.
 # To read the actual password in the posthook script, use a base64_decode function/tool
 #$posthook_password_encodebase64 = false;
+## Unlock
+
+#$posthook_unlock = "/usr/share/service-desk/posthook_unlock.sh";
+#$display_posthook_unlock_error = true;
+
 # The name of an HTTP Header that may hold a reference to an extra config file to include.
 #$header_name_extra_config="SSP-Extra-Config";
diff --git a/htdocs/unlockaccount.php b/htdocs/unlockaccount.php
index 388e6ba7..4ef9fbe7 100644
--- a/htdocs/unlockaccount.php
+++ b/htdocs/unlockaccount.php
@@ -7,6 +7,12 @@
 $dn = "";
 $comment = "";
 $returnto = "display";
+$prehook_login_value = "";
+$prehook_message = "";
+$prehook_return = 0;
+$posthook_login_value = "";
+$posthook_message = "";
+$posthook_return = 0;
 if (isset($_POST["dn"]) and $_POST["dn"]) {
 $dn = $_POST["dn"];
@@ -28,6 +34,7 @@
 require_once("../conf/config.inc.php");
 require __DIR__ . '/../vendor/autoload.php';
+ require_once("../lib/hook.inc.php");
 # Connect to LDAP
 $ldap_connection = $ldapInstance->connect(); 
@@ -36,10 +43,48 @@
 $result = $ldap_connection[1];
 if ($ldap) {
- if ( $directory->unlockAccount($ldap, $dn) ) {
- $result = "accountunlocked";
+
+ if ( isset($prehook_unlock) || isset($posthook_unlock) ) {
+ if ( isset($prehook_login) ) {
+ $prehook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $prehook_login);
+ }
+ if ( isset($posthook_login) ) {
+ $posthook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $posthook_login);
+ }
+ }
+
+ if ( isset($prehook_unlock) ) {
+
+ if ( !isset($prehook_login_value) ) {
+ $prehook_return = 255;
+ $prehook_message = "No login found, cannot execute prehook script";
+ } else {
+ $command = hook_command($prehook_unlock, $prehook_login_value);
+ exec($command, $prehook_output, $prehook_return);
+ $prehook_message = $prehook_output[0];
+ }
+ }
+
+ if ( $prehook_return > 0 and !$ignore_prehook_unlock_return) {
+ $result = "hookerror";
 } else {
- $result = "ldaperror";
+ if ( $directory->unlockAccount($ldap, $dn) ) {
+ $result = "accountunlocked";
+ } else {
+ $result = "ldaperror";
+ }
+ }
+
+ if ( $result === "accountunlocked" && isset($posthook_unlock) ) {
+
+ if ( !isset($posthook_login_value) ) {
+ $posthook_return = 255;
+ $posthook_message = "No login found, cannot execute posthook script";
+ } else {
+ $command = hook_command($posthook_unlock, $posthook_login_value);
+ exec($command, $posthook_output, $posthook_return);
+ $posthook_message = $posthook_output[0];
+ }
+ }
 }
 } 
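Review bot: `if ( !isset($prehook_login_value) )` can never be true here, because the first hunk of this file initialises `$prehook_login_value = ""`, so when the login attribute cannot be read the script runs `hook_command($prehook_unlock, "")` instead of taking the 255/"No login found" branch. Since what `get_first_value` returns for a missing attribute is not visible in this patch, `if ( empty($prehook_login_value) ) {` (and `if ( empty($posthook_login_value) ) {` for the posthook) covers null, false and the empty string alike. The same dead check is repeated in lockaccount.php (patch 05) and enableaccount.php (patch 06). `$prehook_message = $prehook_output[0];` also raises a warning and leaves the message unset when the hook prints nothing; `$prehook_message = $prehook_output[0] ?? '';` is enough for both hook branches.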
@@ -48,4 +93,11 @@
 auditlog($audit_log_file, $dn, $audit_admin, "unlockaccount", $result, $comment);
 }
-header('Location: index.php?page='.$returnto.'&dn='.$dn.'&unlockaccountresult='.$result);
+$location = 'index.php?page='.$returnto.'&dn='.$dn.'&unlockaccountresult='.$result;
+if ( isset($prehook_return) and $display_prehook_unlock_error and $prehook_return > 0 ) {
+ $location .= '&prehookunlockresult='.$prehook_message;
+}
+if ( isset($posthook_return) and $display_posthook_unlock_error and $posthook_return > 0 ) {
+ $location .= '&posthookunlockresult='.$posthook_message;
+}
+header('Location: '.$location);
diff --git a/templates/display.tpl b/templates/display.tpl
index fda7a7e6..06a51456 100644
--- a/templates/display.tpl
+++ b/templates/display.tpl
@@ -224,6 +224,12 @@ {/if} {if $show_lockstatus} + {if $prehookunlockresult} +
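Review bot: `$location .= '&prehookunlockresult='.$prehook_message;` appends the hook script's raw stdout to the redirect URL without encoding, so any `&`, `#`, `%` or space in the message corrupts the query string, and the text then flows through `$_GET["prehookunlockresult"]` in display.php (patch 03) into the template as a value that any visitor can also set directly in the URL. Use `urlencode($prehook_message)` and `urlencode($posthook_message)` here, and make sure the template renders `{$prehookunlockresult}` and `{$posthookunlockresult}` through Smarty's `|escape` modifier unless `escape_html` is known to be enabled, which this patch does not show. `$display_prehook_unlock_error` only exists when the admin uncomments it in config.inc.php, and since `isset($prehook_return)` is always true it is evaluated on every request; `!empty($display_prehook_unlock_error)` avoids the undefined-variable warning in the default setup. The redirect hunks in lockaccount.php (patch 05) and enableaccount.php (patch 06) have the same three issues.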
{$prehookunlockresult}
+ {/if} + {if $posthookunlockresult} +
{$posthookunlockresult}
+ {/if} {if $isLocked}
From 743f7e64595e48f56b98aeff8a02ce1a45b52052 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20OUDOT?=
Date: Wed, 30 Oct 2024 08:30:07 +0100
Subject: [PATCH 03/10] Unlock prehook and posthook
---
 htdocs/display.php | 12 ++++++++++++
 htdocs/unlockaccount.php | 2 +-
 lang/en.inc.php | 1 +
 lang/fr.inc.php | 1 +
 templates/display.tpl | 20 +++++++++++++-------
 5 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/htdocs/display.php b/htdocs/display.php
index 8413070b..06f48336 100644
--- a/htdocs/display.php
+++ b/htdocs/display.php
@@ -13,6 +13,8 @@
 $accountlockresult= "";
 $prehookresult= "";
 $posthookresult= "";
+$prehookunlockresult= "";
+$posthookunlockresult= "";
 $ldapExpirationDate="";
 $canLockAccount="";
 $isAccountEnabled = "";
@@ -50,6 +52,14 @@
 $posthookresult = $_GET["posthookresult"];
 }
+if (isset($_GET["prehookunlockresult"]) and $_GET["prehookunlockresult"]) {
+ $prehookunlockresult = $_GET["prehookunlockresult"];
+}
+
+if (isset($_GET["posthookunlockresult"]) and $_GET["posthookunlockresult"]) {
+ $posthookunlockresult = $_GET["posthookunlockresult"];
+}
+
 if ($result === "") {
 require_once("../conf/config.inc.php");
@@ -144,6 +154,8 @@
 $smarty->assign("accountlockresult", $accountlockresult);
 $smarty->assign("prehookresult", $prehookresult);
 $smarty->assign("posthookresult", $posthookresult);
+$smarty->assign("prehookunlockresult", $prehookunlockresult);
+$smarty->assign("posthookunlockresult", $posthookunlockresult);
 if ($canLockAccount == false) { $smarty->assign("use_lockaccount", $canLockAccount); }
 $smarty->assign("isAccountEnabled", $isAccountEnabled);
 if (isset($messages[$resetpasswordresult])) {
diff --git a/htdocs/unlockaccount.php b/htdocs/unlockaccount.php
index 4ef9fbe7..2f285fbc 100644
--- a/htdocs/unlockaccount.php
+++ b/htdocs/unlockaccount.php 
@@ -65,7 +65,7 @@
 }
 }
- if ( $prehook_return > 0 and !$ignore_prehook_unlock_return) {
+ if ( $prehook_return > 0 and !$ignore_prehook_unlock_error) {
 $result = "hookerror";
 } else {
 if ( $directory->unlockAccount($ldap, $dn) ) {
diff --git a/lang/en.inc.php b/lang/en.inc.php
index ca8e65d7..c45ee6de 100644
--- a/lang/en.inc.php
+++ b/lang/en.inc.php
@@ -37,6 +37,7 @@
 $messages['expiredaccounts'] = "Passwords expired";
 $messages['false'] = "No";
 $messages['forcereset'] = "Force reset at next connection";
+$messages['hookerror'] = "An error occured in the hook";
 $messages['idleaccounts'] = "Idle accounts";
 $messages['idleaccountstitle'] = "Accounts idle for more than $idledays days";
 $messages['insert_comment'] = "Insert comment";
diff --git a/lang/fr.inc.php b/lang/fr.inc.php
index f9d27a03..9a4221b2 100644
--- a/lang/fr.inc.php
+++ b/lang/fr.inc.php
@@ -37,6 +37,7 @@
 $messages['expiredaccounts'] = "Mots de passe expirés";
 $messages['false'] = "Non";
 $messages['forcereset'] = "Forcer la réinitialisation à la prochaine connexion";
+$messages['hookerror'] = "Une erreur s'est produite dans le hook";
 $messages['idleaccounts'] = "Comptes inactifs";
 $messages['idleaccountstitle'] = "Comptes inactifs depuis plus de $idledays jours";
 $messages['insert_comment'] = "Insérer un commentaire";
diff --git a/templates/display.tpl b/templates/display.tpl
index 06a51456..6578713e 100644
--- a/templates/display.tpl
+++ b/templates/display.tpl
@@ -224,12 +224,6 @@ {/if} {if $show_lockstatus} - {if $prehookunlockresult} -
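Review bot: `!$ignore_prehook_unlock_error` negates a variable that exists only when the admin uncomments it in config.inc.php, so with the shipped defaults every failed unlock prehook emits an undefined-variable warning on this line before taking the `hookerror` branch (the `and` short-circuits when `$prehook_return` is 0, so a successful prehook is unaffected). `if ( $prehook_return > 0 and empty($ignore_prehook_unlock_error) ) {` keeps the same truth table without the warning; the same applies to `$ignore_prehook_lock_error` in lockaccount.php (patch 05) and `$ignore_prehook_enable_error` in enableaccount.php (patch 06). The enclosing `if ($ldap)` block starts and ends outside this hunk.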
{$prehookunlockresult}
- {/if} - {if $posthookunlockresult} -
{$posthookunlockresult}
- {/if} {if $isLocked}
@@ -240,6 +234,12 @@
+ {if $prehookunlockresult} +
{$prehookunlockresult}
+ {/if} + {if $posthookunlockresult} +
{$posthookunlockresult}
+ {/if} {if $unlockDate}

{$msg_unlockdate} {$unlockDate|date_format:{$date_specifiers}}

{/if} @@ -277,8 +277,14 @@

- {if $use_lockaccount} + {if $use_lockaccount || $prehookunlockresult || $posthookunlockresult}
+ {if $prehookunlockresult} +
{$prehookunlockresult}
+ {/if} + {if $posthookunlockresult} +
{$posthookunlockresult}
+ {/if} {if $lockaccountresult eq 'ldaperror'}
{$msg_accountnotlocked}
{/if}
From 9e92a0af3ac1a9f7eb4cbf9a06e60ff6d60acd96 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20OUDOT?=
Date: Wed, 30 Oct 2024 08:40:28 +0100
Subject: [PATCH 04/10] Doc for unlock hooks
---
 docs/hook.rst | 53 +++++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 43 insertions(+), 10 deletions(-)
diff --git a/docs/hook.rst b/docs/hook.rst
index 260ff145..40b01df1 100644
--- a/docs/hook.rst
+++ b/docs/hook.rst
@@ -1,26 +1,34 @@
 Hook
 ====
-Hook feature allows to run a script before or after the password modification.
+Hook feature allows to run a script before or after an action:
+* Password reset
+* Password unlock
-The script is called with two parameters: login and new password.
+The script must return 0 if no error occured. Any text printed on STDOUT
+will be displayed as an error message (see options).
-Parameters
-----------
+Login
+-----
-Define prehook or posthook script (and enable the feature):
+Define which attribute will be used as login in prehook and posthook scripts:
 .. code-block:: php
- $prehook = "/usr/share/service-desk/prehook.sh";
- $posthook = "/usr/share/service-desk/posthook.sh";
+ $prehook_login = "uid";
+ $posthook_login = "uid";
-Define which attribute will be used as login:
+Password reset
+--------------
+
+The script is called with two parameters: login and new password.
+
+Define prehook or posthook script (and enable the feature):
 .. code-block:: php
- $prehook_login = "uid";
- $posthook_login = "uid";
+ $prehook = "/usr/share/service-desk/prehook.sh";
+ $posthook = "/usr/share/service-desk/posthook.sh";
 You can choose to display an error if the script return code is greater than 0: 
@@ -48,3 +56,28 @@ if it fails, but still try to update password in the directory.
 .. code-block:: php
 $ignore_prehook_error = true;
+
+Password unlock
+---------------
+
+The script is called with one parameter: login.
+
+Define prehook or posthook script (and enable the feature):
+
+.. code-block:: php
+
+ $prehook_unlock = "/usr/share/service-desk/prehook_unlock.sh";
+ $posthook_unlock = "/usr/share/service-desk/posthook_unlock.sh";
+
+To display hook error:
+
+.. code-block:: php
+
+ $display_prehook_unlock_error = true;
+ $display_posthook_unlock_error = true;
+
+To ignore prehook error:
+
+.. code-block:: php
+
+ $ignore_prehook_unlock_error = true;
From 30b8f458bb639b896f38f5e4ed0ebac5193c3f4c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20OUDOT?=
Date: Wed, 30 Oct 2024 09:40:44 +0100
Subject: [PATCH 05/10] Add hooks for lock password
---
 conf/config.inc.php | 11 ++++++
 docs/hook.rst | 26 ++++++++++++++
 htdocs/display.php | 12 +++++++
 htdocs/lockaccount.php | 78 +++++++++++++++++++++++++++++++++++-------
 templates/display.tpl | 14 +++++++-
 5 files changed, 127 insertions(+), 14 deletions(-)
diff --git a/conf/config.inc.php b/conf/config.inc.php
index c2301e33..7ddcb2b8 100644
--- a/conf/config.inc.php
+++ b/conf/config.inc.php
@@ -278,6 +278,12 @@
 # Ignore prehook error. This will allow to change password even if prehook script fails.
 #$ignore_prehook_error = true;
+## Lock
+
+#$prehook_lock = "/usr/share/service-desk/prehook_lock.sh";
+#$display_prehook_lock_error = true;
+#$ignore_prehook_lock_error = true;
+
 ## Unlock
+#$prehook_unlock = "/usr/share/service-desk/prehook_unlock.sh";
@@ -301,6 +307,11 @@
 # To read the actual password in the posthook script, use a base64_decode function/tool
 #$posthook_password_encodebase64 = false;
+## Lock
+
+#$posthook_lock = "/usr/share/service-desk/posthook_lock.sh";
+#$display_posthook_lock_error = true;
+
 ## Unlock
 #$posthook_unlock = "/usr/share/service-desk/posthook_unlock.sh"; 
diff --git a/docs/hook.rst b/docs/hook.rst
index 40b01df1..e3a209da 100644
--- a/docs/hook.rst
+++ b/docs/hook.rst
@@ -3,6 +3,7 @@ Hook
 Hook feature allows to run a script before or after an action:
 * Password reset
+* Password lock
 * Password unlock
 The script must return 0 if no error occured. Any text printed on STDOUT
@@ -57,6 +58,31 @@ if it fails, but still try to update password in the directory.
 $ignore_prehook_error = true;
+Password lock
+-------------
+
+The script is called with one parameter: login.
+
+Define prehook or posthook script (and enable the feature):
+
+.. code-block:: php
+
+ $prehook_lock = "/usr/share/service-desk/prehook_lock.sh";
+ $posthook_lock = "/usr/share/service-desk/posthook_lock.sh";
+
+To display hook error:
+
+.. code-block:: php
+
+ $display_prehook_lock_error = true;
+ $display_posthook_lock_error = true;
+
+To ignore prehook error:
+
+.. code-block:: php
+
+ $ignore_prehook_lock_error = true;
+
 Password unlock
 ---------------
diff --git a/htdocs/display.php b/htdocs/display.php
index 06f48336..2e90c150 100644
--- a/htdocs/display.php
+++ b/htdocs/display.php
@@ -13,6 +13,8 @@
 $accountlockresult= "";
 $prehookresult= "";
 $posthookresult= "";
+$prehooklockresult= "";
+$posthooklockresult= "";
 $prehookunlockresult= "";
 $posthookunlockresult= "";
 $ldapExpirationDate="";
@@ -52,6 +54,14 @@
 $posthookresult = $_GET["posthookresult"];
 }
+if (isset($_GET["prehooklockresult"]) and $_GET["prehooklockresult"]) {
+ $prehooklockresult = $_GET["prehooklockresult"];
+}
+
+if (isset($_GET["posthooklockresult"]) and $_GET["posthooklockresult"]) {
+ $posthooklockresult = $_GET["posthooklockresult"];
+}
+
 if (isset($_GET["prehookunlockresult"]) and $_GET["prehookunlockresult"]) {
 $prehookunlockresult = $_GET["prehookunlockresult"];
 } 
@@ -154,6 +164,8 @@
 $smarty->assign("accountlockresult", $accountlockresult);
 $smarty->assign("prehookresult", $prehookresult);
 $smarty->assign("posthookresult", $posthookresult);
+$smarty->assign("prehooklockresult", $prehooklockresult);
+$smarty->assign("posthooklockresult", $posthooklockresult);
 $smarty->assign("prehookunlockresult", $prehookunlockresult);
 $smarty->assign("posthookunlockresult", $posthookunlockresult);
 if ($canLockAccount == false) { $smarty->assign("use_lockaccount", $canLockAccount); }
diff --git a/htdocs/lockaccount.php b/htdocs/lockaccount.php
index ad22e959..026739d9 100644
--- a/htdocs/lockaccount.php
+++ b/htdocs/lockaccount.php
@@ -6,6 +6,12 @@
 $result = "";
 $dn = "";
 $comment = "";
+$prehook_login_value = "";
+$prehook_message = "";
+$prehook_return = 0;
+$posthook_login_value = "";
+$posthook_message = "";
+$posthook_return = 0;
 if (isset($_POST["dn"]) and $_POST["dn"]) {
 $dn = $_POST["dn"];
@@ -21,6 +27,7 @@
 require_once("../conf/config.inc.php");
 require __DIR__ . '/../vendor/autoload.php';
+ require_once("../lib/hook.inc.php");
 # Connect to LDAP
 $ldap_connection = $ldapInstance->connect(); 
@@ -28,21 +35,59 @@
 $ldap = $ldap_connection[0];
 $result = $ldap_connection[1];
- if ($ldap)
- {
- # Get password policy configuration
- $pwdPolicyConfiguration = $directory->getPwdPolicyConfiguration($ldap, $dn, $ldap_default_ppolicy);
- if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_durantion; }
- if ($ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; }
-
- # Apply the modification only the password can be locked
- if ($pwdPolicyConfiguration["lockout_enabled"]) {
- if ( $directory->lockAccount($ldap, $dn) ) {
- $result = "accountlocked";
+ if ($ldap) {
+
+ if ( isset($prehook_lock) || isset($posthook_lock) ) {
+ if ( isset($prehook_login) ) {
+ $prehook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $prehook_login);
+ }
+ if ( isset($posthook_login) ) {
+ $posthook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $posthook_login);
+ }
+ }
+
+ if ( isset($prehook_lock) ) {
+
+ if ( !isset($prehook_login_value) ) {
+ $prehook_return = 255;
+ $prehook_message = "No login found, cannot execute prehook script";
+ } else {
+ $command = hook_command($prehook_lock, $prehook_login_value);
+ exec($command, $prehook_output, $prehook_return);
+ $prehook_message = $prehook_output[0];
+ }
+ }
+
+ if ( $prehook_return > 0 and !$ignore_prehook_lock_error) {
+ $result = "hookerror";
+ } else {
+ # Get password policy configuration
+ $pwdPolicyConfiguration = $directory->getPwdPolicyConfiguration($ldap, $dn, $ldap_default_ppolicy);
+ if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_durantion; }
+ if ($ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; }
+
+ # Apply the modification only if the password can be locked
+ if ($pwdPolicyConfiguration["lockout_enabled"]) {
+ if ( $directory->lockAccount($ldap, $dn) ) {
+ $result = "accountlocked";
+ } else { 
+ $result = "ldaperror";
+ }
+ }
+ }
+
+ if ( $result === "accountlocked" && isset($posthook_lock) ) {
+
+ if ( !isset($posthook_login_value) ) {
+ $posthook_return = 255;
+ $posthook_message = "No login found, cannot execute posthook script";
 } else {
- $result = "ldaperror";
+ $command = hook_command($posthook_lock, $posthook_login_value);
+ exec($command, $posthook_output, $posthook_return);
+ $posthook_message = $posthook_output[0];
 }
 }
+ }
 }
@@ -50,4 +95,11 @@
 auditlog($audit_log_file, $dn, $audit_admin, "lockaccount", $result, $comment);
 }
-header('Location: index.php?page=display&dn='.$dn.'&lockaccountresult='.$result);
+$location = 'index.php?page=display&dn='.$dn.'&lockaccountresult='.$result;
+if ( isset($prehook_return) and $display_prehook_lock_error and $prehook_return > 0 ) {
+ $location .= '&prehooklockresult='.$prehook_message;
+}
+if ( isset($posthook_return) and $display_posthook_lock_error and $posthook_return > 0 ) {
+ $location .= '&posthooklockresult='.$posthook_message;
+}
+header('Location: '.$location);
diff --git a/templates/display.tpl b/templates/display.tpl
index 6578713e..002c7d55 100644
--- a/templates/display.tpl
+++ b/templates/display.tpl
@@ -234,6 +234,12 @@
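Review bot: The re-indented line `if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_durantion; }` reads `$ldap_lockout_durantion`, a misspelling of `$ldap_lockout_duration`, so whenever an override is configured the policy's lockout duration is replaced by null (with an undefined-variable warning) rather than the configured value; the line predates the patch but the commit moves it into the new `else` branch, and `= $ldap_lockout_duration;` is the one-token fix. The moved policy block also still leaves `$result` as `""` when `lockout_enabled` is false, so that case reaches the audit log and the redirect with an empty result; if that is not intended, an explicit `else { $result = "ldaperror"; }` on the `lockout_enabled` test would make it visible to the user. The hunk begins on the previous line.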
+ {if $prehooklockresult} +
{$prehooklockresult}
+ {/if} + {if $posthooklockresult} +
{$posthooklockresult}
+ {/if} {if $prehookunlockresult}
{$prehookunlockresult}
{/if} @@ -277,8 +283,14 @@

- {if $use_lockaccount || $prehookunlockresult || $posthookunlockresult} + {if $use_lockaccount || $prehooklockresult || $posthooklockresult || $prehookunlockresult || $posthookunlockresult}
+ {if $prehooklockresult} +
{$prehooklockresult}
+ {/if} + {if $posthooklockresult} +
{$posthooklockresult}
+ {/if} {if $prehookunlockresult}
{$prehookunlockresult}
{/if}
From 2ee5a7868780bec392ff0e4c7ecc95efac136abf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20OUDOT?=
Date: Fri, 29 Nov 2024 17:55:44 +0100
Subject: [PATCH 06/10] Prehook and Posthook for enable account
---
 conf/config.inc.php | 11 ++++++++
 htdocs/display.php | 12 ++++++++
 htdocs/enableaccount.php | 59 +++++++++++++++++++++++++++++++++++++---
 templates/display.tpl | 16 +++++++++--
 4 files changed, 92 insertions(+), 6 deletions(-)
diff --git a/conf/config.inc.php b/conf/config.inc.php
index 2dfc2de4..94f0a6ef 100644
--- a/conf/config.inc.php
+++ b/conf/config.inc.php
@@ -308,6 +308,12 @@
 #$display_prehook_unlock_error = true;
 #$ignore_prehook_unlock_error = true;
+## Enable
+
+#$prehook_enable = "/usr/share/service-desk/prehook_enable.sh";
+#$display_prehook_enable_error = true;
+#$ignore_prehook_enable_error = true;
+
 ### Posthooks
 # The posthook is only launched if the action was successful
@@ -335,6 +341,11 @@
 #$posthook_unlock = "/usr/share/service-desk/posthook_unlock.sh";
 #$display_posthook_unlock_error = true;
+## Enable
+
+#$posthook_enable = "/usr/share/service-desk/posthook_enable.sh";
+#$display_posthook_enable_error = true;
+
 # The name of an HTTP Header that may hold a reference to an extra config file to include.
 #$header_name_extra_config="SSP-Extra-Config";
diff --git a/htdocs/display.php b/htdocs/display.php
index ce483008..99eaa93d 100644
--- a/htdocs/display.php
+++ b/htdocs/display.php
@@ -19,6 +19,8 @@
 $posthooklockresult= "";
 $prehookunlockresult= "";
 $posthookunlockresult= "";
+$prehookenableresult= "";
+$posthookenableresult= "";
 $ldapExpirationDate="";
 $canLockAccount="";
 $isAccountEnabled = ""; 
@@ -84,6 +86,14 @@
 $posthookunlockresult = $_GET["posthookunlockresult"];
 }
+if (isset($_GET["prehookenableresult"]) and $_GET["prehookenableresult"]) {
+ $prehookenableresult = $_GET["prehookenableresult"];
+}
+
+if (isset($_GET["posthookenableresult"]) and $_GET["posthookenableresult"]) {
+ $posthookenableresult = $_GET["posthookenableresult"];
+}
+
 if (isset($_GET["updatevaliditydatesresult"]) and $_GET["updatevaliditydatesresult"]) {
 $updatevaliditydatesresult = $_GET["updatevaliditydatesresult"];
 }
@@ -245,6 +255,8 @@
 $smarty->assign("posthookunlockresult", $posthookunlockresult);
 if ($canLockAccount == false) { $smarty->assign("use_lockaccount", $canLockAccount); }
 $smarty->assign("isAccountEnabled", $isAccountEnabled);
+$smarty->assign("prehookenableresult", $prehookenableresult);
+$smarty->assign("posthookenableresult", $posthookenableresult);
 if (isset($messages[$resetpasswordresult])) {
 $smarty->assign('msg_resetpasswordresult', $messages[$resetpasswordresult]);
 } else {
diff --git a/htdocs/enableaccount.php b/htdocs/enableaccount.php
index 166eeefe..889e2ffd 100644
--- a/htdocs/enableaccount.php
+++ b/htdocs/enableaccount.php
@@ -7,6 +7,12 @@
 $dn = "";
 $comment = "";
 $returnto = "display";
+$prehook_login_value = "";
+$prehook_message = "";
+$prehook_return = 0;
+$posthook_login_value = "";
+$posthook_message = "";
+$posthook_return = 0;
 if (isset($_POST["returnto"]) and $_POST["returnto"]) {
 $returnto = $_POST["returnto"]; 
@@ -38,16 +44,54 @@
 $ldap = $ldap_connection[0];
 $result = $ldap_connection[1];
+ require_once("../lib/hook.inc.php");
 # DN match
 if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {
 $result = "noentriesfound";
 error_log("LDAP - $dn not found using the configured search settings, reject request");
 } else {
- if ( $directory->enableAccount($ldap, $dn) ) {
- $result = "accountenabled";
+
+ if ( isset($prehook_enable) || isset($posthook_enable) ) {
+ if ( isset($prehook_login) ) {
+ $prehook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $prehook_login);
+ }
+ if ( isset($posthook_login) ) {
+ $posthook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $posthook_login);
+ }
+ }
+ if ( isset($prehook_enable) ) {
+
+ if ( !isset($prehook_login_value) ) {
+ $prehook_return = 255;
+ $prehook_message = "No login found, cannot execute prehook script";
+ } else {
+ $command = hook_command($prehook_enable, $prehook_login_value);
+ exec($command, $prehook_output, $prehook_return);
+ $prehook_message = $prehook_output[0];
+ }
+ }
+
+ if ( $prehook_return > 0 and !$ignore_prehook_enable_error) {
+ $result = "hookerror";
 } else {
- $result = "ldaperror";
+ if ( $directory->enableAccount($ldap, $dn) ) {
+ $result = "accountenabled";
+ } else {
+ $result = "ldaperror";
+ }
+ }
+
+ if ( $result === "accountenabled" && isset($posthook_enable) ) {
+
+ if ( !isset($posthook_login_value) ) {
+ $posthook_return = 255;
+ $posthook_message = "No login found, cannot execute posthook script";
+ } else {
+ $command = hook_command($posthook_enable, $posthook_login_value);
+ exec($command, $posthook_output, $posthook_return);
+ $posthook_message = $posthook_output[0];
+ }
 }
 }
 } 
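Review bot: `require_once("../lib/hook.inc.php");` is inserted after the LDAP connection has been opened and `$result` read from it, whereas unlockaccount.php (patch 02) and lockaccount.php (patch 05) load it next to `require_once("../conf/config.inc.php");`; placing it beside the other requires keeps the three action scripts structured the same way and keeps the library include out of the connection handling. The `if` that opens the connection starts outside this hunk. The `!isset($prehook_login_value)` and `!isset($posthook_login_value)` checks here are dead for the reason raised on the unlockaccount.php hunk, since this file also initialises both to `""` in its first hunk.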
@@ -56,4 +100,11 @@
 auditlog($audit_log_file, $dn, $audit_admin, "enableaccount", $result, $comment);
 }
-header('Location: index.php?page='.$returnto.'&dn='.$dn.'&enableaccountresult='.$result);
+$location = 'index.php?page='.$returnto.'&dn='.$dn.'&enableaccountresult='.$result;
+if ( isset($prehook_return) and $display_prehook_enable_error and $prehook_return > 0 ) {
+ $location .= '&prehookenableresult='.$prehook_message;
+}
+if ( isset($posthook_return) and $display_posthook_enable_error and $posthook_return > 0 ) {
+ $location .= '&posthookenableresult='.$posthook_message;
+}
+header('Location: '.$location);
diff --git a/templates/display.tpl b/templates/display.tpl
index 7a69bffc..39a169cf 100644
--- a/templates/display.tpl
+++ b/templates/display.tpl
@@ -344,11 +344,17 @@ {$msg_accountenabled}

- {if $use_disableaccount} + {if $use_disableaccount || $prehookenableresult || posthookenableresult}
{if $disableaccountresult eq 'ldaperror' or $disableaccountresult eq 'actionforbidden'}
{$msg_accountnotdisabled}
{/if} + {if $prehookenableresult} +
{$prehookenableresult}
+ {/if} + {if $posthookenableresult} +
{$posthookenableresult}
+ {/if} {if $use_disablecomment}
- {if $use_enableaccount} + {if $use_enableaccount || $prehookenableresult || $posthookenableresult}
{if $enableaccountresult eq 'ldaperror' or $enableaccountresult eq 'actionforbidden'}
{$msg_accountnotenabled}
{/if} + {if $prehookenableresult} +
{$prehookenableresult}
+ {/if} + {if $posthookenableresult} +
{$posthookenableresult}
+ {/if} {if $use_enablecomment}
- {if $use_disableaccount || $prehookenableresult || posthookenableresult} + {if $use_disableaccount || $prehookenableresult || posthookenableresult || $prehookdisableresult || $posthookdisableresult}
{if $disableaccountresult eq 'ldaperror' or $disableaccountresult eq 'actionforbidden'}
{$msg_accountnotdisabled}
@@ -355,6 +355,12 @@ {if $posthookenableresult}
{$posthookenableresult}
{/if} + {if $prehookdisableresult} +
{$prehookdisableresult}
+ {/if} + {if $posthookdisableresult} +
{$posthookdisableresult}
+ {/if} {if $use_disablecomment}
- {if $use_enableaccount || $prehookenableresult || $posthookenableresult} + {if $use_enableaccount || $prehookenableresult || $posthookenableresult || $prehookdisableresult || $posthookdisableresult}
{if $enableaccountresult eq 'ldaperror' or $enableaccountresult eq 'actionforbidden'}
{$msg_accountnotenabled}
@@ -393,6 +399,12 @@ {if $posthookenableresult}
{$posthookenableresult}
{/if} + {if $prehookdisableresult} +
{$prehookdisableresult}
+ {/if} + {if $posthookdisableresult} +
{$posthookdisableresult}
+ {/if} {if $use_enablecomment}
- {if $use_updatestarttime or $use_updateendtime} + {if $use_updatestarttime || $use_updateendtime || $prehookupdatevalidityresult || $posthookupdatevalidityresult}
{if $updatevaliditydatesresult eq 'ldaperror' or $updatevaliditydatesresult eq 'actionforbidden'}
{$msg_validitydatesnotupdated}
@@ -443,6 +443,12 @@ {if $updatevaliditydatesresult eq 'validiydatesupdated'}
{$msg_validitydatesupdated}
{/if} + {if $prehookupdatevalidityresult} +
{$prehookupdatevalidityresult}
+ {/if} + {if $posthookupdatevalidityresult} +
{$posthookupdatevalidityresult}
+ {/if}
{if $use_updatestarttime}
From 74e963614786c906125337dda14fd9412f03b4fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20OUDOT?=
Date: Fri, 29 Nov 2024 18:55:31 +0100
Subject: [PATCH 10/10] Doc for hook update validity dates
---
 docs/hook.rst | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/docs/hook.rst b/docs/hook.rst
index 33b70d51..35d1ed45 100644
--- a/docs/hook.rst
+++ b/docs/hook.rst
@@ -7,6 +7,7 @@ Hook feature allows to run a script before or after an action:
 * Password unlock
 * Account enable
 * Account disable
+* Update validity dates
 The script must return 0 if no error occured. Any text printed on STDOUT
 will be displayed as an error message (see options).
@@ -159,3 +160,28 @@ To ignore prehook error:
 .. code-block:: php
 $ignore_prehook_disable_error = true;
+
+Update validity dates
+---------------------
+
+The script is called with one parameter: login.
+
+Define prehook or posthook script (and updatevalidity the feature):
+
+.. code-block:: php
+
+ $prehook_updatevalidity = "/usr/share/service-desk/prehook_updatevalidity.sh";
+ $posthook_updatevalidity = "/usr/share/service-desk/posthook_updatevalidity.sh";
+
+To display hook error:
+
+.. code-block:: php
+
+ $display_prehook_updatevalidity_error = true;
+ $display_posthook_updatevalidity_error = true;
+
+To ignore prehook error:
+
+.. code-block:: php
+
+ $ignore_prehook_updatevalidity_error = true;