
Bug#798435: gosa-sync breaks password changes on non-Kerberized accounts



Package: debian-edu-config
Severity: important
Version: 1.818
Tags: patch

Hi all,

we have started creating non-POSIX / non-Kerberos accounts on a Debian Edu main server and stumbled over a slight flaw in debian-edu-config's gosa-sync script (password change hook).

The hook script tries to change the password of the underlying Kerberos principal. It does this always, even if the account to-be-updated is not a Kerberos account.

By default, we only turn POSIX accounts into Kerberos accounts (which is a sensible default). This should be honoured by the gosa-sync script as seen in the below patch (also attached to this mail):

"""
--- gosa-sync.orig	2015-09-09 11:41:11.000000000 +0200
+++ gosa-sync	2015-09-09 12:19:36.703718246 +0200
@@ -17,6 +17,15 @@
 USERDN="$1"
 USERID=`echo "$USERDN" | sed "s/^uid=\([^,]*\),.*$/\1/"`

+# check if the given user account has the Kerberos principal objectClass set... +is_krbprincipal=`ldapsearch -LLL -x "(&(uid=${USERID})(objectClass=krbPrincipalAux))"`
+if [ -z "$is_krbprincipal" ]; then
+
+   # if not, simply bail out here without noise...
+    exit 0
+
+fi
+
 ## The new user password is in environment, $USERPASSWORD.
 ## Check if provided password corresponds to hash saved in ldap database:

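Review bot: the `if [ -z "$is_krbprincipal" ]` test cannot tell a genuinely empty result from a failed search, so when `ldapsearch` cannot reach the server or the anonymous bind (`-x` with no `-D`, and no `-H`/`-b`, so it relies on ldap.conf defaults) is not allowed to read `objectClass`, the hook exits 0 and silently skips the Kerberos password change for accounts that do have `krbPrincipalAux`, leaving the LDAP and Kerberos passwords out of sync. Suggest checking the command status first, e.g. `if ! is_krbprincipal=$(ldapsearch -LLL -x "(&(uid=${USERID})(objectClass=krbPrincipalAux))"); then` / `    echo "gosa-sync: LDAP lookup for $USERID failed" >&2; exit 1` / `fi`, and only then treating an empty result as "not a Kerberos account". Also, `${USERID}` is spliced into the filter unescaped; it is cut from the DN by sed, and a uid containing filter metacharacters (`*`, `(`, `)`, `\`) would change the query, so escape it per RFC 4515 before use. Minor: the three-space comment indent and the blank lines inside the `if` body do not match the surrounding script.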
"""

It would be nice to get this fixed in Debian Edu jessie...

Mike
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
--- gosa-sync.orig	2015-09-09 11:41:11.000000000 +0200
+++ gosa-sync	2015-09-09 12:19:36.703718246 +0200
@@ -17,6 +17,15 @@
 USERDN="$1"
 USERID=`echo "$USERDN" | sed "s/^uid=\([^,]*\),.*$/\1/"`
 
+# check if the given user account is has the Kerberos principal objectClass set...
+is_krbprincipal=`ldapsearch -LLL -x "(&(uid=${USERID})(objectClass=krbPrincipalAux))"`
+if [ -z "$is_krbprincipal" ]; then
+
+   # if not, simply bail out here without noise...
+    exit 0
+
+fi
+
 ## The new user password is in environment, $USERPASSWORD.
 ## Check if provided password corresponds to hash saved in ldap database:
 

Attachment: pgpZXKMo8FGsr.pgp
Description: Digital PGP signature
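A hardened form of the check proposed in the patch, as an added example (not the debian-edu-config gosa-sync code): the uid is escaped before being spliced into the LDAP filter, and a failed lookup is reported instead of being treated as "not a Kerberos account". The function names and the `LDAPSEARCH` variable are assumptions made so the decision logic can be exercised with a stub; by default it runs the same `ldapsearch -LLL -x` call the patch uses.

```shell
#!/bin/sh
# Added example, not the gosa-sync script itself.

# Escape a value for use inside an LDAP search filter (RFC 4515):
# backslash first, then the remaining metacharacters.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g'  -e 's/)/\\29/g'
}

# Build the "is this uid a Kerberos principal?" filter from an escaped uid.
krb_filter() {
    printf '(&(uid=%s)(objectClass=krbPrincipalAux))' "$(ldap_filter_escape "$1")"
}

# Decide what the password hook should do for uid $1. Prints one of
#   update  - krbPrincipalAux found, go on and change the Kerberos password
#   skip    - lookup succeeded but found nothing: non-Kerberos account
#   fail    - lookup itself failed: do NOT silently skip the Kerberos update
# The search command comes from $LDAPSEARCH (assumption) so tests can stub it.
krb_sync_decision() {
    krb_uid=$1
    krb_query=$(krb_filter "$krb_uid")
    if ! krb_result=$(${LDAPSEARCH:-ldapsearch -LLL -x} "$krb_query"); then
        echo "gosa-sync: LDAP lookup for uid=$krb_uid failed" >&2
        echo fail
        return 2
    fi
    if [ -z "$krb_result" ]; then
        echo skip
        return 0
    fi
    echo update
    return 0
}
```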