author | Gerald Carter <jerry@samba.org> | 2005-01-20 16:31:42 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 10:55:03 -0500 |
commit | e86235fbdcfe8dd71b2ee887052e27f67a240fab (patch) | |
tree | 8c655206dc786e92dc5884f124dc48bab0ffe999 /examples/LDAP/smbldap-tools/smbldap_tools.pm | |
parent | 5f659ffbf07eeba2fdabaaa7def0f78726f68ab2 (diff) | |
r4867: Removing smbldap-tools from the svn tree. I'll include
the latest version in the actual release tarballs.
Have spoken to the idealx developers about this.
Updated README to reflect the change for people using svn.
Removed ldapsync.pl since it is no longer needed when using
the smbldap-tools (only keep things you support).
(This used to be commit f745e5119f420d4826ac395037880666761e05e8)
Diffstat (limited to 'examples/LDAP/smbldap-tools/smbldap_tools.pm')
-rwxr-xr-x | examples/LDAP/smbldap-tools/smbldap_tools.pm | 771 |
1 files changed, 0 insertions, 771 deletions
diff --git a/examples/LDAP/smbldap-tools/smbldap_tools.pm b/examples/LDAP/smbldap-tools/smbldap_tools.pm deleted file mode 100755 index d33a65b7d1..0000000000 --- a/examples/LDAP/smbldap-tools/smbldap_tools.pm +++ /dev/null 
@@ -1,771 +0,0 @@ -#! /usr/bin/perl -w -use strict; -package smbldap_tools; -use smbldap_conf; -use Net::LDAP; - -# This code was developped by IDEALX (http://IDEALX.org/) and -# contributors (their names can be found in the CONTRIBUTORS file). -# -# Copyright (C) 2001-2002 IDEALX -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 2 -# of the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, -# USA. - - -# ugly funcs using global variables and spawning openldap clients - -use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS); -use Exporter; -$VERSION = 1.00; - -@ISA = qw(Exporter); - -@EXPORT = qw( - get_user_dn - get_group_dn - is_group_member - is_samba_user - is_unix_user - is_user_valid - does_sid_exist - get_dn_from_line - add_posix_machine - add_samba_machine - add_samba_machine_mkntpwd - group_add_user - add_grouplist_user - disable_user - delete_user - group_add - group_del - get_homedir - read_user - read_user_entry - read_group - read_group_entry - read_group_entry_gid - find_groups_of - parse_group - group_remove_member - group_get_members - do_ldapadd - do_ldapmodify - get_user_dn2 - connect_ldap_master - connect_ldap_slave - group_type_by_name - ); - -sub connect_ldap_master - { - # bind to a directory with dn and password - my $ldap_master = Net::LDAP->new( - "$masterLDAP", - port => "$masterPort", - version => 3, - # debug => 0xffff, - ) - or die "erreur 
LDAP: Can't contact master ldap server ($@)"; - if ($ldapSSL == 1) { - $ldap_master->start_tls( - # verify => 'require', - # clientcert => 'mycert.pem', - # clientkey => 'mykey.pem', - # decryptkey => sub { 'secret'; }, - # capath => '/usr/local/cacerts/' - ); - } - $ldap_master->bind ( "$binddn", - password => "$masterPw" - ); - return($ldap_master); - } - -sub connect_ldap_slave - { - # bind to a directory with dn and password - my $ldap_slave = Net::LDAP->new( - "$slaveLDAP", - port => "$slavePort", - version => 3, - # debug => 0xffff, - ) - or die "erreur LDAP: Can't contact slave ldap server ($@)"; - if ($ldapSSL == 1) { - $ldap_slave->start_tls( - # verify => 'require', - # clientcert => 'mycert.pem', - # clientkey => 'mykey.pem', - # decryptkey => sub { 'secret'; }, - # capath => '/usr/local/cacerts/' - ); - } - $ldap_slave->bind ( "$binddn", - password => "$slavePw" - ); - return($ldap_slave); - } - -sub get_user_dn - { - my $user = shift; - my $dn=''; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( base => $suffix, - scope => $scope, - filter => "(&(objectclass=posixAccount)(uid=$user))" - ); - $mesg->code && die $mesg->error; - foreach my $entry ($mesg->all_entries) { - $dn= $entry->dn; - } - $ldap_slave->unbind; - chomp($dn); - if ($dn eq '') { - return undef; - } - $dn="dn: ".