summaryrefslogtreecommitdiff
path: root/examples/LDAP
diff options
context:
space:
mode:
authorGerald Carter <jerry@samba.org>2003-08-28 16:38:59 +0000
committerGerald Carter <jerry@samba.org>2003-08-28 16:38:59 +0000
commitb3f1b28e1e6efb32ff8e9536a45216edffda0eff (patch)
treed01195bd969c2fb7da1411bbc60665fe6f5a16cd /examples/LDAP
parent3d393502e7d9d40454c13dfc590ed0b16a74edaf (diff)
downloadsamba-b3f1b28e1e6efb32ff8e9536a45216edffda0eff.tar.gz
samba-b3f1b28e1e6efb32ff8e9536a45216edffda0eff.tar.bz2
samba-b3f1b28e1e6efb32ff8e9536a45216edffda0eff.zip
removing outdated scripts and adding comments about 'ldap password syc'
(This used to be commit 29885eae591bdbb899d18ac2e7ae355751cd4be6)
Diffstat (limited to 'examples/LDAP')
-rw-r--r--examples/LDAP/export_smbpasswd.pl64
-rw-r--r--examples/LDAP/import_smbpasswd.pl119
-rw-r--r--examples/LDAP/ldapchpasswd152
-rw-r--r--examples/LDAP/ldapsync.pl5
4 files changed, 5 insertions, 335 deletions
diff --git a/examples/LDAP/export_smbpasswd.pl b/examples/LDAP/export_smbpasswd.pl
deleted file mode 100644
index e4f120bf02..0000000000
--- a/examples/LDAP/export_smbpasswd.pl
+++ /dev/null
@@ -1,64 +0,0 @@
-#!/usr/bin/perl
-##
-## Example script to export ldap entries into an smbpasswd file format
-## using the Mozilla PerLDAP module.
-##
-## writen by jerry@samba.org
-##
-## ported to Net::LDAP by dkrovich@slackworks.com
-
-use Net::LDAP;
-
-######################################################
-## Set these values to whatever you need for your site
-##
-
-$DN="dc=samba,dc=my-domain,dc=com";
-$ROOTDN="cn=Manager,dc=my-domain,dc=com";
-$rootpw = "secret";
-$LDAPSERVER="localhost";
-
-##
-## end local site variables
-######################################################
-
-$ldap = Net::LDAP->new($LDAPSERVER) or die "Unable to connect to LDAP server $LDAPSERVER";
-
-print "##\n";
-print "## Autogenerated smbpasswd file via ldapsearch\n";
-print "## from $LDAPSERVER ($DN)\n";
-print "##\n";
-
-## scheck for the existence of the posixAccount first
-$result = $ldap->search ( base => "$DN",
- scope => "sub",
- filter => "(objectclass=sambaAccount)"
- );
-
-
-
-## loop over the entries we found
-while ( $entry = $result->shift_entry() ) {
-
- @uid = $entry->get_value("uid");
- @uidNumber = $entry->get_value("uidNumber");
- @lm_pw = $entry->get_value("lmpassword");
- @nt_pw = $entry->get_value("ntpassword");
- @acct = $entry->get_value("acctFlags");
- @pwdLastSet = $entry->get_value("pwdLastSet");
-
- if (($#uid+1) && ($#uidNumber+1)) {
-
- $lm_pw[0] = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" if (! ($#lm_pw+1));
- $nt_pw[0] = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" if (! ($#nt_pw+1));
- $acct[0] = "[DU ]" if (! ($#acct+1));
- $pwdLastSet[0] = "FFFFFFFF" if (! ($#pwdLastSet+1));
-
- print "$uid[0]:$uidNumber[0]:$lm_pw[0]:$nt_pw[0]:$acct[0]:LCT-$pwdLastSet[0]\n";
- }
-
-}
-
-$ldap->unbind();
-exit 0;
-
diff --git a/examples/LDAP/import_smbpasswd.pl b/examples/LDAP/import_smbpasswd.pl
deleted file mode 100644
index 61ad33c809..0000000000
--- a/examples/LDAP/import_smbpasswd.pl
+++ /dev/null
@@ -1,119 +0,0 @@
-#!/usr/bin/perl
-##
-## Example script of how you could import a smbpasswd file into an LDAP
-## directory using the Mozilla PerLDAP module.
