it-artikel:linux:openldap-ppolicy-und-passwd-oder-wie-man-den-passwortwechsel-auf-der-shell-erzwingen-kann
Revision 2022-08-31 12:30 (current): created by external edit from 127.0.0.1
====== OpenLDAP, ppolicy and passwd - or how to force a password change on the shell ======

This is not a complete howto. It is only a small part of a larger Linux LDAP and file server project based on Debian 5 Lenny, OpenLDAP, Samba and various other Linux components. It is PART of the Linux login script that is sourced via /

This page is only meant to give ideas and to show how I solved one or the other problem along the way.

Note that I do not use the shadow password mechanism that is otherwise common on Linux here; instead I rely primarily on OpenLDAP as the user database, in combination with the OpenLDAP ppolicy overlay.

==== check-for-pw-reset4.sh ====
<code bash check-for-pw-reset4.sh>
#!/bin/sh
#
##############################################
# /
#
# FREE for Use/
#
#
# This Script is to be sourced by /
# check a user's homedir for a "
# he reset the user's password. If that Flare-File is found the user is
# forced to change his password for security reasons.
#
###############################################
#
# Version:
#
#
# Version History:
#
# 2008-01-22 first Release by Axel Werner
# 2009-02-26 change:
#            Else don't force user to reset pw as it's been already set by samba or something else.
# 2009-03-05 add:
#
#            getting locked out permanently. I added a check for grace logins so the user gets
#            a warning and an information about how many grace logins he has got left.
# 2009-03-16 add:
#
#            which locks out the user for some reason.
# 2009-07-20 change:
#
#
##############################################
#
#
#set -x

# set the default ppolicy for normal users here so I can look up their grace logins
ppolicydn='
flare='


flag=false

# check for ldap attribute '
flag=`ldapsearch -ZZ -x -LLL '

# check for flare-file if the user's pw has been reset by admin
if test -f ~/${flare}; then {
    #echo "
    flag='
}
fi


if [ "
cat <<EOF

ATTENTION:
For security reasons you will NOW have to change your password
to something ONLY YOU know about.

NOTE: MAKE SURE your new password contains at least one UPPERCASE,
a NUMBER and one SPECIAL character. Else you will not be able to
change your password and so you cannot log in properly.

NOW Please Enter Your OLD PASSWORD FIRST! (The one given by your Admin)

EOF
    while ! passwd; do
cat <<EOF

FAILURE: Changing your password failed. Maybe you used one of your older passwords or
your new password does not meet the password-requirements. Please Retry!

AGAIN: Start entering your OLD Password first, then enter the new Password and confirm
the new password again.

EOF
    done
    rm ~/${flare} > /dev/null 2>&1
cat <<EOF

Your Linux Console-Password has been Changed successfully! Thank You!
NOTICE: Don't forget to change/

EOF
fi


##################
#
#
#
#
GraceLoginsUses=false
GraceLoginsUses=`ldapsearch -ZZ -x -LLL '
if [ "

    pwdGraceAuthNLimit=false
    loginsleft=false
    pwdGraceAuthNLimit=`ldapsearch -ZZ -x -LLL -b "

    # trim leading and trailing whitespace from a variable
    pwdGraceAuthNLimit=${pwdGraceAuthNLimit##
    pwdGraceAuthNLimit=${pwdGraceAuthNLimit%%+([[:

    let loginsleft="

    if [ "

cat <<EOF

ATTENTION:
THIS IS YOUR LAST CHANCE TO CHANGE YOUR PASSWORD!
If you don't change your password NOW your Account will
become permanently locked.

NOTE: MAKE SURE your new password contains at least one UPPERCASE,
a NUMBER and a SPECIAL character. Else you will not be able to
change your password and so you cannot log in properly.

NOW Please Enter Your OLD PASSWORD FIRST!

EOF
        while ! passwd; do
cat <<EOF

FAILURE: Changing your password failed. Maybe you used one of your older passwords or
your new password does not meet the password-requirements. Please Retry!

AGAIN: Start entering your OLD Password first, then enter the new Password and confirm
the new password again.

EOF
        done
cat <<EOF

Your Linux Console-Password has been Changed successfully! Thank You!
NOTICE: Don't forget to change/

EOF

    else
cat <<EOF

#########
WARNING!
#########
It seems your Password has expired and THIS is a GRACE LOGIN.
You MUST change your Password within your remaining grace logins,
else your account will become LOCKED.

EOF
        echo "You have ${loginsleft} grace logins left!"
        echo
        echo "Press ENTER to confirm..."
        read

    fi

fi

set +x


</code>
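Added example, not the article's script: the decision the script makes (password flagged as reset by the admin, flare file present, or grace logins running out) reworked as shell functions that parse the LDIF text `ldapsearch -LLL` would return, so the logic can be checked without an LDAP server. The LDIF samples, the DNs and timestamps in them, and the "last chance" threshold of one remaining grace login are assumptions.

```shell
#!/bin/sh
# Added example, not the article's script. Parses the LDIF that
# 'ldapsearch -ZZ -x -LLL' returns for a user and for the ppolicy entry,
# then applies the login script's decision logic. All LDIF below is
# constructed sample data; the DNs and timestamps are made up.
USER_LDIF='dn: uid=jdoe,ou=people,dc=example,dc=org
pwdReset: TRUE
pwdGraceUseTime: 20090305101500Z
pwdGraceUseTime: 20090306091200Z
'
POLICY_LDIF='dn: cn=default,ou=policies,dc=example,dc=org
pwdGraceAuthNLimit: 3
'
# pwd_reset_flag LDIF: TRUE if ppolicy has flagged the password as reset
# by the admin (operational attribute pwdReset), else FALSE.
pwd_reset_flag() {
    printf '%s\n' "$1" | awk '/^pwdReset: TRUE$/ { f = 1 }
        END { if (f) print "TRUE"; else print "FALSE" }'
}
# grace_logins_used LDIF: ppolicy records one pwdGraceUseTime value per
# grace login consumed after the password expired; count them.
grace_logins_used() {
    printf '%s\n' "$1" | awk '/^pwdGraceUseTime: / { n++ } END { print n + 0 }'
}
# grace_limit LDIF: the policy's pwdGraceAuthNLimit with whitespace
# trimmed; 0 when the attribute is absent (no grace logins at all).
grace_limit() {
    printf '%s\n' "$1" | awk -F': *' '$1 == "pwdGraceAuthNLimit" { v = $2 }
        END { gsub(/[[:space:]]/, "", v); print v + 0 }'
}
# grace_logins_left USER_LDIF POLICY_LDIF: limit minus logins used.
grace_logins_left() {
    echo $(( $(grace_limit "$2") - $(grace_logins_used "$1") ))
}
# decide USER_LDIF POLICY_LDIF FLARE (yes|no): "force" when passwd must be
# run in a loop, "warn" for a grace login with logins to spare, else "ok".
# Assumption: the last chance is reached with one grace login left.
decide() {
    if [ "$3" = yes ] || [ "$(pwd_reset_flag "$1")" = TRUE ]; then
        echo force
    elif [ "$(grace_logins_used "$1")" -gt 0 ]; then
        if [ "$(grace_logins_left "$1" "$2")" -le 1 ]; then echo force; else echo warn; fi
    else
        echo ok
    fi
}
```

In the real script the two LDIF strings are the output of the user search and of the search on `ppolicydn`, and the flare argument is the result of the `test -f ~/${flare}` check.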