Updates for packages

2024-09-02 23:54:57 -05:00
parent f139ea55b4
commit 59b3181d61
17 changed files with 473 additions and 54 deletions


@@ -1,4 +1,4 @@
binlist = ldap-adduser ldap-userreport ldap-resetpass
binlist = ldap-adduser ldap-userreport ldap-resetpass ldap-recreateuser
filelist = sample-user.ldif
compile:


@@ -0,0 +1,22 @@
#!/bin/bash
uid="$1"
userfile="/etc/openldap/users.d/$uid.ldif"
if [ -z "$uid" ]; then
echo "Need a user ID (uid)!"
exit 1
fi
if [ ! -f "$userfile" ]; then
ldapsearch -x "uid=${uid}" > "$userfile"
echo "$userfile" had to be created -- please validate before re-running this script.
exit 2
fi
read -sp 'cn=root,dc=aninix,dc=net Password: ' rootdnpw
ldapdelete -D 'cn=root,dc=aninix,dc=net' -w "$rootdnpw" -H ldap://127.0.0.1 "uid=$uid,ou=People,dc=aninix,dc=net" && \
ldapadd -D 'cn=root,dc=aninix,dc=net' -w "$rootdnpw" -H ldap://127.0.0.1 -f "$userfile"
exit $?
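Review bot: The rootdn password is handed to both ldapdelete and ldapadd on argv via `-w "$rootdnpw"`, which makes it readable by every local user through `ps`/`/proc/*/cmdline` for the lifetime of each command; a 0600 temp file passed with `-y` (or the `-W` prompt the sibling scripts use) keeps it off the command line. `$uid` is also used unvalidated as a path component, as an LDAP filter and inside a DN, so a value like `../x` or `*` changes which file is written and which entry is searched and deleted — a character whitelist before first use closes that. The file created by `ldapsearch -x "uid=${uid}"` is raw ldapsearch output that, without `-LLL`, ends in non-comment `search:`/`result:` lines ldapadd will reject, and an anonymous bind will usually not return `userPassword`, so the admin validation step should check for that explicitly. `read -sp` without `-r` also mangles a password containing backslashes.
```shell
#!/bin/bash
uid="$1"
userfile="/etc/openldap/users.d/$uid.ldif"
# Reject anything that is not a plain uid: it is used in a path, a filter and a DN below.
if [[ ! "$uid" =~ ^[A-Za-z0-9._-]+$ ]]; then
  echo "Need a user ID (uid) made only of [A-Za-z0-9._-]!" >&2
  exit 1
fi
# … unchanged: userfile creation / "please validate" step …
umask 077
pwfile=$(mktemp) || exit 1
trap 'rm -f -- "$pwfile"' EXIT
read -rsp 'cn=root,dc=aninix,dc=net Password: ' rootdnpw
printf '%s' "$rootdnpw" > "$pwfile"
ldapdelete -D 'cn=root,dc=aninix,dc=net' -y "$pwfile" -H ldap://127.0.0.1 "uid=$uid,ou=People,dc=aninix,dc=net" && \
ldapadd -D 'cn=root,dc=aninix,dc=net' -y "$pwfile" -H ldap://127.0.0.1 -f "$userfile"
exit $?
```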


@@ -7,8 +7,25 @@ if [ -z "$uid" ]; then
exit 1
fi
ldappasswd -D 'cn=root,dc=aninix,dc=net' -W -H ldap://127.0.0.1 "uid=$uid,ou=People,dc=aninix,dc=net"
read -sp 'cn=root,dc=aninix,dc=net Password: ' rootdnpw
#ldapmodify -D 'cn=root,dc=aninix,dc=net' -W -H ldap://127.0.0.1 -f <(printf "dn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\nadd: pwdReset\npwdReset: TRUE\n\n")
ldappasswd -D 'cn=root,dc=aninix,dc=net' -w "$rootdnpw" -H ldap://127.0.0.1 "uid=$uid,ou=People,dc=aninix,dc=net" && \
ldapmodify -D 'cn=root,dc=aninix,dc=net' -w "$rootdnpw" -H ldap://127.0.0.1 -f <(cat <<EOM
dn: uid=$uid,ou=People,dc=aninix,dc=net
changetype: modify
add: pwdReset
pwdReset: TRUE
EOM
)
echo 'As cn=root,cn=config...' && ldapmodify -D 'cn=root,cn=config' -W -H ldap://127.0.0.1 -f <(cat <<EOM
dn: uid=$uid,ou=People,dc=aninix,dc=net
changetype: modify
delete: pwdChangedTime
EOM
)
exit $?
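Review bot: The `echo 'As cn=root,cn=config...' && ldapmodify ...` step runs even when the preceding `ldappasswd ... && ldapmodify ...` chain failed, because that chain ends at the `)` closing the process substitution and is not joined to the next command, and `exit $?` then reports only the last ldapmodify — a failed reset can exit 0 with `pwdChangedTime` already deleted. Changing that closing `)` to `) || exit $?` (or joining the two commands with `&&`) stops the script at the first failure. The move from `-W` to `-w "$rootdnpw"` also places the rootdn password on the argv of ldappasswd and ldapmodify where any local user can read it from `ps`; writing it to a 0600 `mktemp` file and passing `-y "$pwfile"` keeps the single-prompt convenience without that exposure, and `read -rsp` avoids backslash mangling. The `if [ -z "$uid" ]` check begins before this hunk and only tests for emptiness, so `$uid` is still interpolated unvalidated into the DN in both heredocs.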


@@ -1,54 +1,95 @@
#!/bin/bash
hostname=`hostname`
errortext="ERROR:NEVER"
arg="$1"
function shortshow() {
echo ${user}": "$email
function getLDAPAttr() {
### Get an LDAP attribute
# param: filter
# param attribute
filter="${1}"
attribute="${2}"
ldapsearch -x "${filter}" "${attribute}" | grep -E "^${attribute}: " | sed "s/${attribute}: //"
}
basedn=`ldapsearch -x '(cn=root)' dn | grep -E ^dn:\ | sed 's/dn: cn=root,//'`
# Clear cleanup files
ldif="/root/cleanup.ldif"
>"${ldif}"
bash="/root/cleanup.bash"
echo "#!/bin/bash" > "${bash}"
for user in `ldapsearch -x -b "ou=People,$basedn" '(uid=*)' uid | grep -E ^uid:\ | sed 's/^uid: //'`; do
# Attributes
basedn=`getLDAPAttr '(cn=root)' dn | sed 's/cn=root,//'`
pwdMaxAge=`getLDAPAttr '(&(cn=default)(objectClass=pwdPolicy))' pwdMaxAge`
warning=`getLDAPAttr '(&(cn=default)(objectClass=pwdPolicy))' pwdExpireWarning`
pwdWarnAge=$(( $pwdMaxAge - $warning ))
unset EXPIRED EXPIRING OK PENDING
### Check all users
for user in `ldapsearch -x -b "ou=People,$basedn" uid | grep -E ^uid:\ | sed 's/^uid: //'`; do
# Pull changed stats
lastChanged=`/usr/sbin/ldapsearch -x "(uid=$user)" + | grep pwdChangedTime | cut -f 2 -d ' '`
created=`/usr/sbin/ldapsearch -x "(uid=$user)" + | grep createTimestamp | cut -f 2 -d ' '`
email=`/usr/sbin/ldapsearch -x "(uid=$user)" | grep mail | cut -f 2 -d ' '`
# created=`/usr/sbin/ldapsearch -x "(uid=$user)" + | grep createTimestamp | cut -f 2 -d ' '`
# email=`/usr/sbin/ldapsearch -x "(uid=$user)" | grep mail | cut -f 2 -d ' '`
# If user has PENDING changed, report
if [ -z "$lastChanged" ]; then
lastChanged="$errortext";
if [ -z "${PENDING}" ]; then
PENDING="${user}"
else
PENDING="${PENDING},${user}"
fi
else
delta="$(( `date +%s` - `date -d $(echo $lastChanged | head -c 8) +%s`))"
fi
lastlog=`lastlog -u $user | tail -n 1`
if [ `echo $lastlog | grep -c 'Never logged in'` -gt 0 ]; then
lastlog=$errortext
else
lastlog=`echo $lastlog | awk '{$1="";$2="";$3="";print $0 }'`
fi
printf "User $user (email: $email, created: $created) last changed their password on $lastChanged. They last logged in to SSH on $hostname on $lastlog\n" | (
case "$arg" in
"--inactive")
if grep -E $errortext'$' &> /dev/null; then shortshow; fi
;;
"--needschange")
if [ "$lastChanged" == "$errortext" ]; then
shortshow
# Report if user is expired
if [ $delta -gt $pwdMaxAge ]; then
if [ -z "${EXPIRED}" ]; then
EXPIRED="${user}"
else
if [ $delta -gt 28512000 ] && [ $delta -lt 31536000 ]; then shortshow; fi
EXPIRED="${EXPIRED},${user}"
fi
;;
"--expired")
if [ "$lastChanged" != "$errortext" ] && [ "$delta" -ge 31536000 ]; then
shortshow;
printf "dn: uid=${user},ou=People,${basedn}\nchangetype: delete\n\n" >> "${ldif}"
printf "rm -Rf `getent passwd "${user}" | cut -f 6 -d ':'`\n" >> "${bash}"
# Report if the user is expiring and needs to update their password.
elif [ $delta -gt $pwdWarnAge ] && [ $delta -le $pwdMaxAge ]; then
if [ -z "${EXPIRING}" ]; then
EXPIRING="${user}"
else
EXPIRING="${EXPIRING},${user}"
fi
;;
*)
cat
;;
esac
)
# Record the user account is OK.
else
if [ -z "${OK}" ]; then
OK="${user}"
else
OK="${OK},${user}"
fi
fi
fi
done
### Results
# Should always have OK users in the tree.
echo "OK: ${OK}"
# Report when there are users that have not changed their password.
# This may be normal, such as for new user accounts, and may not drive action.
if [ -n "$PENDING" ]; then
echo "PENDING: ${PENDING}"
fi
# Report when users are expiring -- give them several notices to fix it.
if [ -n "${EXPIRING}" ]; then
echo "EXPIRING: ${EXPIRING}"
ravensend -c "#tech" -m "The following users are expiring: ${EXPIRING}"
fi
# Report users that have expired. These users should be contacted or removed.
if [ -n "${EXPIRED}" ]; then
echo "EXPIRED: ${EXPIRED}"
echo "Expired users can be cleaned up with ${ldif} and ${bash}"
ravensend -c "#sharingan" -m 'Users have expired and need attention.'
fi
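Review bot: The policy values read on the `pwdMaxAge=` and `warning=` lines are never validated, so when the anonymous `ldapsearch -x` cannot read the cn=default pwdPolicy entry the script either dies on `pwdWarnAge=$(( $pwdMaxAge - $warning ))` with an opaque "operand expected" error or, if only `pwdMaxAge` is empty, has `[ $delta -gt $pwdMaxAge ]` fail on every user so that everyone is reported OK — the report fails open. A guard right after those two assignments, `[[ "$pwdMaxAge" =~ ^[0-9]+$ && "$warning" =~ ^[0-9]+$ ]] || { echo "cannot read pwdPolicy cn=default" >&2; exit 1; }`, turns that into a visible error; the same concern applies to `lastChanged`, since an ACL hiding operational attributes from anonymous binds would quietly put every user in PENDING. The generated cleanup line `printf "rm -Rf \`getent passwd "${user}" | cut -f 6 -d ':'\`\n"` emits an unquoted home directory, so a user with no passwd entry yields a bare `rm -Rf` and a path with spaces is split; capture the value first, refuse it unless it is a non-empty absolute path other than `/`, and emit it with `printf 'rm -Rf -- %q\n' "$home"`. The `/root/cleanup.ldif` and `/root/cleanup.bash` outputs are truncated on every run, which is fine for root-only use but deserves a comment at the `# Clear cleanup files` line.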