* Wed May 15 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-10.sme

- fix user@0.service failed to start [SME: 12568] - stop loging in audit crond success - drop cpu and use esmith:util::ldap [SME: 12663]
2024-08-13 16:55:04 -04:00 · 2024-08-13 16:55:04 -04:00 · d0fb8284d6
commit d0fb8284d6
parent 2a87d8e1ba
9 changed files with 123 additions and 182 deletions
--- a/root/etc/e-smith/events/actions/group-create-unix
+++ b/root/etc/e-smith/events/actions/group-create-unix
@ -2,6 +2,7 @@
 #----------------------------------------------------------------------
 # copyright (C) 1999-2005 Mitel Networks Corporation
 # copyright (C) 2024 Koozali foundation inc.
 # 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@ -27,7 +28,8 @@ use strict;
 use Errno;
 use esmith::ConfigDB;
 use esmith::AccountsDB;
-use File::Temp;
+use esmith::util::ldap;
 use esmith::util;
 my $conf = esmith::ConfigDB->open_ro
    or die "Could not open Config DB";
@ -36,10 +38,10 @@ my $accounts = esmith::AccountsDB->open
 my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled';
 my $x = 0; # exit value
 my $result;
-my $domain = $conf->get('DomainName')
+# prepare LDAP bind
-    || die("Couldn't determine domain name");
+my $ldap=esmith::util::ldap->new();
 $domain = $domain->value;
 my $event = $ARGV [0];
 my $groupName = $ARGV [1];
@ -97,41 +99,20 @@ if ($ldapauth ne 'enabled')
        ) == 0 or ( $x = 255, warn "Failed to create (unix) user $groupName.\n" );
 }
-# Create the user's unique group first (in ldap)
+# create group
-my $tmpattr = File::Temp->new();
+$result = $ldap->ldapgroup($group);
-print $tmpattr "mail: $groupName\@$domain\n";
+$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) group $groupName.\n" );
 print $tmpattr "description: $description\n";
 $tmpattr->flush();
 system(
        "/usr/sbin/cpu", "groupadd",
        "-a", "$tmpattr",
        "-g", $gid,
        $groupName
    ) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) group $groupName.\n" );
 undef $tmpattr;
-# Now create the dummy user account (in ldap)
+#create dedicated group user
-system(
+$result = $ldap->ldapuser($group);
-        "/usr/sbin/cpu", "-C/etc/cpu-system.conf", "useradd",
+$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) user $groupName.\n" );
        "-u", $uid,
        "-g", $gid,
        "-d",
        "/home/e-smith",
        "-s",
        "/bin/false",
        "$groupName"
    ) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) user $groupName.\n" );
-# Set the cn of the dummy user account (in ldap)
+# add to supplementary group
-$tmpattr = File::Temp->new();
+# as it is regular group, pm will add www and admin, so no need to add it
-print $tmpattr "cn: $description\n";
+my @UserArr = ($groupName);
-$tmpattr->flush();
+$result = $ldap->ldapsetgroupmembers($groupName,\@UserArr);
-system( 
+# error code 20 is entry already exits.
