|
Lines 565-570
def password_sync_ucs_to_s4(s4connector, key, object):
|
| 565 |
else: |
565 |
else: |
| 566 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: Failed to get LM Password-Hash from S4") |
566 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: Failed to get LM Password-Hash from S4") |
| 567 |
|
567 |
|
|
|
568 |
supplementalCredentials_new = None |
| 569 |
if krb5Principal: |
| 570 |
# encoding of Samba4 supplementalCredentials |
| 571 |
if krb5Key: |
| 572 |
supplementalCredentials_new = calculate_supplementalCredentials(krb5Key, supplementalCredentials) |
| 573 |
|
| 568 |
modlist = [] |
574 |
modlist = [] |
| 569 |
if krb5Principal != userPrincipalName_attr: |
575 |
if krb5Principal != userPrincipalName_attr: |
| 570 |
if krb5Principal: |
576 |
if krb5Principal: |
|
Lines 597-602
def password_sync_ucs_to_s4(s4connector, key, object):
|
| 597 |
if pwd_set and unicodePwd_new: |
603 |
if pwd_set and unicodePwd_new: |
| 598 |
modlist.append((ldap.MOD_REPLACE, 'unicodePwd', unicodePwd_new)) |
604 |
modlist.append((ldap.MOD_REPLACE, 'unicodePwd', unicodePwd_new)) |
| 599 |
|
605 |
|
|
|
606 |
if supplementalCredentials_new: |
| 607 |
if supplementalCredentials_new != supplementalCredentials: |
| 608 |
pwd_set = True |
| 609 |
modlist.append((ldap.MOD_REPLACE, 'supplementalCredentials', supplementalCredentials_new)) |
| 610 |
# if supplementalCredentials: |
| 611 |
# modlist.append((ldap.MOD_REPLACE, 'msDS-KeyVersionNumber', krb5KeyVersionNumber)) |
| 612 |
# else: |
| 613 |
# modlist.append((ldap.MOD_ADD, 'msDS-KeyVersionNumber', krb5KeyVersionNumber)) |
| 614 |
else: |
| 615 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: no supplementalCredentials_new") |
| 616 |
|
| 600 |
if not ucsLMhash == s4LMhash: |
617 |
if not ucsLMhash == s4LMhash: |
| 601 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: LM Hash S4: %s LM Hash UCS: %s" % (s4LMhash, ucsLMhash)) |
618 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: LM Hash S4: %s LM Hash UCS: %s" % (s4LMhash, ucsLMhash)) |
| 602 |
pwd_set = True |
619 |
pwd_set = True |
|
Lines 608-626
def password_sync_ucs_to_s4(s4connector, key, object):
|
| 608 |
# modlist.append((ldap.MOD_DELETE, 'dBCSPwd', dBCSPwd_attr)) |
625 |
# modlist.append((ldap.MOD_DELETE, 'dBCSPwd', dBCSPwd_attr)) |
| 609 |
|
626 |
|
| 610 |
if pwd_set or not supplementalCredentials: |
627 |
if pwd_set or not supplementalCredentials: |
| 611 |
if krb5Principal: |
|
|
| 612 |
# encoding of Samba4 supplementalCredentials |
| 613 |
if krb5Key: |
| 614 |
supplementalCredentials_new = calculate_supplementalCredentials(krb5Key, supplementalCredentials) |
| 615 |
if supplementalCredentials_new: |
| 616 |
modlist.append((ldap.MOD_REPLACE, 'supplementalCredentials', supplementalCredentials_new)) |
| 617 |
else: |
| 618 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: no supplementalCredentials_new") |
| 619 |
# if supplementalCredentials: |
| 620 |
# modlist.append((ldap.MOD_REPLACE, 'msDS-KeyVersionNumber', krb5KeyVersionNumber)) |
| 621 |
# else: |
| 622 |
# modlist.append((ldap.MOD_ADD, 'msDS-KeyVersionNumber', krb5KeyVersionNumber)) |
| 623 |
|
| 624 |
if sambaPwdLastSet is None: |
628 |
if sambaPwdLastSet is None: |
| 625 |
sambaPwdLastSet = int(time.time()) |
629 |
sambaPwdLastSet = int(time.time()) |
| 626 |
newpwdlastset = str(univention.s4connector.s4.samba2s4_time(sambaPwdLastSet)) |
630 |
newpwdlastset = str(univention.s4connector.s4.samba2s4_time(sambaPwdLastSet)) |
|
Lines 689-703
def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru
|
| 689 |
s4_search_attributes = res[0][1] |
693 |
s4_search_attributes = res[0][1] |
| 690 |
|
694 |
|
| 691 |
unicodePwd_attr = s4_search_attributes.get('unicodePwd', [None])[0] |
695 |
unicodePwd_attr = s4_search_attributes.get('unicodePwd', [None])[0] |
| 692 |
if unicodePwd_attr: |
696 |
supplementalCredentials = s4_search_attributes.get('supplementalCredentials', [None])[0] |
| 693 |
ntPwd = binascii.b2a_hex(unicodePwd_attr).upper() |
697 |
if supplementalCredentials or unicodePwd_attr: |
|
|
698 |
ntPwd = '' |
| 699 |
if unicodePwd_attr: |
| 700 |
ntPwd = binascii.b2a_hex(unicodePwd_attr).upper() |
| 694 |
|
701 |
|
| 695 |
lmPwd = '' |
702 |
lmPwd = '' |
| 696 |
dBCSPwd = s4_search_attributes.get('dBCSPwd', [None])[0] |
703 |
dBCSPwd = s4_search_attributes.get('dBCSPwd', [None])[0] |
| 697 |
if dBCSPwd: |
704 |
if dBCSPwd: |
| 698 |
lmPwd = binascii.b2a_hex(dBCSPwd).upper() |
705 |
lmPwd = binascii.b2a_hex(dBCSPwd).upper() |
| 699 |
|
706 |
|
| 700 |
supplementalCredentials = s4_search_attributes.get('supplementalCredentials', [None])[0] |
|
|
| 701 |
msDS_KeyVersionNumber = s4_search_attributes.get('msDS-KeyVersionNumber', [0])[0] |
707 |
msDS_KeyVersionNumber = s4_search_attributes.get('msDS-KeyVersionNumber', [0])[0] |
| 702 |
|
708 |
|
| 703 |
ntPwd_ucs = '' |
709 |
ntPwd_ucs = '' |
|
Lines 732-756
def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru
Link Here
|
| 732 |
userPassword_ucs = ucs_object_attributes.get('userPassword', [None])[0] |
738 |
userPassword_ucs = ucs_object_attributes.get('userPassword', [None])[0] |
| 733 |
krb5KeyVersionNumber = ucs_object_attributes.get('krb5KeyVersionNumber', [None])[0] |
739 |
krb5KeyVersionNumber = ucs_object_attributes.get('krb5KeyVersionNumber', [None])[0] |
| 734 |
|
740 |
|
|
|
741 |
krb5Key_new = '' |
| 742 |
if supplementalCredentials: |
| 743 |
if krb5Principal: |
| 744 |
# decoding of Samba4 supplementalCredentials |
| 745 |
krb5Key_new = calculate_krb5key(unicodePwd_attr, supplementalCredentials, int(msDS_KeyVersionNumber)) |
| 746 |
|
| 735 |
pwd_changed = False |
747 |
pwd_changed = False |
| 736 |
if ntPwd != ntPwd_ucs: |
748 |
if ntPwd != ntPwd_ucs: |
| 737 |
pwd_changed = True |
749 |
pwd_changed = True |
| 738 |
modlist.append(('sambaNTPassword', ntPwd_ucs, str(ntPwd))) |
750 |
modlist.append(('sambaNTPassword', ntPwd_ucs, str(ntPwd))) |
| 739 |
|
751 |
|
| 740 |
if lmPwd != lmPwd_ucs: |
752 |
if supplementalCredentials != krb5Key_new: |
| 741 |
pwd_changed = True |
|
|
| 742 |
modlist.append(('sambaLMPassword', lmPwd_ucs, str(lmPwd))) |
| 743 |
|
| 744 |
if pwd_changed: |
| 745 |
if krb5Principal: |
753 |
if krb5Principal: |
| 746 |
# decoding of Samba4 supplementalCredentials |
754 |
pwd_changed = True |
| 747 |
krb5Key_new = calculate_krb5key(unicodePwd_attr, supplementalCredentials, int(msDS_KeyVersionNumber)) |
|
|
| 748 |
|
| 749 |
modlist.append(('krb5Key', krb5Key_ucs, krb5Key_new)) |
755 |
modlist.append(('krb5Key', krb5Key_ucs, krb5Key_new)) |
| 750 |
if int(msDS_KeyVersionNumber) != int(krb5KeyVersionNumber): |
756 |
if int(msDS_KeyVersionNumber) != int(krb5KeyVersionNumber): |
| 751 |
modlist.append(('krb5KeyVersionNumber', krb5KeyVersionNumber, msDS_KeyVersionNumber)) |
757 |
modlist.append(('krb5KeyVersionNumber', krb5KeyVersionNumber, msDS_KeyVersionNumber)) |
| 752 |
|
758 |
|
| 753 |
# Append modification as well to modlist, to apply in one transaction |
759 |
if lmPwd != lmPwd_ucs: |
|
|
760 |
pwd_changed = True |
| 761 |
modlist.append(('sambaLMPassword', lmPwd_ucs, str(lmPwd))) |
| 762 |
|
| 763 |
if pwd_changed: |
| 754 |
if modifyUserPassword: |
764 |
if modifyUserPassword: |
| 755 |
modlist.append(('userPassword', userPassword_ucs, '{K5KEY}')) |
765 |
modlist.append(('userPassword', userPassword_ucs, '{K5KEY}')) |
| 756 |
else: |
766 |
else: |
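Review bot: In `password_sync_s4_to_ucs` the new guard at new line 752, `if supplementalCredentials != krb5Key_new:`, compares the raw S4 `supplementalCredentials` value with the result of `calculate_krb5key`, which the comment at 744 describes as its decoded form, so the two look unlikely ever to be equal and each sync for a user with `krb5Principal` would rewrite `krb5Key` and set `pwd_changed`. When S4 returns `unicodePwd` but no `supplementalCredentials`, the call at 745 is skipped and `krb5Key_new` stays `''`, yet `None != ''` still holds, so the modlist would replace the UCS `krb5Key` with an empty value and the account could be left without Kerberos keys. Comparing against the UCS side and skipping the empty case would avoid both, e.g. `if krb5Principal and krb5Key_new and krb5Key_new != krb5Key_ucs:`; `krb5Key_ucs` is assigned outside the visible lines, so its type needs checking first. Separately, the unchanged line at new line 618 writes both LM hashes into the INFO-level debug log, and logging only that they differ would keep credential material out of log files. Indentation is lost in this rendering, so the nesting described here is inferred.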