[debian-edu-commits] r78835 - in branches/wheezy/debian-edu-config: debian etc/gosa share/debian-edu-config/tools
schweer-guest at alioth.debian.org
schweer-guest at alioth.debian.org
Tue Jan 22 12:46:07 UTC 2013
Author: schweer-guest
Date: 2013-01-22 12:46:07 +0000 (Tue, 22 Jan 2013)
New Revision: 78835
Modified:
branches/wheezy/debian-edu-config/debian/changelog
branches/wheezy/debian-edu-config/etc/gosa/gosa.conf
branches/wheezy/debian-edu-config/share/debian-edu-config/tools/gosa-sync
Log:
* gosa-sync: Let Kerberos policy password violations be reported in
GOsa² and prevent setting such an unsynced password in GOsa². Script
provided by Andreas B. Mundt (debian-lan project).
* gosa.conf: drop postmodify entry in admin section, obsoleted by gosa-sync.
Modified: branches/wheezy/debian-edu-config/debian/changelog
===================================================================
--- branches/wheezy/debian-edu-config/debian/changelog 2013-01-22 10:51:42 UTC (rev 78834)
+++ branches/wheezy/debian-edu-config/debian/changelog 2013-01-22 12:46:07 UTC (rev 78835)
@@ -18,6 +18,10 @@
* FIXME: please confirm networking and gosa seup still actually works.
* Provide gosa netgroups plugin in (/usr/)share/d-e-c/netgroups and install
it using update-gosa in target in finish-install.
+ * gosa-sync: Let Kerberos policy password violations be reported in
+ GOsa² and prevent setting such an unsynced password in GOsa². Script
+ provided by Andreas B. Mundt (debian-lan project).
+ * gosa.conf: drop postmodify entry in admin section, obsoleted by gosa-sync.
-- Wolfgang Schweer <wschweer at arcor.de> Sun, 20 Jan 2013 18:54:12 +0100
Modified: branches/wheezy/debian-edu-config/etc/gosa/gosa.conf
===================================================================
--- branches/wheezy/debian-edu-config/etc/gosa/gosa.conf 2013-01-22 10:51:42 UTC (rev 78834)
+++ branches/wheezy/debian-edu-config/etc/gosa/gosa.conf 2013-01-22 12:46:07 UTC (rev 78835)
@@ -38,8 +38,7 @@
<!-- This long ACL list is required to exclude the users menu entry when only
'viewFaxEntries' permissions are set -->
<plugin acl="users/netatalk,users/environment,users/posixAccount,users/kolabAccount,users/phpscheduleitAccount,users/oxchangeAccount,users/proxyAccount,users/connectivity,users/pureftpdAccount,users/phpgwAccount,users/opengwAccount,users/pptpAccount,users/intranetAccount,users/webdavAccount,users/nagiosAccount,users/sambaAccount,users/groupware,users/mailAccount,users/user,users/scalixAccount,users/password,users/gofaxAccount,users/phoneAccount,users/Groupware"
- class="userManagement"
- postmodify="USERPASSWORD=%new_password /usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync %dn" />
+ class="userManagement" />
<plugin acl="groups" class="groupManagement" />
<plugin acl="roles" class="roleManagement"/>
<plugin acl="acl" class="aclManagement" />
Modified: branches/wheezy/debian-edu-config/share/debian-edu-config/tools/gosa-sync
===================================================================
--- branches/wheezy/debian-edu-config/share/debian-edu-config/tools/gosa-sync 2013-01-22 10:51:42 UTC (rev 78834)
+++ branches/wheezy/debian-edu-config/share/debian-edu-config/tools/gosa-sync 2013-01-22 12:46:07 UTC (rev 78835)
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
set -e
@@ -14,38 +14,41 @@
## A caller not knowing the correct ldap password cannot change the
## principal's one.
-RETVAL=0
-
USERDN="$1"
USERID=`echo "$USERDN" | sed "s/^uid=\([^,]*\),.*$/\1/"`
-# The new user password is in environment, $USERPASSWORD
+## The new user password is in environment, $USERPASSWORD.
+## Check if provided password corresponds to hash saved in ldap database:
-## check if provided password corresponds to hash saved in ldap database:
+TMPFILE=$(tempfile)
+trap "rm -f $TMPFILE" ERR SIGHUP SIGINT SIGTERM
-TMPFILE=$(tempfile)
cat <<EOF | tr -d "\n" > "$TMPFILE"
$USERPASSWORD
EOF
+
IAM=`ldapwhoami -x -Z -y "$TMPFILE" -D "$USERDN" 2>/dev/null || true`
-# escapes " because kadmin need to use double quotes
-EUSERPASSWORD="$(cat $TMPFILE | sed -e 's/"/""/g')"
+# Escapes " because kadmin needs to use double quotes:
+EUSERPASSWORD="$(cat $TMPFILE | sed -e 's/\"/\"\"/g')"
if [ "$IAM" = "dn:$USERDN" ] ; then
cat > "$TMPFILE" <<EOF
change_password -pw "$EUSERPASSWORD" $USERID
EOF
-
- # Grep away change_password -pw call to make sure syslog to not
- # get a copy of the new password.
- cat "$TMPFILE" | kadmin.local 2>&1 | grep -v "change_password -pw" | logger -t gosa-sync -p notice
-
- logger -t gosa-sync -p notice "Kerberos password for '$USERID' changed."
+ RET=$((cat "$TMPFILE" | kadmin.local 1> /dev/null) 2>&1)
+ if [ -z "$RET" ] ; then
+ logger -t gosa-sync -p notice "Sucessfully changed kerberos password for '$USERID'."
+ else
+ logger -t gosa-sync -p warning "$RET"
+ echo "$RET"
+ fi
else
- RETVAL=1
- logger -t gosa-sync -p warning "Could not verify password for '$USERID'. Nothing done."
-fi
+ RET="Could not verify password for '$USERID'. Nothing done."
+ echo $RET
+ logger -t gosa-sync -p warning "$RET"
+fi
rm "$TMPFILE"
-exit $RETVAL
+
+exit 0
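Review bot: The temp file holding the cleartext password is removed only on `ERR` and three signals, and the handler string expands `$TMPFILE` unquoted at the moment the trap is set. The signal handlers also do not exit, so after e.g. SIGINT the script carries on and `cat > "$TMPFILE"` could recreate the file with umask-default permissions. A single `trap 'rm -f -- "$TMPFILE"' EXIT` covers every exit path in bash and makes the trailing `rm "$TMPFILE"` redundant. Separately, the removed `grep -v "change_password -pw"` was there to keep the new password out of syslog, whereas `$RET` now passes all of kadmin.local's stderr unfiltered to `logger` and to the caller; whether that stream can ever repeat the command line is not visible here, so confirm it or keep the filter. Because the script now always ends with `exit 0`, a header comment such as `## Failure is signalled by non-empty stdout; exit status is always 0.` would make the contract explicit.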