restore ldap_password_renew_pr

Signed-off-by: Roger Szabo <roger.szabo@web.de>

15 files changed, 475 insertions, 36 deletions

diff --git a/apps/user_ldap/lib/AppInfo/Application.php b/apps/user_ldap/lib/AppInfo/Application.php
new file mode 100644
index 00000000000..7932984a7d2
--- /dev/null
+++ b/apps/user_ldap/lib/AppInfo/Application.php
@@ -0,0 +1,53 @@
+<?php
+/**
+ * @copyright Copyright (c) 2017 Roger Szabo <roger.szabo@web.de>
+ *
+ * @author Roger Szabo <roger.szabo@web.de>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\User_LDAP\AppInfo;
+
+use OCA\User_LDAP\Controller\RenewPasswordController;
+use OCP\AppFramework\App;
+use OCP\AppFramework\IAppContainer;
+
+class Application extends App {
+	public function __construct () {
+		parent::__construct('user_ldap');
+		$container = $this->getContainer();
+
+		/**
+		 * Controller
+		 */
+		$container->registerService('RenewPasswordController', function(IAppContainer $c) {
+			/** @var \OC\Server $server */
+			$server = $c->query('ServerContainer');
+
+			return new RenewPasswordController(
+				$c->getAppName(),
+				$server->getRequest(),
+				$c->query('UserManager'),
+				$server->getConfig(),
+				$c->query('OCP\IL10N'),
+				//$c->query('Session'),
+				$server->getURLGenerator()
+			);
+		});
+	}
+}
diff --git a/apps/user_ldap/lib/Command/Search.php b/apps/user_ldap/lib/Command/Search.php
index 57970b1ac5d..463ad2eaeb4 100644
--- a/apps/user_ldap/lib/Command/Search.php
+++ b/apps/user_ldap/lib/Command/Search.php
@@ -120,7 +120,7 @@ class Search extends Command {
 				$limit = null;
 			}
 		} else {
-			$proxy = new User_Proxy($configPrefixes, $ldapWrapper, $this->ocConfig);
+			$proxy = new User_Proxy($configPrefixes, $ldapWrapper, $this->ocConfig, \OC::$server->getNotificationManager());
 			$getMethod = 'getDisplayNames';
 			$printID = true;
 		}
diff --git a/apps/user_ldap/lib/Configuration.php b/apps/user_ldap/lib/Configuration.php
index 65ee9c70807..654a63cdc73 100644
--- a/apps/user_ldap/lib/Configuration.php
+++ b/apps/user_ldap/lib/Configuration.php
@@ -93,6 +93,7 @@ class Configuration {
 		'ldapPagingSize' => null,
 		'turnOnPasswordChange' => false,
 		'ldapDynamicGroupMemberURL' => null,
+		'ldapDefaultPPolicyDN' => null,
 	);
 
 	/**
@@ -457,6 +458,7 @@ class Configuration {
 			'ldap_turn_on_pwd_change'           => 0,
 			'ldap_experienced_admin'            => 0,
 			'ldap_dynamic_group_member_url'     => '',
+			'ldap_default_ppolicy_dn'           => '',
 		);
 	}
 
