WMDE
/
LDAPAccountManager
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

*** empty log message ***

This commit is contained in:
katagia 2003-10-23 11:12:04 +00:00
parent e49648af93
commit 6bfc0fa071
5 changed files with 48 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
lam/docs/README.lamdaemon.pl
View File

@ -48,21 +48,14 @@ thins to get it work.
"OPTIMIZE = -O1 --pipe". "OPTIMIZE = -O1 --pipe".
* run make * run make
* run make install * run make install
4. Set up ssh
The ssh connection is done to remote hast as the user your
webserver is running as. In my case it's wwwrun.
You have to connect one time to remote host because in most
cases the host key has to added.
This can be done by connecting to remote host and confirm the
question about host authenticity.
Example (as root):
su wwwrun
ssh -l $admin-user $remotehost
Confirm all questions.
Exit the connection and connect again. You shouldn't be asked
about enything.
4. Set up ssh
On my System, Suse 9.0 I had to set usePAM no in /etc/ssh/sshd_config
to get lamdaemon.pl work
I had some problems to log in with ssh if the password hash of the
admin-user was encrypted with {SSHA}. I had to change encryption
for admin-accounts to {CRYPT} to get ssh work.
Now everything should work fine Now everything should work fine
This is a very incomplete Documention for Alpha-Release only. This is a very incomplete Documention for Alpha-Release only.

