Commit 068362d8 authored by vernada's avatar vernada

deprecated stuff

parent 64de715a
#!/usr/bin/perl
#
use strict;
use warnings;
#
use Data::Dumper;
use CGI qw/:standard start_ol/;
use Config::IniFiles;
use File::Basename;
use Net::LDAP;
use Data::Dumper;
# unbuffered output:
$| = 1;
BEGIN {
my $iniFile = new Config::IniFiles( -file => "/opt/etc/ini/global.ini" );
push( @INC, $iniFile->val( 'APPLICATION', 'LIBRARY' ) );
}
use SNET::access;
use SNET::common;
use SNET::html;
use SNET::ActiveDirectory;
use vars qw($verbose $debug $help $env $script $cli_mode $action $IM $username $belongs_iss3 $belongs_network $belongs_security $belongs_admin $migration $ldap_admin $ldap_passwd);
$debug = 0;
$verbose = 0;
( $script ) = split( /\./, basename( $0 ) );
my $title = "LDAP Add User";
my $function = $title;
$function =~ s/\s/_/g;
my $href = "";
my $header = "";
my $html_msg = "";
my $global_iniFile = new Config::IniFiles( -file => "/opt/etc/ini/global.ini" );
$env = "test"; # "prod";
( $html_msg ) = Access_snet_script_head( $script, $global_iniFile, $ENV, $env );
# Get current user
my $run_user = '';
if ( defined( $ENV{"HTTP_AUTHUSER"} ) ) {
$run_user = $ENV{"HTTP_AUTHUSER"};
}
if ( $cli_mode && ( $run_user eq '' ) ) {
$run_user = $ENV{"USERNAME"};
}
if ( defined( $run_user ) ) {
$run_user =~ s/uid=//;
$run_user =~ s/,.*$//g;
}
=head1 print_prompt - HTML Form
Display the HTML Form parameters.
Arguments:
- Login name:
- Text field to write the new login name to be created. The username should already exist in Net1.
- IM:
- Text field to write the SMT IM associated with the request.
- Options:
- iss3,network,security: select only one where the user belong to.
- verbose: active the verbose output.
- debug: active the debug output.
=cut
sub print_prompt ($$$$)
{
my ( $ldap_admin, $ldap_passwd, $username, $IM ) = @_;
print start_form( -enctype => &CGI::MULTIPART );
print "<em>Administrator uid (or full dn): </em>";
print textfield(
-name => 'ldap_admin',
-default => (
$ldap_admin
? $ldap_admin
: 'cn=administrator,ou=people,ou=management,dc=ec,dc=europa,dc=eu'
),
-size => 50,
-maxlength => 80
);
print nl();
print nl();
print "<em>Administrator password: </em>";
print password_field(
-name => 'ldap_passwd',
-default => ( $ldap_passwd ? $ldap_passwd : '' ),
-size => 50,
-maxlength => 100
);
print nl();
print nl();
print "<em>Login name (same as net1): </em>";
print textfield(
-name => 'username',
-default => ( $username ? $username : '' ),
-size => 50,
-maxlength => 80
);
print nl();
print nl();
print "<em>IM (Full SMT ticket number): </em>";
print textfield(
-name => 'IM',
-default => ( $IM ? $IM : '' ),
-override => 1,
-size => 50,
-maxlength => 100
);
print nl();
print nl();
print "<em>Options: </em>" . nl();
print checkbox_group(
-name => 'belongs',
-values => [ 'administrator', 'iss3', 'network', 'security', 'migration', 'verbose', 'debug' ],
-linebreak => 'true'
);
print nl();
print "<p>", submit( 'action', 'Submit' ), reset;
print end_form();
}
=head1 do_work - HTML Parameters
display the parameters passed to the web interface.
Arguments: None
=cut
sub do_work ()
{
my ( @values, $key );
return if ( !param );
print "<h2>Here are the current settings used for the $title processor</h2>";
foreach $key ( param ) {
next if ( $key =~ /passw/i );
print "<strong>$key</strong> -> ";
@values = param( $key );
print join( ", ", @values ) . nl();
}
print nl() . nl();
}
$action = '';
my $old_people_tree = "ou=People,dc=snmc,dc=cec,dc=eu,dc=int";
my $new_people_tree = "ou=people,ou=SNet,ou=2,ou=C,o=DIGIT,dc=ec,dc=europa,dc=eu";
my $new_dead_people_tree = "ou=expired,ou=SNet,ou=2,ou=C,o=DIGIT,dc=ec,dc=europa,dc=eu";
$IM = param( 'IM' ) if ( defined( param( 'IM' ) ) && ( param( 'IM' ) !~ /^$/ ) && ( param( 'IM' ) =~ /^IM\d+$/ ) );
$action = param( 'action' ) if ( defined( param( 'action' ) ) && ( param( 'action' ) !~ /^$/ ) && ( param( 'action' ) =~ /^\w+$/ ) );
$username = param( 'username' ) if ( defined( param( 'username' ) ) && ( param( 'username' ) !~ /^$/ ) && ( param( 'username' ) =~ /^[\w-]+$/ ) );
if ( defined( param( 'ldap_admin' ) ) && ( param( 'ldap_admin' ) !~ /^$/ ) && ( param( 'ldap_admin' ) =~ /^[\w=,-]+$/ ) ) {
$ldap_admin = param( 'ldap_admin' );
if ( $ldap_admin !~ /,/ ) {
$ldap_admin = 'uid=' . $ldap_admin . ',' . $new_people_tree;
}
}
$ldap_passwd = param( 'ldap_passwd' ) if ( defined( param( 'ldap_passwd' ) ) && ( param( 'ldap_passwd' ) !~ /^$/ ) );
$belongs_admin = 0;
$belongs_iss3 = 0;
$belongs_network = 0;
$belongs_security = 0;
$migration = 0;
my $pcount = 0;
if ( ( defined( param( 'belongs' ) ) && ( param( 'belongs' ) !~ /^$/ ) ) ) {
my @values = param( 'belongs' );
my $belongs = join( ", ", @values );
$belongs =~ s/\n//;
$belongs =~ s/\r//;
$belongs =~ s/\s+//;
if ( $belongs =~ /administrator/ ) {
$belongs_admin = 1;
}
if ( $belongs =~ /iss3/ ) {
$belongs_iss3 = 1;
$pcount++;
}
if ( $belongs =~ /network/ ) {
$belongs_network = 1;
$pcount++;
}
if ( $belongs =~ /security/ ) {
$belongs_security = 1;
$pcount++;
}
$verbose = 1 if ( $belongs =~ /verbose/ );
$debug = 1 if ( $belongs =~ /debug/ );
$migration = 1 if ( $belongs =~ /migration/ );
}
print header( -charset => 'UTF-8', );
dg_header_html( $title, 1, 0, $href, $header );
print $html_msg . nl();
# TODO add only one belongs_* stuff
#$belongs_iss3 = 0;
#$belongs_network = 0;
#$belongs_security = 0;
if ( defined( $username )
&& ( $username !~ /^$/ )
&& ( $username =~ /^[\w-]+$/ )
&& defined( $IM )
&& ( $IM !~ /^$/ )
&& ( $IM =~ /^IM\d{10}$/ )
&& ( defined( $action ) )
&& ( $action eq "Submit" )
&& ( $pcount <= 1 ) ) {
do_work();
my $AiniFile = new Config::IniFiles( -file => $global_iniFile->val( 'INI', 'AD' ) );
my $adserver = $AiniFile->val( 'AD_NET1', 'SERVER' );
print "error value of adserver is undefined" if ( !defined( $adserver ) );
my $aduser = $AiniFile->val( 'AD_NET1', 'USER' );
print "error value of aduser is undefined" if ( !defined( $aduser ) );
my $adpasswd = $AiniFile->val( 'AD_NET1', 'PASSWORD' );
print "error value of adpasswd is undefined" if ( !defined( $adpasswd ) );
my $attrs = [ 'displayName', 'mail' ];
my ( $mail, $name ) = ( '', '' );
print "Searching Net1 for userlogin : '$username'" . nl();
my $ad = Net::LDAP->new( $adserver )
or die "Could not connect to AD: $adserver!";
$ad->bind( $aduser, password => $adpasswd );
#my $searchbase = 'OU=Users_ITIC,OU=DIGIT,OU=DGs,DC=net1,DC=cec,DC=eu,DC=int';
my $searchbase = 'OU=DIGIT,OU=DGs,DC=net1,DC=cec,DC=eu,DC=int';
my $filter = "sAMAccountName=$username";
my $results = $ad->search( base => $searchbase, filter => $filter, attrs => $attrs );
if ( ( $results->code ) && ( $results->code != 32 ) ) {
print "Code:" . $results->code . " '" . $results->error . "'" . nl();
$ad->unbind;
exit 1;
}
my $count = $results->count;
if ( $count != 1 ) {
print "More than 1 entries fetched from the AD Net1. Do not know what to do. One and only one entry should be found." . nl();
$ad->unbind;
exit;
} else {
print "'$count' record fetched from Net1." . nl();
}
my $entry = $results->entry( 0 );
$mail = $entry->get_value( 'mail' );
$name = $entry->get_value( 'displayName' );
$name =~ s/\s\(.*$//;
$mail = lc( $mail );
$ad->unbind;
undef $results;
print "Pursuing the addition of user '$username' with parameters:" . nl();
print " - Realname: '$name'" . nl();
print " - Email: '$mail'" . nl();
print br;
# Check if username already exist
my $ldap_server = 'ldap.snmc.cec.eu.int';
my $homeserver = "home.snmc.cec.eu.int";
my $ldap_min_uid = 2000;
my $ldap_max_uid = 10000;
print "Connecting to $ldap_server..." . nl();
my $ldap = Net::LDAP->new( $ldap_server, onerror => sub { print "oups! " . $_[0]->error() . nl(); return undef; }, ) or die "$@";
$ldap->start_tls( verify => 'require',
cafile => '/usr/share/ca-certificates/cec.eu.int/cec.eu.int_CA.crt', );
$ldap->bind( $ldap_admin, password => $ldap_passwd );
print "Searching directory for existing uid: $username" . nl();
$results = $ldap->search( base => $new_people_tree, filter => "(uid=$username)", attrs => [ "cn", "uidNumber" ] );
if ( defined( $results ) ) {
$results->code && die $results->error;
$count = $results->count;
if ( $count != 0 ) {
print "Account already exist ('$count') in SNet LDAP. stopping process." . nl();
$entry = $results->entry( 0 );
print "cn: " . $entry->get_value( 'cn' ) . " uid " . $entry->get_value( 'uidNumber' ) . nl();
$ldap->unbind;
exit;
}
undef $results;
} else {
print "Did not found any existing entry in the LDAP SNet directory." . nl();
}
$results = $ldap->search( base => $new_dead_people_tree, filter => "(uid=$username)", attrs => [ "cn", "uidNumber" ] );
if ( defined( $results ) ) {
# TODO: branch does not yet exist...
if ( ( $results->code ) && ( $results->code != 32 ) ) {
print "Code:" . $results->code . " '" . $results->error . "'" . nl();
$ldap->unbind;
exit 1;
}
$count = $results->count;
if ( $count != 0 ) {
print "Account already exist in SNet LDAP for the old members! stopping process." . nl();
$ldap->unbind;
exit;
} else {
print "Did not found any existing entry in the LDAP SNet old members directory." . nl();
}
}
undef $results;
my $old_ldap;
my $old_ldap_server = 'snmc-ldapns.snmc.cec.eu.int';
my $old_admin = 'cn=Directory Manager';
my $old_passwd = 'DirectoryM!';
my $old_password;
my $old_uidnumber;
my @old_description;
my $old_result = 0;
my $next_free_uidnumber;
if ( $migration ) {
print "Checking if this is a migration from old directory..." . nl();
eval {
$old_ldap = Net::LDAP->new( $old_ldap_server, onerror => sub { print "oupsi! " . $_[0]->error() . nl(); return undef; }, )
or die "Could not connect to $old_ldap_server!";
$old_ldap->bind( $old_admin, password => $old_passwd );
$results = $old_ldap->search( base => $old_people_tree, filter => "(uid=$username)", attrs => [ "userPassword", "uidNumber", "description" ] );
if ( defined( $results ) && ( $results->count == 1 ) ) {
$old_password = $results->entry->get_value( 'userPassword' );
$old_uidnumber = $results->entry->get_value( 'uidNumber' );
@old_description = $results->entry->get_value( 'description' );
print "Found an uid matching with uidnumber : $old_uidnumber" . nl();
if ( defined( $old_uidnumber ) ) {
undef $results;
$results = $ldap->search( base => $new_people_tree, filter => "(uidNumber=$old_uidnumber)", attrs => ["cn"] );
if ( $results->count != 0 ) {
undef $old_uidnumber;
} else {
$next_free_uidnumber = $old_uidnumber;
}
undef $results;
}
$old_result = 1;
} else {
print "seems to be a new user" . nl();
}
$old_ldap->unbind;
};
if ( $@ ) {
print "oupsi! $@" . nl();
$old_ldap->unbind;
}
}
undef $results;
if ( !( defined( $old_uidnumber ) ) ) {
print "Allocating a new uidNumber..." . nl();
# fetching all the uid, to find the next available uid
# first tree... the living one...
$results = $ldap->search( base => $new_people_tree, filter => "(&(objectClass=posixAccount)(uid=*))", attrs => [ "cn", "uidNumber" ] );
exit 1 unless defined( $results );
if ( ( $results->code ) && ( $results->code != 32 ) ) {
print "Code:" . $results->code . " '" . $results->error . "'" . nl();
$ldap->unbind;
exit 1;
}
$count = $results->count;
if ( $count != 0 ) {
print "found $count already used uid(s)" . nl();
}
my %blah;
foreach my $entry ( $results->entries ) {
# $entry->dump;
my $uid = $entry->get_value( 'cn' );
my $uidnumber = $entry->get_value( 'uidNumber' );
if ( defined( $blah{$uidnumber} ) ) {
$blah{$uidnumber} = $blah{$uidnumber} + 1;
} else {
if ( ( $uidnumber >= $ldap_min_uid ) && ( $uidnumber < 10000 ) ) {
$blah{$uidnumber} = 1;
}
}
}
undef $results;
# searching the dead one...
$results = $ldap->search( base => $new_dead_people_tree, filter => "(uid=*)", attrs => [ "cn", "uidNumber" ] );
if ( defined( $results ) ) {
if ( ( $results->code ) && ( $results->code != 32 ) ) {
print "Code:" . $results->code . " '" . $results->error . "'" . nl();
$ldap->unbind;
exit 1;
}
foreach my $entry ( $results->entries ) {
# $entry->dump;
my $uid = $entry->get_value( 'cn' );
my $uidnumber = $entry->get_value( 'uidNumber' );
if ( defined( $blah{$uidnumber} ) ) {
$blah{$uidnumber} = $blah{$uidnumber} + 1;
} else {
if ( ( $uidnumber >= $ldap_min_uid ) && ( $uidnumber < $ldap_max_uid ) ) {
$blah{$uidnumber} = 1;
}
}
}
undef $results;
}
foreach my $key ( sort { $a <=> $b } ( keys( %blah ) ) ) {
if ( $blah{$key} > 1 ) {
print "WARNING : uid number $key is used several time!" . nl();
}
}
for ( $next_free_uidnumber = $ldap_min_uid ; $next_free_uidnumber <= $ldap_max_uid ; $next_free_uidnumber++ ) {
if ( !defined( $blah{$next_free_uidnumber} ) ) {
last;
}
}
}
if ( $next_free_uidnumber < $ldap_max_uid ) {
print "next free uid number : $next_free_uidnumber" . nl();
} else {
print "No more uid number available!" . nl();
exit 1;
}
my $uidn = $next_free_uidnumber;
my $gidn = 3500; # gid is snmc...
my $description = ();
my $folder = '';
if ( $belongs_admin ) {
$belongs_admin = 'cn=admin,ou=groups,ou=SNet,ou=2,ou=C,o=DIGIT,dc=ec,dc=europa,dc=eu';
}
if ( $belongs_network ) {
if ( $old_result ) {
push( @$description, @old_description );
} else {
push( @$description, 'RPRO' );
push( @$description, 'PSRO' );
push( @$description, 'CWRW' );
}
$folder = 'cn=network,ou=groups,ou=SNet,ou=2,ou=C,o=DIGIT,dc=ec,dc=europa,dc=eu';
} elsif ( $belongs_security ) {
if ( $old_result ) {
push( @$description, @old_description );
} else {
push( @$description, 'RPRW' );
push( @$description, 'PSRW' );
push( @$description, 'CWRO' );
}
$folder = 'cn=security,ou=groups,ou=SNet,ou=2,ou=C,o=DIGIT,dc=ec,dc=europa,dc=eu';
} elsif ( $belongs_iss3 ) {
if ( $old_result ) {
push( @$description, @old_description );
} else {
push( @$description, 'RPRW' );
push( @$description, 'PSRW' );
push( @$description, 'CWRA' );
}
$folder = 'cn=iss3,ou=groups,ou=SNet,ou=2,ou=C,o=DIGIT,dc=ec,dc=europa,dc=eu';
} else {
print "ignoring old attributes as no group membership was specified" . nl();
#if ($old_result) {
# push( @$description, @old_description );
#}
#else {
push( @$description, 'RPRO' );
push( @$description, 'PSRO' );
push( @$description, 'CWRO' );
#}
}
#my $uid_dn = "uid=${username},ou=${folder},".$new_people_tree;
my $uid_dn = "uid=${username}," . $new_people_tree;
print "Creating user '$username' using the following parameters:" . nl();
print " - Realname: '$name'" . nl();
print " - Email: '$mail'" . nl();
print " - UID number: '$uidn'" . nl();
print " - GID number: '$gidn'" . nl();
print " - description: " . Dumper( $description ) . nl();
print " - uid_dn: '$uid_dn'" . nl();
print " - AUDIT: '$IM;$run_user;A;" . time . "'" . nl();
print br;
# Need to SSH to home.snmc.cec.eu.int
# if ( ! -d "/opt/home/$username" ) {
# print "Creation directory";
# system "mkdir /opt/home/$username";
# system "chown $next_free_uidnumber:3500 /opt/home/$username";
# }
my $attr = [
'cn' => $username,
'sn' => $username,
'uid' => $username,
'uidNumber' => $uidn,
'gidNumber' => $gidn,
'description' => $description,
'mail' => $mail,
'gecos' => $name,
'homeDirectory' => "/home/$username",
'loginShell' => '/bin/ksh',
'shadowLastChange' => '11640',
'shadowFlag' => '0',
'auditInformation' => "$IM;$run_user;A;" . time,
'objectClass' => [ 'inetOrgPerson', 'organizationalPerson', 'person', 'posixAccount', 'shadowAccount', 'simpleSecurityObject', 'Audit', 'top' ],
];
my $pass;
if ( $old_result && defined( $old_password ) ) {
$pass = $old_password;
my $ppolicy = "cn=migration,ou=policies,ou=SNet,ou=2,ou=C,o=DIGIT,dc=ec,dc=europa,dc=eu";
unshift( @{$attr}, 'pwdConstraintSubentry' => $ppolicy, 'pwdPolicySubentry' => $ppolicy );
} else {
$pass = '{CLEARTEXT}P@ssword01';
}
unshift( @{$attr}, 'userPassword' => $pass );
print "adding to the SNet LDAP server '$ldap_server'" . nl();
$results = $ldap->add( $uid_dn, attr => $attr, );
if ( ( $results->code ) && ( $results->code != 32 ) ) {
print "Code:" . $results->code . " '" . $results->error . "'" . nl();
$ldap->unbind;
exit 1;
}
$results->code && warn "failed to add entry: ", $results->error;
undef $results;
# $result = $ldap->modify( "cn=snmc,ou=group,dc=snmc,dc=cec,dc=eu,dc=int", add => { memberUid => $username } );
# $result->code && warn "failed to modify group snmc: ", $result->error ;
# $result = $ldap->modify( "cn=NS,ou=group,dc=snmc,dc=cec,dc=eu,dc=int", add => { memberUid => $username } );
# $result->code && warn "failed to modify group: ", $result->error ;
print "User '$username' created." . nl();
if ( $belongs_admin ) {
$results = $ldap->modify( $belongs_admin, add => { member => [$uid_dn] } );
if ( defined( $results ) ) {
print "user added to admin group" . nl();
undef $results;
} else {
print "fail to add user to admin group" . nl();
}
}
if ( $belongs_network || $belongs_security || $belongs_iss3 ) {
$results = $ldap->modify( $folder, add => { memberUid => [$username] } );
$folder =~ s/^cn=//;
$folder =~ s/,.*//;
if ( defined( $results ) ) {
print "user added to $folder group" . nl();
undef $results;
} else {
print "fail to add user to $folder group" . nl();
}
} else {
print "user was added without group membership" . nl();
}
} else {
if ( ( defined( $action ) ) && ( $action eq "Submit" ) ) {
if ( $pcount > 1 ) {
print "ERROR: only 1 base group is valid" . nl();
}
if ( defined( $username ) && ( $username !~ /^$/ ) && ( $username !~ /^[\w-]+$/ ) ) {
print "ERROR: username contains some unsupported characters." . nl();
}
if ( defined( $IM ) && ( $IM !~ /^$/ ) && ( $IM !~ /^IM\d{10}$/ ) ) {
print "ERROR: IM is not a valid IM number." . nl();
}
if ( defined( $ldap_admin ) && ( $ldap_admin !~ /^$/ ) && ( $ldap_admin !~ /^[\w=,-]+$/ ) ) {
print "ERROR: admin dn contains some unsupported characters." . nl();
}
}
print_prompt( $ldap_admin, $ldap_passwd, $username, $IM );
}
print '</div>';
print "<hr> <address>Snet NS Team</address><br> <a href=\"\">Home Page</a>";
print end_html;
exit 1;
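Review bot: The old-directory administrator credentials are hard-coded in the migration branch, `my $old_admin = 'cn=Directory Manager';` and `my $old_passwd = 'DirectoryM!';`, so a live secret now sits in repository history, and because the result of `$old_ldap->bind( $old_admin, password => $old_passwd );` is never checked, a failed bind makes the following search return undef and the script prints "seems to be a new user" instead of stopping. The script already reads the AD service account from an ini file via `$AiniFile->val( 'AD_NET1', 'USER' )` and `'PASSWORD'`, so the same pattern fits here: `my $old_admin = $global_iniFile->val( '<OLD_LDAP_SECTION>', 'USER' );` and `my $old_passwd = $global_iniFile->val( '<OLD_LDAP_SECTION>', 'PASSWORD' );` (placeholder section name), with the password that was committed rotated afterwards. The binds on `$ad` and `$ldap` are unchecked in the same way; capturing the message, `my $mesg = $ldap->bind( $ldap_admin, password => $ldap_passwd ); die "bind failed: " . $mesg->error if $mesg->code;`, would stop the run before it searches and adds entries under whatever identity the server fell back to. In print_prompt, `-default => ( $ldap_passwd ? $ldap_passwd : '' )` echoes the submitted administrator password back into the HTML response; dropping that default keeps it out of the page body and anything that caches or logs it. The fixed initial credential `$pass = '{CLEARTEXT}P@ssword01';` is likewise readable by anyone with the source and is shared by every account created without migration, so it is worth generating per account and delivering out of band rather than keeping it in the script.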