starlingx/integ
Code Issues Proposed changes
38c184f1b4
integ/ldap/ldapscripts/files/ldap-user-setup-support.patch
Saul Wold 83c6575d51 integ: Convert wrsroot -> sysadmin 
This also changes the group wrs_protected to sys_protected
to de-brand the user and group names.

Depends-On: I887464a20fc17d66529caea03be2b445156f9426
Change-Id: Ic2ea06d3ac15c31854a604af5f4cecf9094fcaea
Story: 2004716
Task: 28748
Signed-off-by: Saul Wold <sgw@linux.intel.com>
2019-06-14 15:09:09 -07:00

355 lines
11 KiB
Diff
Raw Blame History

---
Makefile | 5 +-
man/man1/ldapusersetup.1 | 60 +++++++++++
sbin/ldapusersetup | 254 +++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 317 insertions(+), 2 deletions(-)
create mode 100644 man/man1/ldapusersetup.1
create mode 100644 sbin/ldapusersetup
diff --git a/sbin/ldapusersetup b/sbin/ldapusersetup
new file mode 100644
index 0000000..27d12dc
--- /dev/null
+++ b/sbin/ldapusersetup
@@ -0,0 +1,254 @@
+#!/bin/sh
+
+# ldapusersetup : interactive setup for adding users to LDAP
+
+# Copyright (c) 2015 Wind River Systems, Inc.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+# USA.
+
+if [ "$1" = "-h" ] || [ "$1" = "--help" ] || [ "$#" -eq 1 ]
+then
+ echo "Usage : $0 [-u <username | uid> <field> <value>]
+where accepted field(s) are as follows:
+--sudo : whether to add this user to sudoer list
+--secondgroup <grp> : the secondary group to add this user to
+--passmax <value> : the shadowMax value for this user
+--passwarning <value> : the shadowWarning value for this user"
+ exit 1
+fi
+
+# Source runtime file
+_RUNTIMEFILE="/usr/lib/ldapscripts/runtime"
+. "$_RUNTIMEFILE"
+
+# runtime defaults
+_DEFAULTGRP2="sys_protected"
+_BASHSHELL="/bin/bash"
+_DEFAULTSHADOWMAX="90"
+_DEFAULTSHADOWWARNING="2"
+_SHELL=""
+
+### Helper functions ###
+
+# Gets input from user and validates it.
+# Will only return if input meets validation
+# criteria otherwise will just sit there.
+#
+# Input : input string ($1), valid output options ($2)
+# Output: the validated input
+# Note : the validation list must be an array
+LdapUserInput () {
+declare -a optionAry=("${!2}")
+while true; do
+ read -p "$1" _output
+ # convert to lower case
+ _output2=${_output,,}
+ # check if output is a valid option
+ if [[ "${optionAry[@]}" =~ "$_output2" ]]; then
+ break
+ else
+ echo "Invalid input \"$_output\". Allowed options: ${optionAry[@]}" >&2
+ fi
+done
+ echo "$_output2"
+}
+
+# Delete an ldap user if it exists
+# and exit with error
+# Input : username ($1), exit msg ($2)
+# Output : none
+LdapRollback() {
+ ldapdeleteuser "$1"
+ end_die "$2"
+}
+
+# Add an ldap user and exit on failure
+# Input : username ($1)
+# Output : none
+LdapAddUser() {
+ ldapadduser "$1" users
+ [ $? -eq 0 ] || end_die "Critical setup error: cannot add user"
+}
+
+# Replace Login Shell and call Rollback on failure
+# Input : username ($1), shell to set ($2)
+# Output : none
+LdapAddLoginShell () {
+ # Support bash only now.