-##
-## writen by jerry@samba.org
-##
-## ported to Net::LDAP by dkrovich@slackworks.com
-
-use Net::LDAP;
-
-#################################################
-## set these to a value appropriate for your site
-##
-
-$DN="ou=people,dc=plainjoe,dc=org";
-$ROOTDN="cn=Manager,dc=plainjoe,dc=org";
-# If you use perl special character in your
-# rootpw, escape them:
-# $rootpw = "secr\@t" instead of $rootpw = "secr@t"
-$rootpw = "n0pass";
-$LDAPSERVER="scooby";
-
-##
-## end local site variables
-#################################################
-
-$ldap = Net::LDAP->new($LDAPSERVER) or die "Unable to connect to LDAP server $LDAPSERVER";
-
-## Bind as $ROOTDN so you can do updates
-$mesg = $ldap->bind($ROOTDN, password => $rootpw);
-$mesg->error() if $mesg->code();
-
-while ( $string = <STDIN> ) {
- chomp ($string);
-
- ## Get the account info from the smbpasswd file
- @smbentry = split (/:/, $string);
-
- ## Check for the existence of a system account
- @getpwinfo = getpwnam($smbentry[0]);
- if (! @getpwinfo ) {
- print STDERR "**$smbentry[0] does not have a system account... \n";
- next;
- }
- ## Calculate RID = uid*2 +1000
- $rid=@getpwinfo[2]*2+1000;
-
- ## check and see if account info already exists in LDAP.
- $result = $ldap->search ( base => "$DN",
- scope => "sub",
- filter => "(uid=$smbentry[0])"
- );
-
- ## If no LDAP entry exists, create one.
- if ( $result->count == 0 ) {
- $new_entry = Net::LDAP::Entry->new();
- $new_entry->add( dn => "uid=$smbentry[0],$DN",
- uid => $smbentry[0],
- rid => $rid,
- lmPassword => $smbentry[2],
- ntPassword => $smbentry[3],
- acctFlags => $smbentry[4],
- cn => $smbentry[0],
- pwdLastSet => hex(substr($smbentry[5],4)),
- objectclass => 'sambaAccount' );
-
- $result = $ldap->add( $new_entry );
- $result->error() if $result->code();
- print "Adding [uid=" . $smbentry[0] . "," . $DN . "]\n";
-
- ## Otherwise, supplement/update the existing entry.
- }
- elsif ($result->count == 1)
- {
- # Put the search results into an entry object
- $entry = $result->entry(0);
-
- print "Updating [" . $entry->dn . "]\n";
-
- ## Add the objectclass: sambaAccount attribute if it's not there
- @values = $entry->get_value( "objectclass" );
- $flag = 1;
- foreach $item (@values) {
- print "$item\n";
- if ( "$item" eq "sambaAccount" ) {
- $flag = 0;
- }
- }
- if ( $flag ) {
- ## Adding sambaAccount objectclass requires adding at least rid:
- ## uid attribute already exists we know since we searched on it
- $entry->add(objectclass => "sambaAccount",
- rid => $rid );
- }
-
- ## Set the other attribute values
- $entry->replace(rid => $rid,
- lmPassword => $smbentry[2],
- ntPassword => $smbentry[3],
- acctFlags => $smbentry[4],
- pwdLastSet => hex(substr($smbentry[5],4)));
-
- ## Apply changes to the LDAP server
- $updatemesg = $entry->update($ldap);
- $updatemesg->error() if $updatemesg->code();
-
- ## If we get here, the LDAP search returned more than one value
- ## which shouldn't happen under normal circumstances.
- } else {
- print STDERR "LDAP search returned more than one entry for $smbentry[0]... skipping!\n";
- next;
- }
-}
-
-$ldap->unbind();
-exit 0;
-
-
diff --git a/examples/LDAP/ldapchpasswd b/examples/LDAP/ldapchpasswd
deleted file mode 100644
index 0776d9bed1..0000000000
--- a/examples/LDAP/ldapchpasswd
+++ /dev/null
@@ -1,152 +0,0 @@
-#!/usr/bin/perl -w
-
-# LDAP to unix password sync script for samba-tng
-# originally by Jody Haynes <Jody.Haynes@isunnetworks.com>
-# 2000/12/12 milos@interactivesi.com
-# modified for use with MD5 passwords
-# 2000/12/16 mami@arena.sci.univr.it
-# modified to change lmpassword and ntpassword for samba
-# 2001/01/05 mami@arena.sci.univr.it
-# modified for being also a /bin/passwd replacement
-# 2001/01/29 mami@arena.sci.univr.it
-# now there are two small programs: ldapchpasswd to
-# change password from unix and ldapsync.pl to sync
-# from NT/2000. ldapchpasswd do not need clear password.
