diff options
author | Rob Crittenden <rcritten@redhat.com> | 2011-09-16 15:08:17 -0400 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2011-10-04 15:16:38 +0200 |
commit | 844d4ff8bfb933ad8121d32343ae8418a79839cd (patch) | |
tree | 68e072ceb4d924a8d38afc1c33d655e4155aae00 /ipaserver | |
parent | 651534087c1e45f4a3f501b80bc1b43dbef3a6a5 (diff) | |
download | freeipa-844d4ff8bfb933ad8121d32343ae8418a79839cd.tar.gz freeipa-844d4ff8bfb933ad8121d32343ae8418a79839cd.tar.xz freeipa-844d4ff8bfb933ad8121d32343ae8418a79839cd.zip |
Require current password when using passwd to change your own password.
Add a new required parameter, current_password. In order to ask this
first I added a new parameter option, sortorder. The lower the value the
earlier it will be prompted for.
I also changed the way autofill works. It will attempt to get the default
and if it doesn't get anything will continue prompting interactively.
Since current_password is required I'm passing a magic value that
means changing someone else's password. We need to pass something
since current_password is required.
The python-ldap passwd command doesn't seem to use the old password at
all so I do a simple bind to validate it.
https://fedorahosted.org/freeipa/ticket/1808
Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/plugins/ldap2.py | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index a2e592d30..b12403b93 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -899,6 +899,17 @@ class ldap2(CrudBackend, Encoder): def modify_password(self, dn, new_pass, old_pass=''): """Set user password.""" dn = self.normalize_dn(dn) + + # The python-ldap passwd command doesn't verify the old password + # so we'll do a simple bind to validate it. + if old_pass != '': + try: + conn = _ldap.initialize(self.ldap_uri) + conn.simple_bind_s(dn, old_pass) + conn.unbind() + except _ldap.LDAPError, e: + _handle_errors(e, **{}) + try: self.conn.passwd_s(dn, old_pass, new_pass) except _ldap.LDAPError, e: |