initial public commit

2012-08-26 21:33:59 +02:00 · 2012-08-26 21:33:59 +02:00 · be6ce99519
commit be6ce99519
27 changed files with 312 additions and 0 deletions
--- a/8
+++ b/8
@ -0,0 +1,8 @@
+Bash scripts for Hackerspace.pl LDAP administration.
+
+To activate, type bin/activate.
+
+To get help, type help.
+
+The effects of issued commands end up in a buffer file, by default ~/.ldap-admin.ldif . To make them persistent, issue the commit command. If successful, it will clear the buffer. Otherwise the buffer will remain unchanged.
+
--- a/bin/activate
+++ b/bin/activate
@ -0,0 +1,5 @@
+#!/bin/sh
+#% activate
+#% Starts an LDAP admin shell. Exit with ^D. Recursion at your own goddamn risk.
+BIN_DIR=`readlink -f "$0" | xargs dirname`
+BIN_DIR=$BIN_DIR bash --rcfile $BIN_DIR/../lib/adminrc -s
--- a/bin/add-dn-to-ldap-group
+++ b/bin/add-dn-to-ldap-group
@ -0,0 +1,11 @@
+#!/bin/bash
+#% add-dn-to-ldap-group dn group
+#% Add dn to group. group should be a regular LDAP groupOfNames
+. $LIB_DIR/common.sh
+if [[ $# < 2 ]]; then 
+  show-usage
+  exit 1
+fi
+tag-begin "Add DN $1 to group $2"
+basic-attr-op add $2 member $1
+tag-end
--- a/bin/add-to-posix-group
+++ b/bin/add-to-posix-group
@ -0,0 +1,11 @@
+#!/bin/bash
+#% add-to-posix-group login group
+#% Add user (identified by login) to group. group should be a posixGroup
+. $LIB_DIR/common.sh
+if [[ $# < 2 ]]; then 
+  show-usage
+  exit 1
+fi
+tag-begin "Add user $1 to posix group $2"
+basic-attr-op add "$2" memberUid "$1"
+tag-end
--- a/bin/add-to-wiki
+++ b/bin/add-to-wiki
@ -0,0 +1,4 @@
+#!/bin/bash
+#% add-to-wiki user
+#% Give user access to wiki.
+add-user-to-ldap-group $1 'cn=user,dc=wiki,dc=hackerspace,dc=pl'
--- a/bin/add-user
+++ b/bin/add-user
@ -0,0 +1,25 @@
+#!/bin/bash
+#% add-user [--full]
+#% (Interactively) adds a user to LDAP.
+#%      --full : grant full member privileges (add to itanic-shell, xmpp and vpn)
+. $LIB_DIR/common.sh
+
+function readvar() {
+	vname=$1
+	prompt=${2:-$1}
+	echo -n "$prompt: "
+	read $vname
+}
+
+uid=$((`maxuid`+1))
+readvar login "Login"
+readvar cn "Full name"
+readvar email "Email"
+
+raw-add-user $login "$cn" "$email"
+add-to-wiki $login
+create-posix-group $login $uid
+
+if [ "$1" = "--full" ]; then
+  grant-member-privileges $login
+fi
--- a/bin/add-user-to-ldap-group
+++ b/bin/add-user-to-ldap-group
@ -0,0 +1,9 @@
+#!/bin/bash
+#% add-user-to-ldap-group login groupdn
+#% Add user with login=login to group groupdn. groupdn should be a regular LDAP groupOfNames
+. $LIB_DIR/common.sh
+if [[ $# < 2 ]]; then 
+  show-usage
+  exit 1
+fi
+add-dn-to-ldap-group "uid=$1,ou=People,dc=hackerspace,dc=pl" "$2"        
--- a/bin/all-users
+++ b/bin/all-users
@ -0,0 +1,4 @@
+#!/bin/bash
+#% all-users
+#% List the logins of all users in LDAP
+ldapsearch -x -ZZ -b 'ou=People,dc=hackerspace,dc=pl' | grep ^uid: | cut -d' ' -f2
--- a/bin/commit
+++ b/bin/commit
@ -0,0 +1,11 @@
+#!/bin/bash
+#% commit
+#% Attempt to commit the buffer to the LDAP server using your credentials.
