Patch ldapscripts to support user password change
This is part of the change to replace nslcd with sssd to support multiple secure ldap backends. This change patched ldapscripts (ldapadduser) to reset the password right after the ldap user is created on Debian. With its password reset, the ldap user will be forced to change its password at first login, a similar behavior as on CentOS.

Test Plan on Debian (SX and DX):
PASS: Package build, image build.
PASS: System deployment.
PASS: ldap user added by ldapadduser or ldapusersetup will be asked to change password at first login (either on console or by ssh).
PASS: Change checked by shellcheck, warnings investigated.

Story: 2009834
Task: 46068
Depends-On: https://review.opendev.org/c/starlingx/metal/+/854203
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: I13f098c6053816bb3b0450c039caccf94c04d55d
This commit is contained in:
parent: df777c46ba
commit: 1d73a1bd70
@ -0,0 +1,46 @@
From 78fd27c8a743b8de335fa1d2578c0569114f1bfe Mon Sep 17 00:00:00 2001
From: Andy Ning <andy.ning@windriver.com>
Date: Tue, 9 Aug 2022 15:40:50 +0000
Subject: [PATCH] Reset password after user is added

After user is added and password set, reset its password so that
the user will be asked to change password at first login, a similar
behavior as in CentOS.

Signed-off-by: Andy Ning <andy.ning@windriver.com>
---
sbin/ldapadduser | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)

diff --git a/sbin/ldapadduser b/sbin/ldapadduser
index cc44f7d..ecc073e 100755
--- a/sbin/ldapadduser
+++ b/sbin/ldapadduser
@@ -77,6 +77,24 @@ if [ -n "$_PASSWORD" ]
then
_changepassword "$_PASSWORD" "uid=$_USER,$USUFFIX,$SUFFIX"
[ $? -eq 0 ] && echo_log "Successfully set password for user $_USER"
+
+ # reset user's password so the user will be asked to change password.
+ # These variables are used by the runtime script _ldapmodify which is sourced.
+ _ACTION="add"
+ _FIELD="pwdReset"
+ _VALUE="TRUE"
+
+ # Use template if necessary
+ if [ -n "$UMTEMPLATE" ] && [ -r "$UMTEMPLATE" ]
+ then
+ _getldif="cat $UMTEMPLATE"
+ else
+ _getldif="_extractldif 2"
+ fi
+
+ $_getldif | _filterldif | _utf8encode | _ldapmodify
+ [ $? -eq 0 ] || end_die "Error resetting password for user $_USER"
+ warn_log "Warning : password is reset, user will be asked to change password at login"
else
[ -n "$PASSWORDGEN" ] && warn_log "Warning : got invalid password for user $_USER (password not set)"
fi
--
2.25.1

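Review bot: The status check `[ $? -eq 0 ] || end_die "Error resetting password for user $_USER"` after the pipeline `$_getldif | _filterldif | _utf8encode | _ldapmodify` only sees the exit status of `_ldapmodify`, the last stage; a failing `cat $UMTEMPLATE` or `_extractldif 2` that yields empty or partial LDIF is not caught unless `set -o pipefail` is in effect or each stage is checked on its own. Note also that this `end_die` fires after `_changepassword` has already succeeded (see the context line `Successfully set password for user $_USER`), so the failure path leaves a fully usable account whose password is not flagged for reset; the error message should say so, and the precondition that the directory supports the `pwdReset` attribute (an OpenLDAP password policy overlay attribute) deserves a comment next to `_FIELD="pwdReset"`. Finally, `_extractldif 2` and `$UMTEMPLATE` assume ldapadduser carries a second embedded LDIF template for modify operations; this diff does not add one, so the dependency on whichever earlier patch in the series provides it should be stated in the patch description.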
@ -5,3 +5,4 @@ ldap-user-setup-support.patch
allow-anonymous-bind-for-ldap-search.patch
ldapscripts-templates.patch
install-ldapscripts-files-to-etc.patch
0001-Reset-password-after-user-is-added.patch
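Review bot: The new series entry `0001-Reset-password-after-user-is-added.patch` keeps git format-patch's `0001-` sequence prefix while every other entry in the file (`ldap-user-setup-support.patch`, `allow-anonymous-bind-for-ldap-search.patch`, `ldapscripts-templates.patch`, `install-ldapscripts-files-to-etc.patch`) is named descriptively without one; renaming it to match (for example `reset-password-after-user-is-added.patch`) keeps the series consistent. Appending it last is the right order only if the template handling it relies on (`$UMTEMPLATE`, `_extractldif 2`) is introduced by the patches above it, which is worth confirming and noting in the commit message.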