[debian-lan-devel] [SCM] Debian-LAN development and packaging branch, master, updated. 0.7-6-g9aba855
Andreas B. Mundt
andi at debian.org
Mon Jan 21 21:48:22 UTC 2013
The following commit has been merged in the master branch:
commit 9aba8559a51d49728130bff94abf7148bd9c371d
Author: Andreas B. Mundt <andi at debian.org>
Date: Mon Jan 21 21:56:55 2013 +0100
Implement GOsa for user management.
GOsa manages the ou=gosa unit in LDAP. A user 'admin' is created in
LDAP with full administrative permissions with regard to GOsa.
Might need some polishing here and there.
ToDo:
* enable SSL and enforce HTTPS
* user mass creation
* predefined roles
* ...
diff --git a/fai/config/class/50-host-classes b/fai/config/class/50-host-classes
index 8891c40..8e6ea9a 100755
--- a/fai/config/class/50-host-classes
+++ b/fai/config/class/50-host-classes
@@ -41,6 +41,10 @@ FLAVOR="LVM7_A"
MAINSERVER_A="$FLAVOR LOG_SERVER PROXY NTP_SERVER DNS_SERVER NFS_SERVER MAIL_SERVER \
LDAP_CLIENT LDAP_SERVER KERBEROS_CLIENT KERBEROS_KDC KDC_LDAP SERVER_A"
+## Use this to install a setup with GOsa:
+#MAINSERVER_A="$FLAVOR LOG_SERVER PROXY NTP_SERVER DNS_SERVER NFS_SERVER MAIL_SERVER \
+#LDAP_CLIENT LDAP_SERVER KERBEROS_CLIENT KERBEROS_KDC KDC_LDAP SERVER_A GOSA"
+
WORKSTATION_A="LVM5_A LOG_CLIENT LDAP_CLIENT NFS_CLIENT KERBEROS_CLIENT CLIENT_A"
# Use a list of classes for your machine:
diff --git a/fai/config/files/etc/gosa/gosa.conf/GOSA b/fai/config/files/etc/gosa/gosa.conf/GOSA
new file mode 100644
index 0000000..ce8ede9
--- /dev/null
+++ b/fai/config/files/etc/gosa/gosa.conf/GOSA
@@ -0,0 +1,407 @@
+<?xml version="1.0"?>
+<conf configVersion="edb33ed1745798da76048582c2f16a48"
+ instancePassword=""
+ instanceUUID="cf086ce3-4b0a-45b5-b813-dc64eb51f1eb">
+
+ <!-- GOsa menu definition **************************************************
+
+ This tag defines the side and icon menu inside the
+ interface. Defining an entry here is no guarantie to get it shown,
+ though. Only entries with matching ACL's get shown.
+
+ There are two types of entries inside of the menu: section and plugin
+
+ Defining a section:
+
+ Open a <section> tag including a "name" attribute. This will show up in
+ the menu as a new section later on. Own entries are not handled via I18N
+ by default. Close the </section> tag after your plugin definitions.
+
+ Defining a plugin:
+
+ Open a <plugin> tag including a "class" attribute. The "class" should be
+ present inside your GOsa setup - the entry will be ignored if it is not.
+
+ Plugins should have an "acl" entry, that allows GOsa to decide wether
+ a user is allowed to see a plugin or not. The "acl" string matches with
+ an ACL definition done inside of GOsa -> ACLs.
+
+ You can override an icon by specifying the "icon" attribute.
+
+ For more information about possible configuration parameters, please take
+ a look at the gosa.conf(5) manual page.
+ -->
+ <menu>
+
+ <!-- Section to enable administrative services -->
+ <section name="Administration">
+ <plugin acl="department" class="departmentManagement" />
+
+ <!-- This long ACL list is required to exclude the users menu entry when only
+ 'viewFaxEntries' permissions are set -->
+ <plugin acl="users/netatalk,users/environment,users/posixAccount,users/kolabAccount,users/phpscheduleitAccount,users/oxchangeAccount,users/proxyAccount,users/connectivity,users/pureftpdAccount,users/phpgwAccount,users/opengwAccount,users/pptpAccount,users/intranetAccount,users/webdavAccount,users/nagiosAccount,users/sambaAccount,users/groupware,users/mailAccount,users/user,users/scalixAccount,users/password,users/gofaxAccount,users/phoneAccount,users/Groupware"
+ class="userManagement" />
+ <plugin acl="groups" class="groupManagement" />
+ <plugin acl="roles" class="roleManagement"/>
+ <plugin acl="acl" class="aclManagement" />
+ <plugin acl="ogroups" class="ogroupManagement" />
+ <plugin acl="sudo" class="sudoManagement" />
+ <plugin acl="application" class="applicationManagement" />
+ <plugin acl="mimetypes" class="mimetypeManagement" />
+ <plugin acl="devices" class="deviceManagement" />
+ <plugin acl="terminal/termgeneric,workstation/workgeneric,server/servgeneric,phone/phoneGeneric,printer/printgeneric,component/componentGeneric,winworkstation/wingeneric,opsi/opsiGeneric" class="systemManagement" />
+ <!-- Use 'lockDn' for dn
+ 'lockName' for name
+ 'lockType' for branch/freeze -->
+ <plugin acl="fai/faiScript,fai/faiHook,fai/faiTemplate,fai/faiVariable,fai/faiPartitionTable,fai/faiPackage,fai/faiProfile,fai/faiManagement,opsi/opsiProperties" class="faiManagement" />
+ <plugin acl="opsi" class="opsiLicenses"/>
+ <plugin acl="gofaxlist" class="blocklist" />
+ <plugin acl="gofonmacro" class="goFonMacro" />
+ <plugin acl="gofonconference" class="phoneConferenceManagment" />
+ </section>
+
+ <!-- Section to enable addon plugins -->
+ <section name="Addons">
+ <plugin acl="all/all" class="propertyEditor" />
+ <plugin acl="server/rSyslogServer" class="rsyslog" />
+<!-- <plugin acl="mailqueue" class="mailqueue" />-->
+ <plugin acl="users/viewFaxEntries:self,users/viewFaxEntries" class="faxreport" />
+ <plugin acl="users/viewFonEntries:self,users/viewFonEntries" class="fonreport" />
+ <plugin acl="gotomasses" class="gotomasses" />
+ <plugin acl="ldapmanager" class="ldif" />
+ </section>
+ </menu>
+
+ <!-- These entries will be rendered on the short-cut menu -->
+ <shortCutMenu>
+ <plugin acl="none" class="welcome" />
+ </shortCutMenu>
+
+ <!-- These entries will be rendered on the path navigator -->
+ <pathMenu>
+ <plugin acl="users/netatalk:self,users/environment:self,users/posixAccount:self,users/kolabAccount:self,users/phpscheduleitAccount:self,users/oxchangeAccount:self,users/proxyAccount:self,users/connectivity:self,users/pureftpdAccount:self,users/phpgwAccount:self,users/opengwAccount:self,users/pptpAccount:self,users/intranetAccount:self, users/webdavAccount:self,users/nagiosAccount:self,users/sambaAccount:self,users/mailAccount:self,users/groupware, users/user:self,users/scalixAccount:self,users/gofaxAccount:self,users/phoneAccount:self,users/Groupware:self" class="MyAccount" />
+ <plugin acl="users/password:self" class="password"
+ postmodify="USERPASSWORD=%new_password /usr/bin/sudo /usr/local/sbin/gosa-sync %dn"
+ />
+ </pathMenu>
+
+
+ <!-- Tab definitions *******************************************************
+
+ Tab definitions define the sub plugins which get included for certain
+ tabbed dialogs. If you change something here, never (!) remove the
+ primary (the first) "tab" tag which is defined. Most tabbed dialogs
+ need a primary plugin.
+
+ "*tab" should be looked for by a defined plugin. This one will take
+ every "tab" defined "class" and will show it inside of a tabbed dialog
+ with the header defined in "name".
+ -->
+
+ <!-- ACL dialog -->
+ <acltab>
+ <tab class="acl" name="ACL" />
+ </acltab>
+
+ <aclroletab>
+ <tab class="aclrole" name="ACL Role" />
+ </aclroletab>
+
+ <!-- User dialog -->
+ <usertabs>
+ <tab class="user" name="Generic" />
+ <tab class="posixAccount" name="POSIX" />
+ <tab class="sambaAccount" name="Samba" />
+ <tab class="netatalk" name="Netatalk" />
+ <tab class="mailAccount" name="Mail" />
+<!-- <tab class="Groupware" name="Groupware" />-->
+ <tab class="scalixAccount" name="Scalix" />
+ <tab class="environment" name="Desktop" />
+ <tab class="connectivity" name="Connectivity" />
+ <tab class="gofaxAccount" name="Fax" />
+ <tab class="phoneAccount" name="Phone" />
+ <tab class="nagiosAccount" name="Nagios" />
+ </usertabs>
+
+ <!-- User dialog -->
+ <MyAccountTabs>
+ <tab class="user" name="Generic" />
+ <tab class="posixAccount" name="POSIX"
+ postcreate="/usr/bin/sudo /usr/local/sbin/gosa-create %uid"
+ postremove="/usr/bin/sudo /usr/local/sbin/gosa-remove %uid %homeDirectory"
+ />
+ <tab class="sambaAccount" name="Samba" />
+ <tab class="netatalk" name="Netatalk" />
+ <tab class="mailAccount" name="Mail" />
+<!-- <tab class="Groupware" name="Groupware" />-->
+ <tab class="scalixAccount" name="Scalix" />
+ <tab class="environment" name="Desktop" />
+ <tab class="connectivity" name="Connectivity" />
+ <tab class="gofaxAccount" name="Fax" />
+ <tab class="phoneAccount" name="Phone" />
+ <tab class="nagiosAccount" name="Nagios" />
+ </MyAccountTabs>
+
+ <opsiLicenseTabs>
+ <tab class="licensePoolGeneric" name="Generic"/>
+ <tab class="licenseUsage" name="Usage"/>
+ </opsiLicenseTabs>
+
+ <!-- Group dialog -->
+ <grouptabs>
+ <tab class="group" name="Generic" />
+ <tab class="DynamicLdapGroup" name="Dynamic object" />
+ <tab class="environment" name="Desktop" />
+ <tab class="appgroup" name="Startmenu" />
+ <tab class="mailgroup" name="Mail" />
+<!-- <tab class="GroupwareSharedFolder" name="Groupware" />-->
+ </grouptabs>
+
+ <!-- Sudo dialog -->
+ <sudotabs>
+ <tab class="sudo" name="Generic" />
+ <tab class="sudoOption" name="Options" />
+ </sudotabs>
+
+ <!-- GOfax plugins -->
+ <faxblocktabs>
+ <tab class="blocklistGeneric" name="Generic" />
+ </faxblocktabs>
+
+ <!-- GOfon plugins -->
+ <conferencetabs>
+ <tab class="conference" name="Generic" />
+ </conferencetabs>
+
+ <macrotabs>
+ <tab class="macro" name="Generic" />
+ <tab class="macroParameter" name="Parameter" />
+ </macrotabs>
+
+ <phonetabs>
+ <tab class="phoneGeneric" name="Generic" />
+ </phonetabs>
+
+ <!-- GOto plugins -->
+ <appstabs>
+ <tab class="application" name="Generic" />
+ <tab class="applicationParameters" name="Parameter" />
+ </appstabs>
+
+ <mimetabs>
+ <tab class="mimetype" name="Generic" />
+ </mimetabs>
+
+ <devicetabs>
+ <tab class="deviceGeneric" name="Generic" />
+ </devicetabs>
+
+ <arpnewdevicetabs>
+ <tab class="ArpNewDevice" name="Generic" />
+ </arpnewdevicetabs>
+
+ <termtabs>
+ <tab class="termgeneric" name="Generic" />
+ <tab class="termstartup" name="Recipe" />
+ <tab class="termservice" name="Devices" />
+ <tab class="terminfo" name="Information" />
+ </termtabs>
+
+ <servtabs>
+ <tab class="servgeneric" name="Generic" />
+ <tab class="workstartup" name="Recipe" />
+ <tab class="ServerService" name="Services" />
+ <tab class="faiSummaryTab" name="Deployment summary" />
+ <tab class="gotoLogView" name="Installation logs" />
+ <tab class="terminfo" name="Information" />
+ </servtabs>
+
+ <worktabs>
+ <tab class="workgeneric" name="Generic" />
+ <tab class="workstartup" name="Recipe" />
+ <tab class="workservice" name="Devices" />
+ <tab class="printgeneric" name="Printer" />
+ <tab class="terminfo" name="Information" />
+ <tab class="faiSummaryTab" name="Deployment summary" />
+ <tab class="gotoLogView" name="Installation logs" />
+ </worktabs>
+
+ <printtabs>
+ <tab class="printgeneric" name="Generic" />
+ </printtabs>
+
+ <componenttabs>
+ <tab class="componentGeneric" name="Generic" />
+ </componenttabs>
+
+ <wintabs>
+ <tab class="wingeneric" name="Generic" />
+ </wintabs>
+
+ <serverservice>
+ <tab class="goMailServer" />
+ <tab class="servkolab" />
+ <tab class="goNtpServer" />
+ <tab class="servrepository" />
+ <tab class="goImapServer" />
+ <tab class="goKrbServer" />
+ <tab class="goFaxServer" />
+ <tab class="goFonServer" />
+ <tab class="goCupsServer" />
+ <tab class="goKioskService" />
+ <tab class="goTerminalServer" />
+ <tab class="goLdapServer" />
+ <tab class="goShareServer" />
+ <tab class="gospamserver" />
+ <tab class="govirusserver" />
+ <tab class="servdhcp" />
+ <tab class="servdns" />
+ <tab class="rSyslogServer" />
+ </serverservice>
+
+ <!-- Department plugin -->
+ <deptabs>
+ <tab class="department" name="Generic" />
+ <tab class="DynamicLdapGroup" name="Dynamic object" />
+ </deptabs>
+
+ <organization_tabs>
+ <tab class="organization" name="Generic" />
+ <tab class="DynamicLdapGroup" name="Dynamic object" />
+ </organization_tabs>
+
+ <locality_tabs>
+ <tab class="locality" name="Generic" />
+ <tab class="DynamicLdapGroup" name="Dynamic object" />
+ </locality_tabs>
+
+ <country_tabs>
+ <tab class="country" name="Generic" />
+ <tab class="DynamicLdapGroup" name="Dynamic object" />
+ </country_tabs>
+
+ <dcobject_tabs>
+ <tab class="dcObject" name="Generic" />
+ <tab class="DynamicLdapGroup" name="Dynamic object" />
+ </dcobject_tabs>
+
+ <domain_tabs>
+ <tab class="domain" name="Generic" />
+ <tab class="DynamicLdapGroup" name="Dynamic object" />
+ </domain_tabs>
+
+ <!-- Role tabs -->
+ <roletabs>
+ <tab class="roleGeneric" name="Generic"/>
+ <tab class="DynamicLdapGroup" name="Dynamic object" />
+ </roletabs>
+
+ <ogrouptabs>
+ <tab class="ogroup" name="Generic" />
+ <tab class="DynamicLdapGroup" name="Dynamic object" />
+ </ogrouptabs>
+
+ <!-- Connectivity plugins -->
+ <connectivity>
+ <tab class='kolabAccount' />
+ <tab class="proxyAccount" />
+ <tab class="pureftpdAccount" />
+ <tab class="webdavAccount" />
+ <tab class="phpgwAccount" />
+ <tab class="intranetAccount" />
+ <tab class="pptpAccount" />
+ <tab class="phpscheduleitAccount" />
+ <tab class="oxchangeAccount" />
+ <tab class="opengwAccount" />
+ </connectivity>
+
+ <ldiftab>
+ <tab class="ldifexport" name="Export" />
+ <tab class="xlsexport" name="Excel Export" />
+ </ldiftab>
+
+ <faipartitiontabs>
+ <tab class="faiPartitionTable" name="Partitions" />
+ </faipartitiontabs>
+
+ <faiscripttabs>
+ <tab class="faiScript" name="Scripts" />
+ </faiscripttabs>
+
+ <faihooktabs>
+ <tab class="faiHook" name="Hooks" />
+ </faihooktabs>
+
+ <faivariabletabs>
+ <tab class="faiVariable" name="Variables" />
+ </faivariabletabs>
+
+ <faitemplatetabs>
+ <tab class="faiTemplate" name="Templates" />
+ </faitemplatetabs>
+
+ <faiprofiletabs>
+ <tab class="faiProfile" name="Profiles" />
+ <tab class="faiSummaryTab" name="Summary" />
+ </faiprofiletabs>
+
+ <faipackagetabs>
+ <tab class="faiPackage" name="Packages" />
+ </faipackagetabs>
+
+ <opsitabs>
+ <tab class="opsiGeneric" name="Generic" />
+ <tab class="opsiSoftware" name="Hardware" />
+ <tab class="opsiHardware" name="Software" />
+ <tab class="licenseUsageByHost" name="License usage"/>
+ </opsitabs>
+
+ <opsiprodconfig>
+ <tab class="opsiProperties" name="Properties" />
+ <tab class="licenseByProduct" name="License usage"/>
+ </opsiprodconfig>
+
+ <!-- rSyslog plugin -->
+ <rsyslogtabs>
+ <tab class="rsyslog" name="System logs" />
+ </rsyslogtabs>
+
+ <!-- Main section **********************************************************
+
+ The main section defines global settings, which might be overridden by
+ each location definition inside.
+
+ For more information about the configuration parameters, take a look at
+ the gosa.conf(5) manual page.
+
+ -->
+ <!-- If you broke your setup using the propertyEditor, then set 'ignoreLdapProperties' to true. -->
+ <main default="default"
+ SASLRealm="INTERN"
+ passwordDefaultHash="ssha"
+ accountPrimaryAttribute="uid"
+ userRDN="ou=people"
+ groupRDN="ou=groups"
+ warnSSL="true"
+ forceSSL="false"
+ forceGlobals="true"
+ ignoreLdapProperties="false"
+ rfc2307bis="false"
+ useSaslForKerberos="false"
+ gidNumberBase="10000"
+ uidNumberBase="10000"
+ idGenerator="{%sn[1-6]}{%givenName[1-6]}"
+ passwordMinLength="4"
+ passwordMinDiffer="2"
+ >
+
+ <!-- Location definition -->
+ <location name="default"
+ ldapTLS="true"
+ config="ou=gosa,ou=configs,ou=systems,ou=gosa,dc=intern">
+ <referral URI="ldap://ldap:389/ou=gosa,dc=intern"
+ adminDn="cn=gosa,ou=gosa,dc=intern"
+ adminPassword="@LDAP_ADMIN_PW@" />
+ </location>
+ </main>
+</conf>
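Review bot: The `postcreate`/`postremove` hooks that call gosa-create and gosa-remove sit on the `posixAccount` tab inside `<MyAccountTabs>`, while the administrative user dialog `<usertabs>` carries none; if GOsa consults MyAccountTabs only for the self-service view reached through the `MyAccount` plugin in `<pathMenu>` (as the names suggest), accounts created or deleted by an administrator would never get a home directory or principal, so the two attributes probably belong on the `posixAccount` tab of `<usertabs>` as well. All three hooks, including `postmodify="USERPASSWORD=%new_password /usr/bin/sudo /usr/local/sbin/gosa-sync %dn"`, substitute `%uid`, `%homeDirectory`, `%dn` and `%new_password` into a command line unquoted, so the sudo'd scripts must validate their arguments themselves unless GOsa is known to shell-escape substitutions; and if the hook is run through `sh -c`, the `USERPASSWORD=` assignment is briefly visible in the process list, which is worth a comment next to the hook. A small label mix-up in `<opsitabs>`: `<tab class="opsiSoftware" name="Hardware" />` and `<tab class="opsiHardware" name="Software" />` look swapped.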
diff --git a/fai/config/files/etc/ldap/gosa.ldif/GOSA b/fai/config/files/etc/ldap/gosa.ldif/GOSA
new file mode 100644
index 0000000..db0d1d7
--- /dev/null
+++ b/fai/config/files/etc/ldap/gosa.ldif/GOSA
@@ -0,0 +1,108 @@
+## GOsa ou, full access for the GOsa admin:
+dn: ou=gosa,dc=intern
+objectClass: top
+objectClass: organizationalUnit
+objectClass: gosaAcl
+objectClass: gosaDepartment
+description: Debian-LAN
+ou: gosa
+gosaAclEntry: 0:psub:dWlkPWFkbWluLG91PXBlb3BsZSxvdT1nb3NhLGRjPWludGVybg==:all/all;cmdrw
+gosaAclEntry: 1:psub:Kg==:users/user;s#sn;r#givenName;r#uid;r#gosaUserDefinedFilter;r#personalTitle;w#academicTitle;w#dateOfBirth;w#gender;w#preferredLanguage;w#base;r#userPicture;w#gosaLoginRestriction;r#o;r#ou;r#departmentNumber;r#manager;r#employeeNumber;r#employeeType;r#roomNumber;w#telephoneNumber;w#pager;w#mobile;w#facsimileTelephoneNumber;w#st;r#l;r#postalAddress;r#homePostalAddress;w#homePhone;w#labeledURI;w#userPassword;r#Certificate;r,users/posixAccount;sr,users/password;sw
+
+
+## GOsa access to LDAP:
+dn: cn=gosa,ou=gosa,dc=intern
+objectClass: organizationalRole
+objectClass: simpleSecurityObject
+description: GOsa access to LDAP ou=gosa
+cn: gosa
+userPassword: @LDAP_ADMIN_PW_HASH@
+
+
+## peope and groups:
+dn: ou=people,ou=gosa,dc=intern
+objectClass: top
+objectClass: organizationalUnit
+ou: people
+
+dn: ou=groups,ou=gosa,dc=intern
+objectClass: top
+objectClass: organizationalUnit
+ou: groups
+
+
+## First user 'admin':
+dn: uid=admin,ou=people,ou=gosa,dc=intern
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+objectClass: gosaAccount
+objectClass: posixAccount
+objectClass: shadowAccount
+sn: Administrator
+givenName: System
+cn: System Administrator
+gecos: System Administrator
+uid: admin
+homeDirectory: /lan/mainserver/home0/admin
+loginShell: /bin/bash
+uidNumber: 10000
+gidNumber: 10000
+userPassword: @LDAP_ADMIN_PW_HASH@
+
+dn: cn=admin,ou=groups,ou=gosa,dc=intern
+cn: admin
+description: Group of user admin
+gidNumber: 10000
+objectClass: top
+objectClass: posixGroup
+
+
+## User template:
+dn: uid=default_user,ou=people,ou=gosa,dc=intern
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+objectClass: gosaAccount
+objectClass: gosaUserTemplate
+objectClass: posixAccount
+objectClass: shadowAccount
+sn: default_user
+givenName: default_user
+uid: default_user
+cn: default_user default_user
+userPassword: {ssha}N0T$3T4N0W
+homeDirectory: /lan/mainserver/home0/%uid
+loginShell: /bin/bash
+uidNumber: 9999
+gidNumber: 2147483647
+
+
+## sudo-ldap (allow www-data to run /usr/sbin/gosa-*)
+dn: ou=sudoers,ou=gosa,dc=intern
+objectClass: top
+objectClass: organizationalUnit
+ou: sudoers
+
+dn: cn=defaults,ou=sudoers,ou=gosa,dc=intern
+objectClass: top
+objectClass: sudoRole
+cn: defaults
+description: Default sudo options go here
+sudoOption: env_reset
+
+dn: cn=DebianLAN,ou=sudoers,ou=gosa,dc=intern
+objectClass: top
+objectClass: sudoRole
+sudoUser: www-data
+sudoHost: mainserver
+cn: DebianLAN
+sudoOption: !authenticate
+sudoOption: !syslog
+sudoOption: env_keep=USERPASSWORD
+description: Propagate GOsa's changes to the system
+sudoCommand: /usr/local/sbin/gosa-sync
+sudoCommand: /usr/local/sbin/gosa-remove
+sudoCommand: /usr/local/sbin/gosa-create
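Review bot: One secret is installed for several identities: `userPassword: @LDAP_ADMIN_PW_HASH@` for the service account `cn=gosa,ou=gosa,dc=intern` (whose cleartext gosa.conf holds as `adminPassword`, so the web process must be able to recover it) and again for the interactive user `uid=admin`, while 10-slapd-KDC creates the `admin` Kerberos principal with the same `$LDAP_ADMIN_PW`; a compromise of the www-data-readable GOsa configuration therefore also yields the human administrator's login. Giving `cn=gosa` a separately generated password (its own `@...@` placeholder filled in the same way by 10-config) would contain that. On the sudo side, `sudoOption: !syslog` removes the only record of root-level invocations of gosa-create/gosa-remove/gosa-sync; the new password reaches gosa-sync through `env_keep=USERPASSWORD`, not argv, so sudo's log line would not expose it, and dropping `!syslog` looks safe. The header comment `## sudo-ldap (allow www-data to run /usr/sbin/gosa-*)` names the wrong directory — the rules grant `/usr/local/sbin/gosa-*` — and `## peope and groups:` has a typo.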
diff --git a/fai/config/files/etc/ldap/root.ldif/SERVER_A b/fai/config/files/etc/ldap/root.ldif/SERVER_A
index 619842d..6f44f18 100644
--- a/fai/config/files/etc/ldap/root.ldif/SERVER_A
+++ b/fai/config/files/etc/ldap/root.ldif/SERVER_A
@@ -1,4 +1,4 @@
-############### Root of tree amd admin ##############
+############### Root of tree and admin ##############
dn: dc=intern
objectClass: top
objectClass: dcObject
diff --git a/fai/config/files/etc/ldap/slapd.conf/SERVER_A b/fai/config/files/etc/ldap/slapd.conf/GOSA
similarity index 81%
copy from fai/config/files/etc/ldap/slapd.conf/SERVER_A
copy to fai/config/files/etc/ldap/slapd.conf/GOSA
index 0897ef1..8abe654 100644
--- a/fai/config/files/etc/ldap/slapd.conf/SERVER_A
+++ b/fai/config/files/etc/ldap/slapd.conf/GOSA
@@ -9,6 +9,17 @@ include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/kerberos.schema
include /etc/ldap/schema/autofs.schema
+# These should be present for GOsa:
+include /etc/ldap/schema/gosa/samba3.schema
+include /etc/ldap/schema/gosa/gosystem.schema
+include /etc/ldap/schema/gosa/gofon.schema
+include /etc/ldap/schema/gosa/gofax.schema
+include /etc/ldap/schema/gosa/goto.schema
+include /etc/ldap/schema/gosa/goserver.schema
+include /etc/ldap/schema/gosa/gosa-samba3.schema
+include /etc/ldap/schema/gosa/trust.schema
+include /etc/ldap/schema/gosa/sudo.schema
+
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
@@ -46,6 +57,10 @@ localssf 128
backend hdb
#######################################################################
+# FIXME
+#database config
+#rootdn cn=config
+#rootpw @LDAP_PW@
#######################################################################
database hdb
@@ -83,7 +98,7 @@ index krbPwdPolicyReference
index krbPrincipalName pres,sub,eq
index cn pres,sub,eq
index uid pres,sub,eq
-
+index sudoUser eq,sub
# Save the time that the entry gets modified, for database #1
lastmod on
@@ -93,9 +108,15 @@ lastmod on
checkpoint 512 30
## map authentication via gssapi on user dn:
-authz-regexp "uid=([^,]*),cn=gssapi,cn=auth"
+authz-regexp "uid=([^,]*),cn=intern,cn=gssapi,cn=auth"
"ldap:///dc=intern??sub?(uid=$1)"
+################# GOsa access ###################
+access to dn.subtree="ou=gosa,dc=intern"
+ by dn.exact="cn=gosa,ou=gosa,dc=intern" manage
+ by * break
+
+
access to attrs=userPassword
by anonymous auth
by self write
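Review bot: The position of the new `access to dn.subtree="ou=gosa,dc=intern"` rule ahead of `access to attrs=userPassword` is load-bearing: slapd applies the first `access to` directive whose target matches, so only `by * break` keeps the later userPassword rule reachable for everybody else, and moving the GOsa block below it would silently strip `cn=gosa` of the ability to write password hashes while everything else keeps working. A comment such as `# Must precede the userPassword rule: cn=gosa needs manage on userPassword; 'break' falls through for everyone else.` would protect that ordering. Since the file already sets `localssf 128` and gosa.conf asks for TLS (`ldapTLS="true"`), the `manage` grant could also be tied to an encrypted session, `by dn.exact="cn=gosa,ou=gosa,dc=intern" ssf=128 manage`, so the service password never authorises a cleartext bind — unless a global `security` directive elsewhere in the file already enforces this.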
diff --git a/fai/config/files/usr/local/sbin/gosa-create/GOSA b/fai/config/files/usr/local/sbin/gosa-create/GOSA
new file mode 100755
index 0000000..6405ae8
--- /dev/null
+++ b/fai/config/files/usr/local/sbin/gosa-create/GOSA
@@ -0,0 +1,64 @@
+#!/bin/sh
+
+set -e
+
+## This script is run by www-data using sudo. Keep that in mind!
+## Make sure that malicious execution cannot hurt.
+##
+## This script creates the home directories and principals for users
+## added with gosa. There are some tests that make sure only
+## non-existent home directories are created. Malicious execution
+## cannot hurt, because either the user is missing in ldap or his home
+## directory already exists. In both cases nothing should happen.
+
+PREFIX=/lan
+HOSTNAME=$(hostname -s)
+USERID=$1
+
+#FIXME Change this ldap search to only find new users, to not slow down as more users are added.
+# One ide might be to look for objects without the krbPasswordExpiration attributes.
+
+## lookup user and create home directory and principal:
+ldapsearch -b "ou=gosa,dc=intern" -xLLL "(&(uid=$USERID)(objectClass=posixAccount))" \
+ cn homeDirectory gidNumber 2>/dev/null | perl -p0e 's/\n //g' | \
+while read KEY VALUE ; do
+ case "$KEY" in
+ dn:) USERNAME= ; HOMEDIR= ; GROUPID= ; USERDN="dn=$VALUE" ;;
+ cn:) USERNAME="$VALUE" ;;
+ homeDirectory:) HOMEDIR="$VALUE" ;;
+ gidNumber:) GROUPID="$VALUE" ;;
+ "")
+ test "$HOMEDIR" || continue
+ echo "$HOMEDIR" | grep -q "^$PREFIX/$HOSTNAME" || continue
+ test -e "$HOMEDIR" && continue
+ cp -r /etc/skel $HOMEDIR
+ if type nscd > /dev/null 2>&1 ; then
+ nscd -i passwd
+ nscd -i group
+ fi
+ chown -R $USERID:$GROUPID $HOMEDIR
+ kadmin.local -q "add_principal -randkey -x $USERDN $USERID"
+ logger -t gosa-create -p notice Home directory \'$HOMEDIR\' and principal \'$USERID\' created.
+## send a welcome-email:
+ cat << EOF | /usr/lib/sendmail $USERID
+Subject: Welcome to the mail-system
+
+Hello $USERNAME,
+
+welcome to the mail-system.
+
+Your userID is $USERID, and your email
+address is:
+
+ $USERID at postoffice.intern
+
+Regards,
+
+ Debian-LAN SysAdmin
+
+EOF
+ ;;
+ esac
+done
+
+exit 0
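Review bot: The header states that malicious execution cannot hurt, but `$USERID` (the sudo caller's first argument) is spliced unquoted into the LDAP filter `"(&(uid=$USERID)(objectClass=posixAccount))"`, the kadmin query `add_principal -randkey -x $USERDN $USERID` and the sendmail recipient, so the guarantee rests entirely on GOsa handing over a well-formed uid. A character-class check right after the assignment makes the claim hold regardless of the caller: `case "$USERID" in ""|*[!a-zA-Z0-9._-]*) exit 1 ;; esac`. The home-directory guard `grep -q "^$PREFIX/$HOSTNAME"` accepts any value that merely begins with that string, including `..` components or a longer host name, so anchor it to the directory and reject dot-dot, e.g. `case "$HOMEDIR" in *..*) continue ;; "$PREFIX/$HOSTNAME"/*) ;; *) continue ;; esac` in place of the grep line. `$HOMEDIR` and `$USERID:$GROUPID` should also be quoted on the `cp -r` and `chown -R` lines, as they already are on the `test` lines.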
diff --git a/fai/config/files/usr/local/sbin/gosa-remove/GOSA b/fai/config/files/usr/local/sbin/gosa-remove/GOSA
new file mode 100755
index 0000000..28b6c6d
--- /dev/null
+++ b/fai/config/files/usr/local/sbin/gosa-remove/GOSA
@@ -0,0 +1,61 @@
+#!/bin/sh
+
+set -e
+
+## This script is run by www-data using sudo. Keep that in mind!
+## Make sure that malicious execution cannot hurt.
+##
+## This script removes the home directories and principals for users removed with gosa.
+## Home directories are not purged immediately, but marked with a time stamp. Next time
+## this script is run it looks for all home directories marked for removal and removes
+## directories older than the given age $MAXAGE.
+##
+## Malicious execution can mark directories for purging, but if $MAXAGE is chosen not
+## too short, this will be detected by the owner and no data will get lost.
+
+USERID=$1
+HOMEDIR=$2
+
+## minimum age to keep a directory before it is purged
+## in days (only integer values):
+
+MAXAGE_DAYS=500
+
+####################################
+
+MAXAGE_SEC=$(( $MAXAGE_DAYS*24*60*60 ))
+
+[ -d $HOMEDIR ] || exit 1
+
+PREFIX=/lan
+HOSTNAME=$(hostname -s)
+echo "$HOMEDIR" | egrep -q "^$PREFIX/$HOSTNAME.*$USERID" || exit 1
+
+## move mail directory to home directory
+if [ -d /var/mail/$USERID ]; then
+ mkdir -p $HOMEDIR/Maildir/
+ mv /var/mail/$USERID/* $HOMEDIR/Maildir/
+ rmdir /var/mail/$USERID
+fi
+
+## rename home directory and delete principal:
+HOME=`dirname $HOMEDIR`
+RM_HOMEDIR="$HOME/rm_"`date "+%Y%m%d"`"_"`basename $HOMEDIR`
+mv $HOMEDIR $RM_HOMEDIR
+
+chown root:root $RM_HOMEDIR
+chmod go-rwx $RM_HOMEDIR
+
+kadmin.local -q "delete_principal $USERID"
+logger -t gosa-remove -p notice Home directory \'$HOMEDIR\' marked for deletion and principal \'$USERID\' removed.
+
+for DIR in `find $HOME -maxdepth 1 -type d -regextype posix-egrep -regex ".*/rm_[0-9]{8}_[^/]+"` ; do
+ RMDATE=`echo $DIR | sed "s/.*rm_\([0-9]\{8\}\)_.*/\1/"`
+ AGE=$(( `date +"%s"`-`date +"%s" -d $RMDATE` ))
+ if [ $AGE -gt $MAXAGE_SEC ] ; then
+ rm -rf $DIR
+ logger -t gosa-remove -p notice Home directory \'$DIR\' purged.
+ fi
+done
+
+exit 0
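Review bot: The header says a malicious call can only mark a directory for later purging, but `kadmin.local -q "delete_principal $USERID"` and the move of `/var/mail/$USERID` take effect immediately, so any local process able to use the sudo rule can lock a user out at once; `$MAXAGE_DAYS` protects only the files. gosa-create cross-checks LDAP before acting and this script should do the inverse — it runs as a postremove hook, so the entry must already be gone: `OUT=$(ldapsearch -b "ou=gosa,dc=intern" -xLLL "(uid=$USERID)" dn 2>/dev/null) || exit 1` followed by `echo "$OUT" | grep -q "^dn:" && exit 1` before the mail move (anonymous search as gosa-create already does, failing closed when the server is unreachable). `$USERID` is also interpolated unescaped into the `egrep` pattern `"^$PREFIX/$HOSTNAME.*$USERID"`, where regex metacharacters widen the match; validate it with a character-class `case` first and quote `$HOMEDIR`/`$USERID` on the `[ -d`, `mv` and `chown` lines. Naming the parent directory `HOME` clobbers the caller's HOME environment variable for the remaining commands; `PARENT` would avoid surprises.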
diff --git a/fai/config/files/usr/local/sbin/gosa-sync/GOSA b/fai/config/files/usr/local/sbin/gosa-sync/GOSA
new file mode 100755
index 0000000..3cb573c
--- /dev/null
+++ b/fai/config/files/usr/local/sbin/gosa-sync/GOSA
@@ -0,0 +1,54 @@
+#!/bin/bash
+
+set -e
+
+## This script is run by www-data using sudo. Keep that in mind!
+## Make sure that malicious execution cannot hurt.
+##
+## This script synchronizes the kerberos password of principals to the
+## posix password whenever the password is changed in ldap by gosa. To
+## make sure only authorized changes happen, it is tested if the
+## supplied password corresponds to the supplied distinguished name in
+## ldap.
+##
+## A caller not knowing the correct ldap password cannot change the
+## principal's one.
+
+USERDN="$1"
+USERID=`echo "$USERDN" | sed "s/^uid=\([^,]*\),.*$/\1/"`
+
+## The new user password is in environment, $USERPASSWORD.
+## Check if provided password corresponds to hash saved in ldap database:
+
+TMPFILE=$(tempfile)
+trap "rm -f $TMPFILE" ERR SIGHUP SIGINT SIGTERM
+
+cat <<EOF | tr -d "\n" > "$TMPFILE"
+$USERPASSWORD
+EOF
+
+IAM=`ldapwhoami -x -Z -y "$TMPFILE" -D "$USERDN" 2>/dev/null || true`
+
+# Escapes " because kadmin needs to use double quotes:
+EUSERPASSWORD="$(cat $TMPFILE | sed -e 's/\"/\"\"/g')"
+
+if [ "$IAM" = "dn:$USERDN" ] ; then
+ cat > "$TMPFILE" <<EOF
+change_password -pw "$EUSERPASSWORD" $USERID
+EOF
+ RET=$((cat "$TMPFILE" | kadmin.local 1> /dev/null) 2>&1)
+ if [ -z "$RET" ] ; then
+ logger -t gosa-sync -p notice "Sucessfully changed kerberos password for '$USERID'."
+ else
+ logger -t gosa-sync -p warning "$RET"
+ echo "$RET"
+ fi
+else
+ RET="Could not verify password for '$USERID'. Nothing done."
+ echo $RET
+ logger -t gosa-sync -p warning "$RET"
+fi
+
+rm "$TMPFILE"
+
+exit 0
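Review bot: `ldapwhoami -x -Z -y "$TMPFILE" -D "$USERDN"` only attempts StartTLS and carries on over a cleartext connection when the server does not negotiate it, and this bind transmits the user's new password; `-ZZ` makes the upgrade mandatory, which matters because the clients are configured with the plain `ldap://ldap/` URI in 10-ldap.conf. `$USERID` is derived from `$USERDN` by a sed that is a no-op when the DN does not start with `uid=`, after which the entire DN lands unquoted in `change_password -pw "$EUSERPASSWORD" $USERID`; checking the result with `case "$USERID" in ""|*[!a-zA-Z0-9._-]*) exit 1 ;; esac` keeps kadmin input to a plain principal name. Minor: `echo $RET` on the failure path is unquoted while the success path quotes it, and the notice message reads `Sucessfully`.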
diff --git a/fai/config/package_config/GOSA b/fai/config/package_config/GOSA
new file mode 100644
index 0000000..ba89b39
--- /dev/null
+++ b/fai/config/package_config/GOSA
@@ -0,0 +1,6 @@
+PACKAGES aptitude
+
+gosa
+gosa-schema
+gosa-plugin-sudo
+
diff --git a/fai/config/scripts/GOSA/10-config b/fai/config/scripts/GOSA/10-config
new file mode 100755
index 0000000..013bb6f
--- /dev/null
+++ b/fai/config/scripts/GOSA/10-config
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+set -e
+
+GOSACONF="/etc/gosa/gosa.conf"
+
+if [ -e $GOSACONF ]; then
+ exit 0
+fi
+
+fcopy -m root,www-data,0660 $GOSACONF
+
+fcopy -m root,root,0770 /usr/local/sbin/gosa-create
+fcopy -m root,root,0770 /usr/local/sbin/gosa-sync
+fcopy -m root,root,0770 /usr/local/sbin/gosa-remove
+
+## Insert password:
+PWFILE="$DATADIR/LDAPadminPWD"
+PW=`cat $target/$PWFILE`
+sed -i "s#@LDAP_ADMIN_PW@#$PW#" $target/$GOSACONF
+
+## Encrypt password:
+rm $target/etc/gosa/gosa.secrets
+$ROOTCMD gosa-encrypt-passwords
+
+## needed for sudo-ldap:
+ainsl /etc/ldap/ldap.conf "sudoers_base ou=sudoers,ou=gosa,dc=intern"
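Review bot: `sed -i "s#@LDAP_ADMIN_PW@#$PW#" $target/$GOSACONF` interpolates the generated password into a sed expression, so a `#`, `&` or `\` in `$PW` either aborts the script or writes a different string than the password (sed expands `&` in the replacement to the matched text), and nothing would notice until GOsa's bind fails; escape it first, e.g. `PW=$(printf '%s' "$PW" | sed 's/[&#\\]/\\&/g')`, or make sure the password generator only emits characters that are inert in sed and sh. The unconditional `rm $target/etc/gosa/gosa.secrets` stops the whole script under `set -e` if the file is absent; `rm -f` expresses the intent. The idempotency guard `[ -e $GOSACONF ]` tests the running system rather than the `$target/$GOSACONF` the rest of the script writes to, which presumably only works because `$target` is `/` in softupdate mode; make it explicit. `fcopy -m root,www-data,0660 $GOSACONF` lets the web process rewrite its own configuration, including the sudo-backed `postmodify`/`postcreate` hooks; unless GOsa has to write the file, 0640 is sufficient.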
diff --git a/fai/config/scripts/KDC_LDAP/10-slapd-KDC b/fai/config/scripts/KDC_LDAP/10-slapd-KDC
index 90bf121..6c30079 100755
--- a/fai/config/scripts/KDC_LDAP/10-slapd-KDC
+++ b/fai/config/scripts/KDC_LDAP/10-slapd-KDC
@@ -2,7 +2,14 @@
#
set -e
-LDIFS="/etc/ldap/root.ldif /etc/ldap/krb5.ldif /etc/ldap/autofs.ldif"
+if ifclass GOSA ; then
+ LDIFS="/etc/ldap/root.ldif /etc/ldap/krb5.ldif /etc/ldap/autofs.ldif /etc/ldap/gosa.ldif"
+ ## sudo schema:
+ cp -n $target/usr/share/doc/sudo-ldap/schema.OpenLDAP \
+ $target/etc/ldap/schema/gosa/sudo.schema
+else
+ LDIFS="/etc/ldap/root.ldif /etc/ldap/krb5.ldif /etc/ldap/autofs.ldif"
+fi
## Copy files in place, but no modifications if file exists:
for file in $LDIFS /etc/ldap/slapd.conf; do
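Review bot: `cp -n $target/usr/share/doc/sudo-ldap/schema.OpenLDAP $target/etc/ldap/schema/gosa/sudo.schema` makes slapd's new `include /etc/ldap/schema/gosa/sudo.schema` depend on the sudo-ldap package being installed before this script runs, yet package_config/GOSA only lists gosa, gosa-schema and gosa-plugin-sudo; if sudo-ldap is pulled in by another class, say so in a comment here, otherwise the missing source stops the script under `set -e` and slapd presumably refuses to start. `cp -n` also means a schema updated by a newer sudo-ldap is never picked up on softupdate, consistent with the `## Copy files in place, but no modifications if file exists` policy below but worth the same note. The enclosing script continues outside this hunk.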
@@ -128,12 +135,13 @@ init_KDC() {
echo "Random Kerberos KDC master password saved in ${PWFILE}."
fi
- ## create kerberos subtree in ldap database:
+ ## Create kerberos subtree in ldap database:
$ROOTCMD kdb5_ldap_util -s -D $DN_LDAP_ADMIN -w $LDAP_ADMIN_PW \
create -subtrees dc=intern -H ldapi:// -P $KDC_MASTER_PW
- ## create default policy:
- $ROOTCMD kadmin.local -q "add_policy -minlength 4 -minclasses 2 default"
+ ## Create default policy, start with no restrictions for the random password.
+ ## Add -minlength and -minclasses later (cf. below).
+ $ROOTCMD kadmin.local -q "add_policy default"
## needs root or kdc passwd:
$ROOTCMD kadmin.local -q "addprinc -pw $LDAP_ADMIN_PW root/admin"
@@ -173,6 +181,19 @@ init_KDC() {
$ROOTCMD chown dovecot:dovecot /etc/krb5.keytab.imap
fi
+ if ifclass GOSA ; then
+ ## Add initial admin user to kerberos:
+ GOSALDIF="$target/etc/ldap/gosa.ldif"
+ USERDN="dn=$(grep "^dn: uid=admin," $GOSALDIF | cut -d ' ' -f 2)"
+ HOMEDIR=$(grep "^homeDirectory.*admin$" $GOSALDIF | cut -d ' ' -f 2)
+ USID=$(sed -n '/^dn: uid=admin,/,/^dn:/p' $GOSALDIF | grep "^uidNumber:" | cut -d " " -f 2)
+ GRID=$(sed -n '/^dn: uid=admin,/,/^dn:/p' $GOSALDIF | grep "^gidNumber:" | cut -d " " -f 2)
+ $ROOTCMD kadmin.local -q "add_principal -pw $LDAP_ADMIN_PW -x $USERDN admin"
+ cp -r $target/etc/skel $target/$HOMEDIR
+ $ROOTCMD chown -R $USID:$GRID $HOMEDIR
+ fi
+ $ROOTCMD kadmin.local -q "modify_policy -minlength 4 -minclasses 2 default"
+
echo "Initializing KDC finished. "
}
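Review bot: `HOMEDIR=$(grep "^homeDirectory.*admin$" $GOSALDIF | cut -d ' ' -f 2)` matches any `homeDirectory:` line ending in `admin` anywhere in the LDIF, while the `USID`/`GRID` lookups two rows below already scope themselves to the `uid=admin` entry with `sed -n '/^dn: uid=admin,/,/^dn:/p'`; use the same pipeline, `HOMEDIR=$(sed -n '/^dn: uid=admin,/,/^dn:/p' $GOSALDIF | grep "^homeDirectory:" | cut -d " " -f 2)`, so that adding another user to gosa.ldif cannot redirect the skeleton copy and the `chown -R`. `add_principal -pw $LDAP_ADMIN_PW -x $USERDN admin` reuses the LDAP admin secret for an interactive login; creating it with `+needchange` (or a password of its own) would keep the two roles apart. `init_KDC()` begins outside this hunk.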
diff --git a/fai/config/scripts/LDAP_CLIENT/10-ldap.conf b/fai/config/scripts/LDAP_CLIENT/10-ldap.conf
index d516800..d747826 100755
--- a/fai/config/scripts/LDAP_CLIENT/10-ldap.conf
+++ b/fai/config/scripts/LDAP_CLIENT/10-ldap.conf
@@ -10,16 +10,11 @@ editfiles:
{ ${target}/etc/ldap/ldap.conf
BeginGroupIfNoLineMatching "^URI .*"
AppendIfNoSuchLine "URI ldap://ldap/"
- EndGroup
-
- # Base-DN:
- BeginGroupIfNoLineMatching "^BASE .*"
- AppendIfNoSuchLine "BASE dc=intern"
EndGroup
- # needed for sudo-ldap:
- BeginGroupIfNoLineMatching "^sudoers_base .*"
- AppendIfNoSuchLine "sudoers_base ou=sudoers,dc=intern"
+ # Base-DN:
+ BeginGroupIfNoLineMatching "^BASE .*"
+ AppendIfNoSuchLine "BASE dc=intern"
EndGroup
# Verify the server:
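Review bot: Dropping the `sudoers_base ou=sudoers,dc=intern` group from LDAP_CLIENT changes every client that does not carry the GOSA class (WORKSTATION_A in 50-host-classes, for instance), which will now have no `sudoers_base` at all; the GOSA script re-adds it, with the new base `ou=sudoers,ou=gosa,dc=intern`, only on the GOsa host. If sudo-ldap is in use on clients that is a behaviour change worth a line in the commit message, and as far as this hunk shows already-installed systems keep the old line since nothing removes it. The sudoRole in gosa.ldif restricts itself to `sudoHost: mainserver`, so as written the LDAP sudoers only apply there anyway.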