# Unix SMB/CIFS implementation.
#
# Authentication policy model.
#
# Copyright (C) Catalyst.Net Ltd. 2023
#
# Written by Rob van der Linde <rob@catalyst.net.nz>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from enum import IntEnum

from ldb import Dn

from .fields import (BooleanField, EnumField, IntegerField, SDDLField,
                     StringField)
from .model import Model
# Ticket-Granting-Ticket lifetimes.
# Upper bound accepted for the *TGTLifetime fields: the largest signed
# 32-bit value (presumably because the LDAP attributes are 32-bit integers —
# confirm against the schema).
MAX_TGT_LIFETIME = 2 ** 31 - 1
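class StrongNTLMPolicy(IntEnum):
    """Values of the msDS-StrongNTLMPolicy attribute.

    Member names are presented to the CLI in capitalised form through
    :meth:`get_choices` / :meth:`choices_str`.
    """
    # NOTE(review): member list restored from the attribute's documented
    # values (0 disabled, 1 optional, 2 required) — confirm against the
    # original source.
    DISABLED = 0
    OPTIONAL = 1
    REQUIRED = 2

    @classmethod
    def get_choices(cls):
        """Return the member names, capitalised and sorted, for CLI help.

        :return: list of str, e.g. ``["Disabled", "Optional", "Required"]``
        """
        return sorted(choice.capitalize() for choice in cls._member_names_)

    @classmethod
    def choices_str(cls):
        """Return :meth:`get_choices` joined into one comma-separated string.

        :return: str suitable for an option's help text
        """
        return ", ".join(cls.get_choices())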
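class AuthenticationPolicy(Model):
    """Authentication policy (objectClass msDS-AuthNPolicy).

    Each field maps one Python attribute to the LDAP attribute named in its
    constructor.  The SDDL fields hold the conditional access control
    expressions that restrict where an account may authenticate *from*
    and which accounts may obtain service tickets *to* it; the TGT lifetime
    fields are bounded by ``MAX_TGT_LIFETIME``.
    """
    description = StringField("description")
    enforced = BooleanField("msDS-AuthNPolicyEnforced")
    strong_ntlm_policy = EnumField("msDS-StrongNTLMPolicy", StrongNTLMPolicy)
    user_allow_ntlm_network_auth = BooleanField(
        "msDS-UserAllowedNTLMNetworkAuthentication")
    user_tgt_lifetime = IntegerField("msDS-UserTGTLifetime")
    service_allow_ntlm_network_auth = BooleanField(
        "msDS-ServiceAllowedNTLMNetworkAuthentication")
    service_tgt_lifetime = IntegerField("msDS-ServiceTGTLifetime")
    computer_tgt_lifetime = IntegerField("msDS-ComputerTGTLifetime")
    # NOTE(review): the "...AllowedToAuthenticateFrom" fields reject device
    # claims in their SDDL (allow_device_in_sddl=False) while the "...To"
    # fields accept them — presumably because the "From" expression already
    # describes the device; confirm against the field implementation.
    user_allowed_to_authenticate_from = SDDLField(
        "msDS-UserAllowedToAuthenticateFrom", allow_device_in_sddl=False)
    user_allowed_to_authenticate_to = SDDLField(
        "msDS-UserAllowedToAuthenticateTo")
    service_allowed_to_authenticate_from = SDDLField(
        "msDS-ServiceAllowedToAuthenticateFrom", allow_device_in_sddl=False)
    service_allowed_to_authenticate_to = SDDLField(
        "msDS-ServiceAllowedToAuthenticateTo")
    computer_allowed_to_authenticate_to = SDDLField(
        "msDS-ComputerAllowedToAuthenticateTo")

    @staticmethod
    def get_base_dn(samdb):
        """Return the base DN for the AuthenticationPolicy model.

        :param samdb: SamDB connection
        :return: Dn object of container
        """
        # Policies live under the configuration partition, not the domain.
        base_dn = samdb.get_config_basedn()
        base_dn.add_child(
            "CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services")
        return base_dn

    @staticmethod
    def get_object_class():
        """Return the LDAP objectClass backing this model."""
        return "msDS-AuthNPolicy"

    @staticmethod
    def find(samdb, name):
        """Helper function to return auth policy or raise LookupError.

        :param samdb: SamDB connection
        :param name: Either DN or name of Authentication Policy
        :return: AuthenticationPolicy instance
        :raises: LookupError if not found
        :raises: ValueError if name is not set
        """
        if not name:
            raise ValueError("Attribute 'name' is required.")

        try:
            # It's possible name is already a Dn.
            dn = name if isinstance(name, Dn) else Dn(samdb, name)
            policy = AuthenticationPolicy.get(samdb, dn=dn)
        except ValueError:
            # Not a parsable DN: treat the argument as the policy's cn.
            # NOTE(review): the caller's string is passed straight into the
            # cn= lookup; presumably Model.get escapes it when building the
            # search filter — confirm.
            policy = AuthenticationPolicy.get(samdb, cn=name)

        if policy is None:
            raise LookupError(f"Authentication policy {name} not found.")

        return policy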