@@ -514,6 +516,7 @@ class Configuration {
 			'ldap_turn_on_pwd_change'           => 'turnOnPasswordChange',
 			'ldap_experienced_admin'            => 'ldapExperiencedAdmin',
 			'ldap_dynamic_group_member_url'     => 'ldapDynamicGroupMemberURL',
+			'ldap_default_ppolicy_dn'           => 'ldapDefaultPPolicyDN',
 		);
 		return $array;
 	}
diff --git a/apps/user_ldap/lib/Controller/RenewPasswordController.php b/apps/user_ldap/lib/Controller/RenewPasswordController.php
new file mode 100644
index 00000000000..79708e99fa0
--- /dev/null
+++ b/apps/user_ldap/lib/Controller/RenewPasswordController.php
@@ -0,0 +1,185 @@
+<?php
+/**
+ * @copyright Copyright (c) 2017 Roger Szabo <roger.szabo@web.de>
+ *
+ * @author Roger Szabo <roger.szabo@web.de>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\User_LDAP\Controller;
+
+use OC\HintException;
+use OC_Util;
+use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http\RedirectResponse;
+use OCP\AppFramework\Http\TemplateResponse;
+use OCP\IConfig;
+use OCP\IL10N;
+use OCP\IRequest;
+use OCP\ISession;
+use OCP\IURLGenerator;
+use OCP\IUser;
+use OCP\IUserManager;
+
+class RenewPasswordController extends Controller {
+	/** @var IUserManager */
+	private $userManager;
+	/** @var IConfig */
+	private $config;
+	/** @var IL10N */
+	protected $l10n;
+	/** @var ISession */
+	private $session;
+	/** @var IURLGenerator */
+	private $urlGenerator;
+
+	/**
+	 * @param string $appName
+	 * @param IRequest $request
+	 * @param IUserManager $userManager
+	 * @param IConfig $config
+	 * @param IURLGenerator $urlGenerator
+	 */
+	function __construct($appName,
+						 IRequest $request,
+						 IUserManager $userManager,
+						 IConfig $config,
+						 IL10N $l10n,
+						 ISession $session,
+						 IURLGenerator $urlGenerator) {
+		parent::__construct($appName, $request);
+		$this->userManager = $userManager;
+		$this->config = $config;
+		$this->l10n = $l10n;
+		$this->session = $session;
+		$this->urlGenerator = $urlGenerator;
+	}
+
+	/**
+	 * @PublicPage
+	 * @NoCSRFRequired
+	 *
+	 * @return RedirectResponse
+	 */
+	public function cancel() {
+		return new RedirectResponse($this->urlGenerator->linkToRouteAbsolute('core.login.showLoginForm'));
+	}
+
+	/**
+	 * @PublicPage
+	 * @NoCSRFRequired
+	 * @UseSession
+	 *
+	 * @param string $user
+	 *
+	 * @return TemplateResponse|RedirectResponse
+	 */
+	public function showRenewPasswordForm($user) {
+		if($this->config->getUserValue($user, 'user_ldap', 'needsPasswordReset') !== 'true') {
+			return new RedirectResponse($this->urlGenerator->linkToRouteAbsolute('core.login.showLoginForm'));
+		}
+		$parameters = array();
+		$renewPasswordMessages = $this->session->get('renewPasswordMessages');
+		$errors = [];
+		$messages = [];
+		if (is_array($renewPasswordMessages)) {
+			list($errors, $messages) = $renewPasswordMessages;
+		}
+		$this->session->remove('renewPasswordMessages');
+		foreach ($errors as $value) {
+			$parameters[$value] = true;
+		}
+
+		$parameters['messages'] = $messages;
+		$parameters['user'] = $user;
+
+		$parameters['canResetPassword'] = true;
+		$parameters['resetPasswordLink'] = $this->config->getSystemValue('lost_password_link', '');
+		if (!$parameters['resetPasswordLink']) {
