def change_password(self, username, old_password,
new_password): # type: (str, str, str) -> None
answers = {
PAM_TEXT_INFO: '',
PAM_ERROR_MSG: '',
PAM_PROMPT_ECHO_ON: username,
PAM_PROMPT_ECHO_OFF: [old_password, new_password, new_password],
# pam_kerberos asks for the old password first and then twice for the new password.
# 'Current Kerberos password: '******'New password: '******'Retype new password: '******'LC_ALL=en_US.UTF-8')
self.pam.putenv('LC_MESSAGES=en_US.UTF-8')
self.pam.putenv('LANG=en_US.UTF-8')
try:
self.pam.chauthtok()
except PAMError as pam_err:
AUTH.warn('Changing password failed (%s). Prompts: %r' %
(pam_err, prompts))
message = self._parse_error_message_from(pam_err.args, prompts)
raise PasswordChangeFailed(
'%s %s' % (self._('Changing password failed.'), message))
def __canonicalize_username(self, username):
try:
lo, po = get_machine_connection(write=False)
result = None
if lo:
attr = 'mailPrimaryAddress' if '@' in username else 'uid'
result = lo.search(filter_format('(&(%s=%s)(objectClass=person))', (attr, username)), attr=['uid'], unique=True)
if result and result[0][1].get('uid'):
username = result[0][1]['uid'][0]
AUTH.info('Canonicalized username: %r' % (username,))
except (ldap.LDAPError, udm_errors.ldapError) as exc:
# /etc/machine.secret missing or LDAP server not reachable
AUTH.warn('Canonicalization of username was not possible: %s' % (exc,))
reset_cache()
except:
AUTH.error('Canonicalization of username failed: %s' % (traceback.format_exc(),))
finally: # ignore all exceptions, even in except blocks
return username