Attachment #5165 for bug #31026

View | Details | Raw Unified | Return to bug 31026
Collapse All | Expand All





LOCKFILE=/tmp/.univention_check_connection
# create lock file
if ! lockfile-create -q --retry 0 "$LOCKFILE"; then
	exit 0
fi


export PATH=$PATH:/sbin:/usr/sbin

eval "$(/usr/sbin/univention-config-registry shell)"

	run_parts=true
fi


action () {
	dir="/etc/network/if-$1.d"
	export MODE=$1

	if [ -d "$dir" ] && "$run_parts"; then
		run-parts "$dir" >/dev/null
	fi
}

if univention-ldap-server-available
then
	case "$auth_methods" in
	*ldap*) ;;
	*)
	fi
fi

if [ -n "$ldap_server_addition" ] && [ $connection_okay = 0 ]; then
	for h in  $ldap_server_addition; do
		if /bin/netcat -q0 -w4 $h 7389 </dev/null >/dev/null 2>&1; then
			connection_okay=1
			break
		fi
	done
fi

if [ $connection_okay = 1 ]; then
	res="`echo $auth_methods | grep ldap`"
	if [ -z "$res" ]; then
		/usr/sbin/univention-config-registry set auth/methods="$auth_methods_default" >/dev/null
		action up
	esac
else
	case "$auth_methods" in
	*ldap*)
		/usr/sbin/univention-config-registry set auth/methods=cache >/dev/null
		action down
	esac

fi

# remove lock file
lockfile-remove "$LOCKFILE"




# <http://www.gnu.org/licenses/>.

. /usr/share/univention-lib/base.sh
LOG=/var/log/univention/managed-client.log
create_logfile_if_missing "$LOG" "root:adm" 640

map () {
	cat /etc/univention/templates/mapping/*.univention-config-registry-mapping |
	while IFS== read ldap ucr
	do
		if [ "$1" = "$ldap" ]
		then
			ucr=${ucr#\"} ucr=${ucr%\"}
			echo "$ucr"
			return
		fi
	done
	echo "$1"
}

case "$1" in
	start)
		univention-config-registry set domain/connection=false >/dev/null 2>&1

		echo -n "Setting up Managed Client "
		echo "Setting up Managed Client `date`" >>"$LOG" 2>&1

		eval "$(univention-config-registry shell)"


		# check configuration
		if [ -z "$ldap_server_name" -o -z "$ldap_base" -o -z "$ldap_hostdn" ]; then
			echo "setup failed"
			echo "setup failed" >>"$LOG"
			exit 1
		fi

		# check for ldap server
		if univention-ldap-server-available &&
			ldapsearch -x -h "$ldap_server_name" -ZZ -D "$ldap_hostdn" -y /etc/machine.secret -b "$ldap_base" -s BASE >>"$LOG" 2>&1
		then
			univention-config-registry set domain/connection=true >/dev/null 2>&1

				if [ -z "$ldap_mydn" ]; then
					ldap_mydn="$(ldapsearch -x -h $ldap_server_name -ZZ -D "$ldap_hostdn" -y /etc/machine.secret -b $ldap_base "(&(objectClass=univentionClient)(objectClass=univentionHost)(cn=$hostname))"  | ldapsearch-wrapper | grep ^dn | sed -e 's|dn: ||')"
				fi

				if [ -n "$ldap_hostdn" ]; then
					use_dn="$ldap_hostdn"
				elif [ -n "$ldap_mydn" ]; then
					use_dn="$ldap_mydn"
				fi

				if [ -n "$use_dn" ]; then
					# get policy result
					univention-config-registry unset univentionAutoStartScript
					univention-config-registry set ldap/mydn="$use_dn" >/dev/null 2>&1

					policy_file=$(mktemp)
					policy_file_result=$(mktemp)

					univention_policy_result -D "$ldap_hostdn" -y /etc/machine.secret -s "$use_dn" > $policy_file

