Attachment #9405 for bug #32082

View | Details | Raw Unified | Return to bug 32082
Collapse All | Expand All




	object = s4connector._object_mapping(key, ucs_object, 'ucs')
	s4_object_attributes = s4connector.lo_s4.get(compatible_modstring(object['dn']), ['objectSid', 'pwdLastSet'])

	if s4connector.isInCreationList(object['dn']):
		s4connector.removeFromCreationList(object['dn'])
		ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: Synchronisation of password has been canceled. Object was just created.")
		return

	pwdLastSet = None
	if 'pwdLastSet' in s4_object_attributes:
		pwdLastSet = long(s4_object_attributes['pwdLastSet'][0])

	# if s4_object_attributes.has_key('objectSid'):
	# 	rid = str(univention.s4connector.s4.decode_sid(s4_object_attributes['objectSid'][0]).split('-')[-1])

	### get current Samba/AD attribute values
	filter_expr = format_escaped('(objectSid={0!e})', objectSid)
	res = s4connector.lo_s4.search(filter=filter_expr, attr=['unicodePwd', 'supplementalCredentials', 'msDS-KeyVersionNumber', 'dBCSPwd'])
	s4_search_attributes = res[0][1]
	msDS_KeyVersionNumber = s4_search_attributes.get('msDS-KeyVersionNumber', [0])[0]
	supplementalCredentials = s4_search_attributes.get('supplementalCredentials', [None])[0]
	unicodePwd_attr = s4_search_attributes.get('unicodePwd', [None])[0]

	### get current OpenLDAP attribute values
	ucs_object_attributes = s4connector.lo.get(ucs_object['dn'], ['sambaPwdMustChange', 'sambaPwdLastSet', 'sambaNTPassword', 'sambaLMPassword', 'krb5PrincipalName', 'krb5Key', 'krb5KeyVersionNumber', 'userPassword', 'shadowLastChange', 'shadowMax', 'krb5PasswordEnd', 'univentionService'])
	krb5Principal = ucs_object_attributes.get('krb5PrincipalName', [''])[0]
	krb5KeyVersionNumber = ucs_object_attributes.get('krb5KeyVersionNumber', [None])[0]
	krb5Key_ucs = ucs_object_attributes.get('krb5Key', [])

	### First handle the KeyVersionNumber, even if the user was just created
	modlist = []
	if krb5Principal:
		if int(msDS_KeyVersionNumber) != int(krb5KeyVersionNumber):
			modlist.append(('krb5KeyVersionNumber', krb5KeyVersionNumber, msDS_KeyVersionNumber))

	if s4connector.isInCreationList(object['dn']):
		s4connector.removeFromCreationList(object['dn'])
		ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: Synchronisation of password has been canceled. Object was just created.")
		if len(modlist) > 0:
			# ud.debug(ud.LDAP, ud.PROCESS, 'password_sync_s4_to_ucs: Only synchronizing KeyVersionNumber.')
			ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: modlist: %s" % modlist)
			s4connector.lo.lo.modify(ucs_object['dn'], modlist)
		return

	if unicodePwd_attr:
		ntPwd = binascii.b2a_hex(unicodePwd_attr).upper()


		if dBCSPwd:
			lmPwd = binascii.b2a_hex(dBCSPwd).upper()

		supplementalCredentials = s4_search_attributes.get('supplementalCredentials', [None])[0]
		msDS_KeyVersionNumber = s4_search_attributes.get('msDS-KeyVersionNumber', [0])[0]

		ntPwd_ucs = ''
		lmPwd_ucs = ''
		krb5Principal = ''
		userPassword = ''
		modlist = []
		ucs_object_attributes = s4connector.lo.get(ucs_object['dn'], ['sambaPwdMustChange', 'sambaPwdLastSet', 'sambaNTPassword', 'sambaLMPassword', 'krb5PrincipalName', 'krb5Key', 'krb5KeyVersionNumber', 'userPassword', 'shadowLastChange', 'shadowMax', 'krb5PasswordEnd', 'univentionService'])

		services = ucs_object_attributes.get('univentionService', [])
		if 'S4 SlavePDC' in services:

			ntPwd_ucs = ucs_object_attributes['sambaNTPassword'][0]
		if 'sambaLMPassword' in ucs_object_attributes:
			lmPwd_ucs = ucs_object_attributes['sambaLMPassword'][0]
		if 'krb5PrincipalName' in ucs_object_attributes:
			krb5Principal = ucs_object_attributes['krb5PrincipalName'][0]
		if 'userPassword' in ucs_object_attributes:
			userPassword = ucs_object_attributes['userPassword'][0]
		sambaPwdLastSet = None

		if 'sambaPwdMustChange' in ucs_object_attributes:
			sambaPwdMustChange = ucs_object_attributes['sambaPwdMustChange'][0]
		ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: sambaPwdMustChange: %s" % sambaPwdMustChange)
		krb5Key_ucs = ucs_object_attributes.get('krb5Key', [])
		userPassword_ucs = ucs_object_attributes.get('userPassword', [None])[0]
		krb5KeyVersionNumber = ucs_object_attributes.get('krb5KeyVersionNumber', [None])[0]

