Diffstat (limited to 'examples/LDAP/smbldap-tools/smbldap_tools.pm')
-rwxr-xr-x | examples/LDAP/smbldap-tools/smbldap_tools.pm | 1114 |
1 files changed, 463 insertions, 651 deletions
diff --git a/examples/LDAP/smbldap-tools/smbldap_tools.pm b/examples/LDAP/smbldap-tools/smbldap_tools.pm
index d33a65b7d17..0a451210f31 100755
--- a/examples/LDAP/smbldap-tools/smbldap_tools.pm
+++ b/examples/LDAP/smbldap-tools/smbldap_tools.pm
@@ -1,8 +1,7 @@
-#! /usr/bin/perl -w
+#! /usr/bin/perl
 use strict;
 package smbldap_tools;
 use smbldap_conf;
-use Net::LDAP;
 # This code was developped by IDEALX (http://IDEALX.org/) and
 # contributors (their names can be found in the CONTRIBUTORS file).
 
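Review bot: Dropping `-w` from the shebang silences every runtime warning for the module (uninitialized values, numeric/string misuse) and nothing in the new preamble replaces it; `use strict;` on the next line only covers symbol and reference strictness. If the intent is to stop the interpreter flag from leaking into callers, `use warnings;` directly after `use strict;` gives the same coverage lexically, and I would also keep `use Net::LDAP;` out only if no remaining code path in the module still refers to it — the rest of the file is outside this hunk.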
@@ -30,739 +29,552 @@ use Net::LDAP; use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS); use Exporter; $VERSION = 1.00; - @ISA = qw(Exporter); @EXPORT = qw( - get_user_dn - get_group_dn - is_group_member - is_samba_user - is_unix_user - is_user_valid - does_sid_exist - get_dn_from_line - add_posix_machine - add_samba_machine - add_samba_machine_mkntpwd - group_add_user - add_grouplist_user - disable_user - delete_user - group_add - group_del - get_homedir - read_user - read_user_entry - read_group - read_group_entry - read_group_entry_gid - find_groups_of - parse_group - group_remove_member - group_get_members - do_ldapadd - do_ldapmodify - get_user_dn2 - connect_ldap_master - connect_ldap_slave - group_type_by_name - ); - -sub connect_ldap_master - { - # bind to a directory with dn and password - my $ldap_master = Net::LDAP->new( - "$masterLDAP", - port => "$masterPort", - version => 3, - # debug => 0xffff, - ) - or die "erreur LDAP: Can't contact master ldap server ($@)"; - if ($ldapSSL == 1) { - $ldap_master->start_tls( - # verify => 'require', - # clientcert => 'mycert.pem', - # clientkey => 'mykey.pem', - # decryptkey => sub { 'secret'; }, - # capath => '/usr/local/cacerts/' - ); - } - $ldap_master->bind ( "$binddn", - password => "$masterPw" - ); - return($ldap_master); - } - -sub connect_ldap_slave - { - # bind to a directory with dn and password - my $ldap_slave = Net::LDAP->new( - "$slaveLDAP", - port => "$slavePort", - version => 3, - # debug => 0xffff, - ) - or die "erreur LDAP: Can't contact slave ldap server ($@)"; - if ($ldapSSL == 1) { - $ldap_slave->start_tls( - # verify => 'require', - # clientcert => 'mycert.pem', - # clientkey => 'mykey.pem', - # decryptkey => sub { 'secret'; }, - # capath => '/usr/local/cacerts/' - ); - } - $ldap_slave->bind ( "$binddn", - password => "$slavePw" - ); - return($ldap_slave); - } - +get_user_dn +get_group_dn +is_samba_user +is_user_valid +get_dn_from_line +add_posix_machine +add_samba_machine 
+add_samba_machine_mkntpwd +group_add_user +add_grouplist_user +disable_user +delete_user +group_add +get_homedir +read_user +read_group +find_groups_of +parse_group +group_remove_member +group_get_members +do_ldapadd +do_ldapmodify +get_user_dn2 +); + +# dn_line = get_user_dn($username) +# where dn_line is like "dn: a=b,c=d" sub get_user_dn - { +{ my $user = shift; - my $dn=''; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( base => $suffix, - scope => $scope, - filter => "(&(objectclass=posixAccount)(uid=$user))" - ); - $mesg->code && die $mesg->error; - foreach my $entry ($mesg->all_entries) { - $dn= $entry->dn; - } - $ldap_slave->unbind; - chomp($dn); + my $dn=`$ldapsearch -b '$suffix' -s '$scope' '(&(objectclass=posixAccount)(uid=$user))' | grep "^dn:"`; + chomp $dn; if ($dn eq '') { - return undef; + return undef; } - $dn="dn: ".$dn; + return $dn; - } - +} +# return (success, dn) sub get_user_dn2 - { +{ my $user = shift; - my $dn=''; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( base => $suffix, - scope => $scope, - filter => "(&(objectclass=posixAccount)(uid=$user))" - ); - $mesg->code && warn "failed to perform search; ", $mesg->error; - - foreach my $entry ($mesg->all_entries) { - $dn= $entry->dn; + + my $sr = `$ldapsearch -b '$suffix' -s '$scope' '(&(objectclass=posixAccount)(uid=$user))'`; + if ($sr eq "") { + print "get_user_dn2: error in ldapsearch : +$ldapsearch -b '$suffix' -s '$scope' '(&(objectclass=posixAccount)(uid=$user))'\n"; + return (0, undef); } - $ldap_slave->unbind; - chomp($dn); + + my @lines = split(/\n/, $sr); + + my @matches = grep(/^dn:/, @lines); + + my $dn = $matches[0]; + chomp $dn; if ($dn eq '') { - return (1,undef); + return (1, undef); } - $dn="dn: ".$dn; - return (1,$dn); - } - + + return (1, $dn); +} +# dn_line = get_group_dn($groupname) +# where dn_line is like "dn: a=b,c=d" sub get_group_dn - { - my $group = shift; - my $dn=''; - my $ldap_slave=connect_ldap_slave(); - my 
$mesg = $ldap_slave->search ( base => $groupsdn, - scope => $scope, - filter => "(&(objectclass=posixGroup)(|(cn=$group)(gidNumber=$group)))" - ); - $mesg->code && die $mesg->error; - foreach my $entry ($mesg->all_entries) { - $dn= $entry->dn; - } - $ldap_slave->unbind; - chomp($dn); - if ($dn eq '') { - return undef; - } - $dn="dn: ".$dn; - return $dn; - } +{ + my $group = shift; + my $dn=`$ldapsearch -b '$groupsdn' -s '$scope' '(&(objectclass=posixGroup)(|(cn=$group)(gidNumber=$group)))' | grep "^dn:"`; + chomp $dn; + if ($dn eq '') { + return undef; + } + + return $dn; +} -# return (success, dn) # bool = is_samba_user($username) sub is_samba_user - { - my $user = shift; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( base => $suffix, - scope => $scope, - filter => "(&(objectClass=sambaSamAccount)(uid=$user))" - ); - $mesg->code && die $mesg->error; - $ldap_slave->unbind; - return ($mesg->count ne 0); - } - -sub is_unix_user - { - my $user = shift; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( base => $suffix, - scope => $scope, - filter => "(&(objectClass=posixAccount)(uid=$user))" - ); - $mesg->code && die $mesg->error; - $ldap_slave->unbind; - return ($mesg->count ne 0); - } - -sub is_group_member - { - my $dn_group = shift; - my $user = shift; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( base => $dn_group, - scope => 'base', - filter => "(&(memberUid=$user))" - ); - $mesg->code && die $mesg->error; - $ldap_slave->unbind; - return ($mesg->count ne 0); - } - -# all entries = does_sid_exist($sid,$scope) -sub does_sid_exist - { - my $sid = shift; - my $dn_group=shift; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( base => $dn_group, - scope => $scope, - filter => "(sambaSID=$sid)" - #filter => "(&(objectClass=sambaSamAccount|objectClass=sambaGroupMapping)(sambaSID=$sid))" - ); - $mesg->code && die $mesg->error; - $ldap_slave->unbind; - return ($mesg); - } 
+{ + my $user = shift; + my $cmd = "$ldapsearch -b '$suffix' -s '$scope' '(&(objectClass=sambaAccount)(uid=$user))' | grep '^dn:\'"; + my $res=`$cmd`; + chomp $res; + if ($res ne '') { + return 1; + } + return 0; +} +# bool = is_user_valid($username) # try to bind with user dn and password to validate current password -sub is_user_valid - { - my ($user, $dn, $pass) = @_; - my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; - my $mesg= $ldap->bind (dn => $dn, password => $pass ); - if ($mesg->code eq 0) { - $ldap->unbind; - return 1; - } else { - if ($ldap->bind()) { - $ldap->unbind; - return 0; - } else { - print ("The LDAP directory is not available.\n Check the server, cables ..."); - $ldap->unbind; - return 0; - } - die "Problem : contact your administrator"; - } - } - +sub is_user_valid +{ + my ($user, $dn, $pass) = @_; + my $res=`$ldapsearchnobind -b '$usersdn' -s '$scope' -D '$dn' -w '$pass' '(&(objectclass=posixAccount)(uid=$user))' 2>/dev/null | grep "^dn:"`; + chomp $res; + if ($res eq '') { + return 0; + } + return 1; +} # dn = get_dn_from_line ($dn_line) # helper to get "a=b,c=d" from "dn: a=b,c=d" sub get_dn_from_line - { - my $dn = shift; - $dn =~ s/^dn: //; - return $dn; - } - +{ + my $dn = shift; + $dn =~ s/^dn: //; + return $dn; +} # success = add_posix_machine($user, $uid, $gid) sub add_posix_machine - { - my ($user, $uid, $gid) = @_; - # bind to a directory with dn and password - my $ldap_master=connect_ldap_master(); - my $add = $ldap_master->add ( "uid=$user,$computersdn", - attr => [ - 'objectclass' => ['top','inetOrgPerson', 'posixAccount'], - 'cn' => "$user", - 'sn' => "$user", - 'uid' => "$user", - 'uidNumber' => "$uid", - 'gidNumber' => "$gid", - 'homeDirectory' => '/dev/null', - 'loginShell' => '/bin/false', - 'description' => 'Computer', - ] - ); - - $add->code && warn "failed to add entry: ", $add->error ; - # take down the session - $ldap_master->unbind; - - } +{ + my ($user, $uid, $gid) = @_; + +my $tmpldif = +"dn: 
uid=$user,$computersdn +objectclass: top +objectclass: posixAccount +cn: $user +uid: $user +uidNumber: $uid +gidNumber: $gid +homeDirectory: /dev/null +loginShell: /bin/false +description: Computer + +"; + + die "$0: error while adding posix account to machine $user\n" + unless (do_ldapadd($tmpldif) == 0); + + undef $tmpldif; + return 1; +} # success = add_samba_machine($computername) sub add_samba_machine - { +{ my $user = shift; system "smbpasswd -a -m $user"; + return 1; - } +} sub add_samba_machine_mkntpwd - { - my ($user, $uid) = @_; - my $sambaSID = 2 * $uid + 1000; - my $name = $user; - $name =~ s/.$//s; - - if ($mk_ntpasswd eq '') { - print "Either set \$with_smbpasswd = 1 or specify \$mk_ntpasswd\n"; - return 0; - } +{ + my ($user, $uid) = @_; + my $rid = 2 * $uid + 1000; # Samba 2.2.2 stuff - my $ntpwd = `$mk_ntpasswd '$name'`; - chomp(my $lmpassword = substr($ntpwd, 0, index($ntpwd, ':'))); - chomp(my $ntpassword = substr($ntpwd, index($ntpwd, ':')+1)); - - my $ldap_master=connect_ldap_master(); - my $modify = $ldap_master->modify ( "uid=$user,$computersdn", - changes => [ - replace => [objectClass => ['inetOrgPerson', 'posixAccount', 'sambaSamAccount']], - add => [sambaPwdLastSet => '0'], - add => [sambaLogonTime => '0'], - add => [sambaLogoffTime => '2147483647'], - add => [sambaKickoffTime => '2147483647'], - add => [sambaPwdCanChange => '0'], - add => [sambaPwdMustChange => '0'], - add => [sambaAcctFlags => '[W ]'], - add => [sambaLMPassword => "$lmpassword"], - add => [sambaNTPassword => "$ntpassword"], - add => [sambaSID => "$SID-$sambaSID"], - add => [sambaPrimaryGroupSID => "$SID-0"] - ] - ); - - $modify->code && die "failed to add entry: ", $modify->error ; + my $name = $user; + $name =~ s/.$//s; - return 1; - # take down the session - $ldap_master->unbind; + if ($mk_ntpasswd eq '') { + print "Either set \$with_smbpasswd = 1 or specify \$mk_ntpasswd\n"; + return 0; + } + + my $ntpwd = `$mk_ntpasswd '$name'`; + chomp(my $lmpassword = 
substr($ntpwd, 0, index($ntpwd, ':'))); + chomp(my $ntpassword = substr($ntpwd, index($ntpwd, ':')+1)); + + my $tmpldif = +"dn: uid=$user,$computersdn +changetype: modify +objectclass: top +objectclass: posixAccount +objectClass: sambaAccount +pwdLastSet: 0 +logonTime: 0 +logoffTime: 2147483647 +kickoffTime: 2147483647 +pwdCanChange: 0 +pwdMustChange: 2147483647 +acctFlags: [W ] +lmpassword: $lmpassword +ntpassword: $ntpassword +rid: $rid +primaryGroupID: 0 + +"; + + die "$0: error while adding samba account to $user\n" + unless (do_ldapmodify($tmpldif) == 0); + undef $tmpldif; + + return 1; +} - } sub group_add_user - { - my ($group, $userid) = @_; - my $members=''; - my $dn_line = get_group_dn($group); - if (!defined(get_group_dn($group))) { - print "$0: group \"$group\" doesn't exist\n"; - exit (6); - } - if (!defined($dn_line)) { - return 1; - } - my $dn = get_dn_from_line("$dn_line"); - # on look if the user is already present in the group - my $is_member=is_group_member($dn,$userid); - if ($is_member == 1) { - print "User \"$userid\" already member of the group \"$group\".\n"; - } else { - # bind to a directory with dn and password - my $ldap_master=connect_ldap_master(); - # It does not matter if the user already exist, Net::LDAP will add the user - # if he does not exist, and ignore him if his already in the directory. 
- my $modify = $ldap_master->modify ( "$dn", - changes => [ - add => [memberUid => $userid] - ] - ); - $modify->code && die "failed to modify entry: ", $modify->error ; - # take down session - $ldap_master->unbind; - } - } - -sub group_del - { - my $group_dn=shift; - # bind to a directory with dn and password - my $ldap_master=connect_ldap_master(); - my $modify = $ldap_master->delete ($group_dn); - $modify->code && die "failed to delete group : ", $modify->error ; - # take down session - $ldap_master->unbind; - } - -sub add_grouplist_user - { - my ($grouplist, $user) = @_; - my @array = split(/,/, $grouplist); - foreach my $group (@array) { - group_add_user($group, $user); - } - } +{ + my ($group, $userid) = @_; + my $dn_line; + + if (!defined($dn_line = get_group_dn($group))) { + return 1; + } + my $dn = get_dn_from_line($dn_line); + my $members = `$ldapsearch -b '$dn' -s base | grep -i "^memberUid:"`; + chomp($members); + # user already member ? + if ($members =~ m/^memberUid: $userid/) { + return 2; + } + my $mods = ""; + if ($members ne '') { + $mods="$dn_line +changetype: modify +replace: memberUid +$members +memberUid: $userid +"; + } else { + $mods="$dn_line +changetype: modify +add: memberUid +memberUid: $userid +"; + } + + #print "$mods\n"; + + my $tmpldif = +"$mods +"; + + die "$0: error while modifying group $group\n" + unless (do_ldapmodify($tmpldif) == 0); + undef $tmpldif; + return 0; +} + +sub add_grouplist_user +{ + my ($grouplist, $user) = @_; + my @array = split(/,/, $grouplist); + foreach my $group (@array) { + group_add_user($group, $user); + } +} +# XXX FIXME : acctFlags |= D, and not acctFlags = D sub disable_user - { - my $user = shift; - my $dn_line; - my $dn = get_dn_from_line($dn_line); - - if (!defined($dn_line = get_user_dn($user))) { - print "$0: user $user doesn't exist\n"; - exit (10); - } - my $ldap_master=connect_ldap_master(); - my $modify = $ldap_master->modify ( "$dn", - changes => [ - replace => [userPassword => '{crypt}!x'] - 
] - ); - $modify->code && die "failed to modify entry: ", $modify->error ; - - if (is_samba_user($user)) { - my $modify = $ldap_master->modify ( "$dn", - changes => [ - replace => [sambaAcctFlags => '[D ]'] - ] - ); - $modify->code && die "failed to modify entry: ", $modify->error ; - } - # take down session - $ldap_master->unbind; - } +{ + my $user = shift; + my $dn_line; + + if (!defined($dn_line = get_user_dn($user))) { + print "$0: user $user doesn't exist\n"; + exit (10); + } + + my $tmpldif = +"dn: $dn_line +changetype: modify +replace: userPassword +userPassword: {crypt}!x + +"; + + die "$0: error while modifying user $user\n" + unless (do_ldapmodify($tmpldif) == 0); + undef $tmpldif; + + if (is_samba_user($user)) { + + my $tmpldif = +"dn: $dn_line +changetype: modify +replace: acctFlags +acctFlags: [D ] + +"; + + die "$0: error while modifying user $user\n" + unless (do_ldapmodify($tmpldif) == 0); + undef $tmpldif; + + } + +} # delete_user($user) sub delete_user - { - my $user = shift; - my $dn_line; +{ + my $user = shift; + my $dn_line; - if (!defined($dn_line = get_user_dn($user))) { - print "$0: user $user doesn't exist\n"; - exit (10); - } + if (!defined($dn_line = get_user_dn($user))) { + print "$0: user $user doesn't exist\n"; + exit (10); + } - my $dn = get_dn_from_line($dn_line); - my $ldap_master=connect_ldap_master(); - my $modify = $ldap_master->delete($dn); - $ldap_master->unbind; - } + my $dn = get_dn_from_line($dn_line); + system "$ldapdelete $dn >/dev/null"; +} -# $gid = group_add($groupname, $group_gid, $force_using_existing_gid) +# $success = group_add($groupname, $group_gid, $force_using_existing_gid) sub group_add - { - my ($gname, $gid, $force) = @_; - my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1"; - if ($nscd_status == 0) { - system "/etc/init.d/nscd stop > /dev/null 2>&1"; - } - if (!defined($gid)) { - while (defined(getgrgid($GID_START))) { - $GID_START++; - } - $gid = $GID_START; - } else { - if 
(!defined($force)) { - if (defined(getgrgid($gid))) { - return undef; - } - } +{ + my ($gname, $gid, $force) = @_; + + my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1"; + + if ($nscd_status == 0) { + system "/etc/init.d/nscd stop > /dev/null 2>&1"; + } + + if (!defined($gid)) { + while (defined(getgrgid($GID_START))) { + $GID_START++; } - if ($nscd_status == 0) { - system "/etc/init.d/nscd start > /dev/null 2>&1"; + $gid = $GID_START; + } else { + if (!defined($force)) { + if (defined(getgrgid($gid))) { + return 0; + } } - my $ldap_master=connect_ldap_master(); - my $modify = $ldap_master->add ( "cn=$gname,$groupsdn", - attrs => [ - objectClass => 'posixGroup', - cn => "$gname", - gidNumber => "$gid" - ] - ); - - $modify->code && die "failed to add entry: ", $modify->error ; - # take down session - $ldap_master->unbind; - return $gid; - } + } + + if ($nscd_status == 0) { + system "/etc/init.d/nscd start > /dev/null 2>&1"; + } + + my $tmpldif = +"dn: cn=$gname,$groupsdn +objectclass: posixGroup +cn: $gname +gidNumber: $gid + +"; + + die "$0: error while adding posix group $gname\n" + unless (do_ldapadd($tmpldif) == 0); + + undef $tmpldif; + + return 1; +} # $homedir = get_homedir ($user) sub get_homedir - { - my $user = shift; - my $homeDir=''; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( - base =>$suffix, - scope => $scope, - filter => "(&(objectclass=posixAccount)(uid=$user))" - ); - $mesg->code && die $mesg->error; - foreach my $entry ($mesg->all_entries) { - foreach my $attr ($entry->attributes) { - if ($attr=~/\bhomeDirectory\b/) { - foreach my $ent ($entry->get_value($attr)) { - $homeDir.= $attr.": ".$ent."\n"; - } - } - } - } - $ldap_slave->unbind; - chomp $homeDir; - if ($homeDir eq '') { - return undef; - } - $homeDir =~ s/^homeDirectory: //; - return $homeDir; - } +{ + my $user = shift; + my $homeDir=`$ldapsearch -b '$suffix' -s '$scope' '(&(objectclass=posixAccount)(uid=$user))' | grep "^homeDirectory:"`; + 
chomp $homeDir; + if ($homeDir eq '') { + return undef; + } + $homeDir =~ s/^homeDirectory: //; + + return $homeDir; +} # search for an user sub read_user - { - my $user = shift; - my $lines =''; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( # perform a search - base => $suffix, - scope => $scope, - filter => "(&(objectclass=posixAccount)(uid=$user))" - ); - - $mesg->code && die $mesg->error; - foreach my $entry ($mesg->all_entries) { - $lines.= "dn: " . $entry->dn."\n"; - foreach my $attr ($entry->attributes) { - { - $lines.= $attr.": ".join(',', $entry->get_value($attr))."\n"; - } - } - } - # take down session - $ldap_slave->unbind; - chomp $lines; - if ($lines eq '') { - return undef; - } - return $lines; - } - -# search for a user -# return the attributes in an array -sub read_user_entry - { - my $user = shift; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( # perform a search - base => $suffix, - scope => $scope, - filter => "(&(objectclass=posixAccount)(uid=$user))" - ); - - $mesg->code && die $mesg->error; - my $entry = $mesg->entry(); - $ldap_slave->unbind; - return $entry; - } +{ + my $user = shift; + my $lines=`$ldapsearch -b '$suffix' -s '$scope' '(&(objectclass=posixAccount)(uid=$user))' -LLL`; + chomp $lines; + if ($lines eq '') { + return undef; + } + + return $lines; +} # search for a group sub read_group - { - my $user = shift; - my $lines =''; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( # perform a search - base => $groupsdn, - scope => $scope, - filter => "(&(objectclass=posixGroup)(cn=$user))" - ); - - $mesg->code && die $mesg->error; - foreach my $entry ($mesg->all_entries) { - $lines.= "dn: " . 
$entry->dn."\n"; - foreach my $attr ($entry->attributes) { - { - $lines.= $attr.": ".join(',', $entry->get_value($attr))."\n"; - } - } - } - # take down session - $ldap_slave->unbind; - chomp $lines; - if ($lines eq '') { - return undef; - } - return $lines; - } +{ + my $user = shift; + my $lines=`$ldapsearch -b '$groupsdn' -s '$scope' '(&(objectclass=posixGroup)(cn=$user))' -LLL`; + chomp $lines; + if ($lines eq '') { + return undef; + } + + return $lines; +} # find groups of a given user -##### MODIFIE ######## sub find_groups_of - { - my $user = shift; - my $lines =''; - my $ldap_slave=connect_ldap_slave; - my $mesg = $ldap_slave->search ( # perform a search - base => $groupsdn, - scope => $scope, - filter => "(&(objectclass=posixGroup)(memberuid=$user))" - ); - $mesg->code && die $mesg->error; - foreach my $entry ($mesg->all_entries) { - $lines.= "dn: ".$entry->dn."\n"; - } - $ldap_slave->unbind; - chomp($lines); - if ($lines eq '') { - return undef; - } - return $lines; - } - -sub read_group_entry { - my $group = shift; - my $entry; - my %res; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( # perform a search - base => $groupsdn, - scope => $scope, - filter => "(&(objectclass=posixGroup)(cn=$group))" - ); - - $mesg->code && die $mesg->error; - my $nb=$mesg->count; - if ($nb > 1) { - print "Error: $nb groups exist \"cn=$group\"\n"; - foreach $entry ($mesg->all_entries) { my $dn=$entry->dn; print " $dn\n"; } - exit 11; - } else { - $entry = $mesg->shift_entry(); - } - return $entry; -} +{ + my $user = shift; + my $lines=`$ldapsearch -b '$groupsdn' -s '$scope' '(&(objectclass=posixGroup)(memberuid=$user))' -LLL | grep "^dn: "`; + chomp $lines; + if ($lines eq '') { + return undef; + } -sub read_group_entry_gid { - my $group = shift; - my %res; - my $ldap_slave=connect_ldap_slave(); - my $mesg = $ldap_slave->search ( # perform a search - base => $groupsdn, - scope => $scope, - filter => "(&(objectclass=posixGroup)(gidNumber=$group))" - ); 
- - $mesg->code && die $mesg->error; - my $entry = $mesg->shift_entry(); - return $entry; + return $lines; } # return the gidnumber for a group given as name or gid # -1 : bad group name # -2 : bad gidnumber sub parse_group - { - my $userGidNumber = shift; - if ($userGidNumber =~ /[^\d]/ ) { - my $gname = $userGidNumber; - my $gidnum = getgrnam($gname); - if ($gidnum !~ /\d+/) { - return -1; - } else { - $userGidNumber = $gidnum; - } - } elsif (!defined(getgrgid($userGidNumber))) { - return -2; +{ + my $userGidNumber = shift; + + if ($userGidNumber =~ /[^\d]/ ) { + my $gname = $userGidNumber; + my $gidnum = getgrnam($gname); + if ($gidnum !~ /\d+/) { + return -1; + } else { + $userGidNumber = $gidnum; } - return $userGidNumber; - } + } elsif (!defined(getgrgid($userGidNumber))) { + return -2; + } + return $userGidNumber; +} # remove $user from $group sub group_remove_member - { - my ($group, $user) = @_; - my $members=''; - my $grp_line = get_group_dn($group); - if (!defined($grp_line)) { - return 0; - } - my $dn = get_dn_from_line($grp_line); - # we test if the user exist in the group - my $is_member=is_group_member($dn,$user); - if ($is_member == 1) { - my $ldap_master=connect_ldap_master(); - # delete only the user from the group - my $modify = $ldap_master->modify ( "$dn", - changes => [ - delete => [memberUid => ["$user"]] - ] - ); - $modify->code && die "failed to delete entry: ", $modify->error ; - $ldap_master->unbind; - } - return 1; - } +{ + my ($group, $user) = @_; + + my $grp_line = get_group_dn($group); + if (!defined($grp_line)) { + return 0; + } + my $members = `$ldapsearch -b '$groupsdn' -s '$scope' '(&(objectclass=posixgroup)(cn=$group))' | grep -i "^memberUid:"`; + + #print "avant ---\n$members\n"; + $members =~ s/memberUid: $user\n//; + #print "----\n$members\n---\n"; + + chomp($members); + + my $header; + if ($members eq '') { + $header = "changetype: modify\n"; + $header .= "delete: memberUid"; + } else { + $header = "changetype: modify\n"; + 
$header .= "replace: memberUid"; + } + + my $tmpldif = +"$grp_line +$header +$members +"; + die "$0: error while modifying group $group\n" + unless (do_ldapmodify($tmpldif) == 0); + undef $tmpldif; + + return 1; +} sub group_get_members - { - my ($group) = @_; - my $members; - my @resultat; - my $grp_line = get_group_dn($group); - if (!defined($grp_line)) { - return 0; - } +{ + my ($group) = @_; + my @members; - my $ldap = Net::LDAP->new($slaveLDAP) or die "erreur LDAP"; - $ldap->bind ; - my $mesg = $ldap->search ( - base => $groupsdn, - scope => $scope, - filter => "(&(objectclass=posixgroup)(cn=$group))" - ); - $mesg->code && die $mesg->error; - foreach my $entry ($mesg->all_entries) { - foreach my $attr ($entry->attributes) { - if ($attr=~/\bmemberUid\b/) { - foreach my $ent ($entry->get_value($attr)) { - push (@resultat,$ent); - } - } - } - } - return @resultat; - } + my $grp_line = get_group_dn($group); + if (!defined($grp_line)) { + return 0; + } + my $members = `$ldapsearch -b '$groupsdn' -s '$scope' '(&(objectclass=posixgroup)(cn=$group))' memberUid | grep -i "^memberUid:"`; + + my @lines = split (/\n/, $members); + foreach my $line (@lines) { + $line =~ s/^memberUid: //; + push(@members, $line); + } + + return @members; +} + +sub file_write { + my ($filename, $filecontent) = @_; + local *FILE; + open (FILE, "> $filename") || + die "Cannot open «$filename» for writing: $!\n"; + print FILE $filecontent; + close FILE; +} + +# wrapper for ldapadd +sub do_ldapadd2 +{ + my $ldif = shift; + + my $tempfile = "/tmp/smbldapadd.$$"; + file_write($tempfile, $ldif); + + my $rc = system "$ldapadd < $tempfile >/dev/null"; + unlink($tempfile); + return $rc; +} + +sub do_ldapadd +{ + my $ldif = shift; + + my $FILE = "|$ldapadd >/dev/null"; + open (FILE, $FILE) || die "$!\n"; + print FILE <<EOF; +$ldif +EOF + ; + close FILE; + my $rc = $?; + return $rc; +} + +# wrapper for ldapmodify +sub do_ldapmodify2 +{ + my $ldif = shift; + + my $tempfile = "/tmp/smbldapmod.$$"; + 
file_write($tempfile, $ldif); + + my $rc = system "$ldapmodify -r < $tempfile >/dev/null"; + unlink($tempfile); + return $rc; +} sub do_ldapmodify - { - my $ldif = shift; - my $FILE = "|$ldapmodify -r >/dev/null"; - open (FILE, $FILE) || die "$!\n"; - print FILE <<EOF; +{ + my $ldif = shift; + + my $FILE = "|$ldapmodify -r >/dev/null"; + open (FILE, $FILE) || die "$!\n"; + print FILE <<EOF; $ldif EOF - ; - close FILE; - my $rc = $?; - return $rc; - } - -sub group_type_by_name { - my $type_name = shift; - my %groupmap = ( - 'domain' => 2, - 'local' => 4, - 'builtin' => 5 - ); - return $groupmap{$type_name}; + ; + close FILE; + my $rc = $?; + + return $rc; } |
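Review bot: The new `get_user_dn`, `get_user_dn2`, `get_group_dn`, `is_samba_user`, `is_user_valid`, `get_homedir`, `read_user`, `read_group`, `find_groups_of`, `group_add_user`, `group_remove_member` and `group_get_members` bodies interpolate the caller-supplied name straight into a backtick shell command and into the LDAP filter, so a name containing a quote, `|`, `*` or parentheses alters the command or the filter instead of being looked up literally, and `delete_user` does the same with an unquoted `$dn` in `system "$ldapdelete $dn >/dev/null"`. One anchored check before each interpolation, e.g. `die "$0: invalid name: $user\n" unless $user =~ m/\A[\w.-]+\z/;`, closes both, and list-form `open my $fh, '-|', $ldapsearch, '-b', $suffix, ...` would keep the shell out of the path entirely. `is_user_valid` additionally hands the password to ldapsearch as `-w '$pass'`, which is normally readable in the process list while the search runs; a password file (`-y`, where the installed ldapsearch supports it) or the `-W` prompt keeps it off the command line. `do_ldapadd2`/`do_ldapmodify2` write the LDIF to the predictable `/tmp/smbldapadd.$$` / `/tmp/smbldapmod.$$` through the 2-arg bareword `open (FILE, "> $filename")` in `file_write`, which a pre-existing symlink at that path can redirect; `File::Temp::tempfile` plus a 3-arg lexical open avoids that. The enclosing package continues past the end of this hunk.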