* Wed May 15 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-10.sme
- fix user@0.service failed to start [SME: 12568] - stop loging in audit crond success - drop cpu and use esmith:util::ldap [SME: 12663]
This commit is contained in:
parent
2a87d8e1ba
commit
d0fb8284d6
@ -2,6 +2,7 @@
|
|||||||
|
|
||||||
#----------------------------------------------------------------------
|
#----------------------------------------------------------------------
|
||||||
# copyright (C) 1999-2005 Mitel Networks Corporation
|
# copyright (C) 1999-2005 Mitel Networks Corporation
|
||||||
|
# copyright (C) 2024 Koozali foundation inc.
|
||||||
#
|
#
|
||||||
# This program is free software; you can redistribute it and/or modify
|
# This program is free software; you can redistribute it and/or modify
|
||||||
# it under the terms of the GNU General Public License as published by
|
# it under the terms of the GNU General Public License as published by
|
||||||
@ -27,7 +28,8 @@ use strict;
|
|||||||
use Errno;
|
use Errno;
|
||||||
use esmith::ConfigDB;
|
use esmith::ConfigDB;
|
||||||
use esmith::AccountsDB;
|
use esmith::AccountsDB;
|
||||||
use File::Temp;
|
use esmith::util::ldap;
|
||||||
|
use esmith::util;
|
||||||
|
|
||||||
my $conf = esmith::ConfigDB->open_ro
|
my $conf = esmith::ConfigDB->open_ro
|
||||||
or die "Could not open Config DB";
|
or die "Could not open Config DB";
|
||||||
@ -36,10 +38,10 @@ my $accounts = esmith::AccountsDB->open
|
|||||||
|
|
||||||
my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled';
|
my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled';
|
||||||
my $x = 0; # exit value
|
my $x = 0; # exit value
|
||||||
|
my $result;
|
||||||
|
|
||||||
my $domain = $conf->get('DomainName')
|
# prepare LDAP bind
|
||||||
|| die("Couldn't determine domain name");
|
my $ldap=esmith::util::ldap->new();
|
||||||
$domain = $domain->value;
|
|
||||||
|
|
||||||
my $event = $ARGV [0];
|
my $event = $ARGV [0];
|
||||||
my $groupName = $ARGV [1];
|
my $groupName = $ARGV [1];
|
||||||
@ -97,41 +99,20 @@ if ($ldapauth ne 'enabled')
|
|||||||
) == 0 or ( $x = 255, warn "Failed to create (unix) user $groupName.\n" );
|
) == 0 or ( $x = 255, warn "Failed to create (unix) user $groupName.\n" );
|
||||||
}
|
}
|
||||||
|
|
||||||
# Create the user's unique group first (in ldap)
|
# create group
|
||||||
my $tmpattr = File::Temp->new();
|
$result = $ldap->ldapgroup($group);
|
||||||
print $tmpattr "mail: $groupName\@$domain\n";
|
$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) group $groupName.\n" );
|
||||||
print $tmpattr "description: $description\n";
|
|
||||||
$tmpattr->flush();
|
|
||||||
system(
|
|
||||||
"/usr/sbin/cpu", "groupadd",
|
|
||||||
"-a", "$tmpattr",
|
|
||||||
"-g", $gid,
|
|
||||||
$groupName
|
|
||||||
) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) group $groupName.\n" );
|
|
||||||
undef $tmpattr;
|
|
||||||
|
|
||||||
# Now create the dummy user account (in ldap)
|
#create dedicated group user
|
||||||
system(
|
$result = $ldap->ldapuser($group);
|
||||||
"/usr/sbin/cpu", "-C/etc/cpu-system.conf", "useradd",
|
$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) user $groupName.\n" );
|
||||||
"-u", $uid,
|
|
||||||
"-g", $gid,
|
|
||||||
"-d",
|
|
||||||
"/home/e-smith",
|
|
||||||
"-s",
|
|
||||||
"/bin/false",
|
|
||||||
"$groupName"
|
|
||||||
) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) user $groupName.\n" );
|
|
||||||
|
|
||||||
# Set the cn of the dummy user account (in ldap)
|
# add to supplementary group
|
||||||
$tmpattr = File::Temp->new();
|
# as it is regular group, pm will add www and admin, so no need to add it
|
||||||
print $tmpattr "cn: $description\n";
|
my @UserArr = ($groupName);
|
||||||
$tmpattr->flush();
|
$result = $ldap->ldapsetgroupmembers($groupName,\@UserArr);
