Attachment #9152 for bug #45282

View | Details | Raw Unified | Return to bug 45282
Collapse All | Expand All




		sambaPwdLastSet = long(ucs_object_attributes['sambaPwdLastSet'][0])
	ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: sambaPwdLastSet: %s" % sambaPwdLastSet)

	sambaPwdMustChange = -1
	if 'sambaPwdMustChange' in ucs_object_attributes:
		sambaPwdMustChange = long(ucs_object_attributes['sambaPwdMustChange'][0])
		ud.debug(ud.LDAP, ud.WARN, "password_sync_ucs_to_s4: Ignoring sambaPwdMustChange: %s" % sambaPwdMustChange)

	ucsLMhash = ucs_object_attributes.get('sambaLMPassword', [None])[0]
	ucsNThash = ucs_object_attributes.get('sambaNTPassword', [None])[0]

				# else:
				#	modlist.append((ldap.MOD_ADD, 'msDS-KeyVersionNumber', krb5KeyVersionNumber))

		if sambaPwdLastSet is None:
			sambaPwdLastSet = int(time.time())
			newpwdlastset = str(univention.s4connector.s4.samba2s4_time(sambaPwdLastSet))
		elif sambaPwdLastSet in [0, 1]:
			ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: samba pwd expired, set newpwdLastSet to 0")
			newpwdlastset = "0"
		else:
			newpwdlastset = str(univention.s4connector.s4.samba2s4_time(sambaPwdLastSet))
				sambaPwdLastSet = int(time.time())
				newpwdlastset = str(univention.s4connector.s4.samba2s4_time(sambaPwdLastSet))
			elif sambaPwdLastSet in [0, 1]:
				newpwdlastset = "0"
			else:
				newpwdlastset = str(univention.s4connector.s4.samba2s4_time(sambaPwdLastSet))
		ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: pwdlastset in modlist: %s" % newpwdlastset)
		modlist.append((ldap.MOD_REPLACE, 'pwdlastset', newpwdlastset))
		modlist.append((ldap.MOD_REPLACE, 'badPwdCount', '0'))

		sambaPwdMustChange = ''
		if 'sambaPwdMustChange' in ucs_object_attributes:
			sambaPwdMustChange = ucs_object_attributes['sambaPwdMustChange'][0]
		ud.debug(ud.LDAP, ud.WARN, "password_sync_s4_to_ucs: Found sambaPwdMustChange: %s" % sambaPwdMustChange)
		krb5Key_ucs = ucs_object_attributes.get('krb5Key', [])
		userPassword_ucs = ucs_object_attributes.get('userPassword', [None])[0]
		krb5KeyVersionNumber = ucs_object_attributes.get('krb5KeyVersionNumber', [None])[0]

			ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: No password change to sync to UCS")

		if pwd_changed and (pwdLastSet or pwdLastSet == 0):
			newSambaPwdMustChange = sambaPwdMustChange
			if pwdLastSet == 0:  # pwd change on next login
				newSambaPwdMustChange = str(pwdLastSet)
				newSambaPwdLastSet = str(pwdLastSet)
			else:
				newSambaPwdLastSet = str(univention.s4connector.s4.s42samba_time(pwdLastSet))

				if not userobject:
					ud.debug(ud.LDAP, ud.ERROR, "password_sync_s4_to_ucs: couldn't get user-object from UCS")
					return False

				if pwd_changed:
					pass
				elif pwd_changed or (long(sambaPwdMustChange) < time.time() and not pwdLastSet == 0):
					pwhistoryPolicy = userobject.loadPolicyObject('policies/pwhistory')
					try:
						expiryInterval = int(pwhistoryPolicy['expiryInterval'])
						newSambaPwdMustChange = str(long(newSambaPwdLastSet) + (expiryInterval * 3600 * 24))
					except:  # FIXME: which exception is to be caught?
						# expiryInterval is empty or no legal int-string
						pwhistoryPolicy['expiryInterval'] = ''
						expiryInterval = -1
						newSambaPwdMustChange = ''

					ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: pwhistoryPolicy: expiryInterval: %s" % expiryInterval)


				modlist.append(('sambaPwdLastSet', '', newSambaPwdLastSet))
				ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: sambaPwdLastSet in modlist (set): %s" % newSambaPwdLastSet)

			if sambaPwdMustChange:
				modlist.append(('sambaPwdMustChange', sambaPwdMustChange, ''))
				ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: Removing sambaPwdMustChange: %s" % newSambaPwdMustChange)
				if sambaPwdMustChange:
					modlist.append(('sambaPwdMustChange', sambaPwdMustChange, newSambaPwdMustChange))
					ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: sambaPwdMustChange in modlist (replace): %s" % newSambaPwdMustChange)
				else:
					modlist.append(('sambaPwdMustChange', '', newSambaPwdMustChange))
					ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: sambaPwdMustChange in modlist (set): %s" % newSambaPwdMustChange)

		if len(modlist) > 0:
			ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: modlist: %s" % modlist)

