mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
removing outdated scripts and adding comments about 'ldap password syc'
(This used to be commit 29885eae59
)
This commit is contained in:
parent
3d393502e7
commit
b3f1b28e1e
@ -1,64 +0,0 @@
|
||||
#!/usr/bin/perl
|
||||
##
|
||||
## Example script to export ldap entries into an smbpasswd file format
|
||||
## using the Mozilla PerLDAP module.
|
||||
##
|
||||
## writen by jerry@samba.org
|
||||
##
|
||||
## ported to Net::LDAP by dkrovich@slackworks.com
|
||||
|
||||
use Net::LDAP;
|
||||
|
||||
######################################################
|
||||
## Set these values to whatever you need for your site
|
||||
##
|
||||
|
||||
$DN="dc=samba,dc=my-domain,dc=com";
|
||||
$ROOTDN="cn=Manager,dc=my-domain,dc=com";
|
||||
$rootpw = "secret";
|
||||
$LDAPSERVER="localhost";
|
||||
|
||||
##
|
||||
## end local site variables
|
||||
######################################################
|
||||
|
||||
$ldap = Net::LDAP->new($LDAPSERVER) or die "Unable to connect to LDAP server $LDAPSERVER";
|
||||
|
||||
print "##\n";
|
||||
print "## Autogenerated smbpasswd file via ldapsearch\n";
|
||||
print "## from $LDAPSERVER ($DN)\n";
|
||||
print "##\n";
|
||||
|
||||
## scheck for the existence of the posixAccount first
|
||||
$result = $ldap->search ( base => "$DN",
|
||||
scope => "sub",
|
||||
filter => "(objectclass=sambaAccount)"
|
||||
);
|
||||
|
||||
|
||||
|
||||
## loop over the entries we found
|
||||
while ( $entry = $result->shift_entry() ) {
|
||||
|
||||
@uid = $entry->get_value("uid");
|
||||
@uidNumber = $entry->get_value("uidNumber");
|
||||
@lm_pw = $entry->get_value("lmpassword");
|
||||
@nt_pw = $entry->get_value("ntpassword");
|
||||
@acct = $entry->get_value("acctFlags");
|
||||
@pwdLastSet = $entry->get_value("pwdLastSet");
|
||||
|
||||
if (($#uid+1) && ($#uidNumber+1)) {
|
||||
|
||||
$lm_pw[0] = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" if (! ($#lm_pw+1));
|
||||
$nt_pw[0] = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" if (! ($#nt_pw+1));
|
||||
$acct[0] = "[DU ]" if (! ($#acct+1));
|
||||
$pwdLastSet[0] = "FFFFFFFF" if (! ($#pwdLastSet+1));
|
||||
|
||||
print "$uid[0]:$uidNumber[0]:$lm_pw[0]:$nt_pw[0]:$acct[0]:LCT-$pwdLastSet[0]\n";
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
$ldap->unbind();
|
||||
exit 0;
|
||||
|
@ -1,119 +0,0 @@
|
||||
#!/usr/bin/perl
|
||||
##
|
||||
## Example script of how you could import a smbpasswd file into an LDAP
|
||||
## directory using the Mozilla PerLDAP module.
|
||||
##
|
||||
## writen by jerry@samba.org
|
||||
##
|
||||
## ported to Net::LDAP by dkrovich@slackworks.com
|
||||
|
||||
use Net::LDAP;
|
||||
|
||||
#################################################
|
||||
## set these to a value appropriate for your site
|
||||
##
|
||||
|
||||
$DN="ou=people,dc=plainjoe,dc=org";
|
||||
$ROOTDN="cn=Manager,dc=plainjoe,dc=org";
|
||||
# If you use perl special character in your
|
||||
# rootpw, escape them:
|
||||
# $rootpw = "secr\@t" instead of $rootpw = "secr@t"
|
||||
$rootpw = "n0pass";
|
||||
$LDAPSERVER="scooby";
|
||||
|
||||
##
|
||||
## end local site variables
|
||||
#################################################
|
||||
|
||||
$ldap = Net::LDAP->new($LDAPSERVER) or die "Unable to connect to LDAP server $LDAPSERVER";
|
||||
|
||||
## Bind as $ROOTDN so you can do updates
|
||||
$mesg = $ldap->bind($ROOTDN, password => $rootpw);
|
||||
$mesg->error() if $mesg->code();
|
||||
|
||||
while ( $string = <STDIN> ) {
|
||||
chomp ($string);
|
||||
|
||||
## Get the account info from the smbpasswd file
|
||||
@smbentry = split (/:/, $string);
|
||||
|
||||
## Check for the existence of a system account
|
||||
@getpwinfo = getpwnam($smbentry[0]);
|
||||
if (! @getpwinfo ) {
|
||||
print STDERR "**$smbentry[0] does not have a system account... \n";
|
||||
next;
|
||||
}
|
||||
## Calculate RID = uid*2 +1000
|
||||
$rid=@getpwinfo[2]*2+1000;
