fix changing password with non-existent user

2025-09-27 23:02:54 +02:00
parent fe0e8f8d0c
commit 6bc05bcca3
2 changed files with 12 additions and 2 deletions


@@ -272,6 +272,10 @@ class LUSER():
# Search LDAP entries that have object class inetOrgPerson and uid attribute equal to given user field
self.ldapconnection.search(search_base=self.base,search_filter=f'(&(objectClass=inetOrgPerson)(uid={user}))', attributes=['userPassword'])
## Check if user exists
if self.ldapconnection.response == []:
return False;
# Return userPassword attribute from the response
userpass = self.ldapconnection.response[0]['attributes']['userPassword'][0]
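Review bot: The new `response == []` check assumes the search can only match the requested account, but `user` is interpolated unescaped into `search_filter` on the line above, so filter metacharacters in the submitted name change what is matched and `response[0]` may be a different entry than the one the caller meant. If this is an ldap3 connection (the call shape suggests so), escape the value before building the filter, e.g. `uid={escape_filter_chars(user)}` with `from ldap3.utils.conv import escape_filter_chars`. The check also does not cover an entry that exists but carries no `userPassword` value, where the `[0]` index on the last line would still raise. The enclosing method starts and ends outside the hunk.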


@@ -36,8 +36,14 @@ def changepassword():
# Create a LUSER connection
luser = LUSER(LDAPHOST,LDAPADMINNAME,LDAPPASS,USERBASE,ALTUSERBASE)
if ldap_salted_sha1.verify(oldpassword, luser.getpassword(username)) == False and oldpassword != LDAPPASS:
return 'Wrong username/password combination'
# Retrive current password
currentpassword = luser.getpassword(username)
if currentpassword == False:
return 'User doesn't exist'
if ldap_salted_sha1.verify(oldpassword, currentpassword) == False and oldpassword != LDAPPASS:
return 'Wrong username/password combination'
ldaphash = ldap_salted_sha1.hash(newpassword)
althash = sha512_crypt.hash(newpassword)
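Review bot: The added `return 'User doesn't exist'` has two problems. As rendered here the apostrophe ends the single-quoted literal, which would be a syntax error, and a separate message for unknown accounts lets anyone using the form tell valid usernames from invalid ones. Returning the existing `'Wrong username/password combination'` from the `currentpassword == False` branch resolves both. The retained `oldpassword != LDAPPASS` clause means the LDAP admin password is accepted as the old password for any user and is checked with a plain string comparison; if that override is intended, it deserves a comment and a constant-time compare such as `hmac.compare_digest`. The body of changepassword starts and ends outside the hunk.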