tmakinen/puppet
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

user: LDAP user management refactoring

Browse source
This commit is contained in:
Ossi Salmi 2013-08-03 03:41:20 +03:00
parent d784356112
commit 0b73e7782c
3 changed files with 144 additions and 162 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

45
user/manifests/init.pp
View file

@ -355,37 +355,26 @@ class user::system {
# Add local user account. # Add local user account.
# #
define user::newuser($uid, $gid, $comment, $home, $shell, $groups=undef, $requiregroups=undef) { define user::add($uid, $gid, $comment, $home, $shell, $groups=undef) {
user { $name: user { $name:
ensure => present, ensure => present,
uid => $uid, managehome => true,
gid => $gid, uid => $uid,
comment => $comment, gid => $gid,
home => $home, comment => $comment,
shell => $shell, home => $home,
groups => $groups, shell => $shell,
require => $requiregroups, groups => $groups,
notify => $::operatingsystem ? { }
OpenBSD => [ Exec["user-mod-${name}"],
Exec["user-home-${name}"], ], if $::operatingsystem == "OpenBSD" {
default => undef, exec { "usermod -L ldap ${name}":
refreshonly => true,
path => "/sbin:/usr/sbin:/bin:/usr/bin",
subscribe => User[$name],
require => File["/etc/login.conf"],
} }
} }
exec { "user-mod-${name}":
command => "usermod -L ldap ${name}",
path => "/sbin:/usr/sbin:/bin:/usr/bin",
refreshonly => true,
require => File["/etc/login.conf"],
}
exec { "user-home-${name}":
command => "/bin/sh -c 'umask 077; mkdir -p ${home} && tar cf - . | tar xf - -C ${home} && chown -R ${uid}:${gid} ${home}'",
cwd => "/etc/skel",
path => "/sbin:/usr/sbin:/bin:/usr/bin",
creates => $home,
refreshonly => true,
}
} }

