Merge branch 'dev' into 'master'

Version 0.0.5

See merge request bgstack15/laps!6

4 files changed, 37 insertions, 259 deletions

diff --git a/laps.spec b/laps.spec
index 9fce9fb..2b8bf26 100644
--- a/laps.spec
+++ b/laps.spec
@@ -1,6 +1,6 @@
 %define debug_package %{nil}
 Name:		laps
-Version:	0.0.4
+Version:	0.0.5
 Release:	1
 Summary:	local administrator password solution
 
@@ -11,7 +11,7 @@ Source0:	laps-%{version}.tgz
 
 BuildArch:	noarch
 BuildRequires:	coreutils
-Requires:	bgscripts-core >= 1.4.3
+Requires:	bgscripts-core >= 1.4.4
 Requires:	krb5-workstation
 Requires:	openldap-clients
 Requires:	passwd
@@ -44,5 +44,5 @@ cp -pr %{name}*/src/* "%{buildroot}"
 %{_datadir}/%{name}
 
 %changelog
-* Fri Mar  1 2019 B Stack <bgstack15@gmail.com> 0.0.3-1
+* Thu Jul 18 2019 B Stack <bgstack15@gmail.com> 0.0.5-1
 - rpm built
diff --git a/src/usr/share/doc/laps/changes b/src/usr/share/doc/laps/changes
index 867a14a..c7067e3 100644
--- a/src/usr/share/doc/laps/changes
+++ b/src/usr/share/doc/laps/changes
@@ -10,3 +10,6 @@
 * May 29 2019 B Stack <bgstack15@gmail.com> - 0.0.4-1
 - fix #6 document the -i interactive flag
 - fix #7 add LAPS_KINIT_HOST_SCRIPT_OPTS
+
+* Thu Jul 18 2019 B Stack <bgstack15@gmail.com> - 0.0.5-1
+- move library functions out of laps
diff --git a/src/usr/share/doc/laps/version.txt b/src/usr/share/doc/laps/version.txt
index 81340c7..bbdeab6 100644
--- a/src/usr/share/doc/laps/version.txt
+++ b/src/usr/share/doc/laps/version.txt
@@ -1 +1 @@
-0.0.4
+0.0.5
diff --git a/src/usr/share/laps/laps.sh b/src/usr/share/laps/laps.sh
index daa0d2f..1023dc4 100755
--- a/src/usr/share/laps/laps.sh
+++ b/src/usr/share/laps/laps.sh
@@ -7,12 +7,12 @@
 # Purpose: LAPS Equivalent for GNU/Linux
 # Package: laps
 # History: see upstream project at https://gitlab.com/bgstack15/laps
-# Usage: 
+# Usage:
 # Reference: ftemplate.sh 2018-09-12a; framework.sh 2018-09-12a
 # Improve:
 # Dependencies:
 #    bundled: dependencies/datetime.py
-#    framework.sh, kinit-host (bgscripts-core >= 1.4.3)
+#    framework.sh, kinit-host, shldap >= 20190717 (bgscripts-core >= 1.4.4)
 #    kinit, klist (krb5-workstation)
 #    ldapsearch, ldapmodify (openldap-clients)
 #    passwd (passwd)
@@ -23,7 +23,7 @@
 #    sed (sed)
 #    awk (gawk)
 fiversion="2018-09-12a"
-lapsversion="2019-05-29a"
+lapsversion="2019-07-17a"
 
 usage() {
    ${PAGER:-/usr/bin/less -F} >&2 <<ENDUSAGE
@@ -82,16 +82,16 @@ debuglevoutput() {
 }
 
 read_workflow() {
-   
+
    # 1. get user kerberos ticket
    get_user_kerberos_ticket "${LAPS_KERBEROS_USER}" "${LAPS_USER_IS_ROOT}" "${LAPS_KRB5CC_TMPFILE}" "${LAPS_INTERACTIVE}" "${LAPS_KINIT_BIN}" "${LAPS_KLIST_BIN}"
 
