author | Rob Crittenden <rcritten@redhat.com> | 2011-09-16 15:08:17 -0400 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2011-10-04 15:16:15 +0200 |
commit | bd227b356280f54f48bc01901275833a51f87fd7 (patch) | |
tree | 2a6746e8032067843ce020daa5c642fd46a57e29 /ipaserver/plugins/ldap2.py | |
parent | 28603e0c3ac20390a860347afb7a6ed976166e03 (diff) | |

Require current password when using passwd to change your own password.

Add a new required parameter, current_password. In order to ask this
first I added a new parameter option, sortorder. The lower the value the
earlier it will be prompted for.

I also changed the way autofill works. It will attempt to get the default
and if it doesn't get anything will continue prompting interactively.

Since current_password is required I'm passing a magic value that
means changing someone else's password. We need to pass something
since current_password is required.

The python-ldap passwd command doesn't seem to use the old password at
all so I do a simple bind to validate it.

https://fedorahosted.org/freeipa/ticket/1808
Diffstat (limited to 'ipaserver/plugins/ldap2.py')
-rw-r--r-- | ipaserver/plugins/ldap2.py | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index a2e592d30..b12403b93 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -899,6 +899,17 @@ class ldap2(CrudBackend, Encoder): def modify_password(self, dn, new_pass, old_pass=''): """Set user password.""" dn = self.normalize_dn(dn) + + # The python-ldap passwd command doesn't verify the old password + # so we'll do a simple bind to validate it. + if old_pass != '': + try: + conn = _ldap.initialize(self.ldap_uri) + conn.simple_bind_s(dn, old_pass) + conn.unbind() + except _ldap.LDAPError, e: + _handle_errors(e, **{}) + try: self.conn.passwd_s(dn, old_pass, new_pass) except _ldap.LDAPError, e: |
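
Review bot: In the new `if old_pass != '':` block, `conn.unbind()` is reached only when `simple_bind_s` succeeds, so a failed bind (the wrong-password case this check exists for) leaves the freshly initialized connection open; move the unbind into a `finally:` clause. The check also relies on `_handle_errors(e, **{})` raising for every `_ldap.LDAPError`, because if it ever returns, control falls through to `self.conn.passwd_s(dn, old_pass, new_pass)` with an unverified old password; that is worth confirming, and the `**{}` argument can simply be dropped. Since `old_pass` still defaults to `''` and that value skips the bind entirely, verification is opt-in per caller, so the docstring should state that an empty `old_pass` means the current password is not checked.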