Lines 41-46
FAIL () { # log error message to log file and std-err, then fail
|
Link Here
|
---|
|
41 |
exit 1 |
41 |
exit 1 |
42 |
} |
42 |
} |
43 |
|
43 |
|
|
|
44 |
try_ldap () { # try to connect LDAP server |
45 |
local trial_counter=60 |
46 |
while [ $trial_counter -ge 0 ] |
47 |
do |
48 |
sleep 1 |
49 |
if univention-ldapsearch -D "$ldap_hostdn" -y "$1" -h "$ldap_master" -p "$ldap_master_port" -s base > /dev/null 2>&3 |
50 |
then |
51 |
return 0 |
52 |
fi |
53 |
done |
54 |
return 1 |
55 |
} |
56 |
|
44 |
eval "$(/usr/sbin/univention-config-registry shell)" |
57 |
eval "$(/usr/sbin/univention-config-registry shell)" |
45 |
|
58 |
|
46 |
# 0 -> set to true |
59 |
# 0 -> set to true |
|
58 |
if [ -z "$ldap_hostdn" ]; then |
71 |
if [ -z "$ldap_hostdn" ]; then |
59 |
FAIL "failed to change server password: empty config-registry variable ldap/hostdn" |
72 |
FAIL "failed to change server password: empty config-registry variable ldap/hostdn" |
60 |
fi |
73 |
fi |
61 |
|
|
|
62 |
if [ ! -e "/etc/machine.secret" ]; then |
74 |
if [ ! -e "/etc/machine.secret" ]; then |
63 |
FAIL "failed to change server password: /etc/machine.secret not found" |
75 |
FAIL "failed to change server password: /etc/machine.secret not found" |
64 |
fi |
76 |
fi |
65 |
|
|
|
66 |
if [ -e "/var/lib/univention-directory-replication/failed.ldif" ]; then |
77 |
if [ -e "/var/lib/univention-directory-replication/failed.ldif" ]; then |
67 |
FAIL "failed to change server password: /var/lib/univention-directory-replication/failed.ldif exists" |
78 |
FAIL "failed to change server password: /var/lib/univention-directory-replication/failed.ldif exists" |
68 |
fi |
79 |
fi |
|
76 |
fi |
87 |
fi |
77 |
|
88 |
|
78 |
# Try to use a trivial command just to check that LDAP server is reachable. |
89 |
# Try to use a trivial command just to check that LDAP server is reachable. |
79 |
univention-ldapsearch -D "$ldap_hostdn" -w "$(cat /etc/machine.secret)" -s base > /dev/null 2>&3 |
90 |
if ! univention-ldapsearch -D "$ldap_hostdn" -y /etc/machine.secret -s base > /dev/null 2>&3 |
80 |
if [ $? -ne 0 ]; then |
91 |
then |
81 |
FAIL "failed to contact LDAP server: cannot connect with univention-ldapsearch" |
92 |
FAIL "failed to contact LDAP server: cannot connect with univention-ldapsearch" |
82 |
fi |
93 |
fi |
83 |
|
94 |
|
84 |
new_password=$(makepasswd --chars 8) |
95 |
new_pass=$(mktemp /etc/machine.secret.XXXXXXXX) |
85 |
old_password=$(cat /etc/machine.secret) |
96 |
old_pass=$(mktemp /etc/machine.secret.XXXXXXXX) |
|
|
97 |
trap "rm -f '$new_pass' '$old_pass'" EXIT |
86 |
|
98 |
|
87 |
if [ -z "$new_password" ]; then |
99 |
cp /etc/machine.secret "$old_pass" |
|
|
100 |
makepasswd --chars 8 | tr -d '\n' >"$new_pass" |
101 |
|
102 |
if [ ! -s "$new_pass" ]; then |
88 |
FAIL "failed to change server password: makepasswd returned an empty password" |
103 |
FAIL "failed to change server password: makepasswd returned an empty password" |
89 |
fi |
104 |
fi |
90 |
|
105 |
|
91 |
# Try to run hook scripts for "prechange" (which are named '^[A-Za-z0-9_-]+$') |
106 |
# Try to run hook scripts for "prechange" (which are named '^[A-Za-z0-9_-]+$') |
92 |
# Never use --exit-on-error with run-parts scripts because after an exit-on-error |
107 |
# Never use --exit-on-error with run-parts scripts because after an exit-on-error |
93 |
# we wouldn't know which scripts have received a "prechange" and need a "nochange". |
108 |
# we wouldn't know which scripts have received a "prechange" and need a "nochange". |
94 |
run-parts --verbose --arg prechange -- /usr/lib/univention-server/server_password_change.d >&3 2>&3 |
109 |
