starlingx/integ
Code Issues Proposed changes
cabaf9abc8
integ/ldap/ldapscripts/files/ldap-user-setup-support.patch
Scott Little 69be80651e Relocate ldapscripts to stx-integ/ldap/ldapscripts 
Move content from stx-gplv2 into stx-integ

Packages will be relocated to

stx-integ:
    base/
        bash
        cgcs-users
        cluster-resource-agents
        dpkg
        haproxy
        libfdt
        netpbm
        rpm

    database/
        mariadb

    filesystem/
        iscsi-initiator-utils

    filesystem/drbd/
        drbd-tools

    kernel/kernel-modules/
        drbd
        integrity
        intel-e1000e
        intel-i40e
        intel-i40evf
        intel-ixgbe
        intel-ixgbevf
        qat17
        tpmdd

    ldap/
        ldapscripts

    networking/
        iptables
        net-tools

Change-Id: I688cd576de5e8fb9fbe7ad727b9e5321ad4b0e45
Story: 2002801
Task: 22687
Signed-off-by: Scott Little <scott.little@windriver.com>
2018-08-01 15:31:54 -04:00

355 lines
11 KiB
Diff
Raw Blame History

---
Makefile | 5
man/man1/ldapusersetup.1 | 61 ++++++++++
sbin/ldapusersetup | 263 +++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 327 insertions(+), 2 deletions(-)
--- /dev/null
+++ b/sbin/ldapusersetup
@@ -0,0 +1,263 @@
+#!/bin/sh
+
+# ldapusersetup : interactive setup for adding users to LDAP
+
+# Copyright (c) 2015 Wind River Systems, Inc.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+# USA.
+
+if [ "$1" = "-h" ] || [ "$1" = "--help" ] || [ "$#" -eq 1 ]
+then
+ echo "Usage : $0 [-u <username | uid> <field> <value>]
+where accepted field(s) are as follows:
+--sudo : whether to add this user to sudoer list
+--shell <\"bash\"|\"lshell\"> : choose the shell for this user (default is lshell)
+--secondgroup <grp> : the secondary group to add this user to
+--passmax <value> : the shadowMax value for this user
+--passwarning <value> : the shadowWarning value for this user"
+ exit 1
+fi
+
+# Source runtime file
+_RUNTIMEFILE="/usr/lib/ldapscripts/runtime"
+. "$_RUNTIMEFILE"
+
+# runtime defaults
+_DEFAULTGRP2="wrs_protected"
+_DEFAULTLSHELL="/usr/local/bin/cgcs_cli"
+_DEFAULTSHADOWMAX="90"
+_DEFAULTSHADOWWARNING="2"
+_SHELL=""
+
+### Helper functions ###
+
+# Delete an ldap user if it exists
+# and exit with error
+# Input : username ($1), exit msg ($2)
+# Output : none
+LdapRollback() {
+ ldapdeleteuser "$1"
+ end_die "$2"
+}
+
+# Add an ldap user and exit on failure
+# Input : username ($1)
+# Output : none
+LdapAddUser() {
+ ldapadduser "$1" users
+ [ $? -eq 0 ] || end_die "Critical setup error: cannot add user"
+}
+
+# Replace Login Shell and call Rollback on failure
+# Input : username ($1), shell to set ($2)
+# Output : none
+LdapAddLoginShell () {
+ if [ -z "$2" ]; then
+ # Ask the user for the login shell
+ echo "Select Login Shell option # [2]:
+1) Bash
+2) Lshell"
+ read opn
+ case $opn in
+ 1) _SHELL="/bin/sh";;
+ 2) _SHELL="$_DEFAULTLSHELL";;
+ *)
+ [ ! -z "$opn" ] && echo "Invalid option. Selecting Lshell"
+ _SHELL="$_DEFAULTLSHELL"
+ ;;
+ esac
+ else
+ shellopn=${$2,,}
+ case $shellopn in
+ "bash") _SHELL="/bin/sh";;
+ "lshell") _SHELL="$_DEFAULTLSHELL";;
+ *)
+ echo "Invalid option($2). Selecting Lshell"; _SHELL="$_DEFAULTLSHELL"
+ ;;
+ esac
+ fi
+ # Replace the login shell
+ ldapmodifyuser $1 replace loginShell $_SHELL &> /dev/null
+ [ $? -eq 0 ] || LdapRollback $1 "Critical setup error: cannot set login shell"
+}
+
+# Add user to sudoer list
+# Input : username ($1)
