Re: [Freeipa-devel] [PATCH] 274 Password change capability for form-based auth
Martin Kosek wrote:
On Mon, 2012-06-11 at 13:52 -0400, Rob Crittenden wrote:
Martin Kosek wrote:
On Mon, 2012-06-11 at 10:36 +0200, Martin Kosek wrote:
On Thu, 2012-06-07 at 23:07 -0400, Simo Sorce wrote:
On Thu, 2012-06-07 at 22:28 -0400, Rob Crittenden wrote:
Martin Kosek wrote:
You can use the attached script (changepw.py) to test the PW change
interface from command line (on IPA server).
---
IPA server web form-based authentication allows logins for users
which for some reason cannot use Kerberos authentication. However,
when a password for such users expires, they are unable change the
password via web interface.
This patch adds a new WSGI script attached to URL
/ipa/session/change_password which can be accessed without
authentication and which provides password change capability
for web services.
The actual password change in the script is processed with kpasswd
to be consistent with /ipa/session/login_password.
Password result is passed both in the resulting HTML page, but
also in HTTP headers for easier parsing in web services:
X-IPA-Pwchange-Result: {ok, invalid-password, policy-error}
(optional) X-IPA-Pwchange-Policy-Error: $policy_error_text
https://fedorahosted.org/freeipa/ticket/2276
It is probably more efficient to change the password using ldap. Simo,
do you know of an advantage of using one over the other? Better password
policy reporting may be reason enough.
Yes you'll get better error reporting, plus forking out kpasswd is quite
ugly, the python ldap code should be able to use the ldap passwd extend
op quite easily.
Simo.
Ok, sending a second version of the patch based on password change via
LDAP. The error reporting is indeed easier and with no hard-coded
parsing.
Martin
This patch will only work with SELinux disabled, it seems there is a
regression in SELinux policy which does not allow httpd to connect to
dirsrv socket. I logged a Bug:
https://bugzilla.redhat.com/show_bug.cgi?id=830764
This issue also disables other pages using dirsrv socket, like the
migration page or password-expiration detection in form-based auth.
Martin
For '200 Success' you can use rpcserver.HTTP_STATUS_SUCCESS.
Fixed.
This works ok and does successfully change passwords but I don't like
the logging very much.
Actually it does, it just did it in DEBUG level.
I adapted the logging style from /ipa/session/login_password WSGI
script, but I see that since this is a special page, it should have a
bit different logging.
Under normal conditions, it now prints a line when
- the WSGI script is started on INFO level, i.e. in httpd error_log by
default
- parameters are validated and we start password change for user (user
is now printed in log too - this will be useful)
- when the WSGI script finishes - with either success or error status
It should say that this is the password request
URI somewhere at a minimum. Having the HTTP response is a bit strange
too, and I don't know if a 400 should be logged as info.
I used bad_request method of HTTP_Status class. It uses info log level
for 400 statuses. I can change that, but it will be changed for all WSGI
scripts using HTTP_Status. So far, judging from what I saw in
rpcserver.py we use error log level when there is a problem on our side
and not in a user request...
I think this test program could be made into a test suite too,
particularly to check the more esoteric parts like checking for missing
options, too many options, etc.
rob
I added a test suite exercising this WSGI script. It is based on
built-in httplib instead of original pyCurl - it has much better output
parsing and is easier to handle.
The new unit test tests bad options, authentication errors and of course
successful password change, including a verification that that the
password was actually changed.
Martin
ACK, pushed to master. I like the tests very much.
rob
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 274 Password change capability for form-based auth
On Mon, 2012-06-11 at 13:52 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Mon, 2012-06-11 at 10:36 +0200, Martin Kosek wrote:
> >> On Thu, 2012-06-07 at 23:07 -0400, Simo Sorce wrote:
> >>> On Thu, 2012-06-07 at 22:28 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > You can use the attached script (changepw.py) to test the PW change
> > interface from command line (on IPA server).
> >
> > ---
> >
> > IPA server web form-based authentication allows logins for users
> > which for some reason cannot use Kerberos authentication. However,
> > when a password for such users expires, they are unable change the
> > password via web interface.
