Attachment #4805 for bug #29275

View | Details | Raw Unified | Return to bug 29275
Collapse All | Expand All




		read -s password
		DCPWD=$(mktemp)
		trap "rm -f '$DCPWD'" EXIT
		echo -n "$password" >>$DCPWD
		echo ""
		echo ""
	fi


	# First use udm to search the user DN
	binddn="$(univention-ssh "$DCPWD" "$DCACCOUNT"@"$ldap_master" \
		/usr/sbin/univention-directory-manager users/user list --filter uid=$DCACCOUNT --logfile /dev/null | sed -ne 's|DN: ||p')"

	if [ -z "$binddn" ]; then
		# Next check is the local ldapi interface
		binddn="$(univention-ssh "$DCPWD" "$DCACCOUNT"@"$ldap_master" \
			ldapsearch -x LLL -H ldapi:/// "(&(uid=$DCACCOUNT)(objectClass=person))" dn | ldapsearch-wrapper | ldapsearch-decode64 | sed -ne 's|^dn: ||p;s|^DN: ||p')"
	fi

	if [ -z "$binddn" ]; then
		# Check with anonymous bind
		ldap_result=$(univention-ssh "$DCPWD" "$DCACCOUNT"@"$ldap_master" \
			   "ldapsearch -x -LLL \'\(\&\(uid=$DCACCOUNT\)\(objectClass=person\)\)\' dn")
		for i in $(echo "$ldap_result" | ldapsearch-wrapper | ldapsearch-decode64 | sed -ne 's|^dn: ||p'); do
			if [ -n "$binddn" ]; then
				failed_message "binddn for user $DCACCOUNT not unique, $i and $binddn"
			fi

	if [ -z "$binddn" ]; then
		failed_message "binddn for user $DCACCOUNT not found"
	else
		ldapsearch -x -LLL -b "$ldap_base" -D "$binddn" -w "$(<"$DCPWD")" -LLL -s base >/dev/null 2>&1
		if [ $? != 0 ]; then
			failed_message "Invalid credentials"
		else

		fi

		if [ ! "$server_role" = "domaincontroller_master" ] || [ -n "$ASK_PASS" ] ; then
			"$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")"
		else
			"$i"
		fi




check_ldap_tls_connection () {
	echo -n "Check TLS connection "

	eval "$(univention-config-registry shell ldap/master/port)"

	ldapsearch -x -ZZ -p "$ldap_master_port" -s base -h "$DCNAME" -D "$binddn" -w "$(<"$DCPWD")" dn >/dev/null
	if  [ $? != 0 ]; then



# get master versions
versions="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" /usr/sbin/univention-config-registry search --brief ^version/)"
OLDIFS=$IFS
IFS=$'\n'
for i in $versions; do

if [ -x /etc/init.d/samba4 ]; then
	echo -n "Stop Samba 4 Server: "
	if [ "$dns_backend" = "samba4" ]; then
		univention-config-registry set dns/backend=ldap >>/var/log/univention/join.log 2>&1
		/etc/init.d/bind9 restart >>/var/log/univention/join.log 2>&1
	fi
	/etc/init.d/samba4 stop >>/var/log/univention/join.log 2>&1


if [ -z "$LDAPBASE" ]; then
	echo -n "Search ldap/base"
	ldap_base="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" /usr/sbin/univention-config-registry search --brief ^ldap/base$ | sed -ne 's|^ldap/base: ||p')"
else
	ldap_base="$LDAPBASE"
fi


# First use udm to search the user DN
binddn="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" \
	/usr/sbin/univention-directory-manager users/user list --filter uid="$DCACCOUNT" --logfile /dev/null | sed -ne 's|^DN: ||p')"

if [ -z "$binddn" ]; then
	# Next check is the local ldapi interface

if [ -e /etc/runit/univention/univention-directory-listener ]; then
	echo -n "Stopping univention-directory-listener daemon: "
	/etc/init.d/univention-directory-listener stop >/dev/null 2>&1
	while ! sv status univention-directory-listener | grep -q "^down"
	do
		sleep 1
		/etc/init.d/univention-directory-listener stop >/dev/null 2>&1

Lines 168-174 Link Here

(-)univention-server-join (-1 / +1 lines)
168	if [ -z "$BINDDN" ]; then	168	if [ -z "$BINDDN" ]; then
169	if [ -n "$BINDACCOUNT" ]; then	169	if [ -n "$BINDACCOUNT" ]; then
170	# FIXME: This not longer works with anonymous bind disabled!	170	# FIXME: This not longer works with anonymous bind disabled!
171	BINDDN="$(ldapsearch -x "(&(uid=$BINDACCOUNT)(objectclass=posixAccount))" dn \| ldapsearch-wrapper \| sed -ne 's\|dn: \|\|p')"	171	BINDDN="$(ldapsearch -x "(&(uid=$BINDACCOUNT)(objectclass=posixAccount))" dn \| ldapsearch-wrapper \| ldapsearch-decode64 \| sed -ne 's\|dn: \|\|p')"
172	log 0 "found BINDDN: $BINDDN" >>"$LOGFILE"	172	log 0 "found BINDDN: $BINDDN" >>"$LOGFILE"
173	if [ -z "$BINDDN" ]; then	173	if [ -z "$BINDDN" ]; then
174	log 1 "E: failed to get binddn for $BINDACCOUNT"	174	log 1 "E: failed to get binddn for $BINDACCOUNT"

