29 changes: 20 additions & 9 deletions src/Ltb/Directory.php
Expand Up @@ -5,20 +5,26 @@

interface Directory
{

/*
* Get specific operational attributes
*/
public function getOperationalAttributes() : array;

/*
* Is account locked?
*/
public function isLocked($ldap, $dn, $config) : bool;
public function isLocked($entry, $pwdPolicyConfiguration) : bool;

/*
* Date when account has been locked
*/
public function getLockDate($ldap, $dn) : ?DateTime;
public function getLockDate($entry, $pwdPolicyConfiguration) : ?DateTime;

/*
* Date when account will be automatically unlocked
*/
public function getUnlockDate($ldap, $dn, $config) : ?DateTime;
public function getUnlockDate($entry, $pwdPolicyConfiguration) : ?DateTime;

/*
* Lock account
Expand All @@ -33,12 +39,12 @@ public function unlockAccount($ldap, $dn) : bool;
/*
* Is password expired?
*/
public function isPasswordExpired($ldap, $dn, $config) : bool;
public function isPasswordExpired($entry, $pwdPolicyConfiguration) : bool;

/*
* Date when password will be expired
*/
public function getPasswordExpirationDate($ldap, $dn, $config) : ?DateTime;
public function getPasswordExpirationDate($entry, $pwdPolicyConfiguration) : ?DateTime;

/*
* Modify the password
Expand All @@ -63,7 +69,7 @@ public function disableAccount($ldap, $dn) : bool;
/*
* Is account enabled?
*/
public function isAccountEnabled($ldap, $dn) : bool;
public function isAccountEnabled($entry) : bool;

/*
* Get LDAP date from PHP date
Expand All @@ -75,6 +81,11 @@ public function getLdapDate($date) : string;
*/
public function getPhpDate($date) : ?DateTime;

/*
* Parses all entries and returns an array of all password policies
*/
public function getPwdPolicies($ldap, $entries, $default_ppolicy_dn) : array;

/*
* Get password policy configuration
*/
Expand All @@ -88,15 +99,15 @@ public function getDnAttribute() : string;
/*
* Is account valid? Relies on start and end validity dates
*/
public function isAccountValid($ldap, $dn) : bool;
public function isAccountValid($entry, $pwdPolicyConfiguration) : bool;

/*
* Get validity start date
*/
public function getStartDate($ldap, $dn) : ?DateTime;
public function getStartDate($entry, $pwdPolicyConfiguration) : ?DateTime;

/*
* Get validity end date
*/
public function getEndDate($ldap, $dn) : ?DateTime;
public function getEndDate($entry, $pwdPolicyConfiguration) : ?DateTime;
}
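Review bot: The comment added above `getPwdPolicies` says it "returns an array of all password policies", but the ActiveDirectory implementation in this PR returns a two-element array (`array($passwordPolicies, $userPolicies)`: the unique policies plus a map of entry DN to policy), so implementers reading only the interface will return the wrong shape; suggest `* Parses all entries and returns [list of unique password policies, map of entry dn => password policy]`. The renamed `$entry` parameter also carries an unstated contract: it must be a single `ldap_get_entries` entry whose attribute list already includes `getOperationalAttributes()`, otherwise the lock/expiry/enabled checks read absent keys. A one-line comment at the top of the interface, e.g. `* $entry is one ldap_get_entries() result that was fetched with getOperationalAttributes() included`, would make that dependency explicit. None of the new signatures carry type declarations (`array $entry`, `array $pwdPolicyConfiguration`), which would catch a caller that still passes the old `($ldap, $dn)` pair.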
139 changes: 52 additions & 87 deletions src/Ltb/Directory/ActiveDirectory.php
Expand Up @@ -6,25 +6,25 @@

class ActiveDirectory implements \Ltb\Directory
{
public function isLocked($ldap, $dn, $config) : bool {

# Get entry
$search = \Ltb\PhpLDAP::ldap_read($ldap, $dn, "(objectClass=*)", array('lockouttime'));
$errno = \Ltb\PhpLDAP::ldap_errno($ldap);
private $operationalAttributes = array(
'lockouttime',
'useraccountcontrol',
'pwdlastset',
'accountExpires'
);

if ( $errno ) {
error_log("LDAP - Search error $errno (".ldap_error($ldap).")");
return false;
} else {
$entry = \Ltb\PhpLDAP::ldap_get_entries($ldap, $search);
public function getOperationalAttributes() : array {
return $this->operationalAttributes;
}

}
public function isLocked($entry, $pwdPolicyConfiguration) : bool {

# Get lockoutTime
$lockoutTime = $entry[0]['lockouttime'][0] ?? 0;
$lockoutTime = $entry['lockouttime'][0] ?? 0;

# Get unlock date
$unlockDate = $this->getUnlockDate($ldap, $dn, $config);
$unlockDate = $this->getUnlockDate($entry, $pwdPolicyConfiguration);

if ($lockoutTime > 0 and !$unlockDate) {
return true;
Expand All @@ -37,23 +37,12 @@ public function isLocked($ldap, $dn, $config) : bool {
return false;
}

public function getLockDate($ldap, $dn) : ?DateTime {
public function getLockDate($entry, $pwdPolicyConfiguration) : ?DateTime {

$lockDate = NULL;

# Get entry
$search = \Ltb\PhpLDAP::ldap_read($ldap, $dn, "(objectClass=*)", array('lockouttime'));
$errno = \Ltb\PhpLDAP::ldap_errno($ldap);

if ( $errno ) {
error_log("LDAP - Search error $errno (".ldap_error($ldap).")");
return $unlockDate;
} else {
$entry = \Ltb\PhpLDAP::ldap_get_entries($ldap, $search);
}

# Get lockoutTime
$lockoutTime = $entry[0]['lockouttime'][0] ?? 0;
$lockoutTime = $entry['lockouttime'][0] ?? 0;

if ( !$lockoutTime or $lockoutTime === 0) {
return $lockDate;
Expand All @@ -63,19 +52,19 @@ public function getLockDate($ldap, $dn) : ?DateTime {
return $lockDate;
}

public function getUnlockDate($ldap, $dn, $config) : ?DateTime {
public function getUnlockDate($entry, $pwdPolicyConfiguration) : ?DateTime {

$unlockDate = NULL;

# Get lock date
$lockDate = $this->getLockDate($ldap, $dn);
$lockDate = $this->getLockDate($entry, $pwdPolicyConfiguration);

if ( !$lockDate ) {
return $unlockDate;
}

# Get lockout duration
$lockoutDuration = $config["lockout_duration"];
$lockoutDuration = $pwdPolicyConfiguration["lockout_duration"];

# Compute unlock date
if (isset($lockoutDuration) and ($lockoutDuration > 0)) {
Expand Down Expand Up @@ -104,29 +93,17 @@ public function unlockAccount($ldap, $dn) : bool {
}
}

public function isPasswordExpired($ldap, $dn, $config) : bool {

# Get entry
$search = \Ltb\PhpLDAP::ldap_read($ldap, $dn, "(objectClass=*)", array('pwdlastset'));
$errno = \Ltb\PhpLDAP::ldap_errno($ldap);

if ( $errno ) {
error_log("LDAP - Search error $errno (".ldap_error($ldap).")");
return false;
} else {
$entry = \Ltb\PhpLDAP::ldap_get_entries($ldap, $search);

}
public function isPasswordExpired($entry, $pwdPolicyConfiguration) : bool {

# Get pwdLastSet
$pwdLastSet = $entry[0]['pwdlastset'][0] ?? null;
$pwdLastSet = $entry['pwdlastset'][0] ?? null;

if (!$pwdLastSet) {
return false;
}

# Get password expiration date
$expirationDate = $this->getPasswordExpirationDate($ldap, $dn, $config);
$expirationDate = $this->getPasswordExpirationDate($entry, $pwdPolicyConfiguration);

if (!$expirationDate) {
return false;
Expand All @@ -139,30 +116,19 @@ public function isPasswordExpired($ldap, $dn, $config) : bool {
return false;
}

public function getPasswordExpirationDate($ldap, $dn, $config) : ?DateTime {
public function getPasswordExpirationDate($entry, $pwdPolicyConfiguration) : ?DateTime {

$expirationDate = NULL;

# Get entry
$search = \Ltb\PhpLDAP::ldap_read($ldap, $dn, "(objectClass=*)", array('pwdlastset'));
$errno = \Ltb\PhpLDAP::ldap_errno($ldap);

if ( $errno ) {
error_log("LDAP - Search error $errno (".ldap_error($ldap).")");
return $expirationDate;
} else {
$entry = \Ltb\PhpLDAP::ldap_get_entries($ldap, $search);
}

# Get pwdLastSet
$pwdLastSet = $entry[0]['pwdlastset'][0] ?? null;
$pwdLastSet = $entry['pwdlastset'][0] ?? null;

if ( !$pwdLastSet or $pwdLastSet === 0) {
return $expirationDate;
}

# Get pwdMaxAge
$pwdMaxAge = $config["password_max_age"];
$pwdMaxAge = $pwdPolicyConfiguration["password_max_age"];

# Compute expiration date
if ($pwdMaxAge) {
Expand Down Expand Up @@ -273,20 +239,9 @@ public function disableAccount($ldap, $dn) : bool {

}

public function isAccountEnabled($ldap, $dn) : bool {

# Get entry
$search = \Ltb\PhpLDAP::ldap_read($ldap, $dn, "(objectClass=*)", array('userAccountControl'));
$errno = \Ltb\PhpLDAP::ldap_errno($ldap);

if ( $errno ) {
error_log("LDAP - Search error $errno (".ldap_error($ldap).")");
return false;
} else {
$entry = \Ltb\PhpLDAP::ldap_get_entries($ldap, $search);
}
public function isAccountEnabled($entry) : bool {

if ($entry[0]['useraccountcontrol'] and ( $entry[0]['useraccountcontrol'][0] & 2)) {
if ($entry['useraccountcontrol'] and ( $entry['useraccountcontrol'][0] & 2)) {
return false;
} else {
return true;
Expand All @@ -301,6 +256,26 @@ public function getPhpDate($date) : ?DateTime {
return \Ltb\Date::adDate2phpDate( $date );
}

# Function that parses all entries and returns ppolicies and user's ppolicies
public function getPwdPolicies($ldap, $entries, $default_ppolicy_dn) : array {

$passwordPolicies = array(); # list of unique password policies
$userPolicies = array(); # associative array: user => associated ppolicy

# Get default password policy from LDAP
$defaultPasswordPolicy = $this->getPwdPolicyConfiguration($ldap, null, $default_ppolicy_dn);
# Add the password policy to the list of unique ppolicies
array_push($passwordPolicies, $defaultPasswordPolicy);

# parse entries
foreach($entries as $entry_key => $entry)
{
$userPolicies[$entry['dn']] = &$passwordPolicies[0];
}
# return the list of unique password policies + the mapping user => password policy
return array( $passwordPolicies, $userPolicies);
}

public function getPwdPolicyConfiguration($ldap, $entry_dn, $default_ppolicy_dn) : Array {

$ppolicyConfig = array();
Expand Down Expand Up @@ -330,11 +305,11 @@ public function getDnAttribute() : string {
return "distinguishedName";
}

public function isAccountValid($ldap, $dn) : bool {
public function isAccountValid($entry, $pwdPolicyConfiguration) : bool {

$time = time();
$startdate = $this->getStartDate($ldap, $dn);
$enddate = $this->getEndDate($ldap, $dn);
$startdate = $this->getStartDate($entry, $pwdPolicyConfiguration);
$enddate = $this->getEndDate($entry, $pwdPolicyConfiguration);

if ( isset($startdate) ) {
if ( $time <= $startdate->getTimestamp() ) {
Expand All @@ -351,29 +326,19 @@ public function isAccountValid($ldap, $dn) : bool {
return true;
}

public function getStartDate($ldap, $dn) : ?DateTime {
public function getStartDate($entry, $pwdPolicyConfiguration) : ?DateTime {

// No start date in AD
return null;
}

public function getEndDate($ldap, $dn) : ?DateTime {

$search = \Ltb\PhpLDAP::ldap_read($ldap, $dn, "(objectClass=*)", array('accountExpires'));
$errno = \Ltb\PhpLDAP::ldap_errno($ldap);

if ( $errno ) {
error_log("LDAP - Search error $errno (".ldap_error($ldap).")");
return null;
} else {
$entry = \Ltb\PhpLDAP::ldap_get_entries($ldap, $search);
}
public function getEndDate($entry, $pwdPolicyConfiguration) : ?DateTime {

if (!isset($entry[0]['accountexpires']) or ($entry[0]['accountexpires'][0] == 0) or ($entry[0]['accountexpires'][0] == 9223372036854775807)) {
if (!isset($entry['accountexpires']) or ($entry['accountexpires'][0] == 0) or ($entry['accountexpires'][0] == 9223372036854775807)) {
return null;
}

$enddate = \Ltb\Date::adDate2phpDate($entry[0]['accountexpires'][0]);
$enddate = \Ltb\Date::adDate2phpDate($entry['accountexpires'][0]);
return $enddate ? $enddate : null;
}
}
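Review bot: In the `isAccountEnabled` hunk the new code reads `$entry['useraccountcontrol']` without an `isset` guard, and because the entry is now supplied by the caller rather than fetched with an explicit `userAccountControl` attribute list, an entry searched without that attribute produces an undefined-index warning and the method returns true, i.e. the account is reported enabled precisely when the flag was never fetched. The other refactored readers in this file (`isLocked`, `getLockDate`, `isPasswordExpired`, `getEndDate`) at least default with `??` or `isset`; this one should too, and failing closed seems safer for an enabled check if the callers can tolerate it: `if (!isset($entry['useraccountcontrol'][0])) { error_log("LDAP - userAccountControl missing from entry"); return false; }` before the existing condition. The closing brace of `isAccountEnabled` is outside the hunk. Separately, in `getPwdPolicies` the `$entry_key` loop variable is unused and the returned `$userPolicies` values are references into `$passwordPolicies[0]`, which survive the array copy on return; a short comment such as `# values are references to the shared default policy` would save the next reader from assuming they are independent copies.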