Blame SOURCES/0003-entry-add-passwd-user-sub-command.patch

02b4cc
From 6a673b236dfdfdf9c73cc3d2ccf3949eb1a5ddd0 Mon Sep 17 00:00:00 2001
02b4cc
From: Sumit Bose <sbose@redhat.com>
02b4cc
Date: Fri, 11 Jun 2021 12:47:37 +0200
02b4cc
Subject: [PATCH 3/3] entry: add passwd-user sub-command
02b4cc
02b4cc
The new command allows to set or reset a user password with the help of
02b4cc
an account privileged to set the password.
02b4cc
02b4cc
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1952828
02b4cc
---
02b4cc
 doc/adcli.xml     |  20 +++++++
02b4cc
 library/adentry.c | 138 ++++++++++++++++++++++++++++++++++++++++++++++
02b4cc
 library/adentry.h |   3 +
02b4cc
 tools/entry.c     |  99 +++++++++++++++++++++++++++++++++
02b4cc
 tools/tools.c     |   1 +
02b4cc
 tools/tools.h     |   4 ++
02b4cc
 6 files changed, 265 insertions(+)
02b4cc
02b4cc
diff --git a/doc/adcli.xml b/doc/adcli.xml
02b4cc
index 1ed5d3f..6c36297 100644
02b4cc
--- a/doc/adcli.xml
02b4cc
+++ b/doc/adcli.xml
02b4cc
@@ -56,6 +56,11 @@
02b4cc
 		<arg choice="opt">--domain=domain.example.com</arg>
02b4cc
 		<arg choice="plain">user</arg>
02b4cc
 	</cmdsynopsis>
02b4cc
+	<cmdsynopsis>
02b4cc
+		<command>adcli passwd-user</command>
02b4cc
+		<arg choice="opt">--domain=domain.example.com</arg>
02b4cc
+		<arg choice="plain">user</arg>
02b4cc
+	</cmdsynopsis>
02b4cc
 	<cmdsynopsis>
02b4cc
 		<command>adcli create-group</command>
02b4cc
 		<arg choice="opt">--domain=domain.example.com</arg>
02b4cc
@@ -696,6 +701,21 @@ $ adcli delete-user Fry --domain=domain.example.com
02b4cc
 
02b4cc
 </refsect1>
02b4cc
 
02b4cc
+<refsect1 id='passwd_user'>
02b4cc
+	<title>(Re)setting the password of a User with an Administrative Account</title>
02b4cc
+
02b4cc
+	<para><command>adcli passwd-user</command> sets or resets the password
02b4cc
+	of user account. The administrative account used for this operation
02b4cc
+	must have privileges to set a password.</para>
02b4cc
+
02b4cc
+<programlisting>
02b4cc
+$ adcli passwd-user Fry --domain=domain.example.com
02b4cc
+</programlisting>
02b4cc
+
02b4cc
+	<para>The various global options can be used.</para>
02b4cc
+
02b4cc
+</refsect1>
02b4cc
+
02b4cc
 
02b4cc
 <refsect1 id='create_group'>
02b4cc
 	<title>Creating a Group</title>
02b4cc
diff --git a/library/adentry.c b/library/adentry.c
02b4cc
index 13dcaf8..0d9b9af 100644
02b4cc
--- a/library/adentry.c
02b4cc
+++ b/library/adentry.c
02b4cc
@@ -409,6 +409,144 @@ adcli_entry_delete (adcli_entry *entry)
02b4cc
 	return ADCLI_SUCCESS;
02b4cc
 }
02b4cc
 
