From: Frank Brehm Date: Wed, 14 Aug 2019 12:18:56 +0000 (+0200) Subject: Adding bin/check-ldap-passwd X-Git-Tag: 0.4.1~10^2 X-Git-Url: https://git.uhu-banane.de/?a=commitdiff_plain;h=d859a98ed526f60e386fbce5289c299ecd5afcff;p=pixelpark%2Fpp-admin-tools.git Adding bin/check-ldap-passwd --- diff --git a/bin/check-ldap-passwd b/bin/check-ldap-passwd new file mode 100755 index 0000000..384e22a --- /dev/null +++ b/bin/check-ldap-passwd @@ -0,0 +1,187 @@ +#!/bin/bash + +set -u +set -e + +BASE_NAME="$( basename ${0} )" +MY_REAL_NAME=$( readlink -f $0 ) +BIN_DIR=$( dirname "${MY_REAL_NAME}" ) +BASE_DIR=$( dirname "${BIN_DIR}" ) +LIB_DIR="${BASE_DIR}/lib" +CONF_DIR="${BASE_DIR}/etc" + +if [[ -f "${LIB_DIR}/functions.rc" ]] ; then + . "${LIB_DIR}/functions.rc" +else + echo "Bash resource file '${LIB_DIR}/functions.rc' not found" >&2 + exit 5 +fi + +OBJECT_TOKEN= +GIVEN_PASSWD= + +detect_color + +DESCRIPTION=$( cat <<-EOF + Checks the given password of the given user against the password in LDAP. + +EOF +) + +#------------------------------------------------------------------------------ +usage() { + cat <<-EOF + Usage: ${BASE_NAME} [Common Options] [LDAP Options] + ${BASE_NAME} [-h|--help] + ${BASE_NAME} [-V|--version] + + Mandatory Parameter(s): + UID|EMAIL: Either the Uid of the requested object + (Posix name, mostly in the form 'first_name.last_name'), or + the E-Mail address of the account or group to search. + PASSWORD: The password to check against the password inside LDAP. + + LDAP Options: + EOF + + echo "${LDAP_USAGE_MSG}" + echo + echo " Common Options:" + echo "${STD_USAGE_MSG}" + +} + +#------------------------------------------------------------------------------ +get_options() { + + local tmp= + local base_dir= + + set +e + tmp=$( getopt -o ${LDAP_STD_OPTS_SHORT}${STD_SHORT_OPTIONS} \ + --long ${LDAP_STD_OPTS_LONG},${STD_LONG_OPTIONS} \ + -n "${BASE_NAME}" -- "$@" ) + if [[ $? != 0 ]] ; then + echo "" >&2 + usage >&2 + exit 1 + fi + set -e + + # Note the quotes around `$TEMP': they are essential! + eval set -- "${tmp}" + eval_common_options "$@" + if [[ "${DEBUG}" == 'y' ]] ; then + declare -p REMAINING_OPTS + declare -p REMAINING_ARGS + fi + + eval_ldap_options "${REMAINING_OPTS[@]}" "${REMAINING_ARGS[@]}" + + if [[ "${DEBUG}" == 'y' ]] ; then + declare -p REMAINING_OPTS + declare -p REMAINING_ARGS + fi + + debug "Remaining arguments: ${CYAN}${#REMAINING_ARGS[@]}${NORMAL}" + + if [[ "${#REMAINING_OPTS[@]}" -gt 0 ]] ; then + error "Unknown options: ${REMAINING_OPTS[*]}" + echo >&2 + usage >&2 + exit 2 + fi + + if [[ "${#REMAINING_ARGS[@]}" == "0" ]] ; then + error "No Uids or E-Mail addresses given to retrieve." + echo >&2 + usage >&2 + exit 2 + fi + + if [[ "${#REMAINING_ARGS[@]}" != "3" ]] ; then + error "No Password given to check." + echo >&2 + usage >&2 + exit 2 + fi + OBJECT_TOKEN="${REMAINING_ARGS[1]}" + GIVEN_PASSWD="${REMAINING_ARGS[2]}" + + debug "Checking password '${CYAN}${GIVEN_PASSWD}${NORMAL}' of user '${CYAN}${OBJECT_TOKEN}${NORMAL}' ..." + +} + +#------------------------------------------------------------------------------ +main() { + + get_options "$@" + + local oifs="${IFS}" + IFS=" +" + + local cmd= + local filter= + local result= + + local cmd_base="ldapsearch -LLL -o ldif-wrap=no " + cmd_base+="-h \"${LDAP_HOST}\" -p ${LDAP_PORT} -b \"${LDAP_BASE}\" " + cmd_base+="-x -D \"${LDAP_USR}\" -y \"${LDAP_PWD_FILE}\"" + + local filter="(&(|(uid=${OBJECT_TOKEN})(mail=${OBJECT_TOKEN}))(userPassword=*))" + local cmd="${cmd_base} \"${filter}\" userPassword 2>&1 | " + cmd+=" grep -i '^userPassword:' | sed -e 's/^userPassword::[ ][ ]*//'" + debug "Executing: ${cmd}" + result=$( eval ${cmd} ) + debug "ldap_passwd_coded: '${CYAN}${result}${NORMAL}'." + + if [[ -z "${result}" ]] ; then + echo + error "Nutzer mit uid '${RED}${OBJECT_TOKEN}${NORMAL}' nicht gefunden oder hat kein Passwort." >&2 + echo + exit 1 + fi + + local ldap_passwd_value=$( echo "${result}" | base64 -d ) + debug "ldap_passwd_value: '${CYAN}${ldap_passwd_value}${NORMAL}'." + + local ldap_hash_method=$( echo "${ldap_passwd_value}" | \ + sed -e 's/^{//' -e 's/}.*//' | \ + tr '[:upper:]' '[:lower:]' ) + debug "ldap_hash_method: '${CYAN}${ldap_hash_method}${NORMAL}'." + + if [[ "${ldap_hash_method}" != 'crypt' ]] ; then + echo + error "Unbekannte Hash-Methode '${RED}${ldap_hash_method}${NORMAL}'" >&2 + echo + exit 5 + fi + + local ldap_passwd_hash=$( echo "${ldap_passwd_value}" | sed -e 's/^{[^}]*}//' ) + debug "ldap_passwd_hash: '${CYAN}${ldap_passwd_hash}${NORMAL}'." + + local salt=$( echo "${ldap_passwd_hash}" | sed -e 's/^\(..\).*/\1/' ) + debug "salt: '${CYAN}${salt}${NORMAL}'." + + local encr_passwd=$( mkpasswd -m des "${GIVEN_PASSWD}" "${salt}" ) + debug "encr_passwd: '${CYAN}${encr_passwd}${NORMAL}'." + + echo + if [[ "${ldap_passwd_hash}" == "${encr_passwd}" ]] ; then + echo + echo -e "Passwort ist ${GREEN}OKAY${NORMAL}." + echo + else + echo + echo -e "Passwort is ${RED}FALSCH${NORMAL}." >&2 + echo + exit 1 + fi + +} + +main "$@" +exit 0 + +# vim: et list filetype=sh