Add debian package for ldapscripts

Porting all CentOS patches, and also align the file permission
with CentOS.

Test Plan: Verify the building, installing and booting test

PASS: Verify package build
PASS: Verify system install
PASS: Verify system boot

Story: 2009221
Task: 43415
Signed-off-by: Yue Tao <yue.tao@windriver.com>
Change-Id: I7766d4aa26420c6f701a0dffaa7e9bf6b77e0c75
This commit is contained in:
Yue Tao 2021-09-23 14:06:31 +08:00
parent 229a6b32af
commit 39bc6c35f1
11 changed files with 1328 additions and 0 deletions

View File

@ -0,0 +1,24 @@
Align the permission with the CentOS, and remove the
ldapaddmachine.template.sample which is deleted during
CentOS install step.
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
--- a/debian/rules
+++ b/debian/rules
@@ -17,6 +17,7 @@ override_dh_auto_install:
install -m 644 ldapaddsudo.template.cgcs debian/ldapscripts/usr/local/etc/ldapscripts
install -m 644 ldapmodsudo.template.cgcs debian/ldapscripts/usr/local/etc/ldapscripts
install -m 600 ldapscripts.passwd debian/ldapscripts/usr/local/etc/ldapscripts
+ rm -rf ./debian/ldapscripts/usr/local/etc/ldapscripts/ldapaddmachine.template.sample
override_dh_installdocs:
dh_installdocs README TODO
@@ -29,3 +30,7 @@ override_dh_installexamples:
override_dh_fixperms:
dh_fixperms --exclude etc/ldapscripts/ldapscripts.passwd
+ chmod 440 ./debian/ldapscripts/usr/lib/ldapscripts/runtime
+ chmod 440 ./debian/ldapscripts/usr/local/etc/ldapscripts/ldapaddgroup.template.sample
+ chmod 440 ./debian/ldapscripts/usr/local/etc/ldapscripts/ldapadduser.template.sample
+ chmod 440 ./debian/ldapscripts/usr/local/etc/ldapscripts/ldapscripts.conf.sample

View File

@ -0,0 +1,23 @@
--- a/debian/rules
+++ b/debian/rules
@@ -3,10 +3,20 @@
%:
dh $@
+override_dh_usrlocal:
+
override_dh_auto_install:
$(MAKE) install DESTDIR=debian/ldapscripts PREFIX=/usr ETCDIR=/etc/ldapscripts LIBDIR=/usr/share/ldapscripts MANDIR=/usr/share/man
cp debian/runtime.debian debian/ldapscripts/usr/share/ldapscripts
rm debian/ldapscripts/etc/ldapscripts/*.sample
+ $(MAKE) install DESTDIR=debian/ldapscripts PREFIX=/usr ETCDIR=/usr/local/etc/ldapscripts
+ install -m 644 ldapscripts.conf.cgcs debian/ldapscripts/usr/local/etc/ldapscripts
+ install -m 644 ldapadduser.template.cgcs debian/ldapscripts/usr/local/etc/ldapscripts
+ install -m 644 ldapaddgroup.template.cgcs debian/ldapscripts/usr/local/etc/ldapscripts
+ install -m 644 ldapmoduser.template.cgcs debian/ldapscripts/usr/local/etc/ldapscripts
+ install -m 644 ldapaddsudo.template.cgcs debian/ldapscripts/usr/local/etc/ldapscripts
+ install -m 644 ldapmodsudo.template.cgcs debian/ldapscripts/usr/local/etc/ldapscripts
+ install -m 600 ldapscripts.passwd debian/ldapscripts/usr/local/etc/ldapscripts
override_dh_installdocs:
dh_installdocs README TODO

View File

@ -0,0 +1,2 @@
debian-install-cgcs-files.patch
debian-align-permission-with-centos.patch

View File

@ -0,0 +1,9 @@
---
debver: 2.0.8-2
dl_path:
name: 2.0.8-2.tar.gz
url: https://github.com/gerasiov/ldapscripts/archive/refs/tags/debian/2.0.8-2.tar.gz
md5sum: f7c5d518d23319f0dd408cff4057a100
revision:
dist: $STX_DIST
PKG_GITREVCOUNT:

View File

@ -0,0 +1,38 @@
From bee43b9f75ee7a2cee0391319528264014d775f7 Mon Sep 17 00:00:00 2001
From: Kam Nasim <kam.nasim@windriver.com>
Date: Mon, 16 Apr 2018 14:58:03 -0400
Subject: [PATCH] ldapscripts - allow anonymous bind for ldap search
---
lib/runtime | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/lib/runtime b/lib/runtime
index 012ac95..18acf3f 100644
--- a/lib/runtime
+++ b/lib/runtime
@@ -197,8 +197,11 @@ _ldapsearch () {
elif [ -n "$BINDPWDFILE" ]
then
$LDAPSEARCHBIN $LDAPBINOPTS $LDAPSEARCHOPTS -y "$BINDPWDFILE" -D "$BINDDN" -b "${1:-$SUFFIX}" -xH "$SERVER" -s sub -LLL "${2:-(objectclass=*)}" "${3:-*}" 2>>"$LOGFILE"
- else
+ elif [ -n "$BINDPWD" ]
+ then
$LDAPSEARCHBIN $LDAPBINOPTS $LDAPSEARCHOPTS -w "$BINDPWD" -D "$BINDDN" -b "${1:-$SUFFIX}" -xH "$SERVER" -s sub -LLL "${2:-(objectclass=*)}" "${3:-*}" 2>>"$LOGFILE"
+ else
+ $LDAPSEARCHBIN $LDAPBINOPTS $LDAPSEARCHOPTS -D "$BINDDN" -b "${1:-$SUFFIX}" -xH "$SERVER" -s sub -LLL "${2:-(objectclass=*)}" "${3:-*}" 2>>"$LOGFILE"
fi
}
@@ -785,7 +788,7 @@ then
then
warn_log "Warning : using command-line passwords, ldapscripts may not be safe"
else
- end_die "Unable to read password file $BINDPWDFILE, exiting..."
+ warn_log "Warning: Unable to read password file $BINDPWDFILE, binding anonymously..."
fi
fi
fi
--
1.8.3.1

