From d363d8db261dfaa02b5769d90f95a55d168e75a8 Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa <sunil@medhas.org>
Date: Wed, 22 Jul 2015 20:10:18 +0530
Subject: [PATCH] users: Use ldapscripts for user management

- Merge all ldap actions into one action.

- Setup ldapscripts using augeas.

- Use the default mechanisms used by ldapscripts.

- Remove adding admin users to 'sudo' group.  Mixing LDAP groups and
  local groups is not a good practice.  'admin' LDAP group will be added
  to sudoers in another patch to freedombox-setup.

- Make all users posixAccount and all groups posixGroup for simplicity.
  Shell access can be restricted in other ways.

- Work around ldapscripts not able to set password using SASL auth.

- Work around ldapscripts having issues with current locale.
---
 actions/add-ldap-user-to-group      |  68 -----------
 actions/change-ldap-user-password   |  41 -------
 actions/create-ldap-user            |  67 -----------
 actions/delete-ldap-user            |  60 ----------
 actions/get-ldap-user-groups        |  23 ----
 actions/ldap                        | 168 ++++++++++++++++++++++++++++
 actions/remove-ldap-user-from-group |  60 ----------
 actions/rename-ldap-user            |  74 ------------
 plinth/modules/users/forms.py       |  36 +++---
 plinth/modules/users/views.py       |   2 +-
 10 files changed, 190 insertions(+), 409 deletions(-)
 delete mode 100755 actions/add-ldap-user-to-group
 delete mode 100755 actions/change-ldap-user-password
 delete mode 100755 actions/create-ldap-user
 delete mode 100755 actions/delete-ldap-user
 delete mode 100755 actions/get-ldap-user-groups
 create mode 100755 actions/ldap
 delete mode 100755 actions/remove-ldap-user-from-group
 delete mode 100755 actions/rename-ldap-user