if ! run-parts --verbose --arg prechange -- /usr/lib/univention-server/server_password_change.d >&3 2>&3 |
95 |
# If ANY of the scripts fails while doing "prechange", then rollback with "nochange". |
110 |
# If ANY of the scripts fails while doing "prechange", then rollback with "nochange". |
96 |
if [ $? != 0 ]; then |
111 |
then |
97 |
# Use run-parts without --exit-on-error; go through all scripts. |
112 |
# Use run-parts without --exit-on-error; go through all scripts. |
98 |
run-parts --verbose --arg nochange -- /usr/lib/univention-server/server_password_change.d >&3 2>&3 |
113 |
run-parts --verbose --arg nochange -- /usr/lib/univention-server/server_password_change.d >&3 2>&3 |
99 |
FAIL "run-parts failed during prechange, rolling back with nochange, server password unchanged" |
114 |
FAIL "run-parts failed during prechange, rolling back with nochange, server password unchanged" |
100 |
fi |
115 |
fi |
101 |
|
116 |
|
102 |
# Try to modify the server password with UDM. |
117 |
# Try to modify the server password with UDM. |
103 |
/usr/sbin/univention-directory-manager "computers/$server_role" modify --binddn "$ldap_hostdn" --bindpwd "$old_password" --dn "$ldap_hostdn" --set password="$new_password" >&3 2>&3 |
118 |
if ! /usr/sbin/univention-directory-manager "computers/$server_role" modify \ |
|
|
119 |
--binddn "$ldap_hostdn" --bindpwfile "$old_pass" \ |
120 |
--dn "$ldap_hostdn" --set password="$(cat "$new_pass")" >&3 2>&3 |
104 |
# If changing the server password with UDM failed for some unknown reason, |
121 |
# If changing the server password with UDM failed for some unknown reason, |
105 |
# then rollback the previous run-parts operation. |
122 |
# then rollback the previous run-parts operation. |
106 |
if [ $? != 0 ]; then |
123 |
then |
107 |
# run hook scripts for "nochange" (which are named '^[A-Za-z0-9_-]+$') |
124 |
# run hook scripts for "nochange" (which are named '^[A-Za-z0-9_-]+$') |
108 |
run-parts --verbose --arg nochange -- /usr/lib/univention-server/server_password_change.d >&3 2>&3 |
125 |
run-parts --verbose --arg nochange -- /usr/lib/univention-server/server_password_change.d >&3 2>&3 |
109 |
FAIL "failed to change server password for $ldap_hostdn" |
126 |
FAIL "failed to change server password for $ldap_hostdn" |
|
112 |
# If the changed server password has really been set correctly, then we can already use it. |
129 |
# If the changed server password has really been set correctly, then we can already use it. |
113 |
# Try to use the new password with LDAP against the MASTER. |
130 |
# Try to use the new password with LDAP against the MASTER. |
114 |
# Repeat this several times, just in case password distribution takes some time. |
131 |
# Repeat this several times, just in case password distribution takes some time. |
115 |
trial_counter=60 |
132 |
if ! try_ldap "$new_pass" |
116 |
while sleep 1 |
133 |
then |
117 |
do |
134 |
# The server is in an inconsistent state because the new password has |
118 |
# Try to use a trivial command just to check that the new password works. |
135 |
# been set with UDM but LDAP does't work with it. Do not continue with |
119 |
univention-ldapsearch -D "$ldap_hostdn" -w "$new_password" -h "$ldap_master" -p "$ldap_master_port" -s base > /dev/null 2>&3 |
136 |
# changes that would only worsen the situation. Instead, try to rollback. |
120 |
if [ $? -eq 0 ]; then |
137 |
# Reset the old password with UDM and give up. |
121 |
# OK, password worked against master, go on with the script. |
138 |
/usr/sbin/univention-directory-manager "computers/$server_role" modify \ |
122 |
break |
139 |
--binddn "$ldap_hostdn" --bindpwfile "$new_pass" \ |
123 |
fi |
140 |