		pwd_changed = False
		if ntPwd != ntPwd_ucs:

			if krb5Principal:
				# decoding of Samba4 supplementalCredentials
				krb5Key_new = calculate_krb5key(unicodePwd_attr, supplementalCredentials, int(msDS_KeyVersionNumber))

				modlist.append(('krb5Key', krb5Key_ucs, krb5Key_new))
				if int(msDS_KeyVersionNumber) != int(krb5KeyVersionNumber):
					modlist.append(('krb5KeyVersionNumber', krb5KeyVersionNumber, msDS_KeyVersionNumber))

			# Append modification as well to modlist, to apply in one transaction
			if modifyUserPassword:

Return to bug 32082

Lines 668-678 def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru Link Here

(-)a/services/univention-s4-connector/modules/univention/s4connector/s4/password.py (-19 / +25 lines)
668	object = s4connector._object_mapping(key, ucs_object, 'ucs')	668	object = s4connector._object_mapping(key, ucs_object, 'ucs')
669	s4_object_attributes = s4connector.lo_s4.get(compatible_modstring(object['dn']), ['objectSid', 'pwdLastSet'])	669	s4_object_attributes = s4connector.lo_s4.get(compatible_modstring(object['dn']), ['objectSid', 'pwdLastSet'])
670		670
671	if s4connector.isInCreationList(object['dn']):
672	s4connector.removeFromCreationList(object['dn'])
673	ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: Synchronisation of password has been canceled. Object was just created.")
674	return
675
676	pwdLastSet = None	671	pwdLastSet = None
677	if 'pwdLastSet' in s4_object_attributes:	672	if 'pwdLastSet' in s4_object_attributes:
678	pwdLastSet = long(s4_object_attributes['pwdLastSet'][0])	673	pwdLastSet = long(s4_object_attributes['pwdLastSet'][0])
Lines 683-693 def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru Link Here
683	# if s4_object_attributes.has_key('objectSid'):	678	# if s4_object_attributes.has_key('objectSid'):
684	# rid = str(univention.s4connector.s4.decode_sid(s4_object_attributes['objectSid'][0]).split('-')[-1])	679	# rid = str(univention.s4connector.s4.decode_sid(s4_object_attributes['objectSid'][0]).split('-')[-1])
685		680
		681	### get current Samba/AD attribute values
686	filter_expr = format_escaped('(objectSid={0!e})', objectSid)	682	filter_expr = format_escaped('(objectSid={0!e})', objectSid)
687	res = s4connector.lo_s4.search(filter=filter_expr, attr=['unicodePwd', 'supplementalCredentials', 'msDS-KeyVersionNumber', 'dBCSPwd'])	683	res = s4connector.lo_s4.search(filter=filter_expr, attr=['unicodePwd', 'supplementalCredentials', 'msDS-KeyVersionNumber', 'dBCSPwd'])
688	s4_search_attributes = res[0][1]	684	s4_search_attributes = res[0][1]
689		685	msDS_KeyVersionNumber = s4_search_attributes.get('msDS-KeyVersionNumber', [0])[0]
		686	supplementalCredentials = s4_search_attributes.get('supplementalCredentials', [None])[0]
690	unicodePwd_attr = s4_search_attributes.get('unicodePwd', [None])[0]	687	unicodePwd_attr = s4_search_attributes.get('unicodePwd', [None])[0]
		688
		689	### get current OpenLDAP attribute values
		690	ucs_object_attributes = s4connector.lo.get(ucs_object['dn'], ['sambaPwdMustChange', 'sambaPwdLastSet', 'sambaNTPassword', 'sambaLMPassword', 'krb5PrincipalName', 'krb5Key', 'krb5KeyVersionNumber', 'userPassword', 'shadowLastChange', 'shadowMax', 'krb5PasswordEnd', 'univentionService'])
		691	krb5Principal = ucs_object_attributes.get('krb5PrincipalName', [''])[0]
		692	krb5KeyVersionNumber = ucs_object_attributes.get('krb5KeyVersionNumber', [None])[0]
		693	krb5Key_ucs = ucs_object_attributes.get('krb5Key', [])
		694
		695	### First handle the KeyVersionNumber, even if the user was just created
		696	modlist = []
		697	if krb5Principal:
		698	if int(msDS_KeyVersionNumber) != int(krb5KeyVersionNumber):
		699	modlist.append(('krb5KeyVersionNumber', krb5KeyVersionNumber, msDS_KeyVersionNumber))
		700
		701	if s4connector.isInCreationList(object['dn']):
		702	s4connector.removeFromCreationList(object['dn'])
		703	ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: Synchronisation of password has been canceled. Object was just created.")
		704	if len(modlist) > 0:
		705	# ud.debug(ud.LDAP, ud.PROCESS, 'password_sync_s4_to_ucs: Only synchronizing KeyVersionNumber.')
