* Mon Sep 23 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-14.sme

- fix result variable not initialized [SME: 12663]

createlinks

@@ -64,6 +64,7 @@ foreach (qw(
     /etc/resolv.conf
     /etc/sysctl.conf
     /var/service/wan/dhclient.config
+    /lib/modprobe.d/systemd.conf
     ))
 {
     templates2events($_, qw(console-save bootstrap-console-save smeserver-base-update));
@@ -308,6 +309,7 @@ templates2events("/usr/lib/systemd/system/dhcpd.service.d/50koozali.conf", $even
 event_link("systemd-journald", $event, "02");
 event_link("fix-startup", $event, "05");
 event_link("init-accounts", $event, "05");
+event_link("mail-spool-fix", $event, "05");
 event_link("logrotate-migrate", $event, "06");
 event_link("rotate_logfiles", $event, "07");
 event_link("set-hostname", $event, "10");
@@ -324,6 +326,7 @@ event_link("conf-routes", $event, "89");
 event_link("systemd-default", $event, "88");
 event_link("systemd-isolate", $event, "89");
 event_link("systemd-reload", $event, "89");
+event_link("fix-noise-el8", $event, "89");
 event_link("raidmonitor-check", $event, "92");
 
 safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/network");
@@ -456,6 +459,7 @@ event_link("conf-modules", $event, "30");
 event_link("create-mnt-floppy", $event, "50");
 event_link("systemd-default", $event, "88");
 event_link("systemd-reload", $event, "89");
+event_link("fix-noise-el8", $event, "89");
 
 #--------------------------------------------------
 # actions for post-upgrade event
@@ -468,6 +472,7 @@ templates2events("/usr/lib/systemd/system/dhcpd.service.d/50koozali.conf", $even
 event_link("systemd-journald", $event, "02");
 event_link("fix-startup", $event, "05");
 event_link("init-accounts", $event, "05");
+event_link("mail-spool-fix", $event, "05");
 event_link("logrotate-migrate", $event, "06");
 event_link("rotate_logfiles", $event, "07");
 event_link("conf-startup", $event, "10");
@@ -511,6 +516,7 @@ $event = "user-create";
 event_link("user-create-unix", $event, "04");
 event_link("count-active-user-accounts", $event, "25");
 event_link("user-group-modify", $event, "85");
+event_link("mail-spool-fix", $event, "89");
 
 #--------------------------------------------------
 # actions for user-delete event
@@ -522,6 +528,7 @@ event_link("user-delete-groups-and-pseudonyms", $event, "02");
 event_link("user-delete-unix", $event, "15");
 event_link("initialize-default-databases", $event, "23");
 event_link("count-active-user-accounts", $event, "25");
+event_link("mail-spool-fix", $event, "89");
 
 #--------------------------------------------------
 # actions for user-modify event
@@ -623,6 +630,7 @@ templates2events("/home/e-smith/ssl.pem/pem", $event);
 $event = "email-update";
 event_link("systemd-default", $event, "88");
 event_link("systemd-reload", $event, "89");
+event_link("mail-spool-fix", $event, "89");
 
 #--------------------------------------------------
 # actions for webapps-update event

root/etc/dnf/plugins/post-transaction-actions.d/smeserver.action

@@ -0,0 +1,2 @@
+# cockpit noise [SME: 12575]
+cockpit-ws:any:ln -sfn /dev/null /etc/motd.d/cockpit 

root/etc/e-smith/events/actions/fix-noise-el8

@@ -0,0 +1,4 @@
+#!/bin/bash
+# remove cockpit alert forever [SME: 12575]
+ln -sfn /dev/null /etc/motd.d/cockpit 
+

root/etc/e-smith/events/actions/group-create-unix

@@ -2,6 +2,7 @@
 
 #----------------------------------------------------------------------
 # copyright (C) 1999-2005 Mitel Networks Corporation
+# copyright (C) 2024 Koozali foundation inc.
 # 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -27,7 +28,8 @@ use strict;
 use Errno;
 use esmith::ConfigDB;
 use esmith::AccountsDB;
-use File::Temp;
+use esmith::util::ldap;
+use esmith::util;
 
 my $conf = esmith::ConfigDB->open_ro
     or die "Could not open Config DB";
@@ -36,10 +38,10 @@ my $accounts = esmith::AccountsDB->open
 
 my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled';
 my $x = 0; # exit value
+my $result;
 
-my $domain = $conf->get('DomainName')
-    || die("Couldn't determine domain name");
-$domain = $domain->value;
+# prepare LDAP bind
+my $ldap=esmith::util::ldap->new();
 
 my $event = $ARGV [0];
 my $groupName = $ARGV [1];
@@ -97,41 +99,20 @@ if ($ldapauth ne 'enabled')
         ) == 0 or ( $x = 255, warn "Failed to create (unix) user $groupName.\n" );
 }
 