    # 2. fetch and display host password
-   get_attrib_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_PW}" "${LAPS_LDAPCONF}" "${LAPS_KRB5CC_TMPFILE}"
+   get_attrib_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_PW}" "${LAPS_LDAPCONF}" "${LAPS_KRB5CC_TMPFILE}" "${LAPS_LDAPSEARCH_STATUS_TMPFILE}"
 
    # 3. fetch and display expiration if the various debug levels
    # this is called for the debuglev actions inside it, not for the output directly
-   wrapper_get_timestamp_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_TIME}" "${LAPS_LDAPCONF}" "${LAPS_DATETIME_PY}" "${LAPS_KRB5CC_TMPFILE}" 1>/dev/null
+   wrapper_get_timestamp_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_TIME}" "${LAPS_LDAPCONF}" "${LAPS_DATETIME_PY}" "${LAPS_KRB5CC_TMPFILE}" "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" 1>/dev/null
 
 }
 
@@ -108,7 +108,7 @@ main_workflow() {
    get_host_keytab "${LAPS_KINIT_HOST_SCRIPT}" "${LAPS_KINIT_HOST_SCRIPT_OPTS}" "${LAPS_KLIST_BIN}" "${LAPS_KRB5CC_TMPFILE}" || { ferror "${0}: unable to get host kerberos ticket. Aborted." ; exit 6 ; }
 
    # 2. fetch timestamp from ldap
-   LAPS_epoch="$( wrapper_get_timestamp_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_TIME}" "${LAPS_LDAPCONF}" "${LAPS_DATETIME_PY}" "${LAPS_KRB5CC_TMPFILE}" )"
+   LAPS_epoch="$( wrapper_get_timestamp_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_TIME}" "${LAPS_LDAPCONF}" "${LAPS_DATETIME_PY}" "${LAPS_KRB5CC_TMPFILE}" "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" )"
    LAPS_epoch_response="$?"
    test ${LAPS_epoch_response} -eq 0 || return "${LAPS_epoch_response}"
 
@@ -120,7 +120,7 @@ main_workflow() {
    LAPS_timestamp="$( get_current_filetime "${LAPS_DATETIME_PY}" "${LAPS_TIMELIMIT}" )"
 
    # 5. update ldap
-   wrapper_update_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_LDAPSEARCH_UNIQUE_ID}" "${LAPS_LDAPCONF}" "${LAPS_KRB5CC_TMPFILE}" "${LAPS_ATTRIB_PW}" "${LAPS_phrase}" "${LAPS_ATTRIB_TIME}" "${LAPS_timestamp}" "${LAPS_LDIF_TMPFILE}" "${LAPS_LDAPMODIFY_BIN}" "${LAPS_LDAPMODIFY_FLAGS}" "${LAPS_TEST}"
+   update_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_LDAPSEARCH_UNIQUE_ID}" "${LAPS_LDAPCONF}" "${LAPS_KRB5CC_TMPFILE}" ":" "${LAPS_ATTRIB_PW}:${LAPS_ATTRIB_TIME}" "${LAPS_phrase}:${LAPS_timestamp}" "${LAPS_LDIF_TMPFILE}" "${LAPS_LDAPMODIFY_BIN}" "${LAPS_LDAPMODIFY_FLAGS}" "${LAPS_TEST}" "${LAPS_LDAPSEARCH_STATUS_TMPFILE}"
 
    # 6. if ^ was successful, change password for configured user
    wrapper_change_password "${LAPS_phrase}" "${LAPS_USER}" "${LAPS_PASSWD_BIN}" "${LAPS_TEST}"
@@ -130,105 +130,8 @@ main_workflow() {
 
