-rw-r--r-- | examples/LDAP/export_smbpasswd.pl | 64 | ||||
-rw-r--r-- | examples/LDAP/import_smbpasswd.pl | 119 | ||||
-rw-r--r-- | examples/LDAP/ldapchpasswd | 152 | ||||
-rw-r--r-- | examples/LDAP/ldapsync.pl | 5 |
4 files changed, 5 insertions, 335 deletions
diff --git a/examples/LDAP/export_smbpasswd.pl b/examples/LDAP/export_smbpasswd.pl
deleted file mode 100644
index e4f120bf02..0000000000
--- a/examples/LDAP/export_smbpasswd.pl
+++ /dev/null
@@ -1,64 +0,0 @@
-#!/usr/bin/perl
-##
-## Example script to export ldap entries into an smbpasswd file format
-## using the Mozilla PerLDAP module.
-##
-## writen by jerry@samba.org
-##
-## ported to Net::LDAP by dkrovich@slackworks.com
-
-use Net::LDAP;
-
-######################################################
-## Set these values to whatever you need for your site
-##
-
-$DN="dc=samba,dc=my-domain,dc=com";
-$ROOTDN="cn=Manager,dc=my-domain,dc=com";
-$rootpw = "secret";
-$LDAPSERVER="localhost";
-
-##
-## end local site variables
-######################################################
-
-$ldap = Net::LDAP->new($LDAPSERVER) or die "Unable to connect to LDAP server $LDAPSERVER";
-
-print "##\n";
-print "## Autogenerated smbpasswd file via ldapsearch\n";
-print "## from $LDAPSERVER ($DN)\n";
-print "##\n";
-
-## scheck for the existence of the posixAccount first
-$result = $ldap->search ( base => "$DN",
- scope => "sub",
- filter => "(objectclass=sambaAccount)"
- );
-
-
-
-## loop over the entries we found
-while ( $entry = $result->shift_entry() ) {
-
- @uid = $entry->get_value("uid");
- @uidNumber = $entry->get_value("uidNumber");
- @lm_pw = $entry->get_value("lmpassword");
- @nt_pw = $entry->get_value("ntpassword");
- @acct = $entry->get_value("acctFlags");
- @pwdLastSet = $entry->get_value("pwdLastSet");
-
- if (($#uid+1) && ($#uidNumber+1)) {
-
- $lm_pw[0] = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" if (! ($#lm_pw+1));
- $nt_pw[0] = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" if (! ($#nt_pw+1));
- $acct[0] = "[DU ]" if (! ($#acct+1));
- $pwdLastSet[0] = "FFFFFFFF" if (! ($#pwdLastSet+1));
-
- print "$uid[0]:$uidNumber[0]:$lm_pw[0]:$nt_pw[0]:$acct[0]:LCT-$pwdLastSet[0]\n";
- }
-
-}
-
-$ldap->unbind();
-exit 0;
-
diff --git a/examples/LDAP/import_smbpasswd.pl b/examples/LDAP/import_smbpasswd.pl
deleted file mode 100644
index 61ad33c809..0000000000
--- a/examples/LDAP/import_smbpasswd.pl
+++ /dev/null
@@ -1,119 +0,0 @@
-#!/usr/bin/perl
-##
-## Example script of how you could import a smbpasswd file into an LDAP
-## directory using the Mozilla PerLDAP module.
-##
-## writen by jerry@samba.org
-##
-## ported to Net::LDAP by dkrovich@slackworks.com
-
-use Net::LDAP;
-
-#################################################
-## set these to a value appropriate for your site
-##
-
-$DN="ou=people,dc=plainjoe,dc=org";
-$ROOTDN="cn=Manager,dc=plainjoe,dc=org";
-# If you use perl special character in your
-# rootpw, escape them:
-# $rootpw = "secr\@t" instead of $rootpw = "secr@t"
-$rootpw = "n0pass";
-$LDAPSERVER="scooby";
-
-##
-## end local site variables
-#################################################
-
-$ldap = Net::LDAP->new($LDAPSERVER) or die "Unable to connect to LDAP server $LDAPSERVER";
-
-## Bind as $ROOTDN so you can do updates
-$mesg = $ldap->bind($ROOTDN, password => $rootpw);
-$mesg->error() if $mesg->code();
-
-while ( $string = <STDIN> ) {
- chomp ($string);
-
- ## Get the account info from the smbpasswd file
- @smbentry = split (/:/, $string);
-
- ## Check for the existence of a system account
- @getpwinfo = getpwnam($smbentry[0]);
- if (! @getpwinfo ) {
- print STDERR "**$smbentry[0] does not have a system account... \n";
- next;
- }
- ## Calculate RID = uid*2 +1000
- $rid=@getpwinfo[2]*2+1000;
-
- ## check and see if account info already exists in LDAP.
