fix style, document changes, and bump version

fix #5 document the recommended use of "-f" for first run
author: B Stack <bgstack15@gmail.com> 2019-03-01 16:38:57 -0500
committer: B Stack <bgstack15@gmail.com> 2019-03-01 16:38:57 -0500
commit: c4dbd6d6c318002150c329abcdc663f8aecbf0e4 (patch)
tree: a592e601f48eaf51c1c1f747c7a2c39fbd9c91a5
parent: Capture and handle ldapsearch error (diff)
download: laps-c4dbd6d6c318002150c329abcdc663f8aecbf0e4.tar.gz
laps-c4dbd6d6c318002150c329abcdc663f8aecbf0e4.tar.bz2
laps-c4dbd6d6c318002150c329abcdc663f8aecbf0e4.zip
5 files changed, 44 insertions, 33 deletions
diff --git a/laps.spec b/laps.spec
index da57c47..303a66d 100644
--- a/laps.spec
+++ b/laps.spec
@@ -1,6 +1,6 @@
 %define debug_package %{nil}
 Name:		laps
-Version:	0.0.2
+Version:	0.0.3
 Release:	1
 Summary:	local administrator password solution
 
@@ -44,5 +44,5 @@ cp -pr %{name}*/src/* "%{buildroot}"
 %{_datadir}/%{name}
 
 %changelog
-* Wed Oct 24 2018 B Stack <bgstack15@gmail.com> 0.0.2-1
-- initial rpm built
+* Fri Mar  1 2019 B Stack <bgstack15@gmail.com> 0.0.3-1
+- rpm built
diff --git a/src/usr/share/doc/laps/README.md b/src/usr/share/doc/laps/README.md
index 204b97d..7b5c95f 100644
--- a/src/usr/share/doc/laps/README.md
+++ b/src/usr/share/doc/laps/README.md
@@ -12,6 +12,10 @@ See /etc/laps/laps.conf.example for how to configure the client.
 
 The administrator needs to write **/etc/laps/laps.conf** and **/etc/laps/lapsldap.conf**. Copying and modifying the example config files is the recommended way to provide the configs.
 
+For first use, use the -f flag to force the password change so the timestamp is initialized.
+
+    /usr/share/laps/laps.sh -f
+
 # Prepare the domain
 The OU where the Linux systems are placed in the domain will need some ACLS set up, which are identical to what the LAPS documentation describes. For a brief summary:
 
diff --git a/src/usr/share/doc/laps/changes b/src/usr/share/doc/laps/changes
index 9566fdc..51a0c15 100644
--- a/src/usr/share/doc/laps/changes
+++ b/src/usr/share/doc/laps/changes
@@ -2,3 +2,7 @@
 - fix $2 read action should provide date of expiration on -d 1
 - fix #3 add readme.md to front directory
 - fix #4 laps does not recognize expired kerberos tickets
+
+* Mar  1 2019 B Stack <bgstack15@gmail.com> 0.0.3-1
+- fix #5 document the recommended use of "-f" for first run
+- merge !1 handle empty password change timestamp LDAP attribute
diff --git a/src/usr/share/doc/laps/version.txt b/src/usr/share/doc/laps/version.txt
index 4e379d2..bcab45a 100644
--- a/src/usr/share/doc/laps/version.txt
+++ b/src/usr/share/doc/laps/version.txt
@@ -1 +1 @@
-0.0.2
+0.0.3
diff --git a/src/usr/share/laps/laps.sh b/src/usr/share/laps/laps.sh
index 132e2e9..c81e7a4 100755
--- a/src/usr/share/laps/laps.sh
+++ b/src/usr/share/laps/laps.sh
@@ -6,7 +6,7 @@
 # Title: Local Administrator Password Solution for Linux
 # Purpose: LAPS Equivalent for GNU/Linux
 # Package: laps
-# History: 
+# History: see upstream project at https://gitlab.com/bgstack15/laps
 # Usage: 
 # Reference: ftemplate.sh 2018-09-12a; framework.sh 2018-09-12a
 # Improve:
@@ -23,7 +23,7 @@
 #    sed (sed)
 #    awk (gawk)
 fiversion="2018-09-12a"
-lapsversion="2018-10-24b"
+lapsversion="2019-03-01a"
 
 usage() {
    ${PAGER:-/usr/bin/less -F} >&2 <<ENDUSAGE
@@ -179,26 +179,27 @@ get_attrib_from_ldap() {
 
