Merge branch 'MDL-52387-master' of git://github.com/lameze/moodle
authorDavid Monllao <davidm@moodle.com>
Tue, 16 Feb 2016 03:25:22 +0000 (11:25 +0800)
committerDavid Monllao <davidm@moodle.com>
Tue, 16 Feb 2016 03:25:22 +0000 (11:25 +0800)
auth/ldap/auth.php

diff --combined auth/ldap/auth.php
@@@ -113,7 -113,31 +113,7 @@@ class auth_plugin_ldap extends auth_plu
          }
  
          // Hack prefix to objectclass
 -        if (empty($this->config->objectclass)) {
 -            // Can't send empty filter
 -            $this->config->objectclass = '(objectClass=*)';
 -        } else if (stripos($this->config->objectclass, 'objectClass=') === 0) {
 -            // Value is 'objectClass=some-string-here', so just add ()
 -            // around the value (filter _must_ have them).
 -            $this->config->objectclass = '('.$this->config->objectclass.')';
 -        } else if (strpos($this->config->objectclass, '(') !== 0) {
 -            // Value is 'some-string-not-starting-with-left-parentheses',
 -            // which is assumed to be the objectClass matching value.
 -            // So build a valid filter with it.
 -            $this->config->objectclass = '(objectClass='.$this->config->objectclass.')';
 -        } else {
 -            // There is an additional possible value
 -            // '(some-string-here)', that can be used to specify any
 -            // valid filter string, to select subsets of users based
 -            // on any criteria. For example, we could select the users
 -            // whose objectClass is 'user' and have the
 -            // 'enabledMoodleUser' attribute, with something like:
 -            //
 -            //   (&(objectClass=user)(enabledMoodleUser=1))
 -            //
 -            // In this particular case we don't need to do anything,
 -            // so leave $this->config->objectclass as is.
 -        }
 +        $this->config->objectclass = ldap_normalise_objectclass($this->config->objectclass);
      }
  
      /**
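Review bot: The new line passes `$this->config->objectclass` straight into `ldap_normalise_objectclass()`, while the removed branch tested it with `empty()`, which also tolerates a property that was never set. Whether the setting is always defined at this point is not visible in the hunk, and the helper's body is not on this page. If it can be unset, pass a guarded value such as `isset($this->config->objectclass) ? $this->config->objectclass : ''` and confirm the helper still maps an empty value to `(objectClass=*)`. The surviving comment `// Hack prefix to objectclass` no longer says what the removed comments did, so I would replace it with `// Normalise the objectclass setting into a valid LDAP filter; a value starting with '(' is used as the filter verbatim.`.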
          $entry = ldap_get_entries_moodle($ldapconn, $sr);
          $info = array_change_key_case($entry[0], CASE_LOWER);
          $maxpwdage = $info['maxpwdage'][0];
+         if ($sr = ldap_read($ldapconn, $user_dn, '(objectClass=*)', array('msDS-ResultantPSO', 'msDS-MaximumPasswordAge'))) {
+             if ($entry = ldap_get_entries_moodle($ldapconn, $sr)) {
+                 $info = array_change_key_case($entry[0], CASE_LOWER);
+                 $userpso = $info['msds-resultantpso'][0];
+                 // If a PSO exists, FGPP is being utilized.
+                 // Grab the new maxpwdage from the msDS-MaximumPasswordAge attribute of the PSO.
+                 if (!empty($userpso)) {
+                     if ($entry = ldap_get_entries_moodle($ldapconn, $sr)) {
+                         $info = array_change_key_case($entry[0], CASE_LOWER);
+                         $maxpwdage = $info['msds-maximumpasswordage'][0];
+                     }
+                 }
+             }
+         }
          // ----------------------------------------------------------------
          // MSDN says that "pwdLastSet contains the number of 100 nanosecond
          // intervals since January 1, 1601 (UTC), stored in a 64 bit integer".
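Review bot: The inner `ldap_get_entries_moodle($ldapconn, $sr)` call under `if (!empty($userpso))` re-reads the result of the `ldap_read()` on `$user_dn`, so `$userpso` is never queried and `msDS-MaximumPasswordAge` is looked up on the user entry instead of on the PSO. As written, a fine-grained password policy would probably not change `$maxpwdage`, and the expiry check would then use a value that is not the PSO's. The PSO should be read first, for example `if ($psosr = ldap_read($ldapconn, $userpso, '(objectClass=*)', array('msDS-MaximumPasswordAge'))) {`, with the entries fetched from `$psosr`. Both `$info['msds-resultantpso'][0]` and `$info['msds-maximumpasswordage'][0]` are indexed without an `isset()` check, so an entry that lacks the attribute raises a notice. The hunk header is missing from this page and the enclosing function starts and ends outside the visible lines.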