View File

@ -0,0 +1,354 @@
---
Makefile | 5 +-
man/man1/ldapusersetup.1 | 60 +++++++++++
sbin/ldapusersetup | 254 +++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 317 insertions(+), 2 deletions(-)
create mode 100644 man/man1/ldapusersetup.1
create mode 100644 sbin/ldapusersetup
diff --git a/sbin/ldapusersetup b/sbin/ldapusersetup
new file mode 100644
index 0000000..27d12dc
--- /dev/null
+++ b/sbin/ldapusersetup
@@ -0,0 +1,254 @@
+#!/bin/sh
+
+# ldapusersetup : interactive setup for adding users to LDAP
+
+# Copyright (c) 2015 Wind River Systems, Inc.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+# USA.
+
+if [ "$1" = "-h" ] || [ "$1" = "--help" ] || [ "$#" -eq 1 ]
+then
+ echo "Usage : $0 [-u <username | uid> <field> <value>]
+where accepted field(s) are as follows:
+--sudo : whether to add this user to sudoer list
+--secondgroup <grp> : the secondary group to add this user to
+--passmax <value> : the shadowMax value for this user
+--passwarning <value> : the shadowWarning value for this user"
+ exit 1
+fi
+
+# Source runtime file
+_RUNTIMEFILE="/usr/lib/ldapscripts/runtime"
+. "$_RUNTIMEFILE"
+
+# runtime defaults
+_DEFAULTGRP2="sys_protected"
+_BASHSHELL="/bin/bash"
+_DEFAULTSHADOWMAX="90"
+_DEFAULTSHADOWWARNING="2"
+_SHELL=""
+
+### Helper functions ###
+
+# Gets input from user and validates it.
+# Will only return if input meets validation
+# criteria otherwise will just sit there.
+#
+# Input : input string ($1), valid output options ($2)
+# Output: the validated input
+# Note : the validation list must be an array
+LdapUserInput () {
+declare -a optionAry=("${!2}")
+while true; do
+ read -p "$1" _output
+ # convert to lower case
+ _output2=${_output,,}
+ # check if output is a valid option
+ if [[ "${optionAry[@]}" =~ "$_output2" ]]; then
+ break
+ else
+ echo "Invalid input \"$_output\". Allowed options: ${optionAry[@]}" >&2
+ fi
+done
+ echo "$_output2"
+}
+
+# Delete an ldap user if it exists
+# and exit with error
+# Input : username ($1), exit msg ($2)
+# Output : none
+LdapRollback() {
+ ldapdeleteuser "$1"
+ end_die "$2"
+}
+
+# Add an ldap user and exit on failure
+# Input : username ($1)
+# Output : none
+LdapAddUser() {
+ ldapadduser "$1" users
+ [ $? -eq 0 ] || end_die "Critical setup error: cannot add user"
+}
+
+# Replace Login Shell and call Rollback on failure
+# Input : username ($1), shell to set ($2)
+# Output : none
+LdapAddLoginShell () {
+ # Support bash only now.
+ _SHELL="$_BASHSHELL"
+ # Replace the login shell
+ ldapmodifyuser $1 replace loginShell $_SHELL &> /dev/null
+ [ $? -eq 0 ] || LdapRollback $1 "Critical setup error: cannot set login shell"
+}
+
+# Add user to sudoer list
+# Input : username ($1)
+# Output : true or false
+LdapAddSudo() {
+ ldapaddsudo "$1" 2> /dev/null
+ [ $? -eq 0 ] || \
+ echo_log "Non critical setup error: cannot add to sudoer list"
+}
+
+# Add user to a secondary user group
+# Input : username ($1), user group ($2)
+# Output : true or false
+LdapSecondaryGroup () {
+ _newGrp="$2"
+ [ -z "$2" ] && _newGrp=$_DEFAULTGRP2
+
+ ldapaddusertogroup $1 $_newGrp
+ [ $? -eq 0 ] || \
+ echo_log "Non critical setup error: cannot add $1 to $_newGrp"
+}
+
+# Update shadowMax for user
+# Input : username ($1), shadow Max value ($2)
+# Output : none
+LdapUpdateShadowMax () {
+ _newShadow="$2"
+ ! [[ "$2" =~ ^[0-9]+$ ]] || [ -z "$2" ] \
+ && _newShadow=$_DEFAULTSHADOWMAX
+
+ ldapmodifyuser $1 replace shadowMax $_newShadow
+ echo "Updating password expiry to $_newShadow days"
+}
+
+# Update shadowWarning for user
+# Input : username ($1), shadow Warning value ($2)
+# Output : none
+LdapUpdateShadowWarning () {
+ _newWarning="$2"
+ ! [[ "$2" =~ ^[0-9]+$ ]] || [ -z "$2" ] \
+ && _newWarning=$_DEFAULTSHADOWWARNING
+
+ ldapmodifyuser $1 replace shadowWarning $_newWarning
+ echo "Updating password expiry to $_newWarning days"
+}
+
+# Since this setup script is meant to be a
+# wrapper on top of existing ldap scripts,
+# it share invoke those... we could have achieved
+# loose coupling by not relying on helpers but
+# at the expense of massively redundant code
+# duplication.
+declare -a helper_scripts=("ldapadduser" "ldapaddsudo" "ldapmodifyuser" "ldapaddusertogroup" "$_BASHSHELL")
+
+# Do some quick sanity tests to make sure
+# helper scripts are present
+for src in "${helper_scripts[@]}"; do
+ if ! type "$src" &>/dev/null; then
+ end_die "Cannot locate $src. Update your PATH variable"
+ fi
+done
+
+if [ "$#" -eq 0 ]; then
+ # This setup collects all attributes
+ # interactively during runtime
+ echo -n "Enter username to add to LDAP: "
+ read _username
+ LdapAddUser "$_username"
+
+ # Replace the login shell. Only bash is supported now.
+ LdapAddLoginShell "$_username"
+
+ # Should sudo be activated for this user
