diff --git services/univention-s4-connector/modules/univention/s4connector/s4/password.py services/univention-s4-connector/modules/univention/s4connector/s4/password.py
index 9267cf2d3d..a642444d2b 100644
--- services/univention-s4-connector/modules/univention/s4connector/s4/password.py
+++ services/univention-s4-connector/modules/univention/s4connector/s4/password.py
@@ -34,6 +34,7 @@ import time
 import ldap
+import univention.admin.password
 import univention.debug2 as ud
 import univention.s4connector.s4
 from univention.s4connector.s4 import compatible_modstring
@@ -877,12 +878,13 @@ def lockout_sync_s4_to_ucs(s4connector, key, ucs_object):
 modlist = []
 try:
- ucs_object_attributes = s4connector.lo.get(ucs_object['dn'], ['sambaAcctFlags', 'sambaBadPasswordTime'], required=True)
+ ucs_object_attributes = s4connector.lo.get(ucs_object['dn'], ['sambaAcctFlags', 'sambaBadPasswordTime', 'userPassword'], required=True)
 except ldap.NO_SUCH_OBJECT:
 ud.debug(ud.LDAP, ud.WARN, "%s: The UCS object (%s) was not found. The object was removed." % (function_name, ucs_object['dn']))
 return
 sambaAcctFlags = ucs_object_attributes.get('sambaAcctFlags', [''])[0]
 sambaBadPasswordTime = ucs_object_attributes.get('sambaBadPasswordTime', ["0"])[0]
+ old_password_hash = ucs_object_attributes.get('userPassword', [''])[0]
 lockoutTime = ucs_object['attributes'].get('lockoutTime', ['0'])[0]
 if lockoutTime != "0":
@@ -898,6 +900,10 @@ def lockout_sync_s4_to_ucs(s4connector, key, ucs_object):
 if sambaBadPasswordTime:
 ud.debug(ud.LDAP, ud.INFO, "%s: Old sambaBadPasswordTime: %s" % (function_name, sambaBadPasswordTime))
 modlist.append(('sambaBadPasswordTime', sambaBadPasswordTime, badPasswordTime))
+
+ new_password_hash = univention.admin.password.lock_password(old_password_hash)
+ if new_password_hash != old_password_hash:
+ modlist.append(('userPassword', old_password_hash, new_password_hash))
 else:
 if "L" in sambaAcctFlags:
 acctFlags = univention.admin.samba.acctFlags(sambaAcctFlags)
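Review bot: `old_password_hash` falls back to `''` in the `@@ -877,12 +878,13 @@` hunk when the UCS entry has no `userPassword`, and that empty string is then handed to `lock_password()` in `@@ -898,6 +900,10 @@` and to `unlock_password()` in `@@ -909,6 +915,9 @@`. Neither helper is visible in this diff, so what they return for an empty input cannot be confirmed from here; if the result is non-empty, the modlist would create a `userPassword` value on an account that never had one. Guarding each call with `if old_password_hash:` would keep accounts without a password hash untouched. Only the first `userPassword` value is read via `[0]`, which deserves a short comment such as `# only the first userPassword value is locked/unlocked` if multi-valued entries can occur. The body of `lockout_sync_s4_to_ucs` starts and ends outside these hunks.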
@@ -909,6 +915,9 @@ def lockout_sync_s4_to_ucs(s4connector, key, ucs_object):
 ud.debug(ud.LDAP, ud.PROCESS, "%s: Unsetting sambaBadPasswordTime: %s" % (function_name, sambaBadPasswordTime))
 modlist.append(('sambaBadPasswordTime', sambaBadPasswordTime, "0"))
+ new_password_hash = univention.admin.password.unlock_password(old_password_hash)
+ if new_password_hash != old_password_hash:
+ modlist.append(('userPassword', old_password_hash, new_password_hash))
 if modlist:
 ud.debug(ud.LDAP, ud.ALL, "%s: modlist: %s" % (function_name, modlist))
 s4connector.lo.lo.modify(ucs_object['dn'], modlist)
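Review bot: The unchanged `ud.debug(ud.LDAP, ud.ALL, "%s: modlist: %s" ...)` line right after the added block now writes the old and new `userPassword` hashes into the connector log whenever that debug level is active. Both new `modlist.append(('userPassword', ...))` calls, here and in `@@ -898,6 +900,10 @@`, put the raw values into `modlist`. Password hashes in log files widen the set of readers and outlive the directory entry through rotation and backups, so the logged copy should be redacted. For example, build `safe = [(a, '***', '***') if a == 'userPassword' else (a, o, n) for a, o, n in modlist]` and pass `safe` to the debug call while still handing the real `modlist` to `modify()`. The function body starts outside this hunk.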