search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:registry: add an extra check for dsize==0 to regdb_fetch_keys_internal()
[Samba/fernandojvsilva.git] / source4 / setup / pwsettings
blob59ed5d29bf4b6f6a61182472e2aa1c0fa04b8e9a
1 #!/usr/bin/python
2 #
3 # Sets password settings (Password complexity, history length, minimum password
4 # length, the minimum and maximum password age) on a Samba4 server
5 #
6 # Copyright Matthias Dieter Wallnoefer 2009
7 # Copyright Andrew Kroeger 2009
8 #
9 # This program is free software; you can redistribute it and/or modify
10 # it under the terms of the GNU General Public License as published by
11 # the Free Software Foundation; either version 3 of the License, or
12 # (at your option) any later version.
13 #
14 # This program is distributed in the hope that it will be useful,
15 # but WITHOUT ANY WARRANTY; without even the implied warranty of
16 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 # GNU General Public License for more details.
18 #
19 # You should have received a copy of the GNU General Public License
20 # along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #
22
23 import sys
24
25 # Find right directory when running from source tree
26 sys.path.insert(0, "bin/python")
27
28 import samba.getopt as options
29 import optparse
30 import ldb
31
32 from samba.auth import system_session
33 from samba.samdb import SamDB
34 from samba.dcerpc.samr import DOMAIN_PASSWORD_COMPLEX
35
36 parser = optparse.OptionParser("pwsettings (show | set <options>)")
37 sambaopts = options.SambaOptions(parser)
38 parser.add_option_group(sambaopts)
39 parser.add_option_group(options.VersionOptions(parser))
40 credopts = options.CredentialsOptions(parser)
41 parser.add_option_group(credopts)
42 parser.add_option("-H", help="LDB URL for database or target server", type=str)
43 parser.add_option("--quiet", help="Be quiet", action="store_true")
44 parser.add_option("--complexity", type="choice", choices=["on","off","default"],
45 help="The password complexity (on | off | default). Default is 'on'")
46 parser.add_option("--history-length",
47 help="The password history length (<integer> | default). Default is 24.", type=str)
48 parser.add_option("--min-pwd-length",
49 help="The minimum password length (<integer> | default). Default is 7.", type=str)
50 parser.add_option("--min-pwd-age",
51 help="The minimum password age (<integer in days> | default). Default is 0.", type=str)
52 parser.add_option("--max-pwd-age",
53 help="The maximum password age (<integer in days> | default). Default is 43.", type=str)
54
55 opts, args = parser.parse_args()
56
57 #
58 # print a message if quiet is not set
59 #
60 def message(text):
61 if not opts.quiet:
62 print text
63
64 if len(args) == 0:
65 parser.print_usage()
66 sys.exit(1)
67
68 lp = sambaopts.get_loadparm()
69 creds = credopts.get_credentials(lp)
70
71 if opts.H is not None:
72 url = opts.H
73 else:
74 url = lp.get("sam database")
75
76 samdb = SamDB(url=url, session_info=system_session(), credentials=creds, lp=lp)
77
78 domain_dn = SamDB.domain_dn(samdb)
79 res = samdb.search(domain_dn, scope=ldb.SCOPE_BASE,
80 attrs=["pwdProperties", "pwdHistoryLength", "minPwdLength", "minPwdAge",
81 "maxPwdAge"])
82 assert(len(res) == 1)
83 try:
84 pwd_props = int(res[0]["pwdProperties"][0])
85 pwd_hist_len = int(res[0]["pwdHistoryLength"][0])
86 min_pwd_len = int(res[0]["minPwdLength"][0])
87 # ticks -> days
88 min_pwd_age = int(abs(int(res[0]["minPwdAge"][0])) / (1e7 * 60 * 60 * 24))
89 max_pwd_age = int(abs(int(res[0]["maxPwdAge"][0])) / (1e7 * 60 * 60 * 24))
90 except KeyError:
91 print >>sys.stderr, "ERROR: Could not retrieve password properties!"
92 if args[0] == "show":
93 print >>sys.stderr, "So no settings can be displayed!"