+			$userObj = $this->userManager->get($user);
+			if ($userObj instanceof IUser) {
+				$parameters['canResetPassword'] = $userObj->canChangePassword();
+			}
+		}
+		$parameters['cancelLink'] = $this->urlGenerator->linkToRouteAbsolute('core.login.showLoginForm');
+
+		return new TemplateResponse(
+			$this->appName, 'renewpassword', $parameters, 'guest'
+		);
+	}
+
+	/**
+	 * @PublicPage
+	 * @UseSession
+	 *
+	 * @param string $user
+	 * @param string $oldPassword
+	 * @param string $newPassword
+	 *
+	 * @return RedirectResponse
+	 */
+	public function tryRenewPassword($user, $oldPassword, $newPassword) {
+		if($this->config->getUserValue($user, 'user_ldap', 'needsPasswordReset') !== 'true') {
+			return new RedirectResponse($this->urlGenerator->linkToRouteAbsolute('core.login.showLoginForm'));
+		}
+		$args = !is_null($user) ? ['user' => $user] : [];
+		$loginResult = $this->userManager->checkPassword($user, $oldPassword);
+		if ($loginResult === false) {
+			$this->session->set('renewPasswordMessages', [
+				['invalidpassword'], []
+			]);
+			return new RedirectResponse($this->urlGenerator->linkToRoute('user_ldap.renewPassword.showRenewPasswordForm', $args));
+		}
+		
+		try {
+			if (!is_null($newPassword) && \OC_User::setPassword($user, $newPassword)) {
+				$this->session->set('loginMessages', [
+					[], [$this->l10n->t("Please login with the new password")]
+				]);
+				$this->session->remove('needPasswordRenewal');
+				return new RedirectResponse($this->urlGenerator->linkToRoute('core.login.showLoginForm', $args));
+			} else {
+				$this->session->set('renewPasswordMessages', [
+					['internalexception'], []
+				]);
+			}
+		} catch (HintException $e) {
+			$this->session->set('renewPasswordMessages', [
+				[], [$e->getHint()]
+			]);
+		}
+
+		return new RedirectResponse($this->urlGenerator->linkToRoute('user_ldap.renewPassword.showRenewPasswordForm', $args));
+	}
+
+	/**
+	 * @PublicPage
+	 * @NoCSRFRequired
+	 * @UseSession
+	 *
+	 * @return RedirectResponse
+	 */
+	public function showLoginFormInvalidPassword($user) {
+		$args = !is_null($user) ? ['user' => $user] : [];
+		$this->session->set('loginMessages', [
+			['invalidpassword'], []
+		]);
+		return new RedirectResponse($this->urlGenerator->linkToRoute('core.login.showLoginForm', $args));
+	}
+
+}
diff --git a/apps/user_ldap/lib/Exceptions/ConstraintViolationException.php b/apps/user_ldap/lib/Exceptions/ConstraintViolationException.php
index 997b01b2d4e..586a80b9ebe 100644
--- a/apps/user_ldap/lib/Exceptions/ConstraintViolationException.php
+++ b/apps/user_ldap/lib/Exceptions/ConstraintViolationException.php
@@ -1,6 +1,6 @@
 <?php
 /**
- * @copyright Copyright (c) 2016 Roger Szabo <roger.szabo@web.de>
+ * @copyright Copyright (c) 2017 Roger Szabo <roger.szabo@web.de>
  *
  * @author Roger Szabo <roger.szabo@web.de>
  *
diff --git a/apps/user_ldap/lib/Helper.php b/apps/user_ldap/lib/Helper.php
index f1186ffa310..83b2f05f1d2 100644
--- a/apps/user_ldap/lib/Helper.php
+++ b/apps/user_ldap/lib/Helper.php
@@ -293,9 +293,10 @@ class Helper {
 		$configPrefixes = $helper->getServerConfigurationPrefixes(true);
 		$ldapWrapper = new LDAP();
 		$ocConfig = \OC::$server->getConfig();
+		$notificationManager = \OC::$server->getNotificationManager();
 
