From 637d73aa6e6fb24cd57dc8063af55a203f8ccc64 Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard
Date: Sun, 26 Oct 2008 23:03:44 +0100
Subject: Major update, including adding cipux role accounts.
---
 ldap/db/cipux_rolegroup.ldif.in | 26 +++++++++++++++
 ldap/db/cipux_roleuser.ldif.in | 36 ++++++++++++++++++++
 ldap/mkldapdb | 74 ++++++++++++++++++++++++++++++++++++-----
 3 files changed, 127 insertions(+), 9 deletions(-)
 create mode 100644 ldap/db/cipux_rolegroup.ldif.in
 create mode 100644 ldap/db/cipux_roleuser.ldif.in
(limited to 'ldap')
diff --git a/ldap/db/cipux_rolegroup.ldif.in b/ldap/db/cipux_rolegroup.ldif.in
new file mode 100644
index 0000000..bff7f56
--- /dev/null
+++ b/ldap/db/cipux_rolegroup.ldif.in
@@ -0,0 +1,26 @@
+dn: cn=@ROLE@,ou=Group,ou=CipUX,@SUFFIX@
+cipuxCreationDate: 2008-07-31T01:54:00
+cipuxGroupLeaderUid: @ROLE@
+cipuxHardQuota: 50000
+cipuxInternetStatus: accept
+cipuxIsAccount: TRUE
+cipuxIsRole: TRUE
+cipuxIsShare: FALSE
+cipuxIsSkel: TRUE
+cipuxRemark: Hand made account
+cipuxRole: role
+cipuxSoftQuota: 40000
+cn: @ROLE@
+gidNumber: @GID@
+memberUid: @ROLE@
+objectClass: top
+objectClass: posixGroup
+objectClass: cipuxGroup
+structuralObjectClass: posixGroup
+entryUUID: b72b2286-1c30-102d-92b5-c966c0ff3d4a
+creatorsName: cn=cipuxadm,dc=jones,dc=dk
+createTimestamp: 20080921135538Z
+userPassword:: e1NTSEF9MllkUGRjV3RKYmhNdUZWODVaQ1pJWHNyZE5rTGVXdjM=
+entryCSN: 20080921135647.732164Z#000000#000#000000
+modifiersName: cn=cipuxadm,dc=jones,dc=dk
+modifyTimestamp: 20080921135647Z
diff --git a/ldap/db/cipux_roleuser.ldif.in b/ldap/db/cipux_roleuser.ldif.in
new file mode 100644
index 0000000..a19b1b8
--- /dev/null
+++ b/ldap/db/cipux_roleuser.ldif.in
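Review bot: The template ships operational attributes lifted from a slapcat dump of a development directory — `structuralObjectClass`, `entryUUID`, `creatorsName: cn=cipuxadm,dc=jones,dc=dk`, `createTimestamp`, `entryCSN`, `modifiersName`, `modifyTimestamp` — and mkldapdb feeds the rendered file to `ldapadd` bound as cn=admin, where a stock OpenLDAP rejects them as NO-USER-MODIFICATION unless a relax control is used; even if accepted, every role group would carry the same entryUUID and a foreign `dc=jones,dc=dk` suffix. The `userPassword::` value decodes to an `{SSHA}` hash copied from that same dump, so all role groups would share one secret of unknown origin committed to the repository. Drop every line from `structuralObjectClass: posixGroup` through `modifyTimestamp: 20080921135647Z` and let the server generate them; if a group password is genuinely needed, use a `userPassword: @PASSWORD@` placeholder rendered from a fresh value rather than a fixed hash.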
@@ -0,0 +1,36 @@
+dn: uid=@ROLE@,ou=User,ou=CipUX,@SUFFIX@
+cipuxCreationDate: 2008-07-31T01:54:00
+cipuxFirstname: Role
+cipuxHardQuota: 50000
+cipuxInternetStatus: accept
+cipuxIsAccount: TRUE
+cipuxIsRole: TRUE
+cipuxIsShare: FALSE
+cipuxIsSkel: TRUE
+cipuxLastname: Account
+cipuxRemark: CipUX task layer
+cipuxRole: role
+cipuxSkeletonUid: none
+cipuxSoftQuota: 40000
+cipuxStatus: idle
+cn: Default Role
+gecos: Default Role
+gidNumber: @GID@
+homeDirectory: /home/cipux0/@ROLE@
+loginShell: /bin/bash
+mailMessageStore: /var/lib/maildirs/@ROLE@
+objectClass: posixAccount
+objectClass: top
+objectClass: shadowAccount
+objectClass: imapUser
+objectClass: cipuxAccount
+uid: @ROLE@
+uidNumber: @UID@
+userPassword:: ZHV0
+structuralObjectClass: imapUser
+entryUUID: b72bb2e6-1c30-102d-92b6-c966c0ff3d4a
+creatorsName: cn=cipuxadm,dc=jones,dc=dk
+createTimestamp: 20080921135538Z
+entryCSN: 20080921144317.807008Z#000000#000#000000
+modifiersName: cn=cipuxadm,dc=jones,dc=dk
+modifyTimestamp: 20080921144317Z
diff --git a/ldap/mkldapdb b/ldap/mkldapdb
index 4e297c3..31ad606 100755
--- a/ldap/mkldapdb
+++ b/ldap/mkldapdb
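Review bot: `userPassword:: ZHV0` is the base64 encoding of the cleartext string `dut`, and mkldapdb renders this template once per role in its fixed list — `admin` included — so every role account is created with the same three-character password, a `loginShell: /bin/bash`, and, wherever PAM/NSS are pointed at this directory, a working interactive login. The script's own `FIXME: fix apply passwords for roles in a sane way!` acknowledges the gap, but a template that yields a live trivial password is not a safe interim state, since the directory is usable the moment the entries are loaded. Replace the line with `userPassword: @PASSWORD@` and have mkldapdb substitute a per-role generated value, or omit the attribute entirely so the account cannot authenticate until `ldappasswd -S` is run. The operational attributes from `structuralObjectClass: imapUser` through `modifyTimestamp: 20080921144317Z` are server-generated, carry a foreign `dc=jones,dc=dk` suffix, and are rejected by a stock `ldapadd` without a relax control; they should be removed from the template as well.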
@@ -23,36 +23,83 @@ for var in basedn dnsdomain orgname backend; do
 fi
 done
+# concatenate files with an additional newline in between
+spacecat() {
+ perl -e 'foreach (@ARGV) {print "\n" if $n; $n++; open (FH, $_); print while(); close FH;}' "$@"
+}
+
+#TODO: Somehow lookup id directly instead, as getent might be slow with
+ # thousands of entries, and some NSS mechanisms drop at some limit
+ # i.e. openldap by default return only first 500 entries
+nextfreeid() {
+ type="$1"
+ id="$2"
+ max="$3"
+ case $type in
+ uid) column="3";;
+ gid) column="4";;
+ esac
+ while getent passwd | awk -F: "{ print \$$column }" | grep -Fqx "$id"; do
+ id=$(($id + 1))
+ [ -z "$max" ] || [ "$id" -lt "$max" ] || return 1
+ done
+ echo "$id"
+}
+
 masterdir=/etc/local-COMMON/ldap/db
 tempdir=`mktemp -dt slapd.XXXXXX`
 snippets="$(LANG=C find "$masterdir" -type f -name '*.conf.in' | sort)"
-# concatenate files with an additional newline in between
-# (perl could replace sed too, but multiline perl inside shell is ugly)
-perl -e 'foreach (@ARGV) {print "\n" if $n; $n++; open (FH, $_); print while(); close FH;}' $snippets \
- | sed >>"$tempdir/slapd.conf" \
+spacecat $snippets | sed >>"$tempdir/slapd.conf" \
 -e "s/@BACKEND@/$backend/g" \
 -e "s/@SUFFIX@/$basedn/g" \
 -e "s/@ADMIN@/cn=admin,$basedn/g"
+# TODO: Better separate core from normal lif files than "below 100"...
+file=99
 for section in core base cipux horde; do
- sed <"$masterdir/$section.ldif.in" >"$tempdir/$section.ldif" \
+ sed <"$masterdir/$section.ldif.in" >"$tempdir/${file}_$section.ldif" \
 -e "s/@SUFFIX@/$basedn/g" \
 -e "s/@DOMAIN@/$dnsdomain/g" \
 -e "s/@ORG@/$orgname/g"
+ file=$(($file + 1))
 done
+# FIXME: create cipuxadm in addition to below roles!
+
+# FIXME: fix apply passwords for roles in a sane way!
+uid=10100
+gid=10100
+file=200
+for role in admin professor assistant pupil student tutor teacher lecturer; do
+ uid="$(nextfreeid uid "$uid")"
+ gid="$(nextfreeid gid "$gid")"
+ snippets="$masterdir/cipux_rolegroup.ldif.in $masterdir/cipux_roleuser.ldif.in"
+ spacecat $snippets | sed >"$tempdir/${file}_$role.ldif" \
+ -e "s/@SUFFIX@/$basedn/g" \
+ -e "s/@ROLE@/$role/g" \
+ -e "s/@UID@/$uid/g" \
+ -e "s/@GID@/$gid/g" \
+ -e "s/@DOMAIN@/$dnsdomain/g" \
+ -e "s/@ORG@/$orgname/g"
+ uid=$(($uid + 1))
+ gid=$(($gid + 1))
+ file=$(($file + 1))
+done
+
+file=300
 for db in passwd group; do
 getent $db >"$tempdir/$db.dump"
- ( cd /usr/share/migrationtools && ./migrate_passwd.pl "$tempdir/$db.dump" >"$tempdir/$db.ldif" )
+ ( cd /usr/share/migrationtools && ./migrate_$db.pl "$tempdir/$db.dump" >"$tempdir/${file}_$db.ldif" )
+ file=$(($file + 1))
 done
 #invoke-rc.d slapd stop
-#slapadd -l "$tempdir/core.ldif"
+#slapadd -l "$tempdir/99_core.ldif"
 #invoke-rc.d slapd start
 #ldappasswd -x -h localhost -D "cn=admin,$basedn" -S -w supersecretpassword "cn=admin,$basedn"
-for section in base cipux horde; do
- ldapadd -x -h localhost -D "cn=admin,$basedn" -f "$tempdir/$section.ldif" -W
+for file in $(run-parts --list --regex '^1[0-9]{2}_[a-z0-9-]+\.ldif' "$tempdir"); do
+ ldapadd -x -h localhost -D "cn=admin,$basedn" -f "$file" -W
 done
 for role in cipux horde; do
 echo "Securing $role..."
@@ -83,3 +130,12 @@ EOF
 # TODO: Add "uid=cifsdc,ou=Entities,ou=Access Control,@SUFFIX@" to group
 # "cn=SAM,ou=Administrators,ou=Access Control,@SUFFIX@" for samba
+
+for file in $(run-parts --list --regex '^2[0-9]{2}_[a-z0-9-]+\.ldif' "$tempdir"); do
+ ldapadd -x -h localhost -D "cn=admin,$basedn" -f "$file" -W
+done
+
+# FIXME: Check (and maybe correct) basedn from migrationtools-generated ldifs
+#for file in $(run-parts --list --regex '^3[0-9]{2}_[a-z0-9-]+\.ldif' "$tempdir"); do
+# ldapadd -x -h localhost -D "cn=admin,$basedn" -f "$file" -W
+#done
-- cgit v1.2.3
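Review bot: `nextfreeid gid` consults column 4 of `getent passwd` (each user's primary gid) rather than `getent group`, so a gidNumber already owned by a group that no user has as primary — typically a system group — is reported free, and a role group rendered with that number would make its members implicit members of the existing group. Select the database by type: `uid) db="passwd"; column="3";;`, `gid) db="group"; column="3";;`, and `while getent "$db" | awk -F: "{ print \$$column }" | grep -Fqx "$id"; do`. An unrecognised type leaves `column` unset and hands awk a malformed program; a default arm that returns non-zero would make that fail loudly. Note also that the `return 1` on reaching `max` is invisible to the callers in the role loop, which capture the output in `$(...)` without checking the exit status and never pass a `max` at all.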
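Review bot: The new `2[0-9]{2}_*.ldif` loop loads the role entries exactly as rendered from the templates and nothing afterwards resets their credentials, so whatever `userPassword` the templates carry becomes the live password of `uid=admin,ou=User,ou=CipUX,$basedn` and the other seven roles the moment ldapadd succeeds. Follow the loop with a per-role reset in the script's existing interactive style, e.g. `for role in admin professor assistant pupil student tutor teacher lecturer; do ldappasswd -x -h localhost -D "cn=admin,$basedn" -W -S "uid=$role,ou=User,ou=CipUX,$basedn"; done`, or better, render a generated secret into each LDIF before loading. The rendered LDIFs, passwords included, together with the `getent passwd` and `getent group` dumps, also remain in `$tempdir` after the script exits; a `trap 'rm -rf "$tempdir"' EXIT` next to the mktemp call (outside this hunk) would remove them.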