02b4cc
+static adcli_result
02b4cc
+adcli_entry_ensure_enabled (adcli_entry *entry)
02b4cc
+{
02b4cc
+	adcli_result res;
02b4cc
+	LDAP *ldap;
02b4cc
+	adcli_attrs *attrs;
02b4cc
+	uint32_t uac = 0;
02b4cc
+	char *uac_str;
02b4cc
+	unsigned long attr_val;
02b4cc
+	char *end;
02b4cc
+
02b4cc
+	return_unexpected_if_fail (entry->entry_attrs != NULL);
02b4cc
+
02b4cc
+	ldap = adcli_conn_get_ldap_connection (entry->conn);
02b4cc
+	return_unexpected_if_fail (ldap != NULL);
02b4cc
+
02b4cc
+	uac_str = _adcli_ldap_parse_value (ldap, entry->entry_attrs,
02b4cc
+	                                   "userAccountControl");
02b4cc
+	if (uac_str != NULL) {
02b4cc
+		attr_val = strtoul (uac_str, &end, 10);
02b4cc
+		if (*end != '\0' || attr_val > UINT32_MAX) {
02b4cc
+			_adcli_warn ("Invalid userAccountControl '%s' for %s account in directory: %s, assuming 0",
02b4cc
+			            uac_str, entry->object_class, entry->entry_dn);
02b4cc
+		} else {
02b4cc
+			uac = attr_val;
02b4cc
+		}
02b4cc
+		free (uac_str);
02b4cc
+	}
02b4cc
+	if (uac & UAC_ACCOUNTDISABLE) {
02b4cc
+		uac &= ~(UAC_ACCOUNTDISABLE);
02b4cc
+
02b4cc
+		if (asprintf (&uac_str, "%d", uac) < 0) {
02b4cc
+			_adcli_warn ("Cannot enable %s entry %s after password (re)set",
02b4cc
+			             entry->object_class, entry->entry_dn);
02b4cc
+			return ADCLI_ERR_UNEXPECTED;
02b4cc
+		}
02b4cc
+
02b4cc
+		attrs = adcli_attrs_new ();
02b4cc
+		adcli_attrs_replace (attrs, "userAccountControl", uac_str,
02b4cc
+		                     NULL);
02b4cc
+		res = adcli_entry_modify (entry, attrs);
02b4cc
+		if (res == ADCLI_SUCCESS) {
02b4cc
+			_adcli_info ("Enabled %s entry %s after password (re)set",
02b4cc
+			             entry->object_class, entry->entry_dn);
02b4cc
+		} else {
02b4cc
+			_adcli_warn ("Failed to enable %s entry %s after password (re)set",
02b4cc
+			             entry->object_class, entry->entry_dn);
02b4cc
+		}
02b4cc
+		free (uac_str);
02b4cc
+		adcli_attrs_free (attrs);
02b4cc
+	} else {
02b4cc
+		res = ADCLI_SUCCESS;
02b4cc
+	}
02b4cc
+
02b4cc
+	return res;
02b4cc
+}
02b4cc
+
02b4cc
+adcli_result
02b4cc
+adcli_entry_set_passwd (adcli_entry *entry, const char *user_pwd)
02b4cc
+{
02b4cc
+	adcli_result res;
02b4cc
+	LDAP *ldap;
02b4cc
+	krb5_error_code code;
02b4cc
+	krb5_context k5;
02b4cc
+	krb5_ccache ccache;
02b4cc
+	krb5_data result_string = { 0, };
02b4cc
+	krb5_data result_code_string = { 0, };
02b4cc
+	int result_code;
02b4cc
+	char *message;
02b4cc
+	krb5_principal user_principal;
02b4cc
+
02b4cc
+	ldap = adcli_conn_get_ldap_connection (entry->conn);
02b4cc
+	return_unexpected_if_fail (ldap != NULL);
02b4cc
+
02b4cc
+	/* Find the user */
02b4cc
+	res = update_entry_from_domain (entry, ldap);
02b4cc
+	if (res != ADCLI_SUCCESS)
02b4cc
+		return res;
02b4cc
+
02b4cc
+	if (!entry->entry_dn) {
02b4cc
+		_adcli_err ("Cannot find the %s entry %s in the domain",
02b4cc
+		            entry->object_class, entry->sam_name);
02b4cc
+		return ADCLI_ERR_CONFIG;
02b4cc
+	}
02b4cc
+
02b4cc
+	k5 = adcli_conn_get_krb5_context (entry->conn);
02b4cc
+	return_unexpected_if_fail (k5 != NULL);
02b4cc
+
02b4cc
+	code = _adcli_krb5_build_principal (k5, entry->sam_name,
02b4cc
+	                                    adcli_conn_get_domain_realm (entry->conn),
02b4cc
+	                                    &user_principal);
02b4cc
+	return_unexpected_if_fail (code == 0);
02b4cc
+
02b4cc
+	ccache = adcli_conn_get_login_ccache (entry->conn);
02b4cc
+	return_unexpected_if_fail (ccache != NULL);
02b4cc
+
02b4cc
+	memset (&result_string, 0, sizeof (result_string));
02b4cc
+	memset (&result_code_string, 0, sizeof (result_code_string));
02b4cc
+
02b4cc
+	code = krb5_set_password_using_ccache (k5, ccache, user_pwd,
02b4cc
+	                                       user_principal, &result_code,
02b4cc
+	                                       &result_code_string, &result_string);
02b4cc
+
02b4cc
+	if (code != 0) {
02b4cc
+		_adcli_err ("Couldn't set password for %s account: %s: %s",
02b4cc
+		            entry->object_class,
02b4cc
+		            entry->sam_name, krb5_get_error_message (k5, code));
02b4cc
+		/* TODO: Parse out these values */
02b4cc
+		res = ADCLI_ERR_DIRECTORY;
02b4cc
+
02b4cc
+	} else if (result_code != 0) {
02b4cc
+#ifdef HAVE_KRB5_CHPW_MESSAGE
02b4cc
+		if (krb5_chpw_message (k5, &result_string, &message) != 0)
02b4cc
+			message = NULL;
02b4cc
+#else
02b4cc
+		message = NULL;
02b4cc
+		if (result_string.length)
02b4cc
+			message = _adcli_str_dupn (result_string.data, result_string.length);
02b4cc
+#endif
02b4cc
+		_adcli_err ("Cannot set %s password: %.*s%s%s",
02b4cc
+		            entry->object_class,
02b4cc
+		            (int)result_code_string.length, result_code_string.data,
02b4cc
+		            message ? ": " : "", message ? message : "");
02b4cc
+		res = ADCLI_ERR_CREDENTIALS;
02b4cc
+#ifdef HAVE_KRB5_CHPW_MESSAGE
02b4cc
+		krb5_free_string (k5, message);
02b4cc
+#else
02b4cc
+		free (message);
02b4cc
+#endif
02b4cc
+	} else {
02b4cc
+		_adcli_info ("Password (re)setted for %s: %s", entry->object_class, entry->entry_dn);
02b4cc
+
02b4cc
+		res = adcli_entry_ensure_enabled (entry);
02b4cc
+	}
02b4cc
+
02b4cc
+	return res;
02b4cc
+}
02b4cc
+
02b4cc
 const char *
02b4cc
 adcli_entry_get_sam_name (adcli_entry *entry)
02b4cc
 {
02b4cc
diff --git a/library/adentry.h b/library/adentry.h
02b4cc
index ae90689..f2382b1 100644
02b4cc
--- a/library/adentry.h
02b4cc
+++ b/library/adentry.h
02b4cc
@@ -49,6 +49,9 @@ adcli_result       adcli_entry_modify                   (adcli_entry *entry,
02b4cc
 
