[debian-edu-commits] [Git][debian-edu/debian-edu-config][master] 7 commits: ldap-createuser-krb5: Fix user creation

Mike Gabriel (@sunweaver) gitlab at salsa.debian.org
Mon Aug 7 15:08:12 BST 2023



Mike Gabriel pushed to branch master at Debian Edu / debian-edu-config


Commits:
98b9a05d by Guido Berhoerster at 2023-07-31T12:52:49+02:00
ldap-createuser-krb5: Fix user creation

Remove Samba NT4 domain support, add samba user using smbpasswd.
Add root CA for new users (copied from gosa-create).
Closes: #1042456

- - - - -
ec303a6a by Guido Berhoerster at 2023-08-07T11:05:58+02:00
ldap-createuser-krb5: fix new UID/GID selection

Exclude special users (UID/GID >= 10000) when looking for the highest UID/GID.

- - - - -
83a921a4 by Guido Berhoerster at 2023-08-07T11:06:43+02:00
ldap-createuser-krb5: add CLI options for uid/gid/department

Also ensure script is run as root.

- - - - -
3c671914 by Guido Berhoerster at 2023-08-07T11:06:43+02:00
ldap-createuser-krb5: Add additional attributes based on template users

- - - - -
25c911dd by Guido Berhoerster at 2023-08-07T11:06:43+02:00
ldap-createuser-krb5: add support for additional groups

- - - - -
dffca0f4 by Guido Berhoerster at 2023-08-07T11:06:43+02:00
ldap-createuser-krb5: send welcome email in order to create maildir

Without this the maildir in /var/mail/<user> will not exist and Dovecot will
refuse to let the user log in as it cannot create this directory.

- - - - -
a037063a by Guido Berhoerster at 2023-08-07T15:04:46+02:00
ldap-createuser-krb5: set LDAP password when creating users

This allows users to use gosa to change their password.

- - - - -


1 changed file:

- ldap-tools/ldap-createuser-krb5


Changes:

=====================================
ldap-tools/ldap-createuser-krb5
=====================================
@@ -5,26 +5,74 @@
 # users at the same time to LDAP, as the uid and gid values will
 # conflict.
 
-# The samba related attributes are described in
-# <URL: http://download.gna.org/smbldap-tools/docs/samba-ldap-howto/#htoc43 >
-
 set -e
 
+function usage {
+    cat >&2 <<EOF
+Usage: $0 [-u uid] [-g gid] [-G group[,group]...] [-d department] <username> <gecos>
+  Create a user with a personal group and configure its kerberos
+  principal.
+EOF
+}
+
+if [[ $(id -u) -ne 0 ]]; then
+    printf "error: this script needs to be run as root\n" >&2
+    exit 1
+fi
+
+NEWUID=
+NEWGID=
+ADDITIONAL_GROUPS=
+DEPT=
+while getopts "d:hg:G:u:" arg; do
+    case $arg in
+    d)
+        DEPT="${OPTARG}"
+        ;;
+    g)
+        NEWGID="${OPTARG}"
+        ;;
+    G)
+        ADDITIONAL_GROUPS="${OPTARG}"
+        ;;
+    u)
+        NEWUID="${OPTARG}"
+        ;;
+    h)
+        usage
+        exit 0
+        ;;
+    *)
+        usage
+        exit 2
+    esac
+done
+shift $((OPTIND - 1))
+
 USERNAME="$1"
+
 # posixAccount only accept ASCII in the gecos attribute.  Make sure
 # any non-ascii characters are converted apprpropriately.
 GECOS="$(echo $2 | iconv -t ASCII//TRANSLIT)"
 
-if [ -z "$USERNAME" -o -z "$GECOS" ] ; then 
-    echo "Usage: $0 <username> <gecos>"
-    echo
-    echo "  Create a user with a personal group and configure its kerberos"
-    echo "  principal."
+if [[ $# -ne 2 || -z "$USERNAME" || -z "$GECOS" ]]; then
+    usage
     exit 1
 fi
 
-# Put users in first gosaDepartment
-BASE=$(ldapsearch -x "(objectClass=gosaDepartment)" 2>/dev/null | perl -p0e 's/\n //g' | awk '/^dn: / {print $2}' | sort | head -1)
+read -rs -p "new password: " PASSWORD
+read -rs -p "confirm password: " CONFIRM
+if [[ "${CONFIRM}" != "${PASSWORD}" ]]; then
+    echo "passwords do not match" >&2
+    exit 1
+fi
+
+if [[ -n $DEPT ]]; then
+    BASE="$(ldapsearch -x -LLL -o ldif-wrap=no "(&(objectClass=gosaDepartment)(ou:dn:=${DEPT}))" 2>/dev/null | awk '/^dn: / {print $2}' | sort | head -1)"
+else
+    # Put users in first gosaDepartment
+    BASE=$(ldapsearch -x -LLL -o ldif-wrap=no "(objectClass=gosaDepartment)" 2>/dev/null | awk '/^dn: / {print $2}' | sort | head -1)
+fi
 
 if [ -z "$BASE" ] ; then
     BASE="$(debian-edu-ldapserver -b)"
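Review bot: A `-d` value that matches no gosaDepartment is not treated as an error in the new branch: `BASE` stays empty and the unchanged `if [ -z "$BASE" ]` fallback at the end of the hunk silently puts the user at the server base DN instead, so a mistyped department is never reported. Add `[[ -n $BASE ]] || { printf 'department not found: %s\n' "$DEPT" >&2; exit 1; }` right after the search in the `-d` branch. `${DEPT}` is also spliced unescaped into the LDAP filter `(ou:dn:=${DEPT})`, and `$USERNAME` into the DNs further down; a conservative allow-list before the search, `[[ $DEPT =~ ^[[:alnum:]._-]+$ ]] || { printf 'invalid department: %s\n' "$DEPT" >&2; exit 1; }`, keeps filter metacharacters out of the query. The two `read -rs -p` prompts leave no newline after the typed input, so the confirm prompt lands on the same terminal line; an `echo >&2` after each read, plus a check that `PASSWORD` is non-empty before it reaches slappasswd and kadmin, would round this out.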
@@ -39,44 +87,10 @@ ADMINUSER="admin";
 admindn=$(ldapsearch -x "(&(cn=$ADMINUSER)(objectClass=simpleSecurityObject))" 2>/dev/null | perl -p0e 's/\n //g' | awk '/^dn: / {print $2}')
 
 HOMEDIR=/skole/tjener/home0/$USERNAME
-SMBHOMEPATH="\\\\tjener.intern\\$USERNAME"
 KRB5DOMAIN=INTERN
-SAMBADOMAIN=SKOLELINUX
 PWLASTCHANGE=$(( $(date +%s) / (60 * 60 * 24) ))
 
-# Find last UID/GID
-SAMBASID=`net getlocalsid $HOSTNAME 2>/dev/null | awk '{ print $6; }'`
-
-if [ -z "$SAMBASID" ] ; then
-    echo "error: unable to fetch Samba SID"
-    exit 1
-fi
-
-SAMBADOMAINDN=$(ldapsearch -x -s sub \
-    "(&(objectclass=sambaDomain)(sambaDomainName=$SAMBADOMAIN))" \
-    dn 2>/dev/null | perl -p0e 's/\n //g' | \
-    awk '/^dn: / { print $2}')
-
-if [ -z "$SAMBADOMAINDN" ] ; then
-    echo "error: unable to find sambaDomain LDAP object"
-    exit 1
-fi
-
-SAMBARID=$(ldapsearch -s base -b "$SAMBADOMAINDN" -x \
-    sambaNextRid 2>/dev/null | perl -p0e 's/\n //g' | \
-    awk '/^sambaNextRid: / { print $2}')
-
-if [ -z "$SAMBARID" ] ; then
-    echo "error: unable to find sambaNextRid LDAP attribute in $SAMBADOMAINDN"
-    exit 1
-fi
-
-NEXTRID=$(( $SAMBARID + 1 ))
-
-LASTID=$(ldapsearch -s sub -x \
-    '(|(objectclass=posixaccount)(objectclass=posixgroup))' \
-    uidnumber gidnumber 2>/dev/null | perl -p0e 's/\n //g' | \
-    awk '/^[ug]idNumber: / {if (max < $2) { max = $2; } } END { print max}')
+LASTID="$(ldapsearch -x -LLL -o ldif-wrap=no '(|(&(objectclass=posixaccount)(uidNumber>=1000)(uidNumber<=10000))(&(objectclass=posixgroup)(gidNumber>=1000)(gidNumber<=10000)))' uidnumber gidnumber 2>/dev/null | awk '/^[ug]idNumber: / {if (max < $2) { max = $2; } } END { print max}')"
 
 # If no ID was found, use LASTID=1000-1 to get uid/gid=1000
 if [ -z "$LASTID" ] ; then
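Review bot: The new filter keeps `uidNumber<=10000` and `gidNumber<=10000`, so an entry with ID exactly 10000 is still counted, which contradicts the commit message's intent to exclude IDs >= 10000. LDAP filters have no strict less-than, so the bound should read `(uidNumber<=9999)` and `(gidNumber<=9999)`. A one-line comment above the search, `# only ordinary users/groups (1000..9999); special accounts live at >= 10000`, would make the chosen range self-documenting for the next maintainer.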
@@ -92,6 +106,8 @@ if [ -z "$NEWGID" ] ; then
     ldif="$ldif
 
 dn: cn=$USERNAME,$GROUPBASE
+changetype: add
+objectClass: top
 objectClass: posixGroup
 cn: $USERNAME
 description: Private group of user $USERNAME
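Review bot: When `-g` is supplied the enclosing `if [ -z "$NEWGID" ]` (which starts before this hunk) skips creating the private group, but nothing in the patch checks that the supplied `-u`/`-g` values are numeric, unused, or in the case of the gid backed by an existing posixGroup before they are written into the LDIF. A guard at option-parsing time such as `[[ $NEWGID =~ ^[0-9]+$ ]] || { printf 'invalid gid: %s\n' "$NEWGID" >&2; exit 1; }` (and the same for `NEWUID`), followed by an ldapsearch for an existing uidNumber/gidNumber, would keep the record from referencing a duplicate or non-existent ID. The added `changetype: add` and `objectClass: top` lines themselves look correct for the switch to `ldapmodify` later in the file.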
@@ -99,21 +115,26 @@ gidNumber: $NEWGID
 "
 fi
 
+USER_PASSWORD="$(slappasswd -h '{CRYPT}' -c '$y$j9T$%.16s$' -T /dev/stdin <<<"${PASSWORD}")"
+
 ldif="$ldif
 
 dn: uid=$USERNAME,$USERBASE
+changetype: add
+objectClass: top
 objectClass: person
 objectClass: organizationalPerson
 objectClass: inetOrgPerson
+objectClass: gosaAccount
 objectClass: posixAccount
 objectClass: shadowAccount
 objectClass: krbPrincipalAux
-objectClass: sambaSamAccount
+objectClass: krbTicketPolicyAux
 sn: $GECOS
 givenName: $GECOS
 uid: $USERNAME
 cn: $GECOS
-userPassword: {SSHA}N0T$3T4N0W
+userPassword: $USER_PASSWORD
 homeDirectory: $HOMEDIR
 loginShell: /bin/bash
 uidNumber: $NEWUID
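Review bot: The here-string on the `USER_PASSWORD=` line appends a newline to the password before slappasswd reads it through `-T /dev/stdin`; if slappasswd hashes the file contents verbatim (the OpenLDAP `-T`/`-y` file options are documented as using the complete file contents, but confirm against the installed version), the stored userPassword would be the hash of `password\n` while the Kerberos principal is set to the bare password, so the two would not agree. Feeding the value without a trailing newline avoids the question: `USER_PASSWORD="$(printf '%s' "$PASSWORD" | slappasswd -h '{CRYPT}' -c '$y$j9T$%.16s$' -T /dev/stdin)"`. Note also that the unchanged `echo "$ldif"` later in the file now prints the live password hash to the terminal; consider emitting it only under a verbose flag.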
@@ -123,30 +144,67 @@ shadowLastChange: $PWLASTCHANGE
 shadowMin: 0
 shadowMax: 99999
 shadowWarning: 7
-sambaSID: $SAMBASID-$SAMBARID
-sambaAcctFlags: [U]
-sambaHomePath: SMBHOMEPATH
+krbPwdPolicyReference: cn=users,cn=${KRB5DOMAIN},cn=kerberos,$(debian-edu-ldapserver -b)
 krbPrincipalName: $USERNAME@$KRB5DOMAIN
 "
 
-# Update samba RIN
-ldif="$ldif
-dn: $SAMBADOMAINDN
+oIFS="${IFS}"
+IFS=","
+set -- $ADDITIONAL_GROUPS
+IFS="${oIFS}"
+for group; do
+    group_dn="$(ldapsearch -x -LLL -o ldif-wrap=no "(&(objectClass=posixGroup)(cn=$group))" '')"
+    if [ -z "${group_dn}" ]; then
+        echo "group not found: ${group}" >&2
+        continue
+    fi
+    ldif="$ldif
+
+$group_dn
 changetype: modify
-replace: sambaNextRid
-sambaNextRid: $NEXTRID
+add: memberUid
+memberUid: $USERNAME
 "
+done
 
 echo "$ldif"
 
-if echo "$ldif" | ldapadd -ZZ -D "$admindn" -W -v -x ; then
+if echo "$ldif" | ldapmodify -ZZ -D "$admindn" -W -v -x ; then
 
     # Set the kerberos password
-    kadmin.local -q "change_password $USERNAME@$KRB5DOMAIN"
+    kadmin.local <<EOF
+change_password $USERNAME@$KRB5DOMAIN
+${PASSWORD}
+${PASSWORD}
+EOF
 
     # Create home directory
     if [ ! -d $HOMEDIR ] ; then
-	cp -r /etc/skel $HOMEDIR
-	chown -R $NEWUID:$NEWGID $HOMEDIR
+        cp -r /etc/skel $HOMEDIR
+        mkdir -p $HOMEDIR/.pki/nssdb
+        chmod -R 700 $HOMEDIR/.pki/nssdb
+        certutil  -A -d sql:$HOMEDIR/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
+        chown -R $NEWUID:$NEWGID $HOMEDIR
     fi
+
+    # add Samba user
+    smbpasswd -a -n -s $USERNAME
+
+    # Send welcome mail in order to create maildir for dovecot
+    /usr/lib/sendmail "${USERNAME}@postoffice.intern" <<EOF
+Subject: Welcome to the mail-system
+
+Hello $GECOS,
+
+welcome to the mail-system.
+
+Your userID is $USERNAME, and your email address is:
+
+    $USERNAME at postoffice.intern
+
+Regards,
+
+    Debian-Edu SysAdmin
+
+EOF
 fi
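Review bot: `smbpasswd -a -n -s $USERNAME` creates the Samba account with a null password: `-n` sets the password to empty, so nothing is read from stdin and the password just collected is never applied on the Samba side even though it is used for LDAP and Kerberos. If one password everywhere is the intent, pipe it in instead, `printf '%s\n%s\n' "$PASSWORD" "$PASSWORD" | smbpasswd -a -s "$USERNAME"`; if an empty Samba password is deliberate, a comment saying why would stop the next reader from "fixing" it. In the home-directory block `chmod -R 700 $HOMEDIR/.pki/nssdb` runs before `certutil` creates the database files, so the files themselves keep certutil's default mode; move the chmod after the certutil call. In the group loop `group_dn` holds every `dn:` line ldapsearch returns, so a filter matching more than one posixGroup would yield an LDIF record with two dn lines; piping through `awk '/^dn: /{print; exit}'` keeps the record well-formed.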