+
+. $LIB_DIR/common.sh
+ldapmodify -x -ZZ -W -D $ME -f $LDIF_BASE
+if [ $? -eq 0 ]; then
+  discard
+else
+  echo "Modification failed!" >&2
+fi
--- a/bin/create-posix-group
+++ b/bin/create-posix-group
@ -0,0 +1,16 @@
+#!/bin/bash
+#% create-posix-group name gid
+#% Creates a posix group with name and gid 
+. $LIB_DIR/common.sh
+
+tag-begin "Create group $1 (gid: $2)"
+push <<EOF
+dn: cn=$1,ou=Group,dc=hackerspace,dc=pl
+changetype: add
+objectClass: posixGroup
+cn: $1
+gidNumber: $2
+userPassword: {crypt}x
+
+EOF
+tag-end
--- a/bin/discard
+++ b/bin/discard
@ -0,0 +1,6 @@
+#!/bin/bash
+#% discard
+#% Clear *ALL* pending operations
+
+read -p "Are you sure you want to discard ALL pending operations? (y/N)"
+[ "$REPLY" == "y" ] && : > $LDIF_BASE
--- a/bin/enable-itanic-shell
+++ b/bin/enable-itanic-shell
@ -0,0 +1,7 @@
+#!/bin/bash
+#% enable-itanic-shell user
+#% Give user shell access to itanic. User still needs a valid login shell.
+add-to-posix-group $1 'cn=itanic-shell,ou=Group,dc=hackerspace,dc=pl'
+msg "A home directory on itanic is needed for $1."
+msg "You can create it by running:"
+msg "  [itanic ~ #] cp -R /etc/skel /home/$1"
--- a/bin/enable-proliant-shell
+++ b/bin/enable-proliant-shell
@ -0,0 +1,7 @@
+#!/bin/bash
+#% enable-proliant-shell user
+#% Give user shell access to proliant User still needs a valid login shell.
+add-to-posix-group $1 'cn=proliant-shell,ou=Group,dc=hackerspace,dc=pl'
+msg "A home directory on itanic is needed for $1."
+msg "You can create it by running:"
+msg "  [proliant ~ #] cp -R /etc/skel /home/$1"
--- a/bin/enable-vpn
+++ b/bin/enable-vpn
@ -0,0 +1,4 @@
+#!/bin/bash
+#% enable-vpn user
+#% Give user access to VPN
+add-user-to-ldap-group $1 'cn=vpn-users,ou=Group,dc=hackerspace,dc=pl'
--- a/bin/enable-xmpp
+++ b/bin/enable-xmpp
@ -0,0 +1,4 @@
+#!/bin/bash
+#% enable-xmpp user
+#% Give user access to XMPP.
+add-user-to-ldap-group $1 'cn=xmpp-users,ou=Group,dc=hackerspace,dc=pl'
--- a/bin/grant-member-privileges
+++ b/bin/grant-member-privileges
@ -0,0 +1,7 @@
+#!/bin/bash
+#% grant-member-privileges user
+#% shortcut - adds user to itanic-shell, vpn-users and xmpp-users.
+enable-itanic-shell $1
+enable-xmpp $1
+enable-vpn $1
+set-shell $1 /bin/bash
--- a/bin/help
+++ b/bin/help
@ -0,0 +1,10 @@
+#!/bin/bash
+#% help [command]
+#% Describe command. If command is not given, show this message.
+CMD=${1:-help}
+grep '^#%.*' `which $CMD` | sed -e "s/^#%//"
+if [[ "$CMD" == "help" ]]; then
+  echo
+  echo "Available commands are:"
+  ls $BIN_DIR
+fi
--- a/bin/messages
+++ b/bin/messages
@ -0,0 +1,4 @@
+#!/bin/bash
+#% show-messages
+#% Shows messages recorded by not-yet-commited commands. 
+show-ldif | grep "#!" | sed -e "s/#!//"
--- a/bin/msg
+++ b/bin/msg
@ -0,0 +1,6 @@
+#!/bin/bash
+#% msg message
+#% INTERNAL/DEV: record a message for the admin shell user. It will be emitted upon calling and after commiting changes.
+. $LIB_DIR/common.sh
+push <<<"#!`date`: $@"
+echo "$@"
--- a/bin/raw-add-user
+++ b/bin/raw-add-user
@ -0,0 +1,46 @@
+#!/bin/bash
+#% raw-add-user login "Full Name" "email"
+#% INTERNAL add user
+
+. $LIB_DIR/common.sh
+login="$1"
+cn="$2"
+email="$3"
+idnumber=$(( `maxuid` + 1))
+gecos=`sed -e "y/ąćęłńóśźżĄĆĘŁŃÓŚŹŻ/acelnoszzACELNOSZZ/" <<<"$cn"`
+read -r gn sn <<<"$cn"
+
+
+tag-begin "Adding user $login"
+push <<EOF
+dn: uid=$login,ou=People,dc=hackerspace,dc=pl
+changeType: add
+objectClass: inetLocalMailRecipient
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: top
+objectClass: shadowAccount
+objectClass: ldapPublicKey
+objectClass: hsMember
+shadowLastChange: 15022
+shadowMax: 99999
+shadowWarning: 7
+loginShell: /bin/false
+uidNumber: $idnumber
+gidNumber: $idnumber
+homeDirectory: /home/$login
+cn: $cn
+gecos: $gecos
+givenName: $gn
+surname: $sn
+uid: $login
+mail: $email
+mailRoutingAddress: $email
+userPassword: {crypt}x
+mailHost: hackerspace.pl
+
+EOF
+tag-end
+msg "Don't forget to set a password for $login."
