search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4/net: Add domainlevel subcommand.
[Samba/eduardoll.git] / source4 / scripting / python / samba / netcmd / pwsettings.py
blob0568ea78e607d6b17d91b8ec76c739fccc45e290
1 #!/usr/bin/python
2 #
3 # Sets password settings.
4 # (Password complexity, history length, minimum password length, the minimum
5 # and maximum password age) on a Samba4 server
6 #
7 # Copyright Matthias Dieter Wallnoefer 2009
8 # Copyright Andrew Kroeger 2009
9 # Copyright Jelmer Vernooij 2009
10 #
11 # This program is free software; you can redistribute it and/or modify
12 # it under the terms of the GNU General Public License as published by
13 # the Free Software Foundation; either version 3 of the License, or
14 # (at your option) any later version.
15 #
16 # This program is distributed in the hope that it will be useful,
17 # but WITHOUT ANY WARRANTY; without even the implied warranty of
18 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 # GNU General Public License for more details.
20 #
21 # You should have received a copy of the GNU General Public License
22 # along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #
24
25 import sys
26
27 import samba.getopt as options
28 import optparse
29 import ldb
30
31 from samba.auth import system_session
32 from samba.samdb import SamDB
33 from samba.dcerpc.samr import DOMAIN_PASSWORD_COMPLEX
34 from samba.netcmd import Command, CommandError, Option
35
36 class cmd_pwsettings(Command):
37 """Sets password settings.
38
39 Password complexity, history length, minimum password length, the minimum
40 and maximum password age) on a Samba4 server.
41 """
42
43 synopsis = "(show | set <options>)"
44
45 takes_optiongroups = {
46 "sambaopts": options.SambaOptions,
47 "versionopts": options.VersionOptions,
48 "credopts": options.CredentialsOptions,
49 }
50
51 takes_options = [
52 Option("-H", help="LDB URL for database or target server", type=str),
53 Option("--quiet", help="Be quiet", action="store_true"),
54 Option("--complexity", type="choice", choices=["on","off","default"],
55 help="The password complexity (on | off | default). Default is 'on'"),
56 Option("--history-length",
57 help="The password history length (<integer> | default). Default is 24.", type=str),
58 Option("--min-pwd-length",
59 help="The minimum password length (<integer> | default). Default is 7.", type=str),
60 Option("--min-pwd-age",
61 help="The minimum password age (<integer in days> | default). Default is 0.", type=str),
62 Option("--max-pwd-age",
63 help="The maximum password age (<integer in days> | default). Default is 43.", type=str),
64 ]
65
66 takes_args = ["subcommand"]
67
68 def run(self, subcommand, H=None, min_pwd_age=None, max_pwd_age=None,
69 quiet=False, complexity=None, history_length=None,
70 min_pwd_length=None, credopts=None, sambaopts=None,
71 versionopts=None):
72 lp = sambaopts.get_loadparm()
73 creds = credopts.get_credentials(lp)
74
75 if H is not None:
76 url = H
77 else:
78 url = lp.get("sam database")
79
80 samdb = SamDB(url=url, session_info=system_session(),
81 credentials=creds, lp=lp)
82
83 domain_dn = SamDB.domain_dn(samdb)
84 res = samdb.search(domain_dn, scope=ldb.SCOPE_BASE,
85 attrs=["pwdProperties", "pwdHistoryLength", "minPwdLength",
86 "minPwdAge", "maxPwdAge"])
87 assert(len(res) == 1)
88 try:
89 pwd_props = int(res[0]["pwdProperties"][0])
90 pwd_hist_len = int(res[0]["pwdHistoryLength"][0])
91 min_pwd_len = int(res[0]["minPwdLength"][0])
92 # ticks -> days
93 min_pwd_age = int(abs(int(res[0]["minPwdAge"][0])) / (1e7 * 60 * 60 * 24))
94 max_pwd_age = int(abs(int(res[0]["maxPwdAge"][0])) / (1e7 * 60 * 60 * 24))
95 except KeyError:
96 raise CommandError("Could not retrieve password properties!")