diff --git a/actions/add-ldap-user-to-group b/actions/add-ldap-user-to-group
deleted file mode 100755
index 7cd104ce3..000000000
--- a/actions/add-ldap-user-to-group
+++ /dev/null
@@ -1,68 +0,0 @@
-#!/bin/bash
-#
-# This file is part of Plinth.
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-#
-
-# Must be run as root.
-
-username="$1"
-groupname="$2"
-
-# check if group already exists
-results=$(ldapsearch -Y EXTERNAL -H ldapi:/// -b 'ou=groups,dc=thisbox' -LLL "(cn=$groupname)" cn)
-
-if [ -z "$results" ]; then
-    # create group, with user as initial member
-    cat <<EOF |ldapadd -Y EXTERNAL -H ldapi:///
-dn: cn=$groupname,ou=groups,dc=thisbox
-objectClass: groupOfNames
-cn: $groupname
-member: uid=$username,ou=users,dc=thisbox
-EOF
-else
-    # add user to existing group
-    cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
-dn: cn=$groupname,ou=groups,dc=thisbox
-changetype: modify
-add: member
-member: uid=$username,ou=users,dc=thisbox
-EOF
-fi
-
-# For admin users, also need a posixAccount for sudo.
-if [ "$groupname" == "admin" ]; then
-    # check if sudo group already exists
-    results=$(ldapsearch -Y EXTERNAL -H ldapi:/// -b 'ou=groups,dc=thisbox' -LLL "(cn=sudo)" cn)
-
-    if [ -z "$results" ]; then
-	# create sudo group
-	cat <<EOF |ldapadd -Y EXTERNAL -H ldapi:///
-dn: cn=sudo,ou=groups,dc=thisbox
-objectClass: posixGroup
-cn: sudo
-gidNumber: 27
-memberUid: $username
-EOF
-    else
-	# add user to sudo group
-	cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
-dn: cn=sudo,ou=groups,dc=thisbox
-changetype: modify
-add: memberUid
-memberUid: $username
-EOF
-    fi
-fi
diff --git a/actions/change-ldap-user-password b/actions/change-ldap-user-password
deleted file mode 100755
index feddebbd4..000000000
--- a/actions/change-ldap-user-password
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/bin/bash
-#
-# This file is part of Plinth.
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-#
-
-# Must be run as root.
-
-username="$1"
-
-IFS= read -r password
-if [ -z "$password" ]; then
-    echo "Error: Could not read password from stdin."
-    exit 2
-fi
-
-password=$(slappasswd -s "$password")
-
-cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
-dn: uid=$username,ou=users,dc=thisbox
-changetype: modify
-replace: userPassword
-userPassword: $password
-EOF
-
-if [ $? -ne 0 ]; then
-    echo "Failed: could not set user password"
-    exit 1
-fi
diff --git a/actions/create-ldap-user b/actions/create-ldap-user
deleted file mode 100755
index dd7273062..000000000
--- a/actions/create-ldap-user
+++ /dev/null
@@ -1,67 +0,0 @@
-#!/bin/bash
-#
-# This file is part of Plinth.
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-#
-
-# Must be run as root.
-
-username="$1"
-
-IFS= read -r password
-if [ -z "$password" ]; then
-    echo "Error: Could not read password from stdin."
-    exit 3
-fi
-
-password=$(slappasswd -s "$password")
-
-cat <<EOF |ldapadd -Y EXTERNAL -H ldapi:///
-dn: uid=$username,ou=users,dc=thisbox
-objectClass: inetOrgPerson
-uid: $username
-sn: $username
-cn: $username
-userPassword: $password
-EOF
-
-if [ $? -ne 0 ]; then
-    echo "Failed to create user"
-    exit 1
-fi
-
-uid_num=$(getent passwd | awk -F: '($3>=1000) && ($3<59999) && ($3>maxuid) { maxuid=$3; } END { print maxuid+1; }')
-home_dir=/home/$username
-
-cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
-dn: uid=$username,ou=users,dc=thisbox
-changeType: modify
-add: objectClass
-objectClass: posixAccount
--
-add: uidNumber
-uidNumber: $uid_num
--
-add: gidNumber
-gidNumber: $uid_num
--
-add: homeDirectory
-homeDirectory: $home_dir
-EOF
-
-if [ $? -ne 0 ]; then
-    echo "Failed to create posix account for user"
-    exit 2
-fi
diff --git a/actions/delete-ldap-user b/actions/delete-ldap-user
deleted file mode 100755
index 0550fda37..000000000
--- a/actions/delete-ldap-user
+++ /dev/null
@@ -1,60 +0,0 @@
-#!/bin/bash
-#
-# This file is part of Plinth.
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-#
-
-# Must be run as root.
-
-username="$1"
-
-ldapdelete -Y EXTERNAL -H ldapi:/// "uid=$username,ou=users,dc=thisbox"
-
-if [ $? -eq 0 ]; then
-    echo "Success: user deleted"
-else
-    echo "Failed: user delete failed"
-    exit 1
-fi
-
-# update groups