+ echo -n "Add $_username to sudoer list? (yes/NO): "
+ read CONFIRM
+ CONFIRM=${CONFIRM,,}
+
+ if is_yes $CONFIRM
+ then
+ LdapAddSudo "$_username"
+ fi
+
+ # Add to secondary user group
+ shellInput="Add $_username to secondary user group? (yes/NO): "
+ options=( "yes", "no" )
+ CONFIRM=`LdapUserInput "$shellInput" options[@]`
+ if is_yes $CONFIRM
+ then
+ echo -n "Secondary group to add user to? [$_DEFAULTGRP2]: "
+ read _grp2
+ LdapSecondaryGroup $_username $_grp2
+ fi
+
+ # Set password expiry
+ echo -n "Enter days after which user password must \
+be changed [$_DEFAULTSHADOWMAX]: "
+ read _shadowMax
+ LdapUpdateShadowMax $_username $_shadowMax
+
+ # Set password warning
+ echo -n "Enter days before password is to expire that \
+user is warned [$_DEFAULTSHADOWWARNING]: "
+ read _shadowWarning
+ LdapUpdateShadowWarning $_username $_shadowWarning
+
+else
+ # we have to read command line option
+ while [[ $# > 1 ]]
+ do
+ key="$1"
+
+ case $key in
+ -u|--user) # compulsory
+ _username="$2"
+ shift
+ ;;
+ --sudo) # optional
+ _sudo="yes"
+ ;;
+ --passmax) # optional
+ _shadowMax="$2"
+ shift
+ ;;
+ --passwarning) # optional
+ _shadowWarning="$2"
+ shift
+ ;;
+ --secondgroup) # optional
+ _grpConfirm="1"
+ _grp2="$2"
+ shift
+ ;;
+ *)
+
+ ;;
+ esac
+ shift
+ done
+
+ # Add LDAP user
+ [ -z "$_username" ] && end_die "No username argument specified"
+ LdapAddUser $_username
+
+ # Change Login Shell
+ LdapAddLoginShell $_username "$_loginshell"
+
+ # Add sudo if required
+ if is_yes $_sudo
+ then
+ LdapAddSudo "$_username"
+ fi
+
+ # Add secondary group if required
+ [ -z "$_grpConfirm" ] || LdapSecondaryGroup $_username $_grp2
+
+ # Password modifications
+ LdapUpdateShadowMax $_username $_shadowMax
+ LdapUpdateShadowWarning $_username $_shadowWarning
+fi
diff --git a/Makefile b/Makefile
index f81c272..6e5b193 100644
--- a/Makefile
+++ b/Makefile
@@ -41,12 +41,13 @@ SBINFILES = ldapdeletemachine ldapmodifygroup ldapsetpasswd lsldap ldapadduser l
ldapdeleteuser ldapsetprimarygroup ldapfinger ldapid ldapgid ldapmodifymachine \
ldaprenamegroup ldapaddgroup ldapaddusertogroup ldapdeleteuserfromgroup \
ldapinit ldapmodifyuser ldaprenamemachine ldapaddmachine ldapdeletegroup \
- ldaprenameuser ldapmodifysudo ldapdeletesudo
+ ldaprenameuser ldapmodifysudo ldapdeletesudo ldapusersetup
MAN1FILES = ldapdeletemachine.1 ldapmodifymachine.1 ldaprenamemachine.1 ldapadduser.1 \
ldapdeleteuserfromgroup.1 ldapfinger.1 ldapid.1 ldapgid.1 ldapmodifyuser.1 lsldap.1 \
ldapaddusertogroup.1 ldaprenameuser.1 ldapinit.1 ldapsetpasswd.1 ldapaddgroup.1 \
ldapdeletegroup.1 ldapsetprimarygroup.1 ldapmodifygroup.1 ldaprenamegroup.1 \
- ldapaddmachine.1 ldapdeleteuser.1 ldapaddsudo.1 ldapmodifysudo.1 ldapdeletesudo.1
+ ldapaddmachine.1 ldapdeleteuser.1 ldapaddsudo.1 ldapmodifysudo.1 \
+ ldapdeletesudo.1 ldapusersetup.1
MAN5FILES = ldapscripts.5
TMPLFILES = ldapaddgroup.template.sample ldapaddmachine.template.sample \
ldapadduser.template.sample
diff --git a/man/man1/ldapusersetup.1 b/man/man1/ldapusersetup.1
new file mode 100644
index 0000000..9b3129b
--- /dev/null
+++ b/man/man1/ldapusersetup.1
@@ -0,0 +1,60 @@
+.\" Copyright (c) 2015 Wind River Systems, Inc.
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version 2
+.\" of the License, or (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+.\" USA.
+.\"
+.\" Kam Nasim
+.\" knasim@windriver.com
+.\"
+.TH ldapusersetup 1 "December 16, 2015"
+
+.SH NAME
+ldapusersetup \- wizard for adding an LDAP user to CGCS.
+
+.SH SYNOPSIS
+.B ldapusersetup
+
+.SH DESCRIPTION
+ldapusersetup interactively walks through the process of creating an LDAP user
+for access to CGCS services. The user is prompted for:
+- username
+- if a sudoEntry needs to be created
+- if a secondary user group needs to be added
+- user password expiry and warning configuration
+Alternatively, the user may provide these parameters as command line actions.
+Look at the OPTIONS section for more information.
+
+To delete the user and all its group associations, simply use ldapdeleteuser(1)
+
+.SH OPTIONS
+.TP
+.B [-u <username | uid> <field> <value>]
+The name or uid of the user to modify.
+The following fields are available as long format options:
+--sudo : whether to add this user to sudoer list
+--secondgroup <grp> : the secondary group to add this user to
+--passmax <value> : the shadowMax value for this user
+--passwarning <value> : the shadowWarning value for this user"
+
+.SH "SEE ALSO"
+ldapdeleteuser(1), ldapaddgroup(1), ldapaddusertogroup(1), ldapmodifyuser(1), ldapscripts(5).
+
+.SH AVAILABILITY
+The ldapscripts are provided under the GNU General Public License v2 (see COPYING for more details).
+The latest version of the ldapscripts is available on :
+.B http://contribs.martymac.org
+
+.SH BUGS
+No bug known.