--dn "$ldap_hostdn" --set password="$(cat "$old_pass")" >&3 2>&3 |
124 |
# If the new password failed for a long time, give up. |
141 |
|
125 |
if [ $trial_counter -eq 0 ]; then |
142 |
# run hook scripts for "nochange" (which are named '^[A-Za-z0-9_-]+$') |
126 |
# The server is in an inconsistent state because the new password has |
143 |
run-parts --verbose --arg nochange -- /usr/lib/univention-server/server_password_change.d >&3 2>&3 |
127 |
# been set with UDM but LDAP does't work with it. Do not continue with |
144 |
FAIL "resetting old server password for $ldap_hostdn, because access to LDAP master did not work with the new password" |
128 |
# changes that would only worsen the situation. Instead, try to rollback. |
145 |
fi |
129 |
# Reset the old password with UDM and give up. |
|
|
130 |
/usr/sbin/univention-directory-manager "computers/$server_role" modify --binddn "$ldap_hostdn" --bindpwd "$new_password" --dn "$ldap_hostdn" --set password="$old_password" >&3 2>&3 |
131 |
|
132 |
# run hook scripts for "nochange" (which are named '^[A-Za-z0-9_-]+$') |
133 |
run-parts --verbose --arg nochange -- /usr/lib/univention-server/server_password_change.d >&3 2>&3 |
134 |
FAIL "resetting old server password for $ldap_hostdn, because access to LDAP master did not work with the new password" |
135 |
fi |
136 |
trial_counter=$(( trial_counter - 1)) |
137 |
done |
138 |
|
146 |
|
139 |
# Now that we are sure the new password already works with LDAP master, |
147 |
# Now that we are sure the new password already works with LDAP master, |
140 |
# we can dare to overwrite the machine password. The machine password is |
148 |
# we can dare to overwrite the machine password. The machine password is |
141 |
# needed by the Listener who replicates the changed password to the |
149 |
# needed by the Listener who replicates the changed password to the |
142 |
# local server's LDAP. |
150 |
# local server's LDAP. |
143 |
echo "$(date +"%y%m%d%H%M"): $old_password" >>/etc/machine.secret.old |
151 |
echo -n "$(date +"%y%m%d%H%M"): " >>/etc/machine.secret.old |
|
|
152 |
cat "$old_pass" >>/etc/machine.secret.old |
144 |
chmod 600 /etc/machine.secret.old |
153 |
chmod 600 /etc/machine.secret.old |
145 |
|
154 |
|
146 |
# change machine.secret and restart listener |
155 |
# change machine.secret and restart listener |
147 |
echo -n "$new_password" >/etc/machine.secret |
156 |
cp "$new_pass" >/etc/machine.secret |
148 |
chmod 600 /etc/machine.secret |
157 |
chmod 600 /etc/machine.secret |
149 |
[ -e /etc/init.d/univention-directory-listener ] && invoke-rc.d univention-directory-listener restart >&3 |
158 |
[ -x /etc/init.d/univention-directory-listener ] && invoke-rc.d univention-directory-listener restart >&3 |
150 |
|
159 |
|
151 |
# The password is changed on the master now, but it is not clear if |
160 |
# The password is changed on the master now, but it is not clear if |
152 |
# this change has been replicated to the local host yet. |
161 |
# this change has been replicated to the local host yet. |
153 |
# Do the same test as above but with the local LDAP replication. |
162 |
# Do the same test as above but with the local LDAP replication. |
154 |
trial_counter=60 |
163 |
if ! try_ldap "$new_pass" |
155 |
while sleep 1 |
164 |
then |
156 |
do |
165 |
# The server is in an inconsistent state because the new password has |
157 |
# Try to use a trivial command just to check that the new password works. |
166 |
# been set with UDM but LDAP does't work with it. Do not continue with |
158 |
univention-ldapsearch -D "$ldap_hostdn" -w "$new_password" -s base > /dev/null 2>&3 |
167 |
# changes that would only worsen the situation. Instead, try to rollback. |
159 |
