From 69be80651e65f99c5ccf94c7e71677621ea98fd3 Mon Sep 17 00:00:00 2001 From: Scott Little Date: Wed, 1 Aug 2018 14:22:31 -0400 Subject: [PATCH] Relocate ldapscripts to stx-integ/ldap/ldapscripts Move content from stx-gplv2 into stx-integ Packages will be relocated to stx-integ: base/ bash cgcs-users cluster-resource-agents dpkg haproxy libfdt netpbm rpm database/ mariadb filesystem/ iscsi-initiator-utils filesystem/drbd/ drbd-tools kernel/kernel-modules/ drbd integrity intel-e1000e intel-i40e intel-i40evf intel-ixgbe intel-ixgbevf qat17 tpmdd ldap/ ldapscripts networking/ iptables net-tools Change-Id: I688cd576de5e8fb9fbe7ad727b9e5321ad4b0e45 Story: 2002801 Task: 22687 
Signed-off-by: Scott Little --- centos_pkg_dirs | 1 + ldap/ldapscripts/PKG-INFO | 14 + ldap/ldapscripts/centos/build_srpm.data | 3 + ldap/ldapscripts/centos/ldapscripts.spec | 73 ++++ ...p-user-setup-noninteractive-mode-fix.patch | 15 + ...-user-setup-support-input-validation.patch | 87 +++++ .../files/ldap-user-setup-support.patch | 354 ++++++++++++++++++ .../files/ldapaddgroup.template.cgcs | 5 + .../files/ldapaddsudo.template.cgcs | 10 + .../files/ldapadduser.template.cgcs | 16 + .../files/ldapmodsudo.template.cgcs | 4 + .../files/ldapmoduser.template.cgcs | 4 + ldap/ldapscripts/files/ldapscripts.conf.cgcs | 152 ++++++++ ldap/ldapscripts/files/ldapscripts.passwd | 1 + ldap/ldapscripts/files/log_timestamp.patch | 15 + .../files/sudo-delete-support.patch | 352 +++++++++++++++++ ldap/ldapscripts/files/sudo-support.patch | 289 ++++++++++++++ 17 files changed, 1395 insertions(+) create mode 100644 ldap/ldapscripts/PKG-INFO create mode 100644 ldap/ldapscripts/centos/build_srpm.data create mode 100644 ldap/ldapscripts/centos/ldapscripts.spec create mode 100644 ldap/ldapscripts/files/ldap-user-setup-noninteractive-mode-fix.patch create mode 100644 ldap/ldapscripts/files/ldap-user-setup-support-input-validation.patch create mode 100644 ldap/ldapscripts/files/ldap-user-setup-support.patch create mode 100755 ldap/ldapscripts/files/ldapaddgroup.template.cgcs create mode 100755 ldap/ldapscripts/files/ldapaddsudo.template.cgcs create mode 100755 ldap/ldapscripts/files/ldapadduser.template.cgcs create mode 100755 ldap/ldapscripts/files/ldapmodsudo.template.cgcs create mode 100755 ldap/ldapscripts/files/ldapmoduser.template.cgcs create mode 100755 ldap/ldapscripts/files/ldapscripts.conf.cgcs create mode 100644 ldap/ldapscripts/files/ldapscripts.passwd create mode 100644 ldap/ldapscripts/files/log_timestamp.patch create mode 100644 ldap/ldapscripts/files/sudo-delete-support.patch create mode 100644 ldap/ldapscripts/files/sudo-support.patch 
diff --git a/centos_pkg_dirs b/centos_pkg_dirs
index e7d9e93b6..a8b5a5e5d 100644
--- a/centos_pkg_dirs
+++ b/centos_pkg_dirs
@@ -134,3 +134,4 @@ base/bash
 base/haproxy
 base/netpbm
 filesystem/iscsi-initiator-utils
+ldap/ldapscripts
diff --git a/ldap/ldapscripts/PKG-INFO b/ldap/ldapscripts/PKG-INFO
new file mode 100644
index 000000000..a5f4eb34b
--- /dev/null
+++ b/ldap/ldapscripts/PKG-INFO
@@ -0,0 +1,14 @@
+Metadata-Version: 1.1
+Name: ldapscripts
+Version: 2.0.8
+Summary: ldapscripts
+Home-page:
+Author:
+Author-email:
+License: GPLv2
+
+Description:
+Shell scripts that allow to manage POSIX accounts (users, groups, machines) in an LDAP directory.
+
+
+Platform: UNKNOWN
diff --git a/ldap/ldapscripts/centos/build_srpm.data b/ldap/ldapscripts/centos/build_srpm.data
new file mode 100644
index 000000000..0beff5cbc
--- /dev/null
+++ b/ldap/ldapscripts/centos/build_srpm.data
@@ -0,0 +1,3 @@
+COPY_LIST="files/* \
+ $CGCS_BASE/downloads/ldapscripts-2.0.8.tgz"
+TIS_PATCH_VER=1
diff --git a/ldap/ldapscripts/centos/ldapscripts.spec b/ldap/ldapscripts/centos/ldapscripts.spec
new file mode 100644
index 000000000..3baeb1f49
--- /dev/null
+++ b/ldap/ldapscripts/centos/ldapscripts.spec
@@ -0,0 +1,73 @@ +Name: ldapscripts +Version: 2.0.8 +Release: 0%{?_tis_dist}.%{tis_patch_ver} +Summary: ldapscripts + +Group: base +License: GPLv2 +URL: unknown +Source0: %{name}-%{version}.tgz +Source1: ldapscripts.conf.cgcs +Source2: ldapadduser.template.cgcs +Source3: ldapaddgroup.template.cgcs +Source4: ldapmoduser.template.cgcs +Source5: ldapaddsudo.template.cgcs +Source6: ldapmodsudo.template.cgcs +Source7: ldapscripts.passwd + +Patch0: sudo-support.patch +Patch1: sudo-delete-support.patch +Patch2: log_timestamp.patch +Patch3: ldap-user-setup-support.patch +Patch4: ldap-user-setup-support-input-validation.patch +Patch5: ldap-user-setup-noninteractive-mode-fix.patch + +%define debug_package %{nil} + +# BuildRequires: +# Requires: + +%description +Shell scripts that allow to manage POSIX accounts (users, groups, machines) in an LDAP directory. + + +%prep +%setup -q +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 + + +%build + + +%install +make install DESTDIR=%{buildroot} + +rm -Rf %{buildroot}/usr/local/man +rm -f %{buildroot}/usr/local/sbin/*machine* +rm -f %{buildroot}/usr/local/etc/ldapscripts/ldapaddmachine.template.sample +install -d ldroot}}/usr/local/etc/ +install -m 644 %{SOURCE1} %{buildroot}/usr/local/etc/ldapscripts/ldapscripts.conf +install -m 644 %{SOURCE2} %{buildroot}/usr/local/etc/ldapscripts/ldapadduser.template.cgcs +install -m 644 %{SOURCE3} %{buildroot}/usr/local/etc/ldapscripts/ldapaddgroup.template.cgcs +install -m 644 %{SOURCE4} %{buildroot}/usr/local/etc/ldapscripts/ldapmoduser.template.cgcs +install -m 644 %{SOURCE5} %{buildroot}/usr/local/etc/ldapscripts/ldapaddsudo.template.cgcs +install -m 644 %{SOURCE6} %{buildroot}/usr/local/etc/ldapscripts/ldapmodsudo.template.cgcs +install -m 600 %{SOURCE7} %{buildroot}/usr/local/etc/ldapscripts/ldapscripts.passwd + +%files +%defattr(-,root,root,-) +%dir /usr/local/etc/ldapscripts/ +%dir /usr/local/lib/ldapscripts/ +/usr/local/sbin/* +%config(noreplace) 
/usr/local/etc/ldapscripts/ldapscripts.passwd +/usr/local/etc/ldapscripts/* +/usr/local/lib/ldapscripts/* + + +%changelog + diff --git a/ldap/ldapscripts/files/ldap-user-setup-noninteractive-mode-fix.patch b/ldap/ldapscripts/files/ldap-user-setup-noninteractive-mode-fix.patch new file mode 100644 index 000000000..da3b20f4a --- /dev/null +++ b/ldap/ldapscripts/files/ldap-user-setup-noninteractive-mode-fix.patch @@ -0,0 +1,15 @@ +--- + sbin/ldapusersetup | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sbin/ldapusersetup ++++ b/sbin/ldapusersetup +@@ -105,7 +105,7 @@ LdapAddLoginShell () { + ;; + esac + else +- shellopn=${$2,,} ++ shellopn=${2,,} + case $shellopn in + "bash") _SHELL="/bin/sh";; + "lshell") _SHELL="$_DEFAULTLSHELL";; diff --git a/ldap/ldapscripts/files/ldap-user-setup-support-input-validation.patch b/ldap/ldapscripts/files/ldap-user-setup-support-input-validation.patch new file mode 100644 index 000000000..91caf1a65 --- /dev/null +++ b/ldap/ldapscripts/files/ldap-user-setup-support-input-validation.patch 
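Review bot: The `install -d ldroot}}/usr/local/etc/` line in %install is not a valid buildroot path as rendered here (it reads like a mangled `%{buildroot}` reference), so it either creates a stray relative directory in the build tree or fails, and the seven `install -m` lines after it silently depend on `make install` having already created `/usr/local/etc/ldapscripts`; it should read `install -d %{buildroot}/usr/local/etc/ldapscripts`. Separately, only ldapscripts.passwd is marked `%config(noreplace)`, while ldapscripts.conf — which carries SERVER, BINDDN and BINDPWDFILE — is only picked up by the bare `/usr/local/etc/ldapscripts/*` glob, so a package upgrade overwrites operator edits to the bind configuration; add `%config(noreplace) /usr/local/etc/ldapscripts/ldapscripts.conf` ahead of the glob. Installing the passwd file with mode 600 under `%defattr(-,root,root,-)` is right for a file holding the admin bind password and should be kept as is.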
@@ -0,0 +1,87 @@ +--- + sbin/ldapusersetup | 45 ++++++++++++++++++++++++++++++++++----------- + 1 file changed, 34 insertions(+), 11 deletions(-) + +--- a/sbin/ldapusersetup ++++ b/sbin/ldapusersetup +@@ -44,6 +44,29 @@ _SHELL="" + + ### Helper functions ### + ++# Gets input from user and validates it. ++# Will only return if input meets validation ++# criteria otherwise will just sit there. ++# ++# Input : input string ($1), valid output options ($2) ++# Output: the validated input ++# Note : the validation list must be an array ++LdapUserInput () { ++declare -a optionAry=("${!2}") ++while true; do ++ read -p "$1" _output ++ # convert to lower case ++ _output2=${_output,,} ++ # check if output is a valid option ++ if [[ "${optionAry[@]}" =~ "$_output2" ]]; then ++ break ++ else ++ echo "Invalid input \"$_output\". Allowed options: ${optionAry[@]}" >&2 ++ fi ++done ++ echo "$_output2" ++} ++ + # Delete an ldap user if it exists + # and exit with error + # Input : username ($1), exit msg ($2) +@@ -67,10 +90,12 @@ LdapAddUser() { + LdapAddLoginShell () { + if [ -z "$2" ]; then + # Ask the user for the login shell +- echo "Select Login Shell option # [2]: ++ shellInput="Select Login Shell option # [2]: + 1) Bash +-2) Lshell" +- read opn ++2) Lshell ++" ++ options=( 1, 2 ) ++ opn=`LdapUserInput "$shellInput" options[@]` + case $opn in + 1) _SHELL="/bin/sh";; + 2) _SHELL="$_DEFAULTLSHELL";; +@@ -139,7 +164,6 @@ LdapUpdateShadowWarning () { + echo "Updating password expiry to $_newWarning days" + } + +- + # Since this setup script is meant to be a + # wrapper on top of existing ldap scripts, + # it share invoke those... we could have achieved +@@ -170,10 +194,9 @@ if [ "$#" -eq 0 ]; then + # prompt for sudo permissions + if [ "$_SHELL" != "$_DEFAULTLSHELL" ]; then + # Should sudo be activated for this user +- echo -n "Add $_username to sudoer list? (yes/NO): " +- read CONFIRM +- CONFIRM=${CONFIRM,,} +- ++ shellInput="Add $_username to sudoer list? 
(yes/NO): " ++ options=( "yes", "no" ) ++ CONFIRM=`LdapUserInput "$shellInput" options[@]` + if is_yes $CONFIRM + then + LdapAddSudo "$_username" +@@ -181,9 +204,9 @@ if [ "$#" -eq 0 ]; then + fi + + # Add to secondary user group +- echo -n "Add $_username to secondary user group? (yes/NO): " +- read CONFIRM +- CONFIRM=${CONFIRM,,} ++ shellInput="Add $_username to secondary user group? (yes/NO): " ++ options=( "yes", "no" ) ++ CONFIRM=`LdapUserInput "$shellInput" options[@]` + if is_yes $CONFIRM + then + echo -n "Secondary group to add user to? [$_DEFAULTGRP2]: " diff --git a/ldap/ldapscripts/files/ldap-user-setup-support.patch b/ldap/ldapscripts/files/ldap-user-setup-support.patch new file mode 100644 index 000000000..c24576fe5 --- /dev/null +++ b/ldap/ldapscripts/files/ldap-user-setup-support.patch 
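Review bot: `LdapUserInput`'s check `[[ "${optionAry[@]}" =~ "$_output2" ]]` is a substring test against the space-joined option list rather than an equality test, so an empty reply or a fragment such as `e` or `s` passes validation, and because the call sites write `options=( 1, 2 )` and `options=( "yes", "no" )` the arrays actually hold `1,` and `yes,` (the commas become part of the elements). The prompt that guards the sudo grant therefore accepts answers it was meant to reject and hands them to `is_yes`, which presumably rejects fragments, so the visible failure is a confusing prompt rather than a wrong grant — but the validator no longer does what its header comment promises. Compare against each element exactly and drop the commas at the call sites; if an empty reply should still select the bracketed default, add `""` to the option arrays there.
```shell
LdapUserInput () {
    declare -a optionAry=("${!2}")
    while true; do
        read -p "$1" _output
        # convert to lower case
        _output2=${_output,,}
        # accept only an exact (case-folded) match against one option
        for _opt in "${optionAry[@]}"; do
            if [ "$_output2" = "$_opt" ]; then
                echo "$_output2"
                return 0
            fi
        done
        echo "Invalid input \"$_output\". Allowed options: ${optionAry[*]}" >&2
    done
}
# … call sites: options=( 1 2 ) and options=( "yes" "no" ), no commas …
```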
@@ -0,0 +1,354 @@ +--- + Makefile | 5 + man/man1/ldapusersetup.1 | 61 ++++++++++ + sbin/ldapusersetup | 263 +++++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 327 insertions(+), 2 deletions(-) + +--- /dev/null ++++ b/sbin/ldapusersetup +@@ -0,0 +1,263 @@ ++#!/bin/sh ++ ++# ldapusersetup : interactive setup for adding users to LDAP ++ ++# Copyright (c) 2015 Wind River Systems, Inc. ++# ++# This program is free software; you can redistribute it and/or ++# modify it under the terms of the GNU General Public License ++# as published by the Free Software Foundation; either version 2 ++# of the License, or (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program; if not, write to the Free Software ++# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, ++# USA. ++ ++if [ "$1" = "-h" ] || [ "$1" = "--help" ] || [ "$#" -eq 1 ] ++then ++ echo "Usage : $0 [-u ] ++where accepted field(s) are as follows: ++--sudo : whether to add this user to sudoer list ++--shell <\"bash\"|\"lshell\"> : choose the shell for this user (default is lshell) ++--secondgroup : the secondary group to add this user to ++--passmax : the shadowMax value for this user ++--passwarning : the shadowWarning value for this user" ++ exit 1 ++fi ++ ++# Source runtime file ++_RUNTIMEFILE="/usr/lib/ldapscripts/runtime" ++. 
"$_RUNTIMEFILE" ++ ++# runtime defaults ++_DEFAULTGRP2="wrs_protected" ++_DEFAULTLSHELL="/usr/local/bin/cgcs_cli" ++_DEFAULTSHADOWMAX="90" ++_DEFAULTSHADOWWARNING="2" ++_SHELL="" ++ ++### Helper functions ### ++ ++# Delete an ldap user if it exists ++# and exit with error ++# Input : username ($1), exit msg ($2) ++# Output : none ++LdapRollback() { ++ ldapdeleteuser "$1" ++ end_die "$2" ++} ++ ++# Add an ldap user and exit on failure ++# Input : username ($1) ++# Output : none ++LdapAddUser() { ++ ldapadduser "$1" users ++ [ $? -eq 0 ] || end_die "Critical setup error: cannot add user" ++} ++ ++# Replace Login Shell and call Rollback on failure ++# Input : username ($1), shell to set ($2) ++# Output : none ++LdapAddLoginShell () { ++ if [ -z "$2" ]; then ++ # Ask the user for the login shell ++ echo "Select Login Shell option # [2]: ++1) Bash ++2) Lshell" ++ read opn ++ case $opn in ++ 1) _SHELL="/bin/sh";; ++ 2) _SHELL="$_DEFAULTLSHELL";; ++ *) ++ [ ! -z "$opn" ] && echo "Invalid option. Selecting Lshell" ++ _SHELL="$_DEFAULTLSHELL" ++ ;; ++ esac ++ else ++ shellopn=${$2,,} ++ case $shellopn in ++ "bash") _SHELL="/bin/sh";; ++ "lshell") _SHELL="$_DEFAULTLSHELL";; ++ *) ++ echo "Invalid option($2). Selecting Lshell"; _SHELL="$_DEFAULTLSHELL" ++ ;; ++ esac ++ fi ++ # Replace the login shell ++ ldapmodifyuser $1 replace loginShell $_SHELL &> /dev/null ++ [ $? -eq 0 ] || LdapRollback $1 "Critical setup error: cannot set login shell" ++} ++ ++# Add user to sudoer list ++# Input : username ($1) ++# Output : true or false ++LdapAddSudo() { ++ ldapaddsudo "$1" 2> /dev/null ++ [ $? -eq 0 ] || \ ++ echo_log "Non critical setup error: cannot add to sudoer list" ++} ++ ++# Add user to a secondary user group ++# Input : username ($1), user group ($2) ++# Output : true or false ++LdapSecondaryGroup () { ++ _newGrp="$2" ++ [ -z "$2" ] && _newGrp=$_DEFAULTGRP2 ++ ++ ldapaddusertogroup $1 $_newGrp ++ [ $? 
-eq 0 ] || \ ++ echo_log "Non critical setup error: cannot add $1 to $_newGrp" ++} ++ ++# Update shadowMax for user ++# Input : username ($1), shadow Max value ($2) ++# Output : none ++LdapUpdateShadowMax () { ++ _newShadow="$2" ++ ! [[ "$2" =~ ^[0-9]+$ ]] || [ -z "$2" ] \ ++ && _newShadow=$_DEFAULTSHADOWMAX ++ ++ ldapmodifyuser $1 replace shadowMax $_newShadow ++ echo "Updating password expiry to $_newShadow days" ++} ++ ++# Update shadowWarning for user ++# Input : username ($1), shadow Warning value ($2) ++# Output : none ++LdapUpdateShadowWarning () { ++ _newWarning="$2" ++ ! [[ "$2" =~ ^[0-9]+$ ]] || [ -z "$2" ] \ ++ && _newWarning=$_DEFAULTSHADOWWARNING ++ ++ ldapmodifyuser $1 replace shadowWarning $_newWarning ++ echo "Updating password expiry to $_newWarning days" ++} ++ ++ ++# Since this setup script is meant to be a ++# wrapper on top of existing ldap scripts, ++# it share invoke those... we could have achieved ++# loose coupling by not relying on helpers but ++# at the expense of massively redundant code ++# duplication. ++declare -a helper_scripts=("ldapadduser" "ldapaddsudo" "ldapmodifyuser" "ldapaddusertogroup" "$_DEFAULTLSHELL") ++ ++# Do some quick sanity tests to make sure ++# helper scripts are present ++for src in "${helper_scripts[@]}"; do ++ if ! type "$src" &>/dev/null; then ++ end_die "Cannot locate $src. Update your PATH variable" ++ fi ++done ++ ++if [ "$#" -eq 0 ]; then ++ # This setup collects all attributes ++ # interactively during runtime ++ echo -n "Enter username to add to LDAP: " ++ read _username ++ LdapAddUser "$_username" ++ ++ # Replace the login shell. We will prompt the user for this ++ LdapAddLoginShell "$_username" ++ ++ # If login shell is NOT the default limited shell then ++ # prompt for sudo permissions ++ if [ "$_SHELL" != "$_DEFAULTLSHELL" ]; then ++ # Should sudo be activated for this user ++ echo -n "Add $_username to sudoer list? 
(yes/NO): " ++ read CONFIRM ++ CONFIRM=${CONFIRM,,} ++ ++ if is_yes $CONFIRM ++ then ++ LdapAddSudo "$_username" ++ fi ++ fi ++ ++ # Add to secondary user group ++ echo -n "Add $_username to secondary user group? (yes/NO): " ++ read CONFIRM ++ CONFIRM=${CONFIRM,,} ++ if is_yes $CONFIRM ++ then ++ echo -n "Secondary group to add user to? [$_DEFAULTGRP2]: " ++ read _grp2 ++ LdapSecondaryGroup $_username $_grp2 ++ fi ++ ++ # Set password expiry ++ echo -n "Enter days after which user password must \ ++be changed [$_DEFAULTSHADOWMAX]: " ++ read _shadowMax ++ LdapUpdateShadowMax $_username $_shadowMax ++ ++ # Set password warning ++ echo -n "Enter days before password is to expire that \ ++user is warned [$_DEFAULTSHADOWWARNING]: " ++ read _shadowWarning ++ LdapUpdateShadowWarning $_username $_shadowWarning ++ ++else ++ # we have to read command line option ++ while [[ $# > 1 ]] ++ do ++ key="$1" ++ ++ case $key in ++ -u|--user) # compulsory ++ _username="$2" ++ shift ++ ;; ++ --sudo) # optional ++ _sudo="yes" ++ ;; ++ --shell) # optional ++ _loginshell="$2" ++ shift ++ ;; ++ --passmax) # optional ++ _shadowMax="$2" ++ shift ++ ;; ++ --passwarning) # optional ++ _shadowWarning="$2" ++ shift ++ ;; ++ --secondgroup) # optional ++ _grpConfirm="1" ++ _grp2="$2" ++ shift ++ ;; ++ *) ++ ++ ;; ++ esac ++ shift ++ done ++ ++ # Add LDAP user ++ [ -z "$_username" ] && end_die "No username argument specified" ++ LdapAddUser $_username ++ ++ # Change Login Shell ++ LdapAddLoginShell $_username "$_loginshell" ++ ++ # Add sudo if required ++ if is_yes $_sudo ++ then ++ LdapAddSudo "$_username" ++ fi ++ ++ # Add secondary group if required ++ [ -z "$_grpConfirm" ] || LdapSecondaryGroup $_username $_grp2 ++ ++ # Password modifications ++ LdapUpdateShadowMax $_username $_shadowMax ++ LdapUpdateShadowWarning $_username $_shadowWarning ++fi +--- a/Makefile ++++ b/Makefile +@@ -41,12 +41,13 @@ SBINFILES = ldapdeletemachine ldapmodify + ldapdeleteuser ldapsetprimarygroup ldapfinger ldapid 
ldapgid ldapmodifymachine \ + ldaprenamegroup ldapaddgroup ldapaddusertogroup ldapdeleteuserfromgroup \ + ldapinit ldapmodifyuser ldaprenamemachine ldapaddmachine ldapdeletegroup \ +- ldaprenameuser ldapmodifysudo ldapdeletesudo ++ ldaprenameuser ldapmodifysudo ldapdeletesudo ldapusersetup + MAN1FILES = ldapdeletemachine.1 ldapmodifymachine.1 ldaprenamemachine.1 ldapadduser.1 \ + ldapdeleteuserfromgroup.1 ldapfinger.1 ldapid.1 ldapgid.1 ldapmodifyuser.1 lsldap.1 \ + ldapaddusertogroup.1 ldaprenameuser.1 ldapinit.1 ldapsetpasswd.1 ldapaddgroup.1 \ + ldapdeletegroup.1 ldapsetprimarygroup.1 ldapmodifygroup.1 ldaprenamegroup.1 \ +- ldapaddmachine.1 ldapdeleteuser.1 ldapaddsudo.1 ldapmodifysudo.1 ldapdeletesudo.1 ++ ldapaddmachine.1 ldapdeleteuser.1 ldapaddsudo.1 ldapmodifysudo.1 \ ++ ldapdeletesudo.1 ldapusersetup.1 + MAN5FILES = ldapscripts.5 + TMPLFILES = ldapaddgroup.template.sample ldapaddmachine.template.sample \ + ldapadduser.template.sample +--- /dev/null ++++ b/man/man1/ldapusersetup.1 +@@ -0,0 +1,61 @@ ++.\" Copyright (c) 2015 Wind River Systems, Inc. ++.\" ++.\" This program is free software; you can redistribute it and/or ++.\" modify it under the terms of the GNU General Public License ++.\" as published by the Free Software Foundation; either version 2 ++.\" of the License, or (at your option) any later version. ++.\" ++.\" This program is distributed in the hope that it will be useful, ++.\" but WITHOUT ANY WARRANTY; without even the implied warranty of ++.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++.\" GNU General Public License for more details. ++.\" ++.\" You should have received a copy of the GNU General Public License ++.\" along with this program; if not, write to the Free Software ++.\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, ++.\" USA. 
++.\" ++.\" Kam Nasim ++.\" knasim@windriver.com ++.\" ++.TH ldapusersetup 1 "December 16, 2015" ++ ++.SH NAME ++ldapusersetup \- wizard for adding an LDAP user to CGCS. ++ ++.SH SYNOPSIS ++.B ldapusersetup ++ ++.SH DESCRIPTION ++ldapusersetup interactively walks through the process of creating an LDAP user ++for access to CGCS services. The user is prompted for: ++- username ++- if a sudoEntry needs to be created ++- if a secondary user group needs to be added ++- user password expiry and warning configuration ++Alternatively, the user may provide these parameters as command line actions. ++Look at the OPTIONS section for more information. ++ ++To delete the user and all its group associations, simply use ldapdeleteuser(1) ++ ++.SH OPTIONS ++.TP ++.B [-u ] ++The name or uid of the user to modify. ++The following fields are available as long format options: ++--sudo : whether to add this user to sudoer list ++--shell : which login shell to use (default is lshell) ++--secondgroup : the secondary group to add this user to ++--passmax : the shadowMax value for this user ++--passwarning : the shadowWarning value for this user" ++ ++.SH "SEE ALSO" ++ldapdeleteuser(1), ldapaddgroup(1), ldapaddusertogroup(1), ldapmodifyuser(1), ldapscripts(5). ++ ++.SH AVAILABILITY ++The ldapscripts are provided under the GNU General Public License v2 (see COPYING for more details). ++The latest version of the ldapscripts is available on : ++.B http://contribs.martymac.org ++ ++.SH BUGS ++No bug known. diff --git a/ldap/ldapscripts/files/ldapaddgroup.template.cgcs b/ldap/ldapscripts/files/ldapaddgroup.template.cgcs new file mode 100755 index 000000000..b34c1059a --- /dev/null +++ b/ldap/ldapscripts/files/ldapaddgroup.template.cgcs @@ -0,0 +1,5 @@ +dn: cn=,, +objectClass: posixGroup +cn: +gidNumber: +description: Group account diff --git a/ldap/ldapscripts/files/ldapaddsudo.template.cgcs b/ldap/ldapscripts/files/ldapaddsudo.template.cgcs new file mode 100755 index 000000000..f93170db4 
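Review bot: The option loop in sbin/ldapusersetup, `while [[ $# > 1 ]]`, stops while one argument is still unread, so a flag given last (`ldapusersetup -u bob --sudo`) is silently dropped, and the `*) ;;` arm swallows unrecognised options without a message; for a script whose flags decide sudo membership and login shell, a mistyped or dropped option should abort rather than create a user with different privileges than the operator asked for. Change the loop to `while [ "$#" -gt 0 ]` and the default arm to `*) end_die "Unknown option: $key" ;;`, with the value-taking options checking that `$2` is non-empty before shifting. The file is also `#!/bin/sh` but relies on `[[ ]]`, `${2,,}`, `declare -a` and `&>`, which only works while /bin/sh is bash; either use `#!/bin/bash` or state the dependency in the header comment. Minor: `LdapUpdateShadowWarning` prints "Updating password expiry" where it reports the warning value.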
--- /dev/null +++ b/ldap/ldapscripts/files/ldapaddsudo.template.cgcs @@ -0,0 +1,10 @@ +dn: cn=,ou=SUDOers, +objectClass: top +objectClass: sudoRole +cn: +sudoUser: +sudoHost: ALL +sudoRunAsUser: ALL +sudoCommand: ALL +#sudoOrder: +#sudoOption: diff --git a/ldap/ldapscripts/files/ldapadduser.template.cgcs b/ldap/ldapscripts/files/ldapadduser.template.cgcs new file mode 100755 index 000000000..29f3cccb2 --- /dev/null +++ b/ldap/ldapscripts/files/ldapadduser.template.cgcs @@ -0,0 +1,16 @@ +dn: uid=,, +objectClass: account +objectClass: posixAccount +objectClass: shadowAccount +objectClass: top +cn: +uid: +uidNumber: +gidNumber: +shadowMax: 99999 +shadowWarning: 7 +shadowLastChange: 0 +homeDirectory: +loginShell: +gecos: +description: User account diff --git a/ldap/ldapscripts/files/ldapmodsudo.template.cgcs b/ldap/ldapscripts/files/ldapmodsudo.template.cgcs new file mode 100755 index 000000000..c79705fc6 --- /dev/null +++ b/ldap/ldapscripts/files/ldapmodsudo.template.cgcs @@ -0,0 +1,4 @@ +dn: cn=,ou=SUDOers, +changeType: modify +: +: diff --git a/ldap/ldapscripts/files/ldapmoduser.template.cgcs b/ldap/ldapscripts/files/ldapmoduser.template.cgcs new file mode 100755 index 000000000..f192024bc --- /dev/null +++ b/ldap/ldapscripts/files/ldapmoduser.template.cgcs @@ -0,0 +1,4 @@ +dn: uid=,, +changeType: modify +: +: diff --git a/ldap/ldapscripts/files/ldapscripts.conf.cgcs b/ldap/ldapscripts/files/ldapscripts.conf.cgcs new file mode 100755 index 000000000..9350dd37d --- /dev/null +++ b/ldap/ldapscripts/files/ldapscripts.conf.cgcs 
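Review bot: The role template sets `sudoHost: ALL`, `sudoRunAsUser: ALL` and `sudoCommand: ALL` with no `sudoOption`, so every entry created from it — including each "yes" at ldapusersetup's "Add to sudoer list?" prompt — is an unrestricted, root-equivalent sudo role, and nothing in the file says so. Add a leading comment such as `# Unrestricted sudo role (any command, any host, as any user); narrow sudoCommand/sudoRunAsUser for production directories` beside the existing `#sudoOrder:` / `#sudoOption:` lines, which suggest comment lines are tolerated by the template loader (confirm against lib/runtime before relying on that).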
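Review bot: `shadowMax: 99999` and `shadowWarning: 7` in ldapadduser.template.cgcs mean an account created with plain `ldapadduser` never has its password expire, whereas ldapusersetup in the same package defaults the same attributes to 90 and 2 (`_DEFAULTSHADOWMAX`, `_DEFAULTSHADOWWARNING`), so the expiry policy depends on which entry point the operator used. Either align the template to the setup defaults (`shadowMax: 90`, `shadowWarning: 2`) or add a comment stating that ldapusersetup is the intended path and overrides these values. `shadowLastChange: 0` presumably forces a password change at first login — worth a comment as well, since it is the only thing bounding the lifetime of the generated initial password.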
@@ -0,0 +1,152 @@ +# Copyright (C) 2005 Ganaël LAPLANCHE - Linagora +# Copyright (C) 2006-2013 Ganaël LAPLANCHE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, +# USA. + +# LDAP server +SERVER="ldap://controller" + +# Suffixes +SUFFIX="dc=cgcs,dc=local" # Global suffix +GSUFFIX="ou=Group" # Groups ou (just under $SUFFIX) +USUFFIX="ou=People" # Users ou (just under $SUFFIX) +MSUFFIX="ou=Machines" # Machines ou (just under $SUFFIX) + +# Authentication type +# If empty, use simple authentication +# Else, use the value as an SASL authentication mechanism +SASLAUTH="" +#SASLAUTH="GSSAPI" + +# Simple authentication parameters +# The following BIND* parameters are ignored if SASLAUTH is set +BINDDN="cn=ldapadmin,dc=cgcs,dc=local" +# The following file contains the raw password of the BINDDN +# Create it with something like : echo -n 'secret' > $BINDPWDFILE +# WARNING !!!! 
Be careful not to make this file world-readable +BINDPWDFILE="/usr/local/etc/ldapscripts/ldapscripts.passwd" +# For older versions of OpenLDAP, it is still possible to use +# unsecure command-line passwords by defining the following option +# AND commenting the previous one (BINDPWDFILE takes precedence) +#BINDPWD="secret" + +# Start with these IDs *if no entry found in LDAP* +GIDSTART="10000" # Group ID +UIDSTART="10000" # User ID +MIDSTART="20000" # Machine ID + +# Group membership management +# ObjectCLass used for groups +# Possible values : posixGroup, groupOfNames, groupOfUniqueNames (case-sensitive !) +# Warning : when using groupOf*, be sure to be compliant with RFC 2307bis (AUXILIARY posixGroup). +# Also, do not mix posixGroup and groupOf* entries up in you directory as, within RFC 2307bis, +# the former is a subset of the latter. The ldapscripts wouldn't cope well with this configuration. +GCLASS="posixGroup" # Leave "posixGroup" here if not sure ! +# When using groupOfNames or groupOfUniqueNames, creating a group requires an initial +# member. Specify it below, you will be able to remove it once groups are populated. +#GDUMMYMEMBER="uid=dummy,$USUFFIX,$SUFFIX" + +# User properties +USHELL="/bin/sh" +UHOMES="/home/%u" # You may use %u for username here +CREATEHOMES="no" # Create home directories and set rights ? +HOMESKEL="/etc/skel" # Directory where the skeleton files are located. Ignored if undefined or nonexistant. +HOMEPERMS="700" # Default permissions for home directories + +# User passwords generation +# Command-line used to generate a password for added users. +# You may use %u for username here ; special value "" will ask for a password interactively +# WARNING !!!! This is evaluated, everything specified here will be run ! +# WARNING(2) !!!! Some systems (Linux) use a blocking /dev/random (waiting for enough entropy). +# In this case, consider using /dev/urandom instead. 
+#PASSWORDGEN="cat /dev/random | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8" +#PASSWORDGEN="pwgen" +#PASSWORDGEN="echo changeme" +PASSWORDGEN="echo %u" +#PASSWORDGEN="" + +# User passwords recording +# you can keep trace of generated passwords setting PASSWORDFILE and RECORDPASSWORDS +# (useful when performing a massive creation / net rpc vampire) +# WARNING !!!! DO NOT FORGET TO DELETE THE GENERATED FILE WHEN DONE ! +# WARNING !!!! DO NOT FORGET TO TURN OFF RECORDING WHEN DONE ! +RECORDPASSWORDS="no" +PASSWORDFILE="/var/log/ldapscripts_passwd.log" + +# Where to log +LOGFILE="/var/log/ldapscripts.log" + +# Temporary folder +TMPDIR="/tmp" + +# Various binaries used within the scripts +# Warning : they also use uuencode, date, grep, sed, cut, which... +# Please check they are installed before using these scripts +# Note that many of them should come with your OS + +# OpenLDAP client commands +LDAPSEARCHBIN="/usr/bin/ldapsearch" +LDAPADDBIN="/usr/bin/ldapadd" +LDAPDELETEBIN="/usr/bin/ldapdelete" +LDAPMODIFYBIN="/usr/bin/ldapmodify" +LDAPMODRDNBIN="/usr/bin/ldapmodrdn" +LDAPPASSWDBIN="/usr/bin/ldappasswd" + +# OpenLDAP client common additional options +# This allows for adding more configuration options to the OpenLDAP clients, e.g. '-ZZ' to enforce TLS +#LDAPBINOPTS="-ZZ" + +# OpenLDAP ldapsearch-specific additional options +# The following option disables long-line wrapping (which makes the scripts bug +# when handling long lines). The option was introduced in OpenLDAP 2.4.24, so +# comment it if you are using OpenLDAP < 2.4.24. +LDAPSEARCHOPTS="-o ldif-wrap=no" +# And here is an example to activate paged results +#LDAPSEARCHOPTS="-E pr=500/noprompt" + +# Character set conversion : $ICONVCHAR <-> UTF-8 +# Comment ICONVBIN to disable UTF-8 conversion +# ICONVBIN="/usr/bin/iconv" +# ICONVCHAR="" + +# Base64 decoding +# Comment UUDECODEBIN to disable Base64 decoding +#UUDECODEBIN="/usr/bin/uudecode" + +# Getent command to use - choose the ones used +# on your system. 
Leave blank or comment for auto-guess. +# GNU/Linux +GETENTPWCMD="getent passwd" +GETENTGRCMD="getent group" +# FreeBSD +#GETENTPWCMD="pw usershow" +#GETENTGRCMD="pw groupshow" +# Auto +#GETENTPWCMD="" +#GETENTGRCMD="" + +# You can specify custom LDIF templates here +# Leave empty to use default templates +# See *.template.sample for default templates +#GTEMPLATE="/path/to/ldapaddgroup.template" +#UTEMPLATE="/path/to/ldapadduser.template" +#MTEMPLATE="/path/to/ldapaddmachine.template" +GTEMPLATE="/usr/local/etc/ldapscripts/ldapaddgroup.template.cgcs" +UTEMPLATE="/usr/local/etc/ldapscripts/ldapadduser.template.cgcs" +UMTEMPLATE="/usr/local/etc/ldapscripts/ldapmoduser.template.cgcs" +STEMPLATE="/usr/local/etc/ldapscripts/ldapaddsudo.template.cgcs" +SMTEMPLATE="/usr/local/etc/ldapscripts/ldapmodsudo.template.cgcs" +MTEMPLATE="" diff --git a/ldap/ldapscripts/files/ldapscripts.passwd b/ldap/ldapscripts/files/ldapscripts.passwd new file mode 100644 index 000000000..385336f09 --- /dev/null +++ b/ldap/ldapscripts/files/ldapscripts.passwd @@ -0,0 +1 @@ +_LDAPADMIN_PW_ diff --git a/ldap/ldapscripts/files/log_timestamp.patch b/ldap/ldapscripts/files/log_timestamp.patch new file mode 100644 index 000000000..a521d0ed5 --- /dev/null +++ b/ldap/ldapscripts/files/log_timestamp.patch @@ -0,0 +1,15 @@ +--- + lib/runtime | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/lib/runtime ++++ b/lib/runtime +@@ -863,7 +863,7 @@ fi + # Log command + if [ "$LOGTOFILE" = "yes" ] + then +- log_to_file "$(date '+%b %d %H:%M:%S') $(uname -n | sed 's|\..*$||') ldapscripts: $(basename "$0")($USER): $0 $*" ++ log_to_file "$(date '+%FT%T') $(uname -n | sed 's|\..*$||') ldapscripts: $(basename "$0")($USER): $0 $*" + fi + if [ "$LOGTOSYSLOG" = "yes" ] + then diff --git a/ldap/ldapscripts/files/sudo-delete-support.patch b/ldap/ldapscripts/files/sudo-delete-support.patch new file mode 100644 index 000000000..ed0d48e3f --- /dev/null +++ b/ldap/ldapscripts/files/sudo-delete-support.patch 
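Review bot: `PASSWORDGEN="echo %u"` makes every newly added account's initial password equal to its username, a guessable credential that stands until the user's first change; switch to one of the generators the file already lists (the `tr -dc 'a-zA-Z0-9' | head -c8` line, fed from `/dev/urandom` as the comment above it advises and ideally longer than 8 characters) or to `PASSWORDGEN=""` so the password is requested interactively. Separately, `SERVER="ldap://controller"` with simple bind and `#LDAPBINOPTS="-ZZ"` left commented means the `cn=ldapadmin` password read from BINDPWDFILE and every attribute change travel without TLS; enable `LDAPBINOPTS="-ZZ"` wherever the directory offers StartTLS, or document that the controller link is protected by other means. Keeping `RECORDPASSWORDS="no"` is the right default and should stay.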
@@ -0,0 +1,352 @@
+---
+ Makefile | 4 +--
+ lib/runtime | 15 ++++++++++++
+ man/man1/ldapaddsudo.1 | 54 +++++++++++++++++++++++++++++++++++++++++++
+ man/man1/ldapdeletesudo.1 | 46 +++++++++++++++++++++++++++++++++++++
+ man/man1/ldapdeleteuser.1 | 5 ++--
+ man/man1/ldapmodifysudo.1 | 57 ++++++++++++++++++++++++++++++++++++++++++++++
+ man/man1/ldapmodifyuser.1 | 15 ++++++++---
+ sbin/ldapdeletesudo | 38 ++++++++++++++++++++++++++++++
+ sbin/ldapdeleteuser | 5 ++++
+ sbin/ldapmodifysudo | 2 -
+ 10 files changed, 232 insertions(+), 9 deletions(-)
+
+--- a/sbin/ldapdeleteuser
++++ b/sbin/ldapdeleteuser
+@@ -46,6 +46,11 @@ _UDN="$_ENTRY"
+ # Delete entry
+ _ldapdelete "$_UDN" || end_die "Error deleting user $_UDN from LDAP"
+
++
++# Optionally, delete the sudoer entry if it exists
++_ldapdeletesudo $1
++[ $? -eq 2 ] && end_die "Found sudoEntry for user $_UDN but unable to delete"
++
+ # Finally, delete this user from all his secondary groups
+ case $GCLASS in
+ posixGroup)
+--- a/sbin/ldapmodifysudo
++++ b/sbin/ldapmodifysudo
+@@ -1,6 +1,6 @@
+ #!/bin/sh
+
+-# ldapmodifyuser : modifies a sudo entry in an LDAP directory
++# ldapmodifysudo : modifies a sudo entry in an LDAP directory
+
+ # Copyright (C) 2007-2013 Ganaël LAPLANCHE
+ # Copyright (C) 2014 Stephen Crooks
+--- /dev/null
++++ b/sbin/ldapdeletesudo
+@@ -0,0 +1,38 @@
++#!/bin/sh
++
++# ldapdeletesudo : deletes a sudoRole from LDAP
++
++# Copyright (C) 2005 Ganaël LAPLANCHE - Linagora
++# Copyright (C) 2006-2013 Ganaël LAPLANCHE
++# Copyright (c) 2015 Wind River Systems, Inc.
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License
++# as published by the Free Software Foundation; either version 2
++# of the License, or (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program; if not, write to the Free Software
++# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
++# USA.
++
++if [ -z "$1" ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]
++then
++ echo "Usage : $0 "
++ exit 1
++fi
++
++# Source runtime file
++_RUNTIMEFILE="/usr/lib/ldapscripts/runtime"
++. "$_RUNTIMEFILE"
++
++# Username = first argument
++_ldapdeletesudo "$1"
++[ $? -eq 0 ] || end_die "Unable to locate or delete sudoUser entry for $1"
++
++end_ok "Successfully deleted sudoUser entry for $1 from LDAP"
+--- a/man/man1/ldapmodifyuser.1
++++ b/man/man1/ldapmodifyuser.1
+@@ -1,4 +1,5 @@
+ .\" Copyright (C) 2007-2017 Ganaël LAPLANCHE
++.\" Copyright (c) 2015 Wind River Systems, Inc.
+ .\"
+ .\" This program is free software; you can redistribute it and/or
+ .\" modify it under the terms of the GNU General Public License
+@@ -19,14 +20,14 @@
+ .\" ganael.laplanche@martymac.org
+ .\" http://contribs.martymac.org
+ .\"
+-.TH ldapmodifyuser 1 "August 22, 2007"
++.TH ldapmodifyuser 1 "December 8, 2015"
+
+ .SH NAME
+ ldapmodifyuser \- modifies a POSIX user account in LDAP interactively
+
+ .SH SYNOPSIS
+ .B ldapmodifyuser
+-.RB
++.RB [ ]
+
+ .SH DESCRIPTION
+ ldapmodifyuser first looks for the right entry to modify. Once found, the entry is presented and you
+@@ -34,13 +35,18 @@ are prompted to enter LDIF data to modif
+ The DN of the entry being modified is already specified : just begin with a changeType attribute or any
+ other one(s) of your choice (in this case, the defaut changeType is 'modify').
+
++Alternatively, if an optional "action" argument is given, followed by a
++field - value pair then user will not be interactively prompted.
++
+ .SH OPTIONS
+ .TP
+-.B
++.B [ ]
+ The name or uid of the user to modify.
++The optional "action" pertaining to this user entry.
++The field - value pair on which the action needs to be undertaken.
+
+ .SH "SEE ALSO"
+-ldapmodifygroup(1), ldapmodifymachine(1), ldapscripts(5).
++ldapmodifygroup(1), ldapmodifymachine(1), ldapmodifysudo(1), ldapscripts(5).
+
+ .SH AVAILABILITY
+ The ldapscripts are provided under the GNU General Public License v2 (see COPYING for more details).
+--- a/man/man1/ldapdeleteuser.1
++++ b/man/man1/ldapdeleteuser.1
+@@ -1,4 +1,5 @@
+ .\" Copyright (C) 2006-2017 Ganaël LAPLANCHE
++.\" Copyright (c) 2015 Wind River Systems, Inc.
+ .\"
+ .\" This program is free software; you can redistribute it and/or
+ .\" modify it under the terms of the GNU General Public License
+@@ -19,10 +20,10 @@
+ .\" ganael.laplanche@martymac.org
+ .\" http://contribs.martymac.org
+ .\"
+-.TH ldapdeleteuser 1 "January 1, 2006"
++.TH ldapdeleteuser 1 "December 8, 2015"
+
+ .SH NAME
+-ldapdeleteuser \- deletes a POSIX user account from LDAP.
++ldapdeleteuser \- deletes a POSIX user account, and its sudo entry, from LDAP.
+
+ .SH SYNOPSIS
+ .B ldapdeleteuser
+--- /dev/null
++++ b/man/man1/ldapaddsudo.1
+@@ -0,0 +1,54 @@
++.\" Copyright (C) 2006-2013 Ganaël LAPLANCHE
++.\" Copyright (c) 2015 Wind River Systems, Inc.
++.\"
++.\" This program is free software; you can redistribute it and/or
++.\" modify it under the terms of the GNU General Public License
++.\" as published by the Free Software Foundation; either version 2
++.\" of the License, or (at your option) any later version.
++.\"
++.\" This program is distributed in the hope that it will be useful,
++.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
++.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++.\" GNU General Public License for more details.
++.\"
++.\" You should have received a copy of the GNU General Public License
++.\" along with this program; if not, write to the Free Software
++.\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
++.\" USA.
++.\"
++.\" Ganael Laplanche
++.\" ganael.laplanche@martymac.org
++.\" http://contribs.martymac.org
++.\"
++.TH ldapaddsudo 1 "December 8, 2015"
++
++.SH NAME
++ldapaddsudo \- adds a POSIX user account to the sudoer list in LDAP.
++
++.SH SYNOPSIS
++.B ldapaddsudo
++.RB
++.RB
++.RB [uid]
++
++.SH OPTIONS
++.TP
++.B
++The name of the user to add.
++.TP
++.B
++The group name or the gid of the user to add.
++.TP
++.B [uid]
++The uid of the user to add. Automatically computed if not specified.
++
++.SH "SEE ALSO"
++ldapadduser(1), ldapaddgroup(1), ldapaddmachine(1), ldapscripts(5).
++
++.SH AVAILABILITY
++The ldapscripts are provided under the GNU General Public License v2 (see COPYING for more details).
++The latest version of the ldapscripts is available on :
++.B http://contribs.martymac.org
++
++.SH BUGS
++No bug known.
+--- /dev/null
++++ b/man/man1/ldapmodifysudo.1
+@@ -0,0 +1,57 @@
++.\" Copyright (C) 2007-2013 Ganaël LAPLANCHE
++.\" Copyright (c) 2015 Wind River Systems, Inc.
++.\"
++.\" This program is free software; you can redistribute it and/or
++.\" modify it under the terms of the GNU General Public License
++.\" as published by the Free Software Foundation; either version 2
++.\" of the License, or (at your option) any later version.
++.\"
++.\" This program is distributed in the hope that it will be useful,
++.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
++.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++.\" GNU General Public License for more details.
++.\"
++.\" You should have received a copy of the GNU General Public License
++.\" along with this program; if not, write to the Free Software
++.\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
++.\" USA.
++.\"
++.\" Ganael Laplanche
++.\" ganael.laplanche@martymac.org
++.\" http://contribs.martymac.org
++.\"
++.TH ldapmodifysudo 1 "December 8, 2015"
++
++.SH NAME
++ldapmodifysudo \- modifies the sudo entry of a POSIX user account in LDAP interactively
++
++.SH SYNOPSIS
++.B ldapmodifysudo
++.RB [ ]
++
++.SH DESCRIPTION
++ldapmodifysudo first looks for the right entry to modify. Once found, the entry is presented and you
++are prompted to enter LDIF data to modify it as you would do using a standard LDIF file and ldapmodify(1).
++The DN of the entry being modified is already specified : just begin with a changeType attribute or any
++other one(s) of your choice (in this case, the defaut changeType is 'modify').
++
++Alternatively, if an optional "action" argument is given, followed by a
++field - value pair then user will not be interactively prompted.
++
++.SH OPTIONS
++.TP
++.B [ ]
++The name or uid of the user to modify.
++The optional "action" pertaining to this user entry.
++The field - value pair on which the action needs to be undertaken.
++
++.SH "SEE ALSO"
++ldapmodifygroup(1), ldapmodifymachine(1), ldapmodifyuser(1), ldapscripts(5).
++
++.SH AVAILABILITY
++The ldapscripts are provided under the GNU General Public License v2 (see COPYING for more details).
++The latest version of the ldapscripts is available on :
++.B http://contribs.martymac.org
++
++.SH BUGS
++No bug known.
+--- /dev/null
++++ b/man/man1/ldapdeletesudo.1
+@@ -0,0 +1,46 @@
++.\" Copyright (C) 2006-2013 Ganaël LAPLANCHE
++.\" Copyright (c) 2015 Wind River Systems, Inc.
++.\"
++.\" This program is free software; you can redistribute it and/or
++.\" modify it under the terms of the GNU General Public License
++.\" as published by the Free Software Foundation; either version 2
++.\" of the License, or (at your option) any later version.
++.\"
++.\" This program is distributed in the hope that it will be useful,
++.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
++.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++.\" GNU General Public License for more details.
++.\"
++.\" You should have received a copy of the GNU General Public License
++.\" along with this program; if not, write to the Free Software
++.\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
++.\" USA.
++.\"
++.\" Ganael Laplanche
++.\" ganael.laplanche@martymac.org
++.\" http://contribs.martymac.org
++.\"
++.TH ldapdeletesudo 1 "December 8, 2015"
++
++.SH NAME
++ldapdeletesudo \- deletes a sudo entry, for a POSIX user account, in LDAP
++
++.SH SYNOPSIS
++.B ldapdeletesudo
++.RB
++
++.SH OPTIONS
++.TP
++.B
++The name or uid of the user to delete.
++
++.SH "SEE ALSO"
++ldapdeletegroup(1), ldapdeletemachine(1), ldapdeleteuser(1), ldapscripts(5).
++
++.SH AVAILABILITY
++The ldapscripts are provided under the GNU General Public License v2 (see COPYING for more details).
++The latest version of the ldapscripts is available on :
++.B http://contribs.martymac.org
++
++.SH BUGS
++No bug known.
+--- a/Makefile
++++ b/Makefile
+@@ -41,12 +41,12 @@ SBINFILES = ldapdeletemachine ldapmodifygroup ldapsetpasswd lsldap ldapadduser |
+ ldapdeleteuser ldapsetprimarygroup ldapfinger ldapid ldapgid ldapmodifymachine \
+ ldaprenamegroup ldapaddgroup ldapaddusertogroup ldapdeleteuserfromgroup \
+ ldapinit ldapmodifyuser ldaprenamemachine ldapaddmachine ldapdeletegroup \
+- ldaprenameuser ldapmodifysudo
++ ldaprenameuser ldapmodifysudo ldapdeletesudo
+ MAN1FILES = ldapdeletemachine.1 ldapmodifymachine.1 ldaprenamemachine.1 ldapadduser.1 \
+ ldapdeleteuserfromgroup.1 ldapfinger.1 ldapid.1 ldapgid.1 ldapmodifyuser.1 lsldap.1 \
+ ldapaddusertogroup.1 ldaprenameuser.1 ldapinit.1 ldapsetpasswd.1 ldapaddgroup.1 \
+ ldapdeletegroup.1 ldapsetprimarygroup.1 ldapmodifygroup.1 ldaprenamegroup.1 \
+- ldapaddmachine.1 ldapdeleteuser.1
++ ldapaddmachine.1 ldapdeleteuser.1 ldapaddsudo.1 ldapmodifysudo.1 ldapdeletesudo.1
+ MAN5FILES = ldapscripts.5
+ TMPLFILES = ldapaddgroup.template.sample ldapaddmachine.template.sample \
+ ldapadduser.template.sample
+--- a/lib/runtime
++++ b/lib/runtime
+@@ -294,6 +294,21 @@ _ldapdelete () {
+ fi
+ }
+
++# Deletes a sudoUser entry in the LDAP directory
++# Input : POSIX username whose sudo entry to delete ($1)
++# Output: 0 on successful delete
++# 1 on being unable to find sudoUser
++# 2 on being unable to delete found sudoUser entry
++_ldapdeletesudo () {
++ [ -z "$1" ] && end_die "_ldapdeletesudo : missing argument"
++ # Find the entry
++ _findentry "$SUFFIX" "(&(objectClass=sudoRole)(|(cn=$1)(sudoUser=$1)))"
++ [ -z "$_ENTRY" ] && return 1
++
++ # Now delete that entry
++ _ldapdelete "$_ENTRY" || return 2
++}
++
+ # Extracts LDIF information from $0 (the current script itself)
+ # selecting lines beginning with $1 occurrences of '#'
+ # Input : depth ($1)
diff --git a/ldap/ldapscripts/files/sudo-support.patch b/ldap/ldapscripts/files/sudo-support.patch
new file mode 100644
index 000000000..76fff9422
--- /dev/null
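Review bot: The `_ldapdeletesudo` helper added to lib/runtime searches with `(&(objectClass=sudoRole)(|(cn=$1)(sudoUser=$1)))` and then deletes whatever `_findentry` returns, so when `ldapdeleteuser` calls it, removing one account also deletes any shared sudoRole that merely lists that user among several `sudoUser` values, silently revoking sudo for everyone else in that role. The deletion should be confined to the per-user role this tooling creates — match on `(cn=$1)` alone — or, when the hit came through `sudoUser`, remove just that attribute value with `_ldapmodify` instead of deleting the entry; how `_findentry` behaves when several entries match is not visible here and is worth checking too. The call in sbin/ldapdeleteuser passes the argument unquoted, `_ldapdeletesudo $1`, while the rest of the script quotes it; `_ldapdeletesudo "$1"` keeps the argument intact under word splitting. As in the existing scripts, `$1` is interpolated into the LDAP filter without escaping, so a name containing filter metacharacters such as `*`, `(` or `)` changes which entries match; the new code path would benefit from an anchored character-class check on the username before the search. The new man/man1/ldapaddsudo.1 OPTIONS section describes group and `[uid]` arguments that look copied from ldapadduser(1) and do not match the single-username usage of the ldapaddsudo script, and its SEE ALSO should list ldapmodifysudo(1) and ldapdeletesudo(1).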
+++ b/ldap/ldapscripts/files/sudo-support.patch
@@ -0,0 +1,289 @@
+Index: ldapscripts-2.0.8/sbin/ldapaddsudo
+===================================================================
+--- /dev/null
++++ ldapscripts-2.0.8/sbin/ldapaddsudo
+@@ -0,0 +1,63 @@
++#!/bin/sh
++
++# ldapaddsudo : adds a sudoRole to LDAP
++
++# Copyright (C) 2005 Ganaël LAPLANCHE - Linagora
++# Copyright (C) 2006-2013 Ganaël LAPLANCHE
++# Copyright (c) 2014 Wind River Systems, Inc.
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License
++# as published by the Free Software Foundation; either version 2
++# of the License, or (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program; if not, write to the Free Software
++# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
++# USA.
++
++if [ -z "$1" ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]
++then
++ echo "Usage : $0 "
++ exit 1
++fi
++
++# Source runtime file
++_RUNTIMEFILE="/usr/lib/ldapscripts/runtime"
++. "$_RUNTIMEFILE"
++
++# Username = first argument
++_USER="$1"
++
++# Use template if necessary
++if [ -n "$STEMPLATE" ] && [ -r "$STEMPLATE" ]
++then
++ _getldif="cat $STEMPLATE"
++else
++ _getldif="_extractldif 2"
++fi
++
++# Add sudo entry to LDAP
++$_getldif | _filterldif | _askattrs | _utf8encode | _ldapadd
++
++[ $? -eq 0 ] || end_die "Error adding user $_USER to LDAP"
++echo_log "Successfully added sudo access for user $_USER to LDAP"
++
++end_ok
++
++# Ldif template ##################################
++##dn: cn=,ou=SUDOers,,
++##objectClass: top
++##objectClass: sudoRole
++##cn:
++##sudoUser:
++##sudoHost: ALL
++##sudoRunAsUser: ALL
++##sudoCommand: ALL
++###sudoOrder:
++###sudoOption:
+Index: ldapscripts-2.0.8/sbin/ldapmodifyuser
+===================================================================
+--- ldapscripts-2.0.8.orig/sbin/ldapmodifyuser
++++ ldapscripts-2.0.8/sbin/ldapmodifyuser
+@@ -19,9 +19,11 @@
+ # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+ # USA.
+
+-if [ -z "$1" ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]
++if [ "$1" = "-h" ] || [ "$1" = "--help" ] || \
++ [[ "$2" != "add" && "$2" != "replace" && "$2" != "delete" ]] || \
++ [ "$#" -ne 4 ]
+ then
+- echo "Usage : $0 "
++ echo "Usage : $0 [ ]"
+ exit 1
+ fi
+
+@@ -33,21 +35,48 @@ _RUNTIMEFILE="/usr/lib/ldapscripts/runti
+ _findentry "$USUFFIX,$SUFFIX" "(&(objectClass=posixAccount)(|(uid=$1)(uidNumber=$1)))"
+ [ -z "$_ENTRY" ] && end_die "User $1 not found in LDAP"
+
+-# Allocate and create temp file
+-mktempf
+-echo "dn: $_ENTRY" > "$_TMPFILE" || end_die "Error writing to temporary file $_TMPFILE"
+-
+-# Display entry
+-echo "# About to modify the following entry :"
+-_ldapsearch "$_ENTRY"
+-
+-# Edit entry
+-echo "# Enter your modifications here, end with CTRL-D."
+-echo "dn: $_ENTRY"
+-cat >> "$_TMPFILE" || end_die "Error writing to temporary file $_TMPFILE"
++# Username = first argument
++_USER="$1"
++
++if [ "$#" -eq 1 ]
++then
++ # Allocate and create temp file
++ mktempf
++ echo "dn: $_ENTRY" > "$_TMPFILE" || end_die "Error writing to temporary file $_TMPFILE"
++
++ # Display entry
++ echo "# About to modify the following entry :"
++ _ldapsearch "$_ENTRY"
++
++ # Edit entry
++ echo "# Enter your modifications here, end with CTRL-D."
++ echo "dn: $_ENTRY"
++ cat >> "$_TMPFILE" || end_die "Error writing to temporary file $_TMPFILE"
++
++ # Send modifications
++ cat "$_TMPFILE" | _utf8encode | _ldapmodify
++else
++ # Action = second argument
++ _ACTION="$2"
++
++ # Field = third argument
++ _FIELD="$3"
++
++ # Value = fourth argument
++ _VALUE="$4"
++
++ # Use template if necessary
++ if [ -n "$UMTEMPLATE" ] && [ -r "$UMTEMPLATE" ]
++ then
++ _getldif="cat $UMTEMPLATE"
++ else
++ _getldif="_extractldif 2"
++ fi
++
++ # Modify user in LDAP
++ $_getldif | _filterldif | _utf8encode | _ldapmodify
++fi
+
+-# Send modifications
+-cat "$_TMPFILE" | _utf8encode | _ldapmodify
+ if [ $? -ne 0 ]
+ then
+ reltempf
+@@ -55,3 +84,9 @@ then
+ fi
+ reltempf
+ end_ok "Successfully modified user entry $_ENTRY in LDAP"
++
++# Ldif template ##################################
++##dn: uid=,,
++##changeType: modify
++##:
++##:
+Index: ldapscripts-2.0.8/lib/runtime
+===================================================================
+--- ldapscripts-2.0.8.orig/lib/runtime
++++ ldapscripts-2.0.8/lib/runtime
+@@ -344,6 +344,9 @@ s||$MSUFFIX|g
+ s|<_msuffix>|$_MSUFFIX|g
+ s||$GSUFFIX|g
+ s|<_gsuffix>|$_GSUFFIX|g
++s||$_ACTION|g
++s||$_FIELD|g
++s||$_VALUE|g
+ EOF
+
+ # Use it
+Index: ldapscripts-2.0.8/Makefile
+===================================================================
+--- ldapscripts-2.0.8.orig/Makefile
++++ ldapscripts-2.0.8/Makefile
+@@ -37,11 +37,11 @@ LIBDIR = $(PREFIX)/lib/$(NAME)
+ RUNFILE = runtime
+ ETCFILE = ldapscripts.conf
+ PWDFILE = ldapscripts.passwd
+-SBINFILES = ldapdeletemachine ldapmodifygroup ldapsetpasswd lsldap ldapadduser \
++SBINFILES = ldapdeletemachine ldapmodifygroup ldapsetpasswd lsldap ldapadduser ldapaddsudo \
+ ldapdeleteuser ldapsetprimarygroup ldapfinger ldapid ldapgid ldapmodifymachine \
+ ldaprenamegroup ldapaddgroup ldapaddusertogroup ldapdeleteuserfromgroup \
+ ldapinit ldapmodifyuser ldaprenamemachine ldapaddmachine ldapdeletegroup \
+- ldaprenameuser
++ ldaprenameuser ldapmodifysudo
+ MAN1FILES = ldapdeletemachine.1 ldapmodifymachine.1 ldaprenamemachine.1 ldapadduser.1 \
+ ldapdeleteuserfromgroup.1 ldapfinger.1 ldapid.1 ldapgid.1 ldapmodifyuser.1 lsldap.1 \
+ ldapaddusertogroup.1 ldaprenameuser.1 ldapinit.1 ldapsetpasswd.1 ldapaddgroup.1 \
+Index: ldapscripts-2.0.8/sbin/ldapmodifysudo
+===================================================================
+--- /dev/null
++++ ldapscripts-2.0.8/sbin/ldapmodifysudo
+@@ -0,0 +1,93 @@
++#!/bin/sh
++
++# ldapmodifyuser : modifies a sudo entry in an LDAP directory
++
++# Copyright (C) 2007-2013 Ganaël LAPLANCHE
++# Copyright (C) 2014 Stephen Crooks
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License
++# as published by the Free Software Foundation; either version 2
++# of the License, or (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program; if not, write to the Free Software
++# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
++# USA.
++
++if [ "$1" = "-h" ] || [ "$1" = "--help" ] || \
++ [[ "$2" != "add" && "$2" != "replace" && "$2" != "delete" ]] || \
++ [ "$#" -ne 4 ]
++then
++ echo "Usage : $0 [ ]"
++ exit 1
++fi
++
++# Source runtime file
++_RUNTIMEFILE="/usr/lib/ldapscripts/runtime"
++. "$_RUNTIMEFILE"
++
++# Find username : $1 must exist in LDAP !
++_findentry "$SUFFIX" "(&(objectClass=sudoRole)(|(cn=$1)(sudoUser=$1)))"
++[ -z "$_ENTRY" ] && end_die "Sudo user $1 not found in LDAP"
++
++# Username = first argument
++_USER="$1"
++
++if [ "$#" -eq 1 ]
++then
++ # Allocate and create temp file
++ mktempf
++ echo "dn: $_ENTRY" > "$_TMPFILE" || end_die "Error writing to temporary file $_TMPFILE"
++
++ # Display entry
++ echo "# About to modify the following entry :"
++ _ldapsearch "$_ENTRY"
++
++ # Edit entry
++ echo "# Enter your modifications here, end with CTRL-D."
++ echo "dn: $_ENTRY"
++ cat >> "$_TMPFILE" || end_die "Error writing to temporary file $_TMPFILE"
++
++ # Send modifications
++ cat "$_TMPFILE" | _utf8encode | _ldapmodify
++else
++ # Action = second argument
++ _ACTION="$2"
++
++ # Field = third argument
++ _FIELD="$3"
++
++ # Value = fourth argument
++ _VALUE="$4"
++
++ # Use template if necessary
++ if [ -n "$SMTEMPLATE" ] && [ -r "$SMTEMPLATE" ]
++ then
++ _getldif="cat $SMTEMPLATE"
++ else
++ _getldif="_extractldif 2"
++ fi
++
++ # Modify user in LDAP
++ $_getldif | _filterldif | _utf8encode | _ldapmodify
++fi
++
++if [ $? -ne 0 ]
++then
++ reltempf
++ end_die "Error modifying sudo entry $_ENTRY in LDAP"
++fi
++reltempf
++end_ok "Successfully modified sudo entry $_ENTRY in LDAP"
++
++# Ldif template ##################################
++##dn: cn=,ou=SUDOers,
++##changeType: modify
++##:
++##:
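Review bot: The new argument check in sbin/ldapmodifyuser, and the identical one in the new sbin/ldapmodifysudo, exits with usage whenever `[ "$#" -ne 4 ]`, so the interactive path guarded by `if [ "$#" -eq 1 ]` a few lines later can never run and the documented optional action mode is broken; the `-z "$1"` guard was dropped at the same time, and `[[ ... ]]` is used under `#!/bin/sh`, which is not POSIX and on shells such as dash fails as an unknown command that simply becomes another true branch of the `||` chain. A `case` on `$#` that accepts exactly one or exactly four arguments, validating the action only in the four-argument form, restores the intended behaviour with POSIX constructs (see below). In the lib/runtime sed script the added `s||$_VALUE|g` (and the `_ACTION`/`_FIELD` lines) interpolate the arguments into an expression delimited by `|`, so a value containing `|`, `&` or `\` either breaks the script or is misinterpreted by sed; escaping those characters before substitution, or rejecting them, is needed for the non-interactive mode to be reliable. The ldapaddsudo default template creates a sudoRole with `sudoHost: ALL`, `sudoRunAsUser: ALL` and `sudoCommand: ALL`, i.e. unrestricted sudo; that should be stated in the script's header comment and in ldapaddsudo(1) so operators know what the command grants, and `end_die "Error adding user $_USER to LDAP"` should say `sudo entry` since no user is being created.
```shell
# Accept either a single username (interactive) or username action field value
_usage=1
case "$#" in
    1) if [ -n "$1" ] && [ "$1" != "-h" ] && [ "$1" != "--help" ]; then _usage=0; fi ;;
    4) case "$2" in add|replace|delete) _usage=0 ;; esac ;;
esac
if [ "$_usage" -eq 1 ]
then
    # … unchanged: usage message and exit 1 …
fi
# … unchanged: source runtime file, _findentry, interactive / non-interactive branches …
```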