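#!/usr/bin/perl -w
# This code was developped by Marco Gaiarin
# taking ideas and code from smbldap-tools script by IDEALX
# (http://IDEALX.org/) and
#
# Copyright (C) 2006 Marco Gaiarin
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307,
# USA.

# Purpose of smbldap-phpgw: copy some data from the LDAP tree into the
# phpgroupware system

# CHANGELOG
#
# (Mon Jan 29 10:52:47 CET 2007)
#   + initial revision
#
# (unreleased)
#   + validate every directory value before it is interpolated into the
#     SQL written on STDOUT; emit the SQL only once all of it is valid
#   + shadow(5) counters and the -l lag are days, convert with 86400
#     (the previous 3600 produced timestamps in 1971)
#   + exit 1 when the LDAP modify fails, as documented

use strict;
use warnings;
use Getopt::Std;
use smbldap_tools;

# shadowLastChange / shadowMax (shadow(5)) and the -l lag are counted in
# days, whereas sambaPwdLastSet / sambaPwdMustChange and the phpgw*
# attributes written below are Unix timestamps in seconds.
use constant SECONDS_PER_DAY => 86400;

# Abort unless $value is a plain unsigned integer.
#
# Everything this script interpolates into SQL or stores as an ID comes
# from directory attributes, not from root's command line; a value such
# as "1; drop table phpgw_acl" must never reach STDOUT.  Returns $value.
sub require_uint {
    my ($what, $value) = @_;
    if (!defined($value) || $value !~ /^\d+$/) {
        die "$0: $what is not a non-negative integer\n";
    }
    return $value;
}

# Print $msg on STDOUT only in verbose mode (the SQL transcript shares
# STDOUT, which is why the POD tells the operator to drop -v when piping).
my %Options;
sub verbose {
    my ($msg) = @_;
    print "$0: $msg\n" if $Options{'v'};
    return;
}

my $lagtime = 180;    # days added to the password expiry, see -l

my $ok = getopts('vdspPl:h?', \%Options);
if ( !$ok || @ARGV < 1 || $Options{'?'} || $Options{'h'} ) {
    print_banner();
    print "Usage: $0 [-vdspP?h] [-l days] username\n";
    print "Available options are:\n";
    print "  -v      verbose mode\n";
    print "  -d      dry-run (do all the checks but just not update)\n";
    print "  -s      setup phpgw membership from LDAP\n";
    print "  -p      setup also password expiration\n";
    print "  -P      take password expiration data from POSIX (default: Samba)\n";
    print "  -l      lag time to relax password expiration, default $lagtime (in days)\n";
    print "  -?|-h   show this help message\n";
    exit(1);
}

if ($< != 0) {
    print STDERR "You must be root to modify an user\n";
    exit(1);
}

# -l must be a whole number of days: int("abc") would silently become 0
# and expire every account immediately.
if (defined($Options{'l'})) {
    if ($Options{'l'} !~ /^\d+$/) {
        print STDERR "$0: -l expects a non-negative number of days\n";
        exit(1);
    }
    $lagtime = int($Options{'l'});
}

# Only the first argument is used.
my $user = $ARGV[0];

# The login is handed to the smbldap_tools lookups, which build LDAP
# search filters from it; refuse the RFC 4515 filter metacharacters so a
# crafted name cannot turn a lookup into a wildcard or a different filter.
if ($user =~ /[*()\\\x00]/) {
    print STDERR "$0: invalid character in username '$user'\n";
    exit(1);
}

# Let's connect to the directory first
my $ldap_master = connect_ldap_master();

# Read user data
my $user_entry = read_user_entry($user);
if (!defined($user_entry)) {
    verbose("user $user doesn't exist");
    $ldap_master->unbind;
    exit(1);
}

my $dn          = $user_entry->dn();
my @user_groups = find_groups_of($user);
my $user_number = $user_entry->get_value('uidNumber');

# attribute => value pairs, applied with a single 'replace' at the end
my @mods;

# Add the phpgwAccount objectClass (and the attributes it carries) when
# -s is given and the entry does not have it yet.
if ( $Options{'s'}
     && !grep { /^phpgwAccount$/i } $user_entry->get_value('objectClass') ) {
    my @objectclass = $user_entry->get_value('objectClass');
    push(@mods, 'objectClass'        => [ @objectclass, 'phpgwAccount' ]);
    push(@mods, 'phpgwAccountID'     => require_uint("uidNumber of $user", $user_number));
    push(@mods, 'phpgwAccountStatus' => 'A');
    # givenName is seeded from cn, as the original did.
    push(@mods, 'givenName'          => $user_entry->get_value('cn'));
    verbose("user $user phpgwAccount ObjectClass missing added");
}

# Password expiration is handled by Samba (or the shadow attributes), so
# with -p we only copy the data into the phpgroupware attributes.
if ($Options{'p'}) {
    my ($pls, $pe);    # last password change / expiry, Unix seconds
    if ($Options{'P'}) {
        my $last = $user_entry->get_value('shadowLastChange');
        my $max  = $user_entry->get_value('shadowMax');
        if (!defined($last) || !defined($max)) {
            print STDERR "$0: user $user has no shadowLastChange/shadowMax, skipping expiration\n";
        }
        else {
            $pls = $last * SECONDS_PER_DAY;
            $pe  = $pls + ($max + $lagtime) * SECONDS_PER_DAY;
        }
    }
    else {
        my $last = $user_entry->get_value('sambaPwdLastSet');
        my $must = $user_entry->get_value('sambaPwdMustChange');
        if (!defined($last) || !defined($must)) {
            print STDERR "$0: user $user has no sambaPwdLastSet/sambaPwdMustChange, skipping expiration\n";
        }
        else {
            # NOTE(review): a "never expires" sentinel in sambaPwdMustChange
            # is copied (plus lag) as-is -- confirm phpgw accepts that.
            $pls = $last;
            $pe  = $must + $lagtime * SECONDS_PER_DAY;
        }
    }

    if (defined($pls)) {
        my $ppls = $user_entry->get_value('phpgwLastPasswordChange');
        $ppls = 0 unless defined($ppls);
        # Only move forward: never overwrite a newer phpgw value.
        if ($pls > $ppls) {
            verbose("user $user setting up phgw account expiration data");
            push(@mods, 'phpgwLastPasswordChange' => $pls);
            push(@mods, 'phpgwAccountExpires'     => $pe);
        }
    }
}

# Membership in phpgroupware (phpgw_acl table), taken from LDAP.
# The SQL is written on STDOUT; multi-db compatibility is out of scope.
# Every statement is collected first and printed only once all values
# validated, so a die() half-way can never leave the operator with a
# transcript holding the DELETE but none of the INSERTs.
if ($Options{'s'}) {
    verbose("user $user setting up phgw membership");
    my $acct = require_uint("uidNumber of $user", $user_number);
    my @sql = ("delete from phpgw_acl where acl_appname='phpgw_group' and acl_account=$acct;\n");

    foreach my $g (@user_groups) {
        my $group_entry = read_group_entry($g);
        if (!defined($group_entry)) {
            print STDERR "$0: group $g not found in LDAP, skipping\n";
            next;
        }
        next unless grep { /^phpgwGroup$/i } $group_entry->get_value('objectClass');
        my $gid = require_uint("phpgwGroupID of group $g", $group_entry->get_value('phpgwGroupID'));
        push(@sql, "insert into phpgw_acl values ('phpgw_group', $gid, $acct, 1);\n");
    }
    print @sql;
}

# apply changes (unless dry-run)
if (@mods && !$Options{'d'}) {
    my $modify = $ldap_master->modify($dn, 'replace' => { @mods });
    if ($modify->code) {
        print STDERR "$0: failed to modify entry $dn: ", $modify->error, "\n";
        $ldap_master->unbind;
        exit(1);
    }
}

# take down session
$ldap_master->unbind;

exit(0);

############################################################

=head1 NAME

smbldap-phpgw - Setup phpgw LDAP and SQL data syncing with the main LDAP tree

=head1 SYNOPSIS

smbldap-phpgw [-v] [-d] [-p] [-s] [-P] [-l days] login

=head1 DESCRIPTION

The smbldap-phpgw command (tries to) copy all the useful data from an
existing LDAP tree into the PHPGroupWare data, both on LDAP itself and
on the SQL table.

It was built as a simple tool/hack to set up phpgw accounts quickly, and
to handle the expiration, in a setup where the phpgw user/group
management itself was not the preferred way.

This script is based on smbldap-tools, which remain the first choice
for user administration.

Note that the SQL modifications are printed directly on STDOUT, so to
apply them you have to disable verbose mode and feed the output to your
SQL interpreter.  The integer values in those statements come from the
directory (uidNumber, phpgwGroupID); the script refuses to emit any SQL
unless every one of them is a plain non-negative integer.

=head1 OPTIONS
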
-v      Verbose mode, print every action taken.  Verbose messages share
        STDOUT with the generated SQL, so do not combine -v with -s when
        piping the output to a database.

-d      Dry-run: compute all needed modifications but do not apply them;
        usually used together with -v.

-s      Set up PHPGroupWare membership (stored in the phpgw_acl table)
        taking the data from LDAP.  The resulting SQL is printed on
        STDOUT and contains values read from the directory; review it
        before feeding it to the database.

-p      Sync password expiration data from POSIX (shadow) or Samba into
        PHPGroupWare.

-P      For the expiration counters, use the shadow data (by default the
        Samba data is used).

-l days Set up account expiration: this many days are added to the
        POSIX/Samba values.  Both Samba and POSIX set the *password*
        expiration time, so it must not be taken strictly as an account
        expiration.

=head1 RETURN VALUES

This script returns 0 if all goes well, 1 if something goes wrong.

=head1 SEE ALSO

smbldap-usermod(1) smbldap-useraccess(1) chage(1)

=cut

#'