From 39bc6c35f15dc90edd5160a9e6486222cb2748ab Mon Sep 17 00:00:00 2001 From: Yue Tao Date: Thu, 23 Sep 2021 14:06:31 +0800 Subject: [PATCH] Add debian package for ldapscripts Porting all CentOS patches, and also align the file permission with CentOS. Test Plan: Verify the building, installing and booting test PASS: Verify package build PASS: Verify system install PASS: Verify system boot Story: 2009221 Task: 43415 Signed-off-by: Yue Tao Change-Id: I7766d4aa26420c6f701a0dffaa7e9bf6b77e0c75 --- .../debian-align-permission-with-centos.patch | 24 ++ .../debian-install-cgcs-files.patch | 23 ++ ldap/ldapscripts/debian/deb_patches/series | 2 + ldap/ldapscripts/debian/meta_data.yaml | 9 + ...allow-anonymous-bind-for-ldap-search.patch | 38 ++ .../patches/ldap-user-setup-support.patch | 354 ++++++++++++++++++ .../patches/ldapscripts-templates.patch | 216 +++++++++++ .../debian/patches/log_timestamp.patch | 15 + ldap/ldapscripts/debian/patches/series | 6 + .../debian/patches/sudo-delete-support.patch | 352 +++++++++++++++++ .../debian/patches/sudo-support.patch | 289 ++++++++++++++ 11 files changed, 1328 insertions(+) create mode 100644 ldap/ldapscripts/debian/deb_patches/debian-align-permission-with-centos.patch create mode 100644 ldap/ldapscripts/debian/deb_patches/debian-install-cgcs-files.patch create mode 100644 ldap/ldapscripts/debian/deb_patches/series create mode 100644 ldap/ldapscripts/debian/meta_data.yaml create mode 100644 ldap/ldapscripts/debian/patches/allow-anonymous-bind-for-ldap-search.patch create mode 100644 ldap/ldapscripts/debian/patches/ldap-user-setup-support.patch create mode 100644 ldap/ldapscripts/debian/patches/ldapscripts-templates.patch create mode 100644 ldap/ldapscripts/debian/patches/log_timestamp.patch create mode 100644 ldap/ldapscripts/debian/patches/series create mode 100644 ldap/ldapscripts/debian/patches/sudo-delete-support.patch create mode 100644 ldap/ldapscripts/debian/patches/sudo-support.patch 
diff --git a/ldap/ldapscripts/debian/deb_patches/debian-align-permission-with-centos.patch b/ldap/ldapscripts/debian/deb_patches/debian-align-permission-with-centos.patch new file mode 100644 index 000000000..7c939ab1a --- /dev/null +++ b/ldap/ldapscripts/debian/deb_patches/debian-align-permission-with-centos.patch @@ -0,0 +1,24 @@ +Align the permission with the CentOS, and remove the +ldapaddmachine.template.sample which is deleted during +CentOS install step. + +Signed-off-by: Yue Tao + +--- a/debian/rules ++++ b/debian/rules +@@ -17,6 +17,7 @@ override_dh_auto_install: + install -m 644 ldapaddsudo.template.cgcs debian/ldapscripts/usr/local/etc/ldapscripts + install -m 644 ldapmodsudo.template.cgcs debian/ldapscripts/usr/local/etc/ldapscripts + install -m 600 ldapscripts.passwd debian/ldapscripts/usr/local/etc/ldapscripts ++ rm -rf ./debian/ldapscripts/usr/local/etc/ldapscripts/ldapaddmachine.template.sample + + override_dh_installdocs: + dh_installdocs README TODO +@@ -29,3 +30,7 @@ override_dh_installexamples: + + override_dh_fixperms: + dh_fixperms --exclude etc/ldapscripts/ldapscripts.passwd ++ chmod 440 ./debian/ldapscripts/usr/lib/ldapscripts/runtime ++ chmod 440 ./debian/ldapscripts/usr/local/etc/ldapscripts/ldapaddgroup.template.sample ++ chmod 440 ./debian/ldapscripts/usr/local/etc/ldapscripts/ldapadduser.template.sample ++ chmod 440 ./debian/ldapscripts/usr/local/etc/ldapscripts/ldapscripts.conf.sample diff --git a/ldap/ldapscripts/debian/deb_patches/debian-install-cgcs-files.patch b/ldap/ldapscripts/debian/deb_patches/debian-install-cgcs-files.patch new file mode 100644 index 000000000..b151ce17e --- /dev/null +++ b/ldap/ldapscripts/debian/deb_patches/debian-install-cgcs-files.patch 
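Review bot: `rm -rf` is used to remove one regular file in the `override_dh_auto_install` addition; `rm -f ./debian/ldapscripts/usr/local/etc/ldapscripts/ldapaddmachine.template.sample` does the same job without a recursive delete in a packaging recipe. The four `chmod 440` lines appended to `override_dh_fixperms` tighten files that dh_fixperms has just normalised, and nothing in the patch records why these four (and not the `.cgcs` copies installed with mode 644 by the sibling patch) must be readable by owner and group only; a comment such as `# Match CentOS: runtime and the sample templates are not world-readable` above them would make the intent reviewable. Since `usr/lib/ldapscripts/runtime` is sourced by every ldapscripts command, a caller outside the file's owner/group will now fail at `. "$_RUNTIMEFILE"` — presumably intended, but worth stating in that comment.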
@@ -0,0 +1,23 @@ +--- a/debian/rules ++++ b/debian/rules +@@ -3,10 +3,20 @@ + %: + dh $@ + ++override_dh_usrlocal: ++ + override_dh_auto_install: + $(MAKE) install DESTDIR=debian/ldapscripts PREFIX=/usr ETCDIR=/etc/ldapscripts LIBDIR=/usr/share/ldapscripts MANDIR=/usr/share/man + cp debian/runtime.debian debian/ldapscripts/usr/share/ldapscripts + rm debian/ldapscripts/etc/ldapscripts/*.sample ++ $(MAKE) install DESTDIR=debian/ldapscripts PREFIX=/usr ETCDIR=/usr/local/etc/ldapscripts ++ install -m 644 ldapscripts.conf.cgcs debian/ldapscripts/usr/local/etc/ldapscripts ++ install -m 644 ldapadduser.template.cgcs debian/ldapscripts/usr/local/etc/ldapscripts ++ install -m 644 ldapaddgroup.template.cgcs debian/ldapscripts/usr/local/etc/ldapscripts ++ install -m 644 ldapmoduser.template.cgcs debian/ldapscripts/usr/local/etc/ldapscripts ++ install -m 644 ldapaddsudo.template.cgcs debian/ldapscripts/usr/local/etc/ldapscripts ++ install -m 644 ldapmodsudo.template.cgcs debian/ldapscripts/usr/local/etc/ldapscripts ++ install -m 600 ldapscripts.passwd debian/ldapscripts/usr/local/etc/ldapscripts + + override_dh_installdocs: + dh_installdocs README TODO diff --git a/ldap/ldapscripts/debian/deb_patches/series b/ldap/ldapscripts/debian/deb_patches/series new file mode 100644 index 000000000..916363b3f --- /dev/null +++ b/ldap/ldapscripts/debian/deb_patches/series @@ -0,0 +1,2 @@ +debian-install-cgcs-files.patch +debian-align-permission-with-centos.patch diff --git a/ldap/ldapscripts/debian/meta_data.yaml b/ldap/ldapscripts/debian/meta_data.yaml new file mode 100644 index 000000000..ac2a0d5a1 --- /dev/null +++ b/ldap/ldapscripts/debian/meta_data.yaml @@ -0,0 +1,9 @@ +--- +debver: 2.0.8-2 +dl_path: + name: 2.0.8-2.tar.gz + url: https://github.com/gerasiov/ldapscripts/archive/refs/tags/debian/2.0.8-2.tar.gz + md5sum: f7c5d518d23319f0dd408cff4057a100 +revision: + dist: $STX_DIST + PKG_GITREVCOUNT: 
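Review bot: The empty `override_dh_usrlocal:` target added to `debian/rules` switches off dh_usrlocal's check that a Debian package does not ship files under /usr/local, and nothing explains the deviation; a comment above it such as `# Files are deliberately installed under /usr/local/etc/ldapscripts to match the CentOS layout; skip the dh_usrlocal policy check` lets the next maintainer judge it. The second `$(MAKE) install` re-runs the whole upstream install with a different ETCDIR, so the sbin, lib and man files are installed a second time into the same paths; if only the `.sample` files are wanted under /usr/local, installing just those is cleaner and avoids relying on the upstream install being idempotent. `ldapscripts.passwd` is installed with mode 600, which is right for a raw bind password; the existing `dh_fixperms --exclude etc/ldapscripts/ldapscripts.passwd` context line matches the new path only because `--exclude` is a substring match, so it is worth confirming the mode on the built package rather than assuming it.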
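Review bot: `md5sum` is the only integrity value recorded for the `dl_path` tarball; MD5 detects transmission corruption but is not collision-resistant, so if the tooling that consumes `meta_data.yaml` accepts a SHA-256 digest, record that as well or instead. The URL is a forge-generated `archive/refs/tags/...` tarball, which is not guaranteed to stay byte-identical over time, so a later checksum mismatch may mean regeneration rather than tampering; if the tooling supports pinning the upstream commit alongside the tag, that makes the provenance unambiguous.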
diff --git a/ldap/ldapscripts/debian/patches/allow-anonymous-bind-for-ldap-search.patch b/ldap/ldapscripts/debian/patches/allow-anonymous-bind-for-ldap-search.patch
new file mode 100644
index 000000000..e2e012977
--- /dev/null
+++ b/ldap/ldapscripts/debian/patches/allow-anonymous-bind-for-ldap-search.patch
@@ -0,0 +1,38 @@
+From bee43b9f75ee7a2cee0391319528264014d775f7 Mon Sep 17 00:00:00 2001
+From: Kam Nasim
+Date: Mon, 16 Apr 2018 14:58:03 -0400
+Subject: [PATCH] ldapscripts - allow anonymous bind for ldap search
+
+---
+ lib/runtime | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/lib/runtime b/lib/runtime
+index 012ac95..18acf3f 100644
+--- a/lib/runtime
++++ b/lib/runtime
+@@ -197,8 +197,11 @@ _ldapsearch () {
+ elif [ -n "$BINDPWDFILE" ]
+ then
+ $LDAPSEARCHBIN $LDAPBINOPTS $LDAPSEARCHOPTS -y "$BINDPWDFILE" -D "$BINDDN" -b "${1:-$SUFFIX}" -xH "$SERVER" -s sub -LLL "${2:-(objectclass=*)}" "${3:-*}" 2>>"$LOGFILE"
+- else
++ elif [ -n "$BINDPWD" ]
++ then
+ $LDAPSEARCHBIN $LDAPBINOPTS $LDAPSEARCHOPTS -w "$BINDPWD" -D "$BINDDN" -b "${1:-$SUFFIX}" -xH "$SERVER" -s sub -LLL "${2:-(objectclass=*)}" "${3:-*}" 2>>"$LOGFILE"
++ else
++ $LDAPSEARCHBIN $LDAPBINOPTS $LDAPSEARCHOPTS -D "$BINDDN" -b "${1:-$SUFFIX}" -xH "$SERVER" -s sub -LLL "${2:-(objectclass=*)}" "${3:-*}" 2>>"$LOGFILE"
+ fi
+ }
+
+@@ -785,7 +788,7 @@ then
+ then
+ warn_log "Warning : using command-line passwords, ldapscripts may not be safe"
+ else
+- end_die "Unable to read password file $BINDPWDFILE, exiting..."
++ warn_log "Warning: Unable to read password file $BINDPWDFILE, binding anonymously..."
+ fi
+ fi
+ fi
+--
+1.8.3.1
+
diff --git a/ldap/ldapscripts/debian/patches/ldap-user-setup-support.patch b/ldap/ldapscripts/debian/patches/ldap-user-setup-support.patch
new file mode 100644
index 000000000..f2b723eab
--- /dev/null
+++ b/ldap/ldapscripts/debian/patches/ldap-user-setup-support.patch
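Review bot: The second inner hunk (runtime line 791) turns an unreadable `$BINDPWDFILE` from a fatal error into a warning, but only `_ldapsearch` gained an anonymous branch in the first hunk; if the other `_ldap*` helpers still pass `-y "$BINDPWDFILE"` (not visible here), write commands now get past the startup check and fail later with a less clear ldap error, and a misconfigured password file is no longer caught up front. A safer shape keeps the fallback read-only: leave the `warn_log` here, and add `[ -r "$BINDPWDFILE" ] || end_die "Unable to read password file $BINDPWDFILE, exiting..."` to the write helpers before they bind. The new anonymous `_ldapsearch` branch also still passes `-D "$BINDDN"` with no credential, which a server may treat as an unauthenticated bind and reject depending on its configuration; omitting `-D` entirely is the unambiguous anonymous form. The enclosing `_ldapsearch` function starts outside the hunk.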
@@ -0,0 +1,354 @@ +--- + Makefile | 5 +- + man/man1/ldapusersetup.1 | 60 +++++++++++ + sbin/ldapusersetup | 254 +++++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 317 insertions(+), 2 deletions(-) + create mode 100644 man/man1/ldapusersetup.1 + create mode 100644 sbin/ldapusersetup + +diff --git a/sbin/ldapusersetup b/sbin/ldapusersetup +new file mode 100644 +index 0000000..27d12dc +--- /dev/null ++++ b/sbin/ldapusersetup +@@ -0,0 +1,254 @@ ++#!/bin/sh ++ ++# ldapusersetup : interactive setup for adding users to LDAP ++ ++# Copyright (c) 2015 Wind River Systems, Inc. ++# ++# This program is free software; you can redistribute it and/or ++# modify it under the terms of the GNU General Public License ++# as published by the Free Software Foundation; either version 2 ++# of the License, or (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program; if not, write to the Free Software ++# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, ++# USA. ++ ++if [ "$1" = "-h" ] || [ "$1" = "--help" ] || [ "$#" -eq 1 ] ++then ++ echo "Usage : $0 [-u ] ++where accepted field(s) are as follows: ++--sudo : whether to add this user to sudoer list ++--secondgroup : the secondary group to add this user to ++--passmax : the shadowMax value for this user ++--passwarning : the shadowWarning value for this user" ++ exit 1 ++fi ++ ++# Source runtime file ++_RUNTIMEFILE="/usr/lib/ldapscripts/runtime" ++. 
"$_RUNTIMEFILE" ++ ++# runtime defaults ++_DEFAULTGRP2="sys_protected" ++_BASHSHELL="/bin/bash" ++_DEFAULTSHADOWMAX="90" ++_DEFAULTSHADOWWARNING="2" ++_SHELL="" ++ ++### Helper functions ### ++ ++# Gets input from user and validates it. ++# Will only return if input meets validation ++# criteria otherwise will just sit there. ++# ++# Input : input string ($1), valid output options ($2) ++# Output: the validated input ++# Note : the validation list must be an array ++LdapUserInput () { ++declare -a optionAry=("${!2}") ++while true; do ++ read -p "$1" _output ++ # convert to lower case ++ _output2=${_output,,} ++ # check if output is a valid option ++ if [[ "${optionAry[@]}" =~ "$_output2" ]]; then ++ break ++ else ++ echo "Invalid input \"$_output\". Allowed options: ${optionAry[@]}" >&2 ++ fi ++done ++ echo "$_output2" ++} ++ ++# Delete an ldap user if it exists ++# and exit with error ++# Input : username ($1), exit msg ($2) ++# Output : none ++LdapRollback() { ++ ldapdeleteuser "$1" ++ end_die "$2" ++} ++ ++# Add an ldap user and exit on failure ++# Input : username ($1) ++# Output : none ++LdapAddUser() { ++ ldapadduser "$1" users ++ [ $? -eq 0 ] || end_die "Critical setup error: cannot add user" ++} ++ ++# Replace Login Shell and call Rollback on failure ++# Input : username ($1), shell to set ($2) ++# Output : none ++LdapAddLoginShell () { ++ # Support bash only now. ++ _SHELL="$_BASHSHELL" ++ # Replace the login shell ++ ldapmodifyuser $1 replace loginShell $_SHELL &> /dev/null ++ [ $? -eq 0 ] || LdapRollback $1 "Critical setup error: cannot set login shell" ++} ++ ++# Add user to sudoer list ++# Input : username ($1) ++# Output : true or false ++LdapAddSudo() { ++ ldapaddsudo "$1" 2> /dev/null ++ [ $? 
-eq 0 ] || \ ++ echo_log "Non critical setup error: cannot add to sudoer list" ++} ++ ++# Add user to a secondary user group ++# Input : username ($1), user group ($2) ++# Output : true or false ++LdapSecondaryGroup () { ++ _newGrp="$2" ++ [ -z "$2" ] && _newGrp=$_DEFAULTGRP2 ++ ++ ldapaddusertogroup $1 $_newGrp ++ [ $? -eq 0 ] || \ ++ echo_log "Non critical setup error: cannot add $1 to $_newGrp" ++} ++ ++# Update shadowMax for user ++# Input : username ($1), shadow Max value ($2) ++# Output : none ++LdapUpdateShadowMax () { ++ _newShadow="$2" ++ ! [[ "$2" =~ ^[0-9]+$ ]] || [ -z "$2" ] \ ++ && _newShadow=$_DEFAULTSHADOWMAX ++ ++ ldapmodifyuser $1 replace shadowMax $_newShadow ++ echo "Updating password expiry to $_newShadow days" ++} ++ ++# Update shadowWarning for user ++# Input : username ($1), shadow Warning value ($2) ++# Output : none ++LdapUpdateShadowWarning () { ++ _newWarning="$2" ++ ! [[ "$2" =~ ^[0-9]+$ ]] || [ -z "$2" ] \ ++ && _newWarning=$_DEFAULTSHADOWWARNING ++ ++ ldapmodifyuser $1 replace shadowWarning $_newWarning ++ echo "Updating password expiry to $_newWarning days" ++} ++ ++# Since this setup script is meant to be a ++# wrapper on top of existing ldap scripts, ++# it share invoke those... we could have achieved ++# loose coupling by not relying on helpers but ++# at the expense of massively redundant code ++# duplication. ++declare -a helper_scripts=("ldapadduser" "ldapaddsudo" "ldapmodifyuser" "ldapaddusertogroup" "$_BASHSHELL") ++ ++# Do some quick sanity tests to make sure ++# helper scripts are present ++for src in "${helper_scripts[@]}"; do ++ if ! type "$src" &>/dev/null; then ++ end_die "Cannot locate $src. Update your PATH variable" ++ fi ++done ++ ++if [ "$#" -eq 0 ]; then ++ # This setup collects all attributes ++ # interactively during runtime ++ echo -n "Enter username to add to LDAP: " ++ read _username ++ LdapAddUser "$_username" ++ ++ # Replace the login shell. Only bash is supported now. 
++ LdapAddLoginShell "$_username" ++ ++ # Should sudo be activated for this user ++ echo -n "Add $_username to sudoer list? (yes/NO): " ++ read CONFIRM ++ CONFIRM=${CONFIRM,,} ++ ++ if is_yes $CONFIRM ++ then ++ LdapAddSudo "$_username" ++ fi ++ ++ # Add to secondary user group ++ shellInput="Add $_username to secondary user group? (yes/NO): " ++ options=( "yes", "no" ) ++ CONFIRM=`LdapUserInput "$shellInput" options[@]` ++ if is_yes $CONFIRM ++ then ++ echo -n "Secondary group to add user to? [$_DEFAULTGRP2]: " ++ read _grp2 ++ LdapSecondaryGroup $_username $_grp2 ++ fi ++ ++ # Set password expiry ++ echo -n "Enter days after which user password must \ ++be changed [$_DEFAULTSHADOWMAX]: " ++ read _shadowMax ++ LdapUpdateShadowMax $_username $_shadowMax ++ ++ # Set password warning ++ echo -n "Enter days before password is to expire that \ ++user is warned [$_DEFAULTSHADOWWARNING]: " ++ read _shadowWarning ++ LdapUpdateShadowWarning $_username $_shadowWarning ++ ++else ++ # we have to read command line option ++ while [[ $# > 1 ]] ++ do ++ key="$1" ++ ++ case $key in ++ -u|--user) # compulsory ++ _username="$2" ++ shift ++ ;; ++ --sudo) # optional ++ _sudo="yes" ++ ;; ++ --passmax) # optional ++ _shadowMax="$2" ++ shift ++ ;; ++ --passwarning) # optional ++ _shadowWarning="$2" ++ shift ++ ;; ++ --secondgroup) # optional ++ _grpConfirm="1" ++ _grp2="$2" ++ shift ++ ;; ++ *) ++ ++ ;; ++ esac ++ shift ++ done ++ ++ # Add LDAP user ++ [ -z "$_username" ] && end_die "No username argument specified" ++ LdapAddUser $_username ++ ++ # Change Login Shell ++ LdapAddLoginShell $_username "$_loginshell" ++ ++ # Add sudo if required ++ if is_yes $_sudo ++ then ++ LdapAddSudo "$_username" ++ fi ++ ++ # Add secondary group if required ++ [ -z "$_grpConfirm" ] || LdapSecondaryGroup $_username $_grp2 ++ ++ # Password modifications ++ LdapUpdateShadowMax $_username $_shadowMax ++ LdapUpdateShadowWarning $_username $_shadowWarning ++fi +diff --git a/Makefile b/Makefile +index 
f81c272..6e5b193 100644 +--- a/Makefile ++++ b/Makefile +@@ -41,12 +41,13 @@ SBINFILES = ldapdeletemachine ldapmodifygroup ldapsetpasswd lsldap ldapadduser l + ldapdeleteuser ldapsetprimarygroup ldapfinger ldapid ldapgid ldapmodifymachine \ + ldaprenamegroup ldapaddgroup ldapaddusertogroup ldapdeleteuserfromgroup \ + ldapinit ldapmodifyuser ldaprenamemachine ldapaddmachine ldapdeletegroup \ +- ldaprenameuser ldapmodifysudo ldapdeletesudo ++ ldaprenameuser ldapmodifysudo ldapdeletesudo ldapusersetup + MAN1FILES = ldapdeletemachine.1 ldapmodifymachine.1 ldaprenamemachine.1 ldapadduser.1 \ + ldapdeleteuserfromgroup.1 ldapfinger.1 ldapid.1 ldapgid.1 ldapmodifyuser.1 lsldap.1 \ + ldapaddusertogroup.1 ldaprenameuser.1 ldapinit.1 ldapsetpasswd.1 ldapaddgroup.1 \ + ldapdeletegroup.1 ldapsetprimarygroup.1 ldapmodifygroup.1 ldaprenamegroup.1 \ +- ldapaddmachine.1 ldapdeleteuser.1 ldapaddsudo.1 ldapmodifysudo.1 ldapdeletesudo.1 ++ ldapaddmachine.1 ldapdeleteuser.1 ldapaddsudo.1 ldapmodifysudo.1 \ ++ ldapdeletesudo.1 ldapusersetup.1 + MAN5FILES = ldapscripts.5 + TMPLFILES = ldapaddgroup.template.sample ldapaddmachine.template.sample \ + ldapadduser.template.sample +diff --git a/man/man1/ldapusersetup.1 b/man/man1/ldapusersetup.1 +new file mode 100644 +index 0000000..9b3129b +--- /dev/null ++++ b/man/man1/ldapusersetup.1 +@@ -0,0 +1,60 @@ ++.\" Copyright (c) 2015 Wind River Systems, Inc. ++.\" ++.\" This program is free software; you can redistribute it and/or ++.\" modify it under the terms of the GNU General Public License ++.\" as published by the Free Software Foundation; either version 2 ++.\" of the License, or (at your option) any later version. ++.\" ++.\" This program is distributed in the hope that it will be useful, ++.\" but WITHOUT ANY WARRANTY; without even the implied warranty of ++.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++.\" GNU General Public License for more details. 
++.\" ++.\" You should have received a copy of the GNU General Public License ++.\" along with this program; if not, write to the Free Software ++.\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, ++.\" USA. ++.\" ++.\" Kam Nasim ++.\" knasim@windriver.com ++.\" ++.TH ldapusersetup 1 "December 16, 2015" ++ ++.SH NAME ++ldapusersetup \- wizard for adding an LDAP user to CGCS. ++ ++.SH SYNOPSIS ++.B ldapusersetup ++ ++.SH DESCRIPTION ++ldapusersetup interactively walks through the process of creating an LDAP user ++for access to CGCS services. The user is prompted for: ++- username ++- if a sudoEntry needs to be created ++- if a secondary user group needs to be added ++- user password expiry and warning configuration ++Alternatively, the user may provide these parameters as command line actions. ++Look at the OPTIONS section for more information. ++ ++To delete the user and all its group associations, simply use ldapdeleteuser(1) ++ ++.SH OPTIONS ++.TP ++.B [-u ] ++The name or uid of the user to modify. ++The following fields are available as long format options: ++--sudo : whether to add this user to sudoer list ++--secondgroup : the secondary group to add this user to ++--passmax : the shadowMax value for this user ++--passwarning : the shadowWarning value for this user" ++ ++.SH "SEE ALSO" ++ldapdeleteuser(1), ldapaddgroup(1), ldapaddusertogroup(1), ldapmodifyuser(1), ldapscripts(5). ++ ++.SH AVAILABILITY ++The ldapscripts are provided under the GNU General Public License v2 (see COPYING for more details). ++The latest version of the ldapscripts is available on : ++.B http://contribs.martymac.org ++ ++.SH BUGS ++No bug known. diff --git a/ldap/ldapscripts/debian/patches/ldapscripts-templates.patch b/ldap/ldapscripts/debian/patches/ldapscripts-templates.patch new file mode 100644 index 000000000..554c8ba48 --- /dev/null +++ b/ldap/ldapscripts/debian/patches/ldapscripts-templates.patch 
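Review bot: `sbin/ldapusersetup` declares `#!/bin/sh` but uses bash-only constructs throughout (`declare -a`, `${_output,,}`, `[[ … ]]`, `read -p`, `&>`), so on Debian, where /bin/sh is dash, it stops at the first `declare`; change the shebang to `#!/bin/bash`, which the script already probes for via `_BASHSHELL`. The option loop `while [[ $# > 1 ]]` exits when one argument remains, so a flag given last (for example a trailing `--sudo`) is silently ignored; `while [ $# -gt 0 ]` with the existing `shift` logic handles it. In `LdapUserInput`, `options=( "yes", "no" )` stores the element `yes,` and the substring test `[[ "${optionAry[@]}" =~ "$_output2" ]]` accepts an empty reply and any fragment such as `e`, which is not the validation the header comment promises; an exact comparison against each element is, as below. The unquoted `$1`/`$_grp2` expansions in the helper calls should be quoted the way `LdapAddUser` already quotes `"$1"`, and the man page carries a stray trailing `"` after the `--passwarning` line.
```bash
#!/bin/bash
# … unchanged: licence header, usage, runtime sourcing, defaults …
LdapUserInput () {
    local -a optionAry=("${!2}")
    local _output _output2 _opt
    while true; do
        read -p "$1" _output
        # convert to lower case
        _output2=${_output,,}
        # accept only an exact, whole-word match against the allowed options
        for _opt in "${optionAry[@]}"; do
            [ "$_output2" = "$_opt" ] && { echo "$_output2"; return 0; }
        done
        echo "Invalid input \"$_output\". Allowed options: ${optionAry[@]}" >&2
    done
}
# … unchanged: other helpers, interactive branch …
    options=( "yes" "no" )
# … unchanged …
    while [ $# -gt 0 ]
# … unchanged: case dispatch and remaining setup steps …
```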
@@ -0,0 +1,216 @@ +Add this files from CentOS version + +Signed-off-by: Yue Tao +--- /dev/null ++++ ldapscripts-2.0.8/ldapaddgroup.template.cgcs +@@ -0,0 +1,5 @@ ++dn: cn=,, ++objectClass: posixGroup ++cn: ++gidNumber: ++description: Group account +--- /dev/null ++++ ldapscripts-2.0.8/ldapaddsudo.template.cgcs +@@ -0,0 +1,10 @@ ++dn: cn=,ou=SUDOers, ++objectClass: top ++objectClass: sudoRole ++cn: ++sudoUser: ++sudoHost: ALL ++sudoRunAsUser: ALL ++sudoCommand: ALL ++#sudoOrder: ++#sudoOption: +--- /dev/null ++++ ldapscripts-2.0.8/ldapadduser.template.cgcs +@@ -0,0 +1,16 @@ ++dn: uid=,, ++objectClass: account ++objectClass: posixAccount ++objectClass: shadowAccount ++objectClass: top ++cn: ++uid: ++uidNumber: ++gidNumber: ++shadowMax: 99999 ++shadowWarning: 7 ++shadowLastChange: 0 ++homeDirectory: ++loginShell: ++gecos: ++description: User account +--- /dev/null ++++ ldapscripts-2.0.8/ldapmodsudo.template.cgcs +@@ -0,0 +1,4 @@ ++dn: cn=,ou=SUDOers, ++changeType: modify ++: ++: +--- /dev/null ++++ ldapscripts-2.0.8/ldapmoduser.template.cgcs +@@ -0,0 +1,4 @@ ++dn: uid=,, ++changeType: modify ++: ++: +--- /dev/null ++++ ldapscripts-2.0.8/ldapscripts.conf.cgcs +@@ -0,0 +1,152 @@ ++# Copyright (C) 2005 Ganaël LAPLANCHE - Linagora ++# Copyright (C) 2006-2013 Ganaël LAPLANCHE ++# ++# This program is free software; you can redistribute it and/or ++# modify it under the terms of the GNU General Public License ++# as published by the Free Software Foundation; either version 2 ++# of the License, or (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. 
++# ++# You should have received a copy of the GNU General Public License ++# along with this program; if not, write to the Free Software ++# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, ++# USA. ++ ++# LDAP server ++SERVER="ldap://controller" ++ ++# Suffixes ++SUFFIX="dc=cgcs,dc=local" # Global suffix ++GSUFFIX="ou=Group" # Groups ou (just under $SUFFIX) ++USUFFIX="ou=People" # Users ou (just under $SUFFIX) ++MSUFFIX="ou=Machines" # Machines ou (just under $SUFFIX) ++ ++# Authentication type ++# If empty, use simple authentication ++# Else, use the value as an SASL authentication mechanism ++SASLAUTH="" ++#SASLAUTH="GSSAPI" ++ ++# Simple authentication parameters ++# The following BIND* parameters are ignored if SASLAUTH is set ++BINDDN="cn=ldapadmin,dc=cgcs,dc=local" ++# The following file contains the raw password of the BINDDN ++# Create it with something like : echo -n 'secret' > $BINDPWDFILE ++# WARNING !!!! Be careful not to make this file world-readable ++BINDPWDFILE="/usr/local/etc/ldapscripts/ldapscripts.passwd" ++# For older versions of OpenLDAP, it is still possible to use ++# unsecure command-line passwords by defining the following option ++# AND commenting the previous one (BINDPWDFILE takes precedence) ++#BINDPWD="secret" ++ ++# Start with these IDs *if no entry found in LDAP* ++GIDSTART="10000" # Group ID ++UIDSTART="10000" # User ID ++MIDSTART="20000" # Machine ID ++ ++# Group membership management ++# ObjectCLass used for groups ++# Possible values : posixGroup, groupOfNames, groupOfUniqueNames (case-sensitive !) ++# Warning : when using groupOf*, be sure to be compliant with RFC 2307bis (AUXILIARY posixGroup). ++# Also, do not mix posixGroup and groupOf* entries up in you directory as, within RFC 2307bis, ++# the former is a subset of the latter. The ldapscripts wouldn't cope well with this configuration. ++GCLASS="posixGroup" # Leave "posixGroup" here if not sure ! 
++# When using groupOfNames or groupOfUniqueNames, creating a group requires an initial ++# member. Specify it below, you will be able to remove it once groups are populated. ++#GDUMMYMEMBER="uid=dummy,$USUFFIX,$SUFFIX" ++ ++# User properties ++USHELL="/bin/sh" ++UHOMES="/home/%u" # You may use %u for username here ++CREATEHOMES="no" # Create home directories and set rights ? ++HOMESKEL="/etc/skel" # Directory where the skeleton files are located. Ignored if undefined or nonexistant. ++HOMEPERMS="700" # Default permissions for home directories ++ ++# User passwords generation ++# Command-line used to generate a password for added users. ++# You may use %u for username here ; special value "" will ask for a password interactively ++# WARNING !!!! This is evaluated, everything specified here will be run ! ++# WARNING(2) !!!! Some systems (Linux) use a blocking /dev/random (waiting for enough entropy). ++# In this case, consider using /dev/urandom instead. ++#PASSWORDGEN="cat /dev/random | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8" ++#PASSWORDGEN="pwgen" ++#PASSWORDGEN="echo changeme" ++PASSWORDGEN="echo %u" ++#PASSWORDGEN="" ++ ++# User passwords recording ++# you can keep trace of generated passwords setting PASSWORDFILE and RECORDPASSWORDS ++# (useful when performing a massive creation / net rpc vampire) ++# WARNING !!!! DO NOT FORGET TO DELETE THE GENERATED FILE WHEN DONE ! ++# WARNING !!!! DO NOT FORGET TO TURN OFF RECORDING WHEN DONE ! ++RECORDPASSWORDS="no" ++PASSWORDFILE="/var/log/ldapscripts_passwd.log" ++ ++# Where to log ++LOGFILE="/var/log/ldapscripts.log" ++ ++# Temporary folder ++TMPDIR="/tmp" ++ ++# Various binaries used within the scripts ++# Warning : they also use uuencode, date, grep, sed, cut, which... 
++# Please check they are installed before using these scripts ++# Note that many of them should come with your OS ++ ++# OpenLDAP client commands ++LDAPSEARCHBIN="/usr/bin/ldapsearch" ++LDAPADDBIN="/usr/bin/ldapadd" ++LDAPDELETEBIN="/usr/bin/ldapdelete" ++LDAPMODIFYBIN="/usr/bin/ldapmodify" ++LDAPMODRDNBIN="/usr/bin/ldapmodrdn" ++LDAPPASSWDBIN="/usr/bin/ldappasswd" ++ ++# OpenLDAP client common additional options ++# This allows for adding more configuration options to the OpenLDAP clients, e.g. '-ZZ' to enforce TLS ++#LDAPBINOPTS="-ZZ" ++ ++# OpenLDAP ldapsearch-specific additional options ++# The following option disables long-line wrapping (which makes the scripts bug ++# when handling long lines). The option was introduced in OpenLDAP 2.4.24, so ++# comment it if you are using OpenLDAP < 2.4.24. ++LDAPSEARCHOPTS="-o ldif-wrap=no" ++# And here is an example to activate paged results ++#LDAPSEARCHOPTS="-E pr=500/noprompt" ++ ++# Character set conversion : $ICONVCHAR <-> UTF-8 ++# Comment ICONVBIN to disable UTF-8 conversion ++# ICONVBIN="/usr/bin/iconv" ++# ICONVCHAR="" ++ ++# Base64 decoding ++# Comment UUDECODEBIN to disable Base64 decoding ++#UUDECODEBIN="/usr/bin/uudecode" ++ ++# Getent command to use - choose the ones used ++# on your system. Leave blank or comment for auto-guess. 
++# GNU/Linux
++GETENTPWCMD="getent passwd"
++GETENTGRCMD="getent group"
++# FreeBSD
++#GETENTPWCMD="pw usershow"
++#GETENTGRCMD="pw groupshow"
++# Auto
++#GETENTPWCMD=""
++#GETENTGRCMD=""
++
++# You can specify custom LDIF templates here
++# Leave empty to use default templates
++# See *.template.sample for default templates
++#GTEMPLATE="/path/to/ldapaddgroup.template"
++#UTEMPLATE="/path/to/ldapadduser.template"
++#MTEMPLATE="/path/to/ldapaddmachine.template"
++GTEMPLATE="/usr/local/etc/ldapscripts/ldapaddgroup.template.cgcs"
++UTEMPLATE="/usr/local/etc/ldapscripts/ldapadduser.template.cgcs"
++UMTEMPLATE="/usr/local/etc/ldapscripts/ldapmoduser.template.cgcs"
++STEMPLATE="/usr/local/etc/ldapscripts/ldapaddsudo.template.cgcs"
++SMTEMPLATE="/usr/local/etc/ldapscripts/ldapmodsudo.template.cgcs"
++MTEMPLATE=""
+--- /dev/null
++++ ldapscripts-2.0.8/ldapscripts.passwd
+@@ -0,0 +1 @@
++_LDAPADMIN_PW_
diff --git a/ldap/ldapscripts/debian/patches/log_timestamp.patch b/ldap/ldapscripts/debian/patches/log_timestamp.patch
new file mode 100644
index 000000000..a521d0ed5
--- /dev/null
+++ b/ldap/ldapscripts/debian/patches/log_timestamp.patch
@@ -0,0 +1,15 @@
+---
+ lib/runtime | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/runtime
++++ b/lib/runtime
+@@ -863,7 +863,7 @@ fi
+ # Log command
+ if [ "$LOGTOFILE" = "yes" ]
+ then
+- log_to_file "$(date '+%b %d %H:%M:%S') $(uname -n | sed 's|\..*$||') ldapscripts: $(basename "$0")($USER): $0 $*"
++ log_to_file "$(date '+%FT%T') $(uname -n | sed 's|\..*$||') ldapscripts: $(basename "$0")($USER): $0 $*"
+ fi
+ if [ "$LOGTOSYSLOG" = "yes" ]
+ then
diff --git a/ldap/ldapscripts/debian/patches/series b/ldap/ldapscripts/debian/patches/series
new file mode 100644
index 000000000..e51d3e41d
--- /dev/null
+++ b/ldap/ldapscripts/debian/patches/series
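Review bot: `PASSWORDGEN="echo %u"` in `ldapscripts.conf.cgcs` gives every account created by ldapadduser an initial password equal to its username, and `ldapscripts.passwd` ships as the literal `_LDAPADMIN_PW_`, so both are safe only if deployment tooling replaces them, and neither the conf nor the packaging says so. Add a comment beside `PASSWORDGEN` such as `# Initial password equals the username; shadowLastChange: 0 in ldapadduser.template.cgcs is relied on to force a change at first login — confirm pam honours it for LDAP accounts`, and a note in debian/rules on who substitutes the placeholder, since the passwd file is read raw and cannot carry a comment itself. With `SERVER="ldap://controller"` and `#LDAPBINOPTS="-ZZ"` left commented, the bind password travels without TLS unless something outside this file enforces it; if the controller offers StartTLS, uncommenting `LDAPBINOPTS="-ZZ"` is the one-line fix. The template's `shadowMax: 99999` is only overridden by the 90-day default when accounts are created through ldapusersetup, which is worth stating next to it.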
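Review bot: The new `date '+%FT%T'` format still carries no UTC offset, so entries in `$LOGFILE` stay ambiguous across DST transitions and when correlated with logs from other hosts; `date '+%FT%T%z'` gives an unambiguous timestamp at no extra cost and keeps the line sortable. The `if [ "$LOGTOFILE" = "yes" ]` block is shown in full, but the surrounding startup code of lib/runtime is outside the hunk.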
@@ -0,0 +1,6 @@
+sudo-support.patch
+sudo-delete-support.patch
+log_timestamp.patch
+ldap-user-setup-support.patch
+allow-anonymous-bind-for-ldap-search.patch
+ldapscripts-templates.patch
diff --git a/ldap/ldapscripts/debian/patches/sudo-delete-support.patch b/ldap/ldapscripts/debian/patches/sudo-delete-support.patch
new file mode 100644
index 000000000..ed0d48e3f
--- /dev/null
+++ b/ldap/ldapscripts/debian/patches/sudo-delete-support.patch
@@ -0,0 +1,352 @@ +--- + Makefile | 4 +-- + lib/runtime | 15 ++++++++++++ + man/man1/ldapaddsudo.1 | 54 +++++++++++++++++++++++++++++++++++++++++++ + man/man1/ldapdeletesudo.1 | 46 +++++++++++++++++++++++++++++++++++++ + man/man1/ldapdeleteuser.1 | 5 ++-- + man/man1/ldapmodifysudo.1 | 57 ++++++++++++++++++++++++++++++++++++++++++++++ + man/man1/ldapmodifyuser.1 | 15 ++++++++--- + sbin/ldapdeletesudo | 38 ++++++++++++++++++++++++++++++ + sbin/ldapdeleteuser | 5 ++++ + sbin/ldapmodifysudo | 2 - + 10 files changed, 232 insertions(+), 9 deletions(-) + +--- a/sbin/ldapdeleteuser ++++ b/sbin/ldapdeleteuser +@@ -46,6 +46,11 @@ _UDN="$_ENTRY" + # Delete entry + _ldapdelete "$_UDN" || end_die "Error deleting user $_UDN from LDAP" + ++ ++# Optionally, delete the sudoer entry if it exists ++_ldapdeletesudo $1 ++[ $? -eq 2 ] && end_die "Found sudoEntry for user $_UDN but unable to delete" ++ + # Finally, delete this user from all his secondary groups + case $GCLASS in + posixGroup) +--- a/sbin/ldapmodifysudo ++++ b/sbin/ldapmodifysudo +@@ -1,6 +1,6 @@ + #!/bin/sh + +-# ldapmodifyuser : modifies a sudo entry in an LDAP directory ++# ldapmodifysudo : modifies a sudo entry in an LDAP directory + + # Copyright (C) 2007-2013 Ganaël LAPLANCHE + # Copyright (C) 2014 Stephen Crooks +--- /dev/null ++++ b/sbin/ldapdeletesudo +@@ -0,0 +1,38 @@ ++#!/bin/sh ++ ++# ldapdeletesudo : deletes a sudoRole from LDAP ++ ++# Copyright (C) 2005 Ganaël LAPLANCHE - Linagora ++# Copyright (C) 2006-2013 Ganaël LAPLANCHE ++# Copyright (c) 2015 Wind River Systems, Inc. ++# ++# This program is free software; you can redistribute it and/or ++# modify it under the terms of the GNU General Public License ++# as published by the Free Software Foundation; either version 2 ++# of the License, or (at your option) any later version. 
++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program; if not, write to the Free Software ++# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, ++# USA. ++ ++if [ -z "$1" ] || [ "$1" = "-h" ] || [ "$1" = "--help" ] ++then ++ echo "Usage : $0 " ++ exit 1 ++fi ++ ++# Source runtime file ++_RUNTIMEFILE="/usr/lib/ldapscripts/runtime" ++. "$_RUNTIMEFILE" ++ ++# Username = first argument ++_ldapdeletesudo "$1" ++[ $? -eq 0 ] || end_die "Unable to locate or delete sudoUser entry for $1" ++ ++end_ok "Successfully deleted sudoUser entry for $1 from LDAP" +--- a/man/man1/ldapmodifyuser.1 ++++ b/man/man1/ldapmodifyuser.1 +@@ -1,4 +1,5 @@ + .\" Copyright (C) 2007-2017 Ganaël LAPLANCHE ++.\" Copyright (c) 2015 Wind River Systems, Inc. + .\" + .\" This program is free software; you can redistribute it and/or + .\" modify it under the terms of the GNU General Public License +@@ -19,14 +20,14 @@ + .\" ganael.laplanche@martymac.org + .\" http://contribs.martymac.org + .\" +-.TH ldapmodifyuser 1 "August 22, 2007" ++.TH ldapmodifyuser 1 "December 8, 2015" + + .SH NAME + ldapmodifyuser \- modifies a POSIX user account in LDAP interactively + + .SH SYNOPSIS + .B ldapmodifyuser +-.RB ++.RB [ ] + + .SH DESCRIPTION + ldapmodifyuser first looks for the right entry to modify. Once found, the entry is presented and you +@@ -34,13 +35,18 @@ are prompted to enter LDIF data to modif + The DN of the entry being modified is already specified : just begin with a changeType attribute or any + other one(s) of your choice (in this case, the defaut changeType is 'modify'). 
+ ++Alternatively, if an optional "action" argument is given, followed by a ++field - value pair then user will not be interactively prompted. ++ + .SH OPTIONS + .TP +-.B ++.B [ ] + The name or uid of the user to modify. ++The optional "action" pertaining to this user entry. ++The field - value pair on which the action needs to be undertaken. + + .SH "SEE ALSO" +-ldapmodifygroup(1), ldapmodifymachine(1), ldapscripts(5). ++ldapmodifygroup(1), ldapmodifymachine(1), ldapmodifysudo(1), ldapscripts(5). + + .SH AVAILABILITY + The ldapscripts are provided under the GNU General Public License v2 (see COPYING for more details). +--- a/man/man1/ldapdeleteuser.1 ++++ b/man/man1/ldapdeleteuser.1 +@@ -1,4 +1,5 @@ + .\" Copyright (C) 2006-2017 Ganaël LAPLANCHE ++.\" Copyright (c) 2015 Wind River Systems, Inc. + .\" + .\" This program is free software; you can redistribute it and/or + .\" modify it under the terms of the GNU General Public License +@@ -19,10 +20,10 @@ + .\" ganael.laplanche@martymac.org + .\" http://contribs.martymac.org + .\" +-.TH ldapdeleteuser 1 "January 1, 2006" ++.TH ldapdeleteuser 1 "December 8, 2015" + + .SH NAME +-ldapdeleteuser \- deletes a POSIX user account from LDAP. ++ldapdeleteuser \- deletes a POSIX user account, and its sudo entry, from LDAP. + + .SH SYNOPSIS + .B ldapdeleteuser +--- /dev/null ++++ b/man/man1/ldapaddsudo.1 +@@ -0,0 +1,54 @@ ++.\" Copyright (C) 2006-2013 Ganaël LAPLANCHE ++.\" Copyright (c) 2015 Wind River Systems, Inc. ++.\" ++.\" This program is free software; you can redistribute it and/or ++.\" modify it under the terms of the GNU General Public License ++.\" as published by the Free Software Foundation; either version 2 ++.\" of the License, or (at your option) any later version. ++.\" ++.\" This program is distributed in the hope that it will be useful, ++.\" but WITHOUT ANY WARRANTY; without even the implied warranty of ++.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the ++.\" GNU General Public License for more details. ++.\" ++.\" You should have received a copy of the GNU General Public License ++.\" along with this program; if not, write to the Free Software ++.\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, ++.\" USA. ++.\" ++.\" Ganael Laplanche ++.\" ganael.laplanche@martymac.org ++.\" http://contribs.martymac.org ++.\" ++.TH ldapaddsudo 1 "December 8, 2015" ++ ++.SH NAME ++ldapaddsudo \- adds a POSIX user account to the sudoer list in LDAP. ++ ++.SH SYNOPSIS ++.B ldapaddsudo ++.RB ++.RB ++.RB [uid] ++ ++.SH OPTIONS ++.TP ++.B ++The name of the user to add. ++.TP ++.B ++The group name or the gid of the user to add. ++.TP ++.B [uid] ++The uid of the user to add. Automatically computed if not specified. ++ ++.SH "SEE ALSO" ++ldapadduser(1), ldapaddgroup(1), ldapaddmachine(1), ldapscripts(5). ++ ++.SH AVAILABILITY ++The ldapscripts are provided under the GNU General Public License v2 (see COPYING for more details). ++The latest version of the ldapscripts is available on : ++.B http://contribs.martymac.org ++ ++.SH BUGS ++No bug known. +--- /dev/null ++++ b/man/man1/ldapmodifysudo.1 +@@ -0,0 +1,57 @@ ++.\" Copyright (C) 2007-2013 Ganaël LAPLANCHE ++.\" Copyright (c) 2015 Wind River Systems, Inc. ++.\" ++.\" This program is free software; you can redistribute it and/or ++.\" modify it under the terms of the GNU General Public License ++.\" as published by the Free Software Foundation; either version 2 ++.\" of the License, or (at your option) any later version. ++.\" ++.\" This program is distributed in the hope that it will be useful, ++.\" but WITHOUT ANY WARRANTY; without even the implied warranty of ++.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++.\" GNU General Public License for more details. 
++.\" ++.\" You should have received a copy of the GNU General Public License ++.\" along with this program; if not, write to the Free Software ++.\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, ++.\" USA. ++.\" ++.\" Ganael Laplanche ++.\" ganael.laplanche@martymac.org ++.\" http://contribs.martymac.org ++.\" ++.TH ldapmodifysudo 1 "December 8, 2015" ++ ++.SH NAME ++ldapmodifysudo \- modifies the sudo entry of a POSIX user account in LDAP interactively ++ ++.SH SYNOPSIS ++.B ldapmodifysudo ++.RB [ ] ++ ++.SH DESCRIPTION ++ldapmodifysudo first looks for the right entry to modify. Once found, the entry is presented and you ++are prompted to enter LDIF data to modify it as you would do using a standard LDIF file and ldapmodify(1). ++The DN of the entry being modified is already specified : just begin with a changeType attribute or any ++other one(s) of your choice (in this case, the defaut changeType is 'modify'). ++ ++Alternatively, if an optional "action" argument is given, followed by a ++field - value pair then user will not be interactively prompted. ++ ++.SH OPTIONS ++.TP ++.B [ ] ++The name or uid of the user to modify. ++The optional "action" pertaining to this user entry. ++The field - value pair on which the action needs to be undertaken. ++ ++.SH "SEE ALSO" ++ldapmodifygroup(1), ldapmodifymachine(1), ldapmodifyuser(1), ldapscripts(5). ++ ++.SH AVAILABILITY ++The ldapscripts are provided under the GNU General Public License v2 (see COPYING for more details). ++The latest version of the ldapscripts is available on : ++.B http://contribs.martymac.org ++ ++.SH BUGS ++No bug known. +--- /dev/null ++++ b/man/man1/ldapdeletesudo.1 +@@ -0,0 +1,46 @@ ++.\" Copyright (C) 2006-2013 Ganaël LAPLANCHE ++.\" Copyright (c) 2015 Wind River Systems, Inc. 
++.\" ++.\" This program is free software; you can redistribute it and/or ++.\" modify it under the terms of the GNU General Public License ++.\" as published by the Free Software Foundation; either version 2 ++.\" of the License, or (at your option) any later version. ++.\" ++.\" This program is distributed in the hope that it will be useful, ++.\" but WITHOUT ANY WARRANTY; without even the implied warranty of ++.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++.\" GNU General Public License for more details. ++.\" ++.\" You should have received a copy of the GNU General Public License ++.\" along with this program; if not, write to the Free Software ++.\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, ++.\" USA. ++.\" ++.\" Ganael Laplanche ++.\" ganael.laplanche@martymac.org ++.\" http://contribs.martymac.org ++.\" ++.TH ldapdeletesudo 1 "December 8, 2015" ++ ++.SH NAME ++ldapdeletesudo \- deletes a sudo entry, for a POSIX user account, in LDAP ++ ++.SH SYNOPSIS ++.B ldapdeletesudo ++.RB ++ ++.SH OPTIONS ++.TP ++.B ++The name or uid of the user to delete. ++ ++.SH "SEE ALSO" ++ldapdeletegroup(1), ldapdeletemachine(1), ldapdeleteuser(1), ldapscripts(5). ++ ++.SH AVAILABILITY ++The ldapscripts are provided under the GNU General Public License v2 (see COPYING for more details). ++The latest version of the ldapscripts is available on : ++.B http://contribs.martymac.org ++ ++.SH BUGS ++No bug known. 
+--- a/Makefile ++++ b/Makefile +@@ -41,12 +41,12 @@ SBINFILES = ldapdeletemachine ldapmodifygroup ldapsetpasswd lsldap ldapadduser | + ldapdeleteuser ldapsetprimarygroup ldapfinger ldapid ldapgid ldapmodifymachine \ + ldaprenamegroup ldapaddgroup ldapaddusertogroup ldapdeleteuserfromgroup \ + ldapinit ldapmodifyuser ldaprenamemachine ldapaddmachine ldapdeletegroup \ +- ldaprenameuser ldapmodifysudo ++ ldaprenameuser ldapmodifysudo ldapdeletesudo + MAN1FILES = ldapdeletemachine.1 ldapmodifymachine.1 ldaprenamemachine.1 ldapadduser.1 \ + ldapdeleteuserfromgroup.1 ldapfinger.1 ldapid.1 ldapgid.1 ldapmodifyuser.1 lsldap.1 \ + ldapaddusertogroup.1 ldaprenameuser.1 ldapinit.1 ldapsetpasswd.1 ldapaddgroup.1 \ + ldapdeletegroup.1 ldapsetprimarygroup.1 ldapmodifygroup.1 ldaprenamegroup.1 \ +- ldapaddmachine.1 ldapdeleteuser.1 ++ ldapaddmachine.1 ldapdeleteuser.1 ldapaddsudo.1 ldapmodifysudo.1 ldapdeletesudo.1 + MAN5FILES = ldapscripts.5 + TMPLFILES = ldapaddgroup.template.sample ldapaddmachine.template.sample \ + ldapadduser.template.sample +--- a/lib/runtime ++++ b/lib/runtime +@@ -294,6 +294,21 @@ _ldapdelete () { + fi + } + ++# Deletes a sudoUser entry in the LDAP directory ++# Input : POSIX username whose sudo entry to delete ($1) ++# Output: 0 on successful delete ++# 1 on being unable to find sudoUser ++# 2 on being unable to delete found sudoUser entry ++_ldapdeletesudo () { ++ [ -z "$1" ] && end_die "_ldapdeletesudo : missing argument" ++ # Find the entry ++ _findentry "$SUFFIX" "(&(objectClass=sudoRole)(|(cn=$1)(sudoUser=$1)))" ++ [ -z "$_ENTRY" ] && return 1 ++ ++ # Now delete that entry ++ _ldapdelete "$_ENTRY" || return 2 ++} ++ + # Extracts LDIF information from $0 (the current script itself) + # selecting lines beginning with $1 occurrences of '#' + # Input : depth ($1) diff --git a/ldap/ldapscripts/debian/patches/sudo-support.patch b/ldap/ldapscripts/debian/patches/sudo-support.patch new file mode 100644 index 000000000..76fff9422 --- /dev/null 
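Review bot: `_ldapdeletesudo` in lib/runtime interpolates its argument straight into the LDAP filter `(&(objectClass=sudoRole)(|(cn=$1)(sudoUser=$1)))` and then deletes whatever `_findentry` returns, so an argument containing filter metacharacters such as `*` or `)` can select, and remove, a sudoRole other than the one intended. The existing lookups in this codebase build filters the same way (compare `(|(uid=$1)(uidNumber=$1))` in ldapmodifyuser), but deleting a sudo grant is the more damaging outcome, so escape per RFC 4515 first: `_sudoname=$(printf '%s' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g')` and use `$_sudoname` in the filter. Note also that the `sudoUser=$1` match deletes the whole role even when it lists several sudoUser values; if shared roles exist in this deployment, removing only that attribute value would be the safer default. In ldapdeleteuser the call should be quoted, `_ldapdeletesudo "$1"`, consistent with the rest of the script.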
+++ b/ldap/ldapscripts/debian/patches/sudo-support.patch 
@@ -0,0 +1,289 @@ +Index: ldapscripts-2.0.8/sbin/ldapaddsudo +=================================================================== +--- /dev/null ++++ ldapscripts-2.0.8/sbin/ldapaddsudo +@@ -0,0 +1,63 @@ ++#!/bin/sh ++ ++# ldapaddsudo : adds a sudoRole to LDAP ++ ++# Copyright (C) 2005 Ganaël LAPLANCHE - Linagora ++# Copyright (C) 2006-2013 Ganaël LAPLANCHE ++# Copyright (c) 2014 Wind River Systems, Inc. ++# ++# This program is free software; you can redistribute it and/or ++# modify it under the terms of the GNU General Public License ++# as published by the Free Software Foundation; either version 2 ++# of the License, or (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program; if not, write to the Free Software ++# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, ++# USA. ++ ++if [ -z "$1" ] || [ "$1" = "-h" ] || [ "$1" = "--help" ] ++then ++ echo "Usage : $0 " ++ exit 1 ++fi ++ ++# Source runtime file ++_RUNTIMEFILE="/usr/lib/ldapscripts/runtime" ++. "$_RUNTIMEFILE" ++ ++# Username = first argument ++_USER="$1" ++ ++# Use template if necessary ++if [ -n "$STEMPLATE" ] && [ -r "$STEMPLATE" ] ++then ++ _getldif="cat $STEMPLATE" ++else ++ _getldif="_extractldif 2" ++fi ++ ++# Add sudo entry to LDAP ++$_getldif | _filterldif | _askattrs | _utf8encode | _ldapadd ++ ++[ $? 
-eq 0 ] || end_die "Error adding user $_USER to LDAP" ++echo_log "Successfully added sudo access for user $_USER to LDAP" ++ ++end_ok ++ ++# Ldif template ################################## ++##dn: cn=,ou=SUDOers,, ++##objectClass: top ++##objectClass: sudoRole ++##cn: ++##sudoUser: ++##sudoHost: ALL ++##sudoRunAsUser: ALL ++##sudoCommand: ALL ++###sudoOrder: ++###sudoOption: +Index: ldapscripts-2.0.8/sbin/ldapmodifyuser +=================================================================== +--- ldapscripts-2.0.8.orig/sbin/ldapmodifyuser ++++ ldapscripts-2.0.8/sbin/ldapmodifyuser +@@ -19,9 +19,11 @@ + # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, + # USA. + +-if [ -z "$1" ] || [ "$1" = "-h" ] || [ "$1" = "--help" ] ++if [ "$1" = "-h" ] || [ "$1" = "--help" ] || \ ++ [[ "$2" != "add" && "$2" != "replace" && "$2" != "delete" ]] || \ ++ [ "$#" -ne 4 ] + then +- echo "Usage : $0 " ++ echo "Usage : $0 [ ]" + exit 1 + fi + +@@ -33,21 +35,48 @@ _RUNTIMEFILE="/usr/lib/ldapscripts/runti + _findentry "$USUFFIX,$SUFFIX" "(&(objectClass=posixAccount)(|(uid=$1)(uidNumber=$1)))" + [ -z "$_ENTRY" ] && end_die "User $1 not found in LDAP" + +-# Allocate and create temp file +-mktempf +-echo "dn: $_ENTRY" > "$_TMPFILE" || end_die "Error writing to temporary file $_TMPFILE" +- +-# Display entry +-echo "# About to modify the following entry :" +-_ldapsearch "$_ENTRY" +- +-# Edit entry +-echo "# Enter your modifications here, end with CTRL-D." +-echo "dn: $_ENTRY" +-cat >> "$_TMPFILE" || end_die "Error writing to temporary file $_TMPFILE" ++# Username = first argument ++_USER="$1" ++ ++if [ "$#" -eq 1 ] ++then ++ # Allocate and create temp file ++ mktempf ++ echo "dn: $_ENTRY" > "$_TMPFILE" || end_die "Error writing to temporary file $_TMPFILE" ++ ++ # Display entry ++ echo "# About to modify the following entry :" ++ _ldapsearch "$_ENTRY" ++ ++ # Edit entry ++ echo "# Enter your modifications here, end with CTRL-D." 
++ echo "dn: $_ENTRY" ++ cat >> "$_TMPFILE" || end_die "Error writing to temporary file $_TMPFILE" ++ ++ # Send modifications ++ cat "$_TMPFILE" | _utf8encode | _ldapmodify ++else ++ # Action = second argument ++ _ACTION="$2" ++ ++ # Field = third argument ++ _FIELD="$3" ++ ++ # Value = fourth argument ++ _VALUE="$4" ++ ++ # Use template if necessary ++ if [ -n "$UMTEMPLATE" ] && [ -r "$UMTEMPLATE" ] ++ then ++ _getldif="cat $UMTEMPLATE" ++ else ++ _getldif="_extractldif 2" ++ fi ++ ++ # Modify user in LDAP ++ $_getldif | _filterldif | _utf8encode | _ldapmodify ++fi + +-# Send modifications +-cat "$_TMPFILE" | _utf8encode | _ldapmodify + if [ $? -ne 0 ] + then + reltempf +@@ -55,3 +84,9 @@ then + fi + reltempf + end_ok "Successfully modified user entry $_ENTRY in LDAP" ++ ++# Ldif template ################################## ++##dn: uid=,, ++##changeType: modify ++##: ++##: +Index: ldapscripts-2.0.8/lib/runtime +=================================================================== +--- ldapscripts-2.0.8.orig/lib/runtime ++++ ldapscripts-2.0.8/lib/runtime +@@ -344,6 +344,9 @@ s||$MSUFFIX|g + s|<_msuffix>|$_MSUFFIX|g + s||$GSUFFIX|g + s|<_gsuffix>|$_GSUFFIX|g ++s||$_ACTION|g ++s||$_FIELD|g ++s||$_VALUE|g + EOF + + # Use it +Index: ldapscripts-2.0.8/Makefile +=================================================================== +--- ldapscripts-2.0.8.orig/Makefile ++++ ldapscripts-2.0.8/Makefile +@@ -37,11 +37,11 @@ LIBDIR = $(PREFIX)/lib/$(NAME) + RUNFILE = runtime + ETCFILE = ldapscripts.conf + PWDFILE = ldapscripts.passwd +-SBINFILES = ldapdeletemachine ldapmodifygroup ldapsetpasswd lsldap ldapadduser \ ++SBINFILES = ldapdeletemachine ldapmodifygroup ldapsetpasswd lsldap ldapadduser ldapaddsudo \ + ldapdeleteuser ldapsetprimarygroup ldapfinger ldapid ldapgid ldapmodifymachine \ + ldaprenamegroup ldapaddgroup ldapaddusertogroup ldapdeleteuserfromgroup \ + ldapinit ldapmodifyuser ldaprenamemachine ldapaddmachine ldapdeletegroup \ +- ldaprenameuser ++ ldaprenameuser 
ldapmodifysudo + MAN1FILES = ldapdeletemachine.1 ldapmodifymachine.1 ldaprenamemachine.1 ldapadduser.1 \ + ldapdeleteuserfromgroup.1 ldapfinger.1 ldapid.1 ldapgid.1 ldapmodifyuser.1 lsldap.1 \ + ldapaddusertogroup.1 ldaprenameuser.1 ldapinit.1 ldapsetpasswd.1 ldapaddgroup.1 \ +Index: ldapscripts-2.0.8/sbin/ldapmodifysudo +=================================================================== +--- /dev/null ++++ ldapscripts-2.0.8/sbin/ldapmodifysudo +@@ -0,0 +1,93 @@ ++#!/bin/sh ++ ++# ldapmodifyuser : modifies a sudo entry in an LDAP directory ++ ++# Copyright (C) 2007-2013 Ganaël LAPLANCHE ++# Copyright (C) 2014 Stephen Crooks ++# ++# This program is free software; you can redistribute it and/or ++# modify it under the terms of the GNU General Public License ++# as published by the Free Software Foundation; either version 2 ++# of the License, or (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program; if not, write to the Free Software ++# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, ++# USA. ++ ++if [ "$1" = "-h" ] || [ "$1" = "--help" ] || \ ++ [[ "$2" != "add" && "$2" != "replace" && "$2" != "delete" ]] || \ ++ [ "$#" -ne 4 ] ++then ++ echo "Usage : $0 [ ]" ++ exit 1 ++fi ++ ++# Source runtime file ++_RUNTIMEFILE="/usr/lib/ldapscripts/runtime" ++. "$_RUNTIMEFILE" ++ ++# Find username : $1 must exist in LDAP ! 
++_findentry "$SUFFIX" "(&(objectClass=sudoRole)(|(cn=$1)(sudoUser=$1)))" ++[ -z "$_ENTRY" ] && end_die "Sudo user $1 not found in LDAP" ++ ++# Username = first argument ++_USER="$1" ++ ++if [ "$#" -eq 1 ] ++then ++ # Allocate and create temp file ++ mktempf ++ echo "dn: $_ENTRY" > "$_TMPFILE" || end_die "Error writing to temporary file $_TMPFILE" ++ ++ # Display entry ++ echo "# About to modify the following entry :" ++ _ldapsearch "$_ENTRY" ++ ++ # Edit entry ++ echo "# Enter your modifications here, end with CTRL-D." ++ echo "dn: $_ENTRY" ++ cat >> "$_TMPFILE" || end_die "Error writing to temporary file $_TMPFILE" ++ ++ # Send modifications ++ cat "$_TMPFILE" | _utf8encode | _ldapmodify ++else ++ # Action = second argument ++ _ACTION="$2" ++ ++ # Field = third argument ++ _FIELD="$3" ++ ++ # Value = fourth argument ++ _VALUE="$4" ++ ++ # Use template if necessary ++ if [ -n "$SMTEMPLATE" ] && [ -r "$SMTEMPLATE" ] ++ then ++ _getldif="cat $SMTEMPLATE" ++ else ++ _getldif="_extractldif 2" ++ fi ++ ++ # Modify user in LDAP ++ $_getldif | _filterldif | _utf8encode | _ldapmodify ++fi ++ ++if [ $? -ne 0 ] ++then ++ reltempf ++ end_die "Error modifying sudo entry $_ENTRY in LDAP" ++fi ++reltempf ++end_ok "Successfully modified sudo entry $_ENTRY in LDAP" ++ ++# Ldif template ################################## ++##dn: cn=,ou=SUDOers, ++##changeType: modify ++##: ++##:
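Review bot: The argument check shared by the new ldapmodifyuser and ldapmodifysudo, `[[ "$2" != "add" && "$2" != "replace" && "$2" != "delete" ]]`, is a bash construct inside a `#!/bin/sh` script; on Debian, where /bin/sh is dash, `[[` is not a command, that disjunct fails quietly and the action whitelist is never enforced, so an arbitrary `$2` reaches the `s|…|$_ACTION|g` substitution in lib/runtime and the generated LDIF. Independently of the shell, the trailing `[ "$#" -ne 4 ]` makes the one-argument interactive path (`if [ "$#" -eq 1 ]`) unreachable, because any single-argument call exits with the usage message first (under bash the empty `$2` would fail the `[[` test as well). A POSIX `case` on `$#` and `$2` fixes both; the placeholder names in the usage string appear to have been stripped from this rendering, so that message is left as is below. Separately, `_FIELD` and `_VALUE` are substituted into the sed script unescaped, so a value containing `|`, `&` or `\` will break or alter the LDIF — worth rejecting those characters here or escaping them in `_filterldif`.
```shell
_usage () {
    # … unchanged: usage message …
    exit 1
}

case "$#" in
    1) case "$1" in -h|--help|'') _usage ;; esac ;;
    4) case "$2" in add|replace|delete) ;; *) _usage ;; esac ;;
    *) _usage ;;
esac

# … unchanged: source runtime, _findentry, interactive and templated branches …
```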