* Wed May 15 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-10.sme

- fix user@0.service failed to start [SME: 12568]
- stop loging in audit crond success
- drop cpu and use esmith:util::ldap [SME: 12663]
This commit is contained in:
Jean-Philippe Pialasse 2024-08-13 16:55:04 -04:00
parent 2a87d8e1ba
commit d0fb8284d6
9 changed files with 123 additions and 182 deletions

View File

@ -2,6 +2,7 @@
#----------------------------------------------------------------------
# copyright (C) 1999-2005 Mitel Networks Corporation
# copyright (C) 2024 Koozali foundation inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@ -27,7 +28,8 @@ use strict;
use Errno;
use esmith::ConfigDB;
use esmith::AccountsDB;
use File::Temp;
use esmith::util::ldap;
use esmith::util;
my $conf = esmith::ConfigDB->open_ro
or die "Could not open Config DB";
@ -36,10 +38,10 @@ my $accounts = esmith::AccountsDB->open
my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled';
my $x = 0; # exit value
my $result;
my $domain = $conf->get('DomainName')
|| die("Couldn't determine domain name");
$domain = $domain->value;
# prepare LDAP bind
my $ldap=esmith::util::ldap->new();
my $event = $ARGV [0];
my $groupName = $ARGV [1];
@ -97,41 +99,20 @@ if ($ldapauth ne 'enabled')
) == 0 or ( $x = 255, warn "Failed to create (unix) user $groupName.\n" );
}
# Create the user's unique group first (in ldap)
my $tmpattr = File::Temp->new();
print $tmpattr "mail: $groupName\@$domain\n";
print $tmpattr "description: $description\n";
$tmpattr->flush();
system(
"/usr/sbin/cpu", "groupadd",
"-a", "$tmpattr",
"-g", $gid,
$groupName
) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) group $groupName.\n" );
undef $tmpattr;
# create group
$result = $ldap->ldapgroup($group);
$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) group $groupName.\n" );
# Now create the dummy user account (in ldap)
system(
"/usr/sbin/cpu", "-C/etc/cpu-system.conf", "useradd",
"-u", $uid,
"-g", $gid,
"-d",
"/home/e-smith",
"-s",
"/bin/false",
"$groupName"
) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) user $groupName.\n" );
#create dedicated group user
$result = $ldap->ldapuser($group);
$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) user $groupName.\n" );
# Set the cn of the dummy user account (in ldap)
$tmpattr = File::Temp->new();
print $tmpattr "cn: $description\n";
$tmpattr->flush();
system(
"/usr/sbin/cpu", "-C/etc/cpu-system.conf", "usermod",
"-a", $tmpattr,
"$groupName"
) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to update (ldap) user $groupName.\n" );
undef $tmpattr;
# add to supplementary group
# as it is regular group, pm will add www and admin, so no need to add it
my @UserArr = ($groupName);
$result = $ldap->ldapsetgroupmembers($groupName,\@UserArr);
# error code 20 is entry already exits.
$result && ( $result->code != 20 ) && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to add (ldap) account $groupName to supplementary group.\n" );
# Release lock if we have one
$lock && esmith::lockfile::UnlockFile($lock);
@ -150,8 +131,7 @@ my @groupMembers = split (/,/, $members);
# "www" and "admin" are implicit members of all groups
push @groupMembers, 'admin', 'www';
my $member;
foreach $member (@groupMembers)
foreach my $member (@groupMembers)
{
# Get a list of this member's supplementary groups, then add the
# new group to the list. Finally sort, join and run the usermod
@ -179,13 +159,6 @@ foreach $member (@groupMembers)
system("/usr/sbin/usermod", "-G", "$groups", "$member") == 0
or ( $x = 255, warn "Failed to modify supplementary (unix) group list for $member.\n" );
}
# root user/group isn't in ldap
@groupList = grep (!/^root$/, @groupList);
$groups = join (',', sort (@groupList));
system("/usr/sbin/cpu", "-C/etc/cpu-system.conf", "usermod", "-G", "$groups", "$member") == 0
or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify supplementary (ldap) group list for $member.\n" );
}
exit ($x);

