def get_current_password(principal):
    """
    Pick the default value for the ``current_password`` parameter.

    Returns None when the normalized ``principal`` equals the value of
    util.get_current_principal(), so that the current password gets
    prompted for. For any other principal the fixed MAGIC_VALUE
    placeholder is returned, to be ignored later.

    :param principal: The login name or principal whose password is changed
    """
    own_principal = util.get_current_principal()
    changing_own_password = own_principal == normalize_principal(principal)
    # This only computes a default. passwd.execute() re-checks the
    # placeholder against the request context, so the decision made here
    # is a convenience for prompting and not the enforcement point.
    return None if changing_own_password else MAGIC_VALUE
class passwd(Command):
    __doc__ = _("Set a user's password.")

    # The lambdas are kept as lambdas with their exact parameter names.
    # NOTE(review): default_from presumably resolves its inputs from the
    # callback's argument names - confirm before simplifying them.
    takes_args = (
        Str(
            'principal',
            validate_principal,
            cli_name='user',
            label=_('User name'),
            primary_key=True,
            autofill=True,
            default_from=lambda: util.get_current_principal(),
            normalizer=lambda value: normalize_principal(value),
        ),
        Password(
            'password',
            label=_('New Password'),
        ),
        # Defaults to None (prompt) for a self-service change and to
        # MAGIC_VALUE otherwise; see get_current_password().
        Password(
            'current_password',
            label=_('Current Password'),
            confirm=False,
            default_from=lambda principal: get_current_password(principal),
            autofill=True,
            sortorder=-1,
        ),
    )

    has_output = output.standard_value
    msg_summary = _('Changed password for "%(value)s"')

    def execute(self, principal, password, current_password):
        """
        Change the password of the user identified by ``principal``.

        The user's DN is looked up here from ``krbprincipalname``; it is
        not accepted from the caller. Returns a dict with ``result`` set
        to True and ``value`` set to the principal.

        :param principal: The login name or principal of the user
        :param password: the new password
        :param current_password: the existing password, or MAGIC_VALUE
            when no existing password is supplied
        :raises errors.ACIError: when the principal from the request
            context tries to change its own password with MAGIC_VALUE
        """
        ldap = self.api.Backend.ldap2

        (user_dn, _entry_attrs) = ldap.find_entry_by_attr(
            'krbprincipalname',
            principal,
            'posixaccount',
            [''],
            DN(api.env.container_user, api.env.basedn),
        )

        acting_on_self = principal == getattr(context, 'principal')
        placeholder_supplied = current_password == MAGIC_VALUE

        if acting_on_self and placeholder_supplied:
            # No cheating: MAGIC_VALUE is an in-band marker that any
            # caller can send, so it must never let a user skip
            # verification of their own current password.
            # NOTE(review): the log line does not name the principal,
            # which limits its use for detection - consider adding it.
            self.log.warn(
                'User attempted to change password using magic value')
            raise errors.ACIError(info=_('Invalid credentials'))

        if placeholder_supplied:
            # Change for another account: no old password is passed on.
            # NOTE(review): authorization here presumably rests on the
            # directory server's access controls for the bound identity -
            # confirm; nothing in this method checks privileges.
            ldap.modify_password(user_dn, password)
        else:
            ldap.modify_password(user_dn, password, current_password)

        return {'result': True, 'value': principal}