From a25941c377e95e69e4d03c37844d2f54005e0845 Mon Sep 17 00:00:00 2001
From: Frank Brehm
Date: Wed, 14 Aug 2019 11:50:49 +0200
Subject: [PATCH] Adding bin/check-ldap-passwd

---
bin/check-ldap-passwd | 84 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 84 insertions(+)
create mode 100755 bin/check-ldap-passwd

diff --git a/bin/check-ldap-passwd b/bin/check-ldap-passwd
new file mode 100755
index 0000000..3514aed
--- /dev/null
+++ b/bin/check-ldap-passwd
@@ -0,0 +1,84 @@
+#!/bin/bash
+
+set -u
+set -e
+
+LDAP_USR="cn=admin"
+LDAP_PWD_FILE="${HOME}/.private/ldap-admin-wonl.txt"
+LDAP_BASE="o=isp"
+
+if [[ ! -f "${LDAP_PWD_FILE}" ]] ; then
+ echo "Password file '${LDAP_PWD_FILE}' not found" >&2
+ exit 3
+fi
+
+if [[ ! -r "${LDAP_PWD_FILE}" ]] ; then
+ echo "Password file '${LDAP_PWD_FILE}' not readable" >&2
+ exit 3
+fi
+
+main() {
+
+ local ldap_user="$1"
+ local passwd="$2"
+
+ #local filter="(&(objectclass=posixAccount)(uidnumber=*)(uid=${ldap_user}))"
+ local filter="(&(|(uid=${ldap_user})(mail=${ldap_user}))(userPassword=*))"
+ local cmd="ldapsearch -x -LLL -o ldif-wrap=no -h ldap.pixelpark.com -p 389"
+ cmd+=" -b \"${LDAP_BASE}\" -v -x -D \"${LDAP_USR}\" -y \"${LDAP_PWD_FILE}\" "
+ cmd+=" \"${filter}\" userPassword 2>&1 | "
+ cmd+=" grep -i '^userPassword:' | sed -e 's/^userPassword::[ ][ ]*//'"
+
+ echo "${cmd}" >&2
+
+ local ldap_passwd_coded=$( eval ${cmd} )
+ echo "ldap_passwd_coded: ${ldap_passwd_coded}"
+
+ if [[ -z "${ldap_passwd_coded}" ]] ; then
+ echo
+ echo "Nutzer mit uid '${ldap_user}' nicht gefunden oder hat kein Passwort." >&2
+ echo
+ exit 1
+ fi
+
+ local ldap_passwd_value=$( echo "${ldap_passwd_coded}" | base64 -d )
+ echo "ldap_passwd_value: ${ldap_passwd_value}"
+
+ local ldap_hash_method=$( echo "${ldap_passwd_value}" | \
+ sed -e 's/^{//' -e 's/}.*//' | \
+ tr '[:upper:]' '[:lower:]' )
+ echo "ldap_hash_method: ${ldap_hash_method}"
+
+ if [[ "${ldap_hash_method}" != 'crypt' ]] ; then
+ echo
+ echo "Unbekannte Hash-Methode '${ldap_hash_method}'" >&2
+ echo
+ exit 5
+ fi
+
+ local ldap_passwd_hash=$( echo "${ldap_passwd_value}" | sed -e 's/^{[^}]*}//' )
+ echo "ldap_passwd_hash: ${ldap_passwd_hash}"
+
+ local salt=$( echo "${ldap_passwd_hash}" | sed -e 's/^\(..\).*/\1/' )
+ echo "salt: ${salt}"
+
+ local encr_passwd=$( mkpasswd -m des "${passwd}" "${salt}" )
+ echo "encr_passwd: ${encr_passwd}"
+
+ echo
+ if [[ "${ldap_passwd_hash}" == "${encr_passwd}" ]] ; then
+ echo
+ echo "Passwort ist okay."
+ echo
+ else
+ echo
+ echo "Passwort is FALSCH" >&2
+ echo
+ exit 1
+ fi
+
+}
+
+main "$@"
+
+# vim: et list
--
2.39.5
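Review bot: The `eval ${cmd}` at the `ldap_passwd_coded` assignment puts the caller's `$1` through a second round of shell parsing, so an argument containing `"; …; "` or `$(…)` is executed as shell, and because `${ldap_user}` is also spliced raw into the LDAP filter, a value such as `*` matches every entry that has a `userPassword` instead of the named user. The fix is to pass ldapsearch an argument array instead of an eval'd string and to escape the RFC 4515 filter metacharacters (`\`, `*`, `(`, `)`) before they reach the filter, as sketched below. Two further points from the same lines: the simple bind goes to `-h ldap.pixelpark.com -p 389` with no `-ZZ`, so the admin bind password travels in cleartext unless TLS is enforced somewhere not visible here, and the password under test is handed to `mkpasswd -m des "${passwd}"` on its command line (and arrives as `$2` of the script), where `ps` shows it to every local user; the unconditional `echo "ldap_passwd_hash: …"`, `echo "salt: …"` and `echo "encr_passwd: …"` lines additionally print the stored hash and the computed hash to stdout and should be dropped or gated behind a verbose flag. Note also that the salt extraction `sed -e 's/^\(..\).*/\1/'` together with `mkpasswd -m des` only handles traditional two-character DES crypt, so a `{CRYPT}$6$…` value is reported as "Passwort is FALSCH" rather than as an unsupported format.
```shell
main() {
  local ldap_user="$1"
  local passwd="${2:-}"
  if [[ -z "${passwd}" ]] ; then
    # Prompt instead of taking the password from argv, where ps exposes it to every local user.
    read -rs -p "Password for ${ldap_user}: " passwd ; echo >&2
  fi

  # Escape RFC 4515 filter metacharacters so "$1" cannot widen or alter the search.
  local user_esc="${ldap_user//\\/\\5c}"
  user_esc="${user_esc//\*/\\2a}"
  user_esc="${user_esc//\(/\\28}"
  user_esc="${user_esc//\)/\\29}"
  local filter="(&(|(uid=${user_esc})(mail=${user_esc}))(userPassword=*))"

  # Argument array instead of an eval'd string: no second round of shell parsing.
  local -a cmd=(ldapsearch -x -LLL -o ldif-wrap=no -h ldap.pixelpark.com -p 389
                -b "${LDAP_BASE}" -D "${LDAP_USR}" -y "${LDAP_PWD_FILE}"
                "${filter}" userPassword)
  local ldap_passwd_coded
  ldap_passwd_coded=$("${cmd[@]}" 2>&1 | grep -i '^userPassword:' | sed -e 's/^userPassword::[ ][ ]*//')

  # … unchanged: not-found check, base64 decode, hash-method check, salt extraction …

  # whois mkpasswd reads the password from stdin with -s and takes the salt via -S,
  # keeping it off the mkpasswd command line (confirm flags against the installed version).
  local encr_passwd
  encr_passwd=$(printf '%s' "${passwd}" | mkpasswd -m des -s -S "${salt}")

  # … unchanged: comparison and result messages …
}
```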