ldap/gosa postcreation and kerberos password synchronization
[first, congrats to the gosa-guys for their latest release ;-)]
I am currently thinking about how to handle the post-creation,
post-password-change and related stuff properly.
So far, I use the draft-script attached below which is run by the gosa
postcreation hook (www-data added to sudoers file) to handle all needs:
1.: A (posix) user is created in gosa: The script called as
/usr/bin/sudo /usr/sbin/gosa-pp %uid
creates the home directory and the corresponding principal with a random
password. This works fine.
2.: Now, the password for the new user is entered in gosa. I figured
out that the passwordHook="/usr/bin/sudo /usr/sbin/gosa-pp" is
called with just the password as argument. Unfortunately there is
no uid attached, so I do not know how to set the attached password
for the user just(?) created. (Currently, the script tries to
create a homedir for a user with uid=password, so this has to be
3.: Assume the user changes his password in gosa now. In this case
gosa-pp is called as:
gosa-pp uid oldpw newpw
As you see below, with root's almighty power the new password is
enforced, but there is no check whether the old password is known by
the executing party.
Issue 3 can probably be solved by executing the change as the
principal the password corresponds to. But what about issue 2?
Are there any better solutions, hints and tips around?
Thanks in advance,
Here's most of the gosa-pp script:
#!/bin/sh
## gosa-pp: called via sudo from the gosa hooks. The variable definitions were
## not part of the posted excerpt; the defaults below are placeholders.
LDAPHOST=${LDAPHOST:-ldap}
PREFIX=${PREFIX:-/home}
HOSTNAME=${HOSTNAME:-`hostname`}
NUMARGS=$# ; USERID=$1 ; OLDPW=$2 ; NEWPW=$3

case $NUMARGS in
1)
## lookup user and create home directory and principal:
## (filter taken from the 3-argument lookup below; $USERID goes unescaped into
## the filter and the kadmin -q strings, and ldapsearch base64-encodes
## non-ASCII values as "attr:: ...", which this loop does not decode)
ldapsearch -xLLL -h "$LDAPHOST" "(&(uid=$USERID)(objectClass=posixAccount))" \
    cn homeDirectory gidNumber 2>/dev/null | \
while read -r KEY VALUE ; do
  case "$KEY" in
    dn:) USERNAME= ; HOMEDIR= ; GROUPID= ; USERDN="dn=$VALUE" ;;
    cn:) USERNAME="$VALUE" ;;
    homeDirectory:) HOMEDIR="$VALUE" ;;
    gidNumber:) GROUPID="$VALUE" ;;
  esac
  ## act only once both attributes of the current entry have been read:
  test "$HOMEDIR" && test "$GROUPID" || continue
  ## only home directories on this host, matched on a whole path component
  ## (a plain prefix match would also accept $PREFIX/${HOSTNAME}x/...):
  case "$HOMEDIR" in "$PREFIX/$HOSTNAME"/*) ;; *) continue ;; esac
  test -e "$HOMEDIR" && continue
  cp -r /etc/skel "$HOMEDIR"
  chown -R "$USERID:$GROUPID" "$HOMEDIR"
  kadmin.local -q "add_principal -randkey -x $USERDN $USERID"
  logger -p notice "Home directory '$HOMEDIR' and principal '$USERID' created."
done
## send a welcome-email:
cat << EOF | /usr/lib/sendmail "$USERID"
Subject: Welcome to the mail-system

EOF
;;
3)
USERDN=`ldapsearch -xLLL -h "$LDAPHOST" \
    "(&(uid=$USERID)(objectClass=posixAccount))" dn | sed "s/: /=/"`
test "$USERDN" || { logger -p warning "No such user '$USERID'." ; exit 1 ; }
## FIXME: make sure that $OLDPW is correct
## (-pw also puts the new password on kadmin's command line, visible in ps)
kadmin.local -q "change_password -pw $NEWPW $USERID" 1>/dev/null
logger -p notice "Password for '$USERID' changed."
;;
*)
logger -p warning "Invalid number of arguments for $0."
exit 1 ;;
esac
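Added example (not the poster's gosa-pp and not GOsa code): one way to handle the 3-argument password-change case by running the change as the principal itself, so the KDC verifies the old password instead of kadmin.local overriding it as root. It assumes MIT Kerberos, whose kinit and kpasswd read prompted passwords from stdin when run non-interactively (Heimdal's kinit would need --password-file=STDIN), a realm given by the placeholder REALM, and that gosa calls the script as "gosa-pp-chpw uid oldpw newpw" like the hook above. Both passwords are fed on stdin rather than the command line; note that gosa still passes them as arguments, which are visible in ps for the lifetime of the script.

```sh
#!/bin/sh
## gosa-pp-chpw (added example): change a Kerberos password *as the principal*,
## so the KDC checks the old password. Invocation (assumed, like the hook
## above): gosa-pp-chpw uid oldpw newpw
## Assumes MIT Kerberos kinit/kpasswd, which read passwords from stdin when
## run non-interactively. REALM is a placeholder.
REALM=${REALM:-EXAMPLE.COM}

## The uid is interpolated into Kerberos command lines and a principal name:
## allow only a conservative character set and no leading dash (option-like).
valid_uid() {
  case "$1" in
    '' | -* | *[!a-zA-Z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

## Prove knowledge of the old password: obtain a ticket as the principal into
## a private, throwaway credential cache. The password goes in on stdin.
verify_old_password() {
  cc=$(mktemp -t gosa-pp.XXXXXX) || return 1
  if printf '%s\n' "$2" | KRB5CCNAME="FILE:$cc" kinit "$1@$REALM" >/dev/null 2>&1
  then rc=0 ; else rc=1 ; fi
  KRB5CCNAME="FILE:$cc" kdestroy >/dev/null 2>&1
  rm -f "$cc"
  return $rc
}

## Change the password over the kpasswd protocol, authenticated with the old
## password; kpasswd prompts for old, new and confirmation, in that order.
## Return codes: 2 bad uid, 3 old password rejected, 4 kpasswd failed.
change_password() {
  uid=$1 oldpw=$2 newpw=$3
  valid_uid "$uid" || { logger -p warning "gosa-pp-chpw: bad uid" ; return 2 ; }
  verify_old_password "$uid" "$oldpw" || {
    logger -p warning "gosa-pp-chpw: old password for '$uid' rejected by KDC"
    return 3
  }
  printf '%s\n%s\n%s\n' "$oldpw" "$newpw" "$newpw" \
    | kpasswd "$uid@$REALM" >/dev/null 2>&1 || {
    logger -p warning "gosa-pp-chpw: kpasswd failed for '$uid' (policy?)"
    return 4
  }
  logger -p notice "gosa-pp-chpw: password for '$uid' changed."
}

case $# in
  3) change_password "$1" "$2" "$3" ; exit $? ;;
  0) : ;;   # no arguments: definitions only (e.g. when sourced)
  *) echo "usage: $0 uid oldpw newpw" >&2 ; exit 64 ;;
esac
```

The kinit step is not strictly needed, since kpasswd itself fails when the old password is wrong, but it lets the script distinguish a wrong old password from a new password rejected by KDC policy, and it leaves no credentials behind because the cache is destroyed immediately.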