[debian-lan-devel] [SCM] Debian-LAN development and packaging branch, master, updated. 0.7-23-g19b75b0
Andreas B. Mundt
andi at debian.org
Mon Feb 11 13:45:06 UTC 2013
The following commit has been merged in the master branch:
commit 2fa565eb43171c06c8b38adec55337163ebba938
Author: Andreas B. Mundt <andi at debian.org>
Date: Mon Feb 11 12:26:44 2013 +0100
Add script to import users into LDAP/GOsa from a text file.
The script uses functions from the ldapscripts package to do the
work. A GOsa department (organizational unit) might be specified
and defines where the users end up. Usernames are generated from
first and last name. A random password is created and appended
to the corresponding line in the provided file.
Workflow:
* Create a text file, one user per line: <First Name> <Last Name>.
* Create the GOsa department if necessary.
* Run 'add2gosa <FILE> [ ou=<department> ]
diff --git a/fai/config/files/etc/ldap/gosa.ldif/GOSA b/fai/config/files/etc/ldap/gosa.ldif/GOSA
index a120bc9..6cce84c 100644
--- a/fai/config/files/etc/ldap/gosa.ldif/GOSA
+++ b/fai/config/files/etc/ldap/gosa.ldif/GOSA
@@ -19,7 +19,7 @@ cn: gosa
userPassword: @LDAP_ADMIN_PW_HASH@
-## peope and groups:
+## people and groups:
dn: ou=people,ou=gosa,dc=intern
objectClass: top
objectClass: organizationalUnit
diff --git a/fai/config/files/usr/local/sbin/add2gosa/GOSA b/fai/config/files/usr/local/sbin/add2gosa/GOSA
new file mode 100755
index 0000000..901a1c3
--- /dev/null
+++ b/fai/config/files/usr/local/sbin/add2gosa/GOSA
@@ -0,0 +1,217 @@
+#!/bin/bash
+#
+# Import a list of users to GOsa. Based on the ldapscripts package.
+#
+
+set -e
+
+sync_nscd(){
+ if pidof nscd 1>&2 > /dev/null ; then
+ ## Clear tables to have database up to date:
+ nscd -i passwd
+ nscd -i group
+ fi
+}
+
+mk_uname() {
+ GNAME=${1,,}
+ FNAME=${2,,}
+ echo ${GNAME::4}${FNAME::4}
+ #echo ${GNAME}.${FNAME}
+}
+
+ou2LDAP() {
+ OU=$1
+ # Add ou to LDAP
+ _extractldif 3 | sed -e "s|<ORGUNIT>|$OU|g" | _filterldif | _utf8encode | _ldapadd
+ [ $? -eq 0 ] || end_die "Error adding '$OU' to '$SUFFIX'."
+ echo_log "Successfully added '$OU' to '$SUFFIX'."
+}
+
+user2LDAP() {
+ set +e
+ GNAME=$1
+ FNAME=$2
+ _USER="$3"
+ _GROUP="$_USER"
+
+ # Group GID
+ _GID=$(_findnextgid)
+ [ -z "_GID" ] && end_die "Cannot guess next free group id"
+
+ # Add group to LDAP
+ _extractldif 4 | _filterldif | _utf8encode | _ldapadd
+ [ $? -eq 0 ] || end_die "Error adding group $_GROUP to LDAP"
+ echo_log "Successfully added group $_GROUP to LDAP"
+
+ ###################
+
+ # User UID
+ _UID=$(_findnextuid)
+ [ -z "_UID" ] && end_die "Cannot guess next free user id"
+
+ # Compute homedir
+ _HOMEDIR=$(echo "$UHOMES" | sed "s|%u|$_USER|g")
+
+ # Add user to LDAP
+ _extractldif 5 | \
+ sed -e "s|<GNAME>|$GNAME|g" \
+ -e "s|<FNAME>|$FNAME|g" \
+ -e "s|<PWHASH>|$PWHASH|g" \
+ | _filterldif | _utf8encode | _ldapadd
+ [ $? -eq 0 ] || end_die "Error adding user $_USER to LDAP"
+ echo_log "Successfully added user $_USER to LDAP"
+
+ # Create Home dir
+ if [ -e "$_HOMEDIR" ] ; then
+ warn_log "Skipped home directory creation for user $_USER (already exists)"
+ else
+ # Create home by skel or mkdir
+ if [ -d "$HOMESKEL" ] ; then
+ cp -pR "$HOMESKEL/" "$_HOMEDIR" 2>>"$LOGFILE" 1>/dev/null
+ else
+ mkdir -p "$_HOMEDIR" 2>>"$LOGFILE" 1>/dev/null
+ fi
+ chmod "$HOMEPERMS" "$_HOMEDIR" 2>>"$LOGFILE" 1>/dev/null
+ chown -R "$_UID":"$_GID" "$_HOMEDIR" 2>>"$LOGFILE" 1>/dev/null
+ echo_log "Successfully created home directory for user $_USER"
+ fi
+ set -e
+}
+
+checkPASSWD (){
+ PASSWD="$1"
+ local NUM=0
+ if [ $(expr length "$PASSWD") -ge $MINLEN ] ; then
+ [ -n "${PASSWD//[![:lower:]]/}" ] && NUM=$(($NUM+1))
+ [ -n "${PASSWD//[![:upper:]]/}" ] && NUM=$(($NUM+1))
+ [ -n "${PASSWD//[![:digit:]]/}" ] && NUM=$(($NUM+1))
+ [ -n "${PASSWD//[![:punct:]]/}" ] && NUM=$(($NUM+1))
+ fi
+ echo $NUM
+}
+
+createPASSWD (){
+ local NUM=0
+ while [ $NUM -lt $MINCLS ] ; do
+ PASSWD=$(slappasswd -g)
+ NUM=$(checkPASSWD "$PASSWD")
+ done
+ echo "$PASSWD"
+}
+
+###########################################
+
+FILE=$1
+GOSAOU=$2
+
+# Source runtime file
+_RUNTIMEFILE="/usr/share/ldapscripts/runtime"
+. "$_RUNTIMEFILE"
+
+# We need to overwrite variables defined in the configuration
+# and sourced in the runtime file above:
+SUFFIX="$GOSAOU,ou=gosa,dc=intern"
+SUFFIX=${SUFFIX#,} # remove ',' if $GOSAOU=""
+GIDSTART="10000"
+UIDSTART="10000"
+
+## Password restrictions (compliant with kerberos policy):
+MINLEN=4 # minimal password length (max 8 with slappasswd as password generator)
+MINCLS=2 # minimal number of character classes
+
+if [ ! -r "$FILE" ] ; then
+ cat <<EOF
+Usage: add2gosa <file> [ou=<GOsa Department>]
+Where <file> contains rows of first and last names:
+
+ <First Name> <Last Name>
+ ... ...
+
+Empty lines or lines starting with a '#' will be ignored. The
+generated password is appended to the line during processing, the line
+commented.
+
+Optionally it is possible to specify an organizational unit within the
+GOsa tree. The users will be added to that department.
+
+Examples:
+
+ add2gosa <file> # add users to GOsa base
+ add2gosa <file> ou=students # add users to department 'students'
+
+The department must exist before adding users.
+
+EOF
+ exit 1
+fi
+
+sync_nscd
+# Test if dn exists:
+_ldapsearch "$SUFFIX" "(objectClass=organizationalUnit)" "dn" \
+ | grep -q "$SUFFIX" || end_die "No Department '$SUFFIX' found. Create it in GOsa first."
+# Create ou=groups if missing:
+_ldapsearch "$GSUFFIX,$SUFFIX" "(objectClass=organizationalUnit)" "dn" \
+ | grep -q "$GSUFFIX,$SUFFIX" || ou2LDAP $GSUFFIX
+# Create ou=people if missing:
+_ldapsearch "$USUFFIX,$SUFFIX" "(objectClass=organizationalUnit)" "dn" \
+ | grep -q "$USUFFIX,$SUFFIX" || ou2LDAP $USUFFIX
+echo
+
+chmod 600 $FILE
+IFS=$'\n'
+for LINE in $(grep -Ev "^(#|[[:space:]]*$)" $FILE | sed "s/\#.*//g" | awk '{print $1, $2, $3}') ; do
+ GNAME=`echo "$LINE" | cut -d " " -f1`
+ FNAME=`echo "$LINE" | cut -d " " -f2`
+ USERNAME=$(mk_uname ${GNAME} ${FNAME})
+ echo "---------------- $USERNAME ----------------"
+ PASSWD=$(createPASSWD)
+ PWHASH=$(slappasswd -s $PASSWD -h {SSHA})
+ echo "Password and hash created."
+ sed -i "s|\($GNAME[[:space:]]\+$FNAME\)|\# \1:\t $USERNAME\t ${PASSWD}|" $FILE
+ user2LDAP "$GNAME" "$FNAME" "$USERNAME" "$PWHASH"
+ USERDN="dn=uid=$USERNAME,$USUFFIX,$SUFFIX"
+ kadmin.local -q "add_principal -pw "$PASSWD" -x $USERDN $USERNAME"
+ echo
+done
+
+cat <<EOF
+ ===================== IMPORTANT NOTICE =====================
+ Make sure to keep '$FILE' save or remove it!
+ Advice users to change their password immediately in GOsa.
+ ============================================================
+EOF
+
+end_ok
+
+# Ldif ou template ##################################
+###dn: <ORGUNIT>,<suffix>
+###objectClass: top
+###objectClass: organizationalUnit
+###ou: <ORGUNIT>
+
+# Ldif group template ###############################
+####dn: cn=<group>,<gsuffix>,<suffix>
+####objectClass: <gclass>
+####cn: <group>
+####gidNumber: <gid>
+####description: Group of user <group>
+
+# Ldif user template ################################
+#####dn: uid=<user>,<usuffix>,<suffix>
+#####objectClass: person
+#####objectClass: organizationalPerson
+#####objectClass: inetOrgPerson
+#####objectClass: gosaAccount
+#####objectClass: posixAccount
+#####objectClass: shadowAccount
+#####sn: <FNAME>
+#####givenName: <GNAME>
+#####cn: <GNAME> <FNAME>
+#####gecos: <GNAME> <FNAME>
+#####uid: <user>
+#####homeDirectory: <home>
+#####loginShell: <shell>
+#####uidNumber: <uid>
+#####gidNumber: <gid>
+#####userPassword: <PWHASH>
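Review bot: The guards at L75 and L86, `[ -z "_GID" ]` and `[ -z "_UID" ]`, test a literal string rather than the variable, so they can never fire and an empty result from _findnextgid/_findnextuid flows on into the LDIF; they should read `[ -z "$_GID" ]` and `[ -z "$_UID" ]`. The cleartext password is also handed to slappasswd (L204) and kadmin.local (L209) as a command-line argument, where it is readable in the process list for as long as those commands run. slappasswd can take the secret from a file descriptor instead, `PWHASH=$(slappasswd -T <(printf '%s' "$PASSWD") -h '{SSHA}')`; the kadmin.local `-pw` argument has no drop-in equivalent here, so that exposure deserves at least a comment explaining it is accepted. Finally, the rewrite on L206 splices $GNAME, $FNAME and $PASSWD unescaped into a `|`-delimited sed expression, so a generated password containing `|`, `&` or `\` breaks or corrupts the line; the SERVER_A replacement at L262 has the same weakness with its `%` delimiter.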
diff --git a/fai/config/files/usr/local/sbin/debian-lan/SERVER_A b/fai/config/files/usr/local/sbin/debian-lan/SERVER_A
index a4115c3..4dedf5a 100755
--- a/fai/config/files/usr/local/sbin/debian-lan/SERVER_A
+++ b/fai/config/files/usr/local/sbin/debian-lan/SERVER_A
@@ -164,7 +164,7 @@ case $COMMAND in
if [ $NUM -lt $MINCLS ] ; then
PASSWD=$(createPASSWD)
echo "Password replaced/created!"
- sed -i "s#$USERID#$USERID ${PASSWD} <-- new password | old/bad password -->#" $1
+ sed -i "s%$USERID%\# $USERID\t ${PASSWD} <-- new password | %" $1
fi
adduserLDAP $USERID
USERDN="dn=uid=$USERID,ou=people,dc=intern"
diff --git a/fai/config/scripts/SERVER_A/10-misc b/fai/config/scripts/SERVER_A/10-misc
index 97b7842..d4a89cd 100755
--- a/fai/config/scripts/SERVER_A/10-misc
+++ b/fai/config/scripts/SERVER_A/10-misc
@@ -31,6 +31,11 @@ fi
fcopy -m root,root,0700 /usr/local/sbin/debian-lan
fcopy -m root,root,0700 /usr/local/sbin/dhcpd-keytab
+if ifclass GOSA ; then
+ fcopy -m root,root,0700 /usr/local/sbin/add2gosa
+fi
+
+
if [ "$FAI_ACTION" != "install" ] && [ "$CONVERT" != "true" ] ; then
exit 0
fi
diff --git a/fai/config/scripts/SERVER_A/20-ldapscripts b/fai/config/scripts/SERVER_A/20-ldapscripts
index b9fc06b..99c58d9 100755
--- a/fai/config/scripts/SERVER_A/20-ldapscripts
+++ b/fai/config/scripts/SERVER_A/20-ldapscripts
@@ -19,6 +19,10 @@ editfiles:
ReplaceAll '#UHOMES="/home/%u"' With 'UHOMES="/lan/mainserver/home0/%u"'
ReplaceAll 'CREATEHOMES="no"' With 'CREATEHOMES="yes"'
+ ## Avoid conflicts with GOsa which starts at uid/gid 10000":
+ ReplaceAll 'UIDSTART="10000"' With 'UIDSTART="40000"'
+ ReplaceAll 'GIDSTART="10000"' With 'GIDSTART="40000"'
+
## Do not generate a posix password, use kerberos instead:
HashCommentLinesStarting 'PASSWORDGEN='
}
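Review bot: The comment added at L288 ends with a stray double quote, `## Avoid conflicts with GOsa which starts at uid/gid 10000":`, which reads like an unterminated string in a file that otherwise quotes its ReplaceAll arguments carefully. Suggest `## Avoid conflicts with GOsa, which starts at uid/gid 10000:` so the line is not mistaken for a broken directive. The editfiles block this hunk belongs to starts outside the hunk.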