Univention Bugzilla – Attachment 9608 Details for
Bug 47391
Password reset is not correctly synced from s4toucs if the same password is used again
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Bug47391_untested_proposal.patch
Bug47391_untested_proposal.patch (text/plain), 9.05 KB, created by
Arvid Requate
on 2018-07-24 13:27:15 CEST
(
hide
)
Description:
Bug47391_untested_proposal.patch
Filename:
MIME Type:
Creator:
Arvid Requate
Created:
2018-07-24 13:27:15 CEST
Size:
9.05 KB
patch
obsolete
>From 300985b91bdc8cc383b51276bf2c27e6d70d0006 Mon Sep 17 00:00:00 2001 >From: Arvid Requate <requate@univention.de> >Date: Tue, 24 Jul 2018 12:57:18 +0200 >Subject: [PATCH 1/2] Bug #47391: Cleanup: Don't s4search twice > >--- > .../modules/univention/s4connector/s4/password.py | 39 +++++++--------------- > 1 file changed, 12 insertions(+), 27 deletions(-) > >diff --git a/services/univention-s4-connector/modules/univention/s4connector/s4/password.py b/services/univention-s4-connector/modules/univention/s4connector/s4/password.py >index 948bfe627f..583c4a55bf 100644 >--- a/services/univention-s4-connector/modules/univention/s4connector/s4/password.py >+++ b/services/univention-s4-connector/modules/univention/s4connector/s4/password.py >@@ -532,26 +532,20 @@ def password_sync_ucs_to_s4(s4connector, key, object): > > # ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: Password-Hash from UCS: %s" % ucsNThash) > >- s4_object_attributes = s4connector.lo_s4.get(compatible_modstring(object['dn']), ['pwdLastSet', 'objectSid']) >+ s4_object_attributes = s4connector.lo_s4.get(compatible_modstring(object['dn']), ['pwdLastSet', 'unicodePwd', 'userPrincipalName', 'supplementalCredentials', 'msDS-KeyVersionNumber', 'dBCSPwd']) > pwdLastSet = None > if 'pwdLastSet' in s4_object_attributes: > pwdLastSet = long(s4_object_attributes['pwdLastSet'][0]) > objectSid = univention.s4connector.s4.decode_sid(s4_object_attributes['objectSid'][0]) > ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: pwdLastSet from S4 : %s" % pwdLastSet) >- # rid = None >- # if s4_object_attributes.has_key('objectSid'): >- # rid = str(univention.s4connector.s4.decode_sid(s4_object_attributes['objectSid'][0]).split('-')[-1]) > > pwd_set = False >- filter_expr = format_escaped('(objectSid={0!e})', objectSid) >- res = s4connector.lo_s4.search(filter=filter_expr, attr=['unicodePwd', 'userPrincipalName', 'supplementalCredentials', 'msDS-KeyVersionNumber', 'dBCSPwd']) >- s4_search_attributes = res[0][1] >- >- unicodePwd_attr = s4_search_attributes.get('unicodePwd', [None])[0] >- dBCSPwd_attr = s4_search_attributes.get('dBCSPwd', [None])[0] >- userPrincipalName_attr = s4_search_attributes.get('userPrincipalName', [None])[0] >- supplementalCredentials = s4_search_attributes.get('supplementalCredentials', [None])[0] >- msDS_KeyVersionNumber = s4_search_attributes.get('msDS-KeyVersionNumber', [0])[0] >+ >+ unicodePwd_attr = s4_object_attributes.get('unicodePwd', [None])[0] >+ dBCSPwd_attr = s4_object_attributes.get('dBCSPwd', [None])[0] >+ userPrincipalName_attr = s4_object_attributes.get('userPrincipalName', [None])[0] >+ supplementalCredentials = s4_object_attributes.get('supplementalCredentials', [None])[0] >+ msDS_KeyVersionNumber = s4_object_attributes.get('msDS-KeyVersionNumber', [0])[0] > # ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: Password-Hash from S4: %s" % unicodePwd_attr) > > s4NThash = None >@@ -666,7 +660,7 @@ def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru > return > > object = s4connector._object_mapping(key, ucs_object, 'ucs') >- s4_object_attributes = s4connector.lo_s4.get(compatible_modstring(object['dn']), ['objectSid', 'pwdLastSet']) >+ s4_object_attributes = s4connector.lo_s4.get(compatible_modstring(object['dn']), ['pwdLastSet', 'unicodePwd', 'supplementalCredentials', 'msDS-KeyVersionNumber', 'dBCSPwd']) > > if s4connector.isInCreationList(object['dn']): > s4connector.removeFromCreationList(object['dn']) >@@ -677,27 +671,18 @@ def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru > if 'pwdLastSet' in s4_object_attributes: > pwdLastSet = long(s4_object_attributes['pwdLastSet'][0]) > ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: pwdLastSet from S4: %s (%s)" % (pwdLastSet, s4_object_attributes)) >- objectSid = univention.s4connector.s4.decode_sid(s4_object_attributes['objectSid'][0]) >- >- # rid = None >- # if s4_object_attributes.has_key('objectSid'): >- # rid = str(univention.s4connector.s4.decode_sid(s4_object_attributes['objectSid'][0]).split('-')[-1]) >- >- filter_expr = format_escaped('(objectSid={0!e})', objectSid) >- res = s4connector.lo_s4.search(filter=filter_expr, attr=['unicodePwd', 'supplementalCredentials', 'msDS-KeyVersionNumber', 'dBCSPwd']) >- s4_search_attributes = res[0][1] > >- unicodePwd_attr = s4_search_attributes.get('unicodePwd', [None])[0] >+ unicodePwd_attr = s4_object_attributes.get('unicodePwd', [None])[0] > if unicodePwd_attr: > ntPwd = binascii.b2a_hex(unicodePwd_attr).upper() > > lmPwd = '' >- dBCSPwd = s4_search_attributes.get('dBCSPwd', [None])[0] >+ dBCSPwd = s4_object_attributes.get('dBCSPwd', [None])[0] > if dBCSPwd: > lmPwd = binascii.b2a_hex(dBCSPwd).upper() > >- supplementalCredentials = s4_search_attributes.get('supplementalCredentials', [None])[0] >- msDS_KeyVersionNumber = s4_search_attributes.get('msDS-KeyVersionNumber', [0])[0] >+ supplementalCredentials = s4_object_attributes.get('supplementalCredentials', [None])[0] >+ msDS_KeyVersionNumber = s4_object_attributes.get('msDS-KeyVersionNumber', [0])[0] > > ntPwd_ucs = '' > lmPwd_ucs = '' >-- >2.11.0 > > >From 7fd75260f61042825db1053597c45ce4f92f93c7 Mon Sep 17 00:00:00 2001 >From: Arvid Requate <requate@univention.de> >Date: Tue, 24 Jul 2018 13:18:27 +0200 >Subject: [PATCH 2/2] Bug #47391: sync_to_ucs: update shadowLastChange if > pwdLastSet changed, even if the hashes didn't > >--- > .../modules/univention/s4connector/__init__.py | 1 + > .../modules/univention/s4connector/s4/password.py | 17 ++++++++++++----- > 2 files changed, 13 insertions(+), 5 deletions(-) > >diff --git a/services/univention-s4-connector/modules/univention/s4connector/__init__.py b/services/univention-s4-connector/modules/univention/s4connector/__init__.py >index a1ef180c33..9e18f955bb 100644 >--- a/services/univention-s4-connector/modules/univention/s4connector/__init__.py >+++ b/services/univention-s4-connector/modules/univention/s4connector/__init__.py >@@ -1554,6 +1554,7 @@ class ucs: > ud.debug(ud.LDAP, ud.INFO, "sync_to_ucs: old_s4_object: %s" % old_s4_object) > ud.debug(ud.LDAP, ud.INFO, "sync_to_ucs: new_s4_object: %s" % original_object['attributes']) > if old_s4_object: >+ object['old_s4_object'] = old_s4_object > for attr in original_object['attributes']: > if old_s4_object.get(attr) != original_object['attributes'].get(attr): > object['changed_attributes'].append(attr) >diff --git a/services/univention-s4-connector/modules/univention/s4connector/s4/password.py b/services/univention-s4-connector/modules/univention/s4connector/s4/password.py >index 583c4a55bf..2556fe1d38 100644 >--- a/services/univention-s4-connector/modules/univention/s4connector/s4/password.py >+++ b/services/univention-s4-connector/modules/univention/s4connector/s4/password.py >@@ -737,12 +737,22 @@ def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru > # Append modification as well to modlist, to apply in one transaction > if modifyUserPassword: > modlist.append(('userPassword', userPassword_ucs, '{K5KEY}')) >+ else: >+ ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: No password change to sync to UCS") >+ >+ try: >+ old_pwdLastSet = object['old_s4_object']['pwdLastSet'][0] >+ except (KeyError, IndexError): >+ old_pwdLastSet = None > >+ if pwdLastSet != old_pwdLastSet: >+ ud.debug(ud.LDAP, ud.ALL, "password_sync_s4_to_ucs: updating shadowLastChange") > # Update password expiry interval > # > # update shadowLastChange to now > old_shadowLastChange = ucs_object_attributes.get('shadowLastChange', [None])[0] >- new_shadowLastChange = str(long(time.time()) / 3600 / 24) >+ pwdLastSet_unix = univention.s4connector.s4.s42unix_time(pwdLastSet) >+ new_shadowLastChange = str(pwdLastSet_unix) > ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: update shadowLastChange to %s for %s" % (new_shadowLastChange, ucs_object['dn'])) > modlist.append(('shadowLastChange', old_shadowLastChange, new_shadowLastChange)) > # shadowMax (set to value of univentionPWExpiryInterval, otherwise delete) >@@ -758,17 +768,14 @@ def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru > pwexp_value = pwexp.get('value', [None])[0] > if pwexp_value: > new_shadowMax = pwexp_value >- new_krb5end = time.strftime("%Y%m%d000000Z", time.gmtime((long(time.time()) + (int(pwexp_value) * 3600 * 24)))) >+ new_krb5end = time.strftime("%Y%m%d000000Z", pwdLastSet_unix + (int(pwexp_value) * 3600 * 24)))) > if old_shadowMax or new_shadowMax: > ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: update shadowMax to %s for %s" % (new_shadowMax, ucs_object['dn'])) > modlist.append(('shadowMax', old_shadowMax, new_shadowMax)) > if old_krb5end or new_krb5end: > ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: update krb5PasswordEnd to %s for %s" % (new_krb5end, ucs_object['dn'])) > modlist.append(('krb5PasswordEnd', old_krb5end, new_krb5end)) >- else: >- ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: No password change to sync to UCS") > >- if pwd_changed and (pwdLastSet or pwdLastSet == 0): > newSambaPwdMustChange = sambaPwdMustChange > if pwdLastSet == 0: # pwd change on next login > newSambaPwdMustChange = str(pwdLastSet) >-- >2.11.0 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=9608">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 47391
:
9604
|
9605
|
9606
|
9607
| 9608 |
9623