|
41 |
from ldap.filter import filter_format |
41 |
from ldap.filter import filter_format |
42 |
import univention.admin.uexceptions as udm_errors |
42 |
import univention.admin.uexceptions as udm_errors |
|
|
43 |
import univention.admin.handlers.users.user as udm_user |
43 |
from .acl import ACLs, LDAP_ACLs |
44 |
from .acl import ACLs, LDAP_ACLs |
44 |
from .auth import AuthHandler |
45 |
from .auth import AuthHandler |
45 |
from .category import Manager as CategoryManager |
46 |
from .category import Manager as CategoryManager |
46 |
from .config import MODULE_DEBUG_LEVEL, ucr |
47 |
from .config import MODULE_DEBUG_LEVEL, ucr |
47 |
from .error import ServiceUnavailable |
48 |
from .error import ServiceUnavailable, UMC_Error |
48 |
from .ldap import get_machine_connection, reset_cache as reset_ldap_connection_cache |
49 |
from .ldap import get_machine_connection, reset_cache as reset_ldap_connection_cache |
49 |
from .log import CORE |
50 |
from .log import CORE |
50 |
from .message import Request |
51 |
from .message import Request |
51 |
from .module import Manager as ModuleManager |
52 |
from .module import Manager as ModuleManager |
|
|
53 |
from .pam import AuthenticationFailed, PasswordChangeFailed, PasswordExpired |
52 |
try: |
54 |
try: |
Lines 153-166
class Session(object):
|
|
153 |
return result |
155 |
return result |
154 |
async def change_password(self, args): |
156 |
async def change_password(self, args): |
155 |
from .server import pool |
|
|
156 |
pam = self.__auth.get_handler(args['locale']) |
157 |
username = args['username'] |
157 |
username = args['username'] |
158 |
password = args['password'] |
158 |
locale = args['locale'] |
159 |
new_password = args['new_password'] |
159 |
language = locale.split('_', 1)[0] |
160 |
future = pool.submit(pam.change_password, username, password, new_password) |
160 |
new_password = args.pop('new_password') |
161 |
await asyncio.wrap_future(future) |
161 |
|
|
|
162 |
from .server import pool |
163 |
pam = self.__auth.get_handler(locale) |
164 |
try: |
165 |
future = pool.submit(self.__auth.authenticate, pam, args) |
166 |
result = await asyncio.wrap_future(future) |
167 |
authenticated = bool(result) |
168 |
CORE.info("Authentication for %s: %s" % (username, str(result))) |
169 |
except PasswordExpired as exc: |
170 |
CORE.warn("Password for user %s is expired: %s" % (username, str(exc))) |
171 |
authenticated = True |
172 |
except AuthenticationFailed as exc: |
173 |
CORE.error("Authentication failed: %s" % (str(exc),)) |
174 |
authenticated = False |
162 |
pam.end() |
175 |
pam.end() |
|
|
176 |
|
177 |
if not authenticated: |
178 |
message = pam._('The entered password does not match the current one.') |
179 |
raise PasswordChangeFailed(message) |
180 |
|
181 |
CORE.info("Setting new password for user: %s" % (username,)) |
182 |
lo = get_machine_connection(write=True)[0] |
183 |
if lo: |
184 |
user_dn = lo.searchDn(filter_format('(&(uid=%s)(objectClass=person))', (username,)))[0] |
185 |
CORE.info("User dn: %s" % (user_dn,)) |
186 |
user = udm_user.object(None, lo, None, user_dn) |
187 |
user.open() |
188 |
user["password"] = new_password |
189 |
user["pwdChangeNextLogin"] = 0 |
190 |
try: |
191 |
user.modify() |
192 |
except (udm_errors.pwToShort, udm_errors.pwQuality) as exc: |
193 |
password_complexity_message = ucr.get('umc/login/password-complexity-message/%s' % (language,), ucr.get('umc/login/password-complexity-message/en', exc)) |
194 |
raise UMC_Error(password_complexity_message) |
195 |
except udm_errors.pwalreadyused as exc: |
196 |
raise UMC_Error(exc.message) |
197 |
except Exception as exc: |
198 |
CORE.error(f"udm_set_password(): failed to set password: {traceback.format_exc()}") |
199 |
raise PasswordChangeFailed(str(exc)) |
200 |
else: |
201 |
CORE.info("User modify succeeded!") |
202 |
else: |
203 |
raise PasswordChangeFailed("LDAP connection failed") |
204 |
|
163 |
self.set_credentials(username, new_password, None) |
205 |
self.set_credentials(username, new_password, None) |
164 |
def set_credentials(self, username, password, auth_type): |
206 |
def set_credentials(self, username, password, auth_type): |
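Review bot: `user_dn = lo.searchDn(...)[0]` on new line 184 raises `IndexError` when the lookup returns no entry, and that line sits outside the `try`, so a caller who passed the PAM check but has no matching `(uid=…)(objectClass=person)` entry gets an unhandled exception instead of a `PasswordChangeFailed`, and more than one match silently picks the first DN; check for exactly one result and raise `PasswordChangeFailed` otherwise. `pam.end()` on new line 175 is likewise skipped if `authenticate` raises anything other than `PasswordExpired` or `AuthenticationFailed`; a `try`/`finally` closes the handle on every path (the later `pam._()` calls already run after `end()` in the current code, so ordering is unchanged). Separately, the `except Exception` branch re-raises `PasswordChangeFailed(str(exc))` with the raw UDM/LDAP exception text even though the traceback is already logged one line earlier; if that message reaches the client like the translated one in the `if not authenticated` branch does, a fixed message such as `raise PasswordChangeFailed(pam._('Failed to change the password.')) from exc` avoids echoing backend details, and `traceback` used in that log line is not among the imports visible in the first hunk, so confirm it is imported above. A short comment that the write goes through the machine account (`get_machine_connection(write=True)`) and therefore bypasses the user's own LDAP ACLs — presumably intended so expired accounts can still change their password — would help the next reader. `set_credentials` begins on the hunk's last line and continues outside it.
```python
        try:
            future = pool.submit(self.__auth.authenticate, pam, args)
            # … unchanged: result handling, PasswordExpired / AuthenticationFailed branches …
        finally:
            pam.end()  # release the PAM handle even when authenticate() raises something else

        # … unchanged: `if not authenticated` check …
        lo = get_machine_connection(write=True)[0]
        if lo:
            dns = lo.searchDn(filter_format('(&(uid=%s)(objectClass=person))', (username,)))
            if len(dns) != 1:
                CORE.error("Password change for %s: expected exactly one LDAP entry, found %d" % (username, len(dns)))
                raise PasswordChangeFailed("User not found")
            user_dn = dns[0]
            # … unchanged: UDM object open / modify and its error handling …
```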