|
|
|---|
| 503 |
sambaPwdLastSet = long(ucs_object_attributes['sambaPwdLastSet'][0]) |
503 |
sambaPwdLastSet = long(ucs_object_attributes['sambaPwdLastSet'][0]) |
| 504 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: sambaPwdLastSet: %s" % sambaPwdLastSet) |
504 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: sambaPwdLastSet: %s" % sambaPwdLastSet) |
| 505 |
|
505 |
|
| 506 |
sambaPwdMustChange = -1 |
|
|
| 507 |
if 'sambaPwdMustChange' in ucs_object_attributes: |
506 |
if 'sambaPwdMustChange' in ucs_object_attributes: |
| 508 |
sambaPwdMustChange = long(ucs_object_attributes['sambaPwdMustChange'][0]) |
507 |
sambaPwdMustChange = long(ucs_object_attributes['sambaPwdMustChange'][0]) |
| 509 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: sambaPwdMustChange: %s" % sambaPwdMustChange) |
508 |
ud.debug(ud.LDAP, ud.WARN, "password_sync_ucs_to_s4: Ignoring sambaPwdMustChange: %s" % sambaPwdMustChange) |
| 510 |
|
509 |
|
| 511 |
ucsLMhash = ucs_object_attributes.get('sambaLMPassword', [None])[0] |
510 |
ucsLMhash = ucs_object_attributes.get('sambaLMPassword', [None])[0] |
| 512 |
ucsNThash = ucs_object_attributes.get('sambaNTPassword', [None])[0] |
511 |
ucsNThash = ucs_object_attributes.get('sambaNTPassword', [None])[0] |
|
|
|---|
| 607 |
# else: |
606 |
# else: |
| 608 |
# modlist.append((ldap.MOD_ADD, 'msDS-KeyVersionNumber', krb5KeyVersionNumber)) |
607 |
# modlist.append((ldap.MOD_ADD, 'msDS-KeyVersionNumber', krb5KeyVersionNumber)) |
| 609 |
|
608 |
|
| 610 |
if sambaPwdMustChange >= 0 and sambaPwdMustChange < time.time(): |
609 |
if sambaPwdLastSet is None: |
| 611 |
# password expired, must be changed on next login |
610 |
sambaPwdLastSet = int(time.time()) |
|
|
611 |
newpwdlastset = str(univention.s4connector.s4.samba2s4_time(sambaPwdLastSet)) |
| 612 |
elif sambaPwdLastSet in [0, 1]: |
| 612 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: samba pwd expired, set newpwdLastSet to 0") |
613 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: samba pwd expired, set newpwdLastSet to 0") |
| 613 |
newpwdlastset = "0" |
614 |
newpwdlastset = "0" |
| 614 |
else: |
615 |
else: |
| 615 |
if sambaPwdLastSet is None: |
616 |
newpwdlastset = str(univention.s4connector.s4.samba2s4_time(sambaPwdLastSet)) |
| 616 |
sambaPwdLastSet = int(time.time()) |
|
|
| 617 |
newpwdlastset = str(univention.s4connector.s4.samba2s4_time(sambaPwdLastSet)) |
| 618 |
elif sambaPwdLastSet in [0, 1]: |
| 619 |
newpwdlastset = "0" |
| 620 |
else: |
| 621 |
newpwdlastset = str(univention.s4connector.s4.samba2s4_time(sambaPwdLastSet)) |
| 622 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: pwdlastset in modlist: %s" % newpwdlastset) |
617 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: pwdlastset in modlist: %s" % newpwdlastset) |
| 623 |
modlist.append((ldap.MOD_REPLACE, 'pwdlastset', newpwdlastset)) |
618 |
modlist.append((ldap.MOD_REPLACE, 'pwdlastset', newpwdlastset)) |
| 624 |
modlist.append((ldap.MOD_REPLACE, 'badPwdCount', '0')) |
619 |
modlist.append((ldap.MOD_REPLACE, 'badPwdCount', '0')) |
|
|
|---|
| 716 |
sambaPwdMustChange = '' |
711 |
sambaPwdMustChange = '' |
| 717 |
if 'sambaPwdMustChange' in ucs_object_attributes: |
712 |
if 'sambaPwdMustChange' in ucs_object_attributes: |
| 718 |
sambaPwdMustChange = ucs_object_attributes['sambaPwdMustChange'][0] |
713 |
sambaPwdMustChange = ucs_object_attributes['sambaPwdMustChange'][0] |
| 719 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: sambaPwdMustChange: %s" % sambaPwdMustChange) |
714 |
ud.debug(ud.LDAP, ud.WARN, "password_sync_s4_to_ucs: Found sambaPwdMustChange: %s" % sambaPwdMustChange) |
| 720 |
krb5Key_ucs = ucs_object_attributes.get('krb5Key', []) |
715 |
krb5Key_ucs = ucs_object_attributes.get('krb5Key', []) |
| 721 |
userPassword_ucs = ucs_object_attributes.get('userPassword', [None])[0] |
716 |
userPassword_ucs = ucs_object_attributes.get('userPassword', [None])[0] |
| 722 |
krb5KeyVersionNumber = ucs_object_attributes.get('krb5KeyVersionNumber', [None])[0] |
717 |
krb5KeyVersionNumber = ucs_object_attributes.get('krb5KeyVersionNumber', [None])[0] |
