Shelley Waltz wrote:
> I searched and did not find a suitable answer, so I am
> posting. Somehow I feel there is an answer, but it has
> eluded me.
>
> I have RHEL5 with openldap with the ppolicy module.
> I wish to have a script or web cgi which I can have
> the users access to change their password and have them
> obey the ppolicy restrictions. I have not been able
> to find a suitable tool which will provide feedback
> regarding their selection requirements and errors.
> If there is one, please point me in the right direction.
>
> regards
> Shelley

If you take a look at the mailing list archive, you find this mail from
Buchan Milne. Maybe it will solve your problem:

----------  Forwarded message  ----------

Subject: Re: Invalid DN Syntax in Shell Script
Date: Tuesday, 3 May 2011
From: Buchan Milne <[email protected]>
To: Inácio Alves <[email protected]>

----- Original Message -----
> Hi to all,
>
>
> I'm trying to write a shell script to simplify the change of pass of
> users.

You may prefer to look for some existing scripts/tools. For example, I have:
http://staff.telkomsa.net/~bgmilne/ldap/ldap-passwd.pl

which can work as a shell command or as a CGI.

I currently use it in conjunction with the script:
http://staff.telkomsa.net/~bgmilne/ldap/find-ldap-expired.pl

which notifies my users by email that their passwords will expire.

Run 'perldoc xxx.pl' to see the documentation for each script.

> Then I write
>
>
> function verificaSenha(){
> whoAmI=`whoami`
> param=`echo "ldapsearch -x -W -D
> \"uid=$whoAmI,ou=People,dc=ifce,dc=edu,dc=br\" -b
> \"dc=ifce,dc=edu,dc=br\" \"(uid=$whoAmI)\""`
> exec `echo "$param"`
> }
>
>
> the line param=... produces a command line that works when I write it
> directly in the term, however in the line exec "$param" I am
> asked for my LDAP pass (like directly in the term) but when I type it I get
>
>
>
> ldapsearch -x -W -D "uid=inacio,ou=People,dc=ifce,dc=edu,dc=br" -b
> "dc=ifce,dc=edu,dc=br" "(uid=inacio)"
> Enter LDAP Password:
> ldap_bind: Invalid DN syntax (34)
> additional info: invalid DN

You should probably compare the logs on the LDAP server for the two binds, and
see if they differ. I suspect a difference introduced by shell quoting.

I wouldn't use exec, but rather just call ldapsearch directly.

But, then, shell quoting, handling of spaces etc. are reasons to avoid shell
scripting for serious LDAP work.

Regards,
Buchan

-------------------------------------------------------

-- 
Harry Jede
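
The shell-quoting difference suspected in the forwarded reply, as an added example that is not part of either message: when a command line is built as a string and re-expanded, the shell splits it into words but does not remove the embedded quotes, so the bind DN reaches the program with literal double quotes around it. show_args is a hypothetical stand-in for ldapsearch so the script runs offline, and the user name is a constructed sample.

```shell
#!/bin/sh
# show_args: hypothetical stand-in for ldapsearch; prints one [argument] per line.
show_args() {
    for a in "$@"; do printf '[%s]\n' "$a"; done
}

user=inacio                      # constructed sample; the quoted script used `whoami`
base='dc=ifce,dc=edu,dc=br'

# Same construction as the quoted script: the command line is assembled as a
# string, then expanded again. 'exec' is left out so this script keeps running;
# it does not change how the arguments are split.
broken_argv() {
    param=$(echo "show_args -x -W -D \"uid=$user,ou=People,$base\" -b \"$base\" \"(uid=$user)\"")
    # Unquoted command substitution: word splitting is applied to the result,
    # quote removal is not, so every \" above survives as a literal character.
    $(echo "$param")
}

# The direct call recommended in the reply: the shell parses the quotes itself
# and each argument arrives clean.
fixed_argv() {
    show_args -x -W -D "uid=$user,ou=People,$base" -b "$base" "(uid=$user)"
}

echo "built as a string, then expanded:"
broken_argv
echo "called directly:"
fixed_argv
```

The fourth argument in each listing is the value that follows -D; in the first listing it still carries the double quotes, in the second it does not.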
