[Samba] Samba 2.2.3a+LDAP Password synch w/MD5
Andreas Strodl
andreas at strodl.org
Fri Mar 22 01:25:31 GMT 2002
On Thu, Mar 21, 2002 at 07:58:59PM -0800, nate wrote:
> hi.
>
> Today i started working on how I can get password synch
> with LDAP and MD5 passwords.
>
> Since I'm no scripter or programmer I saw a couple other scripts
> and combined parts and added some of my own,and the result
> is a script that can change a password on the command line,
> I haven't yet tried it through samba(I will tomorrow once i get back
> to the office, no way to test from home)
>
> I put the script here, as the email I'm sure will mangle it:
> http://portal.aphroland.org/samba/smbpass-ldap.txt
try the latest samba release and search for the ldapsync.pl
else I can send you my version
>
> My problems with existing scripts:
> 1) they used crypt password, where I am using MD5
then use the md5 function instead of crypt and {md5} instead of {crypt}
> 2) They depended on a dn: uid=, and i could not get this
> working, so I wrote a quick ldapsearch query to extract the
> full name from the database for modifying the ldappassword.
>
> I would really like a way to do this without putting the
> admin password in the script., if theres a way to store
> this password encrypted somehow that would be great.
the problem is that you dont have the old password from the user
(samba starts the passwd sync program only with the new password).
there are a few ways I know how you can do it:
* make a smbadm dn and give him write permissions to the password
attributes (lmpassword, ntpassword, userpassword)
* make an acl for the ip address from your samba server and give
the server write permissions
>
> I would of had this done hours ago but came accross a bug
> in openssh where it segfaults when libnss-ldap is installed
> and using SSL/TLS. wasn't till about 30mins ago that i tried
> it with SSL/TLSoff and it stopped segfaulting.
>
> I'm sure there is probably a better way to do this, so any
> suggestions are welcome :)
>
> thanks!
>
> nate
>
> the script:
> #!/usr/bin/perl -w my $pass;
> my $pass2; $user=$ARGV[0];
> system "stty -echo";
> print "New password : ";
> chomp($pass=<STDIN>);
> print "\n";
> system "stty echo"; system "stty -echo";
> print "Retype new password : ";
> chomp($pass2=<STDIN>);
> print "\n";
> system "stty echo"; if ($pass ne $pass2) {
> print "New passwords don't match!\n";
> exit (10);
> } system "/usr/bin/smbpasswd $user $pass";
> $pass=`/usr/sbin/slappasswd -h {MD5} -s $pass`;
> $id=`/usr/bin/ldapsearch -H 'ldap://my.ldap.server:3890/' -b
> 'ou=People,o=linuxpowered,c=us' '(uid=$user)' cn -LLL | grep 'cn:' | cut -b
> 5-0`;
> #print "Username: $user\n";
> #print "UserID: $id\n";
> #print "Password: $pass\n";
> #exit 1;
> $FILE="|ldapmodify -D 'cn=admin,o=linuxpowered,c=us' -w MY_SECRET -H
> 'ldap://my.ldap.server:3890/'";
> open FILE or die;
> print FILE <<EOF;
> dn: cn=$id ,ou=People ,o=linuxpowered ,c=us
> changetype: modify
> replace: userPassword
> userPassword: $pass
> EOF
> close FILE;
> exit 0;
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba
greets
Andrew
More information about the samba
mailing list