 		$userBackend  = new User_Proxy(
-			$configPrefixes, $ldapWrapper, $ocConfig
+			$configPrefixes, $ldapWrapper, $ocConfig, $notificationManager
 		);
 		$uid = $userBackend->loginName2UserName($param['uid'] );
 		if($uid !== false) {
diff --git a/apps/user_ldap/lib/Jobs/CleanUp.php b/apps/user_ldap/lib/Jobs/CleanUp.php
index e69d24dfd06..a4dd4ba32ad 100644
--- a/apps/user_ldap/lib/Jobs/CleanUp.php
+++ b/apps/user_ldap/lib/Jobs/CleanUp.php
@@ -98,7 +98,8 @@ class CleanUp extends TimedJob {
 			$this->userBackend =  new User_Proxy(
 				$this->ldapHelper->getServerConfigurationPrefixes(true),
 				new LDAP(),
-				$this->ocConfig
+				$this->ocConfig,
+				\OC::$server->getNotificationManager()
 			);
 		}
 
diff --git a/apps/user_ldap/lib/Jobs/UpdateGroups.php b/apps/user_ldap/lib/Jobs/UpdateGroups.php
index b4259425fcc..4c9a06a5f68 100644
--- a/apps/user_ldap/lib/Jobs/UpdateGroups.php
+++ b/apps/user_ldap/lib/Jobs/UpdateGroups.php
@@ -185,7 +185,8 @@ class UpdateGroups extends \OC\BackgroundJob\TimedJob {
 				\OC::$server->getAvatarManager(),
 				new \OCP\Image(),
 				$dbc,
-				\OC::$server->getUserManager());
+				\OC::$server->getUserManager(),
+				\OC::$server->getNotificationManager());
 			$connector = new Connection($ldapWrapper, $configPrefixes[0]);
 			$ldapAccess = new Access($connector, $ldapWrapper, $userManager, $helper);
 			$groupMapper = new GroupMapping($dbc);
diff --git a/apps/user_ldap/lib/Migration/UUIDFixGroup.php b/apps/user_ldap/lib/Migration/UUIDFixGroup.php
index cbc38366984..6aacb37257e 100644
--- a/apps/user_ldap/lib/Migration/UUIDFixGroup.php
+++ b/apps/user_ldap/lib/Migration/UUIDFixGroup.php
@@ -32,6 +32,7 @@ use OCP\IConfig;
 class UUIDFixGroup extends UUIDFix {
 	public function __construct(GroupMapping $mapper, LDAP $ldap, IConfig $config, Helper $helper) {
 		$this->mapper = $mapper;
-		$this->proxy = new User_Proxy($helper->getServerConfigurationPrefixes(true), $ldap, $config);
+		$this->proxy = new User_Proxy($helper->getServerConfigurationPrefixes(true), $ldap, $config, 
+			\OC::$server->getNotificationManager());
 	}
 }
diff --git a/apps/user_ldap/lib/Notification/Notifier.php b/apps/user_ldap/lib/Notification/Notifier.php
new file mode 100644
index 00000000000..a6053cfcb19
--- /dev/null
+++ b/apps/user_ldap/lib/Notification/Notifier.php
@@ -0,0 +1,71 @@
+<?php
+/**
+ * @copyright Copyright (c) 2017 Roger Szabo <roger.szabo@web.de>
+ *
+ * @author Roger Szabo <roger.szabo@web.de>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\User_LDAP\Notification;
+
+
+use OCP\IUser;
+use OCP\IUserManager;
+use OCP\L10N\IFactory;
+use OCP\Notification\INotification;
+use OCP\Notification\INotifier;
+
+class Notifier implements INotifier {
+
+	/** @var IFactory */
+	protected $l10nFactory;
+
+	/**
+	 * @param IFactory $l10nFactory
+	 */
+	 public function __construct(\OCP\L10N\IFactory $l10nFactory) {
+		$this->l10nFactory = $l10nFactory;
+	}
+
+	/**
+	 * @param INotification $notification
+	 * @param string $languageCode The code of the language that should be used to prepare the notification
+	 * @return INotification
+	 * @throws \InvalidArgumentException When the notification was not prepared by a notifier
+	 */
+	public function prepare(INotification $notification, $languageCode) {
+		if ($notification->getApp() !== 'user_ldap') {
+			// Not my app => throw
+			throw new \InvalidArgumentException();
+		}
+
+		// Read the language from the notification
+		$l = $this->l10nFactory->get('user_ldap', $languageCode);
+
+		switch ($notification->getSubject()) {
+			// Deal with known subjects
+			case 'pwd_exp_warn_days':
+				$notification->setParsedSubject($l->t('Your password will expire within %s day(s).', $notification->getSubjectParameters()));
+				return $notification;
+
+			default:
+				// Unknown subject => Unknown notification => throw
+				throw new \InvalidArgumentException();
+		}
+	}
+}
diff --git a/apps/user_ldap/lib/Proxy.php b/apps/user_ldap/lib/Proxy.php
index 7f998314e20..96bb670b789 100644
--- a/apps/user_ldap/lib/Proxy.php
+++ b/apps/user_ldap/lib/Proxy.php
@@ -64,6 +64,7 @@ abstract class Proxy {
 		static $groupMap;
 		static $db;
 		static $coreUserManager;
+		static $coreNotificationManager;
 		if(is_null($fs)) {
 			$ocConfig = \OC::$server->getConfig();
 			$fs       = new FilesystemHelper();
@@ -73,9 +74,11 @@ abstract class Proxy {
 			$userMap  = new UserMapping($db);
 			$groupMap = new GroupMapping($db);
 			$coreUserManager = \OC::$server->getUserManager();
+			$coreNotificationManager = \OC::$server->getNotificationManager();
 		}
 		$userManager =
-			new Manager($ocConfig, $fs, $log, $avatarM, new \OCP\Image(), $db, $coreUserManager);
+			new Manager($ocConfig, $fs, $log, $avatarM, new \OCP\Image(), $db,
+				$coreUserManager, $coreNotificationManager);
 		$connector = new Connection($this->ldap, $configPrefix);
 		$access = new Access($connector, $this->ldap, $userManager, new Helper(\OC::$server->getConfig()));
 		$access->setUserMapper($userMap);
diff --git a/apps/user_ldap/lib/User/Manager.php b/apps/user_ldap/lib/User/Manager.php
index 1a9138176b0..3887d7cae12 100644
--- a/apps/user_ldap/lib/User/Manager.php
+++ b/apps/user_ldap/lib/User/Manager.php
@@ -34,6 +34,7 @@ use OCP\IConfig;
 use OCP\IDBConnection;
 use OCP\Image;
 use OCP\IUserManager;
+use OCP\Notification\IManager as INotificationManager;
 
