From b6bbc39204a4676922099ab78b6c48009266d1bb Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 26 Dec 2001 05:35:40 +0000 Subject: sync with 2.2 (This used to be commit aca58b0b72d2eb5024b4d5103fde5b281212d714) --- examples/LDAP/README | 114 ++++++++++++++++++++++++++++ examples/LDAP/export2_smbpasswd.pl | 64 ++++++++++++++++ examples/LDAP/export_smbpasswd.pl | 63 +++++++++++++++ examples/LDAP/import2_smbpasswd.pl | 108 ++++++++++++++++++++++++++ examples/LDAP/import_smbpasswd.pl | 65 ++++++++++++++++ examples/LDAP/ldapchpasswd | 152 +++++++++++++++++++++++++++++++++++++ examples/LDAP/ldapsync.pl | 117 ++++++++++++++++++++++++++++ examples/LDAP/samba.schema | 107 ++++++++++++++++++++++++++ 8 files changed, 790 insertions(+) create mode 100644 examples/LDAP/README create mode 100644 examples/LDAP/export2_smbpasswd.pl create mode 100644 examples/LDAP/export_smbpasswd.pl create mode 100644 examples/LDAP/import2_smbpasswd.pl create mode 100644 examples/LDAP/import_smbpasswd.pl create mode 100644 examples/LDAP/ldapchpasswd create mode 100644 examples/LDAP/ldapsync.pl create mode 100644 examples/LDAP/samba.schema (limited to 'examples/LDAP') diff --git a/examples/LDAP/README b/examples/LDAP/README new file mode 100644 index 0000000000..281a66e65a --- /dev/null +++ b/examples/LDAP/README 
@@ -0,0 +1,114 @@ +!== +!== README File for storing smbpasswd in LDAP +!== +!== written by Gerald Carter +!== + +This is a quick and dirty means of storing smbpasswd entries +in smbpasswd. Samba 2.2.x does not have any ability to grab +this information directly from LDAP so you will need to +periodically generate an smbpasswd from an ldapsearch +"(objectclass=smbPasswordEntry)". + +Be aware of search limits on your client or server which prevent +all entries from being returned in the search result. + + +Pre-requisites for import_smbpasswd.pl & export_smbpasswd.pl +------------------------------------------------------------ +You must install Mozilla PerLDAP which is available at: + + http://www.mozilla.org/directory + +PerLDAP depends on the Netscape (aka iPlanet) C-SDK which is +available for download at: + + http:// www.iplanet.com/downloads/developer/ + + +Pre-requisites for import2_smbpasswd.pl & export2_smbpasswd.pl +-------------------------------------------------------------- +These two scripts are modified versions of +[import|export]_smbpasswd.pl rewritten to use the Net::LDAP +perl module available from + + http://perl-ldap.sourceforge.net + + + +OpenLDAP 2.0.x +-------------- + +A sample schema file (samba.schema) has been included for use +with OpenLDAP 2.0.x. The OIDs used in this file are owned by +the Samba team and generated from its own Enterprise number +of 7165 (as issued by IANA). + +Copy the samba.schema file into your /etc/openldap/schema directory, +and add an include for it in the /etc/openldap/slapd.conf file. +Note that samba.schema relies upon the uid and uidNumber attributes +from the RFC2307 schema (i.e. 
nis.schema) + +If you choose to import /etc/passwd, nis, or nisplus tables +into ldap, you can use migration tools provided by PADL Software +which are located at + + http://www.padl.com/tools.html + +It is not a requirement that a user's /etc/passwd account +is stored in LDAP for the samba.schema file to work (although +the whole point of storing smbpasswd in LDAP is to have a +single location for user accounts, right?) + +The padl tools will leave you with LDIF files which you can import +into OpenLDAP. Before you can import them, you need to include +nis.schema and cosine.schema in your slapd.conf file. + +You must restart the LDAP server for these new included schema files +to become active. + + +import[2]_smbpasswd.pl +---------------------- + +Make sure you customize the local site variable in the perl script +(i.e. ldapserver, rootdn, rootpw, etc...). The script reads from +standard input and requires that user entries already exist +in your directories containing the 'objectclass: posixAccount' +value pair. For more information on this object and related schema, +refer to RFC2307 and http://www.padl.com/software.html). + +The following will import an smbpasswd file into an LDAP directory + + $ cat smbpasswd | import[2]_smbpasswd.pl + + +export[2]_smbpasswd.pl +---------------------- + +Make sure you customize the local site variable in the perl script +(i.e. ldapserver, rootdn, rootpw, etc...). You can then generate +an smbpasswd file by executing + + $ export[2]_smbpasswd.pl > smbpasswd + +NOTE: Server side (or client side) search limites may prevent +all users from being listed. Check you directory server documentation +for details. 
+ + + +ldapsync.pl & ldapchgpasswd.pl +------------------------------ +For more information on these scripts, see + + http://www.mami.net/univr/tng-ldap/howto/ + + +The ldapsync.pl script requires a small command (smbencrypt) +for generating LanMan and NT password hashes which +can be found at ftp://samba.org/pub/samba/contributed/ + +!== +!== end of README +!== diff --git a/examples/LDAP/export2_smbpasswd.pl b/examples/LDAP/export2_smbpasswd.pl new file mode 100644 index 0000000000..90f5805e55 --- /dev/null +++ b/examples/LDAP/export2_smbpasswd.pl 
@@ -0,0 +1,64 @@
+#!/usr/bin/perl
+##
+## Example script to export ldap entries into an smbpasswd file format
+## using the Mozilla PerLDAP module.
+##
+## writen by jerry@samba.org
+##
+## ported to Net::LDAP by dkrovich@slackworks.com
+
+use Net::LDAP;
+
+######################################################
+## Set these values to whatever you need for your site
+##
+
+$DN="dc=samba,dc=my-domain,dc=com";
+$ROOTDN="cn=Manager,dc=my-domain,dc=com";
+$rootpw = "secret";
+$LDAPSERVER="localhost";
+
+##
+## end local site variables
+######################################################
+
+$ldap = Net::LDAP->new($LDAPSERVER) or die "Unable to connect to LDAP server $LDAPSERVER";
+
+print "##\n";
+print "## Autogenerated smbpasswd file via ldapsearch\n";
+print "## from $LDAPSERVER ($DN)\n";
+print "##\n";
+
+## scheck for the existence of the posixAccount first
+$result = $ldap->search ( base => "$DN",
+ scope => "sub",
+ filter => "(objectclass=smbpasswordentry)"
+ );
+
+
+
+## loop over the entries we found
+while ( $entry = $result->shift_entry() ) {
+
+ @uid = $entry->get_value("uid");
+ @uidNumber = $entry->get_value("uidNumber");
+ @lm_pw = $entry->get_value("lmpassword");
+ @nt_pw = $entry->get_value("ntpassword");
+ @acct = $entry->get_value("acctFlags");
+ @pwdLastSet = $entry->get_value("pwdLastSet");
+
+ if (($#uid+1) && ($#uidNumber+1)) {
+
+ $lm_pw[0] = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" if (! ($#lm_pw+1));
+ $nt_pw[0] = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" if (! ($#nt_pw+1));
+ $acct[0] = "[DU ]" if (! ($#acct+1));
+ $pwdLastSet[0] = "FFFFFFFF" if (! ($#pwdLastSet+1));
+
+ print "$uid[0]:$uidNumber[0]:$lm_pw[0]:$nt_pw[0]:$acct[0]:LCT-$pwdLastSet[0]\n";
+ }
+
+}
+
+$ldap->unbind();
+exit 0;
+
diff --git a/examples/LDAP/export_smbpasswd.pl b/examples/LDAP/export_smbpasswd.pl
new file mode 100644
index 0000000000..3f67dc6242
--- /dev/null
+++ b/examples/LDAP/export_smbpasswd.pl
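Review bot: `$ROOTDN` and `$rootpw` are assigned but never used — `Net::LDAP->new($LDAPSERVER)` is followed directly by `$ldap->search`, so the export runs over an anonymous session and only succeeds if `lmpassword`/`ntpassword` (password-equivalent NT hashes) are readable by anonymous clients, which no deployment should allow; the sibling import2_smbpasswd.pl does bind as `$ROOTDN`. Bind before searching and stop on failure: `$mesg = $ldap->bind($ROOTDN, password => $rootpw); die "bind to $LDAPSERVER failed: " . $mesg->error if $mesg->code;`. The search result is also never checked, so a server error or size limit yields a silently truncated smbpasswd file; add `die "search failed: " . $result->error if $result->code;` before the loop. The script also has no `use strict; use warnings;`.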
@@ -0,0 +1,63 @@ +#!/usr/bin/perl +## +## Example script to export ldap entries into an smbpasswd file format +## using the Mozilla PerLDAP module. +## +## writen by jerry@samba.org +## + +use Mozilla::LDAP::Conn; +use Mozilla::LDAP::Entry; + +###################################################### +## Set these values to whatever you need for your site +## + +$DN="ou=people,dc=plainjoe,dc=org"; +$ROOTDN="cn=Manager,dc=plainjoe,dc=org"; +$rootpw = "secret"; +$LDAPSERVER="localhost"; + +## +## end local site variables +###################################################### + + +$conn = new Mozilla::LDAP::Conn ("$LDAPSERVER", "389", $ROOTDN, $rootpw ); +die "Unable to connect to LDAP server $LDAPSERVER" unless $conn; + +print "##\n"; +print "## Autogenerated smbpasswd file via ldapsearch\n"; +print "## from $LDAPSERVER ($DN)\n"; +print "##\n"; + +## scheck for the existence of the posixAccount first +$result = $conn->search ("$DN", "sub", "(objectclass=smbPasswordEntry)"); + + +## loop over the entries we found +while ($result) { + + @uid = $result->getValue("uid"); + @uidNumber = $result->getValue("uidNumber"); + @lm_pw = $result->getValue("lmpassword"); + @nt_pw = $result->getValue("ntpassword"); + @acct = $result->getValue("acctFlags"); + @pwdLastSet = $result->getValue("pwdLastSet"); + + if (($#uid+1) && ($#uidNumber+1)) { + + $lm_pw[0] = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" if (! ($#lm_pw+1)); + $nt_pw[0] = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" if (! ($#nt_pw+1)); + $acct[0] = "[DU ]" if (! ($#acct+1)); + $pwdLastSet[0] = "FFFFFFFF" if (! ($#pwdLastSet+1)); + + print "$uid[0]:$uidNumber[0]:$lm_pw[0]:$nt_pw[0]:$acct[0]:LCT-$pwdLastSet[0]\n"; + } + + $result = $conn->nextEntry(); + +} + +$conn->close(); +exit 0; diff --git a/examples/LDAP/import2_smbpasswd.pl b/examples/LDAP/import2_smbpasswd.pl new file mode 100644 index 0000000000..bf643391a7 --- /dev/null +++ b/examples/LDAP/import2_smbpasswd.pl 
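Review bot: The output of this script is a list of LM/NT hashes, which are password-equivalent, yet neither the code nor its header comment says anything about the mode of the file they end up in — the README's `export_smbpasswd.pl > smbpasswd` lets the shell create that file under the caller's default umask, typically world-readable. Because the shell opens stdout before Perl runs, the script cannot fix this itself; add to the header `## NOTE: the output contains password-equivalent hashes - run with 'umask 077' or chmod 600 the result. This script holds the root DN password in clear and must not be readable by other users.` `new Mozilla::LDAP::Conn (...)` is indirect object syntax; `Mozilla::LDAP::Conn->new(...)` is the unambiguous form. No `use strict; use warnings;` either.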
@@ -0,0 +1,108 @@ +#!/usr/bin/perl +## +## Example script of how you could import a smbpasswd file into an LDAP +## directory using the Mozilla PerLDAP module. +## +## writen by jerry@samba.org +## +## ported to Net::LDAP by dkrovich@slackworks.com + +use Net::LDAP; + +################################################# +## set these to a value appropriate for your site +## + +$DN="dc=samba,dc=my-domain,dc=com"; +$ROOTDN="cn=Manager,dc=my-domain,dc=com"; +$rootpw = "secret"; +$LDAPSERVER="localhost"; + +## +## end local site variables +################################################# + +$ldap = Net::LDAP->new($LDAPSERVER) or die "Unable to connect to LDAP server $LDAPSERVER"; + +## Bind as $ROOTDN so you can do updates +$mesg = $ldap->bind($ROOTDN, password => $rootpw); + +while ( $string = ) { + chop ($string); + + ## Get the account info from the smbpasswd file + @smbentry = split (/:/, $string); + + ## Check for the existence of a system account + @getpwinfo = getpwnam($smbentry[0]); + if (! @getpwinfo ) { + print STDERR "$smbentry[0] does not have a system account... skipping\n"; + next; + } + + ## check and see if account info already exists in LDAP. + $result = $ldap->search ( base => "$DN", + scope => "sub", + filter => "(&(|(objectclass=posixAccount)(objectclass=smbPasswordEntry))(uid=$smbentry[0]))" + ); + + ## If no LDAP entry exists, create one. + if ( $result->count == 0 ) { + $entry = $ldap->add ( dn => "uid=$smbentry[0]\,$DN", + attrs => [ + uid => $smbentry[0], + uidNumber => @getpwinfo[2], + lmPassword => $smbentry[2], + ntPassword => $smbentry[3], + acctFlags => $smbentry[4], + pwdLastSet => substr($smbentry[5],4), + objectclass => [ 'top', 'smbPasswordEntry' ] + ] + ); + print "Adding [uid=" . $smbentry[0] . "," . $DN . "]\n"; + + ## Otherwise, supplement/update the existing entry. + } elsif ($result->count == 1) { + # Put the search results into an entry object + $entry = $result->shift_entry; + + print "Updating [" . $entry->dn . 
"]\n"; + + ## Add the objectclass: smbPasswordEntry attribute if it's not there + @values = $entry->get_value( "objectclass" ); + $flag = 1; + foreach $item (@values) { + if ( lc($item) eq "smbpasswordentry" ) { + print $item . "\n"; + $flag = 0; + } + } + if ( $flag ) { + $entry->add(objectclass => "smbPasswordEntry"); + } + + ## Set the other attribute values + $entry->replace(lmPassword => $smbentry[2], + ntPassword => $smbentry[3], + acctFlags => $smbentry[4], + pwdLastSet => substr($smbentry[5],4) + ); + + ## Apply changes to the LDAP server + $updatemesg = $entry->update($ldap); + if ( $updatemesg->code ) { + print "Error updating $smbentry[0]!\n"; + } + + ## If we get here, the LDAP search returned more than one value + ## which shouldn't happen under normal circumstances. + } else { + print STDERR "LDAP search returned more than one entry for $smbentry[0]... skipping!\n"; + next; + } +} + +$ldap->unbind(); +exit 0; + + diff --git a/examples/LDAP/import_smbpasswd.pl b/examples/LDAP/import_smbpasswd.pl new file mode 100644 index 0000000000..14aeff967f --- /dev/null +++ b/examples/LDAP/import_smbpasswd.pl 
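Review bot: Neither the `bind` nor the `add` result is checked — `$mesg` from `$ldap->bind($ROOTDN, password => $rootpw)` is never inspected, so a wrong `$rootpw` silently continues as an anonymous session, and `$entry = $ldap->add(...)` is followed by an unconditional `print "Adding [...]"` even when the server rejected the entry (the update branch does check `$updatemesg->code`). Add `die "bind failed: " . $mesg->error if $mesg->code;` after the bind and `print STDERR "Error adding $smbentry[0]: " . $entry->error . "\n" if $entry->code;` after the add. `chop ($string)` also strips the last character unconditionally, so a final smbpasswd line without a trailing newline loses a hex digit of its LCT field; `chomp` is the intended call. `uidNumber => @getpwinfo[2]` is a one-element slice where `$getpwinfo[2]` is meant.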
@@ -0,0 +1,65 @@ +#!/usr/bin/perl +## +## Example script of how you could import and smbpasswd file into an LDAP +## directory using the Mozilla PerLDAP module. +## +## writen by jerry@samba.org +## + +use Mozilla::LDAP::Conn; +use Mozilla::LDAP::Entry; + +################################################# +## set these to a value appropriate for your site +## + +$DN="ou=people,dc=plainjoe,dc=org"; +$ROOTDN="cn=Manager,dc=plainjoe,dc=org"; +$rootpw = "secret"; +$LDAPSERVER="localhost"; + +## +## end local site variables +################################################# + +$conn = new Mozilla::LDAP::Conn ("$LDAPSERVER", "389", $ROOTDN, $rootpw ); +die "Unable to connect to LDAP server $LDAPSERVER" unless $conn; + + +while ( $string = ) { + chop ($string); + + ## get the account information + @smbentry = split (/:/, $string); + + ## check for the existence of the posixAccount first + + ## FIXME!! Should do a getownam() and let the NSS modules lookup the account + ## This way you can have a UNIX account in /etc/passwd and the smbpasswd i + ## entry in LDAP. + $result = $conn->search ("$DN", "sub", "(&(uid=$smbentry[0])(objectclass=posixAccount))"); + if ( ! $result ) { + print STDERR "uid=$smbentry[0] does not have a posixAccount entry in the directory!\n"; + next; + } + + print "Updating [" . $result->getDN() . "]\n"; + + ## Do we need to add the 'objectclass: smbPasswordEntry' attribute? + if (! $result->hasValue("objectclass", "smbPasswordEntry")) { + $result->addValue("objectclass", "smbPasswordEntry"); + } + + ## Set other attribute values + $result->setValues ("lmPassword", $smbentry[2]); + $result->setValues ("ntPassword", $smbentry[3]); + $result->setValues ("acctFlags", $smbentry[4]); + $result->setValues ("pwdLastSet", substr($smbentry[5],4)); + + if (! $conn->update($result)) { + print "Error updating!\n"; + } +} + +$conn->close(); +exit 0; diff --git a/examples/LDAP/ldapchpasswd b/examples/LDAP/ldapchpasswd new file mode 100644 index 0000000000..0776d9bed1 
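Review bot: The subtree search `(&(uid=$smbentry[0])(objectclass=posixAccount))` can match more than one entry, and only the first one returned in `$result` is modified, silently, whereas import2_smbpasswd.pl refuses to touch the account unless its search count is exactly 1; check that `$conn->nextEntry()` returns nothing before updating, and skip with a message on STDERR otherwise. `chop ($string)` removes the last character unconditionally, so a last line with no trailing newline loses a digit of its LCT value — use `chomp`. `print "Error updating!\n"` gives no indication of which account failed; include `$smbentry[0]` in the message. As with the other scripts here, `use strict; use warnings;` is missing.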
--- /dev/null +++ b/examples/LDAP/ldapchpasswd 
@@ -0,0 +1,152 @@ +#!/usr/bin/perl -w + +# LDAP to unix password sync script for samba-tng +# originally by Jody Haynes +# 2000/12/12 milos@interactivesi.com +# modified for use with MD5 passwords +# 2000/12/16 mami@arena.sci.univr.it +# modified to change lmpassword and ntpassword for samba +# 2001/01/05 mami@arena.sci.univr.it +# modified for being also a /bin/passwd replacement +# 2001/01/29 mami@arena.sci.univr.it +# now there are two small programs: ldapchpasswd to +# change password from unix and ldapsync.pl to sync +# from NT/2000. ldapchpasswd do not need clear password. +# 2001/01/31 mami@arena.sci.univr.it +# add server parameter to ldap commands +# 2001/06/20 mami@arena.sci.univr.it +# add pwdlastset and shadowlastchange update + +$basedn = "ou=Students,dc=univr, dc=it"; +$binddn = "uid=root,dc=univr,dc=it"; +$scope = "sub"; +$server = "my_server"; + +foreach $arg (@ARGV) { + if ($< != 0) { + die "Only root can specify parameters\n"; + } else { + if ( ($arg eq '-?') || ($arg eq '--help') ) { + print "Usage: $0 [-o] [username]\n"; + print " -o, --without-old-password do not ask for old password (root only)\n"; + print " -?, --help show this help message\n"; + exit (-1); + } elsif ( ($arg eq '-o') || ($arg eq '--without-old-password') ) { + $oldpass = 1; + } elsif (substr($arg,0) ne '-') { + $user = $arg; + if (!defined(getpwnam($user))) { + die "$0: Unknown user name '$user'\n"; ; + } + } + } +} + +if (!defined($user)) { + $user=$ENV{"USER"}; +} + +# current user's dn +my $dn = ''; + +if ($< == 0) { + system "stty -echo"; + print "LDAP password for root DN: "; + chomp($passwd=); + print "\n"; + system "stty echo"; + # Find dn for user $user binding as root's dn + chomp($dn=`ldapsearch -h '$server' -b '$basedn' -s '$scope' -D '$binddn' -w '$passwd' '(uid=$user)'|head -1`); + if ( ($dn eq '') || ($passwd eq '') ) { + print "Wrong LDAP password for root DN!\n"; + exit (-1); + } +} else { + if (!defined($oldpass)) { + system "stty -echo"; + print "Old 
password for user $user: "; + chomp($oldpass=); + print "\n"; + system "stty echo"; + + # Find path to uid + chomp($path_to_uid=`ldapsearch -h '$server' -b '$basedn' -s '$scope' '(uid=$user)'|head -1`); + # Find old password for user $user binding as self + chomp($dn=`ldapsearch -h '$server' -b '$basedn' -s '$scope' -D '$path_to_uid' -w '$oldpass' '(uid=$user)'|head -1`); + + if ( ($dn eq '') || ($oldpass eq '') ) { + print "Wrong password for user $user!\n"; + exit (-1); + } + } +} + +system "stty -echo"; +print "New password for user $user: "; +chomp($pass=); +print "\n"; +system "stty echo"; + +system "stty -echo"; +print "Retype new password for user $user: "; +chomp($pass2=); +print "\n"; +system "stty echo"; + +if ( ($pass ne $pass2) || (length($pass)<1) ) { + die "Wrong password!\n"; +} else { +# MD5 password +$random = join '', ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64, rand 64, rand 64, rand 64, rand 64, rand 64, rand 64]; +$bsalt = "\$1\$"; $esalt = "\$"; +$modsalt = $bsalt.$random.$esalt; +$password = crypt($pass, $modsalt); + +# LanManager and NT clear text passwords +$ntpwd = `/usr/local/sbin/mkntpwd '$pass'`; +chomp($lmpassword = substr($ntpwd, 0, index($ntpwd, ':'))); +chomp($ntpassword = substr($ntpwd, index($ntpwd, ':')+1)); + +#$FILE="|/usr/bin/ldapmodify -h '$server' -D '$binddn' -w $passwd"; +if ($< != 0) { + $FILE="|/usr/bin/ldapmodify -h '$server' -D '$dn' -w '$oldpass'"; +} else { + $FILE="|/usr/bin/ldapmodify -h '$server' -D '$binddn' -w '$passwd'"; +} + +# Chenge time +$shadowlastchange=int(time/24/3600); +$pwdlastset=sprintf('%x',time); + +open FILE or die; + +print FILE < +# 12/12/2000 milos@interactivesi.com +# modified for use with MD5 passwords +# 12/16/2000 mami@arena.sci.univr.it +# modified to change lmpassword and ntpassword for samba +# 05/01/2001 mami@arena.sci.univr.it +# modified for being also a /bin/passwd replacement + +$basedn = "ou=Students,dc=univr, dc=it"; +$binddn = "uid=root,dc=univr,dc=it"; +$scope = 
"sub"; +$passwd = "mysecret"; + +foreach $arg (@ARGV) { + if ($< != 0) { + die "Only root can specify parameters\n"; + } else { + if ( ($arg eq '-?') || ($arg eq '--help') ) { + print "Usage: $0 [-o] [username]\n"; + print " -o, --without-old-password do not ask for old password (root only)\n"; + print " -?, --help show this help message\n"; + exit (-1); + } elsif ( ($arg eq '-o') || ($arg eq '--without-old-password') ) { + $oldpass = 1; + } elsif (substr($arg,0) ne '-') { + $user = $arg; + if (!defined(getpwnam($user))) { + die "$0: Unknown user name '$user'\n"; ; + } + } + } +} + +if (!defined($user)) { + $user=$ENV{"USER"}; +} + +if (!defined($oldpass)) { + system "stty -echo"; + print "Old password for user $user: "; + chomp($oldpass=); + print "\n"; + system "stty echo"; + + $ntpwd = `/usr/local/sbin/smbencrypt '$oldpass'`; + $lmpassword = substr($ntpwd, 0, index($ntpwd, ':')); chomp $lmpassword; + $ntpassword = substr($ntpwd, index($ntpwd, ':')+1); chomp $ntpassword; + + # Find dn for user $user (maybe check unix password too?) 
+ $dn=`ldapsearch -b '$basedn' -s '$scope' '(&(uid=$user)(lmpassword=$lmpassword)(ntpassword=$ntpassword))'|head -1`; + chomp $dn; + + if ($dn eq '') { + print "Wrong password for user $user!\n"; + exit (-1); + } +} else { + # Find dn for user $user + $dn=`ldapsearch -b '$basedn' -s '$scope' '(uid=$user)'|head -1`; + chomp $dn; +} + +system "stty -echo"; +print "New password for user $user: "; +chomp($pass=); +print "\n"; +system "stty echo"; + +system "stty -echo"; +print "Retype new password for user $user: "; +chomp($pass2=); +print "\n"; +system "stty echo"; + +if ($pass ne $pass2) { + die "Wrong password!\n"; +} else { +# MD5 password +$random = join '', ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64, rand 64, rand 64, rand 64, rand 64, rand 64, rand 64]; +$bsalt = "\$1\$"; $esalt = "\$"; +$modsalt = $bsalt.$random.$esalt; +$password = crypt($pass, $modsalt); + +# LanManager and NT clear text passwords +$ntpwd = `/usr/local/sbin/smbencrypt '$pass'`; +chomp($lmpassword = substr($ntpwd, 0, index($ntpwd, ':'))); +chomp($ntpassword = substr($ntpwd, index($ntpwd, ':')+1)); + +$FILE="|/usr/bin/ldapmodify -D '$binddn' -w $passwd"; + +open FILE or die; + +print FILE < Date: Fri, 28 Dec 2001 02:03:36 +0000 Subject: merge from 2.2 (This used to be commit 241b5218ea5ad83ecb02a0f838e84abee0672371) --- examples/LDAP/samba.schema | 1 + 1 file changed, 1 insertion(+) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index 6ab43bcf5a..e8a1a025d2 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema @@ -4,6 +4,7 @@ ## OIDs are owned by the Samba Team ## ## Prerequisite schemas - uid & uidNumber (nis.schema) +## - displayName (inetorgperson.schema) ## ## 1.3.1.5.1.4.1.7165.2.1.x - attributetypes ## 1.3.1.5.1.4.1.7165.2.2.x - objectclasses -- cgit From 8942e906f0b3d02a94a3bd0411d3d11ac4af5873 Mon Sep 17 00:00:00 2001 
From: Gerald Carter Date: Fri, 4 Jan 2002 00:05:23 +0000 Subject: sync with 2.2 (This used to be commit 9e3b432c57747e6fd876c53a576858ef1227ba8e) --- examples/LDAP/samba.schema | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index e8a1a025d2..2a1620345d 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema @@ -101,8 +101,8 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.17 NAME 'smbHome' objectclass ( 1.3.1.5.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL DESC 'Samba Account' - MUST ( uid $ uidNumber ) - MAY ( cn $ gidNumber $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $ + MUST ( uid $ rid ) + MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $ logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $ displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $ - description $ userWorkstations $ rid $ primaryGroupID )) + description $ userWorkstations $ primaryGroupID )) -- cgit From 5f63565f2d7102d227cd69f7d788badad61d6860 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Sun, 6 Jan 2002 23:21:23 +0000 Subject: sync up comments with 2.2 (This used to be commit 3d4adad1501fc02ee0c60c69c01a92bdb16a1711) --- examples/LDAP/samba.schema | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index 2a1620345d..25184495eb 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema @@ -3,7 +3,7 @@ ## Schema for storing Samba's smbpasswd file in LDAP ## OIDs are owned by the Samba Team ## -## Prerequisite schemas - uid & uidNumber (nis.schema) +## Prerequisite schemas - uid (cosine.schema) ## - displayName (inetorgperson.schema) ## ## 1.3.1.5.1.4.1.7165.2.1.x - attributetypes -- cgit From 732f5e8f806fb678d600c7a2a9d75db5a424ab62 Mon Sep 17 00:00:00 2001 
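Review bot: Replacing `uidNumber` with `rid` in MUST (and dropping `gidNumber` from MAY) is a breaking change for directories that already hold sambaAccount entries: an entry without `rid` will fail schema checking the next time it is modified, and nothing in the hunk or in this directory's README (which still says samba.schema relies on uid and uidNumber from nis.schema) warns of the migration. Add a comment above the objectclass such as `## NOTE: rid is now mandatory - populate it on existing entries before loading this schema` and update the README prerequisite sentence to match.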
From: Gerald Carter Date: Mon, 11 Feb 2002 13:49:02 +0000 Subject: fixes from 2,2 (This used to be commit 46bd77a02a47c26c4981472c8cea09e64c2ef4d2) --- examples/LDAP/samba.schema | 86 +++++++++++++++++++++++++++++++--------------- 1 file changed, 59 insertions(+), 27 deletions(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index 25184495eb..0f9ec5faa4 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema @@ -10,6 +10,9 @@ ## 1.3.1.5.1.4.1.7165.2.2.x - objectclasses ## +## +## Password hashes +## attributetype ( 1.3.6.1.4.1.7165.2.1.1 NAME 'lmPassword' DESC 'LanManager Passwd' EQUALITY caseIgnoreIA5Match 
@@ -20,41 +23,50 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.2 NAME 'ntPassword' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) -attributetype ( 1.3.6.1.4.1.7165.2.1.3 NAME 'pwdLastSet' - DESC 'NT pwdLastSet' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) - +## +## Account flags in string format ([UWDX ]) +## attributetype ( 1.3.6.1.4.1.7165.2.1.4 NAME 'acctFlags' DESC 'Account Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE ) +## +## Password timestamps & policies +## +attributetype ( 1.3.6.1.4.1.7165.2.1.3 NAME 'pwdLastSet' + DESC 'NT pwdLastSet' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + attributetype ( 1.3.6.1.4.1.7165.2.1.5 NAME 'logonTime' DESC 'NT logonTime' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributetype ( 1.3.6.1.4.1.7165.2.1.6 NAME 'logoffTime' DESC 'NT logoffTime' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributetype ( 1.3.6.1.4.1.7165.2.1.7 NAME 'kickoffTime' DESC 'NT kickoffTime' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributetype ( 1.3.6.1.4.1.7165.2.1.8 NAME 'pwdCanChange' DESC 'NT pwdCanChange' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributetype ( 1.3.6.1.4.1.7165.2.1.9 NAME 'pwdMustChange' DESC 'NT pwdMustChange' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +## +## string 
settings +## attributetype ( 1.3.6.1.4.1.7165.2.1.10 NAME 'homeDrive' DESC 'NT homeDrive' EQUALITY caseIgnoreIA5Match 
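Review bot: `pwdLastSet`, `logonTime`, `logoffTime`, `kickoffTime`, `pwdCanChange` and `pwdMustChange` change from IA5 strings to `SYNTAX 1.3.6.1.4.1.1466.115.121.1.27` (INTEGER) with `integerMatch`, but the scripts shipped in this directory still write hex: import[2]_smbpasswd.pl store the smbpasswd LCT field as `pwdLastSet => substr($smbentry[5],4)`, ldapchpasswd writes `sprintf('%x',time)`, and the export scripts print `LCT-$pwdLastSet[0]` expecting hex. A value such as `3C2A4B1F` is not valid INTEGER syntax, so a syntax-checking server will reject those modifies once this schema is loaded. Either convert in the scripts (`hex(substr($smbentry[5],4))` on import, `sprintf('%08X', $pwdLastSet[0])` on export) or state in the header comment block that these attributes hold decimal seconds since the epoch and that the example scripts have not been updated.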
@@ -75,34 +87,54 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.13 NAME 'userWorkstations' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE ) +attributetype ( 1.3.6.1.4.1.7165.2.1.17 NAME 'smbHome' + DESC 'smbHome' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.18 NAME 'domain' + DESC 'Windows NT domain to which the user belongs' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} ) + +## +## user and group RID +## attributetype ( 1.3.6.1.4.1.7165.2.1.14 NAME 'rid' DESC 'NT rid' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE ) + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributetype ( 1.3.6.1.4.1.7165.2.1.15 NAME 'primaryGroupID' DESC 'NT Group RID' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE ) - -attributetype ( 1.3.6.1.4.1.7165.2.1.17 NAME 'smbHome' - DESC 'smbHome' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} ) + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) ## ## The smbPasswordEntry objectclass has been depreciated in favor of the ## sambaAccount objectclass ## -#objectclass ( 1.3.1.5.1.4.1.7165.2.2.1 NAME 'smbPasswordEntry' SUP top AUXILIARY +#objectclass ( 1.3.6.1.4.1.7165.2.2.1 NAME 'smbPasswordEntry' SUP top AUXILIARY # DESC 'Samba smbpasswd entry' # MUST ( uid $ uidNumber ) # MAY ( lmPassword $ ntPassword $ pwdLastSet $ acctFlags )) -objectclass ( 1.3.1.5.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL +objectclass ( 1.3.6.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL DESC 'Samba Account' MUST ( uid $ rid ) MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $ logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $ displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $ - description $ userWorkstations $ primaryGroupID 
)) + description $ userWorkstations $ primaryGroupID $ domain )) + +## +## Used for Winbind experimentation +## +objectclass ( 1.3.6.1.4.1.7165.1.2.2.3 NAME 'uidPool' SUP top AUXILIARY + DESC 'Pool for allocating UNIX uids' + MUST ( uidNumber $ cn ) ) + +objectclass ( 1.3.6.1.4.1.7165.1.2.2.4 NAME 'gidPool' SUP top AUXILIARY + DESC 'Pool for allocating UNIX gids' + MUST ( gidNumber $ cn ) ) + -- cgit From 72f4d55453b4349f6fcaef1d1900cf946dc8c64b Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 11 Feb 2002 13:57:44 +0000 Subject: merge from 2.2 (This used to be commit bb574aab8f3f4ac2f7ae919790481a419f8173cb) --- examples/LDAP/samba.schema | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index 0f9ec5faa4..be088c7403 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema @@ -6,8 +6,8 @@ ## Prerequisite schemas - uid (cosine.schema) ## - displayName (inetorgperson.schema) ## -## 1.3.1.5.1.4.1.7165.2.1.x - attributetypes -## 1.3.1.5.1.4.1.7165.2.2.x - objectclasses +## 1.3.6.1.4.1.7165.2.1.x - attributetypes +## 1.3.6.1.4.1.7165.2.2.x - objectclasses ## ## -- cgit From 7a959e81d42bdff1269589b7d17a12ab0b3243be Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 8 May 2002 15:37:14 +0000 Subject: merging some changes from SAMBA_2_2 (This used to be commit e8ede079b5af4187573f1b8ed0d94b6f03cbbd22) --- examples/LDAP/samba-schema-netscapeds4.x | 54 +++++++++++++++++++++++ examples/LDAP/samba-schema-netscapeds5.x | 74 ++++++++++++++++++++++++++++++++ examples/LDAP/samba-schema.IBMSecureWay | 43 +++++++++++++++++++ 3 files changed, 171 insertions(+) create mode 100644 examples/LDAP/samba-schema-netscapeds4.x create mode 100644 examples/LDAP/samba-schema-netscapeds5.x create mode 100644 examples/LDAP/samba-schema.IBMSecureWay (limited to 'examples/LDAP') 
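Review bot: The two new classes `uidPool` and `gidPool` are registered at `1.3.6.1.4.1.7165.1.2.2.3` and `.4`, an arc with an extra `.1` that matches neither the `1.3.6.1.4.1.7165.2.2.x - objectclasses` scheme declared in the file header nor `sambaAccount` (`...7165.2.2.2`) just above; unless that arc is deliberately separate, `1.3.6.1.4.1.7165.2.2.3`/`.4` is what the header promises, and the header comment should say which is intended. Commenting out `smbPasswordEntry` (`depreciated` should read `deprecated`) also silently breaks the scripts beside this file: import[2]_smbpasswd.pl still add `objectclass => [ 'top', 'smbPasswordEntry' ]` and the export scripts filter on `(objectclass=smbPasswordEntry)`, so with this schema loaded imports fail with an objectclass violation and exports come back empty. Add a sentence to that comment block pointing users at sambaAccount and noting that the example scripts have not been converted.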
diff --git a/examples/LDAP/samba-schema-netscapeds4.x b/examples/LDAP/samba-schema-netscapeds4.x
new file mode 100644
index 0000000000..c5a11b8b66
--- /dev/null
+++ b/examples/LDAP/samba-schema-netscapeds4.x
@@ -0,0 +1,54 @@
+#
+# LDAP Schema file for SAMBA attribute storage
+# This file is suitable for usage with Netscape Directory Server 4.1x
+# Adapted by Scott Lawson with help from Ron Creamer
+#
+
+attribute lmPassword 1.3.6.1.4.1.7165.2.1.1 cis single
+attribute ntPassword 1.3.6.1.4.1.7165.2.1.2 cis single
+attribute acctFlags 1.3.6.1.4.1.7165.2.1.4 cis single
+attribute pwdLastSet 1.3.6.1.4.1.7165.2.1.3 int single
+attribute logonTime 1.3.6.1.4.1.7165.2.1.5 int single
+attribute logoffTime 1.3.6.1.4.1.7165.2.1.6 int single
+attribute kickoffTime 1.3.6.1.4.1.7165.2.1.7 int single
+attribute pwdCanChange 1.3.6.1.4.1.7165.2.1.8 int single
+attribute pwdMustChange 1.3.6.1.4.1.7165.2.1.9 int single
+attribute homedrive 1.3.6.1.4.1.7165.2.1.10 cis single
+attribute scriptPath 1.3.6.1.4.1.7165.2.1.11 cis single
+attribute profilePath 1.3.6.1.4.1.7165.2.1.12 cis single
+attribute userWorkstations 1.3.6.1.4.1.7165.2.1.13 cis single
+attribute rid 1.3.6.1.4.1.7165.2.1.14 int single
+attribute primaryGroupID 1.3.6.1.4.1.7165.2.1.15 int single
+attribute smbHome 1.3.6.1.4.1.7165.2.1.17 cis single
+attribute domain 1.3.6.1.4.1.7165.2.1.18 cis single
+
+objectclass sambaAccount
+ oid
+ 1.3.1.5.1.4.1.7165.2.2.2
+ superior
+ top
+ requires
+ objectClass,
+ uid,
+ rid
+ allows
+ cn,
+ lmPassword,
+ ntPassword,
+ pwdLastSet,
+ logonTime,
+ logoffTime,
+ KickoffTime,
+ pwdCanChange,
+ pwdMustChange,
+ acctFlags,
+ displayName,
+ smbHome,
+ homeDrive,
+ scriptPath,
+ profilePath,
+ description,
+ userWorkstations,
+ primaryGroupID,
+ domain
+
diff --git a/examples/LDAP/samba-schema-netscapeds5.x b/examples/LDAP/samba-schema-netscapeds5.x
new file mode 100644
index 0000000000..0abc9d82e2
--- /dev/null
+++ b/examples/LDAP/samba-schema-netscapeds5.x
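Review bot: The `sambaAccount` objectclass is registered under `oid 1.3.1.5.1.4.1.7165.2.2.2`, while every `attribute` line in the same file uses the Samba arc `1.3.6.1.4.1.7165.2.1.x`; `1.3.1.5...` is the transposed prefix that the OpenLDAP samba.schema on this page corrected in February 2002, so this file reintroduces it, and any tooling that matches classes by OID will treat the Netscape and OpenLDAP definitions as different classes. Change the line to `1.3.6.1.4.1.7165.2.2.2`. `KickoffTime` in the `allows` list also differs in case from the `attribute kickoffTime` definition above; schema names are normally matched case-insensitively, but the two spellings should agree so the file diffs cleanly against samba.schema.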
@@ -0,0 +1,74 @@ +## +## submitted by Martin.Dehn@comparex.de +## +## Experiement sambaAccount schema file Netscape DS 5.0 +## +## INSTALL-DIRECTORY/slapd-your_name/config/schema/samba-schema-netscapeds5.ldif +## +dn: cn=schema +objectClass: top +objectClass: ldapSubentry +objectClass: subschema +cn: schema +aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo + us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";) +aci: (targetattr = "*")(version 3.0; acl "Configuration Administrator"; allow + (all) userdn = "ldap:///uid=admin,ou=Administrators, ou=TopologyManagement, + o=NetscapeRoot";) +aci: (targetattr = "*")(version 3.0; acl "Local Directory Administrators Group + "; allow (all) groupdn = "ldap:///cn=Directory Administrators, dc=samba,dc=org";) +aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)groupdn = "ld + ap:///cn=slapd-sambaldap, cn=iPlanet Directory Server, cn=Server Group, cn=iPlanetDirectory.samba.org, ou=samba.org, o=NetscapeRoot";) +modifiersName: cn=directory manager +modifyTimestamp: 20020322124844Z +objectClasses: ( 1.3.1.5.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTUR + AL MAY ( acctFlags $ domain $ homeDrive $ kickoffTime $ lmPassword $ logofft + ime $ logonTime $ ntPassword $ primaryGroupID $ profilePath $ pwdCanChange $ + pwdLastSet $ pwdMustChange $ rid $ scriptPath $ smbHome $ userWorkstations + ) X-ORIGIN 'user defined' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.11 NAME 'scriptPath' DESC 'NT script pa + th' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined + ' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.5 NAME 'logonTime' DESC 'NT logon time' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.12 NAME 'profilePath' DESC 'NT profile + path' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defin + ed' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.8 NAME 'pwdCanChange' DESC 'NT 
passwd c + an change' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user + defined' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.17 NAME 'smbHome' DESC 'smbHome' SYNTAX + 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.3 NAME 'pwdLastSet' SYNTAX 1.3.6.1.4.1 + .1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.18 NAME 'domain' DESC 'Windows NT domai + n Samba' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user de + fined' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.10 NAME 'homeDrive' DESC 'NT home drive + ' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' + ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.6 NAME 'logofftime' DESC 'logoff Time' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.15 NAME 'primaryGroupID' DESC 'NT Group + RID' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defin + ed' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.1 NAME 'lmPassword' DESC 'LanManager Pa + sswd' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defin + ed' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.9 NAME 'pwdMustChange' DESC 'NT pwdmust + chnage' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user def + ined' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.4 NAME 'acctFlags' DESC 'Account Flags' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.13 NAME 'userWorkstations' DESC 'userWo + rkstations' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user + defined' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.7 NAME 'kickoffTime' DESC 'NT kickoff T + ime' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user define + d' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.14 NAME 'rid' DESC 'rid' SYNTAX 1.3.6.1 + .4.1.1466.115.121.1.27 SINGLE-VALUE 
X-ORIGIN 'user defined' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.2 NAME 'ntPassword' DESC 'NT Passwd' SY + NTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' ) +nsSchemaCSN: 3c9b282c000000000000 + diff --git a/examples/LDAP/samba-schema.IBMSecureWay b/examples/LDAP/samba-schema.IBMSecureWay new file mode 100644 index 0000000000..1fca4a749a --- /dev/null +++ b/examples/LDAP/samba-schema.IBMSecureWay 
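Review bot: The `objectClasses:` value carries the OID `1.3.1.5.1.4.1.7165.2.2.2` while every `attributeTypes:` value below it is under `1.3.6.1.4.1.7165.2.1.x`; the objectclass should be `1.3.6.1.4.1.7165.2.2.2`. More seriously, the LDIF includes the submitter's own server state: four `aci:` values naming `dc=samba,dc=org`, `cn=slapd-sambaldap` and `cn=iPlanetDirectory.samba.org`, plus `modifiersName`, `modifyTimestamp` and `nsSchemaCSN`. Loaded as-is into cn=schema, those ACIs would grant `(all)` on the target server's schema to whatever entries happen to sit at those DNs there, so they should be stripped, leaving only the `objectClasses:` and `attributeTypes:` lines, with a comment such as `## Add the definitions below to cn=schema; do not import the aci/operational attributes`. Note also that this variant of sambaAccount has no MUST list and omits cn, description and displayName that the other schema files allow — presumably deliberate, but worth stating.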
@@ -0,0 +1,43 @@ +## +## Submitted by Dirk Kastens +## +## I translated the samba.schema to be used with IBM +## SecureWay directoy server 3.2.2. You have to load +## it in your slapd32.conf with: +## +## dn: cn=IBM SecureWay, cn=Schemas, cn=Configuration +## cn: IBM SecureWay +## ibm-slapdIncludeSchema: /etc/lapschema/samba.schema +## +objectClasses { +( 1.3.1.5.1.4.1.7165.2.2.2 NAME 'sambaAccount' DESC 'Samba Account' SUP top MUST uid $ rid MAY ( acctFlags $ cn $ description $ displayName $ homeDrive $ kickoffTime $ lmPassword $ logoffTime $ logonTime $ ntPassword $ primaryGroupID $ profilePath $ pwdCanChange $ pwdLastSet $ pwdMustChange $ scriptPath $ smbHome $ userWorkstations ) ) +} + +attributeTypes { +( 1.3.6.1.4.1.7165.2.1.1 NAME 'lmPassword' DESC 'LanManager Passwd' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) +( 1.3.6.1.4.1.7165.2.1.10 NAME 'homeDrive' DESC 'NT homeDrive' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE ) +( 1.3.6.1.4.1.7165.2.1.11 NAME 'scriptPath' DESC 'NT scriptPath' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE ) +( 1.3.6.1.4.1.7165.2.1.12 NAME 'profilePath' DESC 'NT profilePath' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE ) +( 1.3.6.1.4.1.7165.2.1.13 NAME 'userWorkstations' DESC 'userWorkstations' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE ) +( 1.3.6.1.4.1.7165.2.1.14 NAME 'rid' DESC 'NT rid' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE ) +( 1.3.6.1.4.1.7165.2.1.15 NAME 'primaryGroupID' DESC 'NT Group RID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE ) +( 1.3.6.1.4.1.7165.2.1.17 NAME 'smbHome' DESC 'smbHome' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} ) +( 1.3.6.1.4.1.7165.2.1.2 NAME 'ntPassword' DESC 'NT Passwd' EQUALITY caseIgnoreIA5Match SYNTAX 
1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) +( 1.3.6.1.4.1.7165.2.1.3 NAME 'pwdLastSet' DESC 'NT pwdLastSet' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) +( 1.3.6.1.4.1.7165.2.1.4 NAME 'acctFlags' DESC 'Account Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE ) +( 1.3.6.1.4.1.7165.2.1.5 NAME 'logonTime' DESC 'NT logonTime' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) +( 1.3.6.1.4.1.7165.2.1.6 NAME 'logoffTime' DESC 'NT logoffTime' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) +( 1.3.6.1.4.1.7165.2.1.7 NAME 'kickoffTime' DESC 'NT kickoffTime' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) +( 1.3.6.1.4.1.7165.2.1.8 NAME 'pwdCanChange' DESC 'NT pwdCanChange' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) +( 1.3.6.1.4.1.7165.2.1.9 NAME 'pwdMustChange' DESC 'NT pwdMustChange' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) +} + +IBMattributeTypes { +} + +ldapSyntaxes { +} + +matchingRules { +} + -- cgit From 21d26afb2af6ae34219a4286eb7a8896d7e04a3a Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 17 Aug 2002 14:15:33 +0000 Subject: sync 3_0 branch with HEAD (This used to be commit 19ab776bf9c91cf4e56887fd7a63d3253b7e36ef) --- examples/LDAP/samba.schema | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index be088c7403..61dface0a2 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema 
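Review bot: The sambaAccount OID in `objectClasses`, `1.3.1.5.1.4.1.7165.2.2.2`, is off the Samba arc that every attribute in `attributeTypes` uses and should be `1.3.6.1.4.1.7165.2.2.2`. The attribute OIDs are shared with samba.schema, yet here `rid` (2.1.14) and `primaryGroupID` (2.1.15) are IA5 strings with `caseIgnoreIA5Match`, whereas the samba.schema hunks on this page give `primaryGroupID` `EQUALITY integerMatch` with Integer syntax; one OID with two syntaxes is likely to bite anyone migrating or replicating between the two servers, so these should use `SYNTAX 1.3.6.1.4.1.1466.115.121.1.27` here as well. `smbHome` is also the only attribute declared without `SINGLE-VALUE`, unlike the other variants.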
@@ -119,8 +119,20 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.15 NAME 'primaryGroupID' # MUST ( uid $ uidNumber ) # MAY ( lmPassword $ ntPassword $ pwdLastSet $ acctFlags )) -objectclass ( 1.3.6.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL - DESC 'Samba Account' +#objectclass ( 1.3.6.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL +# DESC 'Samba Account' +# MUST ( uid $ rid ) +# MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $ +# logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $ +# displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $ +# description $ userWorkstations $ primaryGroupID $ domain )) + +## The X.500 data model (and therefore LDAPv3) says that each entry can +## only have one structural objectclass. OpenLDAP 2.0 does not enforce +## this currently but will in v2.1 + +objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY + DESC 'Samba Auxilary Account' MUST ( uid $ rid ) MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $ logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $ -- cgit From 52457e109308c6204858b3483fd16171b89ebaee Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 6 Jan 2003 17:57:52 +0000 Subject: removed idpool from schema file (experimental) to remove the dependency on nis.schema. add $(LDFLAGS) to libsmbclient build (This used to be commit cd16064784a5e5fd9d2a67d4dfba605f7d8046ac) --- examples/LDAP/samba.schema | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index 61dface0a2..f71c344e06 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema 
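Review bot: Reusing the name `sambaAccount` for a new AUXILIARY class under a new OID (2.2.3) means entries that had the old STRUCTURAL 2.2.2 class as their only structural class are left with none once a server enforces the one-structural-class rule the new comment describes; the comment should say what administrators must do, e.g. `## Existing entries must also carry a STRUCTURAL class (e.g. posixAccount or person) now that sambaAccount is AUXILIARY.` The DESC also has a typo and should read `DESC 'Samba Auxiliary Account'`. The objectclass body continues past the end of the hunk.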
@@ -142,11 +142,11 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY ## ## Used for Winbind experimentation ## -objectclass ( 1.3.6.1.4.1.7165.1.2.2.3 NAME 'uidPool' SUP top AUXILIARY - DESC 'Pool for allocating UNIX uids' - MUST ( uidNumber $ cn ) ) +#objectclass ( 1.3.6.1.4.1.7165.1.2.2.3 NAME 'uidPool' SUP top AUXILIARY +# DESC 'Pool for allocating UNIX uids' +# MUST ( uidNumber $ cn ) ) -objectclass ( 1.3.6.1.4.1.7165.1.2.2.4 NAME 'gidPool' SUP top AUXILIARY - DESC 'Pool for allocating UNIX gids' - MUST ( gidNumber $ cn ) ) +#objectclass ( 1.3.6.1.4.1.7165.1.2.2.4 NAME 'gidPool' SUP top AUXILIARY +# DESC 'Pool for allocating UNIX gids' +# MUST ( gidNumber $ cn ) ) -- cgit From 210cb79d29fcf8e01b538b6af4dee430f9032882 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 22 Jan 2003 23:49:54 +0000 Subject: Minor merges from HEAD. (This used to be commit 902a1dc1d5f74ce94496d03327c07416bc2061be) --- examples/LDAP/README | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/README b/examples/LDAP/README index 281a66e65a..42cf4ff33a 100644 --- a/examples/LDAP/README +++ b/examples/LDAP/README @@ -5,7 +5,7 @@ !== This is a quick and dirty means of storing smbpasswd entries -in smbpasswd. Samba 2.2.x does not have any ability to grab +in LDAP. Samba 2.2.x does not have any ability to grab this information directly from LDAP so you will need to periodically generate an smbpasswd from an ldapsearch "(objectclass=smbPasswordEntry)". -- cgit From 7679811afb35c047f00f2c3b04602ac01d2db041 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 19 Mar 2003 09:43:23 +0000 Subject: Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f) --- examples/LDAP/samba.schema | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) (limited to 'examples/LDAP') 
diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index f71c344e06..71689237e8 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema @@ -110,6 +110,19 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.15 NAME 'primaryGroupID' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +## +## group mapping attributes +## +attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'ntGroupType' + DESC 'NT Group Type' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'ntSid' + DESC 'Security ID' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) + ## ## The smbPasswordEntry objectclass has been depreciated in favor of the ## sambaAccount objectclass @@ -139,6 +152,18 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $ description $ userWorkstations $ primaryGroupID $ domain )) +############################################################################ +## +## Please note that this schema is really experimental and might +## change before the 3.0 release. +## +############################################################################ + +objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY + DESC 'Samba Group Mapping' + MUST ( gidNumber $ ntSid $ ntGroupType ) + MAY ( displayName $ description )) + ## ## Used for Winbind experimentation ## -- cgit From 878f9147bf0552fb06cf55b6c0122c893ee21c8e Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 27 Mar 2003 14:25:30 +0000 Subject: Fix schema error not detected by OpenLDAP 2.0.23 but by 2.1.16. Volker (This used to be commit 5acb9f421c149126370e79d66d3d9ace6be9a695) --- examples/LDAP/samba.schema | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'examples/LDAP') 
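Review bot: `sambaGroupMapping` places `gidNumber` in MUST, which reintroduces the dependency on nis.schema (RFC2307) that the commit removing uidPool/gidPool was made to drop; the `## Prerequisite schemas` header at the top of this file lists only cosine and inetorgperson and should gain a line such as `##                      - gidNumber (nis.schema)`. In the first hunk `ntGroupType` pairs `EQUALITY caseIgnoreIA5Match` with the Integer syntax `1.3.6.1.4.1.1466.115.121.1.27`, which stricter slapd releases reject; it needs `EQUALITY integerMatch`. The "really experimental" banner is useful, but it would be more actionable if it named the OIDs that may still change (2.1.19, 2.1.20, 2.2.4) so deployers know which entries to expect to re-create.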
diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index 71689237e8..e801e0b847 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema @@ -115,7 +115,7 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.15 NAME 'primaryGroupID' ## attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'ntGroupType' DESC 'NT Group Type' - EQUALITY caseIgnoreIA5Match + EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'ntSid' -- cgit From a53c63f99e2ada1f172c8e942af2666d8862fa49 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 18 Apr 2003 22:19:04 +0000 Subject: uidPool and gidPool don't use cn anymore (but we don't use thsi anyways) (This used to be commit 7f0fd03f699f24094e32a92dbb0ec55d9a602c36) --- examples/LDAP/samba.schema | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index e801e0b847..b95fbeb8ff 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema @@ -169,9 +169,9 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY ## #objectclass ( 1.3.6.1.4.1.7165.1.2.2.3 NAME 'uidPool' SUP top AUXILIARY # DESC 'Pool for allocating UNIX uids' -# MUST ( uidNumber $ cn ) ) +# MUST ( uidNumber ) ) #objectclass ( 1.3.6.1.4.1.7165.1.2.2.4 NAME 'gidPool' SUP top AUXILIARY # DESC 'Pool for allocating UNIX gids' -# MUST ( gidNumber $ cn ) ) +# MUST ( gidNumber ) ) -- cgit From 49530d0db5a509951c66b73aaf2aa101caf6117b Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Mon, 28 Apr 2003 10:20:55 +0000 Subject: A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14) --- examples/LDAP/samba.schema | 39 ++++++++++++++++++++++++++++++++++----- 1 file changed, 34 insertions(+), 5 deletions(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index b95fbeb8ff..f9475f07ea 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema @@ -110,6 +110,15 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.15 NAME 'primaryGroupID' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +## +## SID, of any type +## + +attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'ntSid' + DESC 'Security ID' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) + ## ## group mapping attributes ## 
@@ -118,10 +127,19 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'ntGroupType' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'ntSid' - DESC 'Security ID' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) +## +## Store info on the domain +## + +attributetype ( 1.3.6.1.4.1.7165.2.1.21 NAME 'nextUserRid' + DESC 'Next NT rid to give our for users' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'nextGroupRid' + DESC 'Next NT rid to give out for groups' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) ## ## The smbPasswordEntry objectclass has been depreciated in favor of the @@ -146,7 +164,7 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'ntSid' objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY DESC 'Samba Auxilary Account' - MUST ( uid $ rid ) + MUST ( uid $ ntSid ) MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $ logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $ displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $ @@ -159,6 +177,17 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY ## ############################################################################ +## +## Whole-of-domain info +## + +objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL + DESC 'Samba Domain Information' + MUST ( domain $ nextGroupRid $ nextUserRid $ ntSid)) + +## +## Group mapping info +## objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY DESC 'Samba Group Mapping' MUST ( gidNumber $ ntSid $ ntGroupType ) -- cgit From c37cc212c8aab591e725e73d4137f1742ac63d21 Mon Sep 17 00:00:00 2001 
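Review bot: `MUST ( uid $ ntSid )` drops `rid` from sambaAccount altogether instead of moving it to MAY, so every existing entry that carries `rid` (including those written by the example import script in this directory) becomes schema-invalid as soon as this file is loaded, and the ldapsam_compat path mentioned in the commit message has no matching class here; either keep `rid` in MAY or ship the previous definition under a second name. `nextUserRid` and `nextGroupRid` are read-then-write counters; unless the consumer bumps them with a single modify that deletes the old value and adds the new one, two servers sharing the directory can hand out the same RID, which is worth a schema comment since duplicate SIDs are a security problem. `sambaDomain` is STRUCTURAL with no MAY, so it cannot carry `cn` or `description`. The DESC on `nextUserRid` also has a typo: `DESC 'Next NT rid to give out for users'`.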
From: Gerald Carter Date: Fri, 9 May 2003 21:51:57 +0000 Subject: syncing import/export smbpasswd file scripts from 2.2 (This used to be commit ee1374cabf38c3d99e66a45316e232d1c2cfbe6a) --- examples/LDAP/export2_smbpasswd.pl | 64 ------------------- examples/LDAP/export_smbpasswd.pl | 51 ++++++++-------- examples/LDAP/import2_smbpasswd.pl | 108 -------------------------------- examples/LDAP/import_smbpasswd.pl | 122 ++++++++++++++++++++++++++----------- 4 files changed, 114 insertions(+), 231 deletions(-) delete mode 100644 examples/LDAP/export2_smbpasswd.pl delete mode 100644 examples/LDAP/import2_smbpasswd.pl (limited to 'examples/LDAP') diff --git a/examples/LDAP/export2_smbpasswd.pl b/examples/LDAP/export2_smbpasswd.pl deleted file mode 100644 index 90f5805e55..0000000000 --- a/examples/LDAP/export2_smbpasswd.pl +++ /dev/null 
@@ -1,64 +0,0 @@ -#!/usr/bin/perl -## -## Example script to export ldap entries into an smbpasswd file format -## using the Mozilla PerLDAP module. -## -## writen by jerry@samba.org -## -## ported to Net::LDAP by dkrovich@slackworks.com - -use Net::LDAP; - -###################################################### -## Set these values to whatever you need for your site -## - -$DN="dc=samba,dc=my-domain,dc=com"; -$ROOTDN="cn=Manager,dc=my-domain,dc=com"; -$rootpw = "secret"; -$LDAPSERVER="localhost"; - -## -## end local site variables -###################################################### - -$ldap = Net::LDAP->new($LDAPSERVER) or die "Unable to connect to LDAP server $LDAPSERVER"; - -print "##\n"; -print "## Autogenerated smbpasswd file via ldapsearch\n"; -print "## from $LDAPSERVER ($DN)\n"; -print "##\n"; - -## scheck for the existence of the posixAccount first -$result = $ldap->search ( base => "$DN", - scope => "sub", - filter => "(objectclass=smbpasswordentry)" - ); - - - -## loop over the entries we found -while ( $entry = $result->shift_entry() ) { - - @uid = $entry->get_value("uid"); - @uidNumber = $entry->get_value("uidNumber"); - @lm_pw = $entry->get_value("lmpassword"); - @nt_pw = $entry->get_value("ntpassword"); - @acct = $entry->get_value("acctFlags"); - @pwdLastSet = $entry->get_value("pwdLastSet"); - - if (($#uid+1) && ($#uidNumber+1)) { - - $lm_pw[0] = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" if (! ($#lm_pw+1)); - $nt_pw[0] = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" if (! ($#nt_pw+1)); - $acct[0] = "[DU ]" if (! ($#acct+1)); - $pwdLastSet[0] = "FFFFFFFF" if (! ($#pwdLastSet+1)); - - print "$uid[0]:$uidNumber[0]:$lm_pw[0]:$nt_pw[0]:$acct[0]:LCT-$pwdLastSet[0]\n"; - } - -} - -$ldap->unbind(); -exit 0; - diff --git a/examples/LDAP/export_smbpasswd.pl b/examples/LDAP/export_smbpasswd.pl index 3f67dc6242..e4f120bf02 100644 --- a/examples/LDAP/export_smbpasswd.pl +++ b/examples/LDAP/export_smbpasswd.pl 
@@ -5,16 +5,16 @@ ## ## writen by jerry@samba.org ## +## ported to Net::LDAP by dkrovich@slackworks.com -use Mozilla::LDAP::Conn; -use Mozilla::LDAP::Entry; +use Net::LDAP; ###################################################### ## Set these values to whatever you need for your site ## -$DN="ou=people,dc=plainjoe,dc=org"; -$ROOTDN="cn=Manager,dc=plainjoe,dc=org"; +$DN="dc=samba,dc=my-domain,dc=com"; +$ROOTDN="cn=Manager,dc=my-domain,dc=com"; $rootpw = "secret"; $LDAPSERVER="localhost"; @@ -22,9 +22,7 @@ $LDAPSERVER="localhost"; ## end local site variables ###################################################### - -$conn = new Mozilla::LDAP::Conn ("$LDAPSERVER", "389", $ROOTDN, $rootpw ); -die "Unable to connect to LDAP server $LDAPSERVER" unless $conn; +$ldap = Net::LDAP->new($LDAPSERVER) or die "Unable to connect to LDAP server $LDAPSERVER"; print "##\n"; print "## Autogenerated smbpasswd file via ldapsearch\n"; 
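Review bot: `Net::LDAP->new($LDAPSERVER)` replaces a connection that bound as `$ROOTDN` with `$rootpw`, but no `bind` follows anywhere in the script, so the search now runs anonymously and `$ROOTDN`/`$rootpw` are dead settings; add `my $mesg = $ldap->bind($ROOTDN, password => $rootpw); die "bind: " . $mesg->error if $mesg->code;` after the connect. If an anonymous search does return lmPassword/ntPassword values, the directory's ACLs are exposing password-equivalent hashes to anyone who can reach port 389 and should be tightened. The connection is also cleartext unless `$LDAPSERVER` is an ldaps:// URI, so a `$ldap->start_tls()` call, or at least a comment recommending it, would keep the bind password and the hashes off the wire. The script still lacks `use strict; use warnings;`.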
@@ -32,32 +30,35 @@ print "## from $LDAPSERVER ($DN)\n"; print "##\n"; ## scheck for the existence of the posixAccount first -$result = $conn->search ("$DN", "sub", "(objectclass=smbPasswordEntry)"); - - +$result = $ldap->search ( base => "$DN", + scope => "sub", + filter => "(objectclass=sambaAccount)" + ); + + + ## loop over the entries we found -while ($result) { - - @uid = $result->getValue("uid"); - @uidNumber = $result->getValue("uidNumber"); - @lm_pw = $result->getValue("lmpassword"); - @nt_pw = $result->getValue("ntpassword"); - @acct = $result->getValue("acctFlags"); - @pwdLastSet = $result->getValue("pwdLastSet"); - +while ( $entry = $result->shift_entry() ) { + + @uid = $entry->get_value("uid"); + @uidNumber = $entry->get_value("uidNumber"); + @lm_pw = $entry->get_value("lmpassword"); + @nt_pw = $entry->get_value("ntpassword"); + @acct = $entry->get_value("acctFlags"); + @pwdLastSet = $entry->get_value("pwdLastSet"); + if (($#uid+1) && ($#uidNumber+1)) { - + $lm_pw[0] = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" if (! ($#lm_pw+1)); $nt_pw[0] = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" if (! ($#nt_pw+1)); $acct[0] = "[DU ]" if (! ($#acct+1)); $pwdLastSet[0] = "FFFFFFFF" if (! ($#pwdLastSet+1)); - + print "$uid[0]:$uidNumber[0]:$lm_pw[0]:$nt_pw[0]:$acct[0]:LCT-$pwdLastSet[0]\n"; } - - $result = $conn->nextEntry(); - + } -$conn->close(); +$ldap->unbind(); exit 0; + diff --git a/examples/LDAP/import2_smbpasswd.pl b/examples/LDAP/import2_smbpasswd.pl deleted file mode 100644 index bf643391a7..0000000000 --- a/examples/LDAP/import2_smbpasswd.pl +++ /dev/null 
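Review bot: `$result` from the search is consumed without checking `$result->code`, so a failed or size-limited search (the README in this directory warns about server search limits) silently yields a truncated smbpasswd file that would lock out the users who were cut off; add `die "search: " . $result->error if $result->code;` before the `while` loop. The LM/NT values are printed as-is, so an attribute that is not 32 hex characters produces an smbpasswd line Samba cannot parse; a guard like `next unless $lm_pw[0] =~ /^[0-9A-Fa-f]{32}$/ && $nt_pw[0] =~ /^[0-9A-Fa-f]{32}$/;` keeps the output well-formed. Apart from those checks the hunk is a faithful port of the Mozilla loop.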
@@ -1,108 +0,0 @@ -#!/usr/bin/perl -## -## Example script of how you could import a smbpasswd file into an LDAP -## directory using the Mozilla PerLDAP module. -## -## writen by jerry@samba.org -## -## ported to Net::LDAP by dkrovich@slackworks.com - -use Net::LDAP; - -################################################# -## set these to a value appropriate for your site -## - -$DN="dc=samba,dc=my-domain,dc=com"; -$ROOTDN="cn=Manager,dc=my-domain,dc=com"; -$rootpw = "secret"; -$LDAPSERVER="localhost"; - -## -## end local site variables -################################################# - -$ldap = Net::LDAP->new($LDAPSERVER) or die "Unable to connect to LDAP server $LDAPSERVER"; - -## Bind as $ROOTDN so you can do updates -$mesg = $ldap->bind($ROOTDN, password => $rootpw); - -while ( $string = ) { - chop ($string); - - ## Get the account info from the smbpasswd file - @smbentry = split (/:/, $string); - - ## Check for the existence of a system account - @getpwinfo = getpwnam($smbentry[0]); - if (! @getpwinfo ) { - print STDERR "$smbentry[0] does not have a system account... skipping\n"; - next; - } - - ## check and see if account info already exists in LDAP. - $result = $ldap->search ( base => "$DN", - scope => "sub", - filter => "(&(|(objectclass=posixAccount)(objectclass=smbPasswordEntry))(uid=$smbentry[0]))" - ); - - ## If no LDAP entry exists, create one. - if ( $result->count == 0 ) { - $entry = $ldap->add ( dn => "uid=$smbentry[0]\,$DN", - attrs => [ - uid => $smbentry[0], - uidNumber => @getpwinfo[2], - lmPassword => $smbentry[2], - ntPassword => $smbentry[3], - acctFlags => $smbentry[4], - pwdLastSet => substr($smbentry[5],4), - objectclass => [ 'top', 'smbPasswordEntry' ] - ] - ); - print "Adding [uid=" . $smbentry[0] . "," . $DN . "]\n"; - - ## Otherwise, supplement/update the existing entry. - } elsif ($result->count == 1) { - # Put the search results into an entry object - $entry = $result->shift_entry; - - print "Updating [" . $entry->dn . 
"]\n"; - - ## Add the objectclass: smbPasswordEntry attribute if it's not there - @values = $entry->get_value( "objectclass" ); - $flag = 1; - foreach $item (@values) { - if ( lc($item) eq "smbpasswordentry" ) { - print $item . "\n"; - $flag = 0; - } - } - if ( $flag ) { - $entry->add(objectclass => "smbPasswordEntry"); - } - - ## Set the other attribute values - $entry->replace(lmPassword => $smbentry[2], - ntPassword => $smbentry[3], - acctFlags => $smbentry[4], - pwdLastSet => substr($smbentry[5],4) - ); - - ## Apply changes to the LDAP server - $updatemesg = $entry->update($ldap); - if ( $updatemesg->code ) { - print "Error updating $smbentry[0]!\n"; - } - - ## If we get here, the LDAP search returned more than one value - ## which shouldn't happen under normal circumstances. - } else { - print STDERR "LDAP search returned more than one entry for $smbentry[0]... skipping!\n"; - next; - } -} - -$ldap->unbind(); -exit 0; - - diff --git a/examples/LDAP/import_smbpasswd.pl b/examples/LDAP/import_smbpasswd.pl index 14aeff967f..61ad33c809 100644 --- a/examples/LDAP/import_smbpasswd.pl +++ b/examples/LDAP/import_smbpasswd.pl @@ -1,13 +1,13 @@ #!/usr/bin/perl ## -## Example script of how you could import and smbpasswd file into an LDAP +## Example script of how you could import a smbpasswd file into an LDAP ## directory using the Mozilla PerLDAP module. ## ## writen by jerry@samba.org ## +## ported to Net::LDAP by dkrovich@slackworks.com -use Mozilla::LDAP::Conn; -use Mozilla::LDAP::Entry; +use Net::LDAP; ################################################# ## set these to a value appropriate for your site 
@@ -15,51 +15,105 @@ use Mozilla::LDAP::Entry; $DN="ou=people,dc=plainjoe,dc=org"; $ROOTDN="cn=Manager,dc=plainjoe,dc=org"; -$rootpw = "secret"; -$LDAPSERVER="localhost"; +# If you use perl special character in your +# rootpw, escape them: +# $rootpw = "secr\@t" instead of $rootpw = "secr@t" +$rootpw = "n0pass"; +$LDAPSERVER="scooby"; ## ## end local site variables ################################################# -$conn = new Mozilla::LDAP::Conn ("$LDAPSERVER", "389", $ROOTDN, $rootpw ); -die "Unable to connect to LDAP server $LDAPSERVER" unless $conn; +$ldap = Net::LDAP->new($LDAPSERVER) or die "Unable to connect to LDAP server $LDAPSERVER"; +## Bind as $ROOTDN so you can do updates +$mesg = $ldap->bind($ROOTDN, password => $rootpw); +$mesg->error() if $mesg->code(); while ( $string = ) { - chop ($string); + chomp ($string); - ## get the account information + ## Get the account info from the smbpasswd file @smbentry = split (/:/, $string); - ## check for the existence of the posixAccount first + ## Check for the existence of a system account + @getpwinfo = getpwnam($smbentry[0]); + if (! @getpwinfo ) { + print STDERR "**$smbentry[0] does not have a system account... \n"; + next; + } + ## Calculate RID = uid*2 +1000 + $rid=@getpwinfo[2]*2+1000; + + ## check and see if account info already exists in LDAP. + $result = $ldap->search ( base => "$DN", + scope => "sub", + filter => "(uid=$smbentry[0])" + ); - ## FIXME!! Should do a getownam() and let the NSS modules lookup the account - ## This way you can have a UNIX account in /etc/passwd and the smbpasswd i - ## entry in LDAP. - $result = $conn->search ("$DN", "sub", "(&(uid=$smbentry[0])(objectclass=posixAccount))"); - if ( ! $result ) { - print STDERR "uid=$smbentry[0] does not have a posixAccount entry in the directory!\n"; - next; - } + ## If no LDAP entry exists, create one. 
+ if ( $result->count == 0 ) { + $new_entry = Net::LDAP::Entry->new(); + $new_entry->add( dn => "uid=$smbentry[0],$DN", + uid => $smbentry[0], + rid => $rid, + lmPassword => $smbentry[2], + ntPassword => $smbentry[3], + acctFlags => $smbentry[4], + cn => $smbentry[0], + pwdLastSet => hex(substr($smbentry[5],4)), + objectclass => 'sambaAccount' ); - print "Updating [" . $result->getDN() . "]\n"; + $result = $ldap->add( $new_entry ); + $result->error() if $result->code(); + print "Adding [uid=" . $smbentry[0] . "," . $DN . "]\n"; - ## Do we need to add the 'objectclass: smbPasswordEntry' attribute? - if (! $result->hasValue("objectclass", "smbPasswordEntry")) { - $result->addValue("objectclass", "smbPasswordEntry"); - } - - ## Set other attribute values - $result->setValues ("lmPassword", $smbentry[2]); - $result->setValues ("ntPassword", $smbentry[3]); - $result->setValues ("acctFlags", $smbentry[4]); - $result->setValues ("pwdLastSet", substr($smbentry[5],4)); - - if (! $conn->update($result)) { - print "Error updating!\n"; - } + ## Otherwise, supplement/update the existing entry. + } + elsif ($result->count == 1) + { + # Put the search results into an entry object + $entry = $result->entry(0); + + print "Updating [" . $entry->dn . 
"]\n"; + + ## Add the objectclass: sambaAccount attribute if it's not there + @values = $entry->get_value( "objectclass" ); + $flag = 1; + foreach $item (@values) { + print "$item\n"; + if ( "$item" eq "sambaAccount" ) { + $flag = 0; + } + } + if ( $flag ) { + ## Adding sambaAccount objectclass requires adding at least rid: + ## uid attribute already exists we know since we searched on it + $entry->add(objectclass => "sambaAccount", + rid => $rid ); + } + + ## Set the other attribute values + $entry->replace(rid => $rid, + lmPassword => $smbentry[2], + ntPassword => $smbentry[3], + acctFlags => $smbentry[4], + pwdLastSet => hex(substr($smbentry[5],4))); + + ## Apply changes to the LDAP server + $updatemesg = $entry->update($ldap); + $updatemesg->error() if $updatemesg->code(); + + ## If we get here, the LDAP search returned more than one value + ## which shouldn't happen under normal circumstances. + } else { + print STDERR "LDAP search returned more than one entry for $smbentry[0]... skipping!\n"; + next; + } } -$conn->close(); +$ldap->unbind(); exit 0; + + -- cgit From c079ba4e6b65fcaff93ff249cfb54da967f26caa Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 9 May 2003 21:52:49 +0000 Subject: syncing README to go along with scripts (This used to be commit 94780f0947f7ad7d5bc83e61681148637b59d7ab) --- examples/LDAP/README | 31 +++++++------------------------ 1 file changed, 7 insertions(+), 24 deletions(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/README b/examples/LDAP/README index 42cf4ff33a..c7ff16ad08 100644 --- a/examples/LDAP/README +++ b/examples/LDAP/README 
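Review bot: `$mesg->error() if $mesg->code();` after the bind, and the same pattern after `$ldap->add` and `$entry->update`, only evaluates the error string and throws it away, so a wrong `$rootpw` or an entry rejected by the server is ignored and the script exits 0 as if it succeeded; these should be `die "bind failed: " . $mesg->error() if $mesg->code();` and likewise for `$result` and `$updatemesg`. The username from the smbpasswd line is interpolated unescaped into the filter `(uid=$smbentry[0])` and into the DN `uid=$smbentry[0],$DN`, so a name containing `*`, `(`, `)` or `,` changes the query or the DN; escape it with Net::LDAP::Util's `escape_filter_value` and `escape_dn_value`. The new entry is written with `rid` and `objectclass => 'sambaAccount'`, whereas the schema change earlier on this page made `ntSid` the MUST attribute and removed `rid`, so against that schema every add fails the object class check. The root password is also hard-coded as `n0pass` in a world-readable example; reading it from a mode-0600 file or prompting would be safer.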
@@ -4,29 +4,11 @@ !== written by Gerald Carter !== -This is a quick and dirty means of storing smbpasswd entries -in LDAP. Samba 2.2.x does not have any ability to grab -this information directly from LDAP so you will need to -periodically generate an smbpasswd from an ldapsearch -"(objectclass=smbPasswordEntry)". - -Be aware of search limits on your client or server which prevent -all entries from being returned in the search result. +This is a quick and dirty means of converting smbpasswd entries +to sambaAccount entriues in an LDAP directory. Pre-requisites for import_smbpasswd.pl & export_smbpasswd.pl ------------------------------------------------------------- -You must install Mozilla PerLDAP which is available at: - - http://www.mozilla.org/directory - -PerLDAP depends on the Netscape (aka iPlanet) C-SDK which is -available for download at: - - http:// www.iplanet.com/downloads/developer/ - - -Pre-requisites for import2_smbpasswd.pl & export2_smbpasswd.pl -------------------------------------------------------------- These two scripts are modified versions of [import|export]_smbpasswd.pl rewritten to use the Net::LDAP @@ -36,6 +18,7 @@ perl module available from + OpenLDAP 2.0.x -------------- @@ -68,7 +51,7 @@ You must restart the LDAP server for these new included schema files to become active. -import[2]_smbpasswd.pl +import_smbpasswd.pl ---------------------- Make sure you customize the local site variable in the perl script 
@@ -80,17 +63,17 @@ refer to RFC2307 and http://www.padl.com/software.html). The following will import an smbpasswd file into an LDAP directory - $ cat smbpasswd | import[2]_smbpasswd.pl + $ cat smbpasswd | import_smbpasswd.pl -export[2]_smbpasswd.pl +export_smbpasswd.pl ---------------------- Make sure you customize the local site variable in the perl script (i.e. ldapserver, rootdn, rootpw, etc...). You can then generate an smbpasswd file by executing - $ export[2]_smbpasswd.pl > smbpasswd + $ export_smbpasswd.pl > smbpasswd NOTE: Server side (or client side) search limites may prevent all users from being listed. Check you directory server documentation -- cgit From 2735fb0119c5c938e236db406c74f914a0360151 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 11 May 2003 05:59:34 +0000 Subject: As discussed on samba-technical - move to 'primaryGroupSid' insted of primaryGroupID (rid). This is consistant with the move from 'rid' to ntSid for the primary user identifier. Also cope with legacy installations where primaryGroupID might have been stored as 0. Andrew Bartlett (This used to be commit 0e432817cb927b41af7b49fb0b5081ffdb46f85e) --- examples/LDAP/samba.schema | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index f9475f07ea..3a620b9a59 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema @@ -119,6 +119,16 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'ntSid' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) + +## +## Primary group SID, compatible with ntSid +## + +attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'primaryGroupSID' + DESC 'Primary Group Security ID' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) + ## ## group mapping attributes ## 
@@ -168,7 +178,7 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $ logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $ displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $ - description $ userWorkstations $ primaryGroupID $ domain )) + description $ userWorkstations $ primaryGroupSID $ domain )) ############################################################################ ## -- cgit From 5d16254f560ba26929bc473c28b85c87317ca368 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 14 May 2003 03:32:20 +0000 Subject: *****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66) --- examples/LDAP/samba.schema | 159 ++++++++++++++++++++++++++++++++++++++------- 1 file changed, 134 insertions(+), 25 deletions(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index 3a620b9a59..6ef8980613 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema @@ -10,6 +10,10 @@ ## 1.3.6.1.4.1.7165.2.2.x - objectclasses ## +####################################################################### +## Attributes used by Samba 2.2 schema ## +####################################################################### + ## ## Password hashes ## 
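Review bot: The rewritten sambaAccount MAY list drops `primaryGroupID` while its attributetype stays defined at 1.3.6.1.4.1.7165.2.1.15, so existing entries that still carry that attribute — including the legacy `primaryGroupID: 0` case the commit message says it copes with — no longer conform to the objectclass and would presumably be rejected by a schema-checking server on their next modify. Keeping both attributes during the transition avoids that: `description $ userWorkstations $ primaryGroupID $ primaryGroupSID $ domain ))`. A short comment on the primaryGroupID attributetype saying it is retained only for migration would make the intent clear.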
@@ -110,11 +114,104 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.15 NAME 'primaryGroupID' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +####################################################################### +## Attributes used by Samba 3.0 schema ## +####################################################################### + +## +## Password hashes +## +attributetype ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' + DESC 'LanManager Passwd' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' + DESC 'NT Passwd' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) + +## +## Account flags in string format ([UWDX ]) +## +attributetype ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' + DESC 'Account Flags' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE ) + +## +## Password timestamps & policies +## +attributetype ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' + DESC 'NT pwdLastSet' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange' + DESC 'NT pwdCanChange' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' + DESC 'NT pwdMustChange' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' + DESC 'NT logonTime' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' + DESC 'NT logoffTime' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' + DESC 'NT kickoffTime' + EQUALITY integerMatch + SYNTAX 
1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + + +## +## string settings +## +attributetype ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' + DESC 'NT homeDrive' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' + DESC 'NT scriptPath' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath' + DESC 'NT profilePath' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations' + DESC 'userWorkstations' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath' + DESC 'smbHome' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' + DESC 'Windows NT domain to which the user belongs' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} ) + ## ## SID, of any type ## -attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'ntSid' +attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) @@ -124,7 +221,7 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'ntSid' ## Primary group SID, compatible with ntSid ## -attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'primaryGroupSID' +attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID' DESC 'Primary Group Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) 
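Review bot: The new sambaLMPassword and sambaNTPassword attributetypes are declared like any other string attribute, with nothing in the schema noting that their values are password hashes that must not be readable by ordinary binds. The schema file cannot express access control, but a comment next to them would steer deployers: `## These attributes hold password hashes; restrict read access in slapd ACLs as for userPassword`. Separately, sambaHomePath and sambaDomainName are the only new attributes without SINGLE-VALUE, which looks carried over from smbHome and domain rather than deliberate — worth a comment either way.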
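Review bot: The comment above the renamed attribute still reads `## Primary group SID, compatible with ntSid`, but ntSid was renamed to sambaSID in the hunk just above, so the comment now points at an attribute that no longer exists. Update it to `## Primary group SID, compatible with sambaSID`.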
@@ -132,7 +229,7 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'primaryGroupSID' ## ## group mapping attributes ## -attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'ntGroupType' +attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC 'NT Group Type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -141,16 +238,21 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'ntGroupType' ## Store info on the domain ## -attributetype ( 1.3.6.1.4.1.7165.2.1.21 NAME 'nextUserRid' +attributetype ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid' DESC 'Next NT rid to give our for users' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'nextGroupRid' +attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid' DESC 'Next NT rid to give out for groups' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +######################################################################## +## HISTORICAL ## +######################################################################## + ## ## The smbPasswordEntry objectclass has been depreciated in favor of the ## sambaAccount objectclass 
@@ -168,17 +270,35 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'nextGroupRid' # displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $ # description $ userWorkstations $ primaryGroupID $ domain )) +######################################################################## +## END OF HISTORICAL ## +######################################################################## + ## The X.500 data model (and therefore LDAPv3) says that each entry can ## only have one structural objectclass. OpenLDAP 2.0 does not enforce ## this currently but will in v2.1 objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY DESC 'Samba Auxilary Account' - MUST ( uid $ ntSid ) + MUST ( uid $ rid ) MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $ logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $ displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $ - description $ userWorkstations $ primaryGroupSID $ domain )) + description $ userWorkstations $ primaryGroupID $ domain )) + +## +## added new objectclass (and OID) for 3.0 to help us deal with backwards +## compatibility with 2.2 installations (e.g. ldapsam_compat) --jerry +## +objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY + DESC 'Samba 3.0 Auxilary Account' + MUST ( uid $ sambaSID ) + MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ + sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ + sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $ + displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $ + sambaProfilePath $ description $ sambaUserWorkstations $ + sambaPrimaryGroupSID $ sambaDomainName )) ############################################################################ ## 
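Review bot: Besides adding sambaSamAccount, this hunk silently reverts the sambaAccount objectclass to `MUST ( uid $ rid )` and `primaryGroupID`, undoing the ntSid/primaryGroupSID change of the previous commit, and neither the commit message nor a comment says why. Since the intent appears to be freezing sambaAccount at its 2.2 shape for ldapsam_compat, a comment above it would stop the next reader from re-applying the rename: `## sambaAccount is kept at its Samba 2.2 definition for ldapsam_compat; new servers should use sambaSamAccount`. The new DESC also misspells 'Auxiliary' as `Auxilary`.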
@@ -187,30 +307,19 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY ## ############################################################################ -## -## Whole-of-domain info -## - -objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL - DESC 'Samba Domain Information' - MUST ( domain $ nextGroupRid $ nextUserRid $ ntSid)) - ## ## Group mapping info ## objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY DESC 'Samba Group Mapping' - MUST ( gidNumber $ ntSid $ ntGroupType ) - MAY ( displayName $ description )) + MUST ( gidNumber $ sambaSID $ sambaGroupType ) + MAY ( displayName $ description $ cn )) ## -## Used for Winbind experimentation +## Whole-of-domain info ## -#objectclass ( 1.3.6.1.4.1.7165.1.2.2.3 NAME 'uidPool' SUP top AUXILIARY -# DESC 'Pool for allocating UNIX uids' -# MUST ( uidNumber ) ) - -#objectclass ( 1.3.6.1.4.1.7165.1.2.2.4 NAME 'gidPool' SUP top AUXILIARY -# DESC 'Pool for allocating UNIX gids' -# MUST ( gidNumber ) ) +objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL + DESC 'Samba Domain Information' + MUST ( sambaDomainName $ sambaNextGroupRid $ sambaNextUserRid $ + sambaSID ) ) -- cgit From b2b381f3a472dd20e6b0df7ba0f9713ea60db972 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 14 May 2003 04:37:40 +0000 Subject: perl script to convert from sambaAccount to sambaSamAccount; requires Net::LDAP::LDIF (This used to be commit 9cde1aa32aed55a3d7cb28881c6acd9800b02065) --- examples/LDAP/convertSambaAccount | 105 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 105 insertions(+) create mode 100755 examples/LDAP/convertSambaAccount (limited to 'examples/LDAP') diff --git a/examples/LDAP/convertSambaAccount b/examples/LDAP/convertSambaAccount new file mode 100755 index 0000000000..9fccf6a8b2 --- /dev/null +++ b/examples/LDAP/convertSambaAccount 
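Review bot: sambaDomain is STRUCTURAL and its naming attribute is now sambaDomainName, but that attributetype (defined earlier in this commit at 1.3.6.1.4.1.7165.2.1.38) has no SINGLE-VALUE and is described as the domain 'to which the user belongs', so a domain object could legitimately carry several names. If one name per domain entry is the intent, add `SINGLE-VALUE` to sambaDomainName or state the contract in a comment above this objectclass. The `sambaSID ) )` closing with a space between the parentheses is also inconsistent with the `))` used by the other objectclasses.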
@@ -0,0 +1,105 @@ +#!/usr/bin/perl -w +## +## Convert an LDIF file containing sambaAccount entries +## to the new sambaSamAccount objectclass +## +## Copyright Gerald (Jerry) Carter 2003 +## +## Usage: convertSambaAccount +## + + +use strict; +use Net::LDAP::LDIF; + +my ( $domain, $domsid ); +my ( $ldif, $ldif2 ); +my ( $entry, @objclasses, $obj ); +my ( $is_samba_account ); +my ( %attr_map, $key ); + +if ( $#ARGV != 2 ) { + print "Usage: convertSambaAccount domain_sid input_ldif output_ldif\n"; + exit 1; +} + +%attr_map = ( + lmPassword => 'sambaLMPassword', + ntPassword => 'sambaNTPassword', + pwdLastSet => 'sambaPwdLastSet', + pwdMustChange => 'sambaPwdMustChange', + pwdCanChange => 'sambaPwdCanChange', + homeDrive => 'sambaHomeDrive', + smbHome => 'sambaHomePath', + scriptPath => 'sambaLogonScript', + profilePath => 'sambaProfilePath', + kickoffTime => 'sambaKickoffTime', + logonTime => 'sambaLogonTime', + logoffTime => 'sambaLogoffTime', + userWorkstations => 'sambaUserWorkstations', + domain => 'sambaDomainName', + acctFlags => 'sambaAcctFlags', +); + +$domsid = $ARGV[0]; + +$ldif = Net::LDAP::LDIF->new ($ARGV[1], "r") + or die $!; +$ldif2 = Net::LDAP::LDIF->new ($ARGV[2], "w") + or die $!; + +while ( !$ldif->eof ) { + undef ( $entry ); + $entry = $ldif->read_entry(); + + ## skip entry if we find an error + if ( $ldif->error() ) { + print "Error msg: ",$ldif->error(),"\n"; + print "Error lines:\n",$ldif->error_lines(),"\n"; + next; + } + + ## + ## check to see if we have anything to do on this + ## entry. 
If not just write it out + ## + @objclasses = $entry->get_value( "objectClass" ); + undef ( $is_samba_account ); + foreach $obj ( @objclasses ) { + if ( "$obj" eq "sambaAccount" ) { + $is_samba_account = 1; + } + } + + if ( !defined ( $is_samba_account ) ) { + $ldif2->write_entry( $entry ); + next; + } + + ## + ## start editing the sambaAccount + ## + + $entry->delete( 'objectclass' => [ 'sambaAccount' ] ); + $entry->add( 'objectclass' => 'sambaSamAccount' ); + + $entry->add( 'sambaSID' => $domsid."-".$entry->get_value( "rid" ) ); + $entry->delete( 'rid' ); + + if ( $entry->get_value( "primaryGroupID" ) ) { + $entry->add( 'primaryGroupSID' => $domsid."-".$entry->get_value( "primaryGroupID" ) ); + $entry->delete( 'primaryGroupID' ); + } + + + foreach $key ( keys %attr_map ) { + if ( $entry->get_value($key) ) { + $entry->add( $attr_map{$key} => $entry->get_value($key) ); + $entry->delete( $key ); + } + } + + $ldif2->write_entry( $entry ); +} + + -- cgit From b2c19b772738c036a44b344b77b7757781f2e1f0 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 14 May 2003 04:49:01 +0000 Subject: s/primaryGroupSID/sambaPrimaryGroupSID/ (This used to be commit 925c60f5e2f5301da90fc26dddc1bad610eea0d0) --- examples/LDAP/convertSambaAccount | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/convertSambaAccount b/examples/LDAP/convertSambaAccount index 9fccf6a8b2..f5b49ff095 100755 --- a/examples/LDAP/convertSambaAccount +++ b/examples/LDAP/convertSambaAccount @@ -87,7 +87,7 @@ while ( !$ldif->eof ) { $entry->delete( 'rid' ); if ( $entry->get_value( "primaryGroupID" ) ) { - $entry->add( 'primaryGroupSID' => $domsid."-".$entry->get_value( "primaryGroupID" ) ); + $entry->add( 'sambaPrimaryGroupSID' => $domsid."-".$entry->get_value( "primaryGroupID" ) ); $entry->delete( 'primaryGroupID' ); } -- cgit From df641bc7caceab142372a279a2844df187c86597 Mon Sep 17 00:00:00 2001 
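Review bot: Both the primaryGroupID block and the %attr_map loop test the old attribute's value for truth, so a value of `0` — the legacy primaryGroupID case the earlier commit mentions, or any zero-valued timestamp attribute — is neither copied nor deleted, and the entry is written out as sambaSamAccount while still carrying an attribute that objectclass does not allow, which a schema-checking server will presumably reject on import. Test for presence with `defined` or list context instead and always delete the old attribute once handled; also, passing `get_value` straight into `add`'s argument list spills every value of a multi-valued attribute (smbHome and domain are not SINGLE-VALUE) into the key/value list, so collect the values first and pass an array reference. Because the output LDIF carries the LM/NT password hashes, the script should also create it with a restrictive mode, e.g. `umask 077;` before the `Net::LDAP::LDIF->new( $ARGV[2], "w" )` call.
```perl
    # … unchanged: objectclass swap and sambaSID construction …

    my $pgid = $entry->get_value( "primaryGroupID" );
    if ( defined $pgid ) {
        ## a legacy value of 0 has no SID form; drop it rather than emit "<sid>-0"
        if ( $pgid ) {
            $entry->add( 'primaryGroupSID' => $domsid."-".$pgid );
        }
        $entry->delete( 'primaryGroupID' );
    }

    foreach $key ( keys %attr_map ) {
        my @vals = $entry->get_value( $key );
        next unless @vals;
        ## copy every value (0 and '' included), then drop the old attribute
        $entry->add( $attr_map{$key} => \@vals );
        $entry->delete( $key );
    }

    # … unchanged: write_entry …
```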
From: Gerald Carter Date: Wed, 14 May 2003 05:28:16 +0000 Subject: fix group mapping in LDAP under new schema (This used to be commit 0714dda7cc4a1df73e1b9d11daae80a1f46583de) --- examples/LDAP/samba.schema | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index 6ef8980613..7093a96b04 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema @@ -313,7 +313,7 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY DESC 'Samba Group Mapping' MUST ( gidNumber $ sambaSID $ sambaGroupType ) - MAY ( displayName $ description $ cn )) + MAY ( displayName $ description )) ## ## Whole-of-domain info -- cgit From c5278567746158192dda8a691f0640f6edc9272e Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 22 May 2003 17:18:35 +0000 Subject: moving the sambaAccount objectclass to 'historical' to prevent confusion on which one should be used for new servers. I'll add a note about uncommenting the older items for ldapsam_compat in the release notes (This used to be commit 469c5ad1acfb452617b10653e06ce3b34ec9e146) --- examples/LDAP/samba.schema | 292 ++++++++++++++++++++++----------------------- 1 file changed, 142 insertions(+), 150 deletions(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index 7093a96b04..3db7094bf2 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema 
@@ -10,111 +10,139 @@ ## 1.3.6.1.4.1.7165.2.2.x - objectclasses ## -####################################################################### -## Attributes used by Samba 2.2 schema ## -####################################################################### +######################################################################## +## HISTORICAL ## +######################################################################## ## ## Password hashes ## -attributetype ( 1.3.6.1.4.1.7165.2.1.1 NAME 'lmPassword' - DESC 'LanManager Passwd' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) +#attributetype ( 1.3.6.1.4.1.7165.2.1.1 NAME 'lmPassword' +# DESC 'LanManager Passwd' +# EQUALITY caseIgnoreIA5Match +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) -attributetype ( 1.3.6.1.4.1.7165.2.1.2 NAME 'ntPassword' - DESC 'NT Passwd' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) +#attributetype ( 1.3.6.1.4.1.7165.2.1.2 NAME 'ntPassword' +# DESC 'NT Passwd' +# EQUALITY caseIgnoreIA5Match +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) ## ## Account flags in string format ([UWDX ]) ## -attributetype ( 1.3.6.1.4.1.7165.2.1.4 NAME 'acctFlags' - DESC 'Account Flags' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE ) +#attributetype ( 1.3.6.1.4.1.7165.2.1.4 NAME 'acctFlags' +# DESC 'Account Flags' +# EQUALITY caseIgnoreIA5Match +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE ) -## +## ## Password timestamps & policies ## -attributetype ( 1.3.6.1.4.1.7165.2.1.3 NAME 'pwdLastSet' - DESC 'NT pwdLastSet' - EQUALITY integerMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +#attributetype ( 1.3.6.1.4.1.7165.2.1.3 NAME 'pwdLastSet' +# DESC 'NT pwdLastSet' +# EQUALITY integerMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -attributetype ( 1.3.6.1.4.1.7165.2.1.5 NAME 'logonTime' - DESC 'NT logonTime' - EQUALITY integerMatch - SYNTAX 
1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +#attributetype ( 1.3.6.1.4.1.7165.2.1.5 NAME 'logonTime' +# DESC 'NT logonTime' +# EQUALITY integerMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -attributetype ( 1.3.6.1.4.1.7165.2.1.6 NAME 'logoffTime' - DESC 'NT logoffTime' - EQUALITY integerMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +#attributetype ( 1.3.6.1.4.1.7165.2.1.6 NAME 'logoffTime' +# DESC 'NT logoffTime' +# EQUALITY integerMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -attributetype ( 1.3.6.1.4.1.7165.2.1.7 NAME 'kickoffTime' - DESC 'NT kickoffTime' - EQUALITY integerMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +#attributetype ( 1.3.6.1.4.1.7165.2.1.7 NAME 'kickoffTime' +# DESC 'NT kickoffTime' +# EQUALITY integerMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -attributetype ( 1.3.6.1.4.1.7165.2.1.8 NAME 'pwdCanChange' - DESC 'NT pwdCanChange' - EQUALITY integerMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +#attributetype ( 1.3.6.1.4.1.7165.2.1.8 NAME 'pwdCanChange' +# DESC 'NT pwdCanChange' +# EQUALITY integerMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -attributetype ( 1.3.6.1.4.1.7165.2.1.9 NAME 'pwdMustChange' - DESC 'NT pwdMustChange' - EQUALITY integerMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +#attributetype ( 1.3.6.1.4.1.7165.2.1.9 NAME 'pwdMustChange' +# DESC 'NT pwdMustChange' +# EQUALITY integerMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) ## ## string settings ## -attributetype ( 1.3.6.1.4.1.7165.2.1.10 NAME 'homeDrive' - DESC 'NT homeDrive' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE ) +#attributetype ( 1.3.6.1.4.1.7165.2.1.10 NAME 'homeDrive' +# DESC 'NT homeDrive' +# EQUALITY caseIgnoreIA5Match +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE ) -attributetype ( 1.3.6.1.4.1.7165.2.1.11 NAME 'scriptPath' - DESC 'NT scriptPath' - EQUALITY caseIgnoreIA5Match - 
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE ) +#attributetype ( 1.3.6.1.4.1.7165.2.1.11 NAME 'scriptPath' +# DESC 'NT scriptPath' +# EQUALITY caseIgnoreIA5Match +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE ) -attributetype ( 1.3.6.1.4.1.7165.2.1.12 NAME 'profilePath' - DESC 'NT profilePath' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE ) +#attributetype ( 1.3.6.1.4.1.7165.2.1.12 NAME 'profilePath' +# DESC 'NT profilePath' +# EQUALITY caseIgnoreIA5Match +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE ) -attributetype ( 1.3.6.1.4.1.7165.2.1.13 NAME 'userWorkstations' - DESC 'userWorkstations' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE ) +#attributetype ( 1.3.6.1.4.1.7165.2.1.13 NAME 'userWorkstations' +# DESC 'userWorkstations' +# EQUALITY caseIgnoreIA5Match +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE ) -attributetype ( 1.3.6.1.4.1.7165.2.1.17 NAME 'smbHome' - DESC 'smbHome' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} ) +#attributetype ( 1.3.6.1.4.1.7165.2.1.17 NAME 'smbHome' +# DESC 'smbHome' +# EQUALITY caseIgnoreIA5Match +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} ) -attributetype ( 1.3.6.1.4.1.7165.2.1.18 NAME 'domain' - DESC 'Windows NT domain to which the user belongs' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} ) +#attributetype ( 1.3.6.1.4.1.7165.2.1.18 NAME 'domain' +# DESC 'Windows NT domain to which the user belongs' +# EQUALITY caseIgnoreIA5Match +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} ) ## ## user and group RID ## -attributetype ( 1.3.6.1.4.1.7165.2.1.14 NAME 'rid' - DESC 'NT rid' - EQUALITY integerMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +#attributetype ( 1.3.6.1.4.1.7165.2.1.14 NAME 'rid' +# DESC 'NT rid' +# EQUALITY integerMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -attributetype ( 1.3.6.1.4.1.7165.2.1.15 NAME 
'primaryGroupID' - DESC 'NT Group RID' - EQUALITY integerMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +#attributetype ( 1.3.6.1.4.1.7165.2.1.15 NAME 'primaryGroupID' +# DESC 'NT Group RID' +# EQUALITY integerMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +## +## The smbPasswordEntry objectclass has been depreciated in favor of the +## sambaAccount objectclass +## +#objectclass ( 1.3.6.1.4.1.7165.2.2.1 NAME 'smbPasswordEntry' SUP top AUXILIARY +# DESC 'Samba smbpasswd entry' +# MUST ( uid $ uidNumber ) +# MAY ( lmPassword $ ntPassword $ pwdLastSet $ acctFlags )) + +#objectclass ( 1.3.6.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL +# DESC 'Samba Account' +# MUST ( uid $ rid ) +# MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $ +# logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $ +# displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $ +# description $ userWorkstations $ primaryGroupID $ domain )) + +#objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY +# DESC 'Samba Auxilary Account' +# MUST ( uid $ rid ) +# MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $ +# logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $ +# displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $ +# description $ userWorkstations $ primaryGroupID $ domain )) + +######################################################################## +## END OF HISTORICAL ## +######################################################################## - ####################################################################### ## Attributes used by Samba 3.0 schema ## ####################################################################### 
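Review bot: The HISTORICAL block now holds two commented-out objectclass definitions that both use `NAME 'sambaAccount'` (OIDs 1.3.6.1.4.1.7165.2.2.2 STRUCTURAL and 1.3.6.1.4.1.7165.2.2.3 AUXILIARY), and the commit message defers the guidance on uncommenting them to the release notes, so nothing in the file warns that only one of the two can be re-enabled at a time — slapd will presumably refuse a schema with a duplicate objectclass name. A comment at the top of the block, describing that ldapsam_compat needs the historical attributetypes plus exactly one sambaAccount definition (whichever matches how the existing entries were created), would keep that knowledge with the schema. The spelling `depreciated` in the smbPasswordEntry comment should be `deprecated`.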
@@ -123,12 +151,12 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.15 NAME 'primaryGroupID' ## Password hashes ## attributetype ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' - DESC 'LanManager Passwd' + DESC 'LanManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) attributetype ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' - DESC 'NT Passwd' + DESC 'MD4 hash of the unicode password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) 
@@ -140,36 +168,36 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE ) -## +## ## Password timestamps & policies ## attributetype ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' - DESC 'NT pwdLastSet' + DESC 'Timestamp of the last password update' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributetype ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange' - DESC 'NT pwdCanChange' + DESC 'Timestamp of when the user is allowed to update the password' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributetype ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' - DESC 'NT pwdMustChange' + DESC 'Timestamp of when the password will expire' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) - + attributetype ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' - DESC 'NT logonTime' + DESC 'Timestamp of last logon' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributetype ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' - DESC 'NT logoffTime' + DESC 'Timestamp of last logoff' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributetype ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' - DESC 'NT kickoffTime' + DESC 'Timestamp of when the user will be logged off automatically' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 
@@ -178,34 +206,34 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' ## string settings ## attributetype ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' - DESC 'NT homeDrive' + DESC 'Driver letter of home directory mapping' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE ) attributetype ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' - DESC 'NT scriptPath' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE ) + DESC 'Logon script path' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE ) attributetype ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath' - DESC 'NT profilePath' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE ) + DESC 'Roaming profile path' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE ) attributetype ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations' - DESC 'userWorkstations' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE ) + DESC 'List of user workstations the user is allowed to logon to' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE ) attributetype ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath' - DESC 'smbHome' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} ) + DESC 'Home directory UNC path' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) attributetype ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' DESC 'Windows NT domain to which the user belongs' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} ) + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) ## ## SID, of any type 
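Review bot: The new DESC for sambaHomeDrive reads `Driver letter of home directory mapping`; it should be `DESC 'Drive letter of home directory mapping'`. The hunk also switches sambaLogonScript, sambaProfilePath, sambaUserWorkstations, sambaHomePath and sambaDomainName from IA5String/caseIgnoreIA5Match to DirectoryString/caseIgnoreMatch under unchanged OIDs; that is a sensible widening for paths with non-ASCII characters, but a server that already loaded the earlier definition presumably needs its schema reloaded and any existing index on those attributes rebuilt, which deserves a comment. sambaHomePath and sambaDomainName also remain the only two of these without SINGLE-VALUE.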
@@ -249,70 +277,34 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -######################################################################## -## HISTORICAL ## -######################################################################## - -## -## The smbPasswordEntry objectclass has been depreciated in favor of the -## sambaAccount objectclass -## -#objectclass ( 1.3.6.1.4.1.7165.2.2.1 NAME 'smbPasswordEntry' SUP top AUXILIARY -# DESC 'Samba smbpasswd entry' -# MUST ( uid $ uidNumber ) -# MAY ( lmPassword $ ntPassword $ pwdLastSet $ acctFlags )) - -#objectclass ( 1.3.6.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL -# DESC 'Samba Account' -# MUST ( uid $ rid ) -# MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $ -# logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $ -# displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $ -# description $ userWorkstations $ primaryGroupID $ domain )) - -######################################################################## -## END OF HISTORICAL ## -######################################################################## +####################################################################### +## objectClasses used by Samba 3.0 schema ## +####################################################################### -## The X.500 data model (and therefore LDAPv3) says that each entry can -## only have one structural objectclass. OpenLDAP 2.0 does not enforce +## The X.500 data model (and therefore LDAPv3) says that each entry can +## only have one structural objectclass. 
OpenLDAP 2.0 does not enforce ## this currently but will in v2.1 -objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY - DESC 'Samba Auxilary Account' - MUST ( uid $ rid ) - MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $ - logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $ - displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $ - description $ userWorkstations $ primaryGroupID $ domain )) - ## -## added new objectclass (and OID) for 3.0 to help us deal with backwards +## added new objectclass (and OID) for 3.0 to help us deal with backwards ## compatibility with 2.2 installations (e.g. ldapsam_compat) --jerry ## objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY - DESC 'Samba 3.0 Auxilary Account' - MUST ( uid $ sambaSID ) - MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ - sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ - sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $ - displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $ - sambaProfilePath $ description $ sambaUserWorkstations $ + DESC 'Samba 3.0 Auxilary SAM Account' + MUST ( uid $ sambaSID ) + MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ + sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ + sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $ + displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $ + sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGroupSID $ sambaDomainName )) -############################################################################ -## -## Please note that this schema is really experimental and might -## change before the 3.0 release. 
-## -############################################################################ - ## ## Group mapping info ## objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY DESC 'Samba Group Mapping' - MUST ( gidNumber $ sambaSID $ sambaGroupType ) + MUST ( gidNumber $ sambaSID $ sambaGroupType ) MAY ( displayName $ description )) ## @@ -320,6 +312,6 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY ## objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL DESC 'Samba Domain Information' - MUST ( sambaDomainName $ sambaNextGroupRid $ sambaNextUserRid $ - sambaSID ) ) + MUST ( sambaDomainName $ sambaNextGroupRid $ sambaNextUserRid $ + sambaSID ) ) -- cgit From 3bdfd57a2dc590896a2e45652ad4f5e3c2358108 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 5 Jun 2003 02:34:30 +0000 Subject: working draft of the idmap_ldap code. Includes sambaUnixIdPool objectclass Still needs cleaning up wrt to name space. More changes to come, but at least we now have a a working distributed winbindd solution. (This used to be commit 824175854421f7c27d31ad673a8790dd018ae350) --- examples/LDAP/samba.schema | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index 3db7094bf2..9887954045 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema @@ -315,3 +315,13 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaNextGroupRid $ sambaNextUserRid $ sambaSID ) ) +## used for idmap_ldap module +objectclass ( 1.3.6.1.4.1.7165.1.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY + DESC 'Pool for allocating UNIX uids/gids' + MUST ( uidNumber $ gidNumber ) ) + +objectclass ( 1.3.6.1.4.1.7165.1.2.2.8 NAME 'sambaIdmapEntry' SUP top STRUCTURAL + DESC 'Mapping from a SID to an ID' + MUST ( sambaSID ) + MAY ( uidNumber $ gidNumber )) + -- cgit 
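Review bot: The rewritten DESC for sambaSamAccount still carries the misspelling `'Samba 3.0 Auxilary SAM Account'`; it should read `DESC 'Samba 3.0 Auxiliary SAM Account'`, and the comment block above it has the same typo. The comment kept at the top of this hunk warns that OpenLDAP 2.1 will enforce a single structural objectclass per entry, which is presumably why sambaSamAccount is AUXILIARY; stating that explicitly, `## AUXILIARY so it can be added to an existing structural account entry`, would make the design decision durable for the next editor.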
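Review bot: The two new objectclasses are registered under `1.3.6.1.4.1.7165.1.2.2.7` and `1.3.6.1.4.1.7165.1.2.2.8`, while every other objectclass in this file and the header comment (`1.3.6.1.4.1.7165.2.2.x - objectclasses`, visible in a later hunk on this page) use the `7165.2.2.x` arc. If the extra `.1` component is a slip, it should be corrected to `1.3.6.1.4.1.7165.2.2.7` / `1.3.6.1.4.1.7165.2.2.8` before the classes reach any production directory, because an OID in use cannot be changed without a schema migration; if it is deliberate, a comment explaining the separate arc is needed. The sambaSidEntry class added by a later commit on this page reuses the same `7165.1.2.2` arc.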
From b93851af1368a3d718e29e6337a53b263e31f855 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 12 Jun 2003 13:41:13 +0000 Subject: check that an attribute is defined and not just non-zero (This used to be commit 8c18174a899e9578e0e82d17c7602e84b342644c) --- examples/LDAP/convertSambaAccount | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/convertSambaAccount b/examples/LDAP/convertSambaAccount index f5b49ff095..1cfb3ee2a4 100755 --- a/examples/LDAP/convertSambaAccount +++ b/examples/LDAP/convertSambaAccount @@ -93,7 +93,7 @@ while ( !$ldif->eof ) { foreach $key ( keys %attr_map ) { - if ( $entry->get_value($key) ) { + if ( defined($entry->get_value($key)) ) { $entry->add( $attr_map{$key} => $entry->get_value($key) ); $entry->delete( $key ); } -- cgit From af0ddc81d82eb964ddab551dcd7309aaec96a618 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 13 Jun 2003 02:53:03 +0000 Subject: fix typo in description (This used to be commit be82b3d9dfef938030731e1021076df4dcfdb443) --- examples/LDAP/samba.schema | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index 9887954045..067f5a497d 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema @@ -132,7 +132,7 @@ # description $ userWorkstations $ primaryGroupID $ domain )) #objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY -# DESC 'Samba Auxilary Account' +# DESC 'Samba Auxiliary Account' # MUST ( uid $ rid ) # MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $ # logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $ -- cgit From 5d4937c2b6e5b01fd13bc197224459ab690897e9 Mon Sep 17 00:00:00 2001 
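Review bot: The add on the line following the new check, `$entry->add( $attr_map{$key} => $entry->get_value($key) )`, calls get_value in list context, so an attribute that holds more than one value spills its extra values into the key/value list where they are read as attribute names. The defined() check itself runs get_value in scalar context and is fine. Fetching the values once avoids both the double lookup and the context problem: `my @vals = $entry->get_value($key);` then `if (@vals) { $entry->add( $attr_map{$key} => \@vals ); $entry->delete( $key ); }`. The same pattern is repeated in the sambaGroupMapping branch added by the later convertSambaAccount commits on this page. The enclosing while loop starts before this hunk.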
From: John Terpstra Date: Sun, 15 Jun 2003 05:14:28 +0000 Subject: This patch is Vorlon's fault! (This used to be commit 56d2049561e5d5c22ac9d76cb013643083d9644e) --- examples/LDAP/convertSambaAccount | 56 ++++++++++++++++++++++++--------------- 1 file changed, 34 insertions(+), 22 deletions(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/convertSambaAccount b/examples/LDAP/convertSambaAccount index 1cfb3ee2a4..5b7febd6a0 100755 --- a/examples/LDAP/convertSambaAccount +++ b/examples/LDAP/convertSambaAccount @@ -15,8 +15,8 @@ use Net::LDAP::LDIF; my ( $domain, $domsid ); my ( $ldif, $ldif2 ); my ( $entry, @objclasses, $obj ); -my ( $is_samba_account ); -my ( %attr_map, $key ); +my ( $is_samba_account, $is_samba_group ); +my ( %attr_map, %group_attr_map, $key ); if ( $#ARGV != 2 ) { print "Usage: convertSambaAccount domain_sid input_ldif output_ldif\n"; @@ -41,6 +41,11 @@ if ( $#ARGV != 2 ) { acctFlags => 'sambaAcctFlags', ); +%group_attr_map = ( + ntSid => 'sambaSID', + ntGroupType => 'sambaGroupType', +); + $domsid = $ARGV[0]; $ldif = Net::LDAP::LDIF->new ($ARGV[1], "r") 
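Review bot: `$domsid = $ARGV[0];` is still used exactly as given, and with this hunk the script emits SIDs from two sources: user entries get `$domsid` joined to their rid in the next hunk, while group entries copy their literal ntSid through the new `%group_attr_map`. A malformed domain SID argument therefore yields user sambaSID values that do not belong to the same domain as the converted groups, and nothing rejects it; an anchored check before first use, such as `$domsid =~ /\A S-1-5-21-\d+-\d+-\d+ \z/x or die "invalid domain SID: $domsid\n";`, would stop the run before an LDIF is written. The declarations in the first hunk also keep `$key` as a file-scope variable reused by every loop; `foreach my $key` would scope it to each loop.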
@@ -65,37 +70,44 @@ while ( !$ldif->eof ) { ## @objclasses = $entry->get_value( "objectClass" ); undef ( $is_samba_account ); + undef ( $is_samba_group ); foreach $obj ( @objclasses ) { if ( "$obj" eq "sambaAccount" ) { $is_samba_account = 1; + } elsif ( "$obj" eq "sambaGroupMapping" ) { + $is_samba_group = 1; } } - if ( !defined ( $is_samba_account ) ) { - $ldif2->write_entry( $entry ); - next; - } - - ## - ## start editing the sambaAccount - ## + if ( defined ( $is_samba_account ) ) { + ## + ## start editing the sambaAccount + ## - $entry->delete( 'objectclass' => [ 'sambaAccount' ] ); - $entry->add( 'objectclass' => 'sambaSamAccount' ); + $entry->delete( 'objectclass' => [ 'sambaAccount' ] ); + $entry->add( 'objectclass' => 'sambaSamAccount' ); - $entry->add( 'sambaSID' => $domsid."-".$entry->get_value( "rid" ) ); - $entry->delete( 'rid' ); + $entry->add( 'sambaSID' => $domsid."-".$entry->get_value( "rid" ) ); + $entry->delete( 'rid' ); - if ( $entry->get_value( "primaryGroupID" ) ) { - $entry->add( 'sambaPrimaryGroupSID' => $domsid."-".$entry->get_value( "primaryGroupID" ) ); - $entry->delete( 'primaryGroupID' ); - } + if ( $entry->get_value( "primaryGroupID" ) ) { + $entry->add( 'sambaPrimaryGroupSID' => $domsid."-".$entry->get_value( "primaryGroupID" ) ); + $entry->delete( 'primaryGroupID' ); + } - foreach $key ( keys %attr_map ) { - if ( defined($entry->get_value($key)) ) { - $entry->add( $attr_map{$key} => $entry->get_value($key) ); - $entry->delete( $key ); + foreach $key ( keys %attr_map ) { + if ( defined($entry->get_value($key)) ) { + $entry->add( $attr_map{$key} => $entry->get_value($key) ); + $entry->delete( $key ); + } + } + } elsif ( defined ( $is_samba_group ) ) { + foreach $key ( keys %group_attr_map ) { + if ( defined($entry->get_value($key)) ) { + $entry->add( $attr_map{$key} => $entry->get_value($key) ); + $entry->delete( $key ); + } } } -- cgit From a220e983d0ea04634e68d146c6279ec2896e0cfd Mon Sep 17 00:00:00 2001 
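Review bot: `if ( $entry->get_value( "primaryGroupID" ) )` in the sambaAccount branch tests truthiness, whereas the attr_map loop directly below it was switched to `defined(...)` by the previous commit on this page; a primaryGroupID of `0` would be skipped and left behind unconverted. Use `if ( defined $entry->get_value( "primaryGroupID" ) )` for consistency. In the new sambaGroupMapping branch the value is added under `$attr_map{$key}`, a lookup `%attr_map` cannot satisfy for ntSid or ntGroupType, so those attributes are not renamed as intended; the following commit on this page corrects this. Entries matching neither class fall through to the write_entry call, which is outside the hunk.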
From: Gerald Carter Date: Tue, 1 Jul 2003 15:21:43 +0000 Subject: applying fix for group map conversion (patch from Kristyan Osborne) (This used to be commit 6237fae9b8407ee04226b984a932150799191d29) --- examples/LDAP/convertSambaAccount | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/convertSambaAccount b/examples/LDAP/convertSambaAccount index 5b7febd6a0..223c43eada 100755 --- a/examples/LDAP/convertSambaAccount +++ b/examples/LDAP/convertSambaAccount @@ -105,7 +105,7 @@ while ( !$ldif->eof ) { } elsif ( defined ( $is_samba_group ) ) { foreach $key ( keys %group_attr_map ) { if ( defined($entry->get_value($key)) ) { - $entry->add( $attr_map{$key} => $entry->get_value($key) ); + $entry->add( $group_attr_map{$key} => $entry->get_value($key) ); $entry->delete( $key ); } } -- cgit From 4168d61fb22e19a248a6c3d3ad43e2f73e37fc6a Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Fri, 4 Jul 2003 13:29:42 +0000 Subject: This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fall back to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot use an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entries to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. 
Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e) --- examples/LDAP/samba.schema | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index 067f5a497d..6e8387f16e 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema @@ -276,6 +276,16 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributetype ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' + DESC 'Next NT rid to give out for anything' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase' + DESC 'Base at which the samba RID generation algorithm should operate' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + ####################################################################### ## objectClasses used by Samba 3.0 schema ## 
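Review bot: sambaNextRid is introduced as a SINGLE-VALUE integer that, per the commit message, several hosts read and advance to allocate RIDs; a plain read-then-write on such an attribute is exactly the race the message says is being removed, so the schema should state the update contract, e.g. `## advance with one modify that deletes the old value and adds the new one, so a concurrent allocator fails instead of reusing the RID`. sambaAlgorithmicRidBase has no note on what happens when the stored value disagrees with the local configuration; the commit message says Samba asserts in that case, and a one-line comment to that effect would spare the next reader a trip to the code.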
@@ -312,16 +322,23 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY ## objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL DESC 'Samba Domain Information' - MUST ( sambaDomainName $ sambaNextGroupRid $ sambaNextUserRid $ - sambaSID ) ) + MUST ( sambaDomainName $ + sambaSID ) + MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ + sambaAlgorithmicRidBase ) ) ## used for idmap_ldap module objectclass ( 1.3.6.1.4.1.7165.1.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY DESC 'Pool for allocating UNIX uids/gids' MUST ( uidNumber $ gidNumber ) ) -objectclass ( 1.3.6.1.4.1.7165.1.2.2.8 NAME 'sambaIdmapEntry' SUP top STRUCTURAL + +objectclass ( 1.3.6.1.4.1.7165.1.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY DESC 'Mapping from a SID to an ID' MUST ( sambaSID ) - MAY ( uidNumber $ gidNumber )) + MAY ( uidNumber $ gidNumber ) ) + +objectclass ( 1.3.6.1.4.1.7165.1.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL + DESC 'Structural Class for a SID' + MUST ( sambaSID ) ) -- cgit From 0722fc16a445a47ef3aaa60e7a0e5324bfcf55eb Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 20 Aug 2003 16:08:39 +0000 Subject: fix comments about schema dependencies (This used to be commit f72f51d39ff3e6d22dbda8b9c115ca10e93e7022) --- examples/LDAP/samba.schema | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index 6e8387f16e..14cd720588 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema 
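Review bot: sambaIdmapEntry changes from STRUCTURAL to AUXILIARY, so any entry created under the previous definition with only `objectClass: sambaIdmapEntry` no longer has a structural class and will be rejected once a server enforces the rule the comment earlier in this file anticipates for OpenLDAP 2.1. The new sambaSidEntry appears to be the intended structural carrier; a comment above sambaIdmapEntry, `## AUXILIARY: attach to an existing account entry, or to a sambaSidEntry when none exists`, plus a migration note that existing mapping entries need `objectClass: sambaSidEntry` added, would make the change safe to roll out. The new OID `1.3.6.1.4.1.7165.1.2.2.9` continues the `7165.1.2.2` arc that differs from the `7165.2.2.x` arc the file header documents for objectclasses.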
@@ -1,10 +1,11 @@ ## -## schema file for OpenLDAP 2.0.x -## Schema for storing Samba's smbpasswd file in LDAP +## schema file for OpenLDAP 2.x +## Schema for storing Samba user accounts and group maps in LDAP ## OIDs are owned by the Samba Team ## -## Prerequisite schemas - uid (cosine.schema) +## Prerequisite schemas - uid (cosine.schema) ## - displayName (inetorgperson.schema) +## - gidNumber (nis.schema) ## ## 1.3.6.1.4.1.7165.2.1.x - attributetypes ## 1.3.6.1.4.1.7165.2.2.x - objectclasses -- cgit From a750624f4d005e2bc415e86a38947a7fa10d0cb9 Mon Sep 17 00:00:00 2001 
From: Gerald Carter Date: Wed, 20 Aug 2003 21:52:52 +0000 Subject: checlking in initial version of 2.2 scripts so I can start updating them (This used to be commit 766a5070d58ada7a871a7fab45b5f7e203264952) --- examples/LDAP/smbldap-tools/AUTHORS | 0 examples/LDAP/smbldap-tools/CONTRIBUTORS | 29 + examples/LDAP/smbldap-tools/COPYING | 340 +++++++++ examples/LDAP/smbldap-tools/ChangeLog | 29 + examples/LDAP/smbldap-tools/FILES | 43 ++ examples/LDAP/smbldap-tools/INFRASTRUCTURE | 84 +++ examples/LDAP/smbldap-tools/INSTALL | 28 + examples/LDAP/smbldap-tools/Makefile | 35 + examples/LDAP/smbldap-tools/NEWS | 0 examples/LDAP/smbldap-tools/README | 87 +++ examples/LDAP/smbldap-tools/TODO | 27 + examples/LDAP/smbldap-tools/cgi/README | 27 + examples/LDAP/smbldap-tools/cgi/ldappass.cgi | 202 ++++++ examples/LDAP/smbldap-tools/mkntpwd/Makefile | 62 ++ examples/LDAP/smbldap-tools/mkntpwd/getopt.c | 756 +++++++++++++++++++++ examples/LDAP/smbldap-tools/mkntpwd/getopt.h | 133 ++++ examples/LDAP/smbldap-tools/mkntpwd/md4.c | 171 +++++ examples/LDAP/smbldap-tools/mkntpwd/mkntpwd.c | 253 +++++++ examples/LDAP/smbldap-tools/mkntpwd/mkntpwd.h | 17 + examples/LDAP/smbldap-tools/mkntpwd/smbdes.c | 337 +++++++++ examples/LDAP/smbldap-tools/smbldap-groupadd.pl | 84 +++ examples/LDAP/smbldap-tools/smbldap-groupdel.pl | 93 +++ examples/LDAP/smbldap-tools/smbldap-groupmod.pl | 211 ++++++ examples/LDAP/smbldap-tools/smbldap-groupshow.pl | 72 ++ .../LDAP/smbldap-tools/smbldap-migrate-accounts.pl | 234 +++++++ .../LDAP/smbldap-tools/smbldap-migrate-groups.pl | 225 ++++++ examples/LDAP/smbldap-tools/smbldap-passwd.pl | 215 ++++++ examples/LDAP/smbldap-tools/smbldap-populate.pl | 294 ++++++++ examples/LDAP/smbldap-tools/smbldap-tools.spec | 169 +++++ examples/LDAP/smbldap-tools/smbldap-useradd.pl | 460 +++++++++++++ examples/LDAP/smbldap-tools/smbldap-userdel.pl | 122 ++++ examples/LDAP/smbldap-tools/smbldap-usermod.pl | 403 +++++++++++ examples/LDAP/smbldap-tools/smbldap-usershow.pl | 69 ++ 
examples/LDAP/smbldap-tools/smbldap_conf.pm | 249 +++++++ examples/LDAP/smbldap-tools/smbldap_tools.pm | 583 ++++++++++++++++ 35 files changed, 6143 insertions(+) create mode 100644 examples/LDAP/smbldap-tools/AUTHORS create mode 100644 examples/LDAP/smbldap-tools/CONTRIBUTORS create mode 100644 examples/LDAP/smbldap-tools/COPYING create mode 100644 examples/LDAP/smbldap-tools/ChangeLog create mode 100644 examples/LDAP/smbldap-tools/FILES create mode 100644 examples/LDAP/smbldap-tools/INFRASTRUCTURE create mode 100644 examples/LDAP/smbldap-tools/INSTALL create mode 100644 examples/LDAP/smbldap-tools/Makefile create mode 100644 examples/LDAP/smbldap-tools/NEWS create mode 100644 examples/LDAP/smbldap-tools/README create mode 100644 examples/LDAP/smbldap-tools/TODO create mode 100644 examples/LDAP/smbldap-tools/cgi/README create mode 100755 examples/LDAP/smbldap-tools/cgi/ldappass.cgi create mode 100644 examples/LDAP/smbldap-tools/mkntpwd/Makefile create mode 100644 examples/LDAP/smbldap-tools/mkntpwd/getopt.c create mode 100644 examples/LDAP/smbldap-tools/mkntpwd/getopt.h create mode 100644 examples/LDAP/smbldap-tools/mkntpwd/md4.c create mode 100644 examples/LDAP/smbldap-tools/mkntpwd/mkntpwd.c create mode 100644 examples/LDAP/smbldap-tools/mkntpwd/mkntpwd.h create mode 100644 examples/LDAP/smbldap-tools/mkntpwd/smbdes.c create mode 100755 examples/LDAP/smbldap-tools/smbldap-groupadd.pl create mode 100755 examples/LDAP/smbldap-tools/smbldap-groupdel.pl create mode 100755 examples/LDAP/smbldap-tools/smbldap-groupmod.pl create mode 100755 examples/LDAP/smbldap-tools/smbldap-groupshow.pl create mode 100755 examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl create mode 100644 examples/LDAP/smbldap-tools/smbldap-migrate-groups.pl create mode 100755 examples/LDAP/smbldap-tools/smbldap-passwd.pl create mode 100755 examples/LDAP/smbldap-tools/smbldap-populate.pl create mode 100755 examples/LDAP/smbldap-tools/smbldap-tools.spec create mode 100755 
examples/LDAP/smbldap-tools/smbldap-useradd.pl create mode 100755 examples/LDAP/smbldap-tools/smbldap-userdel.pl create mode 100755 examples/LDAP/smbldap-tools/smbldap-usermod.pl create mode 100755 examples/LDAP/smbldap-tools/smbldap-usershow.pl create mode 100644 examples/LDAP/smbldap-tools/smbldap_conf.pm create mode 100755 examples/LDAP/smbldap-tools/smbldap_tools.pm (limited to 'examples/LDAP') diff --git a/examples/LDAP/smbldap-tools/AUTHORS b/examples/LDAP/smbldap-tools/AUTHORS new file mode 100644 index 0000000000..e69de29bb2 diff --git a/examples/LDAP/smbldap-tools/CONTRIBUTORS b/examples/LDAP/smbldap-tools/CONTRIBUTORS new file mode 100644 index 0000000000..9765a57e60 --- /dev/null +++ b/examples/LDAP/smbldap-tools/CONTRIBUTORS @@ -0,0 +1,29 @@ +# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/CONTRIBUTORS,v $ +# +## Authors and actives contributors to SMBLDAP-TOOLS + +Have contributed directly to this tools, or are always in charge of +some aspects of it developments (alphabetical order): + . Terry Davis + . David Le Corfec + . Olivier Lemaire + . Jrme Tournier + +Many thanks to contributors for bug report and patches: + . Gert-Jan Braas + bug report for 2.2.3 samba.schema + . Jody Haynes + originaly passwd.pl + . Brad Langhorst + package relocatability + . Mirko Manea + originaly useradd.pl + . Alain Richard + bug report and Perl tips + . Roland Schulz + bug report for smbldap-passwd + . Xavier Boschian + bug report for smbldap-populate + + +# - The End diff --git a/examples/LDAP/smbldap-tools/COPYING b/examples/LDAP/smbldap-tools/COPYING new file mode 100644 index 0000000000..32d0e6014a --- /dev/null +++ b/examples/LDAP/smbldap-tools/COPYING 
@@ -0,0 +1,340 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) 19yy + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. 
+ + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) 19yy name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Library General +Public License instead of this License. 
diff --git a/examples/LDAP/smbldap-tools/ChangeLog b/examples/LDAP/smbldap-tools/ChangeLog new file mode 100644 index 0000000000..9a0bc744e1 --- /dev/null +++ b/examples/LDAP/smbldap-tools/ChangeLog @@ -0,0 +1,29 @@ +# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/ChangeLog,v $ +# +## ChangeLog for SMBLDAP-TOOLS + +* 2002-06-03: notes to webmin.idealx.org (idxldapaccounts) +* 2002-06-01: release 0.7. tested with 2.2.4 +* 2002-05-31: fixed smbldap-populate compliance to smbldap_conf + cleaned up smbldap_conf to be more readable + some more documentation + bugfixes on smbldap-passwd and smbldap-populate +* 2002-05-16: modified default mode on homes: now 700 +* 2002-05-13: fixed spec (relocation and reqs) +* 2002-03-02: fixed 2.2.3 sambaAccount bug with smbldap-useradd.pl + (rid is now mandatory in the sambaAccount objectClass) +* 2002-02-14: just modified default populate for Administrator +* 2002-02-05: release 0.6. enable/disable user in usermod +* 2002-02-04: release 0.5. added smbldap-migrate-groups to migrate NT groups + from a net group dump. added samba parameters to smbldap-useradd + and smbldap-usermod. +* 2002-01-12: added smbldap-migrate-accounts to migrate users/machines + accounts from a PWDUMP dump +* 2001-12-13: added smbldap-populate to create the initial base +* 2001-12-13: initial release 0.1 +* 2001-12-12: fixed the SPEC file for RedHat +* 2001-12-03: cleaned the code and use strict; +* 2001-11-20: initial needs (for testing purpose on Samba-2.2.2 an Samba-TNG) + + +# - The End diff --git a/examples/LDAP/smbldap-tools/FILES b/examples/LDAP/smbldap-tools/FILES new file mode 100644 index 0000000000..48ee571b29 --- /dev/null +++ b/examples/LDAP/smbldap-tools/FILES 
@@ -0,0 +1,43 @@ +# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/FILES,v $ +# +## File listing for SMBLDAP-TOOLS + +CONTRIBUTORS : authors and contributors +COPYING : licence +FILES : this file listing +README : introduction and usage +TODO : feature request and bug report list +ChangeLog : changelog + +Core: +=-=-= +smbldap-groupadd.pl : to add a new group + (objectclass: posixGroup) +smbldap-groupdel.pl : to delete a group + (objectclass: posixGroup) +smbldap-groupmod.pl : to modify a group (mostly used to add user to a group) + (objectclass: posixGroup) +smbldap-groupshow.pl : to view a group + (objectclass: posixGroup) +smbldap_conf.pm : global configuration datas +smbldap_tools.pm : functions +smbldap-useradd.pl : to add a new user + (objectclass: posixAccount and/or sambaAccount) +smbldap-userdel.pl : to delete a user + (objectclass: posixAccount and/or sambaAccount) +smbldap-usermod.pl : to modify an user datas + (objectclass: posixAccount and/or sambaAccount) +smbldap-usershow.pl : to view an user datas + (objectclass: posixAccount and/or sambaAccount) +smbldap-passwd.pl : to sync passwd (Unix and Samba) + (a replacement for the system passwd utility) +smbldap-populate.pl : to add a builtin ldif to initialize your LDAP master for + smbldap use, or to add a specified ldif +smbldap-tools.spec : SPEC file for RedHat RPM package format + +Migration: +=-=-=-=-=- +smbldap-migrate-accounts.pl : add NT sam entries from pwdump to ldap +smbldap-migrate-groups.pl : add any LDAP posixGroups from the output of the 'net group' NT command + +# - The End diff --git a/examples/LDAP/smbldap-tools/INFRASTRUCTURE b/examples/LDAP/smbldap-tools/INFRASTRUCTURE new file mode 100644 index 0000000000..75b80bb4c8 --- /dev/null +++ b/examples/LDAP/smbldap-tools/INFRASTRUCTURE 
@@ -0,0 +1,84 @@ +# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/INFRASTRUCTURE,v $ +# +## Some notes about the architecture + + +Global Architecture for smbdlap-tools +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + +smbldap-tools help you manage users and groups for Unix and Samba, +using LDAP. They may be used in any context, and are kept relatively +simplier enought to let you customize them to you needs. + +They need the following objectClasses to work: + . sambaAccount: from samba.schema for Samba 2.2 branch + . posixAccount and posixGroup : from nis.schema + . organizationalUnit and dcObject: from core.schema + +They will probably use in a near future some additional objectClasses +to support : + . mail features (sendmail/postfix/qmail/courier). + . conform to RFC2307 best practices (and so some maps too like merging + Netbios computers (sambaAccounts) with ipHosts + +For ease of visualization of the LDAP objects by human standards, we +used a DIT like this one : + . dc=IDEALX,dc=org : the company/organization suffix + . ou=Users : to store users accounts + . ou=Computers : to store computers accounts + . ou=Groups : to store system groups +Of course, you're free to use a different naming scheme and DIT (see +smbldap_conf.pm). + + +Built in groups initial population +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + +smbldap-populate.pl populate the LDAP directory with some built in groups +using gidNumber according to Well Know RID of Windows NT4 Srv. In fact, As +far a Samba 2.2.x is concerned, only the 'Domain Admins' (gidNumber 512) have +real inpact on the Samba and Windows population. To activate this group as +the Domain Administrators Group, use the following smb.conf directive (see +man smb.conf for more): + + domain admin group = " @"Domain Admins" " + +Other built in groups are really cosmetic ones with Samba 2.2.x. We did not +removed them because one of these days, we whish to use Samba 3.0 where +Windows Group Support should be operational. 
+ +Why these specific gidNumbers ? +It's about unix/windows mapping of numerical ids with Samba. Ids below 1024 +are NT special ids. In fact, 512 is the RID (Windows uid/gid) for the +"Domain Administrators" NT group. The magic number is found in Samba sources +and possibly other Samba/Windows documentations. + +The goal is to have a set of Unix users who are Domain Administrators and can +modify Samba datas (eg. LDAP content), with commandline tools or within +Windows via Samba. + +Say you want to add a NT4 ws to an NT domain (controlled by a samba/ldap +server). You give the domain administrator's login and password in the +appropriate ws settings, then the ws contacts the samba server, which checks +the credentials and use them as unix user to run the smbldap-tools (if I +remember). Giving 512 as a RID to a LDAP entry marks it as a domain admin +for Samba (thus Windows). Using nss_ldap, you also have an account with +gid 512. + + +Known BUGS and WORKAROUND used +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + +The 2.2.2 has at least a bug : rid/primaryGroupID are read as hex in LDAP, +but written as decimal. Fixed in CVS by reading as decimal. By default +smbldap-useradd.pl writes decimal to LDAP. Use -x to support the odd +behaviour. + +The samba-2.2.4-ldapbindnotuid0.patch is not a perfect solution however +as the check is there because Samba store admin credentials to establish the +LDAP connection. The uid == 0 check was to ensure that a normal user could +not get write access to the LDAP backend. A more logical situation should be +done for 2.2.5 by checking if the user is a member of the domain admin group +(reported to Jerremy and Gerald 2002-05-28). + +# - The End diff --git a/examples/LDAP/smbldap-tools/INSTALL b/examples/LDAP/smbldap-tools/INSTALL new file mode 100644 index 0000000000..f4c72751a7 --- /dev/null +++ b/examples/LDAP/smbldap-tools/INSTALL 
@@ -0,0 +1,28 @@ +# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/INSTALL,v $ +# +## How To Install SMBLDAP-TOOLS + +Quick & Dirty: +=-=-=-=-=-=-=- + . Copy all those scripts in /usr/local/sbin/ + . Modify smbldap_conf.pm to match your configuration + . If not already done : "smbpasswd -w secret" to set up + the ldap admin password in secrets.tdb + . Either add /usr/local/sbin in $PERLLIB or run the scripts + from this directory, or make a symlink from /usr/local/sbin/*.pm + to /usr/lib/perl5/. + . to allow a domain admin to add user using "add user script" in smb.conf : + chmod 753 smbldap_conf.pm + chmod 750 smbldap-useradd.pl + chgrp 512 smbldap_conf.pm smbldap-useradd.pl (512 = 0x200 = Domain Admins) + Have your admin belong to this group + In smb.conf : domain admin group = " @"Domain Admins" " + +RedHat RPM: +=-=-=-=-=-= +Install smbldap-tools-0.7-1.i386.rpm +Modify /usr/local/sbin/smbldap_conf.pm to match you configuration +If not already done : "smbpasswd -w secret" to set up +the ldap admin password in secrets.tdb + +# - The End diff --git a/examples/LDAP/smbldap-tools/Makefile b/examples/LDAP/smbldap-tools/Makefile new file mode 100644 index 0000000000..3e5eac427d --- /dev/null +++ b/examples/LDAP/smbldap-tools/Makefile @@ -0,0 +1,35 @@ +PACKAGE=smbldap-tools +RELEASE=0.7 +DESTDIR = $(PACKAGE)-$(RELEASE) + +dist: distclean $(DESTDIR).tgz + +$(DESTDIR).tgz: .diststamp + rm -rf $(DESTDIR) + mkdir $(DESTDIR) + # copy files + cp CONTRIBUTORS $(DESTDIR) + cp COPYING $(DESTDIR) + cp ChangeLog $(DESTDIR) + cp FILES $(DESTDIR) + cp INSTALL $(DESTDIR) + cp README $(DESTDIR) + cp TODO $(DESTDIR) + cp INFRASTRUCTURE $(DESTDIR) + tar cf mkntpwd.tar mkntpwd + gzip mkntpwd.tar + cp mkntpwd.tar.gz $(DESTDIR) + cp smbldap-*.pl $(DESTDIR) + cp smbldap_*.pm $(DESTDIR) + # copy directories + tar cvzf $(DESTDIR).tgz $(DESTDIR) + rm -rf $(DESTDIR) + touch .diststamp + +.diststamp: + +distclean: + rm -f *~ + rm -f $(DESTDIR).tgz + rm -f mkntpwd.tar.gz + 
diff --git a/examples/LDAP/smbldap-tools/NEWS b/examples/LDAP/smbldap-tools/NEWS new file mode 100644 index 0000000000..e69de29bb2 diff --git a/examples/LDAP/smbldap-tools/README b/examples/LDAP/smbldap-tools/README new file mode 100644 index 0000000000..add0175c0c --- /dev/null +++ b/examples/LDAP/smbldap-tools/README 
@@ -0,0 +1,87 @@ +# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/README,v $ +# + +Latest version may be found at http://samba.idealx.org/ + + +What those tools are for? +=-=-=-=-=-=-=-=-=-=-=-=-= + +A collection of scripts, over user{add,del,mod} and group{add,del,mod} +system tools to manipulate users and groups stored in LDAP directory, +for DEN system like SAMBA-LDAP and pam/nss_ldap systems. + +Additionnaly, some scripts are designed to ease your migration from +a Windows NT 4.0 PDC Server to a Samba-LDAP PDC Server (Killer?;-): +smbldap-populate, smbldap-migrate-groups, smbldap-migrate-accounts. + +They are currently used with Samba 2.2.4, therefore you may (will) have +to make some fixes for Samba TNG and Samba 3.0. Hint: contribs welcome :) + +In the future, some other function may come (like backup and restore, +Novell migration tools, samba system activity report, dealing with +mail functions, compliance to RFC2307...): consult TODO. + + +What do SMBLDAP-TOOLS provide? +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +Those tools provide the following functions : + . populate LDAP database with a basic LDIF + . add a user or group + . delete a user or group + . modify all users or groups data (all attributes types stored in + posixAccount and sambaAccount object class) +Taking care of : + . staying compatible with all standard system tools options + (user/group{add,del,mod}) + . be extensible for future developments + (manipulation of shadow account options, for example) + . error management, in the way system tools do +Constraints : + . usage of PERL (portability) + . all options must be placed in an external configuration file + . english localization + +The current release uses the "mkntpwd" program, in mkntpwd.tar.gz +in the current directory. It comes from +http://www.demog.berkeley.edu/~aperrin/tips/src/mkntpwd.tar.gz +It allows to not use smbpasswd (if $with_smbpasswd == 0 in smbldap_conf.pm) + +What do SMBLDAP-TOOLS deliver? 
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +Contents : + . scripts (see FILES) + . user documentation in pod format, included in the sources + (or just use the -? option) + +These tools aim at delivering the same functionality as the corresponding +system tools. However they may not be all implemented yet. +Current limitations : + . no shadow support + . cannot change uid with usermod + . no UTF-8 support (thus ASCII-7 only) + + +How to generate documentation? +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +Just issue the following command: + perldoc name_of_script.pl (ex: perldoc smbldap-useradd.pl) + +Where can I find the latest release of those scripts? +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + +Just fire any web browser to http://samba.IDEALX.org/ +and/or contact samba@IDEALX.org + +Additionnaly, you will find an useful Webmin module +at http://webmin.IDEALX.org/ if interested in a graphical +user interface to manager user and groups accounts via Webmin +for your Samba+LDAP PDC. + +Let us know if these tools helped you, or if we should enhance +them with some functions you want them to support. + +Sincerly, + LEM + +# - The End diff --git a/examples/LDAP/smbldap-tools/TODO b/examples/LDAP/smbldap-tools/TODO new file mode 100644 index 0000000000..57424d462a --- /dev/null +++ b/examples/LDAP/smbldap-tools/TODO 
@@ -0,0 +1,27 @@ +# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/TODO,v $ +# +## TODO list - First In, Last in the list... +## (BF: Bug Report / FR: Feature Request) + + +FR * use RFC2307 best practices (Luke, next time you visit Paris, have a + beer at IDEALX'cantina ;-) +FR * add mail (sendmail/postfix/qmail/courier) support +FR * bugfix, really : allow non-root users to change passwd + (currently the config must be unreadable because of bindpasswd) +FR * make smbldap-tools to use system configuration files + (/etc/login.defs and /etc/ldap.conf for example) +FR * rewrite smbldap-tools using perl-ldap. In fact, this 0.x + release use ldap system tools (ldapadd,ldapdelete,ldapmodify) +FR * add shadowAccounts manipulation support +FR * internationalize the SMBLDAP-TOOLS +FR * add smbldap-sar : Samba System Activity Report to help + supporting Samba/LDAP sysadmin activity +FR * add smbldap-backup/smbldap-restore to backup and restore + a SAM (in LDAP) database. No sorcery, just LDIF, but usefull + for non-LDAP gurus +FR * adding migration tools from migration from W2K and NetWare to Samba-LDAP +FR * adapt smbldap-tools to use Samba 3.0 + + +# - The End diff --git a/examples/LDAP/smbldap-tools/cgi/README b/examples/LDAP/smbldap-tools/cgi/README new file mode 100644 index 0000000000..7a4fc0c02b --- /dev/null +++ b/examples/LDAP/smbldap-tools/cgi/README 
@@ -0,0 +1,27 @@ +Description: + A cgi to allow users to change their passwords via a web browser. + +Installation: + Drop this into a cgi-enabled directory on your webserver. + Edit it and change the CONFIGURATION section to suit your environment. + READ THE NOTES SECTION. + +Notes: This script will run as the user who runs your web server. So, to invoke the smbpasswd call, you must implement sudo. + Example of /etc/sudoers: + + # Host alias specification + # User alias specification + User_Alias PASSWD = apache + # Cmnd alias specification + Cmnd_Alias PASSWD = /usr/bin/smbpasswd + # User privilege specification + root ALL=(ALL) ALL + PASSWD ALL= NOPASSWD: PASSWD + + This concept is probably very insecure and broken. That is why this is a 0.1 release. :) + + +Feel free to drop me suggestions. I am a perl learner so I am always open to suggestions. + +Terry Davis +tdavis@approbation.org diff --git a/examples/LDAP/smbldap-tools/cgi/ldappass.cgi b/examples/LDAP/smbldap-tools/cgi/ldappass.cgi new file mode 100755 index 0000000000..4a5ecb8f3a --- /dev/null +++ b/examples/LDAP/smbldap-tools/cgi/ldappass.cgi 
@@ -0,0 +1,202 @@
+#!/usr/bin/perl
+
+################################################################################
+#
+# changepass.pl - A program to allow users to change their passwords
+# via a web browser.
+# Terry Davis
+#
+# URLs
+# Net::LDAP - http://
+# usermod and this file - http://www.cloudamster.com/cloudmaster/projects
+#
+# Release History:
+# Version 0.1 - initial write
+#
+# ToDo:
+# ... the ToDo section is on the ToDo list...
+#
+# Limitations:
+# The password cannot contain single and double quotes.....welcome to quoting hell....
+#
+# Notes:
+# This code is largely based on work done by Danny Sauer - http://www.cloudamster.com/cloudmaster/projects
+# His work is not licensed and is marked as 'freely distributable'.
+# Thank you to Danny for his hard work on the initial work.
+#
+################################################################################
+
+use CGI qw(:standard);
+use Net::LDAP;
+
+# CONFIGURATION SECTION
+$masterLDAP = "ldap.idealx.org";
+$basedn = "dc=IDEALX,dc=org";
+$masterPw = "";
+$masterDN = "cn=manager,$basedn";
+$ldap_path = "/usr/bin";
+$ldap_opts = "-x";
+$ldappasswd = "$ldap_path/ldappasswd $ldap_opts -h $masterLDAP -D '$masterDN' -w '$masterPw'";
+$usersdn = "ou=Users,$basedn";
+# END CONFIGURATION
+
+
+
+# DONT EDIT ANYTHING BELOW THIS LINE
+$logtag = "Login:";
+$passtag = "Current password:";
+$npasstag1 = "New password:";
+$npasstag2 = "Retype new pasword:";
+$error = "";
+$color = "";
+$stopcolor = "";
+
+if(param()){
+ nologin() unless ($username = param('login'));
+ nopass() unless ($oldpass = param('oldpass'));
+ nonewpass(1) unless ($newpass1 = param('newpass'));
+ nonewpass(2) unless ($newpass2 = param('newpass2'));
+ verifyuser($username) or die "bad user";
+ verifypass($username, $oldpass) or die "bad pass";
+ testnewpass($newpass1, $newpass2) or die "bad new pass";
+ changepass($username, $newpass1) or die "couldn't change pass";
+ printsuccess();
+}else{
+ printpage();
+}
+exit(0);
+
+sub 
verifyuser{
+ local $user = shift;
+ $ldap = Net::LDAP->new($masterLDAP) or die "can't make new LDAP object: $@";
+ $ldap->bind();
+ if (0 < $ldap->search(base => $basedn, filter => "(uid=$user)")->count){
+ return 1;
+ }
+ $logtag = $color . $logtag . $color;
+ $error = "No such user";
+ printpage();
+ return 0;
+}
+
+sub verifypass{
+ $uid = shift;
+ $pass = shift;
+ $ldap = Net::LDAP->new($masterLDAP) or die "can't make new LDAP object: $@";
+ $binddn = "uid=$uid,ou=People,$basedn";
+ return 1 if($ldap->bind( $binddn, password => $pass)->code == 0);
+ if($ldap->bind()){
+ $passtag = $color . $passtag . $color;
+ $error = "Incorrect password";
+ printpage();
+ return 0;
+ }else{
+ print header, start_html(-title=>"LDAP dead");
+ print h2("
The LDAP server is temporarily unavailable."),
+ p,"Please try again later
";
+ return 0;
+ }die "Something (or someone) is defective, contact your friendly Systems Administrator";
+}
+
+sub testnewpass{
+ $p1 = shift; $p2 = shift;
+ if ($p1 ne $p2){
+ $npasstag1 = $color . $npasstag1 . $color;
+ $npasstag2 = $color . $npasstag2 . $color;
+ $error = "Passwords don't match ($p1 vs $p2)";
+ printpage();
+ return 0;
+ }
+ if ($p1 =~ /"/ ){
+ $npasstag1 = $color . $npasstag1 . $color;
+ $npasstag2 = $color . $npasstag2 . $color;
+ $error = "Passwords cannot contain double quotes. Sorry";
+ printpage();
+ return 0;
+ }
+ if ($p1 =~ /'/ ){
+ $npasstag1 = $color . $npasstag1 . $color;
+ $npasstag2 = $color . $npasstag2 . $color;
+ $error = "Passwords cannot contain single quotes. Sorry";
+ printpage();
+ return 0;
+ }
+ return 1;
+}
+
+sub changepass{
+ local $user = shift;
+ local $newpass = shift;
+ local $dn = "uid=$user,$usersdn";
+ system "$ldappasswd $dn -s '$newpass' > /dev/null";
+ `/usr/bin/sudo /usr/bin/smbpasswd $user "$newpass"`;
+ exit(1);
+}
+
+sub nologin{
+ $logtag = $color . $logtag . $color;
+ $error = "You need to enter a Login Name";
+ printpage();
+ exit(1);
+}
+
+sub nopass{
+ $passtag = $color . $passtag . $color;
+ $error = "Please enter your old password";
+ printpage();
+ exit(1);
+}
+
+sub nonewpass{
+ $f=shift;
+ $npasstag1 = $color . $npasstag1 . $color if($f==1);
+ $npasstag2 = $color . $npasstag2 . $color if($f==2);
+ $error = "You need to enter your new password";
+ $error .= " twice" if($f==2);
+ printpage();
+ exit(1);
+}
+
+sub printpage{
+ print header,
+ start_html(-title=> "Password Change Page",
+ -author=> 'tdavis@birddog.com',
+ -BGCOLOR=> 'WHITE'),
+ h3('Password Change Page'),
+ startform(-method=>'POST'),
+ "",
+ "",
+ "
 ",
+ $logtag,
+ "",
+ textfield(-name=>'login', -default=>$login,
+ -size=>15, -maxlength=>20),
+ "
 ",
+ $passtag,
+ "",
+ password_field(-name=>'oldpass', -size=>15, -maxlength=>25),
+ "
 ",
+ $npasstag1,
+ "",
+ password_field(-name=>'newpass', -size=>15, -maxlength=>25),
+ "
 ",
+ $npasstag2,
+ "",
+ password_field(-name=>'newpass2', -size=>15, -maxlength=>25),
+ "
 ",
+ submit(-name=>"change"),reset(),
+ "
 ",
+ "",
+ endform(),
+ "$error",
+ end_html;
+}
+
+sub printsuccess(){
+ print header,
+ start_html(-title=> "Success",
+ -BGCOLOR=> 'WHITE'),
+ h1("Password Succesfully Changed"),
+ "
", + end_html; +} diff --git a/examples/LDAP/smbldap-tools/mkntpwd/Makefile b/examples/LDAP/smbldap-tools/mkntpwd/Makefile new file mode 100644 index 0000000000..23c9d471b0 --- /dev/null +++ b/examples/LDAP/smbldap-tools/mkntpwd/Makefile @@ -0,0 +1,62 @@ +# Makefile for l0phtcrack - mudge@l0pht.com 11/1/96 + +# C compiler +#CC=cc +CC=gcc + +# Uncomment the following to add symbols to the code for debugging +#DEBUG=-g -Wall -D_DEBUG +#DEBUG=-D_DEBUG + +# Optimization for the compiler +#OPTIMIZE= +OPTIMIZE=-O2 + +# Choose your architecture +# note that if you are on a big-endian machine like SUN's +# I haven't tweaked the mem-cmp's and md4 stuff to be in +# the correct order yet. You're on your own right now. +# +# FreeBSD +ARCH=-DMPU8086 +STATIC= +XLIBS= +# +# SUNOS +#ARCH=-DBIGENDIAN +#STATIC= +#OPTIMIZE=-O2 +#XLIBS= +# +# ULTRA_SPARC w/ native compiler +#ARCH=-DBIGENDIAN +#STATIC= +#OPTIMIZE=-fast -xO4 -xdepend -xchip=ultra -xarch=v8plus +#XLIBS= +# +# SunOS/Solaris w/gcc +#ARCH=-DBIGENDIAN -DTEST +#STATIC= +#OPTIMIZE=-O2 +#XLIBS= +# +# NeXTStep 3.2 +#CC=cc +#ARCH=-DBIGENDIAN +#STATIC=-Bstatic +#OPTIMIZE= +#XLIBS= + +CFLAGS= $(DEBUG) $(OPTIMIZE) $(ARCH) $(VISUAL) $(PERMUTE) $(STATIC) + +OBJS = getopt.o md4.o mkntpwd.o smbdes.o + +mkntpwd: $(OBJS) + $(CC) $(CFLAGS) $(XLIBS) -o mkntpwd $(OBJS) + +clean: + rm -f core *.o mkntpwd + +install: mkntpwd + install -m 555 mkntpwd $(PREFIX)/sbin/mkntpwd + diff --git a/examples/LDAP/smbldap-tools/mkntpwd/getopt.c b/examples/LDAP/smbldap-tools/mkntpwd/getopt.c new file mode 100644 index 0000000000..5b2e7a9100 --- /dev/null +++ b/examples/LDAP/smbldap-tools/mkntpwd/getopt.c 
@@ -0,0 +1,756 @@ +/* Getopt for GNU. + NOTE: getopt is now part of the C library, so if you don't know what + "Keep this file name-space clean" means, talk to roland@gnu.ai.mit.edu + before changing it! + + Copyright (C) 1987, 88, 89, 90, 91, 92, 93, 94 + Free Software Foundation, Inc. + +This file is part of the GNU C Library. Its master source is NOT part of +the C library, however. The master source lives in /gd/gnu/lib. + +The GNU C Library is free software; you can redistribute it and/or +modify it under the terms of the GNU Library General Public License as +published by the Free Software Foundation; either version 2 of the +License, or (at your option) any later version. + +The GNU C Library is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +Library General Public License for more details. + +You should have received a copy of the GNU Library General Public +License along with the GNU C Library; see the file COPYING.LIB. If +not, write to the Free Software Foundation, Inc., 675 Mass Ave, +Cambridge, MA 02139, USA. */ + +/* This tells Alpha OSF/1 not to define a getopt prototype in . + Ditto for AIX 3.2 and . */ +#ifndef _NO_PROTO +#define _NO_PROTO +#endif + +#ifdef HAVE_CONFIG_H +#include +#endif + +#if !defined (__STDC__) || !__STDC__ +/* This is a separate conditional since some stdc systems + reject `defined (const)'. */ +#ifndef const +#define const +#endif +#endif + +#include + +#ifdef WIN32 +#include +#endif + +/* Comment out all this code if we are using the GNU C Library, and are not + actually compiling the library itself. This code is part of the GNU C + Library, but also included in many other GNU distributions. Compiling + and linking in this code is a waste when using the GNU C library + (especially if it is a shared library). 
Rather than having every GNU + program understand `configure --with-gnu-libc' and omit the object files, + it is simpler to just do this in the source for each such file. */ + +#if defined (_LIBC) || !defined (__GNU_LIBRARY__) + + +/* This needs to come after some library #include + to get __GNU_LIBRARY__ defined. */ +#ifdef __GNU_LIBRARY__ +/* Don't include stdlib.h for non-GNU C libraries because some of them + contain conflicting prototypes for getopt. */ +#include +#endif /* GNU C library. */ + +/* This version of `getopt' appears to the caller like standard Unix `getopt' + but it behaves differently for the user, since it allows the user + to intersperse the options with the other arguments. + + As `getopt' works, it permutes the elements of ARGV so that, + when it is done, all the options precede everything else. Thus + all application programs are extended to handle flexible argument order. + + Setting the environment variable POSIXLY_CORRECT disables permutation. + Then the behavior is completely standard. + + GNU application programs can use a third alternative mode in which + they can distinguish the relative order of options and other arguments. */ + +#include "getopt.h" + +/* For communication from `getopt' to the caller. + When `getopt' finds an option that takes an argument, + the argument value is returned here. + Also, when `ordering' is RETURN_IN_ORDER, + each non-option ARGV-element is returned here. */ + +char *optarg = NULL; + +/* Index in ARGV of the next element to be scanned. + This is used for communication to and from the caller + and for communication between successive calls to `getopt'. + + On entry to `getopt', zero means this is the first call; initialize. + + When `getopt' returns EOF, this is the index of the first of the + non-option elements that the caller should itself scan. + + Otherwise, `optind' communicates from one call to the next + how much of ARGV has been scanned so far. 
*/ + +/* XXX 1003.2 says this must be 1 before any call. */ +int optind = 0; + +/* The next char to be scanned in the option-element + in which the last option character we returned was found. + This allows us to pick up the scan where we left off. + + If this is zero, or a null string, it means resume the scan + by advancing to the next ARGV-element. */ + +static char *nextchar; + +/* Callers store zero here to inhibit the error message + for unrecognized options. */ + +int opterr = 1; + +/* Set to an option character which was unrecognized. + This must be initialized on some systems to avoid linking in the + system's own getopt implementation. */ + +int optopt = '?'; + +/* Describe how to deal with options that follow non-option ARGV-elements. + + If the caller did not specify anything, + the default is REQUIRE_ORDER if the environment variable + POSIXLY_CORRECT is defined, PERMUTE otherwise. + + REQUIRE_ORDER means don't recognize them as options; + stop option processing when the first non-option is seen. + This is what Unix does. + This mode of operation is selected by either setting the environment + variable POSIXLY_CORRECT, or using `+' as the first character + of the list of option characters. + + PERMUTE is the default. We permute the contents of ARGV as we scan, + so that eventually all the non-options are at the end. This allows options + to be given in any order, even with programs that were not written to + expect this. + + RETURN_IN_ORDER is an option available to programs that were written + to expect options and other ARGV-elements in any order and that care about + the ordering of the two. We describe each non-option ARGV-element + as if it were the argument of an option with character code 1. + Using `-' as the first character of the list of option characters + selects this mode of operation. + + The special argument `--' forces an end of option-scanning regardless + of the value of `ordering'. 
In the case of RETURN_IN_ORDER, only + `--' can cause `getopt' to return EOF with `optind' != ARGC. */ + +static enum +{ + REQUIRE_ORDER, PERMUTE, RETURN_IN_ORDER +} ordering; + +/* Value of POSIXLY_CORRECT environment variable. */ +static char *posixly_correct; + +#ifdef __GNU_LIBRARY__ +/* We want to avoid inclusion of string.h with non-GNU libraries + because there are many ways it can cause trouble. + On some systems, it contains special magic macros that don't work + in GCC. */ +#include +#define my_index strchr +#else + +/* Avoid depending on library functions or files + whose names are inconsistent. */ + +char *getenv (); + +static char * +my_index (str, chr) + const char *str; + int chr; +{ + while (*str) + { + if (*str == chr) + return (char *) str; + str++; + } + return 0; +} + +/* If using GCC, we can safely declare strlen this way. + If not using GCC, it is ok not to declare it. */ +#ifdef __GNUC__ +/* Note that Motorola Delta 68k R3V7 comes with GCC but not stddef.h. + That was relevant to code that was here before. */ +#if !defined (__STDC__) || !__STDC__ +/* gcc with -traditional declares the built-in strlen to return int, + and has done so at least since version 2.4.5. -- rms. */ +extern int strlen (const char *); +#endif /* not __STDC__ */ +#endif /* __GNUC__ */ + +#endif /* not __GNU_LIBRARY__ */ + +/* Handle permutation of arguments. */ + +/* Describe the part of ARGV that contains non-options that have + been skipped. `first_nonopt' is the index in ARGV of the first of them; + `last_nonopt' is the index after the last of them. */ + +static int first_nonopt; +static int last_nonopt; + +/* Exchange two adjacent subsequences of ARGV. + One subsequence is elements [first_nonopt,last_nonopt) + which contains all the non-options that have been skipped so far. + The other is elements [last_nonopt,optind), which contains all + the options processed since those non-options were skipped. 
+ + `first_nonopt' and `last_nonopt' are relocated so that they describe + the new indices of the non-options in ARGV after they are moved. */ + +static void +exchange (argv) + char **argv; +{ + int bottom = first_nonopt; + int middle = last_nonopt; + int top = optind; + char *tem; + + /* Exchange the shorter segment with the far end of the longer segment. + That puts the shorter segment into the right place. + It leaves the longer segment in the right place overall, + but it consists of two parts that need to be swapped next. */ + + while (top > middle && middle > bottom) + { + if (top - middle > middle - bottom) + { + /* Bottom segment is the short one. */ + int len = middle - bottom; + register int i; + + /* Swap it with the top part of the top segment. */ + for (i = 0; i < len; i++) + { + tem = argv[bottom + i]; + argv[bottom + i] = argv[top - (middle - bottom) + i]; + argv[top - (middle - bottom) + i] = tem; + } + /* Exclude the moved bottom segment from further swapping. */ + top -= len; + } + else + { + /* Top segment is the short one. */ + int len = top - middle; + register int i; + + /* Swap it with the bottom part of the bottom segment. */ + for (i = 0; i < len; i++) + { + tem = argv[bottom + i]; + argv[bottom + i] = argv[middle + i]; + argv[middle + i] = tem; + } + /* Exclude the moved top segment from further swapping. */ + bottom += len; + } + } + + /* Update records for the slots the non-options now occupy. */ + + first_nonopt += (optind - last_nonopt); + last_nonopt = optind; +} + +/* Initialize the internal data when the first call is made. */ + +static const char * +_getopt_initialize (optstring) + const char *optstring; +{ + /* Start processing options with ARGV-element 1 (since ARGV-element 0 + is the program name); the sequence of previously skipped + non-option ARGV-elements is empty. 
*/ + + first_nonopt = last_nonopt = optind = 1; + + nextchar = NULL; + + posixly_correct = getenv ("POSIXLY_CORRECT"); + + /* Determine how to handle the ordering of options and nonoptions. */ + + if (optstring[0] == '-') + { + ordering = RETURN_IN_ORDER; + ++optstring; + } + else if (optstring[0] == '+') + { + ordering = REQUIRE_ORDER; + ++optstring; + } + else if (posixly_correct != NULL) + ordering = REQUIRE_ORDER; + else + ordering = PERMUTE; + + return optstring; +} + +/* Scan elements of ARGV (whose length is ARGC) for option characters + given in OPTSTRING. + + If an element of ARGV starts with '-', and is not exactly "-" or "--", + then it is an option element. The characters of this element + (aside from the initial '-') are option characters. If `getopt' + is called repeatedly, it returns successively each of the option characters + from each of the option elements. + + If `getopt' finds another option character, it returns that character, + updating `optind' and `nextchar' so that the next call to `getopt' can + resume the scan with the following option character or ARGV-element. + + If there are no more option characters, `getopt' returns `EOF'. + Then `optind' is the index in ARGV of the first ARGV-element + that is not an option. (The ARGV-elements have been permuted + so that those that are not options now come last.) + + OPTSTRING is a string containing the legitimate option characters. + If an option character is seen that is not listed in OPTSTRING, + return '?' after printing an error message. If you set `opterr' to + zero, the error message is suppressed but we still return '?'. + + If a char in OPTSTRING is followed by a colon, that means it wants an arg, + so the following text in the same ARGV-element, or the text of the following + ARGV-element, is returned in `optarg'. Two colons mean an option that + wants an optional arg; if there is text in the current ARGV-element, + it is returned in `optarg', otherwise `optarg' is set to zero. 
+ + If OPTSTRING starts with `-' or `+', it requests different methods of + handling the non-option ARGV-elements. + See the comments about RETURN_IN_ORDER and REQUIRE_ORDER, above. + + Long-named options begin with `--' instead of `-'. + Their names may be abbreviated as long as the abbreviation is unique + or is an exact match for some defined option. If they have an + argument, it follows the option name in the same ARGV-element, separated + from the option name by a `=', or else the in next ARGV-element. + When `getopt' finds a long-named option, it returns 0 if that option's + `flag' field is nonzero, the value of the option's `val' field + if the `flag' field is zero. + + The elements of ARGV aren't really const, because we permute them. + But we pretend they're const in the prototype to be compatible + with other systems. + + LONGOPTS is a vector of `struct option' terminated by an + element containing a name which is zero. + + LONGIND returns the index in LONGOPT of the long-named option found. + It is only valid when a long-named option has been found by the most + recent call. + + If LONG_ONLY is nonzero, '-' as well as '--' can introduce + long-named options. */ + +int +_getopt_internal (argc, argv, optstring, longopts, longind, long_only) + int argc; + char *const *argv; + const char *optstring; + const struct option *longopts; + int *longind; + int long_only; +{ + optarg = NULL; + + if (optind == 0) + optstring = _getopt_initialize (optstring); + + if (nextchar == NULL || *nextchar == '\0') + { + /* Advance to the next ARGV-element. */ + + if (ordering == PERMUTE) + { + /* If we have just processed some options following some non-options, + exchange them so that the options come first. */ + + if (first_nonopt != last_nonopt && last_nonopt != optind) + exchange ((char **) argv); + else if (last_nonopt != optind) + first_nonopt = optind; + + /* Skip any additional non-options + and extend the range of non-options previously skipped. 
*/ + + while (optind < argc + && (argv[optind][0] != '-' || argv[optind][1] == '\0')) + optind++; + last_nonopt = optind; + } + + /* The special ARGV-element `--' means premature end of options. + Skip it like a null option, + then exchange with previous non-options as if it were an option, + then skip everything else like a non-option. */ + + if (optind != argc && !strcmp (argv[optind], "--")) + { + optind++; + + if (first_nonopt != last_nonopt && last_nonopt != optind) + exchange ((char **) argv); + else if (first_nonopt == last_nonopt) + first_nonopt = optind; + last_nonopt = argc; + + optind = argc; + } + + /* If we have done all the ARGV-elements, stop the scan + and back over any non-options that we skipped and permuted. */ + + if (optind == argc) + { + /* Set the next-arg-index to point at the non-options + that we previously skipped, so the caller will digest them. */ + if (first_nonopt != last_nonopt) + optind = first_nonopt; + return EOF; + } + + /* If we have come to a non-option and did not permute it, + either stop the scan or describe it to the caller and pass it by. */ + + if ((argv[optind][0] != '-' || argv[optind][1] == '\0')) + { + if (ordering == REQUIRE_ORDER) + return EOF; + optarg = argv[optind++]; + return 1; + } + + /* We have found another option-ARGV-element. + Skip the initial punctuation. */ + + nextchar = (argv[optind] + 1 + + (longopts != NULL && argv[optind][1] == '-')); + } + + /* Decode the current option-ARGV-element. */ + + /* Check whether the ARGV-element is a long option. + + If long_only and the ARGV-element has the form "-f", where f is + a valid short option, don't consider it an abbreviated form of + a long option that starts with f. Otherwise there would be no + way to give the -f short option. + + On the other hand, if there's a long option "fubar" and + the ARGV-element is "-fu", do consider that an abbreviation of + the long option, just like "--fu", and not "-f" with arg "u". 
+ + This distinction seems to be the most useful approach. */ + + if (longopts != NULL + && (argv[optind][1] == '-' + || (long_only && (argv[optind][2] || !my_index (optstring, argv[optind][1]))))) + { + char *nameend; + const struct option *p; + const struct option *pfound = NULL; + int exact = 0; + int ambig = 0; + int indfound = 0; /* set to zero by Anton */ + int option_index; + + for (nameend = nextchar; *nameend && *nameend != '='; nameend++) + /* Do nothing. */ ; + + /* Test all long options for either exact match + or abbreviated matches. */ + for (p = longopts, option_index = 0; p->name; p++, option_index++) + if (!strncmp(p->name, nextchar, nameend - nextchar)) + { + if ((unsigned int)(nameend - nextchar) == (unsigned int)strlen (p->name)) + { + /* Exact match found. */ + pfound = p; + indfound = option_index; + exact = 1; + break; + } + else if (pfound == NULL) + { + /* First nonexact match found. */ + pfound = p; + indfound = option_index; + } + else + /* Second or later nonexact match found. */ + ambig = 1; + } + + if (ambig && !exact) + { + if (opterr) + fprintf (stderr, "%s: option `%s' is ambiguous\n", + argv[0], argv[optind]); + nextchar += strlen (nextchar); + optind++; + return '?'; + } + + if (pfound != NULL) + { + option_index = indfound; + optind++; + if (*nameend) + { + /* Don't test has_arg with >, because some C compilers don't + allow it to be used on enums. 
*/ + if (pfound->has_arg) + optarg = nameend + 1; + else + { + if (opterr) + { + if (argv[optind - 1][1] == '-') + /* --option */ + fprintf (stderr, + "%s: option `--%s' doesn't allow an argument\n", + argv[0], pfound->name); + else + /* +option or -option */ + fprintf (stderr, + "%s: option `%c%s' doesn't allow an argument\n", + argv[0], argv[optind - 1][0], pfound->name); + } + nextchar += strlen (nextchar); + return '?'; + } + } + else if (pfound->has_arg == 1) + { + if (optind < argc) + optarg = argv[optind++]; + else + { + if (opterr) + fprintf (stderr, "%s: option `%s' requires an argument\n", + argv[0], argv[optind - 1]); + nextchar += strlen (nextchar); + return optstring[0] == ':' ? ':' : '?'; + } + } + nextchar += strlen (nextchar); + if (longind != NULL) + *longind = option_index; + if (pfound->flag) + { + *(pfound->flag) = pfound->val; + return 0; + } + return pfound->val; + } + + /* Can't find it as a long option. If this is not getopt_long_only, + or the option starts with '--' or is not a valid short + option, then it's an error. + Otherwise interpret it as a short option. */ + if (!long_only || argv[optind][1] == '-' + || my_index (optstring, *nextchar) == NULL) + { + if (opterr) + { + if (argv[optind][1] == '-') + /* --option */ + fprintf (stderr, "%s: unrecognized option `--%s'\n", + argv[0], nextchar); + else + /* +option or -option */ + fprintf (stderr, "%s: unrecognized option `%c%s'\n", + argv[0], argv[optind][0], nextchar); + } + nextchar = (char *) ""; + optind++; + return '?'; + } + } + + /* Look at and handle the next short option-character. */ + + { + char c = *nextchar++; + char *temp = my_index (optstring, c); + + /* Increment `optind' when we start to process its last character. */ + if (*nextchar == '\0') + ++optind; + + if (temp == NULL || c == ':') + { + if (opterr) + { + if (posixly_correct) + /* 1003.2 specifies the format of this message. 
*/ + fprintf (stderr, "%s: illegal option -- %c\n", argv[0], c); + else + fprintf (stderr, "%s: invalid option -- %c\n", argv[0], c); + } + optopt = c; + return '?'; + } + if (temp[1] == ':') + { + if (temp[2] == ':') + { + /* This is an option that accepts an argument optionally. */ + if (*nextchar != '\0') + { + optarg = nextchar; + optind++; + } + else + optarg = NULL; + nextchar = NULL; + } + else + { + /* This is an option that requires an argument. */ + if (*nextchar != '\0') + { + optarg = nextchar; + /* If we end this ARGV-element by taking the rest as an arg, + we must advance to the next element now. */ + optind++; + } + else if (optind == argc) + { + if (opterr) + { + /* 1003.2 specifies the format of this message. */ + fprintf (stderr, "%s: option requires an argument -- %c\n", + argv[0], c); + } + optopt = c; + if (optstring[0] == ':') + c = ':'; + else + c = '?'; + } + else + /* We already incremented `optind' once; + increment it again when taking next ARGV-elt as argument. */ + optarg = argv[optind++]; + nextchar = NULL; + } + } + return c; + } +} + +int +getopt (argc, argv, optstring) + int argc; + char *const *argv; + const char *optstring; +{ + return _getopt_internal (argc, argv, optstring, + (const struct option *) 0, + (int *) 0, + 0); +} + +#endif /* _LIBC or not __GNU_LIBRARY__. */ + +#ifdef TEST + +/* Compile with -DTEST to make an executable for use in testing + the above definition of `getopt'. */ + +int +main (argc, argv) + int argc; + char **argv; +{ + int c; + int digit_optind = 0; + + while (1) + { + int this_option_optind = optind ? 
optind : 1; + + c = getopt (argc, argv, "abc:d:0123456789"); + if (c == EOF) + break; + + switch (c) + { + case '0': + case '1': + case '2': + case '3': + case '4': + case '5': + case '6': + case '7': + case '8': + case '9': + if (digit_optind != 0 && digit_optind != this_option_optind) + printf ("digits occur in two different argv-elements.\n"); + digit_optind = this_option_optind; + printf ("option %c\n", c); + break; + + case 'a': + printf ("option a\n"); + break; + + case 'b': + printf ("option b\n"); + break; + + case 'c': + printf ("option c with value `%s'\n", optarg); + break; + + case '?': + break; + + default: + printf ("?? getopt returned character code 0%o ??\n", c); + } + } + + if (optind < argc) + { + printf ("non-option ARGV-elements: "); + while (optind < argc) + printf ("%s ", argv[optind++]); + printf ("\n"); + } + + exit (0); +} + +#endif /* TEST */ diff --git a/examples/LDAP/smbldap-tools/mkntpwd/getopt.h b/examples/LDAP/smbldap-tools/mkntpwd/getopt.h new file mode 100644 index 0000000000..f3696d955d --- /dev/null +++ b/examples/LDAP/smbldap-tools/mkntpwd/getopt.h 
@@ -0,0 +1,133 @@ +/* Declarations for getopt. + Copyright (C) 1989, 90, 91, 92, 93, 94 Free Software Foundation, Inc. + +This file is part of the GNU C Library. Its master source is NOT part of +the C library, however. The master source lives in /gd/gnu/lib. + +The GNU C Library is free software; you can redistribute it and/or +modify it under the terms of the GNU Library General Public License as +published by the Free Software Foundation; either version 2 of the +License, or (at your option) any later version. + +The GNU C Library is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +Library General Public License for more details. + +You should have received a copy of the GNU Library General Public +License along with the GNU C Library; see the file COPYING.LIB. If +not, write to the Free Software Foundation, Inc., 675 Mass Ave, +Cambridge, MA 02139, USA. */ + +#ifndef _GETOPT_H +#define _GETOPT_H 1 + +#ifdef __cplusplus +extern "C" { +#endif + +/* For communication from `getopt' to the caller. + When `getopt' finds an option that takes an argument, + the argument value is returned here. + Also, when `ordering' is RETURN_IN_ORDER, + each non-option ARGV-element is returned here. */ + +extern char *optarg; + +/* Index in ARGV of the next element to be scanned. + This is used for communication to and from the caller + and for communication between successive calls to `getopt'. + + On entry to `getopt', zero means this is the first call; initialize. + + When `getopt' returns EOF, this is the index of the first of the + non-option elements that the caller should itself scan. + + Otherwise, `optind' communicates from one call to the next + how much of ARGV has been scanned so far. */ + +extern int optind; + +/* Callers store zero here to inhibit the error message `getopt' prints + for unrecognized options. 
*/ + +extern int opterr; + +/* Set to an option character which was unrecognized. */ + +extern int optopt; + +/* Describe the long-named options requested by the application. + The LONG_OPTIONS argument to getopt_long or getopt_long_only is a vector + of `struct option' terminated by an element containing a name which is + zero. + + The field `has_arg' is: + no_argument (or 0) if the option does not take an argument, + required_argument (or 1) if the option requires an argument, + optional_argument (or 2) if the option takes an optional argument. + + If the field `flag' is not NULL, it points to a variable that is set + to the value given in the field `val' when the option is found, but + left unchanged if the option is not found. + + To have a long-named option do something other than set an `int' to + a compiled-in constant, such as set a value from `optarg', set the + option's `flag' field to zero and its `val' field to a nonzero + value (the equivalent single-letter option character, if there is + one). For long options that have a zero `flag' field, `getopt' + returns the contents of the `val' field. */ + +struct option +{ +#if defined (__STDC__) && __STDC__ + const char *name; +#else + char *name; +#endif + /* has_arg can't be an enum because some compilers complain about + type mismatches in all the code that assumes it is an int. */ + int has_arg; + int *flag; + int val; +}; + +/* Names for the values of the `has_arg' field of `struct option'. */ + +#define no_argument 0 +#define required_argument 1 +#define optional_argument 2 + +#if defined (__STDC__) && __STDC__ +#ifdef __GNU_LIBRARY__ +/* Many other libraries have conflicting prototypes for getopt, with + differences in the consts, in stdlib.h. To avoid compilation + errors, only prototype getopt for the GNU C library. 
*/ +extern int getopt (int argc, char *const *argv, const char *shortopts); +#else /* not __GNU_LIBRARY__ */ +extern int getopt (); +#endif /* __GNU_LIBRARY__ */ +extern int getopt_long (int argc, char *const *argv, const char *shortopts, + const struct option *longopts, int *longind); +extern int getopt_long_only (int argc, char *const *argv, + const char *shortopts, + const struct option *longopts, int *longind); + +/* Internal only. Users should not call this directly. */ +extern int _getopt_internal (int argc, char *const *argv, + const char *shortopts, + const struct option *longopts, int *longind, + int long_only); +#else /* not __STDC__ */ +extern int getopt (); +extern int getopt_long (); +extern int getopt_long_only (); + +extern int _getopt_internal (); +#endif /* __STDC__ */ + +#ifdef __cplusplus +} +#endif + +#endif /* _GETOPT_H */ diff --git a/examples/LDAP/smbldap-tools/mkntpwd/md4.c b/examples/LDAP/smbldap-tools/mkntpwd/md4.c new file mode 100644 index 0000000000..1c9c2e6ecd --- /dev/null +++ b/examples/LDAP/smbldap-tools/mkntpwd/md4.c 
@@ -0,0 +1,171 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ a implementation of MD4 designed for use in the SMB authentication protocol
+ Copyright (C) Andrew Tridgell 1997
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+
+/* NOTE: This code makes no attempt to be fast!
+
+ It assumes that a int is at least 32 bits long
+*/
+
+typedef unsigned int uint32;
+
+static uint32 A, B, C, D;
+
+static uint32 F(uint32 X, uint32 Y, uint32 Z)
+{
+ return (X&Y) | ((~X)&Z);
+}
+
+static uint32 G(uint32 X, uint32 Y, uint32 Z)
+{
+ return (X&Y) | (X&Z) | (Y&Z);
+}
+
+static uint32 H(uint32 X, uint32 Y, uint32 Z)
+{
+ return X^Y^Z;
+}
+
+static uint32 lshift(uint32 x, int s)
+{
+ x &= 0xFFFFFFFF;
+ return ((x<>(32-s));
+}
+
+#define ROUND1(a,b,c,d,k,s) a = lshift(a + F(b,c,d) + X[k], s)
+#define ROUND2(a,b,c,d,k,s) a = lshift(a + G(b,c,d) + X[k] + (uint32)0x5A827999,s)
+#define ROUND3(a,b,c,d,k,s) a = lshift(a + H(b,c,d) + X[k] + (uint32)0x6ED9EBA1,s)
+
+/* this applies md4 to 64 byte chunks */
+static void mdfour64(uint32 *M)
+{
+ int j;
+ uint32 AA, BB, CC, DD;
+ uint32 X[16];
+
+ for (j=0;j<16;j++)
+ X[j] = M[j];
+
+ AA = A; BB = B; CC = C; DD = D;
+
+ ROUND1(A,B,C,D, 0, 3); ROUND1(D,A,B,C, 1, 7);
+ ROUND1(C,D,A,B, 2, 11); ROUND1(B,C,D,A, 3, 19);
+ ROUND1(A,B,C,D, 4, 3); ROUND1(D,A,B,C, 5, 7);
+ ROUND1(C,D,A,B, 6, 11); ROUND1(B,C,D,A, 7, 19);
+ ROUND1(A,B,C,D, 8, 3); ROUND1(D,A,B,C, 9, 7);
+ ROUND1(C,D,A,B, 10, 11); ROUND1(B,C,D,A, 11, 19);
+ ROUND1(A,B,C,D, 12, 3); ROUND1(D,A,B,C, 13, 7);
+ ROUND1(C,D,A,B, 14, 11); ROUND1(B,C,D,A, 15, 19);
+
+ ROUND2(A,B,C,D, 0, 3); ROUND2(D,A,B,C, 4, 5);
+ ROUND2(C,D,A,B, 8, 9); ROUND2(B,C,D,A, 12, 13);
+ ROUND2(A,B,C,D, 1, 3); ROUND2(D,A,B,C, 5, 5);
+ ROUND2(C,D,A,B, 9, 9); ROUND2(B,C,D,A, 13, 13);
+ ROUND2(A,B,C,D, 2, 3); ROUND2(D,A,B,C, 6, 5);
+ ROUND2(C,D,A,B, 10, 9); ROUND2(B,C,D,A, 14, 13);
+ ROUND2(A,B,C,D, 3, 3); ROUND2(D,A,B,C, 7, 5);
+ ROUND2(C,D,A,B, 11, 9); ROUND2(B,C,D,A, 15, 13);
+
+ ROUND3(A,B,C,D, 0, 3); ROUND3(D,A,B,C, 8, 9);
+ ROUND3(C,D,A,B, 4, 11); ROUND3(B,C,D,A, 12, 15);
+ ROUND3(A,B,C,D, 2, 3); ROUND3(D,A,B,C, 10, 9);
+ ROUND3(C,D,A,B, 6, 11); ROUND3(B,C,D,A, 14, 15);
+ ROUND3(A,B,C,D, 1, 3); ROUND3(D,A,B,C, 9, 9);
+ ROUND3(C,D,A,B, 5, 11); ROUND3(B,C,D,A, 13, 15);
+ ROUND3(A,B,C,D, 3, 3); ROUND3(D,A,B,C, 11, 9);
+ ROUND3(C,D,A,B, 7, 11); ROUND3(B,C,D,A, 15, 15);
+
+ A += AA; B += BB; C += CC; D += DD;
+
+ A &= 0xFFFFFFFF; B &= 0xFFFFFFFF;
+ C &= 0xFFFFFFFF; D &= 0xFFFFFFFF;
+
+ for (j=0;j<16;j++)
+ X[j] = 0;
+}
+
+static void copy64(uint32 *M, unsigned char *in)
+{
+ int i;
+
+ for (i=0;i<16;i++)
+ M[i] = (in[i*4+3]<<24) | (in[i*4+2]<<16) |
+ (in[i*4+1]<<8) | (in[i*4+0]<<0);
+}
+
+static void copy4(unsigned char *out,uint32 x)
+{
+ out[0] = x&0xFF;
+ out[1] = (x>>8)&0xFF;
+ out[2] = (x>>16)&0xFF;
+ out[3] = (x>>24)&0xFF;
+}
+
+/* produce a md4 message digest from data of length n bytes */
+void mdfour(unsigned char *out, unsigned char *in, int n)
+{
+ unsigned char buf[128];
+ uint32 M[16];
+ uint32 b = n * 8;
+ int i;
+
+ A = 0x67452301;
+ B = 0xefcdab89;
+ C = 0x98badcfe;
+ D = 0x10325476;
+
+ while (n > 64) {
+ copy64(M, in);
+ mdfour64(M);
+ in += 64;
+ n -= 64;
+ }
+
+ for (i=0;i<128;i++)
+ buf[i] = 0;
+ memcpy(buf, in, n);
+ buf[n] = 0x80;
+
+ if (n <= 55) {
+ copy4(buf+56, b);
+ copy64(M, buf);
+ mdfour64(M);
+ } else {
+ copy4(buf+120, b);
+ copy64(M, buf);
+ mdfour64(M);
+ copy64(M, buf+64);
+ mdfour64(M);
+ }
+
+ for (i=0;i<128;i++)
+ buf[i] = 0;
+ copy64(M, buf);
+
+ copy4(out, A);
+ copy4(out+4, B);
+ copy4(out+8, C);
+ copy4(out+12, D);
+
+ A = B = C = D = 0;
+}
+
+
diff --git a/examples/LDAP/smbldap-tools/mkntpwd/mkntpwd.c b/examples/LDAP/smbldap-tools/mkntpwd/mkntpwd.c
new file mode 100644
index 0000000000..0c7d61e134
--- /dev/null
+++ b/examples/LDAP/smbldap-tools/mkntpwd/mkntpwd.c
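Review bot: `mdfour()` scrubs `buf` (the second `buf[i] = 0` loop) and the chaining state (`A = B = C = D = 0;`) before returning, but it does so by `copy64(M, buf)` over the zeroed buffer, so `M[16]` is only scrubbed on the exit path and `mdfour64()`'s own `X[j] = 0` loop covers just its local copy; the caller's stack still holds whatever intermediate the compiler kept, and in this tool the input is a password. Since these trailing stores are dead from the compiler's point of view they are also free to be dropped under the `-O2` the Makefile selects, so the scrub is best-effort at most; I'd add `/* best-effort scrub: a compiler may elide these dead stores */` above `A = B = C = D = 0;` and, where a volatile-qualified clear is available, use it for both `buf` and `M`. No `#include` directive appears anywhere in this hunk although `memcpy` is called to fill `buf`, so `<string.h>` looks to have been lost in the copy — worth confirming, since an implicitly declared `memcpy` is accepted silently by C89 compilers.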
@@ -0,0 +1,253 @@ +/* + This code is based on work from + L0phtcrack 1.5 06.02.97 mudge@l0pht.com + + The code also contains sources from: + . routines from the samba code source + md4.c smbdes.c + + Anton Roeckseisen (anton@genua.de) + +*/ + +/* + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "mkntpwd.h" + +void str_to_key(unsigned char *,unsigned char *); +void usage(char *); +int PutUniCode(char *dst,char *src); +void printlanhash(char *tmp); +void mdfour(unsigned char *out, unsigned char *in, int n); +void E_P16(unsigned char *p14,unsigned char *p16); + + +void main(int argc, char **argv) { + extern char *optarg; + int c; + + int printlan = 0; + char lanpwd[LMPASSWDLEN+1]; + int printnt = 0; + char inputfile[FILENAMEBUFFER+1] = ""; + FILE* InputFilePtr; + int just_pwd = 0; + int i; + char hashout[17]; + + char ntpasswd[NTPASSWDLEN+1]; + char *hold; + unsigned char *p16; + int uni_len; + char passwd[NTPASSWDLEN+1]; + + if (argc==1) + usage(argv[0]); + + if (argc==2) + just_pwd=1; + else + just_pwd=0; + + lanpwd[0] = '\0'; + ntpasswd[0] = '\0'; + + while ( (c = getopt(argc, argv, "L:N:f:")) != EOF){ + switch(c) { + case 'L': + printlan++; + strncpy(lanpwd,optarg,LMPASSWDLEN); + lanpwd[LMPASSWDLEN]='\0'; + for (i=0;i0 && passwd[strlen(passwd)-1]=='\n') + 
passwd[strlen(passwd)-1]='\0'; + + /* create LANMAN-password (shorter) */ + strncpy(lanpwd,passwd,LMPASSWDLEN); + lanpwd[LMPASSWDLEN]='\0'; + for (i=0;i1 && just_pwd==1) { + strncpy(lanpwd,argv[1],LMPASSWDLEN); + lanpwd[LMPASSWDLEN]='\0'; + for (i=0;i0) { + memset(hashout,'\0',17); + E_P16((uchar *)lanpwd,hashout); + printlanhash(hashout); + } + + if (printnt >0) { + + if (printlan>0) printf(":"); + + memset(ntpasswd, '\0', sizeof(ntpasswd)); + + if (passwd[strlen(passwd)-1] == '\n') /* strip the \n - this + is done in LowerString for the case sensitive + check */ + passwd[strlen(passwd)-1] = '\0'; + + hold = (char *)malloc(NTPASSWDLEN * 2); /* grab space for + unicode */ + if (hold == NULL){ + fprintf(stderr, "out of memory...crackntdialog hold\n"); + exit(1); + } + + uni_len = PutUniCode(hold, passwd); /* convert to + unicode and return correct + unicode length for md4 */ + + p16 = (unsigned char*)malloc(17); /* grab space for md4 hash */ + if (p16 == NULL){ + fprintf(stderr, "out of memory...crackntdialect p16\n"); + exit(1); + } + + memset(p16,'\0',17); + mdfour(p16,hold, uni_len); + + printlanhash(p16); + + free(p16); + free(hold); + } + + printf("\n"); + + exit(0); + +} + +/*****************************************************************************/ +/*****************************************************************************/ +/*****************************************************************************/ + +void usage(char *progname){ + char *p; + + p = strrchr(progname, '\\'); + if (p == NULL) + p = progname; + else + p++; + + fprintf(stderr, "Usage: %s [-L lanmgrpwd] [-N ntpasswd]\n",p); + fprintf(stderr, " %s password\n",p); + fprintf(stderr, " %s -f [-] [filename]\n\n",p); + fprintf(stderr, " -L lanmgrpasswd LanManager cleartextpwd <= 14 chars\n"); + fprintf(stderr, " -N ntpasswd NT cleartextpwd <=128 chars (usually <=14)\n\n"); + fprintf(stderr, " with both options present the encrypted LanManager-Pwd is \n"); + fprintf(stderr, " printed first, 
followed by a ':' and the encrypted NT-Pwd.\n\n"); + fprintf(stderr, " The second usage behaves like %s -L pwd -N pwd\n\n",p); + fprintf(stderr, " The third usage reads the password from STDIN or a File. Printout\n"); + fprintf(stderr, " is the same as second.\n\n"); + fprintf(stderr, "anton@genua.de\n\n"); + exit(1); +} + + +/******************************************************************* +write a string in unicoode format +********************************************************************/ +int PutUniCode(char *dst,char *src) +{ + int ret = 0; + while (*src) { + dst[ret++] = src[0]; + dst[ret++] = 0; + src++; + } + dst[ret++]=0; + dst[ret++]=0; + return(ret-2); /* the way they do the md4 hash they don't represent + the last null. ie 'A' becomes just 0x41 0x00 - not + 0x41 0x00 0x00 0x00 */ +} + +/* + print binary buffer as hex-string +*/ +void printlanhash(char *tmp) { + + int i; + unsigned char c; + char outbuffer[33]; + + + /* build string from binary hash */ + for(i=0;i<16;i++) { + c=tmp[i]; + sprintf(outbuffer+2*i,"%x",(c>>4) & 0x0f); + sprintf(outbuffer+2*i+1,"%x",c & 0x0f); + } + + /* convert to uppercase */ + for(i=0;i<32;i++) + outbuffer[i] = toupper(outbuffer[i]); + outbuffer[32]='\0'; + + /* print out hex-string */ + printf("%s",outbuffer); +} + + diff --git a/examples/LDAP/smbldap-tools/mkntpwd/mkntpwd.h b/examples/LDAP/smbldap-tools/mkntpwd/mkntpwd.h new file mode 100644 index 0000000000..9a020b8d28 --- /dev/null +++ b/examples/LDAP/smbldap-tools/mkntpwd/mkntpwd.h @@ -0,0 +1,17 @@ +#include +#include +#include +#include +#include + +typedef short int16; +typedef int int32; +typedef unsigned short uint16; +typedef unsigned int uint32; +typedef unsigned char uchar; + +#define MAX_STRING 255 +#define MAX_WORD 128 +#define LMPASSWDLEN 14 +#define NTPASSWDLEN 128 +#define FILENAMEBUFFER 128 diff --git a/examples/LDAP/smbldap-tools/mkntpwd/smbdes.c b/examples/LDAP/smbldap-tools/mkntpwd/smbdes.c new file mode 100644 index 0000000000..e4f8280f9b 
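Review bot: `hold = (char *)malloc(NTPASSWDLEN * 2)` is two bytes short of what PutUniCode writes into it: for a password of len characters it stores 2*len data bytes plus a two-byte terminator (`dst[ret++]=0; dst[ret++]=0;`), so a 128-character password, the maximum `passwd[NTPASSWDLEN+1]` can hold, overruns the 256-byte heap buffer; allocate `hold = (char *)malloc(NTPASSWDLEN * 2 + 2);`. In the same `printnt` branch `if (passwd[strlen(passwd)-1] == '\n')` reads `passwd[-1]` when the string is empty — the `-f` path guards this with a length check but this one does not, so make it `if (strlen(passwd) > 0 && passwd[strlen(passwd)-1] == '\n')`. Separately, taking the cleartext password from argv (`-L`, `-N`, or the bare `password` form) exposes it to every local user through the process list, so the usage text should steer callers to `-f -`, and neither `passwd` nor `hold` is wiped before the process exits or frees them. Minor: `void main` should be `int main`, and usage() splits the program name on `'\\'`, which never matches on Unix.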
--- /dev/null +++ b/examples/LDAP/smbldap-tools/mkntpwd/smbdes.c 
@@ -0,0 +1,337 @@ +/* + Unix SMB/Netbios implementation. + Version 1.9. + + a partial implementation of DES designed for use in the + SMB authentication protocol + + Copyright (C) Andrew Tridgell 1997 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + + +/* NOTES: + + This code makes no attempt to be fast! In fact, it is a very + slow implementation + + This code is NOT a complete DES implementation. It implements only + the minimum necessary for SMB authentication, as used by all SMB + products (including every copy of Microsoft Windows95 ever sold) + + In particular, it can only do a unchained forward DES pass. This + means it is not possible to use this code for encryption/decryption + of data, instead it is only useful as a "hash" algorithm. + + There is no entry point into this code that allows normal DES operation. + + I believe this means that this code does not come under ITAR + regulations but this is NOT a legal opinion. 
If you are concerned + about the applicability of ITAR regulations to this code then you + should confirm it for yourself (and maybe let me know if you come + up with a different answer to the one above) +*/ + + + +static int perm1[56] = {57, 49, 41, 33, 25, 17, 9, + 1, 58, 50, 42, 34, 26, 18, + 10, 2, 59, 51, 43, 35, 27, + 19, 11, 3, 60, 52, 44, 36, + 63, 55, 47, 39, 31, 23, 15, + 7, 62, 54, 46, 38, 30, 22, + 14, 6, 61, 53, 45, 37, 29, + 21, 13, 5, 28, 20, 12, 4}; + +static int perm2[48] = {14, 17, 11, 24, 1, 5, + 3, 28, 15, 6, 21, 10, + 23, 19, 12, 4, 26, 8, + 16, 7, 27, 20, 13, 2, + 41, 52, 31, 37, 47, 55, + 30, 40, 51, 45, 33, 48, + 44, 49, 39, 56, 34, 53, + 46, 42, 50, 36, 29, 32}; + +static int perm3[64] = {58, 50, 42, 34, 26, 18, 10, 2, + 60, 52, 44, 36, 28, 20, 12, 4, + 62, 54, 46, 38, 30, 22, 14, 6, + 64, 56, 48, 40, 32, 24, 16, 8, + 57, 49, 41, 33, 25, 17, 9, 1, + 59, 51, 43, 35, 27, 19, 11, 3, + 61, 53, 45, 37, 29, 21, 13, 5, + 63, 55, 47, 39, 31, 23, 15, 7}; + +static int perm4[48] = { 32, 1, 2, 3, 4, 5, + 4, 5, 6, 7, 8, 9, + 8, 9, 10, 11, 12, 13, + 12, 13, 14, 15, 16, 17, + 16, 17, 18, 19, 20, 21, + 20, 21, 22, 23, 24, 25, + 24, 25, 26, 27, 28, 29, + 28, 29, 30, 31, 32, 1}; + +static int perm5[32] = { 16, 7, 20, 21, + 29, 12, 28, 17, + 1, 15, 23, 26, + 5, 18, 31, 10, + 2, 8, 24, 14, + 32, 27, 3, 9, + 19, 13, 30, 6, + 22, 11, 4, 25}; + + +static int perm6[64] ={ 40, 8, 48, 16, 56, 24, 64, 32, + 39, 7, 47, 15, 55, 23, 63, 31, + 38, 6, 46, 14, 54, 22, 62, 30, + 37, 5, 45, 13, 53, 21, 61, 29, + 36, 4, 44, 12, 52, 20, 60, 28, + 35, 3, 43, 11, 51, 19, 59, 27, + 34, 2, 42, 10, 50, 18, 58, 26, + 33, 1, 41, 9, 49, 17, 57, 25}; + + +static int sc[16] = {1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1}; + +static int sbox[8][4][16] = { + {{14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7}, + {0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8}, + {4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0}, + {15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 
13}}, + + {{15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10}, + {3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5}, + {0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15}, + {13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9}}, + + {{10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8}, + {13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1}, + {13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7}, + {1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12}}, + + {{7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15}, + {13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9}, + {10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4}, + {3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14}}, + + {{2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9}, + {14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6}, + {4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14}, + {11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3}}, + + {{12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11}, + {10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8}, + {9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6}, + {4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13}}, + + {{4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1}, + {13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6}, + {1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2}, + {6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12}}, + + {{13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7}, + {1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2}, + {7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8}, + {2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11}}}; + +static void permute(char *out, char *in, int *p, int n) +{ + int i; + for (i=0;i>1; + key[1] = ((str[0]&0x01)<<6) | (str[1]>>2); + key[2] = ((str[1]&0x03)<<5) | (str[2]>>3); + key[3] = ((str[2]&0x07)<<4) | (str[3]>>4); + key[4] = ((str[3]&0x0F)<<3) | (str[4]>>5); + key[5] = ((str[4]&0x1F)<<2) | (str[5]>>6); + key[6] = 
((str[5]&0x3F)<<1) | (str[6]>>7); + key[7] = str[6]&0x7F; + for (i=0;i<8;i++) { + key[i] = (key[i]<<1); + } +} + + +static void smbhash(unsigned char *out, unsigned char *in, unsigned char *key) +{ + int i; + char outb[64]; + char inb[64]; + char keyb[64]; + unsigned char key2[8]; + + str_to_key(key, key2); + + for (i=0;i<64;i++) { + inb[i] = (in[i/8] & (1<<(7-(i%8)))) ? 1 : 0; + keyb[i] = (key2[i/8] & (1<<(7-(i%8)))) ? 1 : 0; + outb[i] = 0; + } + + dohash(outb, inb, keyb); + + for (i=0;i<8;i++) { + out[i] = 0; + } + + for (i=0;i<64;i++) { + if (outb[i]) + out[i/8] |= (1<<(7-(i%8))); + } +} + +void E_P16(unsigned char *p14,unsigned char *p16) +{ + unsigned char sp8[8] = {0x4b, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25}; + smbhash(p16, sp8, p14); + smbhash(p16+8, sp8, p14+7); +} + +void E_P24(unsigned char *p21, unsigned char *c8, unsigned char *p24) +{ + smbhash(p24, c8, p21); + smbhash(p24+8, c8, p21+7); + smbhash(p24+16, c8, p21+14); +} + +void cred_hash1(unsigned char *out,unsigned char *in,unsigned char *key) +{ + unsigned char buf[8]; + + smbhash(buf, in, key); + smbhash(out, buf, key+9); +} + +void cred_hash2(unsigned char *out,unsigned char *in,unsigned char *key) +{ + unsigned char buf[8]; + static unsigned char key2[8]; + + smbhash(buf, in, key); + key2[0] = key[7]; + smbhash(out, buf, key2); +} + diff --git a/examples/LDAP/smbldap-tools/smbldap-groupadd.pl b/examples/LDAP/smbldap-tools/smbldap-groupadd.pl new file mode 100755 index 0000000000..ee804b34d3 --- /dev/null +++ b/examples/LDAP/smbldap-tools/smbldap-groupadd.pl 
@@ -0,0 +1,84 @@ +#!/usr/bin/perl + +# This code was developped by IDEALX (http://IDEALX.org/) and +# contributors (their names can be found in the CONTRIBUTORS file). +# +# Copyright (C) 2001-2002 IDEALX +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, +# USA. + +# Purpose of smbldap-groupadd : group (posix) add + +use strict; +use smbldap_tools; + +use Getopt::Std; +my %Options; + +my $ok = getopts('og:?', \%Options); +if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) { + print "Usage: $0 [-go?] groupname\n"; + print " -g gid\n"; + print " -o gid is not unique\n"; + print " -? show this help message\n"; + exit (1); +} + +my $_groupName = $ARGV[0]; + +if (defined(get_group_dn($_groupName))) { + print "$0: group $_groupName exists\n"; + exit (6); +} + +my $_groupGidNumber = $Options{'g'}; + +if (!group_add($_groupName, $_groupGidNumber, $Options{'o'})) { + print "$0: error adding group $_groupName\n"; + exit (6); +} + +exit(0); + +######################################## + +=head1 NAME + + smbldap-groupadd.pl - Create a new group + +=head1 SYNOPSIS + + smbldap-groupadd.pl [-g gid [-o]] group + +=head1 DESCRIPTION + The smbldap-groupadd.pl command creates a new group account using + the values specified on the command line and the default values + from the system. 
The new group will be entered into the system + files as needed. The options which apply to the groupadd command are + + -g gid The numerical value of the group's ID. This value must be + unique, unless the -o option is used. The value must be non- + negative. The default is to use the smallest ID value greater + than 1000 and greater than every other group. + +=head1 SEE ALSO + + groupadd(1) + +=cut + +#' + diff --git a/examples/LDAP/smbldap-tools/smbldap-groupdel.pl b/examples/LDAP/smbldap-tools/smbldap-groupdel.pl new file mode 100755 index 0000000000..3d072585b2 --- /dev/null +++ b/examples/LDAP/smbldap-tools/smbldap-groupdel.pl 
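Review bot: `my $_groupGidNumber = $Options{'g'};` is handed to group_add without any check that it is a non-negative integer, even though the POD below promises the value must be; `-g 12abc` or an empty string reaches the LDAP write path unvalidated. Add `die "$0: invalid gid '$_groupGidNumber'\n" if defined($_groupGidNumber) && $_groupGidNumber !~ /^\d+$/;` before the group_add call. The usage line `[-go?]` also hides that `-g` takes an argument; `[-g gid [-o]] groupname`, as in the SYNOPSIS, is clearer. The script enables `use strict` but not `use warnings`.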
@@ -0,0 +1,93 @@ +#!/usr/bin/perl + +# This code was developped by IDEALX (http://IDEALX.org/) and +# contributors (their names can be found in the CONTRIBUTORS file). +# +# Copyright (C) 2001-2002 IDEALX +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, +# USA. + +# Purpose of smbldap-groupdel : group (posix) deletion + +use strict; +use smbldap_tools; +use smbldap_conf; + +##################### + +use Getopt::Std; +my %Options; + +my $ok = getopts('?', \%Options); +if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) { + print "Usage: $0 groupname\n"; + print " -? 
show this help message\n"; + exit (1); +} + +my $_groupName = $ARGV[0]; + +my $dn_line; +if (!defined($dn_line = get_group_dn($_groupName))) { + print "$0: group $_groupName doesn't exist\n"; + exit (6); +} + +my $dn = get_dn_from_line($dn_line); + +my $rc = system "$ldapdelete $dn >/dev/null"; +die "$0: error while deleting group $_groupName\n" + unless ($rc == 0); + +my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1"; + +if ($nscd_status == 0) { + system "/etc/init.d/nscd restart > /dev/null 2>&1"; +} + +#if (defined($dn_line = get_group_dn($_groupName))) { +# print "$0: failed to delete group\n"; +# exit (7); +#} + + +exit (0); + +############################################################ + +=head1 NAME + + smbldap-groupdel.pl - Delete a group + +=head1 SYNOPSIS + + smbldap-groupdel.pl group + +=head1 DESCRIPTION + + The smbldap-groupdel.pl command modifies the system account files, + deleting all entries that refer to group. The named group must exist. + + You must manually check all filesystems to insure that no files remain + with the named group as the file group ID. + +=head1 SEE ALSO + + groupdel(1) + +=cut + +#' diff --git a/examples/LDAP/smbldap-tools/smbldap-groupmod.pl b/examples/LDAP/smbldap-tools/smbldap-groupmod.pl new file mode 100755 index 0000000000..f9b42f95b4 --- /dev/null +++ b/examples/LDAP/smbldap-tools/smbldap-groupmod.pl 
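Review bot: `system "$ldapdelete $dn >/dev/null"` passes the DN through the shell unquoted, so a DN containing spaces or shell metacharacters (a cn such as `Domain Admins`, which the sibling groupmod examples use, is legal) is word-split or interpreted as shell syntax, and because the cn comes from the command-line group name this is an injection path whenever the script is wrapped by something that accepts untrusted names. Quote it: `my $rc = system "$ldapdelete " . quotemeta($dn) . " >/dev/null";`. The commented-out re-check of `get_group_dn` after deletion is worth restoring, since `$rc == 0` only reflects ldapdelete's exit status, not that the entry is gone.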
@@ -0,0 +1,211 @@ +#!/usr/bin/perl + +# This code was developped by IDEALX (http://IDEALX.org/) and +# contributors (their names can be found in the CONTRIBUTORS file). +# +# Copyright (C) 2001-2002 IDEALX +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, +# USA. + +# Purpose of smbldap-groupmod : group (posix) modification + + +use strict; +use smbldap_tools; +use smbldap_conf; + + +##################### + +use Getopt::Std; +my %Options; + +my $ok = getopts('og:n:m:x:?', \%Options); +if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) { + print "Usage: $0 [-g gid [-o]] [-n name] [-m members(,)] [-x members (,)] groupname\n"; + print " -g new gid\n"; + print " -o gid is not unique\n"; + print " -n new group name\n"; + print " -m add members (comma delimited)\n"; + print " -x delete members (comma delimted)\n"; + print " -? 
show this help message\n"; + exit (1); +} + +my $groupName = $ARGV[0]; + +if (!defined(get_group_dn($groupName))) { + print "$0: group $groupName doesn't exist\n"; + exit (6); +} + +my $newname = $Options{'n'}; + +my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1"; + +if ($nscd_status == 0) { + system "/etc/init.d/nscd restart > /dev/null 2>&1"; +} + +my $gid = getgrnam($groupName); + +my $tmp; +if (defined($tmp = $Options{'g'}) and $tmp =~ /\d+/) { + if (!defined($Options{'o'})) { + if (defined(getgrgid($tmp))) { + print "$0: gid $tmp exists\n"; + exit (6); + } + } + if (!($gid == $tmp)) { + my $tmpldif = +"dn: cn=$groupName,$groupsdn +changetype: modify +replace: gidNumber +gidNumber: $tmp + +"; + die "$0: error while modifying group $groupName\n" + unless (do_ldapmodify($tmpldif) == 0); + undef $tmpldif; + + } +} + +if (defined($newname)) { + my $FILE="|$ldapmodrdn >/dev/null"; + open (FILE, $FILE) || die "$!\n"; + print FILE </dev/null 2>&1"; + +if ($nscd_status == 0) { + system "/etc/init.d/nscd restart > /dev/null 2>&1"; +} + +exit (0); + +############################################################ + +=head1 NAME + + smbldap-groupmod.pl - Modify a group + +=head1 SYNOPSIS + + smbldap-groupmod.pl [-g gid [-o]] [-n group_name ] group + +=head1 DESCRIPTION + + The smbldap-groupmod.pl command modifies the system account files to + reflect the changes that are specified on the command line. + The options which apply to the smbldap-groupmod command are + + -g gid The numerical value of the group's ID. This value must be + unique, unless the -o option is used. The value must be non- + negative. Any files which the old group ID is the file + group ID must have the file group ID changed manually. + + -n group_name + The name of the group will be changed from group to group_name. + + -m members + The members to be added to the group in comma-delimeted form. + + -x members + The members to be removed from the group in comma-delimted form. 
+ +=head1 EXAMPLES + + smbldap-groupmod.pl -g 253 development + This will change the GID of the 'development' group to '253'. + + smbldap-groupmod.pl -n Idiots Managers + This will change the name of the 'Managers' group to 'Idiots'. + + smbldap-groupmod.pl -m "jdoe,jsmith" "Domain Admins" + This will add 'jdoe' and 'jsmith' to the 'Domain Admins' group. + + smbldap-groupmod.pl -x "jdoe,jsmith" "Domain Admins" + This will remove 'jdoe' and 'jsmith' from the 'Domain Admins' group. + +=head1 SEE ALSO + + groupmod(1) + +=cut + +#' diff --git a/examples/LDAP/smbldap-tools/smbldap-groupshow.pl b/examples/LDAP/smbldap-tools/smbldap-groupshow.pl new file mode 100755 index 0000000000..bc5b4d98fb --- /dev/null +++ b/examples/LDAP/smbldap-tools/smbldap-groupshow.pl 
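Review bot: `$tmp =~ /\d+/` is unanchored, so `-g 12abc` or `-g -5` passes the check, survives the numeric `$gid == $tmp` comparison with a warning at most, and lands verbatim in the `gidNumber:` LDIF line; use `$tmp =~ /^\d+$/`. The modify also rebuilds the DN by hand as `cn=$groupName,$groupsdn` even though `get_group_dn($groupName)` was just called to confirm the group exists — reuse that DN (via get_dn_from_line, as smbldap-groupdel.pl does) so an entry stored under a different RDN, or a cn with RDN-special characters, is modified rather than silently missed. The nscd restart placed before the modifications looks misplaced; only the one after them refreshes the cache for changes made here. Part of this hunk (the `-n`/`-m`/`-x` handling after `print FILE <`) is garbled in this view, so it is not reviewed.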
@@ -0,0 +1,72 @@ +#!/usr/bin/perl + +# This code was developped by IDEALX (http://IDEALX.org/) and +# contributors (their names can be found in the CONTRIBUTORS file). +# +# Copyright (C) 2001-2002 IDEALX +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, +# USA. + +# Purpose of smbldap-groupshow : user (posix,shadow,samba) display +# +# History : +# . originally by David Le Corfec + +use strict; +use smbldap_tools; + +use Getopt::Std; +my %Options; + +my $ok = getopts('?', \%Options); + +if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) { + print "Usage: $0 [-?] group\n"; + print " -? show this help message\n"; + exit (1); +} + +# Read only first @ARGV +my $group = $ARGV[0]; + +my $lines = read_group($group); +if (!defined($lines)) { + print "$0: group $group doesn't exist\n"; + exit (1); +} + +print "$lines\n"; + +exit(0); + +############################################################ + +=head1 NAME + + smbldap-groupshow.pl - Display group informations + +=head1 SYNOPSIS + + smbldap-groupshow.pl groupname + +=head1 DESCRIPTION + + The smbldap-groupshow.pl command displays informations + associated with the given group. + +=cut + +#' diff --git a/examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl b/examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl new file mode 100755 index 0000000000..b1780dec61 
--- /dev/null +++ b/examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl 
@@ -0,0 +1,234 @@ +#!/usr/bin/perl + +# This code was developped by IDEALX (http://IDEALX.org/) and +# contributors (their names can be found in the CONTRIBUTORS file). +# +# Copyright (C) 2002 IDEALX +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, +# USA. + +# Purpose of smbldap-migrate-accounts : add NT sam entries from pwdump +# to ldap + +use strict; +use Getopt::Std; +use smbldap_tools; +use smbldap_conf; + +# smbldap-migrate.pl (-? for help) +# +# Read pwdump entries on stdin, and add them to the ldap server. +# Output uncreated/unmodified entries (see parameters -C -U) +# in pwdump format to stdout. +# Errors, debug and stats are output to stderr. 
+ +sub modify_account +{ + my ($login, $basedn, $lmpwd, $ntpwd, $gecos, $homedir) = @_; + + my $tmpldif = +"dn: uid=$login,$basedn +changetype: modify +lmpassword: $lmpwd +ntpassword: $ntpwd +gecos: $gecos +smbHome: $homedir + +"; + + die "$0: error while modifying user $login\n" + unless (do_ldapmodify($tmpldif) == 0); + undef $tmpldif; +} + +##################### + + +my %Options; + +my $ok = getopts('awA:CUW:?', \%Options); + +if ( (!$ok) || ($Options{'?'}) ) { + print "Usage: $0 [-awAWCU?]\n"; + print " -a process only people, ignore computers\n"; + print " -w process only computers, ignore persons\n"; + print " -A option string passed verbatim to smbldap-useradd for persons\n"; + print " -W option string passed verbatim to smbldap-useradd for computers\n"; + print " -C if entry not found, don't create it and log it to stdout (default: create it)\n"; + print " -U if entry found, don't update it and log it to stdout (default: update it)\n"; + print " -? show this help message\n"; + exit (1); +} + +my %processed = ( 'user' => 0, 'machine' => 0); +my %created = ( 'user' => 0, 'machine' => 0); +my %updated = ( 'user' => 0, 'machine' => 0); +my %logged = ( 'user' => 0, 'machine' => 0); +my %errors = ( 'user' => 0, 'machine' => 0); +my %existing = ( 'user' => 0, 'machine' => 0); +my $specialskipped = 0; + +while (<>) +{ + my ($login, $rid, $lmpwd, $ntpwd, $gecos, $homedir, $b) = split(/:/, $_); + my $usertype; + my $userbasedn; + + my $entry_type = 'user'; + + if ($login =~ m/.*\$$/ ) { # computer + $processed{'machine'}++; + $entry_type = 'machine'; + if (defined($Options{'a'})) { + print STDERR "ignoring $login\n"; + next; + } + + $usertype = "-w $Options{'W'}"; + $userbasedn = $computersdn; + } + else { # people + $processed{'user'}++; + if (defined($Options{'w'})) { + print STDERR "ignoring $login\n"; + next; + } + if ($rid < 1000) { + $specialskipped++; + print STDERR "$login seems to be a special Win account (rid=$rid), skipping\n"; + next; + } + + $usertype = 
"-a $Options{'A'}"; + $userbasedn = $usersdn; + } + + # normalize homedir +# uncomment to replace configured share with share from pwdump +# if ($homedir eq "") { + $homedir = $_userSmbHome; +# } + + # normalize gecos + if (!($gecos eq "")) { + $gecos =~ tr//AAAAaaaaCcEEEEEeeeeeIIIIiiiiNnOOOOooooUUUUuuuuYyy/; + } else { + $gecos = $_userGecos; + } + + my $user_exists = is_samba_user($login); + + if (!$user_exists) { + if (!defined($Options{'C'})) { + # uid doesn't exist and we want to create it + my $addcmd = "/usr/local/sbin/smbldap-useradd.pl $usertype $login > /dev/null"; + print STDERR "$addcmd\n"; + my $r = system "$addcmd"; + if ($r != 0) { + print STDERR "error adding $login, skipping\n"; + next; + } + # lem modif... a retirer si pb + if ($entry_type eq "user") + { + modify_account($login, $userbasedn, $lmpwd, $ntpwd, $gecos, $homedir); + } + + $created{$entry_type}++; + } + else { # uid doesn't exist and no create => log + print "$_"; + $logged{$entry_type}++; + } + } + else { # account exists + $existing{$entry_type}++; + if (!defined($Options{'U'})) { # exists and modify + modify_account($login, $userbasedn, $lmpwd, $ntpwd, $gecos, $homedir); + $updated{$entry_type}++; + } + else { # exists and log + print "$_"; + $logged{$entry_type}++; + } + } +} + +my $sum; + +$sum = $processed{'user'} + $processed{'machine'}; +print STDERR "processed: all=$sum user=$processed{'user'} machine=$processed{'machine'}\n"; + +$sum = $existing{'user'} + $existing{'machine'}; +print STDERR "existing: all=$sum user=$existing{'user'} machine=$existing{'machine'}\n"; + +$sum = $created{'user'} + $created{'machine'}; +print STDERR "created: all=$sum user=$created{'user'} machine=$created{'machine'}\n"; + +$sum = $updated{'user'} + $updated{'machine'}; +print STDERR "updated: all=$sum user=$updated{'user'} machine=$updated{'machine'}\n"; + +$sum = $logged{'user'} + $logged{'machine'}; +print STDERR "logged: all=$sum user=$logged{'user'} machine=$logged{'machine'}\n"; + +print 
STDERR "special users skipped: $specialskipped\n"; + + +######################################## + +=head1 NAME + + smbldap-migrate.pl - Migrate NT accounts to LDAP + +=head1 SYNOPSIS + + smbldap-migrate.pl [-a] [-w] [-A opts] [-W opts] [-C] [-U] [-?] + +=head1 DESCRIPTION + + This command reads from stdin account entries as created by pwdump, + a tool to dump an user database on NT. + Depending of the options, some account entries may be output on + stdout. All errors and informations are sent to stderr. + + -a process only people, ignore computers + + -w process only computers, ignore persons + + -A opts + a string containing arguments to pass verbatim to + smbldap-useradd when adding users, eg "-m -x". + You don't have to specify -a in this string. + + -W opts + a string containing arguments to pass verbatim to + smbldap-useradd when adding computers, eg "-m -x". + You don't have to specify -w in this string. + + -C if NT account not found in LDAP, don't create it and log it to stdout + (default: create it) + + -U if NT account found in LDAP, don't update it and log it to stdout + (default: update it) + + -? show the help message + +=cut + +#' + +# The End + diff --git a/examples/LDAP/smbldap-tools/smbldap-migrate-groups.pl b/examples/LDAP/smbldap-tools/smbldap-migrate-groups.pl new file mode 100644 index 0000000000..0d3dd07d50 --- /dev/null +++ b/examples/LDAP/smbldap-tools/smbldap-migrate-groups.pl 
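Review bot: `my $addcmd = "/usr/local/sbin/smbldap-useradd.pl $usertype $login > /dev/null"; … system "$addcmd"` interpolates `$login`, taken straight from the pwdump line on stdin, into a shell command, so a crafted dump entry whose login contains `;`, backticks or `$(...)` runs arbitrary commands as whoever performs the migration. Reject anything that is not a plain account name before using it, e.g. `if ($login !~ /^[\w.\-]+\$?$/) { print STDERR "bad login '$login', skipping\n"; next; }` (confirm the character set against what smbldap-useradd accepts), and prefer the list form `system('/usr/local/sbin/smbldap-useradd.pl', split(' ', $usertype), $login)` so no shell is involved. The same `$login`, `$gecos` and `$homedir` are also written unescaped into the LDIF in modify_account; values with leading spaces or non-ASCII bytes should be base64-encoded per LDIF rules. Unlike the groupmod LDIF, modify_account's `changetype: modify` is not followed by a `replace:` directive — presumably relies on ldapmodify leniency, worth confirming against the version in use.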
@@ -0,0 +1,225 @@ +#!/usr/bin/perl + +# This code was developped by IDEALX (http://IDEALX.org/) and +# contributors (their names can be found in the CONTRIBUTORS file). +# +# Copyright (C) 2002 IDEALX +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, +# USA. + +# Purpose of smbldap-migrate-groups : to parse a Windows +# group dump and populate Unix groups +# Reads group dump on stdin + + +use strict; +use smbldap_tools; +use smbldap_conf; +use Getopt::Std; + + + +sub process_rec_group +{ + my ($group, $mb) = @_; + my @members; + + if (!(@members = group_get_members($group))) { + return 0; + } + + foreach my $m (@members) { + if ( !($m =~ m/^\*/) ) { + push @{$mb}, $m; + } else { + my $gname = $m; + $gname =~ s/^.//; + if (!process_rec_group($gname, $mb)) { + print "recursive group not added : $gname\n"; + } + } + } +} + + +# given a group dn and a list of members, update the group +sub modify_group +{ + my ($group, $dn_line, @members, $recgroup) = @_; + my $m; + my @new_mb; + + foreach $m (@members) { + if ( ($m =~ m/^\*/) ) { + my $gname = $m; + $gname =~ s/^.//; + if (!$recgroup) { + print "recursive group not added : $gname\n"; + } else { + if (!process_rec_group($gname, \@new_mb)) { + print "recursive group not added : $gname\n"; + } + } + } else { + push @new_mb, $m; + } + } + + # new_mb contains flat members 
from group dump
+ # now append them to existing members
+ push @new_mb, group_get_members($group);
+ # uniq them
+ my %saw;
+ @saw{@new_mb} = ();
+ @new_mb = keys %saw;
+
+ my $nmb = $#new_mb + 1;
+ print STDERR "Group $group now has $nmb member(s)\n";
+
+ my $mbs;
+ foreach $m (@new_mb) {
+ $mbs .= "memberUid: $m\n";
+ }
+
+ my $mods="$dn_line
+changetype: modify
+replace: memberUid
+$mbs
+";
+
+ #print "$mods\n";
+ my $tmpldif =
+"$mods
+";
+
+ die "$0: error while modifying group $group\n"
+ unless (do_ldapmodify($tmpldif) == 0);
+ undef $tmpldif;
+}
+
+sub display_group
+{
+ my ($group, @members) = @_;
+
+ print "Group name $group\n";
+ print "Members\n";
+ my $m;
+ my $i = 0;
+ foreach $m (@members) {
+ print "$m ";
+ if ($i % 5 == 0) {
+ print "\n";
+ }
+ $i++;
+ }
+}
+
+sub process_group
+{
+ my ($group, @members, $nocreate, $noupdate, $recgroup) = @_;
+
+ my $dn_line;
+ if (!defined($dn_line = get_group_dn($group))) {
+ # group not found, create it ?
+ if (!$nocreate) {
+ system "/usr/local/sbin/smbldap-groupadd.pl \"$group\"; sleep 5";
+ if (!defined($dn_line = get_group_dn($group))) {
+ return 1;
+ }
+ modify_group($group, $dn_line, @members, $recgroup);
+ } else {
+ # don't create
+ print "not created:\n";
+ display_group($group, @members);
+ }
+ } else {
+ # group found, update it ?
+ if (!$noupdate) {
+ modify_group($group, $dn_line, @members, $recgroup);
+ } else {
+ # don't update
+ print "not updated:\n";
+ display_group($group, @members);
+ }
+ }
+}
+
+###################################################
+
+my %Options;
+
+my $ok = getopts('CUr?', \%Options);
+if ( (!$ok) || ($Options{'?'}) ) {
+ print "Usage: $0 [-CUr?]
< group_dump\n";
+ print " -C don't create group if it doesn't exist\n";
+ print " -U don't update group if it exists\n";
+ print " -r recursively process groups\n";
+ exit(1);
+}
+
+my $group_name;
+my $group_desc;
+my $has_members = 0;
+my @members = ();
+
+while (<>)
+{
+ my $line = $_;
+ chomp($line);
+ next if ( $line =~ m/^\s*$/ );
+
+ if ($group_name eq "") {
+ if ( $line =~ m/^Group name\s+(.+).$/ ) {
+ $group_name = $1;
+ next;
+ }
+ }
+ if ($group_desc eq "") {
+ if ( $line =~ m/^Comment\s+(.*)$/ ) {
+ $group_desc = $1;
+ next;
+ }
+ }
+ next if ( $line =~ m/^-+.$/ );
+ if (!$has_members) {
+ if ( $line =~ m/^Members/ ) {
+ $has_members = 1;
+ next;
+ }
+ } else {
+ if ( $line =~ m/^The command completed successfully/ ) {
+ last;
+ } else {
+ push(@members, split(/\s+/, $line));
+ next;
+ }
+ }
+
+ #print;
+}
+
+if ( $#members > -1) {
+ process_group($group_name, @members, $Options{'C'}, $Options{'U'}, $Options{'r'});
+}
+
+#print "gn=$group_name\n";
+#print "gd=$group_desc\n";
+#my $m;
+#foreach $m (@members)
+#{
+# print "$m ";
+#}
+#print "\n";
diff --git a/examples/LDAP/smbldap-tools/smbldap-passwd.pl b/examples/LDAP/smbldap-tools/smbldap-passwd.pl
new file mode 100755
index 0000000000..ef7687a49e
--- /dev/null
+++ b/examples/LDAP/smbldap-tools/smbldap-passwd.pl
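Review bot: In `modify_group` and `process_group` the array placed in the middle of the list assignment (`my ($group, $dn_line, @members, $recgroup) = @_;` and `my ($group, @members, $nocreate, $noupdate, $recgroup) = @_;`) swallows every remaining argument, so `$nocreate`, `$noupdate` and `$recgroup` are always undef and the `-C`/`-U`/`-r` values passed by the top-level `process_group(...)` call land inside `@members`, where they are emitted as extra `memberUid:` lines by the LDIF builder. Passing the member list by reference fixes both, as sketched below. `system "/usr/local/sbin/smbldap-groupadd.pl \"$group\"; sleep 5";` interpolates a group name read from the dump into a shell string, so a name containing `"`, `$` or backticks is executed rather than passed; `system('/usr/local/sbin/smbldap-groupadd.pl', $group); sleep 5;` hands it over as one argument. `process_rec_group` has no return on its success path, so callers print "recursive group not added" even after a successful recursion; end it with `return 1;`.
```perl
sub modify_group
{
    my ($group, $dn_line, $members, $recgroup) = @_;
    # … unchanged: declarations …
    foreach $m (@{$members}) {
    # … unchanged: member flattening, LDIF build, do_ldapmodify …

sub process_group
{
    my ($group, $members, $nocreate, $noupdate, $recgroup) = @_;
    # … unchanged: create/update decision, passing $members on to
    #     modify_group and @{$members} to display_group …

# top level
process_group($group_name, \@members, $Options{'C'}, $Options{'U'}, $Options{'r'});
```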
@@ -0,0 +1,215 @@
+#!/usr/bin/perl
+
+# LDAP to unix password sync script for samba
+# This code was developped by IDEALX (http://IDEALX.org/) and
+# contributors (their names can be found in the CONTRIBUTORS file).
+#
+# Copyright (C) 2001-2002 IDEALX
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+# USA.
+
+# Purpose :
+# . ldap-unix passwd sync for SAMBA-2.2.2 + LDAP
+# .
may also replace /bin/passwd
+
+use strict;
+use smbldap_tools;
+use smbldap_conf;
+
+my $user;
+my $oldpass;
+my $ret;
+
+my $arg;
+
+foreach $arg (@ARGV) {
+ if ($< != 0) {
+ die "Only root can specify parameters\n";
+ } else {
+ if ( ($arg eq '-?') || ($arg eq '--help') ) {
+ print "Usage: $0 [username]\n";
+ print " -?, --help show this help message\n";
+ exit (6);
+ } elsif (substr($arg,0) ne '-') {
+ $user = $arg;
+ }
+ $oldpass = 1;
+ }
+}
+
+if (!defined($user)) {
+ $user=$ENV{"USER"};
+}
+
+# test existence of user in LDAP
+my $dn_line;
+if (!defined($dn_line = get_user_dn($user))) {
+ print "$0: user $user doesn't exist\n";
+ exit (10);
+}
+
+my $dn = get_dn_from_line($dn_line);
+
+my $samba = is_samba_user($user);
+
+print "Changing password for $user\n";
+
+# non-root user
+if (!defined($oldpass)) {
+ # prompt for current password
+ system "stty -echo";
+ print "(current) UNIX password: ";
+ chomp($oldpass=);
+ print "\n";
+ system "stty echo";
+
+ if (!is_user_valid($user, $dn, $oldpass)) {
+ print "Authentication failure\n";
+ exit (10);
+ }
+}
+
+# prompt for new password
+
+my $pass;
+my $pass2;
+
+system "stty -echo";
+print "New password : ";
+chomp($pass=);
+print "\n";
+system "stty echo";
+
+system "stty -echo";
+print "Retype new password : ";
+chomp($pass2=);
+print "\n";
+system "stty echo";
+
+if ($pass ne $pass2) {
+ print "New passwords don't match!\n";
+ exit (10);
+}
+
+# only modify smb passwords if smb user
+if ($samba == 1) {
+ if (!$with_smbpasswd) {
+# generate LanManager and NT clear text passwords
+ if ($mk_ntpasswd eq '') {
+ print "Either set \$with_smbpasswd = 1 or specify \$mk_ntpasswd\n";
+ exit(1);
+ }
+ my $ntpwd = `$mk_ntpasswd '$pass'`;
+ chomp(my $lmpassword = substr($ntpwd, 0, index($ntpwd, ':')));
+ chomp(my $ntpassword = substr($ntpwd, index($ntpwd, ':')+1));
+
+# change nt/lm passwords
+ my $tmpldif =
+"$dn_line
+changetype: modify
+replace: lmpassword
+lmpassword: $lmpassword
+-
+changetype: modify
+replace:
ntpassword
+ntpassword: $ntpassword
+-
+
+";
+ die "$0: error while modifying password for $user\n"
+ unless (do_ldapmodify($tmpldif) == 0);
+ undef $tmpldif;
+ }
+ else {
+ if ($< != 0) {
+ my $FILE="|$smbpasswd -s >/dev/null";
+ open (FILE, $FILE) || die "$!\n";
+ print FILE < /dev/null";
+if ($ret == 0) {
+ print "all authentication tokens updated successfully\n";
+} else {
+ return $ret;
+}
+
+exit 0;
+
+
+# - The End
+
+=head1 NAME
+
+smbldap-passwd.pl - change user password
+
+=head1 SYNOPSIS
+
+ smbldap-passwd.pl [name]
+
+=head1 DESCRIPTION
+
+ smbldap-passwd.pl changes passwords for user accounts. A normal user
+ may only change the password for their own account, the super user may
+ change the password for any account.
+
+ Password Changes
+ The user is first prompted for their old password, if one is present.
+ This password is then tested against the stored password by binding
+ to the server. The user has only one chance to enter the correct pass-
+ word. The super user is permitted to bypass this step so that forgot-
+ ten passwords may be changed.
+
+ The user is then prompted for a replacement password. As a general
+ guideline, passwords should consist of 6 to 8 characters including
+ one or more from each of following sets:
+
+ Lower case alphabetics
+
+ Upper case alphabetics
+
+ Digits 0 thru 9
+
+ Punctuation marks
+
+ passwd will prompt again and compare the second entry against the first.
+ Both entries are require to match in order for the password to be
+ changed.
+
+=head1 SEE ALSO
+
+ passwd(1)
+
+=cut
+
+#'
diff --git a/examples/LDAP/smbldap-tools/smbldap-populate.pl b/examples/LDAP/smbldap-tools/smbldap-populate.pl
new file mode 100755
index 0000000000..5be9ca4262
--- /dev/null
+++ b/examples/LDAP/smbldap-tools/smbldap-populate.pl
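Review bot: `my $ntpwd = `$mk_ntpasswd '$pass'`;` sends the password the user just typed through a shell inside single quotes, so a password containing `'` ends the quoting and the remainder is parsed as shell text; it is also visible in the process list for as long as the helper runs. A list-form pipe removes the shell from the path: `open my $nt, '-|', $mk_ntpasswd, $pass or die "$0: $mk_ntpasswd: $!\n"; my $ntpwd = <$nt>; close $nt;` (the argv exposure remains unless the helper can read the password from stdin, which this hunk does not show). Separately, `substr($arg,0) ne '-'` compares the whole argument rather than its first character, so only a bare `-` is rejected and any other option-looking argument becomes the user name — `substr($arg,0,1)` was intended. The `return $ret;` in the final `else` branch is at file scope, where Perl dies with "Can't return outside a subroutine"; `exit $ret;` matches the surrounding code. The hunk text between `print FILE <` and `/dev/null";` is truncated by extraction, so that stretch is not reviewed.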
@@ -0,0 +1,294 @@
+#!/usr/bin/perl
+
+# Populate a LDAP base for Samba-LDAP usage
+#
+# This code was developped by IDEALX (http://IDEALX.org/) and
+# contributors (their names can be found in the CONTRIBUTORS file).
+#
+# Copyright (C) 2001-2002 IDEALX
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+# USA.
+
+# Purpose :
+# . Create an initial LDAP database suitable for Samba 2.2
+# . For lazy people, replace ldapadd (with only an ldif parameter)
+
+use strict;
+use smbldap_tools;
+use smbldap_conf;
+
+use Getopt::Std;
+
+use vars qw(%oc);
+
+# objectclass of the suffix
+%oc = (
+ "ou" => "organizationalUnit",
+ "o" => "organization",
+ "dc" => "dcObject",
+);
+
+
+my %Options;
+
+my $ok = getopts('a:b:?', \%Options);
+if ( (!$ok) || ($Options{'?'}) ) {
+ print "Usage: $0 [-ab?] [ldif]\n";
+ print " -a administrator login name (default: Administrator)\n";
+ print " -b guest login name (default: nobody)\n";
+ print " -?
show this help message\n";
+ print " ldif file to add to ldap (default: suffix, Groups,";
+ print " Users, Computers and builtin users )\n";
+ exit (1);
+}
+
+my $_ldifName;
+
+if (@ARGV >= 1) {
+ $_ldifName = $ARGV[0];
+}
+
+my $adminName = $Options{'a'};
+if (!defined($adminName)) {
+ $adminName = "Administrator";
+}
+
+my $guestName = $Options{'b'};
+if (!defined($guestName)) {
+ $guestName = "nobody";
+}
+
+if (!defined($_ldifName)) {
+ my $attr;
+ my $val;
+ my $objcl;
+
+ if ($suffix =~ m/([^=]+)=([^,]+)/) {
+ $attr = $1;
+ $val = $2;
+ $objcl = $oc{$attr} if (exists $oc{$attr});
+ if (!defined($objcl)) {
+ $objcl = "myhardcodedobjectclass";
+ }
+ } else {
+ die "can't extract first attr and value from suffix $suffix";
+ }
+ #print "$attr=$val\n";
+
+ #my $FILE="|cat";
+ my $FILE="|$ldapadd -c";
+ open (FILE, $FILE) || die "$!\n";
+
+ print FILE <
+Source0: smbldap-groupadd.pl
+Source1: smbldap-groupdel.pl
+Source2: smbldap-groupmod.pl
+Source3: smbldap-groupshow.pl
+Source4: smbldap-passwd.pl
+Source5: smbldap-useradd.pl
+Source6: smbldap-userdel.pl
+Source7: smbldap-usermod.pl
+Source8: smbldap-usershow.pl
+Source9: smbldap_conf.pm
+Source10: smbldap_tools.pm
+Source11: CONTRIBUTORS
+Source12: COPYING
+Source13: ChangeLog
+Source14: FILES
+Source15: README
+Source16: TODO
+Source17: mkntpwd.tar.gz
+Source18: smbldap-populate.pl
+Source19: smbldap-migrate-accounts.pl
+Source20: smbldap-migrate-groups.pl
+Source21: INFRA
+BuildRoot: /%{_tmppath}/%{name}
+Prefix: /usr/local
+BuildRequires: perl >= 5.6
+Requires: perl >= 5.6, openldap, openldap-clients, samba
+
+%description
+In settings with OpenLDAP and Samba-LDAP servers, this collection is
+useful to add, modify and delete users and groups, and to change
+Unix and Samba passwords. In those context they replace the system
+tools to manage users, groups and passwords.
+
+%prep
+
+%setup -c -T
+
+%build
+tar zxvf %{SOURCE17}
+cd mkntpwd
+make
+
+%install
+rm -rf $RPM_BUILD_ROOT
+mkdir -p $RPM_BUILD_ROOT/%{prefix}/sbin
+mkdir -p $RPM_BUILD_ROOT/%{prefix}/share
+mkdir -p $RPM_BUILD_ROOT/%{prefix}/share/doc
+mkdir -p $RPM_BUILD_ROOT/%{prefix}/share/doc/smbldap-tools
+
+cd mkntpwd ; make PREFIX=$RPM_BUILD_ROOT/%{prefix} install
+
+install -m 550 %{SOURCE0} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-groupadd.pl
+install -m 550 %{SOURCE1} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-groupdel.pl
+install -m 550 %{SOURCE2} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-groupmod.pl
+install -m 555 %{SOURCE3} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-groupshow.pl
+install -m 555 %{SOURCE4} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-passwd.pl
+install -m 550 %{SOURCE5} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-useradd.pl
+install -m 550 %{SOURCE6} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-userdel.pl
+install -m 550 %{SOURCE7} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-usermod.pl
+install -m 555 %{SOURCE8} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-usershow.pl
+install -m 550 %{SOURCE18} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-populate.pl
+install -m 751 %{SOURCE9} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap_conf.pm
+install -m 555 %{SOURCE10} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap_tools.pm
+install -m 550 %{SOURCE19} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-migrate-accounts.pl
+install -m 550 %{SOURCE20} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-migrate-groups.pl
+
+install -m 644 %{SOURCE11} $RPM_BUILD_ROOT/%{prefix}/share/doc/smbldap-tools/CONTRIBUTORS
+install -m 644 %{SOURCE12} $RPM_BUILD_ROOT/%{prefix}/share/doc/smbldap-tools/COPYING
+install -m 644 %{SOURCE13} $RPM_BUILD_ROOT/%{prefix}/share/doc/smbldap-tools/ChangeLog
+install -m 644 %{SOURCE14} $RPM_BUILD_ROOT/%{prefix}/share/doc/smbldap-tools/FILES
+install -m 644 %{SOURCE15} $RPM_BUILD_ROOT/%{prefix}/share/doc/smbldap-tools/README
+install -m 644 %{SOURCE16} $RPM_BUILD_ROOT/%{prefix}/share/doc/smbldap-tools/TODO
+install -m 644
%{SOURCE21} $RPM_BUILD_ROOT/%{prefix}/share/doc/smbldap-tools/INFRA
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post
+ln -sf %{prefix}/sbin/smbldap_tools.pm /usr/lib/perl5/site_perl/smbldap_tools.pm
+ln -sf %{prefix}/sbin/smbldap_conf.pm /usr/lib/perl5/site_perl/smbldap_conf.pm
+chgrp 512 %{prefix}/sbin/smbldap-useradd.pl %{prefix}/sbin/smbldap_conf.pm || echo "An error occured while changing groups of smbldap-useradd.pl and smbldap_conf.pm in /usr/local/sbin. For proper operations, please ensure that they have the same posix group as the Samba domain administrator if there's a local Samba PDC."
+perl -i -pe 's/_SLAVELDAP_/localhost/' %{prefix}/sbin/smbldap_conf.pm
+perl -i -pe 's/_MASTERLDAP_/localhost/' %{prefix}/sbin/smbldap_conf.pm
+perl -i -pe 's/_SUFFIX_/dc=IDEALX,dc=org/' %{prefix}/sbin/smbldap_conf.pm
+perl -i -pe 's/_USERS_/Users/' %{prefix}/sbin/smbldap_conf.pm
+perl -i -pe 's/_COMPUTERS_/Computers/' %{prefix}/sbin/smbldap_conf.pm
+perl -i -pe 's/_GROUPS_/Groups/' %{prefix}/sbin/smbldap_conf.pm
+perl -i -pe 's/_LOGINSHELL_/\/bin\/bash/' %{prefix}/sbin/smbldap_conf.pm
+perl -i -pe 's/_USERHOMEPREFIX_/\/home\//' %{prefix}/sbin/smbldap_conf.pm
+perl -i -pe 's/_BINDDN_/cn=Manager,\$suffix/' %{prefix}/sbin/smbldap_conf.pm
+perl -i -pe 's/_BINDPW_/secret/' %{prefix}/sbin/smbldap_conf.pm
+perl -i -pe 's/_PDCNAME_/PDC-SRV/' %{prefix}/sbin/smbldap_conf.pm
+perl -i -pe 's/_HOMEDRIVE_/D/' %{prefix}/sbin/smbldap_conf.pm
+
+# FIXME: links should not be removed on upgrade
+#%postun
+#if [ $1 = 0 ] ; then
+# rm -f /usr/lib/perl5/site_perl/smbldap_tools.pm
+# rm -f /usr/lib/perl5/site_perl/smbldap_conf.pm
+#fi
+
+%files
+%defattr(-,root,root)
+%{prefix}/sbin/*.pl
+%{prefix}/sbin/smbldap_tools.pm
+%config %{prefix}/sbin/smbldap_conf.pm
+%{prefix}/sbin/mkntpwd
+%doc %{prefix}/share/doc/%{name}/TODO
+%doc %{prefix}/share/doc/%{name}/README
+%doc %{prefix}/share/doc/%{name}/CONTRIBUTORS
+%doc %{prefix}/share/doc/%{name}/FILES
+%doc %{prefix}/share/doc/%{name}/COPYING
+
+
+%changelog
+* Sat Jun 1 2002 Olivier Lemaire 0.7-1
+- some bugfixes about smbldap-populate
+- bugfixed the smbpasswd call in smbldap-useradd
+- cleaned up the smbldap_conf
+- more documentation
+
+* Tue Apr 30 2002 Brad Langhorst 0.6-2
+- changed requires samba-common to samba
+- replaced /usr/local with %{prefix} to allow relocation
+
+* Tue Feb 5 2002 David Le Corfec 0.6-1
+- v0.6
+
+* Mon Feb 4 2002 David Le Corfec 0.5-1
+- v0.5
+
+* Mon Jan 14 2002 David Le Corfec 0.3-4
+- internal changes
+- should upgrade smoothly from now on
+
+* Mon Jan 14 2002 David Le Corfec 0.2-1
+- added migration scripts
+
+* Fri Dec 28 2001 David Le Corfec 0.1-5
+- numeric group for chmod
+
+* Thu Dec 27 2001 David Le Corfec 0.1-4
+- misc bugfixes
+
+* Mon Dec 18 2001 David Le Corfec 0.1-3
+- changed files attrs for domain admins to add users
+- added smbldap-populate.pl
+
+* Fri Dec 14 2001 David Le Corfec
+- added mkntpwd
+
+* Wed Dec 12 2001 Olivier Lemaire
+- Spec file was generated, and tested atomically.
diff --git a/examples/LDAP/smbldap-tools/smbldap-useradd.pl b/examples/LDAP/smbldap-tools/smbldap-useradd.pl
new file mode 100755
index 0000000000..508487af93
--- /dev/null
+++ b/examples/LDAP/smbldap-tools/smbldap-useradd.pl
@@ -0,0 +1,460 @@
+#!/usr/bin/perl
+
+# This code was developped by IDEALX (http://IDEALX.org/) and
+# contributors (their names can be found in the CONTRIBUTORS file).
+#
+# Copyright (C) 2002 IDEALX
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+# USA.
+
+# Purpose of smbldap-useradd : user (posix,shadow,samba) add
+
+use strict;
+use smbldap_tools;
+use smbldap_conf;
+
+
+#####################
+
+use Getopt::Std;
+my %Options;
+
+my $ok = getopts('axnmwPG:u:g:d:s:c:k:A:B:C:D:E:F:H:?', \%Options);
+
+if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) {
+ print "Usage: $0 [-awmugdsckGPABCDEFH?] username\n";
+ print " -a is a Windows User (otherwise, Posix stuff only)\n";
+ print " -w is a Windows Workstation (otherwise, Posix stuff only)\n";
+ print " -x creates rid and primaryGroupID in hex instead of decimal\n";
+ print " -u uid\n";
+ print " -g gid\n";
+ print " -G supplementary comma-separated groups\n";
+ print " -n do not create a group\n";
+ print " -d home\n";
+ print " -s shell\n";
+ print " -c gecos\n";
+ print " -m creates home directory and copies /etc/skel\n";
+ print " -k skeleton dir (with -m)\n";
+ print " -P ends by invoking smbldap-passwd.pl\n";
+ print " -A can change password ? 0 if no, 1 if yes\n";
+ print " -B must change password ?
0 if no, 1 if yes\n";
+ print " -C smbHome (SMB home share, like '\\\\PDC-SRV\\homes')\n";
+ print " -D homeDrive (letter associated with home share, like 'H:')\n";
+ print " -E scriptPath (DOS script to execute on login)\n";
+ print " -F profilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo')\n";
+ print " -H acctFlags (samba account control bits like '[NDHTUMWSLKI]')\n";
+ print " -? show this help message\n";
+ exit (1);
+}
+
+# cause problems when dealing with getpwuid because of the
+# negative ttl and ldap modification
+my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1";
+
+if ($nscd_status == 0) {
+ system "/etc/init.d/nscd stop > /dev/null 2>&1";
+}
+
+# Read options
+my $userUidNumber = $Options{'u'};
+if (!defined($userUidNumber)) {
+ # find first unused uid starting from $UID_START
+ while (defined(getpwuid($UID_START))) {
+ $UID_START++;
+ }
+ $userUidNumber = $UID_START;
+} elsif (getpwuid($userUidNumber)) { die "Uid already exists.\n"; }
+
+if ($nscd_status == 0) {
+ system "/etc/init.d/nscd start > /dev/null 2>&1";
+}
+
+
+# as rid we use 2 * uid + 1000
+my $userRid = 2 * $userUidNumber + 1000;
+if (defined($Options{'x'})) {
+ $userRid= sprint("%x", $userRid);
+}
+
+my $createGroup = 0;
+my $userGidNumber = $Options{'g'};
+# gid not specified ?
+if (!defined($userGidNumber)) {
+ # windows machine => $_defaultComputerGid
+ if (defined($Options{'w'})) {
+ $userGidNumber = $_defaultComputerGid;
+# } elsif (!defined($Options{'n'})) {
+ # create new group (redhat style)
+ # find first unused gid starting from $GID_START
+# while (defined(getgrgid($GID_START))) {
+# $GID_START++;
+# }
+# $userGidNumber = $GID_START;
+
+# $createGroup = 1;
+
+ } else {
+ # user will have gid = $_defaultUserGid
+ $userGidNumber = $_defaultUserGid;
+ }
+} else {
+ my $gid;
+ if (($gid = parse_group($userGidNumber)) < 0) {
+ print "$0: unknown group $userGidNumber\n";
+ exit (6);
+ }
+ $userGidNumber = $gid;
+}
+
+# as grouprid we use 2 * gid + 1001
+my $userGroupRid = 2 * $userGidNumber + 1001;
+if (defined($Options{'x'})) {
+ $userGroupRid = sprint("%x", $userGroupRid);
+}
+# Read only first @ARGV
+my $userName = $ARGV[0];
+
+# user must not exist in LDAP (should it be nss-wide ?)
+my ($rc, $dn) = get_user_dn2($userName);
+if ($rc and defined($dn)) {
+ print "$0: user $userName exists\n";
+ exit (9);
+} elsif (!$rc) {
+ print "$0: error in get_user_dn2\n";
+ exit(10);
+}
+
+my $userHomeDirectory;
+my $tmp;
+if (!defined($userHomeDirectory = $Options{'d'}))
+{
+ $userHomeDirectory = $_userHomePrefix.$userName;
+}
+$_userLoginShell = $tmp if (defined($tmp = $Options{'s'}));
+$_userGecos = $tmp if (defined($tmp = $Options{'c'}));
+$_skeletonDir = $tmp if (defined($tmp = $Options{'k'}));
+
+########################
+
+# MACHINE ACCOUNT
+if (defined($tmp = $Options{'w'})) {
+
+ # add a trailing dollar if missing
+ if ($userName =~ /[^\$]$/s) {
+ $userName .= "\$";
+ }
+
+ #print "About to create machine $userName:\n";
+
+ if (!add_posix_machine ($userName, $userUidNumber, $userGidNumber)) {
+ die "$0: error while adding posix account\n";
+ }
+
+ if (!$with_smbpasswd) {
+ if (!add_samba_machine_mkntpwd($userName, $userUidNumber)) {
+ die "$0: error while adding samba account\n";
+ }
+ } else {
+ if (!add_samba_machine($userName)) {
+
die "$0: error while adding samba account\n";
+ }
+
+ my $tmpldif =
+"dn: uid=$userName,$computersdn
+changetype: modify
+acctFlags: [W ]
+
+";
+ die "$0: error while modifying accountflags of $userName\n"
+ unless (do_ldapmodify($tmpldif) == 0);
+ undef $tmpldif;
+ }
+
+ exit 0;
+}
+
+#######################
+
+# USER ACCOUNT
+
+# add posix account first
+
+my $tmpldif =
+"dn: uid=$userName,$usersdn
+objectclass: top
+objectclass: account
+objectclass: posixAccount
+cn: $userName
+uid: $userName
+uidNumber: $userUidNumber
+gidNumber: $userGidNumber
+homeDirectory: $userHomeDirectory
+loginShell: $_userLoginShell
+gecos: $_userGecos
+description: $_userGecos
+userPassword: {crypt}x
+
+";
+
+die "$0: error while adding posix user $userName\n"
+ unless (do_ldapadd($tmpldif) == 0);
+
+undef $tmpldif;
+
+#if ($createGroup) {
+# group_add($userName, $userGidNumber);
+#}
+
+group_add_user($userGidNumber, $userName);
+
+my $grouplist;
+# adds to supplementary groups
+if (defined($grouplist = $Options{'G'})) {
+ add_grouplist_user($grouplist, $userName);
+}
+
+# If user was created successfully then we should create his/her home dir
+if (defined($tmp = $Options{'m'})) {
+ if ( !(-e $userHomeDirectory) ) {
+ system "mkdir $userHomeDirectory 2>/dev/null";
+ system "cp -a $_skeletonDir/.[a-z,A-Z]* $_skeletonDir/* $userHomeDirectory 2>/dev/null";
+ system "chown -R $userUidNumber:$userGidNumber $userHomeDirectory 2>/dev/null";
+ system "chmod 700 $userHomeDirectory 2>/dev/null";
+ }
+}
+
+
+# Add Samba user infos
+if (defined($Options{'a'})) {
+ if (!$with_smbpasswd) {
+
+ my $winmagic = 2147483647;
+ my $valpwdcanchange = 0;
+ my $valpwdmustchange = $winmagic;
+ my $valacctflags = "[UX]";
+
+ if (defined($tmp = $Options{'A'})) {
+ if ($tmp != 0) {
+ $valpwdcanchange = "0";
+ } else {
+ $valpwdcanchange = "$winmagic";
+ }
+ }
+
+ if (defined($tmp = $Options{'B'})) {
+ if ($tmp != 0) {
+ $valpwdmustchange = "0";
+ } else {
+ $valpwdmustchange = "$winmagic";
+ }
+ }
+
+ if
(defined($tmp = $Options{'H'})) {
+ $valacctflags = "$tmp";
+ }
+
+ my $tmpldif =
+"dn: uid=$userName,$usersdn
+changetype: modify
+objectclass: top
+objectclass: account
+objectclass: posixAccount
+objectClass: sambaAccount
+pwdLastSet: 0
+logonTime: 0
+logoffTime: 2147483647
+kickoffTime: 2147483647
+pwdCanChange: $valpwdcanchange
+pwdMustChange: $valpwdmustchange
+displayName: $_userGecos
+acctFlags: $valacctflags
+rid: $userRid
+
+";
+
+ die "$0: error while adding samba account to posix user $userName\n"
+ unless (do_ldapmodify($tmpldif) == 0);
+
+ undef $tmpldif;
+ } else {
+ my $FILE="|smbpasswd -s -a $userName >/dev/null" ;
+ open (FILE, $FILE) || die "$!\n";
+ print FILE < 2)
+
+ -c comment
+ The new user's comment field (gecos).
+
+ -d home_dir
+ The new user will be created using home_dir as the value for the
+ user's login directory. The default is to append the login name
+ to default_home and use that as the login directory name.
+
+ -g initial_group
+ The group name or number of the user's initial login group. The
+ group name must exist. A group number must refer to an already
+ existing group. The default group number is 1.
+
+ -G group,[...]
+ A list of supplementary groups which the user is also a member
+ of. Each group is separated from the next by a comma, with no
+ intervening whitespace. The groups are subject to the same
+ restrictions as the group given with the -g option. The default
+ is for the user to belong only to the initial group.
+
+ -m The user's home directory will be created if it does not exist.
+ The files contained in skeleton_dir will be copied to the home
+ directory if the -k option is used, otherwise the files con
+ tained in /etc/skel will be used instead. Any directories con
+ tained in skeleton_dir or /etc/skel will be created in the
+ user's home directory as well. The -k option is only valid in
+ conjunction with the -m option. The default is to not create
+ the directory and to not copy any files.
+
+ -s shell
+ The name of the user's login shell. The default is to leave
+ this field blank, which causes the system to select the default
+ login shell.
+
+ -u uid The numerical value of the user's ID. This value must be
+ unique, unless the -o option is used. The value must be non-
+ negative. The default is to use the smallest ID value greater
+ than 1000 and greater than every other user.
+
+ -P ends by invoking smbldap-passwd.pl
+
+ -A can change password ? 0 if no, 1 if yes
+
+ -B must change password ? 0 if no, 1 if yes
+
+ -C smbHome (SMB home share, like '\\\\PDC-SRV\\homes')
+
+ -D homeDrive (letter associated with home share, like 'H:')
+
+ -E scriptPath, relative to the [netlogon] share (DOS script to execute on login, like 'foo.bat')
+
+ -F profilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo')
+
+ -H acctFlags, spaces and trailing bracket are ignored (samba account control bits like '[NDHTUMWSLKI]')
+
+=head1 SEE ALSO
+
+ useradd(1)
+
+=cut
+
+#'
diff --git a/examples/LDAP/smbldap-tools/smbldap-userdel.pl b/examples/LDAP/smbldap-tools/smbldap-userdel.pl
new file mode 100755
index 0000000000..54309fa5db
--- /dev/null
+++ b/examples/LDAP/smbldap-tools/smbldap-userdel.pl
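Review bot: `$userRid= sprint("%x", $userRid);` and the matching `$userGroupRid = sprint("%x", $userGroupRid);` call `sprint`, which is not a Perl builtin, so under `use strict` the `-x` option dies at runtime with "Undefined subroutine &main::sprint"; both should be `sprintf`. The same typo is in the smbldap-usermod.pl hunk (`$_userRid= sprint("%x", $_userRid);`). The `-m` branch builds its four commands by string interpolation (`system "mkdir $userHomeDirectory 2>/dev/null";` and the `cp -a`, `chown -R`, `chmod 700` lines) and discards every exit status, so a `-d` path with whitespace or shell metacharacters is mis-parsed by the shell and a failed skeleton copy or chown goes unreported; the builtins `mkdir $userHomeDirectory, 0700 or die "$0: mkdir $userHomeDirectory: $!\n";`, `chown` and `chmod`, plus `glob` with a list-form `system('cp', '-a', @skel, $userHomeDirectory) == 0 or warn ...`, keep the path out of the shell and surface errors. The hunk text is truncated by extraction at `print FILE <` (the smbpasswd heredoc and the code up to the POD are missing), so that stretch is not reviewed.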
@@ -0,0 +1,122 @@
+#!/usr/bin/perl
+
+# This code was developped by IDEALX (http://IDEALX.org/) and
+# contributors (their names can be found in the CONTRIBUTORS file).
+#
+# Copyright (C) 2001-2002 IDEALX
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+# USA.
+
+# Purpose of smbldap-userdel : user (posix,shadow,samba) deletion
+
+use strict;
+use smbldap_tools;
+
+
+#####################
+
+use Getopt::Std;
+my %Options;
+
+my $ok = getopts('r?', \%Options);
+
+if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) {
+ print "Usage: $0 [-r?]
username\n";
+ print " -r remove home directory\n";
+ exit (1);
+}
+
+# Read only first @ARGV
+my $user = $ARGV[0];
+
+my $dn;
+# user must not exist in LDAP
+if (!defined($dn=get_user_dn($user))) {
+ print "$0: user $user does not exist\n";
+ exit (6);
+}
+
+if ($< != 0) {
+ print "You must be root to delete an user\n";
+ exit (1);
+}
+
+my $homedir;
+if (defined($Options{'r'})) {
+ $homedir=get_homedir($user);
+}
+
+# remove user from groups
+my $groups = find_groups_of $user;
+my @grplines = split(/\n/, $groups);
+
+my $grp;
+foreach $grp (@grplines) {
+ my $gname = "";
+ if ( $grp =~ /dn: cn=([^,]+),/) {
+ $gname = $1;
+ #print "xx $gname\n";
+ }
+ if ($gname ne "") {
+ group_remove_member($gname, $user);
+ }
+}
+
+# XXX
+delete_user($user);
+
+# delete dir -- be sure that homeDir is not a strange value
+if (defined($Options{'r'})) {
+ if ($homedir !~ /^\/dev/ and $homedir !~ /^\/$/) {
+ system "rm -rf $homedir";
+ }
+}
+
+my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1";
+
+if ($nscd_status == 0) {
+ system "/etc/init.d/nscd restart > /dev/null 2>&1";
+}
+
+exit (0);
+
+############################################################
+
+=head1 NAME
+
+ smbldap-userdel.pl - Delete a user account and related files
+
+=head1 SYNOPSIS
+
+ smbldap-userdel.pl [-r] login
+
+=head1 DESCRIPTION
+
+ The smbldap-userdel.pl command modifies the system
+ account files, deleting all entries that refer to login.
+ The named user must exist.
+
+ -r Files in the user's home directory will be removed along with
+ the home directory itself. Files located in other file
+ systems will have to be searched for and deleted manually.
+
+=head1 SEE ALSO
+
+ userdel(1)
+
+=cut
+
+#'
diff --git a/examples/LDAP/smbldap-tools/smbldap-usermod.pl b/examples/LDAP/smbldap-tools/smbldap-usermod.pl
new file mode 100755
index 0000000000..016d7b5422
--- /dev/null
+++ b/examples/LDAP/smbldap-tools/smbldap-usermod.pl
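Review bot: `system "rm -rf $homedir";` removes whatever `get_homedir` returned from the user's LDAP entry, guarded only by `$homedir !~ /^\/dev/ and $homedir !~ /^\/$/`; an undefined or empty value, a relative path, a path containing `..`, whitespace or shell metacharacters, or a shared parent directory all pass the guard, and the string form hands the value to a shell as root. Tightening the guard and using the list form keeps the deletion bounded to one existing absolute directory, as below; checking that the directory is owned by the deleted account would be stronger still, but the account's uid is not available at this point in the hunk. Also the root check `if ($< != 0)` runs only after the LDAP lookup, and `find_groups_of $user` is a bareword-style call; moving the check to the top and writing `find_groups_of($user)` makes both clearer.
```perl
# delete dir -- be sure that homeDir is a sane absolute path
if (defined($Options{'r'})) {
    if (defined($homedir) && $homedir =~ m{^/} && $homedir !~ m{(^|/)\.\.(/|$)}
        && $homedir !~ m{^/dev} && $homedir ne '/' && -d $homedir) {
        system('rm', '-rf', '--', $homedir) == 0
            or print STDERR "$0: could not remove $homedir\n";
    }
}
```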
@@ -0,0 +1,403 @@ +#!/usr/bin/perl + +# This code was developped by IDEALX (http://IDEALX.org/) and +# contributors (their names can be found in the CONTRIBUTORS file). +# +# Copyright (C) 2001-2002 IDEALX +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, +# USA. + +# Purpose of smbldap-usermod : user (posix,shadow,samba) modification + +use strict; +use smbldap_tools; +use smbldap_conf; + + +##################### + +use Getopt::Std; +my %Options; +my $nscd_status; + +my $ok = getopts('A:B:C:D:E:F:H:IJxme:f:u:g:G:d:l:s:c:ok:?', \%Options); +if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) { + print "Usage: $0 [-awmugdsckxABCDEFGHI?] username\n"; + print " -c gecos\n"; + print " -d home directory\n"; + #print " -m move home directory\n"; + #print " -e expire date (YYYY-MM-DD)\n"; + #print " -f inactive days\n"; + print " -u uid\n"; + print " -o uid can be non unique\n"; + print " -g gid\n"; + print " -G supplementary groups (comma separated)\n"; + print " -l login name\n"; + print " -s shell\n"; + print " -x creates rid and primaryGroupID in hex instead of decimal (for Samba 2.2.2 unpatched only)\n"; + print " -A can change password ? 0 if no, 1 if yes\n"; + print " -B must change password ? 
0 if no, 1 if yes\n"; + print " -C smbHome (SMB home share, like '\\\\PDC-SRV\\homes')\n"; + print " -D homeDrive (letter associated with home share, like 'H:')\n"; + print " -E scriptPath (DOS script to execute on login)\n"; + print " -F profilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo')\n"; + print " -H acctFlags (samba account control bits like '[NDHTUMWSLKI]')\n"; + print " -I disable an user. Can't be used with -H or -J\n"; + print " -J enable an user. Can't be used with -H or -I\n"; + print " -? show this help message\n"; + exit (1); +} + +if ($< != 0) { + print "You must be root to modify an user\n"; + exit (1); +} + +# Read only first @ARGV +my $user = $ARGV[0]; + +# Read user datas +my $lines = read_user($user); +if (!defined($lines)) { + print "$0: user $user doesn't exist\n"; + exit (1); +} + +#print "$lines\n"; +my $dn_line; +if ( $lines =~ /(^dn: .*)/ ) { + $dn_line = $1; +} + +chomp($dn_line); + +my $samba = 0; +if ($lines =~ m/objectClass: sambaAccount/) { + $samba = 1; +} + +############ + +my $tmp; +my $mods; + +# Process options +my $changed_uid; +my $_userUidNumber; +my $_userRid; +if (defined($tmp = $Options{'u'})) { + if (defined($Options{'o'})) { + $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1"; + + if ($nscd_status == 0) { + system "/etc/init.d/nscd stop > /dev/null 2>&1"; + } + + if (getpwuid($tmp)) { + if ($nscd_status == 0) { + system "/etc/init.d/nscd start > /dev/null 2>&1"; + } + + print "$0: uid number $tmp exists\n"; + exit (6); + } + if ($nscd_status == 0) { + system "/etc/init.d/nscd start > /dev/null 2>&1"; + } + + } + $_userUidNumber = $tmp; + # as rid we use 2 * uid + 1000 + my $_userRid = 2 * $_userUidNumber + 1000; + if (defined($Options{'x'})) { + $_userRid= sprint("%x", $_userRid); + } + $mods .= "uidNumber: $_userUidNumber\n"; + if ($samba) { + $mods .= "rid: $_userRid\n"; + } + $changed_uid = 1; +} + +my $changed_gid; +my $_userGidNumber; +my $_userGroupRid; +if (defined($tmp = 
$Options{'g'})) { + $_userGidNumber = parse_group($tmp); + if ($_userGidNumber < 0) { + print "$0: group $tmp doesn't exist\n"; + exit (6); + } +# as grouprid we use 2 * gid + 1001 + my $_userGroupRid = 2 * $_userGidNumber + 1001; + if (defined($Options{'x'})) { + $_userGroupRid = sprint("%x", $_userGroupRid); + } + $mods .= "gidNumber: $_userGidNumber\n"; + if ($samba) { + $mods .= "primaryGroupID: $_userGroupRid\n"; + } + $changed_gid = 1; +} + +my $changed_shell; +my $_userLoginShell; +if (defined($tmp = $Options{'s'})) { + $_userLoginShell = $tmp; + $mods .= "loginShell: $_userLoginShell\n"; + $changed_shell = 1; +} + +my $changed_gecos; +my $_userGecos; +if (defined($tmp = $Options{'c'})) { + $_userGecos = $tmp; + $mods .= "gecos: $_userGecos\n"; + $changed_gecos = 1; +} + +my $changed_homedir; +my $newhomedir; +if (defined($tmp = $Options{'d'})) { + $newhomedir = $tmp; + $mods .= "homeDirectory: $newhomedir\n"; + $changed_homedir = 1; +} + + +if (defined($tmp = $Options{'G'})) { + + # remove user from old groups + my $groups = find_groups_of $user; + my @grplines = split(/\n/, $groups); + + my $grp; + foreach $grp (@grplines) { + my $gname = ""; + if ( $grp =~ /dn: cn=([^,]+),/) { + $gname = $1; + #print "xx $gname\n"; + } + if ($gname ne "") { + group_remove_member($gname, $user); + } + } + + # add user to new groups + add_grouplist_user($tmp, $user); +} + +# +# A : pwdCanChange +# B : pwdMustChange +# C : smbHome +# D : homeDrive +# E : scriptPath +# F : profilePath +# H : acctFlags + +my $attr; +my $winmagic = 2147483647; + +if (defined($tmp = $Options{'A'})) { + $attr = "pwdCanChange"; + if ($tmp != 0) { + $mods .= "$attr: 0\n"; + } else { + $mods .= "$attr: $winmagic\n"; + } +} + +if (defined($tmp = $Options{'B'})) { + $attr = "pwdMustChange"; + if ($tmp != 0) { + $mods .= "$attr: 0\n"; + } else { + $mods .= "$attr: $winmagic\n"; + } +} + +if (defined($tmp = $Options{'C'})) { + $attr = "smbHome"; + #$tmp =~ s/\\/\\\\/g; + $mods .= "$attr: $tmp\n"; +} + 
+if (defined($tmp = $Options{'D'})) { + $attr = "homeDrive"; + $tmp = $tmp.":" unless ($tmp =~ /:/); + $mods .= "$attr: $tmp\n"; +} + +if (defined($tmp = $Options{'E'})) { + $attr = "scriptPath"; + #$tmp =~ s/\\/\\\\/g; + $mods .= "$attr: $tmp\n"; +} + +if (defined($tmp = $Options{'F'})) { + $attr = "profilePath"; + #$tmp =~ s/\\/\\\\/g; + $mods .= "$attr: $tmp\n"; +} + +if (defined($tmp = $Options{'H'})) { + $attr = "acctFlags"; + #$tmp =~ s/\\/\\\\/g; + $mods .= "$attr: $tmp\n"; +} elsif (defined($tmp = $Options{'I'})) { + my $flags; + + if ( $lines =~ /^acctFlags: (.*)/m ) { + $flags = $1; + } + + chomp($flags); + + if ( !($flags =~ /D/) ) { + my $letters; + if ($flags =~ /(\w+)/) { + $letters = $1; + } + $mods .= "acctFlags: \[D$letters\]\n"; + } +} elsif (defined($tmp = $Options{'J'})) { + my $flags; + + if ( $lines =~ /^acctFlags: (.*)/m ) { + $flags = $1; + } + + chomp($flags); + + if ( $flags =~ /D/ ) { + my $letters; + if ($flags =~ /(\w+)/) { + $letters = $1; + } + $letters =~ s/D//; + $mods .= "acctFlags: \[$letters\]\n"; + } +} + +if ($mods ne '') { + #print "----\n$dn_line\n$mods\n----\n"; + + my $tmpldif = +"$dn_line +changetype: modify +$mods +"; + + die "$0: error while modifying user $user\n" + unless (do_ldapmodify($tmpldif) == 0); + + undef $tmpldif; +} + +$nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1"; + +if ($nscd_status == 0) { + system "/etc/init.d/nscd restart > /dev/null 2>&1"; +} + + +############################################################ + +=head1 NAME + + smbldap-usermod.pl - Modify a user account + +=head1 SYNOPSIS + + smbldap-usermod.pl [-c comment] [-d home_dir] + [-g initial_group] [-G group[,...]] + [-l login_name] [-p passwd] + [-s shell] [-u uid [ -o]] [-x] + [-A canchange] [-B mustchange] [-C smbhome] + [-D homedrive] [-E scriptpath] [-F profilepath] + [-H acctflags] login + +=head1 DESCRIPTION + + The smbldap-usermod.pl command modifies the system account files + to reflect the changes that are specified 
on the command line. + The options which apply to the usermod command are + + -c comment + The new value of the user's comment field (gecos). + + -d home_dir + The user's new login directory. + + -g initial_group + The group name or number of the user's new initial login group. + The group name must exist. A group number must refer to an + already existing group. The default group number is 1. + + -G group,[...] + A list of supplementary groups which the user is also a member + of. Each group is separated from the next by a comma, with no + intervening whitespace. The groups are subject to the same + restrictions as the group given with the -g option. If the user + is currently a member of a group which is not listed, the user + will be removed from the group + + -l login_name + The name of the user will be changed from login to login_name. + Nothing else is changed. In particular, the user's home direc + tory name should probably be changed to reflect the new login + name. + + -s shell + The name of the user's new login shell. Setting this field to + blank causes the system to select the default login shell. + + -u uid The numerical value of the user's ID. This value must be + unique, unless the -o option is used. The value must be non- + negative. Any files which the user owns and which are + located in the directory tree rooted at the user's home direc + tory will have the file user ID changed automatically. Files + outside of the user's home directory must be altered manually. + + -x Creates rid and primaryGroupID in hex instead of decimal (for + Samba 2.2.2 unpatched only - higher versions always use decimal) + + -A can change password ? 0 if no, 1 if yes + + -B must change password ? 
0 if no, 1 if yes + + -C smbHome (SMB home share, like '\\\\PDC-SRV\\homes') + + -D homeDrive (letter associated with home share, like 'H:') + + -E scriptPath, relative to the [netlogon] share (DOS script to execute on login, like 'foo.bat') + + -F profilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo') + + -H acctFlags, spaces and trailing bracket are ignored (samba account control bits like '[NDHTUMWSLKI]') + + -I disable user. Can't be used with -H or -J + + -J enable user. Can't be used with -H or -I + +=head1 SEE ALSO + + usermod(1) + +=cut + +#' diff --git a/examples/LDAP/smbldap-tools/smbldap-usershow.pl b/examples/LDAP/smbldap-tools/smbldap-usershow.pl new file mode 100755 index 0000000000..b05f087620 --- /dev/null +++ b/examples/LDAP/smbldap-tools/smbldap-usershow.pl 
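Review bot: `$_userRid= sprint("%x", $_userRid)` and the matching `$_userGroupRid = sprint("%x", $_userGroupRid)` line call a subroutine that does not exist — the builtin is `sprintf` — so every run with `-x` dies with an undefined-subroutine error before any modification is written; change both to `sprintf("%x", ...)`. The `-o` handling is inverted against its own usage text and POD: the `getpwuid` uniqueness check only runs when `-o` is given, whereas "must be unique, unless -o" needs `unless (defined($Options{'o'}))`. Every option value is concatenated into `$mods` as a raw LDIF line, so a value containing a newline (for instance passed to `-c` or `-d`) becomes an extra attribute line in the modify request; reject such values with `die "$0: newline in option value\n" if $tmp =~ /\n/;` (or emit them base64-encoded with the `::` form) before appending. Finally `-l`, `-m`, `-e`, `-f` and `-k` are accepted by `getopts`, and `-l` is described in both the usage text and the POD, yet none of them is ever read, so the option list should be trimmed or the POD should say they are not implemented.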
@@ -0,0 +1,69 @@ +#!/usr/bin/perl + +# This code was developped by IDEALX (http://IDEALX.org/) and +# contributors (their names can be found in the CONTRIBUTORS file). +# +# Copyright (C) 2001-2002 IDEALX +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, +# USA. + +# Purpose of smbldap-userdisplay : user (posix,shadow,samba) display + +use strict; +use smbldap_tools; + +use Getopt::Std; +my %Options; + +my $ok = getopts('?', \%Options); + +if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) { + print "Usage: $0 [-?] username\n"; + print " -? show this help message\n"; + exit (1); +} + +# Read only first @ARGV +my $user = $ARGV[0]; + +my $lines = read_user($user); +if (!defined($lines)) { + print "$0: user $user doesn't exist\n"; + exit (1); +} + +print "$lines\n"; + +exit(0); + +############################################################ + +=head1 NAME + + smbldap-usershow.pl - Show a user account informations + +=head1 SYNOPSIS + + smbldap-usershow.pl login + +=head1 DESCRIPTION + + The smbldap-usershow.pl command displays the informations + associated with the login. The named user must exist. + +=cut + +#' diff --git a/examples/LDAP/smbldap-tools/smbldap_conf.pm b/examples/LDAP/smbldap-tools/smbldap_conf.pm new file mode 100644 index 0000000000..9a5a116b98 --- /dev/null 
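Review bot: The `print "$lines\n"` outputs whatever `read_user` returns, which is the full entry fetched with the configured bind DN and no attribute list, so for a sambaAccount the `lmpassword`/`ntpassword` hashes (the attributes written by `add_samba_machine_mkntpwd` elsewhere in this commit) are echoed to the terminal of anyone able to run the script — and unlike the sibling scripts there is no `$<` root check here. Either add the same root check the other scripts perform or strip those attributes before printing, e.g. `$lines =~ s/^(?:lm|nt)password:.*\n//gim;`. The purpose comment also names `smbldap-userdisplay` while the file and its POD are `smbldap-usershow.pl`; suggest `# Purpose of smbldap-usershow : user (posix,shadow,samba) display`.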
+++ b/examples/LDAP/smbldap-tools/smbldap_conf.pm 
@@ -0,0 +1,249 @@ +#!/usr/bin/perl +use strict; +package smbldap_conf; + +# smbldap-tools.conf : Q & D configuration file for smbldap-tools + +# This code was developped by IDEALX (http://IDEALX.org/) and +# contributors (their names can be found in the CONTRIBUTORS file). +# +# Copyright (C) 2001-2002 IDEALX +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, +# USA. + +# Purpose : +# . 
be the configuration file for all smbldap-tools scripts + +use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS +$UID_START $GID_START $smbpasswd $slaveLDAP $masterLDAP +$with_smbpasswd $mk_ntpasswd +$ldap_path $ldap_opts $ldapsearch $ldapsearchnobind +$ldapmodify $ldappasswd $ldapadd $ldapdelete $ldapmodrdn +$suffix $usersdn $computersdn +$groupsdn $scope $binddn $bindpasswd +$slaveDN $slavePw $masterDN $masterPw +$_userLoginShell $_userHomePrefix $_userGecos +$_defaultUserGid $_defaultComputerGid +$_skeletonDir $_userSmbHome +$_userProfile $_userHomeDrive +$_userScript $usersou $computersou $groupsou +); + +use Exporter; +$VERSION = 1.00; +@ISA = qw(Exporter); + +@EXPORT = qw( +$UID_START $GID_START $smbpasswd $slaveLDAP $masterLDAP +$with_smbpasswd $mk_ntpasswd +$ldap_path $ldap_opts $ldapsearch $ldapsearchnobind $ldapmodify $ldappasswd +$ldapadd $ldapdelete $ldapmodrdn $suffix $usersdn +$computersdn $groupsdn $scope $binddn $bindpasswd +$slaveDN $slavePw $masterDN $masterPw +$_userLoginShell $_userHomePrefix $_userGecos +$_defaultUserGid $_defaultComputerGid $_skeletonDir +$_userSmbHome $_userProfile $_userHomeDrive $_userScript +$usersou $computersou $groupsou +); + + +############################################################################## +# +# General Configuration +# +############################################################################## + +# +# UID and GID starting at... +# + +$UID_START = 1000; +$GID_START = 1000; + +############################################################################## +# +# LDAP Configuration +# +############################################################################## + +# Notes: to use to dual ldap servers backend for Samba, you must patch +# Samba with the dual-head patch from IDEALX. If not using this patch +# just use the same server for slaveLDAP and masterLDAP. 
+# +# Slave LDAP : needed for read operations +# +# Ex: $slaveLDAP = "127.0.0.1"; +$slaveLDAP = "_SLAVELDAP_"; + +# +# Master LDAP : needed for write operations +# +# Ex: $masterLDAP = "127.0.0.1"; +$masterLDAP = "_MASTERLDAP_"; + +# +# LDAP Suffix +# +# Ex: $suffix = "dc=IDEALX,dc=ORG"; +$suffix = "_SUFFIX_"; + +# +# Where are stored Users +# +# Ex: $usersdn = "ou=Users,$suffix"; for ou=Users,dc=IDEALX,dc=ORG +$usersou = q(_USERS_); + +$usersdn = "ou=$usersou,$suffix"; + +# +# Where are stored Computers +# +# Ex: $computersdn = "ou=Computers,$suffix"; for ou=Computers,dc=IDEALX,dc=ORG +$computersou = q(_COMPUTERS_); + +$computersdn = "ou=$computersou,$suffix"; + +# +# Where are stored Groups +# +# Ex $groupsdn = "ou=Groups,$suffix"; for ou=Groups,dc=IDEALX,dc=ORG +$groupsou = q(_GROUPS_); + +$groupsdn = "ou=$groupsou,$suffix"; + +# +# Default scope Used +# +$scope = "sub"; + +# +# Credential Configuration +# +# Bind DN used +# Ex: $binddn = "cn=Manager,$suffix"; for cn=Manager,dc=IDEALX,dc=org +$binddn = "_BINDDN_"; +# +# Bind DN passwd used +# Ex: $bindpasswd = 'secret'; for 'secret' +$bindpasswd = "_BINDPW_"; + +# +# Notes: if using dual ldap patch, you can specify to different configuration +# By default, we will use the same DN (so it will work for standard Samba +# release) +# +$slaveDN = $binddn; +$slavePw = $bindpasswd; +$masterDN = $binddn; +$masterPw = $bindpasswd; + +############################################################################## +# +# Unix Accounts Configuration +# +############################################################################## + +# Login defs +# +# Default Login Shell +# +# Ex: $_userLoginShell = q(/bin/bash); +$_userLoginShell = q(_LOGINSHELL_); + +# +# Home directory prefix (without username) +# +#Ex: $_userHomePrefix = q(/home/); +$_userHomePrefix = q(_USERHOMEPREFIX_); + +# +# Gecos +# +$_userGecos = q(System User); + +# +# Default User (POSIX and Samba) GID +# +$_defaultUserGid = 100; + +# +# Default Computer (Samba) 
GID +# +$_defaultComputerGid = 553; + +# +# Skel dir +# +$_skeletonDir = q(/etc/skel); + +############################################################################## +# +# SAMBA Configuration +# +############################################################################## + +# +# The UNC path to home drives location without the username last extension +# (will be dynamically prepended) +# Ex: q(\\\\My-PDC-netbios-name\\homes) for \\My-PDC-netbios-name\homes +$_userSmbHome = q(\\\\_PDCNAME_\\homes); + +# +# The UNC path to profiles locations without the username last extension +# (will be dynamically prepended) +# Ex: q(\\\\My-PDC-netbios-name\\profiles) for \\My-PDC-netbios-name\profiles +$_userProfile = q(\\\\_PDCNAME_\\profiles\\); + +# +# The default Home Drive Letter mapping +# (will be automatically mapped at logon time if home directory exist) +# Ex: q(U:) for U: +$_userHomeDrive = q(_HOMEDRIVE_:); + +# +# The default user netlogon script name +# if not used, will be automatically username.cmd +# +#$_userScript = q(startup.cmd); # make sure script file is edited under dos + + +############################################################################## +# +# SMBLDAP-TOOLS Configuration (default are ok for a RedHat) +# +############################################################################## + +# Allows not to use smbpasswd (if $with_smbpasswd == 0 in smbldap_conf.pm) but +# prefer mkntpwd... 
most of the time, it's a wise choice :-) +$with_smbpasswd = 0; +$smbpasswd = "/usr/bin/smbpasswd"; +$mk_ntpasswd = "/usr/local/sbin/mkntpwd"; + +$ldap_path = "/usr/bin"; +$ldap_opts = "-x"; +$ldapsearch = "$ldap_path/ldapsearch $ldap_opts -h $slaveLDAP -D '$slaveDN' -w '$slavePw'"; +$ldapsearchnobind = "$ldap_path/ldapsearch $ldap_opts -h $slaveLDAP"; +$ldapmodify = "$ldap_path/ldapmodify $ldap_opts -h $masterLDAP -D '$masterDN' -w '$masterPw'"; +$ldappasswd = "$ldap_path/ldappasswd $ldap_opts -h $masterLDAP -D '$masterDN' -w '$masterPw'"; +$ldapadd = "$ldap_path/ldapadd $ldap_opts -h $masterLDAP -D '$masterDN' -w '$masterPw'"; +$ldapdelete = "$ldap_path/ldapdelete $ldap_opts -h $masterLDAP -D '$masterDN' -w '$masterPw'"; +$ldapmodrdn = "$ldap_path/ldapmodrdn $ldap_opts -h $masterLDAP -D '$masterDN' -w '$masterPw'"; + + + +1; + +# - The End diff --git a/examples/LDAP/smbldap-tools/smbldap_tools.pm b/examples/LDAP/smbldap-tools/smbldap_tools.pm new file mode 100755 index 0000000000..0a451210f3 --- /dev/null +++ b/examples/LDAP/smbldap-tools/smbldap_tools.pm 
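Review bot: The `$ldapsearch`, `$ldapmodify`, `$ldappasswd`, `$ldapadd`, `$ldapdelete` and `$ldapmodrdn` command strings at the end of the file embed the bind password as `-w '$slavePw'` / `-w '$masterPw'`, so every invocation of any smbldap tool exposes the directory manager's password in the process argument list to all local users for the lifetime of the client process. Prefer passing the password through a file or a prompt (`-y` / `-W` on OpenLDAP clients that support them) instead of `-w`, and since `$bindpasswd` is stored in clear in this module, state in the header comment that the file must be readable by root only. The single-quote wrapping is also fragile: a password or DN containing `'` breaks the command string and nothing escapes it, so either reject such values at load time or build argument lists and use the list form of `system`/`open` in smbldap_tools.pm rather than one shell string.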
@@ -0,0 +1,583 @@ +#! /usr/bin/perl +use strict; +package smbldap_tools; +use smbldap_conf; + +# This code was developped by IDEALX (http://IDEALX.org/) and +# contributors (their names can be found in the CONTRIBUTORS file). +# +# Copyright (C) 2001-2002 IDEALX +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, +# USA. + + +# ugly funcs using global variables and spawning openldap clients + +use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS); +use Exporter; +$VERSION = 1.00; +@ISA = qw(Exporter); + +@EXPORT = qw( +get_user_dn +get_group_dn +is_samba_user +is_user_valid +get_dn_from_line +add_posix_machine +add_samba_machine +add_samba_machine_mkntpwd +group_add_user +add_grouplist_user +disable_user +delete_user +group_add +get_homedir +read_user +read_group +find_groups_of +parse_group +group_remove_member +group_get_members +do_ldapadd +do_ldapmodify +get_user_dn2 +); + +# dn_line = get_user_dn($username) +# where dn_line is like "dn: a=b,c=d" +sub get_user_dn +{ + my $user = shift; + my $dn=`$ldapsearch -b '$suffix' -s '$scope' '(&(objectclass=posixAccount)(uid=$user))' | grep "^dn:"`; + chomp $dn; + if ($dn eq '') { + return undef; + } + + return $dn; +} + +# return (success, dn) +sub get_user_dn2 +{ + my $user = shift; + + my $sr = `$ldapsearch -b '$suffix' -s '$scope' 
'(&(objectclass=posixAccount)(uid=$user))'`; + if ($sr eq "") { + print "get_user_dn2: error in ldapsearch : +$ldapsearch -b '$suffix' -s '$scope' '(&(objectclass=posixAccount)(uid=$user))'\n"; + return (0, undef); + } + + my @lines = split(/\n/, $sr); + + my @matches = grep(/^dn:/, @lines); + + my $dn = $matches[0]; + chomp $dn; + if ($dn eq '') { + return (1, undef); + } + + return (1, $dn); +} + +# dn_line = get_group_dn($groupname) +# where dn_line is like "dn: a=b,c=d" +sub get_group_dn +{ + my $group = shift; + my $dn=`$ldapsearch -b '$groupsdn' -s '$scope' '(&(objectclass=posixGroup)(|(cn=$group)(gidNumber=$group)))' | grep "^dn:"`; + chomp $dn; + if ($dn eq '') { + return undef; + } + + return $dn; +} + +# bool = is_samba_user($username) +sub is_samba_user +{ + my $user = shift; + my $cmd = "$ldapsearch -b '$suffix' -s '$scope' '(&(objectClass=sambaAccount)(uid=$user))' | grep '^dn:\'"; + my $res=`$cmd`; + chomp $res; + if ($res ne '') { + return 1; + } + return 0; +} + +# bool = is_user_valid($username) +# try to bind with user dn and password to validate current password +sub is_user_valid +{ + my ($user, $dn, $pass) = @_; + my $res=`$ldapsearchnobind -b '$usersdn' -s '$scope' -D '$dn' -w '$pass' '(&(objectclass=posixAccount)(uid=$user))' 2>/dev/null | grep "^dn:"`; + chomp $res; + if ($res eq '') { + return 0; + } + return 1; +} + +# dn = get_dn_from_line ($dn_line) +# helper to get "a=b,c=d" from "dn: a=b,c=d" +sub get_dn_from_line +{ + my $dn = shift; + $dn =~ s/^dn: //; + return $dn; +} + +# success = add_posix_machine($user, $uid, $gid) +sub add_posix_machine +{ + my ($user, $uid, $gid) = @_; + +my $tmpldif = +"dn: uid=$user,$computersdn +objectclass: top +objectclass: posixAccount +cn: $user +uid: $user +uidNumber: $uid +gidNumber: $gid +homeDirectory: /dev/null +loginShell: /bin/false +description: Computer + +"; + + die "$0: error while adding posix account to machine $user\n" + unless (do_ldapadd($tmpldif) == 0); + + undef $tmpldif; + + return 1; 
+} + +# success = add_samba_machine($computername) +sub add_samba_machine +{ + my $user = shift; + system "smbpasswd -a -m $user"; + + return 1; +} + +sub add_samba_machine_mkntpwd +{ + my ($user, $uid) = @_; + my $rid = 2 * $uid + 1000; # Samba 2.2.2 stuff + + my $name = $user; + $name =~ s/.$//s; + + if ($mk_ntpasswd eq '') { + print "Either set \$with_smbpasswd = 1 or specify \$mk_ntpasswd\n"; + return 0; + } + + my $ntpwd = `$mk_ntpasswd '$name'`; + chomp(my $lmpassword = substr($ntpwd, 0, index($ntpwd, ':'))); + chomp(my $ntpassword = substr($ntpwd, index($ntpwd, ':')+1)); + + my $tmpldif = +"dn: uid=$user,$computersdn +changetype: modify +objectclass: top +objectclass: posixAccount +objectClass: sambaAccount +pwdLastSet: 0 +logonTime: 0 +logoffTime: 2147483647 +kickoffTime: 2147483647 +pwdCanChange: 0 +pwdMustChange: 2147483647 +acctFlags: [W ] +lmpassword: $lmpassword +ntpassword: $ntpassword +rid: $rid +primaryGroupID: 0 + +"; + + die "$0: error while adding samba account to $user\n" + unless (do_ldapmodify($tmpldif) == 0); + undef $tmpldif; + + return 1; +} + + + +sub group_add_user +{ + my ($group, $userid) = @_; + my $dn_line; + + if (!defined($dn_line = get_group_dn($group))) { + return 1; + } + my $dn = get_dn_from_line($dn_line); + my $members = `$ldapsearch -b '$dn' -s base | grep -i "^memberUid:"`; + chomp($members); + # user already member ? 
+ if ($members =~ m/^memberUid: $userid/) { + return 2; + } + my $mods = ""; + if ($members ne '') { + $mods="$dn_line +changetype: modify +replace: memberUid +$members +memberUid: $userid +"; + } else { + $mods="$dn_line +changetype: modify +add: memberUid +memberUid: $userid +"; + } + + #print "$mods\n"; + + my $tmpldif = +"$mods +"; + + die "$0: error while modifying group $group\n" + unless (do_ldapmodify($tmpldif) == 0); + undef $tmpldif; + return 0; +} + +sub add_grouplist_user +{ + my ($grouplist, $user) = @_; + my @array = split(/,/, $grouplist); + foreach my $group (@array) { + group_add_user($group, $user); + } +} + +# XXX FIXME : acctFlags |= D, and not acctFlags = D +sub disable_user +{ + my $user = shift; + my $dn_line; + + if (!defined($dn_line = get_user_dn($user))) { + print "$0: user $user doesn't exist\n"; + exit (10); + } + + my $tmpldif = +"dn: $dn_line +changetype: modify +replace: userPassword +userPassword: {crypt}!x + +"; + + die "$0: error while modifying user $user\n" + unless (do_ldapmodify($tmpldif) == 0); + undef $tmpldif; + + if (is_samba_user($user)) { + + my $tmpldif = +"dn: $dn_line +changetype: modify +replace: acctFlags +acctFlags: [D ] + +"; + + die "$0: error while modifying user $user\n" + unless (do_ldapmodify($tmpldif) == 0); + undef $tmpldif; + + } + +} + +# delete_user($user) +sub delete_user +{ + my $user = shift; + my $dn_line; + + if (!defined($dn_line = get_user_dn($user))) { + print "$0: user $user doesn't exist\n"; + exit (10); + } + + my $dn = get_dn_from_line($dn_line); + system "$ldapdelete $dn >/dev/null"; +} + +# $success = group_add($groupname, $group_gid, $force_using_existing_gid) +sub group_add +{ + my ($gname, $gid, $force) = @_; + + my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1"; + + if ($nscd_status == 0) { + system "/etc/init.d/nscd stop > /dev/null 2>&1"; + } + + if (!defined($gid)) { + while (defined(getgrgid($GID_START))) { + $GID_START++; + } + $gid = $GID_START; + } else { + if 
(!defined($force)) { + if (defined(getgrgid($gid))) { + return 0; + } + } + } + + if ($nscd_status == 0) { + system "/etc/init.d/nscd start > /dev/null 2>&1"; + } + + my $tmpldif = +"dn: cn=$gname,$groupsdn +objectclass: posixGroup +cn: $gname +gidNumber: $gid + +"; + + die "$0: error while adding posix group $gname\n" + unless (do_ldapadd($tmpldif) == 0); + + undef $tmpldif; + + return 1; +} + +# $homedir = get_homedir ($user) +sub get_homedir +{ + my $user = shift; + my $homeDir=`$ldapsearch -b '$suffix' -s '$scope' '(&(objectclass=posixAccount)(uid=$user))' | grep "^homeDirectory:"`; + chomp $homeDir; + if ($homeDir eq '') { + return undef; + } + $homeDir =~ s/^homeDirectory: //; + + return $homeDir; +} + +# search for an user +sub read_user +{ + my $user = shift; + my $lines=`$ldapsearch -b '$suffix' -s '$scope' '(&(objectclass=posixAccount)(uid=$user))' -LLL`; + chomp $lines; + if ($lines eq '') { + return undef; + } + + return $lines; +} + +# search for a group +sub read_group +{ + my $user = shift; + my $lines=`$ldapsearch -b '$groupsdn' -s '$scope' '(&(objectclass=posixGroup)(cn=$user))' -LLL`; + chomp $lines; + if ($lines eq '') { + return undef; + } + + return $lines; +} + +# find groups of a given user +sub find_groups_of +{ + my $user = shift; + my $lines=`$ldapsearch -b '$groupsdn' -s '$scope' '(&(objectclass=posixGroup)(memberuid=$user))' -LLL | grep "^dn: "`; + chomp $lines; + if ($lines eq '') { + return undef; + } + + return $lines; +} + +# return the gidnumber for a group given as name or gid +# -1 : bad group name +# -2 : bad gidnumber +sub parse_group +{ + my $userGidNumber = shift; + + if ($userGidNumber =~ /[^\d]/ ) { + my $gname = $userGidNumber; + my $gidnum = getgrnam($gname); + if ($gidnum !~ /\d+/) { + return -1; + } else { + $userGidNumber = $gidnum; + } + } elsif (!defined(getgrgid($userGidNumber))) { + return -2; + } + return $userGidNumber; +} + +# remove $user from $group +sub group_remove_member +{ + my ($group, $user) = @_; + + my 
$grp_line = get_group_dn($group); + if (!defined($grp_line)) { + return 0; + } + my $members = `$ldapsearch -b '$groupsdn' -s '$scope' '(&(objectclass=posixgroup)(cn=$group))' | grep -i "^memberUid:"`; + + #print "avant ---\n$members\n"; + $members =~ s/memberUid: $user\n//; + #print "----\n$members\n---\n"; + + chomp($members); + + my $header; + if ($members eq '') { + $header = "changetype: modify\n"; + $header .= "delete: memberUid"; + } else { + $header = "changetype: modify\n"; + $header .= "replace: memberUid"; + } + + my $tmpldif = +"$grp_line +$header +$members +"; + die "$0: error while modifying group $group\n" + unless (do_ldapmodify($tmpldif) == 0); + undef $tmpldif; + + return 1; +} + +sub group_get_members +{ + my ($group) = @_; + my @members; + + my $grp_line = get_group_dn($group); + if (!defined($grp_line)) { + return 0; + } + my $members = `$ldapsearch -b '$groupsdn' -s '$scope' '(&(objectclass=posixgroup)(cn=$group))' memberUid | grep -i "^memberUid:"`; + + my @lines = split (/\n/, $members); + foreach my $line (@lines) { + $line =~ s/^memberUid: //; + push(@members, $line); + } + + return @members; +} + +sub file_write { + my ($filename, $filecontent) = @_; + local *FILE; + open (FILE, "> $filename") || + die "Cannot open $filename for writing: $!\n"; + print FILE $filecontent; + close FILE; +} + +# wrapper for ldapadd +sub do_ldapadd2 +{ + my $ldif = shift; + + my $tempfile = "/tmp/smbldapadd.$$"; + file_write($tempfile, $ldif); + + my $rc = system "$ldapadd < $tempfile >/dev/null"; + unlink($tempfile); + return $rc; +} + +sub do_ldapadd +{ + my $ldif = shift; + + my $FILE = "|$ldapadd >/dev/null"; + open (FILE, $FILE) || die "$!\n"; + print FILE </dev/null"; + unlink($tempfile); + return $rc; +} + +sub do_ldapmodify +{ + my $ldif = shift; + + my $FILE = "|$ldapmodify -r >/dev/null"; + open (FILE, $FILE) || die "$!\n"; + print FILE < Date: Wed, 20 Aug 2003 21:53:18 +0000 Subject: adding old NDS schema so I can update it (This used to be commit 
25753e2a336a72dc2275a0046003c3a659a0f880) --- examples/LDAP/samba-nds.schema | 201 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 201 insertions(+) create mode 100644 examples/LDAP/samba-nds.schema (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba-nds.schema b/examples/LDAP/samba-nds.schema new file mode 100644 index 0000000000..99e56d75dc --- /dev/null +++ b/examples/LDAP/samba-nds.schema 
@@ -0,0 +1,201 @@ +-- +-- Submitted by Bruno Gimenes Pereti +-- +-- schema file for Novell's eDirectory 8.6 +-- + +SambaAccountSchemaExtensions DEFINITIONS ::= +BEGIN + +-- Password hashes +"lmPassword" ATTRIBUTE ::= +{ + Operation ADD, + SyntaxID SYN_CI_STRING, + Flags { DS_SINGLE_VALUED_ATTR }, + ASN1ObjID { 1 3 6 1 4 1 7165 2 1 1 } +} + +"ntPassword" ATTRIBUTE ::= +{ + Operation ADD, + SyntaxID SYN_CI_STRING, + Flags { DS_SINGLE_VALUED_ATTR }, + ASN1ObjID { 1 3 6 1 4 1 7165 2 1 2 } +} + +-- Account flags in string format ([UWDX ]) +"acctFlags" ATTRIBUTE ::= +{ + Operation ADD, + SyntaxID SYN_CI_STRING, + Flags { DS_SINGLE_VALUED_ATTR }, + ASN1ObjID { 1 3 6 1 4 1 7165 2 1 4 } +} + +-- Password timestamps & policies +"pwdLastSet" ATTRIBUTE ::= +{ + Operation ADD, + SyntaxID SYN_INTEGER, + Flags { DS_SINGLE_VALUED_ATTR }, + ASN1ObjID { 1 3 6 1 4 1 7165 2 1 3 } +} + +"logonTime" ATTRIBUTE ::= +{ + Operation ADD, + SyntaxID SYN_INTEGER, + Flags { DS_SINGLE_VALUED_ATTR }, + ASN1ObjID { 1 3 6 1 4 1 7165 2 1 5 } +} + +"logoffTime" ATTRIBUTE ::= +{ + Operation ADD, + SyntaxID SYN_INTEGER, + Flags { DS_SINGLE_VALUED_ATTR }, + ASN1ObjID { 1 3 6 1 4 1 7165 2 1 6 } +} + +"kickoffTime" ATTRIBUTE ::= +{ + Operation ADD, + SyntaxID SYN_INTEGER, + Flags { DS_SINGLE_VALUED_ATTR }, + ASN1ObjID { 1 3 6 1 4 1 7165 2 1 7 } +} + +"pwdCanChange" ATTRIBUTE ::= +{ + Operation ADD, + SyntaxID SYN_INTEGER, + Flags { DS_SINGLE_VALUED_ATTR }, + ASN1ObjID { 1 3 6 1 4 1 7165 2 1 8 } +} + +"pwdMustChange" ATTRIBUTE ::= +{ + Operation ADD, + SyntaxID SYN_INTEGER, + Flags { DS_SINGLE_VALUED_ATTR }, + ASN1ObjID { 1 3 6 1 4 1 7165 2 1 9 } +} + +-- string settings +"homeDrive" ATTRIBUTE ::= +{ + Operation ADD, + SyntaxID SYN_CI_STRING, + Flags { DS_SINGLE_VALUED_ATTR }, + ASN1ObjID { 1 3 6 1 4 1 7165 2 1 10 } +} + +"scriptPath" ATTRIBUTE ::= +{ + Operation ADD, + SyntaxID SYN_CI_STRING, + Flags { DS_SINGLE_VALUED_ATTR }, + ASN1ObjID { 1 3 5 1 4 1 7165 2 1 11 } +} + +"profilePath" ATTRIBUTE ::= +{ + 
Operation ADD, + SyntaxID SYN_CI_STRING, + Flags { DS_SINGLE_VALUED_ATTR }, + ASN1ObjID { 1 3 6 1 4 1 7165 2 1 12 } +} + +"userWorkstations" ATTRIBUTE ::= +{ + Operation ADD, + SyntaxID SYN_CI_STRING, + Flags { DS_SINGLE_VALUED_ATTR }, + ASN1ObjID { 1 3 6 1 4 1 7165 2 1 13 } +} + +"smbHome" ATTRIBUTE ::= +{ + Operation ADD, + SyntaxID SYN_CI_STRING, + ASN1ObjID { 1 3 6 1 4 1 7165 2 1 17 } +} + +"domain" ATTRIBUTE ::= +{ + Operation ADD, + SyntaxID SYN_CI_STRING, + ASN1ObjID { 1 3 6 1 4 1 7165 2 1 18 } +} + +-- user and group RID +"rid" ATTRIBUTE ::= +{ + Operation ADD, + SyntaxID SYN_INTEGER, + Flags { DS_SINGLE_VALUED_ATTR }, + ASN1ObjID { 1 3 6 1 4 1 7165 2 1 14 } +} + +"primaryGroupID" ATTRIBUTE ::= +{ + Operation ADD, + SyntaxID SYN_INTEGER, + Flags { DS_SINGLE_VALUED_ATTR }, + ASN1ObjID { 1 3 6 1 4 1 7165 2 1 15 } +} + +"sambaAccount" OBJECT-CLASS ::= +{ + Operation ADD, + Flags {DS_AUXILIARY_CLASS}, + SubClassOf {"TOP"}, + MustContain { "uid"}, + MustContain { "rid"}, + MayContain { "CN"}, + MayContain { "lmPassword"}, + MayContain { "ntPassword"}, + MayContain { "pwdLastSet"}, + MayContain { "logonTime"}, + MayContain { "logoffTime"}, + MayContain { "kickoffTime"}, + MayContain { "pwdCanChange"}, + MayContain { "pwdMustChange"}, + MayContain { "acctFlags"}, + MayContain { "displayName"}, + MayContain { "smbHome"}, + MayContain { "homeDrive"}, + MayContain { "scriptPath"}, + MayContain { "profilePath"}, + MayContain { "description"}, + MayContain { "userWorkstations"}, + MayContain { "primaryGroupID"}, + MayContain { "domain"}, + ASN1ObjID { 1 3 6 1 4 1 7165 2 2 3 } +} + +-- Used for Winbind experimentation +"uidPool" OBJECT-CLASS ::= +{ + Operation ADD, + Flags {DS_AUXILIARY_CLASS}, + SubClassOf {"TOP"}, + MustContain { "uidNumber"}, + MustContain { "CN"}, + ASN1ObjID { 1 3 6 1 4 1 7165 1 2 2 3 } +} + +"gidPool" OBJECT-CLASS ::= +{ + Operation ADD, + Flags {DS_AUXILIARY_CLASS}, + SubClassOf {"TOP"}, + MustContain { "gidNumber"}, + MustContain { "CN"}, + 
ASN1ObjID { 1 3 6 1 4 1 7165 1 2 2 4 } +} + +END + + -- cgit From 92d05d1f402371b3e8656c58ceab83362f67b0d9 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 26 Aug 2003 04:17:05 +0000 Subject: include enhancements from Buchan Milne to generate LDIF modify output in addition to add (This used to be commit 49457669f32ed1d8122633e2d0abdebaf05790da) --- examples/LDAP/convertSambaAccount | 125 ++++++++++++++++++++++++++++++++++---- 1 file changed, 114 insertions(+), 11 deletions(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/convertSambaAccount b/examples/LDAP/convertSambaAccount index 223c43eada..61e80e1b7b 100755 --- a/examples/LDAP/convertSambaAccount +++ b/examples/LDAP/convertSambaAccount 
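Review bot: The `scriptPath` attribute is registered as `ASN1ObjID { 1 3 5 1 4 1 7165 2 1 11 }`, whose third arc is 5 while every other definition in this file sits under the IANA private-enterprise prefix `1 3 6 1 4 1 7165`; it should read `ASN1ObjID { 1 3 6 1 4 1 7165 2 1 11 }`, otherwise this one attribute lands in a foreign OID tree. `uidPool` and `gidPool` carry an extra arc (`7165 1 2 2 3` / `7165 1 2 2 4`) compared with `sambaAccount` (`7165 2 2 3`), which is worth confirming as intentional. Because `lmPassword` and `ntPassword` hold password-equivalent hashes, a header comment such as `-- lmPassword/ntPassword are password-equivalent: restrict read rights on them in eDirectory` would warn deployers before they extend the schema.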
@@ -5,24 +5,51 @@ ## ## Copyright Gerald (Jerry) Carter 2003 ## -## Usage: convertSambaAccount +## Usage: convertSambaAccount --sid= \ +## --input= --output= \ +## --changetype=[modify|add] ## use strict; use Net::LDAP::LDIF; +use Getopt::Long; -my ( $domain, $domsid ); + +############################################################################## +## local variables + +my ( $domain, $domsid, $changetype ); my ( $ldif, $ldif2 ); my ( $entry, @objclasses, $obj ); my ( $is_samba_account, $is_samba_group ); my ( %attr_map, %group_attr_map, $key ); +my ( @dels, $deletion, @adds, $addition ); +my ( $result, %options ); -if ( $#ARGV != 2 ) { - print "Usage: convertSambaAccount domain_sid input_ldif output_ldif\n"; - exit 1; + +############################################################################## +## Print the option usage + +sub usage { + + print "convertSambaAccount \n"; + print "Options:\n"; + print " --input input LDIF filename\n"; + print " --output output LDIF filename\n"; + print " --sid domain SID\n"; + print " --changetype [modify|add] (default is 'add')\n"; } + +############################################################################## +## MAIN DRIVER ## +############################################################################## + +## +## hashes to map old attribute names to new ones +## + %attr_map = ( lmPassword => 'sambaLMPassword', ntPassword => 'sambaNTPassword', 
@@ -46,12 +73,54 @@ if ( $#ARGV != 2 ) { ntGroupType => 'sambaGroupType', ); -$domsid = $ARGV[0]; +## +## process command line args +## + +$result = GetOptions(\%options, + "input=s", + "output=s", + "sid=s", + "changetype=s"); + +if (!$result && ($#ARGV != -1)) { + usage(); + exit 1; +} + + +if ( !defined( $options{'sid'} ) ) { + print "You must provide a domain sid\n"; + exit 1; +} + +$domsid = $options{'sid'}; + +$changetype = 'add'; +if ( defined( $options{'changetype'} ) ) { + $changetype = $options{'changetype'}; +} + +## +## open files +## + +$ldif = Net::LDAP::LDIF->new ($options{'input'}, "r") or die $!; + +if ( "$changetype" eq "add" ) { + $ldif2 = Net::LDAP::LDIF->new ($options{'output'}, "w") or die $!; +} +elsif ( "$changetype" eq "modify" ) { + open( OUTPUT, ">$options{'output'}" ) or die $!; +} +else { + print "Bad changetype!\n"; + exit 1; +} -$ldif = Net::LDAP::LDIF->new ($ARGV[1], "r") - or die $!; -$ldif2 = Net::LDAP::LDIF->new ($ARGV[2], "w") - or die $!; +## +## process LDIF +## while ( !$ldif->eof ) { undef ( $entry ); @@ -71,6 +140,8 @@ while ( !$ldif->eof ) { @objclasses = $entry->get_value( "objectClass" ); undef ( $is_samba_account ); undef ( $is_samba_group ); + @adds = (); + @dels = (); foreach $obj ( @objclasses ) { if ( "$obj" eq "sambaAccount" ) { $is_samba_account = 1; @@ -84,6 +155,8 @@ while ( !$ldif->eof ) { ## start editing the sambaAccount ## + @dels = ( 'objectclass: sambaAccount', 'rid' ); + @adds = ('objectclass: sambaSamAccount', "sambaSID: " . ${domsid} . "-" . ${entry}->get_value( 'rid' ) ); $entry->delete( 'objectclass' => [ 'sambaAccount' ] ); $entry->add( 'objectclass' => 'sambaSamAccount' ); 
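Review bot: The argument check `if (!$result && ($#ARGV != -1))` rejects input only when GetOptions fails *and* stray arguments remain, so an unknown option alone is silently accepted; it should be `if (!$result || ($#ARGV != -1))`. Nothing verifies that `--input` and `--output` were supplied, so `Net::LDAP::LDIF->new(undef, "r")` and the open below run with undefined filenames. `open( OUTPUT, ">$options{'output'}" )` is a two-argument open on a bareword handle, so an output name beginning with `>` or `|` changes the mode or spawns a command; prefer `open( my $out, '>', $options{'output'} ) or die "$options{'output'}: $!"` (the handle is written in a later hunk). Since the output carries `sambaLMPassword`/`sambaNTPassword` hashes, an `umask 077;` before creating it is advisable.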
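Review bot: `sambaSID` is assembled from `${entry}->get_value( 'rid' )` without checking that the entry actually has a `rid`, so an entry lacking it yields `sambaSID: <domsid>-` with an empty RID and the `delete: rid` queued in `@dels` targets a missing attribute. Add a guard before populating `@adds`, e.g. `die "no rid on " . $entry->dn . "\n" unless defined $entry->get_value('rid');`. The pre-existing add path on the following lines has the same gap, so the check protects both modes.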
@@ -91,6 +164,8 @@ while ( !$ldif->eof ) { $entry->delete( 'rid' ); if ( $entry->get_value( "primaryGroupID" ) ) { + push @adds, "sambaPrimaryGroupSID: " . $domsid."-".$entry->get_value( "primaryGroupID" ); + push @dels, "primaryGroupID"; $entry->add( 'sambaPrimaryGroupSID' => $domsid."-".$entry->get_value( "primaryGroupID" ) ); $entry->delete( 'primaryGroupID' ); } @@ -98,6 +173,8 @@ while ( !$ldif->eof ) { foreach $key ( keys %attr_map ) { if ( defined($entry->get_value($key)) ) { + push @adds, "$attr_map{$key}: " . $entry->get_value($key); + push @dels, "$key"; $entry->add( $attr_map{$key} => $entry->get_value($key) ); $entry->delete( $key ); } @@ -105,13 +182,39 @@ while ( !$ldif->eof ) { } elsif ( defined ( $is_samba_group ) ) { foreach $key ( keys %group_attr_map ) { if ( defined($entry->get_value($key)) ) { + push @adds, "$group_attr_map{$key}: " . $entry->get_value($key); + push @dels, "$key"; $entry->add( $group_attr_map{$key} => $entry->get_value($key) ); $entry->delete( $key ); } } } - $ldif2->write_entry( $entry ); + ## see if we should write full entries or only the changes + + if ( "$changetype" eq "add" ) { + $ldif2->write_entry( $entry ); + } + else { + if ( defined ( $is_samba_account ) || defined ( $is_samba_group ) ){ + if ( @adds + @dels > 0 ) { + print OUTPUT "dn: " . $entry->dn . "\n"; + foreach $addition (@adds) { + $addition =~ /(^\w+):/; + print OUTPUT "add: " . $1 . "\n"; + print OUTPUT "$addition\n-\n"; + } + foreach $deletion (@dels) { + if ( $deletion =~ /^(\w+):\s(.*)/ ) { + print OUTPUT "delete: $1\n$1: $2\n-\n"; + } else { + print OUTPUT "delete: $deletion\n-\n" + } + } + print OUTPUT "\n" + } + } + } } -- cgit From 5e6c6d766f5782dd1f91bf249f5f8ea7878977a6 Mon Sep 17 00:00:00 2001 
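Review bot: The modify-mode writer prints attribute values straight into LDIF (`print OUTPUT "$addition\n-\n"`), whereas the add path goes through `Net::LDAP::LDIF->write_entry`, which base64-encodes values that start with space, `:` or `<`, or contain non-ASCII bytes or newlines; a `sambaProfilePath` or `displayName` with such bytes therefore produces LDIF that ldapmodify rejects or misparses. `$addition =~ /(^\w+):/;` is unchecked, so if it ever fails `$1` still holds the previous match and a wrong `add:` line is emitted; use `if ( $addition =~ /^(\w+):/ ) { print OUTPUT "add: $1\n"; ... }`. No `changetype: modify` line is written for the record; ldapmodify defaults to modify, but writing `changetype: modify` after the `dn:` line makes the file unambiguous and safe against `-a`.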
From: Gerald Carter Date: Tue, 26 Aug 2003 04:36:27 +0000 Subject: sync with changes from Jerome Tournier @ IDEALX; should now work with sambaSamAccount schema (This used to be commit 5f41cd76b793305e1e9e4da76d58daa2d8438c63) --- examples/LDAP/smbldap-tools/CONTRIBUTORS | 6 +- examples/LDAP/smbldap-tools/ChangeLog | 1 + examples/LDAP/smbldap-tools/TODO | 1 + examples/LDAP/smbldap-tools/smbldap-groupmod.pl | 4 +- .../LDAP/smbldap-tools/smbldap-migrate-accounts.pl | 2 +- examples/LDAP/smbldap-tools/smbldap-passwd.pl | 13 +- examples/LDAP/smbldap-tools/smbldap-populate.pl | 73 +- examples/LDAP/smbldap-tools/smbldap-tools.spec | 38 +- examples/LDAP/smbldap-tools/smbldap-useradd.pl | 72 +- examples/LDAP/smbldap-tools/smbldap-userdel.pl | 2 +- examples/LDAP/smbldap-tools/smbldap-usermod.pl | 56 +- examples/LDAP/smbldap-tools/smbldap_conf.pm | 64 +- examples/LDAP/smbldap-tools/smbldap_tools.pm | 861 ++++++++++++--------- 13 files changed, 682 insertions(+), 511 deletions(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/smbldap-tools/CONTRIBUTORS b/examples/LDAP/smbldap-tools/CONTRIBUTORS index 9765a57e60..1b308a7266 100644 --- a/examples/LDAP/smbldap-tools/CONTRIBUTORS +++ b/examples/LDAP/smbldap-tools/CONTRIBUTORS @@ -4,7 +4,7 @@ Have contributed directly to this tools, or are always in charge of some aspects of it developments (alphabetical order): - . Terry Davis + . Terry Davis . David Le Corfec . Olivier Lemaire . Jrme Tournier @@ -24,6 +24,6 @@ Many thanks to contributors for bug report and patches: bug report for smbldap-passwd . Xavier Boschian bug report for smbldap-populate - - + . Christophe DUBREUIL + Net::LDAP support in smbldap_tools.pm # - The End diff --git a/examples/LDAP/smbldap-tools/ChangeLog b/examples/LDAP/smbldap-tools/ChangeLog index 9a0bc744e1..76b8b3f3c6 100644 --- a/examples/LDAP/smbldap-tools/ChangeLog +++ b/examples/LDAP/smbldap-tools/ChangeLog 
@@ -2,6 +2,7 @@ # ## ChangeLog for SMBLDAP-TOOLS +* 2002-07-24: top and account objectclasses replaced with inetorgperson * 2002-06-03: notes to webmin.idealx.org (idxldapaccounts) * 2002-06-01: release 0.7. tested with 2.2.4 * 2002-05-31: fixed smbldap-populate compliance to smbldap_conf diff --git a/examples/LDAP/smbldap-tools/TODO b/examples/LDAP/smbldap-tools/TODO index 57424d462a..71e6695299 100644 --- a/examples/LDAP/smbldap-tools/TODO +++ b/examples/LDAP/smbldap-tools/TODO @@ -4,6 +4,7 @@ ## (BF: Bug Report / FR: Feature Request) +FR * add 'LDAP port' for both slave and master LDAP server in smbldap_conf.pm FR * use RFC2307 best practices (Luke, next time you visit Paris, have a beer at IDEALX'cantina ;-) FR * add mail (sendmail/postfix/qmail/courier) support diff --git a/examples/LDAP/smbldap-tools/smbldap-groupmod.pl b/examples/LDAP/smbldap-tools/smbldap-groupmod.pl index f9b42f95b4..f248027e91 100755 --- a/examples/LDAP/smbldap-tools/smbldap-groupmod.pl +++ b/examples/LDAP/smbldap-tools/smbldap-groupmod.pl @@ -1,5 +1,5 @@ -#!/usr/bin/perl - +# $Id: smbldap-groupmod.pl,v 1.1.6.2 2003/08/26 04:36:27 jerry Exp $ +# # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # diff --git a/examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl b/examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl index b1780dec61..0d0efa384c 100755 --- a/examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl +++ b/examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl @@ -45,7 +45,7 @@ changetype: modify lmpassword: $lmpwd ntpassword: $ntpwd gecos: $gecos -smbHome: $homedir +sambaHomePath: $homedir "; diff --git a/examples/LDAP/smbldap-tools/smbldap-passwd.pl b/examples/LDAP/smbldap-tools/smbldap-passwd.pl index ef7687a49e..29aee97c50 100755 --- a/examples/LDAP/smbldap-tools/smbldap-passwd.pl +++ b/examples/LDAP/smbldap-tools/smbldap-passwd.pl 
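Review bot: Replacing the `#!/usr/bin/perl` line with `# $Id: ...` leaves smbldap-groupmod.pl (mode 100755) without an interpreter line, so invoking it directly fails or is handed to /bin/sh. Keep the shebang as the first line and put the keyword after it: `#!/usr/bin/perl` followed by `# $Id: smbldap-groupmod.pl,v 1.1.6.2 2003/08/26 04:36:27 jerry Exp $`.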
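Review bot: Only `smbHome` was renamed to `sambaHomePath` here, while the context lines of the same LDIF still emit `lmpassword: $lmpwd` and `ntpassword: $ntpwd`, which the sambaSamAccount schema used elsewhere in this commit calls `sambaLMPassword`/`sambaNTPassword`; the generated modify record mixes old and new attribute names and will fail schema checking. Rename those two lines as well: `sambaLMPassword: $lmpwd` and `sambaNTPassword: $ntpwd`. The heredoc containing them starts outside the hunk.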
@@ -1,6 +1,7 @@ #!/usr/bin/perl # LDAP to unix password sync script for samba +# # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # @@ -113,19 +114,19 @@ if ($samba == 1) { exit(1); } my $ntpwd = `$mk_ntpasswd '$pass'`; - chomp(my $lmpassword = substr($ntpwd, 0, index($ntpwd, ':'))); - chomp(my $ntpassword = substr($ntpwd, index($ntpwd, ':')+1)); + chomp(my $sambaLMPassword = substr($ntpwd, 0, index($ntpwd, ':'))); + chomp(my $sambaNTPassword = substr($ntpwd, index($ntpwd, ':')+1)); # change nt/lm passwords my $tmpldif = "$dn_line changetype: modify -replace: lmpassword -lmpassword: $lmpassword +replace: sambaLMPassword +sambaLMPassword: $sambaLMPassword - changetype: modify -replace: ntpassword -ntpassword: $ntpassword +replace: sambaNTPassword +sambaNTPassword: $sambaNTPassword - "; diff --git a/examples/LDAP/smbldap-tools/smbldap-populate.pl b/examples/LDAP/smbldap-tools/smbldap-populate.pl index 5be9ca4262..1676017c67 100755 --- a/examples/LDAP/smbldap-tools/smbldap-populate.pl +++ b/examples/LDAP/smbldap-tools/smbldap-populate.pl @@ -87,6 +87,7 @@ if (!defined($_ldifName)) { die "can't extract first attr and value from suffix $suffix"; } #print "$attr=$val\n"; + my ($organisation,$ext) = ($suffix =~ m/dc=(\w+),dc=(\w+)$/); #my $FILE="|cat"; my $FILE="|$ldapadd -c"; @@ -95,7 +96,9 @@ if (!defined($_ldifName)) { print FILE < +Packager: Jerome Tournier Source0: smbldap-groupadd.pl Source1: smbldap-groupdel.pl Source2: smbldap-groupmod.pl @@ -60,8 +60,8 @@ make rm -rf $RPM_BUILD_ROOT mkdir -p $RPM_BUILD_ROOT/%{prefix}/sbin mkdir -p $RPM_BUILD_ROOT/%{prefix}/share -mkdir -p $RPM_BUILD_ROOT/%{prefix}/share/doc -mkdir -p $RPM_BUILD_ROOT/%{prefix}/share/doc/smbldap-tools +mkdir -p $RPM_BUILD_ROOT/usr/share/doc +mkdir -p $RPM_BUILD_ROOT/usr/share/doc/smbldap-tools cd mkntpwd ; make PREFIX=$RPM_BUILD_ROOT/%{prefix} install 
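Review bot: The password change replaces only the two hashes and leaves `sambaPwdLastSet` untouched, while smbldap-useradd.pl in this same commit creates accounts with `sambaPwdLastSet: 0`, so after a change the account's "must change at next logon" state and any expiry computed from that timestamp are stale. Append a third modification to the same LDIF: `replace: sambaPwdLastSet` / `sambaPwdLastSet: ` . time() . Separately, the context line `$mk_ntpasswd '$pass'` hands the cleartext password to a shell where it is visible in the process list, and a password containing `'` breaks the quoting; feeding it on stdin via list-form `open` would avoid both.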
@@ -80,13 +80,13 @@ install -m 555 %{SOURCE10} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap_tools.pm install -m 550 %{SOURCE19} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-migrate-accounts.pl install -m 550 %{SOURCE20} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-migrate-groups.pl -install -m 644 %{SOURCE11} $RPM_BUILD_ROOT/%{prefix}/share/doc/smbldap-tools/CONTRIBUTORS -install -m 644 %{SOURCE12} $RPM_BUILD_ROOT/%{prefix}/share/doc/smbldap-tools/COPYING -install -m 644 %{SOURCE13} $RPM_BUILD_ROOT/%{prefix}/share/doc/smbldap-tools/ChangeLog -install -m 644 %{SOURCE14} $RPM_BUILD_ROOT/%{prefix}/share/doc/smbldap-tools/FILES -install -m 644 %{SOURCE15} $RPM_BUILD_ROOT/%{prefix}/share/doc/smbldap-tools/README -install -m 644 %{SOURCE16} $RPM_BUILD_ROOT/%{prefix}/share/doc/smbldap-tools/TODO -install -m 644 %{SOURCE21} $RPM_BUILD_ROOT/%{prefix}/share/doc/smbldap-tools/INFRA +install -m 644 %{SOURCE11} $RPM_BUILD_ROOT/usr/share/doc/smbldap-tools/CONTRIBUTORS +install -m 644 %{SOURCE12} $RPM_BUILD_ROOT/usr/share/doc/smbldap-tools/COPYING +install -m 644 %{SOURCE13} $RPM_BUILD_ROOT/usr/share/doc/smbldap-tools/ChangeLog +install -m 644 %{SOURCE14} $RPM_BUILD_ROOT/usr/share/doc/smbldap-tools/FILES +install -m 644 %{SOURCE15} $RPM_BUILD_ROOT/usr/share/doc/smbldap-tools/README +install -m 644 %{SOURCE16} $RPM_BUILD_ROOT/usr/share/doc/smbldap-tools/TODO +install -m 644 %{SOURCE21} $RPM_BUILD_ROOT/usr/share/doc/smbldap-tools/INFRA %clean rm -rf $RPM_BUILD_ROOT 
@@ -102,11 +102,11 @@ perl -i -pe 's/_USERS_/Users/' %{prefix}/sbin/smbldap_conf.pm perl -i -pe 's/_COMPUTERS_/Computers/' %{prefix}/sbin/smbldap_conf.pm perl -i -pe 's/_GROUPS_/Groups/' %{prefix}/sbin/smbldap_conf.pm perl -i -pe 's/_LOGINSHELL_/\/bin\/bash/' %{prefix}/sbin/smbldap_conf.pm -perl -i -pe 's/_USERHOMEPREFIX_/\/home\//' %{prefix}/sbin/smbldap_conf.pm +perl -i -pe 's/_HOMEPREFIX_/\/home\//' %{prefix}/sbin/smbldap_conf.pm perl -i -pe 's/_BINDDN_/cn=Manager,\$suffix/' %{prefix}/sbin/smbldap_conf.pm perl -i -pe 's/_BINDPW_/secret/' %{prefix}/sbin/smbldap_conf.pm perl -i -pe 's/_PDCNAME_/PDC-SRV/' %{prefix}/sbin/smbldap_conf.pm -perl -i -pe 's/_HOMEDRIVE_/D/' %{prefix}/sbin/smbldap_conf.pm +perl -i -pe 's/_HOMEDRIVE_/H/' %{prefix}/sbin/smbldap_conf.pm # FIXME: links should not be removed on upgrade #%postun @@ -121,14 +121,16 @@ perl -i -pe 's/_HOMEDRIVE_/D/' %{prefix}/sbin/smbldap_conf.pm %{prefix}/sbin/smbldap_tools.pm %config %{prefix}/sbin/smbldap_conf.pm %{prefix}/sbin/mkntpwd -%doc %{prefix}/share/doc/%{name}/TODO -%doc %{prefix}/share/doc/%{name}/README -%doc %{prefix}/share/doc/%{name}/CONTRIBUTORS -%doc %{prefix}/share/doc/%{name}/FILES -%doc %{prefix}/share/doc/%{name}/COPYING +%doc /usr/share/doc/%{name}/ %changelog +* Fri Aug 22 2003 Jerome Tournier 0.8-1 +- support for Samba3.0 + +* Thu Sep 26 2002 Grald Macinenti 0.7-2 +- top and account objectclasses replaced by InetOrgPerson + * Sat Jun 1 2002 Olivier Lemaire 0.7-1 - some bugfixes about smbldap-populate - bugfixed the smbpasswd call in smbldap-useradd diff --git a/examples/LDAP/smbldap-tools/smbldap-useradd.pl b/examples/LDAP/smbldap-tools/smbldap-useradd.pl index 508487af93..99c9525e82 100755 --- a/examples/LDAP/smbldap-tools/smbldap-useradd.pl +++ b/examples/LDAP/smbldap-tools/smbldap-useradd.pl @@ -26,7 +26,6 @@ use strict; use smbldap_tools; use smbldap_conf; - ##################### use Getopt::Std; 
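Review bot: The %post substitutions still rewrite `_BINDDN_` and `_BINDPW_`, but smbldap_conf.pm as changed in this commit already ships `$binddn = "cn=Manager,$suffix"` and `$bindpasswd = "secret"`, so `perl -i -pe 's/_BINDPW_/secret/'` is now a no-op and the package installs with a well-known directory-manager password. Either restore the placeholders in the config or replace the substitution with a step that refuses to leave `secret` in place. The home-drive change also interacts with the config hunk: `q(_HOMEDRIVE_:)` became `q(_HOMEDRIVE_)`, so `s/_HOMEDRIVE_/H/` now yields `H` without the colon that smbldap-usermod only appends on its `-D` path; `s/_HOMEDRIVE_/H:/` would keep the old form.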
@@ -51,11 +50,11 @@ if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) { print " -P ends by invoking smbldap-passwd.pl\n"; print " -A can change password ? 0 if no, 1 if yes\n"; print " -B must change password ? 0 if no, 1 if yes\n"; - print " -C smbHome (SMB home share, like '\\\\PDC-SRV\\homes')\n"; - print " -D homeDrive (letter associated with home share, like 'H:')\n"; - print " -E scriptPath (DOS script to execute on login)\n"; - print " -F profilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo')\n"; - print " -H acctFlags (samba account control bits like '[NDHTUMWSLKI]')\n"; + print " -C sambaHomePath (SMB home share, like '\\\\PDC-SRV\\homes')\n"; + print " -D sambaHomeDrive (letter associated with home share, like 'H:')\n"; + print " -E sambaLogonScript (DOS script to execute on login)\n"; + print " -F sambaProfilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo')\n"; + print " -H sambaAcctFlags (samba account control bits like '[NDHTUMWSLKI]')\n"; print " -? show this help message\n"; exit (1); } @@ -141,7 +140,7 @@ my $userHomeDirectory; my $tmp; if (!defined($userHomeDirectory = $Options{'d'})) { - $userHomeDirectory = $_userHomePrefix.$userName; + $userHomeDirectory = $_userHomePrefix."/".$userName; } $_userLoginShell = $tmp if (defined($tmp = $Options{'s'})); $_userGecos = $tmp if (defined($tmp = $Options{'c'})); @@ -175,7 +174,7 @@ if (defined($tmp = $Options{'w'})) { my $tmpldif = "dn: uid=$userName,$computersdn changetype: modify -acctFlags: [W ] +sambaAcctFlags: [W ] "; die "$0: error while modifying accountflags of $userName\n" @@ -194,10 +193,10 @@ acctFlags: [W ] my $tmpldif = "dn: uid=$userName,$usersdn -objectclass: top -objectclass: account +objectclass: inetOrgPerson objectclass: posixAccount cn: $userName +sn: $userName uid: $userName uidNumber: $userUidNumber gidNumber: $userGidNumber 
@@ -228,12 +227,14 @@ if (defined($grouplist = $Options{'G'})) { # If user was created successfully then we should create his/her home dir if (defined($tmp = $Options{'m'})) { + unless ( $userName =~ /\$$/ ) { if ( !(-e $userHomeDirectory) ) { system "mkdir $userHomeDirectory 2>/dev/null"; system "cp -a $_skeletonDir/.[a-z,A-Z]* $_skeletonDir/* $userHomeDirectory 2>/dev/null"; system "chown -R $userUidNumber:$userGidNumber $userHomeDirectory 2>/dev/null"; system "chmod 700 $userHomeDirectory 2>/dev/null"; } + } } @@ -269,19 +270,18 @@ if (defined($Options{'a'})) { my $tmpldif = "dn: uid=$userName,$usersdn changetype: modify -objectclass: top -objectclass: account +objectClass: inetOrgPerson objectclass: posixAccount -objectClass: sambaAccount -pwdLastSet: 0 -logonTime: 0 -logoffTime: 2147483647 -kickoffTime: 2147483647 -pwdCanChange: $valpwdcanchange -pwdMustChange: $valpwdmustchange +objectClass: sambaSAMAccount +sambaPwdLastSet: 0 +sambaLogonTime: 0 +sambaLogoffTime: 2147483647 +sambaKickoffTime: 2147483647 +sambaPwdCanChange: $valpwdcanchange +sambaPwdMustChange: $valpwdmustchange displayName: $_userGecos -acctFlags: $valacctflags -rid: $userRid +sambaAcctFlags: $valacctflags +sambaSID: $smbldap_conf::SID-$userRid "; @@ -329,14 +329,14 @@ if (defined($tmp = $Options{'F'})) { my $tmpldif = "dn: uid=$userName,$usersdn changetype: modify -rid: $userRid -primaryGroupID: $userGroupRid -homeDrive: $valhomedrive -smbHome: $valsmbhome -profilePath: $valprofilepath -scriptPath: $valscriptpath -lmPassword: XXX -ntPassword: XXX +sambaSID: $smbldap_conf::SID-$userRid +sambaPrimaryGroupSID: $smbldap_conf::SID-$userGroupRid +sambaHomeDrive: $valhomedrive +sambaHomePath: $valsmbhome +sambaProfilePath: $valprofilepath +sambaLogonScript: $valscriptpath +sambaLMPassword: XXX +sambaNTPassword: XXX "; 
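Review bot: The home-directory creation still interpolates `$userHomeDirectory`, derived from the `-d` option or the user name, into `system "mkdir $userHomeDirectory 2>/dev/null"` and the following `cp`/`chown`/`chmod` shell strings; the new `unless ( $userName =~ /\$$/ )` guard only skips machine accounts and does nothing against shell metacharacters in a name run as root. Use Perl's `mkdir $userHomeDirectory, 0700 or warn "mkdir: $!"` and list-form `system('chown', '-R', "$userUidNumber:$userGidNumber", $userHomeDirectory)`, and surface failures instead of discarding them with `2>/dev/null`. The enclosing `if (defined($tmp = $Options{'m'}))` body is fully inside the hunk.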
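Review bot: The entry is populated with placeholder hashes `sambaLMPassword: XXX` / `sambaNTPassword: XXX`, so between this ldapmodify and the optional `-P` password step the account exists with a non-hex hash value; whether Samba rejects such a value or treats it as a logon error is server-dependent and not shown here. Safer is to omit the two password attributes entirely and let smbldap-passwd.pl add them, or to set the `D` flag in `sambaAcctFlags` until a real hash is stored. The surrounding heredoc starts and ends inside the hunk.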
@@ -382,7 +382,7 @@ exit 0; For Samba users, rid is 2*uidNumber+1000, and primaryGroupID is 2*gidNumber+1001. Thus you may want to use smbldap-useradd.pl -a -g "Domain Admins" -u 500 Administrator - to create a domain administrator (admin rid is 0x1F4 = 500 and + to create a sambaDomainName administrator (admin rid is 0x1F4 = 500 and grouprid is 0x200 = 512) Without any option, the account created will be an Unix (Posix) @@ -391,7 +391,7 @@ exit 0; -a The user will have a Samba account (and Unix). -w Creates an account for a Samba machine (Workstation), so that - it can join a domain. + it can join a sambaDomainName. -x Creates rid and primaryGroupID in hex (for Samba 2.2.2 bug). Else decimal (2.2.2 patched from cvs or 2.2.x, x > 2) @@ -441,15 +441,15 @@ exit 0; -B must change password ? 0 if no, 1 if yes - -C smbHome (SMB home share, like '\\\\PDC-SRV\\homes') + -C sambaHomePath (SMB home share, like '\\\\PDC-SRV\\homes') - -D homeDrive (letter associated with home share, like 'H:') + -D sambaHomeDrive (letter associated with home share, like 'H:') - -E scriptPath, relative to the [netlogon] share (DOS script to execute on login, like 'foo.bat') + -E sambaLogonScript, relative to the [netlogon] share (DOS script to execute on login, like 'foo.bat') - -F profilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo') + -F sambaProfilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo') - -H acctFlags, spaces and trailing bracket are ignored (samba account control bits like '[NDHTUMWSLKI]') + -H sambaAcctFlags, spaces and trailing bracket are ignored (samba account control bits like '[NDHTUMWSLKI]') =head1 SEE ALSO diff --git a/examples/LDAP/smbldap-tools/smbldap-userdel.pl b/examples/LDAP/smbldap-tools/smbldap-userdel.pl index 54309fa5db..435be4fdd0 100755 --- a/examples/LDAP/smbldap-tools/smbldap-userdel.pl +++ b/examples/LDAP/smbldap-tools/smbldap-userdel.pl 
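Review bot: The attribute rename was applied to POD prose too, producing `to create a sambaDomainName administrator` and `it can join a sambaDomainName.`; these should read `to create a domain administrator` and `it can join a domain` — `sambaDomainName` is an attribute, not an English noun. The rest of the documentation in this file is worth checking for the same over-eager substitution.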
@@ -1,4 +1,4 @@ -#!/usr/bin/perl +#!/usr/bin/perl # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). diff --git a/examples/LDAP/smbldap-tools/smbldap-usermod.pl b/examples/LDAP/smbldap-tools/smbldap-usermod.pl index 016d7b5422..dffb95bace 100755 --- a/examples/LDAP/smbldap-tools/smbldap-usermod.pl +++ b/examples/LDAP/smbldap-tools/smbldap-usermod.pl @@ -50,11 +50,11 @@ if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) { print " -x creates rid and primaryGroupID in hex instead of decimal (for Samba 2.2.2 unpatched only)\n"; print " -A can change password ? 0 if no, 1 if yes\n"; print " -B must change password ? 0 if no, 1 if yes\n"; - print " -C smbHome (SMB home share, like '\\\\PDC-SRV\\homes')\n"; - print " -D homeDrive (letter associated with home share, like 'H:')\n"; - print " -E scriptPath (DOS script to execute on login)\n"; - print " -F profilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo')\n"; - print " -H acctFlags (samba account control bits like '[NDHTUMWSLKI]')\n"; + print " -C sambaHomePath (SMB home share, like '\\\\PDC-SRV\\homes')\n"; + print " -D sambaHomeDrive (letter associated with home share, like 'H:')\n"; + print " -E sambaLogonScript (DOS script to execute on login)\n"; + print " -F sambaProfilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo')\n"; + print " -H sambaAcctFlags (samba account control bits like '[NDHTUMWSLKI]')\n"; print " -I disable an user. Can't be used with -H or -J\n"; print " -J enable an user. Can't be used with -H or -I\n"; print " -? show this help message\n"; 
@@ -201,19 +201,19 @@ if (defined($tmp = $Options{'G'})) { } # -# A : pwdCanChange -# B : pwdMustChange -# C : smbHome -# D : homeDrive -# E : scriptPath -# F : profilePath -# H : acctFlags +# A : sambaPwdCanChange +# B : sambaPwdMustChange +# C : sambaHomePath +# D : sambaHomeDrive +# E : sambaLogonScript +# F : sambaProfilePath +# H : sambaAcctFlags my $attr; my $winmagic = 2147483647; if (defined($tmp = $Options{'A'})) { - $attr = "pwdCanChange"; + $attr = "sambaPwdCanChange"; if ($tmp != 0) { $mods .= "$attr: 0\n"; } else { @@ -222,7 +222,7 @@ if (defined($tmp = $Options{'A'})) { } if (defined($tmp = $Options{'B'})) { - $attr = "pwdMustChange"; + $attr = "sambaPwdMustChange"; if ($tmp != 0) { $mods .= "$attr: 0\n"; } else { @@ -231,37 +231,37 @@ if (defined($tmp = $Options{'B'})) { } if (defined($tmp = $Options{'C'})) { - $attr = "smbHome"; + $attr = "sambaHomePath"; #$tmp =~ s/\\/\\\\/g; $mods .= "$attr: $tmp\n"; } if (defined($tmp = $Options{'D'})) { - $attr = "homeDrive"; + $attr = "sambaHomeDrive"; $tmp = $tmp.":" unless ($tmp =~ /:/); $mods .= "$attr: $tmp\n"; } if (defined($tmp = $Options{'E'})) { - $attr = "scriptPath"; + $attr = "sambaLogonScript"; #$tmp =~ s/\\/\\\\/g; $mods .= "$attr: $tmp\n"; } if (defined($tmp = $Options{'F'})) { - $attr = "profilePath"; + $attr = "sambaProfilePath"; #$tmp =~ s/\\/\\\\/g; $mods .= "$attr: $tmp\n"; } if (defined($tmp = $Options{'H'})) { - $attr = "acctFlags"; + $attr = "sambaAcctFlags"; #$tmp =~ s/\\/\\\\/g; $mods .= "$attr: $tmp\n"; } elsif (defined($tmp = $Options{'I'})) { my $flags; - if ( $lines =~ /^acctFlags: (.*)/m ) { + if ( $lines =~ /^sambaAcctFlags: (.*)/m ) { $flags = $1; } 
@@ -272,12 +272,12 @@ if (defined($tmp = $Options{'H'})) { if ($flags =~ /(\w+)/) { $letters = $1; } - $mods .= "acctFlags: \[D$letters\]\n"; + $mods .= "sambaAcctFlags: \[D$letters\]\n"; } } elsif (defined($tmp = $Options{'J'})) { my $flags; - if ( $lines =~ /^acctFlags: (.*)/m ) { + if ( $lines =~ /^sambaAcctFlags: (.*)/m ) { $flags = $1; } @@ -289,7 +289,7 @@ if (defined($tmp = $Options{'H'})) { $letters = $1; } $letters =~ s/D//; - $mods .= "acctFlags: \[$letters\]\n"; + $mods .= "sambaAcctFlags: \[$letters\]\n"; } } @@ -380,15 +380,15 @@ if ($nscd_status == 0) { -B must change password ? 0 if no, 1 if yes - -C smbHome (SMB home share, like '\\\\PDC-SRV\\homes') + -C sambaHomePath (SMB home share, like '\\\\PDC-SRV\\homes') - -D homeDrive (letter associated with home share, like 'H:') + -D sambaHomeDrive (letter associated with home share, like 'H:') - -E scriptPath, relative to the [netlogon] share (DOS script to execute on login, like 'foo.bat') + -E sambaLogonScript, relative to the [netlogon] share (DOS script to execute on login, like 'foo.bat') - -F profilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo') + -F sambaProfilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo') - -H acctFlags, spaces and trailing bracket are ignored (samba account control bits like '[NDHTUMWSLKI]') + -H sambaAcctFlags, spaces and trailing bracket are ignored (samba account control bits like '[NDHTUMWSLKI]') -I disable user. Can't be used with -H or -J diff --git a/examples/LDAP/smbldap-tools/smbldap_conf.pm b/examples/LDAP/smbldap-tools/smbldap_conf.pm index 9a5a116b98..dd1d772ea7 100644 --- a/examples/LDAP/smbldap-tools/smbldap_conf.pm +++ b/examples/LDAP/smbldap-tools/smbldap_conf.pm 
@@ -29,7 +29,7 @@ package smbldap_conf; use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $UID_START $GID_START $smbpasswd $slaveLDAP $masterLDAP -$with_smbpasswd $mk_ntpasswd +$slavePort $masterPort $ldapSSL $slaveURI $masterURI $with_smbpasswd $mk_ntpasswd $ldap_path $ldap_opts $ldapsearch $ldapsearchnobind $ldapmodify $ldappasswd $ldapadd $ldapdelete $ldapmodrdn $suffix $usersdn $computersdn @@ -48,7 +48,7 @@ $VERSION = 1.00; @EXPORT = qw( $UID_START $GID_START $smbpasswd $slaveLDAP $masterLDAP -$with_smbpasswd $mk_ntpasswd +$slavePort $masterPort $ldapSSL $slaveURI $masterURI $with_smbpasswd $mk_ntpasswd $ldap_path $ldap_opts $ldapsearch $ldapsearchnobind $ldapmodify $ldappasswd $ldapadd $ldapdelete $ldapmodrdn $suffix $usersdn $computersdn $groupsdn $scope $binddn $bindpasswd @@ -73,6 +73,10 @@ $usersou $computersou $groupsou $UID_START = 1000; $GID_START = 1000; +# Put your own SID +# to obtain this number do: # net getlocalsid +our $SID='S-1-5-21-636805976-1992644568-3666589737'; + ############################################################################## # # LDAP Configuration @@ -86,19 +90,34 @@ $GID_START = 1000; # Slave LDAP : needed for read operations # # Ex: $slaveLDAP = "127.0.0.1"; -$slaveLDAP = "_SLAVELDAP_"; +$slaveLDAP = "127.0.0.1"; + +$slavePort = "389"; # # Master LDAP : needed for write operations # # Ex: $masterLDAP = "127.0.0.1"; -$masterLDAP = "_MASTERLDAP_"; +$masterLDAP = "127.0.0.1"; + + +# +# Master Port +# 389 636 +# Ex: $masterPort = " +$masterPort = "389"; + +# +# Use SSL for LDAP +# +$ldapSSL = "0"; # # LDAP Suffix # # Ex: $suffix = "dc=IDEALX,dc=ORG"; -$suffix = "_SUFFIX_"; +$suffix = "dc=IDEALX,dc=ORG"; + # # Where are stored Users 
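Review bot: `our $SID='S-1-5-21-636805976-1992644568-3666589737'` ships a concrete, valid-looking domain SID as the default, so an installation whose admin overlooks the comment silently creates every `sambaSID`/`sambaPrimaryGroupSID` under the author's SID instead of the one `net getlocalsid` reports, and two such sites share a domain SID; the other settings historically used `_PLACEHOLDER_` tokens. Use a placeholder and fail loudly: `our $SID = '_SID_';` followed by `die "smbldap_conf.pm: set \$SID from 'net getlocalsid'\n" if $SID eq '_SID_';`.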
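Review bot: The `_SLAVELDAP_`, `_MASTERLDAP_` and `_SUFFIX_` placeholders are replaced by literal values (`127.0.0.1`, `dc=IDEALX,dc=ORG`), so any post-install substitution of those tokens no longer matches and the defaults silently point at the example suffix. `$ldapSSL = "0"` also makes simple binds carrying the manager password travel in cleartext by default, which is only acceptable for the loopback default; a comment next to it such as `# 0 = ldap:// (only safe on localhost); 1 = ldaps:// — also set the ports to 636` would make the tradeoff visible.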
@@ -134,11 +153,11 @@ $scope = "sub"; # # Bind DN used # Ex: $binddn = "cn=Manager,$suffix"; for cn=Manager,dc=IDEALX,dc=org -$binddn = "_BINDDN_"; +$binddn = "cn=Manager,$suffix"; # # Bind DN passwd used # Ex: $bindpasswd = 'secret'; for 'secret' -$bindpasswd = "_BINDPW_"; +$bindpasswd = "secret"; # # Notes: if using dual ldap patch, you can specify to different configuration @@ -167,7 +186,7 @@ $_userLoginShell = q(_LOGINSHELL_); # Home directory prefix (without username) # #Ex: $_userHomePrefix = q(/home/); -$_userHomePrefix = q(_USERHOMEPREFIX_); +$_userHomePrefix = q(_HOMEPREFIX_); # # Gecos @@ -211,7 +230,7 @@ $_userProfile = q(\\\\_PDCNAME_\\profiles\\); # The default Home Drive Letter mapping # (will be automatically mapped at logon time if home directory exist) # Ex: q(U:) for U: -$_userHomeDrive = q(_HOMEDRIVE_:); +$_userHomeDrive = q(_HOMEDRIVE_); # # The default user netlogon script name 
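Review bot: `$bindpasswd = "secret"` replaces the `_BINDPW_` placeholder with a literal default credential for `cn=Manager,$suffix`, so the tools ship able to bind as the directory manager with a well-known password, and the spec's `s/_BINDPW_/secret/` postinstall line in this commit no longer finds anything to rewrite. Keep the placeholder and make the module refuse to run with it: `die "smbldap_conf.pm: set \$bindpasswd\n" if $bindpasswd eq '_BINDPW_';`. A comment stating that this file holds the manager password and must be readable only by root (it is installed as `%config`) would also help.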
@@ -232,15 +251,28 @@ $with_smbpasswd = 0; $smbpasswd = "/usr/bin/smbpasswd"; $mk_ntpasswd = "/usr/local/sbin/mkntpwd"; +if ( $ldapSSL eq "0" ) { + $slaveURI = "ldap://$slaveLDAP:$slavePort"; + $masterURI = "ldap://$masterLDAP:$masterPort"; +} +elsif ( $ldapSSL eq "1" ) { + $slaveURI = "ldaps://$slaveLDAP:$slavePort"; + $masterURI = "ldaps://$masterLDAP:$masterPort"; +} +else { + die "ldapSSL option must be either 0 or 1.\n"; +} + + $ldap_path = "/usr/bin"; $ldap_opts = "-x"; -$ldapsearch = "$ldap_path/ldapsearch $ldap_opts -h $slaveLDAP -D '$slaveDN' -w '$slavePw'"; -$ldapsearchnobind = "$ldap_path/ldapsearch $ldap_opts -h $slaveLDAP"; -$ldapmodify = "$ldap_path/ldapmodify $ldap_opts -h $masterLDAP -D '$masterDN' -w '$masterPw'"; -$ldappasswd = "$ldap_path/ldappasswd $ldap_opts -h $masterLDAP -D '$masterDN' -w '$masterPw'"; -$ldapadd = "$ldap_path/ldapadd $ldap_opts -h $masterLDAP -D '$masterDN' -w '$masterPw'"; -$ldapdelete = "$ldap_path/ldapdelete $ldap_opts -h $masterLDAP -D '$masterDN' -w '$masterPw'"; -$ldapmodrdn = "$ldap_path/ldapmodrdn $ldap_opts -h $masterLDAP -D '$masterDN' -w '$masterPw'"; +$ldapsearch = "$ldap_path/ldapsearch $ldap_opts -H $slaveURI -D '$slaveDN' -w '$slavePw'"; +$ldapsearchnobind = "$ldap_path/ldapsearch $ldap_opts -H $slaveURI"; +$ldapmodify = "$ldap_path/ldapmodify $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'"; +$ldappasswd = "$ldap_path/ldappasswd $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'"; +$ldapadd = "$ldap_path/ldapadd $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'"; +$ldapdelete = "$ldap_path/ldapdelete $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'"; +$ldapmodrdn = "$ldap_path/ldapmodrdn $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'"; diff --git a/examples/LDAP/smbldap-tools/smbldap_tools.pm b/examples/LDAP/smbldap-tools/smbldap_tools.pm index 0a451210f3..ad6ef74eb6 100755 --- a/examples/LDAP/smbldap-tools/smbldap_tools.pm +++ b/examples/LDAP/smbldap-tools/smbldap_tools.pm 
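Review bot: Every command string still embeds the bind password on the command line (`-w '$masterPw'`, `-w '$slavePw'`), so it is visible to all local users in `ps` while ldapsearch/ldapmodify run, and a password containing `'` breaks the quoting; switching from `-h` to `-H` is a good moment to move to `-y /path/to/pwfile` (mode 0600) or to the Net::LDAP calls this commit introduces in smbldap_tools.pm. When `$ldapSSL` is `"1"` the URIs reuse `$slavePort`/`$masterPort`, which default to `389` in the earlier hunk, so the ldaps:// branch will not connect unless the ports are also edited; defaulting the port from `$ldapSSL` (`636` when set) would avoid that trap.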
@@ -2,6 +2,7 @@ use strict; package smbldap_tools; use smbldap_conf; +use Net::LDAP; # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). @@ -29,6 +30,7 @@ use smbldap_conf; use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS); use Exporter; $VERSION = 1.00; + @ISA = qw(Exporter); @EXPORT = qw( 
@@ -59,101 +61,149 @@ get_user_dn2 # dn_line = get_user_dn($username) # where dn_line is like "dn: a=b,c=d" + +#sub ldap_search +#{ +#my ($local_base,$local_scope,$local_filtre)=@_; +#} + + + sub get_user_dn { my $user = shift; - my $dn=`$ldapsearch -b '$suffix' -s '$scope' '(&(objectclass=posixAccount)(uid=$user))' | grep "^dn:"`; - chomp $dn; + my $dn=''; + my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; + $ldap->bind ; + my $mesg = $ldap->search ( base => $suffix, + scope => $scope, + filter => "(&(objectclass=posixAccount)(uid=$user))" + ); + $mesg->code && die $mesg->error; + foreach my $entry ($mesg->all_entries) { + $dn= $entry->dn;} + $ldap->unbind; + chomp($dn); if ($dn eq '') { return undef; } - + $dn="dn: ".$dn; return $dn; } -# return (success, dn) -sub get_user_dn2 + +sub get_user_dn2 ## migr { my $user = shift; - - my $sr = `$ldapsearch -b '$suffix' -s '$scope' '(&(objectclass=posixAccount)(uid=$user))'`; - if ($sr eq "") { - print "get_user_dn2: error in ldapsearch : -$ldapsearch -b '$suffix' -s '$scope' '(&(objectclass=posixAccount)(uid=$user))'\n"; - return (0, undef); + my $dn=''; + my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; + $ldap->bind ; + my $mesg = $ldap->search ( base => $suffix, + scope => $scope, + filter => "(&(objectclass=posixAccount)(uid=$user))" + ); + # $mesg->code && warn $mesg->error; + if ($mesg->code) + { + print("Code erreur : ",$mesg->code,"\n"); + print("Message d'erreur : ",$mesg->error,"\n"); + return (0,undef); + } + + foreach my $entry ($mesg->all_entries) { + $dn= $entry->dn; } - - my @lines = split(/\n/, $sr); - - my @matches = grep(/^dn:/, @lines); - - my $dn = $matches[0]; - chomp $dn; + $ldap->unbind; + chomp($dn); if ($dn eq '') { - return (1, undef); + return (1,undef); } - - return (1, $dn); + $dn="dn: ".$dn; + return (1,$dn); } -# dn_line = get_group_dn($groupname) -# where dn_line is like "dn: a=b,c=d" + sub get_group_dn -{ - my $group = shift; - my $dn=`$ldapsearch -b '$groupsdn' -s 
'$scope' '(&(objectclass=posixGroup)(|(cn=$group)(gidNumber=$group)))' | grep "^dn:"`; - chomp $dn; - if ($dn eq '') { - return undef; - } - - return $dn; -} + { + my $group = shift; + my $dn=''; + my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; + $ldap->bind ; + my $mesg = $ldap->search ( base => $groupsdn, + scope => $scope, + filter => "(&(objectclass=posixGroup)(|(cn=$group)(gidNumber=$group)))" + ); + $mesg->code && die $mesg->error; + foreach my $entry ($mesg->all_entries) { + $dn= $entry->dn;} + $ldap->unbind; + chomp($dn); + if ($dn eq '') { + return undef; + } + $dn="dn: ".$dn; + return $dn; + } +# return (success, dn) # bool = is_samba_user($username) sub is_samba_user -{ - my $user = shift; - my $cmd = "$ldapsearch -b '$suffix' -s '$scope' '(&(objectClass=sambaAccount)(uid=$user))' | grep '^dn:\'"; - my $res=`$cmd`; - chomp $res; - if ($res ne '') { - return 1; - } - return 0; -} + { + my $user = shift; + my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; + $ldap->bind ; + my $mesg = $ldap->search ( base => $suffix, + scope => $scope, + filter => "(&(objectClass=sambaSamAccount)(uid=$user))" + ); + $mesg->code && die $mesg->error; + $ldap->unbind; + return ($mesg->count ne 0); + } + -# bool = is_user_valid($username) # try to bind with user dn and password to validate current password -sub is_user_valid -{ - my ($user, $dn, $pass) = @_; - my $res=`$ldapsearchnobind -b '$usersdn' -s '$scope' -D '$dn' -w '$pass' '(&(objectclass=posixAccount)(uid=$user))' 2>/dev/null | grep "^dn:"`; - chomp $res; - if ($res eq '') { - return 0; - } - return 1; +sub is_user_valid + { + my ($user, $dn, $pass) = @_; + my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; + my $mesg= $ldap->bind (dn => $dn, password => $pass ); + if ($mesg->code eq 0) + { + $ldap->unbind; + return 1; + } + else + { + if($ldap->bind()) { + $ldap->unbind; + return 0; + } else { + print ("Le serveur LDAP est indisponible.\nVrifier le serveur, les cblages, ..."); + 
$ldap->unbind; + return 0; + } die "Problme : Contacter votre administrateur"; + } } # dn = get_dn_from_line ($dn_line) # helper to get "a=b,c=d" from "dn: a=b,c=d" sub get_dn_from_line -{ - my $dn = shift; - $dn =~ s/^dn: //; - return $dn; -} + { + my $dn = shift; + $dn =~ s/^dn: //; + return $dn; + } # success = add_posix_machine($user, $uid, $gid) sub add_posix_machine -{ - my ($user, $uid, $gid) = @_; - -my $tmpldif = -"dn: uid=$user,$computersdn -objectclass: top + { + my ($user, $uid, $gid) = @_; + my $tmpldif = + "dn: uid=$user,$computersdn +objectclass: inetOrgPerson objectclass: posixAccount +sn: $user cn: $user uid: $user uidNumber: $uid 
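Review bot: `is_user_valid` treats any bind that returns code 0 as proof of the password but never checks that `$pass` is non-empty; a simple bind with a DN and an empty password is an unauthenticated bind that some directory servers complete as anonymous (OpenLDAP refuses it by default, but that is a server setting this code does not enforce), so a blank password could validate an account. Add `return 0 unless defined $pass && length $pass;` before the bind, and compare the result numerically (`$mesg->code == 0`) rather than with `eq`. The new `filter => "(&(objectclass=posixAccount)(uid=$user))"` strings in get_user_dn, get_user_dn2, get_group_dn and is_samba_user interpolate the caller's value unescaped into the LDAP filter, so a name containing `*` or `)` changes the query; `Net::LDAP::Util::escape_filter_value` is the fix if the installed perl-ldap provides it. The `die "Problme …"` after the inner `return 0` is unreachable, and `add_posix_machine` runs past the end of this hunk.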
@@ -164,420 +214,497 @@ description: Computer "; - die "$0: error while adding posix account to machine $user\n" + die "$0: error while adding posix account to machine $user\n" unless (do_ldapadd($tmpldif) == 0); - - undef $tmpldif; - - return 1; -} + undef $tmpldif; + return 1; + } # success = add_samba_machine($computername) sub add_samba_machine { my $user = shift; system "smbpasswd -a -m $user"; - return 1; } sub add_samba_machine_mkntpwd -{ - my ($user, $uid) = @_; - my $rid = 2 * $uid + 1000; # Samba 2.2.2 stuff - - my $name = $user; - $name =~ s/.$//s; - - if ($mk_ntpasswd eq '') { - print "Either set \$with_smbpasswd = 1 or specify \$mk_ntpasswd\n"; - return 0; - } - - my $ntpwd = `$mk_ntpasswd '$name'`; - chomp(my $lmpassword = substr($ntpwd, 0, index($ntpwd, ':'))); - chomp(my $ntpassword = substr($ntpwd, index($ntpwd, ':')+1)); - - my $tmpldif = -"dn: uid=$user,$computersdn + { + my ($user, $uid) = @_; + my $sambaSID = 2 * $uid + 1000; + my $name = $user; + $name =~ s/.$//s; + + if ($mk_ntpasswd eq '') { + print "Either set \$with_smbpasswd = 1 or specify \$mk_ntpasswd\n"; + return 0; + } + + my $ntpwd = `$mk_ntpasswd '$name'`; + chomp(my $lmpassword = substr($ntpwd, 0, index($ntpwd, ':'))); + chomp(my $ntpassword = substr($ntpwd, index($ntpwd, ':')+1)); + + my $tmpldif = + "dn: uid=$user,$computersdn changetype: modify -objectclass: top +objectclass: inetOrgPerson objectclass: posixAccount -objectClass: sambaAccount -pwdLastSet: 0 -logonTime: 0 -logoffTime: 2147483647 -kickoffTime: 2147483647 -pwdCanChange: 0 -pwdMustChange: 2147483647 -acctFlags: [W ] -lmpassword: $lmpassword -ntpassword: $ntpassword -rid: $rid -primaryGroupID: 0 +objectClass: sambaSamAccount +sambaPwdLastSet: 0 +sambaLogonTime: 0 +sambaLogoffTime: 2147483647 +sambaKickoffTime: 2147483647 +sambaPwdCanChange: 0 +sambaPwdMustChange: 2147483647 +sambaAcctFlags: [W ] +sambaLMPassword: $lmpassword +sambaNTPassword: $ntpassword +sambaSID: $smbldap_conf::SID-$sambaSID +sambaPrimaryGroupSID: 
$smbldap_conf::SID-0 "; - die "$0: error while adding samba account to $user\n" - unless (do_ldapmodify($tmpldif) == 0); - undef $tmpldif; + die "$0: error while adding samba account to $user\n" + unless (do_ldapmodify($tmpldif) == 0); + undef $tmpldif; - return 1; -} + return 1; + } sub group_add_user -{ - my ($group, $userid) = @_; - my $dn_line; - - if (!defined($dn_line = get_group_dn($group))) { - return 1; - } - my $dn = get_dn_from_line($dn_line); - my $members = `$ldapsearch -b '$dn' -s base | grep -i "^memberUid:"`; - chomp($members); - # user already member ? - if ($members =~ m/^memberUid: $userid/) { - return 2; - } - my $mods = ""; - if ($members ne '') { - $mods="$dn_line + { + my ($group, $userid) = @_; + my $members=''; + my $dn_line = get_group_dn($group); + if (!defined($dn_line)) { + return 1; + } + my $dn = get_dn_from_line($dn_line); + + my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; + $ldap->bind ; + my $mesg = $ldap->search ( base =>$dn, scope => "base", filter => "(objectClass=*)" ); + $mesg->code && die $mesg->error; + foreach my $entry ($mesg->all_entries){ + foreach my $attr ($entry->attributes) + { + if ($attr=~/\bmemberUid\b/){ + foreach my $ent($entry->get_value($attr)) { $members.= $attr.": ".$ent."\n"; } + } + } + } + $ldap->unbind; + chomp($members); + # user already member ? 
+ if ($members =~ m/^memberUid: $userid/) { + return 2; + } + my $mods = ""; + if ($members ne '') { + $mods="$dn_line changetype: modify replace: memberUid $members memberUid: $userid + "; - } else { - $mods="$dn_line + } else { + $mods="$dn_line changetype: modify add: memberUid memberUid: $userid -"; - } +"; + } #print "$mods\n"; - - my $tmpldif = -"$mods + my $tmpldif = + "$mods "; - die "$0: error while modifying group $group\n" + die "$0: error while modifying group $group\n" unless (do_ldapmodify($tmpldif) == 0); - undef $tmpldif; - return 0; -} - -sub add_grouplist_user -{ - my ($grouplist, $user) = @_; - my @array = split(/,/, $grouplist); - foreach my $group (@array) { - group_add_user($group, $user); - } -} - -# XXX FIXME : acctFlags |= D, and not acctFlags = D + undef $tmpldif; + return 0; + } + +sub add_grouplist_user + { + my ($grouplist, $user) = @_; + my @array = split(/,/, $grouplist); + foreach my $group (@array) { + group_add_user($group, $user); + } + } + +# XXX FIXME : sambaAcctFlags |= D, and not sambaAcctFlags = D sub disable_user -{ - my $user = shift; - my $dn_line; + { + my $user = shift; + my $dn_line; - if (!defined($dn_line = get_user_dn($user))) { - print "$0: user $user doesn't exist\n"; - exit (10); - } + if (!defined($dn_line = get_user_dn($user))) { + print "$0: user $user doesn't exist\n"; + exit (10); + } - my $tmpldif = -"dn: $dn_line + my $tmpldif = + "dn: $dn_line changetype: modify replace: userPassword userPassword: {crypt}!x "; - die "$0: error while modifying user $user\n" + die "$0: error while modifying user $user\n" unless (do_ldapmodify($tmpldif) == 0); - undef $tmpldif; + undef $tmpldif; - if (is_samba_user($user)) { - - my $tmpldif = -"dn: $dn_line + if (is_samba_user($user)) { + + my $tmpldif = + "dn: $dn_line changetype: modify -replace: acctFlags -acctFlags: [D ] +replace: sambaAcctFlags +sambaAcctFlags: [D ] "; - die "$0: error while modifying user $user\n" + die "$0: error while modifying user $user\n" unless 
(do_ldapmodify($tmpldif) == 0); - undef $tmpldif; - - } - -} + undef $tmpldif; + } + } # delete_user($user) sub delete_user -{ - my $user = shift; - my $dn_line; + { + my $user = shift; + my $dn_line; - if (!defined($dn_line = get_user_dn($user))) { - print "$0: user $user doesn't exist\n"; - exit (10); - } + if (!defined($dn_line = get_user_dn($user))) { + print "$0: user $user doesn't exist\n"; + exit (10); + } - my $dn = get_dn_from_line($dn_line); - system "$ldapdelete $dn >/dev/null"; -} + my $dn = get_dn_from_line($dn_line); + system "$ldapdelete $dn >/dev/null"; + } # $success = group_add($groupname, $group_gid, $force_using_existing_gid) sub group_add -{ - my ($gname, $gid, $force) = @_; - - my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1"; - - if ($nscd_status == 0) { - system "/etc/init.d/nscd stop > /dev/null 2>&1"; - } - - if (!defined($gid)) { - while (defined(getgrgid($GID_START))) { - $GID_START++; - } - $gid = $GID_START; - } else { - if (!defined($force)) { - if (defined(getgrgid($gid))) { - return 0; - } - } - } - - if ($nscd_status == 0) { - system "/etc/init.d/nscd start > /dev/null 2>&1"; - } - - my $tmpldif = -"dn: cn=$gname,$groupsdn + { + my ($gname, $gid, $force) = @_; + my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1"; + if ($nscd_status == 0) { + system "/etc/init.d/nscd stop > /dev/null 2>&1"; + } + if (!defined($gid)) { + while (defined(getgrgid($GID_START))) { + $GID_START++; + } + $gid = $GID_START; + } else { + if (!defined($force)) { + if (defined(getgrgid($gid))) { + return 0; + } + } + } + if ($nscd_status == 0) { + system "/etc/init.d/nscd start > /dev/null 2>&1"; + } + my $tmpldif = + "dn: cn=$gname,$groupsdn objectclass: posixGroup cn: $gname gidNumber: $gid "; - die "$0: error while adding posix group $gname\n" + die "$0: error while adding posix group $gname\n" unless (do_ldapadd($tmpldif) == 0); - - undef $tmpldif; - - return 1; -} + undef $tmpldif; + return 1; + } # $homedir = get_homedir 
($user) sub get_homedir -{ - my $user = shift; - my $homeDir=`$ldapsearch -b '$suffix' -s '$scope' '(&(objectclass=posixAccount)(uid=$user))' | grep "^homeDirectory:"`; - chomp $homeDir; - if ($homeDir eq '') { - return undef; - } - $homeDir =~ s/^homeDirectory: //; - - return $homeDir; -} + { + my $user = shift; + my $homeDir=''; + # my $homeDir=`$ldapsearch -b '$suffix' -s '$scope' '(&(objectclass=posixAccount)(uid=$user))' | grep "^homeDirectory:"`; + my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; + $ldap->bind ; + my $mesg = $ldap->search ( base =>$suffix, scope => $scope, filter => "(&(objectclass=posixAccount)(uid=$user))" ); + $mesg->code && die $mesg->error; + foreach my $entry ($mesg->all_entries){ + foreach my $attr ($entry->attributes) + { + if ($attr=~/\bhomeDirectory\b/){ + foreach my $ent($entry->get_value($attr)) { + $homeDir.= $attr.": ".$ent."\n"; + } + } + } + } + $ldap->unbind; + chomp $homeDir; + if ($homeDir eq '') { + return undef; + } + $homeDir =~ s/^homeDirectory: //; + return $homeDir; + } # search for an user sub read_user -{ - my $user = shift; - my $lines=`$ldapsearch -b '$suffix' -s '$scope' '(&(objectclass=posixAccount)(uid=$user))' -LLL`; - chomp $lines; - if ($lines eq '') { - return undef; - } - - return $lines; -} + { + my $user = shift; + my $lines =''; + my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; + $ldap->bind ; + my $mesg = $ldap->search ( # perform a search + base => $suffix, + scope => $scope, + filter => "(&(objectclass=posixAccount)(uid=$user))" + ); + + $mesg->code && die $mesg->error; + foreach my $entry ($mesg->all_entries) { + $lines.= "dn: " . 
$entry->dn."\n"; + foreach my $attr ($entry->attributes) { + { + $lines.= $attr.": ".join(',', $entry->get_value($attr))."\n"; + } + } + } + $ldap->unbind; # take down sessio(n + chomp $lines; + if ($lines eq '') { + return undef; + } + return $lines; + } # search for a group sub read_group -{ - my $user = shift; - my $lines=`$ldapsearch -b '$groupsdn' -s '$scope' '(&(objectclass=posixGroup)(cn=$user))' -LLL`; - chomp $lines; - if ($lines eq '') { - return undef; - } - - return $lines; -} + { + my $user = shift; + my $lines =''; + my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; + $ldap->bind ; + my $mesg = $ldap->search ( # perform a search + base => $groupsdn, + scope => $scope, + filter => "(&(objectclass=posixGroup)(cn=$user))" + ); + + $mesg->code && die $mesg->error; + foreach my $entry ($mesg->all_entries) { + $lines.= "dn: " . $entry->dn."\n"; + foreach my $attr ($entry->attributes) { + { + $lines.= $attr.": ".join(',', $entry->get_value($attr))."\n"; + } + } + } + + $ldap->unbind; # take down sessio(n + chomp $lines; + if ($lines eq '') { + return undef; + } + return $lines; + } # find groups of a given user +##### MODIFIE ######## sub find_groups_of -{ - my $user = shift; - my $lines=`$ldapsearch -b '$groupsdn' -s '$scope' '(&(objectclass=posixGroup)(memberuid=$user))' -LLL | grep "^dn: "`; - chomp $lines; - if ($lines eq '') { - return undef; - } - - return $lines; -} + { + my $user = shift; + my $lines =''; + my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; + $ldap->bind ; + my $mesg = $ldap->search ( # perform a search + base => $groupsdn, + scope => $scope, + filter => "(&(objectclass=posixGroup)(memberuid=$user))" + ); + $mesg->code && die $mesg->error; + foreach my $entry ($mesg->all_entries) { + $lines.= "dn: ".$entry->dn."\n"; + } + $ldap->unbind; + chomp($lines); + if ($lines eq '') {return undef; } + return $lines; + } # return the gidnumber for a group given as name or gid # -1 : bad group name # -2 : bad gidnumber sub 
parse_group -{ - my $userGidNumber = shift; - - if ($userGidNumber =~ /[^\d]/ ) { - my $gname = $userGidNumber; - my $gidnum = getgrnam($gname); - if ($gidnum !~ /\d+/) { - return -1; - } else { - $userGidNumber = $gidnum; - } - } elsif (!defined(getgrgid($userGidNumber))) { - return -2; - } - return $userGidNumber; -} + { + my $userGidNumber = shift; + if ($userGidNumber =~ /[^\d]/ ) { + my $gname = $userGidNumber; + my $gidnum = getgrnam($gname); + if ($gidnum !~ /\d+/) { + return -1; + } else { + $userGidNumber = $gidnum; + } + } elsif (!defined(getgrgid($userGidNumber))) { + return -2; + } + return $userGidNumber; + } # remove $user from $group sub group_remove_member -{ - my ($group, $user) = @_; - - my $grp_line = get_group_dn($group); - if (!defined($grp_line)) { - return 0; - } - my $members = `$ldapsearch -b '$groupsdn' -s '$scope' '(&(objectclass=posixgroup)(cn=$group))' | grep -i "^memberUid:"`; - - #print "avant ---\n$members\n"; - $members =~ s/memberUid: $user\n//; - #print "----\n$members\n---\n"; - - chomp($members); - - my $header; - if ($members eq '') { - $header = "changetype: modify\n"; - $header .= "delete: memberUid"; - } else { - $header = "changetype: modify\n"; - $header .= "replace: memberUid"; - } - - my $tmpldif = + { + my ($group, $user) = @_; + my $members=''; + my $grp_line = get_group_dn($group); + if (!defined($grp_line)) { + return 0; + } + + my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; + $ldap->bind ; + my $mesg = $ldap->search ( base => $groupsdn, + scope => $scope, + filter => "(&(objectclass=posixgroup)(cn=$group))" + ); + $mesg->code && die $mesg->error; + foreach my $entry ($mesg->all_entries){ + foreach my $attr ($entry->attributes) + { + if ($attr=~/\bmemberUid\b/){ + foreach my $ent($entry->get_value($attr)) { + $members.= $attr.": ".$ent."\n"; + } + } + } + } + #print "Valeurs de members :\n$members"; + $ldap->unbind; + # my $members = `$ldapsearch -b '$groupsdn' -s '$scope' 
'(&(objectclass=posixgroup)(cn=$group))' | grep -i "^memberUid:"`; + # print "avant ---\n$members\n"; + $members =~ s/memberUid: $user\n//; + #print "aprs ---\n$members\n"; + chomp($members); + + my $header; + if ($members eq '') { + $header = "changetype: modify\n"; + $header .= "delete: memberUid"; + } else { + $header = "changetype: modify\n"; + $header .= "replace: memberUid"; + } + + my $tmpldif = "$grp_line $header $members "; - die "$0: error while modifying group $group\n" + + #print "Valeur du tmpldif : \n$tmpldif"; + die "$0: error while modifying group $group\n" unless (do_ldapmodify($tmpldif) == 0); - undef $tmpldif; + undef $tmpldif; - return 1; -} + $ldap->unbind; + return 1; + } sub group_get_members -{ - my ($group) = @_; - my @members; - - my $grp_line = get_group_dn($group); - if (!defined($grp_line)) { - return 0; - } - my $members = `$ldapsearch -b '$groupsdn' -s '$scope' '(&(objectclass=posixgroup)(cn=$group))' memberUid | grep -i "^memberUid:"`; - - my @lines = split (/\n/, $members); - foreach my $line (@lines) { - $line =~ s/^memberUid: //; - push(@members, $line); - } - - return @members; -} + { + my ($group) = @_; + my $members; + my @resultat; + my $grp_line = get_group_dn($group); + if (!defined($grp_line)) { return 0; } + + my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; + $ldap->bind ; + my $mesg = $ldap->search ( base => $groupsdn, + scope => $scope, + filter => "(&(objectclass=posixgroup)(cn=$group))" + ); + $mesg->code && die $mesg->error; + foreach my $entry ($mesg->all_entries){ + foreach my $attr ($entry->attributes){ + if ($attr=~/\bmemberUid\b/){ + foreach my $ent($entry->get_value($attr)) { push (@resultat,$ent); } + } + } + } + return @resultat; + } sub file_write { - my ($filename, $filecontent) = @_; - local *FILE; - open (FILE, "> $filename") || - die "Cannot open $filename for writing: $!\n"; - print FILE $filecontent; - close FILE; + my ($filename, $filecontent) = @_; + local *FILE; + open (FILE, "> 
$filename") || + die "Cannot open $filename for writing: $!\n"; + print FILE $filecontent; + close FILE; } # wrapper for ldapadd sub do_ldapadd2 -{ - my $ldif = shift; + { + my $ldif = shift; + my $tempfile = "/tmp/smbldapadd.$$"; + file_write($tempfile, $ldif); - my $tempfile = "/tmp/smbldapadd.$$"; - file_write($tempfile, $ldif); - - my $rc = system "$ldapadd < $tempfile >/dev/null"; - unlink($tempfile); - return $rc; -} + my $rc = system "$ldapadd < $tempfile >/dev/null"; + unlink($tempfile); + return $rc; + } sub do_ldapadd -{ - my $ldif = shift; - - my $FILE = "|$ldapadd >/dev/null"; - open (FILE, $FILE) || die "$!\n"; - print FILE </dev/null"; - unlink($tempfile); - return $rc; -} + { + my $ldif = shift; + my $tempfile = "/tmp/smbldapmod.$$"; + file_write($tempfile, $ldif); + my $rc = system "$ldapmodify -r < $tempfile >/dev/null"; + unlink($tempfile); + return $rc; + } sub do_ldapmodify -{ - my $ldif = shift; - - my $FILE = "|$ldapmodify -r >/dev/null"; - open (FILE, $FILE) || die "$!\n"; - print FILE < Date: Wed, 27 Aug 2003 14:44:36 +0000 Subject: add --help to script (This used to be commit 5b20494aff3da9414ac0100220de96750c3f06a3) --- examples/LDAP/convertSambaAccount | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/convertSambaAccount b/examples/LDAP/convertSambaAccount index 61e80e1b7b..d2770c75a6 100755 --- a/examples/LDAP/convertSambaAccount +++ b/examples/LDAP/convertSambaAccount @@ -35,6 +35,7 @@ sub usage { print "convertSambaAccount \n"; print "Options:\n"; + print " --help print this help message\n"; print " --input input LDIF filename\n"; print " --output output LDIF filename\n"; print " --sid domain SID\n"; @@ -77,7 +78,8 @@ sub usage { ## process command line args ## -$result = GetOptions(\%options, +$result = GetOptions(\%options, + "help", "input=s", "output=s", "sid=s", 
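Review bot: `group_add_user`'s "already a member" test `if ($members =~ m/^memberUid: $userid/)` runs without `/m` on a multi-line string, so `^` only matches the first memberUid line and the match is an unanchored prefix: a user already listed anywhere but first is added a second time (ldapmodify rejects the duplicate value and the script dies), while `bob` is reported as a member whenever `bobby` happens to be listed first. Use `if ($members =~ m/^memberUid: \Q$userid\E$/m) {`, and give `group_remove_member`'s `s/memberUid: $user\n//` the same `\Q…\E` and `^…/m` anchoring so a regex metacharacter in a username cannot alter the match. Separately, `disable_user` builds its LDIF as `"dn: $dn_line` although the new `get_user_dn` already returns the line with the `dn: ` prefix, which as far as the visible code shows yields `dn: dn: uid=…` and a failed modify. The tail of this hunk (the `do_ldapadd`/`do_ldapmodify` heredocs) is garbled in this view, so I could not review those wrappers.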
@@ -88,6 +90,11 @@ if (!$result && ($#ARGV != -1)) { exit 1; } +if ( defined($options{'help'}) ) { + usage(); + exit 0; +} + if ( !defined( $options{'sid'} ) ) { print "You must provide a domain sid\n"; -- cgit From b3f1b28e1e6efb32ff8e9536a45216edffda0eff Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 28 Aug 2003 16:38:59 +0000 Subject: removing outdated scripts and adding comments about 'ldap password syc' (This used to be commit 29885eae591bdbb899d18ac2e7ae355751cd4be6) --- examples/LDAP/export_smbpasswd.pl | 64 ---------------- examples/LDAP/import_smbpasswd.pl | 119 ----------------------------- examples/LDAP/ldapchpasswd | 152 -------------------------------------- examples/LDAP/ldapsync.pl | 5 ++ 4 files changed, 5 insertions(+), 335 deletions(-) delete mode 100644 examples/LDAP/export_smbpasswd.pl delete mode 100644 examples/LDAP/import_smbpasswd.pl delete mode 100644 examples/LDAP/ldapchpasswd (limited to 'examples/LDAP') diff --git a/examples/LDAP/export_smbpasswd.pl b/examples/LDAP/export_smbpasswd.pl deleted file mode 100644 index e4f120bf02..0000000000 --- a/examples/LDAP/export_smbpasswd.pl +++ /dev/null 
@@ -1,64 +0,0 @@ -#!/usr/bin/perl -## -## Example script to export ldap entries into an smbpasswd file format -## using the Mozilla PerLDAP module. -## -## writen by jerry@samba.org -## -## ported to Net::LDAP by dkrovich@slackworks.com - -use Net::LDAP; - -###################################################### -## Set these values to whatever you need for your site -## - -$DN="dc=samba,dc=my-domain,dc=com"; -$ROOTDN="cn=Manager,dc=my-domain,dc=com"; -$rootpw = "secret"; -$LDAPSERVER="localhost"; - -## -## end local site variables -###################################################### - -$ldap = Net::LDAP->new($LDAPSERVER) or die "Unable to connect to LDAP server $LDAPSERVER"; - -print "##\n"; -print "## Autogenerated smbpasswd file via ldapsearch\n"; -print "## from $LDAPSERVER ($DN)\n"; -print "##\n"; - -## scheck for the existence of the posixAccount first -$result = $ldap->search ( base => "$DN", - scope => "sub", - filter => "(objectclass=sambaAccount)" - ); - - - -## loop over the entries we found -while ( $entry = $result->shift_entry() ) { - - @uid = $entry->get_value("uid"); - @uidNumber = $entry->get_value("uidNumber"); - @lm_pw = $entry->get_value("lmpassword"); - @nt_pw = $entry->get_value("ntpassword"); - @acct = $entry->get_value("acctFlags"); - @pwdLastSet = $entry->get_value("pwdLastSet"); - - if (($#uid+1) && ($#uidNumber+1)) { - - $lm_pw[0] = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" if (! ($#lm_pw+1)); - $nt_pw[0] = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" if (! ($#nt_pw+1)); - $acct[0] = "[DU ]" if (! ($#acct+1)); - $pwdLastSet[0] = "FFFFFFFF" if (! ($#pwdLastSet+1)); - - print "$uid[0]:$uidNumber[0]:$lm_pw[0]:$nt_pw[0]:$acct[0]:LCT-$pwdLastSet[0]\n"; - } - -} - -$ldap->unbind(); -exit 0; - diff --git a/examples/LDAP/import_smbpasswd.pl b/examples/LDAP/import_smbpasswd.pl deleted file mode 100644 index 61ad33c809..0000000000 --- a/examples/LDAP/import_smbpasswd.pl +++ /dev/null 
@@ -1,119 +0,0 @@ -#!/usr/bin/perl -## -## Example script of how you could import a smbpasswd file into an LDAP -## directory using the Mozilla PerLDAP module. -## -## writen by jerry@samba.org -## -## ported to Net::LDAP by dkrovich@slackworks.com - -use Net::LDAP; - -################################################# -## set these to a value appropriate for your site -## - -$DN="ou=people,dc=plainjoe,dc=org"; -$ROOTDN="cn=Manager,dc=plainjoe,dc=org"; -# If you use perl special character in your -# rootpw, escape them: -# $rootpw = "secr\@t" instead of $rootpw = "secr@t" -$rootpw = "n0pass"; -$LDAPSERVER="scooby"; - -## -## end local site variables -################################################# - -$ldap = Net::LDAP->new($LDAPSERVER) or die "Unable to connect to LDAP server $LDAPSERVER"; - -## Bind as $ROOTDN so you can do updates -$mesg = $ldap->bind($ROOTDN, password => $rootpw); -$mesg->error() if $mesg->code(); - -while ( $string = ) { - chomp ($string); - - ## Get the account info from the smbpasswd file - @smbentry = split (/:/, $string); - - ## Check for the existence of a system account - @getpwinfo = getpwnam($smbentry[0]); - if (! @getpwinfo ) { - print STDERR "**$smbentry[0] does not have a system account... \n"; - next; - } - ## Calculate RID = uid*2 +1000 - $rid=@getpwinfo[2]*2+1000; - - ## check and see if account info already exists in LDAP. - $result = $ldap->search ( base => "$DN", - scope => "sub", - filter => "(uid=$smbentry[0])" - ); - - ## If no LDAP entry exists, create one. - if ( $result->count == 0 ) { - $new_entry = Net::LDAP::Entry->new(); - $new_entry->add( dn => "uid=$smbentry[0],$DN", - uid => $smbentry[0], - rid => $rid, - lmPassword => $smbentry[2], - ntPassword => $smbentry[3], - acctFlags => $smbentry[4], - cn => $smbentry[0], - pwdLastSet => hex(substr($smbentry[5],4)), - objectclass => 'sambaAccount' ); - - $result = $ldap->add( $new_entry ); - $result->error() if $result->code(); - print "Adding [uid=" . $smbentry[0] . "," . 
$DN . "]\n"; - - ## Otherwise, supplement/update the existing entry. - } - elsif ($result->count == 1) - { - # Put the search results into an entry object - $entry = $result->entry(0); - - print "Updating [" . $entry->dn . "]\n"; - - ## Add the objectclass: sambaAccount attribute if it's not there - @values = $entry->get_value( "objectclass" ); - $flag = 1; - foreach $item (@values) { - print "$item\n"; - if ( "$item" eq "sambaAccount" ) { - $flag = 0; - } - } - if ( $flag ) { - ## Adding sambaAccount objectclass requires adding at least rid: - ## uid attribute already exists we know since we searched on it - $entry->add(objectclass => "sambaAccount", - rid => $rid ); - } - - ## Set the other attribute values - $entry->replace(rid => $rid, - lmPassword => $smbentry[2], - ntPassword => $smbentry[3], - acctFlags => $smbentry[4], - pwdLastSet => hex(substr($smbentry[5],4))); - - ## Apply changes to the LDAP server - $updatemesg = $entry->update($ldap); - $updatemesg->error() if $updatemesg->code(); - - ## If we get here, the LDAP search returned more than one value - ## which shouldn't happen under normal circumstances. - } else { - print STDERR "LDAP search returned more than one entry for $smbentry[0]... skipping!\n"; - next; - } -} - -$ldap->unbind(); -exit 0; - - diff --git a/examples/LDAP/ldapchpasswd b/examples/LDAP/ldapchpasswd deleted file mode 100644 index 0776d9bed1..0000000000 --- a/examples/LDAP/ldapchpasswd +++ /dev/null 
@@ -1,152 +0,0 @@ -#!/usr/bin/perl -w - -# LDAP to unix password sync script for samba-tng -# originally by Jody Haynes -# 2000/12/12 milos@interactivesi.com -# modified for use with MD5 passwords -# 2000/12/16 mami@arena.sci.univr.it -# modified to change lmpassword and ntpassword for samba -# 2001/01/05 mami@arena.sci.univr.it -# modified for being also a /bin/passwd replacement -# 2001/01/29 mami@arena.sci.univr.it -# now there are two small programs: ldapchpasswd to -# change password from unix and ldapsync.pl to sync -# from NT/2000. ldapchpasswd do not need clear password. -# 2001/01/31 mami@arena.sci.univr.it -# add server parameter to ldap commands -# 2001/06/20 mami@arena.sci.univr.it -# add pwdlastset and shadowlastchange update - -$basedn = "ou=Students,dc=univr, dc=it"; -$binddn = "uid=root,dc=univr,dc=it"; -$scope = "sub"; -$server = "my_server"; - -foreach $arg (@ARGV) { - if ($< != 0) { - die "Only root can specify parameters\n"; - } else { - if ( ($arg eq '-?') || ($arg eq '--help') ) { - print "Usage: $0 [-o] [username]\n"; - print " -o, --without-old-password do not ask for old password (root only)\n"; - print " -?, --help show this help message\n"; - exit (-1); - } elsif ( ($arg eq '-o') || ($arg eq '--without-old-password') ) { - $oldpass = 1; - } elsif (substr($arg,0) ne '-') { - $user = $arg; - if (!defined(getpwnam($user))) { - die "$0: Unknown user name '$user'\n"; ; - } - } - } -} - -if (!defined($user)) { - $user=$ENV{"USER"}; -} - -# current user's dn -my $dn = ''; - -if ($< == 0) { - system "stty -echo"; - print "LDAP password for root DN: "; - chomp($passwd=); - print "\n"; - system "stty echo"; - # Find dn for user $user binding as root's dn - chomp($dn=`ldapsearch -h '$server' -b '$basedn' -s '$scope' -D '$binddn' -w '$passwd' '(uid=$user)'|head -1`); - if ( ($dn eq '') || ($passwd eq '') ) { - print "Wrong LDAP password for root DN!\n"; - exit (-1); - } -} else { - if (!defined($oldpass)) { - system "stty -echo"; - print "Old 
password for user $user: "; - chomp($oldpass=); - print "\n"; - system "stty echo"; - - # Find path to uid - chomp($path_to_uid=`ldapsearch -h '$server' -b '$basedn' -s '$scope' '(uid=$user)'|head -1`); - # Find old password for user $user binding as self - chomp($dn=`ldapsearch -h '$server' -b '$basedn' -s '$scope' -D '$path_to_uid' -w '$oldpass' '(uid=$user)'|head -1`); - - if ( ($dn eq '') || ($oldpass eq '') ) { - print "Wrong password for user $user!\n"; - exit (-1); - } - } -} - -system "stty -echo"; -print "New password for user $user: "; -chomp($pass=); -print "\n"; -system "stty echo"; - -system "stty -echo"; -print "Retype new password for user $user: "; -chomp($pass2=); -print "\n"; -system "stty echo"; - -if ( ($pass ne $pass2) || (length($pass)<1) ) { - die "Wrong password!\n"; -} else { -# MD5 password -$random = join '', ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64, rand 64, rand 64, rand 64, rand 64, rand 64, rand 64]; -$bsalt = "\$1\$"; $esalt = "\$"; -$modsalt = $bsalt.$random.$esalt; -$password = crypt($pass, $modsalt); - -# LanManager and NT clear text passwords -$ntpwd = `/usr/local/sbin/mkntpwd '$pass'`; -chomp($lmpassword = substr($ntpwd, 0, index($ntpwd, ':'))); -chomp($ntpassword = substr($ntpwd, index($ntpwd, ':')+1)); - -#$FILE="|/usr/bin/ldapmodify -h '$server' -D '$binddn' -w $passwd"; -if ($< != 0) { - $FILE="|/usr/bin/ldapmodify -h '$server' -D '$dn' -w '$oldpass'"; -} else { - $FILE="|/usr/bin/ldapmodify -h '$server' -D '$binddn' -w '$passwd'"; -} - -# Chenge time -$shadowlastchange=int(time/24/3600); -$pwdlastset=sprintf('%x',time); - -open FILE or die; - -print FILE < Date: Thu, 28 Aug 2003 17:00:36 +0000 Subject: remove rcs tag (This used to be commit 7105f4bcabb29126999b5494f6d60d6f766ab5cc) --- examples/LDAP/smbldap-tools/smbldap-groupmod.pl | 2 -- 1 file changed, 2 deletions(-) (limited to 'examples/LDAP') 
diff --git a/examples/LDAP/smbldap-tools/smbldap-groupmod.pl b/examples/LDAP/smbldap-tools/smbldap-groupmod.pl index f248027e91..7b5a46b06e 100755 --- a/examples/LDAP/smbldap-tools/smbldap-groupmod.pl +++ b/examples/LDAP/smbldap-tools/smbldap-groupmod.pl @@ -1,5 +1,3 @@ -# $Id: smbldap-groupmod.pl,v 1.1.6.2 2003/08/26 04:36:27 jerry Exp $ -# # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # -- cgit From 1e5411ca8257ac16195411b7105ebcd6a2bb4fb1 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 29 Aug 2003 16:56:59 +0000 Subject: updating README file after I removed some scripts (This used to be commit 90133558073deb96a0e5baf26e44cf1af1acd538) --- examples/LDAP/README | 61 ++++++++++++++++------------------------------------ 1 file changed, 19 insertions(+), 42 deletions(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/README b/examples/LDAP/README index c7ff16ad08..2f4b4f2a05 100644 --- a/examples/LDAP/README +++ b/examples/LDAP/README @@ -1,26 +1,11 @@ !== -!== README File for storing smbpasswd in LDAP +!== README File for various LDAP examples !== !== written by Gerald Carter !== -This is a quick and dirty means of converting smbpasswd entries -to sambaAccount entriues in an LDAP directory. - - -Pre-requisites for import_smbpasswd.pl & export_smbpasswd.pl --------------------------------------------------------------- -These two scripts are modified versions of -[import|export]_smbpasswd.pl rewritten to use the Net::LDAP -perl module available from - - http://perl-ldap.sourceforge.net - - - - -OpenLDAP 2.0.x --------------- +OpenLDAP 2.x +------------ A sample schema file (samba.schema) has been included for use with OpenLDAP 2.0.x. The OIDs used in this file are owned by 
@@ -50,39 +35,31 @@ nis.schema and cosine.schema in your slapd.conf file. You must restart the LDAP server for these new included schema files to become active. +SunOne/Netscape DS +------------------ -import_smbpasswd.pl ----------------------- - -Make sure you customize the local site variable in the perl script -(i.e. ldapserver, rootdn, rootpw, etc...). The script reads from -standard input and requires that user entries already exist -in your directories containing the 'objectclass: posixAccount' -value pair. For more information on this object and related schema, -refer to RFC2307 and http://www.padl.com/software.html). +The schema file has not been updated for the sambaSamAccount +objectclass. -The following will import an smbpasswd file into an LDAP directory - $ cat smbpasswd | import_smbpasswd.pl +Novell eDirectory +----------------- +The schema file has not been updated for the sambaSamAccount +objectclass. -export_smbpasswd.pl ----------------------- -Make sure you customize the local site variable in the perl script -(i.e. ldapserver, rootdn, rootpw, etc...). You can then generate -an smbpasswd file by executing - - $ export_smbpasswd.pl > smbpasswd - -NOTE: Server side (or client side) search limites may prevent -all users from being listed. Check you directory server documentation -for details. +smbldap-tools/ +-------------- +This is a collection of perl scripts (wrapped around the standard +OpenLDAP command line tools) for managing Samba and posix accounts +in an LDAP directory. See the README file included with the scripts +for more details. -ldapsync.pl & ldapchgpasswd.pl ------------------------------- +ldapsync.pl +----------- For more information on these scripts, see http://www.mami.net/univr/tng-ldap/howto/ -- cgit From c7dbe58a36db7678a9678e558822a8612c956cf5 Mon Sep 17 00:00:00 2001 
From: Gerald Carter Date: Fri, 5 Sep 2003 04:09:25 +0000 Subject: updated schema for 3.0 for eDirectory 8.7 and Netscape DS 4.x (This used to be commit c9c7150a627abe93a5d3c866605f2300a3cc5ec9) --- examples/LDAP/samba-nds.schema | 352 +++++++++++++------------------ examples/LDAP/samba-schema-netscapeds4.x | 158 +++++++++----- 2 files changed, 259 insertions(+), 251 deletions(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba-nds.schema b/examples/LDAP/samba-nds.schema index 99e56d75dc..8369c8404e 100644 --- a/examples/LDAP/samba-nds.schema +++ b/examples/LDAP/samba-nds.schema 
@@ -1,201 +1,151 @@ --- --- Submitted by Bruno Gimenes Pereti --- --- schema file for Novell's eDirectory 8.6 --- - -SambaAccountSchemaExtensions DEFINITIONS ::= -BEGIN - --- Password hashes -"lmPassword" ATTRIBUTE ::= -{ - Operation ADD, - SyntaxID SYN_CI_STRING, - Flags { DS_SINGLE_VALUED_ATTR }, - ASN1ObjID { 1 3 6 1 4 1 7165 2 1 1 } -} - -"ntPassword" ATTRIBUTE ::= -{ - Operation ADD, - SyntaxID SYN_CI_STRING, - Flags { DS_SINGLE_VALUED_ATTR }, - ASN1ObjID { 1 3 6 1 4 1 7165 2 1 2 } -} - --- Account flags in string format ([UWDX ]) -"acctFlags" ATTRIBUTE ::= -{ - Operation ADD, - SyntaxID SYN_CI_STRING, - Flags { DS_SINGLE_VALUED_ATTR }, - ASN1ObjID { 1 3 6 1 4 1 7165 2 1 4 } -} - --- Password timestamps & policies -"pwdLastSet" ATTRIBUTE ::= -{ - Operation ADD, - SyntaxID SYN_INTEGER, - Flags { DS_SINGLE_VALUED_ATTR }, - ASN1ObjID { 1 3 6 1 4 1 7165 2 1 3 } -} - -"logonTime" ATTRIBUTE ::= -{ - Operation ADD, - SyntaxID SYN_INTEGER, - Flags { DS_SINGLE_VALUED_ATTR }, - ASN1ObjID { 1 3 6 1 4 1 7165 2 1 5 } -} - -"logoffTime" ATTRIBUTE ::= -{ - Operation ADD, - SyntaxID SYN_INTEGER, - Flags { DS_SINGLE_VALUED_ATTR }, - ASN1ObjID { 1 3 6 1 4 1 7165 2 1 6 } -} - -"kickoffTime" ATTRIBUTE ::= -{ - Operation ADD, - SyntaxID SYN_INTEGER, - Flags { DS_SINGLE_VALUED_ATTR }, - ASN1ObjID { 1 3 6 1 4 1 7165 2 1 7 } -} - -"pwdCanChange" ATTRIBUTE ::= -{ - Operation ADD, - SyntaxID SYN_INTEGER, - Flags { DS_SINGLE_VALUED_ATTR }, - ASN1ObjID { 1 3 6 1 4 1 7165 2 1 8 } -} - -"pwdMustChange" ATTRIBUTE ::= -{ - Operation ADD, - SyntaxID SYN_INTEGER, - Flags { DS_SINGLE_VALUED_ATTR }, - ASN1ObjID { 1 3 6 1 4 1 7165 2 1 9 } -} - --- string settings -"homeDrive" ATTRIBUTE ::= -{ - Operation ADD, - SyntaxID SYN_CI_STRING, - Flags { DS_SINGLE_VALUED_ATTR }, - ASN1ObjID { 1 3 6 1 4 1 7165 2 1 10 } -} - -"scriptPath" ATTRIBUTE ::= -{ - Operation ADD, - SyntaxID SYN_CI_STRING, - Flags { DS_SINGLE_VALUED_ATTR }, - ASN1ObjID { 1 3 5 1 4 1 7165 2 1 11 } -} - -"profilePath" ATTRIBUTE ::= -{ 
- Operation ADD, - SyntaxID SYN_CI_STRING, - Flags { DS_SINGLE_VALUED_ATTR }, - ASN1ObjID { 1 3 6 1 4 1 7165 2 1 12 } -} - -"userWorkstations" ATTRIBUTE ::= -{ - Operation ADD, - SyntaxID SYN_CI_STRING, - Flags { DS_SINGLE_VALUED_ATTR }, - ASN1ObjID { 1 3 6 1 4 1 7165 2 1 13 } -} - -"smbHome" ATTRIBUTE ::= -{ - Operation ADD, - SyntaxID SYN_CI_STRING, - ASN1ObjID { 1 3 6 1 4 1 7165 2 1 17 } -} - -"domain" ATTRIBUTE ::= -{ - Operation ADD, - SyntaxID SYN_CI_STRING, - ASN1ObjID { 1 3 6 1 4 1 7165 2 1 18 } -} - --- user and group RID -"rid" ATTRIBUTE ::= -{ - Operation ADD, - SyntaxID SYN_INTEGER, - Flags { DS_SINGLE_VALUED_ATTR }, - ASN1ObjID { 1 3 6 1 4 1 7165 2 1 14 } -} - -"primaryGroupID" ATTRIBUTE ::= -{ - Operation ADD, - SyntaxID SYN_INTEGER, - Flags { DS_SINGLE_VALUED_ATTR }, - ASN1ObjID { 1 3 6 1 4 1 7165 2 1 15 } -} - -"sambaAccount" OBJECT-CLASS ::= -{ - Operation ADD, - Flags {DS_AUXILIARY_CLASS}, - SubClassOf {"TOP"}, - MustContain { "uid"}, - MustContain { "rid"}, - MayContain { "CN"}, - MayContain { "lmPassword"}, - MayContain { "ntPassword"}, - MayContain { "pwdLastSet"}, - MayContain { "logonTime"}, - MayContain { "logoffTime"}, - MayContain { "kickoffTime"}, - MayContain { "pwdCanChange"}, - MayContain { "pwdMustChange"}, - MayContain { "acctFlags"}, - MayContain { "displayName"}, - MayContain { "smbHome"}, - MayContain { "homeDrive"}, - MayContain { "scriptPath"}, - MayContain { "profilePath"}, - MayContain { "description"}, - MayContain { "userWorkstations"}, - MayContain { "primaryGroupID"}, - MayContain { "domain"}, - ASN1ObjID { 1 3 6 1 4 1 7165 2 2 3 } -} - --- Used for Winbind experimentation -"uidPool" OBJECT-CLASS ::= -{ - Operation ADD, - Flags {DS_AUXILIARY_CLASS}, - SubClassOf {"TOP"}, - MustContain { "uidNumber"}, - MustContain { "CN"}, - ASN1ObjID { 1 3 6 1 4 1 7165 1 2 2 3 } -} - -"gidPool" OBJECT-CLASS ::= -{ - Operation ADD, - Flags {DS_AUXILIARY_CLASS}, - SubClassOf {"TOP"}, - MustContain { "gidNumber"}, - MustContain { "CN"}, - 
ASN1ObjID { 1 3 6 1 4 1 7165 1 2 2 4 } -} - -END - - +## +## Schema file for Novell eDirectory 8.7.x by Uli Iske +## Schema for storing Samba's smbpasswd file in LDAP +## OIDs are owned by the Samba Team +## +####################################################################### +## Attributes used by Samba 3.0 schema ## +####################################################################### + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'LanManager Password' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'MD4 hash of the unicode password' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Account Flags' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' DESC 'Timestamp of the last password update' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange' DESC 'Timestamp of when the user is allowed to update the password' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' DESC 'Timestamp of when the password will expire' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' DESC 'Timestamp of last logon' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 
1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' DESC 'Timestamp of last logoff' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' DESC 'Timestamp of when the user will be logged off automatically' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' DESC 'Driver letter of home directory mapping' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' DESC 'Logon script path' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath' DESC 'Roaming profile path' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations' DESC 'List of user workstations the user is allowed to logon to' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath' DESC 'Home directory UNC path' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' DESC 'Windows NT domain to which the user belongs' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID' DESC 'Primary Group 
Security ID' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC 'NT Group Type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid' DESC 'Next NT rid to give our for users' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid' DESC 'Next NT rid to give out for groups' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' DESC 'Next NT rid to give out for anything' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase' DESC 'Base at which the samba RID generation algorithm should operate' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +####################################################################### +## objectClasses used by Samba 3.0 schema ## +####################################################################### +dn: cn=schema +changetype: modify +add: objectClasses +objectClasses: ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' DESC 'Samba 3.0 Auxilary SAM Account' SUP top AUXILIARY MUST ( uid $ sambaSID ) MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $sambaLogonTime $ sambaLogoffTime $sambaKickoffTime $sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $sambaProfilePath $ description $ sambaUserWorkstations $sambaPrimaryGroupSID $ sambaDomainName )) + +dn: cn=schema +changetype: modify +add: objectClasses +objectClasses: ( 1.3.6.1.4.1.7165.2.2.4 
NAME 'sambaGroupMapping' DESC 'Samba Group Mapping' SUP top AUXILIARY MUST ( gidNumber $ sambaSID $ sambaGroupType ) MAY ( displayName $ description )) + +dn: cn=schema +changetype: modify +add: objectClasses +objectClasses: ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' DESC 'Samba Domain Information' SUP top STRUCTURAL MUST ( sambaDomainName $sambaSID ) MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $sambaAlgorithmicRidBase ) ) + +dn: cn=schema +changetype: modify +add: objectClasses +objectClasses: ( 1.3.6.1.4.1.7165.1.2.2.7 NAME 'sambaUnixIdPool' DESC 'Pool for allocating UNIX uids/gids' SUP top AUXILIARY MUST ( uidNumber $ gidNumber ) ) + +dn: cn=schema +changetype: modify +add: objectClasses +objectClasses: ( 1.3.6.1.4.1.7165.1.2.2.8 NAME 'sambaIdmapEntry' DESC 'Mapping from a SID to an ID' SUP top AUXILIARY MUST ( sambaSID ) MAY ( uidNumber $ gidNumber ) ) + +dn: cn=schema +changetype: modify +add: objectClasses +objectClasses: ( 1.3.6.1.4.1.7165.1.2.2.9 NAME 'sambaSidEntry' DESC 'Structural Class for a SID' SUP top STRUCTURAL MUST ( sambaSID ) ) diff --git a/examples/LDAP/samba-schema-netscapeds4.x b/examples/LDAP/samba-schema-netscapeds4.x index c5a11b8b66..9f40966418 100644 --- a/examples/LDAP/samba-schema-netscapeds4.x +++ b/examples/LDAP/samba-schema-netscapeds4.x 
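Review bot: `sambaHomePath` (2.1.37) and `sambaDomainName` (2.1.38) are the only attributes in this file declared without `SINGLE-VALUE`, while the samba-schema-netscapeds4.x hunk of this same commit declares both `cis single`, so the two files disagree on cardinality; pick one and apply it to both (the netscapeds5.x file in the following commit repeats the omission). Several DESC strings carry typos that administrators will see when browsing the schema: 'Driver letter of home directory mapping' should read 'Drive letter', 'Next NT rid to give our for users' should read 'give out', and 'Samba 3.0 Auxilary SAM Account' should read 'Auxiliary'; the same strings reappear in the netscapeds5.x hunk. Since the header describes the file as storing smbpasswd data, I would add beneath it `## sambaLMPassword and sambaNTPassword are password-equivalent hashes: restrict read access to Samba's bind DN in the directory ACLs`, and the same line belongs in the netscapeds4.x and netscapeds5.x schema files, which are equally silent on the point.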
@@ -1,54 +1,112 @@ # -# LDAP Schema file for SAMBA attribute storage -# This file is suitable for usage with Netscape Directory Server 4.1x -# Adapted by Scott Lawson with help from Ron Creamer -# +# LDAP Schema file for SAMBA 3.0 attribute storage +# For Netscape Directory Server 4.1x +# Prepared by Osman Demirhan + +attribute sambaLMPassword 1.3.6.1.4.1.7165.2.1.24 cis single +attribute sambaNTPassword 1.3.6.1.4.1.7165.2.1.25 cis single +attribute sambaAcctFlags 1.3.6.1.4.1.7165.2.1.26 cis single +attribute sambaPwdLastSet 1.3.6.1.4.1.7165.2.1.27 int single +attribute sambaPwdCanChange 1.3.6.1.4.1.7165.2.1.28 int single +attribute sambaPwdMustChange 1.3.6.1.4.1.7165.2.1.29 int single +attribute sambaLogonTime 1.3.6.1.4.1.7165.2.1.30 int single +attribute sambaLogoffTime 1.3.6.1.4.1.7165.2.1.31 int single +attribute sambaKickoffTime 1.3.6.1.4.1.7165.2.1.32 int single +attribute sambaHomeDrive 1.3.6.1.4.1.7165.2.1.33 cis single +attribute sambaLogonScript 1.3.6.1.4.1.7165.2.1.34 cis single +attribute sambaProfilePath 1.3.6.1.4.1.7165.2.1.35 cis single +attribute sambaUserWorkstations 1.3.6.1.4.1.7165.2.1.36 cis single +attribute sambaHomePath 1.3.6.1.4.1.7165.2.1.37 cis single +attribute sambaDomainName 1.3.6.1.4.1.7165.2.1.38 cis single +attribute sambaSID 1.3.6.1.4.1.7165.2.1.20 cis single +attribute sambaPrimaryGroupSID 1.3.6.1.4.1.7165.2.1.23 cis single +attribute sambaGroupType 1.3.6.1.4.1.7165.2.1.19 int single +attribute sambaNextUserRid 1.3.6.1.4.1.7165.2.1.21 int single +attribute sambaNextGroupRid 1.3.6.1.4.1.7165.2.1.22 int single +attribute sambaNextRid 1.3.6.1.4.1.7165.2.1.39 int single +attribute sambaAlgorithmicRidBase 1.3.6.1.4.1.7165.2.1.40 int single + +objectclass sambaSamAccount + oid + 1.3.6.1.4.1.7165.2.2.6 + superior + top + requires + objectClass, + uid, + sambaSID + allows + cn, + sambaLMPassword, + sambaNTPassword, + sambaPwdLastSet, + sambaLogonTime, + sambaLogoffTime, + sambaKickoffTime, + sambaPwdCanChange, + sambaPwdMustChange, + 
sambaAcctFlags, + displayName, + sambaHomePath, + sambaHomeDrive, + sambaLogonScript, + sambaProfilePath, + description, + sambaUserWorkstations, + sambaPrimaryGroupSID, + sambaDomainName + +objectclass sambaGroupMapping + oid + 1.3.6.1.4.1.7165.2.2.4 + superior + top + requires + gidNumber, + sambaSID, + sambaGroupType + allows + displayName, + description + +objectclass sambaDomain + oid + 1.3.6.1.4.1.7165.2.2.5 + superior + top + requires + sambaDomainName, + sambaSID + allows + sambaNextRid, + sambaNextGroupRid, + sambaNextUserRid, + sambaAlgorithmicRidBase -attribute lmPassword 1.3.6.1.4.1.7165.2.1.1 cis single -attribute ntPassword 1.3.6.1.4.1.7165.2.1.2 cis single -attribute acctFlags 1.3.6.1.4.1.7165.2.1.4 cis single -attribute pwdLastSet 1.3.6.1.4.1.7165.2.1.3 int single -attribute logonTime 1.3.6.1.4.1.7165.2.1.5 int single -attribute logoffTime 1.3.6.1.4.1.7165.2.1.6 int single -attribute kickoffTime 1.3.6.1.4.1.7165.2.1.7 int single -attribute pwdCanChange 1.3.6.1.4.1.7165.2.1.8 int single -attribute pwdMustChange 1.3.6.1.4.1.7165.2.1.9 int single -attribute homedrive 1.3.6.1.4.1.7165.2.1.10 cis single -attribute scriptPath 1.3.6.1.4.1.7165.2.1.11 cis single -attribute profilePath 1.3.6.1.4.1.7165.2.1.12 cis single -attribute userWorkstations 1.3.6.1.4.1.7165.2.1.13 cis single -attribute rid 1.3.6.1.4.1.7165.2.1.14 int single -attribute primaryGroupID 1.3.6.1.4.1.7165.2.1.15 int single -attribute smbHome 1.3.6.1.4.1.7165.2.1.17 cis single -attribute domain 1.3.6.1.4.1.7165.2.1.18 cis single +objectclass sambaUnixIdPool + oid + 1.3.6.1.4.1.7165.1.2.2.7 + superior + top + requires + uidNumber, + gidNumber -objectclass sambaAccount - oid - 1.3.1.5.1.4.1.7165.2.2.2 - superior - top - requires - objectClass, - uid, - rid - allows - cn, - lmPassword, - ntPassword, - pwdLastSet, - logonTime, - logoffTime, - KickoffTime, - pwdCanChange, - pwdMustChange, - acctFlags, - displayName, - smbHome, - homeDrive, - scriptPath, - profilePath, - description, - 
userWorkstations, - primaryGroupID, - domain +objectclass sambaIdmapEntry + oid + 1.3.6.1.4.1.7165.1.2.2.8 + superior + top + requires + sambaSID + allows + uidNumber, + gidNumber +objectclass sambaSidEntry + oid + 1.3.6.1.4.1.7165.1.2.2.9 + superior + top + requires + sambaSID -- cgit From 09ea546e5c7178f52856bdd104731c33d45d8a01 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 8 Sep 2003 15:59:45 +0000 Subject: samba 3.0 schema filr netscape DS 5.x from Darren Chew (This used to be commit 3f97a5ce47bbdd3010dd8e234a7aa5838b524b46) --- examples/LDAP/samba-schema-netscapeds5.x | 109 ++++++++++--------------------- 1 file changed, 35 insertions(+), 74 deletions(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba-schema-netscapeds5.x b/examples/LDAP/samba-schema-netscapeds5.x index 0abc9d82e2..37c3347465 100644 --- a/examples/LDAP/samba-schema-netscapeds5.x +++ b/examples/LDAP/samba-schema-netscapeds5.x 
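Review bot: `sambaSamAccount` lists `objectClass` under `requires`, but none of the other five new classes (`sambaGroupMapping`, `sambaDomain`, `sambaUnixIdPool`, `sambaIdmapEntry`, `sambaSidEntry`) does; the old `sambaAccount` had it, so it was carried over, but the six definitions in one file should agree — either all list `objectClass` or none. Nothing in this file marks a class as auxiliary, so the classes that the eDirectory hunk of the same commit declares AUXILIARY appear here as plain subclasses of `top` with `requires uid` / `requires sambaSID`; if that is an accepted limitation of the DS 4.x format, record it in the header, e.g. `# NOTE: this format has no AUXILIARY keyword; sambaSamAccount and friends are auxiliary in the other schema files`. The header also drops the 'Adapted by Scott Lawson with help from Ron Creamer' credit; if any of that work survives in the new attribute list, keep the attribution.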
@@ -1,74 +1,35 @@ -## -## submitted by Martin.Dehn@comparex.de -## -## Experiement sambaAccount schema file Netscape DS 5.0 -## -## INSTALL-DIRECTORY/slapd-your_name/config/schema/samba-schema-netscapeds5.ldif -## -dn: cn=schema -objectClass: top -objectClass: ldapSubentry -objectClass: subschema -cn: schema -aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo - us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";) -aci: (targetattr = "*")(version 3.0; acl "Configuration Administrator"; allow - (all) userdn = "ldap:///uid=admin,ou=Administrators, ou=TopologyManagement, - o=NetscapeRoot";) -aci: (targetattr = "*")(version 3.0; acl "Local Directory Administrators Group - "; allow (all) groupdn = "ldap:///cn=Directory Administrators, dc=samba,dc=org";) -aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)groupdn = "ld - ap:///cn=slapd-sambaldap, cn=iPlanet Directory Server, cn=Server Group, cn=iPlanetDirectory.samba.org, ou=samba.org, o=NetscapeRoot";) -modifiersName: cn=directory manager -modifyTimestamp: 20020322124844Z -objectClasses: ( 1.3.1.5.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTUR - AL MAY ( acctFlags $ domain $ homeDrive $ kickoffTime $ lmPassword $ logofft - ime $ logonTime $ ntPassword $ primaryGroupID $ profilePath $ pwdCanChange $ - pwdLastSet $ pwdMustChange $ rid $ scriptPath $ smbHome $ userWorkstations - ) X-ORIGIN 'user defined' ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.11 NAME 'scriptPath' DESC 'NT script pa - th' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined - ' ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.5 NAME 'logonTime' DESC 'NT logon time' - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.12 NAME 'profilePath' DESC 'NT profile - path' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defin - ed' ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.8 NAME 'pwdCanChange' DESC 'NT 
passwd c - an change' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user - defined' ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.17 NAME 'smbHome' DESC 'smbHome' SYNTAX - 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.3 NAME 'pwdLastSet' SYNTAX 1.3.6.1.4.1 - .1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.18 NAME 'domain' DESC 'Windows NT domai - n Samba' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user de - fined' ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.10 NAME 'homeDrive' DESC 'NT home drive - ' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' - ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.6 NAME 'logofftime' DESC 'logoff Time' - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.15 NAME 'primaryGroupID' DESC 'NT Group - RID' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defin - ed' ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.1 NAME 'lmPassword' DESC 'LanManager Pa - sswd' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defin - ed' ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.9 NAME 'pwdMustChange' DESC 'NT pwdmust - chnage' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user def - ined' ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.4 NAME 'acctFlags' DESC 'Account Flags' - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.13 NAME 'userWorkstations' DESC 'userWo - rkstations' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user - defined' ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.7 NAME 'kickoffTime' DESC 'NT kickoff T - ime' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user define - d' ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.14 NAME 'rid' DESC 'rid' SYNTAX 1.3.6.1 - .4.1.1466.115.121.1.27 SINGLE-VALUE 
X-ORIGIN 'user defined' ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.2 NAME 'ntPassword' DESC 'NT Passwd' SY - NTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' ) -nsSchemaCSN: 3c9b282c000000000000 - +## +## Garren Chew +## +## Samba 3.0 schema file for Netscape DS 5.x +## +## INSTALL-DIRECTORY/slapd-your_name/config/schema/samba-schema-netscapeds5.ldif + +objectClasses: ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY DESC 'Samba 3.0 Auxilary SAM Account' MUST ( uid $ sambaSID ) MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGroupSID $ sambaDomainName ) X-ORIGIN 'user defined' ) +objectClasses: ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY DESC 'Samba Group Mapping' MUST ( gidNumber $ sambaSID $ sambaGroupType ) MAY ( displayName $ description ) X-ORIGIN 'user defined' ) +objectClasses: ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL DESC 'Samba Domain Information' MUST ( sambaDomainName $ sambaSID ) MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithmicRidBase ) X-ORIGIN 'user defined' ) +objectClasses: ( 1.3.6.1.4.1.7165.1.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY DESC 'Pool for allocating UNIX uids/gids' MUST ( uidNumber $ gidNumber ) X-ORIGIN 'user defined' ) +objectClasses: ( 1.3.6.1.4.1.7165.1.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY DESC 'Mapping from a SID to an ID' MUST ( sambaSID ) MAY ( uidNumber $ gidNumber ) X-ORIGIN 'user defined' ) +objectClasses: ( 1.3.6.1.4.1.7165.1.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL DESC 'Structural Class for a SID' MUST ( sambaSID ) X-ORIGIN 'user defined' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'LanManager Password' 
EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE X-ORIGIN 'user defined' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'MD4 hash of the unicode password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE X-ORIGIN 'user defined' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Account Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE X-ORIGIN 'user defined' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' DESC 'Timestamp of the last password update' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange' DESC 'Timestamp of when the user is allowed to update the password' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' DESC 'Timestamp of when the password will expire' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' DESC 'Timestamp of last logon' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' DESC 'Timestamp of last logoff' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' DESC 'Timestamp of when the user will be logged off automatically' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' DESC 'Driver letter of home directory mapping' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE X-ORIGIN 
'user defined' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' DESC 'Logon script path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE X-ORIGIN 'user defined' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath' DESC 'Roaming profile path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE X-ORIGIN 'user defined' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations' DESC 'List of user workstations the user is allowed to logon to' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE X-ORIGIN 'user defined' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath' DESC 'Home directory UNC path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' DESC 'Windows NT domain to which the user belongs' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE X-ORIGIN 'user defined' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID' DESC 'Primary Group Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE X-ORIGIN 'user defined' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC 'NT Group Type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid' DESC 'Next NT rid to give our for users' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid' DESC 'Next NT rid to give out for groups' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user 
defined' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' DESC 'Next NT rid to give out for anything' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase' DESC 'Base at which the samba RID generation algorithm should operate' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) -- cgit From 314b7f7cca1bdbcf88a2af3c587150db4c878f34 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 9 Sep 2003 03:54:11 +0000 Subject: syncing files (This used to be commit 88725350d248fe017b77c7609544888ba40b7995) --- examples/LDAP/smbldap-tools/CONTRIBUTORS | 2 -- examples/LDAP/smbldap-tools/ChangeLog | 2 -- examples/LDAP/smbldap-tools/FILES | 2 -- examples/LDAP/smbldap-tools/INFRASTRUCTURE | 2 -- examples/LDAP/smbldap-tools/INSTALL | 2 -- examples/LDAP/smbldap-tools/README | 3 --- examples/LDAP/smbldap-tools/TODO | 2 -- examples/LDAP/smbldap-tools/smbldap-tools.spec | 1 - 8 files changed, 16 deletions(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/smbldap-tools/CONTRIBUTORS b/examples/LDAP/smbldap-tools/CONTRIBUTORS index 1b308a7266..59dafcc89e 100644 --- a/examples/LDAP/smbldap-tools/CONTRIBUTORS +++ b/examples/LDAP/smbldap-tools/CONTRIBUTORS @@ -1,5 +1,3 @@ -# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/CONTRIBUTORS,v $ -# ## Authors and actives contributors to SMBLDAP-TOOLS Have contributed directly to this tools, or are always in charge of diff --git a/examples/LDAP/smbldap-tools/ChangeLog b/examples/LDAP/smbldap-tools/ChangeLog index 76b8b3f3c6..0994cb4931 100644 --- a/examples/LDAP/smbldap-tools/ChangeLog +++ b/examples/LDAP/smbldap-tools/ChangeLog @@ -1,5 +1,3 @@ -# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/ChangeLog,v $ -# ## ChangeLog for SMBLDAP-TOOLS * 2002-07-24: top and account objectclasses replaced with inetorgperson 
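Review bot: The new file drops the `dn: cn=schema`, `objectClass: top/ldapSubentry/subschema` and `cn: schema` lines the removed version had, yet the header still says it is installed as `INSTALL-DIRECTORY/slapd-your_name/config/schema/samba-schema-netscapeds5.ldif`; if the server parses files in that directory as LDIF entries, the bare `objectClasses:`/`attributeTypes:` lines belong to no entry, so either restore the `dn: cn=schema` header block or document how the file is meant to be loaded. `sambaHomePath` (2.1.37) and `sambaDomainName` (2.1.38) are the only attribute definitions lacking both `SINGLE-VALUE` and `X-ORIGIN 'user defined'`; unless that is intentional, append `SINGLE-VALUE X-ORIGIN 'user defined'` to match the other twenty entries. The header credits 'Garren Chew' while the commit subject says 'Darren Chew'; one of the two is a typo and should be corrected so the contribution is attributed consistently.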
diff --git a/examples/LDAP/smbldap-tools/FILES b/examples/LDAP/smbldap-tools/FILES index 48ee571b29..0343c53d60 100644 --- a/examples/LDAP/smbldap-tools/FILES +++ b/examples/LDAP/smbldap-tools/FILES @@ -1,5 +1,3 @@ -# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/FILES,v $ -# ## File listing for SMBLDAP-TOOLS CONTRIBUTORS : authors and contributors diff --git a/examples/LDAP/smbldap-tools/INFRASTRUCTURE b/examples/LDAP/smbldap-tools/INFRASTRUCTURE index 75b80bb4c8..25fbda8599 100644 --- a/examples/LDAP/smbldap-tools/INFRASTRUCTURE +++ b/examples/LDAP/smbldap-tools/INFRASTRUCTURE @@ -1,5 +1,3 @@ -# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/INFRASTRUCTURE,v $ -# ## Some notes about the architecture diff --git a/examples/LDAP/smbldap-tools/INSTALL b/examples/LDAP/smbldap-tools/INSTALL index f4c72751a7..d5ca07826f 100644 --- a/examples/LDAP/smbldap-tools/INSTALL +++ b/examples/LDAP/smbldap-tools/INSTALL @@ -1,5 +1,3 @@ -# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/INSTALL,v $ -# ## How To Install SMBLDAP-TOOLS Quick & Dirty: diff --git a/examples/LDAP/smbldap-tools/README b/examples/LDAP/smbldap-tools/README index add0175c0c..3b4bf2da0d 100644 --- a/examples/LDAP/smbldap-tools/README +++ b/examples/LDAP/smbldap-tools/README @@ -1,6 +1,3 @@ -# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/README,v $ -# - Latest version may be found at http://samba.idealx.org/ diff --git a/examples/LDAP/smbldap-tools/TODO b/examples/LDAP/smbldap-tools/TODO index 71e6695299..25cc30c684 100644 --- a/examples/LDAP/smbldap-tools/TODO +++ b/examples/LDAP/smbldap-tools/TODO @@ -1,5 +1,3 @@ -# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/TODO,v $ -# ## TODO list - First In, Last in the list... ## (BF: Bug Report / FR: Feature Request) diff --git a/examples/LDAP/smbldap-tools/smbldap-tools.spec b/examples/LDAP/smbldap-tools/smbldap-tools.spec index ddaed458da..7924ae20e2 100755 
--- a/examples/LDAP/smbldap-tools/smbldap-tools.spec +++ b/examples/LDAP/smbldap-tools/smbldap-tools.spec @@ -1,4 +1,3 @@ -# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/smbldap-tools.spec,v $ %define version 0.8 %define release 1 %define name smbldap-tools -- cgit From 150d3d535c808a22536477e9a59b76d1e66609d9 Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Thu, 11 Sep 2003 18:32:44 +0000 Subject: Updated 3.0 schema files for IBM Directory Server 5.1 Keeps with IBM convention of separate attributetype and objectclass definitions. (This used to be commit 5dcf974c22b4bd54193dff876020bacd5b1691b2) --- examples/LDAP/samba.schema.at.IBM-DS | 46 ++++++++++++++++++++++++++++++++++++ examples/LDAP/samba.schema.oc.IBM-DS | 15 ++++++++++++ 2 files changed, 61 insertions(+) create mode 100644 examples/LDAP/samba.schema.at.IBM-DS create mode 100644 examples/LDAP/samba.schema.oc.IBM-DS (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema.at.IBM-DS b/examples/LDAP/samba.schema.at.IBM-DS new file mode 100644 index 0000000000..5aa70b5101 --- /dev/null +++ b/examples/LDAP/samba.schema.at.IBM-DS 
@@ -0,0 +1,46 @@ +## Samba 3.0 schema for IBM Directory Server 5.1 - object classes only + +attributetypes=( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'LanManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'MD4 hash of the unicode password'EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Account Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' DESC 'Timestamp of the last password update' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange' DESC 'Timestamp of when the user is allowed to update the password' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' DESC 'Timestamp of when the password will expire' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' DESC 'Timestamp of last logon' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' DESC 'Timestamp of last logoff' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' DESC 'Timestamp of when the user will be logged off automatically' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' DESC 'Driver letter of home directory mapping' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE ) + +attributetypes=( 
1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' DESC 'Logon script path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath' DESC 'Roaming profile path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations' DESC 'List of user workstations the user is allowed to logon to' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath' DESC 'Home directory UNC path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' DESC 'Windows NT domain to which the user belongs' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID' DESC 'Primary Group Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC 'NT Group Type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid' DESC 'Next NT rid to give our for users' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid' DESC 'Next NT rid to give out for groups' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' DESC 'Next NT rid to give out for anything' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetypes=( 
1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase' DESC 'Base at which the samba RID generation algorithm should operate' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + diff --git a/examples/LDAP/samba.schema.oc.IBM-DS b/examples/LDAP/samba.schema.oc.IBM-DS new file mode 100644 index 0000000000..202c332407 --- /dev/null +++ b/examples/LDAP/samba.schema.oc.IBM-DS @@ -0,0 +1,15 @@ +## Samba 3.0 schema for IBM Directory Server 5.1 - object classes only + +objectclasses=( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY DESC 'Samba 3.0 Auxilary SAM Account' MUST ( uid $ sambaSID ) MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGroupSID $ sambaDomainName )) + +objectclasses=( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY DESC 'Samba Group Mapping' MUST ( gidNumber $ sambaSID $ sambaGroupType ) MAY ( displayName $ description )) + +objectclasses=( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL DESC 'Samba Domain Information' MUST ( sambaDomainName $ sambaSID ) MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithmicRidBase ) ) + +objectclasses=( 1.3.6.1.4.1.7165.1.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY DESC 'Pool for allocating UNIX uids/gids' MUST ( uidNumber $ gidNumber ) ) + +objectclasses=( 1.3.6.1.4.1.7165.1.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY DESC 'Mapping from a SID to an ID' MUST ( sambaSID ) MAY ( uidNumber $ gidNumber ) ) + +objectclasses=( 1.3.6.1.4.1.7165.1.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL DESC 'Structural Class for a SID' MUST ( sambaSID ) ) + + -- cgit From 05d50e91cc5cb814a608ad8da6a46ec564aca04f Mon Sep 17 00:00:00 2001 
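Review bot: The header of samba.schema.at.IBM-DS reads `## Samba 3.0 schema for IBM Directory Server 5.1 - object classes only`, yet the file holds only attributetypes definitions, so it should say `- attribute types only` (the same header is correct in the sibling samba.schema.oc.IBM-DS). The sambaNTPassword definition is missing the space before EQUALITY, `DESC 'MD4 hash of the unicode password'EQUALITY caseIgnoreIA5Match`, which a strict schema parser may reject as a malformed DESC token. In the sambaHomeDrive entry `'Driver letter of home directory mapping'` should read `'Drive letter of home directory mapping'`.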
From: Gerald Carter Date: Fri, 19 Sep 2003 18:53:07 +0000 Subject: insert missing sh-bang (This used to be commit 64fa24dbabd8d211d276e19745561a11b7465158) --- examples/LDAP/smbldap-tools/smbldap-groupmod.pl | 1 + 1 file changed, 1 insertion(+) (limited to 'examples/LDAP') diff --git a/examples/LDAP/smbldap-tools/smbldap-groupmod.pl b/examples/LDAP/smbldap-tools/smbldap-groupmod.pl index 7b5a46b06e..4a891a2772 100755 --- a/examples/LDAP/smbldap-tools/smbldap-groupmod.pl +++ b/examples/LDAP/smbldap-tools/smbldap-groupmod.pl @@ -1,3 +1,4 @@ +#!/usr/bin/perl # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # -- cgit From d1b4886688d0323ee070e87c80bcd540f15e7ceb Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Sat, 20 Sep 2003 15:20:31 +0000 Subject: updates to SunOne DS schema from André Fiebach (This used to be commit bd9b90a391e3346ff22888bbc589e65ccdddd482) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- examples/LDAP/samba-schema-netscapeds5.x | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba-schema-netscapeds5.x b/examples/LDAP/samba-schema-netscapeds5.x index 37c3347465..e750039acb 100644 --- a/examples/LDAP/samba-schema-netscapeds5.x +++ b/examples/LDAP/samba-schema-netscapeds5.x 
@@ -1,10 +1,30 @@ ## -## Garren Chew +## Darren Chew +## Andre Fiebach ## ## Samba 3.0 schema file for Netscape DS 5.x ## ## INSTALL-DIRECTORY/slapd-your_name/config/schema/samba-schema-netscapeds5.ldif - +#################################################################### +# Sun One DS do not load the schema without this lines +# André Fiebach +dn: cn=schema +objectClass: top +objectClass: ldapSubentry +objectClass: subschema +cn: schema +aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo + us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";) +aci: (targetattr = "*")(version 3.0; acl "Configuration Administrator"; allow + (all) userdn = "ldap:///uid=admin,ou=Administrators, ou=TopologyManagement, + o=NetscapeRoot";) +aci: (targetattr = "*")(version 3.0; acl "Local Directory Administrators Group + "; allow (all) groupdn = "ldap:///cn=Directory Administrators, dc=samba,dc=org";) +aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)groupdn = "ld + ap:///cn=slapd-sambaldap, cn=iPlanet Directory Server, cn=Server Group, cn=iPlanetDirectory.samba.org, ou=samba.org, o=NetscapeRoot";) +modifiersName: cn=directory manager +modifyTimestamp: 20020322124844Z +#################################################################### objectClasses: ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY DESC 'Samba 3.0 Auxilary SAM Account' MUST ( uid $ sambaSID ) MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGroupSID $ sambaDomainName ) X-ORIGIN 'user defined' ) objectClasses: ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY DESC 'Samba Group Mapping' MUST ( gidNumber $ sambaSID $ sambaGroupType ) MAY ( displayName $ description ) 
X-ORIGIN 'user defined' ) objectClasses: ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL DESC 'Samba Domain Information' MUST ( sambaDomainName $ sambaSID ) MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithmicRidBase ) X-ORIGIN 'user defined' ) -- cgit From af7ed6225c3b890b5e7bac6b9bd9029e35c37b4a Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Sat, 20 Sep 2003 15:28:24 +0000 Subject: fix from Brad Langhorst to correctly check if the primaryGroupID has been set (This used to be commit 5c45b799d1b87fed8afa4665e075f2c8ccb6da84) --- examples/LDAP/convertSambaAccount | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/convertSambaAccount b/examples/LDAP/convertSambaAccount index d2770c75a6..e00d0a2326 100755 --- a/examples/LDAP/convertSambaAccount +++ b/examples/LDAP/convertSambaAccount @@ -170,7 +170,7 @@ while ( !$ldif->eof ) { $entry->add( 'sambaSID' => $domsid."-".$entry->get_value( "rid" ) ); $entry->delete( 'rid' ); - if ( $entry->get_value( "primaryGroupID" ) ) { + if ( defined($entry->get_value( "primaryGroupID" )) ) { push @adds, "sambaPrimaryGroupSID: " . $domsid."-".$entry->get_value( "primaryGroupID" ); push @dels, "primaryGroupID"; $entry->add( 'sambaPrimaryGroupSID' => $domsid."-".$entry->get_value( "primaryGroupID" ) ); -- cgit From 79cb5593a8a99647426d3deb70babc64f43473f8 Mon Sep 17 00:00:00 2001 
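Review bot: The `cn=schema` entry added at the top of samba-schema-netscapeds5.x carries site-specific access control: its `allow (all)` aci values name `cn=Directory Administrators, dc=samba,dc=org` and the SIE group `cn=slapd-sambaldap, ..., cn=iPlanetDirectory.samba.org, ou=samba.org, o=NetscapeRoot`, and the entry also fixes `modifiersName` and `modifyTimestamp`. Anyone who loads this example verbatim installs those ACIs against another site's DNs, so the suffix and server-group DNs should be obvious placeholders and the comment above them should state that they must be adapted before loading, e.g. `# replace dc=samba,dc=org and the SIE group DN below with your own suffix and server group`. The comment `Sun One DS do not load the schema without this lines` should read `Sun One DS does not load the schema without these lines`.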
From: Gerald Carter Date: Tue, 23 Sep 2003 20:39:22 +0000 Subject: update smbldap-tool sscripts from Jérôme Tournier (This used to be commit c1546a5311a4e9ad2d6566e71e11c6d5f8f120a9) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- examples/LDAP/smbldap-tools/AUTHORS | 0 examples/LDAP/smbldap-tools/NEWS | 0 examples/LDAP/smbldap-tools/smbldap-groupadd.pl | 5 +- examples/LDAP/smbldap-tools/smbldap-groupdel.pl | 9 +- examples/LDAP/smbldap-tools/smbldap-groupmod.pl | 112 ++--- examples/LDAP/smbldap-tools/smbldap-groupshow.pl | 6 +- .../LDAP/smbldap-tools/smbldap-migrate-accounts.pl | 60 ++- .../LDAP/smbldap-tools/smbldap-migrate-groups.pl | 6 +- examples/LDAP/smbldap-tools/smbldap-passwd.pl | 58 ++- examples/LDAP/smbldap-tools/smbldap-populate.pl | 45 +- examples/LDAP/smbldap-tools/smbldap-useradd.pl | 176 ++++--- examples/LDAP/smbldap-tools/smbldap-userdel.pl | 3 + examples/LDAP/smbldap-tools/smbldap-usermod.pl | 203 ++++---- examples/LDAP/smbldap-tools/smbldap-usershow.pl | 5 +- examples/LDAP/smbldap-tools/smbldap_conf.pm | 118 ++--- examples/LDAP/smbldap-tools/smbldap_tools.pm | 551 ++++++++++----------- 16 files changed, 694 insertions(+), 663 deletions(-) delete mode 100644 examples/LDAP/smbldap-tools/AUTHORS delete mode 100644 examples/LDAP/smbldap-tools/NEWS (limited to 'examples/LDAP') diff --git a/examples/LDAP/smbldap-tools/AUTHORS b/examples/LDAP/smbldap-tools/AUTHORS deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/examples/LDAP/smbldap-tools/NEWS b/examples/LDAP/smbldap-tools/NEWS deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/examples/LDAP/smbldap-tools/smbldap-groupadd.pl b/examples/LDAP/smbldap-tools/smbldap-groupadd.pl index ee804b34d3..91cd2dad53 100755 --- a/examples/LDAP/smbldap-tools/smbldap-groupadd.pl +++ b/examples/LDAP/smbldap-tools/smbldap-groupadd.pl 
@@ -1,4 +1,4 @@ -#!/usr/bin/perl +#!/usr/bin/perl -w # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). @@ -23,6 +23,9 @@ # Purpose of smbldap-groupadd : group (posix) add use strict; +use FindBin; +use FindBin qw($RealBin); +use lib "$RealBin/"; use smbldap_tools; use Getopt::Std; diff --git a/examples/LDAP/smbldap-tools/smbldap-groupdel.pl b/examples/LDAP/smbldap-tools/smbldap-groupdel.pl index 3d072585b2..89d0d993ac 100755 --- a/examples/LDAP/smbldap-tools/smbldap-groupdel.pl +++ b/examples/LDAP/smbldap-tools/smbldap-groupdel.pl @@ -1,4 +1,4 @@ -#!/usr/bin/perl +#!/usr/bin/perl -w # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). @@ -23,6 +23,9 @@ # Purpose of smbldap-groupdel : group (posix) deletion use strict; +use FindBin; +use FindBin qw($RealBin); +use lib "$RealBin/"; use smbldap_tools; use smbldap_conf; @@ -48,9 +51,7 @@ if (!defined($dn_line = get_group_dn($_groupName))) { my $dn = get_dn_from_line($dn_line); -my $rc = system "$ldapdelete $dn >/dev/null"; -die "$0: error while deleting group $_groupName\n" - unless ($rc == 0); +group_del($dn); my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1"; diff --git a/examples/LDAP/smbldap-tools/smbldap-groupmod.pl b/examples/LDAP/smbldap-tools/smbldap-groupmod.pl index 4a891a2772..f897101602 100755 --- a/examples/LDAP/smbldap-tools/smbldap-groupmod.pl +++ b/examples/LDAP/smbldap-tools/smbldap-groupmod.pl @@ -1,4 +1,4 @@ -#!/usr/bin/perl +#!/usr/bin/perl -w # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # @@ -23,6 +23,9 @@ use strict; +use FindBin; +use FindBin qw($RealBin); +use lib "$RealBin/"; use smbldap_tools; use smbldap_conf; 
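Review bot: In smbldap-groupdel.pl the new line `group_del($dn);` replaces a `system` call whose status was checked with `die "$0: error while deleting group $_groupName\n" unless ($rc == 0);`, and the return value of group_del is ignored, so a failed deletion falls through to the nscd restart and a zero exit. group_del lives in smbldap_tools.pm, which is in the diffstat but not visible here; if it reports failure through its return value the line should be `group_del($dn) or die "$0: error while deleting group $_groupName\n";`, otherwise it should die itself. Replacing the `"$ldapdelete $dn >/dev/null"` shell command with a library call is the right direction, since $dn was interpolated unquoted into a command line. The `use lib "$RealBin/"` added to each script in this commit makes module loading follow the script's own directory, which deserves a line in INSTALL saying that directory must not be writable by other users.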
@@ -70,45 +73,30 @@ if (defined($tmp = $Options{'g'}) and $tmp =~ /\d+/) { } } if (!($gid == $tmp)) { - my $tmpldif = -"dn: cn=$groupName,$groupsdn -changetype: modify -replace: gidNumber -gidNumber: $tmp - -"; - die "$0: error while modifying group $groupName\n" - unless (do_ldapmodify($tmpldif) == 0); - undef $tmpldif; - + my $ldap_master=connect_ldap_master(); + my $modify = $ldap_master->modify ( "cn=$groupName,$groupsdn", + changes => [ + replace => [gidNumber => $tmp] + ] + ); + $modify->code && die "failed to modify entry: ", $modify->error ; + # take down session + $ldap_master->unbind } } -if (defined($newname)) { - my $FILE="|$ldapmodrdn >/dev/null"; - open (FILE, $FILE) || die "$!\n"; - print FILE <moddn ( + "cn=$groupName,$groupsdn", + newrdn => "cn=$newname", + deleteoldrdn => "1", + newsuperior => "$groupsdn" + ); + $modify->code && die "failed to modify entry: ", $modify->error ; + # take down session + $ldap_master->unbind } # Add members @@ -117,16 +105,24 @@ if (defined($Options{'m'})) { my @members = split( /,/, $members ); my $member; foreach $member ( @members ) { - my $tmpldif = -"dn: cn=$groupName,$groupsdn -changetype: modify -add: memberUid -memberUid: $member - -"; - die "$0: error while modifying group $groupName\n" - unless (do_ldapmodify($tmpldif) == 0); - undef $tmpldif; + if (is_unix_user($member)) { + if (is_group_member("cn=$groupName,$groupsdn",$member)) { + print "User $member already in the group\n"; + } else { + print "adding user $member to group $groupName\n"; + my $ldap_master=connect_ldap_master(); + my $modify = $ldap_master->modify ( "cn=$groupName,$groupsdn", + changes => [ + add => [memberUid => $member] + ] + ); + $modify->code && warn "failed to add entry: ", $modify->error ; + # take down session + $ldap_master->unbind + } + } else { + print "User $member does not exist: create it first !\n"; + } } } 
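Review bot: In the member-add loop of smbldap-groupmod.pl, `my $ldap_master=connect_ldap_master();` and `$ldap_master->unbind` sit inside `foreach $member ( @members )`, so every member costs a fresh bind and unbind; the member-delete hunk that follows (`@@ -136,16 +132,20 @@`) has the same shape. Open the session once before the loop and unbind after it, as the gid and rename hunks above already do with a single session. A failed modify is now only warned, `$modify->code && warn "failed to add entry: ", $modify->error ;`, where the removed code died; if callers depend on the exit status, count failures and exit non-zero at the end.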
@@ -136,16 +132,20 @@ if (defined($Options{'x'})) { my @members = split( /,/, $members ); my $member; foreach $member ( @members ) { - my $tmpldif = -"dn: cn=$groupName,$groupsdn -changetype: modify -delete: memberUid -memberUid: $member - -"; - die "$0: error while modifying group $groupName\n" - unless (do_ldapmodify($tmpldif) == 0); - undef $tmpldif; + if (is_group_member("cn=$groupName,$groupsdn",$member)) { + print "deleting user $member from group $groupName\n"; + my $ldap_master=connect_ldap_master(); + my $modify = $ldap_master->modify ( "cn=$groupName,$groupsdn", + changes => [ + delete => [memberUid => $member] + ] + ); + $modify->code && warn "failed to delete entry: ", $modify->error ; + # take down session + $ldap_master->unbind + } else { + print "User $member is not in the group $groupName!\n"; + } } } diff --git a/examples/LDAP/smbldap-tools/smbldap-groupshow.pl b/examples/LDAP/smbldap-tools/smbldap-groupshow.pl index bc5b4d98fb..18fe082e66 100755 --- a/examples/LDAP/smbldap-tools/smbldap-groupshow.pl +++ b/examples/LDAP/smbldap-tools/smbldap-groupshow.pl @@ -1,4 +1,4 @@ -#!/usr/bin/perl +#!/usr/bin/perl -w # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). @@ -26,8 +26,10 @@ # . originally by David Le Corfec use strict; +use FindBin; +use FindBin qw($RealBin); +use lib "$RealBin/"; use smbldap_tools; - use Getopt::Std; my %Options; diff --git a/examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl b/examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl index 0d0efa384c..86f52cb53e 100755 --- a/examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl +++ b/examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl @@ -1,4 +1,4 @@ -#!/usr/bin/perl +#!/usr/bin/perl -w # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). 
@@ -25,10 +25,13 @@ use strict; use Getopt::Std; +use FindBin; +use FindBin qw($RealBin); +use lib "$RealBin/"; use smbldap_tools; use smbldap_conf; -# smbldap-migrate.pl (-? for help) +# smbldap-migrate.pl (-? or -h for help) # # Read pwdump entries on stdin, and add them to the ldap server. # Output uncreated/unmodified entries (see parameters -C -U) @@ -38,20 +41,19 @@ use smbldap_conf; sub modify_account { my ($login, $basedn, $lmpwd, $ntpwd, $gecos, $homedir) = @_; - - my $tmpldif = -"dn: uid=$login,$basedn -changetype: modify -lmpassword: $lmpwd -ntpassword: $ntpwd -gecos: $gecos -sambaHomePath: $homedir - -"; - - die "$0: error while modifying user $login\n" - unless (do_ldapmodify($tmpldif) == 0); - undef $tmpldif; + # bind to a directory with dn and password + my $ldap_master=connect_ldap_master(); + my $modify = $ldap_master->modify ("uid=$login,$basedn", + changes => [ + replace => [lmpassword => "$lmpwd"], + replace => [ntpassword => "$ntpwd"], + replace => [gecos => "$gecos"], + replace => [sambaHomePath => "$homedir"] + ] + ); + $modify->code && die "failed to modify entry: ", $modify->error ; + # take down the session + $ldap_master->unbind; } ##################### @@ -59,9 +61,9 @@ sambaHomePath: $homedir my %Options; -my $ok = getopts('awA:CUW:?', \%Options); +my $ok = getopts('awA:CUW:?h', \%Options); -if ( (!$ok) || ($Options{'?'}) ) { +if ( (!$ok) || ($Options{'?'}) || ($Options{'h'}) ) { print "Usage: $0 [-awAWCU?]\n"; print " -a process only people, ignore computers\n"; print " -w process only computers, ignore persons\n"; @@ -69,7 +71,7 @@ if ( (!$ok) || ($Options{'?'}) ) { print " -W option string passed verbatim to smbldap-useradd for computers\n"; print " -C if entry not found, don't create it and log it to stdout (default: create it)\n"; print " -U if entry found, don't update it and log it to stdout (default: update it)\n"; - print " -? show this help message\n"; + print " -?|-h show this help message\n"; exit (1); } 
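Review bot: modify_account in smbldap-migrate-accounts.pl replaces `lmpassword` and `ntpassword`, which are the Samba 2.2 attribute names; the 3.0 schema files in this series define `sambaLMPassword`/`sambaNTPassword` (see samba.schema.at.IBM-DS above) and smbldap-passwd.pl in this same commit writes those, so against a 3.0 directory this modify should fail with an undefined-attribute error and die for every migrated account. Unless the target directory still carries the 2.2 schema, the two lines should be `replace => [sambaLMPassword => "$lmpwd"],` and `replace => [sambaNTPassword => "$ntpwd"],`, and a `sambaPwdLastSet` replace should accompany them as smbldap-passwd.pl does.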
@@ -81,8 +83,7 @@ my %errors = ( 'user' => 0, 'machine' => 0); my %existing = ( 'user' => 0, 'machine' => 0); my $specialskipped = 0; -while (<>) -{ +while (<>) { my ($login, $rid, $lmpwd, $ntpwd, $gecos, $homedir, $b) = split(/:/, $_); my $usertype; my $userbasedn; @@ -99,8 +100,7 @@ while (<>) $usertype = "-w $Options{'W'}"; $userbasedn = $computersdn; - } - else { # people + } else { # people $processed{'user'}++; if (defined($Options{'w'})) { print STDERR "ignoring $login\n"; @@ -124,7 +124,7 @@ while (<>) # normalize gecos if (!($gecos eq "")) { - $gecos =~ tr//AAAAaaaaCcEEEEEeeeeeIIIIiiiiNnOOOOooooUUUUuuuuYyy/; + $gecos =~ tr/ÁÀÂÄáàâäÇçÉÈÊËÆéèêëæÍÌÏÎíìîÏÑñÓÒÔÖóòôöÚÙÜÛúùüûÝýÿ/AAAAaaaaCcEEEEEeeeeeIIIIiiiiNnOOOOooooUUUUuuuuYyy/; } else { $gecos = $_userGecos; } @@ -142,25 +142,21 @@ while (<>) next; } # lem modif... a retirer si pb - if ($entry_type eq "user") - { + if ($entry_type eq "user") { modify_account($login, $userbasedn, $lmpwd, $ntpwd, $gecos, $homedir); } $created{$entry_type}++; - } - else { # uid doesn't exist and no create => log + } else { # uid doesn't exist and no create => log print "$_"; $logged{$entry_type}++; } - } - else { # account exists + } else { # account exists $existing{$entry_type}++; if (!defined($Options{'U'})) { # exists and modify modify_account($login, $userbasedn, $lmpwd, $ntpwd, $gecos, $homedir); $updated{$entry_type}++; - } - else { # exists and log + } else { # exists and log print "$_"; $logged{$entry_type}++; } diff --git a/examples/LDAP/smbldap-tools/smbldap-migrate-groups.pl b/examples/LDAP/smbldap-tools/smbldap-migrate-groups.pl index 0d3dd07d50..c60be18caf 100644 --- a/examples/LDAP/smbldap-tools/smbldap-migrate-groups.pl +++ b/examples/LDAP/smbldap-tools/smbldap-migrate-groups.pl @@ -26,6 +26,9 @@ use strict; +use FindBin; +use FindBin qw($RealBin); +use lib "$RealBin/"; use smbldap_tools; use smbldap_conf; use Getopt::Std; 
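Review bot: The rewritten `tr` in smbldap-migrate-accounts.pl lists `Ï` twice (in `ÍÌÏÎ` and again in `íìîÏ`) and never lists `ï`, so the lowercase form is not folded and the duplicate entry is dead; the second occurrence should be `ï`. The commit is declared `charset=UTF-8`; if the script is stored that way, the file has no `use utf8`, and `tr///` then operates on bytes, so each accented letter is two bytes and the two lists no longer line up character for character — confirm the file's encoding and either add `use utf8` (with matching I/O layers) or keep the table in Latin-1. The enclosing `while (<>)` loop starts outside this hunk.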
@@ -175,8 +178,7 @@ my $group_desc; my $has_members = 0; my @members = (); -while (<>) -{ +while (<>) { my $line = $_; chomp($line); next if ( $line =~ m/^\s*$/ ); diff --git a/examples/LDAP/smbldap-tools/smbldap-passwd.pl b/examples/LDAP/smbldap-tools/smbldap-passwd.pl index 29aee97c50..7845e5548e 100755 --- a/examples/LDAP/smbldap-tools/smbldap-passwd.pl +++ b/examples/LDAP/smbldap-tools/smbldap-passwd.pl @@ -1,4 +1,4 @@ -#!/usr/bin/perl +#!/usr/bin/perl -w # LDAP to unix password sync script for samba # @@ -27,6 +27,9 @@ # . may also replace /bin/passwd use strict; +use FindBin; +use FindBin qw($RealBin); +use lib "$RealBin/"; use smbldap_tools; use smbldap_conf; @@ -105,6 +108,9 @@ if ($pass ne $pass2) { exit (10); } +# First, connecting to the directory +my $ldap_master=connect_ldap_master(); + # only modify smb passwords if smb user if ($samba == 1) { if (!$with_smbpasswd) { @@ -116,25 +122,19 @@ if ($samba == 1) { my $ntpwd = `$mk_ntpasswd '$pass'`; chomp(my $sambaLMPassword = substr($ntpwd, 0, index($ntpwd, ':'))); chomp(my $sambaNTPassword = substr($ntpwd, index($ntpwd, ':')+1)); - -# change nt/lm passwords - my $tmpldif = -"$dn_line -changetype: modify -replace: sambaLMPassword -sambaLMPassword: $sambaLMPassword -- -changetype: modify -replace: sambaNTPassword -sambaNTPassword: $sambaNTPassword -- - -"; - die "$0: error while modifying password for $user\n" - unless (do_ldapmodify($tmpldif) == 0); - undef $tmpldif; - } - else { + # the sambaPwdLastSet must be updating + my $date=time; + # Let's change nt/lm passwords + my $modify = $ldap_master->modify ( "$dn", + changes => [ + replace => [sambaLMPassword => "$sambaLMPassword"], + replace => [sambaNTPassword => "$sambaNTPassword"], + replace => [sambaPwdLastSet => "$date"] + ] + ); + $modify->code && warn "failed to modify entry: ", $modify->error ; + + } else { if ($< != 0) { my $FILE="|$smbpasswd -s >/dev/null"; open (FILE, $FILE) || die "$!\n"; 
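Review bot: In smbldap-passwd.pl the samba hash update ends with `$modify->code && warn "failed to modify entry: ", $modify->error ;` where the removed code died; the script then goes on to replace userPassword and exit 0 (next hunk), so a failed sambaLMPassword/sambaNTPassword write leaves the Unix and Samba passwords out of step while reporting success. Use `die` here, or record the failure and exit non-zero after the Unix update. The unchanged context line `my $ntpwd = `$mk_ntpasswd '$pass'`;` just above passes the cleartext password through the shell inside single quotes; it has the same weakness as the new slappasswd line in the next hunk and should be fixed together with it.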
@@ -157,13 +157,19 @@ EOF } } } + # change unix password -$ret = system "$ldappasswd $dn -s '$pass' > /dev/null"; -if ($ret == 0) { - print "all authentication tokens updated successfully\n"; -} else { - return $ret; -} +my $hash_password = `slappasswd -h {$hash_encrypt} -s '$pass'`; +chomp($hash_password); +my $modify = $ldap_master->modify ( "$dn", + changes => [ + replace => [userPassword => "$hash_password"] + ] + ); +$modify->code && warn "Unable to change password : ", $modify->error ; + +# take down session +$ldap_master->unbind; exit 0; diff --git a/examples/LDAP/smbldap-tools/smbldap-populate.pl b/examples/LDAP/smbldap-tools/smbldap-populate.pl index 1676017c67..ce497672a9 100755 --- a/examples/LDAP/smbldap-tools/smbldap-populate.pl +++ b/examples/LDAP/smbldap-tools/smbldap-populate.pl @@ -1,4 +1,4 @@ -#!/usr/bin/perl +#!/usr/bin/perl -w # Populate a LDAP base for Samba-LDAP usage # @@ -27,10 +27,13 @@ # . For lazy people, replace ldapadd (with only an ldif parameter) use strict; +use FindBin; +use FindBin qw($RealBin); +use lib "$RealBin/"; use smbldap_tools; use smbldap_conf; - use Getopt::Std; +use Net::LDAP::LDIF; use vars qw(%oc); @@ -56,6 +59,7 @@ if ( (!$ok) || ($Options{'?'}) ) { } my $_ldifName; +my $tmp_ldif_file="/tmp/$$.ldif"; if (@ARGV >= 1) { $_ldifName = $ARGV[0]; @@ -76,6 +80,7 @@ if (!defined($_ldifName)) { my $val; my $objcl; + print "Using builtin directory structure\n"; if ($suffix =~ m/([^=]+)=([^,]+)/) { $attr = $1; $val = $2; 
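Review bot: `my $hash_password = `slappasswd -h {$hash_encrypt} -s '$pass'`;` interpolates the new password into a shell command: a password containing a single quote ends the quoting and the remainder is executed by the shell with the script's privileges, and `-s` puts the cleartext on slappasswd's command line where other local users can read it from the process list. Hash without a shell and without an argv secret: write the password to a private File::Temp file (0600, exclusive create) and run slappasswd through list-form `open '-|'` with `-T file` where the installed slappasswd supports it, or compute the hash in Perl for the scheme in use. The Unix update also only warns, `$modify->code && warn "Unable to change password : ", $modify->error ;`, before `exit 0`, so a failed write reports success; the rewrite below dies on either failure and needs File::Temp (core) brought into scope. The removed `$ldappasswd $dn -s '$pass'` line had the same exposure, so this is the moment to close it rather than carry it over.
```perl
# … unchanged: samba password branch above …

# change unix password
# Hash it without a shell and without the secret on a command line:
# slappasswd reads the secret from a file given with -T, so hand it a
# private temp file instead of interpolating $pass into a command string.
my ($pw_fh, $pw_file) = File::Temp::tempfile(UNLINK => 1);   # 0600, created exclusively
print $pw_fh $pass;
close $pw_fh or die "$0: cannot write temporary password file: $!\n";
open my $slap, '-|', 'slappasswd', '-h', "{$hash_encrypt}", '-T', $pw_file
    or die "$0: cannot run slappasswd: $!\n";
my $hash_password = <$slap>;
close $slap or die "$0: slappasswd failed\n";
die "$0: slappasswd returned no hash\n" unless defined $hash_password;
chomp($hash_password);
unlink $pw_file;
my $modify = $ldap_master->modify ( "$dn",
        changes => [
            replace => [userPassword => "$hash_password"]
        ]
    );
$modify->code && die "Unable to change password : ", $modify->error ;

# … unchanged: unbind and exit …
```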
@@ -90,8 +95,8 @@ if (!defined($_ldifName)) { my ($organisation,$ext) = ($suffix =~ m/dc=(\w+),dc=(\w+)$/); #my $FILE="|cat"; - my $FILE="|$ldapadd -c"; - open (FILE, $FILE) || die "$!\n"; + my $FILE=$tmp_ldif_file; + open (FILE, ">$FILE") || die "Can't open file $FILE: $!\n"; print FILE <new($tmp_ldif_file, "r", onerror => 'undef' ); +while( not $ldif->eof() ) { + my $entry = $ldif->read_entry(); + if ( $ldif->error() ) { + print "Error msg: ",$ldif->error(),"\n"; + print "Error lines:\n",$ldif->error_lines(),"\n"; + } else { + my $dn = $entry->dn; + print "adding new entry: $dn\n"; + my $result=$ldap_master->add($entry); + $result->code && warn "failed to add entry: ", $result->error ; + } +} +$ldap_master->unbind; +system "rm -f $tmp_ldif_file"; exit(0); @@ -280,9 +299,7 @@ exit(0); If you give an extra parameter, it is assumed to be the ldif file to use instead of the builtin one. Options -a and -b - will be ignored. This usage mode makes the command behave - like ldapadd(1) with extra parameters taken from the smbldap-tools - config (smbldap_conf.pm). + will be ignored. =head1 FILES diff --git a/examples/LDAP/smbldap-tools/smbldap-useradd.pl b/examples/LDAP/smbldap-tools/smbldap-useradd.pl index 99c9525e82..a84d9f68b2 100755 --- a/examples/LDAP/smbldap-tools/smbldap-useradd.pl +++ b/examples/LDAP/smbldap-tools/smbldap-useradd.pl @@ -1,4 +1,4 @@ -#!/usr/bin/perl +#!/usr/bin/perl -w # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). @@ -23,6 +23,10 @@ # Purpose of smbldap-useradd : user (posix,shadow,samba) add use strict; + +use FindBin; +use FindBin qw($RealBin); +use lib "$RealBin/"; use smbldap_tools; use smbldap_conf; 
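Review bot: The generated LDIF is written via `my $FILE=$tmp_ldif_file;` and `open (FILE, ">$FILE")`, where `$tmp_ldif_file` is the `/tmp/$$.ldif` declared in the `@@ -56,6 +59,7 @@` hunk above: a guessable name in a world-writable directory, opened without exclusive create, so a pre-existing file or symlink at that path is followed and overwritten with the directory's initial entries. Create it with `my ($ldif_fh, $tmp_ldif_file) = File::Temp::tempfile('smbldap-populate-XXXXXX', DIR => '/tmp', UNLINK => 1);` (0600, O_EXCL) and replace `system "rm -f $tmp_ldif_file";` at the end with `unlink $tmp_ldif_file;`, which also keeps the shell out of the cleanup. Since the file is read straight back with Net::LDAP::LDIF in this same hunk, building the entries in memory as Net::LDAP::Entry objects and adding them directly would remove the temp file altogether; either way the 2-arg bareword `open (FILE, ">$FILE")` should become a 3-arg open on a lexical handle.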
@@ -31,7 +35,7 @@ use smbldap_conf; use Getopt::Std; my %Options; -my $ok = getopts('axnmwPG:u:g:d:s:c:k:A:B:C:D:E:F:H:?', \%Options); +my $ok = getopts('axnmwPG:u:g:d:s:c:k:A:B:C:D:E:F:H:N:S:?', \%Options); if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) { print "Usage: $0 [-awmugdsckGPABCDEFH?] username\n"; @@ -55,6 +59,8 @@ if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) { print " -E sambaLogonScript (DOS script to execute on login)\n"; print " -F sambaProfilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo')\n"; print " -H sambaAcctFlags (samba account control bits like '[NDHTUMWSLKI]')\n"; + print " -N canonical name\n"; + print " -S surname\n"; print " -? show this help message\n"; exit (1); } @@ -75,7 +81,9 @@ if (!defined($userUidNumber)) { $UID_START++; } $userUidNumber = $UID_START; -} elsif (getpwuid($userUidNumber)) { die "Uid already exists.\n"; } +} elsif (getpwuid($userUidNumber)) { + die "Uid already exists.\n"; +} if ($nscd_status == 0) { system "/etc/init.d/nscd start > /dev/null 2>&1"; @@ -126,6 +134,14 @@ if (defined($Options{'x'})) { # Read only first @ARGV my $userName = $ARGV[0]; +# untaint $userName (can finish with one or two $) +if ($userName =~ /^([\w -]+\$?)$/) { + $userName = $1; +} else { + print "$0: illegal username\n"; + exit (1); +} + # user must not exist in LDAP (should it be nss-wide ?) my ($rc, $dn) = get_user_dn2($userName); if ($rc and defined($dn)) { 
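Review bot: The untaint check `if ($userName =~ /^([\w -]+\$?)$/) {` does not match its own comment `untaint $userName (can finish with one or two $)`, since `\$?` admits at most one; `$` also lets a trailing newline through (use `\z`), and the `[\w -]` class accepts embedded spaces and a leading `-`, which matters because the script later hands the name to the shell in `exec "/usr/local/sbin/smbldap-passwd.pl $userName"` (context in the `@@ -326,24 +337,24 @@` hunk), where a space splits it into two arguments. Suggest `if ($userName =~ /\A(\w[\w-]*\${0,2})\z/) {`, and `exec '/usr/local/sbin/smbldap-passwd.pl', $userName` for the later call if spaces are intentionally allowed.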
@@ -137,17 +153,24 @@ if ($rc and defined($dn)) { } my $userHomeDirectory; +my ($userCN, $userSN); my $tmp; -if (!defined($userHomeDirectory = $Options{'d'})) -{ +if (!defined($userHomeDirectory = $Options{'d'})) { $userHomeDirectory = $_userHomePrefix."/".$userName; } $_userLoginShell = $tmp if (defined($tmp = $Options{'s'})); $_userGecos = $tmp if (defined($tmp = $Options{'c'})); $_skeletonDir = $tmp if (defined($tmp = $Options{'k'})); +$userCN = ($Options{'c'} || $userName); +$userCN = $tmp if (defined($tmp = $Options{'N'})); +$userSN = $userName; +$userSN = $tmp if (defined($tmp = $Options{'S'})); + ######################## +my $ldap_master=connect_ldap_master(); + # MACHINE ACCOUNT if (defined($tmp = $Options{'w'})) { 
@@ -163,55 +186,47 @@ if (defined($tmp = $Options{'w'})) { } if (!$with_smbpasswd) { - if (!add_samba_machine_mkntpwd($userName, $userUidNumber)) { - die "$0: error while adding samba account\n"; - } + # (jtournier) + # Objectclass sambaSAMAccount is now added directly by samba when joigning the domain (for samba3) + #if (!add_samba_machine_mkntpwd($userName, $userUidNumber)) { + # die "$0: error while adding samba account\n"; + #} } else { if (!add_samba_machine($userName)) { die "$0: error while adding samba account\n"; } - - my $tmpldif = -"dn: uid=$userName,$computersdn -changetype: modify -sambaAcctFlags: [W ] - -"; - die "$0: error while modifying accountflags of $userName\n" - unless (do_ldapmodify($tmpldif) == 0); - undef $tmpldif; + my $modify = $ldap_master->modify ( "$dn", + changes => [ + replace => [sambaAcctFlags => '[W ]'] + ] + ); + $modify->code && warn "failed to modify entry: ", $modify->error ; } exit 0; } -####################### - # USER ACCOUNT - # add posix account first -my $tmpldif = -"dn: uid=$userName,$usersdn -objectclass: inetOrgPerson -objectclass: posixAccount -cn: $userName -sn: $userName -uid: $userName -uidNumber: $userUidNumber -gidNumber: $userGidNumber -homeDirectory: $userHomeDirectory -loginShell: $_userLoginShell -gecos: $_userGecos -description: $_userGecos -userPassword: {crypt}x - -"; +my $add = $ldap_master->add ("uid=$userName,$usersdn", + attr => [ + 'objectclass' => ['top','inetOrgPerson', 'posixAccount'], + 'cn' => "$userCN", + 'sn' => "$userSN", + 'uid' => "$userName", + 'uidNumber' => "$userUidNumber", + 'gidNumber' => "$userGidNumber", + 'homeDirectory' => "$userHomeDirectory", + 'loginShell' => "$_userLoginShell", + 'gecos' => "$_userGecos", + 'description' => "$_userGecos", + 'userPassword' => "{crypt}x" + ] + ); + +$add->code && warn "failed to add entry: ", $add->error ; -die "$0: error while adding posix user $userName\n" - unless (do_ldapadd($tmpldif) == 0); - -undef $tmpldif; #if ($createGroup) { # 
group_add($userName, $userGidNumber); @@ -267,28 +282,24 @@ if (defined($Options{'a'})) { $valacctflags = "$tmp"; } - my $tmpldif = -"dn: uid=$userName,$usersdn -changetype: modify -objectClass: inetOrgPerson -objectclass: posixAccount -objectClass: sambaSAMAccount -sambaPwdLastSet: 0 -sambaLogonTime: 0 -sambaLogoffTime: 2147483647 -sambaKickoffTime: 2147483647 -sambaPwdCanChange: $valpwdcanchange -sambaPwdMustChange: $valpwdmustchange -displayName: $_userGecos -sambaAcctFlags: $valacctflags -sambaSID: $smbldap_conf::SID-$userRid - -"; + + my $modify = $ldap_master->modify ( "uid=$userName,$usersdn", + changes => [ + add => [objectClass => 'sambaSAMAccount'], + add => [sambaPwdLastSet => '0'], + add => [sambaLogonTime => '0'], + add => [sambaLogoffTime => '2147483647'], + add => [sambaKickoffTime => '2147483647'], + add => [sambaPwdCanChange => "$valpwdcanchange"], + add => [sambaPwdMustChange => "$valpwdmustchange"], + add => [displayName => "$_userGecos"], + add => [sambaAcctFlags => "$valacctflags"], + add => [sambaSID => "$SID-$userRid"] + ] + ); - die "$0: error while adding samba account to posix user $userName\n" - unless (do_ldapmodify($tmpldif) == 0); + $modify->code && die "failed to add entry: ", $modify->error ; - undef $tmpldif; } else { my $FILE="|smbpasswd -s -a $userName >/dev/null" ; open (FILE, $FILE) || die "$!\n"; 
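Review bot: In the machine-account branch `my $modify = $ldap_master->modify ( "$dn",` takes `$dn` from the earlier `my ($rc, $dn) = get_user_dn2($userName);`, a lookup that must have found nothing for the script to reach this point, so `$dn` is presumably undefined here and the sambaAcctFlags replace targets an empty DN; the removed LDIF named `uid=$userName,$computersdn` explicitly and the call should too, unless add_samba_machine (outside this hunk) sets `$dn`. Further down, `$add->code && warn "failed to add entry: ", $add->error ;` turns the posix-account add failure from the old die into a warning, after which group_add and the sambaSAMAccount modify in the following hunk run against an entry that was never created; that should remain `die`. The enclosing block starts before this hunk.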
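Review bot: `add => [sambaSID => "$SID-$userRid"]` replaces the fully qualified `$smbldap_conf::SID` with a bare `$SID`; under `use strict` that compiles only if smbldap_conf exports `$SID`, which cannot be confirmed from the visible hunks (smbldap_conf.pm is in the diffstat but not shown), so please confirm the export or keep the qualified name. The error text `failed to add entry:` on this modify call is also misleading next to the real add above it; `failed to add samba attributes to $userName:` names what actually failed.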
@@ -326,24 +337,24 @@ if (defined($tmp = $Options{'F'})) { $valprofilepath = "$tmp"; } - my $tmpldif = -"dn: uid=$userName,$usersdn -changetype: modify -sambaSID: $smbldap_conf::SID-$userRid -sambaPrimaryGroupSID: $smbldap_conf::SID-$userGroupRid -sambaHomeDrive: $valhomedrive -sambaHomePath: $valsmbhome -sambaProfilePath: $valprofilepath -sambaLogonScript: $valscriptpath -sambaLMPassword: XXX -sambaNTPassword: XXX - -"; - - die "$0: error while modifying samba account of user $userName\n" - unless (do_ldapmodify($tmpldif) == 0); - undef $tmpldif; + + my $modify = $ldap_master->modify ( "uid=$userName,$usersdn", + changes => [ + add => [sambaPrimaryGroupSID => "$SID-$userGroupRid"], + add => [sambaHomeDrive => "$valhomedrive"], + add => [sambaHomePath => "$valsmbhome"], + add => [sambaProfilePath => "$valprofilepath"], + add => [sambaLogonScript => "$valscriptpath"], + add => [sambaLMPassword => 'XXX'], + add => [sambaNTPassword => 'XXX'] + ] + ); + + $modify->code && die "failed to add entry: ", $modify->error ; + } +$ldap_master->unbind; # take down session + if (defined($Options{'P'})) { exec "/usr/local/sbin/smbldap-passwd.pl $userName" @@ -418,8 +429,8 @@ exit 0; -m The user's home directory will be created if it does not exist. The files contained in skeleton_dir will be copied to the home - directory if the -k option is used, otherwise the files con - tained in /etc/skel will be used instead. Any directories con + directory if the -k option is used, otherwise the files con­ + tained in /etc/skel will be used instead. Any directories con­ tained in skeleton_dir or /etc/skel will be created in the user's home directory as well. The -k option is only valid in conjunction with the -m option. The default is to not create 
@@ -451,6 +462,11 @@ exit 0; -H sambaAcctFlags, spaces and trailing bracket are ignored (samba account control bits like '[NDHTUMWSLKI]') + -N canonical name (defaults to gecos or username, if gecos not set) + + -S surname (defaults to username) + + =head1 SEE ALSO useradd(1) diff --git a/examples/LDAP/smbldap-tools/smbldap-userdel.pl b/examples/LDAP/smbldap-tools/smbldap-userdel.pl index 435be4fdd0..1a1a3214b5 100755 --- a/examples/LDAP/smbldap-tools/smbldap-userdel.pl +++ b/examples/LDAP/smbldap-tools/smbldap-userdel.pl @@ -23,6 +23,9 @@ # Purpose of smbldap-userdel : user (posix,shadow,samba) deletion use strict; +use FindBin; +use FindBin qw($RealBin); +use lib "$RealBin/"; use smbldap_tools; diff --git a/examples/LDAP/smbldap-tools/smbldap-usermod.pl b/examples/LDAP/smbldap-tools/smbldap-usermod.pl index dffb95bace..f25c730fc8 100755 --- a/examples/LDAP/smbldap-tools/smbldap-usermod.pl +++ b/examples/LDAP/smbldap-tools/smbldap-usermod.pl @@ -23,6 +23,9 @@ # Purpose of smbldap-usermod : user (posix,shadow,samba) modification use strict; +use FindBin; +use FindBin qw($RealBin); +use lib "$RealBin/"; use smbldap_tools; use smbldap_conf; @@ -33,13 +36,13 @@ use Getopt::Std; my %Options; my $nscd_status; -my $ok = getopts('A:B:C:D:E:F:H:IJxme:f:u:g:G:d:l:s:c:ok:?', \%Options); -if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) { - print "Usage: $0 [-awmugdsckxABCDEFGHI?] username\n"; +my $ok = getopts('A:B:C:D:E:F:H:IJN:S:xme:f:u:g:G:d:l:s:c:ok:?h', \%Options); +if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) || ($Options{'h'}) ) { + print "Usage: $0 [-awmugdsckxABCDEFGHI?h] username\n"; + print "Available options are:\n"; print " -c gecos\n"; print " -d home directory\n"; #print " -m move home directory\n"; - #print " -e expire date (YYYY-MM-DD)\n"; #print " -f inactive days\n"; print " -u uid\n"; print " -o uid can be non unique\n"; 
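Review bot: `use FindBin;` immediately followed by `use FindBin qw($RealBin);` loads the module twice; the second line alone is enough, the first only pulls in the default exports that the second then repeats. The same pair is added to smbldap-usermod in the next hunk and to smbldap-usershow further down, so the cleanup applies to all three. `use lib "$RealBin/"` makes the scripts load `smbldap_conf.pm`, which holds `$bindpasswd`, from whatever directory the script resolves to, so the installation directory needs to be root-owned and not writable by other users; a short comment such as `# modules are loaded from the script's own directory: keep it root-owned and non-writable` next to the `use lib` line would tell packagers why that matters.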
@@ -47,6 +50,10 @@ if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) { print " -G supplementary groups (comma separated)\n"; print " -l login name\n"; print " -s shell\n"; + print " -N canonical name\n"; + print " -S surname\n"; + print " For samba users:\n"; + print " -e expire date (\"YYYY-MM-DD HH:MM:SS\")\n"; print " -x creates rid and primaryGroupID in hex instead of decimal (for Samba 2.2.2 unpatched only)\n"; print " -A can change password ? 0 if no, 1 if yes\n"; print " -B must change password ? 0 if no, 1 if yes\n"; @@ -57,7 +64,7 @@ if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) { print " -H sambaAcctFlags (samba account control bits like '[NDHTUMWSLKI]')\n"; print " -I disable an user. Can't be used with -H or -J\n"; print " -J enable an user. Can't be used with -H or -I\n"; - print " -? show this help message\n"; + print " -?|-h show this help message\n"; exit (1); } @@ -69,30 +76,23 @@ if ($< != 0) { # Read only first @ARGV my $user = $ARGV[0]; -# Read user datas -my $lines = read_user($user); -if (!defined($lines)) { +# Read user data +my $user_entry = read_user_entry($user); +if (!defined($user_entry)) { print "$0: user $user doesn't exist\n"; exit (1); } -#print "$lines\n"; -my $dn_line; -if ( $lines =~ /(^dn: .*)/ ) { - $dn_line = $1; -} - -chomp($dn_line); - my $samba = 0; -if ($lines =~ m/objectClass: sambaAccount/) { +if (grep ($_ =~ /^sambaSamAccount$/i, $user_entry->get_value('objectClass'))) { $samba = 1; } -############ +# get the dn of the user +my $dn= $user_entry->dn(); my $tmp; -my $mods; +my @mods; # Process options my $changed_uid; 
@@ -119,15 +119,15 @@ if (defined($tmp = $Options{'u'})) { } } + push(@mods, 'uidNumber', $tmp); $_userUidNumber = $tmp; + if ($samba) { # as rid we use 2 * uid + 1000 my $_userRid = 2 * $_userUidNumber + 1000; if (defined($Options{'x'})) { $_userRid= sprint("%x", $_userRid); } - $mods .= "uidNumber: $_userUidNumber\n"; - if ($samba) { - $mods .= "rid: $_userRid\n"; + push(@mods, 'sambaSID', $SID.'-'.$_userRid); } $changed_uid = 1; } @@ -141,42 +141,42 @@ if (defined($tmp = $Options{'g'})) { print "$0: group $tmp doesn't exist\n"; exit (6); } + push(@mods, 'gidNumber', $_userGidNumber); + if ($samba) { # as grouprid we use 2 * gid + 1001 my $_userGroupRid = 2 * $_userGidNumber + 1001; if (defined($Options{'x'})) { $_userGroupRid = sprint("%x", $_userGroupRid); } - $mods .= "gidNumber: $_userGidNumber\n"; - if ($samba) { - $mods .= "primaryGroupID: $_userGroupRid\n"; + push(@mods, 'sambaPrimaryGroupSid', $SID.'-'.$_userGroupRid); } $changed_gid = 1; } -my $changed_shell; -my $_userLoginShell; if (defined($tmp = $Options{'s'})) { - $_userLoginShell = $tmp; - $mods .= "loginShell: $_userLoginShell\n"; - $changed_shell = 1; + push(@mods, 'loginShell' => $tmp); } -my $changed_gecos; -my $_userGecos; + if (defined($tmp = $Options{'c'})) { - $_userGecos = $tmp; - $mods .= "gecos: $_userGecos\n"; - $changed_gecos = 1; + push(@mods, 'gecos' => $tmp, + 'description' => $tmp); + if ($samba == 1) { + push(@mods, 'displayName' => $tmp); + } } -my $changed_homedir; -my $newhomedir; if (defined($tmp = $Options{'d'})) { - $newhomedir = $tmp; - $mods .= "homeDirectory: $newhomedir\n"; - $changed_homedir = 1; + push(@mods, 'homeDirectory' => $tmp); } +if (defined($tmp = $Options{'N'})) { + push(@mods, 'cn' => $tmp); +} + +if (defined($tmp = $Options{'S'})) { + push(@mods, 'sn' => $tmp); +} if (defined($tmp = $Options{'G'})) { 
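Review bot: The new `push(@mods, 'sambaSID', $SID.'-'.$_userRid);` consumes `$_userRid` right after the `-x` branch's `$_userRid= sprint("%x", $_userRid);`, and `sprint` is not a Perl builtin, so with `use strict` the `-x` option dies with "Undefined subroutine &main::sprint" before the push runs; `sprintf` is meant. The identical `$_userGroupRid = sprint("%x", $_userGroupRid);` sits in the `-g` hunk just below, feeding the new `sambaPrimaryGroupSid` push. Both are context lines, but the commit reshapes both blocks, so this is the natural place to correct them.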
@@ -212,102 +212,135 @@ if (defined($tmp = $Options{'G'})) { my $attr; my $winmagic = 2147483647; +my $samba = is_samba_user($user); + +if (defined($tmp = $Options{'e'})) { + if ($samba == 1) { + my $kickoffTime=`date --date='$tmp' +%s`; + chomp($kickoffTime); + push(@mods, 'sambakickoffTime' => $kickoffTime); + } else { + print "User $user is not a samba user\n"; + } +} + +my $_sambaPwdCanChange; if (defined($tmp = $Options{'A'})) { + if ($samba == 1) { $attr = "sambaPwdCanChange"; if ($tmp != 0) { - $mods .= "$attr: 0\n"; + $_sambaPwdCanChange=0; } else { - $mods .= "$attr: $winmagic\n"; + $_sambaPwdCanChange=$winmagic; + } + push(@mods, 'sambaPwdCanChange' => $_sambaPwdCanChange); + } else { + print "User $user is not a samba user\n"; } } +my $_sambaPwdMustChange; if (defined($tmp = $Options{'B'})) { - $attr = "sambaPwdMustChange"; + if ($samba == 1) { if ($tmp != 0) { - $mods .= "$attr: 0\n"; + $_sambaPwdMustChange=0; + } else { + $_sambaPwdMustChange=$winmagic; + } + push(@mods, 'sambaPwdMustChange' => $_sambaPwdMustChange); } else { - $mods .= "$attr: $winmagic\n"; + print "User $user is not a samba user\n"; } } if (defined($tmp = $Options{'C'})) { - $attr = "sambaHomePath"; + if ($samba == 1) { #$tmp =~ s/\\/\\\\/g; - $mods .= "$attr: $tmp\n"; + push(@mods, 'sambaHomePath' => $tmp); + } else { + print "User $user is not a samba user\n"; + } } +my $_sambaHomeDrive; if (defined($tmp = $Options{'D'})) { - $attr = "sambaHomeDrive"; + if ($samba == 1) { $tmp = $tmp.":" unless ($tmp =~ /:/); - $mods .= "$attr: $tmp\n"; + push(@mods, 'sambaHomeDrive' => $tmp); + } else { + print "User $user is not a samba user\n"; + } } if (defined($tmp = $Options{'E'})) { - $attr = "sambaLogonScript"; + if ($samba == 1) { #$tmp =~ s/\\/\\\\/g; - $mods .= "$attr: $tmp\n"; + push(@mods, 'sambaLogonScript' => $tmp); + } else { + print "User $user is not a samba user\n"; + } } if (defined($tmp = $Options{'F'})) { - $attr = "sambaProfilePath"; + if ($samba == 1) { #$tmp =~ s/\\/\\\\/g; 
- $mods .= "$attr: $tmp\n"; + push(@mods, 'sambaProfilePath' => $tmp); + } else { + print "User $user is not a samba user\n"; + } } +if ($samba == 1 and (defined $Options{'H'} or defined $Options{'I'} or defined $Options{'J'})) { + my $_sambaAcctFlags; if (defined($tmp = $Options{'H'})) { - $attr = "sambaAcctFlags"; #$tmp =~ s/\\/\\\\/g; - $mods .= "$attr: $tmp\n"; -} elsif (defined($tmp = $Options{'I'})) { + $_sambaAcctFlags=$tmp; + } else { + # I or J my $flags; + $flags = $user_entry->get_value('sambaAcctFlags'); - if ( $lines =~ /^sambaAcctFlags: (.*)/m ) { - $flags = $1; - } - - chomp($flags); - + if (defined($tmp = $Options{'I'})) { if ( !($flags =~ /D/) ) { my $letters; if ($flags =~ /(\w+)/) { $letters = $1; } - $mods .= "sambaAcctFlags: \[D$letters\]\n"; + $_sambaAcctFlags="\[D$letters\]"; } } elsif (defined($tmp = $Options{'J'})) { - my $flags; - - if ( $lines =~ /^sambaAcctFlags: (.*)/m ) { - $flags = $1; - } - - chomp($flags); - if ( $flags =~ /D/ ) { my $letters; if ($flags =~ /(\w+)/) { $letters = $1; } $letters =~ s/D//; - $mods .= "sambaAcctFlags: \[$letters\]\n"; + $_sambaAcctFlags="\[$letters\]"; + } } } -if ($mods ne '') { - #print "----\n$dn_line\n$mods\n----\n"; - - my $tmpldif = -"$dn_line -changetype: modify -$mods -"; - die "$0: error while modifying user $user\n" - unless (do_ldapmodify($tmpldif) == 0); + if ("$_sambaAcctFlags" ne '') { + push(@mods, 'sambaAcctFlags' => $_sambaAcctFlags); + } - undef $tmpldif; +} elsif (!$samba == 1 and (defined $Options{'H'} or defined $Options{'I'} or defined $Options{'J'})) { + print "User $user is not a samba user\n"; } +# Let's connect to the directory first +my $ldap_master=connect_ldap_master(); + +# apply changes +my $modify = $ldap_master->modify ( "$dn", + 'replace' => { @mods } + ); +$modify->code && warn "failed to modify entry: ", $modify->error ; + +# take down session +$ldap_master->unbind; + $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1"; if ($nscd_status == 0) { 
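Review bot: `my $kickoffTime=`date --date='$tmp' +%s`;` hands the `-e` argument to a shell inside single quotes, so a value containing a single quote breaks out of the quoting and the remainder is interpreted by the shell; the caller is already root, so this is a correctness hole more than a privilege issue, but list-form `open my $date_fh, '-|', 'date', "--date=$tmp", '+%s' or die "date: $!";` with `$kickoffTime` read from `$date_fh` (or parsing the date in Perl) avoids the shell, and the result should be checked to be numeric before it is pushed. `my $samba = is_samba_user($user);` redeclares the `$samba` already derived from the entry's objectClass earlier in the file, which triggers the "masks earlier declaration" warning under `-w` and costs a second LDAP search for the same fact. The removed `if ($mods ne '')` guard has no replacement, so `$ldap_master->modify("$dn", 'replace' => { @mods })` is issued even when no option produced a change, and because `@mods` is flattened into a hash an attribute pushed twice keeps only its last value. `if ("$_sambaAcctFlags" ne '')` also reads an undef when `-I`/`-J` find nothing to change; `if (defined $_sambaAcctFlags)` says what is meant without the warning.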
@@ -358,7 +391,7 @@ if ($nscd_status == 0) { -l login_name The name of the user will be changed from login to login_name. - Nothing else is changed. In particular, the user's home direc + Nothing else is changed. In particular, the user's home direc­ tory name should probably be changed to reflect the new login name. @@ -369,7 +402,7 @@ if ($nscd_status == 0) { -u uid The numerical value of the user's ID. This value must be unique, unless the -o option is used. The value must be non- negative. Any files which the user owns and which are - located in the directory tree rooted at the user's home direc + located in the directory tree rooted at the user's home direc­ tory will have the file user ID changed automatically. Files outside of the user's home directory must be altered manually. diff --git a/examples/LDAP/smbldap-tools/smbldap-usershow.pl b/examples/LDAP/smbldap-tools/smbldap-usershow.pl index b05f087620..555b35ffd8 100755 --- a/examples/LDAP/smbldap-tools/smbldap-usershow.pl +++ b/examples/LDAP/smbldap-tools/smbldap-usershow.pl @@ -1,4 +1,4 @@ -#!/usr/bin/perl +#!/usr/bin/perl -w # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). @@ -23,6 +23,9 @@ # Purpose of smbldap-userdisplay : user (posix,shadow,samba) display use strict; +use FindBin; +use FindBin qw($RealBin); +use lib "$RealBin/"; use smbldap_tools; use Getopt::Std; diff --git a/examples/LDAP/smbldap-tools/smbldap_conf.pm b/examples/LDAP/smbldap-tools/smbldap_conf.pm index dd1d772ea7..c3d5c1732c 100644 --- a/examples/LDAP/smbldap-tools/smbldap_conf.pm +++ b/examples/LDAP/smbldap-tools/smbldap_conf.pm 
@@ -30,16 +30,14 @@ package smbldap_conf; use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $UID_START $GID_START $smbpasswd $slaveLDAP $masterLDAP $slavePort $masterPort $ldapSSL $slaveURI $masterURI $with_smbpasswd $mk_ntpasswd -$ldap_path $ldap_opts $ldapsearch $ldapsearchnobind -$ldapmodify $ldappasswd $ldapadd $ldapdelete $ldapmodrdn -$suffix $usersdn $computersdn +$ldap_path $ldap_opts $ldapmodify $suffix $usersdn $computersdn $groupsdn $scope $binddn $bindpasswd $slaveDN $slavePw $masterDN $masterPw $_userLoginShell $_userHomePrefix $_userGecos $_defaultUserGid $_defaultComputerGid $_skeletonDir $_userSmbHome $_userProfile $_userHomeDrive -$_userScript $usersou $computersou $groupsou +$_userScript $usersou $computersou $groupsou $SID $hash_encrypt ); use Exporter; @@ -49,14 +47,13 @@ $VERSION = 1.00; @EXPORT = qw( $UID_START $GID_START $smbpasswd $slaveLDAP $masterLDAP $slavePort $masterPort $ldapSSL $slaveURI $masterURI $with_smbpasswd $mk_ntpasswd -$ldap_path $ldap_opts $ldapsearch $ldapsearchnobind $ldapmodify $ldappasswd -$ldapadd $ldapdelete $ldapmodrdn $suffix $usersdn +$ldap_path $ldap_opts $ldapmodify $suffix $usersdn $computersdn $groupsdn $scope $binddn $bindpasswd $slaveDN $slavePw $masterDN $masterPw $_userLoginShell $_userHomePrefix $_userGecos $_defaultUserGid $_defaultComputerGid $_skeletonDir $_userSmbHome $_userProfile $_userHomeDrive $_userScript -$usersou $computersou $groupsou +$usersou $computersou $groupsou $SID $hash_encrypt ); @@ -66,16 +63,13 @@ $usersou $computersou $groupsou # ############################################################################## -# # UID and GID starting at... -# - $UID_START = 1000; $GID_START = 1000; # Put your own SID -# to obtain this number do: # net getlocalsid -our $SID='S-1-5-21-636805976-1992644568-3666589737'; +# to obtain this number do: "net getlocalsid" +$SID='S-1-5-21-3516781642-1962875130-3438800523'; ############################################################################## # 
@@ -86,84 +80,65 @@ our $SID='S-1-5-21-636805976-1992644568-3666589737'; # Notes: to use to dual ldap servers backend for Samba, you must patch # Samba with the dual-head patch from IDEALX. If not using this patch # just use the same server for slaveLDAP and masterLDAP. -# -# Slave LDAP : needed for read operations -# +# Those two servers declarations can also be used when you have +# . one master LDAP server where all writing operations must be done +# . one slave LDAP server where all reading operations must be done +# (typically a replication directory) + # Ex: $slaveLDAP = "127.0.0.1"; $slaveLDAP = "127.0.0.1"; - $slavePort = "389"; -# # Master LDAP : needed for write operations -# # Ex: $masterLDAP = "127.0.0.1"; $masterLDAP = "127.0.0.1"; - - -# -# Master Port -# 389 636 -# Ex: $masterPort = " $masterPort = "389"; -# # Use SSL for LDAP -# +# If set to "1", this option will use start_tls for connection +# (you should also used the port 389) $ldapSSL = "0"; -# # LDAP Suffix -# # Ex: $suffix = "dc=IDEALX,dc=ORG"; $suffix = "dc=IDEALX,dc=ORG"; -# # Where are stored Users -# # Ex: $usersdn = "ou=Users,$suffix"; for ou=Users,dc=IDEALX,dc=ORG $usersou = q(_USERS_); - $usersdn = "ou=$usersou,$suffix"; -# # Where are stored Computers -# # Ex: $computersdn = "ou=Computers,$suffix"; for ou=Computers,dc=IDEALX,dc=ORG $computersou = q(_COMPUTERS_); - $computersdn = "ou=$computersou,$suffix"; -# # Where are stored Groups -# # Ex $groupsdn = "ou=Groups,$suffix"; for ou=Groups,dc=IDEALX,dc=ORG $groupsou = q(_GROUPS_); - $groupsdn = "ou=$groupsou,$suffix"; -# # Default scope Used -# $scope = "sub"; -# -# Credential Configuration -# +# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) +$hash_encrypt="SSHA"; + +############################ +# Credential Configuration # +############################ # Bind DN used # Ex: $binddn = "cn=Manager,$suffix"; for cn=Manager,dc=IDEALX,dc=org $binddn = "cn=Manager,$suffix"; -# + # Bind DN passwd used # Ex: $bindpasswd = 'secret'; for 
'secret' $bindpasswd = "secret"; -# # Notes: if using dual ldap patch, you can specify to different configuration # By default, we will use the same DN (so it will work for standard Samba # release) -# $slaveDN = $binddn; $slavePw = $bindpasswd; $masterDN = $binddn; @@ -176,36 +151,24 @@ $masterPw = $bindpasswd; ############################################################################## # Login defs -# # Default Login Shell -# # Ex: $_userLoginShell = q(/bin/bash); $_userLoginShell = q(_LOGINSHELL_); -# # Home directory prefix (without username) -# #Ex: $_userHomePrefix = q(/home/); $_userHomePrefix = q(_HOMEPREFIX_); -# # Gecos -# $_userGecos = q(System User); -# # Default User (POSIX and Samba) GID -# -$_defaultUserGid = 100; +$_defaultUserGid = 513; -# # Default Computer (Samba) GID -# $_defaultComputerGid = 553; -# # Skel dir -# $_skeletonDir = q(/etc/skel); ############################################################################## @@ -214,28 +177,23 @@ $_skeletonDir = q(/etc/skel); # ############################################################################## -# # The UNC path to home drives location without the username last extension # (will be dynamically prepended) # Ex: q(\\\\My-PDC-netbios-name\\homes) for \\My-PDC-netbios-name\homes $_userSmbHome = q(\\\\_PDCNAME_\\homes); -# # The UNC path to profiles locations without the username last extension # (will be dynamically prepended) -# Ex: q(\\\\My-PDC-netbios-name\\profiles) for \\My-PDC-netbios-name\profiles +# Ex: q(\\\\My-PDC-netbios-name\\profiles\\) for \\My-PDC-netbios-name\profiles $_userProfile = q(\\\\_PDCNAME_\\profiles\\); -# # The default Home Drive Letter mapping # (will be automatically mapped at logon time if home directory exist) # Ex: q(U:) for U: $_userHomeDrive = q(_HOMEDRIVE_); -# # The default user netlogon script name # if not used, will be automatically username.cmd -# #$_userScript = q(startup.cmd); # make sure script file is edited under dos 
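Review bot: The new `$hash_encrypt` setting lists `CRYPT, MD5, SMD5, SSHA, SHA` without saying which are acceptable: `{MD5}` and `{SHA}` are unsalted digests, `{CRYPT}` depends on the system crypt(3) and is DES-style by default, and only `SMD5`/`SSHA` salt the hash, so the SSHA default is the right one and deserves a word. Suggest `# Unix password hash scheme: SSHA (default) or SMD5 recommended; CRYPT, MD5 and SHA are weaker and kept for legacy directories`. The `$ldapSSL` comment `(you should also used the port 389)` reads better as `(StartTLS runs on the plain LDAP port, normally 389)`.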
@@ -251,28 +209,28 @@ $with_smbpasswd = 0; $smbpasswd = "/usr/bin/smbpasswd"; $mk_ntpasswd = "/usr/local/sbin/mkntpwd"; -if ( $ldapSSL eq "0" ) { +# those next externals commands are kept fot the migration scripts and +# for the populate script: this will be updated as soon as possible $slaveURI = "ldap://$slaveLDAP:$slavePort"; $masterURI = "ldap://$masterLDAP:$masterPort"; -} -elsif ( $ldapSSL eq "1" ) { - $slaveURI = "ldaps://$slaveLDAP:$slavePort"; - $masterURI = "ldaps://$masterLDAP:$masterPort"; -} -else { - die "ldapSSL option must be either 0 or 1.\n"; -} - $ldap_path = "/usr/bin"; + +if ( $ldapSSL eq "0" ) { $ldap_opts = "-x"; -$ldapsearch = "$ldap_path/ldapsearch $ldap_opts -H $slaveURI -D '$slaveDN' -w '$slavePw'"; -$ldapsearchnobind = "$ldap_path/ldapsearch $ldap_opts -H $slaveURI"; +} elsif ( $ldapSSL eq "1" ) { + $ldap_opts = "-x -Z"; +} else { + die "ldapSSL option must be either 0 or 1.\n"; +} + +#$ldapsearch = "$ldap_path/ldapsearch $ldap_opts -H $slaveURI -D '$slaveDN' -w '$slavePw'"; +#$ldapsearchnobind = "$ldap_path/ldapsearch $ldap_opts -H $slaveURI"; $ldapmodify = "$ldap_path/ldapmodify $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'"; -$ldappasswd = "$ldap_path/ldappasswd $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'"; -$ldapadd = "$ldap_path/ldapadd $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'"; -$ldapdelete = "$ldap_path/ldapdelete $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'"; -$ldapmodrdn = "$ldap_path/ldapmodrdn $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'"; +#$ldappasswd = "$ldap_path/ldappasswd $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'"; +#$ldapadd = "$ldap_path/ldapadd $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'"; +#$ldapdelete = "$ldap_path/ldapdelete $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'"; +#$ldapmodrdn = "$ldap_path/ldapmodrdn $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'"; 
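Review bot: `$ldapmodify` remains the one live external command and still passes the directory password as `-w '$masterPw'` on the command line, where it is visible to every local user through the process list for as long as the command runs; the OpenLDAP tools accept `-y <file>` to read the password from a root-only file, which also removes the quoting problem when `$masterPw` itself contains a single quote. `$ldap_opts = "-x -Z"` requests StartTLS, but `-Z` lets the tool continue in cleartext when the TLS negotiation fails; `-ZZ` makes success mandatory and matches the intent of `$ldapSSL = "1"`.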
diff --git a/examples/LDAP/smbldap-tools/smbldap_tools.pm b/examples/LDAP/smbldap-tools/smbldap_tools.pm index ad6ef74eb6..8001442fe8 100755 --- a/examples/LDAP/smbldap-tools/smbldap_tools.pm +++ b/examples/LDAP/smbldap-tools/smbldap_tools.pm @@ -1,4 +1,4 @@ -#! /usr/bin/perl +#! /usr/bin/perl -w use strict; package smbldap_tools; use smbldap_conf; @@ -36,7 +36,9 @@ $VERSION = 1.00; @EXPORT = qw( get_user_dn get_group_dn + is_group_member is_samba_user + is_unix_user is_user_valid get_dn_from_line add_posix_machine @@ -47,8 +49,10 @@ add_grouplist_user disable_user delete_user group_add + group_del get_homedir read_user + read_user_entry read_group find_groups_of parse_group 
@@ -57,32 +61,74 @@ group_get_members do_ldapadd do_ldapmodify get_user_dn2 + connect_ldap_master + connect_ldap_slave ); -# dn_line = get_user_dn($username) -# where dn_line is like "dn: a=b,c=d" - -#sub ldap_search -#{ -#my ($local_base,$local_scope,$local_filtre)=@_; -#} - +sub connect_ldap_master + { + # bind to a directory with dn and password + my $ldap_master = Net::LDAP->new( + "$masterLDAP", + port => "$masterPort", + version => 3, + # debug => 0xffff, + ) + or die "erreur LDAP: Can't contact master ldap server ($@)"; + if ($ldapSSL == 1) { + $ldap_master->start_tls( + # verify => 'require', + # clientcert => 'mycert.pem', + # clientkey => 'mykey.pem', + # decryptkey => sub { 'secret'; }, + # capath => '/usr/local/cacerts/' + ); + } + $ldap_master->bind ( "$binddn", + password => "$masterPw" + ); + return($ldap_master); + } +sub connect_ldap_slave + { + # bind to a directory with dn and password + my $ldap_slave = Net::LDAP->new( + "$slaveLDAP", + port => "$slavePort", + version => 3, + # debug => 0xffff, + ) + or die "erreur LDAP: Can't contact slave ldap server ($@)"; + if ($ldapSSL == 1) { + $ldap_slave->start_tls( + # verify => 'require', + # clientcert => 'mycert.pem', + # clientkey => 'mykey.pem', + # decryptkey => sub { 'secret'; }, + # capath => '/usr/local/cacerts/' + ); + } + $ldap_slave->bind ( "$binddn", + password => "$slavePw" + ); + return($ldap_slave); + } sub get_user_dn { my $user = shift; my $dn=''; - my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; - $ldap->bind ; - my $mesg = $ldap->search ( base => $suffix, + my $ldap_slave=connect_ldap_slave(); + my $mesg = $ldap_slave->search ( base => $suffix, scope => $scope, filter => "(&(objectclass=posixAccount)(uid=$user))" ); $mesg->code && die $mesg->error; foreach my $entry ($mesg->all_entries) { - $dn= $entry->dn;} - $ldap->unbind; + $dn= $entry->dn; + } + $ldap_slave->unbind; chomp($dn); if ($dn eq '') { return undef; 
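Review bot: The `start_tls` result in `connect_ldap_master` and `connect_ldap_slave` is never checked and `verify` is left commented out, so a failed StartTLS falls through to `bind` and sends `$masterPw`/`$slavePw` in cleartext, and even when TLS comes up Net::LDAP's default `verify => 'none'` leaves the server certificate unvalidated. The `bind` result is ignored as well, so a wrong password only shows up later as an access error on the first write. Both subs bind as `$binddn` while using `$masterPw`/`$slavePw`, whereas smbldap_conf defines `$masterDN`/`$slaveDN` precisely so the two servers can carry different credentials; the DN should follow the password. The two subs are otherwise identical and could share one helper taking host, port, dn and password; the rewritten master variant below shows the checks, with the CA location still to be moved into smbldap_conf.
```perl
sub connect_ldap_master
  {
    # bind to a directory with dn and password
    my $ldap_master = Net::LDAP->new(
                                     "$masterLDAP",
                                     port => "$masterPort",
                                     version => 3,
                                    )
      or die "erreur LDAP: Can't contact master ldap server ($@)";
    if ($ldapSSL == 1) {
        # a failed or unverified StartTLS must not fall through to a cleartext bind
        my $tls = $ldap_master->start_tls(
                                          verify => 'require',
                                          capath => '/usr/local/cacerts/', # CONFIG: move to smbldap_conf
                                         );
        $tls->code && die "erreur LDAP: start_tls failed: ", $tls->error;
    }
    my $bind = $ldap_master->bind("$masterDN", password => "$masterPw");
    $bind->code && die "erreur LDAP: bind as $masterDN failed: ", $bind->error;
    return($ldap_master);
  }
# … connect_ldap_slave: same checks with $slaveLDAP, $slavePort, $slaveDN, $slavePw …
```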
@@ -92,28 +138,21 @@ sub get_user_dn } -sub get_user_dn2 ## migr +sub get_user_dn2 { my $user = shift; my $dn=''; - my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; - $ldap->bind ; - my $mesg = $ldap->search ( base => $suffix, + my $ldap_slave=connect_ldap_slave(); + my $mesg = $ldap_slave->search ( base => $suffix, scope => $scope, filter => "(&(objectclass=posixAccount)(uid=$user))" ); - # $mesg->code && warn $mesg->error; - if ($mesg->code) - { - print("Code erreur : ",$mesg->code,"\n"); - print("Message d'erreur : ",$mesg->error,"\n"); - return (0,undef); - } + $mesg->code && warn "failed to perform search; ", $mesg->error; foreach my $entry ($mesg->all_entries) { $dn= $entry->dn; } - $ldap->unbind; + $ldap_slave->unbind; chomp($dn); if ($dn eq '') { return (1,undef); @@ -127,16 +166,16 @@ sub get_group_dn { my $group = shift; my $dn=''; - my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; - $ldap->bind ; - my $mesg = $ldap->search ( base => $groupsdn, + my $ldap_slave=connect_ldap_slave(); + my $mesg = $ldap_slave->search ( base => $groupsdn, scope => $scope, filter => "(&(objectclass=posixGroup)(|(cn=$group)(gidNumber=$group)))" ); $mesg->code && die $mesg->error; foreach my $entry ($mesg->all_entries) { - $dn= $entry->dn;} - $ldap->unbind; + $dn= $entry->dn; + } + $ldap_slave->unbind; chomp($dn); if ($dn eq '') { return undef; 
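Review bot: `get_user_dn2` now answers a failed search with a `warn` and then falls through to `return (1,undef)`, the same value it returns for "user not found", whereas the removed block returned `(0,undef)` for a server error; callers that used the first element to tell the two cases apart no longer can. Return right after the warning: `return (0,undef) if $mesg->code;`. The sub's body continues past this hunk, so the remaining return paths should be checked for the same convention.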
@@ -150,14 +189,41 @@ sub get_group_dn sub is_samba_user { my $user = shift; - my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; - $ldap->bind ; - my $mesg = $ldap->search ( base => $suffix, + my $ldap_slave=connect_ldap_slave(); + my $mesg = $ldap_slave->search ( base => $suffix, scope => $scope, filter => "(&(objectClass=sambaSamAccount)(uid=$user))" ); $mesg->code && die $mesg->error; - $ldap->unbind; + $ldap_slave->unbind; + return ($mesg->count ne 0); + } + +sub is_unix_user + { + my $user = shift; + my $ldap_slave=connect_ldap_slave(); + my $mesg = $ldap_slave->search ( base => $suffix, + scope => $scope, + filter => "(&(objectClass=posixAccount)(uid=$user))" + ); + $mesg->code && die $mesg->error; + $ldap_slave->unbind; + return ($mesg->count ne 0); + } + +sub is_group_member + { + my $dn_group = shift; + my $user = shift; + my $ldap_slave=connect_ldap_slave(); + my $mesg = $ldap_slave->search ( + base => "$dn_group", + scope => 'base', + filter => "(&(memberUid=$user))" + ); + $mesg->code && die $mesg->error; + $ldap_slave->unbind; return ($mesg->count ne 0); } @@ -168,21 +234,19 @@ sub is_user_valid my ($user, $dn, $pass) = @_; my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; my $mesg= $ldap->bind (dn => $dn, password => $pass ); - if ($mesg->code eq 0) - { + if ($mesg->code eq 0) { $ldap->unbind; return 1; - } - else - { + } else { if($ldap->bind()) { $ldap->unbind; return 0; } else { - print ("Le serveur LDAP est indisponible.\nVrifier le serveur, les cblages, ..."); + print ("The LDAP directory is not available.\n Check the server, cables ..."); $ldap->unbind; return 0; - } die "Problme : Contacter votre administrateur"; + } + die "Problem : contact your administrator"; } } 
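Review bot: `is_group_member` interpolates `$user` straight into the LDAP filter `(&(memberUid=$user))`, so a value containing `*`, `(`, `)` or `\` changes the meaning of the filter, and `is_unix_user` in the same hunk copies the pattern from the older searches. Net::LDAP ships `Net::LDAP::Util::escape_filter_value`; build the filter as `filter => '(memberUid=' . escape_filter_value($user) . ')'` (the `&` around a single term is redundant). `return ($mesg->count ne 0)` compares a number as a string; `!= 0` says what is meant.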
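Review bot: `is_user_valid` still opens `Net::LDAP->new($slaveLDAP)` and binds with the caller-supplied `$pass` without the StartTLS step the new `connect_ldap_slave` performs, so when `$ldapSSL` is 1 every password checked through this sub crosses the wire in cleartext; the constructor is only visible as context here because the sub begins outside the hunk. The trailing `die "Problem : contact your administrator"` follows an if/else in which every branch returns, so it is unreachable and should be dropped or moved to the path it is meant to guard.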
@@ -199,27 +263,29 @@ sub get_dn_from_line sub add_posix_machine { my ($user, $uid, $gid) = @_; - my $tmpldif = - "dn: uid=$user,$computersdn -objectclass: inetOrgPerson -objectclass: posixAccount -sn: $user -cn: $user -uid: $user -uidNumber: $uid -gidNumber: $gid -homeDirectory: /dev/null -loginShell: /bin/false -description: Computer - -"; - - die "$0: error while adding posix account to machine $user\n" - unless (do_ldapadd($tmpldif) == 0); - undef $tmpldif; - return 1; + # bind to a directory with dn and password + my $ldap_master=connect_ldap_master(); + my $add = $ldap_master->add ( "uid=$user,$computersdn", + attr => [ + 'objectclass' => ['top','inetOrgPerson', 'posixAccount'], + 'cn' => "$user", + 'sn' => "$user", + 'uid' => "$user", + 'uidNumber' => "$uid", + 'gidNumber' => "$gid", + 'homeDirectory' => '/dev/null', + 'loginShell' => '/bin/false', + 'description' => 'Computer', + ] + ); + + $add->code && warn "failed to add entry: ", $add->error ; + # take down the session + $ldap_master->unbind; + } + # success = add_samba_machine($computername) sub add_samba_machine { 
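Review bot: `add_posix_machine` no longer reports success: after `$add->code && warn ...` the sub falls off the end with the value of `$ldap_master->unbind`, so a failed add looks like success to callers, where the removed code died on failure and returned 1. Either restore the fatality with `$add->code && die "failed to add entry: ", $add->error;` before the unbind, or keep the `warn` and finish with `return $add->code ? 0 : 1;` so the documented success contract holds.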
@@ -244,33 +310,31 @@ sub add_samba_machine_mkntpwd chomp(my $lmpassword = substr($ntpwd, 0, index($ntpwd, ':'))); chomp(my $ntpassword = substr($ntpwd, index($ntpwd, ':')+1)); - my $tmpldif = - "dn: uid=$user,$computersdn -changetype: modify -objectclass: inetOrgPerson -objectclass: posixAccount -objectClass: sambaSamAccount -sambaPwdLastSet: 0 -sambaLogonTime: 0 -sambaLogoffTime: 2147483647 -sambaKickoffTime: 2147483647 -sambaPwdCanChange: 0 -sambaPwdMustChange: 2147483647 -sambaAcctFlags: [W ] -sambaLMPassword: $lmpassword -sambaNTPassword: $ntpassword -sambaSID: $smbldap_conf::SID-$sambaSID -sambaPrimaryGroupSID: $smbldap_conf::SID-0 - -"; - - die "$0: error while adding samba account to $user\n" - unless (do_ldapmodify($tmpldif) == 0); - undef $tmpldif; + my $ldap_master=connect_ldap_master(); + my $modify = $ldap_master->modify ( "uid=$user,$computersdn", + changes => [ + replace => [objectClass => ['inetOrgPerson', 'posixAccount', 'sambaSAMAccount']], + add => [sambaPwdLastSet => '0'], + add => [sambaLogonTime => '0'], + add => [sambaLogoffTime => '2147483647'], + add => [sambaKickoffTime => '2147483647'], + add => [sambaPwdCanChange => '0'], + add => [sambaPwdMustChange => '0'], + add => [sambaAcctFlags => '[W ]'], + add => [sambaLMPassword => "$lmpassword"], + add => [sambaNTPassword => "$ntpassword"], + add => [sambaSID => "$SID-$sambaSID"], + add => [sambaPrimaryGroupSID => "$SID-0"] + ] + ); + + $modify->code && die "failed to add entry: ", $modify->error ; return 1; - } + # take down the session + $ldap_master->unbind; + } sub group_add_user 
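Review bot: `return 1;` now precedes `$ldap_master->unbind;`, so the unbind is unreachable and the bound session stays open until the process exits; swap the two statements. `sambaPwdMustChange` changes from `2147483647` in the removed LDIF to `'0'` with no comment, which reads like an unintended edit; if it is deliberate, a line saying why would prevent the next reader from reverting it. `replace => [objectClass => [...]]` overwrites the whole objectClass list, which drops any class not in that literal (servers normally keep `top`, but other auxiliary classes on the entry would be lost); `add => [objectClass => 'sambaSAMAccount']`, as smbldap-useradd does, only adds the new class. The sub begins outside this hunk.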
@@ -278,55 +342,43 @@ sub group_add_user my ($group, $userid) = @_; my $members=''; my $dn_line = get_group_dn($group); + if (!defined(get_group_dn($group))) { + print "$0: group \"$group\" doesn't exist\n"; + exit (6); + } if (!defined($dn_line)) { return 1; } - my $dn = get_dn_from_line($dn_line); - - my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; - $ldap->bind ; - my $mesg = $ldap->search ( base =>$dn, scope => "base", filter => "(objectClass=*)" ); - $mesg->code && die $mesg->error; - foreach my $entry ($mesg->all_entries){ - foreach my $attr ($entry->attributes) - { - if ($attr=~/\bmemberUid\b/){ - foreach my $ent($entry->get_value($attr)) { $members.= $attr.": ".$ent."\n"; } - } + my $dn = get_dn_from_line("$dn_line"); + # on look if the user is already present in the group + my $is_member=is_group_member($dn,$userid); + if ($is_member == 1) { + print "User \"$userid\" already member of the group \"$group\".\n"; + } else { + # bind to a directory with dn and password + my $ldap_master=connect_ldap_master(); + # It does not matter if the user already exist, Net::LDAP will add the user + # if he does not exist, and ignore him if his already in the directory. + my $modify = $ldap_master->modify ( "$dn", + changes => [ + add => [memberUid => $userid] + ] + ); + $modify->code && die "failed to modify entry: ", $modify->error ; + # take down session + $ldap_master->unbind; } } - $ldap->unbind; - chomp($members); - # user already member ? 
- if ($members =~ m/^memberUid: $userid/) { - return 2; - } - my $mods = ""; - if ($members ne '') { - $mods="$dn_line -changetype: modify -replace: memberUid -$members -memberUid: $userid - -"; - } else { - $mods="$dn_line -changetype: modify -add: memberUid -memberUid: $userid -"; - } - #print "$mods\n"; - my $tmpldif = - "$mods -"; - - die "$0: error while modifying group $group\n" - unless (do_ldapmodify($tmpldif) == 0); - undef $tmpldif; - return 0; +sub group_del + { + my $group_dn=shift; + # bind to a directory with dn and password + my $ldap_master=connect_ldap_master(); + my $modify = $ldap_master->delete ($group_dn); + $modify->code && die "failed to delete group : ", $modify->error ; + # take down session + $ldap_master->unbind; } sub add_grouplist_user 
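Review bot: The new existence check in `group_add_user` calls `get_group_dn($group)` a second time, a second LDAP search, although `$dn_line` already holds the result one line above, and its `exit (6)` terminates the calling program from inside a library sub, leaving the following `if (!defined($dn_line)) { return 1; }` as dead code. Test the value already fetched and let the caller decide: `if (!defined($dn_line)) { print "$0: group \"$group\" doesn't exist\n"; return 1; }`. The sub also lost its explicit return values (previously 0 for added, 2 for already a member) and now yields whatever `print` or `unbind` returns, so callers that inspect the result should be checked; `group_del`, added in the same hunk, likewise returns the `unbind` result rather than a status. The `my ($group, $userid) = @_;` line shows the sub starts just outside this hunk.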
@@ -338,43 +390,34 @@ sub add_grouplist_user } } -# XXX FIXME : sambaAcctFlags |= D, and not sambaAcctFlags = D sub disable_user { my $user = shift; my $dn_line; + my $dn = get_dn_from_line($dn_line); if (!defined($dn_line = get_user_dn($user))) { print "$0: user $user doesn't exist\n"; exit (10); } - - my $tmpldif = - "dn: $dn_line -changetype: modify -replace: userPassword -userPassword: {crypt}!x - -"; - - die "$0: error while modifying user $user\n" - unless (do_ldapmodify($tmpldif) == 0); - undef $tmpldif; + my $ldap_master=connect_ldap_master(); + my $modify = $ldap_master->modify ( "$dn", + changes => [ + replace => [userPassword => '{crypt}!x'] + ] + ); + $modify->code && die "failed to modify entry: ", $modify->error ; if (is_samba_user($user)) { - - my $tmpldif = - "dn: $dn_line -changetype: modify -replace: sambaAcctFlags -sambaAcctFlags: [D ] - -"; - - die "$0: error while modifying user $user\n" - unless (do_ldapmodify($tmpldif) == 0); - undef $tmpldif; + my $modify = $ldap_master->modify ( "$dn", + changes => [ + replace => [sambaAcctFlags => '[D ]'] + ] + ); + $modify->code && die "failed to modify entry: ", $modify->error ; } + # take down session + $ldap_master->unbind; } # delete_user($user) @@ -389,7 +432,9 @@ sub delete_user } my $dn = get_dn_from_line($dn_line); - system "$ldapdelete $dn >/dev/null"; + my $ldap_master=connect_ldap_master(); + my $modify = $ldap_master->delete($dn); + $ldap_master->unbind; } # $success = group_add($groupname, $group_gid, $force_using_existing_gid) 
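Review bot: In `disable_user` the new `my $dn = get_dn_from_line($dn_line);` runs before `$dn_line` is assigned by the `get_user_dn($user)` call on the following line, so `$dn` is derived from undef and both `modify` calls target an empty DN (an uninitialized-value warning under `-w`, then the `die`). Move the line below the existence check, directly before `my $ldap_master=connect_ldap_master();`. The removed `# XXX FIXME : sambaAcctFlags |= D` comment still holds: `replace => [sambaAcctFlags => '[D ]']` discards every other flag letter, unlike the `-I` path in smbldap-usermod which preserves them, so the comment should stay until the flags are merged.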
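Review bot: `delete_user` discards the result of `$ldap_master->delete($dn)`, so a failed deletion (wrong DN, insufficient access, non-leaf entry) passes silently, where the removed `system "$ldapdelete $dn"` at least left a non-zero exit status behind. Add `$modify->code && die "failed to delete entry: ", $modify->error;` before the unbind, and `$delete` would be a truer name than `$modify` for a delete result. The sub begins outside this hunk.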
@@ -415,17 +460,18 @@ sub group_add if ($nscd_status == 0) { system "/etc/init.d/nscd start > /dev/null 2>&1"; } - my $tmpldif = - "dn: cn=$gname,$groupsdn -objectclass: posixGroup -cn: $gname -gidNumber: $gid - -"; - - die "$0: error while adding posix group $gname\n" - unless (do_ldapadd($tmpldif) == 0); - undef $tmpldif; + my $ldap_master=connect_ldap_master(); + my $modify = $ldap_master->add ( "cn=$gname,$groupsdn", + attrs => [ + objectClass => 'posixGroup', + cn => "$gname", + gidNumber => "$gid" + ] + ); + + $modify->code && die "failed to add entry: ", $modify->error ; + # take down session + $ldap_master->unbind; return 1; } @@ -434,14 +480,15 @@ sub get_homedir { my $user = shift; my $homeDir=''; - # my $homeDir=`$ldapsearch -b '$suffix' -s '$scope' '(&(objectclass=posixAccount)(uid=$user))' | grep "^homeDirectory:"`; - my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; - $ldap->bind ; - my $mesg = $ldap->search ( base =>$suffix, scope => $scope, filter => "(&(objectclass=posixAccount)(uid=$user))" ); + my $ldap_slave=connect_ldap_slave(); + my $mesg = $ldap_slave->search ( + base =>$suffix, + scope => $scope, + filter => "(&(objectclass=posixAccount)(uid=$user))" + ); $mesg->code && die $mesg->error; foreach my $entry ($mesg->all_entries){ - foreach my $attr ($entry->attributes) - { + foreach my $attr ($entry->attributes) { if ($attr=~/\bhomeDirectory\b/){ foreach my $ent($entry->get_value($attr)) { $homeDir.= $attr.": ".$ent."\n"; @@ -449,7 +496,7 @@ sub get_homedir } } } - $ldap->unbind; + $ldap_slave->unbind; chomp $homeDir; if ($homeDir eq '') { return undef; @@ -463,9 +510,8 @@ sub read_user { my $user = shift; my $lines =''; - my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; - $ldap->bind ; - my $mesg = $ldap->search ( # perform a search + my $ldap_slave=connect_ldap_slave(); + my $mesg = $ldap_slave->search ( # perform a search base => $suffix, scope => $scope, filter => "(&(objectclass=posixAccount)(uid=$user))" 
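Review bot: group_add builds the DN as `"cn=$gname,$groupsdn"` by interpolating the group name straight from the command line, and the search functions in the following hunks (get_homedir, read_user, read_user_entry, read_group, find_groups_of) interpolate `$user` into filters such as `"(&(objectclass=posixAccount)(uid=$user))"` the same way; a name containing DN or filter metacharacters changes the meaning of the request instead of being matched literally. Net::LDAP ships `Net::LDAP::Util::escape_dn_value` and `escape_filter_value` for exactly this, e.g. `filter => "(&(objectclass=posixAccount)(uid=" . escape_filter_value($user) . "))"` after `use Net::LDAP::Util qw(escape_dn_value escape_filter_value);`. The old LDIF and ldapsearch code had the same weakness, so this is not a regression, but the move to Net::LDAP makes the fix a one-liner per call. The start of group_add is outside the hunk.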
@@ -480,7 +526,8 @@ sub read_user } } } - $ldap->unbind; # take down sessio(n + # take down session + $ldap_slave->unbind; chomp $lines; if ($lines eq '') { return undef; @@ -488,14 +535,31 @@ sub read_user return $lines; } +# search for a user +# return the attributes in an array +sub read_user_entry + { + my $user = shift; + my $ldap_slave=connect_ldap_slave(); + my $mesg = $ldap_slave->search ( # perform a search + base => $suffix, + scope => $scope, + filter => "(&(objectclass=posixAccount)(uid=$user))" + ); + + $mesg->code && die $mesg->error; + my $entry = $mesg->entry(); + $ldap_slave->unbind; + return $entry; + } + # search for a group sub read_group { my $user = shift; my $lines =''; - my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; - $ldap->bind ; - my $mesg = $ldap->search ( # perform a search + my $ldap_slave=connect_ldap_slave(); + my $mesg = $ldap_slave->search ( # perform a search base => $groupsdn, scope => $scope, filter => "(&(objectclass=posixGroup)(cn=$user))" @@ -510,8 +574,8 @@ sub read_group } } } - - $ldap->unbind; # take down sessio(n + # take down session + $ldap_slave->unbind; chomp $lines; if ($lines eq '') { return undef; @@ -525,9 +589,8 @@ sub find_groups_of { my $user = shift; my $lines =''; - my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; - $ldap->bind ; - my $mesg = $ldap->search ( # perform a search + my $ldap_slave=connect_ldap_slave; + my $mesg = $ldap_slave->search ( # perform a search base => $groupsdn, scope => $scope, filter => "(&(objectclass=posixGroup)(memberuid=$user))" @@ -536,9 +599,11 @@ sub find_groups_of foreach my $entry ($mesg->all_entries) { $lines.= "dn: ".$entry->dn."\n"; } - $ldap->unbind; + $ldap_slave->unbind; chomp($lines); - if ($lines eq '') {return undef; } + if ($lines eq '') { + return undef; + } return $lines; } 
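Review bot: The header comment on the new read_user_entry says `# return the attributes in an array`, but the function returns `$mesg->entry()`, a single Net::LDAP::Entry object, or undef when nothing matched; the comment should read `# return the Net::LDAP::Entry of the user, or undef if not found`. `$mesg->entry()` with no index takes the first result, so if more than one posixAccount carries the same uid the choice is silent; a `$mesg->count > 1 and die "$0: uid $user is not unique\n";` guard, in the spirit of the group unicity check the ChangeLog mentions, would make that visible. Callers must not depend on the connection either, since `$ldap_slave->unbind` runs before the entry is returned, which is fine as long as they only read the detached entry object.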
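Review bot: find_groups_of calls `my $ldap_slave=connect_ldap_slave;` without parentheses, while every other converted function writes `connect_ldap_slave()`; under `use strict` a bareword call only compiles if the sub is already declared at that point of the file, so this form is fragile as well as inconsistent. Change it to `my $ldap_slave=connect_ldap_slave();`. The `sub find_groups_of` line itself is outside the hunk.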
@@ -571,53 +636,20 @@ sub group_remove_member if (!defined($grp_line)) { return 0; } - - my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; - $ldap->bind ; - my $mesg = $ldap->search ( base => $groupsdn, - scope => $scope, - filter => "(&(objectclass=posixgroup)(cn=$group))" + my $dn = get_dn_from_line($grp_line); + # we test if the user exist in the group + my $is_member=is_group_member($dn,$user); + if ($is_member == 1) { + my $ldap_master=connect_ldap_master(); + # delete only the user from the group + my $modify = $ldap_master->modify ( "$dn", + changes => [ + delete => [memberUid => ["$user"]] + ] ); - $mesg->code && die $mesg->error; - foreach my $entry ($mesg->all_entries){ - foreach my $attr ($entry->attributes) - { - if ($attr=~/\bmemberUid\b/){ - foreach my $ent($entry->get_value($attr)) { - $members.= $attr.": ".$ent."\n"; - } + $modify->code && die "failed to delete entry: ", $modify->error ; + $ldap_master->unbind; } - } - } - #print "Valeurs de members :\n$members"; - $ldap->unbind; - # my $members = `$ldapsearch -b '$groupsdn' -s '$scope' '(&(objectclass=posixgroup)(cn=$group))' | grep -i "^memberUid:"`; - # print "avant ---\n$members\n"; - $members =~ s/memberUid: $user\n//; - #print "aprs ---\n$members\n"; - chomp($members); - - my $header; - if ($members eq '') { - $header = "changetype: modify\n"; - $header .= "delete: memberUid"; - } else { - $header = "changetype: modify\n"; - $header .= "replace: memberUid"; - } - - my $tmpldif = -"$grp_line -$header -$members -"; - - #print "Valeur du tmpldif : \n$tmpldif"; - die "$0: error while modifying group $group\n" - unless (do_ldapmodify($tmpldif) == 0); - undef $tmpldif; - - $ldap->unbind; return 1; } 
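Review bot: When `is_group_member($dn,$user)` does not return 1, group_remove_member skips the modify and still falls through to `return 1;`, so a caller cannot tell "removed" from "was never a member"; returning a distinct value there, for instance `return 0;` placed after the `if ($is_member == 1)` block, would let smbldap-groupmod report it. The `die "failed to delete entry: "` text on the modify is also misleading since only one memberUid value is removed; `die "failed to remove $user from group $group: ", $modify->error;` says what happened. The beginning of the function, including where `$group` and `$user` are unpacked, is outside the hunk.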
@@ -627,11 +659,14 @@ sub group_get_members my $members; my @resultat; my $grp_line = get_group_dn($group); - if (!defined($grp_line)) { return 0; } + if (!defined($grp_line)) { + return 0; + } my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; $ldap->bind ; - my $mesg = $ldap->search ( base => $groupsdn, + my $mesg = $ldap->search ( + base => $groupsdn, scope => $scope, filter => "(&(objectclass=posixgroup)(cn=$group))" ); @@ -639,57 +674,13 @@ sub group_get_members foreach my $entry ($mesg->all_entries){ foreach my $attr ($entry->attributes){ if ($attr=~/\bmemberUid\b/){ - foreach my $ent($entry->get_value($attr)) { push (@resultat,$ent); } + foreach my $ent ($entry->get_value($attr)) { + push (@resultat,$ent); } } } - return @resultat; - } - -sub file_write { - my ($filename, $filecontent) = @_; - local *FILE; - open (FILE, "> $filename") || - die "Cannot open $filename for writing: $!\n"; - print FILE $filecontent; - close FILE; } - -# wrapper for ldapadd -sub do_ldapadd2 - { - my $ldif = shift; - my $tempfile = "/tmp/smbldapadd.$$"; - file_write($tempfile, $ldif); - - my $rc = system "$ldapadd < $tempfile >/dev/null"; - unlink($tempfile); - return $rc; - } - -sub do_ldapadd - { - my $ldif = shift; - my $FILE = "|$ldapadd >/dev/null"; - open (FILE, $FILE) || die "$!\n"; - print FILE </dev/null"; - unlink($tempfile); - return $rc; + return @resultat; } sub do_ldapmodify -- cgit From 3886d6a7a138c2082a1418f57b7d7b03390d0b90 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 5 Nov 2003 04:17:21 +0000 Subject: added note about stripping comments from LDIF; bug 642 (This used to be commit 3f67b2bbfdbedc76d7265fc5333d5f71577d9c7b) --- examples/LDAP/convertSambaAccount | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'examples/LDAP') diff --git a/examples/LDAP/convertSambaAccount b/examples/LDAP/convertSambaAccount index e00d0a2326..4357dbc8f8 100755 --- a/examples/LDAP/convertSambaAccount +++ b/examples/LDAP/convertSambaAccount 
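Review bot: group_get_members is the one search function left on `Net::LDAP->new($slaveLDAP)` plus an anonymous `$ldap->bind`, while the rest of this change routes reads through `connect_ldap_slave()`; if that helper is what applies the start_tls and bind settings from smbldap_conf, membership lookups here bypass them, so `my $ldap = connect_ldap_slave();` keeps behaviour uniform. In the next hunk (`@@ -639,57 +674,13 @@`) the function ends with `return @resultat;` without ever unbinding, so add `$ldap->unbind;` before the return as the other functions do. The early exit `return 0;` is also the only path returning a scalar from a function otherwise evaluated in list context, where callers see a one-element list `(0)` rather than an empty membership; a bare `return;` gives the empty list.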
@@ -9,6 +9,12 @@ ## --input= --output= \ ## --changetype=[modify|add] ## +## You can generate an input ldif file using: +## $ ldapsearch -LL -x -h ldapsrv -D cn=root,dc=company,dc=com \ +## -b dc=copmany,dc=com > /tmp/samba3.alpha23.ldif +## +## Note the "-LL" so no additional comments are generated +## use strict; -- cgit From 5df2fd4175049247bf105698e9abfd32272bf96e Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 4 Dec 2003 04:52:00 +0000 Subject: support munged dial for ldapsam; patch from Aurlien Degrmont; bug 800 (This used to be commit 1c3c16abc94d197e69e3350de1e5cc1e99be4322) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- examples/LDAP/samba.schema | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index 14cd720588..3ec30c46d8 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema @@ -236,6 +236,11 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) +attributetype ( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaMungedDial' + DESC '' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) + ## ## SID, of any type ## @@ -308,7 +313,7 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $ sambaProfilePath $ description $ sambaUserWorkstations $ - sambaPrimaryGroupSID $ sambaDomainName )) + sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial)) ## ## Group mapping info -- cgit From 83c64db05443a4cd68ac884ff9df71df6c22f180 Mon Sep 17 00:00:00 2001 
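Review bot: The example search base `-b dc=copmany,dc=com` misspells the suffix used in the bind DN on the previous line (`cn=root,dc=company,dc=com`), so anyone copying the command gets an empty result. The example also binds as `-D cn=root,...` with `-x` but no `-W`, so ldapsearch attempts a simple bind without a password, which servers either reject or downgrade to anonymous, hiding the attributes this script converts; `-x -W -D cn=root,dc=company,dc=com -b dc=company,dc=com` prompts for the password instead. A closing remark that the generated LDIF contains password hashes and should be deleted once imported would fit the same comment block.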
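Review bot: The new `sambaMungedDial` attributetype carries an empty `DESC ''`, which gives an administrator reading the schema no hint of what the value holds; the neighbouring attributes presumably have descriptions, so this one stands out. A short text such as `DESC 'Base64 encoded user parameter string'`, or at minimum the wording of the commit subject (munged dial data for ldapsam), would do. The `SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050}` length cap looks deliberate but deserves a one-line `##` comment above the definition saying where 1050 comes from.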
From: Gerald Carter Date: Thu, 4 Dec 2003 05:02:53 +0000 Subject: sync OID with HEAD (This used to be commit d463abb035a19dce84902039623275cd72e16edc) --- examples/LDAP/samba.schema | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index 3ec30c46d8..a2225faa58 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema @@ -236,7 +236,7 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) -attributetype ( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaMungedDial' +attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC '' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) -- cgit From dc058d980b369578b56c53972e8033fc77ee0b48 Mon Sep 17 00:00:00 2001 
From: Gerald Carter Date: Thu, 4 Dec 2003 21:59:20 +0000 Subject: updating top 0.8.2-1 of the smbldap tools (This used to be commit b798f30f0a83ba00ebbe1b82983ca6690642ad02) --- examples/LDAP/smbldap-tools/CONTRIBUTORS | 10 +- examples/LDAP/smbldap-tools/ChangeLog | 105 ++++- examples/LDAP/smbldap-tools/FILES | 2 + examples/LDAP/smbldap-tools/INFRA | 93 ++++ examples/LDAP/smbldap-tools/INSTALL | 2 + examples/LDAP/smbldap-tools/README | 3 + examples/LDAP/smbldap-tools/TODO | 2 + examples/LDAP/smbldap-tools/smbldap-groupadd.pl | 97 ++++- examples/LDAP/smbldap-tools/smbldap-groupdel.pl | 15 +- examples/LDAP/smbldap-tools/smbldap-groupmod.pl | 157 +++++-- examples/LDAP/smbldap-tools/smbldap-groupshow.pl | 6 +- .../LDAP/smbldap-tools/smbldap-migrate-accounts.pl | 44 +- .../LDAP/smbldap-tools/smbldap-migrate-groups.pl | 90 ++-- examples/LDAP/smbldap-tools/smbldap-passwd.pl | 118 ++--- examples/LDAP/smbldap-tools/smbldap-populate.pl | 135 ++++-- examples/LDAP/smbldap-tools/smbldap-tools.spec | 70 +-- examples/LDAP/smbldap-tools/smbldap-useradd.pl | 358 ++++++++------- examples/LDAP/smbldap-tools/smbldap-userdel.pl | 34 +- examples/LDAP/smbldap-tools/smbldap-usermod.pl | 272 +++++++----- examples/LDAP/smbldap-tools/smbldap-usershow.pl | 6 +- examples/LDAP/smbldap-tools/smbldap_conf.pm | 66 +-- examples/LDAP/smbldap-tools/smbldap_tools.pm | 482 ++++++++++++--------- 22 files changed, 1354 insertions(+), 813 deletions(-) create mode 100644 examples/LDAP/smbldap-tools/INFRA (limited to 'examples/LDAP') diff --git a/examples/LDAP/smbldap-tools/CONTRIBUTORS b/examples/LDAP/smbldap-tools/CONTRIBUTORS index 59dafcc89e..d080dd020e 100644 --- a/examples/LDAP/smbldap-tools/CONTRIBUTORS +++ b/examples/LDAP/smbldap-tools/CONTRIBUTORS 
@@ -1,13 +1,19 @@ +# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/CONTRIBUTORS,v $ +# ## Authors and actives contributors to SMBLDAP-TOOLS Have contributed directly to this tools, or are always in charge of -some aspects of it developments (alphabetical order): +some aspects of it developments: + . Jrme Tournier . Terry Davis . David Le Corfec . Olivier Lemaire - . Jrme Tournier Many thanks to contributors for bug report and patches: + . Marc Schoechlin + load the perl-modules without setting environment-variables or making symlinks + . Alexander Bergolth + more Net::LDAP support . Gert-Jan Braas bug report for 2.2.3 samba.schema . Jody Haynes diff --git a/examples/LDAP/smbldap-tools/ChangeLog b/examples/LDAP/smbldap-tools/ChangeLog index 0994cb4931..e6394d1add 100644 --- a/examples/LDAP/smbldap-tools/ChangeLog +++ b/examples/LDAP/smbldap-tools/ChangeLog 
@@ -1,28 +1,89 @@ +# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/ChangeLog,v $ +# $id: $ +# ## ChangeLog for SMBLDAP-TOOLS -* 2002-07-24: top and account objectclasses replaced with inetorgperson -* 2002-06-03: notes to webmin.idealx.org (idxldapaccounts) -* 2002-06-01: release 0.7. tested with 2.2.4 -* 2002-05-31: fixed smbldap-populate compliance to smbldap_conf - cleaned up smbldap_conf to be more readable - some more documentation - bugfixes on smbldap-passwd and smbldap-populate -* 2002-05-16: modified default mode on homes: now 700 -* 2002-05-13: fixed spec (relocation and reqs) -* 2002-03-02: fixed 2.2.3 sambaAccount bug with smbldap-useradd.pl +2003-11-18: + . new option '-a' to smbldap-usermod.pl that allow adding the sambaSAMAccount + objectclass to an existing posixAccount +2003-11-07: + . patch that allow adding user to a group when the group is in a higher level depth + then ou=Groups (for example, ou=grp1,ou=Groups,...) + . check the unicity of a group when adding/removing a user to this group +2003-10-28: + . new option '-p' in smbldap-groupadd.pl to 'print' the gidNumber + of the group to STDOUT. This is needed by samba (see the man page) +2003-10-19: + . new function does_sid_exist that check if samaSID sttribute is already + defined for another use or another group +2003-10-13: + . smbldap-populate.pl now also add the group mapping +2003-10-01: + . one can now comment the two directives '$_userSmbHome' and '$_userProfile' + if you want to use the smb.conf directives instead ('logon home' and + 'logon path' respectively), or if you want to desable roaming profiles + . Patch from Alexander Bergolth : the sambaPrimaryGroupSID + of a user is now set to the sambaSID of his primary group +2003-09-29: + . added new option '$_defaultMaxPasswordAge' in smbldap_conf.pm to specifie + how long a password is valid + . The '-B' option was not always valid: to force a user to change his password: + . 
the attribut sambaPwdLastSet must be != 0 + . the attribut sambaAcctFlags must not match the 'X' flag + . logon script is set (for every one) to the default '_userScript' value if it is defined + . Patch from Alexander Bergolth : + gid-sid group mapping to smbldap-groupadd.pl and smbldap-groupmod.pl +2003-09-19: Patch from Marc Schoechlin + . load the perl-modules without setting environment-variables or making symlinks +2003-09-18: Patch from Alexander Bergolth + . options "-u", "-g", "-s" and "-c" are now functionnal + . the existence of samba account was made on sambaAccount and + not sambaSAMAccount as it should be for samba3 + . new function read_user_entry to smbldap_tools.pm that returns + a Net::LDAP:Entry object of the user + . Use this object to get the dn and user attributes instead of + producing an ldif and searching for attributes within that ldif +2003-09-15: + . change machine account creation to not add the sambaSAMAccount objectclass. + It is now added directly by samba when joigning the domain + . new option in smbldap-usermod.pl: '-e' to set an expire date + . Start_tls support activated when ldapSSL is set to 1 + . Net::LDAP support more scripts + . bugs correction +2003-09-02: + . sambaPwdLastSet is updated when smbldap-passwd.pl is used + . add a function is_group_member to test the existence of a + user in a particular group + . add a function is_unix_user to test if a particular user exist + . Net::LDAP support more scripts +2003-08-15: + . Samba3.0 support +2003-08-01: + . Final version for samba 2.2.8a (cvs tag SAMBA-2-2-8a-FINAL) + . OpenLDAP 2.1 support (only one structural objectclass allowed) +2002-07-24: top and account objectclasses replaced with inetorgperson +2002-06-03: notes to webmin.idealx.org (idxldapaccounts) +2002-06-01: release 0.7. 
tested with 2.2.4 +2002-05-31: fixed smbldap-populate compliance to smbldap_conf + cleaned up smbldap_conf to be more readable + some more documentation + bugfixes on smbldap-passwd and smbldap-populate +2002-05-16: modified default mode on homes: now 700 +2002-05-13: fixed spec (relocation and reqs) +2002-03-02: fixed 2.2.3 sambaAccount bug with smbldap-useradd.pl (rid is now mandatory in the sambaAccount objectClass) -* 2002-02-14: just modified default populate for Administrator -* 2002-02-05: release 0.6. enable/disable user in usermod -* 2002-02-04: release 0.5. added smbldap-migrate-groups to migrate NT groups - from a net group dump. added samba parameters to smbldap-useradd - and smbldap-usermod. -* 2002-01-12: added smbldap-migrate-accounts to migrate users/machines - accounts from a PWDUMP dump -* 2001-12-13: added smbldap-populate to create the initial base -* 2001-12-13: initial release 0.1 -* 2001-12-12: fixed the SPEC file for RedHat -* 2001-12-03: cleaned the code and use strict; -* 2001-11-20: initial needs (for testing purpose on Samba-2.2.2 an Samba-TNG) +2002-02-14: just modified default populate for Administrator +2002-02-05: release 0.6. enable/disable user in usermod +2002-02-04: release 0.5. added smbldap-migrate-groups to migrate NT groups + from a net group dump. added samba parameters to smbldap-useradd + and smbldap-usermod. +2002-01-12: added smbldap-migrate-accounts to migrate users/machines + accounts from a PWDUMP dump +2001-12-13: added smbldap-populate to create the initial base +2001-12-13: initial release 0.1 +2001-12-12: fixed the SPEC file for RedHat +2001-12-03: cleaned the code and use strict; +2001-11-20: initial needs (for testing purpose on Samba-2.2.2 an Samba-TNG) # - The End diff --git a/examples/LDAP/smbldap-tools/FILES b/examples/LDAP/smbldap-tools/FILES index 0343c53d60..48ee571b29 100644 --- a/examples/LDAP/smbldap-tools/FILES +++ b/examples/LDAP/smbldap-tools/FILES 
@@ -1,3 +1,5 @@ +# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/FILES,v $ +# ## File listing for SMBLDAP-TOOLS CONTRIBUTORS : authors and contributors diff --git a/examples/LDAP/smbldap-tools/INFRA b/examples/LDAP/smbldap-tools/INFRA new file mode 100644 index 0000000000..fe5ce8df2b --- /dev/null +++ b/examples/LDAP/smbldap-tools/INFRA 
@@ -0,0 +1,93 @@ +# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/Attic/INFRA,v $ +# +## Some notes about the architecture + + +Global Architecture for smbdlap-tools +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + +smbldap-tools help you manage users and groups for Unix and Samba, +using LDAP. They may be used in any context, and are kept relatively +simplier enought to let you customize them to you needs. + +They need the following objectClasses to work: + . sambaAccount: from samba.schema for Samba 2.2 branch + . posixAccount and posixGroup : from nis.schema + . organizationalUnit and dcObject: from core.schema + +They will probably use in a near future some additional objectClasses +to support : + . mail features (sendmail/postfix/qmail/courier). + . conform to RFC2307 best practices (and so some maps too like merging + Netbios computers (sambaAccounts) with ipHosts + +For ease of visualization of the LDAP objects by human standards, we +used a DIT like this one : + . dc=IDEALX,dc=org : the company/organization suffix + . ou=Users : to store users accounts + . ou=Computers : to store computers accounts + . ou=Groups : to store system groups +Of course, you're free to use a different naming scheme and DIT (see +smbldap_conf.pm). + + +Built in groups initial population +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + +smbldap-populate.pl populate the LDAP directory with some built in groups +using gidNumber according to Well Know RID of Windows NT4 Srv. In fact, As +far a Samba 2.2.x is concerned, only the 'Domain Admins' (gidNumber 512) have +real inpact on the Samba and Windows population. To activate this group as +the Domain Administrators Group, use the following smb.conf directive (see +man smb.conf for more): + + domain admin group = " @"Domain Admins" " + +However, to make pdb_ldap accept bind without being uid=0, a quick and +dirty patch must be applied to 2.2.4 (see samba-2.2.4-ldapbindnotuid0.patch). 
+This patch is Q&D because the check is there because Samba store admin +credentials to establish the LDAP connection. The uid == 0 check was to +ensure that a normal user could not get write access to the LDAP backend. +A more logical situation should be done for 2.2.5 by checking if the user +is a member of the domain admin group (reported to Jerremy and Gerald +2002-05-28). + +Other built in groups are really cosmetic ones with Samba 2.2.x. We did not +removed them because one of these days, we whish to use Samba 3.0 where +Windows Group Support should be operational. + +Why these specific gidNumbers ? +It's about unix/windows mapping of numerical ids with Samba. Ids below 1024 +are NT special ids. In fact, 512 is the RID (Windows uid/gid) for the +"Domain Administrators" NT group. The magic number is found in Samba sources +and possibly other Samba/Windows documentations. + +The goal is to have a set of Unix users who are Domain Administrators and can +modify Samba datas (eg. LDAP content), with commandline tools or within +Windows via Samba. + +Say you want to add a NT4 ws to an NT domain (controlled by a samba/ldap +server). You give the domain administrator's login and password in the +appropriate ws settings, then the ws contacts the samba server, which checks +the credentials and use them as unix user to run the smbldap-tools (if I +remember). Giving 512 as a RID to a LDAP entry marks it as a domain admin +for Samba (thus Windows). Using nss_ldap, you also have an account with +gid 512. + + +Known BUGS and WORKAROUND used +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + +The 2.2.2 has at least a bug : rid/primaryGroupID are read as hex in LDAP, +but written as decimal. Fixed in CVS by reading as decimal. By default +smbldap-useradd.pl writes decimal to LDAP. Use -x to support the odd +behaviour. + +The samba-2.2.4-ldapbindnotuid0.patch is not a perfect solution however +as the check is there because Samba store admin credentials to establish the +LDAP connection. 
The uid == 0 check was to ensure that a normal user could +not get write access to the LDAP backend. A more logical situation should be +done for 2.2.5 by checking if the user is a member of the domain admin group +(reported to Jerremy and Gerald 2002-05-28). + +# - The End diff --git a/examples/LDAP/smbldap-tools/INSTALL b/examples/LDAP/smbldap-tools/INSTALL index d5ca07826f..f4c72751a7 100644 --- a/examples/LDAP/smbldap-tools/INSTALL +++ b/examples/LDAP/smbldap-tools/INSTALL @@ -1,3 +1,5 @@ +# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/INSTALL,v $ +# ## How To Install SMBLDAP-TOOLS Quick & Dirty: diff --git a/examples/LDAP/smbldap-tools/README b/examples/LDAP/smbldap-tools/README index 3b4bf2da0d..add0175c0c 100644 --- a/examples/LDAP/smbldap-tools/README +++ b/examples/LDAP/smbldap-tools/README @@ -1,3 +1,6 @@ +# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/README,v $ +# + Latest version may be found at http://samba.idealx.org/ diff --git a/examples/LDAP/smbldap-tools/TODO b/examples/LDAP/smbldap-tools/TODO index 25cc30c684..71e6695299 100644 --- a/examples/LDAP/smbldap-tools/TODO +++ b/examples/LDAP/smbldap-tools/TODO @@ -1,3 +1,5 @@ +# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/TODO,v $ +# ## TODO list - First In, Last in the list... ## (BF: Bug Report / FR: Feature Request) diff --git a/examples/LDAP/smbldap-tools/smbldap-groupadd.pl b/examples/LDAP/smbldap-tools/smbldap-groupadd.pl index 91cd2dad53..a659800482 100755 --- a/examples/LDAP/smbldap-tools/smbldap-groupadd.pl +++ b/examples/LDAP/smbldap-tools/smbldap-groupadd.pl @@ -1,5 +1,7 @@ #!/usr/bin/perl -w +# $Id: smbldap-groupadd.pl,v 1.1.6.3 2003/12/04 21:59:19 jerry Exp $ +# # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # 
@@ -27,33 +29,104 @@ use FindBin; use FindBin qw($RealBin); use lib "$RealBin/"; use smbldap_tools; - +use smbldap_conf; use Getopt::Std; my %Options; -my $ok = getopts('og:?', \%Options); +my $ok = getopts('ag:or:s:t:p?', \%Options); if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) { - print "Usage: $0 [-go?] groupname\n"; - print " -g gid\n"; - print " -o gid is not unique\n"; - print " -? show this help message\n"; - exit (1); + print "Usage: $0 [-agorst?] groupname\n"; + print " -a add automatic group mapping entry\n"; + print " -g gid\n"; + print " -o gid is not unique\n"; + print " -r group-rid\n"; + print " -s group-sid\n"; + print " -t group-type\n"; + print " -p print the gidNumber to stdout\n"; + print " -? show this help message\n"; + exit (1); } my $_groupName = $ARGV[0]; if (defined(get_group_dn($_groupName))) { - print "$0: group $_groupName exists\n"; - exit (6); + warn "$0: group $_groupName exists\n"; + exit (6); } my $_groupGidNumber = $Options{'g'}; +if (! defined ($_groupGidNumber = group_add($_groupName, $_groupGidNumber, $Options{'o'}))) { + warn "$0: error adding group $_groupName\n"; + exit (6); +} + +my $group_sid; +my $tmp; +if ($tmp= $Options{'s'}) { + if ($tmp =~ /^S-(?:\d+-)+\d+$/) { + $group_sid = $tmp; + } else { + warn "$0: illegal group-rid $tmp\n"; + exit(7); + } +} elsif ($Options{'r'} || $Options{'a'}) { + my $group_rid; + if ($tmp= $Options{'r'}) { + if ($tmp =~ /^\d+$/) { + $group_rid = $tmp; + } else { + warn "$0: illegal group-rid $tmp\n"; + exit(7); + } + } else { + # algorithmic mapping + $group_rid = 2*$_groupGidNumber+1001; + } + $group_sid = $SID.'-'.$group_rid; +} + +if ($Options{'r'} || $Options{'a'} || $Options{'s'}) { + # let's test if this SID already exist + my $test_exist_sid=does_sid_exist($group_sid,$groupsdn); + if ($test_exist_sid->count == 1) { + warn "Group SID already owned by\n"; + # there should not exist more than one entry, but ... 
+ foreach my $entry ($test_exist_sid->all_entries) { + my $dn= $entry->dn; + chomp($dn); + warn "$dn\n"; + } + exit(7); + } +} -if (!group_add($_groupName, $_groupGidNumber, $Options{'o'})) { - print "$0: error adding group $_groupName\n"; - exit (6); +if ($group_sid) { + my $group_type; + my $tmp; + if ($tmp= $Options{'t'}) { + unless (defined($group_type = &group_type_by_name($tmp))) { + warn "$0: unknown group type $tmp\n"; + exit(8); + } + } else { + $group_type = group_type_by_name('domain'); + } + my $ldap_master=connect_ldap_master(); + my $modify = $ldap_master->modify ( "cn=$_groupName,$groupsdn", + add => { + 'objectClass' => 'sambaGroupMapping', + 'sambaSID' => $group_sid, + 'sambaGroupType' => $group_type + } + ); + $modify->code && warn "failed to delete entry: ", $modify->error ; + # take down session + $ldap_master->unbind } +if ($Options{'p'}) { + print STDOUT "$_groupGidNumber"; +} exit(0); ######################################## diff --git a/examples/LDAP/smbldap-tools/smbldap-groupdel.pl b/examples/LDAP/smbldap-tools/smbldap-groupdel.pl index 89d0d993ac..0f5b0998da 100755 --- a/examples/LDAP/smbldap-tools/smbldap-groupdel.pl +++ b/examples/LDAP/smbldap-tools/smbldap-groupdel.pl @@ -1,5 +1,7 @@ #!/usr/bin/perl -w +# $Id: smbldap-groupdel.pl,v 1.1.6.3 2003/12/04 21:59:19 jerry Exp $ +# # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # 
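Review bot: The SID uniqueness check only fires when `$test_exist_sid->count == 1`, so if two or more entries already own the SID (the comment itself admits this can happen) the new group is created with yet another copy; test `if ($test_exist_sid->count > 0) {` instead, and the loop below already prints every owner. The `-s` branch rejects a malformed SID with `warn "$0: illegal group-rid $tmp\n"`, which should say `illegal group-sid`, and the group-mapping modify ends in `$modify->code && warn "failed to delete entry: ", $modify->error ;` followed by `exit(0)`, so a failed mapping is misreported (it is a modify) and the script still exits 0; `die` or a non-zero `exit` is needed for a caller such as samba's add group script to notice. The same `illegal group-rid` wording and `warn "failed to delete entry"` appear in the final hunk of smbldap-groupmod.pl in this commit. `$_groupGidNumber = group_add(...)` now relies on group_add returning the gidNumber; the older copy of group_add visible earlier on this page returned 1, so the smbldap_tools.pm change in this commit (not shown here) must carry that update or `-p` prints 1.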
@@ -30,23 +32,22 @@ use smbldap_tools; use smbldap_conf; ##################### - use Getopt::Std; my %Options; my $ok = getopts('?', \%Options); if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) { - print "Usage: $0 groupname\n"; - print " -? show this help message\n"; - exit (1); + print "Usage: $0 groupname\n"; + print " -? show this help message\n"; + exit (1); } my $_groupName = $ARGV[0]; my $dn_line; if (!defined($dn_line = get_group_dn($_groupName))) { - print "$0: group $_groupName doesn't exist\n"; - exit (6); + print "$0: group $_groupName doesn't exist\n"; + exit (6); } my $dn = get_dn_from_line($dn_line); @@ -56,7 +57,7 @@ group_del($dn); my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1"; if ($nscd_status == 0) { - system "/etc/init.d/nscd restart > /dev/null 2>&1"; + system "/etc/init.d/nscd restart > /dev/null 2>&1"; } #if (defined($dn_line = get_group_dn($_groupName))) { diff --git a/examples/LDAP/smbldap-tools/smbldap-groupmod.pl b/examples/LDAP/smbldap-tools/smbldap-groupmod.pl index f897101602..eeb67d5712 100755 --- a/examples/LDAP/smbldap-tools/smbldap-groupmod.pl +++ b/examples/LDAP/smbldap-tools/smbldap-groupmod.pl @@ -1,4 +1,7 @@ #!/usr/bin/perl -w + +# $Id: smbldap-groupmod.pl,v 1.1.6.6 2003/12/04 21:59:19 jerry Exp $ +# # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # 
@@ -29,29 +32,33 @@ use lib "$RealBin/"; use smbldap_tools; use smbldap_conf; - ##################### use Getopt::Std; my %Options; -my $ok = getopts('og:n:m:x:?', \%Options); +my $ok = getopts('ag:n:m:or:s:t:x:?', \%Options); if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) { - print "Usage: $0 [-g gid [-o]] [-n name] [-m members(,)] [-x members (,)] groupname\n"; - print " -g new gid\n"; - print " -o gid is not unique\n"; - print " -n new group name\n"; - print " -m add members (comma delimited)\n"; - print " -x delete members (comma delimted)\n"; - print " -? show this help message\n"; - exit (1); + print "Usage: $0 [-a] [-g gid [-o]] [-n name] [-m members(,)] [-x members (,)] [-r rid] [-s sid] [-t type] groupname\n"; + print " -a add automatic group mapping entry\n"; + print " -g new gid\n"; + print " -o gid is not unique\n"; + print " -n new group name\n"; + print " -m add members (comma delimited)\n"; + print " -r group-rid\n"; + print " -s group-sid\n"; + print " -t group-type\n"; + print " -x delete members (comma delimted)\n"; + print " -? show this help message\n"; + exit (1); } my $groupName = $ARGV[0]; +my $group_entry; -if (!defined(get_group_dn($groupName))) { - print "$0: group $groupName doesn't exist\n"; - exit (6); +if (! ($group_entry = read_group_entry($groupName))) { + print "$0: group $groupName doesn't exist\n"; + exit (6); } my $newname = $Options{'n'}; 
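Review bot: The new usage text prints `-x delete members (comma delimted)`; it should read `comma delimited` like the `-m` line above it. The not-found diagnostic `print "$0: group $groupName doesn't exist\n"` still goes to STDOUT, whereas smbldap-groupadd.pl in this same commit switched its error paths to `warn`; using `warn` here too keeps error output on STDERR where a calling script, or samba itself, expects it.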
@@ -59,20 +66,24 @@ my $newname = $Options{'n'}; my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1"; if ($nscd_status == 0) { - system "/etc/init.d/nscd restart > /dev/null 2>&1"; + system "/etc/init.d/nscd restart > /dev/null 2>&1"; } my $gid = getgrnam($groupName); +unless (defined ($gid)) { + print "$0: group $groupName not found!\n"; + exit(6); +} my $tmp; if (defined($tmp = $Options{'g'}) and $tmp =~ /\d+/) { - if (!defined($Options{'o'})) { + if (!defined($Options{'o'})) { if (defined(getgrgid($tmp))) { - print "$0: gid $tmp exists\n"; - exit (6); + print "$0: gid $tmp exists\n"; + exit (6); } - } - if (!($gid == $tmp)) { + } + if (!($gid == $tmp)) { my $ldap_master=connect_ldap_master(); my $modify = $ldap_master->modify ( "cn=$groupName,$groupsdn", changes => [ @@ -82,7 +93,7 @@ if (defined($tmp = $Options{'g'}) and $tmp =~ /\d+/) { $modify->code && die "failed to modify entry: ", $modify->error ; # take down session $ldap_master->unbind - } + } } @@ -101,17 +112,19 @@ if (defined($newname)) { # Add members if (defined($Options{'m'})) { - my $members = $Options{'m'}; - my @members = split( /,/, $members ); - my $member; - foreach $member ( @members ) { + my $members = $Options{'m'}; + my @members = split( /,/, $members ); + my $member; + foreach $member ( @members ) { + my $group_entry=read_group_entry($groupName); + $groupsdn=$group_entry->dn; if (is_unix_user($member)) { - if (is_group_member("cn=$groupName,$groupsdn",$member)) { + if (is_group_member($groupsdn,$member)) { print "User $member already in the group\n"; } else { print "adding user $member to group $groupName\n"; my $ldap_master=connect_ldap_master(); - my $modify = $ldap_master->modify ( "cn=$groupName,$groupsdn", + my $modify = $ldap_master->modify ($groupsdn, changes => [ add => [memberUid => $member] ] 
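Review bot: `my $gid = getgrnam($groupName);` resolves the gid through NSS even though `$group_entry` was read from the directory a few lines earlier; on a host where nss_ldap is not wired up, or where nscd is serving a stale cache (it is restarted just before this line), the script exits with `group $groupName not found!` for a group that plainly exists. `my $gid = $group_entry->get_value('gidNumber');` takes the value from the entry already in hand and removes that dependency; `get_value` is the accessor this same script uses for sambaGroupType further down. The added `unless (defined ($gid))` guard is a good addition either way.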
@@ -123,19 +136,21 @@ if (defined($Options{'m'})) { } else { print "User $member does not exist: create it first !\n"; } - } + } } # Delete members if (defined($Options{'x'})) { - my $members = $Options{'x'}; - my @members = split( /,/, $members ); - my $member; - foreach $member ( @members ) { - if (is_group_member("cn=$groupName,$groupsdn",$member)) { + my $members = $Options{'x'}; + my @members = split( /,/, $members ); + my $member; + foreach $member ( @members ) { + my $group_entry=read_group_entry($groupName); + $groupsdn=$group_entry->dn; + if (is_group_member("$groupsdn",$member)) { print "deleting user $member from group $groupName\n"; my $ldap_master=connect_ldap_master(); - my $modify = $ldap_master->modify ( "cn=$groupName,$groupsdn", + my $modify = $ldap_master->modify ($groupsdn, changes => [ delete => [memberUid => $member] ] 
@@ -146,13 +161,73 @@ if (defined($Options{'x'})) { } else { print "User $member is not in the group $groupName!\n"; } - } + } +} + +my $group_sid; +if ($tmp= $Options{'s'}) { + if ($tmp =~ /^S-(?:\d+-)+\d+$/) { + $group_sid = $tmp; + } else { + print "$0: illegal group-rid $tmp\n"; + exit(7); + } +} elsif ($Options{'r'} || $Options{'a'}) { + my $group_rid; + if ($tmp= $Options{'r'}) { + if ($tmp =~ /^\d+$/) { + $group_rid = $tmp; + } else { + print "$0: illegal group-rid $tmp\n"; + exit(7); + } + } else { + # algorithmic mapping + $group_rid = 2*$gid+1001; + } + $group_sid = $SID.'-'.$group_rid; +} + +if ($group_sid) { + my @adds; + my @mods; + push(@mods, 'sambaSID' => $group_sid); + + if ($tmp= $Options{'t'}) { + my $group_type; + if (defined($group_type = &group_type_by_name($tmp))) { + push(@mods, 'sambaGroupType' => $group_type); + } else { + print "$0: unknown group type $tmp\n"; + exit(8); + } + } else { + if (! defined($group_entry->get_value('sambaGroupType'))) { + push(@mods, 'sambaGroupType' => group_type_by_name('domain')); + } + } + + my @oc = $group_entry->get_value('objectClass'); + unless (grep($_ =~ /^sambaGroupMapping$/i, @oc)) { + push (@adds, 'objectClass' => 'sambaGroupMapping'); + } + + my $ldap_master=connect_ldap_master(); + my $modify = $ldap_master->modify ( "cn=$groupName,$groupsdn", + changes => [ + 'add' => [ @adds ], + 'replace' => [ @mods ] + ] + ); + $modify->code && warn "failed to delete entry: ", $modify->error ; + # take down session + $ldap_master->unbind } $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1"; if ($nscd_status == 0) { - system "/etc/init.d/nscd restart > /dev/null 2>&1"; + system "/etc/init.d/nscd restart > /dev/null 2>&1"; } exit (0); 
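Review bot: In the new `-s` branch the rejection message says `illegal group-rid` although it is the SID that failed validation; it should read `print "$0: illegal group-sid $tmp\n";`. At the end of the block the result check is `$modify->code && warn "failed to delete entry: "` — the text is copied from a delete, and unlike every other `modify` in this script it only warns, so a failed sambaSID/sambaGroupType write is followed by `exit (0)` and the caller sees success; `$modify->code && die "failed to modify entry: ", $modify->error;` matches the rest of the file. Two smaller points: `group_type_by_name` is called once as `&group_type_by_name(...)` and once without the `&`, and the `&` form is best dropped; and when `@adds` is empty the request still carries an `'add' => []` change, which I would only push when there is an objectClass to add.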
@@ -161,19 +236,19 @@ exit (0); =head1 NAME - smbldap-groupmod.pl - Modify a group +smbldap-groupmod.pl - Modify a group =head1 SYNOPSIS - smbldap-groupmod.pl [-g gid [-o]] [-n group_name ] group +smbldap-groupmod.pl [-g gid [-o]] [-n group_name ] group =head1 DESCRIPTION - The smbldap-groupmod.pl command modifies the system account files to - reflect the changes that are specified on the command line. - The options which apply to the smbldap-groupmod command are +The smbldap-groupmod.pl command modifies the system account files to + reflect the changes that are specified on the command line. + The options which apply to the smbldap-groupmod command are - -g gid The numerical value of the group's ID. This value must be + -g gid The numerical value of the group's ID. This value must be unique, unless the -o option is used. The value must be non- negative. Any files which the old group ID is the file group ID must have the file group ID changed manually. diff --git a/examples/LDAP/smbldap-tools/smbldap-groupshow.pl b/examples/LDAP/smbldap-tools/smbldap-groupshow.pl index 18fe082e66..9c30f0fc12 100755 --- a/examples/LDAP/smbldap-tools/smbldap-groupshow.pl +++ b/examples/LDAP/smbldap-tools/smbldap-groupshow.pl @@ -1,5 +1,7 @@ #!/usr/bin/perl -w +# $Id: smbldap-groupshow.pl,v 1.1.6.3 2003/12/04 21:59:19 jerry Exp $ +# # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # @@ -36,8 +38,8 @@ my %Options; my $ok = getopts('?', \%Options); if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) { - print "Usage: $0 [-?] group\n"; - print " -? show this help message\n"; + print "Usage: $0 [-?] group\n"; + print " -? show this help message\n"; exit (1); } diff --git a/examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl b/examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl index 86f52cb53e..05f9b27600 100755 --- a/examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl 
+++ b/examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl @@ -1,5 +1,7 @@ #!/usr/bin/perl -w +# $Id: smbldap-migrate-accounts.pl,v 1.1.6.4 2003/12/04 21:59:19 jerry Exp $ +# # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # @@ -39,8 +41,8 @@ use smbldap_conf; # Errors, debug and stats are output to stderr. sub modify_account -{ - my ($login, $basedn, $lmpwd, $ntpwd, $gecos, $homedir) = @_; + { + my ($login, $basedn, $lmpwd, $ntpwd, $gecos, $homedir) = @_; # bind to a directory with dn and password my $ldap_master=connect_ldap_master(); my $modify = $ldap_master->modify ("uid=$login,$basedn", @@ -54,7 +56,7 @@ sub modify_account $modify->code && die "failed to modify entry: ", $modify->error ; # take down the session $ldap_master->unbind; -} + } ##################### 
@@ -64,15 +66,15 @@ my %Options; my $ok = getopts('awA:CUW:?h', \%Options); if ( (!$ok) || ($Options{'?'}) || ($Options{'h'}) ) { - print "Usage: $0 [-awAWCU?]\n"; - print " -a process only people, ignore computers\n"; - print " -w process only computers, ignore persons\n"; - print " -A option string passed verbatim to smbldap-useradd for persons\n"; - print " -W option string passed verbatim to smbldap-useradd for computers\n"; - print " -C if entry not found, don't create it and log it to stdout (default: create it)\n"; - print " -U if entry found, don't update it and log it to stdout (default: update it)\n"; + print "Usage: $0 [-awAWCU?]\n"; + print " -a process only people, ignore computers\n"; + print " -w process only computers, ignore persons\n"; + print " -A option string passed verbatim to smbldap-useradd for persons\n"; + print " -W option string passed verbatim to smbldap-useradd for computers\n"; + print " -C if entry not found, don't create it and log it to stdout (default: create it)\n"; + print " -U if entry found, don't update it and log it to stdout (default: update it)\n"; print " -?|-h show this help message\n"; - exit (1); + exit (1); } my %processed = ( 'user' => 0, 'machine' => 0); @@ -90,7 +92,7 @@ while (<>) { my $entry_type = 'user'; - if ($login =~ m/.*\$$/ ) { # computer + if ($login =~ m/.*\$$/ ) { # computer $processed{'machine'}++; $entry_type = 'machine'; if (defined($Options{'a'})) { 
@@ -117,14 +119,14 @@ while (<>) { } # normalize homedir -# uncomment to replace configured share with share from pwdump -# if ($homedir eq "") { - $homedir = $_userSmbHome; -# } + # uncomment to replace configured share with share from pwdump + # if ($homedir eq "") { + $homedir = $_userSmbHome; + # } # normalize gecos if (!($gecos eq "")) { - $gecos =~ tr/ÁÀÂÄáàâäÇçÉÈÊËÆéèêëæÍÌÏÎíìîÏÑñÓÒÔÖóòôöÚÙÜÛúùüûÝýÿ/AAAAaaaaCcEEEEEeeeeeIIIIiiiiNnOOOOooooUUUUuuuuYyy/; + $gecos =~ tr//AAAAaaaaCcEEEEEeeeeeIIIIiiiiNnOOOOooooUUUUuuuuYyy/; } else { $gecos = $_userGecos; } @@ -141,12 +143,12 @@ while (<>) { print STDERR "error adding $login, skipping\n"; next; } - # lem modif... a retirer si pb + # lem modif... a retirer si pb if ($entry_type eq "user") { modify_account($login, $userbasedn, $lmpwd, $ntpwd, $gecos, $homedir); - } + } - $created{$entry_type}++; + $created{$entry_type}++; } else { # uid doesn't exist and no create => log print "$_"; $logged{$entry_type}++; @@ -187,7 +189,7 @@ print STDERR "special users skipped: $specialskipped\n"; =head1 NAME - smbldap-migrate.pl - Migrate NT accounts to LDAP +smbldap-migrate.pl - Migrate NT accounts to LDAP =head1 SYNOPSIS diff --git a/examples/LDAP/smbldap-tools/smbldap-migrate-groups.pl b/examples/LDAP/smbldap-tools/smbldap-migrate-groups.pl index c60be18caf..37a0286b06 100644 --- a/examples/LDAP/smbldap-tools/smbldap-migrate-groups.pl +++ b/examples/LDAP/smbldap-tools/smbldap-migrate-groups.pl @@ -1,5 +1,7 @@ #!/usr/bin/perl +# $Id: smbldap-migrate-groups.pl,v 1.1.6.3 2003/12/04 21:59:19 jerry Exp $ +# # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # 
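Review bot: The rewritten transliteration reads `$gecos =~ tr//AAAAaaaaCcEEEEEeeeeeIIIIiiiiNnOOOOooooUUUUuuuuYyy/`, i.e. with an empty SEARCHLIST, whereas the removed line listed the accented characters to map; if that is really what was committed (rather than this page dropping the non-ASCII bytes), the `tr` matches nothing and gecos normalization silently stops working. Restore the search list, and consider writing it with `\x{..}` escapes so it no longer depends on the file's byte encoding. The `while (<>)` loop this sits in starts and ends outside the hunk.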
@@ -33,52 +35,50 @@ use smbldap_tools; use smbldap_conf; use Getopt::Std; - - sub process_rec_group -{ + { my ($group, $mb) = @_; my @members; if (!(@members = group_get_members($group))) { - return 0; + return 0; } foreach my $m (@members) { - if ( !($m =~ m/^\*/) ) { + if ( !($m =~ m/^\*/) ) { push @{$mb}, $m; - } else { + } else { my $gname = $m; $gname =~ s/^.//; if (!process_rec_group($gname, $mb)) { - print "recursive group not added : $gname\n"; + print "recursive group not added : $gname\n"; } - } + } } -} + } # given a group dn and a list of members, update the group sub modify_group -{ + { my ($group, $dn_line, @members, $recgroup) = @_; my $m; my @new_mb; foreach $m (@members) { - if ( ($m =~ m/^\*/) ) { + if ( ($m =~ m/^\*/) ) { my $gname = $m; $gname =~ s/^.//; if (!$recgroup) { - print "recursive group not added : $gname\n"; + print "recursive group not added : $gname\n"; } else { - if (!process_rec_group($gname, \@new_mb)) { + if (!process_rec_group($gname, \@new_mb)) { print "recursive group not added : $gname\n"; - } + } } - } else { + } else { push @new_mb, $m; - } + } } # new_mb contains flat members from group dump @@ -94,7 +94,7 @@ sub modify_group my $mbs; foreach $m (@new_mb) { - $mbs .= "memberUid: $m\n"; + $mbs .= "memberUid: $m\n"; } my $mods="$dn_line @@ -105,16 +105,16 @@ $mbs #print "$mods\n"; my $tmpldif = -"$mods + "$mods "; die "$0: error while modifying group $group\n" - unless (do_ldapmodify($tmpldif) == 0); + unless (do_ldapmodify($tmpldif) == 0); undef $tmpldif; -} + } sub display_group -{ + { my ($group, @members) = @_; print "Group name $group\n"; 
@@ -122,43 +122,43 @@ sub display_group my $m; my $i = 0; foreach $m (@members) { - print "$m "; - if ($i % 5 == 0) { + print "$m "; + if ($i % 5 == 0) { print "\n"; - } - $i++; + } + $i++; } -} + } sub process_group -{ + { my ($group, @members, $nocreate, $noupdate, $recgroup) = @_; my $dn_line; if (!defined($dn_line = get_group_dn($group))) { - # group not found, create it ? - if (!$nocreate) { + # group not found, create it ? + if (!$nocreate) { system "/usr/local/sbin/smbldap-groupadd.pl \"$group\"; sleep 5"; if (!defined($dn_line = get_group_dn($group))) { - return 1; + return 1; } modify_group($group, $dn_line, @members, $recgroup); - } else { + } else { # don't create print "not created:\n"; display_group($group, @members); - } + } } else { - # group found, update it ? - if (!$noupdate) { + # group found, update it ? + if (!$noupdate) { modify_group($group, $dn_line, @members, $recgroup); - } else { + } else { # don't update print "not updated:\n"; display_group($group, @members); - } + } } -} + } ################################################### @@ -166,11 +166,11 @@ my %Options; my $ok = getopts('CUr?', \%Options); if ( (!$ok) || ($Options{'?'}) ) { - print "Usage: $0 [-CUr?] < group_dump\n"; - print " -C don't create group if it doesn't exist\n"; - print " -U don't update group if it exists\n"; - print " -r recursively process groups\n"; - exit(1); + print "Usage: $0 [-CUr?] < group_dump\n"; + print " -C don't create group if it doesn't exist\n"; + print " -U don't update group if it exists\n"; + print " -r recursively process groups\n"; + exit(1); } my $group_name; @@ -184,13 +184,13 @@ while (<>) { next if ( $line =~ m/^\s*$/ ); if ($group_name eq "") { - if ( $line =~ m/^Group name\s+(.+).$/ ) { + if ( $line =~ m/^Group name\s+(.+).$/ ) { $group_name = $1; next; - } + } } if ($group_desc eq "") { - if ( $line =~ m/^Comment\s+(.*)$/ ) { + if ( $line =~ m/^Comment\s+(.*)$/ ) { $group_desc = $1; next; } 
diff --git a/examples/LDAP/smbldap-tools/smbldap-passwd.pl b/examples/LDAP/smbldap-tools/smbldap-passwd.pl index 7845e5548e..97680dcd46 100755 --- a/examples/LDAP/smbldap-tools/smbldap-passwd.pl +++ b/examples/LDAP/smbldap-tools/smbldap-passwd.pl @@ -1,7 +1,8 @@ #!/usr/bin/perl -w # LDAP to unix password sync script for samba -# +# $Id: smbldap-passwd.pl,v 1.1.6.4 2003/12/04 21:59:19 jerry Exp $ + # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # @@ -23,7 +24,7 @@ # USA. # Purpose : -# . ldap-unix passwd sync for SAMBA-2.2.2 + LDAP +# . ldap-unix passwd sync for SAMBA>2.2.2 + LDAP # . may also replace /bin/passwd use strict; @@ -40,29 +41,29 @@ my $ret; my $arg; foreach $arg (@ARGV) { - if ($< != 0) { - die "Only root can specify parameters\n"; - } else { - if ( ($arg eq '-?') || ($arg eq '--help') ) { - print "Usage: $0 [username]\n"; - print " -?, --help show this help message\n"; - exit (6); - } elsif (substr($arg,0) ne '-') { - $user = $arg; - } - $oldpass = 1; + if ($< != 0) { + die "Only root can specify parameters\n"; + } else { + if ( ($arg eq '-?') || ($arg eq '--help') ) { + print "Usage: $0 [username]\n"; + print " -?, --help show this help message\n"; + exit (6); + } elsif (substr($arg,0) ne '-') { + $user = $arg; } + $oldpass = 1; + } } if (!defined($user)) { - $user=$ENV{"USER"}; + $user=$ENV{"USER"}; } # test existence of user in LDAP my $dn_line; if (!defined($dn_line = get_user_dn($user))) { - print "$0: user $user doesn't exist\n"; - exit (10); + print "$0: user $user doesn't exist\n"; + exit (10); } my $dn = get_dn_from_line($dn_line); 
@@ -73,17 +74,17 @@ print "Changing password for $user\n"; # non-root user if (!defined($oldpass)) { - # prompt for current password - system "stty -echo"; - print "(current) UNIX password: "; - chomp($oldpass=); - print "\n"; - system "stty echo"; - - if (!is_user_valid($user, $dn, $oldpass)) { - print "Authentication failure\n"; - exit (10); - } + # prompt for current password + system "stty -echo"; + print "(current) UNIX password: "; + chomp($oldpass=); + print "\n"; + system "stty echo"; + + if (!is_user_valid($user, $dn, $oldpass)) { + print "Authentication failure\n"; + exit (10); + } } # prompt for new password @@ -104,8 +105,8 @@ print "\n"; system "stty echo"; if ($pass ne $pass2) { - print "New passwords don't match!\n"; - exit (10); + print "New passwords don't match!\n"; + exit (10); } # First, connecting to the directory 
@@ -113,59 +114,64 @@ my $ldap_master=connect_ldap_master(); # only modify smb passwords if smb user if ($samba == 1) { - if (!$with_smbpasswd) { -# generate LanManager and NT clear text passwords + if (!$with_smbpasswd) { + # generate LanManager and NT clear text passwords if ($mk_ntpasswd eq '') { - print "Either set \$with_smbpasswd = 1 or specify \$mk_ntpasswd\n"; - exit(1); + print "Either set \$with_smbpasswd = 1 or specify \$mk_ntpasswd\n"; + exit(1); } my $ntpwd = `$mk_ntpasswd '$pass'`; - chomp(my $sambaLMPassword = substr($ntpwd, 0, index($ntpwd, ':'))); - chomp(my $sambaNTPassword = substr($ntpwd, index($ntpwd, ':')+1)); + chomp(my $sambaLMPassword = substr($ntpwd, 0, index($ntpwd, ':'))); + chomp(my $sambaNTPassword = substr($ntpwd, index($ntpwd, ':')+1)); # the sambaPwdLastSet must be updating my $date=time; + my @mods; + push(@mods, 'sambaLMPassword' => $sambaLMPassword); + push(@mods, 'sambaNTPassword' => $sambaNTPassword); + push(@mods, 'sambaPwdLastSet' => $date); + if (defined $_defaultMaxPasswordAge) { + my $new_sambaPwdMustChange=$date+$_defaultMaxPasswordAge*24*60*60; + push(@mods, 'sambaPwdMustChange' => $new_sambaPwdMustChange); + push(@mods, 'sambaAcctFlags' => '[U]'); + } # Let's change nt/lm passwords my $modify = $ldap_master->modify ( "$dn", - changes => [ - replace => [sambaLMPassword => "$sambaLMPassword"], - replace => [sambaNTPassword => "$sambaNTPassword"], - replace => [sambaPwdLastSet => "$date"] - ] + 'replace' => { @mods } ); $modify->code && warn "failed to modify entry: ", $modify->error ; } else { if ($< != 0) { - my $FILE="|$smbpasswd -s >/dev/null"; - open (FILE, $FILE) || die "$!\n"; - print FILE <modify ( "$dn", - changes => [ - replace => [userPassword => "$hash_password"] - ] - ); + changes => [ + replace => [userPassword => "$hash_password"] + ] + ); $modify->code && warn "Unable to change password : ", $modify->error ; # take down session 
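Review bot: `push(@mods, 'sambaAcctFlags' => '[U]')` in the new `$_defaultMaxPasswordAge` branch, sent through `'replace' => { @mods }`, overwrites the account's whole flag string on every password change, so any other flag the entry carries is dropped — the useradd script in this same commit sets `[UX]` by default and accepts arbitrary control bits via `-H`, and the `D` bit among those listed in its help is Samba's disable flag, so a password change would presumably re-enable a disabled account. The useradd comment shows the intent is only to clear the `X` (no-expiry) bit; read the entry's current value first and push `(my $flags = $current_flags) =~ s/X//;` instead of the constant. The `if ($samba == 1)` block starts before the hunk and the script continues after it.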
@@ -186,7 +192,7 @@ smbldap-passwd.pl - change user password =head1 DESCRIPTION - smbldap-passwd.pl changes passwords for user accounts. A normal user +smbldap-passwd.pl changes passwords for user accounts. A normal user may only change the password for their own account, the super user may change the password for any account. diff --git a/examples/LDAP/smbldap-tools/smbldap-populate.pl b/examples/LDAP/smbldap-tools/smbldap-populate.pl index ce497672a9..0992c5b751 100755 --- a/examples/LDAP/smbldap-tools/smbldap-populate.pl +++ b/examples/LDAP/smbldap-tools/smbldap-populate.pl @@ -2,6 +2,8 @@ # Populate a LDAP base for Samba-LDAP usage # +# $Id: smbldap-populate.pl,v 1.1.6.4 2003/12/04 21:59:19 jerry Exp $ + # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # 
@@ -39,66 +41,66 @@ use vars qw(%oc); # objectclass of the suffix %oc = ( - "ou" => "organizationalUnit", - "o" => "organization", - "dc" => "dcObject", -); + "ou" => "organizationalUnit", + "o" => "organization", + "dc" => "dcObject", + ); my %Options; my $ok = getopts('a:b:?', \%Options); if ( (!$ok) || ($Options{'?'}) ) { - print "Usage: $0 [-ab?] [ldif]\n"; - print " -a administrator login name (default: Administrator)\n"; - print " -b guest login name (default: nobody)\n"; - print " -? show this help message\n"; - print " ldif file to add to ldap (default: suffix, Groups,"; - print " Users, Computers and builtin users )\n"; - exit (1); + print "Usage: $0 [-ab?] [ldif]\n"; + print " -a administrator login name (default: Administrator)\n"; + print " -b guest login name (default: nobody)\n"; + print " -? show this help message\n"; + print " ldif file to add to ldap (default: suffix, Groups,"; + print " Users, Computers and builtin users )\n"; + exit (1); } my $_ldifName; my $tmp_ldif_file="/tmp/$$.ldif"; if (@ARGV >= 1) { - $_ldifName = $ARGV[0]; + $_ldifName = $ARGV[0]; } my $adminName = $Options{'a'}; if (!defined($adminName)) { - $adminName = "Administrator"; + $adminName = "Administrator"; } my $guestName = $Options{'b'}; if (!defined($guestName)) { - $guestName = "nobody"; + $guestName = "nobody"; } if (!defined($_ldifName)) { - my $attr; - my $val; - my $objcl; + my $attr; + my $val; + my $objcl; print "Using builtin directory structure\n"; - if ($suffix =~ m/([^=]+)=([^,]+)/) { + if ($suffix =~ m/([^=]+)=([^,]+)/) { $attr = $1; $val = $2; $objcl = $oc{$attr} if (exists $oc{$attr}); if (!defined($objcl)) { - $objcl = "myhardcodedobjectclass"; + $objcl = "myhardcodedobjectclass"; } - } else { + } else { die "can't extract first attr and value from suffix $suffix"; - } - #print "$attr=$val\n"; - my ($organisation,$ext) = ($suffix =~ m/dc=(\w+),dc=(\w+)$/); + } + #print "$attr=$val\n"; + my ($organisation,$ext) = ($suffix =~ m/dc=(.*),dc=(.*)$/); - #my 
$FILE="|cat"; + #my $FILE="|cat"; my $FILE=$tmp_ldif_file; open (FILE, ">$FILE") || die "Can't open file $FILE: $!\n"; - print FILE <= 5.6 @@ -86,13 +88,21 @@ install -m 644 %{SOURCE14} $RPM_BUILD_ROOT/usr/share/doc/smbldap-tools/FILES install -m 644 %{SOURCE15} $RPM_BUILD_ROOT/usr/share/doc/smbldap-tools/README install -m 644 %{SOURCE16} $RPM_BUILD_ROOT/usr/share/doc/smbldap-tools/TODO install -m 644 %{SOURCE21} $RPM_BUILD_ROOT/usr/share/doc/smbldap-tools/INFRA +install -m 644 %{SOURCE22} $RPM_BUILD_ROOT/usr/share/doc/smbldap-tools/smb.conf %clean rm -rf $RPM_BUILD_ROOT %post -ln -sf %{prefix}/sbin/smbldap_tools.pm /usr/lib/perl5/site_perl/smbldap_tools.pm -ln -sf %{prefix}/sbin/smbldap_conf.pm /usr/lib/perl5/site_perl/smbldap_conf.pm +# from smbldap-tools-0.8-2, librairies are loaded with the FindBin perl package +if [ -f /usr/lib/perl5/site_perl/smbldap_tools.pm ]; +then + rm -f /usr/lib/perl5/site_perl/smbldap_tools.pm +fi +if [ -f /usr/lib/perl5/site_perl/smbldap_conf.pm ]; +then + rm -f /usr/lib/perl5/site_perl/smbldap_conf.pm +fi chgrp 512 %{prefix}/sbin/smbldap-useradd.pl %{prefix}/sbin/smbldap_conf.pm || echo "An error occured while changing groups of smbldap-useradd.pl and smbldap_conf.pm in /usr/local/sbin. For proper operations, please ensure that they have the same posix group as the Samba domain administrator if there's a local Samba PDC." perl -i -pe 's/_SLAVELDAP_/localhost/' %{prefix}/sbin/smbldap_conf.pm perl -i -pe 's/_MASTERLDAP_/localhost/' %{prefix}/sbin/smbldap_conf.pm 
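Review bot: The new suffix regex `m/dc=(.*),dc=(.*)$/` is greedy, so for a suffix with more than two components such as `dc=example,dc=co,dc=uk` `$organisation` becomes `example,dc=co`; the old `\w+` bound each capture to a single component, and `m/dc=([^,]+),dc=([^,]+)$/` keeps that while allowing hyphens and dots, if widening the character set was the goal. Unchanged but adjacent: the LDIF is written to the predictable path `/tmp/$$.ldif` via `open (FILE, ">$FILE")` while running as root, which is the classic symlink-in-/tmp exposure; `File::Temp::tempfile` closes it off. The hunk's tail (the heredoc) is not legible on this page.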
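Review bot: The new `%post` test `if [ -f /usr/lib/perl5/site_perl/smbldap_tools.pm ]` is true for a regular file as well as for the symlink the previous package version created, so the `rm -f` would also remove a genuinely installed module of that name; `if [ -L /usr/lib/perl5/site_perl/smbldap_tools.pm ]; then` limits the cleanup to symlinks, which is what the comment says is being undone. The same applies to the `smbldap_conf.pm` check that follows.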
@@ -101,11 +111,11 @@ perl -i -pe 's/_USERS_/Users/' %{prefix}/sbin/smbldap_conf.pm perl -i -pe 's/_COMPUTERS_/Computers/' %{prefix}/sbin/smbldap_conf.pm perl -i -pe 's/_GROUPS_/Groups/' %{prefix}/sbin/smbldap_conf.pm perl -i -pe 's/_LOGINSHELL_/\/bin\/bash/' %{prefix}/sbin/smbldap_conf.pm -perl -i -pe 's/_HOMEPREFIX_/\/home\//' %{prefix}/sbin/smbldap_conf.pm +perl -i -pe 's/_HOMEPREFIX_/\/home/' %{prefix}/sbin/smbldap_conf.pm perl -i -pe 's/_BINDDN_/cn=Manager,\$suffix/' %{prefix}/sbin/smbldap_conf.pm perl -i -pe 's/_BINDPW_/secret/' %{prefix}/sbin/smbldap_conf.pm perl -i -pe 's/_PDCNAME_/PDC-SRV/' %{prefix}/sbin/smbldap_conf.pm -perl -i -pe 's/_HOMEDRIVE_/H/' %{prefix}/sbin/smbldap_conf.pm +perl -i -pe 's/_HOMEDRIVE_/H:/' %{prefix}/sbin/smbldap_conf.pm # FIXME: links should not be removed on upgrade #%postun 
@@ -118,53 +128,13 @@ perl -i -pe 's/_HOMEDRIVE_/H/' %{prefix}/sbin/smbldap_conf.pm %defattr(-,root,root) %{prefix}/sbin/*.pl %{prefix}/sbin/smbldap_tools.pm -%config %{prefix}/sbin/smbldap_conf.pm +%config(noreplace) %{prefix}/sbin/smbldap_conf.pm %{prefix}/sbin/mkntpwd %doc /usr/share/doc/%{name}/ %changelog -* Fri Aug 22 2003 Jerome Tournier 0.8-1 -- support for Samba3.0 +* Fri Nov 28 2003 Jerome Tournier 0.8.2-1 +- new smb.conf file as example configuration file +- see Changelog file for updates in scripts -* Thu Sep 26 2002 Grald Macinenti 0.7-2 -- top and account objectclasses replaced by InetOrgPerson - -* Sat Jun 1 2002 Olivier Lemaire 0.7-1 -- some bugfixes about smbldap-populate -- bugfixed the smbpasswd call in smbldap-useradd -- cleaned up the smbldap_conf -- more documentation - -* Tue Apr 30 2002 Brad Langhorst 0.6-2 -- changed requires samba-common to samba -- replaced /usr/local with %{prefix} to allow relocation - -* Tue Feb 5 2002 David Le Corfec 0.6-1 -- v0.6 - -* Mon Feb 4 2002 David Le Corfec 0.5-1 -- v0.5 - -* Mon Jan 14 2002 David Le Corfec 0.3-4 -- internal changes -- should upgrade smoothly from now on - -* Mon Jan 14 2002 David Le Corfec 0.2-1 -- added migration scripts - -* Fri Dec 28 2001 David Le Corfec 0.1-5 -- numeric group for chmod - -* Thu Dec 27 2001 David Le Corfec 0.1-4 -- misc bugfixes - -* Mon Dec 18 2001 David Le Corfec 0.1-3 -- changed files attrs for domain admins to add users -- added smbldap-populate.pl - -* Fri Dec 14 2001 David Le Corfec -- added mkntpwd - -* Wed Dec 12 2001 Olivier Lemaire -- Spec file was generated, and tested atomically. diff --git a/examples/LDAP/smbldap-tools/smbldap-useradd.pl b/examples/LDAP/smbldap-tools/smbldap-useradd.pl index a84d9f68b2..49086e519b 100755 --- a/examples/LDAP/smbldap-tools/smbldap-useradd.pl +++ b/examples/LDAP/smbldap-tools/smbldap-useradd.pl 
@@ -1,5 +1,7 @@ #!/usr/bin/perl -w +# $Id: smbldap-useradd.pl,v 1.1.6.4 2003/12/04 21:59:19 jerry Exp $ +# # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # 
@@ -35,102 +37,92 @@ use smbldap_conf; use Getopt::Std; my %Options; -my $ok = getopts('axnmwPG:u:g:d:s:c:k:A:B:C:D:E:F:H:N:S:?', \%Options); +my $ok = getopts('anmwPG:u:g:d:s:c:k:A:B:C:D:E:F:H:N:S:?', \%Options); if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) { - print "Usage: $0 [-awmugdsckGPABCDEFH?] username\n"; - print " -a is a Windows User (otherwise, Posix stuff only)\n"; - print " -w is a Windows Workstation (otherwise, Posix stuff only)\n"; - print " -x creates rid and primaryGroupID in hex instead of decimal\n"; - print " -u uid\n"; - print " -g gid\n"; - print " -G supplementary comma-separated groups\n"; - print " -n do not create a group\n"; - print " -d home\n"; - print " -s shell\n"; - print " -c gecos\n"; - print " -m creates home directory and copies /etc/skel\n"; - print " -k skeleton dir (with -m)\n"; - print " -P ends by invoking smbldap-passwd.pl\n"; - print " -A can change password ? 0 if no, 1 if yes\n"; - print " -B must change password ? 0 if no, 1 if yes\n"; - print " -C sambaHomePath (SMB home share, like '\\\\PDC-SRV\\homes')\n"; - print " -D sambaHomeDrive (letter associated with home share, like 'H:')\n"; - print " -E sambaLogonScript (DOS script to execute on login)\n"; - print " -F sambaProfilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo')\n"; - print " -H sambaAcctFlags (samba account control bits like '[NDHTUMWSLKI]')\n"; - print " -N canonical name\n"; - print " -S surname\n"; - print " -? show this help message\n"; - exit (1); + print "Usage: $0 [-awmugdsckGPABCDEFH?] 
username\n"; + print " -a is a Windows User (otherwise, Posix stuff only)\n"; + print " -w is a Windows Workstation (otherwise, Posix stuff only)\n"; + print " -u uid\n"; + print " -g gid\n"; + print " -G supplementary comma-separated groups\n"; + print " -n do not create a group\n"; + print " -d home\n"; + print " -s shell\n"; + print " -c gecos\n"; + print " -m creates home directory and copies /etc/skel\n"; + print " -k skeleton dir (with -m)\n"; + print " -P ends by invoking smbldap-passwd.pl\n"; + print " -A can change password ? 0 if no, 1 if yes\n"; + print " -B must change password ? 0 if no, 1 if yes\n"; + print " -C sambaHomePath (SMB home share, like '\\\\PDC-SRV\\homes')\n"; + print " -D sambaHomeDrive (letter associated with home share, like 'H:')\n"; + print " -E sambaLogonScript (DOS script to execute on login)\n"; + print " -F sambaProfilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo')\n"; + print " -H sambaAcctFlags (samba account control bits like '[NDHTUMWSLKI]')\n"; + print " -N canonical name\n"; + print " -S surname\n"; + print " -? 
show this help message\n"; + exit (1); } + # cause problems when dealing with getpwuid because of the # negative ttl and ldap modification my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1"; if ($nscd_status == 0) { - system "/etc/init.d/nscd stop > /dev/null 2>&1"; + system "/etc/init.d/nscd stop > /dev/null 2>&1"; } + # Read options my $userUidNumber = $Options{'u'}; if (!defined($userUidNumber)) { - # find first unused uid starting from $UID_START - while (defined(getpwuid($UID_START))) { - $UID_START++; - } - $userUidNumber = $UID_START; + # find first unused uid starting from $UID_START + while (defined(getpwuid($UID_START))) { + $UID_START++; + } + $userUidNumber = $UID_START; } elsif (getpwuid($userUidNumber)) { die "Uid already exists.\n"; } if ($nscd_status == 0) { - system "/etc/init.d/nscd start > /dev/null 2>&1"; + system "/etc/init.d/nscd start > /dev/null 2>&1"; } -# as rid we use 2 * uid + 1000 -my $userRid = 2 * $userUidNumber + 1000; -if (defined($Options{'x'})) { - $userRid= sprint("%x", $userRid); -} - my $createGroup = 0; my $userGidNumber = $Options{'g'}; # gid not specified ? 
if (!defined($userGidNumber)) { - # windows machine => $_defaultComputerGid - if (defined($Options{'w'})) { + # windows machine => $_defaultComputerGid + if (defined($Options{'w'})) { $userGidNumber = $_defaultComputerGid; -# } elsif (!defined($Options{'n'})) { + # } elsif (!defined($Options{'n'})) { # create new group (redhat style) # find first unused gid starting from $GID_START -# while (defined(getgrgid($GID_START))) { -# $GID_START++; -# } -# $userGidNumber = $GID_START; + # while (defined(getgrgid($GID_START))) { + # $GID_START++; + # } + # $userGidNumber = $GID_START; -# $createGroup = 1; + # $createGroup = 1; - } else { + } else { # user will have gid = $_defaultUserGid $userGidNumber = $_defaultUserGid; - } + } } else { - my $gid; - if (($gid = parse_group($userGidNumber)) < 0) { + my $gid; + if (($gid = parse_group($userGidNumber)) < 0) { print "$0: unknown group $userGidNumber\n"; exit (6); - } - $userGidNumber = $gid; + } + $userGidNumber = $gid; } -# as grouprid we use 2 * gid + 1001 -my $userGroupRid = 2 * $userGidNumber + 1001; -if (defined($Options{'x'})) { - $userGroupRid = sprint("%x", $userGroupRid); -} # Read only first @ARGV my $userName = $ARGV[0]; 
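Review bot: `-u` is still accepted unvalidated: `elsif (getpwuid($userUidNumber))` with a non-numeric value evaluates as `getpwuid(0)`, so the script dies with `Uid already exists.` instead of reporting a malformed value, and something like `12abc` passes the check (numified to 12, with a warning) and is then stored as the uidNumber; add `die "$0: uid must be numeric\n" unless $userUidNumber =~ /^\d+$/;` before the `elsif`. Dropping `-x` together with the `sprint("%x", ...)` lines is welcome — `sprint` is not a Perl builtin, so that branch would have died with an undefined-subroutine error. Pre-existing and only reindented here: the free-uid scan `while (defined(getpwuid($UID_START)))` and the later add are not atomic, so two concurrent runs can pick the same uid.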
@@ -145,18 +137,49 @@ if ($userName =~ /^([\w -]+\$?)$/) { # user must not exist in LDAP (should it be nss-wide ?) my ($rc, $dn) = get_user_dn2($userName); if ($rc and defined($dn)) { - print "$0: user $userName exists\n"; - exit (9); + print "$0: user $userName exists\n"; + exit (9); } elsif (!$rc) { - print "$0: error in get_user_dn2\n"; - exit(10); + print "$0: error in get_user_dn2\n"; + exit(10); +} + +my $group_entry; +my $userGroupSID; +my $userRid; +if ($Options{'a'}) { + # as grouprid we use the value of the sambaSID attribute for + # group of gidNumber=$userGidNumber + $group_entry = read_group_entry_gid($userGidNumber); + $userGroupSID = $group_entry->get_value('sambaSID'); + unless ($userGroupSID) { + print "$0: unknown group SID not set for unix group $userGidNumber\n"; + print "check if your unix group is mapped to an NT group\n"; + exit (7); + } + + # as rid we use 2 * uid + 1000 + $userRid = 2 * $userUidNumber + 1000; + # let's test if this SID already exist + my $user_sid="$SID-$userRid"; + my $test_exist_sid=does_sid_exist($user_sid,$usersdn); + if ($test_exist_sid->count == 1) { + print "User SID already owned by\n"; + # there should not exist more than one entry, but ... + foreach my $entry ($test_exist_sid->all_entries) { + my $dn= $entry->dn; + chomp($dn); + print "$dn\n"; + } + exit(7); + } } my $userHomeDirectory; my ($userCN, $userSN); my $tmp; if (!defined($userHomeDirectory = $Options{'d'})) { - $userHomeDirectory = $_userHomePrefix."/".$userName; + $userHomeDirectory = $_userHomePrefix."/".$userName; } $_userLoginShell = $tmp if (defined($tmp = $Options{'s'})); $_userGecos = $tmp if (defined($tmp = $Options{'c'})); 
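Review bot: The duplicate-SID guard `if ($test_exist_sid->count == 1)` only fires for exactly one hit; the comment right below it acknowledges that more than one entry may exist, and in that case the check is skipped and another account with the same `$user_sid` is created — it should be `if ($test_exist_sid->count >= 1) {`. Also, the result of `read_group_entry_gid($userGidNumber)` is dereferenced immediately with `->get_value('sambaSID')`; if that helper can return undef for an unmapped gid, the script dies with a method-on-undef error instead of the intended message, so guard it with `unless ($group_entry) { print "$0: no group entry for gid $userGidNumber\n"; exit (7); }` first. The message `unknown group SID not set for unix group` reads like two messages merged; `SID not set for unix group $userGidNumber` is clearer.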
@@ -174,26 +197,26 @@ my $ldap_master=connect_ldap_master(); # MACHINE ACCOUNT if (defined($tmp = $Options{'w'})) { - # add a trailing dollar if missing - if ($userName =~ /[^\$]$/s) { + # add a trailing dollar if missing + if ($userName =~ /[^\$]$/s) { $userName .= "\$"; - } + } - #print "About to create machine $userName:\n"; + #print "About to create machine $userName:\n"; - if (!add_posix_machine ($userName, $userUidNumber, $userGidNumber)) { + if (!add_posix_machine ($userName, $userUidNumber, $userGidNumber)) { die "$0: error while adding posix account\n"; - } + } - if (!$with_smbpasswd) { + if (!$with_smbpasswd) { # (jtournier) # Objectclass sambaSAMAccount is now added directly by samba when joigning the domain (for samba3) #if (!add_samba_machine_mkntpwd($userName, $userUidNumber)) { # die "$0: error while adding samba account\n"; #} - } else { + } else { if (!add_samba_machine($userName)) { - die "$0: error while adding samba account\n"; + die "$0: error while adding samba account\n"; } my $modify = $ldap_master->modify ( "$dn", changes => [ @@ -201,9 +224,9 @@ if (defined($tmp = $Options{'w'})) { ] ); $modify->code && warn "failed to modify entry: ", $modify->error ; - } + } - exit 0; + exit 0; } # USER ACCOUNT 
@@ -237,56 +260,62 @@ group_add_user($userGidNumber, $userName); my $grouplist; # adds to supplementary groups if (defined($grouplist = $Options{'G'})) { - add_grouplist_user($grouplist, $userName); + add_grouplist_user($grouplist, $userName); } # If user was created successfully then we should create his/her home dir if (defined($tmp = $Options{'m'})) { - unless ( $userName =~ /\$$/ ) { + unless ( $userName =~ /\$$/ ) { if ( !(-e $userHomeDirectory) ) { - system "mkdir $userHomeDirectory 2>/dev/null"; - system "cp -a $_skeletonDir/.[a-z,A-Z]* $_skeletonDir/* $userHomeDirectory 2>/dev/null"; - system "chown -R $userUidNumber:$userGidNumber $userHomeDirectory 2>/dev/null"; - system "chmod 700 $userHomeDirectory 2>/dev/null"; + system "mkdir $userHomeDirectory 2>/dev/null"; + system "cp -a $_skeletonDir/.[a-z,A-Z]* $_skeletonDir/* $userHomeDirectory 2>/dev/null"; + system "chown -R $userUidNumber:$userGidNumber $userHomeDirectory 2>/dev/null"; + system "chmod 700 $userHomeDirectory 2>/dev/null"; } - } + } } # Add Samba user infos if (defined($Options{'a'})) { - if (!$with_smbpasswd) { + if (!$with_smbpasswd) { my $winmagic = 2147483647; my $valpwdcanchange = 0; my $valpwdmustchange = $winmagic; + my $valpwdlastset = 0; my $valacctflags = "[UX]"; if (defined($tmp = $Options{'A'})) { - if ($tmp != 0) { + if ($tmp != 0) { $valpwdcanchange = "0"; - } else { + } else { $valpwdcanchange = "$winmagic"; - } + } } if (defined($tmp = $Options{'B'})) { - if ($tmp != 0) { + if ($tmp != 0) { $valpwdmustchange = "0"; - } else { + # To force a user to change his password: + # . the attribut sambaPwdLastSet must be != 0 + # . 
the attribut sambaAcctFlags must not match the 'X' flag + $valpwdlastset=$winmagic; + $valacctflags = "[U]"; + } else { $valpwdmustchange = "$winmagic"; - } + } } if (defined($tmp = $Options{'H'})) { - $valacctflags = "$tmp"; + $valacctflags = "$tmp"; } my $modify = $ldap_master->modify ( "uid=$userName,$usersdn", changes => [ add => [objectClass => 'sambaSAMAccount'], - add => [sambaPwdLastSet => '0'], + add => [sambaPwdLastSet => "$valpwdlastset"], add => [sambaLogonTime => '0'], add => [sambaLogoffTime => '2147483647'], add => [sambaKickoffTime => '2147483647'], @@ -300,7 +329,7 @@ if (defined($Options{'a'})) { $modify->code && die "failed to add entry: ", $modify->error ; - } else { + } else { my $FILE="|smbpasswd -s -a $userName >/dev/null" ; open (FILE, $FILE) || die "$!\n"; print FILE <modify ( "uid=$userName,$usersdn", changes => [ - add => [sambaPrimaryGroupSID => "$SID-$userGroupRid"], + add => [sambaPrimaryGroupSID => "$userGroupSID"], add => [sambaHomeDrive => "$valhomedrive"], - add => [sambaHomePath => "$valsmbhome"], - add => [sambaProfilePath => "$valprofilepath"], add => [sambaLogonScript => "$valscriptpath"], add => [sambaLMPassword => 'XXX'], add => [sambaNTPassword => 'XXX'] ] ); + $modify = $ldap_master->modify ( "uid=$userName,$usersdn", + 'replace' => { @mods } + ); + $modify->code && die "failed to add entry: ", $modify->error ; @@ -357,7 +405,7 @@ $ldap_master->unbind; # take down session if (defined($Options{'P'})) { - exec "/usr/local/sbin/smbldap-passwd.pl $userName" + exec "/usr/local/sbin/smbldap-passwd.pl $userName" } exit 0; 
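Review bot: The `-B` branch sets `$valacctflags = "[U]"` to drop the X flag, but the `-H` branch immediately after assigns `$valacctflags = "$tmp"` unconditionally, so `-B 1 -H '[UX]'` writes sambaPwdLastSet=2147483647 together with the very X flag the new comment says must not be present; either strip X from the `-H` value when `-B` is set or warn about the conflict. The four `system "mkdir $userHomeDirectory ..."` lines on the new side still pass the unvalidated `-d` value through a shell as root; the list form, e.g. `system 'chmod', '700', $userHomeDirectory;`, keeps the path out of the shell (the skeleton copy relies on globbing, so that one needs an explicit glob in Perl or the path passed as a separate argument). Part of this hunk (the smbpasswd heredoc) is not legible in this view, so the `@mods` handling added after it was not reviewed.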
@@ -366,57 +414,57 @@ exit 0; =head1 NAME - smbldap-useradd.pl - Create a new user or update default new - user information +smbldap-useradd.pl - Create a new user or update default new + user information =head1 SYNOPSIS - smbldap-useradd.pl [-c comment] [-d home_dir] - [-g initial_group] [-G group[,...]] - [-m [-k skeleton_dir]] - [-s shell] [-u uid [ -o]] [-P] - [-A canchange] [-B mustchange] [-C smbhome] - [-D homedrive] [-E scriptpath] [-F profilepath] - [-H acctflags] login +smbldap-useradd.pl [-c comment] [-d home_dir] + [-g initial_group] [-G group[,...]] + [-m [-k skeleton_dir]] + [-s shell] [-u uid [ -o]] [-P] + [-A canchange] [-B mustchange] [-C smbhome] + [-D homedrive] [-E scriptpath] [-F profilepath] + [-H acctflags] login =head1 DESCRIPTION - Creating New Users - The smbldap-useradd.pl command creates a new user account using - the values specified on the command line and the default - values from the system. - The new user account will be entered into the system - files as needed, the home directory will be created, and - initial files copied, depending on the command line options. +Creating New Users + The smbldap-useradd.pl command creates a new user account using + the values specified on the command line and the default + values from the system. + The new user account will be entered into the system + files as needed, the home directory will be created, and + initial files copied, depending on the command line options. - You have to use smbldap-passwd to set the user password. - For Samba users, rid is 2*uidNumber+1000, and primaryGroupID - is 2*gidNumber+1001. Thus you may want to use - smbldap-useradd.pl -a -g "Domain Admins" -u 500 Administrator - to create a sambaDomainName administrator (admin rid is 0x1F4 = 500 and - grouprid is 0x200 = 512) + You have to use smbldap-passwd to set the user password. + For Samba users, rid is 2*uidNumber+1000, and primaryGroupID + is 2*gidNumber+1001. 
Thus you may want to use + smbldap-useradd.pl -a -g "Domain Admins" -u 500 Administrator + to create a sambaDomainName administrator (admin rid is 0x1F4 = 500 and + grouprid is 0x200 = 512) - Without any option, the account created will be an Unix (Posix) - account. The following options may be used to add information: + Without any option, the account created will be an Unix (Posix) + account. The following options may be used to add information: - -a The user will have a Samba account (and Unix). +-a The user will have a Samba account (and Unix). - -w Creates an account for a Samba machine (Workstation), so that - it can join a sambaDomainName. + -w Creates an account for a Samba machine (Workstation), so that + it can join a sambaDomainName. - -x Creates rid and primaryGroupID in hex (for Samba 2.2.2 bug). Else - decimal (2.2.2 patched from cvs or 2.2.x, x > 2) + -x Creates rid and primaryGroupID in hex (for Samba 2.2.2 bug). Else + decimal (2.2.2 patched from cvs or 2.2.x, x > 2) - -c comment - The new user's comment field (gecos). + -c comment + The new user's comment field (gecos). -d home_dir The new user will be created using home_dir as the value for the user's login directory. The default is to append the login name - to default_home and use that as the login directory name. + to default_home and use that as the login directory name. - -g initial_group - The group name or number of the user's initial login group. The + -g initial_group + The group name or number of the user's initial login group. The group name must exist. A group number must refer to an already existing group. The default group number is 1. 
@@ -428,20 +476,20 @@ exit 0; is for the user to belong only to the initial group. -m The user's home directory will be created if it does not exist. - The files contained in skeleton_dir will be copied to the home - directory if the -k option is used, otherwise the files con­ - tained in /etc/skel will be used instead. Any directories con­ - tained in skeleton_dir or /etc/skel will be created in the - user's home directory as well. The -k option is only valid in + The files contained in skeleton_dir will be copied to the home + directory if the -k option is used, otherwise the files con + tained in /etc/skel will be used instead. Any directories con + tained in skeleton_dir or /etc/skel will be created in the + user's home directory as well. The -k option is only valid in conjunction with the -m option. The default is to not create the directory and to not copy any files. -s shell The name of the user's login shell. The default is to leave - this field blank, which causes the system to select the default - login shell. + this field blank, which causes the system to select the default + login shell. - -u uid The numerical value of the user's ID. This value must be + -u uid The numerical value of the user's ID. This value must be unique, unless the -o option is used. The value must be non- negative. The default is to use the smallest ID value greater than 1000 and greater than every other user. diff --git a/examples/LDAP/smbldap-tools/smbldap-userdel.pl b/examples/LDAP/smbldap-tools/smbldap-userdel.pl index 1a1a3214b5..449c56d3d5 100755 --- a/examples/LDAP/smbldap-tools/smbldap-userdel.pl +++ b/examples/LDAP/smbldap-tools/smbldap-userdel.pl @@ -1,5 +1,7 @@ #!/usr/bin/perl +# $Id: smbldap-userdel.pl,v 1.1.6.4 2003/12/04 21:59:19 jerry Exp $ +# # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # 
@@ -37,9 +39,9 @@ my %Options; my $ok = getopts('r?', \%Options); if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) { - print "Usage: $0 [-r?] username\n"; - print " -r remove home directory\n"; - exit (1); + print "Usage: $0 [-r?] username\n"; + print " -r remove home directory\n"; + exit (1); } # Read only first @ARGV @@ -48,34 +50,34 @@ my $user = $ARGV[0]; my $dn; # user must not exist in LDAP if (!defined($dn=get_user_dn($user))) { - print "$0: user $user does not exist\n"; - exit (6); + print "$0: user $user does not exist\n"; + exit (6); } if ($< != 0) { - print "You must be root to delete an user\n"; - exit (1); + print "You must be root to delete an user\n"; + exit (1); } my $homedir; if (defined($Options{'r'})) { - $homedir=get_homedir($user); + $homedir=get_homedir($user); } # remove user from groups my $groups = find_groups_of $user; -my @grplines = split(/\n/, $groups); +my @grplines = split(/\n/,$groups); my $grp; foreach $grp (@grplines) { - my $gname = ""; - if ( $grp =~ /dn: cn=([^,]+),/) { + my $gname = ""; + if ( $grp =~ /dn: cn=([^,]+),/) { $gname = $1; #print "xx $gname\n"; - } - if ($gname ne "") { + } + if ($gname ne "") { group_remove_member($gname, $user); - } + } } # XXX @@ -83,9 +85,9 @@ delete_user($user); # delete dir -- be sure that homeDir is not a strange value if (defined($Options{'r'})) { - if ($homedir !~ /^\/dev/ and $homedir !~ /^\/$/) { + if ($homedir !~ /^\/dev/ and $homedir !~ /^\/$/) { system "rm -rf $homedir"; - } + } } my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1"; diff --git a/examples/LDAP/smbldap-tools/smbldap-usermod.pl b/examples/LDAP/smbldap-tools/smbldap-usermod.pl index f25c730fc8..96fc8c38db 100755 --- a/examples/LDAP/smbldap-tools/smbldap-usermod.pl +++ b/examples/LDAP/smbldap-tools/smbldap-usermod.pl 
@@ -1,5 +1,7 @@ -#!/usr/bin/perl +#!/usr/bin/perl -w +# $Id: smbldap-usermod.pl,v 1.1.6.4 2003/12/04 21:59:19 jerry Exp $ +# # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # 
@@ -29,48 +31,48 @@ use lib "$RealBin/"; use smbldap_tools; use smbldap_conf; - ##################### use Getopt::Std; my %Options; my $nscd_status; -my $ok = getopts('A:B:C:D:E:F:H:IJN:S:xme:f:u:g:G:d:l:s:c:ok:?h', \%Options); +my $ok = getopts('A:B:C:D:E:F:H:IJN:S:Pame:f:u:g:G:d:l:s:c:ok:?h', \%Options); if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) || ($Options{'h'}) ) { print "Usage: $0 [-awmugdsckxABCDEFGHI?h] username\n"; print "Available options are:\n"; - print " -c gecos\n"; - print " -d home directory\n"; - #print " -m move home directory\n"; - #print " -f inactive days\n"; - print " -u uid\n"; - print " -o uid can be non unique\n"; - print " -g gid\n"; - print " -G supplementary groups (comma separated)\n"; - print " -l login name\n"; - print " -s shell\n"; + print " -c gecos\n"; + print " -d home directory\n"; + #print " -m move home directory\n"; + #print " -f inactive days\n"; + print " -u uid\n"; + print " -o uid can be non unique\n"; + print " -g gid\n"; + print " -G supplementary groups (comma separated)\n"; + print " -l login name\n"; + print " -s shell\n"; print " -N canonical name\n"; print " -S surname\n"; + print " -P ends by invoking smbldap-passwd.pl\n"; print " For samba users:\n"; + print " -a add sambaSAMAccount objectclass\n"; print " -e expire date (\"YYYY-MM-DD HH:MM:SS\")\n"; - print " -x creates rid and primaryGroupID in hex instead of decimal (for Samba 2.2.2 unpatched only)\n"; - print " -A can change password ? 0 if no, 1 if yes\n"; - print " -B must change password ? 0 if no, 1 if yes\n"; - print " -C sambaHomePath (SMB home share, like '\\\\PDC-SRV\\homes')\n"; - print " -D sambaHomeDrive (letter associated with home share, like 'H:')\n"; - print " -E sambaLogonScript (DOS script to execute on login)\n"; - print " -F sambaProfilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo')\n"; - print " -H sambaAcctFlags (samba account control bits like '[NDHTUMWSLKI]')\n"; - print " -I disable an user. 
Can't be used with -H or -J\n"; - print " -J enable an user. Can't be used with -H or -I\n"; + print " -A can change password ? 0 if no, 1 if yes\n"; + print " -B must change password ? 0 if no, 1 if yes\n"; + print " -C sambaHomePath (SMB home share, like '\\\\PDC-SRV\\homes')\n"; + print " -D sambaHomeDrive (letter associated with home share, like 'H:')\n"; + print " -E sambaLogonScript (DOS script to execute on login)\n"; + print " -F sambaProfilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo')\n"; + print " -H sambaAcctFlags (samba account control bits like '[NDHTUMWSLKI]')\n"; + print " -I disable an user. Can't be used with -H or -J\n"; + print " -J enable an user. Can't be used with -H or -I\n"; print " -?|-h show this help message\n"; - exit (1); + exit (1); } if ($< != 0) { - print "You must be root to modify an user\n"; - exit (1); + print "You must be root to modify an user\n"; + exit (1); } # Read only first @ARGV @@ -79,13 +81,13 @@ my $user = $ARGV[0]; # Read user data my $user_entry = read_user_entry($user); if (!defined($user_entry)) { - print "$0: user $user doesn't exist\n"; - exit (1); + print "$0: user $user doesn't exist\n"; + exit (1); } my $samba = 0; if (grep ($_ =~ /^sambaSamAccount$/i, $user_entry->get_value('objectClass'))) { - $samba = 1; + $samba = 1; } # get the dn of the user 
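Review bot: The getopts string drops `x` and adds `P` and `a`, but the usage line `[-awmugdsckxABCDEFGHI?h]` still advertises `-x` and omits `-P`, and the POD SYNOPSIS further down still lists `[-x]`; `print "Usage: $0 [-awmugdsckPABCDEFGHI?h] username\n";` would match the parser. Because `-x` is no longer accepted, the `if (defined($Options{'x'}))` branch in the `-u` handler of the next hunk is dead code, and it calls `sprint("%x", ...)`, which is not a Perl builtin and would die at run time if it were ever reached; removing the branch (or restoring `x` in getopts and using `sprintf`) settles it either way.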
@@ -93,64 +95,94 @@ my $dn= $user_entry->dn(); my $tmp; my @mods; +if (defined($tmp = $Options{'a'})) { + # Let's connect to the directory first + my $ldap_master=connect_ldap_master(); + my $winmagic = 2147483647; + my $valpwdcanchange = 0; + my $valpwdmustchange = $winmagic; + my $valpwdlastset = 0; + my $valacctflags = "[UX]"; + my $user_entry=read_user_entry($user); + my $uidNumber = $user_entry->get_value('uidNumber'); + my $userRid = 2 * $uidNumber + 1000; + # apply changes + my $modify = $ldap_master->modify ( "$dn", + changes => [ + add => [objectClass => 'sambaSAMAccount'], + add => [sambaPwdLastSet => "$valpwdlastset"], + add => [sambaLogonTime => '0'], + add => [sambaLogoffTime => '2147483647'], + add => [sambaKickoffTime => '2147483647'], + add => [sambaPwdCanChange => "$valpwdcanchange"], + add => [sambaPwdMustChange => "$valpwdmustchange"], + add => [displayName => "$_userGecos"], + add => [sambaSID=> "$SID-$userRid"], + add => [sambaAcctFlags => "$valacctflags"], + ] + ); + $modify->code && warn "failed to modify entry: ", $modify->error ; +} # Process options my $changed_uid; my $_userUidNumber; my $_userRid; if (defined($tmp = $Options{'u'})) { - if (defined($Options{'o'})) { + if (defined($Options{'o'})) { $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1"; if ($nscd_status == 0) { - system "/etc/init.d/nscd stop > /dev/null 2>&1"; + system "/etc/init.d/nscd stop > /dev/null 2>&1"; } if (getpwuid($tmp)) { - if ($nscd_status == 0) { + if ($nscd_status == 0) { system "/etc/init.d/nscd start > /dev/null 2>&1"; - } + } - print "$0: uid number $tmp exists\n"; - exit (6); + print "$0: uid number $tmp exists\n"; + exit (6); } if ($nscd_status == 0) { - system "/etc/init.d/nscd start > /dev/null 2>&1"; + system "/etc/init.d/nscd start > /dev/null 2>&1"; } - } + } push(@mods, 'uidNumber', $tmp); - $_userUidNumber = $tmp; + $_userUidNumber = $tmp; if ($samba) { # as rid we use 2 * uid + 1000 my $_userRid = 2 * $_userUidNumber + 1000; if 
(defined($Options{'x'})) { - $_userRid= sprint("%x", $_userRid); + $_userRid= sprint("%x", $_userRid); } push(@mods, 'sambaSID', $SID.'-'.$_userRid); - } - $changed_uid = 1; + } + $changed_uid = 1; } my $changed_gid; my $_userGidNumber; -my $_userGroupRid; +my $_userGroupSID; if (defined($tmp = $Options{'g'})) { - $_userGidNumber = parse_group($tmp); - if ($_userGidNumber < 0) { + $_userGidNumber = parse_group($tmp); + if ($_userGidNumber < 0) { print "$0: group $tmp doesn't exist\n"; exit (6); - } + } push(@mods, 'gidNumber', $_userGidNumber); if ($samba) { -# as grouprid we use 2 * gid + 1001 - my $_userGroupRid = 2 * $_userGidNumber + 1001; - if (defined($Options{'x'})) { - $_userGroupRid = sprint("%x", $_userGroupRid); - } - push(@mods, 'sambaPrimaryGroupSid', $SID.'-'.$_userGroupRid); + # as grouprid we use the sambaSID attribute's value of the group + my $group_entry = read_group_entry_gid($_userGidNumber); + my $_userGroupSID = $group_entry->get_value('sambaSID'); + unless ($_userGroupSID) { + print "$0: unknown group SID not set for unix group $_userGidNumber\n"; + exit (7); } - $changed_gid = 1; + push(@mods, 'sambaPrimaryGroupSid', $_userGroupSID); + } + $changed_gid = 1; } if (defined($tmp = $Options{'s'})) { @@ -158,7 +190,7 @@ if (defined($tmp = $Options{'s'})) { } -if (defined($tmp = $Options{'c'})) { +if (defined($tmp = $Options{'c'})) { push(@mods, 'gecos' => $tmp, 'description' => $tmp); if ($samba == 1) { 
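Review bot: The new file-scope `my $_userGroupSID;` is never assigned: inside `if ($samba)` the `-g` handler declares a fresh `my $_userGroupSID`, so anything after this block that reads the outer variable sees undef; dropping the inner `my` (`$_userGroupSID = $group_entry->get_value('sambaSID');`) makes the two agree, and `$group_entry` should be checked for undef before `get_value` is called on it. The `-a` block derives `sambaSID` from the entry's current uidNumber and leaves `$samba` at the value computed before it (0 for an account that was not yet a sambaSamAccount), so `-a -u NEWUID` in one invocation records a SID for the old uid while the `-u`/`-g` handlers skip their samba attributes; `$samba = 1 unless $modify->code;` at the end of the block would let the later handlers run. The `$ldap_master` opened inside the `-a` block is a block-scoped lexical that is never unbound here — if the script also keeps a file-level `$ldap_master` for the later `$ldap_master->unbind`, reusing that one avoids a second, leaked session.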
@@ -180,24 +212,24 @@ if (defined($tmp = $Options{'S'})) { if (defined($tmp = $Options{'G'})) { - # remove user from old groups - my $groups = find_groups_of $user; - my @grplines = split(/\n/, $groups); + # remove user from old groups + my $groups = find_groups_of $user; + my @grplines = split(/\n/,$groups); - my $grp; - foreach $grp (@grplines) { + my $grp; + foreach $grp (@grplines) { my $gname = ""; if ( $grp =~ /dn: cn=([^,]+),/) { - $gname = $1; - #print "xx $gname\n"; + $gname = $1; + #print "xx $gname\n"; } if ($gname ne "") { - group_remove_member($gname, $user); + group_remove_member($gname, $user); } - } + } - # add user to new groups - add_grouplist_user($tmp, $user); + # add user to new groups + add_grouplist_user($tmp, $user); } # @@ -212,7 +244,7 @@ if (defined($tmp = $Options{'G'})) { my $attr; my $winmagic = 2147483647; -my $samba = is_samba_user($user); +$samba = is_samba_user($user); if (defined($tmp = $Options{'e'})) { if ($samba == 1) { @@ -234,9 +266,9 @@ if (defined($tmp = $Options{'A'})) { $_sambaPwdCanChange=$winmagic; } push(@mods, 'sambaPwdCanChange' => $_sambaPwdCanChange); - } else { + } else { print "User $user is not a samba user\n"; - } + } } my $_sambaPwdMustChange; 
@@ -244,13 +276,31 @@ if (defined($tmp = $Options{'B'})) {
 if ($samba == 1) {
 if ($tmp != 0) {
 $_sambaPwdMustChange=0;
+ # To force a user to change his password:
+ # . the attribut sambaPwdLastSet must be != 0
+ # . the attribut sambaAcctFlags must not match the 'X' flag
+ my $_sambaAcctFlags;
+ my $flags = $user_entry->get_value('sambaAcctFlags');
+ if ( $flags =~ /X/ ) {
+ my $letters;
+ if ($flags =~ /(\w+)/) {
+ $letters = $1;
+ }
+ $letters =~ s/X//;
+ $_sambaAcctFlags="\[$letters\]";
+ push(@mods, 'sambaAcctFlags' => $_sambaAcctFlags);
+ }
+ my $_sambaPwdLastSet = $user_entry->get_value('sambaPwdLastSet');
+ if ($_sambaPwdLastSet == 0) {
+ push(@mods, 'sambaPwdLastSet' => $winmagic);
+ }
 } else {
 $_sambaPwdMustChange=$winmagic;
 }
 push(@mods, 'sambaPwdMustChange' => $_sambaPwdMustChange);
- } else {
+ } else {
 print "User $user is not a samba user\n";
- }
+ }
 }
 if (defined($tmp = $Options{'C'})) {
@@ -292,7 +342,7 @@ if (defined($tmp = $Options{'F'})) {
 if ($samba == 1 and (defined $Options{'H'} or defined $Options{'I'} or defined $Options{'J'})) {
 my $_sambaAcctFlags;
-if (defined($tmp = $Options{'H'})) {
+ if (defined($tmp = $Options{'H'})) {
 #$tmp =~ s/\\/\\\\/g;
 $_sambaAcctFlags=$tmp;
 } else {
@@ -301,24 +351,24 @@ if (defined($tmp = $Options{'H'})) {
 $flags = $user_entry->get_value('sambaAcctFlags');
 if (defined($tmp = $Options{'I'})) {
- if ( !($flags =~ /D/) ) {
- my $letters;
- if ($flags =~ /(\w+)/) {
- $letters = $1;
- }
+ if ( !($flags =~ /D/) ) {
+ my $letters;
+ if ($flags =~ /(\w+)/) {
+ $letters = $1;
+ }
 $_sambaAcctFlags="\[D$letters\]";
- }
-} elsif (defined($tmp = $Options{'J'})) {
- if ( $flags =~ /D/ ) {
- my $letters;
- if ($flags =~ /(\w+)/) {
- $letters = $1;
- }
- $letters =~ s/D//;
+ }
+ } elsif (defined($tmp = $Options{'J'})) {
+ if ( $flags =~ /D/ ) {
+ my $letters;
+ if ($flags =~ /(\w+)/) {
+ $letters = $1;
+ }
+ $letters =~ s/D//;
 $_sambaAcctFlags="\[$letters\]";
 }
- }
-}
+ }
+ }
 if ("$_sambaAcctFlags" ne '') {
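Review bot: `-B 1` now pushes a rewritten `sambaAcctFlags` onto `@mods`, but the `-H`/`-I`/`-J` block later in this file recomputes `sambaAcctFlags` from the entry's stored `$flags` (which still contain X) and pushes it again, so `@mods` carries two values for the same attribute; if `@mods` is flattened into a hash the way smbldap-useradd does (`'replace' => { @mods }`), the last one wins and `-B 1 -J` silently re-enables X. Deriving the `-I`/`-J` letters from the already-stripped value, or applying the X removal once after that block, avoids the conflict. Under the new `-w` shebang an entry without sambaAcctFlags makes `$flags =~ /X/` warn, and flags with no word characters leave `$letters` undef and produce `[]`; `my $flags = $user_entry->get_value('sambaAcctFlags') || '';` plus a `defined $letters` guard keeps the written value well-formed.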
@@ -344,7 +394,11 @@ $ldap_master->unbind; $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1"; if ($nscd_status == 0) { - system "/etc/init.d/nscd restart > /dev/null 2>&1"; + system "/etc/init.d/nscd restart > /dev/null 2>&1"; +} + +if (defined($Options{'P'})) { + exec "/usr/local/sbin/smbldap-passwd.pl $user" } @@ -352,32 +406,32 @@ if ($nscd_status == 0) { =head1 NAME - smbldap-usermod.pl - Modify a user account +smbldap-usermod.pl - Modify a user account =head1 SYNOPSIS - smbldap-usermod.pl [-c comment] [-d home_dir] - [-g initial_group] [-G group[,...]] - [-l login_name] [-p passwd] - [-s shell] [-u uid [ -o]] [-x] - [-A canchange] [-B mustchange] [-C smbhome] - [-D homedrive] [-E scriptpath] [-F profilepath] - [-H acctflags] login +smbldap-usermod.pl [-c comment] [-d home_dir] + [-g initial_group] [-G group[,...]] + [-l login_name] [-p passwd] + [-s shell] [-u uid [ -o]] [-x] + [-A canchange] [-B mustchange] [-C smbhome] + [-D homedrive] [-E scriptpath] [-F profilepath] + [-H acctflags] login =head1 DESCRIPTION - The smbldap-usermod.pl command modifies the system account files - to reflect the changes that are specified on the command line. - The options which apply to the usermod command are +The smbldap-usermod.pl command modifies the system account files + to reflect the changes that are specified on the command line. + The options which apply to the usermod command are - -c comment - The new value of the user's comment field (gecos). + -c comment + The new value of the user's comment field (gecos). -d home_dir The user's new login directory. - -g initial_group - The group name or number of the user's new initial login group. + -g initial_group + The group name or number of the user's new initial login group. The group name must exist. A group number must refer to an already existing group. The default group number is 1. 
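Review bot: The new `exec "/usr/local/sbin/smbldap-passwd.pl $user"` interpolates `$user` — taken from `$ARGV[0]` and only checked for existence in LDAP — into a shell command line that runs as root, and it has no failure check. The list form bypasses the shell and the script's own `$RealBin` keeps the path co-located with the other tools: `exec "$RealBin/smbldap-passwd.pl", $user or die "$0: exec smbldap-passwd.pl: $!\n";`. smbldap-useradd.pl has the same string-form exec (its hunk at old line 357); there `$userName` was at least validated by the `/^([\w -]+\$?)$/` check earlier, but the list form is still preferable in both.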
@@ -391,18 +445,18 @@ if ($nscd_status == 0) { -l login_name The name of the user will be changed from login to login_name. - Nothing else is changed. In particular, the user's home direc­ - tory name should probably be changed to reflect the new login - name. + Nothing else is changed. In particular, the user's home direc + tory name should probably be changed to reflect the new login + name. - -s shell - The name of the user's new login shell. Setting this field to + -s shell + The name of the user's new login shell. Setting this field to blank causes the system to select the default login shell. -u uid The numerical value of the user's ID. This value must be - unique, unless the -o option is used. The value must be non- - negative. Any files which the user owns and which are - located in the directory tree rooted at the user's home direc­ + unique, unless the -o option is used. The value must be non- + negative. Any files which the user owns and which are + located in the directory tree rooted at the user's home direc tory will have the file user ID changed automatically. Files outside of the user's home directory must be altered manually. diff --git a/examples/LDAP/smbldap-tools/smbldap-usershow.pl b/examples/LDAP/smbldap-tools/smbldap-usershow.pl index 555b35ffd8..c1e35a5be2 100755 --- a/examples/LDAP/smbldap-tools/smbldap-usershow.pl +++ b/examples/LDAP/smbldap-tools/smbldap-usershow.pl @@ -1,5 +1,7 @@ #!/usr/bin/perl -w +# $Id: smbldap-usershow.pl,v 1.1.6.3 2003/12/04 21:59:19 jerry Exp $ +# # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # @@ -34,8 +36,8 @@ my %Options; my $ok = getopts('?', \%Options); if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) { - print "Usage: $0 [-?] username\n"; - print " -? show this help message\n"; + print "Usage: $0 [-?] username\n"; + print " -? show this help message\n"; exit (1); } 
diff --git a/examples/LDAP/smbldap-tools/smbldap_conf.pm b/examples/LDAP/smbldap-tools/smbldap_conf.pm index c3d5c1732c..07961903ca 100644 --- a/examples/LDAP/smbldap-tools/smbldap_conf.pm +++ b/examples/LDAP/smbldap-tools/smbldap_conf.pm @@ -2,6 +2,9 @@ use strict; package smbldap_conf; +# $Dource: $ +# $Id: smbldap_conf.pm,v 1.1.6.4 2003/12/04 21:59:19 jerry Exp $ +# # smbldap-tools.conf : Q & D configuration file for smbldap-tools # This code was developped by IDEALX (http://IDEALX.org/) and 
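Review bot: `# $Dource: $` in the new header looks like a typo for the `$Source: $` RCS keyword; as written it will never be expanded. Change it to `# $Source: $` or drop the line, since the `$Id: ...$` line below already carries the path.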
@@ -28,33 +31,33 @@ package smbldap_conf; # . be the configuration file for all smbldap-tools scripts use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS -$UID_START $GID_START $smbpasswd $slaveLDAP $masterLDAP -$slavePort $masterPort $ldapSSL $slaveURI $masterURI $with_smbpasswd $mk_ntpasswd -$ldap_path $ldap_opts $ldapmodify $suffix $usersdn $computersdn -$groupsdn $scope $binddn $bindpasswd -$slaveDN $slavePw $masterDN $masterPw -$_userLoginShell $_userHomePrefix $_userGecos -$_defaultUserGid $_defaultComputerGid -$_skeletonDir $_userSmbHome -$_userProfile $_userHomeDrive -$_userScript $usersou $computersou $groupsou $SID $hash_encrypt -); + $UID_START $GID_START $smbpasswd $slaveLDAP $masterLDAP + $slavePort $masterPort $ldapSSL $slaveURI $masterURI $with_smbpasswd $mk_ntpasswd + $ldap_path $ldap_opts $ldapmodify $suffix $usersdn $computersdn + $groupsdn $scope $binddn $bindpasswd + $slaveDN $slavePw $masterDN $masterPw + $_userLoginShell $_userHomePrefix $_userGecos + $_defaultUserGid $_defaultComputerGid + $_skeletonDir $_userSmbHome + $_userProfile $_userHomeDrive + $_userScript $usersou $computersou $groupsou $SID $hash_encrypt $_defaultMaxPasswordAge + ); use Exporter; $VERSION = 1.00; @ISA = qw(Exporter); @EXPORT = qw( -$UID_START $GID_START $smbpasswd $slaveLDAP $masterLDAP -$slavePort $masterPort $ldapSSL $slaveURI $masterURI $with_smbpasswd $mk_ntpasswd -$ldap_path $ldap_opts $ldapmodify $suffix $usersdn -$computersdn $groupsdn $scope $binddn $bindpasswd -$slaveDN $slavePw $masterDN $masterPw -$_userLoginShell $_userHomePrefix $_userGecos -$_defaultUserGid $_defaultComputerGid $_skeletonDir -$_userSmbHome $_userProfile $_userHomeDrive $_userScript -$usersou $computersou $groupsou $SID $hash_encrypt -); + $UID_START $GID_START $smbpasswd $slaveLDAP $masterLDAP + $slavePort $masterPort $ldapSSL $slaveURI $masterURI $with_smbpasswd $mk_ntpasswd + $ldap_path $ldap_opts $ldapmodify $suffix $usersdn + $computersdn $groupsdn $scope $binddn $bindpasswd + 
$slaveDN $slavePw $masterDN $masterPw + $_userLoginShell $_userHomePrefix $_userGecos + $_defaultUserGid $_defaultComputerGid $_skeletonDir + $_userSmbHome $_userProfile $_userHomeDrive $_userScript + $usersou $computersou $groupsou $SID $hash_encrypt $_defaultMaxPasswordAge + ); ############################################################################## @@ -101,7 +104,7 @@ $ldapSSL = "0"; # LDAP Suffix # Ex: $suffix = "dc=IDEALX,dc=ORG"; -$suffix = "dc=IDEALX,dc=ORG"; +$suffix = "dc=IDEALX,dc=COM"; # Where are stored Users @@ -156,7 +159,7 @@ $masterPw = $bindpasswd; $_userLoginShell = q(_LOGINSHELL_); # Home directory prefix (without username) -#Ex: $_userHomePrefix = q(/home/); +# Ex: $_userHomePrefix = q(/home/); $_userHomePrefix = q(_HOMEPREFIX_); # Gecos @@ -171,6 +174,11 @@ $_defaultComputerGid = 553; # Skel dir $_skeletonDir = q(/etc/skel); +# Default password validation time (time in days) Comment the next line if +# you don't want password to be enable for $_defaultMaxPasswordAge days (be +# careful to the sambaPwdMustChange attribute's value) +$_defaultMaxPasswordAge = 45; + ############################################################################## # # SAMBA Configuration @@ -180,11 +188,15 @@ $_skeletonDir = q(/etc/skel); # The UNC path to home drives location without the username last extension # (will be dynamically prepended) # Ex: q(\\\\My-PDC-netbios-name\\homes) for \\My-PDC-netbios-name\homes +# Just comment this if you want to use the smb.conf 'logon home' directive +# and/or desabling roaming profiles $_userSmbHome = q(\\\\_PDCNAME_\\homes); # The UNC path to profiles locations without the username last extension # (will be dynamically prepended) # Ex: q(\\\\My-PDC-netbios-name\\profiles\\) for \\My-PDC-netbios-name\profiles +# Just comment this if you want to use the smb.conf 'logon path' directive +# and/or desabling roaming profiles $_userProfile = q(\\\\_PDCNAME_\\profiles\\); # The default Home Drive Letter mapping 
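Review bot: The comment above `$_defaultMaxPasswordAge = 45;` tells the administrator to comment the line out to disable the feature, but the variable stays in `@EXPORT`, so importers then see undef rather than an explicit "disabled" value; the scripts that consume it (not in this hunk) need a `defined $_defaultMaxPasswordAge` check, and the comment should say that a commented-out line means undef. The wording is also garbled (`password to be enable` here, `desabling` in the two later comments); suggested text: `# Default password validity in days. Comment the next line out if you do not want passwords to expire after $_defaultMaxPasswordAge days (check the sambaPwdMustChange attribute value).`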
@@ -194,7 +206,7 @@ $_userHomeDrive = q(_HOMEDRIVE_); # The default user netlogon script name # if not used, will be automatically username.cmd -#$_userScript = q(startup.cmd); # make sure script file is edited under dos +# $_userScript = q(startup.cmd); # make sure script file is edited under dos ############################################################################## @@ -211,13 +223,13 @@ $mk_ntpasswd = "/usr/local/sbin/mkntpwd"; # those next externals commands are kept fot the migration scripts and # for the populate script: this will be updated as soon as possible - $slaveURI = "ldap://$slaveLDAP:$slavePort"; - $masterURI = "ldap://$masterLDAP:$masterPort"; +$slaveURI = "ldap://$slaveLDAP:$slavePort"; +$masterURI = "ldap://$masterLDAP:$masterPort"; $ldap_path = "/usr/bin"; if ( $ldapSSL eq "0" ) { -$ldap_opts = "-x"; + $ldap_opts = "-x"; } elsif ( $ldapSSL eq "1" ) { $ldap_opts = "-x -Z"; } else { diff --git a/examples/LDAP/smbldap-tools/smbldap_tools.pm b/examples/LDAP/smbldap-tools/smbldap_tools.pm index 8001442fe8..b7b134f3fd 100755 --- a/examples/LDAP/smbldap-tools/smbldap_tools.pm +++ b/examples/LDAP/smbldap-tools/smbldap_tools.pm @@ -4,6 +4,8 @@ package smbldap_tools; use smbldap_conf; use Net::LDAP; +# $Id: smbldap_tools.pm,v 1.1.6.4 2003/12/04 21:59:20 jerry Exp $ +# # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # 
@@ -34,36 +36,40 @@ $VERSION = 1.00; @ISA = qw(Exporter); @EXPORT = qw( -get_user_dn -get_group_dn + get_user_dn + get_group_dn is_group_member -is_samba_user + is_samba_user is_unix_user -is_user_valid -get_dn_from_line -add_posix_machine -add_samba_machine -add_samba_machine_mkntpwd -group_add_user -add_grouplist_user -disable_user -delete_user -group_add + is_user_valid + does_sid_exist + get_dn_from_line + add_posix_machine + add_samba_machine + add_samba_machine_mkntpwd + group_add_user + add_grouplist_user + disable_user + delete_user + group_add group_del -get_homedir -read_user + get_homedir + read_user read_user_entry -read_group -find_groups_of -parse_group -group_remove_member -group_get_members -do_ldapadd -do_ldapmodify -get_user_dn2 + read_group + read_group_entry + read_group_entry_gid + find_groups_of + parse_group + group_remove_member + group_get_members + do_ldapadd + do_ldapmodify + get_user_dn2 connect_ldap_master connect_ldap_slave -); + group_type_by_name + ); sub connect_ldap_master { @@ -116,14 +122,14 @@ sub connect_ldap_slave } sub get_user_dn -{ + { my $user = shift; my $dn=''; my $ldap_slave=connect_ldap_slave(); my $mesg = $ldap_slave->search ( base => $suffix, - scope => $scope, - filter => "(&(objectclass=posixAccount)(uid=$user))" - ); + scope => $scope, + filter => "(&(objectclass=posixAccount)(uid=$user))" + ); $mesg->code && die $mesg->error; foreach my $entry ($mesg->all_entries) { $dn= $entry->dn; 
@@ -131,70 +137,70 @@ sub get_user_dn $ldap_slave->unbind; chomp($dn); if ($dn eq '') { - return undef; + return undef; } $dn="dn: ".$dn; return $dn; -} + } sub get_user_dn2 -{ + { my $user = shift; my $dn=''; my $ldap_slave=connect_ldap_slave(); my $mesg = $ldap_slave->search ( base => $suffix, - scope => $scope, - filter => "(&(objectclass=posixAccount)(uid=$user))" - ); + scope => $scope, + filter => "(&(objectclass=posixAccount)(uid=$user))" + ); $mesg->code && warn "failed to perform search; ", $mesg->error; foreach my $entry ($mesg->all_entries) { - $dn= $entry->dn; + $dn= $entry->dn; } $ldap_slave->unbind; chomp($dn); if ($dn eq '') { - return (1,undef); + return (1,undef); } $dn="dn: ".$dn; return (1,$dn); -} + } sub get_group_dn { - my $group = shift; - my $dn=''; + my $group = shift; + my $dn=''; my $ldap_slave=connect_ldap_slave(); my $mesg = $ldap_slave->search ( base => $groupsdn, - scope => $scope, - filter => "(&(objectclass=posixGroup)(|(cn=$group)(gidNumber=$group)))" - ); - $mesg->code && die $mesg->error; - foreach my $entry ($mesg->all_entries) { + scope => $scope, + filter => "(&(objectclass=posixGroup)(|(cn=$group)(gidNumber=$group)))" + ); + $mesg->code && die $mesg->error; + foreach my $entry ($mesg->all_entries) { $dn= $entry->dn; } $ldap_slave->unbind; - chomp($dn); - if ($dn eq '') { + chomp($dn); + if ($dn eq '') { return undef; - } - $dn="dn: ".$dn; - return $dn; + } + $dn="dn: ".$dn; + return $dn; } # return (success, dn) # bool = is_samba_user($username) sub is_samba_user { - my $user = shift; + my $user = shift; my $ldap_slave=connect_ldap_slave(); my $mesg = $ldap_slave->search ( base => $suffix, - scope => $scope, - filter => "(&(objectClass=sambaSamAccount)(uid=$user))" - ); - $mesg->code && die $mesg->error; + scope => $scope, + filter => "(&(objectClass=sambaSamAccount)(uid=$user))" + ); + $mesg->code && die $mesg->error; $ldap_slave->unbind; return ($mesg->count ne 0); } 
@@ -217,52 +223,68 @@ sub is_group_member my $dn_group = shift; my $user = shift; my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( - base => "$dn_group", + my $mesg = $ldap_slave->search ( base => $dn_group, scope => 'base', filter => "(&(memberUid=$user))" ); $mesg->code && die $mesg->error; $ldap_slave->unbind; - return ($mesg->count ne 0); + return ($mesg->count ne 0); } +# all entries = does_sid_exist($sid,$scope) +sub does_sid_exist + { + my $sid = shift; + my $dn_group=shift; + my $ldap_slave=connect_ldap_slave(); + my $mesg = $ldap_slave->search ( base => $dn_group, + scope => $scope, + filter => "(sambaSID=$sid)" + #filter => "(&(objectClass=sambaSAMAccount|objectClass=sambaGroupMapping)(sambaSID=$sid))" + ); + $mesg->code && die $mesg->error; + $ldap_slave->unbind; + return ($mesg); + } # try to bind with user dn and password to validate current password sub is_user_valid { - my ($user, $dn, $pass) = @_; - my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; - my $mesg= $ldap->bind (dn => $dn, password => $pass ); + my ($user, $dn, $pass) = @_; + my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; + my $mesg= $ldap->bind (dn => $dn, password => $pass ); if ($mesg->code eq 0) { - $ldap->unbind; - return 1; + $ldap->unbind; + return 1; } else { - if($ldap->bind()) { + if ($ldap->bind()) { $ldap->unbind; return 0; - } else { + } else { print ("The LDAP directory is not available.\n Check the server, cables ..."); $ldap->unbind; return 0; } die "Problem : contact your administrator"; } -} + } + # dn = get_dn_from_line ($dn_line) # helper to get "a=b,c=d" from "dn: a=b,c=d" sub get_dn_from_line { - my $dn = shift; - $dn =~ s/^dn: //; - return $dn; + my $dn = shift; + $dn =~ s/^dn: //; + return $dn; } + # success = add_posix_machine($user, $uid, $gid) sub add_posix_machine { - my ($user, $uid, $gid) = @_; + my ($user, $uid, $gid) = @_; # bind to a directory with dn and password my $ldap_master=connect_ldap_master(); my $add 
= $ldap_master->add ( "uid=$user,$computersdn", @@ -288,27 +310,27 @@ sub add_posix_machine # success = add_samba_machine($computername) sub add_samba_machine -{ + { my $user = shift; system "smbpasswd -a -m $user"; return 1; -} + } sub add_samba_machine_mkntpwd { - my ($user, $uid) = @_; - my $sambaSID = 2 * $uid + 1000; - my $name = $user; - $name =~ s/.$//s; + my ($user, $uid) = @_; + my $sambaSID = 2 * $uid + 1000; + my $name = $user; + $name =~ s/.$//s; - if ($mk_ntpasswd eq '') { + if ($mk_ntpasswd eq '') { print "Either set \$with_smbpasswd = 1 or specify \$mk_ntpasswd\n"; return 0; - } + } - my $ntpwd = `$mk_ntpasswd '$name'`; - chomp(my $lmpassword = substr($ntpwd, 0, index($ntpwd, ':'))); - chomp(my $ntpassword = substr($ntpwd, index($ntpwd, ':')+1)); + my $ntpwd = `$mk_ntpasswd '$name'`; + chomp(my $lmpassword = substr($ntpwd, 0, index($ntpwd, ':'))); + chomp(my $ntpassword = substr($ntpwd, index($ntpwd, ':')+1)); my $ldap_master=connect_ldap_master(); my $modify = $ldap_master->modify ( "uid=$user,$computersdn", @@ -330,7 +352,7 @@ sub add_samba_machine_mkntpwd $modify->code && die "failed to add entry: ", $modify->error ; - return 1; + return 1; # take down the session $ldap_master->unbind; @@ -339,16 +361,16 @@ sub add_samba_machine_mkntpwd sub group_add_user { - my ($group, $userid) = @_; - my $members=''; - my $dn_line = get_group_dn($group); + my ($group, $userid) = @_; + my $members=''; + my $dn_line = get_group_dn($group); if (!defined(get_group_dn($group))) { print "$0: group \"$group\" doesn't exist\n"; exit (6); } - if (!defined($dn_line)) { + if (!defined($dn_line)) { return 1; - } + } my $dn = get_dn_from_line("$dn_line"); # on look if the user is already present in the group my $is_member=is_group_member($dn,$userid); @@ -367,8 +389,8 @@ sub group_add_user $modify->code && die "failed to modify entry: ", $modify->error ; # take down session $ldap_master->unbind; - } - } + } + } sub group_del { 
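Review bot: In the new `does_sid_exist`, the header comment `# all entries = does_sid_exist($sid,$scope)` does not describe the code: the second argument is read into `$dn_group` and used as the search base, `scope` comes from the package-level `$scope`, and the sub returns the whole `Net::LDAP::Search` object rather than the boolean that `is_samba_user` and `is_group_member` return from `$mesg->count`. `$sid` is also interpolated straight into `filter => "(sambaSID=$sid)"`, so a value carrying filter metacharacters alters the query; escaping it with `Net::LDAP::Util::escape_filter_value` (if the installed perl-ldap provides it) or rejecting anything that does not match an anchored SID pattern before the search keeps the lookup to the intended attribute. I would rewrite the comment as `# $mesg = does_sid_exist($sid, $base_dn)  -- Net::LDAP::Search result; test ->count for existence` and either delete the dead `#filter => ...` line or say why it is kept.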
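Review bot: The re-indented `return 1;` in `add_samba_machine_mkntpwd` still precedes `# take down the session` / `$ldap_master->unbind;`, so the unbind is unreachable and the master connection stays open after every successful call. Swapping the two statements fixes it: `$ldap_master->unbind;` then `return 1;`. In the same function, the preceding hunk re-indents ``my $ntpwd = `$mk_ntpasswd '$name'`;``, which hands a machine name to the shell inside single quotes; the list-form pipe `open my $fh, '-|', $mk_ntpasswd, $name or die "$mk_ntpasswd: $!";` avoids the shell entirely and does not break on a name containing a quote. The body of add_samba_machine_mkntpwd continues outside this hunk.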
@@ -383,23 +405,23 @@ sub group_del sub add_grouplist_user { - my ($grouplist, $user) = @_; - my @array = split(/,/, $grouplist); - foreach my $group (@array) { + my ($grouplist, $user) = @_; + my @array = split(/,/, $grouplist); + foreach my $group (@array) { group_add_user($group, $user); - } + } } sub disable_user { - my $user = shift; - my $dn_line; + my $user = shift; + my $dn_line; my $dn = get_dn_from_line($dn_line); - - if (!defined($dn_line = get_user_dn($user))) { + + if (!defined($dn_line = get_user_dn($user))) { print "$0: user $user doesn't exist\n"; exit (10); - } + } my $ldap_master=connect_ldap_master(); my $modify = $ldap_master->modify ( "$dn", changes => [ @@ -408,14 +430,14 @@ sub disable_user ); $modify->code && die "failed to modify entry: ", $modify->error ; - if (is_samba_user($user)) { + if (is_samba_user($user)) { my $modify = $ldap_master->modify ( "$dn", changes => [ replace => [sambaAcctFlags => '[D ]'] ] ); $modify->code && die "failed to modify entry: ", $modify->error ; - } + } # take down session $ldap_master->unbind; } 
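Review bot: In `disable_user`, `my $dn = get_dn_from_line($dn_line);` runs while `$dn_line` is still the undefined value from the re-indented `my $dn_line;` declaration; it is only assigned two lines later inside `if (!defined($dn_line = get_user_dn($user)))`, so `$dn` is undefined (with an uninitialized-value warning from the substitution) and `$ldap_master->modify ( "$dn", ...)` is issued against an empty DN instead of the user's entry. Move the conversion after the existence check, immediately before `my $ldap_master=connect_ldap_master();`: `my $dn = get_dn_from_line($dn_line);`. The second `modify` on the same `"$dn"` sits in the following hunk and is affected in the same way; the body of disable_user continues there.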
@@ -423,43 +445,43 @@ sub disable_user # delete_user($user) sub delete_user { - my $user = shift; - my $dn_line; + my $user = shift; + my $dn_line; - if (!defined($dn_line = get_user_dn($user))) { + if (!defined($dn_line = get_user_dn($user))) { print "$0: user $user doesn't exist\n"; exit (10); - } + } - my $dn = get_dn_from_line($dn_line); + my $dn = get_dn_from_line($dn_line); my $ldap_master=connect_ldap_master(); my $modify = $ldap_master->delete($dn); $ldap_master->unbind; } -# $success = group_add($groupname, $group_gid, $force_using_existing_gid) +# $gid = group_add($groupname, $group_gid, $force_using_existing_gid) sub group_add { - my ($gname, $gid, $force) = @_; - my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1"; - if ($nscd_status == 0) { + my ($gname, $gid, $force) = @_; + my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1"; + if ($nscd_status == 0) { system "/etc/init.d/nscd stop > /dev/null 2>&1"; - } - if (!defined($gid)) { + } + if (!defined($gid)) { while (defined(getgrgid($GID_START))) { - $GID_START++; + $GID_START++; } $gid = $GID_START; - } else { + } else { if (!defined($force)) { - if (defined(getgrgid($gid))) { - return 0; - } + if (defined(getgrgid($gid))) { + return undef; + } } - } - if ($nscd_status == 0) { + } + if ($nscd_status == 0) { system "/etc/init.d/nscd start > /dev/null 2>&1"; - } + } my $ldap_master=connect_ldap_master(); my $modify = $ldap_master->add ( "cn=$gname,$groupsdn", attrs => [ 
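Review bot: `return undef;` replacing `return 0;` in `group_add` fits the new `# $gid = group_add(...)` contract, but the idiomatic form is a bare `return;`: `return undef` yields the one-element list `(undef)` in list context, so a caller written as `if (my ($gid) = group_add(...))` sees a true value on failure. The duplicate check only consults `getgrgid` (local NSS), so with `$force` set, or when NSS is not backed by this directory, the `"cn=$gname,$groupsdn"` add further down can still hit an existing entry and die; a note on the header comment saying that `$force` skips the NSS check only would set expectations. The body of group_add continues into the next hunk.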
@@ -472,67 +494,67 @@ sub group_add $modify->code && die "failed to add entry: ", $modify->error ; # take down session $ldap_master->unbind; - return 1; + return $gid; } # $homedir = get_homedir ($user) sub get_homedir { - my $user = shift; - my $homeDir=''; + my $user = shift; + my $homeDir=''; my $ldap_slave=connect_ldap_slave(); my $mesg = $ldap_slave->search ( base =>$suffix, scope => $scope, filter => "(&(objectclass=posixAccount)(uid=$user))" ); - $mesg->code && die $mesg->error; - foreach my $entry ($mesg->all_entries){ + $mesg->code && die $mesg->error; + foreach my $entry ($mesg->all_entries) { foreach my $attr ($entry->attributes) { - if ($attr=~/\bhomeDirectory\b/){ - foreach my $ent($entry->get_value($attr)) { + if ($attr=~/\bhomeDirectory\b/) { + foreach my $ent ($entry->get_value($attr)) { $homeDir.= $attr.": ".$ent."\n"; - } + } } - } - } + } + } $ldap_slave->unbind; - chomp $homeDir; - if ($homeDir eq '') { + chomp $homeDir; + if ($homeDir eq '') { return undef; - } - $homeDir =~ s/^homeDirectory: //; - return $homeDir; + } + $homeDir =~ s/^homeDirectory: //; + return $homeDir; } # search for an user sub read_user { - my $user = shift; - my $lines =''; + my $user = shift; + my $lines =''; my $ldap_slave=connect_ldap_slave(); my $mesg = $ldap_slave->search ( # perform a search - base => $suffix, - scope => $scope, - filter => "(&(objectclass=posixAccount)(uid=$user))" - ); + base => $suffix, + scope => $scope, + filter => "(&(objectclass=posixAccount)(uid=$user))" + ); - $mesg->code && die $mesg->error; - foreach my $entry ($mesg->all_entries) { + $mesg->code && die $mesg->error; + foreach my $entry ($mesg->all_entries) { $lines.= "dn: " . 
$entry->dn."\n"; foreach my $attr ($entry->attributes) { - { + { $lines.= $attr.": ".join(',', $entry->get_value($attr))."\n"; - } + } } - } + } # take down session $ldap_slave->unbind; - chomp $lines; - if ($lines eq '') { + chomp $lines; + if ($lines eq '') { return undef; - } - return $lines; + } + return $lines; } # search for a user 
@@ -556,86 +578,124 @@ sub read_user_entry # search for a group sub read_group { - my $user = shift; - my $lines =''; + my $user = shift; + my $lines =''; my $ldap_slave=connect_ldap_slave(); my $mesg = $ldap_slave->search ( # perform a search - base => $groupsdn, - scope => $scope, - filter => "(&(objectclass=posixGroup)(cn=$user))" - ); + base => $groupsdn, + scope => $scope, + filter => "(&(objectclass=posixGroup)(cn=$user))" + ); - $mesg->code && die $mesg->error; - foreach my $entry ($mesg->all_entries) { + $mesg->code && die $mesg->error; + foreach my $entry ($mesg->all_entries) { $lines.= "dn: " . $entry->dn."\n"; foreach my $attr ($entry->attributes) { - { + { $lines.= $attr.": ".join(',', $entry->get_value($attr))."\n"; - } + } } - } + } # take down session $ldap_slave->unbind; - chomp $lines; - if ($lines eq '') { + chomp $lines; + if ($lines eq '') { return undef; - } - return $lines; + } + return $lines; } # find groups of a given user ##### MODIFIE ######## sub find_groups_of { - my $user = shift; - my $lines =''; + my $user = shift; + my $lines =''; my $ldap_slave=connect_ldap_slave; my $mesg = $ldap_slave->search ( # perform a search - base => $groupsdn, - scope => $scope, - filter => "(&(objectclass=posixGroup)(memberuid=$user))" - ); - $mesg->code && die $mesg->error; - foreach my $entry ($mesg->all_entries) { + base => $groupsdn, + scope => $scope, + filter => "(&(objectclass=posixGroup)(memberuid=$user))" + ); + $mesg->code && die $mesg->error; + foreach my $entry ($mesg->all_entries) { $lines.= "dn: ".$entry->dn."\n"; - } + } $ldap_slave->unbind; - chomp($lines); + chomp($lines); if ($lines eq '') { return undef; } - return $lines; + return $lines; + } + +sub read_group_entry { + my $group = shift; + my $entry; + my %res; + my $ldap_slave=connect_ldap_slave(); + my $mesg = $ldap_slave->search ( # perform a search + base => $groupsdn, + scope => $scope, + filter => "(&(objectclass=posixGroup)(cn=$group))" + ); + + $mesg->code && die $mesg->error; 
+ my $nb=$mesg->count; + if ($nb > 1) { + print "Error: $nb groups exist \"cn=$group\"\n"; + foreach $entry ($mesg->all_entries) { my $dn=$entry->dn; print " $dn\n"; } + exit 11; + } else { + $entry = $mesg->shift_entry(); } + return $entry; +} + +sub read_group_entry_gid { + my $group = shift; + my %res; + my $ldap_slave=connect_ldap_slave(); + my $mesg = $ldap_slave->search ( # perform a search + base => $groupsdn, + scope => $scope, + filter => "(&(objectclass=posixGroup)(gidNumber=$group))" + ); + + $mesg->code && die $mesg->error; + my $entry = $mesg->shift_entry(); + return $entry; +} # return the gidnumber for a group given as name or gid # -1 : bad group name # -2 : bad gidnumber sub parse_group { - my $userGidNumber = shift; - if ($userGidNumber =~ /[^\d]/ ) { + my $userGidNumber = shift; + if ($userGidNumber =~ /[^\d]/ ) { my $gname = $userGidNumber; my $gidnum = getgrnam($gname); if ($gidnum !~ /\d+/) { - return -1; + return -1; } else { - $userGidNumber = $gidnum; + $userGidNumber = $gidnum; } - } elsif (!defined(getgrgid($userGidNumber))) { + } elsif (!defined(getgrgid($userGidNumber))) { return -2; - } - return $userGidNumber; + } + return $userGidNumber; } # remove $user from $group sub group_remove_member { - my ($group, $user) = @_; - my $members=''; - my $grp_line = get_group_dn($group); - if (!defined($grp_line)) { + my ($group, $user) = @_; + my $members=''; + my $grp_line = get_group_dn($group); + if (!defined($grp_line)) { return 0; - } + } my $dn = get_dn_from_line($grp_line); # we test if the user exist in the group my $is_member=is_group_member($dn,$user); 
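Review bot: The new subs `read_group_entry` and `read_group_entry_gid` never call `$ldap_slave->unbind`, unlike every other search helper in this module, so each call leaves a slave connection open until the object is destroyed; both also declare an unused `my %res;`. `read_group_entry` prints a message and calls `exit 11` from library code when more than one group matches, taking the calling script down with no way to handle the condition; `die "Error: $nb groups exist \"cn=$group\"\n";` (or returning undef) keeps that decision with the caller and matches the `die $mesg->error` style two lines earlier. As with the other filters here, `$group` goes unescaped into `filter => "(&(objectclass=posixGroup)(cn=$group))"`; for `read_group_entry_gid` a gidNumber is numeric, so `return unless $group =~ /\A\d+\z/;` before the search is a cheap guard, and the parameter would read better as `$gid`. A one-line header for each, e.g. `# $entry = read_group_entry($groupname)   # Net::LDAP::Entry, or undef when absent`, would match the rest of the file.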
@@ -646,40 +706,40 @@ sub group_remove_member changes => [ delete => [memberUid => ["$user"]] ] - ); + ); $modify->code && die "failed to delete entry: ", $modify->error ; $ldap_master->unbind; - } - return 1; + } + return 1; } sub group_get_members { - my ($group) = @_; - my $members; - my @resultat; - my $grp_line = get_group_dn($group); + my ($group) = @_; + my $members; + my @resultat; + my $grp_line = get_group_dn($group); if (!defined($grp_line)) { return 0; } - my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; - $ldap->bind ; + my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; + $ldap->bind ; my $mesg = $ldap->search ( base => $groupsdn, - scope => $scope, - filter => "(&(objectclass=posixgroup)(cn=$group))" - ); - $mesg->code && die $mesg->error; - foreach my $entry ($mesg->all_entries){ - foreach my $attr ($entry->attributes){ - if ($attr=~/\bmemberUid\b/){ + scope => $scope, + filter => "(&(objectclass=posixgroup)(cn=$group))" + ); + $mesg->code && die $mesg->error; + foreach my $entry ($mesg->all_entries) { + foreach my $attr ($entry->attributes) { + if ($attr=~/\bmemberUid\b/) { foreach my $ent ($entry->get_value($attr)) { push (@resultat,$ent); - } + } + } } - } -} + } return @resultat; } @@ -697,5 +757,17 @@ EOF return $rc; } +sub group_type_by_name { + my $type_name = shift; + my %groupmap = ( + 'domain' => 2, + 'local' => 4, + 'builtin' => 5 + ); + return $groupmap{$type_name}; +} + + + 1; -- cgit From 814591c0c5054b29978ba9c4b8842b921fe2bc89 Mon Sep 17 00:00:00 2001 
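Review bot: `group_get_members` returns `0` when the group DN is not found, yet it otherwise returns a list (`return @resultat;`), so in list context the caller receives `(0)` — a one-element list whose only "member" is the string `0` — instead of the empty list the name implies; a bare `return;` gives the empty list. The re-bracketed loop is now balanced, but the anonymous `$ldap->bind ;` is never paired with `$ldap->unbind`, which the other helpers do before returning. `$group` is also interpolated unescaped into the `(cn=$group)` filter, as elsewhere in this module.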
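Review bot: `group_type_by_name` is the only exported sub in this hunk without a header comment, and the values in `%groupmap` are bare magic numbers; a comment such as `# group type code for a kind name (domain/local/builtin); undef for an unknown name` tells a caller that an unrecognised name yields undef rather than 0. The 2/4/5 values look like Samba's SID_NAME_USE codes (domain group, alias, well-known group) — worth confirming against the Samba source and stating in the comment. Building the hash on every call is also unnecessary; a file-scope `my %GROUP_TYPE_OF = ( domain => 2, local => 4, builtin => 5 );` declared once reads as the lookup table it is.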
From: Gerald Carter Date: Fri, 5 Dec 2003 13:57:02 +0000 Subject: * removing extra file * updating version in Makefile (This used to be commit 3249e69274c00922c6d8710019c19d8c8add8255) --- examples/LDAP/smbldap-tools/INFRA | 93 ------------------------------ examples/LDAP/smbldap-tools/INFRASTRUCTURE | 11 ++++ examples/LDAP/smbldap-tools/Makefile | 2 +- 3 files changed, 12 insertions(+), 94 deletions(-) delete mode 100644 examples/LDAP/smbldap-tools/INFRA (limited to 'examples/LDAP') diff --git a/examples/LDAP/smbldap-tools/INFRA b/examples/LDAP/smbldap-tools/INFRA deleted file mode 100644 index fe5ce8df2b..0000000000 --- a/examples/LDAP/smbldap-tools/INFRA +++ /dev/null 
@@ -1,93 +0,0 @@ -# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/Attic/INFRA,v $ -# -## Some notes about the architecture - - -Global Architecture for smbdlap-tools -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - -smbldap-tools help you manage users and groups for Unix and Samba, -using LDAP. They may be used in any context, and are kept relatively -simplier enought to let you customize them to you needs. - -They need the following objectClasses to work: - . sambaAccount: from samba.schema for Samba 2.2 branch - . posixAccount and posixGroup : from nis.schema - . organizationalUnit and dcObject: from core.schema - -They will probably use in a near future some additional objectClasses -to support : - . mail features (sendmail/postfix/qmail/courier). - . conform to RFC2307 best practices (and so some maps too like merging - Netbios computers (sambaAccounts) with ipHosts - -For ease of visualization of the LDAP objects by human standards, we -used a DIT like this one : - . dc=IDEALX,dc=org : the company/organization suffix - . ou=Users : to store users accounts - . ou=Computers : to store computers accounts - . ou=Groups : to store system groups -Of course, you're free to use a different naming scheme and DIT (see -smbldap_conf.pm). - - -Built in groups initial population -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - -smbldap-populate.pl populate the LDAP directory with some built in groups -using gidNumber according to Well Know RID of Windows NT4 Srv. In fact, As -far a Samba 2.2.x is concerned, only the 'Domain Admins' (gidNumber 512) have -real inpact on the Samba and Windows population. To activate this group as -the Domain Administrators Group, use the following smb.conf directive (see -man smb.conf for more): - - domain admin group = " @"Domain Admins" " - -However, to make pdb_ldap accept bind without being uid=0, a quick and -dirty patch must be applied to 2.2.4 (see samba-2.2.4-ldapbindnotuid0.patch). 
-This patch is Q&D because the check is there because Samba store admin -credentials to establish the LDAP connection. The uid == 0 check was to -ensure that a normal user could not get write access to the LDAP backend. -A more logical situation should be done for 2.2.5 by checking if the user -is a member of the domain admin group (reported to Jerremy and Gerald -2002-05-28). - -Other built in groups are really cosmetic ones with Samba 2.2.x. We did not -removed them because one of these days, we whish to use Samba 3.0 where -Windows Group Support should be operational. - -Why these specific gidNumbers ? -It's about unix/windows mapping of numerical ids with Samba. Ids below 1024 -are NT special ids. In fact, 512 is the RID (Windows uid/gid) for the -"Domain Administrators" NT group. The magic number is found in Samba sources -and possibly other Samba/Windows documentations. - -The goal is to have a set of Unix users who are Domain Administrators and can -modify Samba datas (eg. LDAP content), with commandline tools or within -Windows via Samba. - -Say you want to add a NT4 ws to an NT domain (controlled by a samba/ldap -server). You give the domain administrator's login and password in the -appropriate ws settings, then the ws contacts the samba server, which checks -the credentials and use them as unix user to run the smbldap-tools (if I -remember). Giving 512 as a RID to a LDAP entry marks it as a domain admin -for Samba (thus Windows). Using nss_ldap, you also have an account with -gid 512. - - -Known BUGS and WORKAROUND used -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - -The 2.2.2 has at least a bug : rid/primaryGroupID are read as hex in LDAP, -but written as decimal. Fixed in CVS by reading as decimal. By default -smbldap-useradd.pl writes decimal to LDAP. Use -x to support the odd -behaviour. - -The samba-2.2.4-ldapbindnotuid0.patch is not a perfect solution however -as the check is there because Samba store admin credentials to establish the -LDAP connection. 
The uid == 0 check was to ensure that a normal user could -not get write access to the LDAP backend. A more logical situation should be -done for 2.2.5 by checking if the user is a member of the domain admin group -(reported to Jerremy and Gerald 2002-05-28). - -# - The End diff --git a/examples/LDAP/smbldap-tools/INFRASTRUCTURE b/examples/LDAP/smbldap-tools/INFRASTRUCTURE index 25fbda8599..e14ec70e02 100644 --- a/examples/LDAP/smbldap-tools/INFRASTRUCTURE +++ b/examples/LDAP/smbldap-tools/INFRASTRUCTURE @@ -1,3 +1,5 @@ +# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/INFRASTRUCTURE,v $ +# ## Some notes about the architecture @@ -41,6 +43,15 @@ man smb.conf for more): domain admin group = " @"Domain Admins" " +However, to make pdb_ldap accept bind without being uid=0, a quick and +dirty patch must be applied to 2.2.4 (see samba-2.2.4-ldapbindnotuid0.patch). +This patch is Q&D because the check is there because Samba store admin +credentials to establish the LDAP connection. The uid == 0 check was to +ensure that a normal user could not get write access to the LDAP backend. +A more logical situation should be done for 2.2.5 by checking if the user +is a member of the domain admin group (reported to Jerremy and Gerald +2002-05-28). + Other built in groups are really cosmetic ones with Samba 2.2.x. We did not removed them because one of these days, we whish to use Samba 3.0 where Windows Group Support should be operational. diff --git a/examples/LDAP/smbldap-tools/Makefile b/examples/LDAP/smbldap-tools/Makefile index 3e5eac427d..783a3571a9 100644 --- a/examples/LDAP/smbldap-tools/Makefile +++ b/examples/LDAP/smbldap-tools/Makefile @@ -1,5 +1,5 @@ PACKAGE=smbldap-tools -RELEASE=0.7 +RELEASE=0.8.2-1 DESTDIR = $(PACKAGE)-$(RELEASE) dist: distclean $(DESTDIR).tgz -- cgit From 8dc02df11cca84dcc2cc45f2e9f4d4aa6248bad9 Mon Sep 17 00:00:00 2001 
From: Gerald Carter Date: Fri, 5 Dec 2003 14:06:55 +0000 Subject: removing RCS tags (This used to be commit 9a7774306dfa29f0b343343844a2c08650d5ba1a) --- examples/LDAP/smbldap-tools/smbldap-groupadd.pl | 2 -- examples/LDAP/smbldap-tools/smbldap-groupdel.pl | 2 -- examples/LDAP/smbldap-tools/smbldap-groupmod.pl | 2 -- examples/LDAP/smbldap-tools/smbldap-groupshow.pl | 2 -- examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl | 2 -- examples/LDAP/smbldap-tools/smbldap-migrate-groups.pl | 2 -- examples/LDAP/smbldap-tools/smbldap-passwd.pl | 1 - examples/LDAP/smbldap-tools/smbldap-populate.pl | 1 - examples/LDAP/smbldap-tools/smbldap-useradd.pl | 2 -- examples/LDAP/smbldap-tools/smbldap-userdel.pl | 2 -- examples/LDAP/smbldap-tools/smbldap-usermod.pl | 2 -- examples/LDAP/smbldap-tools/smbldap-usershow.pl | 2 -- examples/LDAP/smbldap-tools/smbldap_conf.pm | 3 --- examples/LDAP/smbldap-tools/smbldap_tools.pm | 2 -- 14 files changed, 27 deletions(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/smbldap-tools/smbldap-groupadd.pl b/examples/LDAP/smbldap-tools/smbldap-groupadd.pl index a659800482..e242d6e223 100755 --- a/examples/LDAP/smbldap-tools/smbldap-groupadd.pl +++ b/examples/LDAP/smbldap-tools/smbldap-groupadd.pl @@ -1,7 +1,5 @@ #!/usr/bin/perl -w -# $Id: smbldap-groupadd.pl,v 1.1.6.3 2003/12/04 21:59:19 jerry Exp $ -# # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # diff --git a/examples/LDAP/smbldap-tools/smbldap-groupdel.pl b/examples/LDAP/smbldap-tools/smbldap-groupdel.pl index 0f5b0998da..4f6839ebe5 100755 --- a/examples/LDAP/smbldap-tools/smbldap-groupdel.pl +++ b/examples/LDAP/smbldap-tools/smbldap-groupdel.pl @@ -1,7 +1,5 @@ #!/usr/bin/perl -w -# $Id: smbldap-groupdel.pl,v 1.1.6.3 2003/12/04 21:59:19 jerry Exp $ -# # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # 
diff --git a/examples/LDAP/smbldap-tools/smbldap-groupmod.pl b/examples/LDAP/smbldap-tools/smbldap-groupmod.pl index eeb67d5712..3f9741e015 100755 --- a/examples/LDAP/smbldap-tools/smbldap-groupmod.pl +++ b/examples/LDAP/smbldap-tools/smbldap-groupmod.pl @@ -1,7 +1,5 @@ #!/usr/bin/perl -w -# $Id: smbldap-groupmod.pl,v 1.1.6.6 2003/12/04 21:59:19 jerry Exp $ -# # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # diff --git a/examples/LDAP/smbldap-tools/smbldap-groupshow.pl b/examples/LDAP/smbldap-tools/smbldap-groupshow.pl index 9c30f0fc12..a9d368763e 100755 --- a/examples/LDAP/smbldap-tools/smbldap-groupshow.pl +++ b/examples/LDAP/smbldap-tools/smbldap-groupshow.pl @@ -1,7 +1,5 @@ #!/usr/bin/perl -w -# $Id: smbldap-groupshow.pl,v 1.1.6.3 2003/12/04 21:59:19 jerry Exp $ -# # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # diff --git a/examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl b/examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl index 05f9b27600..0a66eaaa08 100755 --- a/examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl +++ b/examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl @@ -1,7 +1,5 @@ #!/usr/bin/perl -w -# $Id: smbldap-migrate-accounts.pl,v 1.1.6.4 2003/12/04 21:59:19 jerry Exp $ -# # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # diff --git a/examples/LDAP/smbldap-tools/smbldap-migrate-groups.pl b/examples/LDAP/smbldap-tools/smbldap-migrate-groups.pl index 37a0286b06..a2b07bf817 100644 --- a/examples/LDAP/smbldap-tools/smbldap-migrate-groups.pl +++ b/examples/LDAP/smbldap-tools/smbldap-migrate-groups.pl 
@@ -1,7 +1,5 @@ #!/usr/bin/perl -# $Id: smbldap-migrate-groups.pl,v 1.1.6.3 2003/12/04 21:59:19 jerry Exp $ -# # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # diff --git a/examples/LDAP/smbldap-tools/smbldap-passwd.pl b/examples/LDAP/smbldap-tools/smbldap-passwd.pl index 97680dcd46..afbc87a058 100755 --- a/examples/LDAP/smbldap-tools/smbldap-passwd.pl +++ b/examples/LDAP/smbldap-tools/smbldap-passwd.pl @@ -1,7 +1,6 @@ #!/usr/bin/perl -w # LDAP to unix password sync script for samba -# $Id: smbldap-passwd.pl,v 1.1.6.4 2003/12/04 21:59:19 jerry Exp $ # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). diff --git a/examples/LDAP/smbldap-tools/smbldap-populate.pl b/examples/LDAP/smbldap-tools/smbldap-populate.pl index 0992c5b751..4677383cde 100755 --- a/examples/LDAP/smbldap-tools/smbldap-populate.pl +++ b/examples/LDAP/smbldap-tools/smbldap-populate.pl @@ -2,7 +2,6 @@ # Populate a LDAP base for Samba-LDAP usage # -# $Id: smbldap-populate.pl,v 1.1.6.4 2003/12/04 21:59:19 jerry Exp $ # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). diff --git a/examples/LDAP/smbldap-tools/smbldap-useradd.pl b/examples/LDAP/smbldap-tools/smbldap-useradd.pl index 49086e519b..9d90e4ec9a 100755 --- a/examples/LDAP/smbldap-tools/smbldap-useradd.pl +++ b/examples/LDAP/smbldap-tools/smbldap-useradd.pl @@ -1,7 +1,5 @@ #!/usr/bin/perl -w -# $Id: smbldap-useradd.pl,v 1.1.6.4 2003/12/04 21:59:19 jerry Exp $ -# # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # diff --git a/examples/LDAP/smbldap-tools/smbldap-userdel.pl b/examples/LDAP/smbldap-tools/smbldap-userdel.pl index 449c56d3d5..f1e69e209c 100755 --- a/examples/LDAP/smbldap-tools/smbldap-userdel.pl 
+++ b/examples/LDAP/smbldap-tools/smbldap-userdel.pl @@ -1,7 +1,5 @@ #!/usr/bin/perl -# $Id: smbldap-userdel.pl,v 1.1.6.4 2003/12/04 21:59:19 jerry Exp $ -# # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # diff --git a/examples/LDAP/smbldap-tools/smbldap-usermod.pl b/examples/LDAP/smbldap-tools/smbldap-usermod.pl index 96fc8c38db..de6ca43902 100755 --- a/examples/LDAP/smbldap-tools/smbldap-usermod.pl +++ b/examples/LDAP/smbldap-tools/smbldap-usermod.pl @@ -1,7 +1,5 @@ #!/usr/bin/perl -w -# $Id: smbldap-usermod.pl,v 1.1.6.4 2003/12/04 21:59:19 jerry Exp $ -# # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # diff --git a/examples/LDAP/smbldap-tools/smbldap-usershow.pl b/examples/LDAP/smbldap-tools/smbldap-usershow.pl index c1e35a5be2..173480d76c 100755 --- a/examples/LDAP/smbldap-tools/smbldap-usershow.pl +++ b/examples/LDAP/smbldap-tools/smbldap-usershow.pl @@ -1,7 +1,5 @@ #!/usr/bin/perl -w -# $Id: smbldap-usershow.pl,v 1.1.6.3 2003/12/04 21:59:19 jerry Exp $ -# # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # diff --git a/examples/LDAP/smbldap-tools/smbldap_conf.pm b/examples/LDAP/smbldap-tools/smbldap_conf.pm index 07961903ca..257c205a2c 100644 --- a/examples/LDAP/smbldap-tools/smbldap_conf.pm +++ b/examples/LDAP/smbldap-tools/smbldap_conf.pm @@ -2,9 +2,6 @@ use strict; package smbldap_conf; -# $Dource: $ -# $Id: smbldap_conf.pm,v 1.1.6.4 2003/12/04 21:59:19 jerry Exp $ -# # smbldap-tools.conf : Q & D configuration file for smbldap-tools # This code was developped by IDEALX (http://IDEALX.org/) and diff --git a/examples/LDAP/smbldap-tools/smbldap_tools.pm b/examples/LDAP/smbldap-tools/smbldap_tools.pm index b7b134f3fd..527dd8390f 100755 --- a/examples/LDAP/smbldap-tools/smbldap_tools.pm 
+++ b/examples/LDAP/smbldap-tools/smbldap_tools.pm @@ -4,8 +4,6 @@ package smbldap_tools; use smbldap_conf; use Net::LDAP; -# $Id: smbldap_tools.pm,v 1.1.6.4 2003/12/04 21:59:20 jerry Exp $ -# # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # -- cgit From 2ff5ed955566e676e9d683c72e315a13a555b4dd Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 16 Dec 2003 18:14:10 +0000 Subject: Small fix from Jérôme Tournier Jeremy. (This used to be commit 6ce7932520c0e5417e3b8a214a97244d10bdf4ad) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl b/examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl index 0a66eaaa08..54e4d7f7e3 100755 --- a/examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl +++ b/examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl @@ -45,8 +45,8 @@ sub modify_account my $ldap_master=connect_ldap_master(); my $modify = $ldap_master->modify ("uid=$login,$basedn", changes => [ - replace => [lmpassword => "$lmpwd"], - replace => [ntpassword => "$ntpwd"], + replace => [sambaLMPassword => "$lmpwd"], + replace => [sambaNTpassword => "$ntpwd"], replace => [gecos => "$gecos"], replace => [sambaHomePath => "$homedir"] ] -- cgit From db21c4e3367a6a987eca1df1629b4ff92350a348 Mon Sep 17 00:00:00 2001 
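Review bot: The two replaced attribute names in `modify_account` use inconsistent casing, `sambaLMPassword` beside `sambaNTpassword`. LDAP attribute names compare case-insensitively, so the server accepts it, but the Samba schema spells it `sambaNTPassword`; writing `replace => [sambaNTPassword => "$ntpwd"],` keeps the file greppable and consistent with the LM line. The `"$lmpwd"` / `"$ntpwd"` quoting is redundant stringification as well (`$ntpwd` alone is enough). modify_account's body continues outside the hunk.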
From: Gerald Carter Date: Tue, 6 Jan 2004 14:40:35 +0000 Subject: fix case in objectclass name (not that it really matters); patch from Darren Chew (This used to be commit 86e0015b06eb9590a6a3e64cb4fe5a88a9f156c2) --- examples/LDAP/smbldap-tools/ChangeLog | 6 +++--- examples/LDAP/smbldap-tools/smbldap-populate.pl | 4 ++-- examples/LDAP/smbldap-tools/smbldap-useradd.pl | 4 ++-- examples/LDAP/smbldap-tools/smbldap-usermod.pl | 4 ++-- examples/LDAP/smbldap-tools/smbldap_tools.pm | 4 ++-- 5 files changed, 11 insertions(+), 11 deletions(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/smbldap-tools/ChangeLog b/examples/LDAP/smbldap-tools/ChangeLog index e6394d1add..e4e3768385 100644 --- a/examples/LDAP/smbldap-tools/ChangeLog +++ b/examples/LDAP/smbldap-tools/ChangeLog @@ -4,7 +4,7 @@ ## ChangeLog for SMBLDAP-TOOLS 2003-11-18: - . new option '-a' to smbldap-usermod.pl that allow adding the sambaSAMAccount + . new option '-a' to smbldap-usermod.pl that allow adding the sambaSamAccount objectclass to an existing posixAccount 2003-11-07: . patch that allow adding user to a group when the group is in a higher level depth @@ -38,13 +38,13 @@ 2003-09-18: Patch from Alexander Bergolth . options "-u", "-g", "-s" and "-c" are now functionnal . the existence of samba account was made on sambaAccount and - not sambaSAMAccount as it should be for samba3 + not sambaSamAccount as it should be for samba3 . new function read_user_entry to smbldap_tools.pm that returns a Net::LDAP:Entry object of the user . Use this object to get the dn and user attributes instead of producing an ldif and searching for attributes within that ldif 2003-09-15: - . change machine account creation to not add the sambaSAMAccount objectclass. + . change machine account creation to not add the sambaSamAccount objectclass. It is now added directly by samba when joigning the domain . new option in smbldap-usermod.pl: '-e' to set an expire date . Start_tls support activated when ldapSSL is set to 1 
diff --git a/examples/LDAP/smbldap-tools/smbldap-populate.pl b/examples/LDAP/smbldap-tools/smbldap-populate.pl index 4677383cde..b691a84850 100755 --- a/examples/LDAP/smbldap-tools/smbldap-populate.pl +++ b/examples/LDAP/smbldap-tools/smbldap-populate.pl @@ -122,7 +122,7 @@ dn: uid=$adminName,$usersdn cn: $adminName sn: $adminName objectClass: inetOrgPerson -objectClass: sambaSAMAccount +objectClass: sambaSamAccount objectClass: posixAccount gidNumber: 512 uid: $adminName @@ -149,7 +149,7 @@ dn: uid=$guestName,$usersdn cn: $guestName sn: $guestName objectClass: inetOrgPerson -objectClass: sambaSAMAccount +objectClass: sambaSamAccount objectClass: posixAccount gidNumber: 514 uid: $guestName diff --git a/examples/LDAP/smbldap-tools/smbldap-useradd.pl b/examples/LDAP/smbldap-tools/smbldap-useradd.pl index 9d90e4ec9a..918bd4a4f6 100755 --- a/examples/LDAP/smbldap-tools/smbldap-useradd.pl +++ b/examples/LDAP/smbldap-tools/smbldap-useradd.pl @@ -208,7 +208,7 @@ if (defined($tmp = $Options{'w'})) { if (!$with_smbpasswd) { # (jtournier) - # Objectclass sambaSAMAccount is now added directly by samba when joigning the domain (for samba3) + # Objectclass sambaSamAccount is now added directly by samba when joigning the domain (for samba3) #if (!add_samba_machine_mkntpwd($userName, $userUidNumber)) { # die "$0: error while adding samba account\n"; #} @@ -312,7 +312,7 @@ if (defined($Options{'a'})) { my $modify = $ldap_master->modify ( "uid=$userName,$usersdn", changes => [ - add => [objectClass => 'sambaSAMAccount'], + add => [objectClass => 'sambaSamAccount'], add => [sambaPwdLastSet => "$valpwdlastset"], add => [sambaLogonTime => '0'], add => [sambaLogoffTime => '2147483647'], diff --git a/examples/LDAP/smbldap-tools/smbldap-usermod.pl b/examples/LDAP/smbldap-tools/smbldap-usermod.pl index de6ca43902..70151b7412 100755 --- a/examples/LDAP/smbldap-tools/smbldap-usermod.pl +++ b/examples/LDAP/smbldap-tools/smbldap-usermod.pl 
@@ -53,7 +53,7 @@ if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) || ($Options{'h'}) ) { print " -S surname\n"; print " -P ends by invoking smbldap-passwd.pl\n"; print " For samba users:\n"; - print " -a add sambaSAMAccount objectclass\n"; + print " -a add sambaSamAccount objectclass\n"; print " -e expire date (\"YYYY-MM-DD HH:MM:SS\")\n"; print " -A can change password ? 0 if no, 1 if yes\n"; print " -B must change password ? 0 if no, 1 if yes\n"; @@ -107,7 +107,7 @@ if (defined($tmp = $Options{'a'})) { # apply changes my $modify = $ldap_master->modify ( "$dn", changes => [ - add => [objectClass => 'sambaSAMAccount'], + add => [objectClass => 'sambaSamAccount'], add => [sambaPwdLastSet => "$valpwdlastset"], add => [sambaLogonTime => '0'], add => [sambaLogoffTime => '2147483647'], diff --git a/examples/LDAP/smbldap-tools/smbldap_tools.pm b/examples/LDAP/smbldap-tools/smbldap_tools.pm index 527dd8390f..d33a65b7d1 100755 --- a/examples/LDAP/smbldap-tools/smbldap_tools.pm +++ b/examples/LDAP/smbldap-tools/smbldap_tools.pm @@ -239,7 +239,7 @@ sub does_sid_exist my $mesg = $ldap_slave->search ( base => $dn_group, scope => $scope, filter => "(sambaSID=$sid)" - #filter => "(&(objectClass=sambaSAMAccount|objectClass=sambaGroupMapping)(sambaSID=$sid))" + #filter => "(&(objectClass=sambaSamAccount|objectClass=sambaGroupMapping)(sambaSID=$sid))" ); $mesg->code && die $mesg->error; $ldap_slave->unbind; @@ -333,7 +333,7 @@ sub add_samba_machine_mkntpwd my $ldap_master=connect_ldap_master(); my $modify = $ldap_master->modify ( "uid=$user,$computersdn", changes => [ - replace => [objectClass => ['inetOrgPerson', 'posixAccount', 'sambaSAMAccount']], + replace => [objectClass => ['inetOrgPerson', 'posixAccount', 'sambaSamAccount']], add => [sambaPwdLastSet => '0'], add => [sambaLogonTime => '0'], add => [sambaLogoffTime => '2147483647'], -- cgit From 590a53b62c05c1834a323750bf6690fa3cae21a1 Mon Sep 17 00:00:00 2001 
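Review bot: The alternative filter kept in the comment in does_sid_exist, `#filter => "(&(objectClass=sambaSamAccount|objectClass=sambaGroupMapping)(sambaSID=$sid))"`, is not valid RFC 2254 syntax even after this case fix, because `|` cannot join two assertions inside one pair of parentheses; if it is ever uncommented the OR must be its own item, `(&(|(objectClass=sambaSamAccount)(objectClass=sambaGroupMapping))(sambaSID=$sid))`. The live filter on the line above builds `"(sambaSID=$sid)"` by plain interpolation, so a `$sid` containing filter metacharacters (`*`, parentheses, `\`) changes the query rather than failing; checking it against the `S-1-…` SID shape before use, or escaping it with `Net::LDAP::Util::escape_filter_value`, keeps the lookup exact. The `"uid=$user,$computersdn"` DN in the add_samba_machine_mkntpwd hunk of the same file follows the same pattern and can use `escape_dn_value` from the same module. Both subroutines begin outside their hunks.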
From: Jim McDonough
Date: Sat, 14 Feb 2004 14:05:17 +0000
Subject: sync IBM Directory Server schema with openldap schema...add munged dial
(This used to be commit 3b1d922ab4fdf3d2d5d8b56b7c5d2882b91000b9)
---
 examples/LDAP/samba.schema.at.IBM-DS | 1 +
 examples/LDAP/samba.schema.oc.IBM-DS | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
(limited to 'examples/LDAP')
diff --git a/examples/LDAP/samba.schema.at.IBM-DS b/examples/LDAP/samba.schema.at.IBM-DS
index 5aa70b5101..5164f578e8 100644
--- a/examples/LDAP/samba.schema.at.IBM-DS
+++ b/examples/LDAP/samba.schema.at.IBM-DS
@@ -44,3 +44,4 @@ attributetypes=( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' DESC 'Next NT rid t
 attributetypes=( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase' DESC 'Base at which the samba RID generation algorithm should operate' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributetypes=( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC '' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
diff --git a/examples/LDAP/samba.schema.oc.IBM-DS b/examples/LDAP/samba.schema.oc.IBM-DS
index 202c332407..86e1dee0ac 100644
--- a/examples/LDAP/samba.schema.oc.IBM-DS
+++ b/examples/LDAP/samba.schema.oc.IBM-DS
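Review bot: The new sambaMungedDial attribute type is declared with an empty `DESC ''`, so the IBM-DS copy of the schema has no description for it while every other entry in the hunk carries one; since the commit's purpose is to sync this file with the OpenLDAP schema, the DESC string that samba.schema uses for OID 1.3.6.1.4.1.7165.2.1.47 should be copied here verbatim. The `{1050}` length bound and `caseExactMatch` presumably mirror that definition as well; worth a side-by-side check because this file is maintained by hand.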
@@ -1,6 +1,6 @@
 ## Samba 3.0 schema for IBM Directory Server 5.1 - object classes only
-objectclasses=( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY DESC 'Samba 3.0 Auxilary SAM Account' MUST ( uid $ sambaSID ) MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGroupSID $ sambaDomainName ))
+objectclasses=( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY DESC 'Samba 3.0 Auxilary SAM Account' MUST ( uid $ sambaSID ) MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial ))
 objectclasses=( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY DESC 'Samba Group Mapping' MUST ( gidNumber $ sambaSID $ sambaGroupType ) MAY ( displayName $ description ))
-- cgit
From 88129f85c0316c183e94d3afc93cf319636d7322 Mon Sep 17 00:00:00 2001
From: Jim McDonough
Date: Sat, 14 Feb 2004 14:25:40 +0000
Subject: Fix whitespace to reduce diff from HEAD
(This used to be commit eba512ee1c723392ce553a6b04a7de6c57dd7b1d)
---
 examples/LDAP/samba.schema.at.IBM-DS | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'examples/LDAP')
diff --git a/examples/LDAP/samba.schema.at.IBM-DS b/examples/LDAP/samba.schema.at.IBM-DS
index 5164f578e8..b2c3c875dc 100644
--- a/examples/LDAP/samba.schema.at.IBM-DS
+++ b/examples/LDAP/samba.schema.at.IBM-DS
@@ -44,4 +44,4 @@ attributetypes=( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' DESC 'Next NT rid t
 attributetypes=( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase' DESC 'Base at which the samba RID generation algorithm should operate' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
-attributetypes=( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC '' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
+attributetypes=( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC '' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
-- cgit
From b9c35e961d44958f64e72a1c0986b998c193c570 Mon Sep 17 00:00:00 2001
From: Jim McDonough
Date: Sun, 22 Feb 2004 20:25:43 +0000
Subject: Add bad password count/time attributes
(This used to be commit 184bef8413b17a0e42d1c5bce3d08ae1533818ca)
---
 examples/LDAP/samba.schema | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
(limited to 'examples/LDAP')
diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema
index a2225faa58..8ff06f2a2a 100644
--- a/examples/LDAP/samba.schema
+++ b/examples/LDAP/samba.schema
@@ -202,6 +202,16 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributetype ( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount'
+ DESC 'Bad password attempt count'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime'
+ DESC 'Time of the last bad password attempt'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
 ##
 ## string settings
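Review bot: sambaBadPasswordCount and sambaBadPasswordTime are the state a lockout policy depends on, yet nothing in this hunk says who may write them; if the directory's ACLs give the account holder self-write on sambaSamAccount attributes (a common setup for user password changes), the account could clear its own counter, so these two need the same restrictive write ACL as sambaNTPassword, and a comment above the block saying so would help deployers. The `DESC 'Time of the last bad password attempt'` also leaves the unit unstated; if the value is the same epoch-seconds integer as sambaPwdLastSet, say so, e.g. `DESC 'Time of the last bad password attempt (seconds since the epoch)'`, so the other schema ports inherit the meaning.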
@@ -313,7 +323,8 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
 sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $
 displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $
 sambaProfilePath $ description $ sambaUserWorkstations $
- sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial))
+ sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $
+ sambaBadPasswordCount $ sambaBadPasswordTime))
 ##
 ## Group mapping info
-- cgit
From 60670f27abeac3c111059970e8ed565d65c9ea56 Mon Sep 17 00:00:00 2001
From: Gerald Carter
Date: Wed, 7 Apr 2004 12:49:36 +0000
Subject: r119: missed a file in volker patch
(This used to be commit bccee79653a6f5c368bf8d39fccc65fd0e5b7417)
---
 examples/LDAP/samba.schema | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'examples/LDAP')
diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema
index 8ff06f2a2a..71c954a0c0 100644
--- a/examples/LDAP/samba.schema
+++ b/examples/LDAP/samba.schema
@@ -270,6 +270,11 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID'
 EQUALITY caseIgnoreIA5Match
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
+attributetype ( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList'
+ DESC 'Security ID List'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
+
 ##
 ## group mapping attributes
 ##
@@ -332,7 +337,7 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
 objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY
 DESC 'Samba Group Mapping'
 MUST ( gidNumber $ sambaSID $ sambaGroupType )
- MAY ( displayName $ description ))
+ MAY ( displayName $ description $ sambaSIDList ))
 ##
 ## Whole-of-domain info
-- cgit
From 81996162d6ecb6236dfb154eac8ed6d4f0ad1079 Mon Sep 17 00:00:00 2001
From: Volker Lendecke Date: Wed, 14 Apr 2004 20:44:26 +0000 Subject: r223: According to Thomas Mueller, thomas.mueller@christ-wasser.de, the two lines removed (modifiersName and modifyTimestamp) lead to warnings upon startup of the netscape directory server. I can't check this, but it sounds logical. Thanks, Volker (This used to be commit 770b85c32fdd7addd7becf6a42cace91f411b363) --- examples/LDAP/samba-schema-netscapeds5.x | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba-schema-netscapeds5.x b/examples/LDAP/samba-schema-netscapeds5.x index e750039acb..56f66a54a5 100644 --- a/examples/LDAP/samba-schema-netscapeds5.x +++ b/examples/LDAP/samba-schema-netscapeds5.x @@ -1,6 +1,7 @@ ## ## Darren Chew ## Andre Fiebach +## Thomas Mueller 12.04.2003, thomas.mueller@christ-wasser.de ## ## Samba 3.0 schema file for Netscape DS 5.x ## 
@@ -22,8 +23,6 @@ aci: (targetattr = "*")(version 3.0; acl "Local Directory Administrators Group "; allow (all) groupdn = "ldap:///cn=Directory Administrators, dc=samba,dc=org";) aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)groupdn = "ld ap:///cn=slapd-sambaldap, cn=iPlanet Directory Server, cn=Server Group, cn=iPlanetDirectory.samba.org, ou=samba.org, o=NetscapeRoot";) -modifiersName: cn=directory manager -modifyTimestamp: 20020322124844Z #################################################################### objectClasses: ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY DESC 'Samba 3.0 Auxilary SAM Account' MUST ( uid $ sambaSID ) MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGroupSID $ sambaDomainName ) X-ORIGIN 'user defined' ) objectClasses: ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY DESC 'Samba Group Mapping' MUST ( gidNumber $ sambaSID $ sambaGroupType ) MAY ( displayName $ description ) X-ORIGIN 'user defined' ) -- cgit From 1c5867502a47371e24519ffeb4165c69cab63482 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 7 Jul 2004 22:46:51 +0000 Subject: r1388: Adding password history code for ldap backend, based on a patch from "Jianliang Lu" . Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9) --- examples/LDAP/samba.schema | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'examples/LDAP') 
diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema
index 71c954a0c0..0ad94f973d 100644
--- a/examples/LDAP/samba.schema
+++ b/examples/LDAP/samba.schema
@@ -251,6 +251,11 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial'
 EQUALITY caseExactMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
+attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPasswordHistory'
+ DESC 'MD4 hash of the unicode password'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
+
 ##
 ## SID, of any type
 ##
@@ -329,7 +334,7 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
 displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $
 sambaProfilePath $ description $ sambaUserWorkstations $
 sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $
- sambaBadPasswordCount $ sambaBadPasswordTime))
+ sambaBadPasswordCount $ sambaBadPasswordTime $ sambaPasswordHistory))
 ##
 ## Group mapping info
-- cgit
From 76cf406197d216bda0a11ccf8dcc7867fcb7707a Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Wed, 7 Jul 2004 22:59:15 +0000
Subject: r1390: Improve description of attribute. Jeremy.
(This used to be commit ff7236a5f20d16069b31383105604a694236ec65)
---
 examples/LDAP/samba.schema | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'examples/LDAP')
diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema
index 0ad94f973d..1ff6274d5b 100644
--- a/examples/LDAP/samba.schema
+++ b/examples/LDAP/samba.schema
@@ -252,7 +252,7 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial'
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
 attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPasswordHistory'
- DESC 'MD4 hash of the unicode password'
+ DESC 'Concatenated MD4 hashes of the unicode passwords used on this account'
 EQUALITY caseIgnoreIA5Match
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
-- cgit
From 161d3eeb4b6e32fda6ba9eabad54bf7d8dc43e54 Mon Sep 17 00:00:00 2001
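Review bot: The r1390 hunk changes the DESC of sambaPasswordHistory to 'Concatenated MD4 hashes of the unicode passwords used on this account' while the unchanged SYNTAX line below it still reads `SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )`, a length hint sized for exactly one 32-hex-digit hash; a history of several entries does not fit that hint, so either drop the `{32}` (`SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )`) or state the intended maximum, and document the entry format (count, per-entry width, whether each entry is plain MD4 or salted) in the DESC or a comment above the attribute. Because the stored values are derived from previous NT hashes, they carry the same sensitivity as sambaNTPassword and need the same read ACL; a comment saying that attribute-name-based ACL rules must list sambaPasswordHistory alongside sambaNTPassword would keep administrators from exposing it by omission.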
From: Gerald Carter
Date: Fri, 6 Aug 2004 05:35:46 +0000
Subject: r1663: fixing syntax error in OID for sambaUnixIdPool, sambaSidEntry, & sambaIdmapEntry
(This used to be commit 6e4c58b26d19f56162de961ae8338071aeeedde7)
---
 examples/LDAP/samba.schema | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'examples/LDAP')
diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema
index 1ff6274d5b..d87815b3ab 100644
--- a/examples/LDAP/samba.schema
+++ b/examples/LDAP/samba.schema
@@ -355,17 +355,17 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL
 sambaAlgorithmicRidBase ) )
 ## used for idmap_ldap module
-objectclass ( 1.3.6.1.4.1.7165.1.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY
+objectclass ( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY
 DESC 'Pool for allocating UNIX uids/gids'
 MUST ( uidNumber $ gidNumber ) )
-objectclass ( 1.3.6.1.4.1.7165.1.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY
+objectclass ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY
 DESC 'Mapping from a SID to an ID'
 MUST ( sambaSID )
 MAY ( uidNumber $ gidNumber ) )
-objectclass ( 1.3.6.1.4.1.7165.1.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL
+objectclass ( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL
 DESC 'Structural Class for a SID'
 MUST ( sambaSID ) )
-- cgit
From 7af12653687768ea08ca225914e6558ab74c95f0 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Fri, 13 Aug 2004 17:58:27 +0000
Subject: r1809: Patch from Richard Renard to store logon hours attributes in an LDAP database. Jeremy.
(This used to be commit ac0fdf9503b34a70eaae5e7cf0764dbaec0263ee)
---
 examples/LDAP/samba.schema | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'examples/LDAP')
diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema
index d87815b3ab..8c6b8cb4e3 100644
--- a/examples/LDAP/samba.schema
+++ b/examples/LDAP/samba.schema
@@ -212,6 +212,10 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaLogonHours'
+ DESC 'Logon Hours'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE )
 ##
 ## string settings
@@ -334,7 +338,8 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
 displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $
 sambaProfilePath $ description $ sambaUserWorkstations $
 sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $
- sambaBadPasswordCount $ sambaBadPasswordTime $ sambaPasswordHistory))
+ sambaBadPasswordCount $ sambaBadPasswordTime $
+ sambaPasswordHistory $ sambaLogonHours))
 ##
 ## Group mapping info
-- cgit
From 7b568196788a0c9239c33add7ed1b20c2685ca1f Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Fri, 20 Aug 2004 14:59:10 +0000
Subject: r1960: sambaPasswordHistory had a duplicate OID bump up the attribute number to 52 to avoid conflicts
(This used to be commit 9368f0c1d2cb9942293cf2429474a1a100339572)
---
 examples/LDAP/samba.schema | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'examples/LDAP')
diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema
index 8c6b8cb4e3..51e5ffb45e 100644
--- a/examples/LDAP/samba.schema
+++ b/examples/LDAP/samba.schema
@@ -255,7 +255,7 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial'
 EQUALITY caseExactMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
-attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPasswordHistory'
+attributetype ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPasswordHistory'
 DESC 'Concatenated MD4 hashes of the unicode passwords used on this account'
 EQUALITY caseIgnoreIA5Match
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
-- cgit
From feea4517e35c3c2d960945e783f1efc29250f2dd Mon Sep 17 00:00:00 2001
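Review bot: The new sambaLogonHours block in the r1809 hunk ends with `SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE )` immediately followed by the `## string settings` header, with no blank separator line, unlike every other attributetype in the file (the hunk adds exactly four lines). `DESC 'Logon Hours'` also says nothing about the encoding; the 42-character IA5 bound suggests a hex-encoded 168-bit (21-byte) week bitmap, and if that is the format the DESC should say so, e.g. `DESC 'Logon Hours: 168-bit week bitmap as 42 hex digits'`, so the IBM-DS and NDS ports of the schema carry the meaning too.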
From: Gerald Carter
Date: Fri, 20 Aug 2004 15:38:49 +0000
Subject: r1962: fixing schema file; synching with trunk; trying to prevent this from happening again
(This used to be commit f1a0fae13fa2e6baf66c4c5a51bef87d442d9ba6)
---
 examples/LDAP/get_next_oid | 11 ++++++++
 examples/LDAP/samba.schema | 68 ++++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 77 insertions(+), 2 deletions(-)
 create mode 100644 examples/LDAP/get_next_oid
(limited to 'examples/LDAP')
diff --git a/examples/LDAP/get_next_oid b/examples/LDAP/get_next_oid
new file mode 100644
index 0000000000..54af6301f1
--- /dev/null
+++ b/examples/LDAP/get_next_oid
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+nextattrib=`cat samba.schema | grep -i attributetype.*\(.*1.3.6.1.4.1.7165. | awk '{print $3}' | cut -d. -f 10 | tail -1`
+(( nextattrib += 1 ))
+
+echo "attributetype ( 1.3.6.1.4.1.7165.2.1.$nextattrib NAME ...."
+
+nextoc=`cat samba.schema | grep -i objectclass.*\(.*1.3.6.1.4.1.7165. | awk '{print $3}' | cut -d. -f 10 | tail -1`
+(( nextoc += 1 ))
+
+echo "objectclass ( 1.3.6.1.4.1.7165.2.2.$nextoc NAME ...."
diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema
index 51e5ffb45e..8ababa9005 100644
--- a/examples/LDAP/samba.schema
+++ b/examples/LDAP/samba.schema
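Review bot: The grep pattern on the `nextattrib=` line, `attributetype.*\(.*1.3.6.1.4.1.7165.`, is unquoted, so the shell performs glob expansion on it and strips the backslash before grep runs; it works only while no file in the working directory happens to match, and the bare dots match any character. Quote and anchor it, `grep -i 'attributetype.*(.*1\.3\.6\.1\.4\.1\.7165\.2\.1\.'`, and likewise `'objectclass.*(.*1\.3\.6\.1\.4\.1\.7165\.2\.2\.'` on the `nextoc=` line, which also keeps OIDs from other arcs or malformed ones such as the `7165.1.2.2.x` entries corrected earlier on this page out of the `cut -d. -f 10` field, where they yield the wrong component. `tail -1` then returns the last entry in file order rather than the highest number, so a gap-filling insertion lower in the file produces a duplicate; `sort -n | tail -1` fixes that. The r1964 revision of this script later on this page adds `sort -n` and `grep -v '^#'` but keeps the unquoted, unanchored pattern.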
@@ -10,6 +10,25 @@
 ## 1.3.6.1.4.1.7165.2.1.x - attributetypes
 ## 1.3.6.1.4.1.7165.2.2.x - objectclasses
 ##
+## ----- READ THIS WHEN ADDING A NEW ATTRIBUTE OR OBJECT CLASS ------
+##
+## Run the 'get_next_oid' bash script in this directory to find the
+## next available OID for attribute type and object classes.
+##
+## $ ./get_next_oid
+## attributetype ( 1.3.6.1.4.1.7165.2.1.XX NAME ....
+## objectclass ( 1.3.6.1.4.1.7165.2.2.XX NAME ....
+##
+## Also ensure that new entries adhere to the declaration style
+## used throughout this file
+##
+## ( 1.3.6.1.4.1.7165.2.XX.XX NAME ....
+## ^ ^ ^
+##
+## The spaces are required for the get_next_oid script (and for
+## readability).
+##
+## ------------------------------------------------------------------
 ########################################################################
 ## HISTORICAL ##
@@ -212,7 +231,7 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaLogonHours'
+attributetype ( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours'
 DESC 'Logon Hours'
 EQUALITY caseIgnoreIA5Match
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE )
@@ -255,7 +274,7 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial'
 EQUALITY caseExactMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
-attributetype ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPasswordHistory'
+attributetype ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory'
 DESC 'Concatenated MD4 hashes of the unicode passwords used on this account'
 EQUALITY caseIgnoreIA5Match
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
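Review bot: The READ THIS block tells contributors how to find a free OID but not that an OID must never be reassigned once a schema containing it has shipped, and the two hunks below it do exactly that: sambaLogonHours moves from 2.1.50 to 2.1.55 and sambaPasswordHistory from 2.1.52 to 2.1.54, while 2.1.50 and 2.1.52 are handed to sambaPrivName and sambaPrivilegeList in the next hunk of this commit, so a server that loaded the previous file now sees the same OID under a different NAME, and the IBM-DS, NDS and Netscape ports must be updated in step. A line such as `## Never renumber or reuse an OID that has appeared in a released schema; allocate a new one instead.` in that block would prevent a repeat. The 'The spaces are required' sentence should also spell out what the script depends on — `attributetype ( OID NAME`, a space on each side of the parenthesis — since get_next_oid reads the OID as awk field 3.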
@@ -316,6 +335,51 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributetype ( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName'
+ DESC 'Share Name'
+ EQUALITY caseIgnoreMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName'
+ DESC 'Option Name'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption'
+ DESC 'A boolean option'
+ EQUALITY booleanMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaInt<br>egerOption'
+ DESC 'An integer option'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption'
+ DESC 'A string option'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption'
+ DESC 'A string list option'
+ EQUALITY caseIgnoreMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName'
+ SUP name )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList'
+ DESC 'Privileges List'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags'
+ DESC 'Trust Password Flags'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
 #######################################################################
 ## objectClasses used by Samba 3.0 schema
 ##
-- cgit
From 455bc1db4113ed8248cb8d7f41a30899f5aace81 Mon Sep 17 00:00:00 2001
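Review bot: sambaOptionName is the only name-like attribute among the new types declared without `SINGLE-VALUE`, unlike sambaShareName directly above it, even though it is meant as the naming attribute of a configuration-option entry (the sambaConfigOption class added by the following r1964 commit lists it as MUST); if an option is to have exactly one name, the line should read `SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} SINGLE-VALUE )`. sambaPrivName (`SUP name`) has no DESC at all and is set off from the previous block by two blank lines rather than the one used everywhere else; a `DESC 'Privilege name'` line and a single separator would match the file's style. sambaStringOption uses caseExactIA5Match on an IA5 syntax while sambaStringListOption uses caseIgnoreMatch on DirectoryString — if the difference is intentional (exact-match single strings, case-folded lists) a comment saying so would stop the next editor from "fixing" it.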
From: Gerald Carter
Date: Fri, 20 Aug 2004 15:54:54 +0000
Subject: r1964: more schema fixes syncing between branches
(This used to be commit 49fba32217d9a9a186a28805011bdb567ac968de)
---
 examples/LDAP/get_next_oid | 8 ++++++--
 examples/LDAP/samba.schema | 35 +++++++++++++++++++++++++++++++++--
 2 files changed, 39 insertions(+), 4 deletions(-)
(limited to 'examples/LDAP')
diff --git a/examples/LDAP/get_next_oid b/examples/LDAP/get_next_oid
index 54af6301f1..bf00200375 100644
--- a/examples/LDAP/get_next_oid
+++ b/examples/LDAP/get_next_oid
@@ -1,11 +1,15 @@
 #!/bin/bash
-nextattrib=`cat samba.schema | grep -i attributetype.*\(.*1.3.6.1.4.1.7165. | awk '{print $3}' | cut -d. -f 10 | tail -1`
+nextattrib=`cat samba.schema | grep -i attributetype.*\(.*1.3.6.1.4.1.7165. | grep -v '^#' | \
+ awk '{print $3}' | cut -d. -f 10 | sort -n | tail -1`
+
 (( nextattrib += 1 ))
 echo "attributetype ( 1.3.6.1.4.1.7165.2.1.$nextattrib NAME ...."
-nextoc=`cat samba.schema | grep -i objectclass.*\(.*1.3.6.1.4.1.7165. | awk '{print $3}' | cut -d. -f 10 | tail -1`
+nextoc=`cat samba.schema | grep -i objectclass.*\(.*1.3.6.1.4.1.7165. | grep -v '^#' | \
+ awk '{print $3}' | cut -d. -f 10 | sort -n | tail -1`
+
 (( nextoc += 1 ))
 echo "objectclass ( 1.3.6.1.4.1.7165.2.2.$nextoc NAME ...."
diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema
index 8ababa9005..17ea2d9fd2 100644
--- a/examples/LDAP/samba.schema
+++ b/examples/LDAP/samba.schema
@@ -413,6 +413,14 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY
 MUST ( gidNumber $ sambaSID $ sambaGroupType )
 MAY ( displayName $ description $ sambaSIDList ))
+##
+## Trust password for trust relationships (any kind)
+##
+objectclass ( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' SUP top STRUCTURAL
+ DESC 'Samba Trust Password'
+ MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags )
+ MAY ( sambaSID $ sambaPwdLastSet ))
+
 ##
 ## Whole-of-domain info
 ##
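Review bot: The new sambaTrustPassword class makes sambaNTPassword a MUST attribute of a structural entry that will normally live outside the user subtree, so a deployment that guards hashes by DN scope (an `access to dn.subtree="ou=Users,..."`-style rule) instead of by attribute name would leave the trust secret readable to anyone who can read the entry; a comment above the class stating that the same `attrs=sambaLMPassword,sambaNTPassword` ACL must cover these entries would help administrators. `DESC 'Samba Trust Password'` also describes the object, not what sambaTrustFlags holds; since sambaTrustFlags was introduced in the previous commit with only `DESC 'Trust Password Flags'`, a one-line comment on the expected flag values (or a pointer to where Samba defines them) would make the class usable without reading the source.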
@@ -423,7 +431,9 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL
 MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $
 sambaAlgorithmicRidBase ) )
+##
 ## used for idmap_ldap module
+##
 objectclass ( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY
 DESC 'Pool for allocating UNIX uids/gids'
 MUST ( uidNumber $ gidNumber ) )
@@ -435,6 +445,27 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY
 MAY ( uidNumber $ gidNumber ) )
 objectclass ( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL
- DESC 'Structural Class for a SID'
- MUST ( sambaSID ) )
+ DESC 'Structural Class for a SID'
+ MUST ( sambaSID ) )
+
+objectclass ( 1.3.6.1.4.1.7165.1.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY
+ DESC 'Samba Configuration Section'
+ MAY ( description ) )
+
+objectclass ( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' SUP top STRUCTURAL
+ DESC 'Samba Share Section'
+ MUST ( sambaShareName )
+ MAY ( description ) )
+
+objectclass ( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' SUP top STRUCTURAL
+ DESC 'Samba Configuration Option'
+ MUST ( sambaOptionName )
+ MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $
+ sambaStringListoption $ description ) )
+
+
+objectclass ( 1.3.6.1.4.1.7165.2.2.13 NAME 'sambaPrivilege' SUP top AUXILIARY
+ DESC 'Samba Privilege'
+ MUST ( sambaSID )
+ MAY ( sambaPrivilegeList ) )
-- cgit
From 0211bf0dee5d5c964740278fbd7f686e2b69cb26 Mon Sep 17 00:00:00 2001
From: Gerald Carter
Date: Thu, 2 Sep 2004 15:26:36 +0000
Subject: r2189: adding some comments to the schema file
(This used to be commit 1438c2960f1213ddf98e7e874e1d060f2d57089c)
---
 examples/LDAP/samba.schema | 9 +++++++++
 1 file changed, 9 insertions(+)
(limited to 'examples/LDAP')
diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema
index 17ea2d9fd2..7dc4de54b3 100644
--- a/examples/LDAP/samba.schema
+++ b/examples/LDAP/samba.schema
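Review bot: The OID on the new sambaConfig line, `1.3.6.1.4.1.7165.1.2.2.10`, carries the stray `.1` arc that the r1663 commit earlier on this page removed from sambaUnixIdPool, sambaIdmapEntry and sambaSidEntry; per the file's own header the line should read `objectclass ( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY`. The sambaConfigOption MAY list spells the attribute `sambaStringListoption` while the attributetype added in the previous commit is `sambaStringListOption`; LDAP matches names case-insensitively, but the mismatch defeats a grep and should be aligned. sambaConfig is AUXILIARY with nothing but `MAY ( description )`, so a configuration-section entry needs some other structural class to exist; a comment naming the intended one would make the class usable.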
@@ -10,6 +10,10 @@ ## 1.3.6.1.4.1.7165.2.1.x - attributetypes ## 1.3.6.1.4.1.7165.2.2.x - objectclasses ## +## Printer support +## 1.3.6.1.4.1.7165.2.3.1.x - attributetypes +## 1.3.6.1.4.1.7165.2.3.2.x - objectclasses +## ## ----- READ THIS WHEN ADDING A NEW ATTRIBUTE OR OBJECT CLASS ------ ## ## Run the 'get_next_oid' bash script in this directory to find the @@ -30,6 +34,11 @@ ## ## ------------------------------------------------------------------ +# objectIdentifier SambaRoot 1.3.6.1.4.1.7165 +# objectIdentifier Samba3 SambaRoot:2 +# objectIdentifier Samba3Attrib Samba3:1 +# objectIdentifier Samba3ObjectClass Samba3:2 + ######################################################################## ## HISTORICAL ## ######################################################################## -- cgit From 1e8cb5430807a5975af33d7305cb66e0d4819a01 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 20 Oct 2004 15:37:47 +0000 Subject: r3088: update nds schema file from Uli Iske (This used to be commit 3e28c576951051439e6b5e1022ab76a44e30ff9d) --- examples/LDAP/samba-nds.schema | 219 +++++++++++++++++++++++++++++++++++------ 1 file changed, 189 insertions(+), 30 deletions(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba-nds.schema b/examples/LDAP/samba-nds.schema index 8369c8404e..c623b4da67 100644 --- a/examples/LDAP/samba-nds.schema +++ b/examples/LDAP/samba-nds.schema 
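Review bot: The new comment reserves 1.3.6.1.4.1.7165.2.3.1.x and 2.3.2.x for printer support, but get_next_oid in this directory selects candidates with `grep -i attributetype.*\(.*1.3.6.1.4.1.7165.` and `cut -d. -f 10`, so any printer attributetype later added to this file would be counted in the 2.1.x pool with the constant `1` as its field 10; either say in the comment that printer definitions belong in a separate file, or anchor the script's pattern on `7165\.2\.1\.` and `7165\.2\.2\.`. The commented objectIdentifier macros (SambaRoot, Samba3, Samba3Attrib, Samba3ObjectClass) are not used by any definition visible on this page, which all spell out full OIDs; a one-line note that they are reference only, not an invitation to write `Samba3Attrib:55`, would avoid mixed styles that the script cannot parse.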
@@ -1,151 +1,310 @@ ## -## Schema file for Novell eDirectory 8.7.x by Uli Iske -## Schema for storing Samba's smbpasswd file in LDAP +## Schema file for Novell eDirectory by Uli Iske +## Schema for storing Samba user accounts and group maps in LDAP +## OIDs are owned by the Samba Team +## +## Prerequisite schemas rfc2307-usergroup.ldif +## +## 1.3.6.1.4.1.7165.2.1.x - attributetypes +## 1.3.6.1.4.1.7165.2.2.x - objectclasses +## ## OIDs are owned by the Samba Team ## ####################################################################### ## Attributes used by Samba 3.0 schema ## ####################################################################### +## +## Password hashes +## + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'LanManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'MD4 hash of the unicode password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) + +## +## Account flags in string format ((UWDX ]) +## + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Account Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE ) + +## +## Password timestamps & policies +## + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' DESC 'Timestamp of the last password update' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange' DESC 'Timestamp of when the user is allowed to update the password' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 
SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' DESC 'Timestamp of when the password will expire' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' DESC 'Timestamp of last logon' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' DESC 'Timestamp of last logoff' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' DESC 'Timestamp of when the user will be logged off automatically' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount' DESC 'Bad password attempt count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime' DESC 'Time of the last bad password attempt' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours' DESC 'Logon Hours' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) + +## +## String settings +## + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' DESC 'Driver letter of home directory mapping' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE ) + dn: cn=schema 
changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'LanManager Password' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' DESC 'Logon script path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE ) dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'MD4 hash of the unicode password' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath' DESC 'Roaming profile path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE ) dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Account Flags' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations' DESC 'List of user workstations the user is allowed to logon to' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE ) dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' DESC 'Timestamp of the last password update' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath' DESC 'Home directory UNC path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange' DESC 'Timestamp of when the user is allowed to update the password' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' DESC 'Windows NT domain to which the user belongs' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) dn: cn=schema changetype: modify 
add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' DESC 'Timestamp of when the password will expire' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC '' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' DESC 'Concatenated MD4 hashes of the unicode passwords used on this account' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} ) + +## +## SID, of any type +## dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' DESC 'Timestamp of last logon' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) + +## +## Primary group SID, compatible with ntSid +## dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' DESC 'Timestamp of last logoff' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID' DESC 'Primary Group Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' DESC 'Timestamp of when the user will be logged off automatically' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList' DESC 'Security ID List' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} ) + +## +## group mapping attributes +## dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.33 NAME 
'sambaHomeDrive' DESC 'Driver letter of home directory mapping' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC 'NT Group Type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +## +## Store info on domain +## dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' DESC 'Logon script path' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid' DESC 'Next NT rid to give our for users' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath' DESC 'Roaming profile path' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid' DESC 'Next NT rid to give out for groups' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations' DESC 'List of user workstations the user is allowed to logon to' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' DESC 'Next NT rid to give out for anything' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath' DESC 'Home directory UNC path' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase' DESC 'Base at which the samba RID generation algorithm should operate' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.38 
NAME 'sambaDomainName' DESC 'Windows NT domain to which the user belongs' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName' DESC 'Share Name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName' DESC 'Option Name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID' DESC 'Primary Group Security ID' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption' DESC 'A boolean option' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC 'NT Group Type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption' DESC 'An integer option' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid' DESC 'Next NT rid to give our for users' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption' DESC 'A string option' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid' DESC 'Next NT rid to give out for groups' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributeTypes: ( 
1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption' DESC 'A string list option' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) + +## +## unused +## +## dn: cn=schema +## changetype: modify +## add: attributetypes +## attributeTypes: ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName' SUP name ) dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' DESC 'Next NT rid to give out for anything' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList' DESC 'Privileges List' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} ) dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase' DESC 'Base at which the samba RID generation algorithm should operate' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags' DESC 'Trust Password Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) ####################################################################### ## objectClasses used by Samba 3.0 schema ## ####################################################################### + +dn: cn=schema +changetype: modify +add: objectClasses +objectClasses: ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' DESC 'Samba 3.0 Auxilary SAM Account' SUP top AUXILIARY MUST ( uid $ sambaSID ) MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $ sambaBadPasswordCount $ sambaBadPasswordTime $ sambaPasswordHistory $ sambaLogonHours)) + +## +## Group mapping info +## + +dn: cn=schema +changetype: 
modify +add: objectClasses +objectClasses: ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' DESC 'Samba Group Mapping' SUP top AUXILIARY MUST ( gidNumber $ sambaSID $ sambaGroupType ) MAY ( displayName $ description $ sambaSIDList)) + +## +## Trust password for trust relationships (any kind) +## + +dn: cn=schema +changetype: modify +add: objectClasses +objectClasses: ( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' DESC 'Samba Trust Password' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags ) MAY ( sambaSID $ sambaPwdLastSet )) + +## +## Whole-of-domain info +## + +dn: cn=schema +changetype: modify +add: objectClasses +objectClasses: ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' DESC 'Samba Domain Information' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaSID ) MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithmicRidBase )) + +## +## used for idmap_ldap module +## + +dn: cn=schema +changetype: modify +add: objectClasses +objectClasses: ( 1.3.6.1.4.1.7165.1.2.2.7 NAME 'sambaUnixIdPool' DESC 'Pool for allocating UNIX uids/gids' SUP top AUXILIARY MUST ( uidNumber $ gidNumber )) + dn: cn=schema changetype: modify add: objectClasses -objectClasses: ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' DESC 'Samba 3.0 Auxilary SAM Account' SUP top AUXILIARY MUST ( uid $ sambaSID ) MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $sambaLogonTime $ sambaLogoffTime $sambaKickoffTime $sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $sambaProfilePath $ description $ sambaUserWorkstations $sambaPrimaryGroupSID $ sambaDomainName )) +objectClasses: ( 1.3.6.1.4.1.7165.1.2.2.8 NAME 'sambaIdmapEntry' DESC 'Mapping from a SID to an ID' SUP top AUXILIARY MUST ( sambaSID ) MAY ( uidNumber $ gidNumber )) dn: cn=schema changetype: modify add: objectClasses -objectClasses: ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' DESC 'Samba Group Mapping' SUP 
top AUXILIARY MUST ( gidNumber $ sambaSID $ sambaGroupType ) MAY ( displayName $ description )) +objectClasses: ( 1.3.6.1.4.1.7165.1.2.2.9 NAME 'sambaSidEntry' DESC 'Structural Class for a SID' SUP top STRUCTURAL MUST ( sambaSID )) dn: cn=schema changetype: modify add: objectClasses -objectClasses: ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' DESC 'Samba Domain Information' SUP top STRUCTURAL MUST ( sambaDomainName $sambaSID ) MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $sambaAlgorithmicRidBase ) ) +objectClasses: ( 1.3.6.1.4.1.7165.1.2.2.10 NAME 'sambaConfig' DESC 'Samba Configuration Section' SUP top AUXILIARY MAY ( description )) dn: cn=schema changetype: modify add: objectClasses -objectClasses: ( 1.3.6.1.4.1.7165.1.2.2.7 NAME 'sambaUnixIdPool' DESC 'Pool for allocating UNIX uids/gids' SUP top AUXILIARY MUST ( uidNumber $ gidNumber ) ) +objectClasses: ( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' DESC 'Samba Share Section' SUP top STRUCTURAL MUST ( sambaShareName ) MAY ( description )) dn: cn=schema changetype: modify add: objectClasses -objectClasses: ( 1.3.6.1.4.1.7165.1.2.2.8 NAME 'sambaIdmapEntry' DESC 'Mapping from a SID to an ID' SUP top AUXILIARY MUST ( sambaSID ) MAY ( uidNumber $ gidNumber ) ) +objectClasses: ( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' DESC 'Samba Configuration Option' SUP top STRUCTURAL MUST ( sambaOptionName ) MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $ sambaStringListoption $ description )) dn: cn=schema changetype: modify add: objectClasses -objectClasses: ( 1.3.6.1.4.1.7165.1.2.2.9 NAME 'sambaSidEntry' DESC 'Structural Class for a SID' SUP top STRUCTURAL MUST ( sambaSID ) ) +objectClasses: ( 1.3.6.1.4.1.7165.2.2.13 NAME 'sambaPrivilege' DESC 'Samba Privilege' SUP top AUXILIARY MUST ( sambaSID ) MAY ( sambaPrivilegeList )) -- cgit From e86235fbdcfe8dd71b2ee887052e27f67a240fab Mon Sep 17 00:00:00 2001 
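Review bot: The objectclass OIDs for `sambaUnixIdPool`, `sambaIdmapEntry`, `sambaSidEntry` and `sambaConfig` are written as `1.3.6.1.4.1.7165.1.2.2.7` through `.10` in the new objectClasses block, while this file's new header states `1.3.6.1.4.1.7165.2.2.x - objectclasses` and the OpenLDAP samba.schema earlier on this page registers the first three as `1.3.6.1.4.1.7165.2.2.7` through `.9`; the extra `.1.` component was carried over from the removed lines and now makes the two schema files disagree on the identity of the same classes. Missing documentation on the password attributes: because the NT hash is password-equivalent for NTLM authentication, the `## Password hashes` comment should state that `sambaLMPassword`, `sambaNTPassword` and `sambaPasswordHistory` must be readable only by the Samba bind identity, e.g. `## These values are password-equivalent secrets: restrict read access with directory ACLs.` Minor: `sambaMungedDial` is declared with an empty `DESC ''`, and the `'Driver letter of home directory mapping'` and `'Next NT rid to give our for users'` descriptions carry typos over from the old lines.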
From: Gerald Carter Date: Thu, 20 Jan 2005 16:31:42 +0000 Subject: r4867: Removing smbldap-tools from the svn tree. I'll include the latest version in the actual release tarballs. Have spoken to the idealx developers about this. Updated README to reflect the changte for people using svn. Removed ldapsync.pl since it is no longer needed when using the smbldap-tools (only keep things you support). (This used to be commit f745e5119f420d4826ac395037880666761e05e8) --- examples/LDAP/README | 20 +- examples/LDAP/ldapsync.pl | 122 ---- examples/LDAP/smbldap-tools/CONTRIBUTORS | 33 - examples/LDAP/smbldap-tools/COPYING | 340 --------- examples/LDAP/smbldap-tools/ChangeLog | 89 --- examples/LDAP/smbldap-tools/FILES | 43 -- examples/LDAP/smbldap-tools/INFRASTRUCTURE | 93 --- examples/LDAP/smbldap-tools/INSTALL | 28 - examples/LDAP/smbldap-tools/Makefile | 35 - examples/LDAP/smbldap-tools/README | 87 --- examples/LDAP/smbldap-tools/TODO | 28 - examples/LDAP/smbldap-tools/cgi/README | 27 - examples/LDAP/smbldap-tools/cgi/ldappass.cgi | 202 ------ examples/LDAP/smbldap-tools/mkntpwd/Makefile | 62 -- examples/LDAP/smbldap-tools/mkntpwd/getopt.c | 756 -------------------- examples/LDAP/smbldap-tools/mkntpwd/getopt.h | 133 ---- examples/LDAP/smbldap-tools/mkntpwd/md4.c | 171 ----- examples/LDAP/smbldap-tools/mkntpwd/mkntpwd.c | 253 ------- examples/LDAP/smbldap-tools/mkntpwd/mkntpwd.h | 17 - examples/LDAP/smbldap-tools/mkntpwd/smbdes.c | 337 --------- examples/LDAP/smbldap-tools/smbldap-groupadd.pl | 158 ----- examples/LDAP/smbldap-tools/smbldap-groupdel.pl | 93 --- examples/LDAP/smbldap-tools/smbldap-groupmod.pl | 283 -------- examples/LDAP/smbldap-tools/smbldap-groupshow.pl | 74 -- .../LDAP/smbldap-tools/smbldap-migrate-accounts.pl | 230 ------ .../LDAP/smbldap-tools/smbldap-migrate-groups.pl | 225 ------ examples/LDAP/smbldap-tools/smbldap-passwd.pl | 227 ------ examples/LDAP/smbldap-tools/smbldap-populate.pl | 370 ---------- examples/LDAP/smbldap-tools/smbldap-tools.spec | 140 
---- examples/LDAP/smbldap-tools/smbldap-useradd.pl | 522 -------------- examples/LDAP/smbldap-tools/smbldap-userdel.pl | 125 ---- examples/LDAP/smbldap-tools/smbldap-usermod.pl | 488 ------------- examples/LDAP/smbldap-tools/smbldap-usershow.pl | 72 -- examples/LDAP/smbldap-tools/smbldap_conf.pm | 248 ------- examples/LDAP/smbldap-tools/smbldap_tools.pm | 771 --------------------- 35 files changed, 5 insertions(+), 6897 deletions(-) delete mode 100644 examples/LDAP/ldapsync.pl delete mode 100644 examples/LDAP/smbldap-tools/CONTRIBUTORS delete mode 100644 examples/LDAP/smbldap-tools/COPYING delete mode 100644 examples/LDAP/smbldap-tools/ChangeLog delete mode 100644 examples/LDAP/smbldap-tools/FILES delete mode 100644 examples/LDAP/smbldap-tools/INFRASTRUCTURE delete mode 100644 examples/LDAP/smbldap-tools/INSTALL delete mode 100644 examples/LDAP/smbldap-tools/Makefile delete mode 100644 examples/LDAP/smbldap-tools/README delete mode 100644 examples/LDAP/smbldap-tools/TODO delete mode 100644 examples/LDAP/smbldap-tools/cgi/README delete mode 100755 examples/LDAP/smbldap-tools/cgi/ldappass.cgi delete mode 100644 examples/LDAP/smbldap-tools/mkntpwd/Makefile delete mode 100644 examples/LDAP/smbldap-tools/mkntpwd/getopt.c delete mode 100644 examples/LDAP/smbldap-tools/mkntpwd/getopt.h delete mode 100644 examples/LDAP/smbldap-tools/mkntpwd/md4.c delete mode 100644 examples/LDAP/smbldap-tools/mkntpwd/mkntpwd.c delete mode 100644 examples/LDAP/smbldap-tools/mkntpwd/mkntpwd.h delete mode 100644 examples/LDAP/smbldap-tools/mkntpwd/smbdes.c delete mode 100755 examples/LDAP/smbldap-tools/smbldap-groupadd.pl delete mode 100755 examples/LDAP/smbldap-tools/smbldap-groupdel.pl delete mode 100755 examples/LDAP/smbldap-tools/smbldap-groupmod.pl delete mode 100755 examples/LDAP/smbldap-tools/smbldap-groupshow.pl delete mode 100755 examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl delete mode 100644 examples/LDAP/smbldap-tools/smbldap-migrate-groups.pl delete mode 100755 
examples/LDAP/smbldap-tools/smbldap-passwd.pl delete mode 100755 examples/LDAP/smbldap-tools/smbldap-populate.pl delete mode 100755 examples/LDAP/smbldap-tools/smbldap-tools.spec delete mode 100755 examples/LDAP/smbldap-tools/smbldap-useradd.pl delete mode 100755 examples/LDAP/smbldap-tools/smbldap-userdel.pl delete mode 100755 examples/LDAP/smbldap-tools/smbldap-usermod.pl delete mode 100755 examples/LDAP/smbldap-tools/smbldap-usershow.pl delete mode 100644 examples/LDAP/smbldap-tools/smbldap_conf.pm delete mode 100755 examples/LDAP/smbldap-tools/smbldap_tools.pm (limited to 'examples/LDAP') diff --git a/examples/LDAP/README b/examples/LDAP/README index 2f4b4f2a05..aa3207fd1f 100644 --- a/examples/LDAP/README +++ b/examples/LDAP/README @@ -52,22 +52,12 @@ objectclass. smbldap-tools/ -------------- -This is a collection of perl scripts (wrapped around the standard -OpenLDAP command line tools) for managing Samba and posix accounts -in an LDAP directory. See the README file included with the scripts -for more details. +The smbldap-tools have been removed from the samba svn +tree. The latest version will continue to be included +in Samba releases. - -ldapsync.pl ------------ -For more information on these scripts, see - - http://www.mami.net/univr/tng-ldap/howto/ - - -The ldapsync.pl script requires a small command (smbencrypt) -for generating LanMan and NT password hashes which -can be found at ftp://samba.org/pub/samba/contributed/ +The smbldap-tools package can be downloaded individually from +http://samba.idealx.org/dist/ !== !== end of README diff --git a/examples/LDAP/ldapsync.pl b/examples/LDAP/ldapsync.pl deleted file mode 100644 index c112bcc34c..0000000000 --- a/examples/LDAP/ldapsync.pl +++ /dev/null 
@@ -1,122 +0,0 @@ -#!/usr/bin/perl -w - -# LDAP to unix password sync script for samba-tng -# originally by Jody Haynes -# 12/12/2000 milos@interactivesi.com -# modified for use with MD5 passwords -# 12/16/2000 mami@arena.sci.univr.it -# modified to change lmpassword and ntpassword for samba -# 05/01/2001 mami@arena.sci.univr.it -# modified for being also a /bin/passwd replacement -# -# ACHTUNG!! For servers that support the LDAP Modify password -# extended op (e.g. OpenLDAP), see the "ldap password -# sync" option in smb.conf(5). -# - -$basedn = "ou=Students,dc=univr, dc=it"; -$binddn = "uid=root,dc=univr,dc=it"; -$scope = "sub"; -$passwd = "mysecret"; - -foreach $arg (@ARGV) { - if ($< != 0) { - die "Only root can specify parameters\n"; - } else { - if ( ($arg eq '-?') || ($arg eq '--help') ) { - print "Usage: $0 [-o] [username]\n"; - print " -o, --without-old-password do not ask for old password (root only)\n"; - print " -?, --help show this help message\n"; - exit (-1); - } elsif ( ($arg eq '-o') || ($arg eq '--without-old-password') ) { - $oldpass = 1; - } elsif (substr($arg,0) ne '-') { - $user = $arg; - if (!defined(getpwnam($user))) { - die "$0: Unknown user name '$user'\n"; ; - } - } - } -} - -if (!defined($user)) { - $user=$ENV{"USER"}; -} - -if (!defined($oldpass)) { - system "stty -echo"; - print "Old password for user $user: "; - chomp($oldpass=); - print "\n"; - system "stty echo"; - - $ntpwd = `/usr/local/sbin/smbencrypt '$oldpass'`; - $lmpassword = substr($ntpwd, 0, index($ntpwd, ':')); chomp $lmpassword; - $ntpassword = substr($ntpwd, index($ntpwd, ':')+1); chomp $ntpassword; - - # Find dn for user $user (maybe check unix password too?) 
- $dn=`ldapsearch -b '$basedn' -s '$scope' '(&(uid=$user)(lmpassword=$lmpassword)(ntpassword=$ntpassword))'|head -1`; - chomp $dn; - - if ($dn eq '') { - print "Wrong password for user $user!\n"; - exit (-1); - } -} else { - # Find dn for user $user - $dn=`ldapsearch -b '$basedn' -s '$scope' '(uid=$user)'|head -1`; - chomp $dn; -} - -system "stty -echo"; -print "New password for user $user: "; -chomp($pass=); -print "\n"; -system "stty echo"; - -system "stty -echo"; -print "Retype new password for user $user: "; -chomp($pass2=); -print "\n"; -system "stty echo"; - -if ($pass ne $pass2) { - die "Wrong password!\n"; -} else { -# MD5 password -$random = join '', ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64, rand 64, rand 64, rand 64, rand 64, rand 64, rand 64]; -$bsalt = "\$1\$"; $esalt = "\$"; -$modsalt = $bsalt.$random.$esalt; -$password = crypt($pass, $modsalt); - -# LanManager and NT clear text passwords -$ntpwd = `/usr/local/sbin/smbencrypt '$pass'`; -chomp($lmpassword = substr($ntpwd, 0, index($ntpwd, ':'))); -chomp($ntpassword = substr($ntpwd, index($ntpwd, ':')+1)); - -$FILE="|/usr/bin/ldapmodify -D '$binddn' -w $passwd"; - -open FILE or die; - -print FILE < - . Terry Davis - . David Le Corfec - . Olivier Lemaire - -Many thanks to contributors for bug report and patches: - . Marc Schoechlin - load the perl-modules without setting environment-variables or making symlinks - . Alexander Bergolth - more Net::LDAP support - . Gert-Jan Braas - bug report for 2.2.3 samba.schema - . Jody Haynes - originaly passwd.pl - . Brad Langhorst - package relocatability - . Mirko Manea - originaly useradd.pl - . Alain Richard - bug report and Perl tips - . Roland Schulz - bug report for smbldap-passwd - . Xavier Boschian - bug report for smbldap-populate - . Christophe DUBREUIL - Net::LDAP support in smbldap_tools.pm -# - The End diff --git a/examples/LDAP/smbldap-tools/COPYING b/examples/LDAP/smbldap-tools/COPYING deleted file mode 100644 index 32d0e6014a..0000000000 
--- a/examples/LDAP/smbldap-tools/COPYING +++ /dev/null 
@@ -1,340 +0,0 @@ - GNU GENERAL PUBLIC LICENSE - Version 2, June 1991 - - Copyright (C) 1989, 1991 Free Software Foundation, Inc. - 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The licenses for most software are designed to take away your -freedom to share and change it. By contrast, the GNU General Public -License is intended to guarantee your freedom to share and change free -software--to make sure the software is free for all its users. This -General Public License applies to most of the Free Software -Foundation's software and to any other program whose authors commit to -using it. (Some other Free Software Foundation software is covered by -the GNU Library General Public License instead.) You can apply it to -your programs, too. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -this service if you wish), that you receive source code or can get it -if you want it, that you can change the software or use pieces of it -in new free programs; and that you know you can do these things. - - To protect your rights, we need to make restrictions that forbid -anyone to deny you these rights or to ask you to surrender the rights. -These restrictions translate to certain responsibilities for you if you -distribute copies of the software, or if you modify it. - - For example, if you distribute copies of such a program, whether -gratis or for a fee, you must give the recipients all the rights that -you have. You must make sure that they, too, receive or can get the -source code. And you must show them these terms so they know their -rights. 
- - We protect your rights with two steps: (1) copyright the software, and -(2) offer you this license which gives you legal permission to copy, -distribute and/or modify the software. - - Also, for each author's protection and ours, we want to make certain -that everyone understands that there is no warranty for this free -software. If the software is modified by someone else and passed on, we -want its recipients to know that what they have is not the original, so -that any problems introduced by others will not reflect on the original -authors' reputations. - - Finally, any free program is threatened constantly by software -patents. We wish to avoid the danger that redistributors of a free -program will individually obtain patent licenses, in effect making the -program proprietary. To prevent this, we have made it clear that any -patent must be licensed for everyone's free use or not licensed at all. - - The precise terms and conditions for copying, distribution and -modification follow. - - GNU GENERAL PUBLIC LICENSE - TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - - 0. This License applies to any program or other work which contains -a notice placed by the copyright holder saying it may be distributed -under the terms of this General Public License. The "Program", below, -refers to any such program or work, and a "work based on the Program" -means either the Program or any derivative work under copyright law: -that is to say, a work containing the Program or a portion of it, -either verbatim or with modifications and/or translated into another -language. (Hereinafter, translation is included without limitation in -the term "modification".) Each licensee is addressed as "you". - -Activities other than copying, distribution and modification are not -covered by this License; they are outside its scope. 
The act of -running the Program is not restricted, and the output from the Program -is covered only if its contents constitute a work based on the -Program (independent of having been made by running the Program). -Whether that is true depends on what the Program does. - - 1. You may copy and distribute verbatim copies of the Program's -source code as you receive it, in any medium, provided that you -conspicuously and appropriately publish on each copy an appropriate -copyright notice and disclaimer of warranty; keep intact all the -notices that refer to this License and to the absence of any warranty; -and give any other recipients of the Program a copy of this License -along with the Program. - -You may charge a fee for the physical act of transferring a copy, and -you may at your option offer warranty protection in exchange for a fee. - - 2. You may modify your copy or copies of the Program or any portion -of it, thus forming a work based on the Program, and copy and -distribute such modifications or work under the terms of Section 1 -above, provided that you also meet all of these conditions: - - a) You must cause the modified files to carry prominent notices - stating that you changed the files and the date of any change. - - b) You must cause any work that you distribute or publish, that in - whole or in part contains or is derived from the Program or any - part thereof, to be licensed as a whole at no charge to all third - parties under the terms of this License. - - c) If the modified program normally reads commands interactively - when run, you must cause it, when started running for such - interactive use in the most ordinary way, to print or display an - announcement including an appropriate copyright notice and a - notice that there is no warranty (or else, saying that you provide - a warranty) and that users may redistribute the program under - these conditions, and telling the user how to view a copy of this - License. 
(Exception: if the Program itself is interactive but - does not normally print such an announcement, your work based on - the Program is not required to print an announcement.) - -These requirements apply to the modified work as a whole. If -identifiable sections of that work are not derived from the Program, -and can be reasonably considered independent and separate works in -themselves, then this License, and its terms, do not apply to those -sections when you distribute them as separate works. But when you -distribute the same sections as part of a whole which is a work based -on the Program, the distribution of the whole must be on the terms of -this License, whose permissions for other licensees extend to the -entire whole, and thus to each and every part regardless of who wrote it. - -Thus, it is not the intent of this section to claim rights or contest -your rights to work written entirely by you; rather, the intent is to -exercise the right to control the distribution of derivative or -collective works based on the Program. - -In addition, mere aggregation of another work not based on the Program -with the Program (or with a work based on the Program) on a volume of -a storage or distribution medium does not bring the other work under -the scope of this License. - - 3. 
You may copy and distribute the Program (or a work based on it, -under Section 2) in object code or executable form under the terms of -Sections 1 and 2 above provided that you also do one of the following: - - a) Accompany it with the complete corresponding machine-readable - source code, which must be distributed under the terms of Sections - 1 and 2 above on a medium customarily used for software interchange; or, - - b) Accompany it with a written offer, valid for at least three - years, to give any third party, for a charge no more than your - cost of physically performing source distribution, a complete - machine-readable copy of the corresponding source code, to be - distributed under the terms of Sections 1 and 2 above on a medium - customarily used for software interchange; or, - - c) Accompany it with the information you received as to the offer - to distribute corresponding source code. (This alternative is - allowed only for noncommercial distribution and only if you - received the program in object code or executable form with such - an offer, in accord with Subsection b above.) - -The source code for a work means the preferred form of the work for -making modifications to it. For an executable work, complete source -code means all the source code for all modules it contains, plus any -associated interface definition files, plus the scripts used to -control compilation and installation of the executable. However, as a -special exception, the source code distributed need not include -anything that is normally distributed (in either source or binary -form) with the major components (compiler, kernel, and so on) of the -operating system on which the executable runs, unless that component -itself accompanies the executable. 
- -If distribution of executable or object code is made by offering -access to copy from a designated place, then offering equivalent -access to copy the source code from the same place counts as -distribution of the source code, even though third parties are not -compelled to copy the source along with the object code. - - 4. You may not copy, modify, sublicense, or distribute the Program -except as expressly provided under this License. Any attempt -otherwise to copy, modify, sublicense or distribute the Program is -void, and will automatically terminate your rights under this License. -However, parties who have received copies, or rights, from you under -this License will not have their licenses terminated so long as such -parties remain in full compliance. - - 5. You are not required to accept this License, since you have not -signed it. However, nothing else grants you permission to modify or -distribute the Program or its derivative works. These actions are -prohibited by law if you do not accept this License. Therefore, by -modifying or distributing the Program (or any work based on the -Program), you indicate your acceptance of this License to do so, and -all its terms and conditions for copying, distributing or modifying -the Program or works based on it. - - 6. Each time you redistribute the Program (or any work based on the -Program), the recipient automatically receives a license from the -original licensor to copy, distribute or modify the Program subject to -these terms and conditions. You may not impose any further -restrictions on the recipients' exercise of the rights granted herein. -You are not responsible for enforcing compliance by third parties to -this License. - - 7. 
If, as a consequence of a court judgment or allegation of patent -infringement or for any other reason (not limited to patent issues), -conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot -distribute so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you -may not distribute the Program at all. For example, if a patent -license would not permit royalty-free redistribution of the Program by -all those who receive copies directly or indirectly through you, then -the only way you could satisfy both it and this License would be to -refrain entirely from distribution of the Program. - -If any portion of this section is held invalid or unenforceable under -any particular circumstance, the balance of the section is intended to -apply and the section as a whole is intended to apply in other -circumstances. - -It is not the purpose of this section to induce you to infringe any -patents or other property right claims or to contest validity of any -such claims; this section has the sole purpose of protecting the -integrity of the free software distribution system, which is -implemented by public license practices. Many people have made -generous contributions to the wide range of software distributed -through that system in reliance on consistent application of that -system; it is up to the author/donor to decide if he or she is willing -to distribute software through any other system and a licensee cannot -impose that choice. - -This section is intended to make thoroughly clear what is believed to -be a consequence of the rest of this License. - - 8. 
If the distribution and/or use of the Program is restricted in -certain countries either by patents or by copyrighted interfaces, the -original copyright holder who places the Program under this License -may add an explicit geographical distribution limitation excluding -those countries, so that distribution is permitted only in or among -countries not thus excluded. In such case, this License incorporates -the limitation as if written in the body of this License. - - 9. The Free Software Foundation may publish revised and/or new versions -of the General Public License from time to time. Such new versions will -be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - -Each version is given a distinguishing version number. If the Program -specifies a version number of this License which applies to it and "any -later version", you have the option of following the terms and conditions -either of that version or of any later version published by the Free -Software Foundation. If the Program does not specify a version number of -this License, you may choose any version ever published by the Free Software -Foundation. - - 10. If you wish to incorporate parts of the Program into other free -programs whose distribution conditions are different, write to the author -to ask for permission. For software which is copyrighted by the Free -Software Foundation, write to the Free Software Foundation; we sometimes -make exceptions for this. Our decision will be guided by the two goals -of preserving the free status of all derivatives of our free software and -of promoting the sharing and reuse of software generally. - - NO WARRANTY - - 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY -FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN -OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES -PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED -OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS -TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE -PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, -REPAIR OR CORRECTION. - - 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR -REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, -INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING -OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED -TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY -YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER -PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE -POSSIBILITY OF SUCH DAMAGES. - - END OF TERMS AND CONDITIONS - - How to Apply These Terms to Your New Programs - - If you develop a new program, and you want it to be of the greatest -possible use to the public, the best way to achieve this is to make it -free software which everyone can redistribute and change under these terms. - - To do so, attach the following notices to the program. It is safest -to attach them to the start of each source file to most effectively -convey the exclusion of warranty; and each file should have at least -the "copyright" line and a pointer to where the full notice is found. - - - Copyright (C) 19yy - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. 
- - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - - -Also add information on how to contact you by electronic and paper mail. - -If the program is interactive, make it output a short notice like this -when it starts in an interactive mode: - - Gnomovision version 69, Copyright (C) 19yy name of author - Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. - This is free software, and you are welcome to redistribute it - under certain conditions; type `show c' for details. - -The hypothetical commands `show w' and `show c' should show the appropriate -parts of the General Public License. Of course, the commands you use may -be called something other than `show w' and `show c'; they could even be -mouse-clicks or menu items--whatever suits your program. - -You should also get your employer (if you work as a programmer) or your -school, if any, to sign a "copyright disclaimer" for the program, if -necessary. Here is a sample; alter the names: - - Yoyodyne, Inc., hereby disclaims all copyright interest in the program - `Gnomovision' (which makes passes at compilers) written by James Hacker. - - , 1 April 1989 - Ty Coon, President of Vice - -This General Public License does not permit incorporating your program into -proprietary programs. If your program is a subroutine library, you may -consider it more useful to permit linking proprietary applications with the -library. If this is what you want to do, use the GNU Library General -Public License instead of this License. 
diff --git a/examples/LDAP/smbldap-tools/ChangeLog b/examples/LDAP/smbldap-tools/ChangeLog
deleted file mode 100644
index e4e3768385..0000000000
--- a/examples/LDAP/smbldap-tools/ChangeLog
+++ /dev/null
@@ -1,89 +0,0 @@ -# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/ChangeLog,v $ -# $id: $ -# -## ChangeLog for SMBLDAP-TOOLS - -2003-11-18: - . new option '-a' to smbldap-usermod.pl that allow adding the sambaSamAccount - objectclass to an existing posixAccount -2003-11-07: - . patch that allow adding user to a group when the group is in a higher level depth - then ou=Groups (for example, ou=grp1,ou=Groups,...) - . check the unicity of a group when adding/removing a user to this group -2003-10-28: - . new option '-p' in smbldap-groupadd.pl to 'print' the gidNumber - of the group to STDOUT. This is needed by samba (see the man page) -2003-10-19: - . new function does_sid_exist that check if samaSID sttribute is already - defined for another use or another group -2003-10-13: - . smbldap-populate.pl now also add the group mapping -2003-10-01: - . one can now comment the two directives '$_userSmbHome' and '$_userProfile' - if you want to use the smb.conf directives instead ('logon home' and - 'logon path' respectively), or if you want to desable roaming profiles - . Patch from Alexander Bergolth : the sambaPrimaryGroupSID - of a user is now set to the sambaSID of his primary group -2003-09-29: - . added new option '$_defaultMaxPasswordAge' in smbldap_conf.pm to specifie - how long a password is valid - . The '-B' option was not always valid: to force a user to change his password: - . the attribut sambaPwdLastSet must be != 0 - . the attribut sambaAcctFlags must not match the 'X' flag - . logon script is set (for every one) to the default '_userScript' value if it is defined - . Patch from Alexander Bergolth : - gid-sid group mapping to smbldap-groupadd.pl and smbldap-groupmod.pl -2003-09-19: Patch from Marc Schoechlin - . load the perl-modules without setting environment-variables or making symlinks -2003-09-18: Patch from Alexander Bergolth - . options "-u", "-g", "-s" and "-c" are now functionnal - . 
the existence of samba account was made on sambaAccount and - not sambaSamAccount as it should be for samba3 - . new function read_user_entry to smbldap_tools.pm that returns - a Net::LDAP:Entry object of the user - . Use this object to get the dn and user attributes instead of - producing an ldif and searching for attributes within that ldif -2003-09-15: - . change machine account creation to not add the sambaSamAccount objectclass. - It is now added directly by samba when joigning the domain - . new option in smbldap-usermod.pl: '-e' to set an expire date - . Start_tls support activated when ldapSSL is set to 1 - . Net::LDAP support more scripts - . bugs correction -2003-09-02: - . sambaPwdLastSet is updated when smbldap-passwd.pl is used - . add a function is_group_member to test the existence of a - user in a particular group - . add a function is_unix_user to test if a particular user exist - . Net::LDAP support more scripts -2003-08-15: - . Samba3.0 support -2003-08-01: - . Final version for samba 2.2.8a (cvs tag SAMBA-2-2-8a-FINAL) - . OpenLDAP 2.1 support (only one structural objectclass allowed) -2002-07-24: top and account objectclasses replaced with inetorgperson -2002-06-03: notes to webmin.idealx.org (idxldapaccounts) -2002-06-01: release 0.7. tested with 2.2.4 -2002-05-31: fixed smbldap-populate compliance to smbldap_conf - cleaned up smbldap_conf to be more readable - some more documentation - bugfixes on smbldap-passwd and smbldap-populate -2002-05-16: modified default mode on homes: now 700 -2002-05-13: fixed spec (relocation and reqs) -2002-03-02: fixed 2.2.3 sambaAccount bug with smbldap-useradd.pl - (rid is now mandatory in the sambaAccount objectClass) -2002-02-14: just modified default populate for Administrator -2002-02-05: release 0.6. enable/disable user in usermod -2002-02-04: release 0.5. added smbldap-migrate-groups to migrate NT groups - from a net group dump. added samba parameters to smbldap-useradd - and smbldap-usermod. 
-2002-01-12: added smbldap-migrate-accounts to migrate users/machines - accounts from a PWDUMP dump -2001-12-13: added smbldap-populate to create the initial base -2001-12-13: initial release 0.1 -2001-12-12: fixed the SPEC file for RedHat -2001-12-03: cleaned the code and use strict; -2001-11-20: initial needs (for testing purpose on Samba-2.2.2 an Samba-TNG) - - -# - The End diff --git a/examples/LDAP/smbldap-tools/FILES b/examples/LDAP/smbldap-tools/FILES deleted file mode 100644 index 48ee571b29..0000000000 --- a/examples/LDAP/smbldap-tools/FILES +++ /dev/null 
@@ -1,43 +0,0 @@ -# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/FILES,v $ -# -## File listing for SMBLDAP-TOOLS - -CONTRIBUTORS : authors and contributors -COPYING : licence -FILES : this file listing -README : introduction and usage -TODO : feature request and bug report list -ChangeLog : changelog - -Core: -=-=-= -smbldap-groupadd.pl : to add a new group - (objectclass: posixGroup) -smbldap-groupdel.pl : to delete a group - (objectclass: posixGroup) -smbldap-groupmod.pl : to modify a group (mostly used to add user to a group) - (objectclass: posixGroup) -smbldap-groupshow.pl : to view a group - (objectclass: posixGroup) -smbldap_conf.pm : global configuration datas -smbldap_tools.pm : functions -smbldap-useradd.pl : to add a new user - (objectclass: posixAccount and/or sambaAccount) -smbldap-userdel.pl : to delete a user - (objectclass: posixAccount and/or sambaAccount) -smbldap-usermod.pl : to modify an user datas - (objectclass: posixAccount and/or sambaAccount) -smbldap-usershow.pl : to view an user datas - (objectclass: posixAccount and/or sambaAccount) -smbldap-passwd.pl : to sync passwd (Unix and Samba) - (a replacement for the system passwd utility) -smbldap-populate.pl : to add a builtin ldif to initialize your LDAP master for - smbldap use, or to add a specified ldif -smbldap-tools.spec : SPEC file for RedHat RPM package format - -Migration: -=-=-=-=-=- -smbldap-migrate-accounts.pl : add NT sam entries from pwdump to ldap -smbldap-migrate-groups.pl : add any LDAP posixGroups from the output of the 'net group' NT command - -# - The End diff --git a/examples/LDAP/smbldap-tools/INFRASTRUCTURE b/examples/LDAP/smbldap-tools/INFRASTRUCTURE deleted file mode 100644 index e14ec70e02..0000000000 --- a/examples/LDAP/smbldap-tools/INFRASTRUCTURE +++ /dev/null 
@@ -1,93 +0,0 @@ -# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/INFRASTRUCTURE,v $ -# -## Some notes about the architecture - - -Global Architecture for smbdlap-tools -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - -smbldap-tools help you manage users and groups for Unix and Samba, -using LDAP. They may be used in any context, and are kept relatively -simplier enought to let you customize them to you needs. - -They need the following objectClasses to work: - . sambaAccount: from samba.schema for Samba 2.2 branch - . posixAccount and posixGroup : from nis.schema - . organizationalUnit and dcObject: from core.schema - -They will probably use in a near future some additional objectClasses -to support : - . mail features (sendmail/postfix/qmail/courier). - . conform to RFC2307 best practices (and so some maps too like merging - Netbios computers (sambaAccounts) with ipHosts - -For ease of visualization of the LDAP objects by human standards, we -used a DIT like this one : - . dc=IDEALX,dc=org : the company/organization suffix - . ou=Users : to store users accounts - . ou=Computers : to store computers accounts - . ou=Groups : to store system groups -Of course, you're free to use a different naming scheme and DIT (see -smbldap_conf.pm). - - -Built in groups initial population -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - -smbldap-populate.pl populate the LDAP directory with some built in groups -using gidNumber according to Well Know RID of Windows NT4 Srv. In fact, As -far a Samba 2.2.x is concerned, only the 'Domain Admins' (gidNumber 512) have -real inpact on the Samba and Windows population. To activate this group as -the Domain Administrators Group, use the following smb.conf directive (see -man smb.conf for more): - - domain admin group = " @"Domain Admins" " - -However, to make pdb_ldap accept bind without being uid=0, a quick and -dirty patch must be applied to 2.2.4 (see samba-2.2.4-ldapbindnotuid0.patch). 
-This patch is Q&D because the check is there because Samba store admin -credentials to establish the LDAP connection. The uid == 0 check was to -ensure that a normal user could not get write access to the LDAP backend. -A more logical situation should be done for 2.2.5 by checking if the user -is a member of the domain admin group (reported to Jerremy and Gerald -2002-05-28). - -Other built in groups are really cosmetic ones with Samba 2.2.x. We did not -removed them because one of these days, we whish to use Samba 3.0 where -Windows Group Support should be operational. - -Why these specific gidNumbers ? -It's about unix/windows mapping of numerical ids with Samba. Ids below 1024 -are NT special ids. In fact, 512 is the RID (Windows uid/gid) for the -"Domain Administrators" NT group. The magic number is found in Samba sources -and possibly other Samba/Windows documentations. - -The goal is to have a set of Unix users who are Domain Administrators and can -modify Samba datas (eg. LDAP content), with commandline tools or within -Windows via Samba. - -Say you want to add a NT4 ws to an NT domain (controlled by a samba/ldap -server). You give the domain administrator's login and password in the -appropriate ws settings, then the ws contacts the samba server, which checks -the credentials and use them as unix user to run the smbldap-tools (if I -remember). Giving 512 as a RID to a LDAP entry marks it as a domain admin -for Samba (thus Windows). Using nss_ldap, you also have an account with -gid 512. - - -Known BUGS and WORKAROUND used -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - -The 2.2.2 has at least a bug : rid/primaryGroupID are read as hex in LDAP, -but written as decimal. Fixed in CVS by reading as decimal. By default -smbldap-useradd.pl writes decimal to LDAP. Use -x to support the odd -behaviour. - -The samba-2.2.4-ldapbindnotuid0.patch is not a perfect solution however -as the check is there because Samba store admin credentials to establish the -LDAP connection. 
The uid == 0 check was to ensure that a normal user could -not get write access to the LDAP backend. A more logical situation should be -done for 2.2.5 by checking if the user is a member of the domain admin group -(reported to Jerremy and Gerald 2002-05-28). - -# - The End diff --git a/examples/LDAP/smbldap-tools/INSTALL b/examples/LDAP/smbldap-tools/INSTALL deleted file mode 100644 index f4c72751a7..0000000000 --- a/examples/LDAP/smbldap-tools/INSTALL +++ /dev/null @@ -1,28 +0,0 @@ -# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/INSTALL,v $ -# -## How To Install SMBLDAP-TOOLS - -Quick & Dirty: -=-=-=-=-=-=-=- - . Copy all those scripts in /usr/local/sbin/ - . Modify smbldap_conf.pm to match your configuration - . If not already done : "smbpasswd -w secret" to set up - the ldap admin password in secrets.tdb - . Either add /usr/local/sbin in $PERLLIB or run the scripts - from this directory, or make a symlink from /usr/local/sbin/*.pm - to /usr/lib/perl5/. - . to allow a domain admin to add user using "add user script" in smb.conf : - chmod 753 smbldap_conf.pm - chmod 750 smbldap-useradd.pl - chgrp 512 smbldap_conf.pm smbldap-useradd.pl (512 = 0x200 = Domain Admins) - Have your admin belong to this group - In smb.conf : domain admin group = " @"Domain Admins" " - -RedHat RPM: -=-=-=-=-=-= -Install smbldap-tools-0.7-1.i386.rpm -Modify /usr/local/sbin/smbldap_conf.pm to match you configuration -If not already done : "smbpasswd -w secret" to set up -the ldap admin password in secrets.tdb - -# - The End diff --git a/examples/LDAP/smbldap-tools/Makefile b/examples/LDAP/smbldap-tools/Makefile deleted file mode 100644 index 783a3571a9..0000000000 --- a/examples/LDAP/smbldap-tools/Makefile +++ /dev/null 
@@ -1,35 +0,0 @@
-PACKAGE=smbldap-tools
-RELEASE=0.8.2-1
-DESTDIR = $(PACKAGE)-$(RELEASE)
-
-dist: distclean $(DESTDIR).tgz
-
-$(DESTDIR).tgz: .diststamp
- rm -rf $(DESTDIR)
- mkdir $(DESTDIR)
- # copy files
- cp CONTRIBUTORS $(DESTDIR)
- cp COPYING $(DESTDIR)
- cp ChangeLog $(DESTDIR)
- cp FILES $(DESTDIR)
- cp INSTALL $(DESTDIR)
- cp README $(DESTDIR)
- cp TODO $(DESTDIR)
- cp INFRASTRUCTURE $(DESTDIR)
- tar cf mkntpwd.tar mkntpwd
- gzip mkntpwd.tar
- cp mkntpwd.tar.gz $(DESTDIR)
- cp smbldap-*.pl $(DESTDIR)
- cp smbldap_*.pm $(DESTDIR)
- # copy directories
- tar cvzf $(DESTDIR).tgz $(DESTDIR)
- rm -rf $(DESTDIR)
- touch .diststamp
-
-.diststamp:
-
-distclean:
- rm -f *~
- rm -f $(DESTDIR).tgz
- rm -f mkntpwd.tar.gz
-
diff --git a/examples/LDAP/smbldap-tools/README b/examples/LDAP/smbldap-tools/README
deleted file mode 100644
index add0175c0c..0000000000
--- a/examples/LDAP/smbldap-tools/README
+++ /dev/null
@@ -1,87 +0,0 @@ -# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/README,v $ -# - -Latest version may be found at http://samba.idealx.org/ - - -What those tools are for? -=-=-=-=-=-=-=-=-=-=-=-=-= - -A collection of scripts, over user{add,del,mod} and group{add,del,mod} -system tools to manipulate users and groups stored in LDAP directory, -for DEN system like SAMBA-LDAP and pam/nss_ldap systems. - -Additionnaly, some scripts are designed to ease your migration from -a Windows NT 4.0 PDC Server to a Samba-LDAP PDC Server (Killer?;-): -smbldap-populate, smbldap-migrate-groups, smbldap-migrate-accounts. - -They are currently used with Samba 2.2.4, therefore you may (will) have -to make some fixes for Samba TNG and Samba 3.0. Hint: contribs welcome :) - -In the future, some other function may come (like backup and restore, -Novell migration tools, samba system activity report, dealing with -mail functions, compliance to RFC2307...): consult TODO. - - -What do SMBLDAP-TOOLS provide? -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -Those tools provide the following functions : - . populate LDAP database with a basic LDIF - . add a user or group - . delete a user or group - . modify all users or groups data (all attributes types stored in - posixAccount and sambaAccount object class) -Taking care of : - . staying compatible with all standard system tools options - (user/group{add,del,mod}) - . be extensible for future developments - (manipulation of shadow account options, for example) - . error management, in the way system tools do -Constraints : - . usage of PERL (portability) - . all options must be placed in an external configuration file - . english localization - -The current release uses the "mkntpwd" program, in mkntpwd.tar.gz -in the current directory. It comes from -http://www.demog.berkeley.edu/~aperrin/tips/src/mkntpwd.tar.gz -It allows to not use smbpasswd (if $with_smbpasswd == 0 in smbldap_conf.pm) - -What do SMBLDAP-TOOLS deliver? 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -Contents : - . scripts (see FILES) - . user documentation in pod format, included in the sources - (or just use the -? option) - -These tools aim at delivering the same functionality as the corresponding -system tools. However they may not be all implemented yet. -Current limitations : - . no shadow support - . cannot change uid with usermod - . no UTF-8 support (thus ASCII-7 only) - - -How to generate documentation? -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -Just issue the following command: - perldoc name_of_script.pl (ex: perldoc smbldap-useradd.pl) - -Where can I find the latest release of those scripts? -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - -Just fire any web browser to http://samba.IDEALX.org/ -and/or contact samba@IDEALX.org - -Additionnaly, you will find an useful Webmin module -at http://webmin.IDEALX.org/ if interested in a graphical -user interface to manager user and groups accounts via Webmin -for your Samba+LDAP PDC. - -Let us know if these tools helped you, or if we should enhance -them with some functions you want them to support. - -Sincerly, - LEM - -# - The End diff --git a/examples/LDAP/smbldap-tools/TODO b/examples/LDAP/smbldap-tools/TODO deleted file mode 100644 index 71e6695299..0000000000 --- a/examples/LDAP/smbldap-tools/TODO +++ /dev/null 
@@ -1,28 +0,0 @@ -# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/TODO,v $ -# -## TODO list - First In, Last in the list... -## (BF: Bug Report / FR: Feature Request) - - -FR * add 'LDAP port' for both slave and master LDAP server in smbldap_conf.pm -FR * use RFC2307 best practices (Luke, next time you visit Paris, have a - beer at IDEALX'cantina ;-) -FR * add mail (sendmail/postfix/qmail/courier) support -FR * bugfix, really : allow non-root users to change passwd - (currently the config must be unreadable because of bindpasswd) -FR * make smbldap-tools to use system configuration files - (/etc/login.defs and /etc/ldap.conf for example) -FR * rewrite smbldap-tools using perl-ldap. In fact, this 0.x - release use ldap system tools (ldapadd,ldapdelete,ldapmodify) -FR * add shadowAccounts manipulation support -FR * internationalize the SMBLDAP-TOOLS -FR * add smbldap-sar : Samba System Activity Report to help - supporting Samba/LDAP sysadmin activity -FR * add smbldap-backup/smbldap-restore to backup and restore - a SAM (in LDAP) database. No sorcery, just LDIF, but usefull - for non-LDAP gurus -FR * adding migration tools from migration from W2K and NetWare to Samba-LDAP -FR * adapt smbldap-tools to use Samba 3.0 - - -# - The End diff --git a/examples/LDAP/smbldap-tools/cgi/README b/examples/LDAP/smbldap-tools/cgi/README deleted file mode 100644 index 7a4fc0c02b..0000000000 --- a/examples/LDAP/smbldap-tools/cgi/README +++ /dev/null 
@@ -1,27 +0,0 @@ -Description: - A cgi to allow users to change their passwords via a web browser. - -Installation: - Drop this into a cgi-enabled directory on your webserver. - Edit it and change the CONFIGURATION section to suit your environment. - READ THE NOTES SECTION. - -Notes: This script will run as the user who runs your web server. So, to invoke the smbpasswd call, you must implement sudo. - Example of /etc/sudoers: - - # Host alias specification - # User alias specification - User_Alias PASSWD = apache - # Cmnd alias specification - Cmnd_Alias PASSWD = /usr/bin/smbpasswd - # User privilege specification - root ALL=(ALL) ALL - PASSWD ALL= NOPASSWD: PASSWD - - This concept is probably very insecure and broken. That is why this is a 0.1 release. :) - - -Feel free to drop me suggestions. I am a perl learner so I am always open to suggestions. - -Terry Davis -tdavis@approbation.org diff --git a/examples/LDAP/smbldap-tools/cgi/ldappass.cgi b/examples/LDAP/smbldap-tools/cgi/ldappass.cgi deleted file mode 100755 index 4a5ecb8f3a..0000000000 --- a/examples/LDAP/smbldap-tools/cgi/ldappass.cgi +++ /dev/null 
@@ -1,202 +0,0 @@ -#!/usr/bin/perl - -################################################################################ -# -# changepass.pl - A program to allow users to change their passwords -# via a web browser. -# Terry Davis -# -# URLs -# Net::LDAP - http:// -# usermod and this file - http://www.cloudamster.com/cloudmaster/projects -# -# Release History: -# Version 0.1 - initial write -# -# ToDo: -# ... the ToDo section is on the ToDo list... -# -# Limitations: -# The password cannot contain single and double quotes.....welcome to quoting hell.... -# -# Notes: -# This code is largely based on work done by Danny Sauer - http://www.cloudamster.com/cloudmaster/projects -# His work is not licensed and is marked as 'freely distributable'. -# Thank you to Danny for his hard work on the initial work. -# -################################################################################ - -use CGI qw(:standard); -use Net::LDAP; - -# CONFIGURATION SECTION -$masterLDAP = "ldap.idealx.org"; -$basedn = "dc=IDEALX,dc=org"; -$masterPw = ""; -$masterDN = "cn=manager,$basedn"; -$ldap_path = "/usr/bin"; -$ldap_opts = "-x"; -$ldappasswd = "$ldap_path/ldappasswd $ldap_opts -h $masterLDAP -D '$masterDN' -w '$masterPw'"; -$usersdn = "ou=Users,$basedn"; -# END CONFIGURATION - - - -# DONT EDIT ANYTHING BELOW THIS LINE -$logtag = "Login:"; -$passtag = "Current password:"; -$npasstag1 = "New password:"; -$npasstag2 = "Retype new pasword:"; -$error = ""; -$color = ""; -$stopcolor = ""; - -if(param()){ - nologin() unless ($username = param('login')); - nopass() unless ($oldpass = param('oldpass')); - nonewpass(1) unless ($newpass1 = param('newpass')); - nonewpass(2) unless ($newpass2 = param('newpass2')); - verifyuser($username) or die "bad user"; - verifypass($username, $oldpass) or die "bad pass"; - testnewpass($newpass1, $newpass2) or die "bad new pass"; - changepass($username, $newpass1) or die "couldn't change pass"; - printsuccess(); -}else{ - printpage(); -} -exit(0); - -sub 
verifyuser{ - local $user = shift; - $ldap = Net::LDAP->new($masterLDAP) or die "can't make new LDAP object: $@"; - $ldap->bind(); - if (0 < $ldap->search(base => $basedn, filter => "(uid=$user)")->count){ - return 1; - } - $logtag = $color . $logtag . $color; - $error = "No such user"; - printpage(); - return 0; -} - -sub verifypass{ - $uid = shift; - $pass = shift; - $ldap = Net::LDAP->new($masterLDAP) or die "can't make new LDAP object: $@"; - $binddn = "uid=$uid,ou=People,$basedn"; - return 1 if($ldap->bind( $binddn, password => $pass)->code == 0); - if($ldap->bind()){ - $passtag = $color . $passtag . $color; - $error = "Incorrect password"; - printpage(); - return 0; - }else{ - print header, start_html(-title=>"LDAP dead"); - print h2("
The LDAP server is temporarily unavailable."), - p,"Please try again later
"; - return 0; - }die "Something (or someone) is defective, contact your friendly Systems Administrator"; -} - -sub testnewpass{ - $p1 = shift; $p2 = shift; - if ($p1 ne $p2){ - $npasstag1 = $color . $npasstag1 . $color; - $npasstag2 = $color . $npasstag2 . $color; - $error = "Passwords don't match ($p1 vs $p2)"; - printpage(); - return 0; - } - if ($p1 =~ /"/ ){ - $npasstag1 = $color . $npasstag1 . $color; - $npasstag2 = $color . $npasstag2 . $color; - $error = "Passwords cannot contain double quotes. Sorry"; - printpage(); - return 0; - } - if ($p1 =~ /'/ ){ - $npasstag1 = $color . $npasstag1 . $color; - $npasstag2 = $color . $npasstag2 . $color; - $error = "Passwords cannot contain single quotes. Sorry"; - printpage(); - return 0; - } - return 1; -} - -sub changepass{ - local $user = shift; - local $newpass = shift; - local $dn = "uid=$user,$usersdn"; - system "$ldappasswd $dn -s '$newpass' > /dev/null"; - `/usr/bin/sudo /usr/bin/smbpasswd $user "$newpass"`; - exit(1); -} - -sub nologin{ - $logtag = $color . $logtag . $color; - $error = "You need to enter a Login Name"; - printpage(); - exit(1); -} - -sub nopass{ - $passtag = $color . $passtag . $color; - $error = "Please enter your old password"; - printpage(); - exit(1); -} - -sub nonewpass{ - $f=shift; - $npasstag1 = $color . $npasstag1 . $color if($f==1); - $npasstag2 = $color . $npasstag2 . $color if($f==2); - $error = "You need to enter your new password"; - $error .= " twice" if($f==2); - printpage(); - exit(1); -} - -sub printpage{ - print header, - start_html(-title=> "Password Change Page", - -author=> 'tdavis@birddog.com', - -BGCOLOR=> 'WHITE'), - h3('Password Change Page'), - startform(-method=>'POST'), - "", - "", - "
", - $logtag, - "", - textfield(-name=>'login', -default=>$login, - -size=>15, -maxlength=>20), - "
", - $passtag, - "", - password_field(-name=>'oldpass', -size=>15, -maxlength=>25), - "
", - $npasstag1, - "", - password_field(-name=>'newpass', -size=>15, -maxlength=>25), - "
", - $npasstag2, - "", - password_field(-name=>'newpass2', -size=>15, -maxlength=>25), - "
", - submit(-name=>"change"),reset(), - "
", - "", - endform(), - "$error", - end_html; -} - -sub printsuccess(){ - print header, - start_html(-title=> "Success", - -BGCOLOR=> 'WHITE'), - h1("Password Succesfully Changed"), - "
", - end_html; -} diff --git a/examples/LDAP/smbldap-tools/mkntpwd/Makefile b/examples/LDAP/smbldap-tools/mkntpwd/Makefile deleted file mode 100644 index 23c9d471b0..0000000000 --- a/examples/LDAP/smbldap-tools/mkntpwd/Makefile +++ /dev/null @@ -1,62 +0,0 @@ -# Makefile for l0phtcrack - mudge@l0pht.com 11/1/96 - -# C compiler -#CC=cc -CC=gcc - -# Uncomment the following to add symbols to the code for debugging -#DEBUG=-g -Wall -D_DEBUG -#DEBUG=-D_DEBUG - -# Optimization for the compiler -#OPTIMIZE= -OPTIMIZE=-O2 - -# Choose your architecture -# note that if you are on a big-endian machine like SUN's -# I haven't tweaked the mem-cmp's and md4 stuff to be in -# the correct order yet. You're on your own right now. -# -# FreeBSD -ARCH=-DMPU8086 -STATIC= -XLIBS= -# -# SUNOS -#ARCH=-DBIGENDIAN -#STATIC= -#OPTIMIZE=-O2 -#XLIBS= -# -# ULTRA_SPARC w/ native compiler -#ARCH=-DBIGENDIAN -#STATIC= -#OPTIMIZE=-fast -xO4 -xdepend -xchip=ultra -xarch=v8plus -#XLIBS= -# -# SunOS/Solaris w/gcc -#ARCH=-DBIGENDIAN -DTEST -#STATIC= -#OPTIMIZE=-O2 -#XLIBS= -# -# NeXTStep 3.2 -#CC=cc -#ARCH=-DBIGENDIAN -#STATIC=-Bstatic -#OPTIMIZE= -#XLIBS= - -CFLAGS= $(DEBUG) $(OPTIMIZE) $(ARCH) $(VISUAL) $(PERMUTE) $(STATIC) - -OBJS = getopt.o md4.o mkntpwd.o smbdes.o - -mkntpwd: $(OBJS) - $(CC) $(CFLAGS) $(XLIBS) -o mkntpwd $(OBJS) - -clean: - rm -f core *.o mkntpwd - -install: mkntpwd - install -m 555 mkntpwd $(PREFIX)/sbin/mkntpwd - diff --git a/examples/LDAP/smbldap-tools/mkntpwd/getopt.c b/examples/LDAP/smbldap-tools/mkntpwd/getopt.c deleted file mode 100644 index 5b2e7a9100..0000000000 --- a/examples/LDAP/smbldap-tools/mkntpwd/getopt.c +++ /dev/null 
@@ -1,756 +0,0 @@ -/* Getopt for GNU. - NOTE: getopt is now part of the C library, so if you don't know what - "Keep this file name-space clean" means, talk to roland@gnu.ai.mit.edu - before changing it! - - Copyright (C) 1987, 88, 89, 90, 91, 92, 93, 94 - Free Software Foundation, Inc. - -This file is part of the GNU C Library. Its master source is NOT part of -the C library, however. The master source lives in /gd/gnu/lib. - -The GNU C Library is free software; you can redistribute it and/or -modify it under the terms of the GNU Library General Public License as -published by the Free Software Foundation; either version 2 of the -License, or (at your option) any later version. - -The GNU C Library is distributed in the hope that it will be useful, -but WITHOUT ANY WARRANTY; without even the implied warranty of -MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -Library General Public License for more details. - -You should have received a copy of the GNU Library General Public -License along with the GNU C Library; see the file COPYING.LIB. If -not, write to the Free Software Foundation, Inc., 675 Mass Ave, -Cambridge, MA 02139, USA. */ - -/* This tells Alpha OSF/1 not to define a getopt prototype in . - Ditto for AIX 3.2 and . */ -#ifndef _NO_PROTO -#define _NO_PROTO -#endif - -#ifdef HAVE_CONFIG_H -#include -#endif - -#if !defined (__STDC__) || !__STDC__ -/* This is a separate conditional since some stdc systems - reject `defined (const)'. */ -#ifndef const -#define const -#endif -#endif - -#include - -#ifdef WIN32 -#include -#endif - -/* Comment out all this code if we are using the GNU C Library, and are not - actually compiling the library itself. This code is part of the GNU C - Library, but also included in many other GNU distributions. Compiling - and linking in this code is a waste when using the GNU C library - (especially if it is a shared library). 
Rather than having every GNU - program understand `configure --with-gnu-libc' and omit the object files, - it is simpler to just do this in the source for each such file. */ - -#if defined (_LIBC) || !defined (__GNU_LIBRARY__) - - -/* This needs to come after some library #include - to get __GNU_LIBRARY__ defined. */ -#ifdef __GNU_LIBRARY__ -/* Don't include stdlib.h for non-GNU C libraries because some of them - contain conflicting prototypes for getopt. */ -#include -#endif /* GNU C library. */ - -/* This version of `getopt' appears to the caller like standard Unix `getopt' - but it behaves differently for the user, since it allows the user - to intersperse the options with the other arguments. - - As `getopt' works, it permutes the elements of ARGV so that, - when it is done, all the options precede everything else. Thus - all application programs are extended to handle flexible argument order. - - Setting the environment variable POSIXLY_CORRECT disables permutation. - Then the behavior is completely standard. - - GNU application programs can use a third alternative mode in which - they can distinguish the relative order of options and other arguments. */ - -#include "getopt.h" - -/* For communication from `getopt' to the caller. - When `getopt' finds an option that takes an argument, - the argument value is returned here. - Also, when `ordering' is RETURN_IN_ORDER, - each non-option ARGV-element is returned here. */ - -char *optarg = NULL; - -/* Index in ARGV of the next element to be scanned. - This is used for communication to and from the caller - and for communication between successive calls to `getopt'. - - On entry to `getopt', zero means this is the first call; initialize. - - When `getopt' returns EOF, this is the index of the first of the - non-option elements that the caller should itself scan. - - Otherwise, `optind' communicates from one call to the next - how much of ARGV has been scanned so far. 
*/ - -/* XXX 1003.2 says this must be 1 before any call. */ -int optind = 0; - -/* The next char to be scanned in the option-element - in which the last option character we returned was found. - This allows us to pick up the scan where we left off. - - If this is zero, or a null string, it means resume the scan - by advancing to the next ARGV-element. */ - -static char *nextchar; - -/* Callers store zero here to inhibit the error message - for unrecognized options. */ - -int opterr = 1; - -/* Set to an option character which was unrecognized. - This must be initialized on some systems to avoid linking in the - system's own getopt implementation. */ - -int optopt = '?'; - -/* Describe how to deal with options that follow non-option ARGV-elements. - - If the caller did not specify anything, - the default is REQUIRE_ORDER if the environment variable - POSIXLY_CORRECT is defined, PERMUTE otherwise. - - REQUIRE_ORDER means don't recognize them as options; - stop option processing when the first non-option is seen. - This is what Unix does. - This mode of operation is selected by either setting the environment - variable POSIXLY_CORRECT, or using `+' as the first character - of the list of option characters. - - PERMUTE is the default. We permute the contents of ARGV as we scan, - so that eventually all the non-options are at the end. This allows options - to be given in any order, even with programs that were not written to - expect this. - - RETURN_IN_ORDER is an option available to programs that were written - to expect options and other ARGV-elements in any order and that care about - the ordering of the two. We describe each non-option ARGV-element - as if it were the argument of an option with character code 1. - Using `-' as the first character of the list of option characters - selects this mode of operation. - - The special argument `--' forces an end of option-scanning regardless - of the value of `ordering'. 
In the case of RETURN_IN_ORDER, only - `--' can cause `getopt' to return EOF with `optind' != ARGC. */ - -static enum -{ - REQUIRE_ORDER, PERMUTE, RETURN_IN_ORDER -} ordering; - -/* Value of POSIXLY_CORRECT environment variable. */ -static char *posixly_correct; - -#ifdef __GNU_LIBRARY__ -/* We want to avoid inclusion of string.h with non-GNU libraries - because there are many ways it can cause trouble. - On some systems, it contains special magic macros that don't work - in GCC. */ -#include -#define my_index strchr -#else - -/* Avoid depending on library functions or files - whose names are inconsistent. */ - -char *getenv (); - -static char * -my_index (str, chr) - const char *str; - int chr; -{ - while (*str) - { - if (*str == chr) - return (char *) str; - str++; - } - return 0; -} - -/* If using GCC, we can safely declare strlen this way. - If not using GCC, it is ok not to declare it. */ -#ifdef __GNUC__ -/* Note that Motorola Delta 68k R3V7 comes with GCC but not stddef.h. - That was relevant to code that was here before. */ -#if !defined (__STDC__) || !__STDC__ -/* gcc with -traditional declares the built-in strlen to return int, - and has done so at least since version 2.4.5. -- rms. */ -extern int strlen (const char *); -#endif /* not __STDC__ */ -#endif /* __GNUC__ */ - -#endif /* not __GNU_LIBRARY__ */ - -/* Handle permutation of arguments. */ - -/* Describe the part of ARGV that contains non-options that have - been skipped. `first_nonopt' is the index in ARGV of the first of them; - `last_nonopt' is the index after the last of them. */ - -static int first_nonopt; -static int last_nonopt; - -/* Exchange two adjacent subsequences of ARGV. - One subsequence is elements [first_nonopt,last_nonopt) - which contains all the non-options that have been skipped so far. - The other is elements [last_nonopt,optind), which contains all - the options processed since those non-options were skipped. 
- - `first_nonopt' and `last_nonopt' are relocated so that they describe - the new indices of the non-options in ARGV after they are moved. */ - -static void -exchange (argv) - char **argv; -{ - int bottom = first_nonopt; - int middle = last_nonopt; - int top = optind; - char *tem; - - /* Exchange the shorter segment with the far end of the longer segment. - That puts the shorter segment into the right place. - It leaves the longer segment in the right place overall, - but it consists of two parts that need to be swapped next. */ - - while (top > middle && middle > bottom) - { - if (top - middle > middle - bottom) - { - /* Bottom segment is the short one. */ - int len = middle - bottom; - register int i; - - /* Swap it with the top part of the top segment. */ - for (i = 0; i < len; i++) - { - tem = argv[bottom + i]; - argv[bottom + i] = argv[top - (middle - bottom) + i]; - argv[top - (middle - bottom) + i] = tem; - } - /* Exclude the moved bottom segment from further swapping. */ - top -= len; - } - else - { - /* Top segment is the short one. */ - int len = top - middle; - register int i; - - /* Swap it with the bottom part of the bottom segment. */ - for (i = 0; i < len; i++) - { - tem = argv[bottom + i]; - argv[bottom + i] = argv[middle + i]; - argv[middle + i] = tem; - } - /* Exclude the moved top segment from further swapping. */ - bottom += len; - } - } - - /* Update records for the slots the non-options now occupy. */ - - first_nonopt += (optind - last_nonopt); - last_nonopt = optind; -} - -/* Initialize the internal data when the first call is made. */ - -static const char * -_getopt_initialize (optstring) - const char *optstring; -{ - /* Start processing options with ARGV-element 1 (since ARGV-element 0 - is the program name); the sequence of previously skipped - non-option ARGV-elements is empty. 
*/ - - first_nonopt = last_nonopt = optind = 1; - - nextchar = NULL; - - posixly_correct = getenv ("POSIXLY_CORRECT"); - - /* Determine how to handle the ordering of options and nonoptions. */ - - if (optstring[0] == '-') - { - ordering = RETURN_IN_ORDER; - ++optstring; - } - else if (optstring[0] == '+') - { - ordering = REQUIRE_ORDER; - ++optstring; - } - else if (posixly_correct != NULL) - ordering = REQUIRE_ORDER; - else - ordering = PERMUTE; - - return optstring; -} - -/* Scan elements of ARGV (whose length is ARGC) for option characters - given in OPTSTRING. - - If an element of ARGV starts with '-', and is not exactly "-" or "--", - then it is an option element. The characters of this element - (aside from the initial '-') are option characters. If `getopt' - is called repeatedly, it returns successively each of the option characters - from each of the option elements. - - If `getopt' finds another option character, it returns that character, - updating `optind' and `nextchar' so that the next call to `getopt' can - resume the scan with the following option character or ARGV-element. - - If there are no more option characters, `getopt' returns `EOF'. - Then `optind' is the index in ARGV of the first ARGV-element - that is not an option. (The ARGV-elements have been permuted - so that those that are not options now come last.) - - OPTSTRING is a string containing the legitimate option characters. - If an option character is seen that is not listed in OPTSTRING, - return '?' after printing an error message. If you set `opterr' to - zero, the error message is suppressed but we still return '?'. - - If a char in OPTSTRING is followed by a colon, that means it wants an arg, - so the following text in the same ARGV-element, or the text of the following - ARGV-element, is returned in `optarg'. Two colons mean an option that - wants an optional arg; if there is text in the current ARGV-element, - it is returned in `optarg', otherwise `optarg' is set to zero. 
- - If OPTSTRING starts with `-' or `+', it requests different methods of - handling the non-option ARGV-elements. - See the comments about RETURN_IN_ORDER and REQUIRE_ORDER, above. - - Long-named options begin with `--' instead of `-'. - Their names may be abbreviated as long as the abbreviation is unique - or is an exact match for some defined option. If they have an - argument, it follows the option name in the same ARGV-element, separated - from the option name by a `=', or else the in next ARGV-element. - When `getopt' finds a long-named option, it returns 0 if that option's - `flag' field is nonzero, the value of the option's `val' field - if the `flag' field is zero. - - The elements of ARGV aren't really const, because we permute them. - But we pretend they're const in the prototype to be compatible - with other systems. - - LONGOPTS is a vector of `struct option' terminated by an - element containing a name which is zero. - - LONGIND returns the index in LONGOPT of the long-named option found. - It is only valid when a long-named option has been found by the most - recent call. - - If LONG_ONLY is nonzero, '-' as well as '--' can introduce - long-named options. */ - -int -_getopt_internal (argc, argv, optstring, longopts, longind, long_only) - int argc; - char *const *argv; - const char *optstring; - const struct option *longopts; - int *longind; - int long_only; -{ - optarg = NULL; - - if (optind == 0) - optstring = _getopt_initialize (optstring); - - if (nextchar == NULL || *nextchar == '\0') - { - /* Advance to the next ARGV-element. */ - - if (ordering == PERMUTE) - { - /* If we have just processed some options following some non-options, - exchange them so that the options come first. */ - - if (first_nonopt != last_nonopt && last_nonopt != optind) - exchange ((char **) argv); - else if (last_nonopt != optind) - first_nonopt = optind; - - /* Skip any additional non-options - and extend the range of non-options previously skipped. 
*/ - - while (optind < argc - && (argv[optind][0] != '-' || argv[optind][1] == '\0')) - optind++; - last_nonopt = optind; - } - - /* The special ARGV-element `--' means premature end of options. - Skip it like a null option, - then exchange with previous non-options as if it were an option, - then skip everything else like a non-option. */ - - if (optind != argc && !strcmp (argv[optind], "--")) - { - optind++; - - if (first_nonopt != last_nonopt && last_nonopt != optind) - exchange ((char **) argv); - else if (first_nonopt == last_nonopt) - first_nonopt = optind; - last_nonopt = argc; - - optind = argc; - } - - /* If we have done all the ARGV-elements, stop the scan - and back over any non-options that we skipped and permuted. */ - - if (optind == argc) - { - /* Set the next-arg-index to point at the non-options - that we previously skipped, so the caller will digest them. */ - if (first_nonopt != last_nonopt) - optind = first_nonopt; - return EOF; - } - - /* If we have come to a non-option and did not permute it, - either stop the scan or describe it to the caller and pass it by. */ - - if ((argv[optind][0] != '-' || argv[optind][1] == '\0')) - { - if (ordering == REQUIRE_ORDER) - return EOF; - optarg = argv[optind++]; - return 1; - } - - /* We have found another option-ARGV-element. - Skip the initial punctuation. */ - - nextchar = (argv[optind] + 1 - + (longopts != NULL && argv[optind][1] == '-')); - } - - /* Decode the current option-ARGV-element. */ - - /* Check whether the ARGV-element is a long option. - - If long_only and the ARGV-element has the form "-f", where f is - a valid short option, don't consider it an abbreviated form of - a long option that starts with f. Otherwise there would be no - way to give the -f short option. - - On the other hand, if there's a long option "fubar" and - the ARGV-element is "-fu", do consider that an abbreviation of - the long option, just like "--fu", and not "-f" with arg "u". 
- - This distinction seems to be the most useful approach. */ - - if (longopts != NULL - && (argv[optind][1] == '-' - || (long_only && (argv[optind][2] || !my_index (optstring, argv[optind][1]))))) - { - char *nameend; - const struct option *p; - const struct option *pfound = NULL; - int exact = 0; - int ambig = 0; - int indfound = 0; /* set to zero by Anton */ - int option_index; - - for (nameend = nextchar; *nameend && *nameend != '='; nameend++) - /* Do nothing. */ ; - - /* Test all long options for either exact match - or abbreviated matches. */ - for (p = longopts, option_index = 0; p->name; p++, option_index++) - if (!strncmp(p->name, nextchar, nameend - nextchar)) - { - if ((unsigned int)(nameend - nextchar) == (unsigned int)strlen (p->name)) - { - /* Exact match found. */ - pfound = p; - indfound = option_index; - exact = 1; - break; - } - else if (pfound == NULL) - { - /* First nonexact match found. */ - pfound = p; - indfound = option_index; - } - else - /* Second or later nonexact match found. */ - ambig = 1; - } - - if (ambig && !exact) - { - if (opterr) - fprintf (stderr, "%s: option `%s' is ambiguous\n", - argv[0], argv[optind]); - nextchar += strlen (nextchar); - optind++; - return '?'; - } - - if (pfound != NULL) - { - option_index = indfound; - optind++; - if (*nameend) - { - /* Don't test has_arg with >, because some C compilers don't - allow it to be used on enums. 
*/ - if (pfound->has_arg) - optarg = nameend + 1; - else - { - if (opterr) - { - if (argv[optind - 1][1] == '-') - /* --option */ - fprintf (stderr, - "%s: option `--%s' doesn't allow an argument\n", - argv[0], pfound->name); - else - /* +option or -option */ - fprintf (stderr, - "%s: option `%c%s' doesn't allow an argument\n", - argv[0], argv[optind - 1][0], pfound->name); - } - nextchar += strlen (nextchar); - return '?'; - } - } - else if (pfound->has_arg == 1) - { - if (optind < argc) - optarg = argv[optind++]; - else - { - if (opterr) - fprintf (stderr, "%s: option `%s' requires an argument\n", - argv[0], argv[optind - 1]); - nextchar += strlen (nextchar); - return optstring[0] == ':' ? ':' : '?'; - } - } - nextchar += strlen (nextchar); - if (longind != NULL) - *longind = option_index; - if (pfound->flag) - { - *(pfound->flag) = pfound->val; - return 0; - } - return pfound->val; - } - - /* Can't find it as a long option. If this is not getopt_long_only, - or the option starts with '--' or is not a valid short - option, then it's an error. - Otherwise interpret it as a short option. */ - if (!long_only || argv[optind][1] == '-' - || my_index (optstring, *nextchar) == NULL) - { - if (opterr) - { - if (argv[optind][1] == '-') - /* --option */ - fprintf (stderr, "%s: unrecognized option `--%s'\n", - argv[0], nextchar); - else - /* +option or -option */ - fprintf (stderr, "%s: unrecognized option `%c%s'\n", - argv[0], argv[optind][0], nextchar); - } - nextchar = (char *) ""; - optind++; - return '?'; - } - } - - /* Look at and handle the next short option-character. */ - - { - char c = *nextchar++; - char *temp = my_index (optstring, c); - - /* Increment `optind' when we start to process its last character. */ - if (*nextchar == '\0') - ++optind; - - if (temp == NULL || c == ':') - { - if (opterr) - { - if (posixly_correct) - /* 1003.2 specifies the format of this message. 
*/ - fprintf (stderr, "%s: illegal option -- %c\n", argv[0], c); - else - fprintf (stderr, "%s: invalid option -- %c\n", argv[0], c); - } - optopt = c; - return '?'; - } - if (temp[1] == ':') - { - if (temp[2] == ':') - { - /* This is an option that accepts an argument optionally. */ - if (*nextchar != '\0') - { - optarg = nextchar; - optind++; - } - else - optarg = NULL; - nextchar = NULL; - } - else - { - /* This is an option that requires an argument. */ - if (*nextchar != '\0') - { - optarg = nextchar; - /* If we end this ARGV-element by taking the rest as an arg, - we must advance to the next element now. */ - optind++; - } - else if (optind == argc) - { - if (opterr) - { - /* 1003.2 specifies the format of this message. */ - fprintf (stderr, "%s: option requires an argument -- %c\n", - argv[0], c); - } - optopt = c; - if (optstring[0] == ':') - c = ':'; - else - c = '?'; - } - else - /* We already incremented `optind' once; - increment it again when taking next ARGV-elt as argument. */ - optarg = argv[optind++]; - nextchar = NULL; - } - } - return c; - } -} - -int -getopt (argc, argv, optstring) - int argc; - char *const *argv; - const char *optstring; -{ - return _getopt_internal (argc, argv, optstring, - (const struct option *) 0, - (int *) 0, - 0); -} - -#endif /* _LIBC or not __GNU_LIBRARY__. */ - -#ifdef TEST - -/* Compile with -DTEST to make an executable for use in testing - the above definition of `getopt'. */ - -int -main (argc, argv) - int argc; - char **argv; -{ - int c; - int digit_optind = 0; - - while (1) - { - int this_option_optind = optind ? 
optind : 1; - - c = getopt (argc, argv, "abc:d:0123456789"); - if (c == EOF) - break; - - switch (c) - { - case '0': - case '1': - case '2': - case '3': - case '4': - case '5': - case '6': - case '7': - case '8': - case '9': - if (digit_optind != 0 && digit_optind != this_option_optind) - printf ("digits occur in two different argv-elements.\n"); - digit_optind = this_option_optind; - printf ("option %c\n", c); - break; - - case 'a': - printf ("option a\n"); - break; - - case 'b': - printf ("option b\n"); - break; - - case 'c': - printf ("option c with value `%s'\n", optarg); - break; - - case '?': - break; - - default: - printf ("?? getopt returned character code 0%o ??\n", c); - } - } - - if (optind < argc) - { - printf ("non-option ARGV-elements: "); - while (optind < argc) - printf ("%s ", argv[optind++]); - printf ("\n"); - } - - exit (0); -} - -#endif /* TEST */ diff --git a/examples/LDAP/smbldap-tools/mkntpwd/getopt.h b/examples/LDAP/smbldap-tools/mkntpwd/getopt.h deleted file mode 100644 index f3696d955d..0000000000 --- a/examples/LDAP/smbldap-tools/mkntpwd/getopt.h +++ /dev/null 
@@ -1,133 +0,0 @@ -/* Declarations for getopt. - Copyright (C) 1989, 90, 91, 92, 93, 94 Free Software Foundation, Inc. - -This file is part of the GNU C Library. Its master source is NOT part of -the C library, however. The master source lives in /gd/gnu/lib. - -The GNU C Library is free software; you can redistribute it and/or -modify it under the terms of the GNU Library General Public License as -published by the Free Software Foundation; either version 2 of the -License, or (at your option) any later version. - -The GNU C Library is distributed in the hope that it will be useful, -but WITHOUT ANY WARRANTY; without even the implied warranty of -MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -Library General Public License for more details. - -You should have received a copy of the GNU Library General Public -License along with the GNU C Library; see the file COPYING.LIB. If -not, write to the Free Software Foundation, Inc., 675 Mass Ave, -Cambridge, MA 02139, USA. */ - -#ifndef _GETOPT_H -#define _GETOPT_H 1 - -#ifdef __cplusplus -extern "C" { -#endif - -/* For communication from `getopt' to the caller. - When `getopt' finds an option that takes an argument, - the argument value is returned here. - Also, when `ordering' is RETURN_IN_ORDER, - each non-option ARGV-element is returned here. */ - -extern char *optarg; - -/* Index in ARGV of the next element to be scanned. - This is used for communication to and from the caller - and for communication between successive calls to `getopt'. - - On entry to `getopt', zero means this is the first call; initialize. - - When `getopt' returns EOF, this is the index of the first of the - non-option elements that the caller should itself scan. - - Otherwise, `optind' communicates from one call to the next - how much of ARGV has been scanned so far. */ - -extern int optind; - -/* Callers store zero here to inhibit the error message `getopt' prints - for unrecognized options. 
*/ - -extern int opterr; - -/* Set to an option character which was unrecognized. */ - -extern int optopt; - -/* Describe the long-named options requested by the application. - The LONG_OPTIONS argument to getopt_long or getopt_long_only is a vector - of `struct option' terminated by an element containing a name which is - zero. - - The field `has_arg' is: - no_argument (or 0) if the option does not take an argument, - required_argument (or 1) if the option requires an argument, - optional_argument (or 2) if the option takes an optional argument. - - If the field `flag' is not NULL, it points to a variable that is set - to the value given in the field `val' when the option is found, but - left unchanged if the option is not found. - - To have a long-named option do something other than set an `int' to - a compiled-in constant, such as set a value from `optarg', set the - option's `flag' field to zero and its `val' field to a nonzero - value (the equivalent single-letter option character, if there is - one). For long options that have a zero `flag' field, `getopt' - returns the contents of the `val' field. */ - -struct option -{ -#if defined (__STDC__) && __STDC__ - const char *name; -#else - char *name; -#endif - /* has_arg can't be an enum because some compilers complain about - type mismatches in all the code that assumes it is an int. */ - int has_arg; - int *flag; - int val; -}; - -/* Names for the values of the `has_arg' field of `struct option'. */ - -#define no_argument 0 -#define required_argument 1 -#define optional_argument 2 - -#if defined (__STDC__) && __STDC__ -#ifdef __GNU_LIBRARY__ -/* Many other libraries have conflicting prototypes for getopt, with - differences in the consts, in stdlib.h. To avoid compilation - errors, only prototype getopt for the GNU C library. 
*/ -extern int getopt (int argc, char *const *argv, const char *shortopts); -#else /* not __GNU_LIBRARY__ */ -extern int getopt (); -#endif /* __GNU_LIBRARY__ */ -extern int getopt_long (int argc, char *const *argv, const char *shortopts, - const struct option *longopts, int *longind); -extern int getopt_long_only (int argc, char *const *argv, - const char *shortopts, - const struct option *longopts, int *longind); - -/* Internal only. Users should not call this directly. */ -extern int _getopt_internal (int argc, char *const *argv, - const char *shortopts, - const struct option *longopts, int *longind, - int long_only); -#else /* not __STDC__ */ -extern int getopt (); -extern int getopt_long (); -extern int getopt_long_only (); - -extern int _getopt_internal (); -#endif /* __STDC__ */ - -#ifdef __cplusplus -} -#endif - -#endif /* _GETOPT_H */ diff --git a/examples/LDAP/smbldap-tools/mkntpwd/md4.c b/examples/LDAP/smbldap-tools/mkntpwd/md4.c deleted file mode 100644 index 1c9c2e6ecd..0000000000 --- a/examples/LDAP/smbldap-tools/mkntpwd/md4.c +++ /dev/null 
@@ -1,171 +0,0 @@ -/* - Unix SMB/Netbios implementation. - Version 1.9. - a implementation of MD4 designed for use in the SMB authentication protocol - Copyright (C) Andrew Tridgell 1997 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - - -/* NOTE: This code makes no attempt to be fast! - - It assumes that a int is at least 32 bits long -*/ - -typedef unsigned int uint32; - -static uint32 A, B, C, D; - -static uint32 F(uint32 X, uint32 Y, uint32 Z) -{ - return (X&Y) | ((~X)&Z); -} - -static uint32 G(uint32 X, uint32 Y, uint32 Z) -{ - return (X&Y) | (X&Z) | (Y&Z); -} - -static uint32 H(uint32 X, uint32 Y, uint32 Z) -{ - return X^Y^Z; -} - -static uint32 lshift(uint32 x, int s) -{ - x &= 0xFFFFFFFF; - return ((x<>(32-s)); -} - -#define ROUND1(a,b,c,d,k,s) a = lshift(a + F(b,c,d) + X[k], s) -#define ROUND2(a,b,c,d,k,s) a = lshift(a + G(b,c,d) + X[k] + (uint32)0x5A827999,s) -#define ROUND3(a,b,c,d,k,s) a = lshift(a + H(b,c,d) + X[k] + (uint32)0x6ED9EBA1,s) - -/* this applies md4 to 64 byte chunks */ -static void mdfour64(uint32 *M) -{ - int j; - uint32 AA, BB, CC, DD; - uint32 X[16]; - - for (j=0;j<16;j++) - X[j] = M[j]; - - AA = A; BB = B; CC = C; DD = D; - - ROUND1(A,B,C,D, 0, 3); ROUND1(D,A,B,C, 1, 7); - ROUND1(C,D,A,B, 2, 11); ROUND1(B,C,D,A, 3, 19); - ROUND1(A,B,C,D, 4, 3); ROUND1(D,A,B,C, 5, 7); - ROUND1(C,D,A,B, 6, 11); 
ROUND1(B,C,D,A, 7, 19); - ROUND1(A,B,C,D, 8, 3); ROUND1(D,A,B,C, 9, 7); - ROUND1(C,D,A,B, 10, 11); ROUND1(B,C,D,A, 11, 19); - ROUND1(A,B,C,D, 12, 3); ROUND1(D,A,B,C, 13, 7); - ROUND1(C,D,A,B, 14, 11); ROUND1(B,C,D,A, 15, 19); - - ROUND2(A,B,C,D, 0, 3); ROUND2(D,A,B,C, 4, 5); - ROUND2(C,D,A,B, 8, 9); ROUND2(B,C,D,A, 12, 13); - ROUND2(A,B,C,D, 1, 3); ROUND2(D,A,B,C, 5, 5); - ROUND2(C,D,A,B, 9, 9); ROUND2(B,C,D,A, 13, 13); - ROUND2(A,B,C,D, 2, 3); ROUND2(D,A,B,C, 6, 5); - ROUND2(C,D,A,B, 10, 9); ROUND2(B,C,D,A, 14, 13); - ROUND2(A,B,C,D, 3, 3); ROUND2(D,A,B,C, 7, 5); - ROUND2(C,D,A,B, 11, 9); ROUND2(B,C,D,A, 15, 13); - - ROUND3(A,B,C,D, 0, 3); ROUND3(D,A,B,C, 8, 9); - ROUND3(C,D,A,B, 4, 11); ROUND3(B,C,D,A, 12, 15); - ROUND3(A,B,C,D, 2, 3); ROUND3(D,A,B,C, 10, 9); - ROUND3(C,D,A,B, 6, 11); ROUND3(B,C,D,A, 14, 15); - ROUND3(A,B,C,D, 1, 3); ROUND3(D,A,B,C, 9, 9); - ROUND3(C,D,A,B, 5, 11); ROUND3(B,C,D,A, 13, 15); - ROUND3(A,B,C,D, 3, 3); ROUND3(D,A,B,C, 11, 9); - ROUND3(C,D,A,B, 7, 11); ROUND3(B,C,D,A, 15, 15); - - A += AA; B += BB; C += CC; D += DD; - - A &= 0xFFFFFFFF; B &= 0xFFFFFFFF; - C &= 0xFFFFFFFF; D &= 0xFFFFFFFF; - - for (j=0;j<16;j++) - X[j] = 0; -} - -static void copy64(uint32 *M, unsigned char *in) -{ - int i; - - for (i=0;i<16;i++) - M[i] = (in[i*4+3]<<24) | (in[i*4+2]<<16) | - (in[i*4+1]<<8) | (in[i*4+0]<<0); -} - -static void copy4(unsigned char *out,uint32 x) -{ - out[0] = x&0xFF; - out[1] = (x>>8)&0xFF; - out[2] = (x>>16)&0xFF; - out[3] = (x>>24)&0xFF; -} - -/* produce a md4 message digest from data of length n bytes */ -void mdfour(unsigned char *out, unsigned char *in, int n) -{ - unsigned char buf[128]; - uint32 M[16]; - uint32 b = n * 8; - int i; - - A = 0x67452301; - B = 0xefcdab89; - C = 0x98badcfe; - D = 0x10325476; - - while (n > 64) { - copy64(M, in); - mdfour64(M); - in += 64; - n -= 64; - } - - for (i=0;i<128;i++) - buf[i] = 0; - memcpy(buf, in, n); - buf[n] = 0x80; - - if (n <= 55) { - copy4(buf+56, b); - copy64(M, buf); - mdfour64(M); - } 
else { - copy4(buf+120, b); - copy64(M, buf); - mdfour64(M); - copy64(M, buf+64); - mdfour64(M); - } - - for (i=0;i<128;i++) - buf[i] = 0; - copy64(M, buf); - - copy4(out, A); - copy4(out+4, B); - copy4(out+8, C); - copy4(out+12, D); - - A = B = C = D = 0; -} - - diff --git a/examples/LDAP/smbldap-tools/mkntpwd/mkntpwd.c b/examples/LDAP/smbldap-tools/mkntpwd/mkntpwd.c deleted file mode 100644 index 0c7d61e134..0000000000 --- a/examples/LDAP/smbldap-tools/mkntpwd/mkntpwd.c +++ /dev/null 
@@ -1,253 +0,0 @@ -/* - This code is based on work from - L0phtcrack 1.5 06.02.97 mudge@l0pht.com - - The code also contains sources from: - . routines from the samba code source - md4.c smbdes.c - - Anton Roeckseisen (anton@genua.de) - -*/ - -/* - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "mkntpwd.h" - -void str_to_key(unsigned char *,unsigned char *); -void usage(char *); -int PutUniCode(char *dst,char *src); -void printlanhash(char *tmp); -void mdfour(unsigned char *out, unsigned char *in, int n); -void E_P16(unsigned char *p14,unsigned char *p16); - - -void main(int argc, char **argv) { - extern char *optarg; - int c; - - int printlan = 0; - char lanpwd[LMPASSWDLEN+1]; - int printnt = 0; - char inputfile[FILENAMEBUFFER+1] = ""; - FILE* InputFilePtr; - int just_pwd = 0; - int i; - char hashout[17]; - - char ntpasswd[NTPASSWDLEN+1]; - char *hold; - unsigned char *p16; - int uni_len; - char passwd[NTPASSWDLEN+1]; - - if (argc==1) - usage(argv[0]); - - if (argc==2) - just_pwd=1; - else - just_pwd=0; - - lanpwd[0] = '\0'; - ntpasswd[0] = '\0'; - - while ( (c = getopt(argc, argv, "L:N:f:")) != EOF){ - switch(c) { - case 'L': - printlan++; - strncpy(lanpwd,optarg,LMPASSWDLEN); - lanpwd[LMPASSWDLEN]='\0'; - for (i=0;i0 && passwd[strlen(passwd)-1]=='\n') - 
passwd[strlen(passwd)-1]='\0'; - - /* create LANMAN-password (shorter) */ - strncpy(lanpwd,passwd,LMPASSWDLEN); - lanpwd[LMPASSWDLEN]='\0'; - for (i=0;i1 && just_pwd==1) { - strncpy(lanpwd,argv[1],LMPASSWDLEN); - lanpwd[LMPASSWDLEN]='\0'; - for (i=0;i0) { - memset(hashout,'\0',17); - E_P16((uchar *)lanpwd,hashout); - printlanhash(hashout); - } - - if (printnt >0) { - - if (printlan>0) printf(":"); - - memset(ntpasswd, '\0', sizeof(ntpasswd)); - - if (passwd[strlen(passwd)-1] == '\n') /* strip the \n - this - is done in LowerString for the case sensitive - check */ - passwd[strlen(passwd)-1] = '\0'; - - hold = (char *)malloc(NTPASSWDLEN * 2); /* grab space for - unicode */ - if (hold == NULL){ - fprintf(stderr, "out of memory...crackntdialog hold\n"); - exit(1); - } - - uni_len = PutUniCode(hold, passwd); /* convert to - unicode and return correct - unicode length for md4 */ - - p16 = (unsigned char*)malloc(17); /* grab space for md4 hash */ - if (p16 == NULL){ - fprintf(stderr, "out of memory...crackntdialect p16\n"); - exit(1); - } - - memset(p16,'\0',17); - mdfour(p16,hold, uni_len); - - printlanhash(p16); - - free(p16); - free(hold); - } - - printf("\n"); - - exit(0); - -} - -/*****************************************************************************/ -/*****************************************************************************/ -/*****************************************************************************/ - -void usage(char *progname){ - char *p; - - p = strrchr(progname, '\\'); - if (p == NULL) - p = progname; - else - p++; - - fprintf(stderr, "Usage: %s [-L lanmgrpwd] [-N ntpasswd]\n",p); - fprintf(stderr, " %s password\n",p); - fprintf(stderr, " %s -f [-] [filename]\n\n",p); - fprintf(stderr, " -L lanmgrpasswd LanManager cleartextpwd <= 14 chars\n"); - fprintf(stderr, " -N ntpasswd NT cleartextpwd <=128 chars (usually <=14)\n\n"); - fprintf(stderr, " with both options present the encrypted LanManager-Pwd is \n"); - fprintf(stderr, " printed first, 
followed by a ':' and the encrypted NT-Pwd.\n\n"); - fprintf(stderr, " The second usage behaves like %s -L pwd -N pwd\n\n",p); - fprintf(stderr, " The third usage reads the password from STDIN or a File. Printout\n"); - fprintf(stderr, " is the same as second.\n\n"); - fprintf(stderr, "anton@genua.de\n\n"); - exit(1); -} - - -/******************************************************************* -write a string in unicoode format -********************************************************************/ -int PutUniCode(char *dst,char *src) -{ - int ret = 0; - while (*src) { - dst[ret++] = src[0]; - dst[ret++] = 0; - src++; - } - dst[ret++]=0; - dst[ret++]=0; - return(ret-2); /* the way they do the md4 hash they don't represent - the last null. ie 'A' becomes just 0x41 0x00 - not - 0x41 0x00 0x00 0x00 */ -} - -/* - print binary buffer as hex-string -*/ -void printlanhash(char *tmp) { - - int i; - unsigned char c; - char outbuffer[33]; - - - /* build string from binary hash */ - for(i=0;i<16;i++) { - c=tmp[i]; - sprintf(outbuffer+2*i,"%x",(c>>4) & 0x0f); - sprintf(outbuffer+2*i+1,"%x",c & 0x0f); - } - - /* convert to uppercase */ - for(i=0;i<32;i++) - outbuffer[i] = toupper(outbuffer[i]); - outbuffer[32]='\0'; - - /* print out hex-string */ - printf("%s",outbuffer); -} - - diff --git a/examples/LDAP/smbldap-tools/mkntpwd/mkntpwd.h b/examples/LDAP/smbldap-tools/mkntpwd/mkntpwd.h deleted file mode 100644 index 9a020b8d28..0000000000 --- a/examples/LDAP/smbldap-tools/mkntpwd/mkntpwd.h +++ /dev/null @@ -1,17 +0,0 @@ -#include -#include -#include -#include -#include - -typedef short int16; -typedef int int32; -typedef unsigned short uint16; -typedef unsigned int uint32; -typedef unsigned char uchar; - -#define MAX_STRING 255 -#define MAX_WORD 128 -#define LMPASSWDLEN 14 -#define NTPASSWDLEN 128 -#define FILENAMEBUFFER 128 diff --git a/examples/LDAP/smbldap-tools/mkntpwd/smbdes.c b/examples/LDAP/smbldap-tools/mkntpwd/smbdes.c deleted file mode 100644 index e4f8280f9b..0000000000 
--- a/examples/LDAP/smbldap-tools/mkntpwd/smbdes.c
+++ /dev/null
@@ -1,337 +0,0 @@ -/* - Unix SMB/Netbios implementation. - Version 1.9. - - a partial implementation of DES designed for use in the - SMB authentication protocol - - Copyright (C) Andrew Tridgell 1997 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - - -/* NOTES: - - This code makes no attempt to be fast! In fact, it is a very - slow implementation - - This code is NOT a complete DES implementation. It implements only - the minimum necessary for SMB authentication, as used by all SMB - products (including every copy of Microsoft Windows95 ever sold) - - In particular, it can only do a unchained forward DES pass. This - means it is not possible to use this code for encryption/decryption - of data, instead it is only useful as a "hash" algorithm. - - There is no entry point into this code that allows normal DES operation. - - I believe this means that this code does not come under ITAR - regulations but this is NOT a legal opinion. 
If you are concerned - about the applicability of ITAR regulations to this code then you - should confirm it for yourself (and maybe let me know if you come - up with a different answer to the one above) -*/ - - - -static int perm1[56] = {57, 49, 41, 33, 25, 17, 9, - 1, 58, 50, 42, 34, 26, 18, - 10, 2, 59, 51, 43, 35, 27, - 19, 11, 3, 60, 52, 44, 36, - 63, 55, 47, 39, 31, 23, 15, - 7, 62, 54, 46, 38, 30, 22, - 14, 6, 61, 53, 45, 37, 29, - 21, 13, 5, 28, 20, 12, 4}; - -static int perm2[48] = {14, 17, 11, 24, 1, 5, - 3, 28, 15, 6, 21, 10, - 23, 19, 12, 4, 26, 8, - 16, 7, 27, 20, 13, 2, - 41, 52, 31, 37, 47, 55, - 30, 40, 51, 45, 33, 48, - 44, 49, 39, 56, 34, 53, - 46, 42, 50, 36, 29, 32}; - -static int perm3[64] = {58, 50, 42, 34, 26, 18, 10, 2, - 60, 52, 44, 36, 28, 20, 12, 4, - 62, 54, 46, 38, 30, 22, 14, 6, - 64, 56, 48, 40, 32, 24, 16, 8, - 57, 49, 41, 33, 25, 17, 9, 1, - 59, 51, 43, 35, 27, 19, 11, 3, - 61, 53, 45, 37, 29, 21, 13, 5, - 63, 55, 47, 39, 31, 23, 15, 7}; - -static int perm4[48] = { 32, 1, 2, 3, 4, 5, - 4, 5, 6, 7, 8, 9, - 8, 9, 10, 11, 12, 13, - 12, 13, 14, 15, 16, 17, - 16, 17, 18, 19, 20, 21, - 20, 21, 22, 23, 24, 25, - 24, 25, 26, 27, 28, 29, - 28, 29, 30, 31, 32, 1}; - -static int perm5[32] = { 16, 7, 20, 21, - 29, 12, 28, 17, - 1, 15, 23, 26, - 5, 18, 31, 10, - 2, 8, 24, 14, - 32, 27, 3, 9, - 19, 13, 30, 6, - 22, 11, 4, 25}; - - -static int perm6[64] ={ 40, 8, 48, 16, 56, 24, 64, 32, - 39, 7, 47, 15, 55, 23, 63, 31, - 38, 6, 46, 14, 54, 22, 62, 30, - 37, 5, 45, 13, 53, 21, 61, 29, - 36, 4, 44, 12, 52, 20, 60, 28, - 35, 3, 43, 11, 51, 19, 59, 27, - 34, 2, 42, 10, 50, 18, 58, 26, - 33, 1, 41, 9, 49, 17, 57, 25}; - - -static int sc[16] = {1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1}; - -static int sbox[8][4][16] = { - {{14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7}, - {0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8}, - {4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0}, - {15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 
13}}, - - {{15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10}, - {3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5}, - {0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15}, - {13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9}}, - - {{10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8}, - {13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1}, - {13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7}, - {1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12}}, - - {{7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15}, - {13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9}, - {10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4}, - {3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14}}, - - {{2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9}, - {14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6}, - {4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14}, - {11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3}}, - - {{12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11}, - {10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8}, - {9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6}, - {4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13}}, - - {{4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1}, - {13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6}, - {1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2}, - {6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12}}, - - {{13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7}, - {1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2}, - {7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8}, - {2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11}}}; - -static void permute(char *out, char *in, int *p, int n) -{ - int i; - for (i=0;i>1; - key[1] = ((str[0]&0x01)<<6) | (str[1]>>2); - key[2] = ((str[1]&0x03)<<5) | (str[2]>>3); - key[3] = ((str[2]&0x07)<<4) | (str[3]>>4); - key[4] = ((str[3]&0x0F)<<3) | (str[4]>>5); - key[5] = ((str[4]&0x1F)<<2) | (str[5]>>6); - key[6] = 
((str[5]&0x3F)<<1) | (str[6]>>7); - key[7] = str[6]&0x7F; - for (i=0;i<8;i++) { - key[i] = (key[i]<<1); - } -} - - -static void smbhash(unsigned char *out, unsigned char *in, unsigned char *key) -{ - int i; - char outb[64]; - char inb[64]; - char keyb[64]; - unsigned char key2[8]; - - str_to_key(key, key2); - - for (i=0;i<64;i++) { - inb[i] = (in[i/8] & (1<<(7-(i%8)))) ? 1 : 0; - keyb[i] = (key2[i/8] & (1<<(7-(i%8)))) ? 1 : 0; - outb[i] = 0; - } - - dohash(outb, inb, keyb); - - for (i=0;i<8;i++) { - out[i] = 0; - } - - for (i=0;i<64;i++) { - if (outb[i]) - out[i/8] |= (1<<(7-(i%8))); - } -} - -void E_P16(unsigned char *p14,unsigned char *p16) -{ - unsigned char sp8[8] = {0x4b, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25}; - smbhash(p16, sp8, p14); - smbhash(p16+8, sp8, p14+7); -} - -void E_P24(unsigned char *p21, unsigned char *c8, unsigned char *p24) -{ - smbhash(p24, c8, p21); - smbhash(p24+8, c8, p21+7); - smbhash(p24+16, c8, p21+14); -} - -void cred_hash1(unsigned char *out,unsigned char *in,unsigned char *key) -{ - unsigned char buf[8]; - - smbhash(buf, in, key); - smbhash(out, buf, key+9); -} - -void cred_hash2(unsigned char *out,unsigned char *in,unsigned char *key) -{ - unsigned char buf[8]; - static unsigned char key2[8]; - - smbhash(buf, in, key); - key2[0] = key[7]; - smbhash(out, buf, key2); -} - diff --git a/examples/LDAP/smbldap-tools/smbldap-groupadd.pl b/examples/LDAP/smbldap-tools/smbldap-groupadd.pl deleted file mode 100755 index e242d6e223..0000000000 --- a/examples/LDAP/smbldap-tools/smbldap-groupadd.pl +++ /dev/null 
@@ -1,158 +0,0 @@
-#!/usr/bin/perl -w
-
-# This code was developped by IDEALX (http://IDEALX.org/) and
-# contributors (their names can be found in the CONTRIBUTORS file).
-#
-# Copyright (C) 2001-2002 IDEALX
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# as published by the Free Software Foundation; either version 2
-# of the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
-# USA.
-
-# Purpose of smbldap-groupadd : group (posix) add
-
-use strict;
-use FindBin;
-use FindBin qw($RealBin);
-use lib "$RealBin/";
-use smbldap_tools;
-use smbldap_conf;
-use Getopt::Std;
-my %Options;
-
-my $ok = getopts('ag:or:s:t:p?', \%Options);
-if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) {
- print "Usage: $0 [-agorst?] groupname\n";
- print " -a add automatic group mapping entry\n";
- print " -g gid\n";
- print " -o gid is not unique\n";
- print " -r group-rid\n";
- print " -s group-sid\n";
- print " -t group-type\n";
- print " -p print the gidNumber to stdout\n";
- print " -? show this help message\n";
- exit (1);
-}
-
-my $_groupName = $ARGV[0];
-
-if (defined(get_group_dn($_groupName))) {
- warn "$0: group $_groupName exists\n";
- exit (6);
-}
-
-my $_groupGidNumber = $Options{'g'};
-if (! defined ($_groupGidNumber = group_add($_groupName, $_groupGidNumber, $Options{'o'}))) {
- warn "$0: error adding group $_groupName\n";
- exit (6);
-}
-
-my $group_sid;
-my $tmp;
-if ($tmp= $Options{'s'}) {
- if ($tmp =~ /^S-(?:\d+-)+\d+$/) {
- $group_sid = $tmp;
- } else {
- warn "$0: illegal group-rid $tmp\n";
- exit(7);
- }
-} elsif ($Options{'r'} || $Options{'a'}) {
- my $group_rid;
- if ($tmp= $Options{'r'}) {
- if ($tmp =~ /^\d+$/) {
- $group_rid = $tmp;
- } else {
- warn "$0: illegal group-rid $tmp\n";
- exit(7);
- }
- } else {
- # algorithmic mapping
- $group_rid = 2*$_groupGidNumber+1001;
- }
- $group_sid = $SID.'-'.$group_rid;
-}
-
-if ($Options{'r'} || $Options{'a'} || $Options{'s'}) {
- # let's test if this SID already exist
- my $test_exist_sid=does_sid_exist($group_sid,$groupsdn);
- if ($test_exist_sid->count == 1) {
- warn "Group SID already owned by\n";
- # there should not exist more than one entry, but ...
- foreach my $entry ($test_exist_sid->all_entries) {
- my $dn= $entry->dn;
- chomp($dn);
- warn "$dn\n";
- }
- exit(7);
- }
-}
-
-if ($group_sid) {
- my $group_type;
- my $tmp;
- if ($tmp= $Options{'t'}) {
- unless (defined($group_type = &group_type_by_name($tmp))) {
- warn "$0: unknown group type $tmp\n";
- exit(8);
- }
- } else {
- $group_type = group_type_by_name('domain');
- }
- my $ldap_master=connect_ldap_master();
- my $modify = $ldap_master->modify ( "cn=$_groupName,$groupsdn",
- add => {
- 'objectClass' => 'sambaGroupMapping',
- 'sambaSID' => $group_sid,
- 'sambaGroupType' => $group_type
- }
- );
- $modify->code && warn "failed to delete entry: ", $modify->error ;
- # take down session
- $ldap_master->unbind
-}
-
-if ($Options{'p'}) {
- print STDOUT "$_groupGidNumber";
-}
-exit(0);
-
-########################################
-
-=head1 NAME
-
- smbldap-groupadd.pl - Create a new group
-
-=head1 SYNOPSIS
-
- smbldap-groupadd.pl [-g gid [-o]] group
-
-=head1 DESCRIPTION
- The smbldap-groupadd.pl command creates a new group account using
- the values specified on the command line and the default values
- from the system. The new group will be entered into the system
- files as needed. The options which apply to the groupadd command are
-
- -g gid The numerical value of the group's ID. This value must be
- unique, unless the -o option is used. The value must be non-
- negative. The default is to use the smallest ID value greater
- than 1000 and greater than every other group.
-
-=head1 SEE ALSO
-
- groupadd(1)
-
-=cut
-
-#'
-
diff --git a/examples/LDAP/smbldap-tools/smbldap-groupdel.pl b/examples/LDAP/smbldap-tools/smbldap-groupdel.pl
deleted file mode 100755
index 4f6839ebe5..0000000000
--- a/examples/LDAP/smbldap-tools/smbldap-groupdel.pl
+++ /dev/null
@@ -1,93 +0,0 @@
-#!/usr/bin/perl -w
-
-# This code was developped by IDEALX (http://IDEALX.org/) and
-# contributors (their names can be found in the CONTRIBUTORS file).
-#
-# Copyright (C) 2001-2002 IDEALX
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# as published by the Free Software Foundation; either version 2
-# of the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
-# USA.
-
-# Purpose of smbldap-groupdel : group (posix) deletion
-
-use strict;
-use FindBin;
-use FindBin qw($RealBin);
-use lib "$RealBin/";
-use smbldap_tools;
-use smbldap_conf;
-
-#####################
-use Getopt::Std;
-my %Options;
-
-my $ok = getopts('?', \%Options);
-if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) {
- print "Usage: $0 groupname\n";
- print " -? show this help message\n";
- exit (1);
-}
-
-my $_groupName = $ARGV[0];
-
-my $dn_line;
-if (!defined($dn_line = get_group_dn($_groupName))) {
- print "$0: group $_groupName doesn't exist\n";
- exit (6);
-}
-
-my $dn = get_dn_from_line($dn_line);
-
-group_del($dn);
-
-my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1";
-
-if ($nscd_status == 0) {
- system "/etc/init.d/nscd restart > /dev/null 2>&1";
-}
-
-#if (defined($dn_line = get_group_dn($_groupName))) {
-# print "$0: failed to delete group\n";
-# exit (7);
-#}
-
-
-exit (0);
-
-############################################################
-
-=head1 NAME
-
- smbldap-groupdel.pl - Delete a group
-
-=head1 SYNOPSIS
-
- smbldap-groupdel.pl group
-
-=head1 DESCRIPTION
-
- The smbldap-groupdel.pl command modifies the system account files,
- deleting all entries that refer to group. The named group must exist.
-
- You must manually check all filesystems to insure that no files remain
- with the named group as the file group ID.
-
-=head1 SEE ALSO
-
- groupdel(1)
-
-=cut
-
-#'
diff --git a/examples/LDAP/smbldap-tools/smbldap-groupmod.pl b/examples/LDAP/smbldap-tools/smbldap-groupmod.pl
deleted file mode 100755
index 3f9741e015..0000000000
--- a/examples/LDAP/smbldap-tools/smbldap-groupmod.pl
+++ /dev/null
@@ -1,283 +0,0 @@ -#!/usr/bin/perl -w - -# This code was developped by IDEALX (http://IDEALX.org/) and -# contributors (their names can be found in the CONTRIBUTORS file). -# -# Copyright (C) 2001-2002 IDEALX -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 2 -# of the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, -# USA. - -# Purpose of smbldap-groupmod : group (posix) modification - - -use strict; -use FindBin; -use FindBin qw($RealBin); -use lib "$RealBin/"; -use smbldap_tools; -use smbldap_conf; - -##################### - -use Getopt::Std; -my %Options; - -my $ok = getopts('ag:n:m:or:s:t:x:?', \%Options); -if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) { - print "Usage: $0 [-a] [-g gid [-o]] [-n name] [-m members(,)] [-x members (,)] [-r rid] [-s sid] [-t type] groupname\n"; - print " -a add automatic group mapping entry\n"; - print " -g new gid\n"; - print " -o gid is not unique\n"; - print " -n new group name\n"; - print " -m add members (comma delimited)\n"; - print " -r group-rid\n"; - print " -s group-sid\n"; - print " -t group-type\n"; - print " -x delete members (comma delimted)\n"; - print " -? show this help message\n"; - exit (1); -} - -my $groupName = $ARGV[0]; -my $group_entry; - -if (! 
($group_entry = read_group_entry($groupName))) { - print "$0: group $groupName doesn't exist\n"; - exit (6); -} - -my $newname = $Options{'n'}; - -my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1"; - -if ($nscd_status == 0) { - system "/etc/init.d/nscd restart > /dev/null 2>&1"; -} - -my $gid = getgrnam($groupName); -unless (defined ($gid)) { - print "$0: group $groupName not found!\n"; - exit(6); -} - -my $tmp; -if (defined($tmp = $Options{'g'}) and $tmp =~ /\d+/) { - if (!defined($Options{'o'})) { - if (defined(getgrgid($tmp))) { - print "$0: gid $tmp exists\n"; - exit (6); - } - } - if (!($gid == $tmp)) { - my $ldap_master=connect_ldap_master(); - my $modify = $ldap_master->modify ( "cn=$groupName,$groupsdn", - changes => [ - replace => [gidNumber => $tmp] - ] - ); - $modify->code && die "failed to modify entry: ", $modify->error ; - # take down session - $ldap_master->unbind - } -} - - -if (defined($newname)) { - my $ldap_master=connect_ldap_master(); - my $modify = $ldap_master->moddn ( - "cn=$groupName,$groupsdn", - newrdn => "cn=$newname", - deleteoldrdn => "1", - newsuperior => "$groupsdn" - ); - $modify->code && die "failed to modify entry: ", $modify->error ; - # take down session - $ldap_master->unbind -} - -# Add members -if (defined($Options{'m'})) { - my $members = $Options{'m'}; - my @members = split( /,/, $members ); - my $member; - foreach $member ( @members ) { - my $group_entry=read_group_entry($groupName); - $groupsdn=$group_entry->dn; - if (is_unix_user($member)) { - if (is_group_member($groupsdn,$member)) { - print "User $member already in the group\n"; - } else { - print "adding user $member to group $groupName\n"; - my $ldap_master=connect_ldap_master(); - my $modify = $ldap_master->modify ($groupsdn, - changes => [ - add => [memberUid => $member] - ] - ); - $modify->code && warn "failed to add entry: ", $modify->error ; - # take down session - $ldap_master->unbind - } - } else { - print "User $member does not exist: create 
it first !\n"; - } - } -} - -# Delete members -if (defined($Options{'x'})) { - my $members = $Options{'x'}; - my @members = split( /,/, $members ); - my $member; - foreach $member ( @members ) { - my $group_entry=read_group_entry($groupName); - $groupsdn=$group_entry->dn; - if (is_group_member("$groupsdn",$member)) { - print "deleting user $member from group $groupName\n"; - my $ldap_master=connect_ldap_master(); - my $modify = $ldap_master->modify ($groupsdn, - changes => [ - delete => [memberUid => $member] - ] - ); - $modify->code && warn "failed to delete entry: ", $modify->error ; - # take down session - $ldap_master->unbind - } else { - print "User $member is not in the group $groupName!\n"; - } - } -} - -my $group_sid; -if ($tmp= $Options{'s'}) { - if ($tmp =~ /^S-(?:\d+-)+\d+$/) { - $group_sid = $tmp; - } else { - print "$0: illegal group-rid $tmp\n"; - exit(7); - } -} elsif ($Options{'r'} || $Options{'a'}) { - my $group_rid; - if ($tmp= $Options{'r'}) { - if ($tmp =~ /^\d+$/) { - $group_rid = $tmp; - } else { - print "$0: illegal group-rid $tmp\n"; - exit(7); - } - } else { - # algorithmic mapping - $group_rid = 2*$gid+1001; - } - $group_sid = $SID.'-'.$group_rid; -} - -if ($group_sid) { - my @adds; - my @mods; - push(@mods, 'sambaSID' => $group_sid); - - if ($tmp= $Options{'t'}) { - my $group_type; - if (defined($group_type = &group_type_by_name($tmp))) { - push(@mods, 'sambaGroupType' => $group_type); - } else { - print "$0: unknown group type $tmp\n"; - exit(8); - } - } else { - if (! 
defined($group_entry->get_value('sambaGroupType'))) { - push(@mods, 'sambaGroupType' => group_type_by_name('domain')); - } - } - - my @oc = $group_entry->get_value('objectClass'); - unless (grep($_ =~ /^sambaGroupMapping$/i, @oc)) { - push (@adds, 'objectClass' => 'sambaGroupMapping'); - } - - my $ldap_master=connect_ldap_master(); - my $modify = $ldap_master->modify ( "cn=$groupName,$groupsdn", - changes => [ - 'add' => [ @adds ], - 'replace' => [ @mods ] - ] - ); - $modify->code && warn "failed to delete entry: ", $modify->error ; - # take down session - $ldap_master->unbind -} - -$nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1"; - -if ($nscd_status == 0) { - system "/etc/init.d/nscd restart > /dev/null 2>&1"; -} - -exit (0); - -############################################################ - -=head1 NAME - -smbldap-groupmod.pl - Modify a group - -=head1 SYNOPSIS - -smbldap-groupmod.pl [-g gid [-o]] [-n group_name ] group - -=head1 DESCRIPTION - -The smbldap-groupmod.pl command modifies the system account files to - reflect the changes that are specified on the command line. - The options which apply to the smbldap-groupmod command are - - -g gid The numerical value of the group's ID. This value must be - unique, unless the -o option is used. The value must be non- - negative. Any files which the old group ID is the file - group ID must have the file group ID changed manually. - - -n group_name - The name of the group will be changed from group to group_name. - - -m members - The members to be added to the group in comma-delimeted form. - - -x members - The members to be removed from the group in comma-delimted form. - -=head1 EXAMPLES - - smbldap-groupmod.pl -g 253 development - This will change the GID of the 'development' group to '253'. - - smbldap-groupmod.pl -n Idiots Managers - This will change the name of the 'Managers' group to 'Idiots'. 
- - smbldap-groupmod.pl -m "jdoe,jsmith" "Domain Admins" - This will add 'jdoe' and 'jsmith' to the 'Domain Admins' group. - - smbldap-groupmod.pl -x "jdoe,jsmith" "Domain Admins" - This will remove 'jdoe' and 'jsmith' from the 'Domain Admins' group. - -=head1 SEE ALSO - - groupmod(1) - -=cut - -#' diff --git a/examples/LDAP/smbldap-tools/smbldap-groupshow.pl b/examples/LDAP/smbldap-tools/smbldap-groupshow.pl deleted file mode 100755 index a9d368763e..0000000000 --- a/examples/LDAP/smbldap-tools/smbldap-groupshow.pl +++ /dev/null 
@@ -1,74 +0,0 @@ -#!/usr/bin/perl -w - -# This code was developped by IDEALX (http://IDEALX.org/) and -# contributors (their names can be found in the CONTRIBUTORS file). -# -# Copyright (C) 2001-2002 IDEALX -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 2 -# of the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, -# USA. - -# Purpose of smbldap-groupshow : user (posix,shadow,samba) display -# -# History : -# . originally by David Le Corfec - -use strict; -use FindBin; -use FindBin qw($RealBin); -use lib "$RealBin/"; -use smbldap_tools; -use Getopt::Std; -my %Options; - -my $ok = getopts('?', \%Options); - -if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) { - print "Usage: $0 [-?] group\n"; - print " -? show this help message\n"; - exit (1); -} - -# Read only first @ARGV -my $group = $ARGV[0]; - -my $lines = read_group($group); -if (!defined($lines)) { - print "$0: group $group doesn't exist\n"; - exit (1); -} - -print "$lines\n"; - -exit(0); - -############################################################ - -=head1 NAME - - smbldap-groupshow.pl - Display group informations - -=head1 SYNOPSIS - - smbldap-groupshow.pl groupname - -=head1 DESCRIPTION - - The smbldap-groupshow.pl command displays informations - associated with the given group. - -=cut - -#' 
diff --git a/examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl b/examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl deleted file mode 100755 index 54e4d7f7e3..0000000000 --- a/examples/LDAP/smbldap-tools/smbldap-migrate-accounts.pl +++ /dev/null 
@@ -1,230 +0,0 @@ -#!/usr/bin/perl -w - -# This code was developped by IDEALX (http://IDEALX.org/) and -# contributors (their names can be found in the CONTRIBUTORS file). -# -# Copyright (C) 2002 IDEALX -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 2 -# of the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, -# USA. - -# Purpose of smbldap-migrate-accounts : add NT sam entries from pwdump -# to ldap - -use strict; -use Getopt::Std; -use FindBin; -use FindBin qw($RealBin); -use lib "$RealBin/"; -use smbldap_tools; -use smbldap_conf; - -# smbldap-migrate.pl (-? or -h for help) -# -# Read pwdump entries on stdin, and add them to the ldap server. -# Output uncreated/unmodified entries (see parameters -C -U) -# in pwdump format to stdout. -# Errors, debug and stats are output to stderr. 
- -sub modify_account - { - my ($login, $basedn, $lmpwd, $ntpwd, $gecos, $homedir) = @_; - # bind to a directory with dn and password - my $ldap_master=connect_ldap_master(); - my $modify = $ldap_master->modify ("uid=$login,$basedn", - changes => [ - replace => [sambaLMPassword => "$lmpwd"], - replace => [sambaNTpassword => "$ntpwd"], - replace => [gecos => "$gecos"], - replace => [sambaHomePath => "$homedir"] - ] - ); - $modify->code && die "failed to modify entry: ", $modify->error ; - # take down the session - $ldap_master->unbind; - } - -##################### - - -my %Options; - -my $ok = getopts('awA:CUW:?h', \%Options); - -if ( (!$ok) || ($Options{'?'}) || ($Options{'h'}) ) { - print "Usage: $0 [-awAWCU?]\n"; - print " -a process only people, ignore computers\n"; - print " -w process only computers, ignore persons\n"; - print " -A option string passed verbatim to smbldap-useradd for persons\n"; - print " -W option string passed verbatim to smbldap-useradd for computers\n"; - print " -C if entry not found, don't create it and log it to stdout (default: create it)\n"; - print " -U if entry found, don't update it and log it to stdout (default: update it)\n"; - print " -?|-h show this help message\n"; - exit (1); -} - -my %processed = ( 'user' => 0, 'machine' => 0); -my %created = ( 'user' => 0, 'machine' => 0); -my %updated = ( 'user' => 0, 'machine' => 0); -my %logged = ( 'user' => 0, 'machine' => 0); -my %errors = ( 'user' => 0, 'machine' => 0); -my %existing = ( 'user' => 0, 'machine' => 0); -my $specialskipped = 0; - -while (<>) { - my ($login, $rid, $lmpwd, $ntpwd, $gecos, $homedir, $b) = split(/:/, $_); - my $usertype; - my $userbasedn; - - my $entry_type = 'user'; - - if ($login =~ m/.*\$$/ ) { # computer - $processed{'machine'}++; - $entry_type = 'machine'; - if (defined($Options{'a'})) { - print STDERR "ignoring $login\n"; - next; - } - - $usertype = "-w $Options{'W'}"; - $userbasedn = $computersdn; - } else { # people - $processed{'user'}++; - if 
(defined($Options{'w'})) { - print STDERR "ignoring $login\n"; - next; - } - if ($rid < 1000) { - $specialskipped++; - print STDERR "$login seems to be a special Win account (rid=$rid), skipping\n"; - next; - } - - $usertype = "-a $Options{'A'}"; - $userbasedn = $usersdn; - } - - # normalize homedir - # uncomment to replace configured share with share from pwdump - # if ($homedir eq "") { - $homedir = $_userSmbHome; - # } - - # normalize gecos - if (!($gecos eq "")) { - $gecos =~ tr//AAAAaaaaCcEEEEEeeeeeIIIIiiiiNnOOOOooooUUUUuuuuYyy/; - } else { - $gecos = $_userGecos; - } - - my $user_exists = is_samba_user($login); - - if (!$user_exists) { - if (!defined($Options{'C'})) { - # uid doesn't exist and we want to create it - my $addcmd = "/usr/local/sbin/smbldap-useradd.pl $usertype $login > /dev/null"; - print STDERR "$addcmd\n"; - my $r = system "$addcmd"; - if ($r != 0) { - print STDERR "error adding $login, skipping\n"; - next; - } - # lem modif... a retirer si pb - if ($entry_type eq "user") { - modify_account($login, $userbasedn, $lmpwd, $ntpwd, $gecos, $homedir); - } - - $created{$entry_type}++; - } else { # uid doesn't exist and no create => log - print "$_"; - $logged{$entry_type}++; - } - } else { # account exists - $existing{$entry_type}++; - if (!defined($Options{'U'})) { # exists and modify - modify_account($login, $userbasedn, $lmpwd, $ntpwd, $gecos, $homedir); - $updated{$entry_type}++; - } else { # exists and log - print "$_"; - $logged{$entry_type}++; - } - } -} - -my $sum; - -$sum = $processed{'user'} + $processed{'machine'}; -print STDERR "processed: all=$sum user=$processed{'user'} machine=$processed{'machine'}\n"; - -$sum = $existing{'user'} + $existing{'machine'}; -print STDERR "existing: all=$sum user=$existing{'user'} machine=$existing{'machine'}\n"; - -$sum = $created{'user'} + $created{'machine'}; -print STDERR "created: all=$sum user=$created{'user'} machine=$created{'machine'}\n"; - -$sum = $updated{'user'} + $updated{'machine'}; -print 
STDERR "updated: all=$sum user=$updated{'user'} machine=$updated{'machine'}\n"; - -$sum = $logged{'user'} + $logged{'machine'}; -print STDERR "logged: all=$sum user=$logged{'user'} machine=$logged{'machine'}\n"; - -print STDERR "special users skipped: $specialskipped\n"; - - -######################################## - -=head1 NAME - -smbldap-migrate.pl - Migrate NT accounts to LDAP - -=head1 SYNOPSIS - - smbldap-migrate.pl [-a] [-w] [-A opts] [-W opts] [-C] [-U] [-?] - -=head1 DESCRIPTION - - This command reads from stdin account entries as created by pwdump, - a tool to dump an user database on NT. - Depending of the options, some account entries may be output on - stdout. All errors and informations are sent to stderr. - - -a process only people, ignore computers - - -w process only computers, ignore persons - - -A opts - a string containing arguments to pass verbatim to - smbldap-useradd when adding users, eg "-m -x". - You don't have to specify -a in this string. - - -W opts - a string containing arguments to pass verbatim to - smbldap-useradd when adding computers, eg "-m -x". - You don't have to specify -w in this string. - - -C if NT account not found in LDAP, don't create it and log it to stdout - (default: create it) - - -U if NT account found in LDAP, don't update it and log it to stdout - (default: update it) - - -? show the help message - -=cut - -#' - -# The End - diff --git a/examples/LDAP/smbldap-tools/smbldap-migrate-groups.pl b/examples/LDAP/smbldap-tools/smbldap-migrate-groups.pl deleted file mode 100644 index a2b07bf817..0000000000 --- a/examples/LDAP/smbldap-tools/smbldap-migrate-groups.pl +++ /dev/null 
@@ -1,225 +0,0 @@ -#!/usr/bin/perl - -# This code was developped by IDEALX (http://IDEALX.org/) and -# contributors (their names can be found in the CONTRIBUTORS file). -# -# Copyright (C) 2002 IDEALX -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 2 -# of the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, -# USA. - -# Purpose of smbldap-migrate-groups : to parse a Windows -# group dump and populate Unix groups -# Reads group dump on stdin - - -use strict; -use FindBin; -use FindBin qw($RealBin); -use lib "$RealBin/"; -use smbldap_tools; -use smbldap_conf; -use Getopt::Std; - -sub process_rec_group - { - my ($group, $mb) = @_; - my @members; - - if (!(@members = group_get_members($group))) { - return 0; - } - - foreach my $m (@members) { - if ( !($m =~ m/^\*/) ) { - push @{$mb}, $m; - } else { - my $gname = $m; - $gname =~ s/^.//; - if (!process_rec_group($gname, $mb)) { - print "recursive group not added : $gname\n"; - } - } - } - } - - -# given a group dn and a list of members, update the group -sub modify_group - { - my ($group, $dn_line, @members, $recgroup) = @_; - my $m; - my @new_mb; - - foreach $m (@members) { - if ( ($m =~ m/^\*/) ) { - my $gname = $m; - $gname =~ s/^.//; - if (!$recgroup) { - print "recursive group not added : $gname\n"; - } else { - if (!process_rec_group($gname, \@new_mb)) { - print "recursive group not added : $gname\n"; - } - } - } else { - 
push @new_mb, $m; - } - } - - # new_mb contains flat members from group dump - # now append them to existing members - push @new_mb, group_get_members($group); - # uniq them - my %saw; - @saw{@new_mb} = (); - @new_mb = keys %saw; - - my $nmb = $#new_mb + 1; - print STDERR "Group $group now has $nmb member(s)\n"; - - my $mbs; - foreach $m (@new_mb) { - $mbs .= "memberUid: $m\n"; - } - - my $mods="$dn_line -changetype: modify -replace: memberUid -$mbs -"; - - #print "$mods\n"; - my $tmpldif = - "$mods -"; - - die "$0: error while modifying group $group\n" - unless (do_ldapmodify($tmpldif) == 0); - undef $tmpldif; - } - -sub display_group - { - my ($group, @members) = @_; - - print "Group name $group\n"; - print "Members\n"; - my $m; - my $i = 0; - foreach $m (@members) { - print "$m "; - if ($i % 5 == 0) { - print "\n"; - } - $i++; - } - } - -sub process_group - { - my ($group, @members, $nocreate, $noupdate, $recgroup) = @_; - - my $dn_line; - if (!defined($dn_line = get_group_dn($group))) { - # group not found, create it ? - if (!$nocreate) { - system "/usr/local/sbin/smbldap-groupadd.pl \"$group\"; sleep 5"; - if (!defined($dn_line = get_group_dn($group))) { - return 1; - } - modify_group($group, $dn_line, @members, $recgroup); - } else { - # don't create - print "not created:\n"; - display_group($group, @members); - } - } else { - # group found, update it ? - if (!$noupdate) { - modify_group($group, $dn_line, @members, $recgroup); - } else { - # don't update - print "not updated:\n"; - display_group($group, @members); - } - } - } - -################################################### - -my %Options; - -my $ok = getopts('CUr?', \%Options); -if ( (!$ok) || ($Options{'?'}) ) { - print "Usage: $0 [-CUr?] 
< group_dump\n"; - print " -C don't create group if it doesn't exist\n"; - print " -U don't update group if it exists\n"; - print " -r recursively process groups\n"; - exit(1); -} - -my $group_name; -my $group_desc; -my $has_members = 0; -my @members = (); - -while (<>) { - my $line = $_; - chomp($line); - next if ( $line =~ m/^\s*$/ ); - - if ($group_name eq "") { - if ( $line =~ m/^Group name\s+(.+).$/ ) { - $group_name = $1; - next; - } - } - if ($group_desc eq "") { - if ( $line =~ m/^Comment\s+(.*)$/ ) { - $group_desc = $1; - next; - } - } - next if ( $line =~ m/^-+.$/ ); - if (!$has_members) { - if ( $line =~ m/^Members/ ) { - $has_members = 1; - next; - } - } else { - if ( $line =~ m/^The command completed successfully/ ) { - last; - } else { - push(@members, split(/\s+/, $line)); - next; - } - } - - #print; -} - -if ( $#members > -1) { - process_group($group_name, @members, $Options{'C'}, $Options{'U'}, $Options{'r'}); -} - -#print "gn=$group_name\n"; -#print "gd=$group_desc\n"; -#my $m; -#foreach $m (@members) -#{ -# print "$m "; -#} -#print "\n"; diff --git a/examples/LDAP/smbldap-tools/smbldap-passwd.pl b/examples/LDAP/smbldap-tools/smbldap-passwd.pl deleted file mode 100755 index afbc87a058..0000000000 --- a/examples/LDAP/smbldap-tools/smbldap-passwd.pl +++ /dev/null 
@@ -1,227 +0,0 @@ -#!/usr/bin/perl -w - -# LDAP to unix password sync script for samba - -# This code was developped by IDEALX (http://IDEALX.org/) and -# contributors (their names can be found in the CONTRIBUTORS file). -# -# Copyright (C) 2001-2002 IDEALX -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 2 -# of the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, -# USA. - -# Purpose : -# . ldap-unix passwd sync for SAMBA>2.2.2 + LDAP -# . 
may also replace /bin/passwd - -use strict; -use FindBin; -use FindBin qw($RealBin); -use lib "$RealBin/"; -use smbldap_tools; -use smbldap_conf; - -my $user; -my $oldpass; -my $ret; - -my $arg; - -foreach $arg (@ARGV) { - if ($< != 0) { - die "Only root can specify parameters\n"; - } else { - if ( ($arg eq '-?') || ($arg eq '--help') ) { - print "Usage: $0 [username]\n"; - print " -?, --help show this help message\n"; - exit (6); - } elsif (substr($arg,0) ne '-') { - $user = $arg; - } - $oldpass = 1; - } -} - -if (!defined($user)) { - $user=$ENV{"USER"}; -} - -# test existence of user in LDAP -my $dn_line; -if (!defined($dn_line = get_user_dn($user))) { - print "$0: user $user doesn't exist\n"; - exit (10); -} - -my $dn = get_dn_from_line($dn_line); - -my $samba = is_samba_user($user); - -print "Changing password for $user\n"; - -# non-root user -if (!defined($oldpass)) { - # prompt for current password - system "stty -echo"; - print "(current) UNIX password: "; - chomp($oldpass=); - print "\n"; - system "stty echo"; - - if (!is_user_valid($user, $dn, $oldpass)) { - print "Authentication failure\n"; - exit (10); - } -} - -# prompt for new password - -my $pass; -my $pass2; - -system "stty -echo"; -print "New password : "; -chomp($pass=); -print "\n"; -system "stty echo"; - -system "stty -echo"; -print "Retype new password : "; -chomp($pass2=); -print "\n"; -system "stty echo"; - -if ($pass ne $pass2) { - print "New passwords don't match!\n"; - exit (10); -} - -# First, connecting to the directory -my $ldap_master=connect_ldap_master(); - -# only modify smb passwords if smb user -if ($samba == 1) { - if (!$with_smbpasswd) { - # generate LanManager and NT clear text passwords - if ($mk_ntpasswd eq '') { - print "Either set \$with_smbpasswd = 1 or specify \$mk_ntpasswd\n"; - exit(1); - } - my $ntpwd = `$mk_ntpasswd '$pass'`; - chomp(my $sambaLMPassword = substr($ntpwd, 0, index($ntpwd, ':'))); - chomp(my $sambaNTPassword = substr($ntpwd, index($ntpwd, ':')+1)); - # 
the sambaPwdLastSet must be updating - my $date=time; - my @mods; - push(@mods, 'sambaLMPassword' => $sambaLMPassword); - push(@mods, 'sambaNTPassword' => $sambaNTPassword); - push(@mods, 'sambaPwdLastSet' => $date); - if (defined $_defaultMaxPasswordAge) { - my $new_sambaPwdMustChange=$date+$_defaultMaxPasswordAge*24*60*60; - push(@mods, 'sambaPwdMustChange' => $new_sambaPwdMustChange); - push(@mods, 'sambaAcctFlags' => '[U]'); - } - # Let's change nt/lm passwords - my $modify = $ldap_master->modify ( "$dn", - 'replace' => { @mods } - ); - $modify->code && warn "failed to modify entry: ", $modify->error ; - - } else { - if ($< != 0) { - my $FILE="|$smbpasswd -s >/dev/null"; - open (FILE, $FILE) || die "$!\n"; - print FILE <modify ( "$dn", - changes => [ - replace => [userPassword => "$hash_password"] - ] - ); -$modify->code && warn "Unable to change password : ", $modify->error ; - -# take down session -$ldap_master->unbind; - -exit 0; - - -# - The End - -=head1 NAME - -smbldap-passwd.pl - change user password - -=head1 SYNOPSIS - - smbldap-passwd.pl [name] - -=head1 DESCRIPTION - -smbldap-passwd.pl changes passwords for user accounts. A normal user - may only change the password for their own account, the super user may - change the password for any account. - - Password Changes - The user is first prompted for their old password, if one is present. - This password is then tested against the stored password by binding - to the server. The user has only one chance to enter the correct pass- - word. The super user is permitted to bypass this step so that forgot- - ten passwords may be changed. - - The user is then prompted for a replacement password. As a general - guideline, passwords should consist of 6 to 8 characters including - one or more from each of following sets: - - Lower case alphabetics - - Upper case alphabetics - - Digits 0 thru 9 - - Punctuation marks - - passwd will prompt again and compare the second entry against the first. 
- Both entries are require to match in order for the password to be - changed. - -=head1 SEE ALSO - - passwd(1) - -=cut - -#' diff --git a/examples/LDAP/smbldap-tools/smbldap-populate.pl b/examples/LDAP/smbldap-tools/smbldap-populate.pl deleted file mode 100755 index b691a84850..0000000000 --- a/examples/LDAP/smbldap-tools/smbldap-populate.pl +++ /dev/null 
@@ -1,370 +0,0 @@ -#!/usr/bin/perl -w - -# Populate a LDAP base for Samba-LDAP usage -# - -# This code was developped by IDEALX (http://IDEALX.org/) and -# contributors (their names can be found in the CONTRIBUTORS file). -# -# Copyright (C) 2001-2002 IDEALX -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 2 -# of the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, -# USA. - -# Purpose : -# . Create an initial LDAP database suitable for Samba 2.2 -# . For lazy people, replace ldapadd (with only an ldif parameter) - -use strict; -use FindBin; -use FindBin qw($RealBin); -use lib "$RealBin/"; -use smbldap_tools; -use smbldap_conf; -use Getopt::Std; -use Net::LDAP::LDIF; - -use vars qw(%oc); - -# objectclass of the suffix -%oc = ( - "ou" => "organizationalUnit", - "o" => "organization", - "dc" => "dcObject", - ); - - -my %Options; - -my $ok = getopts('a:b:?', \%Options); -if ( (!$ok) || ($Options{'?'}) ) { - print "Usage: $0 [-ab?] [ldif]\n"; - print " -a administrator login name (default: Administrator)\n"; - print " -b guest login name (default: nobody)\n"; - print " -? 
show this help message\n"; - print " ldif file to add to ldap (default: suffix, Groups,"; - print " Users, Computers and builtin users )\n"; - exit (1); -} - -my $_ldifName; -my $tmp_ldif_file="/tmp/$$.ldif"; - -if (@ARGV >= 1) { - $_ldifName = $ARGV[0]; -} - -my $adminName = $Options{'a'}; -if (!defined($adminName)) { - $adminName = "Administrator"; -} - -my $guestName = $Options{'b'}; -if (!defined($guestName)) { - $guestName = "nobody"; -} - -if (!defined($_ldifName)) { - my $attr; - my $val; - my $objcl; - - print "Using builtin directory structure\n"; - if ($suffix =~ m/([^=]+)=([^,]+)/) { - $attr = $1; - $val = $2; - $objcl = $oc{$attr} if (exists $oc{$attr}); - if (!defined($objcl)) { - $objcl = "myhardcodedobjectclass"; - } - } else { - die "can't extract first attr and value from suffix $suffix"; - } - #print "$attr=$val\n"; - my ($organisation,$ext) = ($suffix =~ m/dc=(.*),dc=(.*)$/); - - #my $FILE="|cat"; - my $FILE=$tmp_ldif_file; - open (FILE, ">$FILE") || die "Can't open file $FILE: $!\n"; - - print FILE <new($tmp_ldif_file, "r", onerror => 'undef' ); -while( not $ldif->eof() ) { - my $entry = $ldif->read_entry(); - if ( $ldif->error() ) { - print "Error msg: ",$ldif->error(),"\n"; - print "Error lines:\n",$ldif->error_lines(),"\n"; - } else { - my $dn = $entry->dn; - print "adding new entry: $dn\n"; - my $result=$ldap_master->add($entry); - $result->code && warn "failed to add entry: ", $result->error ; - } -} -$ldap_master->unbind; -system "rm -f $tmp_ldif_file"; -exit(0); - - -######################################## - -=head1 NAME - -smbldap-populate.pl - Populate your LDAP database - -=head1 SYNOPSIS - - smbldap-populate.pl [ldif-file] - -=head1 DESCRIPTION - - The smbldap-populate.pl command helps to populate an LDAP server - by adding the necessary entries : base suffix (doesn't abort - if already there), organizational units for users, groups and - computers, builtin users : Administrator and guest, builtin - groups (though posixAccount only, 
no SambaTNG support). - - -a name Your local administrator login name (default: Administrator) - -b name Your local guest login name (default: nobody) - - If you give an extra parameter, it is assumed to be the ldif - file to use instead of the builtin one. Options -a and -b - will be ignored. - -=head1 FILES - - /usr/lib/perl5/site-perl/smbldap_conf.pm : Global parameters. - -=head1 SEE ALSO - - smp(1) - -=cut - -#' - - - -# - The End diff --git a/examples/LDAP/smbldap-tools/smbldap-tools.spec b/examples/LDAP/smbldap-tools/smbldap-tools.spec deleted file mode 100755 index 0275c8096f..0000000000 --- a/examples/LDAP/smbldap-tools/smbldap-tools.spec +++ /dev/null 
@@ -1,140 +0,0 @@ -# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/smbldap-tools.spec,v $ -%define version 0.8.2 -%define release 1 -%define name smbldap-tools -%define realname smbldap-tools - -Summary: User & Group administration tools for Samba-OpenLDAP -Name: %{name} -version: %{version} -Release: %{release} -Group: System Environment/Base -License: GPL - -Vendor: IDEALX S.A.S. -URL: http://samba.IDEALX.org/ -Packager: Jerome Tournier -Source0: smbldap-groupadd.pl -Source1: smbldap-groupdel.pl -Source2: smbldap-groupmod.pl -Source3: smbldap-groupshow.pl -Source4: smbldap-passwd.pl -Source5: smbldap-useradd.pl -Source6: smbldap-userdel.pl -Source7: smbldap-usermod.pl -Source8: smbldap-usershow.pl -Source9: smbldap_conf.pm -Source10: smbldap_tools.pm -Source11: CONTRIBUTORS -Source12: COPYING -Source13: ChangeLog -Source14: FILES -Source15: README -Source16: TODO -Source17: mkntpwd.tar.gz -Source18: smbldap-populate.pl -Source19: smbldap-migrate-accounts.pl -Source20: smbldap-migrate-groups.pl -Source21: INFRA -Source22: smb.conf -BuildRoot: /%{_tmppath}/%{name} -Prefix: /usr/local -BuildRequires: perl >= 5.6 -Requires: perl >= 5.6, openldap, openldap-clients, samba - -%description -In settings with OpenLDAP and Samba-LDAP servers, this collection is -useful to add, modify and delete users and groups, and to change -Unix and Samba passwords. In those context they replace the system -tools to manage users, groups and passwords. 
- -%prep - -%setup -c -T - -%build -tar zxvf %{SOURCE17} -cd mkntpwd -make - -%install -rm -rf $RPM_BUILD_ROOT -mkdir -p $RPM_BUILD_ROOT/%{prefix}/sbin -mkdir -p $RPM_BUILD_ROOT/%{prefix}/share -mkdir -p $RPM_BUILD_ROOT/usr/share/doc -mkdir -p $RPM_BUILD_ROOT/usr/share/doc/smbldap-tools - -cd mkntpwd ; make PREFIX=$RPM_BUILD_ROOT/%{prefix} install - -install -m 550 %{SOURCE0} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-groupadd.pl -install -m 550 %{SOURCE1} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-groupdel.pl -install -m 550 %{SOURCE2} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-groupmod.pl -install -m 555 %{SOURCE3} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-groupshow.pl -install -m 555 %{SOURCE4} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-passwd.pl -install -m 550 %{SOURCE5} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-useradd.pl -install -m 550 %{SOURCE6} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-userdel.pl -install -m 550 %{SOURCE7} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-usermod.pl -install -m 555 %{SOURCE8} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-usershow.pl -install -m 550 %{SOURCE18} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-populate.pl -install -m 751 %{SOURCE9} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap_conf.pm -install -m 555 %{SOURCE10} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap_tools.pm -install -m 550 %{SOURCE19} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-migrate-accounts.pl -install -m 550 %{SOURCE20} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-migrate-groups.pl - -install -m 644 %{SOURCE11} $RPM_BUILD_ROOT/usr/share/doc/smbldap-tools/CONTRIBUTORS -install -m 644 %{SOURCE12} $RPM_BUILD_ROOT/usr/share/doc/smbldap-tools/COPYING -install -m 644 %{SOURCE13} $RPM_BUILD_ROOT/usr/share/doc/smbldap-tools/ChangeLog -install -m 644 %{SOURCE14} $RPM_BUILD_ROOT/usr/share/doc/smbldap-tools/FILES -install -m 644 %{SOURCE15} $RPM_BUILD_ROOT/usr/share/doc/smbldap-tools/README -install -m 644 %{SOURCE16} $RPM_BUILD_ROOT/usr/share/doc/smbldap-tools/TODO -install -m 644 %{SOURCE21} 
$RPM_BUILD_ROOT/usr/share/doc/smbldap-tools/INFRA -install -m 644 %{SOURCE22} $RPM_BUILD_ROOT/usr/share/doc/smbldap-tools/smb.conf - -%clean -rm -rf $RPM_BUILD_ROOT - -%post -# from smbldap-tools-0.8-2, librairies are loaded with the FindBin perl package -if [ -f /usr/lib/perl5/site_perl/smbldap_tools.pm ]; -then - rm -f /usr/lib/perl5/site_perl/smbldap_tools.pm -fi -if [ -f /usr/lib/perl5/site_perl/smbldap_conf.pm ]; -then - rm -f /usr/lib/perl5/site_perl/smbldap_conf.pm -fi -chgrp 512 %{prefix}/sbin/smbldap-useradd.pl %{prefix}/sbin/smbldap_conf.pm || echo "An error occured while changing groups of smbldap-useradd.pl and smbldap_conf.pm in /usr/local/sbin. For proper operations, please ensure that they have the same posix group as the Samba domain administrator if there's a local Samba PDC." -perl -i -pe 's/_SLAVELDAP_/localhost/' %{prefix}/sbin/smbldap_conf.pm -perl -i -pe 's/_MASTERLDAP_/localhost/' %{prefix}/sbin/smbldap_conf.pm -perl -i -pe 's/_SUFFIX_/dc=IDEALX,dc=org/' %{prefix}/sbin/smbldap_conf.pm -perl -i -pe 's/_USERS_/Users/' %{prefix}/sbin/smbldap_conf.pm -perl -i -pe 's/_COMPUTERS_/Computers/' %{prefix}/sbin/smbldap_conf.pm -perl -i -pe 's/_GROUPS_/Groups/' %{prefix}/sbin/smbldap_conf.pm -perl -i -pe 's/_LOGINSHELL_/\/bin\/bash/' %{prefix}/sbin/smbldap_conf.pm -perl -i -pe 's/_HOMEPREFIX_/\/home/' %{prefix}/sbin/smbldap_conf.pm -perl -i -pe 's/_BINDDN_/cn=Manager,\$suffix/' %{prefix}/sbin/smbldap_conf.pm -perl -i -pe 's/_BINDPW_/secret/' %{prefix}/sbin/smbldap_conf.pm -perl -i -pe 's/_PDCNAME_/PDC-SRV/' %{prefix}/sbin/smbldap_conf.pm -perl -i -pe 's/_HOMEDRIVE_/H:/' %{prefix}/sbin/smbldap_conf.pm - -# FIXME: links should not be removed on upgrade -#%postun -#if [ $1 = 0 ] ; then -# rm -f /usr/lib/perl5/site_perl/smbldap_tools.pm -# rm -f /usr/lib/perl5/site_perl/smbldap_conf.pm -#fi - -%files -%defattr(-,root,root) -%{prefix}/sbin/*.pl -%{prefix}/sbin/smbldap_tools.pm -%config(noreplace) %{prefix}/sbin/smbldap_conf.pm -%{prefix}/sbin/mkntpwd -%doc 
/usr/share/doc/%{name}/ - - -%changelog -* Fri Nov 28 2003 Jerome Tournier 0.8.2-1 -- new smb.conf file as example configuration file -- see Changelog file for updates in scripts - diff --git a/examples/LDAP/smbldap-tools/smbldap-useradd.pl b/examples/LDAP/smbldap-tools/smbldap-useradd.pl deleted file mode 100755 index 918bd4a4f6..0000000000 --- a/examples/LDAP/smbldap-tools/smbldap-useradd.pl +++ /dev/null 
@@ -1,522 +0,0 @@ -#!/usr/bin/perl -w - -# This code was developped by IDEALX (http://IDEALX.org/) and -# contributors (their names can be found in the CONTRIBUTORS file). -# -# Copyright (C) 2002 IDEALX -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 2 -# of the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, -# USA. - -# Purpose of smbldap-useradd : user (posix,shadow,samba) add - -use strict; - -use FindBin; -use FindBin qw($RealBin); -use lib "$RealBin/"; -use smbldap_tools; -use smbldap_conf; - -##################### - -use Getopt::Std; -my %Options; - -my $ok = getopts('anmwPG:u:g:d:s:c:k:A:B:C:D:E:F:H:N:S:?', \%Options); - -if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) { - print "Usage: $0 [-awmugdsckGPABCDEFH?] username\n"; - print " -a is a Windows User (otherwise, Posix stuff only)\n"; - print " -w is a Windows Workstation (otherwise, Posix stuff only)\n"; - print " -u uid\n"; - print " -g gid\n"; - print " -G supplementary comma-separated groups\n"; - print " -n do not create a group\n"; - print " -d home\n"; - print " -s shell\n"; - print " -c gecos\n"; - print " -m creates home directory and copies /etc/skel\n"; - print " -k skeleton dir (with -m)\n"; - print " -P ends by invoking smbldap-passwd.pl\n"; - print " -A can change password ? 0 if no, 1 if yes\n"; - print " -B must change password ? 
0 if no, 1 if yes\n"; - print " -C sambaHomePath (SMB home share, like '\\\\PDC-SRV\\homes')\n"; - print " -D sambaHomeDrive (letter associated with home share, like 'H:')\n"; - print " -E sambaLogonScript (DOS script to execute on login)\n"; - print " -F sambaProfilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo')\n"; - print " -H sambaAcctFlags (samba account control bits like '[NDHTUMWSLKI]')\n"; - print " -N canonical name\n"; - print " -S surname\n"; - print " -? show this help message\n"; - exit (1); -} - - -# cause problems when dealing with getpwuid because of the -# negative ttl and ldap modification -my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1"; - -if ($nscd_status == 0) { - system "/etc/init.d/nscd stop > /dev/null 2>&1"; -} - - -# Read options -my $userUidNumber = $Options{'u'}; -if (!defined($userUidNumber)) { - # find first unused uid starting from $UID_START - while (defined(getpwuid($UID_START))) { - $UID_START++; - } - $userUidNumber = $UID_START; -} elsif (getpwuid($userUidNumber)) { - die "Uid already exists.\n"; -} - -if ($nscd_status == 0) { - system "/etc/init.d/nscd start > /dev/null 2>&1"; -} - - -my $createGroup = 0; -my $userGidNumber = $Options{'g'}; -# gid not specified ? 
-if (!defined($userGidNumber)) { - # windows machine => $_defaultComputerGid - if (defined($Options{'w'})) { - $userGidNumber = $_defaultComputerGid; - # } elsif (!defined($Options{'n'})) { - # create new group (redhat style) - # find first unused gid starting from $GID_START - # while (defined(getgrgid($GID_START))) { - # $GID_START++; - # } - # $userGidNumber = $GID_START; - - # $createGroup = 1; - - } else { - # user will have gid = $_defaultUserGid - $userGidNumber = $_defaultUserGid; - } -} else { - my $gid; - if (($gid = parse_group($userGidNumber)) < 0) { - print "$0: unknown group $userGidNumber\n"; - exit (6); - } - $userGidNumber = $gid; -} - -# Read only first @ARGV -my $userName = $ARGV[0]; - -# untaint $userName (can finish with one or two $) -if ($userName =~ /^([\w -]+\$?)$/) { - $userName = $1; -} else { - print "$0: illegal username\n"; - exit (1); -} - -# user must not exist in LDAP (should it be nss-wide ?) -my ($rc, $dn) = get_user_dn2($userName); -if ($rc and defined($dn)) { - print "$0: user $userName exists\n"; - exit (9); -} elsif (!$rc) { - print "$0: error in get_user_dn2\n"; - exit(10); -} - -my $group_entry; -my $userGroupSID; -my $userRid; -if ($Options{'a'}) { - # as grouprid we use the value of the sambaSID attribute for - # group of gidNumber=$userGidNumber - $group_entry = read_group_entry_gid($userGidNumber); - $userGroupSID = $group_entry->get_value('sambaSID'); - unless ($userGroupSID) { - print "$0: unknown group SID not set for unix group $userGidNumber\n"; - print "check if your unix group is mapped to an NT group\n"; - exit (7); - } - - # as rid we use 2 * uid + 1000 - $userRid = 2 * $userUidNumber + 1000; - # let's test if this SID already exist - my $user_sid="$SID-$userRid"; - my $test_exist_sid=does_sid_exist($user_sid,$usersdn); - if ($test_exist_sid->count == 1) { - print "User SID already owned by\n"; - # there should not exist more than one entry, but ... 
- foreach my $entry ($test_exist_sid->all_entries) { - my $dn= $entry->dn; - chomp($dn); - print "$dn\n"; - } - exit(7); - } -} - -my $userHomeDirectory; -my ($userCN, $userSN); -my $tmp; -if (!defined($userHomeDirectory = $Options{'d'})) { - $userHomeDirectory = $_userHomePrefix."/".$userName; -} -$_userLoginShell = $tmp if (defined($tmp = $Options{'s'})); -$_userGecos = $tmp if (defined($tmp = $Options{'c'})); -$_skeletonDir = $tmp if (defined($tmp = $Options{'k'})); -$userCN = ($Options{'c'} || $userName); -$userCN = $tmp if (defined($tmp = $Options{'N'})); -$userSN = $userName; -$userSN = $tmp if (defined($tmp = $Options{'S'})); - - -######################## - -my $ldap_master=connect_ldap_master(); - -# MACHINE ACCOUNT -if (defined($tmp = $Options{'w'})) { - - # add a trailing dollar if missing - if ($userName =~ /[^\$]$/s) { - $userName .= "\$"; - } - - #print "About to create machine $userName:\n"; - - if (!add_posix_machine ($userName, $userUidNumber, $userGidNumber)) { - die "$0: error while adding posix account\n"; - } - - if (!$with_smbpasswd) { - # (jtournier) - # Objectclass sambaSamAccount is now added directly by samba when joigning the domain (for samba3) - #if (!add_samba_machine_mkntpwd($userName, $userUidNumber)) { - # die "$0: error while adding samba account\n"; - #} - } else { - if (!add_samba_machine($userName)) { - die "$0: error while adding samba account\n"; - } - my $modify = $ldap_master->modify ( "$dn", - changes => [ - replace => [sambaAcctFlags => '[W ]'] - ] - ); - $modify->code && warn "failed to modify entry: ", $modify->error ; - } - - exit 0; -} - -# USER ACCOUNT -# add posix account first - -my $add = $ldap_master->add ("uid=$userName,$usersdn", - attr => [ - 'objectclass' => ['top','inetOrgPerson', 'posixAccount'], - 'cn' => "$userCN", - 'sn' => "$userSN", - 'uid' => "$userName", - 'uidNumber' => "$userUidNumber", - 'gidNumber' => "$userGidNumber", - 'homeDirectory' => "$userHomeDirectory", - 'loginShell' => "$_userLoginShell", 
- 'gecos' => "$_userGecos", - 'description' => "$_userGecos", - 'userPassword' => "{crypt}x" - ] - ); - -$add->code && warn "failed to add entry: ", $add->error ; - - -#if ($createGroup) { -# group_add($userName, $userGidNumber); -#} - -group_add_user($userGidNumber, $userName); - -my $grouplist; -# adds to supplementary groups -if (defined($grouplist = $Options{'G'})) { - add_grouplist_user($grouplist, $userName); -} - -# If user was created successfully then we should create his/her home dir -if (defined($tmp = $Options{'m'})) { - unless ( $userName =~ /\$$/ ) { - if ( !(-e $userHomeDirectory) ) { - system "mkdir $userHomeDirectory 2>/dev/null"; - system "cp -a $_skeletonDir/.[a-z,A-Z]* $_skeletonDir/* $userHomeDirectory 2>/dev/null"; - system "chown -R $userUidNumber:$userGidNumber $userHomeDirectory 2>/dev/null"; - system "chmod 700 $userHomeDirectory 2>/dev/null"; - } - } -} - - -# Add Samba user infos -if (defined($Options{'a'})) { - if (!$with_smbpasswd) { - - my $winmagic = 2147483647; - my $valpwdcanchange = 0; - my $valpwdmustchange = $winmagic; - my $valpwdlastset = 0; - my $valacctflags = "[UX]"; - - if (defined($tmp = $Options{'A'})) { - if ($tmp != 0) { - $valpwdcanchange = "0"; - } else { - $valpwdcanchange = "$winmagic"; - } - } - - if (defined($tmp = $Options{'B'})) { - if ($tmp != 0) { - $valpwdmustchange = "0"; - # To force a user to change his password: - # . the attribut sambaPwdLastSet must be != 0 - # . 
the attribut sambaAcctFlags must not match the 'X' flag - $valpwdlastset=$winmagic; - $valacctflags = "[U]"; - } else { - $valpwdmustchange = "$winmagic"; - } - } - - if (defined($tmp = $Options{'H'})) { - $valacctflags = "$tmp"; - } - - - my $modify = $ldap_master->modify ( "uid=$userName,$usersdn", - changes => [ - add => [objectClass => 'sambaSamAccount'], - add => [sambaPwdLastSet => "$valpwdlastset"], - add => [sambaLogonTime => '0'], - add => [sambaLogoffTime => '2147483647'], - add => [sambaKickoffTime => '2147483647'], - add => [sambaPwdCanChange => "$valpwdcanchange"], - add => [sambaPwdMustChange => "$valpwdmustchange"], - add => [displayName => "$_userGecos"], - add => [sambaAcctFlags => "$valacctflags"], - add => [sambaSID => "$SID-$userRid"] - ] - ); - - $modify->code && die "failed to add entry: ", $modify->error ; - - } else { - my $FILE="|smbpasswd -s -a $userName >/dev/null" ; - open (FILE, $FILE) || die "$!\n"; - print FILE <modify ( "uid=$userName,$usersdn", - changes => [ - add => [sambaPrimaryGroupSID => "$userGroupSID"], - add => [sambaHomeDrive => "$valhomedrive"], - add => [sambaLogonScript => "$valscriptpath"], - add => [sambaLMPassword => 'XXX'], - add => [sambaNTPassword => 'XXX'] - ] - ); - $modify = $ldap_master->modify ( "uid=$userName,$usersdn", - 'replace' => { @mods } - ); - - - $modify->code && die "failed to add entry: ", $modify->error ; - -} -$ldap_master->unbind; # take down session - - -if (defined($Options{'P'})) { - exec "/usr/local/sbin/smbldap-passwd.pl $userName" -} - -exit 0; - -######################################## - -=head1 NAME - -smbldap-useradd.pl - Create a new user or update default new - user information - -=head1 SYNOPSIS - -smbldap-useradd.pl [-c comment] [-d home_dir] - [-g initial_group] [-G group[,...]] - [-m [-k skeleton_dir]] - [-s shell] [-u uid [ -o]] [-P] - [-A canchange] [-B mustchange] [-C smbhome] - [-D homedrive] [-E scriptpath] [-F profilepath] - [-H acctflags] login - -=head1 DESCRIPTION - 
-Creating New Users - The smbldap-useradd.pl command creates a new user account using - the values specified on the command line and the default - values from the system. - The new user account will be entered into the system - files as needed, the home directory will be created, and - initial files copied, depending on the command line options. - - You have to use smbldap-passwd to set the user password. - For Samba users, rid is 2*uidNumber+1000, and primaryGroupID - is 2*gidNumber+1001. Thus you may want to use - smbldap-useradd.pl -a -g "Domain Admins" -u 500 Administrator - to create a sambaDomainName administrator (admin rid is 0x1F4 = 500 and - grouprid is 0x200 = 512) - - Without any option, the account created will be an Unix (Posix) - account. The following options may be used to add information: - --a The user will have a Samba account (and Unix). - - -w Creates an account for a Samba machine (Workstation), so that - it can join a sambaDomainName. - - -x Creates rid and primaryGroupID in hex (for Samba 2.2.2 bug). Else - decimal (2.2.2 patched from cvs or 2.2.x, x > 2) - - -c comment - The new user's comment field (gecos). - - -d home_dir - The new user will be created using home_dir as the value for the - user's login directory. The default is to append the login name - to default_home and use that as the login directory name. - - -g initial_group - The group name or number of the user's initial login group. The - group name must exist. A group number must refer to an already - existing group. The default group number is 1. - - -G group,[...] - A list of supplementary groups which the user is also a member - of. Each group is separated from the next by a comma, with no - intervening whitespace. The groups are subject to the same - restrictions as the group given with the -g option. The default - is for the user to belong only to the initial group. - - -m The user's home directory will be created if it does not exist. 
- The files contained in skeleton_dir will be copied to the home - directory if the -k option is used, otherwise the files con - tained in /etc/skel will be used instead. Any directories con - tained in skeleton_dir or /etc/skel will be created in the - user's home directory as well. The -k option is only valid in - conjunction with the -m option. The default is to not create - the directory and to not copy any files. - - -s shell - The name of the user's login shell. The default is to leave - this field blank, which causes the system to select the default - login shell. - - -u uid The numerical value of the user's ID. This value must be - unique, unless the -o option is used. The value must be non- - negative. The default is to use the smallest ID value greater - than 1000 and greater than every other user. - - -P ends by invoking smbldap-passwd.pl - - -A can change password ? 0 if no, 1 if yes - - -B must change password ? 0 if no, 1 if yes - - -C sambaHomePath (SMB home share, like '\\\\PDC-SRV\\homes') - - -D sambaHomeDrive (letter associated with home share, like 'H:') - - -E sambaLogonScript, relative to the [netlogon] share (DOS script to execute on login, like 'foo.bat') - - -F sambaProfilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo') - - -H sambaAcctFlags, spaces and trailing bracket are ignored (samba account control bits like '[NDHTUMWSLKI]') - - -N canonical name (defaults to gecos or username, if gecos not set) - - -S surname (defaults to username) - - -=head1 SEE ALSO - - useradd(1) - -=cut - -#' diff --git a/examples/LDAP/smbldap-tools/smbldap-userdel.pl b/examples/LDAP/smbldap-tools/smbldap-userdel.pl deleted file mode 100755 index f1e69e209c..0000000000 --- a/examples/LDAP/smbldap-tools/smbldap-userdel.pl +++ /dev/null 
@@ -1,125 +0,0 @@ -#!/usr/bin/perl - -# This code was developped by IDEALX (http://IDEALX.org/) and -# contributors (their names can be found in the CONTRIBUTORS file). -# -# Copyright (C) 2001-2002 IDEALX -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 2 -# of the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, -# USA. - -# Purpose of smbldap-userdel : user (posix,shadow,samba) deletion - -use strict; -use FindBin; -use FindBin qw($RealBin); -use lib "$RealBin/"; -use smbldap_tools; - - -##################### - -use Getopt::Std; -my %Options; - -my $ok = getopts('r?', \%Options); - -if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) { - print "Usage: $0 [-r?] 
username\n"; - print " -r remove home directory\n"; - exit (1); -} - -# Read only first @ARGV -my $user = $ARGV[0]; - -my $dn; -# user must not exist in LDAP -if (!defined($dn=get_user_dn($user))) { - print "$0: user $user does not exist\n"; - exit (6); -} - -if ($< != 0) { - print "You must be root to delete an user\n"; - exit (1); -} - -my $homedir; -if (defined($Options{'r'})) { - $homedir=get_homedir($user); -} - -# remove user from groups -my $groups = find_groups_of $user; -my @grplines = split(/\n/,$groups); - -my $grp; -foreach $grp (@grplines) { - my $gname = ""; - if ( $grp =~ /dn: cn=([^,]+),/) { - $gname = $1; - #print "xx $gname\n"; - } - if ($gname ne "") { - group_remove_member($gname, $user); - } -} - -# XXX -delete_user($user); - -# delete dir -- be sure that homeDir is not a strange value -if (defined($Options{'r'})) { - if ($homedir !~ /^\/dev/ and $homedir !~ /^\/$/) { - system "rm -rf $homedir"; - } -} - -my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1"; - -if ($nscd_status == 0) { - system "/etc/init.d/nscd restart > /dev/null 2>&1"; -} - -exit (0); - -############################################################ - -=head1 NAME - - smbldap-userdel.pl - Delete a user account and related files - -=head1 SYNOPSIS - - smbldap-userdel.pl [-r] login - -=head1 DESCRIPTION - - The smbldap-userdel.pl command modifies the system - account files, deleting all entries that refer to login. - The named user must exist. - - -r Files in the user's home directory will be removed along with - the home directory itself. Files located in other file - systems will have to be searched for and deleted manually. - -=head1 SEE ALSO - - userdel(1) - -=cut - -#' diff --git a/examples/LDAP/smbldap-tools/smbldap-usermod.pl b/examples/LDAP/smbldap-tools/smbldap-usermod.pl deleted file mode 100755 index 70151b7412..0000000000 --- a/examples/LDAP/smbldap-tools/smbldap-usermod.pl +++ /dev/null 
@@ -1,488 +0,0 @@ -#!/usr/bin/perl -w - -# This code was developped by IDEALX (http://IDEALX.org/) and -# contributors (their names can be found in the CONTRIBUTORS file). -# -# Copyright (C) 2001-2002 IDEALX -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 2 -# of the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, -# USA. - -# Purpose of smbldap-usermod : user (posix,shadow,samba) modification - -use strict; -use FindBin; -use FindBin qw($RealBin); -use lib "$RealBin/"; -use smbldap_tools; -use smbldap_conf; - -##################### - -use Getopt::Std; -my %Options; -my $nscd_status; - -my $ok = getopts('A:B:C:D:E:F:H:IJN:S:Pame:f:u:g:G:d:l:s:c:ok:?h', \%Options); -if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) || ($Options{'h'}) ) { - print "Usage: $0 [-awmugdsckxABCDEFGHI?h] username\n"; - print "Available options are:\n"; - print " -c gecos\n"; - print " -d home directory\n"; - #print " -m move home directory\n"; - #print " -f inactive days\n"; - print " -u uid\n"; - print " -o uid can be non unique\n"; - print " -g gid\n"; - print " -G supplementary groups (comma separated)\n"; - print " -l login name\n"; - print " -s shell\n"; - print " -N canonical name\n"; - print " -S surname\n"; - print " -P ends by invoking smbldap-passwd.pl\n"; - print " For samba users:\n"; - print " -a add sambaSamAccount objectclass\n"; - print " -e expire date (\"YYYY-MM-DD HH:MM:SS\")\n"; - 
print " -A can change password ? 0 if no, 1 if yes\n"; - print " -B must change password ? 0 if no, 1 if yes\n"; - print " -C sambaHomePath (SMB home share, like '\\\\PDC-SRV\\homes')\n"; - print " -D sambaHomeDrive (letter associated with home share, like 'H:')\n"; - print " -E sambaLogonScript (DOS script to execute on login)\n"; - print " -F sambaProfilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo')\n"; - print " -H sambaAcctFlags (samba account control bits like '[NDHTUMWSLKI]')\n"; - print " -I disable an user. Can't be used with -H or -J\n"; - print " -J enable an user. Can't be used with -H or -I\n"; - print " -?|-h show this help message\n"; - exit (1); -} - -if ($< != 0) { - print "You must be root to modify an user\n"; - exit (1); -} - -# Read only first @ARGV -my $user = $ARGV[0]; - -# Read user data -my $user_entry = read_user_entry($user); -if (!defined($user_entry)) { - print "$0: user $user doesn't exist\n"; - exit (1); -} - -my $samba = 0; -if (grep ($_ =~ /^sambaSamAccount$/i, $user_entry->get_value('objectClass'))) { - $samba = 1; -} - -# get the dn of the user -my $dn= $user_entry->dn(); - -my $tmp; -my @mods; -if (defined($tmp = $Options{'a'})) { - # Let's connect to the directory first - my $ldap_master=connect_ldap_master(); - my $winmagic = 2147483647; - my $valpwdcanchange = 0; - my $valpwdmustchange = $winmagic; - my $valpwdlastset = 0; - my $valacctflags = "[UX]"; - my $user_entry=read_user_entry($user); - my $uidNumber = $user_entry->get_value('uidNumber'); - my $userRid = 2 * $uidNumber + 1000; - # apply changes - my $modify = $ldap_master->modify ( "$dn", - changes => [ - add => [objectClass => 'sambaSamAccount'], - add => [sambaPwdLastSet => "$valpwdlastset"], - add => [sambaLogonTime => '0'], - add => [sambaLogoffTime => '2147483647'], - add => [sambaKickoffTime => '2147483647'], - add => [sambaPwdCanChange => "$valpwdcanchange"], - add => [sambaPwdMustChange => "$valpwdmustchange"], - add => [displayName => 
"$_userGecos"], - add => [sambaSID=> "$SID-$userRid"], - add => [sambaAcctFlags => "$valacctflags"], - ] - ); - $modify->code && warn "failed to modify entry: ", $modify->error ; -} - -# Process options -my $changed_uid; -my $_userUidNumber; -my $_userRid; -if (defined($tmp = $Options{'u'})) { - if (defined($Options{'o'})) { - $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1"; - - if ($nscd_status == 0) { - system "/etc/init.d/nscd stop > /dev/null 2>&1"; - } - - if (getpwuid($tmp)) { - if ($nscd_status == 0) { - system "/etc/init.d/nscd start > /dev/null 2>&1"; - } - - print "$0: uid number $tmp exists\n"; - exit (6); - } - if ($nscd_status == 0) { - system "/etc/init.d/nscd start > /dev/null 2>&1"; - } - - } - push(@mods, 'uidNumber', $tmp); - $_userUidNumber = $tmp; - if ($samba) { - # as rid we use 2 * uid + 1000 - my $_userRid = 2 * $_userUidNumber + 1000; - if (defined($Options{'x'})) { - $_userRid= sprint("%x", $_userRid); - } - push(@mods, 'sambaSID', $SID.'-'.$_userRid); - } - $changed_uid = 1; -} - -my $changed_gid; -my $_userGidNumber; -my $_userGroupSID; -if (defined($tmp = $Options{'g'})) { - $_userGidNumber = parse_group($tmp); - if ($_userGidNumber < 0) { - print "$0: group $tmp doesn't exist\n"; - exit (6); - } - push(@mods, 'gidNumber', $_userGidNumber); - if ($samba) { - # as grouprid we use the sambaSID attribute's value of the group - my $group_entry = read_group_entry_gid($_userGidNumber); - my $_userGroupSID = $group_entry->get_value('sambaSID'); - unless ($_userGroupSID) { - print "$0: unknown group SID not set for unix group $_userGidNumber\n"; - exit (7); - } - push(@mods, 'sambaPrimaryGroupSid', $_userGroupSID); - } - $changed_gid = 1; -} - -if (defined($tmp = $Options{'s'})) { - push(@mods, 'loginShell' => $tmp); -} - - -if (defined($tmp = $Options{'c'})) { - push(@mods, 'gecos' => $tmp, - 'description' => $tmp); - if ($samba == 1) { - push(@mods, 'displayName' => $tmp); - } -} - -if (defined($tmp = $Options{'d'})) { - 
push(@mods, 'homeDirectory' => $tmp); -} - -if (defined($tmp = $Options{'N'})) { - push(@mods, 'cn' => $tmp); -} - -if (defined($tmp = $Options{'S'})) { - push(@mods, 'sn' => $tmp); -} - -if (defined($tmp = $Options{'G'})) { - - # remove user from old groups - my $groups = find_groups_of $user; - my @grplines = split(/\n/,$groups); - - my $grp; - foreach $grp (@grplines) { - my $gname = ""; - if ( $grp =~ /dn: cn=([^,]+),/) { - $gname = $1; - #print "xx $gname\n"; - } - if ($gname ne "") { - group_remove_member($gname, $user); - } - } - - # add user to new groups - add_grouplist_user($tmp, $user); -} - -# -# A : sambaPwdCanChange -# B : sambaPwdMustChange -# C : sambaHomePath -# D : sambaHomeDrive -# E : sambaLogonScript -# F : sambaProfilePath -# H : sambaAcctFlags - -my $attr; -my $winmagic = 2147483647; - -$samba = is_samba_user($user); - -if (defined($tmp = $Options{'e'})) { - if ($samba == 1) { - my $kickoffTime=`date --date='$tmp' +%s`; - chomp($kickoffTime); - push(@mods, 'sambakickoffTime' => $kickoffTime); - } else { - print "User $user is not a samba user\n"; - } -} - -my $_sambaPwdCanChange; -if (defined($tmp = $Options{'A'})) { - if ($samba == 1) { - $attr = "sambaPwdCanChange"; - if ($tmp != 0) { - $_sambaPwdCanChange=0; - } else { - $_sambaPwdCanChange=$winmagic; - } - push(@mods, 'sambaPwdCanChange' => $_sambaPwdCanChange); - } else { - print "User $user is not a samba user\n"; - } -} - -my $_sambaPwdMustChange; -if (defined($tmp = $Options{'B'})) { - if ($samba == 1) { - if ($tmp != 0) { - $_sambaPwdMustChange=0; - # To force a user to change his password: - # . the attribut sambaPwdLastSet must be != 0 - # . 
the attribut sambaAcctFlags must not match the 'X' flag - my $_sambaAcctFlags; - my $flags = $user_entry->get_value('sambaAcctFlags'); - if ( $flags =~ /X/ ) { - my $letters; - if ($flags =~ /(\w+)/) { - $letters = $1; - } - $letters =~ s/X//; - $_sambaAcctFlags="\[$letters\]"; - push(@mods, 'sambaAcctFlags' => $_sambaAcctFlags); - } - my $_sambaPwdLastSet = $user_entry->get_value('sambaPwdLastSet'); - if ($_sambaPwdLastSet == 0) { - push(@mods, 'sambaPwdLastSet' => $winmagic); - } - } else { - $_sambaPwdMustChange=$winmagic; - } - push(@mods, 'sambaPwdMustChange' => $_sambaPwdMustChange); - } else { - print "User $user is not a samba user\n"; - } -} - -if (defined($tmp = $Options{'C'})) { - if ($samba == 1) { - #$tmp =~ s/\\/\\\\/g; - push(@mods, 'sambaHomePath' => $tmp); - } else { - print "User $user is not a samba user\n"; - } -} - -my $_sambaHomeDrive; -if (defined($tmp = $Options{'D'})) { - if ($samba == 1) { - $tmp = $tmp.":" unless ($tmp =~ /:/); - push(@mods, 'sambaHomeDrive' => $tmp); - } else { - print "User $user is not a samba user\n"; - } -} - -if (defined($tmp = $Options{'E'})) { - if ($samba == 1) { - #$tmp =~ s/\\/\\\\/g; - push(@mods, 'sambaLogonScript' => $tmp); - } else { - print "User $user is not a samba user\n"; - } -} - -if (defined($tmp = $Options{'F'})) { - if ($samba == 1) { - #$tmp =~ s/\\/\\\\/g; - push(@mods, 'sambaProfilePath' => $tmp); - } else { - print "User $user is not a samba user\n"; - } -} - -if ($samba == 1 and (defined $Options{'H'} or defined $Options{'I'} or defined $Options{'J'})) { - my $_sambaAcctFlags; - if (defined($tmp = $Options{'H'})) { - #$tmp =~ s/\\/\\\\/g; - $_sambaAcctFlags=$tmp; - } else { - # I or J - my $flags; - $flags = $user_entry->get_value('sambaAcctFlags'); - - if (defined($tmp = $Options{'I'})) { - if ( !($flags =~ /D/) ) { - my $letters; - if ($flags =~ /(\w+)/) { - $letters = $1; - } - $_sambaAcctFlags="\[D$letters\]"; - } - } elsif (defined($tmp = $Options{'J'})) { - if ( $flags =~ /D/ ) { - my 
$letters; - if ($flags =~ /(\w+)/) { - $letters = $1; - } - $letters =~ s/D//; - $_sambaAcctFlags="\[$letters\]"; - } - } - } - - - if ("$_sambaAcctFlags" ne '') { - push(@mods, 'sambaAcctFlags' => $_sambaAcctFlags); - } - -} elsif (!$samba == 1 and (defined $Options{'H'} or defined $Options{'I'} or defined $Options{'J'})) { - print "User $user is not a samba user\n"; -} - -# Let's connect to the directory first -my $ldap_master=connect_ldap_master(); - -# apply changes -my $modify = $ldap_master->modify ( "$dn", - 'replace' => { @mods } - ); -$modify->code && warn "failed to modify entry: ", $modify->error ; - -# take down session -$ldap_master->unbind; - -$nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1"; - -if ($nscd_status == 0) { - system "/etc/init.d/nscd restart > /dev/null 2>&1"; -} - -if (defined($Options{'P'})) { - exec "/usr/local/sbin/smbldap-passwd.pl $user" -} - - -############################################################ - -=head1 NAME - -smbldap-usermod.pl - Modify a user account - -=head1 SYNOPSIS - -smbldap-usermod.pl [-c comment] [-d home_dir] - [-g initial_group] [-G group[,...]] - [-l login_name] [-p passwd] - [-s shell] [-u uid [ -o]] [-x] - [-A canchange] [-B mustchange] [-C smbhome] - [-D homedrive] [-E scriptpath] [-F profilepath] - [-H acctflags] login - -=head1 DESCRIPTION - -The smbldap-usermod.pl command modifies the system account files - to reflect the changes that are specified on the command line. - The options which apply to the usermod command are - - -c comment - The new value of the user's comment field (gecos). - - -d home_dir - The user's new login directory. - - -g initial_group - The group name or number of the user's new initial login group. - The group name must exist. A group number must refer to an - already existing group. The default group number is 1. - - -G group,[...] - A list of supplementary groups which the user is also a member - of. 
Each group is separated from the next by a comma, with no - intervening whitespace. The groups are subject to the same - restrictions as the group given with the -g option. If the user - is currently a member of a group which is not listed, the user - will be removed from the group - - -l login_name - The name of the user will be changed from login to login_name. - Nothing else is changed. In particular, the user's home direc - tory name should probably be changed to reflect the new login - name. - - -s shell - The name of the user's new login shell. Setting this field to - blank causes the system to select the default login shell. - - -u uid The numerical value of the user's ID. This value must be - unique, unless the -o option is used. The value must be non- - negative. Any files which the user owns and which are - located in the directory tree rooted at the user's home direc - tory will have the file user ID changed automatically. Files - outside of the user's home directory must be altered manually. - - -x Creates rid and primaryGroupID in hex instead of decimal (for - Samba 2.2.2 unpatched only - higher versions always use decimal) - - -A can change password ? 0 if no, 1 if yes - - -B must change password ? 0 if no, 1 if yes - - -C sambaHomePath (SMB home share, like '\\\\PDC-SRV\\homes') - - -D sambaHomeDrive (letter associated with home share, like 'H:') - - -E sambaLogonScript, relative to the [netlogon] share (DOS script to execute on login, like 'foo.bat') - - -F sambaProfilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo') - - -H sambaAcctFlags, spaces and trailing bracket are ignored (samba account control bits like '[NDHTUMWSLKI]') - - -I disable user. Can't be used with -H or -J - - -J enable user. Can't be used with -H or -I - -=head1 SEE ALSO - - usermod(1) - -=cut - -#' diff --git a/examples/LDAP/smbldap-tools/smbldap-usershow.pl b/examples/LDAP/smbldap-tools/smbldap-usershow.pl deleted file mode 100755 index 173480d76c..0000000000 
--- a/examples/LDAP/smbldap-tools/smbldap-usershow.pl +++ /dev/null @@ -1,72 +0,0 @@ -#!/usr/bin/perl -w - -# This code was developped by IDEALX (http://IDEALX.org/) and -# contributors (their names can be found in the CONTRIBUTORS file). -# -# Copyright (C) 2001-2002 IDEALX -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 2 -# of the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, -# USA. - -# Purpose of smbldap-userdisplay : user (posix,shadow,samba) display - -use strict; -use FindBin; -use FindBin qw($RealBin); -use lib "$RealBin/"; -use smbldap_tools; - -use Getopt::Std; -my %Options; - -my $ok = getopts('?', \%Options); - -if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) { - print "Usage: $0 [-?] username\n"; - print " -? show this help message\n"; - exit (1); -} - -# Read only first @ARGV -my $user = $ARGV[0]; - -my $lines = read_user($user); -if (!defined($lines)) { - print "$0: user $user doesn't exist\n"; - exit (1); -} - -print "$lines\n"; - -exit(0); - -############################################################ - -=head1 NAME - - smbldap-usershow.pl - Show a user account informations - -=head1 SYNOPSIS - - smbldap-usershow.pl login - -=head1 DESCRIPTION - - The smbldap-usershow.pl command displays the informations - associated with the login. The named user must exist. - -=cut - -#' 
diff --git a/examples/LDAP/smbldap-tools/smbldap_conf.pm b/examples/LDAP/smbldap-tools/smbldap_conf.pm deleted file mode 100644 index 257c205a2c..0000000000 --- a/examples/LDAP/smbldap-tools/smbldap_conf.pm +++ /dev/null 
@@ -1,248 +0,0 @@ -#!/usr/bin/perl -use strict; -package smbldap_conf; - -# smbldap-tools.conf : Q & D configuration file for smbldap-tools - -# This code was developped by IDEALX (http://IDEALX.org/) and -# contributors (their names can be found in the CONTRIBUTORS file). -# -# Copyright (C) 2001-2002 IDEALX -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 2 -# of the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, -# USA. - -# Purpose : -# . 
be the configuration file for all smbldap-tools scripts - -use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS - $UID_START $GID_START $smbpasswd $slaveLDAP $masterLDAP - $slavePort $masterPort $ldapSSL $slaveURI $masterURI $with_smbpasswd $mk_ntpasswd - $ldap_path $ldap_opts $ldapmodify $suffix $usersdn $computersdn - $groupsdn $scope $binddn $bindpasswd - $slaveDN $slavePw $masterDN $masterPw - $_userLoginShell $_userHomePrefix $_userGecos - $_defaultUserGid $_defaultComputerGid - $_skeletonDir $_userSmbHome - $_userProfile $_userHomeDrive - $_userScript $usersou $computersou $groupsou $SID $hash_encrypt $_defaultMaxPasswordAge - ); - -use Exporter; -$VERSION = 1.00; -@ISA = qw(Exporter); - -@EXPORT = qw( - $UID_START $GID_START $smbpasswd $slaveLDAP $masterLDAP - $slavePort $masterPort $ldapSSL $slaveURI $masterURI $with_smbpasswd $mk_ntpasswd - $ldap_path $ldap_opts $ldapmodify $suffix $usersdn - $computersdn $groupsdn $scope $binddn $bindpasswd - $slaveDN $slavePw $masterDN $masterPw - $_userLoginShell $_userHomePrefix $_userGecos - $_defaultUserGid $_defaultComputerGid $_skeletonDir - $_userSmbHome $_userProfile $_userHomeDrive $_userScript - $usersou $computersou $groupsou $SID $hash_encrypt $_defaultMaxPasswordAge - ); - - -############################################################################## -# -# General Configuration -# -############################################################################## - -# UID and GID starting at... -$UID_START = 1000; -$GID_START = 1000; - -# Put your own SID -# to obtain this number do: "net getlocalsid" -$SID='S-1-5-21-3516781642-1962875130-3438800523'; - -############################################################################## -# -# LDAP Configuration -# -############################################################################## - -# Notes: to use to dual ldap servers backend for Samba, you must patch -# Samba with the dual-head patch from IDEALX. 
If not using this patch -# just use the same server for slaveLDAP and masterLDAP. -# Those two servers declarations can also be used when you have -# . one master LDAP server where all writing operations must be done -# . one slave LDAP server where all reading operations must be done -# (typically a replication directory) - -# Ex: $slaveLDAP = "127.0.0.1"; -$slaveLDAP = "127.0.0.1"; -$slavePort = "389"; - -# Master LDAP : needed for write operations -# Ex: $masterLDAP = "127.0.0.1"; -$masterLDAP = "127.0.0.1"; -$masterPort = "389"; - -# Use SSL for LDAP -# If set to "1", this option will use start_tls for connection -# (you should also used the port 389) -$ldapSSL = "0"; - -# LDAP Suffix -# Ex: $suffix = "dc=IDEALX,dc=ORG"; -$suffix = "dc=IDEALX,dc=COM"; - - -# Where are stored Users -# Ex: $usersdn = "ou=Users,$suffix"; for ou=Users,dc=IDEALX,dc=ORG -$usersou = q(_USERS_); -$usersdn = "ou=$usersou,$suffix"; - -# Where are stored Computers -# Ex: $computersdn = "ou=Computers,$suffix"; for ou=Computers,dc=IDEALX,dc=ORG -$computersou = q(_COMPUTERS_); -$computersdn = "ou=$computersou,$suffix"; - -# Where are stored Groups -# Ex $groupsdn = "ou=Groups,$suffix"; for ou=Groups,dc=IDEALX,dc=ORG -$groupsou = q(_GROUPS_); -$groupsdn = "ou=$groupsou,$suffix"; - -# Default scope Used -$scope = "sub"; - -# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) -$hash_encrypt="SSHA"; - -############################ -# Credential Configuration # -############################ -# Bind DN used -# Ex: $binddn = "cn=Manager,$suffix"; for cn=Manager,dc=IDEALX,dc=org -$binddn = "cn=Manager,$suffix"; - -# Bind DN passwd used -# Ex: $bindpasswd = 'secret'; for 'secret' -$bindpasswd = "secret"; - -# Notes: if using dual ldap patch, you can specify to different configuration -# By default, we will use the same DN (so it will work for standard Samba -# release) -$slaveDN = $binddn; -$slavePw = $bindpasswd; -$masterDN = $binddn; -$masterPw = $bindpasswd; - 
-############################################################################## -# -# Unix Accounts Configuration -# -############################################################################## - -# Login defs -# Default Login Shell -# Ex: $_userLoginShell = q(/bin/bash); -$_userLoginShell = q(_LOGINSHELL_); - -# Home directory prefix (without username) -# Ex: $_userHomePrefix = q(/home/); -$_userHomePrefix = q(_HOMEPREFIX_); - -# Gecos -$_userGecos = q(System User); - -# Default User (POSIX and Samba) GID -$_defaultUserGid = 513; - -# Default Computer (Samba) GID -$_defaultComputerGid = 553; - -# Skel dir -$_skeletonDir = q(/etc/skel); - -# Default password validation time (time in days) Comment the next line if -# you don't want password to be enable for $_defaultMaxPasswordAge days (be -# careful to the sambaPwdMustChange attribute's value) -$_defaultMaxPasswordAge = 45; - -############################################################################## -# -# SAMBA Configuration -# -############################################################################## - -# The UNC path to home drives location without the username last extension -# (will be dynamically prepended) -# Ex: q(\\\\My-PDC-netbios-name\\homes) for \\My-PDC-netbios-name\homes -# Just comment this if you want to use the smb.conf 'logon home' directive -# and/or desabling roaming profiles -$_userSmbHome = q(\\\\_PDCNAME_\\homes); - -# The UNC path to profiles locations without the username last extension -# (will be dynamically prepended) -# Ex: q(\\\\My-PDC-netbios-name\\profiles\\) for \\My-PDC-netbios-name\profiles -# Just comment this if you want to use the smb.conf 'logon path' directive -# and/or desabling roaming profiles -$_userProfile = q(\\\\_PDCNAME_\\profiles\\); - -# The default Home Drive Letter mapping -# (will be automatically mapped at logon time if home directory exist) -# Ex: q(U:) for U: -$_userHomeDrive = q(_HOMEDRIVE_); - -# The default user netlogon script name -# if not 
used, will be automatically username.cmd -# $_userScript = q(startup.cmd); # make sure script file is edited under dos - - -############################################################################## -# -# SMBLDAP-TOOLS Configuration (default are ok for a RedHat) -# -############################################################################## - -# Allows not to use smbpasswd (if $with_smbpasswd == 0 in smbldap_conf.pm) but -# prefer mkntpwd... most of the time, it's a wise choice :-) -$with_smbpasswd = 0; -$smbpasswd = "/usr/bin/smbpasswd"; -$mk_ntpasswd = "/usr/local/sbin/mkntpwd"; - -# those next externals commands are kept fot the migration scripts and -# for the populate script: this will be updated as soon as possible -$slaveURI = "ldap://$slaveLDAP:$slavePort"; -$masterURI = "ldap://$masterLDAP:$masterPort"; - -$ldap_path = "/usr/bin"; - -if ( $ldapSSL eq "0" ) { - $ldap_opts = "-x"; -} elsif ( $ldapSSL eq "1" ) { - $ldap_opts = "-x -Z"; -} else { - die "ldapSSL option must be either 0 or 1.\n"; -} - -#$ldapsearch = "$ldap_path/ldapsearch $ldap_opts -H $slaveURI -D '$slaveDN' -w '$slavePw'"; -#$ldapsearchnobind = "$ldap_path/ldapsearch $ldap_opts -H $slaveURI"; -$ldapmodify = "$ldap_path/ldapmodify $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'"; -#$ldappasswd = "$ldap_path/ldappasswd $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'"; -#$ldapadd = "$ldap_path/ldapadd $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'"; -#$ldapdelete = "$ldap_path/ldapdelete $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'"; -#$ldapmodrdn = "$ldap_path/ldapmodrdn $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'"; - - - -1; - -# - The End diff --git a/examples/LDAP/smbldap-tools/smbldap_tools.pm b/examples/LDAP/smbldap-tools/smbldap_tools.pm deleted file mode 100755 index d33a65b7d1..0000000000 --- a/examples/LDAP/smbldap-tools/smbldap_tools.pm +++ /dev/null 
@@ -1,771 +0,0 @@ -#! /usr/bin/perl -w -use strict; -package smbldap_tools; -use smbldap_conf; -use Net::LDAP; - -# This code was developped by IDEALX (http://IDEALX.org/) and -# contributors (their names can be found in the CONTRIBUTORS file). -# -# Copyright (C) 2001-2002 IDEALX -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 2 -# of the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, -# USA. - - -# ugly funcs using global variables and spawning openldap clients - -use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS); -use Exporter; -$VERSION = 1.00; - -@ISA = qw(Exporter); - -@EXPORT = qw( - get_user_dn - get_group_dn - is_group_member - is_samba_user - is_unix_user - is_user_valid - does_sid_exist - get_dn_from_line - add_posix_machine - add_samba_machine - add_samba_machine_mkntpwd - group_add_user - add_grouplist_user - disable_user - delete_user - group_add - group_del - get_homedir - read_user - read_user_entry - read_group - read_group_entry - read_group_entry_gid - find_groups_of - parse_group - group_remove_member - group_get_members - do_ldapadd - do_ldapmodify - get_user_dn2 - connect_ldap_master - connect_ldap_slave - group_type_by_name - ); - -sub connect_ldap_master - { - # bind to a directory with dn and password - my $ldap_master = Net::LDAP->new( - "$masterLDAP", - port => "$masterPort", - version => 3, - # debug => 0xffff, - ) - or die "erreur 
LDAP: Can't contact master ldap server ($@)"; - if ($ldapSSL == 1) { - $ldap_master->start_tls( - # verify => 'require', - # clientcert => 'mycert.pem', - # clientkey => 'mykey.pem', - # decryptkey => sub { 'secret'; }, - # capath => '/usr/local/cacerts/' - ); - } - $ldap_master->bind ( "$binddn", - password => "$masterPw" - ); - return($ldap_master); - } - -sub connect_ldap_slave - { - # bind to a directory with dn and password - my $ldap_slave = Net::LDAP->new( - "$slaveLDAP", - port => "$slavePort", - version => 3, - # debug => 0xffff, - ) - or die "erreur LDAP: Can't contact slave ldap server ($@)"; - if ($ldapSSL == 1) { - $ldap_slave->start_tls( - # verify => 'require', - # clientcert => 'mycert.pem', - # clientkey => 'mykey.pem', - # decryptkey => sub { 'secret'; }, - # capath => '/usr/local/cacerts/' - ); - } - $ldap_slave->bind ( "$binddn", - password => "$slavePw" - ); - return($ldap_slave); - } - -sub get_user_dn - { - my $user = shift; - my $dn=''; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( base => $suffix, - scope => $scope, - filter => "(&(objectclass=posixAccount)(uid=$user))" - ); - $mesg->code && die $mesg->error; - foreach my $entry ($mesg->all_entries) { - $dn= $entry->dn; - } - $ldap_slave->unbind; - chomp($dn); - if ($dn eq '') { - return undef; - } - $dn="dn: ".$dn; - return $dn; - } - - -sub get_user_dn2 - { - my $user = shift; - my $dn=''; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( base => $suffix, - scope => $scope, - filter => "(&(objectclass=posixAccount)(uid=$user))" - ); - $mesg->code && warn "failed to perform search; ", $mesg->error; - - foreach my $entry ($mesg->all_entries) { - $dn= $entry->dn; - } - $ldap_slave->unbind; - chomp($dn); - if ($dn eq '') { - return (1,undef); - } - $dn="dn: ".$dn; - return (1,$dn); - } - - -sub get_group_dn - { - my $group = shift; - my $dn=''; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( base => $groupsdn, - 
scope => $scope, - filter => "(&(objectclass=posixGroup)(|(cn=$group)(gidNumber=$group)))" - ); - $mesg->code && die $mesg->error; - foreach my $entry ($mesg->all_entries) { - $dn= $entry->dn; - } - $ldap_slave->unbind; - chomp($dn); - if ($dn eq '') { - return undef; - } - $dn="dn: ".$dn; - return $dn; - } - -# return (success, dn) -# bool = is_samba_user($username) -sub is_samba_user - { - my $user = shift; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( base => $suffix, - scope => $scope, - filter => "(&(objectClass=sambaSamAccount)(uid=$user))" - ); - $mesg->code && die $mesg->error; - $ldap_slave->unbind; - return ($mesg->count ne 0); - } - -sub is_unix_user - { - my $user = shift; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( base => $suffix, - scope => $scope, - filter => "(&(objectClass=posixAccount)(uid=$user))" - ); - $mesg->code && die $mesg->error; - $ldap_slave->unbind; - return ($mesg->count ne 0); - } - -sub is_group_member - { - my $dn_group = shift; - my $user = shift; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( base => $dn_group, - scope => 'base', - filter => "(&(memberUid=$user))" - ); - $mesg->code && die $mesg->error; - $ldap_slave->unbind; - return ($mesg->count ne 0); - } - -# all entries = does_sid_exist($sid,$scope) -sub does_sid_exist - { - my $sid = shift; - my $dn_group=shift; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( base => $dn_group, - scope => $scope, - filter => "(sambaSID=$sid)" - #filter => "(&(objectClass=sambaSamAccount|objectClass=sambaGroupMapping)(sambaSID=$sid))" - ); - $mesg->code && die $mesg->error; - $ldap_slave->unbind; - return ($mesg); - } - -# try to bind with user dn and password to validate current password -sub is_user_valid - { - my ($user, $dn, $pass) = @_; - my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; - my $mesg= $ldap->bind (dn => $dn, password => $pass ); - if ($mesg->code eq 0) 
{ - $ldap->unbind; - return 1; - } else { - if ($ldap->bind()) { - $ldap->unbind; - return 0; - } else { - print ("The LDAP directory is not available.\n Check the server, cables ..."); - $ldap->unbind; - return 0; - } - die "Problem : contact your administrator"; - } - } - - -# dn = get_dn_from_line ($dn_line) -# helper to get "a=b,c=d" from "dn: a=b,c=d" -sub get_dn_from_line - { - my $dn = shift; - $dn =~ s/^dn: //; - return $dn; - } - - -# success = add_posix_machine($user, $uid, $gid) -sub add_posix_machine - { - my ($user, $uid, $gid) = @_; - # bind to a directory with dn and password - my $ldap_master=connect_ldap_master(); - my $add = $ldap_master->add ( "uid=$user,$computersdn", - attr => [ - 'objectclass' => ['top','inetOrgPerson', 'posixAccount'], - 'cn' => "$user", - 'sn' => "$user", - 'uid' => "$user", - 'uidNumber' => "$uid", - 'gidNumber' => "$gid", - 'homeDirectory' => '/dev/null', - 'loginShell' => '/bin/false', - 'description' => 'Computer', - ] - ); - - $add->code && warn "failed to add entry: ", $add->error ; - # take down the session - $ldap_master->unbind; - - } - - -# success = add_samba_machine($computername) -sub add_samba_machine - { - my $user = shift; - system "smbpasswd -a -m $user"; - return 1; - } - -sub add_samba_machine_mkntpwd - { - my ($user, $uid) = @_; - my $sambaSID = 2 * $uid + 1000; - my $name = $user; - $name =~ s/.$//s; - - if ($mk_ntpasswd eq '') { - print "Either set \$with_smbpasswd = 1 or specify \$mk_ntpasswd\n"; - return 0; - } - - my $ntpwd = `$mk_ntpasswd '$name'`; - chomp(my $lmpassword = substr($ntpwd, 0, index($ntpwd, ':'))); - chomp(my $ntpassword = substr($ntpwd, index($ntpwd, ':')+1)); - - my $ldap_master=connect_ldap_master(); - my $modify = $ldap_master->modify ( "uid=$user,$computersdn", - changes => [ - replace => [objectClass => ['inetOrgPerson', 'posixAccount', 'sambaSamAccount']], - add => [sambaPwdLastSet => '0'], - add => [sambaLogonTime => '0'], - add => [sambaLogoffTime => '2147483647'], - add => 
[sambaKickoffTime => '2147483647'], - add => [sambaPwdCanChange => '0'], - add => [sambaPwdMustChange => '0'], - add => [sambaAcctFlags => '[W ]'], - add => [sambaLMPassword => "$lmpassword"], - add => [sambaNTPassword => "$ntpassword"], - add => [sambaSID => "$SID-$sambaSID"], - add => [sambaPrimaryGroupSID => "$SID-0"] - ] - ); - - $modify->code && die "failed to add entry: ", $modify->error ; - - return 1; - # take down the session - $ldap_master->unbind; - - } - - -sub group_add_user - { - my ($group, $userid) = @_; - my $members=''; - my $dn_line = get_group_dn($group); - if (!defined(get_group_dn($group))) { - print "$0: group \"$group\" doesn't exist\n"; - exit (6); - } - if (!defined($dn_line)) { - return 1; - } - my $dn = get_dn_from_line("$dn_line"); - # on look if the user is already present in the group - my $is_member=is_group_member($dn,$userid); - if ($is_member == 1) { - print "User \"$userid\" already member of the group \"$group\".\n"; - } else { - # bind to a directory with dn and password - my $ldap_master=connect_ldap_master(); - # It does not matter if the user already exist, Net::LDAP will add the user - # if he does not exist, and ignore him if his already in the directory. 
- my $modify = $ldap_master->modify ( "$dn", - changes => [ - add => [memberUid => $userid] - ] - ); - $modify->code && die "failed to modify entry: ", $modify->error ; - # take down session - $ldap_master->unbind; - } - } - -sub group_del - { - my $group_dn=shift; - # bind to a directory with dn and password - my $ldap_master=connect_ldap_master(); - my $modify = $ldap_master->delete ($group_dn); - $modify->code && die "failed to delete group : ", $modify->error ; - # take down session - $ldap_master->unbind; - } - -sub add_grouplist_user - { - my ($grouplist, $user) = @_; - my @array = split(/,/, $grouplist); - foreach my $group (@array) { - group_add_user($group, $user); - } - } - -sub disable_user - { - my $user = shift; - my $dn_line; - my $dn = get_dn_from_line($dn_line); - - if (!defined($dn_line = get_user_dn($user))) { - print "$0: user $user doesn't exist\n"; - exit (10); - } - my $ldap_master=connect_ldap_master(); - my $modify = $ldap_master->modify ( "$dn", - changes => [ - replace => [userPassword => '{crypt}!x'] - ] - ); - $modify->code && die "failed to modify entry: ", $modify->error ; - - if (is_samba_user($user)) { - my $modify = $ldap_master->modify ( "$dn", - changes => [ - replace => [sambaAcctFlags => '[D ]'] - ] - ); - $modify->code && die "failed to modify entry: ", $modify->error ; - } - # take down session - $ldap_master->unbind; - } - -# delete_user($user) -sub delete_user - { - my $user = shift; - my $dn_line; - - if (!defined($dn_line = get_user_dn($user))) { - print "$0: user $user doesn't exist\n"; - exit (10); - } - - my $dn = get_dn_from_line($dn_line); - my $ldap_master=connect_ldap_master(); - my $modify = $ldap_master->delete($dn); - $ldap_master->unbind; - } - -# $gid = group_add($groupname, $group_gid, $force_using_existing_gid) -sub group_add - { - my ($gname, $gid, $force) = @_; - my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1"; - if ($nscd_status == 0) { - system "/etc/init.d/nscd stop > /dev/null 2>&1"; 
- } - if (!defined($gid)) { - while (defined(getgrgid($GID_START))) { - $GID_START++; - } - $gid = $GID_START; - } else { - if (!defined($force)) { - if (defined(getgrgid($gid))) { - return undef; - } - } - } - if ($nscd_status == 0) { - system "/etc/init.d/nscd start > /dev/null 2>&1"; - } - my $ldap_master=connect_ldap_master(); - my $modify = $ldap_master->add ( "cn=$gname,$groupsdn", - attrs => [ - objectClass => 'posixGroup', - cn => "$gname", - gidNumber => "$gid" - ] - ); - - $modify->code && die "failed to add entry: ", $modify->error ; - # take down session - $ldap_master->unbind; - return $gid; - } - -# $homedir = get_homedir ($user) -sub get_homedir - { - my $user = shift; - my $homeDir=''; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( - base =>$suffix, - scope => $scope, - filter => "(&(objectclass=posixAccount)(uid=$user))" - ); - $mesg->code && die $mesg->error; - foreach my $entry ($mesg->all_entries) { - foreach my $attr ($entry->attributes) { - if ($attr=~/\bhomeDirectory\b/) { - foreach my $ent ($entry->get_value($attr)) { - $homeDir.= $attr.": ".$ent."\n"; - } - } - } - } - $ldap_slave->unbind; - chomp $homeDir; - if ($homeDir eq '') { - return undef; - } - $homeDir =~ s/^homeDirectory: //; - return $homeDir; - } - -# search for an user -sub read_user - { - my $user = shift; - my $lines =''; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( # perform a search - base => $suffix, - scope => $scope, - filter => "(&(objectclass=posixAccount)(uid=$user))" - ); - - $mesg->code && die $mesg->error; - foreach my $entry ($mesg->all_entries) { - $lines.= "dn: " . 
$entry->dn."\n"; - foreach my $attr ($entry->attributes) { - { - $lines.= $attr.": ".join(',', $entry->get_value($attr))."\n"; - } - } - } - # take down session - $ldap_slave->unbind; - chomp $lines; - if ($lines eq '') { - return undef; - } - return $lines; - } - -# search for a user -# return the attributes in an array -sub read_user_entry - { - my $user = shift; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( # perform a search - base => $suffix, - scope => $scope, - filter => "(&(objectclass=posixAccount)(uid=$user))" - ); - - $mesg->code && die $mesg->error; - my $entry = $mesg->entry(); - $ldap_slave->unbind; - return $entry; - } - -# search for a group -sub read_group - { - my $user = shift; - my $lines =''; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( # perform a search - base => $groupsdn, - scope => $scope, - filter => "(&(objectclass=posixGroup)(cn=$user))" - ); - - $mesg->code && die $mesg->error; - foreach my $entry ($mesg->all_entries) { - $lines.= "dn: " . 
$entry->dn."\n"; - foreach my $attr ($entry->attributes) { - { - $lines.= $attr.": ".join(',', $entry->get_value($attr))."\n"; - } - } - } - # take down session - $ldap_slave->unbind; - chomp $lines; - if ($lines eq '') { - return undef; - } - return $lines; - } - -# find groups of a given user -##### MODIFIE ######## -sub find_groups_of - { - my $user = shift; - my $lines =''; - my $ldap_slave=connect_ldap_slave; - my $mesg = $ldap_slave->search ( # perform a search - base => $groupsdn, - scope => $scope, - filter => "(&(objectclass=posixGroup)(memberuid=$user))" - ); - $mesg->code && die $mesg->error; - foreach my $entry ($mesg->all_entries) { - $lines.= "dn: ".$entry->dn."\n"; - } - $ldap_slave->unbind; - chomp($lines); - if ($lines eq '') { - return undef; - } - return $lines; - } - -sub read_group_entry { - my $group = shift; - my $entry; - my %res; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( # perform a search - base => $groupsdn, - scope => $scope, - filter => "(&(objectclass=posixGroup)(cn=$group))" - ); - - $mesg->code && die $mesg->error; - my $nb=$mesg->count; - if ($nb > 1) { - print "Error: $nb groups exist \"cn=$group\"\n"; - foreach $entry ($mesg->all_entries) { my $dn=$entry->dn; print " $dn\n"; } - exit 11; - } else { - $entry = $mesg->shift_entry(); - } - return $entry; -} - -sub read_group_entry_gid { - my $group = shift; - my %res; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( # perform a search - base => $groupsdn, - scope => $scope, - filter => "(&(objectclass=posixGroup)(gidNumber=$group))" - ); - - $mesg->code && die $mesg->error; - my $entry = $mesg->shift_entry(); - return $entry; -} - -# return the gidnumber for a group given as name or gid -# -1 : bad group name -# -2 : bad gidnumber -sub parse_group - { - my $userGidNumber = shift; - if ($userGidNumber =~ /[^\d]/ ) { - my $gname = $userGidNumber; - my $gidnum = getgrnam($gname); - if ($gidnum !~ /\d+/) { - return -1; - } else { - 
$userGidNumber = $gidnum; - } - } elsif (!defined(getgrgid($userGidNumber))) { - return -2; - } - return $userGidNumber; - } - -# remove $user from $group -sub group_remove_member - { - my ($group, $user) = @_; - my $members=''; - my $grp_line = get_group_dn($group); - if (!defined($grp_line)) { - return 0; - } - my $dn = get_dn_from_line($grp_line); - # we test if the user exist in the group - my $is_member=is_group_member($dn,$user); - if ($is_member == 1) { - my $ldap_master=connect_ldap_master(); - # delete only the user from the group - my $modify = $ldap_master->modify ( "$dn", - changes => [ - delete => [memberUid => ["$user"]] - ] - ); - $modify->code && die "failed to delete entry: ", $modify->error ; - $ldap_master->unbind; - } - return 1; - } - -sub group_get_members - { - my ($group) = @_; - my $members; - my @resultat; - my $grp_line = get_group_dn($group); - if (!defined($grp_line)) { - return 0; - } - - my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; - $ldap->bind ; - my $mesg = $ldap->search ( - base => $groupsdn, - scope => $scope, - filter => "(&(objectclass=posixgroup)(cn=$group))" - ); - $mesg->code && die $mesg->error; - foreach my $entry ($mesg->all_entries) { - foreach my $attr ($entry->attributes) { - if ($attr=~/\bmemberUid\b/) { - foreach my $ent ($entry->get_value($attr)) { - push (@resultat,$ent); - } - } - } - } - return @resultat; - } - -sub do_ldapmodify - { - my $ldif = shift; - my $FILE = "|$ldapmodify -r >/dev/null"; - open (FILE, $FILE) || die "$!\n"; - print FILE < 2, - 'local' => 4, - 'builtin' => 5 - ); - return $groupmap{$type_name}; -} - - - -1; - -- cgit From b4afdc08d5336e4a337e453443d7af1d8655a31a Mon Sep 17 00:00:00 2001 
From: Günther Deschner Date: Sat, 22 Jan 2005 03:37:09 +0000 Subject: r4925: Migrate Account Policies to passdb (esp. replicating ldapsam). Does automated migration from account_policy.tdb v1 and v2 and offers a pdbedit-Migration interface. Jerry, please feel free to revert that if you have other plans. Guenther (This used to be commit 75af83dfcd8ef365b4b1180453060ae5176389f5) --- examples/LDAP/samba.schema | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index 7dc4de54b3..997e79f698 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema @@ -389,6 +389,16 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +attributetype ( 1.3.6.1.4.1.7165.2.1.56 NAME 'sambaAccountPolicyName' + DESC 'Account Policy Name' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.57 NAME 'sambaAccountPolicyValue' + DESC 'Account Policy Value' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + ####################################################################### ## objectClasses used by Samba 3.0 schema ## @@ -478,3 +488,8 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.13 NAME 'sambaPrivilege' SUP top AUXILIARY MUST ( sambaSID ) MAY ( sambaPrivilegeList ) ) +objectclass ( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaAccountPolicy' SUP top STRUCTURAL + DESC 'Samba Account Policy' + MUST ( sambaAccountPolicyName $ sambaAccountPolicyValue ) + MAY ( description ) ) + -- cgit From b1288c61a9fde624db7ed945de723dc7193632ee Mon Sep 17 00:00:00 2001 
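Review bot: The new sambaAccountPolicy objectclass in the second hunk says nothing about how its entries are named or where in the tree Samba expects them, which an administrator needs before writing ACLs for them; a comment above the objectclass such as `## one entry per policy; these values drive lockout and password rules, so keep write access to Samba's own bind DN` would cover it. The naming attribute is presumably sambaAccountPolicyName, but that is an inference from the MUST list, so confirm it against the passdb code before documenting it. The sambaAccountPolicyName attribute in the first hunk would benefit from the same treatment, since nothing in the schema constrains it to the policy names Samba recognises.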
From: Gerald Carter Date: Mon, 24 Jan 2005 17:42:19 +0000 Subject: r4965: comment out some unused attributes and oc's (This used to be commit d95c9c4d74ea2fb7e5aac4a58888ab6fbc571dfb) --- examples/LDAP/samba.schema | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index 997e79f698..9cfa0dd7eb 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema @@ -376,13 +376,13 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) -attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName' - SUP name ) +##attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName' +## SUP name ) -attributetype ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList' - DESC 'Privileges List' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} ) +##attributetype ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList' +## DESC 'Privileges List' +## EQUALITY caseIgnoreIA5Match +## SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} ) attributetype ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags' DESC 'Trust Password Flags' @@ -483,10 +483,11 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' SUP top STRUCTURA sambaStringListoption $ description ) ) -objectclass ( 1.3.6.1.4.1.7165.2.2.13 NAME 'sambaPrivilege' SUP top AUXILIARY - DESC 'Samba Privilege' - MUST ( sambaSID ) - MAY ( sambaPrivilegeList ) ) +## retired during privilege rewrite +##objectclass ( 1.3.6.1.4.1.7165.2.2.13 NAME 'sambaPrivilege' SUP top AUXILIARY +## DESC 'Samba Privilege' +## MUST ( sambaSID ) +## MAY ( sambaPrivilegeList ) ) objectclass ( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaAccountPolicy' SUP top STRUCTURAL DESC 'Samba Account Policy' -- cgit From 575ff396254cc433b8b73a9d8d2e649dde9b364d Mon Sep 17 00:00:00 2001 
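Review bot: The "retired during privilege rewrite" comment is attached only to the sambaPrivilege objectclass in the second hunk; the two attribute types commented out in the first hunk (OIDs 1.3.6.1.4.1.7165.2.1.50 and 1.3.6.1.4.1.7165.2.1.52) carry no explanation, so a later editor could take their OIDs as free. A one-line note above each, `## retired during privilege rewrite - OID stays reserved, do not reuse`, keeps the attribute arc consistent with the objectclass arc.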
From: Gerald Carter Date: Fri, 28 Jan 2005 17:36:41 +0000 Subject: r5060: BUG 2286: fix typoe on sambaConfig oc definition (This used to be commit e2ce048654fdb98a50622ac60abae18c6b6ba4d2) --- examples/LDAP/samba.schema | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index 9cfa0dd7eb..2205c17309 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema @@ -467,7 +467,7 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL DESC 'Structural Class for a SID' MUST ( sambaSID ) ) -objectclass ( 1.3.6.1.4.1.7165.1.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY +objectclass ( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY DESC 'Samba Configuration Section' MAY ( description ) ) -- cgit From df529258657108eac450bc0f2bc872d4af8c6f70 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 31 Jan 2005 13:26:00 +0000 Subject: r5132: netscape DS 5.2 schema update from Richard Renard (This used to be commit 33ac88c6a7bfe4e6d391b841bd4461086af27e4e) --- examples/LDAP/samba-schema-netscapeds5.x | 40 +++++++++++++++++++------------- 1 file changed, 24 insertions(+), 16 deletions(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba-schema-netscapeds5.x b/examples/LDAP/samba-schema-netscapeds5.x index 56f66a54a5..1e0d18b6ba 100644 --- a/examples/LDAP/samba-schema-netscapeds5.x +++ b/examples/LDAP/samba-schema-netscapeds5.x @@ -2,6 +2,9 @@ ## Darren Chew ## Andre Fiebach ## Thomas Mueller 12.04.2003, thomas.mueller@christ-wasser.de +## Richard Renard rrenard@idealx.com 2005-01-28 +## - added support for MungedDial, BadPasswordCount, BadPasswordTime, PasswordHistory, LogonHours +## - in Sun One 5.2 copy it as 99samba-schema-netscapeds5.ldif ## ## Samba 3.0 schema file for Netscape DS 5.x ## 
@@ -9,22 +12,22 @@ #################################################################### # Sun One DS do not load the schema without this lines # André Fiebach -dn: cn=schema -objectClass: top -objectClass: ldapSubentry -objectClass: subschema -cn: schema -aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo - us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";) -aci: (targetattr = "*")(version 3.0; acl "Configuration Administrator"; allow - (all) userdn = "ldap:///uid=admin,ou=Administrators, ou=TopologyManagement, - o=NetscapeRoot";) -aci: (targetattr = "*")(version 3.0; acl "Local Directory Administrators Group - "; allow (all) groupdn = "ldap:///cn=Directory Administrators, dc=samba,dc=org";) -aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)groupdn = "ld - ap:///cn=slapd-sambaldap, cn=iPlanet Directory Server, cn=Server Group, cn=iPlanetDirectory.samba.org, ou=samba.org, o=NetscapeRoot";) -#################################################################### -objectClasses: ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY DESC 'Samba 3.0 Auxilary SAM Account' MUST ( uid $ sambaSID ) MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGroupSID $ sambaDomainName ) X-ORIGIN 'user defined' ) +dn: cn=schema +objectClass: top +objectClass: ldapSubentry +objectClass: subschema +cn: schema +aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo + us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";) +aci: (targetattr = "*")(version 3.0; acl "Configuration Administrator"; allow + (all) userdn = "ldap:///uid=admin,ou=Administrators, ou=TopologyManagement, + o=NetscapeRoot";) +aci: (targetattr = 
"*")(version 3.0; acl "Local Directory Administrators Group + "; allow (all) groupdn = "ldap:///cn=Directory Administrators, dc=samba,dc=org";) +aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)groupdn = "ld + ap:///cn=slapd-sambaldap, cn=iPlanet Directory Server, cn=Server Group, cn=iPlanetDirectory.samba.org, ou=samba.org, o=NetscapeRoot";) +#################################################################### +objectClasses: ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY DESC 'Samba 3.0 Auxilary SAM Account' MUST ( uid $ sambaSID ) MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $ sambaBadPasswordCount $ sambaBadPasswordTime $ sambaPasswordHistory $ sambaLogonHours) X-ORIGIN 'user defined' ) objectClasses: ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY DESC 'Samba Group Mapping' MUST ( gidNumber $ sambaSID $ sambaGroupType ) MAY ( displayName $ description ) X-ORIGIN 'user defined' ) objectClasses: ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL DESC 'Samba Domain Information' MUST ( sambaDomainName $ sambaSID ) MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithmicRidBase ) X-ORIGIN 'user defined' ) objectClasses: ( 1.3.6.1.4.1.7165.1.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY DESC 'Pool for allocating UNIX uids/gids' MUST ( uidNumber $ gidNumber ) X-ORIGIN 'user defined' ) 
@@ -45,6 +48,11 @@ attributeTypes: ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath' DESC 'Roaming attributeTypes: ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations' DESC 'List of user workstations the user is allowed to logon to' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE X-ORIGIN 'user defined' ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath' DESC 'Home directory UNC path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' DESC 'Windows NT domain to which the user belongs' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC '' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount' DESC 'Bad password attempt count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime' DESC 'Time of the last bad password attempt' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' DESC 'Concatenated MD4 hashes of the unicode passwords used on this account' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours' DESC 'Logon Hours' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE X-ORIGIN 'user defined' ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID' DESC 'Primary Group Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE X-ORIGIN 'user defined' ) 
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC 'NT Group Type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) -- cgit From a3ee24ec7f9a6a4497e2e26eed1bf769990588a8 Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Tue, 1 Mar 2005 14:00:25 +0000 Subject: r5600: Bring IBM Directory Server schema up to date with openldap schema (This used to be commit 639de6afc09709774fbcce1a8149bde172bd542e) --- examples/LDAP/samba.schema.at.IBM-DS | 30 +++++++++++++++++++++++++++++- examples/LDAP/samba.schema.oc.IBM-DS | 12 ++++++++++-- 2 files changed, 39 insertions(+), 3 deletions(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema.at.IBM-DS b/examples/LDAP/samba.schema.at.IBM-DS index b2c3c875dc..7c9c30da46 100644 --- a/examples/LDAP/samba.schema.at.IBM-DS +++ b/examples/LDAP/samba.schema.at.IBM-DS 
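Review bot: The new sambaPasswordHistory line bounds the value at `{32}` while its DESC says the value is a concatenation of MD4 hashes, so any history longer than a single 32-hex-digit hash exceeds the declared length; later commits on this page raise the same bound for eDirectory to 64 and then 1024 for exactly that reason. If Sun/Netscape DS enforces the length (OpenLDAP treats it as a hint), writes with more than one entry would be rejected, so consider `SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{1024}` or at least a comment saying the bound is advisory. The sambaMungedDial line ships with an empty `DESC ''`, which a later commit on this page has to fill in; either drop the empty DESC or give it text now.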
@@ -44,4 +44,32 @@ attributetypes=( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' DESC 'Next NT rid t attributetypes=( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase' DESC 'Base at which the samba RID generation algorithm should operate' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -attributetypes=( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC '' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) +attributetypes=( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName' DESC 'Share Name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName' DESC 'Option Name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption' DESC 'A boolean option' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption' DESC 'An integer option' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption' DESC 'A string option' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption' DESC 'A string list option' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC 'munged dial' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount' DESC 'Bad password attempt count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime' DESC 'Time of the last bad password attempt' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE 
) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList' DESC 'Security ID List' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags' DESC 'Trust Password Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' DESC 'Concatenated MD4 hashes of the unicode passwords used on this account' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours' DESC 'Logon Hours' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.56 NAME 'sambaAccountPolicyName' DESC 'Account Policy Name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.57 NAME 'sambaAccountPolicyValue' DESC 'Account Policy Value' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) diff --git a/examples/LDAP/samba.schema.oc.IBM-DS b/examples/LDAP/samba.schema.oc.IBM-DS index 86e1dee0ac..2b00a5e8c6 100644 --- a/examples/LDAP/samba.schema.oc.IBM-DS +++ b/examples/LDAP/samba.schema.oc.IBM-DS 
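Review bot: sambaBoolOption declares `EQUALITY integerMatch` together with the Boolean syntax `1.3.6.1.4.1.1466.115.121.1.7`; integerMatch is defined for the INTEGER syntax (...121.1.27), so the line should read `EQUALITY booleanMatch`, or the syntax should change to INTEGER, depending on what Samba actually stores — as written the server may refuse the definition or index the attribute incorrectly. sambaPasswordHistory repeats the `{32}` bound on a value its DESC calls concatenated hashes; later commits on this page raise that to 64 and 1024 in the NDS schema, so it is worth aligning here. sambaMungedDial's new DESC 'munged dial' only restates the name; a description of what the value carries would be more useful.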
@@ -1,8 +1,8 @@ ## Samba 3.0 schema for IBM Directory Server 5.1 - object classes only -objectclasses=( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY DESC 'Samba 3.0 Auxilary SAM Account' MUST ( uid $ sambaSID ) MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial )) +objectclasses=( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY DESC 'Samba 3.0 Auxilary SAM Account' MUST ( uid $ sambaSID ) MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $ sambaBadPasswordCount $ sambaBadPasswordTime $ sambaPasswordHistory $ sambaLogonHours)) -objectclasses=( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY DESC 'Samba Group Mapping' MUST ( gidNumber $ sambaSID $ sambaGroupType ) MAY ( displayName $ description )) +objectclasses=( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY DESC 'Samba Group Mapping' MUST ( gidNumber $ sambaSID $ sambaGroupType ) MAY ( displayName $ description $ sambaSIDList )) objectclasses=( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL DESC 'Samba Domain Information' MUST ( sambaDomainName $ sambaSID ) MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithmicRidBase ) ) 
@@ -12,4 +12,12 @@ objectclasses=( 1.3.6.1.4.1.7165.1.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIAR objectclasses=( 1.3.6.1.4.1.7165.1.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL DESC 'Structural Class for a SID' MUST ( sambaSID ) ) +objectclasses=( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY DESC 'Samba Configuration Section' MAY ( description ) ) +objectclasses=( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' SUP top STRUCTURAL DESC 'Samba Share Section' MUST ( sambaShareName ) MAY ( description ) ) + +objectclasses=( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' SUP top STRUCTURAL DESC 'Samba Configuration Option' MUST ( sambaOptionName ) MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $ sambaStringListoption $ description ) ) + +objectclasses=( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' SUP top STRUCTURAL DESC 'Samba Trust Password' MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags ) MAY ( sambaSID $ sambaPwdLastSet )) + +objectclasses=( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaAccountPolicy' SUP top STRUCTURAL DESC 'Samba Account Policy' MUST ( sambaAccountPolicyName $ sambaAccountPolicyValue ) MAY ( description ) ) -- cgit From 90dfded4df4afca142a36d3b6dd7f668ba4eba81 Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Tue, 8 Mar 2005 11:02:48 +0000 Subject: r5689: Allow for better protection of sensitive attributes in IBM Directory Server. (This used to be commit dafdd8d0741311ed0f0b35d30062f0052446f8c4) --- examples/LDAP/samba.schema.at.IBM-DS | 3 +++ 1 file changed, 3 insertions(+) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema.at.IBM-DS b/examples/LDAP/samba.schema.at.IBM-DS index 7c9c30da46..f14d8e164d 100644 --- a/examples/LDAP/samba.schema.at.IBM-DS +++ b/examples/LDAP/samba.schema.at.IBM-DS 
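Review bot: The new sambaConfigOption line spells the MAY attribute `sambaStringListoption`, while the attribute type added to samba.schema.at.IBM-DS in the same commit is named `sambaStringListOption`; LDAP attribute names match case-insensitively so this works, but aligning the spelling makes grepping across the two files reliable. The same lower-case spelling appears in the OpenLDAP samba.schema context earlier on this page, so fix both if the files are meant to be kept in step.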
@@ -1,8 +1,10 @@ ## Samba 3.0 schema for IBM Directory Server 5.1 - object classes only attributetypes=( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'LanManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) +IBMAttributetypes=( 1.3.6.1.4.1.7165.2.1.24 DBNAME( 'sambaLMPassword' 'sambaLMPassword' ) ACCESS-CLASS critical ) attributetypes=( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'MD4 hash of the unicode password'EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) +IBMAttributetypes=( 1.3.6.1.4.1.7165.2.1.25 DBNAME( 'sambaNTPassword' 'sambaNTPassword' ) ACCESS-CLASS critical ) attributetypes=( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Account Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE ) @@ -67,6 +69,7 @@ attributetypes=( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList' DESC 'Security ID L attributetypes=( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags' DESC 'Trust Password Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetypes=( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' DESC 'Concatenated MD4 hashes of the unicode passwords used on this account' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} ) +IBMAttributetypes=( 1.3.6.1.4.1.7165.2.1.54 DBNAME( 'sambaPasswordHistory' 'sambaPasswordHistory' ) ACCESS-CLASS critical ) attributetypes=( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours' DESC 'Logon Hours' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE ) -- cgit From fa6085a5bfdd7969e582e635f971fe78b69108ca Mon Sep 17 00:00:00 2001 
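Review bot: The first line of samba.schema.at.IBM-DS still reads `## Samba 3.0 schema for IBM Directory Server 5.1 - object classes only`, which is the header of the companion oc file; this file holds attribute types, so it should say `attribute types only`. The added IBMAttributetypes lines are the useful part of the change and deserve one comment saying why they exist (presumably that the critical access class keeps these password-hash attributes out of default read access and requires an explicit ACL grant — confirm against the directory server's documentation before writing that). The context line for sambaNTPassword also lacks a space between `'MD4 hash of the unicode password'` and `EQUALITY`, which a strict parser may trip over; worth fixing while the file is open.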
From: Jeremy Allison Date: Thu, 17 Mar 2005 01:25:16 +0000 Subject: r5847: Fixes from Lars Müller and Vince Brimhall @Novell for NDS schema. Jeremy. (This used to be commit 0d3075b2c06709b05513d4be1530ef6df2471480) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- examples/LDAP/samba-nds.schema | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba-nds.schema b/examples/LDAP/samba-nds.schema index c623b4da67..de01f5115a 100644 --- a/examples/LDAP/samba-nds.schema +++ b/examples/LDAP/samba-nds.schema @@ -128,7 +128,7 @@ attributeTypes: ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC '' EQUALIT dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' DESC 'Concatenated MD4 hashes of the unicode passwords used on this account' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' DESC 'Concatenated MD4 hashes of the unicode passwords used on this account' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} ) ## ## SID, of any type -- cgit From 9454668a90ab453761c6064835cbc7ac36f9341b Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 23 Aug 2005 14:02:12 +0000 Subject: r9523: Fix password history for eDirectory (by allowing to store more then 1 password history entry in LDAP...) Thanks to Bernhard Borgmann @ Novell for showing me how to debug eDirecory. Guenther (This used to be commit a6e8de5c3c44d39724c81d371339e67bb0c4f416) --- examples/LDAP/samba-nds.schema | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba-nds.schema b/examples/LDAP/samba-nds.schema index de01f5115a..bb03a67d4d 100644 --- a/examples/LDAP/samba-nds.schema +++ b/examples/LDAP/samba-nds.schema 
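Review bot: Raising sambaPasswordHistory's bound from `{32}` to `{64}` still fits only one history entry if 64 is the size of a single entry, which this change suggests, while the DESC describes the value as concatenated hashes; the very next commit on this page has to raise it again to 1024 so that eDirectory can store more than one entry. When the target server enforces the bound, size it for the maximum history length Samba will write rather than for one entry, and leave a comment recording the derivation.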
@@ -128,7 +128,7 @@ attributeTypes: ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC '' EQUALIT dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' DESC 'Concatenated MD4 hashes of the unicode passwords used on this account' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' DESC 'Concatenated MD4 hashes of the unicode passwords used on this account' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{1024} ) ## ## SID, of any type -- cgit From 54abd2aa66069e6baf7769c496f46d9dba18db39 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 30 Sep 2005 17:13:37 +0000 Subject: r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3) --- examples/LDAP/samba.schema | 76 ++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 63 insertions(+), 13 deletions(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index 2205c17309..daf4588ead 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema 
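Review bot: The new `{1024}` bound is a bare number; the previous value of 64 in this file looks like one history entry, so 1024 would hold 16, and a comment should say so, e.g. `## 1024 = 16 entries of 64 hex chars; raise if the password history length ever exceeds this`. Whether 16 matches the largest history length Samba accepts is not visible on this page, so confirm that before committing the comment.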
@@ -389,16 +389,68 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -attributetype ( 1.3.6.1.4.1.7165.2.1.56 NAME 'sambaAccountPolicyName' - DESC 'Account Policy Name' - EQUALITY caseIgnoreMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE ) +# "min password length" +attributetype ( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength' + DESC 'Minimal password length (default: 5)' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -attributetype ( 1.3.6.1.4.1.7165.2.1.57 NAME 'sambaAccountPolicyValue' - DESC 'Account Policy Value' +# "password history" +attributetype ( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength' + DESC 'Length of Password History Entries (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +# "user must logon to change password" +attributetype ( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd' + DESC 'Force Users to logon for password change (default: 0 => off, 2 => on)' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +# "maximum password age" +attributetype ( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge' + DESC 'Maximum password age, in seconds (default: -1 => never expire passwords)' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +# "minimum password age" +attributetype ( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge' + DESC 'Minimum password age, in seconds (default: 0 => allow immediate password change)' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +# "lockout duration" +attributetype ( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration' + DESC 'Lockout duration in minutes (default: 30, -1 => forever)' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +# "reset count minutes" +attributetype ( 1.3.6.1.4.1.7165.2.1.64 NAME 
'sambaLockoutObservationWindow' + DESC 'Reset time after lockout in minutes (default: 30)' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +# "bad lockout attempt" +attributetype ( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold' + DESC 'Lockout users after bad logon attempts (default: 0 => off)' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +# "disconnect time" +attributetype ( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff' + DESC 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +# "refuse machine password change" +attributetype ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange' + DESC 'Allow Machine Password changes (default: 0 => off)' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + + + ####################################################################### ## objectClasses used by Samba 3.0 schema ## @@ -448,7 +500,11 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaSID ) MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ - sambaAlgorithmicRidBase ) ) + sambaAlgorithmicRidBase $ + sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $ + sambaMaxPwdAge $ sambaMinPwdAge $ + sambaLockoutDuration $ sambaLockoutObservationWindow $ sambaLockoutThreshold $ + sambaForceLogoff $ sambaRefuseMachinePwdChange )) ## ## used for idmap_ldap module @@ -488,9 +544,3 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' SUP top STRUCTURA ## DESC 'Samba Privilege' ## MUST ( sambaSID ) ## MAY ( sambaPrivilegeList ) ) - -objectclass ( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaAccountPolicy' SUP top STRUCTURAL - DESC 'Samba Account Policy' - MUST ( sambaAccountPolicyName $ sambaAccountPolicyValue ) - MAY ( description ) ) - -- cgit 
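Review bot: The DESC of sambaRefuseMachinePwdChange reads `'Allow Machine Password changes (default: 0 => off)'`, which contradicts the attribute name; if 0 means changes are still allowed the text should say `'Refuse machine password changes (default: 0 => off, i.e. changes allowed)'`, and the same wording is copied into the samba.schema.at.IBM-DS hunk later on this page. sambaForceLogoff's `-1 => off, 0 => on` and sambaLogonToChgPwd's `0 => off, 2 => on` read as odd encodings; a one-line comment noting that they presumably follow the NT account-policy value encoding (confirm against the passdb code) would stop readers from "fixing" them. The third hunk of this commit deletes sambaAccountPolicyName, sambaAccountPolicyValue and sambaAccountPolicy outright, whereas the earlier privilege retirement on this page commented them out with a note; since their OIDs (2.1.56, 2.1.57, 2.2.15) were published and the IBM-DS files on this page still define them, a `## retired, OID reserved` comment would be safer than silent removal.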
From 3e80ef29a60373a443668357f63ad6f7fda6dab2 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 23 Dec 2005 14:45:56 +0000 Subject: r12452: Fix Bug #3053 to allow esp. older eDirectory releases to load our LDAP schema. Maybe "Base64 encoded user parameter string" is not much clearer then "munged dial" - anyone got a better description ? Guenther (This used to be commit 02ccde5f4792e34ad88b7adb5ebaf1747cb8151f) --- examples/LDAP/samba-nds.schema | 2 +- examples/LDAP/samba-schema-netscapeds5.x | 2 +- examples/LDAP/samba.schema | 2 +- examples/LDAP/samba.schema.at.IBM-DS | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba-nds.schema b/examples/LDAP/samba-nds.schema index bb03a67d4d..7bfa5040f8 100644 --- a/examples/LDAP/samba-nds.schema +++ b/examples/LDAP/samba-nds.schema @@ -123,7 +123,7 @@ attributeTypes: ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' DESC 'Windows N dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC '' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC 'Base64 encoded user parameter string' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) dn: cn=schema changetype: modify diff --git a/examples/LDAP/samba-schema-netscapeds5.x b/examples/LDAP/samba-schema-netscapeds5.x index 1e0d18b6ba..efc528b786 100644 --- a/examples/LDAP/samba-schema-netscapeds5.x +++ b/examples/LDAP/samba-schema-netscapeds5.x 
@@ -48,7 +48,7 @@ attributeTypes: ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath' DESC 'Roaming attributeTypes: ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations' DESC 'List of user workstations the user is allowed to logon to' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE X-ORIGIN 'user defined' ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath' DESC 'Home directory UNC path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' DESC 'Windows NT domain to which the user belongs' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC '' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC 'Base64 encoded user parameter string' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount' DESC 'Bad password attempt count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime' DESC 'Time of the last bad password attempt' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' DESC 'Concatenated MD4 hashes of the unicode passwords used on this account' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} ) diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index daf4588ead..e7ecc9e070 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema 
@@ -279,7 +279,7 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' - DESC '' + DESC 'Base64 encoded user parameter string' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) diff --git a/examples/LDAP/samba.schema.at.IBM-DS b/examples/LDAP/samba.schema.at.IBM-DS index f14d8e164d..375a0baede 100644 --- a/examples/LDAP/samba.schema.at.IBM-DS +++ b/examples/LDAP/samba.schema.at.IBM-DS @@ -58,7 +58,7 @@ attributetypes=( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption' DESC 'A string attributetypes=( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption' DESC 'A string list option' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) -attributetypes=( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC 'munged dial' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) +attributetypes=( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC 'Base64 encoded user parameter string' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) attributetypes=( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount' DESC 'Bad password attempt count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -- cgit From 661be1d332a7f38de3f8b8dd98c7873ac687556f Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Fri, 27 Jan 2006 15:14:55 +0000 Subject: r13187: IBM Tivoli Directory Server schema updates from John Janosik (This used to be commit d45cc5e4f38bd1aa69d5c3ae8d19e2ea98976fac) --- examples/LDAP/samba.schema.at.IBM-DS | 21 +++++++++++++++++++++ examples/LDAP/samba.schema.oc.IBM-DS | 2 +- 2 files changed, 22 insertions(+), 1 deletion(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema.at.IBM-DS b/examples/LDAP/samba.schema.at.IBM-DS index 375a0baede..4f4c0567a9 100644 --- a/examples/LDAP/samba.schema.at.IBM-DS +++ b/examples/LDAP/samba.schema.at.IBM-DS 
@@ -76,3 +76,24 @@ attributetypes=( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours' DESC 'Logon Hour attributetypes=( 1.3.6.1.4.1.7165.2.1.56 NAME 'sambaAccountPolicyName' DESC 'Account Policy Name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE ) attributetypes=( 1.3.6.1.4.1.7165.2.1.57 NAME 'sambaAccountPolicyValue' DESC 'Account Policy Value' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength' DESC 'Minimal password length (default: 5)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength' DESC 'Length of Password History Entries (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd' DESC 'Force Users to logon for password change (default: 0 => off, 2 => on)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge' DESC 'Maximum password age, in seconds (default: -1 => never expire passwords)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge' DESC 'Minimum password age, in seconds (default: 0 => allow immediate password change)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration' DESC 'Lockout duration in minutes (default: 30, -1 => forever)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservationWindow' DESC 'Reset time after lockout in minutes (default: 30)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.65 NAME 
'sambaLockoutThreshold' DESC 'Lockout users after bad logon attempts (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff' DESC 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetypes=( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange' DESC 'Allow Machine Password changes (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + diff --git a/examples/LDAP/samba.schema.oc.IBM-DS b/examples/LDAP/samba.schema.oc.IBM-DS index 2b00a5e8c6..575aed4b1a 100644 --- a/examples/LDAP/samba.schema.oc.IBM-DS +++ b/examples/LDAP/samba.schema.oc.IBM-DS @@ -4,7 +4,7 @@ objectclasses=( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY objectclasses=( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY DESC 'Samba Group Mapping' MUST ( gidNumber $ sambaSID $ sambaGroupType ) MAY ( displayName $ description $ sambaSIDList )) -objectclasses=( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL DESC 'Samba Domain Information' MUST ( sambaDomainName $ sambaSID ) MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithmicRidBase ) ) +objectclasses=( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL DESC 'Samba Domain Information' MUST ( sambaDomainName $ sambaSID ) MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithmicRidBase $ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $ sambaMaxPwdAge $ sambaMinPwdAge $ sambaLockoutDuration $ sambaLockoutObservationWindow $ sambaLockoutThreshold $ sambaForceLogoff $ sambaRefuseMachinePwdChange ) ) objectclasses=( 1.3.6.1.4.1.7165.1.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY DESC 'Pool for allocating UNIX uids/gids' MUST ( uidNumber $ gidNumber ) ) -- cgit 
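Review bot: The DESC on the new sambaRefuseMachinePwdChange attribute (OID 1.3.6.1.4.1.7165.2.1.67) reads 'Allow Machine Password changes (default: 0 => off)', which contradicts the attribute's own name: with 0 described as "off", a reader cannot tell whether machine password changes are refused or allowed by default. The string looks copied from Samba's account-policy description table, but in a schema it should agree with the attribute name, e.g. `DESC 'Refuse machine password changes (default: 0 => off, i.e. changes allowed)'`. The same string is repeated in the samba-nds.schema hunk and in the new samba-schema-FDS.ldif further down this page, so all three should be corrected together. sambaForceLogoff's encoding '-1 => off, 0 => on' is likewise easy to misread and would benefit from a short clause saying what non-zero values mean.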
From 8b54e0b2a042b6624f8b360dc7bc9e4b691c47eb Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 2 Feb 2006 16:25:58 +0000 Subject: r13290: Adding Account Policy LDAP attributes for eDirectory schema. Guenther (This used to be commit de012e33a75e0aa72fbfe2cf1258689e0d7680e2) --- examples/LDAP/samba-nds.schema | 53 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 52 insertions(+), 1 deletion(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba-nds.schema b/examples/LDAP/samba-nds.schema index 7bfa5040f8..8e8c5bcdf3 100644 --- a/examples/LDAP/samba-nds.schema +++ b/examples/LDAP/samba-nds.schema 
@@ -234,6 +234,57 @@ changetype: modify add: attributetypes attributeTypes: ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags' DESC 'Trust Password Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength' DESC 'Minimal password length (default: 5)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength' DESC 'Length of Password History Entries (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd' DESC 'Force Users to logon for password change (default: 0 => off, 2 => on)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge' DESC 'Maximum password age, in seconds (default: -1 => never expire passwords)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge' DESC 'Minimum password age, in seconds (default: 0 => allow immediate password change)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration' DESC 'Lockout duration in minutes (default: 30, -1 => forever)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservationWindow' DESC 'Reset time after 
lockout in minutes (default: 30)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold' DESC 'Lockout users after bad logon attempts (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff' DESC 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +dn: cn=schema +changetype: modify +add: attributetypes +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange' DESC 'Allow Machine Password changes (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + + ####################################################################### ## objectClasses used by Samba 3.0 schema ## ####################################################################### 
@@ -268,7 +319,7 @@ objectClasses: ( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' DESC 'Samba T dn: cn=schema changetype: modify add: objectClasses -objectClasses: ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' DESC 'Samba Domain Information' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaSID ) MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithmicRidBase )) +objectClasses: ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' DESC 'Samba Domain Information' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaSID ) MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithmicRidBase $ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $ sambaMaxPwdAge $ sambaMinPwdAge $ sambaLockoutDuration $ sambaLockoutObservationWindow $ sambaLockoutThreshold $ sambaForceLogoff $ sambaRefuseMachinePwdChange )) ## ## used for idmap_ldap module -- cgit From 5133ab016e8400e815b6dae9947206e57332616b Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 15 Mar 2006 16:00:34 +0000 Subject: r14451: In order to get pdb_ldap searching for SID_NAME_ALIAS groups in the ${MACHINESID} and S_1-5-32 domains correctly, I had to add a substr search on sambaSID. * add substr matching rule to OpenLDAP schema (we need to update the other schema as will since this is a pretty important change). Sites will need to - install the new schema - add 'indea sambaSID sub' to slapd.conf - run slapindex * remove uses of SID_NAME_WKN_GRP in pdb_ldap.c (This used to be commit 2c0a46d73122e9000a900f7e16f9b010ad4b78e3) --- examples/LDAP/samba.schema | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index e7ecc9e070..4e1556eba5 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema 
@@ -295,9 +295,9 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' EQUALITY caseIgnoreIA5Match + SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) - ## ## Primary group SID, compatible with ntSid ## -- cgit From 46e1ce559eb85ac49c3275e12d44b3336e59e937 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 11 Aug 2006 06:44:31 +0000 Subject: r17487: Allocate some OID space for Samba4, so we don't trip on each other. Andrew Bartlett (This used to be commit 199a33ac80977782869b24ce86dcd51cb16d3851) --- examples/LDAP/samba.schema | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index 4e1556eba5..61626907b2 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema @@ -14,6 +14,10 @@ ## 1.3.6.1.4.1.7165.2.3.1.x - attributetypes ## 1.3.6.1.4.1.7165.2.3.2.x - objectclasses ## +## Samba4 +## 1.3.6.1.4.1.7165.4.1.x - attributetypes +## 1.3.6.1.4.1.7165.4.2.x - objectclasses +## ## ----- READ THIS WHEN ADDING A NEW ATTRIBUTE OR OBJECT CLASS ------ ## ## Run the 'get_next_oid' bash script in this directory to find the @@ -38,6 +42,7 @@ # objectIdentifier Samba3 SambaRoot:2 # objectIdentifier Samba3Attrib Samba3:1 # objectIdentifier Samba3ObjectClass Samba3:2 +# objectIdentifier Samba4 SambaRoot:4 ######################################################################## ## HISTORICAL ## -- cgit From d1495cbda64364a9e80820c2c066e35e80da3120 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sat, 6 Jan 2007 01:10:20 +0000 Subject: r20578: - allocate an OID range for samba4 LDB/LDAP Controls - allocate an OID range for conflicting attributes/classes metze (This used to be commit 6fedd69f5e9a647cd50b08dba517e1f27a06a802) --- examples/LDAP/samba.schema | 2 ++ 1 file changed, 2 insertions(+) (limited to 'examples/LDAP') 
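Review bot: The added `SUBSTR caseExactIA5SubstringsMatch` on sambaSID sits next to the existing `EQUALITY caseIgnoreIA5Match`, so an equality filter on a SID is case-insensitive while a substring filter on the same attribute is case-sensitive; a prefix search written with a lowercase 's-' would match nothing although the equivalent equality filter would. Unless that asymmetry is deliberate, `SUBSTR caseIgnoreIA5SubstringsMatch` keeps the two rules consistent and still serves the indexed prefix searches the commit message describes. The same pairing is carried verbatim into samba-schema-FDS.ldif later on this page, and the commit message itself notes that the other schema files still lack the substring rule.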
diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index 61626907b2..10b10cc569 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema @@ -17,6 +17,8 @@ ## Samba4 ## 1.3.6.1.4.1.7165.4.1.x - attributetypes ## 1.3.6.1.4.1.7165.4.2.x - objectclasses +## 1.3.6.1.4.1.7165.4.3.x - LDB/LDAP Controls +## 1.3.6.1.4.1.7165.4.255.x - mapped OIDs due to conflicts between AD and standards-track ## ## ----- READ THIS WHEN ADDING A NEW ATTRIBUTE OR OBJECT CLASS ------ ## -- cgit From f450a654714603c28625156c6939d7fad57d370d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sat, 6 Jan 2007 10:10:25 +0000 Subject: r20585: - allocate an OID range for LDB/LDAP extended operations metze (This used to be commit 5373897ef54ba5d04d214cd7a32d2c971059314c) --- examples/LDAP/samba.schema | 1 + 1 file changed, 1 insertion(+) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index 10b10cc569..d0d5bd1b7a 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema @@ -18,6 +18,7 @@ ## 1.3.6.1.4.1.7165.4.1.x - attributetypes ## 1.3.6.1.4.1.7165.4.2.x - objectclasses ## 1.3.6.1.4.1.7165.4.3.x - LDB/LDAP Controls +## 1.3.6.1.4.1.7165.4.4.x - LDB/LDAP Extended Operations ## 1.3.6.1.4.1.7165.4.255.x - mapped OIDs due to conflicts between AD and standards-track ## ## ----- READ THIS WHEN ADDING A NEW ATTRIBUTE OR OBJECT CLASS ------ -- cgit From ed36771b3b9ef8f466f2f2a547802c2e4d6bdf64 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 18 Jan 2007 22:08:38 +0000 Subject: r20884: patch from Michael Adam to add new sambaTrustedDomainPassword object class (This used to be commit a209c3084913c69d1978cb31818f2db99e216c9a) --- examples/LDAP/samba.schema | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index d0d5bd1b7a..061fb9791a 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema 
@@ -500,6 +500,15 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' SUP top STRUCTUR MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags ) MAY ( sambaSID $ sambaPwdLastSet )) +## +## Trust password for trusted domains +## (to be stored beneath the trusting sambaDomain object in the DIT) +## +objectclass ( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaTrustedDomainPassword' SUP top STRUCTURAL + DESC 'Samba Trusted Domain Password' + MUST ( sambaDomainName $ sambaSID $ + sambaNTPassword $ sambaPwdLastSet )) + ## ## Whole-of-domain info ## -- cgit From 7556355b28dce1ba3777c782c43a953f219eedd2 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 23 Jan 2007 16:50:27 +0000 Subject: r20979: Fix description, thanks to Michael Adam (This used to be commit 4610465d7f8b1d145b4923f03bd1559c79ad8e70) --- examples/LDAP/samba.schema | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index 061fb9791a..31a7a67b8e 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema @@ -292,7 +292,7 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) attributetype ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' - DESC 'Concatenated MD4 hashes of the unicode passwords used on this account' + DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} ) -- cgit From df04cb69f78637864b5b171c5797d3247339472e Mon Sep 17 00:00:00 2001 
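Review bot: The reworded DESC on sambaPasswordHistory now says 'Concatenated MD5 hashes of the salted NT passwords', but the unchanged `SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32}` still advertises a 32-character length, which cannot hold even one salt-plus-hash entry in hex (a 16-byte salt and a 16-byte hash are 64 characters), let alone a concatenation of several. OpenLDAP treats the length as advisory, so nothing breaks there, but other servers derived from this schema may enforce it; if the stored format is salt+hash per entry, drop the `{32}` or raise it, and state in the DESC how entries are laid out so the length can be checked against it.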
From: Simo Sorce Date: Mon, 10 Sep 2007 15:14:39 +0000 Subject: r25057: Add a schema file ready to be used in Fedora/RedHat Directory Server (This used to be commit 501e8b6c79afdefb9955b92e5c25dbe1033ab518) --- examples/LDAP/samba-schema-FDS.ldif | 156 ++++++++++++++++++++++++++++++++++++ 1 file changed, 156 insertions(+) create mode 100644 examples/LDAP/samba-schema-FDS.ldif (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba-schema-FDS.ldif b/examples/LDAP/samba-schema-FDS.ldif new file mode 100644 index 0000000000..e88559fc8a --- /dev/null +++ b/examples/LDAP/samba-schema-FDS.ldif 
@@ -0,0 +1,156 @@ +## schema file for Fedora/RedHat Directory Server +## +## NOTE: this file can be copied as 60samba.ldif into your instance schema +## directory: +## cp samba-schema-FDS.ldif /etc/dirsrv/slapd-/schema/60schema.ldif +## +## Schema for storing Samba user accounts and group maps in LDAP +## OIDs are owned by the Samba Team +## +## Prerequisite schemas - uid (cosine.schema) +## - displayName (inetorgperson.schema) +## - gidNumber (nis.schema) +## +## 1.3.6.1.4.1.7165.2.1.x - attributeTypess +## 1.3.6.1.4.1.7165.2.2.x - objectClasseses +## +## Printer support +## 1.3.6.1.4.1.7165.2.3.1.x - attributeTypess +## 1.3.6.1.4.1.7165.2.3.2.x - objectClasseses +## +## Samba4 +## 1.3.6.1.4.1.7165.4.1.x - attributeTypess +## 1.3.6.1.4.1.7165.4.2.x - objectClasseses +## 1.3.6.1.4.1.7165.4.3.x - LDB/LDAP Controls +## 1.3.6.1.4.1.7165.4.4.x - LDB/LDAP Extended Operations +## 1.3.6.1.4.1.7165.4.255.x - mapped OIDs due to conflicts between AD and standards-track +## +dn: cn=schema +## +####################################################################### +## Attributes used by Samba 3.0 schema ## +####################################################################### +## +## Password hashes## +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'LanManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'MD4 hash of the unicode password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) +## +## Account flags in string format ([UWDX ]) +## +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Account Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE ) +## +## Password timestamps & policies +## +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' DESC 'Timestamp of the last password update' EQUALITY integerMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange' DESC 'Timestamp of when the user is allowed to update the password' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' DESC 'Timestamp of when the password will expire' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' DESC 'Timestamp of last logon' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' DESC 'Timestamp of last logoff' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' DESC 'Timestamp of when the user will be logged off automatically' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount' DESC 'Bad password attempt count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime' DESC 'Time of the last bad password attempt' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours' DESC 'Logon Hours' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE ) +## +## string settings +## +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' DESC 'Driver letter of home directory mapping' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' DESC 'Logon script path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.35 NAME 
'sambaProfilePath' DESC 'Roaming profile path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations' DESC 'List of user workstations the user is allowed to logon to' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath' DESC 'Home directory UNC path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' DESC 'Windows NT domain to which the user belongs' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC 'Base64 encoded user parameter string' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} ) +## +## SID, of any type +## +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' EQUALITY caseIgnoreIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) +## +## Primary group SID, compatible with ntSid +## +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID' DESC 'Primary Group Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList' DESC 'Security ID List' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} ) +## +## group mapping attributes +## +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC 'NT Group Type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +## +## Store info on the domain +## +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.21 
NAME 'sambaNextUserRid' DESC 'Next NT rid to give our for users' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid' DESC 'Next NT rid to give out for groups' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' DESC 'Next NT rid to give out for anything' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase' DESC 'Base at which the samba RID generation algorithm should operate' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName' DESC 'Share Name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName' DESC 'Option Name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption' DESC 'A boolean option' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption' DESC 'An integer option' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption' DESC 'A string option' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption' DESC 'A string list option' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +##attributeTypes: ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName' +## SUP name ) +## +##attributeTypes: ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList' +## DESC 'Privileges List' +## EQUALITY caseIgnoreIA5Match +## SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} ) 
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags' DESC 'Trust Password Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +# "min password length" +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength' DESC 'Minimal password length (default: 5)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +# "password history" +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength' DESC 'Length of Password History Entries (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +# "user must logon to change password" +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd' DESC 'Force Users to logon for password change (default: 0 => off, 2 => on)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +# "maximum password age" +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge' DESC 'Maximum password age, in seconds (default: -1 => never expire passwords)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +# "minimum password age" +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge' DESC 'Minimum password age, in seconds (default: 0 => allow immediate password change)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +# "lockout duration" +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration' DESC 'Lockout duration in minutes (default: 30, -1 => forever)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +# "reset count minutes" +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservationWindow' DESC 'Reset time after lockout in minutes (default: 30)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +# "bad lockout attempt" +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold' DESC 'Lockout users after bad logon attempts (default: 0 => off)' EQUALITY 
integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +# "disconnect time" +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff' DESC 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +# "refuse machine password change" +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange' DESC 'Allow Machine Password changes (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +## +####################################################################### +## objectClasses: used by Samba 3.0 schema ## +####################################################################### +## +## The X.500 data model (and therefore LDAPv3) says that each entry can +## only have one structural objectClasses. OpenLDAP 2.0 does not enforce +## this currently but will in v2.1 +## +## added new objectClasses: (and OID) for 3.0 to help us deal with backwards +## compatibility with 2.2 installations (e.g. 
ldapsam_compat) --jerry +## +objectClasses: ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY DESC 'Samba 3.0 Auxilary SAM Account' MUST ( uid $ sambaSID ) MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $ sambaBadPasswordCount $ sambaBadPasswordTime $ sambaPasswordHistory $ sambaLogonHours)) +## +## Group mapping info +## +objectClasses: ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY DESC 'Samba Group Mapping' MUST ( gidNumber $ sambaSID $ sambaGroupType ) MAY ( displayName $ description $ sambaSIDList )) +## +## Trust password for trust relationships (any kind) +## +objectClasses: ( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' SUP top STRUCTURAL DESC 'Samba Trust Password' MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags ) MAY ( sambaSID $ sambaPwdLastSet )) +## +## Whole-of-domain info +## +objectClasses: ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL DESC 'Samba Domain Information' MUST ( sambaDomainName $ sambaSID ) MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithmicRidBase $ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $ sambaMaxPwdAge $ sambaMinPwdAge $ sambaLockoutDuration $ sambaLockoutObservationWindow $ sambaLockoutThreshold $ sambaForceLogoff $ sambaRefuseMachinePwdChange )) +## +## used for idmap_ldap module +## +objectClasses: ( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY DESC 'Pool for allocating UNIX uids/gids' MUST ( uidNumber $ gidNumber ) ) +objectClasses: ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY DESC 'Mapping from a SID to an ID' MUST ( sambaSID ) MAY ( uidNumber $ gidNumber ) ) 
+objectClasses: ( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL DESC 'Structural Class for a SID' MUST ( sambaSID ) ) +objectClasses: ( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY DESC 'Samba Configuration Section' MAY ( description ) ) +objectClasses: ( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' SUP top STRUCTURAL DESC 'Samba Share Section' MUST ( sambaShareName ) MAY ( description ) ) +objectClasses: ( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' SUP top STRUCTURAL DESC 'Samba Configuration Option' MUST ( sambaOptionName ) MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $ sambaStringListoption $ description ) ) +## retired during privilege rewrite +##objectClasses: ( 1.3.6.1.4.1.7165.2.2.13 NAME 'sambaPrivilege' SUP top AUXILIARY +## DESC 'Samba Privilege' +## MUST ( sambaSID ) +## MAY ( sambaPrivilegeList ) ) -- cgit From c6df77f63f2fc8bb706c6d97d6da139b11f24107 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Tue, 11 Sep 2007 16:25:47 +0000 Subject: r25088: Change the objectclass sambaTrustedDomainPassword to have the current and possibly the previous trust password stored as clear text passwords. (Previous use of NTPassword was a mistake - this is a hash value.) Michael (This used to be commit 0beae52ff469903adbfefdffd93a34bb7ad7d68d) --- examples/LDAP/samba.schema | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index 31a7a67b8e..1818ca971f 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema 
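Review bot: The install hint in the header comment contradicts itself: the NOTE says the file is copied as `60samba.ldif`, the `cp` example writes `60schema.ldif`, and the target directory `/etc/dirsrv/slapd-/schema/` has no instance name after `slapd-` (possibly a placeholder lost in rendering); suggest `cp samba-schema-FDS.ldif /etc/dirsrv/slapd-INSTANCE/schema/60samba.ldif` with INSTANCE clearly marked as a placeholder. The OID map comment also carries the typos 'attributeTypess' and 'objectClasseses', and sambaConfigOption's MAY list spells the attribute `sambaStringListoption` while it is defined as 'sambaStringListOption' — harmless to an LDAP server, which compares names case-insensitively, but confusing to readers and possibly to schema validation tooling. The file defines sambaLMPassword, sambaNTPassword and sambaPasswordHistory, which are password-equivalent values, without any comment that read access to them must be restricted by ACL; a short comment above the 'Password hashes' section, such as `## These attributes are password-equivalent: restrict read/search/compare access to the Samba bind DN`, would help operators deploying this schema.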
@@ -457,6 +457,17 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +# +attributetype ( 1.3.6.1.4.1.7165.2.1.68 NAME 'sambaClearTextPassword' + DESC 'Clear text password (used for trusted domain passwords)' + EQUALITY octetStringMatch + 1.3.6.1.4.1.1466.115.121.1.40 ) + +# +attributetype ( 1.3.6.1.4.1.7165.2.1.69 NAME 'sambaPreviousClearTextPassword' + DESC 'Previous clear text password (used for trusted domain passwords)' + EQUALITY octetStringMatch + 1.3.6.1.4.1.1466.115.121.1.40 ) @@ -507,7 +518,8 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' SUP top STRUCTUR objectclass ( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaTrustedDomainPassword' SUP top STRUCTURAL DESC 'Samba Trusted Domain Password' MUST ( sambaDomainName $ sambaSID $ - sambaNTPassword $ sambaPwdLastSet )) + sambaClearTextPassword $ sambaPwdLastSet ) + MAY ( sambaPreviousClearTextPassword )) ## ## Whole-of-domain info -- cgit From b6c64fab5e95b2e4b3a0ae84e912ff1fd3267401 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Tue, 11 Sep 2007 16:30:38 +0000 Subject: r25090: Fix a syntax error just introduced into the LDAP schema. Michael (This used to be commit 7dc68ce0fb4490761326eaaca516fde3bf642ed5) --- examples/LDAP/samba.schema | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index 1818ca971f..8f82dddeb3 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema 
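Review bot: sambaClearTextPassword and sambaPreviousClearTextPassword are the first attributes in this schema that hold a secret in the clear rather than a hash, yet the only hint of that is the DESC text; a comment above the definitions should tell operators that read access must be denied to everyone except the Samba server's bind DN, exactly as for sambaLMPassword/sambaNTPassword. Because both declare `EQUALITY octetStringMatch`, a client that is merely allowed to search or compare on the entry can test candidate values through equality filters even when read is denied, so the ACL has to withhold search and compare on these attributes as well. Suggested comment: `## Clear-text trust passwords: grant no read, search or compare access except to the Samba bind DN`. The missing SYNTAX keyword on both definitions is corrected by the next commit on this page.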
@@ -461,13 +461,13 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange' attributetype ( 1.3.6.1.4.1.7165.2.1.68 NAME 'sambaClearTextPassword' DESC 'Clear text password (used for trusted domain passwords)' EQUALITY octetStringMatch - 1.3.6.1.4.1.1466.115.121.1.40 ) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) # attributetype ( 1.3.6.1.4.1.7165.2.1.69 NAME 'sambaPreviousClearTextPassword' DESC 'Previous clear text password (used for trusted domain passwords)' EQUALITY octetStringMatch - 1.3.6.1.4.1.1466.115.121.1.40 ) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) -- cgit From d80fcfce908cd88c11e084abbc4e1d79ea49697d Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Thu, 13 Sep 2007 12:51:00 +0000 Subject: r25127: Add ol-schema-migrate.pl to the repo. This script is useful for migrating OpenLDAP schema files to FDS/RHDS lidf schema files. License kindly updated to GPLv3+ at our request. Simo. (This used to be commit ab7770b34b3202a5836cfa098187eeed1bd16be3) --- examples/LDAP/README | 26 ++- examples/LDAP/ol-schema-migrate.pl | 384 +++++++++++++++++++++++++++++++++++++ 2 files changed, 402 insertions(+), 8 deletions(-) create mode 100755 examples/LDAP/ol-schema-migrate.pl (limited to 'examples/LDAP') diff --git a/examples/LDAP/README b/examples/LDAP/README index aa3207fd1f..9fbabc977c 100644 --- a/examples/LDAP/README +++ b/examples/LDAP/README 
@@ -17,22 +17,22 @@ and add an include for it in the /etc/openldap/slapd.conf file. Note that samba.schema relies upon the uid and uidNumber attributes from the RFC2307 schema (i.e. nis.schema) -If you choose to import /etc/passwd, nis, or nisplus tables -into ldap, you can use migration tools provided by PADL Software -which are located at +If you choose to import /etc/passwd, nis, or nisplus tables +into ldap, you can use migration tools provided by PADL Software +which are located at http://www.padl.com/tools.html It is not a requirement that a user's /etc/passwd account is stored in LDAP for the samba.schema file to work (although -the whole point of storing smbpasswd in LDAP is to have a +the whole point of storing smbpasswd in LDAP is to have a single location for user accounts, right?) The padl tools will leave you with LDIF files which you can import into OpenLDAP. Before you can import them, you need to include nis.schema and cosine.schema in your slapd.conf file. -You must restart the LDAP server for these new included schema files +You must restart the LDAP server for these new included schema files to become active. SunOne/Netscape DS 
@@ -48,15 +48,25 @@ Novell eDirectory The schema file has not been updated for the sambaSamAccount objectclass. +Fedora Directory Server / +RedHat Directory Server / +Netscape Directory Server +------------------------- + +An *updated* schema file has been provided, plus a very useful script from +Mike Jackson and Alyseo is available. +ol-schema-migrate.pl can be used to migrate OpenLDAP schema files to FDS +schema ldif files, it can also be used to validate the schema files to +make sure no duplicate OIDs or malformed entries are found. smbldap-tools/ -------------- -The smbldap-tools have been removed from the samba svn -tree. The latest version will continue to be included +The smbldap-tools have been removed from the samba svn +tree. The latest version will continue to be included in Samba releases. -The smbldap-tools package can be downloaded individually from +The smbldap-tools package can be downloaded individually from http://samba.idealx.org/dist/ !== diff --git a/examples/LDAP/ol-schema-migrate.pl b/examples/LDAP/ol-schema-migrate.pl new file mode 100755 index 0000000000..12392cb4cd --- /dev/null +++ b/examples/LDAP/ol-schema-migrate.pl 
@@ -0,0 +1,384 @@ +#!/usr/bin/perl -w +# +# Convert OpenLDAP schema files into Fedora DS format with RFC2252 compliant printing +# +# First Release : Mike Jackson 14 June 2005 +# http://www.netauth.com/~jacksonm/ldap/ol-schema-migrate.pl +# Professional LDAP consulting for large and small projects +# +# - 6 Dec 2005 +# - objectclass element ordering +# +# Second Release : Alyseo 05 Februrary 2006 +# Francois Billard +# Yacine Kheddache +# http://www.alyseo.com/ +# +# - 05 Februrary 2006 +# - parsing improvement to accept non-RFC compliant schemas (like ISPMAN) +# - adding RFC element : Usage, No-user-modification, collective keywords +# - 08 Februrary 2006 +# - adding help & usage +# - now this script can also beautify your schemas: "-b" +# - count attributes and objects class: "-c" +# - display items that can not be converted (empty OID...): "-d" +# - 15 February 2006 +# - adding workaround for Fedora DS bug 181465: +# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=181465 +# - adding duplicated OID check: "-d" +# Useful to manually correct nasty schemas like: +# https://sourceforge.net/tracker/?func=detail&atid=108390&aid=1429276&group_id=8390 +# - 13 September 2007 +# Based on Samba Team GPL Compliance Officer request, license has been updated from +# GPL to GPLv3+ +# +# - Fedora DS bug you need to correct by hand : +# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179956 +# +# GPLv3+ license +# + +my $optionCount = 0; +my $optionPrint = 0; +my $optionBadEntries = 0; +my $optionHelp = 0; +my $filename = "" ; + +foreach (@ARGV) { + $optionHelp = 1 if ( /^-h$/); + $optionCount = 1 if ( /^-c$/); + $optionPrint = 1 if ( /^-b$/); + $optionBadEntries = 1 if ( /^-d$/); + $filename = $_ if ( ! /^-b$/ && ! /^-c$/ && ! /^-d$/); +} + +die "Usage : ol-schema-migrate-v2.pl [ -c ] [ -b ] [ -d ] schema\n" . + " -c\tcount attribute and object class\n" . + " -b\tconvert and beautify your schema\n" . 
+ " -d\tdisplay unrecognized elements, find empty and duplicated OID\n" . + " -h\tthis help\n" if ($filename eq "" || ($optionHelp || (!$optionCount && !$optionPrint && !$optionBadEntries))); + +if($optionCount) { + print "Schema verification counters:\n"; + my $ldapdata = &getSourceFile($filename); + print "".(defined($ldapdata->{attributes}) ? @{$ldapdata->{attributes}} : 0) . " attributes\n"; + print "".(defined($ldapdata->{objectclass}) ? @{$ldapdata->{objectclass}} : 0) . " object classes\n\n" +} + +if($optionPrint) { + my $ldapdata = &getSourceFile($filename); + &printit($ldapdata); +} + +if($optionBadEntries) { + print "Display unrecognized entries:\n"; + my $ldapdata = &getSourceFile($filename); + my $errorsAttr = 0; + my $errorsObjc = 0; + my $errorsDup = 0; + my $emptyOid = 0; + my %dup; + + foreach (@{$ldapdata->{attributes}}) { + my $attr = $_; + + push @{$dup{$attr->{OID}}{attr}}, {NAME => $attr->{NAME}, LINENUMBER => $attr->{LINENUMBER}}; + + $attr->{DATA} =~ s/\n/ /g; + $attr->{DATA} =~ s/\r//g; + $attr->{DATA} =~ s/attribute[t|T]ypes?:?\s*\(//; + $attr->{DATA} =~ s/\Q$attr->{OID}// if(defined $attr->{OID}); + $attr->{DATA} =~ s/NAME\s*\Q$attr->{NAME}// if(defined $attr->{NAME}); + $attr->{DATA} =~ s/DESC\s*'\Q$attr->{DESC}'// if(defined $attr->{DESC}); + $attr->{DATA} =~ s/$attr->{OBSOLETE}// if(defined $attr->{OBSOLETE}); + $attr->{DATA} =~ s/SUP\s*\Q$attr->{SUP}// if(defined $attr->{SUP}); + $attr->{DATA} =~ s/EQUALITY\s*\Q$attr->{EQUALITY}// if(defined $attr->{EQUALITY}); + $attr->{DATA} =~ s/ORDERING\s*\Q$attr->{ORDERING}// if(defined $attr->{ORDERING}); + $attr->{DATA} =~ s/SUBSTR\s*\Q$attr->{SUBSTR}// if(defined $attr->{SUBSTR}); + $attr->{DATA} =~ s/SYNTAX\s*\Q$attr->{SYNTAX}// if(defined $attr->{SYNTAX}); + $attr->{DATA} =~ s/SINGLE-VALUE// if(defined $attr->{SINGLEVALUE}); + $attr->{DATA} =~ s/NO-USER-MODIFICATION// if(defined $attr->{NOUSERMOD}); + $attr->{DATA} =~ s/COLLECTIVE// if(defined $attr->{COLLECTIVE}); + $attr->{DATA} =~ 
s/USAGE\s*\Q$attr->{USAGE}// if(defined $attr->{USAGE}); + $attr->{DATA} =~ s/\)\s$//; + $attr->{DATA} =~ s/^\s+(\S)/\n$1/ ; + $attr->{DATA} =~ s/(\S)\s+$/$1\n/; + do { + $errorsAttr ++; + do { $emptyOid ++; + print "Warning : no OID for attributes element at line $attr->{LINENUMBER} \n"; + } if( !defined($attr->{OID})); + print "### Unknow element embedded in ATTRIBUTE at line $attr->{LINENUMBER} :\n$attr->{DATA}\n" + } if($attr->{DATA} =~ /\w/); + } + + foreach (@{$ldapdata->{objectclass}}) { + my $objc = $_; + push @{$dup{$objc->{OID}}{objc}} , {NAME => $objc->{NAME}, LINENUMBER => $objc->{LINENUMBER}}; + $objc->{DATA} =~ s/\n/ /g; + $objc->{DATA} =~ s/\r//g; + $objc->{DATA} =~ s/^object[c|C]lasse?s?:?\s*\(?//; + $objc->{DATA} =~ s/\Q$objc->{OID}// if(defined $objc->{OID}); + $objc->{DATA} =~ s/NAME\s*\Q$objc->{NAME}\E// if(defined $objc->{NAME}); + $objc->{DATA} =~ s/DESC\s*'\Q$objc->{DESC}\E'// if(defined $objc->{DESC}); + $objc->{DATA} =~ s/OBSOLETE// if(defined $objc->{OBSOLETE}); + $objc->{DATA} =~ s/SUP\s*\Q$objc->{SUP}// if(defined $objc->{SUP}); + $objc->{DATA} =~ s/\Q$objc->{TYPE}// if(defined $objc->{TYPE}); + $objc->{DATA} =~ s/MUST\s*\Q$objc->{MUST}\E\s*// if(defined $objc->{MUST}); + $objc->{DATA} =~ s/MUST\s*\(?\s*\Q$objc->{MUST}\E\s*\)?// if(defined $objc->{MUST}); + $objc->{DATA} =~ s/MAY\s*\Q$objc->{MAY}\E// if(defined $objc->{MAY}); + $objc->{DATA} =~ s/\)\s$//; + $objc->{DATA} =~ s/^\s+(\S)/\n$1/ ; + $objc->{DATA} =~ s/(\S)\s+$/$1\n/; + + do { + print "#" x 80 ."\n"; + $errorsObjc ++; + do { $emptyOid++ ; + print "Warning : no OID for object class element at line $objc->{LINENUMBER} \n"; + } if( $objc->{OID} eq ""); + print "### Unknow element embedded in OBJECT CLASS at line $objc->{LINENUMBER} :\n$objc->{DATA}\n" + } if($objc->{DATA} =~ /\w/); + } + + my $nbDup = 0; + foreach (keys %dup) { + my $sumOid = 0; + $sumOid += @{$dup{$_}{attr}} if(defined (@{$dup{$_}{attr}})); + $sumOid += @{$dup{$_}{objc}} if(defined (@{$dup{$_}{objc}})); + if( 
$sumOid > 1 && $_ ne "") { + $nbDup ++; + print "#" x 80 ."\n"; + print "Duplicate OID founds : $_\n"; + foreach (@{$dup{$_}{attr}}) { + + print "Attribute : $_->{NAME} (line : $_->{LINENUMBER})\n"; + } + foreach (@{$dup{$_}{objc}}) { + print "Object class : $_->{NAME} (line : $_->{LINENUMBER})\n"; + } + + } + } + + print "\n$errorsAttr errors detected in ATTRIBUTES list\n"; + print "$errorsObjc errors detected in OBJECT CLASS list\n"; + print "$nbDup duplicate OID founds\n"; + print "$emptyOid empty OID fields founds\n\n"; + +} + + +sub printit { + my $ldapdata = shift; + &printSeparator; + print "dn: cn=schema\n"; + &printSeparator; + + # print elements in RFC2252 order + + foreach (@{$ldapdata->{attributes}}) { + my $attr = $_; + print "attributeTypes: (\n"; + print " $attr->{OID}\n"; + print " NAME $attr->{NAME}\n"; + print " DESC '$attr->{DESC}'\n" if(defined $attr->{DESC}); + print " OBSOLETE\n" if(defined $attr->{OBSOLETE}); + print " SUP $attr->{SUP}\n" if(defined $attr->{SUP}); + print " EQUALITY $attr->{EQUALITY}\n" if(defined $attr->{EQUALITY}); + print " ORDERING $attr->{ORDERING}\n" if(defined $attr->{ORDERING}); + print " SUBSTR $attr->{SUBSTR}\n" if(defined $attr->{SUBSTR}); + print " SYNTAX $attr->{SYNTAX}\n" if(defined $attr->{SYNTAX}); + print " SINGLE-VALUE\n" if(defined $attr->{SINGLEVALUE}); + print " NO-USER-MODIFICATION\n" if(defined $attr->{NOUSERMOD}); + print " COLLECTIVE\n" if(defined $attr->{COLLECTIVE}); + print " USAGE $attr->{USAGE}\n" if(defined $attr->{USAGE}); + print " )\n"; + &printSeparator; + } + + foreach (@{$ldapdata->{objectclass}}) { + my $objc = $_; + # next 3 lines : Fedora DS space sensitive bug workaround + $objc->{SUP} =~ s/^\(\s*(.*?)\s*\)$/\( $1 \)/ if (defined $objc->{SUP}); + $objc->{MUST} =~ s/^\(\s*(.*?)\s*\)$/\( $1 \)/ if (defined $objc->{MUST}); + $objc->{MAY} =~ s/^\(\s*(.*?)\s*\)$/\( $1 \)/ if (defined $objc->{MAY}); + + print "objectClasses: (\n"; + print " $objc->{OID}\n"; + print " NAME $objc->{NAME}\n"; + 
print " DESC '$objc->{DESC}'\n" if(defined $objc->{DESC}); + print " OBSOLETE\n" if(defined $objc->{OBSOLETE}); + print " SUP $objc->{SUP}\n" if(defined $objc->{SUP}); + print " $objc->{TYPE}\n" if(defined $objc->{TYPE}); + print " MUST $objc->{MUST}\n" if(defined $objc->{MUST}); + print " MAY $objc->{MAY}\n" if(defined $objc->{MAY}); + print " )\n"; + &printSeparator; + } +} + +sub printSeparator { + print "#\n"; + print "#" x 80 . "\n"; + print "#\n"; +} + +sub getSourceFile { + my @data = &getFile(shift); + my %result; + my $result = \%result; + my @allattrs; + my @allattrsLineNumber; + my @allobjc; + my @allobjcLineNumber; + my $at = 0; + my $oc = 0; + my $at_string; + my $oc_string; + my $idx = 0; + my $beginParenthesis = 0; + my $endParenthesis = 0; + my $lineNumber = 0; + for(@data) { + $lineNumber++; + next if (/^\s*\#/); # skip comments + + if($at) { + s/ +/ /; # remove embedded tabs + s/\t/ /; # remove multiple spaces after the $ sign + + $at_string .= $_; + $beginParenthesis = 0; # Use best matching elements + $endParenthesis = 0; + for(my $i=0;$ i < length($at_string); $i++) { + $beginParenthesis++ if(substr ($at_string,$i,1) eq "("); + $endParenthesis++ if(substr ($at_string,$i,1) eq ")"); + } + if($beginParenthesis == $endParenthesis) { + push @allattrs, $at_string; + $at = 0; + $at_string = ""; + $endParenthesis = 0; + $beginParenthesis = 0; + } + } + + if (/^attribute[t|T]ype/) { + my $line = $_; + push @allattrsLineNumber, $lineNumber; # keep starting line number + for(my $i=0;$ i < length($line); $i++) { + $beginParenthesis++ if(substr ($line, $i, 1) eq "("); + $endParenthesis++ if(substr ($line, $i, 1) eq ")"); + } + if($beginParenthesis == $endParenthesis && $beginParenthesis != 0) { + push @allattrs, $line; + $endParenthesis = 0; + $beginParenthesis = 0; + } else { + $at_string = $line; + $at = 1; + } + } + + ##################################### + + if($oc) { + s/ +/ /; + s/\t/ /; + + $oc_string .= $_; + $endParenthesis = 0; # best methode to 
accept an elements : + $beginParenthesis = 0; # left parenthesis sum == right parenthesis sum, so we are sure to + for(my $i=0;$ i < length($oc_string); $i++) { # have an element. + $beginParenthesis++ if(substr ($oc_string, $i, 1) eq "("); + $endParenthesis++ if(substr ($oc_string, $i, 1) eq ")"); + } + if($beginParenthesis == $endParenthesis) { + push @allobjc, $oc_string; + $oc = 0; + $oc_string = ""; + $endParenthesis = 0; + $beginParenthesis = 0; + } + } + + if (/^object[c|C]lass/) { + my $line = $_; + push @allobjcLineNumber, $lineNumber; # keep starting line number + for(my $i=0;$ i < length($line); $i++) { + $beginParenthesis++ if(substr ($line, $i, 1) eq "("); + $endParenthesis++ if(substr ($line, $i, 1) eq ")"); + } + if($beginParenthesis == $endParenthesis && $beginParenthesis != 0) { + push @allobjc, $line; + $endParenthesis = 0; + $beginParenthesis = 0; + } else { + $oc_string = $line; + $oc = 1; + } + } + } + + # Parsing attribute elements + + for(@allattrs) { + s/\n/ /g; + s/\r//g; + s/ +/ /g; + s/\t/ /g; + $result->{attributes}->[$idx]->{DATA} = $_ if($optionBadEntries); # keep original data + $result->{attributes}->[$idx]->{LINENUMBER} = $allattrsLineNumber[$idx]; + $result->{attributes}->[$idx]->{OID} = $1 if (m/^attribute[t|T]ypes?:?\s*\(?\s*([\.\d]*?)\s+/); + $result->{attributes}->[$idx]->{NAME} = $1 if (m/NAME\s+('.*?')\s*/ || m/NAME\s+(\(.*?\))/); + $result->{attributes}->[$idx]->{DESC} = $1 if (m/DESC\s+'(.*?)'\s*/); + $result->{attributes}->[$idx]->{OBSOLETE} = "OBSOLETE" if (m/OBSOLETE/); + $result->{attributes}->[$idx]->{SUP} = $1 if (m/SUP\s+(.*?)\s/); + $result->{attributes}->[$idx]->{EQUALITY} = $1 if (m/EQUALITY\s+(.*?)\s/); + $result->{attributes}->[$idx]->{ORDERING} = $1 if (m/ORDERING\s+(.*?)\s/); + $result->{attributes}->[$idx]->{SUBSTR} = $1 if (m/SUBSTR\s+(.*?)\s/); + $result->{attributes}->[$idx]->{SYNTAX} = $1 if (m/SYNTAX\s+(.*?)(\s|\))/); + $result->{attributes}->[$idx]->{SINGLEVALUE} = "SINGLE-VALUE" if (m/SINGLE-VALUE/); + 
$result->{attributes}->[$idx]->{COLLECTIVE} = "COLLECTIVE" if (m/COLLECTIVE/); + $result->{attributes}->[$idx]->{USAGE} = $1 if (m/USAGE\s+(.*?)\s/); + $result->{attributes}->[$idx]->{NOUSERMOD} = "NO-USER-MODIFICATION" if (m/NO-USER-MODIFICATION/); + $idx ++; + } + + $idx = 0; + + # Parsing object class elements + + for(@allobjc) { + s/\n/ /g; + s/\r//g; + s/ +/ /g; + s/\t/ /g; + $result->{objectclass}->[$idx]->{DATA} = $_ if($optionBadEntries); # keep original data + $result->{objectclass}->[$idx]->{LINENUMBER} = $allobjcLineNumber[$idx]; + $result->{objectclass}->[$idx]->{OID} = $1 if (m/^object[c|C]lasse?s?:?\s*\(?\s*([\.\d]*?)\s+/); + $result->{objectclass}->[$idx]->{NAME} = $1 if (m/NAME\s+('.*?')\s*/ || m/NAME\s+(\(.*?\))/); + $result->{objectclass}->[$idx]->{DESC} = $1 if (m/DESC\s+'(.*?)'\s*/); + $result->{objectclass}->[$idx]->{OBSOLETE} = "OBSOLETE" if (m/OBSOLETE/); + $result->{objectclass}->[$idx]->{SUP} = $1 if (m/SUP\s+([^()]+?)\s/ || m/SUP\s+(\(.+?\))\s/); + $result->{objectclass}->[$idx]->{TYPE} = $1 if (m/((?:STRUCTURAL)|(?:AUXILIARY)|(?:ABSTRACT))/); + $result->{objectclass}->[$idx]->{MUST} = $1 if (m/MUST\s+(\w+)\)?/ || m/MUST\s+(\(.*?\))(\s|\))/s); + $result->{objectclass}->[$idx]->{MAY} = $1 if (m/MAY\s+(\w+)\)?/ || m/MAY\s+(\(.*?\))(\s|\))/s); + + $idx++; + } + + return $result; +} + +sub getFile { + my @data; + my $file = shift; + die "File not found : $file\n" if(! -e $file); + open FH, $file; + @data = ; + close FH; + @data; +} + -- cgit From 9a6502a96bb64aceea0b550896a61ba806ee5be5 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 2 Jun 2008 10:42:27 +0200 Subject: Fix location of smbldap-tools Thanks to Miguel Medalha for pointing this out (This used to be commit 359b8d53d839bbf503915004c52bce9f09e6d785) --- examples/LDAP/README | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'examples/LDAP') diff --git a/examples/LDAP/README b/examples/LDAP/README index 9fbabc977c..f6ce3a986e 100644 --- a/examples/LDAP/README 
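Review bot: `getFile` opens the user-supplied schema path with the two-argument form `open FH, $file;` and never checks the result, so a path beginning with `>` or ending in `|` is interpreted as a mode or a command pipe rather than a filename, and a file that exists but is unreadable silently yields an empty schema (the `-e` test before it does not cover that case). The three-argument open with a lexical handle and an error check closes both gaps; a rewrite of the sub follows, where I have assumed the hunk's `@data = ;` line is a rendering loss of `<FH>`. Separately, `defined (@{$dup{$_}{attr}})` and the matching `objc` test in the `-d` branch apply `defined` to an array, which has been a fatal compile error since Perl 5.22; `$sumOid += @{ $dup{$_}{attr} } if (exists $dup{$_}{attr});` keeps the intent. The script also runs without `use strict`, which is why the long `$result->{attributes}->[$idx]->{...}` chains and the bareword handle go unchecked.
```perl
sub getFile {
    my $file = shift;
    die "File not found : $file\n" if (! -e $file);
    # Three-arg open: a leading '>' or trailing '|' in $file is then part of
    # the name, not a mode or a pipe; the check also reports unreadable files.
    open my $fh, '<', $file or die "Cannot open $file: $!\n";
    my @data = <$fh>;
    close $fh;
    return @data;
}
```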
+++ b/examples/LDAP/README @@ -67,7 +67,7 @@ tree. The latest version will continue to be included in Samba releases. The smbldap-tools package can be downloaded individually from -http://samba.idealx.org/dist/ +https://gna.org/projects/smbldap-tools/ !== !== end of README -- cgit