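#!/bin/sh
#
# ndspasswd - Change your NDS password or UNIX/Linux login shell via LDAP
#
# Usage: ndspasswd [ -h | -e ]
#   (no argument)  change the Novell/UNIX password
#   -e             change the default login shell (same behaviour as `yppasswd -e`)
#   -h             print this usage text
#
# Exit status: 0 on success; 1 when the password change is refused (mismatch,
# empty, or rejected by the server); 2 for environment or usage problems
# (unsupported OS, missing tools, no reachable DS server, shell not listed in
# /etc/shells, unknown option).
#
# Written for the plain Bourne shell (Solaris 8 /bin/sh) as well as Linux sh:
# backticks rather than $(...), no `local`, no `read -r`, no `!` negation.
#
# Author: Ryan C. Anderson

PATH=/bin:/usr/bin:/usr/sbin:/usr/ucb
export PATH

OS=`uname`
OSVER=`uname -r`
ID=`whoami`
me=`basename "$0"`

# Enter your DS servers here (whitespace separated; tried in this order)
LDAP_SVRS="ds1 ds2 ds3"

USAGE="\nUsage: $me [ -h | -e ]. -h for this message. -e to change default shell\n\n"
NOSUP="\n$me: Does not work on this OS. Run on a Solaris or Linux workstation, or change password on a PC (Ctrl-Alt-Delete --> Change Password...).\n"

# die MESSAGE [STATUS] - print MESSAGE (\n escapes honoured) to stderr and exit.
# STATUS defaults to 2. The message is passed through %b, never used as the
# printf format string, so a '%' in a user name cannot corrupt the output.
die() {
  printf '%b' "$1" >&2
  exit "${2:-2}"
}

# Password prompts switch terminal echo off, so a terminal is required. The
# saved settings are restored after every prompt and by the signal trap below.
STTY_ORIG=`stty -g` || die "$me: Must be run from a terminal.\n"

case "$OS" in
  SunOS)
    [ "$OSVER" = 5.8 ] || die "$NOSUP"
    LDAPMODIFY=/usr/ldaptools/bin/ldapmodify
    LDAPSEARCH=/usr/ldaptools/bin/ldapsearch
    ;;
  Linux)
    LDAPMODIFY=/usr/ldaptools/bin/ldapmodify
    LDAPSEARCH=/usr/ldaptools/bin/ldapsearch
    ;;
  *)
    # Fatal rather than a warning: with LDAPMODIFY/LDAPSEARCH unset nothing
    # below can work, and continuing only produced a misleading "Missing" error.
    die "$NOSUP"
    ;;
esac

# Clean up the terminal if the script is killed while echo is off
trap 'stty "$STTY_ORIG"; exit 2' HUP INT QUIT TERM

# Use Novell's ldapmodify/ldapsearch for consistency and TLS support
[ -x "$LDAPMODIFY" ] || die "$me: Missing $LDAPMODIFY, exiting. Use a different Solaris or Linux workstation or change your password on a PC.\n"
[ -x "$LDAPSEARCH" ] || die "$me: Missing $LDAPSEARCH, exiting. Use a different Solaris or Linux workstation or change your password on a PC.\n"

# reachable HOST - exit status 0 when HOST answers one ping (syntax is per OS).
reachable() {
  case "$OS" in
    SunOS) ping "$1" 1 >/dev/null 2>&1 ;;
    Linux) ping -c 1 "$1" >/dev/null 2>&1 ;;
    *)     return 1 ;;
  esac
}

# Figure out what LDAP server to use: the first reachable one wins
LDAPSVR=
for ldaphost in $LDAP_SVRS; do
  if reachable "$ldaphost"; then
    LDAPSVR=$ldaphost
    break
  fi
done
[ -n "$LDAPSVR" ] || die "$me: NDS server unreachable\n"

# Now figure out the user's DN from an anonymous search. Only the first "dn:"
# line is used; a DN long enough to be LDIF line-folded is not unwrapped here.
DN=`"$LDAPSEARCH" -h "$LDAPSVR" -LLL "cn=$ID" dn | sed -n 's/^dn: //p' | head -n 1`
[ -n "$DN" ] || die "$me: No NDS entry found for $ID on $LDAPSVR\n"

# read_secret PROMPT - print PROMPT, read one line with echo off into SECRET,
# then restore the terminal. Bourne `read` has no -r, so a backslash typed in a
# password is treated as an escape character, as it was in the original.
read_secret() {
  printf '%s' "$1"
  stty -echo
  read SECRET
  stty "$STTY_ORIG"
  printf '\n'
}

# valid_shell PATH - exit status 0 when PATH is exactly one line of /etc/shells.
# A whole-line string comparison replaces `grep PATH /etc/shells`, which treated
# the user's input as a regex, matched any substring of a listed shell, and
# accepted an empty string. The subshell keeps the redirected loop and its
# `exit` local to this function under the Bourne shell too.
valid_shell() {
  ( [ -n "$1" ] || exit 1
    while read line; do
      [ "$line" = "$1" ] && exit 0
    done < /etc/shells
    exit 1 )
}

# ldap_modify_as_user - apply the LDIF on stdin over TLS, bound as $DN with
# $OLDPASS. Output is discarded exactly as before; only the exit status is used.
# NOTE(review): -w places the current password on ldapmodify's command line,
# where any local user can read it from the process table for as long as
# ldapmodify runs; prefer a prompt- or file-based password option if this
# build of ldapmodify provides one.
ldap_modify_as_user() {
  "$LDAPMODIFY" -h "$LDAPSVR" -r -ZZ -D "$DN" -w "$OLDPASS" >/dev/null 2>&1
}

# chg_pass - change the user's NDS/UNIX password. The delete/add pair in the
# LDIF carries the old and the new value so the server can verify the old one.
# Values that plain LDIF cannot carry as "attr: value" (leading space, leading
# ':' or '<', non-ASCII) are not base64-encoded, as in the original script.
chg_pass() {
  printf '%s: Changing Novell/UNIX password for %s\n' "$me" "$ID"
  read_secret "Enter your existing (Novell) password: "
  OLDPASS=$SECRET
  read_secret "Enter your new password: "
  NEWPASS1=$SECRET
  read_secret "Re-enter your new password: "
  NEWPASS2=$SECRET
  unset SECRET

  # Quoted comparisons: an empty answer or one containing spaces must not
  # break the test (unquoted, an empty answer was a syntax error in [ ]).
  if [ "$NEWPASS1" != "$NEWPASS2" ]; then
    die "\nExiting. Passwords do not match. Run $me again.\n\n" 1
  fi
  if [ -z "$NEWPASS1" ]; then
    die "\nExiting. New password must not be empty. Run $me again.\n\n" 1
  fi
  NEWPASS=$NEWPASS1
  unset NEWPASS1 NEWPASS2

  # Single if/else on the pipeline's status: the original re-tested $? after
  # a [ ] had already overwritten it, so the failure branch never ran.
  if printf 'dn: %s\nchangetype: modify\ndelete: userPassword\nuserPassword: %s\n-\nadd: userPassword\nuserPassword: %s\n' \
      "$DN" "$OLDPASS" "$NEWPASS" | ldap_modify_as_user; then
    printf '\n%s: Novell password for %s successfully changed\n\n' "$me" "$ID"
  else
    printf '\n%s: Password not changed. Likely cause: script error\n' "$me" >&2
    printf 'or password does not meet password guidelines. If\n' >&2
    printf 'problems persist, change password on a PC or\n' >&2
    printf 'call the Helpdesk.\n\n' >&2
    exit 1
  fi
}

# Change a user's default shell*
# * Each posixAccount user must have a Trustee assignment of 'write'
#   to their own loginShell attribute in NDS for this to work!
#   Slurp this LDIF file as an admin to give this permission
#   (fill in your organisation after "o="):
#     dn: o=
#     changetype: modify
#     add: ACL
#     ACL: 7#subtree#[This]#loginShell
chg_shell() {
  # Strip the attribute name and any blanks so the value prints and compares clean
  OLDSHELL=`"$LDAPSEARCH" -h "$LDAPSVR" "cn=$ID" loginShell | sed -n 's/^loginShell: *//p' | head -n 1`
  printf '\nChanging default shell for %s\n' "$ID"
  read_secret "Enter your existing (Novell) password: "
  OLDPASS=$SECRET
  unset SECRET
  printf 'Old shell: %s\n' "$OLDSHELL"
  printf 'New shell: '
  read NEWSHELL
  printf '\n'

  # Validate before binding to the server: the value is stored in NDS verbatim
  valid_shell "$NEWSHELL" || die "Can't change to this shell, use one from /etc/shells\n"

  if printf 'dn: %s\nchangetype: modify\nreplace: loginShell\nloginShell: %s\n' \
      "$DN" "$NEWSHELL" | ldap_modify_as_user; then
    printf 'Login shell for %s changed from %s to %s\n\n' "$ID" "$OLDSHELL" "$NEWSHELL"
  else
    die "ERROR: Login shell not changed. Run $me again or call the Helpdesk.\n\n" 1
  fi
}

# We can either change our shell (-e) or password (no arg).
# This is the same behavior as `yppasswd -e`. An unknown option now exits 2
# instead of 0 so callers can tell a usage error from success.
case "$1" in
  -e) chg_shell ;;
  '') chg_pass ;;
  -h) printf '%b' "$USAGE" ;;
  *)  die "$USAGE" ;;
esac
exit 0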