 /**
  * Manager
@@ -51,6 +52,12 @@ class Manager {
 	/** @var IDBConnection */
 	protected $db;
 
+	/** @var IUserManager */
+	protected $userManager;
+
+	/** @var INotificationManager */
+	protected $notificationManager;
+
 	/** @var FilesystemHelper */
 	protected $ocFilesystem;
 
@@ -85,17 +92,19 @@ class Manager {
 	public function __construct(IConfig $ocConfig,
 								FilesystemHelper $ocFilesystem, LogWrapper $ocLog,
 								IAvatarManager $avatarManager, Image $image,
-								IDBConnection $db, IUserManager $userManager) {
-
-		$this->ocConfig      = $ocConfig;
-		$this->ocFilesystem  = $ocFilesystem;
-		$this->ocLog         = $ocLog;
-		$this->avatarManager = $avatarManager;
-		$this->image         = $image;
-		$this->db            = $db;
-		$this->userManager   = $userManager;
-		$this->usersByDN     = new CappedMemoryCache();
-		$this->usersByUid    = new CappedMemoryCache();
+								IDBConnection $db, IUserManager $userManager,
+								INotificationManager $notificationManager) {
+
+		$this->ocConfig            = $ocConfig;
+		$this->ocFilesystem        = $ocFilesystem;
+		$this->ocLog               = $ocLog;
+		$this->avatarManager       = $avatarManager;
+		$this->image               = $image;
+		$this->db                  = $db;
+		$this->userManager         = $userManager;
+		$this->notificationManager = $notificationManager;
+		$this->usersByDN           = new CappedMemoryCache();
+		$this->usersByUid          = new CappedMemoryCache();
 	}
 
