
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
#  USA.

#  Purpose :
#       . ldap-unix passwd sync for SAMBA>2.2.2 + LDAP
#       . may also replace /bin/passwd

# Untaint the environment before anything else: pin PATH and SHELL to known
# values and drop the variables a child shell would honour.  This is also
# what taint mode (-T) needs before system() may be called.
@ENV{qw(PATH SHELL)} = ('/bin:/usr/bin', '/bin/sh');
delete $ENV{$_} for qw(IFS CDPATH ENV BASH_ENV);

use strict;
use FindBin;
use FindBin qw($RealBin);
use lib "$RealBin/";
use smbldap_tools;

use Crypt::SmbHash;
use Digest::MD5 qw(md5);
use Digest::SHA1 qw(sha1);
use MIME::Base64 qw(encode_base64);

# Forward declarations: the hashing helpers are defined further down but are
# called before their definition is reached.
sub make_hash;
sub make_salt;

# Account to operate on; filled in from the command line (root) or from the
# calling uid.
my $user = undef;
# Current UNIX password of a non-root caller, read interactively later.
my $oldpass = undef;

# Loop variable for the option scan.
my $arg;
# Which password stores to update; -s and -u switch one of them off.
my ($update_samba_passwd, $update_unix_passwd) = (1, 1);

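# Command line scan.  Anything starting with '-' is an option; the first bare
# word is the target account (root only) and ends the scan, so later
# arguments are ignored.  Unknown options used to fall through silently,
# which turned a typo such as '-S' into "update both passwords"; they are
# now rejected.
foreach my $arg (@ARGV) {
  if ( substr( $arg, 0, 1 ) eq '-' ) {
    if ( $arg eq '-h' || $arg eq '-?' || $arg eq '--help' ) {
      print_banner();
      print "Usage: $0 [options] [username]\n";
      print "  -h, -?, --help show this help message\n";
      print "  -s             update only samba password\n";
      print "  -u             update only UNIX password\n";
      exit (6);
    } elsif ($arg eq '-s') {
      # samba store only
      $update_samba_passwd= 1; $update_unix_passwd= 0;
    } elsif ($arg eq '-u') {
      # UNIX store only
      $update_samba_passwd= 0; $update_unix_passwd= 1;
    } else {
      die "$0: unknown option '$arg' (try --help)\n";
    }
  } else {
    # Only root (real uid 0) may name another account; everybody else can
    # only change their own password.
    if ( $< != 0 ) {
      die "Only root can specify username\n";
    }
    $user= $arg; last;
  }
}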

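# Without a username on the command line, operate on the calling user.
if (!defined($user)) {
  $user = getpwuid($<);		# $user=$ENV{"USER"};
}

# Untaint $user (and reject anything outside the permitted character set).
# The match result is kept separate from the value so that a username of
# "0" is not mistaken for a failed match, which the former
# `... and $user = $1 or die` chain did.
# [TODO] create proper user mask
{
  my $clean_user = _untaint_username($user);
  die "$0: username '$user' is tainted\n" unless defined $clean_user;
  $user = $clean_user;
}

# Return the untainted copy of a username, or undef when it is undefined or
# contains anything outside: letters, digits, '_', '-', '@', ' ' and '.',
# plus an optional trailing '$' (machine accounts).  Re-assigning from the
# capture is what clears the taint flag under -T.  \A/\z are used rather
# than ^/$ so that a trailing newline is rejected instead of being silently
# dropped from the capture.
sub _untaint_username {
  my ($name) = @_;
  return unless defined $name;
  return $name =~ /\A([-\@\ \w.]+\$?)\z/ ? $1 : undef;
}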


# $dn: directory entry of the account whose password changes;
# $ldap_master: connection handle returned by connect_ldap_master().
my ($dn,$ldap_master);
# First, connecting to the directory.  Two paths: a non-root caller has to
# prove its identity with its current UNIX password and is bound as its own
# entry; root binds as-is (presumably with the configured master
# credentials) and only has to check that the target account exists.
if ($< != 0) {
  # non-root user
  # $oldpass is still undef at this point (nothing in this file assigns it
  # earlier), so the prompt always runs.
  if (!defined($oldpass)) {
    # prompt for password
    print "Identity validation...\nenter your UNIX password: ";
    # Echo is only switched off when STDIN is a terminal.  Note that a
    # failing stty goes unnoticed and nothing re-enables echo if the read
    # below dies.
    system "/bin/stty -echo" if (-t STDIN);
    chomp($oldpass=<STDIN>); 
    system "/bin/stty echo" if (-t STDIN);
    print "\n";

    # Override the master credentials with the caller's own entry before
    # connecting; connect_ldap_master() presumably reads masterDN/masterPw,
    # which is why they are set first.  The username was filtered above to
    # [-@ \w.] plus an optional '$', which excludes the DN metacharacters
    # (',', '=', '+', ';', '\', '"', '<', '>'), so interpolating it here
    # cannot introduce additional RDN components (spaces are still allowed).
    $config{masterDN}="uid=$user,$config{usersdn}";
    $config{masterPw}="$oldpass";
    $ldap_master=connect_ldap_master();
    $dn=$config{masterDN};
    # NOTE(review): on EOF $oldpass is undef and masterPw becomes "".
    # Confirm that connect_ldap_master()/is_user_valid() reject an empty
    # password rather than letting the server treat the bind as
    # unauthenticated (RFC 4513 section 5.1.2).
    if (!is_user_valid($user, $dn, $oldpass)) {
      print "Authentication failure\n";
      exit (10);
    }
  }
} else {
  # root user
  $ldap_master=connect_ldap_master();
  # test existence of user in LDAP
  my $dn_line;
  if (!defined($dn_line = get_user_dn($user))) {
    # Same exit status (10) as an authentication failure above.
    print "$0: user $user doesn't exist\n";
    exit (10);
  }
  $dn = get_dn_from_line($dn_line);
}

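# is_samba_user() (from smbldap_tools) decides whether a samba password can
# be set for this account at all.
my $samba = is_samba_user($user);

# Printing verbose message: tell the caller which password store(s) are
# about to change.
if ( $samba and $update_samba_passwd ) {
  if ( $update_unix_passwd ) {
    print "Changing UNIX and samba passwords for $user\n";
  } else {
    print "Changing samba password for $user\n";
  }
} elsif ( $update_unix_passwd ) {
  print "Changing UNIX password for $user\n";
} else {
  # Only reachable with -s on an account that is_samba_user() rejected: the
  # option scan never clears both flags.  This is a usage error, not the
  # "Internal error" it used to be reported as.
  die "$0: $user is not a samba user, cannot update only the samba password\n";
}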

# prompt for new password


