LDAP isn't needed in lamdaemon.pl anymore because we authenticate

via ssh now
sudo will make sure only valid users are able to run lamdaemon.pl
This commit is contained in:
katagia 2003-09-20 13:01:09 +00:00
parent d0a0ae0b3c
commit 3794485199
2 changed files with 113 additions and 141 deletions


@ -36,11 +36,11 @@ thins to get it work.
Th install them, run: Th install them, run:
perl -MCPAN -e shell perl -MCPAN -e shell
install Quota install Quota
install Net::LDAP
install Net::SSH::Perl install Net::SSH::Perl
Please answer all questions to describe your system Please answer all questions to describe your system
Every additional needed module should be installed Every additional needed module should be installed
automaticly automaticly
LDAP isn't used in perl anymore
I installed Math::Pari, a needed module, by hand. I installed Math::Pari, a needed module, by hand.
I had many problems to install Math::Pari, a module needed I had many problems to install Math::Pari, a module needed


@ -24,20 +24,11 @@
###################################################### ######################################################
# Configure-Options # Configure-Options
# change only variables starting from here # change only variables starting from here
# list of valid admins
@admins = ('cn=Manager,dc=my-domain,dc=com',
'uid=test,ou=people,dc=my-domain,dc=com');
$server_ldap="127.0.0.1"; # IP or DNS of ldap-server
$server_ssh="127.0.0.1"; # IP or DNS of host to create homedirs, quota, .... $server_ssh="127.0.0.1"; # IP or DNS of host to create homedirs, quota, ....
$server_ssh_ident = "/var/lib/wwwrun/.ssh/id_dsa"; # SSH-Key to use $server_ssh_ident = "/var/lib/wwwrun/.ssh/id_dsa"; # SSH-Key to use
$path = "/srv/www/htdocs/lam/lib/lamdaemon.pl"; # path to ldap on remote-host $path = "/srv/www/htdocs/lam/lib/lamdaemon.pl"; # path to ldap on remote-host
$server_ldap_port='389'; # Port used from ldap
$server_tls='no'; # Use TLS?
$server_tls_verify='require'; # none,optional or require a valid server certificated
$server_tls_clientcert=''; # path to client certificate
$server_tls_clientkey=''; # path to client certificate
$server_tls_decryptkey=''; # To to decrypt clientkey
$server_tls_cafile='/etc/certificates/ca.cert'; # Path to CA-File
$debug=true; # Show debug messages $debug=true; # Show debug messages
# Don't change anything below this line # Don't change anything below this line
@ -45,7 +36,6 @@ $debug=true; # Show debug messages
use Quota; # Needed to get and set quotas use Quota; # Needed to get and set quotas
use Net::LDAP; # Needed to connect to ldap-server
#use strict; # Use strict for security reasons #use strict; # Use strict for security reasons
@quota_grp; @quota_grp;
@ -93,141 +83,123 @@ sub get_fs { # Load mountpoints from mtab if enabled quotas
if ($( == 0 ) { if ($( == 0 ) {
# Drop root Previleges # Drop root Previleges
($<, $>) = ($>, $<); ($<, $>) = ($>, $<);
foreach my $admin (@admins) { # Check if user is admin switch: {
if ($admin eq $vals[0]) { $found=true; } # Get user information
} if (($vals[5] eq 'u') || ($vals[3] eq 'home')) { @user = getpwnam($vals[2]); }
if ($found==true) { else { @user = getgrnam($vals[2]); }
# Connect to ldap-server and check if password is valid. $vals[3] eq 'home' && do {
$ldap = Net::LDAP->new($server_ldap, port => $server_ldap_port, version => 3) or die ('Can\'t connect to ldapserver.'); switch2: {
if ($server_tls eq 'yes') { $vals[4] eq 'add' && do {
$mesg = $ldap->start_tls( # split homedir to set all directories below the last dir. to 755
verify => $server_tls_verify, my $path = $user[7];
clientcert => $server_tls_clientcert, $path =~ s,/(?:[^/]*)$,,;
clientkey => $server_tls_clientkey, ($<, $>) = ($>, $<); # Get root privileges
decrypte => sub { $server_tls_decryptkey; }, if (! -e $path) {
cafile => $server_tls_cafile); system 'mkdir', '-m 755', '-p', $path; # Create paths to homedir
} }
$result = $ldap->bind (dn => $vals[0], password => $vals[1]) ; if (! -e $user[7]) {
$ldap->unbind(); # Close ldap connection. system 'mkdir', '-m 755', $user[7]; # Create himdir itself
if (!$result->code) { # password is valid system "cp -a /etc/skel/* /etc/skel/.[^.]* $user[7]"; # Copy /etc/sekl into homedir
switch: { system 'chown', '-R', "$user[2]:$user[3]" , $user[7]; # Change owner to new user
# Get user information if (-e '/usr/sbin/useradd.local') {
if (($vals[5] eq 'u') || ($vals[3] eq 'home')) { @user = getpwnam($vals[2]); } system '/usr/sbin/useradd.local', $user[0]; # run useradd-script
else { @user = getgrnam($vals[2]); }
$vals[3] eq 'home' && do {
switch2: {
$vals[4] eq 'add' && do {
# split homedir to set all directories below the last dir. to 755
my $path = $user[7];
$path =~ s,/(?:[^/]*)$,,;
($<, $>) = ($>, $<); # Get root privileges
if (! -e $path) {
system 'mkdir', '-m 755', '-p', $path; # Create paths to homedir
} }
if (! -e $user[7]) { }
system 'mkdir', '-m 755', $user[7]; # Create himdir itself ($<, $>) = ($>, $<); # Give up root previleges
system "cp -a /etc/skel/* /etc/skel/.[^.]* $user[7]"; # Copy /etc/sekl into homedir last switch2;
system 'chown', '-R', "$user[2]:$user[3]" , $user[7]; # Change owner to new user };
if (-e '/usr/sbin/useradd.local') { $vals[4] eq 'rem' && do {
system '/usr/sbin/useradd.local', $user[0]; # run useradd-script ($<, $>) = ($>, $<); # Get root previliges
} if (-d $user[7]) {
} system 'rm', '-R', $user[7]; # Delete Homedirectory
($<, $>) = ($>, $<); # Give up root previleges if (-e '/usr/sbin/userdel.local') {
last switch2;
};
$vals[4] eq 'rem' && do {
($<, $>) = ($>, $<); # Get root previliges
if (-d $user[7]) {
system 'rm', '-R', $user[7]; # Delete Homedirectory
system '/usr/sbin/userdel.local', $user[0]; system '/usr/sbin/userdel.local', $user[0];
} }
($<, $>) = ($>, $<); # Give up root previleges }
last switch2; ($<, $>) = ($>, $<); # Give up root previleges
}; last switch2;
};
}
last switch;
};
$vals[3] eq 'quota' && do {
get_fs(); # Load list of devices with enabled quotas
# Store quota information in array
@quota_temp1 = split (':', $vals[6]);
$group=0;
$i=0;
while ($quota_temp1[$i]) {
$j=0;
@temp = split (',', $quota_temp1[$i]);
while ($temp[$j]) {
$quota[$i][$j] = $temp[$j];
$j++;
} }
last switch; $i++;
}; }
$vals[3] eq 'quota' && do { if ($vals[5] eq 'u') { $group=false; } else {
get_fs(); # Load list of devices with enabled quotas $group=1;
# Store quota information in array @quota_usr = @quota_grp;
@quota_temp1 = split (':', $vals[6]); }
$group=0; switch2: {
$i=0; $vals[4] eq 'rem' && do {
while ($quota_temp1[$i]) { $i=0;
$j=0; ($<, $>) = ($>, $<); # Get root privileges
@temp = split (',', $quota_temp1[$i]); while ($quota_usr[$i][0]) {
while ($temp[$j]) { $dev = Quota::getqcarg($quota_usr[$i][1]);
$quota[$i][$j] = $temp[$j]; $return = Quota::setqlim($dev,$user[2],0,0,0,0,1,$group);
$j++; $i++;
} }
$i++; ($<, $>) = ($>, $<); # Give up root previleges
} last switch2;
if ($vals[5] eq 'u') { $group=false; } else { };
$group=1; $vals[4] eq 'set' && do {
@quota_usr = @quota_grp; $i=0;
} ($<, $>) = ($>, $<); # Get root privileges
switch2: { while ($quota_usr[$i][0]) {
$vals[4] eq 'rem' && do { $dev = Quota::getqcarg($quota[$i][0]);
$i=0; $return = Quota::setqlim($dev,$user[2],$quota[$i][1],$quota[$i][2],$quota[$i][3],$quota[$i][4],1,$group);
($<, $>) = ($>, $<); # Get root privileges $i++;
while ($quota_usr[$i][0]) { }
($<, $>) = ($>, $<); # Give up root previleges
last switch2;
};
$vals[4] eq 'get' && do {
$i=0;
($<, $>) = ($>, $<); # Get root privileges
while ($quota_usr[$i][0]) {
if ($vals[2]ne'+') {
$dev = Quota::getqcarg($quota_usr[$i][1]); $dev = Quota::getqcarg($quota_usr[$i][1]);
$return = Quota::setqlim($dev,$user[2],0,0,0,0,1,$group); @temp = Quota::query($dev,$user[2],$group);
$i++; if ($temp[0]ne'') {
} $return = "$quota_usr[$i][1],$temp[0],$temp[1],$temp[2],$temp[3],$temp[4],$temp[5],$temp[6],$temp[7]:$return";
($<, $>) = ($>, $<); # Give up root previleges }
last switch2;
};
$vals[4] eq 'set' && do {
$i=0;
($<, $>) = ($>, $<); # Get root privileges
while ($quota_usr[$i][0]) {
$dev = Quota::getqcarg($quota[$i][0]);
$return = Quota::setqlim($dev,$user[2],$quota[$i][1],$quota[$i][2],$quota[$i][3],$quota[$i][4],1,$group);
$i++;
}
($<, $>) = ($>, $<); # Give up root previleges
last switch2;
};
$vals[4] eq 'get' && do {
$i=0;
($<, $>) = ($>, $<); # Get root privileges
while ($quota_usr[$i][0]) {
if ($vals[2]ne'+') {
$dev = Quota::getqcarg($quota_usr[$i][1]);
@temp = Quota::query($dev,$user[2],$group);
if ($temp[0]ne'') {
$return = "$quota_usr[$i][1],$temp[0],$temp[1],$temp[2],$temp[3],$temp[4],$temp[5],$temp[6],$temp[7]:$return";
}
else { $return = "$quota_usr[$i][1],0,0,0,0,0,0,0,0:$return"; }
}
else { $return = "$quota_usr[$i][1],0,0,0,0,0,0,0,0:$return"; } else { $return = "$quota_usr[$i][1],0,0,0,0,0,0,0,0:$return"; }
$i++;
} }
($<, $>) = ($>, $<); # Give up root previleges else { $return = "$quota_usr[$i][1],0,0,0,0,0,0,0,0:$return"; }
last switch2; $i++;
}; }
} ($<, $>) = ($>, $<); # Give up root previleges
last switch; last switch2;
}; };
} }
} last switch;
else { $return = "Invalid Password"; } };
last switch;
};
print "$return\n";
} }
else { $return = "Invalid User"; }
print "$return\n";
}
else { else {
use Net::SSH::Perl; use Net::SSH::Perl;
@username = split (',', $vals[0]); @username = split (',', $vals[0]);
$username[0] =~ s/uid=//; $username[0] =~ s/uid=//;
my $ssh = Net::SSH::Perl->new($server_ssh, options=>[ my $ssh = Net::SSH::Perl->new($server_ssh, options=>[
"IdentityFile $server_ssh_ident", "IdentityFile $server_ssh_ident",
"UserKnownHostsFile /dev/null" "UserKnownHostsFile /dev/null"
]); ]);
$ssh->login($username[0], $vals[1]); $ssh->login($username[0], $vals[1]);
($stdout, $stderr, $exit) = $ssh->cmd("sudo $path @ARGV"); ($stdout, $stderr, $exit) = $ssh->cmd("sudo $path @ARGV");
print "$stdout"; print "$stdout";
} }
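Review bot: With the LDAP bind removed, `$vals[1]` is no longer read anywhere in the root-side `if ($( == 0)` branch, yet the non-root branch at the end of the section still forwards the whole argument list in `$ssh->cmd("sudo $path @ARGV")`; if `@vals` is split from `@ARGV` (that happens outside this hunk), the password now travels as a command-line argument of a root process for no purpose and is visible in the remote process list, so the password field should be dropped before the remote command is built. Since the `@admins` check is also gone, the sudoers entry is now the only authorization, which deserves a comment at the top of the root branch, e.g. `# Root side: no in-script authentication; the sudoers rule decides who may invoke this.` The remaining shell-string call `system "cp -a /etc/skel/* /etc/skel/.[^.]* $user[7]";` can use the list form with Perl's own glob, `system 'cp', '-a', glob('/etc/skel/* /etc/skel/.[^.]*'), $user[7];`, so a home directory path containing shell metacharacters is not interpreted by the shell as the other `system` calls already avoid. The code preceding the `if ($( == 0)` block, including where `@vals` is populated, lies outside the hunk.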