s4:pwsettings: Added --quiet option.
[ira/wip.git] / source4 / setup / pwsettings
1 #!/usr/bin/python
2 #
3 #       Sets password settings (Password complexity, history length,
4 #       minimum password length, the minimum and maximum password age) on a
5 #       Samba4 server
6 #
7 #       Copyright Jelmer Vernooij 2008
8 #       Copyright Matthias Dieter Wallnoefer 2009
9 #       Released under the GNU GPL version 3 or later
10 #
11 import os, sys
12
13 sys.path.insert(0, os.path.join(os.path.dirname(sys.argv[0]), "../bin/python"))
14
15 import samba.getopt as options
16 import optparse
17 import pwd
18 import ldb
19
20 from samba.auth import system_session
21 from samba.samdb import SamDB
22 from samba.dcerpc.samr import DOMAIN_PASSWORD_COMPLEX
23
24 parser = optparse.OptionParser("pwsettings (show | set <options>)")
25 sambaopts = options.SambaOptions(parser)
26 parser.add_option_group(sambaopts)
27 parser.add_option_group(options.VersionOptions(parser))
28 credopts = options.CredentialsOptions(parser)
29 parser.add_option_group(credopts)
30 parser.add_option("--quiet", help="Be quiet", action="store_true")
31 parser.add_option("-H", help="LDB URL for database or target server", type=str)
32 parser.add_option("--complexity",
33   help="The password complexity (on | off). Default is 'on'", type=str)
34 parser.add_option("--history-length",
35   help="The password history length (<integer> | default)", type=str)
36 parser.add_option("--min-pwd-length",
37   help="The minimum password length (<integer> | default)", type=str)
38 parser.add_option("--min-pwd-age",
39   help="The minimum password age (<integer in days> | default)", type=str)
40 parser.add_option("--max-pwd-age",
41   help="The maximum password age (<integer in days> | default)", type=str)
42
43 opts, args = parser.parse_args()
44
45 #
46 #  print a message if quiet is not set
47 #
48 def message(text):
49         if not opts.quiet:
50                 print text
51
52 if len(args) == 0:
53         parser.print_usage()
54         sys.exit(1)
55
56 lp = sambaopts.get_loadparm()
57
58 creds = credopts.get_credentials(lp)
59
60 if opts.H is not None:
61         url = opts.H
62 else:
63         url = lp.get("sam database")
64
65 samdb = SamDB(url=url, session_info=system_session(),
66               credentials=creds, lp=lp)
67
68 domain_dn = SamDB.domain_dn(samdb)
69 res = samdb.search(domain_dn, scope=ldb.SCOPE_BASE,
70   attrs=["pwdProperties", "pwdHistoryLength", "minPwdLength", "minPwdAge",
71   "maxPwdAge"])
72 assert(len(res) == 1)
73 try:
74         pwd_props = int(res[0]["pwdProperties"][0])
75         pwd_hist_len = int(res[0]["pwdHistoryLength"][0])
76         min_pwd_len = int(res[0]["minPwdLength"][0])
77         # ticks -> days
78         min_pwd_age = int(abs(int(res[0]["minPwdAge"][0])) / (1e7 * 60 * 60 * 24))
79         max_pwd_age = int(abs(int(res[0]["maxPwdAge"][0])) / (1e7 * 60 * 60 * 24))
80 except:
81         if args[0] == "show":
82                 print "ERROR: Password informations missing in your AD domain object!"
83                 print "So no settings can be displayed!"
