diff -up e-smith-base-5.2.0/root/etc/e-smith/events/actions/group-create-unix.enable-cpu e-smith-base-5.2.0/root/etc/e-smith/events/actions/group-create-unix --- e-smith-base-5.2.0/root/etc/e-smith/events/actions/group-create-unix.enable-cpu 2005-11-20 21:28:05.000000000 -0700 +++ e-smith-base-5.2.0/root/etc/e-smith/events/actions/group-create-unix 2010-11-01 09:34:11.000000000 -0600 @@ -33,6 +33,8 @@ my $conf = esmith::ConfigDB->open_ro my $accounts = esmith::AccountsDB->open or die "Could not open accounts DB"; +my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled'; + my $event = $ARGV [0]; my $groupName = $ARGV [1]; @@ -66,27 +68,50 @@ unless ($gid = $group->prop('Gid')) my $uid = $group->prop('Uid'); my $description = $group->prop('Description') || ''; -# Create the user's unique group first - -system( - "/usr/sbin/groupadd", - "-g", $gid, - $groupName - ) == 0 or die "Failed to create group $groupName.\n"; - -# Now create the dummy user account - -system( - "/usr/sbin/useradd", - "-u", $uid, - "-g", $gid, - "-c", $description, - "-d", - "/home/e-smith", - "-s", - "/bin/false", - "$groupName" - ) == 0 or die "Failed to create user $groupName.\n"; +if ($ldapauth eq 'enabled') +{ + # Create the user's unique group first + system( + "/usr/sbin/cpu", "groupadd", + "-g", $gid, + $groupName + ) == 0 or die "Failed to create group $groupName.\n"; + + # Now create the dummy user account + system( + "/usr/sbin/cpu", "-C/etc/cpu-system.conf", "useradd", + "-u", $uid, + "-g", $gid, + "-c", $description, + "-d", + "/home/e-smith", + "-s", + "/bin/false", + "$groupName" + ) == 0 or die "Failed to create user $groupName.\n"; +} +else +{ + # Create the user's unique group first + system( + "/usr/sbin/groupadd", + "-g", $gid, + $groupName + ) == 0 or die "Failed to create group $groupName.\n"; + + # Now create the dummy user account + system( + "/usr/sbin/useradd", + "-u", $uid, + "-g", $gid, + "-c", $description, + "-d", + "/home/e-smith", + "-s", + "/bin/false", + "$groupName" + ) == 0 or die "Failed to create user $groupName.\n"; +} # Release lock if we have one $lock && esmith::lockfile::UnlockFile($lock); @@ -122,12 +147,27 @@ foreach $member (@groupMembers) my @groupList = split (/\s+/, $groups); @groupList = grep (!/^$member$/, @groupList); + + # root user/group isn't in ldap + if ($ldapauth eq 'enabled') + { + @groupList = grep (!/^root$/, @groupList); + } + push @groupList, $groupName; $groups = join (',', sort (@groupList)); - system("/usr/sbin/usermod", "-G", "$groups", "$member") == 0 - or die "Failed to modify supplementary group list for $member.\n"; + if ($ldapauth eq 'enabled') + { + system("/usr/sbin/cpu", "-C/etc/cpu-system.conf", "usermod", "-G", "$groups", "$member") == 0 + or die "Failed to modify supplementary group list for $member.\n"; + } + else + { + system("/usr/sbin/usermod", "-G", "$groups", "$member") == 0 + or die "Failed to modify supplementary group list for $member.