55
lam/lib/account.inc
View File

@ -203,14 +203,16 @@ function getquotas($type,$user='+') {
$ldap_q = $_SESSION['ldap']->decrypt(); $ldap_q = $_SESSION['ldap']->decrypt();
/* $towrite has the following syntax: /* $towrite has the following syntax:
* admin-username, admin-password, account with quotas, 'quota', operation='get', type=user|group * admin-username, admin-password, account with quotas, 'quota', operation='get', type=user|group
* use escapeshellarg to make exec() shell-safe
*/ */
$towrite = $ldap_q[0].' '.$ldap_q[1].' '.$user.' quota get '; $towrite = escapeshellarg($ldap_q[0]).' '.escapeshellarg($ldap_q[1]).' '.escapeshellarg($user).' quota get ';
if ($type=='user') $towrite = $towrite.'u'; if ($type=='user') $towrite = $towrite.'u';
else $towrite = $towrite.'g'; else $towrite = $towrite.'g';
/* scriptServer is the IP to remote-host to which lam should connect via ssh /* scriptServer is the IP to remote-host to which lam should connect via ssh
* scriptPath is Path to lamdaemon.pl on remote system * scriptPath is Path to lamdaemon.pl on remote system
*/ */
exec("perl ".$_SESSION['lampath']."lib/lamdaemon.pl ".$_SESSION['config']->scriptServer ." ".$_SESSION['config']->scriptPath." ".$towrite, $vals, $status); exec("perl ".escapeshellarg($_SESSION['lampath']."lib/lamdaemon.pl")." ".escapeshellarg($_SESSION['config']->scriptServer)." ".escapeshellarg($_SESSION['config']->scriptPath)." ".$towrite, $vals, $status);
print("perl ".escapeshellarg($_SESSION['lampath']."lib/lamdaemon.pl")." ".escapeshellarg($_SESSION['config']->scriptServer)." ".escapeshellarg($_SESSION['config']->scriptPath)." ".$towrite);
/* $vals is a string which contains a two dimensional array. /* $vals is a string which contains a two dimensional array.
* We have to recreate it with explode * We have to recreate it with explode
* *
@ -244,8 +246,9 @@ function setquotas($values,$values_old=false) {
$ldap_q = $_SESSION['ldap']->decrypt(); $ldap_q = $_SESSION['ldap']->decrypt();
/* $towrite has the following syntax: /* $towrite has the following syntax:
* admin-username, admin-password, account with quotas, 'quota', operation='set', type=user|group * admin-username, admin-password, account with quotas, 'quota', operation='set', type=user|group
* use escapeshellarg to make exec() shell-safe
*/ */
$towrite = $ldap_q[0].' '.$ldap_q[1].' '.$values->general_username.' quota set '; $towrite = escapeshellarg($ldap_q[0]).' '.escapeshellarg($ldap_q[1]).' '.escapeshellarg($values->general_username).' quota set ';
if ($values->type=='user') $towrite = $towrite.'u '; if ($values->type=='user') $towrite = $towrite.'u ';
else $towrite = $towrite.'g '; else $towrite = $towrite.'g ';
$i=0; $i=0;
@ -260,16 +263,17 @@ function setquotas($values,$values_old=false) {
*/ */
while ($values->quota[$i][0]) { while ($values->quota[$i][0]) {
if ($values->quota[$i] != $values_old->quota[$i]) { if ($values->quota[$i] != $values_old->quota[$i]) {
$towrite = $towrite. $values->quota[$i][0] .','.$values->quota[$i][2] .','.$values->quota[$i][3] $quotastring = $quotastring. $values->quota[$i][0] .','.$values->quota[$i][2] .','.$values->quota[$i][3]
.','.$values->quota[$i][6] .','. $values->quota[$i][7] .':'; .','.$values->quota[$i][6] .','. $values->quota[$i][7] .':';
} }
$i++; $i++;
} }
$towrite = $towrite . escapeshellarg($quotastring);
/* scriptServer is the IP to remote-host to which lam should connect via ssh /* scriptServer is the IP to remote-host to which lam should connect via ssh
* scriptPath is Path to lamdaemon.pl on remote system * scriptPath is Path to lamdaemon.pl on remote system
* only run lamdaemon.pl if quotas are really set, $i!=0 * only run lamdaemon.pl if quotas are really set, $i!=0
*/ */
if ($i!=0) exec(("perl ".$_SESSION['lampath']."lib/lamdaemon.pl ".$_SESSION['config']->scriptServer ." ".$_SESSION['config']->scriptPath." ".$towrite), $vals); if ($i!=0) exec(("perl ".escapeshellarg($_SESSION['lampath']."lib/lamdaemon.pl")." ".escapeshellarg($_SESSION['config']->scriptServer)." ".escapeshellarg($_SESSION['config']->scriptPath)." ".$towrite), $vals);
} }
@ -283,14 +287,15 @@ function remquotas($user, $type) {