|
||||||
system(
|
# error code 20 is entry already exits.
|
||||||
"/usr/sbin/cpu", "-C/etc/cpu-system.conf", "usermod",
|
$result && ( $result->code != 20 ) && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to add (ldap) account $groupName to supplementary group.\n" );
|
||||||
"-a", $tmpattr,
|
|
||||||
"$groupName"
|
|
||||||
) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to update (ldap) user $groupName.\n" );
|
|
||||||
undef $tmpattr;
|
|
||||||
|
|
||||||
# Release lock if we have one
|
# Release lock if we have one
|
||||||
$lock && esmith::lockfile::UnlockFile($lock);
|
$lock && esmith::lockfile::UnlockFile($lock);
|
||||||
@ -150,8 +131,7 @@ my @groupMembers = split (/,/, $members);
|
|||||||
# "www" and "admin" are implicit members of all groups
|
# "www" and "admin" are implicit members of all groups
|
||||||
push @groupMembers, 'admin', 'www';
|
push @groupMembers, 'admin', 'www';
|
||||||
|
|
||||||
my $member;
|
foreach my $member (@groupMembers)
|
||||||
foreach $member (@groupMembers)
|
|
||||||
{
|
{
|
||||||
# Get a list of this member's supplementary groups, then add the
|
# Get a list of this member's supplementary groups, then add the
|
||||||
# new group to the list. Finally sort, join and run the usermod
|
# new group to the list. Finally sort, join and run the usermod
|
||||||
@ -179,13 +159,6 @@ foreach $member (@groupMembers)
|
|||||||
system("/usr/sbin/usermod", "-G", "$groups", "$member") == 0
|
system("/usr/sbin/usermod", "-G", "$groups", "$member") == 0
|
||||||
or ( $x = 255, warn "Failed to modify supplementary (unix) group list for $member.\n" );
|
or ( $x = 255, warn "Failed to modify supplementary (unix) group list for $member.\n" );
|
||||||
}
|
}
|
||||||
|
|
||||||
# root user/group isn't in ldap
|
|
||||||
@groupList = grep (!/^root$/, @groupList);
|
|
||||||
$groups = join (',', sort (@groupList));
|
|
||||||
|
|
||||||
system("/usr/sbin/cpu", "-C/etc/cpu-system.conf", "usermod", "-G", "$groups", "$member") == 0
|
|
||||||
or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify supplementary (ldap) group list for $member.\n" );
|
|
||||||
}
|
}
|
||||||
|
|
||||||
exit ($x);
|
exit ($x);
|
||||||
|
@ -2,6 +2,7 @@
|
|||||||
|
|
||||||
#----------------------------------------------------------------------
|
#----------------------------------------------------------------------
|
||||||
# copyright (C) 1999-2005 Mitel Networks Corporation
|
# copyright (C) 1999-2005 Mitel Networks Corporation
|
||||||
|
# copyright (C) 2024 Koozali Foundation inc.
|
||||||
#
|
#
|
||||||
# This program is free software; you can redistribute it and/or modify
|
# This program is free software; you can redistribute it and/or modify
|
||||||
# it under the terms of the GNU General Public License as published by
|
# it under the terms of the GNU General Public License as published by
|
||||||
@ -26,6 +27,8 @@ package esmith;
|
|||||||
use strict;
|
use strict;
|
||||||
use Errno;
|
use Errno;
|
||||||
use esmith::ConfigDB;
|
use esmith::ConfigDB;
|
||||||
|
use esmith::util;
|
||||||
|
use esmith::util::ldap;
|
||||||
|
|
||||||
my $conf = esmith::ConfigDB->open_ro
|
my $conf = esmith::ConfigDB->open_ro
|
||||||
or die "Could not open Config DB";
|
or die "Could not open Config DB";
|
||||||
@ -33,6 +36,9 @@ my $conf = esmith::ConfigDB->open_ro
|
|||||||
my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled';
|
my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled';
|
||||||
my $x = 0; # exit value
|
my $x = 0; # exit value
|
||||||
|
|
||||||
|
# prepare LDAP bind
|
||||||
|
my $ldap=esmith::util::ldap->new();
|
||||||
|
|
||||||
my $event = $ARGV [0];
|
my $event = $ARGV [0];
|
||||||
my $groupName = $ARGV [1] or die "Groupname argument missing.";
|
my $groupName = $ARGV [1] or die "Groupname argument missing.";
|
||||||
|
|
||||||
@ -45,10 +51,12 @@ if ($ldapauth ne 'enabled')
|
|||||||
or ( $x = 255, warn "Failed to delete (unix) group $groupName.\n" );
|
or ( $x = 255, warn "Failed to delete (unix) group $groupName.\n" );
|
||||||
}
|
}
|
||||||
|
|
||||||
system("/usr/sbin/cpu", "-C/etc/cpu-system.conf", "userdel", "$groupName") == 0
|
# delete dedicated user group
|
||||||
or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete dummy user for (ldap) group $groupName.\n" );
|
my $result = $ldap->ldapdeluser($groupName);
|
||||||
|
$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete dummy user for (ldap) group $groupName.\n" );
|
||||||
|
|
||||||
system("/usr/sbin/cpu", "groupdel", "$groupName") == 0
|
# delete group
|
||||||
or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (ldap) group $groupName.\n" );
|
$result = $ldap->ldapdelgroup($groupName);
|
||||||
|
$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (ldap) group $groupName.\n" );
|
||||||
|
|
||||||
exit ($x);
|
exit ($x);