$dn; - return $dn; - } - - -sub get_user_dn2 - { - my $user = shift; - my $dn=''; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( base => $suffix, - scope => $scope, - filter => "(&(objectclass=posixAccount)(uid=$user))" - ); - $mesg->code && warn "failed to perform search; ", $mesg->error; - - foreach my $entry ($mesg->all_entries) { - $dn= $entry->dn; - } - $ldap_slave->unbind; - chomp($dn); - if ($dn eq '') { - return (1,undef); - } - $dn="dn: ".$dn; - return (1,$dn); - } - - -sub get_group_dn - { - my $group = shift; - my $dn=''; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( base => $groupsdn, - 
scope => $scope, - filter => "(&(objectclass=posixGroup)(|(cn=$group)(gidNumber=$group)))" - ); - $mesg->code && die $mesg->error; - foreach my $entry ($mesg->all_entries) { - $dn= $entry->dn; - } - $ldap_slave->unbind; - chomp($dn); - if ($dn eq '') { - return undef; - } - $dn="dn: ".$dn; - return $dn; - } - -# return (success, dn) -# bool = is_samba_user($username) -sub is_samba_user - { - my $user = shift; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( base => $suffix, - scope => $scope, - filter => "(&(objectClass=sambaSamAccount)(uid=$user))" - ); - $mesg->code && die $mesg->error; - $ldap_slave->unbind; - return ($mesg->count ne 0); - } - -sub is_unix_user - { - my $user = shift; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( base => $suffix, - scope => $scope, - filter => "(&(objectClass=posixAccount)(uid=$user))" - ); - $mesg->code && die $mesg->error; - $ldap_slave->unbind; - return ($mesg->count ne 0); - } - -sub is_group_member - { - my $dn_group = shift; - my $user = shift; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( base => $dn_group, - scope => 'base', - filter => "(&(memberUid=$user))" - ); - $mesg->code && die $mesg->error; - $ldap_slave->unbind; - return ($mesg->count ne 0); - } - -# all entries = does_sid_exist($sid,$scope) -sub does_sid_exist - { - my $sid = shift; - my $dn_group=shift; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( base => $dn_group, - scope => $scope, - filter => "(sambaSID=$sid)" - #filter => "(&(objectClass=sambaSamAccount|objectClass=sambaGroupMapping)(sambaSID=$sid))" - ); - $mesg->code && die $mesg->error; - $ldap_slave->unbind; - return ($mesg); - } - -# try to bind with user dn and password to validate current password -sub is_user_valid - { - my ($user, $dn, $pass) = @_; - my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; - my $mesg= $ldap->bind (dn => $dn, password => $pass ); - if ($mesg->code eq 0) 
{ - $ldap->unbind; - return 1; - } else { - if ($ldap->bind()) { - $ldap->unbind; - return 0; - } else { - print ("The LDAP directory is not available.\n Check the server, cables ..."); - $ldap->unbind; - return 0; - } - die "Problem : contact your administrator"; - } - } - - -# dn = get_dn_from_line ($dn_line) -# helper to get "a=b,c=d" from "dn: a=b,c=d" -sub get_dn_from_line - { - my $dn = shift; - $dn =~ s/^dn: //; - return $dn; - } - - -# success = add_posix_machine($user, $uid, $gid) -sub add_posix_machine - { - my ($user, $uid, $gid) = @_; - # bind to a directory with dn and password - my $ldap_master=connect_ldap_master(); - my $add = $ldap_master->add ( "uid=$user,$computersdn", - attr => [ - 'objectclass' => ['top','inetOrgPerson', 'posixAccount'], - 'cn' => "$user", - 'sn' => "$user", - 'uid' => "$user", - 'uidNumber' => "$uid", - 'gidNumber' => "$gid", - 'homeDirectory' => '/dev/null', - 'loginShell' => '/bin/false', - 'description' => 'Computer', - ] - ); - - $add->code && warn "failed to add entry: ", $add->error ; - # take down the session - $ldap_master->unbind; - - } - - -# success = add_samba_machine($computername) -sub add_samba_machine - { - my $user = shift; - system "smbpasswd -a -m $user"; - return 1; - } - -sub add_samba_machine_mkntpwd - { - my ($user, $uid) = @_; - my $sambaSID = 2 * $uid + 1000; - my $name = $user; - $name =~ s/.$//s; - - if ($mk_ntpasswd eq '') { - print "Either set \$with_smbpasswd = 1 or specify \$mk_ntpasswd\n"; - return 0; - } - - my $ntpwd = `$mk_ntpasswd '$name'`; - chomp(my $lmpassword = substr($ntpwd, 0, index($ntpwd, ':'))); - chomp(my $ntpassword = substr($ntpwd, index($ntpwd, ':')+1)); - - my $ldap_master=connect_ldap_master(); - my $modify = $ldap_master->modify ( "uid=$user,$computersdn", - changes => [ - replace => [objectClass => ['inetOrgPerson', 'posixAccount', 'sambaSamAccount']], - add => [sambaPwdLastSet => '0'], - add => [sambaLogonTime => '0'], - add => [sambaLogoffTime => '2147483647'], - add => 
[sambaKickoffTime => '2147483647'], - add => [sambaPwdCanChange => '0'], - add => [sambaPwdMustChange => '0'], - add => [sambaAcctFlags => '[W ]'], - add => [sambaLMPassword => "$lmpassword"], - add => [sambaNTPassword => "$ntpassword"], - add => [sambaSID => "$SID-$sambaSID"], - add => [sambaPrimaryGroupSID => "$SID-0"] - ] - ); - - $modify->code && die "failed to add entry: ", $modify->error ; - - return 1; - # take down the session - $ldap_master->unbind; - - } - - -sub group_add_user - { - my ($group, $userid) = @_; - my $members=''; - my $dn_line = get_group_dn($group); - if (!defined(get_group_dn($group))) { - print "$0: group \"$group\" doesn't exist\n"; - exit (6); - } - if (!defined($dn_line)) { - return 1; - } - my $dn = get_dn_from_line("$dn_line"); - # on look if the user is already present in the group - my $is_member=is_group_member($dn,$userid); - if ($is_member == 1) { - print "User \"$userid\" already member of the group \"$group\".\n"; - } else { - # bind to a directory with dn and password - my $ldap_master=connect_ldap_master(); - # It does not matter if the user already exist, Net::LDAP will add the user - # if he does not exist, and ignore him if his already in the directory. 
- my $modify = $ldap_master->modify ( "$dn", - changes => [ - add => [memberUid => $userid] - ] - ); - $modify->code && die "failed to modify entry: ", $modify->error ; - # take down session - $ldap_master->unbind; - } - } - -sub group_del - { - my $group_dn=shift; - # bind to a directory with dn and password - my $ldap_master=connect_ldap_master(); - my $modify = $ldap_master->delete ($group_dn); - $modify->code && die "failed to delete group : ", $modify->error ; - # take down session - $ldap_master->unbind; - } - -sub add_grouplist_user - { - my ($grouplist, $user) = @_; - my @array = split(/,/, $grouplist); - foreach my $group (@array) { - group_add_user($group, $user); - } - } - -sub disable_user - { - my $user = shift; - my $dn_line; - my $dn = get_dn_from_line($dn_line); - - if (!defined($dn_line = get_user_dn($user))) { - print "$0: user $user doesn't exist\n"; - exit (10); - } - my $ldap_master=connect_ldap_master(); - my $modify = $ldap_master->modify ( "$dn", - changes => [ - replace => [userPassword => '{crypt}!x'] - ] - ); - $modify->code && die "failed to modify entry: ", $modify->error ; - - if (is_samba_user($user)) { - my $modify = $ldap_master->modify ( "$dn", - changes => [ - replace => [sambaAcctFlags => '[D ]'] - ] - ); - $modify->code && die "failed to modify entry: ", $modify->error ; - } - # take down session - $ldap_master->unbind; - } - -# delete_user($user) -sub delete_user - { - my $user = shift; - my $dn_line; - - if (!defined($dn_line = get_user_dn($user))) { - print "$0: user $user doesn't exist\n"; - exit (10); - } - - my $dn = get_dn_from_line($dn_line); - my $ldap_master=connect_ldap_master(); - my $modify = $ldap_master->delete($dn); - $ldap_master->unbind; - } - -# $gid = group_add($groupname, $group_gid, $force_using_existing_gid) -sub group_add - { - my ($gname, $gid, $force) = @_; - my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1"; - if ($nscd_status == 0) { - system "/etc/init.d/nscd stop > /dev/null 2>&1"; 
- } - if (!defined($gid)) { - while (defined(getgrgid($GID_START))) { - $GID_START++; - } - $gid = $GID_START; - } else { - if (!defined($force)) { - if (defined(getgrgid($gid))) { - return undef; - } - } - } - if ($nscd_status == 0) { - system "/etc/init.d/nscd start > /dev/null 2>&1"; - } - my $ldap_master=connect_ldap_master(); - my $modify = $ldap_master->add ( "cn=$gname,$groupsdn", - attrs => [ - objectClass => 'posixGroup', - cn => "$gname", - gidNumber => "$gid" - ] - ); - - $modify->code && die "failed to add entry: ", $modify->error ; - # take down session - $ldap_master->unbind; - return $gid; - } - -# $homedir = get_homedir ($user) -sub get_homedir - { - my $user = shift; - my $homeDir=''; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( - base =>$suffix, - scope => $scope, - filter => "(&(objectclass=posixAccount)(uid=$user))" - ); - $mesg->code && die $mesg->error; - foreach my $entry ($mesg->all_entries) { - foreach my $attr ($entry->attributes) { - if ($attr=~/\bhomeDirectory\b/) { - foreach my $ent ($entry->get_value($attr)) { - $homeDir.= $attr.": ".$ent."\n"; - } - } - } - } - $ldap_slave->unbind; - chomp $homeDir; - if ($homeDir eq '') { - return undef; - } - $homeDir =~ s/^homeDirectory: //; - return $homeDir; - } - -# search for an user -sub read_user - { - my $user = shift; - my $lines =''; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( # perform a search - base => $suffix, - scope => $scope, - filter => "(&(objectclass=posixAccount)(uid=$user))" - ); - - $mesg->code && die $mesg->error; - foreach my $entry ($mesg->all_entries) { - $lines.= "dn: " . 
$entry->dn."\n"; - foreach my $attr ($entry->attributes) { - { - $lines.= $attr.": ".join(',', $entry->get_value($attr))."\n"; - } - } - } - # take down session - $ldap_slave->unbind; - chomp $lines; - if ($lines eq '') { - return undef; - } - return $lines; - } - -# search for a user -# return the attributes in an array -sub read_user_entry - { - my $user = shift; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( # perform a search - base => $suffix, - scope => $scope, - filter => "(&(objectclass=posixAccount)(uid=$user))" - ); - - $mesg->code && die $mesg->error; - my $entry = $mesg->entry(); - $ldap_slave->unbind; - return $entry; - } - -# search for a group -sub read_group - { - my $user = shift; - my $lines =''; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( # perform a search - base => $groupsdn, - scope => $scope, - filter => "(&(objectclass=posixGroup)(cn=$user))" - ); - - $mesg->code && die $mesg->error; - foreach my $entry ($mesg->all_entries) { - $lines.= "dn: " . 