Return to bug 45282

Lines 503-512 Link Here

(-)modules/univention/s4connector/s4/password.py (-29 / +12 lines)
503	sambaPwdLastSet = long(ucs_object_attributes['sambaPwdLastSet'][0])	503	sambaPwdLastSet = long(ucs_object_attributes['sambaPwdLastSet'][0])
504	ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: sambaPwdLastSet: %s" % sambaPwdLastSet)	504	ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: sambaPwdLastSet: %s" % sambaPwdLastSet)
505		505
506	sambaPwdMustChange = -1
507	if 'sambaPwdMustChange' in ucs_object_attributes:	506	if 'sambaPwdMustChange' in ucs_object_attributes:
508	sambaPwdMustChange = long(ucs_object_attributes['sambaPwdMustChange'][0])	507	sambaPwdMustChange = long(ucs_object_attributes['sambaPwdMustChange'][0])
509	ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: sambaPwdMustChange: %s" % sambaPwdMustChange)	508	ud.debug(ud.LDAP, ud.WARN, "password_sync_ucs_to_s4: Ignoring sambaPwdMustChange: %s" % sambaPwdMustChange)
510		509
511	ucsLMhash = ucs_object_attributes.get('sambaLMPassword', [None])[0]	510	ucsLMhash = ucs_object_attributes.get('sambaLMPassword', [None])[0]
512	ucsNThash = ucs_object_attributes.get('sambaNTPassword', [None])[0]	511	ucsNThash = ucs_object_attributes.get('sambaNTPassword', [None])[0]
Lines 607-624 Link Here
607	# else:	606	# else:
608	# modlist.append((ldap.MOD_ADD, 'msDS-KeyVersionNumber', krb5KeyVersionNumber))	607	# modlist.append((ldap.MOD_ADD, 'msDS-KeyVersionNumber', krb5KeyVersionNumber))
609		608
610	if sambaPwdMustChange >= 0 and sambaPwdMustChange < time.time():	609	if sambaPwdLastSet is None:
611	# password expired, must be changed on next login	610	sambaPwdLastSet = int(time.time())
		611	newpwdlastset = str(univention.s4connector.s4.samba2s4_time(sambaPwdLastSet))
		612	elif sambaPwdLastSet in [0, 1]:
612	ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: samba pwd expired, set newpwdLastSet to 0")	613	ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: samba pwd expired, set newpwdLastSet to 0")
613	newpwdlastset = "0"	614	newpwdlastset = "0"
614	else:	615	else:
615	if sambaPwdLastSet is None:	616	newpwdlastset = str(univention.s4connector.s4.samba2s4_time(sambaPwdLastSet))
616	sambaPwdLastSet = int(time.time())
617	newpwdlastset = str(univention.s4connector.s4.samba2s4_time(sambaPwdLastSet))
618	elif sambaPwdLastSet in [0, 1]:
619	newpwdlastset = "0"
620	else:
621	newpwdlastset = str(univention.s4connector.s4.samba2s4_time(sambaPwdLastSet))
622	ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: pwdlastset in modlist: %s" % newpwdlastset)	617	ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: pwdlastset in modlist: %s" % newpwdlastset)
623	modlist.append((ldap.MOD_REPLACE, 'pwdlastset', newpwdlastset))	618	modlist.append((ldap.MOD_REPLACE, 'pwdlastset', newpwdlastset))
624	modlist.append((ldap.MOD_REPLACE, 'badPwdCount', '0'))	619	modlist.append((ldap.MOD_REPLACE, 'badPwdCount', '0'))
Lines 716-722 Link Here
716	sambaPwdMustChange = ''	711	sambaPwdMustChange = ''
717	if 'sambaPwdMustChange' in ucs_object_attributes:	712	if 'sambaPwdMustChange' in ucs_object_attributes:
718	sambaPwdMustChange = ucs_object_attributes['sambaPwdMustChange'][0]	713	sambaPwdMustChange = ucs_object_attributes['sambaPwdMustChange'][0]
719	ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: sambaPwdMustChange: %s" % sambaPwdMustChange)	714	ud.debug(ud.LDAP, ud.WARN, "password_sync_s4_to_ucs: Found sambaPwdMustChange: %s" % sambaPwdMustChange)
720	krb5Key_ucs = ucs_object_attributes.get('krb5Key', [])	715	krb5Key_ucs = ucs_object_attributes.get('krb5Key', [])
721	userPassword_ucs = ucs_object_attributes.get('userPassword', [None])[0]	716	userPassword_ucs = ucs_object_attributes.get('userPassword', [None])[0]
722	krb5KeyVersionNumber = ucs_object_attributes.get('krb5KeyVersionNumber', [None])[0]	717	krb5KeyVersionNumber = ucs_object_attributes.get('krb5KeyVersionNumber', [None])[0]
