authorMichael Weiser <michael.weiser@gmx.de>2019-02-27 13:07:54 +0000
committerMichael Weiser <michael.weiser@gmx.de>2019-02-28 15:10:58 +0000
commit13ae94695852169a06207a9e1380f9f2ef836e21 (patch)
tree827afd64f49f35a139a74d3574c1a61e31061b5c
parentDo not trap SIGCHLD for dash compatibility (diff)
Capture and handle ldapsearch error
Since the value of $? survives command substitution and variable assignment, we can capture and evaluate it. The next hurdle is that by default a pipe only returns the exit code of its last command, which in our case is awk, and awk always succeeds because it simply gets no input when ldapsearch fails. This could be worked around with the shell option pipefail, but that is a bashism. Instead we write the exit code to a temporary file from within a group command, as is done elsewhere in the code.
-rwxr-xr-xsrc/usr/share/laps/laps.sh24
1 files changed, 22 insertions, 2 deletions
diff --git a/src/usr/share/laps/laps.sh b/src/usr/share/laps/laps.sh
index 9780b9e..132e2e9 100755
--- a/src/usr/share/laps/laps.sh
+++ b/src/usr/share/laps/laps.sh
@@ -108,6 +108,7 @@ main_workflow() {
# 2. fetch timestamp from ldap
LAPS_epoch="$( wrapper_get_timestamp_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_TIME}" "${LAPS_LDAPCONF}" "${LAPS_DATETIME_PY}" "${LAPS_KRB5CC_TMPFILE}" )"
+ test $? -eq 0 || return 1
# 3. check timestamp to see if close to expiration
check_ts_against_expiration_threshold "${LAPS_THRESHOLD}" "${LAPS_epoch}" "${LAPS_FORCE}"
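Review bot: The new check on the line after the LAPS_epoch assignment relies on `$?` surviving the assignment, which does hold when the value is a command substitution, but the same effect is clearer and harder to break if it is attached to the assignment itself: `LAPS_epoch="$( wrapper_get_timestamp_from_ldap … )" || return 1`. That form leaves nothing between the command and its status check that a later edit could slip in. If the separate test is kept, quote it as `"$?"` to match the other two checks this commit adds. main_workflow starts before this hunk, so I cannot see how its caller treats the new `return 1`; presumably it aborts the run rather than continuing with an empty LAPS_epoch, which is the fail-closed behaviour wanted here.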
@@ -178,26 +179,42 @@ get_attrib_from_ldap() {
# execute to check for ldap or kerberos errors
___gtfl_stderr="$( KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" "${___gtfl_attrib}" 2>&1 1>/dev/null )"
+ if test "$?" -ne 0 ; then
if echo "${___gtfl_stderr}" | grep -qiE 'Ticket expired' ;
then
ferror "Kerberos ticket expired. Any values from ldap will be garbage."
+ return 1;
elif echo "${___gtfl_stderr}" | grep -qi -e 'SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Success)' ;
then
ferror "GSSAPI Error: Invalid name (Success). Try using \"SASL_NOCANON on\" in lapsldap.conf. Any values from ldap will be garbage."
+ return 1;
elif echo "${___gtfl_stderr}" | grep -qi -e 'TLS: hostname does not match CN in peer certificate' ;
then
ferror "TLS: hostname does not match CN. Try using \"TLS_REQCERT allow\" in lapsldap.conf. Any values from ldap will be garbage."
+ return 1;
else
{
echo "other ldap error:"
echo "${___gtfl_stderr}"
} | debuglevoutput 9
+ return 1;
+ fi
fi
# execute for actually fetching the value
- ___gtfl_attrib="$( KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" "${___gtfl_attrib}" 2>/dev/null | sed -r -e 's/^#.*$//;' -e '/^\s*$/d' | grep -iE -e "^${___gtfl_attrib}:" | awk '{print $2}' )"
+ ___gtfl_attrib="$( { KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" \
+ "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" \
+ "${___gtfl_attrib}" 2>/dev/null ; \
+ echo "$?" > "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" ; \
+ } | sed -r -e 's/^#.*$//;' -e '/^\s*$/d' | grep -iE -e "^${___gtfl_attrib}:" | awk '{print $2}' )"
+ ___gtfl_ldap_success="$( cat "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" )"
+ if test "$___gtfl_ldap_success" -ne 0 ; then
+ ferror "LDAP lookup failed"
+ return 1
+ fi
- # no value means either the ldap connection malfunctioned or there was no attribute by that name defined.
+ # here we can be sure that an empty value means there was no attribute by
+ # that name defined or it had an actual empty value.
echo "${___gtfl_attrib}"
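Review bot: The status check `test "$___gtfl_ldap_success" -ne 0` only fails closed by accident when the status file is empty or missing (for instance if the redirection inside the pipeline could not write it because LAPS_LDAPSEARCH_STATUS_TMPFILE is unset): `test` then complains "integer expression expected" and exits 2, which the `if` happens to treat as failure. Make that intent explicit so it survives refactoring, e.g. `case "${___gtfl_ldap_success}" in 0) ;; *) ferror "LDAP lookup failed (status: '${___gtfl_ldap_success}')"; return 1 ;; esac`, and truncate the file before the pipeline with `: > "${LAPS_LDAPSEARCH_STATUS_TMPFILE}"` so a stale `0` left by an earlier call can never be read back as success. Separately, the three ferror strings still end with "Any values from ldap will be garbage.", which is no longer accurate now that each branch returns 1 before any value is emitted; drop that sentence or reword it to say the lookup is aborted. get_attrib_from_ldap begins at the hunk header and, as far as the hunk shows, continues past its last line.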
@@ -215,6 +232,8 @@ wrapper_get_timestamp_from_ldap() {
___wgtfl_krb5cc_tmpfile="${7}"
ts_filetime="$( get_attrib_from_ldap "${___wgtfl_ldapsearch_bin}" "${___wgtfl_ldapsearch_flags}" "${___wgtfl_ldapsearch_filter}" "${___wgtfl_attrib}" "${___wgtfl_ldapconf}" "${___wgtfl_krb5cc_tmpfile}" )"
+ test "$?" -eq 0 || return 1
+
ts_epoch=0
if test -n "$ts_filetime" ; then
debuglev 3 && ferror "timestamp(FILETIME): ${ts_filetime}"
@@ -637,6 +656,7 @@ test -z "${LAPS_TMPDIR}" && LAPS_TMPDIR="$( mktemp -d /tmp/laps.XXXXXXXXXX )"
test -z "${LAPS_KRB5CC_TMPFILE}" && LAPS_KRB5CC_TMPFILE="$( TMPDIR="${LAPS_TMPDIR}" mktemp )"
test -z "${LAPS_LDIF_TMPFILE}" && LAPS_LDIF_TMPFILE="$( TMPDIR="${LAPS_TMPDIR}" mktemp )"
test -z "${LAPS_LDAPMODIFY_STATUS_TMPFILE}" && LAPS_LDAPMODIFY_STATUS_TMPFILE="$( TMPDIR="${LAPS_TMPDIR}" mktemp )"
+test -z "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" && LAPS_LDAPSEARCH_STATUS_TMPFILE="$( TMPDIR="${LAPS_TMPDIR}" mktemp )"
test -z "${LAPS_PASSWORD_STATUS_TMPFILE}" && LAPS_PASSWORD_STATUS_TMPFILE="$( TMPDIR="${LAPS_TMPDIR}" mktemp )"
define_if_new LAPS_KINIT_HOST_SCRIPT "/usr/share/bgscripts/work/kinit-host.sh"
define_if_new LAPS_KINIT_HOST_SCRIPT_DEFAULT "/usr/share/bgscripts/work/kinit-host.sh"
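Review bot: The new `mktemp` for LAPS_LDAPSEARCH_STATUS_TMPFILE has no failure check, like its siblings, so if mktemp fails (LAPS_TMPDIR missing or unwritable) the variable silently becomes the empty string and get_attrib_from_ldap later redirects ldapsearch's exit status into `""`, which only surfaces indirectly as an empty status read. Since this file is now the sole carrier of ldapsearch's exit status, abort up front instead: `test -z "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" && { LAPS_LDAPSEARCH_STATUS_TMPFILE="$( TMPDIR="${LAPS_TMPDIR}" mktemp )" || exit 1 ; }` (dash-compatible, no `set -e` required). The file lives in the `mktemp -d` directory, so its name and mode are fine; just confirm that whatever removes LAPS_TMPDIR at exit (not visible in this hunk) also covers this new file.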