#!/bin/sh
#
# Tue Sep 11 16:02:46 CEST 2007
#

# Uebernahme der Passwoerter in LDAP, NIS und Windows
# Directory layout of the password-change workflow: NISBASE is the NIS
# source directory, everything else lives below BASE.
NISBASE=/etc/YP
BASE=$NISBASE/Passwd
# Incoming gpg-encrypted change records, one <user>.gpg file per user.
SUBMIT=$BASE/New
# Records whose Windows update failed are copied here (presumably for a
# later retry by hand).
WINDOWSPASSWDSAVE=$BASE/Windows
# Every LDAP subdomain (ou=<name>) that may hold an entry for a user.
ALLSUBDOMAINS="all alkox sar"

# Bind options for the ldap* tools. Deliberately a word list that callers
# expand unquoted; the bind password is supplied as the word after -w.
ACCESS="-x -D cn=Manager,dc=informatik,dc=hu-berlin,dc=de -w "

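#######################################
# Write the new password material for $USER into the LDAP entry of one
# subdomain (ou=$SUBDOMAIN). Users without an entry there are skipped.
# Globals (read): ACCESS, BASE, SUBDOMAIN, USER, AKTDATE,
#                 NEWCRYPTLM, NEWCRYPTNT, NEWSSHA
# Outputs:        one status line on stdout; ldapmodify's own diagnostics
#                 on stderr
# Returns:        0 when the entry was modified or the user is not in this
#                 subdomain, ldapmodify's exit status when the write failed
#######################################
modify_ldap()
{
    # Existence check without binding; ldapsearch prints one "uid:" line per hit.
    RES=`/opt/csw/bin/ldapsearch -x -b "ou=People,ou=$SUBDOMAIN,dc=informatik,dc=hu-berlin,dc=de" "uid=$USER" uid | /usr/bin/grep "uid:"`
    if [ "x$RES" = "x" ] ; then
          echo "LDAP: User '$USER' not in Domain '$SUBDOMAIN'\n"
          return 0
    fi
    # $ACCESS is a word list and stays unquoted; the bind password follows
    # as the word after its trailing -w.
    # NOTE(review): that password is put onto the command line via `cat`
    # and is therefore readable through ps while ldapmodify runs. OpenLDAP's
    # -y <file> keeps it off argv, but -y uses the file contents verbatim (a
    # trailing newline becomes part of the password) -- confirm the file
    # format before switching.
    # NOTE(review): shadowLastChange is defined in days since the epoch,
    # whereas AKTDATE is seconds (gdate +%s); sambaPwdLastSet is correctly
    # seconds. Left unchanged because local consumers may rely on the value.
    /opt/csw/bin/ldapmodify $ACCESS  `cat $BASE/Secure/ldap` <<EOF
dn: uid=$USER,ou=People,ou=$SUBDOMAIN,dc=informatik,dc=hu-berlin,dc=de
changetype: modify
replace: shadowLastChange
shadowLastChange: $AKTDATE
-
replace: sambaPwdLastSet
sambaPwdLastSet: $AKTDATE
-
replace: sambaLMPassword
sambaLMPassword: $NEWCRYPTLM
-
replace: sambaNTPassword
sambaNTPassword: $NEWCRYPTNT
-
replace: userPassword
userPassword: $NEWSSHA
EOF
    RES=$?
    if [ $RES -ne 0 ] ; then
        # A failed write used to be silent apart from ldapmodify's stderr.
        echo "LDAP: ldapmodify failed for User '$USER' in Domain '$SUBDOMAIN' (status $RES)"
    fi
    return $RES
}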

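#######################################
# Replace $USER's hash in the NIS passwd source with $NEWCRYPT.
# Globals (read): USER, NEWCRYPT, NISBASE
# Side effects:   rewrites $NISBASE/passwd and keeps the previous file as
#                 passwd.old; both end up without group/other access
# Outputs:        one status line on stdout
# Returns:        0 on success or when the user has no NIS entry,
#                 1 when no new hash is available or the rewrite fails
#######################################
modify_nis()
{
    # Never install an empty hash: a blank field would leave the account
    # without a password.
    if [ "x$NEWCRYPT" = "x" ] ; then
       echo "NIS: no new hash for User '$USER' - password not changed."
       return 1
    fi
    # Current hash (field 2) on the user's line; empty when the user is unknown.
    # Assumes $USER carries no regex metacharacters -- the main loop only
    # cross-checks it against the decrypted record.
    ONISPAS=`awk -F: "/^$USER:/{ print \\$2; }" "$NISBASE/passwd"`
    if [ "x$ONISPAS" = "x" ] ; then
       echo "     NIS: User  '$USER'  nicht in NIS-Datenbasis !!!!!!"
       return 0
    fi
    #
    # Apply to the NIS database: swap the old hash for the new one on the
    # user's line only. ';' is the s-command delimiter because crypt hashes
    # contain '/'.
    #
    /opt/csw/bin/gsed "/^$USER:/s;${ONISPAS};${NEWCRYPT};" "$NISBASE/passwd" > "$NISBASE/passwd.new" || {
       # A failed or partial rewrite must never replace the live file.
       rm -f "$NISBASE/passwd.new"
       echo "NIS: rewrite of $NISBASE/passwd failed for User '$USER' - password not changed."
       return 1
    }
    # Tighten permissions before the new file goes live, not after.
    chmod og-rwx "$NISBASE/passwd.new"
    cp "$NISBASE/passwd" "$NISBASE/passwd.old"
    chmod og-rwx "$NISBASE/passwd.old"
    mv "$NISBASE/passwd.new" "$NISBASE/passwd"
    echo "NIS: For User '$USER' password changed."
    return 0
}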

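#######################################
# Set $USER's password on the Windows side: user name and cleartext
# password are fed to pw.vbs on spree over stdin (not argv, so the
# password does not appear in ps or in the remote command line).
# Globals (read): USER, UNCPASS, SUBMIT, USERGPG, WINDOWSPASSWDSAVE
# Side effects:   on any failure the encrypted change record is copied to
#                 $WINDOWSPASSWDSAVE with group/other access removed
# Outputs:        one status line on stdout
# Returns:        0 when pw.vbs succeeded, its exit status otherwise
#######################################
modify_windows()
{
    /usr/bin/ssh -l root spree.ms.informatik.hu-berlin.de cscript "//NoLogo" pw.vbs  <<EOF
$USER
$UNCPASS
EOF
    RES=$?
    if [ $RES -eq 0 ] ; then
        echo "Windows: For User '$USER' password changed."
        return 0
    fi
    # Keep the record (presumably for a retry). The previous version used
    # the unset name $USERPG here, so it copied into the directory itself
    # and then chmod'ed the directory instead of the saved file.
    cp "$SUBMIT/$USERGPG" "$WINDOWSPASSWDSAVE/$USERGPG"
    chmod og-rwx "$WINDOWSPASSWDSAVE/$USERGPG"
    # Status 6 from pw.vbs is reported as a rejected password (see message);
    # every other non-zero status as an unknown user -- TODO confirm the
    # status codes against pw.vbs.
    if [ $RES -eq 6 ] ; then
        echo "    Windows!! User '$USER' Passwort fuer Windows falsch - Passwort nicht veraendert!!!!!"
        return $RES
    fi
    echo "    Windows!! User '$USER'  nicht bekannt!!!!!!"
    return $RES
}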

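# Main loop: apply every change record waiting in $SUBMIT.
# Each <user>.gpg decrypts to one whitespace-separated line that is read as
#   $2 = subdomain, $3 = user name, $4 = new cleartext password,
#   $5 = the LDAP userPassword value the record was written against
# ($1 is not used here). A password containing whitespace would shift the
# fields -- TODO confirm the submitter never produces one.
# Without this check a failed cd would glob the current directory and treat
# every file in it as a change record.
cd "$SUBMIT" || {
   echo "Fehler!! cd $SUBMIT fehlgeschlagen - Abbruch" 1>&2
   exit 1
}
# LDAP manager bind password, read once for the checks in this loop (the
# modify_* functions read the file themselves). Without it the stale-record
# check below would compare against nothing, so stop here.
LDAPPW=`cat $BASE/Secure/ldap`
if [ "x$LDAPPW" = "x" ] ; then
   echo "Fehler!! $BASE/Secure/ldap leer oder nicht lesbar - Abbruch" 1>&2
   exit 1
fi
for USERGPG in *
  do
    # An empty directory leaves the literal pattern behind.
    if [ "x$USERGPG" = 'x*' ] ; then
       continue
    fi
    # User name = file name without a trailing .gpg (anchored so only the
    # suffix is removed).
    USER=`echo "$USERGPG" | /usr/bin/sed 's/\.gpg$//'`
    # Decrypt the record; a failed decryption is reported as such instead
    # of surfacing as a user-name mismatch further down.
    UNC=`/opt/csw/bin/gpg -q --batch --passphrase-file $BASE/Secure/gpg -d < "$USERGPG"`
    if [ "x$UNC" = "x" ] ; then
       echo "Warnung!! Aenderungssatz $USERGPG nicht entschluesselbar - Passwort nicht veraendert"
       continue
    fi
    # Fields are pulled out through a here-document rather than echo,
    # presumably so the Bourne-shell echo never interprets backslashes in
    # the record; the pattern is kept for that reason.
    U=`/usr/bin/cat <<EOF | awk '{ print $3 }'
$UNC
EOF`
    if [ "x$U" != "x$USER" ] ; then
       echo "Warnung!! Aenderungssatz $USER.gpg nicht fuer User '$USER' - Passwort nicht veraendert"
       unset UNC
       continue
    fi
    SUBDOMAIN=`/usr/bin/cat <<EOF | awk '{ print $2 }'
$UNC
EOF`

    # The user must exist in the subdomain the record names (anonymous search).
    RES=`/opt/csw/bin/ldapsearch -x -b "ou=People,ou=$SUBDOMAIN,dc=informatik,dc=hu-berlin,dc=de" "uid=$USER" uid | /usr/bin/grep "uid:"`
    if [ "x$RES" = "x" ] ; then
        echo "Warnung!! User  '$USER'  nicht in LDAP-Datenbasis - Passwort nicht veraendert"
       unset UNC
        continue
    fi

    # Current userPassword as stored in LDAP ("userPassword::" is the
    # base64 form in LDIF), captured in-process. The previous version
    # staged it through the predictable file /tmp/asdf$$, which any local
    # user could pre-create or point elsewhere with a symlink.
    LNPA=`/opt/csw/bin/ldapsearch $ACCESS "$LDAPPW" -b "ou=People,ou=$SUBDOMAIN,dc=informatik,dc=hu-berlin,dc=de" "uid=$USER" userPassword | awk '/^userPassword::/{ print $2; }'`
    NPA=`/usr/bin/cat <<EOF | awk '{ print $5 }'
$UNC
EOF`
    # Stale-record check: the record carries the hash it was written
    # against; if LDAP now holds a different one the password has changed
    # in the meantime and the record is discarded.
    if [ "x$NPA" != "x$LNPA" ] ; then
       echo "Veralteter Aenderungssatz fuer User '$USER' - Passwort nicht veraendert."
       unset UNC
       continue
    fi
    # Change timestamp, seconds since the epoch (modify_ldap stores it in
    # shadowLastChange and sambaPwdLastSet).
    AKTDATE=`/opt/csw/bin/gdate +%s`
    UNCPASS=`/usr/bin/cat <<EOF | awk '{ print $4 }'
$UNC
EOF`
    unset UNC
    # Refuse an empty password: every hash below would otherwise be
    # computed for "" and installed in all three systems.
    if [ "x$UNCPASS" = "x" ] ; then
       echo "Warnung!! Aenderungssatz $USER.gpg ohne Passwort - Passwort nicht veraendert"
       continue
    fi
    # passcrypt receives the cleartext through the environment -- presumably
    # it reads UNCPASS; TODO confirm.
    export UNCPASS
    NEWCRYPT=`$BASE/Bin/passcrypt`
    # NOTE(review): slappasswd and mkntpwd receive the cleartext on argv,
    # where ps can read it for the duration of each call.
    NEWSSHA=`/opt/csw/sbin/slappasswd -h {SSHA} -s "$UNCPASS"`
    NEWCRYPTLM=`/opt/Ldap/Bin/Bin/mkntpwd -L "$UNCPASS"`
    NEWCRYPTNT=`/opt/Ldap/Bin/Bin/mkntpwd -N "$UNCPASS"`
    # LDAP: every subdomain ($ALLSUBDOMAINS is a word list, left unquoted).
    for SUBDOMAIN in $ALLSUBDOMAINS
      do
       modify_ldap
    done
    # NIS
    modify_nis
    # Windows
    modify_windows
    # Drop the cleartext and every password-equivalent value (the LM hash
    # in particular) before the next record.
    unset UNCPASS
    unset NEWCRYPT NEWSSHA NEWCRYPTLM NEWCRYPTNT LNPA NPA
done

unset LDAPPW
unset ACCESS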

