fixing canlogon

skelsec · skelsec · commit 42cdb1e59a08 · 2020-09-15T15:45:25.000-07:00
diff --git a/msldap/_version.py b/msldap/_version.py
@@ -1,5 +1,5 @@
 
-__version__ = "0.3.12"
+__version__ = "0.3.13"
 __banner__ = \
 """
 # msldap %s 
diff --git a/msldap/ldap_objects/adcomp.py b/msldap/ldap_objects/adcomp.py
@@ -4,6 +4,7 @@
 #  Tamas Jos (@skelsec)
 #
 
+import datetime
 from msldap.ldap_objects.common import MSLDAP_UAC, vn
 
 MSADMachine_ATTRS = [
@@ -63,6 +64,53 @@ def __init__(self):
 		self.whenCreated = None
 		self.servicePrincipalName = None
 		self.allowedtodelegateto = None
+
+		## calculated properties
+		self.when_pw_change = None #datetime
+		self.when_pw_expires = None #datetime
+		self.must_change_pw = None #datetime
+		self.canLogon = None #bool
+
+	# https://msdn.microsoft.com/en-us/library/cc245739.aspx
+	def calc_PasswordMustChange(self, adinfo):
+		# Crtieria 1
+		flags = [MSLDAP_UAC.DONT_EXPIRE_PASSWD, MSLDAP_UAC.SMARTCARD_REQUIRED, MSLDAP_UAC.INTERDOMAIN_TRUST_ACCOUNT, MSLDAP_UAC.WORKSTATION_TRUST_ACCOUNT, MSLDAP_UAC.SERVER_TRUST_ACCOUNT]
+		for flag in flags:
+			if flag & self.userAccountControl:
+				return datetime.datetime.max #never
+
+		#criteria 2
+		if self.pwdLastSet == 0:
+			return datetime.datetime.min
+
+		if adinfo.maxPwdAge == 0:
+			return datetime.datetime.max #never
+
+		return (self.pwdLastSet - adinfo.maxPwdAge).replace(tzinfo=None)
+
+
+	# https://msdn.microsoft.com/en-us/library/cc223991.aspx
+	def calc_CanLogon(self):
+		flags = [MSLDAP_UAC.ACCOUNTDISABLE, MSLDAP_UAC.LOCKOUT, MSLDAP_UAC.SMARTCARD_REQUIRED, MSLDAP_UAC.INTERDOMAIN_TRUST_ACCOUNT, MSLDAP_UAC.WORKSTATION_TRUST_ACCOUNT, MSLDAP_UAC.SERVER_TRUST_ACCOUNT]
+		for flag in flags:
+			if flag & self.userAccountControl:
+				return False
+		
+		if (not (MSLDAP_UAC.DONT_EXPIRE_PASSWD & self.userAccountControl)) and (self.accountExpires.replace(tzinfo=None) - datetime.datetime.now()).total_seconds() < 0:
+			return False
+
+		#
+		# TODO: logonHours check!
+		#
+		
+		if self.must_change_pw == datetime.datetime.min:
+			#can logon, but must change the password!
+			return True
+
+		if (self.must_change_pw - datetime.datetime.now()).total_seconds() < 0:
+			return False
+
+		return True
 		
 	@staticmethod
 	def from_ldap(entry, adinfo = None):
@@ -106,6 +154,13 @@ def from_ldap(entry, adinfo = None):
 		temp = entry['attributes'].get('userAccountControl')
 		if temp:
 			adi.userAccountControl = MSLDAP_UAC(temp)
+
+			if adinfo:
+				adi.when_pw_change = (adi.pwdLastSet - adinfo.minPwdAge).replace(tzinfo=None)
+				adi.when_pw_expires = (adi.pwdLastSet - adinfo.maxPwdAge).replace(tzinfo=None) if adinfo.maxPwdAge != 0 else adi.pwdLastSet
+				adi.must_change_pw = adi.calc_PasswordMustChange(adinfo) #datetime
+				adi.canLogon = adi.calc_CanLogon() #bool
+
 		return adi
 		
 	def to_dict(self):
diff --git a/msldap/ldap_objects/aduser.py b/msldap/ldap_objects/aduser.py
@@ -80,7 +80,7 @@ def __init__(self):
 		self.canLogon = None #bool
 
 	# https://msdn.microsoft.com/en-us/library/cc245739.aspx
-	def calc_PasswordMustChange(self):
+	def calc_PasswordMustChange(self, adinfo):
 		# Crtieria 1
 		flags = [MSLDAP_UAC.DONT_EXPIRE_PASSWD, MSLDAP_UAC.SMARTCARD_REQUIRED, MSLDAP_UAC.INTERDOMAIN_TRUST_ACCOUNT, MSLDAP_UAC.WORKSTATION_TRUST_ACCOUNT, MSLDAP_UAC.SERVER_TRUST_ACCOUNT]
 		for flag in flags:
@@ -91,10 +91,10 @@ def calc_PasswordMustChange(self):
 		if self.pwdLastSet == 0:
 			return datetime.datetime.min
 
-		if (self.when_pw_expires - datetime.datetime.now()).total_seconds() > 0:
+		if adinfo.maxPwdAge == 0:
 			return datetime.datetime.max #never
 
-		return self.pwdLastSet.replace(tzinfo=None)
+		return (self.pwdLastSet - adinfo.maxPwdAge).replace(tzinfo=None)
 
 
 	# https://msdn.microsoft.com/en-us/library/cc223991.aspx
@@ -103,8 +103,8 @@ def calc_CanLogon(self):
 		for flag in flags:
 			if flag & self.userAccountControl:
 				return False
-
-		if (self.accountExpires.replace(tzinfo=None) - datetime.datetime.now()).total_seconds() < 0:
+		
+		if (not (MSLDAP_UAC.DONT_EXPIRE_PASSWD & self.userAccountControl)) and (self.accountExpires.replace(tzinfo=None) - datetime.datetime.now()).total_seconds() < 0:
 			return False
 
 		#
@@ -162,11 +162,10 @@ def from_ldap(entry, adinfo = None):
 			adi.userAccountControl = MSLDAP_UAC(temp)
 
 			if adinfo:
-				adi.when_pw_change = (adi.pwdLastSet - adinfo.minPwdAge/10000000).replace(tzinfo=None)
-				adi.when_pw_expires = (adi.pwdLastSet - adinfo.maxPwdAge/10000000).replace(tzinfo=None)
-				adi.must_change_pw = adi.calc_PasswordMustChange() #datetime
-				if adi.sAMAccountName[-1] != '$':
-					adi.canLogon = adi.calc_CanLogon() #bool
+				adi.when_pw_change = (adi.pwdLastSet - adinfo.minPwdAge).replace(tzinfo=None)
+				adi.when_pw_expires = (adi.pwdLastSet - adinfo.maxPwdAge).replace(tzinfo=None) if adinfo.maxPwdAge != 0 else adi.pwdLastSet
+				adi.must_change_pw = adi.calc_PasswordMustChange(adinfo) #datetime
+				adi.canLogon = adi.calc_CanLogon() #bool
 
 
 		return adi
