MDL-52387 auth_ldap: add support for fine grained password
authorSimey Lameze <simey@moodle.com>
Wed, 10 Feb 2016 05:30:51 +0000 (13:30 +0800)
committerSimey Lameze <simey@moodle.com>
Tue, 16 Feb 2016 03:03:42 +0000 (11:03 +0800)
Contributed by Matthew Johnson.

auth/ldap/auth.php

index 9d3a4ad..e099e6b 100644 (file)
@@ -2081,7 +2081,21 @@ class auth_plugin_ldap extends auth_plugin_base {
         $entry = ldap_get_entries_moodle($ldapconn, $sr);
         $info = array_change_key_case($entry[0], CASE_LOWER);
         $maxpwdage = $info['maxpwdage'][0];
-
+        if ($sr = ldap_read($ldapconn, $user_dn, '(objectClass=*)', array('msDS-ResultantPSO', 'msDS-MaximumPasswordAge'))) {
+            if ($entry = ldap_get_entries_moodle($ldapconn, $sr)) {
+                $info = array_change_key_case($entry[0], CASE_LOWER);
+                $userpso = $info['msds-resultantpso'][0];
+
+                // If a PSO exists, FGPP is being utilized.
+                // Grab the new maxpwdage from the msDS-MaximumPasswordAge attribute of the PSO.
+                if (!empty($userpso)) {
+                    if ($entry = ldap_get_entries_moodle($ldapconn, $sr)) {
+                        $info = array_change_key_case($entry[0], CASE_LOWER);
+                        $maxpwdage = $info['msds-maximumpasswordage'][0];
+                    }
+                }
+            }
+        }
         // ----------------------------------------------------------------
         // MSDN says that "pwdLastSet contains the number of 100 nanosecond
         // intervals since January 1, 1601 (UTC), stored in a 64 bit integer".
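Review bot: The inner `ldap_get_entries_moodle($ldapconn, $sr)` under `if (!empty($userpso))` parses the result of the search on `$user_dn` a second time, so `msds-maximumpasswordage` is looked up on the user's entry and not on the PSO named by `$userpso`, which the comment just above says holds the attribute. When a PSO applies, `$maxpwdage` can therefore be overwritten with an unset value, which would presumably skew the password-expiry calculation that continues outside this hunk. Read the PSO first, e.g. `$sr = ldap_read($ldapconn, $userpso, '(objectClass=*)', array('msDS-MaximumPasswordAge'));`, check that call's result, and assign only when `isset($info['msds-maximumpasswordage'][0])`. `$info['msds-resultantpso'][0]` is likewise indexed without an `isset()` check, and a user with no resultant PSO will likely not return that attribute at all.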