From bd227b356280f54f48bc01901275833a51f87fd7 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Fri, 16 Sep 2011 15:08:17 -0400
Subject: Require current password when using passwd to change your own password.
Add a new required parameter, current_password. In order to ask this first I added a new parameter option, sortorder. The lower the value the earlier it will be prompted for. I also changed the way autofill works. It will attempt to get the default and if it doesn't get anything will continue prompting interactively. Since current_password is required I'm passing a magic value that means changing someone else's password. We need to pass something since current_password is required. The python-ldap passwd command doesn't seem to use the old password at all so I do a simple bind to validate it. https://fedorahosted.org/freeipa/ticket/1808
---
 ipaserver/plugins/ldap2.py | 11 +++++++++++
 1 file changed, 11 insertions(+)
(limited to 'ipaserver/plugins/ldap2.py')
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index a2e592d3..b12403b9 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -899,6 +899,17 @@ class ldap2(CrudBackend, Encoder):
 def modify_password(self, dn, new_pass, old_pass=''):
 """Set user password."""
 dn = self.normalize_dn(dn)
+
+ # The python-ldap passwd command doesn't verify the old password
+ # so we'll do a simple bind to validate it.
+ if old_pass != '':
+ try:
+ conn = _ldap.initialize(self.ldap_uri)
+ conn.simple_bind_s(dn, old_pass)
+ conn.unbind()
+ except _ldap.LDAPError, e:
+ _handle_errors(e, **{})
+
 try:
 self.conn.passwd_s(dn, old_pass, new_pass)
 except _ldap.LDAPError, e:
-- cgit
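Review bot: The old-password check in `modify_password` runs only when `old_pass != ''`, and `old_pass` still defaults to `''`, so any caller that omits it or passes an empty string reaches `self.conn.passwd_s` with no verification. Nothing in this hunk ties that unverified path to a privileged caller, so the decision rests entirely on code outside this file. A comment at the `if` would make the contract explicit, e.g. `# empty old_pass skips verification; the caller must already have authorized the reset`. Separately, `conn.unbind()` sits inside the `try`, so a failed `simple_bind_s` (the wrong-password case) skips it and leaves the temporary connection open; moving it into a `finally:` clause closes it on both paths. The flow also relies on `_handle_errors` always raising, which is not visible here, and the function body continues past the end of the hunk.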