check_pw no longer requires admin bind

jstaf · Jun 10, 2018 · 86ac5ad · 86ac5ad
1 parent fe03361
commit 86ac5ad
Showing 1 changed file with 14 additions and 11 deletions.
diff --git a/bin/ezldap b/bin/ezldap
@@ -479,19 +479,22 @@ def change_pw(argv):
 
 
 def check_pw(argv):
-    with ezldap.auto_bind(server_info=False) as con:
-        query = con.get_user(argv.username[0])
-        if query is None:
-            fail('User not found.')
-
-        ssha = query['userPassword'][0]
+    user = argv.username[0]
 
-    print('Enter password to verify...')
-    passwd = getpass.getpass()
+    # make sure the user exists first
+    conf = ezldap.config()
+    with ezldap.Connection(conf['host'], server_info=False) as anon:
+        query = anon.get_user(user)
+        if query is None:
+            fail('User does not exist.')
 
-    if ezldap.ssha_check(ssha, passwd):
-        print(fmt('Passwords match!', 'green'))
-    else:
+    passwd = getpass.getpass('Enter password to verify...')
+    try:
+        # attempt a bind as the user, if successful, passwords match
+        with ezldap.Connection(conf['host'], user=query['dn'][0],
+                               password=passwd, server_info=False) as con:
+            print(fmt('Passwords match!', 'green'))
+    except LDAPBindError:
         fail("Passwords do not match.")