0005-ldap-handle-ppolicy-control-changing-reseting-passwo.patch

Benjamin Renard, 10 novembre 2022 23:36


Subject: [PATCH 5/6] ldap: handle ppolicy control changing/reseting password

Licence: MIT
 src/authentic2/backends/ldap_backend.py | 61 ++++++++++++++++++-------
 1 file changed, 44 insertions(+), 17 deletions(-)
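--- a/src/authentic2/backends/ldap_backend.py
+++ b/src/authentic2/backends/ldap_backend.py
@@ -605,6 +605,21 @@
                 message = str(vars(c))
             log.info('ldap: bind error with authz_id "%s" -> "%s"', authz_id, message)
 
+    @classmethod
+    def process_modify_password_controls(cls, block, conn, authz_id, ctrls):
+        attributes = cls.get_ppolicy_attributes(block, conn, authz_id)
+        errors = []
+        for c in ctrls:
+            if c.controlType == ppolicy.PasswordPolicyControl.controlType:
+                message = ' '.join(password_policy_control_messages(c, attributes))
+            else:
+                message = str(vars(c))
+            log.info('ldap: fail to modify password of "%s" -> "%s"', authz_id, message)
+            errors.append(message)
+
+        if errors:
+            raise PasswordChangeError(' '.join(errors))
+
     @classmethod
     def check_group_to_role_mappings(cls, block):
         group_to_role_mapping = block.get('group_to_role_mapping')
@@ -1769,24 +1784,36 @@
     @classmethod
     def modify_password(cls, conn, block, dn, old_password, new_password):
         '''Change user password with adaptation for Active Directory'''
-        if old_password is not None and (block['use_password_modify'] and not block['active_directory']):
-            conn.passwd_s(dn, old_password, new_password)
-        else:
-            modlist = []
-            if block['active_directory']:
-                key = 'unicodePwd'
-                value = cls.ad_encoding(new_password)
-                if old_password:
-                    modlist = [
-                        (ldap.MOD_DELETE, key, [cls.ad_encoding(old_password)]),
-                        (ldap.MOD_ADD, key, [value]),
-                    ]
-                else:
-                    modlist = [(ldap.MOD_REPLACE, key, [value])]
+        serverctrls = []
+        if block.get('use_controls'):
+            serverctrls = [ppolicy.PasswordPolicyControl()]
+
+        try:
+            if old_password is not None and (block['use_password_modify'] and not block['active_directory']):
+                results = conn.passwd_s(dn, old_password, new_password, serverctrls=serverctrls)
             else:
-                key = 'userPassword'
-                modlist = [(ldap.MOD_REPLACE, key, [new_password.encode('utf8')])]
-            conn.modify_s(dn, modlist)
+                modlist = []
+                if block['active_directory']:
+                    attr = 'unicodePwd'
+                    value = cls.ad_encoding(new_password)
+                    if old_password:
+                        modlist = [
+                            (ldap.MOD_DELETE, attr, [cls.ad_encoding(old_password)]),
+                            (ldap.MOD_ADD, attr, [value]),
+                        ]
+                    else:
+                        modlist = [(ldap.MOD_REPLACE, attr, [value])]
+                else:
+                    key = 'userPassword'
+                    modlist = [(ldap.MOD_REPLACE, key, [new_password.encode('utf8')])]
+                results = conn.modify_ext_s(dn, modlist, serverctrls=serverctrls)
+            if block.get('use_controls') and len(results) >= 3:
+                cls.process_modify_password_controls(block, conn, dn, results[3])
+        except ldap.LDAPError as e:
+            if block.get('use_controls') and len(e.args) > 0 and 'ctrls' in e.args[0]:
+                cls.process_modify_password_controls(block, conn, dn, DecodeControlTuples(e.args[0]['ctrls']))
+            raise
+
         log.debug('modified password for dn %r', dn)
 
     @classmethod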
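Review bot: The guard `if block.get('use_controls') and len(results) >= 3:` followed by `results[3]` is off by one: a result of exactly three elements passes the check and then raises IndexError at the index, so it should read `if block.get('use_controls') and len(results) > 3:`. What `passwd_s` returns when called with `serverctrls` is not visible here; if it is shorter than a `modify_ext_s` result, the response controls on the password-modify path are silently never processed, which deserves a comment on that line. In `process_modify_password_controls` (first hunk), the fallback `message = str(vars(c))` for a non-ppolicy control ends up in the `PasswordChangeError` text; if that error is shown to the end user it exposes raw control internals, so consider logging the repr and appending only a generic message for unknown controls.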
1793
-