Attachment 117674 Details for Bug 176402 – smbldap-groupmod with workaround

smbldap-groupmod with workaround

smbldap-groupmod (text/plain), 8.77 KB, created by Matthias Nagl on 2007-04-29 20:56:36 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Matthias Nagl

Created: 2007-04-29 20:56:36 UTC

Size: 8.77 KB

patch

obsolete

>#!/usr/bin/perl -w
>
># $Id: smbldap-groupmod,v 1.12 2006/01/02 17:01:19 jtournier Exp $
>#
>#  This code was developped by IDEALX (http://IDEALX.org/) and
>#  contributors (their names can be found in the CONTRIBUTORS file).
>#
>#                 Copyright (C) 2001-2002 IDEALX
>#
>#  This program is free software; you can redistribute it and/or
>#  modify it under the terms of the GNU General Public License
>#  as published by the Free Software Foundation; either version 2
>#  of the License, or (at your option) any later version.
>#
>#  This program is distributed in the hope that it will be useful,
>#  but WITHOUT ANY WARRANTY; without even the implied warranty of
>#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
>#  GNU General Public License for more details.
>#
>#  You should have received a copy of the GNU General Public License
>#  along with this program; if not, write to the Free Software
>#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
>#  USA.
>
># Purpose of smbldap-groupmod : group (posix) modification
>
>
>use strict;
>use FindBin;
>use FindBin qw($RealBin);
>use lib "$RealBin/";
>use smbldap_tools;
>
>#####################
>
>use Getopt::Std;
>my %Options;
>
>my $ok = getopts('ag:n:m:or:s:t:x:?', \%Options);
>if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) {
>  print_banner;
>  print "Usage: $0 [-a] [-g gid [-o]] [-n name] [-m members(,)] [-x members (,)] [-r rid] [-s sid] [-t type] groupname\n";
>  print "  -a   add automatic group mapping entry\n";
>  print "  -g   new gid\n";
>  print "  -o   gid is not unique\n";
>  print "  -n   new group name\n";
>  print "  -m   add members (comma delimited)\n";
>  print "  -r   group-rid\n";
>  print "  -s   group-sid\n";
>  print "  -t   group-type\n"; 
>  print "  -x   delete members (comma delimted)\n";
>  print "  -?   show this help message\n";
>  exit (1);
>}
>
>my $groupName = $ARGV[0];
>
># Dirty Samba Workaround
>$groupName=~s/\\([0-9A-Z]{2})\\([0-9A-Z]{2})/chr(hex($1)).chr(hex($2))/ge;
>
>my $group_entry;
>
>my $ldap_master=connect_ldap_master();
>
>if (! ($group_entry = read_group_entry($groupName))) {
>  print "$0: group $groupName doesn't exist\n";
>  exit (6);
>}
>
>my $newname = $Options{'n'};
>
>my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1";
>
>if ($nscd_status == 0) {
>  system "/etc/init.d/nscd restart > /dev/null 2>&1";
>}
>
>my $gid = getgrnam($groupName);
>unless (defined ($gid)) {
>  print "$0: group $groupName not found!\n";
>  exit(6);
>}
>
>my $tmp;
>if (defined($tmp = $Options{'g'}) and $tmp =~ /\d+/) {
>  if (!defined($Options{'o'})) {
>    if (defined(getgrgid($tmp))) {
>      print "$0: gid $tmp exists\n";
>      exit (6);
>    }
>  }
>  if (!($gid == $tmp)) {
>    my $modify = $ldap_master->modify ( "cn=$groupName,$config{groupsdn}",
>					changes => [
>						    replace => [gidNumber => $tmp]
>						   ]
>				      );
>    $modify->code && die "failed to modify entry: ", $modify->error ;
>  }
>}
>
>
>if (defined($newname)) {
>  my $modify = $ldap_master->moddn (
>				    "cn=$groupName,$config{groupsdn}",
>				    newrdn => "cn=$newname",
>				    deleteoldrdn => "1",
>				    newsuperior => "$config{groupsdn}"
>				   );
>  $modify->code && die "failed to modify entry: ", $modify->error ;
>  # take down session
>}
>
># Add members
>if (defined($Options{'m'})) {
>  my $members = $Options{'m'};
>  my @members = split( /,/, $members );
>  my $member;
>  foreach $member ( @members ) {
>    my $group_entry=read_group_entry($groupName);
>    $config{groupsdn}=$group_entry->dn;
>    if (is_unix_user($member) || is_nonldap_unix_user($member)) {
>      if (is_group_member($config{groupsdn},$member)) {
>	print "User $member already in the group\n";
>      } else {
>	print "adding user $member to group $groupName\n";
>	my $modify = $ldap_master->modify ($config{groupsdn},
>					   changes => [
>						       add => [memberUid => $member]
>						      ]
>					  );
>	$modify->code && warn "failed to add entry: ", $modify->error ;
>      }
>    } else {
>      print "User $member does not exist: create it first !\n";
>    }
>  }
>}
>
># Delete members
>if (defined($Options{'x'})) {
>  my $members = $Options{'x'};
>  my @members = split( /,/, $members );
>  my $member;
>  foreach $member ( @members ) {
>    my $user_entry=read_user_entry($member);
>    my $group_entry=read_group_entry($groupName);
>    $config{groupsdn}=$group_entry->dn;
>    if (is_group_member("$config{groupsdn}",$member)) {
