[debian-edu-commits] debian-edu/ 02/05: GOsa: Add POSTLOCK and POSTUNLOCK hooks for GOsa password locking. These hook scripts (gosa-lock-user, gosa-unlock-user) take care of locking/ unlocking the Kerberos part of user accounts. (Closes: #804207).

Mike Gabriel sunweaver at debian.org
Mon Jan 11 16:45:05 UTC 2016 

This is an automated email from the git hooks/post-receive script.

sunweaver pushed a commit to branch jessie
in repository debian-edu-config.

commit b05e5967c8788a29fd997cbf61546f041877e782
Author: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
Date:   Fri Nov 6 11:06:05 2015 +0100

    GOsa: Add POSTLOCK and POSTUNLOCK hooks for GOsa password locking. These hook scripts (gosa-lock-user, gosa-unlock-user) take care of locking/ unlocking the Kerberos part of user accounts. (Closes: #804207).
---
 Makefile                                       |  2 ++
 debian/changelog                               |  3 ++
 etc/gosa/gosa.conf                             |  4 ++-
 ldap-bootstrap/sudo.ldif                       |  2 ++
 share/debian-edu-config/tools/gosa-lock-user   | 40 ++++++++++++++++++++++++++
 share/debian-edu-config/tools/gosa-unlock-user | 40 ++++++++++++++++++++++++++
 6 files changed, 90 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 4db1495..1b3f493 100644
--- a/Makefile
+++ b/Makefile
@@ -357,9 +357,11 @@ install: install-testsuite
 		share/debian-edu-config/tools/get-default-homepage \
 		share/debian-edu-config/tools/gosa-create \
 		share/debian-edu-config/tools/gosa-create-host \
+		share/debian-edu-config/tools/gosa-lock-user \
 		share/debian-edu-config/tools/gosa-remove \
 		share/debian-edu-config/tools/gosa-sync \
 		share/debian-edu-config/tools/gosa-sync-dns-nfs \
+		share/debian-edu-config/tools/gosa-unlock-user \
 		share/debian-edu-config/tools/iceweasel-plugin-support \
 		share/debian-edu-config/tools/kerberos-kdc-init \
 		share/debian-edu-config/tools/ldap2bind-updatezonelist \
diff --git a/debian/changelog b/debian/changelog
index a751db9..7112015 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -24,6 +24,9 @@ debian-edu-config (1.818+deb8u1) UNRELEASED; urgency=low
     main server.
   * wpad.dat: Use DIRECT connects for URL hosts being in network 127./8 and
     for hosts being in the .local domain. (Closes: #803911).
+  * GOsa: Add POSTLOCK and POSTUNLOCK hooks for GOsa password locking. These
+    hook scripts (gosa-lock-user, gosa-unlock-user) take care of locking/
+    unlocking the Kerberos part of user accounts. (Closes: #804207).
 
  -- Petter Reinholdtsen <pere at debian.org>  Sat, 16 May 2015 23:12:06 +0200
 
diff --git a/etc/gosa/gosa.conf b/etc/gosa/gosa.conf
index 4b64475..0f67b41 100644
--- a/etc/gosa/gosa.conf
+++ b/etc/gosa/gosa.conf
@@ -76,7 +76,9 @@
   <pathMenu>
       <plugin acl="users/netatalk:self,users/environment:self,users/posixAccount:self,users/kolabAccount:self,users/phpscheduleitAccount:self,users/oxchangeAccount:self,users/proxyAccount:self,users/connectivity:self,users/pureftpdAccount:self,users/phpgwAccount:self,users/opengwAccount:self,users/pptpAccount:self,users/intranetAccount:self, users/webdavAccount:self,users/nagiosAccount:self,users/sambaAccount:self,users/mailAccount:self,users/groupware, users/user:self,users/scalixAccoun [...]
       <plugin acl="users/password:self" class="password" 
-              postmodify="USERPASSWORD=%new_password /usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync %dn"/>
+              postmodify="USERPASSWORD=%new_password /usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync %dn"
+              postlock="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-lock-user %dn"
+              postunlock="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-unlock-user %dn" />
   </pathMenu>
 
 
diff --git a/ldap-bootstrap/sudo.ldif b/ldap-bootstrap/sudo.ldif
index 91e7f48..11e52a5 100644
--- a/ldap-bootstrap/sudo.ldif
+++ b/ldap-bootstrap/sudo.ldif
@@ -25,6 +25,8 @@ sudoCommand: /usr/share/debian-edu-config/tools/gosa-sync
 sudoCommand: /usr/share/debian-edu-config/tools/gosa-remove
 sudoCommand: /usr/share/debian-edu-config/tools/gosa-create
 sudoCommand: /usr/share/debian-edu-config/tools/gosa-sync-dns-nfs
+sudoCommand: /usr/share/debian-edu-config/tools/gosa-lock-user
+sudoCommand: /usr/share/debian-edu-config/tools/gosa-unlock-user
 
