Skip to content
GitLab
Select Git revision
  • dev default
  • 6378-orcid-test-method-is-wrong-and-break-orcid-saving
  • core-php8
  • master
  • 6342-update-the-locales-for-1-5
  • 6344-template-issue-when-creating-a-template-with-empty-password-error-message-should-not-be-seen
  • 6365-core-locking-mechanism-is-not-changing-the-mail-ressource-it-does-lock-the-mail-account
  • 6365-core-when-lock-mechanism-is-trigger-the-user-should-not-be-editable-if-not-unlock
  • fusiondirectory-1.5
  • fusiondirectory-1.4
  • fusiondirectory-1.3.1
  • fusiondirectory-1.3
  • fusiondirectory-1.2.3
  • fusiondirectory-1.2.2
  • fusiondirectory-1.2.1
  • fusiondirectory-1.2
  • fusiondirectory-1.1.1
  • fusiondirectory-1.1
  • fusiondirectory-1.0.20
  • fusiondirectory-1.0.19
  • fusiondirectory-1.0.18
  • fusiondirectory-1.0.17
  • fusiondirectory-1.0.16
  • fusiondirectory-1.0.15
  • fusiondirectory-1.0.14
  • fusiondirectory-1.0.13
  • fusiondirectory-1.0.12
  • fusiondirectory-1.0.11
Find file BlameHistoryPermalink
fusiondirectory-setup 75.04 KiB
1 
#!/usr/bin/perl
2
3 
########################################################################
4 
#
5 
#  fusiondirectory-setup
6 
#
7 
#  Manage fusiondirectory installs from the command line
8 
#
9 
#  This code is part of FusionDirectory (http://www.fusiondirectory.org/)
10 
#  Copyright (C) 2011-2018  FusionDirectory
11 
#
12 
#  This program is free software; you can redistribute it and/or modify
13 
#  it under the terms of the GNU General Public License as published by
14 
#  the Free Software Foundation; either version 2 of the License, or
15 
#  (at your option) any later version.
16 
#
17 
#  This program is distributed in the hope that it will be useful,
18 
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
19 
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
20 
#  GNU General Public License for more details.
21 
#
22 
#  You should have received a copy of the GNU General Public License
23 
#  along with this program; if not, write to the Free Software
24 
#  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
25 
#
26 
########################################################################
27
28 
use strict;
29 
use warnings;
30 
use 5.008;
31
32 
# used to manage files
33 
use Path::Class;
34
35 
# used for checking config dirs rights (make the translation for lstat output)
36 
use Fcntl ':mode';
37
38 
# used to handle ldap connections
39 
use Net::LDAP;
40
41 
# used to base64 encode
42 
use MIME::Base64;
43
44 
# used to generate {SSHA} password (for LDAP)
45 
use Digest::SHA;
46 
use Crypt::CBC;
47 
use Bytes::Random::Secure qw(random_string_from);
48
49 
# used to uncompress tar.gz
50 
use Archive::Extract;
51
52 
# used to copy files
53 
use File::Copy::Recursive qw(rcopy);
54
55 
#XML parser
56 
use XML::Twig;
57
58 
# To hide password input
59 
use Term::ReadKey;
60
61 
use Data::Dumper;
62
63 
# fd's directory and class.cache file's path declaration
64 
my %vars = (
65 
 fd_home          => "/var/www/fusiondirectory",
66 
 fd_cache         => "/var/cache/fusiondirectory",
67 
 fd_config_dir    => "/etc/fusiondirectory",
68 
 fd_smarty_path   => "/usr/share/php/smarty3/Smarty.class.php",
69 
 fd_spool_dir     => "/var/spool/fusiondirectory",
70 
 ldap_conf        => "/etc/ldap/ldap.conf",
7172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140
config_file => "fusiondirectory.conf", secrets_file => "fusiondirectory.secrets", locale_dir => "locale", class_cache => "class.cache", locale_cache_dir => "locale", tmp_dir => "tmp", fai_log_dir => "fai", template_dir => "template" ); my ($fd_config,$fd_secrets,$locale_dir,$class_cache,$locale_cache_dir,$tmp_dir,$fai_log_dir,$template_dir); my (@root_config_dirs,@apache_config_dirs,@config_dirs); my @plugin_types = qw(addons admin personal); my $yes_flag = 0; my %classes_hash_result = (); my %i18n_hash_result = (); my $configrdn = "cn=config,ou=fusiondirectory"; my $userrdn = "ou=people"; my $aclrolerdn = "ou=aclroles"; my $grouprdn = "ou=groups"; my $systemrdn = "ou=systems"; my $dnsrdn = "ou=dns"; my $dhcprdn = "ou=dhcp"; my $workstationrdn = "ou=workstations,ou=systems"; my $winstationrdn = "ou=computers,ou=systems"; ################################################################################################################################################# # ask a question send as parameter, and return true if the answer is "yes" sub ask_yn_question { return 1 if ($yes_flag); my ($question) = @_; print ( "$question [Yes/No]?\n" ); while ( my $input = <STDIN> ) { # remove the \n at the end of $input chomp $input; # if user's answer is "yes" if ( lc($input) eq "yes" || lc($input) eq "y") { return 1; # else if he answer "no" } elsif ( lc($input) eq "no" || lc($input) eq "n") { return 0; } } } # function that ask for an user input and do some checks sub ask_user_input { my ($thing_to_ask, $default_answer, $hide_input) = @_; my $answer; if (defined $default_answer) { $thing_to_ask .= " [$default_answer]"; } print $thing_to_ask.":\n"; if (defined $hide_input && $hide_input) { ReadMode('noecho'); } do { if ($answer = <STDIN>) { chomp $answer;
141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210
$answer =~ s/^\s+|\s+$//g; } else { $answer = ""; } } while (($answer eq "") && (not defined $default_answer)); ReadMode('restore'); if ($answer eq "") { return $default_answer; } return $answer; } # Die on all LDAP error except for «No such object» sub die_on_ldap_errors { my ($mesg) = @_; if (($mesg->code != 0) && ($mesg->code != 32)) { die $mesg->error; } } { my $indice = 0; sub find_free_role_dn { my ($ldap,$base,$prefix) = @_; my ($cn,$dn,$mesg); do { $cn = $prefix.'-'.$indice; $dn = "cn=$cn,$aclrolerdn,$base"; $indice++; $mesg = $ldap->search( base => "$dn", scope => 'base', filter => '(objectClass=*)' ); die_on_ldap_errors($mesg); } while ($mesg->count); return $cn; } } sub create_role { my ($ldap,$base,$cn,$acl) = @_; my %role = ( 'cn' => "$cn", 'objectclass' => [ 'top', 'gosaRole' ], 'gosaAclTemplate' => "0:$acl" ); if (!branch_exists($ldap, "$aclrolerdn,$base")) { create_branch($ldap, $base, $aclrolerdn); } my $role_dn = "cn=$cn,$aclrolerdn,$base"; # Add the administator role object my @options = %role; my $role_add = $ldap->add( $role_dn, attr => \@options ); # send a warning if the ldap's admin's add didn't gone well $role_add->code && die "\n! failed to add LDAP's $role_dn entry - ".$role_add->error_name.": ".$role_add->error_text; return $role_dn; } ###################################################### Password encryption ######################################################################### sub cred_encrypt { my ($input, $password) = @_; my $cipher = Crypt::CBC->new( -key => $password,
211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280
-cipher => 'Rijndael', -salt => 1, -header => 'salt', ) || die "Couldn't create CBC object"; return $cipher->encrypt_hex($input); } sub cred_decrypt { my ($input, $password) = @_; my $cipher = Crypt::CBC->new( -key => $password, -cipher => 'Rijndael', -salt => 1, -header => 'salt', ) || die "Couldn't create CBC object"; return $cipher->decrypt_hex($input); } sub get_random_string { my ($size) = @_; $size = 32 if !$size; my @chars = ("A".."Z", "a".."z", '.', '/', 0..9); return random_string_from(join('', @chars), $size); } sub encrypt_passwords { if (!-e $fd_config) { die "Cannot find a valid configuration file ($fd_config)!\n"; } if (-e $fd_secrets) { die "There's already a file '$fd_secrets'. Cannot convert your existing fusiondirectory.conf - aborted\n"; } print "Starting password encryption\n"; print "* generating random master key\n"; my $master_key = get_random_string(); print "* creating '$fd_secrets'\n"; my $fp_file = file($fd_secrets); my $fp = $fp_file->openw() or die "! Unable to open '$fd_secrets' in write mode\n"; $fp->print("RequestHeader set FDKEY $master_key\n"); $fp->close or die "! Can't close '$fd_secrets'\n"; chmod 0600, $fd_secrets or die "! Unable to change '$fd_secrets' rights\n"; my $root_uid = getpwnam("root"); my $root_gid = getgrnam("root"); chown $root_uid,$root_gid,$fd_secrets or die "! Unable to change '$fd_secrets' owner\n"; # Move original fusiondirectory.conf out of the way and make it unreadable for the web user print "* creating backup in '$fd_config.orig'\n"; rcopy($fd_config, "$fd_config.orig"); chmod 0600, "$fd_config.orig" or die "! Unable to change '$fd_config.orig' rights\n"; chown $root_uid,$root_gid,"$fd_config.orig" or die "! Unable to change '$fd_config.orig' owner\n"; print "* loading '$fd_config'\n"; my $twig = XML::Twig->new(); # create the twig $twig->parsefile($fd_config); # build it # Locate all passwords inside the fusiondirectory.conf my @locs = $twig->root->first_child('main')->children('location'); foreach my $loc (@locs) { my $ref = $loc->first_child('referral'); print "* encrypting FusionDirectory password for: ".$ref->{'att'}->{'adminDn'}."\n"; $ref->set_att('adminPassword' => cred_encrypt($ref->{'att'}->{'adminPassword'}, $master_key)); } # Save print "* saving modified '$fd_config'\n"; $twig->print_to_file($fd_config, pretty_print => 'indented') or die "Cannot write modified $fd_config - aborted\n"; print "OK\n\n"; # Print reminder print " Please adapt your http fusiondirectory declaration to include the newly