|
||||
|
||||
## check and see if account info already exists in LDAP.
|
||||
$result = $ldap->search ( base => "$DN",
|
||||
scope => "sub",
|
||||
filter => "(uid=$smbentry[0])"
|
||||
);
|
||||
|
||||
## If no LDAP entry exists, create one.
|
||||
if ( $result->count == 0 ) {
|
||||
$new_entry = Net::LDAP::Entry->new();
|
||||
$new_entry->add( dn => "uid=$smbentry[0],$DN",
|
||||
uid => $smbentry[0],
|
||||
rid => $rid,
|
||||
lmPassword => $smbentry[2],
|
||||
ntPassword => $smbentry[3],
|
||||
acctFlags => $smbentry[4],
|
||||
cn => $smbentry[0],
|
||||
pwdLastSet => hex(substr($smbentry[5],4)),
|
||||
objectclass => 'sambaAccount' );
|
||||
|
||||
$result = $ldap->add( $new_entry );
|
||||
$result->error() if $result->code();
|
||||
print "Adding [uid=" . $smbentry[0] . "," . $DN . "]\n";
|
||||
|
||||
## Otherwise, supplement/update the existing entry.
|
||||
}
|
||||
elsif ($result->count == 1)
|
||||
{
|
||||
# Put the search results into an entry object
|
||||
$entry = $result->entry(0);
|
||||
|
||||
print "Updating [" . $entry->dn . "]\n";
|
||||
|
||||
## Add the objectclass: sambaAccount attribute if it's not there
|
||||
@values = $entry->get_value( "objectclass" );
|
||||
$flag = 1;
|
||||
foreach $item (@values) {
|
||||
print "$item\n";
|
||||
if ( "$item" eq "sambaAccount" ) {
|
||||
$flag = 0;
|
||||
}
|
||||
}
|
||||
if ( $flag ) {
|
||||
## Adding sambaAccount objectclass requires adding at least rid:
|
||||
## uid attribute already exists we know since we searched on it
|
||||
$entry->add(objectclass => "sambaAccount",
|
||||
rid => $rid );
|
||||
}
|
||||
|
||||
## Set the other attribute values
|
||||
$entry->replace(rid => $rid,
|
||||
lmPassword => $smbentry[2],
|
||||
ntPassword => $smbentry[3],
|
||||
acctFlags => $smbentry[4],
|
||||
pwdLastSet => hex(substr($smbentry[5],4)));
|
||||
|
||||
## Apply changes to the LDAP server
|
||||
$updatemesg = $entry->update($ldap);
|
||||
$updatemesg->error() if $updatemesg->code();
|
||||
|
||||
## If we get here, the LDAP search returned more than one value
|
||||
## which shouldn't happen under normal circumstances.
|
||||
} else {
|
||||
print STDERR "LDAP search returned more than one entry for $smbentry[0]... skipping!\n";
|
||||
next;
|
||||
}
|
||||
}
|
||||
|
||||
$ldap->unbind();
|
||||
exit 0;