-        "/usr/sbin/cpu", "-C/etc/cpu-system.conf", "usermod",
+$result  &&  ( $result->code != 20 ) && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to add (ldap) account $groupName to supplementary group.\n" );
        "-a", $tmpattr,
        "$groupName"
    ) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to update (ldap) user $groupName.\n" );
 undef $tmpattr;
 # Release lock if we have one
 $lock && esmith::lockfile::UnlockFile($lock);
@ -150,8 +131,7 @@ my @groupMembers = split (/,/, $members);
 # "www" and "admin" are implicit members of all groups
 push @groupMembers, 'admin', 'www';
-my $member;
+foreach my $member (@groupMembers)
 foreach $member (@groupMembers)
 {
    # Get a list of this member's supplementary groups, then add the
    # new group to the list. Finally sort, join and run the usermod
@ -179,13 +159,6 @@ foreach $member (@groupMembers)
        system("/usr/sbin/usermod", "-G", "$groups", "$member") == 0
            or ( $x = 255, warn "Failed to modify supplementary (unix) group list for $member.\n" );
    }
    # root user/group isn't in ldap
    @groupList = grep (!/^root$/, @groupList);
    $groups = join (',', sort (@groupList));
    system("/usr/sbin/cpu", "-C/etc/cpu-system.conf", "usermod", "-G", "$groups", "$member") == 0
        or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify supplementary (ldap) group list for $member.\n" );
 }
 exit ($x);
--- a/root/etc/e-smith/events/actions/group-delete-unix
+++ b/root/etc/e-smith/events/actions/group-delete-unix
@ -2,6 +2,7 @@
 #----------------------------------------------------------------------
 # copyright (C) 1999-2005 Mitel Networks Corporation
 # copyright (C) 2024 Koozali Foundation inc.
 # 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@ -26,6 +27,8 @@ package esmith;
 use strict;
 use Errno;
 use esmith::ConfigDB;
 use esmith::util;
 use esmith::util::ldap;
 my $conf = esmith::ConfigDB->open_ro
    or die "Could not open Config DB";
@ -33,6 +36,9 @@ my $conf = esmith::ConfigDB->open_ro
 my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled';
 my $x = 0; # exit value
 # prepare LDAP bind
 my $ldap=esmith::util::ldap->new();
 my $event = $ARGV [0];
 my $groupName = $ARGV [1] or die "Groupname argument missing.";
@ -45,10 +51,12 @@ if ($ldapauth ne 'enabled')
        or ( $x = 255, warn "Failed to delete (unix) group $groupName.\n" );
 }
-system("/usr/sbin/cpu", "-C/etc/cpu-system.conf", "userdel", "$groupName") == 0
+# delete dedicated user group
-    or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete dummy user for (ldap) group $groupName.\n" );
+my $result = $ldap->ldapdeluser($groupName);
 $result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete dummy user for (ldap) group $groupName.\n" );
-system("/usr/sbin/cpu", "groupdel", "$groupName") == 0
+# delete group
-    or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (ldap) group $groupName.\n" );
+$result = $ldap->ldapdelgroup($groupName);
 $result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (ldap) group $groupName.\n" );
 exit ($x);
--- a/root/etc/e-smith/events/actions/group-modify-unix
+++ b/root/etc/e-smith/events/actions/group-modify-unix
@ -2,6 +2,7 @@
 #----------------------------------------------------------------------
 # copyright (C) 2002-2005 Mitel Networks Corporation
 # copyright (C) 2024 Koozali Foundation inc.
 # 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@ -27,17 +28,19 @@ use strict;
 use Errno;
 use esmith::ConfigDB;
 use esmith::AccountsDB;
-use File::Temp;
+use esmith::util;
 use utf8;
 use esmith::util::ldap;