					cat $policy_file | while read line; do

			if [ -z "$ldap_mydn" ]; then
				ldap_mydn="$(ldapsearch -x -h "$ldap_server_name" -ZZ -D "$ldap_hostdn" -y /etc/machine.secret -b $ldap_base "(&(objectClass=univentionClient)(objectClass=univentionHost)(cn=$hostname))" | ldapsearch-wrapper | sed -ne 's|^dn: ||p;T;q')"
			fi

						if [ -n "$var" ] && [ -n "$val" ]; then
							new_value=$(grep "$var=" /etc/univention/templates/mapping/* | head -n 1 | sed -e 's|.*=||;s|"||g')
							if [ -n "${new_value}" ]; then
								echo $line | sed -e "s|${var}=|${new_value}=|g" -e 's|="|=|' -e 's|"$||' >> $policy_file_result
							else
								echo $line | sed -e 's|="|=|' -e 's|"$||' >> $policy_file_result
							fi
						fi

			if [ -n "$ldap_hostdn" ]; then
				use_dn="$ldap_hostdn"
			elif [ -n "$ldap_mydn" ]; then
				use_dn="$ldap_mydn"
			fi

			if [ -n "$use_dn" ]; then
				# get policy result
				univention-config-registry unset univentionAutoStartScript
				univention-config-registry set ldap/mydn="$use_dn" >/dev/null 2>&1

				univention_policy_result -D "$ldap_hostdn" -y /etc/machine.secret -s "$use_dn" |
				while IFS== read var val; do
					if [ -n "$var" ] && [ -n "$val" ]; then
						var=$(map "$var")
						val=${val#\"} val=${val%\"}
						printf "$var=$val\0"
					fi
				done |
				xrags -0r univention-config-registry set >>"$LOG" 2>&1
			fi
		else
			echo "E: connection to $ldap_server_name failed" >>"$LOG" 2>&1
		fi

		if [ "$(univention-config-registry get univentionXMouseDevice)" = "/dev/input/mice" ]; then
		if [ "`univention-config-registry get univentionXMouseDevice`" = "/dev/input/mice" ]; then
			modprobe mousedev
		fi


		echo "done"

		;;
esac





# <http://www.gnu.org/licenses/>.

. /usr/share/univention-lib/base.sh
LOG=/var/log/univention/mobile-client.log
create_logfile_if_missing "$LOG" "root:adm" 640

map () {
	cat /etc/univention/templates/mapping/*.univention-config-registry-mapping |
	while IFS== read ldap ucr
	do
		if [ "$1" = "$ldap" ]
		then
			ucr=${ucr#\"} ucr=${ucr%\"}
			echo "$ucr"
			return
		fi
	done
	echo "$1"
}

case "$1" in
	start)
		univention-config-registry set domain/connection=false >/dev/null 2>&1

		echo -n "Setting up Mobile Client "
		echo "Setting up Mobile Client `date`" >>"$LOG" 2>&1

		eval "$(univention-config-registry shell)"


		# check configuration
		if [ -z "$ldap_server_name" -o -z "$ldap_base" -o -z "$ldap_hostdn" ]; then
			echo "setup failed"
			echo "setup failed" >>"$LOG"
			exit 1
		fi

		# check for ldap server
		if univention-ldap-server-available &&
			ldapsearch -x -h "$ldap_server_name" -ZZ -D "$ldap_hostdn" -y /etc/machine.secret -b "$ldap_base" -s BASE >>"$LOG" 2>&1
		then
			univention-config-registry set domain/connection=true >/dev/null 2>&1

				if [ -z "$ldap_mydn" ]; then
					ldap_mydn="$(ldapsearch -x -h $ldap_server_name -ZZ -D "$ldap_hostdn" -y /etc/machine.secret -b $ldap_base "(&(objectClass=univentionMobileClient)(objectClass=univentionHost)(cn=$hostname))" | ldapsearch-wrapper | grep ^dn | sed -e 's|dn: ||')"
				fi

