Codebase list fusiondirectory / cf4f3b5
debian/examples: Ship Kerberos hook scripts (cudos to Debian Edu). Mike Gabriel 3 years ago
4 changed file(s) with 174 addition(s) and 0 deletion(s). Raw diff Collapse all Expand all
0 #!/bin/sh
1
2 set -e
3
4 ## This script is run by www-data using sudo. Keep that in mind!
5 ## Make sure that malicious execution cannot hurt.
6 ##
7 ## This script creates the principals for hosts added with FusionDirectory.
8
9 HOSTNAME=$1
10 DOMAIN=informatik.uni-kiel.de
11 FQDN=$1.$DOMAIN
12
13 ## lookup user and create home directory and principal:
14 ldapsearch -xLLL "(&(|(cn=$HOSTNAME)(cn=$FQDN))(|(objectClass=GOHard)(objectClass=ipHost)))" \
15 cn ipHostNumber macAddress 2>/dev/null | perl -p00e 's/\r?\n //g' | \
16 while read KEY VALUE ; do
17 case "$KEY" in
18 dn:) HOSTNAME= ; IP= ; HOSTDN="dn=$VALUE" ;;
19 cn:) HOSTNAME="$VALUE" ;;
20 ipHostNumber:) IP="$VALUE" ;;
21 macAddress:) MAC="$VALUE" ;;
22 "")
23 FQDN=$HOSTNAME.$DOMAIN
24 kadmin.local -q "add_principal -policy hosts -randkey -x $HOSTDN host/$FQDN" && logger -p notice Krb5 principal \'host/$FQDN\' created.
25 kadmin.local -q "add_principal -policy service -randkey -x $HOSTDN nfs/$FQDN" && logger -p notice Krb5 principal \'nfs/$FQDN\' created.
26 ;;
27 esac
28 done
29
30 exit 0
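Review bot: `$1` reaches the LDAP filter at script line 14 without any validation, and the values read back (`$HOSTDN`, `$FQDN`) are then spliced unquoted into the `kadmin.local -q` strings at lines 24–25, which contradicts the header's "malicious execution cannot hurt" note and also breaks on any DN containing a space. A character allow-list right after line 9, `case "$HOSTNAME" in ""|*[!A-Za-z0-9.-]*) exit 1 ;; esac`, closes the first gap, and the DN should be quoted the way the user hook in this commit does it, `-x \"$HOSTDN\"`. `MAC` is assigned at line 21 but never used, and `DOMAIN` at line 10 is a site-specific constant that an example shipped under `debian/examples` should take from the environment or a config file rather than hard-code. Note also that the `while` loop runs in a pipeline subshell, so `set -e` cannot propagate a failing `kadmin.local` out of it, and the `&& logger` form leaves such a failure entirely silent.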
0 #!/bin/sh
1
2 set -e
3
4 ## This script is run by www-data using sudo. Keep that in mind!
5 ## Make sure that malicious execution cannot hurt.
6 ##
7 ## This script creates the home directories and principals for users
8 ## added with gosa. There are some tests that make sure only
9 ## non-existent home directories are created. Malicious execution
10 ## cannot hurt, because either the user is missing in ldap or his home
11 ## directory already exists. In both cases nothing should happen.
12
13 PREFIX=/net
14 HOSTNAME=$(hostname -s)
15 USERID="$1"
16
17 if which nscd 1>/dev/null; then
18 nscd -i passwd
19 nscd -i group
20 fi
21
22 ## lookup user and create home directory and principal:
23 ldapsearch -xLLL "(&(uid=$USERID)(objectClass=posixAccount))" \
24 cn homeDirectory gidNumber 2>/dev/null | perl -p00e 's/\r?\n //g' | \
25 while read KEY VALUE; do
26 case "$KEY" in
27 dn:) USERNAME= ; HOMEDIR= ; GROUPID= ; USERDN="dn=$VALUE" ;;
28 cn:) USERNAME="$VALUE" ;;
29 homeDirectory:) HOMEDIR="$VALUE" ;;
30 gidNumber:) GROUPID="$VALUE" ;;
31 "")
32 test "$HOMEDIR" || continue
33 echo "$HOMEDIR" | grep -q "^$PREFIX/$HOSTNAME" && HOMEDIR=/home/$USERID || continue
34 test -e "$HOMEDIR" || {
35 cp -r /etc/skel $HOMEDIR
36 chown -R $USERID:$GROUPID $HOMEDIR
37 echo "Home directory '$HOMEDIR' created.<br />"
38 }
39 kadmin.local -q "add_principal -policy users -randkey -x \"$USERDN\" $USERID" 1>/dev/null 2>/dev/null && echo "Krb5 principal '$USERID' created.<br />"
40 x2godbadmin --adduser "$USERID" 1>/dev/null 2>/dev/null && echo "Enabled X2Go for user '$USERID'.<br />"
41 ;;
42 esac
43 done
44
45 exit 0
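Review bot: `$USERID` (script line 15) is never validated before it is spliced into the LDAP filter at line 23 and into the path `/home/$USERID` at line 33, so the `cp -r` / `chown -R` at lines 35–36 — which also leave `$HOMEDIR` unquoted — act on whatever path the argument yields; the `test -e` guard at line 34 restricts this to non-existent paths but does not confine them to `/home`. An allow-list after line 15, `case "$USERID" in ""|*[!a-z0-9._-]*) exit 1 ;; esac`, plus quoting `"$HOMEDIR"` on lines 35–36 would make the header's "malicious execution cannot hurt" claim actually hold. `which nscd` at line 17 should be `command -v nscd >/dev/null`, and the `grep -q "^$PREFIX/$HOSTNAME"` at line 33 treats the hostname as a regular expression rather than a fixed prefix (`grep -qF` or a `case` pattern is the intent). As in the host hook, the `while` loop is a pipeline subshell, so `set -e` will not surface a failed `kadmin.local` or `x2godbadmin` beyond the missing success message.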
0 #!/bin/sh
1
2 set -xe
3
4 ## This script is run by www-data using sudo. Keep that in mind!
5 ## Make sure that malicious execution cannot hurt.
6 ##
7 ## This script removes the home directories and principals for users removed with gosa.
8 ## Home directories are not purged immediately, but marked with a time stamp. Next time
9 ## this script is run it looks for all home directories marked for removal and removes
10 ## directories older than the given age $MAXAGE.
11 ##
12 ## Malicious execution can mark directories for purging, but if $MAXAGE is chosen not
13 ## too short, this will be detected by the owner and no data will get lost.
14
15 USERID=$1
16 MOUNTED_HOMEDIR=$2
17
18 ## minimum age to keep a directory before it is purged
19 ## in days (only integer values):
20
21 MAXAGE_DAYS=500
22
23 ####################################
24
25 MAXAGE_SEC=$(( $MAXAGE_DAYS*24*60*60 ))
26
27 [ -d $HOMEDIR ] || exit 1
28
29 PREFIX=/net
30 HOSTNAME=$(hostname -s)
31 echo "$MOUNTED_HOMEDIR" | egrep -q "^$PREFIX/$HOSTNAME.*$USERID" || exit 1
32
33 HOMEDIR="$MOUNTED_HOMEDIR"
34
35 ## move mail directory to home directory
36 if [ -d /var/mail/$USERID ]; then
37 mkdir -p $HOMEDIR/Maildir/
38 mv /var/mail/$USERID/* $HOMEDIR/Maildir/
39 rmdir /var/mail/$USERID
40 fi
41
42 ## rename home directory and delete principal:
43 HOME=`dirname $HOMEDIR`
44 RM_HOMEDIR="$HOME/rm_"`date "+%Y%m%d"`"_"`basename $HOMEDIR`
45 mv $HOMEDIR $RM_HOMEDIR
46
47 chown root:root $RM_HOMEDIR
48 chmod go-rwx $RM_HOMEDIR
49
50 kadmin.local -q "delete_principal -force $USERID"
51 logger -p notice Home directory \'$HOMEDIR\' marked for deletion and principal \'$USERID\' removed.
52 for DIR in `find $HOME -maxdepth 1 -type d -regextype posix-egrep -regex ".*/rm_[0-9]{8}_[^/]+"` ; do
53 RMDATE=`echo $DIR | sed "s/.*rm_\([0-9]\{8\}\)_.*/\1/"`
54 AGE=$(( `date +"%s"`-`date +"%s" -d $RMDATE` ))
55 if [ $AGE -gt $MAXAGE_SEC ] ; then
56 rm -rf $DIR
57 echo logger -p notice Home directory \'$DIR\' purged.
58 fi
59 done
60
61 exit 0
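Review bot: The guard at script line 27, `[ -d $HOMEDIR ] || exit 1`, tests a variable that is not assigned until line 33, so with `$HOMEDIR` empty it degenerates to the one-argument `[ -d ]`, which is always true, and the script goes on to `mv`/`chown`/`chmod` a path that was never confirmed to be a directory; it should read `[ -d "$MOUNTED_HOMEDIR" ] || exit 1`. Line 57, `echo logger -p notice ...`, only prints the command instead of running it, so purges are never logged — drop the `echo` (and quote `"$DIR"` in the `rm -rf` on line 56). The `egrep` check at line 31 interpolates `$USERID` as a regular expression with `.*` in between, which is a much weaker ownership check than an exact comparison such as `[ "$MOUNTED_HOMEDIR" = "$PREFIX/$HOSTNAME/$USERID" ] || exit 1`, assuming that is the mount layout (not visible here). Assigning `HOME` at line 43 clobbers the environment variable for the rest of the script; a name like `PARENT_DIR` avoids surprising `kadmin.local` or `date`.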
0 #!/bin/sh
1
2 set -ex
3
4 ## This script is run by www-data using sudo. Keep that in mind!
5 ## Make sure that malicious execution cannot hurt.
6 ##
7 ## This script synchronizes the kerberos password of principals to the posix password
8 ## whenever the password is changed in ldap by gosa. To make sure only authorized
9 ## changes happen, it is tested if the supplied password corresponds to the supplied
10 ## distinguished name in ldap.
11 ##
12 ## A caller not knowing the correct ldap password cannot change the principal's one.
13
14 USERDN="$1"
15 set +x
16 NEWPW="$USERPASSWORD"
17 set -x
18 USERID=`echo $USERDN | tr A-Z a-z | sed "s/^uid=\([^,]*\),.*$/\1/"`
19 PATH="/usr/bin:/usr/sbin:/bin:/sbin"
20
21 ## check if provided password corresponds to hash saved in ldap database:
22 #set +e
23 #IAM=`ldapwhoami -x -Z -w "$NEWPW" -D "$USERDN" 2>/dev/null | perl -p00e 's/\r?\n //g' | tr [A-Z] [a-z]`
24 #if [ "$IAM" = "dn:$USERDN" ] ; then
25 # set -e
26 kadmin.local -q "change_password -pw \"$NEWPW\" \"$USERID\"" 1>/dev/null && echo "Updated Kerberos password for user '$USERID'.<br />"
27 logger -t FusionDirectory-PwHook "Updated Kerberos password for user '$USERID'."
28 #else
29 # echo "Warning: Could not verify password for '$USERID'. Nothing done.<br />"
30 # logger -t FusionDirectory-PwHook "Warning: Could not verify password for '$USERID'. Nothing done."
31 # exit 1
32 #fi
33
34 exit 0
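Review bot: The `ldapwhoami` verification at script lines 22–32 is commented out, so the authorization property the header (lines 8–12) promises — that a caller without the correct LDAP password cannot change a principal's password — does not hold as shipped; either restore the check or rewrite the header to say plainly that the hook trusts whoever sudo allows to invoke it. Independently, `set -x` is re-enabled at line 17 and is still active at line 26, where `$NEWPW` is expanded inside the `kadmin.local -q` string, so the trace writes the cleartext password to stderr; wrap that line in `set +x` / `set -x` or drop `-x` from line 2 altogether. The password is also visible in `kadmin.local`'s argv for the duration of the call; `kadmin.local` accepts commands on stdin, which would keep it out of argv if its password prompt can be driven non-interactively (worth checking). `PATH` is hardened at line 19 only after `tr` and `sed` have already run at line 18, and `$USERID` derived there is not validated before it reaches the kadmin query; move the `PATH` assignment above line 18 and add the same allow-list check the other hooks need.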