 	/**
@@ -118,7 +127,8 @@ class Manager {
 		$this->checkAccess();
 		$user = new User($uid, $dn, $this->access, $this->ocConfig,
 			$this->ocFilesystem, clone $this->image, $this->ocLog,
-			$this->avatarManager, $this->userManager);
+			$this->avatarManager, $this->userManager, 
+			$this->notificationManager);
 		$this->usersByDN[$dn]   = $user;
 		$this->usersByUid[$uid] = $user;
 		return $user;
diff --git a/apps/user_ldap/lib/User/User.php b/apps/user_ldap/lib/User/User.php
index 5d4af1fd09c..24abab7b460 100644
--- a/apps/user_ldap/lib/User/User.php
+++ b/apps/user_ldap/lib/User/User.php
@@ -7,6 +7,7 @@
  * @author Morris Jobke <hey@morrisjobke.de>
  * @author Thomas Müller <thomas.mueller@tmit.eu>
  * @author Jörn Friedrich Dreyer <jfd@butonic.de>
+ * @author Roger Szabo <roger.szabo@web.de>
  *
  * @license AGPL-3.0
  *
@@ -34,6 +35,7 @@ use OCP\IConfig;
 use OCP\Image;
 use OCP\IUserManager;
 use OCP\Util;
+use OCP\Notification\IManager as INotificationManager;
 
 /**
  * User
@@ -74,6 +76,10 @@ class User {
 	 */
 	protected $userManager;
 	/**
+	 * @var INotificationManager
+	 */
+	protected $notificationManager;
+	/**
 	 * @var string
 	 */
 	protected $dn;
@@ -108,11 +114,13 @@ class User {
 	 * @param LogWrapper $log
 	 * @param IAvatarManager $avatarManager
 	 * @param IUserManager $userManager
+	 * @param INotificationManager $notificationManager
 	 */
 	public function __construct($username, $dn, IUserTools $access,
 		IConfig $config, FilesystemHelper $fs, Image $image,
-		LogWrapper $log, IAvatarManager $avatarManager, IUserManager $userManager) {
-
+		LogWrapper $log, IAvatarManager $avatarManager, IUserManager $userManager,
+		INotificationManager $notificationManager) {
+	
 		if ($username === null) {
 			$log->log("uid for '$dn' must not be null!", Util::ERROR);
 			throw new \InvalidArgumentException('uid must not be null!');
@@ -121,16 +129,19 @@ class User {
 			throw new \InvalidArgumentException('uid must not be an empty string!');
 		}
 
-		$this->access        = $access;
-		$this->connection    = $access->getConnection();
-		$this->config        = $config;
-		$this->fs            = $fs;
-		$this->dn            = $dn;
-		$this->uid           = $username;
-		$this->image         = $image;
-		$this->log           = $log;
-		$this->avatarManager = $avatarManager;
-		$this->userManager   = $userManager;
+		$this->access              = $access;
+		$this->connection          = $access->getConnection();
+		$this->config              = $config;
+		$this->fs                  = $fs;
+		$this->dn                  = $dn;
+		$this->uid                 = $username;
+		$this->image               = $image;
+		$this->log                 = $log;
+		$this->avatarManager       = $avatarManager;
+		$this->userManager         = $userManager;
+		$this->notificationManager = $notificationManager;
+
+		\OCP\Util::connectHook('OC_User', 'post_login', $this, 'handlePasswordExpiry');
 	}
 