				if [ -n "$ldap_hostdn" ]; then
					use_dn="$ldap_hostdn"
				elif [ -n "$ldap_mydn" ]; then
					use_dn="$ldap_mydn"
				fi

				if [ -n "$use_dn" ]; then
					# get policy result
					univention-config-registry unset univentionAutoStartScript
					univention-config-registry set ldap/mydn="$use_dn" >/dev/null 2>&1

					policy_file=$(mktemp)
					policy_file_result=$(mktemp)

					univention_policy_result -D "$ldap_hostdn" -y /etc/machine.secret -s "$use_dn" > $policy_file

					cat $policy_file | while read line; do

			if [ -z "$ldap_mydn" ]; then
				ldap_mydn="$(ldapsearch -x -h "$ldap_server_name" -ZZ -D "$ldap_hostdn" -y /etc/machine.secret -b $ldap_base "(&(objectClass=univentionMobileClient)(objectClass=univentionHost)(cn=$hostname))" | ldapsearch-wrapper | sed -ne 's|^dn: ||p;T;q')"
			fi

						if [ -n "$var" ] && [ -n "$val" ]; then
							new_value=$(grep "$var=" /etc/univention/templates/mapping/* | head -n 1 | sed -e 's|.*=||;s|"||g')
							if [ -n "${new_value}" ]; then
								echo $line | sed -e "s|${var}=|${new_value}=|g" -e 's|="|=|' -e 's|"$||' >> $policy_file_result
							else
								echo $line | sed -e 's|="|=|' -e 's|"$||' >> $policy_file_result
							fi
						fi

			if [ -n "$ldap_hostdn" ]; then
				use_dn="$ldap_hostdn"
			elif [ -n "$ldap_mydn" ]; then
				use_dn="$ldap_mydn"
			fi

			if [ -n "$use_dn" ]; then
				# get policy result
				univention-config-registry unset univentionAutoStartScript
				univention-config-registry set ldap/mydn="$use_dn" >/dev/null 2>&1

				univention_policy_result -D "$ldap_hostdn" -y /etc/machine.secret -s "$use_dn" |
				while IFS== read var val; do
					if [ -n "$var" ] && [ -n "$val" ]; then
						var=$(map "$var")
						val=${val#\"} val=${val%\"}
						printf "$var=$val\0"
					fi
				done |
				xrags -0r univention-config-registry set >>"$LOG" 2>&1
			fi
		else
			echo "E: connection to $ldap_server_name failed" >>"$LOG" 2>&1
		fi

		if [ "$(univention-config-registry get univentionXMouseDevice)" = "/dev/input/mice" ]; then
		if [ "`univention-config-registry get univentionXMouseDevice`" = "/dev/input/mice" ]; then
			modprobe mousedev
		fi


		echo "done"

		;;
esac





	exit 1
}

try_ldap () { # try to connect LDAP server
	local trial_counter=60
	while [ $trial_counter -ge 0 ]
	do
		sleep 1
		if univention-ldapsearch -D "$ldap_hostdn" -y "$1" -h "$ldap_master" -p "$ldap_master_port" -s base > /dev/null 2>&3
		then
			return 0
		fi
	done
	return 1
}

eval "$(/usr/sbin/univention-config-registry shell)"

