[debian-lan-devel] [debian-lan] 02/02: Updates and fixes for GOsa².
Andreas B. Mundt
andi at moszumanska.debian.org
Fri Aug 12 07:52:18 UTC 2016
This is an automated email from the git hooks/post-receive script.
andi pushed a commit to branch master
in repository debian-lan.
commit 3477860939c0136bf3d0f501f48b895f93da7e0b
Author: Andreas B. Mundt <andi at debian.org>
Date: Thu Aug 11 14:46:59 2016 +0200
Updates and fixes for GOsa².
Update 'gosa.conf' and merge fixes/improvements from Debian-EDU.
Add 'gosa-lock-user' and 'gosa-unlock-user'. Thanks to Debian-EDU.
Use FQDN to make sudo-ldap work.
---
fai/config/files/etc/gosa/gosa.conf/GOSA | 58 +++++++++++-----------
fai/config/files/etc/ldap/gosa.ldif/GOSA | 4 +-
.../files/usr/local/sbin/gosa-lock-user/GOSA | 48 ++++++++++++++++++
fai/config/files/usr/local/sbin/gosa-sync/GOSA | 15 +++++-
.../files/usr/local/sbin/gosa-unlock-user/GOSA | 48 ++++++++++++++++++
fai/config/scripts/GOSA/10-config | 3 ++
6 files changed, 145 insertions(+), 31 deletions(-)
diff --git a/fai/config/files/etc/gosa/gosa.conf/GOSA b/fai/config/files/etc/gosa/gosa.conf/GOSA
index 4c39e71..edb4c4c 100644
--- a/fai/config/files/etc/gosa/gosa.conf/GOSA
+++ b/fai/config/files/etc/gosa/gosa.conf/GOSA
@@ -1,7 +1,5 @@
<?xml version="1.0"?>
-<conf configVersion="edb33ed1745798da76048582c2f16a48"
- instancePassword=""
- instanceUUID="cf086ce3-4b0a-45b5-b813-dc64eb51f1eb">
+<conf configVersion="Managed-by-Debian-LAN">
<!-- GOsa menu definition **************************************************
@@ -22,7 +20,7 @@
Open a <plugin> tag including a "class" attribute. The "class" should be
present inside your GOsa setup - the entry will be ignored if it is not.
- Plugins should have an "acl" entry, that allows GOsa to decide wether
+ Plugins should have an "acl" entry, that allows GOsa to decide whether
a user is allowed to see a plugin or not. The "acl" string matches with
an ACL definition done inside of GOsa -> ACLs.
@@ -81,8 +79,9 @@
<pathMenu>
<plugin acl="users/netatalk:self,users/environment:self,users/posixAccount:self,users/kolabAccount:self,users/phpscheduleitAccount:self,users/oxchangeAccount:self,users/proxyAccount:self,users/connectivity:self,users/pureftpdAccount:self,users/phpgwAccount:self,users/opengwAccount:self,users/pptpAccount:self,users/intranetAccount:self, users/webdavAccount:self,users/nagiosAccount:self,users/sambaAccount:self,users/mailAccount:self,users/groupware, users/user:self,users/scalixAccoun [...]
<plugin acl="users/password:self" class="password"
- postmodify="USERPASSWORD=%new_password /usr/bin/sudo /usr/local/sbin/gosa-sync %dn"
- />
+ postmodify="USERPASSWORD=%new_password /usr/bin/sudo /usr/local/sbin/gosa-sync %dn"
+ postlock="/usr/bin/sudo /usr/local/sbin/gosa-lock-user %dn"
+ postunlock="/usr/bin/sudo /usr/local/sbin/gosa-unlock-user %dn" />
</pathMenu>
@@ -110,7 +109,9 @@
<!-- User dialog -->
<usertabs>
<tab class="user" name="Generic" />
- <tab class="posixAccount" name="POSIX" />
+ <tab class="posixAccount" name="POSIX"
+ postcreate="/usr/bin/sudo /usr/local/sbin/gosa-create %uid"
+ postremove="/usr/bin/sudo /usr/local/sbin/gosa-remove %uid %homeDirectory" />
<tab class="sambaAccount" name="Samba" />
<tab class="netatalk" name="Netatalk" />
<tab class="mailAccount" name="Mail" />
@@ -126,10 +127,7 @@
<!-- User dialog -->
<MyAccountTabs>
<tab class="user" name="Generic" />
- <tab class="posixAccount" name="POSIX"
- postcreate="/usr/bin/sudo /usr/local/sbin/gosa-create %uid"
- postremove="/usr/bin/sudo /usr/local/sbin/gosa-remove %uid %homeDirectory"
- />
+ <tab class="posixAccount" name="POSIX" />
<tab class="sambaAccount" name="Samba" />
<tab class="netatalk" name="Netatalk" />
<tab class="mailAccount" name="Mail" />
@@ -318,6 +316,8 @@
<ldiftab>
<tab class="ldifexport" name="Export" />
<tab class="xlsexport" name="Excel Export" />
+ <tab class="ldifimport" name="Import" />
+ <tab class="csvimport" name="CSV Import" />
</ldiftab>
<faipartitiontabs>
@@ -376,27 +376,27 @@
-->
<!-- If you broke your setup using the propertyEditor, then set 'ignoreLdapProperties' to true. -->
- <main default="default"
- SASLRealm="INTERN"
- passwordDefaultHash="ssha"
- accountPrimaryAttribute="uid"
- userRDN="ou=people"
- groupRDN="ou=groups"
- warnSSL="true"
- forceSSL="true"
- forceGlobals="true"
- ignoreLdapProperties="false"
- rfc2307bis="false"
- useSaslForKerberos="false"
- gidNumberBase="10000"
- uidNumberBase="10000"
- idGenerator="{%sn[1-6]}{%givenName[1-6]}"
- passwordMinLength="4"
- passwordMinDiffer="2"
+ <main default="Debian LAN"
+ SASLRealm="INTERN"
+ passwordDefaultHash="ssha"
+ accountPrimaryAttribute="uid"
+ userRDN="ou=people"
+ groupRDN="ou=groups"
+ warnSSL="true"
+ forceSSL="true"
+ forceGlobals="true"
+ ignoreLdapProperties="false"
+ rfc2307bis="false"
+ useSaslForKerberos="false"
+ gidNumberBase="10000"
+ uidNumberBase="10000"
+ idGenerator="{%sn[1-6]}{%givenName[1-6]}"
+ passwordMinLength="4"
+ passwordMinDiffer="2"
>
<!-- Location definition -->
- <location name="default"
+ <location name="Debian LAN"
ldapTLS="true"
config="ou=gosa,ou=configs,ou=systems,ou=gosa,dc=intern">
<referral URI="ldap://ldap:389/ou=gosa,dc=intern"
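Review bot: `passwordMinLength="4"` and `passwordMinDiffer="2"` are carried into the renamed `Debian LAN` location unchanged; a four-character minimum is well below current guidance, and because gosa-sync pushes these passwords into Kerberos it sets the bar for Kerberos credentials as well. Consider `passwordMinLength="8"` (or higher) and documenting the choice in the comment block above `<main>`. Whether GOsa applies these limits to administrator-set passwords as well as self-service changes is not visible here.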
diff --git a/fai/config/files/etc/ldap/gosa.ldif/GOSA b/fai/config/files/etc/ldap/gosa.ldif/GOSA
index 1a72d46..114ecbb 100644
--- a/fai/config/files/etc/ldap/gosa.ldif/GOSA
+++ b/fai/config/files/etc/ldap/gosa.ldif/GOSA
@@ -101,11 +101,13 @@ cn: DebianLAN
sudoOption: !authenticate
sudoOption: !syslog
sudoOption: env_keep=USERPASSWORD
-sudoHost: mainserver
+sudoHost: mainserver.intern
sudoRunAs: ALL
sudoCommand: /usr/local/sbin/gosa-sync
sudoCommand: /usr/local/sbin/gosa-remove
sudoCommand: /usr/local/sbin/gosa-create
+sudoCommand: /usr/local/sbin/gosa-lock-user
+sudoCommand: /usr/local/sbin/gosa-unlock-user
sudoUser: www-data
## some admin roles: give admin(s) sudo access
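Review bot: `sudoRunAs: ALL` lets www-data run every listed gosa-* script as any account (`sudo -u someuser /usr/local/sbin/gosa-sync …`), while the scripts only need root for kadmin.local and home-directory handling; `sudoRunAs: root` is the least-privilege form and the hooks in gosa.conf keep working because they never pass `-u`. The `!syslog` option also suppresses sudo's own record of these invocations, so the only audit trail is what each script writes via logger; that deserves a comment, e.g. `## !syslog: sudo does not log these calls, the gosa-* scripts log via logger(1)`. The FQDN change to `sudoHost` is fine as long as `hostname -f` on the main server resolves to exactly `mainserver.intern`, otherwise sudo-ldap will silently stop matching this rule.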
diff --git a/fai/config/files/usr/local/sbin/gosa-lock-user/GOSA b/fai/config/files/usr/local/sbin/gosa-lock-user/GOSA
new file mode 100755
index 0000000..9a53638
--- /dev/null
+++ b/fai/config/files/usr/local/sbin/gosa-lock-user/GOSA
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+set -e
+
+## This script is run by www-data using sudo. Keep that in mind!
+## Make sure that malicious execution cannot hurt.
+##
+## This script creates the home directories and principals for users
+## added with gosa. There are some tests that make sure only
+## non-existent home directories are created. Malicious execution
+## cannot hurt, because either the user is missing in ldap or his home
+## directory already exists. In both cases nothing should happen.
+
+USERDN="$1"
+USERID=`echo "$USERDN" | sed "s/^uid=\([^,]*\),.*$/\1/"`
+USEROU=`echo "$USERDN" | sed "s/^uid=[^,]*,\(.*\)$/\1/"`
+
+# test if user ID exists
+set +e
+LANG=C ldapsearch -x "(&(uid=$USERID)(objectClass=gosaAccount))" -b "${USEROU}" | tail -n1 | grep -q -E "^# numEntries: 1$"
+ret=$?
+set -e
+if [ "x$ret" = "x0" ]; then
+ set +e
+ LANG=C ldapsearch -x "(&(uid=$USERID)(objectClass=gosaAccount)(objectClass=krbPrincipalAux))" -b "${USEROU}" | tail -n1 | grep -q -E "^# numEntries: 1$"
+ ret=$?
+ set -e
+ if [ "x$ret" = "x0" ]; then
+ set +e
+ success=$(LANG=C kadmin.local -q "modify_principal -allow_tix $USERID" | grep -E "^Principal\ .*@.*\ modified.$")
+ set -e
+ if [ -n "$success" ]; then
+ logger -t gosa-lock-user -p notice "Kerberos account of user '$USERID' (DN: $USERDN) has been locked."
+ else
+ OUT="Locking Kerberos account of user '$USERID' (DN: $USERDN) failed."
+ echo "$OUT"
+ logger -t gosa-lock-user -p warning "$OUT"
+ fi
+ else
+ logger -t gosa-lock-user -p notice "User account '$USERID' (DN: $USERDN) is not a Kerberos-enabled account. (Thus, skipping...)."
+ fi
+else
+ OUT="User account '$USERID' (DN: $USERDN) does not exist."
+ echo "$OUT"
+ logger -t gosa-lock-user -p warning "$OUT"
+fi
+
+exit 0
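Review bot: The header comment (`## This script creates the home directories and principals …`) was copied from gosa-create and does not describe this script, which only runs `kadmin.local modify_principal -allow_tix` for an existing Kerberos-enabled gosaAccount; replace it with something like `## Lock the Kerberos principal of the user whose DN is given in $1 (-allow_tix disables ticket issuance). Acts only if a gosaAccount with krbPrincipalAux exists under the DN's OU.` Since www-data reaches this script through sudo without authentication, `$USERID` is attacker-controlled if the web frontend is compromised, and it is interpolated unescaped into two LDAP filters and into the kadmin query, whose parser splits on whitespace; a whitelist check before its first use, `case "$USERID" in ""|*[!A-Za-z0-9._-]*) echo "invalid uid"; exit 1;; esac`, bounds that. Note that `-allow_tix` only stops new tickets; tickets already issued remain valid until they expire, which the log message should mention.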
diff --git a/fai/config/files/usr/local/sbin/gosa-sync/GOSA b/fai/config/files/usr/local/sbin/gosa-sync/GOSA
index 3cb573c..4f6f2b2 100755
--- a/fai/config/files/usr/local/sbin/gosa-sync/GOSA
+++ b/fai/config/files/usr/local/sbin/gosa-sync/GOSA
@@ -17,6 +17,15 @@ set -e
USERDN="$1"
USERID=`echo "$USERDN" | sed "s/^uid=\([^,]*\),.*$/\1/"`
+# check if the given user account has the Kerberos principal objectClass set...
+is_krbprincipal=`ldapsearch -LLL -x "(&(uid=${USERID})(objectClass=krbPrincipalAux))"`
+if [ -z "$is_krbprincipal" ]; then
+
+ # if not, simply bail out here without noise...
+ exit 0
+
+fi
+
## The new user password is in environment, $USERPASSWORD.
## Check if provided password corresponds to hash saved in ldap database:
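Review bot: The new `ldapsearch -LLL -x "(&(uid=${USERID})(objectClass=krbPrincipalAux))"` check has no `-b`, so it searches the default base from ldap.conf for any entry with that uid instead of the DN the script was given, and `$USERID` goes into the filter unescaped (the sibling lock/unlock scripts at least narrow the search with `-b "$USEROU"`). Anchoring the check to the DN removes both problems: `is_krbprincipal=\`ldapsearch -LLL -x -s base -b "$USERDN" "(objectClass=krbPrincipalAux)" dn\``. Under `set -e` a failing ldapsearch aborts the script, but a successful search that simply finds nothing is treated as "not Kerberos" and the Kerberos password is left stale without any trace; a `logger -t gosa-sync -p notice "..."` line in that branch would make this visible. The body of gosa-sync continues past this hunk.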
@@ -27,10 +36,14 @@ cat <<EOF | tr -d "\n" > "$TMPFILE"
$USERPASSWORD
EOF
+# remove escapes from the password added by GOsa²...
+sed -i $TMPFILE -e 's/\\//g'
+
+# check the password in $TMPfile against LDAP...
IAM=`ldapwhoami -x -Z -y "$TMPFILE" -D "$USERDN" 2>/dev/null || true`
# Escapes " because kadmin needs to use double quotes:
-EUSERPASSWORD="$(cat $TMPFILE | sed -e 's/\"/\"\"/g')"
+EUSERPASSWORD="$(cat $TMPFILE | sed -e 's/\"/\\\"/g')"
if [ "$IAM" = "dn:$USERDN" ] ; then
cat > "$TMPFILE" <<EOF
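Review bot: `sed -i $TMPFILE -e 's/\\//g'` deletes every backslash in the password file, not only the escaping ones GOsa added, so a password that itself contains a backslash (which GOsa would presumably have passed as `\\`) loses it, the `ldapwhoami` bind then fails and the Kerberos password is never updated. Unescaping should drop a backslash only together with the character it escapes, `sed -i "$TMPFILE" -e 's/\\\(.\)/\1/g'`, and `$TMPFILE` should be quoted as it is on the surrounding lines. The exact escaping GOsa applies to `%new_password` is not visible here, so confirm it against the frontend before changing this. The remainder of the function, including the kadmin call that consumes `$EUSERPASSWORD`, lies outside the hunk.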
diff --git a/fai/config/files/usr/local/sbin/gosa-unlock-user/GOSA b/fai/config/files/usr/local/sbin/gosa-unlock-user/GOSA
new file mode 100755
index 0000000..8b83338
--- /dev/null
+++ b/fai/config/files/usr/local/sbin/gosa-unlock-user/GOSA
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+set -e
+
+## This script is run by www-data using sudo. Keep that in mind!
+## Make sure that malicious execution cannot hurt.
+##
+## This script creates the home directories and principals for users
+## added with gosa. There are some tests that make sure only
+## non-existent home directories are created. Malicious execution
+## cannot hurt, because either the user is missing in ldap or his home
+## directory already exists. In both cases nothing should happen.
+
+USERDN="$1"
+USERID=`echo "$USERDN" | sed "s/^uid=\([^,]*\),.*$/\1/"`
+USEROU=`echo "$USERDN" | sed "s/^uid=[^,]*,\(.*\)$/\1/"`
+
+# test if user ID exists
+set +e
+LANG=C ldapsearch -x "(&(uid=$USERID)(objectClass=gosaAccount))" -b "${USEROU}" | tail -n1 | grep -q -E "^# numEntries: 1$"
+ret=$?
+set -e
+if [ "x$ret" = "x0" ]; then
+ set +e
+ LANG=C ldapsearch -x "(&(uid=$USERID)(objectClass=gosaAccount)(objectClass=krbPrincipalAux))" -b "${USEROU}" | tail -n1 | grep -q -E "^# numEntries: 1$"
+ ret=$?
+ set -e
+ if [ "x$ret" = "x0" ]; then
+ set +e
+ success=$(LANG=C kadmin.local -q "modify_principal +allow_tix $USERID" | grep -E "^Principal\ .*@.*\ modified.$")
+ set -e
+ if [ -n "$success" ]; then
+ logger -t gosa-unlock-user -p notice "Kerberos account of user '$USERID' (DN: $USERDN) has been unlocked."
+ else
+ OUT="Unlocking Kerberos account of user '$USERID' (DN: $USERDN) failed."
+ echo "$OUT"
+ logger -t gosa-unlock-user -p warning $OUT
+ fi
+ else
+ logger -t gosa-unlock-user -p notice "User account '$USERID' (DN: $USERDN) is not a Kerberos-enabled account. (Thus, skipping...)."
+ fi
+else
+ OUT="User account '$USERID' (DN: $USERDN) does not exist."
+ echo "$OUT"
+ logger -t gosa-lock-user -p warning "$OUT"
+fi
+
+exit 0
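Review bot: `logger -t gosa-unlock-user -p warning $OUT` on the failure branch passes `$OUT` unquoted, so the message is word-split and any glob characters in `$USERID`/`$USERDN` are expanded before logging; it should be `logger -t gosa-unlock-user -p warning "$OUT"` as in the lock script. The final `else` branch logs with tag `gosa-lock-user`, which misattributes "does not exist" warnings to the other script: `logger -t gosa-unlock-user -p warning "$OUT"`. The header comment is copied from gosa-create and should instead say that the script re-enables ticket issuance (`+allow_tix`) for an existing Kerberos-enabled account, and the same uid whitelist check the lock script needs applies here, since `$USERID` is placed unescaped into the LDAP filters and the kadmin query while www-data can invoke this via sudo without authenticating.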
diff --git a/fai/config/scripts/GOSA/10-config b/fai/config/scripts/GOSA/10-config
index 7cb7c1c..31e25dc 100755
--- a/fai/config/scripts/GOSA/10-config
+++ b/fai/config/scripts/GOSA/10-config
@@ -13,6 +13,9 @@ fcopy -m root,www-data,0660 $GOSACONF
fcopy -m root,root,0770 /usr/local/sbin/gosa-create
fcopy -m root,root,0770 /usr/local/sbin/gosa-sync
fcopy -m root,root,0770 /usr/local/sbin/gosa-remove
+fcopy -m root,root,0770 /usr/local/sbin/gosa-lock-user
+fcopy -m root,root,0770 /usr/local/sbin/gosa-unlock-user
+
fcopy -m root,root,0770 /usr/local/sbin/add2gosa
fcopy /var/www/html/index.html
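Review bot: The two new `fcopy -m root,root,0770` lines follow the existing pattern, but 0770 grants write permission to group root on scripts that www-data executes as root via sudo; nothing here needs group write, so `0750` (or `0700`) would be the least-privilege mode for the whole gosa-* block. If the mode is kept for consistency, a comment above the block stating the trust boundary would help, e.g. `# gosa-* hooks are invoked by www-data via sudo (see gosa.ldif); keep them root-only and never world-readable`.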