|
||||||
|
@ -2,6 +2,7 @@
|
|||||||
|
|
||||||
#----------------------------------------------------------------------
|
#----------------------------------------------------------------------
|
||||||
# copyright (C) 2002-2005 Mitel Networks Corporation
|
# copyright (C) 2002-2005 Mitel Networks Corporation
|
||||||
|
# copyright (C) 2024 Koozali Foundation inc.
|
||||||
#
|
#
|
||||||
# This program is free software; you can redistribute it and/or modify
|
# This program is free software; you can redistribute it and/or modify
|
||||||
# it under the terms of the GNU General Public License as published by
|
# it under the terms of the GNU General Public License as published by
|
||||||
@ -27,17 +28,19 @@ use strict;
|
|||||||
use Errno;
|
use Errno;
|
||||||
use esmith::ConfigDB;
|
use esmith::ConfigDB;
|
||||||
use esmith::AccountsDB;
|
use esmith::AccountsDB;
|
||||||
use File::Temp;
|
use esmith::util;
|
||||||
|
use utf8;
|
||||||
|
use esmith::util::ldap;
|
||||||
|
|
||||||
my $c = esmith::ConfigDB->open_ro || die "Couldn't open config db\n";
|
my $c = esmith::ConfigDB->open_ro || die "Couldn't open config db\n";
|
||||||
my $a = esmith::AccountsDB->open_ro || die "Couldn't open accounts db\n";
|
my $a = esmith::AccountsDB->open_ro || die "Couldn't open accounts db\n";
|
||||||
|
|
||||||
my $ldapauth = $c->get('ldap')->prop('Authentication') || 'disabled';
|
my $ldapauth = $c->get('ldap')->prop('Authentication') || 'disabled';
|
||||||
my $x = 0; # exit value
|
my $x = 0; # exit value
|
||||||
|
my $result;
|
||||||
|
|
||||||
my $domain = $c->get('DomainName')
|
# prepare LDAP bind
|
||||||
|| die("Couldn't determine domain name");
|
my $ldap=esmith::util::ldap->new();
|
||||||
$domain = $domain->value;
|
|
||||||
|
|
||||||
my $event = shift || die "Event name arg missing\n";;
|
my $event = shift || die "Event name arg missing\n";;
|
||||||
my @groups;
|
my @groups;
|
||||||
@ -78,22 +81,12 @@ foreach my $group (@groups)
|
|||||||
or ( $x = 255, warn "Failed to modify (unix) group description for $groupName.\n" );
|
or ( $x = 255, warn "Failed to modify (unix) group description for $groupName.\n" );
|
||||||
}
|
}
|
||||||
|
|
||||||
my $tmpattr = File::Temp->new();
|
# modify group dedicated user cn
|
||||||
print $tmpattr "cn: $groupDesc\n";
|
$result = $ldap->ldapmoduser($group);
|
||||||
$tmpattr->flush();
|
$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify (ldap) group description for $groupName.\n" );
|
||||||
system("/usr/sbin/cpu", "-C/etc/cpu-system.conf", "usermod", "-a", "$tmpattr", "$groupName") == 0
|
# modify Group description and mail
|
||||||
or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify (ldap) group description for $groupName.\n" );
|
$result = $ldap->ldapmodgroup($group);
|
||||||
|
$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify (ldap) group description/email for $groupName.\n" );
|
||||||
$tmpattr = File::Temp->new();
|
|
||||||
print $tmpattr "mail: $groupName\@$domain\n";
|
|
||||||
print $tmpattr "description: $groupDesc\n";
|
|
||||||
$tmpattr->flush();
|
|
||||||
system(
|
|
||||||
"/usr/sbin/cpu", "-C/etc/cpu-system.conf", "groupmod",
|
|
||||||
"-a", "$tmpattr",
|
|
||||||
"$groupName"
|
|
||||||
) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify (ldap) group description/email for $groupName.\n" );
|
|
||||||
undef $tmpattr;
|
|
||||||
|
|
||||||
my ($name, $passwd, $gid, $members) = getgrnam ($groupName);
|
my ($name, $passwd, $gid, $members) = getgrnam ($groupName);
|
||||||
my @oldMembers = split (/\s+/, $members);
|
my @oldMembers = split (/\s+/, $members);
|
||||||
@ -116,7 +109,11 @@ foreach my $group (@groups)
|
|||||||
{
|
{
|
||||||
$oldMembers{$member} = 1;
|
$oldMembers{$member} = 1;
|
||||||
}
|
}
|
||||||
my (@addMembers, @delMembers);
|
|
||||||
|
# applying list of user memberUid for LDAP for this group
|
||||||
|
$result = $ldap->ldapsetgroupmembers($groupName,\@newMembers);
