commit 00cd578c56633d97c20c74f6346b4b10092cacec
Author: Stefan Gohmann
Date: Thu Sep 14 20:50:42 2017 +0200

Bug #44867: Fix password reset for UCS systems joined into a AD domain.

The following UCR variables need to be set:
- connector/ad/ldap/host: the AD DC FQDN
- ad/reset/username: a username of a AD admin who is allowed to reset a password of a user
- ad/reset/password: a file which contains the password of the AD admin

diff --git a/management/univention-self-service/umc/python/passwordreset/__init__.py b/management/univention-self-service/umc/python/passwordreset/__init__.py
index a00e40a..9214bc2 100644
--- a/management/univention-self-service/umc/python/passwordreset/__init__.py
+++ b/management/univention-self-service/umc/python/passwordreset/__init__.py
@@ -39,6 +39,7 @@ from functools import wraps
 from ldap.filter import filter_format
 import pylibmc
+import subprocess
 from univention.lib.i18n import Translation
 from univention.lib.umc import Client, HTTPError, ConnectionError, Unauthorized
@@ -455,9 +456,31 @@ def set_contact_data(self, dn, email, mobile):
 			MODULE.error("set_contact_data(): {}".format(traceback.format_exc()))
 			raise
 
+	def admember_set_password(self, username, password):
+		ldb_url = ucr.get('connector/ad/ldap/host')
+		ldb_url = 'ldaps://%s' % (ldb_url,) if ucr.is_true('connector/ad/ldap/ldaps') else 'ldap://%s' % (ldb_url,)
+		reset_username = ucr.get('ad/reset/username')
+		reset_password_file = ucr.get('ad/reset/password')
+		reset_password = open(reset_password_file).readline().strip()
+		cmd = ['samba-tool', 'user', 'setpassword', '--username', reset_username, '--password', reset_password, '--filter', filter_format('samaccountname=%s', (username,)), '--newpassword', password, '-H', ldb_url]
+		process = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+		cmd_out, cmd_err = process.communicate()
+
+		if cmd_out:
+			MODULE.process("STDOUT: {}".format(cmd_out))
+		if cmd_err:
+			MODULE.process("STDERR: {}".format(cmd_err))
+
+		if process.returncode:
+			MODULE.error("admember_set_password(): failed to set password. Return code: %s" % (process.returncode,))
+			return False
+		return True
+
 	def udm_set_password(self, username, password):
+		user = self.get_udm_user(username=username, admin=True)
+		if 'synced' in user.get('objectFlag') and ucr.is_true('ad/member'):
+			return self.admember_set_password(username, password)
 		try:
-			user = self.get_udm_user(username=username, admin=True)
 			user["password"] = password
 			user["pwdChangeNextLogin"] = 0
 			user.modify()
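Review bot: `admember_set_password` places the AD admin password (`--password`, the value read from `ad/reset/password`) and the user's new password (`--newpassword`) into samba-tool's argv, where any local user can read them from `ps` or `/proc/<pid>/cmdline` for as long as the subprocess runs. Since `ad/reset/password` is already a file, samba-tool's `-A`/`--authentication-file` option (which, as far as I recall, expects `username=`/`password=` lines) would keep the admin credential off the command line, and the new password only stays off it by using the samba Python bindings (`SamDB.setpassword`) instead of a subprocess — worth confirming which of these is available in this process. Two smaller points in the same hunk: `open(reset_password_file).readline()` never closes the file (use `with open(reset_password_file) as f:`), and `'synced' in user.get('objectFlag')` raises TypeError if UDM returns `None` for an unset objectFlag instead of an empty list, so `'synced' in (user.get('objectFlag') or [])` is safer. Note also that the AD branch reports failure by returning False while the UDM branch raises; `udm_set_password` continues past the end of the hunk, so callers may need to handle both outcomes.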