示例#1
    oidnum = oidnum + 1
    ad.addAttr("( 2.16.840.1.113730.3.1.%d NAME 'userAccountControl' DESC 'AD user account control' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )" % oidnum)
    oidnum = oidnum + 1
    ad.addObjClass("( 2.16.840.1.113730.3.2.%d NAME 'adPerson' DESC 'AD person mixin' SUP top AUXILIARY MAY ( samAccountName $ objectGUID $ name $ userAccountControl ) )" % oidnum)
    oidnum = oidnum + 1
    ad.addAttr("( 2.16.840.1.113730.3.1.%d NAME 'groupType' DESC 'AD group type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape NT Synchronization' )" % oidnum)
    oidnum = oidnum + 1
    ad.addObjClass("( 2.16.840.1.113730.3.2.%d NAME 'group' DESC 'AD group' SUP top STRUCTURAL MAY ( samAccountName $ groupType $ objectGUID $ name $ member $ ou $ cn $ description ) )" % oidnum)
    oidnum = oidnum + 1
    aduserObjClasses = ['adPerson']
else:
    aduserObjClasses = ['top', 'person', 'organizationalperson', 'user']
    ad = DSAdmin(host2, port2, nobind=True)
    # require TLS/SSL for password updates
    ad.start_tls_s()
    ad.simple_bind_s(root2, rootpw2)

# Keyed collection of the users we will later check for having been synced.
userids = {}

# Objectclasses every IPA user has to carry - keep this in step with the
# ipaUserObjectClasses list under cn=ipaConfig.  ntUser is the marker that
# is put on an entry either by the winsync code itself or by hand, when an
# existing IPA user is to be synced with AD.
userObjClasses = [
    'top', 'person', 'organizationalPerson',
    'inetOrgPerson', 'ntUser',
]

# With IPA winsync in play the users also get these auxiliary classes.
if ipawinsync:
    userObjClasses += ['inetUser', 'posixAccount', 'krbPrincipalAux']
示例#2
    'passwordLockout': 'on'
}
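m1.setPwdPolicy(pwdpolicy)
m2.setPwdPolicy(pwdpolicy)
#m1.setPwdPolicy(passwordLockout="on", passwordisglobalpolicy="on")
#m2.setPwdPolicy(passwordLockout="on", passwordisglobalpolicy="on")

# Operational attributes that expose the account's lockout state; they are
# read back from both masters after every bind attempt.
opattrs = [
    'passwordRetryCount', 'retryCountResetTime', 'accountUnlockTime',
    'passwordExpirationTime', 'modifyTimestamp', 'modifiersName'
]
print "Do %d attempts to bind with incorrect password . . ." % nattempts
userconn = DSAdmin(host1, port1)
try:
    # nattempts + 1 binds: presumably one more than the policy's maximum
    # failure count, so the last one should be refused as locked out -
    # confirm against the pwdpolicy dict above.
    for xx in range(0, nattempts + 1):
        try:
            userconn.simple_bind_s(userdn, "boguspassword")
        except ldap.INVALID_CREDENTIALS:
            print "password was not correct"
        except ldap.CONSTRAINT_VIOLATION:
            print "too many password attempts"
        else:
            # A bogus password must never bind; staying silent here would
            # let a lockout policy that is not enforced pass unnoticed.
            print "ERROR: bind with bogus password unexpectedly succeeded"
        for name, master in (("m1", m1), ("m2", m2)):
            print "%s pwd attrs" % name
            print "%s" % master.getEntry(userdn, ldap.SCOPE_BASE,
                                         "(objectclass=*)", opattrs)
        # Modify the entry on m1 after each attempt (presumably to keep
        # replication traffic flowing alongside the lockout updates).
        mymod = [(ldap.MOD_REPLACE, "description", "changed %d" % xx)]
        m1.modify_s(userdn, mymod)
finally:
    # Release the user connection even when an unexpected LDAP error
    # aborts the loop.
    userconn.unbind()

print "sleep to let repl propagate . . ."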
示例#3
    oidnum = oidnum + 1
    ad.addAttr(
        "( 2.16.840.1.113730.3.1.%d NAME 'groupType' DESC 'AD group type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape NT Synchronization' )"
        % oidnum)
    oidnum = oidnum + 1
    ad.addObjClass(
        "( 2.16.840.1.113730.3.2.%d NAME 'group' DESC 'AD group' SUP top STRUCTURAL MAY ( samAccountName $ groupType $ objectGUID $ name $ member $ ou $ cn $ description ) )"
        % oidnum)
    oidnum = oidnum + 1
    aduserObjClasses = ['adPerson']
else:
    aduserObjClasses = ['top', 'person', 'organizationalperson', 'user']
    ad = DSAdmin(host2, port2, nobind=True)
    # require TLS/SSL for password updates
    ad.start_tls_s()
    ad.simple_bind_s(root2, rootpw2)

# Keyed collection of the users we will later check for having been synced.
userids = {}

# Objectclasses every IPA user has to carry - keep this in step with the
# ipaUserObjectClasses list under cn=ipaConfig.  ntUser is the marker that
# is put on an entry either by the winsync code itself or by hand, when an
# existing IPA user is to be synced with AD.
userObjClasses = [
    'top', 'person', 'organizationalPerson',
    'inetOrgPerson', 'ntUser',
]

# With IPA winsync in play the users also get these auxiliary classes.
if ipawinsync:
    userObjClasses += ['inetUser', 'posixAccount', 'krbPrincipalAux']
示例#4
    'passwordLockoutDuration': 1800,
    'passwordResetFailureCount': 1800,
    'passwordMaxFailure': nattempts,
    'passwordLockout': 'on'
}
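m1.setPwdPolicy(pwdpolicy)
m2.setPwdPolicy(pwdpolicy)
#m1.setPwdPolicy(passwordLockout="on", passwordisglobalpolicy="on")
#m2.setPwdPolicy(passwordLockout="on", passwordisglobalpolicy="on")

# Operational attributes that expose the account's lockout state; they are
# read back from both masters after every bind attempt.
opattrs = [
    'passwordRetryCount', 'retryCountResetTime', 'accountUnlockTime',
    'passwordExpirationTime', 'modifyTimestamp', 'modifiersName'
]
print "Do %d attempts to bind with incorrect password . . ." % nattempts
userconn = DSAdmin(host1, port1)
try:
    # nattempts + 1 binds, one more than passwordMaxFailure, so the final
    # attempt is expected to be refused with CONSTRAINT_VIOLATION once the
    # account is locked.
    for xx in range(0, nattempts + 1):
        try:
            userconn.simple_bind_s(userdn, "boguspassword")
        except ldap.INVALID_CREDENTIALS:
            print "password was not correct"
        except ldap.CONSTRAINT_VIOLATION:
            print "too many password attempts"
        else:
            # A bogus password must never bind; staying silent here would
            # let a lockout policy that is not enforced pass unnoticed.
            print "ERROR: bind with bogus password unexpectedly succeeded"
        for name, master in (("m1", m1), ("m2", m2)):
            print "%s pwd attrs" % name
            print "%s" % master.getEntry(userdn, ldap.SCOPE_BASE,
                                         "(objectclass=*)", opattrs)
        # Modify the entry on m1 after each attempt (presumably to keep
        # replication traffic flowing alongside the lockout updates).
        mymod = [(ldap.MOD_REPLACE, "description", "changed %d" % xx)]
        m1.modify_s(userdn, mymod)
finally:
    # Release the user connection even when an unexpected LDAP error
    # aborts the loop.
    userconn.unbind()

print "sleep to let repl propagate . . ."
time.sleep(5)

print "do a mod to see if replication is still working . . ."
mymod = [(ldap.MOD_REPLACE, "description", "changed back")]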
示例#5
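def genpwd(pwd, salt):
    """Return *pwd* hashed in the LDAP ``{SSHA}`` userPassword format.

    The value is ``'{SSHA}' + base64(SHA1(pwd + salt) + salt)``: the salt
    is appended to the digest in the clear, which is what lets a server
    recompute the hash when it verifies a bind.

    Args:
        pwd:  the cleartext password, as ``str`` or ``bytes``.
        salt: the salt to mix in, as ``str`` or ``bytes``.  Text inputs
              are encoded as UTF-8.  An empty salt still yields a valid
              (unsalted) value.

    Returns:
        A native ``str`` starting with ``{SSHA}``.
    """
    # On Python 2 str is bytes, so these are no-ops there; on Python 3 they
    # let callers keep passing plain strings.
    if not isinstance(pwd, bytes):
        pwd = pwd.encode('utf-8')
    if not isinstance(salt, bytes):
        salt = salt.encode('utf-8')
    digest = hashlib.sha1(pwd + salt).digest()
    encoded = base64.b64encode(digest + salt)
    if not isinstance(encoded, str):
        # Python 3: b64encode returns bytes; the stored value is ASCII text.
        encoded = encoded.decode('ascii')
    return '{SSHA}' + encoded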


# Every test user gets the same cleartext password; what varies is how it
# is stored: user0 keeps it in the clear, userN (N > 0) stores a {SSHA}
# value built with an N-byte salt, so salt lengths 1..99 are all exercised.
pwd = 'averylongpassword'
dnfmt = 'cn=user%d,ou=people,%s'

for ii in xrange(100):
    dn = dnfmt % (ii, basedn)
    # Start from a clean slate; a missing entry is not an error here.
    try:
        srv.delete_s(dn)
    except ldap.NO_SUCH_OBJECT:
        pass
    salt = 'a' * ii
    pwdstr = genpwd(pwd, salt) if salt else pwd
    ent = Entry(dn)
    ent.setValues('objectclass', 'person')
    ent.setValues('sn', 'User%d' % ii)
    ent.setValues('userPassword', pwdstr)
    srv.add_s(ent)

# Bind as each user with the cleartext password and read the root DSE as
# that user, which proves the server accepted both storage forms.
for ii in xrange(100):
    dn = dnfmt % (ii, basedn)
    srv.simple_bind_s(dn, pwd)
    ents = srv.search_s("", ldap.SCOPE_BASE, '(objectclass=*)',
                        ['vendorVersion'])
    print dn, 'successfully read', ents[0].vendorVersion