
LAPS for Linux

A famous non-free operating system vendor provides a Local Administrator Password Solution (LAPS) for its flagship OS. Here is my attempt at a GNU/Linux client for the same thing. This tool sets a unique local admin password on each host and stores it in LDAP. Some Unix environments still suffer from using one root password for everything; this is the fix for that. Please note that the domain-side configuration is still required. This is only the client-side utility.


https://gitlab.com/bgstack15/laps

Updated 2018-12-07: you can now just download the rpm from my Copr.

This is written in shell, and designed and tested on CentOS 7. An rpm spec is provided if you want to bundle it in that format. Contributions of any sort are welcome. There are two main ways to use my laps4linux.

laps is the Local Administrator Password Solution for GNU/Linux.
usage: laps.sh [-duV] [-c conffile] [-t|-a] [-f] [-r [-u user] [-h host]]
version 2018-10-22a
 -d debug   Show debugging info, including parsed variables.
 -- usage   Show this usage block.
 -V version Show script version number.
 -c conf    Read in this config file. Default is /etc/laps/laps.conf
 -f force   Skip the time check and just update the password regardless.
 --noforce  Do not force. Overrides environment variable LAPS_FORCE.
 -t test    Dry run only. Useful with debugging on.
 -a apply   Turn off dry run. Default.
 -r read    Read password; do not set it. Can only be used by a domain admin. Can only be used with -u.
 -u user    Connect with kerberos ticket for this user. Default is "machine" to use host keytab.
 -h host    Read this hostname instead of $( hostname -s )
Debug levels:
 0 Silent
 9 displays sensitive info, specifically the generated password
10 function trace
Environment variables:
 See documentation at /usr/share/doc/laps/ for full explanation.

Additional notes

When implementing laps in your environment, first make sure the LDAP connectivity is working. I particularly had trouble with the Kerberos auth to the domain controllers for ldaps. The first time you run it on a Linux client, use the -f flag: the expirationTime LDAP attribute is not yet defined for that host, and the time comparison errors out on the undefined value. Maybe something like this could be implemented in FreeIPA. It's just a simple schema extension, oh, and some ACLs. I don't know if FreeIPA has ACLs on attributes, but it sounds like a logical thing to have.
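As an added illustration of the first-run problem just described (this is example code, not part of the laps project): a POSIX sh time check that treats an undefined expirationTime as "expired" instead of failing on it, honours the -f override, and rejects a malformed value rather than silently rotating. It assumes the attribute holds epoch seconds; the format actually stored in the directory may differ.

```shell
#!/bin/sh
# Added example, not the laps project's own code.
# Assumption: the expirationTime value is epoch seconds as a decimal string.

# laps_needs_update EXPIRATION FORCE [NOW]
#   EXPIRATION  value read from LDAP; empty when the attribute is undefined
#   FORCE       "1" to skip the time check (what the -f flag does)
#   NOW         current time in epoch seconds (injectable for testing)
# Exit status: 0 = rotate the password now, 1 = still valid,
#              2 = attribute present but not numeric (config problem).
laps_needs_update() {
    _exp="$1"; _force="$2"; _now="${3:-$(date +%s)}"
    if [ "$_force" = "1" ]; then
        echo "force set: skipping time check" >&2
        return 0
    fi
    if [ -z "$_exp" ]; then
        # First run: the attribute has never been written for this host.
        # Treat it as expired instead of feeding "" to a numeric test.
        echo "expirationTime undefined: treating as expired" >&2
        return 0
    fi
    case "$_exp" in
        *[!0-9]*)
            echo "expirationTime '$_exp' is not numeric" >&2
            return 2 ;;
    esac
    [ "$_now" -ge "$_exp" ] && return 0
    return 1
}

# laps_new_password [LENGTH]
# Draws LENGTH alphanumeric characters from /dev/urandom (default 20).
laps_new_password() {
    _len="${1:-20}"
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$_len"
}
```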