 }
 
-get_host_keytab() {
-   # call: get_host_keytab "${LAPS_KINIT_HOST_SCRIPT}" "${LAPS_KINIT_HOST_SCRIPT_OPTS}" "${LAPS_KLIST_BIN}" "${LAPS_KRB5CC_TMPFILE}"
-   # returns: nothing.
-   # action: get host kerberos ticket-granting ticket
-   debuglev 10 && ferror "get_host_keytab $@"
-   ___ghk_kinit_host_script="${1}"
-   ___ghk_kinit_host_script_opts="${2}"
-   ___ghk_klist_bin="${3}"
-   ___ghk_krb5cc_tmpfile="${4}"
-
-   test -z "${___ghk_kinit_host_script}" && ___ghk_kinit_host_script="${LAPS_KINIT_HOST_SCRIPT_DEFAULT}"
-
-   if test -e "${___ghk_kinit_host_script}" ;
-   then
-      KRB5CCNAME=FILE:"${___ghk_krb5cc_tmpfile}" "${___ghk_kinit_host_script}" ${___ghk_kinit_host_script_opts}
-   else
-      debuglev 3 && ferror "debug3: Using built-in logic to fetch host kerberos ticket because unable to find LAPS_KINIT_HOST_SCRIPT=${___ghk_kinit_host_script}"
-      # do internal logic here
-      # find kinit
-      ___ghk_kinit_bin="$( find "${LAPS_KINIT_BIN}" /usr/bin/kinit /bin/kinit /usr/local/bin/kinit -print -quit 2>/dev/null | head -n1 )"
-      if ! test -e "${___ghk_kinit_bin}" ;
-      then
-         ferror "${scriptname}: 4 fatal! Unable to find kinit. Please use variable LAPS_KINIT_BIN. Aborted."
-      fi
-      # cannot use requested server name here. root@localhost can only use its own kerberos ticket.
-      # observe that no domain name is given (after the dollar sign). This will force kerberos to choose, based on the default_realm value in /etc/krb5.conf.
-      "${___ghk_kinit_bin}" -k -c "${___ghk_krb5cc_tmpfile}" "$( hostname -s | tr '[[:lower:]]' '[[:upper:]]' )\$" | debuglevoutput 7
-   fi
-
-   # return true if klist returns true
-   "${___ghk_klist_bin}" -c "${___ghk_krb5cc_tmpfile}" | debuglevoutput 7
-
-}
-
-get_attrib_from_ldap() {
-   # call: get_attrib_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_TIME}" "${LAPS_LDAPCONF}" "${LAPS_KRB5CC_TMPFILE}"
-   debuglev 10 && ferror "get_attrib_from_ldap $@"
-   ___gtfl_ldapsearch_bin="${1}"
-   ___gtfl_ldapsearch_flags="${2}"
-   ___gtfl_ldapsearch_filter="${3}"
-   ___gtfl_attrib="${4}"
-   ___gtfl_ldapconf="${5}"
-   ___gtfl_krb5cc_tmpfile="${6}"
-
-   # execute for the purpose of displaying when debug level is high enough
-   {
-      debuglev 8 && set -x
-      KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" "${___gtfl_attrib}" 2>&1 | debuglevoutput 8
-      set +x
-   } 1>&2
-
-   # execute to check for ldap or kerberos errors
-   ___gtfl_stderr="$( KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" "${___gtfl_attrib}" 2>&1 1>/dev/null )"
-   ___gtfl_stderr_response="$?"
-   if test ${___gtfl_stderr_response} -ne 0 ;
-   then
-      if echo "${___gtfl_stderr}" | grep -qiE 'Ticket expired' ;
-      then
-         ferror "Fatal: Kerberos ticket expired."
-         return 1;
-      elif echo "${___gtfl_stderr}" | grep -qi -e 'SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Success)' ;
-      then
-         ferror "Fatal: GSSAPI Error: Invalid name (Success). Try using \"SASL_NOCANON on\" in lapsldap.conf."
-         return 1;
-      elif echo "${___gtfl_stderr}" | grep -qi -e 'TLS: hostname does not match CN in peer certificate' ;
-      then
-         ferror "Fatal: TLS: hostname does not match CN. Try using \"TLS_REQCERT allow\" in lapsldap.conf."
-         return 1;
-      else
-         {
-            echo "Fatal: other ldap error:"
-            echo "${___gtfl_stderr}"
-         } | debuglevoutput 9
-         return 1;
-      fi
-   fi
-
-   # execute for actually fetching the value
-   ___gtfl_attrib="$( { KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" \
-         "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" \
-         "${___gtfl_attrib}" 2>/dev/null ; \
-         echo "$?" > "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" ; \
-      } | sed -r -e 's/^#.*$//;' -e '/^\s*$/d' | grep -iE -e "^${___gtfl_attrib}:" | awk '{print $2}' )"
-   ___gtfl_ldap_success="$( { cat "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" 2>/dev/null ; echo "1" ; } | head -n1 )"
-   if test "${___gtfl_ldap_success}" != "0" ;
-   then
-      ferror "Fatal: LDAP lookup failed"
-      return 1
-   fi
-
-   # here we can be sure that an empty value means there was no attribute by
-   # that name defined or it had an actual empty value.
-
-   echo "${___gtfl_attrib}"
-
-}
-
 wrapper_get_timestamp_from_ldap() {
-   # call: wrapper_get_timestamp_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_TIME}" "${LAPS_LDAPCONF}" "${LAPS_DATETIME_PY}" "${LAPS_KRB5CC_TMPFILE}"
+   # call: wrapper_get_timestamp_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_TIME}" "${LAPS_LDAPCONF}" "${LAPS_DATETIME_PY}" "${LAPS_KRB5CC_TMPFILE}" "${LAPS_LDAPSEARCH_STATUS_TMPFILE}"
    debuglev 10 && ferror "wrapper_get_timestamp_from_ldap $@"
    ___wgtfl_ldapsearch_bin="${1}"
    ___wgtfl_ldapsearch_flags="${2}"
@@ -237,8 +140,9 @@ wrapper_get_timestamp_from_ldap() {
    ___wgtfl_ldapconf="${5}"
    ___wgtfl_datetime_py="${6}"
    ___wgtfl_krb5cc_tmpfile="${7}"
+   ___wgtfl_ldapsearch_status_tmpfile="${8}"
 
