smeserver-base/root/etc/e-smith/events/actions/group-create-unix

#!/usr/bin/perl -w

#----------------------------------------------------------------------
# copyright (C) 1999-2005 Mitel Networks Corporation
# copyright (C) 2024 Koozali foundation inc.
# 
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
# 		
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# 		
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
# 
# Technical support for this program is available from Mitel Networks 
# Please visit our web site www.mitel.com/sme/ for details.
#----------------------------------------------------------------------

package esmith;

use strict;
use Errno;
use esmith::ConfigDB;
use esmith::AccountsDB;
use esmith::util::ldap;
use esmith::util;

my $conf = esmith::ConfigDB->open_ro
    or die "Could not open Config DB";
my $accounts = esmith::AccountsDB->open
    or die "Could not open accounts DB";

my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled';
my $x = 0; # exit value
my $result;

# prepare LDAP bind
my $ldap=esmith::util::ldap->new();

my $event = $ARGV [0];
my $groupName = $ARGV [1];

#------------------------------------------------------------
# Create the group
#------------------------------------------------------------

die "Groupname argument missing." unless defined ($groupName);

my $group = $accounts->get($groupName);

unless ($group && $group->prop('type') eq 'group')
{
    die "Account $groupName is not a group account; create group failed.\n";
}

my $lock = undef;
my $gid;
unless ($gid = $group->prop('Gid'))
{
    use esmith::lockfile;

    $lock = esmith::lockfile::LockFileOrWait("/home/e-smith/db/accounts");
    $gid = $accounts->get_next_uid;
    $group->set_prop('Gid', $gid);
    unless ($group->prop('Uid'))
    {
	$group->set_prop('Uid', $gid);
    }
}
my $uid = $group->prop('Uid');
my $description = $group->prop('Description') || '';

if ($ldapauth ne 'enabled')
{
    # Create the user's unique group first
    system(
            "/usr/sbin/groupadd",
            "-g", $gid,
            $groupName
        ) == 0 or ( $x = 255, warn "Failed to create (unix) group $groupName.\n" );

    # Now create the dummy user account
    system(
            "/usr/sbin/useradd",
            "-u", $uid,
            "-g", $gid,
            "-c", $description,
            "-d",
            "/home/e-smith",
            "-s",
            "/bin/false",
            "$groupName"
        ) == 0 or ( $x = 255, warn "Failed to create (unix) user $groupName.\n" );
}

# create group
$result = $ldap->ldapgroup($group);
$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) group $groupName.\n" );

#create dedicated group user
$result = $ldap->ldapuser($group);
$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) user $groupName.\n" );

# add to supplementary group
# as it is regular group, pm will add www and admin, so no need to add it
my @UserArr = ($groupName);
$result = $ldap->ldapsetgroupmembers($groupName,\@UserArr);
# error code 20 is entry already exits.
$result  &&  ( $result->code != 20 ) && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to add (ldap) account $groupName to supplementary group.\n" );

# Release lock if we have one
$lock && esmith::lockfile::UnlockFile($lock);

#------------------------------------------------------------
# It would be nice if we could simply edit the line in /etc/group
# and add the list of users, but it's safer to use the "usermod"
# command. This means that for each desired group member, we have
# to fetch the current list of that member's groups, add this new
# group, and update the member's group list.
#------------------------------------------------------------

my $members = $group->prop('Members') || '';
my @groupMembers = split (/,/, $members);

# "www" and "admin" are implicit members of all groups
push @groupMembers, 'admin', 'www';

foreach my $member (@groupMembers)
{
    # Get a list of this member's supplementary groups, then add the
    # new group to the list. Finally sort, join and run the usermod
    # function to update the group list for this member.

    #my $cmd = "/usr/bin/id -G -n '$member'";
    # this will not fail in case of apache aliase before www in passwd
    my $cmd = "/usr/bin/groups '$member' 2>/dev/null | cut -d' ' -f3- ";
    my $groups = `$cmd 2>/dev/null`; 
    if ($? != 0)
    {
	die "Failed to get supplementary group list for $member.\n";
    }
    chomp ($groups);

    my @groupList = split (/\s+/, $groups);
    @groupList = grep (!/^$member$/, @groupList);
    # Apache is an alias for www
    @groupList = map { $_ =~ s/^apache$/www/g; $_ } @groupList;

    push @groupList, $groupName;

    $groups = join (',', sort (@groupList));

    if ($ldapauth ne 'enabled')
    {
        system("/usr/sbin/usermod", "-G", "$groups", "$member") == 0
            or ( $x = 255, warn "Failed to modify supplementary (unix) group list for $member.\n" );
    }
}

exit ($x);