+ _SHELL="$_BASHSHELL"
+ # Replace the login shell
+ ldapmodifyuser $1 replace loginShell $_SHELL &> /dev/null
+ [ $? -eq 0 ] || LdapRollback $1 "Critical setup error: cannot set login shell"
+}
+
+# Add user to sudoer list
+# Input : username ($1)
+# Output : true or false
+LdapAddSudo() {
+ ldapaddsudo "$1" 2> /dev/null
+ [ $? -eq 0 ] || \
+ echo_log "Non critical setup error: cannot add to sudoer list"
+}
+
+# Add user to a secondary user group
+# Input : username ($1), user group ($2)
+# Output : true or false
+LdapSecondaryGroup () {
+ _newGrp="$2"
+ [ -z "$2" ] && _newGrp=$_DEFAULTGRP2
+
+ ldapaddusertogroup $1 $_newGrp
+ [ $? -eq 0 ] || \
+ echo_log "Non critical setup error: cannot add $1 to $_newGrp"
+}
+
+# Update shadowMax for user
+# Input : username ($1), shadow Max value ($2)
+# Output : none
+LdapUpdateShadowMax () {
+ _newShadow="$2"
+ ! [[ "$2" =~ ^[0-9]+$ ]] || [ -z "$2" ] \
+ && _newShadow=$_DEFAULTSHADOWMAX
+
+ ldapmodifyuser $1 replace shadowMax $_newShadow
+ echo "Updating password expiry to $_newShadow days"
+}
+
+# Update shadowWarning for user
+# Input : username ($1), shadow Warning value ($2)
+# Output : none
+LdapUpdateShadowWarning () {
+ _newWarning="$2"
+ ! [[ "$2" =~ ^[0-9]+$ ]] || [ -z "$2" ] \
+ && _newWarning=$_DEFAULTSHADOWWARNING
+
+ ldapmodifyuser $1 replace shadowWarning $_newWarning
+ echo "Updating password expiry to $_newWarning days"
+}
+
+# Since this setup script is meant to be a
+# wrapper on top of existing ldap scripts,
+# it share invoke those... we could have achieved
+# loose coupling by not relying on helpers but
+# at the expense of massively redundant code
+# duplication.
+declare -a helper_scripts=("ldapadduser" "ldapaddsudo" "ldapmodifyuser" "ldapaddusertogroup" "$_BASHSHELL")
+
+# Do some quick sanity tests to make sure
+# helper scripts are present
+for src in "${helper_scripts[@]}"; do
+ if ! type "$src" &>/dev/null; then
+ end_die "Cannot locate $src. Update your PATH variable"
+ fi
+done
+
+if [ "$#" -eq 0 ]; then
+ # This setup collects all attributes
+ # interactively during runtime
+ echo -n "Enter username to add to LDAP: "
+ read _username
+ LdapAddUser "$_username"
+
+ # Replace the login shell. Only bash is supported now.
+ LdapAddLoginShell "$_username"
+
+ # Should sudo be activated for this user
+ echo -n "Add $_username to sudoer list? (yes/NO): "
+ read CONFIRM
+ CONFIRM=${CONFIRM,,}
+
+ if is_yes $CONFIRM
+ then
+ LdapAddSudo "$_username"
+ fi
+
+ # Add to secondary user group
+ shellInput="Add $_username to secondary user group? (yes/NO): "
+ options=( "yes", "no" )
+ CONFIRM=`LdapUserInput "$shellInput" options[@]`
+ if is_yes $CONFIRM
+ then
+ echo -n "Secondary group to add user to? [$_DEFAULTGRP2]: "
+ read _grp2
+ LdapSecondaryGroup $_username $_grp2
+ fi
+
+ # Set password expiry
+ echo -n "Enter days after which user password must \
+be changed [$_DEFAULTSHADOWMAX]: "
+ read _shadowMax
+ LdapUpdateShadowMax $_username $_shadowMax
+
+ # Set password warning
+ echo -n "Enter days before password is to expire that \
+user is warned [$_DEFAULTSHADOWWARNING]: "
+ read _shadowWarning
+ LdapUpdateShadowWarning $_username $_shadowWarning
+
+else
+ # we have to read command line option
+ while [[ $# > 1 ]]
+ do
+ key="$1"
+
+ case $key in
+ -u|--user) # compulsory
+ _username="$2"
+ shift
+ ;;
+ --sudo) # optional
+ _sudo="yes"
+ ;;
+ --passmax) # optional
+ _shadowMax="$2"
+ shift
+ ;;
+ --passwarning) # optional
+ _shadowWarning="$2"
+ shift
+ ;;
+ --secondgroup) # optional
+ _grpConfirm="1"
+ _grp2="$2"
+ shift
+ ;;
+ *)
+