 my $c = esmith::ConfigDB->open_ro || die "Couldn't open config db\n";
 my $a = esmith::AccountsDB->open_ro || die "Couldn't open accounts db\n";
 my $ldapauth = $c->get('ldap')->prop('Authentication') || 'disabled';
 my $x = 0; # exit value
 my $result;
-my $domain = $c->get('DomainName')
+# prepare LDAP bind
-    || die("Couldn't determine domain name");
+my $ldap=esmith::util::ldap->new();
 $domain = $domain->value;
 my $event = shift || die "Event name arg missing\n";;
 my @groups;
@ -78,22 +81,12 @@ foreach my $group (@groups)
            or ( $x = 255, warn "Failed to modify (unix) group description for $groupName.\n" );
    }
-    my $tmpattr = File::Temp->new();
+    # modify group dedicated user cn
-    print $tmpattr "cn: $groupDesc\n";
+    $result = $ldap->ldapmoduser($group);
-    $tmpattr->flush();
+    $result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify (ldap) group description for $groupName.\n" );
-    system("/usr/sbin/cpu", "-C/etc/cpu-system.conf", "usermod", "-a", "$tmpattr", "$groupName") == 0
+    # modify Group description and mail
-        or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify (ldap) group description for $groupName.\n" );
+    $result = $ldap->ldapmodgroup($group);
-
+    $result  && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify (ldap) group description/email for $groupName.\n" );
    $tmpattr = File::Temp->new();
    print $tmpattr "mail: $groupName\@$domain\n";
    print $tmpattr "description: $groupDesc\n";
    $tmpattr->flush();
    system(
            "/usr/sbin/cpu", "-C/etc/cpu-system.conf", "groupmod", 
            "-a", "$tmpattr",
            "$groupName"
        ) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify (ldap) group description/email for $groupName.\n" );
    undef $tmpattr;
    my ($name, $passwd, $gid, $members) = getgrnam ($groupName);
    my @oldMembers = split (/\s+/, $members);
@ -116,7 +109,11 @@ foreach my $group (@groups)
    {
 	$oldMembers{$member} = 1;
    }
-    my (@addMembers, @delMembers);
+
    # applying list of user memberUid for LDAP for this group
    $result = $ldap->ldapsetgroupmembers($groupName,\@newMembers);
    # error code 20 is entry already exits.
    $result &&  ( $result->code != 20 ) && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify supplementary (ldap) group membership for $groupName.\n" );
    foreach $member (@newMembers, @oldMembers)
    {
@ -157,13 +154,8 @@ foreach my $group (@groups)
                or ( $x = 255, warn "Failed to modify supplementary (unix) group list for $member.\n" );
        }
        # root user/group isn't in ldap
        @groupList = grep (!/^root$/, @groupList);
        $groups = join (',', sort (@groupList));
        system("/usr/sbin/cpu", "-C/etc/cpu-system.conf", "usermod", "-G", "$groups", "$member") == 0
            or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify supplementary (ldap) group list for $member.\n" );
    }
-}
+
 } # end of list of groups
 exit ($x);
--- a/root/etc/e-smith/events/actions/user-create-unix
+++ b/root/etc/e-smith/events/actions/user-create-unix
@ -2,6 +2,7 @@
 #----------------------------------------------------------------------
 # copyright (C) 1999-2005 Mitel Networks Corporation
 # copyright (C) 2024 Koozali foundation inc.
 # 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@ -27,7 +28,9 @@ use strict;
 use Errno;
 use esmith::ConfigDB;
 use esmith::AccountsDB;
-use File::Temp;
+use esmith::util;
 use utf8;
 use esmith::util::ldap;
 my $conf = esmith::ConfigDB->open_ro;
 my $accounts = esmith::AccountsDB->open;