Lines 774-782 Link Here
774	ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: No password change to sync to UCS")	769	ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: No password change to sync to UCS")
775		770
776	if pwd_changed and (pwdLastSet or pwdLastSet == 0):	771	if pwd_changed and (pwdLastSet or pwdLastSet == 0):
777	newSambaPwdMustChange = sambaPwdMustChange
778	if pwdLastSet == 0: # pwd change on next login	772	if pwdLastSet == 0: # pwd change on next login
779	newSambaPwdMustChange = str(pwdLastSet)
780	newSambaPwdLastSet = str(pwdLastSet)	773	newSambaPwdLastSet = str(pwdLastSet)
781	else:	774	else:
782	newSambaPwdLastSet = str(univention.s4connector.s4.s42samba_time(pwdLastSet))	775	newSambaPwdLastSet = str(univention.s4connector.s4.s42samba_time(pwdLastSet))
Lines 784-802 Link Here
784	if not userobject:	777	if not userobject:
785	ud.debug(ud.LDAP, ud.ERROR, "password_sync_s4_to_ucs: couldn't get user-object from UCS")	778	ud.debug(ud.LDAP, ud.ERROR, "password_sync_s4_to_ucs: couldn't get user-object from UCS")
786	return False	779	return False
787	sambaPwdMustChange = sambaPwdMustChange.strip()	780
788	if not sambaPwdMustChange.isdigit():	781	if pwd_changed:
789	pass
790	elif pwd_changed or (long(sambaPwdMustChange) < time.time() and not pwdLastSet == 0):
791	pwhistoryPolicy = userobject.loadPolicyObject('policies/pwhistory')	782	pwhistoryPolicy = userobject.loadPolicyObject('policies/pwhistory')
792	try:	783	try:
793	expiryInterval = int(pwhistoryPolicy['expiryInterval'])	784	expiryInterval = int(pwhistoryPolicy['expiryInterval'])
794	newSambaPwdMustChange = str(long(newSambaPwdLastSet) + (expiryInterval * 3600 * 24))
795	except: # FIXME: which exception is to be caught?	785	except: # FIXME: which exception is to be caught?
796	# expiryInterval is empty or no legal int-string	786	# expiryInterval is empty or no legal int-string
797	pwhistoryPolicy['expiryInterval'] = ''	787	pwhistoryPolicy['expiryInterval'] = ''
798	expiryInterval = -1	788	expiryInterval = -1
799	newSambaPwdMustChange = ''
800		789
801	ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: pwhistoryPolicy: expiryInterval: %s" % expiryInterval)	790	ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: pwhistoryPolicy: expiryInterval: %s" % expiryInterval)
802		791
Lines 808-822 Link Here
808	modlist.append(('sambaPwdLastSet', '', newSambaPwdLastSet))	797	modlist.append(('sambaPwdLastSet', '', newSambaPwdLastSet))
809	ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: sambaPwdLastSet in modlist (set): %s" % newSambaPwdLastSet)	798	ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: sambaPwdLastSet in modlist (set): %s" % newSambaPwdLastSet)
810		799
811	if sambaPwdMustChange != newSambaPwdMustChange:	800	if sambaPwdMustChange:
812	# change if password has changed or "change pwd on next login" is not set	801	modlist.append(('sambaPwdMustChange', sambaPwdMustChange, ''))
813	# set sambaPwdMustChange regarding to the univention-policy	802	ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: Removing sambaPwdMustChange: %s" % newSambaPwdMustChange)
814	if sambaPwdMustChange:
815	modlist.append(('sambaPwdMustChange', sambaPwdMustChange, newSambaPwdMustChange))
816	ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: sambaPwdMustChange in modlist (replace): %s" % newSambaPwdMustChange)
817	else:
818	modlist.append(('sambaPwdMustChange', '', newSambaPwdMustChange))
819	ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: sambaPwdMustChange in modlist (set): %s" % newSambaPwdMustChange)
820		803
821	if len(modlist) > 0:	804	if len(modlist) > 0:
822	ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: modlist: %s" % modlist)	805	ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: modlist: %s" % modlist)