summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rwxr-xr-xsource4/scripting/python/samba/netcmd/pwsettings.py187
-rwxr-xr-xsource4/setup/pwsettings198
2 files changed, 187 insertions, 198 deletions
diff --git a/source4/scripting/python/samba/netcmd/pwsettings.py b/source4/scripting/python/samba/netcmd/pwsettings.py
new file mode 100755
index 0000000000..724c28e5f9
--- /dev/null
+++ b/source4/scripting/python/samba/netcmd/pwsettings.py
@@ -0,0 +1,187 @@
+#!/usr/bin/python
+#
+# Sets password settings.
+# (Password complexity, history length, minimum password length, the minimum
+# and maximum password age) on a Samba4 server
+#
+# Copyright Matthias Dieter Wallnoefer 2009
+# Copyright Andrew Kroeger 2009
+# Copyright Jelmer Vernooij 2009
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import sys
+
+import samba.getopt as options
+import optparse
+import ldb
+
+from samba.auth import system_session
+from samba.samdb import SamDB
+from samba.dcerpc.samr import DOMAIN_PASSWORD_COMPLEX
+from samba.netcmd import Command, CommandError, Option
+
+class cmd_pwsettings(Command):
+ """Sets password settings.
+
+ Password complexity, history length, minimum password length, the minimum
+ and maximum password age) on a Samba4 server.
+ """
+
+ synopsis = "(show | set <options>)"
+
+ takes_optiongroups = [
+ options.SambaOptions,
+ options.VersionOptions,
+ options.CredentialsOptions,
+ ]
+
+ takes_options = [
+ Option("-H", help="LDB URL for database or target server", type=str),
+ Option("--quiet", help="Be quiet", action="store_true"),
+ Option("--complexity", type="choice", choices=["on","off","default"],
+ help="The password complexity (on | off | default). Default is 'on'"),
+ Option("--history-length",
+ help="The password history length (<integer> | default). Default is 24.", type=str),
+ Option("--min-pwd-length",
+ help="The minimum password length (<integer> | default). Default is 7.", type=str),
+ Option("--min-pwd-age",
+ help="The minimum password age (<integer in days> | default). Default is 0.", type=str),
+ Option("--max-pwd-age",
+ help="The maximum password age (<integer in days> | default). Default is 43.", type=str),
+ ]
+
+ def run(self, H=None, min_pwd_age=None, max_pwd_age=None, quiet=False,
+ complexity=None, history_length=None, min_pwd_length=None,
+ username=None, simple_bind_dn=None, no_pass=None, workgroup=None,
+ kerberos=None, configfile=None, password=None):
+ lp = sambaopts.get_loadparm()
+ creds = credopts.get_credentials(lp)
+
+ if H is not None:
+ url = H
+ else:
+ url = lp.get("sam database")
+
+ samdb = SamDB(url=url, session_info=system_session(), credentials=creds, lp=lp)
+
+ domain_dn = SamDB.domain_dn(samdb)
+ res = samdb.search(domain_dn, scope=ldb.SCOPE_BASE,
+ attrs=["pwdProperties", "pwdHistoryLength", "minPwdLength", "minPwdAge",
+ "maxPwdAge"])
+ assert(len(res) == 1)
+ try:
+ pwd_props = int(res[0]["pwdProperties"][0])
+ pwd_hist_len = int(res[0]["pwdHistoryLength"][0])
+ min_pwd_len = int(res[0]["minPwdLength"][0])
+ # ticks -> days
+ min_pwd_age = int(abs(int(res[0]["minPwdAge"][0])) / (1e7 * 60 * 60 * 24))
+ max_pwd_age = int(abs(int(res[0]["maxPwdAge"][0])) / (1e7 * 60 * 60 * 24))
+ except KeyError:
+ raise CommandError("Could not retrieve password properties!")
