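#!/bin/sh

set -eu

## This script is run by www-data using sudo. Keep that in mind!
## Make sure that malicious execution cannot hurt.
##
## This script synchronizes the kerberos password of principals to the
## posix password whenever the password is changed in ldap by gosa. To
## make sure only authorized changes happen, it is tested if the
## supplied password corresponds to the supplied distinguished name in
## ldap.
##
## A caller not knowing the correct ldap password cannot change the
## principal's one.
##
## Usage: <script> <user-dn>   with the new password in $USERPASSWORD.
##
## Security properties this version relies on:
##   * the password is taken from the environment, never from argv, and is
##     handed to ldapwhoami via a 0600 temp file (-y) and to kadmin.local via
##     stdin, so it never shows up in the process list;
##   * every expansion is quoted, so a DN or password containing spaces,
##     globs or quotes cannot change which commands/arguments run;
##   * the uid extracted from the DN is whitelisted before it is placed in
##     the kadmin query (no '@', '/', whitespace or quotes can sneak in).
## NOTE(review): how USERPASSWORD reaches this script (sudo env_keep or
## similar) is configured outside this file — verify it is not logged there.

umask 077

TAG=${0##*/}

## Log helpers: everything goes to syslog, tagged with the script name so
## successful and refused attempts can be picked up by monitoring.
log_notice() { logger -t "$TAG" -p notice "$*"; }
log_warning() { logger -t "$TAG" -p warning "$*"; }

USERDN=${1:-}
NEWPW=${USERPASSWORD:-}

## Refuse instead of guessing: an empty DN or password must never reach
## ldapwhoami or kadmin.
if [ -z "$USERDN" ] || [ -z "$NEWPW" ]; then
    log_warning "Missing user DN argument or USERPASSWORD. Nothing done."
    exit 1
fi

## Derive the principal name from the DN. Only DNs of the form
## "uid=<name>,..." are accepted. The old sed fell through to the whole DN
## when the pattern did not match; now such input is rejected.
case $USERDN in
    uid=*) ;;
    *)
        log_warning "Refusing DN that does not start with 'uid='. Nothing done."
        exit 1
        ;;
esac
USERID=${USERDN#uid=}
USERID=${USERID%%,*}

## The uid becomes a Kerberos principal and part of a kadmin query string:
## restrict it to characters that are safe in both.
case $USERID in
    ''|*[!A-Za-z0-9._-]*)
        log_warning "Refusing uid with unexpected characters. Nothing done."
        exit 1
        ;;
esac

## Pass the LDAP password through a private temp file (-y) instead of -w so
## it is not visible to other users via ps. mktemp creates the file 0600.
PWFILE=$(mktemp) || { log_warning "mktemp failed. Nothing done."; exit 1; }
trap 'rm -f "$PWFILE"' EXIT
trap 'exit 1' HUP INT TERM
## -y uses the complete file contents as the password: no trailing newline.
printf '%s' "$NEWPW" > "$PWFILE"

## check if provided password corresponds to hash saved in ldap database.
## A failed bind must not abort the script (set -e) but fall into the
## "not verified" branch below.
## NOTE(review): -Z only *tries* StartTLS; with -ZZ the bind would be refused
## instead of sent in the clear when TLS is unavailable — confirm which the
## deployment expects before tightening.
IAM=$(ldapwhoami -x -Z -y "$PWFILE" -D "$USERDN" 2>/dev/null) || IAM=
rm -f "$PWFILE"

if [ "$IAM" = "dn:$USERDN" ]; then
    ## change_password without -pw prompts for the new password (twice) on
    ## stdin. That keeps it out of argv and out of the query string, where a
    ## password containing spaces or quotes would otherwise be re-tokenized.
    if printf '%s\n%s\n' "$NEWPW" "$NEWPW" \
        | kadmin.local -q "change_password $USERID" >/dev/null; then
        log_notice "Kerberos password for '$USERID' changed."
    else
        log_warning "kadmin.local failed to change the password for '$USERID'."
        exit 1
    fi
else
    log_warning "Could not verify password for '$USERID'. Nothing done."
    exit 1
fi

exit 0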
