ldap2: add otp support to modify_password

https://fedorahosted.org/freeipa/ticket/4262

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>

1 files changed, 6 insertions, 3 deletions

diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index cfcec7c80..29bb20d41 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -408,18 +408,21 @@ class ldap2(LDAPClient, CrudBackend):
 
         return False
 
-    def modify_password(self, dn, new_pass, old_pass=''):
+    def modify_password(self, dn, new_pass, old_pass='', otp='', skip_bind=False):
         """Set user password."""
 
         assert isinstance(dn, DN)
 
         # The python-ldap passwd command doesn't verify the old password
         # so we'll do a simple bind to validate it.
-        if old_pass != '':
+        if not skip_bind and old_pass != '':
+            pw = old_pass
+            if (otp):
+                pw = old_pass+otp
             with self.error_handler():
                 conn = IPASimpleLDAPObject(
                     self.ldap_uri, force_schema_updates=False)
-                conn.simple_bind_s(dn, old_pass)
+                conn.simple_bind_s(dn, pw)
                 conn.unbind_s()
 
         with self.error_handler():