[debian-edu-commits] [Git][debian-edu/debian-edu-config][personal/gber/fix-ldap-createuser-krb5] 5 commits: ldap-createuser-krb5: fix new UID/GID selection
Guido Berhörster (@gber)
gitlab at salsa.debian.org
Mon Aug 7 10:07:20 BST 2023
Guido Berhörster pushed to branch personal/gber/fix-ldap-createuser-krb5 at Debian Edu / debian-edu-config
Commits:
ec303a6a by Guido Berhoerster at 2023-08-07T11:05:58+02:00
ldap-createuser-krb5: fix new UID/GID selection
Exclude special users (UID/GID >= 10000) when looking for the highest UID/GID.
- - - - -
83a921a4 by Guido Berhoerster at 2023-08-07T11:06:43+02:00
ldap-createuser-krb5: add CLI options for uid/gid/department
Also ensure script is run as root.
- - - - -
3c671914 by Guido Berhoerster at 2023-08-07T11:06:43+02:00
ldap-createuser-krb5: Add additional attributes based on template users
- - - - -
25c911dd by Guido Berhoerster at 2023-08-07T11:06:43+02:00
ldap-createuser-krb5: add support for additional groups
- - - - -
dffca0f4 by Guido Berhoerster at 2023-08-07T11:06:43+02:00
ldap-createuser-krb5: send welcome email in order to create maildir
Without this the maildir in /var/mail/<user> will not exist and Dovecot will
refuse to let the user log in as it cannot create this directory.
- - - - -
1 changed file:
- ldap-tools/ldap-createuser-krb5
Changes:
=====================================
ldap-tools/ldap-createuser-krb5
=====================================
@@ -7,21 +7,65 @@
set -e
+function usage {
+ cat >&2 <<EOF
+Usage: $0 [-u uid] [-g gid] [-G group[,group]...] [-d department] <username> <gecos>
+ Create a user with a personal group and configure its kerberos
+ principal.
+EOF
+}
+
+if [[ $(id -u) -ne 0 ]]; then
+ printf "error: this script needs to be run as root\n" >&2
+ exit 1
+fi
+
+NEWUID=
+NEWGID=
+ADDITIONAL_GROUPS=
+DEPT=
+while getopts "d:hg:G:u:" arg; do
+ case $arg in
+ d)
+ DEPT="${OPTARG}"
+ ;;
+ g)
+ NEWGID="${OPTARG}"
+ ;;
+ G)
+ ADDITIONAL_GROUPS="${OPTARG}"
+ ;;
+ u)
+ NEWUID="${OPTARG}"
+ ;;
+ h)
+ usage
+ exit 0
+ ;;
+ *)
+ usage
+ exit 2
+ esac
+done
+shift $((OPTIND - 1))
+
USERNAME="$1"
+
# posixAccount only accept ASCII in the gecos attribute. Make sure
# any non-ascii characters are converted apprpropriately.
GECOS="$(echo $2 | iconv -t ASCII//TRANSLIT)"
-if [ -z "$USERNAME" -o -z "$GECOS" ] ; then
- echo "Usage: $0 <username> <gecos>"
- echo
- echo " Create a user with a personal group and configure its kerberos"
- echo " principal."
+if [[ $# -ne 2 || -z "$USERNAME" || -z "$GECOS" ]]; then
+ usage
exit 1
fi
-# Put users in first gosaDepartment
-BASE=$(ldapsearch -x "(objectClass=gosaDepartment)" 2>/dev/null | perl -p0e 's/\n //g' | awk '/^dn: / {print $2}' | sort | head -1)
+if [[ -n $DEPT ]]; then
+ BASE="$(ldapsearch -x -LLL -o ldif-wrap=no "(&(objectClass=gosaDepartment)(ou:dn:=${DEPT}))" 2>/dev/null | awk '/^dn: / {print $2}' | sort | head -1)"
+else
+ # Put users in first gosaDepartment
+ BASE=$(ldapsearch -x -LLL -o ldif-wrap=no "(objectClass=gosaDepartment)" 2>/dev/null | awk '/^dn: / {print $2}' | sort | head -1)
+fi
if [ -z "$BASE" ] ; then
BASE="$(debian-edu-ldapserver -b)"
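Review bot: The values taken from the new -u, -g and -d options are used without validation: `$DEPT` is spliced verbatim into the LDAP filter on the line `(ou:dn:=${DEPT})`, where `*`, `(`, `)` or `\` change the filter's meaning, and NEWUID/NEWGID are later written into the LDIF and handed to chown with no check that they are numeric. After the `shift $((OPTIND - 1))` line add `[[ -z $NEWUID || $NEWUID =~ ^[0-9]+$ ]] || { usage; exit 2; }`, the same for NEWGID, and `[[ -z $DEPT || $DEPT =~ ^[A-Za-z0-9._-]+$ ]] || { usage; exit 2; }`. Whether a caller-supplied UID/GID is compared against existing uidNumber/gidNumber values is not visible in this hunk; if no such check exists it is worth adding, since a plain directory does not enforce uniqueness of those attributes by itself. A smaller point: the `h)` arm prints usage to stderr (the heredoc is `cat >&2`) yet exits 0, so `-h` output cannot be captured on stdout.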
@@ -39,10 +83,7 @@ HOMEDIR=/skole/tjener/home0/$USERNAME
KRB5DOMAIN=INTERN
PWLASTCHANGE=$(( $(date +%s) / (60 * 60 * 24) ))
-LASTID=$(ldapsearch -s sub -x \
- '(|(objectclass=posixaccount)(objectclass=posixgroup))' \
- uidnumber gidnumber 2>/dev/null | perl -p0e 's/\n //g' | \
- awk '/^[ug]idNumber: / {if (max < $2) { max = $2; } } END { print max}')
+LASTID="$(ldapsearch -x -LLL -o ldif-wrap=no '(|(&(objectclass=posixaccount)(uidNumber>=1000)(uidNumber<=10000))(&(objectclass=posixgroup)(gidNumber>=1000)(gidNumber<=10000)))' uidnumber gidnumber 2>/dev/null | awk '/^[ug]idNumber: / {if (max < $2) { max = $2; } } END { print max}')"
# If no ID was found, use LASTID=1000-1 to get uid/gid=1000
if [ -z "$LASTID" ] ; then
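Review bot: The upper bound in the new LASTID filter, `(uidNumber<=10000)` and `(gidNumber<=10000)`, still includes ID 10000, although the commit message states that IDs >= 10000 are the special ones to exclude; LDAP filters have no strict less-than, so the bound should be `(uidNumber<=9999)` and `(gidNumber<=9999)`. As written, an existing entry with ID 10000 makes LASTID 10000 and the next allocated ID lands in the reserved range. The handling of LASTID continues past the hunk; I cannot see whether the computed next ID is itself checked against 9999 before use, and a guard there would close the same gap from the other side.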
@@ -58,6 +99,8 @@ if [ -z "$NEWGID" ] ; then
ldif="$ldif
dn: cn=$USERNAME,$GROUPBASE
+changetype: add
+objectClass: top
objectClass: posixGroup
cn: $USERNAME
description: Private group of user $USERNAME
@@ -68,12 +111,16 @@ fi
ldif="$ldif
dn: uid=$USERNAME,$USERBASE
+changetype: add
+objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
+objectClass: gosaAccount
objectClass: posixAccount
objectClass: shadowAccount
objectClass: krbPrincipalAux
+objectClass: krbTicketPolicyAux
sn: $GECOS
givenName: $GECOS
uid: $USERNAME
@@ -88,12 +135,32 @@ shadowLastChange: $PWLASTCHANGE
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
+krbPwdPolicyReference: cn=users,cn=${KRB5DOMAIN},cn=kerberos,$(debian-edu-ldapserver -b)
krbPrincipalName: $USERNAME@$KRB5DOMAIN
"
+oIFS="${IFS}"
+IFS=","
+set -- $ADDITIONAL_GROUPS
+IFS="${oIFS}"
+for group; do
+ group_dn="$(ldapsearch -x -LLL -o ldif-wrap=no "(&(objectClass=posixGroup)(cn=$group))" '')"
+ if [ -z "${group_dn}" ]; then
+ echo "group not found: ${group}" >&2
+ continue
+ fi
+ ldif="$ldif
+
+$group_dn
+changetype: modify
+add: memberUid
+memberUid: $USERNAME
+"
+done
+
echo "$ldif"
-if echo "$ldif" | ldapadd -ZZ -D "$admindn" -W -v -x ; then
+if echo "$ldif" | ldapmodify -ZZ -D "$admindn" -W -v -x ; then
# Set the kerberos password
kadmin.local -q "change_password $USERNAME@$KRB5DOMAIN"
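Review bot: Each group name from -G is interpolated unescaped into the LDAP filter at `(&(objectClass=posixGroup)(cn=$group))`; a value containing `*`, `(`, `)` or `\` changes the filter, and a `*` in particular can match several groups, which puts multiple `dn:` lines into `$group_dn` and yields a malformed modify record, while the unquoted `set -- $ADDITIONAL_GROUPS` additionally exposes such a value to pathname expansion. Add before the ldapsearch line `[[ $group =~ ^[A-Za-z0-9._-]+$ ]] || { printf 'invalid group name: %s\n' "$group" >&2; continue; }`. The empty-string attribute argument `''` presumably relies on ldapsearch printing only the dn for each match; the RFC 4511 selector for "no attributes" is `1.1`, which makes that intent explicit. Consider also ending each `add: memberUid` modification with a `-` line, the standard LDIF form, rather than relying on ldapmodify tolerating its omission.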
@@ -105,9 +172,26 @@ if echo "$ldif" | ldapadd -ZZ -D "$admindn" -W -v -x ; then
chmod -R 700 $HOMEDIR/.pki/nssdb
certutil -A -d sql:$HOMEDIR/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
chown -R $NEWUID:$NEWGID $HOMEDIR
- # kadmin.local -q "add_principal -policy users -randkey -x \"$USERDN\" $NEWUID"
fi
# add Samba user
smbpasswd -a -n -s $USERNAME
+
+ # Send welcome mail in order to create maildir for dovecot
+ /usr/lib/sendmail "${USERNAME}@postoffice.intern" <<EOF
+Subject: Welcome to the mail-system
+
+Hello $GECOS,
+
+welcome to the mail-system.
+
+Your userID is $USERNAME, and your email address is:
+
+ $USERNAME at postoffice.intern
+
+Regards,
+
+ Debian-Edu SysAdmin
+
+EOF
fi
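Review bot: The welcome message carries only a `Subject:` header, so the envelope recipient is the sole address on the mail and the delivered message shows no recipient; add `To: ${USERNAME}@postoffice.intern` above the `Subject:` line. The mail domain `postoffice.intern` is hard-coded both in the sendmail invocation and in the here-doc body; a `MAILDOMAIN=postoffice.intern` variable defined next to `KRB5DOMAIN` (outside this hunk) would keep the two in step. The sendmail exit status is not examined, and under `set -e` a delivery failure aborts the script at this point, after the LDAP, Kerberos and Samba steps have already completed; that is probably acceptable but deserves a comment, e.g. `# failure here leaves the account created but without a maildir`.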