From: Pierangelo Masarati Date: Thu, 11 May 2006 00:12:54 +0000 (+0000) Subject: allow slappasswd to generate cleartext secret X-Git-Tag: OPENLDAP_REL_ENG_2_4_1ALPHA~2^2~54 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=7cc29d2547be2e3a47403c4b16c4c5ce6e22a221;p=openldap allow slappasswd to generate cleartext secret --- diff --git a/doc/man/man8/slappasswd.8 b/doc/man/man8/slappasswd.8 index 8cd7d8a587..b480d5ccfc 100644 --- a/doc/man/man8/slappasswd.8 +++ b/doc/man/man8/slappasswd.8 @@ -8,7 +8,7 @@ slappasswd \- OpenLDAP password utility .B SBINDIR/slappasswd .B [\-v] .B [\-u] -.B [\-s secret|\-T file] +.B [\-g|\-s secret|\-T file] .B [\-h hash] .B [\-c salt-format] .B @@ -35,20 +35,46 @@ by default. This option is provided for forward compatibility. .TP .BI \-s " secret" The secret to hash. -If this and +If this, +.B \-g +and .B \-T are absent, the user will be prompted for the secret to hash. +.BR \-s , +.B \-g +and +.B \-T +and mutually exclusive flags. +.TP +.BI \-g +Generate the secret. +If this, .B \-s and .B \-T +are absent, the user will be prompted for the secret to hash. +.BR \-s , +.B \-g +and +.B \-T and mutually exclusive flags. +If this is present, +.I {CLEARTEXT} +is used as scheme. +.B \-g +and +.B \-h +are mutually exclusive flags. .TP .BI \-T " file" Hash the contents of the file. -If this and +If this, +.B \-g +and .B \-s are absent, the user will be prompted for the secret to hash. -.B \-s +.BR \-s , +.B \-g and .B \-T and mutually exclusive flags. @@ -87,6 +113,10 @@ uses the .B {CLEARTEXT} indicates that the new password should be added to userPassword as clear text. +Unless +.I {CLEARTEXT} +is used, this flag is incompatible with +.BR \-g . .TP .BI \-c " crypt-salt-format" Specify the format of the salt passed to diff --git a/servers/slapd/slappasswd.c b/servers/slapd/slappasswd.c index 1bfdb768f1..0d18eadf78 100644 --- a/servers/slapd/slappasswd.c +++ b/servers/slapd/slappasswd.c 
@@ -32,6 +32,7 @@ #include #include +#include #include #include @@ -44,9 +45,10 @@ usage(const char *s) { fprintf(stderr, "Usage: %s [options]\n" + " -c format\tcrypt(3) salt format\n" + " -g\n" " -h hash\tpassword scheme\n" " -s secret\tnew password\n" - " -c format\tcrypt(3) salt format\n" " -u\t\tgenerate RFC2307 values (default)\n" " -v\t\tincrease verbosity\n" " -T file\tread file for new password\n" @@ -58,11 +60,13 @@ usage(const char *s) int slappasswd( int argc, char *argv[] ) { + char *cleartext_scheme = "{CLEARTEXT}"; #ifdef LUTIL_SHA1_BYTES - char *scheme = "{SSHA}"; + char *default_scheme = "{SSHA}"; #else - char *scheme = "{SMD5}"; + char *default_scheme = "{SMD5}"; #endif + char *scheme = default_scheme; char *newpw = NULL; char *pwfile = NULL; @@ -74,7 +78,7 @@ slappasswd( int argc, char *argv[] ) struct berval hash; while( (i = getopt( argc, argv, - "c:d:h:s:T:vu" )) != EOF ) + "c:d:gh:s:T:vu" )) != EOF ) { switch (i) { case 'c': /* crypt salt format */ 
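Review bot: In the usage() hunk the new `" -g\n"` line is the only option printed without a description, so the usage text does not tell an operator what -g does or that it selects the {CLEARTEXT} scheme. A line such as `" -g\t\tgenerate random password ({CLEARTEXT} only)\n"` would match the neighbouring entries and the man page text added in this commit. usage()'s body continues outside the hunk.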
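Review bot: In the declarations hunk of slappasswd(), nothing says that `default_scheme` and `cleartext_scheme` are later compared with `scheme` by address (`scheme != default_scheme`, `scheme == cleartext_scheme` in the option switch), so they act as "no -h seen" and "-g seen" markers rather than ordinary strings. A comment such as `/* compared by address below: scheme == default_scheme means no -h yet, scheme == cleartext_scheme means -g was given */` would keep a later edit from replacing them with copies and silently disabling the -g/-h exclusion checks. The function body continues outside the hunk.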
@@ -82,21 +86,75 @@ slappasswd( int argc, char *argv[] ) lutil_salt_format( optarg ); break; + case 'g': /* new password (generate) */ + if ( pwfile != NULL ) { + fprintf( stderr, "Option -s incompatible with -T\n" ); + return EXIT_FAILURE; + + } else if ( newpw != NULL ) { + fprintf( stderr, "New password already provided\n" ); + return EXIT_FAILURE; + + } else if ( scheme != default_scheme && strcmp( scheme, cleartext_scheme ) != 0 ) { + fprintf( stderr, "Option -g incompatible with scheme \"%s\"\n", scheme ); + return EXIT_FAILURE; + + } else { + struct berval p = BER_BVNULL; + + lutil_passwd_generate( &p, 8 ); + + newpw = p.bv_val; + + scheme = cleartext_scheme; + } + break; + case 'h': /* scheme */ - scheme = strdup( optarg ); + if ( scheme == cleartext_scheme ) { + if ( strcmp( optarg, cleartext_scheme ) != 0 ) { + fprintf( stderr, "Option -h incompatible with -g\n" ); + return EXIT_FAILURE; + } + + } else if ( scheme != default_scheme ) { + fprintf( stderr, "Scheme already provided\n" ); + return EXIT_FAILURE; + + } else { + scheme = strdup( optarg ); + } break; case 's': /* new password (secret) */ - { + if ( pwfile != NULL ) { + fprintf( stderr, "Option -s incompatible with -T\n" ); + return EXIT_FAILURE; + + } else if ( newpw != NULL ) { + fprintf( stderr, "New password already provided\n" ); + return EXIT_FAILURE; + + } else { char* p; newpw = strdup( optarg ); for( p = optarg; *p != '\0'; p++ ) { *p = '\0'; } - } break; + } + break; case 'T': /* password file */ + if ( pwfile != NULL ) { + fprintf( stderr, "Password file already provided\n" ); + return EXIT_FAILURE; + + } else if ( newpw != NULL ) { + fprintf( stderr, "Option -T incompatible with -s/-g\n" ); + return EXIT_FAILURE; + + } pwfile = optarg; break;
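Review bot: In the new `case 'g':` branch the result of `lutil_passwd_generate( &p, 8 )` is ignored, so if generation fails `p` is still `BER_BVNULL`, `newpw` stays NULL and `scheme` is switched to `{CLEARTEXT}` anyway. What the code after the switch does with that combination is outside the hunk, but the man page in this commit says a missing secret leads to a prompt, and the prompted secret would then presumably be printed in clear text instead of hashed. Assuming the function reports failure through its return value, `if ( lutil_passwd_generate( &p, 8 ) != 0 ) { fprintf( stderr, "Password generation failed\n" ); return EXIT_FAILURE; }` closes that path. The first check in the same branch prints `"Option -s incompatible with -T\n"` where `-g` is meant, and the literal `8` would be easier to review as a named constant, since it sets the generated secret's length. slappasswd()'s body starts and ends outside the hunk.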