
Ldapscripts are shell scripts that let you manage POSIX accounts (users, groups, machines) in an LDAP directory. They may be used independently or called automatically by Samba, to handle POSIX information within accounts before Samba information is added.


http://contribs.martymac.com






Release Date: 2009-07-16

Registered: 2006-01-02


Project Feed

  • ldapscripts ldapscripts-1.9.0 file released: ldapscripts-1.9.0.tgz

    2009/07/16 : ldapscripts 1.9.0

    - Fixed a few lines in man pages
    - Changed PASSWORDGEN's default value to not use uuencode anymore
    - Use 'id' command instead of 'logname' to guess current user (used by ldapfinger and ldapid). Be careful if you want to act on your own account using su/sudo !
    - New DESTDIR variable in Makefile, to specify a global chroot as a target directory for installation

    => thanks to Alexander GQ Gerasiov for those 4 fixes !

    - New 'ldapgid' command to display a group's list of IDs

    posted 175 days ago

  • File released: /ldapscripts/ldapscripts-1.9.0/ldapscripts-1.9.0.tgz

    posted 175 days ago

  • ldapscripts ldapscripts-1.8.0 file released: ldapscripts-1.8.0.tgz

    2008/08/10 : ldapscripts 1.8.0

    - HEADS UP ! The scripts are no longer named using a heading '_'. This prefix was used to differentiate extra commands not directly useable by Samba (in the smb.conf configuration file), but as the ldapscripts start being more and more used as everyday admin tools, a heading '_' just leads to confusion and annoyance. I have finally decided to remove them. Here is the renaming scheme :

        _ldapdeletemachine -> ldapdeletemachine
        _ldapfinger -> ldapfinger
        _ldapinit -> ldapinit
        _ldapmodifygroup -> ldapmodifygroup
        _ldapmodifymachine -> ldapmodifymachine
        _ldapmodifyuser -> ldapmodifyuser
        _ldaprenamegroup -> ldaprenamegroup
        _ldaprenamemachine -> ldaprenamemachine
        _lsldap -> lsldap

      And, to avoid collision with OpenLDAP's ldappasswd command :

        _ldappasswd -> ldapsetpasswd

      (T.H., I hope you'll enjoy that change ;-))
    - HEADS UP (yes, again) ! Since the ldapscripts are admin-oriented, they are now installed to the sbin/ directory by default. This should not change lots of things for you since they were installed root/750 into bin/. The runtime file has also moved to the lib/ldapscripts directory.
    - added support for character set conversion : the ldapscripts now use (packagers should read : *depends on*) iconv (UTF-8 conversion) and uudecode (base64 decoding). See ICONVBIN, ICONVCHAR and UUDECODEBIN options in ldapscripts.conf. You can leave ICONVBIN and UUDECODEBIN unset to disable any kind of conversion (by default, character set conversion and base64 decoding are turned on, so you will have to set your local charset - ICONVCHAR - before using the scripts).
    - new 'ldapid' command shows a user's list of id (just like the 'id' command does). See ldapid(1) for more details.
    - ldapfinger : added -u, -g and -m options to force restricted lookups. Using ldapfinger with no argument now acts on current user (using logname(1)).
    - ldapinit : fixed Debian bug #421064 by adding a continue (-c) option to _ldapadd (and _ldapmodify) functions. ldapinit will now continue to initialize LDAP tree if a previous entry already exists.
    - ldapsetpasswd : fixed a bug in wrong exit result, introduced by the use of a temporary file for changing password (ldapscripts 1.7.1).
    - ldapadduser : fixed typo when preserving permissions from HOMESKEL (cp -P -> -p).
    - all errors/warnings are now reported to STDERR (new warn_log function replaces several echo_log calls).

    Contributed from Adam Sommer (thanks a lot !) :

    - added -h and --help options for each command.
    - resolver functions (uid/gid <-> user/group) now try to use LDAP if local lookup (using pw or getent) fails. As a consequence, the scripts will *not* accept to use unresolved entries anymore (e.g. when adding memberUids).
    - it is now possible to set PASSWORDGEN to '<ask>'. You then will be prompted for a new password when adding a user with the 'ldapadduser' command.
    - added support for <ask> keyword in LDIF templates. This new feature is available for ldapadduser, ldapaddgroup, ldapaddmachine and ldapinit. A new _askattrs function has been added to the runtime file. To use this feature, you may specify :

        ------
        attributeName: <ask>
        ------

      for example :

        ------
        description: Entry for <ask> in my LDAP directory
        ------

      in the templates used by the 4 commands above. Be careful, only one <ask> (the first one) will be replaced per line. Multivalued attributes are allowed (you can add several attributes sharing the same name and the <ask> option). As a consequence, the ASKGECOS option has been removed, since it can be performed using an <ask> option for the gecos attribute. Do not forget to update your configuration file and templates !

    Internals :

    - various typos and fixes
    - runtime :
      - new is_b64, _b64decode, _utf8encode, _utf8decode functions.
      - new _getattribute and _askpassword functions.
      - new is_like function.
      - _genpassword : do not eval PASSWORDGEN if empty or set to "<ask>".
      - mktempf : added more entropy to _TMPFILE naming using /dev/random. As a consequence, availability of /dev/random on the client system is now mandatory to run the scripts.
      - sed and grep arguments cleanup (removed unnecessary -E and -e).
    - Makefile :
      - RUNDIR has been renamed to LIBDIR. New [un]installlib targets to [un]install the runtime file.
      - Replaced mkdir calls with 'install -d' ones (may not be available on every system).
      - Do not overwrite/delete configuration files / password file anymore if files exist or have changed (differ from .sample ones).

    posted 515 days ago

  • File released: /ldapscripts/ldapscripts-1.8.0/ldapscripts-1.8.0.tgz

    posted 515 days ago

  • ldapscripts ldapscripts-1.7.2 file released: ldapscripts-1.7.2.tgz

    2007/11/28 : ldapscripts 1.7.2

    - runtime : Use 'trap - <signal>' to restore traps instead of the uncommon 'trap -' syntax
    - runtime : Fix _changepasswd by removing the trailing newline character in the temporary file (echo -n)

    posted 771 days ago

  • File released: /ldapscripts/ldapscripts-1.7.2/ldapscripts-1.7.2.tgz

    posted 771 days ago

  • ldapscripts ldapscripts-1.7.1 file released: ldapscripts-1.7.1.tgz

    2007/10/13 : ldapscripts 1.7.1

    - Fixes for CVE-2007-5373, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5373 and http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=445582

      1) Up to now, each ldap* command was called with the -w parameter, which allows specifying the bind password on the command line. Unfortunately, this could make the password appear to anybody performing a `ps` during the call. This is now avoided by using the -y parameter and a password file.

         -> A new BINDPWDFILE option has been added : it specifies the path to the bind password file. This file can be created by something like : 'echo -n 'password' > $BINDPWDFILE' and you can now safely remove (or comment) the BINDPWD parameter from your configuration file.

      2) Changing a user password could also reveal the new password on the command line, because of the use of ldappasswd's -s option. This has been fixed by using a temporary file containing the new password (and ldappasswd's -T option).

         -> [internals] New mktempf() and reltempf() functions have been added

         [For older versions of OpenLDAP, -y and -T parameters may not be available. It is still possible to use the old BINDPWD parameter. Just uncomment it from the configuration file and comment the BINDPWDFILE parameter (which takes precedence over BINDPWD). The ldapscripts will just behave as previously and use inline -w and -s parameters, warning you this is not a secure way of running them.]

      3) A similar problem related to sed expressions has been found : it may also lead to revealing a user's password to `ps` users. This is now fixed by using temporary files containing sed expressions (and sed's -f option).

      4) A new test has been added to check if 'echo' and '[' are built-in or not. If not, you'll be warned that the ldapscripts may not be safe to use (because these commands manipulate passwords when creating temporary files).

         -> [internals] New is_builtin() function

      Note that these flaws depend largely on your kernel configuration : hardened kernels should not be impacted (e.g. if you use security.bsd.see_other_[u|g]ids sysctls on FreeBSD). It may also depend on the version of OpenLDAP client commands you run.

      Thanks a lot to Don and Madcoder for their help !

    - Few fixes to avoid using non-standard 'if ! command's...

    posted 817 days ago
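
The 1.7.1 notes above describe moving the bind password out of the command line (-w) into a file read with -y, with BINDPWDFILE taking precedence over BINDPWD, and checking that the commands that handle the password are shell built-ins. The sketch below is an added example, not ldapscripts code: the function names are hypothetical, BINDDN is assumed as the bind DN variable, and all sample values are constructed.

```shell
#!/bin/sh
# Added example, not ldapscripts code; function names are hypothetical.

# True when the shell runs "$1" itself, so its arguments never become
# the argv of a separate process that `ps` could list.
runs_in_shell() {
    case "$(type "$1" 2>/dev/null)" in
        *builtin*) return 0 ;;
        *) return 1 ;;
    esac
}

# Store password "$2" in file "$1": owner-only mode, no trailing newline.
write_pwdfile() {
    runs_in_shell printf || return 1
    ( umask 077 && : > "$1" && chmod 600 "$1" && printf '%s' "$2" >> "$1" )
}

# Print bind options for an OpenLDAP client, one word per line.
# BINDPWDFILE takes precedence over BINDPWD, as in the 1.7.1 notes.
bind_args() {
    if [ -n "$BINDPWDFILE" ] && [ -r "$BINDPWDFILE" ]; then
        printf '%s\n' -x -D "$BINDDN" -y "$BINDPWDFILE"
    elif [ -n "$BINDPWD" ]; then
        echo "warning: -w puts the bind password in argv" >&2
        printf '%s\n' -x -D "$BINDDN" -w "$BINDPWD"
    else
        return 1
    fi
}

# Succeeds when secret "$1" occurs anywhere in the remaining arguments.
argv_exposes() {
    secret=$1; shift
    for arg in "$@"; do
        case "$arg" in *"$secret"*) return 0 ;; esac
    done
    return 1
}

# Constructed sample values, for illustration only.
BINDDN='cn=Manager,dc=example,dc=com'
BINDPWD=''
demo_dir=$(mktemp -d)
BINDPWDFILE="$demo_dir/bindpw"
write_pwdfile "$BINDPWDFILE" 's3cret-example'
if argv_exposes 's3cret-example' $(bind_args); then
    echo "password would be visible in the process list"
else echo "only the password file path appears in argv"; fi
rm -rf "$demo_dir"
```

Running `argv_exposes` against the arguments of an existing wrapper script is a quick way to confirm that no code path still falls back to an inline -w.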
