diff options
Diffstat (limited to 'src/usr')
-rw-r--r-- | src/usr/share/doc/laps/changes | 4 | ||||
-rwxr-xr-x | src/usr/share/laps/laps.sh | 34 |
2 files changed, 34 insertions, 4 deletions
diff --git a/src/usr/share/doc/laps/changes b/src/usr/share/doc/laps/changes new file mode 100644 index 0000000..9566fdc --- /dev/null +++ b/src/usr/share/doc/laps/changes @@ -0,0 +1,4 @@ +* Oct 24 2018 B Stack <bgstack15@gmail.com> 0.0.2-1 +- fix $2 read action should provide date of expiration on -d 1 +- fix #3 add readme.md to front directory +- fix #4 laps does not recognize expired kerberos tickets diff --git a/src/usr/share/laps/laps.sh b/src/usr/share/laps/laps.sh index ef206c8..b3f9b98 100755 --- a/src/usr/share/laps/laps.sh +++ b/src/usr/share/laps/laps.sh @@ -23,7 +23,7 @@ # sed (sed) # awk (gawk) fiversion="2018-09-12a" -lapsversion="2018-10-22a" +lapsversion="2018-10-24a" usage() { ${PAGER:-/usr/bin/less -F} >&2 <<ENDUSAGE @@ -31,7 +31,7 @@ laps is the Local Administrator Password Solution for GNU/Linux. usage: laps.sh [-duV] [-c conffile] [-t|-a] [-f] [-r [-u <username>] [-h <hostname>]] version ${lapsversion} -d debug Show debugging info, including parsed variables. - -u usage Show this usage block. + --usage Show this usage block. -V version Show script version number. -c conf Read in this config file. Default is /etc/laps/laps.conf -f force Skip the time check and just update the password regardless. @@ -88,6 +88,10 @@ read_workflow() { # 2. fetch and display host password get_attrib_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_PW}" "${LAPS_LDAPCONF}" "${LAPS_KRB5CC_TMPFILE}" + # 3. fetch and display expiration if the various debug levels + # this is called for the debuglev actions inside it, not for the output directly + wrapper_get_timestamp_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_TIME}" "${LAPS_LDAPCONF}" "${LAPS_DATETIME_PY}" "${LAPS_KRB5CC_TMPFILE}" 1>/dev/null + } main_workflow() { @@ -165,12 +169,34 @@ get_attrib_from_ldap() { ___gtfl_ldapconf="${5}" ___gtfl_krb5cc_tmpfile="${6}" + # execute for the purpose of displaying when debug level is high enough { debuglev 8 && set -x KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" "${___gtfl_attrib}" 2>&1 | debuglevoutput 8 set +x } 1>&2 + + # execute to check for ldap or kerberos errors + ___gtfl_stderr="$( KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" "${___gtfl_attrib}" 2>&1 1>/dev/null )" + if echo "${___gtfl_stderr}" | grep -qiE 'Ticket expired' ; + then + ferror "Kerberos ticket expired. Any values from ldap will be garbage." + elif echo "${___gtfl_stderr}" | grep -qi -e 'SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Success)' ; + then + ferror "GSSAPI Error: Invalid name (Success). Try using \"SASL_NOCANON on\" in lapsldap.conf. Any values from ldap will be garbage." + elif echo "${___gtfl_stderr}" | grep -qi -e 'TLS: hostname does not match CN in peer certificate' ; + then + ferror "TLS: hostname does not match CN. Try using \"TLS_REQCERT allow\" in lapsldap.conf. Any values from ldap will be garbage." + else + { + echo "other ldap error:" + echo "${___gtfl_stderr}" + } | debuglevoutput 9 + fi + + # execute for actually fetching the value ___gtfl_attrib="$( KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" "${___gtfl_attrib}" 2>/dev/null | sed -r -e 's/^#.*$//;' -e '/^\s*$/d' | grep -iE -e "^${___gtfl_attrib}:" | awk '{print $2}' )" + # no value means either the ldap connection malfunctioned or there was no attribute by that name defined. echo "${___gtfl_attrib}" @@ -458,7 +484,7 @@ get_user_kerberos_ticket() { echo "klist_krb5cc=${___gukt_klist_krb5cc}" echo "klist_user=${___gukt_klist_user}" echo "klist_krbtgt=${___gukt_klist_krbtgt}" - } | debuglevoutput 3 + } | debuglevoutput 5 if test -z "${___gukt_klist_krbtgt}" ; then @@ -661,7 +687,7 @@ debuglev 5 && { # MAIN LOOP #{ - echo "action ${LAPS_ACTION}" | debuglevoutput 1 + echo "action ${LAPS_ACTION}" | debuglevoutput 4 case "${LAPS_ACTION}" in read) read_workflow |