281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350
created $fd_secrets. Example: # Include FusionDirectory to your web service Alias /fusiondirectory $vars{fd_home}/html <Directory $vars{fd_home}/html> # Include the secrects file include $fd_secrets </Directory> Please reload your httpd configuration after you've modified anything.\n"; } sub show_passwords { if (!-e $fd_config) { die "Cannot find a valid configuration file ($fd_config)!\n"; } my $secret; if (-e $fd_secrets) { open(my $secrets, q{<}, $fd_secrets) || die ("Could not open $fd_secrets"); while(<$secrets>) { if ($_ =~ m/RequestHeader set FDKEY ([^ \n]+)\n/) { $secret = $1; last; } } close($secrets); } my $locations = get_locations_from_config_file(); while ( my($key,$location) = each %$locations ) { my ($uri,$base); if ($location->{'base'} ne '') { $uri = $location->{'uri'}; $base = $location->{'base'}; } elsif ($location->{'uri'} =~ qr|^(.*)/([^/]+)$|) { # Format from FD<1.3 $uri = $1; $base = $2; } else { die '"'.$location->{'uri'}.'" does not contain any base!'; } my $bind_pwd = $location->{'bind_pwd'}; if (defined $secret) { $bind_pwd = cred_decrypt($bind_pwd, $secret); } printf("Location \"%s\":\n", $key); printf(" %-15s%s\n", 'URI', $uri); printf(" %-15s%s\n", 'Base', $base); printf(" %-15s%s\n", 'Bind DN', $location->{'bind_dn'}); printf(" %-15s%s\n", 'Bind password', $bind_pwd); printf(" %-15s%s\n", 'TLS', $location->{'tls'}); } } ####################################################### class.cache update ######################################################################### # function that scan recursivly a directory to find .inc and . php # then return a hash with class => path to the class file sub get_classes { my ($path) = @_; # if this function has been called without a parameter die ("! function get_classes called without parameter\n") if ( !defined($path) );
351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420
# create a "dir" object with the path my $dir = dir ($path) or die ("! Can't open $path\n"); my $contrib_dir = dir($vars{fd_home},"contrib"); if ("$dir" eq "$contrib_dir") { return; } # create an array with the content of $dir my @dir_files = $dir->children; foreach my $file (@dir_files) { # recursive call if $file is a directory if ( -d $file ) { get_classes($file); next; } # only process if $file is a .inc or a .php file if ( ( $file =~ /.*\.inc$/ ) && ( $file !~ /.*smarty.*/ ) ) { # put the entire content of the file pointed by $file in $data my @lines = $file->slurp; # modifing $file, to contains relative path, not complete one $file =~ s/^$vars{fd_home}//; foreach my $line ( @lines ) { # remove \n from the end of each line chomp $line; # process for lines beginning with "class", and extracting the 2nd word (the class name) if ( $line =~ /^(abstract )?class\s*(\w+).*/ ) { # adding the values (class name and file path) to the hash $classes_hash_result{$2} = $file; } # process for lines beginning with "interface", and extracting the 2nd word (the interface name) if ( $line =~ /^interface\s*(\w+).*/ ) { # adding the values (class name and file path) to the hash $classes_hash_result{$1} = $file; } } } } return %classes_hash_result; } # call get_classes and create /var/cache/fusiondirectory/class.cache sub rescan_classes { # hash that will contain the result of the "get_classes" function my %get_classes_result = get_classes ($vars{fd_home}); # create a "file" object with the $class_cache path my $file_class = file ($class_cache); # create the handler (write mode) for the file previoulsy created my $fhw = $file_class->openw() or die ("! Unable to open $class_cache in write mode\n"); # first lines of class.cache $fhw->print ("<?php\n\t\$class_mapping= array(\n"); # for each $key/$value, writting a new line to $class_cache while ( my($key,$value) = each %get_classes_result ) { $fhw->print ("\t\t\"$key\" => \"$value\",\n"); } # last line of classe.cache $fhw->print ("\t);\n?>");
421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490
$fhw->close or die ("! Can't close $class_cache\n"); } ###################################################### Internalisation's update #################################################################################### # function that create .mo files with .po for each language sub get_i18n { my ($path) = @_; # if this function has been called without a parameter die ("! function get_i18n called without parameter" ) if ( !defined($path) ); # create a "dir" object my $dir = dir ($path) or die ("! Can't open $path\n"); # create an array with the content of $dir my @dir_files = $dir->children; foreach my $file (@dir_files) { # recursive call if $file is a directory if (-d $file) { %i18n_hash_result = get_i18n ($file); next; } # if the file's directory is ???/language/fusiondirectory.po if ($file =~ qr{^.*/(\w+)/fusiondirectory.po$}) { # push the file's path in the language (fr/en/es/it...) array (wich is inside the hash pointed by $ref_result push @{$i18n_hash_result{$1}}, $file; } } return %i18n_hash_result; } # call get_i18n with the FusionDirectory's locales's directory and the hash that will contain the result in parameter sub rescan_i18n { # hash that will contain the result of the "get_i18n" function my %get_i18n_result = get_i18n ($locale_dir); while ( my ($lang, $files) = each %get_i18n_result ) { # directory wich will contain the .mo file for each language my $lang_cache_dir = dir ("$locale_cache_dir/$lang/LC_MESSAGES"); # if $lang_cache_dir doesn't already exists, creating it if ( !-d $lang_cache_dir ) { $lang_cache_dir->mkpath or die ("! Can't create $locale_cache_dir/$lang/LC_MESSAGES"); } # glue .po files's names my $po_files = join(" ", @{$files}); chomp $po_files; # merging .po files system ( "msgcat --use-first ".$po_files.">".$lang_cache_dir."/fusiondirectory.po" ) and die ("! Unable to merge .po files for $lang with msgcat, is it already installed?\n"); # compiling .po files in .mo files system ( "msgfmt -o $lang_cache_dir/fusiondirectory.mo $lang_cache_dir/fusiondirectory.po && rm $lang_cache_dir/fusiondirectory.po" ) and die ("! Unable to compile .mo files with msgfmt, is it already installed?\n"); } } ############################################################# Directories checking ################################################################################### #get the apache user group name sub get_apache_group { my $apache_group = ""; # try to identify the running distribution, if it's not debian or rehat like, script ask for user input
491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560
if (-e "/etc/debian_version") { $apache_group = "www-data"; } elsif ((-e "/etc/redhat-release") || (-e "/etc/mageia-release")) { $apache_group = "apache"; } elsif (-e "/etc/SuSE-release") { $apache_group = "www"; } elsif (-e "/etc/arch-release") { $apache_group = "http"; } else { print ("! Looks like you are not a Debian, Suse, Redhat or Mageia, I don't know your distribution !\n"); $apache_group = ask_user_input ("What is your apache group?"); } return $apache_group; } #check the rights of a directory or file, creates missing directory if needed sub check_rights { my ($dir,$user,$group,$rights,$create) = @_; my $user_uid = getpwnam ( $user ); my $group_gid = getgrnam ( $group ); # if the current dir exists if (-e $dir) { print("$dir exists...\n"); # retrieve dir's informations my @lstat = lstat ($dir); # extract the owner and the group of the directory my $dir_owner = getpwuid ( $lstat[4] ); my $dir_group = getgrgid ( $lstat[5] ); # extract the dir's rights my $dir_rights = S_IMODE( $lstat[2] ); if ( ($dir_owner ne $user) || ($dir_group ne $group) || ($dir_rights ne $rights) ) { if ( ask_yn_question ("$dir is not set properly, do you want to fix it ?: ") ) { chown ($user_uid,$group_gid,$dir) or die ("! Unable to change $dir owner\n") if ( ($dir_owner ne $user) || ($dir_group ne $group) ); chmod ( $rights, $dir ) or die ("! Unable to change $dir rights\n") if ($dir_rights ne $rights); } else { print ("Skipping...\n"); } } else { print("Rights on $dir are correct\n"); } } elsif ($create) { if ( ask_yn_question("Directory $dir doesn't exist, do you want to create it ?: ") ) { my $conf_dir = dir ($dir); # create the directory, and change the rights $conf_dir->mkpath (0,$rights); chmod ($rights, $dir); chown ($user_uid,$group_gid,$dir) or die ("Unable to change $dir rights\n"); } else { print ( "Skipping...\n" ); } } else { return 0; } return 1; } # function that check FusionDirectory's directories sub check_directories { my $apache_group = get_apache_group(); # for each config directory foreach my $dir (@config_dirs) {
