From 1d73a1bd701b5c709e27c8098610dd7e9cbd52d6 Mon Sep 17 00:00:00 2001 From: Andy Ning Date: Wed, 17 Aug 2022 14:19:46 -0400 Subject: [PATCH] Patch ldapscripts to support user password change This is part of the change to replace nslcd with sssd to support multiple secure ldap backends. This change patched ldapscripts (ldapadduser) to reset password right after the ldap user is created on Debian. With its password reset, the ldap user will be forced to change its password at first login, the similar behavior as on CentOS. Test Plan on Debian (SX and DX): PASS: Package build, image build. PASS: System deployment. PASS: ldap user added by ldapadduser or ldapusersetup will be asked to change password at first login (either on console or by ssh) PASS: Change checked by shellcheck, warnings investigated. Story: 2009834 Task: 46068 Depends-On: https://review.opendev.org/c/starlingx/metal/+/854203 Signed-off-by: Andy Ning Change-Id: I13f098c6053816bb3b0450c039caccf94c04d55d
---
 ...1-Reset-password-after-user-is-added.patch | 46 +++++++++++++++++++
 ldap/ldapscripts/debian/patches/series | 1 +
 2 files changed, 47 insertions(+)
 create mode 100644 ldap/ldapscripts/debian/patches/0001-Reset-password-after-user-is-added.patch
diff --git a/ldap/ldapscripts/debian/patches/0001-Reset-password-after-user-is-added.patch b/ldap/ldapscripts/debian/patches/0001-Reset-password-after-user-is-added.patch
new file mode 100644
index 000000000..6ac0aafaf
--- /dev/null
+++ b/ldap/ldapscripts/debian/patches/0001-Reset-password-after-user-is-added.patch
@@ -0,0 +1,46 @@
+From 78fd27c8a743b8de335fa1d2578c0569114f1bfe Mon Sep 17 00:00:00 2001
+From: Andy Ning
+Date: Tue, 9 Aug 2022 15:40:50 +0000
+Subject: [PATCH] Reset password after user is added
+
+After user is added and password set, reset its password so that
+the user will be asked to change password at first login, a similar
+behavior as in CentOS.
+
+Signed-off-by: Andy Ning
+---
+ sbin/ldapadduser | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/sbin/ldapadduser b/sbin/ldapadduser
+index cc44f7d..ecc073e 100755
+--- a/sbin/ldapadduser
++++ b/sbin/ldapadduser
+@@ -77,6 +77,24 @@ if [ -n "$_PASSWORD" ]
+ then
+ _changepassword "$_PASSWORD" "uid=$_USER,$USUFFIX,$SUFFIX"
+ [ $? -eq 0 ] && echo_log "Successfully set password for user $_USER"
++
++ # reset user's password so the user will be asked to change password.
++ # These variables are used by the runtime script _ldapmodify which is sourced.
++ _ACTION="add"
++ _FIELD="pwdReset"
++ _VALUE="TRUE"
++
++ # Use template if necessary
++ if [ -n "$UMTEMPLATE" ] && [ -r "$UMTEMPLATE" ]
++ then
++ _getldif="cat $UMTEMPLATE"
++ else
++ _getldif="_extractldif 2"
++ fi
++
++ $_getldif | _filterldif | _utf8encode | _ldapmodify
++ [ $? -eq 0 ] || end_die "Error resetting password for user $_USER"
++ warn_log "Warning : password is reset, user will be asked to change password at login"
+ else
+ [ -n "$PASSWORDGEN" ] && warn_log "Warning : got invalid password for user $_USER (password not set)"
+ fi
+--
+2.25.1
+
diff --git a/ldap/ldapscripts/debian/patches/series b/ldap/ldapscripts/debian/patches/series
index 1f8162336..c76e5119c 100644
--- a/ldap/ldapscripts/debian/patches/series
+++ b/ldap/ldapscripts/debian/patches/series
@@ -5,3 +5,4 @@ ldap-user-setup-support.patch
 allow-anonymous-bind-for-ldap-search.patch
 ldapscripts-templates.patch
 install-ldapscripts-files-to-etc.patch
+0001-Reset-password-after-user-is-added.patch
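Review bot: The pwdReset modification is sent even when `_changepassword` failed, because the preceding context line `[ $? -eq 0 ] && echo_log ...` only logs success and the new block that follows is unconditional, so a user whose password could not be set still gets `pwdReset: TRUE` and the script then prints "password is reset". Capture the status with `_PWSTATUS=$?` directly after the `_changepassword` line and wrap the whole added block in `if [ "$_PWSTATUS" -eq 0 ] ... fi` so the reset and its warning only follow a successful password set. The fallback `_getldif="_extractldif 2"` appears to extract section 2 of the running script, i.e. ldapadduser's own embedded LDIF rather than a modify template, so unless ldapadduser carries an embedded block with the placeholders that `_ACTION`/`_FIELD`/`_VALUE` fill, the no-template path would feed the wrong LDIF to `_ldapmodify`; if the patch relies on `UMTEMPLATE` always being installed (the series' ldapscripts-templates.patch may provide it), say so in the comment. The comment `# These variables are used by the runtime script _ldapmodify which is sourced.` would be clearer as `# _ACTION/_FIELD/_VALUE fill the placeholders in the modify LDIF template when it is filtered by the sourced runtime helpers.`, assuming that is where they are consumed. pwdReset is a ppolicy operational attribute, so this step also depends on the ppolicy overlay being active and the bind identity having write access to it; a failure here aborts via `end_die` after the user and its initial password already exist, which is worth noting for operators.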