account: only update password as admin when explicitly requested

1 files changed, 9 insertions, 7 deletions

diff --git a/account.py b/account.py
index 0340564..1361669 100644
--- a/account.py
+++ b/account.py
@@ -173,7 +173,7 @@ class AccountService:
         attr = [(ldap.MOD_REPLACE, 'mail', account.mail)]
         dn = self._format_dn([('uid',account.uid),('ou','users')])
         self.connection.modify_s(dn, attr)
-        self._alter_passwords(account)
+        self._alter_passwords(account, as_admin=as_admin)
 
         self._unbind()
 
@@ -251,15 +251,17 @@ class AccountService:
         self.binded = False
 
 
-    def _alter_passwords(self, account):
+    def _alter_passwords(self, account, as_admin=False):
         if account.new_password_root:
             dn = self._format_dn([('uid',account.uid),('ou','users')])
             old, new = account.new_password_root
-            if self.admin:
-              self.connection.passwd_s(dn, None, new)
+            if as_admin:
+                self.connection.passwd_s(dn, None, new)
             else:
-              try: self.connection.passwd_s(dn, old, new)
-              except: raise InvalidPasswordError()
+                try:
+                    self.connection.passwd_s(dn, old, new)
+                except ldap.UNWILLING_TO_PERFORM:
+                    raise InvalidPasswordError()
 
             account.password = new
 
@@ -268,7 +270,7 @@ class AccountService:
         for service, passwords in account.new_password_services.items():
             dn = self._format_dn([('uid',account.uid),('cn',service),('ou','services')])
             old, new = passwords
-            if self.admin:
+            if as_admin:
               self.connection.passwd_s(dn, None, new)
             else:
               self.connection.passwd_s(dn, old, new)