@ -35,9 +38,8 @@ my $accounts = esmith::AccountsDB->open;
 my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled';
 my $x = 0; # exit value
-my $domain = $conf->get('DomainName')
+# prepare LDAP bind
-    || die("Couldn't determine domain name");
+my $ldap=esmith::util::ldap->new();
 $domain = $domain->value;
 my $event = $ARGV [0];
 my $userName = $ARGV [1];
@ -65,13 +67,13 @@ unless ($uid = $acct->prop('Uid'))
    $acct->set_prop('Uid', $uid);
 }
 my $gid = $acct->prop('Gid') || $uid;
-my $first = $acct->prop('FirstName') || '';
+my $first = stringToASCII($acct->prop('FirstName')) || '';
-my $last = $acct->prop('LastName') || '';
+my $last = stringToASCII($acct->prop('LastName')) || '';
-my $phone = $acct->prop('Phone') || '';
+my $phone = stringToASCII($acct->prop('Phone')) || '';
-my $company = $acct->prop('Company') || '';
+my $company = stringToASCII($acct->prop('Company')) || '';
-my $dept = $acct->prop('Dept') || '';
+my $dept = stringToASCII($acct->prop('Dept')) || '';
-my $city = $acct->prop('City') || '';
+my $city = stringToASCII($acct->prop('City')) || '';
-my $street = $acct->prop('Street') || '';
+my $street = stringToASCII($acct->prop('Street')) || '';
 my $shell = $acct->prop('Shell') || '/usr/bin/false';
 my $groups = "shared";
@ -101,38 +103,17 @@ if ($ldapauth ne 'enabled')
 }
 # Create the user's unique group first (in ldap)
-system(
+my $result = $ldap->ldapgroup($acct);
-        "/usr/sbin/cpu", "-C/etc/cpu-system.conf", "groupadd",
+$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) group $userName.\n" );
        "-g",
        $gid,
        $userName
    ) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) group $userName.\n" );
 # Now create the user account (in ldap)
-my $tmpattr = File::Temp->new();
+$result = $ldap->ldapuser($acct);
-print $tmpattr "telephoneNumber: $phone\n";
+$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) account $userName.\n" );
 print $tmpattr "o: $company\n";
 print $tmpattr "ou: $dept\n";
 print $tmpattr "l: $city\n";
 print $tmpattr "street: $street\n";
 $tmpattr->flush();
 system(
        "/usr/sbin/cpu", "useradd",
        "-u", $uid,
        "-g", $gid,
        "-f", "$first",
        "-E", "$last",
        "-e", "$userName\@$domain",
        "-a", "$tmpattr",
        "-d", "/home/e-smith/files/users/$userName",
        "-G", "$groups",
        "-m",
        "-k/etc/e-smith/skel/user",
        "-s", "$shell",
        $userName
    ) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) account $userName.\n" );
 undef $tmpattr;
 # add to supplementary group
 my @UserArr = ($userName);
 $result = $ldap->ldapsetgroupmembers($userName,\@UserArr);
 $result &&  ( $result != 20 ) && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to add (ldap) account $userName to supplementary group.\n" );
 # Release lock if we have one
 $lock && esmith::lockfile::UnlockFile($lock);
@ -141,13 +122,15 @@ $lock && esmith::lockfile::UnlockFile($lock);
 chmod 0700, "/home/e-smith/files/users/$userName";
 # lock user password
 if ($ldapauth ne 'enabled')
 {
    system("/usr/bin/passwd", "-l", "$userName")
        and ( $x = 255, warn "Could not lock (unix) password for $userName\n" );
 }
-system("/usr/sbin/cpu", "usermod", "-L", "$userName")
+
-    and ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Could not lock (ldap) password for $userName\n" );
+# esmith::util::ldap already lock user on creation, this avoid one more ldap write access.
 system("/usr/bin/smbpasswd", "-a", "-d", "$userName")
    and ( $x = 255, warn "Could not lock (smb) password for $userName\n" );
