Commit 548cadf8 authored by Andrea Veri's avatar Andrea Veri

Add reset-my-password.py, it will help users retrieve their very first...

Add reset-my-password.py, it will help users retrieve their very first password before resetting it on the FreeIPA Web UI
parent 0eefe125
#!/usr/bin/python
import ldap
import ldap.filter
import string
import hashlib
import smtplib
import sys
import os
import ldap.modlist as modlist
from base64 import b64encode
from email.MIMEText import MIMEText
from random import choice, randrange
LDAP_GROUP_BASE='cn=groups,cn=accounts,dc=gnome,dc=org'
LDAP_USER_BASE='cn=users,cn=accounts,dc=gnome,dc=org'
file = open('/home/admin/secret/freeipa','r')
lines = file.readlines()
for line in lines:
if line.find("ldap_password") > -1:
dirty_password = line.split()
ldap_password = str(dirty_password)
sanitize_file=["ldap_password","=","\"","'","[","]"]
for i in range(len(sanitize_file)):
ldap_password = ldap_password.replace(sanitize_file[i],"")
file.close()
try:
l = ldap.open('localhost')
l.simple_bind("cn=Directory Manager", ldap_password)
except ldap.LDAPError, e:
print >>sys.stderr, e
sys.exit(1)
def _parse_members_from_group(group):
filter = ldap.filter.filter_format('(&(objectClass=posixgroup)(cn=%s))', (group, ))
results = l.search_s(LDAP_GROUP_BASE, ldap.SCOPE_SUBTREE, filter, ('memberUid', ))
members = set()
for entry in results:
id = entry[0]
attr = entry[1]
members.update(attr['memberUid'])
return members
def _get_attributes_from_ldap(userid, attr):
filter = ldap.filter.filter_format('(uid=%s)', (userid, ))
results = l.search_s(LDAP_USER_BASE, ldap.SCOPE_SUBTREE, filter, ('uid', attr, ))
for entry in results:
username = entry[1]['uid']
attribute = entry[1][attr]
userslist = dict(zip(username, attribute))
return userslist
def gen_passwd(length=10, chars=string.letters + string.digits):
urandom = open("/dev/urandom")
# ensure even distribution of randomly selected characters
m = 255 - 255 % len(chars)
buf = ''
pos = 0
pwd = ''
while len(pwd) < length:
if pos == len(buf):
buf = urandom.read(length * 2)
pos = 0
v = ord(buf[pos])
pos += 1
if v > m:
continue
pwd += chars[v % len(chars)]
urandom.close()
return pwd
def check_existing_password(userid):
accountsteam = _parse_members_from_group('accounts')
sysadminteam = _parse_members_from_group('sysadmin')
if _get_attributes_from_ldap(userid, 'uid') == None:
print 'The specified UID does not exist, please get in contact with the GNOME Accounts Team to know more'
sys.exit(1)
if userid in (accountsteam or sysadminteam):
print 'You are not allowed to reset your password, please contact the GNOME Sysadmin Team to know why'
sys.exit(1)
try:
userpassword = _get_attributes_from_ldap(userid, 'userPassword')
except KeyError:
add_new_password(userid)
else:
update_existing_password(userid)
def update_existing_password(userid):
dn = 'uid=%s,%s' % (userid, LDAP_USER_BASE)
getattr_userpassword = _get_attributes_from_ldap(userid, 'userPassword')
getattr_name = _get_attributes_from_ldap(userid, 'cn')
getattr_mail = _get_attributes_from_ldap(userid, 'mail')
old_password = getattr_userpassword[userid]
password = {'userPassword': '%s' % (old_password)}
newpassword = {'userPassword': gen_passwd(length=20)}
ldif = modlist.modifyModlist(password, newpassword)
l.modify_s(dn, ldif)
send_password_to_user(getattr_name[userid], getattr_mail[userid], newpassword['userPassword'])
def add_new_password(userid):
dn = 'uid=%s,%s' % (userid, LDAP_USER_BASE)
getattr_name = _get_attributes_from_ldap(userid, 'cn')
getattr_mail = _get_attributes_from_ldap(userid, 'mail')
nopassword = {'userPassword': ''}
newpassword = {'userPassword': gen_passwd(length=20)}
ldif = modlist.modifyModlist(nopassword, newpassword)
l.modify_s(dn, ldif)
send_password_to_user(getattr_name[userid], getattr_mail[userid], newpassword['userPassword'])
def send_password_to_user(name, email, password):
form_letter = """
Hello %s, your password has been reset successfully and is available here:
%s
Please login at https://account.gnome.org and update your password as soon as possible!
With cordiality,
the GNOME Accounts Team""" % (name, password)
try:
msg = MIMEText(form_letter)
msg['Subject'] = "Your GNOME password has been reset"
msg['From'] = "noreply@gnome.org"
msg['To'] = "%s" % (email)
msg['Reply-To'] = "accounts@gnome.org"
server = smtplib.SMTP("localhost")
server.sendmail(msg['From'], msg['To'], msg.as_string())
server.quit()
print "Successfully sent your password to the registered email address being %s" % (email)
except smtplib.SMTPException:
print "ERROR: I wasn't able to send the email correctly, please check /var/log/maillog!"
my_userid = os.getenv('USER')
check_existing_password(my_userid)
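Review bot: The membership guard in check_existing_password, `if userid in (accountsteam or sysadminteam):`, never consults sysadminteam, because `accountsteam or sysadminteam` evaluates to the first non-empty set, so a member of only the sysadmin group passes the check; it should read `if userid in accountsteam or userid in sysadminteam:`. The identity fed to that check comes from `os.getenv('USER')` at the bottom of the file, which is whatever the caller's environment says, so if this script is launched through sudo or a privileged wrapper the Directory Manager-backed reset can be pointed at a different uid; `pwd.getpwuid(os.getuid()).pw_name` derives the name from the real uid instead. The bind uses `simple_bind`, which is asynchronous in python-ldap and does not raise on a rejected password inside the try, so the `sys.exit(1)` path never fires; `simple_bind_s` is the synchronous form that does. `_get_attributes_from_ldap` leaves `userslist` unassigned when the search returns no entries, so the `== None` test for an unknown uid is only ever reached as an UnboundLocalError; initialise `userslist = None` before the loop. In gen_passwd the rejection test should be `if v >= m:`, since `v == m` is currently accepted and maps to `chars[0]`, biasing the generated password toward that character.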