def setUserPassword(self, user, object_dn, password):
"""
Set a new password for a user
"""
# Do we have read permissions for the requested attribute
env = Environment.getInstance()
topic = "%s.objects.%s.attributes.%s" % (env.domain, "User", "userPassword")
aclresolver = PluginRegistry.getInstance("ACLResolver")
if not aclresolver.check(user, topic, "w", base=object_dn):
self.__log.debug(
"user '%s' has insufficient permissions to write %s on %s, required is %s:%s"
% (user, "isLocked", object_dn, topic, "w")
)
raise ACLException(C.make_error("PERMISSION_ACCESS", topic, target=object_dn))
user = ObjectProxy(object_dn)
method = user.passwordMethod
# Try to detect the responsible password method-class
pwd_o = self.get_method_by_method_type(method)
if not pwd_o:
raise PasswordException(C.make_error("PASSWORD_UNKNOWN_HASH", type=method))
# Generate the new password hash usind the detected method
pwd_str = pwd_o.generate_password_hash(password, method)
# Set the password and commit the changes
user.userPassword = pwd_str
user.commit()
def lockAccountPassword(self, user, object_dn):
"""
Locks the account password for the given DN
"""
# Do we have read permissions for the requested attribute
env = Environment.getInstance()
topic = "%s.objects.%s.attributes.%s" % (env.domain, "User", "userPassword")
aclresolver = PluginRegistry.getInstance("ACLResolver")
if not aclresolver.check(user, topic, "w", base=object_dn):
self.__log.debug(
"user '%s' has insufficient permissions to write %s on %s, required is %s:%s"
% (user, "isLocked", object_dn, topic, "w")
)
raise ACLException(C.make_error("PERMISSION_ACCESS", topic, target=object_dn))
# Get the object for the given dn
user = ObjectProxy(object_dn)
# Check if there is a userPasswort available and set
if not "userPassword" in user.get_attributes():
raise PasswordException(C.make_error("PASSWORD_NO_ATTRIBUTE"))
if not user.userPassword:
raise PasswordException(C.make_error("PASSWORD_NOT_AVAILABLE"))
# Try to detect the responsible password method-class
pwd_o = self.detect_method_by_hash(user.userPassword)
if not pwd_o:
raise PasswordException(C.make_error("PASSWORD_METHOD_UNKNOWN"))
# Lock the hash and save it
user.userPassword = pwd_o.lock_account(user.userPassword)
user.commit()
def setSambaPassword(self, user, object_dn, password):
"""
Set a new samba-password for a user
"""
# Do we have read permissions for the requested attribute
env = Environment.getInstance()
topic = "%s.objects.%s.attributes.%s" % (env.domain, "User", "sambaNTPassword")
aclresolver = PluginRegistry.getInstance("ACLResolver")
if not aclresolver.check(user, topic, "w", base=object_dn):
self.__log.debug(
"user '%s' has insufficient permissions to write %s on %s, required is %s:%s"
% (user, "isLocked", object_dn, topic, "w")
)
raise ACLException(C.make_error("PERMISSION_ACCESS", topic, target=object_dn))
topic = "%s.objects.%s.attributes.%s" % (env.domain, "User", "sambaLMPassword")
aclresolver = PluginRegistry.getInstance("ACLResolver")
if not aclresolver.check(user, topic, "w", base=object_dn):
self.__log.debug(
"user '%s' has insufficient permissions to write %s on %s, required is %s:%s"
% (user, "isLocked", object_dn, topic, "w")
)
raise ACLException(C.make_error("PERMISSION_ACCESS", topic, target=object_dn))
# Set the password and commit the changes
lm, nt = smbpasswd.hash(password)
user = ObjectProxy(object_dn)
user.sambaNTPassword = nt
user.sambaLMPassword = lm
user.commit()
