s4:pwsettings: Show default values in help messages.
[ira/wip.git] / source4 / setup / pwsettings
index 49bb5519b341bd667214c31983bc7492ad9cb906..cd9c07dfb54aac4c02ed701a77db386d5718f9ee 100755 (executable)
@@ -6,6 +6,7 @@
 #
 #      Copyright Jelmer Vernooij 2008
 #      Copyright Matthias Dieter Wallnoefer 2009
+#      Copyright Andrew Kroeger 2009
 #      Released under the GNU GPL version 3 or later
 #
 import os, sys
@@ -27,17 +28,18 @@ parser.add_option_group(sambaopts)
 parser.add_option_group(options.VersionOptions(parser))
 credopts = options.CredentialsOptions(parser)
 parser.add_option_group(credopts)
+parser.add_option("--quiet", help="Be quiet", action="store_true")
 parser.add_option("-H", help="LDB URL for database or target server", type=str)
 parser.add_option("--complexity",
-  help="The password complexity (on | off). Default is 'on'", type=str)
+  help="The password complexity (on | off | default). Default is 'on'", type=str)
 parser.add_option("--history-length",
-  help="The password history length (<integer> | default)", type=str)
+  help="The password history length (<integer> | default).  Default is 24.", type=str)
 parser.add_option("--min-pwd-length",
-  help="The minimum password length (<integer> | default)", type=str)
+  help="The minimum password length (<integer> | default).  Default is 7.", type=str)
 parser.add_option("--min-pwd-age",
-  help="The minimum password age (<integer in days> | default)", type=str)
+  help="The minimum password age (<integer in days> | default).  Default is 0.", type=str)
 parser.add_option("--max-pwd-age",
-  help="The maximum password age (<integer in days> | default)", type=str)
+  help="The maximum password age (<integer in days> | default).  Default is 43.", type=str)
 
 opts, args = parser.parse_args()
 
@@ -74,65 +76,62 @@ try:
        pwd_hist_len = int(res[0]["pwdHistoryLength"][0])
        min_pwd_len = int(res[0]["minPwdLength"][0])
        # ticks -> days
-       min_pwd_age = int(abs(int(res[0]["minPwdAge"][0])) / (10e7 * 60 * 60 * 24))
-       max_pwd_age = int(abs(int(res[0]["maxPwdAge"][0])) / (10e7 * 60 * 60 * 24))
+       min_pwd_age = int(abs(int(res[0]["minPwdAge"][0])) / (1e7 * 60 * 60 * 24))
+       max_pwd_age = int(abs(int(res[0]["maxPwdAge"][0])) / (1e7 * 60 * 60 * 24))
 except:
        if args[0] == "show":
                print "ERROR: Password informations missing in your AD domain object!"
                print "So no settings can be displayed!"
                sys.exit(1)
        else:
-               pwd_props = 0
-               print "WARNING: Assuming previous password properties 0 (used for password complexity setting)"
+               print "ERROR: Could not retrieve password properties (used for password complexity setting)"
+               sys.exit(1)
 
 if args[0] == "show":
-       print "Password informations for domain '" + domain_dn + "'"
-       print ""
+       message("Password informations for domain '" + domain_dn + "'")
+       message("")
        if pwd_props & DOMAIN_PASSWORD_COMPLEX != 0:
-               print "Password complexity: on"
+               message("Password complexity: on")
        else:
-               print "Password complexity: off"
-       print "Password history length: " + str(pwd_hist_len)
-       print "Minimum password length: " + str(min_pwd_len)
-       print "Minimum password age (days): " + str(min_pwd_age)
-       print "Maximum password age (days): " + str(max_pwd_age)
+               message("Password complexity: off")
+       message("Password history length: " + str(pwd_hist_len))
+       message("Minimum password length: " + str(min_pwd_len))
+       message("Minimum password age (days): " + str(min_pwd_age))
+       message("Maximum password age (days): " + str(max_pwd_age))
 
 elif args[0] == "set":
+
+       msgs = []
+       m = ldb.Message()
+       m.dn = ldb.Dn(samdb, domain_dn)
+
        if opts.complexity is not None:
-               if opts.complexity == "on":
+               if opts.complexity == "on" or opts.complexity == "default":
                        pwd_props = pwd_props | DOMAIN_PASSWORD_COMPLEX
-
-                       m = ldb.Message()
-                       m.dn = ldb.Dn(samdb, domain_dn)
-                       m["pwdProperties"] = ldb.MessageElement(str(pwd_props),
-                         ldb.FLAG_MOD_REPLACE, "pwdProperties")
-                       samdb.modify(m)
-                       print "Password complexity activated!"
+                       msgs.append("Password complexity activated!")
                elif opts.complexity == "off":
                        pwd_props = pwd_props & (~DOMAIN_PASSWORD_COMPLEX)
-
-                       m = ldb.Message()
-                       m.dn = ldb.Dn(samdb, domain_dn)
-                       m["pwdProperties"] = ldb.MessageElement(str(pwd_props),
-                         ldb.FLAG_MOD_REPLACE, "pwdProperties")
-                       samdb.modify(m)
-                       print "Password complexity deactivated!"
+                       msgs.append("Password complexity deactivated!")
                else:
                        print "ERROR: Wrong argument '" + opts.complexity + "'!"
                        sys.exit(1)
 
+               m["pwdProperties"] = ldb.MessageElement(str(pwd_props),
+                 ldb.FLAG_MOD_REPLACE, "pwdProperties")
+
        if opts.history_length is not None:
                if opts.history_length == "default":
                        pwd_hist_len = 24
                else:
                        pwd_hist_len = int(opts.history_length)
 
-               m = ldb.Message()
-               m.dn = ldb.Dn(samdb, domain_dn)
+               if pwd_hist_len < 0 or pwd_hist_len > 24:
+                       print "ERROR: Password history length must be in the range of 0 to 24!"
+                       sys.exit(1)
+
                m["pwdHistoryLength"] = ldb.MessageElement(str(pwd_hist_len),
                  ldb.FLAG_MOD_REPLACE, "pwdHistoryLength")
-               samdb.modify(m)
-               print "Password history length changed!"
+               msgs.append("Password history length changed!")
 
        if opts.min_pwd_length is not None:
                if opts.min_pwd_length == "default":
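Review bot: Password ages written by the previous version of this script are ten times longer than the administrator asked for, and neither the corrected conversion at `min_pwd_age = int(abs(...) / (1e7 * 60 * 60 * 24))` and the `max_pwd_age` line below it, nor the commit message, records that. The old factor `10e7` is 1e8, so a maximum age set as 43 days was stored as 430 days' worth of ticks; after this change `show` reports it as 430, and the longer expiry stays in force until the value is set again. The matching days-to-ticks fix is in the next hunk. I would add a comment above the conversion such as `# 1e7 ticks per second; ages written before this fix used 10e7 and are 10x too large until re-set`, and say the same in the commit description. The `try:` block these lines belong to starts outside this hunk.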
@@ -140,45 +139,57 @@ elif args[0] == "set":
                else:
                        min_pwd_len = int(opts.min_pwd_length)
 
-               m = ldb.Message()
-               m.dn = ldb.Dn(samdb, domain_dn)
+               if min_pwd_len < 0 or min_pwd_len > 14:
+                       print "ERROR: Minimum password length must be in the range of 0 to 14!"
+                       sys.exit(1)
+
                m["minPwdLength"] = ldb.MessageElement(str(min_pwd_len),
                  ldb.FLAG_MOD_REPLACE, "minPwdLength")
-               samdb.modify(m)
-               print "Minimum password length changed!"
+               msgs.append("Minimum password length changed!")
 
        if opts.min_pwd_age is not None:
                if opts.min_pwd_age == "default":
                        min_pwd_age = 0
                else:
                        min_pwd_age = int(opts.min_pwd_age)
+
+               if min_pwd_age < 0 or min_pwd_age > 998:
+                       print "ERROR: Minimum password age must be in the range of 0 to 998!"
+                       sys.exit(1)
+
                # days -> ticks
-               min_pwd_age = -int(min_pwd_age * (24 * 60 * 60 * 10e7))
+               min_pwd_age_ticks = -int(min_pwd_age * (24 * 60 * 60 * 1e7))
 
-               m = ldb.Message()
-               m.dn = ldb.Dn(samdb, domain_dn)
-               m["minPwdAge"] = ldb.MessageElement(str(min_pwd_age),
+               m["minPwdAge"] = ldb.MessageElement(str(min_pwd_age_ticks),
                  ldb.FLAG_MOD_REPLACE, "minPwdAge")
-               samdb.modify(m)
-               print "Minimum password age changed!"
+               msgs.append("Minimum password age changed!")
 
        if opts.max_pwd_age is not None:
                if opts.max_pwd_age == "default":
                        max_pwd_age = 43
                else:
                        max_pwd_age = int(opts.max_pwd_age)
+
+               if max_pwd_age < 0 or max_pwd_age > 999:
+                       print "ERROR: Maximum password age must be in the range of 0 to 999!"
+                       sys.exit(1)
+
                # days -> ticks
-               max_pwd_age = -int(max_pwd_age * (24 * 60 * 60 * 10e7))
+               max_pwd_age_ticks = -int(max_pwd_age * (24 * 60 * 60 * 1e7))
 
-               m = ldb.Message()
-               m.dn = ldb.Dn(samdb, domain_dn)
-               m["maxPwdAge"] = ldb.MessageElement(str(max_pwd_age),
+               m["maxPwdAge"] = ldb.MessageElement(str(max_pwd_age_ticks),
                  ldb.FLAG_MOD_REPLACE, "maxPwdAge")
-               samdb.modify(m)
-               print "Maximum password age changed!"
+               msgs.append("Maximum password age changed!")
+
+       if max_pwd_age > 0 and min_pwd_age >= max_pwd_age:
+               print "ERROR: Maximum password age (%d) must be greater than minimum password age (%d)!" % (max_pwd_age, min_pwd_age)
+               sys.exit(1)
+
+       samdb.modify(m)
 
-       print "All changes applied successfully!"
+       msgs.append("All changes applied successfully!")
 
+       message("\n".join(msgs))
 else:
        print "ERROR: Wrong argument '" + args[0] + "'!"
        sys.exit(1)
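Review bot: `samdb.modify(m)` now runs unconditionally, so `set` with none of the five options submits a message that carries only the DN. If LDB accepts that empty modification, the script then prints "All changes applied successfully!" although no policy value changed; if it rejects it, the administrator presumably gets a traceback instead of a usable error. A guard just before the call would make this explicit: `if len(msgs) == 0:` followed by `print "ERROR: No password setting given, nothing changed!"` and `sys.exit(1)`. Separately, `int(opts.min_pwd_length)`, `int(opts.min_pwd_age)` and `int(opts.max_pwd_age)` run before the new range checks, so non-numeric input still ends in an uncaught ValueError rather than one of the range messages. The `set` branch starts in the previous hunk.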