561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630
# if $dir is one of the dirs that remains to root if ( grep (/.*$dir.*/, @root_config_dirs) ) { check_rights($dir,"root","root",oct(755),1); # else if $dir is one of the dirs that remains to apache's user group, and the dir's owner is not root or the group is not the apache's user group, modifying owner } elsif ( grep ( /.*$dir.*/, @apache_config_dirs) ) { check_rights($dir,"root",$apache_group,oct(770),1); } } } # function that check FusionDirectory's config file sub check_config { my $apache_group = get_apache_group(); # check config file check_rights($fd_config,"root",$apache_group,oct(640),0) or die 'The config file does not exist!'; } ############################################################# Change install directories ################################################################################# sub write_vars { my $filecontent = <<eof; <?php require_once('variables_common.inc'); /*! \\file * Define common locations and variables * Generated by fusiondirectory-setup */ if (!defined("CONFIG_DIR")) { define ("CONFIG_DIR", "$vars{fd_config_dir}/"); /* FusionDirectory etc path */ } /* Allow setting the config file in the apache configuration e.g. SetEnv CONFIG_FILE fusiondirectory.conf 1.0 */ if (!defined("CONFIG_FILE")) { define ("CONFIG_FILE", "$vars{config_file}"); /* FusionDirectory filename */ } /* Path for smarty3 libraries */ define("SMARTY", "$vars{fd_smarty_path}"); /* Smarty compile dir */ define ("SPOOL_DIR", "$vars{fd_spool_dir}/"); /* FusionDirectory spool directory */ /* Global cache dir */ define ("CACHE_DIR", "$vars{fd_cache}/"); /* FusionDirectory var directory */ /* Global locale cache dir */ define ("LOCALE_DIR", "$locale_cache_dir/"); /* FusionDirectory locale directory */ /* Global tmp dir */ define ("TEMP_DIR", "$tmp_dir/"); /* FusionDirectory tmp directory */ /* Directory containing the configuration template */ define ("CONFIG_TEMPLATE_DIR", "$template_dir/"); /* FusionDirectory template directory */ /* Directory containing the fai logs */ define ("FAI_LOG_DIR", "$fai_log_dir/"); /* FusionDirectory fai directory */ /* Directory containing the supann files */ define ("SUPANN_DIR", "$vars{fd_config_dir}/supann/"); /* FusionDirectory supann template directory */ /* name of the class.cache file */ define("CLASS_CACHE", "$vars{class_cache}"); /* name of the class cache */ ?> eof
631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700
my $variables_path = "$vars{fd_home}/include/variables.inc"; my $variables_file = file ($variables_path); my $vars_file = $variables_file->openw() or die ("! Unable to open $variables_path in write mode\n"); $vars_file->print($filecontent); $vars_file->close or die ("! Can't close $variables_file\n"); } ############################################################# LDAP conformity check ################################################################################# # function that add the FusionDirectory's admin account # return nothing is it a problem? sub add_ldap_admin { my ($base, $ldap, $admindns, $people_entries, $roles) = @_; # Get the configuration to know which attribute must be used in the dn my $mesg = $ldap->search( base => "$configrdn,$base", filter => '(objectClass=fusionDirectoryConf)', scope => 'base', attrs => ['fdAccountPrimaryAttribute', 'fdForcePasswordDefaultHash', 'fdPasswordDefaultHash'] ); $mesg->code && die $mesg->error; my $attr; if ($mesg->count <= 0) { print "Could not find configuration object, using default value\n"; $attr = 'uid'; } elsif (($mesg->entries)[0]->exists('fdAccountPrimaryAttribute')) { $attr = ($mesg->entries)[0]->get_value('fdAccountPrimaryAttribute'); } else { $attr = 'uid'; } if ($mesg->count > 0) { if (($mesg->entries)[0]->exists('fdForcePasswordDefaultHash') && ($mesg->entries)[0]->exists('fdPasswordDefaultHash')) { if ((($mesg->entries)[0]->get_value('fdForcePasswordDefaultHash') eq 'TRUE') && (($mesg->entries)[0]->get_value('fdPasswordDefaultHash') ne 'ssha')) { warn "Warning: Administrator password will be hashed with ssha instead of forced default ".($mesg->entries)[0]->get_value('fdPasswordDefaultHash')."\n"; } } } my $fd_admin_uid = ask_user_input ("Please enter a login for FusionDirectory's admin", "fd-admin"); # Does this user exist? my $dn = ""; foreach my $entry (@$people_entries) { my $mesg = $ldap->search( base => "$entry", filter => "(&(objectClass=inetOrgPerson)(uid=$fd_admin_uid))", attrs => ['uid'] ); $mesg->code && die $mesg->error; if ($mesg->count) { print "User $fd_admin_uid already existing, adding admin acl to it\n"; $dn = ($mesg->entries)[0]->dn; last; } } if ($dn eq "") { my $fd_admin_pwd = ask_user_input ("Please enter FusionDirectory's admin password", undef, 1); my $fd_admin_pwd_confirm = ask_user_input ("Please enter it again", undef, 1); # while the confirmation password is not the same than the first one while ( ($fd_admin_pwd_confirm ne $fd_admin_pwd) && ($fd_admin_pwd_confirm ne "quit" ) ) { $fd_admin_pwd_confirm = ask_user_input ("! Inputs don't match, try again or type 'quit' to end this function"); } return -1 if ($fd_admin_pwd_confirm eq "quit"); my $ctx = Digest::SHA->new(1); my $salt = get_random_string(8); $ctx->add($fd_admin_pwd);
701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770
$ctx->add($salt); my $hashedPasswd = '{SSHA}'.encode_base64($ctx->digest.$salt, ''); my %obj = ( 'cn' => 'System Administrator', 'sn' => 'Administrator', 'uid' => $fd_admin_uid, 'givenname' => 'System', 'objectclass' => [ 'top', 'person', 'organizationalPerson', 'inetOrgPerson' ], 'userPassword' => $hashedPasswd ); if (not defined $obj{$attr}) { print "Error : invalid account primary attribute $attr, using uid\n"; $attr = 'uid'; } $dn = "$attr=".$obj{$attr}.",$userrdn,$base"; # Add the administator user object my @options = %obj; my $admin_add = $ldap->add( $dn, attr => \@options ); # send a warning if the ldap's admin's add didn't gone well $admin_add->code && die "\n! failed to add LDAP's $dn entry - ".$admin_add->error_name.": ".$admin_add->error_text; } # Create admin role if not existing my $role; if (scalar @$roles == 0) { my $role_dn = create_role($ldap,$base,'admin','all;cmdrw'); $role = encode_base64($role_dn, ''); } else { $role = shift(@$roles); } # Add the assignment that make him an administrator my $acls = $ldap->search ( base => "$base", scope => 'base', filter => "(objectClass=*)", attrs => ['objectClass', 'gosaAclEntry'] ); $acls->code && die "\n! failed to search acls in '$base' - ".$acls->error_name.": ".$acls->error_text; ($acls->count == 0) && die "\n! failed to search acls in '$base' - base not found"; my $oclass = ($acls->entries)[0]->get_value("objectClass", asref => 1); # Add admin acl my $newacl = ["0:subtree:$role:".encode_base64($dn, '')]; if (not (grep $_ eq 'gosaAcl', @$oclass)) { push (@$oclass, 'gosaAcl'); } else { my $acl = ($acls->entries)[0]->get_value("gosaAclEntry", asref => 1); my $i = 1; if (defined $acl) { foreach my $line (@$acl) { # Reorder existing non-admin acls $line =~ s/^\d+:/$i:/; push (@$newacl, $line); $i++; } } } my $result = $ldap->modify ( $base, replace => { 'objectClass' => $oclass, 'gosaAclEntry' => $newacl } ); $result->code && warn "\n! failed to add ACL for admin on '$base' - ".$result->error_name.": ".$result->error_text; } sub get_locations_from_config_file {
771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840
my $twig = XML::Twig->new(); $twig->safe_parsefile($fd_config) or die("There is an error in $fd_config XML code: ".(split /\n/, $@)[1]."\n"); my @locs = $twig->root->first_child('main')->children('location'); my %locations = (); foreach my $loc (@locs) { $loc->lc_attnames(); my $ref = $loc->first_child('referral'); # Ignore case $ref->lc_attnames(); $locations{$loc->{'att'}->{'name'}} = { 'tls' => 0, 'uri' => $ref->{'att'}->{'uri'}, 'base' => ($ref->{'att'}->{'base'} or $loc->{'att'}->{'base'} or ''), 'bind_dn' => $ref->{'att'}->{'admindn'}, 'bind_pwd' => $ref->{'att'}->{'adminpassword'} }; if (defined $loc->{'att'}->{'ldaptls'} and $loc->{'att'}->{'ldaptls'} =~ m/true/i) { $locations{$loc->{'att'}->{'name'}}->{'tls'} = 1 } } return \%locations; } # function that initiate the ldap connexion, and bind as the ldap's admin sub get_ldap_connexion { my %hash_result = (); my $bind_dn = ""; my $bind_pwd = ""; my $uri = ""; my $base = ""; my $tls = 0; # read ldap's server's info from /etc/fusiondirectory/fusiondirectory.conf if (-e $fd_config) { my $locations = get_locations_from_config_file(); my ($location) = keys(%$locations); if (scalar(keys(%$locations)) > 1) { my $question = "There are several locations in your config file, which one should be used : (".join(',',keys(%$locations)).")"; my $answer; do { $answer = ask_user_input ($question, $location); } while (not exists($locations->{$answer})); $location = $answer; } if ($locations->{$location}->{'base'} ne '') { $uri = $locations->{$location}->{'uri'}; $base = $locations->{$location}->{'base'}; } elsif ($locations->{$location}->{'uri'} =~ qr|^(.*)/([^/]+)$|) { # Format from FD<1.3 $uri = $1; $base = $2; } else { die '"'.$locations->{$location}->{'uri'}.'" does not contain any base!'; } $bind_dn = $locations->{$location}->{'bind_dn'}; $bind_pwd = $locations->{$location}->{'bind_pwd'}; $tls = $locations->{$location}->{'tls'}; # if can't find fusiondirectory.conf } else { if ( ask_yn_question ("Can't find fusiondirectory.conf, do you want to specify LDAP's information yourself ?: ") ) { $uri = ask_user_input ("LDAP server's URI"); $base = ask_user_input ("Search base"); $hash_result{base} = $base; $bind_dn = ask_user_input ("Bind DN"); $bind_pwd = ask_user_input("Bind password", undef, 1);