124
user/scripts/update-classes.rb
View file

@ -1,15 +1,14 @@
require 'set'
require 'ldap'
require 'uri' require 'uri'
require 'ldap'
basedn = '' basedn = ''
conn = '' conn = ''
f = File.new('/etc/openldap/ldap.conf', 'r') File.readlines('/etc/openldap/ldap.conf').each do |line|
f.readlines.each do |line|
line = line.strip line = line.strip
next if line =~ /^#/ next if line.empty?
next if line == '' next if line.start_with?('#')
line = line.split line = line.split
if line[0] == 'BASE' if line[0] == 'BASE'
basedn = line[1] basedn = line[1]
@ -19,14 +18,10 @@ f.readlines.each do |line|
uri = URI.parse(uri) uri = URI.parse(uri)
begin begin
if uri.scheme == 'ldaps' if uri.scheme == 'ldaps'
if ! uri.port uri.port = 636 unless uri.port
uri.port = 636
end
conn = LDAP::SSLConn.new(uri.host, uri.port) conn = LDAP::SSLConn.new(uri.host, uri.port)
else else
if ! uri.port uri.port = 389 unless uri.port
uri.port = 389
end
conn = LDAP::Conn.new(uri.host, uri.port) conn = LDAP::Conn.new(uri.host, uri.port)
end end
conn.bind conn.bind
@ -37,67 +32,56 @@ f.readlines.each do |line|
end end
end end
end end
f.close
user_classes = [] user_pp = []
group_classes = [] group_pp = []
userlist = {} groups = {}
conn.search(basedn, LDAP::LDAP_SCOPE_SUBTREE, 'objectClass=posixAccount',
['uid', 'gidNumber']) { |entry| conn.search(basedn, LDAP::LDAP_SCOPE_SUBTREE,
groups = [] 'objectClass=posixAccount', ['uid', 'gidNumber']) do |entry|
filter = '(&(objectClass=posixGroup)(|(uniqueMember=' + entry.get_dn + \ dn = entry.get_dn
')(memberUid=' + entry['uid'][0] + ')))' uid = entry['uid'][0]
conn.search(basedn, LDAP::LDAP_SCOPE_SUBTREE, filter, ['cn']) { |group|
groups << group['cn'][0] # skip samba machine accounts
} next if uid.include?('?')
conn.search(basedn, LDAP::LDAP_SCOPE_SUBTREE, \
'(&(objectClass=posixGroup)(gidNumber=' + \ gids = Set.new
entry['gidNumber'][0] + '))', \
['cn']) { |group| # find primary group
groups << group['cn'][0] filter = '(&(objectClass=posixGroup)(gidNumber=%s))' % entry['gidNumber'][0]
} conn.search(basedn, LDAP::LDAP_SCOPE_SUBTREE, filter, ['cn']) do |group|
gid = group['cn'][0]
# create user class gids << gid
if entry['uid'][0] !~ /.*\$.*/ groups[gid] = Set.new unless groups.has_key?(gid)
user_classes << "class user::user::" + entry['uid'][0] + " inherits user::virtual {\n" groups[gid] << uid
user_classes << " realize(User::Newuser['" + entry['uid'][0] + "'])\n"
groups.each do |group|
user_classes << " realize(Group['" + group + "'])\n"
end
user_classes << "}\n\n"
end end
userlist[entry.get_dn()] = entry['uid'][0] # find supplementary groups
} filter = '(&(objectClass=posixGroup)(|(uniqueMember=%s)(memberUid=%s)))' % [ dn, uid ]
conn.search(basedn, LDAP::LDAP_SCOPE_SUBTREE, filter, ['cn']) do |group|
gid = group['cn'][0]
conn.search(basedn, LDAP::LDAP_SCOPE_SUBTREE, 'objectClass=posixGroup', gids << gid
['cn', 'gidNumber', 'memberUid', 'uniqueMember']) { |entry| groups[gid] = Set.new unless groups.has_key?(gid)
groups[gid] << uid
members = []
if entry.attrs.index('memberUid')
entry['memberUid'].each do |member|
if userlist.has_value?(member)
members << member
end
end
end end
if entry.attrs.index('uniqueMember')
entry['uniqueMember'].each do |member|
if userlist.has_key?(member)
members << userlist[member]
end
end
end
if members.length > 0
group_classes << "class user::group::" + entry['cn'][0] + " {\n"
members.uniq.sort.each do |member|
group_classes << " include user::user::" + member + "\n"
end
group_classes << "}\n\n"
end
}
puts user_classes if ARGV.include?("-u") user_pp << "class user::user::%s inherits user::virtual {\n\n" % uid
puts group_classes if ARGV.include?("-g") user_pp << " realize(User::Add[\"%s\"])\n" % uid
gids.sort.each do |gid|
user_pp << " realize(Group[\"%s\"])\n" % gid
end
user_pp << "\n}\n\n"
end
groups.each do |gid, uids|
next if uids.length == 1 and uids.include?(gid)
group_pp << "class user::group::%s {\n\n" % gid
uids.sort.each do |uid|
group_pp << " include user::user::%s\n" % uid
end
group_pp << "\n}\n\n"
end
puts user_pp if ARGV.include?("-u")
puts group_pp if ARGV.include?("-g")