--- a/root/etc/e-smith/events/actions/user-delete-unix
+++ b/root/etc/e-smith/events/actions/user-delete-unix
@ -2,6 +2,7 @@
 #----------------------------------------------------------------------
 # copyright (C) 1999-2005 Mitel Networks Corporation
 # copyright (C) 2024 Koozali Foundation inc.
 # 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@ -27,6 +28,7 @@ use strict;
 use Errno;
 use esmith::util;
 use esmith::ConfigDB;
 use esmith::util::ldap;
 my $conf = esmith::ConfigDB->open_ro
    or die "Could not open Config DB";
@ -34,6 +36,9 @@ my $conf = esmith::ConfigDB->open_ro
 my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled';
 my $x = 0; # exit value
 # prepare LDAP bind
 my $ldap=esmith::util::ldap->new();
 my $event = $ARGV [0];
 my $userName = $ARGV [1];
@ -53,11 +58,21 @@ if ($ldapauth ne 'enabled')
        ( $x = 255, warn "Failed to delete (unix) account $userName.\n" );
    }
 }
 else
 {
    my $discard = `/bin/rm -rf /home/e-smith/files/users/$userName`;
    if ($? != 0)
    {
        ( $x = 255, warn "Failed to delete home dir of account $userName.\n" );
    }
-system("/usr/sbin/cpu", "userdel", "-r", $userName) == 0
+}
-    or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (ldap) account $userName.\n" );
+# delete user
 my $result = $ldap->ldapdeluser($userName);
 $result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (ldap) account $userName.\n" );
-system("/usr/sbin/cpu", "-C/etc/cpu-system.conf", "groupdel", $userName) == 0
+# delete user dedicated group
-    or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (ldap) group account $userName.\n" );
+$result = $ldap->ldapdelgroup($userName);
 $result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (ldap) group account $userName.\n" );
 exit ($x);
--- a/root/etc/e-smith/events/actions/user-lock-passwd
+++ b/root/etc/e-smith/events/actions/user-lock-passwd
@ -2,6 +2,7 @@
 #----------------------------------------------------------------------
 # copyright (C) 2001-2006 Mitel Networks Corporation
 # copyright (C) 2024 Koozali foundation inc.
 # 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@ -25,6 +26,7 @@ use Errno;
 use esmith::AccountsDB;
 use esmith::ConfigDB;
 use English;
 use esmith::util::ldap;
 my $a = esmith::AccountsDB->open or die "Could not open accounts db";
 my $conf = esmith::ConfigDB->open or die "Could not open configuration db";
@ -32,6 +34,9 @@ my $conf = esmith::ConfigDB->open or die "Could not open configuration db";
 my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled';
 my $x = 0; # exit value
 # prepare LDAP bind
 my $ldap=esmith::util::ldap->new();
 my $event = $ARGV [0];
 my @users_to_lock = bad_password_users();
@ -54,13 +59,16 @@ sub lock_user
    my $u = $a->get($userName) or die "No account record for user $userName";
    # lock in unix shadow/passwd if used.
    if ($ldapauth ne 'enabled')
    {
        system("/usr/bin/passwd", "-l", $userName) == 0
            or ( $x = 255, warn "Error locking (unix) account $userName" );
    }
-    system("/usr/sbin/cpu", "usermod", "-L", $userName) == 0
+    # lock in LDAP
-        or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Error locking (ldap) account $userName" );
+    $result = $ldap->ldaplockuser($userName);
    $result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Error locking (ldap) account $userName.\n" );
    # lock in samba
    system("/usr/bin/smbpasswd", "-d", $userName) == 0
        or ( $x = 255, warn "Error locking (smb) account $userName" );
    $u->set_prop('PasswordSet', 'no');
--- a/root/etc/e-smith/events/actions/user-modify-unix
+++ b/root/etc/e-smith/events/actions/user-modify-unix
@ -22,29 +22,17 @@ use strict;
 use Errno;
 use esmith::AccountsDB;
 use esmith::ConfigDB;
 use Net::LDAP;
 use esmith::util;
 use utf8;
 use esmith::util::ldap;
 my $conf = esmith::ConfigDB->open or die "Could not open configuration db";
 my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled';
 my $x = 0; # exit value
 my $domain = $conf->get('DomainName')
    || die("Couldn't determine domain name");
 $domain = $domain->value;
 # prepare LDAP bind
-my $pw = esmith::util::LdapPassword();
+my $ldap=esmith::util::ldap->new();
 my $base = esmith::util::ldapBase ($domain);
 my $ldap = Net::LDAP->new('localhost')
    or die "$@";
 $ldap->bind(
    dn => "cn=root,$base",
    password => $pw
 );
 my $event = $ARGV [0];
 my $userName = $ARGV [1];
@ -94,22 +82,14 @@ foreach my $u (@users)
            system("/usr/sbin/usermod", '-s', "$new_shell", $userName) == 0