+
+ if args[0] == "show":
+ self.message("Password informations for domain '%s'" % domain_dn)
+ self.message("")
+ if pwd_props & DOMAIN_PASSWORD_COMPLEX != 0:
+ self.message("Password complexity: on")
+ else:
+ self.message("Password complexity: off")
+ self.message("Password history length: %d" % pwd_hist_len)
+ self.message("Minimum password length: %d" % min_pwd_len)
+ self.message("Minimum password age (days): %d" % min_pwd_age)
+ self.message("Maximum password age (days): %d" % max_pwd_age)
+ elif args[0] == "set":
+ msgs = []
+ m = ldb.Message()
+ m.dn = ldb.Dn(samdb, domain_dn)
+
+ if complexity is not None:
+ if complexity == "on" or complexity == "default":
+ pwd_props = pwd_props | DOMAIN_PASSWORD_COMPLEX
+ msgs.append("Password complexity activated!")
+ elif complexity == "off":
+ pwd_props = pwd_props & (~DOMAIN_PASSWORD_COMPLEX)
+ msgs.append("Password complexity deactivated!")
+
+ m["pwdProperties"] = ldb.MessageElement(str(pwd_props),
+ ldb.FLAG_MOD_REPLACE, "pwdProperties")
+
+ if history_length is not None:
+ if history_length == "default":
+ pwd_hist_len = 24
+ else:
+ pwd_hist_len = int(history_length)
+
+ if pwd_hist_len < 0 or pwd_hist_len > 24:
+ raise CommandError("Password history length must be in the range of 0 to 24!")
+
+ m["pwdHistoryLength"] = ldb.MessageElement(str(pwd_hist_len),
+ ldb.FLAG_MOD_REPLACE, "pwdHistoryLength")
+ msgs.append("Password history length changed!")
+
+ if min_pwd_length is not None:
+ if min_pwd_length == "default":
+ min_pwd_len = 7
+ else:
+ min_pwd_len = int(min_pwd_length)
+
+ if min_pwd_len < 0 or min_pwd_len > 14:
+ raise CommandError("Minimum password length must be in the range of 0 to 14!")
+
+ m["minPwdLength"] = ldb.MessageElement(str(min_pwd_len),
+ ldb.FLAG_MOD_REPLACE, "minPwdLength")
+ msgs.append("Minimum password length changed!")
+
+ if min_pwd_age is not None:
+ if min_pwd_age == "default":
+ min_pwd_age = 0
+ else:
+ min_pwd_age = int(min_pwd_age)
+
+ if min_pwd_age < 0 or min_pwd_age > 998:
+ raise CommandError("Minimum password age must be in the range of 0 to 998!")
+
+ # days -> ticks
+ min_pwd_age_ticks = -int(min_pwd_age * (24 * 60 * 60 * 1e7))
+
+ m["minPwdAge"] = ldb.MessageElement(str(min_pwd_age_ticks),
+ ldb.FLAG_MOD_REPLACE, "minPwdAge")
+ msgs.append("Minimum password age changed!")
+
+ if max_pwd_age is not None:
+ if max_pwd_age == "default":
+ max_pwd_age = 43
+ else:
+ max_pwd_age = int(max_pwd_age)
+
+ if max_pwd_age < 0 or max_pwd_age > 999:
+ raise CommandError("Maximum password age must be in the range of 0 to 999!")
+
+ # days -> ticks
+ max_pwd_age_ticks = -int(max_pwd_age * (24 * 60 * 60 * 1e7))
+
+ m["maxPwdAge"] = ldb.MessageElement(str(max_pwd_age_ticks),
+ ldb.FLAG_MOD_REPLACE, "maxPwdAge")
+ msgs.append("Maximum password age changed!")
+
+ if max_pwd_age > 0 and min_pwd_age >= max_pwd_age:
+ raise CommandError("Maximum password age (%d) must be greater than minimum password age (%d)!" % (max_pwd_age, min_pwd_age))
+
+ samdb.modify(m)
+ msgs.append("All changes applied successfully!")
