examples/LDAP/ldapchpasswd

   1 #!/usr/bin/perl -w
   2
   3 # LDAP to unix password sync script for samba-tng
   4 # originally by Jody Haynes <Jody.Haynes@isunnetworks.com>
   5 # 2000/12/12    milos@interactivesi.com
   6 #               modified for use with MD5 passwords
   7 # 2000/12/16    mami@arena.sci.univr.it
   8 #               modified to change lmpassword and ntpassword for samba
   9 # 2001/01/05    mami@arena.sci.univr.it
  10 #               modified for being also a /bin/passwd replacement
  11 # 2001/01/29    mami@arena.sci.univr.it
  12 #               now there are two small programs: ldapchpasswd to
  13 #               change password from unix and ldapsync.pl to sync
  14 #               from NT/2000. ldapchpasswd do not need clear password.
  15 # 2001/01/31    mami@arena.sci.univr.it
  16 #               add server parameter to ldap commands
  17 # 2001/06/20    mami@arena.sci.univr.it
  18 #               add pwdlastset and shadowlastchange update
  19
  20 $basedn = "ou=Students,dc=univr, dc=it";
  21 $binddn = "uid=root,dc=univr,dc=it";
  22 $scope = "sub";
  23 $server = "my_server";
  24
  25 foreach $arg (@ARGV) {
  26         if ($< != 0) {
  27                 die "Only root can specify parameters\n";
  28         } else {
  29                 if ( ($arg eq '-?') || ($arg eq '--help') ) {
  30                         print "Usage: $0 [-o] [username]\n";
  31                         print "  -o, --without-old-password     do not ask for old password (root only)\n";
  32                         print "  -?, --help                     show this help message\n";
  33                         exit (-1);
  34                 } elsif ( ($arg eq '-o') || ($arg eq '--without-old-password') ) {
  35                         $oldpass = 1;
  36                 } elsif (substr($arg,0) ne '-')  {
  37                         $user = $arg;
  38                         if (!defined(getpwnam($user))) {
  39                                 die "$0: Unknown user name '$user'\n";  ;
  40                         }
  41                 }
  42         }
  43 }
  44
  45 if (!defined($user)) {
  46         $user=$ENV{"USER"};
  47 }
  48
  49 # current user's dn
  50 my $dn = '';
  51
  52 if ($< == 0) {
  53         system "stty -echo";
  54         print "LDAP password for root DN: ";
  55         chomp($passwd=<STDIN>);
  56         print "\n";
  57         system "stty echo";
  58         # Find dn for user $user binding as root's dn
  59         chomp($dn=`ldapsearch -h '$server' -b '$basedn' -s '$scope' -D '$binddn' -w '$passwd' '(uid=$user)'|head -1`);
  60         if ( ($dn eq '') || ($passwd eq '') ) {
  61                 print "Wrong LDAP password for root DN!\n";
  62                 exit (-1);
  63         }
  64 } else {
  65         if (!defined($oldpass)) {
  66                 system "stty -echo";
  67                 print "Old password for user $user: ";
  68                 chomp($oldpass=<STDIN>);
  69                 print "\n";
  70                 system "stty echo";
  71
  72                 # Find path to uid
  73                 chomp($path_to_uid=`ldapsearch -h '$server' -b '$basedn' -s '$scope' '(uid=$user)'|head -1`);
  74                 # Find old password for user $user binding as self
  75                 chomp($dn=`ldapsearch -h '$server' -b '$basedn' -s '$scope' -D '$path_to_uid' -w '$oldpass' '(uid=$user)'|head -1`);
  76
  77                 if ( ($dn eq '') || ($oldpass eq '') ) {
  78                         print "Wrong password for user $user!\n";
  79                         exit (-1);
  80                 }
  81         }
  82 }
  83
  84 system "stty -echo";
  85 print "New password for user $user: ";
  86 chomp($pass=<STDIN>);
  87 print "\n";
  88 system "stty echo";
  89
  90 system "stty -echo";
  91 print "Retype new password for user $user: ";
  92 chomp($pass2=<STDIN>);
  93 print "\n";
  94 system "stty echo";
  95
  96 if ( ($pass ne $pass2) || (length($pass)<1) ) {
  97         die "Wrong password!\n";
  98 } else {
  99 # MD5 password
 100 $random = join '', ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64, rand 64, rand 64, rand 64, rand 64, rand 64, rand 64];
 101 $bsalt = "\$1\$"; $esalt = "\$";
 102 $modsalt = $bsalt.$random.$esalt;
 103 $password = crypt($pass, $modsalt);
 104
 105 # LanManager and NT clear text passwords
 106 $ntpwd = `/usr/local/sbin/mkntpwd '$pass'`;
 107 chomp($lmpassword = substr($ntpwd, 0, index($ntpwd, ':')));
 108 chomp($ntpassword = substr($ntpwd, index($ntpwd, ':')+1));
 109
 110 #$FILE="|/usr/bin/ldapmodify -h '$server' -D '$binddn' -w $passwd";
 111 if ($< != 0) {
 112         $FILE="|/usr/bin/ldapmodify -h '$server' -D '$dn' -w '$oldpass'";
 113 } else {
 114         $FILE="|/usr/bin/ldapmodify -h '$server' -D '$binddn' -w '$passwd'";
 115 }
 116
 117 # Chenge time
 118 $shadowlastchange=int(time/24/3600);
 119 $pwdlastset=sprintf('%x',time);
 120
 121 open FILE or die;
 122
 123 print FILE <<EOF;
 124 dn: $dn
 125 changetype: modify
 126 replace: userPassword
 127 userPassword: {crypt}$password
 128 -
 129 changetype: modify
 130 replace: lmpassword
 131 lmpassword: $lmpassword
 132 -
 133 changetype: modify
 134 replace: ntpassword
 135 ntpassword: $ntpassword
 136 -
 137 changetype: modify
 138 replace: shadowlastchange
 139 shadowlastchange: $shadowlastchange
 140 -
 141 changetype: modify
 142 replace: pwdlastset
 143 pwdlastset: $pwdlastset
 144 -
 145
 146 EOF
 147 close FILE;
 148
 149 }
 150
 151 exit 0;
 152