--- Makefile | 4 +-- lib/runtime | 15 ++++++++++++ man/man1/ldapaddsudo.1 | 54 +++++++++++++++++++++++++++++++++++++++++++ man/man1/ldapdeletesudo.1 | 46 +++++++++++++++++++++++++++++++++++++ man/man1/ldapdeleteuser.1 | 5 ++-- man/man1/ldapmodifysudo.1 | 57 ++++++++++++++++++++++++++++++++++++++++++++++ man/man1/ldapmodifyuser.1 | 15 ++++++++--- sbin/ldapdeletesudo | 38 ++++++++++++++++++++++++++++++ sbin/ldapdeleteuser | 5 ++++ sbin/ldapmodifysudo | 2 - 10 files changed, 232 insertions(+), 9 deletions(-) --- a/sbin/ldapdeleteuser +++ b/sbin/ldapdeleteuser @@ -46,6 +46,11 @@ _UDN="$_ENTRY" # Delete entry _ldapdelete "$_UDN" || end_die "Error deleting user $_UDN from LDAP" + +# Optionally, delete the sudoer entry if it exists +_ldapdeletesudo $1 +[ $? -eq 2 ] && end_die "Found sudoEntry for user $_UDN but unable to delete" + # Finally, delete this user from all his secondary groups case $GCLASS in posixGroup) --- a/sbin/ldapmodifysudo +++ b/sbin/ldapmodifysudo @@ -1,6 +1,6 @@ #!/bin/sh -# ldapmodifyuser : modifies a sudo entry in an LDAP directory +# ldapmodifysudo : modifies a sudo entry in an LDAP directory # Copyright (C) 2007-2013 Ganaël LAPLANCHE # Copyright (C) 2014 Stephen Crooks --- /dev/null +++ b/sbin/ldapdeletesudo @@ -0,0 +1,38 @@ +#!/bin/sh + +# ldapdeletesudo : deletes a sudoRole from LDAP + +# Copyright (C) 2005 Ganaël LAPLANCHE - Linagora +# Copyright (C) 2006-2013 Ganaël LAPLANCHE +# Copyright (c) 2015 Wind River Systems, Inc. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, +# USA. + +if [ -z "$1" ] || [ "$1" = "-h" ] || [ "$1" = "--help" ] +then + echo "Usage : $0 " + exit 1 +fi + +# Source runtime file +_RUNTIMEFILE="/usr/lib/ldapscripts/runtime" +. "$_RUNTIMEFILE" + +# Username = first argument +_ldapdeletesudo "$1" +[ $? -eq 0 ] || end_die "Unable to locate or delete sudoUser entry for $1" + +end_ok "Successfully deleted sudoUser entry for $1 from LDAP" --- a/man/man1/ldapmodifyuser.1 +++ b/man/man1/ldapmodifyuser.1 @@ -1,4 +1,5 @@ .\" Copyright (C) 2007-2017 Ganaël LAPLANCHE +.\" Copyright (c) 2015 Wind River Systems, Inc. .\" .\" This program is free software; you can redistribute it and/or .\" modify it under the terms of the GNU General Public License @@ -19,14 +20,14 @@ .\" ganael.laplanche@martymac.org .\" http://contribs.martymac.org .\" -.TH ldapmodifyuser 1 "August 22, 2007" +.TH ldapmodifyuser 1 "December 8, 2015" .SH NAME ldapmodifyuser \- modifies a POSIX user account in LDAP interactively .SH SYNOPSIS .B ldapmodifyuser -.RB +.RB [ ] .SH DESCRIPTION ldapmodifyuser first looks for the right entry to modify. Once found, the entry is presented and you @@ -34,13 +35,18 @@ are prompted to enter LDIF data to modif The DN of the entry being modified is already specified : just begin with a changeType attribute or any other one(s) of your choice (in this case, the defaut changeType is 'modify'). +Alternatively, if an optional "action" argument is given, followed by a +field - value pair then user will not be interactively prompted. + .SH OPTIONS .TP -.B +.B [ ] The name or uid of the user to modify. +The optional "action" pertaining to this user entry. +The field - value pair on which the action needs to be undertaken. .SH "SEE ALSO" -ldapmodifygroup(1), ldapmodifymachine(1), ldapscripts(5). +ldapmodifygroup(1), ldapmodifymachine(1), ldapmodifysudo(1), ldapscripts(5). .SH AVAILABILITY The ldapscripts are provided under the GNU General Public License v2 (see COPYING for more details). --- a/man/man1/ldapdeleteuser.1 +++ b/man/man1/ldapdeleteuser.1 @@ -1,4 +1,5 @@ .\" Copyright (C) 2006-2017 Ganaël LAPLANCHE +.\" Copyright (c) 2015 Wind River Systems, Inc. .\" .