diff --git a/root/etc/e-smith/events/actions/update-reverse-group b/root/etc/e-smith/events/actions/update-reverse-group
new file mode 100644
index 0000000..4fc60f4
--- /dev/null
+++ b/root/etc/e-smith/events/actions/update-reverse-group
@@ -0,0 +1,144 @@
+#!/usr/bin/perl -w
+
+#----------------------------------------------------------------------
+# copyright (C) 2010 Firewall Services
+# dani@firewall-services.com
+# copyright (C) 2025 Koozali Foundation inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# Technical support for this program is available from e-smith, inc.
+# For details, please visit our web site at www.e-smith.com or
+# call us on 1 888 ESMITH 1 (US/Canada toll free) or +1 613 564 8000
+#----------------------------------------------------------------------
+
+package esmith;
+
+use strict;
+use Errno;
+use esmith::ConfigDB;
+use esmith::AccountsDB;
+use esmith::util;
+use Net::LDAP;
+
+my $c = esmith::ConfigDB->open_ro;
+my $a = esmith::AccountsDB->open_ro;
+
+# TODO : enabled by default ?
+my $reverse = $i->prop('LdapReverseGroups') || 'disabled';
+my $x = 0;
+
+exit (0) if ($reverse eq 'disabled');
+
+# TODO : either migrate this code to esmith::ldap or use it there.
+my $l = $c->get('ldap');
+my $status = $l->prop('status') || "disabled";
+unless ($status eq "enabled" ){
+ warn "Not running action script $0, LDAP service not enabled!\n";
+ exit(0);
+}
+
+my $hostname = $c->get('SystemName')
+ || die("Couldn't determine system name");
+$hostname = $hostname->value;
+
+my $domain = $c->get('DomainName')
+ || die("Couldn't determine domain name");
+$domain = $domain->value;
+
+my @accounts;
+my $account;
+my $event = shift || die "Event name must be specified";
+if ($event eq 'ldap-update' or
+ $event eq 'bootstrap-ldap-save' or
+ $event =~ m/group\-(create|modify|delete)/){
+ @accounts = ($a->users);
+ push(@accounts, $a->get('admin'));
+}
+else{
+ my @name = @ARGV;
+ die "Account name argument missing." unless scalar (@name) >= 1;
+
+ foreach my $name (@name){
+ $account = $a->get($name);
+ die "Account $name not found.\n" unless defined $account;
+ my $type = $account->prop('type') || "unknown";
+
+ die "Account $name is not a user account; update LDAP entry failed.\n"
+ unless ($type eq 'user' or $name eq 'admin');
+ push @accounts, $account;
+ }
+}
+
+my $base = esmith::util::ldapBase ($domain);
+my $pw = esmith::util::LdapPassword();
+
+my $ldap = Net::LDAP->new('localhost') or die "$@";
+
+$ldap->bind(
+ dn => "cn=root,$base",
+ password => $pw
+);
+
+my $result;
+foreach my $acct (@accounts){
+ my $key = $acct->key;
+
+ # Ensure this account has the iPasserelleUser objectclass
+ $result = $ldap->search(
+ base => "ou=Users,". $base,
+ scope => 'sub',
+ filter => "uid=$key"
+ );
+ $result->code && ($x = 255, warn "Error looking for entry uid=$key,ou=Users,$base: ", $result->error);
+ my @oc = ();
+ my @oldgroups = ();
+ foreach my $entry ($result->all_entries()){
+ push @oc, $entry->get_value('objectClass');
+ push @oldgroups, $entry->get_value('posixMemberOf');
+ }
+
+ unless (grep { $_ =~ /iPasserelleUser/i } @oc){
+ push @oc, 'iPasserelleUser';
+
+ $result = $ldap->modify(
+ "uid=$key,ou=Users,$base",
+ replace => {
+ objectClass => \@oc
+ }
+ );
+ $result->code && ($x = 255, warn "failed to modify entry uid=$key,ou=Users,$base: ", $result->error);
+ }
+
+ my @groups = $a->user_group_list($key);
+ @oldgroups = sort @oldgroups;
+ @groups = sort @groups;
+ my $oldgroups = join('\0', @oldgroups);
+ my $groups = join('\0', @groups);
+
+ unless ($oldgroups eq $groups){
+ $result = $ldap->modify(
+ "uid=$key,ou=Users,$base",
+ replace => {
+ posixMemberOf => \@groups
+ }
+ );
+ $result->code && ($x = 255, warn "failed to modify entry uid=$key,ou=Users,$base: ", $result->error);
+ }
+}
+
+$ldap->unbind;
+
+exit ($x);
diff --git a/root/etc/e-smith/templates/etc/openldap/slapd.conf/10schema b/root/etc/e-smith/templates/etc/openldap/slapd.conf/10schema
index 9eb49aa..eb783c4 100644
--- a/root/etc/e-smith/templates/etc/openldap/slapd.conf/10schema
+++ b/root/etc/e-smith/templates/etc/openldap/slapd.conf/10schema
@@ -5,3 +5,4 @@ include /etc/openldap/schema/inetorgperson.schema
 include /etc/openldap/schema/nis.schema
 include /etc/openldap/schema/redhat/rfc822-MailMember.schema
 include /etc/openldap/schema/mailRelatedObject.schema
+include /etc/openldap/schema/koozaliExtra.schema
diff --git a/root/etc/e-smith/templates/etc/openldap/slapd.conf/90indexes b/root/etc/e-smith/templates/etc/openldap/slapd.conf/90indexes
index 0cf00c1..a1c7a3c 100644
--- a/root/etc/e-smith/templates/etc/openldap/slapd.conf/90indexes
+++ b/root/etc/e-smith/templates/etc/openldap/slapd.conf/90indexes
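Review bot: `my $reverse = $i->prop('LdapReverseGroups') || 'disabled';` reads `$i`, which is declared nowhere in the file, so under `use strict` the script fails at compile time and never reaches the LDAP code; the record meant is presumably the `ldap` configuration entry fetched later as `$l`, so move `my $l = $c->get('ldap');` above that line and use `$l->prop('LdapReverseGroups')`. The result of `$ldap->bind(...)` is never checked, so a wrong `cn=root` password only shows up as per-account search/modify failures later; capture it and stop early, e.g. `my $mesg = $ldap->bind(dn => "cn=root,$base", password => $pw); $mesg->code and die "LDAP bind failed: " . $mesg->error;`. `$key` is interpolated unescaped into both the search filter (`filter => "uid=$key"`) and the `uid=$key,ou=Users,$base` DNs; the key comes from the accounts DB rather than straight from the user, but `Net::LDAP::Util::escape_filter_value` / `escape_dn_value` would make that safe regardless of how keys are validated upstream. The loop adds objectClass `iPasserelleUser` and writes `posixMemberOf`, yet the `koozaliExtra.schema` added in this diff defines attribute types only and no objectClass, so unless that objectClass comes from a schema outside this diff the `replace => { objectClass => \@oc }` modify will be rejected by slapd. Finally, `join('\0', ...)` in single quotes joins on the two-character string backslash-zero rather than NUL; it still works as a change detector, but `"\0"` says what was meant.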
@@ -3,4 +3,5 @@ index objectClass,uid,uidNumber,gidNumber eq
 index memberUid eq
 index cn,mail,surname,givenname eq,subinitial
-
+index posixMemberOf eq
+index preferredMail eq,subinitial
diff --git a/root/etc/openldap/schema/koozaliExtra.schema b/root/etc/openldap/schema/koozaliExtra.schema
new file mode 100644
index 0000000..46c01cd
--- /dev/null
+++ b/root/etc/openldap/schema/koozaliExtra.schema
@@ -0,0 +1,21 @@
+attributetype ( 1.3.6.1.4.1.37518.1.1.2.1 NAME 'posixMemberOf'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.37518.1.1.2.2 NAME 'preferredMail'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256}
+ SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.37518.1.1.2.3 NAME 'extensionNumber'
+ DESC 'Internal Telephone Number'
+ EQUALITY telephoneNumberMatch
+ SUBSTR telephoneNumberSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )
+
+attributetype ( 1.3.6.1.4.1.37518.1.1.2.4 NAME 'desktopLoginShell'
+ DESC 'The path to the login shell for desktop machines'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
diff --git a/smeserver-ldap.spec b/smeserver-ldap.spec
index 99be2f4..2e6256b 100644
--- a/smeserver-ldap.spec
+++ b/smeserver-ldap.spec
@@ -4,7 +4,7 @@ Summary: smeserver server and gateway - LDAP module
 %define name smeserver-ldap
 Name: %{name}
 %define version 11.0.0
-%define release 12
+%define release 13
 Version: %{version}
 Release: %{release}%{?dist}
 License: GPL
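Review bot: In koozaliExtra.schema the first two attribute types, `posixMemberOf` and `preferredMail`, carry no `DESC` while `extensionNumber` and `desktopLoginShell` do, so a reader of the directory schema cannot tell what values they hold or who writes them. For `posixMemberOf` the update-reverse-group script in this diff fills it from the account's group list, so something like `DESC 'Names of the posix groups the user is a member of; maintained by update-reverse-group'` is grounded; for `preferredMail` nothing in this diff shows its meaning, so add a `DESC` stating whatever the intended use is. The indexes in 90indexes are consistent with the matching rules declared here (`eq` only for the caseExact `posixMemberOf`, `eq,subinitial` for `preferredMail`, which has a SUBSTR rule).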
@@ -31,6 +31,10 @@ Provides: e-smith-ldap
 smeserver server and gateway software - LDAP module.
 %changelog
+* Sat Sep 06 2025 Jean-Philippe Pialasse 11.0.0-13.sme
+- add support of posixMemberOf,preferredMail,extensionNumber,desktopLoginShell [SME: 10590]
+ TODO: improve integration of posixMemberOf
+
+* Sun Jan 26 2025 Jean-Philippe Pialasse 11.0.0-12.sme
+- some scripts requires setuidgid from daemontools to run [SME: 12566]