> >
> > This patch adds a new WSGI script attached to URL
> > /ipa/session/change_password which can be accessed without
> > authentication and which provides password change capability
> > for web services.
> >
> > The actual password change in the script is processed with kpasswd
> > to be consistent with /ipa/session/login_password.
> >
> > Password result is passed both in the resulting HTML page, but
> > also in HTTP headers for easier parsing in web services:
> > X-IPA-Pwchange-Result: {ok, invalid-password, policy-error}
> > (optional) X-IPA-Pwchange-Policy-Error: $policy_error_text
> >
> > https://fedorahosted.org/freeipa/ticket/2276
>
> It is probably more efficient to change the password using ldap. Simo,
> do you know of an advantage of using one over the other? Better password
> policy reporting may be reason enough.
> >>>
> >>> Yes you'll get better error reporting, plus forking out kpasswd is quite
> >>> ugly, the python ldap code should be able to use the ldap passwd extend
> >>> op quite easily.
> >>>
> >>> Simo.
> >>>
> >>
> >> Ok, sending a second version of the patch based on password change via
> >> LDAP. The error reporting is indeed easier and with no hard-coded
> >> parsing.
> >>
> >> Martin
> >
> > This patch will only work with SELinux disabled, it seems there is a
> > regression in SELinux policy which does not allow httpd to connect to
> > dirsrv socket. I logged a Bug:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=830764
> >
> > This issue also disables other pages using dirsrv socket, like the
> > migration page or password-expiration detection in form-based auth.
> >
> > Martin
>
> For '200 Success' you can use rpcserver.HTTP_STATUS_SUCCESS.
Fixed.
>
> This works ok and does successfully change passwords but I don't like
> the logging very much.
Actually it does, it just did it in DEBUG level.
I adapted the logging style from /ipa/session/login_password WSGI
script, but I see that since this is a special page, it should have a
bit different logging.
Under normal conditions, it now prints a line when
- the WSGI script is started on INFO level, i.e. in httpd error_log by
default
- parameters are validated and we start password change for user (user
is now printed in log too - this will be useful)
- when the WSGI script finishes - with either success or error status
> It should say that this is the password request
> URI somewhere at a minimum. Having the HTTP response is a bit strange
> too, and I don't know if a 400 should be logged as info.
I used bad_request method of HTTP_Status class. It uses info log level
for 400 statuses. I can change that, but it will be changed for all WSGI
scripts using HTTP_Status. So far, judging from what I saw in
rpcserver.py we use error log level when there is a problem on our side
and not in a user request...
>
> I think this test program could be made into a test suite too,
> particularly to check the more esoteric parts like checking for missing
> options, too many options, etc.
>
> rob
I added a test suite exercising this WSGI script. It is based on
built-in httplib instead of original pyCurl - it has much better output
parsing and is easier to handle.
The new unit test tests bad options, authentication errors and of course
successful password change, including a verification that that the
password was actually changed.
Martin
>From c60cd566c7b84ebcd82730d4dfce93d610e4aca9 Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Wed, 6 Jun 2012 14:38:08 +0200
Subject: [PATCH] Password change capability for form-based auth
IPA server web form-based authentication allows logins for users
which for some reason cannot use Kerberos authentication. However,
when a password for such users expires, they are unable change the
password via web interface.
This patch adds a new WSGI script attached to URL
/ipa/session/change_password which can be accessed without
authentication and which provides password change capability
for web services.
The actual password change in the script is processed by LDAP
password change command.
Password result is passed both in the resulting HTML page, but
also in HTTP headers for easier parsing in web services:
X-IPA-Pw
Re: [Freeipa-devel] [PATCH] 274 Password change capability for form-based auth
Martin Kosek wrote:
On Mon, 2012-06-11 at 10:36 +0200, Martin Kosek wrote:
On Thu, 2012-06-07 at 23:07 -0400, Simo Sorce wrote:
On Thu, 2012-06-07 at 22:28 -0400, Rob Crittenden wrote:
Martin Kosek wrote:
You can use the attached script (changepw.py) to test the PW change
interface from command line (on IPA server).
