-rwxr-xr-x | src/usr/share/laps/laps.sh | 24 |
1 files changed, 22 insertions, 2 deletions
diff --git a/src/usr/share/laps/laps.sh b/src/usr/share/laps/laps.sh
index 9780b9e..132e2e9 100755
--- a/src/usr/share/laps/laps.sh
+++ b/src/usr/share/laps/laps.sh
@@ -108,6 +108,7 @@ main_workflow() {
 # 2. fetch timestamp from ldap
 LAPS_epoch="$( wrapper_get_timestamp_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_TIME}" "${LAPS_LDAPCONF}" "${LAPS_DATETIME_PY}" "${LAPS_KRB5CC_TMPFILE}" )"
+ test $? -eq 0 || return 1
 # 3. check timestamp to see if close to expiration
 check_ts_against_expiration_threshold "${LAPS_THRESHOLD}" "${LAPS_epoch}" "${LAPS_FORCE}"
@@ -178,26 +179,42 @@ get_attrib_from_ldap() {
 # execute to check for ldap or kerberos errors
 ___gtfl_stderr="$( KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" "${___gtfl_attrib}" 2>&1 1>/dev/null )"
+ if test "$?" -ne 0 ; then
 if echo "${___gtfl_stderr}" | grep -qiE 'Ticket expired' ; then
 ferror "Kerberos ticket expired. Any values from ldap will be garbage."
+ return 1;
 elif echo "${___gtfl_stderr}" | grep -qi -e 'SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Success)' ; then
 ferror "GSSAPI Error: Invalid name (Success). Try using \"SASL_NOCANON on\" in lapsldap.conf. Any values from ldap will be garbage."
+ return 1;
 elif echo "${___gtfl_stderr}" | grep -qi -e 'TLS: hostname does not match CN in peer certificate' ; then
 ferror "TLS: hostname does not match CN. Try using \"TLS_REQCERT allow\" in lapsldap.conf. Any values from ldap will be garbage."
+ return 1;
 else
 { echo "other ldap error:"
 echo "${___gtfl_stderr}"
 } | debuglevoutput 9
+ return 1;
+ fi
 fi
 # execute for actually fetching the value
- ___gtfl_attrib="$( KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" "${___gtfl_attrib}" 2>/dev/null | sed -r -e 's/^#.*$//;' -e '/^\s*$/d' | grep -iE -e "^${___gtfl_attrib}:" | awk '{print $2}' )"
+ ___gtfl_attrib="$( { KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" \
+ "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" \
+ "${___gtfl_attrib}" 2>/dev/null ; \
+ echo "$?" > "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" ; \
+ } | sed -r -e 's/^#.*$//;' -e '/^\s*$/d' | grep -iE -e "^${___gtfl_attrib}:" | awk '{print $2}' )"
+ ___gtfl_ldap_success="$( cat "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" )"
+ if test "$___gtfl_ldap_success" -ne 0 ; then
+ ferror "LDAP lookup failed"
+ return 1
+ fi
- # no value means either the ldap connection malfunctioned or there was no attribute by that name defined.
+ # here we can be sure that an empty value means there was no attribute by
+ # that name defined or it had an actual empty value.
 echo "${___gtfl_attrib}"
@@ -215,6 +232,8 @@ wrapper_get_timestamp_from_ldap() {
 ___wgtfl_krb5cc_tmpfile="${7}"
 ts_filetime="$( get_attrib_from_ldap "${___wgtfl_ldapsearch_bin}" "${___wgtfl_ldapsearch_flags}" "${___wgtfl_ldapsearch_filter}" "${___wgtfl_attrib}" "${___wgtfl_ldapconf}" "${___wgtfl_krb5cc_tmpfile}" )"
+ test "$?" -eq 0 || return 1
+ ts_epoch=0
 if test -n "$ts_filetime" ; then
 debuglev 3 && ferror "timestamp(FILETIME): ${ts_filetime}"
@@ -637,6 +656,7 @@ test -z "${LAPS_TMPDIR}" && LAPS_TMPDIR="$( mktemp -d /tmp/laps.XXXXXXXXXX )"
 test -z "${LAPS_KRB5CC_TMPFILE}" && LAPS_KRB5CC_TMPFILE="$( TMPDIR="${LAPS_TMPDIR}" mktemp )"
 test -z "${LAPS_LDIF_TMPFILE}" && LAPS_LDIF_TMPFILE="$( TMPDIR="${LAPS_TMPDIR}" mktemp )"
 test -z "${LAPS_LDAPMODIFY_STATUS_TMPFILE}" && LAPS_LDAPMODIFY_STATUS_TMPFILE="$( TMPDIR="${LAPS_TMPDIR}" mktemp )"
+test -z "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" && LAPS_LDAPSEARCH_STATUS_TMPFILE="$( TMPDIR="${LAPS_TMPDIR}" mktemp )"
 test -z "${LAPS_PASSWORD_STATUS_TMPFILE}" && LAPS_PASSWORD_STATUS_TMPFILE="$( TMPDIR="${LAPS_TMPDIR}" mktemp )"
 define_if_new LAPS_KINIT_HOST_SCRIPT "/usr/share/bgscripts/work/kinit-host.sh"
 define_if_new LAPS_KINIT_HOST_SCRIPT_DEFAULT "/usr/share/bgscripts/work/kinit-host.sh"
|
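Review bot: The new status check `if test "$___gtfl_ldap_success" -ne 0 ; then` treats an empty status file as success: if `${LAPS_LDAPSEARCH_STATUS_TMPFILE}` could not be written or read, `test "" -ne 0` fails with "integer expression expected" (status 2), the `then` branch is skipped, and the empty attribute value is echoed with status 0 — the garbage-value case this commit sets out to close. Compare as a string and default to failure instead: `if test "${___gtfl_ldap_success:-1}" != "0" ; then`. Because the same tmpfile is reused by every call of get_attrib_from_ldap, it is also worth truncating it before the pipeline (`: > "${LAPS_LDAPSEARCH_STATUS_TMPFILE}"`) so a stale `0` from an earlier lookup cannot mask a failed write. With both in place the "empty value means no such attribute" comment added here becomes accurate. get_attrib_from_ldap's body starts and ends outside the hunk.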