View File

@ -0,0 +1,216 @@
Add this files from CentOS version
Signed-off-by: Yue Tao <yue.tao@windriver.com>
--- /dev/null
+++ ldapscripts-2.0.8/ldapaddgroup.template.cgcs
@@ -0,0 +1,5 @@
+dn: cn=<group>,<gsuffix>,<suffix>
+objectClass: posixGroup
+cn: <group>
+gidNumber: <gid>
+description: Group account
--- /dev/null
+++ ldapscripts-2.0.8/ldapaddsudo.template.cgcs
@@ -0,0 +1,10 @@
+dn: cn=<user>,ou=SUDOers,<suffix>
+objectClass: top
+objectClass: sudoRole
+cn: <user>
+sudoUser: <user>
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoCommand: ALL
+#sudoOrder: <default: 0, if multiple entries match, this entry with the highest sudoOrder is used>
+#sudoOption: <specify other sudo specific attributes here>
--- /dev/null
+++ ldapscripts-2.0.8/ldapadduser.template.cgcs
@@ -0,0 +1,16 @@
+dn: uid=<user>,<usuffix>,<suffix>
+objectClass: account
+objectClass: posixAccount
+objectClass: shadowAccount
+objectClass: top
+cn: <user>
+uid: <user>
+uidNumber: <uid>
+gidNumber: <gid>
+shadowMax: 99999
+shadowWarning: 7
+shadowLastChange: 0
+homeDirectory: <home>
+loginShell: <shell>
+gecos: <user>
+description: User account
--- /dev/null
+++ ldapscripts-2.0.8/ldapmodsudo.template.cgcs
@@ -0,0 +1,4 @@
+dn: cn=<user>,ou=SUDOers,<suffix>
+changeType: modify
+<action>: <field>
+<field>: <value>
--- /dev/null
+++ ldapscripts-2.0.8/ldapmoduser.template.cgcs
@@ -0,0 +1,4 @@
+dn: uid=<user>,<usuffix>,<suffix>
+changeType: modify
+<action>: <field>
+<field>: <value>
--- /dev/null
+++ ldapscripts-2.0.8/ldapscripts.conf.cgcs
@@ -0,0 +1,152 @@
+# Copyright (C) 2005 Ganaël LAPLANCHE - Linagora
+# Copyright (C) 2006-2013 Ganaël LAPLANCHE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+# USA.
+
+# LDAP server
+SERVER="ldap://controller"
+
+# Suffixes
+SUFFIX="dc=cgcs,dc=local" # Global suffix
+GSUFFIX="ou=Group" # Groups ou (just under $SUFFIX)
+USUFFIX="ou=People" # Users ou (just under $SUFFIX)
+MSUFFIX="ou=Machines" # Machines ou (just under $SUFFIX)
+
+# Authentication type
+# If empty, use simple authentication
+# Else, use the value as an SASL authentication mechanism
+SASLAUTH=""
+#SASLAUTH="GSSAPI"
+
+# Simple authentication parameters
+# The following BIND* parameters are ignored if SASLAUTH is set
+BINDDN="cn=ldapadmin,dc=cgcs,dc=local"
+# The following file contains the raw password of the BINDDN
+# Create it with something like : echo -n 'secret' > $BINDPWDFILE
+# WARNING !!!! Be careful not to make this file world-readable
+BINDPWDFILE="/usr/local/etc/ldapscripts/ldapscripts.passwd"
+# For older versions of OpenLDAP, it is still possible to use
+# unsecure command-line passwords by defining the following option
+# AND commenting the previous one (BINDPWDFILE takes precedence)
+#BINDPWD="secret"
+
+# Start with these IDs *if no entry found in LDAP*
+GIDSTART="10000" # Group ID
+UIDSTART="10000" # User ID
+MIDSTART="20000" # Machine ID
+
+# Group membership management
+# ObjectCLass used for groups
+# Possible values : posixGroup, groupOfNames, groupOfUniqueNames (case-sensitive !)
+# Warning : when using groupOf*, be sure to be compliant with RFC 2307bis (AUXILIARY posixGroup).
+# Also, do not mix posixGroup and groupOf* entries up in you directory as, within RFC 2307bis,
+# the former is a subset of the latter. The ldapscripts wouldn't cope well with this configuration.
+GCLASS="posixGroup" # Leave "posixGroup" here if not sure !
+# When using groupOfNames or groupOfUniqueNames, creating a group requires an initial
+# member. Specify it below, you will be able to remove it once groups are populated.
+#GDUMMYMEMBER="uid=dummy,$USUFFIX,$SUFFIX"
+
+# User properties
+USHELL="/bin/sh"
+UHOMES="/home/%u" # You may use %u for username here
+CREATEHOMES="no" # Create home directories and set rights ?
+HOMESKEL="/etc/skel" # Directory where the skeleton files are located. Ignored if undefined or nonexistant.
+HOMEPERMS="700" # Default permissions for home directories
+
+# User passwords generation
+# Command-line used to generate a password for added users.
+# You may use %u for username here ; special value "<ask>" will ask for a password interactively
+# WARNING !!!! This is evaluated, everything specified here will be run !
+# WARNING(2) !!!! Some systems (Linux) use a blocking /dev/random (waiting for enough entropy).
+# In this case, consider using /dev/urandom instead.
+#PASSWORDGEN="cat /dev/random | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8"
+#PASSWORDGEN="pwgen"
+#PASSWORDGEN="echo changeme"
+PASSWORDGEN="echo %u"
+#PASSWORDGEN="<ask>"
+
+# User passwords recording
+# you can keep trace of generated passwords setting PASSWORDFILE and RECORDPASSWORDS
+# (useful when performing a massive creation / net rpc vampire)
+# WARNING !!!! DO NOT FORGET TO DELETE THE GENERATED FILE WHEN DONE !
+# WARNING !!!! DO NOT FORGET TO TURN OFF RECORDING WHEN DONE !
+RECORDPASSWORDS="no"
+PASSWORDFILE="/var/log/ldapscripts_passwd.log"
+
+# Where to log
+LOGFILE="/var/log/ldapscripts.log"
+
+# Temporary folder
+TMPDIR="/tmp"
+
+# Various binaries used within the scripts
+# Warning : they also use uuencode, date, grep, sed, cut, which...
+# Please check they are installed before using these scripts
+# Note that many of them should come with your OS
+
+# OpenLDAP client commands
+LDAPSEARCHBIN="/usr/bin/ldapsearch"
+LDAPADDBIN="/usr/bin/ldapadd"
+LDAPDELETEBIN="/usr/bin/ldapdelete"
+LDAPMODIFYBIN="/usr/bin/ldapmodify"
+LDAPMODRDNBIN="/usr/bin/ldapmodrdn"
+LDAPPASSWDBIN="/usr/bin/ldappasswd"
+
+# OpenLDAP client common additional options
+# This allows for adding more configuration options to the OpenLDAP clients, e.g. '-ZZ' to enforce TLS
+#LDAPBINOPTS="-ZZ"
+
+# OpenLDAP ldapsearch-specific additional options
+# The following option disables long-line wrapping (which makes the scripts bug
+# when handling long lines). The option was introduced in OpenLDAP 2.4.24, so
+# comment it if you are using OpenLDAP < 2.4.24.
+LDAPSEARCHOPTS="-o ldif-wrap=no"
+# And here is an example to activate paged results
+#LDAPSEARCHOPTS="-E pr=500/noprompt"
+
+# Character set conversion : $ICONVCHAR <-> UTF-8
+# Comment ICONVBIN to disable UTF-8 conversion
+# ICONVBIN="/usr/bin/iconv"
+# ICONVCHAR=""
+
+# Base64 decoding
+# Comment UUDECODEBIN to disable Base64 decoding
+#UUDECODEBIN="/usr/bin/uudecode"
+
+# Getent command to use - choose the ones used
+# on your system. Leave blank or comment for auto-guess.
+# GNU/Linux
+GETENTPWCMD="getent passwd"
+GETENTGRCMD="getent group"
+# FreeBSD
+#GETENTPWCMD="pw usershow"
+#GETENTGRCMD="pw groupshow"
+# Auto
+#GETENTPWCMD=""
+#GETENTGRCMD=""
+
+# You can specify custom LDIF templates here
+# Leave empty to use default templates
+# See *.template.sample for default templates
+#GTEMPLATE="/path/to/ldapaddgroup.template"
+#UTEMPLATE="/path/to/ldapadduser.template"
+#MTEMPLATE="/path/to/ldapaddmachine.template"
+GTEMPLATE="/usr/local/etc/ldapscripts/ldapaddgroup.template.cgcs"
+UTEMPLATE="/usr/local/etc/ldapscripts/ldapadduser.template.cgcs"
+UMTEMPLATE="/usr/local/etc/ldapscripts/ldapmoduser.template.cgcs"
+STEMPLATE="/usr/local/etc/ldapscripts/ldapaddsudo.template.cgcs"
+SMTEMPLATE="/usr/local/etc/ldapscripts/ldapmodsudo.template.cgcs"
+MTEMPLATE=""
--- /dev/null
+++ ldapscripts-2.0.8/ldapscripts.passwd
@@ -0,0 +1 @@
+_LDAPADMIN_PW_