-results=$(ldapsearch 2>/dev/null -Y EXTERNAL -H ldapi:/// -b 'ou=groups,dc=thisbox' -LLL "(member=uid=$username,ou=users,dc=thisbox)" dn | grep -v '^$')
-
-while read -r line; do
-    cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
-$line
-changetype: modify
-delete: member
-member: uid=$username,ou=users,dc=thisbox
-EOF
-
-    if [ $? -eq 65 ]; then
-	# Cannot have empty group, so just delete the group.
-	dn=$(echo "$line" | cut -d' ' -f2)
-	ldapdelete -Y EXTERNAL -H ldapi:/// "$dn"
-    fi
-done <<< "$results"
-
-# update sudo group if needed
-results=$(ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=sudo,ou=groups,dc=thisbox' -LLL "(memberUid=$username)")
-
-if [ -n "$results" ]; then
-    cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
-dn: cn=sudo,ou=groups,dc=thisbox
-changetype: modify
-delete: memberUid
-memberUid: $username
-EOF
-fi
diff --git a/actions/get-ldap-user-groups b/actions/get-ldap-user-groups
deleted file mode 100755
index 57d8c7258..000000000
--- a/actions/get-ldap-user-groups
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/bin/bash
-#
-# This file is part of Plinth.
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-#
-
-# Must be run as root.
-
-username="$1"
-
-ldapsearch 2>/dev/null -Y EXTERNAL -H ldapi:/// -b 'ou=groups,dc=thisbox' -LLL "(member=uid=$username,ou=users,dc=thisbox)" cn | awk '/cn:/ { print $2 }'
diff --git a/actions/ldap b/actions/ldap
new file mode 100755
index 000000000..bb42c5996
--- /dev/null
+++ b/actions/ldap
@@ -0,0 +1,168 @@
+#!/bin/bash
+#
+# This file is part of Plinth.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+# Store anything available from stdin.
+# This is used to receive passwords from Plinth.
+input="/proc/$$/fd/0"
+
+set -e  # Exit on failure
+
+# XXX: ldapscripts has an issue that it can't properly extract
+# built-in templates under certain locales due to grep command
+# recognizing the source file as binary.  Remove using this once the
+# bug is fixed.  Passing '-a' as argument to grep seems to be a
+# solution.
+export LC_ALL=C
+
+
+create_user()
+{
+    username="$1"
+    password="$2"
+
+    # All users shall have 'users' (a group in /etc/group) as primary group.
+    ldapadduser $username users > /dev/null
+
+    set_user_password $username $password
+}
+
+
+delete_user()
+{
+    username="$1"
+
+    groups=$(get_user_groups $username)
+
+    ldapdeleteuser $username
+
+    while read -r group; do
+        ldapdeleteuserfromgroup $username $group > /dev/null || true
+    done <<< "$groups"
+}
+
+
+rename_user()
+{
+    old_username="$1"
+    new_username="$2"
+
+    groups=$(get_user_groups $old_username)
+
+    ldaprenameuser $old_username $new_username
+
+    while read -r group; do
+        ldapdeleteuserfromgroup $old_username $group > /dev/null || true
+        ldapaddusertogroup $new_username $group > /dev/null || true
+    done <<< "$groups"
+}
+
+
+set_user_password()
+{
+    username="$1"
+    password=$(slappasswd -s "$2")
+
+    # XXX: Use ldapsetpasswd as soon as ldapscripts can handle
+    # changing passwords with SASL auth EXTERNAL.
+    cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:/// > /dev/null
+dn: uid=$username,ou=Users,dc=thisbox
+changetype: modify
+replace: userPassword
+userPassword: $password
+EOF
+}
+
+
+get_user_groups()
+{
+    # Return only supplimentary groups and don't include the 'users'
+    # primary group.
+    username="$1"
+
+    ldapid $username | cut -f 3 -d ' ' | cut -d = -f 2 | sed 's+,+\n+g' | sed "s+.*(\(.*\))+\1+" | grep -v users || true
+}
+
+
+add_user_to_group()
+{
+    username="$1"
+    groupname="$2"
+
+    # Try to create group and ignore failure if group already exists
+    ldapaddgroup $groupname > /dev/null 2>&1 || true
+
+    ldapaddusertogroup $username $groupname > /dev/null
+}
+
+
+remove_user_from_group()
+{
+    username="$1"
+    groupname="$2"
+
+    ldapdeleteuserfromgroup $username $groupname > /dev/null
+}
+
+
+setup()
+{
+    # XXX: Password setting on users is disabled as changing passwords
+    # using SASL Auth is not supported.
+    cat <<EOF | augtool --noload --noautoload --transform 'Shellvars incl /etc/ldapscripts/ldapscripts.conf' > /dev/null
+set /files/etc/ldapscripts/ldapscripts.conf/SERVER '"ldapi://"'
+set /files/etc/ldapscripts/ldapscripts.conf/SASLAUTH '"EXTERNAL"'