137
user/scripts/update-virtual.rb
View file

@ -1,15 +1,14 @@
require 'set'
require 'ldap'
require 'uri' require 'uri'
require 'ldap'
basedn = '' basedn = ''
conn = '' conn = ''
f = File.new('/etc/openldap/ldap.conf', 'r') File.readlines('/etc/openldap/ldap.conf').each do |line|
f.readlines.each do |line|
line = line.strip line = line.strip
next if line =~ /^#/ next if line.empty?
next if line == '' next if line.start_with?('#')
line = line.split line = line.split
if line[0] == 'BASE' if line[0] == 'BASE'
basedn = line[1] basedn = line[1]
@ -19,14 +18,10 @@ f.readlines.each do |line|
uri = URI.parse(uri) uri = URI.parse(uri)
begin begin
if uri.scheme == 'ldaps' if uri.scheme == 'ldaps'
if ! uri.port uri.port = 636 unless uri.port
uri.port = 636
end
conn = LDAP::SSLConn.new(uri.host, uri.port) conn = LDAP::SSLConn.new(uri.host, uri.port)
else else
if ! uri.port uri.port = 389 unless uri.port
uri.port = 389
end
conn = LDAP::Conn.new(uri.host, uri.port) conn = LDAP::Conn.new(uri.host, uri.port)
end end
conn.bind conn.bind
@ -37,76 +32,90 @@ f.readlines.each do |line|
end end
end end
end end
f.close
print "class user::virtual {\n" print "class user::virtual {\n"
conn.search(basedn, LDAP::LDAP_SCOPE_SUBTREE, 'objectClass=posixAccount', filter = 'objectClass=posixAccount'
['uid', 'uidNumber', 'gidNumber', 'gecos', 'homeDirectory', attrs = [
'loginShell' ]) { |entry| 'uid',
groups = [] 'uidNumber',
filter = '(&(objectClass=posixGroup)(|(uniqueMember=' + entry.get_dn \ 'gidNumber',
+ ')(memberUid=' + entry['uid'][0] + ')))' 'gecos',
conn.search(basedn, LDAP::LDAP_SCOPE_SUBTREE, filter, ['cn']) { |group| 'homeDirectory',
groups << group['cn'][0] 'loginShell',
} ]
prigroup = nil conn.search(basedn, LDAP::LDAP_SCOPE_SUBTREE, filter, attrs) do |entry|
conn.search(basedn, LDAP::LDAP_SCOPE_SUBTREE, \ dn = entry.get_dn
'(&(objectClass=posixGroup)(gidNumber=' + entry['gidNumber'][0] + '))', \ uid = entry['uid'][0]
['cn']) { |group| uidnumber=entry['uidNumber'][0]
prigroup = group['cn'][0] gidnumber=entry['gidNumber'][0]
}
primarygroup = nil
groups = Set.new
filter = '(&(objectClass=posixGroup)(gidNumber=%s))' % gidnumber
conn.search(basedn, LDAP::LDAP_SCOPE_SUBTREE, filter, ['cn']) do |group|
primarygroup = group['cn'][0]
end
continue if primarygroup.nil?
filter = '(&(objectClass=posixGroup)(|(uniqueMember=%s)(memberUid=%s)))' % [ dn, uid ]
conn.search(basedn, LDAP::LDAP_SCOPE_SUBTREE, filter, ['cn']) do |group|
groups << group['cn'][0]
end
print "\n" print "\n"
print " @user::newuser { '%s':\n" % entry['uid'][0] print " @user::add { \"%s\":\n" % uid
print " uid => '%s',\n" % entry['uidNumber'][0] print " uid => \"%s\",\n" % uidnumber
print " gid => '%s',\n" % entry['gidNumber'][0] print " gid => \"%s\",\n" % gidnumber
begin begin
print " comment => '%s',\n" % entry['gecos'][0] print " comment => \"%s\",\n" % entry['gecos'][0]
rescue rescue
print " comment => '%s',\n" % entry['uid'][0] print " comment => \"%s\",\n" % entry['uid'][0]
end end
print " home => '%s',\n" % entry['homeDirectory'][0] print " home => \"%s\",\n" % entry['homeDirectory'][0]
begin begin
print " shell => '%s',\n" % entry['loginShell'][0] print " shell => \"%s\",\n" % entry['loginShell'][0]
rescue rescue
print " shell => '%s',\n" % "/bin/bash" print " shell => \"%s\",\n" % "/bin/bash"
end end
if groups.length > 0 unless groups.empty?
print " groups => $operatingsystem ? {\n" print " groups => $::operatingsystem ? {\n"
print " openbsd => [ " print " \"openbsd\" => [ "
groups.each do |group| groups.each do |group|
print "'" + group + "', " print "\"%s\", " % group
end end
print "'wheel', " if groups.include?('sysadm') print "\"wheel\", " if groups.include?('sysadm')
print "],\n" print "],\n"
print " default => [ " print " default => [ "
groups.each do |group| groups.each do |group|
print "'" + group + "', " print "\"%s\", " % group
end end
print "],\n },\n" print "],\n },\n"
end end
print " requiregroups => [ Group['" + prigroup + "']," print " require => [\n"
print " Group[\"%s\"],\n" % primarygroup
groups.each do |group| groups.each do |group|
print "\n Group['" + group + "']," print " Group[\"%s\"],\n" % group
end end
print " ],\n" print " ],\n"
print " }\n" print " }\n"
end
} filter = 'objectClass=posixGroup'
attrs = [
'cn',
conn.search(basedn, LDAP::LDAP_SCOPE_SUBTREE, 'objectClass=posixGroup', 'gidNumber',
['cn', 'gidNumber', 'memberUid', 'uniqueMember']) { |entry| 'memberUid',
'uniqueMember',
# generate virtual group entry ]
conn.search(basedn, LDAP::LDAP_SCOPE_SUBTREE, filter, attrs) do |entry|
print "\n" print "\n"
print " @group { '" + entry['cn'][0] + "':\n" print " @group { \"%s\":\n" % entry['cn'][0]
print " ensure => present,\n" print " ensure => present,\n"
print " gid => '" + entry['gidNumber'][0] + "',\n" print " gid => %s,\n" % entry['gidNumber'][0]
print " }\n" print " }\n"
end
}
print "\n}\n" print "\n}\n"