841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910
} else { return; } } # ldap connection my $ldap = Net::LDAP->new ($uri) or die ("! Can't contact LDAP server $uri\n"); $hash_result{ldap} = $ldap; $hash_result{base} = $base; # bind to the LDAP server if (-e $fd_secrets) { open(my $secrets, q{<}, $fd_secrets) || die ("Could not open $fd_secrets"); my $key = ""; while(<$secrets>) { if ($_ =~ m/RequestHeader set FDKEY ([^ \n]+)\n/) { $key = $1; last; } } close($secrets); $bind_pwd = cred_decrypt($bind_pwd, $key); } if ($tls) { # Read LDAP config file open (my $ldapconf, q{<}, $vars{ldap_conf}) or die ("! Failed to open ldap config file '$vars{ldap_conf}': $!\n"); my %tls_options = ( 'REQCERT' => 'require', 'CERT' => '', 'KEY' => '', 'CACERTDIR' => '', 'CACERT' => '', ); # Scan LDAP config while (<$ldapconf>) { /^\s*(#|$)/ && next; chomp; if (m/^TLS_(REQCERT|CERT|KEY|CACERTDIR|CACERT)\s+(.*)\s*$/i) { $tls_options{uc $1} = $2; } } close($ldapconf); $ldap->start_tls( verify => $tls_options{'REQCERT'}, clientcert => $tls_options{'CERT'}, clientkey => $tls_options{'KEY'}, capath => $tls_options{'CACERTDIR'}, cafile => $tls_options{'CACERT'} ); } my $bind = $ldap->bind ($bind_dn, password => $bind_pwd); # send a warning if the bind didn't gone well $bind->code && die ("! Failed to bind to LDAP server: ", $bind->error."\n"); return %hash_result; } # function that check if there is an admin sub check_admin { my ($base, $ldap, $people_entries) = @_; # search for FusionDirectory's admin account # search for admin role
911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980
my $admin_roles = $ldap->search ( base => "$base", filter => "(&(objectClass=gosaRole)(gosaAclTemplate=*:all;cmdrw))", attrs => ['gosaAclTemplate'] ); $admin_roles->code && die $admin_roles->error; my @dns = (); my @roles = (); my $count = 0; while (my $entry = $admin_roles->shift_entry) { my $role_dn64 = encode_base64($entry->dn, ''); push @roles, $role_dn64; print ("Role ".$entry->dn." is an admin ACL role\n"); # Search for base-wide assignments my $assignments = $ldap->search ( base => "$base", scope => 'base', filter => "(&(objectClass=gosaAcl)(gosaAclEntry=*:subtree:$role_dn64:*))", attrs => ['gosaAclEntry'] ); $assignments->code && die $assignments->error; while (my $assignment = $assignments->shift_entry) { my $acl = $assignment->get_value("gosaAclEntry", asref => 1); foreach my $line (@$acl) { if ($line =~ m/^.:subtree:\Q$role_dn64\E/) { my @parts = split(':',$line,4); my @members = split(",",$parts[3]); foreach my $member (@members) { # Is this an existing user? my $dn = decode_base64($member); my $member_node = $ldap->search( base => $dn, scope => 'base', filter => "(objectClass=inetOrgPerson)" ); if ($member_node->count == 1) { print ("$dn is a valid admin\n"); return; } # Is this a group? $member_node = $ldap->search( base => $dn, scope => 'base', filter => "(objectClass=posixGroup)", attrs => ['memberUid'] ); if ($member_node->count == 1) { # Find group members my $member_entry = $member_node->shift_entry; my $memberUids = $member_entry->get_value("memberUid", asref => 1); my $filter = '(&(objectClass=inetOrgPerson)(|(uid='.join(')(uid=', @$memberUids).')))'; my $group_members = $ldap->search( base => $base, filter => $filter, ); $group_members->code && die $group_members->error; if (my $group_member_entry = $group_members->shift_entry) { print ($group_member_entry->dn." is a valid admin\n"); return; } } else { push @dns, $dn; } } } } } $count++; } if ($count < 1) {
981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050
print ("! There is no admin ACL role\n"); } foreach my $dn (@dns) { print ("! $dn is supposed to be admin but does not exist\n"); } if (ask_yn_question("No valid admin account found, do you want to create it ?")) { return add_ldap_admin($base, $ldap, \@dns, $people_entries, \@roles); } } sub create_branch { my ($ldap, $base, $ou) = @_; $ou =~ m/^ou=([^,]*),?$/ or die "Can’t create branch of unknown type $ou\n"; my $branch_add = $ldap->add( "$ou,$base", attr => [ 'ou' => $1, 'objectClass' => 'organizationalUnit' ] ); $branch_add->code && die "! failed to add LDAP's $ou,$base branch: ".$branch_add->error."\n"; } sub branch_exists { my ($ldap, $branch) = @_; # search for branch my $branch_mesg = $ldap->search (base => $branch, filter => '(objectClass=*)', scope => 'base'); if ($branch_mesg->code == 32) { return 0; } $branch_mesg->code && die $branch_mesg->error; my @entries = $branch_mesg->entries; return (defined ($entries[0])); } # function that check LDAP configuration sub check_ldap { # initiate the LDAP connexion my %hash_ldap_param = get_ldap_connexion(); # LDAP's connection's parameters my $base = $hash_ldap_param{base}; my $ldap = $hash_ldap_param{ldap}; my $admin_add = ""; # Collect existing people branches (even if main one may not exists); my $people = $ldap->search (base => $base, filter => $userrdn); $people->code && die $people->error; my @people_entries = $people->entries; @people_entries = map {$_->dn} @people_entries; # if people branch exists if ( branch_exists($ldap, "$userrdn,$base") ) { check_admin($base, $ldap, \@people_entries); # if ou=people doesn't exist } else { print ( "! $userrdn,$base not found in your LDAP directory\n" ); # if user's answer is "yes", creating ou=people branch if ( ask_yn_question("Do you want to create it ?: ") ) { create_branch($ldap, $base, $userrdn); push @people_entries, "$userrdn,$base"; check_admin($base, $ldap, \@people_entries); } else { print ("Skipping...\n"); }
1051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120
} # if groups branch does not exist if (!branch_exists($ldap, "$grouprdn,$base")) { print ("! $grouprdn,$base not found in your LDAP directory\n"); # if user's answer is "yes", creating groups branch if ( ask_yn_question("Do you want to create it ?: ") ) { create_branch($ldap, $base, $grouprdn); } else { print ("Skipping...\n"); } } # search for workstations and object groups my $faiclasses = $ldap->search (base => "$base", filter => "(&(FAIclass=*)(!(objectClass~=FAIprofile)))" ); $faiclasses->code && die $faiclasses->error; my @faiclass_entries = $faiclasses->entries; foreach my $entry (@faiclass_entries) { my $faiclass = $entry->get_value('FAIclass'); my (@profiles) = split(' ',$faiclass); if (scalar @profiles > 2) { print "! System or group ".$entry->get_value('cn')." have more than one FAI profile : ".$faiclass."\n"; } elsif (scalar @profiles < 2) { print "! System or group ".$entry->get_value('cn')." have no release set in its FAIclass : ".$faiclass."\n"; } } # search for old config dn if (branch_exists($ldap, "cn=fusiondirectory,ou=configs,$base")) { print ("! There is a configuration in cn=fusiondirectory,ou=configs,$base in your LDAP directory\n"); print ("! The correct configuration dn is now cn=config,ou=fusiondirectory,$base\n"); print ("! FusionDirectory will not read your configuration at its current dn\n"); if ( ask_yn_question("Do you want to move and rename this entry? ") ) { if (!branch_exists($ldap, "ou=fusiondirectory,$base")) { create_branch($ldap, $base, 'ou=fusiondirectory'); } my $result = $ldap->moddn ( "cn=fusiondirectory,ou=configs,$base", newrdn => 'cn=config', deleteoldrdn => '1', newsuperior => "ou=fusiondirectory,$base" ); $result->code && die "Migration of configuration entry failed, LDAP error: ".$result->error."\n"; } else { print ("Skipping...\n"); } } # unbind to the LDAP server my $unbind = $ldap->unbind; $unbind->code && warn "! Unable to unbind from LDAP server: ", $unbind->error."\n"; } # function that checks for duplicate uid or gid numbers sub check_id_numbers { # initiate the LDAP connexion my %hash_ldap_param = get_ldap_connexion(); # LDAP's connection's parameters my $ldap = $hash_ldap_param{ldap}; my $base = $hash_ldap_param{base}; check_id_numbers_generic($ldap, $base, 'posixAccount','uidNumber','users'); check_id_numbers_generic($ldap, $base, 'posixGroup','gidNumber','groups'); }