 dn: cn=root,ou=sudoers,dc=skole,dc=skolelinux,dc=no
 objectClass: top
diff --git a/share/debian-edu-config/tools/gosa-lock-user b/share/debian-edu-config/tools/gosa-lock-user
new file mode 100755
index 0000000..54101e3
--- /dev/null
+++ b/share/debian-edu-config/tools/gosa-lock-user
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+set -e
+
+## This script is run by www-data using sudo. Keep that in mind!
+## Make sure that malicious execution cannot hurt.
+##
+## This script creates the home directories and principals for users
+## added with gosa.  There are some tests that make sure only
+## non-existent home directories are created.  Malicious execution
+## cannot hurt, because either the user is missing in ldap or his home
+## directory already exists. In both cases nothing should happen.
+
+USERDN="$1"
+USERID=`echo "$USERDN" | sed "s/^uid=\([^,]*\),.*$/\1/"`
+USEROU=`echo "$USERDN" | sed "s/^uid=[^,]*,\(.*\)$/\1/"`
+
+# test if user ID exists
+set +e
+LANG=C ldapsearch -x "(&(uid=$USERID)(objectClass=gosaAccount)(objectClass=krbPrincipalAux))" -b "${USEROU}" | tail -n1 | grep -q -E "^# numEntries: 1$"
+ret=$?
+set -e
+if [ "x$ret" = "x0" ]; then
+	set +e
+	success=$(LANG=C kadmin.local -q "modify_principal -allow_tix $USERID" | grep -E "^Principal\ .*@.*\ modified.$")
+	set -e
+	if [ -n "$success" ]; then
+		logger -t gosa-lock-user -p notice "Kerberos account of user '$USERID' (DN: $USERDN) has been locked."
+	else
+		OUT="Locking Kerberos account of user '$USERID' (DN: $USERDN) failed."
+		echo "$OUT"
+		logger -t gosa-lock-user -p warning "$OUT"
+	fi
+else
+	OUT="User account '$USERID' (DN: $USERDN) does not exist."
+	echo "$OUT"
+	logger -t gosa-lock-user -p warning "$OUT"
+fi
+
+exit 0
diff --git a/share/debian-edu-config/tools/gosa-unlock-user b/share/debian-edu-config/tools/gosa-unlock-user
new file mode 100755
index 0000000..e4d2793
--- /dev/null
+++ b/share/debian-edu-config/tools/gosa-unlock-user
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+set -e
+
+## This script is run by www-data using sudo. Keep that in mind!
+## Make sure that malicious execution cannot hurt.
+##
+## This script creates the home directories and principals for users
+## added with gosa.  There are some tests that make sure only
+## non-existent home directories are created.  Malicious execution
+## cannot hurt, because either the user is missing in ldap or his home
+## directory already exists. In both cases nothing should happen.
+
+USERDN="$1"
+USERID=`echo "$USERDN" | sed "s/^uid=\([^,]*\),.*$/\1/"`
+USEROU=`echo "$USERDN" | sed "s/^uid=[^,]*,\(.*\)$/\1/"`
+
+# test if user ID exists
+set +e
+LANG=C ldapsearch -x "(&(uid=$USERID)(objectClass=gosaAccount)(objectClass=krbPrincipalAux))" -b "${USEROU}" | tail -n1 | grep -q -E "^# numEntries: 1$"
+ret=$?
+set -e
+if [ "x$ret" = "x0" ]; then
+	set +e
+	success=$(LANG=C kadmin.local -q "modify_principal +allow_tix $USERID" | grep -E "^Principal\ .*@.*\ modified.$")
+	set -e
+	if [ -n "$success" ]; then
+		logger -t gosa-unlock-user -p notice "Kerberos account of user '$USERID' (DN: $USERDN) has been unlocked."
+	else
+		OUT="Unlocking Kerberos account of user '$USERID' (DN: $USERDN) failed."
+		echo "$OUT"
+		logger -t gosa-unlock-user -p warning $OUT
+	fi
+else
+	OUT="User account '$USERID' (DN: $USERDN) does not exist."
+	echo "$OUT"
+	logger -t gosa-lock-user -p warning "$OUT"
+fi
+
+exit 0

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/debian-edu/debian-edu-config.git

More information about the debian-edu-commits mailing list