2021-02-24 19:15:42 +01:00
< ? php
/*******************************************************************************
* Copyright ( C ) 2007 Easter - eggs
2021-04-13 18:04:19 +02:00
* https :// ldapsaisie . org
2021-02-24 19:15:42 +01:00
*
* Author : See AUTHORS file in top - level directory .
*
* This program is free software ; you can redistribute it and / or
* modify it under the terms of the GNU General Public License version 2
* as published by the Free Software Foundation .
*
* This program is distributed in the hope that it will be useful ,
* but WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
* GNU General Public License for more details .
*
* You should have received a copy of the GNU General Public License
* along with this program ; if not , write to the Free Software
* Foundation , Inc . , 59 Temple Place - Suite 330 , Boston , MA 02111 - 1307 , USA .
******************************************************************************/
$GLOBALS [ 'LSobjects' ][ 'pwdPolicy' ] = array (
'objectclass' => array (
'top' ,
'device' ,
'pwdPolicy' ,
'pwdPolicyChecker' ,
),
'rdn' => 'cn' ,
'container_dn' => 'ou=ppolicies' ,
'display_name_format' => '%{cn}' ,
'displayAttrName' => true ,
'label' => 'Password policies' ,
'customActions' => array (
'showTechInfo' => array (
'function' => 'showTechInfo' ,
'label' => 'Show technical information' ,
'hideLabel' => True ,
'noConfirmation' => true ,
'disableOnSuccessMsg' => true ,
'icon' => 'tech_info' ,
'rights' => array (
'admin' ,
),
),
),
// LSform
'LSform' => array (
'ajaxSubmit' => 1 ,
// Layout
'layout' => array (
'general' => array (
'label' => 'General information' ,
'args' => array (
'cn' ,
'pwdAttribute' ,
'pwdAllowUserChange' ,
'pwdSafeModify' ,
'pwdInHistory' ,
),
),
'quality' => array (
'label' => 'Password quality' ,
'args' => array (
'pwdCheckQuality' ,
'pwdMinLength' ,
'pwdCheckModule' ,
),
),
'expiration' => array (
'label' => 'Password expiration' ,
'args' => array (
'pwdMaxAge' ,
'pwdMinAge' ,
'pwdExpireWarning' ,
'pwdGraceAuthNLimit' ,
),
),
'bruteforce' => array (
'label' => 'Brute-force attacks protection' ,
'args' => array (
'pwdLockout' ,
'pwdMaxFailure' ,
'pwdMaxRecordedFailure' ,
'pwdLockoutDuration' ,
'pwdFailureCountInterval' ,
'pwdMustChange' ,
),
),
) // fin Layout
), // fin LSform
'LSsearch' => array (
'attrs' => array (
'cn' ,
),
'params' => array (
'sortBy' => 'displayName' ,
),
),
// Attributes
'attrs' => array (
/* ----------- start -----------*/
'cn' => array (
'label' => 'Name' ,
'ldap_type' => 'ascii' ,
'html_type' => 'text' ,
'required' => 1 ,
'validation' => array (
array (
'filter' => 'cn=%{val}' ,
'object_type' => 'pwdPolicy' ,
'result' => 0 ,
'msg' => 'This name is already used.' ,
),
),
'rights' => array (
'admin' => 'w' ,
),
'view' => 1 ,
'form' => array (
'modify' => 1 ,
'create' => 1 ,
),
),
/* ----------- end -----------*/
/* ----------- start -----------*/
'pwdAttribute' => array (
'label' => 'Password attribute' ,
'ldap_type' => 'ascii' ,
'html_type' => 'text' ,
'required' => 1 ,
'default_value' => 'userPassword' ,
'rights' => array (
'admin' => 'w' ,
),
'view' => 1 ,
'form' => array (
'modify' => 1 ,
'create' => 1 ,
),
),
/* ----------- end -----------*/
/* ----------- start -----------*/
'pwdAllowUserChange' => array (
'label' => 'User can change its password' ,
'ldap_type' => 'boolean' ,
'html_type' => 'boolean' ,
'no_value_label' => 'Yes (default)' ,
'rights' => array (
'admin' => 'w' ,
),
'view' => 1 ,
'form' => array (
'modify' => 1 ,
'create' => 1 ,
),
),
/* ----------- end -----------*/
