diff options
| -rw-r--r-- | ipa_server/plugins/b_ldap.py | 3 | ||||
| -rw-r--r-- | ipa_server/servercore.py | 5 | ||||
| -rw-r--r-- | ipalib/plugins/f_passwd.py | 82 |
3 files changed, 89 insertions, 1 deletions
diff --git a/ipa_server/plugins/b_ldap.py b/ipa_server/plugins/b_ldap.py index 3a470b3f7..e63865bbf 100644 --- a/ipa_server/plugins/b_ldap.py +++ b/ipa_server/plugins/b_ldap.py @@ -143,6 +143,9 @@ class ldap(CrudBackend): return (exact_match_filter, partial_match_filter) + def modify_password(self, dn, **kw): + return servercore.modify_password(dn, kw.get('oldpass'), kw.get('newpass')) + # The CRUD operations def create(self, **kw): diff --git a/ipa_server/servercore.py b/ipa_server/servercore.py index ed3c093e4..1f41d410f 100644 --- a/ipa_server/servercore.py +++ b/ipa_server/servercore.py @@ -161,7 +161,7 @@ def get_entry_by_cn (cn, sattrs): """ # logging.info("IPA: get_entry_by_cn '%s'" % cn) # cn = self.__safe_filter(cn) - searchfilter = "(cn=%s)" % cn + searchfilter = "(cn=%s)" % cn return get_sub_entry("cn=accounts," + api.env.basedn, searchfilter, sattrs) def get_user_by_uid(uid, sattrs): @@ -311,6 +311,9 @@ def get_ipa_config(): return config +def modify_password(dn, oldpass, newpass): + return context.conn.getConn().modifyPassword(dn, oldpass, newpass) + def mark_entry_active (dn): """Mark an entry as active in LDAP.""" diff --git a/ipalib/plugins/f_passwd.py b/ipalib/plugins/f_passwd.py new file mode 100644 index 000000000..b1f907322 --- /dev/null +++ b/ipalib/plugins/f_passwd.py @@ -0,0 +1,82 @@ +# Authors: +# Rob Crittenden <rcritten@redhat.com> +# +# Copyright (C) 2008 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +""" +Frontend plugins for password changes. +""" + +from ipalib import frontend +from ipalib.frontend import Param +from ipalib import api +from ipalib import errors +from ipalib import ipa_types +import krbV + +def get_current_principal(): + try: + return krbV.default_context().default_ccache().principal().name + except krbV.Krb5Error: + #TODO: do a kinit + print "Unable to get kerberos principal" + return None + +class passwd(frontend.Command): + 'Edit existing password policy.' + takes_args = ( + Param('principal', + cli_name='user', + primary_key=True, + default_from=get_current_principal, + ), + ) + def execute(self, principal, **kw): + """ + Execute the passwd operation. + + The dn should not be passed as a keyword argument as it is constructed + by this method. + + Returns the entry + + :param param uid: The login name of the user being updated. + :param kw: Not used. + """ + ldap = self.api.Backend.ldap + + if principal.find('@') < 0: + u = principal.split('@') + if len(u) > 2 or len(u) == 0: + print "Invalid user name (%s)" % principal + if len(u) == 1: + principal = principal+"@"+self.api.env.realm + else: + principal = principal + + dn = ldap.find_entry_dn("krbprincipalname", principal, "person") + + # FIXME: we need a way to prompt for passwords using getpass + kw['newpass'] = "password" + + return ldap.modify_password(dn, **kw) + + def output_for_cli(self, ret): + if ret: + print "Password change successful" + +api.register(passwd) |