nik/FreedomBox
1
0
Fork 0
mirror of https://github.com/freedombox/FreedomBox.git synced 2026-05-13 10:30:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

users: Use ldapscripts for user management

Browse Source 
- Merge all ldap actions into one action.

- Setup ldapscripts using augeas.

- Use the default mechanisms used by ldapscripts.

- Remove adding admin users to 'sudo' group.  Mixing LDAP groups and
  local groups is not a good practice.  'admin' LDAP group will be added
  to sudoers in another patch to freedombox-setup.

- Make all users posixAccount and all groups posixGroup for simplicity.
  Shell access can be restricted in other ways.

- Work around ldapscripts not able to set password using SASL auth.

- Work around ldapscripts having issues with current locale.
This commit is contained in:
Sunil Mohan Adapa 2015-07-22 20:10:18 +05:30 committed by James Valleroy
parent 44ec564fd7
commit d363d8db26
10 changed files with 190 additions and 409 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

68
actions/add-ldap-user-to-group
View File

@ -1,68 +0,0 @@
#!/bin/bash
#
# This file is part of Plinth.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Must be run as root.
username="$1"
groupname="$2"
# check if group already exists
results=$(ldapsearch -Y EXTERNAL -H ldapi:/// -b 'ou=groups,dc=thisbox' -LLL "(cn=$groupname)" cn)
if [ -z "$results" ]; then
# create group, with user as initial member
cat <<EOF |ldapadd -Y EXTERNAL -H ldapi:///
dn: cn=$groupname,ou=groups,dc=thisbox
objectClass: groupOfNames
cn: $groupname
member: uid=$username,ou=users,dc=thisbox
EOF
else
# add user to existing group
cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=$groupname,ou=groups,dc=thisbox
changetype: modify
add: member
member: uid=$username,ou=users,dc=thisbox
EOF
fi
# For admin users, also need a posixAccount for sudo.
if [ "$groupname" == "admin" ]; then
# check if sudo group already exists
results=$(ldapsearch -Y EXTERNAL -H ldapi:/// -b 'ou=groups,dc=thisbox' -LLL "(cn=sudo)" cn)
if [ -z "$results" ]; then
# create sudo group
cat <<EOF |ldapadd -Y EXTERNAL -H ldapi:///
dn: cn=sudo,ou=groups,dc=thisbox
objectClass: posixGroup
cn: sudo
gidNumber: 27
memberUid: $username
EOF
else
# add user to sudo group
cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=sudo,ou=groups,dc=thisbox
changetype: modify
add: memberUid
memberUid: $username
EOF
fi
fi

41
actions/change-ldap-user-password
View File

@ -1,41 +0,0 @@
#!/bin/bash
#
# This file is part of Plinth.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Must be run as root.
username="$1"
IFS= read -r password
if [ -z "$password" ]; then
echo "Error: Could not read password from stdin."
exit 2
fi
password=$(slappasswd -s "$password")
cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
dn: uid=$username,ou=users,dc=thisbox
changetype: modify
replace: userPassword
userPassword: $password
EOF
if [ $? -ne 0 ]; then
echo "Failed: could not set user password"
exit 1
fi

67
actions/create-ldap-user
View File

@ -1,67 +0,0 @@
#!/bin/bash
#
# This file is part of Plinth.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Must be run as root.
username="$1"
IFS= read -r password
if [ -z "$password" ]; then
echo "Error: Could not read password from stdin."
exit 3
fi
password=$(slappasswd -s "$password")
cat <<EOF |ldapadd -Y EXTERNAL -H ldapi:///
dn: uid=$username,ou=users,dc=thisbox
objectClass: inetOrgPerson
uid: $username
sn: $username
cn: $username
userPassword: $password
EOF
if [ $? -ne 0 ]; then
echo "Failed to create user"
exit 1
fi
uid_num=$(getent passwd | awk -F: '($3>=1000) && ($3<59999) && ($3>maxuid) { maxuid=$3; } END { print maxuid+1; }')
home_dir=/home/$username
cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
dn: uid=$username,ou=users,dc=thisbox
changeType: modify
add: objectClass
objectClass: posixAccount
-
add: uidNumber
uidNumber: $uid_num
-
add: gidNumber
gidNumber: $uid_num
-
add: homeDirectory
homeDirectory: $home_dir
EOF
if [ $? -ne 0 ]; then
echo "Failed to create posix account for user"
exit 2
fi

