Lines 565-570
def password_sync_ucs_to_s4(s4connector, key, object):
565 |
else: |
565 |
else: |
566 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: Failed to get LM Password-Hash from S4") |
566 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: Failed to get LM Password-Hash from S4") |
567 |
|
567 |
|
|
|
568 |
supplementalCredentials_new = None |
569 |
if krb5Principal: |
570 |
# encoding of Samba4 supplementalCredentials |
571 |
if krb5Key: |
572 |
supplementalCredentials_new = calculate_supplementalCredentials(krb5Key, supplementalCredentials) |
573 |
|
568 |
modlist = [] |
574 |
modlist = [] |
569 |
if krb5Principal != userPrincipalName_attr: |
575 |
if krb5Principal != userPrincipalName_attr: |
570 |
if krb5Principal: |
576 |
if krb5Principal: |
Lines 597-602
def password_sync_ucs_to_s4(s4connector, key, object):
597 |
if pwd_set and unicodePwd_new: |
603 |
if pwd_set and unicodePwd_new: |
598 |
modlist.append((ldap.MOD_REPLACE, 'unicodePwd', unicodePwd_new)) |
604 |
modlist.append((ldap.MOD_REPLACE, 'unicodePwd', unicodePwd_new)) |
599 |
|
605 |
|
|
|
606 |
if supplementalCredentials_new: |
607 |
if supplementalCredentials_new != supplementalCredentials: |
608 |
pwd_set = True |
609 |
modlist.append((ldap.MOD_REPLACE, 'supplementalCredentials', supplementalCredentials_new)) |
610 |
# if supplementalCredentials: |
611 |
# modlist.append((ldap.MOD_REPLACE, 'msDS-KeyVersionNumber', krb5KeyVersionNumber)) |
612 |
# else: |
613 |
# modlist.append((ldap.MOD_ADD, 'msDS-KeyVersionNumber', krb5KeyVersionNumber)) |
614 |
else: |
615 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: no supplementalCredentials_new") |
616 |
|
600 |
if not ucsLMhash == s4LMhash: |
617 |
if not ucsLMhash == s4LMhash: |
601 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: LM Hash S4: %s LM Hash UCS: %s" % (s4LMhash, ucsLMhash)) |
618 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: LM Hash S4: %s LM Hash UCS: %s" % (s4LMhash, ucsLMhash)) |
602 |
pwd_set = True |
619 |
pwd_set = True |
Lines 608-626
def password_sync_ucs_to_s4(s4connector, key, object):
608 |
# modlist.append((ldap.MOD_DELETE, 'dBCSPwd', dBCSPwd_attr)) |
625 |
# modlist.append((ldap.MOD_DELETE, 'dBCSPwd', dBCSPwd_attr)) |
609 |
|
626 |
|
610 |
if pwd_set or not supplementalCredentials: |
627 |
if pwd_set or not supplementalCredentials: |
611 |
if krb5Principal: |
|
|
612 |
# encoding of Samba4 supplementalCredentials |
613 |
if krb5Key: |
614 |
supplementalCredentials_new = calculate_supplementalCredentials(krb5Key, supplementalCredentials) |
615 |
if supplementalCredentials_new: |
616 |
modlist.append((ldap.MOD_REPLACE, 'supplementalCredentials', supplementalCredentials_new)) |
617 |
else: |
618 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: no supplementalCredentials_new") |
619 |
# if supplementalCredentials: |
620 |
# modlist.append((ldap.MOD_REPLACE, 'msDS-KeyVersionNumber', krb5KeyVersionNumber)) |
621 |
# else: |
622 |
# modlist.append((ldap.MOD_ADD, 'msDS-KeyVersionNumber', krb5KeyVersionNumber)) |
623 |
|
624 |
if sambaPwdLastSet is None: |
628 |
if sambaPwdLastSet is None: |
625 |
sambaPwdLastSet = int(time.time()) |
629 |
sambaPwdLastSet = int(time.time()) |
626 |
newpwdlastset = str(univention.s4connector.s4.samba2s4_time(sambaPwdLastSet)) |
630 |
newpwdlastset = str(univention.s4connector.s4.samba2s4_time(sambaPwdLastSet)) |
Lines 689-703
def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru
689 |
s4_search_attributes = res[0][1] |
693 |
s4_search_attributes = res[0][1] |
690 |
|
694 |
|
691 |
unicodePwd_attr = s4_search_attributes.get('unicodePwd', [None])[0] |
695 |
unicodePwd_attr = s4_search_attributes.get('unicodePwd', [None])[0] |
692 |
if unicodePwd_attr: |
696 |
supplementalCredentials = s4_search_attributes.get('supplementalCredentials', [None])[0] |
693 |
ntPwd = binascii.b2a_hex(unicodePwd_attr).upper() |
697 |
if supplementalCredentials or unicodePwd_attr: |
|
|
698 |
ntPwd = '' |
699 |
if unicodePwd_attr: |
700 |
ntPwd = binascii.b2a_hex(unicodePwd_attr).upper() |
694 |
|
701 |
|
695 |
lmPwd = '' |
702 |
lmPwd = '' |
696 |
dBCSPwd = s4_search_attributes.get('dBCSPwd', [None])[0] |
703 |
dBCSPwd = s4_search_attributes.get('dBCSPwd', [None])[0] |
697 |
if dBCSPwd: |
704 |
if dBCSPwd: |
698 |
lmPwd = binascii.b2a_hex(dBCSPwd).upper() |
705 |
lmPwd = binascii.b2a_hex(dBCSPwd).upper() |
699 |
|
706 |
|
700 |
supplementalCredentials = s4_search_attributes.get('supplementalCredentials', [None])[0] |
|
|
701 |
msDS_KeyVersionNumber = s4_search_attributes.get('msDS-KeyVersionNumber', [0])[0] |
707 |
msDS_KeyVersionNumber = s4_search_attributes.get('msDS-KeyVersionNumber', [0])[0] |
702 |
|
708 |
|
703 |
ntPwd_ucs = '' |
709 |
ntPwd_ucs = '' |
Lines 732-756
def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru
732 |
userPassword_ucs = ucs_object_attributes.get('userPassword', [None])[0] |
738 |
userPassword_ucs = ucs_object_attributes.get('userPassword', [None])[0] |
733 |
krb5KeyVersionNumber = ucs_object_attributes.get('krb5KeyVersionNumber', [None])[0] |
739 |
krb5KeyVersionNumber = ucs_object_attributes.get('krb5KeyVersionNumber', [None])[0] |
734 |
|
740 |
|
|
|
741 |
krb5Key_new = '' |
742 |
if supplementalCredentials: |
743 |
if krb5Principal: |
744 |
# decoding of Samba4 supplementalCredentials |
745 |
krb5Key_new = calculate_krb5key(unicodePwd_attr, supplementalCredentials, int(msDS_KeyVersionNumber)) |
746 |
|
735 |
pwd_changed = False |
747 |
pwd_changed = False |
736 |
if ntPwd != ntPwd_ucs: |
748 |
if ntPwd != ntPwd_ucs: |
737 |
pwd_changed = True |
749 |
pwd_changed = True |
738 |
modlist.append(('sambaNTPassword', ntPwd_ucs, str(ntPwd))) |
750 |
modlist.append(('sambaNTPassword', ntPwd_ucs, str(ntPwd))) |
739 |
|
751 |
|
740 |
if lmPwd != lmPwd_ucs: |
752 |
if supplementalCredentials != krb5Key_new: |
741 |
pwd_changed = True |
|
|
742 |
modlist.append(('sambaLMPassword', lmPwd_ucs, str(lmPwd))) |
743 |
|
744 |
if pwd_changed: |
745 |
if krb5Principal: |
753 |
if krb5Principal: |
746 |
# decoding of Samba4 supplementalCredentials |
754 |
pwd_changed = True |
747 |
krb5Key_new = calculate_krb5key(unicodePwd_attr, supplementalCredentials, int(msDS_KeyVersionNumber)) |
|
|
748 |
|
749 |
modlist.append(('krb5Key', krb5Key_ucs, krb5Key_new)) |
755 |
modlist.append(('krb5Key', krb5Key_ucs, krb5Key_new)) |
750 |
if int(msDS_KeyVersionNumber) != int(krb5KeyVersionNumber): |
756 |
if int(msDS_KeyVersionNumber) != int(krb5KeyVersionNumber): |
751 |
modlist.append(('krb5KeyVersionNumber', krb5KeyVersionNumber, msDS_KeyVersionNumber)) |
757 |
modlist.append(('krb5KeyVersionNumber', krb5KeyVersionNumber, msDS_KeyVersionNumber)) |
752 |
|
758 |
|
753 |
# Append modification as well to modlist, to apply in one transaction |
759 |
if lmPwd != lmPwd_ucs: |
|
|
760 |
pwd_changed = True |
761 |
modlist.append(('sambaLMPassword', lmPwd_ucs, str(lmPwd))) |
762 |
|
763 |
if pwd_changed: |
754 |
if modifyUserPassword: |
764 |
if modifyUserPassword: |
755 |
modlist.append(('userPassword', userPassword_ucs, '{K5KEY}')) |
765 |
modlist.append(('userPassword', userPassword_ucs, '{K5KEY}')) |
756 |
else: |
766 |
else: |
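Review bot: In password_sync_s4_to_ucs the new guard at new line 752, `if supplementalCredentials != krb5Key_new:`, compares the raw supplementalCredentials value read from S4 with the result of calculate_krb5key(), which appears to be a different representation since it is what gets written to `krb5Key`. The test therefore looks true on almost every run, including `None != ''` when S4 has no supplementalCredentials. If the statements at new lines 753-755 nest the way the old code did (indentation is lost in this view), every sync would set `pwd_changed`, rewrite `krb5Key` and reset `userPassword` to `{K5KEY}`, and an account without supplementalCredentials would have its existing UCS keys replaced by the empty `krb5Key_new`. Comparing like with like and skipping the empty case would avoid this, for example `if krb5Key_new and krb5Key_new != krb5Key_ucs:`, provided both sides are the same type and ordering. The function body starts and ends outside this hunk, so it is worth checking that calculate_krb5key() tolerates `unicodePwd_attr` being None now that the earlier guard is `supplementalCredentials or unicodePwd_attr`.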