02b4cc
 adcli_result       adcli_entry_delete                   (adcli_entry *entry);
02b4cc
 
02b4cc
+adcli_result       adcli_entry_set_passwd               (adcli_entry *entry,
02b4cc
+                                                         const char *user_pwd);
02b4cc
+
02b4cc
 const char *       adcli_entry_get_domain_ou            (adcli_entry *entry);
02b4cc
 
02b4cc
 void               adcli_entry_set_domain_ou            (adcli_entry *entry,
02b4cc
diff --git a/tools/entry.c b/tools/entry.c
02b4cc
index 05e4313..52d2546 100644
02b4cc
--- a/tools/entry.c
02b4cc
+++ b/tools/entry.c
02b4cc
@@ -24,6 +24,7 @@
02b4cc
 #include "config.h"
02b4cc
 
02b4cc
 #include "adcli.h"
02b4cc
+#include "adprivate.h"
02b4cc
 #include "adattrs.h"
02b4cc
 #include "tools.h"
02b4cc
 
02b4cc
@@ -385,6 +386,104 @@ adcli_tool_user_delete (adcli_conn *conn,
02b4cc
 	return 0;
02b4cc
 }
02b4cc
 
02b4cc
+int
02b4cc
+adcli_tool_user_passwd (adcli_conn *conn,
02b4cc
+                        int argc,
02b4cc
+                        char *argv[])
02b4cc
+{
02b4cc
+	adcli_result res;
02b4cc
+	adcli_entry *entry;
02b4cc
+	int opt;
02b4cc
+	char *user_pwd = NULL;
02b4cc
+
02b4cc
+	struct option options[] = {
02b4cc
+		{ "domain", required_argument, NULL, opt_domain },
02b4cc
+		{ "domain-realm", required_argument, NULL, opt_domain_realm },
02b4cc
+		{ "domain-controller", required_argument, NULL, opt_domain_controller },
02b4cc
+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
02b4cc
+		{ "login-user", required_argument, NULL, opt_login_user },
02b4cc
+		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
02b4cc
+		{ "no-password", no_argument, 0, opt_no_password },
02b4cc
+		{ "stdin-password", no_argument, 0, opt_stdin_password },
02b4cc
+		{ "prompt-password", no_argument, 0, opt_prompt_password },
02b4cc
+		{ "verbose", no_argument, NULL, opt_verbose },
02b4cc
+		{ "help", no_argument, NULL, 'h' },
02b4cc
+		{ 0 },
02b4cc
+	};
02b4cc
+
02b4cc
+	static adcli_tool_desc usages[] = {
02b4cc
+		{ 0, "usage: adcli passwd-user --domain=xxxx user" },
02b4cc
+		{ 0 },
02b4cc
+	};
02b4cc
+
02b4cc
+	while ((opt = adcli_tool_getopt (argc, argv, options)) != -1) {
02b4cc
+		switch (opt) {
02b4cc
+		case 'h':
02b4cc
+		case '?':
02b4cc
+		case ':':
02b4cc
+			adcli_tool_usage (options, usages);
02b4cc
+			adcli_tool_usage (options, common_usages);
02b4cc
+			return opt == 'h' ? 0 : 2;
02b4cc
+		default:
02b4cc
+			res = parse_option ((Option)opt, optarg, conn);
02b4cc
+			if (res != ADCLI_SUCCESS) {
02b4cc
+				return res;
02b4cc
+			}
02b4cc
+			break;
02b4cc
+		}
02b4cc
+	}
02b4cc
+
02b4cc
+	argc -= optind;
02b4cc
+	argv += optind;
02b4cc
+
02b4cc
+	if (argc != 1) {
02b4cc
+		warnx ("specify one user name to (re)set password");
02b4cc
+		return 2;
02b4cc
+	}
02b4cc
+
02b4cc
+	entry = adcli_entry_new_user (conn, argv[0]);
02b4cc
+	if (entry == NULL) {
02b4cc
+		warnx ("unexpected memory problems");
02b4cc
+		return -1;
02b4cc
+	}
02b4cc
+
02b4cc