60
actions/delete-ldap-user
View File

@ -1,60 +0,0 @@
#!/bin/bash
#
# This file is part of Plinth.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Must be run as root.
username="$1"
ldapdelete -Y EXTERNAL -H ldapi:/// "uid=$username,ou=users,dc=thisbox"
if [ $? -eq 0 ]; then
echo "Success: user deleted"
else
echo "Failed: user delete failed"
exit 1
fi
# update groups
results=$(ldapsearch 2>/dev/null -Y EXTERNAL -H ldapi:/// -b 'ou=groups,dc=thisbox' -LLL "(member=uid=$username,ou=users,dc=thisbox)" dn | grep -v '^$')
while read -r line; do
cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
$line
changetype: modify
delete: member
member: uid=$username,ou=users,dc=thisbox
EOF
if [ $? -eq 65 ]; then
# Cannot have empty group, so just delete the group.
dn=$(echo "$line" | cut -d' ' -f2)
ldapdelete -Y EXTERNAL -H ldapi:/// "$dn"
fi
done <<< "$results"
# update sudo group if needed
results=$(ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=sudo,ou=groups,dc=thisbox' -LLL "(memberUid=$username)")
if [ -n "$results" ]; then
cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=sudo,ou=groups,dc=thisbox
changetype: modify
delete: memberUid
memberUid: $username
EOF
fi

23
actions/get-ldap-user-groups
View File

@ -1,23 +0,0 @@
#!/bin/bash
#
# This file is part of Plinth.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Must be run as root.
username="$1"
ldapsearch 2>/dev/null -Y EXTERNAL -H ldapi:/// -b 'ou=groups,dc=thisbox' -LLL "(member=uid=$username,ou=users,dc=thisbox)" cn | awk '/cn:/ { print $2 }'

168
actions/ldap Executable file
View File

@ -0,0 +1,168 @@
#!/bin/bash
#
# This file is part of Plinth.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Store anything available from stdin.
# This is used to receive passwords from Plinth.
input="/proc/$$/fd/0"
set -e # Exit on failure
# XXX: ldapscripts has an issue that it can't properly extract
# built-in templates under certain locales due to grep command
# recognizing the source file as binary. Remove using this once the
# bug is fixed. Passing '-a' as argument to grep seems to be a
# solution.
export LC_ALL=C
create_user()
{
username="$1"
password="$2"
# All users shall have 'users' (a group in /etc/group) as primary group.
ldapadduser $username users > /dev/null
set_user_password $username $password
}
delete_user()
{
username="$1"
groups=$(get_user_groups $username)
ldapdeleteuser $username
while read -r group; do
ldapdeleteuserfromgroup $username $group > /dev/null || true
done <<< "$groups"
}
rename_user()
{
old_username="$1"
new_username="$2"
groups=$(get_user_groups $old_username)
ldaprenameuser $old_username $new_username
while read -r group; do
ldapdeleteuserfromgroup $old_username $group > /dev/null || true
ldapaddusertogroup $new_username $group > /dev/null || true
done <<< "$groups"
}
set_user_password()
{
username="$1"
password=$(slappasswd -s "$2")
# XXX: Use ldapsetpasswd as soon as ldapscripts can handle
# changing passwords with SASL auth EXTERNAL.
cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:/// > /dev/null
dn: uid=$username,ou=Users,dc=thisbox
changetype: modify
replace: userPassword
userPassword: $password
EOF
}
get_user_groups()
{
# Return only supplimentary groups and don't include the 'users'
# primary group.
username="$1"
ldapid $username | cut -f 3 -d ' ' | cut -d = -f 2 | sed 's+,+\n+g' | sed "s+.*(\(.*\))+\1+" | grep -v users || true
}
add_user_to_group()
{
username="$1"
groupname="$2"
# Try to create group and ignore failure if group already exists
ldapaddgroup $groupname > /dev/null 2>&1 || true
ldapaddusertogroup $username $groupname > /dev/null
}
remove_user_from_group()
{
username="$1"
groupname="$2"
ldapdeleteuserfromgroup $username $groupname > /dev/null
}
setup()
{
# XXX: Password setting on users is disabled as changing passwords
# using SASL Auth is not supported.
cat <<EOF | augtool --noload --noautoload --transform 'Shellvars incl /etc/ldapscripts/ldapscripts.conf' > /dev/null
set /files/etc/ldapscripts/ldapscripts.conf/SERVER '"ldapi://"'
set /files/etc/ldapscripts/ldapscripts.conf/SASLAUTH '"EXTERNAL"'
set /files/etc/ldapscripts/ldapscripts.conf/SUFFIX '"dc=thisbox"'
set /files/etc/ldapscripts/ldapscripts.conf/USUFFIX '"ou=Users"'
set /files/etc/ldapscripts/ldapscripts.conf/GSUFFIX '"ou=Groups"'
set /files/etc/ldapscripts/ldapscripts.conf/PASSWORDGEN '"true"'
save
EOF
}
setup
command=$1
shift
case $command in
create-user)
create_user "$1" "$input"
;;
delete-user)
delete_user "$@"
;;
rename-user)
rename_user "$@"
;;
set-user-password)
set_user_password "$1" "$input"
;;
get-user-groups)
get_user_groups "$@"
;;
add-user-to-group)
add_user_to_group "$@"
;;
remove-user-from-group)
remove_user_from_group "$@"
;;
*)
echo "Invalid sub-command"
exit -1
;;
esac