$ldap_q = $_SESSION['ldap']->decrypt(); $ldap_q = $_SESSION['ldap']->decrypt();
/* $towrite has the following syntax: /* $towrite has the following syntax:
* admin-username, admin-password, account with quotas, 'quota', operation='rem', type=user|group * admin-username, admin-password, account with quotas, 'quota', operation='rem', type=user|group
* use escapeshellarg to make exec() shell-safe
*/ */
$towrite = $ldap_q[0].' '.$ldap_q[1].' '.$user.' quota rem '; $towrite = escapeshellarg($ldap_q[0]).' '.escapeshellarg($ldap_q[1]).' '.escapeshellarg($user).' quota rem ';
if ($type=='user') $towrite = $towrite.'u '; if ($type=='user') $towrite = $towrite.'u ';
else $towrite = $towrite.'g '; else $towrite = $towrite.'g ';
/* scriptServer is the IP to remote-host to which lam should connect via ssh /* scriptServer is the IP to remote-host to which lam should connect via ssh
* scriptPath is Path to lamdaemon.pl on remote system * scriptPath is Path to lamdaemon.pl on remote system
*/ */
exec(("perl ".$_SESSION['lampath']."lib/lamdaemon.pl ".$_SESSION['config']->scriptServer ." ".$_SESSION['config']->scriptPath." ".$towrite), $vals); exec(("perl ".escapeshellarg($_SESSION['lampath']."lib/lamdaemon.pl")." ".escapeshellarg($_SESSION['config']->scriptServer)." ".escapeshellarg($_SESSION['config']->scriptPath)." ".$towrite), $vals);
} }
@ -304,12 +309,13 @@ function addhomedir($user) {
$ldap_q = $_SESSION['ldap']->decrypt(); $ldap_q = $_SESSION['ldap']->decrypt();
/* $towrite has the following syntax: /* $towrite has the following syntax:
* admin-username, admin-password, owner of homedir, 'home', operation='add' * admin-username, admin-password, owner of homedir, 'home', operation='add'
* use escapeshellarg to make exec() shell-safe
*/ */
$towrite = $ldap_q[0].' '.$ldap_q[1].' '.$user.' home add'; $towrite = escapeshellarg($ldap_q[0]).' '.escapeshellarg($ldap_q[1]).' '.escapeshellarg($user).' home add';
/* scriptServer is the IP to remote-host to which lam should connect via ssh /* scriptServer is the IP to remote-host to which lam should connect via ssh
* scriptPath is Path to lamdaemon.pl on remote system * scriptPath is Path to lamdaemon.pl on remote system
*/ */
exec(("perl ".$_SESSION['lampath']."lib/lamdaemon.pl ".$_SESSION['config']->scriptServer ." ".$_SESSION['config']->scriptPath." ".$towrite), $vals); exec(("perl ".escapeshellarg($_SESSION['lampath']."lib/lamdaemon.pl")." ".escapeshellarg($_SESSION['config']->scriptServer)." ".escapeshellarg($_SESSION['config']->scriptPath)." ".$towrite), $vals);
} }
@ -325,12 +331,13 @@ function remhomedir($user) {
$ldap_q = $_SESSION['ldap']->decrypt(); $ldap_q = $_SESSION['ldap']->decrypt();
/* $towrite has the following syntax: /* $towrite has the following syntax:
* admin-username, admin-password, owner of homedir, 'home', operation='rem' * admin-username, admin-password, owner of homedir, 'home', operation='rem'
* use escapeshellarg to make exec() shell-safe
*/ */
$towrite = $ldap_q[0].' '.$ldap_q[1].' '.$user.' home rem'; $towrite = escapeshellarg($ldap_q[0]).' '.escapeshellarg($ldap_q[1]).' '.escapeshellarg($user).' home rem';
/* scriptServer is the IP to remote-host to which lam should connect via ssh /* scriptServer is the IP to remote-host to which lam should connect via ssh
* scriptPath is Path to lamdaemon.pl on remote system * scriptPath is Path to lamdaemon.pl on remote system
*/ */
exec(("perl ".$_SESSION['lampath']."lib/lamdaemon.pl ".$_SESSION['config']->scriptServer ." ".$_SESSION['config']->scriptPath." ".$towrite), $vals); exec(("perl ".escapeshellarg($_SESSION['lampath']."lib/lamdaemon.pl")." ".escapeshellarg($_SESSION['config']->scriptServer)." ".escapeshellarg($_SESSION['config']->scriptPath)." ".$towrite), $vals);
} }
@ -1087,9 +1094,10 @@ function createuser($values) {
$attr['sambaLMPassword'] = 'NO PASSWORD*****'; $attr['sambaLMPassword'] = 'NO PASSWORD*****';
} }
else { else {
// use escapeshellarg() to make command shell-secure
// Set samba-passwords with external perl-script // Set samba-passwords with external perl-script