\" This program is free software; you can redistribute it and/or .\" modify it under the terms of the GNU General Public License @@ -19,10 +20,10 @@ .\" ganael.laplanche@martymac.org .\" http://contribs.martymac.org .\" -.TH ldapdeleteuser 1 "January 1, 2006" +.TH ldapdeleteuser 1 "December 8, 2015" .SH NAME -ldapdeleteuser \- deletes a POSIX user account from LDAP. +ldapdeleteuser \- deletes a POSIX user account, and its sudo entry, from LDAP. .SH SYNOPSIS .B ldapdeleteuser --- /dev/null +++ b/man/man1/ldapaddsudo.1 @@ -0,0 +1,54 @@ +.\" Copyright (C) 2006-2013 Ganaël LAPLANCHE +.\" Copyright (c) 2015 Wind River Systems, Inc. +.\" +.\" This program is free software; you can redistribute it and/or +.\" modify it under the terms of the GNU General Public License +.\" as published by the Free Software Foundation; either version 2 +.\" of the License, or (at your option) any later version. +.\" +.\" This program is distributed in the hope that it will be useful, +.\" but WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +.\" GNU General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public License +.\" along with this program; if not, write to the Free Software +.\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, +.\" USA. +.\" +.\" Ganael Laplanche +.\" ganael.laplanche@martymac.org +.\" http://contribs.martymac.org +.\" +.TH ldapaddsudo 1 "December 8, 2015" + +.SH NAME +ldapaddsudo \- adds a POSIX user account to the sudoer list in LDAP. + +.SH SYNOPSIS +.B ldapaddsudo +.RB +.RB +.RB [uid] + +.SH OPTIONS +.TP +.B +The name of the user to add. +.TP +.B +The group name or the gid of the user to add. +.TP +.B [uid] +The uid of the user to add. Automatically computed if not specified. + +.SH "SEE ALSO" +ldapadduser(1), ldapaddgroup(1), ldapaddmachine(1), ldapscripts(5). + +.SH AVAILABILITY +The ldapscripts are provided under the GNU General Public License v2 (see COPYING for more details). +The latest version of the ldapscripts is available on : +.B http://contribs.martymac.org + +.SH BUGS +No bug known. --- /dev/null +++ b/man/man1/ldapmodifysudo.1 @@ -0,0 +1,57 @@ +.\" Copyright (C) 2007-2013 Ganaël LAPLANCHE +.\" Copyright (c) 2015 Wind River Systems, Inc. +.\" +.\" This program is free software; you can redistribute it and/or +.\" modify it under the terms of the GNU General Public License +.\" as published by the Free Software Foundation; either version 2 +.\" of the License, or (at your option) any later version. +.\" +.\" This program is distributed in the hope that it will be useful, +.\" but WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +.\" GNU General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public License +.\" along with this program; if not, write to the Free Software +.\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, +.\" USA. +.\" +.\" Ganael Laplanche +.\" ganael.laplanche@martymac.org +.\" http://contribs.martymac.org +.\" +.TH ldapmodifysudo 1 "December 8, 2015" + +.SH NAME +ldapmodifysudo \- modifies the sudo entry of a POSIX user account in LDAP interactively + +.SH SYNOPSIS +.B ldapmodifysudo +.RB [ ] + +.SH DESCRIPTION +ldapmodifysudo first looks for the right entry to modify. Once found, the entry is presented and you +are prompted to enter LDIF data to modify it as you would do using a standard LDIF file and ldapmodify(1). +The DN of the entry being modified is already specified : just begin with a changeType attribute or any +other one(s) of your choice (in this case, the defaut changeType is 'modify'). + +Alternatively, if an optional "action" argument is given, followed by a +field - value pair then user will not be interactively prompted. + +.SH OPTIONS +.TP +.B [ ] +The name or uid of the user to modify. +The optional "action" pertaining to this user entry. +The field - value pair on which the action needs to be undertaken. + +.SH "SEE ALSO" +ldapmodifygroup(1), ldapmodifymachine(1), ldapmodifyuser(1), ldapscripts(5). + +.SH AVAILABILITY +The ldapscripts are provided under the GNU General Public License v2 (see COPYING for more details). +The latest version of the ldapscripts is available on : +.B http://contribs.martymac.org + +.SH BUGS +No bug known. --- /dev/null +++ b/man/man1/ldapdeletesudo.1 @@ -0,0 +1,46 @@ +.