-# Create the user's unique group first (in ldap)
-my $tmpattr = File::Temp->new();
-print $tmpattr "mail: $groupName\@$domain\n";
-print $tmpattr "description: $description\n";
-$tmpattr->flush();
-system(
-        "/usr/sbin/cpu", "groupadd",
-        "-a", "$tmpattr",
-        "-g", $gid,
-        $groupName
-    ) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) group $groupName.\n" );
-undef $tmpattr;
+# create group
+$result = $ldap->ldapgroup($group);
+$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) group $groupName.\n" );
 
-# Now create the dummy user account (in ldap)
-system(
-        "/usr/sbin/cpu", "-C/etc/cpu-system.conf", "useradd",
-        "-u", $uid,
-        "-g", $gid,
-        "-d",
-        "/home/e-smith",
-        "-s",
-        "/bin/false",
-        "$groupName"
-    ) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) user $groupName.\n" );
+#create dedicated group user
+$result = $ldap->ldapuser($group);
+$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) user $groupName.\n" );
 
-# Set the cn of the dummy user account (in ldap)
-$tmpattr = File::Temp->new();
-print $tmpattr "cn: $description\n";
-$tmpattr->flush();
-system( 
-        "/usr/sbin/cpu", "-C/etc/cpu-system.conf", "usermod",
-        "-a", $tmpattr,
-        "$groupName"
-    ) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to update (ldap) user $groupName.\n" );
-undef $tmpattr;
+# add to supplementary group
+# as it is regular group, pm will add www and admin, so no need to add it
+my @UserArr = ($groupName);
+$result = $ldap->ldapsetgroupmembers($groupName,\@UserArr);
+# error code 20 is entry already exits.
+$result  &&  ( $result->code != 20 ) && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to add (ldap) account $groupName to supplementary group.\n" );
 
 # Release lock if we have one
 $lock && esmith::lockfile::UnlockFile($lock);
@@ -150,8 +131,7 @@ my @groupMembers = split (/,/, $members);
 # "www" and "admin" are implicit members of all groups
 push @groupMembers, 'admin', 'www';
 
-my $member;
-foreach $member (@groupMembers)
+foreach my $member (@groupMembers)
 {
     # Get a list of this member's supplementary groups, then add the
     # new group to the list. Finally sort, join and run the usermod
@@ -179,13 +159,6 @@ foreach $member (@groupMembers)
         system("/usr/sbin/usermod", "-G", "$groups", "$member") == 0
             or ( $x = 255, warn "Failed to modify supplementary (unix) group list for $member.\n" );
     }
-
-    # root user/group isn't in ldap
-    @groupList = grep (!/^root$/, @groupList);
-    $groups = join (',', sort (@groupList));
-
-    system("/usr/sbin/cpu", "-C/etc/cpu-system.conf", "usermod", "-G", "$groups", "$member") == 0
-        or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify supplementary (ldap) group list for $member.\n" );
 }
 
 exit ($x);

root/etc/e-smith/events/actions/group-delete-unix

@@ -2,6 +2,7 @@
 
 #----------------------------------------------------------------------
 # copyright (C) 1999-2005 Mitel Networks Corporation
+# copyright (C) 2024 Koozali Foundation inc.
 # 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -26,6 +27,8 @@ package esmith;
 use strict;
 use Errno;
 use esmith::ConfigDB;
+use esmith::util;
+use esmith::util::ldap;
 
 my $conf = esmith::ConfigDB->open_ro
     or die "Could not open Config DB";
@@ -33,6 +36,9 @@ my $conf = esmith::ConfigDB->open_ro
 my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled';
 my $x = 0; # exit value
 
+# prepare LDAP bind
+my $ldap=esmith::util::ldap->new();
+
 my $event = $ARGV [0];
 my $groupName = $ARGV [1] or die "Groupname argument missing.";
 
@@ -45,10 +51,15 @@ if ($ldapauth ne 'enabled')
         or ( $x = 255, warn "Failed to delete (unix) group $groupName.\n" );
 }
 
-system("/usr/sbin/cpu", "-C/etc/cpu-system.conf", "userdel", "$groupName") == 0
-    or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete dummy user for (ldap) group $groupName.\n" );
+# delete dedicated user group
+my $result = $ldap->ldapdeluser($groupName);
+$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete dummy user for (ldap) group $groupName.\n" );
 