View File

@ -0,0 +1,15 @@
---
lib/runtime | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/lib/runtime
+++ b/lib/runtime
@@ -863,7 +863,7 @@ fi
# Log command
if [ "$LOGTOFILE" = "yes" ]
then
- log_to_file "$(date '+%b %d %H:%M:%S') $(uname -n | sed 's|\..*$||') ldapscripts: $(basename "$0")($USER): $0 $*"
+ log_to_file "$(date '+%FT%T') $(uname -n | sed 's|\..*$||') ldapscripts: $(basename "$0")($USER): $0 $*"
fi
if [ "$LOGTOSYSLOG" = "yes" ]
then

View File

@ -0,0 +1,6 @@
sudo-support.patch
sudo-delete-support.patch
log_timestamp.patch
ldap-user-setup-support.patch
allow-anonymous-bind-for-ldap-search.patch
ldapscripts-templates.patch

View File

@ -0,0 +1,352 @@
---
Makefile | 4 +--
lib/runtime | 15 ++++++++++++
man/man1/ldapaddsudo.1 | 54 +++++++++++++++++++++++++++++++++++++++++++
man/man1/ldapdeletesudo.1 | 46 +++++++++++++++++++++++++++++++++++++
man/man1/ldapdeleteuser.1 | 5 ++--
man/man1/ldapmodifysudo.1 | 57 ++++++++++++++++++++++++++++++++++++++++++++++
man/man1/ldapmodifyuser.1 | 15 ++++++++---
sbin/ldapdeletesudo | 38 ++++++++++++++++++++++++++++++
sbin/ldapdeleteuser | 5 ++++
sbin/ldapmodifysudo | 2 -
10 files changed, 232 insertions(+), 9 deletions(-)
--- a/sbin/ldapdeleteuser
+++ b/sbin/ldapdeleteuser
@@ -46,6 +46,11 @@ _UDN="$_ENTRY"
# Delete entry
_ldapdelete "$_UDN" || end_die "Error deleting user $_UDN from LDAP"
+
+# Optionally, delete the sudoer entry if it exists
+_ldapdeletesudo $1
+[ $? -eq 2 ] && end_die "Found sudoEntry for user $_UDN but unable to delete"
+
# Finally, delete this user from all his secondary groups
case $GCLASS in
posixGroup)
--- a/sbin/ldapmodifysudo
+++ b/sbin/ldapmodifysudo
@@ -1,6 +1,6 @@
#!/bin/sh
-# ldapmodifyuser : modifies a sudo entry in an LDAP directory
+# ldapmodifysudo : modifies a sudo entry in an LDAP directory
# Copyright (C) 2007-2013 Ganaël LAPLANCHE
# Copyright (C) 2014 Stephen Crooks
--- /dev/null
+++ b/sbin/ldapdeletesudo
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+# ldapdeletesudo : deletes a sudoRole from LDAP
+
+# Copyright (C) 2005 Ganaël LAPLANCHE - Linagora
+# Copyright (C) 2006-2013 Ganaël LAPLANCHE
+# Copyright (c) 2015 Wind River Systems, Inc.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+# USA.
+
+if [ -z "$1" ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]
+then
+ echo "Usage : $0 <username>"
+ exit 1
+fi
+
+# Source runtime file
+_RUNTIMEFILE="/usr/lib/ldapscripts/runtime"
+. "$_RUNTIMEFILE"
+
+# Username = first argument
+_ldapdeletesudo "$1"
+[ $? -eq 0 ] || end_die "Unable to locate or delete sudoUser entry for $1"
+
+end_ok "Successfully deleted sudoUser entry for $1 from LDAP"
--- a/man/man1/ldapmodifyuser.1
+++ b/man/man1/ldapmodifyuser.1
@@ -1,4 +1,5 @@
.\" Copyright (C) 2007-2017 Ganaël LAPLANCHE
+.\" Copyright (c) 2015 Wind River Systems, Inc.
.\"
.\" This program is free software; you can redistribute it and/or
.\" modify it under the terms of the GNU General Public License
@@ -19,14 +20,14 @@
.\" ganael.laplanche@martymac.org
.\" http://contribs.martymac.org
.\"
-.TH ldapmodifyuser 1 "August 22, 2007"
+.TH ldapmodifyuser 1 "December 8, 2015"
.SH NAME
ldapmodifyuser \- modifies a POSIX user account in LDAP interactively
.SH SYNOPSIS
.B ldapmodifyuser
-.RB <username | uid>
+.RB <username | uid> [<add | replace | delete> <field> <value>]
.SH DESCRIPTION
ldapmodifyuser first looks for the right entry to modify. Once found, the entry is presented and you
@@ -34,13 +35,18 @@ are prompted to enter LDIF data to modif
The DN of the entry being modified is already specified : just begin with a changeType attribute or any
other one(s) of your choice (in this case, the defaut changeType is 'modify').
+Alternatively, if an optional "action" argument <add | replace | delete> is given, followed by a
+field - value pair then user will not be interactively prompted.
+
.SH OPTIONS
.TP
-.B <username | uid>
+.B <username | uid> [<add | replace | delete> <field> <value>]
The name or uid of the user to modify.
+The optional "action" pertaining to this user entry.
+The field - value pair on which the action needs to be undertaken.
.SH "SEE ALSO"
-ldapmodifygroup(1), ldapmodifymachine(1), ldapscripts(5).
+ldapmodifygroup(1), ldapmodifymachine(1), ldapmodifysudo(1), ldapscripts(5).
.SH AVAILABILITY
The ldapscripts are provided under the GNU General Public License v2 (see COPYING for more details).
--- a/man/man1/ldapdeleteuser.1
+++ b/man/man1/ldapdeleteuser.1
@@ -1,4 +1,5 @@
.\" Copyright (C) 2006-2017 Ganaël LAPLANCHE
+.\" Copyright (c) 2015 Wind River Systems, Inc.
.\"
.\" This program is free software; you can redistribute it and/or
.\" modify it under the terms of the GNU General Public License
@@ -19,10 +20,10 @@
.\" ganael.laplanche@martymac.org
.\" http://contribs.martymac.org
.\"
-.TH ldapdeleteuser 1 "January 1, 2006"
+.TH ldapdeleteuser 1 "December 8, 2015"
.SH NAME
-ldapdeleteuser \- deletes a POSIX user account from LDAP.
+ldapdeleteuser \- deletes a POSIX user account, and its sudo entry, from LDAP.
.SH SYNOPSIS
.B ldapdeleteuser
--- /dev/null
+++ b/man/man1/ldapaddsudo.1
@@ -0,0 +1,54 @@
+.\" Copyright (C) 2006-2013 Ganaël LAPLANCHE
+.\" Copyright (c) 2015 Wind River Systems, Inc.
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version 2
+.\" of the License, or (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+.\" USA.
+.\"
+.\" Ganael Laplanche
+.\" ganael.laplanche@martymac.org