|
||||||
|
# error code 20 is entry already exits.
|
||||||
|
$result && ( $result->code != 20 ) && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify supplementary (ldap) group membership for $groupName.\n" );
|
||||||
|
|
||||||
foreach $member (@newMembers, @oldMembers)
|
foreach $member (@newMembers, @oldMembers)
|
||||||
{
|
{
|
||||||
@ -157,13 +154,8 @@ foreach my $group (@groups)
|
|||||||
or ( $x = 255, warn "Failed to modify supplementary (unix) group list for $member.\n" );
|
or ( $x = 255, warn "Failed to modify supplementary (unix) group list for $member.\n" );
|
||||||
}
|
}
|
||||||
|
|
||||||
# root user/group isn't in ldap
|
}
|
||||||
@groupList = grep (!/^root$/, @groupList);
|
|
||||||
$groups = join (',', sort (@groupList));
|
|
||||||
|
|
||||||
system("/usr/sbin/cpu", "-C/etc/cpu-system.conf", "usermod", "-G", "$groups", "$member") == 0
|
} # end of list of groups
|
||||||
or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify supplementary (ldap) group list for $member.\n" );
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
exit ($x);
|
exit ($x);
|
||||||
|
@ -2,6 +2,7 @@
|
|||||||
|
|
||||||
#----------------------------------------------------------------------
|
#----------------------------------------------------------------------
|
||||||
# copyright (C) 1999-2005 Mitel Networks Corporation
|
# copyright (C) 1999-2005 Mitel Networks Corporation
|
||||||
|
# copyright (C) 2024 Koozali foundation inc.
|
||||||
#
|
#
|
||||||
# This program is free software; you can redistribute it and/or modify
|
# This program is free software; you can redistribute it and/or modify
|
||||||
# it under the terms of the GNU General Public License as published by
|
# it under the terms of the GNU General Public License as published by
|
||||||
@ -27,7 +28,9 @@ use strict;
|
|||||||
use Errno;
|
use Errno;
|
||||||
use esmith::ConfigDB;
|
use esmith::ConfigDB;
|
||||||
use esmith::AccountsDB;
|
use esmith::AccountsDB;
|
||||||
use File::Temp;
|
use esmith::util;
|
||||||
|
use utf8;
|
||||||
|
use esmith::util::ldap;
|
||||||
|
|
||||||
my $conf = esmith::ConfigDB->open_ro;
|
my $conf = esmith::ConfigDB->open_ro;
|
||||||
my $accounts = esmith::AccountsDB->open;
|
my $accounts = esmith::AccountsDB->open;
|
||||||
@ -35,9 +38,8 @@ my $accounts = esmith::AccountsDB->open;
|
|||||||
my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled';
|
my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled';
|
||||||
my $x = 0; # exit value
|
my $x = 0; # exit value
|
||||||
|
|
||||||
my $domain = $conf->get('DomainName')
|
# prepare LDAP bind
|
||||||
|| die("Couldn't determine domain name");
|
my $ldap=esmith::util::ldap->new();
|
||||||
$domain = $domain->value;
|
|
||||||
|
|
||||||
my $event = $ARGV [0];
|
my $event = $ARGV [0];
|
||||||
my $userName = $ARGV [1];
|
my $userName = $ARGV [1];
|
||||||
@ -65,13 +67,13 @@ unless ($uid = $acct->prop('Uid'))
|
|||||||
$acct->set_prop('Uid', $uid);
|
$acct->set_prop('Uid', $uid);
|
||||||
}
|
}
|
||||||
my $gid = $acct->prop('Gid') || $uid;
|
my $gid = $acct->prop('Gid') || $uid;
|
||||||
my $first = $acct->prop('FirstName') || '';
|
my $first = stringToASCII($acct->prop('FirstName')) || '';
|
||||||
my $last = $acct->prop('LastName') || '';
|
my $last = stringToASCII($acct->prop('LastName')) || '';
|
||||||
my $phone = $acct->prop('Phone') || '';
|
my $phone = stringToASCII($acct->prop('Phone')) || '';
|
||||||
my $company = $acct->prop('Company') || '';
|
my $company = stringToASCII($acct->prop('Company')) || '';
|
||||||
my $dept = $acct->prop('Dept') || '';
|
my $dept = stringToASCII($acct->prop('Dept')) || '';
