#!/usr/bin/env ruby
require 'net/ldap'
require 'securerandom'
require 'digest/sha1'
require 'base64'
require 'io/console'
# Produce a fresh random salt: 16 random bytes from SecureRandom, returned as
# a 32-character lowercase hexadecimal string.
def generate_salt
  random_byte_count = 16
  SecureRandom.hex(random_byte_count)
end
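# Hash a password in the LDAP {SSHA} format: SHA-1 over password bytes followed
# by the salt bytes, then "{SSHA}" + Base64(digest + salt).
#
# plaintext - the password String; nil raises ArgumentError.
# salt      - salt String; a new random salt is generated when omitted.
#
# Both inputs are handled as raw bytes (String#b). Without that, a password
# containing non-ASCII characters combined with a binary salt taken from an
# existing hash raises Encoding::CompatibilityError on concatenation.
#
# NOTE(review): {SSHA} is a single round of salted SHA-1, which is cheap to
# guess offline if userPassword values are ever disclosed. If the directory
# accepts a slower scheme, prefer it - confirm what the server supports.
def encode_password(plaintext, salt=generate_salt)
  raise ArgumentError, "Password must not be nil" if plaintext.nil?

  salt_bytes = salt.b
  digest = Digest::SHA1.digest(plaintext.b + salt_bytes)
  # strict_encode64 never emits a newline, so no chomp is needed.
  "{SSHA}" + Base64.strict_encode64(digest + salt_bytes)
end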
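# Check the supplied password against a stored {SSHA} value and return true if
# they match, else false.
#
# password - candidate password String; nil raises ArgumentError.
# ssha     - stored value, expected to be "{SSHA}" + Base64(digest + salt).
#
# Anything that is not a well-formed {SSHA} value (missing prefix, invalid
# Base64, fewer than 20 decoded bytes) returns false instead of raising, so a
# malformed directory entry cannot crash the caller or be treated as a match.
def check_password(password, ssha)
  raise ArgumentError, "Password must not be nil" if password.nil?

  prefix = "{SSHA}"
  return false unless ssha.is_a?(String) && ssha.start_with?(prefix)

  begin
    decoded = Base64.strict_decode64(ssha[prefix.length..-1])
  rescue ArgumentError
    return false
  end

  digest_size = 20 # a SHA-1 digest is 20 bytes; the salt is whatever follows
  return false if decoded.bytesize < digest_size

  stored_digest = decoded.byteslice(0, digest_size)
  salt = decoded.byteslice(digest_size..-1)
  # Work on raw bytes so a non-ASCII password and a binary salt concatenate.
  candidate = Digest::SHA1.digest(password.b + salt)

  # Compare every byte rather than stopping at the first difference, so the
  # time taken does not depend on how many leading bytes agree.
  mismatch = 0
  stored_digest.bytes.zip(candidate.bytes) { |a, b| mismatch |= a ^ b }
  mismatch.zero?
end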
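# Interactive password change: look the user up, verify the current password
# against the stored {SSHA} value, then write a new {SSHA} value.

# The old password is verified locally after an admin bind, so the directory
# never sees a failed bind for the user; cap the retries here instead.
MAX_ATTEMPTS = 3

# Print a prompt and read one line from the terminal without echo.
# Exits if input ends (EOF) rather than calling chomp on nil.
def prompt_secret(label)
  print label
  line = $stdin.noecho(&:gets)
  puts
  abort "No input received." if line.nil?
  line.chomp
end

# NOTE(review): the admin bind password is read from a file relative to the
# current working directory - confirm it is readable only by the account that
# runs this script.
LDAPPASSWD = File.read("ldap.passwd").chomp

print "Username: "
# $stdin.gets, not Kernel#gets: the latter reads from files named in ARGV.
uid_line = $stdin.gets
abort "No username supplied." if uid_line.nil?
uid = uid_line.chomp
abort "No username supplied." if uid.empty?

# Simple bind on port 389 is unencrypted; that is tolerable only because the
# server is on loopback. Enable TLS if the host ever changes.
ldap = Net::LDAP.new(
  :host => '127.0.0.1',
  :port => 389,
  :auth => {
    :method => :simple,
    :username => "cn=admin,dc=york,dc=hackspace,dc=org,dc=uk",
    :password => LDAPPASSWD
  }
)

# Filter.equals escapes the value; Filter.eq would pass filter metacharacters
# in the typed username straight through to the search.
filter = Net::LDAP::Filter.equals( "uid", uid )
treebase = "ou=Users,dc=york,dc=hackspace,dc=org,dc=uk"
entries = ldap.search( :base => treebase, :filter => filter )
abort "LDAP search failed: #{ldap.get_operation_result.message}" if entries.nil?
abort "User not found." if entries.empty?
abort "Ambiguous username." if entries.size > 1

entry = entries.first
stored_hash = entry[:userPassword].first
abort "User has no password set." if stored_hash.nil?

attempts = 0
until check_password(prompt_secret("Password: "), stored_hash)
  attempts += 1
  abort "Too many incorrect attempts." if attempts >= MAX_ATTEMPTS
  puts "Incorrect password. Try again, Dumdum."
end

newpass = ""
loop do
  newpass = prompt_secret("New password: ")
  newpass2 = prompt_secret("Again: ")
  if newpass.empty?
    puts "Password must not be empty. Try again."
  elsif newpass == newpass2
    break
  else
    puts "Passwords do not match. Try again, Dumdum."
  end
end

newhash = encode_password(newpass)
# Write to the DN the directory returned for the verified entry instead of
# rebuilding a DN from the typed username, and report a failed write.
unless ldap.replace_attribute(entry.dn, :userPassword, newhash)
  abort "Password change failed: #{ldap.get_operation_result.message}"
end
puts "Password changed."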