+	adcli_conn_set_allowed_login_types (conn, ADCLI_LOGIN_USER_ACCOUNT);
02b4cc
+
02b4cc
+	res = adcli_conn_connect (conn);
02b4cc
+	if (res != ADCLI_SUCCESS) {
02b4cc
+		warnx ("couldn't connect to %s domain: %s",
02b4cc
+		       adcli_conn_get_domain_name (conn),
02b4cc
+		       adcli_get_last_error ());
02b4cc
+		adcli_entry_unref (entry);
02b4cc
+		return -res;
02b4cc
+	}
02b4cc
+
02b4cc
+	user_pwd = adcli_prompt_password_func (ADCLI_LOGIN_USER_ACCOUNT,
02b4cc
+	                                       adcli_entry_get_sam_name(entry),
02b4cc
+	                                       0, NULL);
02b4cc
+	if (user_pwd == NULL || *user_pwd == '\0') {
02b4cc
+		warnx ("missing password");
02b4cc
+		_adcli_password_free (user_pwd);
02b4cc
+		adcli_entry_unref (entry);
02b4cc
+		return 2;
02b4cc
+	}
02b4cc
+
02b4cc
+	res = adcli_entry_set_passwd (entry, user_pwd);
02b4cc
+	_adcli_password_free (user_pwd);
02b4cc
+	if (res != ADCLI_SUCCESS) {
02b4cc
+		warnx ("(re)setting password for user %s in domain %s failed: %s",
02b4cc
+		       adcli_entry_get_sam_name (entry),
02b4cc
+		       adcli_conn_get_domain_name (conn),
02b4cc
+		       adcli_get_last_error ());
02b4cc
+		adcli_entry_unref (entry);
02b4cc
+		return -res;
02b4cc
+	}
02b4cc
+
02b4cc
+	adcli_entry_unref (entry);
02b4cc
+
02b4cc
+	return 0;
02b4cc
+}
02b4cc
+
02b4cc
 int
02b4cc
 adcli_tool_group_create (adcli_conn *conn,
02b4cc
                          int argc,
02b4cc
diff --git a/tools/tools.c b/tools/tools.c
02b4cc
index 84bbba9..a14b9ca 100644
02b4cc
--- a/tools/tools.c
02b4cc
+++ b/tools/tools.c
02b4cc
@@ -63,6 +63,7 @@ struct {
02b4cc
 	{ "create-msa", adcli_tool_computer_managed_service_account, "Create a managed service account in the given AD domain", },
02b4cc
 	{ "create-user", adcli_tool_user_create, "Create a user account", },
02b4cc
 	{ "delete-user", adcli_tool_user_delete, "Delete a user account", },
02b4cc
+	{ "passwd-user", adcli_tool_user_passwd, "(Re)set a user password", },
02b4cc
 	{ "create-group", adcli_tool_group_create, "Create a group", },
02b4cc
 	{ "delete-group", adcli_tool_group_delete, "Delete a group", },
02b4cc
 	{ "add-member", adcli_tool_member_add, "Add users to a group", },
02b4cc
diff --git a/tools/tools.h b/tools/tools.h
02b4cc
index 82d5e4e..d38aa32 100644
02b4cc
--- a/tools/tools.h
02b4cc
+++ b/tools/tools.h
02b4cc
@@ -94,6 +94,10 @@ int       adcli_tool_user_delete       (adcli_conn *conn,
02b4cc
                                         int argc,
02b4cc
                                         char *argv[]);
02b4cc
 
02b4cc
+int       adcli_tool_user_passwd       (adcli_conn *conn,
02b4cc
+                                        int argc,
02b4cc
+                                        char *argv[]);
02b4cc
+
02b4cc
 int       adcli_tool_group_create      (adcli_conn *conn,
02b4cc
                                         int argc,
02b4cc
                                         char *argv[]);
02b4cc
-- 
02b4cc
2.31.1
02b4cc