3 # LDAP to unix password sync script for samba
5 # This code was developed by IDEALX (http://IDEALX.org/) and
6 # contributors (their names can be found in the CONTRIBUTORS file).
8 # Copyright (C) 2001-2002 IDEALX
10 # This program is free software; you can redistribute it and/or
11 # modify it under the terms of the GNU General Public License
12 # as published by the Free Software Foundation; either version 2
13 # of the License, or (at your option) any later version.
15 # This program is distributed in the hope that it will be useful,
16 # but WITHOUT ANY WARRANTY; without even the implied warranty of
17 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 # GNU General Public License for more details.
20 # You should have received a copy of the GNU General Public License
21 # along with this program; if not, write to the Free Software
22 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
26 # . ldap-unix passwd sync for SAMBA>2.2.2 + LDAP
27 # . may also replace /bin/passwd
31 use FindBin
qw($RealBin);
# NOTE(review): this excerpt is discontinuous (the source line numbers jump),
# so closing braces, exit calls and the definitions of get_user_dn,
# get_dn_from_line, is_samba_user, is_user_valid, connect_ldap_master and the
# configuration scalars ($with_smbpasswd, $mk_ntpasswd, $smbpasswd,
# $hash_encrypt, $date, $_defaultMaxPasswordAge) are not visible here.
42 foreach $arg (@ARGV) {
# The condition guarding this die is on an omitted line; presumably a check
# that the invoking uid is root — confirm.
44 die "Only root can specify parameters\n";
46 if ( ($arg eq '-?') || ($arg eq '--help') ) {
47 print "Usage: $0 [username]\n";
48 print " -?, --help show this help message\n";
# NOTE(review): substr($arg,0) is the whole argument, so this branch is taken
# for every argument that is not exactly "-"; substr($arg,0,1) was probably
# intended to detect a leading dash.
50 } elsif (substr($arg,0) ne '-') {
# No username on the command line: the fallback (presumably the invoking
# user's own name) is on omitted lines — confirm.
57 if (!defined($user)) {
61 # test existence of user in LDAP
63 if (!defined($dn_line = get_user_dn($user))) {
64 print "$0: user $user doesn't exist\n";
68 my $dn = get_dn_from_line($dn_line);
70 my $samba = is_samba_user($user);
72 print "Changing password for $user\n";
# $oldpass may already be defined by an omitted line (the POD says root skips
# the old-password check) — confirm; otherwise it is prompted for here.
75 if (!defined($oldpass)) {
76 # prompt for current password
# NOTE(review): no terminal-echo suppression is visible in this excerpt for
# any of the three password prompts; confirm it is handled on omitted lines.
78 print "(current) UNIX password: ";
79 chomp($oldpass=<STDIN>);
# The old password is verified by binding to the directory as $dn (per the
# POD); the failure path continues on omitted lines.
83 if (!is_user_valid($user, $dn, $oldpass)) {
84 print "Authentication failure\n";
89 # prompt for new password
95 print "New password : ";
101 print "Retype new password : ";
102 chomp($pass2=<STDIN>);
106 if ($pass ne $pass2) {
107 print "New passwords don't match!\n";
111 # First, connecting to the directory
112 my $ldap_master=connect_ldap_master();
114 # only modify smb passwords if smb user
# With $with_smbpasswd unset the NT/LM hashes are produced by the external
# $mk_ntpasswd helper and written to LDAP directly; otherwise (omitted lines
# around source lines 144-155) the change is delegated to smbpasswd.
116 if (!$with_smbpasswd) {
117 # generate LanManager and NT clear text passwords
118 if ($mk_ntpasswd eq '') {
119 print "Either set \$with_smbpasswd = 1 or specify \$mk_ntpasswd\n";
# NOTE(review): the clear-text password is interpolated into a shell command
# line: shell metacharacters in $pass are not escaped, and the password is
# visible in the process list while the helper runs. A list-form
# open(my $fh, '-|', $mk_ntpasswd, $pass) removes the shell; feeding the
# password on stdin (if the helper supports it) removes the process-list
# exposure. The slappasswd call further down has the same shape.
122 my $ntpwd = `$mk_ntpasswd '$pass'`;
# Helper output is split at the first colon: "LM:NT" — TODO confirm format.
123 chomp(my $sambaLMPassword = substr($ntpwd, 0, index($ntpwd, ':')));
124 chomp(my $sambaNTPassword = substr($ntpwd, index($ntpwd, ':')+1));
125 # sambaPwdLastSet must be updated as well ($date is set on an omitted line)
128 push(@mods, 'sambaLMPassword' => $sambaLMPassword);
129 push(@mods, 'sambaNTPassword' => $sambaNTPassword);
130 push(@mods, 'sambaPwdLastSet' => $date);
131 if (defined $_defaultMaxPasswordAge) {
# *24*60*60 converts a value presumably expressed in days into seconds.
132 my $new_sambaPwdMustChange=$date+$_defaultMaxPasswordAge*24*60*60;
133 push(@mods, 'sambaPwdMustChange' => $new_sambaPwdMustChange);
# NOTE(review): this replaces sambaAcctFlags wholesale with '[U]', so any
# other flag the account carried is dropped — confirm that is intended.
134 push(@mods, 'sambaAcctFlags' => '[U]');
136 # Let's change nt/lm passwords
137 my $modify = $ldap_master->modify ( "$dn",
138 'replace' => { @mods }
# NOTE(review): a failed modify only warns; nothing visible here turns it
# into a non-zero exit status — confirm callers do not rely on $?.
140 $modify->code && warn "failed to modify entry: ", $modify->error ;
# NOTE(review): two-argument open on a global bareword handle with the
# command built by interpolation; at source line 154 $user (from @ARGV) is
# interpolated unescaped too. The list form
# open(my $fh, '|-', $smbpasswd, '-s') avoids the shell entirely.
144 my $FILE="|$smbpasswd -s >/dev/null";
145 open (FILE, $FILE) || die "$!\n";
154 my $FILE="|$smbpasswd $user -s >/dev/null";
155 open (FILE
, $FILE) || die "$!\n";
166 # change unix password
# $hash_encrypt is interpolated inside literal braces, giving slappasswd's
# "{SCHEME}" argument; see the shell-interpolation note at source line 122.
167 my $hash_password = `slappasswd -h {$hash_encrypt} -s '$pass'`;
168 chomp($hash_password);
169 my $modify = $ldap_master->modify ( "$dn",
171 replace
=> [userPassword
=> "$hash_password"]
# Same warn-only failure handling as the Samba modify above.
174 $modify->code && warn "Unable to change password : ", $modify->error ;
177 $ldap_master->unbind;
186 smbldap-passwd.pl - change user password
190 smbldap-passwd.pl [name]
194 smbldap-passwd.pl changes passwords for user accounts. A normal user
195 may only change the password for their own account, the super user may
196 change the password for any account.
199 The user is first prompted for their old password, if one is present.
200 This password is then tested against the stored password by binding
201 to the server. The user has only one chance to enter the correct
202 password. The super user is permitted to bypass this step so that
203 forgotten passwords may be changed.
205 The user is then prompted for a replacement password. As a general
206 guideline, passwords should consist of 6 to 8 characters including
207 one or more from each of the following sets:
209 Lower case alphabetics
211 Upper case alphabetics
217 passwd will prompt again and compare the second entry against the first.
218 Both entries are required to match in order for the password to be