Relocate ldapscripts to stx-integ/ldap/ldapscripts
Move content from stx-gplv2 into stx-integ.

Packages will be relocated to stx-integ:
base/: bash, cgcs-users, cluster-resource-agents, dpkg, haproxy, libfdt, netpbm, rpm
database/: mariadb
filesystem/: iscsi-initiator-utils
filesystem/drbd/: drbd-tools
kernel/kernel-modules/: drbd, integrity, intel-e1000e, intel-i40e, intel-i40evf, intel-ixgbe, intel-ixgbevf, qat17, tpmdd
ldap/: ldapscripts
networking/: iptables, net-tools

Change-Id: I4d0aa1d13de96cf498523b084137d76cb4720cfc
Story: 2002801
Task: 22687
Signed-off-by: Scott Little <scott.little@windriver.com>
parent
51f969296b
commit
50808566f9
@ -1,5 +1,4 @@
|
||||||
iptables
|
iptables
|
||||||
ldapscripts
|
|
||||||
net-tools
|
net-tools
|
||||||
drbd-tools
|
drbd-tools
|
||||||
mariadb
|
mariadb
|
||||||
|
|
|
@ -1,14 +0,0 @@
|
||||||
Metadata-Version: 1.1
|
|
||||||
Name: ldapscripts
|
|
||||||
Version: 2.0.8
|
|
||||||
Summary: ldapscripts
|
|
||||||
Home-page:
|
|
||||||
Author:
|
|
||||||
Author-email:
|
|
||||||
License: GPLv2
|
|
||||||
|
|
||||||
Description:
|
|
||||||
Shell scripts that allow to manage POSIX accounts (users, groups, machines) in an LDAP directory.
|
|
||||||
|
|
||||||
|
|
||||||
Platform: UNKNOWN
|
|
|
@ -1,3 +0,0 @@
|
||||||
COPY_LIST="files/* \
|
|
||||||
$CGCS_BASE/downloads/ldapscripts-2.0.8.tgz"
|
|
||||||
TIS_PATCH_VER=2
|
|
|
@ -1,75 +0,0 @@
|
||||||
Name: ldapscripts
|
|
||||||
Version: 2.0.8
|
|
||||||
Release: 0%{?_tis_dist}.%{tis_patch_ver}
|
|
||||||
Summary: ldapscripts
|
|
||||||
|
|
||||||
Group: base
|
|
||||||
License: GPLv2
|
|
||||||
URL: unknown
|
|
||||||
Source0: %{name}-%{version}.tgz
|
|
||||||
Source1: ldapscripts.conf.cgcs
|
|
||||||
Source2: ldapadduser.template.cgcs
|
|
||||||
Source3: ldapaddgroup.template.cgcs
|
|
||||||
Source4: ldapmoduser.template.cgcs
|
|
||||||
Source5: ldapaddsudo.template.cgcs
|
|
||||||
Source6: ldapmodsudo.template.cgcs
|
|
||||||
Source7: ldapscripts.passwd
|
|
||||||
|
|
||||||
Patch0: sudo-support.patch
|
|
||||||
Patch1: sudo-delete-support.patch
|
|
||||||
Patch2: log_timestamp.patch
|
|
||||||
Patch3: ldap-user-setup-support.patch
|
|
||||||
Patch4: ldap-user-setup-support-input-validation.patch
|
|
||||||
Patch5: ldap-user-setup-noninteractive-mode-fix.patch
|
|
||||||
Patch6: allow-anonymous-bind-for-ldap-search.patch
|
|
||||||
|
|
||||||
%define debug_package %{nil}
|
|
||||||
|
|
||||||
# BuildRequires:
|
|
||||||
# Requires:
|
|
||||||
|
|
||||||
%description
|
|
||||||
Shell scripts that allow to manage POSIX accounts (users, groups, machines) in an LDAP directory.
|
|
||||||
|
|
||||||
|
|
||||||
%prep
|
|
||||||
%setup -q
|
|
||||||
%patch0 -p1
|
|
||||||
%patch1 -p1
|
|
||||||
%patch2 -p1
|
|
||||||
%patch3 -p1
|
|
||||||
%patch4 -p1
|
|
||||||
%patch5 -p1
|
|
||||||
%patch6 -p1
|
|
||||||
|
|
||||||
|
|
||||||
%build
|
|
||||||
|
|
||||||
|
|
||||||
%install
|
|
||||||
make install DESTDIR=%{buildroot}
|
|
||||||
|
|
||||||
rm -Rf %{buildroot}/usr/local/man
|
|
||||||
rm -f %{buildroot}/usr/local/sbin/*machine*
|
|
||||||
rm -f %{buildroot}/usr/local/etc/ldapscripts/ldapaddmachine.template.sample
|
|
||||||
install -d ldroot}}/usr/local/etc/
|
|
||||||
install -m 644 %{SOURCE1} %{buildroot}/usr/local/etc/ldapscripts/ldapscripts.conf
|
|
||||||
install -m 644 %{SOURCE2} %{buildroot}/usr/local/etc/ldapscripts/ldapadduser.template.cgcs
|
|
||||||
install -m 644 %{SOURCE3} %{buildroot}/usr/local/etc/ldapscripts/ldapaddgroup.template.cgcs
|
|
||||||
install -m 644 %{SOURCE4} %{buildroot}/usr/local/etc/ldapscripts/ldapmoduser.template.cgcs
|
|
||||||
install -m 644 %{SOURCE5} %{buildroot}/usr/local/etc/ldapscripts/ldapaddsudo.template.cgcs
|
|
||||||
install -m 644 %{SOURCE6} %{buildroot}/usr/local/etc/ldapscripts/ldapmodsudo.template.cgcs
|
|
||||||
install -m 600 %{SOURCE7} %{buildroot}/usr/local/etc/ldapscripts/ldapscripts.passwd
|
|
||||||
|
|
||||||
%files
|
|
||||||
%defattr(-,root,root,-)
|
|
||||||
%dir /usr/local/etc/ldapscripts/
|
|
||||||
%dir /usr/local/lib/ldapscripts/
|
|
||||||
/usr/local/sbin/*
|
|
||||||
%config(noreplace) /usr/local/etc/ldapscripts/ldapscripts.passwd
|
|
||||||
/usr/local/etc/ldapscripts/*
|
|
||||||
/usr/local/lib/ldapscripts/*
|
|
||||||
|
|
||||||
|
|
||||||
%changelog
|
|
||||||
|
|
|
@ -1,38 +0,0 @@
|
||||||
From bee43b9f75ee7a2cee0391319528264014d775f7 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kam Nasim <kam.nasim@windriver.com>
|
|
||||||
Date: Mon, 16 Apr 2018 14:58:03 -0400
|
|
||||||
Subject: [PATCH] ldapscripts - allow anonymous bind for ldap search
|
|
||||||
|
|
||||||
---
|
|
||||||
lib/runtime | 7 +++++--
|
|
||||||
1 file changed, 5 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/runtime b/lib/runtime
|
|
||||||
index 012ac95..18acf3f 100644
|
|
||||||
--- a/lib/runtime
|
|
||||||
+++ b/lib/runtime
|
|
||||||
@@ -197,8 +197,11 @@ _ldapsearch () {
|
|
||||||
elif [ -n "$BINDPWDFILE" ]
|
|
||||||
then
|
|
||||||
$LDAPSEARCHBIN $LDAPBINOPTS $LDAPSEARCHOPTS -y "$BINDPWDFILE" -D "$BINDDN" -b "${1:-$SUFFIX}" -xH "$SERVER" -s sub -LLL "${2:-(objectclass=*)}" "${3:-*}" 2>>"$LOGFILE"
|
|
||||||
- else
|
|
||||||
+ elif [ -n "$BINDPWD" ]
|
|
||||||
+ then
|
|
||||||
$LDAPSEARCHBIN $LDAPBINOPTS $LDAPSEARCHOPTS -w "$BINDPWD" -D "$BINDDN" -b "${1:-$SUFFIX}" -xH "$SERVER" -s sub -LLL "${2:-(objectclass=*)}" "${3:-*}" 2>>"$LOGFILE"
|
|
||||||
+ else
|
|
||||||
+ $LDAPSEARCHBIN $LDAPBINOPTS $LDAPSEARCHOPTS -D "$BINDDN" -b "${1:-$SUFFIX}" -xH "$SERVER" -s sub -LLL "${2:-(objectclass=*)}" "${3:-*}" 2>>"$LOGFILE"
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -785,7 +788,7 @@ then
|
|
||||||
then
|
|
||||||
warn_log "Warning : using command-line passwords, ldapscripts may not be safe"
|
|
||||||
else
|
|
||||||
- end_die "Unable to read password file $BINDPWDFILE, exiting..."
|
|
||||||
+ warn_log "Warning: Unable to read password file $BINDPWDFILE, binding anonymously..."
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
--
|
|
||||||
1.8.3.1
|
|
||||||
|
|
|
@ -1,15 +0,0 @@
|
||||||
---
|
|
||||||
sbin/ldapusersetup | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
--- a/sbin/ldapusersetup
|
|
||||||
+++ b/sbin/ldapusersetup
|
|
||||||
@@ -105,7 +105,7 @@ LdapAddLoginShell () {
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
else
|
|
||||||
- shellopn=${$2,,}
|
|
||||||
+ shellopn=${2,,}
|
|
||||||
case $shellopn in
|
|
||||||
"bash") _SHELL="/bin/sh";;
|
|
||||||
"lshell") _SHELL="$_DEFAULTLSHELL";;
|
|
|
@ -1,87 +0,0 @@
|
||||||
---
|
|
||||||
sbin/ldapusersetup | 45 ++++++++++++++++++++++++++++++++++-----------
|
|
||||||
1 file changed, 34 insertions(+), 11 deletions(-)
|
|
||||||
|
|
||||||
--- a/sbin/ldapusersetup
|
|
||||||
+++ b/sbin/ldapusersetup
|
|
||||||
@@ -44,6 +44,29 @@ _SHELL=""
|
|
||||||
|
|
||||||
### Helper functions ###
|
|
||||||
|
|
||||||
+# Gets input from user and validates it.
|
|
||||||
+# Will only return if input meets validation
|
|
||||||
+# criteria otherwise will just sit there.
|
|
||||||
+#
|
|
||||||
+# Input : input string ($1), valid output options ($2)
|
|
||||||
+# Output: the validated input
|
|
||||||
+# Note : the validation list must be an array
|
|
||||||
+LdapUserInput () {
|
|
||||||
+declare -a optionAry=("${!2}")
|
|
||||||
+while true; do
|
|
||||||
+ read -p "$1" _output
|
|
||||||
+ # convert to lower case
|
|
||||||
+ _output2=${_output,,}
|
|
||||||
+ # check if output is a valid option
|
|
||||||
+ if [[ "${optionAry[@]}" =~ "$_output2" ]]; then
|
|
||||||
+ break
|
|
||||||
+ else
|
|
||||||
+ echo "Invalid input \"$_output\". Allowed options: ${optionAry[@]}" >&2
|
|
||||||
+ fi
|
|
||||||
+done
|
|
||||||
+ echo "$_output2"
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
# Delete an ldap user if it exists
|
|
||||||
# and exit with error
|
|
||||||
# Input : username ($1), exit msg ($2)
|
|
||||||
@@ -67,10 +90,12 @@ LdapAddUser() {
|
|
||||||
LdapAddLoginShell () {
|
|
||||||
if [ -z "$2" ]; then
|
|
||||||
# Ask the user for the login shell
|
|
||||||
- echo "Select Login Shell option # [2]:
|
|
||||||
+ shellInput="Select Login Shell option # [2]:
|
|
||||||
1) Bash
|
|
||||||
-2) Lshell"
|
|
||||||
- read opn
|
|
||||||
+2) Lshell
|
|
||||||
+"
|
|
||||||
+ options=( 1, 2 )
|
|
||||||
+ opn=`LdapUserInput "$shellInput" options[@]`
|
|
||||||
case $opn in
|
|
||||||
1) _SHELL="/bin/sh";;
|
|
||||||
2) _SHELL="$_DEFAULTLSHELL";;
|
|
||||||
@@ -139,7 +164,6 @@ LdapUpdateShadowWarning () {
|
|
||||||
echo "Updating password expiry to $_newWarning days"
|
|
||||||
}
|
|
||||||
|
|
||||||
-
|
|
||||||
# Since this setup script is meant to be a
|
|
||||||
# wrapper on top of existing ldap scripts,
|
|
||||||
# it share invoke those... we could have achieved
|
|
||||||
@@ -170,10 +194,9 @@ if [ "$#" -eq 0 ]; then
|
|
||||||
# prompt for sudo permissions
|
|
||||||
if [ "$_SHELL" != "$_DEFAULTLSHELL" ]; then
|
|
||||||
# Should sudo be activated for this user
|
|
||||||
- echo -n "Add $_username to sudoer list? (yes/NO): "
|
|
||||||
- read CONFIRM
|
|
||||||
- CONFIRM=${CONFIRM,,}
|
|
||||||
-
|
|
||||||
+ shellInput="Add $_username to sudoer list? (yes/NO): "
|
|
||||||
+ options=( "yes", "no" )
|
|
||||||
+ CONFIRM=`LdapUserInput "$shellInput" options[@]`
|
|
||||||
if is_yes $CONFIRM
|
|
||||||
then
|
|
||||||
LdapAddSudo "$_username"
|
|
||||||
@@ -181,9 +204,9 @@ if [ "$#" -eq 0 ]; then
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Add to secondary user group
|
|
||||||
- echo -n "Add $_username to secondary user group? (yes/NO): "
|
|
||||||
- read CONFIRM
|
|
||||||
- CONFIRM=${CONFIRM,,}
|
|
||||||
+ shellInput="Add $_username to secondary user group? (yes/NO): "
|
|
||||||
+ options=( "yes", "no" )
|
|
||||||
+ CONFIRM=`LdapUserInput "$shellInput" options[@]`
|
|
||||||
if is_yes $CONFIRM
|
|
||||||
then
|
|
||||||
echo -n "Secondary group to add user to? [$_DEFAULTGRP2]: "
|
|
|
@ -1,354 +0,0 @@
|
||||||
---
|
|
||||||
Makefile | 5
|
|
||||||
man/man1/ldapusersetup.1 | 61 ++++++++++
|
|
||||||
sbin/ldapusersetup | 263 +++++++++++++++++++++++++++++++++++++++++++++++
|
|
||||||
3 files changed, 327 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/sbin/ldapusersetup
|
|
||||||
@@ -0,0 +1,263 @@
|
|
||||||
+#!/bin/sh
|
|
||||||
+
|
|
||||||
+# ldapusersetup : interactive setup for adding users to LDAP
|
|
||||||
+
|
|
||||||
+# Copyright (c) 2015 Wind River Systems, Inc.
|
|
||||||
+#
|
|
||||||
+# This program is free software; you can redistribute it and/or
|
|
||||||
+# modify it under the terms of the GNU General Public License
|
|
||||||
+# as published by the Free Software Foundation; either version 2
|
|
||||||
+# of the License, or (at your option) any later version.
|
|
||||||
+#
|
|
||||||
+# This program is distributed in the hope that it will be useful,
|
|
||||||
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
+# GNU General Public License for more details.
|
|
||||||
+#
|
|
||||||
+# You should have received a copy of the GNU General Public License
|
|
||||||
+# along with this program; if not, write to the Free Software
|
|
||||||
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
|
|
||||||
+# USA.
|
|
||||||
+
|
|
||||||
+if [ "$1" = "-h" ] || [ "$1" = "--help" ] || [ "$#" -eq 1 ]
|
|
||||||
+then
|
|
||||||
+ echo "Usage : $0 [-u <username | uid> <field> <value>]
|
|
||||||
+where accepted field(s) are as follows:
|
|
||||||
+--sudo : whether to add this user to sudoer list
|
|
||||||
+--shell <\"bash\"|\"lshell\"> : choose the shell for this user (default is lshell)
|
|
||||||
+--secondgroup <grp> : the secondary group to add this user to
|
|
||||||
+--passmax <value> : the shadowMax value for this user
|
|
||||||
+--passwarning <value> : the shadowWarning value for this user"
|
|
||||||
+ exit 1
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+# Source runtime file
|
|
||||||
+_RUNTIMEFILE="/usr/lib/ldapscripts/runtime"
|
|
||||||
+. "$_RUNTIMEFILE"
|
|
||||||
+
|
|
||||||
+# runtime defaults
|
|
||||||
+_DEFAULTGRP2="wrs_protected"
|
|
||||||
+_DEFAULTLSHELL="/usr/local/bin/cgcs_cli"
|
|
||||||
+_DEFAULTSHADOWMAX="90"
|
|
||||||
+_DEFAULTSHADOWWARNING="2"
|
|
||||||
+_SHELL=""
|
|
||||||
+
|
|
||||||
+### Helper functions ###
|
|
||||||
+
|
|
||||||
+# Delete an ldap user if it exists
|
|
||||||
+# and exit with error
|
|
||||||
+# Input : username ($1), exit msg ($2)
|
|
||||||
+# Output : none
|
|
||||||
+LdapRollback() {
|
|
||||||
+ ldapdeleteuser "$1"
|
|
||||||
+ end_die "$2"
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+# Add an ldap user and exit on failure
|
|
||||||
+# Input : username ($1)
|
|
||||||
+# Output : none
|
|
||||||
+LdapAddUser() {
|
|
||||||
+ ldapadduser "$1" users
|
|
||||||
+ [ $? -eq 0 ] || end_die "Critical setup error: cannot add user"
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+# Replace Login Shell and call Rollback on failure
|
|
||||||
+# Input : username ($1), shell to set ($2)
|
|
||||||
+# Output : none
|
|
||||||
+LdapAddLoginShell () {
|
|
||||||
+ if [ -z "$2" ]; then
|
|
||||||
+ # Ask the user for the login shell
|
|
||||||
+ echo "Select Login Shell option # [2]:
|
|
||||||
+1) Bash
|
|
||||||
+2) Lshell"
|
|
||||||
+ read opn
|
|
||||||
+ case $opn in
|
|
||||||
+ 1) _SHELL="/bin/sh";;
|
|
||||||
+ 2) _SHELL="$_DEFAULTLSHELL";;
|
|
||||||
+ *)
|
|
||||||
+ [ ! -z "$opn" ] && echo "Invalid option. Selecting Lshell"
|
|
||||||
+ _SHELL="$_DEFAULTLSHELL"
|
|
||||||
+ ;;
|
|
||||||
+ esac
|
|
||||||
+ else
|
|
||||||
+ shellopn=${$2,,}
|
|
||||||
+ case $shellopn in
|
|
||||||
+ "bash") _SHELL="/bin/sh";;
|
|
||||||
+ "lshell") _SHELL="$_DEFAULTLSHELL";;
|
|
||||||
+ *)
|
|
||||||
+ echo "Invalid option($2). Selecting Lshell"; _SHELL="$_DEFAULTLSHELL"
|
|
||||||
+ ;;
|
|
||||||
+ esac
|
|
||||||
+ fi
|
|
||||||
+ # Replace the login shell
|
|
||||||
+ ldapmodifyuser $1 replace loginShell $_SHELL &> /dev/null
|
|
||||||
+ [ $? -eq 0 ] || LdapRollback $1 "Critical setup error: cannot set login shell"
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+# Add user to sudoer list
|
|
||||||
+# Input : username ($1)
|
|
||||||
+# Output : true or false
|
|
||||||
+LdapAddSudo() {
|
|
||||||
+ ldapaddsudo "$1" 2> /dev/null
|
|
||||||
+ [ $? -eq 0 ] || \
|
|
||||||
+ echo_log "Non critical setup error: cannot add to sudoer list"
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+# Add user to a secondary user group
|
|
||||||
+# Input : username ($1), user group ($2)
|
|
||||||
+# Output : true or false
|
|
||||||
+LdapSecondaryGroup () {
|
|
||||||
+ _newGrp="$2"
|
|
||||||
+ [ -z "$2" ] && _newGrp=$_DEFAULTGRP2
|
|
||||||
+
|
|
||||||
+ ldapaddusertogroup $1 $_newGrp
|
|
||||||
+ [ $? -eq 0 ] || \
|
|
||||||
+ echo_log "Non critical setup error: cannot add $1 to $_newGrp"
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+# Update shadowMax for user
|
|
||||||
+# Input : username ($1), shadow Max value ($2)
|
|
||||||
+# Output : none
|
|
||||||
+LdapUpdateShadowMax () {
|
|
||||||
+ _newShadow="$2"
|
|
||||||
+ ! [[ "$2" =~ ^[0-9]+$ ]] || [ -z "$2" ] \
|
|
||||||
+ && _newShadow=$_DEFAULTSHADOWMAX
|
|
||||||
+
|
|
||||||
+ ldapmodifyuser $1 replace shadowMax $_newShadow
|
|
||||||
+ echo "Updating password expiry to $_newShadow days"
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+# Update shadowWarning for user
|
|
||||||
+# Input : username ($1), shadow Warning value ($2)
|
|
||||||
+# Output : none
|
|
||||||
+LdapUpdateShadowWarning () {
|
|
||||||
+ _newWarning="$2"
|
|
||||||
+ ! [[ "$2" =~ ^[0-9]+$ ]] || [ -z "$2" ] \
|
|
||||||
+ && _newWarning=$_DEFAULTSHADOWWARNING
|
|
||||||
+
|
|
||||||
+ ldapmodifyuser $1 replace shadowWarning $_newWarning
|
|
||||||
+ echo "Updating password expiry to $_newWarning days"
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+# Since this setup script is meant to be a
|
|
||||||
+# wrapper on top of existing ldap scripts,
|
|
||||||
+# it share invoke those... we could have achieved
|
|
||||||
+# loose coupling by not relying on helpers but
|
|
||||||
+# at the expense of massively redundant code
|
|
||||||
+# duplication.
|
|
||||||
+declare -a helper_scripts=("ldapadduser" "ldapaddsudo" "ldapmodifyuser" "ldapaddusertogroup" "$_DEFAULTLSHELL")
|
|
||||||
+
|
|
||||||
+# Do some quick sanity tests to make sure
|
|
||||||
+# helper scripts are present
|
|
||||||
+for src in "${helper_scripts[@]}"; do
|
|
||||||
+ if ! type "$src" &>/dev/null; then
|
|
||||||
+ end_die "Cannot locate $src. Update your PATH variable"
|
|
||||||
+ fi
|
|
||||||
+done
|
|
||||||
+
|
|
||||||
+if [ "$#" -eq 0 ]; then
|
|
||||||
+ # This setup collects all attributes
|
|
||||||
+ # interactively during runtime
|
|
||||||
+ echo -n "Enter username to add to LDAP: "
|
|
||||||
+ read _username
|
|
||||||
+ LdapAddUser "$_username"
|
|
||||||
+
|
|
||||||
+ # Replace the login shell. We will prompt the user for this
|
|
||||||
+ LdapAddLoginShell "$_username"
|
|
||||||
+
|
|
||||||
+ # If login shell is NOT the default limited shell then
|
|
||||||
+ # prompt for sudo permissions
|
|
||||||
+ if [ "$_SHELL" != "$_DEFAULTLSHELL" ]; then
|
|
||||||
+ # Should sudo be activated for this user
|
|
||||||
+ echo -n "Add $_username to sudoer list? (yes/NO): "
|
|
||||||
+ read CONFIRM
|
|
||||||
+ CONFIRM=${CONFIRM,,}
|
|
||||||
+
|
|
||||||
+ if is_yes $CONFIRM
|
|
||||||
+ then
|
|
||||||
+ LdapAddSudo "$_username"
|
|
||||||
+ fi
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
+ # Add to secondary user group
|
|
||||||
+ echo -n "Add $_username to secondary user group? (yes/NO): "
|
|
||||||
+ read CONFIRM
|
|
||||||
+ CONFIRM=${CONFIRM,,}
|
|
||||||
+ if is_yes $CONFIRM
|
|
||||||
+ then
|
|
||||||
+ echo -n "Secondary group to add user to? [$_DEFAULTGRP2]: "
|
|
||||||
+ read _grp2
|
|
||||||
+ LdapSecondaryGroup $_username $_grp2
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
+ # Set password expiry
|
|
||||||
+ echo -n "Enter days after which user password must \
|
|
||||||
+be changed [$_DEFAULTSHADOWMAX]: "
|
|
||||||
+ read _shadowMax
|
|
||||||
+ LdapUpdateShadowMax $_username $_shadowMax
|
|
||||||
+
|
|
||||||
+ # Set password warning
|
|
||||||
+ echo -n "Enter days before password is to expire that \
|
|
||||||
+user is warned [$_DEFAULTSHADOWWARNING]: "
|
|
||||||
+ read _shadowWarning
|
|
||||||
+ LdapUpdateShadowWarning $_username $_shadowWarning
|
|
||||||
+
|
|
||||||
+else
|
|
||||||
+ # we have to read command line option
|
|
||||||
+ while [[ $# > 1 ]]
|
|
||||||
+ do
|
|
||||||
+ key="$1"
|
|
||||||
+
|
|
||||||
+ case $key in
|
|
||||||
+ -u|--user) # compulsory
|
|
||||||
+ _username="$2"
|
|
||||||
+ shift
|
|
||||||
+ ;;
|
|
||||||
+ --sudo) # optional
|
|
||||||
+ _sudo="yes"
|
|
||||||
+ ;;
|
|
||||||
+ --shell) # optional
|
|
||||||
+ _loginshell="$2"
|
|
||||||
+ shift
|
|
||||||
+ ;;
|
|
||||||
+ --passmax) # optional
|
|
||||||
+ _shadowMax="$2"
|
|
||||||
+ shift
|
|
||||||
+ ;;
|
|
||||||
+ --passwarning) # optional
|
|
||||||
+ _shadowWarning="$2"
|
|
||||||
+ shift
|
|
||||||
+ ;;
|
|
||||||
+ --secondgroup) # optional
|
|
||||||
+ _grpConfirm="1"
|
|
||||||
+ _grp2="$2"
|
|
||||||
+ shift
|
|
||||||
+ ;;
|
|
||||||
+ *)
|
|
||||||
+
|
|
||||||
+ ;;
|
|
||||||
+ esac
|
|
||||||
+ shift
|
|
||||||
+ done
|
|
||||||
+
|
|
||||||
+ # Add LDAP user
|
|
||||||
+ [ -z "$_username" ] && end_die "No username argument specified"
|
|
||||||
+ LdapAddUser $_username
|
|
||||||
+
|
|
||||||
+ # Change Login Shell
|
|
||||||
+ LdapAddLoginShell $_username "$_loginshell"
|
|
||||||
+
|
|
||||||
+ # Add sudo if required
|
|
||||||
+ if is_yes $_sudo
|
|
||||||
+ then
|
|
||||||
+ LdapAddSudo "$_username"
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
+ # Add secondary group if required
|
|
||||||
+ [ -z "$_grpConfirm" ] || LdapSecondaryGroup $_username $_grp2
|
|
||||||
+
|
|
||||||
+ # Password modifications
|
|
||||||
+ LdapUpdateShadowMax $_username $_shadowMax
|
|
||||||
+ LdapUpdateShadowWarning $_username $_shadowWarning
|
|
||||||
+fi
|
|
||||||
--- a/Makefile
|
|
||||||
+++ b/Makefile
|
|
||||||
@@ -41,12 +41,13 @@ SBINFILES = ldapdeletemachine ldapmodify
|
|
||||||
ldapdeleteuser ldapsetprimarygroup ldapfinger ldapid ldapgid ldapmodifymachine \
|
|
||||||
ldaprenamegroup ldapaddgroup ldapaddusertogroup ldapdeleteuserfromgroup \
|
|
||||||
ldapinit ldapmodifyuser ldaprenamemachine ldapaddmachine ldapdeletegroup \
|
|
||||||
- ldaprenameuser ldapmodifysudo ldapdeletesudo
|
|
||||||
+ ldaprenameuser ldapmodifysudo ldapdeletesudo ldapusersetup
|
|
||||||
MAN1FILES = ldapdeletemachine.1 ldapmodifymachine.1 ldaprenamemachine.1 ldapadduser.1 \
|
|
||||||
ldapdeleteuserfromgroup.1 ldapfinger.1 ldapid.1 ldapgid.1 ldapmodifyuser.1 lsldap.1 \
|
|
||||||
ldapaddusertogroup.1 ldaprenameuser.1 ldapinit.1 ldapsetpasswd.1 ldapaddgroup.1 \
|
|
||||||
ldapdeletegroup.1 ldapsetprimarygroup.1 ldapmodifygroup.1 ldaprenamegroup.1 \
|
|
||||||
- ldapaddmachine.1 ldapdeleteuser.1 ldapaddsudo.1 ldapmodifysudo.1 ldapdeletesudo.1
|
|
||||||
+ ldapaddmachine.1 ldapdeleteuser.1 ldapaddsudo.1 ldapmodifysudo.1 \
|
|
||||||
+ ldapdeletesudo.1 ldapusersetup.1
|
|
||||||
MAN5FILES = ldapscripts.5
|
|
||||||
TMPLFILES = ldapaddgroup.template.sample ldapaddmachine.template.sample \
|
|
||||||
ldapadduser.template.sample
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/man/man1/ldapusersetup.1
|
|
||||||
@@ -0,0 +1,61 @@
|
|
||||||
+.\" Copyright (c) 2015 Wind River Systems, Inc.
|
|
||||||
+.\"
|
|
||||||
+.\" This program is free software; you can redistribute it and/or
|
|
||||||
+.\" modify it under the terms of the GNU General Public License
|
|
||||||
+.\" as published by the Free Software Foundation; either version 2
|
|
||||||
+.\" of the License, or (at your option) any later version.
|
|
||||||
+.\"
|
|
||||||
+.\" This program is distributed in the hope that it will be useful,
|
|
||||||
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
+.\" GNU General Public License for more details.
|
|
||||||
+.\"
|
|
||||||
+.\" You should have received a copy of the GNU General Public License
|
|
||||||
+.\" along with this program; if not, write to the Free Software
|
|
||||||
+.\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
|
|
||||||
+.\" USA.
|
|
||||||
+.\"
|
|
||||||
+.\" Kam Nasim
|
|
||||||
+.\" knasim@windriver.com
|
|
||||||
+.\"
|
|
||||||
+.TH ldapusersetup 1 "December 16, 2015"
|
|
||||||
+
|
|
||||||
+.SH NAME
|
|
||||||
+ldapusersetup \- wizard for adding an LDAP user to CGCS.
|
|
||||||
+
|
|
||||||
+.SH SYNOPSIS
|
|
||||||
+.B ldapusersetup
|
|
||||||
+
|
|
||||||
+.SH DESCRIPTION
|
|
||||||
+ldapusersetup interactively walks through the process of creating an LDAP user
|
|
||||||
+for access to CGCS services. The user is prompted for:
|
|
||||||
+- username
|
|
||||||
+- if a sudoEntry needs to be created
|
|
||||||
+- if a secondary user group needs to be added
|
|
||||||
+- user password expiry and warning configuration
|
|
||||||
+Alternatively, the user may provide these parameters as command line actions.
|
|
||||||
+Look at the OPTIONS section for more information.
|
|
||||||
+
|
|
||||||
+To delete the user and all its group associations, simply use ldapdeleteuser(1)
|
|
||||||
+
|
|
||||||
+.SH OPTIONS
|
|
||||||
+.TP
|
|
||||||
+.B [-u <username | uid> <field> <value>]
|
|
||||||
+The name or uid of the user to modify.
|
|
||||||
+The following fields are available as long format options:
|
|
||||||
+--sudo : whether to add this user to sudoer list
|
|
||||||
+--shell <bash | lshell> : which login shell to use (default is lshell)
|
|
||||||
+--secondgroup <grp> : the secondary group to add this user to
|
|
||||||
+--passmax <value> : the shadowMax value for this user
|
|
||||||
+--passwarning <value> : the shadowWarning value for this user"
|
|
||||||
+
|
|
||||||
+.SH "SEE ALSO"
|
|
||||||
+ldapdeleteuser(1), ldapaddgroup(1), ldapaddusertogroup(1), ldapmodifyuser(1), ldapscripts(5).
|
|
||||||
+
|
|
||||||
+.SH AVAILABILITY
|
|
||||||
+The ldapscripts are provided under the GNU General Public License v2 (see COPYING for more details).
|
|
||||||
+The latest version of the ldapscripts is available on :
|
|
||||||
+.B http://contribs.martymac.org
|
|
||||||
+
|
|
||||||
+.SH BUGS
|
|
||||||
+No bug known.
|
|
|
@ -1,5 +0,0 @@
|
||||||
dn: cn=<group>,<gsuffix>,<suffix>
|
|
||||||
objectClass: posixGroup
|
|
||||||
cn: <group>
|
|
||||||
gidNumber: <gid>
|
|
||||||
description: Group account
|
|
|
@ -1,10 +0,0 @@
|
||||||
dn: cn=<user>,ou=SUDOers,<suffix>
|
|
||||||
objectClass: top
|
|
||||||
objectClass: sudoRole
|
|
||||||
cn: <user>
|
|
||||||
sudoUser: <user>
|
|
||||||
sudoHost: ALL
|
|
||||||
sudoRunAsUser: ALL
|
|
||||||
sudoCommand: ALL
|
|
||||||
#sudoOrder: <default: 0, if multiple entries match, this entry with the highest sudoOrder is used>
|
|
||||||
#sudoOption: <specify other sudo specific attributes here>
|
|
|
@ -1,16 +0,0 @@
|
||||||
dn: uid=<user>,<usuffix>,<suffix>
|
|
||||||
objectClass: account
|
|
||||||
objectClass: posixAccount
|
|
||||||
objectClass: shadowAccount
|
|
||||||
objectClass: top
|
|
||||||
cn: <user>
|
|
||||||
uid: <user>
|
|
||||||
uidNumber: <uid>
|
|
||||||
gidNumber: <gid>
|
|
||||||
shadowMax: 99999
|
|
||||||
shadowWarning: 7
|
|
||||||
shadowLastChange: 0
|
|
||||||
homeDirectory: <home>
|
|
||||||
loginShell: <shell>
|
|
||||||
gecos: <user>
|
|
||||||
description: User account
|
|
|
@ -1,4 +0,0 @@
|
||||||
dn: cn=<user>,ou=SUDOers,<suffix>
|
|
||||||
changeType: modify
|
|
||||||
<action>: <field>
|
|
||||||
<field>: <value>
|
|
|
@ -1,4 +0,0 @@
|
||||||
dn: uid=<user>,<usuffix>,<suffix>
|
|
||||||
changeType: modify
|
|
||||||
<action>: <field>
|
|
||||||
<field>: <value>
|
|
|
@ -1,152 +0,0 @@
|
||||||
# Copyright (C) 2005 Ganaël LAPLANCHE - Linagora
|
|
||||||
# Copyright (C) 2006-2013 Ganaël LAPLANCHE
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or
|
|
||||||
# modify it under the terms of the GNU General Public License
|
|
||||||
# as published by the Free Software Foundation; either version 2
|
|
||||||
# of the License, or (at your option) any later version.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with this program; if not, write to the Free Software
|
|
||||||
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
|
|
||||||
# USA.
|
|
||||||
|
|
||||||
# LDAP server
|
|
||||||
SERVER="ldap://controller"
|
|
||||||
|
|
||||||
# Suffixes
|
|
||||||
SUFFIX="dc=cgcs,dc=local" # Global suffix
|
|
||||||
GSUFFIX="ou=Group" # Groups ou (just under $SUFFIX)
|
|
||||||
USUFFIX="ou=People" # Users ou (just under $SUFFIX)
|
|
||||||
MSUFFIX="ou=Machines" # Machines ou (just under $SUFFIX)
|
|
||||||
|
|
||||||
# Authentication type
|
|
||||||
# If empty, use simple authentication
|
|
||||||
# Else, use the value as an SASL authentication mechanism
|
|
||||||
SASLAUTH=""
|
|
||||||
#SASLAUTH="GSSAPI"
|
|
||||||
|
|
||||||
# Simple authentication parameters
|
|
||||||
# The following BIND* parameters are ignored if SASLAUTH is set
|
|
||||||
BINDDN="cn=ldapadmin,dc=cgcs,dc=local"
|
|
||||||
# The following file contains the raw password of the BINDDN
|
|
||||||
# Create it with something like : echo -n 'secret' > $BINDPWDFILE
|
|
||||||
# WARNING !!!! Be careful not to make this file world-readable
|
|
||||||
BINDPWDFILE="/usr/local/etc/ldapscripts/ldapscripts.passwd"
|
|
||||||
# For older versions of OpenLDAP, it is still possible to use
|
|
||||||
# unsecure command-line passwords by defining the following option
|
|
||||||
# AND commenting the previous one (BINDPWDFILE takes precedence)
|
|
||||||
#BINDPWD="secret"
|
|
||||||
|
|
||||||
# Start with these IDs *if no entry found in LDAP*
|
|
||||||
GIDSTART="10000" # Group ID
|
|
||||||
UIDSTART="10000" # User ID
|
|
||||||
MIDSTART="20000" # Machine ID
|
|
||||||
|
|
||||||
# Group membership management
|
|
||||||
# ObjectCLass used for groups
|
|
||||||
# Possible values : posixGroup, groupOfNames, groupOfUniqueNames (case-sensitive !)
|
|
||||||
# Warning : when using groupOf*, be sure to be compliant with RFC 2307bis (AUXILIARY posixGroup).
|
|
||||||
# Also, do not mix posixGroup and groupOf* entries up in you directory as, within RFC 2307bis,
|
|
||||||
# the former is a subset of the latter. The ldapscripts wouldn't cope well with this configuration.
|
|
||||||
GCLASS="posixGroup" # Leave "posixGroup" here if not sure !
|
|
||||||
# When using groupOfNames or groupOfUniqueNames, creating a group requires an initial
|
|
||||||
# member. Specify it below, you will be able to remove it once groups are populated.
|
|
||||||
#GDUMMYMEMBER="uid=dummy,$USUFFIX,$SUFFIX"
|
|
||||||
|
|
||||||
# User properties
|
|
||||||
USHELL="/bin/sh"
|
|
||||||
UHOMES="/home/%u" # You may use %u for username here
|
|
||||||
CREATEHOMES="no" # Create home directories and set rights ?
|
|
||||||
HOMESKEL="/etc/skel" # Directory where the skeleton files are located. Ignored if undefined or nonexistant.
|
|
||||||
HOMEPERMS="700" # Default permissions for home directories
|
|
||||||
|
|
||||||
# User passwords generation
|
|
||||||
# Command-line used to generate a password for added users.
|
|
||||||
# You may use %u for username here ; special value "<ask>" will ask for a password interactively
|
|
||||||
# WARNING !!!! This is evaluated, everything specified here will be run !
|
|
||||||
# WARNING(2) !!!! Some systems (Linux) use a blocking /dev/random (waiting for enough entropy).
|
|
||||||
# In this case, consider using /dev/urandom instead.
|
|
||||||
#PASSWORDGEN="cat /dev/random | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8"
|
|
||||||
#PASSWORDGEN="pwgen"
|
|
||||||
#PASSWORDGEN="echo changeme"
|
|
||||||
PASSWORDGEN="echo %u"
|
|
||||||
#PASSWORDGEN="<ask>"
|
|
||||||
|
|
||||||
# User passwords recording
|
|
||||||
# you can keep trace of generated passwords setting PASSWORDFILE and RECORDPASSWORDS
|
|
||||||
# (useful when performing a massive creation / net rpc vampire)
|
|
||||||
# WARNING !!!! DO NOT FORGET TO DELETE THE GENERATED FILE WHEN DONE !
|
|
||||||
# WARNING !!!! DO NOT FORGET TO TURN OFF RECORDING WHEN DONE !
|
|
||||||
RECORDPASSWORDS="no"
|
|
||||||
PASSWORDFILE="/var/log/ldapscripts_passwd.log"
|
|
||||||
|
|
||||||
# Where to log
|
|
||||||
LOGFILE="/var/log/ldapscripts.log"
|
|
||||||
|
|
||||||
# Temporary folder
|
|
||||||
TMPDIR="/tmp"
|
|
||||||
|
|
||||||
# Various binaries used within the scripts
|
|
||||||
# Warning : they also use uuencode, date, grep, sed, cut, which...
|
|
||||||
# Please check they are installed before using these scripts
|
|
||||||
# Note that many of them should come with your OS
|
|
||||||
|
|
||||||
# OpenLDAP client commands
|
|
||||||
LDAPSEARCHBIN="/usr/bin/ldapsearch"
|
|
||||||
LDAPADDBIN="/usr/bin/ldapadd"
|
|
||||||
LDAPDELETEBIN="/usr/bin/ldapdelete"
|
|
||||||
LDAPMODIFYBIN="/usr/bin/ldapmodify"
|
|
||||||
LDAPMODRDNBIN="/usr/bin/ldapmodrdn"
|
|
||||||
LDAPPASSWDBIN="/usr/bin/ldappasswd"
|
|
||||||
|
|
||||||
# OpenLDAP client common additional options
|
|
||||||
# This allows for adding more configuration options to the OpenLDAP clients, e.g. '-ZZ' to enforce TLS
|
|
||||||
#LDAPBINOPTS="-ZZ"
|
|
||||||
|
|
||||||
# OpenLDAP ldapsearch-specific additional options
|
|
||||||
# The following option disables long-line wrapping (which makes the scripts bug
|
|
||||||
# when handling long lines). The option was introduced in OpenLDAP 2.4.24, so
|
|
||||||
# comment it if you are using OpenLDAP < 2.4.24.
|
|
||||||
LDAPSEARCHOPTS="-o ldif-wrap=no"
|
|
||||||
# And here is an example to activate paged results
|
|
||||||
#LDAPSEARCHOPTS="-E pr=500/noprompt"
# Character set conversion : $ICONVCHAR <-> UTF-8
# Comment ICONVBIN to disable UTF-8 conversion
# ICONVBIN="/usr/bin/iconv"
# ICONVCHAR=""
# Base64 decoding
# Comment UUDECODEBIN to disable Base64 decoding
#UUDECODEBIN="/usr/bin/uudecode"
# Getent command to use - choose the ones used
# on your system. Leave blank or comment for auto-guess.
# GNU/Linux
GETENTPWCMD="getent passwd"
GETENTGRCMD="getent group"
# FreeBSD
#GETENTPWCMD="pw usershow"
#GETENTGRCMD="pw groupshow"
# Auto
#GETENTPWCMD=""
#GETENTGRCMD=""
# You can specify custom LDIF templates here
# Leave empty to use default templates
# See *.template.sample for default templates
#GTEMPLATE="/path/to/ldapaddgroup.template"
#UTEMPLATE="/path/to/ldapadduser.template"
#MTEMPLATE="/path/to/ldapaddmachine.template"
GTEMPLATE="/usr/local/etc/ldapscripts/ldapaddgroup.template.cgcs"
UTEMPLATE="/usr/local/etc/ldapscripts/ldapadduser.template.cgcs"
UMTEMPLATE="/usr/local/etc/ldapscripts/ldapmoduser.template.cgcs"
STEMPLATE="/usr/local/etc/ldapscripts/ldapaddsudo.template.cgcs"
SMTEMPLATE="/usr/local/etc/ldapscripts/ldapmodsudo.template.cgcs"
MTEMPLATE=""
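--- a/[path not shown on page]
+++ /dev/null
@@ -1 +0,0 @@
-_LDAPADMIN_PW_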
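--- a/[path not shown on page]
+++ /dev/null
@@ -1,15 +0,0 @@
----
-lib/runtime | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/lib/runtime
-+++ b/lib/runtime
-@@ -863,7 +863,7 @@ fi
-# Log command
-if [ "$LOGTOFILE" = "yes" ]
-then
-- log_to_file "$(date '+%b %d %H:%M:%S') $(uname -n | sed 's|\..*$||') ldapscripts: $(basename "$0")($USER): $0 $*"
-+ log_to_file "$(date '+%FT%T') $(uname -n | sed 's|\..*$||') ldapscripts: $(basename "$0")($USER): $0 $*"
-fi
-if [ "$LOGTOSYSLOG" = "yes" ]
-then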
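--- a/[path not shown on page]
+++ /dev/null
@@ -1,352 +0,0 @@
----
-Makefile | 4 +--
-lib/runtime | 15 ++++++++++++
-man/man1/ldapaddsudo.1 | 54 +++++++++++++++++++++++++++++++++++++++++++
-man/man1/ldapdeletesudo.1 | 46 +++++++++++++++++++++++++++++++++++++
-man/man1/ldapdeleteuser.1 | 5 ++--
-man/man1/ldapmodifysudo.1 | 57 ++++++++++++++++++++++++++++++++++++++++++++++
-man/man1/ldapmodifyuser.1 | 15 ++++++++---
-sbin/ldapdeletesudo | 38 ++++++++++++++++++++++++++++++
-sbin/ldapdeleteuser | 5 ++++
-sbin/ldapmodifysudo | 2 -
-10 files changed, 232 insertions(+), 9 deletions(-)
-
---- a/sbin/ldapdeleteuser
-+++ b/sbin/ldapdeleteuser
-@@ -46,6 +46,11 @@ _UDN="$_ENTRY"
-# Delete entry
-_ldapdelete "$_UDN" || end_die "Error deleting user $_UDN from LDAP"
-
-+
-+# Optionally, delete the sudoer entry if it exists
-+_ldapdeletesudo $1
-+[ $? -eq 2 ] && end_die "Found sudoEntry for user $_UDN but unable to delete"
-+
-# Finally, delete this user from all his secondary groups
-case $GCLASS in
-posixGroup)
---- a/sbin/ldapmodifysudo
-+++ b/sbin/ldapmodifysudo
-@@ -1,6 +1,6 @@
-#!/bin/sh
-
--# ldapmodifyuser : modifies a sudo entry in an LDAP directory
-+# ldapmodifysudo : modifies a sudo entry in an LDAP directory
-
-# Copyright (C) 2007-2013 Ganaël LAPLANCHE
-# Copyright (C) 2014 Stephen Crooks
---- /dev/null
-+++ b/sbin/ldapdeletesudo
-@@ -0,0 +1,38 @@
-+#!/bin/sh
-+
-+# ldapdeletesudo : deletes a sudoRole from LDAP
-+
-+# Copyright (C) 2005 Ganaël LAPLANCHE - Linagora
-+# Copyright (C) 2006-2013 Ganaël LAPLANCHE
-+# Copyright (c) 2015 Wind River Systems, Inc.
-+#
-+# This program is free software; you can redistribute it and/or
-+# modify it under the terms of the GNU General Public License
-+# as published by the Free Software Foundation; either version 2
-+# of the License, or (at your option) any later version.
-+#
-+# This program is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+# GNU General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License
-+# along with this program; if not, write to the Free Software
-+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
-+# USA.
-+
-+if [ -z "$1" ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]
-+then
-+ echo "Usage : $0 <username>"
-+ exit 1
-+fi
-+
-+# Source runtime file
-+_RUNTIMEFILE="/usr/lib/ldapscripts/runtime"
-+. "$_RUNTIMEFILE"
-+
-+# Username = first argument
-+_ldapdeletesudo "$1"
-+[ $? -eq 0 ] || end_die "Unable to locate or delete sudoUser entry for $1"
-+
-+end_ok "Successfully deleted sudoUser entry for $1 from LDAP"
---- a/man/man1/ldapmodifyuser.1
-+++ b/man/man1/ldapmodifyuser.1
-@@ -1,4 +1,5 @@
-.\" Copyright (C) 2007-2017 Ganaël LAPLANCHE
-+.\" Copyright (c) 2015 Wind River Systems, Inc.
-.\"
-.\" This program is free software; you can redistribute it and/or
-.\" modify it under the terms of the GNU General Public License
-@@ -19,14 +20,14 @@
-.\" ganael.laplanche@martymac.org
-.\" http://contribs.martymac.org
-.\"
--.TH ldapmodifyuser 1 "August 22, 2007"
-+.TH ldapmodifyuser 1 "December 8, 2015"
-
-.SH NAME
-ldapmodifyuser \- modifies a POSIX user account in LDAP interactively
-
-.SH SYNOPSIS
-.B ldapmodifyuser
--.RB <username | uid>
-+.RB <username | uid> [<add | replace | delete> <field> <value>]
-
-.SH DESCRIPTION
-ldapmodifyuser first looks for the right entry to modify. Once found, the entry is presented and you
-@@ -34,13 +35,18 @@ are prompted to enter LDIF data to modif
-The DN of the entry being modified is already specified : just begin with a changeType attribute or any
-other one(s) of your choice (in this case, the defaut changeType is 'modify').
-
-+Alternatively, if an optional "action" argument <add | replace | delete> is given, followed by a
-+field - value pair then user will not be interactively prompted.
-+
-.SH OPTIONS
-.TP
--.B <username | uid>
-+.B <username | uid> [<add | replace | delete> <field> <value>]
-The name or uid of the user to modify.
-+The optional "action" pertaining to this user entry.
-+The field - value pair on which the action needs to be undertaken.
-
-.SH "SEE ALSO"
--ldapmodifygroup(1), ldapmodifymachine(1), ldapscripts(5).
-+ldapmodifygroup(1), ldapmodifymachine(1), ldapmodifysudo(1), ldapscripts(5).
-
-.SH AVAILABILITY
-The ldapscripts are provided under the GNU General Public License v2 (see COPYING for more details).
---- a/man/man1/ldapdeleteuser.1
-+++ b/man/man1/ldapdeleteuser.1
-@@ -1,4 +1,5 @@
-.\" Copyright (C) 2006-2017 Ganaël LAPLANCHE
-+.\" Copyright (c) 2015 Wind River Systems, Inc.
-.\"
-.\" This program is free software; you can redistribute it and/or
-.\" modify it under the terms of the GNU General Public License
-@@ -19,10 +20,10 @@
-.\" ganael.laplanche@martymac.org
-.\" http://contribs.martymac.org
-.\"
--.TH ldapdeleteuser 1 "January 1, 2006"
-+.TH ldapdeleteuser 1 "December 8, 2015"
-
-.SH NAME
--ldapdeleteuser \- deletes a POSIX user account from LDAP.
-+ldapdeleteuser \- deletes a POSIX user account, and its sudo entry, from LDAP.
-
-.SH SYNOPSIS
-.B ldapdeleteuser
---- /dev/null
-+++ b/man/man1/ldapaddsudo.1
-@@ -0,0 +1,54 @@
-+.\" Copyright (C) 2006-2013 Ganaël LAPLANCHE
-+.\" Copyright (c) 2015 Wind River Systems, Inc.
-+.\"
-+.\" This program is free software; you can redistribute it and/or
-+.\" modify it under the terms of the GNU General Public License
-+.\" as published by the Free Software Foundation; either version 2
-+.\" of the License, or (at your option) any later version.
-+.\"
-+.\" This program is distributed in the hope that it will be useful,
-+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
-+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+.\" GNU General Public License for more details.
-+.\"
-+.\" You should have received a copy of the GNU General Public License
-+.\" along with this program; if not, write to the Free Software
-+.\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
-+.\" USA.
-+.\"
-+.\" Ganael Laplanche
-+.\" ganael.laplanche@martymac.org
-+.\" http://contribs.martymac.org
-+.\"
-+.TH ldapaddsudo 1 "December 8, 2015"
-+
-+.SH NAME
-+ldapaddsudo \- adds a POSIX user account to the sudoer list in LDAP.
-+
-+.SH SYNOPSIS
-+.B ldapaddsudo
-+.RB <username>
-+.RB <groupname | gid>
-+.RB [uid]
-+
-+.SH OPTIONS
-+.TP
-+.B <username>
-+The name of the user to add.
-+.TP
-+.B <groupname | gid>
-+The group name or the gid of the user to add.
-+.TP
-+.B [uid]
-+The uid of the user to add. Automatically computed if not specified.
-+
-+.SH "SEE ALSO"
-+ldapadduser(1), ldapaddgroup(1), ldapaddmachine(1), ldapscripts(5).
-+
-+.SH AVAILABILITY
-+The ldapscripts are provided under the GNU General Public License v2 (see COPYING for more details).
-+The latest version of the ldapscripts is available on :
-+.B http://contribs.martymac.org
-+
-+.SH BUGS
-+No bug known.
---- /dev/null
-+++ b/man/man1/ldapmodifysudo.1
-@@ -0,0 +1,57 @@
-+.\" Copyright (C) 2007-2013 Ganaël LAPLANCHE
-+.\" Copyright (c) 2015 Wind River Systems, Inc.
-+.\"
-+.\" This program is free software; you can redistribute it and/or
-+.\" modify it under the terms of the GNU General Public License
-+.\" as published by the Free Software Foundation; either version 2
-+.\" of the License, or (at your option) any later version.
-+.\"
-+.\" This program is distributed in the hope that it will be useful,
-+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
-+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+.\" GNU General Public License for more details.
-+.\"
-+.\" You should have received a copy of the GNU General Public License
-+.\" along with this program; if not, write to the Free Software
-+.\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
-+.\" USA.
-+.\"
-+.\" Ganael Laplanche
-+.\" ganael.laplanche@martymac.org
-+.\" http://contribs.martymac.org
-+.\"
-+.TH ldapmodifysudo 1 "December 8, 2015"
-+
-+.SH NAME
-+ldapmodifysudo \- modifies the sudo entry of a POSIX user account in LDAP interactively
-+
-+.SH SYNOPSIS
-+.B ldapmodifysudo
-+.RB <username | uid> [<add | replace | delete> <field> <value>]
-+
-+.SH DESCRIPTION
-+ldapmodifysudo first looks for the right entry to modify. Once found, the entry is presented and you
-+are prompted to enter LDIF data to modify it as you would do using a standard LDIF file and ldapmodify(1).
-+The DN of the entry being modified is already specified : just begin with a changeType attribute or any
-+other one(s) of your choice (in this case, the defaut changeType is 'modify').
-+
-+Alternatively, if an optional "action" argument <add | replace | delete> is given, followed by a
-+field - value pair then user will not be interactively prompted.
-+
-+.SH OPTIONS
-+.TP
-+.B <username | uid> [<add | replace | delete> <field> <value>]
-+The name or uid of the user to modify.
-+The optional "action" pertaining to this user entry.
-+The field - value pair on which the action needs to be undertaken.
-+
-+.SH "SEE ALSO"
-+ldapmodifygroup(1), ldapmodifymachine(1), ldapmodifyuser(1), ldapscripts(5).
-+
-+.SH AVAILABILITY
-+The ldapscripts are provided under the GNU General Public License v2 (see COPYING for more details).
-+The latest version of the ldapscripts is available on :
-+.B http://contribs.martymac.org
-+
-+.SH BUGS
-+No bug known.
---- /dev/null
-+++ b/man/man1/ldapdeletesudo.1
-@@ -0,0 +1,46 @@
-+.\" Copyright (C) 2006-2013 Ganaël LAPLANCHE
-+.\" Copyright (c) 2015 Wind River Systems, Inc.
-+.\"
-+.\" This program is free software; you can redistribute it and/or
-+.\" modify it under the terms of the GNU General Public License
-+.\" as published by the Free Software Foundation; either version 2
-+.\" of the License, or (at your option) any later version.
-+.\"
-+.\" This program is distributed in the hope that it will be useful,
-+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
-+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+.\" GNU General Public License for more details.
-+.\"
-+.\" You should have received a copy of the GNU General Public License
-+.\" along with this program; if not, write to the Free Software
-+.\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
-+.\" USA.
-+.\"
-+.\" Ganael Laplanche
-+.\" ganael.laplanche@martymac.org
-+.\" http://contribs.martymac.org
-+.\"
-+.TH ldapdeletesudo 1 "December 8, 2015"
-+
-+.SH NAME
-+ldapdeletesudo \- deletes a sudo entry, for a POSIX user account, in LDAP
-+
-+.SH SYNOPSIS
-+.B ldapdeletesudo
-+.RB <username | uid>
-+
-+.SH OPTIONS
-+.TP
-+.B <username | uid>
-+The name or uid of the user to delete.
-+
-+.SH "SEE ALSO"
-+ldapdeletegroup(1), ldapdeletemachine(1), ldapdeleteuser(1), ldapscripts(5).
-+
-+.SH AVAILABILITY
-+The ldapscripts are provided under the GNU General Public License v2 (see COPYING for more details).
-+The latest version of the ldapscripts is available on :
-+.B http://contribs.martymac.org
-+
-+.SH BUGS
-+No bug known.
---- a/Makefile
-+++ b/Makefile
-@@ -41,12 +41,12 @@ SBINFILES = ldapdeletemachine ldapmodifygroup ldapsetpasswd lsldap ldapadduser |
-ldapdeleteuser ldapsetprimarygroup ldapfinger ldapid ldapgid ldapmodifymachine \
-ldaprenamegroup ldapaddgroup ldapaddusertogroup ldapdeleteuserfromgroup \
-ldapinit ldapmodifyuser ldaprenamemachine ldapaddmachine ldapdeletegroup \
-- ldaprenameuser ldapmodifysudo
-+ ldaprenameuser ldapmodifysudo ldapdeletesudo
-MAN1FILES = ldapdeletemachine.1 ldapmodifymachine.1 ldaprenamemachine.1 ldapadduser.1 \
-ldapdeleteuserfromgroup.1 ldapfinger.1 ldapid.1 ldapgid.1 ldapmodifyuser.1 lsldap.1 \
-ldapaddusertogroup.1 ldaprenameuser.1 ldapinit.1 ldapsetpasswd.1 ldapaddgroup.1 \
-ldapdeletegroup.1 ldapsetprimarygroup.1 ldapmodifygroup.1 ldaprenamegroup.1 \
-- ldapaddmachine.1 ldapdeleteuser.1
-+ ldapaddmachine.1 ldapdeleteuser.1 ldapaddsudo.1 ldapmodifysudo.1 ldapdeletesudo.1
-MAN5FILES = ldapscripts.5
-TMPLFILES = ldapaddgroup.template.sample ldapaddmachine.template.sample \
-ldapadduser.template.sample
---- a/lib/runtime
-+++ b/lib/runtime
-@@ -294,6 +294,21 @@ _ldapdelete () {
-fi
-}
-
-+# Deletes a sudoUser entry in the LDAP directory
-+# Input : POSIX username whose sudo entry to delete ($1)
-+# Output: 0 on successful delete
-+# 1 on being unable to find sudoUser
-+# 2 on being unable to delete found sudoUser entry
-+_ldapdeletesudo () {
-+ [ -z "$1" ] && end_die "_ldapdeletesudo : missing argument"
-+ # Find the entry
-+ _findentry "$SUFFIX" "(&(objectClass=sudoRole)(|(cn=$1)(sudoUser=$1)))"
-+ [ -z "$_ENTRY" ] && return 1
-+
-+ # Now delete that entry
-+ _ldapdelete "$_ENTRY" || return 2
-+}
-+
-# Extracts LDIF information from $0 (the current script itself)
-# selecting lines beginning with $1 occurrences of '#'
-# Input : depth ($1)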
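--- a/[path not shown on page]
+++ /dev/null
@@ -1,289 +0,0 @@
-Index: ldapscripts-2.0.8/sbin/ldapaddsudo
-===================================================================
---- /dev/null
-+++ ldapscripts-2.0.8/sbin/ldapaddsudo
-@@ -0,0 +1,63 @@
-+#!/bin/sh
-+
-+# ldapaddsudo : adds a sudoRole to LDAP
-+
-+# Copyright (C) 2005 Ganaël LAPLANCHE - Linagora
-+# Copyright (C) 2006-2013 Ganaël LAPLANCHE
-+# Copyright (c) 2014 Wind River Systems, Inc.
-+#
-+# This program is free software; you can redistribute it and/or
-+# modify it under the terms of the GNU General Public License
-+# as published by the Free Software Foundation; either version 2
-+# of the License, or (at your option) any later version.
-+#
-+# This program is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+# GNU General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License
-+# along with this program; if not, write to the Free Software
-+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
-+# USA.
-+
-+if [ -z "$1" ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]
-+then
-+ echo "Usage : $0 <username>"
-+ exit 1
-+fi
-+
-+# Source runtime file
-+_RUNTIMEFILE="/usr/lib/ldapscripts/runtime"
-+. "$_RUNTIMEFILE"
-+
-+# Username = first argument
-+_USER="$1"
-+
-+# Use template if necessary
-+if [ -n "$STEMPLATE" ] && [ -r "$STEMPLATE" ]
-+then
-+ _getldif="cat $STEMPLATE"
-+else
-+ _getldif="_extractldif 2"
-+fi
-+
-+# Add sudo entry to LDAP
-+$_getldif | _filterldif | _askattrs | _utf8encode | _ldapadd
-+
-+[ $? -eq 0 ] || end_die "Error adding user $_USER to LDAP"
-+echo_log "Successfully added sudo access for user $_USER to LDAP"
-+
-+end_ok
-+
-+# Ldif template ##################################
-+##dn: cn=<user>,ou=SUDOers,<usuffix>,<suffix>
-+##objectClass: top
-+##objectClass: sudoRole
-+##cn: <user>
-+##sudoUser: <user>
-+##sudoHost: ALL
-+##sudoRunAsUser: ALL
-+##sudoCommand: ALL
-+###sudoOrder: <default: 0, if multiple entries match, this entry with the highest sudoOrder is used>
-+###sudoOption: <specify other sudo specific attributes here>
-Index: ldapscripts-2.0.8/sbin/ldapmodifyuser
-===================================================================
---- ldapscripts-2.0.8.orig/sbin/ldapmodifyuser
-+++ ldapscripts-2.0.8/sbin/ldapmodifyuser
-@@ -19,9 +19,11 @@
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
-# USA.
-
--if [ -z "$1" ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]
-+if [ "$1" = "-h" ] || [ "$1" = "--help" ] || \
-+ [[ "$2" != "add" && "$2" != "replace" && "$2" != "delete" ]] || \
-+ [ "$#" -ne 4 ]
-then
-- echo "Usage : $0 <username | uid>"
-+ echo "Usage : $0 <username | uid> [<add | replace | delete> <field> <value>]"
-exit 1
-fi
-
-@@ -33,21 +35,48 @@ _RUNTIMEFILE="/usr/lib/ldapscripts/runti
-_findentry "$USUFFIX,$SUFFIX" "(&(objectClass=posixAccount)(|(uid=$1)(uidNumber=$1)))"
-[ -z "$_ENTRY" ] && end_die "User $1 not found in LDAP"
-
--# Allocate and create temp file
--mktempf
--echo "dn: $_ENTRY" > "$_TMPFILE" || end_die "Error writing to temporary file $_TMPFILE"
--
--# Display entry
--echo "# About to modify the following entry :"
--_ldapsearch "$_ENTRY"
--
--# Edit entry
--echo "# Enter your modifications here, end with CTRL-D."
--echo "dn: $_ENTRY"
--cat >> "$_TMPFILE" || end_die "Error writing to temporary file $_TMPFILE"
-+# Username = first argument
-+_USER="$1"
-+
-+if [ "$#" -eq 1 ]
-+then
-+ # Allocate and create temp file
-+ mktempf
-+ echo "dn: $_ENTRY" > "$_TMPFILE" || end_die "Error writing to temporary file $_TMPFILE"
-+
-+ # Display entry
-+ echo "# About to modify the following entry :"
-+ _ldapsearch "$_ENTRY"
-+
-+ # Edit entry
-+ echo "# Enter your modifications here, end with CTRL-D."
-+ echo "dn: $_ENTRY"
-+ cat >> "$_TMPFILE" || end_die "Error writing to temporary file $_TMPFILE"
-+
-+ # Send modifications
-+ cat "$_TMPFILE" | _utf8encode | _ldapmodify
-+else
-+ # Action = second argument
-+ _ACTION="$2"
-+
-+ # Field = third argument
-+ _FIELD="$3"
-+
-+ # Value = fourth argument
-+ _VALUE="$4"
-+
-+ # Use template if necessary
-+ if [ -n "$UMTEMPLATE" ] && [ -r "$UMTEMPLATE" ]
-+ then
-+ _getldif="cat $UMTEMPLATE"
-+ else
-+ _getldif="_extractldif 2"
-+ fi
-+
-+ # Modify user in LDAP
-+ $_getldif | _filterldif | _utf8encode | _ldapmodify
-+fi
-
--# Send modifications
--cat "$_TMPFILE" | _utf8encode | _ldapmodify
-if [ $? -ne 0 ]
-then
-reltempf
-@@ -55,3 +84,9 @@ then
-fi
-reltempf
-end_ok "Successfully modified user entry $_ENTRY in LDAP"
-+
-+# Ldif template ##################################
-+##dn: uid=<user>,<usuffix>,<suffix>
-+##changeType: modify
-+##<action>: <field>
-+##<field>: <value>
-Index: ldapscripts-2.0.8/lib/runtime
-===================================================================
---- ldapscripts-2.0.8.orig/lib/runtime
-+++ ldapscripts-2.0.8/lib/runtime
-@@ -344,6 +344,9 @@ s|<msuffix>|$MSUFFIX|g
-s|<_msuffix>|$_MSUFFIX|g
-s|<gsuffix>|$GSUFFIX|g
-s|<_gsuffix>|$_GSUFFIX|g
-+s|<action>|$_ACTION|g
-+s|<field>|$_FIELD|g
-+s|<value>|$_VALUE|g
-EOF
-
-# Use it
-Index: ldapscripts-2.0.8/Makefile
-===================================================================
---- ldapscripts-2.0.8.orig/Makefile
-+++ ldapscripts-2.0.8/Makefile
-@@ -37,11 +37,11 @@ LIBDIR = $(PREFIX)/lib/$(NAME)
-RUNFILE = runtime
-ETCFILE = ldapscripts.conf
-PWDFILE = ldapscripts.passwd
--SBINFILES = ldapdeletemachine ldapmodifygroup ldapsetpasswd lsldap ldapadduser \
-+SBINFILES = ldapdeletemachine ldapmodifygroup ldapsetpasswd lsldap ldapadduser ldapaddsudo \
-ldapdeleteuser ldapsetprimarygroup ldapfinger ldapid ldapgid ldapmodifymachine \
-ldaprenamegroup ldapaddgroup ldapaddusertogroup ldapdeleteuserfromgroup \
-ldapinit ldapmodifyuser ldaprenamemachine ldapaddmachine ldapdeletegroup \
-- ldaprenameuser
-+ ldaprenameuser ldapmodifysudo
-MAN1FILES = ldapdeletemachine.1 ldapmodifymachine.1 ldaprenamemachine.1 ldapadduser.1 \
-ldapdeleteuserfromgroup.1 ldapfinger.1 ldapid.1 ldapgid.1 ldapmodifyuser.1 lsldap.1 \
-ldapaddusertogroup.1 ldaprenameuser.1 ldapinit.1 ldapsetpasswd.1 ldapaddgroup.1 \
-Index: ldapscripts-2.0.8/sbin/ldapmodifysudo
-===================================================================
---- /dev/null
-+++ ldapscripts-2.0.8/sbin/ldapmodifysudo
-@@ -0,0 +1,93 @@
-+#!/bin/sh
-+
-+# ldapmodifyuser : modifies a sudo entry in an LDAP directory
-+
-+# Copyright (C) 2007-2013 Ganaël LAPLANCHE
-+# Copyright (C) 2014 Stephen Crooks
-+#
-+# This program is free software; you can redistribute it and/or
-+# modify it under the terms of the GNU General Public License
-+# as published by the Free Software Foundation; either version 2
-+# of the License, or (at your option) any later version.
-+#
-+# This program is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+# GNU General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License
-+# along with this program; if not, write to the Free Software
-+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
-+# USA.
-+
-+if [ "$1" = "-h" ] || [ "$1" = "--help" ] || \
-+ [[ "$2" != "add" && "$2" != "replace" && "$2" != "delete" ]] || \
-+ [ "$#" -ne 4 ]
-+then
-+ echo "Usage : $0 <username | uid> [<add | replace | delete> <field> <value>]"
-+ exit 1
-+fi
-+
-+# Source runtime file
-+_RUNTIMEFILE="/usr/lib/ldapscripts/runtime"
-+. "$_RUNTIMEFILE"
-+
-+# Find username : $1 must exist in LDAP !
-+_findentry "$SUFFIX" "(&(objectClass=sudoRole)(|(cn=$1)(sudoUser=$1)))"
-+[ -z "$_ENTRY" ] && end_die "Sudo user $1 not found in LDAP"
-+
-+# Username = first argument
-+_USER="$1"
-+
-+if [ "$#" -eq 1 ]
-+then
-+ # Allocate and create temp file
-+ mktempf
-+ echo "dn: $_ENTRY" > "$_TMPFILE" || end_die "Error writing to temporary file $_TMPFILE"
-+
-+ # Display entry
-+ echo "# About to modify the following entry :"
-+ _ldapsearch "$_ENTRY"
-+
-+ # Edit entry
-+ echo "# Enter your modifications here, end with CTRL-D."
-+ echo "dn: $_ENTRY"
-+ cat >> "$_TMPFILE" || end_die "Error writing to temporary file $_TMPFILE"
-+
-+ # Send modifications
-+ cat "$_TMPFILE" | _utf8encode | _ldapmodify
-+else
-+ # Action = second argument
-+ _ACTION="$2"
-+
-+ # Field = third argument
-+ _FIELD="$3"
-+
-+ # Value = fourth argument
-+ _VALUE="$4"
-+
-+ # Use template if necessary
-+ if [ -n "$SMTEMPLATE" ] && [ -r "$SMTEMPLATE" ]
-+ then
-+ _getldif="cat $SMTEMPLATE"
-+ else
-+ _getldif="_extractldif 2"
-+ fi
-+
-+ # Modify user in LDAP
-+ $_getldif | _filterldif | _utf8encode | _ldapmodify
-+fi
-+
-+if [ $? -ne 0 ]
-+then
-+ reltempf
-+ end_die "Error modifying sudo entry $_ENTRY in LDAP"
-+fi
-+reltempf
-+end_ok "Successfully modified sudo entry $_ENTRY in LDAP"
-+
-+# Ldif template ##################################
-+##dn: cn=<user>,ou=SUDOers,<suffix>
-+##changeType: modify
-+##<action>: <field>
-+##<field>: <value>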