|
1
by Adam Sommer
initial import |
1 |
2007/11/28 : ldapscripts 1.7.2 |
2 |
- runtime : Use 'trap - <signal>' to restore traps instead of the uncommon 'trap -' syntax |
|
3 |
- runtime : Fix _changepasswd by removing the trailing newline character in the temporary file (echo -n) |
|
4 |
||
5 |
2007/10/13 : ldapscripts 1.7.1 |
|
6 |
- Fixes for CVE-2007-5373 |
|
7 |
see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5373 |
|
8 |
and http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=445582 |
|
9 |
||
10 |
1) Up to now, each ldap* command was called with the -w parameter, which allows to |
|
11 |
specify the bind password on the command line. Unfortunately, this could make the |
|
12 |
password appear to anybody performing a `ps` during the call. This is now avoided |
|
13 |
by using the -y parameter and a password file. |
|
14 |
||
15 |
-> A new BINDPWDFILE option has been added : it specifies the path to the bind |
|
16 |
password file. This file can be created by something like : |
|
17 |
'echo -n 'password' > $BINDPWDFILE' and you can now safely remove (or comment) the |
|
18 |
BINDPWD parameter from your configuration file. |
|
19 |
||
20 |
2) Changing a user password could also reveal the new password on the command line, |
|
21 |
because of the use of ldappasswd's -s option. This has been fixed by using a temporary |
|
22 |
file containing the new password (and ldappassword's -T option). |
|
23 |
||
24 |
-> [internals] New mktempf() and reltempf() functions have been added |
|
25 |
||
26 |
[For older versions of OpenLDAP, -y and -T parameters may not be available. It is still |
|
27 |
possible to use the old BINDPWD parameter. Just uncomment it from the configuration file |
|
28 |
and comment the BINDPWDFILE parameter (which takes precedence over BINDPWD). The |
|
29 |
ldapscripts will just behave as previously and use inline -w and -s parameters, warning |
|
30 |
you this is not secure way of running them.] |
|
31 |
||
32 |
3) A similar problem related to sed expressions has been found : it may also lead to |
|
33 |
reveal a user's password to `ps` users. This is now fixed by using temporary files |
|
34 |
containing sed expressions (and sed's -f option). |
|
35 |
||
36 |
4) A new test has been added to check if 'echo' and '[' are built-in or not. If not, |
|
37 |
you'll be warned that the ldapscripts may not be safe to use (because these commands |
|
38 |
manipulate passwords when creating temporary files).
|
|
39 |
||
40 |
-> [internals] New is_builtin() function
|
|
41 |
||
42 |
Note that these flaws depend largely on your kernel configuration : hardened kernels
|
|
43 |
should not be impacted (e.g. if you use security.bsd.see_other_[u|g]ids sysctls on
|
|
44 |
FreeBSD). It may also depend on the version of OpenLDAP client commands you run.
|
|
45 |
||
46 |
Thanks a lot to Don and Madcoder for their help !
|
|
47 |
||
48 |
- Few fixes to avoid using non-standard 'if ! command's... |
|
49 |
||
50 |
2007/09/03 : ldapscripts 1.7
|
|
51 |
- Fixed several typos and bugs
|
|
52 |
- _ldapinit : new options : '-r' and '-s' to create only the root dn ('-r'), or regular OUs ('-s') |
|
53 |
- [internals] Added the ability to select depth when using _extractldif()
|
|
54 |
- [internals] New is_integer function
|
|
55 |
- _lsldap : new options : '-u', '-g' and '-m', to list only 'u'ser, 'g'roup or 'm'achine entries |
|
56 |
- New _ldapmodify{user,group,machine} interactive scripts to edit entries
|
|
57 |
- Added a new $TMPDIR configuration variable (necessary for the new scripts)
|
|
58 |
- Added _ldapmodify{user,group,machine}(1) manpages
|
|
59 |
- Now bundled with a brand-new Makefile (old install script no more available)
|
|
60 |
||
61 |
2007/04/20 : ldapscripts 1.6
|
|
62 |
- Fixed typos
|
|
63 |
- internal _ldapsearch() improved
|
|
64 |
- New _ldapfinger command to display a user/machine/group POSIX account's details |
|
65 |
