Lines 668-678
def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru
|
|
---|
|
668 |
object = s4connector._object_mapping(key, ucs_object, 'ucs') |
668 |
object = s4connector._object_mapping(key, ucs_object, 'ucs') |
669 |
s4_object_attributes = s4connector.lo_s4.get(compatible_modstring(object['dn']), ['objectSid', 'pwdLastSet']) |
669 |
s4_object_attributes = s4connector.lo_s4.get(compatible_modstring(object['dn']), ['objectSid', 'pwdLastSet']) |
670 |
|
670 |
|
671 |
if s4connector.isInCreationList(object['dn']): |
|
|
672 |
s4connector.removeFromCreationList(object['dn']) |
673 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: Synchronisation of password has been canceled. Object was just created.") |
674 |
return |
675 |
|
676 |
pwdLastSet = None |
671 |
pwdLastSet = None |
677 |
if 'pwdLastSet' in s4_object_attributes: |
672 |
if 'pwdLastSet' in s4_object_attributes: |
678 |
pwdLastSet = long(s4_object_attributes['pwdLastSet'][0]) |
673 |
pwdLastSet = long(s4_object_attributes['pwdLastSet'][0]) |
Lines 683-693
def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru
|
|
---|
|
683 |
# if s4_object_attributes.has_key('objectSid'): |
678 |
# if s4_object_attributes.has_key('objectSid'): |
684 |
# rid = str(univention.s4connector.s4.decode_sid(s4_object_attributes['objectSid'][0]).split('-')[-1]) |
679 |
# rid = str(univention.s4connector.s4.decode_sid(s4_object_attributes['objectSid'][0]).split('-')[-1]) |
685 |
|
680 |
|
|
|
681 |
### get current Samba/AD attribute values |
686 |
filter_expr = format_escaped('(objectSid={0!e})', objectSid) |
682 |
filter_expr = format_escaped('(objectSid={0!e})', objectSid) |
687 |
res = s4connector.lo_s4.search(filter=filter_expr, attr=['unicodePwd', 'supplementalCredentials', 'msDS-KeyVersionNumber', 'dBCSPwd']) |
683 |
res = s4connector.lo_s4.search(filter=filter_expr, attr=['unicodePwd', 'supplementalCredentials', 'msDS-KeyVersionNumber', 'dBCSPwd']) |
688 |
s4_search_attributes = res[0][1] |
684 |
s4_search_attributes = res[0][1] |
689 |
|
685 |
msDS_KeyVersionNumber = s4_search_attributes.get('msDS-KeyVersionNumber', [0])[0] |
|
|
686 |
supplementalCredentials = s4_search_attributes.get('supplementalCredentials', [None])[0] |
690 |
unicodePwd_attr = s4_search_attributes.get('unicodePwd', [None])[0] |
687 |
unicodePwd_attr = s4_search_attributes.get('unicodePwd', [None])[0] |
|
|
688 |
|
689 |
### get current OpenLDAP attribute values |
690 |
ucs_object_attributes = s4connector.lo.get(ucs_object['dn'], ['sambaPwdMustChange', 'sambaPwdLastSet', 'sambaNTPassword', 'sambaLMPassword', 'krb5PrincipalName', 'krb5Key', 'krb5KeyVersionNumber', 'userPassword', 'shadowLastChange', 'shadowMax', 'krb5PasswordEnd', 'univentionService']) |
691 |
krb5Principal = ucs_object_attributes.get('krb5PrincipalName', [''])[0] |
692 |
krb5KeyVersionNumber = ucs_object_attributes.get('krb5KeyVersionNumber', [None])[0] |
693 |
krb5Key_ucs = ucs_object_attributes.get('krb5Key', []) |
694 |
|
695 |
### First handle the KeyVersionNumber, even if the user was just created |
696 |
modlist = [] |
697 |
if krb5Principal: |
698 |
if int(msDS_KeyVersionNumber) != int(krb5KeyVersionNumber): |
699 |
modlist.append(('krb5KeyVersionNumber', krb5KeyVersionNumber, msDS_KeyVersionNumber)) |
700 |
|
701 |
if s4connector.isInCreationList(object['dn']): |
702 |
s4connector.removeFromCreationList(object['dn']) |
703 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: Synchronisation of password has been canceled. Object was just created.") |
704 |
if len(modlist) > 0: |
705 |
# ud.debug(ud.LDAP, ud.PROCESS, 'password_sync_s4_to_ucs: Only synchronizing KeyVersionNumber.') |
706 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: modlist: %s" % modlist) |
707 |
s4connector.lo.lo.modify(ucs_object['dn'], modlist) |
708 |
return |
709 |
|
691 |
if unicodePwd_attr: |
710 |
if unicodePwd_attr: |
692 |
ntPwd = binascii.b2a_hex(unicodePwd_attr).upper() |
711 |
ntPwd = binascii.b2a_hex(unicodePwd_attr).upper() |
693 |
|
712 |
|
Lines 696-710
def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru
|
|
---|
|
696 |
if dBCSPwd: |
715 |
if dBCSPwd: |
697 |
lmPwd = binascii.b2a_hex(dBCSPwd).upper() |
716 |
lmPwd = binascii.b2a_hex(dBCSPwd).upper() |
698 |
|
717 |
|
699 |
supplementalCredentials = s4_search_attributes.get('supplementalCredentials', [None])[0] |
|
|
700 |
msDS_KeyVersionNumber = s4_search_attributes.get('msDS-KeyVersionNumber', [0])[0] |
701 |
|
702 |
ntPwd_ucs = '' |
718 |
ntPwd_ucs = '' |
703 |
lmPwd_ucs = '' |
719 |
lmPwd_ucs = '' |
704 |
krb5Principal = '' |
|
|
705 |
userPassword = '' |
720 |
userPassword = '' |
706 |
modlist = [] |
|
|
707 |
ucs_object_attributes = s4connector.lo.get(ucs_object['dn'], ['sambaPwdMustChange', 'sambaPwdLastSet', 'sambaNTPassword', 'sambaLMPassword', 'krb5PrincipalName', 'krb5Key', 'krb5KeyVersionNumber', 'userPassword', 'shadowLastChange', 'shadowMax', 'krb5PasswordEnd', 'univentionService']) |
708 |
|
721 |
|
709 |
services = ucs_object_attributes.get('univentionService', []) |
722 |
services = ucs_object_attributes.get('univentionService', []) |
710 |
if 'S4 SlavePDC' in services: |
723 |
if 'S4 SlavePDC' in services: |
Lines 715-722
def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru
|
|
---|
|
715 |
ntPwd_ucs = ucs_object_attributes['sambaNTPassword'][0] |
728 |
ntPwd_ucs = ucs_object_attributes['sambaNTPassword'][0] |
716 |
if 'sambaLMPassword' in ucs_object_attributes: |
729 |
if 'sambaLMPassword' in ucs_object_attributes: |
717 |
lmPwd_ucs = ucs_object_attributes['sambaLMPassword'][0] |
730 |
lmPwd_ucs = ucs_object_attributes['sambaLMPassword'][0] |
718 |
if 'krb5PrincipalName' in ucs_object_attributes: |
|
|
719 |
krb5Principal = ucs_object_attributes['krb5PrincipalName'][0] |
720 |
if 'userPassword' in ucs_object_attributes: |
731 |
if 'userPassword' in ucs_object_attributes: |
721 |
userPassword = ucs_object_attributes['userPassword'][0] |
732 |
userPassword = ucs_object_attributes['userPassword'][0] |
722 |
sambaPwdLastSet = None |
733 |
sambaPwdLastSet = None |
Lines 727-735
def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru
|
|
---|
|
727 |
if 'sambaPwdMustChange' in ucs_object_attributes: |
738 |
if 'sambaPwdMustChange' in ucs_object_attributes: |
728 |
sambaPwdMustChange = ucs_object_attributes['sambaPwdMustChange'][0] |
739 |
sambaPwdMustChange = ucs_object_attributes['sambaPwdMustChange'][0] |
729 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: sambaPwdMustChange: %s" % sambaPwdMustChange) |
740 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: sambaPwdMustChange: %s" % sambaPwdMustChange) |
730 |
krb5Key_ucs = ucs_object_attributes.get('krb5Key', []) |
|
|
731 |
userPassword_ucs = ucs_object_attributes.get('userPassword', [None])[0] |
741 |
userPassword_ucs = ucs_object_attributes.get('userPassword', [None])[0] |
732 |
krb5KeyVersionNumber = ucs_object_attributes.get('krb5KeyVersionNumber', [None])[0] |
|
|
733 |
|
742 |
|
734 |
pwd_changed = False |
743 |
pwd_changed = False |
735 |
if ntPwd != ntPwd_ucs: |
744 |
if ntPwd != ntPwd_ucs: |
Lines 744-753
def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru
|
|
---|
|
744 |
if krb5Principal: |
753 |
if krb5Principal: |
745 |
# decoding of Samba4 supplementalCredentials |
754 |
# decoding of Samba4 supplementalCredentials |
746 |
krb5Key_new = calculate_krb5key(unicodePwd_attr, supplementalCredentials, int(msDS_KeyVersionNumber)) |
755 |
krb5Key_new = calculate_krb5key(unicodePwd_attr, supplementalCredentials, int(msDS_KeyVersionNumber)) |
747 |
|
|
|
748 |
modlist.append(('krb5Key', krb5Key_ucs, krb5Key_new)) |
756 |
modlist.append(('krb5Key', krb5Key_ucs, krb5Key_new)) |
749 |
if int(msDS_KeyVersionNumber) != int(krb5KeyVersionNumber): |
|
|
750 |
modlist.append(('krb5KeyVersionNumber', krb5KeyVersionNumber, msDS_KeyVersionNumber)) |
751 |
|
757 |
|
752 |
# Append modification as well to modlist, to apply in one transaction |
758 |
# Append modification as well to modlist, to apply in one transaction |
753 |
if modifyUserPassword: |
759 |
if modifyUserPassword: |
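Review bot: The relocated comparison `int(msDS_KeyVersionNumber) != int(krb5KeyVersionNumber)` (new lines 697-699) raises TypeError when the UCS object has a `krb5PrincipalName` but no `krb5KeyVersionNumber`, because the lookup on new line 692 defaults to `[None]`. The same expression existed on the old side, but it now runs ahead of the creation-list check, so a failure there would skip `removeFromCreationList` and the early return for a just-created object. Whether UCS always writes both attributes together is not visible here, so a guard seems prudent, for example `if krb5KeyVersionNumber is None or int(msDS_KeyVersionNumber) != int(krb5KeyVersionNumber):`. The early-return branch would also benefit from a comment stating its intent, such as `# Object was just created: sync only krb5KeyVersionNumber, leave password hashes and krb5Key untouched`. The function starts and ends outside the visible hunks, so later uses of `modlist` could not be checked.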