1 |
diff -Nur e-smith-ldap-5.6.0.old/createlinks e-smith-ldap-5.6.0/createlinks |
2 |
--- e-smith-ldap-5.6.0.old/createlinks 2016-02-05 11:04:35.000000000 -0500 |
3 |
+++ e-smith-ldap-5.6.0/createlinks 2020-12-11 22:14:09.069000000 -0500 |
4 |
@@ -11,9 +11,19 @@ |
5 |
bootstrap-console-save |
6 |
console-save |
7 |
ldap-update |
8 |
+ e-smith-ldap-update |
9 |
)); |
10 |
} |
11 |
|
12 |
+templates2events("/etc/sysconfig/slapd", |
13 |
+ qw( |
14 |
+ bootstrap-console-save |
15 |
+ console-save |
16 |
+ ldap-update |
17 |
+ e-smith-ldap-update |
18 |
+ )); |
19 |
+ |
20 |
+ |
21 |
event_link("ldap-update-simple", "group-create", "95"); |
22 |
event_link("ldap-update-simple", "group-modify", "95"); |
23 |
event_link("ldap-delete", "group-delete", "55"); |
24 |
@@ -42,18 +52,21 @@ |
25 |
templates2events("/etc/hosts.allow", "ldap-update"); |
26 |
safe_symlink("restart", "root/etc/e-smith/events/ldap-update/services2adjust/ldap"); |
27 |
safe_symlink("reload", "root/etc/e-smith/events/ssl-update/services2adjust/ldap"); |
28 |
-safe_symlink("adjust", "root/etc/e-smith/events/ldap-update/services2adjust/masq"); |
29 |
-safe_symlink("sigusr1", "root/etc/e-smith/events/ldap-update/services2adjust/httpd-e-smith"); |
30 |
+safe_symlink("reload", "root/etc/e-smith/events/ldap-update/services2adjust/masq"); |
31 |
+safe_symlink("reload", "root/etc/e-smith/events/ldap-update/services2adjust/httpd-e-smith"); |
32 |
|
33 |
event_link("ldap-delete-dumps", "pre-restore", "25"); |
34 |
|
35 |
event_link("set-ldap-bootstrap", "bootstrap-console-save", "95"); |
36 |
event_link("reset-ldap-bootstrap", "bootstrap-ldap-save", "95"); |
37 |
|
38 |
-safe_symlink("/usr/bin/sv", "root/etc/rc.d/init.d/ldap"); |
39 |
-service_link_enhanced("ldap", "S48", "7"); |
40 |
-service_link_enhanced("ldap.init", "S49", "7"); |
41 |
-service_link_enhanced("ldap", "K10", "6"); |
42 |
-service_link_enhanced("ldap", "K10", "0"); |
43 |
+ |
44 |
+my $event="e-smith-ldap-update"; |
45 |
+ |
46 |
+# systemd-specific action mandatory for this package-update event |
47 |
+event_link("systemd-reload", $event, "89"); |
48 |
+event_link("systemd-default", $event, "88"); |
49 |
+safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/ldap"); |
50 |
+event_link("ldap-update", $event , "80"); |
51 |
|
52 |
exit 0; |
53 |
diff -Nur e-smith-ldap-5.6.0.old/root/etc/e-smith/templates/etc/openldap/slapd.conf/12tls e-smith-ldap-5.6.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/12tls |
54 |
--- e-smith-ldap-5.6.0.old/root/etc/e-smith/templates/etc/openldap/slapd.conf/12tls 2020-12-11 16:55:21.406000000 -0500 |
55 |
+++ e-smith-ldap-5.6.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/12tls 2020-12-11 21:29:21.667000000 -0500 |
56 |
@@ -11,8 +11,8 @@ |
57 |
$OUT = " 3.3"; |
58 |
} |
59 |
} |
60 |
-TLSCACertificateFile /var/service/ldap/ssl/slapd.pem |
61 |
-TLSCertificateFile /var/service/ldap/ssl/slapd.pem |
62 |
-TLSCertificateKeyFile /var/service/ldap/ssl/slapd.pem |
63 |
+TLSCACertificateFile /etc/openldap/ssl/slapd.pem |
64 |
+TLSCertificateFile /etc/openldap//ssl/slapd.pem |
65 |
+TLSCertificateKeyFile /etc/openldap/ssl/slapd.pem |
66 |
TLSVerifyClient never |
67 |
|
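Review bot: The new `TLSCertificateFile` path is written `/etc/openldap//ssl/slapd.pem` with a doubled slash; it resolves to the same file but differs from the two lines around it and should read `TLSCertificateFile /etc/openldap/ssl/slapd.pem`. Nothing visible in this patch creates `/etc/openldap/ssl`, which `ldap-certificate` copies into before slapd starts, so the package should ship that directory. It presumably should be owned `root:ldap` and not world-readable, since the same PEM is also used as `TLSCertificateKeyFile`. The template block these lines belong to starts above the hunk.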
68 |
diff -Nur e-smith-ldap-5.6.0.old/root/etc/e-smith/templates/etc/sysconfig/slapd/05head e-smith-ldap-5.6.0/root/etc/e-smith/templates/etc/sysconfig/slapd/05head |
69 |
--- e-smith-ldap-5.6.0.old/root/etc/e-smith/templates/etc/sysconfig/slapd/05head 1969-12-31 19:00:00.000000000 -0500 |
70 |
+++ e-smith-ldap-5.6.0/root/etc/e-smith/templates/etc/sysconfig/slapd/05head 2020-12-11 22:02:00.774000000 -0500 |
71 |
@@ -0,0 +1,3 @@ |
72 |
+# OpenLDAP server configuration |
73 |
+# see 'man slapd' for additional information |
74 |
+ |
75 |
diff -Nur e-smith-ldap-5.6.0.old/root/etc/e-smith/templates/etc/sysconfig/slapd/20SLAPD_URLS e-smith-ldap-5.6.0/root/etc/e-smith/templates/etc/sysconfig/slapd/20SLAPD_URLS |
76 |
--- e-smith-ldap-5.6.0.old/root/etc/e-smith/templates/etc/sysconfig/slapd/20SLAPD_URLS 1969-12-31 19:00:00.000000000 -0500 |
77 |
+++ e-smith-ldap-5.6.0/root/etc/e-smith/templates/etc/sysconfig/slapd/20SLAPD_URLS 2020-12-11 22:03:09.117000000 -0500 |
78 |
@@ -0,0 +1,8 @@ |
79 |
+ |
80 |
+# Where the server will run (-h option) |
81 |
+# - ldapi:/// is required for on-the-fly configuration using client tools |
82 |
+# (use SASL with EXTERNAL mechanism for authentication) |
83 |
+# - default: ldapi:/// ldap:/// |
84 |
+# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:/// |
85 |
+SLAPD_URLS="ldap:/// ldaps:/// ldapi:///" |
86 |
+ |
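Review bot: The comment block still describes the stock default (`ldapi:/// ldap:///`), while the value set here adds `ldaps:///` and keeps `ldap:///` listening unencrypted on every address. A line such as `# ldap:/// accepts cleartext connections on all IPv4 addresses; client access must be restricted elsewhere (e.g. hosts.allow, slapd.conf)` would make that exposure explicit. The same string is repeated in the `Environment=` line of `ldap.service`, so the comment should also say which of the two takes effect.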
87 |
diff -Nur e-smith-ldap-5.6.0.old/root/etc/e-smith/templates/etc/sysconfig/slapd/40OPTIONS e-smith-ldap-5.6.0/root/etc/e-smith/templates/etc/sysconfig/slapd/40OPTIONS |
88 |
--- e-smith-ldap-5.6.0.old/root/etc/e-smith/templates/etc/sysconfig/slapd/40OPTIONS 1969-12-31 19:00:00.000000000 -0500 |
89 |
+++ e-smith-ldap-5.6.0/root/etc/e-smith/templates/etc/sysconfig/slapd/40OPTIONS 2020-12-11 22:05:21.507000000 -0500 |
90 |
@@ -0,0 +1,4 @@ |
91 |
+ |
92 |
+# Any custom options |
93 |
+SLAPD_OPTIONS=" -4 -d { $ldap{LogLevel} || 256 } -s 0 " |
94 |
+ |
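Review bot: `$ldap{LogLevel}` is interpolated into `SLAPD_OPTIONS` without validation, and `ldap.service` expands `$SLAPD_OPTIONS` unbraced in `ExecStart=`, which systemd splits on whitespace, so a value containing a space becomes extra slapd arguments. Constrain it in the template, e.g. `{ ($ldap{LogLevel} || '') =~ /\A([\w,]+)\z/ ? $1 : 256 }`, which keeps the 256 fallback for empty or zero values.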
95 |
diff -Nur e-smith-ldap-5.6.0.old/root/etc/e-smith/templates/etc/sysconfig/slapd/60KRB5 e-smith-ldap-5.6.0/root/etc/e-smith/templates/etc/sysconfig/slapd/60KRB5 |
96 |
--- e-smith-ldap-5.6.0.old/root/etc/e-smith/templates/etc/sysconfig/slapd/60KRB5 1969-12-31 19:00:00.000000000 -0500 |
97 |
+++ e-smith-ldap-5.6.0/root/etc/e-smith/templates/etc/sysconfig/slapd/60KRB5 2020-12-11 22:03:57.926000000 -0500 |
98 |
@@ -0,0 +1,4 @@ |
99 |
+ |
100 |
+# Keytab location for GSSAPI Kerberos authentication |
101 |
+#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab" |
102 |
+ |
103 |
diff -Nur e-smith-ldap-5.6.0.old/root/sbin/e-smith/ldif-fix e-smith-ldap-5.6.0/root/sbin/e-smith/ldif-fix |
104 |
--- e-smith-ldap-5.6.0.old/root/sbin/e-smith/ldif-fix 1969-12-31 19:00:00.000000000 -0500 |
105 |
+++ e-smith-ldap-5.6.0/root/sbin/e-smith/ldif-fix 2020-12-11 21:59:11.686000000 -0500 |
106 |
@@ -0,0 +1,415 @@ |
107 |
+#!/usr/bin/perl -T |
108 |
+ |
109 |
+use strict; |
110 |
+use warnings; |
111 |
+use Net::LDAP; |
112 |
+use Net::LDAP::LDIF; |
113 |
+use Date::Parse; |
114 |
+use esmith::ConfigDB; |
115 |
+use esmith::AccountsDB; |
116 |
+use esmith::util; |
117 |
+use Getopt::Long qw(:config bundling); |
118 |
+ |
119 |
+$ENV{'PATH'} = '/bin:/usr/bin:/sbin:/usr/sbin'; |
120 |
+$ENV{'LANG'} = 'C'; |
121 |
+$ENV{'TZ'} = ''; |
122 |
+ |
123 |
+sub dnsort { |
124 |
+ my %type = ( add => 1, modrdn => 2, moddn => 2, modify => 3, delete => 4); |
125 |
+ my %attr = ( dc => 1, ou => 2, cn => 3, uid => 4); |
126 |
+ |
127 |
+ my ($oa) = ($a->get_value('newrdn') || $a->dn) =~ /^([^=]+)=/; |
128 |
+ my ($ob) = ($b->get_value('newrdn') || $b->dn) =~ /^([^=]+)=/; |
129 |
+ my ($ua, $ub) = map { my $tu = $_->get_value('uidnumber'); defined $tu && $tu ne '' ? $tu : -1 } ($a, $b); |
130 |
+ my ($ga, $gb) = map { my $tg = $_->get_value('gidnumber'); defined $tg && $tg ne '' ? $tg : -1 } ($a, $b); |
131 |
+ |
132 |
+ ($attr{$oa} || 9) <=> ($attr{$ob} || 9) || ($type{$a->changetype} || 9) <=> ($type{$b->changetype} || 9) || |
133 |
+ $ua <=> $ub || $ga <=> $gb || ($a->get_value('newrdn') || $a->dn) cmp ($b->get_value('newrdn') || $b->dn); |
134 |
+} |
135 |
+ |
136 |
+my $c = esmith::ConfigDB->open_ro; |
137 |
+my $a = esmith::AccountsDB->open_ro; |
138 |
+ |
139 |
+my $auth = $c->get('ldap')->prop('Authentication') || 'disabled'; |
140 |
+my $schema = '/etc/openldap/schema/samba.schema'; |
141 |
+ |
142 |
+my $domain = $c->get('DomainName')->value; |
143 |
+my $basedn = esmith::util::ldapBase($domain); |
144 |
+ |
145 |
+my $userou = 'ou=Users'; |
146 |
+my $groupou = 'ou=Groups'; |
147 |
+my $compou = 'ou=Computers'; |
148 |
+ |
149 |
+my ($dc) = split /\./, $domain; |
150 |
+my $company = $c->get_prop('ldap', 'defaultCompany') || $domain; |
151 |
+ |
152 |
+my %opt; |
153 |
+GetOptions ( \%opt, "diff|d", "update|u", "input|i=s", "output|o=s" ); |
154 |
+$opt{input} = '/usr/sbin/slapcat -c 2> /dev/null|' unless $opt{input} && ($opt{input} eq '-' || -f "$opt{input}" || -c "$opt{input}"); |
155 |
+$opt{diff} = 1 if $opt{update}; |
156 |
+if ( $opt{output} && $opt{output} =~ m{^([-\w/.]+)$}) { |
157 |
+ $opt{output} = $1; |
158 |
+} else { |
159 |
+ $opt{output} = '-'; |
160 |
+} |
161 |
+ |
162 |
+my ($data, $dn); |
163 |
+ |
164 |
+# Top object (base) |
165 |
+$data->{$basedn} = { |
166 |
+ objectclass => [qw/organization dcObject top/], |
167 |
+ dc => $dc, |
168 |
+ o => $company, |
169 |
+}; |
170 |
+ |
171 |
+# Top containers for users/groups/computers |
172 |
+foreach (qw/Users Groups Computers/) { |
173 |
+ $data->{"ou=$_,$basedn"} = { |
174 |
+ objectclass => [qw/organizationalUnit top/], |
175 |
+ ou => $_, |
176 |
+ }; |
177 |
+} |
178 |
+ |
179 |
+# Common accounts needed for SME to work properly |
180 |
+$data->{"cn=nobody,$groupou,$basedn"}->{objectclass} = [ qw/posixGroup/ ]; |
181 |
+$data->{"uid=www,$userou,$basedn"}->{objectclass} = [ qw/account/ ]; |
182 |
+$data->{"cn=www,$groupou,$basedn"} = { objectclass => [ qw/posixGroup/ ], memberuid => [ qw/admin/ ] }; |
183 |
+$data->{"cn=shared,$groupou,$basedn"} = { |
184 |
+ objectclass => [ qw/posixGroup mailboxRelatedObject/ ], |
185 |
+ mail => "everyone\@$domain", |
186 |
+ memberuid => [ qw/www/ ] |
187 |
+}; |
188 |
+ |
189 |
+# Read in accounts database information |
190 |
+foreach my $acct ($a->get('admin'), $a->users, $a->groups, $a->ibays, $a->get_all_by_prop(type => 'machine')) { |
191 |
+ my $key = $acct->key; |
192 |
+ my $type = $acct->prop('type'); |
193 |
+ |
194 |
+ next if $key eq 'Primary'; |
195 |
+ |
196 |
+ $dn = "uid=$key,".($type eq 'machine' ? $compou : $userou).",$basedn"; |
197 |
+ if ($type =~ /^(?:user|group|machine|ibay)$/ || $key eq 'admin') { |
198 |
+ if ($type eq 'user' || $key eq 'admin') { |
199 |
+ # Allow removal of obsolete person objectclass and samba attributes |
200 |
+ push @{$data->{$dn}->{_delete}->{objectclass}}, 'person'; |
201 |
+ |
202 |
+ |
203 |
+ push @{$data->{$dn}->{objectclass}}, 'inetOrgPerson'; |
204 |
+ $data->{$dn}->{mail} = "$key\@$domain"; |
205 |
+ @{$data->{$dn}}{qw/givenname sn telephonenumber o ou l street/} = |
206 |
+ map { $acct->prop($_) || [] } qw/FirstName LastName Phone Company Dept City Street/; |
207 |
+ $data->{$dn}->{cn} = $acct->prop('FirstName').' '.$acct->prop('LastName'); |
208 |
+ } |
209 |
+ else { |
210 |
+ push @{$data->{$dn}->{objectclass}}, 'account'; |
211 |
+ } |
212 |
+ |
213 |
+ # users/ibays need to be a member of shared |
214 |
+ push @{$data->{"cn=shared,$groupou,$basedn"}->{memberuid}}, $key if $type =~ /^(user|ibay)$/ || $key eq 'admin'; |
215 |
+ |
216 |
+ if ($auth ne 'enabled') { |
217 |
+ # Allow removal of shadow properties |
218 |
+ push @{$data->{$dn}->{_delete}->{objectclass}}, 'shadowAccount'; |
219 |
+ $data->{$dn}->{_delete}->{lc($_)} = 1 foreach qw/userPassword shadowLastChange shadowMin shadowMax |
220 |
+ shadowWarning shadowInactive shadowExpire shadowFlag/; |
221 |
+ |
222 |
+ if ( -f "$schema" ) { |
223 |
+ # If we will be adding samba properties then allow removal |
224 |
+ push @{$data->{$dn}->{_delete}->{objectclass}}, 'sambaSamAccount'; |
225 |
+ $data->{$dn}->{_delete}->{lc($_)} = 1 foreach qw/displayName sambaAcctFlags sambaLMPassword sambaNTPassword |
226 |
+ sambaNTPassword sambaPrimaryGroupSID sambaPwdLastSet sambaSID/; |
227 |
+ } |
228 |
+ } |
229 |
+ } |
230 |
+ |
231 |
+ $dn = "cn=$key,$groupou,$basedn"; |
232 |
+ push @{$data->{$dn}->{objectclass}}, 'posixGroup'; |
233 |
+ if ($type eq 'group') { |
234 |
+ # Allways replace memberuid with new set |
235 |
+ $data->{$dn}->{_delete}->{memberuid} = 1; |
236 |
+ |
237 |
+ push @{$data->{$dn}->{objectclass}}, 'mailboxRelatedObject'; |
238 |
+ |
239 |
+ $data->{$dn}->{mail} = "$key\@$domain"; |
240 |
+ $data->{$dn}->{description} = $acct->prop('Description') || []; |
241 |
+ push @{$data->{$dn}->{memberuid}}, split /,/, ($acct->prop('Members') || ''); |
242 |
+ |
243 |
+ # www needs to be a memeber of every group |
244 |
+ push @{$data->{$dn}->{memberuid}}, 'www'; |
245 |
+ |
246 |
+ if ($auth ne 'enabled' && -f "$schema" ) { |
247 |
+ # If we will be adding samba properties then allow removal |
248 |
+ push @{$data->{$dn}->{_delete}->{objectclass}}, 'sambaGroupMapping'; |
249 |
+ $data->{$dn}->{_delete}->{lc($_)} = 1 foreach qw/displayName sambaGroupType sambaSID/; |
250 |
+ } |
251 |
+ } |
252 |
+ elsif ($type eq 'ibay') { |
253 |
+ $dn = "cn=".$acct->prop('Group').",$groupou,$basedn"; |
254 |
+ push @{$data->{$dn}->{memberuid}}, $acct->key; |
255 |
+ } |
256 |
+} |
257 |
+ |
258 |
+if ($auth ne 'enabled') { |
259 |
+ # Read in information from unix (passwd) system |
260 |
+ open PASSWD, '/etc/passwd'; |
261 |
+ while (<PASSWD>) { |
262 |
+ chomp; |
263 |
+ my @passwd = split /:/, $_; |
264 |
+ next unless scalar @passwd == 7; |
265 |
+ |
266 |
+ $dn = "uid=$passwd[0],".($passwd[0] =~ /\$$/ ? $compou : $userou).",$basedn"; |
267 |
+ next unless exists $data->{$dn}; |
268 |
+ |
269 |
+ push @{$data->{$dn}->{objectclass}}, 'posixAccount'; |
270 |
+ @{$data->{$dn}}{qw/cn uid uidnumber gidnumber homedirectory loginshell/} = |
271 |
+ map { $passwd[$_] ? $passwd[$_] : [] } (4,0,2,3,5,6); |
272 |
+ } |
273 |
+ close (PASSWD); |
274 |
+ |
275 |
+ # Shadow file defaults (pulled from cpu.conf) |
276 |
+ my %shadow_def = ( 1 => [], 2 => 11192, 3 => -1, 4 => 99999, 5 => 7, 6 => -1, 7 => -1, 8 => 134538308 ); |
277 |
+ |
278 |
+ # Read in information from unix (shadow) system |
279 |
+ open SHADOW, '/etc/shadow'; |
280 |
+ while (<SHADOW>) { |
281 |
+ chomp; |
282 |
+ my @shadow = split /:/, $_; |
283 |
+ next unless scalar @shadow >= 6; |
284 |
+ $shadow[1] = '!*' if $shadow[1] eq '!!'; |
285 |
+ $shadow[1] = "{CRYPT}$shadow[1]" unless $shadow[1] =~ /^\{/; |
286 |
+ |
287 |
+ $dn = "uid=$shadow[0],".($shadow[0] =~ /\$$/ ? $compou : $userou).",$basedn"; |
288 |
+ next unless exists $data->{$dn}; |
289 |
+ |
290 |
+ push @{$data->{$dn}->{objectclass}}, 'shadowAccount'; |
291 |
+ @{$data->{$dn}}{ map { lc($_) } qw/userPassword shadowLastChange shadowMin shadowMax shadowWarning shadowInactive |
292 |
+ shadowExpire shadowFlag/} = map { $shadow[$_] ? $shadow[$_] : $shadow_def{$_} } (1..8); |
293 |
+ } |
294 |
+ close (SHADOW); |
295 |
+ |
296 |
+ # Read in information from unix (group) system |
297 |
+ open GROUP, '/etc/group'; |
298 |
+ while (<GROUP>) { |
299 |
+ chomp; |
300 |
+ my @group = split /:/, $_; |
301 |
+ next unless scalar @group >= 3; |
302 |
+ $group[3] = [ split /,/, ($group[3] || '') ]; |
303 |
+ |
304 |
+ $dn = "cn=$group[0],$groupou,$basedn"; |
305 |
+ next unless exists $data->{$dn}; |
306 |
+ |
307 |
+ push @{$data->{$dn}->{objectclass}}, 'posixGroup'; |
308 |
+ @{$data->{$dn}}{qw/cn gidnumber/} = map { $group[$_] ? $group[$_] : [] } (0,2); |
309 |
+ push @{$data->{$dn}->{memberuid}}, @{$group[3]}; |
310 |
+ } |
311 |
+ close (GROUP); |
312 |
+ |
313 |
+ my %smbprop = ( |
314 |
+ 'User SID' => 'sambasid', |
315 |
+ 'Account Flags' => 'sambaacctflags', |
316 |
+ 'Primary Group SID' => 'sambaprimarygroupsid', |
317 |
+ 'Full Name' => 'displayname', |
318 |
+ 'Password last set' => 'sambapwdlastset', |
319 |
+ ); |
320 |
+ |
321 |
+ # Read in information from unix (smbpasswd) system |
322 |
+ if ( -f "$schema" && -x '/usr/bin/pdbedit' ) { |
323 |
+ $dn = undef; |
324 |
+ open SMBDETAIL, '/usr/bin/pdbedit -vL 2> /dev/null|'; |
325 |
+ while (<SMBDETAIL>) { |
326 |
+ chomp; |
327 |
+ |
328 |
+ $dn = ("uid=$1,".($1 =~ /\$$/ ? $compou : $userou).",$basedn") if m/^Unix username:\s+(\S.*)$/; |
329 |
+ next unless $dn && exists $data->{$dn}; |
330 |
+ |
331 |
+ # Map the samba account properties that we care about |
332 |
+ $data->{$dn}->{$smbprop{$1}} = ($2 ? str2time($2) : (defined $3 ? $3 : [])) |
333 |
+ if m/^(.+):\s+(?:(\S.*\d{4} \d{2}:\d{2}:\d{2}.*)|(.*))$/ && exists $smbprop{$1}; |
334 |
+ } |
335 |
+ close (SMBDETAIL); |
336 |
+ |
337 |
+ open SMBPASSWD, '/usr/bin/pdbedit -wL 2> /dev/null|'; |
338 |
+ while (<SMBPASSWD>) { |
339 |
+ chomp; |
340 |
+ my @smbpasswd = split /:/, $_; |
341 |
+ next unless scalar @smbpasswd >= 6; |
342 |
+ |
343 |
+ $dn = "uid=$smbpasswd[0],".($smbpasswd[0] =~ /\$$/ ? $compou : $userou).",$basedn"; |
344 |
+ next unless exists $data->{$dn} && exists $data->{$dn}->{uidnumber} && $data->{$dn}->{uidnumber} eq $smbpasswd[1]; |
345 |
+ |
346 |
+ push @{$data->{$dn}->{objectclass}}, 'sambaSamAccount'; |
347 |
+ @{$data->{$dn}}{qw/sambalmpassword sambantpassword/} = map { $smbpasswd[$_] ? $smbpasswd[$_] : [] } (2,3); |
348 |
+ } |
349 |
+ close (SMBPASSWD); |
350 |
+ } |
351 |
+ |
352 |
+ if ( -f "$schema" && -x '/usr/bin/net' ) { |
353 |
+ open GROUPMAP, '/usr/bin/net groupmap list 2> /dev/null|'; |
354 |
+ while (<GROUPMAP>) { |
355 |
+ chomp; |
356 |
+ |
357 |
+ if (m/^(.+) \((.+)\) -> (.+)$/) { |
358 |
+ # Skip local machine accounts |
359 |
+ next if $2 =~ /S-1-5-32-\d+/; |
360 |
+ |
361 |
+ $dn = "cn=$3,$groupou,$basedn"; |
362 |
+ next unless exists $data->{$dn}; |
363 |
+ |
364 |
+ push @{$data->{$dn}->{objectclass}}, 'sambaGroupMapping'; |
365 |
+ @{$data->{$dn}}{qw/displayname sambasid sambagrouptype/} = ($1, $2, 2); |
366 |
+ } |
367 |
+ } |
368 |
+ close (GROUPMAP); |
369 |
+ } |
370 |
+} |
371 |
+ |
372 |
+my @ldif; |
373 |
+ |
374 |
+# Loop through ldap data and update as necessary |
375 |
+my $reader = Net::LDAP::LDIF->new( $opt{input}, 'r', onerror => 'undef' ); |
376 |
+while( not $reader->eof()) { |
377 |
+ my $entry = $reader->read_entry() || next; |
378 |
+ $dn = $entry->dn; |
379 |
+ |
380 |
+ # Ensure the basedn is correct |
381 |
+ $dn = "$1$basedn" if $dn =~ /^((?:(?!dc=)[^,]+,)*)dc=/; |
382 |
+ |
383 |
+ # Ensure correct ou is part of user/groups/computers |
384 |
+ if ($dn =~ /^(uid=([^,\$]+)(\$)?),((?:(?!dc=)[^,]+,)*)dc=/) { |
385 |
+ if ( defined $3 && $3 eq '$') { |
386 |
+ $dn = "$1,$compou,$basedn"; |
387 |
+ } |
388 |
+ elsif (grep /posixGroup/, @{$entry->get_value('objectclass', asref => 1) || []}) { |
389 |
+ $dn = "cn=$2,$groupou,$basedn"; |
390 |
+ |
391 |
+ # Cleanup attributes that the modrdn will perform |
392 |
+ $entry->add(cn => $2); |
393 |
+ $entry->delete(uid => [$2]); |
394 |
+ } |
395 |
+ else { |
396 |
+ $dn = "$1,$userou,$basedn"; |
397 |
+ } |
398 |
+ } |
399 |
+ elsif ($dn =~ /^(cn=[^,]+),((?:(?!dc=)[^,]+,)*)dc=/) { |
400 |
+ $dn = "$1,$groupou,$basedn" unless $2 =~ /^ou=auto\./; |
401 |
+ } |
402 |
+ |
403 |
+ # Don't process records twice |
404 |
+ next if $data->{$dn}->{_done}; |
405 |
+ |
406 |
+ # Rename existing entry into place if we can |
407 |
+ if ($dn ne $entry->dn) { |
408 |
+ my $rdn = Net::LDAP::Entry->new; |
409 |
+ $rdn->dn($entry->dn); |
410 |
+ $rdn->changetype('modrdn'); |
411 |
+ my ($newdn, $newbase) = split /,/, $dn, 2; |
412 |
+ $rdn->add(newrdn => $newdn, deleteoldrdn => 1, newsuperior => $newbase); |
413 |
+ push @ldif, $rdn; |
414 |
+ |
415 |
+ # Now we can change the entry to new dn |
416 |
+ $entry->dn($dn); |
417 |
+ } |
418 |
+ |
419 |
+ # Change type to modify so that we can keep track of changes we make |
420 |
+ $entry->changetype('modify'); |
421 |
+ |
422 |
+ # Hack to make upgrades work (add calEntry if calFGUrl attributes exists) |
423 |
+ if ($entry->exists('calFBURL') && -f "/etc/openldap/schema/rfc2739.schema") { |
424 |
+ push @{$data->{$dn}->{objectclass}}, 'calEntry'; |
425 |
+ } |
426 |
+ |
427 |
+ my %attributes = (); |
428 |
+ @attributes{ keys %{$data->{$dn}}, exists $data->{$dn}->{_delete} ? map { lc($_) } keys %{$data->{$dn}->{_delete}} : () } = (); |
429 |
+ |
430 |
+ foreach my $attr (sort keys %attributes) { |
431 |
+ # Skip the pseudo attributes |
432 |
+ next if $attr =~ /^_/; |
433 |
+ |
434 |
+ my @l = @{$entry->get_value($attr, asref => 1) || []}; |
435 |
+ my @u = exists $data->{$dn}->{$attr} ? (ref $data->{$dn}->{$attr} ? @{$data->{$dn}->{$attr}} : ($data->{$dn}->{$attr})) : (); |
436 |
+ |
437 |
+ # Figure out differences between attributes |
438 |
+ my (@lonly, @uonly, @donly, %lseen, %useen, %dseen) = () x 6; |
439 |
+ |
440 |
+ # Unique lists of what is in ldap and what needs to be in ldap |
441 |
+ @lseen{@l} = (); |
442 |
+ @useen{@u} = (); |
443 |
+ |
444 |
+ # Create list of attributes that aren't in the other |
445 |
+ @uonly = grep { ! exists $lseen{$_} } keys %useen; |
446 |
+ @lonly = grep { ! exists $useen{$_} } keys %lseen; |
447 |
+ |
448 |
+ # Determine which of the ldap only attributes we need to remove |
449 |
+ if ((keys %useen == 1 && keys %lseen == 1) || (keys %useen == 0 && exists $data->{$dn}->{$attr})) { |
450 |
+ # Replacing a single entry or erasing entire entry |
451 |
+ @donly = @lonly; |
452 |
+ } |
453 |
+ elsif ($data->{$dn}->{_delete} && $data->{$dn}->{_delete}->{$attr}) { |
454 |
+ if (my $ref = ref($data->{$dn}->{_delete}->{$attr})) { |
455 |
+ # Map hash keys or array elemts to valid values to delete |
456 |
+ @dseen{$ref eq 'HASH' ? keys %{$data->{$dn}->{_delete}->{$attr}} : @{$data->{$dn}->{_delete}->{$attr}}} = (); |
457 |
+ @donly = grep { exists $dseen{$_} } @lonly; |
458 |
+ } |
459 |
+ else { |
460 |
+ # Permission to remove all values |
461 |
+ @donly = @lonly; |
462 |
+ } |
463 |
+ } |
464 |
+ |
465 |
+ if (@donly && @donly == keys %lseen) { |
466 |
+ # If we are removing all ldap attributes do a remove or full delete |
467 |
+ if (@uonly) { |
468 |
+ $entry->replace($attr => [ @uonly ]); |
469 |
+ } |
470 |
+ else { |
471 |
+ $entry->delete($attr => []); |
472 |
+ } |
473 |
+ } |
474 |
+ else { |
475 |
+ $entry->delete($attr => [ @donly ]) if @donly; |
476 |
+ $entry->add($attr => [ @uonly ]) if @uonly; |
477 |
+ } |
478 |
+ } |
479 |
+ |
480 |
+ $data->{$dn}->{_done} = 1; |
481 |
+ push @ldif, $entry; |
482 |
+} |
483 |
+$reader->done(); |
484 |
+ |
485 |
+# Add missing records that didn't exist in ldap yet |
486 |
+foreach $dn (grep { ! exists $data->{$_}->{_done} } sort keys %$data) { |
487 |
+ my $entry = Net::LDAP::Entry->new; |
488 |
+ $entry->dn($dn); |
489 |
+ |
490 |
+ foreach my $attr (sort keys %{$data->{$dn}}) { |
491 |
+ # Skip the pseudo attributes |
492 |
+ next if $attr =~ /^_/; |
493 |
+ |
494 |
+ my %seen = (); |
495 |
+ @seen{ref $data->{$dn}->{$attr} ? @{$data->{$dn}->{$attr}} : ($data->{$dn}->{$attr})} = (); |
496 |
+ $entry->add($attr => [ sort keys %seen ]) if keys %seen != 0; |
497 |
+ } |
498 |
+ |
499 |
+ push @ldif, $entry; |
500 |
+} |
501 |
+ |
502 |
+#------------------------------------------------------------ |
503 |
+# Update LDAP database entry. |
504 |
+#------------------------------------------------------------ |
505 |
+my $ldap; |
506 |
+if ($opt{update}) { |
507 |
+ $ldap = Net::LDAP->new('localhost') or die "$@"; |
508 |
+ $ldap->bind( dn => "cn=root,$basedn", password => esmith::util::LdapPassword() ); |
509 |
+} |
510 |
+ |
511 |
+my $writer = Net::LDAP::LDIF->new( $opt{output}, 'w', onerror => 'undef', wrap => 0, sort => 1, change => $opt{diff} ); |
512 |
+foreach my $entry (sort dnsort @ldif) { |
513 |
+ if ($opt{update} && ($entry->changetype ne 'modify' || @{$entry->{changes}}) ) { |
514 |
+ my $result = $entry->update($ldap); |
515 |
+ warn "Failure to ",$entry->changetype," ",$entry->dn,": ",$result->error,"\n" if $result->code; |
516 |
+ } |
517 |
+ |
518 |
+ if ($writer->{change} || $entry->changetype !~ /modr?dn/) { |
519 |
+ $writer->write_entry($entry); |
520 |
+ } |
521 |
+} |
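Review bot: The `open` calls for `/etc/passwd`, `/etc/shadow`, `/etc/group` and the `pdbedit`/`net` pipes are never checked, and with `--update` a read failure becomes data loss: if `/etc/shadow` cannot be read, `userpassword` is still listed in `_delete` but absent from `$data`, so the attribute loop issues `$entry->delete($attr => [])` for every account that has one. Use checked three-argument opens with lexical handles, e.g. `open(my $shadow_fh, '<', '/etc/shadow') or die "cannot read /etc/shadow: $!";` followed by `while (<$shadow_fh>)`. The result of `$ldap->bind(...)` is likewise ignored, so a failed bind only shows up as one warning per entry; check the returned message's `code` and die before the update loop. Since the generated LDIF carries `userPassword` hashes and nothing in the script restricts the mode of the `-o` file, a `umask 077;` before the writer is created is also worth adding.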
522 |
diff -Nur e-smith-ldap-5.6.0.old/root/sbin/e-smith/systemd/ldap-certificate e-smith-ldap-5.6.0/root/sbin/e-smith/systemd/ldap-certificate |
523 |
--- e-smith-ldap-5.6.0.old/root/sbin/e-smith/systemd/ldap-certificate 1969-12-31 19:00:00.000000000 -0500 |
524 |
+++ e-smith-ldap-5.6.0/root/sbin/e-smith/systemd/ldap-certificate 2020-12-11 21:30:01.775000000 -0500 |
525 |
@@ -0,0 +1,40 @@ |
526 |
+#!/usr/bin/perl -w |
527 |
+ |
528 |
+#---------------------------------------------------------------------- |
529 |
+# copyright (C) 2005 Mitel Networks Corporation |
530 |
+# |
531 |
+# This program is free software; you can redistribute it and/or modify |
532 |
+# it under the terms of the GNU General Public License as published by |
533 |
+# the Free Software Foundation; either version 2 of the License, or |
534 |
+# (at your option) any later version. |
535 |
+# |
536 |
+# This program is distributed in the hope that it will be useful, |
537 |
+# but WITHOUT ANY WARRANTY; without even the implied warranty of |
538 |
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
539 |
+# GNU General Public License for more details. |
540 |
+# |
541 |
+# You should have received a copy of the GNU General Public License |
542 |
+# along with this program; if not, write to the Free Software |
543 |
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
544 |
+# |
545 |
+# Technical support for this program is available from Mitel Networks |
546 |
+# Please visit our web site www.mitel.com/sme/ for details. |
547 |
+#---------------------------------------------------------------------- |
548 |
+ |
549 |
+use esmith::util; |
550 |
+use esmith::ConfigDB; |
551 |
+use File::Copy; |
552 |
+ |
553 |
+my $c = esmith::ConfigDB->open_ro; |
554 |
+my $s = $c->get('SystemName')->value; |
555 |
+my $d = $c->get('DomainName')->value; |
556 |
+ |
557 |
+my $pem = "/etc/openldap/ssl/slapd.pem"; |
558 |
+# Now copy system pem file into jail used by ldap |
559 |
+copy("/home/e-smith/ssl.pem/$s.$d.pem", "$pem.$$") |
560 |
+ or die "failed to copy SSL PEM: $!"; |
561 |
+chmod 0640, "$pem.$$"; |
562 |
+esmith::util::chownFile("root", "ldap", "$pem.$$"); |
563 |
+rename("$pem.$$", "$pem") |
564 |
+ or die "failed to rename $pem.$$ to $pem: $!"; |
565 |
+ |
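Review bot: `copy()` creates `$pem.$$` with the process umask before `chmod 0640` runs, so the file slapd.conf uses as `TLSCertificateKeyFile` can be briefly readable by other local users (it would be under a 022 umask); set `umask 0077;` before the `copy` call. The result of `chmod` is not checked, so a failure there still renames the file into place with whatever mode it was created with; `chmod 0640, "$pem.$$" or die "chmod $pem.$$: $!";` closes that. The script also runs without `use strict;`, and the "jail" comment no longer matches the `/etc/openldap/ssl` destination.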
566 |
diff -Nur e-smith-ldap-5.6.0.old/root/sbin/e-smith/systemd/ldap-finish e-smith-ldap-5.6.0/root/sbin/e-smith/systemd/ldap-finish |
567 |
--- e-smith-ldap-5.6.0.old/root/sbin/e-smith/systemd/ldap-finish 1969-12-31 19:00:00.000000000 -0500 |
568 |
+++ e-smith-ldap-5.6.0/root/sbin/e-smith/systemd/ldap-finish 2020-12-11 21:51:25.883000000 -0500 |
569 |
@@ -0,0 +1,21 @@ |
570 |
+#! /bin/sh |
571 |
+ |
572 |
+exec 2>&1 |
573 |
+ |
574 |
+LDIF=$(readlink -n /etc/openldap/ldif) |
575 |
+TMP=$LDIF.$$ |
576 |
+if /usr/sbin/slapcat -l $TMP |
577 |
+then |
578 |
+ mv -f $TMP $LDIF |
579 |
+else |
580 |
+ echo slapcat dump of ldif failed - shutting down ldap service >&2 |
581 |
+ echo probable corruption of ldap backend files >&2 |
582 |
+ |
583 |
+ # Don't bother to keep a zero length dump file |
584 |
+ if test ! -s $TMP |
585 |
+ then |
586 |
+ rm -f $TMP |
587 |
+ fi |
588 |
+ |
589 |
+fi |
590 |
+ |
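Review bot: `LDIF=$(readlink -n /etc/openldap/ldif)` is used without checking that it produced a path, and `$TMP`/`$LDIF` are expanded unquoted: if the symlink is missing, `slapcat -l` writes the dump to `.$$` in the current directory and the `mv` then fails. Guard it with `[ -n "$LDIF" ] || exit 1` and quote the expansions (`slapcat -l "$TMP"`, `mv -f "$TMP" "$LDIF"`). The dump contains whatever `userPassword` values the directory holds and is created with the inherited umask, so a `umask 077` at the top of the script is worth adding unless the target directory is already restricted.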
591 |
diff -Nur e-smith-ldap-5.6.0.old/root/sbin/e-smith/systemd/ldap-prepare e-smith-ldap-5.6.0/root/sbin/e-smith/systemd/ldap-prepare |
592 |
--- e-smith-ldap-5.6.0.old/root/sbin/e-smith/systemd/ldap-prepare 1969-12-31 19:00:00.000000000 -0500 |
593 |
+++ e-smith-ldap-5.6.0/root/sbin/e-smith/systemd/ldap-prepare 2020-12-11 22:22:52.071000000 -0500 |
594 |
@@ -0,0 +1,54 @@ |
595 |
+#! /bin/sh |
596 |
+ |
597 |
+ |
598 |
+domain=$(/sbin/e-smith/config get DomainName) |
599 |
+ldif="/home/e-smith/db/ldap/$domain.ldif" |
600 |
+ |
601 |
+if [ -e /etc/openldap/ldif ] |
602 |
+then |
603 |
+ old_ldif=$(readlink /etc/openldap/ldif) |
604 |
+ if [ "$old_ldif" != "$ldif" ] |
605 |
+ then |
606 |
+ # The domain name has changed, so we need to delete |
607 |
+ # the old directory contents. We still have the old |
608 |
+ # dump. |
609 |
+ mv -f $old_ldif $ldif |
610 |
+ find /var/lib/ldap -type f | xargs rm -f |
611 |
+ fi |
612 |
+fi |
613 |
+ |
614 |
+if [ -f /var/lib/ldap/nextid.dbb ] |
615 |
+then |
616 |
+ # We are upgrading from an earlier version which used |
617 |
+ # ldbm backend format. Delete the backend files, and |
618 |
+ # restore from ldif |
619 |
+ find /var/lib/ldap -type f | xargs rm -f |
620 |
+fi |
621 |
+ |
622 |
+# Set up symlink for ldap dump at shutdown |
623 |
+ln -sf $ldif /etc/openldap/ldif |
624 |
+ |
625 |
+/sbin/e-smith/expand-template /var/lib/ldap/DB_CONFIG |
626 |
+ |
627 |
+# Make sure we use the slapd.conf file instead of the new slapd.d |
628 |
+touch /etc/openldap/slapd.d/unused |
629 |
+find /etc/openldap/slapd.d/ -mindepth 1 -maxdepth 1 -not -name unused -exec rm -rf {} \; |
630 |
+/sbin/e-smith/expand-template /etc/openldap/slapd.conf |
631 |
+ |
632 |
+# Prime directory if required |
633 |
+if [ \! -f /var/lib/ldap/id2entry.bdb ] |
634 |
+then |
635 |
+ if [ -e /etc/openldap/ldif ] |
636 |
+ then |
637 |
+ /sbin/e-smith/ldif-fix -i /etc/openldap/ldif | setuidgid ldap slapadd -c |
638 |
+ else |
639 |
+ /sbin/e-smith/ldif-fix -i /dev/null | setuidgid ldap slapadd -c |
640 |
+ fi |
641 |
+else |
642 |
+ setuidgid ldap /usr/bin/db_recover -v -h /var/lib/ldap |
643 |
+fi |
644 |
+ |
645 |
+# Make sure all DB files belongs to ldap:ldap |
646 |
+find /var/lib/ldap -not -name DB_CONFIG -exec chown ldap:ldap {} \; |
647 |
+ |
648 |
+exit 0 |
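Review bot: In the domain-change branch the backend wipe runs even when the preceding `mv -f $old_ldif $ldif` fails, which would leave no database files and no dump at the new path to restore from; chain them, `mv -f "$old_ldif" "$ldif" && find /var/lib/ldap -type f -delete`. `find … | xargs rm -f` (both occurrences) also mis-splits file names containing whitespace, and `$old_ldif`/`$ldif` are unquoted although `$domain` comes from the configuration database. The `ldif-fix … | slapadd -c` pipelines are not checked and the script ends in `exit 0`, so this `ExecStartPre` step reports success to systemd even when priming the directory fails.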
649 |
diff -Nur e-smith-ldap-5.6.0.old/root/usr/lib/systemd/system/ldap.init.service e-smith-ldap-5.6.0/root/usr/lib/systemd/system/ldap.init.service |
650 |
--- e-smith-ldap-5.6.0.old/root/usr/lib/systemd/system/ldap.init.service 1969-12-31 19:00:00.000000000 -0500 |
651 |
+++ e-smith-ldap-5.6.0/root/usr/lib/systemd/system/ldap.init.service 2020-12-11 22:18:46.616000000 -0500 |
652 |
@@ -0,0 +1,21 @@ |
653 |
+[Unit] |
654 |
+Description=Koozali SME Server ldap.init |
655 |
+After=syslog.target network-online.target ldap.service |
656 |
+ |
657 |
+[Service] |
658 |
+Type=forking |
659 |
+Restart=no |
660 |
+TimeoutSec=5min |
661 |
+IgnoreSIGPIPE=no |
662 |
+KillMode=process |
663 |
+GuessMainPID=no |
664 |
+RemainAfterExit=yes |
665 |
+ExecStartPre=/sbin/e-smith/service-status ldap.init |
666 |
+ExecStart=/etc/rc.d/init.d/ldap.init start |
667 |
+ExecStop=/etc/rc.d/init.d/ldap.init stop |
668 |
+ |
669 |
+ |
670 |
+[Install] |
671 |
+WantedBy=sme-server.target |
672 |
+Alias=slapd.service |
673 |
+ |
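Review bot: `Alias=slapd.service` appears in this unit's `[Install]` section and again in `ldap.service` in the same patch; one alias name can point at only one unit, so enabling both is at best order-dependent. Drop the alias here, since this unit only wraps `/etc/rc.d/init.d/ldap.init`. `After=ldap.service` orders the two units but does not pull `ldap.service` in; if the init step needs a running slapd, add `Requires=ldap.service` (or `Wants=ldap.service`).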
674 |
diff -Nur e-smith-ldap-5.6.0.old/root/usr/lib/systemd/system/ldap.service e-smith-ldap-5.6.0/root/usr/lib/systemd/system/ldap.service |
675 |
--- e-smith-ldap-5.6.0.old/root/usr/lib/systemd/system/ldap.service 1969-12-31 19:00:00.000000000 -0500 |
676 |
+++ e-smith-ldap-5.6.0/root/usr/lib/systemd/system/ldap.service 2020-12-11 22:18:52.999000000 -0500 |
677 |
@@ -0,0 +1,25 @@ |
678 |
+[Unit] |
679 |
+Description=Koozali SME Server OpenLDAP Server Daemon |
680 |
+After=syslog.target network-online.target |
681 |
+Documentation=man:slapd |
682 |
+Documentation=man:slapd-config |
683 |
+Documentation=man:slapd-hdb |
684 |
+Documentation=man:slapd-mdb |
685 |
+Documentation=file:///usr/share/doc/openldap-servers/guide.html |
686 |
+ |
687 |
+[Service] |
688 |
+Type=forking |
689 |
+PIDFile=/var/run/openldap/slapd.pid |
690 |
+Environment="SLAPD_URLS=ldap:/// ldaps:/// ldapi:///" "SLAPD_OPTIONS=-4 -d 256 -s 0" |
691 |
+EnvironmentFile=/etc/sysconfig/slapd |
692 |
+ExecStartPre=/sbin/e-smith/service-status ldap |
693 |
+ExecStartPre=/sbin/e-smith/systemd/ldap-certificate |
694 |
+ExecStartPre=/sbin/e-smith/systemd/ldap-prepare |
695 |
+#ExecStartPre=/usr/libexec/openldap/check-config.sh |
696 |
+ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS |
697 |
+ |
698 |
+ExecStopPost=/sbin/e-smith/systemd/ldap-finish |
699 |
+ |
700 |
+[Install] |
701 |
+WantedBy=sme-server.target |
702 |
+Alias=slapd.service |
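Review bot: `Type=forking` with `PIDFile=` does not match how slapd is started here: both the `Environment=` default and the 40OPTIONS template pass `-d <level>`, and per slapd(8) any `-d` argument keeps slapd in the foreground, so systemd would wait for a fork that never happens and fail the start on timeout. Either use `Type=simple` and drop `PIDFile=`, or remove `-d` from `SLAPD_OPTIONS` and set the log level in slapd.conf instead. The `Environment=` line also duplicates the values generated into `/etc/sysconfig/slapd`; a comment such as `# fallback only, overridden by EnvironmentFile below` would keep the two from drifting silently.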
703 |
diff -Nur e-smith-ldap-5.6.0.old/root/usr/lib/systemd/system/slapd.service.d/50koozali.conf e-smith-ldap-5.6.0/root/usr/lib/systemd/system/slapd.service.d/50koozali.conf |
704 |
--- e-smith-ldap-5.6.0.old/root/usr/lib/systemd/system/slapd.service.d/50koozali.conf 1969-12-31 19:00:00.000000000 -0500 |
705 |
+++ e-smith-ldap-5.6.0/root/usr/lib/systemd/system/slapd.service.d/50koozali.conf 2020-12-11 22:09:10.565000000 -0500 |
706 |
@@ -0,0 +1,5 @@ |
707 |
+# disabled |
708 |
+# we are using ldap.service |
709 |
+ExecStart=/usr/bin/true |
710 |
+ExecStartPre= |
711 |
+PIDFile= |
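Review bot: The drop-in has no section header, so systemd ignores all three assignments as being outside a section; add `[Service]` above them. Replacing a command from a drop-in also needs the list cleared first, i.e. `ExecStart=` on its own line before `ExecStart=/usr/bin/true`. Because `ldap.service` declares `Alias=slapd.service`, it is worth confirming that a working `slapd.service.d` drop-in would not then be applied to `ldap.service` through the alias and blank its `ExecStartPre=` steps.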