+.\" http://contribs.martymac.org
+.\"
+.TH ldapaddsudo 1 "December 8, 2015"
+
+.SH NAME
+ldapaddsudo \- adds a POSIX user account to the sudoer list in LDAP.
+
+.SH SYNOPSIS
+.B ldapaddsudo
+.RB <username>
+.RB <groupname | gid>
+.RB [uid]
+
+.SH OPTIONS
+.TP
+.B <username>
+The name of the user to add.
+.TP
+.B <groupname | gid>
+The group name or the gid of the user to add.
+.TP
+.B [uid]
+The uid of the user to add. Automatically computed if not specified.
+
+.SH "SEE ALSO"
+ldapadduser(1), ldapaddgroup(1), ldapaddmachine(1), ldapscripts(5).
+
+.SH AVAILABILITY
+The ldapscripts are provided under the GNU General Public License v2 (see COPYING for more details).
+The latest version of the ldapscripts is available on :
+.B http://contribs.martymac.org
+
+.SH BUGS
+No bug known.
--- /dev/null
+++ b/man/man1/ldapmodifysudo.1
@@ -0,0 +1,57 @@
+.\" Copyright (C) 2007-2013 Ganaël LAPLANCHE
+.\" Copyright (c) 2015 Wind River Systems, Inc.
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version 2
+.\" of the License, or (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+.\" USA.
+.\"
+.\" Ganael Laplanche
+.\" ganael.laplanche@martymac.org
+.\" http://contribs.martymac.org
+.\"
+.TH ldapmodifysudo 1 "December 8, 2015"
+
+.SH NAME
+ldapmodifysudo \- modifies the sudo entry of a POSIX user account in LDAP interactively
+
+.SH SYNOPSIS
+.B ldapmodifysudo
+.RB <username | uid> [<add | replace | delete> <field> <value>]
+
+.SH DESCRIPTION
+ldapmodifysudo first looks for the right entry to modify. Once found, the entry is presented and you
+are prompted to enter LDIF data to modify it as you would do using a standard LDIF file and ldapmodify(1).
+The DN of the entry being modified is already specified : just begin with a changeType attribute or any
+other one(s) of your choice (in this case, the defaut changeType is 'modify').
+
+Alternatively, if an optional "action" argument <add | replace | delete> is given, followed by a
+field - value pair then user will not be interactively prompted.
+
+.SH OPTIONS
+.TP
+.B <username | uid> [<add | replace | delete> <field> <value>]
+The name or uid of the user to modify.
+The optional "action" pertaining to this user entry.
+The field - value pair on which the action needs to be undertaken.
+
+.SH "SEE ALSO"
+ldapmodifygroup(1), ldapmodifymachine(1), ldapmodifyuser(1), ldapscripts(5).
+
+.SH AVAILABILITY
+The ldapscripts are provided under the GNU General Public License v2 (see COPYING for more details).
+The latest version of the ldapscripts is available on :
+.B http://contribs.martymac.org
+
+.SH BUGS
+No bug known.
--- /dev/null
+++ b/man/man1/ldapdeletesudo.1
@@ -0,0 +1,46 @@
+.\" Copyright (C) 2006-2013 Ganaël LAPLANCHE
+.\" Copyright (c) 2015 Wind River Systems, Inc.
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version 2
+.\" of the License, or (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+.\" USA.
+.\"
+.\" Ganael Laplanche
+.\" ganael.laplanche@martymac.org
+.\" http://contribs.martymac.org
+.\"
+.TH ldapdeletesudo 1 "December 8, 2015"
+
+.SH NAME
+ldapdeletesudo \- deletes a sudo entry, for a POSIX user account, in LDAP
+
+.SH SYNOPSIS
+.B ldapdeletesudo
+.RB <username | uid>
+
+.SH OPTIONS
+.TP
+.B <username | uid>
+The name or uid of the user to delete.
+
+.SH "SEE ALSO"
+ldapdeletegroup(1), ldapdeletemachine(1), ldapdeleteuser(1), ldapscripts(5).
+
+.SH AVAILABILITY
+The ldapscripts are provided under the GNU General Public License v2 (see COPYING for more details).
+The latest version of the ldapscripts is available on :
+.B http://contribs.martymac.org
+
+.SH BUGS
+No bug known.
--- a/Makefile
+++ b/Makefile
@@ -41,12 +41,12 @@ SBINFILES = ldapdeletemachine ldapmodifygroup ldapsetpasswd lsldap ldapadduser |
ldapdeleteuser ldapsetprimarygroup ldapfinger ldapid ldapgid ldapmodifymachine \
ldaprenamegroup ldapaddgroup ldapaddusertogroup ldapdeleteuserfromgroup \
ldapinit ldapmodifyuser ldaprenamemachine ldapaddmachine ldapdeletegroup \
- ldaprenameuser ldapmodifysudo
+ ldaprenameuser ldapmodifysudo ldapdeletesudo
MAN1FILES = ldapdeletemachine.1 ldapmodifymachine.1 ldaprenamemachine.1 ldapadduser.1 \
ldapdeleteuserfromgroup.1 ldapfinger.1 ldapid.1 ldapgid.1 ldapmodifyuser.1 lsldap.1 \
ldapaddusertogroup.1 ldaprenameuser.1 ldapinit.1 ldapsetpasswd.1 ldapaddgroup.1 \
ldapdeletegroup.1 ldapsetprimarygroup.1 ldapmodifygroup.1 ldaprenamegroup.1 \
- ldapaddmachine.1 ldapdeleteuser.1
+ ldapaddmachine.1 ldapdeleteuser.1 ldapaddsudo.1 ldapmodifysudo.1 ldapdeletesudo.1
MAN5FILES = ldapscripts.5
TMPLFILES = ldapaddgroup.template.sample ldapaddmachine.template.sample \
ldapadduser.template.sample
--- a/lib/runtime
+++ b/lib/runtime
@@ -294,6 +294,21 @@ _ldapdelete () {
fi
}
+# Deletes a sudoUser entry in the LDAP directory
+# Input : POSIX username whose sudo entry to delete ($1)
+# Output: 0 on successful delete
+# 1 on being unable to find sudoUser
+# 2 on being unable to delete found sudoUser entry
+_ldapdeletesudo () {
+ [ -z "$1" ] && end_die "_ldapdeletesudo : missing argument"
+ # Find the entry
+ _findentry "$SUFFIX" "(&(objectClass=sudoRole)(|(cn=$1)(sudoUser=$1)))"
+ [ -z "$_ENTRY" ] && return 1
+
+ # Now delete that entry
+ _ldapdelete "$_ENTRY" || return 2
+}
+
# Extracts LDIF information from $0 (the current script itself)
# selecting lines beginning with $1 occurrences of '#'
# Input : depth ($1)

