source: branches/samba-3.0/examples/LDAP/smbldap-tools-0.9.2/smbldap-passwd

Last change on this file was 1, checked in by Paul Smedley, 18 years ago

Initial code import
File size: 10.1 KB
Line 
1#!/usr/bin/perl -w
2
3# LDAP to unix password sync script for samba
4# $Id: smbldap-passwd,v 1.19 2005/10/31 15:05:22 jtournier Exp $
5
6# This code was developped by IDEALX (http://IDEALX.org/) and
7# contributors (their names can be found in the CONTRIBUTORS file).
8#
9# Copyright (C) 2001-2002 IDEALX
10#
11# This program is free software; you can redistribute it and/or
12# modify it under the terms of the GNU General Public License
13# as published by the Free Software Foundation; either version 2
14# of the License, or (at your option) any later version.
15#
16# This program is distributed in the hope that it will be useful,
17# but WITHOUT ANY WARRANTY; without even the implied warranty of
18# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19# GNU General Public License for more details.
20#
21# You should have received a copy of the GNU General Public License
22# along with this program; if not, write to the Free Software
23# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
24# USA.
25
26# Purpose :
27# . ldap-unix passwd sync for SAMBA>2.2.2 + LDAP
28# . may also replace /bin/passwd
29
30# untaint environment
31$ENV{'PATH'}= '/bin:/usr/bin';
32$ENV{'SHELL'}= '/bin/sh';
33delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
34
35use strict;
36use FindBin;
37use FindBin qw($RealBin);
38use lib "$RealBin/";
39use smbldap_tools;
40
41use Crypt::SmbHash;
42use Digest::MD5 qw(md5);
43use Digest::SHA1 qw(sha1);
44use MIME::Base64 qw(encode_base64);
45
46# function declaration
47sub make_hash;
48sub make_salt;
49
50my $user= undef;
51my $oldpass= undef;
52
53my $arg;
54my $update_samba_passwd= 1;
55my $update_unix_passwd= 1;
56
57foreach $arg (@ARGV) {
58 if ( substr( $arg, 0, 1 ) eq '-' ) {
59 if ( $arg eq '-h' || $arg eq '-?' || $arg eq '--help' ) {
60 print_banner;
61 print "Usage: $0 [options] [username]\n";
62 print " -h, -?, --help show this help message\n";
63 print " -s update only samba password\n";
64 print " -u update only UNIX password\n";
65 exit (6);
66 } elsif ($arg eq '-s') {
67 $update_samba_passwd= 1; $update_unix_passwd= 0;
68 } elsif ($arg eq '-u') {
69 $update_samba_passwd= 0; $update_unix_passwd= 1;
70 }
71 } else {
72 if ( $< != 0 ) {
73 die "Only root can specify username\n";
74 }
75 $user= $arg; last;
76 }
77}
78
79if (!defined($user)) {
80 $user = getpwuid($<); # $user=$ENV{"USER"};
81}
82
83# check if $user variable is not tainted
84# [TODO] create proper user mask
85$user =~ /^([-\@\ \w.]+\$?)$/ and $user = $1 or
86 die "$0: username '$user' is tainted\n";
87
88
89my ($dn,$ldap_master);
90# First, connecting to the directory
91if ($< != 0) {
92 # non-root user
93 if (!defined($oldpass)) {
94 # prompt for password
95 print "Identity validation...\nenter your UNIX password: ";
96 system "/bin/stty -echo" if (-t STDIN);
97 chomp($oldpass=<STDIN>);
98 system "/bin/stty echo" if (-t STDIN);
99 print "\n";
100
101 $config{masterDN}="uid=$user,$config{usersdn}";
102 $config{masterPw}="$oldpass";
103 $ldap_master=connect_ldap_master();
104 $dn=$config{masterDN};
105 if (!is_user_valid($user, $dn, $oldpass)) {
106 print "Authentication failure\n";
107 exit (10);
108 }
109 }
110} else {
111 # root user
112 $ldap_master=connect_ldap_master();
113 # test existence of user in LDAP
114 my $dn_line;
115 if (!defined($dn_line = get_user_dn($user))) {
116 print "$0: user $user doesn't exist\n";
117 exit (10);
118 }
119 $dn = get_dn_from_line($dn_line);
120}
121
122my $samba = is_samba_user($user);
123
124# Printing verbose message
125if ( $samba and $update_samba_passwd ) {
126 if ( $update_unix_passwd ) {
127 print "Changing UNIX and samba passwords for $user\n";
128 } else {
129 print "Changing samba password for $user\n";
130 }
131} else {
132 if ( $update_unix_passwd ) {
133 print "Changing UNIX password for $user\n";
134 } else {
135 die "Internal error";
136 }
137}
138
139# prompt for new password
140
141my $pass;
142my $pass2;
143
144print "New password: ";
145system "/bin/stty -echo" if (-t STDIN);
146chomp($pass=<STDIN>);
147system "/bin/stty echo" if (-t STDIN);
148print "\n";
149
150print "Retype new password: ";
151system "/bin/stty -echo" if (-t STDIN);
152chomp($pass2=<STDIN>);
153system "/bin/stty echo" if (-t STDIN);
154print "\n";
155
156if ($pass ne $pass2) {
157 print "New passwords don't match!\n";
158 exit (10);
159}
160
161# Prepare '$hash_password' for 'userPassword'
162my $hash_password;
163# Generate password hash
164if ($config{with_slappasswd}) {
165 # checking if password is tainted: nothing is changed!!!!