-# 2001/01/31 mami@arena.sci.univr.it
-# add server parameter to ldap commands
-# 2001/06/20 mami@arena.sci.univr.it
-# add pwdlastset and shadowlastchange update
-
-$basedn = "ou=Students,dc=univr, dc=it";
-$binddn = "uid=root,dc=univr,dc=it";
-$scope = "sub";
-$server = "my_server";
-
-foreach $arg (@ARGV) {
- if ($< != 0) {
- die "Only root can specify parameters\n";
- } else {
- if ( ($arg eq '-?') || ($arg eq '--help') ) {
- print "Usage: $0 [-o] [username]\n";
- print " -o, --without-old-password do not ask for old password (root only)\n";
- print " -?, --help show this help message\n";
- exit (-1);
- } elsif ( ($arg eq '-o') || ($arg eq '--without-old-password') ) {
- $oldpass = 1;
- } elsif (substr($arg,0) ne '-') {
- $user = $arg;
- if (!defined(getpwnam($user))) {
- die "$0: Unknown user name '$user'\n"; ;
- }
- }
- }
-}
-
-if (!defined($user)) {
- $user=$ENV{"USER"};
-}
-
-# current user's dn
-my $dn = '';
-
-if ($< == 0) {
- system "stty -echo";
- print "LDAP password for root DN: ";
- chomp($passwd=<STDIN>);
- print "\n";
- system "stty echo";
- # Find dn for user $user binding as root's dn
- chomp($dn=`ldapsearch -h '$server' -b '$basedn' -s '$scope' -D '$binddn' -w '$passwd' '(uid=$user)'|head -1`);
- if ( ($dn eq '') || ($passwd eq '') ) {
- print "Wrong LDAP password for root DN!\n";
- exit (-1);
- }
-} else {
- if (!defined($oldpass)) {
- system "stty -echo";
- print "Old password for user $user: ";
- chomp($oldpass=<STDIN>);
- print "\n";
- system "stty echo";
-
- # Find path to uid
- chomp($path_to_uid=`ldapsearch -h '$server' -b '$basedn' -s '$scope' '(uid=$user)'|head -1`);
- # Find old password for user $user binding as self
- chomp($dn=`ldapsearch -h '$server' -b '$basedn' -s '$scope' -D '$path_to_uid' -w '$oldpass' '(uid=$user)'|head -1`);
-
- if ( ($dn eq '') || ($oldpass eq '') ) {
- print "Wrong password for user $user!\n";
- exit (-1);
- }
- }
-}
-
-system "stty -echo";
-print "New password for user $user: ";
-chomp($pass=<STDIN>);
-print "\n";
-system "stty echo";
-
-system "stty -echo";
-print "Retype new password for user $user: ";
-chomp($pass2=<STDIN>);
-print "\n";
-system "stty echo";
-
-if ( ($pass ne $pass2) || (length($pass)<1) ) {
- die "Wrong password!\n";
-} else {
-# MD5 password
-$random = join '', ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64, rand 64, rand 64, rand 64, rand 64, rand 64, rand 64];
-$bsalt = "\$1\$"; $esalt = "\$";
-$modsalt = $bsalt.$random.$esalt;
-$password = crypt($pass, $modsalt);
-
-# LanManager and NT clear text passwords
-$ntpwd = `/usr/local/sbin/mkntpwd '$pass'`;
-chomp($lmpassword = substr($ntpwd, 0, index($ntpwd, ':')));
-chomp($ntpassword = substr($ntpwd, index($ntpwd, ':')+1));
-
-#$FILE="|/usr/bin/ldapmodify -h '$server' -D '$binddn' -w $passwd";
-if ($< != 0) {
- $FILE="|/usr/bin/ldapmodify -h '$server' -D '$dn' -w '$oldpass'";
-} else {
- $FILE="|/usr/bin/ldapmodify -h '$server' -D '$binddn' -w '$passwd'";
-}
-
-# Chenge time
-$shadowlastchange=int(time/24/3600);
-$pwdlastset=sprintf('%x',time);
-
-open FILE or die;
-
-print FILE <<EOF;
-dn: $dn
-changetype: modify
-replace: userPassword
-userPassword: {crypt}$password
--
-changetype: modify
-replace: lmpassword
-lmpassword: $lmpassword
--
-changetype: modify
-replace: ntpassword
-ntpassword: $ntpassword
--
-changetype: modify
-replace: shadowlastchange
-shadowlastchange: $shadowlastchange
--
-changetype: modify
-replace: pwdlastset
-pwdlastset: $pwdlastset
--
-
-EOF
-close FILE;
-
-}
-
-exit 0;
-
diff --git a/examples/LDAP/ldapsync.pl b/examples/LDAP/ldapsync.pl
index fecc594c2d..c112bcc34c 100644
--- a/examples/LDAP/ldapsync.pl
+++ b/examples/LDAP/ldapsync.pl
@@ -8,6 +8,11 @@
# modified to change lmpassword and ntpassword for samba
# 05/01/2001 mami@arena.sci.univr.it
# modified for being also a /bin/passwd replacement
+#
+# ACHTUNG!! For servers that support the LDAP Modify password
+# extended op (e.g. OpenLDAP), see the "ldap password
+# sync" option in smb.conf(5).
+#
$basedn = "ou=Students,dc=univr, dc=it";
$binddn = "uid=root,dc=univr,dc=it";