Merge branch 'dev' into 'master'

version 0.0.2 Closes #4, #3, and #2 See merge request bgstack15/laps!1
author: B Stack <bgstack15@gmail.com> 2018-10-24 19:56:52 +0000
committer: B Stack <bgstack15@gmail.com> 2018-10-24 19:56:52 +0000
commit: 9962f3e4740c33a903070a2d3ccfaf57b757a61f (patch)
tree: f99d8fc99cfea985cd8fda7181d0643a91731cd9
parent: initial commit and release of v0.0.1 (diff)
parent: fix version.txt and the way build script learns version (diff)
download: laps-9962f3e4740c33a903070a2d3ccfaf57b757a61f.tar.gz
laps-9962f3e4740c33a903070a2d3ccfaf57b757a61f.tar.bz2
laps-9962f3e4740c33a903070a2d3ccfaf57b757a61f.zip
6 files changed, 44 insertions, 9 deletions
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..fd250cc
--- /dev/null
+++ b/README.md
@@ -0,0 +1,4 @@
+# Overview for laps
+Laps is an open-source implementation of LAPS (Local Administrator Password Solution) for GNU/Linux.
+
+This [repository](https://gitlab.com/bgstack15/laps) is the home for laps4linux, or just *laps*. The [full readme](src/usr/share/doc/laps/README.md) is available farther down in the source tree.
diff --git a/build-laps.sh b/build-laps.sh
index a7fee94..e53486c 100755
--- a/build-laps.sh
+++ b/build-laps.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 
 test -z "${PACK_PACKAGE}" && PACK_PACKAGE=laps
-test -z "${PACK_VERSION}" && PACK_VERSION=0.0.1
+test -z "${PACK_VERSION}" && PACK_VERSION="$( cat src/usr/share/doc/laps/version.txt )"
 test -z "${PACK_DIR}" && PACK_DIR="$( readlink -f "$( dirname "${0}" )" )"
 test -z "${RPMBUILD_SOURCES_DIR}" && RPMBUILD_SOURCES_DIR="/home/${USER}/rpmbuild/SOURCES"
 
diff --git a/laps.spec b/laps.spec
index 6b6417d..da57c47 100644
--- a/laps.spec
+++ b/laps.spec
@@ -1,6 +1,6 @@
 %define debug_package %{nil}
 Name:		laps
-Version:	0.0.1
+Version:	0.0.2
 Release:	1
 Summary:	local administrator password solution
 
@@ -34,7 +34,8 @@ laps provides the GNU/Linux client for the LAPS (Local Administrator Password So
 
 %install
 #make install DESTDIR=%{buildroot}
-cp -pr %{name}/src/* "%{buildroot}"
+# the %%name* allows for either laps-0.0.0/ or laps/ dirname.
+cp -pr %{name}*/src/* "%{buildroot}"
 
 %files
 %doc %{_docdir}/%{name}/*
@@ -43,5 +44,5 @@ cp -pr %{name}/src/* "%{buildroot}"
 %{_datadir}/%{name}
 
 %changelog
-* Tue Oct 23 2018 B Stack <bgstack15@gmail.com> 0.0.1-1
+* Wed Oct 24 2018 B Stack <bgstack15@gmail.com> 0.0.2-1
 - initial rpm built
diff --git a/src/usr/share/doc/laps/changes b/src/usr/share/doc/laps/changes
new file mode 100644
index 0000000..9566fdc
--- /dev/null
+++ b/src/usr/share/doc/laps/changes
@@ -0,0 +1,4 @@
+* Oct 24 2018 B Stack <bgstack15@gmail.com> 0.0.2-1
+- fix $2 read action should provide date of expiration on -d 1
+- fix #3 add readme.md to front directory
+- fix #4 laps does not recognize expired kerberos tickets
diff --git a/src/usr/share/doc/laps/version.txt b/src/usr/share/doc/laps/version.txt
index 8acdd82..4e379d2 100644
--- a/src/usr/share/doc/laps/version.txt
+++ b/src/usr/share/doc/laps/version.txt
@@ -1 +1 @@
-0.0.1
+0.0.2
diff --git a/src/usr/share/laps/laps.sh b/src/usr/share/laps/laps.sh
index ef206c8..b3f9b98 100755
--- a/src/usr/share/laps/laps.sh
+++ b/src/usr/share/laps/laps.sh
@@ -23,7 +23,7 @@
 #    sed (sed)
 #    awk (gawk)
 fiversion="2018-09-12a"
-lapsversion="2018-10-22a"
+lapsversion="2018-10-24a"
 