---
IPA server web form-based authentication allows logins for users
which for some reason cannot use Kerberos authentication. However,
when a password for such users expires, they are unable change the
password via web interface.
This patch adds a new WSGI script attached to URL
/ipa/session/change_password which can be accessed without
authentication and which provides password change capability
for web services.
The actual password change in the script is processed with kpasswd
to be consistent with /ipa/session/login_password.
Password result is passed both in the resulting HTML page, but
also in HTTP headers for easier parsing in web services:
X-IPA-Pwchange-Result: {ok, invalid-password, policy-error}
(optional) X-IPA-Pwchange-Policy-Error: $policy_error_text
https://fedorahosted.org/freeipa/ticket/2276
It is probably more efficient to change the password using ldap. Simo,
do you know of an advantage of using one over the other? Better password
policy reporting may be reason enough.
Yes you'll get better error reporting, plus forking out kpasswd is quite
ugly, the python ldap code should be able to use the ldap passwd extend
op quite easily.
Simo.
Ok, sending a second version of the patch based on password change via
LDAP. The error reporting is indeed easier and with no hard-coded
parsing.
Martin
This patch will only work with SELinux disabled, it seems there is a
regression in SELinux policy which does not allow httpd to connect to
dirsrv socket. I logged a Bug:
https://bugzilla.redhat.com/show_bug.cgi?id=830764
This issue also disables other pages using dirsrv socket, like the
migration page or password-expiration detection in form-based auth.
Martin
For '200 Success' you can use rpcserver.HTTP_STATUS_SUCCESS.
This works ok and does successfully change passwords but I don't like
the logging very much. It should say that this is the password request
URI somewhere at a minimum. Having the HTTP response is a bit strange
too, and I don't know if a 400 should be logged as info.
I think this test program could be made into a test suite too,
particularly to check the more esoteric parts like checking for missing
options, too many options, etc.
rob
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 274 Password change capability for form-based auth
On Mon, 2012-06-11 at 10:36 +0200, Martin Kosek wrote:
> On Thu, 2012-06-07 at 23:07 -0400, Simo Sorce wrote:
> > On Thu, 2012-06-07 at 22:28 -0400, Rob Crittenden wrote:
> > > Martin Kosek wrote:
> > > > You can use the attached script (changepw.py) to test the PW change
> > > > interface from command line (on IPA server).
> > > >
> > > > ---
> > > >
> > > > IPA server web form-based authentication allows logins for users
> > > > which for some reason cannot use Kerberos authentication. However,
> > > > when a password for such users expires, they are unable change the
> > > > password via web interface.
> > > >
> > > > This patch adds a new WSGI script attached to URL
> > > > /ipa/session/change_password which can be accessed without
> > > > authentication and which provides password change capability
> > > > for web services.
> > > >
> > > > The actual password change in the script is processed with kpasswd
> > > > to be consistent with /ipa/session/login_password.
> > > >
> > > > Password result is passed both in the resulting HTML page, but
> > > > also in HTTP headers for easier parsing in web services:
> > > >X-IPA-Pwchange-Result: {ok, invalid-password, policy-error}
> > > >(optional) X-IPA-Pwchange-Policy-Error: $policy_error_text
> > > >
> > > > https://fedorahosted.org/freeipa/ticket/2276
> > >
> > > It is probably more efficient to change the password using ldap. Simo,
> > > do you know of an advantage of using one over the other? Better password
> > > policy reporting may be reason enough.
> >
> > Yes you'll get better error reporting, plus forking out kpasswd is quite
> > ugly, the python ldap code should be able to use the ldap passwd extend
> > op quite easily.
> >
> > Simo.
> >
>
> Ok, sending a second version of the patch based on password change via
> LDAP. The error reporting is indeed easier and with no hard-coded
> parsing.
>
> Martin
This patch will only work with SELinux disabled, it seems there is a
regression in SELinux policy which does not allow httpd to connect to
dirsrv socket. I logged a Bug:
https://bugzilla.redhat.com/show_bug.cgi?id=830764
This issue also disables other pages using dirsrv socket, like the
migration page or password-expiration detection in form-based auth.
