fea8e8348f
Signed-off-by: Saul Wold <sgw@linux.intel.com>
355 lines
11 KiB
Diff
355 lines
11 KiB
Diff
---
|
|
Makefile | 5 +-
|
|
man/man1/ldapusersetup.1 | 60 +++++++++++
|
|
sbin/ldapusersetup | 254 +++++++++++++++++++++++++++++++++++++++++++++++
|
|
3 files changed, 317 insertions(+), 2 deletions(-)
|
|
create mode 100644 man/man1/ldapusersetup.1
|
|
create mode 100644 sbin/ldapusersetup
|
|
|
|
diff --git a/sbin/ldapusersetup b/sbin/ldapusersetup
|
|
new file mode 100644
|
|
index 0000000..27d12dc
|
|
--- /dev/null
|
|
+++ b/sbin/ldapusersetup
|
|
@@ -0,0 +1,254 @@
|
|
+#!/bin/sh
|
|
+
|
|
+# ldapusersetup : interactive setup for adding users to LDAP
|
|
+
|
|
+# Copyright (c) 2015 Wind River Systems, Inc.
|
|
+#
|
|
+# This program is free software; you can redistribute it and/or
|
|
+# modify it under the terms of the GNU General Public License
|
|
+# as published by the Free Software Foundation; either version 2
|
|
+# of the License, or (at your option) any later version.
|
|
+#
|
|
+# This program is distributed in the hope that it will be useful,
|
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+# GNU General Public License for more details.
|
|
+#
|
|
+# You should have received a copy of the GNU General Public License
|
|
+# along with this program; if not, write to the Free Software
|
|
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
|
|
+# USA.
|
|
+
|
|
+if [ "$1" = "-h" ] || [ "$1" = "--help" ] || [ "$#" -eq 1 ]
|
|
+then
|
|
+ echo "Usage : $0 [-u <username | uid> <field> <value>]
|
|
+where accepted field(s) are as follows:
|
|
+--sudo : whether to add this user to sudoer list
|
|
+--secondgroup <grp> : the secondary group to add this user to
|
|
+--passmax <value> : the shadowMax value for this user
|
|
+--passwarning <value> : the shadowWarning value for this user"
|
|
+ exit 1
|
|
+fi
|
|
+
|
|
+# Source runtime file
|
|
+_RUNTIMEFILE="/usr/lib/ldapscripts/runtime"
|
|
+. "$_RUNTIMEFILE"
|
|
+
|
|
+# runtime defaults
|
|
+_DEFAULTGRP2="sys_protected"
|
|
+_BASHSHELL="/bin/bash"
|
|
+_DEFAULTSHADOWMAX="90"
|
|
+_DEFAULTSHADOWWARNING="2"
|
|
+_SHELL=""
|
|
+
|
|
+### Helper functions ###
|
|
+
|
|
+# Gets input from user and validates it.
|
|
+# Will only return if input meets validation
|
|
+# criteria otherwise will just sit there.
|
|
+#
|
|
+# Input : input string ($1), valid output options ($2)
|
|
+# Output: the validated input
|
|
+# Note : the validation list must be an array
|
|
+LdapUserInput () {
|
|
+declare -a optionAry=("${!2}")
|
|
+while true; do
|
|
+ read -p "$1" _output
|
|
+ # convert to lower case
|
|
+ _output2=${_output,,}
|
|
+ # check if output is a valid option
|
|
+ if [[ "${optionAry[@]}" =~ "$_output2" ]]; then
|
|
+ break
|
|
+ else
|
|
+ echo "Invalid input \"$_output\". Allowed options: ${optionAry[@]}" >&2
|
|
+ fi
|
|
+done
|
|
+ echo "$_output2"
|
|
+}
|
|
+
|
|
+# Delete an ldap user if it exists
|
|
+# and exit with error
|
|
+# Input : username ($1), exit msg ($2)
|
|
+# Output : none
|
|
+LdapRollback() {
|
|
+ ldapdeleteuser "$1"
|
|
+ end_die "$2"
|
|
+}
|
|
+
|
|
+# Add an ldap user and exit on failure
|
|
+# Input : username ($1)
|
|
+# Output : none
|
|
+LdapAddUser() {
|
|
+ ldapadduser "$1" users
|
|
+ [ $? -eq 0 ] || end_die "Critical setup error: cannot add user"
|
|
+}
|
|
+
|
|
+# Replace Login Shell and call Rollback on failure
|
|
+# Input : username ($1), shell to set ($2)
|
|
+# Output : none
|
|
+LdapAddLoginShell () {
|
|
+ # Support bash only now.
