Some useful LDAP commands
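# Dump the access-control rules (olcAccess) of every database in cn=config.
# Binds over the local socket with SASL EXTERNAL (peer-credential auth), so it
# has to run as an identity slapd maps to a DN allowed to read cn=config.
# ldapsearch base64-encodes values LDIF cannot carry literally (non-ASCII,
# leading/trailing space); those come back as "olcAccess::" and are decoded.
ldapsearch -LLL -o ldif-wrap=no -H ldapi:/// -Y EXTERNAL -b 'cn=config' 'olcAccess=*' olcAccess \
  | awk '{
      if ($1 == "olcAccess::") {
        # "base64 -d" emits no trailing newline; without the "echo" the next
        # record was glued onto the end of the decoded value.
        command = "base64 -d -i && echo"
        print $2 | command
        close(command)
      } else {
        print $0
      }
    }'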
#!/bin/bash
# Re-hash userPassword values that are not already stored in "{scheme}" form
# for every entry under LDAP_SEARCH_OU. All settings come from the
# environment; the bind password is prompted for when LDAP_PASSWORD is unset.
set -Eeuo pipefail

# Search base, bind DN and server URL, each overridable from the environment.
readonly LDAP_SEARCH_OU="${LDAP_SEARCH_OU:-ou=people,dc=liege,dc=work}"
readonly LDAP_USER="${LDAP_USER:-cn=$USER,ou=vdl,ou=ville,ou=people,dc=liege,dc=be}"
readonly LDAP_URL="${LDAP_URL:-ldaps://ldap-test.vdl.intra/}"
# DRY_RUN=1 computes the hashes but sends no modify request.
readonly DRY_RUN="${DRY_RUN:-0}"

# Ask for the bind password only when it was not supplied via the environment;
# -s keeps it off the terminal.
ldap_password="${LDAP_PASSWORD:-}"
[[ -n "$ldap_password" ]] || {
  read -srp "ldap password for $LDAP_USER: " ldap_password
  echo
}
readonly LDAP_PASSWORD="$ldap_password"
unset ldap_password

# Run counters: entries read, entries (re)hashed, failed modifications.
# Updated by the processing loop and printed by report().
declare total_changed=0 total_error=0 total=0
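#######################################
# Hash a cleartext password as LDAP salted SHA-1 ("{SSHA}...") with passlib.
# The password is fed to python on stdin instead of argv, so it does not show
# up in process listings or in audit records of the exec.
# Arguments: $1 - cleartext password
# Outputs:   the "{SSHA}..." hash on stdout
# Returns:   the python exit status (non-zero e.g. when passlib is missing)
#######################################
ssha() {
  printf '%s' "$1" | python -c \
    'import sys; from passlib.hash import ldap_salted_sha1; print(ldap_salted_sha1.hash(sys.stdin.read()))'
}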
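#######################################
# Replace the userPassword of one entry with its {SSHA} hash.
# Globals:   LDAP_URL, LDAP_USER, LDAP_PASSWORD, DRY_RUN (read)
#            total_changed (incremented on success, also in dry-run mode)
# Arguments: $1 - entry DN
#            $2 - cleartext password
# Returns:   0 on success, 1 when hashing or the modify request fails
#######################################
change_password() {
  local user_dn="$1"
  local user_password="$2"
  local hashed_user_password
  local dn_b64

  # Bail out rather than writing an empty userPassword when hashing fails.
  # (Callers invoke this in a "||" context, where errexit is off, so the
  # failure has to be returned explicitly.)
  hashed_user_password="$(ssha "$user_password")" || return 1
  [[ -n "$hashed_user_password" ]] || return 1

  # The DN came out of a decoded LDIF and may hold characters LDIF cannot
  # carry literally (non-ASCII, leading space). "dn::" with a base64 value is
  # always valid, and it also keeps a stray newline in the DN from being
  # read as a second LDIF line.
  dn_b64="$(printf '%s' "$user_dn" | base64 -w0)"

  if [[ "$DRY_RUN" == 0 ]]; then
    # The bind password goes through -y (read from a file descriptor) rather
    # than -w, so it is not exposed in the argument list. A failed modify is
    # returned to the caller, which counts it as an error.
    ldapmodify -H "$LDAP_URL" -D "$LDAP_USER" \
      -y <(printf '%s' "$LDAP_PASSWORD") <<EOF || return 1
dn:: $dn_b64
changetype: modify
replace: userPassword
userPassword: $hashed_user_password
EOF
  fi
  total_changed=$(( total_changed + 1 ))
}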
#######################################
# ERR-trap handler for the processing loop: announce the failure, then still
# print the summary so partial progress stays visible.
# Globals: reads the counters through report()
# Outputs: diagnostics on stderr
#######################################
failed() {
  printf '%s\n' "that broke..." >&2
  report
}
#######################################
# Print the run summary to stderr.
# Globals: total, total_changed, total_error (read)
#######################################
report() {
  printf 'read %s users, changed %s, there were %s errors\n' \
    "$total" "$total_changed" "$total_error" >&2
}
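# Fetch every entry under LDAP_SEARCH_OU that has both a uid and a
# userPassword, flatten the LDIF into alternating "dn" / "password" lines and
# re-hash each password that is not already stored in "{scheme}" form.
# The bind password is passed through -y (a file descriptor) instead of -w so
# it never appears in the argument list.
ldapsearch -o ldif-wrap=no -x -LLL -H "${LDAP_URL}" -b "${LDAP_SEARCH_OU}" \
  -D "$LDAP_USER" -y <(printf '%s' "$LDAP_PASSWORD") \
  '(&(userPassword=*)(uid=*))' userPassword \
  | grep -v '^$' \
  | awk '{
      # Everything after the attribute name ("dn:", "dn::", "userPassword:"
      # ...). Printing only $2 truncated any value containing a space, e.g.
      # "cn=John Doe,..." or a cleartext password with a space in it.
      value = substr($0, length($1) + 2)
      if ($1 ~ /::$/) {
        command = "base64 -d && echo"
      } else {
        command = "cat -"
      }
      print value | command
      close(command)
    }' \
  | {
      trap failed ERR
      # NOTE(review): the loop assumes exactly one userPassword line follows
      # each dn line; an entry with several values would shift the pairing.
      while IFS= read -r user_dn; do
        total=$(( total + 1 ))
        IFS= read -r password
        # "{scheme}..." values are already hashed; only cleartext is migrated.
        if [[ "$password" == "{"* ]]; then
          continue
        fi
        echo "updating $user_dn"
        change_password "$user_dn" "$password" || {
          total_error=$(( total_error + 1 ))
        }
      done
      report
    }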
# Raise the slapd log level in the live cn=config database (takes effect
# without a restart): "config" logs configuration processing, "stats"
# connections/operations/results, "acl" access-control decisions. Binds over
# the local socket with SASL EXTERNAL. The LDIF contains nothing to expand,
# so the delimiter is quoted to make the body literal.
ldapmodify -H ldapi:/// -Y EXTERNAL <<'EOF'
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: config stats acl
EOF
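#######################################
# LDIF filter: decode base64 ("attr::") values so that every line reads
# "attr: value"; plain values pass through.
# Inputs:  LDIF on stdin, one attribute per line (see ldif-wrap=no)
# Outputs: decoded "attr: value" lines on stdout
#######################################
parse_ldap_encoded_fields() {
  awk '{
    if ($1 ~ /::$/) {
      # Drop one of the two colons: "dn::" -> "dn:". The start index must be
      # 1: with 0, gawk shortens the result by one more character and the
      # colon was lost ("dn value"), while other awks kept it.
      printf "%s ", substr($1, 1, length($1) - 1)
      command = "base64 -d -w0 && echo"
      OFS=""
    } else {
      printf "%s", $1
      command = "cat -"
      OFS=" "
    }
    # Clearing $1 rebuilds $0 from the remaining fields joined by OFS; the
    # plain branch relies on that to get the separator space back (runs of
    # spaces inside a value collapse to one).
    $1=""
    print $0 | command
    close(command)
  }'
}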