From ed6ab17c9c703edb43c92a3205c5536771ce4d4f Mon Sep 17 00:00:00 2001 From: "rcritten@redhat.com" Date: Tue, 11 Sep 2007 02:48:53 -0400 Subject: Add function to allow user's to set/reset their kerberos password Remove some unused calls to retrieve the current realm --- ipa-admintools/ipa-adduser | 13 ++++++++++++- ipa-python/ipaclient.py | 17 +++++++---------- ipa-python/rpcclient.py | 16 ++++++++++++++++ ipa-server/ipaserver/ipaldap.py | 18 ++++++++++++++++++ ipa-server/xmlrpc-server/funcs.py | 18 ++++++++++++++++++ ipa-server/xmlrpc-server/ipaxmlrpc.py | 1 + 6 files changed, 72 insertions(+), 11 deletions(-) diff --git a/ipa-admintools/ipa-adduser b/ipa-admintools/ipa-adduser index 99aadee40..dd99e1e4d 100644 --- a/ipa-admintools/ipa-adduser +++ b/ipa-admintools/ipa-adduser @@ -43,6 +43,8 @@ def parse_options(): help="User's first name") parser.add_option("-l", "--lastname", dest="sn", help="User's last name") + parser.add_option("-p", "--password", dest="password", + help="Set user's password") parser.add_option("-s", "--shell", dest="shell", help="Set user's login shell to shell") parser.add_option("--usage", action="store_true", @@ -75,10 +77,11 @@ def main(): else: user.setValue('loginshell', "/bin/bash") + username = args[1] + try: client = ipaclient.IPAClient() client.add_user(user) - print args[1] + " successfully added" except xmlrpclib.Fault, f: print f.faultString return 1 @@ -92,6 +95,14 @@ def main(): print "%s" % (e.message) return 1 + if options.password is not None: + try: + client.modifyPassword(username, None, options.password) + except ipa.ipaerror.IPAError, e: + print "%s" % (e.message) + return 1 + + print username + " successfully added" return 0 main() diff --git a/ipa-python/ipaclient.py b/ipa-python/ipaclient.py index fcfb29f1d..86f4471b5 100644 --- a/ipa-python/ipaclient.py +++ b/ipa-python/ipaclient.py 
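Review bot: The new `-p/--password` option takes the secret as a command-line argument, so it is recorded in shell history and is visible to every local user in the process list while ipa-adduser runs; reading it with `getpass.getpass("Password: ")` when the option is present (or accepting it from a file or stdin) avoids that exposure. In the third hunk, a failure in `client.modifyPassword` prints only `e.message` and returns 1 even though `client.add_user` has already succeeded, leaving the operator with a created account whose password was never set and no message saying so; something like `print username + " added, but setting the password failed: %s" % e.message` before the `return 1` would make the partial result explicit. Also, optparse leaves `options.password` as `None` only when the option is absent, so `if options.password is not None` accepts `-p ""` as a request to set an empty password; rejecting an empty value in the client is cheap.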
@@ -65,8 +65,6 @@ class IPAClient: def add_user(self,user,user_container=None): """Add a user. user is a ipa.user.User object""" - realm = config.config.get_realm() - user_dict = user.toDict() # dn is set on the server-side @@ -110,24 +108,25 @@ class IPAClient: def update_user(self,user): """Update a user entry.""" - realm = config.config.get_realm() - result = self.transport.update_user(user.origDataDict(), user.toDict()) return result def delete_user(self,uid): """Delete a user entry.""" - realm = config.config.get_realm() - result = self.transport.delete_user(uid) return result + def modifyPassword(self,uid,oldpass,newpass): + """Modify a user's password""" + + result = self.transport.modifyPassword(uid,oldpass,newpass) + + return result + def mark_user_deleted(self,uid): """Set a user as inactive by uid.""" - realm = config.config.get_realm() - result = self.transport.mark_user_deleted(uid) return result @@ -150,8 +149,6 @@ class IPAClient: def add_group(self,group,group_container=None): """Add a group. group is a ipa.group.Group object""" - realm = config.config.get_realm() - group_dict = group.toDict() # dn is set on the server-side diff --git a/ipa-python/rpcclient.py b/ipa-python/rpcclient.py index e0d6e2ee7..bbf2745ed 100644 --- a/ipa-python/rpcclient.py +++ b/ipa-python/rpcclient.py @@ -195,6 +195,22 @@ class RPCClient: return result + def modifyPassword(self,uid,oldpass,newpass): + """Modify a user's password""" + server = self.setup_server() + + if oldpass is None: + oldpass = "__NONE__" + + try: + result = server.modifyPassword(uid,oldpass,newpass) + except xmlrpclib.Fault, fault: + raise ipaerror.gen_exception(fault.faultCode, fault.faultString) + except socket.error, (value, msg): + raise xmlrpclib.Fault(value, msg) + + return result + def mark_user_deleted(self,uid): """Mark a user as deleted/inactive""" server = self.setup_server() diff --git a/ipa-server/ipaserver/ipaldap.py b/ipa-server/ipaserver/ipaldap.py index c0452b05a..27a8903d6 100644 
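Review bot: `modifyPassword` is the only camelCase method among `add_user`, `update_user`, `delete_user` and `mark_user_deleted` in IPAClient; the XML-RPC method name presumably comes from the function registered in ipaxmlrpc.py rather than from this wrapper, so `modify_password` would follow the file's naming convention without affecting the wire protocol. The docstring should also say that `oldpass` may be `None` for an administrative reset, since ipa-adduser passes `None` here and the transport layer substitutes a sentinel for it, e.g. `"""Modify a user's password. oldpass may be None when an administrator resets a password without knowing the current one."""`.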
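Review bot: The `"__NONE__"` sentinel substituted for a missing `oldpass` is sent over XML-RPC, but the server-side `IPAServer.modifyPassword` in funcs.py forwards `oldpass` unchanged to the LDAP password-modify operation without translating the sentinel back to `None`, so the administrative-reset path used by ipa-adduser presumably ends up presenting the literal `"__NONE__"` as the current password; either convert it back on the server (`if oldpass == "__NONE__": oldpass = None`) or agree on an encoding that both ends handle, and document it in the docstrings on both sides. The sentinel is also indistinguishable from a user whose real current password happens to be that string, which is another reason to keep the translation explicit. Note that `newpass` travels in the RPC payload, so this method relies on the connection from `setup_server` being confidential; that setup is outside the hunk.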
--- a/ipa-server/ipaserver/ipaldap.py +++ b/ipa-server/ipaserver/ipaldap.py @@ -469,6 +469,24 @@ class IPAdmin(SimpleLDAPObject): raise ipaerror.gen_exception(ipaerror.LDAP_DATABASE_ERROR, None, e) return "Success" + def modifyPassword(self,dn,oldpass,newpass): + """Set the user password using RFC 3062, LDAP Password Modify Extended + Operation. This ends up calling the IPA password slapi plugin + handler so the Kerberos password gets set properly. + + oldpass is not mandatory + """ + + sctrl = self.__get_server_controls__() + + try: + if sctrl is not None: + self.set_option(ldap.OPT_SERVER_CONTROLS, sctrl) + self.passwd_s(dn, oldpass, newpass) + except ldap.LDAPError, e: + raise ipaerror.gen_exception(ipaerror.LDAP_DATABASE_ERROR, None, e) + return "Success" + def __wrapmethods(self): """This wraps all methods of SimpleLDAPObject, so that we can intercept the methods that deal with entries. Instead of using a raw list of tuples diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py index 66fabf4be..79dd04d67 100644 --- a/ipa-server/xmlrpc-server/funcs.py +++ b/ipa-server/xmlrpc-server/funcs.py @@ -524,6 +524,24 @@ class IPAServer: self.releaseConnection(conn) return res + def modifyPassword (self, uid, oldpass, newpass, opts=None): + """Set/Reset a user's password + + uid tells us who's password to change + oldpass is the old password (if available) + newpass is the new password + """ + user_dn = self.get_user_by_uid(uid, ['dn', 'uid', 'objectclass'], opts) + if user_dn is None: + raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND) + + conn = self.getConnection(opts) + try: + res = conn.modifyPassword(user_dn['dn'], oldpass, newpass) + finally: + self.releaseConnection(conn) + return res + # Group support def __is_group_unique(self, cn, opts): diff --git a/ipa-server/xmlrpc-server/ipaxmlrpc.py b/ipa-server/xmlrpc-server/ipaxmlrpc.py index f2ddd35e8..a4ae4e7c0 100644 --- a/ipa-server/xmlrpc-server/ipaxmlrpc.py 
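Review bot: Every `ldap.LDAPError` raised by `passwd_s` is collapsed into `ipaerror.LDAP_DATABASE_ERROR`, so a wrong `oldpass`, a password-policy rejection and an access-control denial all reach the caller as a database error and cannot be told apart from a genuine server fault; catching the specific exceptions (for example `ldap.INVALID_CREDENTIALS`, `ldap.CONSTRAINT_VIOLATION`, `ldap.INSUFFICIENT_ACCESS`) ahead of the generic handler and mapping them to distinct ipaerror codes would let clients report the real cause without exposing anything new. `set_option(ldap.OPT_SERVER_CONTROLS, sctrl)` is connection-wide and is not cleared afterwards, so the controls remain attached to later operations on this `IPAdmin` object; the sibling method above appears to end the same way, so if persisting them is intended a comment saying so would help, and if not the option should be reset in a `finally`. The docstring's "oldpass is not mandatory" could be made concrete as `oldpass may be None; passwd_s then omits the old password from the request`.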
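Review bot: `modifyPassword` is reachable by every RPC caller and changes the password of whichever `uid` is named, so the only control between an authenticated user and another user's password is whatever the directory enforces for the identity bound through `getConnection(opts)`; that is not visible here, so a comment stating that authorization for this operation is delegated to the directory's access control, plus a test that a non-administrative caller cannot reset another account's password, would make the assumption explicit. `get_user_by_uid(uid, ['dn', 'uid', 'objectclass'], opts)` requests attributes the function never reads; `['dn']` is sufficient. A password change is an audit-relevant event and no record of the requester and target is made in the hunk; if the server has a logging facility, this is the place to use it.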
+++ b/ipa-server/xmlrpc-server/ipaxmlrpc.py @@ -308,6 +308,7 @@ def handler(req, profiling=False): h.register_function(f.update_user) h.register_function(f.delete_user) h.register_function(f.mark_user_deleted) + h.register_function(f.modifyPassword) h.register_function(f.get_group_by_cn) h.register_function(f.get_group_by_dn) h.register_function(f.add_group) -- cgit