martymac / ldapscripts
Simple shell scripts to handle POSIX entries in an LDAP directory
License: GNU General Public License v2.0
Ldapscripts - README file
*************************

Description :
*************

The ldapscripts were originally designed to be used from Samba 3.x's smb.conf file. They allow you to manipulate POSIX entries for users, groups and machines in an LDAP directory. They are written in shell and need the LDAP client commands to work correctly (ldapadd, ldapdelete, ldapmodify, ldapsearch).

Other scripts are also provided as simple tools to (manually) query your LDAP directory : ldapfinger, ldapid, lsldap (...).

They are designed to be used under GNU/Linux or FreeBSD (any other recent UNIX-like system should also work) and require several binaries that should come with your OS (uuencode, getent/pw, date, grep, sed, cut...).

Latest version available on http://contribs.martymac.org

Installing and configuring the ldapscripts :
********************************************

To install the scripts, just type in :

  # make install

or, to define a special installation directory :

  # make PREFIX=/target/directory install

Use 'make help' for more options.

All the scripts will be copied (by default) to /usr/local/sbin and ldapscripts.conf will be copied to /usr/local/etc/ldapscripts.

Keep in mind that the scripts are installed with quite restrictive rights. You may have to play with group rights or ACLs (if they are enabled on your system) to make things work...

Once installed, edit /usr/local/etc/ldapscripts/ldapscripts.conf to configure the ldapscripts. Then, just type in - e.g. :

  # ldapadduser foo foogroup

See ldapscripts(5) for more details.

Configuring your OpenLDAP server :
**********************************

Be sure to include these schemas in your slapd.conf :

- core.schema
- cosine.schema (for the account objectClass)
- nis.schema (for the posixAccount objectClass) or a modified RFC 2307bis compliant version of this file if you plan to use AUXILIARY posixGroup objectClasses together with groupOfNames or groupOfUniqueNames objectClasses (see the GCLASS parameter in the ldapscripts.conf file).
Using the ldapscripts with Samba 3.x :
**************************************

To use the ldapscripts with Samba 3.x (e.g. for a Windows -> Samba migration), just add the following to your smb.conf file :

  # [...]
  add machine script = /usr/local/sbin/ldapaddmachine '%u' sambamachines
  add user script = /usr/local/sbin/ldapadduser '%u' sambausers
  add group script = /usr/local/sbin/ldapaddgroup '%g'
  add user to group script = /usr/local/sbin/ldapaddusertogroup '%u' '%g'
  delete user script = /usr/local/sbin/ldapdeleteuser '%u'
  delete group script = /usr/local/sbin/ldapdeletegroup '%g'
  delete user from group script = /usr/local/sbin/ldapdeleteuserfromgroup '%u' '%g'
  set primary group script = /usr/local/sbin/ldapsetprimarygroup '%u' '%g'
  rename user script = /usr/local/sbin/ldaprenameuser '%uold' '%unew'
  # [...]

and make sure the sambamachines and sambausers groups exist before attempting to do a "net rpc vampire"...

Files :
*******

* Various files :
  README : this file !
  COPYING : the GPLv2 (or later) license
  CHANGELOG : the changelog file, of course
  VERSION : the current version of the ldapscripts
  TODO : ideas, remaining work
  Makefile : installation Makefile

* Man pages :
  man/* : man pages

* Configuration files :
  etc/ldapscripts.conf : configuration file
  etc/ldapadduser.template.sample : user LDIF template file
  etc/ldapaddgroup.template.sample : group LDIF template file
  etc/ldapaddmachine.template.sample : machine LDIF template file

* 'Library' files :
  lib/runtime : runtime file used by the scripts (contains functions, etc...)
* Scripts that can be used in the Samba configuration file (smb.conf) :
  sbin/ldapaddgroup : adds a POSIX group to LDAP
  sbin/ldapadduser : adds a POSIX user to LDAP
  sbin/ldapdeletegroup : deletes a POSIX group from LDAP
  sbin/ldapdeleteuserfromgroup : deletes a member from a group
  sbin/ldapsetprimarygroup : sets the gidNumber of a POSIX user or machine account
  sbin/ldapaddmachine : adds a POSIX machine (user$) to LDAP
  sbin/ldapaddusertogroup : adds a member to a group
  sbin/ldapdeleteuser : deletes a POSIX user from LDAP
  sbin/ldaprenameuser : renames a POSIX user account in LDAP

* Additional (useful) scripts not usable by Samba :
  sbin/ldapdeletemachine : deletes a POSIX machine account in LDAP
  sbin/ldapinit : initializes the LDAP tree with a minimal tree
  sbin/lsldap : performs a *big* recursive query on the LDAP server from the root dn
  sbin/ldapmodifyuser : modifies a POSIX user account in LDAP interactively
  sbin/ldapmodifymachine : modifies a POSIX machine account in LDAP interactively
  sbin/ldapmodifygroup : modifies a POSIX group account in LDAP interactively
  sbin/ldaprenamemachine : renames a POSIX machine account in LDAP
  sbin/ldaprenamegroup : renames a POSIX group in LDAP
  sbin/ldapsetpasswd : modifies a POSIX user or machine account's password in LDAP
  sbin/ldapfinger : displays a user/machine/group POSIX account's details
  sbin/ldapid : displays a user's list of IDs
  sbin/ldapgid : displays a group's list of IDs

Environment :
*************

You can set the LDAPSCRIPTS_CONF environment variable to override the default configuration file's location.

Author / Licence :
******************

These scripts have been written by Ganaël LAPLANCHE ([email protected]) and are available under the GPL license (see COPYING for details).

Thanks for using the ldapscripts... Any feedback welcome :)
It would be nice if ldapsetpasswd searched under $SUFFIX instead of $USUFFIX,$SUFFIX on line 33, so that it could modify machine accounts as well as users.
When using ldaprenameuser, it doesn't take care of any groups the account is in. For example, if john is a member of the staff group, and the account is renamed to johnsmith, the staff group will still have john as a member and not johnsmith. I don't know if this is an intentional omission (maybe due to some LDAP implementations automatically fixing the problem) - if it wasn't intentional, would you take a pull request to fix it?
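The membership fix-up this issue asks for, as an added example that is not part of ldapscripts: a POSIX shell function that reads group LDIF (in the shape lsldap prints) and emits the ldapmodify records that replace the old memberUid with the new one. The sample LDIF, the group names and the function name are constructed for this example.

```shell
#!/bin/sh
# Constructed sample input for this example: two posixGroup entries in the
# LDIF shape lsldap prints. Not taken from any real directory.
SAMPLE_GROUPS='dn: cn=staff,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: staff
gidNumber: 5000
memberUid: john
memberUid: alice

dn: cn=admins,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: admins
gidNumber: 5001
memberUid: alice
'

# rename_member_ldif OLD NEW
# Reads group LDIF on stdin and writes one "changetype: modify" record per
# group whose memberUid list contains OLD, deleting that value and adding NEW.
# Run it after ldaprenameuser and pipe the output into ldapmodify.
# Limitations: only posixGroup memberUid values are handled (with
# GCLASS=groupOfNames the membership lives in "member" as a full DN), and
# folded LDIF lines (continuation lines starting with a space) are not joined.
rename_member_ldif() {
    awk -v old="$1" -v new="$2" '
        function flush() {
            if (hit) {
                printf "dn: %s\nchangetype: modify\n", dn
                printf "delete: memberUid\nmemberUid: %s\n-\n", old
                printf "add: memberUid\nmemberUid: %s\n-\n\n", new
            }
            dn = ""; hit = 0
        }
        /^dn: / { flush(); dn = substr($0, 5) }
        $1 == "memberUid:" && $2 == old { hit = 1 }
        /^$/ { flush() }
        END { flush() }
    '
}

# Usage: lsldap | rename_member_ldif john johnsmith | ldapmodify ...
```

Deleting the single old value and adding the new one (rather than replacing the whole memberUid attribute) keeps the other members untouched and fails cleanly if the old value has already been removed by someone else.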
Under some locales, extracting embedded templates from scripts fails. See the following interaction:
root@freedomboxvm1:~# ldapadduser testuser users
Error adding user testuser to LDAP
root@freedomboxvm1:~# tail /var/log/ldapscripts.log
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldapadd: invalid format (line 1) entry: ""
-> Error adding user testuser to LDAP
root@freedomboxvm1:~# LC_ALL=C ldapadduser testuser users
Successfully added user testuser to LDAP
Warning : got invalid password for user testuser (password not set)
root@freedomboxvm1:~#
Each file has a copyright message like this:
# Copyright (C) 2005 Ganaël LAPLANCHE - Linagora
# Copyright (C) 2006-2013 Ganaël LAPLANCHE
The special characters are causing grep to detect the file as binary under some locales. This causes it to output something like "Binary file /usr/share/ldapscripts/runtime matches" instead of extracting the embedded template required for adding users, groups etc. This results in failure. Adding the -a option to grep should fix the issue.
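An added example, not code from the project: a constructed stand-in for a script with an embedded template, showing the grep -a extraction the report proposes together with a sanity check that would have caught the empty template before ldapadd saw it. The marker lines, the template contents and the function names are hypothetical; only the non-ASCII copyright line mirrors the report.

```shell
#!/bin/sh
# make_sample_script FILE
# Writes a constructed stand-in for a script carrying an embedded LDIF
# template between marker lines. Markers and template are hypothetical.
make_sample_script() {
    printf '%s\n' \
        '#!/bin/sh' \
        '# Copyright (C) 2006-2013 Ganaël LAPLANCHE' \
        '# ... script body ...' \
        '# _TEMPLATE_BEGIN_' \
        'dn: uid=<user>,<usuffix>,<suffix>' \
        'objectClass: account' \
        'objectClass: posixAccount' \
        'uid: <user>' \
        '# _TEMPLATE_END_' > "$1"
}

# extract_template FILE
# Prints the lines between the markers. "grep -a" forces grep to treat FILE
# as text: without it, a locale in which the bytes of "ë" are not valid
# characters makes grep print "Binary file FILE matches" instead of the
# line numbers, and the template comes out empty.
extract_template() {
    start=$(grep -a -n '^# _TEMPLATE_BEGIN_$' "$1" | cut -d: -f1)
    end=$(grep -a -n '^# _TEMPLATE_END_$' "$1" | cut -d: -f1)
    [ -n "$start" ] && [ -n "$end" ] && [ "$end" -gt "$start" ] || return 1
    sed -n "$((start + 1)),$((end - 1))p" "$1"
}

# check_template_ldif
# Reads a template on stdin and succeeds only if its first line is "dn: ...".
# Catches the empty template that produced
# 'ldapadd: invalid format (line 1) entry: ""' in the report.
check_template_ldif() {
    head -n 1 | grep -q '^dn: '
}

# Usage: extract_template /usr/share/ldapscripts/runtime | check_template_ldif || exit 1
```

Setting LC_ALL=C inside the script is the other common workaround; -a is the narrower fix because it changes only grep's binary detection and not the behaviour of every other tool the script calls.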
Hello, I've got a problem since I upgraded my server to Debian stretch.
Debian GNU/Linux 9 (stretch)
Package : slapd
Version : 2.4.44+dfsg-5
Package : ldapscripts
Version : 2.0.7-2
No problem creating a user with ldapadduser.
But each time I remove a user with ldapdeleteuser, I get this error message :
ldap_modify: Server is unwilling to perform (53)
additional info: modify upon the root DSE not supported
Do you know what could be the problem ?
Thanks for your help.
It would be useful to be able to send logs to syslog in addition to (or instead of) a local file.
Empty suffixes in the /etc/ldapscripts/ldapscripts.conf lead to generation of illegal dns in the LDIF.
Dec 13 01:12:47 host2020 ldapscripts: ldapaddgroup(xxxxxxx): /usr/local/sbin/ldapaddgroup xxxxxx 1004
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_add: Invalid DN syntax (34)
additional info: invalid DN
-> Error adding group xxxxxx to LDAP
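An added example, not the project's code, of assembling a DN from the ldapscripts.conf suffix variables without producing the invalid DN seen above, plus a check that rejects an empty or malformed SUFFIX before any LDIF is generated. The variable names follow ldapscripts.conf; the function names are this example's.

```shell
#!/bin/sh
# build_dn RDN [SUFFIX ...]
# Joins the RDN with the configured suffixes, skipping any that are empty, so
# an empty USUFFIX/GSUFFIX/MSUFFIX yields "cn=x,dc=example,dc=com" rather
# than "cn=x,,dc=example,dc=com" (which the server rejects with error 34).
build_dn() {
    dn=""
    for part in "$@"; do
        [ -n "$part" ] || continue
        if [ -z "$dn" ]; then dn="$part"; else dn="$dn,$part"; fi
    done
    printf '%s\n' "$dn"
}

# check_dn DN
# Succeeds only if DN is a comma-separated list of "attr=value" pairs with no
# empty component. Escaped commas inside values (RFC 4514 "\,") are not
# handled by this simplified check.
check_dn() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$'
}

# check_config
# The one suffix no entry can do without is SUFFIX itself: refuse to run
# rather than let the server report "Invalid DN syntax (34)" later.
check_config() {
    if [ -z "$SUFFIX" ]; then
        echo "ldapscripts.conf: SUFFIX is empty" >&2
        return 1
    fi
    check_dn "$SUFFIX" || { echo "ldapscripts.conf: SUFFIX is not a valid DN: $SUFFIX" >&2; return 1; }
}

# Usage: check_config && build_dn "cn=$group" "$GSUFFIX" "$SUFFIX"
```

An empty GSUFFIX is a legitimate configuration (groups directly under SUFFIX), which is why build_dn skips empty components instead of failing; only SUFFIX is mandatory.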
Would it be possible for ldapscripts to support multiple configuration files? For example, by allowing an alternate config file to be specified as a command line argument or environment variable.
ldapscripts currently does not support the groupOfMembers class, which unlike groupOfNames can be empty.
It seems I can create two users with the same uid/gid:
root@ubu1:~# ldapadduser user3 gardeners 9999
Successfully added user user3 to LDAP
Successfully set password for user user3
root@ubu1:~# ldapadduser user4 gardeners 9999
Successfully added user user4 to LDAP
Successfully set password for user user4
root@ubu1:~# lsldap -u
[..]
dn: uid=user3,ou=People,dc=foo,dc=example,dc=com
objectClass: account
objectClass: posixAccount
cn: user3
uid: user3
uidNumber: 9999
gidNumber: 5001
homeDirectory: /home/user3
loginShell: /bin/bash
gecos: user3
description: User account
userPassword:: e1NTSEF9MUhyLzFsdnpWSXNvL2tSSHZNUEdXdkJja3B4cDdONWo=

dn: uid=user4,ou=People,dc=foo,dc=example,dc=com
objectClass: account
objectClass: posixAccount
cn: user4
uid: user4
uidNumber: 9999
gidNumber: 5001
homeDirectory: /home/user4
loginShell: /bin/bash
gecos: user4
description: User account
userPassword:: e1NTSEF9UHpVMC90QklOamsyY21lT0M5a1JHcFBiVW84eEhoUnc=
is this the intended behavior?
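An added example, not part of ldapscripts, of auditing lsldap -u output for the duplicate uidNumber shown above, and of a check a wrapper script can run before passing an explicit uidNumber to ldapadduser. The LDIF is constructed to resemble the report, trimmed to the attributes that matter.

```shell
#!/bin/sh
# Constructed LDIF resembling the "lsldap -u" output above; made up for
# this example.
SAMPLE_USERS='dn: uid=user3,ou=People,dc=foo,dc=example,dc=com
uid: user3
uidNumber: 9999
gidNumber: 5001

dn: uid=user4,ou=People,dc=foo,dc=example,dc=com
uid: user4
uidNumber: 9999
gidNumber: 5001

dn: uid=user5,ou=People,dc=foo,dc=example,dc=com
uid: user5
uidNumber: 10000
gidNumber: 5001
'

# duplicate_uidnumbers
# Reads user LDIF on stdin and prints, one per line, every uidNumber that
# occurs in more than one entry, followed by the DNs that share it.
duplicate_uidnumbers() {
    awk '
        /^dn: / { dn = substr($0, 5) }
        $1 == "uidNumber:" { count[$2]++; dns[$2] = dns[$2] " " dn }
        END { for (n in count) if (count[n] > 1) print n ":" dns[n] }
    ' | sort
}

# uidnumber_in_use N
# Succeeds if some entry on stdin already carries uidNumber N. A wrapper can
# run "lsldap -u | uidnumber_in_use 9999" before "ldapadduser user4 gardeners 9999".
uidnumber_in_use() {
    awk -v n="$1" '$1 == "uidNumber:" && $2 == n { found = 1 } END { exit !found }'
}

# Usage: lsldap -u | duplicate_uidnumbers
```

A client-side check still races against a concurrent add. The authoritative fix is server-side: OpenLDAP's unique overlay (slapo-unique) configured on uidNumber makes the second add fail with a constraint violation instead of silently creating two accounts that the OS will treat as the same user.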
Currently, there is no way to set or change the password while using SASL authentication.
In FreedomBox, a very simplified UI manages everything including LDAP user accounts. The administrative interface has to take care of managing the user accounts. Since storing LDAP admin password on the system somewhere is not good, we are using SASL Auth EXTERNAL and connecting via ldapi:/// URL to manage the users. We have modified the permissions as necessary.
With this approach, we are unable to change a user's password or set it during user creation as ldapscripts refuses to do so. The relevant code looks as follows:
  if [ -n "$SASLAUTH" ]
  then
    # XXX Is there a reason to allow changing a userPassword attribute here ?
    end_die "Please, change password in $SASLAUTH database"
  fi
I believe there is a realistic use case and we should allow changing the password for the user using the ldappasswd command even when using SASL authentication.