1121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190
sub check_id_numbers_generic { my ($ldap, $base, $objectClass, $attribute, $type) = @_; my $mesg = $ldap->search( filter => "(&(objectClass=$objectClass)($attribute=*))", base => $base, attrs => [$attribute] ); $mesg->code && die $mesg->error; my @entries = $mesg->entries; my %tmp = (); foreach my $entry (@entries) { if (not defined $tmp{$entry->get_value($attribute)}) { $tmp{$entry->get_value($attribute)} = (); } push @{$tmp{$entry->get_value($attribute)}}, $entry->dn(); } my $dups = 0; while (my ($id, $dns) = each %tmp) { if (scalar(@$dns) > 1) { $dups = 1; print "The following $type use the same $attribute $id:\n"; foreach my $dn (@$dns) { print "\t$dn\n"; } } } if ($dups == 0) { print "There are no duplicate ${attribute}s\n"; } } # function that create a directory and copy plugin files in it sub create_and_copy_plugin_dir { my ($plugin_dir,$dest_dir) = @_; if ( -e $plugin_dir ){ my $dir = dir ($dest_dir); $dir->mkpath() or warn ("! Unable to make ".$dest_dir."\n") if ( !-e $dest_dir); my $files_dirs_copied = rcopy($plugin_dir."/*", $dest_dir); } } # function that install all the FD's plugins from a directory sub install_plugins { # ask for the plugins archive my $plugins_archive = ask_user_input ("Where is your plugins archive or folder?"); die ("! ".$plugins_archive." doesn't exist") if (!-e $plugins_archive); my $dir; if (-d $plugins_archive) { $dir = dir ($plugins_archive); } else { # check the archive format $plugins_archive =~ /^.*\/(.*).tar.gz$/; my $name = $1 or die ("! Unknown archive $plugins_archive"); # where the extract files will go my $tmp_plugins_dir = "/tmp"; print ("Installing plugins into $vars{fd_home}, please wait...\n"); # extract the plugins archive my $archive = Archive::Extract->new (archive => $plugins_archive); my $extract = $archive->extract( to => "$tmp_plugins_dir" ) or die ("! Unable to extract $plugins_archive\n");
1191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260
$dir = dir ($tmp_plugins_dir."/".$name); } # List non-hidden children, grep directories, and sort by name my @plugins = sort {$a->basename cmp $b->basename} grep {$_->is_dir} $dir->children(no_hidden => 1); print "Available plugins:\n"; my $i = 1; foreach my $plugin_path (@plugins) { print $i++.":".$plugin_path->basename."\n"; } my $user_input = ask_user_input("Which plugins do you want to install (use \"all\" to install all plugins)?"); my @plugins_to_install = split(/\s/, $user_input); chdir ($dir) or die ("! Unable to move to $dir\n"); $i = 0; foreach my $plugin_path (@plugins) { $i++; my $plugin = $plugin_path->basename; if (grep {($_ eq "all") or ($_ eq $i) or ($_ eq $plugin)} @plugins_to_install) { print "Installing plugin $plugin\n"; } else { next; } # copy addons into plugins create_and_copy_plugin_dir($plugin_path."/addons/", $vars{fd_home}."/plugins/addons/"); # copy admin into plugins create_and_copy_plugin_dir($plugin_path."/admin/", $vars{fd_home}."/plugins/admin/"); # copy config into plugins create_and_copy_plugin_dir($plugin_path."/config/", $vars{fd_home}."/plugins/config/"); # copy personal into plugins create_and_copy_plugin_dir($plugin_path."/personal/", $vars{fd_home}."/plugins/personal/"); # copy extra HTML and images create_and_copy_plugin_dir($plugin_path."/html/", $vars{fd_home}."/html/"); # copy extra theme templates create_and_copy_plugin_dir($plugin_path."/ihtml/", $vars{fd_home}."/ihtml/"); # copy includes create_and_copy_plugin_dir($plugin_path."/include/", $vars{fd_home}."/include/"); # copy ldap schema create_and_copy_plugin_dir($plugin_path."/contrib/openldap/", $vars{fd_home}."/contrib/openldap/"); # copy etc files create_and_copy_plugin_dir($plugin_path."/contrib/etc/", $vars{fd_config_dir}."/".$plugin."/"); # copy doc create_and_copy_plugin_dir($plugin_path."/contrib/doc/", $vars{fd_home}."/contrib/doc/"); # copy the locales create_and_copy_plugin_dir($plugin_path."/locale/", $vars{fd_home}."/locale/plugins/".$plugin."/locale/"); } #finally update FusionDirectory's class.cache and locales rescan_classes(); rescan_i18n();
1261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330
} # function that add object classes to people branch users sub migrate_users { # initiate the LDAP connexion my %hash_ldap_param = get_ldap_connexion(); # LDAP's connection's parameters my $base = $hash_ldap_param{base}; my $ldap = $hash_ldap_param{ldap}; my $mesg = $ldap->search( filter => '(&'. '(|'. '(objectClass=posixAccount)'. '(objectClass=person)'. '(objectClass=OpenLDAPperson)'. ')'. '(!(objectClass=ipHost))'. '(!(objectClass=inetOrgPerson))'. '(uid=*)'. ')', base => $base ); $mesg->code && die $mesg->error; if ($mesg->count > 0) { print ("The following users are missing objectClasses:\n"); my @entries = $mesg->entries; foreach my $entry (@entries) { print $entry->dn()."\n"; } if (ask_yn_question("Add the inetOrgPerson objectClass to all these entries?")) { foreach my $entry (@entries) { $mesg = $ldap->modify($entry->dn(), add => { "objectClass" => ["person","organizationalPerson","inetOrgPerson"]}); $mesg->code && print $mesg->error."\n"; } } } # unbind to the LDAP server my $unbind = $ldap->unbind; $unbind->code && warn "! Unable to unbind from LDAP server: ", $unbind->error."\n"; } # function that moves DHCP configurations from systems to ou=dhcp sub migrate_dhcp { # initiate the LDAP connexion my %hash_ldap_param = get_ldap_connexion(); # LDAP's connection's parameters my $base = $hash_ldap_param{base}; my $ldap = $hash_ldap_param{ldap}; # Search for DHCP configurations my $mesg = $ldap->search( base => "$base", filter => "(objectClass=dhcpService)", attrs => ['cn'] ); $mesg->code && die $mesg->error; my @entries = $mesg->entries; print "There are ".$mesg->count." DHCP configurations in the LDAP\n"; my @baddns = ();
1331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400
foreach my $entry (@entries) { if ($entry->dn() !~ m/$dhcprdn/) { if (scalar(@baddns) == 0) { print "The following are not in the DHCP branch ($dhcprdn):\n"; } print $entry->dn()."\n"; push @baddns, $entry->dn(); } } if (scalar(@baddns) == 0) { print "They all already are in the DHCP branch ($dhcprdn):\n"; } else { if (ask_yn_question("Move these entries to the DHCP branch ($dhcprdn)?")) { foreach my $entrydn (@baddns) { $entrydn =~ m/^([^,]+),(cn=([^,]+),.*$systemrdn,(.+))$/ or die "Could not parse dn ".$entrydn."\n"; my $rdn = $1; my $systemdn = $2; my $systemcn = $3; my $entrybase = $4; if (!branch_exists($ldap, "$dhcprdn,$entrybase")) { create_branch($ldap, $entrybase, $dhcprdn); } my $result = $ldap->moddn ( $entrydn, newrdn => "$rdn-$systemcn", deleteoldrdn => '1', newsuperior => "$dhcprdn,$entrybase" ); $result->code && die "Migration of DHCP configuration entry failed, LDAP error: ".$result->error."\n"; my $configDn = "$rdn-$systemcn,$dhcprdn,$entrybase"; # Add DHCP service on server $mesg = $ldap->search( base => $systemdn, scope => 'base', filter => '(objectClass=*)' ); $mesg->code && die $mesg->error; my $system_entry = $mesg->shift_entry; $system_entry->get_value('objectClass'); my @classes = $system_entry->get_value('objectClass'); if (grep {$_ eq 'dhcpServer'} @classes) { $result = $ldap->modify ( "$systemdn", replace => { 'dhcpServiceDN' => $configDn, } ); } else { $result = $ldap->modify ( "$systemdn", replace => { 'dhcpServiceDN' => $configDn, }, add => { 'objectClass' => 'dhcpServer' } ); } $result->code && print "Could not add DHCP service on $systemdn, LDAP error: ".$result->error."\nYou'll need to activate it yourself\n"; } } } } sub delete_gosa_locks { # initiate the LDAP connexion
1401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470
my %hash_ldap_param = get_ldap_connexion(); # LDAP's connection's parameters my $base = $hash_ldap_param{base}; my $ldap = $hash_ldap_param{ldap}; # Search for old formatted ACLs my $mesg = $ldap->search( base => "$base", filter => "(objectClass=gosaLockEntry)", attrs => ['dn'] ); $mesg->code && die $mesg->error; my @entries = $mesg->entries; foreach my $entry (@entries) { $mesg = $ldap->delete($entry); if ($mesg->code) { print "Failed to delete lock '".$entry->dn."': ".$mesg->error."\n"; } else { print "Deleted lock '".$entry->dn."'\n"; } } } # Get LDAP attributes which have been deprecated sub get_deprecated { # initiate the LDAP connexion my %hash_ldap_param = get_ldap_connexion(); # LDAP's connection's parameters my $base = $hash_ldap_param{base}; my $ldap = $hash_ldap_param{ldap}; my $schema_info = $ldap->schema(); my @attributes = $schema_info->all_attributes(); my @obsolete_attrs = (); foreach my $attribute (@attributes) { if ($attribute->{'obsolete'}) { push @obsolete_attrs, $attribute; } } my @ocs = $schema_info->all_objectclasses(); my @obsolete_classes = (); foreach my $oc (@ocs) { if ($oc->{'obsolete'}) { push @obsolete_classes, $oc; } } return (\@obsolete_attrs, \@obsolete_classes); } # function that migrates systems from FD<1.1 to FD>=1.1 sub migrate_systems { # initiate the LDAP connexion my %hash_ldap_param = get_ldap_connexion(); # LDAP's connection's parameters my $base = $hash_ldap_param{base}; my $ldap = $hash_ldap_param{ldap}; my @oldOCs = ('gotoWorkstation', 'goServer', 'gotoTerminal', 'gotoDevice'); my @newOCs = ('fdWorkstation', 'fdServer', 'fdTerminal', 'device'); foreach my $i (0 .. $#oldOCs) { my $oldOC = $oldOCs[$i]; my $newOC = $newOCs[$i];