# 0 -> set to true

if [ -z "$ldap_hostdn" ]; then
	FAIL "failed to change server password: empty config-registry variable ldap/hostdn"
fi

if [ ! -e "/etc/machine.secret" ]; then
	FAIL "failed to change server password: /etc/machine.secret not found"
fi

if [ -e "/var/lib/univention-directory-replication/failed.ldif" ]; then
	FAIL "failed to change server password: /var/lib/univention-directory-replication/failed.ldif exists"
fi

fi

# Try to use a trivial command just to check that LDAP server is reachable.
if ! univention-ldapsearch -D "$ldap_hostdn" -y /etc/machine.secret -s base > /dev/null 2>&3
then
	FAIL "failed to contact LDAP server: cannot connect with univention-ldapsearch"
fi

new_pass=$(mktemp /etc/machine.secret.XXXXXXXX)
old_pass=$(mktemp /etc/machine.secret.XXXXXXXX)
trap "rm -f '$new_pass' '$old_pass'" EXIT

cp /etc/machine.secret "$old_pass"
makepasswd --chars 8 | tr -d '\n' >"$new_pass"

if [ ! -s "$new_pass" ]; then
	FAIL "failed to change server password: makepasswd returned an empty password"
fi

# Try to run hook scripts for "prechange" (which are named '^[A-Za-z0-9_-]+$')
# Never use --exit-on-error with run-parts scripts because after an exit-on-error
# we wouldn't know which scripts have received a "prechange" and need a "nochange".
if ! run-parts --verbose --arg prechange -- /usr/lib/univention-server/server_password_change.d >&3 2>&3
# If ANY of the scripts fails while doing "prechange", then rollback with "nochange".
then
	# Use run-parts without --exit-on-error; go through all scripts.
	run-parts --verbose --arg nochange -- /usr/lib/univention-server/server_password_change.d >&3 2>&3
	FAIL "run-parts failed during prechange, rolling back with nochange, server password unchanged"
fi

# Try to modify the server password with UDM.
if ! /usr/sbin/univention-directory-manager "computers/$server_role" modify \
	--binddn "$ldap_hostdn" --bindpwfile "$old_pass" \
	--dn "$ldap_hostdn" --set password="$(cat "$new_pass")" >&3 2>&3
# If changing the server password with UDM failed for some unknown reason,
# then rollback the previous run-parts operation. 
then
	# run hook scripts for "nochange" (which are named '^[A-Za-z0-9_-]+$')
	run-parts --verbose --arg nochange -- /usr/lib/univention-server/server_password_change.d >&3 2>&3
	FAIL "failed to change server password for $ldap_hostdn"

# If the changed server password has really been set correctly, then we can already use it.
# Try to use the new password with LDAP against the MASTER.
# Repeat this several times, just in case password distribution takes some time.
if ! try_ldap "$new_pass"
then
	# The server is in an inconsistent state because the new password has
	# been set with UDM but LDAP does't work with it. Do not continue with
	# changes that would only worsen the situation. Instead, try to rollback.
	# Reset the old password with UDM and give up.
	/usr/sbin/univention-directory-manager "computers/$server_role" modify \
		--binddn "$ldap_hostdn" --bindpwfile "$new_pass" \
		--dn "$ldap_hostdn" --set password="$(cat "$old_pass")" >&3 2>&3

	# run hook scripts for "nochange" (which are named '^[A-Za-z0-9_-]+$')
	run-parts --verbose --arg nochange -- /usr/lib/univention-server/server_password_change.d >&3 2>&3
	FAIL "resetting old server password for $ldap_hostdn, because access to LDAP master did not work with the new password"
fi
		# Reset the old password with UDM and give up.
		/usr/sbin/univention-directory-manager "computers/$server_role" modify --binddn "$ldap_hostdn" --bindpwd "$new_password" --dn "$ldap_hostdn" --set password="$old_password" >&3 2>&3

		# run hook scripts for "nochange" (which are named '^[A-Za-z0-9_-]+$')
		run-parts --verbose --arg nochange -- /usr/lib/univention-server/server_password_change.d >&3 2>&3
		FAIL "resetting old server password for $ldap_hostdn, because access to LDAP master did not work with the new password"
	fi
	trial_counter=$(( trial_counter - 1))
done