+set /files/etc/ldapscripts/ldapscripts.conf/SUFFIX '"dc=thisbox"'
+set /files/etc/ldapscripts/ldapscripts.conf/USUFFIX '"ou=Users"'
+set /files/etc/ldapscripts/ldapscripts.conf/GSUFFIX '"ou=Groups"'
+set /files/etc/ldapscripts/ldapscripts.conf/PASSWORDGEN '"true"'
+save
+EOF
+}
+
+
+setup
+
+command=$1
+shift
+case $command in
+    create-user)
+        create_user "$1" "$input"
+    ;;
+    delete-user)
+        delete_user "$@"
+    ;;
+    rename-user)
+        rename_user "$@"
+    ;;
+    set-user-password)
+        set_user_password "$1" "$input"
+    ;;
+    get-user-groups)
+        get_user_groups "$@"
+    ;;
+    add-user-to-group)
+        add_user_to_group "$@"
+    ;;
+    remove-user-from-group)
+        remove_user_from_group "$@"
+    ;;
+    *)
+        echo "Invalid sub-command"
+        exit -1
+    ;;
+esac
diff --git a/actions/remove-ldap-user-from-group b/actions/remove-ldap-user-from-group
deleted file mode 100755
index 9db407900..000000000
--- a/actions/remove-ldap-user-from-group
+++ /dev/null
@@ -1,60 +0,0 @@
-#!/bin/sh
-#
-# This file is part of Plinth.
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-#
-
-# Must be run as root.
-
-username="$1"
-groupname="$2"
-
-cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
-dn: cn=$groupname,ou=groups,dc=thisbox
-changetype: modify
-delete: member
-member: uid=$username,ou=users,dc=thisbox
-EOF
-
-if [ $? -eq 0 ]; then
-    echo "Removed user from group"
-elif [ $? -eq 16 ]; then
-    echo "User was not in group"
-    exit 1
-elif [ $? -eq 65 ]; then
-    # Cannot have empty group, so just delete the group.
-    ldapdelete -Y EXTERNAL -H ldapi:/// "cn=$groupname,ou=groups,dc=thisbox"
-
-    if [ $? -eq 0 ]; then
-	echo "User was last member in group, so group was deleted."
-    else
-	echo "User was last member in group, but could not delete group."
-	exit 1
-    fi
-fi
-
-if [ "$groupname" = "admin" ]; then
-    # update sudo group if needed
-    results=$(ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=sudo,ou=groups,dc=thisbox' -LLL "(memberUid=$username)")
-
-    if [ -n "$results" ]; then
-	cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
-dn: cn=sudo,ou=groups,dc=thisbox
-changetype: modify
-delete: memberUid
-memberUid: $username
-EOF
-    fi
-fi
diff --git a/actions/rename-ldap-user b/actions/rename-ldap-user
deleted file mode 100755
index b301cbf38..000000000
--- a/actions/rename-ldap-user
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/bin/bash
-#
-# This file is part of Plinth.
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-#
-
-# Must be run as root.
-
-old_username="$1"
-new_username="$2"
-
-cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
-dn: uid=$old_username,ou=users,dc=thisbox
-changetype: modrdn
-newrdn: uid=$new_username
-deleteoldrdn: 1
-EOF
-
-if [ $? -eq 0 ]; then
-    echo "Success: user renamed"
-else
-    echo "Failed: user rename failed"
-    exit 1
-fi
-
-# update groups
-results=$(ldapsearch 2>/dev/null -Y EXTERNAL -H ldapi:/// -b 'ou=groups,dc=thisbox' -LLL "(member=uid=$old_username,ou=users,dc=thisbox)" dn | grep -v '^$')
-
-while read -r line; do
-    cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
-$line
-changetype: modify
-add: member
-member: uid=$new_username,ou=users,dc=thisbox
-EOF
-
-    cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
-$line
-changetype: modify
-delete: member
-member: uid=$old_username,ou=users,dc=thisbox
-EOF
-done <<< "$results"
-
-# update sudo group if needed
-results=$(ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=sudo,ou=groups,dc=thisbox' -LLL "(memberUid=$old_username)")
-
-if [ -n "$results" ]; then
-    cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
-dn: cn=sudo,ou=groups,dc=thisbox
-changetype: modify
-delete: memberUid
-memberUid: $old_username
-EOF
-
-    cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
-dn: cn=sudo,ou=groups,dc=thisbox
-changetype: modify
-add: memberUid
-memberUid: $new_username
-EOF
-fi
diff --git a/plinth/modules/users/forms.py b/plinth/modules/users/forms.py
index 23de11ec8..ed81dd5d7 100644
--- a/plinth/modules/users/forms.py
+++ b/plinth/modules/users/forms.py
@@ -25,8 +25,8 @@ from plinth import actions
 from plinth.errors import ActionError
 