\n"; + } } exit (0); diff -up e-smith-base-5.2.0/root/etc/e-smith/events/actions/group-delete-unix.enable-cpu e-smith-base-5.2.0/root/etc/e-smith/events/actions/group-delete-unix --- e-smith-base-5.2.0/root/etc/e-smith/events/actions/group-delete-unix.enable-cpu 2005-11-20 21:28:05.000000000 -0700 +++ e-smith-base-5.2.0/root/etc/e-smith/events/actions/group-delete-unix 2010-11-01 08:49:37.000000000 -0600 @@ -25,14 +25,31 @@ package esmith; use strict; use Errno; +use esmith::ConfigDB; + +my $conf = esmith::ConfigDB->open_ro + or die "Could not open Config DB"; + +my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled'; my $event = $ARGV [0]; my $groupName = $ARGV [1] or die "Groupname argument missing."; -system("/usr/sbin/userdel", "$groupName") == 0 - or die "Failed to delete dummy user for group $groupName.\n"; +if ($ldapauth eq 'enabled') +{ + system("/usr/sbin/cpu", "-C/etc/cpu-system.conf", "userdel", "$groupName") == 0 + or die "Failed to delete dummy user for group $groupName.\n"; + + system("/usr/sbin/cpu", "groupdel", "$groupName") == 0 + or die "Failed to delete group $groupName.\n"; +} +else +{ + system("/usr/sbin/userdel", "$groupName") == 0 + or die "Failed to delete dummy user for group $groupName.\n"; -system("/usr/sbin/groupdel", "$groupName") == 0 - or die "Failed to delete group $groupName.\n"; + system("/usr/sbin/groupdel", "$groupName") == 0 + or die "Failed to delete group $groupName.\n"; +} exit (0); diff -up e-smith-base-5.2.0/root/etc/e-smith/events/actions/group-modify-unix.enable-cpu e-smith-base-5.2.0/root/etc/e-smith/events/actions/group-modify-unix --- e-smith-base-5.2.0/root/etc/e-smith/events/actions/group-modify-unix.enable-cpu 2010-11-01 08:45:10.000000000 -0600 +++ e-smith-base-5.2.0/root/etc/e-smith/events/actions/group-modify-unix 2010-11-01 08:54:28.000000000 -0600 @@ -31,6 +31,8 @@ use esmith::AccountsDB; my $c = esmith::ConfigDB->open_ro || die "Couldn't open config db\n"; my $a = esmith::AccountsDB->open_ro || die "Couldn't open accounts db\n"; +my $ldapauth = $c->get('ldap')->prop('Authentication') || 'disabled'; + my $event = shift || die "Event name arg missing\n";; my @groups; @@ -64,8 +66,16 @@ foreach my $group (@groups) my $groupDesc = $properties{'Description'} if (defined $properties{'Description'}); - system("/usr/sbin/usermod", "-c", "$groupDesc", "$groupName") == 0 - or die "Failed to modify group description for $groupName.\n"; + if ($ldapauth eq 'enabled') + { + system("/usr/sbin/cpu", "-C/etc/cpu-system.conf", "usermod", "-c", "$groupDesc", "$groupName") == 0 + or die "Failed to modify group description for $groupName.\n"; + } + else + { + system("/usr/sbin/usermod", "-c", "$groupDesc", "$groupName") == 0 + or die "Failed to modify group description for $groupName.\n"; + } my ($name, $passwd, $gid, $members) = getgrnam ($groupName); my @oldMembers = split (/\s+/, $members); @@ -111,6 +121,12 @@ foreach my $group (@groups) my @groupList = split (/\s+/, $groups); @groupList = grep (!/^$member$/, @groupList); + # root user/group isn't in ldap + if ($ldapauth eq 'enabled') + { + @groupList = grep (!/^root$/, @groupList); + } + if ($oldMembers{$member}) { @groupList = grep (!/^$groupName$/, @groupList); @@ -121,8 +137,16 @@ foreach my $group (@groups) } $groups = join (',', sort (@groupList)); - system("/usr/sbin/usermod", "-G", "$groups", "$member") == 0 - or die "Failed to modify supplementary group list for $member.\n"; + if ($ldapauth eq 'enabled') + { + system("/usr/sbin/cpu", "-C/etc/cpu-system.conf", "usermod", "-G", "$groups", "$member") == 0 + or die "Failed to modify supplementary group list for $member.\n"; + } + else + { + system("/usr/sbin/usermod", "-G", "$groups", "$member") == 0 + or die "Failed to modify supplementary group list for $member.