Diffstat (limited to 'src')
-rw-r--r--src/usr/share/doc/laps/changes3
-rw-r--r--src/usr/share/doc/laps/version.txt2
-rwxr-xr-xsrc/usr/share/laps/laps.sh285
3 files changed, 34 insertions, 256 deletions
diff --git a/src/usr/share/doc/laps/changes b/src/usr/share/doc/laps/changes
index 867a14a..c7067e3 100644
--- a/src/usr/share/doc/laps/changes
+++ b/src/usr/share/doc/laps/changes
@@ -10,3 +10,6 @@
* May 29 2019 B Stack <bgstack15@gmail.com> - 0.0.4-1
- fix #6 document the -i interactive flag
- fix #7 add LAPS_KINIT_HOST_SCRIPT_OPTS
+
+* Thu Jul 18 2019 B Stack <bgstack15@gmail.com> - 0.0.5-1
+- move library functions out of laps
diff --git a/src/usr/share/doc/laps/version.txt b/src/usr/share/doc/laps/version.txt
index 81340c7..bbdeab6 100644
--- a/src/usr/share/doc/laps/version.txt
+++ b/src/usr/share/doc/laps/version.txt
@@ -1 +1 @@
-0.0.4
+0.0.5
diff --git a/src/usr/share/laps/laps.sh b/src/usr/share/laps/laps.sh
index daa0d2f..1023dc4 100755
--- a/src/usr/share/laps/laps.sh
+++ b/src/usr/share/laps/laps.sh
@@ -7,12 +7,12 @@
# Purpose: LAPS Equivalent for GNU/Linux
# Package: laps
# History: see upstream project at https://gitlab.com/bgstack15/laps
-# Usage:
+# Usage:
# Reference: ftemplate.sh 2018-09-12a; framework.sh 2018-09-12a
# Improve:
# Dependencies:
# bundled: dependencies/datetime.py
-# framework.sh, kinit-host (bgscripts-core >= 1.4.3)
+# framework.sh, kinit-host, shldap >= 20190717 (bgscripts-core >= 1.4.4)
# kinit, klist (krb5-workstation)
# ldapsearch, ldapmodify (openldap-clients)
# passwd (passwd)
@@ -23,7 +23,7 @@
# sed (sed)
# awk (gawk)
fiversion="2018-09-12a"
-lapsversion="2019-05-29a"
+lapsversion="2019-07-17a"
usage() {
${PAGER:-/usr/bin/less -F} >&2 <<ENDUSAGE
@@ -82,16 +82,16 @@ debuglevoutput() {
}
read_workflow() {
-
+
# 1. get user kerberos ticket
get_user_kerberos_ticket "${LAPS_KERBEROS_USER}" "${LAPS_USER_IS_ROOT}" "${LAPS_KRB5CC_TMPFILE}" "${LAPS_INTERACTIVE}" "${LAPS_KINIT_BIN}" "${LAPS_KLIST_BIN}"
# 2. fetch and display host password
- get_attrib_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_PW}" "${LAPS_LDAPCONF}" "${LAPS_KRB5CC_TMPFILE}"
+ get_attrib_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_PW}" "${LAPS_LDAPCONF}" "${LAPS_KRB5CC_TMPFILE}" "${LAPS_LDAPSEARCH_STATUS_TMPFILE}"
# 3. fetch and display expiration if the various debug levels
# this is called for the debuglev actions inside it, not for the output directly
- wrapper_get_timestamp_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_TIME}" "${LAPS_LDAPCONF}" "${LAPS_DATETIME_PY}" "${LAPS_KRB5CC_TMPFILE}" 1>/dev/null
+ wrapper_get_timestamp_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_TIME}" "${LAPS_LDAPCONF}" "${LAPS_DATETIME_PY}" "${LAPS_KRB5CC_TMPFILE}" "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" 1>/dev/null
}
@@ -108,7 +108,7 @@ main_workflow() {
get_host_keytab "${LAPS_KINIT_HOST_SCRIPT}" "${LAPS_KINIT_HOST_SCRIPT_OPTS}" "${LAPS_KLIST_BIN}" "${LAPS_KRB5CC_TMPFILE}" || { ferror "${0}: unable to get host kerberos ticket. Aborted." ; exit 6 ; }
# 2. fetch timestamp from ldap
- LAPS_epoch="$( wrapper_get_timestamp_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_TIME}" "${LAPS_LDAPCONF}" "${LAPS_DATETIME_PY}" "${LAPS_KRB5CC_TMPFILE}" )"
+ LAPS_epoch="$( wrapper_get_timestamp_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_TIME}" "${LAPS_LDAPCONF}" "${LAPS_DATETIME_PY}" "${LAPS_KRB5CC_TMPFILE}" "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" )"
LAPS_epoch_response="$?"
test ${LAPS_epoch_response} -eq 0 || return "${LAPS_epoch_response}"
@@ -120,7 +120,7 @@ main_workflow() {
LAPS_timestamp="$( get_current_filetime "${LAPS_DATETIME_PY}" "${LAPS_TIMELIMIT}" )"
# 5. update ldap
- wrapper_update_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_LDAPSEARCH_UNIQUE_ID}" "${LAPS_LDAPCONF}" "${LAPS_KRB5CC_TMPFILE}" "${LAPS_ATTRIB_PW}" "${LAPS_phrase}" "${LAPS_ATTRIB_TIME}" "${LAPS_timestamp}" "${LAPS_LDIF_TMPFILE}" "${LAPS_LDAPMODIFY_BIN}" "${LAPS_LDAPMODIFY_FLAGS}" "${LAPS_TEST}"
+ update_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_LDAPSEARCH_UNIQUE_ID}" "${LAPS_LDAPCONF}" "${LAPS_KRB5CC_TMPFILE}" ":" "${LAPS_ATTRIB_PW}:${LAPS_ATTRIB_TIME}" "${LAPS_phrase}:${LAPS_timestamp}" "${LAPS_LDIF_TMPFILE}" "${LAPS_LDAPMODIFY_BIN}" "${LAPS_LDAPMODIFY_FLAGS}" "${LAPS_TEST}" "${LAPS_LDAPSEARCH_STATUS_TMPFILE}"
# 6. if ^ was successful, change password for configured user
wrapper_change_password "${LAPS_phrase}" "${LAPS_USER}" "${LAPS_PASSWD_BIN}" "${LAPS_TEST}"
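Review bot: The new `update_ldap` call packs the secret and the timestamp into one argument, `"${LAPS_phrase}:${LAPS_timestamp}"`, with `":"` passed as the field separator, so a generated password that itself contains a colon would be split at the wrong place and the wrong value written to `${LAPS_ATTRIB_PW}` (assuming update_ldap splits on that separator — it lives in shldap and is not visible here). Either guarantee that the password generator never emits the separator, or guard at this call site: `case "${LAPS_phrase}" in *:*) ferror "${scriptfile}: 7 fatal! generated password contains the ':' separator. Aborted." ; exit 7 ;; esac`. A comment above the call, `# ":" is the separator for the attrib and value lists; the generated phrase must never contain it`, would record the constraint. main_workflow begins and ends outside this hunk.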
@@ -130,105 +130,8 @@ main_workflow() {
}
-get_host_keytab() {
- # call: get_host_keytab "${LAPS_KINIT_HOST_SCRIPT}" "${LAPS_KINIT_HOST_SCRIPT_OPTS}" "${LAPS_KLIST_BIN}" "${LAPS_KRB5CC_TMPFILE}"
- # returns: nothing.
- # action: get host kerberos ticket-granting ticket
- debuglev 10 && ferror "get_host_keytab $@"
- ___ghk_kinit_host_script="${1}"
- ___ghk_kinit_host_script_opts="${2}"
- ___ghk_klist_bin="${3}"
- ___ghk_krb5cc_tmpfile="${4}"
-
- test -z "${___ghk_kinit_host_script}" && ___ghk_kinit_host_script="${LAPS_KINIT_HOST_SCRIPT_DEFAULT}"
-
- if test -e "${___ghk_kinit_host_script}" ;
- then
- KRB5CCNAME=FILE:"${___ghk_krb5cc_tmpfile}" "${___ghk_kinit_host_script}" ${___ghk_kinit_host_script_opts}
- else
- debuglev 3 && ferror "debug3: Using built-in logic to fetch host kerberos ticket because unable to find LAPS_KINIT_HOST_SCRIPT=${___ghk_kinit_host_script}"
- # do internal logic here
- # find kinit
- ___ghk_kinit_bin="$( find "${LAPS_KINIT_BIN}" /usr/bin/kinit /bin/kinit /usr/local/bin/kinit -print -quit 2>/dev/null | head -n1 )"
- if ! test -e "${___ghk_kinit_bin}" ;
- then
- ferror "${scriptname}: 4 fatal! Unable to find kinit. Please use variable LAPS_KINIT_BIN. Aborted."
- fi
- # cannot use requested server name here. root@localhost can only use its own kerberos ticket.
- # observe that no domain name is given (after the dollar sign). This will force kerberos to choose, based on the default_realm value in /etc/krb5.conf.
- "${___ghk_kinit_bin}" -k -c "${___ghk_krb5cc_tmpfile}" "$( hostname -s | tr '[[:lower:]]' '[[:upper:]]' )\$" | debuglevoutput 7
- fi
-
- # return true if klist returns true
- "${___ghk_klist_bin}" -c "${___ghk_krb5cc_tmpfile}" | debuglevoutput 7
-
-}
-
-get_attrib_from_ldap() {
- # call: get_attrib_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_TIME}" "${LAPS_LDAPCONF}" "${LAPS_KRB5CC_TMPFILE}"
- debuglev 10 && ferror "get_attrib_from_ldap $@"
- ___gtfl_ldapsearch_bin="${1}"
- ___gtfl_ldapsearch_flags="${2}"
- ___gtfl_ldapsearch_filter="${3}"
- ___gtfl_attrib="${4}"
- ___gtfl_ldapconf="${5}"
- ___gtfl_krb5cc_tmpfile="${6}"
-
- # execute for the purpose of displaying when debug level is high enough
- {
- debuglev 8 && set -x
- KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" "${___gtfl_attrib}" 2>&1 | debuglevoutput 8
- set +x
- } 1>&2
-
- # execute to check for ldap or kerberos errors
- ___gtfl_stderr="$( KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" "${___gtfl_attrib}" 2>&1 1>/dev/null )"
- ___gtfl_stderr_response="$?"
- if test ${___gtfl_stderr_response} -ne 0 ;
- then
- if echo "${___gtfl_stderr}" | grep -qiE 'Ticket expired' ;
- then
- ferror "Fatal: Kerberos ticket expired."
- return 1;
- elif echo "${___gtfl_stderr}" | grep -qi -e 'SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Success)' ;
- then
- ferror "Fatal: GSSAPI Error: Invalid name (Success). Try using \"SASL_NOCANON on\" in lapsldap.conf."
- return 1;
- elif echo "${___gtfl_stderr}" | grep -qi -e 'TLS: hostname does not match CN in peer certificate' ;
- then
- ferror "Fatal: TLS: hostname does not match CN. Try using \"TLS_REQCERT allow\" in lapsldap.conf."
- return 1;
- else
- {
- echo "Fatal: other ldap error:"
- echo "${___gtfl_stderr}"
- } | debuglevoutput 9
- return 1;
- fi
- fi
-
- # execute for actually fetching the value
- ___gtfl_attrib="$( { KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" \
- "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" \
- "${___gtfl_attrib}" 2>/dev/null ; \
- echo "$?" > "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" ; \
- } | sed -r -e 's/^#.*$//;' -e '/^\s*$/d' | grep -iE -e "^${___gtfl_attrib}:" | awk '{print $2}' )"
- ___gtfl_ldap_success="$( { cat "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" 2>/dev/null ; echo "1" ; } | head -n1 )"
- if test "${___gtfl_ldap_success}" != "0" ;
- then
- ferror "Fatal: LDAP lookup failed"
- return 1
- fi
-
- # here we can be sure that an empty value means there was no attribute by
- # that name defined or it had an actual empty value.
-
- echo "${___gtfl_attrib}"
-
-}
-
wrapper_get_timestamp_from_ldap() {
- # call: wrapper_get_timestamp_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_TIME}" "${LAPS_LDAPCONF}" "${LAPS_DATETIME_PY}" "${LAPS_KRB5CC_TMPFILE}"
+ # call: wrapper_get_timestamp_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_TIME}" "${LAPS_LDAPCONF}" "${LAPS_DATETIME_PY}" "${LAPS_KRB5CC_TMPFILE}" "${LAPS_LDAPSEARCH_STATUS_TMPFILE}"
debuglev 10 && ferror "wrapper_get_timestamp_from_ldap $@"
___wgtfl_ldapsearch_bin="${1}"
___wgtfl_ldapsearch_flags="${2}"
@@ -237,8 +140,9 @@ wrapper_get_timestamp_from_ldap() {
___wgtfl_ldapconf="${5}"
___wgtfl_datetime_py="${6}"
___wgtfl_krb5cc_tmpfile="${7}"
+ ___wgtfl_ldapsearch_status_tmpfile="${8}"
- ts_filetime="$( get_attrib_from_ldap "${___wgtfl_ldapsearch_bin}" "${___wgtfl_ldapsearch_flags}" "${___wgtfl_ldapsearch_filter}" "${___wgtfl_attrib}" "${___wgtfl_ldapconf}" "${___wgtfl_krb5cc_tmpfile}" )"
+ ts_filetime="$( get_attrib_from_ldap "${___wgtfl_ldapsearch_bin}" "${___wgtfl_ldapsearch_flags}" "${___wgtfl_ldapsearch_filter}" "${___wgtfl_attrib}" "${___wgtfl_ldapconf}" "${___wgtfl_krb5cc_tmpfile}" "${___wgtfl_ldapsearch_status_tmpfile}" )"
ts_filetime_response="$?"
test ${ts_filetime_response} -eq 0 || return "${ts_filetime_response}"
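Review bot: `___wgtfl_ldapsearch_status_tmpfile="${8}"` is taken as-is with no fallback, so any caller still written against the seven-argument signature hands an empty status-file path through to get_attrib_from_ldap, and the LDAP success check that depends on that file (now in shldap, not visible here) would be reading from an empty name. A default keeps older call sites working: `test -z "${___wgtfl_ldapsearch_status_tmpfile}" && ___wgtfl_ldapsearch_status_tmpfile="${LAPS_LDAPSEARCH_STATUS_TMPFILE}"`. wrapper_get_timestamp_from_ldap's signature and tail are outside this hunk.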
@@ -324,7 +228,7 @@ get_current_filetime() {
___gcf_timelimit="${2}"
___gcf_timestamp="$( "${___gcf_datetime_py}" -f "$( date -u -d "now+${___gcf_timelimit}" "+%s" )" )"
-
+
if ! fisnum "${___gcf_timestamp}" ;
then
ferror "${scriptfile}: 4 fatal! Could not generate valid timestamp. Aborted."
@@ -336,62 +240,6 @@ get_current_filetime() {
echo "${___gcf_timestamp}"
}
-wrapper_update_ldap() {
- # call: wrapper_update_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_LDAPSEARCH_UNIQUE_ID}" "${LAPS_LDAPCONF}" "${LAPS_KRB5CC_TMPFILE}" "${LAPS_ATTRIB_PW}" "${LAPS_phrase}" "${LAPS_ATTRIB_TIME}" "${LAPS_timestamp}" "${LAPS_LDIF_TMPFILE}" "${LAPS_LDAPMODIFY_BIN}" "${LAPS_LDAPMODIFY_FLAGS}" "${LAPS_TEST}"
- debuglev 10 && ferror "wrapper_update_ldap $@"
- ___wul_ldapsearch_bin="${1}"
- ___wul_ldapsearch_flags="${2}"
- ___wul_ldapsearch_filter="${3}"
- ___wul_ldapsearch_unique_id="${4}"
- ___wul_ldapconf="${5}"
- ___wul_krb5cc_tmpfile="${6}"
- ___wul_attrib_pw="${7}"
- ___wul_phrase="${8}"
- ___wul_attrib_time="${9}"
- ___wul_timestamp="${10}"
- ___wul_ldif_tmpfile="${11}"
- ___wul_ldapmodify_bin="${12}"
- ___wul_ldapmodify_flags="${13}"
- ___wul_test="${14}"
-
- # learn dn
- ___wul_dn="$( get_attrib_from_ldap "${___wul_ldapsearch_bin}" "${___wul_ldapsearch_flags}" "${___wul_ldapsearch_filter}" "${___wul_ldapsearch_unique_id}" "${___wul_ldapconf}" "${___wul_krb5cc_tmpfile}" )"
-
- # generate ldif
- {
- echo "${___wul_ldapsearch_unique_id}: ${___wul_dn}"
- echo "changetype: modify"
- echo "replace: ${___wul_attrib_pw}"
- echo "${___wul_attrib_pw}: ${___wul_phrase}"
- printf "%s\n" "-"
- echo "replace: ${___wul_attrib_time}"
- echo "${___wul_attrib_time}: ${___wul_timestamp}"
- } > "${___wul_ldif_tmpfile}"
- unset ___wul_ldapmodify_flag_verbose ; debuglev 9 && ___wul_ldapmodify_flag_verbose="-v"
-
- # add -n to this command if flag --test is used.
- unset ___wul_ldapmodify_flag_test ; fistruthy "${___wul_test}" && ___wul_ldapmodify_flag_test="-n"
- {
- KRB5CCNAME="${___wul_krb5cc_tmpfile}" LDAPCONF="${___wul_ldapconf}" "${___wul_ldapmodify_bin}" ${___wul_ldapmodify_flags} "${___wul_ldif_tmpfile}" ${___wul_ldapmodify_flag_verbose} ${___wul_ldapmodify_flag_test} 2>&1
- echo "$?" > "${LAPS_LDAPMODIFY_STATUS_TMPFILE}"
- }| sed -r -e '/^\s*$/d;' | debuglevoutput 1 silent
- ___wul_ldap_success="$( cat "${LAPS_LDAPMODIFY_STATUS_TMPFILE}" )"
-
- case "${___wul_ldap_success}" in
- 0)
- # continue on
- :
- ;;
- *)
- ferror "${scriptfile}: 7 fatal! ldapmodify returned ${___wul_ldap_success}. Unhandled exception. Aborted."
- exit 7
- ;;
- esac
-
- return ${___wul_ldap_success}
-
-}
-
wrapper_change_password() {
# call: wrapper_change_password "${LAPS_phrase}" "${LAPS_USER}" "${LAPS_PASSWD_BIN}" "${LAPS_TEST}"
debuglev 10 && ferror "wrapper_change_password $@"
@@ -404,7 +252,7 @@ wrapper_change_password() {
then
echo "0" > "${LAPS_PASSWORD_STATUS_TMPFILE}"
else
- ___wcp_stdout="$( printf "%s\n%s\n" "${___wcp_phrase}" "${___wcp_phrase}" | "${___wcp_passwd_bin}" "${___wcp_user}" ; echo "$?" > "${LAPS_PASSWORD_STATUS_TMPFILE}" )"
+ ___wcp_stdout="$( printf "%s\n%s\n" "${___wcp_phrase}" "${___wcp_phrase}" | "${___wcp_passwd_bin}" "${___wcp_user}" 2>&1 ; echo "$?" > "${LAPS_PASSWORD_STATUS_TMPFILE}" )"
fi
___wcp_passwd_result="$( cat "${LAPS_PASSWORD_STATUS_TMPFILE}" )"
@@ -436,96 +284,6 @@ wrapper_log() {
}
-get_user_kerberos_ticket() {
- # call: get_user_kerberos_ticket "${LAPS_KERBEROS_USER}" "${LAPS_USER_IS_ROOT}" "${LAPS_KRB5CC_TMPFILE}" "${LAPS_INTERACTIVE}" "${LAPS_KINIT_BIN}" "${LAPS_KLIST_BIN}"
- debuglev 10 && ferror "get_user_kerberos_ticket $@"
- ___gukt_kerberos_user="${1}"
- ___gukt_user_is_root="${2}"
- ___gukt_krb5cc_tmpfile="${3}"
- ___gukt_interactive="${4}"
- ___gukt_kinit_bin="${5}"
- ___gukt_klist_bin="${6}"
-
- # LAPS on the domain side does not permit a host keytab to read the password attribute, so if user=machine, fail out
- # options:
- # if root, using machine ticket. ACT: fail
- # if root, using user ticket. ACT: check user tgt, then prompt.
- # if user, using machine ticket. ACT: check user tgt, then prompt
- # if user, using user ticket ACT: check user tgt, then prompt
-
- if test "${___gukt_kerberos_user}" = "machine" ;
- then
- if test "${___gukt_user_is_root}" = "1" ;
- then
- ferror "${scriptfile}: 2 fatal! To read the password stored in the domain, you need LDAP_KERBEROS_USER=<username> or -u <username> or run this script as a domain admin user. Aborted."
- exit 2
- else
- ___gukt_kerberos_user="${USER}"
- ferror "Trying with logged in user ${___gukt_kerberos_user}."
- fi
- fi
-
- # Try current user kerberos ticket to see if has a tgt for LAPS_KERBEROS_USER
- ___gukt_klist_stdout="$( "${___gukt_klist_bin}" 2>/dev/null )"
- echo "${___gukt_klist_stdout}" | debuglevoutput 8
- ___gukt_klist_krb5cc="$( echo "${___gukt_klist_stdout}" | grep -iE 'ticket cache:' | awk -F':' '{print $NF}' | xargs )"
- ___gukt_klist_user=$( echo "${___gukt_klist_stdout}" | grep -iE 'default principal:' | awk -F':' '{print $2}' | awk -F'@' '{print $1}' | xargs )
- ___gukt_klist_krbtgt="$( echo "${___gukt_klist_stdout}" | grep -E "krbtgt\/" )"
- {
- echo "klist_krb5cc=${___guktk_list_krb5cc}"
- echo "klist_user=${___gukt_klist_user}"
- echo "klist_krbtgt=${___gukt_klist_krbtgt}"
- } | debuglevoutput 7
-
- # if we already have a tgt
- if test -n "${___gukt_klist_krbtgt}" ;
- then
- case "${___gukt_klist_user}" in
- # and it is for the requested user
- ${___gukt_kerberos_user})
- # copy it to our temporary location
- debuglev 7 && ferror "Using existing krbtgt for requested user ${___gukt_kerberos_user}"
- /bin/cp -p "${___gukt_klist_krb5cc}" "${___gukt_krb5cc_tmpfile}"
- ;;
- *)
- ferror "Using existing krb5tgt for ${___gukt_klist_user} instead of requested ${___gukt_kerberos_user}"
- ___gukt_kerberos_user="${___gukt_klist_user}"
- ;;
- esac
- else
- # need to get a ticket
- # are we allowed to ormpt?
- if fistruthy "${___gukt_interactive}" ;
- then
- # prompt and save to temp kerberos location
- debuglev 1 && ferror "No krbtgt found. Prompting now..."
- KRB5CCNAME="${___gukt_krb5cc_tmpfile}" "${___gukt_kinit_bin}" "${___gukt_kerberos_user}"
- else
- ferror "${scriptfile}: 2. Need LAPS_INTERACTIVE=1 or -i flag, to allow interactive kinit prompt. Aborted."
- exit 2
- fi
- fi
- # verify that the tgt exists now
- ___gukt_klist_stdout="$( KRB5CCNAME="${___gukt_krb5cc_tmpfile}" "${___gukt_klist_bin}" 2>/dev/null )"
- echo "${___gukt_klist_stdout}" | debuglevoutput 4
- ___gukt_klist_krb5cc="$( echo "${___gukt_klist_stdout}" | grep -iE 'ticket cache:' | awk -F':' '{print $NF}' | xargs )"
- ___gukt_klist_user=$( echo "${___gukt_klist_stdout}" | grep -iE 'default principal:' | awk -F':' '{print $2}' | awk -F'@' '{print $1}' | xargs )
- ___gukt_klist_krbtgt="$( echo "${___gukt_klist_stdout}" | grep -E "krbtgt\/" )"
- {
- echo "klist_krb5cc=${___gukt_klist_krb5cc}"
- echo "klist_user=${___gukt_klist_user}"
- echo "klist_krbtgt=${___gukt_klist_krbtgt}"
- } | debuglevoutput 5
-
- if test -z "${___gukt_klist_krbtgt}" ;
- then
- # no krbtgt so fail out
- ferror "${scriptfile}: 6 fatal! Failed to get tgt for user ${___gkt_kerberos_user}. Check password or account. Aborted."
- exit 6
- fi
-
-}
-
# DEFINE TRAPS
clean_laps() {
@@ -620,6 +378,22 @@ case ${is_root} in
;;
esac
+# LOAD SHLDAP
+setval 1 LAPS_SHLDAP_discovered <<EOFSENDSH # if $1="1" then setvalout="critical-fail" on failure
+${LAPS_SHLDAP}
+${SHLDAP}
+/usr/share/bgscripts/shldap.sh
+/usr/lib/bgscripts/shldap.sh
+EOFSENDSH
+test "${setvalout}" = "critical-fail" && ferror "${scriptfile}: 4. LAPS_SHLDAP not found. Aborted." && exit 4
+LAPS_SHLDAP_MINIMUM=20190717
+. "${LAPS_SHLDAP_discovered}"
+if ! test $( echo "${SHLDAP_VERSION}" | tr -dc '[[:digit:]]' ) -ge ${LAPS_SHLDAP_MINIMUM} ;
+then
+ ferror "${scriptfile}: 4. Insufficient version of shldap found: ${LAPS_SHLDAP_discovered} ${SHLDAP_VERSION}. Need >= ${LAPS_SHLDAP_MINIMUM}. Aborted."
+ exit 4
+fi
+
# SET CUSTOM SCRIPT AND VALUES
#setval 1 sendsh sendopts<<EOFSENDSH # if $1="1" then setvalout="critical-fail" on failure
#/usr/local/share/bgscripts/send.sh -hs # setvalout maybe be "fail" otherwise
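Review bot: The library is sourced at `. "${LAPS_SHLDAP_discovered}"` before anything about it is checked, and the candidate list given to setval starts with two environment variables (`${LAPS_SHLDAP}`, `${SHLDAP}`), so whoever controls this process's environment chooses a file that is executed with the script's privileges — the surrounding `case ${is_root}` suggests that can be root — and the version test on the following line only runs after that code has already executed (setval appears to select the first usable candidate; its definition is not visible here). Before sourcing, refuse anything that is not a regular, root-owned file without group/world write when running as root, e.g. `test -f "${LAPS_SHLDAP_discovered}" && test -n "$( find "${LAPS_SHLDAP_discovered}" -maxdepth 0 -user root ! -perm /g+w,o+w 2>/dev/null )"` (GNU find syntax), and consider ignoring the environment-supplied candidates in that case. Separately, `test $( echo "${SHLDAP_VERSION}" | tr -dc '[[:digit:]]' ) -ge ${LAPS_SHLDAP_MINIMUM}` leaves the substitution unquoted, so an empty or undefined `SHLDAP_VERSION` yields a `test` usage error instead of the intended "Insufficient version" message; capture it first with `LAPS_SHLDAP_found_version="$( printf '%s' "${SHLDAP_VERSION}" | tr -dc '[[:digit:]]' )"` and compare `test "${LAPS_SHLDAP_found_version:-0}" -ge "${LAPS_SHLDAP_MINIMUM}"`.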
@@ -667,6 +441,7 @@ test -z "${LAPS_LDIF_TMPFILE}" && LAPS_LDIF_TMPFILE="$( TMPDIR="${LAPS_TMPDIR}"
test -z "${LAPS_LDAPMODIFY_STATUS_TMPFILE}" && LAPS_LDAPMODIFY_STATUS_TMPFILE="$( TMPDIR="${LAPS_TMPDIR}" mktemp )"
test -z "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" && LAPS_LDAPSEARCH_STATUS_TMPFILE="$( TMPDIR="${LAPS_TMPDIR}" mktemp )"
test -z "${LAPS_PASSWORD_STATUS_TMPFILE}" && LAPS_PASSWORD_STATUS_TMPFILE="$( TMPDIR="${LAPS_TMPDIR}" mktemp )"
+#test -z "${LAPS_TMPFILE1}" && LAPS_TMPFILE1="$( TMPDIR="${LAPS_TMPDIR}" mktemp )"
define_if_new LAPS_KINIT_HOST_SCRIPT "/usr/share/bgscripts/work/kinit-host.sh"
define_if_new LAPS_KINIT_HOST_SCRIPT_OPTS ""
define_if_new LAPS_KINIT_HOST_SCRIPT_DEFAULT "/usr/share/bgscripts/work/kinit-host.sh"