authorB Stack <bgstack15@gmail.com>2019-03-01 16:38:57 -0500
committerB Stack <bgstack15@gmail.com>2019-03-01 16:38:57 -0500
commitc4dbd6d6c318002150c329abcdc663f8aecbf0e4 (patch)
treea592e601f48eaf51c1c1f747c7a2c39fbd9c91a5 /src/usr
parentCapture and handle ldapsearch error (diff)
downloadlaps-c4dbd6d6c318002150c329abcdc663f8aecbf0e4.tar.gz
laps-c4dbd6d6c318002150c329abcdc663f8aecbf0e4.tar.bz2
laps-c4dbd6d6c318002150c329abcdc663f8aecbf0e4.zip
fix style, document changes, and bump version
fix #5 document the recommended use of "-f" for first run
Diffstat (limited to 'src/usr')
-rw-r--r--src/usr/share/doc/laps/README.md4
-rw-r--r--src/usr/share/doc/laps/changes4
-rw-r--r--src/usr/share/doc/laps/version.txt2
-rwxr-xr-xsrc/usr/share/laps/laps.sh61
4 files changed, 41 insertions, 30 deletions
diff --git a/src/usr/share/doc/laps/README.md b/src/usr/share/doc/laps/README.md
index 204b97d..7b5c95f 100644
--- a/src/usr/share/doc/laps/README.md
+++ b/src/usr/share/doc/laps/README.md
@@ -12,6 +12,10 @@ See /etc/laps/laps.conf.example for how to configure the client.
The administrator needs to write **/etc/laps/laps.conf** and **/etc/laps/lapsldap.conf**. Copying and modifying the example config files is the recommended way to provide the configs.
+For first use, use the -f flag to force the password change so the timestamp is initialized.
+
+ /usr/share/laps/laps.sh -f
+
# Prepare the domain
The OU where the Linux systems are placed in the domain will need some ACLS set up, which are identical to what the LAPS documentation describes. For a brief summary:
diff --git a/src/usr/share/doc/laps/changes b/src/usr/share/doc/laps/changes
index 9566fdc..51a0c15 100644
--- a/src/usr/share/doc/laps/changes
+++ b/src/usr/share/doc/laps/changes
@@ -2,3 +2,7 @@
- fix $2 read action should provide date of expiration on -d 1
- fix #3 add readme.md to front directory
- fix #4 laps does not recognize expired kerberos tickets
+
+* Mar 1 2019 B Stack <bgstack15@gmail.com> 0.0.3-1
+- fix #5 document the recommended use of "-f" for first run
+- merge !1 handle empty password change timestamp LDAP attribute
diff --git a/src/usr/share/doc/laps/version.txt b/src/usr/share/doc/laps/version.txt
index 4e379d2..bcab45a 100644
--- a/src/usr/share/doc/laps/version.txt
+++ b/src/usr/share/doc/laps/version.txt
@@ -1 +1 @@
-0.0.2
+0.0.3
diff --git a/src/usr/share/laps/laps.sh b/src/usr/share/laps/laps.sh
index 132e2e9..c81e7a4 100755
--- a/src/usr/share/laps/laps.sh
+++ b/src/usr/share/laps/laps.sh
@@ -6,7 +6,7 @@
# Title: Local Administrator Password Solution for Linux
# Purpose: LAPS Equivalent for GNU/Linux
# Package: laps
-# History:
+# History: see upstream project at https://gitlab.com/bgstack15/laps
# Usage:
# Reference: ftemplate.sh 2018-09-12a; framework.sh 2018-09-12a
# Improve:
@@ -23,7 +23,7 @@
# sed (sed)
# awk (gawk)
fiversion="2018-09-12a"
-lapsversion="2018-10-24b"
+lapsversion="2019-03-01a"
usage() {
${PAGER:-/usr/bin/less -F} >&2 <<ENDUSAGE
@@ -179,26 +179,27 @@ get_attrib_from_ldap() {
# execute to check for ldap or kerberos errors
___gtfl_stderr="$( KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" "${___gtfl_attrib}" 2>&1 1>/dev/null )"
- if test "$?" -ne 0 ; then
- if echo "${___gtfl_stderr}" | grep -qiE 'Ticket expired' ;
+ if test "$?" -ne 0 ;
then
- ferror "Kerberos ticket expired. Any values from ldap will be garbage."
- return 1;
- elif echo "${___gtfl_stderr}" | grep -qi -e 'SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Success)' ;
- then
- ferror "GSSAPI Error: Invalid name (Success). Try using \"SASL_NOCANON on\" in lapsldap.conf. Any values from ldap will be garbage."
- return 1;
- elif echo "${___gtfl_stderr}" | grep -qi -e 'TLS: hostname does not match CN in peer certificate' ;
- then
- ferror "TLS: hostname does not match CN. Try using \"TLS_REQCERT allow\" in lapsldap.conf. Any values from ldap will be garbage."
- return 1;
- else
- {
- echo "other ldap error:"
- echo "${___gtfl_stderr}"
- } | debuglevoutput 9
- return 1;
- fi
+ if echo "${___gtfl_stderr}" | grep -qiE 'Ticket expired' ;
+ then
+ ferror "Fatal: Kerberos ticket expired."
+ return 1;
+ elif echo "${___gtfl_stderr}" | grep -qi -e 'SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Success)' ;
+ then
+ ferror "Fatal: GSSAPI Error: Invalid name (Success). Try using \"SASL_NOCANON on\" in lapsldap.conf."
+ return 1;
+ elif echo "${___gtfl_stderr}" | grep -qi -e 'TLS: hostname does not match CN in peer certificate' ;
+ then
+ ferror "Fatal: TLS: hostname does not match CN. Try using \"TLS_REQCERT allow\" in lapsldap.conf."
+ return 1;
+ else
+ {
+ echo "Fatal: other ldap error:"
+ echo "${___gtfl_stderr}"
+ } | debuglevoutput 9
+ return 1;
+ fi
fi
# execute for actually fetching the value
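Review bot: The three error branches classify ldapsearch failures by matching English diagnostic text, so on a host with a non-English locale the probe would fall through to the generic "other ldap error" branch and the specific hints about SASL_NOCANON and TLS_REQCERT would never be shown; running the probing invocation with `LC_ALL=C` in front of the `KRB5CCNAME=...` assignment would make the matching independent of the caller's locale. The `echo "${___gtfl_stderr}" | grep ...` pipelines would also be safer as `printf '%s\n' "${___gtfl_stderr}" | grep ...`, since echo interprets a leading `-n`/`-e` and, in some shells, backslash sequences in the captured text. Both points apply to all four branches in this hunk. The enclosing get_attrib_from_ldap begins before the hunk, and this probe is a separate ldapsearch run from the one that fetches the value below, so a transient error can be reported by one and not the other.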
@@ -207,9 +208,10 @@ get_attrib_from_ldap() {
"${___gtfl_attrib}" 2>/dev/null ; \
echo "$?" > "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" ; \
} | sed -r -e 's/^#.*$//;' -e '/^\s*$/d' | grep -iE -e "^${___gtfl_attrib}:" | awk '{print $2}' )"
- ___gtfl_ldap_success="$( cat "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" )"
- if test "$___gtfl_ldap_success" -ne 0 ; then
- ferror "LDAP lookup failed"
+ ___gtfl_ldap_success="$( { cat "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" 2>/dev/null ; echo "1" ; } | head -n1 )"
+ if test "${___gtfl_ldap_success}" != "0" ;
+ then
+ ferror "Fatal: LDAP lookup failed"
return 1
fi
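Review bot: The new read of `${LAPS_LDAPSEARCH_STATUS_TMPFILE}` deserves a comment, because the `{ cat ... 2>/dev/null ; echo "1" ; } | head -n1` idiom is not obvious: it yields "1" (failure) when the status file is missing or empty, so a lookup whose status could not be recorded is treated as failed rather than as success. A line such as `# default to failure when the status file is absent or empty; only a recorded 0 is success` above the assignment would capture that. Switching the comparison to the string test `!= "0"` is also what keeps the check from erroring on an empty value, which is worth stating in the same comment. The fetch itself runs with `2>/dev/null`, so the only diagnostics a user sees come from the probe earlier in get_attrib_from_ldap, which begins outside this hunk.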
@@ -235,7 +237,8 @@ wrapper_get_timestamp_from_ldap() {
test "$?" -eq 0 || return 1
ts_epoch=0
- if test -n "$ts_filetime" ; then
+ if test -n "$ts_filetime" ;
+ then
debuglev 3 && ferror "timestamp(FILETIME): ${ts_filetime}"
ts_epoch="$( "${___wgtfl_datetime_py}" -e "${ts_filetime}" )"
fi
@@ -395,7 +398,7 @@ wrapper_change_password() {
then
echo "0" > "${LAPS_PASSWORD_STATUS_TMPFILE}"
else
- ___wcp_stdout="$( { echo "${___wcp_phrase}" ; echo "${___wcp_phrase}" ; } | "${___wcp_passwd_bin}" "${___wcp_user}" ; echo "$?" > "${LAPS_PASSWORD_STATUS_TMPFILE}" )"
+ ___wcp_stdout="$( printf "%s\n%s\n" "${___wcp_phrase}" "${___wcp_phrase}" | "${___wcp_passwd_bin}" "${___wcp_user}" ; echo "$?" > "${LAPS_PASSWORD_STATUS_TMPFILE}" )"
fi
___wcp_passwd_result="$( cat "${LAPS_PASSWORD_STATUS_TMPFILE}" )"
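Review bot: The switch from `echo` to `printf "%s\n%s\n"` is the right choice for feeding a generated passphrase, but nothing in the hunk says why, and a later maintainer could revert it; a comment such as `# printf, not echo: a phrase beginning with -n/-e or containing backslashes must reach passwd unaltered` would preserve the reasoning. Note that the `echo "$?"` after the pipeline records the status of `${___wcp_passwd_bin}` only (the last stage), so a failure of printf itself is not detected — acceptable here, but worth a word in the same comment. Whether a given passwd implementation accepts the new password from a pipe rather than the controlling tty is implementation-dependent and is not something this hunk changes; the surrounding `if`/`else` and the case statement that consumes the status begin and end outside the hunk.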
@@ -405,7 +408,7 @@ wrapper_change_password() {
debuglev 4 && ferror "${___wcp_stdout}"
;;
*)
- # successful operation
+ # failed operation
ferror "${scriptfile}: 8 fatal! Unable to change password for ${___wcp_user}:\n${___wcp_stdout}"
exit 8
;;
@@ -526,8 +529,8 @@ clean_laps() {
# Delayed cleanup
if test -z "${LAPS_NO_CLEAN}" ;
then
- nohup /bin/bash <<EOF 1>/dev/null 2>&1 &
-sleep "${LAPS_CLEANUP_SEC:-300}" ; /bin/rm -r "${LAPS_TMPDIR:-NOTHINGTODELETE}" 1>/dev/null 2>&1 ;
+ nohup /bin/sh <<EOF 1>/dev/null 2>&1 &
+sleep "${LAPS_CLEANUP_SEC:-3}" ; /bin/rm -r "${LAPS_TMPDIR:-NOTHINGTODELETE}" 1>/dev/null 2>&1 ;
EOF
fi
}
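Review bot: The heredoc is unquoted, so `${LAPS_TMPDIR}` and `${LAPS_CLEANUP_SEC}` are expanded into the text of a shell script before `/bin/sh` parses it; a directory path containing a double quote, `$` or backtick would then be interpreted as code by the detached shell rather than treated as data. Passing the values as arguments avoids that entirely: `nohup /bin/sh -c 'sleep "$1" ; /bin/rm -r "$2"' sh "${LAPS_CLEANUP_SEC:-3}" "${LAPS_TMPDIR:-NOTHINGTODELETE}" 1>/dev/null 2>&1 &`. Where LAPS_TMPDIR comes from is not visible in this hunk, so the practical exposure depends on how it is created. Independently, the "Delayed cleanup" comment should say why the deletion is deferred (presumably so the status files are still readable by whatever runs after clean_laps) and note that the default delay dropped from 300 to 3 seconds in this commit, since that changes how long the temporary directory lingers.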