\n"; + } } } diff -up e-smith-base-5.2.0/root/etc/e-smith/events/actions/init-accounts.enable-cpu e-smith-base-5.2.0/root/etc/e-smith/events/actions/init-accounts --- e-smith-base-5.2.0/root/etc/e-smith/events/actions/init-accounts.enable-cpu 2005-11-20 21:28:05.000000000 -0700 +++ e-smith-base-5.2.0/root/etc/e-smith/events/actions/init-accounts 2010-11-01 09:58:36.000000000 -0600 @@ -25,9 +25,22 @@ package esmith; use strict; use Errno; use esmith::util; +use esmith::ConfigDB; + +my $conf = esmith::ConfigDB->open_ro + or die "Could not open Config DB"; + +my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled'; # create group "shared" if not already present -system(qw(/usr/sbin/groupadd -r shared)) unless getgrnam("shared"); +if ($ldapauth eq 'enabled') +{ + system(qw(/usr/sbin/cpu groupadd shared)) unless getgrnam("shared"); +} +else +{ + system(qw(/usr/sbin/groupadd -r shared)) unless getgrnam("shared"); +} # Create other required groups and users system(qw(/usr/sbin/groupadd -g 21 -r -f slocate)) @@ -39,7 +52,15 @@ system(qw(/usr/sbin/useradd -u 38 -s /sb # create user "admin" if not already present; if ( !getpwnam("admin") ) { - `/usr/sbin/useradd -c 'e-smith administrator' -d /home/e-smith -G root,shared -M -s /sbin/e-smith/console admin`; + if ($ldapauth eq 'enabled') + { + `/usr/sbin/cpu useradd -c 'e-smith administrator' -d /home/e-smith -G shared -M -s /sbin/e-smith/console admin`; + `/usr/sbin/gpasswd -a admin root`; + } + else + { + `/usr/sbin/useradd -c 'e-smith administrator' -d /home/e-smith -G root,shared -M -s /sbin/e-smith/console admin`; + } } else { @@ -70,27 +91,37 @@ else @groupList = grep (!/^shared$/, @groupList); @groupList = grep (!/^www$/, @groupList); - push @groupList, 'root', 'shared', 'www'; + push @groupList, 'shared', 'www'; + + # Only push root if not using ldap (root not in ldap) + push @groupList, 'root' if ($ldapauth ne 'enabled'); #-------------------------------------------------- # Run usermod command to update group list for admin. #-------------------------------------------------- $groups = join (',', sort (@groupList)); - $cmd = "/usr/sbin/usermod -c 'e-smith administrator' -d /home/e-smith -G '$groups' -s /sbin/e-smith/console admin"; + if ($ldapauth eq 'enabled') + { + $cmd = "/usr/sbin/cpu usermod -c 'e-smith administrator' -d /home/e-smith -G '$groups' -s /sbin/e-smith/console admin"; + } + else + { + $cmd = "/usr/sbin/usermod -c 'e-smith administrator' -d /home/e-smith -G '$groups' -s /sbin/e-smith/console admin"; + } `$cmd`; if ($? != 0) { die "Failed to change shell and modify supplementary group list for admin.\n"; } + `/usr/sbin/gpasswd -a admin root` if ($ldapauth eq 'enabled'); } #-------------------------------------------------- # create user "public" if not already present #-------------------------------------------------- -`/bin/grep '^public:' /etc/passwd`; -if ($? != 0) +if ( !getpwnam("public") ) { `/usr/sbin/useradd -c 'e-smith guest' -d /home/e-smith -G shared -M -s /bin/false public`; } @@ -100,10 +131,16 @@ if ($? != 0) # "e-smith private web server" (used to just say "e-smith web server") #-------------------------------------------------- -`/bin/grep '^www:' /etc/passwd`; -if ($? != 0) +if ( !getpwnam("www") ) { - `/usr/sbin/useradd -c 'e-smith