# Change a user's password through PAM: builds the conversation answers, forces
# an English locale and calls self.pam.chauthtok().
#
# Visible behaviour:
#   * `answers` maps PAM message styles to replies: PAM_PROMPT_ECHO_ON gets the
#     username, PAM_PROMPT_ECHO_OFF gets [old_password, new_password, new_password]
#     (old password once, new password twice, as the pam_kerberos comment says).
#   * LC_MESSAGES and LANG are set to en_US.UTF-8 via self.pam.putenv(); the
#     trailing 'LC_ALL=en_US.UTF-8') fragment suggests LC_ALL is set the same way.
#   * On PAMError the failure is logged with AUTH.warn, a message is derived with
#     self._parse_error_message_from(pam_err.args, prompts), and
#     PasswordChangeFailed is raised with the translated prefix plus that message.
#
# NOTE(review): the text between the prompt comment and the LC_ALL putenv is
# masked ('******') in this copy, so the end of `answers`, the PAM conversation
# setup and the definition of `prompts` are not visible. Restore them from the
# upstream file; do not reconstruct them by hand.
# NOTE(review): the warning logs `prompts` with %r. Presumably these are the
# strings PAM sent during the conversation - confirm that the list can never
# contain the supplied answers (old/new password) before relying on this log line.
def change_password(self, username, old_password, new_password): # type: (str, str, str) -> None answers = { PAM_TEXT_INFO: '', PAM_ERROR_MSG: '', PAM_PROMPT_ECHO_ON: username, PAM_PROMPT_ECHO_OFF: [old_password, new_password, new_password], # pam_kerberos asks for the old password first and then twice for the new password. # 'Current Kerberos password: '******'New password: '******'Retype new password: '******'LC_ALL=en_US.UTF-8') self.pam.putenv('LC_MESSAGES=en_US.UTF-8') self.pam.putenv('LANG=en_US.UTF-8') try: self.pam.chauthtok() except PAMError as pam_err: AUTH.warn('Changing password failed (%s). Prompts: %r' % (pam_err, prompts)) message = self._parse_error_message_from(pam_err.args, prompts) raise PasswordChangeFailed( '%s %s' % (self._('Changing password failed.'), message))
def __canonicalize_username(self, username):
    """Map a login name to the account's ``uid`` via a read-only LDAP lookup.

    A name containing ``@`` is matched against ``mailPrimaryAddress``, any
    other name against ``uid``; only ``person`` objects are considered and
    the search must be unique. If a match carries a ``uid``, its first value
    replaces ``username``.

    This is best effort and fails open: whatever goes wrong, the name is
    returned as it stood at that point (normally the caller's input,
    unchanged). Callers must not treat the return value as proof that the
    account exists.
    """
    try:
        ldap_conn, _position = get_machine_connection(write=False)
        matches = None
        if ldap_conn:
            if '@' in username:
                lookup_attr = 'mailPrimaryAddress'
            else:
                lookup_attr = 'uid'
            # The login name is untrusted input. It must reach the filter only
            # through filter_format(), never through plain string formatting.
            # NOTE(review): filter_format is presumably ldap.filter.filter_format,
            # which escapes the substituted values - confirm against the imports.
            ldap_filter = filter_format('(&(%s=%s)(objectClass=person))', (lookup_attr, username))
            matches = ldap_conn.search(ldap_filter, attr=['uid'], unique=True)
        if matches and matches[0][1].get('uid'):
            username = matches[0][1]['uid'][0]
            AUTH.info('Canonicalized username: %r' % (username,))
    except (ldap.LDAPError, udm_errors.ldapError) as exc:
        # /etc/machine.secret missing or LDAP server not reachable
        AUTH.warn('Canonicalization of username was not possible: %s' % (exc,))
        reset_cache()
    except:
        # Deliberately bare: any other failure is logged with its traceback
        # and must not abort the login attempt.
        AUTH.error('Canonicalization of username failed: %s' % (traceback.format_exc(),))
    finally:
        # Returning from ``finally`` discards any exception still in flight,
        # including one raised inside the handlers above.
        return username