From 5e6c6d766f5782dd1f91bf249f5f8ea7878977a6 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 26 Aug 2003 04:36:27 +0000 Subject: sync with changes from Jerome Tournier @ IDEALX; should now work with sambaSamAccount schema (This used to be commit 5f41cd76b793305e1e9e4da76d58daa2d8438c63) --- examples/LDAP/smbldap-tools/CONTRIBUTORS | 6 +- examples/LDAP/smbldap-tools/ChangeLog | 1 + examples/LDAP/smbldap-tools/TODO | 1 + examples/LDAP/smbldap-tools/smbldap-groupmod.pl | 4 +- .../LDAP/smbldap-tools/smbldap-migrate-accounts.pl | 2 +- examples/LDAP/smbldap-tools/smbldap-passwd.pl | 13 +- examples/LDAP/smbldap-tools/smbldap-populate.pl | 73 +- examples/LDAP/smbldap-tools/smbldap-tools.spec | 38 +- examples/LDAP/smbldap-tools/smbldap-useradd.pl | 72 +- examples/LDAP/smbldap-tools/smbldap-userdel.pl | 2 +- examples/LDAP/smbldap-tools/smbldap-usermod.pl | 56 +- examples/LDAP/smbldap-tools/smbldap_conf.pm | 64 +- examples/LDAP/smbldap-tools/smbldap_tools.pm | 861 ++++++++++++--------- 13 files changed, 682 insertions(+), 511 deletions(-) diff --git a/examples/LDAP/smbldap-tools/CONTRIBUTORS b/examples/LDAP/smbldap-tools/CONTRIBUTORS index 9765a57e60..1b308a7266 100644 --- a/examples/LDAP/smbldap-tools/CONTRIBUTORS +++ b/examples/LDAP/smbldap-tools/CONTRIBUTORS @@ -4,7 +4,7 @@ Have contributed directly to this tools, or are always in charge of some aspects of it developments (alphabetical order): - . Terry Davis + . Terry Davis . David Le Corfec . Olivier Lemaire . Jérôme Tournier @@ -24,6 +24,6 @@ Many thanks to contributors for bug report and patches: bug report for smbldap-passwd . Xavier Boschian bug report for smbldap-populate - - + . Christophe DUBREUIL + Net::LDAP support in smbldap_tools.pm # - The End diff --git a/examples/LDAP/smbldap-tools/ChangeLog b/examples/LDAP/smbldap-tools/ChangeLog index 9a0bc744e1..76b8b3f3c6 100644 --- a/examples/LDAP/smbldap-tools/ChangeLog +++ b/examples/LDAP/smbldap-tools/ChangeLog 
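Review bot: The smbldap-groupmod.pl hunk replaces the `#!/usr/bin/perl` shebang on line 1 with the `# $Id: …` keyword line while the file keeps mode 100755, so invoking the script directly no longer works (the kernel rejects a script with no interpreter line and a shell fallback would try to parse Perl as sh). Keep the shebang first and put the keyword line below it: `#!/usr/bin/perl` then `# $Id: smbldap-groupmod.pl,v 1.1.6.2 2003/08/26 04:36:27 jerry Exp $`.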
@@ -2,6 +2,7 @@ # ## ChangeLog for SMBLDAP-TOOLS +* 2002-07-24: top and account objectclasses replaced with inetorgperson * 2002-06-03: notes to webmin.idealx.org (idxldapaccounts) * 2002-06-01: release 0.7. tested with 2.2.4 * 2002-05-31: fixed smbldap-populate compliance to smbldap_conf diff --git a/examples/LDAP/smbldap-tools/TODO b/examples/LDAP/smbldap-tools/TODO index 57424d462a..71e6695299 100644 --- a/examples/LDAP/smbldap-tools/TODO +++ b/examples/LDAP/smbldap-tools/TODO @@ -4,6 +4,7 @@ ## (BF: Bug Report / FR: Feature Request) +FR * add 'LDAP port' for both slave and master LDAP server in smbldap_conf.pm FR * use RFC2307 best practices (Luke, next time you visit Paris, have a beer at IDEALX'cantina ;-) FR * add mail (sendmail/postfix/qmail/courier) support diff --git a/examples/LDAP/smbldap-tools/smbldap-groupmod.pl b/examples/LDAP/smbldap-tools/smbldap-groupmod.pl index f9b42f95b4..f248027e91 100755 --- a/examples/LDAP/smbldap-tools/smbldap-groupmod.pl +++ b/examples/LDAP/smbldap-tools/smbldap-groupmod.pl @@ -1,5 +1,5 @@ -#!/usr/bin/perl - +# $Id: smbldap-groupmod.pl,v 1.1.6.2 2003/08/26 04:36:27 jerry Exp $ +# # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # diff --git a/examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl b/examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl index b1780dec61..0d0efa384c 100755 --- a/examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl +++ b/examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl @@ -45,7 +45,7 @@ changetype: modify lmpassword: $lmpwd ntpassword: $ntpwd gecos: $gecos -smbHome: $homedir +sambaHomePath: $homedir "; diff --git a/examples/LDAP/smbldap-tools/smbldap-passwd.pl b/examples/LDAP/smbldap-tools/smbldap-passwd.pl index ef7687a49e..29aee97c50 100755 --- a/examples/LDAP/smbldap-tools/smbldap-passwd.pl +++ b/examples/LDAP/smbldap-tools/smbldap-passwd.pl 
@@ -1,6 +1,7 @@ #!/usr/bin/perl # LDAP to unix password sync script for samba +# # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # @@ -113,19 +114,19 @@ if ($samba == 1) { exit(1); } my $ntpwd = `$mk_ntpasswd '$pass'`; - chomp(my $lmpassword = substr($ntpwd, 0, index($ntpwd, ':'))); - chomp(my $ntpassword = substr($ntpwd, index($ntpwd, ':')+1)); + chomp(my $sambaLMPassword = substr($ntpwd, 0, index($ntpwd, ':'))); + chomp(my $sambaNTPassword = substr($ntpwd, index($ntpwd, ':')+1)); # change nt/lm passwords my $tmpldif = "$dn_line changetype: modify -replace: lmpassword -lmpassword: $lmpassword +replace: sambaLMPassword +sambaLMPassword: $sambaLMPassword - changetype: modify -replace: ntpassword -ntpassword: $ntpassword +replace: sambaNTPassword +sambaNTPassword: $sambaNTPassword - "; diff --git a/examples/LDAP/smbldap-tools/smbldap-populate.pl b/examples/LDAP/smbldap-tools/smbldap-populate.pl index 5be9ca4262..1676017c67 100755 --- a/examples/LDAP/smbldap-tools/smbldap-populate.pl +++ b/examples/LDAP/smbldap-tools/smbldap-populate.pl @@ -87,6 +87,7 @@ if (!defined($_ldifName)) { die "can't extract first attr and value from suffix $suffix"; } #print "$attr=$val\n"; + my ($organisation,$ext) = ($suffix =~ m/dc=(\w+),dc=(\w+)$/); #my $FILE="|cat"; my $FILE="|$ldapadd -c"; @@ -95,7 +96,9 @@ if (!defined($_ldifName)) { print FILE < +Packager: Jerome Tournier Source0: smbldap-groupadd.pl Source1: smbldap-groupdel.pl Source2: smbldap-groupmod.pl @@ -60,8 +60,8 @@ make rm -rf $RPM_BUILD_ROOT mkdir -p $RPM_BUILD_ROOT/%{prefix}/sbin mkdir -p $RPM_BUILD_ROOT/%{prefix}/share -mkdir -p $RPM_BUILD_ROOT/%{prefix}/share/doc -mkdir -p $RPM_BUILD_ROOT/%{prefix}/share/doc/smbldap-tools +mkdir -p $RPM_BUILD_ROOT/usr/share/doc +mkdir -p $RPM_BUILD_ROOT/usr/share/doc/smbldap-tools cd mkntpwd ; make PREFIX=$RPM_BUILD_ROOT/%{prefix} install 
@@ -80,13 +80,13 @@ install -m 555 %{SOURCE10} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap_tools.pm install -m 550 %{SOURCE19} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-migrate-accounts.pl install -m 550 %{SOURCE20} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-migrate-groups.pl -install -m 644 %{SOURCE11} $RPM_BUILD_ROOT/%{prefix}/share/doc/smbldap-tools/CONTRIBUTORS -install -m 644 %{SOURCE12} $RPM_BUILD_ROOT/%{prefix}/share/doc/smbldap-tools/COPYING -install -m 644 %{SOURCE13} $RPM_BUILD_ROOT/%{prefix}/share/doc/smbldap-tools/ChangeLog -install -m 644 %{SOURCE14} $RPM_BUILD_ROOT/%{prefix}/share/doc/smbldap-tools/FILES -install -m 644 %{SOURCE15} $RPM_BUILD_ROOT/%{prefix}/share/doc/smbldap-tools/README -install -m 644 %{SOURCE16} $RPM_BUILD_ROOT/%{prefix}/share/doc/smbldap-tools/TODO -install -m 644 %{SOURCE21} $RPM_BUILD_ROOT/%{prefix}/share/doc/smbldap-tools/INFRA +install -m 644 %{SOURCE11} $RPM_BUILD_ROOT/usr/share/doc/smbldap-tools/CONTRIBUTORS +install -m 644 %{SOURCE12} $RPM_BUILD_ROOT/usr/share/doc/smbldap-tools/COPYING +install -m 644 %{SOURCE13} $RPM_BUILD_ROOT/usr/share/doc/smbldap-tools/ChangeLog +install -m 644 %{SOURCE14} $RPM_BUILD_ROOT/usr/share/doc/smbldap-tools/FILES +install -m 644 %{SOURCE15} $RPM_BUILD_ROOT/usr/share/doc/smbldap-tools/README +install -m 644 %{SOURCE16} $RPM_BUILD_ROOT/usr/share/doc/smbldap-tools/TODO +install -m 644 %{SOURCE21} $RPM_BUILD_ROOT/usr/share/doc/smbldap-tools/INFRA %clean rm -rf $RPM_BUILD_ROOT 
@@ -102,11 +102,11 @@ perl -i -pe 's/_USERS_/Users/' %{prefix}/sbin/smbldap_conf.pm perl -i -pe 's/_COMPUTERS_/Computers/' %{prefix}/sbin/smbldap_conf.pm perl -i -pe 's/_GROUPS_/Groups/' %{prefix}/sbin/smbldap_conf.pm perl -i -pe 's/_LOGINSHELL_/\/bin\/bash/' %{prefix}/sbin/smbldap_conf.pm -perl -i -pe 's/_USERHOMEPREFIX_/\/home\//' %{prefix}/sbin/smbldap_conf.pm +perl -i -pe 's/_HOMEPREFIX_/\/home\//' %{prefix}/sbin/smbldap_conf.pm perl -i -pe 's/_BINDDN_/cn=Manager,\$suffix/' %{prefix}/sbin/smbldap_conf.pm perl -i -pe 's/_BINDPW_/secret/' %{prefix}/sbin/smbldap_conf.pm perl -i -pe 's/_PDCNAME_/PDC-SRV/' %{prefix}/sbin/smbldap_conf.pm -perl -i -pe 's/_HOMEDRIVE_/D/' %{prefix}/sbin/smbldap_conf.pm +perl -i -pe 's/_HOMEDRIVE_/H/' %{prefix}/sbin/smbldap_conf.pm # FIXME: links should not be removed on upgrade #%postun @@ -121,14 +121,16 @@ perl -i -pe 's/_HOMEDRIVE_/D/' %{prefix}/sbin/smbldap_conf.pm %{prefix}/sbin/smbldap_tools.pm %config %{prefix}/sbin/smbldap_conf.pm %{prefix}/sbin/mkntpwd -%doc %{prefix}/share/doc/%{name}/TODO -%doc %{prefix}/share/doc/%{name}/README -%doc %{prefix}/share/doc/%{name}/CONTRIBUTORS -%doc %{prefix}/share/doc/%{name}/FILES -%doc %{prefix}/share/doc/%{name}/COPYING +%doc /usr/share/doc/%{name}/ %changelog +* Fri Aug 22 2003 Jerome Tournier 0.8-1 +- support for Samba3.0 + +* Thu Sep 26 2002 Gérald Macinenti 0.7-2 +- top and account objectclasses replaced by InetOrgPerson + * Sat Jun 1 2002 Olivier Lemaire 0.7-1 - some bugfixes about smbldap-populate - bugfixed the smbpasswd call in smbldap-useradd diff --git a/examples/LDAP/smbldap-tools/smbldap-useradd.pl b/examples/LDAP/smbldap-tools/smbldap-useradd.pl index 508487af93..99c9525e82 100755 --- a/examples/LDAP/smbldap-tools/smbldap-useradd.pl +++ b/examples/LDAP/smbldap-tools/smbldap-useradd.pl @@ -26,7 +26,6 @@ use strict; use smbldap_tools; use smbldap_conf; - ##################### use Getopt::Std; 
@@ -51,11 +50,11 @@ if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) { print " -P ends by invoking smbldap-passwd.pl\n"; print " -A can change password ? 0 if no, 1 if yes\n"; print " -B must change password ? 0 if no, 1 if yes\n"; - print " -C smbHome (SMB home share, like '\\\\PDC-SRV\\homes')\n"; - print " -D homeDrive (letter associated with home share, like 'H:')\n"; - print " -E scriptPath (DOS script to execute on login)\n"; - print " -F profilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo')\n"; - print " -H acctFlags (samba account control bits like '[NDHTUMWSLKI]')\n"; + print " -C sambaHomePath (SMB home share, like '\\\\PDC-SRV\\homes')\n"; + print " -D sambaHomeDrive (letter associated with home share, like 'H:')\n"; + print " -E sambaLogonScript (DOS script to execute on login)\n"; + print " -F sambaProfilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo')\n"; + print " -H sambaAcctFlags (samba account control bits like '[NDHTUMWSLKI]')\n"; print " -? show this help message\n"; exit (1); } @@ -141,7 +140,7 @@ my $userHomeDirectory; my $tmp; if (!defined($userHomeDirectory = $Options{'d'})) { - $userHomeDirectory = $_userHomePrefix.$userName; + $userHomeDirectory = $_userHomePrefix."/".$userName; } $_userLoginShell = $tmp if (defined($tmp = $Options{'s'})); $_userGecos = $tmp if (defined($tmp = $Options{'c'})); @@ -175,7 +174,7 @@ if (defined($tmp = $Options{'w'})) { my $tmpldif = "dn: uid=$userName,$computersdn changetype: modify -acctFlags: [W ] +sambaAcctFlags: [W ] "; die "$0: error while modifying accountflags of $userName\n" @@ -194,10 +193,10 @@ acctFlags: [W ] my $tmpldif = "dn: uid=$userName,$usersdn -objectclass: top -objectclass: account +objectclass: inetOrgPerson objectclass: posixAccount cn: $userName +sn: $userName uid: $userName uidNumber: $userUidNumber gidNumber: $userGidNumber 
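Review bot: `$_userHomePrefix."/".$userName` doubles the separator whenever the prefix already ends in `/`, which is exactly what the conf example (`q(/home/)`) and the spec's `_HOMEPREFIX_` substitution (`/home/`) supply, so the default home becomes `/home//jdoe`; that value is then written into the account entry and reused by the `mkdir`/`chown` commands of the `-m` hunk. Strip any trailing slash before joining: `(my $prefix = $_userHomePrefix) =~ s{/+\z}{};` and `$userHomeDirectory = "$prefix/$userName";`.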
@@ -228,12 +227,14 @@ if (defined($grouplist = $Options{'G'})) { # If user was created successfully then we should create his/her home dir if (defined($tmp = $Options{'m'})) { + unless ( $userName =~ /\$$/ ) { if ( !(-e $userHomeDirectory) ) { system "mkdir $userHomeDirectory 2>/dev/null"; system "cp -a $_skeletonDir/.[a-z,A-Z]* $_skeletonDir/* $userHomeDirectory 2>/dev/null"; system "chown -R $userUidNumber:$userGidNumber $userHomeDirectory 2>/dev/null"; system "chmod 700 $userHomeDirectory 2>/dev/null"; } + } } @@ -269,19 +270,18 @@ if (defined($Options{'a'})) { my $tmpldif = "dn: uid=$userName,$usersdn changetype: modify -objectclass: top -objectclass: account +objectClass: inetOrgPerson objectclass: posixAccount -objectClass: sambaAccount -pwdLastSet: 0 -logonTime: 0 -logoffTime: 2147483647 -kickoffTime: 2147483647 -pwdCanChange: $valpwdcanchange -pwdMustChange: $valpwdmustchange +objectClass: sambaSAMAccount +sambaPwdLastSet: 0 +sambaLogonTime: 0 +sambaLogoffTime: 2147483647 +sambaKickoffTime: 2147483647 +sambaPwdCanChange: $valpwdcanchange +sambaPwdMustChange: $valpwdmustchange displayName: $_userGecos -acctFlags: $valacctflags -rid: $userRid +sambaAcctFlags: $valacctflags +sambaSID: $smbldap_conf::SID-$userRid "; @@ -329,14 +329,14 @@ if (defined($tmp = $Options{'F'})) { my $tmpldif = "dn: uid=$userName,$usersdn changetype: modify -rid: $userRid -primaryGroupID: $userGroupRid -homeDrive: $valhomedrive -smbHome: $valsmbhome -profilePath: $valprofilepath -scriptPath: $valscriptpath -lmPassword: XXX -ntPassword: XXX +sambaSID: $smbldap_conf::SID-$userRid +sambaPrimaryGroupSID: $smbldap_conf::SID-$userGroupRid +sambaHomeDrive: $valhomedrive +sambaHomePath: $valsmbhome +sambaProfilePath: $valprofilepath +sambaLogonScript: $valscriptpath +sambaLMPassword: XXX +sambaNTPassword: XXX "; 
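Review bot: The new `unless ( $userName =~ /\$$/ )` guard skips home creation for machine accounts, but the four `system "… $userHomeDirectory …"` calls inside it still hand a single string to the shell built from `$userHomeDirectory` (taken verbatim from `-d`) and `$_skeletonDir`, so any shell metacharacter in the path is interpreted instead of being part of the file name, and the `2>/dev/null` on each call hides the failure. Use the list form, which never starts a shell: `system('mkdir', $userHomeDirectory)`, `system('chown', '-R', "$userUidNumber:$userGidNumber", $userHomeDirectory)`, `system('chmod', '700', $userHomeDirectory)`, and expand the skeleton with Perl's `glob` before passing the results to `cp -a` the same way. Checking each return value (`== 0`) and reporting it would make a failed skeleton copy visible instead of silently producing an empty home.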
@@ -382,7 +382,7 @@ exit 0; For Samba users, rid is 2*uidNumber+1000, and primaryGroupID is 2*gidNumber+1001. Thus you may want to use smbldap-useradd.pl -a -g "Domain Admins" -u 500 Administrator - to create a domain administrator (admin rid is 0x1F4 = 500 and + to create a sambaDomainName administrator (admin rid is 0x1F4 = 500 and grouprid is 0x200 = 512) Without any option, the account created will be an Unix (Posix) @@ -391,7 +391,7 @@ exit 0; -a The user will have a Samba account (and Unix). -w Creates an account for a Samba machine (Workstation), so that - it can join a domain. + it can join a sambaDomainName. -x Creates rid and primaryGroupID in hex (for Samba 2.2.2 bug). Else decimal (2.2.2 patched from cvs or 2.2.x, x > 2) @@ -441,15 +441,15 @@ exit 0; -B must change password ? 0 if no, 1 if yes - -C smbHome (SMB home share, like '\\\\PDC-SRV\\homes') + -C sambaHomePath (SMB home share, like '\\\\PDC-SRV\\homes') - -D homeDrive (letter associated with home share, like 'H:') + -D sambaHomeDrive (letter associated with home share, like 'H:') - -E scriptPath, relative to the [netlogon] share (DOS script to execute on login, like 'foo.bat') + -E sambaLogonScript, relative to the [netlogon] share (DOS script to execute on login, like 'foo.bat') - -F profilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo') + -F sambaProfilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo') - -H acctFlags, spaces and trailing bracket are ignored (samba account control bits like '[NDHTUMWSLKI]') + -H sambaAcctFlags, spaces and trailing bracket are ignored (samba account control bits like '[NDHTUMWSLKI]') =head1 SEE ALSO diff --git a/examples/LDAP/smbldap-tools/smbldap-userdel.pl b/examples/LDAP/smbldap-tools/smbldap-userdel.pl index 54309fa5db..435be4fdd0 100755 --- a/examples/LDAP/smbldap-tools/smbldap-userdel.pl +++ b/examples/LDAP/smbldap-tools/smbldap-userdel.pl 
@@ -1,4 +1,4 @@ -#!/usr/bin/perl +#!/usr/bin/perl # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). diff --git a/examples/LDAP/smbldap-tools/smbldap-usermod.pl b/examples/LDAP/smbldap-tools/smbldap-usermod.pl index 016d7b5422..dffb95bace 100755 --- a/examples/LDAP/smbldap-tools/smbldap-usermod.pl +++ b/examples/LDAP/smbldap-tools/smbldap-usermod.pl @@ -50,11 +50,11 @@ if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) { print " -x creates rid and primaryGroupID in hex instead of decimal (for Samba 2.2.2 unpatched only)\n"; print " -A can change password ? 0 if no, 1 if yes\n"; print " -B must change password ? 0 if no, 1 if yes\n"; - print " -C smbHome (SMB home share, like '\\\\PDC-SRV\\homes')\n"; - print " -D homeDrive (letter associated with home share, like 'H:')\n"; - print " -E scriptPath (DOS script to execute on login)\n"; - print " -F profilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo')\n"; - print " -H acctFlags (samba account control bits like '[NDHTUMWSLKI]')\n"; + print " -C sambaHomePath (SMB home share, like '\\\\PDC-SRV\\homes')\n"; + print " -D sambaHomeDrive (letter associated with home share, like 'H:')\n"; + print " -E sambaLogonScript (DOS script to execute on login)\n"; + print " -F sambaProfilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo')\n"; + print " -H sambaAcctFlags (samba account control bits like '[NDHTUMWSLKI]')\n"; print " -I disable an user. Can't be used with -H or -J\n"; print " -J enable an user. Can't be used with -H or -I\n"; print " -? show this help message\n"; 
@@ -201,19 +201,19 @@ if (defined($tmp = $Options{'G'})) { } # -# A : pwdCanChange -# B : pwdMustChange -# C : smbHome -# D : homeDrive -# E : scriptPath -# F : profilePath -# H : acctFlags +# A : sambaPwdCanChange +# B : sambaPwdMustChange +# C : sambaHomePath +# D : sambaHomeDrive +# E : sambaLogonScript +# F : sambaProfilePath +# H : sambaAcctFlags my $attr; my $winmagic = 2147483647; if (defined($tmp = $Options{'A'})) { - $attr = "pwdCanChange"; + $attr = "sambaPwdCanChange"; if ($tmp != 0) { $mods .= "$attr: 0\n"; } else { @@ -222,7 +222,7 @@ if (defined($tmp = $Options{'A'})) { } if (defined($tmp = $Options{'B'})) { - $attr = "pwdMustChange"; + $attr = "sambaPwdMustChange"; if ($tmp != 0) { $mods .= "$attr: 0\n"; } else { @@ -231,37 +231,37 @@ if (defined($tmp = $Options{'B'})) { } if (defined($tmp = $Options{'C'})) { - $attr = "smbHome"; + $attr = "sambaHomePath"; #$tmp =~ s/\\/\\\\/g; $mods .= "$attr: $tmp\n"; } if (defined($tmp = $Options{'D'})) { - $attr = "homeDrive"; + $attr = "sambaHomeDrive"; $tmp = $tmp.":" unless ($tmp =~ /:/); $mods .= "$attr: $tmp\n"; } if (defined($tmp = $Options{'E'})) { - $attr = "scriptPath"; + $attr = "sambaLogonScript"; #$tmp =~ s/\\/\\\\/g; $mods .= "$attr: $tmp\n"; } if (defined($tmp = $Options{'F'})) { - $attr = "profilePath"; + $attr = "sambaProfilePath"; #$tmp =~ s/\\/\\\\/g; $mods .= "$attr: $tmp\n"; } if (defined($tmp = $Options{'H'})) { - $attr = "acctFlags"; + $attr = "sambaAcctFlags"; #$tmp =~ s/\\/\\\\/g; $mods .= "$attr: $tmp\n"; } elsif (defined($tmp = $Options{'I'})) { my $flags; - if ( $lines =~ /^acctFlags: (.*)/m ) { + if ( $lines =~ /^sambaAcctFlags: (.*)/m ) { $flags = $1; } 
@@ -272,12 +272,12 @@ if (defined($tmp = $Options{'H'})) { if ($flags =~ /(\w+)/) { $letters = $1; } - $mods .= "acctFlags: \[D$letters\]\n"; + $mods .= "sambaAcctFlags: \[D$letters\]\n"; } } elsif (defined($tmp = $Options{'J'})) { my $flags; - if ( $lines =~ /^acctFlags: (.*)/m ) { + if ( $lines =~ /^sambaAcctFlags: (.*)/m ) { $flags = $1; } @@ -289,7 +289,7 @@ if (defined($tmp = $Options{'H'})) { $letters = $1; } $letters =~ s/D//; - $mods .= "acctFlags: \[$letters\]\n"; + $mods .= "sambaAcctFlags: \[$letters\]\n"; } } @@ -380,15 +380,15 @@ if ($nscd_status == 0) { -B must change password ? 0 if no, 1 if yes - -C smbHome (SMB home share, like '\\\\PDC-SRV\\homes') + -C sambaHomePath (SMB home share, like '\\\\PDC-SRV\\homes') - -D homeDrive (letter associated with home share, like 'H:') + -D sambaHomeDrive (letter associated with home share, like 'H:') - -E scriptPath, relative to the [netlogon] share (DOS script to execute on login, like 'foo.bat') + -E sambaLogonScript, relative to the [netlogon] share (DOS script to execute on login, like 'foo.bat') - -F profilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo') + -F sambaProfilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo') - -H acctFlags, spaces and trailing bracket are ignored (samba account control bits like '[NDHTUMWSLKI]') + -H sambaAcctFlags, spaces and trailing bracket are ignored (samba account control bits like '[NDHTUMWSLKI]') -I disable user. Can't be used with -H or -J diff --git a/examples/LDAP/smbldap-tools/smbldap_conf.pm b/examples/LDAP/smbldap-tools/smbldap_conf.pm index 9a5a116b98..dd1d772ea7 100644 --- a/examples/LDAP/smbldap-tools/smbldap_conf.pm +++ b/examples/LDAP/smbldap-tools/smbldap_conf.pm 
@@ -29,7 +29,7 @@ package smbldap_conf; use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $UID_START $GID_START $smbpasswd $slaveLDAP $masterLDAP -$with_smbpasswd $mk_ntpasswd +$slavePort $masterPort $ldapSSL $slaveURI $masterURI $with_smbpasswd $mk_ntpasswd $ldap_path $ldap_opts $ldapsearch $ldapsearchnobind $ldapmodify $ldappasswd $ldapadd $ldapdelete $ldapmodrdn $suffix $usersdn $computersdn @@ -48,7 +48,7 @@ $VERSION = 1.00; @EXPORT = qw( $UID_START $GID_START $smbpasswd $slaveLDAP $masterLDAP -$with_smbpasswd $mk_ntpasswd +$slavePort $masterPort $ldapSSL $slaveURI $masterURI $with_smbpasswd $mk_ntpasswd $ldap_path $ldap_opts $ldapsearch $ldapsearchnobind $ldapmodify $ldappasswd $ldapadd $ldapdelete $ldapmodrdn $suffix $usersdn $computersdn $groupsdn $scope $binddn $bindpasswd @@ -73,6 +73,10 @@ $usersou $computersou $groupsou $UID_START = 1000; $GID_START = 1000; +# Put your own SID +# to obtain this number do: # net getlocalsid +our $SID='S-1-5-21-636805976-1992644568-3666589737'; + ############################################################################## # # LDAP Configuration @@ -86,19 +90,34 @@ $GID_START = 1000; # Slave LDAP : needed for read operations # # Ex: $slaveLDAP = "127.0.0.1"; -$slaveLDAP = "_SLAVELDAP_"; +$slaveLDAP = "127.0.0.1"; + +$slavePort = "389"; # # Master LDAP : needed for write operations # # Ex: $masterLDAP = "127.0.0.1"; -$masterLDAP = "_MASTERLDAP_"; +$masterLDAP = "127.0.0.1"; + + +# +# Master Port +# 389 636 +# Ex: $masterPort = " +$masterPort = "389"; + +# +# Use SSL for LDAP +# +$ldapSSL = "0"; # # LDAP Suffix # # Ex: $suffix = "dc=IDEALX,dc=ORG"; -$suffix = "_SUFFIX_"; +$suffix = "dc=IDEALX,dc=ORG"; + # # Where are stored Users 
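Review bot: The `_SLAVELDAP_`, `_MASTERLDAP_` and `_SUFFIX_` markers are replaced by literal example values (`127.0.0.1`, `dc=IDEALX,dc=ORG`), and the next smbldap_conf.pm hunk does the same for `_BINDDN_`/`_BINDPW_`, so the spec's post-install `perl -i -pe` substitutions (the `_BINDDN_`/`_BINDPW_` ones are visible in the smbldap-tools.spec hunk; presumably matching ones exist for the others) no longer find anything to rewrite and a packaged install silently runs with the example values. The new `our $SID='S-1-5-21-636805976-1992644568-3666589737';` has the same shape: a realistic-looking example that, left unedited, makes every `sambaSID:` written by the useradd and usermod hunks belong to a domain other than the server's. Prefer a marker plus an explicit check, e.g. `our $SID = '_SID_';` followed by `die "set \$SID (net getlocalsid) in smbldap_conf.pm\n" if $SID eq '_SID_';`, and note that `$SID` is not added to `@EXPORT`, so callers must keep using `$smbldap_conf::SID` as the useradd hunk does. The `# Ex: $masterPort = "` comment is also cut off mid-line.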
@@ -134,11 +153,11 @@ $scope = "sub"; # # Bind DN used # Ex: $binddn = "cn=Manager,$suffix"; for cn=Manager,dc=IDEALX,dc=org -$binddn = "_BINDDN_"; +$binddn = "cn=Manager,$suffix"; # # Bind DN passwd used # Ex: $bindpasswd = 'secret'; for 'secret' -$bindpasswd = "_BINDPW_"; +$bindpasswd = "secret"; # # Notes: if using dual ldap patch, you can specify to different configuration @@ -167,7 +186,7 @@ $_userLoginShell = q(_LOGINSHELL_); # Home directory prefix (without username) # #Ex: $_userHomePrefix = q(/home/); -$_userHomePrefix = q(_USERHOMEPREFIX_); +$_userHomePrefix = q(_HOMEPREFIX_); # # Gecos @@ -211,7 +230,7 @@ $_userProfile = q(\\\\_PDCNAME_\\profiles\\); # The default Home Drive Letter mapping # (will be automatically mapped at logon time if home directory exist) # Ex: q(U:) for U: -$_userHomeDrive = q(_HOMEDRIVE_:); +$_userHomeDrive = q(_HOMEDRIVE_); # # The default user netlogon script name 
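Review bot: `$bindpasswd = "secret"` together with `$binddn = "cn=Manager,$suffix"` ships a working directory-manager credential as the default, and the same value is spelled out in the spec's `s/_BINDPW_/secret/` line, so any install that skips editing this file binds as the manager with a password that is public. Refuse to run on an unconfigured value rather than defaulting to one: `die "bind password not configured in smbldap_conf.pm\n" if $bindpasswd eq "secret" || $bindpasswd eq '';`. The install mode of smbldap_conf.pm is not in this diff; since it carries a cleartext bind password it should be readable only by the administrative account that runs the tools.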
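Review bot: `$_userHomeDrive = q(_HOMEDRIVE_)` drops the `:` that the old `q(_HOMEDRIVE_:)` carried, and the spec hunk now substitutes a bare `H`, so the default becomes `H` rather than `H:`; the usermod hunk appends the colon only for an explicit `-D` (`$tmp = $tmp.":" unless ($tmp =~ /:/);`) and the code that writes the default into `sambaHomeDrive` is not in this diff, so the default may now be stored without it. Either keep `q(_HOMEDRIVE_:)` here with the spec substituting only the letter, or normalise at the point of use: `$_userHomeDrive .= ":" unless $_userHomeDrive =~ /:/;`.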
@@ -232,15 +251,28 @@ $with_smbpasswd = 0; $smbpasswd = "/usr/bin/smbpasswd"; $mk_ntpasswd = "/usr/local/sbin/mkntpwd"; +if ( $ldapSSL eq "0" ) { + $slaveURI = "ldap://$slaveLDAP:$slavePort"; + $masterURI = "ldap://$masterLDAP:$masterPort"; +} +elsif ( $ldapSSL eq "1" ) { + $slaveURI = "ldaps://$slaveLDAP:$slavePort"; + $masterURI = "ldaps://$masterLDAP:$masterPort"; +} +else { + die "ldapSSL option must be either 0 or 1.\n"; +} + + $ldap_path = "/usr/bin"; $ldap_opts = "-x"; -$ldapsearch = "$ldap_path/ldapsearch $ldap_opts -h $slaveLDAP -D '$slaveDN' -w '$slavePw'"; -$ldapsearchnobind = "$ldap_path/ldapsearch $ldap_opts -h $slaveLDAP"; -$ldapmodify = "$ldap_path/ldapmodify $ldap_opts -h $masterLDAP -D '$masterDN' -w '$masterPw'"; -$ldappasswd = "$ldap_path/ldappasswd $ldap_opts -h $masterLDAP -D '$masterDN' -w '$masterPw'"; -$ldapadd = "$ldap_path/ldapadd $ldap_opts -h $masterLDAP -D '$masterDN' -w '$masterPw'"; -$ldapdelete = "$ldap_path/ldapdelete $ldap_opts -h $masterLDAP -D '$masterDN' -w '$masterPw'"; -$ldapmodrdn = "$ldap_path/ldapmodrdn $ldap_opts -h $masterLDAP -D '$masterDN' -w '$masterPw'"; +$ldapsearch = "$ldap_path/ldapsearch $ldap_opts -H $slaveURI -D '$slaveDN' -w '$slavePw'"; +$ldapsearchnobind = "$ldap_path/ldapsearch $ldap_opts -H $slaveURI"; +$ldapmodify = "$ldap_path/ldapmodify $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'"; +$ldappasswd = "$ldap_path/ldappasswd $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'"; +$ldapadd = "$ldap_path/ldapadd $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'"; +$ldapdelete = "$ldap_path/ldapdelete $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'"; +$ldapmodrdn = "$ldap_path/ldapmodrdn $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'"; diff --git a/examples/LDAP/smbldap-tools/smbldap_tools.pm b/examples/LDAP/smbldap-tools/smbldap_tools.pm index 0a451210f3..ad6ef74eb6 100755 --- a/examples/LDAP/smbldap-tools/smbldap_tools.pm +++ b/examples/LDAP/smbldap-tools/smbldap_tools.pm 
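Review bot: With `$ldapSSL eq "1"` the URIs are still built from `$slavePort`/`$masterPort`, whose defaults remain `"389"`, so the SSL branch produces `ldaps://127.0.0.1:389` unless both ports are edited as well; either derive the default port from the flag or state the coupling in the `# Master Port` comment, which is itself cut off at `# Ex: $masterPort = "`. The rewritten `$ldapsearch`/`$ldapmodify`/`$ldappasswd`/… strings keep `-w '$slavePw'` and `-w '$masterPw'`, so the bind password sits on the argument list of every helper call and is readable from the process table by any local user for the duration of the call; OpenLDAP clients that support it can read the password from a file (`-y`), and the Net::LDAP connection this commit adds to smbldap_tools.pm needs no command line at all. The single quotes around `$slavePw` also break the command for a password containing `'`.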
@@ -2,6 +2,7 @@ use strict; package smbldap_tools; use smbldap_conf; +use Net::LDAP; # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). @@ -29,6 +30,7 @@ use smbldap_conf; use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS); use Exporter; $VERSION = 1.00; + @ISA = qw(Exporter); @EXPORT = qw( 
@@ -59,101 +61,149 @@ get_user_dn2 # dn_line = get_user_dn($username) # where dn_line is like "dn: a=b,c=d" + +#sub ldap_search +#{ +#my ($local_base,$local_scope,$local_filtre)=@_; +#} + + + sub get_user_dn { my $user = shift; - my $dn=`$ldapsearch -b '$suffix' -s '$scope' '(&(objectclass=posixAccount)(uid=$user))' | grep "^dn:"`; - chomp $dn; + my $dn=''; + my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; + $ldap->bind ; + my $mesg = $ldap->search ( base => $suffix, + scope => $scope, + filter => "(&(objectclass=posixAccount)(uid=$user))" + ); + $mesg->code && die $mesg->error; + foreach my $entry ($mesg->all_entries) { + $dn= $entry->dn;} + $ldap->unbind; + chomp($dn); if ($dn eq '') { return undef; } - + $dn="dn: ".$dn; return $dn; } -# return (success, dn) -sub get_user_dn2 + +sub get_user_dn2 ## migré { my $user = shift; - - my $sr = `$ldapsearch -b '$suffix' -s '$scope' '(&(objectclass=posixAccount)(uid=$user))'`; - if ($sr eq "") { - print "get_user_dn2: error in ldapsearch : -$ldapsearch -b '$suffix' -s '$scope' '(&(objectclass=posixAccount)(uid=$user))'\n"; - return (0, undef); + my $dn=''; + my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; + $ldap->bind ; + my $mesg = $ldap->search ( base => $suffix, + scope => $scope, + filter => "(&(objectclass=posixAccount)(uid=$user))" + ); + # $mesg->code && warn $mesg->error; + if ($mesg->code) + { + print("Code erreur : ",$mesg->code,"\n"); + print("Message d'erreur : ",$mesg->error,"\n"); + return (0,undef); + } + + foreach my $entry ($mesg->all_entries) { + $dn= $entry->dn; } - - my @lines = split(/\n/, $sr); - - my @matches = grep(/^dn:/, @lines); - - my $dn = $matches[0]; - chomp $dn; + $ldap->unbind; + chomp($dn); if ($dn eq '') { - return (1, undef); + return (1,undef); } - - return (1, $dn); + $dn="dn: ".$dn; + return (1,$dn); } -# dn_line = get_group_dn($groupname) -# where dn_line is like "dn: a=b,c=d" + sub get_group_dn -{ - my $group = shift; - my $dn=`$ldapsearch -b '$groupsdn' -s 
'$scope' '(&(objectclass=posixGroup)(|(cn=$group)(gidNumber=$group)))' | grep "^dn:"`; - chomp $dn; - if ($dn eq '') { - return undef; - } - - return $dn; -} + { + my $group = shift; + my $dn=''; + my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; + $ldap->bind ; + my $mesg = $ldap->search ( base => $groupsdn, + scope => $scope, + filter => "(&(objectclass=posixGroup)(|(cn=$group)(gidNumber=$group)))" + ); + $mesg->code && die $mesg->error; + foreach my $entry ($mesg->all_entries) { + $dn= $entry->dn;} + $ldap->unbind; + chomp($dn); + if ($dn eq '') { + return undef; + } + $dn="dn: ".$dn; + return $dn; + } +# return (success, dn) # bool = is_samba_user($username) sub is_samba_user -{ - my $user = shift; - my $cmd = "$ldapsearch -b '$suffix' -s '$scope' '(&(objectClass=sambaAccount)(uid=$user))' | grep '^dn:\'"; - my $res=`$cmd`; - chomp $res; - if ($res ne '') { - return 1; - } - return 0; -} + { + my $user = shift; + my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; + $ldap->bind ; + my $mesg = $ldap->search ( base => $suffix, + scope => $scope, + filter => "(&(objectClass=sambaSamAccount)(uid=$user))" + ); + $mesg->code && die $mesg->error; + $ldap->unbind; + return ($mesg->count ne 0); + } + -# bool = is_user_valid($username) # try to bind with user dn and password to validate current password -sub is_user_valid -{ - my ($user, $dn, $pass) = @_; - my $res=`$ldapsearchnobind -b '$usersdn' -s '$scope' -D '$dn' -w '$pass' '(&(objectclass=posixAccount)(uid=$user))' 2>/dev/null | grep "^dn:"`; - chomp $res; - if ($res eq '') { - return 0; - } - return 1; +sub is_user_valid + { + my ($user, $dn, $pass) = @_; + my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; + my $mesg= $ldap->bind (dn => $dn, password => $pass ); + if ($mesg->code eq 0) + { + $ldap->unbind; + return 1; + } + else + { + if($ldap->bind()) { + $ldap->unbind; + return 0; + } else { + print ("Le serveur LDAP est indisponible.\nVérifier le serveur, les câblages, ..."); + 
$ldap->unbind; + return 0; + } die "Problème : Contacter votre administrateur"; + } } # dn = get_dn_from_line ($dn_line) # helper to get "a=b,c=d" from "dn: a=b,c=d" sub get_dn_from_line -{ - my $dn = shift; - $dn =~ s/^dn: //; - return $dn; -} + { + my $dn = shift; + $dn =~ s/^dn: //; + return $dn; + } # success = add_posix_machine($user, $uid, $gid) sub add_posix_machine -{ - my ($user, $uid, $gid) = @_; - -my $tmpldif = -"dn: uid=$user,$computersdn -objectclass: top + { + my ($user, $uid, $gid) = @_; + my $tmpldif = + "dn: uid=$user,$computersdn +objectclass: inetOrgPerson objectclass: posixAccount +sn: $user cn: $user uid: $user uidNumber: $uid 
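Review bot: `is_user_valid` accepts an empty password — `$ldap->bind(dn => $dn, password => $pass)` with `$pass` empty is an unauthenticated bind (RFC 4513 §5.1.2) that most directories answer with success, so the caller's password check passes for any DN; the `die` after the inner `return 0` is also unreachable. Every `Net::LDAP->new($slaveLDAP)` in this hunk ignores the `$slaveURI`/`$slavePort`/`$ldapSSL` settings the smbldap_conf.pm hunk introduces, so a deployment with `$ldapSSL = "1"` still gets plaintext port-389 searches from this module; pass `$slaveURI` instead. The anonymous `$ldap->bind ;` results are never checked (a server that denies anonymous reads makes `get_user_dn` return undef as if the user did not exist), and `$user`/`$group` go into the search filters unescaped — `escape_filter_value` from Net::LDAP::Util, if the installed perl-ldap provides it, keeps a `*` or `)` in a name from changing the filter. A guard-clause `is_user_valid` that also drops the dead code:
```perl
sub is_user_valid
{
    my ($user, $dn, $pass) = @_;
    # A missing or empty password turns bind() into an unauthenticated
    # (anonymous) bind that most servers accept; that must never count as
    # a verified credential.
    return 0 if !defined $dn || $dn eq '' || !defined $pass || $pass eq '';
    my $ldap = Net::LDAP->new($slaveURI) or die "cannot connect to $slaveURI: $@";
    my $mesg = $ldap->bind(dn => $dn, password => $pass);
    $ldap->unbind;
    return $mesg->code == 0 ? 1 : 0;
}
```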
@@ -164,420 +214,497 @@ description: Computer "; - die "$0: error while adding posix account to machine $user\n" + die "$0: error while adding posix account to machine $user\n" unless (do_ldapadd($tmpldif) == 0); - - undef $tmpldif; - - return 1; -} + undef $tmpldif; + return 1; + } # success = add_samba_machine($computername) sub add_samba_machine { my $user = shift; system "smbpasswd -a -m $user"; - return 1; } sub add_samba_machine_mkntpwd -{ - my ($user, $uid) = @_; - my $rid = 2 * $uid + 1000; # Samba 2.2.2 stuff - - my $name = $user; - $name =~ s/.$//s; - - if ($mk_ntpasswd eq '') { - print "Either set \$with_smbpasswd = 1 or specify \$mk_ntpasswd\n"; - return 0; - } - - my $ntpwd = `$mk_ntpasswd '$name'`; - chomp(my $lmpassword = substr($ntpwd, 0, index($ntpwd, ':'))); - chomp(my $ntpassword = substr($ntpwd, index($ntpwd, ':')+1)); - - my $tmpldif = -"dn: uid=$user,$computersdn + { + my ($user, $uid) = @_; + my $sambaSID = 2 * $uid + 1000; + my $name = $user; + $name =~ s/.$//s; + + if ($mk_ntpasswd eq '') { + print "Either set \$with_smbpasswd = 1 or specify \$mk_ntpasswd\n"; + return 0; + } + + my $ntpwd = `$mk_ntpasswd '$name'`; + chomp(my $lmpassword = substr($ntpwd, 0, index($ntpwd, ':'))); + chomp(my $ntpassword = substr($ntpwd, index($ntpwd, ':')+1)); + + my $tmpldif = + "dn: uid=$user,$computersdn changetype: modify -objectclass: top +objectclass: inetOrgPerson objectclass: posixAccount -objectClass: sambaAccount -pwdLastSet: 0 -logonTime: 0 -logoffTime: 2147483647 -kickoffTime: 2147483647 -pwdCanChange: 0 -pwdMustChange: 2147483647 -acctFlags: [W ] -lmpassword: $lmpassword -ntpassword: $ntpassword -rid: $rid -primaryGroupID: 0 +objectClass: sambaSamAccount +sambaPwdLastSet: 0 +sambaLogonTime: 0 +sambaLogoffTime: 2147483647 +sambaKickoffTime: 2147483647 +sambaPwdCanChange: 0 +sambaPwdMustChange: 2147483647 +sambaAcctFlags: [W ] +sambaLMPassword: $lmpassword +sambaNTPassword: $ntpassword +sambaSID: $smbldap_conf::SID-$sambaSID +sambaPrimaryGroupSID: 
$smbldap_conf::SID-0 "; - die "$0: error while adding samba account to $user\n" - unless (do_ldapmodify($tmpldif) == 0); - undef $tmpldif; + die "$0: error while adding samba account to $user\n" + unless (do_ldapmodify($tmpldif) == 0); + undef $tmpldif; - return 1; -} + return 1; + } sub group_add_user -{ - my ($group, $userid) = @_; - my $dn_line; - - if (!defined($dn_line = get_group_dn($group))) { - return 1; - } - my $dn = get_dn_from_line($dn_line); - my $members = `$ldapsearch -b '$dn' -s base | grep -i "^memberUid:"`; - chomp($members); - # user already member ? - if ($members =~ m/^memberUid: $userid/) { - return 2; - } - my $mods = ""; - if ($members ne '') { - $mods="$dn_line + { + my ($group, $userid) = @_; + my $members=''; + my $dn_line = get_group_dn($group); + if (!defined($dn_line)) { + return 1; + } + my $dn = get_dn_from_line($dn_line); + + my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; + $ldap->bind ; + my $mesg = $ldap->search ( base =>$dn, scope => "base", filter => "(objectClass=*)" ); + $mesg->code && die $mesg->error; + foreach my $entry ($mesg->all_entries){ + foreach my $attr ($entry->attributes) + { + if ($attr=~/\bmemberUid\b/){ + foreach my $ent($entry->get_value($attr)) { $members.= $attr.": ".$ent."\n"; } + } + } + } + $ldap->unbind; + chomp($members); + # user already member ? 
+ if ($members =~ m/^memberUid: $userid/) { + return 2; + } + my $mods = ""; + if ($members ne '') { + $mods="$dn_line changetype: modify replace: memberUid $members memberUid: $userid + "; - } else { - $mods="$dn_line + } else { + $mods="$dn_line changetype: modify add: memberUid memberUid: $userid -"; - } +"; + } #print "$mods\n"; - - my $tmpldif = -"$mods + my $tmpldif = + "$mods "; - die "$0: error while modifying group $group\n" + die "$0: error while modifying group $group\n" unless (do_ldapmodify($tmpldif) == 0); - undef $tmpldif; - return 0; -} - -sub add_grouplist_user -{ - my ($grouplist, $user) = @_; - my @array = split(/,/, $grouplist); - foreach my $group (@array) { - group_add_user($group, $user); - } -} - -# XXX FIXME : acctFlags |= D, and not acctFlags = D + undef $tmpldif; + return 0; + } + +sub add_grouplist_user + { + my ($grouplist, $user) = @_; + my @array = split(/,/, $grouplist); + foreach my $group (@array) { + group_add_user($group, $user); + } + } + +# XXX FIXME : sambaAcctFlags |= D, and not sambaAcctFlags = D sub disable_user -{ - my $user = shift; - my $dn_line; + { + my $user = shift; + my $dn_line; - if (!defined($dn_line = get_user_dn($user))) { - print "$0: user $user doesn't exist\n"; - exit (10); - } + if (!defined($dn_line = get_user_dn($user))) { + print "$0: user $user doesn't exist\n"; + exit (10); + } - my $tmpldif = -"dn: $dn_line + my $tmpldif = + "dn: $dn_line changetype: modify replace: userPassword userPassword: {crypt}!x "; - die "$0: error while modifying user $user\n" + die "$0: error while modifying user $user\n" unless (do_ldapmodify($tmpldif) == 0); - undef $tmpldif; + undef $tmpldif; - if (is_samba_user($user)) { - - my $tmpldif = -"dn: $dn_line + if (is_samba_user($user)) { + + my $tmpldif = + "dn: $dn_line changetype: modify -replace: acctFlags -acctFlags: [D ] +replace: sambaAcctFlags +sambaAcctFlags: [D ] "; - die "$0: error while modifying user $user\n" + die "$0: error while modifying user $user\n" unless 
(do_ldapmodify($tmpldif) == 0); - undef $tmpldif; - - } - -} + undef $tmpldif; + } + } # delete_user($user) sub delete_user -{ - my $user = shift; - my $dn_line; + { + my $user = shift; + my $dn_line; - if (!defined($dn_line = get_user_dn($user))) { - print "$0: user $user doesn't exist\n"; - exit (10); - } + if (!defined($dn_line = get_user_dn($user))) { + print "$0: user $user doesn't exist\n"; + exit (10); + } - my $dn = get_dn_from_line($dn_line); - system "$ldapdelete $dn >/dev/null"; -} + my $dn = get_dn_from_line($dn_line); + system "$ldapdelete $dn >/dev/null"; + } # $success = group_add($groupname, $group_gid, $force_using_existing_gid) sub group_add -{ - my ($gname, $gid, $force) = @_; - - my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1"; - - if ($nscd_status == 0) { - system "/etc/init.d/nscd stop > /dev/null 2>&1"; - } - - if (!defined($gid)) { - while (defined(getgrgid($GID_START))) { - $GID_START++; - } - $gid = $GID_START; - } else { - if (!defined($force)) { - if (defined(getgrgid($gid))) { - return 0; - } - } - } - - if ($nscd_status == 0) { - system "/etc/init.d/nscd start > /dev/null 2>&1"; - } - - my $tmpldif = -"dn: cn=$gname,$groupsdn + { + my ($gname, $gid, $force) = @_; + my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1"; + if ($nscd_status == 0) { + system "/etc/init.d/nscd stop > /dev/null 2>&1"; + } + if (!defined($gid)) { + while (defined(getgrgid($GID_START))) { + $GID_START++; + } + $gid = $GID_START; + } else { + if (!defined($force)) { + if (defined(getgrgid($gid))) { + return 0; + } + } + } + if ($nscd_status == 0) { + system "/etc/init.d/nscd start > /dev/null 2>&1"; + } + my $tmpldif = + "dn: cn=$gname,$groupsdn objectclass: posixGroup cn: $gname gidNumber: $gid "; - die "$0: error while adding posix group $gname\n" + die "$0: error while adding posix group $gname\n" unless (do_ldapadd($tmpldif) == 0); - - undef $tmpldif; - - return 1; -} + undef $tmpldif; + return 1; + } # $homedir = get_homedir 
($user) sub get_homedir -{ - my $user = shift; - my $homeDir=`$ldapsearch -b '$suffix' -s '$scope' '(&(objectclass=posixAccount)(uid=$user))' | grep "^homeDirectory:"`; - chomp $homeDir; - if ($homeDir eq '') { - return undef; - } - $homeDir =~ s/^homeDirectory: //; - - return $homeDir; -} + { + my $user = shift; + my $homeDir=''; + # my $homeDir=`$ldapsearch -b '$suffix' -s '$scope' '(&(objectclass=posixAccount)(uid=$user))' | grep "^homeDirectory:"`; + my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; + $ldap->bind ; + my $mesg = $ldap->search ( base =>$suffix, scope => $scope, filter => "(&(objectclass=posixAccount)(uid=$user))" ); + $mesg->code && die $mesg->error; + foreach my $entry ($mesg->all_entries){ + foreach my $attr ($entry->attributes) + { + if ($attr=~/\bhomeDirectory\b/){ + foreach my $ent($entry->get_value($attr)) { + $homeDir.= $attr.": ".$ent."\n"; + } + } + } + } + $ldap->unbind; + chomp $homeDir; + if ($homeDir eq '') { + return undef; + } + $homeDir =~ s/^homeDirectory: //; + return $homeDir; + } # search for an user sub read_user -{ - my $user = shift; - my $lines=`$ldapsearch -b '$suffix' -s '$scope' '(&(objectclass=posixAccount)(uid=$user))' -LLL`; - chomp $lines; - if ($lines eq '') { - return undef; - } - - return $lines; -} + { + my $user = shift; + my $lines =''; + my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; + $ldap->bind ; + my $mesg = $ldap->search ( # perform a search + base => $suffix, + scope => $scope, + filter => "(&(objectclass=posixAccount)(uid=$user))" + ); + + $mesg->code && die $mesg->error; + foreach my $entry ($mesg->all_entries) { + $lines.= "dn: " . 
$entry->dn."\n"; + foreach my $attr ($entry->attributes) { + { + $lines.= $attr.": ".join(',', $entry->get_value($attr))."\n"; + } + } + } + $ldap->unbind; # take down sessio(n + chomp $lines; + if ($lines eq '') { + return undef; + } + return $lines; + } # search for a group sub read_group -{ - my $user = shift; - my $lines=`$ldapsearch -b '$groupsdn' -s '$scope' '(&(objectclass=posixGroup)(cn=$user))' -LLL`; - chomp $lines; - if ($lines eq '') { - return undef; - } - - return $lines; -} + { + my $user = shift; + my $lines =''; + my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; + $ldap->bind ; + my $mesg = $ldap->search ( # perform a search + base => $groupsdn, + scope => $scope, + filter => "(&(objectclass=posixGroup)(cn=$user))" + ); + + $mesg->code && die $mesg->error; + foreach my $entry ($mesg->all_entries) { + $lines.= "dn: " . $entry->dn."\n"; + foreach my $attr ($entry->attributes) { + { + $lines.= $attr.": ".join(',', $entry->get_value($attr))."\n"; + } + } + } + + $ldap->unbind; # take down sessio(n + chomp $lines; + if ($lines eq '') { + return undef; + } + return $lines; + } # find groups of a given user +##### MODIFIE ######## sub find_groups_of -{ - my $user = shift; - my $lines=`$ldapsearch -b '$groupsdn' -s '$scope' '(&(objectclass=posixGroup)(memberuid=$user))' -LLL | grep "^dn: "`; - chomp $lines; - if ($lines eq '') { - return undef; - } - - return $lines; -} + { + my $user = shift; + my $lines =''; + my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; + $ldap->bind ; + my $mesg = $ldap->search ( # perform a search + base => $groupsdn, + scope => $scope, + filter => "(&(objectclass=posixGroup)(memberuid=$user))" + ); + $mesg->code && die $mesg->error; + foreach my $entry ($mesg->all_entries) { + $lines.= "dn: ".$entry->dn."\n"; + } + $ldap->unbind; + chomp($lines); + if ($lines eq '') {return undef; } + return $lines; + } # return the gidnumber for a group given as name or gid # -1 : bad group name # -2 : bad gidnumber sub 
parse_group -{ - my $userGidNumber = shift; - - if ($userGidNumber =~ /[^\d]/ ) { - my $gname = $userGidNumber; - my $gidnum = getgrnam($gname); - if ($gidnum !~ /\d+/) { - return -1; - } else { - $userGidNumber = $gidnum; - } - } elsif (!defined(getgrgid($userGidNumber))) { - return -2; - } - return $userGidNumber; -} + { + my $userGidNumber = shift; + if ($userGidNumber =~ /[^\d]/ ) { + my $gname = $userGidNumber; + my $gidnum = getgrnam($gname); + if ($gidnum !~ /\d+/) { + return -1; + } else { + $userGidNumber = $gidnum; + } + } elsif (!defined(getgrgid($userGidNumber))) { + return -2; + } + return $userGidNumber; + } # remove $user from $group sub group_remove_member -{ - my ($group, $user) = @_; - - my $grp_line = get_group_dn($group); - if (!defined($grp_line)) { - return 0; - } - my $members = `$ldapsearch -b '$groupsdn' -s '$scope' '(&(objectclass=posixgroup)(cn=$group))' | grep -i "^memberUid:"`; - - #print "avant ---\n$members\n"; - $members =~ s/memberUid: $user\n//; - #print "----\n$members\n---\n"; - - chomp($members); - - my $header; - if ($members eq '') { - $header = "changetype: modify\n"; - $header .= "delete: memberUid"; - } else { - $header = "changetype: modify\n"; - $header .= "replace: memberUid"; - } - - my $tmpldif = + { + my ($group, $user) = @_; + my $members=''; + my $grp_line = get_group_dn($group); + if (!defined($grp_line)) { + return 0; + } + + my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; + $ldap->bind ; + my $mesg = $ldap->search ( base => $groupsdn, + scope => $scope, + filter => "(&(objectclass=posixgroup)(cn=$group))" + ); + $mesg->code && die $mesg->error; + foreach my $entry ($mesg->all_entries){ + foreach my $attr ($entry->attributes) + { + if ($attr=~/\bmemberUid\b/){ + foreach my $ent($entry->get_value($attr)) { + $members.= $attr.": ".$ent."\n"; + } + } + } + } + #print "Valeurs de members :\n$members"; + $ldap->unbind; + # my $members = `$ldapsearch -b '$groupsdn' -s '$scope' 
'(&(objectclass=posixgroup)(cn=$group))' | grep -i "^memberUid:"`; + # print "avant ---\n$members\n"; + $members =~ s/memberUid: $user\n//; + #print "après ---\n$members\n"; + chomp($members); + + my $header; + if ($members eq '') { + $header = "changetype: modify\n"; + $header .= "delete: memberUid"; + } else { + $header = "changetype: modify\n"; + $header .= "replace: memberUid"; + } + + my $tmpldif = "$grp_line $header $members "; - die "$0: error while modifying group $group\n" + + #print "Valeur du tmpldif : \n$tmpldif"; + die "$0: error while modifying group $group\n" unless (do_ldapmodify($tmpldif) == 0); - undef $tmpldif; + undef $tmpldif; - return 1; -} + $ldap->unbind; + return 1; + } sub group_get_members -{ - my ($group) = @_; - my @members; - - my $grp_line = get_group_dn($group); - if (!defined($grp_line)) { - return 0; - } - my $members = `$ldapsearch -b '$groupsdn' -s '$scope' '(&(objectclass=posixgroup)(cn=$group))' memberUid | grep -i "^memberUid:"`; - - my @lines = split (/\n/, $members); - foreach my $line (@lines) { - $line =~ s/^memberUid: //; - push(@members, $line); - } - - return @members; -} + { + my ($group) = @_; + my $members; + my @resultat; + my $grp_line = get_group_dn($group); + if (!defined($grp_line)) { return 0; } + + my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; + $ldap->bind ; + my $mesg = $ldap->search ( base => $groupsdn, + scope => $scope, + filter => "(&(objectclass=posixgroup)(cn=$group))" + ); + $mesg->code && die $mesg->error; + foreach my $entry ($mesg->all_entries){ + foreach my $attr ($entry->attributes){ + if ($attr=~/\bmemberUid\b/){ + foreach my $ent($entry->get_value($attr)) { push (@resultat,$ent); } + } + } + } + return @resultat; + } sub file_write { - my ($filename, $filecontent) = @_; - local *FILE; - open (FILE, "> $filename") || - die "Cannot open «$filename» for writing: $!\n"; - print FILE $filecontent; - close FILE; + my ($filename, $filecontent) = @_; + local *FILE; + open (FILE, "> 
$filename") || + die "Cannot open $filename for writing: $!\n"; + print FILE $filecontent; + close FILE; } # wrapper for ldapadd sub do_ldapadd2 -{ - my $ldif = shift; + { + my $ldif = shift; + my $tempfile = "/tmp/smbldapadd.$$"; + file_write($tempfile, $ldif); - my $tempfile = "/tmp/smbldapadd.$$"; - file_write($tempfile, $ldif); - - my $rc = system "$ldapadd < $tempfile >/dev/null"; - unlink($tempfile); - return $rc; -} + my $rc = system "$ldapadd < $tempfile >/dev/null"; + unlink($tempfile); + return $rc; + } sub do_ldapadd -{ - my $ldif = shift; - - my $FILE = "|$ldapadd >/dev/null"; - open (FILE, $FILE) || die "$!\n"; - print FILE </dev/null"; - unlink($tempfile); - return $rc; -} + { + my $ldif = shift; + my $tempfile = "/tmp/smbldapmod.$$"; + file_write($tempfile, $ldif); + my $rc = system "$ldapmodify -r < $tempfile >/dev/null"; + unlink($tempfile); + return $rc; + } sub do_ldapmodify -{ - my $ldif = shift; - - my $FILE = "|$ldapmodify -r >/dev/null"; - open (FILE, $FILE) || die "$!\n"; - print FILE <