-   ts_filetime="$( get_attrib_from_ldap "${___wgtfl_ldapsearch_bin}" "${___wgtfl_ldapsearch_flags}" "${___wgtfl_ldapsearch_filter}" "${___wgtfl_attrib}" "${___wgtfl_ldapconf}" "${___wgtfl_krb5cc_tmpfile}" )"
+   ts_filetime="$( get_attrib_from_ldap "${___wgtfl_ldapsearch_bin}" "${___wgtfl_ldapsearch_flags}" "${___wgtfl_ldapsearch_filter}" "${___wgtfl_attrib}" "${___wgtfl_ldapconf}" "${___wgtfl_krb5cc_tmpfile}" "${___wgtfl_ldapsearch_status_tmpfile}" )"
    ts_filetime_response="$?"
    test ${ts_filetime_response} -eq 0 || return "${ts_filetime_response}"
 
@@ -324,7 +228,7 @@ get_current_filetime() {
    ___gcf_timelimit="${2}"
 
    ___gcf_timestamp="$( "${___gcf_datetime_py}" -f "$( date -u -d "now+${___gcf_timelimit}" "+%s" )" )"
-   
+
    if ! fisnum "${___gcf_timestamp}" ;
    then
       ferror "${scriptfile}: 4 fatal! Could not generate valid timestamp. Aborted."
@@ -336,62 +240,6 @@ get_current_filetime() {
    echo "${___gcf_timestamp}"
 }
 