web server' -d /home/e-smith -G shared -M -s /bin/false www`; + if ($ldapauth eq 'enabled') + { + `/usr/sbin/cpu useradd -c 'e-smith web server' -d /home/e-smith -G shared -M -s /bin/false www`; + } + else + { + `/usr/sbin/useradd -c 'e-smith web server' -d /home/e-smith -G shared -M -s /bin/false www`; + } } else { @@ -137,7 +174,14 @@ else #-------------------------------------------------- $groups = join (',', sort (@groupList)); - `/usr/sbin/usermod -c 'e-smith web server' -d /home/e-smith -G '$groups' -s /bin/false www`; + if ($ldapauth eq 'enabled') + { + `/usr/sbin/cpu usermod -c 'e-smith web server' -d /home/e-smith -G '$groups' -s /bin/false www`; + } + else + { + `/usr/sbin/usermod -c 'e-smith web server' -d /home/e-smith -G '$groups' -s /bin/false www`; + } if ($? != 0) { die "Failed to modify supplementary group list for www.\n"; diff -up e-smith-base-5.2.0/root/etc/e-smith/events/actions/user-create-unix.enable-cpu e-smith-base-5.2.0/root/etc/e-smith/events/actions/user-create-unix --- e-smith-base-5.2.0/root/etc/e-smith/events/actions/user-create-unix.enable-cpu 2005-11-20 21:28:05.000000000 -0700 +++ e-smith-base-5.2.0/root/etc/e-smith/events/actions/user-create-unix 2010-11-01 09:44:52.000000000 -0600 @@ -31,6 +31,8 @@ use esmith::AccountsDB; my $conf = esmith::ConfigDB->open_ro; my $accounts = esmith::AccountsDB->open; +my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled'; + my $event = $ARGV [0]; my $userName = $ARGV [1]; @@ -61,29 +63,58 @@ my $first = $acct->prop('FirstName') || my $last = $acct->prop('LastName') || ''; my $shell = $acct->prop('Shell') || '/usr/bin/rssh'; -# Create the user's unique group first -system( - "/usr/sbin/groupadd", - "-g", - $gid, - $userName - ) == 0 or die "Failed to create group $userName.\n"; - -# Now create the user account - -system( - "/usr/sbin/useradd", - "-u", $uid, - "-g", $uid, - "-c", "$first $last", - "-d", "/home/e-smith/files/users/$userName", - "-G", "shared", - "-m", - "-k", "/etc/e-smith/skel/user", - "-s", "$shell", - $userName - ) == 0 or die "Failed to create account $userName.\n"; +if ($ldapauth eq 'enabled') +{ + # Create the user's unique group first + system( + "/usr/sbin/cpu", "-C/etc/cpu-system.conf", "groupadd", + "-g", + $gid, + $userName + ) == 0 or die "Failed to create group $userName.\n"; + + # Now create the user account + system( + "/usr/sbin/cpu", "useradd", + "-u", $uid, + "-g", $uid, + "-c", "$first $last", + "-f", "$first", + "-E", "$last", + "-d", "/home/e-smith/files/users/$userName", + "-G", "shared", + "-m", + "-k/etc/e-smith/skel/user", + "-s", "$shell", + $userName + ) == 0 or die "Failed to create account $userName.\n"; +} +else +{ + # Create the user's unique group first + system( + "/usr/sbin/groupadd", + "-g", + $gid, + $userName + ) == 0 or die "Failed to create group $userName.\n"; + + # Now create the user account + system( + "/usr/sbin/useradd", + "-u", $uid, + "-g", $uid, + "-c", "$first $last", + "-d", "/home/e-smith/files/users/$userName", + "-G", "shared", + "-m", + "-k", "/etc/e-smith/skel/user", + "-s", "$shell", + $userName + ) == 0 or die "Failed to create account $userName.