|
||||
|
||||
|
@ -1,152 +0,0 @@
|
||||
#!/usr/bin/perl -w
|
||||
|
||||
# LDAP to unix password sync script for samba-tng
|
||||
# originally by Jody Haynes <Jody.Haynes@isunnetworks.com>
|
||||
# 2000/12/12 milos@interactivesi.com
|
||||
# modified for use with MD5 passwords
|
||||
# 2000/12/16 mami@arena.sci.univr.it
|
||||
# modified to change lmpassword and ntpassword for samba
|
||||
# 2001/01/05 mami@arena.sci.univr.it
|
||||
# modified for being also a /bin/passwd replacement
|
||||
# 2001/01/29 mami@arena.sci.univr.it
|
||||
# now there are two small programs: ldapchpasswd to
|
||||
# change password from unix and ldapsync.pl to sync
|
||||
# from NT/2000. ldapchpasswd do not need clear password.
|
||||
# 2001/01/31 mami@arena.sci.univr.it
|
||||
# add server parameter to ldap commands
|
||||
# 2001/06/20 mami@arena.sci.univr.it
|
||||
# add pwdlastset and shadowlastchange update
|
||||
|
||||
$basedn = "ou=Students,dc=univr, dc=it";
|
||||
$binddn = "uid=root,dc=univr,dc=it";
|
||||
$scope = "sub";
|
||||
$server = "my_server";
|
||||
|
||||
foreach $arg (@ARGV) {
|
||||
if ($< != 0) {
|
||||
die "Only root can specify parameters\n";
|
||||
} else {
|
||||
if ( ($arg eq '-?') || ($arg eq '--help') ) {
|
||||
print "Usage: $0 [-o] [username]\n";
|
||||
print " -o, --without-old-password do not ask for old password (root only)\n";
|
||||
print " -?, --help show this help message\n";
|
||||
exit (-1);
|
||||
} elsif ( ($arg eq '-o') || ($arg eq '--without-old-password') ) {
|
||||
$oldpass = 1;
|
||||
} elsif (substr($arg,0) ne '-') {
|
||||
$user = $arg;
|
||||
if (!defined(getpwnam($user))) {
|
||||
die "$0: Unknown user name '$user'\n"; ;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (!defined($user)) {
|
||||
$user=$ENV{"USER"};
|
||||
}
|
||||
|
||||
# current user's dn
|
||||
my $dn = '';
|
||||
|
||||
if ($< == 0) {
|
||||
system "stty -echo";
|
||||
print "LDAP password for root DN: ";
|
||||
chomp($passwd=<STDIN>);
|
||||
print "\n";
|
||||
system "stty echo";
|
||||
# Find dn for user $user binding as root's dn
|
||||
chomp($dn=`ldapsearch -h '$server' -b '$basedn' -s '$scope' -D '$binddn' -w '$passwd' '(uid=$user)'|head -1`);
|
||||
if ( ($dn eq '') || ($passwd eq '') ) {
|
||||
print "Wrong LDAP password for root DN!\n";
|
||||
exit (-1);
|
||||
}
|
||||
} else {
|
||||
if (!defined($oldpass)) {
|
||||
system "stty -echo";
|
||||
print "Old password for user $user: ";
|
||||
chomp($oldpass=<STDIN>);
|
||||
print "\n";
|
||||
system "stty echo";
|
||||
|
||||
# Find path to uid
|
||||
chomp($path_to_uid=`ldapsearch -h '$server' -b '$basedn' -s '$scope' '(uid=$user)'|head -1`);
|
||||
# Find old password for user $user binding as self
|
||||
chomp($dn=`ldapsearch -h '$server' -b '$basedn' -s '$scope' -D '$path_to_uid' -w '$oldpass' '(uid=$user)'|head -1`);
|
||||
|
||||
if ( ($dn eq '') || ($oldpass eq '') ) {
|
||||
print "Wrong password for user $user!\n";
|
||||
exit (-1);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
system "stty -echo";
|
||||
print "New password for user $user: ";
|
||||
chomp($pass=<STDIN>);
|
||||
print "\n";
|
||||
system "stty echo";
|
||||
|
||||
system "stty -echo";
|
||||
print "Retype new password for user $user: ";
|
||||
chomp($pass2=<STDIN>);
|
||||
print "\n";
|
||||
system "stty echo";
|
||||
|
||||
if ( ($pass ne $pass2) || (length($pass)<1) ) {
|
||||
die "Wrong password!\n";
|
||||
} else {
|
||||
# MD5 password
|
||||
$random = join '', ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64, rand 64, rand 64, rand 64, rand 64, rand 64, rand 64];
|
||||
$bsalt = "\$1\$"; $esalt = "\$";
|
||||
$modsalt = $bsalt.$random.$esalt;
|
||||
$password = crypt($pass, $modsalt);
|
||||
|
||||
# LanManager and NT clear text passwords
|
||||
$ntpwd = `/usr/local/sbin/mkntpwd '$pass'`;
|
||||
chomp($lmpassword = substr($ntpwd, 0, index($ntpwd, ':')));
|
||||
chomp($ntpassword = substr($ntpwd, index($ntpwd, ':')+1));
|
||||
|
||||
#$FILE="|/usr/bin/ldapmodify -h '$server' -D '$binddn' -w $passwd";
|
||||
if ($< != 0) {
|
||||
$FILE="|/usr/bin/ldapmodify -h '$server' -D '$dn' -w '$oldpass'";
|
||||
} else {
|
||||
$FILE="|/usr/bin/ldapmodify -h '$server' -D '$binddn' -w '$passwd'";
|
||||
}
|
||||
|
||||
# Chenge time
|
||||
$shadowlastchange=int(time/24/3600);
|
||||
$pwdlastset=sprintf('%x',time);
|
||||
|
||||
open FILE or die;
|
||||
|
||||
print FILE <<EOF;
|
||||
dn: $dn
|
||||
changetype: modify
|
||||
replace: userPassword
|
||||
userPassword: {crypt}$password
|
||||
-
|
||||
changetype: modify
|
||||
replace: lmpassword
|
||||
lmpassword: $lmpassword
|
||||
-
|
||||
changetype: modify
|
||||
replace: ntpassword
|
||||
ntpassword: $ntpassword
|
||||
-
|
||||
changetype: modify
|
||||
replace: shadowlastchange
|
||||
shadowlastchange: $shadowlastchange
|
||||
-
|
||||
changetype: modify
|
||||
replace: pwdlastset
|
||||
pwdlastset: $pwdlastset
|
||||
-
|
||||
|
||||
EOF
|
||||
close FILE;
|
||||
|
||||
}
|
||||
|
||||
exit 0;
|
||||
|
@ -8,6 +8,11 @@
|
||||
# modified to change lmpassword and ntpassword for samba
|
||||
# 05/01/2001 mami@arena.sci.univr.it
|
||||
# modified for being also a /bin/passwd replacement
|
||||
#
|
||||
# ACHTUNG!! For servers that support the LDAP Modify password
|
||||
# extended op (e.g. OpenLDAP), see the "ldap password
|
||||
# sync" option in smb.conf(5).
|
||||
#
|
||||
|
||||
$basedn = "ou=Students,dc=univr, dc=it";
|
||||
$binddn = "uid=root,dc=univr,dc=it";
|
||||
|
Loading…
Reference in New Issue
Block a user