|
|
+ _SHELL="$_BASHSHELL"
|
|
+ # Replace the login shell
|
|
+ ldapmodifyuser $1 replace loginShell $_SHELL &> /dev/null
|
|
+ [ $? -eq 0 ] || LdapRollback $1 "Critical setup error: cannot set login shell"
|
|
+}
|
|
+
|
|
+# Add user to sudoer list
|
|
+# Input : username ($1)
|
|
+# Output : true or false
|
|
+LdapAddSudo() {
|
|
+ ldapaddsudo "$1" 2> /dev/null
|
|
+ [ $? -eq 0 ] || \
|
|
+ echo_log "Non critical setup error: cannot add to sudoer list"
|
|
+}
|
|
+
|
|
+# Add user to a secondary user group
|
|
+# Input : username ($1), user group ($2)
|
|
+# Output : true or false
|
|
+LdapSecondaryGroup () {
|
|
+ _newGrp="$2"
|
|
+ [ -z "$2" ] && _newGrp=$_DEFAULTGRP2
|
|
+
|
|
+ ldapaddusertogroup $1 $_newGrp
|
|
+ [ $? -eq 0 ] || \
|
|
+ echo_log "Non critical setup error: cannot add $1 to $_newGrp"
|
|
+}
|
|
+
|
|
+# Update shadowMax for user
|
|
+# Input : username ($1), shadow Max value ($2)
|
|
+# Output : none
|
|
+LdapUpdateShadowMax () {
|
|
+ _newShadow="$2"
|
|
+ ! [[ "$2" =~ ^[0-9]+$ ]] || [ -z "$2" ] \
|
|
+ && _newShadow=$_DEFAULTSHADOWMAX
|
|
+
|
|
+ ldapmodifyuser $1 replace shadowMax $_newShadow
|
|
+ echo "Updating password expiry to $_newShadow days"
|
|
+}
|
|
+
|
|
+# Update shadowWarning for user
|
|
+# Input : username ($1), shadow Warning value ($2)
|
|
+# Output : none
|
|
+LdapUpdateShadowWarning () {
|
|
+ _newWarning="$2"
|
|
+ ! [[ "$2" =~ ^[0-9]+$ ]] || [ -z "$2" ] \
|
|
+ && _newWarning=$_DEFAULTSHADOWWARNING
|
|
+
|
|
+ ldapmodifyuser $1 replace shadowWarning $_newWarning
|
|
+ echo "Updating password expiry to $_newWarning days"
|
|
+}
|
|
+
|
|
+# Since this setup script is meant to be a
|
|
+# wrapper on top of existing ldap scripts,
|
|
+# it share invoke those... we could have achieved
|
|
+# loose coupling by not relying on helpers but
|
|
+# at the expense of massively redundant code
|
|
+# duplication.
|
|
+declare -a helper_scripts=("ldapadduser" "ldapaddsudo" "ldapmodifyuser" "ldapaddusertogroup" "$_BASHSHELL")
|
|
+
|
|
+# Do some quick sanity tests to make sure
|
|
+# helper scripts are present
|
|
+for src in "${helper_scripts[@]}"; do
|
|
+ if ! type "$src" &>/dev/null; then
|
|
+ end_die "Cannot locate $src. Update your PATH variable"
|
|
+ fi
|
|
+done
|
|
+
|
|
+if [ "$#" -eq 0 ]; then
|
|
+ # This setup collects all attributes
|
|
+ # interactively during runtime
|
|
+ echo -n "Enter username to add to LDAP: "
|
|
+ read _username
|
|
+ LdapAddUser "$_username"
|
|
+
|
|
+ # Replace the login shell. Only bash is supported now.