if [ $? -eq 0 ]; then |
168 |
# Reset the old password with UDM and give up. |
160 |
# OK, password worked, go on with the script. |
169 |
/usr/sbin/univention-directory-manager "computers/$server_role" modify \ |
161 |
break |
170 |
--binddn "$ldap_hostdn" --bindpwfile "$new_pass" \ |
162 |
fi |
171 |
--dn "$ldap_hostdn" --set password="$(cat "$old_pass")" >&3 2>&3 |
163 |
# If the new password failed for a long time, give up. |
172 |
|
164 |
if [ $trial_counter -eq 0 ]; then |
173 |
# Rollback /etc/machine.secret and restart listener |
165 |
# The server is in an inconsistent state because the new password has |
174 |
cp "$old_pass" /etc/machine.secret |
166 |
# been set with UDM but LDAP does't work with it. Do not continue with |
175 |
chmod 600 /etc/machine.secret |
167 |
# changes that would only worsen the situation. Instead, try to rollback. |
176 |
[ -x /etc/init.d/univention-directory-listener ] && invoke-rc.d univention-directory-listener restart >&3 |
168 |
# Reset the old password with UDM and give up. |
177 |
|
169 |
|
178 |
# run hook scripts for "nochange" (which are named '^[A-Za-z0-9_-]+$') |
170 |
/usr/sbin/univention-directory-manager "computers/$server_role" modify --binddn "$ldap_hostdn" --bindpwd "$new_password" --dn "$ldap_hostdn" --set password="$old_password" >&3 2>&3 |
179 |
run-parts --verbose --arg nochange -- /usr/lib/univention-server/server_password_change.d >&3 2>&3 |
171 |
|
180 |
FAIL "resetting old server password for $ldap_hostdn, because access to local LDAP did not work with the new password" |
172 |
# Rollback /etc/machine.secret and restart listener |
181 |
fi |
173 |
awk '{pwd=$2}; END {printf("%s", pwd)}' /etc/machine.secret.old > /etc/machine.secret |
|
|
174 |
chmod 600 /etc/machine.secret |
175 |
[ -e /etc/init.d/univention-directory-listener ] && invoke-rc.d univention-directory-listener restart >&3 |
176 |
|
177 |
# run hook scripts for "nochange" (which are named '^[A-Za-z0-9_-]+$') |
178 |
run-parts --verbose --arg nochange -- /usr/lib/univention-server/server_password_change.d >&3 2>&3 |
179 |
FAIL "resetting old server password for $ldap_hostdn, because access to local LDAP did not work with the new password" |
180 |
fi |
181 |
trial_counter=$(( trial_counter - 1)) |
182 |
done |
183 |
|
182 |
|
184 |
# At this point the server password has been changed. |
183 |
# At this point the server password has been changed. |
185 |
# The change has gone beyond the point-of-no-return and |
184 |
# The change has gone beyond the point-of-no-return and |
|
188 |
# obvious through the log file. It is essential now to |
187 |
# obvious through the log file. It is essential now to |
189 |
# go all the way through all the run-parts scripts with postchange. |
188 |
# go all the way through all the run-parts scripts with postchange. |
190 |
|
189 |
|
191 |
if [ "$server_role" != "domaincontroller_master" ] && [ "$server_role" != "domaincontroller_backup" ]; then |
|
|
192 |
if [ -x /etc/init.d/univention-directory-listener ]; then |
193 |
invoke-rc.d univention-directory-listener crestart >&3 2>&3 |
194 |
fi |
195 |
fi |
196 |
|
197 |
# run hook scripts for "postchange" (which are named '^[A-Za-z0-9_-]+$') |
190 |
# run hook scripts for "postchange" (which are named '^[A-Za-z0-9_-]+$') |
198 |
# Use run-parts without --exit-on-error; go through all scripts. |
191 |
# Use run-parts without --exit-on-error; go through all scripts. |
199 |
run-parts --verbose --arg postchange -- /usr/lib/univention-server/server_password_change.d >&3 2>&3 |
192 |
run-parts --verbose --arg postchange -- /usr/lib/univention-server/server_password_change.d >&3 2>&3 |