1 # Unix SMB/CIFS implementation.
3 # Authentication policy model.
5 # Copyright (C) Catalyst.Net Ltd. 2023
7 # Written by Rob van der Linde <rob@catalyst.net.nz>
9 # This program is free software; you can redistribute it and/or modify
10 # it under the terms of the GNU General Public License as published by
11 # the Free Software Foundation; either version 3 of the License, or
12 # (at your option) any later version.
14 # This program is distributed in the hope that it will be useful,
15 # but WITHOUT ANY WARRANTY; without even the implied warranty of
16 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 # GNU General Public License for more details.
19 # You should have received a copy of the GNU General Public License
20 # along with this program. If not, see <http://www.gnu.org/licenses/>.
23 from enum import IntEnum
24 from ldb import Dn
26 from .fields import (BooleanField, EnumField, IntegerField, SDDLField,
27 StringField)
28 from .model import Model
# Bounds for Ticket-Granting-Ticket lifetime values.
# The upper bound is the largest signed 32-bit integer.
MIN_TGT_LIFETIME = 45
MAX_TGT_LIFETIME = 2**31 - 1
class StrongNTLMPolicy(IntEnum):
    """Integer values used for the msDS-StrongNTLMPolicy attribute."""
    DISABLED = 0
    OPTIONAL = 1
    REQUIRED = 2

    @classmethod
    def get_choices(cls):
        """Return every member name, capitalised and sorted alphabetically."""
        labels = (member.name.capitalize() for member in cls)
        return sorted(labels)

    @classmethod
    def choices_str(cls):
        """Return get_choices() as a single comma-separated string."""
        return ", ".join(cls.get_choices())
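class AuthenticationPolicy(Model):
    """Model for msDS-AuthNPolicy objects.

    Each class attribute maps a Python-level field onto the LDAP attribute
    named in its constructor. Objects of this class live in the container
    returned by get_base_dn(), under the configuration partition.
    """
    description = StringField("description")
    enforced = BooleanField("msDS-AuthNPolicyEnforced")
    strong_ntlm_policy = EnumField("msDS-StrongNTLMPolicy", StrongNTLMPolicy)
    user_allow_ntlm_network_auth = BooleanField(
        "msDS-UserAllowedNTLMNetworkAuthentication")
    user_tgt_lifetime = IntegerField("msDS-UserTGTLifetime")
    service_allow_ntlm_network_auth = BooleanField(
        "msDS-ServiceAllowedNTLMNetworkAuthentication")
    service_tgt_lifetime = IntegerField("msDS-ServiceTGTLifetime")
    computer_tgt_lifetime = IntegerField("msDS-ComputerTGTLifetime")
    # The "...AllowedToAuthenticateFrom" fields are constructed with
    # allow_device_in_sddl=False; what SDDLField rejects under that flag
    # is defined in .fields, not here.
    user_allowed_to_authenticate_from = SDDLField(
        "msDS-UserAllowedToAuthenticateFrom", allow_device_in_sddl=False)
    user_allowed_to_authenticate_to = SDDLField(
        "msDS-UserAllowedToAuthenticateTo")
    service_allowed_to_authenticate_from = SDDLField(
        "msDS-ServiceAllowedToAuthenticateFrom", allow_device_in_sddl=False)
    service_allowed_to_authenticate_to = SDDLField(
        "msDS-ServiceAllowedToAuthenticateTo")
    computer_allowed_to_authenticate_to = SDDLField(
        "msDS-ComputerAllowedToAuthenticateTo")

    @staticmethod
    def get_base_dn(samdb):
        """Return the base DN for the AuthenticationPolicy model.

        :param samdb: SamDB connection
        :return: Dn object of the AuthN Policies container
        """
        base_dn = samdb.get_config_basedn()
        # Dn.add_child() extends base_dn in place; the modified object is
        # what gets returned.
        base_dn.add_child(
            "CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services")
        return base_dn

    @staticmethod
    def get_object_class():
        """Return the LDAP objectClass this model represents."""
        return "msDS-AuthNPolicy"

    @staticmethod
    def find(samdb, name):
        """Return the authentication policy identified by *name*.

        :param samdb: SamDB connection
        :param name: Either the DN (str or Dn) or the cn of the policy
        :return: AuthenticationPolicy instance
        :raises ValueError: if name is not set
        :raises LookupError: if no matching policy exists
        """
        if not name:
            raise ValueError("Attribute 'name' is required.")

        try:
            # name may already be a Dn; otherwise try to parse it as one.
            dn = name if isinstance(name, Dn) else Dn(samdb, name)
            policy = AuthenticationPolicy.get(samdb, dn=dn)
        except ValueError:
            # Not a parseable DN (a ValueError raised inside get() lands
            # here too): fall back to looking the policy up by cn.
            # NOTE(review): name is passed straight into the cn lookup;
            # confirm Model.get escapes LDAP filter metacharacters.
            policy = AuthenticationPolicy.get(samdb, cn=name)

        if policy is None:
            raise LookupError(f"Authentication policy {name} not found.")

        return policy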