|
||||||
my $city = $acct->prop('City') || '';
|
my $city = stringToASCII($acct->prop('City')) || '';
|
||||||
my $street = $acct->prop('Street') || '';
|
my $street = stringToASCII($acct->prop('Street')) || '';
|
||||||
my $shell = $acct->prop('Shell') || '/usr/bin/false';
|
my $shell = $acct->prop('Shell') || '/usr/bin/false';
|
||||||
my $groups = "shared";
|
my $groups = "shared";
|
||||||
|
|
||||||
@ -101,38 +103,17 @@ if ($ldapauth ne 'enabled')
|
|||||||
}
|
}
|
||||||
|
|
||||||
# Create the user's unique group first (in ldap)
|
# Create the user's unique group first (in ldap)
|
||||||
system(
|
my $result = $ldap->ldapgroup($acct);
|
||||||
"/usr/sbin/cpu", "-C/etc/cpu-system.conf", "groupadd",
|
$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) group $userName.\n" );
|
||||||
"-g",
|
|
||||||
$gid,
|
|
||||||
$userName
|
|
||||||
) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) group $userName.\n" );
|
|
||||||
|
|
||||||
# Now create the user account (in ldap)
|
# Now create the user account (in ldap)
|
||||||
my $tmpattr = File::Temp->new();
|
$result = $ldap->ldapuser($acct);
|
||||||
print $tmpattr "telephoneNumber: $phone\n";
|
$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) account $userName.\n" );
|
||||||
print $tmpattr "o: $company\n";
|
|
||||||
print $tmpattr "ou: $dept\n";
|
|
||||||
print $tmpattr "l: $city\n";
|
|
||||||
print $tmpattr "street: $street\n";
|
|
||||||
$tmpattr->flush();
|
|
||||||
system(
|
|
||||||
"/usr/sbin/cpu", "useradd",
|
|
||||||
"-u", $uid,
|
|
||||||
"-g", $gid,
|
|
||||||
"-f", "$first",
|
|
||||||
"-E", "$last",
|
|
||||||
"-e", "$userName\@$domain",
|
|
||||||
"-a", "$tmpattr",
|
|
||||||
"-d", "/home/e-smith/files/users/$userName",
|
|
||||||
"-G", "$groups",
|
|
||||||
"-m",
|
|
||||||
"-k/etc/e-smith/skel/user",
|
|
||||||
"-s", "$shell",
|
|
||||||
$userName
|
|
||||||
) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) account $userName.\n" );
|
|
||||||
undef $tmpattr;
|
|
||||||
|
|
||||||
|
# add to supplementary group
|
||||||
|
my @UserArr = ($userName);
|
||||||
|
$result = $ldap->ldapsetgroupmembers($userName,\@UserArr);
|
||||||
|
$result && ( $result != 20 ) && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to add (ldap) account $userName to supplementary group.\n" );
|
||||||
|
|
||||||
# Release lock if we have one
|
# Release lock if we have one
|
||||||
$lock && esmith::lockfile::UnlockFile($lock);
|
$lock && esmith::lockfile::UnlockFile($lock);
|
||||||
@ -141,13 +122,15 @@ $lock && esmith::lockfile::UnlockFile($lock);
|
|||||||
|
|
||||||
chmod 0700, "/home/e-smith/files/users/$userName";
|
chmod 0700, "/home/e-smith/files/users/$userName";
|
||||||
|
|
||||||
|
# lock user password
|
||||||
if ($ldapauth ne 'enabled')
|
if ($ldapauth ne 'enabled')
|
||||||
{
|
{
|
||||||
system("/usr/bin/passwd", "-l", "$userName")
|
system("/usr/bin/passwd", "-l", "$userName")
|
||||||
and ( $x = 255, warn "Could not lock (unix) password for $userName\n" );
|
and ( $x = 255, warn "Could not lock (unix) password for $userName\n" );
|
||||||
}
|
}
|
||||||
system("/usr/sbin/cpu", "usermod", "-L", "$userName")
|
|
||||||
and ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Could not lock (ldap) password for $userName\n" );
|
# esmith::util::ldap already lock user on creation, this avoid one more ldap write access.
|
||||||
|
|
||||||
system("/usr/bin/smbpasswd", "-a", "-d", "$userName")
|
system("/usr/bin/smbpasswd", "-a", "-d", "$userName")
|
||||||
and ( $x = 255, warn "Could not lock (smb) password for $userName\n" );
|
and ( $x = 255, warn "Could not lock (smb) password for $userName\n" );