		706	ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: modlist: %s" % modlist)
		707	s4connector.lo.lo.modify(ucs_object['dn'], modlist)
		708	return
		709
691	if unicodePwd_attr:	710	if unicodePwd_attr:
692	ntPwd = binascii.b2a_hex(unicodePwd_attr).upper()	711	ntPwd = binascii.b2a_hex(unicodePwd_attr).upper()
693		712
Lines 696-710 def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru Link Here
696	if dBCSPwd:	715	if dBCSPwd:
697	lmPwd = binascii.b2a_hex(dBCSPwd).upper()	716	lmPwd = binascii.b2a_hex(dBCSPwd).upper()
698		717
699	supplementalCredentials = s4_search_attributes.get('supplementalCredentials', [None])[0]
700	msDS_KeyVersionNumber = s4_search_attributes.get('msDS-KeyVersionNumber', [0])[0]
701
702	ntPwd_ucs = ''	718	ntPwd_ucs = ''
703	lmPwd_ucs = ''	719	lmPwd_ucs = ''
704	krb5Principal = ''
705	userPassword = ''	720	userPassword = ''
706	modlist = []
707	ucs_object_attributes = s4connector.lo.get(ucs_object['dn'], ['sambaPwdMustChange', 'sambaPwdLastSet', 'sambaNTPassword', 'sambaLMPassword', 'krb5PrincipalName', 'krb5Key', 'krb5KeyVersionNumber', 'userPassword', 'shadowLastChange', 'shadowMax', 'krb5PasswordEnd', 'univentionService'])
708		721
709	services = ucs_object_attributes.get('univentionService', [])	722	services = ucs_object_attributes.get('univentionService', [])
710	if 'S4 SlavePDC' in services:	723	if 'S4 SlavePDC' in services:
Lines 715-722 def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru Link Here
715	ntPwd_ucs = ucs_object_attributes['sambaNTPassword'][0]	728	ntPwd_ucs = ucs_object_attributes['sambaNTPassword'][0]
716	if 'sambaLMPassword' in ucs_object_attributes:	729	if 'sambaLMPassword' in ucs_object_attributes:
717	lmPwd_ucs = ucs_object_attributes['sambaLMPassword'][0]	730	lmPwd_ucs = ucs_object_attributes['sambaLMPassword'][0]
718	if 'krb5PrincipalName' in ucs_object_attributes:
719	krb5Principal = ucs_object_attributes['krb5PrincipalName'][0]
720	if 'userPassword' in ucs_object_attributes:	731	if 'userPassword' in ucs_object_attributes:
721	userPassword = ucs_object_attributes['userPassword'][0]	732	userPassword = ucs_object_attributes['userPassword'][0]
722	sambaPwdLastSet = None	733	sambaPwdLastSet = None
Lines 727-735 def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru Link Here
727	if 'sambaPwdMustChange' in ucs_object_attributes:	738	if 'sambaPwdMustChange' in ucs_object_attributes:
728	sambaPwdMustChange = ucs_object_attributes['sambaPwdMustChange'][0]	739	sambaPwdMustChange = ucs_object_attributes['sambaPwdMustChange'][0]
729	ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: sambaPwdMustChange: %s" % sambaPwdMustChange)	740	ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: sambaPwdMustChange: %s" % sambaPwdMustChange)
730	krb5Key_ucs = ucs_object_attributes.get('krb5Key', [])
731	userPassword_ucs = ucs_object_attributes.get('userPassword', [None])[0]	741	userPassword_ucs = ucs_object_attributes.get('userPassword', [None])[0]
732	krb5KeyVersionNumber = ucs_object_attributes.get('krb5KeyVersionNumber', [None])[0]
733		742
734	pwd_changed = False	743	pwd_changed = False
735	if ntPwd != ntPwd_ucs:	744	if ntPwd != ntPwd_ucs:
Lines 744-753 def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru Link Here
744	if krb5Principal:	753	if krb5Principal:
745	# decoding of Samba4 supplementalCredentials	754	# decoding of Samba4 supplementalCredentials
746	krb5Key_new = calculate_krb5key(unicodePwd_attr, supplementalCredentials, int(msDS_KeyVersionNumber))	755	krb5Key_new = calculate_krb5key(unicodePwd_attr, supplementalCredentials, int(msDS_KeyVersionNumber))
747
748	modlist.append(('krb5Key', krb5Key_ucs, krb5Key_new))	756	modlist.append(('krb5Key', krb5Key_ucs, krb5Key_new))
749	if int(msDS_KeyVersionNumber) != int(krb5KeyVersionNumber):
750	modlist.append(('krb5KeyVersionNumber', krb5KeyVersionNumber, msDS_KeyVersionNumber))
751		757
752	# Append modification as well to modlist, to apply in one transaction	758	# Append modification as well to modlist, to apply in one transaction
753	if modifyUserPassword:	759	if modifyUserPassword: