[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

ldap/gosa postcreation and kerberos password synchronization

Hi all,

[first, congrats to the gosa-guys for their latest release ;-)]

I am currently thinking about how to handle the post-creation,
post-password-change and related stuff properly.

So far, I use the draft-script attached below which is run by the gosa
postcreation hook (www-data added to sudoers file) to handle all needs:

1.: A (posix) user is created in gosa: The script called as 
    /usr/bin/sudo /usr/sbin/gosa-pp %uid 
    creates homedir and corresponding principal with random
    password. This works fine.   

2.: Now, the password for the new user is entered in gosa. I figured
    out that the passwordHook="/usr/bin/sudo /usr/sbin/gosa-pp" is
    called with just the password as argument. Unfortunately there is
    no uid attached, so I do not know how to set the attached password
    for the user just(?) created. (Currently, the script tries to
    create a homedir for a user with uid=password, so this has to be
    fixed too.) 

3.: Assume, the user changes his password in gosa now. In this case
    gosa-pp is called as:
    gosa-pp uid oldpw newpw
    As you see below, with root's almighty power the new password is
    enforced, but there is no check if the old password is known by
    the executing party.

Issue 3 can probably be solved by executing the change as the
principal the password corresponds to. But what about issue 2?

Are there any better solutions, hints and tips around? 
Thanks in advance,


Here's most of the gosa-pp script:

HOSTNAME=$(hostname -s)

case $NUMARGS in
    ## lookup user and create home directory and principal:
    ldapsearch -xLLL -h $LDAPHOST
  "(&(uid=$USERID)(objectClass=posixAccount))" \
  cn homeDirectory gidNumber 2>/dev/null | \
      while read KEY VALUE ; do 
        case "$KEY" in 
          dn:) USERNAME= ; HOMEDIR= ; GROUPID= ; USERDN="dn=$VALUE" ;;
          cn:) USERNAME="$VALUE" ;;
          homeDirectory:) HOMEDIR="$VALUE" ;;
          gidNumber:) GROUPID="$VALUE"  ;;
            test "$HOMEDIR" || continue 
            echo "$HOMEDIR" | grep -q "^$PREFIX/$HOSTNAME" || continue
            test -e "$HOMEDIR" && continue 
    	    cp -r /etc/skel $HOMEDIR
    	    chown -R $USERID:$GROUPID $HOMEDIR
	    kadmin.local -q "add_principal -randkey -x $USERDN
	logger -p notice Home directory \'$HOMEDIR\' and principal
  \'$USERID\' created. 
        ## send a welcome-email: 
        cat << EOF | /usr/lib/sendmail $USERID
Subject: Welcome to the mail-system
    USERDN=`ldapsearch -xLLL -h ldap
    "(&(uid=$USERID)(objectClass=posixAccount))" dn | sed "s/: /=/"`
    ## FIXME: make sure that $OLDPW is correct 
    kadmin.local -q "change_password -pw $NEWPW $USERID" 1>/dev/null
    logger -p notice Password for \'$USERID\' changed.
    logger -p warning Invalid number of arguments for $0.

exit 0

Reply to: