-
Notifications
You must be signed in to change notification settings - Fork 327
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow user to change expired password #114
base: master
Are you sure you want to change the base?
Conversation
Thanks a lot for you contribution. I am a little confused about how you check if the password is expired. It may indeed work as if the bind is rejected but passwords are the same it should mean that the password is expired. But as you check the pwdAccountLockedTime, you could also check the pwdChangedTime and compute the expiration date. Anyway, I will think about this and see how to include it in SSP. |
Nice code. Some remarks :
|
Thank you @coudot for your remarks. The way the PR works is:
This covers all the OpenLDAP ppolicy possibilities to lock a user:
Computing the expiration date is actually extremely difficult: it requires the |
Indeed, if the pwdPolicySubentry is defined, you can get pwdMaxAge here, if not, we can have a configuration parameter to set default password max age. Its value will be the one defined in default ppolicy in LDAP server, or no value if no ppolicy (but in this case the password will not be expired).
I don't see the point here, what the link with the expired password? |
We have unit test running with PHP 5.4, so for the moment PHP 5.4 is the minimal version. But it is acceptable to have not compatible code if it's activated only with some options. |
To answer @plewin: You're mostly right, I'll change the code, do a bit of testing on my side and update the PR later.
|
Yes you spotted a useless
To be honest I'm not sure. I researched what is the best way to do this for an other PR. I find it subjectively more simplier and efficient. It was seeing the substr in fusiondirectory's code that convinced me that this should the best way. |
When an admin sets the @plewin: I did all the correction you suggested. Travis still not passing with PHP hhvm, it looks more like a Travis configuration issue. |
Hi @sfieux and @plewin, I think some changes in this PR have been done in other issues (like #115). And also travis file should not be modified. Other suggestion: do not remove the parameter in AD option, but maybe define the parameter before and reuse it after like: $ldap_change_expired_password = false;
...
$ad_options['change_expired_password'] = $ldap_change_expired_password; Note also that If you have some time, could you update the PR? |
Hi, I have noticed the same issue.. I am not able to change expired password. |
As you can see, this PR was not yet accepted. |
Hi,
I really needed to solve the issue #96 so I did it myself. Here is the pull request, feel free to add it to master if you feel like it's a good idea.
I tested the following cases with OpenLDAP:
It might require additional testing with Active Directory for regression testing, and maybe with several other LDAP providers. Also, I did the realtime testing with SSHA-hashed passwords, only the unit test hashes the password with all other possible encryptions.
Thanks @coudot for your help on this one