Martin
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 274 Password change capability for form-based auth
On Thu, 2012-06-07 at 23:07 -0400, Simo Sorce wrote:
> On Thu, 2012-06-07 at 22:28 -0400, Rob Crittenden wrote:
> > Martin Kosek wrote:
> > > You can use the attached script (changepw.py) to test the PW change
> > > interface from command line (on IPA server).
> > >
> > > ---
> > >
> > > IPA server web form-based authentication allows logins for users
> > > which for some reason cannot use Kerberos authentication. However,
> > > when a password for such users expires, they are unable change the
> > > password via web interface.
> > >
> > > This patch adds a new WSGI script attached to URL
> > > /ipa/session/change_password which can be accessed without
> > > authentication and which provides password change capability
> > > for web services.
> > >
> > > The actual password change in the script is processed with kpasswd
> > > to be consistent with /ipa/session/login_password.
> > >
> > > Password result is passed both in the resulting HTML page, but
> > > also in HTTP headers for easier parsing in web services:
> > >X-IPA-Pwchange-Result: {ok, invalid-password, policy-error}
> > >(optional) X-IPA-Pwchange-Policy-Error: $policy_error_text
> > >
> > > https://fedorahosted.org/freeipa/ticket/2276
> >
> > It is probably more efficient to change the password using ldap. Simo,
> > do you know of an advantage of using one over the other? Better password
> > policy reporting may be reason enough.
>
> Yes you'll get better error reporting, plus forking out kpasswd is quite
> ugly, the python ldap code should be able to use the ldap passwd extend
> op quite easily.
>
> Simo.
>
Ok, sending a second version of the patch based on password change via
LDAP. The error reporting is indeed easier and with no hard-coded
parsing.
Martin
>From 4d80c102a0c06a8f7be92fb0f5c38e2629200e28 Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Wed, 6 Jun 2012 14:38:08 +0200
Subject: [PATCH] Password change capability for form-based auth
IPA server web form-based authentication allows logins for users
which for some reason cannot use Kerberos authentication. However,
when a password for such users expires, they are unable change the
password via web interface.
This patch adds a new WSGI script attached to URL
/ipa/session/change_password which can be accessed without
authentication and which provides password change capability
for web services.
The actual password change in the script is processed by LDAP
password change command.
Password result is passed both in the resulting HTML page, but
also in HTTP headers for easier parsing in web services:
X-IPA-Pwchange-Result: {ok, invalid-password, policy-error, error}
(optional) X-IPA-Pwchange-Policy-Error: $policy_error_text
https://fedorahosted.org/freeipa/ticket/2276
---
install/conf/ipa.conf |8 +++-
ipaserver/plugins/xmlserver.py |3 +-
ipaserver/rpcserver.py | 107 +++-
3 files changed, 115 insertions(+), 3 deletions(-)
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 89c9849ca6656ae3da585a72392d5d2463f4d892..b52d9d2ff722c77c37619cc4a4c0fb7cebd5354f 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
#
-# VERSION 4 - DO NOT REMOVE THIS LINE
+# VERSION 5 - DO NOT REMOVE THIS LINE
#
# LoadModule auth_kerb_module modules/mod_auth_kerb.so
@@ -72,6 +72,12 @@ KrbConstrainedDelegationLock ipa
Allow from all
+
+ Satisfy Any
+ Order Deny,Allow
+ Allow from all
+
+
# This is where we redirect on failed auth
Alias /ipa/errors "/usr/share/ipa/html"
diff --git a/ipaserver/plugins/xmlserver.py b/ipaserver/plugins/xmlserver.py
index 4ae914950b3dc4f593f03853dc1450d1dfea78d5..bd9eb1fdf72a1b8f5cab727d63070de377df07c9 100644
--- a/ipaserver/plugins/xmlserver.py
+++ b/ipaserver/plugins/xmlserver.py
@@ -25,10 +25,11 @@ Loads WSGI server plugins.
