Only alert on both SASL and SSHA passwords

We will ask users to use a self-service portal to migrate to SASL-only once that portal exists :).
2017-11-27 18:51:05 +01:00 · 2017-11-27 18:51:05 +01:00 · cc3c39e851
parent f71ee82158
commit cc3c39e851
1 changed files with 28 additions and 12 deletions
--- a/bin/check-member
+++ b/bin/check-member
@ -37,6 +37,7 @@ function weird() {

 	echo -ne "\e[33mWeird:\e[0m "
 	echo $problem
+	echo ""

 }

@ -126,20 +127,35 @@ stat --printf="%a" $maildir | grep -q '700' || fail "User $member has broken per

 echo -e "\e[32mStep 5\e[0m - Checking kerberos integration."

-$kadmin $kadminopts listprincs | grep -q $member || fail "User $member has no kerberos principal" "kadmin add_principal $member@HACKERSPACE.PL" fatal
-
-principal="$member@HACKERSPACE.PL"
-
-ldap -b 'ou=People,dc=hackerspace,dc=pl' "uid=$member" | grep 'userPassword' | while read line; do
-	echo $line | cut -d" " -f 2 | base64 -d
-done | grep -q "{SASL}$principal" || fail "User $member has no SASL password in LDAP"
-
-ldap -b 'ou=People,dc=hackerspace,dc=pl' "uid=$member" | grep 'userPassword' | while read line; do
-	echo $line | cut -d" " -f 2 | base64 -d
-done | grep -q "{SSHA}" && weird "User $member has SSHA password in LDAP"
-
 if check_group boston-shell; then
 	homedir="/home/$member"
 	[ -d $homedir ] || fail "User $member does not have a homedir" "sudo cp -rv /etc/skel $homedir"
 	stat --printf="%U:%G" $homedir | grep -q "$member:$member" || fail "User $member has broken ownership on homedir" "sudo chown $member:$member $homedir"
 fi
+
+if $kadmin $kadminopts listprincs | grep -q $member ; then
+	principal="$member@HACKERSPACE.PL"
+	has_sasl=0
+	has_ssha=0
+
+	ldap -b 'ou=People,dc=hackerspace,dc=pl' "uid=$member" | grep 'userPassword' | while read line; do
+		echo $line | cut -d" " -f 2 | base64 -d
+	done | grep -q "{SASL}$principal"
+	if [ $? == 0 ] ; then
+		has_sasl=1
+	fi
+	
+	ldap -b 'ou=People,dc=hackerspace,dc=pl' "uid=$member" | grep 'userPassword' | while read line; do
+		echo $line | cut -d" " -f 2 | base64 -d
+	done | grep -q "{SSHA}"
+	if [ $? == 0 ] ; then
+		has_ssha=1
+	fi
+
+	[ $has_sasl == 1 ] && [ $has_ssha == 1 ] && fail "User $member has both SASL and SSHA password in LDAP"
+else
+	weird "User $member has no kerberos principal" "kadmin add_principal $member@HACKERSPACE.PL"
+fi
+
+
+