class SamDB(samba.Ldb):
"""The SAM database."""
- def __init__(self, url=None, session_info=None, credentials=None,
- modules_dir=None, lp=None):
- """Open the Sam Database.
-
- :param url: URL of the database.
+ def __init__(self, url=None, lp=None, modules_dir=None, session_info=None,
+ credentials=None, flags=0, options=None):
+ """Opens the Sam Database.
+ For parameter meanings see the super class (samba.Ldb)
"""
+
self.lp = lp
- super(SamDB, self).__init__(session_info=session_info, credentials=credentials,
- modules_dir=modules_dir, lp=lp)
+ if url is None:
+ url = lp.get("sam database")
+
+ super(SamDB, self).__init__(url=url, lp=lp, modules_dir=modules_dir,
+ session_info=session_info, credentials=credentials, flags=flags,
+ options=options)
+
glue.dsdb_set_global_schema(self)
- if url:
- self.connect(url)
- else:
- self.connect(lp.get("sam database"))
-
- def connect(self, url):
- super(SamDB, self).connect(self.lp.private_path(url))
-
- def add_foreign(self, domaindn, sid, desc):
- """Add a foreign security principle."""
- add = """
-dn: CN=%s,CN=ForeignSecurityPrincipals,%s
-objectClass: top
-objectClass: foreignSecurityPrincipal
-description: %s
-""" % (sid, domaindn, desc)
- # deliberately ignore errors from this, as the records may
- # already exist
- for msg in self.parse_ldif(add):
- self.add(msg[1])
-
- def add_stock_foreign_sids(self):
- domaindn = self.domain_dn()
- self.add_foreign(domaindn, "S-1-5-7", "Anonymous")
- self.add_foreign(domaindn, "S-1-1-0", "World")
- self.add_foreign(domaindn, "S-1-5-2", "Network")
- self.add_foreign(domaindn, "S-1-5-18", "System")
- self.add_foreign(domaindn, "S-1-5-11", "Authenticated Users")
+
+ def connect(self, url=None, flags=0, options=None):
+ super(SamDB, self).connect(url=self.lp.private_path(url), flags=flags,
+ options=options)
def enable_account(self, user_dn):
"""Enable an account.
"""
res = self.search(user_dn, ldb.SCOPE_BASE, None, ["userAccountControl"])
assert len(res) == 1
- userAccountControl = res[0]["userAccountControl"][0]
- userAccountControl = int(userAccountControl)
+ userAccountControl = int(res[0]["userAccountControl"][0])
if (userAccountControl & 0x2):
userAccountControl = userAccountControl & ~0x2 # remove disabled bit
if (userAccountControl & 0x20):
userAccountControl: %u
""" % (user_dn, userAccountControl)
self.modify_ldif(mod)
+
+ def force_password_change_at_next_login(self, user_dn):
+ """Force a password change at next login
+
+ :param user_dn: Dn of the account to force password change on
+ """
+ mod = """
+dn: %s
+changetype: modify
+replace: pwdLastSet
+pwdLastSet: 0
+""" % (user_dn)
+ self.modify_ldif(mod)
def domain_dn(self):
- # find the DNs for the domain and the domain users group
- res = self.search("", scope=ldb.SCOPE_BASE,
+ # find the DNs for the domain
+ res = self.search(base="",
+ scope=ldb.SCOPE_BASE,
expression="(defaultNamingContext=*)",
attrs=["defaultNamingContext"])
assert(len(res) == 1 and res[0]["defaultNamingContext"] is not None)
return res[0]["defaultNamingContext"][0]
- def newuser(self, username, unixname, password):
+ def newuser(self, username, unixname, password, force_password_change_at_next_login=False):
"""add a new user record.
:param username: Name of the new user.
# connect to the sam
self.transaction_start()
try:
- domain_dn = self.domain_dn()
- assert(domain_dn is not None)
- user_dn = "CN=%s,CN=Users,%s" % (username, domain_dn)
+ user_dn = "CN=%s,CN=Users,%s" % (username, self.domain_dn())
#
# the new user record. note the reliance on the samdb module to
except KeyError:
pass
+ if force_password_change_at_next_login:
+ self.force_password_change_at_next_login(user_dn)
+
# modify the userAccountControl to remove the disabled bit
self.enable_account(user_dn)
except:
raise
self.transaction_commit()
- def setpassword(self, filter, password):
+ def setpassword(self, filter, password, force_password_change_at_next_login=False):
"""Set a password on a user record
:param filter: LDAP filter to find the user (eg samccountname=name)
# connect to the sam
self.transaction_start()
try:
- # find the DNs for the domain
- res = self.search("", scope=ldb.SCOPE_BASE,
- expression="(defaultNamingContext=*)",
- attrs=["defaultNamingContext"])
- assert(len(res) == 1 and res[0]["defaultNamingContext"] is not None)
- domain_dn = res[0]["defaultNamingContext"][0]
- assert(domain_dn is not None)
-
- res = self.search(domain_dn, scope=ldb.SCOPE_SUBTREE,
- expression=filter,
- attrs=[])
+ res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
+ expression=filter, attrs=[])
assert(len(res) == 1)
user_dn = res[0].dn
- setpw = """
-dn: %s
-changetype: modify
-replace: userPassword
-userPassword:: %s
-""" % (user_dn, base64.b64encode(password))
+ mod = ldb.Message()
+ mod.dn = user_dn
+
+ glue.samdb_set_password(samdb=self, user_dn=str(user_dn),
+ dom_dn=self.domain_dn(), mod=mod, new_password=password,
+ user_change=False)
+
+ self.modify(mod)
- self.modify_ldif(setpw)
+ if force_password_change_at_next_login:
+ self.force_password_change_at_next_login(user_dn)
# modify the userAccountControl to remove the disabled bit
self.enable_account(user_dn)
raise
self.transaction_commit()
- def set_domain_sid(self, sid):
- """Change the domain SID used by this SamDB.
-
- :param sid: The new domain sid to use.
- """
- glue.samdb_set_domain_sid(self, sid)
-
- def attach_schema_from_ldif(self, pf, df):
- glue.dsdb_attach_schema_from_ldif(self, pf, df)
-
- def convert_schema_to_openldap(self, target, mapping):
- return glue.dsdb_convert_schema_to_openldap(self, target, mapping)
-
- def set_invocation_id(self, invocation_id):
- """Set the invocation id for this SamDB handle.
-
- :param invocation_id: GUID of the invocation id.
- """
- glue.dsdb_set_ntds_invocation_id(self, invocation_id)
-
def setexpiry(self, user, expiry_seconds, noexpiry):
- """Set the password expiry for a user
+ """Set the account expiry for a user
:param expiry_seconds: expiry time from now in seconds
:param noexpiry: if set, then don't expire password
self.transaction_cancel()
raise
self.transaction_commit();
+