--- /dev/null
+#!/bin/bash
+
+set -u
+set -e
+
+BASE_NAME="$( basename ${0} )"
+MY_REAL_NAME=$( readlink -f $0 )
+BIN_DIR=$( dirname "${MY_REAL_NAME}" )
+BASE_DIR=$( dirname "${BIN_DIR}" )
+LIB_DIR="${BASE_DIR}/lib"
+CONF_DIR="${BASE_DIR}/etc"
+
+if [[ -f "${LIB_DIR}/functions.rc" ]] ; then
+ . "${LIB_DIR}/functions.rc"
+else
+ echo "Bash resource file '${LIB_DIR}/functions.rc' not found" >&2
+ exit 5
+fi
+
+OBJECT_TOKEN=
+GIVEN_PASSWD=
+
+detect_color
+
+DESCRIPTION=$( cat <<-EOF
+ Checks the given password of the given user against the password in LDAP.
+
+EOF
+)
+
+#------------------------------------------------------------------------------
+usage() {
+ cat <<-EOF
+ Usage: ${BASE_NAME} [Common Options] [LDAP Options] <UID|EMAIL> <PASSWORD>
+ ${BASE_NAME} [-h|--help]
+ ${BASE_NAME} [-V|--version]
+
+ Mandatory Parameter(s):
+ UID|EMAIL: Either the Uid of the requested object
+ (Posix name, mostly in the form 'first_name.last_name'), or
+ the E-Mail address of the account or group to search.
+ PASSWORD: The password to check against the password inside LDAP.
+
+ LDAP Options:
+ EOF
+
+ echo "${LDAP_USAGE_MSG}"
+ echo
+ echo " Common Options:"
+ echo "${STD_USAGE_MSG}"
+
+}
+
+#------------------------------------------------------------------------------
+get_options() {
+
+ local tmp=
+ local base_dir=
+
+ set +e
+ tmp=$( getopt -o ${LDAP_STD_OPTS_SHORT}${STD_SHORT_OPTIONS} \
+ --long ${LDAP_STD_OPTS_LONG},${STD_LONG_OPTIONS} \
+ -n "${BASE_NAME}" -- "$@" )
+ if [[ $? != 0 ]] ; then
+ echo "" >&2
+ usage >&2
+ exit 1
+ fi
+ set -e
+
+ # Note the quotes around `$TEMP': they are essential!
+ eval set -- "${tmp}"
+ eval_common_options "$@"
+ if [[ "${DEBUG}" == 'y' ]] ; then
+ declare -p REMAINING_OPTS
+ declare -p REMAINING_ARGS
+ fi
+
+ eval_ldap_options "${REMAINING_OPTS[@]}" "${REMAINING_ARGS[@]}"
+
+ if [[ "${DEBUG}" == 'y' ]] ; then
+ declare -p REMAINING_OPTS
+ declare -p REMAINING_ARGS
+ fi
+
+ debug "Remaining arguments: ${CYAN}${#REMAINING_ARGS[@]}${NORMAL}"
+
+ if [[ "${#REMAINING_OPTS[@]}" -gt 0 ]] ; then
+ error "Unknown options: ${REMAINING_OPTS[*]}"
+ echo >&2
+ usage >&2
+ exit 2
+ fi
+
+ if [[ "${#REMAINING_ARGS[@]}" == "0" ]] ; then
+ error "No Uids or E-Mail addresses given to retrieve."
+ echo >&2
+ usage >&2
+ exit 2
+ fi
+
+ if [[ "${#REMAINING_ARGS[@]}" != "3" ]] ; then
+ error "No Password given to check."
+ echo >&2
+ usage >&2
+ exit 2
+ fi
+ OBJECT_TOKEN="${REMAINING_ARGS[1]}"
+ GIVEN_PASSWD="${REMAINING_ARGS[2]}"
+
+ debug "Checking password '${CYAN}${GIVEN_PASSWD}${NORMAL}' of user '${CYAN}${OBJECT_TOKEN}${NORMAL}' ..."
+
+}
+
+#------------------------------------------------------------------------------
+main() {
+
+ get_options "$@"
+
+ local oifs="${IFS}"
+ IFS="
+"
+
+ local cmd=
+ local filter=
+ local result=
+
+ local cmd_base="ldapsearch -LLL -o ldif-wrap=no "
+ cmd_base+="-h \"${LDAP_HOST}\" -p ${LDAP_PORT} -b \"${LDAP_BASE}\" "
+ cmd_base+="-x -D \"${LDAP_USR}\" -y \"${LDAP_PWD_FILE}\""
+
+ local filter="(&(|(uid=${OBJECT_TOKEN})(mail=${OBJECT_TOKEN}))(userPassword=*))"
+ local cmd="${cmd_base} \"${filter}\" userPassword 2>&1 | "
+ cmd+=" grep -i '^userPassword:' | sed -e 's/^userPassword::[ ][ ]*//'"
+ debug "Executing: ${cmd}"
+ result=$( eval ${cmd} )
+ debug "ldap_passwd_coded: '${CYAN}${result}${NORMAL}'."
+
+ if [[ -z "${result}" ]] ; then
+ echo
+ error "Nutzer mit uid '${RED}${OBJECT_TOKEN}${NORMAL}' nicht gefunden oder hat kein Passwort." >&2
+ echo
+ exit 1
+ fi
+
+ local ldap_passwd_value=$( echo "${result}" | base64 -d )
+ debug "ldap_passwd_value: '${CYAN}${ldap_passwd_value}${NORMAL}'."
+
+ local ldap_hash_method=$( echo "${ldap_passwd_value}" | \
+ sed -e 's/^{//' -e 's/}.*//' | \
+ tr '[:upper:]' '[:lower:]' )
+ debug "ldap_hash_method: '${CYAN}${ldap_hash_method}${NORMAL}'."
+
+ if [[ "${ldap_hash_method}" != 'crypt' ]] ; then
+ echo
+ error "Unbekannte Hash-Methode '${RED}${ldap_hash_method}${NORMAL}'" >&2
+ echo
+ exit 5
+ fi
+
+ local ldap_passwd_hash=$( echo "${ldap_passwd_value}" | sed -e 's/^{[^}]*}//' )
+ debug "ldap_passwd_hash: '${CYAN}${ldap_passwd_hash}${NORMAL}'."
+
+ local salt=$( echo "${ldap_passwd_hash}" | sed -e 's/^\(..\).*/\1/' )
+ debug "salt: '${CYAN}${salt}${NORMAL}'."
+
+ local encr_passwd=$( mkpasswd -m des "${GIVEN_PASSWD}" "${salt}" )
+ debug "encr_passwd: '${CYAN}${encr_passwd}${NORMAL}'."
+
+ echo
+ if [[ "${ldap_passwd_hash}" == "${encr_passwd}" ]] ; then
+ echo
+ echo -e "Passwort ist ${GREEN}OKAY${NORMAL}."
+ echo
+ else
+ echo
+ echo -e "Passwort is ${RED}FALSCH${NORMAL}." >&2
+ echo
+ exit 1
+ fi
+
+}
+
+main "$@"
+exit 0
+
+# vim: et list filetype=sh
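Review bot: The `eval ${cmd}` in `main()` runs a command string into which the user-supplied `OBJECT_TOKEN` is interpolated unescaped (the `filter` line and the `cmd` lines just before it), so a first argument containing `"`, `;`, `$(`…`)` or backticks is executed by the shell, and even without shell metacharacters a token such as `*)(uid=*` rewrites the LDAP filter because `(`, `)`, `*` and `\` are never escaped per RFC 4515. Build the `ldapsearch` invocation as an array and pass the filter as one argument, escaping the filter metacharacters first, so neither the shell nor the LDAP parser sees attacker-controlled syntax; the `printf '%q'` form keeps the existing debug trace. Separately, the password is taken from argv (visible in `ps` and shell history), printed in clear by the `debug` call at the end of `get_options`, and handed to `mkpasswd` on its argv again — reading it with `read -rs` when the second positional is absent, and dropping it from the debug output, would close that leak. Note also that `mkpasswd -m des` with a two-character salt only reproduces traditional DES crypt, so a `{CRYPT}` value of the `$1$`/`$5$`/`$6$` form will always be reported as FALSCH rather than "unsupported".
```shell
  # … unchanged: get_options, IFS handling, local declarations …
  # Escape RFC 4515 filter metacharacters so the token cannot alter the filter structure.
  local token_esc
  token_esc=$( printf '%s' "${OBJECT_TOKEN}" \
    | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g' )
  local filter="(&(|(uid=${token_esc})(mail=${token_esc}))(userPassword=*))"

  # Array form: every value is one argv element, nothing is re-parsed by the shell.
  local -a ldap_cmd=( ldapsearch -LLL -o ldif-wrap=no
    -h "${LDAP_HOST}" -p "${LDAP_PORT}" -b "${LDAP_BASE}"
    -x -D "${LDAP_USR}" -y "${LDAP_PWD_FILE}"
    "${filter}" userPassword )
  debug "Executing: $( printf '%q ' "${ldap_cmd[@]}" )"
  result=$( "${ldap_cmd[@]}" 2>&1 | grep -i '^userPassword:' | sed -e 's/^userPassword::[ ][ ]*//' )
  # … unchanged: base64 decode, hash-method check, salt extraction and comparison …
```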