/* ----------- start -----------*/
'pwdSafeModify' => array (
'label' => 'User must provide its old password to change it' ,
'help_info' => 'Default: No.' ,
'ldap_type' => 'boolean' ,
'html_type' => 'boolean' ,
'no_value_label' => 'No (default)' ,
'rights' => array (
'admin' => 'w' ,
),
'view' => 1 ,
'form' => array (
'modify' => 1 ,
'create' => 1 ,
),
),
/* ----------- end -----------*/
/* ----------- start -----------*/
'pwdInHistory' => array (
'label' => 'Number of old passwords kept in history' ,
'help_info' => " User can't reused an old password in its history. Default: zero. " ,
'ldap_type' => 'numeric' ,
'html_type' => 'text' ,
'no_value_label' => 'No history (default)' ,
'check_data' => array (
'integer' => array (
'msg' => " Must be a positive integer. " ,
'params' => array ( 'positive' => true ),
),
),
'rights' => array (
'admin' => 'w' ,
),
'view' => 1 ,
'form' => array (
'modify' => 1 ,
'create' => 1 ,
),
),
/* ----------- end -----------*/
/*
*******************************************************************************************
* Check password quality
*******************************************************************************************
*/
/* ----------- start -----------*/
'pwdCheckQuality' => array (
'label' => 'Check password quality' ,
'ldap_type' => 'ascii' ,
'html_type' => 'select_box' ,
'html_options' => array (
'possible_values' => array (
'0' => 'Disabled (default)' ,
'1' => " If password is already hashed (can't check it), accept it " ,
'2' => " If password is already hashed (can't check it), refuse it " ,
),
),
'no_value_label' => 'Disabled (default)' ,
'rights' => array (
'admin' => 'w' ,
),
'view' => 1 ,
'form' => array (
'modify' => 1 ,
'create' => 1 ,
),
),
/* ----------- end -----------*/
/* ----------- start -----------*/
'pwdMinLength' => array (
'label' => 'Minimum length a password' ,
'help_info' => " If zero (default), no minimum length. Note: if password is provided already hashed, this check could not be performed and the policy define by the attribute <em>pwdCheckQuality</em> is applied. " ,
'ldap_type' => 'numeric' ,
'html_type' => 'text' ,
'no_value_label' => 'No minimum length (default)' ,
'check_data' => array (
'integer' => array (
'msg' => " Must be a positive integer. " ,
'params' => array ( 'positive' => true ),
),
),
'rights' => array (
'admin' => 'w' ,
),
'view' => 1 ,
'form' => array (
'modify' => 1 ,
'create' => 1 ,
),
),
/* ----------- end -----------*/
/* ----------- start -----------*/
'pwdCheckModule' => array (
'label' => 'Check OpenLDAP module to used' ,
'help_info' => '<strong>Used with caution !</strong> The name of the OpenLDAP module to used to check the password quality.' ,
'ldap_type' => 'ascii' ,
'html_type' => 'text' ,
'no_value_label' => 'Only length check (default)' ,
'rights' => array (
'admin' => 'w' ,
),
'view' => 1 ,
'form' => array (
'modify' => 1 ,
'create' => 1 ,
),
),
/* ----------- end -----------*/
/*
*******************************************************************************************
* Password expiration
*******************************************************************************************
*/
/* ----------- start -----------*/
'pwdMaxAge' => array (
'label' => 'Maximum validity duration of a password' ,
2021-03-25 15:35:38 +01:00
'help_info' => " After this delay, the password will expired and must be changed. If zero (default), no password expiration. " ,
2021-02-24 19:15:42 +01:00
'ldap_type' => 'numeric' ,
2021-03-25 15:35:38 +01:00
'html_type' => 'valueWithUnit' ,
'html_options' => array (
'units' => array (