\n"; +} + # Release lock if we have one $lock && esmith::lockfile::UnlockFile($lock); @@ -92,8 +123,16 @@ $lock && esmith::lockfile::UnlockFile($l chmod 0700, "/home/e-smith/files/users/$userName"; -system("/usr/bin/passwd", "-l", "$userName") - and warn("Could not lock password for $userName\n"); +if ($ldapauth eq 'enabled') +{ + system("/usr/sbin/cpu", "usermod", "-L", "$userName") + and warn("Could not lock password for $userName\n"); +} +else +{ + system("/usr/bin/passwd", "-l", "$userName") + and warn("Could not lock password for $userName\n"); +} system("/usr/bin/smbpasswd", "-a", "-d", "$userName") and warn("Could not lock smb password for $userName\n");; diff -up e-smith-base-5.2.0/root/etc/e-smith/events/actions/user-delete-unix.enable-cpu e-smith-base-5.2.0/root/etc/e-smith/events/actions/user-delete-unix --- e-smith-base-5.2.0/root/etc/e-smith/events/actions/user-delete-unix.enable-cpu 2005-11-20 21:28:05.000000000 -0700 +++ e-smith-base-5.2.0/root/etc/e-smith/events/actions/user-delete-unix 2010-11-01 09:42:24.000000000 -0600 @@ -26,6 +26,12 @@ package esmith; use strict; use Errno; use esmith::util; +use esmith::ConfigDB; + +my $conf = esmith::ConfigDB->open_ro + or die "Could not open Config DB"; + +my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled'; my $event = $ARGV [0]; my $userName = $ARGV [1]; @@ -36,12 +42,23 @@ my $userName = $ARGV [1]; die "Username argument missing." unless defined ($userName); -esmith::util::cancelUserPassword ($userName); +if ($ldapauth eq 'enabled') +{ + system("/usr/sbin/cpu", "userdel", "-r", $userName) == 0 + or die "Failed to delete account $userName.\n"; -my $discard = `/usr/sbin/userdel -r '$userName'`; -if ($? != 0) + system("/usr/sbin/cpu", "-C/etc/cpu-system.conf", "groupdel", $userName) == 0 + or die "Failed to delete group account $userName.\n"; +} +else { - die "Failed to delete account $userName.\n"; + esmith::util::cancelUserPassword ($userName); + + my $discard = `/usr/sbin/userdel -r '$userName'`; + if ($? != 0) + { + die "Failed to delete account $userName.\n"; + } } exit (0); diff -up e-smith-base-5.2.0/root/etc/e-smith/events/actions/user-lock-passwd.enable-cpu e-smith-base-5.2.0/root/etc/e-smith/events/actions/user-lock-passwd --- e-smith-base-5.2.0/root/etc/e-smith/events/actions/user-lock-passwd.enable-cpu 2007-01-19 14:33:22.000000000 -0700 +++ e-smith-base-5.2.0/root/etc/e-smith/events/actions/user-lock-passwd 2010-11-01 09:30:06.000000000 -0600 @@ -24,12 +24,13 @@ use strict; use Errno; use esmith::AccountsDB; use esmith::ConfigDB; -use IO::File; use English; my $a = esmith::AccountsDB->open or die "Could not open accounts db"; my $conf = esmith::ConfigDB->open or die "Could not open configuration db"; +my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled'; + my $event = $ARGV [0]; my @users_to_lock = bad_password_users(); @@ -52,8 +53,16 @@ sub lock_user my $u = $a->get($userName) or die "No account record for user $userName"; - system("/usr/bin/passwd", "-l", $userName) == 0 - or die "Error running /usr/bin/passwd command to lock account $userName"; + if ($ldapauth eq 'enabled') + { + system("/usr/sbin/cpu", "usermod", "-L", $userName) == 0 + or die "Error running /usr/sbin/cpu usermod -L command to lock account $userName"; + } + else + { + system("/usr/bin/passwd", "-l", $userName) == 0 + or die "Error running /usr/bin/passwd command to lock account $userName"; + } system("/usr/bin/smbpasswd", "-d", $userName) == 0 or die "Error running /usr/bin/smbpasswd command to lock account $userName"; $u->set_prop('PasswordSet', 'no'); @@ -66,13 +75,13 @@ sub lock_user sub bad_password_users { - my $smbpasswd = IO::File->new("/etc/samba/smbpasswd", '<') - or die "Can't open smbpasswd: $OS_ERROR\n"; + my @smbpasswd = `/usr/bin/pdbedit -wL` + or die "Error listing smb passwords\n"; my @users; SMBPASSWD: - while (my $smb_entry = <$smbpasswd>) + foreach my $smb_entry (@smbpasswd) { my ($user, $uid, $lanman_hash, $nt_hash, @rest) = split /:/, $smb_entry; @@ -86,6 +95,5 @@ } } - $smbpasswd->close; return @users; } diff -up e-smith-base-5.2.0/root/etc/e-smith/events/actions/user-modify-unix.enable-cpu e-smith-base-5.2.0/root/etc/e-smith/events/actions/user-modify-unix --- e-smith-base-5.2.0/root/etc/e-smith/events/actions/user-modify-unix.enable-cpu 2006-03-14 09:20:43.000000000 -0700 +++ e-smith-base-5.2.0/root/etc/e-smith/events/actions/user-modify-unix 2010-11-01 09:36:20.000000000 -0600 @@ -21,6 +21,11 @@ package esmith; use strict; use Errno; use esmith::AccountsDB; +use esmith::ConfigDB; + +my $conf = esmith::ConfigDB->open or die "Could not open configuration db"; + +my $ldapauth = $conf->get('ldap')->prop('Authentication') || 'disabled'; my $event = $ARGV [0]; my $userName = $ARGV [1]; @@ -51,6 +56,29 @@ foreach my $u (@users) die "Account $userName is not a user account; modify user failed.\n" unless ( ($userName eq 'admin') or ($type eq 'user') ); + # cpu usermod called without "-G list,of,supplementary,groups" causes user + # to be removed from all it's supplementary groups. Thus, to be able to call + # cpu usermod properly we need to know user supplementary groups. + + my $cmd = "/usr/bin/id -G -n '$userName'"; + my $groups = `$cmd 2>/dev/null`; + if ($? != 0) + { + die "Failed to get supplementary group list for $userName.\n"; + } + chomp ($groups); + + my @groupList = split (/\s+/, $groups); + @groupList = grep (!/^$userName$/, @groupList); + + # root user/group isn't in ldap + if ($ldapauth eq 'enabled') + { + @groupList = grep (!/^root$/, @groupList); + } + + $groups = join (',', sort (@groupList)); + setpwent; my ($comment, $shell) = (getpwnam($userName))[5,8]; endpwent; @@ -64,8 +92,16 @@ foreach my $u (@users) #------------------------------------------------------------ unless ($shell eq $new_shell) { - system("/usr/sbin/usermod", '-s', "$new_shell", $userName) == 0 - or die "Failed to modify shell of account $userName.\n"; + if ($ldapauth eq 'enabled') + { + system("/usr/sbin/cpu", "usermod", '-s', "$new_shell", "-G", "$groups", $userName) == 0 + or die "Failed to modify shell of account $userName.\n"; + } + else + { + system("/usr/sbin/usermod", '-s', "$new_shell", $userName) == 0 + or die "Failed to modify shell of account $userName.\n"; + } } #------------------------------------------------------------ @@ -78,8 +114,16 @@ foreach my $u (@users) unless ($comment eq $new_comment) { - system("/usr/sbin/usermod", "-c", "$first $last", $userName) == 0 - or die "Failed to modify comment of account $userName.\n"; + if ($ldapauth eq 'enabled') + { + system("/usr/sbin/cpu", "usermod", "-c", "$first $last", "-G", "$groups", $userName) == 0 + or die "Failed to modify comment of account $userName.\n"; + } + else + { + system("/usr/sbin/usermod", "-c", "$first $last", $userName) == 0 + or die "Failed to modify comment of account $userName.\n"; + } } }