605 |
605 |
message = str(vars(c))
|
606 |
606 |
log.info('ldap: bind error with authz_id "%s" -> "%s"', authz_id, message)
|
607 |
607 |
|
|
608 |
@classmethod
|
|
609 |
def process_modify_password_controls(cls, block, conn, authz_id, ctrls):
|
|
610 |
attributes = cls.get_ppolicy_attributes(block, conn, authz_id)
|
|
611 |
errors = []
|
|
612 |
for c in ctrls:
|
|
613 |
if c.controlType == ppolicy.PasswordPolicyControl.controlType:
|
|
614 |
message = ' '.join(password_policy_control_messages(c, attributes))
|
|
615 |
else:
|
|
616 |
message = str(vars(c))
|
|
617 |
log.info('ldap: fail to modify password of "%s" -> "%s"', authz_id, message)
|
|
618 |
errors.append(message)
|
|
619 |
|
|
620 |
if errors:
|
|
621 |
raise PasswordChangeError(' '.join(errors))
|
|
622 |
|
608 |
623 |
@classmethod
|
609 |
624 |
def check_group_to_role_mappings(cls, block):
|
610 |
625 |
group_to_role_mapping = block.get('group_to_role_mapping')
|
... | ... | |
1769 |
1784 |
@classmethod
|
1770 |
1785 |
def modify_password(cls, conn, block, dn, old_password, new_password):
|
1771 |
1786 |
'''Change user password with adaptation for Active Directory'''
|
1772 |
|
if old_password is not None and (block['use_password_modify'] and not block['active_directory']):
|
1773 |
|
conn.passwd_s(dn, old_password, new_password)
|
1774 |
|
else:
|
1775 |
|
modlist = []
|
1776 |
|
if block['active_directory']:
|
1777 |
|
key = 'unicodePwd'
|
1778 |
|
value = cls.ad_encoding(new_password)
|
1779 |
|
if old_password:
|
1780 |
|
modlist = [
|
1781 |
|
(ldap.MOD_DELETE, key, [cls.ad_encoding(old_password)]),
|
1782 |
|
(ldap.MOD_ADD, key, [value]),
|
1783 |
|
]
|
1784 |
|
else:
|
1785 |
|
modlist = [(ldap.MOD_REPLACE, key, [value])]
|
|
1787 |
serverctrls = []
|
|
1788 |
if block.get('use_controls'):
|
|
1789 |
serverctrls = [ppolicy.PasswordPolicyControl()]
|
|
1790 |
|
|
1791 |
try:
|
|
1792 |
if old_password is not None and (block['use_password_modify'] and not block['active_directory']):
|
|
1793 |
results = conn.passwd_s(dn, old_password, new_password, serverctrls=serverctrls)
|
1786 |
1794 |
else:
|
1787 |
|
key = 'userPassword'
|
1788 |
|
modlist = [(ldap.MOD_REPLACE, key, [new_password.encode('utf8')])]
|
1789 |
|
conn.modify_s(dn, modlist)
|
|
1795 |
modlist = []
|
|
1796 |
if block['active_directory']:
|
|
1797 |
attr = 'unicodePwd'
|
|
1798 |
value = cls.ad_encoding(new_password)
|
|
1799 |
if old_password:
|
|
1800 |
modlist = [
|
|
1801 |
(ldap.MOD_DELETE, attr, [cls.ad_encoding(old_password)]),
|
|
1802 |
(ldap.MOD_ADD, attr, [value]),
|
|
1803 |
]
|
|
1804 |
else:
|
|
1805 |
modlist = [(ldap.MOD_REPLACE, attr, [value])]
|
|
1806 |
else:
|
|
1807 |
key = 'userPassword'
|
|
1808 |
modlist = [(ldap.MOD_REPLACE, key, [new_password.encode('utf8')])]
|
|
1809 |
results = conn.modify_ext_s(dn, modlist, serverctrls=serverctrls)
|
|
1810 |
if block.get('use_controls') and len(results) >= 3:
|
|
1811 |
cls.process_modify_password_controls(block, conn, dn, results[3])
|
|
1812 |
except ldap.LDAPError as e:
|
|
1813 |
if block.get('use_controls') and len(e.args) > 0 and 'ctrls' in e.args[0]:
|
|
1814 |
cls.process_modify_password_controls(block, conn, dn, DecodeControlTuples(e.args[0]['ctrls']))
|
|
1815 |
raise
|
|
1816 |
|
1790 |
1817 |
log.debug('modified password for dn %r', dn)
|
1791 |
1818 |
|
1792 |
1819 |
@classmethod
|
1793 |
|
-
|