author Rob Crittenden <rcritten@redhat.com> 2011-09-16 15:08:17 -0400
committer Martin Kosek <mkosek@redhat.com> 2011-10-04 15:16:15 +0200
commit bd227b356280f54f48bc01901275833a51f87fd7
tree 2a6746e8032067843ce020daa5c642fd46a57e29 /ipaserver
parent 28603e0c3ac20390a860347afb7a6ed976166e03
Require current password when using passwd to change your own password.

Add a new required parameter, current_password. In order to ask this first I added a new parameter option, sortorder. The lower the value the earlier it will be prompted for.

I also changed the way autofill works. It will attempt to get the default and if it doesn't get anything will continue prompting interactively.

Since current_password is required I'm passing a magic value that means changing someone else's password. We need to pass something since current_password is required.

The python-ldap passwd command doesn't seem to use the old password at all so I do a simple bind to validate it.

https://fedorahosted.org/freeipa/ticket/1808

Diffstat (limited to 'ipaserver')
-rw-r--r-- ipaserver/plugins/ldap2.py 11
1 files changed, 11 insertions, 0 deletions
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index a2e592d30..b12403b93 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -899,6 +899,17 @@ class ldap2(CrudBackend, Encoder):
def modify_password(self, dn, new_pass, old_pass=''):
"""Set user password."""
dn = self.normalize_dn(dn)
+
+ # The python-ldap passwd command doesn't verify the old password
+ # so we'll do a simple bind to validate it.
+ if old_pass != '':
+ try:
+ conn = _ldap.initialize(self.ldap_uri)
+ conn.simple_bind_s(dn, old_pass)
+ conn.unbind()
+ except _ldap.LDAPError, e:
+ _handle_errors(e, **{})
+
try:
self.conn.passwd_s(dn, old_pass, new_pass)
except _ldap.LDAPError, e:
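
Review bot: The old-password check added to modify_password is gated on `if old_pass != '':`, and `old_pass` defaults to `''`, so any caller that omits the argument or passes an empty string skips verification and goes straight to `passwd_s`. Enforcement therefore rests entirely on the callers; the docstring should state which callers may legitimately pass an empty value and that this method does not itself require the current password. Separately, `conn.unbind()` sits inside the `try`, so when `simple_bind_s` raises, the freshly opened connection is never released; create the connection before the `try` and move the unbind into a `finally`. The verification connection comes from a bare `_ldap.initialize(self.ldap_uri)` followed by a simple bind, with no TLS setup visible in this hunk, so confirm that the URI scheme in use protects the old password in transit.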