-system("/usr/sbin/cpu", "groupdel", "$groupName") == 0
-    or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (ldap) group $groupName.\n" );
+# delete group
+$result = $ldap->ldapdelgroup($groupName);
+$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (ldap) group $groupName.\n" );
+
+# delete mail spool file
+unless ($x == 255) { unlink("/var/spool/mail/$groupName") or ( $x = 255, warn "Failed to delete /var/spool/mail/$groupName.\n" );}
 
 exit ($x);

root/etc/e-smith/events/actions/group-modify-unix

@@ -2,6 +2,7 @@
 
 #----------------------------------------------------------------------
 # copyright (C) 2002-2005 Mitel Networks Corporation
+# copyright (C) 2024 Koozali Foundation inc.
 # 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -27,17 +28,19 @@ use strict;
 use Errno;
 use esmith::ConfigDB;
 use esmith::AccountsDB;
-use File::Temp;
+use esmith::util;
+use utf8;
+use esmith::util::ldap;
 
 my $c = esmith::ConfigDB->open_ro || die "Couldn't open config db\n";
 my $a = esmith::AccountsDB->open_ro || die "Couldn't open accounts db\n";
 
 my $ldapauth = $c->get('ldap')->prop('Authentication') || 'disabled';
 my $x = 0; # exit value
+my $result;
 
-my $domain = $c->get('DomainName')
-    || die("Couldn't determine domain name");
-$domain = $domain->value;
+# prepare LDAP bind
+my $ldap=esmith::util::ldap->new();
 
 my $event = shift || die "Event name arg missing\n";;
 my @groups;
@@ -51,6 +54,11 @@ else
     @groups = $a->groups;
 }
 
+# fix www missing in shared
+my ( $name,   $passwd,   $gid,       $members  ) = getgrnam('shared');
+my @mb= split(/ /, $members);
+system("usermod -a -G shared www") unless ( grep(/^www$/, @mb) ) ;
+
 foreach my $group (@groups)
 {
     my $groupName = $group->key;
@@ -78,22 +86,12 @@ foreach my $group (@groups)
             or ( $x = 255, warn "Failed to modify (unix) group description for $groupName.\n" );
     }
 
-    my $tmpattr = File::Temp->new();
-    print $tmpattr "cn: $groupDesc\n";
-    $tmpattr->flush();
-    system("/usr/sbin/cpu", "-C/etc/cpu-system.conf", "usermod", "-a", "$tmpattr", "$groupName") == 0
-        or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify (ldap) group description for $groupName.\n" );
-
-    $tmpattr = File::Temp->new();
-    print $tmpattr "mail: $groupName\@$domain\n";
-    print $tmpattr "description: $groupDesc\n";
-    $tmpattr->flush();
-    system(
-            "/usr/sbin/cpu", "-C/etc/cpu-system.conf", "groupmod", 
-            "-a", "$tmpattr",
-            "$groupName"
-        ) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify (ldap) group description/email for $groupName.\n" );
-    undef $tmpattr;
+    # modify group dedicated user cn
+    $result = $ldap->ldapmoduser($group);
+    $result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify (ldap) group description for $groupName.\n" );
+    # modify Group description and mail
+    $result = $ldap->ldapmodgroup($group);
+    $result  && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify (ldap) group description/email for $groupName.\n" );
 
     my ($name, $passwd, $gid, $members) = getgrnam ($groupName);
     my @oldMembers = split (/\s+/, $members);
@@ -116,7 +114,11 @@ foreach my $group (@groups)
     {
 	$oldMembers{$member} = 1;
     }
-    my (@addMembers, @delMembers);
+
+    # applying list of user memberUid for LDAP for this group
+    $result = $ldap->ldapsetgroupmembers($groupName,\@newMembers);
+    # error code 20 is entry already exits.
+    $result &&  ( $result->code != 20 ) && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify supplementary (ldap) group membership for $groupName.\n" );
 
     foreach $member (@newMembers, @oldMembers)
     {
@@ -128,18 +130,23 @@ foreach my $group (@groups)
 	# We need to add or remove this member from the group
 	# Get the supplementary group list for the member we are adding or
 	# deleting.
-	my $cmd = "/usr/bin/id -G -n '$member'";
+	#my $cmd = "/usr/bin/id -G -n '$member'";
+  # this will not fail in case of apache before www in passwd
+  my $cmd = "/usr/bin/groups '$member'"; 
 	my $groups = `$cmd 2>/dev/null`; 
 	if ($? != 0)
 	{
 	    die "Failed to get supplementary group list for $member.\n";
 	}
+  $groups =~ s/^.*:\s+//;
 	chomp ($groups);
 
 	my @groupList = split (/\s+/, $groups);
 	@groupList = grep (!/^$member$/, @groupList);
 	# Apache is an alias for www
 	@groupList = map { $_ =~ s/^apache$/www/g; $_ } @groupList;
+  # www needs to be in shared
+  push(@groupList,'shared') if ( ($member eq 'www') and (! grep{$_ eq 'shared'} @groupList));
 
 	if ($oldMembers{$member})
 	{
@@ -157,13 +164,8 @@ foreach my $group (@groups)
                 or ( $x = 255, warn "Failed to modify supplementary (unix) group list for $member.\n" );
         }
 