60
actions/remove-ldap-user-from-group
View File

@ -1,60 +0,0 @@
#!/bin/sh
#
# This file is part of Plinth.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Must be run as root.
username="$1"
groupname="$2"
cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=$groupname,ou=groups,dc=thisbox
changetype: modify
delete: member
member: uid=$username,ou=users,dc=thisbox
EOF
if [ $? -eq 0 ]; then
echo "Removed user from group"
elif [ $? -eq 16 ]; then
echo "User was not in group"
exit 1
elif [ $? -eq 65 ]; then
# Cannot have empty group, so just delete the group.
ldapdelete -Y EXTERNAL -H ldapi:/// "cn=$groupname,ou=groups,dc=thisbox"
if [ $? -eq 0 ]; then
echo "User was last member in group, so group was deleted."
else
echo "User was last member in group, but could not delete group."
exit 1
fi
fi
if [ "$groupname" = "admin" ]; then
# update sudo group if needed
results=$(ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=sudo,ou=groups,dc=thisbox' -LLL "(memberUid=$username)")
if [ -n "$results" ]; then
cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=sudo,ou=groups,dc=thisbox
changetype: modify
delete: memberUid
memberUid: $username
EOF
fi
fi

74
actions/rename-ldap-user
View File

@ -1,74 +0,0 @@
#!/bin/bash
#
# This file is part of Plinth.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Must be run as root.
old_username="$1"
new_username="$2"
cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
dn: uid=$old_username,ou=users,dc=thisbox
changetype: modrdn
newrdn: uid=$new_username
deleteoldrdn: 1
EOF
if [ $? -eq 0 ]; then
echo "Success: user renamed"
else
echo "Failed: user rename failed"
exit 1
fi
# update groups
results=$(ldapsearch 2>/dev/null -Y EXTERNAL -H ldapi:/// -b 'ou=groups,dc=thisbox' -LLL "(member=uid=$old_username,ou=users,dc=thisbox)" dn | grep -v '^$')
while read -r line; do
cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
$line
changetype: modify
add: member
member: uid=$new_username,ou=users,dc=thisbox
EOF
cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
$line
changetype: modify
delete: member
member: uid=$old_username,ou=users,dc=thisbox
EOF
done <<< "$results"
# update sudo group if needed
results=$(ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=sudo,ou=groups,dc=thisbox' -LLL "(memberUid=$old_username)")
if [ -n "$results" ]; then
cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=sudo,ou=groups,dc=thisbox
changetype: modify
delete: memberUid
memberUid: $old_username
EOF
cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=sudo,ou=groups,dc=thisbox
changetype: modify
add: memberUid
memberUid: $new_username
EOF
fi