 	/**
@@ -587,4 +598,84 @@ class User {
 		}
 	}
 
+	/**
+	 * called by a post_login hook to handle password expiry
+	 *
+	 * @param array $params
+	 */
+	public function handlePasswordExpiry($params) {
+		$ppolicyDN = $this->connection->ldapDefaultPPolicyDN;
+		if (empty($ppolicyDN) || (intval($this->connection->turnOnPasswordChange) !== 1)) {
+			return;//password expiry handling disabled
+		}
+		$uid = $params['uid'];
+		if(isset($uid) && $uid === $this->getUsername()) {
+			//handle grace login
+			$pwdGraceUseTime = $this->access->readAttribute($this->dn, 'pwdGraceUseTime');
+			$pwdGraceUseTimeCount = count($pwdGraceUseTime);
+			if($pwdGraceUseTime && $pwdGraceUseTimeCount > 0) { //was this a grace login?
+				$pwdGraceAuthNLimit = $this->access->readAttribute($ppolicyDN, 'pwdGraceAuthNLimit');
+				if($pwdGraceAuthNLimit 
+					&& (count($pwdGraceAuthNLimit) > 0)
+					&&($pwdGraceUseTimeCount < intval($pwdGraceAuthNLimit[0]))) { //at least one more grace login available?
+					$this->config->setUserValue($uid, 'user_ldap', 'needsPasswordReset', 'true');
+					header('Location: '.\OC::$server->getURLGenerator()->linkToRouteAbsolute(
+					'user_ldap.renewPassword.showRenewPasswordForm', array('user' => $uid)));
+				} else { //no more grace login available
+					header('Location: '.\OC::$server->getURLGenerator()->linkToRouteAbsolute(
+					'user_ldap.renewPassword.showLoginFormInvalidPassword', array('user' => $uid)));
+				}
+				exit();
+			}
+			//handle pwdReset attribute
+			$pwdReset = $this->access->readAttribute($this->dn, 'pwdReset');
+			if($pwdReset && (count($pwdReset) > 0) && $pwdReset[0] === 'TRUE') { //user must change his password
+					$this->config->setUserValue($uid, 'user_ldap', 'needsPasswordReset', 'true');
+					header('Location: '.\OC::$server->getURLGenerator()->linkToRouteAbsolute(
+					'user_ldap.renewPassword.showRenewPasswordForm', array('user' => $uid)));
+					exit();
+			}
+			//handle password expiry warning
+			$pwdChangedTime  = $this->access->readAttribute($this->dn, 'pwdChangedTime');//for efficiency read only 1 attribute first
+			if($pwdChangedTime && (count($pwdChangedTime) > 0)) {
+				$pwdPolicySubentry = $this->access->readAttribute($this->dn, 'pwdPolicySubentry');
+				if($pwdPolicySubentry && (count($pwdPolicySubentry) > 0)){
+					$ppolicyDN = $pwdPolicySubentry[0];//custom ppolicy DN
+				}
+				$pwdMaxAge = $this->access->readAttribute($ppolicyDN, 'pwdMaxAge');
+				$pwdExpireWarning = $this->access->readAttribute($ppolicyDN, 'pwdExpireWarning');
+				if($pwdMaxAge && (count($pwdMaxAge) > 0)
+					&& $pwdExpireWarning && (count($pwdExpireWarning) > 0)) {
+					$pwdMaxAgeInt = intval($pwdMaxAge[0]);
+					$pwdExpireWarningInt = intval($pwdExpireWarning[0]);
+					//pwdMaxAge=0 -> password never expires
+					//pwdExpireWarning=0 -> don't warn about expiry
+					if($pwdMaxAgeInt > 0 && $pwdExpireWarningInt > 0){
+						$pwdChangedTimeDt = \DateTime::createFromFormat('YmdHisZ', $pwdChangedTime[0]);
+						$pwdChangedTimeDt->add(new \DateInterval('PT'.$pwdMaxAgeInt.'S'));
+						$currentDateTime = new \DateTime();
+						$secondsToExpiry = $pwdChangedTimeDt->getTimestamp() - $currentDateTime->getTimestamp();
+						if($secondsToExpiry <= $pwdExpireWarningInt) {
+							//remove last password expiry warning if any
+							$notification = $this->notificationManager->createNotification();
+							$notification->setApp('user_ldap')
+								->setUser($uid)
+								->setObject('pwd_exp_warn', $uid)
+							;
+							$this->notificationManager->markProcessed($notification);
+							//create new password expiry warning
+							$notification = $this->notificationManager->createNotification();
+							$notification->setApp('user_ldap')
+								->setUser($uid)
+								->setDateTime($currentDateTime)
+								->setObject('pwd_exp_warn', $uid) 
+								->setSubject('pwd_exp_warn_days', [strval(ceil($secondsToExpiry / 60 / 60 / 24))])
+							;
+							$this->notificationManager->notify($notification);
+						}
+					}
+				}
+			}
+		}
+	}
 }
diff --git a/apps/user_ldap/lib/User_LDAP.php b/apps/user_ldap/lib/User_LDAP.php
index cfd2450a122..8fbbd4e3940 100644
--- a/apps/user_ldap/lib/User_LDAP.php
+++ b/apps/user_ldap/lib/User_LDAP.php
@@ -41,6 +41,7 @@ use OCA\User_LDAP\Exceptions\NotOnLDAP;
 use OCA\User_LDAP\User\OfflineUser;
 use OCA\User_LDAP\User\User;
 use OCP\IConfig;
+use OCP\Notification\IManager as INotificationManager;
 use OCP\Util;
 