84                 sys.exit(1)
85         else:
86                 pwd_props = 0
87                 message("WARNING: Assuming previous password properties 0 (used for password complexity setting)")
88
89 if args[0] == "show":
90         message("Password informations for domain '" + domain_dn + "'")
91         message("")
92         if pwd_props & DOMAIN_PASSWORD_COMPLEX != 0:
93                 message("Password complexity: on")
94         else:
95                 message("Password complexity: off")
96         message("Password history length: " + str(pwd_hist_len))
97         message("Minimum password length: " + str(min_pwd_len))
98         message("Minimum password age (days): " + str(min_pwd_age))
99         message("Maximum password age (days): " + str(max_pwd_age))
100
101 elif args[0] == "set":
102         if opts.complexity is not None:
103                 if opts.complexity == "on":
104                         pwd_props = pwd_props | DOMAIN_PASSWORD_COMPLEX
105
106                         m = ldb.Message()
107                         m.dn = ldb.Dn(samdb, domain_dn)
108                         m["pwdProperties"] = ldb.MessageElement(str(pwd_props),
109                           ldb.FLAG_MOD_REPLACE, "pwdProperties")
110                         samdb.modify(m)
111                         message("Password complexity activated!")
112                 elif opts.complexity == "off":
113                         pwd_props = pwd_props & (~DOMAIN_PASSWORD_COMPLEX)
114
115                         m = ldb.Message()
116                         m.dn = ldb.Dn(samdb, domain_dn)
117                         m["pwdProperties"] = ldb.MessageElement(str(pwd_props),
118                           ldb.FLAG_MOD_REPLACE, "pwdProperties")
119                         samdb.modify(m)
120                         message("Password complexity deactivated!")
121                 else:
122                         print "ERROR: Wrong argument '" + opts.complexity + "'!"
123                         sys.exit(1)
124
125         if opts.history_length is not None:
126                 if opts.history_length == "default":
127                         pwd_hist_len = 24
128                 else:
129                         pwd_hist_len = int(opts.history_length)
130
131                 m = ldb.Message()
132                 m.dn = ldb.Dn(samdb, domain_dn)
133                 m["pwdHistoryLength"] = ldb.MessageElement(str(pwd_hist_len),
134                   ldb.FLAG_MOD_REPLACE, "pwdHistoryLength")
135                 samdb.modify(m)
136                 message("Password history length changed!")
137
138         if opts.min_pwd_length is not None:
139                 if opts.min_pwd_length == "default":
140                         min_pwd_len = 7
141                 else:
142                         min_pwd_len = int(opts.min_pwd_length)
143
144                 m = ldb.Message()
145                 m.dn = ldb.Dn(samdb, domain_dn)
146                 m["minPwdLength"] = ldb.MessageElement(str(min_pwd_len),
147                   ldb.FLAG_MOD_REPLACE, "minPwdLength")
148                 samdb.modify(m)
149                 message("Minimum password length changed!")
150
151         if opts.min_pwd_age is not None:
152                 if opts.min_pwd_age == "default":
153                         min_pwd_age = 0
154                 else:
155                         min_pwd_age = int(opts.min_pwd_age)
156                 # days -> ticks
157                 min_pwd_age = -int(min_pwd_age * (24 * 60 * 60 * 1e7))
158
159                 m = ldb.Message()
160                 m.dn = ldb.Dn(samdb, domain_dn)
161                 m["minPwdAge"] = ldb.MessageElement(str(min_pwd_age),
162                   ldb.FLAG_MOD_REPLACE, "minPwdAge")
163                 samdb.modify(m)
164                 message("Minimum password age changed!")
165
166         if opts.max_pwd_age is not None:
167                 if opts.max_pwd_age == "default":
168                         max_pwd_age = 43
169                 else:
170                         max_pwd_age = int(opts.max_pwd_age)
171                 # days -> ticks
172                 max_pwd_age = -int(max_pwd_age * (24 * 60 * 60 * 1e7))
173
174                 m = ldb.Message()
175                 m.dn = ldb.Dn(samdb, domain_dn)
176                 m["maxPwdAge"] = ldb.MessageElement(str(max_pwd_age),
177                   ldb.FLAG_MOD_REPLACE, "maxPwdAge")
178                 samdb.modify(m)
179                 message("Maximum password age changed!")
180
181         message("All changes applied successfully!")
182
183 else:
184         print "ERROR: Wrong argument '" + args[0] + "'!"
185         sys.exit(1)