1 => 'seconds' ,
60 => 'minutes' ,
3600 => 'hours' ,
86400 => 'days' ,
),
),
2021-02-24 19:15:42 +01:00
'no_value_label' => 'No password expiration (default)' ,
'check_data' => array (
'integer' => array (
'msg' => " Must be a positive integer. " ,
'params' => array ( 'positive' => true ),
),
),
'rights' => array (
'admin' => 'w' ,
),
'view' => 1 ,
'form' => array (
'modify' => 1 ,
'create' => 1 ,
),
),
/* ----------- end -----------*/
/* ----------- start -----------*/
'pwdMinAge' => array (
'label' => 'Minimum time between two password changes' ,
2021-03-25 15:35:38 +01:00
'help_info' => " If zero (default), no minimum time. " ,
2021-02-24 19:15:42 +01:00
'ldap_type' => 'numeric' ,
2021-03-25 15:35:38 +01:00
'html_type' => 'valueWithUnit' ,
'html_options' => array (
'units' => array (
1 => 'seconds' ,
60 => 'minutes' ,
3600 => 'hours' ,
86400 => 'days' ,
),
),
2021-02-24 19:15:42 +01:00
'no_value_label' => 'No minimum time (default)' ,
'check_data' => array (
'integer' => array (
'msg' => " Must be a positive integer. " ,
'params' => array ( 'positive' => true ),
),
),
'rights' => array (
'admin' => 'w' ,
),
'view' => 1 ,
'form' => array (
'modify' => 1 ,
'create' => 1 ,
),
),
/* ----------- end -----------*/
/* ----------- start -----------*/
'pwdExpireWarning' => array (
'label' => 'Warning delay before password expiration' ,
2021-03-25 15:35:38 +01:00
'help_info' => 'Put zero to disabled.' ,
2021-02-24 19:15:42 +01:00
'ldap_type' => 'numeric' ,
2021-03-25 15:35:38 +01:00
'html_type' => 'valueWithUnit' ,
'html_options' => array (
'units' => array (
1 => 'seconds' ,
60 => 'minutes' ,
3600 => 'hours' ,
86400 => 'days' ,
),
),
2021-02-24 19:15:42 +01:00
'no_value_label' => 'No warning (default)' ,
'check_data' => array (
'integer' => array (
'msg' => " Must be a positive integer. " ,
'params' => array ( 'positive' => true ),
),
),
'rights' => array (
'admin' => 'w' ,
),
'view' => 1 ,
'form' => array (
'modify' => 1 ,
'create' => 1 ,
),
),
/* ----------- end -----------*/
/* ----------- start -----------*/
'pwdGraceAuthNLimit' => array (
'label' => 'Grace delay after password expiration' ,
'help_info' => " Number of time that a user can log in with its expired password. If zero (default), no grace delay and the user can't log in with its expired password. " ,
'ldap_type' => 'numeric' ,
'html_type' => 'text' ,
'no_value_label' => 'No grace delay (default)' ,
'check_data' => array (
'integer' => array (
'msg' => " Must be a positive integer. " ,
'params' => array ( 'positive' => true ),
),
),
'rights' => array (
'admin' => 'w' ,
),
'view' => 1 ,
'form' => array (
'modify' => 1 ,
'create' => 1 ,
),
),
/* ----------- end -----------*/
/*
*******************************************************************************************
* Blocking brute - force attacks ,
*******************************************************************************************
*/
/* ----------- start -----------*/
'pwdLockout' => array (
'label' => 'Lock account after too many login failures' ,
'help_info' => 'The limit is configured using <em>pwdMaxFailure</em> attribute.' ,
'ldap_type' => 'boolean' ,
'html_type' => 'boolean' ,
'no_value_label' => 'No (default)' ,
'rights' => array (
'admin' => 'w' ,
),
'view' => 1 ,
'form' => array (
'modify' => 1 ,
'create' => 1 ,
),
),
/* ----------- end -----------*/
/* ----------- start -----------*/
'pwdMaxFailure' => array (
'label' => 'Maximum allowed login failures' ,
'help_info' => " After the number of login failures, the action defined by attribute <em>pwdLockout</em> will be executed. If zero (default), no limit. " ,
