aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorB Stack <bgstack15@gmail.com>2018-10-24 15:25:57 -0400
committerB Stack <bgstack15@gmail.com>2018-10-24 15:25:57 -0400
commit6a3dea9f785d0a3412dfd647a3a0123635e0c9c0 (patch)
treed3b827e948263d1dfde9a497fe65d7679332d417
parentrpm spec %install uses %{name}*/ dir (diff)
downloadlaps-6a3dea9f785d0a3412dfd647a3a0123635e0c9c0.tar.gz
laps-6a3dea9f785d0a3412dfd647a3a0123635e0c9c0.tar.bz2
laps-6a3dea9f785d0a3412dfd647a3a0123635e0c9c0.zip
release 0.0.2
fix $2 read action should provide date of expiration on -d 1 fix #3 add readme.md to front directory fix #4 laps does not recognize expired kerberos tickets rpm: actually complete builds with rpkg on copr
-rw-r--r--README.md4
-rw-r--r--laps.spec6
-rw-r--r--src/usr/share/doc/laps/changes4
-rwxr-xr-xsrc/usr/share/laps/laps.sh34
4 files changed, 41 insertions, 7 deletions
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..fd250cc
--- /dev/null
+++ b/README.md
@@ -0,0 +1,4 @@
+# Overview for laps
+Laps is an open-source implementation of LAPS (Local Administrator Password Solution) for GNU/Linux.
+
+This [repository](https://gitlab.com/bgstack15/laps) is the home for laps4linux, or just *laps*. The [full readme](src/usr/share/doc/laps/README.md) is available farther down in the source tree.
diff --git a/laps.spec b/laps.spec
index ef59c20..da57c47 100644
--- a/laps.spec
+++ b/laps.spec
@@ -1,7 +1,7 @@
%define debug_package %{nil}
Name: laps
-Version: 0.0.1
-Release: 2
+Version: 0.0.2
+Release: 1
Summary: local administrator password solution
Group: system
@@ -44,5 +44,5 @@ cp -pr %{name}*/src/* "%{buildroot}"
%{_datadir}/%{name}
%changelog
-* Tue Oct 23 2018 B Stack <bgstack15@gmail.com> 0.0.1-1
+* Wed Oct 24 2018 B Stack <bgstack15@gmail.com> 0.0.2-1
- initial rpm built
diff --git a/src/usr/share/doc/laps/changes b/src/usr/share/doc/laps/changes
new file mode 100644
index 0000000..9566fdc
--- /dev/null
+++ b/src/usr/share/doc/laps/changes
@@ -0,0 +1,4 @@
+* Oct 24 2018 B Stack <bgstack15@gmail.com> 0.0.2-1
+- fix $2 read action should provide date of expiration on -d 1
+- fix #3 add readme.md to front directory
+- fix #4 laps does not recognize expired kerberos tickets
diff --git a/src/usr/share/laps/laps.sh b/src/usr/share/laps/laps.sh
index ef206c8..b3f9b98 100755
--- a/src/usr/share/laps/laps.sh
+++ b/src/usr/share/laps/laps.sh
@@ -23,7 +23,7 @@
# sed (sed)
# awk (gawk)
fiversion="2018-09-12a"
-lapsversion="2018-10-22a"
+lapsversion="2018-10-24a"
usage() {
${PAGER:-/usr/bin/less -F} >&2 <<ENDUSAGE
@@ -31,7 +31,7 @@ laps is the Local Administrator Password Solution for GNU/Linux.
usage: laps.sh [-duV] [-c conffile] [-t|-a] [-f] [-r [-u <username>] [-h <hostname>]]
version ${lapsversion}
-d debug Show debugging info, including parsed variables.
- -u usage Show this usage block.
+ --usage Show this usage block.
-V version Show script version number.
-c conf Read in this config file. Default is /etc/laps/laps.conf
-f force Skip the time check and just update the password regardless.
@@ -88,6 +88,10 @@ read_workflow() {
# 2. fetch and display host password
get_attrib_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_PW}" "${LAPS_LDAPCONF}" "${LAPS_KRB5CC_TMPFILE}"
+ # 3. fetch and display expiration if the various debug levels
+ # this is called for the debuglev actions inside it, not for the output directly
+ wrapper_get_timestamp_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_TIME}" "${LAPS_LDAPCONF}" "${LAPS_DATETIME_PY}" "${LAPS_KRB5CC_TMPFILE}" 1>/dev/null
+
}
main_workflow() {
@@ -165,12 +169,34 @@ get_attrib_from_ldap() {
___gtfl_ldapconf="${5}"
___gtfl_krb5cc_tmpfile="${6}"
+ # execute for the purpose of displaying when debug level is high enough
{
debuglev 8 && set -x
KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" "${___gtfl_attrib}" 2>&1 | debuglevoutput 8
set +x
} 1>&2
+
+ # execute to check for ldap or kerberos errors
+ ___gtfl_stderr="$( KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" "${___gtfl_attrib}" 2>&1 1>/dev/null )"
+ if echo "${___gtfl_stderr}" | grep -qiE 'Ticket expired' ;
+ then
+ ferror "Kerberos ticket expired. Any values from ldap will be garbage."
+ elif echo "${___gtfl_stderr}" | grep -qi -e 'SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Success)' ;
+ then
+ ferror "GSSAPI Error: Invalid name (Success). Try using \"SASL_NOCANON on\" in lapsldap.conf. Any values from ldap will be garbage."
+ elif echo "${___gtfl_stderr}" | grep -qi -e 'TLS: hostname does not match CN in peer certificate' ;
+ then
+ ferror "TLS: hostname does not match CN. Try using \"TLS_REQCERT allow\" in lapsldap.conf. Any values from ldap will be garbage."
+ else
+ {
+ echo "other ldap error:"
+ echo "${___gtfl_stderr}"
+ } | debuglevoutput 9
+ fi
+
+ # execute for actually fetching the value
___gtfl_attrib="$( KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" "${___gtfl_attrib}" 2>/dev/null | sed -r -e 's/^#.*$//;' -e '/^\s*$/d' | grep -iE -e "^${___gtfl_attrib}:" | awk '{print $2}' )"
+
# no value means either the ldap connection malfunctioned or there was no attribute by that name defined.
echo "${___gtfl_attrib}"
@@ -458,7 +484,7 @@ get_user_kerberos_ticket() {
echo "klist_krb5cc=${___gukt_klist_krb5cc}"
echo "klist_user=${___gukt_klist_user}"
echo "klist_krbtgt=${___gukt_klist_krbtgt}"
- } | debuglevoutput 3
+ } | debuglevoutput 5
if test -z "${___gukt_klist_krbtgt}" ;
then
@@ -661,7 +687,7 @@ debuglev 5 && {
# MAIN LOOP
#{
- echo "action ${LAPS_ACTION}" | debuglevoutput 1
+ echo "action ${LAPS_ACTION}" | debuglevoutput 4
case "${LAPS_ACTION}" in
read)
read_workflow
bgstack15