                or ( $x = 255, warn "Failed to modify shell of (unix) account $userName.\n" );
        }
        my @new_shell = ($new_shell);
        $result = $ldap->modify("uid=$userName,ou=Users,$base",
                      replace => {
                          loginShell => \@new_shell
                      }
        );
        $result->code && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify shell of (ldap) account $userName.\n" );
    }
    #------------------------------------------------------------
    # Modify user's first name and last name if required,
    # in /etc/passwd using "usermod"
    #------------------------------------------------------------
-    my $first = $u->prop('FirstName') || "";
+    my $first = stringToASCII($u->prop('FirstName') || "");
-    my $last = $u->prop('LastName') || "";
+    my $last = stringToASCII($u->prop('LastName') || "");
    my $new_comment = "$first $last";
    unless ($comment eq $new_comment)
@ -119,36 +99,11 @@ foreach my $u (@users)
            system("/usr/sbin/usermod", "-c", "$first $last", $userName) == 0
                or ( $x = 255, warn "Failed to modify comment of (unix) account $userName.\n" );
        }
        my @new_comment = ($new_comment);
        my @first = ($first);
        my @last = ($last);
        $result = $ldap->modify("uid=$userName,ou=Users,$base",
                      replace => {
                          givenName => \@first,
                          sn => \@last,
                          cn => \@new_comment,
                          displayName => \@new_comment
                      }
        );
        $result->code && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify comment/name of (ldap) account $userName.\n" );
    }
-    my @new_phone = ($u->prop('Phone')) || ();
+    # we do all the test in ldap pm to avoid 3 differents write access, which are costly.
-    my @new_company = ($u->prop('Company')) || ();
+    $result = $ldap->ldapuser($u);
-    my @new_dept = ($u->prop('Dept')) || ();
+    $result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify email of (ldap) account $userName.\n" );
    my @new_city = ($u->prop('City')) || ();
    my @new_street = ($u->prop('Street')) || ();
    $result = $ldap->modify("uid=$userName,ou=Users,$base",
                            replace => {
                                telephoneNumber => \@new_phone,
                                o => \@new_company,
                                ou => \@new_dept,
                                l => \@new_city,
                                street => \@new_street
                            }
    );
    $result->code && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify email of (ldap) account $userName.\n" );
 }
--- a/root/etc/e-smith/templates/etc/pam.d/system-auth/50session
+++ b/root/etc/e-smith/templates/etc/pam.d/system-auth/50session
@ -1,4 +1,6 @@
 session     required      pam_limits.so
 -session    optional                                     pam_systemd.so
 session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet_success use_uid
 session     required      pam_unix.so
 {
    my $status = $ldap{Authentication} || 'disabled';
--- a/smeserver-base.spec
+++ b/smeserver-base.spec
@ -4,7 +4,7 @@ Summary: smeserver server and gateway - base module
 %define name smeserver-base
 Name: %{name}
 %define version 11.0.0
-%define release 9
+%define release 10
 Version: %{version}
 Release: %{release}%{?dist}
 License: GPL
@ -15,7 +15,7 @@ Source: %{name}-%{version}.tar.xz
 BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
 Requires: pwauth
-Requires: smeserver-lib >= 2.2.0-2
+Requires: smeserver-lib >= 11.0.0-7
 Requires: server-manager-images, server-manager
 Requires: smeserver-formmagick >= 1.4.0-12
 Requires: plymouth
@ -50,7 +50,7 @@ Requires: smeserver-runit >= 2.6.0-7
 Requires: smeserver-php >= 3.0.0-22
 Requires: smeserver-yum >= 2.6.0-43 
 Obsoletes: nss_ldap < 254
-Requires: cpu >= 1.4.3
+Obsoletes: cpu
 Obsoletes: rlinetd, e-smith-mod_ssl
 Obsoletes: e-smith-serial-console
 Obsoletes: sshell
@ -184,6 +184,11 @@ fi
 %changelog
 * Wed May 15 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-10.sme
 - fix user@0.service failed to start [SME: 12568]
 - stop loging in audit crond success
 - drop cpu and use esmith:util::ldap [SME: 12663]
 * Wed Apr 17 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-9.sme
 - fix self-signed cert renewd when not necessary [SME: 12606]