|
||||||
|
|
||||||
|
@ -2,6 +2,7 @@
|
|||||||
|
|
||||||
#----------------------------------------------------------------------
|
#----------------------------------------------------------------------
|
||||||
# copyright (C) 1999-2005 Mitel Networks Corporation
|
# copyright (C) 1999-2005 Mitel Networks Corporation
|
||||||
|
# copyright (C) 2024 Koozali Foundation inc.
|
||||||
#
|
#
|
||||||
# This program is free software; you can redistribute it and/or modify
|
# This program is free software; you can redistribute it and/or modify
|
||||||
# it under the terms of the GNU General Public License as published by
|
# it under the terms of the GNU General Public License as published by
|
||||||
@ -27,6 +28,7 @@ use strict;
|
|||||||
use Errno;
|
use Errno;
|
||||||
use esmith::util;
|
use esmith::util;
|
||||||
use esmith::ConfigDB;
|
use esmith::ConfigDB;
|
||||||
|
use esmith::util::ldap;
|
||||||
|
|
||||||
my $conf = esmith::ConfigDB->open_ro
|
my $conf = esmith::ConfigDB->open_ro
|
||||||
or die "Could not open Config DB";
|
or die "Could not open Config DB";
|
||||||
@ -34,6 +36,9 @@ my $conf = esmith::ConfigDB->open_ro
|
|||||||
my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled';
|
my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled';
|
||||||
my $x = 0; # exit value
|
my $x = 0; # exit value
|
||||||
|
|
||||||
|
# prepare LDAP bind
|
||||||
|
my $ldap=esmith::util::ldap->new();
|
||||||
|
|
||||||
my $event = $ARGV [0];
|
my $event = $ARGV [0];
|
||||||
my $userName = $ARGV [1];
|
my $userName = $ARGV [1];
|
||||||
|
|
||||||
@ -53,11 +58,21 @@ if ($ldapauth ne 'enabled')
|
|||||||
( $x = 255, warn "Failed to delete (unix) account $userName.\n" );
|
( $x = 255, warn "Failed to delete (unix) account $userName.\n" );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
my $discard = `/bin/rm -rf /home/e-smith/files/users/$userName`;
|
||||||
|
if ($? != 0)
|
||||||
|
{
|
||||||
|
( $x = 255, warn "Failed to delete home dir of account $userName.\n" );
|
||||||
|
}
|
||||||
|
|
||||||
system("/usr/sbin/cpu", "userdel", "-r", $userName) == 0
|
}
|
||||||
or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (ldap) account $userName.\n" );
|
# delete user
|
||||||
|
my $result = $ldap->ldapdeluser($userName);
|
||||||
|
$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (ldap) account $userName.\n" );
|
||||||
|
|
||||||
system("/usr/sbin/cpu", "-C/etc/cpu-system.conf", "groupdel", $userName) == 0
|
# delete user dedicated group
|
||||||
or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (ldap) group account $userName.\n" );
|
$result = $ldap->ldapdelgroup($userName);
|
||||||
|
$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (ldap) group account $userName.\n" );
|
||||||
|
|
||||||
exit ($x);
|
exit ($x);
|
||||||
|
@ -2,6 +2,7 @@
|
|||||||
|
|
||||||
#----------------------------------------------------------------------
|
#----------------------------------------------------------------------
|
||||||
# copyright (C) 2001-2006 Mitel Networks Corporation
|
# copyright (C) 2001-2006 Mitel Networks Corporation
|
||||||
|
# copyright (C) 2024 Koozali foundation inc.
|
||||||
#
|
#
|
||||||
# This program is free software; you can redistribute it and/or modify
|
# This program is free software; you can redistribute it and/or modify
|
||||||
# it under the terms of the GNU General Public License as published by
|
# it under the terms of the GNU General Public License as published by
|
||||||
@ -25,6 +26,7 @@ use Errno;
|
|||||||
use esmith::AccountsDB;
|
use esmith::AccountsDB;
|
||||||
use esmith::ConfigDB;
|
use esmith::ConfigDB;
|
||||||
use English;
|
use English;
|
||||||
|
use esmith::util::ldap;
|
||||||
|
|
||||||
my $a = esmith::AccountsDB->open or die "Could not open accounts db";
|
my $a = esmith::AccountsDB->open or die "Could not open accounts db";
|
||||||
my $conf = esmith::ConfigDB->open or die "Could not open configuration db";
|
my $conf = esmith::ConfigDB->open or die "Could not open configuration db";
|
||||||
@ -32,6 +34,9 @@ my $conf = esmith::ConfigDB->open or die "Could not open configuration db";
|
|||||||
my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled';
|
my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled';
|
||||||
my $x = 0; # exit value
|
my $x = 0; # exit value
|
||||||
|
|
||||||
|
# prepare LDAP bind
|
||||||
|
my $ldap=esmith::util::ldap->new();
|
||||||
|
|
||||||
my $event = $ARGV [0];
|
my $event = $ARGV [0];
|
||||||
|
|
||||||
my @users_to_lock = bad_password_users();
|
my @users_to_lock = bad_password_users();
|
||||||
@ -54,13 +59,16 @@ sub lock_user
|
|||||||
|
|
||||||
my $u = $a->get($userName) or die "No account record for user $userName";
|
my $u = $a->get($userName) or die "No account record for user $userName";
