smeserver-ibays/root/etc/e-smith/events/actions/ibay-modify
Jean-Philippe Pialasse 1d67d9bd64 * Sat May 18 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-7.sme
- edit LDAP entries using Net::LDAP rather than cpu [SME: 12687]
2024-05-18 14:07:19 -04:00

293 lines
9.6 KiB
Perl
Executable File

#!/usr/bin/perl -w
#----------------------------------------------------------------------
# copyright (C) 1999-2005 Mitel Networks Corporation
# copyright (C) 2024 Koozali foundation inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
#----------------------------------------------------------------------
package esmith;
use strict;
use Errno;
use File::Find;
use esmith::util;
use esmith::templates;
use esmith::AccountsDB;
use esmith::ConfigDB;
use Net::LDAP;
my $conf = esmith::ConfigDB->open_ro
or die "Could not open Config DB";
my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled';
my $x = 0; # exit value
my $domain = $conf->get('DomainName')
|| die("Couldn't determine domain name");
$domain = $domain->value;
my $result;
# prepare LDAP bind
my $pw = esmith::util::LdapPassword();
my $base = esmith::util::ldapBase ($domain);
my $ldap = Net::LDAP->new('localhost')
or die "$@";
$ldap->bind(
dn => "cn=root,$base",
password => $pw
);
$ENV{'PATH'} = "/bin";
my $event = $ARGV [0];
my $ibayName = $ARGV [1];
die "ibayName argument missing" unless defined ($ibayName);
my $accountdb = esmith::AccountsDB->open_ro();
my $ibay = $accountdb->get($ibayName) or
die "Couldn't find $ibayName record in accounts db\n";
die "Account $ibayName is not an ibay account; modify ibay event failed.\n"
unless ($ibay->prop('type') eq 'ibay');
if ($event eq 'ibay-create')
{
#------------------------------------------------------------
# Check the Unix account.
#------------------------------------------------------------
#------------------------------------------------------------
# create unix user and group account, unless we switch to ldap authentication
#------------------------------------------------------------
if ($ldapauth ne 'enabled')
{
system(
"/usr/sbin/groupadd",
"-g",
$ibay->prop("Gid"),
$ibayName
) == 0 or ( $x = 255, warn "Failed to create (unix) group $ibayName.\n" );
system(
"/usr/sbin/useradd",
"-u",
$ibay->prop("Uid"),
"-g",
$ibay->prop("Gid"),
"-c",
$ibay->prop("Name"),
"-d",
"/home/e-smith/files/ibays/$ibayName/files",
"-G",
"shared,"
. $ibay->prop("Group"),
"-M",
"-s",
"/bin/false",
"$ibayName"
) == 0 or ( $x = 255, warn "Failed to create (unix) account $ibayName.\n" );
}
#------------------------------------------------------------
# add new ibay group to ldap
#------------------------------------------------------------
$result = $ldap->add("cn=$ibayName,ou=Groups,$base",
attrs => [
"cn"=> $ibayName,
"gidNumber"=> $ibay->prop("Gid"),
"objectClass" => [ 'posixGroup', 'mailboxRelatedObject']
]);
$result->code && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) group $ibayName.\n" );
#------------------------------------------------------------
# add new ibay user to ldap
#------------------------------------------------------------
$result = $ldap->add("uid=$ibayName,ou=Users,$base",
attrs => [
"uidNumber" => $ibay->prop("Uid"),
"gidNumber" => $ibay->prop("Gid"),
"cn" => $ibay->prop("Name"),
"objectClass" => [ 'account', 'posixAccount', 'shadowAccount'],
"homeDirectory" => "/home/e-smith/files/ibays/$ibayName",
"loginShell" => "/bin/false",
"shadowExpire" => -1,
"shadowFlag" => 134538308,
"shadowInactive" => -1,
"shadowLastChange" => 15997,
"shadowMax" => 99999,
"shadowMin" => -1,
"shadowWarning"=> 7,
]
);
$result->code && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) account $ibayName.\n" );
#------------------------------------------------------------
# Loop to add new user to groups "shared,". $ibay->prop("Group")
#------------------------------------------------------------
foreach my $grp ( 'shared', $ibay->prop("Group") ) {
$result = $ldap->modify("cn=$grp,ou=Groups,$base",
add => {
"memberUid"=> [ $ibay->prop("Uid")]
});