View File

@ -2,6 +2,7 @@
#----------------------------------------------------------------------
# copyright (C) 1999-2005 Mitel Networks Corporation
# copyright (C) 2024 Koozali Foundation inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@ -26,6 +27,8 @@ package esmith;
use strict;
use Errno;
use esmith::ConfigDB;
use esmith::util;
use esmith::util::ldap;
my $conf = esmith::ConfigDB->open_ro
or die "Could not open Config DB";
@ -33,6 +36,9 @@ my $conf = esmith::ConfigDB->open_ro
my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled';
my $x = 0; # exit value
# prepare LDAP bind
my $ldap=esmith::util::ldap->new();
my $event = $ARGV [0];
my $groupName = $ARGV [1] or die "Groupname argument missing.";
@ -45,10 +51,12 @@ if ($ldapauth ne 'enabled')
or ( $x = 255, warn "Failed to delete (unix) group $groupName.\n" );
}
system("/usr/sbin/cpu", "-C/etc/cpu-system.conf", "userdel", "$groupName") == 0
or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete dummy user for (ldap) group $groupName.\n" );
# delete dedicated user group
my $result = $ldap->ldapdeluser($groupName);
$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete dummy user for (ldap) group $groupName.\n" );
system("/usr/sbin/cpu", "groupdel", "$groupName") == 0
or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (ldap) group $groupName.\n" );
# delete group
$result = $ldap->ldapdelgroup($groupName);
$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (ldap) group $groupName.\n" );
exit ($x);

View File

@ -2,6 +2,7 @@
#----------------------------------------------------------------------
# copyright (C) 2002-2005 Mitel Networks Corporation
# copyright (C) 2024 Koozali Foundation inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@ -27,17 +28,19 @@ use strict;
use Errno;
use esmith::ConfigDB;
use esmith::AccountsDB;
use File::Temp;
use esmith::util;
use utf8;
use esmith::util::ldap;
my $c = esmith::ConfigDB->open_ro || die "Couldn't open config db\n";
my $a = esmith::AccountsDB->open_ro || die "Couldn't open accounts db\n";
my $ldapauth = $c->get('ldap')->prop('Authentication') || 'disabled';
my $x = 0; # exit value
my $result;
my $domain = $c->get('DomainName')
|| die("Couldn't determine domain name");
$domain = $domain->value;
# prepare LDAP bind
my $ldap=esmith::util::ldap->new();
my $event = shift || die "Event name arg missing\n";;
my @groups;
@ -78,22 +81,12 @@ foreach my $group (@groups)
or ( $x = 255, warn "Failed to modify (unix) group description for $groupName.\n" );
}
my $tmpattr = File::Temp->new();
print $tmpattr "cn: $groupDesc\n";
$tmpattr->flush();
system("/usr/sbin/cpu", "-C/etc/cpu-system.conf", "usermod", "-a", "$tmpattr", "$groupName") == 0
or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify (ldap) group description for $groupName.\n" );
$tmpattr = File::Temp->new();
print $tmpattr "mail: $groupName\@$domain\n";
print $tmpattr "description: $groupDesc\n";
$tmpattr->flush();
system(
"/usr/sbin/cpu", "-C/etc/cpu-system.conf", "groupmod",
"-a", "$tmpattr",
"$groupName"
) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify (ldap) group description/email for $groupName.\n" );
undef $tmpattr;
# modify group dedicated user cn
$result = $ldap->ldapmoduser($group);
$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify (ldap) group description for $groupName.\n" );
# modify Group description and mail
$result = $ldap->ldapmodgroup($group);
$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify (ldap) group description/email for $groupName.\n" );
my ($name, $passwd, $gid, $members) = getgrnam ($groupName);
my @oldMembers = split (/\s+/, $members);
@ -116,7 +109,11 @@ foreach my $group (@groups)
{
$oldMembers{$member} = 1;
}
my (@addMembers, @delMembers);
# applying list of user memberUid for LDAP for this group
$result = $ldap->ldapsetgroupmembers($groupName,\@newMembers);
# error code 20 is entry already exits.
$result && ( $result->code != 20 ) && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify supplementary (ldap) group membership for $groupName.\n" );
foreach $member (@newMembers, @oldMembers)
{
@ -157,13 +154,8 @@ foreach my $group (@groups)
or ( $x = 255, warn "Failed to modify supplementary (unix) group list for $member.\n" );
}
# root user/group isn't in ldap
@groupList = grep (!/^root$/, @groupList);
$groups = join (',', sort (@groupList));
system("/usr/sbin/cpu", "-C/etc/cpu-system.conf", "usermod", "-G", "$groups", "$member") == 0
or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify supplementary (ldap) group list for $member.\n" );
}
}
} # end of list of groups
exit ($x);