|
||||||
|
|
||||||
|
# lock in unix shadow/passwd if used.
|
||||||
if ($ldapauth ne 'enabled')
|
if ($ldapauth ne 'enabled')
|
||||||
{
|
{
|
||||||
system("/usr/bin/passwd", "-l", $userName) == 0
|
system("/usr/bin/passwd", "-l", $userName) == 0
|
||||||
or ( $x = 255, warn "Error locking (unix) account $userName" );
|
or ( $x = 255, warn "Error locking (unix) account $userName" );
|
||||||
}
|
}
|
||||||
system("/usr/sbin/cpu", "usermod", "-L", $userName) == 0
|
# lock in LDAP
|
||||||
or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Error locking (ldap) account $userName" );
|
$result = $ldap->ldaplockuser($userName);
|
||||||
|
$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Error locking (ldap) account $userName.\n" );
|
||||||
|
# lock in samba
|
||||||
system("/usr/bin/smbpasswd", "-d", $userName) == 0
|
system("/usr/bin/smbpasswd", "-d", $userName) == 0
|
||||||
or ( $x = 255, warn "Error locking (smb) account $userName" );
|
or ( $x = 255, warn "Error locking (smb) account $userName" );
|
||||||
$u->set_prop('PasswordSet', 'no');
|
$u->set_prop('PasswordSet', 'no');
|
||||||
|
@ -22,29 +22,17 @@ use strict;
|
|||||||
use Errno;
|
use Errno;
|
||||||
use esmith::AccountsDB;
|
use esmith::AccountsDB;
|
||||||
use esmith::ConfigDB;
|
use esmith::ConfigDB;
|
||||||
use Net::LDAP;
|
|
||||||
use esmith::util;
|
use esmith::util;
|
||||||
|
use utf8;
|
||||||
|
use esmith::util::ldap;
|
||||||
|
|
||||||
my $conf = esmith::ConfigDB->open or die "Could not open configuration db";
|
my $conf = esmith::ConfigDB->open or die "Could not open configuration db";
|
||||||
|
|
||||||
my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled';
|
my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled';
|
||||||
my $x = 0; # exit value
|
my $x = 0; # exit value
|
||||||
|
|
||||||
my $domain = $conf->get('DomainName')
|
|
||||||
|| die("Couldn't determine domain name");
|
|
||||||
$domain = $domain->value;
|
|
||||||
|
|
||||||
# prepare LDAP bind
|
# prepare LDAP bind
|
||||||
my $pw = esmith::util::LdapPassword();
|
my $ldap=esmith::util::ldap->new();
|
||||||
my $base = esmith::util::ldapBase ($domain);
|
|
||||||
|
|
||||||
my $ldap = Net::LDAP->new('localhost')
|
|
||||||
or die "$@";
|
|
||||||
|
|
||||||
$ldap->bind(
|
|
||||||
dn => "cn=root,$base",
|
|
||||||
password => $pw
|
|
||||||
);
|
|
||||||
|
|
||||||
my $event = $ARGV [0];
|
my $event = $ARGV [0];
|
||||||
my $userName = $ARGV [1];
|
my $userName = $ARGV [1];
|
||||||
@ -94,22 +82,14 @@ foreach my $u (@users)
|
|||||||
system("/usr/sbin/usermod", '-s', "$new_shell", $userName) == 0
|
system("/usr/sbin/usermod", '-s', "$new_shell", $userName) == 0
|
||||||
or ( $x = 255, warn "Failed to modify shell of (unix) account $userName.\n" );
|
or ( $x = 255, warn "Failed to modify shell of (unix) account $userName.\n" );
|
||||||
}
|
}
|
||||||
|
|
||||||
my @new_shell = ($new_shell);
|
|
||||||
$result = $ldap->modify("uid=$userName,ou=Users,$base",
|
|
||||||
replace => {
|
|
||||||
loginShell => \@new_shell
|
|
||||||
}
|
|
||||||
);
|
|
||||||
$result->code && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify shell of (ldap) account $userName.\n" );
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#------------------------------------------------------------
|
#------------------------------------------------------------
|
||||||
# Modify user's first name and last name if required,
|
# Modify user's first name and last name if required,
|
||||||
# in /etc/passwd using "usermod"
|
# in /etc/passwd using "usermod"
|
||||||
#------------------------------------------------------------
|
#------------------------------------------------------------
|
||||||
my $first = $u->prop('FirstName') || "";
|
my $first = stringToASCII($u->prop('FirstName') || "");
|
||||||
my $last = $u->prop('LastName') || "";
|
my $last = stringToASCII($u->prop('LastName') || "");
|
||||||
my $new_comment = "$first $last";
|
my $new_comment = "$first $last";
|
||||||
|
|
||||||
unless ($comment eq $new_comment)
|
unless ($comment eq $new_comment)
|
||||||
@ -119,36 +99,11 @@ foreach my $u (@users)
|
|||||||
system("/usr/sbin/usermod", "-c", "$first $last", $userName) == 0
|
system("/usr/sbin/usermod", "-c", "$first $last", $userName) == 0
|
||||||
or ( $x = 255, warn "Failed to modify comment of (unix) account $userName.\n" );
|
or ( $x = 255, warn "Failed to modify comment of (unix) account $userName.\n" );
|
||||||
}
|
}
|
||||||
|
|
||||||
my @new_comment = ($new_comment);
|
|
||||||
my @first = ($first);
|
|
||||||
my @last = ($last);
|
|
||||||
$result = $ldap->modify("uid=$userName,ou=Users,$base",
|
|
||||||
replace => {
|
|
||||||
givenName => \@first,
|
|
||||||
sn => \@last,
|
|
||||||
cn => \@new_comment,
|
|
||||||
displayName => \@new_comment
|
|
||||||
}
|
|
||||||
);
|
|
||||||
$result->code && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify comment/name of (ldap) account $userName.\n" );
|
|
||||||
}
|
}
|
||||||
|
|
||||||
my @new_phone = ($u->prop('Phone')) || ();
