diff --git a/include/class_userinfo.inc b/include/class_userinfo.inc
index f6f92859d077f86d8acba54909d120ec731980f8..e8d37e1faf80309b230a42c46b9dc5cfb65b0d9b 100644
--- a/include/class_userinfo.inc
+++ b/include/class_userinfo.inc
@@ -912,6 +912,28 @@ class userinfo
 if (!$ldap->success()) {
 return PPOLICY_ACCOUNT_EXPIRED;
 }
+
+ try {
+ list($policy, $attrs) = user::fetchPpolicy($this->dn);
+ if (
+ isset($policy['pwdExpireWarning'][0]) &&
+ isset($policy['pwdMaxAge'][0]) &&
+ isset($attrs['pwdChangedTime'][0])
+ ) {
+ $now = new DateTime('now', timezone::utc());
+ $pwdExpireWarningSeconds = intval($policy['pwdExpireWarning'][0]);
+ $maxAge = $policy['pwdMaxAge'][0];
+ /* Build expiration date from pwdChangedTime and max age */
+ $expDate = LdapGeneralizedTime::fromString($attrs['pwdChangedTime'][0]);
+ $expDate->setTimezone(timezone::utc());
+ $expDate->add(new DateInterval('PT'.$maxAge.'S'));
+ if ($expDate->getTimeStamp() < ($now->getTimeStamp() + $pwdExpireWarningSeconds)) {
+ return POSIX_WARN_ABOUT_EXPIRATION;
+ }
+ }
+ } catch (NonExistingLdapNodeException $e) {
+ /* ppolicy not found in the LDAP */
+ }
 }
 
 if ($config->get_cfg_value('handleExpiredAccounts') != 'TRUE') {
diff --git a/plugins/personal/generic/class_user.inc b/plugins/personal/generic/class_user.inc
index b751ed3973ca21cd00a4df0bc7647e76a27d8b7a..39317d3d75448fa0855fbe5f69c37d76391c3229 100644
--- a/plugins/personal/generic/class_user.inc
+++ b/plugins/personal/generic/class_user.inc
@@ -416,7 +416,7 @@ class user extends simplePlugin
 $policy = NULL;
 if (!empty($ppolicydn)) {
- $ldap->cat($ppolicydn, ['pwdAllowUserChange', 'pwdMinLength', 'pwdMinAge', 'pwdSafeModify']);
+ $ldap->cat($ppolicydn, ['pwdAllowUserChange', 'pwdMinLength', 'pwdMinAge', 'pwdSafeModify', 'pwdExpireWarning', 'pwdMaxAge']);
 $policy = $ldap->fetch();
 if (!$policy) {
 throw new NonExistingLdapNodeException(sprintf(_('Ppolicy "%s" could not be found in the LDAP!'), $ppolicydn));
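Review bot: A policy whose `pwdMaxAge` is 0 (which the LDAP password-policy draft defines as "the password does not expire") makes `$expDate` equal to `pwdChangedTime`, a timestamp that is always in the past, so every user under such a policy with a `pwdExpireWarning` value would be told to change their password on each login; a `pwdExpireWarning` of 0 (no warning) has the same effect. `$maxAge` is also concatenated into the `DateInterval` spec without conversion, so a non-numeric attribute value would throw a plain `Exception` that the `NonExistingLdapNodeException` catch does not cover. I would cast and gate both values: `$maxAge = intval($policy['pwdMaxAge'][0]);` and `if ($maxAge > 0 && $pwdExpireWarningSeconds > 0 && $expDate->getTimeStamp() < ($now->getTimeStamp() + $pwdExpireWarningSeconds)) {`. Whether `user::fetchPpolicy` actually returns `pwdChangedTime` in `$attrs` cannot be confirmed from this hunk; if it does not, the new branch is dead code. The enclosing method starts and ends outside the hunk.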