|
|
|---|
| 774 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: No password change to sync to UCS") |
769 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: No password change to sync to UCS") |
| 775 |
|
770 |
|
| 776 |
if pwd_changed and (pwdLastSet or pwdLastSet == 0): |
771 |
if pwd_changed and (pwdLastSet or pwdLastSet == 0): |
| 777 |
newSambaPwdMustChange = sambaPwdMustChange |
|
|
| 778 |
if pwdLastSet == 0: # pwd change on next login |
772 |
if pwdLastSet == 0: # pwd change on next login |
| 779 |
newSambaPwdMustChange = str(pwdLastSet) |
|
|
| 780 |
newSambaPwdLastSet = str(pwdLastSet) |
773 |
newSambaPwdLastSet = str(pwdLastSet) |
| 781 |
else: |
774 |
else: |
| 782 |
newSambaPwdLastSet = str(univention.s4connector.s4.s42samba_time(pwdLastSet)) |
775 |
newSambaPwdLastSet = str(univention.s4connector.s4.s42samba_time(pwdLastSet)) |
|
|
|---|
| 784 |
if not userobject: |
777 |
if not userobject: |
| 785 |
ud.debug(ud.LDAP, ud.ERROR, "password_sync_s4_to_ucs: couldn't get user-object from UCS") |
778 |
ud.debug(ud.LDAP, ud.ERROR, "password_sync_s4_to_ucs: couldn't get user-object from UCS") |
| 786 |
return False |
779 |
return False |
| 787 |
sambaPwdMustChange = sambaPwdMustChange.strip() |
780 |
|
| 788 |
if not sambaPwdMustChange.isdigit(): |
781 |
if pwd_changed: |
| 789 |
pass |
|
|
| 790 |
elif pwd_changed or (long(sambaPwdMustChange) < time.time() and not pwdLastSet == 0): |
| 791 |
pwhistoryPolicy = userobject.loadPolicyObject('policies/pwhistory') |
782 |
pwhistoryPolicy = userobject.loadPolicyObject('policies/pwhistory') |
| 792 |
try: |
783 |
try: |
| 793 |
expiryInterval = int(pwhistoryPolicy['expiryInterval']) |
784 |
expiryInterval = int(pwhistoryPolicy['expiryInterval']) |
| 794 |
newSambaPwdMustChange = str(long(newSambaPwdLastSet) + (expiryInterval * 3600 * 24)) |
|
|
| 795 |
except: # FIXME: which exception is to be caught? |
785 |
except: # FIXME: which exception is to be caught? |
| 796 |
# expiryInterval is empty or no legal int-string |
786 |
# expiryInterval is empty or no legal int-string |
| 797 |
pwhistoryPolicy['expiryInterval'] = '' |
787 |
pwhistoryPolicy['expiryInterval'] = '' |
| 798 |
expiryInterval = -1 |
788 |
expiryInterval = -1 |
| 799 |
newSambaPwdMustChange = '' |
|
|
| 800 |
|
789 |
|
| 801 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: pwhistoryPolicy: expiryInterval: %s" % expiryInterval) |
790 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: pwhistoryPolicy: expiryInterval: %s" % expiryInterval) |
| 802 |
|
791 |
|
|
|
|---|
| 808 |
modlist.append(('sambaPwdLastSet', '', newSambaPwdLastSet)) |
797 |
modlist.append(('sambaPwdLastSet', '', newSambaPwdLastSet)) |
| 809 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: sambaPwdLastSet in modlist (set): %s" % newSambaPwdLastSet) |
798 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: sambaPwdLastSet in modlist (set): %s" % newSambaPwdLastSet) |
| 810 |
|
799 |
|
| 811 |
if sambaPwdMustChange != newSambaPwdMustChange: |
800 |
if sambaPwdMustChange: |
| 812 |
# change if password has changed or "change pwd on next login" is not set |
801 |
modlist.append(('sambaPwdMustChange', sambaPwdMustChange, '')) |
| 813 |
# set sambaPwdMustChange regarding to the univention-policy |
802 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: Removing sambaPwdMustChange: %s" % newSambaPwdMustChange) |
| 814 |
if sambaPwdMustChange: |
|
|
| 815 |
modlist.append(('sambaPwdMustChange', sambaPwdMustChange, newSambaPwdMustChange)) |
| 816 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: sambaPwdMustChange in modlist (replace): %s" % newSambaPwdMustChange) |
| 817 |
else: |
| 818 |
modlist.append(('sambaPwdMustChange', '', newSambaPwdMustChange)) |
| 819 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: sambaPwdMustChange in modlist (set): %s" % newSambaPwdMustChange) |
| 820 |
|
803 |
|
| 821 |
if len(modlist) > 0: |
804 |
if len(modlist) > 0: |
| 822 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: modlist: %s" % modlist) |
805 |
ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: modlist: %s" % modlist) |