# Now that we are sure the new password already works with LDAP master,
# we can dare to overwrite the machine password. The machine password is
# needed by the Listener who replicates the changed password to the
# local server's LDAP.
echo -n "$(date +"%y%m%d%H%M"): " >>/etc/machine.secret.old
cat "$old_pass" >>/etc/machine.secret.old
chmod 600 /etc/machine.secret.old

# change machine.secret and restart listener
cp "$new_pass" >/etc/machine.secret
chmod 600 /etc/machine.secret
[ -x /etc/init.d/univention-directory-listener ] && invoke-rc.d univention-directory-listener restart >&3

# The password is changed on the master now, but it is not clear if
# this change has been replicated to the local host yet.
# Do the same test as above but with the local LDAP replication.
if ! try_ldap "$new_pass"
then
	# The server is in an inconsistent state because the new password has
	# been set with UDM but LDAP does't work with it. Do not continue with
	# changes that would only worsen the situation. Instead, try to rollback.
	# Reset the old password with UDM and give up.
	/usr/sbin/univention-directory-manager "computers/$server_role" modify \
		--binddn "$ldap_hostdn" --bindpwfile "$new_pass" \
		--dn "$ldap_hostdn" --set password="$(cat "$old_pass")" >&3 2>&3

	# Rollback /etc/machine.secret and restart listener
	cp "$old_pass" /etc/machine.secret
	chmod 600 /etc/machine.secret
	[ -x /etc/init.d/univention-directory-listener ] && invoke-rc.d univention-directory-listener restart >&3

	# run hook scripts for "nochange" (which are named '^[A-Za-z0-9_-]+$')
	run-parts --verbose --arg nochange -- /usr/lib/univention-server/server_password_change.d >&3 2>&3
	FAIL "resetting old server password for $ldap_hostdn, because access to local LDAP did not work with the new password"
fi
		awk '{pwd=$2}; END {printf("%s", pwd)}' /etc/machine.secret.old > /etc/machine.secret
		chmod 600 /etc/machine.secret
		[ -e /etc/init.d/univention-directory-listener ] && invoke-rc.d univention-directory-listener restart >&3

		# run hook scripts for "nochange" (which are named '^[A-Za-z0-9_-]+$')
		run-parts --verbose --arg nochange -- /usr/lib/univention-server/server_password_change.d >&3 2>&3
		FAIL "resetting old server password for $ldap_hostdn, because access to local LDAP did not work with the new password"
	fi
	trial_counter=$(( trial_counter - 1))
done

# At this point the server password has been changed.
# The change has gone beyond the point-of-no-return and

# obvious through the log file. It is essential now to
# go all the way through all the run-parts scripts with postchange.

if [ "$server_role" != "domaincontroller_master" ] && [ "$server_role" != "domaincontroller_backup" ]; then
	if [ -x /etc/init.d/univention-directory-listener ]; then
		invoke-rc.d univention-directory-listener crestart >&3 2>&3
	fi
fi

# run hook scripts for "postchange" (which are named '^[A-Za-z0-9_-]+$')
# Use run-parts without --exit-on-error; go through all scripts.
run-parts --verbose --arg postchange -- /usr/lib/univention-server/server_password_change.d >&3 2>&3




# /usr/share/common-licenses/AGPL-3; if not, see
# <http://www.gnu.org/licenses/>.

export PATH=/sbin:/usr/sbin:$PATH

eval "$(univention-config-registry shell ldap/server/name ldap/server/addition ldap/server/port)"

for h in $ldap_server_name $ldap_server_addition
do
	if /bin/netcat -q0 -w4 "$h" "${ldap_server_port:-7389}" </dev/null >/dev/null 2>&1
	then
		exit 0
	fi
done

if [ -n "$ldap_server_addition" ] && [ $exit_code = 1 ]; then
	for h in  $ldap_server_addition; do
		if /bin/netcat -q0 -w4 $h 7389 </dev/null >/dev/null 2>&1; then
			exit_code=0
			break
		fi
	done
fi

exit 1

Return to bug 31026