-        # root user/group isn't in ldap
-        @groupList = grep (!/^root$/, @groupList);
-        $groups = join (',', sort (@groupList));
-
-        system("/usr/sbin/cpu", "-C/etc/cpu-system.conf", "usermod", "-G", "$groups", "$member") == 0
-            or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify supplementary (ldap) group list for $member.\n" );
     }
-}
+
+} # end of list of groups
 
 exit ($x);

root/etc/e-smith/events/actions/mail-spool-fix

@@ -0,0 +1,47 @@
+#! /bin/bash
+
+#----------------------------------------------------------------------
+# copyright (C) 2023 Koozali SME Server
+#               
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#               
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#               
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
+# 
+#----------------------------------------------------------------------
+
+# fix ownership of spool folder content
+pushd /var/spool/mail/ >/dev/null
+for file in *; do
+  if [ ! -f "$file" ]; then
+    continue
+  fi
+  if ( ! `id -u $file 2>/dev/null 1>&2`) ; then
+    echo "$file user does not exist deleting mail spool file" 
+    rm -f /var/spool/mail/$file
+    continue
+  fi
+  userf=$(stat -c %U /var/spool/mail/$file 2>/dev/null)
+  if [[ "$userf" != "$file" ]]; then
+    uidf=$(stat -c %u /var/spool/mail/$file 2>/dev/null)
+    uiduser=$(id -u $file 2>/dev/null )
+    # extra step needed if username has an alias eg www=apache
+    if [[ "$uidf" != "$uiduser" ]]; then
+    echo "fixing ownership of $file spool mail"
+    # extra security we want to clean it from sensitive information
+    echo ""> /var/spool/mail/$file
+    chown $file /var/spool/mail/$file
+    fi
+  fi
+done
+popd >/dev/null
+

root/etc/e-smith/events/actions/systemd-default

@@ -105,7 +105,7 @@ foreach my $filen (reverse sort keys %files) {
 	    my $multiple = $service;
 	    ($multiple = $service ) =~ s/([a-zA-Z0-9\-_.]+@)(.*)/$1.service/ if ( $service =~ /@/ );
 	    #print "$stats $service $multiple\n";
-	    next unless ( -e "/usr/lib/systemd/system/$service" or -e "/etc/lib/systemd/system/$service" or -e "/usr/lib/systemd/system/$multiple");
+	    next unless ( -e "/usr/lib/systemd/system/$service" or -e "/etc/systemd/system/$service" or -e "/usr/lib/systemd/system/$multiple");
 	    # eliminate duplicates, this way we keep only the last entry of the lowest file as we do it in reverse order of file,
 	    # but from top to bottom of file.
 	    $services{$service}=$stats;

root/etc/e-smith/events/actions/user-create-unix

@@ -2,6 +2,7 @@
 
 #----------------------------------------------------------------------
 # copyright (C) 1999-2005 Mitel Networks Corporation
+# copyright (C) 2024 Koozali foundation inc.
 # 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -27,7 +28,9 @@ use strict;
 use Errno;
 use esmith::ConfigDB;
 use esmith::AccountsDB;
-use File::Temp;
+use esmith::util;
+use utf8;
+use esmith::util::ldap;
 
 my $conf = esmith::ConfigDB->open_ro;
 my $accounts = esmith::AccountsDB->open;
@@ -35,9 +38,8 @@ my $accounts = esmith::AccountsDB->open;
 my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled';
 my $x = 0; # exit value
 
-my $domain = $conf->get('DomainName')
-    || die("Couldn't determine domain name");
-$domain = $domain->value;
+# prepare LDAP bind
+my $ldap=esmith::util::ldap->new();
 
 my $event = $ARGV [0];
 my $userName = $ARGV [1];
@@ -65,13 +67,13 @@ unless ($uid = $acct->prop('Uid'))
     $acct->set_prop('Uid', $uid);
 }
 my $gid = $acct->prop('Gid') || $uid;
-my $first = $acct->prop('FirstName') || '';
-my $last = $acct->prop('LastName') || '';
-my $phone = $acct->prop('Phone') || '';
-my $company = $acct->prop('Company') || '';
-my $dept = $acct->prop('Dept') || '';
-my $city = $acct->prop('City') || '';
-my $street = $acct->prop('Street') || '';
+my $first = stringToASCII($acct->prop('FirstName')) || '';
+my $last = stringToASCII($acct->prop('LastName')) || '';
+my $phone = stringToASCII($acct->prop('Phone')) || '';
+my $company = stringToASCII($acct->prop('Company')) || '';
+my $dept = stringToASCII($acct->prop('Dept')) || '';
+my $city = stringToASCII($acct->prop('City')) || '';
+my $street = stringToASCII($acct->prop('Street')) || '';
 my $shell = $acct->prop('Shell') || '/usr/bin/false';
 my $groups = "shared";
 
@@ -101,38 +103,17 @@ if ($ldapauth ne 'enabled')
 }
 
 # Create the user's unique group first (in ldap)
-system(
-        "/usr/sbin/cpu", "-C/etc/cpu-system.conf", "groupadd",
-        "-g",
-        $gid,
-        $userName
-    ) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) group $userName.\n" );
+my $result = $ldap->ldapgroup($acct);
+$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) group $userName.\n" );
 