36
plinth/modules/users/forms.py
View File

@ -25,8 +25,8 @@ from plinth import actions
from plinth.errors import ActionError from plinth.errors import ActionError
GROUP_CHOICES = ( GROUP_CHOICES = (
('admin', 'admin'), ('admin', _('admin')),
('wiki', 'wiki'), ('wiki', _('wiki')),
) )
@ -61,8 +61,8 @@ class CreateUserForm(UserCreationForm):
if commit: if commit:
try: try:
actions.superuser_run( actions.superuser_run(
'create-ldap-user', 'ldap',
[user.get_username()], ['create-user', user.get_username()],
input=self.cleaned_data['password1'].encode()) input=self.cleaned_data['password1'].encode())
except ActionError: except ActionError:
messages.error(self.request, messages.error(self.request,
@ -71,8 +71,8 @@ class CreateUserForm(UserCreationForm):
for group in self.cleaned_data['groups']: for group in self.cleaned_data['groups']:
try: try:
actions.superuser_run( actions.superuser_run(
'add-ldap-user-to-group', 'ldap',
[user.get_username(), group]) ['add-user-to-group', user.get_username(), group])
except ActionError: except ActionError:
messages.error( messages.error(
self.request, self.request,
@ -109,14 +109,16 @@ class UserUpdateForm(forms.ModelForm):
user = super(UserUpdateForm, self).save(commit) user = super(UserUpdateForm, self).save(commit)
if commit: if commit:
output = actions.superuser_run('get-ldap-user-groups', [self.username]) output = actions.superuser_run(
'ldap', ['get-user-groups', self.username])
old_groups = output.strip().split('\n') old_groups = output.strip().split('\n')
old_groups = [group for group in old_groups if group] old_groups = [group for group in old_groups if group]
if self.username != user.get_username(): if self.username != user.get_username():
try: try:
actions.superuser_run('rename-ldap-user', actions.superuser_run(
[self.username, user.get_username()]) 'ldap',
['rename-user', self.username, user.get_username()])
except ActionError: except ActionError:
messages.error(self.request, messages.error(self.request,
_('Renaming LDAP user failed.')) _('Renaming LDAP user failed.'))
@ -125,8 +127,10 @@ class UserUpdateForm(forms.ModelForm):
for old_group in old_groups: for old_group in old_groups:
if old_group not in new_groups: if old_group not in new_groups:
try: try:
actions.superuser_run('remove-ldap-user-from-group', actions.superuser_run(
[user.get_username(), old_group]) 'ldap',
['remove-user-from-group', user.get_username(),
old_group])
except ActionError: except ActionError:
messages.error(self.request, messages.error(self.request,
_('Failed to remove user from group.')) _('Failed to remove user from group.'))
@ -134,8 +138,10 @@ class UserUpdateForm(forms.ModelForm):
for new_group in new_groups: for new_group in new_groups:
if new_group not in old_groups: if new_group not in old_groups:
try: try:
actions.superuser_run('add-ldap-user-to-group', actions.superuser_run(
[user.get_username(), new_group]) 'ldap',
['add-user-to-group', user.get_username(),
new_group])
except ActionError: except ActionError:
messages.error(self.request, messages.error(self.request,
_('Failed to add user to group.')) _('Failed to add user to group.'))
@ -157,8 +163,8 @@ class UserChangePasswordForm(SetPasswordForm):
if commit: if commit:
try: try:
actions.superuser_run( actions.superuser_run(
'change-ldap-user-password', 'ldap',
[user.get_username()], ['set-user-password', user.get_username()],
input=self.cleaned_data['new_password1'].encode()) input=self.cleaned_data['new_password1'].encode())
except ActionError: except ActionError:
messages.error( messages.error(

2
plinth/modules/users/views.py
View File

@ -114,7 +114,7 @@ class UserDelete(ContextMixin, DeleteView):
messages.success(self.request, message) messages.success(self.request, message)
try: try:
actions.superuser_run('delete-ldap-user', [self.kwargs['slug']]) actions.superuser_run('ldap', ['delete-user', self.kwargs['slug']])
except ActionError: except ActionError:
messages.error(self.request, messages.error(self.request,
_('Deleting LDAP user failed.')) _('Deleting LDAP user failed.'))