|
|
|
|
#!/usr/bin/perl -w
|
|
|
|
|
|
|
|
|
|
#----------------------------------------------------------------------
|
|
|
|
|
# copyright (C) 2010 Firewall Services
|
|
|
|
|
# dani@firewall-services.com
|
|
|
|
|
#
|
|
|
|
|
# This program is free software; you can redistribute it and/or modify
|
|
|
|
|
# it under the terms of the GNU General Public License as published by
|
|
|
|
|
# the Free Software Foundation; either version 2 of the License, or
|
|
|
|
|
# (at your option) any later version.
|
|
|
|
|
#
|
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
|
#
|
|
|
|
|
# You should have received a copy of the GNU General Public License
|
|
|
|
|
# along with this program; if not, write to the Free Software
|
|
|
|
|
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
|
|
|
#
|
|
|
|
|
# Technical support for this program is available from e-smith, inc.
|
|
|
|
|
# For details, please visit our web site at www.e-smith.com or
|
|
|
|
|
# call us on 1 888 ESMITH 1 (US/Canada toll free) or +1 613 564 8000
|
|
|
|
|
#----------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
|
package esmith;
|
|
|
|
|
|
|
|
|
|
use strict;
|
|
|
|
|
use Errno;
|
|
|
|
|
use esmith::ConfigDB;
|
|
|
|
|
use esmith::AccountsDB;
|
|
|
|
|
use esmith::util;
|
|
|
|
|
use Net::LDAP;
|
|
|
|
|
|
|
|
|
|
my $c = esmith::ConfigDB->open_ro;
|
|
|
|
|
my $a = esmith::AccountsDB->open_ro;
|
|
|
|
|
|
|
|
|
|
my $i = $c->get('ipasserelle');
|
|
|
|
|
my $ip = $i->prop('status') || 'disabled';
|
|
|
|
|
my $reverse = $i->prop('LdapReverseGroups') || 'disabled';
|
|
|
|
|
my $x = 0;
|
|
|
|
|
|
|
|
|
|
exit (0) if (($ip eq 'disabled') || ($reverse eq 'disabled'));
|
|
|
|
|
|
|
|
|
|
my $l = $c->get('ldap');
|
|
|
|
|
my $status = $l->prop('status') || "disabled";
|
|
|
|
|
unless ($status eq "enabled" ){
|
|
|
|
|
warn "Not running action script $0, LDAP service not enabled!\n";
|
|
|
|
|
exit(0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
my $hostname = $c->get('SystemName')
|
|
|
|
|
|| die("Couldn't determine system name");
|
|
|
|
|
$hostname = $hostname->value;
|
|
|
|
|
|
|
|
|
|
my $domain = $c->get('DomainName')
|
|
|
|
|
|| die("Couldn't determine domain name");
|
|
|
|
|
$domain = $domain->value;
|
|
|
|
|
|
|
|
|
|
my @accounts;
|
|
|
|
|
my $account;
|
|
|
|
|
my $event = shift || die "Event name must be specified";
|
|
|
|
|
if ($event eq 'ldap-update' or
|
|
|
|
|
$event eq 'bootstrap-ldap-save' or
|
|
|
|
|
$event =~ m/group\-(create|modify|delete)/){
|
|
|
|
|
@accounts = ($a->users);
|
|
|
|
|
push(@accounts, $a->get('admin'));
|
|
|
|
|
}
|
|
|
|
|
else{
|
|
|
|
|
my @name = @ARGV;
|
|
|
|
|
die "Account name argument missing." unless scalar (@name) >= 1;
|
|
|
|
|
|
|
|
|
|
foreach my $name (@name){
|
|
|
|
|
$account = $a->get($name);
|
|
|
|
|
die "Account $name not found.\n" unless defined $account;
|
|
|
|
|
my $type = $account->prop('type') || "unknown";
|
|
|
|
|
|
|
|
|
|
die "Account $name is not a user account; update LDAP entry failed.\n"
|
|
|
|
|
unless ($type eq 'user' or $name eq 'admin');
|
|
|
|
|
push @accounts, $account;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
my $base = esmith::util::ldapBase ($domain);
|
|
|
|
|
my $pw = esmith::util::LdapPassword();
|
|
|
|
|
|
|
|
|
|
my $ldap = Net::LDAP->new('localhost') or die "$@";
|
|
|
|
|
|
|
|
|
|
$ldap->bind(
|
|
|
|
|
dn => "cn=root,$base",
|
|
|
|
|
password => $pw
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
my $result;
|
|
|
|
|
foreach my $acct (@accounts){
|
|
|
|
|
my $key = $acct->key;
|
|
|
|
|
|
|
|
|
|
# Ensure this account has the iPasserelleUser objectclass
|
|
|
|
|
$result = $ldap->search(
|
|
|
|
|
base => "ou=Users,". $base,
|
|
|
|
|
scope => 'sub',
|
|
|
|
|
filter => "uid=$key"
|
|
|
|
|
);
|
|
|
|
|
$result->code && ($x = 255, warn "Error looking for entry uid=$key,ou=Users,$base: ", $result->error);
|
|
|
|
|
my @oc = ();
|
|
|
|
|
my @oldgroups = ();
|
|
|
|
|
foreach my $entry ($result->all_entries()){
|
|
|
|
|
push @oc, $entry->get_value('objectClass');
|
|
|
|
|
push @oldgroups, $entry->get_value('posixMemberOf');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
unless (grep { $_ =~ /iPasserelleUser/i } @oc){
|
|
|
|
|
push @oc, 'iPasserelleUser';
|
|
|
|
|
|
|
|
|
|
$result = $ldap->modify(
|
|
|
|
|
"uid=$key,ou=Users,$base",
|
|
|
|
|
replace => {
|
|
|
|
|
objectClass => \@oc
|
|
|
|
|
}
|
|
|
|
|
);
|
|
|
|
|
$result->code && ($x = 255, warn "failed to modify entry uid=$key,ou=Users,$base: ", $result->error);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
my @groups = $a->user_group_list($key);
|
|
|
|
|
@oldgroups = sort @oldgroups;
|
|
|
|
|
@groups = sort @groups;
|
|
|
|
|
my $oldgroups = join('\0', @oldgroups);
|
|
|
|
|
my $groups = join('\0', @groups);
|
|
|
|
|
|
|
|
|
|
unless ($oldgroups eq $groups){
|
|
|
|
|
$result = $ldap->modify(
|
|
|
|
|
"uid=$key,ou=Users,$base",
|
|
|
|
|
replace => {
|
|
|
|
|
posixMemberOf => \@groups
|
|
|
|
|
}
|
|
|
|
|
);
|
|
|
|
|
$result->code && ($x = 255, warn "failed to modify entry uid=$key,ou=Users,$base: ", $result->error);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$ldap->unbind;
|
|
|
|
|
|
|
|
|
|
exit ($x);
|