Return to bug 29275

Lines 124-130 Link Here

(-)univention-run-join-scripts (-6 / +6 lines)
124	read -s password	124	read -s password
125	DCPWD=$(mktemp)	125	DCPWD=$(mktemp)
126	trap "rm -f '$DCPWD'" EXIT	126	trap "rm -f '$DCPWD'" EXIT
127	echo "$password" >>$DCPWD	127	echo -n "$password" >>$DCPWD
128	echo ""	128	echo ""
129	echo ""	129	echo ""
130	fi	130	fi
Lines 133-151 Link Here
133		133
134	# First use udm to search the user DN	134	# First use udm to search the user DN
135	binddn="$(univention-ssh "$DCPWD" "$DCACCOUNT"@"$ldap_master" \	135	binddn="$(univention-ssh "$DCPWD" "$DCACCOUNT"@"$ldap_master" \
136	/usr/sbin/udm users/user list --filter uid=$DCACCOUNT --logfile /dev/null \| sed -ne 's\|DN: \|\|p')"	136	/usr/sbin/univention-directory-manager users/user list --filter uid=$DCACCOUNT --logfile /dev/null \| sed -ne 's\|DN: \|\|p')"
137		137
138	if [ -z "$binddn" ]; then	138	if [ -z "$binddn" ]; then
139	# Next check is the local ldapi interface	139	# Next check is the local ldapi interface
140	binddn="$(univention-ssh "$DCPWD" "$DCACCOUNT"@"$ldap_master" \	140	binddn="$(univention-ssh "$DCPWD" "$DCACCOUNT"@"$ldap_master" \
141	ldapsearch -x LLL -H ldapi:/// "(&(uid=$DCACCOUNT)(objectClass=person))" dn \| ldapsearch-decode64 \| sed -ne 's\|^dn: \|\|p;s\|^DN: \|\|p')"	141	ldapsearch -x LLL -H ldapi:/// "(&(uid=$DCACCOUNT)(objectClass=person))" dn \| ldapsearch-wrapper \| ldapsearch-decode64 \| sed -ne 's\|^dn: \|\|p;s\|^DN: \|\|p')"
142	fi	142	fi
143		143
144	if [ -z "$binddn" ]; then	144	if [ -z "$binddn" ]; then
145	# Check with anonymous bind	145	# Check with anonymous bind
146	ldap_result=$(univention-ssh "$DCPWD" "$DCACCOUNT"@"$ldap_master" \	146	ldap_result=$(univention-ssh "$DCPWD" "$DCACCOUNT"@"$ldap_master" \
147	"ldapsearch -x -LLL \'\(\&\(uid=$DCACCOUNT\)\(objectClass=person\)\)\' dn")	147	"ldapsearch -x -LLL \'\(\&\(uid=$DCACCOUNT\)\(objectClass=person\)\)\' dn")
148	for i in $(echo "$ldap_result" \| ldapsearch-wrapper \| sed -n 's/^dn: \(.*\)/\1/p'); do	148	for i in $(echo "$ldap_result" \| ldapsearch-wrapper \| ldapsearch-decode64 \| sed -ne 's\|^dn: \|\|p'); do
149	if [ -n "$binddn" ]; then	149	if [ -n "$binddn" ]; then
150	failed_message "binddn for user $DCACCOUNT not unique, $i and $binddn"	150	failed_message "binddn for user $DCACCOUNT not unique, $i and $binddn"
151	fi	151	fi
Lines 157-163 Link Here
157	if [ -z "$binddn" ]; then	157	if [ -z "$binddn" ]; then
158	failed_message "binddn for user $DCACCOUNT not found"	158	failed_message "binddn for user $DCACCOUNT not found"
159	else	159	else
160	ldapsearch -x -LLL -b "$ldap_base" -D "$binddn" -w `cat $DCPWD` -LLL -s base >/dev/null 2>&1	160	ldapsearch -x -LLL -b "$ldap_base" -D "$binddn" -w "$(<"$DCPWD")" -LLL -s base >/dev/null 2>&1
161	if [ $? != 0 ]; then	161	if [ $? != 0 ]; then
162	failed_message "Invalid credentials"	162	failed_message "Invalid credentials"
163	else	163	else
Lines 192-198 Link Here
192	fi	192	fi
193		193
194	if [ ! "$server_role" = "domaincontroller_master" ] \|\| [ -n "$ASK_PASS" ] ; then	194	if [ ! "$server_role" = "domaincontroller_master" ] \|\| [ -n "$ASK_PASS" ] ; then
195	"$i" --binddn "$binddn" --bindpwd "$(cat "$DCPWD")"	195	"$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")"
196	else	196	else
197	"$i"	197	"$i"
198	fi	198	fi