$attr['sambaNTPassword'] = exec(($_SESSION['lampath'].'lib/createntlm.pl nt ' . $values->smb_password)); $attr['sambaNTPassword'] = exec(escapeshellarg($_SESSION['lampath'].'lib/createntlm.pl')." nt ".escapeshellarg($values->smb_password));
$attr['sambaLMPassword'] = exec(($_SESSION['lampath'].'lib/createntlm.pl lm ' . $values->smb_password)); $attr['sambaLMPassword'] = exec(escapeshellarg($_SESSION['lampath'].'lib/createntlm.pl')." lm ".escapeshellarg($values->smb_password));
} }
$attr['sambaPwdLastSet'] = time(); $attr['sambaPwdLastSet'] = time();
// Generate SID // Generate SID
@ -1118,9 +1126,10 @@ function createuser($values) {
$attr['lmPassword'] = 'NO PASSWORD*****'; $attr['lmPassword'] = 'NO PASSWORD*****';
} }
else { else {
// use escapeshellarg() to make command shell-secure
// Set samba-passwords with external perl-script // Set samba-passwords with external perl-script
$attr['ntPassword'] = exec(($_SESSION['lampath'].'lib/createntlm.pl nt ' . $values->smb_password)); $attr['ntPassword'] = exec(escapeshellarg($_SESSION['lampath'].'lib/createntlm.pl')." nt ".escapeshellarg($values->smb_password));
$attr['lmPassword'] = exec(($_SESSION['lampath'].'lib/createntlm.pl lm ' . $values->smb_password)); $attr['lmPassword'] = exec(escapeshellarg($_SESSION['lampath'].'lib/createntlm.pl')." lm ".escapeshellarg($values->smb_password));
} }
$attr['pwdLastSet'] = time(); $attr['pwdLastSet'] = time();
// Generate pseudo SID // Generate pseudo SID
@ -1286,7 +1295,7 @@ function modifyuser($values,$values_old) { // Will modify the LDAP-Account
$attr_rem['shadowInactive'] = $values_old->unix_pwdallowlogin; // shadowAccount_may $attr_rem['shadowInactive'] = $values_old->unix_pwdallowlogin; // shadowAccount_may
} }
// Check if shadow expire has changed // Check if shadow expire has changed
if ($values->unix_pwdexpire != $values_old->unix_pwdexpire) $attr['shadowExpire'] = $values->unix_pwdexpire / 86400 ; if ($values->unix_pwdexpire != $values_old->unix_pwdexpire) $attr['shadowExpire'] = intval($values->unix_pwdexpire / 86400) ;
// Set unix password // Set unix password
if ($values->unix_password=='') { if ($values->unix_password=='') {
// $values->unix_password=='' means use old password // $values->unix_password=='' means use old password
@ -1390,9 +1399,10 @@ function modifyuser($values,$values_old) { // Will modify the LDAP-Account
} }
else else
if ($values->smb_password!='') { if ($values->smb_password!='') {
// Set new samba password // use escapeshellarg() to make command shell-secure
$attr['sambaNTPassword'] = exec(($_SESSION['lampath'].'lib/createntlm.pl nt ' . $values->smb_password)); // Set samba-passwords with external perl-script
$attr['sambaLMPassword'] = exec(($_SESSION['lampath'].'lib/createntlm.pl lm ' . $values->smb_password)); $attr['sambaNTPassword'] = exec(escapeshellarg($_SESSION['lampath'].'lib/createntlm.pl')." nt ".escapeshellarg($values->smb_password));
$attr['sambaLMPassword'] = exec(escapeshellarg($_SESSION['lampath'].'lib/createntlm.pl')." lm ".escapeshellarg($values->smb_password));
$attr['sambaPwdLastSet'] = time(); // sambaAccount_may $attr['sambaPwdLastSet'] = time(); // sambaAccount_may
} }
// Check which Samba-Attributes have changed // Check which Samba-Attributes have changed
@ -1477,9 +1487,10 @@ function modifyuser($values,$values_old) { // Will modify the LDAP-Account
} }
else else
if ($values->smb_password!='') { if ($values->smb_password!='') {
// Set new samba password // use escapeshellarg() to make command shell-secure
$attr['ntPassword'] = exec(($_SESSION['lampath'].'lib/createntlm.pl nt ' . $values->smb_password)); // Set samba-passwords with external perl-script
$attr['lmPassword'] = exec(($_SESSION['lampath'].'lib/createntlm.pl lm ' . $values->smb_password)); $attr['ntPassword'] = exec(escapeshellarg($_SESSION['lampath'].'lib/createntlm.pl')." nt ".escapeshellarg($values->smb_password));
$attr['lmPassword'] = exec(escapeshellarg($_SESSION['lampath'].'lib/createntlm.pl')." lm ".escapeshellarg($values->smb_password));
$attr['pwdLastSet'] = time(); // sambaAccount_may $attr['pwdLastSet'] = time(); // sambaAccount_may
} }
// Check which Samba-Attributes have changed // Check which Samba-Attributes have changed

