Only alert on both SASL and SSHA passwords
We will ask users to use a self-service portal to migrate to SASL-only once that portal exists :).
parent
f71ee82158
commit
cc3c39e851
|
@ -37,6 +37,7 @@ function weird() {
|
|||
|
||||
echo -ne "\e[33mWeird:\e[0m "
|
||||
echo $problem
|
||||
echo ""
|
||||
|
||||
}
|
||||
|
||||
|
@ -126,20 +127,35 @@ stat --printf="%a" $maildir | grep -q '700' || fail "User $member has broken per
|
|||
|
||||
echo -e "\e[32mStep 5\e[0m - Checking kerberos integration."
|
||||
|
||||
$kadmin $kadminopts listprincs | grep -q $member || fail "User $member has no kerberos principal" "kadmin add_principal $member@HACKERSPACE.PL" fatal
|
||||
|
||||
principal="$member@HACKERSPACE.PL"
|
||||
|
||||
ldap -b 'ou=People,dc=hackerspace,dc=pl' "uid=$member" | grep 'userPassword' | while read line; do
|
||||
echo $line | cut -d" " -f 2 | base64 -d
|
||||
done | grep -q "{SASL}$principal" || fail "User $member has no SASL password in LDAP"
|
||||
|
||||
ldap -b 'ou=People,dc=hackerspace,dc=pl' "uid=$member" | grep 'userPassword' | while read line; do
|
||||
echo $line | cut -d" " -f 2 | base64 -d
|
||||
done | grep -q "{SSHA}" && weird "User $member has SSHA password in LDAP"
|
||||
|
||||
if check_group boston-shell; then
|
||||
homedir="/home/$member"
|
||||
[ -d $homedir ] || fail "User $member does not have a homedir" "sudo cp -rv /etc/skel $homedir"
|
||||
stat --printf="%U:%G" $homedir | grep -q "$member:$member" || fail "User $member has broken ownership on homedir" "sudo chown $member:$member $homedir"
|
||||
fi
|
||||
|
||||
if $kadmin $kadminopts listprincs | grep -q $member ; then
|
||||
principal="$member@HACKERSPACE.PL"
|
||||
has_sasl=0
|
||||
has_ssha=0
|
||||
|
||||
ldap -b 'ou=People,dc=hackerspace,dc=pl' "uid=$member" | grep 'userPassword' | while read line; do
|
||||
echo $line | cut -d" " -f 2 | base64 -d
|
||||
done | grep -q "{SASL}$principal"
|
||||
if [ $? == 0 ] ; then
|
||||
has_sasl=1
|
||||
fi
|
||||
|
||||
ldap -b 'ou=People,dc=hackerspace,dc=pl' "uid=$member" | grep 'userPassword' | while read line; do
|
||||
echo $line | cut -d" " -f 2 | base64 -d
|
||||
done | grep -q "{SSHA}"
|
||||
if [ $? == 0 ] ; then
|
||||
has_ssha=1
|
||||
fi
|
||||
|
||||
[ $has_sasl == 1 ] && [ $has_ssha == 1 ] && fail "User $member has both SASL and SSHA password in LDAP"
|
||||
else
|
||||
weird "User $member has no kerberos principal" "kadmin add_principal $member@HACKERSPACE.PL"
|
||||
fi
|
||||
|
||||
|
||||
|
||||
|
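Review bot: The principal existence test on the new `if $kadmin $kadminopts listprincs | grep -q $member ; then` line is an unquoted, unanchored substring match, so a member named `ann` is satisfied by `joann@HACKERSPACE.PL` or by a service principal such as `ann/admin`, and the SASL/SSHA branch then runs for a principal that may not exist while the "no kerberos principal" warning is suppressed. Match the whole line literally: `if $kadmin $kadminopts listprincs | grep -qxF "$member@HACKERSPACE.PL"; then`. The same applies to the SASL lookup, where `.` in `HACKERSPACE.PL` is a regex wildcard and `{SASL}` is only literal because GNU grep tolerates an unescaped brace; `grep -qF -- "{SASL}$principal"` pins it to the exact string. Optionally, the two identical `ldap ... | base64 -d` pipelines could be run once into a variable and both `grep -q` tests applied to that, which also removes the `[ $? == 0 ]` indirection in favour of `if ... | grep -qF ...; then has_sasl=1; fi`.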
|