-wrapper_update_ldap() {
-   # call: wrapper_update_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_LDAPSEARCH_UNIQUE_ID}" "${LAPS_LDAPCONF}" "${LAPS_KRB5CC_TMPFILE}" "${LAPS_ATTRIB_PW}" "${LAPS_phrase}" "${LAPS_ATTRIB_TIME}" "${LAPS_timestamp}" "${LAPS_LDIF_TMPFILE}" "${LAPS_LDAPMODIFY_BIN}" "${LAPS_LDAPMODIFY_FLAGS}" "${LAPS_TEST}"
-   debuglev 10 && ferror "wrapper_update_ldap $@"
-   ___wul_ldapsearch_bin="${1}"
-   ___wul_ldapsearch_flags="${2}"
-   ___wul_ldapsearch_filter="${3}"
-   ___wul_ldapsearch_unique_id="${4}"
-   ___wul_ldapconf="${5}"
-   ___wul_krb5cc_tmpfile="${6}"
-   ___wul_attrib_pw="${7}"
-   ___wul_phrase="${8}"
-   ___wul_attrib_time="${9}"
-   ___wul_timestamp="${10}"
-   ___wul_ldif_tmpfile="${11}"
-   ___wul_ldapmodify_bin="${12}"
-   ___wul_ldapmodify_flags="${13}"
-   ___wul_test="${14}"
-
-   # learn dn
-   ___wul_dn="$( get_attrib_from_ldap "${___wul_ldapsearch_bin}" "${___wul_ldapsearch_flags}" "${___wul_ldapsearch_filter}" "${___wul_ldapsearch_unique_id}" "${___wul_ldapconf}" "${___wul_krb5cc_tmpfile}" )"
-
-   # generate ldif
-   {
-      echo "${___wul_ldapsearch_unique_id}: ${___wul_dn}"
-      echo "changetype: modify"
-      echo "replace: ${___wul_attrib_pw}"
-      echo "${___wul_attrib_pw}: ${___wul_phrase}"
-      printf "%s\n" "-"
-      echo "replace: ${___wul_attrib_time}"
-      echo "${___wul_attrib_time}: ${___wul_timestamp}"
-   } > "${___wul_ldif_tmpfile}"
-   unset ___wul_ldapmodify_flag_verbose ; debuglev 9 && ___wul_ldapmodify_flag_verbose="-v"
-
-   # add -n to this command if flag --test is used.
-   unset ___wul_ldapmodify_flag_test ; fistruthy "${___wul_test}" && ___wul_ldapmodify_flag_test="-n"
-   {
-      KRB5CCNAME="${___wul_krb5cc_tmpfile}" LDAPCONF="${___wul_ldapconf}" "${___wul_ldapmodify_bin}" ${___wul_ldapmodify_flags} "${___wul_ldif_tmpfile}" ${___wul_ldapmodify_flag_verbose} ${___wul_ldapmodify_flag_test} 2>&1 
-      echo "$?" > "${LAPS_LDAPMODIFY_STATUS_TMPFILE}"
-   }| sed -r -e '/^\s*$/d;' | debuglevoutput 1 silent
-   ___wul_ldap_success="$( cat "${LAPS_LDAPMODIFY_STATUS_TMPFILE}" )"
-
-   case "${___wul_ldap_success}" in
-      0)
-         # continue on
-         :
-         ;;
-      *)
-         ferror "${scriptfile}: 7 fatal! ldapmodify returned ${___wul_ldap_success}. Unhandled exception. Aborted."
-         exit 7
-         ;;
-   esac
-
-   return ${___wul_ldap_success}
-
-}
-
 wrapper_change_password() {
    # call: wrapper_change_password "${LAPS_phrase}" "${LAPS_USER}" "${LAPS_PASSWD_BIN}" "${LAPS_TEST}"
    debuglev 10 && ferror "wrapper_change_password $@"
@@ -404,7 +252,7 @@ wrapper_change_password() {
    then
       echo "0" > "${LAPS_PASSWORD_STATUS_TMPFILE}"
    else
-    ___wcp_stdout="$( printf "%s\n%s\n" "${___wcp_phrase}" "${___wcp_phrase}" | "${___wcp_passwd_bin}" "${___wcp_user}" ; echo "$?" > "${LAPS_PASSWORD_STATUS_TMPFILE}" )"
+      ___wcp_stdout="$( printf "%s\n%s\n" "${___wcp_phrase}" "${___wcp_phrase}" | "${___wcp_passwd_bin}" "${___wcp_user}" 2>&1 ; echo "$?" > "${LAPS_PASSWORD_STATUS_TMPFILE}" )"
    fi
    ___wcp_passwd_result="$( cat "${LAPS_PASSWORD_STATUS_TMPFILE}" )"
 