View File

@ -0,0 +1,289 @@
Index: ldapscripts-2.0.8/sbin/ldapaddsudo
===================================================================
--- /dev/null
+++ ldapscripts-2.0.8/sbin/ldapaddsudo
@@ -0,0 +1,63 @@
+#!/bin/sh
+
+# ldapaddsudo : adds a sudoRole to LDAP
+
+# Copyright (C) 2005 Ganaël LAPLANCHE - Linagora
+# Copyright (C) 2006-2013 Ganaël LAPLANCHE
+# Copyright (c) 2014 Wind River Systems, Inc.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+# USA.
+
+if [ -z "$1" ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]
+then
+ echo "Usage : $0 <username>"
+ exit 1
+fi
+
+# Source runtime file
+_RUNTIMEFILE="/usr/lib/ldapscripts/runtime"
+. "$_RUNTIMEFILE"
+
+# Username = first argument
+_USER="$1"
+
+# Use template if necessary
+if [ -n "$STEMPLATE" ] && [ -r "$STEMPLATE" ]
+then
+ _getldif="cat $STEMPLATE"
+else
+ _getldif="_extractldif 2"
+fi
+
+# Add sudo entry to LDAP
+$_getldif | _filterldif | _askattrs | _utf8encode | _ldapadd
+
+[ $? -eq 0 ] || end_die "Error adding user $_USER to LDAP"
+echo_log "Successfully added sudo access for user $_USER to LDAP"
+
+end_ok
+
+# Ldif template ##################################
+##dn: cn=<user>,ou=SUDOers,<usuffix>,<suffix>
+##objectClass: top
+##objectClass: sudoRole
+##cn: <user>
+##sudoUser: <user>
+##sudoHost: ALL
+##sudoRunAsUser: ALL
+##sudoCommand: ALL
+###sudoOrder: <default: 0, if multiple entries match, this entry with the highest sudoOrder is used>
+###sudoOption: <specify other sudo specific attributes here>
Index: ldapscripts-2.0.8/sbin/ldapmodifyuser
===================================================================
--- ldapscripts-2.0.8.orig/sbin/ldapmodifyuser
+++ ldapscripts-2.0.8/sbin/ldapmodifyuser
@@ -19,9 +19,11 @@
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
-if [ -z "$1" ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]
+if [ "$1" = "-h" ] || [ "$1" = "--help" ] || \
+ [[ "$2" != "add" && "$2" != "replace" && "$2" != "delete" ]] || \
+ [ "$#" -ne 4 ]
then
- echo "Usage : $0 <username | uid>"
+ echo "Usage : $0 <username | uid> [<add | replace | delete> <field> <value>]"
exit 1
fi
@@ -33,21 +35,48 @@ _RUNTIMEFILE="/usr/lib/ldapscripts/runti
_findentry "$USUFFIX,$SUFFIX" "(&(objectClass=posixAccount)(|(uid=$1)(uidNumber=$1)))"
[ -z "$_ENTRY" ] && end_die "User $1 not found in LDAP"
-# Allocate and create temp file
-mktempf
-echo "dn: $_ENTRY" > "$_TMPFILE" || end_die "Error writing to temporary file $_TMPFILE"
-
-# Display entry
-echo "# About to modify the following entry :"
-_ldapsearch "$_ENTRY"
-
-# Edit entry
-echo "# Enter your modifications here, end with CTRL-D."
-echo "dn: $_ENTRY"
-cat >> "$_TMPFILE" || end_die "Error writing to temporary file $_TMPFILE"
+# Username = first argument
+_USER="$1"
+
+if [ "$#" -eq 1 ]
+then
+ # Allocate and create temp file
+ mktempf
+ echo "dn: $_ENTRY" > "$_TMPFILE" || end_die "Error writing to temporary file $_TMPFILE"
+
+ # Display entry
+ echo "# About to modify the following entry :"
+ _ldapsearch "$_ENTRY"
+
+ # Edit entry
+ echo "# Enter your modifications here, end with CTRL-D."
+ echo "dn: $_ENTRY"
+ cat >> "$_TMPFILE" || end_die "Error writing to temporary file $_TMPFILE"
+
+ # Send modifications
+ cat "$_TMPFILE" | _utf8encode | _ldapmodify
+else
+ # Action = second argument
+ _ACTION="$2"
+
+ # Field = third argument
+ _FIELD="$3"
+
+ # Value = fourth argument
+ _VALUE="$4"
+
+ # Use template if necessary
+ if [ -n "$UMTEMPLATE" ] && [ -r "$UMTEMPLATE" ]
+ then
+ _getldif="cat $UMTEMPLATE"
+ else
+ _getldif="_extractldif 2"
+ fi
+
+ # Modify user in LDAP
+ $_getldif | _filterldif | _utf8encode | _ldapmodify
+fi
-# Send modifications
-cat "$_TMPFILE" | _utf8encode | _ldapmodify
if [ $? -ne 0 ]
then
reltempf
@@ -55,3 +84,9 @@ then
fi
