ltb-project · xavierba · Nov 13, 2023 · Nov 13, 2023 · Nov 13, 2023 · Nov 13, 2023
diff --git a/checkLdapPwdExpiration.sh b/checkLdapPwdExpiration.sh
@@ -190,7 +190,7 @@ MY_MAIL_BIN="mail"
 # Log header format
 # Could include unix commands
 #
-MY_LOG_HEADER="`date +\"%b %e %T\"` `hostname` $0[$$]:"
+MY_LOG_HEADER="$(date +\"%b %e %T\") $(hostname) $0[$$]:"
 
 #
 # Path to GAWK (GNU awk) binary
@@ -208,28 +208,28 @@ MY_GAWK_BIN="/usr/bin/gawk"
 #
 getTimeInSeconds() {
 	date=0
-	os=`uname -s`
+	os=$(uname -s)
 
 	if [ "$1" ]; then
-		date=`TZ=UTC ${MY_GAWK_BIN} 'BEGIN  { \
+		date=$(TZ=UTC ${MY_GAWK_BIN} 'BEGIN  { \
 			if (ARGC == 2) { \
 		        	print mktime(ARGV[1]) \
 			} \
-			exit 0 }' "$1"`
+			exit 0 }' "$1")
 	else
 		if [ "${os}" = "SunOS" ]; then
 			# Under Sun Solaris, there is no simple way to
 			# retrieve epoch time.
 			# TODO: manage zulu time (GMT)
-			date=`/usr/bin/truss /usr/bin/date 2>&1 | nawk -F= \
-				'/^time\(\)/ {gsub(/ /,"",$2);print $2}'`
+			date=$(/usr/bin/truss /usr/bin/date 2>&1 | nawk -F= \
+				'/^time\(\)/ {gsub(/ /,"",$2);print $2}')
 		else
-			now=`date +"%Y %m %d %H %M %S" -u`
-			date=`getTimeInSeconds "$now"`
+			now=$(date +"%Y %m %d %H %M %S" -u)
+			date=$(getTimeInSeconds "$now")
 		fi
 	fi
 
-	echo ${date}
+	echo "${date}"
 }
 
 #====================================================================
@@ -255,43 +255,44 @@ if [ -d ${tmp_dir} ]; then
 fi
 mkdir ${tmp_dir}
 
-if [ ${MY_LDAP_ROOTDN} ]; then
+if [ "${MY_LDAP_ROOTDN}" ]; then
+	# shellcheck disable=SC2153
 	ldap_param="${ldap_param} -D ${MY_LDAP_ROOTDN} -w ${MY_LDAP_ROOTPW}"
 fi
 
 ## Performs global search
-${MY_LDAP_SEARCHBIN} ${ldap_param} -s ${MY_LDAP_SEARCHSCOPE} \
+${MY_LDAP_SEARCHBIN} "${ldap_param}" -s ${MY_LDAP_SEARCHSCOPE} \
 	-b "${MY_LDAP_SEARCHBASE}" "${MY_LDAP_SEARCHFILTER}" \
 	"dn" | grep -iE '^dn:' > ${result_file}
 
 ## Loops on results
-while read dnStr
+while read -r dnStr
 do
 	# Do not use blank lines
 	if [ ! "${dnStr}" ]; then
 		continue
 	fi
 
 	# Process ldap search
-	dn=`echo ${dnStr} | cut -d : -f 2`
+	dn=$(echo "${dnStr}" | cut -d : -f 2)
 
 	# Increment users counter
-	nb_users=`expr ${nb_users} + 1`
+	nb_users=$(("${nb_users}" + 1))
 
-	${MY_LDAP_SEARCHBIN} ${ldap_param} -s base -b "${dn}" \
+	${MY_LDAP_SEARCHBIN} "${ldap_param}" -s base -b "${dn}" \
 		${MY_LDAP_NAME_ATTR} ${MY_LDAP_LOGIN_ATTR} ${MY_LDAP_MAIL_ATTR} pwdChangedTime pwdPolicySubentry \
 		> ${buffer_file}
 