 class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserInterface, IUserLDAP {
@@ -50,13 +51,18 @@ class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserIn
 	/** @var \OCP\IConfig */
 	protected $ocConfig;
 
+	/** @var INotificationManager */
+	protected $notificationManager;
+
 	/**
 	 * @param Access $access
 	 * @param \OCP\IConfig $ocConfig
+	 * @param \OCP\Notification\IManager $notificationManager
 	 */
-	public function __construct(Access $access, IConfig $ocConfig) {
+	public function __construct(Access $access, IConfig $ocConfig, INotificationManager $notificationManager) {
 		parent::__construct($access);
 		$this->ocConfig = $ocConfig;
+		$this->notificationManager = $notificationManager;
 	}
 
 	/**
@@ -190,8 +196,19 @@ class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserIn
 			throw new \Exception('LDAP setPassword: Could not get user object for uid ' . $uid .
 				'. Maybe the LDAP entry has no set display name attribute?');
 		}
-		if($user->getUsername() !== false) {
-			return $this->access->setPassword($user->getDN(), $password);
+		if($user->getUsername() !== false && $this->access->setPassword($user->getDN(), $password)) {
+			$ldapDefaultPPolicyDN = $this->access->connection->ldapDefaultPPolicyDN;
+			$turnOnPasswordChange = $this->access->connection->turnOnPasswordChange;
+			if (!empty($ldapDefaultPPolicyDN) && (intval($turnOnPasswordChange) === 1)) {
+				//remove last password expiry warning if any
+				$notification = $this->notificationManager->createNotification();
+				$notification->setApp('user_ldap')
+					->setUser($uid)
+					->setObject('pwd_exp_warn', $uid)
+				;
+				$this->notificationManager->markProcessed($notification);
+			}
+			return true;
 		}
 
 		return false;
diff --git a/apps/user_ldap/lib/User_Proxy.php b/apps/user_ldap/lib/User_Proxy.php
index 2cdf401880e..8b058ba6f6e 100644
--- a/apps/user_ldap/lib/User_Proxy.php
+++ b/apps/user_ldap/lib/User_Proxy.php
@@ -31,6 +31,7 @@ namespace OCA\User_LDAP;
 
 use OCA\User_LDAP\User\User;
 use OCP\IConfig;
+use OCP\Notification\IManager as INotificationManager;
 
 class User_Proxy extends Proxy implements \OCP\IUserBackend, \OCP\UserInterface, IUserLDAP {
 	private $backends = array();
@@ -40,11 +41,12 @@ class User_Proxy extends Proxy implements \OCP\IUserBackend, \OCP\UserInterface,
 	 * Constructor
 	 * @param array $serverConfigPrefixes array containing the config Prefixes
 	 */
-	public function __construct(array $serverConfigPrefixes, ILDAPWrapper $ldap, IConfig $ocConfig) {
+	public function __construct(array $serverConfigPrefixes, ILDAPWrapper $ldap, IConfig $ocConfig,
+		INotificationManager $notificationManager) {
 		parent::__construct($ldap);
 		foreach($serverConfigPrefixes as $configPrefix) {
 			$this->backends[$configPrefix] =
-				new User_LDAP($this->getAccess($configPrefix), $ocConfig);
+				new User_LDAP($this->getAccess($configPrefix), $ocConfig, $notificationManager);
 			if(is_null($this->refBackend)) {
 				$this->refBackend = &$this->backends[$configPrefix];
 			}