1471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540
my $mesg = $ldap->search( filter => "(objectClass=$oldOC)", base => $base ); $mesg->code && die $mesg->error; if ($mesg->count > 0) { print ("The following systems are using the obsolete $oldOC objectClass:\n"); my @entries = $mesg->entries; foreach my $entry (@entries) { print $entry->dn()."\n"; } if (ask_yn_question("Migrate these entries to $newOC objectClass?")) { foreach my $entry (@entries) { my $tmprdn = "cn=".$entry->get_value('cn')."+ipHostNumber=".$entry->get_value('ipHostNumber'); my $newrdn = "cn=".$entry->get_value('cn'); my $dn_old = $entry->dn(); my $dn_new = $entry->dn(); $dn_new =~ s/^[^,]+,/$tmprdn,/; $entry->dn($dn_new); my @replace = ('ieee802Device', 'ipHost', $newOC); my @classes = $entry->get_value('objectClass'); foreach my $class (@classes) { if (($class ne $oldOC) && ($class ne 'GOhard')) { push(@replace, "$class"); } } $entry->replace("objectClass" => \@replace); if ($entry->exists('gotoMode')) { my $gotoMode = $entry->get_value('gotoMode'); if ($gotoMode eq 'locked') { $entry->add('fdMode' => 'locked'); } else { $entry->add('fdMode' => 'unlocked'); } $entry->delete('gotoMode'); } if ($entry->exists('argonautLdap2zoneAllowNotify')) { $entry->delete('argonautLdap2zoneAllowNotify'); } $mesg = $ldap->add($entry); if ($mesg->code) { print $entry->dn().": ".$mesg->error."\n"; next; } undef @replace; $mesg = $ldap->delete($dn_old); if ($mesg->code) { print $entry->dn().": ".$mesg->error."\n"; next; } $mesg = $ldap->moddn($dn_new, newrdn => $newrdn); if ($mesg->code) { print $entry->dn().": ".$mesg->error."\n"; next; } } } } else { print "Found no system using $oldOC\n"; } } # unbind to the LDAP server my $unbind = $ldap->unbind; $unbind->code && warn "! Unable to unbind from LDAP server: ", $unbind->error."\n";
1541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610
} # function that migrates winstations from FD<1.1 to FD>=1.1 sub migrate_winstations { # initiate the LDAP connexion my %hash_ldap_param = get_ldap_connexion(); # LDAP's connection's parameters my $base = $hash_ldap_param{base}; my $ldap = $hash_ldap_param{ldap}; my $mesg = $ldap->search( filter => "(&(!(objectClass=fdWorkstation))(!(objectClass=inetOrgPerson))(!(objectClass=posixGroup))(uid=*\$)(objectClass=sambaSamAccount))", base => $base ); $mesg->code && die $mesg->error; if ($mesg->count > 0) { print ("The following winstations are not using the new fdWorkstation objectClass:\n"); my @entries = $mesg->entries; foreach my $entry (@entries) { print $entry->dn()."\n"; } if (ask_yn_question("Migrate these entries to fdWorkstation objectClass?")) { foreach my $entry (@entries) { my $cn = $entry->get_value('cn'); $cn =~ s/\$$//; $entry->replace('cn' => $cn); my $newrdn = "cn=".$cn; my $dn_old = $entry->dn(); my $entrybase; if ($dn_old =~ m/^[^,]+,$winstationrdn,(.+)$/) { $entrybase = $1; } elsif ($dn_old =~ m/^[^,]+,.*$systemrdn,(.+)$/) { $entrybase = $1; } elsif ($dn_old =~ m/^[^,]+,.*$winstationrdn,(.+)$/) { $entrybase = $1; } else { die "Could not parse dn ".$dn_old."\n"; } if (!branch_exists($ldap, "$workstationrdn,$entrybase")) { if ($workstationrdn =~ m/^([^,]+),([^,]+)$/) { if (!branch_exists($ldap, "$2,$entrybase")) { create_branch($ldap, $entrybase, $2); } create_branch($ldap, "$2,$entrybase", $1); } else { create_branch($ldap, $entrybase, $workstationrdn); } } my $dn_new = "$newrdn,$workstationrdn,$entrybase"; $entry->dn($dn_new); my @replace = ('fdWorkstation'); my @classes = $entry->get_value('objectClass'); foreach my $class (@classes) { if ($class ne 'account') { push(@replace, "$class"); } } $entry->replace("objectClass" => \@replace); $entry->add('fdMode' => 'unlocked'); $mesg = $ldap->add($entry); if ($mesg->code) { print $entry->dn().": ".$mesg->error."\n"; next; }
1611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680
undef @replace; $mesg = $ldap->delete($dn_old); if ($mesg->code) { print $entry->dn().": ".$mesg->error."\n"; next; } } } } else { print "Found no winstation to migrate\n"; } } # function that migrates phones from FD<1.1 to FD>=1.1 sub migrate_phones { # initiate the LDAP connexion my %hash_ldap_param = get_ldap_connexion(); # LDAP's connection's parameters my $base = $hash_ldap_param{base}; my $ldap = $hash_ldap_param{ldap}; my $mesg = $ldap->search( filter => '(&(objectClass=fdPhone)(objectClass=device))', base => $base ); $mesg->code && die $mesg->error; if ($mesg->count > 0) { print ("The following phones are still using the device objectClass:\n"); my @entries = $mesg->entries; foreach my $entry (@entries) { print $entry->dn()."\n"; } if (ask_yn_question("Migrate these entries to fdPhone objectClass?")) { foreach my $entry (@entries) { my $tmprdn = "cn=".$entry->get_value('cn')."+objectClass=fdPhone"; my $newrdn = "cn=".$entry->get_value('cn'); my $dn_old = $entry->dn(); my $dn_new = $entry->dn(); $dn_new =~ s/^[^,]+,/$tmprdn,/; $entry->dn($dn_new); my @replace = (); my @classes = $entry->get_value('objectClass'); foreach my $class (@classes) { if ($class ne 'device') { push(@replace, "$class"); } } $entry->replace("objectClass" => \@replace); $mesg = $ldap->add($entry); if ($mesg->code) { print $entry->dn().": ".$mesg->error."\n"; next; } undef @replace; $mesg = $ldap->delete($dn_old); if ($mesg->code) { print $entry->dn().": ".$mesg->error."\n"; next; } $mesg = $ldap->moddn($dn_new, newrdn => $newrdn); if ($mesg->code) { print $entry->dn().": ".$mesg->error."\n"; next; } }
1681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750
} } # unbind to the LDAP server my $unbind = $ldap->unbind; $unbind->code && warn "! Unable to unbind from LDAP server: ", $unbind->error."\n"; } # function that migrates interfaces from FD<1.4 to FD>=1.4 sub migrate_interfaces { # initiate the LDAP connexion my %hash_ldap_param = get_ldap_connexion(); # LDAP's connection's parameters my $base = $hash_ldap_param{base}; my $ldap = $hash_ldap_param{ldap}; my @entriesToMigrate = (); my @entriesToIgnore = (); my @systemOCs = ('fdWorkstation', 'fdServer', 'fdTerminal', 'fdPrinter', 'fdPhone', 'fdMobilePhone', 'device'); my $mesg = $ldap->search( filter => "(&(|(objectClass=".join(')(objectClass=', @systemOCs)."))(|(ipHostNumber=*)(macAddress=*)))", base => $base ); $mesg->code && die $mesg->error; my @entries = $mesg->entries; foreach my $entry (@entries) { my $mesg2 = $ldap->search( filter => "(objectClass=fdNetworkInterface)", base => $entry->dn, scope => "one" ); $mesg2->code && die $mesg2->error; if ($mesg2->count == 0) { my @macs = $entry->get_value('macAddress'); if (scalar(@macs) > 1) { push @entriesToIgnore, $entry; next; } push @entriesToMigrate, $entry; } } if (scalar(@entriesToMigrate) > 0) { print "\nThe following systems are missing an interface node and can be migrated automatically:\n\n"; foreach my $entry (@entriesToMigrate) { my @macs = $entry->get_value('macAddress'); my @ips = $entry->get_value('ipHostNumber'); print $entry->dn; if (scalar(@macs) > 0) { print " with MAC ".join(', ', @macs); } else { print " with no MAC"; } if (scalar(@ips) > 0) { print " and IP ".join(', ', @ips)."\n"; } else { print " and no IP\n"; } } print "\n"; if (ask_yn_question("Migrate these systems by adding an interface node")) { my $interface_cn = ask_user_input ("Please enter the name for interfaces created by this migration", "eth0"); my $count = 0; foreach my $entry (@entriesToMigrate) {
1751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820
my @macs = $entry->get_value('macAddress'); my @ips = $entry->get_value('ipHostNumber'); my %interface = ( 'cn' => $interface_cn, 'objectClass' => 'fdNetworkInterface', ); if (scalar(@macs) > 0) { $interface{'macAddress'} = \@macs; } if (scalar(@ips) > 0) { $interface{'ipHostNumber'} = \@ips; } my @options = %interface; my $interface_add = $ldap->add( "cn=$interface_cn,".$entry->dn, attr => \@options ); $interface_add->code && die "! failed to add interface: ".$interface_add->error."\n"; $count++; } print $count." entries migrated\n"; } } if (scalar(@entriesToIgnore) > 0) { print "\nThe following systems are missing interfaces nodes but cannot be migrated because they have several MAC addresses:\n\n"; foreach my $entry (@entriesToIgnore) { my @macs = $entry->get_value('macAddress'); my @ips = $entry->get_value('ipHostNumber'); print $entry->dn; if (scalar(@macs) > 0) { print " with MAC ".join(', ', @macs); } else { print " with no MAC"; } if (scalar(@ips) > 0) { print " and IP ".join(', ', @ips)."\n"; } else { print " and no IP\n"; } } print "\n"; print "Please edit them by hand in FusionDirectory to add interfaces\n"; } if ((scalar(@entriesToMigrate) == 0) and (scalar(@entriesToIgnore) == 0)) { print "\nNo systems are missing interfaces, nothing to do\n" } print "\n"; # unbind to the LDAP server my $unbind = $ldap->unbind; $unbind->code && warn "! Unable to unbind from LDAP server: ", $unbind->error."\n"; } # function that removes SupAnn root information from FD<1.4 sub remove_supann_root { # initiate the LDAP connexion my %hash_ldap_param = get_ldap_connexion(); # LDAP's connection's parameters my $base = $hash_ldap_param{base}; my $ldap = $hash_ldap_param{ldap}; my $mesg = $ldap->search( filter => '(&(objectClass=supannOrg)(objectClass=eduOrg))', base => $base, scope => 'one'