>      my $delete=1;
>      if (defined $group_entry->get_value('sambaSID')) {
>        if ($group_entry->get_value('sambaSID') eq $user_entry->get_value('sambaPrimaryGroupSID')) {
>    	  $delete=0;
>  	  print "Cannot delete user ($member) from his primary group ($groupName)\n";
>        }
>      }
>      if ($delete eq 1) {
>	print "deleting user $member from group $groupName\n";
>        my $modify = $ldap_master->modify ($config{groupsdn},
>                                           changes => [
>                                                       delete => [memberUid => $member]
>                                                      ]
>                                          );
>        $modify->code && warn "failed to delete entry: ", $modify->error ;
>      }
>    } else {
>      print "User $member is not in the group $groupName!\n";
>    }
>  }
>}
>
>my $group_sid;
>if ($tmp= $Options{'s'}) {
>  if ($tmp =~ /^S-(?:\d+-)+\d+$/) {
>    $group_sid = $tmp;
>  } else {
>    print "$0: illegal group-rid $tmp\n";
>    exit(7);
>  }
>} elsif ($Options{'r'} || $Options{'a'}) {
>  my $group_rid;
>  if ($tmp= $Options{'r'}) {
>    if ($tmp =~ /^\d+$/) {
>      $group_rid = $tmp;
>    } else {
>      print "$0: illegal group-rid $tmp\n";
>      exit(7);
>    }
>  } else {
>    # algorithmic mapping
>    $group_rid = 2*$gid+1001;
>  }
>  $group_sid = $config{SID}.'-'.$group_rid;
>}
>
>if ($group_sid) {
>  my @adds;
>  my @mods;
>  push(@mods, 'sambaSID' => $group_sid);
>
>  if ($tmp= $Options{'t'}) {
>    my $group_type;
>    if (defined($group_type = &group_type_by_name($tmp))) {
>      push(@mods, 'sambaGroupType' => $group_type);
>    } else {
>      print "$0: unknown group type $tmp\n";
>      exit(8);
>    }
>  } else {
>    if (! defined($group_entry->get_value('sambaGroupType'))) {
>      push(@mods, 'sambaGroupType' => group_type_by_name('domain'));
>    }
>  }
>
>  my @oc = $group_entry->get_value('objectClass');
>  unless (grep($_ =~ /^sambaGroupMapping$/i, @oc)) {
>    push (@adds, 'objectClass' => 'sambaGroupMapping');
>  }
>
>  my $modify = $ldap_master->modify ( "cn=$groupName,$config{groupsdn}",
>				      changes => [
>						  'add' => [ @adds ],
>						  'replace' => [ @mods ]
>						 ]
>				    );
>  $modify->code && warn "failed to delete entry: ", $modify->error ;
>}
>
>$nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1";
>
>if ($nscd_status == 0) {
>  system "/etc/init.d/nscd restart > /dev/null 2>&1";
>}
>
># take down session
>$ldap_master->unbind;
>
>exit (0);
>
>############################################################
>
>=head1 NAME
>
>smbldap-groupmod - Modify a group
>
>=head1 SYNOPSIS
>
>smbldap-groupmod [-g gid [-o]] [-a] [-r rid] [-s sid] [-t group type]
>          [-n group_name ] [-m members(,)] [-x members (,)] group
>
>=head1 DESCRIPTION
>
>The smbldap-groupmod command modifies the system account files to
>reflect the changes that are specified on the command line.
>The options which apply to the smbldap-groupmod command are
>
>-g gid The numerical value of the group's ID. This value must be
>   unique, unless the -o option is used. The value must be non-
>   negative. Any files which the old group ID is the file
>   group ID must have the file group ID changed manually.
>
>-n group_name
>   The name of the group will be changed from group to group_name.
>
>-m members
>   The members to be added to the group in comma-delimeted form.
>
>-x members
>   The members to be removed from the group in comma-delimted form.
>
>-a
>   add an automatic Security ID for the group (SID).
>   The rid of the group is calculated from the gidNumber of the
>   group as rid=2*gidNumber+1001. Thus the resulted SID of the
>   group is $SID-$rid where $SID and $rid are the domain SID and
>   the group rid
>
>-s sid
>   set the group SID.
>   The SID must be unique and defined with the domain Security ID
>   ($SID) like sid=$SID-rid where rid is the group rid.
>
>-r rid
>   set the group rid.
>   The SID is then calculated as sid=$SID-rid where $SID is the
>   domain Security ID.
>
>-t group type
>   set the NT Group type for the new group. Available values are
>   2 (domain group), 4 (local group) and 5 (builtin group).
>   The default group type is 2.
>
>=head1 EXAMPLES
>
>smbldap-groupmod -g 253 development
> This will change the GID of the 'development' group to '253'.
>
>smbldap-groupmod -n Idiots Managers
> This will change the name of the 'Managers' group to 'Idiots'.
>
>smbldap-groupmod -m "jdoe,jsmith" "Domain Admins"
> This will add 'jdoe' and 'jsmith' to the 'Domain Admins' group.
>
>smbldap-groupmod -x "jdoe,jsmith" "Domain Admins"
> This will remove 'jdoe' and 'jsmith' from the 'Domain Admins' group.
>
>=head1 SEE ALSO
>
>       groupmod(1)
>
>=cut
>
>#'

Actions: View

Attachments on bug 176402: 117674 | 117676