Re: [389-users] how to generate the userpassword

Grzegorz Dwornicki Sun, 05 Aug 2012 10:29:55 -0700

Here it is. I was using it to change password on openldap + samba using
ldap. Samba has its own password attribute. This script takes password from
user, encrypt it in crypt + call smbpasswd to set password aswell.


$ cat sambaldapnewpass
#!/bin/bash

#ask user for password:

BASEDN="dc=org1,dc=county"
USERDN="dc=domain1"
BASEDIR=/home/lol87

#login LDAP format: uid=$LOGIN,$USERDN,$BASEDN

if  [ -e $1 ];
then
    echo "Login"
    read LOGIN
else
    LOGIN=$1
fi

stty -echo

PASS=s
PASS2=w

while [ $PASS != $PASS2 ];
do
    echo "new password:"
    read PASS
    echo "repeat new password:"
    read PASS2
done

stty echo

echo $PASS > $BASEDIR/${LOGIN}.tmp
chmod 400 $BASEDIR/${LOGIN}.tmp

#generate new password for LDAP:

LDAPPASS=$(slappasswd -n -h '{crypt}' -c '$6$%.27s' -T
$BASEDIR/${LOGIN}.tmp -n)
echo $LDAPPASS
rm $BASEDIR/${LOGIN}.tmp

cat $BASEDIR/passchange.ldif | sed ' s/LDAPLOGIN/'$LOGIN'/ ' | sed '
s/BASEDN/'$BASEDN'/ ' | sed ' s/USERDN/'$USERDN'/ ' >
$BASEDIR/passchange_tmp.ldif
echo  "userPassword: $LDAPPASS" >> $BASEDIR/passchange_tmp.ldif
ldapmodify -x -D "cn=admin,dc=domain1,dc=org1,dc=county" -w some_password <
$BASEDIR/passchange_tmp.ldif

#rm $BASEDIR/passchange_tmp.ldif

and now:
$ cat passchange.ldif
dn: uid=LDAPLOGIN,USERDN,BASEDN
changetype: modify
replace: userPassword

You may need to change:

slappasswd -n -h '{crypt}' -c '$6$%.27s' -T $BASEDIR/${LOGIN}.tmp -n

paremeter of -c option defines salt. In my experience i saw many Linux
distros having diferent salt. Part "$6$" is required (look in man page of
crypt function) and "%.27s" means to generate 27chars for salt. More
details you may found in man page of slappasswd. Option -h tells slappasswd
to use format provided as parameter in this case crypt.

I did not use it for some time soo please treat this as a template for your
script. I hope this will help you.

Greg.

2012/8/5 Fosiul Alam <fos...@gmail.com>

> Hi Thanks
> i cant use GUI  as the script should take care everything
> I think it would sha1 .
> i will try to find a solution if i cant please post your script here
>
> it would be really helpful
> thanks
>
>
> On Sun, Aug 5, 2012 at 3:49 PM, Grzegorz Dwornicki <gd1...@gmail.com>
> wrote:
> > You can use gui. Just edit user account and type thre new password.
> > Directory server should encypt it before updating the entry in database.
> >
> > If you use slappasswd without any parameters it will ask for password and
> > generate sha1 hash for you. To use crypt you need to set format to crypt,
> > and set proper salt.
> >
> > I shold have on my pc example script using slappasswd i wrote it some
> time
> > ago. I can't post it now bcause at the moment im on the bus. If no one
> will
> > post example of using slappasswd then I will later. Unless you will find
> > solution first.
> >
> > Greg.
> >
> > Send from htc desire z
> >
> > 05-08-2012 15:34, "Fosiul Alam" <fos...@gmail.com> napisał(a):
> >
> >> HI
> >> Thanks for reply
> >> I am using Directory Server 389
> >>
> >> and I am using a script to create the ldif file
> >>
> >> So some how i will  have to create userpassword ..
> >>
> >> But dont understand .. whats the way  to do that
> >> From GUI interface i can create password  easily
> >> so whats the syntax to create userpassword ??
> >>
> >> Regards
> >>
> >>
> >> On Sun, Aug 5, 2012 at 2:25 PM, Christopher Wood
> >> <christopher_w...@pobox.com> wrote:
> >> > Perhaps use slappasswd?
> >> >
> >> > On Sun, Aug 05, 2012 at 01:58:33PM +0100, Fosiul Alam wrote:
> >> >> Hi
> >> >> I am generating  the ldif by script.
> >> >> but i cant understand how  will i generate the userpassword.
> >> >>
> >> >> userPassword: {crypt}x
> >> >>
> >> >> how this crypt or hash working
> >> >>
> >> >> Please give me some lights on this.
> >> >>
> >> >>
> >> >> Regards
> >> >> --
> >> >> 389 users mailing list
> >> >> 389-users@lists.fedoraproject.org
> >> >> https://admin.fedoraproject.org/mailman/listinfo/389-users
> >> > --
> >> > 389 users mailing list
> >> > 389-users@lists.fedoraproject.org
> >> > https://admin.fedoraproject.org/mailman/listinfo/389-users
> >>
> >>
> >>
> >> --
> >> Regards
> >> Fosiul Alam
> >> 07877100621
> >> http://www.fosiul.co.uk
> >> --
> >> 389 users mailing list
> >> 389-users@lists.fedoraproject.org
> >> https://admin.fedoraproject.org/mailman/listinfo/389-users
> >
> >
> > --
> > 389 users mailing list
> > 389-users@lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/389-users
>
>
>
> --
> Regards
> Fosiul Alam
> 07877100621
> http://www.fosiul.co.uk
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] how to generate the userpassword

Reply via email to