- $result = $ldap->search ( base => "$DN",
- scope => "sub",
- filter => "(uid=$smbentry[0])"
- );
-
- ## If no LDAP entry exists, create one.
- if ( $result->count == 0 ) {
- $new_entry = Net::LDAP::Entry->new();
- $new_entry->add( dn => "uid=$smbentry[0],$DN",
- uid => $smbentry[0],
- rid => $rid,
- lmPassword => $smbentry[2],
- ntPassword => $smbentry[3],
- acctFlags => $smbentry[4],
- cn => $smbentry[0],
- pwdLastSet => hex(substr($smbentry[5],4)),
- objectclass => 'sambaAccount' );
-
- $result = $ldap->add( $new_entry );
- $result->error() if $result->code();
- print "Adding [uid=" . $smbentry[0] . "," . $DN . "]\n";
-
- ## Otherwise, supplement/update the existing entry.
- }
- elsif ($result->count == 1)
- {
- # Put the search results into an entry object
- $entry = $result->entry(0);
-
- print "Updating [" . $entry->dn . "]\n";
-
- ## Add the objectclass: sambaAccount attribute if it's not there
- @values = $entry->get_value( "objectclass" );
- $flag = 1;
- foreach $item (@values) {
- print "$item\n";
- if ( "$item" eq "sambaAccount" ) {
- $flag = 0;
- }
- }
- if ( $flag ) {
- ## Adding sambaAccount objectclass requires adding at least rid:
- ## uid attribute already exists we know since we searched on it
- $entry->add(objectclass => "sambaAccount",
- rid => $rid );
- }
-
- ## Set the other attribute values
- $entry->replace(rid => $rid,
- lmPassword => $smbentry[2],
- ntPassword => $smbentry[3],
- acctFlags => $smbentry[4],
- pwdLastSet => hex(substr($smbentry[5],4)));
-
- ## Apply changes to the LDAP server
- $updatemesg = $entry->update($ldap);
- $updatemesg->error() if $updatemesg->code();
-
- ## If we get here, the LDAP search returned more than one value
- ## which shouldn't happen under normal circumstances.
- } else {
- print STDERR "LDAP search returned more than one entry for $smbentry[0]... skipping!\n";
- next;
- }
-}
-
-$ldap->unbind();
-exit 0;
-
-
diff --git a/examples/LDAP/ldapchpasswd b/examples/LDAP/ldapchpasswd
deleted file mode 100644
index 0776d9bed1..0000000000
--- a/examples/LDAP/ldapchpasswd
+++ /dev/null
@@ -1,152 +0,0 @@
-#!/usr/bin/perl -w
-
-# LDAP to unix password sync script for samba-tng
-# originally by Jody Haynes <Jody.Haynes@isunnetworks.com>
-# 2000/12/12 milos@interactivesi.com
-# modified for use with MD5 passwords
-# 2000/12/16 mami@arena.sci.univr.it
-# modified to change lmpassword and ntpassword for samba
-# 2001/01/05 mami@arena.sci.univr.it
-# modified for being also a /bin/passwd replacement
-# 2001/01/29 mami@arena.sci.univr.it
-# now there are two small programs: ldapchpasswd to
-# change password from unix and ldapsync.pl to sync
-# from NT/2000. ldapchpasswd do not need clear password.
