{{tag>Brouillon LDAP Mdp Script Auth}}
= LDAP script changement mot de passe en masse
Je viens de retrouver ce bout de code. Attention : le CSV produit (et le LDIF tant qu'il n'a pas été appliqué) contient tous les nouveaux mots de passe en clair ; ces fichiers sont à protéger et à supprimer une fois les utilisateurs prévenus.
''ldap_reset_account.sh''
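#!/usr/bin/env bash
#
# ldap_reset_account.sh — bulk reset of accounts still using a default password.
#
# Searches LDAP_SEARCHBASE for every entry whose userPassword equals
# PASS_OLD_TXT, draws a fresh random password for each one and writes:
#   * an LDIF file (FIC_TMP) of "replace: userPassword" modifications,
#   * a CSV file (FIC_CSV, "dn;mail;pass") to hand the new passwords to users;
#     each CSV line is also printed on stdout.
# The directory itself is NOT modified: the ldapmodify command that applies
# the LDIF is printed last, so the operator can review both files first.
#
# Configuration comes from the environment (defaults in parentheses):
#   LDAP_SERVER      (localhost)   LDAP_PORT (3890)
#   LDAP_URI         (ldap://LDAP_SERVER:LDAP_PORT) — a simple bind sends the
#                    bind password in clear; use ldaps:// (or add -ZZ to the
#                    ldap_opts array in main) for anything but a local server.
#   LDAP_BINDDN      (cn=root,dc=acme,dc=corp)
#   LDAP_PASS_FILE   file whose complete contents (no trailing newline) are the
#                    bind password — preferred; or
#   LDAP_PASS        the bind password itself; it is copied to a 0600 temp file
#                    so it never appears on a command line (visible in `ps` and
#                    shell history). One of the two is required: an empty
#                    password is an unauthenticated bind, which slapd rejects.
#   LDAP_SEARCHBASE  (ou=people,dc=acme,dc=corp)
#   PASS_OLD_TXT     (password) the default password to look for. The filter
#                    (userPassword=...) only matches values stored in clear
#                    text, and only if the bind identity may read/compare them.
#   PASS_LEN         (10) length of generated passwords, alphabet A-Za-z0-9
#                    (~5.95 bits per character; 14 or more is advisable).
#   FIC_TMP, FIC_CSV output paths; by default inside a fresh 0700 directory
#                    from mktemp -d rather than fixed names in /tmp, because
#                    both files hold every new password in clear text. Existing
#                    files are never overwritten (symlink/pre-created file
#                    protection). Delete the directory once the reset is done.
#
# Requires: bash 4+, ldapsearch (ldap-utils), base64 (coreutils); slappasswd
# (slapd) so the LDIF carries {SSHA} hashes instead of clear-text passwords.
set -euo pipefail
umask 077

LDAP_BINDDN=${LDAP_BINDDN:-'cn=root,dc=acme,dc=corp'}
LDAP_SERVER=${LDAP_SERVER:-'localhost'}
LDAP_PORT=${LDAP_PORT:-'3890'}
LDAP_URI=${LDAP_URI:-"ldap://$LDAP_SERVER:$LDAP_PORT"}
LDAP_SEARCHBASE=${LDAP_SEARCHBASE:-'ou=people,dc=acme,dc=corp'}
PASS_OLD_TXT=${PASS_OLD_TXT:-'password'}
PASS_LEN=${PASS_LEN:-10}

# Set by main: private working directory and the temp copy of the bind
# password (removed on exit, whatever the exit path).
WORK_DIR=''
TMP_PW_FILE=''

die() { printf '%s: %s\n' "${0##*/}" "$*" >&2; exit 1; }

cleanup() {
  if [[ -n $TMP_PW_FILE ]]; then
    rm -f -- "$TMP_PW_FILE"
  fi
  return 0
}
trap cleanup EXIT

#######################################
# Print a random password of $1 characters drawn from A-Za-z0-9.
# Reads fixed-size chunks of /dev/urandom so no stage of the pipeline is
# killed by SIGPIPE (which would trip pipefail).
#######################################
gen_password() {
  local len=$1 pw=''
  while (( ${#pw} < len )); do
    pw+=$(head -c 256 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')
  done
  printf '%s' "${pw:0:len}"
}

#######################################
# Print the userPassword value to store for clear-text password $1.
# Uses slappasswd ({SSHA}) when available so the directory never holds the
# clear-text value; the secret goes through a 0600 file in WORK_DIR, not argv.
# Without slappasswd the clear text is emitted with a warning — only safe if
# slapd hashes on write (ppolicy_hash_cleartext). Globals: WORK_DIR.
#######################################
hash_password() {
  local pw=$1 secret
  if command -v slappasswd >/dev/null 2>&1; then
    secret=$(mktemp "$WORK_DIR/secret.XXXXXX")
    printf '%s' "$pw" > "$secret"
    slappasswd -h '{SSHA}' -T "$secret"
    rm -f -- "$secret"
  else
    printf 'WARNING: slappasswd not found, userPassword will be written in clear text\n' >&2
    printf '%s\n' "$pw"
  fi
}

#######################################
# Escape $1 for use inside an LDAP search filter (RFC 4515): \ * ( ) become
# \5c \2a \28 \29. Without this a PASS_OLD_TXT such as "*" matches everything.
#######################################
ldap_filter_escape() {
  local v=$1
  v=${v//\\/\\5c}
  v=${v//\*/\\2a}
  v=${v//\(/\\28}
  v=${v//\)/\\29}
  printf '%s' "$v"
}

#######################################
# Print one LDIF line "attr: value", or "attr:: base64" when RFC 2849 forbids
# the clear form: non-ASCII or control characters, or a leading space, ':' or
# '<' (e.g. an accented DN). LC_ALL=C makes [[:print:]] mean plain ASCII.
#   $1 - attribute name, $2 - value
#######################################
ldif_line() {
  local attr=$1 value=$2 LC_ALL=C
  local safe=1
  case $value in
    ' '*|':'*|'<'*) safe=0 ;;
  esac
  if (( safe )) && [[ $value =~ ^[[:print:]]*$ ]]; then
    printf '%s: %s\n' "$attr" "$value"
  else
    printf '%s:: %s\n' "$attr" "$(printf '%s' "$value" | base64 | tr -d '\n')"
  fi
}

#######################################
# Create $1 as a new empty file; refuse if it already exists (noclobber), so a
# pre-planted file or symlink at that path cannot capture the passwords.
#######################################
create_fresh() {
  ( set -C && : > "$1" ) 2>/dev/null || die "refusing to overwrite existing file $1"
}

#######################################
# Append the modification for one account to the LDIF and its line to the CSV.
#   $1 - entry DN, $2 - mail (may be empty)
# Outputs: the CSV line on stdout. Globals: PASS_LEN, FIC_TMP, FIC_CSV.
#######################################
process_account() {
  local dn=$1 mail=$2 password stored
  password=$(gen_password "$PASS_LEN")
  stored=$(hash_password "$password")
  {
    ldif_line dn "$dn"
    printf 'changetype: modify\n'
    printf 'replace: userPassword\n'
    ldif_line userPassword "$stored"
    printf '\n'
  } >> "$FIC_TMP"
  # NOTE: fields are not quoted; a ';' inside the DN or mail shifts the columns.
  printf '%s;%s;%s\n' "$dn" "$mail" "$password" | tee -a "$FIC_CSV"
}

main() {
  local bind_pw_file filter results line dn='' mail='' count=0
  local -a ldap_opts_pub ldap_opts modify_auth

  command -v ldapsearch >/dev/null 2>&1 || die "ldapsearch not found (install ldap-utils)"
  [[ $PASS_LEN =~ ^[1-9][0-9]*$ ]] || die "PASS_LEN must be a positive integer"

  WORK_DIR=$(mktemp -d "${TMPDIR:-/tmp}/ldap-reset.XXXXXX") || die "mktemp -d failed"
  FIC_TMP=${FIC_TMP:-"$WORK_DIR/ldap-reset-password.ldif"}
  FIC_CSV=${FIC_CSV:-"$WORK_DIR/ldap-newpassword.csv"}

  # Bind password: always handed to the ldap tools through -y <file>, never -w.
  if [[ -n ${LDAP_PASS_FILE:-} ]]; then
    [[ -r $LDAP_PASS_FILE ]] || die "cannot read LDAP_PASS_FILE=$LDAP_PASS_FILE"
    bind_pw_file=$LDAP_PASS_FILE
    modify_auth=(-y "$LDAP_PASS_FILE")
  elif [[ -n ${LDAP_PASS:-} ]]; then
    TMP_PW_FILE=$(mktemp "$WORK_DIR/bindpw.XXXXXX")
    printf '%s' "$LDAP_PASS" > "$TMP_PW_FILE"
    bind_pw_file=$TMP_PW_FILE
    # The temp copy is deleted on exit, so the printed command prompts instead.
    modify_auth=(-W)
  else
    die "set LDAP_PASS_FILE (preferred) or LDAP_PASS; an empty bind password is not allowed"
  fi

  # -x: simple bind. The original relied on the client default mechanism; a
  # rootdn with a password is a simple-bind setup — drop -x only if you really
  # bind through SASL.
  ldap_opts_pub=(-x -H "$LDAP_URI" -D "$LDAP_BINDDN")
  ldap_opts=("${ldap_opts_pub[@]}" -y "$bind_pw_file")

  create_fresh "$FIC_TMP"
  create_fresh "$FIC_CSV"
  printf 'dn;mail;pass\n' >> "$FIC_CSV"

  # One search fetching dn and mail together (the original did one extra
  # search per account). -LLL drops comments/version lines; ldif-wrap=no keeps
  # long DNs on one line, which the original grep/sed parsing silently broke.
  filter="(userPassword=$(ldap_filter_escape "$PASS_OLD_TXT"))"
  results=$(ldapsearch "${ldap_opts[@]}" -LLL -o ldif-wrap=no \
    -b "$LDAP_SEARCHBASE" "$filter" dn mail) \
    || die "ldapsearch failed (check LDAP_URI, bind DN and password)"

  # Entries are blank-line separated; "attr::" carries a base64 value.
  # Only the first mail value is kept when the attribute is multi-valued.
  while IFS= read -r line || [[ -n $line ]]; do
    case $line in
      'dn: '*)   dn=${line#dn: } ;;
      'dn:: '*)  dn=$(printf '%s' "${line#dn:: }" | base64 -d) ;;
      'mail: '*)
        if [[ -z $mail ]]; then mail=${line#mail: }; fi ;;
      'mail:: '*)
        if [[ -z $mail ]]; then mail=$(printf '%s' "${line#mail:: }" | base64 -d); fi ;;
      '')
        if [[ -n $dn ]]; then
          process_account "$dn" "$mail"
          count=$((count + 1))
        fi
        dn='' mail='' ;;
    esac
  done <<< "$results"
  if [[ -n $dn ]]; then
    process_account "$dn" "$mail"
    count=$((count + 1))
  fi

  printf '\n%d account(s) still using the old password.\nLDIF: %s\nCSV:  %s\n' \
    "$count" "$FIC_TMP" "$FIC_CSV" >&2
  printf 'Review the LDIF, apply it with the command below, then delete both files:\n' >&2
  printf '%q ' ldapmodify "${ldap_opts_pub[@]}" "${modify_auth[@]}" -f "$FIC_TMP"
  printf '\n'
}

# Run only when executed, so the helpers can be sourced for testing.
if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
  main "$@"
fi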
----
FIXME Tuto LDAP
# Debian/Ubuntu packages: the slapd server, its helper scripts, the ldap*
# client tools (ldapsearch, ldapmodify, ...) and an interactive LDAP shell.
apt-get install slapd ldapscripts ldap-utils shelldap
-----
Exemple d'un compte utilisateur
dn: uid=prenom.nom.ext,ou=users,dc=truc,dc=domainad,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: prenom nom
gidNumber: 5400
givenName: prenom
homeDirectory: /home/prenom.nom.ext
initials: JB
loginShell: /bin/bash
mail: prenom.nom.ext@entreprise.com
shadowExpire: -1
shadowFlag: 0
shadowLastChange: 10877
shadowMin: 8
shadowWarning: 7
sn: nom
title: System Administrator
uid: prenom.nom.ext
uidNumber: 5400
userPassword: {SASL}prenom.nom.ext@truc.domainad.net
Tester la configuration de slapd (slapd.conf ou slapd.d) :
slaptest