|
# we do all the test in ldap pm to avoid 3 differents write access, which are costly.
|
||||||
my @new_company = ($u->prop('Company')) || ();
|
$result = $ldap->ldapuser($u);
|
||||||
my @new_dept = ($u->prop('Dept')) || ();
|
$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify email of (ldap) account $userName.\n" );
|
||||||
my @new_city = ($u->prop('City')) || ();
|
|
||||||
my @new_street = ($u->prop('Street')) || ();
|
|
||||||
$result = $ldap->modify("uid=$userName,ou=Users,$base",
|
|
||||||
replace => {
|
|
||||||
telephoneNumber => \@new_phone,
|
|
||||||
o => \@new_company,
|
|
||||||
ou => \@new_dept,
|
|
||||||
l => \@new_city,
|
|
||||||
street => \@new_street
|
|
||||||
}
|
|
||||||
);
|
|
||||||
$result->code && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify email of (ldap) account $userName.\n" );
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1,4 +1,6 @@
|
|||||||
session required pam_limits.so
|
session required pam_limits.so
|
||||||
|
-session optional pam_systemd.so
|
||||||
|
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet_success use_uid
|
||||||
session required pam_unix.so
|
session required pam_unix.so
|
||||||
{
|
{
|
||||||
my $status = $ldap{Authentication} || 'disabled';
|
my $status = $ldap{Authentication} || 'disabled';
|
||||||
|
@ -4,7 +4,7 @@ Summary: smeserver server and gateway - base module
|
|||||||
%define name smeserver-base
|
%define name smeserver-base
|
||||||
Name: %{name}
|
Name: %{name}
|
||||||
%define version 11.0.0
|
%define version 11.0.0
|
||||||
%define release 9
|
%define release 10
|
||||||
Version: %{version}
|
Version: %{version}
|
||||||
Release: %{release}%{?dist}
|
Release: %{release}%{?dist}
|
||||||
License: GPL
|
License: GPL
|
||||||
@ -15,7 +15,7 @@ Source: %{name}-%{version}.tar.xz
|
|||||||
|
|
||||||
BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
|
BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
|
||||||
Requires: pwauth
|
Requires: pwauth
|
||||||
Requires: smeserver-lib >= 2.2.0-2
|
Requires: smeserver-lib >= 11.0.0-7
|
||||||
Requires: server-manager-images, server-manager
|
Requires: server-manager-images, server-manager
|
||||||
Requires: smeserver-formmagick >= 1.4.0-12
|
Requires: smeserver-formmagick >= 1.4.0-12
|
||||||
Requires: plymouth
|
Requires: plymouth
|
||||||
@ -50,7 +50,7 @@ Requires: smeserver-runit >= 2.6.0-7
|
|||||||
Requires: smeserver-php >= 3.0.0-22
|
Requires: smeserver-php >= 3.0.0-22
|
||||||
Requires: smeserver-yum >= 2.6.0-43
|
Requires: smeserver-yum >= 2.6.0-43
|
||||||
Obsoletes: nss_ldap < 254
|
Obsoletes: nss_ldap < 254
|
||||||
Requires: cpu >= 1.4.3
|
Obsoletes: cpu
|
||||||
Obsoletes: rlinetd, e-smith-mod_ssl
|
Obsoletes: rlinetd, e-smith-mod_ssl
|
||||||
Obsoletes: e-smith-serial-console
|
Obsoletes: e-smith-serial-console
|
||||||
Obsoletes: sshell
|
Obsoletes: sshell
|
||||||
@ -184,6 +184,11 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed May 15 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-10.sme
|
||||||
|
- fix user@0.service failed to start [SME: 12568]
|
||||||
|
- stop loging in audit crond success
|
||||||
|
- drop cpu and use esmith:util::ldap [SME: 12663]
|
||||||
|
|
||||||
* Wed Apr 17 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-9.sme
|
* Wed Apr 17 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-9.sme
|
||||||
- fix self-signed cert renewd when not necessary [SME: 12606]
|
- fix self-signed cert renewd when not necessary [SME: 12606]
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user