pass-reset-ldap

pass_reset_ldap
#!/bin/ksh
#       Author:         Chad Crider
#       Purpose:        LDAP Reset Tool (to make life easier)
#       Date:           11/03/2009
#       Current Trapped Status codes:
#       16              No Such Attribute
#       19              Constraint violation ( password filter )
#       20:             Value exists
#       32:             Object doesn't exist
#       49              Invalid Credentials
#       50:             Insufficient access
#       NOTE: Currently it requires a couple of binaries and libs in /remote/ldap/app

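# Check to see if there is an argument and act accordingly.
# MODE "d" = default (date-derived) password, "r" = random password (-r).
MODE="d"
if [ -n "$1" ]; then
  case "$1" in
    -r)
      printf '%s\n' "Generating random password..."
      MODE="r"
      ;;
    *)
      # Usage goes to stderr so it is never mixed into captured/logged output.
      printf '\nUsage: \n--\n1) No argument for normal usage\n2) -r for a randomly generated password.\n\n' >&2
      exit 1
      ;;
  esac
fi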

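# Since we are not using TLS do this locally
HOST=$(uname -n)
LDAPSERVER=localhost
PORT=389
LDAPSCMD="/usr/iplanet/ds5/shared/bin/ldapsearch -h $LDAPSERVER -p $PORT"
# NOTE: ADMINID/ADMINPASS are still empty when this line is expanded (adminid
# sets them later), so LDAPSADD never carries usable credentials; nothing in
# this script uses it.
LDAPSADD="/usr/bin/ldapadd -h $LDAPSERVER -p $PORT -D \"uid=$ADMINID,ou=people,dc=gds,o=lilly.com\" -w $ADMINPASS"
export LD_LIBRARY_PATH=/usr/iplanet/ds5/lib:/remote/ldap/app
export PATH=${PATH}:/remote/ldap/app
# This sets the variables to always be lowercase
typeset -l USERID
typeset -l GID
typeset -l NETGROUP
typeset -l SHELL
typeset -l GROUP
typeset -l ADMINID
# Failed-bind counter used by adminid. -i makes it arithmetic; the former
# "typeset integer counter" declared a plain variable named "integer" instead.
typeset -i counter
counter=0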

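#######################################
# FUNCTION GET ADMIN ID
# Prompts for the admin uid and password, then verifies them by binding to
# the directory (a one-level search under dc=gds,o=lilly.com; only the exit
# status is used). Invalid credentials (status 49) are retried up to 3
# times; any other non-zero status aborts the script. On success LDAPSMOD
# is set for the reset functions.
# Globals:  ADMINID, ADMINPASS, LDAPSMOD (written); counter (read/written);
#           LDAPSCMD, LDAPSERVER, PORT (read)
# Returns:  0 once authenticated; exits the script otherwise
#######################################
adminid() {
  while :; do
    printf '%s' "enter your admin user id:                    "
    read -r ADMINID
    printf '%s' "enter your password:                         "
    # Restore terminal echo if the user interrupts the hidden read.
    trap 'stty echo; printf "\n"; exit 130' INT
    stty -echo
    read -r ADMINPASS
    stty echo
    trap - INT
    printf '\n'
    # $LDAPSCMD is deliberately unquoted: it holds the command plus options.
    # Security NOTE: -w places the password on the command line, where other
    # local users can read it via ps while ldapsearch runs.
    $LDAPSCMD -D "uid=$ADMINID,ou=people,dc=gds,o=lilly.com" -w "$ADMINPASS" \
      -b dc=gds,o=lilly.com -s one "objectclass=*" > /dev/null 2>&1
    rc=$?
    if [ "$rc" -eq 0 ]; then
      break
    fi
    if [ "$rc" -ne 49 ]; then
      # Not a credential problem (server unreachable, bad base, ...): do not
      # continue as if authenticated.
      printf '%s\n' "LDAP bind check failed with status $rc" >&2
      exit 1
    fi
    printf '%s\n' "The password for $ADMINID is invalid"
    counter=$((counter + 1))
    printf '%s\n' "$counter"
    if [ "$counter" -ge 3 ]; then
      printf '%s\n' "Three failed attemps...exiting"
      exit 1
    fi
    # Loop for another attempt instead of calling adminid recursively.
  done
  LDAPSMOD="/usr/bin/ldapmodify -h $LDAPSERVER -p $PORT -D uid=$ADMINID,ou=people,dc=gds,o=lilly.com -w $ADMINPASS"
  # echo "$LDAPSMOD"
  printf '%s\n' "You have successfully authenticated"
  sleep 1
}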

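#######################################
# FUNCTION ERROR
# Translates the exit status of the command that ran immediately before this
# call into a message. It must be the very next statement after the
# ldapmodify so that $? still holds its status. Codes follow the header's
# "Current Trapped Status codes" list.
# Globals:  errcode (written; the caller tests it afterwards);
#           NEWPASS (read, printed on success)
#######################################
geterr() {
  errcode=$?
  case "$errcode" in
    0)
      printf '%s\n' "Change was successful"
      printf '%s %s\n' "Password reset to " "$NEWPASS"
      # print "Press and key to reset another user"
      # read junk
      ;;
    16) printf '%s\n' "No such attribute" ;;
    19) printf '%s\n' "Constraint violation on attribute you are changing, perhaps it is already set ?" ;;
    20) printf '%s\n' "Value exists" ;;
    32) printf '%s\n' "No such object exists" ;;
    49) printf '%s\n' "The password is invalid" ;;
    50) printf '%s\n' "You have insufficient rights to make this change" ;;
    *)  printf '%s\n' "ldapmodify failed with status $errcode" >&2 ;;
  esac
}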

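#######################################
# Function to make sure netgroups are good before resetting password
# (from ldap.repair)
# Prints the first field of the user's gecos attribute, then for every
# netgroup whose nisNetgroupTriple lists USERID, deletes and re-adds the
# triple "(,USERID,)" in one ldapmodify run (-c continues past per-entry
# errors).
# Globals:  USERID, ADMINID, ADMINPASS, LDAPSERVER, PORT (read)
# Returns:  ldapmodify's status; 1 if the temp files could not be created
#######################################
ldap_repair() {
  # USER=`id | tr '(' ' ' | tr ')' ' ' | awk '{print $2}'`

  ldapsearch -h "$LDAPSERVER" -p "$PORT" -b ou=people,dc=gds,o=lilly.com -s one "uid=$USERID" gecos \
    | grep gecos | awk -F= '{print $2}' | awk -F, '{print $1}'

  # mktemp replaces the predictable /tmp/ldap.repair.$$ names: in a shared
  # /tmp those could be pre-created or symlinked by another local user, and
  # the old ">>" also accumulated netgroups across users within one run.
  ng_list=$(mktemp /tmp/ldap.repair.XXXXXX) || return 1
  ldif=$(mktemp /tmp/ldap.repair.ldif.XXXXXX) || { rm -f "$ng_list"; return 1; }

  ldapsearch -h "$LDAPSERVER" -p "$PORT" -b ou=netgroup,dc=gds,o=lilly.com -s one \
    "nisNetgroupTriple=(,$USERID,)" | grep "ou=netgroup" | awk -F= '{print $2}' | awk -F, '{print $1}' > "$ng_list"

  # One delete + one add change record per netgroup, blank-line separated.
  while read -r n; do
    {
      printf 'dn: cn=%s,ou=netgroup,dc=gds,o=lilly.com\n' "$n"
      printf 'delete: nisNetgroupTriple\n'
      printf 'nisNetgroupTriple: (,%s,)\n\n' "$USERID"
      printf 'dn: cn=%s,ou=netgroup,dc=gds,o=lilly.com\n' "$n"
      printf 'add: nisNetgroupTriple\n'
      printf 'nisNetgroupTriple: (,%s,)\n\n' "$USERID"
    } >> "$ldif"
  done < "$ng_list"

  # Security NOTE: -w exposes the admin password on the command line (ps).
  /bin/ldapmodify -D "uid=$ADMINID,ou=people,dc=gds,o=lilly.com" -c -f "$ldif" -w "$ADMINPASS"
  rc=$?
  # Clean up here (the old commented-out "rm /tmp/ldap.repair*$$" never ran).
  rm -f "$ng_list" "$ldif"
  return "$rc"
}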

# RUN ADMINID: authenticate the admin (and set LDAPSMOD) before any reset
adminid

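#######################################
# Reset the user's password
# Loops forever: prompts for a uid, replaces its userPassword with either a
# random value (MODE=r) or the default date-derived value, then sets
# passwordExpirationTime to the epoch (already expired) and clears
# passwordExpWarned, presumably so the user has to change it at next login.
# Globals:  USERID, NEWPASS, junk (written); MODE, LDAPSMOD (read);
#           errcode (set by geterr)
#######################################
reset_pass() {
  while true; do
    printf '%s' "Userid to reset: "
    read -r USERID

    # Call ldap_repair before password reset
    # echo "Repairing netgroups..."
    # ldap_repair

    # The uid is spliced into a DN and into LDIF below; refuse anything empty
    # or containing characters that would alter the DN (commas, spaces, ...).
    case "$USERID" in
      "" | *[!A-Za-z0-9._-]*)
        printf '%s\n' "Invalid userid, try again" >&2
        continue
        ;;
    esac

    if [ "$MODE" = "r" ]; then
      # openssl rand instead of dd from /dev/random: dd can return fewer than
      # 6 bytes on a short read, silently producing a shorter password.
      NEWPASS=$(openssl rand -base64 6)
    else
      # Default mode: today's date as ddmonyy (e.g. 03nov09).
      # Security NOTE: anyone who knows the reset date can guess this value;
      # prefer -r unless the default is required.
      NEWPASS=$(date +%d"$(date +%b | tr '[:upper:]' '[:lower:]')"%y)
    fi

    # $LDAPSMOD is deliberately unquoted: it holds the command plus options.
    # geterr must directly follow the pipeline so $? is ldapmodify's status.
    printf 'dn: uid=%s,ou=people,dc=gds,o=lilly.com\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' \
      "$USERID" "$NEWPASS" | $LDAPSMOD
    geterr
    if [ "$errcode" -ne 0 ]; then
      printf '%s\n' "Password not changed due to above error"
      # If error, go back to the prompt for a new userid (the former recursive
      # reset_pass call nested a fresh loop on every error).
      continue
    fi
    sleep 1
    printf 'dn: uid=%s,ou=people,dc=gds,o=lilly.com\nchangetype: modify\nreplace: passwordExpirationTime\npasswordExpirationTime: 19700101000000Z\n-\nreplace: passwordExpWarned\npasswordExpWarned: 0\n' \
      "$USERID" | $LDAPSMOD \
      || printf '%s\n' "Warning: could not reset the expiration flags (status $?)" >&2
    printf '%s\n' "Press and key to reset another user"
    read -r junk
    clear
  done
}
reset_pass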