# error code 20 is entry already exits.
$result->code && ( $result->code != 20 ) && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to add (ldap) account $ibayName to supplementary group $grp.\n" );
}
#------------------------------------------------------------
# Create the ibay files and set the password.
#------------------------------------------------------------
system("/bin/cp", "-Rp", "/etc/e-smith/skel/ibay",
"/home/e-smith/files/ibays/$ibayName") == 0
or ( $x = 255, warn "Error copying ibay skeletal files" );
processTemplate( {
TEMPLATE_PATH=>"/home/e-smith/files/ibays/html/index.html",
OUTPUT_FILENAME=>"/home/e-smith/files/ibays/$ibayName/html/index.html",
MORE_DATA=>{IBAY_NAME=>$ibayName},
} );
if ($ldapauth ne 'enabled')
{
system("/usr/bin/passwd", "-l", $ibayName) == 0
or ( $x = 255, warn "Error locking (unix) account $ibayName" );
}
#------------------------------------------------------------
# lock password in ldap
#------------------------------------------------------------
$result = $ldap->modify("uid=$ibayName,ou=Users,$base",
replace => { 'userPassword' => "{crypt}!*"});
$result->code && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Error locking (ldap) account $ibayName.\n" );
}
elsif ($event eq 'ibay-modify' and $ibayName ne 'Primary')
{
#------------------------------------------------------------
# Modify ibay description in /etc/passwd using "usermod"
#------------------------------------------------------------
if ($ldapauth ne 'enabled')
{
system("/usr/sbin/usermod", "-c", $ibay->prop("Name"),
"-G", "shared," . $ibay->prop("Group"), "$ibayName") == 0
or ( $x = 255, warn "Failed to modify (unix) account $ibayName.\n" );
}
#------------------------------------------------------------
# Modify ibay description in ldap"
#------------------------------------------------------------
$result = $ldap->modify("uid=$ibayName,ou=Users,$base",
replace => {
"cn" => $ibay->prop("Name"),
}
);
$result->code && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify email of (ldap) account $ibayName.\n" );
#------------------------------------------------------------
# Loop to add new user to groups "shared,". $ibay->prop("Group")
#------------------------------------------------------------
foreach my $grp ( 'shared', $ibay->prop("Group") ) {
$result = $ldap->modify("cn=$grp,ou=Groups,$base",
add=> {
"memberUid"=> [ $ibay->prop("Uid")]
} );
# error code 20 is entry already exits.
$result->code && ( $result->code != 20 ) && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to add (ldap) account $ibayName to supplementary group $grp.\n" );
}
}
#------------------------------------------------------------
# Fix permissions on ibay files.
#------------------------------------------------------------
#--------------------------------------------------
# main directory is writeable only by root
#--------------------------------------------------
chdir "/home/e-smith/files/ibays/$ibayName"
or ( $x = 255, warn "Could not chdir to /home/e-smith/files/ibays/$ibayName" );
esmith::util::chownFile("root", "root", ".");
chmod 0755, ".";
#--------------------------------------------------
# fix ownership of subdirectories
#--------------------------------------------------
#--------------------------------------------------
# Set the group as www if it was admin, since
# while set as admin, the web server no longer has
# access to the ibay HTML directory, and web pages.
#--------------------------------------------------
my %properties = $ibay->props;
$::group = ($properties{'Group'} eq "admin") ? "www" : $properties {'Group'};
# Make sensible defaults
$::owner = undef;
$::fileperm = 0600;
$::dirperm = 0550;
if ($properties {'UserAccess'} eq 'wr-admin-rd-group')
{
$::owner = "admin";
$::fileperm = 0640;
$::dirperm = 02750;
}
elsif ($properties {'UserAccess'} eq 'wr-group-rd-group')
{
$::fileperm = 0660;
$::dirperm = 02770;
}
elsif ($properties {'UserAccess'} eq 'wr-group-rd-everyone')
{
$::fileperm = 0664;
$::dirperm = 02775;
}
else
{
warn("Value of UserAccess bad or unset");
}
sub process
{
if (-l)
{
$File::Find::prune = 1;
}
else
{
esmith::util::chownFile($::owner, $::group, $_);
if (-d)
{
chmod $::dirperm, $_;
}
elsif (-f)
{
# Preserve execute permissions on files
my $experm = (stat($_))[2] & 0111;
$experm |= $::fileperm;
chmod $experm, $_;
}
}
}
find(\&process, glob("*"));
exit ($x);