+ self.message("\n".join(msgs))
+ else:
+ raise CommandError("Wrong argument '" + args[0] + "'!")
diff --git a/source4/setup/pwsettings b/source4/setup/pwsettings
deleted file mode 100755
index 59ed5d29bf..0000000000
--- a/source4/setup/pwsettings
+++ /dev/null
@@ -1,198 +0,0 @@
-#!/usr/bin/python
-#
-# Sets password settings (Password complexity, history length, minimum password
-# length, the minimum and maximum password age) on a Samba4 server
-#
-# Copyright Matthias Dieter Wallnoefer 2009
-# Copyright Andrew Kroeger 2009
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-
-import sys
-
-# Find right directory when running from source tree
-sys.path.insert(0, "bin/python")
-
-import samba.getopt as options
-import optparse
-import ldb
-
-from samba.auth import system_session
-from samba.samdb import SamDB
-from samba.dcerpc.samr import DOMAIN_PASSWORD_COMPLEX
-
-parser = optparse.OptionParser("pwsettings (show | set <options>)")
-sambaopts = options.SambaOptions(parser)
-parser.add_option_group(sambaopts)
-parser.add_option_group(options.VersionOptions(parser))
-credopts = options.CredentialsOptions(parser)
-parser.add_option_group(credopts)
-parser.add_option("-H", help="LDB URL for database or target server", type=str)
-parser.add_option("--quiet", help="Be quiet", action="store_true")
-parser.add_option("--complexity", type="choice", choices=["on","off","default"],
- help="The password complexity (on | off | default). Default is 'on'")
-parser.add_option("--history-length",
- help="The password history length (<integer> | default). Default is 24.", type=str)
-parser.add_option("--min-pwd-length",
- help="The minimum password length (<integer> | default). Default is 7.", type=str)
-parser.add_option("--min-pwd-age",
- help="The minimum password age (<integer in days> | default). Default is 0.", type=str)
-parser.add_option("--max-pwd-age",
- help="The maximum password age (<integer in days> | default). Default is 43.", type=str)
-
-opts, args = parser.parse_args()
-
-#
-# print a message if quiet is not set
-#
-def message(text):
- if not opts.quiet:
- print text
-
-if len(args) == 0:
- parser.print_usage()
- sys.exit(1)
-
-lp = sambaopts.get_loadparm()
-creds = credopts.get_credentials(lp)
-
-if opts.H is not None:
- url = opts.H
-else:
- url = lp.get("sam database")
-
-samdb = SamDB(url=url, session_info=system_session(), credentials=creds, lp=lp)
-
-domain_dn = SamDB.domain_dn(samdb)
-res = samdb.search(domain_dn, scope=ldb.SCOPE_BASE,
- attrs=["pwdProperties", "pwdHistoryLength", "minPwdLength", "minPwdAge",
- "maxPwdAge"])
-assert(len(res) == 1)
-try:
- pwd_props = int(res[0]["pwdProperties"][0])
- pwd_hist_len = int(res[0]["pwdHistoryLength"][0])
- min_pwd_len = int(res[0]["minPwdLength"][0])
- # ticks -> days
- min_pwd_age = int(abs(int(res[0]["minPwdAge"][0])) / (1e7 * 60 * 60 * 24))
- max_pwd_age = int(abs(int(res[0]["maxPwdAge"][0])) / (1e7 * 60 * 60 * 24))
-except KeyError:
- print >>sys.stderr, "ERROR: Could not retrieve password properties!"
- if args[0] == "show":
- print >>sys.stderr, "So no settings can be displayed!"