-	login=`grep -w "${MY_LDAP_LOGIN_ATTR}:" ${buffer_file} | cut -d : -f 2 \
-		| sed "s/^ *//;s/ *$//"`
-	name=`grep -w "${MY_LDAP_NAME_ATTR}:" ${buffer_file} | cut -d : -f 2\
-		| sed "s/^ *//;s/ *$//"`
-	mail=`grep -w "${MY_LDAP_MAIL_ATTR}:" ${buffer_file} | cut -d : -f 2 \
-		| sed "s/^ *//;s/ *$//"`
-	pwdChangedTime=`grep -w "pwdChangedTime:" ${buffer_file} \
-		| cut -d : -f 2 | cut -c 1-15 | sed "s/^ *//;s/ *$//"`
-	pwdPolicySubentry=`grep -w "pwdPolicySubentry:" ${buffer_file} \
-		| cut -d : -f 2 | sed "s/^ *//;s/ *$//"`
+	login=$(grep -w "${MY_LDAP_LOGIN_ATTR}:" ${buffer_file} | cut -d : -f 2 \
+		| sed "s/^ *//;s/ *$//")
+	name=$(grep -w "${MY_LDAP_NAME_ATTR}:" ${buffer_file} | cut -d : -f 2\
+		| sed "s/^ *//;s/ *$//")
+	mail=$(grep -w "${MY_LDAP_MAIL_ATTR}:" ${buffer_file} | cut -d : -f 2 \
+		| sed "s/^ *//;s/ *$//")
+	pwdChangedTime=$(grep -w "pwdChangedTime:" ${buffer_file} \
+		| cut -d : -f 2 | cut -c 1-15 | sed "s/^ *//;s/ *$//")
+	pwdPolicySubentry=$(grep -w "pwdPolicySubentry:" ${buffer_file} \
+		| cut -d : -f 2 | sed "s/^ *//;s/ *$//")
 
 	# Go to next entry if no pwdChangedTime
 	if [ ! "${pwdChangedTime}" ]; then
@@ -300,7 +301,7 @@ do
 	fi
 
 	# Go to next entry if no pwdPolicySubEntry and no default policy
-	if [ ! "${pwdPolicySubentry}" -a ! "${MY_LDAP_DEFAULTPWDPOLICYDN}" ]; then
+	if [ ! "${pwdPolicySubentry}" ] && [ ! "${MY_LDAP_DEFAULTPWDPOLICYDN}" ]; then
 		echo "${MY_LOG_HEADER} No password policy for ${login}" >&2
 		continue
 	fi
@@ -314,14 +315,14 @@ do
 	fi
 
 	ldap_search="$ldap_search pwdMaxAge pwdExpireWarning pwdMinLength pwdInHistory"
-	pwdMaxAge=`${ldap_search} | grep -w "pwdMaxAge:" | cut -d : -f 2 \
-		| sed "s/^ *//;s/ *$//"`
-	pwdExpireWarning=`${ldap_search} | grep -w "pwdExpireWarning:" | cut -d : -f 2 \
-		| sed "s/^ *//;s/ *$//"`
-	pwdMinLength=`${ldap_search} | grep -w "pwdMinLength:" | cut -d : -f 2 \
-		| sed "s/^ *//;s/ *$//"`
-	pwdInHistory=`${ldap_search} | grep -w "pwdInHistory:" | cut -d : -f 2 \
-		| sed "s/^ *//;s/ *$//"`
+	pwdMaxAge=$(${ldap_search} | grep -w "pwdMaxAge:" | cut -d : -f 2 \
+		| sed "s/^ *//;s/ *$//")
+	pwdExpireWarning=$(${ldap_search} | grep -w "pwdExpireWarning:" | cut -d : -f 2 \
+		| sed "s/^ *//;s/ *$//")
+	pwdMinLength=$(${ldap_search} | grep -w "pwdMinLength:" | cut -d : -f 2 \
+		| sed "s/^ *//;s/ *$//")
+	pwdInHistory=$(${ldap_search} | grep -w "pwdInHistory:" | cut -d : -f 2 \
+		| sed "s/^ *//;s/ *$//")
 