 GROUP_CHOICES = (
-    ('admin', 'admin'),
-    ('wiki', 'wiki'),
+    ('admin', _('admin')),
+    ('wiki', _('wiki')),
 )
 
 
@@ -61,8 +61,8 @@ class CreateUserForm(UserCreationForm):
         if commit:
             try:
                 actions.superuser_run(
-                    'create-ldap-user',
-                    [user.get_username()],
+                    'ldap',
+                    ['create-user', user.get_username()],
                     input=self.cleaned_data['password1'].encode())
             except ActionError:
                 messages.error(self.request,
@@ -71,8 +71,8 @@ class CreateUserForm(UserCreationForm):
             for group in self.cleaned_data['groups']:
                 try:
                     actions.superuser_run(
-                        'add-ldap-user-to-group',
-                        [user.get_username(), group])
+                        'ldap',
+                        ['add-user-to-group', user.get_username(), group])
                 except ActionError:
                     messages.error(
                         self.request,
@@ -109,14 +109,16 @@ class UserUpdateForm(forms.ModelForm):
         user = super(UserUpdateForm, self).save(commit)
 
         if commit:
-            output = actions.superuser_run('get-ldap-user-groups', [self.username])
+            output = actions.superuser_run(
+                'ldap', ['get-user-groups', self.username])
             old_groups = output.strip().split('\n')
             old_groups = [group for group in old_groups if group]
 
             if self.username != user.get_username():
                 try:
-                    actions.superuser_run('rename-ldap-user',
-                                          [self.username, user.get_username()])
+                    actions.superuser_run(
+                        'ldap',
+                        ['rename-user', self.username, user.get_username()])
                 except ActionError:
                     messages.error(self.request,
                                    _('Renaming LDAP user failed.'))
@@ -125,8 +127,10 @@ class UserUpdateForm(forms.ModelForm):
             for old_group in old_groups:
                 if old_group not in new_groups:
                     try:
-                        actions.superuser_run('remove-ldap-user-from-group',
-                                              [user.get_username(), old_group])
+                        actions.superuser_run(
+                            'ldap',
+                            ['remove-user-from-group', user.get_username(),
+                             old_group])
                     except ActionError:
                         messages.error(self.request,
                                        _('Failed to remove user from group.'))
@@ -134,8 +138,10 @@ class UserUpdateForm(forms.ModelForm):
             for new_group in new_groups:
                 if new_group not in old_groups:
                     try:
-                        actions.superuser_run('add-ldap-user-to-group',
-                                              [user.get_username(), new_group])
+                        actions.superuser_run(
+                            'ldap',
+                            ['add-user-to-group', user.get_username(),
+                             new_group])
                     except ActionError:
                         messages.error(self.request,
                                        _('Failed to add user to group.'))
@@ -157,8 +163,8 @@ class UserChangePasswordForm(SetPasswordForm):
         if commit:
             try:
                 actions.superuser_run(
-                    'change-ldap-user-password',
-                    [user.get_username()],
+                    'ldap',
+                    ['set-user-password', user.get_username()],
                     input=self.cleaned_data['new_password1'].encode())
             except ActionError:
                 messages.error(
diff --git a/plinth/modules/users/views.py b/plinth/modules/users/views.py
index 0108cab08..5ba2e263b 100644
--- a/plinth/modules/users/views.py
+++ b/plinth/modules/users/views.py
@@ -114,7 +114,7 @@ class UserDelete(ContextMixin, DeleteView):
         messages.success(self.request, message)
 
         try:
-            actions.superuser_run('delete-ldap-user', [self.kwargs['slug']])
+            actions.superuser_run('ldap', ['delete-user', self.kwargs['slug']])
         except ActionError:
             messages.error(self.request,
                            _('Deleting LDAP user failed.'))