 # Now create the user account (in ldap)
-my $tmpattr = File::Temp->new();
-print $tmpattr "telephoneNumber: $phone\n";
-print $tmpattr "o: $company\n";
-print $tmpattr "ou: $dept\n";
-print $tmpattr "l: $city\n";
-print $tmpattr "street: $street\n";
-$tmpattr->flush();
-system(
-        "/usr/sbin/cpu", "useradd",
-        "-u", $uid,
-        "-g", $gid,
-        "-f", "$first",
-        "-E", "$last",
-        "-e", "$userName\@$domain",
-        "-a", "$tmpattr",
-        "-d", "/home/e-smith/files/users/$userName",
-        "-G", "$groups",
-        "-m",
-        "-k/etc/e-smith/skel/user",
-        "-s", "$shell",
-        $userName
-    ) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) account $userName.\n" );
-undef $tmpattr;
+$result = $ldap->ldapuser($acct);
+$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) account $userName.\n" );
 
+# add to supplementary group
+my @UserArr = ($userName);
+$result = $ldap->ldapsetgroupmembers($userName,\@UserArr);
+$result &&  ( $result != 20 ) && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to add (ldap) account $userName to supplementary group.\n" );
 
 # Release lock if we have one
 $lock && esmith::lockfile::UnlockFile($lock);
@@ -141,13 +122,15 @@ $lock && esmith::lockfile::UnlockFile($lock);
 
 chmod 0700, "/home/e-smith/files/users/$userName";
 
+# lock user password
 if ($ldapauth ne 'enabled')
 {
     system("/usr/bin/passwd", "-l", "$userName")
         and ( $x = 255, warn "Could not lock (unix) password for $userName\n" );
 }
-system("/usr/sbin/cpu", "usermod", "-L", "$userName")
-    and ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Could not lock (ldap) password for $userName\n" );
+
+# esmith::util::ldap already lock user on creation, this avoid one more ldap write access.
+
 system("/usr/bin/smbpasswd", "-a", "-d", "$userName")
     and ( $x = 255, warn "Could not lock (smb) password for $userName\n" );
 

root/etc/e-smith/events/actions/user-delete-unix

@@ -2,6 +2,7 @@
 
 #----------------------------------------------------------------------
 # copyright (C) 1999-2005 Mitel Networks Corporation
+# copyright (C) 2024 Koozali Foundation inc.
 # 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -27,6 +28,7 @@ use strict;
 use Errno;
 use esmith::util;
 use esmith::ConfigDB;
+use esmith::util::ldap;
 
 my $conf = esmith::ConfigDB->open_ro
     or die "Could not open Config DB";
@@ -34,6 +36,9 @@ my $conf = esmith::ConfigDB->open_ro
 my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled';
 my $x = 0; # exit value
 
+# prepare LDAP bind
+my $ldap=esmith::util::ldap->new();
+
 my $event = $ARGV [0];
 my $userName = $ARGV [1];
 
@@ -53,11 +58,21 @@ if ($ldapauth ne 'enabled')
         ( $x = 255, warn "Failed to delete (unix) account $userName.\n" );
     }
 }
+else
+{
+    my $discard = `/bin/rm -rf /home/e-smith/files/users/$userName`;
+    if ($? != 0)
+    {
+        ( $x = 255, warn "Failed to delete home dir of account $userName.\n" );
+    }
 
-system("/usr/sbin/cpu", "userdel", "-r", $userName) == 0
-    or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (ldap) account $userName.\n" );
+}
+# delete user
+my $result = $ldap->ldapdeluser($userName);
+$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (ldap) account $userName.\n" );
 
-system("/usr/sbin/cpu", "-C/etc/cpu-system.conf", "groupdel", $userName) == 0
-    or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (ldap) group account $userName.\n" );
+# delete user dedicated group
+$result = $ldap->ldapdelgroup($userName);
+$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (ldap) group account $userName.\n" );
 
 exit ($x);

root/etc/e-smith/events/actions/user-lock-passwd

@@ -2,6 +2,7 @@
 
 #----------------------------------------------------------------------
 # copyright (C) 2001-2006 Mitel Networks Corporation
+# copyright (C) 2024 Koozali foundation inc.
 # 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -25,13 +26,18 @@ use Errno;
 use esmith::AccountsDB;
 use esmith::ConfigDB;
 use English;
+use esmith::util::ldap;
 
 my $a = esmith::AccountsDB->open or die "Could not open accounts db";
 my $conf = esmith::ConfigDB->open or die "Could not open configuration db";
 
 my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled';
+my $result;
 my $x = 0; # exit value
 
+# prepare LDAP bind
+my $ldap=esmith::util::ldap->new();
+
 my $event = $ARGV [0];
 
 my @users_to_lock = bad_password_users();
@@ -54,13 +60,16 @@ sub lock_user
 
     my $u = $a->get($userName) or die "No account record for user $userName";
 
