From 7cc29d2547be2e3a47403c4b16c4c5ce6e22a221 Mon Sep 17 00:00:00 2001 From: Pierangelo Masarati Date: Thu, 11 May 2006 00:12:54 +0000 Subject: [PATCH] allow slappasswd to generate cleartext secret --- doc/man/man8/slappasswd.8 | 40 ++++++++++++++++++--- servers/slapd/slappasswd.c | 72 ++++++++++++++++++++++++++++++++++---- 2 files changed, 100 insertions(+), 12 deletions(-) diff --git a/doc/man/man8/slappasswd.8 b/doc/man/man8/slappasswd.8 index 8cd7d8a587..b480d5ccfc 100644 --- a/doc/man/man8/slappasswd.8 +++ b/doc/man/man8/slappasswd.8 @@ -8,7 +8,7 @@ slappasswd \- OpenLDAP password utility .B SBINDIR/slappasswd .B [\-v] .B [\-u] -.B [\-s secret|\-T file] +.B [\-g|\-s secret|\-T file] .B [\-h hash] .B [\-c salt-format] .B @@ -35,20 +35,46 @@ by default. This option is provided for forward compatibility. .TP .BI \-s " secret" The secret to hash. -If this and +If this, +.B \-g +and .B \-T are absent, the user will be prompted for the secret to hash. -.B \-s +.BR \-s , +.B \-g and .B \-T and mutually exclusive flags. .TP +.BI \-g +Generate the secret. +If this, +.B \-s +and +.B \-T +are absent, the user will be prompted for the secret to hash. +.BR \-s , +.B \-g +and +.B \-T +and mutually exclusive flags. +If this is present, +.I {CLEARTEXT} +is used as scheme. +.B \-g +and +.B \-h +are mutually exclusive flags. +.TP .BI \-T " file" Hash the contents of the file. -If this and +If this, +.B \-g +and .B \-s are absent, the user will be prompted for the secret to hash. -.B \-s +.BR \-s , +.B \-g and .B \-T and mutually exclusive flags. @@ -87,6 +113,10 @@ uses the .B {CLEARTEXT} indicates that the new password should be added to userPassword as clear text. +Unless +.I {CLEARTEXT} +is used, this flag is incompatible with +.BR \-g . .TP .BI \-c " crypt-salt-format" Specify the format of the salt passed to diff --git a/servers/slapd/slappasswd.c b/servers/slapd/slappasswd.c index 1bfdb768f1..0d18eadf78 100644 --- a/servers/slapd/slappasswd.c +++ b/servers/slapd/slappasswd.c @@ -32,6 +32,7 @@ #include #include +#include #include #include @@ -44,9 +45,10 @@ usage(const char *s) { fprintf(stderr, "Usage: %s [options]\n" + " -c format\tcrypt(3) salt format\n" + " -g\n" " -h hash\tpassword scheme\n" " -s secret\tnew password\n" - " -c format\tcrypt(3) salt format\n" " -u\t\tgenerate RFC2307 values (default)\n" " -v\t\tincrease verbosity\n" " -T file\tread file for new password\n" @@ -58,11 +60,13 @@ usage(const char *s) int slappasswd( int argc, char *argv[] ) { + char *cleartext_scheme = "{CLEARTEXT}"; #ifdef LUTIL_SHA1_BYTES - char *scheme = "{SSHA}"; + char *default_scheme = "{SSHA}"; #else - char *scheme = "{SMD5}"; + char *default_scheme = "{SMD5}"; #endif + char *scheme = default_scheme; char *newpw = NULL; char *pwfile = NULL; @@ -74,7 +78,7 @@ slappasswd( int argc, char *argv[] ) struct berval hash; while( (i = getopt( argc, argv, - "c:d:h:s:T:vu" )) != EOF ) + "c:d:gh:s:T:vu" )) != EOF ) { switch (i) { case 'c': /* crypt salt format */ @@ -82,21 +86,75 @@ slappasswd( int argc, char *argv[] ) lutil_salt_format( optarg ); break; + case 'g': /* new password (generate) */ + if ( pwfile != NULL ) { + fprintf( stderr, "Option -s incompatible with -T\n" ); + return EXIT_FAILURE; + + } else if ( newpw != NULL ) { + fprintf( stderr, "New password already provided\n" ); + return EXIT_FAILURE; + + } else if ( scheme != default_scheme && strcmp( scheme, cleartext_scheme ) != 0 ) { + fprintf( stderr, "Option -g incompatible with scheme \"%s\"\n", scheme ); + return EXIT_FAILURE; + + } else { + struct berval p = BER_BVNULL; + + lutil_passwd_generate( &p, 8 ); + + newpw = p.bv_val; + + scheme = cleartext_scheme; + } + break; + case 'h': /* scheme */ - scheme = strdup( optarg ); + if ( scheme == cleartext_scheme ) { + if ( strcmp( optarg, cleartext_scheme ) != 0 ) { + fprintf( stderr, "Option -h incompatible with -g\n" ); + return EXIT_FAILURE; + } + + } else if ( scheme != default_scheme ) { + fprintf( stderr, "Scheme already provided\n" ); + return EXIT_FAILURE; + + } else { + scheme = strdup( optarg ); + } break; case 's': /* new password (secret) */ - { + if ( pwfile != NULL ) { + fprintf( stderr, "Option -s incompatible with -T\n" ); + return EXIT_FAILURE; + + } else if ( newpw != NULL ) { + fprintf( stderr, "New password already provided\n" ); + return EXIT_FAILURE; + + } else { char* p; newpw = strdup( optarg ); for( p = optarg; *p != '\0'; p++ ) { *p = '\0'; } - } break; + } + break; case 'T': /* password file */ + if ( pwfile != NULL ) { + fprintf( stderr, "Password file already provided\n" ); + return EXIT_FAILURE; + + } else if ( newpw != NULL ) { + fprintf( stderr, "Option -T incompatible with -s/-g\n" ); + return EXIT_FAILURE; + + } pwfile = optarg; break;