From c969e730c43666cc73a99065dcf3c4af037c7e9f Mon Sep 17 00:00:00 2001
From: kakwa
Date: Thu, 16 Jun 2016 21:49:48 +0200
Subject: [PATCH] fix password setting with Active Directory
---
 ldapcherry/backend/backendAD.py | 64 +++++++++++++++++++++++++++++++
 ldapcherry/backend/backendLdap.py | 12 ++++--
 2 files changed, 72 insertions(+), 4 deletions(-)
diff --git a/ldapcherry/backend/backendAD.py b/ldapcherry/backend/backendAD.py
index aff0f19..a654e2f 100644
--- a/ldapcherry/backend/backendAD.py
+++ b/ldapcherry/backend/backendAD.py
@@ -29,6 +29,32 @@ LISTED_ATTRS = 2
 ALL_ATTRS = 3
+# UserAccountControl Attribute/Flag Values
+# For details, look at:
+# https://support.microsoft.com/en-us/kb/305144
+SCRIPT = 0x0001
+ACCOUNTDISABLE = 0x0002
+HOMEDIR_REQUIRED = 0x0008
+LOCKOUT = 0x0010
+PASSWD_NOTREQD = 0x0020
+PASSWD_CANT_CHANGE = 0x0040
+ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080
+TEMP_DUPLICATE_ACCOUNT = 0x0100
+NORMAL_ACCOUNT = 0x0200
+INTERDOMAIN_TRUST_ACCOUNT = 0x0800
+WORKSTATION_TRUST_ACCOUNT = 0x1000
+SERVER_TRUST_ACCOUNT = 0x2000
+DONT_EXPIRE_PASSWORD = 0x10000
+MNS_LOGON_ACCOUNT = 0x20000
+SMARTCARD_REQUIRED = 0x40000
+TRUSTED_FOR_DELEGATION = 0x80000
+NOT_DELEGATED = 0x100000
+USE_DES_KEY_ONLY = 0x200000
+DONT_REQ_PREAUTH = 0x400000
+PASSWORD_EXPIRED = 0x800000
+TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
+PARTIAL_SECRETS_ACCOUNT = 0x04000000
+
 # Generated by the followin command:
 # samba-tool group list | \
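Review bot: `PARTIAL_SECRETS_ACCOUNT = 0x04000000` is the only literal in the new flag table written with a leading zero; `0x4000000` matches the width convention of its neighbours (`TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000`). A one-line comment above the table saying how the values are meant to be used, e.g. `# bit flags: combine with |; the patch writes them to UserAccountControl as a decimal string`, would help, since only `NORMAL_ACCOUNT` is referenced elsewhere in this patch and a reader has to infer the rest.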
@@ -139,6 +165,44 @@ class Backend(ldapcherry.backend.backendLdap.Backend):
 ad_groups.append('cn=' + group + ',' + self.groupdn)
 return ad_groups
+ def _set_password(self, cn, password):
+ unicode_pass = '\"' + password + '\"'
+ password_value = unicode_pass.encode('utf-16-le')
+
+ ldap_client = self._bind()
+
+ dn = str('CN=%(cn)s,%(user_dn)s' % {
+ 'cn': cn,
+ 'user_dn': self.userdn
+ }
+ )
+
+ attrs = {}
+
+ attrs['unicodePwd'] = str(password_value)
+
+ #ldif = modlist.modifyModlist({'unicodePwd': 'asad'}, attrs)
+ ldif = modlist.modifyModlist({'unicodePwd': 'tmp'}, attrs)
+ ldap_client.modify_s(dn,ldif)
+
+ del(attrs['unicodePwd'])
+ attrs['UserAccountControl'] = str(NORMAL_ACCOUNT)
+ ldif = modlist.modifyModlist({'UserAccountControl': 'tmp'}, attrs)
+ ldap_client.modify_s(dn,ldif)
+
+ def add_user(self, attrs):
+ password = attrs['unicodePwd']
+ del(attrs['unicodePwd'])
+ super(Backend, self).add_user(attrs)
+ self._set_password(attrs['cn'], password)
+
+ def set_attrs(self, username, attrs):
+ if 'unicodePwd' in attrs:
+ password = attrs['unicodePwd']
+ del(attrs['unicodePwd'])
+ self._set_password(attrs['cn'], password)
+ super(Backend, self).set_attrs(username, attrs)
+
 def add_to_groups(self, username, groups):
 ad_groups = self._build_groupdn(groups)
 super(Backend, self).add_to_groups(username, ad_groups)
diff --git a/ldapcherry/backend/backendLdap.py b/ldapcherry/backend/backendLdap.py
index c789a1c..1fe18fa 100644
--- a/ldapcherry/backend/backendLdap.py
+++ b/ldapcherry/backend/backendLdap.py
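Review bot: `_set_password` ends by writing `UserAccountControl = str(NORMAL_ACCOUNT)` unconditionally, and `set_attrs` routes every password change through it, so resetting the password of a disabled account (`ACCOUNTDISABLE`) or of one carrying `DONT_EXPIRE_PASSWORD` or `SMARTCARD_REQUIRED` silently re-enables it and drops those flags. The enable step belongs to `add_user` alone, where a freshly created account is being activated; `set_attrs` should leave userAccountControl untouched (or read the current value and mask bits into it), and `set_attrs` also indexes `attrs['cn']`, which raises KeyError when a caller sends only the new password without the cn — `username`, if it is the cn, would be the safer key. Inside `_set_password` the connection from `self._bind()` is never released, so unless `_bind()` hands out a shared connection an `ldap_client.unbind_s()` in a `finally` is needed, and `cn` is interpolated into the DN unescaped, so a cn containing `,` or `+` yields a malformed or different DN — `ldap.dn.escape_dn_chars(cn)` covers that if `ldap` is imported in this module. The dead `#ldif = modlist.modifyModlist({'unicodePwd': 'asad'}, attrs)` line should go, and the `{'unicodePwd': 'tmp'}` placeholder exists only to coax `modifyModlist` into emitting a delete/add pair; a hand-written modlist states the intent directly. The sketch below moves the flag write into a helper that only `add_user` calls.
```python
    def _user_dn(self, cn):
        # NOTE(review): assumes `ldap` is imported in this module — confirm
        return str('CN=%s,%s' % (ldap.dn.escape_dn_chars(cn), self.userdn))

    def _set_password(self, cn, password):
        # AD expects the new password as a UTF-16-LE encoded, double-quoted string
        unicode_pass = '\"' + password + '\"'
        password_value = unicode_pass.encode('utf-16-le')
        ldap_client = self._bind()
        try:
            # NOTE(review): MOD_REPLACE is the documented administrative reset;
            # confirm it matches the delete/add pair modifyModlist emits today
            ldif = [(ldap.MOD_REPLACE, 'unicodePwd', [str(password_value)])]
            ldap_client.modify_s(self._user_dn(cn), ldif)
        finally:
            ldap_client.unbind_s()

    def _enable_account(self, cn):
        # Only for freshly created accounts: this overwrites every other flag.
        ldap_client = self._bind()
        try:
            ldif = [(ldap.MOD_REPLACE, 'UserAccountControl', [str(NORMAL_ACCOUNT)])]
            ldap_client.modify_s(self._user_dn(cn), ldif)
        finally:
            ldap_client.unbind_s()

    def add_user(self, attrs):
        password = attrs['unicodePwd']
        del attrs['unicodePwd']
        super(Backend, self).add_user(attrs)
        self._set_password(attrs['cn'], password)
        self._enable_account(attrs['cn'])

    # … unchanged: set_attrs, which now only calls _set_password …
```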
@@ -292,15 +292,19 @@ class Backend(ldapcherry.backend.Backend):
 return True
 else:
 return False
+
+ def attrs_pretreatment(self, attrs):
+ attrs_str = {}
+ for a in attrs:
+ attrs_str[self._str(a)] = self._str(attrs[a])
+ return attrs_str
 def add_user(self, attrs):
 """add a user"""
 ldap_client = self._bind()
- attrs_str = {} # encoding crap
- for a in attrs:
- attrs_str[self._str(a)] = self._str(attrs[a])
-
+ attrs_str = self.attrs_pretreatment(attrs)
+ attrs_str['objectClass'] = self.objectclasses
 # construct is DN
 dn = \
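Review bot: `attrs_pretreatment` is a new public method without a docstring, while its sibling `add_user` carries one; `"""Return a copy of *attrs* with every key and value passed through self._str."""` states the contract — it is the loop `add_user` previously ran inline, so behaviour is unchanged. Since the method is now part of the backend's public surface and the AD subclass in the same patch overrides `add_user` and `set_attrs`, the docstring should also say that the returned dict is a fresh object and the caller's `attrs` is not modified, which is what the visible loop does. `add_user` continues past the end of the hunk.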