@@ -436,96 +284,6 @@ wrapper_log() {
 
 }
 
-get_user_kerberos_ticket() {
-   # call: get_user_kerberos_ticket "${LAPS_KERBEROS_USER}" "${LAPS_USER_IS_ROOT}" "${LAPS_KRB5CC_TMPFILE}" "${LAPS_INTERACTIVE}" "${LAPS_KINIT_BIN}" "${LAPS_KLIST_BIN}"
-   debuglev 10 && ferror "get_user_kerberos_ticket $@"
-   ___gukt_kerberos_user="${1}"
-   ___gukt_user_is_root="${2}"
-   ___gukt_krb5cc_tmpfile="${3}"
-   ___gukt_interactive="${4}"
-   ___gukt_kinit_bin="${5}"
-   ___gukt_klist_bin="${6}"
-
-   # LAPS on the domain side does not permit a host keytab to read the password attribute, so if user=machine, fail out
-   # options:
-   # if root, using machine ticket. ACT: fail
-   # if root, using user ticket.    ACT: check user tgt, then prompt.
-   # if user, using machine ticket. ACT: check user tgt, then prompt
-   # if user, using user ticket     ACT: check user tgt, then prompt
-
-   if test "${___gukt_kerberos_user}" = "machine" ;
-   then
-      if test "${___gukt_user_is_root}" = "1" ;
-      then
-         ferror "${scriptfile}: 2 fatal! To read the password stored in the domain, you need LDAP_KERBEROS_USER=<username> or -u <username> or run this script as a domain admin user. Aborted."
-         exit 2
-      else
-         ___gukt_kerberos_user="${USER}"
-         ferror "Trying with logged in user ${___gukt_kerberos_user}."
-      fi
-   fi
-
-   # Try current user kerberos ticket to see if has a tgt for LAPS_KERBEROS_USER
-   ___gukt_klist_stdout="$( "${___gukt_klist_bin}" 2>/dev/null )"
-   echo "${___gukt_klist_stdout}" | debuglevoutput 8
-   ___gukt_klist_krb5cc="$( echo "${___gukt_klist_stdout}" | grep -iE 'ticket cache:' | awk -F':' '{print $NF}' | xargs )"
-   ___gukt_klist_user=$( echo "${___gukt_klist_stdout}" | grep -iE 'default principal:' | awk -F':' '{print $2}' | awk -F'@' '{print $1}' | xargs )
-   ___gukt_klist_krbtgt="$( echo "${___gukt_klist_stdout}" | grep -E "krbtgt\/" )"
-   {
-      echo "klist_krb5cc=${___guktk_list_krb5cc}"
-      echo "klist_user=${___gukt_klist_user}"
-      echo "klist_krbtgt=${___gukt_klist_krbtgt}"
-   } | debuglevoutput 7
-
-   # if we already have a tgt
-   if test -n "${___gukt_klist_krbtgt}" ;
-   then
-      case "${___gukt_klist_user}" in
-         # and it is for the requested user
-         ${___gukt_kerberos_user}) 
-            # copy it to our temporary location
-            debuglev 7 && ferror "Using existing krbtgt for requested user ${___gukt_kerberos_user}"
-            /bin/cp -p "${___gukt_klist_krb5cc}" "${___gukt_krb5cc_tmpfile}"
-            ;;
-         *)
-            ferror "Using existing krb5tgt for ${___gukt_klist_user} instead of requested ${___gukt_kerberos_user}"
-            ___gukt_kerberos_user="${___gukt_klist_user}"
-            ;;
-      esac
-   else
-      # need to get a ticket
-      # are we allowed to ormpt?
-      if fistruthy "${___gukt_interactive}" ;
-      then
-         # prompt and save to temp kerberos location
-         debuglev 1 && ferror "No krbtgt found. Prompting now..."
-         KRB5CCNAME="${___gukt_krb5cc_tmpfile}" "${___gukt_kinit_bin}" "${___gukt_kerberos_user}"
-      else
-         ferror "${scriptfile}: 2. Need LAPS_INTERACTIVE=1 or -i flag, to allow interactive kinit prompt. Aborted."
-         exit 2
-      fi
-   fi
-   # verify that the tgt exists now
-   ___gukt_klist_stdout="$( KRB5CCNAME="${___gukt_krb5cc_tmpfile}" "${___gukt_klist_bin}" 2>/dev/null )"
-   echo "${___gukt_klist_stdout}" | debuglevoutput 4
-   ___gukt_klist_krb5cc="$( echo "${___gukt_klist_stdout}" | grep -iE 'ticket cache:' | awk -F':' '{print $NF}' | xargs )"
-   ___gukt_klist_user=$( echo "${___gukt_klist_stdout}" | grep -iE 'default principal:' | awk -F':' '{print $2}' | awk -F'@' '{print $1}' | xargs )
-   ___gukt_klist_krbtgt="$( echo "${___gukt_klist_stdout}" | grep -E "krbtgt\/" )"
-   {
-      echo "klist_krb5cc=${___gukt_klist_krb5cc}"
-      echo "klist_user=${___gukt_klist_user}"
-      echo "klist_krbtgt=${___gukt_klist_krbtgt}"
-   } | debuglevoutput 5
-
-   if test -z "${___gukt_klist_krbtgt}" ;
-   then
-      # no krbtgt so fail out
-      ferror "${scriptfile}: 6 fatal! Failed to get tgt for user ${___gkt_kerberos_user}. Check password or account. Aborted."
-      exit 6
-   fi
-
-}
-
 # DEFINE TRAPS
 
