
Ldapscripts - README file
*************************

Description :
*************

The ldapscripts were originally designed to be called from Samba 3.x's
smb.conf file. They allow manipulating POSIX entries for users, groups
and machines in an LDAP directory. They are written in shell and need the
LDAP client commands (ldapadd, ldapdelete, ldapmodify, ldapsearch) to work
correctly. Other scripts are also provided as simple tools to (manually)
query your LDAP directory : ldapfinger, ldapid, lsldap (...).

They are designed to be used under GNU/Linux or FreeBSD (any other
recent UNIX-like system should also work) and require several binaries that
should come with your OS (uuencode, getent/pw, date, grep, sed, cut...).

Latest version available on http://contribs.martymac.org

Installing and configuring the ldapscripts :
********************************************

To install the scripts, just type in :
# make install
or, to define a special installation directory :
# make PREFIX=/target/directory install

Use 'make help' for more options.

All the scripts will be copied (by default) to /usr/local/sbin and 
ldapscripts.conf will be copied to /usr/local/etc/ldapscripts.

Keep in mind that the scripts are installed with quite restrictive rights.
You may have to adjust group rights or ACLs (if they are enabled
on your system) to make things work...

Once installed, edit /usr/local/etc/ldapscripts/ldapscripts.conf to 
configure the ldapscripts.

Then, just type in - e.g. :
# ldapadduser foo foogroup

See ldapscripts(5) for more details.

Configuring your OpenLDAP server :
**********************************

Be sure to include these schemas in your slapd.conf :

- core.schema
- cosine.schema (for the account objectClass)
- nis.schema (for the posixAccount objectClass) or a modified
  RFC 2307bis compliant version of this file if you plan to use
  AUXILIARY posixGroup objectClasses together with groupOfNames
  or groupOfUniqueNames objectClasses (see GCLASS parameter in
  the ldapscripts.conf file).

Using the ldapscripts with Samba 3.x :
**************************************

To use the ldapscripts with Samba 3.x (e.g. for a Windows -> Samba migration),
just add the following to your smb.conf file :

# [...]
add machine script = /usr/local/sbin/ldapaddmachine '%u' sambamachines
add user script = /usr/local/sbin/ldapadduser '%u' sambausers
add group script = /usr/local/sbin/ldapaddgroup '%g'
add user to group script = /usr/local/sbin/ldapaddusertogroup '%u' '%g'
delete user script = /usr/local/sbin/ldapdeleteuser '%u'
delete group script = /usr/local/sbin/ldapdeletegroup '%g'
delete user from group script = /usr/local/sbin/ldapdeleteuserfromgroup '%u' '%g'
set primary group script = /usr/local/sbin/ldapsetprimarygroup '%u' '%g'
rename user script = /usr/local/sbin/ldaprenameuser '%uold' '%unew'
# [...]

and make sure the sambamachines and sambausers groups exist before
attempting a "net rpc vampire"...

Files :
*******

* Various files :

README : this file !
COPYING : the GPLv2 (or later) license
CHANGELOG : the changelog file, of course
VERSION : the current version of the ldapscripts
TODO : ideas, remaining work
Makefile : installation Makefile

* Man pages :

man/* : man pages

* Configuration files :

etc/ldapscripts.conf : configuration file
etc/ldapadduser.template.sample : user LDIF template file
etc/ldapaddgroup.template.sample : group LDIF template file
etc/ldapaddmachine.template.sample : machine LDIF template file

* 'Library' files :

lib/runtime : runtime file sourced by the scripts (contains shared functions, etc.)

* Scripts that can be used in Samba configuration file (smb.conf) :

sbin/ldapaddgroup : adds a POSIX group to LDAP
sbin/ldapadduser : adds a POSIX user to LDAP
sbin/ldapdeletegroup : deletes a POSIX group from LDAP
sbin/ldapdeleteuserfromgroup : deletes a member from a group
sbin/ldapsetprimarygroup : sets gidNumber of a POSIX user or machine account
sbin/ldapaddmachine : adds a POSIX machine (user$) to LDAP
sbin/ldapaddusertogroup : adds a member to a group
sbin/ldapdeleteuser : deletes a POSIX user from LDAP
sbin/ldaprenameuser : renames a POSIX user account in LDAP

* Additional (useful) scripts not usable by Samba :

sbin/ldapdeletemachine : deletes a POSIX machine account in LDAP
sbin/ldapinit : initializes the LDAP tree with a minimal tree
sbin/lsldap : performs a *big* recursive query on the LDAP server from the root dn
sbin/ldapmodifyuser : modifies a POSIX user account in LDAP interactively
sbin/ldapmodifymachine : modifies a POSIX machine account in LDAP interactively
sbin/ldapmodifygroup : modifies a POSIX group account in LDAP interactively
sbin/ldaprenamemachine : renames a POSIX machine account in LDAP
sbin/ldaprenamegroup : renames a POSIX group in LDAP
sbin/ldapsetpasswd : modifies a POSIX user or machine account's password in LDAP
sbin/ldapfinger : displays a user/machine/group POSIX account's details
sbin/ldapid : displays a user's list of IDs
sbin/ldapgid : displays a group's list of IDs

Environment :
*************

You can set the LDAPSCRIPTS_CONF environment variable to override the
default configuration file's location.

Author / Licence :
******************

These scripts have been written by Ganaël LAPLANCHE ([email protected])
and are available under the GPL license (see COPYING for details).

Thanks for using the ldapscripts... Any feedback welcome :)


ldapscripts's Issues

ldaprenameuser doesn't clean up group memberships

When using ldaprenameuser, it doesn't take care of any groups the account is in. For example, if john is a member of the staff group, and the account is renamed to johnsmith, the staff group will still have john as a member and not johnsmith. I don't know if this is an intentional omission (maybe due to some LDAP implementations automatically fixing the problem) - if it wasn't intentional, would you take a pull request to fix it?

Extracting templates fails under some locales

Under some locales, extracting embedded templates from scripts fails. See the following interaction:

root@freedomboxvm1:~# ldapadduser testuser users
Error adding user testuser to LDAP
root@freedomboxvm1:~# tail /var/log/ldapscripts.log 
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldapadd: invalid format (line 1) entry: ""
  -> Error adding user testuser to LDAP
root@freedomboxvm1:~# LC_ALL=C ldapadduser testuser users
Successfully added user testuser to LDAP
Warning : got invalid password for user testuser (password not set)
root@freedomboxvm1:~# 

Each file has a copyright message like this:

#  Copyright (C) 2005 Ganaël LAPLANCHE - Linagora
#  Copyright (C) 2006-2013 Ganaël LAPLANCHE

The special characters are causing grep to detect the file as binary under some locales. This causes it to output something like "Binary file /usr/share/ldapscripts/runtime matches" instead of extracting the embedded template required for adding users, groups etc. This results in failure. Adding the -a option to grep should fix the issue.
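The locale-dependent failure above is easy to reproduce on a constructed file. The script below is an added example, not ldapscripts code: it writes a small "script" whose header contains a Latin-1 byte (invalid UTF-8) and whose template lines carry a hypothetical "#T " marker, then compares extraction with plain grep against grep -a, and finishes with the kind of pre-flight check that would have caught the empty entry before ldapadd saw it. The file, marker and function names are all constructed for the illustration.

```shell
#!/bin/sh
# Added example (not ldapscripts code): reproduces the locale-dependent
# "Binary file ... matches" failure and shows the grep -a fix.
# The script file, its "#T " template marker and the function names are
# constructed for this illustration.

SCRIPT_FILE=$(mktemp)
trap 'rm -f "$SCRIPT_FILE"' EXIT

# Header with a Latin-1 encoded "ë" (single byte 0xEB): that byte is not valid
# UTF-8, so under a UTF-8 locale grep classifies the whole file as binary.
printf '#  Copyright (C) 2005 Gana\353l LAPLANCHE - Linagora\n' > "$SCRIPT_FILE"
cat >> "$SCRIPT_FILE" <<'EOF'
# (script body would go here)
#T dn: uid=<user>,ou=People,dc=example,dc=org
#T objectClass: account
#T objectClass: posixAccount
EOF

# Naive extraction: grep without -a. Under a UTF-8 locale this yields no
# template lines (grep reports "Binary file ... matches" instead); under
# LC_ALL=C it works, which is exactly the symptom reported.
extract_template_naive() {
  grep '^#T ' "$1" | sed 's/^#T //'
}

# Fixed extraction: -a forces grep to treat the file as text whatever the
# locale, so the template is recovered identically everywhere.
extract_template() {
  grep -a '^#T ' "$1" | sed 's/^#T //'
}

# Pre-flight check before feeding the template to ldapadd: an empty template
# or one whose first line is not a "dn:" would be rejected with
# "invalid format (line 1) entry" as in the log above.
check_template() {
  first=$(extract_template "$1" | head -n 1)
  case $first in
    dn:*) return 0 ;;
    *)    echo "template extraction failed for $1" >&2; return 1 ;;
  esac
}

echo "naive extraction under locale '${LC_ALL:-${LANG:-C}}':"
extract_template_naive "$SCRIPT_FILE"
echo "extraction with grep -a:"
extract_template "$SCRIPT_FILE"
check_template "$SCRIPT_FILE" && echo "template OK"
```

Run it once under a UTF-8 locale and once with LC_ALL=C to see the naive output change while the grep -a output stays the same.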

ldapscripts and Debian stretch

Hello, I've got a problem since I upgraded my server to Debian stretch.

Debian GNU/Linux 9 (stretch)
Package : slapd
Version : 2.4.44+dfsg-5
Package : ldapscripts
Version : 2.0.7-2

No problem creating users with ldapadduser.
But each time I remove a user with ldapdeleteuser, I get this error message:

ldap_modify: Server is unwilling to perform (53)
additional info: modify upon the root DSE not supported

Do you know what the problem could be?
Thanks for your help.

Add support for syslog

It would be useful to be able to send logs to syslog in addition to (or instead of) a local file.

using empty GSUFFIX, MSUFFIX, USUFFIX

Empty suffixes in /etc/ldapscripts/ldapscripts.conf lead to the generation of illegal DNs in the LDIF.

Dec 13 01:12:47 host2020 ldapscripts: ldapaddgroup(xxxxxxx): /usr/local/sbin/ldapaddgroup xxxxxx 1004
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_add: Invalid DN syntax (34)
        additional info: invalid DN
  -> Error adding group xxxxxx to LDAP
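Both the "Invalid DN syntax (34)" above and the "modify upon the root DSE not supported" error in the Debian stretch report are the server rejecting a DN the client should never have sent: one with an empty component (",,") in the first case, an entirely empty DN in the second. The following is an added example, not ldapscripts code, of a pre-flight DN check in shell. The parameter names SUFFIX, USUFFIX and GSUFFIX are the ones from ldapscripts.conf; the functions and sample values are hypothetical.

```shell
#!/bin/sh
# Added example (not ldapscripts code). The configuration parameter names
# SUFFIX/USUFFIX/GSUFFIX come from ldapscripts.conf; the functions and the
# sample values are hypothetical.

SUFFIX="dc=example,dc=org"
USUFFIX="ou=People"
GSUFFIX=""        # constructed: the empty sub-suffix from the report above

# Straight string composition, as a script would do with the three variables:
# an empty middle component produces ",," in the DN.
naive_dn() {
  printf '%s,%s,%s\n' "$1" "$2" "$3"
}

# Sanity check on a DN string: non-empty, no empty RDN (leading, trailing or
# doubled comma) and every RDN of the form attr=value. It does not handle
# RFC 4514 escaped commas (\,) and is meant only as a pre-flight guard.
dn_is_wellformed() {
  dn=$1
  [ -n "$dn" ] || return 1            # "" names the root DSE, which cannot be modified
  case $dn in
    ,*|*,|*,,*) return 1 ;;
  esac
  old_ifs=$IFS
  IFS=','
  set -f                               # no pathname expansion while splitting
  set -- $dn
  set +f
  IFS=$old_ifs
  for rdn in "$@"; do
    case $rdn in
      *=*) [ -n "${rdn%%=*}" ] && [ -n "${rdn#*=}" ] || return 1 ;;
      *)   return 1 ;;
    esac
  done
  return 0
}

# Compose "<rdn>[,<sub-suffix>],<SUFFIX>", skipping an empty sub-suffix
# instead of emitting ",,", and refusing any result that fails the check.
build_dn() {
  rdn=$1; sub=$2; base=$3
  if [ -n "$sub" ]; then
    candidate="$rdn,$sub,$base"
  else
    candidate="$rdn,$base"
  fi
  dn_is_wellformed "$candidate" || { echo "refusing malformed DN '$candidate'" >&2; return 1; }
  printf '%s\n' "$candidate"
}

echo "naive: $(naive_dn cn=staff "$GSUFFIX" "$SUFFIX")"
build_dn cn=staff "$GSUFFIX" "$SUFFIX"
build_dn uid=alice "$USUFFIX" "$SUFFIX"
```

Whether an empty sub-suffix should mean "directly under SUFFIX" (as build_dn does) or be treated as a configuration error is a policy choice; either way the check fires before the LDIF reaches ldapadd or ldapmodify, so the server never sees the malformed DN.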

Support for multiple configuration files?

Would it be possible for ldapscripts to support multiple configuration files? For example, by allowing an alternate config file to be specified as a command line argument or environment variable.

uid/gid check for ldapadduser?

It seems I can create two users with the same uid/gid:

root@ubu1:~# ldapadduser user3 gardeners 9999
Successfully added user user3 to LDAP
Successfully set password for user user3
root@ubu1:~# ldapadduser user4 gardeners 9999
Successfully added user user4 to LDAP
Successfully set password for user user4
root@ubu1:~# lsldap  -u
[..]
dn: uid=user3,ou=People,dc=foo,dc=example,dc=com
objectClass: account
objectClass: posixAccount
cn: user3
uid: user3
uidNumber: 9999
gidNumber: 5001
homeDirectory: /home/user3
loginShell: /bin/bash
gecos: user3
description: User account
userPassword:: e1NTSEF9MUhyLzFsdnpWSXNvL2tSSHZNUEdXdkJja3B4cDdONWo=

dn: uid=user4,ou=People,dc=foo,dc=example,dc=com
objectClass: account
objectClass: posixAccount
cn: user4
uid: user4
uidNumber: 9999
gidNumber: 5001
homeDirectory: /home/user4
loginShell: /bin/bash
gecos: user4
description: User account
userPassword:: e1NTSEF9UHpVMC90QklOamsyY21lT0M5a1JHcFBiVW84eEhoUnc=

is this the intended behavior?
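A duplicate uidNumber means two accounts that the OS cannot tell apart, so a uniqueness check before the add is worth having regardless of how the question above is answered. The script below is an added example, not ldapscripts code: it runs the check against an LDIF snapshot file (the kind of output lsldap -u or ldapsearch produces) so it works offline. The snapshot is constructed from the two entries shown above, with user4 given uidNumber 10000 so there is something to clash with and something free; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not ldapscripts code): a pre-flight uidNumber uniqueness
# check. It works on an LDIF snapshot (as produced by lsldap -u or ldapsearch)
# so it runs offline; the snapshot below is constructed from the entries in
# the report, with user4 given 10000.

SNAPSHOT=$(mktemp)
trap 'rm -f "$SNAPSHOT"' EXIT
cat > "$SNAPSHOT" <<'EOF'
dn: uid=user3,ou=People,dc=foo,dc=example,dc=com
objectClass: account
objectClass: posixAccount
uid: user3
uidNumber: 9999
gidNumber: 5001

dn: uid=user4,ou=People,dc=foo,dc=example,dc=com
objectClass: account
objectClass: posixAccount
uid: user4
uidNumber: 10000
gidNumber: 5001
EOF

# 0 if some entry in the snapshot already carries the given uidNumber.
uidnumber_in_use() {      # $1 = LDIF file, $2 = uidNumber
  grep -q "^uidNumber: $2\$" "$1"
}

# Print the DN of every entry holding the given uidNumber (nothing if unused).
dn_for_uidnumber() {      # $1 = LDIF file, $2 = uidNumber
  awk -v want="$2" '
    /^dn: / { dn = substr($0, 5) }
    /^$/    { dn = "" }
    $1 == "uidNumber:" && $2 == want { print dn }
  ' "$1"
}

# Print the lowest uidNumber >= $2 that no entry in the snapshot uses.
next_free_uidnumber() {   # $1 = LDIF file, $2 = first candidate
  awk -v start="$2" '
    $1 == "uidNumber:" { used[$2] = 1 }
    END { n = start + 0; while (n in used) n++; print n }
  ' "$1"
}

# Wrapper a caller would run before ldapadduser: refuse a clashing uidNumber
# and name the entry that already holds it.
check_uidnumber_free() {  # $1 = LDIF file, $2 = login, $3 = requested uidNumber
  if uidnumber_in_use "$1" "$3"; then
    echo "refusing to add $2: uidNumber $3 already used by $(dn_for_uidnumber "$1" "$3")" >&2
    return 1
  fi
  echo "uidNumber $3 is free for $2"
}

check_uidnumber_free "$SNAPSHOT" user5 9999 || true
check_uidnumber_free "$SNAPSHOT" user5 "$(next_free_uidnumber "$SNAPSHOT" 9999)"
```

In production the snapshot would be replaced by a fresh ldapsearch for "(uidNumber=N)" against the live directory; the check is still racy between the search and the add, so it is a guard against operator mistakes like the one above, not a substitute for a server-side uniqueness overlay.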

Can't change/set passwords with SASL auth

Currently, there is no way to set or change the password while using SASL authentication.

In FreedomBox, a very simplified UI manages everything including LDAP user accounts. The administrative interface has to take care of managing the user accounts. Since storing LDAP admin password on the system somewhere is not good, we are using SASL Auth EXTERNAL and connecting via ldapi:/// URL to manage the users. We have modified the permissions as necessary.

With this approach, we are unable to change a user's password or set it during user creation as ldapscripts refuses to do so. The relevant code looks as follows:

    if [ -n "$SASLAUTH" ]
    then
      # XXX Is there a reason to allow changing a userPassword attribute here ?
      end_die "Please, change password in $SASLAUTH database"
    fi

I believe there is a realistic use case, and we should allow changing the password for the user using the ldappasswd command even when using SASL authentication.
