Diffstat (limited to 'okupy/common/ldap_helpers.py')
-rw-r--r--okupy/common/ldap_helpers.py55
1 files changed, 27 insertions, 28 deletions
diff --git a/okupy/common/ldap_helpers.py b/okupy/common/ldap_helpers.py
index 27bc813..5b3e76a 100644
--- a/okupy/common/ldap_helpers.py
+++ b/okupy/common/ldap_helpers.py
@@ -25,7 +25,7 @@ def get_bound_ldapuser(request, password=None):
'Secondary password not available (no strong auth?)')
bound_cls = LDAPUser.bind_as(
- alias='ldap_%s' % username,
+ alias='ldap_%s' % request.session.cache_key,
username=username,
password=password,
)
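Review bot: The new `alias='ldap_%s' % request.session.cache_key` line puts a session-derived identifier into the connection alias, and as far as I know `cache_key` is only defined on Django's cache-backed session stores. If aliases ever appear in logs or tracebacks, this exposes a value that is effectively the session cookie, and a non-cache session backend would raise AttributeError here. Consider a one-way digest instead, something like `alias='ldap_%s' % hashlib.sha256(request.session.session_key).hexdigest()` (assuming the session already has a key at this point), with a comment explaining why the alias is per-session rather than per-user. get_bound_ldapuser starts before this hunk and continues after it.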
@@ -34,22 +34,21 @@ def get_bound_ldapuser(request, password=None):
def set_secondary_password(request, password):
""" Generate a secondary passsword and encrypt it in the session """
- user = get_bound_ldapuser(request, password)
-
- secondary_password = Random.get_random_bytes(48)
- request.session['secondary_password'] = cipher.encrypt(secondary_password)
- # Clean up possible leftover secondary passwords from the LDAP account
- if len(user.password) > 1:
- for hash in list(user.password):
- try:
- if not ldap_md5_crypt.verify(password, hash):
- user.password.remove(hash)
- except ValueError:
- # don't remove unknown hashes
- pass
- # Add a new generated encrypted password to LDAP
- user.password.append(ldap_md5_crypt.encrypt(b64encode(secondary_password)))
- user.save()
+ with get_bound_ldapuser(request, password) as user:
+ secondary_password = Random.get_random_bytes(48)
+ request.session['secondary_password'] = cipher.encrypt(secondary_password)
+ # Clean up possible leftover secondary passwords from the LDAP account
+ if len(user.password) > 1:
+ for hash in list(user.password):
+ try:
+ if not ldap_md5_crypt.verify(password, hash):
+ user.password.remove(hash)
+ except ValueError:
+ # don't remove unknown hashes
+ pass
+ # Add a new generated encrypted password to LDAP
+ user.password.append(ldap_md5_crypt.encrypt(b64encode(secondary_password)))
+ user.save()
def remove_secondary_password(request):
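Review bot: Inside the new `with` block, `request.session['secondary_password'] = cipher.encrypt(secondary_password)` runs before `user.save()` has succeeded, so a failed LDAP write leaves the session holding a secondary password that no LDAP hash matches. Moving that assignment to just after `user.save()` keeps the session and the directory consistent. Whether the context manager returned by get_bound_ldapuser releases the bound connection when the body raises is not visible in this hunk and is worth confirming. The loop variable `hash` also shadows the builtin here and in remove_secondary_password; `pw_hash` would read better.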
@@ -59,15 +58,15 @@ def remove_secondary_password(request):
request.session['secondary_password'], 48))
except KeyError:
return
- user = get_bound_ldapuser(request, password)
- if len(user.password) > 1:
- for hash in list(user.password):
- try:
- if ldap_md5_crypt.verify(password, hash):
- user.password.remove(hash)
- break
- except ValueError:
- # ignore unknown hashes
- pass
- user.save()
+ with get_bound_ldapuser(request, password) as user:
+ if len(user.password) > 1:
+ for hash in list(user.password):
+ try:
+ if ldap_md5_crypt.verify(password, hash):
+ user.password.remove(hash)
+ break
+ except ValueError:
+ # ignore unknown hashes
+ pass
+ user.save()
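Review bot: When no stored hash verifies against the decrypted secondary password, the loop in remove_secondary_password falls through and `user.save()` still runs, so the caller cannot tell whether the credential was actually revoked. A `for ... else` branch that logs the miss would make a failed revocation visible, e.g. `else: logger.warning('secondary password hash not found for removal')` (a module logger is assumed; none is visible in this hunk). The visible lines also leave `request.session['secondary_password']` in place; if nothing after the hunk deletes it, the stale encrypted value stays in the session. The function starts before this hunk.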