
Re: Password Modify Extended Operation Tool

Shelley Waltz wrote:
> I searched and did not find a suitable answer, so I am
> posting.  Somehow I feel there is an answer, but it has
> eluded me.
> I have RHEL5 with openldap with the ppolicy module.
> I wish to have a script or web cgi which I can have
> the users access to change their password and have them
> obey the ppolicy restrictions.  I have not been able
> to find a suitable tool which will provide feedback
> regarding their selection requirements and errors.
> If there is one, please point me in the right direction.
> regards
> Shelley

If you take a look at the mailing list archive, you find this mail from 
Buchan Milne. Maybe it will solve your problem:

----------  Forwarded message  ----------

Subject: Re: Invalid DN Syntax in Shell Script
Date: Tuesday, 3 May 2011
From: Buchan Milne <bgmilne@staff.telkomsa.net>
To: Inácio Alves <inacioc.alves@gmail.com>

----- Original Message -----
> Hi to all,
> I'm trying to write a shell script to simplify the change of pass of
> users.

You may prefer to look for some existing scripts/tools. For example, I 

which can work as a shell command or as a CGI. I currently use it in 
conjunction with the script:

which notifies my users by email that their passwords will expire.

Run 'perldoc xxx.pl' to see the documentation for each script.

> Then I write
> function verificaSenha(){
> whoAmI=`whoami`
> param=`echo "ldapsearch -x -W -D
> \"uid=$whoAmI,ou=People,dc=ifce,dc=edu,dc=br\" -b
> \"dc=ifce,dc=edu,dc=br\" \"(uid=$whoAmI)\""`
> exec `echo "$param"`
> }
> the line param=... produces a command line that works when I write it
> directly in the terminal; however, in the line exec "$param" I am
> asked for my LDAP pass (as directly in the terminal), but when I type it I get
> ldapsearch -x -W -D "uid=inacio,ou=People,dc=ifce,dc=edu,dc=br" -b
> "dc=ifce,dc=edu,dc=br" "(uid=inacio)"
> Enter LDAP Password:
> ldap_bind: Invalid DN syntax (34)
> additional info: invalid DN

You should probably compare the logs on the LDAP server for the two 
binds, and see if they differ. I suspect a difference introduced by 
shell quoting. I wouldn't use exec, but rather just call ldapsearch 

But, then, shell quoting, handling of spaces etc. are reasons to avoid 
shell scripting for serious LDAP work.




Harry Jede
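
Added example, not part of the original thread or of any script it mentions: a sketch of the shell quoting behaviour Buchan Milne points to in the forwarded message. `bind_dn_seen` is a hypothetical stand-in for ldapsearch that reports the `-D` argument it receives, and the `Staff Members` OU is a constructed value used to show the effect of spaces.

```shell
#!/bin/sh
# Added illustration: runs offline, no ldapsearch binary or LDAP server needed.

# Hypothetical stand-in for ldapsearch: prints the argument that follows -D,
# i.e. the bind DN exactly as the program would receive it in argv.
bind_dn_seen() {
    while [ $# -gt 0 ]; do
        if [ "$1" = "-D" ] && [ $# -ge 2 ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1
}

user=inacio                      # constructed stand-in for `whoami`
base="dc=ifce,dc=edu,dc=br"

# Pattern from the quoted script: build the whole command line as one string
# with escaped quotes, then expand it unquoted. $1 = OU name.
broken_dn() {
    param="ldapsearch -x -W -D \"uid=$user,ou=$1,$base\" -b \"$base\" \"(uid=$user)\""
    # The substitution result is only split on whitespace. The quote
    # characters are data at this point, not syntax, so they stay in the DN.
    # shellcheck disable=SC2046
    bind_dn_seen $(echo "$param")
}

# Direct call: the shell parses the quotes once, each value is one argument.
fixed_dn() {
    bind_dn_seen ldapsearch -x -W -D "uid=$user,ou=$1,$base" -b "$base" "(uid=$user)"
}

for ou in "People" "Staff Members"; do   # second OU is a constructed value
    printf 'ou=%s\n  string+expand: %s\n  direct call:   %s\n' \
        "$ou" "$(broken_dn "$ou")" "$(fixed_dn "$ou")"
done
```

In the string-and-expand form the server is handed a bind DN that begins with a literal `"` (and is cut at the first space), which is the kind of difference the server-side bind logs would show.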