-# 2001/01/31 mami@arena.sci.univr.it
-# add server parameter to ldap commands
-# 2001/06/20 mami@arena.sci.univr.it
-# add pwdlastset and shadowlastchange update
-
-$basedn = "ou=Students,dc=univr, dc=it";
-$binddn = "uid=root,dc=univr,dc=it";
-$scope = "sub";
-$server = "my_server";
-
-foreach $arg (@ARGV) {
- if ($< != 0) {
- die "Only root can specify parameters\n";
- } else {
- if ( ($arg eq '-?') || ($arg eq '--help') ) {
- print "Usage: $0 [-o] [username]\n";
- print " -o, --without-old-password do not ask for old password (root only)\n";
- print " -?, --help show this help message\n";
- exit (-1);
- } elsif ( ($arg eq '-o') || ($arg eq '--without-old-password') ) {
- $oldpass = 1;
- } elsif (substr($arg,0) ne '-') {
- $user = $arg;
- if (!defined(getpwnam($user))) {
- die "$0: Unknown user name '$user'\n"; ;
- }
- }
- }
-}
-
-if (!defined($user)) {
- $user=$ENV{"USER"};
-}
-
-# current user's dn
-my $dn = '';
-
-if ($< == 0) {
- system "stty -echo";
- print "LDAP password for root DN: ";
- chomp($passwd=<STDIN>);
- print "\n";
- system "stty echo";
- # Find dn for user $user binding as root's dn
- chomp($dn=`ldapsearch -h '$server' -b '$basedn' -s '$scope' -D '$binddn' -w '$passwd' '(uid=$user)'|head -1`);
- if ( ($dn eq '') || ($passwd eq '') ) {
- print "Wrong LDAP password for root DN!\n";
- exit (-1);
- }
-} else {
- if (!defined($oldpass)) {
- system "stty -echo";
- print "Old password for user $user: ";
- chomp($oldpass=<STDIN>);
- print "\n";
- system "stty echo";
-
- # Find path to uid
- chomp($path_to_uid=`ldapsearch -h '$server' -b '$basedn' -s '$scope' '(uid=$user)'|head -1`);
- # Find old password for user $user binding as self
- chomp($dn=`ldapsearch -h '$server' -b '$basedn' -s '$scope' -D '$path_to_uid' -w '$oldpass' '(uid=$user)'|head -1`);
-
- if ( ($dn eq '') || ($oldpass eq '') ) {
- print "Wrong password for user $user!\n";
- exit (-1);
- }
- }
-}
-
-system "stty -echo";
-print "New password for user $user: ";
-chomp($pass=<STDIN>);
-print "\n";
-system "stty echo";
-
-system "stty -echo";
-print "Retype new password for user $user: ";
-chomp($pass2=<STDIN>);
-print "\n";
-system "stty echo";
-
-if ( ($pass ne $pass2) || (length($pass)<1) ) {
- die "Wrong password!\n";
-} else {
-# MD5 password
-$random = join '', ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64, rand 64, rand 64, rand 64, rand 64, rand 64, rand 64];
-$bsalt = "\$1\$"; $esalt = "\$";
-$modsalt = $bsalt.$random.$esalt;
-$password = crypt($pass, $modsalt);
-
-# LanManager and NT clear text passwords
-$ntpwd = `/usr/local/sbin/mkntpwd '$pass'`;
-chomp($lmpassword = substr($ntpwd, 0, index($ntpwd, ':')));
-chomp($ntpassword = substr($ntpwd, index($ntpwd, ':')+1));
-
-#$FILE="|/usr/bin/ldapmodify -h '$server' -D '$binddn' -w $passwd";
-if ($< != 0) {
- $FILE="|/usr/bin/ldapmodify -h '$server' -D '$dn' -w '$oldpass'";
-} else {
- $FILE="|/usr/bin/ldapmodify -h '$server' -D '$binddn' -w '$passwd'";
-}
-
-# Chenge time
-$shadowlastchange=int(time/24/3600);
-$pwdlastset=sprintf('%x',time);
-
-open FILE or die;
-
-print FILE <<EOF;
-dn: $dn
-changetype: modify
-replace: userPassword
-userPassword: {crypt}$password
--
-changetype: modify
-replace: lmpassword
-lmpassword: $lmpassword
--
-changetype: modify
-replace: ntpassword
-ntpassword: $ntpassword
--
-changetype: modify
-replace: shadowlastchange
-shadowlastchange: $shadowlastchange
--
-changetype: modify
-replace: pwdlastset
-pwdlastset: $pwdlastset
--
-
-EOF
-close FILE;
-
-}
-
-exit 0;
-
diff --git a/examples/LDAP/ldapsync.pl b/examples/LDAP/ldapsync.pl
index fecc594c2d..c112bcc34c 100644
--- a/examples/LDAP/ldapsync.pl
+++ b/examples/LDAP/ldapsync.pl
@@ -8,6 +8,11 @@
 # modified to change lmpassword and ntpassword for samba
 # 05/01/2001 mami@arena.sci.univr.it
 # modified for being also a /bin/passwd replacement
+#
+# ACHTUNG!! For servers that support the LDAP Modify password
+# extended op (e.g. OpenLDAP), see the "ldap password
+# sync" option in smb.conf(5).
+#
 
 $basedn = "ou=Students,dc=univr, dc=it";
 $binddn = "uid=root,dc=univr,dc=it";
|