1821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890
); $mesg->code && die $mesg->error; if ($mesg->count > 0) { print ("There is an outdated SupAnn establishement stored under root node:\n"); my @entries = $mesg->entries; foreach my $entry (@entries) { print $entry->dn()."\n"; } print ("You should remove this entry and check the 'Root establishment' checkbox\n"); print (" in FusionDirectory to save it in the root node instead.\n"); if (ask_yn_question("Remove this entry?")) { foreach my $entry (@entries) { $mesg = $ldap->delete($entry); if ($mesg->code) { print "Failed to delete entry '".$entry->dn."': ".$mesg->error."\n"; } else { print "Deleted entry '".$entry->dn."'\n"; } } } } else { print ("There is no outdated SupAnn establishement stored under root node.\n"); } # unbind to the LDAP server my $unbind = $ldap->unbind; $unbind->code && warn "! Unable to unbind from LDAP server: ", $unbind->error."\n"; } # List LDAP attributes which have been deprecated sub list_deprecated { my ($obsolete_attrs, $obsolete_classes) = get_deprecated(); print "Deprecated attributes:\n"; foreach my $attribute (@$obsolete_attrs) { printf(" %-30s\t%-60s\t- %s\n", $attribute->{'name'}, '('.$attribute->{'desc'}.')', $attribute->{'oid'}); } print "Deprecated objectClasses:\n"; foreach my $oc (@$obsolete_classes) { printf(" %-30s\t%-60s\t- %s\n", $oc->{'name'}, '('.$oc->{'desc'}.')', $oc->{'oid'}); } } # List LDAP entries using attributes which have been deprecated sub check_deprecated { my ($obsolete_attrs, $obsolete_classes) = get_deprecated(); my $filterAttrs = '(|'.join('', (map{ '('.$_->{'name'}.'=*)' } @$obsolete_attrs)).')'; # initiate the LDAP connexion my %hash_ldap_param = get_ldap_connexion(); # LDAP's connection's parameters my $base = $hash_ldap_param{base}; my $ldap = $hash_ldap_param{ldap}; my $entries = $ldap->search( base => "$base", filter => "$filterAttrs", ); $entries->code && die $entries->error; if ($entries->count > 0) { while (my $entry = $entries->shift_entry) {
1891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960
print $entry->dn." contains an obsolete attribute\n"; } } else { print "There are no entries in the LDAP using obsolete attributes\n"; } my $useobsoletes = 0; foreach my $class (@$obsolete_classes) { $entries = $ldap->search( base => "$base", filter => '(objectClass='.$class->{'name'}.')', ); $entries->code && die $entries->error; if ($entries->count > 0) { $useobsoletes = 1; while (my $entry = $entries->shift_entry) { print $entry->dn." uses the obsolete object class ".$class->{'name'}."\n"; } } } if (!$useobsoletes) { print "There are no entries in the LDAP using obsolete classes\n"; } } # Print a LDIF file removing attributes which have been deprecated sub ldif_deprecated { my ($obsolete_attrs, $obsolete_classes) = get_deprecated(); my $filterAttrs = '(|'.join('', (map{ '('.$_->{'name'}.'=*)' } @$obsolete_attrs)).')'; my $filterClasses = '(|'.join('', (map{ '(objectClass='.$_->{'name'}.')' } @$obsolete_classes)).')'; # initiate the LDAP connexion my %hash_ldap_param = get_ldap_connexion(); # LDAP's connection's parameters my $base = $hash_ldap_param{base}; my $ldap = $hash_ldap_param{ldap}; my $entries = $ldap->search( base => "$base", filter => "$filterAttrs", ); $entries->code && die $entries->error; if ($entries->count > 0) { while (my $entry = $entries->shift_entry) { print 'dn:'.$entry->dn."\n"; print "changetype:modify\n"; foreach my $attr (@$obsolete_attrs) { if ($entry->exists($attr->{'name'})) { print "delete:".$attr->{'name'}."\n-\n"; } } print "\n"; } } else { print "# There are no entries in the LDAP using obsolete attributes\n"; } $entries = $ldap->search( base => "$base", filter => "$filterClasses", ); $entries->code && die $entries->error; if ($entries->count > 0) { print "# WARNING: There are entries in the LDAP using obsolete classes, you need to edit them manually\n";
1961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030
} else { print "# There are no entries in the LDAP using obsolete classes\n"; } } # Read FD config in the LDAP sub read_ldap_config { # initiate the LDAP connexion my %hash_ldap_param = get_ldap_connexion(); # LDAP's connection's parameters my $base = $hash_ldap_param{base}; my $ldap = $hash_ldap_param{ldap}; my $mesg = $ldap->search (base => "$configrdn,$base", filter => '(objectClass=fusionDirectoryConf)', scope => 'base'); die_on_ldap_errors($mesg); if ($mesg->count > 0) { if (($mesg->entries)[0]->exists('fdUserRDN')) { $userrdn = ($mesg->entries)[0]->get_value('fdUserRDN'); } if (($mesg->entries)[0]->exists('fdOGroupRDN')) { $grouprdn = ($mesg->entries)[0]->get_value('fdOGroupRDN'); } if (($mesg->entries)[0]->exists('fdAclRoleRDN')) { $aclrolerdn = ($mesg->entries)[0]->get_value('fdAclRoleRDN'); } if (($mesg->entries)[0]->exists('fdSystemRDN')) { $systemrdn = ($mesg->entries)[0]->get_value('fdSystemRDN'); } if (($mesg->entries)[0]->exists('fdDnsRDN')) { $dnsrdn = ($mesg->entries)[0]->get_value('fdDnsRDN'); } if (($mesg->entries)[0]->exists('fdDhcpRDN')) { $dhcprdn = ($mesg->entries)[0]->get_value('fdDhcpRDN'); } if (($mesg->entries)[0]->exists('fdWorkstationRDN')) { $workstationrdn = ($mesg->entries)[0]->get_value('fdWorkstationRDN'); } if (($mesg->entries)[0]->exists('fdSambaMachineAccountRDN')) { $winstationrdn = ($mesg->entries)[0]->get_value('fdSambaMachineAccountRDN'); } } return ($mesg->entries)[0]; } sub show_ldap_config { my $config_node = read_ldap_config(); $config_node->dump(); } sub set_config_var { my ($var, $value) = @_; if (!($var =~ m/^fd/)) { $var = "fd$var"; } print "Setting configuration var $var to $value\n"; # initiate the LDAP connexion my %hash_ldap_param = get_ldap_connexion(); # LDAP's connection's parameters my $base = $hash_ldap_param{base}; my $ldap = $hash_ldap_param{ldap}; my $result = $ldap->modify ( "$configrdn,$base", replace => {
2031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100
$var => $value } ); $result->code && warn "! failed to set value for '".$var."' - ".$result->error_name.": ".$result->error_text; } sub show_version { my $variables_common_path = "$vars{fd_home}/include/variables_common.inc"; if (-e $variables_common_path) { open(my $vars, q{<}, $variables_common_path) || die ("Could not open $variables_common_path"); while(<$vars>) { if ($_ =~ m/^define \(["']FD_VERSION["'], "([^"]+)"\);/) { print "FusionDirectory version is $1\n"; last; } } close($vars); } else { print "File $variables_common_path does not exist, can’t find out FusionDirectory version\n"; } } # function that set useful vars based on user specified folders and files sub set_vars { $fd_config = $vars{fd_config_dir}."/".$vars{config_file}; $fd_secrets = $vars{fd_config_dir}."/".$vars{secrets_file}; $locale_dir = $vars{fd_home}."/".$vars{locale_dir}; $class_cache = $vars{fd_cache}."/".$vars{class_cache}; $locale_cache_dir = $vars{fd_cache}."/".$vars{locale_cache_dir}; $tmp_dir = $vars{fd_cache}."/".$vars{tmp_dir}; $fai_log_dir = $vars{fd_cache}."/".$vars{fai_log_dir}; $template_dir = $vars{fd_cache}."/".$vars{template_dir}; my $supann_dir = $vars{fd_cache}."/supann"; @root_config_dirs = ( $vars{fd_home}, $vars{fd_config_dir} ); @apache_config_dirs = ( $vars{fd_spool_dir}, $vars{fd_cache}, $tmp_dir, $fai_log_dir, $template_dir ); @config_dirs = ( @root_config_dirs, @apache_config_dirs ); } # function that list variables that can be modified by the user sub list_vars { while ( my ($key, $value) = each(%vars) ) { print "$key\t[$value]"."\n"; } } #################### main function ##################### #die if the user is not root die ("! You have to run this script as root\n") if ($<!=0); my @vars_keys = keys %vars; # $commands{<cli-option>} = [<description>, <function>, <needs-ldap-config>]; my %commands = (); $commands{"--update-cache"} = ["Updating class.cache", \&rescan_classes]; $commands{"--update-locales"} = ["Updating translations", \&rescan_i18n]; $commands{"--check-directories"} = ["Checking FusionDirectory's directories", \&check_directories]; $commands{"--check-config"} = ["Checking FusionDirectory's config file", \&check_config]; $commands{"--check-ldap"} = ["Checking your LDAP tree", \&check_ldap, 1]; $commands{"--check-ids"} = ["Checking for duplicate uid or gid numbers", \&check_id_numbers, 1]; $commands{"--migrate-users"} = ["Migrating your users", \&migrate_users, 1]; $commands{"--migrate-phones"} = ["Migrating your phones from FD < 1.1", \&migrate_phones, 1]; $commands{"--migrate-systems"} = ["Migrating your systems from FD < 1.1", \&migrate_systems, 1]; $commands{"--migrate-winstations"} = ["Migrating your winstations from FD < 1.1", \&migrate_winstations, 1]; $commands{"--migrate-dhcp"} = ["Migrating DHCP configurations for FD >= 1.0.17",\&migrate_dhcp, 1]; $commands{"--migrate-interfaces"} = ["Migrating your systems from FD < 1.4", \&migrate_interfaces, 1]; $commands{"--remove-supann-root"} = ["Remove SupAnn root establishment from FD < 1.4",\&remove_supann_root, 1]; $commands{"--delete-gosa-locks"} = ["Delete lock tokens using old gosaLockEntry class", \&delete_gosa_locks]; $commands{"--install-plugins"} = ["Installing FusionDirectory's plugins", \&install_plugins];