View File

@ -2,6 +2,7 @@
#----------------------------------------------------------------------
# copyright (C) 1999-2005 Mitel Networks Corporation
# copyright (C) 2024 Koozali foundation inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@ -27,7 +28,9 @@ use strict;
use Errno;
use esmith::ConfigDB;
use esmith::AccountsDB;
use File::Temp;
use esmith::util;
use utf8;
use esmith::util::ldap;
my $conf = esmith::ConfigDB->open_ro;
my $accounts = esmith::AccountsDB->open;
@ -35,9 +38,8 @@ my $accounts = esmith::AccountsDB->open;
my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled';
my $x = 0; # exit value
my $domain = $conf->get('DomainName')
|| die("Couldn't determine domain name");
$domain = $domain->value;
# prepare LDAP bind
my $ldap=esmith::util::ldap->new();
my $event = $ARGV [0];
my $userName = $ARGV [1];
@ -65,13 +67,13 @@ unless ($uid = $acct->prop('Uid'))
$acct->set_prop('Uid', $uid);
}
my $gid = $acct->prop('Gid') || $uid;
my $first = $acct->prop('FirstName') || '';
my $last = $acct->prop('LastName') || '';
my $phone = $acct->prop('Phone') || '';
my $company = $acct->prop('Company') || '';
my $dept = $acct->prop('Dept') || '';
my $city = $acct->prop('City') || '';
my $street = $acct->prop('Street') || '';
my $first = stringToASCII($acct->prop('FirstName')) || '';
my $last = stringToASCII($acct->prop('LastName')) || '';
my $phone = stringToASCII($acct->prop('Phone')) || '';
my $company = stringToASCII($acct->prop('Company')) || '';
my $dept = stringToASCII($acct->prop('Dept')) || '';
my $city = stringToASCII($acct->prop('City')) || '';
my $street = stringToASCII($acct->prop('Street')) || '';
my $shell = $acct->prop('Shell') || '/usr/bin/false';
my $groups = "shared";
@ -101,38 +103,17 @@ if ($ldapauth ne 'enabled')
}
# Create the user's unique group first (in ldap)
system(
"/usr/sbin/cpu", "-C/etc/cpu-system.conf", "groupadd",
"-g",
$gid,
$userName
) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) group $userName.\n" );
my $result = $ldap->ldapgroup($acct);
$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) group $userName.\n" );
# Now create the user account (in ldap)
my $tmpattr = File::Temp->new();
print $tmpattr "telephoneNumber: $phone\n";
print $tmpattr "o: $company\n";
print $tmpattr "ou: $dept\n";
print $tmpattr "l: $city\n";
print $tmpattr "street: $street\n";
$tmpattr->flush();
system(
"/usr/sbin/cpu", "useradd",
"-u", $uid,
"-g", $gid,
"-f", "$first",
"-E", "$last",
"-e", "$userName\@$domain",
"-a", "$tmpattr",
"-d", "/home/e-smith/files/users/$userName",
"-G", "$groups",
"-m",
"-k/etc/e-smith/skel/user",
"-s", "$shell",
$userName
) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) account $userName.\n" );
undef $tmpattr;
$result = $ldap->ldapuser($acct);
$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) account $userName.\n" );
# add to supplementary group
my @UserArr = ($userName);
$result = $ldap->ldapsetgroupmembers($userName,\@UserArr);
$result && ( $result != 20 ) && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to add (ldap) account $userName to supplementary group.\n" );
# Release lock if we have one
$lock && esmith::lockfile::UnlockFile($lock);
@ -141,13 +122,15 @@ $lock && esmith::lockfile::UnlockFile($lock);
chmod 0700, "/home/e-smith/files/users/$userName";
# lock user password
if ($ldapauth ne 'enabled')
{
system("/usr/bin/passwd", "-l", "$userName")
and ( $x = 255, warn "Could not lock (unix) password for $userName\n" );
}
system("/usr/sbin/cpu", "usermod", "-L", "$userName")
and ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Could not lock (ldap) password for $userName\n" );
# esmith::util::ldap already lock user on creation, this avoid one more ldap write access.
system("/usr/bin/smbpasswd", "-a", "-d", "$userName")
and ( $x = 255, warn "Could not lock (smb) password for $userName\n" );