Lines 124-130 Link Here

(-)univention-join (-6 / +6 lines)
124	check_ldap_tls_connection () {	124	check_ldap_tls_connection () {
125	echo -n "Check TLS connection "	125	echo -n "Check TLS connection "
126		126
127	eval "$(ucr shell ldap/master/port)"	127	eval "$(univention-config-registry shell ldap/master/port)"
128		128
129	ldapsearch -x -ZZ -p "$ldap_master_port" -s base -h "$DCNAME" -D "$binddn" -w "$(<"$DCPWD")" dn >/dev/null	129	ldapsearch -x -ZZ -p "$ldap_master_port" -s base -h "$DCNAME" -D "$binddn" -w "$(<"$DCPWD")" dn >/dev/null
130	if [ $? != 0 ]; then	130	if [ $? != 0 ]; then
Lines 254-260 Link Here
254		254
255		255
256	# get master versions	256	# get master versions
257	versions="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" /usr/sbin/ucr search --brief ^version/)"	257	versions="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" /usr/sbin/univention-config-registry search --brief ^version/)"
258	OLDIFS=$IFS	258	OLDIFS=$IFS
259	IFS=$'\n'	259	IFS=$'\n'
260	for i in $versions; do	260	for i in $versions; do
Lines 301-307 Link Here
301	if [ -x /etc/init.d/samba4 ]; then	301	if [ -x /etc/init.d/samba4 ]; then
302	echo -n "Stop Samba 4 Server: "	302	echo -n "Stop Samba 4 Server: "
303	if [ "$dns_backend" = "samba4" ]; then	303	if [ "$dns_backend" = "samba4" ]; then
304	ucr set dns/backend=ldap >>/var/log/univention/join.log 2>&1	304	univention-config-registry set dns/backend=ldap >>/var/log/univention/join.log 2>&1
305	/etc/init.d/bind9 restart >>/var/log/univention/join.log 2>&1	305	/etc/init.d/bind9 restart >>/var/log/univention/join.log 2>&1
306	fi	306	fi
307	/etc/init.d/samba4 stop >>/var/log/univention/join.log 2>&1	307	/etc/init.d/samba4 stop >>/var/log/univention/join.log 2>&1
Lines 310-316 Link Here
310		310
311	if [ -z "$LDAPBASE" ]; then	311	if [ -z "$LDAPBASE" ]; then
312	echo -n "Search ldap/base"	312	echo -n "Search ldap/base"
313	ldap_base="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" /usr/sbin/ucr search --brief ^ldap/base$ \| sed -ne 's\|^ldap/base: \|\|p')"	313	ldap_base="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" /usr/sbin/univention-config-registry search --brief ^ldap/base$ \| sed -ne 's\|^ldap/base: \|\|p')"
314	else	314	else
315	ldap_base="$LDAPBASE"	315	ldap_base="$LDAPBASE"
316	fi	316	fi
Lines 332-338 Link Here
332		332
333	# First use udm to search the user DN	333	# First use udm to search the user DN
334	binddn="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" \	334	binddn="$(univention-ssh "$DCPWD" "${DCACCOUNT}@${DCNAME}" \
335	/usr/sbin/udm users/user list --filter uid="$DCACCOUNT" --logfile /dev/null \| sed -ne 's\|^DN: \|\|p')"	335	/usr/sbin/univention-directory-manager users/user list --filter uid="$DCACCOUNT" --logfile /dev/null \| sed -ne 's\|^DN: \|\|p')"
336		336
337	if [ -z "$binddn" ]; then	337	if [ -z "$binddn" ]; then
338	# Next check is the local ldapi interface	338	# Next check is the local ldapi interface
Lines 478-484 Link Here
478	if [ -e /etc/runit/univention/univention-directory-listener ]; then	478	if [ -e /etc/runit/univention/univention-directory-listener ]; then
479	echo -n "Stopping univention-directory-listener daemon: "	479	echo -n "Stopping univention-directory-listener daemon: "
480	/etc/init.d/univention-directory-listener stop >/dev/null 2>&1	480	/etc/init.d/univention-directory-listener stop >/dev/null 2>&1
481	while ! sv status univention-directory-listener \| grep "^down" >/dev/null	481	while ! sv status univention-directory-listener \| grep -q "^down"
482	do	482	do
483	sleep 1	483	sleep 1
484	/etc/init.d/univention-directory-listener stop >/dev/null 2>&1	484	/etc/init.d/univention-directory-listener stop >/dev/null 2>&1