+    # lock in unix shadow/passwd if used.
     if ($ldapauth ne 'enabled')
     {
         system("/usr/bin/passwd", "-l", $userName) == 0
             or ( $x = 255, warn "Error locking (unix) account $userName" );
     }
-    system("/usr/sbin/cpu", "usermod", "-L", $userName) == 0
-        or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Error locking (ldap) account $userName" );
+    # lock in LDAP
+    $result = $ldap->ldaplockuser($userName);
+    $result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Error locking (ldap) account $userName.\n" );
+    # lock in samba
     system("/usr/bin/smbpasswd", "-d", $userName) == 0
         or ( $x = 255, warn "Error locking (smb) account $userName" );
     $u->set_prop('PasswordSet', 'no');

root/etc/e-smith/events/actions/user-modify-unix

@@ -22,29 +22,17 @@ use strict;
 use Errno;
 use esmith::AccountsDB;
 use esmith::ConfigDB;
-use Net::LDAP;
 use esmith::util;
+use utf8;
+use esmith::util::ldap;
 
 my $conf = esmith::ConfigDB->open or die "Could not open configuration db";
 
 my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled';
 my $x = 0; # exit value
 
-my $domain = $conf->get('DomainName')
-    || die("Couldn't determine domain name");
-$domain = $domain->value;
-
 # prepare LDAP bind
-my $pw = esmith::util::LdapPassword();
-my $base = esmith::util::ldapBase ($domain);
-
-my $ldap = Net::LDAP->new('localhost')
-    or die "$@";
-
-$ldap->bind(
-    dn => "cn=root,$base",
-    password => $pw
-);
+my $ldap=esmith::util::ldap->new();
 
 my $event = $ARGV [0];
 my $userName = $ARGV [1];
@@ -94,22 +82,14 @@ foreach my $u (@users)
             system("/usr/sbin/usermod", '-s', "$new_shell", $userName) == 0
                 or ( $x = 255, warn "Failed to modify shell of (unix) account $userName.\n" );
         }
-
-        my @new_shell = ($new_shell);
-        $result = $ldap->modify("uid=$userName,ou=Users,$base",
-                      replace => {
-                          loginShell => \@new_shell
-                      }
-        );
-        $result->code && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify shell of (ldap) account $userName.\n" );
     }
 
     #------------------------------------------------------------
     # Modify user's first name and last name if required,
     # in /etc/passwd using "usermod"
     #------------------------------------------------------------
-    my $first = $u->prop('FirstName') || "";
-    my $last = $u->prop('LastName') || "";
+    my $first = stringToASCII($u->prop('FirstName') || "");
+    my $last = stringToASCII($u->prop('LastName') || "");
     my $new_comment = "$first $last";
 
     unless ($comment eq $new_comment)
@@ -119,36 +99,11 @@ foreach my $u (@users)
             system("/usr/sbin/usermod", "-c", "$first $last", $userName) == 0
                 or ( $x = 255, warn "Failed to modify comment of (unix) account $userName.\n" );
         }
-
-        my @new_comment = ($new_comment);
-        my @first = ($first);
-        my @last = ($last);
-        $result = $ldap->modify("uid=$userName,ou=Users,$base",
-                      replace => {
-                          givenName => \@first,
-                          sn => \@last,
-                          cn => \@new_comment,
-                          displayName => \@new_comment
-                      }
-        );
-        $result->code && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify comment/name of (ldap) account $userName.\n" );
     }
 
-    my @new_phone = ($u->prop('Phone')) || ();
-    my @new_company = ($u->prop('Company')) || ();
-    my @new_dept = ($u->prop('Dept')) || ();
-    my @new_city = ($u->prop('City')) || ();
-    my @new_street = ($u->prop('Street')) || ();
-    $result = $ldap->modify("uid=$userName,ou=Users,$base",
-                            replace => {
-                                telephoneNumber => \@new_phone,
-                                o => \@new_company,
-                                ou => \@new_dept,
-                                l => \@new_city,
-                                street => \@new_street
-                            }
-    );
-    $result->code && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify email of (ldap) account $userName.\n" );
+    # we do all the test in ldap pm to avoid 3 differents write access, which are costly.
+    $result = $ldap->ldapuser($u);
+    $result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify email of (ldap) account $userName.\n" );
 
 }
 

root/etc/e-smith/templates/etc/pam.d/system-auth/50session

@@ -1,4 +1,6 @@
 session     required      pam_limits.so
+-session    optional                                     pam_systemd.so
+session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet_success use_uid
 session     required      pam_unix.so
 {
     my $status = $ldap{Authentication} || 'disabled';

root/etc/e-smith/templates/etc/systemd/system-preset/49-koozali.preset/20services

@@ -11,7 +11,7 @@ foreach my $service ($c->get_all_by_prop(type => 'service')){
   my $multiple = $servicename;
   ($multiple = $servicename ) =~ s/([a-zA-Z0-9\-_.]+@)(.*)/$1.service/ if ( $servicename =~ /@/ );
 
