Add function to allow user's to set/reset their kerberos password

Remove some unused calls to retrieve the current realm

ipa-admintools/ipa-adduser

@@ -43,6 +43,8 @@ def parse_options():
                       help="User's first name")
     parser.add_option("-l", "--lastname", dest="sn",
                       help="User's last name")
+    parser.add_option("-p", "--password", dest="password",
+                      help="Set user's password")
     parser.add_option("-s", "--shell", dest="shell",
                       help="Set user's login shell to shell")
     parser.add_option("--usage", action="store_true",
@@ -75,10 +77,11 @@ def main():
     else:
         user.setValue('loginshell', "/bin/bash")
 
+    username = args[1]
+
     try:
         client = ipaclient.IPAClient()
         client.add_user(user)
-        print args[1] + " successfully added"
     except xmlrpclib.Fault, f:
         print f.faultString
         return 1
@@ -92,6 +95,14 @@ def main():
         print "%s" % (e.message)
         return 1
 
+    if options.password is not None:
+        try:
+            client.modifyPassword(username, None, options.password)
+        except ipa.ipaerror.IPAError, e:
+            print "%s" % (e.message)
+            return 1
+
+    print username + " successfully added"
     return 0
 
 main()

ipa-python/ipaclient.py

@@ -65,8 +65,6 @@ class IPAClient:
     def add_user(self,user,user_container=None):
         """Add a user. user is a ipa.user.User object"""
 
-        realm = config.config.get_realm()
-
         user_dict = user.toDict()
 
         # dn is set on the server-side
@@ -110,24 +108,25 @@ class IPAClient:
     def update_user(self,user):
         """Update a user entry."""
 
-        realm = config.config.get_realm()
-
         result = self.transport.update_user(user.origDataDict(), user.toDict())
         return result
 
     def delete_user(self,uid):
         """Delete a user entry."""
 
-        realm = config.config.get_realm()
-
         result = self.transport.delete_user(uid)
         return result
 
+    def modifyPassword(self,uid,oldpass,newpass):
+        """Modify a user's password"""
+
+        result = self.transport.modifyPassword(uid,oldpass,newpass)
+
+        return result
+
     def mark_user_deleted(self,uid):
         """Set a user as inactive by uid."""
 
-        realm = config.config.get_realm()
-
         result = self.transport.mark_user_deleted(uid)
         return result
 
@@ -150,8 +149,6 @@ class IPAClient:
     def add_group(self,group,group_container=None):
         """Add a group. group is a ipa.group.Group object"""
 
-        realm = config.config.get_realm()
-
         group_dict = group.toDict()
 
         # dn is set on the server-side

ipa-python/rpcclient.py

@@ -195,6 +195,22 @@ class RPCClient:
 
         return result
 
+    def modifyPassword(self,uid,oldpass,newpass):
+        """Modify a user's password"""
+        server = self.setup_server()
+
+        if oldpass is None:
+            oldpass = "__NONE__"
+    
+        try:
+            result = server.modifyPassword(uid,oldpass,newpass)
+        except xmlrpclib.Fault, fault:
+            raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
+        except socket.error, (value, msg):
+            raise xmlrpclib.Fault(value, msg)
+
+        return result
+
     def mark_user_deleted(self,uid):
         """Mark a user as deleted/inactive"""
         server = self.setup_server()

ipa-server/ipaserver/ipaldap.py

@@ -469,6 +469,24 @@ class IPAdmin(SimpleLDAPObject):
             raise ipaerror.gen_exception(ipaerror.LDAP_DATABASE_ERROR, None, e)
         return "Success"
 
+    def modifyPassword(self,dn,oldpass,newpass):
+        """Set the user password using RFC 3062, LDAP Password Modify Extended
+           Operation. This ends up calling the IPA password slapi plugin 
+           handler so the Kerberos password gets set properly.
+
+           oldpass is not mandatory
+        """
+
+        sctrl = self.__get_server_controls__()
+
+        try:
+            if sctrl is not None:
+                self.set_option(ldap.OPT_SERVER_CONTROLS, sctrl)
+            self.passwd_s(dn, oldpass, newpass)
+        except ldap.LDAPError, e:
+            raise ipaerror.gen_exception(ipaerror.LDAP_DATABASE_ERROR, None, e)
+        return "Success"
+
     def __wrapmethods(self):
         """This wraps all methods of SimpleLDAPObject, so that we can intercept
         the methods that deal with entries.  Instead of using a raw list of tuples

ipa-server/xmlrpc-server/funcs.py

@@ -524,6 +524,24 @@ class IPAServer:
             self.releaseConnection(conn)
         return res
 
+    def modifyPassword (self, uid, oldpass, newpass, opts=None):
+        """Set/Reset a user's password
+
+           uid tells us who's password to change
+           oldpass is the old password (if available)
+           newpass is the new password
+        """
+        user_dn = self.get_user_by_uid(uid, ['dn', 'uid', 'objectclass'], opts)
+        if user_dn is None:
+            raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND)
+
+        conn = self.getConnection(opts)
+        try:
+            res = conn.modifyPassword(user_dn['dn'], oldpass, newpass)
+        finally:
+            self.releaseConnection(conn)
+        return res
+
 # Group support
 
     def __is_group_unique(self, cn, opts):

ipa-server/xmlrpc-server/ipaxmlrpc.py

@@ -308,6 +308,7 @@ def handler(req, profiling=False):
             h.register_function(f.update_user)
             h.register_function(f.delete_user)
             h.register_function(f.mark_user_deleted)
+            h.register_function(f.modifyPassword)
             h.register_function(f.get_group_by_cn)
             h.register_function(f.get_group_by_dn)
             h.register_function(f.add_group)