......@@ -99,8 +99,7 @@ SYSCONFFILES = \
php/apache2/php-debian-edu.ini \
insserv/overrides/ntp \
ldap/rootDSE-debian-edu.ldif \
ldap/slapd-squeeze_debian-edu.conf \
ldap/ssl/slapd-cert.cnf \
ldap/slapd-debian-edu.conf \
ltsp/ltsp-build-client.conf \
network/if-up.d/hostname \
network/if-up.d/wpad-proxy-update \
......@@ -214,7 +213,6 @@ LDAPPROGRAMS = \
ldap-createuser-krb5 \
ldap2netgroup \
ldap-debian-edu-install \
mkslapdcert \
sitesummary2ldapdhcp
WWWFILES = \
......@@ -341,6 +339,8 @@ install: install-testsuite
share/debian-edu-config/tools/ldap-server-getcert \
share/debian-edu-config/tools/exim4-create-environment \
share/debian-edu-config/tools/edu-ldap-from-scratch \
share/debian-edu-config/tools/create-user-nssdb \
share/debian-edu-config/tools/copy-host-keytab \
share/debian-edu-config/ltspfs-mounter-kde \
share/debian-edu-config/squid.resolvconf \
share/ltsp/get-ldap-ltsp-config \
......
......@@ -25,70 +25,55 @@ vars:
"sudoers_base ou=sudoers,$(edu.ldapbase)",
"BASE $(edu.ldapbase)",
"TLS_REQCERT demand",
"TLS_CACERT /etc/ldap/ssl/ldap-server-pubkey.pem" };
"nslcd_conf" string => "tls_cacertfile /etc/ldap/ssl/ldap-server-pubkey.pem";
"TLS_CACERT /etc/ssl/certs/debian-edu-server.crt" };
"nslcd_conf" string => "tls_cacertfile /etc/ssl/certs/debian-edu-server.crt";
files:
debian.!standalone.!roaming.installation::
"/etc/nsswitch.conf"
edit_line => nsswitch_conf;
edit_line => append_if_no_line( @(nss_conf) );
"/etc/nsswitch.conf"
edit_line => append_if_no_line("$(nss_conf)");
edit_line => nsswitch_conf;
# Adjust for package sudo-ldap; also use the downloaded LDAP SSL certificate
# to verify the connection to the server.
debian.!standalone.installation::
"/etc/ldap/ldap.conf"
edit_line => ca1_conf;
"/etc/ldap/ldap.conf"
edit_line => append_if_no_line("$(ldap_conf)");
"/etc/nslcd.conf"
edit_line => ca2_conf;
"/etc/nslcd.conf"
edit_line => nslcd_conf;
"/etc/nslcd.conf"
edit_line => append_if_no_line("$(nslcd_conf)");
}
bundle edit_line ca1_conf
{
vars:
"regexpr" string => "TLS_CACERT.*";
replace_patterns:
"^($(regexpr))$" replace_with => comment("#");
}
bundle edit_line ca2_conf
bundle edit_line nsswitch_conf
{
vars:
"regexpr" string => "tls_cacertfile.*";
"regexpr" slist => { "passwd: files", "group: files",
"shadow: files", "netgroup: nis" };
replace_patterns:
"^($(regexpr))$" replace_with => comment("#");
}
bundle edit_line nsswitch_conf
bundle edit_line nslcd_conf
{
vars:
"regexpr" slist => { "passwd.*", "shadow.*", "group.*", "netgroup.*" };
"nslcd_conf" string => "tls_cacertfile /etc/ssl/certs/debian-edu-server.crt";
replace_patterns:
"^($(regexpr))$" replace_with => comment("#");
"/etc/ldap/ssl/ldap-server-pubkey.pem" replace_with => value("/etc/ssl/certs/debian-edu-server.crt");
}
bundle agent ldapserver
{
# Configure LDAP server and communication with the LDAP server
vars:
"slapd_ssl" string => "/etc/ldap/ssl";
# Configure LDAP server and communication with the LDAP server.
# For certificate and security related details see:
# /usr/share/debian-edu-config/tools/create-debian-edu-certs.
files:
debian.server.installation::
"/etc/ldap/slapd.conf"
link_from => ln_s("/etc/ldap/slapd-squeeze_debian-edu.conf"),
link_from => ln_s("/etc/ldap/slapd-debian-edu.conf"),
move_obstructions => "true";
# Adjust rights, just to be sure.
"$(slapd_ssl)"
perms => og("openldap","openldap");
commands:
debian.server.di.installation::
# Generate TLS certificates
"/usr/bin/mkslapdcert"
contain => in_shell;
# Create the initial LDAP database, using the new slapd.conf.
# The Kerberos KDC is set up within this script too. Needs to
# run after the ssl certs are made available (cf.apache2).
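Review bot: With `TLS_REQCERT demand` kept, the new `"TLS_CACERT /etc/ssl/certs/debian-edu-server.crt"` entry (and the matching nslcd `tls_cacertfile`) makes the server's end-entity certificate the trust anchor, while the slapd side of this change configures that same certificate next to `TLSCACertificateFile /etc/ssl/certs/Debian-Edu_rootCA.crt`. If debian-edu-server.crt is issued by that root CA rather than self-signed as slapd.pem used to be, whether clients still verify depends on their TLS library accepting a non-self-signed leaf found in the trust store — worth confirming on a client before release, and distributing Debian-Edu_rootCA.crt as the anchor would be the more robust choice. Separately, the `"nslcd_conf" string => ...` line inside `bundle edit_line nslcd_conf` appears unreferenced by that bundle's replace_patterns (the ldapclient bundle defines its own `nslcd_conf`), so it looks like a leftover to drop. The ldapserver bundle's commands section continues past the end of the hunk.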
......
......@@ -29,8 +29,8 @@ bundle common edu
"internet" expression => returnszero("/usr/bin/wget -qO /dev/null http://deb.debian.org/debian/README","noshell");
# Set if atomic partioning has been used (everything on one partion, w/ or w/o lvm).
"atomic" expression => returnszero("/usr/bin/namei -mol /skole | /bin/grep T", "useshell");
# Set if the Squid cache exists; used to avoid superfluously running 'dpkg-reconfigure squid'.
"squidcache" expression => isdir("/var/spool/squid/00/00");
# Set if the Squid cache exists; used to conditionally link Debian Edu configuration.
"squidcache" expression => isdir("/var/spool/squid");
# Set if running inside Debian Installer; used to avoid useless LDAP setup upon main server upgrade.
"di" expression => fileexists("/etc/apt/apt.conf.d/00IgnoreTimeConflict");
# Set for networked workstation if the 'education-desktop-other' package is installed.
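Review bot: The updated comment still says the class is set "if the Squid cache exists", but `isdir("/var/spool/squid")` is true as soon as the spool directory is present — presumably whenever squid is installed, whether or not the cache was ever initialized, which per the changelog is the intent. I would make the comment say that rather than keep the old wording: `# Set if the Squid spool directory exists (squid installed, cache possibly not yet initialized); used to conditionally link Debian Edu configuration.`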
......
debian-edu-config (2.10.50) UNRELEASED; urgency=medium
[ Mike Gabriel ]
* etc/shutdown-at-night/clients-generator: Support recent output
of ifconfig (where the MAC address comes in the second row of
one's interface output and is prefixed by "^ether ...".
[ Wolfgang Schweer ]
* Generate slapd certificate the same way as all other server certificates.
- Extend server certificate configuration to include ldap as well.
- Drop now obsolete slapd-cert.cnf configuration file.
- Drop tool mkslapdcert now that all server certificates are generated
in one place.
- Rename ldap/slapd-squeeze_debian-edu.conf -> ldap/slapd-debian-edu.conf
- Adjust related files and tools:
+ init script debian/debian-edu-config.fetch-ldap-cert
+ cfengine configuration files cf3/cf.{ldapserver,ldapclient}
+ share/debian-edu-config/tools/{create-debian-edu-certs,update-cert-dbs}
+ debian/debian-edu-config.postinst
+ Makefile
* cf3/edu.cf: Don't fail in case squid failed to initialize within d-i;
update related comment.
* Use FQDN (www.intern) as server name in Apache configuration files.
* Remove start related parts from init scripts configuration as these are no
longer supported (actually: since quite some time).
-- Mike Gabriel <sunweaver@debian.org> Tue, 11 Dec 2018 22:13:23 +0100
debian-edu-config (2.10.49) unstable; urgency=medium
......
......@@ -21,15 +21,15 @@ set -e
. /lib/lsb/init-functions
CERTFILE=/etc/ldap/ssl/ldap-server-pubkey.pem
CERTFILE=/etc/ssl/certs/debian-edu-server.crt
do_start() {
# Locate LDAP server
LDAPSERVER=$(debian-edu-ldapserver)
ERROR=false
if [ ! -f $CERTFILE ] && [ -f /etc/ldap/ldap.conf ] &&
grep -q /etc/ldap/ssl/ldap-server-pubkey.pem /etc/ldap/ldap.conf ; then
if [ -f /etc/ldap/ldap.conf ] &&
grep -q /etc/ssl/certs/debian-edu-server.crt /etc/ldap/ldap.conf ; then
if [ -z "$LDAPSERVER" ] ; then
msg="Failed to locate LDAP server"
log_action_begin_msg "$msg"
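Review bot: The new condition `if [ -f /etc/ldap/ldap.conf ] && grep -q /etc/ssl/certs/debian-edu-server.crt /etc/ldap/ldap.conf ; then` drops the old `[ ! -f $CERTFILE ]` guard, so the file that ldap.conf uses as its `TLS_CACERT` trust anchor is now re-downloaded from whatever `debian-edu-ldapserver` resolves to on every start, not only on first boot. That turns a one-time trust-on-first-use into a per-boot one: the pinned copy previously made a connection to an impostor fail, whereas now the anchor can be replaced at any later start. If refreshing is intended because the server certificate is now regenerated, consider fetching only when the file is missing or the existing one no longer verifies, rather than unconditionally. do_start continues past the hunk, and the equivalent `! -f` guard is still kept for the LTSP chroot copy in the third hunk.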
......@@ -39,7 +39,6 @@ do_start() {
fi
[ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate."
/usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new
chmod 644 $CERTFILE.new
if test -s $CERTFILE.new ; then
mv $CERTFILE.new $CERTFILE
[ "$VERBOSE" != no ] && log_action_end_msg 0
......@@ -54,12 +53,11 @@ do_start() {
if [ -d /opt/ltsp ] ; then
for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do
if [ ! -f $ltsp_chroot$CERTFILE ] && [ -f $ltsp_chroot/etc/ldap/ldap.conf ] &&
grep -q /etc/ldap/ssl/ldap-server-pubkey.pem $ltsp_chroot/etc/ldap/ldap.conf ; then
grep -q /etc/ssl/certs/debian-edu-server.crt $ltsp_chroot/etc/ldap/ldap.conf ; then
[ "$VERBOSE" != no ] &&
log_action_begin_msg "Copying LDAP SSL certificate to ltsp-chroot $ltsp_chroot "
if test -s $CERTFILE; then
cp $CERTFILE $ltsp_chroot$CERTFILE
chmod 644 $ltsp_chroot$CERTFILE
[ "$VERBOSE" != no ] && log_action_end_msg 0
else
log_action_end_msg 1
......
......@@ -108,6 +108,33 @@ fi
case "$1" in
configure)
if dpkg --compare-versions "$2" le "2.10.50" ; then
if [ -f /etc/ldap/ldap.conf ] ; then
sed -i 's#/etc/ldap/ssl/ldap-server-pubkey.pem#/etc/ssl/certs/debian-edu-server.crt#' /etc/ldap/ldap.conf
fi
if [ -f /etc/nslcd.conf ] ; then
sed -i 's#/etc/ldap/ssl/ldap-server-pubkey.pem#/etc/ssl/certs/debian-edu-server.crt#' /etc/nslcd.conf
fi
if egrep -q "(Main-Server)" /etc/debian-edu/config ; then
rm -f /etc/ldap/ssl/slapd.pem
rm -f /etc/ldap/slapd.conf
if [ -f /etc/ldap/slapd-debian-edu.conf ] ; then
ln -s /etc/ldap/slapd-debian-edu.conf /etc/ldap/slapd.conf
fi
if [ -f /usr/share/debian-edu-config/tools/create-debian-edu-certs ] ; then
/usr/share/debian-edu-config/tools/create-debian-edu-certs --force-overwrite
fi
else
if ! egrep -q "(Standalone)" /etc/debian-edu/config ; then
invoke-rc.d fetch-ldap-cert restart
invoke-rc.d nslcd restart
fi
fi
rm -f /etc/ldap/ssl/ldap-server-pubkey.pem
rm -f /etc/ldap/ssl/slapd-cert.cnf
rm -f /etc/ldap/slapd-squeeze_debian-edu.conf
fi
if dpkg --compare-versions "$2" le "1.929" && dpkg --compare-versions "$2" ge "1.926" && \
egrep -q "(Main-Server)" /etc/debian-edu/config ; then
rm /etc/apache2/mods-available/userdir.load
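Review bot: `dpkg --compare-versions "$2" le "2.10.50"` also matches an old version equal to 2.10.50, so every later upgrade from a system already on this version re-enters the migration block, deletes and re-links slapd.conf and, on a main server, re-runs `create-debian-edu-certs --force-overwrite`, presumably regenerating the server key and certificate each time. It also fires on a fresh install, where `$2` is empty. The usual form is `if dpkg --compare-versions "$2" lt-nl "2.10.50" ; then`, which covers every upgrade from before this version and skips new installs. The unconditional `rm -f /etc/ldap/slapd.conf` would also discard a locally maintained slapd.conf without backup if it is a regular file rather than the symlink cfengine creates; guarding it with `[ -L /etc/ldap/slapd.conf ]` would be safer. The enclosing `case "$1" in configure)` block continues past the hunk.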
......
......@@ -10,10 +10,10 @@ override_dh_auto_install:
override_dh_installinit:
# Start it after 15bind9 and 19slapd
dh_installinit --init-script fetch-ldap-cert -r --no-start -u"start 95 2 3 4 5 ."
dh_installinit --init-script fetch-ldap-cert -r --no-start
# Start it after 15bind9, 19slapd and 95fetch-ldap-cert, and add some to be sure
dh_installinit --init-script firefox-ldapconf -r --no-start -u"start 96 2 3 4 5 ."
dh_installinit --init-script chromium-ldapconf -r --no-start -u"start 97 2 3 4 5 ."
dh_installinit --init-script firefox-ldapconf -r --no-start
dh_installinit --init-script chromium-ldapconf -r --no-start
dh_installinit --init-script enable-nat --no-start
override_dh_installman:
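Review bot: The comments `# Start it after 15bind9 and 19slapd` and `# Start it after 15bind9, 19slapd and 95fetch-ldap-cert, and add some to be sure` describe the `-u"start 95 2 3 4 5 ."` ordering arguments that this hunk removes, so they are now stale. Either drop them or replace them with a single line such as `# Start ordering is taken from the init scripts' LSB headers, not passed here` so the next reader does not look for sequence numbers the build no longer sets.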
......
<VirtualHost *:80>
ServerName www
ServerName www.intern
ServerAdmin webmaster@postoffice.intern
DocumentRoot /etc/debian-edu/www/
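Review bot: With `ServerName www.intern` replacing `ServerName www`, requests whose Host header is the bare name `www` no longer match this vhost by name and fall through to whatever vhost Apache treats as the default for the address; if bare-name access should keep working, add `ServerAlias www` below the ServerName. The same applies to the SSL vhost in the next section, where the certificate at `/etc/ssl/certs/debian-edu-server.crt` additionally needs www.intern among its subject names for browsers to verify it — not visible on this page, presumably handled by the create-debian-edu-certs change. The file header of this section is not shown, so I am assuming it is the port-80 www vhost.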
......
......@@ -4,7 +4,7 @@
SSLCertificateFile /etc/ssl/certs/debian-edu-server.crt
SSLCertificateKeyFile /etc/ssl/private/debian-edu-server.key
ServerName www
ServerName www.intern
ServerAdmin webmaster@postoffice.intern
DocumentRoot /etc/debian-edu/www/
......
......@@ -9,9 +9,7 @@ include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/autofs.schema
include /etc/ldap/schema/inetorgperson.schema
#include /etc/ldap/schema/dhcp.schema
include /etc/ldap/schema/gosa/dhcp.schema
#include /etc/ldap/schema/dnsdomain2.schema
include /etc/ldap/schema/gosa/dnszone.schema
include /etc/ldap/schema/kerberos.schema
include /etc/ldap/schema/ltspclientaux.schema
......@@ -39,12 +37,9 @@ loglevel none
rootDSE /etc/ldap/rootDSE-debian-edu.ldif
# TLS/SSL
TLSCACertificateFile /etc/ldap/ssl/slapd.pem
TLSCertificateKeyFile /etc/ldap/ssl/slapd.pem
TLSCertificateFile /etc/ldap/ssl/slapd.pem
#TLSCACertificateFile /var/lib/pyca/Root/cacert.pem
#TLSCertificateKeyFile /var/lib/pyca/ServerCerts/private/cakey.pem
#TLSCertificateFile /var/lib/pyca/ServerCerts/cacert.pem
TLSCACertificateFile /etc/ssl/certs/Debian-Edu_rootCA.crt
TLSCertificateKeyFile /etc/ssl/private/debian-edu-server.key
TLSCertificateFile /etc/ssl/certs/debian-edu-server.crt
modulepath /usr/lib/ldap
moduleload back_bdb
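Review bot: `TLSCertificateKeyFile /etc/ssl/private/debian-edu-server.key` moves slapd's private key under /etc/ssl/private, which on Debian is typically root:ssl-cert mode 0710, while this change also removes the `perms => og("openldap","openldap")` handling in cf.ldapserver and the `chown openldap:openldap` / `chmod 600` that mkslapdcert performed. Nothing on this page gives the openldap user read access to the new key, so unless create-debian-edu-certs or the postinst does so (not shown), slapd will fail to load its TLS credentials; adding openldap to the ssl-cert group, or setting openldap-readable ownership on the key, should be part of this change or confirmed in the tool. The key is now also the one Apache uses (`SSLCertificateKeyFile` in the ssl vhost), so a compromise of either service exposes the other's TLS identity — acceptable on a single main server, but worth stating in a comment above the `# TLS/SSL` block.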
......
RANDOM=/dev/random
[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = v3_req
prompt = no
[ req_dn ]
C=NO
ST=NA
L=Skolen
O=LDAP server
OU=Automatically-generated LDAP SSL key
###
### run LDAP service on main server (tjener) -> default
### make sure CN is also one of subjectAltName
###
CN=tjener.intern
emailAddress=postmaster@postoffice.intern
[ v3_req ]
nsCertType = server
subjectAltName=DNS:tjener.intern,DNS:tjener,DNS:ldap.intern,DNS:ldap,DNS:localhost
###
### run LDAP service on a separate machine
### (server's IP must revresolv to ldap.intern)
###
#CN=ldap.intern
#emailAddress=postmaster@postoffice.intern
#[ v3_req ]
#nsCertType = server
#subjectAltName=DNS:ldap.intern,DNS:ldap,DNS:localhost
###############################################################################
# Readme for passwd2ldap, makeldif and makesmbAcc #
###############################################################################
# #
# Maximilian Wilhelm <max@skolelinux.de> #
# #
# Last Changed: Sun, 24 Aug 2003 19:26:11 +0200 #
# #
###############################################################################
* About
These scrips allow to migrate users from existing passwd, shadow and
smbpasswd files to skolelinux ldap database.
The sciptset is still considered as beta!
* How does this scriptset work?
* Edit each script and set the path to the following files:
- passwd
- shadow
- smbpasswd
* It might be a good idea to "censor" your passwd file, so that only user
which should get an account in the LDAP DB are listed in that file.
* If you do not want to enter the LDAP-Admin password for every user created,
change the calls to "ldapadd" and "ldapmodify" in makeldif and makesmbAcc
and exchange the option "-W" by "-w <password>", *but* still remind, that
the clear text password is shown in the output of "ps".
* Execute passwd2ldap
* Be happy
* Known Bugs
none :-)
#!/bin/bash
#
# Convert unix group file to LDIF
#
# Maximilian Wilhelm <debian-edu@rfc3514>
# -- Mon, 16 Aug 2004 17:55:40 +0200
#
#
# Variables
#
# User maintaned Variables
GROUPBASE="ou=group,dc=skole,dc=skolelinux,dc=no"
# Script maintaned
GROUPFILE=""
LDIFOUT=""
EMPTYGROUPS=""
TMPFILE="/tmp/group2ldif.$$.tmp"
#
# Some fency functions
#
#
# How I want to be used.
usage()
{
echo "Usage: $0 -g <groupfile> [ -lo <ldif output> ] [ --include-empty-groups ] [ -h | -help ]"
exit 1
}
#
# Simple group file validation
checkgroup()
{
if [ ! -s $GROUPFILE -a ! -r $GROUPFILE ]; then
echo "File \"${GROUPFILE}\" does not exist or is not readable" >&2
exit 1
elif [ `grep -c '[a-z]\+:[[:space:]x*]:[0-9]\+:.*' ${GROUPFILE}` -lt 1 ]; then
echo "File \"${GROUPFILE}\ seems not to be a valid group file." >&2
exit 1
fi
}
ldifgen()
{
while read line;
do
group=`echo ${line} | cut -d: -f1`
gid=`echo ${line} | cut -d: -f3`
users=`echo ${line} | cut -d: -f4`
if [ "${EMPTYGROUPS}" == "yes" -o "${users}" ]; then
# Group not empty, convert it.
# Group header
cat << EOF >> ${TMPFILE}
dn: cn=${group},${GROUPBASE}
objectClass: posixGroup
objectClass: top
cn: ${group}
gidNumber: ${gid}
EOF
# users
echo ${users} | tr ',' '\n' | while read user;
do
echo "memberUid: ${user}" >> ${TMPFILE}
done
else
# Group is empty, don't convert
echo "Group ${group} is empty, not converted" >&2
fi
done < ${GROUPFILE}
}
#
# What to do with the output?
output()
{
if [ "${LDIFOUT}" ]; then
cp ${TMPFILE} ${LDIFOUT};
else
cat ${TMPFILE}
fi
}
#
# Let the show begin
#
# What to do?
[ $# == 0 ] && usage >&2
while [ $# -gt 0 ]; do
case "$1" in
-g) GROUPFILE="$2" ;;
-lo) LDIFOUT="$2" ;;
--include-empty-groups) EMPTYGROUPS="yes" ;;
-help|-h) usage ;;
esac
shift
done
[ -z ${GROUPFILE} ] && usage>&2
# Valid file?
checkgroup
# OK, let's convert it
ldifgen
# Tell the world
output
# remove tmpfile
rm ${TMPFILE}
#!/bin/sh
################################################################################
# makeldif #
################################################################################
#
# Maximilian Wilhelm <max@skolelinux.de>
# Frank Matthiess <frankm@skolelinux.de>
#
# Last changed Sun, 24 Aug 2003 19:23:42 +0200
#
# specify path to shadow file
SHADOWPATH=""
################################################################################
# make sure, we have enough data
if [ $# -ne 3 ]; then
echo "Usage: $0 [UID] [account name] [real name]";
exit 1;
fi
# make sure we have a shadow file and it exists
if [ -z ${SHADOWPATH} ]; then
echo "Specify path to your shadow file in $0."
exit 1;
fi
# make sure the user is listed in the shadow file
if [ -z $( cat ${SHADOWPATH} | cut -d: -f1 | grep $2 ) ]; then
echo "Error: user $2 not listed in ${SHADOWPATH}";
exit 1;
fi
# temporary variables
USERID=$1;
USERNAME=$2;
REALNAME=$(echo $3 | sed -e 's/"//g');
USNAME=$(echo ${REALNAME}| cut -f$(echo $USERNAME | wc -w) -d " ");
#
# Generate LDIF entry for user and personal group
#
cat << EOF | ldapadd -x -h localhost -W -D cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no
dn: uid=${USERNAME},ou=people,dc=skole,dc=skolelinux,dc=no
objectClass: posixAccount
objectClass: imapUser
cn: ${REALNAME}
uid: ${USERNAME}
uidNumber: ${USERID}
gidNumber: ${USERID}
homeDirectory: /skole/tjener/home0/${USERNAME}
mailMessageStore: /var/lib/maildirs/${USERNAME}
loginShell: /bin/bash
userPassword: {crypt}$(grep ${USERNAME} ${SHADOWPATH} | cut -d: -f2 )
dn: cn=${USERNAME},ou=group,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: posixGroup
objectClass: lisGroup
groupType: private
description: dontcare
cn: ${USERNAME}
gidNumber: ${USERID}
EOF
#!/bin/sh
################################################################################
# makesmbAcc #
################################################################################
#
# Maximilian Wilhelm <max@skolelinux.de>
#
# Last changed Sun, 24 Aug 2003 19:25:23 +0200
#
# specify path to smbpasswd file
SMBPWD=""
################################################################################
if [ -z ${SMBPWD} ]; then
echo "Specify the path to your smbpasswd file in $0."
exit 1;
fi
if [ -z "$( grep $1 ${SMBPWD} )" ]; then
echo "Error: User not listed in ${SMBPWD}."
exit 1;
fi
# temporary variables
USERID=$1
LMPW=$(grep $USERID $SMBPWD | cut -d: -f3 )
NTPW=$(grep $USERID $SMBPWD | cut -d: -f4 )
# creata a samba account and set dummy password
smbpasswd -a $USERID foo
# Reset samba passwords to given hashes
cat << EOF | ldapmodify -x -h localhost -W -D cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no
dn: uid=${USERID},ou=people,dc=skole,dc=skolelinux,dc=no
sambaNTPassword: $NTPW
sambaLMPassword: $LMPW
EOF
#!/bin/sh
################################################################################
# passwd2ldap #
################################################################################
#
# Maximilian Wilhelm <max@skolelinux.de>
# Frank Matthiess <frankm@skolelinux.de>
#
# Last changed: Sun, 24 Aug 2003 19:55:05 +0200
#
# Path to passwd file
PASSWDPATH=""
################################################################################
if [ -z $PASSWDPATH ]; then
echo "Specify the path to your passwd file.";
exit 1;
fi
cat ${PASSWDPATH} | while read LINE;
do
UID=$(echo ${LINE} | cut -d: -f3 );
UNAME=$(echo ${LINE} | cut -f1 -d:);
REALNAME="$(echo ${LINE} | cut -f5 -d: | cut -d, -f1 )";
./makeldif ${UID} ${UNAME} "${REALNAME}";
./makesmbAcc ${UNAME};
done;
#!/usr/bin/perl -w
#
# Author: Rune Nordbe Skillingstad <runesk@linpro.no>
#
# $Id$
use strict;
use Text::Unaccent;
use Net::LDAP;
use Data::Dumper;
use Unicode::String qw (utf8 latin1);
# This is not working right :)
my $ldapserver = "localhost";
my $basedn = "o=stfk,c=no";
my $ldapadmindn = "cn=admin,o=stfk,c=no";
my $ldappassword = "foofoo";
my $maildomain = "elev.stfk.no";
my $maildir = "/var/mail/Maildir/";
my $homedir = "/var/mail/Maildir/";
my %usernames;
srand (time ^ $$ ^ unpack "%L*", `/bin/ps axww | /bin/gzip`);
my $ldap = Net::LDAP->new($ldapserver, version => 3) or die "$@";
$ldap->bind($ldapadmindn, password => $ldappassword);
sub genusername {
my($fname, $lname, $mname) = @_;
my $i = 2;
my $j = 1;
# This wont work for and unless you use the UnicodeData-patch
$fname = lc(unac_string("LATIN1", $fname));
$lname = lc(unac_string("LATIN1", $lname));
if($mname) {
$mname =~ s/ /\./;
$mname = lc(unac_string("LATIN1", $mname));
}
my $username = $fname.".".$lname;
while($usernames{$username}) {
if(!$mname) {
$username = $fname.$i++.".".$lname;
} else {
if(length($mname) < $j) {
$username = $fname.$i++.".".$mname.".".$lname;
} else {
$username = $fname.".".substr($mname, 0, $j++).".".$lname;
}
}
}
$usernames{$username} = 1;
return $username;
}
sub loadusernames {
my $mesg = $ldap->search(base => "ou=people,domain=$maildomain,ou=Domains,".$basedn,
filter => "objectclass=mailaccount",
scope => "one",
attrs => ['uid']
);
$mesg->code && die $mesg->error;
my @allentries = $mesg->all_entries;
foreach my $entry (@allentries){
my $uid = $entry->get_value('uid');
$uid =~ s,/+$,,;
$usernames{"$uid"} = "1";
}
}
sub next_char {
my $password = lc(shift(@_));
my $vowels = "aeiouy";
my $consonants = "bdfghjklmnoprstuv";
my $doubles = "bdfgjklmnopst";
my $range;
my $n = 0;
if(!$password) {
$range = $vowels . $consonants;
} elsif($password =~ /[$vowels]$/) {
$range = $consonants;
} elsif($password =~ /[$consonants]{2}$/) {
$range = $vowels;
} elsif($password =~ /[$consonants]$/) {
if($password =~ /(\s)(\s)$/) {
if ($1 = $2) {
$range = $vowels;
} else {
$range = $vowels.$doubles;
}
} else {
$range = $vowels.$doubles;
}
} else {
$range = $vowels.$consonants;
}
# $range = "123456789" if(!int(rand(20)));
my $char = substr($range, rand(length($range)), 1);
$char = uc($char) unless rand(10) % 9;
return $char;
}
sub genpasswd {
my $password;
my $min = 6;
my $max = 8;
my $length = $min + int(rand($max - $min + 1));
for(my $i = 0; $i < $length; $i++) {
$password .= &next_char($password);
}
return $password;
}
sub output {
my ($username, $fullname, $password, @rest) = @_;
&adduser($ldap, $username, $fullname, $password,
$maildomain, $maildir, $homedir);
print STDOUT "$maildomain;$username;$fullname;$password;" .
join(";",@rest) . "\n";
}
sub adduser {
my ($ldap, $username, $fullname, $passwd, $domain, $maildir, $homedir) = @_;
if ($maildir !~ /\/$/) {
$maildir .= "/";
}
if ($homedir !~ /\/$/) {
$homedir .= "/";
}
my %data = (
attrs => [
'uid' => $username,
'cn' => latin1($fullname)->utf8,
'domain' => $domain,
'homeDirectory' => $homedir . $domain ."/".$username."/",
'mailDir' => $maildir . $domain ."/".$username."/",
'mail' => $username . '@' . $domain,
'mailAddr' => $username . '@' . $domain,
'userPassword' => $passwd,
'objectclass' => ['mailaccount','limacuteConfig'],]);
my $dn = "uid=$username,ou=people,domain=$domain,ou=Domains,$basedn";
$ldap->add($dn, %data);
}
if($#ARGV < 0) {
print STDERR "Usage: $0 <infile>\n";
exit;
}
&loadusernames;
open(IN, "<$ARGV[0]") || die "Can't open infile $ARGV[0]";
while(<IN>) {
chomp;
my ($tname, $lname, @rest) = split(";");
# This might be cleaner
my ($fname, @mname) = split(" ", $tname);
$lname =~ s/ /\./g;
my $mname = join(" ", @mname);
my $username = &genusername($fname, $lname, $mname);
my $password = &genpasswd;
if($mname) {
&output($username, "$fname $mname $lname", $password, @rest);
} else {
&output($username, "$fname $lname", $password, @rest);
}
}
close(IN);
#!/bin/sh
#
# Author: Rune Nordbe Skillingstad <rune@skillingtad.no>
# Date: 2003-02-12
#
# Create a TLS certificate for slapd. To change default settings,
# edit /etc/ldap/ssl/slapd-cert.cnf
#
#set -x
opensslbin=/usr/bin/openssl
umask 077
certconf=/etc/ldap/ssl/slapd-cert.cnf
privkey=/etc/ldap/ssl/slapd.pem
pubkey=/etc/ldap/ssl/ldap-server-pubkey.pem
if test -x $opensslbin ; then
:
else
echo "error: can't find openssl." 1>&2
exit 1
fi
if [ ! -f $certconf ] ; then
echo "warning: missing certificate configuration file $certconf." 1>&2
fi
mkdir -p /etc/ldap/ssl
chmod 751 /etc/ldap/ssl
if [ -f $privkey ] ; then
echo "warning: private key $privkey already exist. Exiting." 1>&2
exit 1;
fi
TMPFILE=`mktemp`
# lifetime 10 years
$opensslbin req -new -x509 -nodes -sha256 \
-config $certconf -days 3650 \
-out $privkey -keyout $privkey >> $TMPFILE 2>&1 \
|| echo "error: problems running openssl." 1>&2
sedextract='/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
sed -n "$sedextract" < $privkey > $pubkey
rm $TMPFILE
# Make sure the private key is only readable by user openldap
chown openldap:openldap $privkey
chmod 600 $privkey
# And the public key is readable by everyone
chmod 644 $pubkey
#!/usr/bin/perl -W
use strict;
#
# Author: Harald Inge Boerseth <haraldib@broadpark.no>
#
# This script is written to enter users into the
# LDAP DB from users defined in a LDIF file.
# In this case the LDIF file is generated from a Novel 6.0
# authentication server. An example of what an LDIF entry looks
# like in this case can be seen at the end of the script.
# It should be a simple task to adapt the script to other LDIF files.
#
# Note that the script corrects some sequences of UTF8 encoding
# that were found to be wrong as exported from the Novell 6.0 server.
# These lines of code should be removed when reading LDIF entries
# that are believed to be correct regarding UTF-8 encoding.
# The corrections are done in the subroutine utf8_corr().
#
# Note that some data definitions have to be entered before
# running the script. Look for comments starting with 'Replace ...'.
# Good luck!!!
use Net::LDAP;
use Net::LDAP::LDIF;
use File::Find;
use File::Copy;
use File::Glob;
# Replace homebase as appropriate...
my $homebase = '/skole/tjener/home0/';
# Replace mailbase as appropriate...
my $mailbase = '/var/lib/maildirs/';
# Replace nn below...
my $rootdn = 'cn=<nn>,ou=people,dc=skole,dc=skolelinux,dc=no';
# Replace root password blow...
my $rootpasswd = '<password>';
my $basedn = 'dc=skole,dc=skolelinux,dc=no';
my $cntr = 1;
# Replace first uid value and gid value below...
# ...the script assumes that uid's and gid's following
# this value is not already taken, i.e. the lowest free number
# for uid and gid should be used.
my $uid_val = 10199;
my $gid_val = 10199;
my $ldap = Net::LDAP->new('localhost', onerror => 'warn');
# Replace name of LDIF-file below...
my $ldif = Net::LDAP::LDIF->new("<ldif file>", "r", onerror => 'warn');
$ldap->bind($rootdn, password => $rootpasswd);
while ( not $ldif->eof() ) {
my $ldif_entry = $ldif->read_entry();
if ( $ldif->error() ) {
print "Error msg: ",$ldif->error(),"\n";
print "Error lines:\n",$ldif->error_lines(),"\n";
} else {
my $dn = $ldif_entry->dn;
my $uid = undef;
$dn =~ /cn=(\w+)/ && ($uid = $1);
# Skip entires where the uid is not provided...
next unless defined $uid;
$ldif_entry->replace('sn' => 'NN')
unless $ldif_entry->exists('sn');
$ldif_entry->replace('givenName' => 'NN')
unless $ldif_entry->exists('givenName');
my $given_name = $ldif_entry->get_value('givenName');
my $sn = $ldif_entry->get_value('sn');
# The attributes givenName and sn contain wrong
# UTF8 encodings for the characters ,,a,,,...
# ...this is a special operation needed for
# this specific input file only.
utf8_corr($given_name);
utf8_corr($sn);
my $homedir = $homebase . $uid;
my $maildir = "/var/lib/maildirs/" . $uid;
my $new_entry = Net::LDAP::Entry->new;
$uid_val++;
$gid_val++;
$new_entry->dn("uid=$uid,ou=people,dc=skole,dc=skolelinux,dc=no");
$new_entry->
add('objectClass' => ['posixAccount','imapUser'],
'cn' => $given_name . " " . $sn,
'uid' => $uid,
'uidNumber' => $uid_val,
'gidNumber' => $gid_val,
'homeDirectory' => $homedir,
'mailMessageStore' => $maildir,
'loginShell' => '/bin/bash',
'userPassword' => $uid);
print "Processing: ", $new_entry->dn, "\n";
$ldap->add($new_entry);
print "addSuccess\n";
create_dir($new_entry);
create_grp($new_entry);
print "\n";
}
}
$ldap->unbind();
$ldif->done();
exit;
sub utf8_corr {
# The LDIF file geneated from Novel contained errors
# regarding UTF8 encoding of ,,,,,...
$_[0] =~ s/\303\217/\303\230/g;
$_[0] =~ s/\302\265/\303\246/g;
$_[0] =~ s/\302\260/\303\270/g;
$_[0] =~ s/\303\225/\303\245/g;
}
sub create_dir {
my $entry = shift;
my $uidnumber = $entry->get_value('uidnumber');
my $gidnumber = $entry->get_value('gidnumber');
my $homedir = $entry->get_value('homedirectory');
my $cn = $entry->get_value('cn');
if (-d $homedir) {
print "homedirOK (already created) $homedir\n";
return;
}
umask 0022;
mkdir $homedir, 0755 || die "Unable to create $homedir: $!\n";
my @files = </etc/skel/.* /etc/skel/*>;
foreach (@files) {
next if m(^/etc/skel/\.\.$);
next if m(^/etc/skel/\.$);
`cp -r $_ $homedir`;
}
find(sub {chown($uidnumber, $gidnumber, $_)}, $homedir);
print "homedirOK, $cn ( $homedir )\n";
}
sub create_grp {
my $entry = shift;
my $gidnumber = $entry->get_value('gidnumber');
my $cn = $entry->get_value('cn');
my $uid = $entry->get_value('uid');
my $mesg = $ldap->search (base => "ou=group,$basedn",
filter => "gidNumber=$gidnumber");
if (! $mesg->count()){
# Group id unknown...
my $new_entry = Net::LDAP::Entry->new();
$new_entry->dn("cn=$uid,ou=group,$basedn");
$new_entry->add(objectclass => 'posixGroup',
cn => $uid,
gidNumber => $gidnumber);
$ldap->add($new_entry);
print "groupOK, $cn ( $gidnumber )\n";
} else {
print "groupOK (already created), $cn ( $gidnumber )\n";
}
}
# Example of LDIF entry processed by the script
# Some values (<...>) changed for security reasons...
#dn: cn=<cn>,ou=elev,ou=Users,o=UVNETT
#changetype: add
#givenName: <givenname>
#fullName:: <QXlFYSBLZWxow5VziFJ5x2g=>
#Language: ENGLISH
#sn: <sn>
#securityEquals: cn=Elever,ou=Users,o=UVNETT
#passwordUniqueRequired: TRUE
#passwordRequired: TRUE
#passwordMinimumLength: 5
#passwordExpirationTime: 20030429113427Z
#passwordExpirationInterval: 7776000
#objectClass: inetOrgPerson
#objectClass: organizationalPerson
#objectClass: person
#objectClass: ndsLoginProperties
#objectClass: top
#loginTime: 20030218122529Z
#loginGraceLimit: 6
#ndsHomeDirectory: cn=EMBLA_DATA,ou=Drift,o=UVNETT#0#<...>
#groupMembership: cn=Elever,ou=Users,o=UVNETT
#cn: <cn>
#ACL: 2#subtree#cn=<cn>,ou=elev,ou=Users,o=UVNETT#[All Attributes Rights]
#ACL: 6#entry#cn=<cn>,ou=elev,ou=Users,o=UVNETT#loginScript
#ACL: 2#entry#[Public]#messageServer
#ACL: 2#entry#[Root]#groupMembership
#ACL: 6#entry#cn=<cn>,ou=elev,ou=Users,o=UVNETT#printJobConfiguration
#ACL: 2#entry#[Root]#networkAddress