2101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170
$commands{"--encrypt-passwords"} = ["Encrypt passwords in fusiondirectory.conf", \&encrypt_passwords]; $commands{"--show-passwords"} = ["Show passwords from fusiondirectory.conf", \&show_passwords]; $commands{"--show-version"} = ["Show FusionDirectory version from variables_common.inc", \&show_version]; $commands{"--list-vars"} = ["List possible vars to give --set", \&list_vars]; $commands{"--write-vars"} = ["Choose FusionDirectory Directories", \&write_vars]; $commands{"--set-VAR=value"} = ["Set the variable VAR to value see --list-vars", \&die]; # Won't be called because it contains uppercase $commands{"--list-deprecated"} = ["List deprecated attributes and objectclasses", \&list_deprecated]; $commands{"--check-deprecated"} = ["List LDAP entries using deprecated attributes or objectclasses", \&check_deprecated]; $commands{"--ldif-deprecated"} = ["# Print an LDIF removing deprecated attributes",\&ldif_deprecated]; $commands{"--show-config"} = ["Show an LDAP dump of the FusionDirectory configuration", \&show_ldap_config]; $commands{"--set-config-VAR=value"} = ["Set the value in LDAP of a configuration field",\&set_config_var]; my $usage = 0; set_vars(); foreach my $arg ( @ARGV ) { if (( $arg =~ m/^--set-(.*)=(.*)$/ ) && (grep {$_ eq lc($1)} @vars_keys)) { $vars{lc($1)} = $2; print "Setting ".lc($1)." to $2\n"; set_vars(); } elsif ( $arg =~ m/^--set-config-(.*)=(.*)$/ ) { set_config_var($1, $2); } elsif ( defined $commands { lc ( $arg ) } ) { my @command = @{ $commands{ $arg } }; if ((defined $command[2]) && $command[2]) { read_ldap_config(); } print( $command[0]."\n" ); $command[1](); } elsif ( ( lc($arg) eq "--help" ) || ( lc($arg) eq "-h" ) ) { print ( "\nCommands:\n" ); while ( my ( $key,$value ) = each %commands ) { print ( "$key\t".$value->[0]."\n" ); } print ("--yes\t\t\tAlways answer yes to yes/no questions\n"); print ("--help\t\t\tShows this help\n\n"); } elsif (( lc($arg) eq "--yes" ) || ( lc($arg) eq "-y" )) { $yes_flag = 1; } else { print ("\nInvalid argument\n\n"); $usage = 1; } } if( $usage || ( @ARGV <= 0 ) ) { print ( "Usage : $0 [--yes]" ); foreach my $command ( keys ( %commands )) { print ( " [$command]" ); } print "\n\n"; } exit 0; __END__ =head1 NAME fusiondirectory-setup - FusionDirectory configuration management tool =head1 DESCRIPTION This script is designed to perform multiple checks on your FusionDirectory/LDAP architecture, and fix usual misconfiguration. Some extra features allow you to install FusionDirectory's plugins, and change destinations directories. =head2 Options =over 4
2171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240
=item --update-cache This option update the /var/cache/fusiondirectory/class.cache file. Which contain PHP classes used in FusionDirectory, and their location. =item --update-locales This option update internalization, by generating a new .mo locales file for each language, with every .po files it found. Needs I<msgcat> and I<msgfmt> to be installed. =item --check-directories This option perform a check on all FusionDirectory's files or directories. =item --check-config This option perform a check on FusionDirectory's config file. =item --check-ldap This option check your LDAP tree. Looking for admin account, and groups or people branch. If one of those doesn't exist, the script will ask you what to do. =item --check-ids This option check your LDAP tree for duplicate uidNumber or gidNumber among users and groups. =item --migrate-users This option add FusionDirectory attributes to the people branch. =item --migrate-phones This option removes device objectClass for phones as fdPhones is now structural since FD 1.1. =item --migrate-systems This option replace old systems objectClasses by new objectClasses from FD 1.1. =item --migrate-winstations This option replace old winstations objectClasses by new objectClasses from FD 1.1. =item --migrate-dhcp This option moves DHCP configurations from systems branch to DHCP branch, which is necessary for FusionDirectory 1.0.17 and above. =item --migrate-interfaces This option creates interfaces objects for old systems from FD < 1.4. =item --delete-gosa-locks This option will delete old GOsa style lock tokens from 1.0.15 or older =item --install-plugins This option will install the plugin from a tar.gz of the plugin. This option is intended for people wanting to install from the sources. =item --encrypt-passwords This option will encrypt the password inside your fusiondirectory.conf file, it need the headers module to be activated in your apache to work. =item --show-passwords This option will show the passwords inside your fusiondirectory.conf file as clear text (even if they are encrypted). =item --show-version This option will parse the file variables_common.inc of FusionDirectory to find out which version of FusionDirectory is installed. =item --list_vars
2241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310
This option will list the variables you can change to install FusionDirectory on another set of directories. This option is intended for people wanting to install from the sources. =item --write-vars This option will write back the variables.inc file with the updated variables and is only useful with --set-VAR=variable and for people installing from sources. =item --set-VAR=variable This option will change the variable for the FusionDirectory installation. it is only useful with --install-directories and for people installing from sources. =item --list-deprecated This option will list the deprecated attributes and objectclasses still in your schemas and no longer used by FusionDirectory. =item --check-deprecated This option will list the dn of LDAP entries using deprecated attributes or objectclasses and no longer used by FusionDirectory. =item --ldif-deprecated This option will print an LDIF to allow you to remove deprecated attributes from you ldap server. Be careful and check before applying. =item --show-config This option will print a dump of the FusionDirectory configuration LDAP node. =item --set-config-VAR=value This option sets the value of a configuration field in the LDAP. The value needs to be in the correct LDAP format. You cannot set multivalued field with this. The var name can be provided with or without the fd prefix. =item --yes This flag will answer "yes" to every yes/no question asked by the script =back =head1 EXAMPLE benoit@catbert$ fusiondirectory-setup --update-cache --update-locales Update FusionDirectory class cache and update localization benoit@catbert$ fusiondirectory-setup --list-vars List possible vars to give --set locale_cache_dir [locale] config_file [fusiondirectory.conf] fd_cache [/var/cache/fusiondirectory] fd_smarty_path [/usr/share/php/smarty3/Smarty.class.php] fd_spool_dir [/var/spool/fusiondirectory] fai_log_dir [fai] tmp_dir [tmp] secrets_file [fusiondirectory.secrets] template_dir [template] locale_dir [locale] class_cache [class.cache] fd_config_dir [/etc/fusiondirectory] fd_home [/var/www/fusiondirectory] benoit@catbert$ fusiondirectory-setup --set-class_cache=class.cache --write-vars update the class.cache name and write back the variables.inc file =head1 BUGS Please report any bugs, or post any suggestions, to the fusiondirectory mailing list fusiondirectory-users or to <https://gitlab.fusiondirectory.org/fusiondirectory/fd/issues/new>
23112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333
=head1 AUTHORS Benjamin Carpentier Come Bernigaud =head1 LICENCE AND COPYRIGHT This code is part of FusionDirectory (http://www.fusiondirectory.org/) =over 2 =item Copyright (C) 2011-2018 FusionDirectory =back This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. =cut