|
|
+ LdapAddLoginShell "$_username"
|
|
+
|
|
+ # Should sudo be activated for this user
|
|
+ echo -n "Add $_username to sudoer list? (yes/NO): "
|
|
+ read CONFIRM
|
|
+ CONFIRM=${CONFIRM,,}
|
|
+
|
|
+ if is_yes $CONFIRM
|
|
+ then
|
|
+ LdapAddSudo "$_username"
|
|
+ fi
|
|
+
|
|
+ # Add to secondary user group
|
|
+ shellInput="Add $_username to secondary user group? (yes/NO): "
|
|
+ options=( "yes", "no" )
|
|
+ CONFIRM=`LdapUserInput "$shellInput" options[@]`
|
|
+ if is_yes $CONFIRM
|
|
+ then
|
|
+ echo -n "Secondary group to add user to? [$_DEFAULTGRP2]: "
|
|
+ read _grp2
|
|
+ LdapSecondaryGroup $_username $_grp2
|
|
+ fi
|
|
+
|
|
+ # Set password expiry
|
|
+ echo -n "Enter days after which user password must \
|
|
+be changed [$_DEFAULTSHADOWMAX]: "
|
|
+ read _shadowMax
|
|
+ LdapUpdateShadowMax $_username $_shadowMax
|
|
+
|
|
+ # Set password warning
|
|
+ echo -n "Enter days before password is to expire that \
|
|
+user is warned [$_DEFAULTSHADOWWARNING]: "
|
|
+ read _shadowWarning
|
|
+ LdapUpdateShadowWarning $_username $_shadowWarning
|
|
+
|
|
+else
|
|
+ # we have to read command line option
|
|
+ while [[ $# > 1 ]]
|
|
+ do
|
|
+ key="$1"
|
|
+
|
|
+ case $key in
|
|
+ -u|--user) # compulsory
|
|
+ _username="$2"
|
|
+ shift
|
|
+ ;;
|
|
+ --sudo) # optional
|
|
+ _sudo="yes"
|
|
+ ;;
|
|
+ --passmax) # optional
|
|
+ _shadowMax="$2"
|
|
+ shift
|
|
+ ;;
|
|
+ --passwarning) # optional
|
|
+ _shadowWarning="$2"
|
|
+ shift
|
|
+ ;;
|
|
+ --secondgroup) # optional
|
|
+ _grpConfirm="1"
|
|
+ _grp2="$2"
|
|
+ shift
|
|
+ ;;
|
|
+ *)
|
|
+
|
|
+ ;;
|
|
+ esac
|
|
+ shift
|
|
+ done
|
|
+
|
|
+ # Add LDAP user
|
|
+ [ -z "$_username" ] && end_die "No username argument specified"
|
|
+ LdapAddUser $_username
|
|
+
|
|
+ # Change Login Shell
|
|
+ LdapAddLoginShell $_username "$_loginshell"
|
|
+
|
|
+ # Add sudo if required
|
|
+ if is_yes $_sudo
|
|
+ then
|
|
+ LdapAddSudo "$_username"
|
|
+ fi
|
|
+
|
|
+ # Add secondary group if required
|
|
+ [ -z "$_grpConfirm" ] || LdapSecondaryGroup $_username $_grp2
|
|
+
|
|
+ # Password modifications
|
|
+ LdapUpdateShadowMax $_username $_shadowMax
|
|
+ LdapUpdateShadowWarning $_username $_shadowWarning
|
|
+fi
|
|
diff --git a/Makefile b/Makefile
|
|
index f81c272..6e5b193 100644
|
|
--- a/Makefile
|
|
+++ b/Makefile
|
|
@@ -41,12 +41,13 @@ SBINFILES = ldapdeletemachine ldapmodifygroup ldapsetpasswd lsldap ldapadduser l
|
|
ldapdeleteuser ldapsetprimarygroup ldapfinger ldapid ldapgid ldapmodifymachine \
|
|
ldaprenamegroup ldapaddgroup ldapaddusertogroup ldapdeleteuserfromgroup \
|
|
ldapinit ldapmodifyuser ldaprenamemachine ldapaddmachine ldapdeletegroup \
|
|
- ldaprenameuser ldapmodifysudo ldapdeletesudo
|
|
+ ldaprenameuser ldapmodifysudo ldapdeletesudo ldapusersetup
|
|
MAN1FILES = ldapdeletemachine.1 ldapmodifymachine.1 ldaprenamemachine.1 ldapadduser.1 \
|
|
ldapdeleteuserfromgroup.1 ldapfinger.1 ldapid.1 ldapgid.1 ldapmodifyuser.1 lsldap.1 \
|
|
ldapaddusertogroup.1 ldaprenameuser.1 ldapinit.1 ldapsetpasswd.1 ldapaddgroup.1 \
