#!/usr/bin/perl -w # LDAP to unix password sync script for samba-tng # originally by Jody Haynes <Jody.Haynes@isunnetworks.com> # 2000/12/12 milos@interactivesi.com # modified for use with MD5 passwords # 2000/12/16 mami@arena.sci.univr.it # modified to change lmpassword and ntpassword for samba # 2001/01/05 mami@arena.sci.univr.it # modified for being also a /bin/passwd replacement # 2001/01/29 mami@arena.sci.univr.it # now there are two small programs: ldapchpasswd to # change password from unix and ldapsync.pl to sync # from NT/2000. ldapchpasswd do not need clear password. # 2001/01/31 mami@arena.sci.univr.it # add server parameter to ldap commands # 2001/06/20 mami@arena.sci.univr.it # add pwdlastset and shadowlastchange update $basedn = "ou=Students,dc=univr, dc=it"; $binddn = "uid=root,dc=univr,dc=it"; $scope = "sub"; $server = "my_server"; foreach $arg (@ARGV) { if ($< != 0) { die "Only root can specify parameters\n"; } else { if ( ($arg eq '-?') || ($arg eq '--help') ) { print "Usage: $0 [-o] [username]\n"; print " -o, --without-old-password do not ask for old password (root only)\n"; print " -?, --help show this help message\n"; exit (-1); } elsif ( ($arg eq '-o') || ($arg eq '--without-old-password') ) { $oldpass = 1; } elsif (substr($arg,0) ne '-') { $user = $arg; if (!defined(getpwnam($user))) { die "$0: Unknown user name '$user'\n"; ; } } } } if (!defined($user)) { $user=$ENV{"USER"}; } # current user's dn my $dn = ''; if ($< == 0) { system "stty -echo"; print "LDAP password for root DN: "; chomp($passwd=<STDIN>); print "\n"; system "stty echo"; # Find dn for user $user binding as root's dn chomp($dn=`ldapsearch -h '$server' -b '$basedn' -s '$scope' -D '$binddn' -w '$passwd' '(uid=$user)'|head -1`); if ( ($dn eq '') || ($passwd eq '') ) { print "Wrong LDAP password for root DN!\n"; exit (-1); } } else { if (!defined($oldpass)) { system "stty -echo"; print "Old password for user $user: "; chomp($oldpass=<STDIN>); print "\n"; system "stty echo"; # Find path to uid chomp($path_to_uid=`ldapsearch -h '$server' -b '$basedn' -s '$scope' '(uid=$user)'|head -1`); # Find old password for user $user binding as self chomp($dn=`ldapsearch -h '$server' -b '$basedn' -s '$scope' -D '$path_to_uid' -w '$oldpass' '(uid=$user)'|head -1`); if ( ($dn eq '') || ($oldpass eq '') ) { print "Wrong password for user $user!\n"; exit (-1); } } } system "stty -echo"; print "New password for user $user: "; chomp($pass=<STDIN>); print "\n"; system "stty echo"; system "stty -echo"; print "Retype new password for user $user: "; chomp($pass2=<STDIN>); print "\n"; system "stty echo"; if ( ($pass ne $pass2) || (length($pass)<1) ) { die "Wrong password!\n"; } else { # MD5 password $random = join '', ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64, rand 64, rand 64, rand 64, rand 64, rand 64, rand 64]; $bsalt = "\$1\$"; $esalt = "\$"; $modsalt = $bsalt.$random.$esalt; $password = crypt($pass, $modsalt); # LanManager and NT clear text passwords $ntpwd = `/usr/local/sbin/mkntpwd '$pass'`; chomp($lmpassword = substr($ntpwd, 0, index($ntpwd, ':'))); chomp($ntpassword = substr($ntpwd, index($ntpwd, ':')+1)); #$FILE="|/usr/bin/ldapmodify -h '$server' -D '$binddn' -w $passwd"; if ($< != 0) { $FILE="|/usr/bin/ldapmodify -h '$server' -D '$dn' -w '$oldpass'"; } else { $FILE="|/usr/bin/ldapmodify -h '$server' -D '$binddn' -w '$passwd'"; } # Chenge time $shadowlastchange=int(time/24/3600); $pwdlastset=sprintf('%x',time); open FILE or die; print FILE <<EOF; dn: $dn changetype: modify replace: userPassword userPassword: {crypt}$password - changetype: modify replace: lmpassword lmpassword: $lmpassword - changetype: modify replace: ntpassword ntpassword: $ntpassword - changetype: modify replace: shadowlastchange shadowlastchange: $shadowlastchange - changetype: modify replace: pwdlastset pwdlastset: $pwdlastset - EOF close FILE; } exit 0;