s4/net: Make pwsettings a net subcommand.

author: Jelmer Vernooij <jelmer@samba.org> 2009-12-28 16:04:19 +0100
committer: Jelmer Vernooij <jelmer@ganieda.vernstok.nl> 2009-12-29 16:26:19 +0100
commit: eaf4a9afb24f2cc3cd1a268dda4ad37637821f9d (patch)
tree: 51b1485e9aa403f5e54f6b686d62ead0b3f6eff1 /source4/scripting
parent: 8c19cd2dea470b5f4a981bfbd4b9e33c11bfde39 (diff)
download: samba-eaf4a9afb24f2cc3cd1a268dda4ad37637821f9d.tar.gz
samba-eaf4a9afb24f2cc3cd1a268dda4ad37637821f9d.tar.bz2
samba-eaf4a9afb24f2cc3cd1a268dda4ad37637821f9d.zip
1 files changed, 187 insertions, 0 deletions
diff --git a/source4/scripting/python/samba/netcmd/pwsettings.py b/source4/scripting/python/samba/netcmd/pwsettings.py
new file mode 100755
index 0000000000..724c28e5f9
--- /dev/null
+++ b/source4/scripting/python/samba/netcmd/pwsettings.py
@@ -0,0 +1,187 @@
+#!/usr/bin/python
+#
+# Sets password settings.
+# (Password complexity, history length, minimum password length, the minimum 
+# and maximum password age) on a Samba4 server
+#
+# Copyright Matthias Dieter Wallnoefer 2009
+# Copyright Andrew Kroeger 2009
+# Copyright Jelmer Vernooij 2009
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+import sys
+
+import samba.getopt as options
+import optparse
+import ldb
+
+from samba.auth import system_session
+from samba.samdb import SamDB
+from samba.dcerpc.samr import DOMAIN_PASSWORD_COMPLEX
+from samba.netcmd import Command, CommandError, Option
+
+class cmd_pwsettings(Command):
+    """Sets password settings.
+
+    Password complexity, history length, minimum password length, the minimum 
+    and maximum password age) on a Samba4 server.
+    """
+
+    synopsis = "(show | set <options>)"
+
+    takes_optiongroups = [
+        options.SambaOptions,
+        options.VersionOptions,
+        options.CredentialsOptions,
+        ]
+
+    takes_options = [
+        Option("-H", help="LDB URL for database or target server", type=str),
+        Option("--quiet", help="Be quiet", action="store_true"),
+        Option("--complexity", type="choice", choices=["on","off","default"],
+          help="The password complexity (on | off | default). Default is 'on'"),
+        Option("--history-length",
+          help="The password history length (<integer> | default).  Default is 24.", type=str),
+        Option("--min-pwd-length",
+          help="The minimum password length (<integer> | default).  Default is 7.", type=str),
+        Option("--min-pwd-age",
+          help="The minimum password age (<integer in days> | default).  Default is 0.", type=str),
+        Option("--max-pwd-age",
+          help="The maximum password age (<integer in days> | default).  Default is 43.", type=str),
+          ]
+
+    def run(self, H=None, min_pwd_age=None, max_pwd_age=None, quiet=False,
+            complexity=None, history_length=None, min_pwd_length=None,
+            username=None, simple_bind_dn=None, no_pass=None, workgroup=None,
+            kerberos=None, configfile=None, password=None):
+        lp = sambaopts.get_loadparm()
+        creds = credopts.get_credentials(lp)
+
+        if H is not None:
+            url = H
+        else:
+            url = lp.get("sam database")
+
+        samdb = SamDB(url=url, session_info=system_session(), credentials=creds, lp=lp)
+
+        domain_dn = SamDB.domain_dn(samdb)
+        res = samdb.search(domain_dn, scope=ldb.SCOPE_BASE,
+          attrs=["pwdProperties", "pwdHistoryLength", "minPwdLength", "minPwdAge",
+          "maxPwdAge"])
+        assert(len(res) == 1)
+        try:
+            pwd_props = int(res[0]["pwdProperties"][0])
+            pwd_hist_len = int(res[0]["pwdHistoryLength"][0])
+            min_pwd_len = int(res[0]["minPwdLength"][0])
+            # ticks -> days
+            min_pwd_age = int(abs(int(res[0]["minPwdAge"][0])) / (1e7 * 60 * 60 * 24))
+            max_pwd_age = int(abs(int(res[0]["maxPwdAge"][0])) / (1e7 * 60 * 60 * 24))
+        except KeyError:
+            raise CommandError("Could not retrieve password properties!")
