From d0fb8284d60669351986fce052d8ba60f9a8ad4b Mon Sep 17 00:00:00 2001 From: Jean-Philippe Pialasse Date: Tue, 13 Aug 2024 16:55:04 -0400 Subject: [PATCH] * Wed May 15 2024 Jean-Philippe Pialasse 11.0.0-10.sme - fix user@0.service failed to start [SME: 12568] - stop loging in audit crond success - drop cpu and use esmith:util::ldap [SME: 12663] --- .../e-smith/events/actions/group-create-unix | 65 ++++++------------ .../e-smith/events/actions/group-delete-unix | 16 +++-- .../e-smith/events/actions/group-modify-unix | 48 ++++++------- .../e-smith/events/actions/user-create-unix | 67 +++++++------------ .../e-smith/events/actions/user-delete-unix | 23 +++++-- .../e-smith/events/actions/user-lock-passwd | 12 +++- .../e-smith/events/actions/user-modify-unix | 61 +++-------------- .../templates/etc/pam.d/system-auth/50session | 2 + smeserver-base.spec | 11 ++- 9 files changed, 123 insertions(+), 182 deletions(-) diff --git a/root/etc/e-smith/events/actions/group-create-unix b/root/etc/e-smith/events/actions/group-create-unix index 5213eac..3b92a8b 100755 --- a/root/etc/e-smith/events/actions/group-create-unix +++ b/root/etc/e-smith/events/actions/group-create-unix @@ -2,6 +2,7 @@ #---------------------------------------------------------------------- # copyright (C) 1999-2005 Mitel Networks Corporation +# copyright (C) 2024 Koozali foundation inc. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -27,7 +28,8 @@ use strict; use Errno; use esmith::ConfigDB; use esmith::AccountsDB; -use File::Temp; +use esmith::util::ldap; +use esmith::util; my $conf = esmith::ConfigDB->open_ro or die "Could not open Config DB"; 
@@ -36,10 +38,10 @@ my $accounts = esmith::AccountsDB->open my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled'; my $x = 0; # exit value +my $result; -my $domain = $conf->get('DomainName') - || die("Couldn't determine domain name"); -$domain = $domain->value; +# prepare LDAP bind +my $ldap=esmith::util::ldap->new(); my $event = $ARGV [0]; my $groupName = $ARGV [1]; 
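Review bot: The value returned by `esmith::util::ldap->new()` on the new `my $ldap=` line is never checked, so if the constructor returns undef when the connect or bind fails (its contract is not visible here) every later `$ldap->ldap*` call dies with "Can't call method ... on an undefined value" instead of going through the script's warn/exit-255 path. The Net::LDAP code this patch replaces in user-modify-unix at least had `or die "$@"` on the connect. Suggest `my $ldap = esmith::util::ldap->new() or die "Could not connect/bind to LDAP";`, or a comment stating that new() dies on failure if that is already the case. The same unchecked pattern is repeated in the other six scripts of this patch.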
@@ -97,41 +99,20 @@ if ($ldapauth ne 'enabled') ) == 0 or ( $x = 255, warn "Failed to create (unix) user $groupName.\n" ); } -# Create the user's unique group first (in ldap) -my $tmpattr = File::Temp->new(); -print $tmpattr "mail: $groupName\@$domain\n"; -print $tmpattr "description: $description\n"; -$tmpattr->flush(); -system( - "/usr/sbin/cpu", "groupadd", - "-a", "$tmpattr", - "-g", $gid, - $groupName - ) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) group $groupName.\n" ); -undef $tmpattr; +# create group +$result = $ldap->ldapgroup($group); +$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) group $groupName.\n" ); -# Now create the dummy user account (in ldap) -system( - "/usr/sbin/cpu", "-C/etc/cpu-system.conf", "useradd", - "-u", $uid, - "-g", $gid, - "-d", - "/home/e-smith", - "-s", - "/bin/false", - "$groupName" - ) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) user $groupName.\n" ); +#create dedicated group user +$result = $ldap->ldapuser($group); +$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) user $groupName.\n" ); -# Set the cn of the dummy user account (in ldap) -$tmpattr = File::Temp->new(); -print $tmpattr "cn: $description\n"; -$tmpattr->flush(); -system( - "/usr/sbin/cpu", "-C/etc/cpu-system.conf", "usermod", - "-a", $tmpattr, - "$groupName" - ) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to update (ldap) user $groupName.\n" ); -undef $tmpattr; +# add to supplementary group +# as it is regular group, pm will add www and admin, so no need to add it +my @UserArr = ($groupName); +$result = $ldap->ldapsetgroupmembers($groupName,\@UserArr); +# error code 20 is entry already exits. +$result && ( $result->code != 20 ) && ( $x = $ldapauth ne 'enabled' ? 
$x : 255, warn "Failed to add (ldap) account $groupName to supplementary group.\n" ); # Release lock if we have one $lock && esmith::lockfile::UnlockFile($lock); @@ -150,8 +131,7 @@ my @groupMembers = split (/,/, $members); # "www" and "admin" are implicit members of all groups push @groupMembers, 'admin', 'www'; -my $member; -foreach $member (@groupMembers) +foreach my $member (@groupMembers) { # Get a list of this member's supplementary groups, then add the # new group to the list. Finally sort, join and run the usermod @@ -179,13 +159,6 @@ foreach $member (@groupMembers) system("/usr/sbin/usermod", "-G", "$groups", "$member") == 0 or ( $x = 255, warn "Failed to modify supplementary (unix) group list for $member.\n" ); } - - # root user/group isn't in ldap - @groupList = grep (!/^root$/, @groupList); - $groups = join (',', sort (@groupList)); - - system("/usr/sbin/cpu", "-C/etc/cpu-system.conf", "usermod", "-G", "$groups", "$member") == 0 - or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify supplementary (ldap) group list for $member.\n" ); } exit ($x); diff --git a/root/etc/e-smith/events/actions/group-delete-unix b/root/etc/e-smith/events/actions/group-delete-unix index 5a6af53..3e5db62 100755 --- a/root/etc/e-smith/events/actions/group-delete-unix +++ b/root/etc/e-smith/events/actions/group-delete-unix @@ -2,6 +2,7 @@ #---------------------------------------------------------------------- # copyright (C) 1999-2005 Mitel Networks Corporation +# copyright (C) 2024 Koozali Foundation inc. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -26,6 +27,8 @@ package esmith; use strict; use Errno; use esmith::ConfigDB; +use esmith::util; +use esmith::util::ldap; my $conf = esmith::ConfigDB->open_ro or die "Could not open Config DB"; 
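Review bot: Under LDAP authentication the members given at group creation no longer seem to reach LDAP: the new `ldapsetgroupmembers($groupName,\@UserArr)` call passes only the dummy user `($groupName)`, the per-member `cpu usermod -G` that used to add each `@groupMembers` entry is deleted in the loop hunk below, and the surviving `/usr/sbin/usermod -G` branch appears to sit inside the `$ldapauth ne 'enabled'` test. Unless `ldapgroup($group)` fills memberUid from the record's Members property (not visible here), a group created with members will have none in LDAP until the next group-modify. If it does not, move the `@groupMembers` computation above the call and pass `[ $groupName, @groupMembers ]`, as group-modify-unix now does with `\@newMembers`; if it does, a comment saying so next to the call would stop the next reader from asking. The `foreach` loop the later hunk touches ends outside the hunk.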
@@ -33,6 +36,9 @@ my $conf = esmith::ConfigDB->open_ro my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled'; my $x = 0; # exit value +# prepare LDAP bind +my $ldap=esmith::util::ldap->new(); + my $event = $ARGV [0]; my $groupName = $ARGV [1] or die "Groupname argument missing."; @@ -45,10 +51,12 @@ if ($ldapauth ne 'enabled') or ( $x = 255, warn "Failed to delete (unix) group $groupName.\n" ); } -system("/usr/sbin/cpu", "-C/etc/cpu-system.conf", "userdel", "$groupName") == 0 - or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete dummy user for (ldap) group $groupName.\n" ); +# delete dedicated user group +my $result = $ldap->ldapdeluser($groupName); +$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete dummy user for (ldap) group $groupName.\n" ); -system("/usr/sbin/cpu", "groupdel", "$groupName") == 0 - or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (ldap) group $groupName.\n" ); +# delete group +$result = $ldap->ldapdelgroup($groupName); +$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (ldap) group $groupName.\n" ); exit ($x); diff --git a/root/etc/e-smith/events/actions/group-modify-unix b/root/etc/e-smith/events/actions/group-modify-unix index 5233f79..8e2af57 100755 --- a/root/etc/e-smith/events/actions/group-modify-unix +++ b/root/etc/e-smith/events/actions/group-modify-unix @@ -2,6 +2,7 @@ #---------------------------------------------------------------------- # copyright (C) 2002-2005 Mitel Networks Corporation +# copyright (C) 2024 Koozali Foundation inc. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by 
@@ -27,17 +28,19 @@ use strict; use Errno; use esmith::ConfigDB; use esmith::AccountsDB; -use File::Temp; +use esmith::util; +use utf8; +use esmith::util::ldap; my $c = esmith::ConfigDB->open_ro || die "Couldn't open config db\n"; my $a = esmith::AccountsDB->open_ro || die "Couldn't open accounts db\n"; my $ldapauth = $c->get('ldap')->prop('Authentication') || 'disabled'; my $x = 0; # exit value +my $result; -my $domain = $c->get('DomainName') - || die("Couldn't determine domain name"); -$domain = $domain->value; +# prepare LDAP bind +my $ldap=esmith::util::ldap->new(); my $event = shift || die "Event name arg missing\n";; my @groups; @@ -78,22 +81,12 @@ foreach my $group (@groups) or ( $x = 255, warn "Failed to modify (unix) group description for $groupName.\n" ); } - my $tmpattr = File::Temp->new(); - print $tmpattr "cn: $groupDesc\n"; - $tmpattr->flush(); - system("/usr/sbin/cpu", "-C/etc/cpu-system.conf", "usermod", "-a", "$tmpattr", "$groupName") == 0 - or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify (ldap) group description for $groupName.\n" ); - - $tmpattr = File::Temp->new(); - print $tmpattr "mail: $groupName\@$domain\n"; - print $tmpattr "description: $groupDesc\n"; - $tmpattr->flush(); - system( - "/usr/sbin/cpu", "-C/etc/cpu-system.conf", "groupmod", - "-a", "$tmpattr", - "$groupName" - ) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify (ldap) group description/email for $groupName.\n" ); - undef $tmpattr; + # modify group dedicated user cn + $result = $ldap->ldapmoduser($group); + $result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify (ldap) group description for $groupName.\n" ); + # modify Group description and mail + $result = $ldap->ldapmodgroup($group); + $result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify (ldap) group description/email for $groupName.\n" ); my ($name, $passwd, $gid, $members) = getgrnam ($groupName); my @oldMembers = split (/\s+/, $members); 
@@ -116,7 +109,11 @@ foreach my $group (@groups) { $oldMembers{$member} = 1; } - my (@addMembers, @delMembers); + + # applying list of user memberUid for LDAP for this group + $result = $ldap->ldapsetgroupmembers($groupName,\@newMembers); + # error code 20 is entry already exits. + $result && ( $result->code != 20 ) && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify supplementary (ldap) group membership for $groupName.\n" ); foreach $member (@newMembers, @oldMembers) { @@ -157,13 +154,8 @@ foreach my $group (@groups) or ( $x = 255, warn "Failed to modify supplementary (unix) group list for $member.\n" ); } - # root user/group isn't in ldap - @groupList = grep (!/^root$/, @groupList); - $groups = join (',', sort (@groupList)); - - system("/usr/sbin/cpu", "-C/etc/cpu-system.conf", "usermod", "-G", "$groups", "$member") == 0 - or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify supplementary (ldap) group list for $member.\n" ); } -} + +} # end of list of groups exit ($x); diff --git a/root/etc/e-smith/events/actions/user-create-unix b/root/etc/e-smith/events/actions/user-create-unix index 5f9c33d..a34842e 100755 --- a/root/etc/e-smith/events/actions/user-create-unix +++ b/root/etc/e-smith/events/actions/user-create-unix @@ -2,6 +2,7 @@ #---------------------------------------------------------------------- # copyright (C) 1999-2005 Mitel Networks Corporation +# copyright (C) 2024 Koozali foundation inc. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -27,7 +28,9 @@ use strict; use Errno; use esmith::ConfigDB; use esmith::AccountsDB; -use File::Temp; +use esmith::util; +use utf8; +use esmith::util::ldap; my $conf = esmith::ConfigDB->open_ro; my $accounts = esmith::AccountsDB->open; 
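Review bot: The hunk deletes `my (@addMembers, @delMembers);` but keeps the `foreach $member (@newMembers, @oldMembers)` loop that follows it; if that loop body (outside the hunk) still pushes onto those arrays, the script now fails to compile under `use strict`, which this file enables. If they are genuinely dead after the move to `ldapsetgroupmembers`, fine, but it is worth confirming against the rest of the loop before merging. A second, minor point: `$result->code` is called on whatever `ldapsetgroupmembers` returns, while the copy of this line in user-create-unix writes `$result != 20`; the two scripts should agree on whether `$result` is a message object or a plain scalar, since the wrong assumption either dies here or never matches there.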
@@ -35,9 +38,8 @@ my $accounts = esmith::AccountsDB->open; my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled'; my $x = 0; # exit value -my $domain = $conf->get('DomainName') - || die("Couldn't determine domain name"); -$domain = $domain->value; +# prepare LDAP bind +my $ldap=esmith::util::ldap->new(); my $event = $ARGV [0]; my $userName = $ARGV [1]; @@ -65,13 +67,13 @@ unless ($uid = $acct->prop('Uid')) $acct->set_prop('Uid', $uid); } my $gid = $acct->prop('Gid') || $uid; -my $first = $acct->prop('FirstName') || ''; -my $last = $acct->prop('LastName') || ''; -my $phone = $acct->prop('Phone') || ''; -my $company = $acct->prop('Company') || ''; -my $dept = $acct->prop('Dept') || ''; -my $city = $acct->prop('City') || ''; -my $street = $acct->prop('Street') || ''; +my $first = stringToASCII($acct->prop('FirstName')) || ''; +my $last = stringToASCII($acct->prop('LastName')) || ''; +my $phone = stringToASCII($acct->prop('Phone')) || ''; +my $company = stringToASCII($acct->prop('Company')) || ''; +my $dept = stringToASCII($acct->prop('Dept')) || ''; +my $city = stringToASCII($acct->prop('City')) || ''; +my $street = stringToASCII($acct->prop('Street')) || ''; my $shell = $acct->prop('Shell') || '/usr/bin/false'; my $groups = "shared"; 
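Review bot: `stringToASCII($acct->prop('FirstName')) || ''` applies the default after the call, so a missing property hands `undef` to stringToASCII; the same edit in user-modify-unix does `stringToASCII($u->prop('FirstName') || "")`, which is the safe order and the one to use here for all seven properties, e.g. `my $first = stringToASCII($acct->prop('FirstName') || '');`. Whether stringToASCII tolerates undef is not visible from this patch, so at minimum it is an uninitialized-value warning in the event log. Also, once the following hunk replaces the `cpu useradd` call with `ldapuser($acct)`, `$phone`, `$company`, `$dept`, `$city` and `$street` are no longer read anywhere in the visible code; if nothing else uses them, drop them rather than leave dead locals that look like they feed the LDAP entry.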
@@ -101,38 +103,17 @@ if ($ldapauth ne 'enabled') } # Create the user's unique group first (in ldap) -system( - "/usr/sbin/cpu", "-C/etc/cpu-system.conf", "groupadd", - "-g", - $gid, - $userName - ) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) group $userName.\n" ); +my $result = $ldap->ldapgroup($acct); +$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) group $userName.\n" ); # Now create the user account (in ldap) -my $tmpattr = File::Temp->new(); -print $tmpattr "telephoneNumber: $phone\n"; -print $tmpattr "o: $company\n"; -print $tmpattr "ou: $dept\n"; -print $tmpattr "l: $city\n"; -print $tmpattr "street: $street\n"; -$tmpattr->flush(); -system( - "/usr/sbin/cpu", "useradd", - "-u", $uid, - "-g", $gid, - "-f", "$first", - "-E", "$last", - "-e", "$userName\@$domain", - "-a", "$tmpattr", - "-d", "/home/e-smith/files/users/$userName", - "-G", "$groups", - "-m", - "-k/etc/e-smith/skel/user", - "-s", "$shell", - $userName - ) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) account $userName.\n" ); -undef $tmpattr; +$result = $ldap->ldapuser($acct); +$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) account $userName.\n" ); +# add to supplementary group +my @UserArr = ($userName); +$result = $ldap->ldapsetgroupmembers($userName,\@UserArr); +$result && ( $result != 20 ) && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to add (ldap) account $userName to supplementary group.\n" ); # Release lock if we have one $lock && esmith::lockfile::UnlockFile($lock); 
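Review bot: `$result && ( $result != 20 )` compares the value returned by `ldapsetgroupmembers` numerically with 20, whereas the identical line in group-create-unix and group-modify-unix uses `$result->code != 20`; if that value is a result object (as the `->code` callers assume), `$result != 20` compares its address with 20, is always true, and the "entry already exists" case this test is meant to tolerate is reported as a failure with exit 255 under LDAP auth (plus a numeric-on-reference warning). Change it to `$result && ( $result->code != 20 ) && ( ... )` to match the other two scripts, and add the same `# error code 20 is entry already exists.` comment they carry.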
@@ -141,13 +122,15 @@ $lock && esmith::lockfile::UnlockFile($lock); chmod 0700, "/home/e-smith/files/users/$userName"; +# lock user password if ($ldapauth ne 'enabled') { system("/usr/bin/passwd", "-l", "$userName") and ( $x = 255, warn "Could not lock (unix) password for $userName\n" ); } -system("/usr/sbin/cpu", "usermod", "-L", "$userName") - and ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Could not lock (ldap) password for $userName\n" ); + +# esmith::util::ldap already lock user on creation, this avoid one more ldap write access. + system("/usr/bin/smbpasswd", "-a", "-d", "$userName") and ( $x = 255, warn "Could not lock (smb) password for $userName\n" ); diff --git a/root/etc/e-smith/events/actions/user-delete-unix b/root/etc/e-smith/events/actions/user-delete-unix index a3d8b46..4219a6e 100755 --- a/root/etc/e-smith/events/actions/user-delete-unix +++ b/root/etc/e-smith/events/actions/user-delete-unix @@ -2,6 +2,7 @@ #---------------------------------------------------------------------- # copyright (C) 1999-2005 Mitel Networks Corporation +# copyright (C) 2024 Koozali Foundation inc. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -27,6 +28,7 @@ use strict; use Errno; use esmith::util; use esmith::ConfigDB; +use esmith::util::ldap; my $conf = esmith::ConfigDB->open_ro or die "Could not open Config DB"; @@ -34,6 +36,9 @@ my $conf = esmith::ConfigDB->open_ro my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled'; my $x = 0; # exit value +# prepare LDAP bind +my $ldap=esmith::util::ldap->new(); + my $event = $ARGV [0]; my $userName = $ARGV [1]; 
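Review bot: Removing the explicit `cpu usermod -L` makes the locked state of a freshly created LDAP account depend on a side effect of `esmith::util::ldap::ldapuser()` that this script neither checks nor can see, and the justification given is one saved LDAP write. The lock is the control that keeps a new account unusable until the admin sets a password, so it deserves either an explicit call — `ldaplockuser` exists, as user-lock-passwd in this same patch shows: `$result = $ldap->ldaplockuser($userName); $result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Could not lock (ldap) password for $userName\n" );` — or at least a comment naming the attribute ldapuser() sets and pointing at where that behaviour is tested. Note also that when `ldapuser($acct)` itself failed earlier, this path now skips the lock attempt the old code would still have made.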
@@ -53,11 +58,21 @@ if ($ldapauth ne 'enabled') ( $x = 255, warn "Failed to delete (unix) account $userName.\n" ); } } +else +{ + my $discard = `/bin/rm -rf /home/e-smith/files/users/$userName`; + if ($? != 0) + { + ( $x = 255, warn "Failed to delete home dir of account $userName.\n" ); + } -system("/usr/sbin/cpu", "userdel", "-r", $userName) == 0 - or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (ldap) account $userName.\n" ); +} +# delete user +my $result = $ldap->ldapdeluser($userName); +$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (ldap) account $userName.\n" ); -system("/usr/sbin/cpu", "-C/etc/cpu-system.conf", "groupdel", $userName) == 0 - or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (ldap) group account $userName.\n" ); +# delete user dedicated group +$result = $ldap->ldapdelgroup($userName); +$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (ldap) group account $userName.\n" ); exit ($x); diff --git a/root/etc/e-smith/events/actions/user-lock-passwd b/root/etc/e-smith/events/actions/user-lock-passwd index 80338f6..dee69a1 100644 --- a/root/etc/e-smith/events/actions/user-lock-passwd +++ b/root/etc/e-smith/events/actions/user-lock-passwd @@ -2,6 +2,7 @@ #---------------------------------------------------------------------- # copyright (C) 2001-2006 Mitel Networks Corporation +# copyright (C) 2024 Koozali foundation inc. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -25,6 +26,7 @@ use Errno; use esmith::AccountsDB; use esmith::ConfigDB; use English; +use esmith::util::ldap; my $a = esmith::AccountsDB->open or die "Could not open accounts db"; my $conf = esmith::ConfigDB->open or die "Could not open configuration db"; 
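Review bot: The new `else` branch runs `/bin/rm -rf /home/e-smith/files/users/$userName` through backticks, i.e. via the shell, and `$userName` comes straight from `$ARGV [1]` with no `or die` (unlike group-delete-unix's `$ARGV [1] or die`): an empty name expands to `rm -rf /home/e-smith/files/users/` and removes every home directory, and a name containing `/`, `..` or shell metacharacters escapes the intended directory or the command. The `cpu userdel -r` this replaces would have refused an unknown name; the replacement should validate the name and invoke rm in list form (no shell), or use File::Path's `remove_tree`. The `if ($ldapauth ne 'enabled')` block this `else` attaches to starts outside the hunk.
```perl
else
{
    # Never let an empty or path-like name reach rm -rf: an empty $userName
    # would expand to /home/e-smith/files/users/ itself.
    if ( !defined $userName || $userName eq '' || $userName =~ m{[/\0]} || $userName =~ /\A\.\.?\z/ )
    {
        ( $x = 255, warn "Refusing to delete home dir: invalid user name.\n" );
    }
    # list-form system(): no shell, so nothing in $userName is expanded
    elsif ( system('/bin/rm', '-rf', "/home/e-smith/files/users/$userName") != 0 )
    {
        ( $x = 255, warn "Failed to delete home dir of account $userName.\n" );
    }
}
# … unchanged: ldapdeluser / ldapdelgroup calls …
```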
@@ -32,6 +34,9 @@ my $conf = esmith::ConfigDB->open or die "Could not open configuration db"; my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled'; my $x = 0; # exit value +# prepare LDAP bind +my $ldap=esmith::util::ldap->new(); + my $event = $ARGV [0]; my @users_to_lock = bad_password_users(); @@ -54,13 +59,16 @@ sub lock_user my $u = $a->get($userName) or die "No account record for user $userName"; + # lock in unix shadow/passwd if used. if ($ldapauth ne 'enabled') { system("/usr/bin/passwd", "-l", $userName) == 0 or ( $x = 255, warn "Error locking (unix) account $userName" ); } - system("/usr/sbin/cpu", "usermod", "-L", $userName) == 0 - or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Error locking (ldap) account $userName" ); + # lock in LDAP + $result = $ldap->ldaplockuser($userName); + $result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Error locking (ldap) account $userName.\n" ); + # lock in samba system("/usr/bin/smbpasswd", "-d", $userName) == 0 or ( $x = 255, warn "Error locking (smb) account $userName" ); $u->set_prop('PasswordSet', 'no'); diff --git a/root/etc/e-smith/events/actions/user-modify-unix b/root/etc/e-smith/events/actions/user-modify-unix index 420a909..c7207cf 100755 --- a/root/etc/e-smith/events/actions/user-modify-unix +++ b/root/etc/e-smith/events/actions/user-modify-unix 
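Review bot: `$result = $ldap->ldaplockuser($userName);` assigns to `$result` without declaring it, and no declaration is visible in lock_user or at file scope in this hunk, while every other script in this patch writes `my $result`. If user-lock-passwd runs under `use strict` (the pragma line is outside the hunk), this is a compile error in the account-locking path — the path that runs when bad passwords are detected, which is exactly where a silent failure is worst. Change it to `my $result = $ldap->ldaplockuser($userName);`, or, if a file-level `$result` exists, say so in a comment. lock_user starts and ends outside the hunk.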
@@ -22,29 +22,17 @@ use strict; use Errno; use esmith::AccountsDB; use esmith::ConfigDB; -use Net::LDAP; use esmith::util; +use utf8; +use esmith::util::ldap; my $conf = esmith::ConfigDB->open or die "Could not open configuration db"; my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled'; my $x = 0; # exit value -my $domain = $conf->get('DomainName') - || die("Couldn't determine domain name"); -$domain = $domain->value; - # prepare LDAP bind -my $pw = esmith::util::LdapPassword(); -my $base = esmith::util::ldapBase ($domain); - -my $ldap = Net::LDAP->new('localhost') - or die "$@"; - -$ldap->bind( - dn => "cn=root,$base", - password => $pw -); +my $ldap=esmith::util::ldap->new(); my $event = $ARGV [0]; my $userName = $ARGV [1]; @@ -94,22 +82,14 @@ foreach my $u (@users) system("/usr/sbin/usermod", '-s', "$new_shell", $userName) == 0 or ( $x = 255, warn "Failed to modify shell of (unix) account $userName.\n" ); } - - my @new_shell = ($new_shell); - $result = $ldap->modify("uid=$userName,ou=Users,$base", - replace => { - loginShell => \@new_shell - } - ); - $result->code && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify shell of (ldap) account $userName.\n" ); } #------------------------------------------------------------ # Modify user's first name and last name if required, # in /etc/passwd using "usermod" #------------------------------------------------------------ - my $first = $u->prop('FirstName') || ""; - my $last = $u->prop('LastName') || ""; + my $first = stringToASCII($u->prop('FirstName') || ""); + my $last = stringToASCII($u->prop('LastName') || ""); my $new_comment = "$first $last"; unless ($comment eq $new_comment) 
@@ -119,36 +99,11 @@ foreach my $u (@users) system("/usr/sbin/usermod", "-c", "$first $last", $userName) == 0 or ( $x = 255, warn "Failed to modify comment of (unix) account $userName.\n" ); } - - my @new_comment = ($new_comment); - my @first = ($first); - my @last = ($last); - $result = $ldap->modify("uid=$userName,ou=Users,$base", - replace => { - givenName => \@first, - sn => \@last, - cn => \@new_comment, - displayName => \@new_comment - } - ); - $result->code && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify comment/name of (ldap) account $userName.\n" ); } - my @new_phone = ($u->prop('Phone')) || (); - my @new_company = ($u->prop('Company')) || (); - my @new_dept = ($u->prop('Dept')) || (); - my @new_city = ($u->prop('City')) || (); - my @new_street = ($u->prop('Street')) || (); - $result = $ldap->modify("uid=$userName,ou=Users,$base", - replace => { - telephoneNumber => \@new_phone, - o => \@new_company, - ou => \@new_dept, - l => \@new_city, - street => \@new_street - } - ); - $result->code && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify email of (ldap) account $userName.\n" ); + # we do all the test in ldap pm to avoid 3 differents write access, which are costly. + $result = $ldap->ldapuser($u); + $result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify email of (ldap) account $userName.\n" ); } diff --git a/root/etc/e-smith/templates/etc/pam.d/system-auth/50session b/root/etc/e-smith/templates/etc/pam.d/system-auth/50session index 3e0d87e..92f2577 100644 --- a/root/etc/e-smith/templates/etc/pam.d/system-auth/50session +++ b/root/etc/e-smith/templates/etc/pam.d/system-auth/50session @@ -1,4 +1,6 @@ session required pam_limits.so +-session optional pam_systemd.so +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet_success use_uid session required pam_unix.so { my $status = $ldap{Authentication} || 'disabled'; 
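Review bot: The failure message left on the new `ldapuser($u)` call, `Failed to modify email of (ldap) account`, no longer describes what failed: this single call now carries the name, shell, phone, company, department, city and street updates that the three removed `$ldap->modify` blocks used to do, so a failure in any of them is logged as an e-mail problem. Suggest `warn "Failed to modify (ldap) account $userName.\n"`, and rewording the comment above it to `# One ldapuser() call replaces the three separate modify() writes; it re-applies every attribute from the record.`. Note also that the loginShell update now happens only through this call, so under LDAP auth a shell change is lost if ldapuser() does not replace loginShell — worth a one-line comment where the old loginShell modify was. The enclosing foreach starts outside the hunk.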
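Review bot: The new `session [success=1 default=ignore] pam_succeed_if.so service in crond ...` line only does its job because the very next line is `pam_unix.so`: `success=1` skips exactly one module, so any future insertion between the two (this is a template fragment whose neighbours may change) would silently redirect the skip. It also deliberately drops pam_unix session open/close records for cron jobs from the audit/syslog trail, a security-relevant choice that should be stated in the file, not only in the changelog. Suggest a comment above it: `# crond: skip the pam_unix session entry below (success=1 = jump one module) so periodic cron jobs do not flood audit/syslog with session open/close; keep pam_unix immediately after this line.` Per pam_succeed_if(8), `quiet_success` silences only the success message, so non-matching services still log; confirm that, and not `quiet`, is the intent.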
diff --git a/smeserver-base.spec b/smeserver-base.spec index d8b4bcd..4c3539d 100644 --- a/smeserver-base.spec +++ b/smeserver-base.spec @@ -4,7 +4,7 @@ Summary: smeserver server and gateway - base module %define name smeserver-base Name: %{name} %define version 11.0.0 -%define release 9 +%define release 10 Version: %{version} Release: %{release}%{?dist} License: GPL @@ -15,7 +15,7 @@ Source: %{name}-%{version}.tar.xz BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot Requires: pwauth -Requires: smeserver-lib >= 2.2.0-2 +Requires: smeserver-lib >= 11.0.0-7 Requires: server-manager-images, server-manager Requires: smeserver-formmagick >= 1.4.0-12 Requires: plymouth @@ -50,7 +50,7 @@ Requires: smeserver-runit >= 2.6.0-7 Requires: smeserver-php >= 3.0.0-22 Requires: smeserver-yum >= 2.6.0-43 Obsoletes: nss_ldap < 254 -Requires: cpu >= 1.4.3 +Obsoletes: cpu Obsoletes: rlinetd, e-smith-mod_ssl Obsoletes: e-smith-serial-console Obsoletes: sshell @@ -184,6 +184,11 @@ fi %changelog +* Wed May 15 2024 Jean-Philippe Pialasse 11.0.0-10.sme +- fix user@0.service failed to start [SME: 12568] +- stop loging in audit crond success +- drop cpu and use esmith:util::ldap [SME: 12663] + * Wed Apr 17 2024 Jean-Philippe Pialasse 11.0.0-9.sme - fix self-signed cert renewd when not necessary [SME: 12606]