/*
* Unix SMB/CIFS implementation.
* account policy storage
* Copyright (C) Jean François Micouleau 1998-2001
* Copyright (C) Andrew Bartlett 2002
* Copyright (C) Guenther Deschner 2004-2005
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see .
*/
#include "includes.h"
#include "system/filesys.h"
#include "passdb.h"
#include "dbwrap/dbwrap.h"
#include "dbwrap/dbwrap_open.h"
#include "../libcli/security/security.h"
#include "lib/privileges.h"
#include "lib/gencache.h"
#include "lib/util/smb_strtox.h"
static struct db_context *db;
/* cache all entries for 60 seconds for to save ldap-queries (cache is updated
* after this period if admins do not use pdbedit or usermanager but manipulate
* ldap directly) - gd */
#define DATABASE_VERSION 3
#define AP_TTL 60
struct ap_table {
enum pdb_policy_type type;
const char *string;
uint32_t default_val;
const char *description;
const char *ldap_attr;
};
static const struct ap_table account_policy_names[] = {
{PDB_POLICY_MIN_PASSWORD_LEN, "min password length", MINPASSWDLENGTH,
"Minimal password length (default: 5)",
"sambaMinPwdLength" },
{PDB_POLICY_PASSWORD_HISTORY, "password history", 0,
"Length of Password History Entries (default: 0 => off)",
"sambaPwdHistoryLength" },
{PDB_POLICY_USER_MUST_LOGON_TO_CHG_PASS, "user must logon to change password", 0,
"Force Users to logon for password change (default: 0 => off, 2 => on)",
"sambaLogonToChgPwd" },
{PDB_POLICY_MAX_PASSWORD_AGE, "maximum password age", (uint32_t) -1,
"Maximum password age, in seconds (default: -1 => never expire passwords)",
"sambaMaxPwdAge" },
{PDB_POLICY_MIN_PASSWORD_AGE,"minimum password age", 0,
"Minimal password age, in seconds (default: 0 => allow immediate password change)",
"sambaMinPwdAge" },
{PDB_POLICY_LOCK_ACCOUNT_DURATION, "lockout duration", 30,
"Lockout duration in minutes (default: 30, -1 => forever)",
"sambaLockoutDuration" },
{PDB_POLICY_RESET_COUNT_TIME, "reset count minutes", 30,
"Reset time after lockout in minutes (default: 30)",
"sambaLockoutObservationWindow" },
{PDB_POLICY_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt", 0,
"Lockout users after bad logon attempts (default: 0 => off)",
"sambaLockoutThreshold" },
{PDB_POLICY_TIME_TO_LOGOUT, "disconnect time", (uint32_t) -1,
"Disconnect Users outside logon hours (default: -1 => off, 0 => on)",
"sambaForceLogoff" },
{PDB_POLICY_REFUSE_MACHINE_PW_CHANGE, "refuse machine password change", 0,
"Allow Machine Password changes (default: 0 => off)",
"sambaRefuseMachinePwdChange" },
{0, NULL, 0, "", NULL}
};
void account_policy_names_list(TALLOC_CTX *mem_ctx, const char ***names, int *num_names)
{
const char **nl;
int i, count = ARRAY_SIZE(account_policy_names);
nl = talloc_array(mem_ctx, const char *, count);
if (!nl) {
*num_names = 0;
return;
}
for (i=0; i