 usage() {
    ${PAGER:-/usr/bin/less -F} >&2 <<ENDUSAGE
@@ -31,7 +31,7 @@ laps is the Local Administrator Password Solution for GNU/Linux.
 usage: laps.sh [-duV] [-c conffile] [-t|-a] [-f] [-r [-u <username>] [-h <hostname>]]
 version ${lapsversion}
  -d debug   Show debugging info, including parsed variables.
- -u usage   Show this usage block.
+ --usage    Show this usage block.
  -V version Show script version number.
  -c conf    Read in this config file. Default is /etc/laps/laps.conf
  -f force   Skip the time check and just update the password regardless.
@@ -88,6 +88,10 @@ read_workflow() {
    # 2. fetch and display host password
    get_attrib_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_PW}" "${LAPS_LDAPCONF}" "${LAPS_KRB5CC_TMPFILE}"
 
+   # 3. fetch and display expiration if the various debug levels
+   # this is called for the debuglev actions inside it, not for the output directly
+   wrapper_get_timestamp_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_TIME}" "${LAPS_LDAPCONF}" "${LAPS_DATETIME_PY}" "${LAPS_KRB5CC_TMPFILE}" 1>/dev/null
+
 }
 
 main_workflow() {
@@ -165,12 +169,34 @@ get_attrib_from_ldap() {
    ___gtfl_ldapconf="${5}"
    ___gtfl_krb5cc_tmpfile="${6}"
 
+   # execute for the purpose of displaying when debug level is high enough
    {
       debuglev 8 && set -x
       KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" "${___gtfl_attrib}" 2>&1 | debuglevoutput 8
       set +x
    } 1>&2
+
+   # execute to check for ldap or kerberos errors
+   ___gtfl_stderr="$( KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" "${___gtfl_attrib}" 2>&1 1>/dev/null )"
+   if echo "${___gtfl_stderr}" | grep -qiE 'Ticket expired' ;
+   then
+      ferror "Kerberos ticket expired. Any values from ldap will be garbage."
+   elif echo "${___gtfl_stderr}" | grep -qi -e 'SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Success)' ;
+   then
+      ferror "GSSAPI Error: Invalid name (Success). Try using \"SASL_NOCANON on\" in lapsldap.conf. Any values from ldap will be garbage."
+   elif echo "${___gtfl_stderr}" | grep -qi -e 'TLS: hostname does not match CN in peer certificate' ;
+   then
+      ferror "TLS: hostname does not match CN. Try using \"TLS_REQCERT allow\" in lapsldap.conf. Any values from ldap will be garbage."
+   else
+      {
+         echo "other ldap error:"
+         echo "${___gtfl_stderr}"
+      } | debuglevoutput 9
+   fi
+
+   # execute for actually fetching the value
    ___gtfl_attrib="$( KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" "${___gtfl_attrib}" 2>/dev/null | sed -r -e 's/^#.*$//;' -e '/^\s*$/d' | grep -iE -e "^${___gtfl_attrib}:" | awk '{print $2}' )"
+
    # no value means either the ldap connection malfunctioned or there was no attribute by that name defined.
 
    echo "${___gtfl_attrib}"
@@ -458,7 +484,7 @@ get_user_kerberos_ticket() {
       echo "klist_krb5cc=${___gukt_klist_krb5cc}"
       echo "klist_user=${___gukt_klist_user}"
       echo "klist_krbtgt=${___gukt_klist_krbtgt}"
-   } | debuglevoutput 3
+   } | debuglevoutput 5
 
    if test -z "${___gukt_klist_krbtgt}" ;
    then
@@ -661,7 +687,7 @@ debuglev 5 && {
 
 # MAIN LOOP
 #{
-   echo "action ${LAPS_ACTION}" | debuglevoutput 1
+   echo "action ${LAPS_ACTION}" | debuglevoutput 4
    case "${LAPS_ACTION}" in
       read)
          read_workflow
author	B Stack <bgstack15@gmail.com>	2018-10-24 19:56:52 +0000
committer	B Stack <bgstack15@gmail.com>	2018-10-24 19:56:52 +0000
commit	9962f3e4740c33a903070a2d3ccfaf57b757a61f (patch)
tree	f99d8fc99cfea985cd8fda7181d0643a91731cd9
parent	initial commit and release of v0.0.1 (diff)
parent	fix version.txt and the way build script learns version (diff)
download	laps-9962f3e4740c33a903070a2d3ccfaf57b757a61f.tar.gz laps-9962f3e4740c33a903070a2d3ccfaf57b757a61f.tar.bz2 laps-9962f3e4740c33a903070a2d3ccfaf57b757a61f.zip