|
503 |
sambaPwdLastSet = long(ucs_object_attributes['sambaPwdLastSet'][0]) |
503 |
sambaPwdLastSet = long(ucs_object_attributes['sambaPwdLastSet'][0]) |
504 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: sambaPwdLastSet: %s" % sambaPwdLastSet) |
504 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: sambaPwdLastSet: %s" % sambaPwdLastSet) |
505 |
|
505 |
|
506 |
sambaPwdMustChange = -1 |
|
|
507 |
if 'sambaPwdMustChange' in ucs_object_attributes: |
506 |
if 'sambaPwdMustChange' in ucs_object_attributes: |
508 |
sambaPwdMustChange = long(ucs_object_attributes['sambaPwdMustChange'][0]) |
507 |
sambaPwdMustChange = long(ucs_object_attributes['sambaPwdMustChange'][0]) |
509 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: sambaPwdMustChange: %s" % sambaPwdMustChange) |
508 |
ud.debug(ud.LDAP, ud.WARN, "password_sync_ucs_to_s4: Ignoring sambaPwdMustChange: %s" % sambaPwdMustChange) |
510 |
|
509 |
|
511 |
ucsLMhash = ucs_object_attributes.get('sambaLMPassword', [None])[0] |
510 |
ucsLMhash = ucs_object_attributes.get('sambaLMPassword', [None])[0] |
512 |
ucsNThash = ucs_object_attributes.get('sambaNTPassword', [None])[0] |
511 |
ucsNThash = ucs_object_attributes.get('sambaNTPassword', [None])[0] |
|
607 |
# else: |
606 |
# else: |
608 |
# modlist.append((ldap.MOD_ADD, 'msDS-KeyVersionNumber', krb5KeyVersionNumber)) |
607 |
# modlist.append((ldap.MOD_ADD, 'msDS-KeyVersionNumber', krb5KeyVersionNumber)) |
609 |
|
608 |
|
610 |
if sambaPwdMustChange >= 0 and sambaPwdMustChange < time.time(): |
609 |
if sambaPwdLastSet is None: |
611 |
# password expired, must be changed on next login |
610 |
sambaPwdLastSet = int(time.time()) |
|
|
611 |
newpwdlastset = str(univention.s4connector.s4.samba2s4_time(sambaPwdLastSet)) |
612 |
elif sambaPwdLastSet in [0, 1]: |
612 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: samba pwd expired, set newpwdLastSet to 0") |
613 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: samba pwd expired, set newpwdLastSet to 0") |
613 |
newpwdlastset = "0" |
614 |
newpwdlastset = "0" |
614 |
else: |
615 |
else: |
615 |
if sambaPwdLastSet is None: |
616 |
newpwdlastset = str(univention.s4connector.s4.samba2s4_time(sambaPwdLastSet)) |
616 |
sambaPwdLastSet = int(time.time()) |
|
|
617 |
newpwdlastset = str(univention.s4connector.s4.samba2s4_time(sambaPwdLastSet)) |
618 |
elif sambaPwdLastSet in [0, 1]: |
619 |
newpwdlastset = "0" |
620 |
else: |
621 |
newpwdlastset = str(univention.s4connector.s4.samba2s4_time(sambaPwdLastSet)) |
622 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: pwdlastset in modlist: %s" % newpwdlastset) |
617 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: pwdlastset in modlist: %s" % newpwdlastset) |
623 |
modlist.append((ldap.MOD_REPLACE, 'pwdlastset', newpwdlastset)) |
618 |
modlist.append((ldap.MOD_REPLACE, 'pwdlastset', newpwdlastset)) |
624 |
modlist.append((ldap.MOD_REPLACE, 'badPwdCount', '0')) |
619 |
modlist.append((ldap.MOD_REPLACE, 'badPwdCount', '0')) |
|
716 |
sambaPwdMustChange = '' |
711 |
sambaPwdMustChange = '' |
717 |
if 'sambaPwdMustChange' in ucs_object_attributes: |
712 |
if 'sambaPwdMustChange' in ucs_object_attributes: |
718 |
sambaPwdMustChange = ucs_object_attributes['sambaPwdMustChange'][0] |
713 |
sambaPwdMustChange = ucs_object_attributes['sambaPwdMustChange'][0] |
719 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: sambaPwdMustChange: %s" % sambaPwdMustChange) |
714 |
ud.debug(ud.LDAP, ud.WARN, "password_sync_s4_to_ucs: Found sambaPwdMustChange: %s" % sambaPwdMustChange) |
720 |
krb5Key_ucs = ucs_object_attributes.get('krb5Key', []) |
715 |
krb5Key_ucs = ucs_object_attributes.get('krb5Key', []) |
721 |
userPassword_ucs = ucs_object_attributes.get('userPassword', [None])[0] |
716 |
userPassword_ucs = ucs_object_attributes.get('userPassword', [None])[0] |
722 |
krb5KeyVersionNumber = ucs_object_attributes.get('krb5KeyVersionNumber', [None])[0] |
717 |
krb5KeyVersionNumber = ucs_object_attributes.get('krb5KeyVersionNumber', [None])[0] |
|
774 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: No password change to sync to UCS") |
769 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: No password change to sync to UCS") |
775 |
|
770 |
|
776 |
if pwd_changed and (pwdLastSet or pwdLastSet == 0): |
771 |
if pwd_changed and (pwdLastSet or pwdLastSet == 0): |
777 |
newSambaPwdMustChange = sambaPwdMustChange |
|
|
778 |
if pwdLastSet == 0: # pwd change on next login |
772 |
if pwdLastSet == 0: # pwd change on next login |
779 |
newSambaPwdMustChange = str(pwdLastSet) |
|
|
780 |
newSambaPwdLastSet = str(pwdLastSet) |
773 |
newSambaPwdLastSet = str(pwdLastSet) |
781 |
else: |
774 |
else: |
782 |
newSambaPwdLastSet = str(univention.s4connector.s4.s42samba_time(pwdLastSet)) |
775 |
newSambaPwdLastSet = str(univention.s4connector.s4.s42samba_time(pwdLastSet)) |
|
784 |
if not userobject: |
777 |
if not userobject: |
785 |
ud.debug(ud.LDAP, ud.ERROR, "password_sync_s4_to_ucs: couldn't get user-object from UCS") |
778 |
ud.debug(ud.LDAP, ud.ERROR, "password_sync_s4_to_ucs: couldn't get user-object from UCS") |
786 |
return False |
779 |
return False |
787 |
sambaPwdMustChange = sambaPwdMustChange.strip() |
780 |
|
788 |
if not sambaPwdMustChange.isdigit(): |
781 |
if pwd_changed: |
789 |
pass |
|
|
790 |
elif pwd_changed or (long(sambaPwdMustChange) < time.time() and not pwdLastSet == 0): |
791 |
pwhistoryPolicy = userobject.loadPolicyObject('policies/pwhistory') |
782 |
pwhistoryPolicy = userobject.loadPolicyObject('policies/pwhistory') |
792 |
try: |
783 |
try: |
793 |
expiryInterval = int(pwhistoryPolicy['expiryInterval']) |
784 |
expiryInterval = int(pwhistoryPolicy['expiryInterval']) |
794 |
newSambaPwdMustChange = str(long(newSambaPwdLastSet) + (expiryInterval * 3600 * 24)) |
|
|
795 |
except: # FIXME: which exception is to be caught? |
785 |
except: # FIXME: which exception is to be caught? |
796 |
# expiryInterval is empty or no legal int-string |
786 |
# expiryInterval is empty or no legal int-string |
797 |
pwhistoryPolicy['expiryInterval'] = '' |
787 |
pwhistoryPolicy['expiryInterval'] = '' |
798 |
expiryInterval = -1 |
788 |
expiryInterval = -1 |
799 |
newSambaPwdMustChange = '' |
|
|
800 |
|
789 |
|
801 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: pwhistoryPolicy: expiryInterval: %s" % expiryInterval) |
790 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: pwhistoryPolicy: expiryInterval: %s" % expiryInterval) |
802 |
|
791 |
|
|
808 |
modlist.append(('sambaPwdLastSet', '', newSambaPwdLastSet)) |
797 |
modlist.append(('sambaPwdLastSet', '', newSambaPwdLastSet)) |
809 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: sambaPwdLastSet in modlist (set): %s" % newSambaPwdLastSet) |
798 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: sambaPwdLastSet in modlist (set): %s" % newSambaPwdLastSet) |
810 |
|
799 |
|
811 |
if sambaPwdMustChange != newSambaPwdMustChange: |
800 |
if sambaPwdMustChange: |
812 |
# change if password has changed or "change pwd on next login" is not set |
801 |
modlist.append(('sambaPwdMustChange', sambaPwdMustChange, '')) |
813 |
# set sambaPwdMustChange regarding to the univention-policy |
802 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: Removing sambaPwdMustChange: %s" % newSambaPwdMustChange) |
814 |
if sambaPwdMustChange: |
|
|
815 |
modlist.append(('sambaPwdMustChange', sambaPwdMustChange, newSambaPwdMustChange)) |
816 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: sambaPwdMustChange in modlist (replace): %s" % newSambaPwdMustChange) |
817 |
else: |
818 |
modlist.append(('sambaPwdMustChange', '', newSambaPwdMustChange)) |
819 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: sambaPwdMustChange in modlist (set): %s" % newSambaPwdMustChange) |
820 |
|
803 |
|
821 |
if len(modlist) > 0: |
804 |
if len(modlist) > 0: |
822 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: modlist: %s" % modlist) |
805 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: modlist: %s" % modlist) |
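Review bot: The new debug call under `if sambaPwdMustChange:` (new line 802) still formats `newSambaPwdMustChange`, but every assignment to that name visible in these hunks is removed by this commit. Unless the name is still set in lines not shown here, the branch raises NameError whenever a UCS object carries the attribute, which would abort the password sync for the very accounts being cleaned up. Log the value being removed instead: `ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: Removing sambaPwdMustChange: %s" % sambaPwdMustChange)`. In the first hunk (new line 507) the attribute is still passed through `long()` although it is now only logged as ignored, so a non-numeric value would raise there; logging the raw string avoids that. Both enclosing functions start and end outside the hunks shown.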