8
lam/lib/lamdaemon.pl
View File

@ -68,9 +68,6 @@ sub get_fs { # Load mountpoints from mtab if enabled quotas
} }
# ***************** Check values # ***************** Check values
if ($( == 0 ) { if ($( == 0 ) {
# Drop root Previleges # Drop root Previleges
($<, $>) = ($>, $<); ($<, $>) = ($>, $<);
@ -187,9 +184,8 @@ else {
@username = split (',', $ARGV[0]); @username = split (',', $ARGV[0]);
$username[0] =~ s/uid=//; $username[0] =~ s/uid=//;
my $ssh = Net::SSH::Perl->new($hostname, options=>[ my $ssh = Net::SSH::Perl->new($hostname, options=>[
#"IdentityFile /var/lib/wwwrun/.ssh/id_dsa", "UserKnownHostsFile /dev/null"
"UserKnownHostsFile /dev/null" ]);
]);
$ssh->login($username[0], $ARGV[1]); $ssh->login($username[0], $ARGV[1]);
($stdout, $stderr, $exit) = $ssh->cmd("sudo $remotepath @ARGV"); ($stdout, $stderr, $exit) = $ssh->cmd("sudo $remotepath @ARGV");
print "$stdout"; print "$stdout";

2
lam/templates/account/groupedit.php
View File

@ -345,7 +345,7 @@ do { // X-Or, only one if() can be true
$errors[] = array('INFO', _('GID-number has changed. You have to run the following command as root in order to change existing file-permissions:'), $errors[] = array('INFO', _('GID-number has changed. You have to run the following command as root in order to change existing file-permissions:'),
'find / -gid ' . $account_old->general_uidNumber . ' -exec chgrp ' . $account_new->general_uidNumber . ' {} \;'); 'find / -gid ' . $account_old->general_uidNumber . ' -exec chgrp ' . $account_new->general_uidNumber . ' {} \;');
// Go from final to next page if no error did ocour // Go from final to next page if no error did ocour
if (!$stay)) $select_local='final'; if (!$stay) $select_local='final';
else $select_local=$_POST['select']; else $select_local=$_POST['select'];
break; break;
} }

11
lam/templates/massdetail.php
View File

@ -172,12 +172,7 @@ echo '</title>'.
'<meta http-equiv="pragma" content="no-cache">'. '<meta http-equiv="pragma" content="no-cache">'.
'<meta http-equiv="cache-control" content="no-cache">'. '<meta http-equiv="cache-control" content="no-cache">'.
'</head><body>'. '</head><body>'.
'<form enctype="multipart/form-data" action="massdetail.php" method="post">'. '<form enctype="multipart/form-data" action="massdetail.php" method="post">';
'<table class="massdetail" width="100%">';
// Store variabled in $_POST
echo '<tr><td><input name="type" type="hidden" value="'.$select.'"></td></tr>';
echo '<tr><td><input name="row" type="hidden" value="'.$row.'"></td></tr>';
// Display errir-messages // Display errir-messages
if (is_array($errors2)) if (is_array($errors2))
for ($i=0; $i<sizeof($errors2); $i++) StatusMessage($errors2[$i][0], $errors2[$i][1], $errors2[$i][2]); for ($i=0; $i<sizeof($errors2); $i++) StatusMessage($errors2[$i][0], $errors2[$i][1], $errors2[$i][2]);
@ -207,6 +202,10 @@ switch ($select) {
StatusMessage('WARN', _('Check values.'), $_SESSION['errors'][$row][$i][2]); StatusMessage('WARN', _('Check values.'), $_SESSION['errors'][$row][$i][2]);
break; break;
case 'detail': case 'detail':
echo '<table class="massdetail" width="100%">';
// Store variabled in $_POST
echo '<tr><td><input name="type" type="hidden" value="'.$select.'"></td></tr>';
echo '<tr><td><input name="row" type="hidden" value="'.$row.'"></td></tr>';
echo '<tr><td>'; echo '<tr><td>';
echo _('Surname').'*'; echo _('Surname').'*';
echo '</td>'."\n".'<td>'. echo '</td>'."\n".'<td>'.