View File

@ -2,6 +2,7 @@
#----------------------------------------------------------------------
# copyright (C) 1999-2005 Mitel Networks Corporation
# copyright (C) 2024 Koozali Foundation inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@ -27,6 +28,7 @@ use strict;
use Errno;
use esmith::util;
use esmith::ConfigDB;
use esmith::util::ldap;
my $conf = esmith::ConfigDB->open_ro
or die "Could not open Config DB";
@ -34,6 +36,9 @@ my $conf = esmith::ConfigDB->open_ro
my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled';
my $x = 0; # exit value
# prepare LDAP bind
my $ldap=esmith::util::ldap->new();
my $event = $ARGV [0];
my $userName = $ARGV [1];
@ -53,11 +58,21 @@ if ($ldapauth ne 'enabled')
( $x = 255, warn "Failed to delete (unix) account $userName.\n" );
}
}
else
{
my $discard = `/bin/rm -rf /home/e-smith/files/users/$userName`;
if ($? != 0)
{
( $x = 255, warn "Failed to delete home dir of account $userName.\n" );
}
system("/usr/sbin/cpu", "userdel", "-r", $userName) == 0
or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (ldap) account $userName.\n" );
}
# delete user
my $result = $ldap->ldapdeluser($userName);
$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (ldap) account $userName.\n" );
system("/usr/sbin/cpu", "-C/etc/cpu-system.conf", "groupdel", $userName) == 0
or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (ldap) group account $userName.\n" );
# delete user dedicated group
$result = $ldap->ldapdelgroup($userName);
$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (ldap) group account $userName.\n" );
exit ($x);

View File

@ -2,6 +2,7 @@
#----------------------------------------------------------------------
# copyright (C) 2001-2006 Mitel Networks Corporation
# copyright (C) 2024 Koozali foundation inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@ -25,6 +26,7 @@ use Errno;
use esmith::AccountsDB;
use esmith::ConfigDB;
use English;
use esmith::util::ldap;
my $a = esmith::AccountsDB->open or die "Could not open accounts db";
my $conf = esmith::ConfigDB->open or die "Could not open configuration db";
@ -32,6 +34,9 @@ my $conf = esmith::ConfigDB->open or die "Could not open configuration db";
my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled';
my $x = 0; # exit value
# prepare LDAP bind
my $ldap=esmith::util::ldap->new();
my $event = $ARGV [0];
my @users_to_lock = bad_password_users();
@ -54,13 +59,16 @@ sub lock_user
my $u = $a->get($userName) or die "No account record for user $userName";
# lock in unix shadow/passwd if used.
if ($ldapauth ne 'enabled')
{
system("/usr/bin/passwd", "-l", $userName) == 0
or ( $x = 255, warn "Error locking (unix) account $userName" );
}
system("/usr/sbin/cpu", "usermod", "-L", $userName) == 0
or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Error locking (ldap) account $userName" );
# lock in LDAP
$result = $ldap->ldaplockuser($userName);
$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Error locking (ldap) account $userName.\n" );
# lock in samba
system("/usr/bin/smbpasswd", "-d", $userName) == 0
or ( $x = 255, warn "Error locking (smb) account $userName" );
$u->set_prop('PasswordSet', 'no');

