allow password auth as fallback

ldappwd@schorschii/change.py

@@ -36,16 +36,20 @@ def escapeParam(str):
 		)
 except Exception as e:
 	eprint('Unable to bind via Kerberos: '+str(e))
-	pass
+	sys.exit(1)
 
 # bind using username and password
-if(conn == None):
-	conn = ldap3.Connection(server,
-		user=sys.argv[2],
-		password=sys.argv[3],
-		auto_bind=True,
-		receive_timeout=2
-	)
+try:
+	if(conn == None):
+		conn = ldap3.Connection(server,
+			user=sys.argv[2],
+			password=sys.argv[3],
+			auto_bind=True,
+			receive_timeout=2
+		)
+except Exception as e:
+	eprint('Unable to bind using password: '+str(e))
+	sys.exit(1)
 
 # query user dn
 userDn = None

ldappwd@schorschii/desklet.js

@@ -53,6 +53,7 @@ MyDesklet.prototype = {
 		this.settings.bindProperty(Settings.BindingDirection.BIDIRECTIONAL, "server-username", "serverUsername", this.on_setting_changed);
 		this.settings.bindProperty(Settings.BindingDirection.BIDIRECTIONAL, "server-domain", "serverDomain", this.on_setting_changed);
 		this.settings.bindProperty(Settings.BindingDirection.IN, "kerberos-authentication", "kerberosAuthentication", this.on_setting_changed);
+		this.settings.bindProperty(Settings.BindingDirection.IN, "fallback-password-authentication", "fallbackPasswordAuthentication", this.on_setting_changed);
 		this.settings.bindProperty(Settings.BindingDirection.IN, "show-notifications", "showNotifications", this.on_setting_changed);
 		this.settings.bindProperty(Settings.BindingDirection.IN, "show-buttons", "showButtons", this.on_setting_changed);
 		this.settings.bindProperty(Settings.BindingDirection.IN, "hide-decorations", "hide_decorations", this.on_setting_changed);
@@ -163,7 +164,7 @@ MyDesklet.prototype = {
 		this.refreshMenuItem = new PopupMenu.PopupMenuItem(_("Refresh Expiry Date"));
 		this._menu.addMenuItem(this.refreshMenuItem);
 		this.refreshMenuItem.setShowDot(this.angleMode == 0);
-		this.refreshMenuItem.connect("activate", Lang.bind(this, Lang.bind(this, this.refreshPasswordExpiry)));
+		this.refreshMenuItem.connect("activate", Lang.bind(this, Lang.bind(this, this.onClickRefreshPasswordExpiry)));
 
 		this.setMenuItem = new PopupMenu.PopupMenuItem(_("Set New Password"));
 		this._menu.addMenuItem(this.setMenuItem);
@@ -196,7 +197,14 @@ MyDesklet.prototype = {
 			}
 		};
 		if(this.pwdExpiry == 0) {
-			this.showMessageBox("error", _("Cannot query pwdExpiry!"), this.escapeString(err2.toString()));
+			if(password == "" && this.fallbackPasswordAuthentication) {
+				// kerberos auth failed - try with password
+				Main.notifyError(_("Cannot query pwdExpiry!"), err2.toString());
+				this.refreshPasswordExpiry(true);
+			} else {
+				// password auth failed - show error message
+				this.showMessageBox("error", _("Cannot query pwdExpiry!"), this.escapeString(err2.toString()));
+			}
 		}
 
 		// save result in settings
@@ -260,7 +268,7 @@ MyDesklet.prototype = {
 		});
 		buttonRefresh.add_actor(this.image);
 		new Tooltips.Tooltip(buttonRefresh, _("Refresh Expiry Date"));
-		buttonRefresh.connect("clicked", Lang.bind(this, this.refreshPasswordExpiry));
+		buttonRefresh.connect("clicked", Lang.bind(this, this.onClickRefreshPasswordExpiry));
 
 		// set password button
 		let buttonSetPassword = new St.Button({ style_class: "button" });
@@ -296,11 +304,17 @@ MyDesklet.prototype = {
 		this.timeout = Mainloop.timeout_add_seconds(600, Lang.bind(this, this.refreshDesklet));
 	},
 
