
ldap/gosa postcreation and kerberos password synchronization



Hi all,

[first, congrats to the gosa-guys for their latest release ;-)]

I am currently thinking about how to handle the post-creation,
post-password-change and related stuff properly.

So far, I use the draft script attached below, which is run by the gosa
postcreation hook (www-data added to the sudoers file) to handle all needs:

1.: A (posix) user is created in gosa: the script, called as
    /usr/bin/sudo /usr/sbin/gosa-pp %uid
    creates the homedir and the corresponding principal with a random
    password. This works fine.

2.: Now the password for the new user is entered in gosa. I figured
    out that the passwordHook="/usr/bin/sudo /usr/sbin/gosa-pp" is
    called with just the password as argument. Unfortunately there is
    no uid attached, so I do not know how to set the attached password
    for the user just(?) created. (Currently, the script tries to
    create a homedir for a user with uid=password, so this has to be
    fixed too.)

3.: Assume the user changes his password in gosa now. In this case
    gosa-pp is called as:
    gosa-pp uid oldpw newpw
    As you see below, the new password is enforced with root's almighty
    power, but there is no check whether the old password is known by
    the executing party.

Issue 3 can probably be solved by executing the change as the
principal the password corresponds to. But what about issue 2?

Are there any better solutions, hints and tips around? 
Thanks in advance,

    Andi

Here's most of the gosa-pp script:

#!/bin/sh
[...]
NUMARGS=$#
PREFIX=/skole
HOSTNAME=$(hostname -s)
LDAPHOST=ldap
BASE=dc=skole,dc=skolelinux,dc=no
USERID=$1

case $NUMARGS in
  1)
    ## postcreation hook (gosa-pp uid): look up the user in LDAP, then
    ## create the home directory and a principal with a random key
    ldapsearch -xLLL -h "$LDAPHOST" -b "$BASE" \
      "(&(uid=$USERID)(objectClass=posixAccount))" \
      cn homeDirectory gidNumber 2>/dev/null | \
      while read KEY VALUE ; do
        case "$KEY" in
          dn:) USERNAME= ; HOMEDIR= ; GROUPID= ; USERDN="dn=$VALUE" ;;
          cn:) USERNAME="$VALUE" ;;
          homeDirectory:) HOMEDIR="$VALUE" ;;
          gidNumber:) GROUPID="$VALUE" ;;
          "")
            ## a blank line ends an LDIF entry: act on what was collected
            test "$HOMEDIR" || continue
            ## only handle home directories that live on this server
            echo "$HOMEDIR" | grep -q "^$PREFIX/$HOSTNAME" || continue
            test -e "$HOMEDIR" && continue
            cp -r /etc/skel "$HOMEDIR"
            chown -R "$USERID:$GROUPID" "$HOMEDIR"
            ## -x dn=... ties the new principal to the existing LDAP entry
            kadmin.local -q "add_principal -randkey -x $USERDN $USERID"
            logger -p notice "Home directory '$HOMEDIR' and principal '$USERID' created."
            ## send a welcome-email:
            cat << EOF | /usr/lib/sendmail "$USERID"
Subject: Welcome to the mail-system
[...]
EOF
            ;;
        esac
      done
    ;;
  3)
    ## password change hook (gosa-pp uid oldpw newpw)
    USERDN=$(ldapsearch -xLLL -h "$LDAPHOST" -b "$BASE" \
      "(&(uid=$USERID)(objectClass=posixAccount))" dn | sed "s/: /=/")
    OLDPW=$2
    NEWPW=$3
    ## FIXME: make sure that $OLDPW is correct
    ## (note: -pw puts the new password into kadmin.local's argv, where
    ## it is visible in the process list while the command runs)
    kadmin.local -q "change_password -pw $NEWPW $USERID" 1>/dev/null
    logger -p notice "Password for '$USERID' changed."
    ;;
  *)
    logger -p warning "Invalid number of arguments for $0."
    ;;
esac

exit 0
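One way to handle issue 3, as an added example (not Andi's gosa-pp and not gosa's own code): in the three-argument case the change is run as the principal itself through kpasswd, so the KDC verifies the old password and nothing is changed when it is wrong. It assumes MIT Kerberos kpasswd; the hook function name gosa_pp_hook, the note helper and the sample LDIF are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of gosa-pp: password change run as the principal.
# Assumes MIT Kerberos kpasswd and the LDIF layout gosa-pp already parses.

# Log via syslog when logger is available, otherwise to stderr.
note() { logger -p "$1" "$2" 2>/dev/null || echo "$2" >&2; }

# Turn "ldapsearch -LLL ... dn" output into the kadmin "-x dn=..." value
# (the same transformation gosa-pp does with sed, restricted to the dn line).
ldif_dn_to_kadmin_x() {
    sed -n 's/^dn: /dn=/p' | head -n 1
}

# Change $1's password from $2 to $3 as that principal. kpasswd first
# authenticates to kadmin/changepw with the OLD password; if the KDC
# rejects it, nothing is changed and kpasswd exits non-zero. The passwords
# are fed over stdin (kpasswd prompts: current, new, new), not via argv,
# so they do not appear in the process list.
change_password_as_principal() {
    printf '%s\n%s\n%s\n' "$2" "$3" "$3" | kpasswd "$1" >/dev/null 2>&1
}

# Hook entry point (hypothetical name): only the 3-argument case is shown;
# the 1-argument creation case stays with gosa-pp.
gosa_pp_hook() {
    case $# in
        3)
            if change_password_as_principal "$1" "$2" "$3"; then
                note notice "Password for '$1' changed by the principal."
                return 0
            fi
            note warning "Password change for '$1' refused: old password not accepted."
            return 1
            ;;
        *)
            note warning "Unsupported number of arguments ($#) for $0."
            return 2
            ;;
    esac
}
```

Without a reachable KDC (or a wrong old password) the hook returns 1 and leaves the principal untouched, which is the behaviour the root-driven kadmin.local call cannot give.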