View File

@ -22,29 +22,17 @@ use strict;
use Errno;
use esmith::AccountsDB;
use esmith::ConfigDB;
use Net::LDAP;
use esmith::util;
use utf8;
use esmith::util::ldap;
my $conf = esmith::ConfigDB->open or die "Could not open configuration db";
my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled';
my $x = 0; # exit value
my $domain = $conf->get('DomainName')
|| die("Couldn't determine domain name");
$domain = $domain->value;
# prepare LDAP bind
my $pw = esmith::util::LdapPassword();
my $base = esmith::util::ldapBase ($domain);
my $ldap = Net::LDAP->new('localhost')
or die "$@";
$ldap->bind(
dn => "cn=root,$base",
password => $pw
);
my $ldap=esmith::util::ldap->new();
my $event = $ARGV [0];
my $userName = $ARGV [1];
@ -94,22 +82,14 @@ foreach my $u (@users)
system("/usr/sbin/usermod", '-s', "$new_shell", $userName) == 0
or ( $x = 255, warn "Failed to modify shell of (unix) account $userName.\n" );
}
my @new_shell = ($new_shell);
$result = $ldap->modify("uid=$userName,ou=Users,$base",
replace => {
loginShell => \@new_shell
}
);
$result->code && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify shell of (ldap) account $userName.\n" );
}
#------------------------------------------------------------
# Modify user's first name and last name if required,
# in /etc/passwd using "usermod"
#------------------------------------------------------------
my $first = $u->prop('FirstName') || "";
my $last = $u->prop('LastName') || "";
my $first = stringToASCII($u->prop('FirstName') || "");
my $last = stringToASCII($u->prop('LastName') || "");
my $new_comment = "$first $last";
unless ($comment eq $new_comment)
@ -119,36 +99,11 @@ foreach my $u (@users)
system("/usr/sbin/usermod", "-c", "$first $last", $userName) == 0
or ( $x = 255, warn "Failed to modify comment of (unix) account $userName.\n" );
}
my @new_comment = ($new_comment);
my @first = ($first);
my @last = ($last);
$result = $ldap->modify("uid=$userName,ou=Users,$base",
replace => {
givenName => \@first,
sn => \@last,
cn => \@new_comment,
displayName => \@new_comment
}
);
$result->code && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify comment/name of (ldap) account $userName.\n" );
}
my @new_phone = ($u->prop('Phone')) || ();
my @new_company = ($u->prop('Company')) || ();
my @new_dept = ($u->prop('Dept')) || ();
my @new_city = ($u->prop('City')) || ();
my @new_street = ($u->prop('Street')) || ();
$result = $ldap->modify("uid=$userName,ou=Users,$base",
replace => {
telephoneNumber => \@new_phone,
o => \@new_company,
ou => \@new_dept,
l => \@new_city,
street => \@new_street
}
);
$result->code && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify email of (ldap) account $userName.\n" );
# we do all the test in ldap pm to avoid 3 differents write access, which are costly.
$result = $ldap->ldapuser($u);
$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify email of (ldap) account $userName.\n" );
}

View File

@ -1,4 +1,6 @@
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet_success use_uid
session required pam_unix.so
{
my $status = $ldap{Authentication} || 'disabled';

View File

@ -4,7 +4,7 @@ Summary: smeserver server and gateway - base module
%define name smeserver-base
Name: %{name}
%define version 11.0.0
%define release 9
%define release 10
Version: %{version}
Release: %{release}%{?dist}
License: GPL
@ -15,7 +15,7 @@ Source: %{name}-%{version}.tar.xz
BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
Requires: pwauth
Requires: smeserver-lib >= 2.2.0-2
Requires: smeserver-lib >= 11.0.0-7
Requires: server-manager-images, server-manager
Requires: smeserver-formmagick >= 1.4.0-12
Requires: plymouth
@ -50,7 +50,7 @@ Requires: smeserver-runit >= 2.6.0-7
Requires: smeserver-php >= 3.0.0-22
Requires: smeserver-yum >= 2.6.0-43
Obsoletes: nss_ldap < 254
Requires: cpu >= 1.4.3
Obsoletes: cpu
Obsoletes: rlinetd, e-smith-mod_ssl
Obsoletes: e-smith-serial-console
Obsoletes: sshell
@ -184,6 +184,11 @@ fi
%changelog
* Wed May 15 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-10.sme
- fix user@0.service failed to start [SME: 12568]
- stop loging in audit crond success
- drop cpu and use esmith:util::ldap [SME: 12663]
* Wed Apr 17 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-9.sme
- fix self-signed cert renewd when not necessary [SME: 12606]