reltempf
end_ok "Successfully modified user entry $_ENTRY in LDAP"
+
+# Ldif template ##################################
+##dn: uid=<user>,<usuffix>,<suffix>
+##changeType: modify
+##<action>: <field>
+##<field>: <value>
Index: ldapscripts-2.0.8/lib/runtime
===================================================================
--- ldapscripts-2.0.8.orig/lib/runtime
+++ ldapscripts-2.0.8/lib/runtime
@@ -344,6 +344,9 @@ s|<msuffix>|$MSUFFIX|g
s|<_msuffix>|$_MSUFFIX|g
s|<gsuffix>|$GSUFFIX|g
s|<_gsuffix>|$_GSUFFIX|g
+s|<action>|$_ACTION|g
+s|<field>|$_FIELD|g
+s|<value>|$_VALUE|g
EOF
# Use it
Index: ldapscripts-2.0.8/Makefile
===================================================================
--- ldapscripts-2.0.8.orig/Makefile
+++ ldapscripts-2.0.8/Makefile
@@ -37,11 +37,11 @@ LIBDIR = $(PREFIX)/lib/$(NAME)
RUNFILE = runtime
ETCFILE = ldapscripts.conf
PWDFILE = ldapscripts.passwd
-SBINFILES = ldapdeletemachine ldapmodifygroup ldapsetpasswd lsldap ldapadduser \
+SBINFILES = ldapdeletemachine ldapmodifygroup ldapsetpasswd lsldap ldapadduser ldapaddsudo \
ldapdeleteuser ldapsetprimarygroup ldapfinger ldapid ldapgid ldapmodifymachine \
ldaprenamegroup ldapaddgroup ldapaddusertogroup ldapdeleteuserfromgroup \
ldapinit ldapmodifyuser ldaprenamemachine ldapaddmachine ldapdeletegroup \
- ldaprenameuser
+ ldaprenameuser ldapmodifysudo
MAN1FILES = ldapdeletemachine.1 ldapmodifymachine.1 ldaprenamemachine.1 ldapadduser.1 \
ldapdeleteuserfromgroup.1 ldapfinger.1 ldapid.1 ldapgid.1 ldapmodifyuser.1 lsldap.1 \
ldapaddusertogroup.1 ldaprenameuser.1 ldapinit.1 ldapsetpasswd.1 ldapaddgroup.1 \
Index: ldapscripts-2.0.8/sbin/ldapmodifysudo
===================================================================
--- /dev/null
+++ ldapscripts-2.0.8/sbin/ldapmodifysudo
@@ -0,0 +1,93 @@
+#!/bin/sh
+
+# ldapmodifyuser : modifies a sudo entry in an LDAP directory
+
+# Copyright (C) 2007-2013 Ganaël LAPLANCHE
+# Copyright (C) 2014 Stephen Crooks
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+# USA.
+
+if [ "$1" = "-h" ] || [ "$1" = "--help" ] || \
+ [[ "$2" != "add" && "$2" != "replace" && "$2" != "delete" ]] || \
+ [ "$#" -ne 4 ]
+then
+ echo "Usage : $0 <username | uid> [<add | replace | delete> <field> <value>]"
+ exit 1
+fi
+
+# Source runtime file
+_RUNTIMEFILE="/usr/lib/ldapscripts/runtime"
+. "$_RUNTIMEFILE"
+
+# Find username : $1 must exist in LDAP !
+_findentry "$SUFFIX" "(&(objectClass=sudoRole)(|(cn=$1)(sudoUser=$1)))"
+[ -z "$_ENTRY" ] && end_die "Sudo user $1 not found in LDAP"
+
+# Username = first argument
+_USER="$1"
+
+if [ "$#" -eq 1 ]
+then
+ # Allocate and create temp file
+ mktempf
+ echo "dn: $_ENTRY" > "$_TMPFILE" || end_die "Error writing to temporary file $_TMPFILE"
+
+ # Display entry
+ echo "# About to modify the following entry :"
+ _ldapsearch "$_ENTRY"
+
+ # Edit entry
+ echo "# Enter your modifications here, end with CTRL-D."
+ echo "dn: $_ENTRY"
+ cat >> "$_TMPFILE" || end_die "Error writing to temporary file $_TMPFILE"
+
+ # Send modifications
+ cat "$_TMPFILE" | _utf8encode | _ldapmodify
+else
+ # Action = second argument
+ _ACTION="$2"
+
+ # Field = third argument
+ _FIELD="$3"
+
+ # Value = fourth argument
+ _VALUE="$4"
+
+ # Use template if necessary
+ if [ -n "$SMTEMPLATE" ] && [ -r "$SMTEMPLATE" ]
+ then
+ _getldif="cat $SMTEMPLATE"
+ else
+ _getldif="_extractldif 2"
+ fi
+
+ # Modify user in LDAP
+ $_getldif | _filterldif | _utf8encode | _ldapmodify
+fi
+
+if [ $? -ne 0 ]
+then
+ reltempf
+ end_die "Error modifying sudo entry $_ENTRY in LDAP"
+fi
+reltempf
+end_ok "Successfully modified sudo entry $_ENTRY in LDAP"
+
+# Ldif template ##################################
+##dn: cn=<user>,ou=SUDOers,<suffix>
+##changeType: modify
+##<action>: <field>
+##<field>: <value>