|
|
ldapdeletegroup.1 ldapsetprimarygroup.1 ldapmodifygroup.1 ldaprenamegroup.1 \
|
|
- ldapaddmachine.1 ldapdeleteuser.1 ldapaddsudo.1 ldapmodifysudo.1 ldapdeletesudo.1
|
|
+ ldapaddmachine.1 ldapdeleteuser.1 ldapaddsudo.1 ldapmodifysudo.1 \
|
|
+ ldapdeletesudo.1 ldapusersetup.1
|
|
MAN5FILES = ldapscripts.5
|
|
TMPLFILES = ldapaddgroup.template.sample ldapaddmachine.template.sample \
|
|
ldapadduser.template.sample
|
|
diff --git a/man/man1/ldapusersetup.1 b/man/man1/ldapusersetup.1
|
|
new file mode 100644
|
|
index 0000000..9b3129b
|
|
--- /dev/null
|
|
+++ b/man/man1/ldapusersetup.1
|
|
@@ -0,0 +1,60 @@
|
|
+.\" Copyright (c) 2015 Wind River Systems, Inc.
|
|
+.\"
|
|
+.\" This program is free software; you can redistribute it and/or
|
|
+.\" modify it under the terms of the GNU General Public License
|
|
+.\" as published by the Free Software Foundation; either version 2
|
|
+.\" of the License, or (at your option) any later version.
|
|
+.\"
|
|
+.\" This program is distributed in the hope that it will be useful,
|
|
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+.\" GNU General Public License for more details.
|
|
+.\"
|
|
+.\" You should have received a copy of the GNU General Public License
|
|
+.\" along with this program; if not, write to the Free Software
|
|
+.\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
|
|
+.\" USA.
|
|
+.\"
|
|
+.\" Kam Nasim
|
|
+.\" knasim@windriver.com
|
|
+.\"
|
|
+.TH ldapusersetup 1 "December 16, 2015"
|
|
+
|
|
+.SH NAME
|
|
+ldapusersetup \- wizard for adding an LDAP user to CGCS.
|
|
+
|
|
+.SH SYNOPSIS
|
|
+.B ldapusersetup
|
|
+
|
|
+.SH DESCRIPTION
|
|
+ldapusersetup interactively walks through the process of creating an LDAP user
|
|
+for access to CGCS services. The user is prompted for:
|
|
+- username
|
|
+- if a sudoEntry needs to be created
|
|
+- if a secondary user group needs to be added
|
|
+- user password expiry and warning configuration
|
|
+Alternatively, the user may provide these parameters as command line actions.
|
|
+Look at the OPTIONS section for more information.
|
|
+
|
|
+To delete the user and all its group associations, simply use ldapdeleteuser(1)
|
|
+
|
|
+.SH OPTIONS
|
|
+.TP
|
|
+.B [-u <username | uid> <field> <value>]
|
|
+The name or uid of the user to modify.
|
|
+The following fields are available as long format options:
|
|
+--sudo : whether to add this user to sudoer list
|
|
+--secondgroup <grp> : the secondary group to add this user to
|
|
+--passmax <value> : the shadowMax value for this user
|
|
+--passwarning <value> : the shadowWarning value for this user"
|
|
+
|
|
+.SH "SEE ALSO"
|
|
+ldapdeleteuser(1), ldapaddgroup(1), ldapaddusertogroup(1), ldapmodifyuser(1), ldapscripts(5).
|
|
+
|
|
+.SH AVAILABILITY
|
|
+The ldapscripts are provided under the GNU General Public License v2 (see COPYING for more details).
|
|
+The latest version of the ldapscripts is available on :
|
|
+.B http://contribs.martymac.org
|
|
+
|
|
+.SH BUGS
|
|
+No bug known.
|