94 sys.exit(1)
95
96 if args[0] == "show":
97 message("Password informations for domain '" + domain_dn + "'")
98 message("")
99 if pwd_props & DOMAIN_PASSWORD_COMPLEX != 0:
100 message("Password complexity: on")
101 else:
102 message("Password complexity: off")
103 message("Password history length: " + str(pwd_hist_len))
104 message("Minimum password length: " + str(min_pwd_len))
105 message("Minimum password age (days): " + str(min_pwd_age))
106 message("Maximum password age (days): " + str(max_pwd_age))
107
108 elif args[0] == "set":
109
110 msgs = []
111 m = ldb.Message()
112 m.dn = ldb.Dn(samdb, domain_dn)
113
114 if opts.complexity is not None:
115 if opts.complexity == "on" or opts.complexity == "default":
116 pwd_props = pwd_props | DOMAIN_PASSWORD_COMPLEX
117 msgs.append("Password complexity activated!")
118 elif opts.complexity == "off":
119 pwd_props = pwd_props & (~DOMAIN_PASSWORD_COMPLEX)
120 msgs.append("Password complexity deactivated!")
121
122 m["pwdProperties"] = ldb.MessageElement(str(pwd_props),
123 ldb.FLAG_MOD_REPLACE, "pwdProperties")
124
125 if opts.history_length is not None:
126 if opts.history_length == "default":
127 pwd_hist_len = 24
128 else:
129 pwd_hist_len = int(opts.history_length)
130
131 if pwd_hist_len < 0 or pwd_hist_len > 24:
132 print >>sys.stderr, "ERROR: Password history length must be in the range of 0 to 24!"
133 sys.exit(1)
134
135 m["pwdHistoryLength"] = ldb.MessageElement(str(pwd_hist_len),
136 ldb.FLAG_MOD_REPLACE, "pwdHistoryLength")
137 msgs.append("Password history length changed!")
138
139 if opts.min_pwd_length is not None:
140 if opts.min_pwd_length == "default":
141 min_pwd_len = 7
142 else:
143 min_pwd_len = int(opts.min_pwd_length)
144
145 if min_pwd_len < 0 or min_pwd_len > 14:
146 print >>sys.stderr, "ERROR: Minimum password length must be in the range of 0 to 14!"
147 sys.exit(1)
148
149 m["minPwdLength"] = ldb.MessageElement(str(min_pwd_len),
150 ldb.FLAG_MOD_REPLACE, "minPwdLength")
151 msgs.append("Minimum password length changed!")
152
153 if opts.min_pwd_age is not None:
154 if opts.min_pwd_age == "default":
155 min_pwd_age = 0
156 else:
157 min_pwd_age = int(opts.min_pwd_age)
158
159 if min_pwd_age < 0 or min_pwd_age > 998:
160 print >>sys.stderr, "ERROR: Minimum password age must be in the range of 0 to 998!"
161 sys.exit(1)
162
163 # days -> ticks
164 min_pwd_age_ticks = -int(min_pwd_age * (24 * 60 * 60 * 1e7))
165
166 m["minPwdAge"] = ldb.MessageElement(str(min_pwd_age_ticks),
167 ldb.FLAG_MOD_REPLACE, "minPwdAge")
168 msgs.append("Minimum password age changed!")
169
170 if opts.max_pwd_age is not None:
171 if opts.max_pwd_age == "default":
172 max_pwd_age = 43
173 else:
174 max_pwd_age = int(opts.max_pwd_age)
175
176 if max_pwd_age < 0 or max_pwd_age > 999:
177 print >>sys.stderr, "ERROR: Maximum password age must be in the range of 0 to 999!"
178 sys.exit(1)
179
180 # days -> ticks
181 max_pwd_age_ticks = -int(max_pwd_age * (24 * 60 * 60 * 1e7))
182
183 m["maxPwdAge"] = ldb.MessageElement(str(max_pwd_age_ticks),
184 ldb.FLAG_MOD_REPLACE, "maxPwdAge")
185 msgs.append("Maximum password age changed!")
186
187 if max_pwd_age > 0 and min_pwd_age >= max_pwd_age:
188 print "ERROR: Maximum password age (%d) must be greater than minimum password age (%d)!" % (max_pwd_age, min_pwd_age)
189 sys.exit(1)
190
191 samdb.modify(m)
192
193 msgs.append("All changes applied successfully!")
194
195 message("\n".join(msgs))
196 else:
197 print >>sys.stderr, "ERROR: Wrong argument '" + args[0] + "'!"
198 sys.exit(1)
fernandojvsilva's samba4 branch