|
49 |
exec 3>>/var/log/univention/server_password_change.log |
49 |
exec 3>>/var/log/univention/server_password_change.log |
50 |
fi |
50 |
fi |
51 |
|
51 |
|
52 |
echo "($(date '+%F %T.%N')) Starting server password change" >&3 |
52 |
echowithtimestamp "Starting server password change" >&3 |
53 |
FAIL () { # log error message to log file and std-err, then fail |
53 |
FAIL () { # log error message to log file and std-err, then fail |
54 |
echo "$@" >&3 |
54 |
msg=$(echowithtimestamp "$@") |
55 |
echo "$@" >&2 |
55 |
echo "$msg" >&3 |
|
|
56 |
echo "$msg" >&2 |
56 |
exit 1 |
57 |
exit 1 |
57 |
} |
58 |
} |
58 |
try_ldap () { # try to connect LDAP server |
59 |
try_ldap () { # try to connect LDAP server |
|
91 |
# 2 -> empty |
92 |
# 2 -> empty |
92 |
is_ucr_true server/password/change |
93 |
is_ucr_true server/password/change |
93 |
if [ $? = 1 ]; then |
94 |
if [ $? = 1 ]; then |
94 |
echo "($(date '+%F %T.%N')) Server password change is disabled by the UCR variable server/password/change" >&3 |
95 |
echowithtimestamp "Server password change is disabled by the UCR variable server/password/change" >&3 |
95 |
exit 0 |
96 |
exit 0 |
96 |
fi |
97 |
fi |
97 |
|
98 |
|
98 |
[ -n "$server_role" ] || |
99 |
[ -n "$server_role" ] || |
99 |
FAIL "($(date '+%F %T.%N')) failed to change server password: empty config-registry variable server/role" |
100 |
FAIL "failed to change server password: empty config-registry variable server/role" |
100 |
[ -n "$ldap_hostdn" ] || |
101 |
[ -n "$ldap_hostdn" ] || |
101 |
FAIL "($(date '+%F %T.%N')) failed to change server password: empty config-registry variable ldap/hostdn" |
102 |
FAIL "failed to change server password: empty config-registry variable ldap/hostdn" |
102 |
[ -e "$MSECRET" ] || |
103 |
[ -e "$MSECRET" ] || |
103 |
FAIL "($(date '+%F %T.%N')) failed to change server password: $MSECRET not found" |
104 |
FAIL "failed to change server password: $MSECRET not found" |
104 |
[ -e "/var/lib/univention-directory-replication/failed.ldif" ] && |
105 |
[ -e "/var/lib/univention-directory-replication/failed.ldif" ] && |
105 |
FAIL "($(date '+%F %T.%N')) failed to change server password: /var/lib/univention-directory-replication/failed.ldif exists" |
106 |
FAIL "failed to change server password: /var/lib/univention-directory-replication/failed.ldif exists" |
106 |
|
107 |
|
107 |
# Allow password change only if it is scheduled. |
108 |
# Allow password change only if it is scheduled. |
108 |
epoch_last_change="$(stat --format %Y "$MSECRET")" |
109 |
epoch_last_change="$(stat --format %Y "$MSECRET")" |
|
110 |
seconds_last_change="$((epoch- epoch_last_change))" |
111 |
seconds_last_change="$((epoch- epoch_last_change))" |
111 |
days_last_change="$((seconds_last_change/60/60/24))" |
112 |
days_last_change="$((seconds_last_change/60/60/24))" |
112 |
if [ "$server_password_interval" -gt "$days_last_change" ]; then |
113 |
if [ "$server_password_interval" -gt "$days_last_change" ]; then |
113 |
echo "($(date '+%F %T.%N')) No server password change scheduled for today, terminating without a change" >&3 |
114 |
echowithtimestamp "No server password change scheduled for today, terminating without a change" >&3 |
114 |
exit 0 |
115 |
exit 0 |
115 |
fi |
116 |
fi |
116 |
|
117 |
|
117 |
echo "($(date '+%F %T.%N')) Proceeding with regular server password change scheduled for today" >&3 |
118 |
echowithtimestamp "Proceeding with regular server password change scheduled for today" >&3 |
118 |
|
119 |
|
119 |
# Try to use a trivial command just to check that LDAP server is reachable. |
120 |
# Try to use a trivial command just to check that LDAP server is reachable. |
120 |
univention-ldapsearch -D "$ldap_hostdn" -y "$MSECRET" -s base 1.1 >/dev/null 2>&3 || |
121 |
univention-ldapsearch -D "$ldap_hostdn" -y "$MSECRET" -s base 1.1 >/dev/null 2>&3 || |
121 |
FAIL "($(date '+%F %T.%N')) failed to contact LDAP server: cannot connect with univention-ldapsearch" |
122 |
FAIL "failed to contact LDAP server: cannot connect with univention-ldapsearch" |
122 |
|
123 |
|
123 |
old_pass="$(mktemp "$MSECRET.XXXXXXXX")" |
124 |
old_pass="$(mktemp "$MSECRET.XXXXXXXX")" |
124 |
new_pass="$(mktemp "$MSECRET.XXXXXXXX")" |
125 |
new_pass="$(mktemp "$MSECRET.XXXXXXXX")" |
Lines 131-142
ln -f "$MSECRET" "$old_pass"
|
|
131 |
# shellcheck disable=SC2015 |
132 |
# shellcheck disable=SC2015 |
132 |
create_machine_password >"$new_pass" && |
133 |
create_machine_password >"$new_pass" && |
133 |
[ -s "$new_pass" ] || |
134 |
[ -s "$new_pass" ] || |
134 |
FAIL "($(date '+%F %T.%N')) failed to change server password: create_machine_password() returned an empty password" |
135 |
FAIL "failed to change server password: create_machine_password() returned an empty password" |
135 |
|
136 |
|
136 |
if ! run_hooks prechange |
137 |
if ! run_hooks prechange |
137 |
then |
138 |
then |
138 |
run_hooks nochange |
139 |
run_hooks nochange |
139 |
FAIL "($(date '+%F %T.%N')) run-parts failed during prechange, rolling back with nochange, server password unchanged" |
140 |
FAIL "run-parts failed during prechange, rolling back with nochange, server password unchanged" |
140 |
fi |
141 |
fi |
141 |
|
142 |
|
142 |
# check if we are in sync with the Primary Directory Node, if not then rollback with "nochange". |
143 |
# check if we are in sync with the Primary Directory Node, if not then rollback with "nochange". |
|
153 |
read -r lid </var/lib/univention-directory-listener/notifier_id |
154 |
read -r lid </var/lib/univention-directory-listener/notifier_id |
154 |
if [ -x "/usr/share/univention-directory-listener/get_notifier_id.py" ]; then |
155 |
if [ -x "/usr/share/univention-directory-listener/get_notifier_id.py" ]; then |
155 |
nid=$(/usr/share/univention-directory-listener/get_notifier_id.py 2>&3) || |
156 |
nid=$(/usr/share/univention-directory-listener/get_notifier_id.py 2>&3) || |
156 |
echo "($(date '+%F %T.%N')) Could not get notifier id from Primary Directory Node!" >&3 |
157 |
echowithtimestamp "Could not get notifier id from Primary Directory Node!" >&3 |
157 |
fi |
158 |
fi |
158 |
[ "${lid:-0}" = "${nid:-1}" ] && |
159 |
[ "${lid:-0}" = "${nid:-1}" ] && |
159 |
return 0 |
160 |
return 0 |
160 |
fi |
161 |
fi |
161 |
echo " ($(date '+%F %T.%N')) Pending listener transactions (lid=$lid < nid=$nid), waiting ..." >&3 |
162 |
echowithtimestamp "Pending listener transactions (lid=$lid < nid=$nid), waiting ..." >&3 |
162 |
sleep 2 |
163 |
sleep 2 |
163 |
done |
164 |
done |
164 |
run_hooks nochange |
165 |
run_hooks nochange |
165 |
FAIL "($(date '+%F %T.%N')) Pending listener transactions timeout, rolling back with nochange, server password unchanged" |
166 |
FAIL "Pending listener transactions timeout, rolling back with nochange, server password unchanged" |
166 |
} |
167 |
} |
167 |
check_in_sync |
168 |
check_in_sync |
168 |
|
169 |
|
Lines 172-178
if ! change_password "$old_pass" "$new_pass"
|
|
172 |
# then rollback the previous run-parts operation. |
173 |
# then rollback the previous run-parts operation. |
173 |
then |
174 |
then |
174 |
run_hooks nochange |
175 |
run_hooks nochange |
175 |
FAIL "($(date '+%F %T.%N')) failed to change server password for $ldap_hostdn" |
176 |
FAIL "failed to change server password for $ldap_hostdn" |
176 |
fi |
177 |
fi |
177 |
|
178 |
|
178 |
# If the changed server password has really been set correctly, then we can already use it. |
179 |
# If the changed server password has really been set correctly, then we can already use it. |
|
187 |
change_password "$new_pass" "$old_pass" |
188 |
change_password "$new_pass" "$old_pass" |
188 |
|
189 |
|
189 |
run_hooks nochange |
190 |
run_hooks nochange |
190 |
FAIL "($(date '+%F %T.%N')) resetting old server password for $ldap_hostdn, because access to Primary Directory Node LDAP did not work with the new password" |
191 |
FAIL "resetting old server password for $ldap_hostdn, because access to Primary Directory Node LDAP did not work with the new password" |
191 |
fi |
192 |
fi |
192 |
|
193 |
|
193 |
# Now that we are sure the new password already works with Primary Directory Node LDAP, |
194 |
# Now that we are sure the new password already works with Primary Directory Node LDAP, |
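Review bot: The rollback `change_password "$new_pass" "$old_pass"` at new line 188 runs unchecked, and the FAIL on the next lines reports the old password as being reset whether or not that call succeeded, so a failed rollback would presumably leave the stored secret and the directory entry disagreeing with nothing in the log saying so. Consider recording the rollback's status before failing, e.g. `change_password "$new_pass" "$old_pass" || echowithtimestamp "WARNING: resetting the old server password failed as well" >&3`, so the log reflects the actual end state for whoever has to recover the node. The enclosing `if` block begins outside the hunk, so what the earlier branch assumes about the rollback is not visible here.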
Lines 221-227
if ! run_hooks localchange --regex '^univention-samba4'
|
|
221 |
# if samba-tool user setpassword fails, reset the old password. |
222 |
# if samba-tool user setpassword fails, reset the old password. |
222 |
then |
223 |
then |
223 |
revert_password_change |
224 |
revert_password_change |
224 |
FAIL "($(date '+%F %T.%N')) Failed to set new password in samba, machine password set back to old password for $ldap_hostdn." |
225 |
FAIL "Failed to set new password in samba, machine password set back to old password for $ldap_hostdn." |
225 |
fi |
226 |
fi |
226 |
|
227 |
|
227 |
# The password is changed on the Primary Directory Node now, but it is not clear if |
228 |
# The password is changed on the Primary Directory Node now, but it is not clear if |
|
234 |
# changes that would only worsen the situation. Instead, try to rollback. |
235 |
# changes that would only worsen the situation. Instead, try to rollback. |
235 |
# Reset the old password with UDM and give up. |
236 |
# Reset the old password with UDM and give up. |
236 |
revert_password_change |
237 |
revert_password_change |
237 |
FAIL "($(date '+%F %T.%N')) Access to local LDAP did not work with the new password, machine password set back to old password for $ldap_hostdn." |
238 |
FAIL "Access to local LDAP did not work with the new password, machine password set back to old password for $ldap_hostdn." |
238 |
fi |
239 |
fi |
239 |
|
240 |
|
240 |
# At this point the server password has been changed. |
241 |
# At this point the server password has been changed. |
|
252 |
|
253 |
|
253 |
run_hooks postchange |
254 |
run_hooks postchange |
254 |
|
255 |
|
255 |
echo "($(date '+%F %T.%N')) done" >&3 |
256 |
echowithtimestamp "done" >&3 |
256 |
exec 3<&- |
257 |
exec 3<&- |
257 |
|
258 |
|
258 |
exit 0 |
259 |
exit 0 |