+
+        if args[0] == "show":
+            self.message("Password informations for domain '%s'" % domain_dn)
+            self.message("")
+            if pwd_props & DOMAIN_PASSWORD_COMPLEX != 0:
+                self.message("Password complexity: on")
+            else:
+                self.message("Password complexity: off")
+            self.message("Password history length: %d" % pwd_hist_len)
+            self.message("Minimum password length: %d" % min_pwd_len)
+            self.message("Minimum password age (days): %d" % min_pwd_age)
+            self.message("Maximum password age (days): %d" % max_pwd_age)
+        elif args[0] == "set":
+            msgs = []
+            m = ldb.Message()
+            m.dn = ldb.Dn(samdb, domain_dn)
+
+            if complexity is not None:
+                if complexity == "on" or complexity == "default":
+                    pwd_props = pwd_props | DOMAIN_PASSWORD_COMPLEX
+                    msgs.append("Password complexity activated!")
+                elif complexity == "off":
+                    pwd_props = pwd_props & (~DOMAIN_PASSWORD_COMPLEX)
+                    msgs.append("Password complexity deactivated!")
+
+                m["pwdProperties"] = ldb.MessageElement(str(pwd_props),
+                  ldb.FLAG_MOD_REPLACE, "pwdProperties")
+
+            if history_length is not None:
+                if history_length == "default":
+                    pwd_hist_len = 24
+                else:
+                    pwd_hist_len = int(history_length)
+
+                if pwd_hist_len < 0 or pwd_hist_len > 24:
+                    raise CommandError("Password history length must be in the range of 0 to 24!")
+
+                m["pwdHistoryLength"] = ldb.MessageElement(str(pwd_hist_len),
+                  ldb.FLAG_MOD_REPLACE, "pwdHistoryLength")
+                msgs.append("Password history length changed!")
+
+            if min_pwd_length is not None:
+                if min_pwd_length == "default":
+                    min_pwd_len = 7
+                else:
+                    min_pwd_len = int(min_pwd_length)
+
+                if min_pwd_len < 0 or min_pwd_len > 14:
+                    raise CommandError("Minimum password length must be in the range of 0 to 14!")
+
+                m["minPwdLength"] = ldb.MessageElement(str(min_pwd_len),
+                  ldb.FLAG_MOD_REPLACE, "minPwdLength")
+                msgs.append("Minimum password length changed!")
+
+            if min_pwd_age is not None:
+                if min_pwd_age == "default":
+                    min_pwd_age = 0
+                else:
+                    min_pwd_age = int(min_pwd_age)
+
+                if min_pwd_age < 0 or min_pwd_age > 998:
+                    raise CommandError("Minimum password age must be in the range of 0 to 998!")
+
+                # days -> ticks
+                min_pwd_age_ticks = -int(min_pwd_age * (24 * 60 * 60 * 1e7))
+
+                m["minPwdAge"] = ldb.MessageElement(str(min_pwd_age_ticks),
+                  ldb.FLAG_MOD_REPLACE, "minPwdAge")
+                msgs.append("Minimum password age changed!")
+
+            if max_pwd_age is not None:
+                if max_pwd_age == "default":
+                    max_pwd_age = 43
+                else:
+                    max_pwd_age = int(max_pwd_age)
+
+                if max_pwd_age < 0 or max_pwd_age > 999:
+                    raise CommandError("Maximum password age must be in the range of 0 to 999!")
+
+                # days -> ticks
+                max_pwd_age_ticks = -int(max_pwd_age * (24 * 60 * 60 * 1e7))
+
+                m["maxPwdAge"] = ldb.MessageElement(str(max_pwd_age_ticks),
+                  ldb.FLAG_MOD_REPLACE, "maxPwdAge")
+                msgs.append("Maximum password age changed!")
+
+            if max_pwd_age > 0 and min_pwd_age >= max_pwd_age:
+                raise CommandError("Maximum password age (%d) must be greater than minimum password age (%d)!" % (max_pwd_age, min_pwd_age))
+
+            samdb.modify(m)
+            msgs.append("All changes applied successfully!")
+            self.message("\n".join(msgs))
+        else:
+            raise CommandError("Wrong argument '" + args[0] + "'!")
author	Jelmer Vernooij <jelmer@samba.org>	2009-12-28 16:04:19 +0100
committer	Jelmer Vernooij <jelmer@ganieda.vernstok.nl>	2009-12-29 16:26:19 +0100
commit	eaf4a9afb24f2cc3cd1a268dda4ad37637821f9d (patch)
tree	51b1485e9aa403f5e54f6b686d62ead0b3f6eff1 /source4/scripting
parent	8c19cd2dea470b5f4a981bfbd4b9e33c11bfde39 (diff)
download	samba-eaf4a9afb24f2cc3cd1a268dda4ad37637821f9d.tar.gz samba-eaf4a9afb24f2cc3cd1a268dda4ad37637821f9d.tar.bz2 samba-eaf4a9afb24f2cc3cd1a268dda4ad37637821f9d.zip