    # execute to check for ldap or kerberos errors
    ___gtfl_stderr="$( KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" "${___gtfl_attrib}" 2>&1 1>/dev/null )"
-   if test "$?" -ne 0 ; then
-   if echo "${___gtfl_stderr}" | grep -qiE 'Ticket expired' ;
+   if test "$?" -ne 0 ;
    then
-      ferror "Kerberos ticket expired. Any values from ldap will be garbage."
-      return 1;
-   elif echo "${___gtfl_stderr}" | grep -qi -e 'SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Success)' ;
-   then
-      ferror "GSSAPI Error: Invalid name (Success). Try using \"SASL_NOCANON on\" in lapsldap.conf. Any values from ldap will be garbage."
-      return 1;
-   elif echo "${___gtfl_stderr}" | grep -qi -e 'TLS: hostname does not match CN in peer certificate' ;
-   then
-      ferror "TLS: hostname does not match CN. Try using \"TLS_REQCERT allow\" in lapsldap.conf. Any values from ldap will be garbage."
-      return 1;
-   else
-      {
-         echo "other ldap error:"
-         echo "${___gtfl_stderr}"
-      } | debuglevoutput 9
-      return 1;
-   fi
+      if echo "${___gtfl_stderr}" | grep -qiE 'Ticket expired' ;
+      then
+         ferror "Fatal: Kerberos ticket expired."
+         return 1;
+      elif echo "${___gtfl_stderr}" | grep -qi -e 'SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Success)' ;
+      then
+         ferror "Fatal: GSSAPI Error: Invalid name (Success). Try using \"SASL_NOCANON on\" in lapsldap.conf."
+         return 1;
+      elif echo "${___gtfl_stderr}" | grep -qi -e 'TLS: hostname does not match CN in peer certificate' ;
+      then
+         ferror "Fatal: TLS: hostname does not match CN. Try using \"TLS_REQCERT allow\" in lapsldap.conf."
+         return 1;
+      else
+         {
+            echo "Fatal: other ldap error:"
+            echo "${___gtfl_stderr}"
+         } | debuglevoutput 9
+         return 1;
+      fi
    fi
 
    # execute for actually fetching the value
@@ -207,9 +208,10 @@ get_attrib_from_ldap() {
          "${___gtfl_attrib}" 2>/dev/null ; \
          echo "$?" > "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" ; \
       } | sed -r -e 's/^#.*$//;' -e '/^\s*$/d' | grep -iE -e "^${___gtfl_attrib}:" | awk '{print $2}' )"
-   ___gtfl_ldap_success="$( cat "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" )"
-   if test "$___gtfl_ldap_success" -ne 0 ; then
-      ferror "LDAP lookup failed"
+   ___gtfl_ldap_success="$( { cat "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" 2>/dev/null ; echo "1" ; } | head -n1 )"
+   if test "${___gtfl_ldap_success}" != "0" ;
+   then
+      ferror "Fatal: LDAP lookup failed"
       return 1
    fi
 
@@ -235,7 +237,8 @@ wrapper_get_timestamp_from_ldap() {
    test "$?" -eq 0 || return 1
 
    ts_epoch=0
-   if test -n "$ts_filetime" ; then
+   if test -n "$ts_filetime" ;
+   then
       debuglev 3 && ferror "timestamp(FILETIME): ${ts_filetime}"
       ts_epoch="$( "${___wgtfl_datetime_py}" -e "${ts_filetime}" )"
    fi
@@ -395,7 +398,7 @@ wrapper_change_password() {
    then
       echo "0" > "${LAPS_PASSWORD_STATUS_TMPFILE}"
    else
-    ___wcp_stdout="$( { echo "${___wcp_phrase}" ; echo "${___wcp_phrase}" ; } | "${___wcp_passwd_bin}" "${___wcp_user}" ; echo "$?" > "${LAPS_PASSWORD_STATUS_TMPFILE}" )"
+    ___wcp_stdout="$( printf "%s\n%s\n" "${___wcp_phrase}" "${___wcp_phrase}" | "${___wcp_passwd_bin}" "${___wcp_user}" ; echo "$?" > "${LAPS_PASSWORD_STATUS_TMPFILE}" )"
    fi
    ___wcp_passwd_result="$( cat "${LAPS_PASSWORD_STATUS_TMPFILE}" )"
 
@@ -405,7 +408,7 @@ wrapper_change_password() {
          debuglev 4 && ferror "${___wcp_stdout}"
          ;;
       *)
-         # successful operation
+         # failed operation
          ferror "${scriptfile}: 8 fatal! Unable to change password for ${___wcp_user}:\n${___wcp_stdout}"
          exit 8
          ;;
@@ -526,8 +529,8 @@ clean_laps() {
    # Delayed cleanup
    if test -z "${LAPS_NO_CLEAN}" ;
    then
-      nohup /bin/bash <<EOF 1>/dev/null 2>&1 &
-sleep "${LAPS_CLEANUP_SEC:-300}" ; /bin/rm -r "${LAPS_TMPDIR:-NOTHINGTODELETE}" 1>/dev/null 2>&1 ;
+      nohup /bin/sh <<EOF 1>/dev/null 2>&1 &
+sleep "${LAPS_CLEANUP_SEC:-3}" ; /bin/rm -r "${LAPS_TMPDIR:-NOTHINGTODELETE}" 1>/dev/null 2>&1 ;
 EOF
    fi
 }
author	B Stack <bgstack15@gmail.com>	2019-03-01 16:38:57 -0500
committer	B Stack <bgstack15@gmail.com>	2019-03-01 16:38:57 -0500
commit	c4dbd6d6c318002150c329abcdc663f8aecbf0e4 (patch)
tree	a592e601f48eaf51c1c1f747c7a2c39fbd9c91a5
parent	Capture and handle ldapsearch error (diff)
download	laps-c4dbd6d6c318002150c329abcdc663f8aecbf0e4.tar.gz laps-c4dbd6d6c318002150c329abcdc663f8aecbf0e4.tar.bz2 laps-c4dbd6d6c318002150c329abcdc663f8aecbf0e4.zip