+# Output : true or false
+LdapAddSudo() {
+ ldapaddsudo "$1" 2> /dev/null
+ [ $? -eq 0 ] || \
+ echo_log "Non critical setup error: cannot add to sudoer list"
+}
+
+# Add user to a secondary user group
+# Input : username ($1), user group ($2)
+# Output : true or false
+LdapSecondaryGroup () {
+ _newGrp="$2"
+ [ -z "$2" ] && _newGrp=$_DEFAULTGRP2
+
+ ldapaddusertogroup $1 $_newGrp
+ [ $? -eq 0 ] || \
+ echo_log "Non critical setup error: cannot add $1 to $_newGrp"
+}
+
+# Update shadowMax for user
+# Input : username ($1), shadow Max value ($2)
+# Output : none
+LdapUpdateShadowMax () {
+ _newShadow="$2"
+ ! [[ "$2" =~ ^[0-9]+$ ]] || [ -z "$2" ] \
+ && _newShadow=$_DEFAULTSHADOWMAX
+
+ ldapmodifyuser $1 replace shadowMax $_newShadow
+ echo "Updating password expiry to $_newShadow days"
+}
+
+# Update shadowWarning for user
+# Input : username ($1), shadow Warning value ($2)
+# Output : none
+LdapUpdateShadowWarning () {
+ _newWarning="$2"
+ ! [[ "$2" =~ ^[0-9]+$ ]] || [ -z "$2" ] \
+ && _newWarning=$_DEFAULTSHADOWWARNING
+
+ ldapmodifyuser $1 replace shadowWarning $_newWarning
+ echo "Updating password expiry to $_newWarning days"
+}
+
+
+# Since this setup script is meant to be a
+# wrapper on top of existing ldap scripts,
+# it share invoke those... we could have achieved
+# loose coupling by not relying on helpers but
+# at the expense of massively redundant code
+# duplication.
+declare -a helper_scripts=("ldapadduser" "ldapaddsudo" "ldapmodifyuser" "ldapaddusertogroup" "$_DEFAULTLSHELL")
+
+# Do some quick sanity tests to make sure
+# helper scripts are present
+for src in "${helper_scripts[@]}"; do
+ if ! type "$src" &>/dev/null; then
+ end_die "Cannot locate $src. Update your PATH variable"
+ fi
+done
+
+if [ "$#" -eq 0 ]; then
+ # This setup collects all attributes
+ # interactively during runtime
+ echo -n "Enter username to add to LDAP: "
+ read _username
+ LdapAddUser "$_username"
+
+ # Replace the login shell. We will prompt the user for this
+ LdapAddLoginShell "$_username"
+
+ # If login shell is NOT the default limited shell then
+ # prompt for sudo permissions
+ if [ "$_SHELL" != "$_DEFAULTLSHELL" ]; then
+ # Should sudo be activated for this user
+ echo -n "Add $_username to sudoer list? (yes/NO): "
+ read CONFIRM
+ CONFIRM=${CONFIRM,,}
+
+ if is_yes $CONFIRM
+ then
+ LdapAddSudo "$_username"
+ fi
+ fi
+
+ # Add to secondary user group
+ echo -n "Add $_username to secondary user group? (yes/NO): "
+ read CONFIRM
+ CONFIRM=${CONFIRM,,}
+ if is_yes $CONFIRM
+ then
+ echo -n "Secondary group to add user to? [$_DEFAULTGRP2]: "
+ read _grp2
+ LdapSecondaryGroup $_username $_grp2
+ fi
+
+ # Set password expiry
+ echo -n "Enter days after which user password must \
+be changed [$_DEFAULTSHADOWMAX]: "
+ read _shadowMax
+ LdapUpdateShadowMax $_username $_shadowMax
+
+ # Set password warning
+ echo -n "Enter days before password is to expire that \
+user is warned [$_DEFAULTSHADOWWARNING]: "
+ read _shadowWarning
+ LdapUpdateShadowWarning $_username $_shadowWarning
+
+else
+ # we have to read command line option
+ while [[ $# > 1 ]]
+ do
+ key="$1"
+
+ case $key in
+ -u|--user) # compulsory
+ _username="$2"
+ shift
+ ;;
+ --sudo) # optional
+ _sudo="yes"
+ ;;
+ --shell) # optional
+ _loginshell="$2"
+ shift
+ ;;
+ --passmax) # optional
+ _shadowMax="$2"
+ shift
+ ;;
+ --passwarning) # optional
+ _shadowWarning="$2"
+ shift
+ ;;
+ --secondgroup) # optional
+ _grpConfirm="1"
