check password expiration

conf/config.inc.php

@@ -280,4 +280,31 @@
 # Launch a posthook script after successful password change
 #$posthook = "/usr/share/self-service-password/posthook.sh";
 
+
+## config for checkexpiration batch
+# to batch it call the page with curl -F login=xxxx -F password=yyyy
+
+# allow this functionality
+$use_checkexpiration=true;
+
+$ldap_defaultpolicydn="cn=default,ou=policies," . $ldap_base;
+$ldap_admingroupdn="cn=administrators,ou=groups," . $ldap_base;
+
+# if pwdExpireWarning is not define in the default policy, then define 14 days warning before expire 
+$expire_warning=1209600;
+
+# if set false: then send mail, 1st day of warning, last day of warning and 1st day of expire
+$expire_always_mail = true;
+
+# message They can also be defined in lang/ files
+$messages['emptyexpireform'] = "Checking password expiration for all users";
+$messages["expirehelp"] = "Only administrator can run this page";
+$messages['checkexpiration'] = "Check expiration of passwords";
+$messages['expirechecked'] = "The password expiration check has been completed";
+$messages['warningexpiresubject'] = "Warning - Your password will expired";
+$messages['warningexpiremessage'] = "Hello {login},\n\nYour password will expired in {days} days.\nClick here to change your password:\n{url}\n\n";
+$messages['alertexpiresubject'] = "Alert - Your password is expired";
+$messages['alertexpiremessage'] = "Hello {login},\n\nYour password is expired since {days} days.\nClick here to reset your password:\n{url}\n\n";
+
+
 ?>

index.php

@@ -103,6 +103,7 @@
 if ( $use_questions ) { array_push( $available_actions, "resetbyquestions", "setquestions"); }
 if ( $use_tokens ) { array_push( $available_actions, "resetbytoken", "sendtoken"); }
 if ( $use_sms ) { array_push( $available_actions, "resetbytoken", "sendsms"); }
+if ( $use_checkexpiration ) { array_push( $available_actions, "checkexpiration"); }
 
 # Ensure requested action is available, or fall back to default
 if ( ! in_array($action, $available_actions) ) { $action = $default_action; }

lib/functions.inc.php

@@ -18,6 +18,48 @@
 # GPL License: http://www.gnu.org/licenses/gpl.txt
 #
 #==============================================================================
+# missed defines in php 5
+if ( !defined("LDAP_OPT_DIAGNOSTIC_MESSAGE") ) {
+    define("LDAP_OPT_DIAGNOSTIC_MESSAGE", 0x0032);
+}
+
+# Generate URL according to the action
+function generate_url($reset_url, $action) {
+    if ( empty($reset_url) ) {
+        $server_name = $_SERVER['SERVER_NAME'];
+        $server_port = $_SERVER['SERVER_PORT'];
+        $script_name = $_SERVER['SCRIPT_NAME'];
+        # Build reset by token URL
+        $method = "http";
+        if( !empty($_SERVER['HTTPS']) || (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')){
+           $method .= "s";
+        }
+        # change servername if HTTP_X_FORWARDED_HOST is set
+        if( isset($_SERVER['HTTP_X_FORWARDED_HOST'])){
+            $server_name = $_SERVER['HTTP_X_FORWARDED_HOST'];
+        }
+        # Force server port if non standard port
+        if (   ( $method === "http"  and $server_port != "80"  )
+            or ( $method === "https" and $server_port != "443" )
+        ) {
+           if( isset($_SERVER['HTTP_X_FORWARDED_PORT'])) {
+                $server_name .= ":".$_SERVER['HTTP_X_FORWARDED_PORT'];
+            } else {
+               $server_name .= ":".$server_port;
+            }
+        }
+        $reset_url = $method."://".$server_name.$script_name;
+    }
+    $url = $reset_url . "?action=".$action;
+    if ( !empty($reset_request_log) ) {
+        error_log("Genrated URL $url \n\n", 3, $reset_request_log);
+    } else {
+        error_log("Genrated URL $url");
+    }
+    return $url;
+
+}
+
 
 # Create SSHA password
 function make_ssha_password($password) {
@@ -121,7 +163,7 @@ function stripslashes_if_gpc_magic_quotes( $string ) {
 # Get message criticity
 function get_criticity( $msg ) {
 
-    if ( preg_match( "/nophpldap|phpupgraderequired|nophpmhash|ldaperror|nomatch|badcredentials|passworderror|tooshort|toobig|minlower|minupper|mindigit|minspecial|forbiddenchars|sameasold|answermoderror|answernomatch|mailnomatch|tokennotsent|tokennotvalid|notcomplex|smsnonumber|smscrypttokensrequired|nophpmbstring|nophpxml|smsnotsent|sameaslogin|sshkeyerror/" , $msg ) ) {
+    if ( preg_match( "/nophpldap|phpupgraderequired|nophpmhash|ldaperror|nomatch|badcredentials|passworderror|tooshort|toobig|minlower|minupper|mindigit|minspecial|forbiddenchars|sameasold|answermoderror|answernomatch|mailnomatch|tokennotsent|tokennotvalid|notcomplex|smsnonumber|smscrypttokensrequired|nophpmbstring|nophpxml|smsnotsent|sameaslogin|sshkeyerror|notinadmingroup/" , $msg ) ) {
     return "danger";
     }