*** empty log message ***

katagia 2003-10-23 11:12:04 +00:00
parent e49648af93
commit 6bfc0fa071
5 changed files with 48 additions and 49 deletions


@ -50,18 +50,11 @@ thins to get it work.
* run make install * run make install
4. Set up ssh 4. Set up ssh
The ssh connection is done to remote hast as the user your On my System, Suse 9.0 I had to set usePAM no in /etc/ssh/sshd_config
webserver is running as. In my case it's wwwrun. to get lamdaemon.pl work
You have to connect one time to remote host because in most I had some problems to log in with ssh if the password hash of the
cases the host key has to added. admin-user was encrypted with {SSHA}. I had to change encryption
This can be done by connecting to remote host and confirm the for admin-accounts to {CRYPT} to get ssh work.
question about host authenticity.
Example (as root):
su wwwrun
ssh -l $admin-user $remotehost
Confirm all questions.
Exit the connection and connect again. You shouldn't be asked
about enything.
Now everything should work fine Now everything should work fine


@ -203,14 +203,16 @@ function getquotas($type,$user='+') {
$ldap_q = $_SESSION['ldap']->decrypt(); $ldap_q = $_SESSION['ldap']->decrypt();
/* $towrite has the following syntax: /* $towrite has the following syntax:
* admin-username, admin-password, account with quotas, 'quota', operation='get', type=user|group * admin-username, admin-password, account with quotas, 'quota', operation='get', type=user|group
* use escapeshellarg to make exec() shell-safe
*/ */
$towrite = $ldap_q[0].' '.$ldap_q[1].' '.$user.' quota get '; $towrite = escapeshellarg($ldap_q[0]).' '.escapeshellarg($ldap_q[1]).' '.escapeshellarg($user).' quota get ';
if ($type=='user') $towrite = $towrite.'u'; if ($type=='user') $towrite = $towrite.'u';
else $towrite = $towrite.'g'; else $towrite = $towrite.'g';
/* scriptServer is the IP to remote-host to which lam should connect via ssh /* scriptServer is the IP to remote-host to which lam should connect via ssh
* scriptPath is Path to lamdaemon.pl on remote system * scriptPath is Path to lamdaemon.pl on remote system
*/ */
exec("perl ".$_SESSION['lampath']."lib/lamdaemon.pl ".$_SESSION['config']->scriptServer ." ".$_SESSION['config']->scriptPath." ".$towrite, $vals, $status); exec("perl ".escapeshellarg($_SESSION['lampath']."lib/lamdaemon.pl")." ".escapeshellarg($_SESSION['config']->scriptServer)." ".escapeshellarg($_SESSION['config']->scriptPath)." ".$towrite, $vals, $status);
print("perl ".escapeshellarg($_SESSION['lampath']."lib/lamdaemon.pl")." ".escapeshellarg($_SESSION['config']->scriptServer)." ".escapeshellarg($_SESSION['config']->scriptPath)." ".$towrite);
/* $vals is a string which contains a two dimensional array. /* $vals is a string which contains a two dimensional array.
* We have to recreate it with explode * We have to recreate it with explode
* *
@ -244,8 +246,9 @@ function setquotas($values,$values_old=false) {
$ldap_q = $_SESSION['ldap']->decrypt(); $ldap_q = $_SESSION['ldap']->decrypt();
/* $towrite has the following syntax: /* $towrite has the following syntax:
* admin-username, admin-password, account with quotas, 'quota', operation='set', type=user|group * admin-username, admin-password, account with quotas, 'quota', operation='set', type=user|group
* use escapeshellarg to make exec() shell-safe
*/ */
$towrite = $ldap_q[0].' '.$ldap_q[1].' '.$values->general_username.' quota set '; $towrite = escapeshellarg($ldap_q[0]).' '.escapeshellarg($ldap_q[1]).' '.escapeshellarg($values->general_username).' quota set ';
if ($values->type=='user') $towrite = $towrite.'u '; if ($values->type=='user') $towrite = $towrite.'u ';
else $towrite = $towrite.'g '; else $towrite = $towrite.'g ';
$i=0; $i=0;
@ -260,16 +263,17 @@ function setquotas($values,$values_old=false) {
*/ */
while ($values->quota[$i][0]) { while ($values->quota[$i][0]) {
if ($values->quota[$i] != $values_old->quota[$i]) { if ($values->quota[$i] != $values_old->quota[$i]) {
$towrite = $towrite. $values->quota[$i][0] .','.$values->quota[$i][2] .','.$values->quota[$i][3] $quotastring = $quotastring. $values->quota[$i][0] .','.$values->quota[$i][2] .','.$values->quota[$i][3]
.','.$values->quota[$i][6] .','. $values->quota[$i][7] .':'; .','.$values->quota[$i][6] .','. $values->quota[$i][7] .':';
} }
$i++; $i++;
} }
$towrite = $towrite . escapeshellarg($quotastring);
/* scriptServer is the IP to remote-host to which lam should connect via ssh /* scriptServer is the IP to remote-host to which lam should connect via ssh
* scriptPath is Path to lamdaemon.pl on remote system * scriptPath is Path to lamdaemon.pl on remote system
* only run lamdaemon.pl if quotas are really set, $i!=0 * only run lamdaemon.pl if quotas are really set, $i!=0
*/ */
if ($i!=0) exec(("perl ".$_SESSION['lampath']."lib/lamdaemon.pl ".$_SESSION['config']->scriptServer ." ".$_SESSION['config']->scriptPath." ".$towrite), $vals); if ($i!=0) exec(("perl ".escapeshellarg($_SESSION['lampath']."lib/lamdaemon.pl")." ".escapeshellarg($_SESSION['config']->scriptServer)." ".escapeshellarg($_SESSION['config']->scriptPath)." ".$towrite), $vals);
} }
@ -283,14 +287,15 @@ function remquotas($user, $type) {
$ldap_q = $_SESSION['ldap']->decrypt(); $ldap_q = $_SESSION['ldap']->decrypt();
/* $towrite has the following syntax: /* $towrite has the following syntax:
* admin-username, admin-password, account with quotas, 'quota', operation='rem', type=user|group * admin-username, admin-password, account with quotas, 'quota', operation='rem', type=user|group
* use escapeshellarg to make exec() shell-safe
*/ */
$towrite = $ldap_q[0].' '.$ldap_q[1].' '.$user.' quota rem '; $towrite = escapeshellarg($ldap_q[0]).' '.escapeshellarg($ldap_q[1]).' '.escapeshellarg($user).' quota rem ';
if ($type=='user') $towrite = $towrite.'u '; if ($type=='user') $towrite = $towrite.'u ';
else $towrite = $towrite.'g '; else $towrite = $towrite.'g ';
/* scriptServer is the IP to remote-host to which lam should connect via ssh /* scriptServer is the IP to remote-host to which lam should connect via ssh
* scriptPath is Path to lamdaemon.pl on remote system * scriptPath is Path to lamdaemon.pl on remote system
*/ */
exec(("perl ".$_SESSION['lampath']."lib/lamdaemon.pl ".$_SESSION['config']->scriptServer ." ".$_SESSION['config']->scriptPath." ".$towrite), $vals); exec(("perl ".escapeshellarg($_SESSION['lampath']."lib/lamdaemon.pl")." ".escapeshellarg($_SESSION['config']->scriptServer)." ".escapeshellarg($_SESSION['config']->scriptPath)." ".$towrite), $vals);
} }
@ -304,12 +309,13 @@ function addhomedir($user) {
$ldap_q = $_SESSION['ldap']->decrypt(); $ldap_q = $_SESSION['ldap']->decrypt();
/* $towrite has the following syntax: /* $towrite has the following syntax:
* admin-username, admin-password, owner of homedir, 'home', operation='add' * admin-username, admin-password, owner of homedir, 'home', operation='add'
* use escapeshellarg to make exec() shell-safe
*/ */
$towrite = $ldap_q[0].' '.$ldap_q[1].' '.$user.' home add'; $towrite = escapeshellarg($ldap_q[0]).' '.escapeshellarg($ldap_q[1]).' '.escapeshellarg($user).' home add';
/* scriptServer is the IP to remote-host to which lam should connect via ssh /* scriptServer is the IP to remote-host to which lam should connect via ssh
* scriptPath is Path to lamdaemon.pl on remote system * scriptPath is Path to lamdaemon.pl on remote system
*/ */
exec(("perl ".$_SESSION['lampath']."lib/lamdaemon.pl ".$_SESSION['config']->scriptServer ." ".$_SESSION['config']->scriptPath." ".$towrite), $vals); exec(("perl ".escapeshellarg($_SESSION['lampath']."lib/lamdaemon.pl")." ".escapeshellarg($_SESSION['config']->scriptServer)." ".escapeshellarg($_SESSION['config']->scriptPath)." ".$towrite), $vals);
} }
@ -325,12 +331,13 @@ function remhomedir($user) {
$ldap_q = $_SESSION['ldap']->decrypt(); $ldap_q = $_SESSION['ldap']->decrypt();
/* $towrite has the following syntax: /* $towrite has the following syntax:
* admin-username, admin-password, owner of homedir, 'home', operation='rem' * admin-username, admin-password, owner of homedir, 'home', operation='rem'
* use escapeshellarg to make exec() shell-safe
*/ */
$towrite = $ldap_q[0].' '.$ldap_q[1].' '.$user.' home rem'; $towrite = escapeshellarg($ldap_q[0]).' '.escapeshellarg($ldap_q[1]).' '.escapeshellarg($user).' home rem';
/* scriptServer is the IP to remote-host to which lam should connect via ssh /* scriptServer is the IP to remote-host to which lam should connect via ssh
* scriptPath is Path to lamdaemon.pl on remote system * scriptPath is Path to lamdaemon.pl on remote system
*/ */
exec(("perl ".$_SESSION['lampath']."lib/lamdaemon.pl ".$_SESSION['config']->scriptServer ." ".$_SESSION['config']->scriptPath." ".$towrite), $vals); exec(("perl ".escapeshellarg($_SESSION['lampath']."lib/lamdaemon.pl")." ".escapeshellarg($_SESSION['config']->scriptServer)." ".escapeshellarg($_SESSION['config']->scriptPath)." ".$towrite), $vals);
} }
@ -1087,9 +1094,10 @@ function createuser($values) {
$attr['sambaLMPassword'] = 'NO PASSWORD*****'; $attr['sambaLMPassword'] = 'NO PASSWORD*****';
} }
else { else {
// use escapeshellarg() to make command shell-secure
// Set samba-passwords with external perl-script // Set samba-passwords with external perl-script
$attr['sambaNTPassword'] = exec(($_SESSION['lampath'].'lib/createntlm.pl nt ' . $values->smb_password)); $attr['sambaNTPassword'] = exec(escapeshellarg($_SESSION['lampath'].'lib/createntlm.pl')." nt ".escapeshellarg($values->smb_password));
$attr['sambaLMPassword'] = exec(($_SESSION['lampath'].'lib/createntlm.pl lm ' . $values->smb_password)); $attr['sambaLMPassword'] = exec(escapeshellarg($_SESSION['lampath'].'lib/createntlm.pl')." lm ".escapeshellarg($values->smb_password));
} }
$attr['sambaPwdLastSet'] = time(); $attr['sambaPwdLastSet'] = time();
// Generate SID // Generate SID
@ -1118,9 +1126,10 @@ function createuser($values) {
$attr['lmPassword'] = 'NO PASSWORD*****'; $attr['lmPassword'] = 'NO PASSWORD*****';
} }
else { else {
// use escapeshellarg() to make command shell-secure
// Set samba-passwords with external perl-script // Set samba-passwords with external perl-script
$attr['ntPassword'] = exec(($_SESSION['lampath'].'lib/createntlm.pl nt ' . $values->smb_password)); $attr['ntPassword'] = exec(escapeshellarg($_SESSION['lampath'].'lib/createntlm.pl')." nt ".escapeshellarg($values->smb_password));
$attr['lmPassword'] = exec(($_SESSION['lampath'].'lib/createntlm.pl lm ' . $values->smb_password)); $attr['lmPassword'] = exec(escapeshellarg($_SESSION['lampath'].'lib/createntlm.pl')." lm ".escapeshellarg($values->smb_password));
} }
$attr['pwdLastSet'] = time(); $attr['pwdLastSet'] = time();
// Generate pseudo SID // Generate pseudo SID
@ -1286,7 +1295,7 @@ function modifyuser($values,$values_old) { // Will modify the LDAP-Account
$attr_rem['shadowInactive'] = $values_old->unix_pwdallowlogin; // shadowAccount_may $attr_rem['shadowInactive'] = $values_old->unix_pwdallowlogin; // shadowAccount_may
} }
// Check if shadow expire has changed // Check if shadow expire has changed
if ($values->unix_pwdexpire != $values_old->unix_pwdexpire) $attr['shadowExpire'] = $values->unix_pwdexpire / 86400 ; if ($values->unix_pwdexpire != $values_old->unix_pwdexpire) $attr['shadowExpire'] = intval($values->unix_pwdexpire / 86400) ;
// Set unix password // Set unix password
if ($values->unix_password=='') { if ($values->unix_password=='') {
// $values->unix_password=='' means use old password // $values->unix_password=='' means use old password
@ -1390,9 +1399,10 @@ function modifyuser($values,$values_old) { // Will modify the LDAP-Account
} }
else else
if ($values->smb_password!='') { if ($values->smb_password!='') {
// Set new samba password // use escapeshellarg() to make command shell-secure
$attr['sambaNTPassword'] = exec(($_SESSION['lampath'].'lib/createntlm.pl nt ' . $values->smb_password)); // Set samba-passwords with external perl-script
$attr['sambaLMPassword'] = exec(($_SESSION['lampath'].'lib/createntlm.pl lm ' . $values->smb_password)); $attr['sambaNTPassword'] = exec(escapeshellarg($_SESSION['lampath'].'lib/createntlm.pl')." nt ".escapeshellarg($values->smb_password));
$attr['sambaLMPassword'] = exec(escapeshellarg($_SESSION['lampath'].'lib/createntlm.pl')." lm ".escapeshellarg($values->smb_password));
$attr['sambaPwdLastSet'] = time(); // sambaAccount_may $attr['sambaPwdLastSet'] = time(); // sambaAccount_may
} }
// Check which Samba-Attributes have changed // Check which Samba-Attributes have changed
@ -1477,9 +1487,10 @@ function modifyuser($values,$values_old) { // Will modify the LDAP-Account
} }
else else
if ($values->smb_password!='') { if ($values->smb_password!='') {
// Set new samba password // use escapeshellarg() to make command shell-secure
$attr['ntPassword'] = exec(($_SESSION['lampath'].'lib/createntlm.pl nt ' . $values->smb_password)); // Set samba-passwords with external perl-script
$attr['lmPassword'] = exec(($_SESSION['lampath'].'lib/createntlm.pl lm ' . $values->smb_password)); $attr['ntPassword'] = exec(escapeshellarg($_SESSION['lampath'].'lib/createntlm.pl')." nt ".escapeshellarg($values->smb_password));
$attr['lmPassword'] = exec(escapeshellarg($_SESSION['lampath'].'lib/createntlm.pl')." lm ".escapeshellarg($values->smb_password));
$attr['pwdLastSet'] = time(); // sambaAccount_may $attr['pwdLastSet'] = time(); // sambaAccount_may
} }
// Check which Samba-Attributes have changed // Check which Samba-Attributes have changed
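Review bot: The `print(...)` line added directly after the `exec()` call in getquotas() writes the whole command line into the page output, including the decrypted admin username and password taken from `$ldap_q`; it looks like leftover debugging and should be removed. Separately, `escapeshellarg()` stops shell injection, but the admin password and `$values->smb_password` are still passed as process arguments to lamdaemon.pl and createntlm.pl in every hunk of this file, so they can show up in the process list on the web host; passing them over stdin would avoid that. In setquotas(), `$quotastring` is appended to without being initialised, so add `$quotastring = '';` before the `while` loop.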


@ -68,9 +68,6 @@ sub get_fs { # Load mountpoints from mtab if enabled quotas
} }
# ***************** Check values # ***************** Check values
if ($( == 0 ) { if ($( == 0 ) {
# Drop root Previleges # Drop root Previleges
($<, $>) = ($>, $<); ($<, $>) = ($>, $<);
@ -187,9 +184,8 @@ else {
@username = split (',', $ARGV[0]); @username = split (',', $ARGV[0]);
$username[0] =~ s/uid=//; $username[0] =~ s/uid=//;
my $ssh = Net::SSH::Perl->new($hostname, options=>[ my $ssh = Net::SSH::Perl->new($hostname, options=>[
#"IdentityFile /var/lib/wwwrun/.ssh/id_dsa", "UserKnownHostsFile /dev/null"
"UserKnownHostsFile /dev/null" ]);
]);
$ssh->login($username[0], $ARGV[1]); $ssh->login($username[0], $ARGV[1]);
($stdout, $stderr, $exit) = $ssh->cmd("sudo $remotepath @ARGV"); ($stdout, $stderr, $exit) = $ssh->cmd("sudo $remotepath @ARGV");
print "$stdout"; print "$stdout";
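Review bot: The unchanged `$ssh->cmd("sudo $remotepath @ARGV")` line in the second hunk joins `@ARGV` with spaces and hands the result to the remote shell unquoted. The `escapeshellarg()` quoting that this commit adds on the PHP side is consumed by the local shell, so user names, quota strings and the admin password reach the remote shell raw. Quote each element before interpolating, e.g. `my @q = map { (my $s = $_) =~ s/'/'\\''/g; "'$s'" } @ARGV;` and then `$ssh->cmd("sudo $remotepath @q")`. The retained `"UserKnownHostsFile /dev/null"` option also means no host key is ever remembered, so the password given to `$ssh->login` goes to a host whose identity is not checked against a stored key; pointing it at a real known_hosts file restores that check. The enclosing `else {` block starts and ends outside this hunk.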


@ -345,7 +345,7 @@ do { // X-Or, only one if() can be true
$errors[] = array('INFO', _('GID-number has changed. You have to run the following command as root in order to change existing file-permissions:'), $errors[] = array('INFO', _('GID-number has changed. You have to run the following command as root in order to change existing file-permissions:'),
'find / -gid ' . $account_old->general_uidNumber . ' -exec chgrp ' . $account_new->general_uidNumber . ' {} \;'); 'find / -gid ' . $account_old->general_uidNumber . ' -exec chgrp ' . $account_new->general_uidNumber . ' {} \;');
// Go from final to next page if no error did ocour // Go from final to next page if no error did ocour
if (!$stay)) $select_local='final'; if (!$stay) $select_local='final';
else $select_local=$_POST['select']; else $select_local=$_POST['select'];
break; break;
} }


@ -172,12 +172,7 @@ echo '</title>'.
'<meta http-equiv="pragma" content="no-cache">'. '<meta http-equiv="pragma" content="no-cache">'.
'<meta http-equiv="cache-control" content="no-cache">'. '<meta http-equiv="cache-control" content="no-cache">'.
'</head><body>'. '</head><body>'.
'<form enctype="multipart/form-data" action="massdetail.php" method="post">'. '<form enctype="multipart/form-data" action="massdetail.php" method="post">';
'<table class="massdetail" width="100%">';
// Store variabled in $_POST
echo '<tr><td><input name="type" type="hidden" value="'.$select.'"></td></tr>';
echo '<tr><td><input name="row" type="hidden" value="'.$row.'"></td></tr>';
// Display errir-messages // Display errir-messages
if (is_array($errors2)) if (is_array($errors2))
for ($i=0; $i<sizeof($errors2); $i++) StatusMessage($errors2[$i][0], $errors2[$i][1], $errors2[$i][2]); for ($i=0; $i<sizeof($errors2); $i++) StatusMessage($errors2[$i][0], $errors2[$i][1], $errors2[$i][2]);
@ -207,6 +202,10 @@ switch ($select) {
StatusMessage('WARN', _('Check values.'), $_SESSION['errors'][$row][$i][2]); StatusMessage('WARN', _('Check values.'), $_SESSION['errors'][$row][$i][2]);
break; break;
case 'detail': case 'detail':
echo '<table class="massdetail" width="100%">';
// Store variabled in $_POST
echo '<tr><td><input name="type" type="hidden" value="'.$select.'"></td></tr>';
echo '<tr><td><input name="row" type="hidden" value="'.$row.'"></td></tr>';
echo '<tr><td>'; echo '<tr><td>';
echo _('Surname').'*'; echo _('Surname').'*';
echo '</td>'."\n".'<td>'. echo '</td>'."\n".'<td>'.
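Review bot: The hidden `type` and `row` inputs moved into `case 'detail':` still concatenate `$select` and `$row` into attribute values without HTML encoding. Where those variables are assigned is outside this hunk, but if either comes from the request, a value containing a double quote breaks out of the attribute; `value="'.htmlspecialchars($row, ENT_QUOTES).'"` (and the same for `$select`) closes that. It is also worth confirming that the other `switch` branches, which are not fully visible here, do not rely on the `<table class="massdetail">` that is now opened only in this case.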