- sys.exit(1)
-
-if args[0] == "show":
- message("Password informations for domain '" + domain_dn + "'")
- message("")
- if pwd_props & DOMAIN_PASSWORD_COMPLEX != 0:
- message("Password complexity: on")
- else:
- message("Password complexity: off")
- message("Password history length: " + str(pwd_hist_len))
- message("Minimum password length: " + str(min_pwd_len))
- message("Minimum password age (days): " + str(min_pwd_age))
- message("Maximum password age (days): " + str(max_pwd_age))
-
-elif args[0] == "set":
-
- msgs = []
- m = ldb.Message()
- m.dn = ldb.Dn(samdb, domain_dn)
-
- if opts.complexity is not None:
- if opts.complexity == "on" or opts.complexity == "default":
- pwd_props = pwd_props | DOMAIN_PASSWORD_COMPLEX
- msgs.append("Password complexity activated!")
- elif opts.complexity == "off":
- pwd_props = pwd_props & (~DOMAIN_PASSWORD_COMPLEX)
- msgs.append("Password complexity deactivated!")
-
- m["pwdProperties"] = ldb.MessageElement(str(pwd_props),
- ldb.FLAG_MOD_REPLACE, "pwdProperties")
-
- if opts.history_length is not None:
- if opts.history_length == "default":
- pwd_hist_len = 24
- else:
- pwd_hist_len = int(opts.history_length)
-
- if pwd_hist_len < 0 or pwd_hist_len > 24:
- print >>sys.stderr, "ERROR: Password history length must be in the range of 0 to 24!"
- sys.exit(1)
-
- m["pwdHistoryLength"] = ldb.MessageElement(str(pwd_hist_len),
- ldb.FLAG_MOD_REPLACE, "pwdHistoryLength")
- msgs.append("Password history length changed!")
-
- if opts.min_pwd_length is not None:
- if opts.min_pwd_length == "default":
- min_pwd_len = 7
- else:
- min_pwd_len = int(opts.min_pwd_length)
-
- if min_pwd_len < 0 or min_pwd_len > 14:
- print >>sys.stderr, "ERROR: Minimum password length must be in the range of 0 to 14!"
- sys.exit(1)
-
- m["minPwdLength"] = ldb.MessageElement(str(min_pwd_len),
- ldb.FLAG_MOD_REPLACE, "minPwdLength")
- msgs.append("Minimum password length changed!")
-
- if opts.min_pwd_age is not None:
- if opts.min_pwd_age == "default":
- min_pwd_age = 0
- else:
- min_pwd_age = int(opts.min_pwd_age)
-
- if min_pwd_age < 0 or min_pwd_age > 998:
- print >>sys.stderr, "ERROR: Minimum password age must be in the range of 0 to 998!"
- sys.exit(1)
-
- # days -> ticks
- min_pwd_age_ticks = -int(min_pwd_age * (24 * 60 * 60 * 1e7))
-
- m["minPwdAge"] = ldb.MessageElement(str(min_pwd_age_ticks),
- ldb.FLAG_MOD_REPLACE, "minPwdAge")
- msgs.append("Minimum password age changed!")
-
- if opts.max_pwd_age is not None:
- if opts.max_pwd_age == "default":
- max_pwd_age = 43
- else:
- max_pwd_age = int(opts.max_pwd_age)
-
- if max_pwd_age < 0 or max_pwd_age > 999:
- print >>sys.stderr, "ERROR: Maximum password age must be in the range of 0 to 999!"
- sys.exit(1)
-
- # days -> ticks
- max_pwd_age_ticks = -int(max_pwd_age * (24 * 60 * 60 * 1e7))
-
- m["maxPwdAge"] = ldb.MessageElement(str(max_pwd_age_ticks),
- ldb.FLAG_MOD_REPLACE, "maxPwdAge")
- msgs.append("Maximum password age changed!")
-
- if max_pwd_age > 0 and min_pwd_age >= max_pwd_age:
- print "ERROR: Maximum password age (%d) must be greater than minimum password age (%d)!" % (max_pwd_age, min_pwd_age)
- sys.exit(1)
-
- samdb.modify(m)
-
- msgs.append("All changes applied successfully!")
-
- message("\n".join(msgs))
-else:
- print >>sys.stderr, "ERROR: Wrong argument '" + args[0] + "'!"
- sys.exit(1)