         # Go to next user if no pwdMaxAge (no expiration)
         if [ ! "${pwdMaxAge}" ]; then
@@ -334,58 +335,58 @@ do
 
 	# Retrieves time difference between today and last change.
 	if [ "${pwdChangedTime}" ]; then
-		s=`echo ${pwdChangedTime} | cut -c 13-14`
-		m=`echo ${pwdChangedTime} | cut -c 11-12`
-		h=`echo ${pwdChangedTime} | cut -c 9-10`
-		d=`echo ${pwdChangedTime} | cut -c 7-8`
-		M=`echo ${pwdChangedTime} | cut -c 5-6`
-		y=`echo ${pwdChangedTime} | cut -c 1-4`
-		currentTime=`getTimeInSeconds`
-		pwdChangedTime=`getTimeInSeconds "$y $M $d $h $m $s"`
-		diffTime=`expr ${currentTime} - ${pwdChangedTime}`
+		s=$(echo "${pwdChangedTime}" | cut -c 13-14)
+		m=$(echo "${pwdChangedTime}" | cut -c 11-12)
+		h=$(echo "${pwdChangedTime}" | cut -c 9-10)
+		d=$(echo "${pwdChangedTime}" | cut -c 7-8)
+		M=$(echo "${pwdChangedTime}" | cut -c 5-6)
+		y=$(echo "${pwdChangedTime}" | cut -c 1-4)
+		currentTime=$(getTimeInSeconds)
+		pwdChangedTime=$(getTimeInSeconds "$y $M $d $h $m $s")
+		diffTime=$(("${currentTime}" - "${pwdChangedTime}"))
 	fi
 
 	# Go to next user if password already expired
-	expireTime=`expr ${pwdChangedTime} + ${pwdMaxAge}`
-	if [ ${currentTime} -gt ${expireTime} ]; then
-		nb_expired_users=`expr ${nb_expired_users} + 1`
+	expireTime=$(("${pwdChangedTime}" + "${pwdMaxAge}"))
+	if [ "${currentTime}" -gt "${expireTime}" ]; then
+		nb_expired_users=$(("${nb_expired_users}" + 1))
 		echo "${MY_LOG_HEADER} Password expired for ${login}" >&2
 		continue
 	fi
 
-	expireTimeTZ=`date -d @$expireTime "+%A %d %B %Y %T"`
+	expireTimeTZ=$(date -d @"$expireTime" "+%A %d %B %Y %T")
 
-	expireTimeMail=`date -d @$expireTime "+%s"`
+	expireTimeMail=$(date -d @"$expireTime" "+%s")
 
-	now=`date +%s`
+	now=$(date +%s)
 
-	expireDays=`echo $(( (${expireTimeMail} - ${now} )/(60*60*24) ))`
+	expireDays=$(( (expireTimeMail - now) / (60*60*24) ))
 
   # Print debug information on STDERR when there is no mail
   if [ -z "${mail}" ];then
     echo "${MY_LOG_HEADER} No mail attribute (${MY_LDAP_MAIL_ATTR}) for user ${login}" >&2
   fi
 
 	# ALL LDAP attributes should be there, else continue to next user
-	if [ "${mail}" -a "${name}" \
-		-a "${login}" -a "${diffTime}" -a "${pwdMaxAge}" ]
+	if [ "${mail}" ] && [ "${name}" ] \
+		&& [ "${login}" ] && [ "${diffTime}" ] && [ "${pwdMaxAge}" ]
 	then
 		# Ajusts time with delay
-		diffTime=`expr ${diffTime} + ${MY_MAIL_DELAY}`
-		if [ ${diffTime} -gt ${pwdMaxAge} ]; then
+		diffTime=$(("${diffTime}" + "${MY_MAIL_DELAY}"))
+		if [ "${diffTime}" -gt "${pwdMaxAge}" ]; then
 			logmsg="${MY_MAIL_BODY}"
-			logmsg=`echo ${logmsg} | sed "s/%name/${name}/; \
+			logmsg=$(echo "${logmsg}" | sed "s/%name/${name}/; \
 				s/%login/${login}/; s/%expireTimeTZ/${expireTimeTZ}/; s/%pwdMinLength/${pwdMinLength}/; s/%pwdInHistory/${pwdInHistory}/; \
-				s/%expireDays/${expireDays}/"`
+				s/%expireDays/${expireDays}/")
 
