[debian-edu-commits] r78835 - in branches/wheezy/debian-edu-config: debian etc/gosa share/debian-edu-config/tools

schweer-guest at alioth.debian.org schweer-guest at alioth.debian.org
Tue Jan 22 12:46:07 UTC 2013


Author: schweer-guest
Date: 2013-01-22 12:46:07 +0000 (Tue, 22 Jan 2013)
New Revision: 78835

Modified:
   branches/wheezy/debian-edu-config/debian/changelog
   branches/wheezy/debian-edu-config/etc/gosa/gosa.conf
   branches/wheezy/debian-edu-config/share/debian-edu-config/tools/gosa-sync
Log:
* gosa-sync: Let Kerberos policy password violations be reported in
  GOsa² and prevent setting such an unsynced password in GOsa².  Script
  provided by Andreas B. Mundt (debian-lan project).
* gosa.conf: drop postmodify entry in admin section, obsoleted by gosa-sync.      

Modified: branches/wheezy/debian-edu-config/debian/changelog
===================================================================
--- branches/wheezy/debian-edu-config/debian/changelog	2013-01-22 10:51:42 UTC (rev 78834)
+++ branches/wheezy/debian-edu-config/debian/changelog	2013-01-22 12:46:07 UTC (rev 78835)
@@ -18,6 +18,10 @@
   * FIXME: please confirm networking and gosa seup still actually works.
   * Provide gosa netgroups plugin in (/usr/)share/d-e-c/netgroups and install
     it using update-gosa in target in finish-install.
+  * gosa-sync: Let Kerberos policy password violations be reported in 
+    GOsa² and prevent setting such an unsynced password in GOsa².  Script 
+    provided by Andreas B. Mundt (debian-lan project).
+  * gosa.conf: drop postmodify entry in admin section, obsoleted by gosa-sync.      
 
  -- Wolfgang Schweer <wschweer at arcor.de>  Sun, 20 Jan 2013 18:54:12 +0100
 

Modified: branches/wheezy/debian-edu-config/etc/gosa/gosa.conf
===================================================================
--- branches/wheezy/debian-edu-config/etc/gosa/gosa.conf	2013-01-22 10:51:42 UTC (rev 78834)
+++ branches/wheezy/debian-edu-config/etc/gosa/gosa.conf	2013-01-22 12:46:07 UTC (rev 78835)
@@ -38,8 +38,7 @@
       <!-- This long ACL list is required to exclude the users menu entry when only 
             'viewFaxEntries' permissions are set -->
       <plugin acl="users/netatalk,users/environment,users/posixAccount,users/kolabAccount,users/phpscheduleitAccount,users/oxchangeAccount,users/proxyAccount,users/connectivity,users/pureftpdAccount,users/phpgwAccount,users/opengwAccount,users/pptpAccount,users/intranetAccount,users/webdavAccount,users/nagiosAccount,users/sambaAccount,users/groupware,users/mailAccount,users/user,users/scalixAccount,users/password,users/gofaxAccount,users/phoneAccount,users/Groupware" 
-              class="userManagement" 
-              postmodify="USERPASSWORD=%new_password /usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync %dn" />
+              class="userManagement" />
       <plugin acl="groups" class="groupManagement" />
       <plugin acl="roles" class="roleManagement"/>
       <plugin acl="acl"  class="aclManagement" />

Modified: branches/wheezy/debian-edu-config/share/debian-edu-config/tools/gosa-sync
===================================================================
--- branches/wheezy/debian-edu-config/share/debian-edu-config/tools/gosa-sync	2013-01-22 10:51:42 UTC (rev 78834)
+++ branches/wheezy/debian-edu-config/share/debian-edu-config/tools/gosa-sync	2013-01-22 12:46:07 UTC (rev 78835)
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 set -e
 
@@ -14,38 +14,41 @@
 ## A caller not knowing the correct ldap password cannot change the
 ## principal's one.
 
-RETVAL=0
-
 USERDN="$1"
 USERID=`echo "$USERDN" | sed "s/^uid=\([^,]*\),.*$/\1/"`
 
-# The new user password is in environment, $USERPASSWORD
+## The new user password is in environment, $USERPASSWORD.
+## Check if provided password corresponds to hash saved in ldap database:
 
-## check if provided password corresponds to hash saved in ldap database:
+TMPFILE=$(tempfile)
+trap "rm -f $TMPFILE" ERR SIGHUP SIGINT SIGTERM
 
-TMPFILE=$(tempfile)
 cat <<EOF | tr -d "\n" > "$TMPFILE"
 $USERPASSWORD
 EOF
+
 IAM=`ldapwhoami -x -Z -y "$TMPFILE" -D "$USERDN" 2>/dev/null || true`
 
-# escapes " because kadmin need to use  double quotes
-EUSERPASSWORD="$(cat $TMPFILE | sed -e 's/"/""/g')"
+# Escapes " because kadmin needs to use double quotes:
+EUSERPASSWORD="$(cat $TMPFILE | sed -e 's/\"/\"\"/g')"
 
 if [ "$IAM" = "dn:$USERDN" ] ; then
     cat > "$TMPFILE" <<EOF
 change_password -pw "$EUSERPASSWORD" $USERID
 EOF
-
-    # Grep away change_password -pw call to make sure syslog to not
-    # get a copy of the new password.
-    cat "$TMPFILE" | kadmin.local 2>&1 | grep -v "change_password -pw" | logger -t gosa-sync -p notice
-
-    logger -t gosa-sync -p notice "Kerberos password for '$USERID' changed."
+    RET=$((cat "$TMPFILE" | kadmin.local 1> /dev/null) 2>&1)
+    if [ -z "$RET" ] ; then
+        logger -t gosa-sync -p notice "Sucessfully changed kerberos password for '$USERID'."
+    else
+        logger -t gosa-sync -p warning "$RET"
+        echo "$RET"
+    fi
 else
-    RETVAL=1
-    logger -t gosa-sync -p warning "Could not verify password for '$USERID'. Nothing done."
-fi 
+    RET="Could not verify password for '$USERID'. Nothing done."
+    echo $RET
+    logger -t gosa-sync -p warning "$RET"
+fi
 
 rm "$TMPFILE"
-exit $RETVAL
+
+exit 0
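Review bot: The cleanup trap added after `TMPFILE=$(tempfile)` protects the plaintext password file less than it appears to. On SIGHUP/SIGINT/SIGTERM the handler only deletes the file and does not exit, so the script may carry on and re-create it through the later `cat > "$TMPFILE"` redirection with umask-default permissions; the trap string also expands `$TMPFILE` unquoted at the time it is set. I would replace it with `trap 'rm -f -- "$TMPFILE"' EXIT`, drop the trailing `rm "$TMPFILE"`, and create the file with `mktemp`, since `tempfile` is deprecated in debianutils. In the same hunk, `RET=$((cat "$TMPFILE" | kadmin.local 1> /dev/null) 2>&1)` opens with `$((`, which the shell first tries to read as arithmetic expansion, so `RET=$( (cat "$TMPFILE" | kadmin.local 1> /dev/null) 2>&1)` is the unambiguous form. `$USERID` is still written unquoted into the kadmin.local query, and because the lines above this hunk are not visible I cannot tell whether a uid containing whitespace or quotes is ruled out earlier, so quoting it as is done for the password seems safer.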