 clean_laps() {
@@ -620,6 +378,22 @@ case ${is_root} in
       ;;
 esac
 
+# LOAD SHLDAP
+setval 1 LAPS_SHLDAP_discovered <<EOFSENDSH     # if $1="1" then setvalout="critical-fail" on failure
+${LAPS_SHLDAP}
+${SHLDAP}
+/usr/share/bgscripts/shldap.sh
+/usr/lib/bgscripts/shldap.sh
+EOFSENDSH
+test "${setvalout}" = "critical-fail" && ferror "${scriptfile}: 4. LAPS_SHLDAP not found. Aborted." && exit 4
+LAPS_SHLDAP_MINIMUM=20190717
+. "${LAPS_SHLDAP_discovered}"
+if ! test $( echo "${SHLDAP_VERSION}" | tr -dc '[[:digit:]]' ) -ge ${LAPS_SHLDAP_MINIMUM} ;
+then
+   ferror "${scriptfile}: 4. Insufficient version of shldap found: ${LAPS_SHLDAP_discovered} ${SHLDAP_VERSION}. Need >= ${LAPS_SHLDAP_MINIMUM}. Aborted."
+   exit 4
+fi
+
 # SET CUSTOM SCRIPT AND VALUES
 #setval 1 sendsh sendopts<<EOFSENDSH     # if $1="1" then setvalout="critical-fail" on failure
 #/usr/local/share/bgscripts/send.sh -hs  # setvalout maybe be "fail" otherwise
@@ -667,6 +441,7 @@ test -z "${LAPS_LDIF_TMPFILE}" && LAPS_LDIF_TMPFILE="$( TMPDIR="${LAPS_TMPDIR}"
 test -z "${LAPS_LDAPMODIFY_STATUS_TMPFILE}" && LAPS_LDAPMODIFY_STATUS_TMPFILE="$( TMPDIR="${LAPS_TMPDIR}" mktemp )"
 test -z "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" && LAPS_LDAPSEARCH_STATUS_TMPFILE="$( TMPDIR="${LAPS_TMPDIR}" mktemp )"
 test -z "${LAPS_PASSWORD_STATUS_TMPFILE}" && LAPS_PASSWORD_STATUS_TMPFILE="$( TMPDIR="${LAPS_TMPDIR}" mktemp )"
+#test -z "${LAPS_TMPFILE1}" && LAPS_TMPFILE1="$( TMPDIR="${LAPS_TMPDIR}" mktemp )"
 define_if_new LAPS_KINIT_HOST_SCRIPT "/usr/share/bgscripts/work/kinit-host.sh"
 define_if_new LAPS_KINIT_HOST_SCRIPT_OPTS ""
 define_if_new LAPS_KINIT_HOST_SCRIPT_DEFAULT "/usr/share/bgscripts/work/kinit-host.sh"