'ldap_type' => 'numeric' ,
'html_type' => 'text' ,
'no_value_label' => 'No limit (default)' ,
'check_data' => array (
'integer' => array (
'msg' => " Must be a positive integer. " ,
'params' => array ( 'positive' => true ),
),
),
'rights' => array (
'admin' => 'w' ,
),
'view' => 1 ,
'form' => array (
'modify' => 1 ,
'create' => 1 ,
),
),
/* ----------- end -----------*/
/* ----------- start -----------*/
'pwdMaxRecordedFailure' => array (
'label' => 'Maximum number of failed connections to store' ,
'help_info' => " Define the maximum number of failed connections to store for a user. If zero (default), the <em>Maximum allowed login failures (pwdMaxFailure)</em> value is used, or 5 if it's also zero. " ,
'ldap_type' => 'numeric' ,
'html_type' => 'text' ,
'no_value_label' => 'Default (see pwdMaxFailure if defined, otherwise: 5)' ,
'check_data' => array (
'integer' => array (
'msg' => " Must be a positive integer. " ,
'params' => array ( 'min' => 0 ),
),
),
'rights' => array (
'admin' => 'w' ,
),
'view' => 1 ,
'form' => array (
'modify' => 1 ,
'create' => 1 ,
),
),
/* ----------- end -----------*/
/* ----------- start -----------*/
'pwdLockoutDuration' => array (
'label' => 'Lock duration of an account' ,
2021-03-25 15:35:38 +01:00
'help_info' => " After this delay, the account will be automatically unlocked. If zero (default), the account will be locked until an administrator manually unlock it. " ,
2021-02-24 19:15:42 +01:00
'ldap_type' => 'numeric' ,
2021-03-25 15:35:38 +01:00
'html_type' => 'valueWithUnit' ,
'html_options' => array (
'units' => array (
1 => 'seconds' ,
60 => 'minutes' ,
3600 => 'hours' ,
86400 => 'days' ,
),
),
2021-02-24 19:15:42 +01:00
'no_value_label' => 'Until an administrator manually unlock it (default)' ,
'check_data' => array (
'integer' => array (
'msg' => " Must be a positive integer. " ,
'params' => array ( 'positive' => true ),
),
),
'rights' => array (
'admin' => 'w' ,
),
'view' => 1 ,
'form' => array (
'modify' => 1 ,
'create' => 1 ,
),
),
/* ----------- end -----------*/
/* ----------- start -----------*/
'pwdFailureCountInterval' => array (
'label' => 'Delay before reseting authentication fail count' ,
2021-03-25 15:35:38 +01:00
'help_info' => 'After this delay, authentication fail count will be reseted if no fail occured in the meantime. If zero (default), authentication fail count will be reseted only after a successful connection.' ,
2021-02-24 19:15:42 +01:00
'ldap_type' => 'numeric' ,
2021-03-25 15:35:38 +01:00
'html_type' => 'valueWithUnit' ,
'html_options' => array (
'units' => array (
1 => 'seconds' ,
60 => 'minutes' ,
3600 => 'hours' ,
86400 => 'days' ,
),
),
2021-02-24 19:15:42 +01:00
'no_value_label' => 'After successful connection (default)' ,
'check_data' => array (
'integer' => array (
'msg' => " Must be a positive integer. " ,
'params' => array ( 'positive' => true ),
),
),
'rights' => array (
'admin' => 'w' ,
),
'view' => 1 ,
'form' => array (
'modify' => 1 ,
'create' => 1 ,
),
),
/* ----------- end -----------*/
/* ----------- start -----------*/
'pwdMustChange' => array (
'label' => 'User must change its password after administrator unlock it' ,
'help_info' => 'Default: No. Note: if the <em>pwdReset</em> attribute of the account is defined, its value override this parameter.' ,
'ldap_type' => 'boolean' ,
'html_type' => 'boolean' ,
'no_value_label' => 'No (default)' ,
'rights' => array (
'admin' => 'w' ,
),
'view' => 1 ,
'form' => array (
'modify' => 1 ,
'create' => 1 ,
),
),
/* ----------- end -----------*/
) // Fin args
);
