3 # Unix SMB/CIFS implementation.
4 # Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008
6 # Based on the original in EJS:
7 # Copyright (C) Andrew Tridgell <tridge@samba.org> 2005
9 # This program is free software; you can redistribute it and/or modify
10 # it under the terms of the GNU General Public License as published by
11 # the Free Software Foundation; either version 3 of the License, or
12 # (at your option) any later version.
14 # This program is distributed in the hope that it will be useful,
15 # but WITHOUT ANY WARRANTY; without even the implied warranty of
16 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 # GNU General Public License for more details.
19 # You should have received a copy of the GNU General Public License
20 # along with this program. If not, see <http://www.gnu.org/licenses/>.
23 """Convenience functions for using the SAM."""
28 from samba
.idmap
import IDmapDB
33 __docformat__
= "restructuredText"
35 class SamDB(samba
.Ldb
):
36 """The SAM database."""
38 def __init__(self
, url
=None, lp
=None, modules_dir
=None, session_info
=None,
39 credentials
=None, flags
=0, options
=None):
40 """Opens the Sam Database.
41 For parameter meanings see the super class (samba.Ldb)
46 url
= lp
.get("sam database")
48 super(SamDB
, self
).__init
__(url
=url
, lp
=lp
, modules_dir
=modules_dir
,
49 session_info
=session_info
, credentials
=credentials
, flags
=flags
,
52 glue
.dsdb_set_global_schema(self
)
54 def connect(self
, url
=None, flags
=0, options
=None):
55 super(SamDB
, self
).connect(url
=self
.lp
.private_path(url
), flags
=flags
,
58 def enable_account(self
, user_dn
):
61 :param user_dn: Dn of the account to enable.
63 res
= self
.search(user_dn
, ldb
.SCOPE_BASE
, None, ["userAccountControl"])
65 userAccountControl
= int(res
[0]["userAccountControl"][0])
66 if (userAccountControl
& 0x2):
67 userAccountControl
= userAccountControl
& ~
0x2 # remove disabled bit
68 if (userAccountControl
& 0x20):
69 userAccountControl
= userAccountControl
& ~
0x20 # remove 'no password required' bit
74 replace: userAccountControl
75 userAccountControl: %u
76 """ % (user_dn
, userAccountControl
)
79 def force_password_change_at_next_login(self
, user_dn
):
80 """Force a password change at next login
82 :param user_dn: Dn of the account to force password change on
93 # find the DNs for the domain
94 res
= self
.search(base
="",
96 expression
="(defaultNamingContext=*)",
97 attrs
=["defaultNamingContext"])
98 assert(len(res
) == 1 and res
[0]["defaultNamingContext"] is not None)
99 return res
[0]["defaultNamingContext"][0]
101 def newuser(self
, username
, unixname
, password
, force_password_change_at_next_login
=False):
102 """add a new user record.
104 :param username: Name of the new user.
105 :param unixname: Name of the unix user to map to.
106 :param password: Password for the new user
109 self
.transaction_start()
111 user_dn
= "CN=%s,CN=Users,%s" % (username
, self
.domain_dn())
114 # the new user record. note the reliance on the samdb module to
115 # fill in a sid, guid etc
118 self
.add({"dn": user_dn
,
119 "sAMAccountName": username
,
120 "userPassword": password
,
121 "objectClass": "user"})
123 res
= self
.search(user_dn
, scope
=ldb
.SCOPE_BASE
,
124 expression
="objectclass=*",
127 user_sid
= self
.schema_format_value("objectSid", res
[0]["objectSid"][0])
130 idmap
= IDmapDB(lp
=self
.lp
)
132 user
= pwd
.getpwnam(unixname
)
133 # setup ID mapping for this UID
135 idmap
.setup_name_mapping(user_sid
, idmap
.TYPE_UID
, user
[2])
140 if force_password_change_at_next_login
:
141 self
.force_password_change_at_next_login(user_dn
)
143 # modify the userAccountControl to remove the disabled bit
144 self
.enable_account(user_dn
)
146 self
.transaction_cancel()
148 self
.transaction_commit()
150 def setpassword(self
, filter, password
, force_password_change_at_next_login
=False):
151 """Set a password on a user record
153 :param filter: LDAP filter to find the user (eg samccountname=name)
154 :param password: Password for the user
157 self
.transaction_start()
159 res
= self
.search(base
=self
.domain_dn(), scope
=ldb
.SCOPE_SUBTREE
,
160 expression
=filter, attrs
=[])
161 assert(len(res
) == 1)
167 replace: userPassword
169 """ % (user_dn
, base64
.b64encode(password
))
171 self
.modify_ldif(setpw
)
173 if force_password_change_at_next_login
:
174 self
.force_password_change_at_next_login(user_dn
)
176 # modify the userAccountControl to remove the disabled bit
177 self
.enable_account(user_dn
)
179 self
.transaction_cancel()
181 self
.transaction_commit()
183 def setexpiry(self
, user
, expiry_seconds
, noexpiry
):
184 """Set the account expiry for a user
186 :param expiry_seconds: expiry time from now in seconds
187 :param noexpiry: if set, then don't expire password
189 self
.transaction_start()
191 res
= self
.search(base
=self
.domain_dn(), scope
=ldb
.SCOPE_SUBTREE
,
192 expression
=("(samAccountName=%s)" % user
),
193 attrs
=["userAccountControl", "accountExpires"])
195 userAccountControl
= int(res
[0]["userAccountControl"][0])
196 accountExpires
= int(res
[0]["accountExpires"][0])
198 userAccountControl
= userAccountControl |
0x10000
201 userAccountControl
= userAccountControl
& ~
0x10000
202 accountExpires
= glue
.unix2nttime(expiry_seconds
+ int(time
.time()))
207 replace: userAccountControl
208 userAccountControl: %u
209 replace: accountExpires
211 """ % (res
[0].dn
, userAccountControl
, accountExpires
)
212 # now change the database
213 self
.modify_ldif(mod
)
215 self
.transaction_cancel()
217 self
.transaction_commit();