from ipalib import api
if 'in_server' in api.env and api.env.in_server is True:
-from ipaserver.rpcserver import wsgi_dispatch, xmlserver, jsonserver_kerb, jsonserver_session, login_kerberos, login_password
+from ipaserver.rpcserver import wsgi_dispatch, xmlserver, jsonserver_kerb, jsonserver_session, login_kerberos, login_password, change_password
api.register(wsgi_dispatch)
api.register(xmlserver)
api.register(jsonserver_kerb)
api.register(jsonserver_session)
api.register(login_kerberos)
api.register(login_password)
+api.register(change_password)
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index f9a549f4e8e0135e68c3a2ae8a9e876cac0d88df..eeed9c7426678ca1445032c956e3656fd39124a9 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -28,7 +28,7 @@ from xml.sax.saxutils import escape
from xmlrpclib import Fault
from ipalib import plugable
from ipalib.backend import Executioner
-from ipalib.errors import PublicError, InternalError, CommandError, JSONError, ConversionError, CCacheError, RefererError, InvalidSessionPassword
+from ipalib.errors i
Re: [Freeipa-devel] [PATCH] 274 Password change capability for form-based auth
On Thu, 2012-06-07 at 22:28 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > You can use the attached script (changepw.py) to test the PW change
> > interface from command line (on IPA server).
> >
> > ---
> >
> > IPA server web form-based authentication allows logins for users
> > which for some reason cannot use Kerberos authentication. However,
> > when a password for such users expires, they are unable change the
> > password via web interface.
> >
> > This patch adds a new WSGI script attached to URL
> > /ipa/session/change_password which can be accessed without
> > authentication and which provides password change capability
> > for web services.
> >
> > The actual password change in the script is processed with kpasswd
> > to be consistent with /ipa/session/login_password.
> >
> > Password result is passed both in the resulting HTML page, but
> > also in HTTP headers for easier parsing in web services:
> >X-IPA-Pwchange-Result: {ok, invalid-password, policy-error}
> >(optional) X-IPA-Pwchange-Policy-Error: $policy_error_text
> >
> > https://fedorahosted.org/freeipa/ticket/2276
>
> It is probably more efficient to change the password using ldap. Simo,
> do you know of an advantage of using one over the other? Better password
> policy reporting may be reason enough.
Yes you'll get better error reporting, plus forking out kpasswd is quite
ugly, the python ldap code should be able to use the ldap passwd extend
op quite easily.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 274 Password change capability for form-based auth
Martin Kosek wrote:
You can use the attached script (changepw.py) to test the PW change
interface from command line (on IPA server).
---
IPA server web form-based authentication allows logins for users
which for some reason cannot use Kerberos authentication. However,
when a password for such users expires, they are unable change the
password via web interface.
This patch adds a new WSGI script attached to URL
/ipa/session/change_password which can be accessed without
authentication and which provides password change capability
for web services.
The actual password change in the script is processed with kpasswd
to be consistent with /ipa/session/login_password.
Password result is passed both in the resulting HTML page, but
also in HTTP headers for easier parsing in web services:
X-IPA-Pwchange-Result: {ok, invalid-password, policy-error}
(optional) X-IPA-Pwchange-Policy-Error: $policy_error_text
https://fedorahosted.org/freeipa/ticket/2276
It is probably more efficient to change the password using ldap. Simo,
do you know of an advantage of using one over the other? Better password
policy reporting may be reason enough.
rob
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 274 Password change capability for form-based auth
You can use the attached script (changepw.py) to test the PW change
interface from command line (on IPA server).
---
IPA server web form-based authentication allows logins for users
which for some reason cannot use Kerberos authentication. However,
when a password for such users expires, they are unable change the
password via web interface.
This patch adds a new WSGI script attached to URL
/ipa/session/change_password which can be accessed without
authentication and which provides password change capability
for web services.
The actual password change in the script is processed with kpasswd
to be consistent with /ipa/session/login_password.