- ldapadduser : new option to set the defaults permissions when creating home directories (thanks to Guillaume Rousse) |
|
66 |
- It is now possible to use a full URI instead of a name for the SERVER directive (thanks to Guillaume Rousse) |
|
67 |
- It is now possible to use external LDIF templates when creating a user/machine/group (thanks to Guillaume Rousse) |
|
68 |
See TEMPLATES options in the ldapscripts.conf file and *.template.sample files in the etc/ directory |
|
69 |
- Now use 'sort -n' instead of 'sort -g' when extracting the last account from the directory (thanks to Rudi van Drunen) |
|
70 |
- Added a 'description' attribute for group accounts |
|
71 |
||
72 |
2007/01/03 : ldapscripts 1.5 |
|
73 |
- Fixed typos (thanks to Mikael Lammentausta) |
|
74 |
- Small fixes to the install script |
|
75 |
- ldapadduser : use $_UID instead of $_USER while chown'ing homedir (thanks to Mikael Lammentausta) |
|
76 |
- ldapadduser : new option to ask for the gecos (thanks to Mikael Lammentausta)
|
|
77 |
- ldapadduser : new option to copy skeleton files to home directories (thanks to Mikael Lammentausta)
|
|
78 |
- ldapadduser : now skip user's home dir creation if it already exists |
|
79 |
- ldapadduser/ldapaddmachine : modified account description attributes : set to 'User account' or 'Machine account' |
|
80 |
- ldapadduser/ldapaddgroup/ldapaddmachine : use $_USER and $_GROUP instead of $1 when possible |
|
81 |
- New _ldappasswd script to modify a user's password (suggested by Mikael Lammentausta) |
|
82 |
||
83 |
2006/01/05 : ldapscripts 1.4
|
|
84 |
- More code cleaning !!! Code now clean... (and bug-free ???) - thanks to Madcoder for the help he provided !
|
|
85 |
- Removed dependency to slappasswd !!! Using ldappasswd instead (included in the standard ldap-client commands)
|
|
86 |
- Added new ldaprenameuser command (uses ldapmodrdn included in the standard ldap-client commands)
|
|
87 |
Add this to Samba 3.0.21's configuration file : rename user script = ldaprenameuser '%uold' '%unew' |
|
88 |
Warning : renaming an entry (user/group/machine) only involves renaming its RDN ! |
|
89 |
This means may have to change manually the account's homedir (user) and modify each group to include the new |
|
90 |
rdn (user/machine) as a memberuid.
|
|
91 |
- Also added useful _ldaprenamegroup and _ldaprenamemachine scripts (not used by Samba)
|
|
92 |
- A user/machine is now searched using its uid (no more use of its cn)
|
|
93 |
- Full command now shown in logs
|
|
94 |
- Modified README
|
|
95 |
- New TODO file
|
|
96 |
- Man pages (section 1 for each script, section 5 for a global "ldapscripts" manual)
|
|
97 |
||
98 |
2005/10/01 : ldapscripts 1.3
|
|
99 |
Compatibility rework / code cleaning - the scripts now work on FreeBSD !
|
|
100 |
- no more calls to "source", use . instead
|
|
101 |
- now using "=" instead of "==" in test
|
|
102 |
- now return 1 instead of -1 when an error occurs
|
|
103 |
- added possibility to specify the getent command, so you can use pw instead (for FreeBSD)
|
|
104 |
- added auto-guess for this command if left blank in conf file
|
|
105 |
- splitted the horrible conf file into a real conf file and a "runtime" file
|
|
106 |
||
107 |
2005/07/15 : ldapscript 1.2
|
|
108 |
- applied patch from Vincent Esposito to make sure uid/gid/mid found in LDAP is higher than *START ones
|
|
109 |
- small documentation modifications
|
|
110 |
||
111 |
2005/02/18 : ldapscripts 1.1
|
|
112 |
- added _ldapinit command, to inititalize an LDAP directory with a minimal hierarchy
|
|
113 |
- added support for home directories creation (see ldapscripts.conf)
|
|
114 |
- no more need for backslashes in user home directories and user shell in ldapscripts.conf
|
|
115 |
- added support for initializing (randomized) passwords when adding a user.
|
|
116 |
- Passwords can also be recorded into a log file when performing a massive user creation (see ldapscripts.conf)
|
|
117 |
||
118 |
2005/02/07 : ldapscripts 1.0
|