FIX: ldap_authentication.sh no longer accepts PW as command line arg

See #11.

FIX: ldap_authentication.sh no longer accepts PW as command line arg
ba63d1c1 · Daniel Hornung · 2f697124 · ba63d1c1 · ba63d1c1
Commit ba63d1c1 authored 4 years ago by Daniel Hornung
--- a/misc/pam_authentication/ldap.conf
+++ b/misc/pam_authentication/ldap.conf
@@ -2,6 +2,6 @@


 # Set the ldap server here.  This is also used to generate a fully qualified
-# user name.
+# user name: <USER>@$LDAP_SERVER

 # LDAP_SERVER="example.com"
--- a/misc/pam_authentication/ldap_authentication.sh
+++ b/misc/pam_authentication/ldap_authentication.sh
@@ -21,10 +21,10 @@
 #
 # ** end header

-# Try to authenticate a user ($1) with a password ($2) via LDAP
+# Try to authenticate a user ($1) via LDAP, either via stdin or a password file ($2, if given).

-[[ "$#" == "2" ]] || {
-    echo "call this script with two arguments: user and password"
+[[ "$#" == "1" || "$#" == "2" ]] || {
+    echo "Call this script as: $0 <user> [<password file>]"
    exit 1
 }

@@ -33,11 +33,17 @@
 exe_dir=$(dirname $0)
 . "$exe_dir/"ldap.conf

+# If the second argument is empty or "-", take password from stdin, else use the argument as a file.
 testpw() {
    username="${1}@${LDAP_SERVER}"
-    pw="$2"
+    pwfile="$2"
+    pwargs=("-w" "$pwfile")
+    if [[ $pwfile == "-" ]] ; then
+        pwargs=("-W")
+    fi

-    if timeout 5s ldapwhoami -x -H "ldap://$LDAP_SERVER" -D "$username" -w "$pw"; then
+    export LDAPTLS_REQCERT=ALLOW
+    if timeout 5s ldapwhoami -x -H "ldaps://$LDAP_SERVER" -D "$username" "${pwargs[@]}"; then
        return 0
    else
        ret_code="$?"
@@ -48,7 +54,7 @@ testpw() {
        return "$ret_code"
    fi

-    ldapwhoami -x -H "ldap://$LDAP_SERVER" -D "$username" -w "$pw"
+    ldapwhoami -x -H "ldaps://$LDAP_SERVER" -D "$username" "${pwargs[@]}"

 }