Password result is passed both in the resulting HTML page, but
also in HTTP headers for easier parsing in web services:
X-IPA-Pwchange-Result: {ok, invalid-password, policy-error}
(optional) X-IPA-Pwchange-Policy-Error: $policy_error_text
https://fedorahosted.org/freeipa/ticket/2276
>From a30303b5f3098d745bacf7c6a6e4a836e3e231d2 Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Wed, 6 Jun 2012 14:38:08 +0200
Subject: [PATCH] Password change capability for form-based auth
IPA server web form-based authentication allows logins for users
which for some reason cannot use Kerberos authentication. However,
when a password for such users expires, they are unable change the
password via web interface.
This patch adds a new WSGI script attached to URL
/ipa/session/change_password which can be accessed without
authentication and which provides password change capability
for web services.
The actual password change in the script is processed with kpasswd
to be consistent with /ipa/session/login_password.
Password result is passed both in the resulting HTML page, but
also in HTTP headers for easier parsing in web services:
X-IPA-Pwchange-Result: {ok, invalid-password, policy-error}
(optional) X-IPA-Pwchange-Policy-Error: $policy_error_text
https://fedorahosted.org/freeipa/ticket/2276
---
install/conf/ipa.conf |8 ++-
ipaserver/plugins/xmlserver.py |3 +-
ipaserver/rpcserver.py | 169
3 files changed, 178 insertions(+), 2 deletions(-)
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 89c9849ca6656ae3da585a72392d5d2463f4d892..b52d9d2ff722c77c37619cc4a4c0fb7cebd5354f 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
#
-# VERSION 4 - DO NOT REMOVE THIS LINE
+# VERSION 5 - DO NOT REMOVE THIS LINE
#
# LoadModule auth_kerb_module modules/mod_auth_kerb.so
@@ -72,6 +72,12 @@ KrbConstrainedDelegationLock ipa
Allow from all
+
+ Satisfy Any
+ Order Deny,Allow
+ Allow from all
+
+
# This is where we redirect on failed auth
Alias /ipa/errors "/usr/share/ipa/html"
diff --git a/ipaserver/plugins/xmlserver.py b/ipaserver/plugins/xmlserver.py
index 4ae914950b3dc4f593f03853dc1450d1dfea78d5..bd9eb1fdf72a1b8f5cab727d63070de377df07c9 100644
--- a/ipaserver/plugins/xmlserver.py
+++ b/ipaserver/plugins/xmlserver.py
@@ -25,10 +25,11 @@ Loads WSGI server plugins.
from ipalib import api
if 'in_server' in api.env and api.env.in_server is True:
-from ipaserver.rpcserver import wsgi_dispatch, xmlserver, jsonserver_kerb, jsonserver_session, login_kerberos, login_password
+from ipaserver.rpcserver import wsgi_dispatch, xmlserver, jsonserver_kerb, jsonserver_session, login_kerberos, login_password, change_password
api.register(wsgi_dispatch)
api.register(xmlserver)
api.register(jsonserver_kerb)
api.register(jsonserver_session)
api.register(login_kerberos)
api.register(login_password)
+api.register(change_password)
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index f9a549f4e8e0135e68c3a2ae8a9e876cac0d88df..2f639f229c7be53bf157d97f4c209ad449268bea 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -100,6 +100,18 @@ _unauthorized_template = """
"""
+_pwchange_template = """
+
+200 Success
+
+
+%(title)s
+
+%(message)s
+
+
+"""
+
class HTTP_Status(plugable.Plugin):
def not_found(self, environ, start_response, url, message):
"""
@@ -992,3 +1004,160 @@ class login_password(Backend, KerberosSession, HTTP_Status):
if returncode != 0:
raise InvalidSessionPassword(principal=principal, message=unicode(stderr))
+class KpasswdError(StandardError):
+def __init__(self, error_message, principal):
+self.error_message = error_message
+self.principal = principal
+
+class PasswordPolicyError(KpasswdError):
+def __init__(self, error_message, principal, rejection_reason):
+super(PasswordPolicyError, self).__init__(error_message, principal)
+self.rejection_reason = rejection_reason
+
+class InvalidPasswordError(KpasswdError):
+pass
+
+class change_password(Backend, HTTP_Status):
+
+content_type = 'text/plain'
+key = '/session/change_password'
+
+def __init__(self):
+super(change_password, self).__init_
