Diffstat (limited to 'src/usr')
-rw-r--r--src/usr/share/doc/laps/changes4
-rwxr-xr-xsrc/usr/share/laps/laps.sh34
2 files changed, 34 insertions, 4 deletions
diff --git a/src/usr/share/doc/laps/changes b/src/usr/share/doc/laps/changes
new file mode 100644
index 0000000..9566fdc
--- /dev/null
+++ b/src/usr/share/doc/laps/changes
@@ -0,0 +1,4 @@
+* Oct 24 2018 B Stack <bgstack15@gmail.com> 0.0.2-1
+- fix $2 read action should provide date of expiration on -d 1
+- fix #3 add readme.md to front directory
+- fix #4 laps does not recognize expired kerberos tickets
diff --git a/src/usr/share/laps/laps.sh b/src/usr/share/laps/laps.sh
index ef206c8..b3f9b98 100755
--- a/src/usr/share/laps/laps.sh
+++ b/src/usr/share/laps/laps.sh
@@ -23,7 +23,7 @@
# sed (sed)
# awk (gawk)
fiversion="2018-09-12a"
-lapsversion="2018-10-22a"
+lapsversion="2018-10-24a"
usage() {
${PAGER:-/usr/bin/less -F} >&2 <<ENDUSAGE
@@ -31,7 +31,7 @@ laps is the Local Administrator Password Solution for GNU/Linux.
usage: laps.sh [-duV] [-c conffile] [-t|-a] [-f] [-r [-u <username>] [-h <hostname>]]
version ${lapsversion}
-d debug Show debugging info, including parsed variables.
- -u usage Show this usage block.
+ --usage Show this usage block.
-V version Show script version number.
-c conf Read in this config file. Default is /etc/laps/laps.conf
-f force Skip the time check and just update the password regardless.
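Review bot: The synopsis line `usage: laps.sh [-duV] ...` still lists -u in the first option group while the help line now documents `--usage` and -u appears as the username option under -r. If -u no longer prints this block, the synopsis should read `usage: laps.sh [-dV] [--usage] [-c conffile] [-t|-a] [-f] [-r [-u <username>] [-h <hostname>]]`. The usage heredoc and the option parser that would confirm -u's meaning are outside the hunk.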
@@ -88,6 +88,10 @@ read_workflow() {
# 2. fetch and display host password
get_attrib_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_PW}" "${LAPS_LDAPCONF}" "${LAPS_KRB5CC_TMPFILE}"
+ # 3. fetch and display expiration if the various debug levels
+ # this is called for the debuglev actions inside it, not for the output directly
+ wrapper_get_timestamp_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_TIME}" "${LAPS_LDAPCONF}" "${LAPS_DATETIME_PY}" "${LAPS_KRB5CC_TMPFILE}" 1>/dev/null
+
}
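Review bot: The comment above the new wrapper_get_timestamp_from_ldap call does not explain why its stdout is thrown away, which a reader of `1>/dev/null` will ask; suggest `# 3. fetch expiration; called only for the debuglev output it emits internally, so its stdout is discarded`. This also adds a second ldapsearch round-trip to every read even when no debug output will be shown; if the wrapper prints only at a known debug level, guarding the call with `debuglev <LEVEL> &&` (level to be taken from the wrapper) would avoid the extra query. read_workflow's opening lines are outside the hunk.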
main_workflow() {
@@ -165,12 +169,34 @@ get_attrib_from_ldap() {
___gtfl_ldapconf="${5}"
___gtfl_krb5cc_tmpfile="${6}"
+ # execute for the purpose of displaying when debug level is high enough
{
debuglev 8 && set -x
KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" "${___gtfl_attrib}" 2>&1 | debuglevoutput 8
set +x
} 1>&2
+
+ # execute to check for ldap or kerberos errors
+ ___gtfl_stderr="$( KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" "${___gtfl_attrib}" 2>&1 1>/dev/null )"
+ if echo "${___gtfl_stderr}" | grep -qiE 'Ticket expired' ;
+ then
+ ferror "Kerberos ticket expired. Any values from ldap will be garbage."
+ elif echo "${___gtfl_stderr}" | grep -qi -e 'SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Success)' ;
+ then
+ ferror "GSSAPI Error: Invalid name (Success). Try using \"SASL_NOCANON on\" in lapsldap.conf. Any values from ldap will be garbage."
+ elif echo "${___gtfl_stderr}" | grep -qi -e 'TLS: hostname does not match CN in peer certificate' ;
+ then
+ ferror "TLS: hostname does not match CN. Try using \"TLS_REQCERT allow\" in lapsldap.conf. Any values from ldap will be garbage."
+ else
+ {
+ echo "other ldap error:"
+ echo "${___gtfl_stderr}"
+ } | debuglevoutput 9
+ fi
+
+ # execute for actually fetching the value
___gtfl_attrib="$( KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" "${___gtfl_attrib}" 2>/dev/null | sed -r -e 's/^#.*$//;' -e '/^\s*$/d' | grep -iE -e "^${___gtfl_attrib}:" | awk '{print $2}' )"
+
# no value means either the ldap connection malfunctioned or there was no attribute by that name defined.
echo "${___gtfl_attrib}"
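Review bot: The new error check reports Kerberos, GSSAPI and TLS failures through ferror but the function then proceeds to the third ldapsearch and echoes whatever came back, so unless ferror itself exits a caller cannot distinguish a failed lookup from a genuinely empty attribute; each of the three branches should end with `return 1` after its ferror, or the function should set a status the caller tests (the function's tail after the echo is outside the hunk). The identical query is now issued three times per attribute, which triples the Kerberos/LDAP round-trips and lets the error check observe a different outcome than the value fetch; capturing stderr to a temp file on a single invocation lets the classification and the value share one result, as sketched below. Separately, the TLS branch recommends `TLS_REQCERT allow`, which turns off peer-certificate verification for a tool that transports administrator passwords; suggest pointing at the certificate instead, e.g. `ferror "TLS: hostname does not match CN in peer certificate. Check the server certificate SAN/CN or TLS_CACERT in lapsldap.conf. Any values from ldap will be garbage."`.
```shell
   # execute once; stderr goes to a temp file for error classification, stdout yields the value
   ___gtfl_errfile="$( mktemp )" || return 1
   ___gtfl_value="$( KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" "${___gtfl_attrib}" 2>"${___gtfl_errfile}" | sed -r -e 's/^#.*$//;' -e '/^\s*$/d' | grep -iE -e "^${___gtfl_attrib}:" | awk '{print $2}' )"
   ___gtfl_stderr="$( cat -- "${___gtfl_errfile}" )"
   rm -f -- "${___gtfl_errfile}"
   # … unchanged: grep-based classification of ___gtfl_stderr, with `return 1` added after each ferror …
   ___gtfl_attrib="${___gtfl_value}"
```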
@@ -458,7 +484,7 @@ get_user_kerberos_ticket() {
echo "klist_krb5cc=${___gukt_klist_krb5cc}"
echo "klist_user=${___gukt_klist_user}"
echo "klist_krbtgt=${___gukt_klist_krbtgt}"
- } | debuglevoutput 3
+ } | debuglevoutput 5
if test -z "${___gukt_klist_krbtgt}" ;
then
@@ -661,7 +687,7 @@ debuglev 5 && {
# MAIN LOOP
#{
- echo "action ${LAPS_ACTION}" | debuglevoutput 1
+ echo "action ${LAPS_ACTION}" | debuglevoutput 4
case "${LAPS_ACTION}" in
read)
read_workflow