From 2108fc3fbdba5afab3cdcd6a831e979ed14be07a Mon Sep 17 00:00:00 2001
From: Valentin Deniaud
Date: Thu, 14 Oct 2021 17:56:56 +0200
Subject: [PATCH] ldap: do not crash if password change is not allowed (#57733)
---
 src/authentic2/backends/ldap_backend.py | 3 +++
 tests/test_ldap.py | 8 +++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/authentic2/backends/ldap_backend.py b/src/authentic2/backends/ldap_backend.py
index 7bcb4f4e..17ea02d4 100644
--- a/src/authentic2/backends/ldap_backend.py
+++ b/src/authentic2/backends/ldap_backend.py
@@ -479,6 +479,9 @@ class LDAPUser(User):
 except ldap.STRONG_AUTH_REQUIRED:
 log.warning('ldap: set_password failed, STRONG_AUTH_REQUIRED')
 return
+ except (ldap.UNWILLING_TO_PERFORM, ldap.INSUFFICIENT_ACCESS):
+ log.warning('ldap: set_password failed, password change not allowed')
+ return
 self._current_password = new_password
 self.keep_password_in_session(new_password)
 if self.block['keep_password']:
diff --git a/tests/test_ldap.py b/tests/test_ldap.py
index 578175bf..99695b35 100644
--- a/tests/test_ldap.py
+++ b/tests/test_ldap.py
@@ -1247,7 +1247,7 @@ def test_user_attributes(slapd, settings, client, db):
 client.session.flush()
-def test_set_password(slapd, settings, db):
+def test_set_password(slapd, settings, db, caplog):
 settings.LDAP_AUTH_SETTINGS = [
 {
 'url': [slapd.ldap_url],
@@ -1263,6 +1263,12 @@ def test_set_password(slapd, settings, db):
 user2 = authenticate(username='etienne.michu', password='àbon')
 assert user.pk == user2.pk
+ with mock.patch(
+ 'authentic2.backends.ldap_backend.LDAPBackend.modify_password', side_effect=ldap.UNWILLING_TO_PERFORM
+ ):
+ user.set_password('passé')
+ assert 'password change not allowed' in caplog.text
+
 def test_login_ppolicy_pwdMaxFailure(slapd_ppolicy, settings, db, app):
 settings.LDAP_AUTH_SETTINGS = [
--
2.30.2
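Review bot: The new `except (ldap.UNWILLING_TO_PERFORM, ldap.INSUFFICIENT_ACCESS)` branch in src/authentic2/backends/ldap_backend.py (hunk `@@ -479,6 +479,9 @@`) logs one message for both errors and then returns silently. An operator therefore cannot tell a server-side refusal from a bind identity that lacks the rights to modify the password, and the caller gets no signal that the directory password is unchanged. Binding the exception and logging it would keep the two cases apart: `except (ldap.UNWILLING_TO_PERFORM, ldap.INSUFFICIENT_ACCESS) as e:` with `log.warning('ldap: set_password failed, password change not allowed: %s', e)`. Whether the code calling set_password still reports success to the user after this early return is not visible here and is worth checking, because someone rotating a compromised password would otherwise believe it had been changed. The method starts and continues outside the hunk.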
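Review bot: The block added to test_set_password in tests/test_ldap.py (hunk `@@ -1263,6 +1263,12 @@`) raises only `ldap.UNWILLING_TO_PERFORM`, so the `ldap.INSUFFICIENT_ACCESS` half of the new except clause is never exercised, and the only thing asserted is the log text. Repeating the `mock.patch` block with `side_effect=ldap.INSUFFICIENT_ACCESS` (after a `caplog.clear()`, so the second log assertion is not satisfied by the first message) would cover both exceptions. Asserting that the refused password is not accepted, for example `assert authenticate(username='etienne.michu', password='passé') is None`, would pin the outcome that matters; this assumes the settings of this test configure no local password fallback, which the hunk does not show. The test function begins outside this hunk.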