--- a/bin/replace-attribute
+++ b/bin/replace-attribute
@ -0,0 +1,6 @@
+#!/bin/bash
+#% replace-attribute targetDn attrName newValue
+#% Replace the value of attribute attrName on targetDn, whatever that happens to mean
+
+. $LIB_DIR/common.sh
+basic-attr-op 'replace' $@
--- a/bin/set-shell
+++ b/bin/set-shell
@ -0,0 +1,5 @@
+#!/bin/bash
+#% set-shell user [shell]
+#% Sets the login shell for user to shell (defaults to /bin/bash)
+loginShell=${2:-/bin/bash}
+replace-attribute "uid=$1,ou=People,dc=hackerspace,dc=pl" loginShell $loginShell
--- a/bin/show-ldif
+++ b/bin/show-ldif
@ -0,0 +1,10 @@
+#!/bin/bash
+#% show-ldif
+#% Show operations not yet commited in ldif form
+
+if [ $LDAP_SHELL -ne 1 ]; then
+  echo "Not running in LDAP shell mode" >&2
+  return 1
+else
+  cat $LDIF_BASE
+fi
--- a/bin/show-pending
+++ b/bin/show-pending
@ -0,0 +1,10 @@
+#!/bin/bash
+#% show-pending 
+#% Show operations not yet commited in symbolic form
+
+if [ $LDAP_SHELL -ne 1 ]; then
+  echo "Not running in LDAP shell mode" >&2
+  return 1
+else
+  grep "^#%" $LDIF_BASE | sed -e "s/^#%//"
+fi
--- a/bin/validate
+++ b/bin/validate
@ -0,0 +1,6 @@
+#!/bin/bash
+#% validate
+#% Attempt to validate the buffer of pending operations.
+#% This will probably not catch constraint violations and missing DNs. Sorry.
+
+(ldapmodify -x -n -ZZ -f $LDIF_BASE && echo "Everything seems fine.") || echo "Something's wrong."
--- a/lib/adminrc
+++ b/lib/adminrc
@ -0,0 +1,17 @@
+. ~/.bashrc # for convenience
+export LDAP_SHELL=1
+export TAG_PREFIX="#%"
+export TAG_DEPTH=0
+export LDIF_BASE=~/.ldap-admin.ldif
+PS1="(ldap)$PS1"
+export BASE_DIR="${BIN_DIR%/bin}"
+export LIB_DIR="$BASE_DIR/lib"
+export ME="uid=$USER,ou=People,dc=hackerspace,dc=pl"
+PATH="$PATH:$BIN_DIR"
+touch $LDIF_BASE
+chmod 600 $LDIF_BASE
+
+alias help="$BIN_DIR/help"
+alias import_common=". $LIB_DIR/common.sh"
+
+echo "Type \"help\" for available commands."
--- a/lib/common.sh
+++ b/lib/common.sh
@ -0,0 +1,53 @@
+#!/bin/bash
+LDAP_SHELL=${LDAP_SHELL:-0}
+function push() {
+  if [ $LDAP_SHELL -ne 1 ]; then
+    cat $@
+  else
+    cat $@ >> $LDIF_BASE
+  fi
+}
+
+function pop() {
+  if [ $LDAP_SHELL -eq 1 ]; then
+    :
+  fi
+}
+
+function discard() {
+  : > $LDIF_BASE
+}
+
+function basic-attr-op() {
+tag-begin "$1 attribute $3 on DN $2 (value $4)"
+push <<EOF
+dn: $2
+changetype: modify
+$1: $3
+$3: $4
+
+EOF
+tag-end
+}
+
+function maxgid() {
+        ldapsearch -x -ZZ -b 'ou=Group,dc=hackerspace,dc=pl' | grep gidNumber | cut -d' ' -f2 | sort -n | tail -n1
+}
+
+function maxuid() {
+        ldapsearch -x -ZZ -b 'ou=People,dc=hackerspace,dc=pl' | grep uidNumber | cut -d' ' -f2 | sort -n | tail -n1
+}
+
+function show-usage() {
+        $BIN_DIR/help `basename $0`
+}
+
+function tag-begin() {
+        push <<<"$TAG_PREFIX`printf "%*c" $((4 * $TAG_DEPTH )) " "; date`: $@"
+        ((TAG_DEPTH+=1))
+}
+
+function tag-end() {
+        ((TAG_DEPTH-=1))
+}
+