Commits
8b475224
Commit
8b475224
authored
Dec 05, 2013
by
Côme Bernigaud
Committed by
Benoit Mortier
Dec 05, 2013
Fixes:
#2670
Added a migrate-acls command to fusiondirectory-setup
parent
d8264038
Changes
1
contrib/bin/fusiondirectory-setup
...
...
@@ -107,6 +107,41 @@ sub ask_user_input {
return
$answer
;
}
{
my
$indice
=
0
;
sub
find_free_role_dn
{
my
(
$ldap
,
$base
,
$prefix
)
=
@_
;
my
(
$cn
,
$dn
,
$mesg
);
do
{
$cn
=
$prefix
.
'
_
'
.
$indice
;
$dn
=
"
cn=
$cn
,
$rolesou
,
$base
";
$indice
++
;
$mesg
=
$ldap
->
search
(
base
=>
"
$dn
",
scope
=>
'
base
',
filter
=>
'
(objectClass=*)
'
);
}
while
(
$mesg
->
count
);
return
$cn
;
}
}
sub
create_role
{
my
(
$ldap
,
$base
,
$cn
,
$acl
)
=
@_
;
my
%role
=
(
'
cn
'
=>
"
$cn
",
'
objectclass
'
=>
[
'
top
',
'
gosaRole
'
],
'
gosaAclTemplate
'
=>
"
0:
$acl
"
);
my
$role_dn
=
"
cn=
$cn
,
$rolesou
,
$base
";
# Add the administator role object
my
@options
=
%role
;
my
$role_add
=
$ldap
->
add
(
$role_dn
,
attr
=>
\
@options
);
# send a warning if the ldap's admin's add didn't gone well
$role_add
->
code
&&
die
"
\n
! failed to add LDAP's
$role_dn
entry -
"
.
$role_add
->
error_name
.
"
:
"
.
$role_add
->
error_text
;
return
$role_dn
;
}
###################################################### Password encryption #########################################################################
sub
cred_encrypt
{
...
...
@@ -568,18 +603,7 @@ sub add_ldap_admin {
# Create admin role if not existing
my
$role
;
if
(
scalar
@$roles
==
0
)
{
my
%role
=
(
'
cn
'
=>
'
admin
',
'
objectclass
'
=>
[
'
top
',
'
gosaRole
'
],
'
gosaAclTemplate
'
=>
'
0:all;cmdrw
'
);
my
$role_dn
=
'
cn=admin
'
.
"
,
$rolesou
,
$base
";
# Add the administator role object
my
@options
=
%role
;
my
$role_add
=
$ldap
->
add
(
$role_dn
,
attr
=>
\
@options
);
# send a warning if the ldap's admin's add didn't gone well
$role_add
->
code
&&
die
"
\n
! failed to add LDAP's
$role_dn
entry -
"
.
$role_add
->
error_name
.
"
:
"
.
$role_add
->
error_text
;
my
$role_dn
=
create_role
(
$ldap
,
$base
,'
admin
','
all;cmdrw
');
$role
=
encode_base64
(
$role_dn
,
'');
}
else
{
$role
=
shift
(
@$roles
);
...
...
@@ -1028,6 +1052,134 @@ sub migrate_users {
$unbind
->
code
&&
warn
"
! Unable to unbind from LDAP server:
",
$unbind
->
error
.
"
\n
";
}
sub
migrate_acls
{
# initiate the LDAP connexion
my
%hash_ldap_param
=
get_ldap_connexion
();
# LDAP's connection's parameters
my
$base
=
$hash_ldap_param
{
base
};
my
$ldap
=
$hash_ldap_param
{
ldap
};
# Search for old formatted ACLs
my
$mesg
=
$ldap
->
search
(
base
=>
"
$base
",
filter
=>
"
(gosaAclEntry=*)
",
attrs
=>
['
gosaAclEntry
']
);
while
(
my
$entry
=
$mesg
->
shift_entry
)
{
my
$acls
=
$entry
->
get_value
('
gosaAclEntry
',
asref
=>
1
);
my
@nacls
=
();
my
$old_formats
=
0
;
ACL:
foreach
my
$acl
(
@$acls
)
{
my
$old_format
=
0
;
my
(
$index
,
$scope
,
$part1
,
$part2
,
$filter
);
if
(
$acl
=~
m/:(p?sub|role):/
)
{
$old_format
=
1
;
(
$index
,
$scope
,
$part1
,
$part2
,
$filter
)
=
split
('
:
',
$acl
);
}
elsif
(
$acl
!~
m/:subtree:/
)
{
# With one or base scope we can't know, we have to check other parts
(
$index
,
$scope
,
$part1
,
$part2
,
$filter
)
=
split
('
:
',
$acl
);
my
$dn
=
decode_base64
(
$part1
);
$mesg
=
$ldap
->
search
(
base
=>
"
$dn
",
scope
=>
'
base
',
filter
=>
'
(objectClass=gosaRole)
'
);
if
(
$mesg
->
count
==
0
)
{
$old_format
=
1
;
}
}
if
(
$old_format
)
{
$old_formats
=
1
;
print
"
$acl
needs migration
\n
";
my
(
$role_dn
,
$members
);
if
(
$scope
eq
'
role
')
{
$role_dn
=
decode_base64
(
$part1
);
$members
=
$part2
;
# Find scope in role
$mesg
=
$ldap
->
search
(
base
=>
$role_dn
,
scope
=>
'
base
',
filter
=>
'
(objectClass=gosaRole)
'
);
if
(
my
$role_entry
=
$mesg
->
shift_entry
)
{
my
$acl_templates
=
$role_entry
->
get_value
('
gosaAclTemplate
',
asref
=>
1
);
my
$scope
=
'';
foreach
my
$acl_template
(
@$acl_templates
)
{
my
(
$t_index
,
$t_scope
,
$t_acl
)
=
split
('
:
',
$acl_template
);
if
(
$scope
eq
'')
{
$scope
=
$t_scope
;
}
elsif
(
$scope
ne
$t_scope
)
{
print
"
We don't know how to migrate role
$role_dn
as it contains several scopes
\n
";
push
@nacls
,
$acl
;
next
ACL
;
}
}
push
@nacls
,
"
$index
:
$scope
:
"
.
encode_base64
(
$role_dn
)
.
"
:
$members
";
}
else
{
# Removing invalid ACL
print
"
Removing acl as associated role
$role_dn
does not exists
\n
";
next
ACL
;
}
}
else
{
my
$cn
=
find_free_role_dn
(
$ldap
,
$base
,'
migrated_acl
');
$role_dn
=
create_role
(
$ldap
,
$base
,
$cn
,
$part2
);
$members
=
$part1
;
if
(
$scope
=~
m/sub$/
)
{
$scope
=
'
subtree
';
}
push
@nacls
,
"
$index
:
$scope
:
"
.
encode_base64
(
$role_dn
)
.
"
:
$members
";
}
}
else
{
push
@nacls
,
$acl
;
}
}
if
(
$old_formats
)
{
@nacls
=
sort
@nacls
;
my
$i
=
0
;
map
{
s/^[0-9]*:/$i:/
;
$i
++
}
@nacls
;
# Re-index acls
my
$result
=
$ldap
->
modify
(
$entry
->
dn
,
replace
=>
{
'
gosaAclEntry
'
=>
\
@nacls
}
);
$result
->
code
&&
warn
"
\n
! failed to migrate ACL for '
"
.
$entry
->
dn
.
"
' -
"
.
$result
->
error_name
.
"
:
"
.
$result
->
error_text
;
print
"
Migrated acls for '
"
.
$entry
->
dn
.
"
'
\n
";
}
}
# Search for old formatted ACL roles
$mesg
=
$ldap
->
search
(
base
=>
"
$base
",
filter
=>
"
(gosaAclTemplate=*:*:*)
",
attrs
=>
['
gosaAclTemplate
']
);
ROLE:
while
(
my
$role_entry
=
$mesg
->
shift_entry
)
{
my
$acl_templates
=
$role_entry
->
get_value
('
gosaAclTemplate
',
asref
=>
1
);
my
$scope
=
'';
my
@ntemplates
=
();
foreach
my
$acl_template
(
@$acl_templates
)
{
my
(
$t_index
,
$t_scope
,
$t_acl
)
=
split
('
:
',
$acl_template
);
if
(
$scope
eq
'')
{
$scope
=
$t_scope
;
}
elsif
(
$scope
ne
$t_scope
)
{
print
"
We don't know how to migrate role '
"
.
$role_entry
->
dn
.
"
' as it contains several scopes
\n
";
next
ROLE
;
}
push
@ntemplates
,
$t_index
.
'
:
'
.
$t_acl
;
}
my
$result
=
$ldap
->
modify
(
$role_entry
->
dn
,
replace
=>
{
'
gosaAclTemplate
'
=>
\
@ntemplates
}
);
$result
->
code
&&
warn
"
\n
! failed to migrate ACL for '
"
.
$role_entry
->
dn
.
"
' -
"
.
$result
->
error_name
.
"
:
"
.
$result
->
error_text
;
print
"
Migrated role '
"
.
$role_entry
->
dn
.
"
'
\n
";
}
}
# function that set useful vars based on user specified folders and files
sub
set_vars
{
$fd_config
=
$vars
{
fd_config_dir
}
.
"
/
"
.
$vars
{
config_file
};
...
...
@@ -1067,6 +1219,7 @@ die ("! You have to run this script as root\n") if ($<!=0);
$commands
{"
--check-ldap
"}
=
["
Checking your LDAP tree
",
\
&check_ldap
];
$commands
{"
--migrate-repositories
"}
=
["
Migrating your FAI repositories
",
\
&migrate_repo
];
$commands
{"
--migrate-users
"}
=
["
Migrating your users
",
\
&migrate_users
];
$commands
{"
--migrate-acls
"}
=
["
Migrating your ACLs
",
\
&migrate_acls
];
$commands
{"
--install-plugins
"}
=
["
Installing FusionDirectory's plugins
",
\
&install_plugins
];
$commands
{"
--encrypt-passwords
"}
=
["
Encrypt passwords in fusiondirectory.conf
",
\
&encrypt_passwords
];
$commands
{"
--write-vars
"}
=
["
Choose FusionDirectory Directories
",
\
&write_vars
];
...
...
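Review bot: In migrate_acls (third hunk) the inner role lookups in the `elsif ($acl !~ m/:subtree:/)` branch and in the `$scope eq 'role'` branch assign to the same `$mesg` that drives the outer `while (my $entry = $mesg->shift_entry)` loop, so once one of those branches runs the outer loop continues on a single-entry, base-scope result (already consumed by `shift_entry` in the role branch) and stops before the remaining gosaAclEntry holders are visited; give those lookups their own handle, e.g. `my $role_mesg = $ldap->search(base => $role_dn, scope => 'base', filter => '(objectClass=gosaRole)');` and read `$role_mesg->shift_entry` / `$role_mesg->count` from it. The two `push @nacls, "$index:$scope:" . encode_base64($role_dn) . ":$members";` sites omit the line-terminator argument that add_ldap_admin in this same commit passes as `encode_base64($role_dn, '')`; if this is MIME::Base64, the rebuilt value carries an embedded newline (and extra breaks for DNs longer than 76 encoded characters), so pass `''` at both sites. Neither the initial `(gosaAclEntry=*)` search nor the role lookup checks `$mesg->code`, so a failed lookup (permissions, unreachable base) is indistinguishable from a missing role and the ACL is dropped under "Removing acl as associated role ... does not exists"; a `$mesg->code && die ...` guard before interpreting `count`/`shift_entry` would keep a transient error from deleting an ACL. The same applies to find_free_role_dn in the first hunk, where an errored base search yields a count of 0 and the DN is reported free.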