From: Frank Brehm
Date: Tue, 2 Nov 2021 09:42:39 +0000 (+0100)
Subject: Implementing update of all passwords
X-Git-Url: https://git.uhu-banane.org/?a=commitdiff_plain;h=fb861b39d385ecfd84e59742d193c2fb7e408625;p=pixelpark%2Fldap-migration.git

Implementing update of all passwords
---

diff --git a/after-migration.sh b/after-migration.sh
index 6981982..3afbd69 100755
--- a/after-migration.sh
+++ b/after-migration.sh
@@ -35,13 +35,6 @@ DPX_PEOPLE_SEARCH_BASE="ou=People,o=Pixelpark,o=isp"
 OLD_IMAP_SERVER='mail-brln-store02.pixelpark.com'
 NEW_IMAP_SERVER='dev-imap01.pixelpark.com'
 
-PWD_HASH_FBREHM="{PBKDF2_SHA256}AAAIACeyMif+rcXuIDhZvJLqcfH6ha1+JrZJeoMzkwvOWZg\
-HKmPajIJ81CaumGfut/bW55VSoLNKaNKY/4+Y1M7dmfLGuSiyUP6gJ2pY2NHiIBtl9kwe6H7A8uOEQr\
-OgnfqZQzpwrGfOAH6THaQUJhRoVwKSObD0eGIc2S3ETGvf7dinDK6BHDCPqDYY/KaeEI9MclPhZbwFY\
-up9IVTherAkv9aLoPP8HP4QFxC1yi3Ek2gGBCjvxuMd6cHYWySRtpHvF6b2yjXcMe1uoeHmNWMwqKl8\
-0oE1ZAjFKrts2rFdMwmJvqM3BaPZTra8j03NhqA/Syl2CJ2du2wDfrhjRcAgsLGegV/gF/oti3GSsk9\
-wnhNR1Db4nR5uCe2RCCyd+3guoTWVV6OzgUuYcM8QKhTeDzHPmKjWn+gPXH8VYHNdTMbJ"
-
 LDIF_FILE=
 
 #-------------------------------------------------------------------
@@ -319,54 +312,94 @@ cleanup_tmp_file() { } #------------------------------------------------ -update_passwd_fbrehm() { +update_password() { - empty_line - draw_line + local uid="$1" + local password_hash="$2" + local password_hash_base64="$2" + local dn= + local cn= + local cn_base64= + local value= + local filter= + local cmd= + local old_pwd_hash_base64= + local old_pwd_hash= - local usr='frank.brehm' - info "Changing LDAP password of user '${CYAN}${usr}${NORMAL}' ..." + empty_line - local dn= - local filter="(&(objectClass=*)(|(mail=${usr})(mailAlternateAddress=${usr})" - filter+="(mailEquivalentAddress=${usr})(uid=${usr})))" - local cmd="ldapsearch -x -LLL -o ldif-wrap=no -H '${LDAP_URL}' " + debug "Searching for DN of uid '${CYAN}${uid}${NORMAL}' ..." + filter="(&(objectClass=*)(uid=${uid}))" + cmd="ldapsearch -x -LLL -o ldif-wrap=no -H '${LDAP_URL}' " cmd+="-b \"${DPX_PEOPLE_SEARCH_BASE}\" -x -D \"${LDAP_USR}\" -y \"${LDAP_PWD_FILE}\" " cmd+="\"${filter}\" dn | grep '^dn:' | sed -e 's/^dn:[ ][ ]*//i' | head -n 1" - - debug "Executing: ${cmd}" + # debug "Executing: ${cmd}" dn=$( eval ${cmd} ) + if [[ -z "${dn}" ]] ; then - warn "Did not found user '${YELLOW}${usr}${NORMAL}'." - return + warn "Did not found DN of uid '${YELLOW}${uid}${NORMAL}'." + return 0 + fi + debug "Found DN of '${CYAN}${uid}${NORMAL}': ${CYAN}${dn}${NORMAL}." + + debug "Searching for Common name of uid '${CYAN}${uid}${NORMAL}' ..." + cmd="ldapsearch -x -LLL -o ldif-wrap=no -H '${LDAP_URL}' " + cmd+="-b \"${dn}\" -x -D \"${LDAP_USR}\" -y \"${LDAP_PWD_FILE}\" " + cmd+="\"(objectClass=*)\" cn | grep -i '^cn:' | head -n 1" + # debug "Executing: ${cmd}" + value=$( eval ${cmd} ) + if [[ -n "${value}" ]] ; then + if echo "${value}" | grep -q -i "^cn::" ; then + cn=$( printf "${value}" | sed -e 's/^cn::[ ][ ]*//i' | base64 -d ) + else + cn=$( printf "${value}" | sed -e 's/^cn:[ ][ ]*//i' ) + fi + debug "Found Common name of uid '${CYAN}${uid}${NORMAL}': '${CYAN}${cn}${NORMAL}'." 
+ else + warn "Did not found Common name of uid '${YELLOW}${uid}${NORMAL}'." + cn="${uid}" + fi + + debug "Searching for old password of '${CYAN}${cn}${NORMAL}' ..." + cmd="ldapsearch -x -LLL -o ldif-wrap=no -H '${LDAP_URL}' " + cmd+="-b \"${dn}\" -x -D \"${LDAP_USR}\" -y \"${LDAP_PWD_FILE}\" " + cmd+="\"(objectClass=*)\" userPassword | grep -i '^userPassword:' | head -n 1" + # debug "Executing: ${cmd}" + value=$( eval ${cmd} ) + if [[ -n "${value}" ]] ; then + if echo "${value}" | grep -q -i "^userPassword::" ; then + old_pwd_hash=$( printf "${value}" | sed -e 's/^userPassword::[ ][ ]*//i' | base64 -d ) + else + old_pwd_hash=$( printf "${value}" | sed -e 's/^userPassword:[ ][ ]*//i' ) + fi + debug "Found old password hash '${CYAN}${cn}${NORMAL}': '${CYAN}${old_pwd_hash}${NORMAL}'." + if [[ "${old_pwd_hash}" == "${password_hash}" ]] ; then + info "Password of user '${CYAN}${cn}${NORMAL}' must not be changed." + return 0 + fi + else + debug "User '${CYAN}${cn}${NORMAL}' has currently no password." fi - debug "Found DN for user '${CYAN}${usr}${NORMAL}': ${CYAN}${dn}${NORMAL}'." cat > "${LDIF_FILE}" <<-EOF dn: ${dn} changetype: modify EOF - debug "Searching for existing password of '${CYAN}${usr}${NORMAL}' ..." - cmd="ldapsearch -x -LLL -o ldif-wrap=no -H '${LDAP_URL}' " - cmd+="-b \"${dn}\" -x -D \"${LDAP_USR}\" -y \"${LDAP_PWD_FILE}\" " - cmd+="'(objectClass=*)' userPassword | grep -i '^userPassword:'" - debug "Executing: ${cmd}" - local cur_pwd=$( eval $cmd ) - - if [[ -z "${cur_pwd}" ]] ; then - info "Adding attribute userPassword ..." + if [[ -z "${old_pwd_hash}" ]] ; then + info "Adding userPassword to user '${CYAN}${cn}${NORMAL}' ..." cat >> "${LDIF_FILE}" <<-EOF add: userPassword EOF else - info "Modifying attribute userPassword ..." + info "Modifying userPassword of user '${CYAN}${cn}${NORMAL}' ..." 
cat >> "${LDIF_FILE}" <<-EOF replace: userPassword EOF fi - echo "userPassword: ${PWD_HASH_FBREHM}" >> "${LDIF_FILE}" + password_hash_base64=$( printf "${password_hash}" | base64 -w 0 ) + echo "userPassword:: ${password_hash_base64}" >> "${LDIF_FILE}" echo "-" >> "${LDIF_FILE}" echo '' >> "${LDIF_FILE}" @@ -383,6 +416,7 @@ update_passwd_fbrehm() { fi debug "Done." + } #------------------------------------------------ @@ -447,6 +481,11 @@ update_passwords() { done fi + for uid in "${uids[@]}" ; do + password_hash="${password_hashes[${uid}]}" + update_password "${uid}" "${password_hash}" + done + } #------------------------------------------------ @@ -535,7 +574,6 @@ main() { trap cleanup_tmp_file INT TERM EXIT ABRT - # update_passwd_fbrehm update_passwords # update_all_mailhosts
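Review bot: `update_password` keeps building every ldapsearch call as a string that is run through `eval`, but `uid` is now a caller-supplied parameter that is spliced unescaped into both that shell string and the LDAP filter `(&(objectClass=*)(uid=${uid}))`, so a uid containing a double quote, `$(`, or the RFC 4515 metacharacters `\ * ( )` alters the command or the filter instead of being searched for. The three searches can be plain argument-array invocations with the uid escaped first, and `printf "${value}"` / `printf "${password_hash}"` use the data itself as the printf format string — `printf '%s' "${password_hash}" | base64 -w 0` avoids that. The line `debug "Found old password hash '...': '${old_pwd_hash}'"` also writes the stored hash into the log output; `debug "Found old password hash of '${CYAN}${cn}${NORMAL}'."` records the fact without the credential material. The function's body continues past the end of this hunk.
```shell
update_password() {
    local uid="$1"
    local password_hash="$2"
    local password_hash_base64=
    # … unchanged: remaining local declarations …
    local uid_escaped=
    local -a ldap_args=( -x -LLL -o ldif-wrap=no -H "${LDAP_URL}" -D "${LDAP_USR}" -y "${LDAP_PWD_FILE}" )

    # Escape the RFC 4515 filter metacharacters in the caller-supplied uid and
    # hand everything to ldapsearch as arguments instead of a string fed to eval.
    uid_escaped=${uid//\\/\\5c}
    uid_escaped=${uid_escaped//\*/\\2a}
    uid_escaped=${uid_escaped//\(/\\28}
    uid_escaped=${uid_escaped//\)/\\29}
    filter="(&(objectClass=*)(uid=${uid_escaped}))"
    dn=$( ldapsearch "${ldap_args[@]}" -b "${DPX_PEOPLE_SEARCH_BASE}" "${filter}" dn \
            | grep '^dn:' | sed -e 's/^dn:[ ][ ]*//i' | head -n 1 )
    # … unchanged: DN-not-found check …
    value=$( ldapsearch "${ldap_args[@]}" -b "${dn}" '(objectClass=*)' cn \
            | grep -i '^cn:' | head -n 1 )
    # … unchanged: cn decoding; the userPassword search takes the same array form …
    password_hash_base64=$( printf '%s' "${password_hash}" | base64 -w 0 )
    # … unchanged: LDIF assembly …
```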
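Review bot: The loop variables `uid` and `password_hash` added to `update_passwords` are assigned without `local`, so unless they are declared higher up in the function (its body starts outside this hunk) they become globals that can clobber the same names elsewhere in the script; `local uid= password_hash=` at the top of the function fixes that. Nothing skips a uid that has no entry in `password_hashes`: the empty value is passed straight to `update_password`, which would go on to write an empty `userPassword::` value into the LDIF, and under `set -u` a missing associative key may abort the loop depending on the bash version. A guard such as `[[ -n "${password_hash}" ]] || { warn "No password hash for uid '${uid}'."; continue; }` before the call covers both cases.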