
ldapscripts's People

Contributors

martymac, n-peugnet, pwalz, sunilmohanadapa

ldapscripts's Issues

using empty GSUFFIX, MSUFFIX, USUFFIX

Empty suffixes in the /etc/ldapscripts/ldapscripts.conf lead to the generation of illegal DNs in the LDIF.

Dec 13 01:12:47 host2020 ldapscripts: ldapaddgroup(xxxxxxx): /usr/local/sbin/ldapaddgroup xxxxxx 1004
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_add: Invalid DN syntax (34)
        additional info: invalid DN
  -> Error adding group xxxxxx to LDAP

ldapscripts and Debian stretch

Hello, I've got a problem since I upgraded my server to Debian stretch.

Debian GNU/Linux 9 (stretch)
Paquet : slapd                                          
Version : 2.4.44+dfsg-5
Paquet : ldapscripts                                    
Version : 2.0.7-2

No problem creating a user with ldapadduser.
But each time I remove a user with ldapdeleteuser, I get this error message:

ldap_modify: Server is unwilling to perform (53)
additional info: modify upon the root DSE not supported

Do you know what could be the problem?
Thanks for your help.

Extracting templates fails under some locales

Under some locales, extracting embedded templates from scripts fails. See the following interaction:

root@freedomboxvm1:~# ldapadduser testuser users
Error adding user testuser to LDAP
root@freedomboxvm1:~# tail /var/log/ldapscripts.log 
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldapadd: invalid format (line 1) entry: ""
  -> Error adding user testuser to LDAP
root@freedomboxvm1:~# LC_ALL=C ldapadduser testuser users
Successfully added user testuser to LDAP
Warning : got invalid password for user testuser (password not set)
root@freedomboxvm1:~# 

Each file has a copyright message like this:

#  Copyright (C) 2005 Ganaël LAPLANCHE - Linagora
#  Copyright (C) 2006-2013 Ganaël LAPLANCHE

The special characters are causing grep to detect the file as binary under some locales. This causes it to output something like "Binary file /usr/share/ldapscripts/runtime matches" instead of extracting the embedded template required for adding users, groups, etc. This results in failure. Adding the -a option to grep should fix the issue.
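The failure mode reported above, as an added example that is not part of the original issue or of ldapscripts' code: a constructed file with one ISO-8859-1 byte in its copyright header, extracted with and without `grep -a`. The `##` template marker, the file layout and all function names are assumptions for illustration; whether plain grep fails depends on the locale and the grep version, while the `-a` form does not.

```shell
#!/bin/sh
# Added illustration. The "##" template marker and the file layout are
# assumptions for this sketch, not ldapscripts' actual embedding format.

# Build a constructed stand-in for a script with an embedded LDIF template.
make_sample() {
  # \353 is "ë" in ISO-8859-1: a byte that is not valid UTF-8 on its own.
  printf '#  Copyright (C) 2005 Gana\353l LAPLANCHE\n' > "$1"
  printf '##dn: uid=<user>,<usuffix>,<suffix>\n' >> "$1"
  printf '##objectClass: posixAccount\n' >> "$1"
}

# Count bytes outside 7-bit ASCII; any such byte can trip grep's binary check.
non_ascii_bytes() {
  echo $(( $(LC_ALL=C tr -d '\000-\177' < "$1" | wc -c) ))
}

# Locale-dependent: may yield "Binary file ... matches" or nothing useful.
extract_plain() { grep '^##' "$1" | sed 's/^##//'; }

# Locale-independent: -a forces grep to treat the file as text.
extract_text() { grep -a '^##' "$1" | sed 's/^##//'; }

demo() {
  f=$(mktemp) || return 1
  make_sample "$f"
  echo "non-ASCII bytes: $(non_ascii_bytes "$f")"
  echo "--- grep (current locale) ---"; extract_plain "$f"
  echo "--- grep -a ---";               extract_text "$f"
  rm -f "$f"
}
demo
```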

Can't change/set passwords with SASL auth

Currently, there is no way to set or change the password while using SASL authentication.

In FreedomBox, a very simplified UI manages everything including LDAP user accounts. The administrative interface has to take care of managing the user accounts. Since storing LDAP admin password on the system somewhere is not good, we are using SASL Auth EXTERNAL and connecting via ldapi:/// URL to manage the users. We have modified the permissions as necessary.

With this approach, we are unable to change a user's password or set it during user creation as ldapscripts refuses to do so. The relevant code looks as follows:

    if [ -n "$SASLAUTH" ]
    then
      # XXX Is there a reason to allow changing a userPassword attribute here ?
      end_die "Please, change password in $SASLAUTH database"

I believe there is a realistic use case and we should allow changing the password for the user using the ldappasswd command even when using SASL authentication.

Add support for syslog

It would be useful to be able to send logs to syslog in addition to (or instead of) a local file.

ldaprenameuser doesn't clean up group memberships

When using ldaprenameuser, it doesn't take care of any groups the account is in. For example, if john is a member of the staff group, and the account is renamed to johnsmith, the staff group will still have john as a member and not johnsmith. I don't know if this is an intentional omission (maybe due to some LDAP implementations automatically fixing the problem) - if it wasn't intentional, would you take a pull request to fix it?

Support for multiple configuration files?

Would it be possible for ldapscripts to support multiple configuration files? For example, by allowing an alternate config file to be specified as a command line argument or environment variable.

uid/gid check for ldapadduser?

It seems I can create two users with the same uid/gid:

root@ubu1:~# ldapadduser user3 gardeners 9999
Successfully added user user3 to LDAP
Successfully set password for user user3
root@ubu1:~# ldapadduser user4 gardeners 9999
Successfully added user user4 to LDAP
Successfully set password for user user4
root@ubu1:~# lsldap  -u
[..]
dn: uid=user3,ou=People,dc=foo,dc=example,dc=com
objectClass: account
objectClass: posixAccount
cn: user3
uid: user3
uidNumber: 9999
gidNumber: 5001
homeDirectory: /home/user3
loginShell: /bin/bash
gecos: user3
description: User account
userPassword:: e1NTSEF9MUhyLzFsdnpWSXNvL2tSSHZNUEdXdkJja3B4cDdONWo=

dn: uid=user4,ou=People,dc=foo,dc=example,dc=com
objectClass: account
objectClass: posixAccount
cn: user4
uid: user4
uidNumber: 9999
gidNumber: 5001
homeDirectory: /home/user4
loginShell: /bin/bash
gecos: user4
description: User account
userPassword:: e1NTSEF9UHpVMC90QklOamsyY21lT0M5a1JHcFBiVW84eEhoUnc=

Is this the intended behavior?