\" Copyright (C) 2006-2013 Ganaël LAPLANCHE +.\" Copyright (c) 2015 Wind River Systems, Inc. +.\" +.\" This program is free software; you can redistribute it and/or +.\" modify it under the terms of the GNU General Public License +.\" as published by the Free Software Foundation; either version 2 +.\" of the License, or (at your option) any later version. +.\" +.\" This program is distributed in the hope that it will be useful, +.\" but WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +.\" GNU General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public License +.\" along with this program; if not, write to the Free Software +.\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, +.\" USA. +.\" +.\" Ganael Laplanche +.\" ganael.laplanche@martymac.org +.\" http://contribs.martymac.org +.\" +.TH ldapdeletesudo 1 "December 8, 2015" + +.SH NAME +ldapdeletesudo \- deletes a sudo entry, for a POSIX user account, in LDAP + +.SH SYNOPSIS +.B ldapdeletesudo +.RB + +.SH OPTIONS +.TP +.B +The name or uid of the user to delete. + +.SH "SEE ALSO" +ldapdeletegroup(1), ldapdeletemachine(1), ldapdeleteuser(1), ldapscripts(5). + +.SH AVAILABILITY +The ldapscripts are provided under the GNU General Public License v2 (see COPYING for more details). +The latest version of the ldapscripts is available on : +.B http://contribs.martymac.org + +.SH BUGS +No bug known. --- a/Makefile +++ b/Makefile @@ -41,12 +41,12 @@ SBINFILES = ldapdeletemachine ldapmodifygroup ldapsetpasswd lsldap ldapadduser | ldapdeleteuser ldapsetprimarygroup ldapfinger ldapid ldapgid ldapmodifymachine \ ldaprenamegroup ldapaddgroup ldapaddusertogroup ldapdeleteuserfromgroup \ ldapinit ldapmodifyuser ldaprenamemachine ldapaddmachine ldapdeletegroup \ - ldaprenameuser ldapmodifysudo + ldaprenameuser ldapmodifysudo ldapdeletesudo MAN1FILES = ldapdeletemachine.1 ldapmodifymachine.1 ldaprenamemachine.1 ldapadduser.1 \ ldapdeleteuserfromgroup.1 ldapfinger.1 ldapid.1 ldapgid.1 ldapmodifyuser.1 lsldap.1 \ ldapaddusertogroup.1 ldaprenameuser.1 ldapinit.1 ldapsetpasswd.1 ldapaddgroup.1 \ ldapdeletegroup.1 ldapsetprimarygroup.1 ldapmodifygroup.1 ldaprenamegroup.1 \ - ldapaddmachine.1 ldapdeleteuser.1 + ldapaddmachine.1 ldapdeleteuser.1 ldapaddsudo.1 ldapmodifysudo.1 ldapdeletesudo.1 MAN5FILES = ldapscripts.5 TMPLFILES = ldapaddgroup.template.sample ldapaddmachine.template.sample \ ldapadduser.template.sample --- a/lib/runtime +++ b/lib/runtime @@ -294,6 +294,21 @@ _ldapdelete () { fi } +# Deletes a sudoUser entry in the LDAP directory +# Input : POSIX username whose sudo entry to delete ($1) +# Output: 0 on successful delete +# 1 on being unable to find sudoUser +# 2 on being unable to delete found sudoUser entry +_ldapdeletesudo () { + [ -z "$1" ] && end_die "_ldapdeletesudo : missing argument" + # Find the entry + _findentry "$SUFFIX" "(&(objectClass=sudoRole)(|(cn=$1)(sudoUser=$1)))" + [ -z "$_ENTRY" ] && return 1 + + # Now delete that entry + _ldapdelete "$_ENTRY" || return 2 +} + # Extracts LDIF information from $0 (the current script itself) # selecting lines beginning with $1 occurrences of '#' # Input : depth ($1)