ldapchpasswd   [plain text]

#!/usr/bin/perl -w

# LDAP to unix password sync script for samba-tng
# originally by Jody Haynes <Jody.Haynes@isunnetworks.com>
# 2000/12/12    milos@interactivesi.com
#               modified for use with MD5 passwords
# 2000/12/16	mami@arena.sci.univr.it
#		modified to change lmpassword and ntpassword for samba
# 2001/01/05	mami@arena.sci.univr.it
#		modified for being also a /bin/passwd replacement
# 2001/01/29	mami@arena.sci.univr.it
#		now there are two small programs: ldapchpasswd to
#		change password from unix and ldapsync.pl to sync
#		from NT/2000. ldapchpasswd do not need clear password.
# 2001/01/31	mami@arena.sci.univr.it
#		add server parameter to ldap commands
# 2001/06/20	mami@arena.sci.univr.it
#		add pwdlastset and shadowlastchange update

$basedn = "ou=Students,dc=univr, dc=it";
$binddn = "uid=root,dc=univr,dc=it";
$scope = "sub";
$server = "my_server";

foreach $arg (@ARGV) {
	if ($< != 0) {
		die "Only root can specify parameters\n";
	} else {
		if ( ($arg eq '-?') || ($arg eq '--help') ) {
			print "Usage: $0 [-o] [username]\n";
			print "  -o, --without-old-password	do not ask for old password (root only)\n";
			print "  -?, --help			show this help message\n";
			exit (-1);
		} elsif ( ($arg eq '-o') || ($arg eq '--without-old-password') ) {
			$oldpass = 1;
		} elsif (substr($arg,0) ne '-')  {
			$user = $arg;
			if (!defined(getpwnam($user))) {
				die "$0: Unknown user name '$user'\n";	;
			}
		}
	}
}

if (!defined($user)) {
	$user=$ENV{"USER"};
}

# current user's dn
my $dn = '';

if ($< == 0) {
	system "stty -echo";
	print "LDAP password for root DN: ";
	chomp($passwd=<STDIN>);
	print "\n";
	system "stty echo";
	# Find dn for user $user binding as root's dn
	chomp($dn=`ldapsearch -h '$server' -b '$basedn' -s '$scope' -D '$binddn' -w '$passwd' '(uid=$user)'|head -1`);
	if ( ($dn eq '') || ($passwd eq '') ) {
		print "Wrong LDAP password for root DN!\n";
		exit (-1);
	}
} else {
	if (!defined($oldpass)) {
		system "stty -echo";
		print "Old password for user $user: ";
		chomp($oldpass=<STDIN>);
		print "\n";
		system "stty echo";

		# Find path to uid
		chomp($path_to_uid=`ldapsearch -h '$server' -b '$basedn' -s '$scope' '(uid=$user)'|head -1`);
		# Find old password for user $user binding as self
		chomp($dn=`ldapsearch -h '$server' -b '$basedn' -s '$scope' -D '$path_to_uid' -w '$oldpass' '(uid=$user)'|head -1`);

		if ( ($dn eq '') || ($oldpass eq '') ) {
			print "Wrong password for user $user!\n";
			exit (-1);
		}
	} 
}

system "stty -echo";
print "New password for user $user: ";
chomp($pass=<STDIN>);
print "\n";
system "stty echo";

system "stty -echo";
print "Retype new password for user $user: ";
chomp($pass2=<STDIN>);
print "\n";
system "stty echo";

if ( ($pass ne $pass2) || (length($pass)<1) ) {
	die "Wrong password!\n";
} else {
# MD5 password
$random = join '', ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64, rand 64, rand 64, rand 64, rand 64, rand 64, rand 64];
$bsalt = "\$1\$"; $esalt = "\$";
$modsalt = $bsalt.$random.$esalt;
$password = crypt($pass, $modsalt);

# LanManager and NT clear text passwords
$ntpwd = `/usr/local/sbin/mkntpwd '$pass'`;
chomp($lmpassword = substr($ntpwd, 0, index($ntpwd, ':')));
chomp($ntpassword = substr($ntpwd, index($ntpwd, ':')+1));

#$FILE="|/usr/bin/ldapmodify -h '$server' -D '$binddn' -w $passwd";
if ($< != 0) {
        $FILE="|/usr/bin/ldapmodify -h '$server' -D '$dn' -w '$oldpass'";
} else {
        $FILE="|/usr/bin/ldapmodify -h '$server' -D '$binddn' -w '$passwd'";
}

# Chenge time
$shadowlastchange=int(time/24/3600);
$pwdlastset=sprintf('%x',time);

open FILE or die;

print FILE <<EOF;
dn: $dn
changetype: modify
replace: userPassword
userPassword: {crypt}$password
-
changetype: modify
replace: lmpassword
lmpassword: $lmpassword
-
changetype: modify
replace: ntpassword
ntpassword: $ntpassword
-
changetype: modify
replace: shadowlastchange
shadowlastchange: $shadowlastchange
-
changetype: modify
replace: pwdlastset
pwdlastset: $pwdlastset
-

EOF
close FILE;

}

exit 0;