-	refreshPasswordExpiry: function() {
+	onClickRefreshPasswordExpiry: function() {
+		// proxy function for executing refreshPasswordExpiry() via clicking a button
+		// - some other parameters are passed then, which should not be passed to refreshPasswordExpiry()
+		this.refreshPasswordExpiry();
+	},
+
+	refreshPasswordExpiry: function(forceSimpleBind = false) {
 		if(this.serverAddress == "" || this.serverUsername == "" || this.serverDomain == "") {
 			return;
 		}
-		if(this.kerberosAuthentication) {
+		if(this.kerberosAuthentication && !forceSimpleBind) {
 			this.update("");
 		} else {
 			let subprocess = new Gio.Subprocess({
@@ -385,11 +399,17 @@ MyDesklet.prototype = {
 				this.update(newPassword);
 			}
 		} else {
-			this.showMessageBox("error", _("LDAP Password Change Error"),
-				_("Please check if old password is correct, new password conforms to password policy, minimum password age is not violated, and that your account is not locked.")
-				+ "\n\n" + "Error Details: " + this.escapeString(out.toString())
-				+ "\n" + this.escapeString(err.toString())
-			);
+			if(bindPassword == "" && this.fallbackPasswordAuthentication) {
+				// kerberos auth failed - try with password auth
+				Main.notifyError(_("LDAP Password Change Error"), err.toString());
+				this.updatePassword(oldPassword, oldPassword, newPassword);
+			} else {
+				this.showMessageBox("error", _("LDAP Password Change Error"),
+					_("Please check if old password is correct, new password conforms to password policy, minimum password age is not violated, and that your account is not locked.")
+					+ "\n\n" + "Error Details: " + this.escapeString(out.toString())
+					+ "\n" + this.escapeString(err.toString())
+				);
+			}
 		}
 	},
 

ldappwd@schorschii/expiry.py

@@ -39,16 +39,20 @@ def escapeParam(str):
 		)
 except Exception as e:
 	eprint('Unable to bind via Kerberos: '+str(e))
-	pass
+	sys.exit(1)
 
 # bind using username and password
-if(conn == None):
-	conn = ldap3.Connection(server,
-		user=sys.argv[2],
-		password=sys.argv[3],
-		auto_bind=True,
-		receive_timeout=2
-	)
+try:
+	if(conn == None):
+		conn = ldap3.Connection(server,
+			user=sys.argv[2],
+			password=sys.argv[3],
+			auto_bind=True,
+			receive_timeout=2
+		)
+except Exception as e:
+	eprint('Unable to bind using password: '+str(e))
+	sys.exit(1)
 
 # query user pwdLastSet
 conn.search(sys.argv[4],

ldappwd@schorschii/metadata.json

@@ -2,6 +2,6 @@
     "uuid": "ldappwd@schorschii",
     "max-instances": "10",
     "description": "See when your domain password expires and change it.",
-    "version": "1.3",
+    "version": "1.3.1",
     "name": "LDAP Password Expiry Tool"
 }

ldappwd@schorschii/po/de.po

@@ -99,6 +99,9 @@ msgstr "Domäne"
 msgid "Enable Kerberos authentication"
 msgstr "Kerberos-Authentifizierung verwenden"
 
+msgid "Enable password authentication as fallback"
+msgstr "Passwort-Authentifizierung als Fallback verwenden"
+
 msgid "Examples:\nldap://10.1.1.1\nldaps://dc1.example.com\n\nFQDN is required for Kerberos authentication. SSL is required for the password change feature."
 msgstr "Beispiele:\nldap://10.1.1.1\nldaps://dc1.example.com\n\nDer FQDN ist erforderlich für Kerberos-Authentifizierung. SSL ist erforderlich für das Passwort-Ändern-Feature."
 

ldappwd@schorschii/po/ldappwd@schorschii.pot

@@ -107,6 +107,9 @@ msgstr ""
 msgid "Enable Kerberos authentication"
 msgstr ""
 
+msgid "Enable password authentication as fallback"
+msgstr ""
+
 msgid "Visual"
 msgstr ""
 

ldappwd@schorschii/settings-schema.json

@@ -34,6 +34,12 @@
         "default": true,
         "description": "Enable Kerberos authentication"
     },
+    "fallback-password-authentication": {
+        "type": "checkbox",
+        "default": false,
+        "description": "Enable password authentication as fallback",
+        "dependency": "kerberos-authentication"
+    },
 
     "head2": {
         "type": "header",