
Active Directory Support #29

Merged
merged 29 commits into from
Sep 17, 2024

Conversation

coudot
Copy link
Member

@coudot coudot commented Jul 24, 2024

To be compatible with Active Directory, we introduce a new ltb-common component: Directory

Directory is a PHP interface, with 2 implementations for now:

  • OpenLDAP
  • Active Directory

Tasks identified:

  • Get account lock status
  • Get account unlock date
  • Get account lock date
  • Get password expiration status
  • Get password expiration date
  • Display if password must be reset at next connection
  • Lock account
  • Unlock account
  • Update password
  • Enable account
  • Disable account
  • Get password policy parameters
  • Get LDAP date from PHP date
  • Unit tests

@coudot coudot added the enhancement New feature or request label Jul 24, 2024
@coudot
Copy link
Member Author

coudot commented Jul 24, 2024

Working on this for several days now, I dug into password policy in Active Directory to see how it can match Service Desk features and what we have in OpenLDAP.

What I found for the moment is that Active Directory manages several statuses:

  • Account lock: the account can be locked after several bad password attempts. We can configure how long the account stays locked. This is quite similar to OpenLDAP
  • Password expiration: a password can have a maximum age, so we can know the password expiration date by adding the password max age to the password last set date. Same as OpenLDAP, except there is no "magic" value to say that the account is locked permanently
  • Account enable/disable: this is different from account lock; we have a flag in userAccountControl to know if the account is enabled or disabled. I don't think there is any equivalent in OpenLDAP.
  • Account expiration: there is an account expiration date, different from the password expiration date. This would match the new pwdEndTime attribute in OpenLDAP and the "blocking" feature we want to implement.

It's not very clear for now how to get this information in AD (userAccountControl or other attributes).

@coudot coudot linked an issue Jul 24, 2024 that may be closed by this pull request
@coudot coudot self-assigned this Jul 24, 2024
@coudot coudot added this to the 0.3.0 milestone Jul 24, 2024
@coudot coudot changed the title Draft - Active Directory Support Active Directory Support Sep 17, 2024
@coudot coudot merged commit 6a55a57 into main Sep 17, 2024
2 checks passed
@coudot coudot deleted the 16-active-directory-support branch September 17, 2024 16:41
Successfully merging this pull request may close these issues.

Active Directory support