166 # essential for perl 5.8
167 ($pass =~ /^(.*)$/ and $pass=$1) or
168 die "$0: user password is tainted\n";
169
170 # use slappasswd to generate hash
171 if ( $config{hash_encrypt} eq "CRYPT" && defined($config{crypt_salt_format}) ) {
172 open BUF, "-|" or
173 exec "$config{slappasswd}",
174 "-h","{$config{hash_encrypt}}",
175 "-c","$config{crypt_salt_format}",
176 "-s","$pass";
177 $hash_password = <BUF>;
178 close BUF;
179 } else {
180 open(BUF, "-|") or
181 exec "$config{slappasswd}",
182 "-h","{$config{hash_encrypt}}",
183 "-s","$pass";
184 $hash_password = <BUF>;
185 close BUF;
186 }
187} else {
188 # use perl libraries to generate hash
189 $hash_password = make_hash($pass,$config{hash_encrypt},$config{crypt_salt_format});
190}
191# check if a hash was generated, otherwise die
192defined($hash_password) or
193 die "I cannot generate the proper hash!\n";
194chomp($hash_password);
195
196# First, connecting to the directory
197if ($< != 0) {
198 # if we are not root, we close the connection to re-open it as a normal user
199 $ldap_master->unbind;
200 $config{masterDN}="uid=$user,$config{usersdn}";
201 $config{masterPw}="$oldpass";
202 $ldap_master=connect_ldap_master();
203}
204
205# only modify smb passwords if smb user
206if ( $samba and $update_samba_passwd ) {
207 if (!$config{with_smbpasswd}) {
208 # generate LanManager and NT clear text passwords
209 my ($sambaLMPassword,$sambaNTPassword) = ntlmgen $pass;
210 # the sambaPwdLastSet must be updating
211 my $date=time;
212 my @mods;
213 push(@mods, 'sambaLMPassword' => $sambaLMPassword);
214 push(@mods, 'sambaNTPassword' => $sambaNTPassword);
215 push(@mods, 'sambaPwdLastSet' => $date);
216 if (defined $config{defaultMaxPasswordAge}) {
217 my $new_sambaPwdMustChange=$date+$config{defaultMaxPasswordAge}*24*60*60;
218 push(@mods, 'sambaPwdMustChange' => $new_sambaPwdMustChange);
219 if ($< ==0) {
220 push(@mods, 'sambaAcctFlags' => '[U]');
221 }
222 }
223 # Let's change nt/lm passwords
224 my $modify = $ldap_master->modify ( "$dn",
225 'replace' => { @mods }
226 );
227 $modify->code && warn "failed to modify entry: ", $modify->error ;
228
229 } else {
230 if ($< != 0) {
231 my $FILE="|$config{smbpasswd} -s >/dev/null";
232 open (FILE, $FILE) || die "$!\n";
233 print FILE <<EOF;
234$oldpass
235$pass
236$pass
237EOF
238 ;
239 close FILE;
240 } else {
241 open FILE,"|-" or
242 exec "$config{smbpasswd}","$user","-s";
243 local $SIG{PIPE} = sub {die "buffer pipe terminated" };
244 print FILE <<EOF;
245$pass
246$pass
247EOF
248 ;
249 close FILE;
250 }
251 }
252}
253
254# Update 'userPassword' field
255if ( $update_unix_passwd ) {
256 my $modify = $ldap_master->modify ( "$dn",
257 changes => [
258 replace => [userPassword => "$hash_password"]
259 ]
260 );
261 $modify->code && warn "Unable to change password: ", $modify->error ;
262}
263
264# take down session
265$ldap_master->unbind;
266
267exit 0;
268
269# Generates hash to be one of the following RFC 2307 schemes:
270# CRYPT, MD5, SMD5, SHA, SSHA, and CLEARTEXT
271# SSHA is default
272# '%s' is a default crypt_salt_format
273# A substitute for slappasswd tool