$entry->dn."\n"; - foreach my $attr ($entry->attributes) { - { - $lines.= $attr.": ".join(',', $entry->get_value($attr))."\n"; - } - } - } - # take down session - $ldap_slave->unbind; - chomp $lines; - if ($lines eq '') { - return undef; - } - return $lines; - } - -# find groups of a given user -##### MODIFIE ######## -sub find_groups_of - { - my $user = shift; - my $lines =''; - my $ldap_slave=connect_ldap_slave; - my $mesg = $ldap_slave->search ( # perform a search - base => $groupsdn, - scope => $scope, - filter => "(&(objectclass=posixGroup)(memberuid=$user))" - ); - $mesg->code && die $mesg->error; - foreach my $entry ($mesg->all_entries) { - $lines.= "dn: ".$entry->dn."\n"; - } - $ldap_slave->unbind; - chomp($lines); - if ($lines eq '') { - return undef; - } - return $lines; - } - -sub read_group_entry { - my $group = shift; - my $entry; - my %res; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( # perform a search - base => $groupsdn, - scope => $scope, - filter => "(&(objectclass=posixGroup)(cn=$group))" - ); - - $mesg->code && die $mesg->error; - my $nb=$mesg->count; - if ($nb > 1) { - print "Error: $nb groups exist \"cn=$group\"\n"; - foreach $entry ($mesg->all_entries) { my $dn=$entry->dn; print " $dn\n"; } - exit 11; - } else { - $entry = $mesg->shift_entry(); - } - return $entry; -} - -sub read_group_entry_gid { - my $group = shift; - my %res; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( # perform a search - base => $groupsdn, - scope => $scope, - filter => "(&(objectclass=posixGroup)(gidNumber=$group))" - ); - - $mesg->code && die $mesg->error; - my $entry = $mesg->shift_entry(); - return $entry; -} - -# return the gidnumber for a group given as name or gid -# -1 : bad group name -# -2 : bad gidnumber -sub parse_group - { - my $userGidNumber = shift; - if ($userGidNumber =~ /[^\d]/ ) { - my $gname = $userGidNumber; - my $gidnum = getgrnam($gname); - if ($gidnum !~ /\d+/) { - return -1; - } else { - 
$userGidNumber = $gidnum; - } - } elsif (!defined(getgrgid($userGidNumber))) { - return -2; - } - return $userGidNumber; - } - -# remove $user from $group -sub group_remove_member - { - my ($group, $user) = @_; - my $members=''; - my $grp_line = get_group_dn($group); - if (!defined($grp_line)) { - return 0; - } - my $dn = get_dn_from_line($grp_line); - # we test if the user exist in the group - my $is_member=is_group_member($dn,$user); - if ($is_member == 1) { - my $ldap_master=connect_ldap_master(); - # delete only the user from the group - my $modify = $ldap_master->modify ( "$dn", - changes => [ - delete => [memberUid => ["$user"]] - ] - ); - $modify->code && die "failed to delete entry: ", $modify->error ; - $ldap_master->unbind; - } - return 1; - } - -sub group_get_members - { - my ($group) = @_; - my $members; - my @resultat; - my $grp_line = get_group_dn($group); - if (!defined($grp_line)) { - return 0; - } - - my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; - $ldap->bind ; - my $mesg = $ldap->search ( - base => $groupsdn, - scope => $scope, - filter => "(&(objectclass=posixgroup)(cn=$group))" - ); - $mesg->code && die $mesg->error; - foreach my $entry ($mesg->all_entries) { - foreach my $attr ($entry->attributes) { - if ($attr=~/\bmemberUid\b/) { - foreach my $ent ($entry->get_value($attr)) { - push (@resultat,$ent); - } - } - } - } - return @resultat; - } - -sub do_ldapmodify - { - my $ldif = shift; - my $FILE = "|$ldapmodify -r >/dev/null"; - open (FILE, $FILE) || die "$!\n"; - print FILE <<EOF; -$ldif -EOF - ; - close FILE; - my $rc = $?; - return $rc; - } - -sub group_type_by_name { - my $type_name = shift; - my %groupmap = ( - 'domain' => 2, - 'local' => 4, - 'builtin' => 5 - ); - return $groupmap{$type_name}; -} - - - -1; - |