integ/ldap/ldapscripts/debian/patches/0001-Reset-password-after-user-is-added.patch
Andy Ning 1d73a1bd70 Patch ldapscripts to support user password change
This is part of the change to replace nslcd with sssd to
support multiple secure ldap backends.

This change patched ldapscripts (ldapadduser) to reset password
right after the ldap user is created on Debian. With its password
reset, the ldap user will be forced to change its password at
first login, the similar behavior as on CentOS.

Test Plan on Debian (SX and DX):
PASS: Package build, image build.
PASS: System deployment.
PASS: ldap user added by ldapadduser or ldapusersetup will be asked
      to change password at first login (either on console or by
      ssh)
PASS: Change checked by shellcheck, warnings investigated.

Story: 2009834
Task: 46068
Depends-On: https://review.opendev.org/c/starlingx/metal/+/854203
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: I13f098c6053816bb3b0450c039caccf94c04d55d
2022-08-24 13:42:54 -04:00

47 lines
1.5 KiB
Diff

From 78fd27c8a743b8de335fa1d2578c0569114f1bfe Mon Sep 17 00:00:00 2001
From: Andy Ning <andy.ning@windriver.com>
Date: Tue, 9 Aug 2022 15:40:50 +0000
Subject: [PATCH] Reset password after user is added
After user is added and password set, reset its password so that
the user will be asked to change password at first login, a similar
behavior as in CentOS.
Signed-off-by: Andy Ning <andy.ning@windriver.com>
---
sbin/ldapadduser | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/sbin/ldapadduser b/sbin/ldapadduser
index cc44f7d..ecc073e 100755
--- a/sbin/ldapadduser
+++ b/sbin/ldapadduser
@@ -77,6 +77,24 @@ if [ -n "$_PASSWORD" ]
then
_changepassword "$_PASSWORD" "uid=$_USER,$USUFFIX,$SUFFIX"
[ $? -eq 0 ] && echo_log "Successfully set password for user $_USER"
+
+ # reset user's password so the user will be asked to change password.
+ # These variables are used by the runtime script _ldapmodify which is sourced.
+ _ACTION="add"
+ _FIELD="pwdReset"
+ _VALUE="TRUE"
+
+ # Use template if necessary
+ if [ -n "$UMTEMPLATE" ] && [ -r "$UMTEMPLATE" ]
+ then
+ _getldif="cat $UMTEMPLATE"
+ else
+ _getldif="_extractldif 2"
+ fi
+
+ $_getldif | _filterldif | _utf8encode | _ldapmodify
+ [ $? -eq 0 ] || end_die "Error resetting password for user $_USER"
+ warn_log "Warning : password is reset, user will be asked to change password at login"
else
[ -n "$PASSWORDGEN" ] && warn_log "Warning : got invalid password for user $_USER (password not set)"
fi
--
2.25.1