97
98 if subcommand == "show":
99 self.message("Password informations for domain '%s'" % domain_dn)
100 self.message("")
101 if pwd_props & DOMAIN_PASSWORD_COMPLEX != 0:
102 self.message("Password complexity: on")
103 else:
104 self.message("Password complexity: off")
105 self.message("Password history length: %d" % pwd_hist_len)
106 self.message("Minimum password length: %d" % min_pwd_len)
107 self.message("Minimum password age (days): %d" % min_pwd_age)
108 self.message("Maximum password age (days): %d" % max_pwd_age)
109 elif subcommand == "set":
110 msgs = []
111 m = ldb.Message()
112 m.dn = ldb.Dn(samdb, domain_dn)
113
114 if complexity is not None:
115 if complexity == "on" or complexity == "default":
116 pwd_props = pwd_props | DOMAIN_PASSWORD_COMPLEX
117 msgs.append("Password complexity activated!")
118 elif complexity == "off":
119 pwd_props = pwd_props & (~DOMAIN_PASSWORD_COMPLEX)
120 msgs.append("Password complexity deactivated!")
121
122 m["pwdProperties"] = ldb.MessageElement(str(pwd_props),
123 ldb.FLAG_MOD_REPLACE, "pwdProperties")
124
125 if history_length is not None:
126 if history_length == "default":
127 pwd_hist_len = 24
128 else:
129 pwd_hist_len = int(history_length)
130
131 if pwd_hist_len < 0 or pwd_hist_len > 24:
132 raise CommandError("Password history length must be in the range of 0 to 24!")
133
134 m["pwdHistoryLength"] = ldb.MessageElement(str(pwd_hist_len),
135 ldb.FLAG_MOD_REPLACE, "pwdHistoryLength")
136 msgs.append("Password history length changed!")
137
138 if min_pwd_length is not None:
139 if min_pwd_length == "default":
140 min_pwd_len = 7
141 else:
142 min_pwd_len = int(min_pwd_length)
143
144 if min_pwd_len < 0 or min_pwd_len > 14:
145 raise CommandError("Minimum password length must be in the range of 0 to 14!")
146
147 m["minPwdLength"] = ldb.MessageElement(str(min_pwd_len),
148 ldb.FLAG_MOD_REPLACE, "minPwdLength")
149 msgs.append("Minimum password length changed!")
150
151 if min_pwd_age is not None:
152 if min_pwd_age == "default":
153 min_pwd_age = 0
154 else:
155 min_pwd_age = int(min_pwd_age)
156
157 if min_pwd_age < 0 or min_pwd_age > 998:
158 raise CommandError("Minimum password age must be in the range of 0 to 998!")
159
160 # days -> ticks
161 min_pwd_age_ticks = -int(min_pwd_age * (24 * 60 * 60 * 1e7))
162
163 m["minPwdAge"] = ldb.MessageElement(str(min_pwd_age_ticks),
164 ldb.FLAG_MOD_REPLACE, "minPwdAge")
165 msgs.append("Minimum password age changed!")
166
167 if max_pwd_age is not None:
168 if max_pwd_age == "default":
169 max_pwd_age = 43
170 else:
171 max_pwd_age = int(max_pwd_age)
172
173 if max_pwd_age < 0 or max_pwd_age > 999:
174 raise CommandError("Maximum password age must be in the range of 0 to 999!")
175
176 # days -> ticks
177 max_pwd_age_ticks = -int(max_pwd_age * (24 * 60 * 60 * 1e7))
178
179 m["maxPwdAge"] = ldb.MessageElement(str(max_pwd_age_ticks),
180 ldb.FLAG_MOD_REPLACE, "maxPwdAge")
181 msgs.append("Maximum password age changed!")
182
183 if max_pwd_age > 0 and min_pwd_age >= max_pwd_age:
184 raise CommandError("Maximum password age (%d) must be greater than minimum password age (%d)!" % (max_pwd_age, min_pwd_age))
185
186 samdb.modify(m)
187 msgs.append("All changes applied successfully!")
188 self.message("\n".join(msgs))
189 else:
190 raise CommandError("Wrong argument '%s'!" % subcommand)
Eduardo's samba4 branches