[sysadmin-bin] Add reset-my-password.py, it will help users retrieve their very first password before resetting it
- From: Andrea Veri <av src gnome org>
- To: gnome-sysadmin gnome org,commits-list gnome org
- Subject: [sysadmin-bin] Add reset-my-password.py, it will help users retrieve their very first password before resetting it
- Date: Fri, 3 Oct 2014 10:43:02 +0000 (UTC)
commit 548cadf8c88c145497f2d71966492556c0c5c60f
Author: Andrea Veri <av gnome org>
Date: Fri Oct 3 12:42:57 2014 +0200
Add reset-my-password.py, it will help users retrieve their very first password before resetting it on
the FreeIPA Web UI
reset-my-password.py | 174 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 174 insertions(+), 0 deletions(-)
---
diff --git a/reset-my-password.py b/reset-my-password.py
new file mode 100755
index 0000000..e1ad587
--- /dev/null
+++ b/reset-my-password.py
@@ -0,0 +1,174 @@
+#!/usr/bin/python
+
+import ldap
+import ldap.filter
+import string
+import hashlib
+import smtplib
+import sys
+import os
+import ldap.modlist as modlist
+from base64 import b64encode
+from email.MIMEText import MIMEText
+from random import choice, randrange
+
+LDAP_GROUP_BASE='cn=groups,cn=accounts,dc=gnome,dc=org'
+LDAP_USER_BASE='cn=users,cn=accounts,dc=gnome,dc=org'
+
+
+file = open('/home/admin/secret/freeipa','r')
+lines = file.readlines()
+
+for line in lines:
+ if line.find("ldap_password") > -1:
+ dirty_password = line.split()
+ ldap_password = str(dirty_password)
+
+ sanitize_file=["ldap_password","=","\"","'","[","]"]
+ for i in range(len(sanitize_file)):
+ ldap_password = ldap_password.replace(sanitize_file[i],"")
+file.close()
+
+
+try:
+ l = ldap.open('localhost')
+ l.simple_bind("cn=Directory Manager", ldap_password)
+except ldap.LDAPError, e:
+ print >>sys.stderr, e
+ sys.exit(1)
+
+
+def _parse_members_from_group(group):
+
+ filter = ldap.filter.filter_format('(&(objectClass=posixgroup)(cn=%s))', (group, ))
+ results = l.search_s(LDAP_GROUP_BASE, ldap.SCOPE_SUBTREE, filter, ('memberUid', ))
+
+ members = set()
+ for entry in results:
+ id = entry[0]
+ attr = entry[1]
+
+ members.update(attr['memberUid'])
+
+
+ return members
+
+
+def _get_attributes_from_ldap(userid, attr):
+ filter = ldap.filter.filter_format('(uid=%s)', (userid, ))
+ results = l.search_s(LDAP_USER_BASE, ldap.SCOPE_SUBTREE, filter, ('uid', attr, ))
+
+ for entry in results:
+ username = entry[1]['uid']
+ attribute = entry[1][attr]
+
+ userslist = dict(zip(username, attribute))
+
+ return userslist
+
+
+def gen_passwd(length=10, chars=string.letters + string.digits):
+ urandom = open("/dev/urandom")
+ # ensure even distribution of randomly selected characters
+ m = 255 - 255 % len(chars)
+
+ buf = ''
+ pos = 0
+ pwd = ''
+ while len(pwd) < length:
+ if pos == len(buf):
+ buf = urandom.read(length * 2)
+ pos = 0
+ v = ord(buf[pos])
+ pos += 1
+
+ if v > m:
+ continue
+ pwd += chars[v % len(chars)]
+
+ urandom.close()
+
+ return pwd
+
+
+def check_existing_password(userid):
+ accountsteam = _parse_members_from_group('accounts')
+ sysadminteam = _parse_members_from_group('sysadmin')
+
+ if _get_attributes_from_ldap(userid, 'uid') == None:
+ print 'The specified UID does not exist, please get in contact with the GNOME Accounts Team to know
more'
+ sys.exit(1)
+
+ if userid in (accountsteam or sysadminteam):
+ print 'You are not allowed to reset your password, please contact the GNOME Sysadmin Team to know why'
+ sys.exit(1)
+
+ try:
+ userpassword = _get_attributes_from_ldap(userid, 'userPassword')
+ except KeyError:
+ add_new_password(userid)
+ else:
+ update_existing_password(userid)
+
+
+def update_existing_password(userid):
+ dn = 'uid=%s,%s' % (userid, LDAP_USER_BASE)
+
+ getattr_userpassword = _get_attributes_from_ldap(userid, 'userPassword')
+ getattr_name = _get_attributes_from_ldap(userid, 'cn')
+ getattr_mail = _get_attributes_from_ldap(userid, 'mail')
+ old_password = getattr_userpassword[userid]
+
+ password = {'userPassword': '%s' % (old_password)}
+ newpassword = {'userPassword': gen_passwd(length=20)}
+
+ ldif = modlist.modifyModlist(password, newpassword)
+ l.modify_s(dn, ldif)
+
+
+ send_password_to_user(getattr_name[userid], getattr_mail[userid], newpassword['userPassword'])
+
+
+def add_new_password(userid):
+ dn = 'uid=%s,%s' % (userid, LDAP_USER_BASE)
+
+ getattr_name = _get_attributes_from_ldap(userid, 'cn')
+ getattr_mail = _get_attributes_from_ldap(userid, 'mail')
+
+ nopassword = {'userPassword': ''}
+ newpassword = {'userPassword': gen_passwd(length=20)}
+
+ ldif = modlist.modifyModlist(nopassword, newpassword)
+ l.modify_s(dn, ldif)
+
+
+ send_password_to_user(getattr_name[userid], getattr_mail[userid], newpassword['userPassword'])
+
+
+def send_password_to_user(name, email, password):
+ form_letter = """
+Hello %s, your password has been reset successfully and is available here:
+
+%s
+
+Please login at https://account.gnome.org and update your password as soon as possible!
+
+With cordiality,
+
+the GNOME Accounts Team""" % (name, password)
+
+ try:
+ msg = MIMEText(form_letter)
+ msg['Subject'] = "Your GNOME password has been reset"
+ msg['From'] = "noreply gnome org"
+ msg['To'] = "%s" % (email)
+ msg['Reply-To'] = "accounts gnome org"
+ server = smtplib.SMTP("localhost")
+ server.sendmail(msg['From'], msg['To'], msg.as_string())
+ server.quit()
+ print "Successfully sent your password to the registered email address being %s" % (email)
+ except smtplib.SMTPException:
+ print "ERROR: I wasn't able to send the email correctly, please check /var/log/maillog!"
+
+my_userid = os.getenv('USER')
+check_existing_password(my_userid)
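Review bot: The exclusion test in check_existing_password, `if userid in (accountsteam or sysadminteam):`, only consults the first non-empty set, so whenever the accounts group has members the sysadmin group is never checked and its members are not blocked from resetting through this script; it should read `if userid in accountsteam or userid in sysadminteam:`. The `== None` test just above it cannot fire as written, because `_get_attributes_from_ldap` never returns None and leaves `userslist` unbound when the search returns nothing, so an unknown uid ends in an exception instead of the intended message; an explicit `return None` for an empty result would fix that. Separately, `my_userid = os.getenv('USER')` takes the caller's identity from an environment variable while the script binds as Directory Manager. How the script is invoked is not visible here, but if it runs through a privilege wrapper that preserves the environment, the name should be resolved from the invoking account's uid via the `pwd` module rather than from a caller-settable variable.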