-  $OUT .= "# Systemd service file  does not exist :	" unless -e "/usr/lib/systemd/system/$servicename" || -e "/etc/lib/systemd/system/$servicename" ||  -e "/usr/lib/systemd/system/$multiple";
+  $OUT .= "# Systemd service file  does not exist :	" unless -e "/usr/lib/systemd/system/$servicename" || -e "/etc/systemd/system/$servicename" ||  -e "/usr/lib/systemd/system/$multiple";
   $OUT .= "$status $servicename\n";
   $OUT .= "$status $multiple\n" unless $multiple eq $servicename ;
   

root/etc/e-smith/templates/home/e-smith/ssl.crt

@@ -4,6 +4,8 @@
     use Date::Parse;
     use Cwd;
     use Net::IP qw(ip_is_ipv4 ip_is_ipv6);
+    use esmith::Logger;
+    tie *FH, 'esmith::Logger';
     my $here = getcwd;
 
     my $Country = $modSSL{Country} || "--";
@@ -52,16 +54,16 @@
 	my $key_md5 = `openssl rsa -noout -modulus -in $key | openssl md5`;
 
         if ( ($ttl_days > 2) && ( "$crt_md5" eq "$key_md5" ) ) {
-            my $expected_issuer = '/C='.$Country .
-                              '/ST='.$State;
-            $expected_issuer .= '/L=' . ($defaultCity ? $defaultCity : 'Default City');
-            $expected_issuer .= '/O=' . ($defaultCompany ? $defaultCompany : 'Default Company Ltd');
-            $expected_issuer .= "/OU=$defaultDepartment" if $defaultDepartment;
-            $expected_issuer .= "/CN=$commonName" .
-                                  "/emailAddress=$email";
+            my $expected_issuer = 'C = '.$Country .
+                              ', ST = '.$State;
+            $expected_issuer .= ', L = ' . ($defaultCity ? $defaultCity : 'Default City');
+            $expected_issuer .= ', O = ' . ($defaultCompany ? $defaultCompany : 'Default Company Ltd');
+            $expected_issuer .= ", OU = $defaultDepartment" if $defaultDepartment;
+            $expected_issuer .= ", CN = $commonName" .
+                                  ", emailAddress = $email";
             my $issuer = `openssl x509 -issuer -noout -in $crt`;
             chomp $issuer;
-            $issuer =~ s/^issuer= //;
+            $issuer =~ s/^issuer=//;
             my $signatureAlg = `openssl x509 -text -noout -in $crt | grep "Signature Algorithm" | head -1`;
             chomp $signatureAlg;
             $signatureAlg =~ s/^ *Signature Algorithm: //;
@@ -70,6 +72,9 @@
             # openssl x509 -text -noout -in /etc/dehydrated/certs/domain/cert.pem | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\2,\1/;ta;p;q; }'
 	    $expected_subjectAltName = `openssl x509 -text -noout -in $crt | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\\n//;:a;s/^\\( *\\)\\(.*\\), /\\2,\\1/;ta;p;q; }'`;
 	    chomp $expected_subjectAltName;
+            print FH "Self-Signed Cert: $issuer\n expected $expected_issuer" unless ($issuer eq $expected_issuer);
+            print FH "Self-Signed Cert: $signatureAlg "unless ($signatureAlg ne "sha1WithRSAEncryption");
+            print FH "Self-Signed Cert: $subjectAltName\n expected: $expected_subjectAltName" unless ($subjectAltName eq $expected_subjectAltName);
             if (
 	                 ($issuer eq $expected_issuer)
 	              && ($signatureAlg ne "sha1WithRSAEncryption")
@@ -117,4 +122,5 @@
     }
     close(SSL) or die "Closing openssl pipe reported: $!";
     chdir $here;
+    close FH;
 }

root/etc/e-smith/templates/lib/modprobe.d/systemd.conf/10bond

@@ -0,0 +1,18 @@
+#  SPDX-License-Identifier: LGPL-2.1+
+#
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+#
+# When bonding module is loaded, it creates bond0 by default due to max_bonds
+# option default value 1. This interferes with the network configuration
+# management / networkd, as it is not possible to detect whether this bond0 was
+# intentionally configured by the user, or should be managed by
+# networkd/NM/etc. Therefore disable bond0 creation.
+# KOOZALI SME Server we do use it, and do not use NM, so enabling
+options bonding max_bonds=1
+
+

root/etc/e-smith/templates/lib/modprobe.d/systemd.conf/10dummy

@@ -0,0 +1,5 @@
+# Do the same for dummy0.
+# KOOZALI SME Server,we do use it too, so enabling
+
+options dummy numdummies=1
+

root/etc/logrotate.d/systemd

@@ -2,7 +2,7 @@
     missingok
     sharedscripts
     postrotate
-        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
+        /usr/bin/systemctl -s HUP kill rsyslog.service >/dev/null 2>&1 || true
     endscript
 }
 