+ ;;
+ esac
+ shift
+ done
+
+ # Add LDAP user
+ [ -z "$_username" ] && end_die "No username argument specified"
+ LdapAddUser $_username
+
+ # Change Login Shell
+ LdapAddLoginShell $_username "$_loginshell"
+
+ # Add sudo if required
+ if is_yes $_sudo
+ then
+ LdapAddSudo "$_username"
+ fi
+
+ # Add secondary group if required
+ [ -z "$_grpConfirm" ] || LdapSecondaryGroup $_username $_grp2
+
+ # Password modifications
+ LdapUpdateShadowMax $_username $_shadowMax
+ LdapUpdateShadowWarning $_username $_shadowWarning
+fi
diff --git a/Makefile b/Makefile
index f81c272..6e5b193 100644
--- a/Makefile
+++ b/Makefile
@@ -41,12 +41,13 @@ SBINFILES = ldapdeletemachine ldapmodifygroup ldapsetpasswd lsldap ldapadduser l
ldapdeleteuser ldapsetprimarygroup ldapfinger ldapid ldapgid ldapmodifymachine \
ldaprenamegroup ldapaddgroup ldapaddusertogroup ldapdeleteuserfromgroup \
ldapinit ldapmodifyuser ldaprenamemachine ldapaddmachine ldapdeletegroup \
- ldaprenameuser ldapmodifysudo ldapdeletesudo
+ ldaprenameuser ldapmodifysudo ldapdeletesudo ldapusersetup
MAN1FILES = ldapdeletemachine.1 ldapmodifymachine.1 ldaprenamemachine.1 ldapadduser.1 \
ldapdeleteuserfromgroup.1 ldapfinger.1 ldapid.1 ldapgid.1 ldapmodifyuser.1 lsldap.1 \
ldapaddusertogroup.1 ldaprenameuser.1 ldapinit.1 ldapsetpasswd.1 ldapaddgroup.1 \
ldapdeletegroup.1 ldapsetprimarygroup.1 ldapmodifygroup.1 ldaprenamegroup.1 \
- ldapaddmachine.1 ldapdeleteuser.1 ldapaddsudo.1 ldapmodifysudo.1 ldapdeletesudo.1
+ ldapaddmachine.1 ldapdeleteuser.1 ldapaddsudo.1 ldapmodifysudo.1 \
+ ldapdeletesudo.1 ldapusersetup.1
MAN5FILES = ldapscripts.5
TMPLFILES = ldapaddgroup.template.sample ldapaddmachine.template.sample \
ldapadduser.template.sample
diff --git a/man/man1/ldapusersetup.1 b/man/man1/ldapusersetup.1
new file mode 100644
index 0000000..9b3129b
--- /dev/null
+++ b/man/man1/ldapusersetup.1
@@ -0,0 +1,60 @@
+.\" Copyright (c) 2015 Wind River Systems, Inc.
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version 2
+.\" of the License, or (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+.\" USA.
+.\"
+.\" Kam Nasim
+.\" knasim@windriver.com
+.\"
+.TH ldapusersetup 1 "December 16, 2015"
+
+.SH NAME
+ldapusersetup \- wizard for adding an LDAP user to CGCS.
+
+.SH SYNOPSIS
+.B ldapusersetup
+
+.SH DESCRIPTION
+ldapusersetup interactively walks through the process of creating an LDAP user
+for access to CGCS services. The user is prompted for:
+- username
+- if a sudoEntry needs to be created
+- if a secondary user group needs to be added
+- user password expiry and warning configuration
+Alternatively, the user may provide these parameters as command line actions.
+Look at the OPTIONS section for more information.
+
+To delete the user and all its group associations, simply use ldapdeleteuser(1)
+
+.SH OPTIONS
+.TP
+.B [-u <username | uid> <field> <value>]
+The name or uid of the user to modify.
+The following fields are available as long format options:
+--sudo : whether to add this user to sudoer list
+--secondgroup <grp> : the secondary group to add this user to
+--passmax <value> : the shadowMax value for this user
+--passwarning <value> : the shadowWarning value for this user"
+
+.SH "SEE ALSO"
+ldapdeleteuser(1), ldapaddgroup(1), ldapaddusertogroup(1), ldapmodifyuser(1), ldapscripts(5).
+
+.SH AVAILABILITY
+The ldapscripts are provided under the GNU General Public License v2 (see COPYING for more details).
+The latest version of the ldapscripts is available on :
+.B http://contribs.martymac.org
+
+.SH BUGS
+No bug known.
View Git Blame Copy Permalink