 			# Sending mail...
-			echo "${logmsg}" | ${MY_MAIL_BIN} "${MY_MAIL_FROM}" -s "${MY_MAIL_SUBJECT}" ${mail} >&2
+			echo "${logmsg}" | ${MY_MAIL_BIN} "${MY_MAIL_FROM}" -s "${MY_MAIL_SUBJECT}" "${mail}" >&2
 
 			# Print debug information on STDERR
 			echo "${MY_LOG_HEADER} Mail sent to user ${login} (${mail})" >&2
 
 			# Increment warning counter
-			nb_warning_users=`expr ${nb_warning_users} + 1`
+			nb_warning_users=$(("${nb_warning_users}" + 1))
 		fi
 	fi
 

diff --git a/cleanLdapBrokenAliases.sh b/cleanLdapBrokenAliases.sh
@@ -71,7 +71,7 @@ MY_LDAP_BINDPW="secret"
 # Log header format
 # Could include unix commands
 #
-MY_LOG_HEADER="`date +\"%b %e %T\"` `hostname` `basename $0`[$$]:"
+MY_LOG_HEADER="$(date +\"%b %e %T\") $(hostname) $(basename "$0")[$$]:"
 
 #------------------------------------------------------------------------
 # INIT
@@ -92,11 +92,11 @@ MY_SCRIPTNAME="$0"
 #
 delete_broken_aliases() {
   # $1: search base dn
-  for alias_dn in `search_dn "$1" "sub" "(objectclass=alias)"`
+  for alias_dn in $(search_dn "$1" "sub" "(objectclass=alias)")
   do
-    object_dn=`search_aliasedObjectName "${alias_dn}"`
-    if [ `test_dn "${object_dn}"` -ne 0 ] ; then
-      if [ `delete_dn "${alias_dn}"` -eq 0 ] ; then
+    object_dn=$(search_aliasedObjectName "${alias_dn}")
+    if [ "$(test_dn "${object_dn}")" -ne 0 ] ; then
+      if [ "$(delete_dn "${alias_dn}")" -eq 0 ] ; then
         print_trace "removing broken alias ${alias_dn} [OK]"
       else
         print_trace "removing broken alias ${alias_dn} [FAILED]"
@@ -110,7 +110,7 @@ delete_broken_aliases() {
 #
 delete_dn() {
   # $1: entry dn
-  ldapdelete ${MY_LDAP_AUTHTOKEN} "$1" > /dev/null 2>&1
+  ldapdelete "${MY_LDAP_AUTHTOKEN}" "$1" > /dev/null 2>&1
   echo $?
 }
 
@@ -127,15 +127,15 @@ print_trace() {
 #
 print_usage() {
   echo "Usage : ${MY_SCRIPTNAME}]" 1>&2
-  echo "\t-b <searchbase>" 1>&2
+  echo "  -b <searchbase>" 1>&2
 }  
 
 #
 # Get the aliasedObjectName value of an LDAP alias.
 #
 search_aliasedObjectName() {
   # $1: alias dn
-  ldapsearch -LLL ${MY_LDAP_AUTHTOKEN} -b "$1" -s base aliasedObjectName \
+  ldapsearch -LLL "${MY_LDAP_AUTHTOKEN}" -b "$1" -s base aliasedObjectName \
     | perl -p0e 's/\n //g' | grep -i "aliasedObjectName" | awk -F': ' '{print $2}'
 }
 
@@ -146,7 +146,7 @@ search_dn() {
   # $1: base dn
   # $2: scope
   # $3: filter
-  ldapsearch -LLL ${MY_LDAP_AUTHTOKEN} -b "$1" -S "" -s "$2" "$3" dn \
+  ldapsearch -LLL "${MY_LDAP_AUTHTOKEN}" -b "$1" -S "" -s "$2" "$3" dn \
     | perl -p0e 's/\n //g' | awk -F': ' '{print $2}'
 }
 
@@ -155,7 +155,7 @@ search_dn() {
 #
 test_dn() {
   # $1: entry dn
-  ldapsearch -LLL ${MY_LDAP_AUTHTOKEN} -b "$1" -s base dn > /dev/null 2>&1
+  ldapsearch -LLL "${MY_LDAP_AUTHTOKEN}" -b "$1" -s base dn > /dev/null 2>&1
   echo $?
 }