root/etc/tmpfiles.d/portreserve.conf

@@ -0,0 +1 @@
+d /run/portreserve 0755 root root 10d

root/sbin/e-smith/systemd/network-pre

@@ -0,0 +1,4 @@
+#!/bin/bash
+# make sure that dummy driver is enabled
+/usr/sbin/lsmod |/usr/bin/grep -q dummy || /usr/sbin/modprobe dummy numdummies=1
+

root/usr/lib/systemd/system/networking.service

@@ -7,6 +7,7 @@ Conflicts=NetworkManager.service
 
 [Service]
 Type=oneshot
+ExecStartPre=/sbin/e-smith/systemd/network-pre
 ExecStart=/etc/rc.d/init.d/network start
 ExecStop=/etc/rc.d/init.d/network stop
 ExecReload=/etc/rc.d/init.d/network restart

smeserver-base.spec

@@ -4,7 +4,7 @@ Summary: smeserver server and gateway - base module
 %define name smeserver-base
 Name: %{name}
 %define version 11.0.0
-%define release 7
+%define release 14
 Version: %{version}
 Release: %{release}%{?dist}
 License: GPL
@@ -15,7 +15,7 @@ Source: %{name}-%{version}.tar.xz
 
 BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
 Requires: pwauth
-Requires: smeserver-lib >= 2.2.0-2
+Requires: smeserver-lib >= 11.0.0-7
 Requires: server-manager-images, server-manager
 Requires: smeserver-formmagick >= 1.4.0-12
 Requires: plymouth
@@ -39,6 +39,7 @@ Requires: smeserver-bootloader
 Requires: mdadm
 Requires: pv
 Requires: dhcp-server
+Requires: dhcp-client
 Requires: diald
 Requires: /usr/bin/passwd
 Requires: nss-pam-ldapd
@@ -49,7 +50,7 @@ Requires: smeserver-runit >= 2.6.0-7
 Requires: smeserver-php >= 3.0.0-22
 Requires: smeserver-yum >= 2.6.0-43 
 Obsoletes: nss_ldap < 254
-Requires: cpu >= 1.4.3
+Obsoletes: cpu
 Obsoletes: rlinetd, e-smith-mod_ssl
 Obsoletes: e-smith-serial-console
 Obsoletes: sshell
@@ -63,7 +64,8 @@ BuildRequires: perl, perl(Test::Inline) >= 0.12
 BuildRequires: smeserver-devtools >= 1.13.1-03
 BuildRequires: gettext
 Requires: gdisk
-
+Requires: ppp
+Requires: rp-pppoe 
 %define dbfiles accounts configuration domains hosts networks
 AutoReqProv: no
 
@@ -101,6 +103,7 @@ rm -rf $RPM_BUILD_ROOT
 mkdir -p $RPM_BUILD_ROOT/etc/selinux
 (cd root   ; find . -depth -print | cpio -dump $RPM_BUILD_ROOT)
 /sbin/e-smith/genfilelist $RPM_BUILD_ROOT \
+    --file /sbin/e-smith/systemd/network-pre 'attr(0554,root,root)' \
     --file /sbin/e-smith/systemd/mdmonitor-pre 'attr(0554,root,root)' \
     --file /sbin/e-smith/systemd/rsyslog-pre 'attr(0554,root,root)' \
     --file /etc/cron.daily/conf-mod_ssl 'attr(0544,root,root)' \
@@ -181,6 +184,36 @@ fi
 
 
 %changelog
+* Mon Sep 23 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-14.sme
+- fix result variable not initialized [SME: 12663]
+
+* Sun Sep 22 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-13.sme
+- fix mail spool perms [SME: 12654]
+- fix motd noise related to cockpit [SME: 12575]
+- fix /run vs /var/run temps dir noise [SME: 12639]
+
+* Wed Aug 14 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-12.sme
+- fix 3 regressions from SME10 [SME: 12654]
+  fix www missing from shared and few groups [SME: 12146]
+  fix group deletion leaves mail spool file [SME: 12431]
+  fix path to /etc/systemd for seeking service files [SME: 12421]
+
+* Tue Aug 13 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-11.sme
+- fix new systemd.log does not fill after log rotate [SME: 12688]
+
+* Wed May 15 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-10.sme
+- fix user@0.service failed to start [SME: 12568]
+- stop loging in audit crond success
+- drop cpu and use esmith:util::ldap [SME: 12663]
+
+* Wed Apr 17 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-9.sme
+- fix self-signed cert renewd when not necessary [SME: 12606]
+
+* Tue Apr 16 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-8.sme
+- add requirement for ppp [SME: 12622]
+- add requirement for rp-pppoe [SME: 12628]
+- enable modprobe dummy and bond [SME: 12627] 
+
 * Sat Apr 13 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-7.sme
 - fix init-accounts [SME: 12546]