From ba63d1c1459f3c1c6b74e139627735b97ba11b36 Mon Sep 17 00:00:00 2001
From: Daniel Hornung <d.hornung@indiscale.com>
Date: Wed, 10 Jun 2020 16:22:50 +0200
Subject: [PATCH] FIX: ldap_authentication.sh no longer accepts PW as command
 line arg

See #11.
---
 misc/pam_authentication/ldap.conf              |  2 +-
 misc/pam_authentication/ldap_authentication.sh | 18 ++++++++++++------
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/misc/pam_authentication/ldap.conf b/misc/pam_authentication/ldap.conf
index aca5b049..117d1074 100644
--- a/misc/pam_authentication/ldap.conf
+++ b/misc/pam_authentication/ldap.conf
@@ -2,6 +2,6 @@
 
 
 # Set the ldap server here.  This is also used to generate a fully qualified
-# user name.
+# user name: <USER>@$LDAP_SERVER
 
 # LDAP_SERVER="example.com"
diff --git a/misc/pam_authentication/ldap_authentication.sh b/misc/pam_authentication/ldap_authentication.sh
index 1e3ee2e8..f887bf99 100755
--- a/misc/pam_authentication/ldap_authentication.sh
+++ b/misc/pam_authentication/ldap_authentication.sh
@@ -21,10 +21,10 @@
 #
 # ** end header
 
-# Try to authenticate a user ($1) with a password ($2) via LDAP
+# Try to authenticate a user ($1) via LDAP, either via stdin or a password file ($2, if given).
 
-[[ "$#" == "2" ]] || {
-    echo "call this script with two arguments: user and password"
+[[ "$#" == "1" || "$#" == "2" ]] || {
+    echo "Call this script as: $0 <user> [<password file>]"
     exit 1
 }
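Review bot: The usage message on the added `echo` line goes to stdout, where a caller capturing the script's output (PAM helpers often do) will mix it with real results; diagnostics belong on stderr. Suggest `echo "Call this script as: $0 <user> [<password file>]" >&2`. The argument-count test itself is fine, but the message could also say that `-` (or no second argument) means the password is read from stdin, since that is what the comment further down promises.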
 
@@ -33,11 +33,17 @@
 exe_dir=$(dirname $0)
 . "$exe_dir/"ldap.conf
 
+# If the second argument is empty or "-", take password from stdin, else use the argument as a file.
 testpw() {
     username="${1}@${LDAP_SERVER}"
-    pw="$2"
+    pwfile="$2"
+    pwargs=("-w" "$pwfile")
+    if [[ $pwfile == "-" ]] ; then
+        pwargs=("-W")
+    fi
 
-    if timeout 5s ldapwhoami -x -H "ldap://$LDAP_SERVER" -D "$username" -w "$pw"; then
+    export LDAPTLS_REQCERT=ALLOW
+    if timeout 5s ldapwhoami -x -H "ldaps://$LDAP_SERVER" -D "$username" "${pwargs[@]}"; then
         return 0
     else
         ret_code="$?"
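Review bot: The new `pwargs=("-w" "$pwfile")` does not do what the commit title says: ldapwhoami's `-w` takes the password itself as the argument, so a caller passing a password file ends up binding with the file's path as the password (and it is still visible in `ps`); reading a file needs `-y "$pwfile"`. Two more problems in this hunk: the comment says an empty second argument means stdin, but with one argument `$pwfile` is empty and the code sends `-w ""`, which some directory servers treat as an unauthenticated bind that succeeds, so the script could report success for a user with no password at all; and `export LDAPTLS_REQCERT=ALLOW` tells libldap to accept any or no server certificate, which removes the benefit of the switch to `ldaps://` — whoever answers on that hostname receives the user's password. I would default the second argument to `-`, use `-y` (via `/dev/stdin` for the stdin case, noting that `-y` takes the file contents verbatim, trailing newline included, so the caller must write the password without one — I believe `-W` prompts on the terminal rather than reading stdin, so it is not a substitute when the script is driven non-interactively), and drop the `ALLOW` setting so the libldap default (`demand`) applies, pointing `LDAPTLS_CACERT` at the CA bundle if the server uses a private CA. The `if` opened here is closed in the next hunk, so the rest of `testpw` is outside this one.
```shell
testpw() {
    username="${1}@${LDAP_SERVER}"
    # Second argument: password file, or "-"/empty for stdin.
    pwfile="${2:--}"
    if [[ "$pwfile" == "-" ]]; then
        pwargs=("-y" "/dev/stdin")   # whole stdin is the password; no trailing newline
    else
        pwargs=("-y" "$pwfile")      # -y reads the password from a file, -w would use the path itself
    fi

    # Keep libldap's default LDAPTLS_REQCERT=demand so the server certificate is verified;
    # set LDAPTLS_CACERT (e.g. in ldap.conf) if the server uses a private CA.
    if timeout 5s ldapwhoami -x -H "ldaps://$LDAP_SERVER" -D "$username" "${pwargs[@]}"; then
    # … unchanged: return 0 / else branch …
```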
@@ -48,7 +54,7 @@ testpw() {
         return "$ret_code"
     fi
 
-    ldapwhoami -x -H "ldap://$LDAP_SERVER" -D "$username" -w "$pw"
+    ldapwhoami -x -H "ldaps://$LDAP_SERVER" -D "$username" "${pwargs[@]}"
 
 }
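Review bot: The `ldapwhoami` call after the `fi` is unreachable: the `then` branch returns 0 and the `else` branch returns `$ret_code`, so control never reaches it (assuming the four lines between this hunk and the previous one do not alter control flow — they are not visible here). It should simply be deleted rather than updated; keeping it means a second copy of the bind invocation that would have to be kept in sync with the real one above, including whatever password-passing flags are settled on there. The `if` this `fi` closes begins in the previous hunk.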
 
-- 
GitLab