From ae371ebfe03c95f7b3118c2176cd5a71d925c3e5 Mon Sep 17 00:00:00 2001 
From: Brian Read Date: Wed, 12 Jul 2023 08:58:23 +0100 Subject: [PATCH] initial commit of file from CVS for e-smith-ldap on Wed 12 Jul 08:58:23 BST 2023 --- .gitignore | 4 + Makefile | 21 + README.md | 18 +- additional/COPYING | 340 +++++ contriborbase | 1 + createlinks | 75 ++ e-smith-ldap.spec | 1095 +++++++++++++++++ .../configuration/defaults/ldap.init/status | 1 + .../db/configuration/defaults/ldap.init/type | 1 + .../defaults/ldap/Authentication | 1 + .../db/configuration/defaults/ldap/TCPPorts | 1 + .../db/configuration/defaults/ldap/access | 1 + .../configuration/defaults/ldap/defaultCity | 1 + .../defaults/ldap/defaultCompany | 1 + .../defaults/ldap/defaultDepartment | 1 + .../defaults/ldap/defaultPhoneNumber | 1 + .../configuration/defaults/ldap/defaultStreet | 1 + .../db/configuration/defaults/ldap/status | 1 + .../db/configuration/defaults/ldap/type | 1 + .../db/configuration/force/ldap/status | 1 + .../db/configuration/migrate/ldap/GenPassword | 3 + .../e-smith/db/configuration/migrate/ldapssl | 7 + .../events/actions/cleanup-unix-user-group | 20 + .../e-smith/events/actions/gentle-ldap-dump | 61 + root/etc/e-smith/events/actions/ldap-delete | 132 ++ .../e-smith/events/actions/ldap-delete-dumps | 63 + root/etc/e-smith/events/actions/ldap-dump | 63 + root/etc/e-smith/events/actions/ldap-update | 25 + .../e-smith/events/actions/ldap-update-simple | 248 ++++ .../events/actions/reset-ldap-bootstrap | 24 + .../e-smith/events/actions/set-ldap-bootstrap | 24 + root/etc/e-smith/ldap/init/.gitignore | 0 .../en-us/etc/e-smith/web/functions/directory | 92 ++ .../etc/openldap/slapd.conf | 2 + .../etc/openldap/ssl/slapd.pem | 4 + .../home/e-smith/db/ldap/ldif | 2 + .../e-smith/templates/etc/hosts.allow/ldap | 3 + .../etc/openldap/ldap.conf/20ldap-default | 20 + .../etc/openldap/slapd.conf/10schema | 7 + .../etc/openldap/slapd.conf/11rfc2739schema | 1 + .../templates/etc/openldap/slapd.conf/12pid | 3 + .../templates/etc/openldap/slapd.conf/12tls | 18 + 
.../etc/openldap/slapd.conf/40bind_v2 | 1 + .../templates/etc/openldap/slapd.conf/45limit | 1 + .../etc/openldap/slapd.conf/50database | 1 + .../etc/openldap/slapd.conf/65suffix | 1 + .../etc/openldap/slapd.conf/66checkpoints | 1 + .../etc/openldap/slapd.conf/70directory | 1 + .../etc/openldap/slapd.conf/75rootdn | 1 + .../etc/openldap/slapd.conf/80rootpw | 1 + .../etc/openldap/slapd.conf/85passwordHash | 5 + .../etc/openldap/slapd.conf/90indexes | 6 + .../openldap/slapd.conf/95acls05userPassword | 6 + .../slapd.conf/95acls60sensibleObjects | 18 + .../openldap/slapd.conf/95acls70sensibleAttrs | 11 + .../openldap/slapd.conf/95acls72posixAccount | 8 + .../openldap/slapd.conf/95acls74shadowAccount | 8 + .../openldap/slapd.conf/95acls80sensibleAcl | 27 + .../etc/openldap/slapd.conf/95acls99default | 10 + .../e-smith/templates/etc/rsyslog.conf/32ldap | 4 + .../templates/etc/sysconfig/slapd/05head | 3 + .../etc/sysconfig/slapd/20SLAPD_URLS | 8 + .../templates/etc/sysconfig/slapd/40OPTIONS | 4 + .../templates/etc/sysconfig/slapd/60KRB5 | 4 + .../templates/var/lib/ldap/DB_CONFIG/10memory | 4 + .../templates/var/lib/ldap/DB_CONFIG/30logs | 8 + root/etc/e-smith/tests/.gitignore | 0 root/etc/e-smith/web/functions/directory | 151 +++ root/etc/logrotate.d/ldap | 11 + .../openldap/schema/mailRelatedObject.schema | 6 + .../schema/redhat/rfc822-MailMember.schema | 15 + root/etc/openldap/schema/rfc2739.schema | 98 ++ root/etc/openldap/ssl/.gitignore | 0 root/etc/rc.d/init.d/ldap.init | 90 ++ root/home/e-smith/db/ldap/.gitignore | 0 root/sbin/e-smith/ldif-fix | 419 +++++++ root/sbin/e-smith/systemd/ldap-finish | 21 + root/sbin/e-smith/systemd/ldap-prepare | 54 + root/usr/lib/systemd/system/ldap.init.service | 21 + root/usr/lib/systemd/system/ldap.service | 26 + .../system/slapd.service.d/50koozali.conf | 6 + .../esmith/FormMagick/Panel/directory.pm | 204 +++ root/var/log/bdb/.gitignore | 0 root/var/log/ldap/.gitignore | 0 84 files changed, 3651 insertions(+), 2 deletions(-) create 
mode 100644 .gitignore create mode 100644 Makefile create mode 100644 additional/COPYING create mode 100644 contriborbase create mode 100644 createlinks create mode 100644 e-smith-ldap.spec create mode 100644 root/etc/e-smith/db/configuration/defaults/ldap.init/status create mode 100644 root/etc/e-smith/db/configuration/defaults/ldap.init/type create mode 100644 root/etc/e-smith/db/configuration/defaults/ldap/Authentication create mode 100644 root/etc/e-smith/db/configuration/defaults/ldap/TCPPorts create mode 100644 root/etc/e-smith/db/configuration/defaults/ldap/access create mode 100644 root/etc/e-smith/db/configuration/defaults/ldap/defaultCity create mode 100644 root/etc/e-smith/db/configuration/defaults/ldap/defaultCompany create mode 100644 root/etc/e-smith/db/configuration/defaults/ldap/defaultDepartment create mode 100644 root/etc/e-smith/db/configuration/defaults/ldap/defaultPhoneNumber create mode 100644 root/etc/e-smith/db/configuration/defaults/ldap/defaultStreet create mode 100644 root/etc/e-smith/db/configuration/defaults/ldap/status create mode 100644 root/etc/e-smith/db/configuration/defaults/ldap/type create mode 100644 root/etc/e-smith/db/configuration/force/ldap/status create mode 100644 root/etc/e-smith/db/configuration/migrate/ldap/GenPassword create mode 100644 root/etc/e-smith/db/configuration/migrate/ldapssl create mode 100644 root/etc/e-smith/events/actions/cleanup-unix-user-group create mode 100755 root/etc/e-smith/events/actions/gentle-ldap-dump create mode 100755 root/etc/e-smith/events/actions/ldap-delete create mode 100755 root/etc/e-smith/events/actions/ldap-delete-dumps create mode 100755 root/etc/e-smith/events/actions/ldap-dump create mode 100755 root/etc/e-smith/events/actions/ldap-update create mode 100644 root/etc/e-smith/events/actions/ldap-update-simple create mode 100644 root/etc/e-smith/events/actions/reset-ldap-bootstrap create mode 100644 root/etc/e-smith/events/actions/set-ldap-bootstrap create mode 100644 
root/etc/e-smith/ldap/init/.gitignore create mode 100755 root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/directory create mode 100644 root/etc/e-smith/templates.metadata/etc/openldap/slapd.conf create mode 100644 root/etc/e-smith/templates.metadata/etc/openldap/ssl/slapd.pem create mode 100644 root/etc/e-smith/templates.metadata/home/e-smith/db/ldap/ldif create mode 100644 root/etc/e-smith/templates/etc/hosts.allow/ldap create mode 100644 root/etc/e-smith/templates/etc/openldap/ldap.conf/20ldap-default create mode 100644 root/etc/e-smith/templates/etc/openldap/slapd.conf/10schema create mode 100644 root/etc/e-smith/templates/etc/openldap/slapd.conf/11rfc2739schema create mode 100644 root/etc/e-smith/templates/etc/openldap/slapd.conf/12pid create mode 100644 root/etc/e-smith/templates/etc/openldap/slapd.conf/12tls create mode 100644 root/etc/e-smith/templates/etc/openldap/slapd.conf/40bind_v2 create mode 100644 root/etc/e-smith/templates/etc/openldap/slapd.conf/45limit create mode 100644 root/etc/e-smith/templates/etc/openldap/slapd.conf/50database create mode 100644 root/etc/e-smith/templates/etc/openldap/slapd.conf/65suffix create mode 100644 root/etc/e-smith/templates/etc/openldap/slapd.conf/66checkpoints create mode 100644 root/etc/e-smith/templates/etc/openldap/slapd.conf/70directory create mode 100644 root/etc/e-smith/templates/etc/openldap/slapd.conf/75rootdn create mode 100644 root/etc/e-smith/templates/etc/openldap/slapd.conf/80rootpw create mode 100644 root/etc/e-smith/templates/etc/openldap/slapd.conf/85passwordHash create mode 100644 root/etc/e-smith/templates/etc/openldap/slapd.conf/90indexes create mode 100644 root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls05userPassword create mode 100644 root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects create mode 100644 root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs create mode 100644 
root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount create mode 100644 root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount create mode 100644 root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl create mode 100644 root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls99default create mode 100644 root/etc/e-smith/templates/etc/rsyslog.conf/32ldap create mode 100644 root/etc/e-smith/templates/etc/sysconfig/slapd/05head create mode 100644 root/etc/e-smith/templates/etc/sysconfig/slapd/20SLAPD_URLS create mode 100644 root/etc/e-smith/templates/etc/sysconfig/slapd/40OPTIONS create mode 100644 root/etc/e-smith/templates/etc/sysconfig/slapd/60KRB5 create mode 100644 root/etc/e-smith/templates/var/lib/ldap/DB_CONFIG/10memory create mode 100644 root/etc/e-smith/templates/var/lib/ldap/DB_CONFIG/30logs create mode 100644 root/etc/e-smith/tests/.gitignore create mode 100755 root/etc/e-smith/web/functions/directory create mode 100644 root/etc/logrotate.d/ldap create mode 100644 root/etc/openldap/schema/mailRelatedObject.schema create mode 100644 root/etc/openldap/schema/redhat/rfc822-MailMember.schema create mode 100644 root/etc/openldap/schema/rfc2739.schema create mode 100644 root/etc/openldap/ssl/.gitignore create mode 100644 root/etc/rc.d/init.d/ldap.init create mode 100644 root/home/e-smith/db/ldap/.gitignore create mode 100644 root/sbin/e-smith/ldif-fix create mode 100644 root/sbin/e-smith/systemd/ldap-finish create mode 100644 root/sbin/e-smith/systemd/ldap-prepare create mode 100644 root/usr/lib/systemd/system/ldap.init.service create mode 100644 root/usr/lib/systemd/system/ldap.service create mode 100644 root/usr/lib/systemd/system/slapd.service.d/50koozali.conf create mode 100644 root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/directory.pm create mode 100644 root/var/log/bdb/.gitignore create mode 100644 root/var/log/ldap/.gitignore 
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e594810
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+*.rpm
+*.log
+*spec-20*
+*.tar.xz
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..bcdbd90
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,21 @@
+# Makefile for source rpm: e-smith-ldap
+# $Id: Makefile,v 1.1 2016/02/05 16:04:52 stephdl Exp $
+NAME := e-smith-ldap
+SPECFILE = $(firstword $(wildcard *.spec))
+
+define find-makefile-common
+for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
+endef
+
+MAKEFILE_COMMON := $(shell $(find-makefile-common))
+
+ifeq ($(MAKEFILE_COMMON),)
+# attept a checkout
+define checkout-makefile-common
+test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
+endef
+
+MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
+endif
+
+include $(MAKEFILE_COMMON)
diff --git a/README.md b/README.md
index 185aa94..b026ad5 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,17 @@
-# e-smith-ldap
+# e-smith-ldap
-SMEServer Koozali developed git repo for e-smith-ldap smeserver
\ No newline at end of file
+SMEServer Koozali developed git repo for e-smith-ldap smeserver
+
+## Wiki
+
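Review bot: The writability test in `find-makefile-common` has a typo: `-w $$/Makefile.common` reaches the shell as `$/Makefile.common`, which is not the candidate path, so the `cvs -Q update` branch can never be taken; it should read `-w $$d/Makefile.common`. Separately, `exit -1` in `checkout-makefile-common` is not a portable exit status (some shells reject it outright, others report 255); `exit 1` is the safe form. Both recipes also run `cvs` against whatever repository `CVS/Root` names on every `make` invocation, so the build's inputs depend on that file and on the remote at build time; a one-line comment such as `# NOTE: fetches/refreshes the shared 'common' module from the CVS root named in CVS/Root at every build` would make that dependency explicit to anyone auditing the packaging chain.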
https://wiki.koozali.org/ + +## Bugzilla +Show list of outstanding bugs: [here](https://bugs.koozali.org/buglist.cgi?component=e-smith-ldap&product=SME%20Server%2010.X&query_format=advanced&limit=0&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=CONFIRMED) + +## Description + +
*This description has been generated by an LLM AI system and cannot be relied on to be fully correct.* +*Once it has been checked, then this comment will be deleted* +
+ +e-smith-ldap is an open source, Linux-based software package that provides a secure directory service for enterprises. It is based on an LDAP (Lightweight Directory Access Protocol) server and provides an intuitive web-based administration interface for managing users, groups, policies, and permissions. It also allows for connection to external LDAP servers, providing inter-company synchronization of user accounts. e-smith-ldap is a reliable and secure solution for organizations needing to efficiently manage user access to resources without sacrificing control. It is also a cost-effective, scalable, and easy to use solution for managing large user populations. diff --git a/additional/COPYING b/additional/COPYING new file mode 100644 index 0000000..eeb586b --- /dev/null +++ b/additional/COPYING 
@@ -0,0 +1,340 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) 19yy + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. 
+ + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) 19yy name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Library General +Public License instead of this License. diff --git a/contriborbase b/contriborbase new file mode 100644 index 0000000..ef36a67 
--- /dev/null +++ b/contriborbase @@ -0,0 +1 @@ +sme10 diff --git a/createlinks b/createlinks new file mode 100644 index 0000000..6a18e94 --- /dev/null +++ b/createlinks 
@@ -0,0 +1,75 @@
+#!/usr/bin/perl -w
+
+use esmith::Build::CreateLinks qw(:all);
+
+panel_link("directory", "manager");
+
+foreach (qw(ldap.conf slapd.conf))
+{
+templates2events("/etc/openldap/$_",
+ qw(
+ bootstrap-console-save
+ console-save
+ ldap-update
+ e-smith-ldap-update
+ ));
+}
+
+templates2events("/etc/sysconfig/slapd",
+ qw(
+ bootstrap-console-save
+ console-save
+ ldap-update
+ e-smith-ldap-update
+ ));
+
+
+event_link("ldap-update-simple", "group-create", "95");
+event_link("ldap-update-simple", "group-modify", "95");
+event_link("ldap-delete", "group-delete", "55");
+
+event_link("ldap-update-simple", "user-create", "95");
+event_link("ldap-update-simple", "user-modify", "95");
+event_link("ldap-update-simple", "user-modify-admin", "95");
+event_link("ldap-delete", "user-delete", "55");
+
+event_link("ldap-update-simple", "password-modify", "95");
+event_link("ldap-update-simple", "user-lock", "55");
+
+event_link("ldap-update-simple", "ibay-create", "95");
+event_link("ldap-update-simple", "ibay-modify", "95");
+event_link("ldap-delete", "ibay-delete", "55");
+
+event_link("ldap-update-simple", "machine-account-create", "95");
+
+event_link("ldap-update", "bootstrap-ldap-save", "80");
+event_link("cleanup-unix-user-group", "bootstrap-ldap-save", "98");
+
+event_link("ldap-dump", "pre-backup", "30");
+
+event_link("ldap-update", "ldap-update", "80");
+templates2events("/etc/rc.d/init.d/masq", "ldap-update");
+templates2events("/etc/hosts.allow", "ldap-update");
+templates2events("/etc/openldap/ssl/slapd.pem", qw(ssl-update e-smith-ldap-update bootstrap-console-save) );
+safe_symlink("restart", "root/etc/e-smith/events/ldap-update/services2adjust/ldap");
+safe_symlink("restart", "root/etc/e-smith/events/ssl-update/services2adjust/ldap");
+safe_symlink("reload", "root/etc/e-smith/events/ldap-update/services2adjust/masq");
+safe_symlink("reload", "root/etc/e-smith/events/ldap-update/services2adjust/httpd-e-smith");
+
+event_link("ldap-delete-dumps", "pre-restore", "25");
+
+event_link("set-ldap-bootstrap", "bootstrap-console-save", "95");
+event_link("reset-ldap-bootstrap", "bootstrap-ldap-save", "95");
+
+
+my $event="e-smith-ldap-update";
+
+# systemd-specific action mandatory for this package-update event
+event_link("systemd-reload", $event, "89");
+event_link("systemd-default", $event, "88");
+safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/ldap");
+event_link("ldap-update", $event , "80");
+templates2events("/etc/rsyslog.conf", $event);
+safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/rsyslog");
+
+exit 0;
diff --git a/e-smith-ldap.spec b/e-smith-ldap.spec
new file mode 100644
index 0000000..d5b7089
--- /dev/null
+++ b/e-smith-ldap.spec
@@ -0,0 +1,1095 @@
+# $Id: e-smith-ldap.spec,v 1.24 2023/02/06 06:31:53 jpp Exp $
+
+Summary: e-smith server and gateway - LDAP module
+%define name e-smith-ldap
+Name: %{name}
+%define version 5.6.0
+%define release 18
+Version: %{version}
+Release: %{release}%{?dist}
+License: GPL
+Group: Networking/Daemons
+Source: %{name}-%{version}.tar.xz
+
+BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
+BuildArchitectures: noarch
+Requires: e-smith-base
+Requires: e-smith-lib >= 1.15.1-16
+Requires: openldap >= 2.0.0
+Requires: openldap-clients
+Requires: openldap-servers
+Requires: perl(Net::LDAP)
+Requires: libdb4-utils
+Requires: e-smith-formmagick >= 1.4.0-9
+BuildRequires: e-smith-devtools >= 1.13.1-03
+AutoReqProv: no
+
+%description
+e-smith server and gateway software - LDAP module.
+
+%changelog
+* Wed Jul 12 2023 cvs2git.sh aka Brian Read 5.6.0-18.sme
+- Roll up patches and move to git repo [SME: 12338]
+
+* Wed Jul 12 2023 BogusDateBot
+- Eliminated rpmbuild "bogus date" warnings due to inconsistent weekday,
+ by assuming the date is correct and changing the weekday.
+ +* Mon Feb 06 2023 Jean-Philippe Pialasse 5.6.0-17.sme +- remove alias for slapd [SME: 12314] + +* Tue Nov 22 2022 Jean-Philippe Pialasse 5.6.0-16.sme +- fix slapd dropin missing section [SME: 12221] + +* Sun Apr 17 2022 Jean-Philippe Pialasse 5.6.0-15.sme +- add support or rsshusers system group [SME: 11753] + +* Fri Feb 18 2022 Jean-Philippe Pialasse 5.6.0-14.sme +- redirect syslog for ldapt to /var/log/ldap/ldap.log [SME: 11745] + +* Wed Jun 09 2021 Jean-Philippe Pialasse 5.6.0-13.sme +- fix ssl-update reload instead of restart ldap [SME: 11598] + +* Thu Jun 03 2021 Jean-Philippe Pialasse 5.6.0-12.sme +- fix wrong path for templates.metadata [SME: 11595] + +* Sun May 30 2021 Jean-Philippe Pialasse 5.6.0-11.sme +- use template for ssl pem [SME: 11595] + +* Sun Mar 21 2021 Jean-Philippe Pialasse 5.6.0-10.sme +- fix ldap failing to start on initial boot [SME: 11480] + +* Sat Jan 02 2021 Jean-Philipe Pialasse 5.6.0-9.sme +- fix wrong alias to ldap.init [SME: 11301] + +* Fri Dec 11 2020 Jean-Philipe Pialasse 5.6.0-8.sme +- add -update event [SME: 11140] +- move ldap to systemd [SME: 11099] +- move ldap.init to systemd [SME: 11096] + +* Sat May 02 2020 Jean-Philipe Pialasse 5.6.0-7.sme +- New protocol default as TLSv1.2 [SME: 10936] + New property TLSProtocolMin + Ciphers are now ordered with stronger first + +* Thu Feb 23 2017 Daniel Berteaud 5.6.0-6.sme +- Disable SSLv3, but keep the possibility to enable it again [SME: 10108] +- Better default cipher suite, and honor global suite [SME: 10108] + +* Sun Jul 24 2016 Jean-Philipe Pialasse 5.6.0-5.sme +- systemd skip redirect [SME: 9688] +- Eliminated rpmbuild "bogus date" warnings due to inconsistent weekday, + by assuming the date is correct and changing the weekday. + Fri Jun 01 2000 --> Fri May 26 2000 or Thu Jun 01 2000 or Fri Jun 02 2000 or .... + Thu Aug 07 2001 --> Thu Aug 02 2001 or Tue Aug 07 2001 or Thu Aug 09 2001 or .... + Tue Jun 10 2010 --> Tue Jun 08 2010 or Thu Jun 10 2010 or Tue Jun 15 2010 or .... 
+ +* Thu May 12 2016 Daniel Berteaud 5.6.0-4.sme +- Add missing shebang in ldap.init script [SME: 9432] + +* Thu May 12 2016 Daniel Berteaud 5.6.0-3.sme +- Rebuild for [SME: 9393] + +* Fri Mar 18 2016 JP Pialasse 5.6.0-2.sme +- fix Requires db4-utils to libdb4-utils [SME: 9319] + +* Fri Feb 05 2016 stephane de Labrusse 5.6.0-1.sme +- Initial release to sme10 + +* Sun Jan 17 2016 Daniel Berteaud 5.4.0-20.sme +- Hook into the new ssl-update event [SME: 9152] + +* Mon Apr 27 2015 Daniel Berteaud 5.4.0-19.sme +- Remove size limit for search result [SME: 8918] + +* Wed Feb 11 2015 Daniel Berteaud 5.4.0-18.sme +- Make pdbedit output independent from locale and timezone so it can be + parsed [SME: 8841] + +* Tue Nov 11 2014 Daniel Berteaud 5.4.0-17.sme +- Symlink /etc/init.d/ldap to /usr/bin/sv [SME: 8635] + +* Tue Nov 11 2014 Daniel Berteaud 5.4.0-16.sme +- Chown all DB files to ldap before staring slapd [SME: 8635] + +* Fri Oct 24 2014 Daniel Berteaud 5.4.0-15.sme +- Set checkpoint in slapd.conf instead of DB_CONFIG [SME: 8621] + +* Fri Oct 24 2014 Daniel Berteaud 5.4.0-14.sme +- Stop ldap on shutdown (rc0 and rc6) [SME: 8611] + +* Fri Oct 24 2014 Daniel Berteaud 5.4.0-13.sme +- Don't overwrite the ldif dump if slapcat's output is empty + (code from Charlie Brady) [SME: 8621] + +* Fri Oct 24 2014 Daniel Berteaud 5.4.0-12.sme +- Run db_recover on startup [SME: 8622] + +* Fri Oct 24 2014 Daniel Berteaud 5.4.0-11.sme +- Don't wipe LDAP DB when the ldif dump is empty [SME: 8619] + +* Wed Nov 13 2013 Daniel Berteaud 5.4.0-10.sme +- Adjust slapd ACL [SME: 8000] + +* Sat Mar 9 2013 Shad L. 
Lords 5.4.0-9.sme +- Add dummy unused file to slapd.d to prevent openldap-servers + post script from running [SME: 7258] + +* Mon Feb 25 2013 Daniel Berteaud 5.4.0-8.sme +- Use db_archive to remove unused BDB log files [SME: 7403] + +* Sun Feb 24 2013 Daniel Berteaud 5.4.0-7.sme +- Wait for slapd to be ready before running bootstrap-ldap-save [SME: 7395] + +* Fri Feb 22 2013 Daniel Berteaud 5.4.0-6.sme +- Do not remove slapd.d, just make sure it's empty [SME: 7258] + +* Thu Feb 21 2013 Daniel Berteaud 5.4.0-5.sme +- Make sure slapd uses slapd.conf instead of slapd.d [SME: 7258] + +* Tue Feb 19 2013 Daniel Berteaud 5.4.0-4.sme +- Remove now unneeded and out of scope schemacheck directive [SME: 7260] + +* Mon Feb 18 2013 Daniel Berteaud 5.4.0-3.sme +- Stop trying to load autofs.schema [SME: 7259] + +* Wed Feb 13 2013 Daniel Berteaud 5.4.0-2.sme +- Add missing dependency on openldap-servers [SME: 7347] + +* Wed Feb 13 2013 Shad L. Lords 5.4.0-1.sme +- Roll new stream for sme9 +- Perl modules moved to /usr/share/perl5/vendor_perl [SME: 7223] + +* Tue Nov 13 2012 Daniel Berteaud 5.2.0-78.sme +- Fix removing old BDB log files [SME: 7166] + +* Tue Nov 13 2012 Daniel Berteaud 5.2.0-77.sme +- Remove unused BDB log files [SME: 7166] + +* Mon Mar 14 2011 Daniel Berteaud 5.2.0-76.sme +- Check slapd.conf syntax before trying to dump the database [SME: 6452] + +* Mon Mar 14 2011 Daniel Berteaud 5.2.0-75.sme +- Stop using gecos attribute in LDAP [SME: 6539] + +* Wed Dec 1 2010 Shad L. Lords 5.2.0-74.sme +- Fix replace logic in ldif-fix [SME: 6423] + +* Wed Dec 1 2010 Shad L. Lords 5.2.0-73.sme +- Fix permissions on ldif-fix script [SME: 6244] + +* Wed Dec 1 2010 Shad L. Lords 5.2.0-72.sme +- Replace convert_ldif with ldif-fix script [SME: 6244] +- Remove ldif template and expansion [SME: 6421] +- Simplify ldap-update call by calling ldif-fix [SME: 6422] + +* Tue Nov 30 2010 Shad L. 
Lords 5.2.0-71.sme +- Update ldap database later to pick up samba group maps [SME: 6419] + +* Tue Nov 30 2010 Shad L. Lords 5.2.0-70.sme +- Use correct field (Dept) for ou ldap field [SME: 6417] + +* Tue Nov 30 2010 Shad L. Lords 5.2.0-69.sme +- Add rfc2739.schem back in and include in config so upgrades work [SME: 5159] + +* Tue Nov 30 2010 Daniel Berteaud 5.2.0-68.sme +- Use ldapmodify to load ldif, add -a if no changetype [SME: 6413] + +* Tue Nov 23 2010 Daniel Berteaud 5.2.0-67.sme +- Remove bogus junk attribute from ldif templates [SME: 6396] + +* Mon Nov 22 2010 Shad L. Lords 5.2.0-66.sme +- Change startup order for ldap [SME: 6390] + +* Thu Nov 11 2010 Shad L. Lords 5.2.0-65.sme +- Store locked password instead of expired password [SME: 6360] + +* Wed Nov 10 2010 Daniel Berteaud 5.2.0-64.sme +- Fixed ldif templates error [SME: 6356] + +* Mon Nov 8 2010 Shad L. Lords 5.2.0-63.sme +- Simplify ldap-update for most events [SME: 6354] + +* Fri Nov 5 2010 Shad L. Lords 5.2.0-62.sme +- Adjust call to ldap-update later create/modify/delete [SME: 6284] + +* Thu Nov 4 2010 Shad L. Lords 5.2.0-61.sme +- Apply correct patch for group descriptions/password [SME: 6337] + +* Thu Nov 4 2010 Shad L. Lords 5.2.0-60.sme +- groups don't have password, some don't have description [SME: 6337] + +* Tue Nov 2 2010 Shad L. Lords 5.2.0-59.sme +- Remove unix users/groups if ldap is master [SME: 6325] + +* Tue Nov 2 2010 Shad L. Lords 5.2.0-58.sme +- Disable ldap-delete if ldap is master [SME: 6324] + +* Tue Nov 02 2010 Daniel Berteaud 5.2.0-57.sme +- Enable the new ldap.init service [SME: 6231] + +* Sat Oct 30 2010 Daniel Berteaud 5.2.0-56.sme +- Fix a small typo in reset-ldap-bootstrap [SME: 6231] + +* Fri Oct 29 2010 Shad L. Lords 5.2.0-55.sme +- Add ldap.init script to allow update on reconfig/reboot [SME: 6231] + +* Thu Oct 28 2010 Daniel Berteaud 5.2.0-54.sme +- Fix minor errors in ldap-update [SME: 6312] + +* Wed Oct 27 2010 Shad L. 
Lords 5.2.0-53.sme +- Add www user/group to ldap [SME: 6312] + +* Wed Oct 27 2010 Daniel Berteaud 5.2.0-52.sme +- Fixes for nobody and shared groups [SME: 6310] + +* Wed Oct 27 2010 Daniel Berteaud 5.2.0-51.sme +- Add nobody and shared groups in LDAP [SME: 6310] + +* Thu Oct 14 2010 Daniel Berteaud 5.2.0-50.sme +- Allow authenticated users to read posixAccount and shadowAccount attrs [SME: 6254] + +* Wed Oct 13 2010 Daniel Berteaud 5.2.0-49.sme +- call ldap-update later during group and user creation [SME: 6284] + +* Thu Oct 7 2010 Daniel Berteaud 5.2.0-48.sme +- Update group membership for deleted accounts [SME: 6276] + +* Thu Oct 7 2010 Daniel Berteaud 5.2.0-47.sme +- Don't call ldap-update on deleted accounts [SME: 6239] + +* Thu Oct 7 2010 Daniel Berteaud 5.2.0-46.sme +- Link ldap-update scripts in needed events [SME: 6239] + +* Sat Oct 2 2010 Daniel Berteaud 5.2.0-45.sme +- Fix toggle anonymous access [SME: 6255] + +* Sat Oct 2 2010 Daniel Berteaud 5.2.0-44.sme +- Toggle anonymous access with AnonymousAccess property [SME: 6255] + +* Sat Oct 2 2010 Daniel Berteaud 5.2.0-43.sme +- Allow authenticated users to see more than just their own entry [SME: 6079] + +* Sat Oct 2 2010 Daniel Berteaud 5.2.0-42.sme +- Deny access to some attributes for anonymous users [SME: 6254] + +* Mon Sep 27 2010 Daniel Berteaud 5.2.0-41.sme +- Add ldap-update support for several accounts [SME: 6249] + +* Mon Sep 27 2010 Shad L. Lords 5.2.0-40.sme +- Make ldif template create single hash [SME: 6240] + +* Mon Sep 27 2010 Daniel Berteaud 5.2.0-39.sme +- Fix ldap-delete script [SME: 6238] + +* Sun Sep 26 2010 Shad L. Lords 5.2.0-38.sme +- Update ldif template to match stored data [SME: 6240] + +* Sun Sep 26 2010 Shad L. Lords 5.2.0-37.sme +- Delete all ldap objects that we now create [SME: 6238] + +* Sat Sep 25 2010 Shad L. Lords 5.2.0-36.sme +- Ensure required attributes are present for rename [SME: 6235] + +* Sat Sep 25 2010 Shad L. 
Lords 5.2.0-35.sme +- Fix old record lookups from sme7 [SME: 6235] + +* Sat Sep 25 2010 Shad L. Lords 5.2.0-34.sme +- Add ibay and machine accounts into ldap [SME: 6236] + +* Sat Sep 25 2010 Shad L. Lords 5.2.0-33.sme +- Rename old ldap record from sme7 if exists [SME: 6235] + +* Sat Sep 25 2010 Shad L. Lords 5.2.0-32.sme +- Fix/add base ou entries needed for new schema [SME: 6234] + +* Sat Sep 25 2010 Shad L. Lords 5.2.0-31.sme +- Rewrite ldap-update to make adding classes easier [SME: 6233] + +* Fri Sep 24 2010 Daniel Berteaud 5.2.0-30.sme +- Add sambaSamAccount attributes in LDAP [SME: 6232] + +* Thu Sep 23 2010 Daniel Berteaud 5.2.0-29.sme +- Use full path to config in the run script [SME: 6222] + +* Thu Sep 23 2010 Daniel Berteaud 5.2.0-28.sme +- Add posixAccount attributes in LDAP [SME: 6074] + +* Thu Sep 23 2010 Daniel Berteaud 5.2.0-27.sme +- Create the Computers OU [SME: 6230] + +* Thu Sep 23 2010 Daniel Berteaud 5.2.0-26.sme +- Dump ldap data during the pre-backup event [SME: 6226] + +* Wed Sep 22 2010 Daniel Berteaud 5.2.0-25.sme +- Send slapd logs in /var/log/ldap (multilog) [SME: 6222] +- Force the service to be enabled [SME: 6221] +- Indexe memberUid attribute [SME: 6220] +- Expand slapd.conf during ldap-update event [SME: 6224] +- Split slapd ACL template [SME: 6225] +- Prevent users from reading their password over a unsecured link [SME: 6252] +- Use md5crypt hash when client requests exop [SME: 6223] + +* Wed Sep 22 2010 Daniel Berteaud 5.2.0-24.sme +- Restrict access to the ldif file [SME: 6217] + +* Thu Jun 10 2010 Jonathan Martens 5.2.0-23.sme + Tue Jun 10 2010 --> Tue Jun 08 2010 or Thu Jun 10 2010 or Tue Jun 15 2010 or .... 
+- Fix ldap-create errors when adding empty groups [SME: 5920] + +* Mon Jun 7 2010 Federico Simoncelli 5.2.0-22.sme +- Update email addresses on domain change (thanks Daniel) [SME: 5984] +- Update admin information (thanks Daniel) [SME: 6014] + +* Tue May 4 2010 Jonathan Martens 5.2.0-21.sme +- Fix indentation in S25ldap-update script [SME: 5914] + +* Fri Apr 30 2010 Filippo Carletti 5.2.0-20.sme +- Don't try to save ibay password to ldap [SME: 5906] + +* Mon Mar 1 2010 Daniel B. 5.2.0-19.sme +- Fix bug reference in spec file + +* Mon Mar 1 2010 Filippo Carletti 5.2.0-18.sme +- Fix admin user password change (Daniel B.) [SME: 5810] + +* Tue Feb 9 2010 Filippo Carletti 5.2.0-17.sme +- Init database if the ldif dump is empty (ie from sme8b) [SME: 5747] + +* Fri Feb 5 2010 Stephen Noble 5.2.0-16.sme +- revert re-init database [SME:5747] + +* Fri Feb 5 2010 Stephen Noble 5.2.0-15.sme +- re-init readonly database on post-upgrade [SME:5747] + +* Thu Feb 4 2010 Daniel B. 5.2.0-14.sme +- Force SSL/TLS for remote authentication [SME: 5748] + +* Wed Feb 3 2010 Stephen Noble 5.2.0-13.sme +- reuse users_groups_ous.patch2 [SME: 5743] + +* Wed Feb 3 2010 Stephen Noble 5.2.0-12.sme +- Separate groups and users with mailboxRelatedObject [SME:5749] + +* Wed Feb 3 2010 Stephen Noble 5.2.0-11.sme +- Set readonly access [SME:5752] + +* Sun Jan 31 2010 Stephen Noble 5.2.0-10.sme +- Fix ldap-update action script to user-lock event [SME: 5720] + +* Sun Jan 31 2010 Stephen Noble 5.2.0-9.sme +- Fix Groups entries [SME: 5743] + +* Sun Jan 31 2010 Stephen Noble 5.2.0-8.sme +- Add Groups entries [SME: 5743] + +* Sun Jan 31 2010 Stephen Noble 5.2.0-7.sme +- Add admin user as a standard user [SME: 5742] + +* Sat Jan 30 2010 Jonathan Martens 5.2.0-6.sme +- Add ldap-update action script to user-lock event [SME: 5720] + +* Wed Jan 27 2010 Federico Simoncelli 5.2.0-5.sme +- Add ldap authentication and tls support [SME: 5720] + +* Wed Jan 13 2010 Filippo Carletti 5.2.0-4.sme +- Update schema for 
newer openldap and remove calFBurl [SME: 5159] +- Convert ldif dump [SME: 5446] + +* Sun Feb 8 2009 Charlie Brady 5.2.0-3.sme +- Create bdb log directory. [SME: 3018] + +* Tue Jan 27 2009 Charlie Brady 5.2.0-2.sme +- Change ldap backend to bdb, and fix initialisation problem. + [SME: 3018, 2859] + +* Tue Oct 7 2008 Shad L. Lords 5.2.0-1.sme +- Roll new stream to separate sme7/sme8 trees [SME: 4633] + +* Wed Aug 20 2008 Shad L. Lords 4.13.0-1 +- Roll new dev stream. + +* Fri Jul 25 2008 Shad L. Lords 4.12.0-11 +- Separate template to avoid breaking schema [SME: 4171] + +* Sat Jul 5 2008 Jonathan Martens 4.12.0-10 +- Add common tags to e-smith-formmagick's general [SME: 4279] + +* Tue Apr 1 2008 Shad L. Lords 4.12.0-9 +- Add free/busy URL entry to help kronolith contribs [SME: 1806] + +* Wed Feb 13 2008 Stephen Noble 4.12.0-8 +- Remove tags now in general [SME: 3919] + +* Tue Jun 26 2007 Charlie Brady +- Fix format error in ldif template. [SME: 3107] + +* Sun Apr 29 2007 Shad L. Lords +- Clean up spec so package can be built by koji/plague + +* Mon Feb 19 2007 Charlie Brady 4.12.0-6 +- Don't tell slapd to create pid and args files that we don't need + and don't use (and can't create with later openldap version). + [SME: 2477] + +* Sat Jan 13 2007 Shad L. Lords 4.12.0-5 +- Make success/failure messages standard [SME: 2289] + +* Thu Dec 07 2006 Shad L. Lords +- Update to new release naming. No functional changes. +- Make Packager generic + +* Wed Nov 08 2006 Charlie Brady 4.12.0-03 +- Correct permissions on slapd.conf. [SME: 2037] + +* Thu Sep 28 2006 Charlie Brady 4.12.0-02 +- Don't attempt to create IPv6 socket (log noise). [SME: 1946] + +* Wed Mar 15 2006 Charlie Brady 4.12.0-01 +- Roll stable stream version. [SME: 1016] + +* Sun Jan 22 2006 Charlie Brady 4.11.3-08 +- Use correct utf8 encoding for non-ascii attributes. [SME: 537] + +* Fri Jan 20 2006 Charlie Brady 4.11.3-07 +- Reexpand hosts.allow template during ldap-update. 
[SME: 520] + +* Thu Jan 19 2006 Charlie Brady 4.11.3-06 +- Reexpand masq template during ldap-update. [SME: 520] + +* Mon Jan 16 2006 Charlie Brady 4.11.3-05 +- Remove obsolete ldap-rebuild script. [SME: 463] + +* Sun Jan 15 2006 Charlie Brady 4.11.3-04 +- Delete old contents of directory if domain name is changed. + [SME: 393] + +* Wed Nov 30 2005 Gordon Rowell 4.11.3-03 +- Bump release number only + +* Mon Nov 21 2005 Charlie Brady +- [4.11.3-02] +- Work around slapd's failure to accept 'objectClass: group' (in spite + of schema checking being disabled). [SF: 1362868] + +* Fri Oct 14 2005 Gordon Rowell +- [4.11.3-01] +- Remove L10Ns from base packages [SF: 1309520] + +* Fri Oct 14 2005 Gordon Rowell +- [4.11.2-01] +- New dev stream before relocating L10Ns + +* Fri Sep 30 2005 Gordon Rowell +- [4.11.1-19] +- Added Italian L10N - Thanks Filippo Carletti [SF: 1309266] + +* Mon Sep 26 2005 Gordon Rowell +- [4.11.1-18] +- Added German L10N - Thanks Dietmar Berteld [SF: 1293325] + +* Tue Sep 6 2005 Charlie Brady +- [4.11.1-17] +- Add template fragment to allow bind using LDAP version + 2. [SF: 1282697] + +* Wed Jul 27 2005 Charlie Brady +- [4.11.1-16] +- Move masq fragement from template to db [SF: 1241415] +- Remove all use of deprecated esmith::config API. + +* Mon Jun 13 2005 Charlie Brady +- [4.11.1-15] +- Remove unused and deprecated kerberosobject schema. + +* Fri Apr 15 2005 Charlie Brady +- [4.11.1-14] +- Fix typo in services2adjust symlink for apache. + +* Fri Apr 15 2005 Charlie Brady +- [4.11.1-13] +- Drop back to simple schema, and 6.x version of ldap-update script. + More thought needed about how to extend the schema and how to handle + property deletions. + +* Thu Apr 14 2005 Charlie Brady +- [4.11.1-12] +- Remove full restart of apache from panel, and add sigusr1 to ldap-update + event handling. 
+- Update ldif file templates and ldap-update script to fill out the schema + a little, to remove bogus adding of user attribute to group entries, and + to allow removal of properties which have been nulled out. + +* Fri Apr 1 2005 Charlie Brady +- [4.11.1-11] +- Comment out for now the utf8 conversion, as it's not working + yet. + +* Wed Mar 23 2005 Charlie Brady +- [4.11.1-10] +- Remove explicit generic_template_expand symlink in ldap-update + event - not required. +- Create "finish" script to do ldif file dump on shutdown. +- Add templates for ldif file used during ldap rebuild. +- Handle latin->utf8 conversion in ldif templates. + +* Tue Mar 8 2005 Charlie Brady +- [4.11.1-09] +- Use generic adjust-services in place of adjust-masq [MN00065576] + +* Tue Mar 8 2005 Charlie Brady +- [4.11.1-08] +- Remove dangling ldap-conf symlink. [MN00064130] + +* Tue Jan 25 2005 Charlie Brady +- [4.11.1-07] +- Remove ldap-delete-dumps from post-backup event. It leaves ldap + stopped and with no directory contents. [MN00025069] +- Added ldap-delete-dumps to post-backup to prevent potential ldap database + clobbering on post-upgrade. [msoulier MN00025069] +- Update e-smith-devtools BuildRequires, and createlinks script. + [MN00064130] + +* Tue Jan 18 2005 Charlie Brady +- [4.11.1-06] +- Use generic_template_expand action where possible, in place + of specific actions. Update e-smith-lib dependency. [MN00064130] + +* Wed Dec 29 2004 Charlie Brady +- [4.11.1-05] +- Create missing /service symlink, and add down file to service + directory to control startup sequence. [charlieb MN00062133] + +* Mon Dec 20 2004 Charlie Brady +- [4.11.1-04] +- Use supervise to run slapd. [charlieb MN00062133] + +* Tue Nov 9 2004 Charlie Brady +- [4.11.1-03] +- Include redhat/rfc822-MailMember.schema specification from earlier + RedHat openldap packages (missing in RHEL3). [charlieb MN00056724] +- Remove deprecated ldap-startup script. 
Add ldap service default fragments + and a migrate fragment to initialize the password. [charlieb MN00056726] +- Remove obsolete conf-migrate-ldap-variables action [charlieb MN00056733] + +* Tue Sep 28 2004 Michael Soulier +- [4.11.1-02] +- Updated requires with new perl dependencies. [msoulier MN00040240] + +* Mon May 10 2004 Michael Soulier +- [4.11.1-01] +- Updated createlinks. +- Added ldap-delete-dumps to post-backup to prevent potential ldap database + clobbering on post-upgrade. [msoulier MN00025069] + +* Thu Sep 4 2003 Charlie Brady +- [4.11.0-01] +- Changing version to development stream number - 4.11.0 + +* Wed Jul 9 2003 Charlie Brady +- [4.10.0-02] +- Avoid restart of slapd during bootstrap-console-save event. + [charlieb 9338] + +* Thu Jun 26 2003 Charlie Brady +- [4.10.0-01] +- Changing version to stable stream number - 4.10.0 + +* Tue May 6 2003 Lijie Deng +- [4.9.0-12] +- Add Spanish lexicon for directory panel [lijied 3793] + +* Wed Apr 16 2003 Michael Soulier +- [4.9.0-11] +- Modified French translation [lijied 7949] +- Modified ldap-dump to take its domainname from /etc/openldap/ldap.conf, and + be aware of domainname changes. 
[msoulier 6747] + +* Thu Apr 3 2003 Lijie Deng +- [4.9.0-10] +- Removed 'Mitel Networks SME Server' branding [lijied 8016] + +* Thu Mar 27 2003 Lijie Deng +- [4.9.0-09] +- Modified French lexicon to use lang="fr", rename the lexicon + directory to fr [lijied 6787] + +* Tue Mar 25 2003 Lijie Deng +- [4.9.0-08] +- Modified directory access en-us and fr-ca text [lijied 4081] + +* Tue Mar 18 2003 Lijie Deng +- [4.9.0-07] +- Split out ./etc/openldap/ldap.conf/template-begin [lijied 3295] + +* Mon Mar 17 2003 Lijie Deng +- [4.9.0-06] +- Deleted empty template-end file [lijied 3295] + +* Thu Mar 6 2003 Lijie Deng +- [4.9.0-05] +- Modified directory panel order [lijied 7356] + +* Tue Mar 4 2003 Lijie Deng +- [4.9.0-04] +- Split en-us lexicon from directory panel [lijied 4030] + +* Fri Feb 28 2003 Lijie Deng +- [4.9.0-03] +- s/HostsAllowSpec/hosts_allow_spec/ [charlieb 5650] +- Remodified the lexicon file [lijied 5003] + +* Fri Feb 28 2003 Charlie Brady +- [4.9.0-02] +- Added French lexicon for directory [lijied 5003] +- Re-do hosts.allow template to use esmith::ConfigDB::HostsAllowSpec. + Add dependency on up-to-date e-smith-lib. [charlieb 5650] + +* Wed Nov 20 2002 Mike Dickson +- [4.9.0-01] +- Changing to development stream; version upped to 4.9.0 + +* Fri Oct 11 2002 Charlie Brady +- [4.8.0-01] +- Roll to maintained version number to 4.8.0 + +* Wed Oct 2 2002 Charlie Brady +- [4.7.6-14] +- Override the default backgrounding of ldap restart in + gentle-ldap-dump action [charlieb 2745] +- Remove deprecated serviceControl enable/disable calls from + ldap-startup [charlieb 4458] + +* Tue Sep 24 2002 Mark Knox +- [4.7.6-13] +- Use esmith::util and shut down LDAP in foreground [markk 2745] + +* Tue Sep 24 2002 Mark Knox +- [4.7.6-12] +- Add pre-restore event and ldap-delete-dumps action [markk 2745] + +* Thu Sep 12 2002 Charlie Brady +- [4.7.6-11] +- Fix permission/ownership of /etc/openldap/slapd.conf. 
[charlieb 4862] + +* Tue Sep 10 2002 Charlie Brady +- [4.7.6-10] +- Remove redundant "my" in ldap-rebuild (causes warning). [charlieb 2745] + +* Thu Sep 5 2002 Charlie Brady +- [4.7.6-09] +- Remove stray ; (where are those code police?). [charlieb 2745] + +* Tue Sep 3 2002 Charlie Brady +- [4.7.6-08] +- Fix $c->get('DomainName') => $c->get('DomainName')->value snafu + [charlieb 2745] + +* Mon Sep 2 2002 Charlie Brady +- [4.7.6-07] +- Fix Domain => DomainName snafu. [charlieb 2745] + +* Thu Aug 29 2002 Charlie Brady +- [4.7.6-06] +- Create new gentle-ldap-dump action, and include it in pre-backup + event. [charlieb 2745] + +* Thu Aug 29 2002 Charlie Brady +- [4.7.6-05] +- Revert ldap-dump to slapcat version, and remove symlinks from all + actions. The ldap init script is being modified to call ldap-dump + after slapd shutdown. [charlieb 4739] + +* Tue Aug 27 2002 Charlie Brady +- [4.7.6-04] +- Rewrite ldap-dump to use Net::LDAP::LDIF so that it reads data from + ldap daemon rather than directly from ldap db files. [charlieb 4057] + +* Tue Aug 27 2002 Charlie Brady +- [4.7.6-03] +- Fix run-time problems in OO conversion of ldap-update [charlieb 4057] + +* Fri Aug 23 2002 Charlie Brady +- [4.7.6-02] +- Change ldap-rebuild to build directory using LDIF dump if found, + and new data otherwise. [charlieb 4057] +- Re-write ldap-update and ldap-rebuild to use OO db accesses, + for clarity. [charlieb 4057] +- Dump LDAP directory every time we change it. [charlieb 4057] + +* Tue Aug 20 2002 Charlie Brady +- [4.7.6-01] +- Add program to do LDIF dump of ldap directory. [charlieb 4057] + +* Mon Aug 19 2002 Charlie Brady +- [4.7.5-01] +- Remove unnecessary actions: ldap-rebuild from console-save event and + ldap-conf from ldap-update event. [charlieb 4057] +- Change ldap-update action so that when run during the ldap-update + event it iterates through user and group accounts and updates records + with current values. 
Link ldap-update action into ldap-update event + in place of ldap-rebuild action. [charlieb 4057] + +* Mon Aug 19 2002 Charlie Brady +- [4.7.4-01] +- Use new adjust-masq action rather than restart-masq during ldap-update. + [charlieb 4501] + +* Thu Aug 15 2002 Charlie Brady +- [4.7.3-01] +- Add rc7.d symlink and don't set deprecated InitscriptsOrder property + [charlieb 4458] +- Change use of allow_tcp_in() function to allow dynamic reconfig. + [charlieb 4501] + +* Thu Aug 8 2002 Charlie Brady +- [4.7.2-01] +- Change inbound rule to use allow_tcp_in() function. The + function actually implements connection tracking. [charlieb 4499] + +* Wed Jul 17 2002 Charlie Brady +- [4.7.1-01] +- Change masq script fragment to use iptables. [charlieb 1268] + +* Wed Jun 5 2002 Charlie Brady +- [4.7.0-01] +- Changing version to development stream number 4.7.0 + +* Fri May 31 2002 Charlie Brady +- [4.6.0-01] +- Changing version to maintained stream number to 4.6.0 + +* Thu May 23 2002 Gordon Rowell +- [4.5.10-01] +- RPM rebuild forced by cvsroot2rpm + +* Mon May 6 2002 Gordon Rowell +- [4.5.9-01] +- Localise SAVE button [gordonr 3222] + +* Fri May 3 2002 Charlie Brady +- [4.5.8-01] +- Remove /etc/e-smith/tests/.dummy. Make empty /etc/e-smith/tests in %build. + [charlieb 3343] + +* Wed May 1 2002 Gordon Rowell +- [4.5.7-01] +- esmith::AccountDB -> esmith::AccountsDB [schwern 3287] + +* Thu Apr 25 2002 Gordon Rowell +- [4.5.6-01] +- Added header and footer to page [gordonr 3223] +- Added nav bar entries to lexicon [gordonr 3155] + +* Mon Apr 15 2002 Gordon Rowell +- [4.5.5-01] +- Adjusted site-perl -> site_perl + +* Mon Apr 15 2002 Gordon Rowell +- [4.5.4-01] +- Language en-> en-us + +* Wed Apr 10 2002 Kirrily Robert +- [4.5.3-01] +- Added i18n'd directory panel + +* Mon Mar 25 2002 Kirrily Robert +- [4.5.2-01] +- Checking for success of CVS import + +* Mon Mar 25 2002 Kirrily Robert +- [4.5.1-01] +- rollRPM: Rolled version number to 4.5.1-01. Includes patches up to 4.5.0-02. 
+ +* Mon Mar 25 2002 Kirrily Robert +- [4.5.0-02] +- removed extraneous rmdir in setup section that was breaking the build + +* Mon Mar 25 2002 Kirrily Robert +- [4.5.0-01] +- rollRPM: Rolled version number to 4.5.0-01. Includes patches up to 4.4.0-08. + +* Fri Nov 16 2001 Charlie Brady +- [4.4.0-08] +- Fix code which adds the "ldap" user - it was trying to use "ldap" as + a supplementary group (using -G) rather than as initial group (-g). +- Remove two $! from warn statements as they are won't contain useful + information. + +* Wed Nov 07 2001 Tony Clayton +- [4.4.0-07] +- rebranding to Mitel Networks + +* Thu Oct 18 2001 Charlie Brady +- [4.4.0-06] +- Fix regeneration of ldap password every time slapd.conf was + re-expanded. See Bugzilla #1966 for details. + +* Thu Oct 18 2001 Charlie Brady +- [4.4.0-05] +- Added code to add "ldap" user and group if necessary + +* Tue Aug 28 2001 Gordon Rowell +- [4.4.0-04] +- Removed deprecated post-restore event directory + +* Fri Aug 17 2001 Adrian Chung +- [4.4.0-03] +- Add restart-httpd-full call to end of web panel, after + user confirmation of update has been sent. + +* Fri Aug 17 2001 gordonr +- [4.4.0-02] +- Autorebuild by rebuildRPM + +* Wed Aug 8 2001 Charlie Brady +- [4.4.0-01] +- Rolled version number to 4.4.0-01. Includes patches upto 4.3.1-05. + +* Wed Aug 8 2001 Charlie Brady +- [4.3.1-05] +- Use Net::LDAP module in ldap-delete and ldap-update. Something broke + in the ldap{add,modify,delete} versions of the scripts, and it's easy + to debug, and probably more efficient to just write to the perl API. + +* Wed Aug 8 2001 Charlie Brady +- [4.3.1-04] +- Change uid/gid before execing slapadd, so that created db files have + correct ownership +- Reformat ldap-rebuild to fit in 80 columns. + +* Tue Aug 7 2001 Charlie Brady +- [4.3.1-03] +- Use slapadd instead of ldif2ldbm program for ldap-rebuild. Use pipe + rather than temp file. 
+- Re-add "schemacheck off" to slapd.conf - we don't pass the strict + checking which is recommended. + +* Tue Aug 7 2001 Charlie Brady +- [4.3.1-02] +- openldap v2 changes - change ownership of slapd.conf, use different + bundled schema files, and add indexes. + +* Tue Aug 7 2001 Charlie Brady +- [4.3.1-01] +- Rolled version number to 4.3.1-01. Includes patches upto 4.3.0-07. + +* Tue Aug 07 2001 Charlie Brady +- [4.3.0-07] +- Break slapd.conf template into fragments, and include in-line + at.conf and co.conf fragements, rather than use include feature. + This is to make configuration stable across versions of openldap. + +* Thu Aug 02 2001 Gordon Rowell +- [4.3.0-06] +- More branding changes + +* Sun Jul 29 2001 Jason Miller +- [4.3.0-05] +- Branding text changes to the directory web panel + +* Fri Jul 6 2001 Peter Samuel +- [4.3.0-04] +- Change license to GPL + +* Wed Jul 04 2001 Gordon Rowell +- [4.3.0-03] +- Use esmith::util::LdapPassword instead of direct file access + +* Tue May 29 2001 Tony Clayton +- [4.3.0-02] +- fixed actions that had tied %conf when calling serviceControl (2 actions) + +* Sun Apr 29 2001 Charlie Brady +- [4.3.0-01] +- Rolled version number to 4.3.0-01. Includes patches upto 4.2.0-03. + +* Thu Feb 8 2001 Adrian Chung +- Rolling release number for GPG signing. + +* Fri Jan 26 2001 Charlie Brady +- [4.2.0-01] +- Added packet filter fragment to selectively allow external LDAP access +- Linked conf- and restart-masq actions into update-ldap event + +* Thu Jan 25 2001 Peter Samuel +- [4.2.0-01] +- Rolled version number to 4.2.0-01. Includes patches upto 4.1.0-17. + +* Tue Jan 16 2001 Adrian Chung +- [4.1.0-17] +- Add ldap-rebuild to bootstrap-console-save +- required to initialize ldap database. + +* Fri Jan 12 2001 Charlie Brady +- [4.1.0-16] +- Remove ldap-conf from post-upgrade action (it was occuring before + ldap-startup, which caused a problem). +- Delete obsolete post-restore action. 
+
+* Fri Jan 12 2001 Adrian Chung
+- [4.1.0-15]
+- split ldap-rebuild into ldap-conf and ldap-rebuild.
+
+* Thu Jan 11 2001 Gordon Rowell
+- [4.1.0-14]
+- Use serviceControl()
+
+* Thu Jan 11 2001 Charlie Brady
+- [4.1.0-13]
+- Fix perl warning in migrate variables script - simplify a chunk of code
+ while doing it.
+
+* Wed Jan 10 2001 Charlie Brady
+- [4.1.0-12]
+- Add genLdapPassword to ldap-startup - it somehow has been lost and never
+ happens.
+- Remove ldap-startup from console-save
+- Add ldap-startup to post-restore action
+- Add new bootstrap-console-save event
+- Change demo phone number from 999... to 555.... to save UK emergency
+ services
+
+* Tue Jan 09 2001 Jason Miller
+- [4.1.0-11]
+- updated ldap-startup to set the defaults on a fresh
+ installation
+- undid some bad changes to the conf-migrate-ldap-variables
+ script
+
+* Mon Jan 08 2001 Jason Miller
+- [4.1.0-5] through [4.1.0-9]
+- changed directory web panel to read from new configuration
+ database parameters
+- updated action scripts to take into account the new ldap
+ database parameters
+- added conf-migrate-ldap-variables as a new action in
+ both post-upgrade and post-restore
+
+* Fri Jan 05 2001 Jason Miller
+- [4.1.0-4]
+- updated copyright and fixed directory panel error in
+ not checking prototypes for subroutines
+
+* Tue Dec 12 2000 Gordon Rowell
+- [4.1.0-3]
+- Fixed e-smith-lib dependency
+
+* Mon Dec 11 2000 Tony Clayton
+- [4.1.0-2]
+- upgraded ldap-rebuild action to conform to new processTemplate
+- created dependency on e-smith-lib-4.1.0-13
+
+* Wed Dec 06 2000 Peter Samuel
+- [4.1.0-1]
+- Rolled version to 4.1.0-1. Includes patches up to 4.0.6-3
+
+* Tue Oct 31 2000 Charlie Brady
+- Fix some old bugs in event scripts - esmith::db was not in use
+ list.
+- Replace db_get_type calls with db_get_prop
+- Re-write ldap hosts.allow template.
+- Remove duplicate my $status in ldap-rebuild.
+
+* Mon Oct 30 2000 Charlie Brady
+- Merge services database back into configuration
+
+* Wed Oct 25 2000 Charlie Brady
+- Roll version number to 4.0.6-1.
+
+* Thu Oct 19 2000 Adrian Chung
+- Update web/functions/directory script to pass merged
+ confServicesCombined hash to esmith::cgi::gen...
+ functions.
+
+* Thu Oct 12 2000 Charlie Brady
+- Fix obsolete reference to LDAPServerMode.
+- Reformat to break long lines.
+
+* Fri Oct 06 2000 Charlie Brady
+- Delete %post action, and set the default services db value
+ in post-install action
+
+* Thu Oct 05 2000 Jason Miller
+- change .spec to use db:setdefault() function
+
+* Wed Oct 04 2000 Jason Miller
+- %post event for enabling ldap service automatically
+ (no more post-install code required)
+- dependencies on e-smith-lib > 0.1-21
+- only expand templates if ldapd enabled
+- only add to hosts.allow if ldapd enabled
+- enable/disable service dependant on services database
+
+* Tue Oct 03 2000 Charlie Brady
+- Update services database when enabling/disabling startup.
+
+* Tue Oct 03 2000 Adrian Chung
+- Added ldap service checking wrapper to action scripts.
+
+* Mon Sep 25 2000 Paul Nesbit
+- replaced references to e-smith.net with e-smith.com
+
+* Fri Aug 25 2000 Charlie Brady
+- Added build dependency on e-smith-devtools, and dependency on
+ e-smith-lib. Generate file list with genfilelist.
+
+* Thu Aug 24 2000 Gordon Rowell
+- Rewrote ldap-startup to use serviceControl()
+
+* Wed Jul 12 2000 Joseph Morrison
+- Add -1 argument to split commands to handle null final values in
+ configuration records
+
+* Fri Jun 16 2000 Charlie Brady
+- Rewrite createlinks in perl
+- Don't mark template files as config files.
+
+* Mon Jun 12 2000 Charlie Brady
+- Use new multi-arg form of backgroundCommand.
+
+* Thu Jun 01 2000 Charlie Brady
+ Fri Jun 01 2000 --> Fri May 26 2000 or Thu Jun 01 2000 or Fri Jun 02 2000 or ....
+- First created - broken out of e-smith-base 4.0.11.
+
+%prep
+%setup
+mkdir -p root/etc/openldap/ssl
+rm -rf root/service root/var/service root/etc/rc.d/init.d/supervise
+
+%build
+perl createlinks
+
+%install
+rm -rf $RPM_BUILD_ROOT
+(cd root ; find . -depth -print | cpio -dump $RPM_BUILD_ROOT)
+rm -f %{name}-%{version}-%{release}-filelist
+/sbin/e-smith/genfilelist $RPM_BUILD_ROOT \
+ --file /sbin/e-smith/systemd/ldap-certificate 'attr(0554,root,root)' \
+ --file /sbin/e-smith/systemd/ldap-prepare 'attr(0554,root,root)' \
+ --file /sbin/e-smith/systemd/ldap-finish 'attr(0554,root,root)' \
+ --file /var/service/ldap/ldif-fix 'attr(0750,root,root)' \
+ --file /var/service/ldap/finish 'attr(0750,root,root)' \
+ --dir /var/log/bdb 'attr(0700,ldap,ldap)' \
+ --dir /home/e-smith/db/ldap 'attr(0750,root,ldap)' \
+ --dir /var/log/ldap 'attr(0750,root,root)' \
+ --dir /etc/openldap/ssl 'attr(0750,root,ldap)' \
+ > %{name}-%{version}-%{release}-filelist
+echo "%doc COPYING" >> %{name}-%{version}-%{release}-filelist
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files -f %{name}-%{version}-%{release}-filelist
+%defattr(-,root,root)
+
+%pre
+if [ -L /etc/systemd/system/slapd.service ] ; then
+ /usr/bin/unlink /etc/systemd/system/slapd.service
+fi
+if [ $1 -gt 1 ] ; then
+ if [ -e /var/service/ldap/run ] ; then
+ /usr/bin/sv d ldap
+ /usr/bin/sv d ldap/log
+ fi
+fi
diff --git a/root/etc/e-smith/db/configuration/defaults/ldap.init/status b/root/etc/e-smith/db/configuration/defaults/ldap.init/status
new file mode 100644
index 0000000..86981e6
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/ldap.init/status
@@ -0,0 +1 @@
+enabled
diff --git a/root/etc/e-smith/db/configuration/defaults/ldap.init/type b/root/etc/e-smith/db/configuration/defaults/ldap.init/type
new file mode 100644
index 0000000..24e1098
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/ldap.init/type
@@ -0,0 +1 @@
+service
diff --git a/root/etc/e-smith/db/configuration/defaults/ldap/Authentication b/root/etc/e-smith/db/configuration/defaults/ldap/Authentication
new file mode 100644
index 0000000..7a68b11
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/ldap/Authentication
@@ -0,0 +1 @@
+disabled
diff --git a/root/etc/e-smith/db/configuration/defaults/ldap/TCPPorts b/root/etc/e-smith/db/configuration/defaults/ldap/TCPPorts
new file mode 100644
index 0000000..a266f67
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/ldap/TCPPorts
@@ -0,0 +1 @@
+389,636
diff --git a/root/etc/e-smith/db/configuration/defaults/ldap/access b/root/etc/e-smith/db/configuration/defaults/ldap/access
new file mode 100644
index 0000000..3e18ebf
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/ldap/access
@@ -0,0 +1 @@
+private
diff --git a/root/etc/e-smith/db/configuration/defaults/ldap/defaultCity b/root/etc/e-smith/db/configuration/defaults/ldap/defaultCity
new file mode 100644
index 0000000..21dbf7c
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/ldap/defaultCity
@@ -0,0 +1 @@
+Ottawa
diff --git a/root/etc/e-smith/db/configuration/defaults/ldap/defaultCompany b/root/etc/e-smith/db/configuration/defaults/ldap/defaultCompany
new file mode 100644
index 0000000..2a2f418
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/ldap/defaultCompany
@@ -0,0 +1 @@
+XYZ Corporation
diff --git a/root/etc/e-smith/db/configuration/defaults/ldap/defaultDepartment b/root/etc/e-smith/db/configuration/defaults/ldap/defaultDepartment
new file mode 100644
index 0000000..c098216
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/ldap/defaultDepartment
@@ -0,0 +1 @@
+Main
diff --git a/root/etc/e-smith/db/configuration/defaults/ldap/defaultPhoneNumber b/root/etc/e-smith/db/configuration/defaults/ldap/defaultPhoneNumber
new file mode 100644
index 0000000..ed5caa5
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/ldap/defaultPhoneNumber
@@ -0,0 +1 @@
+555-5555
diff --git a/root/etc/e-smith/db/configuration/defaults/ldap/defaultStreet b/root/etc/e-smith/db/configuration/defaults/ldap/defaultStreet
new file mode 100644
index 0000000..f58056e
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/ldap/defaultStreet
@@ -0,0 +1 @@
+123 Main Street
diff --git a/root/etc/e-smith/db/configuration/defaults/ldap/status b/root/etc/e-smith/db/configuration/defaults/ldap/status
new file mode 100644
index 0000000..86981e6
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/ldap/status
@@ -0,0 +1 @@
+enabled
diff --git a/root/etc/e-smith/db/configuration/defaults/ldap/type b/root/etc/e-smith/db/configuration/defaults/ldap/type
new file mode 100644
index 0000000..24e1098
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/ldap/type
@@ -0,0 +1 @@
+service
diff --git a/root/etc/e-smith/db/configuration/force/ldap/status b/root/etc/e-smith/db/configuration/force/ldap/status
new file mode 100644
index 0000000..86981e6
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/force/ldap/status
@@ -0,0 +1 @@
+enabled
diff --git a/root/etc/e-smith/db/configuration/migrate/ldap/GenPassword b/root/etc/e-smith/db/configuration/migrate/ldap/GenPassword
new file mode 100644
index 0000000..525e1eb
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/migrate/ldap/GenPassword
@@ -0,0 +1,3 @@
+{
+ -f "/etc/openldap/ldap.pw" || esmith::util::genLdapPassword();
+}
diff --git a/root/etc/e-smith/db/configuration/migrate/ldapssl b/root/etc/e-smith/db/configuration/migrate/ldapssl
new file mode 100644
index 0000000..85dec06
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/migrate/ldapssl
@@ -0,0 +1,7 @@
+{
+
+ #this has been replaced by TLSProtocolMin with new default
+ $DB->get_prop_and_delete('ldap', 'SSLv3');
+
+
+}
diff --git a/root/etc/e-smith/events/actions/cleanup-unix-user-group b/root/etc/e-smith/events/actions/cleanup-unix-user-group
new file mode 100644
index 0000000..6ddee16
--- /dev/null
+++ b/root/etc/e-smith/events/actions/cleanup-unix-user-group
@@ -0,0 +1,20 @@
+#!/bin/bash -e
+
+ldapauth=$(/sbin/e-smith/config getprop ldap Authentication || echo disabled)
+
+# Exit unless ldap auth is enabled
+[ "$ldapauth" == "enabled" ] || exit 0
+
+# Users and group accounts are now stored in LDAP, so we need to delete them
+# from the old passwd / group / shadow database
+
+for USER in $(/usr/bin/getent passwd | sort | cut -d':' -f1 | uniq -d); do
+ /usr/sbin/luserdel -G $USER
+done
+
+for GROUP in $(/usr/bin/getent group | sort | cut -d':' -f1 | uniq -d); do
+ /usr/sbin/lgroupdel $GROUP
+done
+
+# And add the admin back in the root group, which is not in the LDAP database
+/usr/bin/gpasswd -a admin root
diff --git a/root/etc/e-smith/events/actions/gentle-ldap-dump b/root/etc/e-smith/events/actions/gentle-ldap-dump
new file mode 100755
index 0000000..2918f01
--- /dev/null
+++ b/root/etc/e-smith/events/actions/gentle-ldap-dump
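Review bot: The duplicate detection in both `for` loops sorts whole passwd/group records and only then cuts the name out, so `uniq -d` sees two records for the same account as adjacent only if nothing after the name changes their collation order; under a non-C locale punctuation is ignored at the first level and a third account whose name shares the prefix can land between them, so the duplicate is missed and the stale local entry survives. Cut first and sort bytewise, `$(/usr/bin/getent passwd | cut -d: -f1 | LC_ALL=C sort | uniq -d)`, and the same for the group loop. The loop variables are expanded unquoted in `luserdel -G $USER` and `lgroupdel $GROUP`; account names are well-formed in practice, but since this runs as root under `-e`, `"$USER"` / `"$GROUP"` costs nothing. `USER` also shadows the conventional environment variable; a lower-case loop name avoids that confusion.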
@@ -0,0 +1,61 @@
+#!/usr/bin/perl -w
+
+#----------------------------------------------------------------------
+# copyright (C) 2002 Mitel Networks Corporation
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# Technical support for this program is available from Mitel Networks
+# Please visit our web site www.mitel.com/sme/ for details.
+#----------------------------------------------------------------------
+
+package esmith;
+
+use strict;
+use Errno;
+use esmith::ConfigDB;
+use esmith::util;
+
+# Stop now if slapd.conf has syntax error
+unless (system("/usr/sbin/slaptest -u 2>/dev/null") == 0){
+ die "Aborting ldap dump because of errors in slapd.conf\n";
+}
+
+my $c = esmith::ConfigDB->open_ro;
+my $domain = $c->get('DomainName')
+ || die("Couldn't determine domain name");
+$domain = $domain->value;
+
+# First try to run slapcat, which may fail if slapd is running
+exit 0 unless
+ system("/usr/sbin/slapcat", "-l", "/home/e-smith/db/ldap/$domain.ldif");
+
+# and failing that, restart ldap, which will generate a dump file
+# in the process
+
+my $l = $c->get('ldap');
+my $status = $l->prop('status') || "disabled";
+die "Couldn't run slapcat, and ldap is disabled. Won't restart." .
+ "No LDIF dump produced\n" + unless ($status eq "enabled" ); +esmith::util::serviceControl + ( + NAME => 'ldap', + ACTION => 'restart', + BACKGROUND => 'false', + ) || + die "Couldn't restart ldap"; + +exit (0); diff --git a/root/etc/e-smith/events/actions/ldap-delete b/root/etc/e-smith/events/actions/ldap-delete new file mode 100755 index 0000000..c842f2b --- /dev/null +++ b/root/etc/e-smith/events/actions/ldap-delete 
@@ -0,0 +1,132 @@
+#!/usr/bin/perl -w
+
+#----------------------------------------------------------------------
+# copyright (C) 1999-2005 Mitel Networks Corporation
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+#----------------------------------------------------------------------
+
+package esmith;
+
+use strict;
+use Errno;
+use esmith::ConfigDB;
+use esmith::util;
+use Net::LDAP;
+
+my $db = esmith::ConfigDB->open_ro or die "Could not open config db";
+
+exit(0) if ($db->get('ldap')->prop('Authentication') || 'disabled') eq 'enabled';
+
+unless ($db->get('ldap')->prop('status') eq "enabled" )
+{
+ warn "Not running action script $0, LDAP service not enabled!\n";
+ exit(0);
+}
+
+my $event = $ARGV [0];
+my $name = $ARGV [1];
+
+die "Username argument missing." unless defined ($name);
+
+#------------------------------------------------------------
+# Delete user from LDAP directory. First read LDAP password
+#------------------------------------------------------------
+my $pw = esmith::util::LdapPassword();
+my $base = esmith::util::ldapBase ($db->get('DomainName')->value);
+
+#------------------------------------------------------------
+# Delete LDAP entry.
+#------------------------------------------------------------
+my $ldap = Net::LDAP->new('localhost')
+ or die "$@";
+
+$ldap->bind(
+ dn => "cn=root,$base",
+ password => $pw
+);
+
+my $mesg;
+
+# Delete any user object with this name
+$mesg = $ldap->search( base=> "uid=$name,ou=Users,$base", filter => '(ObjectClass=*)', scope => 'base' );
+if ($mesg->code && $mesg->code != 32)
+{
+ warn "Failed ldap search uid=$name,ou=Users,$base: ", $mesg->error;
+}
+else
+{
+ $ldap->delete($mesg->entry(0));
+}
+
+# Delete any computer object with this name
+$mesg = $ldap->search( base=> "uid=$name,ou=Computers,$base", filter => '(ObjectClass=*)', scope => 'base' );
+if ($mesg->code && $mesg->code != 32)
+{
+ warn "Failed ldap search uid=$name,ou=Computers,$base: ", $mesg->error;
+}
+else
+{
+ $ldap->delete($mesg->entry(0));
+}
+
+# Delete any (old) user/computer object with this name
+$mesg = $ldap->search( base=> "uid=$name,$base", filter => '(ObjectClass=*)', scope => 'base' );
+if ($mesg->code && $mesg->code != 32)
+{
+ warn "Failed ldap search uid=$name,$base: ", $mesg->error;
+}
+else
+{
+ $ldap->delete($mesg->entry(0));
+}
+
+# Delete any group object with this name
+$mesg = $ldap->search( base=> "cn=$name,ou=Groups,$base", filter => '(ObjectClass=*)', scope => 'base' );
+if ($mesg->code && $mesg->code != 32)
+{
+ warn "Failed ldap search cn=$name,ou=Groups,$base: ", $mesg->error;
+}
+else
+{
+ $ldap->delete($mesg->entry(0));
+}
+
+# Delete any (old) group object with this name
+$mesg = $ldap->search( base=> "cn=$name,$base", filter => '(ObjectClass=*)', scope => 'base' );
+if ($mesg->code && $mesg->code != 32)
+{
+ warn "Failed ldap search cn=$name,$base: ", $mesg->error;
+}
+else
+{
+ $ldap->delete($mesg->entry(0));
+}
+
+# Remove group membership for the account we are deleting
+$mesg = $ldap->search( base=> "ou=Groups,$base", filter => "(memberUid=$name)", scope => 'one' );
+if ($mesg->code && $mesg->code != 32)
+{
+ warn "Failed ldap search memberUid=$name,ou=Groups,$base: ", $mesg->error;
+}
+else
+{
+ $ldap->delete($_, 'memberUid' => [ $name ] ) foreach $mesg->entries();
+}
+
+$ldap->unbind;
+
+exit (0);
diff --git a/root/etc/e-smith/events/actions/ldap-delete-dumps b/root/etc/e-smith/events/actions/ldap-delete-dumps
new file mode 100755
index 0000000..d5834a4
--- /dev/null
+++ b/root/etc/e-smith/events/actions/ldap-delete-dumps
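Review bot: The membership cleanup at the end calls `$ldap->delete($_, 'memberUid' => [ $name ])` for every group that lists the account, but Net::LDAP's delete accepts only a DN or entry plus control options and removes the whole entry; the extra pair appears to be swallowed as an unknown option, so each matching group object is deleted outright rather than having one memberUid value removed. The attribute-level operation is `$ldap->modify($_, delete => { memberUid => [ $name ] }) foreach $mesg->entries();`. The same search interpolates `$name` straight into the filter `"(memberUid=$name)"`, and every DN above it embeds it as well; the value comes from the event argument, so it should pass through `Net::LDAP::Util::escape_filter_value` and `escape_dn_value` before use. Each of the five `else` branches also runs `delete($mesg->entry(0))` when the search returned code 32 (no such object), passing an undefined entry, and the result of `$ldap->bind(...)` is never checked, so a wrong password surfaces only indirectly through the later searches.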
@@ -0,0 +1,63 @@
+#!/usr/bin/perl -w
+
+#----------------------------------------------------------------------
+# copyright (C) 2002 Mitel Networks Corporation
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# Technical support for this program is available from Mitel Networks
+# Please visit our web site www.mitel.com/sme/ for details.
+#----------------------------------------------------------------------
+
+package esmith;
+
+use strict;
+use Errno;
+use esmith::ConfigDB;
+use esmith::util;
+
+my $conf = esmith::ConfigDB->open;
+my $domain = $conf->get('DomainName')
+ || die("Couldn't determine domain name");
+$domain = $domain->value;
+
+my $ldap = $conf->get('ldap');
+if($ldap and $ldap->prop('status') eq 'enabled')
+{
+ esmith::util::serviceControl(
+ NAME => 'ldap',
+ ACTION => 'stop',
+ BACKGROUND => 'false')
+ or die "Unable to stop ldap\n";
+}
+
+my $file = "/home/e-smith/db/ldap/$domain.ldif";
+if(-e $file)
+{
+ unlink($file) or die "Unable to unlink $file: $!\n";
+}
+
+my $ldapdir = "/var/lib/ldap";
+opendir DIR, $ldapdir;
+foreach my $file (grep(!/^\./, readdir DIR))
+{
+ if(-f "$ldapdir/$file")
+ {
+ unlink("$ldapdir/$file")
+ or warn "Unable to unlink $ldapdir/$file: $!\n";
+ }
+}
+closedir DIR;
+
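Review bot: `opendir DIR, $ldapdir;` is unchecked, so if /var/lib/ldap is missing or unreadable `readdir DIR` yields nothing and the script exits 0 as though the database files had been removed; use a lexical handle with a check, `opendir(my $dh, $ldapdir) or die "Can't open $ldapdir: $!\n";`, then `readdir $dh` and `closedir $dh`. The `foreach my $file (...)` loop also re-declares `$file`, masking the `$file` that holds the ldif path a few lines above, which trips a "masks earlier declaration" warning under `-w`; naming the loop variable `$entry` removes the ambiguity. The `$ldap->prop('status') eq 'enabled'` test warns on an undefined prop; `($ldap->prop('status') || 'disabled') eq 'enabled'` is the form used by ldap-delete in this same commit.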
diff --git a/root/etc/e-smith/events/actions/ldap-dump b/root/etc/e-smith/events/actions/ldap-dump
new file mode 100755
index 0000000..e03ba3e
--- /dev/null
+++ b/root/etc/e-smith/events/actions/ldap-dump
@@ -0,0 +1,63 @@
+#!/usr/bin/perl -w
+
+#----------------------------------------------------------------------
+# copyright (C) 2002 Mitel Networks Corporation
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# Technical support for this program is available from Mitel Networks
+# Please visit our web site www.mitel.com/sme/ for details.
+#----------------------------------------------------------------------
+
+package esmith;
+
+use strict;
+use Errno;
+use esmith::ConfigDB;
+
+# Stop now if slapd.conf has syntax error
+unless (system("/usr/sbin/slaptest -u 2>/dev/null") == 0){
+ die "Aborting ldap dump because of errors in slapd.conf\n";
+}
+
+my $domain = esmith::ConfigDB->open->get('DomainName')
+ || die("Couldn't determine domain name");
+$domain = $domain->value;
+my $ldapconf = '/etc/openldap/ldap.conf';
+open(LDCONF, "<$ldapconf") or die "Can't open $ldapconf: $!\n";
+my @basedn = grep { /^BASE/ } ;
+close(LDCONF);
+
+# It should look something like this
+# BASE dc=sme1,dc=nssg,dc=mitel,dc=com
+unless (@basedn)
+{
+ die "Failed to find the basedn in $ldapconf\n";
+}
+chomp( my $basedn = $basedn[0] );
+$basedn =~ s/^BASE //;
+$basedn =~ s/dc=//g;
+$basedn =~ s/,/./g;
+# If the basedn is not equal to the domain, remove any ldif file stored under
+# the new domain, so it starts from scratch.
+if ($basedn ne $domain)
+{
+ my $backup = "/home/e-smith/db/ldap/$domain.ldif";
+ unlink $backup if -e $backup;
+}
+$domain = $basedn;
+
+exec("/usr/sbin/slapcat", "-l", "/home/e-smith/db/ldap/$domain.ldif");
+exit 1;
diff --git a/root/etc/e-smith/events/actions/ldap-update b/root/etc/e-smith/events/actions/ldap-update
new file mode 100755
index 0000000..d2b9279
--- /dev/null
+++ b/root/etc/e-smith/events/actions/ldap-update
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+#----------------------------------------------------------------------
+# copyright (C) 1999, 2000 e-smith, inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# Technical support for this program is available from e-smith, inc.
+# For details, please visit our web site at www.e-smith.com or
+# call us on 1 888 ESMITH 1 (US/Canada toll free) or +1 613 564 8000
+#----------------------------------------------------------------------
+
+/sbin/e-smith/ldif-fix --update
diff --git a/root/etc/e-smith/events/actions/ldap-update-simple b/root/etc/e-smith/events/actions/ldap-update-simple
new file mode 100644
index 0000000..d61b975
--- /dev/null
+++ b/root/etc/e-smith/events/actions/ldap-update-simple
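Review bot: `my @basedn = grep { /^BASE/ } ;` in the previous fragment has no list to filter as rendered here, so `@basedn` would always be empty and the script would always die at `Failed to find the basedn`; if the `<LDCONF>` readline was only dropped by the diff rendering this is fine, but it is worth confirming against the committed file. The `open(LDCONF, "<$ldapconf")` two lines above it is a two-arg open on a bareword handle; the path is a constant so nothing can be injected, but the three-arg lexical form, `open(my $fh, '<', $ldapconf) or die "Can't open $ldapconf: $!\n";`, is the idiom to use. `exec(...)` followed by a bare `exit 1;` also discards the reason when slapcat cannot be started; `exec(...) or die "exec slapcat: $!\n";` reports it.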
@@ -0,0 +1,248 @@
+#!/usr/bin/perl -w
+
+package esmith;
+
+use strict;
+use Errno;
+use esmith::ConfigDB;
+use esmith::AccountsDB;
+use esmith::util;
+use Net::LDAP;
+use Date::Parse;
+
+$ENV{'LANG'} = 'C';
+$ENV{'TZ'} = '';
+
+my $c = esmith::ConfigDB->open_ro;
+my $a = esmith::AccountsDB->open_ro;
+
+my $l = $c->get('ldap');
+my $status = $l->prop('status') || "disabled";
+unless ($status eq "enabled" )
+{
+ warn "Not running action script $0, LDAP service not enabled!\n";
+ exit(0);
+}
+
+exit(0) if ($c->get('ldap')->prop('Authentication') || 'disabled') eq 'enabled';
+
+my $domain = $c->get('DomainName')
+ || die("Couldn't determine domain name");
+$domain = $domain->value;
+
+my $schema = '/etc/openldap/schema/samba.schema';
+
+my $event = shift || die "Event name must be specified";
+
+my @name = @ARGV;
+die "Account name argument missing." unless scalar (@name) >= 1;
+
+#------------------------------------------------------------
+# Update LDAP database entry.
+#------------------------------------------------------------
+my $base = esmith::util::ldapBase ($domain);
+my $pw = esmith::util::LdapPassword();
+
+my $ldap = Net::LDAP->new('localhost')
+ or die "$@";
+
+$ldap->bind(
+ dn => "cn=root,$base",
+ password => $pw
+);
+
+my @accounts;
+my $account;
+foreach my $name (@name)
+{
+ $account = $a->get($name);
+ die "Account $name not found.\n" unless defined $account;
+ my $type = $account->prop('type') || "unknown";
+
+ die "Account $name is not a user, group, ibay, machine account; update LDAP entry failed.\n"
+ unless ($type =~ m{^(?:user|group|ibay|machine)$} or $name eq 'admin');
+
+ push @accounts, $account;
+}
+
+#------------------------------------------------------------
+# Read all samba groups (can't do individual lookups)
+#------------------------------------------------------------
+
+my $groupmap = ();
+
+# Only do if schema is found
+if ( -f "$schema" and -x '/usr/bin/net' )
+{
+ foreach (`/usr/bin/net groupmap list 2> /dev/null`){
+ chomp;
+ next if m{\(S-1-5-32-\d+\)};
+ $groupmap->{$3} = { name => "$1", sid => "$2" } if (/^(.*) \((S-.*-\d+)\) -> (.*)$/);
+ }
+}
+
+#------------------------------------------------------------
+# Create a list of updates that need to happen
+#------------------------------------------------------------
+
+my $updates;
+foreach my $acct (@accounts)
+{
+ my $key = $acct->key;
+ my $type = $acct->prop('type');
+ my $desc = undef;
+ my $dn;
+
+ if ($type =~ m{^(?:user|group|ibay|machine)$} or $key eq 'admin')
+ {
+ #------------------------------------------------------------
+ # Do the user portion
+ #------------------------------------------------------------
+ if ($type eq 'machine')
+ {
+ $dn = "uid=$key,ou=Computers,$base";
+ }
+ else
+ {
+ $dn = "uid=$key,ou=Users,$base";
+ }
+ utf8::upgrade($dn);
+
+ # Read information from getent passwd
+ @{$updates->{$dn}}{'uid','userPassword'} = getpwnam($key);
+ unless ($updates->{$dn}->{uid})
+ {
+ delete $updates->{$dn};
+ next;
+ }
+ $updates->{$dn}->{userPassword} = "!*" if $updates->{$dn}->{userPassword} eq '!!';
+ $updates->{$dn}->{userPassword} =~ s/^/{CRYPT}/ unless $updates->{$dn}->{userPassword} =~ m/^{/;
+
+ # Samba parameters if we find the samba.schema
+ if ( -f "$schema" and -x '/usr/bin/pdbedit' )
+ {
+ my $line = `/usr/bin/pdbedit -wu '$key' 2> /dev/null`;
+ chomp($line);
+ if ($line)
+ {
+ @{$updates->{$dn}}{'junk','junk','sambaLMPassword','sambaNTPassword'} = split(/:/,$line);
+ foreach $line (`/usr/bin/pdbedit -vu '$key' 2> /dev/null`)
+ {
+ chomp($line);
+ $updates->{$dn}->{sambaSID} = $1 if $line =~ m{User SID:\s+(S-.*)$};
+ $updates->{$dn}->{displayName} = $1 if $line =~ m{Full Name:\s+(.*)$};
+ $updates->{$dn}->{sambaPrimaryGroupSID} = $1 if $line =~ m{Primary Group SID:\s+(S-.*)$};
+ $updates->{$dn}->{sambaAcctFlags} = $1 if $line =~ m{Account Flags:\s+(.*)$};
+ $updates->{$dn}->{sambaPwdLastSet} = str2time($1) if $line =~ m{Password last set:\s+(.*)$};
+ }
+ push @{$updates->{$dn}->{objectClass}}, 'sambaSamAccount';
+ }
+ else
+ {
+ $updates->{$dn}->{sambaLMPassword} = [];
+ $updates->{$dn}->{sambaNTPassword} = [];
+ $updates->{$dn}->{sambaSID} = [];
+ $updates->{$dn}->{displayName} = [];
+ $updates->{$dn}->{sambaPrimaryGroupSID} = [];
+ $updates->{$dn}->{sambaAcctFlags} = [];
+ $updates->{$dn}->{sambaPwdLastSet} = [];
+ }
+ }
+ }
+}
+endpwent();
+
+#------------------------------------------------------------
+# Do the group portion (only if we have samba)
+#------------------------------------------------------------
+if ( -f "$schema" )
+{
+ foreach my $group ( (map { $_->key } $a->users), (map { $_->key } $a->groups), qw/admin nobody shared/ ){
+ my $dn = "cn=$group,ou=Groups,$base";
+ utf8::upgrade($dn);
+
+ if ( exists $groupmap->{$group} )
+ {
+ push @{$updates->{$dn}->{objectClass}}, 'sambaGroupMapping';
+ $updates->{$dn}->{displayName} = $groupmap->{$group}->{name};
+ $updates->{$dn}->{sambaSID} = $groupmap->{$group}->{sid};
+ $updates->{$dn}->{sambaGroupType} = '2';
+ }
+ else
+ {
+ $updates->{$dn}->{displayName} = [];
+ $updates->{$dn}->{sambaSID} = [];
+ $updates->{$dn}->{sambaGroupType} = [];
+ }
+ }
+}
+
+#------------------------------------------------------------
+# Update LDAP database entry.
+#------------------------------------------------------------
+foreach my $dn (keys %$updates)
+{
+ # Try and find record
+ my $result = $ldap->search( base => $dn, filter => '(objectClass=*)', scope => 'base' );
+ warn "failed looking up entry $dn: ", $result->error if $result->code && $result->code != 32;
+ my $code = $result->code;
+ my @objectClass = $code == 32 ? () : $result->entry(0)->get_value('objectClass');
+
+ # Clean up attributes and convert to utf8
+ delete $updates->{$dn}->{'junk'};
+ foreach my $attr ( keys %{$updates->{$dn}} )
+ {
+ if ( ref($updates->{$dn}->{$attr}) eq 'ARRAY' )
+ {
+ if ( $code == 32 and scalar(@{$updates->{$dn}->{$attr}}) == 0 )
+ {
+ delete $updates->{$dn}->{$attr};
+ }
+ else
+ {
+ for (my $c = 0; $c < scalar(@{$updates->{$dn}->{$attr}}); $c++)
+ {
+ utf8::upgrade($updates->{$dn}->{$attr}[$c]);
+ }
+ }
+ }
+ else
+ {
+ if ($updates->{$dn}->{$attr} !~ /^\s*$/)
+ {
+ utf8::upgrade($updates->{$dn}->{$attr});
+ }
+ elsif ( $code == 32 )
+ {
+ delete $updates->{$dn}->{$attr};
+ }
+ else
+ {
+ $updates->{$dn}->{$attr} = [];
+ }
+ }
+ }
+
+ # Perform insert or update
+ if ( $code == 32 )
+ {
+ $result = $ldap->add( $dn, attrs => [ %{$updates->{$dn}} ] );
+ $result->code && warn "failed to add entry $dn: ", $result->error;
+ }
+ else
+ {
+ # Don't overwrite objectClass (just update if necessary)
+ my $seen = ();
+
+ # Remove samba objectClasses if removing samba attributes
+ @{$seen}{'sambaSamAccount','sambaGroupMapping'} = (1,1) if ref($updates->{$dn}->{sambaSID}) eq 'ARRAY';
+
+ @{$updates->{$dn}->{objectClass}} = grep { ! $seen->{$_}++ } (@{$updates->{$dn}->{objectClass}}, @objectClass );
+
+ $result = $ldap->modify( $dn, replace => $updates->{$dn});
+ $result->code && warn "failed to modify entry $dn: ", $result->error;
+ }
+}
+$ldap->unbind;
+
+exit (0);
diff --git a/root/etc/e-smith/events/actions/reset-ldap-bootstrap b/root/etc/e-smith/events/actions/reset-ldap-bootstrap
new file mode 100644
index 0000000..45c0267
--- /dev/null
+++ b/root/etc/e-smith/events/actions/reset-ldap-bootstrap
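Review bot: The `$ldap->bind(dn => "cn=root,$base", password => $pw)` near the top of this hunk is never checked, so when the bind fails every later `add`/`modify` only emits a per-entry warning and the script still exits 0 with the directory silently out of date; capture and test it, `my $bind = $ldap->bind(dn => "cn=root,$base", password => $pw); die "LDAP bind failed: ", $bind->error if $bind->code;`. Both pdbedit calls run through the shell with the account key single-quoted, `` `/usr/bin/pdbedit -wu '$key' 2> /dev/null` ``; the keys come from the accounts DB rather than from an untrusted caller, but the list-form pipe, `open(my $pdb, '-|', '/usr/bin/pdbedit', '-wu', $key) or die "pdbedit: $!";`, avoids the shell and the quoting question altogether. In the utf8 clean-up loop `for (my $c = 0; ...)` reuses `$c`, which at file scope is the ConfigDB handle; a different index name such as `$i` avoids the mask, and `my $desc = undef;` in the account loop is never read.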
@@ -0,0 +1,24 @@
+#!/bin/sh
+#----------------------------------------------------------------------
+# copyright (C) 2010 Firewall-Services
+# daniel@firewall-services.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# Technical support for this program is available from Mitel Networks
+# Please visit our web site www.mitel.com/sme/ for details.
+#----------------------------------------------------------------------
+
+/sbin/e-smith/config delprop ldap Bootstrap
diff --git a/root/etc/e-smith/events/actions/set-ldap-bootstrap b/root/etc/e-smith/events/actions/set-ldap-bootstrap
new file mode 100644
index 0000000..5c28167
--- /dev/null
+++ b/root/etc/e-smith/events/actions/set-ldap-bootstrap
@@ -0,0 +1,24 @@
+#!/bin/sh
+#----------------------------------------------------------------------
+# copyright (C) 2010 Firewall-Services
+# daniel@firewall-services.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# Technical support for this program is available from Mitel Networks
+# Please visit our web site www.mitel.com/sme/ for details.
+#----------------------------------------------------------------------
+
+/sbin/e-smith/config setprop ldap Bootstrap run
diff --git a/root/etc/e-smith/ldap/init/.gitignore b/root/etc/e-smith/ldap/init/.gitignore
new file mode 100644
index 0000000..e69de29
diff --git a/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/directory b/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/directory
new file mode 100755
index 0000000..569b03e
--- /dev/null
+++ b/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/directory
@@ -0,0 +1,92 @@ + + + FORM_TITLE + Change LDAP directory settings + + +LABEL_ROOT +Server root + + + +DESCRIPTION + +The LDAP server provides a network-available listing of the user accounts +and groups on your server, and can be accessed using an LDAP client such as the Address Book feature in Netscape Communicator. Configure your LDAP client with the local IP address of your server, port number 389, and the server root parameter shown below. + + + +DESC_DIRECTORY_ACCESS + You can control access to your LDAP directory: the private setting allows access only from your local network, and the public setting allows access from anywhere on the Internet. + + +DIRECTORY_ACCESS +LDAP directory access + + + DESC_DEPARTMENT + +These fields are the LDAP defaults for your organization. +Whenever you create a new user account, you will be prompted +to enter all of these fields (they can be different for each +user) but the values you set here +will show up as defaults. This is a convenience to make it +faster to create user accounts. + + + + DEPARTMENT + Default department + + + + COMPANY + Default company + + + STREET + Default Street address + + + + CITY + Default City + + + + PHONENUMBER + Default Phone Number + + + +DESC_EXISTING + +You can either leave existing user accounts as they are, using the above defaults only for +new users, or you can apply the above defaults to all existing users as well. + + + + + + +EXISTING +Existing users + + +SUCCESS +The new LDAP default settings have been saved. + + + +LEAVE +Leave as they are + + +UPDATE +Update with new defaults + + + Directory + Directory + + diff --git a/root/etc/e-smith/templates.metadata/etc/openldap/slapd.conf b/root/etc/e-smith/templates.metadata/etc/openldap/slapd.conf new file mode 100644 index 0000000..6d71d92 --- /dev/null +++ b/root/etc/e-smith/templates.metadata/etc/openldap/slapd.conf @@ -0,0 +1,2 @@ +GID="ldap" +PERMS=0640 
diff --git a/root/etc/e-smith/templates.metadata/etc/openldap/ssl/slapd.pem b/root/etc/e-smith/templates.metadata/etc/openldap/ssl/slapd.pem
new file mode 100644
index 0000000..11e6b48
--- /dev/null
+++ b/root/etc/e-smith/templates.metadata/etc/openldap/ssl/slapd.pem
@@ -0,0 +1,4 @@
+TEMPLATE_PATH="/home/e-smith/ssl.pem"
+OUTPUT_FILENAME="/etc/openldap/ssl/slapd.pem"
+GID="ldap"
+PERMS=0640
diff --git a/root/etc/e-smith/templates.metadata/home/e-smith/db/ldap/ldif b/root/etc/e-smith/templates.metadata/home/e-smith/db/ldap/ldif
new file mode 100644
index 0000000..75aef2f
--- /dev/null
+++ b/root/etc/e-smith/templates.metadata/home/e-smith/db/ldap/ldif
@@ -0,0 +1,2 @@
+TEMPLATE_PATH="/home/e-smith/db/ldap/ldif"
+OUTPUT_FILENAME=use esmith::ConfigDB; my $d = esmith::ConfigDB->open_ro->get('DomainName')->value; "/home/e-smith/db/ldap/$d.ldif"
diff --git a/root/etc/e-smith/templates/etc/hosts.allow/ldap b/root/etc/e-smith/templates/etc/hosts.allow/ldap
new file mode 100644
index 0000000..d45c3ac
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/hosts.allow/ldap
@@ -0,0 +1,3 @@
+{
+ "# LDAP servers\n" . $DB->hosts_allow_spec('ldap', 'slapd')
+}
diff --git a/root/etc/e-smith/templates/etc/openldap/ldap.conf/20ldap-default b/root/etc/e-smith/templates/etc/openldap/ldap.conf/20ldap-default
new file mode 100644
index 0000000..f09d772
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openldap/ldap.conf/20ldap-default
@@ -0,0 +1,20 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable.
+
+#BASE dc=OpenLDAP, dc=Org
+#HOST ldap.openldap.org
+
+#HOST ldap.openldap.org ldap-master.openldap.org:666
+#PORT 389
+
+BASE { esmith::util::ldapBase ($DomainName); }
+HOST localhost
+PORT 389
+
+#SIZELIMIT 12
+#TIMELIMIT 15
+#DEREF never
diff --git a/root/etc/e-smith/templates/etc/openldap/slapd.conf/10schema b/root/etc/e-smith/templates/etc/openldap/slapd.conf/10schema
new file mode 100644
index 0000000..9eb49aa
--- /dev/null
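Review bot: The client-side `ldap.conf` fragment (20ldap-default) uses `HOST localhost` and `PORT 389`, which ldap.conf(5) documents as deprecated in favour of `URI`, and it sets no `TLS_CACERT`, so a client that is pointed at the `ldaps:///` listener or uses STARTTLS has nothing to verify the server certificate against. Replace the two lines with `URI ldap://localhost:389/` and add a `TLS_CACERT` line pointing at a client-readable copy of the certificate that `/etc/openldap/ssl/slapd.pem` is issued under (the server-side file itself is 0640 root:ldap per the metadata hunk, so ordinary client processes cannot read it). Keeping the plaintext loopback URI matches the `peername.ip="127.0.0.1"` ACL clauses elsewhere in this commit.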
+++ b/root/etc/e-smith/templates/etc/openldap/slapd.conf/10schema
@@ -0,0 +1,7 @@
+
+include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/nis.schema
+include /etc/openldap/schema/redhat/rfc822-MailMember.schema
+include /etc/openldap/schema/mailRelatedObject.schema
diff --git a/root/etc/e-smith/templates/etc/openldap/slapd.conf/11rfc2739schema b/root/etc/e-smith/templates/etc/openldap/slapd.conf/11rfc2739schema
new file mode 100644
index 0000000..17f3814
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openldap/slapd.conf/11rfc2739schema
@@ -0,0 +1 @@
+include /etc/openldap/schema/rfc2739.schema
diff --git a/root/etc/e-smith/templates/etc/openldap/slapd.conf/12pid b/root/etc/e-smith/templates/etc/openldap/slapd.conf/12pid
new file mode 100644
index 0000000..d670189
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openldap/slapd.conf/12pid
@@ -0,0 +1,3 @@
+
+pidfile /var/run/openldap/slapd.pid
+
diff --git a/root/etc/e-smith/templates/etc/openldap/slapd.conf/12tls b/root/etc/e-smith/templates/etc/openldap/slapd.conf/12tls
new file mode 100644
index 0000000..0086174
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openldap/slapd.conf/12tls
@@ -0,0 +1,18 @@
+
+TLSCipherSuite { $ldap{CipherSuite} || $modSSL{CipherSuite} || 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4' }
+TLSProtocolMin { my $TLSProtocolMin = $ldap{TLSProtocolMin} || 'TLSv1.2';
+if ( $TLSProtocolMin eq 'SSLv3' ){
+ $OUT = " 3.0";
+} elsif ( $TLSProtocolMin eq 'TLSv1.0' || $TLSProtocolMin eq 'TLSv1' ){
+ $OUT = " 3.1";
+} elsif ( $TLSProtocolMin eq 'TLSv1.1' ){
+ $OUT = " 3.2";
+} elsif ( $TLSProtocolMin eq 'TLSv1.2' ){
+ $OUT = " 3.3";
+}
+}
+TLSCACertificateFile /etc/openldap/ssl/slapd.pem
+TLSCertificateFile /etc/openldap//ssl/slapd.pem
+TLSCertificateKeyFile /etc/openldap/ssl/slapd.pem
+TLSVerifyClient never
+
diff --git a/root/etc/e-smith/templates/etc/openldap/slapd.conf/40bind_v2 b/root/etc/e-smith/templates/etc/openldap/slapd.conf/40bind_v2
new file mode 100644
index 0000000..d12a645
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openldap/slapd.conf/40bind_v2
@@ -0,0 +1 @@
+allow bind_v2
diff --git a/root/etc/e-smith/templates/etc/openldap/slapd.conf/45limit b/root/etc/e-smith/templates/etc/openldap/slapd.conf/45limit
new file mode 100644
index 0000000..9f97565
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openldap/slapd.conf/45limit
@@ -0,0 +1 @@
+sizelimit unlimited
diff --git a/root/etc/e-smith/templates/etc/openldap/slapd.conf/50database b/root/etc/e-smith/templates/etc/openldap/slapd.conf/50database
new file mode 100644
index 0000000..2dcc149
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openldap/slapd.conf/50database
@@ -0,0 +1 @@
+database bdb
diff --git a/root/etc/e-smith/templates/etc/openldap/slapd.conf/65suffix b/root/etc/e-smith/templates/etc/openldap/slapd.conf/65suffix
new file mode 100644
index 0000000..99d924d
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openldap/slapd.conf/65suffix
@@ -0,0 +1 @@
+suffix "{ esmith::util::ldapBase ($DomainName); }"
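Review bot: The `TLSProtocolMin` block in 12tls has no fallback branch: when `$ldap{TLSProtocolMin}` holds any value other than the four strings tested (for example `TLSv1.3`, which has no mapping here), no branch assigns `$OUT` and the rendered file contains a bare `TLSProtocolMin` directive with no argument, which slapd's config parser rejects as a missing argument and slapd does not start. Add `} elsif ( $TLSProtocolMin eq 'TLSv1.3' ){ $OUT = " 3.4"; } else { $OUT = " 3.3"; }` before the closing brace so an unrecognised db value degrades to the TLSv1.2 default instead of an unparsable config. `TLSCertificateFile /etc/openldap//ssl/slapd.pem` carries a doubled slash; it resolves, but it should match the two sibling lines.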
diff --git a/root/etc/e-smith/templates/etc/openldap/slapd.conf/66checkpoints b/root/etc/e-smith/templates/etc/openldap/slapd.conf/66checkpoints
new file mode 100644
index 0000000..730a21b
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openldap/slapd.conf/66checkpoints
@@ -0,0 +1 @@
+checkpoint 512 5
diff --git a/root/etc/e-smith/templates/etc/openldap/slapd.conf/70directory b/root/etc/e-smith/templates/etc/openldap/slapd.conf/70directory
new file mode 100644
index 0000000..0ff1ff2
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openldap/slapd.conf/70directory
@@ -0,0 +1 @@
+directory /var/lib/ldap
diff --git a/root/etc/e-smith/templates/etc/openldap/slapd.conf/75rootdn b/root/etc/e-smith/templates/etc/openldap/slapd.conf/75rootdn
new file mode 100644
index 0000000..edd4d0f
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openldap/slapd.conf/75rootdn
@@ -0,0 +1 @@
+rootdn "cn=root,{ esmith::util::ldapBase ($DomainName); }"
diff --git a/root/etc/e-smith/templates/etc/openldap/slapd.conf/80rootpw b/root/etc/e-smith/templates/etc/openldap/slapd.conf/80rootpw
new file mode 100644
index 0000000..7989fe1
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openldap/slapd.conf/80rootpw
@@ -0,0 +1 @@
+rootpw { esmith::util::LdapPassword (); }
diff --git a/root/etc/e-smith/templates/etc/openldap/slapd.conf/85passwordHash b/root/etc/e-smith/templates/etc/openldap/slapd.conf/85passwordHash
new file mode 100644
index 0000000..b0c11ce
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openldap/slapd.conf/85passwordHash
@@ -0,0 +1,5 @@
+
+# Use md5crypt
+password-hash \{CRYPT\}
+password-crypt-salt-format "$1$%.8s"
+
diff --git a/root/etc/e-smith/templates/etc/openldap/slapd.conf/90indexes b/root/etc/e-smith/templates/etc/openldap/slapd.conf/90indexes
new file mode 100644
index 0000000..0cf00c1
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openldap/slapd.conf/90indexes
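Review bot: `rootpw { esmith::util::LdapPassword (); }` in 80rootpw renders the directory manager password into slapd.conf in clear text; slapd also accepts a hashed value for `rootpw` (a `{SSHA}` string such as slappasswd produces), which keeps the secret itself out of the rendered file even though the metadata hunk already limits it to mode 0640, group ldap. Whether LdapPassword() can hand back a hashed form is outside this diff, so the template change may need a helper change alongside it; if it stays clear text, a comment such as `# clear-text rootpw: relies on templates.metadata keeping slapd.conf 0640 root:ldap` records the dependency.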
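Review bot: `password-crypt-salt-format "$1$%.8s"` in 85passwordHash makes every password slapd hashes itself an md5crypt hash, a legacy construction; with the same `{CRYPT}` scheme a glibc system produces sha512-crypt from `password-crypt-salt-format "$6$%.16s"`, and hashes already stored keep verifying because crypt(3) takes the scheme from the stored salt. Only passwords set after the change are affected, so the switch is safe unless another SME component expects md5crypt values in userPassword, which is worth confirming before changing the fragment. The `# Use md5crypt` comment should be updated in step with whatever format is chosen.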
@@ -0,0 +1,6 @@
+# Indices to maintain
+#index objectClass eq
+index objectClass,uid,uidNumber,gidNumber eq
+index memberUid eq
+index cn,mail,surname,givenname eq,subinitial
+
diff --git a/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls05userPassword b/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls05userPassword
new file mode 100644
index 0000000..a27eed8
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls05userPassword
@@ -0,0 +1,6 @@
+access to attrs=userPassword
+ by self peername.ip="127.0.0.1" read
+ by self ssf=128 read
+ by anonymous peername.ip="127.0.0.1" auth
+ by anonymous ssf=128 auth
+ by * none
diff --git a/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects b/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects
new file mode 100644
index 0000000..8bf71dd
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects
@@ -0,0 +1,18 @@
+# Anonymous users should only be able to see SME users and groups for addressbook purpose
+# Prevent access to system, dummy and machine accounts
+
+access to dn.children=ou=Users,{ esmith::util::ldapBase ($DomainName); } filter=(!(objectClass=inetOrgPerson))
+ by users peername.ip="127.0.0.1" read
+ by users ssf=128 read
+ by anonymous none
+
+access to dn.children=ou=Groups,{ esmith::util::ldapBase ($DomainName); } filter=(!(objectClass=mailboxRelatedObject))
+ by users peername.ip="127.0.0.1" read
+ by users ssf=128 read
+ by anonymous none
+
+access to dn.subtree=ou=Computers,{ esmith::util::ldapBase ($DomainName); }
+ by users peername.ip="127.0.0.1" read
+ by users ssf=128 read
+ by anonymous none
+
diff --git a/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs b/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs
new file mode 100644
index 0000000..48b9c56
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs
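Review bot: Every `by` clause in `access to attrs=userPassword` (95acls05userPassword) is keyed on `peername.ip="127.0.0.1"` or `ssf=128`; a client arriving over the `ldapi:///` socket that 20SLAPD_URLS enables has a `peername.path`, not a `peername.ip`, so it can only match through the ssf clauses and, at slapd's default local SSF, falls through to `by * none`. If local-socket clients are ever expected to bind, add a `peername.path=` clause or raise `localSSF`; otherwise a comment such as `# peername.ip matches TCP loopback only; ldapi:/// clients need ssf>=128 (see localSSF)` records the limitation. The same clause pattern is repeated in 95acls60sensibleObjects and 95acls80sensibleAcl, so whichever choice is made applies there too. Separately, the `# Prevent access to ...` header and the file names read "sensible" where "sensitive" is meant.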
@@ -0,0 +1,11 @@
+{
+
+# Array of attrs which should not be visible anonymously
+@anon = ();
+
+# Array of attrs which should not be visible by other users
+@users = ();
+
+$OUT .= '';
+
+}
diff --git a/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount b/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount
new file mode 100644
index 0000000..7f86d29
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount
@@ -0,0 +1,8 @@
+{
+
+# Sensible attributes related to posixAccount
+push @anon, qw/loginShell gidNumber homeDirectory uidNumber/;
+
+$OUT .= '';
+
+}
diff --git a/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount b/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount
new file mode 100644
index 0000000..6960e5b
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount
@@ -0,0 +1,8 @@
+{
+
+# Sensible attributes related to shadowAccount
+push @anon, qw/shadowExpire shadowFlag shadowInactive shadowLastChange shadowMax shadowMin shadowWarning/;
+
+$OUT .= '';
+
+}
diff --git a/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl b/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl
new file mode 100644
index 0000000..635e097
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl
@@ -0,0 +1,27 @@
+{
+my $anon_attrs = join(",",@anon);
+my $users_attrs = join(",",@users);
+
+unless ($anon_attrs eq ''){
+ $OUT .=<<"HERE";
+access to attrs=$anon_attrs
+ by self peername.ip="127.0.0.1" read
+ by self ssf=128 read
+ by users peername.ip="127.0.0.1" read
+ by users ssf=128 read
+ by * none
+
+HERE
+}
+
+unless ($users_attrs eq ''){
+ $OUT .=<<"HERE";
+access to attrs=$users_attrs
+ by self peername.ip="127.0.0.1" read
+ by self ssf=128 read
+ by * none
+
+HERE
+}
+
+}
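Review bot: 95acls70sensibleAttrs initialises `@anon` and `@users` without `my`/`our`, and the later fragments (95acls72posixAccount, 95acls74shadowAccount, 95acls80sensibleAcl) push into and read them, so the rendered ACL depends on the arrays being template-global and on the 70 < 72/74 < 80 ordering of the fragment names; nothing in the four files says so. A header comment in 95acls70sensibleAttrs such as `# Template-global lists: filled by the 95acls7x fragments, rendered by 95acls80sensibleAcl; keep the fragment ordering` would make the coupling visible to whoever adds the next attribute list. In 95acls80sensibleAcl the `@users` branch is unreachable in this commit because no fragment pushes to `@users`; that is harmless, but the same comment should say it is reserved for future fragments. The `# Sensible attributes ...` comments in 72 and 74 read "sensible" where "sensitive" is meant.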
diff --git a/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls99default b/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls99default
new file mode 100644
index 0000000..480456a
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls99default
@@ -0,0 +1,10 @@
+{
+
+$anonAccess = (($ldap{'AnonymousAccess'} || 'enabled') eq 'enabled') ? 'read':'none';
+$OUT .= '';
+}
+access to *
+ by users read
+ by anonymous {"$anonAccess";}
+ by * none
+
diff --git a/root/etc/e-smith/templates/etc/rsyslog.conf/32ldap b/root/etc/e-smith/templates/etc/rsyslog.conf/32ldap
new file mode 100644
index 0000000..edf3b9d
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rsyslog.conf/32ldap
@@ -0,0 +1,4 @@
+#ldap
+:programname, isequal, "slapd" /var/log/ldap/ldap.log
+& stop
+
diff --git a/root/etc/e-smith/templates/etc/sysconfig/slapd/05head b/root/etc/e-smith/templates/etc/sysconfig/slapd/05head
new file mode 100644
index 0000000..8e37dcb
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/sysconfig/slapd/05head
@@ -0,0 +1,3 @@
+# OpenLDAP server configuration
+# see 'man slapd' for additional information
+
diff --git a/root/etc/e-smith/templates/etc/sysconfig/slapd/20SLAPD_URLS b/root/etc/e-smith/templates/etc/sysconfig/slapd/20SLAPD_URLS
new file mode 100644
index 0000000..7cc4c63
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/sysconfig/slapd/20SLAPD_URLS
@@ -0,0 +1,8 @@
+
+# Where the server will run (-h option)
+# - ldapi:/// is required for on-the-fly configuration using client tools
+# (use SASL with EXTERNAL mechanism for authentication)
+# - default: ldapi:/// ldap:///
+# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
+SLAPD_URLS="ldap:/// ldaps:/// ldapi:///"
+
diff --git a/root/etc/e-smith/templates/etc/sysconfig/slapd/40OPTIONS b/root/etc/e-smith/templates/etc/sysconfig/slapd/40OPTIONS
new file mode 100644
index 0000000..8f416a9
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/sysconfig/slapd/40OPTIONS
@@ -0,0 +1,4 @@
+
+# Any custom options
+SLAPD_OPTIONS=" -4 -d { $ldap{LogLevel} || 256 } -s 0 "
+
diff --git a/root/etc/e-smith/templates/etc/sysconfig/slapd/60KRB5 b/root/etc/e-smith/templates/etc/sysconfig/slapd/60KRB5
new file mode 100644
index 0000000..1e4fa1e
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/sysconfig/slapd/60KRB5
@@ -0,0 +1,4 @@
+
+# Keytab location for GSSAPI Kerberos authentication
+#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
+
diff --git a/root/etc/e-smith/templates/var/lib/ldap/DB_CONFIG/10memory b/root/etc/e-smith/templates/var/lib/ldap/DB_CONFIG/10memory
new file mode 100644
index 0000000..62d3afd
--- /dev/null
+++ b/root/etc/e-smith/templates/var/lib/ldap/DB_CONFIG/10memory
@@ -0,0 +1,4 @@
+#
+# Set the database in memory cache size.
+#
+set_cachesize 0 2097152 0
diff --git a/root/etc/e-smith/templates/var/lib/ldap/DB_CONFIG/30logs b/root/etc/e-smith/templates/var/lib/ldap/DB_CONFIG/30logs
new file mode 100644
index 0000000..11197c3
--- /dev/null
+++ b/root/etc/e-smith/templates/var/lib/ldap/DB_CONFIG/30logs
@@ -0,0 +1,8 @@
+#
+# Set log values.
+#
+set_lg_regionmax 1048576
+set_lg_max 10485760
+set_lg_bsize 2097152
+set_lg_dir /var/log/bdb
+set_flags DB_LOG_AUTOREMOVE
diff --git a/root/etc/e-smith/tests/.gitignore b/root/etc/e-smith/tests/.gitignore
new file mode 100644
index 0000000..e69de29
diff --git a/root/etc/e-smith/web/functions/directory b/root/etc/e-smith/web/functions/directory
new file mode 100755
index 0000000..34d7a47
--- /dev/null
+++ b/root/etc/e-smith/web/functions/directory
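Review bot: `{ $ldap{LogLevel} || 256 }` in 40OPTIONS cannot express a log level of 0: a db value of `0` is false in Perl and is silently replaced by 256, so there is no way to turn slapd's stats logging off through the configuration db. A defined-and-non-empty test keeps the default while honouring zero, `{ my $l = $ldap{LogLevel}; (defined $l && $l ne '') ? $l : 256 }`. Because the value is spliced straight into slapd's `-d` argument, restricting it to what `-d` accepts (digits, e.g. `$l =~ /^\d+$/`) before interpolating would also stop a typo in the db from leaving slapd unable to start.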
@@ -0,0 +1,151 @@ +#!/usr/bin/perl -wT +# vim:ft=xml: + +#---------------------------------------------------------------------- +# heading : Configuration +# description : Directory +# navigation : 6000 6300 +#---------------------------------------------------------------------- +# copyright (C) 2002 Mitel Networks Corporation +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# +# Technical support for this program is available from Mitel Networks +# Please visit our web site www.e-smith.com for details. +#---------------------------------------------------------------------- + + +use strict; +use esmith::util; +use esmith::FormMagick::Panel::directory; +my $f = esmith::FormMagick::Panel::directory->new(); +$f->display(); + +=head1 TESTING + + +=begin testing + +use esmith::FormMagick::Tester; +use esmith::TestUtils; +use esmith::ConfigDB; +my $panel = 'directory'; +my $panel_path = "/etc/e-smith/web/functions/".$panel; +my $ua = esmith::FormMagick::Tester->new(); + + + +is (mode($panel_path), '4750', "Check permissions on script"); +ok ($ua->get_panel($panel), "ABOUT TO RUN L10N TESTS"); +is ($ua->{status}, 200, "200 OK"); +like($ua->{content}, qr/FORM_TITLE/, "Saw untranslated form title"); +ok ($ua->set_language("en-us"), "Set language to U.S. 
English"); +ok ($ua->get_panel($panel), "Get panel"); + +is ($ua->{status}, 200, "200 OK"); + +like($ua->{content}, qr/LDAP directory settings/, "Saw translated form title"); + +# Testing changes + +ok ($ua->get_panel($panel), "Testing panel retrieval"); +can_ok($ua, "field"); + +# Destructive testing: + +ok ($ua->{form}->find_input('Department'), 'Finding the Department field'); + +$ua->field('Department' => 'TestDept' ); +$ua->field('Existing' => 'update'); + +ok ($ua->click("Save"), "Click Save"); +is ($ua->{status}, 200, "200 OK"); +like($ua->{content}, qr/settings have been saved/, "Saw validation messages"); + +# Gotta open this later, so we don't cache stale data +my $db = esmith::ConfigDB->open; + +ok($db->get('ldap')->prop('defaultDepartment') eq 'TestDept'); + +my $a = esmith::AccountsDB->open; +my @users = $a->users(); +foreach $user (@users) { + ok( $user->prop('Dept') eq 'TestDept'); +} + + +=end testing + +=cut + +__DATA__ +
+ + DESCRIPTION + + + + + + + + DESC_DIRECTORY_ACCESS + + + + + DESC_DEPARTMENT + + + + + + + + + + + + + + + + + + + + DESC_EXISTING + + + + + +
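Review bot: The `=begin testing` block in web/functions/directory is not runnable as written: it calls `esmith::AccountsDB->open` without a `use esmith::AccountsDB;`, stores the handle in `$a` (Perl's sort variable), and loops with `foreach $user (@users)` where `$user` is never declared, which fails under `use strict` if the extracted test runs with strictures. Add `use esmith::AccountsDB;` beside the other `use` lines in the block, and change the two lines to `my $accounts = esmith::AccountsDB->open;` and `foreach my $user (@users) {` (the loop's `@users` then comes from `$accounts->users()`). The bare `ok($db->get('ldap')->prop('defaultDepartment') eq 'TestDept')` would give useful diagnostics as `is($db->get('ldap')->prop('defaultDepartment'), 'TestDept', 'default department saved');`, and the per-user `ok` likewise. The XML after `__DATA__` has lost its markup in this rendering and cannot be reviewed here.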
diff --git a/root/etc/logrotate.d/ldap b/root/etc/logrotate.d/ldap
new file mode 100644
index 0000000..cc4b31f
--- /dev/null
+++ b/root/etc/logrotate.d/ldap
@@ -0,0 +1,11 @@
+/var/log/ldap/*.log {
+ daily
+ missingok
+ notifempty
+ delaycompress
+ sharedscripts
+ postrotate
+ # OpenLDAP logs via syslog, restart syslog if running
+ /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
+ endscript
+}
diff --git a/root/etc/openldap/schema/mailRelatedObject.schema b/root/etc/openldap/schema/mailRelatedObject.schema
new file mode 100644
index 0000000..d972198
--- /dev/null
+++ b/root/etc/openldap/schema/mailRelatedObject.schema
@@ -0,0 +1,6 @@
+objectClass ( 1.3.6.1.4.1.5427.1.389.6.9
+ NAME 'mailboxRelatedObject'
+ DESC 'For pointing to an associated RFC822 (functional) mailbox from any entry'
+ AUXILIARY
+ MAY ( mail $ displayName ) )
+
diff --git a/root/etc/openldap/schema/redhat/rfc822-MailMember.schema b/root/etc/openldap/schema/redhat/rfc822-MailMember.schema
new file mode 100644
index 0000000..757d80f
--- /dev/null
+++ b/root/etc/openldap/schema/redhat/rfc822-MailMember.schema
@@ -0,0 +1,15 @@
+attributetype
+ ( 1.3.6.1.4.1.42.2.27.2.1.15
+ NAME 'rfc822MailMember'
+ DESC 'rfc822 mail address of group member(s)'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ )
+objectclass ( 1.3.6.1.4.1.42.2.27.1.2.5
+ NAME 'nisMailAlias'
+ SUP top STRUCTURAL
+ DESC 'NIS mail alias'
+ MUST cn
+ MAY rfc822MailMember )
+
+
diff --git a/root/etc/openldap/schema/rfc2739.schema b/root/etc/openldap/schema/rfc2739.schema
new file mode 100644
index 0000000..406aa8d
--- /dev/null
+++ b/root/etc/openldap/schema/rfc2739.schema
@@ -0,0 +1,98 @@ +# +# http://www.faqs.org/rfcs/rfc2739.html +# +# From the RFC: +# The calCalURI contains the URI to a snapshot of the user's entire +# default calendar. The calFBURL contains the URI to the user's default +# busy time data. The calCAPURI represents contains a URI that can be +# used to communicate with the user's calendar. The calCalAdrURI +# contains a URI that points to the location to which event requests +# should be sent for that user. +# +# The calOtherCalURIs is a multi-valued property containing URIs to +# snapshots of other calendars that the user may have. The +# calOtherFBURLs is a multi-valued property containing URIs to other +# free/busy data that the user may have. The calOtherCAPURIs attribute +# is a multi-valued property containing URIs to other calendars that +# the user may have. The calOtherCalAdrURIs attribute is a multi-valued +# property containing URIs to other locations that a user may want +# event requests sent to. +# +# There is no predetermined order to the values in either multi-valued +# property. 
+ +# EQUALITY caseIgnoreIA5Match + +attribute (1.2.840.113556.1.4.478 + NAME 'calCalURI' + DESC 'Snapshot of users entire default calendar' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + ) + +attribute (1.2.840.113556.1.4.479 + NAME 'calFBURL' + DESC 'URI of the uses free and busy information' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + ) + +attribute (1.2.840.113556.1.4.480 + NAME 'calCAPURI' + DESC 'URI used to communicate with the users calendar' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + ) + +attribute (1.2.840.113556.1.4.481 + NAME 'calCalAdrURI' + DESC 'URI to which event requests should be sent for the user' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + ) + +attribute (1.2.840.113556.1.4.482 + NAME 'calOtherCalURIs' + DESC 'URIs to non-default calendars belonging to the user' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + ) + +attribute (1.2.840.113556.1.4.483 + NAME 'calOtherFBURLs' + DESC 'URIs to non-default free and busy information files' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + ) + +attribute (1.2.840.113556.1.4.484 + NAME 'calOtherCAPURIs' + DESC 'URIs for communicating with non-default calendars' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + ) + +attribute (1.2.840.113556.1.4.485 + NAME 'calOtherCalAdrURIs' + DESC 'Destinations for event requests to non-default calendars' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + ) + +objectclass (1.2.840.113556.1.5.87 + NAME 'calEntry' + DESC 'Calendering and Free Busy information' + SUP top AUXILIARY + MAY 
(calCalURI $ calFBURL $ calCAPURI $ calCalAdrURI $ + calOtherCalURIs $ calOtherFBURLs $ calOtherCAPURIs $ + calOtherCalAdrURIs + ) + ) diff --git a/root/etc/openldap/ssl/.gitignore b/root/etc/openldap/ssl/.gitignore new file mode 100644 index 0000000..e69de29 diff --git a/root/etc/rc.d/init.d/ldap.init b/root/etc/rc.d/init.d/ldap.init new file mode 100644 index 0000000..0b8b3c4 --- /dev/null +++ b/root/etc/rc.d/init.d/ldap.init 
@@ -0,0 +1,90 @@
+#!/bin/bash
+#----------------------------------------------------------------------
+# copyright (C) 2010 Firewall-Services
+# daniel@firewall-services.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# Technical support for this program is available from Mitel Networks
+# Please visit our web site www.mitel.com/sme/ for details.
+#----------------------------------------------------------------------
+
+# Source function library.
+SYSTEMCTL_SKIP_REDIRECT=1
+. /etc/rc.d/init.d/functions
+
+if [ $# -lt 1 ]; then
+ echo "Usage: $0 " 1>&2
+ exit 1
+fi
+# We should only do something if $1 is 'start'.
+if [ $1 != "start" ] && [ $1 != "restart" ]; then
+ exit 0
+fi
+
+for i in $(seq 1 10)
+do
+ /usr/bin/ldapwhoami -x > /dev/null 2>&1
+ if [ $? = 0 ]
+ then
+ exit_value=0
+ for link in $((echo /etc/e-smith/ldap/init/50bootstrap; find /etc/e-smith/ldap/init -type f -o -type l) | sort)
+ do
+ F=$(basename $link | sed 's/S\?[0-9][0-9]_\?//')
+ case $F in
+ bootstrap)
+ BOOTSTRAP=$(/sbin/e-smith/db configuration getprop ldap Bootstrap)
+ if [ "$BOOTSTRAP" == "run" ]; then
+ action "Running bootstrap-ldap-save" /sbin/e-smith/signal-event bootstrap-ldap-save
+ fi
+ ;;
+ *.ldif)
+ action "Loading $F into ldap" perl -e '
+ use esmith::util;
+ use esmith::ConfigDB;
+
+ my $c = esmith::ConfigDB->open_ro;
+ my $domain = $c->get("DomainName")
+ || die("Could not determine domain name");
+ my $base = esmith::util::ldapBase ($domain->value);
+ my $pw = esmith::util::LdapPassword();
+
+ open (STDERR, "|/usr/bin/logger -p local1.info -t ldap.init");
+ open (STDOUT, ">&STDERR");
+ my $link = shift || die "Missing filename";
+ my @add = system("/bin/grep -q changetype $link") == 0 ? () : ("-a");
+ exec "/usr/bin/ldapmodify", @add, "-c", "-x", "-H", "ldap://localhost/",
+ "-D", "cn=root,$base", "-w", "$pw", "-f", "$link";' $link && /bin/rm $link
+ ;;
+ *)
+ action "Loading $F into ldap" perl -e '
+ open (STDERR, "|/usr/bin/logger -p local1.info -t ldap.init");
+ open (STDOUT, ">&STDERR");
+ exec shift; ' $link && /bin/rm $link
+ ;;
+ esac
+ # Record any failure for the final return value.
+ if [ $? -ne 0 ]; then
+ exit_value=1
+ fi
+ done
+
+ exit $exit_value
+ fi
+ echo "Waiting for slapd to startup" >&2
+ sleep 2
+done
+
+exit 1
diff --git a/root/home/e-smith/db/ldap/.gitignore b/root/home/e-smith/db/ldap/.gitignore
new file mode 100644
index 0000000..e69de29
diff --git a/root/sbin/e-smith/ldif-fix b/root/sbin/e-smith/ldif-fix
new file mode 100644
index 0000000..ee14668
--- /dev/null
+++ b/root/sbin/e-smith/ldif-fix
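Review bot: The inline Perl in the `*.ldif)` branch of ldap.init hands the rootdn password to ldapmodify as `"-w", "$pw"`, which exposes it in the process list (`ps`, `/proc/<pid>/cmdline`) to every local user for as long as the load runs; ldapmodify's `-y <file>` reads it from a file instead, so writing `$pw` to a File::Temp file (created 0600) and passing `-y` closes that window, at the cost of using `system` rather than `exec` so the temporary file is removed afterwards. The same branch builds `system("/bin/grep -q changetype $link")` as a shell string; the list form `system('/bin/grep', '-q', 'changetype', $link)` skips the shell and is the right idiom even though `$link` comes from a root-owned directory here. Both changes are sketched below; they need `use File::Temp;` next to the block's other `use` lines, and note that `-y` uses the file contents verbatim, so no trailing newline is written. The enclosing `for link` loop and `case` sit wholly inside the hunk.
```perl
# … unchanged: use lines, ConfigDB lookup, $base, $pw, logger redirection …
my $link = shift || die "Missing filename";
my @add = system('/bin/grep', '-q', 'changetype', $link) == 0 ? () : ('-a');
# -y keeps the rootdn password out of the process list; File::Temp creates
# the file 0600 and unlinks it when $pwfh goes out of scope at exit.
my $pwfh = File::Temp->new();
print {$pwfh} $pw;
close $pwfh;
my $rc = system("/usr/bin/ldapmodify", @add, "-c", "-x", "-H", "ldap://localhost/",
    "-D", "cn=root,$base", "-y", $pwfh->filename, "-f", $link);
exit($rc == 0 ? 0 : 1);
```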
@@ -0,0 +1,419 @@ +#!/usr/bin/perl -T + +use strict; +use warnings; +use Net::LDAP; +use Net::LDAP::LDIF; +use Date::Parse; +use esmith::ConfigDB; +use esmith::AccountsDB; +use esmith::util; +use Getopt::Long qw(:config bundling); + +$ENV{'PATH'} = '/bin:/usr/bin:/sbin:/usr/sbin'; +$ENV{'LANG'} = 'C'; +$ENV{'TZ'} = ''; + +sub dnsort { + my %type = ( add => 1, modrdn => 2, moddn => 2, modify => 3, delete => 4); + my %attr = ( dc => 1, ou => 2, cn => 3, uid => 4); + + my ($oa) = ($a->get_value('newrdn') || $a->dn) =~ /^([^=]+)=/; + my ($ob) = ($b->get_value('newrdn') || $b->dn) =~ /^([^=]+)=/; + my ($ua, $ub) = map { my $tu = $_->get_value('uidnumber'); defined $tu && $tu ne '' ? $tu : -1 } ($a, $b); + my ($ga, $gb) = map { my $tg = $_->get_value('gidnumber'); defined $tg && $tg ne '' ? $tg : -1 } ($a, $b); + + ($attr{$oa} || 9) <=> ($attr{$ob} || 9) || ($type{$a->changetype} || 9) <=> ($type{$b->changetype} || 9) || + $ua <=> $ub || $ga <=> $gb || ($a->get_value('newrdn') || $a->dn) cmp ($b->get_value('newrdn') || $b->dn); +} + +my $c = esmith::ConfigDB->open_ro; +my $a = esmith::AccountsDB->open_ro; + +my $auth = $c->get('ldap')->prop('Authentication') || 'disabled'; +my $schema = '/etc/openldap/schema/samba.schema'; + +my $domain = $c->get('DomainName')->value; +my $basedn = esmith::util::ldapBase($domain); + +my $userou = 'ou=Users'; +my $groupou = 'ou=Groups'; +my $compou = 'ou=Computers'; + +my ($dc) = split /\./, $domain; +my $company = $c->get_prop('ldap', 'defaultCompany') || $domain; + +my %opt; +GetOptions ( \%opt, "diff|d", "update|u", "input|i=s", "output|o=s" ); +$opt{input} = '/usr/sbin/slapcat -c 2> /dev/null|' unless $opt{input} && ($opt{input} eq '-' || -f "$opt{input}" || -c "$opt{input}"); +$opt{diff} = 1 if $opt{update}; +if ( $opt{output} && $opt{output} =~ m{^([-\w/.]+)$}) { + $opt{output} = $1; +} else { + $opt{output} = '-'; +} + +my ($data, $dn); + +# Top object (base) +$data->{$basedn} = { + objectclass => [qw/organization dcObject top/], + 
dc => $dc, + o => $company, +}; + +# Top containers for users/groups/computers +foreach (qw/Users Groups Computers/) { + $data->{"ou=$_,$basedn"} = { + objectclass => [qw/organizationalUnit top/], + ou => $_, + }; +} + +# Common accounts needed for SME to work properly +$data->{"cn=nobody,$groupou,$basedn"}->{objectclass} = [ qw/posixGroup/ ]; +$data->{"uid=www,$userou,$basedn"}->{objectclass} = [ qw/account/ ]; +$data->{"cn=www,$groupou,$basedn"} = { objectclass => [ qw/posixGroup/ ], memberuid => [ qw/admin/ ] }; +$data->{"cn=rsshusers,$groupou,$basedn"}->{objectclass} = [ qw/posixGroup/ ]; +$data->{"cn=shared,$groupou,$basedn"} = { + objectclass => [ qw/posixGroup mailboxRelatedObject/ ], + mail => "everyone\@$domain", + memberuid => [ qw/www/ ] +}; + +# Read in accounts database information +foreach my $acct ($a->get('admin'), $a->users, $a->groups, $a->ibays, $a->get_all_by_prop(type => 'machine')) { + my $key = $acct->key; + my $type = $acct->prop('type'); + + next if $key eq 'Primary'; + + $dn = "uid=$key,".($type eq 'machine' ? $compou : $userou).",$basedn"; + if ($type =~ /^(?:user|group|machine|ibay)$/ || $key eq 'admin') { + if ($type eq 'user' || $key eq 'admin') { + # Allow removal of obsolete person objectclass and samba attributes + push @{$data->{$dn}->{_delete}->{objectclass}}, 'person'; + + + push @{$data->{$dn}->{objectclass}}, 'inetOrgPerson'; + $data->{$dn}->{mail} = "$key\@$domain"; + @{$data->{$dn}}{qw/givenname sn telephonenumber o ou l street/} = + map { $acct->prop($_) || [] } qw/FirstName LastName Phone Company Dept City Street/; + $data->{$dn}->{cn} = $acct->prop('FirstName').' 
'.$acct->prop('LastName'); + } + else { + push @{$data->{$dn}->{objectclass}}, 'account'; + } + + # users/ibays need to be a member of shared + push @{$data->{"cn=shared,$groupou,$basedn"}->{memberuid}}, $key if $type =~ /^(user|ibay)$/ || $key eq 'admin'; + + # users need to be a member of rsshusers if their shell is /usr/bin/rssh + push @{$data->{"cn=rsshusers,$groupou,$basedn"}->{memberuid}}, $key if ($type =~ /^(user)$/ || $key eq 'admin') && (($acct->prop('Shell') || '/usr/bin/rssh') eq '/usr/bin/rssh'); + + if ($auth ne 'enabled') { + # Allow removal of shadow properties + push @{$data->{$dn}->{_delete}->{objectclass}}, 'shadowAccount'; + $data->{$dn}->{_delete}->{lc($_)} = 1 foreach qw/userPassword shadowLastChange shadowMin shadowMax + shadowWarning shadowInactive shadowExpire shadowFlag/; + + if ( -f "$schema" ) { + # If we will be adding samba properties then allow removal + push @{$data->{$dn}->{_delete}->{objectclass}}, 'sambaSamAccount'; + $data->{$dn}->{_delete}->{lc($_)} = 1 foreach qw/displayName sambaAcctFlags sambaLMPassword sambaNTPassword + sambaNTPassword sambaPrimaryGroupSID sambaPwdLastSet sambaSID/; + } + } + } + + $dn = "cn=$key,$groupou,$basedn"; + push @{$data->{$dn}->{objectclass}}, 'posixGroup'; + if ($type eq 'group') { + # Allways replace memberuid with new set + $data->{$dn}->{_delete}->{memberuid} = 1; + + push @{$data->{$dn}->{objectclass}}, 'mailboxRelatedObject'; + + $data->{$dn}->{mail} = "$key\@$domain"; + $data->{$dn}->{description} = $acct->prop('Description') || []; + push @{$data->{$dn}->{memberuid}}, split /,/, ($acct->prop('Members') || ''); + + # www needs to be a memeber of every group + push @{$data->{$dn}->{memberuid}}, 'www'; + + if ($auth ne 'enabled' && -f "$schema" ) { + # If we will be adding samba properties then allow removal + push @{$data->{$dn}->{_delete}->{objectclass}}, 'sambaGroupMapping'; + $data->{$dn}->{_delete}->{lc($_)} = 1 foreach qw/displayName sambaGroupType sambaSID/; + } + } + elsif ($type eq 
'ibay') { + $dn = "cn=".$acct->prop('Group').",$groupou,$basedn"; + push @{$data->{$dn}->{memberuid}}, $acct->key; + } +} + +if ($auth ne 'enabled') { + # Read in information from unix (passwd) system + open PASSWD, '/etc/passwd'; + while () { + chomp; + my @passwd = split /:/, $_; + next unless scalar @passwd == 7; + + $dn = "uid=$passwd[0],".($passwd[0] =~ /\$$/ ? $compou : $userou).",$basedn"; + next unless exists $data->{$dn}; + + push @{$data->{$dn}->{objectclass}}, 'posixAccount'; + @{$data->{$dn}}{qw/cn uid uidnumber gidnumber homedirectory loginshell/} = + map { $passwd[$_] ? $passwd[$_] : [] } (4,0,2,3,5,6); + } + close (PASSWD); + + # Shadow file defaults (pulled from cpu.conf) + my %shadow_def = ( 1 => [], 2 => 11192, 3 => -1, 4 => 99999, 5 => 7, 6 => -1, 7 => -1, 8 => 134538308 ); + + # Read in information from unix (shadow) system + open SHADOW, '/etc/shadow'; + while () { + chomp; + my @shadow = split /:/, $_; + next unless scalar @shadow >= 6; + $shadow[1] = '!*' if $shadow[1] eq '!!'; + $shadow[1] = "{CRYPT}$shadow[1]" unless $shadow[1] =~ /^\{/; + + $dn = "uid=$shadow[0],".($shadow[0] =~ /\$$/ ? $compou : $userou).",$basedn"; + next unless exists $data->{$dn}; + + push @{$data->{$dn}->{objectclass}}, 'shadowAccount'; + @{$data->{$dn}}{ map { lc($_) } qw/userPassword shadowLastChange shadowMin shadowMax shadowWarning shadowInactive + shadowExpire shadowFlag/} = map { $shadow[$_] ? $shadow[$_] : $shadow_def{$_} } (1..8); + } + close (SHADOW); + + # Read in information from unix (group) system + open GROUP, '/etc/group'; + while () { + chomp; + my @group = split /:/, $_; + next unless scalar @group >= 3; + $group[3] = [ split /,/, ($group[3] || '') ]; + + $dn = "cn=$group[0],$groupou,$basedn"; + next unless exists $data->{$dn}; + + push @{$data->{$dn}->{objectclass}}, 'posixGroup'; + @{$data->{$dn}}{qw/cn gidnumber/} = map { $group[$_] ? 
$group[$_] : [] } (0,2); + push @{$data->{$dn}->{memberuid}}, @{$group[3]}; + } + close (GROUP); + + my %smbprop = ( + 'User SID' => 'sambasid', + 'Account Flags' => 'sambaacctflags', + 'Primary Group SID' => 'sambaprimarygroupsid', + 'Full Name' => 'displayname', + 'Password last set' => 'sambapwdlastset', + ); + + # Read in information from unix (smbpasswd) system + if ( -f "$schema" && -x '/usr/bin/pdbedit' ) { + $dn = undef; + open SMBDETAIL, '/usr/bin/pdbedit -vL 2> /dev/null|'; + while () { + chomp; + + $dn = ("uid=$1,".($1 =~ /\$$/ ? $compou : $userou).",$basedn") if m/^Unix username:\s+(\S.*)$/; + next unless $dn && exists $data->{$dn}; + + # Map the samba account properties that we care about + $data->{$dn}->{$smbprop{$1}} = ($2 ? str2time($2) : (defined $3 ? $3 : [])) + if m/^(.+):\s+(?:(\S.*\d{4} \d{2}:\d{2}:\d{2}.*)|(.*))$/ && exists $smbprop{$1}; + } + close (SMBDETAIL); + + open SMBPASSWD, '/usr/bin/pdbedit -wL 2> /dev/null|'; + while () { + chomp; + my @smbpasswd = split /:/, $_; + next unless scalar @smbpasswd >= 6; + + $dn = "uid=$smbpasswd[0],".($smbpasswd[0] =~ /\$$/ ? $compou : $userou).",$basedn"; + next unless exists $data->{$dn} && exists $data->{$dn}->{uidnumber} && $data->{$dn}->{uidnumber} eq $smbpasswd[1]; + + push @{$data->{$dn}->{objectclass}}, 'sambaSamAccount'; + @{$data->{$dn}}{qw/sambalmpassword sambantpassword/} = map { $smbpasswd[$_] ? 
$smbpasswd[$_] : [] } (2,3); + } + close (SMBPASSWD); + } + + if ( -f "$schema" && -x '/usr/bin/net' ) { + open GROUPMAP, '/usr/bin/net groupmap list 2> /dev/null|'; + while () { + chomp; + + if (m/^(.+) \((.+)\) -> (.+)$/) { + # Skip local machine accounts + next if $2 =~ /S-1-5-32-\d+/; + + $dn = "cn=$3,$groupou,$basedn"; + next unless exists $data->{$dn}; + + push @{$data->{$dn}->{objectclass}}, 'sambaGroupMapping'; + @{$data->{$dn}}{qw/displayname sambasid sambagrouptype/} = ($1, $2, 2); + } + } + close (GROUPMAP); + } +} + +my @ldif; + +# Loop through ldap data and update as necessary +my $reader = Net::LDAP::LDIF->new( $opt{input}, 'r', onerror => 'undef' ); +while( not $reader->eof()) { + my $entry = $reader->read_entry() || next; + $dn = $entry->dn; + + # Ensure the basedn is correct + $dn = "$1$basedn" if $dn =~ /^((?:(?!dc=)[^,]+,)*)dc=/; + + # Ensure correct ou is part of user/groups/computers + if ($dn =~ /^(uid=([^,\$]+)(\$)?),((?:(?!dc=)[^,]+,)*)dc=/) { + if ( defined $3 && $3 eq '$') { + $dn = "$1,$compou,$basedn"; + } + elsif (grep /posixGroup/, @{$entry->get_value('objectclass', asref => 1) || []}) { + $dn = "cn=$2,$groupou,$basedn"; + + # Cleanup attributes that the modrdn will perform + $entry->add(cn => $2); + $entry->delete(uid => [$2]); + } + else { + $dn = "$1,$userou,$basedn"; + } + } + elsif ($dn =~ /^(cn=[^,]+),((?:(?!dc=)[^,]+,)*)dc=/) { + $dn = "$1,$groupou,$basedn" unless $2 =~ /^ou=auto\./; + } + + # Don't process records twice + next if $data->{$dn}->{_done}; + + # Rename existing entry into place if we can + if ($dn ne $entry->dn) { + my $rdn = Net::LDAP::Entry->new; + $rdn->dn($entry->dn); + $rdn->changetype('modrdn'); + my ($newdn, $newbase) = split /,/, $dn, 2; + $rdn->add(newrdn => $newdn, deleteoldrdn => 1, newsuperior => $newbase); + push @ldif, $rdn; + + # Now we can change the entry to new dn + $entry->dn($dn); + } + + # Change type to modify so that we can keep track of changes we make + $entry->changetype('modify'); + + # 
Hack to make upgrades work (add calEntry if calFGUrl attributes exists) + if ($entry->exists('calFBURL') && -f "/etc/openldap/schema/rfc2739.schema") { + push @{$data->{$dn}->{objectclass}}, 'calEntry'; + } + + my %attributes = (); + @attributes{ keys %{$data->{$dn}}, exists $data->{$dn}->{_delete} ? map { lc($_) } keys %{$data->{$dn}->{_delete}} : () } = (); + + foreach my $attr (sort keys %attributes) { + # Skip the pseudo attributes + next if $attr =~ /^_/; + + my @l = @{$entry->get_value($attr, asref => 1) || []}; + my @u = exists $data->{$dn}->{$attr} ? (ref $data->{$dn}->{$attr} ? @{$data->{$dn}->{$attr}} : ($data->{$dn}->{$attr})) : (); + + # Figure out differences between attributes + my (@lonly, @uonly, @donly, %lseen, %useen, %dseen) = () x 6; + + # Unique lists of what is in ldap and what needs to be in ldap + @lseen{@l} = (); + @useen{@u} = (); + + # Create list of attributes that aren't in the other + @uonly = grep { ! exists $lseen{$_} } keys %useen; + @lonly = grep { ! exists $useen{$_} } keys %lseen; + + # Determine which of the ldap only attributes we need to remove + if ((keys %useen == 1 && keys %lseen == 1) || (keys %useen == 0 && exists $data->{$dn}->{$attr})) { + # Replacing a single entry or erasing entire entry + @donly = @lonly; + } + elsif ($data->{$dn}->{_delete} && $data->{$dn}->{_delete}->{$attr}) { + if (my $ref = ref($data->{$dn}->{_delete}->{$attr})) { + # Map hash keys or array elemts to valid values to delete + @dseen{$ref eq 'HASH' ? 
keys %{$data->{$dn}->{_delete}->{$attr}} : @{$data->{$dn}->{_delete}->{$attr}}} = (); + @donly = grep { exists $dseen{$_} } @lonly; + } + else { + # Permission to remove all values + @donly = @lonly; + } + } + + if (@donly && @donly == keys %lseen) { + # If we are removing all ldap attributes do a remove or full delete + if (@uonly) { + $entry->replace($attr => [ @uonly ]); + } + else { + $entry->delete($attr => []); + } + } + else { + $entry->delete($attr => [ @donly ]) if @donly; + $entry->add($attr => [ @uonly ]) if @uonly; + } + } + + $data->{$dn}->{_done} = 1; + push @ldif, $entry; +} +$reader->done(); + +# Add missing records that didn't exist in ldap yet +foreach $dn (grep { ! exists $data->{$_}->{_done} } sort keys %$data) { + my $entry = Net::LDAP::Entry->new; + $entry->dn($dn); + + foreach my $attr (sort keys %{$data->{$dn}}) { + # Skip the pseudo attributes + next if $attr =~ /^_/; + + my %seen = (); + @seen{ref $data->{$dn}->{$attr} ? @{$data->{$dn}->{$attr}} : ($data->{$dn}->{$attr})} = (); + $entry->add($attr => [ sort keys %seen ]) if keys %seen != 0; + } + + push @ldif, $entry; +} + +#------------------------------------------------------------ +# Update LDAP database entry. +#------------------------------------------------------------ +my $ldap; +if ($opt{update}) { + $ldap = Net::LDAP->new('localhost') or die "$@"; + $ldap->bind( dn => "cn=root,$basedn", password => esmith::util::LdapPassword() ); +} + +my $writer = Net::LDAP::LDIF->new( $opt{output}, 'w', onerror => 'undef', wrap => 0, sort => 1, change => $opt{diff} ); +foreach my $entry (sort dnsort @ldif) { + if ($opt{update} && ($entry->changetype ne 'modify' || @{$entry->{changes}}) ) { + my $result = $entry->update($ldap); + warn "Failure to ",$entry->changetype," ",$entry->dn,": ",$result->error,"\n" if $result->code; + } + + if ($writer->{change} || $entry->changetype !~ /modr?dn/) { + $writer->write_entry($entry); + } +} 
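Review bot: The LDIF this script emits carries every `{CRYPT}` hash read from `/etc/shadow` plus the LM/NT hashes taken from `pdbedit -wL`, yet when `-o` names a file, `Net::LDAP::LDIF->new($opt{output}, 'w', ...)` creates it under the caller's umask, so a default 022 leaves password-equivalent NT hashes world-readable. Add `umask 0077;` next to the `$ENV{...}` assignments at the top so any output file is created owner-only. Separately, the result of `$ldap->bind(...)` in the `$opt{update}` branch is discarded, so a wrong or missing root password surfaces only as one `Failure to modify ...` warning per entry while the script still exits 0; check it with `my $mesg = $ldap->bind(dn => "cn=root,$basedn", password => esmith::util::LdapPassword());` followed by `die "LDAP bind failed: ", $mesg->error, "\n" if $mesg->code;`.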
diff --git a/root/sbin/e-smith/systemd/ldap-finish b/root/sbin/e-smith/systemd/ldap-finish
new file mode 100644
index 0000000..3aaedf3
--- /dev/null
+++ b/root/sbin/e-smith/systemd/ldap-finish
@@ -0,0 +1,21 @@
+#! /bin/sh
+
+exec 2>&1
+
+LDIF=$(readlink -n /etc/openldap/ldif)
+TMP=$LDIF.$$
+if /usr/sbin/slapcat -l $TMP
+then
+ mv -f $TMP $LDIF
+else
+ echo slapcat dump of ldif failed - shutting down ldap service >&2
+ echo probable corruption of ldap backend files >&2
+
+ # Don't bother to keep a zero length dump file
+ if test ! -s $TMP
+ then
+ rm -f $TMP
+ fi
+
+fi
+
diff --git a/root/sbin/e-smith/systemd/ldap-prepare b/root/sbin/e-smith/systemd/ldap-prepare
new file mode 100644
index 0000000..ab4e01c
--- /dev/null
+++ b/root/sbin/e-smith/systemd/ldap-prepare
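Review bot: `slapcat -l $TMP` writes a full directory dump, including userPassword values and any samba hashes, into a file created under the service's umask, and nothing in this script restricts it; add `umask 077` right after `exec 2>&1` so both the temporary dump and the file it is `mv`'d over are owner-only. If the `/etc/openldap/ldif` symlink is missing, `readlink -n` prints nothing, `TMP` becomes `.$$` in the current directory and `mv -f .$$ ''` fails, so guard before the dump with `[ -n "$LDIF" ] || { echo "/etc/openldap/ldif is not a symlink" >&2; exit 1; }`. Whether `/home/e-smith/db/ldap` already carries restrictive directory permissions is not visible in this patch.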
@@ -0,0 +1,54 @@
+#! /bin/sh
+
+
+domain=$(/sbin/e-smith/config get DomainName)
+ldif="/home/e-smith/db/ldap/$domain.ldif"
+
+if [ -e /etc/openldap/ldif ]
+then
+ old_ldif=$(readlink /etc/openldap/ldif)
+ if [ "$old_ldif" != "$ldif" ]
+ then
+ # The domain name has changed, so we need to delete
+ # the old directory contents. We still have the old
+ # dump.
+ mv -f $old_ldif $ldif
+ find /var/lib/ldap -type f | xargs rm -f
+ fi
+fi
+
+if [ -f /var/lib/ldap/nextid.dbb ]
+then
+ # We are upgrading from an earlier version which used
+ # ldbm backend format. Delete the backend files, and
+ # restore from ldif
+ find /var/lib/ldap -type f | xargs rm -f
+fi
+
+# Set up symlink for ldap dump at shutdown
+ln -sf $ldif /etc/openldap/ldif
+
+/sbin/e-smith/expand-template /var/lib/ldap/DB_CONFIG
+
+# Make sure we use the slapd.conf file instead of the new slapd.d
+touch /etc/openldap/slapd.d/unused
+find /etc/openldap/slapd.d/ -mindepth 1 -maxdepth 1 -not -name unused -exec rm -rf {} \;
+/sbin/e-smith/expand-template /etc/openldap/slapd.conf
+
+# Prime directory if required
+if [ \! -f /var/lib/ldap/id2entry.bdb ]
+then
+ if [ -e /etc/openldap/ldif ]
+ then
+ /sbin/e-smith/ldif-fix -i /etc/openldap/ldif | setuidgid ldap slapadd -c
+ else
+ /sbin/e-smith/ldif-fix -i /dev/null | setuidgid ldap slapadd -c
+ fi
+else
+ setuidgid ldap /usr/bin/db_recover -v -h /var/lib/ldap
+fi
+
+# Make sure all DB files belongs to ldap:ldap
+find /var/lib/ldap -not -name DB_CONFIG -exec chown ldap:ldap {} \;
+
+exit 0
diff --git a/root/usr/lib/systemd/system/ldap.init.service b/root/usr/lib/systemd/system/ldap.init.service
new file mode 100644
index 0000000..f6009e9
--- /dev/null
+++ b/root/usr/lib/systemd/system/ldap.init.service
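Review bot: In the `# Prime directory if required` branch the exit status of `ldif-fix ... | setuidgid ldap slapadd -c` is never examined and the script ends with an unconditional `exit 0`, so a failed or partial import still lets systemd start slapd on an incomplete database; at the next stop `ldap-finish` then `slapcat`s that incomplete directory over the only LDIF copy. The prepare step should fail the unit instead, as below; with `#!/bin/sh` only slapadd's status is visible, and `set -o pipefail` would additionally catch ldif-fix dying where /bin/sh is bash, but that is not portable. The unquoted `$old_ldif` and `$ldif` in `mv -f $old_ldif $ldif` should also be double-quoted, since `$domain` is taken from the configuration DB rather than a fixed string.
```sh
# … unchanged: domain-change handling, ldbm cleanup, symlink, template expansion …
if [ \! -f /var/lib/ldap/id2entry.bdb ]
then
    if [ -e /etc/openldap/ldif ]
    then
        src=/etc/openldap/ldif
    else
        src=/dev/null
    fi
    if ! /sbin/e-smith/ldif-fix -i "$src" | setuidgid ldap slapadd -c
    then
        echo "slapadd from $src failed - not starting slapd on a partial directory" >&2
        exit 1
    fi
else
    # … unchanged: db_recover …
fi
```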
@@ -0,0 +1,21 @@
+[Unit]
+Description=Koozali SME Server ldap.init
+After=syslog.target network-online.target ldap.service
+
+[Service]
+Type=forking
+Restart=no
+TimeoutSec=5min
+IgnoreSIGPIPE=no
+KillMode=process
+GuessMainPID=no
+RemainAfterExit=yes
+ExecStartPre=/sbin/e-smith/service-status ldap.init
+ExecStart=/etc/rc.d/init.d/ldap.init start
+ExecStop=/etc/rc.d/init.d/ldap.init stop
+
+
+[Install]
+WantedBy=sme-server.target
+
+
diff --git a/root/usr/lib/systemd/system/ldap.service b/root/usr/lib/systemd/system/ldap.service
new file mode 100644
index 0000000..e971604
--- /dev/null
+++ b/root/usr/lib/systemd/system/ldap.service
@@ -0,0 +1,26 @@
+[Unit]
+Description=Koozali SME Server OpenLDAP Server Daemon
+After=syslog.target network-online.target
+Documentation=man:slapd
+Documentation=man:slapd-config
+Documentation=man:slapd-hdb
+Documentation=man:slapd-mdb
+Documentation=file:///usr/share/doc/openldap-servers/guide.html
+
+[Service]
+Type=simple
+PIDFile=/var/run/openldap/slapd.pid
+Environment="SLAPD_URLS=ldap:/// ldaps:/// ldapi:///" "SLAPD_OPTIONS=-4 -d 256 -s 0"
+EnvironmentFile=/etc/sysconfig/slapd
+ExecStartPre=/sbin/e-smith/service-status ldap
+ExecStartPre=/sbin/e-smith/expand-template /etc/openldap/ssl/slapd.pem
+ExecStartPre=/sbin/e-smith/systemd/ldap-prepare
+#ExecStartPre=/usr/libexec/openldap/check-config.sh
+ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS
+TimeoutStartSec=300
+Restart=always
+
+ExecStopPost=/sbin/e-smith/systemd/ldap-finish
+
+[Install]
+WantedBy=sme-server.target
diff --git a/root/usr/lib/systemd/system/slapd.service.d/50koozali.conf b/root/usr/lib/systemd/system/slapd.service.d/50koozali.conf
new file mode 100644
index 0000000..bf901bf
--- /dev/null
+++ b/root/usr/lib/systemd/system/slapd.service.d/50koozali.conf
@@ -0,0 +1,6 @@
+[Service]
+# disabled
+# we are using ldap.service
+ExecStart=/usr/bin/true
+ExecStartPre=
+PIDFile=
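Review bot: In ldap.service, `SLAPD_URLS=ldap:/// ldaps:/// ldapi:///` binds the cleartext listener on every interface, while the only consumers this patch shows (ldap.init's `ldapmodify -H ldap://localhost/` and ldif-fix's `Net::LDAP->new('localhost')`) are local; unless the `ldap` `TCPPorts`/`access` properties and the hosts.allow template listed in the diffstat are what gate remote access, `ldap://127.0.0.1/ ldaps:/// ldapi:///` would be the safer default. Note also that `EnvironmentFile=/etc/sysconfig/slapd` is applied after `Environment=` and overrides it, so if that distro file sets `SLAPD_URLS` or `SLAPD_OPTIONS` the values on the `Environment=` line are silently ignored; either document that with a comment such as `# /etc/sysconfig/slapd overrides the defaults below` or drop the file reference.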
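Review bot: The 50koozali.conf drop-in sets `ExecStart=/usr/bin/true` without first clearing the vendor unit's command, so unless the stock slapd.service is `Type=oneshot` the merged unit has two `ExecStart=` settings and systemd refuses to load it ("more than one ExecStart= setting"); add an empty `ExecStart=` line before the new one, exactly as is already done for `ExecStartPre=` and `PIDFile=`. If the vendor unit is `Type=notify`, `/usr/bin/true` never sends READY=1 and the parked unit would sit in activating until its timeout, so adding `Type=oneshot` (with `RemainAfterExit=yes` if it must read as active) is the more robust way to disable it; masking slapd.service from the spec would avoid the drop-in entirely. The intended change is three lines: `ExecStart=`, `ExecStart=/usr/bin/true`, `Type=oneshot`.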
diff --git a/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/directory.pm b/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/directory.pm
new file mode 100644
index 0000000..146a815
--- /dev/null
+++ b/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/directory.pm
@@ -0,0 +1,204 @@ +#!/usr/bin/perl -w + +# +# $Id: directory.pm,v 1.3 2003/12/18 17:19:54 msoulier Exp $ +# + +package esmith::FormMagick::Panel::directory; + +use strict; +use esmith::AccountsDB; +use esmith::ConfigDB; +use esmith::FormMagick; +use esmith::util; +use File::Basename; +use Exporter; +use Carp; + +our @ISA = qw(esmith::FormMagick Exporter); + +our @EXPORT = qw( + get_ldap_base get_value get_prop change_settings +); + +our $VERSION = sprintf '%d.%03d', q$Revision: 1.3 $ =~ /: (\d+).(\d+)/; + +our $db = esmith::ConfigDB->open(); + + +# {{{ header + +=pod + +=head1 NAME + +esmith::FormMagick::Panels::directory - useful panel functions + +=head1 SYNOPSIS + + use esmith::FormMagick::Panels::directory; + + my $panel = esmith::FormMagick::Panel::directory->new(); + $panel->display(); + +=head1 DESCRIPTION + +=cut + +# }}} + +# {{{ new + +=head2 new(); + +Exactly as for esmith::FormMagick + +=begin testing + + +use_ok('esmith::FormMagick::Panel::directory'); +use vars qw($panel); +ok($panel = esmith::FormMagick::Panel::directory->new(), "Create panel object"); +isa_ok($panel, 'esmith::FormMagick::Panel::directory'); + +=end testing + +=cut + + + +sub new { + shift; + my $self = esmith::FormMagick->new(); + $self->{calling_package} = (caller)[0]; + bless $self; + return $self; +} + +# }}} + +# {{{ get_prop + +=head2 get_prop ITEM PROP + +A simple accessor for esmith::ConfigDB::Record::prop + +=cut + +sub get_prop { + my $fm = shift; + my $item = shift; + my $prop = shift; + + my $record = $db->get($item); + if ($record) { + return $record->prop($prop); + } + else { + return ''; + } + +} + +# }}} + +=head2 get_ldap_base + +Gets the LDAP base for this domain + +=cut + +sub get_ldap_base { + return esmith::util::ldapBase(get_value('','DomainName')); +} + + +# {{{ get_value + +=head2 get_value ITEM + +A simple accessor for esmith::ConfigDB::Record::value + +=cut + +sub get_value { + my $fm = shift; + my $item = shift; + + my $record = $db->get($item); + if 
($record) { + return $record->value(); + } + else { + return ''; + } +} + +# }}} + +=head1 ACTION + + +# {{{ change_settings + +=head2 change_settings + +If everything has been validated, properly, go ahead and set the new settings + +=cut + + + +sub change_settings { + my ($fm) = @_; + + my $q = $fm->{'cgi'}; + + my $access = $q->param ('Access') || 'private'; + my $department = $q->param ('Department') || ""; + my $company = $q->param ('Company') || ""; + my $street = $q->param ('Street') || ""; + my $city = $q->param ('City') || ""; + my $phone = $q->param ('PhoneNumber') || ""; + my $existing = $q->param ('Existing') || 'leave' ; + $db->get('ldap')->set_prop('access', $access); + $db->get('ldap')->set_prop('defaultDepartment', $department); + $db->get('ldap')->set_prop('defaultCompany', $company); + $db->get('ldap')->set_prop('defaultStreet', $street); + $db->get('ldap')->set_prop('defaultCity', $city); + $db->get('ldap')->set_prop('defaultPhoneNumber', $phone); + + #------------------------------------------------------------ + # If requested, update the account records for all existing users. + # Don't need to signal any special events for this, since we're only + # changing LDAP information. If we were changing the user names + # or email parameters, we'd have to signal events to trigger the + # right updates. 
+ #------------------------------------------------------------ + + if ($existing eq 'update') { + my $a = esmith::AccountsDB->open; + my @users = $a->users(); + + foreach my $user (@users) { + $user->set_prop('Phone', $phone); + $user->set_prop('Company', $company); + $user->set_prop('Dept', $department); + $user->set_prop('City', $city); + $user->set_prop('Street', $street); + + } + } + #------------------------------------------------------------ + # Update the system + #------------------------------------------------------------ + + system ("/sbin/e-smith/signal-event ldap-update") == 0 + or return $fm->error('ERROR_UPDATING_CONFIGURATION'); + + return $fm->success('SUCCESS'); +} + +# }}} + +1; diff --git a/root/var/log/bdb/.gitignore b/root/var/log/bdb/.gitignore new file mode 100644 index 0000000..e69de29 diff --git a/root/var/log/ldap/.gitignore b/root/var/log/ldap/.gitignore new file mode 100644 index 0000000..e69de29
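Review bot: `change_settings` writes the raw `Access`, `Department`, `Company`, `Street`, `City` and `PhoneNumber` CGI parameters straight into the `ldap` configuration record and, when `Existing=update`, into every user record, with no validation in this module; the POD remark that "everything has been validated" presumably points at validators in the panel's FormMagick XML (in the diffstat, not in this hunk), which should be confirmed rather than assumed. At minimum pin the enumerated field here, `my $access = ($q->param('Access') || '') eq 'public' ? 'public' : 'private';`, since `ldap/access` looks like the value that decides directory exposure, and reject newlines and `|` in the free-text fields unless `set_prop` is known to escape them, because the configuration DB's flat-file format uses `|` as the property separator (verify against esmith::DB). These values are later emitted by ldif-fix as the `o`, `ou`, `l`, `street` and `telephonenumber` attributes of every user, so an embedded line break would also corrupt that LDIF.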