[debian-edu-commits] debian-edu/ 01/01: GOsa: Add POSTLOCK and POSTUNLOCK hooks for GOsa password locking. These hook scripts (gosa-lock-user, gosa-unlock-user) take care of locking/ unlocking the Kerberos part of user accounts. (Closes: #804207).

Mike Gabriel sunweaver at debian.org
Fri Nov 6 10:31:58 UTC 2015


This is an automated email from the git hooks/post-receive script.

sunweaver pushed a commit to branch master
in repository debian-edu-config.

commit d2bbb3979eb434efa095af8ff0ae9cfb2d10ce4f
Author: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
Date:   Fri Nov 6 11:06:05 2015 +0100

    GOsa: Add POSTLOCK and POSTUNLOCK hooks for GOsa password locking. These hook scripts (gosa-lock-user, gosa-unlock-user) take care of locking/unlocking the Kerberos part of user accounts. (Closes: #804207).
---
 Makefile                                       |  2 ++
 debian/changelog                               |  3 ++
 etc/gosa/gosa.conf                             |  4 ++-
 ldap-bootstrap/sudo.ldif                       |  2 ++
 share/debian-edu-config/tools/gosa-lock-user   | 40 ++++++++++++++++++++++++++
 share/debian-edu-config/tools/gosa-unlock-user | 40 ++++++++++++++++++++++++++
 6 files changed, 90 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 2790a11..b20642c 100644
--- a/Makefile
+++ b/Makefile
@@ -359,9 +359,11 @@ install: install-testsuite
 		share/debian-edu-config/tools/get-default-homepage \
 		share/debian-edu-config/tools/gosa-create \
 		share/debian-edu-config/tools/gosa-create-host \
+		share/debian-edu-config/tools/gosa-lock-user \
 		share/debian-edu-config/tools/gosa-remove \
 		share/debian-edu-config/tools/gosa-sync \
 		share/debian-edu-config/tools/gosa-sync-dns-nfs \
+		share/debian-edu-config/tools/gosa-unlock-user \
 		share/debian-edu-config/tools/iceweasel-plugin-support \
 		share/debian-edu-config/tools/kerberos-kdc-init \
 		share/debian-edu-config/tools/ldap2bind-updatezonelist \
diff --git a/debian/changelog b/debian/changelog
index 26a2887..7f5d18c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -59,6 +59,9 @@ debian-edu-config (1.819) UNRELEASED; urgency=low
   * LDAP bootstrap: Create generic host (CNAME record for tjener) ipp.intern.
   * wpad.dat: Use DIRECT connects for URL hosts being in network 127./8 and
     for hosts being in the .local domain. (Closes: #803911).
+  * GOsa: Add POSTLOCK and POSTUNLOCK hooks for GOsa password locking. These
+    hook scripts (gosa-lock-user, gosa-unlock-user) take care of locking/
+    unlocking the Kerberos part of user accounts. (Closes: #804207).
 
  -- Petter Reinholdtsen <pere at debian.org>  Sat, 16 May 2015 23:12:06 +0200
 
diff --git a/etc/gosa/gosa.conf b/etc/gosa/gosa.conf
index 285e661..c5cbb85 100644
--- a/etc/gosa/gosa.conf
+++ b/etc/gosa/gosa.conf
@@ -76,7 +76,9 @@
   <pathMenu>
       <plugin acl="users/netatalk:self,users/environment:self,users/posixAccount:self,users/kolabAccount:self,users/phpscheduleitAccount:self,users/oxchangeAccount:self,users/proxyAccount:self,users/connectivity:self,users/pureftpdAccount:self,users/phpgwAccount:self,users/opengwAccount:self,users/pptpAccount:self,users/intranetAccount:self, users/webdavAccount:self,users/nagiosAccount:self,users/sambaAccount:self,users/mailAccount:self,users/groupware, users/user:self,users/scalixAccoun [...]
       <plugin acl="users/password:self" class="password" 
-              postmodify="USERPASSWORD=%new_password /usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync %dn"/>
+              postmodify="USERPASSWORD=%new_password /usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync %dn"
+              postlock="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-lock-user %dn"
+              postunlock="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-unlock-user %dn" />
   </pathMenu>
 
 
diff --git a/ldap-bootstrap/sudo.ldif b/ldap-bootstrap/sudo.ldif
index 91e7f48..11e52a5 100644
--- a/ldap-bootstrap/sudo.ldif
+++ b/ldap-bootstrap/sudo.ldif
@@ -25,6 +25,8 @@ sudoCommand: /usr/share/debian-edu-config/tools/gosa-sync
 sudoCommand: /usr/share/debian-edu-config/tools/gosa-remove
 sudoCommand: /usr/share/debian-edu-config/tools/gosa-create
 sudoCommand: /usr/share/debian-edu-config/tools/gosa-sync-dns-nfs
+sudoCommand: /usr/share/debian-edu-config/tools/gosa-lock-user
+sudoCommand: /usr/share/debian-edu-config/tools/gosa-unlock-user
 
 dn: cn=root,ou=sudoers,dc=skole,dc=skolelinux,dc=no
 objectClass: top
diff --git a/share/debian-edu-config/tools/gosa-lock-user b/share/debian-edu-config/tools/gosa-lock-user
new file mode 100755
index 0000000..54101e3
--- /dev/null
+++ b/share/debian-edu-config/tools/gosa-lock-user
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+set -e
+
+## This script is run by www-data using sudo. Keep that in mind!
+## Make sure that malicious execution cannot hurt.
+##
+## This script creates the home directories and principals for users
+## added with gosa.  There are some tests that make sure only
+## non-existent home directories are created.  Malicious execution
+## cannot hurt, because either the user is missing in ldap or his home
+## directory already exists. In both cases nothing should happen.
+
+USERDN="$1"
+USERID=`echo "$USERDN" | sed "s/^uid=\([^,]*\),.*$/\1/"`
+USEROU=`echo "$USERDN" | sed "s/^uid=[^,]*,\(.*\)$/\1/"`
+
+# test if user ID exists
+set +e
+LANG=C ldapsearch -x "(&(uid=$USERID)(objectClass=gosaAccount)(objectClass=krbPrincipalAux))" -b "${USEROU}" | tail -n1 | grep -q -E "^# numEntries: 1$"
+ret=$?
+set -e
+if [ "x$ret" = "x0" ]; then
+	set +e
+	success=$(LANG=C kadmin.local -q "modify_principal -allow_tix $USERID" | grep -E "^Principal\ .*@.*\ modified.$")
+	set -e
+	if [ -n "$success" ]; then
+		logger -t gosa-lock-user -p notice "Kerberos account of user '$USERID' (DN: $USERDN) has been locked."
+	else
+		OUT="Locking Kerberos account of user '$USERID' (DN: $USERDN) failed."
+		echo "$OUT"
+		logger -t gosa-lock-user -p warning "$OUT"
+	fi
+else
+	OUT="User account '$USERID' (DN: $USERDN) does not exist."
+	echo "$OUT"
+	logger -t gosa-lock-user -p warning "$OUT"
+fi
+
+exit 0
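Review bot: `USERID` is derived from the caller-supplied DN by a sed substitution that leaves the input unchanged when the `^uid=...,` pattern does not match, and it is then interpolated unquoted into the ldapsearch filter `(&(uid=$USERID)...)` and into the `kadmin.local -q "modify_principal -allow_tix $USERID"` query; since this runs as root via sudo on www-data's behalf, the uid should be restricted to a safe character set before either use, e.g. directly after the `USEROU=` line: `case "$USERID" in` / `  ""|*[!A-Za-z0-9._-]*) logger -t gosa-lock-user -p warning "Refusing DN '$USERDN': unexpected uid syntax."; exit 0 ;;` / `esac`. The same applies to the corresponding three lines in gosa-unlock-user. Separately, the `##` header block after the sudo warning was copied from the account-creation tool and describes creating home directories and principals, which this script does not do; it should instead state that the script sets `-allow_tix` on the user's Kerberos principal after GOsa has locked the account, and that a uid not found in LDAP only produces a warning. gosa-unlock-user carries the same stale header and needs the matching correction for `+allow_tix`.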
diff --git a/share/debian-edu-config/tools/gosa-unlock-user b/share/debian-edu-config/tools/gosa-unlock-user
new file mode 100755
index 0000000..e4d2793
--- /dev/null
+++ b/share/debian-edu-config/tools/gosa-unlock-user
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+set -e
+
+## This script is run by www-data using sudo. Keep that in mind!
+## Make sure that malicious execution cannot hurt.
+##
+## This script creates the home directories and principals for users
+## added with gosa.  There are some tests that make sure only
+## non-existent home directories are created.  Malicious execution
+## cannot hurt, because either the user is missing in ldap or his home
+## directory already exists. In both cases nothing should happen.
+
+USERDN="$1"
+USERID=`echo "$USERDN" | sed "s/^uid=\([^,]*\),.*$/\1/"`
+USEROU=`echo "$USERDN" | sed "s/^uid=[^,]*,\(.*\)$/\1/"`
+
+# test if user ID exists
+set +e
+LANG=C ldapsearch -x "(&(uid=$USERID)(objectClass=gosaAccount)(objectClass=krbPrincipalAux))" -b "${USEROU}" | tail -n1 | grep -q -E "^# numEntries: 1$"
+ret=$?
+set -e
+if [ "x$ret" = "x0" ]; then
+	set +e
+	success=$(LANG=C kadmin.local -q "modify_principal +allow_tix $USERID" | grep -E "^Principal\ .*@.*\ modified.$")
+	set -e
+	if [ -n "$success" ]; then
+		logger -t gosa-unlock-user -p notice "Kerberos account of user '$USERID' (DN: $USERDN) has been unlocked."
+	else
+		OUT="Unlocking Kerberos account of user '$USERID' (DN: $USERDN) failed."
+		echo "$OUT"
+		logger -t gosa-unlock-user -p warning $OUT
+	fi
+else
+	OUT="User account '$USERID' (DN: $USERDN) does not exist."
+	echo "$OUT"
+	logger -t gosa-lock-user -p warning "$OUT"
+fi
+
+exit 0
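Review bot: The failure branch's `logger -t gosa-unlock-user -p warning $OUT` leaves `$OUT` unquoted, so the message is word-split and glob-expanded before logger reassembles it, unlike the quoted form used in the `else` branch below and throughout gosa-lock-user; it should read `logger -t gosa-unlock-user -p warning "$OUT"`. The final `else` branch also tags its syslog line `gosa-lock-user` although this is the unlock script, so a log search for unlock problems will not find the "does not exist" warning; change it to `logger -t gosa-unlock-user -p warning "$OUT"`.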



