authorScott Little <scott.little@windriver.com>2018-08-01 14:22:27 -0400
committerScott Little <scott.little@windriver.com>2018-08-01 14:22:29 -0400
commit50808566f9229bec9ed019722d2227e42106c7dd (patch)
tree222676b0be558cb69e6f239503101c0c87d3ac65
parent51f969296b3d7a2dc4277d57f4f97a563b8c0550 (diff)
Relocate ldapscripts to stx-integ/ldap/ldapscripts
Move content from stx-gplv2 into stx-integ. Packages will be relocated to stx-integ: base/ bash cgcs-users cluster-resource-agents dpkg haproxy libfdt netpbm rpm database/ mariadb filesystem/ iscsi-initiator-utils filesystem/drbd/ drbd-tools kernel/kernel-modules/ drbd integrity intel-e1000e intel-i40e intel-i40evf intel-ixgbe intel-ixgbevf qat17 tpmdd ldap/ ldapscripts networking/ iptables net-tools Change-Id: I4d0aa1d13de96cf498523b084137d76cb4720cfc Story: 2002801 Task: 22687 Signed-off-by: Scott Little <scott.little@windriver.com>
Notes
Notes (review): Code-Review+2: Don Penney <don.penney@windriver.com> Code-Review+2: Saul Wold <sgw@linux.intel.com> Workflow+1: Scott Little <scott.little@windriver.com> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Thu, 02 Aug 2018 19:13:12 +0000 Reviewed-on: https://review.openstack.org/587965 Project: openstack/stx-gplv2 Branch: refs/heads/master
-rw-r--r--centos_pkg_dirs1
-rw-r--r--ldapscripts/PKG-INFO14
-rw-r--r--ldapscripts/centos/build_srpm.data3
-rw-r--r--ldapscripts/centos/ldapscripts.spec75
-rw-r--r--ldapscripts/files/allow-anonymous-bind-for-ldap-search.patch38
-rw-r--r--ldapscripts/files/ldap-user-setup-noninteractive-mode-fix.patch15
-rw-r--r--ldapscripts/files/ldap-user-setup-support-input-validation.patch87
-rw-r--r--ldapscripts/files/ldap-user-setup-support.patch354
-rwxr-xr-xldapscripts/files/ldapaddgroup.template.cgcs5
-rwxr-xr-xldapscripts/files/ldapaddsudo.template.cgcs10
-rwxr-xr-xldapscripts/files/ldapadduser.template.cgcs16
-rwxr-xr-xldapscripts/files/ldapmodsudo.template.cgcs4
-rwxr-xr-xldapscripts/files/ldapmoduser.template.cgcs4
-rwxr-xr-xldapscripts/files/ldapscripts.conf.cgcs152
-rw-r--r--ldapscripts/files/ldapscripts.passwd1
-rw-r--r--ldapscripts/files/log_timestamp.patch15
-rw-r--r--ldapscripts/files/sudo-delete-support.patch352
-rw-r--r--ldapscripts/files/sudo-support.patch289
18 files changed, 0 insertions, 1435 deletions
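--- a/centos_pkg_dirs
+++ b/centos_pkg_dirs
@@ -1,5 +1,4 @@
 iptables
-ldapscripts
 net-tools
 drbd-tools
 mariadb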
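--- a/ldapscripts/PKG-INFO
+++ /dev/null
@@ -1,14 +0,0 @@
-Metadata-Version: 1.1
-Name: ldapscripts
-Version: 2.0.8
-Summary: ldapscripts
-Home-page:
-Author:
-Author-email:
-License: GPLv2
-
-Description:
-Shell scripts that allow to manage POSIX accounts (users, groups, machines) in an LDAP directory.
-
-
-Platform: UNKNOWN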
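--- a/ldapscripts/centos/build_srpm.data
+++ /dev/null
@@ -1,3 +0,0 @@
-COPY_LIST="files/* \
- $CGCS_BASE/downloads/ldapscripts-2.0.8.tgz"
-TIS_PATCH_VER=2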
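--- a/ldapscripts/centos/ldapscripts.spec
+++ /dev/null
@@ -1,75 +0,0 @@
-Name: ldapscripts
-Version: 2.0.8
-Release: 0%{?_tis_dist}.%{tis_patch_ver}
-Summary: ldapscripts
-
-Group: base
-License: GPLv2
-URL: unknown
-Source0: %{name}-%{version}.tgz
-Source1: ldapscripts.conf.cgcs
-Source2: ldapadduser.template.cgcs
-Source3: ldapaddgroup.template.cgcs
-Source4: ldapmoduser.template.cgcs
-Source5: ldapaddsudo.template.cgcs
-Source6: ldapmodsudo.template.cgcs
-Source7: ldapscripts.passwd
-
-Patch0: sudo-support.patch
-Patch1: sudo-delete-support.patch
-Patch2: log_timestamp.patch
-Patch3: ldap-user-setup-support.patch
-Patch4: ldap-user-setup-support-input-validation.patch
-Patch5: ldap-user-setup-noninteractive-mode-fix.patch
-Patch6: allow-anonymous-bind-for-ldap-search.patch
-
-%define debug_package %{nil}
-
-# BuildRequires:
-# Requires:
-
-%description
-Shell scripts that allow to manage POSIX accounts (users, groups, machines) in an LDAP directory.
-
-
-%prep
-%setup -q
-%patch0 -p1
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-
-
-%build
-
-
-%install
-make install DESTDIR=%{buildroot}
-
-rm -Rf %{buildroot}/usr/local/man
-rm -f %{buildroot}/usr/local/sbin/*machine*
-rm -f %{buildroot}/usr/local/etc/ldapscripts/ldapaddmachine.template.sample
-install -d ldroot}}/usr/local/etc/
-install -m 644 %{SOURCE1} %{buildroot}/usr/local/etc/ldapscripts/ldapscripts.conf
-install -m 644 %{SOURCE2} %{buildroot}/usr/local/etc/ldapscripts/ldapadduser.template.cgcs
-install -m 644 %{SOURCE3} %{buildroot}/usr/local/etc/ldapscripts/ldapaddgroup.template.cgcs
-install -m 644 %{SOURCE4} %{buildroot}/usr/local/etc/ldapscripts/ldapmoduser.template.cgcs
-install -m 644 %{SOURCE5} %{buildroot}/usr/local/etc/ldapscripts/ldapaddsudo.template.cgcs
-install -m 644 %{SOURCE6} %{buildroot}/usr/local/etc/ldapscripts/ldapmodsudo.template.cgcs
-install -m 600 %{SOURCE7} %{buildroot}/usr/local/etc/ldapscripts/ldapscripts.passwd
-
-%files
-%defattr(-,root,root,-)
-%dir /usr/local/etc/ldapscripts/
-%dir /usr/local/lib/ldapscripts/
-/usr/local/sbin/*
-%config(noreplace) /usr/local/etc/ldapscripts/ldapscripts.passwd
-/usr/local/etc/ldapscripts/*
-/usr/local/lib/ldapscripts/*
-
-
-%changelog
-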
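--- a/ldapscripts/files/allow-anonymous-bind-for-ldap-search.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From bee43b9f75ee7a2cee0391319528264014d775f7 Mon Sep 17 00:00:00 2001
-From: Kam Nasim <kam.nasim@windriver.com>
-Date: Mon, 16 Apr 2018 14:58:03 -0400
-Subject: [PATCH] ldapscripts - allow anonymous bind for ldap search
-
----
- lib/runtime | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/lib/runtime b/lib/runtime
-index 012ac95..18acf3f 100644
---- a/lib/runtime
-+++ b/lib/runtime
-@@ -197,8 +197,11 @@ _ldapsearch () {
- elif [ -n "$BINDPWDFILE" ]
- then
- $LDAPSEARCHBIN $LDAPBINOPTS $LDAPSEARCHOPTS -y "$BINDPWDFILE" -D "$BINDDN" -b "${1:-$SUFFIX}" -xH "$SERVER" -s sub -LLL "${2:-(objectclass=*)}" "${3:-*}" 2>>"$LOGFILE"
-- else
-+ elif [ -n "$BINDPWD" ]
-+ then
- $LDAPSEARCHBIN $LDAPBINOPTS $LDAPSEARCHOPTS -w "$BINDPWD" -D "$BINDDN" -b "${1:-$SUFFIX}" -xH "$SERVER" -s sub -LLL "${2:-(objectclass=*)}" "${3:-*}" 2>>"$LOGFILE"
-+ else
-+ $LDAPSEARCHBIN $LDAPBINOPTS $LDAPSEARCHOPTS -D "$BINDDN" -b "${1:-$SUFFIX}" -xH "$SERVER" -s sub -LLL "${2:-(objectclass=*)}" "${3:-*}" 2>>"$LOGFILE"
- fi
- }
-
-@@ -785,7 +788,7 @@ then
- then
- warn_log "Warning : using command-line passwords, ldapscripts may not be safe"
- else
-- end_die "Unable to read password file $BINDPWDFILE, exiting..."
-+ warn_log "Warning: Unable to read password file $BINDPWDFILE, binding anonymously..."
- fi
- fi
- fi
---
-1.8.3.1
-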
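--- a/ldapscripts/files/ldap-user-setup-noninteractive-mode-fix.patch
+++ /dev/null
@@ -1,15 +0,0 @@
----
- sbin/ldapusersetup | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/sbin/ldapusersetup
-+++ b/sbin/ldapusersetup
-@@ -105,7 +105,7 @@ LdapAddLoginShell () {
- ;;
- esac
- else
-- shellopn=${$2,,}
-+ shellopn=${2,,}
- case $shellopn in
- "bash") _SHELL="/bin/sh";;
- "lshell") _SHELL="$_DEFAULTLSHELL";;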
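--- a/ldapscripts/files/ldap-user-setup-support-input-validation.patch
+++ /dev/null
@@ -1,87 +0,0 @@
----
- sbin/ldapusersetup | 45 ++++++++++++++++++++++++++++++++++-----------
- 1 file changed, 34 insertions(+), 11 deletions(-)
-
---- a/sbin/ldapusersetup
-+++ b/sbin/ldapusersetup
-@@ -44,6 +44,29 @@ _SHELL=""
-
- ### Helper functions ###
-
-+# Gets input from user and validates it.
-+# Will only return if input meets validation
-+# criteria otherwise will just sit there.
-+#
-+# Input : input string ($1), valid output options ($2)
-+# Output: the validated input
-+# Note : the validation list must be an array
-+LdapUserInput () {
-+declare -a optionAry=("${!2}")
-+while true; do
-+ read -p "$1" _output
-+ # convert to lower case
-+ _output2=${_output,,}
-+ # check if output is a valid option
-+ if [[ "${optionAry[@]}" =~ "$_output2" ]]; then
-+ break
-+ else
-+ echo "Invalid input \"$_output\". Allowed options: ${optionAry[@]}" >&2
-+ fi
-+done
-+ echo "$_output2"
-+}
-+
- # Delete an ldap user if it exists
- # and exit with error
- # Input : username ($1), exit msg ($2)
-@@ -67,10 +90,12 @@ LdapAddUser() {
- LdapAddLoginShell () {
- if [ -z "$2" ]; then
- # Ask the user for the login shell
-- echo "Select Login Shell option # [2]:
-+ shellInput="Select Login Shell option # [2]:
- 1) Bash
--2) Lshell"
-- read opn
-+2) Lshell
-+"
-+ options=( 1, 2 )
-+ opn=`LdapUserInput "$shellInput" options[@]`
- case $opn in
- 1) _SHELL="/bin/sh";;
- 2) _SHELL="$_DEFAULTLSHELL";;
-@@ -139,7 +164,6 @@ LdapUpdateShadowWarning () {
- echo "Updating password expiry to $_newWarning days"
- }
-
--
- # Since this setup script is meant to be a
- # wrapper on top of existing ldap scripts,
- # it share invoke those... we could have achieved
-@@ -170,10 +194,9 @@ if [ "$#" -eq 0 ]; then
- # prompt for sudo permissions
- if [ "$_SHELL" != "$_DEFAULTLSHELL" ]; then
- # Should sudo be activated for this user
-- echo -n "Add $_username to sudoer list? (yes/NO): "
-- read CONFIRM
-- CONFIRM=${CONFIRM,,}
--
-+ shellInput="Add $_username to sudoer list? (yes/NO): "
-+ options=( "yes", "no" )
-+ CONFIRM=`LdapUserInput "$shellInput" options[@]`
- if is_yes $CONFIRM
- then
- LdapAddSudo "$_username"
-@@ -181,9 +204,9 @@ if [ "$#" -eq 0 ]; then
- fi
-
- # Add to secondary user group
-- echo -n "Add $_username to secondary user group? (yes/NO): "
-- read CONFIRM
-- CONFIRM=${CONFIRM,,}
-+ shellInput="Add $_username to secondary user group? (yes/NO): "
-+ options=( "yes", "no" )
-+ CONFIRM=`LdapUserInput "$shellInput" options[@]`
- if is_yes $CONFIRM
- then
- echo -n "Secondary group to add user to? [$_DEFAULTGRP2]: "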
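--- a/ldapscripts/files/ldap-user-setup-support.patch
+++ /dev/null
@@ -1,354 +0,0 @@
----
- Makefile | 5
- man/man1/ldapusersetup.1 | 61 ++++++++++
- sbin/ldapusersetup | 263 +++++++++++++++++++++++++++++++++++++++++++++++
- 3 files changed, 327 insertions(+), 2 deletions(-)
-
---- /dev/null
-+++ b/sbin/ldapusersetup
-@@ -0,0 +1,263 @@
-+#!/bin/sh
-+
-+# ldapusersetup : interactive setup for adding users to LDAP
-+
-+# Copyright (c) 2015 Wind River Systems, Inc.
-+#
-+# This program is free software; you can redistribute it and/or
-+# modify it under the terms of the GNU General Public License
-+# as published by the Free Software Foundation; either version 2
-+# of the License, or (at your option) any later version.
-+#
-+# This program is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+# GNU General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License
-+# along with this program; if not, write to the Free Software
-+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
-+# USA.
-+
-+if [ "$1" = "-h" ] || [ "$1" = "--help" ] || [ "$#" -eq 1 ]
-+then
-+ echo "Usage : $0 [-u <username | uid> <field> <value>]
-+where accepted field(s) are as follows:
-+--sudo : whether to add this user to sudoer list
-+--shell <\"bash\"|\"lshell\"> : choose the shell for this user (default is lshell)
-+--secondgroup <grp> : the secondary group to add this user to
-+--passmax <value> : the shadowMax value for this user
-+--passwarning <value> : the shadowWarning value for this user"
-+ exit 1
-+fi
-+
-+# Source runtime file
-+_RUNTIMEFILE="/usr/lib/ldapscripts/runtime"
-+. "$_RUNTIMEFILE"
-+
-+# runtime defaults
-+_DEFAULTGRP2="wrs_protected"
-+_DEFAULTLSHELL="/usr/local/bin/cgcs_cli"
-+_DEFAULTSHADOWMAX="90"
-+_DEFAULTSHADOWWARNING="2"
-+_SHELL=""
-+
-+### Helper functions ###
-+
-+# Delete an ldap user if it exists
-+# and exit with error
-+# Input : username ($1), exit msg ($2)
-+# Output : none
-+LdapRollback() {
-+ ldapdeleteuser "$1"
-+ end_die "$2"
-+}
-+
-+# Add an ldap user and exit on failure
-+# Input : username ($1)
-+# Output : none
-+LdapAddUser() {
-+ ldapadduser "$1" users
-+ [ $? -eq 0 ] || end_die "Critical setup error: cannot add user"
-+}
-+
-+# Replace Login Shell and call Rollback on failure
-+# Input : username ($1), shell to set ($2)
-+# Output : none
-+LdapAddLoginShell () {
-+ if [ -z "$2" ]; then
-+ # Ask the user for the login shell
-+ echo "Select Login Shell option # [2]:
-+1) Bash
-+2) Lshell"
-+ read opn
-+ case $opn in
-+ 1) _SHELL="/bin/sh";;
-+ 2) _SHELL="$_DEFAULTLSHELL";;
-+ *)
-+ [ ! -z "$opn" ] && echo "Invalid option. Selecting Lshell"
-+ _SHELL="$_DEFAULTLSHELL"
-+ ;;
-+ esac
-+ else
-+ shellopn=${$2,,}
-+ case $shellopn in
-+ "bash") _SHELL="/bin/sh";;
-+ "lshell") _SHELL="$_DEFAULTLSHELL";;
-+ *)
-+ echo "Invalid option($2). Selecting Lshell"; _SHELL="$_DEFAULTLSHELL"
-+ ;;
-+ esac
-+ fi
-+ # Replace the login shell
-+ ldapmodifyuser $1 replace loginShell $_SHELL &> /dev/null
-+ [ $? -eq 0 ] || LdapRollback $1 "Critical setup error: cannot set login shell"
-+}
-+
-+# Add user to sudoer list
-+# Input : username ($1)
-+# Output : true or false
-+LdapAddSudo() {
-+ ldapaddsudo "$1" 2> /dev/null
-+ [ $? -eq 0 ] || \
-+ echo_log "Non critical setup error: cannot add to sudoer list"
-+}
-+
-+# Add user to a secondary user group
-+# Input : username ($1), user group ($2)
-+# Output : true or false
-+LdapSecondaryGroup () {
-+ _newGrp="$2"
-+ [ -z "$2" ] && _newGrp=$_DEFAULTGRP2
-+
-+ ldapaddusertogroup $1 $_newGrp
-+ [ $? -eq 0 ] || \
-+ echo_log "Non critical setup error: cannot add $1 to $_newGrp"
-+}
-+
-+# Update shadowMax for user
-+# Input : username ($1), shadow Max value ($2)
-+# Output : none
-+LdapUpdateShadowMax () {
-+ _newShadow="$2"
-+ ! [[ "$2" =~ ^[0-9]+$ ]] || [ -z "$2" ] \
-+ && _newShadow=$_DEFAULTSHADOWMAX
-+
-+ ldapmodifyuser $1 replace shadowMax $_newShadow
-+ echo "Updating password expiry to $_newShadow days"
-+}
-+
-+# Update shadowWarning for user
-+# Input : username ($1), shadow Warning value ($2)
-+# Output : none
-+LdapUpdateShadowWarning () {
-+ _newWarning="$2"
-+ ! [[ "$2" =~ ^[0-9]+$ ]] || [ -z "$2" ] \
-+ && _newWarning=$_DEFAULTSHADOWWARNING
-+
-+ ldapmodifyuser $1 replace shadowWarning $_newWarning
-+ echo "Updating password expiry to $_newWarning days"
-+}
-+
-+
-+# Since this setup script is meant to be a
-+# wrapper on top of existing ldap scripts,
-+# it share invoke those... we could have achieved
-+# loose coupling by not relying on helpers but
-+# at the expense of massively redundant code
-+# duplication.
-+declare -a helper_scripts=("ldapadduser" "ldapaddsudo" "ldapmodifyuser" "ldapaddusertogroup" "$_DEFAULTLSHELL")
-+
-+# Do some quick sanity tests to make sure
-+# helper scripts are present
-+for src in "${helper_scripts[@]}"; do
-+ if ! type "$src" &>/dev/null; then
-+ end_die "Cannot locate $src. Update your PATH variable"
-+ fi
-+done
-+
-+if [ "$#" -eq 0 ]; then
-+ # This setup collects all attributes
-+ # interactively during runtime
-+ echo -n "Enter username to add to LDAP: "
-+ read _username
-+ LdapAddUser "$_username"
-+
-+ # Replace the login shell. We will prompt the user for this
-+ LdapAddLoginShell "$_username"
-+
-+ # If login shell is NOT the default limited shell then
-+ # prompt for sudo permissions
-+ if [ "$_SHELL" != "$_DEFAULTLSHELL" ]; then
-+ # Should sudo be activated for this user
-+ echo -n "Add $_username to sudoer list? (yes/NO): "
-+ read CONFIRM
-+ CONFIRM=${CONFIRM,,}
-+
-+ if is_yes $CONFIRM
-+ then
-+ LdapAddSudo "$_username"
-+ fi
-+ fi
-+
-+ # Add to secondary user group
-+ echo -n "Add $_username to secondary user group? (yes/NO): "
-+ read CONFIRM
-+ CONFIRM=${CONFIRM,,}
-+ if is_yes $CONFIRM
-+ then
-+ echo -n "Secondary group to add user to? [$_DEFAULTGRP2]: "
-+ read _grp2
-+ LdapSecondaryGroup $_username $_grp2
-+ fi
-+
-+ # Set password expiry
-+ echo -n "Enter days after which user password must \
-+be changed [$_DEFAULTSHADOWMAX]: "
-+ read _shadowMax
-+ LdapUpdateShadowMax $_username $_shadowMax
-+
-+ # Set password warning
-+ echo -n "Enter days before password is to expire that \
-+user is warned [$_DEFAULTSHADOWWARNING]: "
-+ read _shadowWarning
-+ LdapUpdateShadowWarning $_username $_shadowWarning
-+
-+else
-+ # we have to read command line option
-+ while [[ $# > 1 ]]
-+ do
-+ key="$1"
-+
-+ case $key in
-+ -u|--user) # compulsory
-+ _username="$2"
-+ shift
-+ ;;
-+ --sudo) # optional
-+ _sudo="yes"
-+ ;;
-+ --shell) # optional
-+ _loginshell="$2"
-+ shift
-+ ;;
-+ --passmax) # optional
-+ _shadowMax="$2"
-+ shift
-+ ;;
-+ --passwarning) # optional
-+ _shadowWarning="$2"
-+ shift
-+ ;;
-+ --secondgroup) # optional
-+ _grpConfirm="1"
-+ _grp2="$2"
-+ shift
-+ ;;
-+ *)
-+
-+ ;;
-+ esac
-+ shift
-+ done
-+
-+ # Add LDAP user
-+ [ -z "$_username" ] && end_die "No username argument specified"
-+ LdapAddUser $_username
-+
-+ # Change Login Shell
-+ LdapAddLoginShell $_username "$_loginshell"
-+
-+ # Add sudo if required
-+ if is_yes $_sudo
-+ then
-+ LdapAddSudo "$_username"
-+ fi
-+
-+ # Add secondary group if required
-+ [ -z "$_grpConfirm" ] || LdapSecondaryGroup $_username $_grp2
-+
-+ # Password modifications
-+ LdapUpdateShadowMax $_username $_shadowMax
-+ LdapUpdateShadowWarning $_username $_shadowWarning
-+fi
---- a/Makefile
-+++ b/Makefile
-@@ -41,12 +41,13 @@ SBINFILES = ldapdeletemachine ldapmodify
- ldapdeleteuser ldapsetprimarygroup ldapfinger ldapid ldapgid ldapmodifymachine \
- ldaprenamegroup ldapaddgroup ldapaddusertogroup ldapdeleteuserfromgroup \
- ldapinit ldapmodifyuser ldaprenamemachine ldapaddmachine ldapdeletegroup \
-- ldaprenameuser ldapmodifysudo ldapdeletesudo
-+ ldaprenameuser ldapmodifysudo ldapdeletesudo ldapusersetup
- MAN1FILES = ldapdeletemachine.1 ldapmodifymachine.1 ldaprenamemachine.1 ldapadduser.1 \
- ldapdeleteuserfromgroup.1 ldapfinger.1 ldapid.1 ldapgid.1 ldapmodifyuser.1 lsldap.1 \
- ldapaddusertogroup.1 ldaprenameuser.1 ldapinit.1 ldapsetpasswd.1 ldapaddgroup.1 \
- ldapdeletegroup.1 ldapsetprimarygroup.1 ldapmodifygroup.1 ldaprenamegroup.1 \
-- ldapaddmachine.1 ldapdeleteuser.1 ldapaddsudo.1 ldapmodifysudo.1 ldapdeletesudo.1
-+ ldapaddmachine.1 ldapdeleteuser.1 ldapaddsudo.1 ldapmodifysudo.1 \
-+ ldapdeletesudo.1 ldapusersetup.1
- MAN5FILES = ldapscripts.5
- TMPLFILES = ldapaddgroup.template.sample ldapaddmachine.template.sample \
- ldapadduser.template.sample
---- /dev/null
-+++ b/man/man1/ldapusersetup.1
-@@ -0,0 +1,61 @@
-+.\" Copyright (c) 2015 Wind River Systems, Inc.
-+.\"
-+.\" This program is free software; you can redistribute it and/or
-+.\" modify it under the terms of the GNU General Public License
-+.\" as published by the Free Software Foundation; either version 2
-+.\" of the License, or (at your option) any later version.
-+.\"
-+.\" This program is distributed in the hope that it will be useful,
-+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
-+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+.\" GNU General Public License for more details.
-+.\"
-+.\" You should have received a copy of the GNU General Public License
-+.\" along with this program; if not, write to the Free Software
-+.\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
-+.\" USA.
-+.\"
-+.\" Kam Nasim
-+.\" knasim@windriver.com
-+.\"
-+.TH ldapusersetup 1 "December 16, 2015"
-+
-+.SH NAME
-+ldapusersetup \- wizard for adding an LDAP user to CGCS.
-+
-+.SH SYNOPSIS
-+.B ldapusersetup
-+
-+.SH DESCRIPTION
-+ldapusersetup interactively walks through the process of creating an LDAP user
-+for access to CGCS services. The user is prompted for:
-+- username
-+- if a sudoEntry needs to be created
-+- if a secondary user group needs to be added
-+- user password expiry and warning configuration
-+Alternatively, the user may provide these parameters as command line actions.
-+Look at the OPTIONS section for more information.
-+
-+To delete the user and all its group associations, simply use ldapdeleteuser(1)
-+
-+.SH OPTIONS
-+.TP
-+.B [-u <username | uid> <field> <value>]
-+The name or uid of the user to modify.
-+The following fields are available as long format options:
-+--sudo : whether to add this user to sudoer list
-+--shell <bash | lshell> : which login shell to use (default is lshell)
-+--secondgroup <grp> : the secondary group to add this user to
-+--passmax <value> : the shadowMax value for this user
-+--passwarning <value> : the shadowWarning value for this user"
-+
-+.SH "SEE ALSO"
-+ldapdeleteuser(1), ldapaddgroup(1), ldapaddusertogroup(1), ldapmodifyuser(1), ldapscripts(5).
-+
-+.SH AVAILABILITY
-+The ldapscripts are provided under the GNU General Public License v2 (see COPYING for more details).
-+The latest version of the ldapscripts is available on :
-+.B http://contribs.martymac.org
-+
-+.SH BUGS
-+No bug known.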
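--- a/ldapscripts/files/ldapaddgroup.template.cgcs
+++ /dev/null
@@ -1,5 +0,0 @@
-dn: cn=<group>,<gsuffix>,<suffix>
-objectClass: posixGroup
-cn: <group>
-gidNumber: <gid>
-description: Group account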
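--- a/ldapscripts/files/ldapaddsudo.template.cgcs
+++ /dev/null
@@ -1,10 +0,0 @@
-dn: cn=<user>,ou=SUDOers,<suffix>
-objectClass: top
-objectClass: sudoRole
-cn: <user>
-sudoUser: <user>
-sudoHost: ALL
-sudoRunAsUser: ALL
-sudoCommand: ALL
-#sudoOrder: <default: 0, if multiple entries match, this entry with the highest sudoOrder is used>
-#sudoOption: <specify other sudo specific attributes here>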
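--- a/ldapscripts/files/ldapadduser.template.cgcs
+++ /dev/null
@@ -1,16 +0,0 @@
-dn: uid=<user>,<usuffix>,<suffix>
-objectClass: account
-objectClass: posixAccount
-objectClass: shadowAccount
-objectClass: top
-cn: <user>
-uid: <user>
-uidNumber: <uid>
-gidNumber: <gid>
-shadowMax: 99999
-shadowWarning: 7
-shadowLastChange: 0
-homeDirectory: <home>
-loginShell: <shell>
-gecos: <user>
-description: User account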
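--- a/ldapscripts/files/ldapmodsudo.template.cgcs
+++ /dev/null
@@ -1,4 +0,0 @@
-dn: cn=<user>,ou=SUDOers,<suffix>
-changeType: modify
-<action>: <field>
-<field>: <value>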
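--- a/ldapscripts/files/ldapmoduser.template.cgcs
+++ /dev/null
@@ -1,4 +0,0 @@
-dn: uid=<user>,<usuffix>,<suffix>
-changeType: modify
-<action>: <field>
-<field>: <value>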
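--- a/ldapscripts/files/ldapscripts.conf.cgcs
+++ /dev/null
@@ -1,152 +0,0 @@
-# Copyright (C) 2005 GanaŽl LAPLANCHE - Linagora
-# Copyright (C) 2006-2013 GanaŽl LAPLANCHE
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# as published by the Free Software Foundation; either version 2
-# of the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
-# USA.
-
-# LDAP server
-SERVER="ldap://controller"
-
-# Suffixes
-SUFFIX="dc=cgcs,dc=local" # Global suffix
-GSUFFIX="ou=Group" # Groups ou (just under $SUFFIX)
-USUFFIX="ou=People" # Users ou (just under $SUFFIX)
-MSUFFIX="ou=Machines" # Machines ou (just under $SUFFIX)
-
-# Authentication type
-# If empty, use simple authentication
-# Else, use the value as an SASL authentication mechanism
-SASLAUTH=""
-#SASLAUTH="GSSAPI"
-
-# Simple authentication parameters
-# The following BIND* parameters are ignored if SASLAUTH is set
-BINDDN="cn=ldapadmin,dc=cgcs,dc=local"
-# The following file contains the raw password of the BINDDN
-# Create it with something like : echo -n 'secret' > $BINDPWDFILE
-# WARNING !!!! Be careful not to make this file world-readable
-BINDPWDFILE="/usr/local/etc/ldapscripts/ldapscripts.passwd"
-# For older versions of OpenLDAP, it is still possible to use
-# unsecure command-line passwords by defining the following option
-# AND commenting the previous one (BINDPWDFILE takes precedence)
-#BINDPWD="secret"
-
-# Start with these IDs *if no entry found in LDAP*
-GIDSTART="10000" # Group ID
-UIDSTART="10000" # User ID
-MIDSTART="20000" # Machine ID
-
-# Group membership management
-# ObjectCLass used for groups
-# Possible values : posixGroup, groupOfNames, groupOfUniqueNames (case-sensitive !)
-# Warning : when using groupOf*, be sure to be compliant with RFC 2307bis (AUXILIARY posixGroup).
-# Also, do not mix posixGroup and groupOf* entries up in you directory as, within RFC 2307bis,
-# the former is a subset of the latter. The ldapscripts wouldn't cope well with this configuration.
-GCLASS="posixGroup" # Leave "posixGroup" here if not sure !
-# When using groupOfNames or groupOfUniqueNames, creating a group requires an initial
-# member. Specify it below, you will be able to remove it once groups are populated.
-#GDUMMYMEMBER="uid=dummy,$USUFFIX,$SUFFIX"
-
-# User properties
-USHELL="/bin/sh"
-UHOMES="/home/%u" # You may use %u for username here
-CREATEHOMES="no" # Create home directories and set rights ?
-HOMESKEL="/etc/skel" # Directory where the skeleton files are located. Ignored if undefined or nonexistant.
-HOMEPERMS="700" # Default permissions for home directories
-
-# User passwords generation
-# Command-line used to generate a password for added users.
-# You may use %u for username here ; special value "<ask>" will ask for a password interactively
-# WARNING !!!! This is evaluated, everything specified here will be run !
-# WARNING(2) !!!! Some systems (Linux) use a blocking /dev/random (waiting for enough entropy).
-# In this case, consider using /dev/urandom instead.
-#PASSWORDGEN="cat /dev/random | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8"
-#PASSWORDGEN="pwgen"
-#PASSWORDGEN="echo changeme"
-PASSWORDGEN="echo %u"
-#PASSWORDGEN="<ask>"
-
-# User passwords recording
-# you can keep trace of generated passwords setting PASSWORDFILE and RECORDPASSWORDS
-# (useful when performing a massive creation / net rpc vampire)
-# WARNING !!!! DO NOT FORGET TO DELETE THE GENERATED FILE WHEN DONE !
-# WARNING !!!! DO NOT FORGET TO TURN OFF RECORDING WHEN DONE !
-RECORDPASSWORDS="no"
-PASSWORDFILE="/var/log/ldapscripts_passwd.log"
-
-# Where to log
-LOGFILE="/var/log/ldapscripts.log"
-
-# Temporary folder
-TMPDIR="/tmp"
-
-# Various binaries used within the scripts
-# Warning : they also use uuencode, date, grep, sed, cut, which...
-# Please check they are installed before using these scripts
-# Note that many of them should come with your OS
-
-# OpenLDAP client commands
-LDAPSEARCHBIN="/usr/bin/ldapsearch"
-LDAPADDBIN="/usr/bin/ldapadd"
-LDAPDELETEBIN="/usr/bin/ldapdelete"
-LDAPMODIFYBIN="/usr/bin/ldapmodify"
-LDAPMODRDNBIN="/usr/bin/ldapmodrdn"
-LDAPPASSWDBIN="/usr/bin/ldappasswd"
-
-# OpenLDAP client common additional options
-# This allows for adding more configuration options to the OpenLDAP clients, e.g. '-ZZ' to enforce TLS
-#LDAPBINOPTS="-ZZ"
-
-# OpenLDAP ldapsearch-specific additional options
-# The following option disables long-line wrapping (which makes the scripts bug
-# when handling long lines). The option was introduced in OpenLDAP 2.4.24, so
-# comment it if you are using OpenLDAP < 2.4.24.
-LDAPSEARCHOPTS="-o ldif-wrap=no"
-# And here is an example to activate paged results
-#LDAPSEARCHOPTS="-E pr=500/noprompt"
-
-# Character set conversion : $ICONVCHAR <-> UTF-8
-# Comment ICONVBIN to disable UTF-8 conversion
-# ICONVBIN="/usr/bin/iconv"
-# ICONVCHAR=""
-
-# Base64 decoding
-# Comment UUDECODEBIN to disable Base64 decoding
-#UUDECODEBIN="/usr/bin/uudecode"
-
-# Getent command to use - choose the ones used
-# on your system. Leave blank or comment for auto-guess.
-# GNU/Linux
-GETENTPWCMD="getent passwd"
-GETENTGRCMD="getent group"
-# FreeBSD
-#GETENTPWCMD="pw usershow"
-#GETENTGRCMD="pw groupshow"
-# Auto
-#GETENTPWCMD=""
-#GETENTGRCMD=""
-
-# You can specify custom LDIF templates here
-# Leave empty to use default templates
-# See *.template.sample for default templates
-#GTEMPLATE="/path/to/ldapaddgroup.template"
-#UTEMPLATE="/path/to/ldapadduser.template"
-#MTEMPLATE="/path/to/ldapaddmachine.template"
-GTEMPLATE="/usr/local/etc/ldapscripts/ldapaddgroup.template.cgcs"
-UTEMPLATE="/usr/local/etc/ldapscripts/ldapadduser.template.cgcs"
-UMTEMPLATE="/usr/local/etc/ldapscripts/ldapmoduser.template.cgcs"
-STEMPLATE="/usr/local/etc/ldapscripts/ldapaddsudo.template.cgcs"
-SMTEMPLATE="/usr/local/etc/ldapscripts/ldapmodsudo.template.cgcs"
-MTEMPLATE=""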
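--- a/ldapscripts/files/ldapscripts.passwd
+++ /dev/null
@@ -1 +0,0 @@
-_LDAPADMIN_PW_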
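--- a/ldapscripts/files/log_timestamp.patch
+++ /dev/null
@@ -1,15 +0,0 @@
----
- lib/runtime | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/lib/runtime
-+++ b/lib/runtime
-@@ -863,7 +863,7 @@ fi
- # Log command
- if [ "$LOGTOFILE" = "yes" ]
- then
-- log_to_file "$(date '+%b %d %H:%M:%S') $(uname -n | sed 's|\..*$||') ldapscripts: $(basename "$0")($USER): $0 $*"
-+ log_to_file "$(date '+%FT%T') $(uname -n | sed 's|\..*$||') ldapscripts: $(basename "$0")($USER): $0 $*"
- fi
- if [ "$LOGTOSYSLOG" = "yes" ]
- then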
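--- a/ldapscripts/files/sudo-delete-support.patch
+++ /dev/null
@@ -1,352 +0,0 @@
----
- Makefile | 4 +--
- lib/runtime | 15 ++++++++++++
- man/man1/ldapaddsudo.1 | 54 +++++++++++++++++++++++++++++++++++++++++++
- man/man1/ldapdeletesudo.1 | 46 +++++++++++++++++++++++++++++++++++++
- man/man1/ldapdeleteuser.1 | 5 ++--
- man/man1/ldapmodifysudo.1 | 57 ++++++++++++++++++++++++++++++++++++++++++++++
- man/man1/ldapmodifyuser.1 | 15 ++++++++---
- sbin/ldapdeletesudo | 38 ++++++++++++++++++++++++++++++
- sbin/ldapdeleteuser | 5 ++++
- sbin/ldapmodifysudo | 2 -
- 10 files changed, 232 insertions(+), 9 deletions(-)
-
---- a/sbin/ldapdeleteuser
-+++ b/sbin/ldapdeleteuser
-@@ -46,6 +46,11 @@ _UDN="$_ENTRY"
- # Delete entry
- _ldapdelete "$_UDN" || end_die "Error deleting user $_UDN from LDAP"
-
-+
-+# Optionally, delete the sudoer entry if it exists
-+_ldapdeletesudo $1
-+[ $? -eq 2 ] && end_die "Found sudoEntry for user $_UDN but unable to delete"
-+
- # Finally, delete this user from all his secondary groups
- case $GCLASS in
- posixGroup)
---- a/sbin/ldapmodifysudo
-+++ b/sbin/ldapmodifysudo
-@@ -1,6 +1,6 @@
- #!/bin/sh
-
-- # ldapmodifyuser : modifies a sudo entry in an LDAP directory
-+# ldapmodifysudo : modifies a sudo entry in an LDAP directory
-
- # Copyright (C) 2007-2013 GanaŽl LAPLANCHE
- # Copyright (C) 2014 Stephen Crooks
---- /dev/null
-+++ b/sbin/ldapdeletesudo
-@@ -0,0 +1,38 @@
-+#!/bin/sh
-+
-+# ldapdeletesudo : deletes a sudoRole from LDAP
-+
-+# Copyright (C) 2005 GanaŽl LAPLANCHE - Linagora
-+# Copyright (C) 2006-2013 GanaŽl LAPLANCHE
-+# Copyright (c) 2015 Wind River Systems, Inc.
-+#
-+# This program is free software; you can redistribute it and/or
-+# modify it under the terms of the GNU General Public License
-+# as published by the Free Software Foundation; either version 2
-+# of the License, or (at your option) any later version.
-+#
-+# This program is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+# GNU General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License
-+# along with this program; if not, write to the Free Software
-+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
-+# USA.
-+
-+if [ -z "$1" ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]
-+then
-+ echo "Usage : $0 <username>"
-+ exit 1
-+fi
-+
-+# Source runtime file
-+_RUNTIMEFILE="/usr/lib/ldapscripts/runtime"
-+. "$_RUNTIMEFILE"
-+
-+# Username = first argument
-+_ldapdeletesudo "$1"
-+[ $? -eq 0 ] || end_die "Unable to locate or delete sudoUser entry for $1"
-+
-+end_ok "Successfully deleted sudoUser entry for $1 from LDAP"
---- a/man/man1/ldapmodifyuser.1
-+++ b/man/man1/ldapmodifyuser.1
-@@ -1,4 +1,5 @@
- .\" Copyright (C) 2007-2017 GanaŽl LAPLANCHE
-+.\" Copyright (c) 2015 Wind River Systems, Inc.
- .\"
- .\" This program is free software; you can redistribute it and/or
- .\" modify it under the terms of the GNU General Public License
-@@ -19,14 +20,14 @@
- .\" ganael.laplanche@martymac.org
- .\" http://contribs.martymac.org
- .\"
--.TH ldapmodifyuser 1 "August 22, 2007"
-+.TH ldapmodifyuser 1 "December 8, 2015"
-
- .SH NAME
- ldapmodifyuser \- modifies a POSIX user account in LDAP interactively
-
- .SH SYNOPSIS
- .B ldapmodifyuser
--.RB <username | uid>
-+.RB <username | uid> [<add | replace | delete> <field> <value>]
-
- .SH DESCRIPTION
- ldapmodifyuser first looks for the right entry to modify. Once found, the entry is presented and you
-@@ -34,13 +35,18 @@ are prompted to enter LDIF data to modif
- The DN of the entry being modified is already specified : just begin with a changeType attribute or any
- other one(s) of your choice (in this case, the defaut changeType is 'modify').
-
-+Alternatively, if an optional "action" argument <add | replace | delete> is given, followed by a
-+field - value pair then user will not be interactively prompted.
-+
- .SH OPTIONS
- .TP
--.B <username | uid>
-+.B <username | uid> [<add | replace | delete> <field> <value>]
- The name or uid of the user to modify.
-+The optional "action" pertaining to this user entry.
-+The field - value pair on which the action needs to be undertaken.
-
- .SH "SEE ALSO"
--ldapmodifygroup(1), ldapmodifymachine(1), ldapscripts(5).
-+ldapmodifygroup(1), ldapmodifymachine(1), ldapmodifysudo(1), ldapscripts(5).
-
- .SH AVAILABILITY
- The ldapscripts are provided under the GNU General Public License v2 (see COPYING for more details).
---- a/man/man1/ldapdeleteuser.1
-+++ b/man/man1/ldapdeleteuser.1
-@@ -1,4 +1,5 @@
- .\" Copyright (C) 2006-2017 GanaŽl LAPLANCHE
-+.\" Copyright (c) 2015 Wind River Systems, Inc.
- .\"
- .\" This program is free software; you can redistribute it and/or
- .\" modify it under the terms of the GNU General Public License
-@@ -19,10 +20,10 @@
- .\" ganael.laplanche@martymac.org
- .\" http://contribs.martymac.org
- .\"
--.TH ldapdeleteuser 1 "January 1, 2006"
-+.TH ldapdeleteuser 1 "December 8, 2015"
-
- .SH NAME
--ldapdeleteuser \- deletes a POSIX user account from LDAP.
-+ldapdeleteuser \- deletes a POSIX user account, and its sudo entry, from LDAP.
-
- .SH SYNOPSIS
- .B ldapdeleteuser
---- /dev/null
-+++ b/man/man1/ldapaddsudo.1
-@@ -0,0 +1,54 @@
-+.\" Copyright (C) 2006-2013 GanaŽl LAPLANCHE
-+.\" Copyright (c) 2015 Wind River Systems, Inc.
-+.\"
-+.\" This program is free software; you can redistribute it and/or
-+.\" modify it under the terms of the GNU General Public License
-+.\" as published by the Free Software Foundation; either version 2
-+.\" of the License, or (at your option) any later version.
-+.\"
-+.\" This program is distributed in the hope that it will be useful,
-+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
-+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+.\" GNU General Public License for more details.
-+.\"
-+.\" You should have received a copy of the GNU General Public License
-+.\" along with this program; if not, write to the Free Software
-+.\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
-+.\" USA.
-+.\"
-+.\" Ganael Laplanche
-+.\" ganael.laplanche@martymac.org
-+.\" http://contribs.martymac.org
-+.\"
-+.TH ldapaddsudo 1 "December 8, 2015"
-+
-+.SH NAME
-+ldapaddsudo \- adds a POSIX user account to the sudoer list in LDAP.
-+
-+.SH SYNOPSIS
-+.B ldapaddsudo
-+.RB <username>
-+.RB <groupname | gid>
-+.RB [uid]
-+
-+.SH OPTIONS
-+.TP
-+.B <username>
-+The name of the user to add.
-+.TP
-+.B <groupname | gid>
-+The group name or the gid of the user to add.
-+.TP
-+.B [uid]
-+The uid of the user to add. Automatically computed if not specified.
-+
-+.SH "SEE ALSO"
-+ldapadduser(1), ldapaddgroup(1), ldapaddmachine(1), ldapscripts(5).
-+
-+.SH AVAILABILITY
-+The ldapscripts are provided under the GNU General Public License v2 (see COPYING for more details).
-+The latest version of the ldapscripts is available on :
-+.B http://contribs.martymac.org
-+
-+.SH BUGS
-+No bug known.
---- /dev/null
-+++ b/man/man1/ldapmodifysudo.1
-@@ -0,0 +1,57 @@
-+.\" Copyright (C) 2007-2013 GanaŽl LAPLANCHE
-+.\" Copyright (c) 2015 Wind River Systems, Inc.
-+.\"
-+.\" This program is free software; you can redistribute it and/or
-+.\" modify it under the terms of the GNU General Public License
-+.\" as published by the Free Software Foundation; either version 2
-+.\" of the License, or (at your option) any later version.
-+.\"
-+.\" This program is distributed in the hope that it will be useful,
-+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
-+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+.\" GNU General Public License for more details.
-+.\"
-+.\" You should have received a copy of the GNU General Public License
-+.\" along with this program; if not, write to the Free Software
-+.\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
-+.\" USA.
-+.\"
-+.\" Ganael Laplanche
-+.\" ganael.laplanche@martymac.org
-+.\" http://contribs.martymac.org
-+.\"
-+.TH ldapmodifysudo 1 "December 8, 2015"
-+
-+.SH NAME
-+ldapmodifysudo \- modifies the sudo entry of a POSIX user account in LDAP interactively
-+
-+.SH SYNOPSIS
-+.B ldapmodifysudo
-+.RB <username | uid> [<add | replace | delete> <field> <value>]
-+
-+.SH DESCRIPTION
-+ldapmodifysudo first looks for the right entry to modify. Once found, the entry is presented and you
-+are prompted to enter LDIF data to modify it as you would do using a standard LDIF file and ldapmodify(1).
-+The DN of the entry being modified is already specified : just begin with a changeType attribute or any
-+other one(s) of your choice (in this case, the defaut changeType is 'modify').
-+
-+Alternatively, if an optional "action" argument <add | replace | delete> is given, followed by a
-+field - value pair then user will not be interactively prompted.
-+
-+.SH OPTIONS
-+.TP
-+.B <username | uid> [<add | replace | delete> <field> <value>]
-+The name or uid of the user to modify.
-+The optional "action" pertaining to this user entry.
-+The field - value pair on which the action needs to be undertaken.
-+
-+.SH "SEE ALSO"
-+ldapmodifygroup(1), ldapmodifymachine(1), ldapmodifyuser(1), ldapscripts(5).
-+
-+.SH AVAILABILITY
-+The ldapscripts are provided under the GNU General Public License v2 (see COPYING for more details).
-+The latest version of the ldapscripts is available on :
-+.B http://contribs.martymac.org
-+
-+.SH BUGS
-+No bug known.
---- /dev/null
-+++ b/man/man1/ldapdeletesudo.1
-@@ -0,0 +1,46 @@
-+.\" Copyright (C) 2006-2013 GanaŽl LAPLANCHE
-+.\" Copyright (c) 2015 Wind River Systems, Inc.
-+.\"
-+.\" This program is free software; you can redistribute it and/or
-+.\" modify it under the terms of the GNU General Public License
-+.\" as published by the Free Software Foundation; either version 2
-+.\" of the License, or (at your option) any later version.
-+.\"
-+.\" This program is distributed in the hope that it will be useful,
-+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
-+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+.\" GNU General Public License for more details.
-+.\"
-+.\" You should have received a copy of the GNU General Public License
-+.\" along with this program; if not, write to the Free Software
-+.\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
-+.\" USA.
-+.\"
-+.\" Ganael Laplanche
-+.\" ganael.laplanche@martymac.org
-+.\" http://contribs.martymac.org
-+.\"
-+.TH ldapdeletesudo 1 "December 8, 2015"
-+
-+.SH NAME
-+ldapdeletesudo \- deletes a sudo entry, for a POSIX user account, in LDAP
-+
-+.SH SYNOPSIS
-+.B ldapdeletesudo
-+.RB <username | uid>
-+
-+.SH OPTIONS
-+.TP
-+.B <username | uid>
-+The name or uid of the user to delete.
-+
-+.SH "SEE ALSO"
-+ldapdeletegroup(1), ldapdeletemachine(1), ldapdeleteuser(1), ldapscripts(5).
-+
-+.SH AVAILABILITY
-+The ldapscripts are provided under the GNU General Public License v2 (see COPYING for more details).
-+The latest version of the ldapscripts is available on :
-+.B http://contribs.martymac.org
-+
-+.SH BUGS
-+No bug known.
---- a/Makefile
-+++ b/Makefile
-@@ -41,12 +41,12 @@ SBINFILES = ldapdeletemachine ldapmodifygroup ldapsetpasswd lsldap ldapadduser |
- ldapdeleteuser ldapsetprimarygroup ldapfinger ldapid ldapgid ldapmodifymachine \
- ldaprenamegroup ldapaddgroup ldapaddusertogroup ldapdeleteuserfromgroup \
- ldapinit ldapmodifyuser ldaprenamemachine ldapaddmachine ldapdeletegroup \
-- ldaprenameuser ldapmodifysudo
-+ ldaprenameuser ldapmodifysudo ldapdeletesudo
- MAN1FILES = ldapdeletemachine.1 ldapmodifymachine.1 ldaprenamemachine.1 ldapadduser.1 \
- ldapdeleteuserfromgroup.1 ldapfinger.1 ldapid.1 ldapgid.1 ldapmodifyuser.1 lsldap.1 \
- ldapaddusertogroup.1 ldaprenameuser.1 ldapinit.1 ldapsetpasswd.1 ldapaddgroup.1 \
- ldapdeletegroup.1 ldapsetprimarygroup.1 ldapmodifygroup.1 ldaprenamegroup.1 \
-- ldapaddmachine.1 ldapdeleteuser.1
-+ ldapaddmachine.1 ldapdeleteuser.1 ldapaddsudo.1 ldapmodifysudo.1 ldapdeletesudo.1
- MAN5FILES = ldapscripts.5
- TMPLFILES = ldapaddgroup.template.sample ldapaddmachine.template.sample \
- ldapadduser.template.sample
---- a/lib/runtime
-+++ b/lib/runtime
-@@ -294,6 +294,21 @@ _ldapdelete () {
- fi
- }
-
-+# Deletes a sudoUser entry in the LDAP directory
-+# Input : POSIX username whose sudo entry to delete ($1)
-+# Output: 0 on successful delete
-+# 1 on being unable to find sudoUser
-+# 2 on being unable to delete found sudoUser entry
-+_ldapdeletesudo () {
-+ [ -z "$1" ] && end_die "_ldapdeletesudo : missing argument"
-+ # Find the entry
-+ _findentry "$SUFFIX" "(&(objectClass=sudoRole)(|(cn=$1)(sudoUser=$1)))"
-+ [ -z "$_ENTRY" ] && return 1
-+
-+ # Now delete that entry
-+ _ldapdelete "$_ENTRY" || return 2
-+}
-+
- # Extracts LDIF information from $0 (the current script itself)
- # selecting lines beginning with $1 occurrences of '#'
- # Input : depth ($1)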
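--- a/ldapscripts/files/sudo-support.patch
+++ /dev/null
@@ -1,289 +0,0 @@
-Index: ldapscripts-2.0.8/sbin/ldapaddsudo
-===================================================================
---- /dev/null
-+++ ldapscripts-2.0.8/sbin/ldapaddsudo
-@@ -0,0 +1,63 @@
-+#!/bin/sh
-+
-+# ldapaddsudo : adds a sudoRole to LDAP
-+
-+# Copyright (C) 2005 GanaŽl LAPLANCHE - Linagora
-+# Copyright (C) 2006-2013 GanaŽl LAPLANCHE
-+# Copyright (c) 2014 Wind River Systems, Inc.
-+#
-+# This program is free software; you can redistribute it and/or
-+# modify it under the terms of the GNU General Public License
-+# as published by the Free Software Foundation; either version 2
-+# of the License, or (at your option) any later version.
-+#
-+# This program is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+# GNU General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License
-+# along with this program; if not, write to the Free Software
-+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
-+# USA.
-+
-+if [ -z "$1" ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]
-+then
-+ echo "Usage : $0 <username>"
-+ exit 1
-+fi
-+
-+# Source runtime file
-+_RUNTIMEFILE="/usr/lib/ldapscripts/runtime"
-+. "$_RUNTIMEFILE"
-+
-+# Username = first argument
-+_USER="$1"
-+
-+# Use template if necessary
-+if [ -n "$STEMPLATE" ] && [ -r "$STEMPLATE" ]
-+then
-+ _getldif="cat $STEMPLATE"
-+else
-+ _getldif="_extractldif 2"
-+fi
-+
-+# Add sudo entry to LDAP
-+$_getldif | _filterldif | _askattrs | _utf8encode | _ldapadd
-+
-+[ $? -eq 0 ] || end_die "Error adding user $_USER to LDAP"
-+echo_log "Successfully added sudo access for user $_USER to LDAP"
-+
-+end_ok
-+
-+# Ldif template ##################################
-+##dn: cn=<user>,ou=SUDOers,<usuffix>,<suffix>
-+##objectClass: top
-+##objectClass: sudoRole
-+##cn: <user>
-+##sudoUser: <user>
-+##sudoHost: ALL
-+##sudoRunAsUser: ALL
-+##sudoCommand: ALL
-+###sudoOrder: <default: 0, if multiple entries match, this entry with the highest sudoOrder is used>
-+###sudoOption: <specify other sudo specific attributes here>
-Index: ldapscripts-2.0.8/sbin/ldapmodifyuser
-===================================================================
---- ldapscripts-2.0.8.orig/sbin/ldapmodifyuser
-+++ ldapscripts-2.0.8/sbin/ldapmodifyuser
-@@ -19,9 +19,11 @@
- # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
- # USA.
-
--if [ -z "$1" ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]
-+if [ "$1" = "-h" ] || [ "$1" = "--help" ] || \
-+ [[ "$2" != "add" && "$2" != "replace" && "$2" != "delete" ]] || \
-+ [ "$#" -ne 4 ]
- then
-- echo "Usage : $0 <username | uid>"
-+ echo "Usage : $0 <username | uid> [<add | replace | delete> <field> <value>]"
- exit 1
- fi
-
-@@ -33,21 +35,48 @@ _RUNTIMEFILE="/usr/lib/ldapscripts/runti
- _findentry "$USUFFIX,$SUFFIX" "(&(objectClass=posixAccount)(|(uid=$1)(uidNumber=$1)))"
- [ -z "$_ENTRY" ] && end_die "User $1 not found in LDAP"
-
--# Allocate and create temp file
--mktempf
--echo "dn: $_ENTRY" > "$_TMPFILE" || end_die "Error writing to temporary file $_TMPFILE"
--
--# Display entry
--echo "# About to modify the following entry :"
--_ldapsearch "$_ENTRY"
--
--# Edit entry
--echo "# Enter your modifications here, end with CTRL-D."
--echo "dn: $_ENTRY"
--cat >> "$_TMPFILE" || end_die "Error writing to temporary file $_TMPFILE"
-+# Username = first argument
-+_USER="$1"
-+
-+if [ "$#" -eq 1 ]
-+then
-+ # Allocate and create temp file
-+ mktempf
-+ echo "dn: $_ENTRY" > "$_TMPFILE" || end_die "Error writing to temporary file $_TMPFILE"
-+
-+ # Display entry
-+ echo "# About to modify the following entry :"
-+ _ldapsearch "$_ENTRY"
-+
-+ # Edit entry
-+ echo "# Enter your modifications here, end with CTRL-D."
-+ echo "dn: $_ENTRY"
-+ cat >> "$_TMPFILE" || end_die "Error writing to temporary file $_TMPFILE"
-+
-+ # Send modifications
-+ cat "$_TMPFILE" | _utf8encode | _ldapmodify
-+else
-+ # Action = second argument
-+ _ACTION="$2"
-+
-+ # Field = third argument
-+ _FIELD="$3"
-+
-+ # Value = fourth argument
-+ _VALUE="$4"
-+
-+ # Use template if necessary
-+ if [ -n "$UMTEMPLATE" ] && [ -r "$UMTEMPLATE" ]
-+ then
-+ _getldif="cat $UMTEMPLATE"
-+ else
-+ _getldif="_extractldif 2"
-+ fi
-+
-+ # Modify user in LDAP
-+ $_getldif | _filterldif | _utf8encode | _ldapmodify
-+fi
-
--# Send modifications
--cat "$_TMPFILE" | _utf8encode | _ldapmodify
- if [ $? -ne 0 ]
- then
- reltempf
-@@ -55,3 +84,9 @@ then
- fi
- reltempf
- end_ok "Successfully modified user entry $_ENTRY in LDAP"
-+
-+# Ldif template ##################################
-+##dn: uid=<user>,<usuffix>,<suffix>
-+##changeType: modify
-+##<action>: <field>
-+##<field>: <value>
-Index: ldapscripts-2.0.8/lib/runtime
-===================================================================
---- ldapscripts-2.0.8.orig/lib/runtime
-+++ ldapscripts-2.0.8/lib/runtime
-@@ -344,6 +344,9 @@ s|<msuffix>|$MSUFFIX|g
- s|<_msuffix>|$_MSUFFIX|g
- s|<gsuffix>|$GSUFFIX|g
- s|<_gsuffix>|$_GSUFFIX|g
-+s|<action>|$_ACTION|g
-+s|<field>|$_FIELD|g
-+s|<value>|$_VALUE|g
- EOF
-
- # Use it
-Index: ldapscripts-2.0.8/Makefile
-===================================================================
---- ldapscripts-2.0.8.orig/Makefile
-+++ ldapscripts-2.0.8/Makefile
-@@ -37,11 +37,11 @@ LIBDIR = $(PREFIX)/lib/$(NAME)
- RUNFILE = runtime
- ETCFILE = ldapscripts.conf
- PWDFILE = ldapscripts.passwd
--SBINFILES = ldapdeletemachine ldapmodifygroup ldapsetpasswd lsldap ldapadduser \
-+SBINFILES = ldapdeletemachine ldapmodifygroup ldapsetpasswd lsldap ldapadduser ldapaddsudo \
- ldapdeleteuser ldapsetprimarygroup ldapfinger ldapid ldapgid ldapmodifymachine \
- ldaprenamegroup ldapaddgroup ldapaddusertogroup ldapdeleteuserfromgroup \
- ldapinit ldapmodifyuser ldaprenamemachine ldapaddmachine ldapdeletegroup \
-- ldaprenameuser
-+ ldaprenameuser ldapmodifysudo
- MAN1FILES = ldapdeletemachine.1 ldapmodifymachine.1 ldaprenamemachine.1 ldapadduser.1 \
- ldapdeleteuserfromgroup.1 ldapfinger.1 ldapid.1 ldapgid.1 ldapmodifyuser.1 lsldap.1 \
- ldapaddusertogroup.1 ldaprenameuser.1 ldapinit.1 ldapsetpasswd.1 ldapaddgroup.1 \
-Index: ldapscripts-2.0.8/sbin/ldapmodifysudo
-===================================================================
---- /dev/null
-+++ ldapscripts-2.0.8/sbin/ldapmodifysudo
-@@ -0,0 +1,93 @@
-+#!/bin/sh
-+
-+# ldapmodifyuser : modifies a sudo entry in an LDAP directory
-+
-+# Copyright (C) 2007-2013 GanaŽl LAPLANCHE
-+# Copyright (C) 2014 Stephen Crooks
-+#
-+# This program is free software; you can redistribute it and/or
-+# modify it under the terms of the GNU General Public License
-+# as published by the Free Software Foundation; either version 2
-+# of the License, or (at your option) any later version.
-+#
-+# This program is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+# GNU General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License
-+# along with this program; if not, write to the Free Software
-+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
-+# USA.
-+
-+if [ "$1" = "-h" ] || [ "$1" = "--help" ] || \
-+ [[ "$2" != "add" && "$2" != "replace" && "$2" != "delete" ]] || \
-+ [ "$#" -ne 4 ]
-+then
-+ echo "Usage : $0 <username | uid> [<add | replace | delete> <field> <value>]"
-+ exit 1
-+fi
-+
-+# Source runtime file
-+_RUNTIMEFILE="/usr/lib/ldapscripts/runtime"
-+. "$_RUNTIMEFILE"
-+
-+# Find username : $1 must exist in LDAP !
-+_findentry "$SUFFIX" "(&(objectClass=sudoRole)(|(cn=$1)(sudoUser=$1)))"
-+[ -z "$_ENTRY" ] && end_die "Sudo user $1 not found in LDAP"
-+
-+# Username = first argument
-+_USER="$1"
-+
-+if [ "$#" -eq 1 ]
-+then
-+ # Allocate and create temp file
-+ mktempf
-+ echo "dn: $_ENTRY" > "$_TMPFILE" || end_die "Error writing to temporary file $_TMPFILE"
-+
-+ # Display entry
-+ echo "# About to modify the following entry :"
-+ _ldapsearch "$_ENTRY"
-+
-+ # Edit entry
-+ echo "# Enter your modifications here, end with CTRL-D."
-+ echo "dn: $_ENTRY"
-+ cat >> "$_TMPFILE" || end_die "Error writing to temporary file $_TMPFILE"
-+
-+ # Send modifications
-+ cat "$_TMPFILE" | _utf8encode | _ldapmodify
-+else
-+ # Action = second argument
-+ _ACTION="$2"
-+
-+ # Field = third argument
-+ _FIELD="$3"
-+
-+ # Value = fourth argument
-+ _VALUE="$4"
-+
-+ # Use template if necessary
-+ if [ -n "$SMTEMPLATE" ] && [ -r "$SMTEMPLATE" ]
-+ then
-+ _getldif="cat $SMTEMPLATE"
-+ else
-+ _getldif="_extractldif 2"
-+ fi
-+
-+ # Modify user in LDAP
-+ $_getldif | _filterldif | _utf8encode | _ldapmodify
-+fi
-+
-+if [ $? -ne 0 ]
-+then
-+ reltempf
-+ end_die "Error modifying sudo entry $_ENTRY in LDAP"
-+fi
-+reltempf
-+end_ok "Successfully modified sudo entry $_ENTRY in LDAP"
-+
-+# Ldif template ##################################
-+##dn: cn=<user>,ou=SUDOers,<suffix>
-+##changeType: modify
-+##<action>: <field>
-+##<field>: <value>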