274sub make_hash
275 {
276 my $hash_encrypt;
277 my $crypt_salt_format;
278
279 my $clear_pass=$_[0] or return undef;
280 $hash_encrypt='{' . $_[1] . '}' or $hash_encrypt = "{SSHA}";
281 $crypt_salt_format=$_[2] or $crypt_salt_format = '%s';
282
283 my $hash_pass;
284 if ($hash_encrypt eq "{CRYPT}" && defined($crypt_salt_format)) {
285 # Generate CRYPT hash
286 # for unix md5crypt $crypt_salt_format = '$1$%.8s'
287 my $salt = sprintf($crypt_salt_format,make_salt());
288 $hash_pass = "{CRYPT}" . crypt($clear_pass,$salt);
289
290 } elsif ($hash_encrypt eq "{MD5}") {
291 # Generate MD5 hash
292 $hash_pass = "{MD5}" . encode_base64( md5($clear_pass),'' );
293
294 } elsif ($hash_encrypt eq "{SMD5}") {
295 # Generate SMD5 hash (MD5 with salt)
296 my $salt = make_salt(4);
297 $hash_pass = "{SMD5}" . encode_base64( md5($clear_pass . $salt) . $salt,'');
298
299 } elsif ($hash_encrypt eq "{SHA}") {
300 # Generate SHA1 hash
301 $hash_pass = "{SHA}" . encode_base64( sha1($clear_pass),'' );
302
303 } elsif ($hash_encrypt eq "{SSHA}") {
304 # Generate SSHA hash (SHA1 with salt)
305 my $salt = make_salt(4);
306 $hash_pass = "{SSHA}" . encode_base64( sha1($clear_pass . $salt) . $salt,'' );
307
308 } elsif ($hash_encrypt eq "{CLEARTEXT}") {
309 $hash_pass=$clear_pass;
310
311 } else {
312 $hash_pass=undef;
313 }
314 return $hash_pass;
315 }
316
317# Generates salt
318# Similar to Crypt::Salt module from CPAN
319sub make_salt
320 {
321 my $length=32;
322 $length = $_[0] if exists($_[0]);
323
324 my @tab = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');
325 return join "",@tab[map {rand 64} (1..$length)];
326 }
327
328# - The End
329
330=head1 NAME
331
332smbldap-passwd - change user password
333
334=head1 SYNOPSIS
335
336smbldap-passwd [-?|--help|-s|-u] [name]
337
338=head1 DESCRIPTION
339
340smbldap-passwd changes passwords for user accounts. A normal user may only change the password for their own account, the super user may change the password for any account.
341
342If option -s specified then changed only samba password.
343If options -u specified then changed only UNIX password.
344With no options then changed both - UNIX and samba passwords.
345
346Password Changes
347 The user is first prompted for their old password, if one is present. This password is then tested against the stored password by binding to the server. The user has only one chance to enter the correct passwword. The super user is permitted to bypass this step so that forgotten passwords may be changed.
348 The user is then prompted for a replacement password. As a general guideline, passwords should consist of 6 to 8 characters including one or more from each of following sets:
349
350Lower case alphabetics
351
352Upper case alphabetics
353
354Digits 0 thru 9
355
356Punctuation marks
357
358Password will prompt again and compare the second entry against the first. Both entries are require to match in order for the password to be changed.
359
360=head1 SEE ALSO
361
362 passwd(1)
363
364=cut
365
366#'
Note: See TracBrowser for help on using the repository browser.