From cc3c39e85188028bd870f11402e94a927cce0de5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sergiusz=20=27q3k=27=20Baza=C5=84ski?=
Date: Mon, 27 Nov 2017 18:51:05 +0100
Subject: [PATCH] Only alert on both SASL and SSHA passwords

We will ask users to use a self-service portal to migrate to SASL-only once that portal exists :).
---
 bin/check-member | 40 ++++++++++++++++++++++++++++------------
 1 file changed, 28 insertions(+), 12 deletions(-)

diff --git a/bin/check-member b/bin/check-member
index 394d48a..4447e80 100755
--- a/bin/check-member
+++ b/bin/check-member
@@ -37,6 +37,7 @@ function weird() {
 echo -ne "\e[33mWeird:\e[0m "
 echo $problem
+ echo ""
 }
@@ -126,20 +127,35 @@ stat --printf="%a" $maildir | grep -q '700' || fail "User $member has broken per
 echo -e "\e[32mStep 5\e[0m - Checking kerberos integration."
-$kadmin $kadminopts listprincs | grep -q $member || fail "User $member has no kerberos principal" "kadmin add_principal $member@HACKERSPACE.PL" fatal
-
-principal="$member@HACKERSPACE.PL"
-
-ldap -b 'ou=People,dc=hackerspace,dc=pl' "uid=$member" | grep 'userPassword' | while read line; do
- echo $line | cut -d" " -f 2 | base64 -d
-done | grep -q "{SASL}$principal" || fail "User $member has no SASL password in LDAP"
-
-ldap -b 'ou=People,dc=hackerspace,dc=pl' "uid=$member" | grep 'userPassword' | while read line; do
- echo $line | cut -d" " -f 2 | base64 -d
-done | grep -q "{SSHA}" && weird "User $member has SSHA password in LDAP"
-
 if check_group boston-shell; then
 homedir="/home/$member"
 [ -d $homedir ] || fail "User $member does not have a homedir" "sudo cp -rv /etc/skel $homedir"
 stat --printf="%U:%G" $homedir | grep -q "$member:$member" || fail "User $member has broken ownership on homedir" "sudo chown $member:$member $homedir"
 fi
+
+if $kadmin $kadminopts listprincs | grep -q $member ; then
+ principal="$member@HACKERSPACE.PL"
+ has_sasl=0
+ has_ssha=0
+
+ ldap -b 'ou=People,dc=hackerspace,dc=pl' "uid=$member" | grep 'userPassword' | while read line; do
+ echo $line | cut -d" " -f 2 | base64 -d
+ done | grep -q "{SASL}$principal"
+ if [ $? == 0 ] ; then
+ has_sasl=1
+ fi
+
+ ldap -b 'ou=People,dc=hackerspace,dc=pl' "uid=$member" | grep 'userPassword' | while read line; do
+ echo $line | cut -d" " -f 2 | base64 -d
+ done | grep -q "{SSHA}"
+ if [ $? == 0 ] ; then
+ has_ssha=1
+ fi
+
+ [ $has_sasl == 1 ] && [ $has_ssha == 1 ] && fail "User $member has both SASL and SSHA password in LDAP"
+else
+ weird "User $member has no kerberos principal" "kadmin add_principal $member@HACKERSPACE.PL"
+fi
+
+
+
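Review bot: The principal-existence test on the new `if $kadmin $kadminopts listprincs | grep -q $member ; then` line matches `$member` as an unanchored, unquoted regex anywhere in the `listprincs` output, so a short login such as `ann` is satisfied by `joanna@HACKERSPACE.PL` or by any unrelated principal containing that string, and a member who truly has no principal then silently skips the `weird` branch and is treated as Kerberos-enabled; assuming `listprincs` prints one bare principal per line (confirm against the kadmin in use), `grep -qxF -- "$member@HACKERSPACE.PL"` pins the match exactly and stops `$member` being interpreted as a pattern. The same applies to `done | grep -q "{SASL}$principal"`, where the `.` in the realm is a wildcard; `grep -qF -- "{SASL}$principal"` is the safe form. With the old `fail "... has no SASL password in LDAP"` removed, a principal whose LDAP entry carries neither a `{SASL}` nor an `{SSHA}` hash now produces no output at all — the SSHA-only case is intentional per the commit message, but the no-hash case is probably still worth a `weird` so a broken account is not reported as clean. Style-wise the `if [ $? == 0 ] ; then` tests are a bashism under `[ ]` and can be folded into the pipelines, e.g. `done | grep -qF -- "{SASL}$principal" && has_sasl=1`. The `kadmin`, `kadminopts`, `ldap`, `fail`, `weird` and `check_group` definitions sit outside the hunk, so the `fatal` severity that the old principal check carried and the new `weird` does not could not be compared here.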