+ _grp2="$2"
+ shift
+ ;;
+ *)
+
+ ;;
+ esac
+ shift
+ done
+
+ # Add LDAP user
+ [ -z "$_username" ] && end_die "No username argument specified"
+ LdapAddUser $_username
+
+ # Change Login Shell
+ LdapAddLoginShell $_username "$_loginshell"
+
+ # Add sudo if required
+ if is_yes $_sudo
+ then
+ LdapAddSudo "$_username"
+ fi
+
+ # Add secondary group if required
+ [ -z "$_grpConfirm" ] || LdapSecondaryGroup $_username $_grp2
+
+ # Password modifications
+ LdapUpdateShadowMax $_username $_shadowMax
+ LdapUpdateShadowWarning $_username $_shadowWarning
+fi
--- a/Makefile
+++ b/Makefile
@@ -41,12 +41,13 @@ SBINFILES = ldapdeletemachine ldapmodify
ldapdeleteuser ldapsetprimarygroup ldapfinger ldapid ldapgid ldapmodifymachine \
ldaprenamegroup ldapaddgroup ldapaddusertogroup ldapdeleteuserfromgroup \
ldapinit ldapmodifyuser ldaprenamemachine ldapaddmachine ldapdeletegroup \
- ldaprenameuser ldapmodifysudo ldapdeletesudo
+ ldaprenameuser ldapmodifysudo ldapdeletesudo ldapusersetup
MAN1FILES = ldapdeletemachine.1 ldapmodifymachine.1 ldaprenamemachine.1 ldapadduser.1 \
ldapdeleteuserfromgroup.1 ldapfinger.1 ldapid.1 ldapgid.1 ldapmodifyuser.1 lsldap.1 \
ldapaddusertogroup.1 ldaprenameuser.1 ldapinit.1 ldapsetpasswd.1 ldapaddgroup.1 \
ldapdeletegroup.1 ldapsetprimarygroup.1 ldapmodifygroup.1 ldaprenamegroup.1 \
- ldapaddmachine.1 ldapdeleteuser.1 ldapaddsudo.1 ldapmodifysudo.1 ldapdeletesudo.1
+ ldapaddmachine.1 ldapdeleteuser.1 ldapaddsudo.1 ldapmodifysudo.1 \
+ ldapdeletesudo.1 ldapusersetup.1
MAN5FILES = ldapscripts.5
TMPLFILES = ldapaddgroup.template.sample ldapaddmachine.template.sample \
ldapadduser.template.sample
--- /dev/null
+++ b/man/man1/ldapusersetup.1
@@ -0,0 +1,61 @@
+.\" Copyright (c) 2015 Wind River Systems, Inc.
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version 2
+.\" of the License, or (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+.\" USA.
+.\"
+.\" Kam Nasim
+.\" knasim@windriver.com
+.\"
+.TH ldapusersetup 1 "December 16, 2015"
+
+.SH NAME
+ldapusersetup \- wizard for adding an LDAP user to CGCS.
+
+.SH SYNOPSIS
+.B ldapusersetup
+
+.SH DESCRIPTION
+ldapusersetup interactively walks through the process of creating an LDAP user
+for access to CGCS services. The user is prompted for:
+- username
+- if a sudoEntry needs to be created
+- if a secondary user group needs to be added
+- user password expiry and warning configuration
+Alternatively, the user may provide these parameters as command line actions.
+Look at the OPTIONS section for more information.
+
+To delete the user and all its group associations, simply use ldapdeleteuser(1)
+
+.SH OPTIONS
+.TP
+.B [-u <username | uid> <field> <value>]
+The name or uid of the user to modify.
+The following fields are available as long format options:
+--sudo : whether to add this user to sudoer list
+--shell <bash | lshell> : which login shell to use (default is lshell)
+--secondgroup <grp> : the secondary group to add this user to
+--passmax <value> : the shadowMax value for this user
+--passwarning <value> : the shadowWarning value for this user"
+
+.SH "SEE ALSO"
+ldapdeleteuser(1), ldapaddgroup(1), ldapaddusertogroup(1), ldapmodifyuser(1), ldapscripts(5).
+
+.SH AVAILABILITY
+The ldapscripts are provided under the GNU General Public License v2 (see COPYING for more details).
+The latest version of the ldapscripts is available on :
+.B http://contribs.martymac.org
+
+.SH BUGS
+No bug known.
View Git Blame Copy Permalink