# $Id: smbldap-groupmod,v 1.10 2005/01/08 12:04:45 jtournier Exp $
# This code was developed by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
# Copyright (C) 2001-2002 IDEALX
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# Purpose of smbldap-groupmod : group (posix) modification
use FindBin qw($RealBin);
# Parse the switches into %Options (presumably Getopt::Std::getopts; the
# `use` line is outside this view).  Letters followed by ':' take a value,
# -a and -o are bare flags.  $ok is false when an unknown switch was seen.
my $ok = getopts('ag:n:m:or:s:t:x:?', \%Options);
# Print usage (and presumably exit -- the rest of the branch is not visible)
# when option parsing failed, no group name was given, or -? was passed.
if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) {
print "Usage: $0 [-a] [-g gid [-o]] [-n name] [-m members(,)] [-x members (,)] [-r rid] [-s sid] [-t type] groupname\n";
print " -a add automatic group mapping entry\n";
print " -g new gid\n";
print " -o gid is not unique\n";
print " -n new group name\n";
print " -m add members (comma delimited)\n";
print " -r group-rid\n";
print " -s group-sid\n";
print " -t group-type\n";
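# Help text for -x (spelling of "delimited" fixed to match the -m line).
print " -x delete members (comma delimited)\n";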
print " -? show this help message\n";
# The target group is the first non-option argument.  It is taken as given
# and later interpolated verbatim into LDAP DNs (see the notes at the modify
# and moddn calls below).
my $groupName = $ARGV[0];
# Writable connection to the LDAP master (helper defined outside this view);
# every modify/moddn below goes through this handle and it is unbound at the end.
my $ldap_master=connect_ldap_master();
# Bail out if the group has no LDAP entry.  $group_entry is not lexical; it
# is reused near the end to inspect the entry's objectClass/sambaGroupType.
if (! ($group_entry = read_group_entry($groupName))) {
print "$0: group $groupName doesn't exist\n";
# -n: new cn for the group, applied with a moddn further down.
my $newname = $Options{'n'};
# Probe nscd through its init script.  The command string is a constant --
# nothing from the command line is interpolated -- so passing it through the
# shell is safe here.  system() returns the wait status; 0 means "running".
my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1";
if ($nscd_status == 0) {
# Best-effort restart (output discarded, result not checked), presumably so
# the getgrnam()/getgrgid() lookups below are not served from a stale cache.
system "/etc/init.d/nscd restart > /dev/null 2>&1";
# Current numeric gid, resolved through NSS (getgrnam in scalar context
# returns only the gid); undef when the system does not know the name.
my $gid = getgrnam($groupName);
unless (defined ($gid)) {
print "$0: group $groupName not found!\n";
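# -g: validate the requested gid as a whole, non-negative integer before it is
# compared with getgrgid() and written to gidNumber.  The original /\d+/ was
# unanchored, so a value such as "12abc" or " 12" passed the check and reached
# the directory; anchoring matches the rid check used for -r further down.
if (defined($tmp = $Options{'g'}) and $tmp =~ /^\d+$/) {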
# Unless -o explicitly allows a duplicate, refuse a gid that already exists.
if (!defined($Options{'o'})) {
if (defined(getgrgid($tmp))) {
print "$0: gid $tmp exists\n";
# Only touch the directory when the gid actually changes.
if (!($gid == $tmp)) {
# NOTE(review): the DN is rebuilt by interpolating the command-line group name
# with no escaping of DN-special characters (',', '+', '"', '\', '<', '>', ';').
# A name containing them addresses a different entry or fails outright.  Using
# the DN already read from the directory ($group_entry->dn, as the member loops
# below do) or escaping the RDN value (Net::LDAP::Util::escape_dn_value) avoids
# that.
my $modify = $ldap_master->modify ( "cn=$groupName,$config{groupsdn}",
# Only the group's own gidNumber is rewritten; nothing visible here updates
# users or files that reference the old gid (the man page text below tells
# the operator to fix file ownership by hand).
replace => [gidNumber => $tmp]
# A failed gid change is fatal (die); the member and mapping changes further
# down only warn and let the script continue.
$modify->code && die "failed to modify entry: ", $modify->error ;
# -n: rename the entry in place (moddn keeps it under $config{groupsdn}).
# NOTE(review): after the rename the later steps still address the entry as
# $groupName (read_group_entry($groupName), "cn=$groupName,...") unless a line
# outside this view reassigns $groupName = $newname; combining -n with
# -m/-x/-s/-r/-a/-t would then operate on the old, now non-existent DN.
if (defined($newname)) {
my $modify = $ldap_master->moddn (
"cn=$groupName,$config{groupsdn}",
# New RDN taken verbatim from -n; the same DN-escaping caveat as for
# $groupName applies to $newname.
newrdn => "cn=$newname",
newsuperior => "$config{groupsdn}"
$modify->code && die "failed to modify entry: ", $modify->error ;
if (defined($Options{'m'})) {
my $members = $Options{'m'};
# Split on bare commas with no whitespace trimming: "jdoe, jsmith" yields
# " jsmith", which the is_unix_user() lookup below will presumably not find.
my @members = split( /,/, $members );
# $member is not declared with `my` (the file apparently does not run under
# `use strict`), so it is a package global shared with the -x loop below.
foreach $member ( @members ) {
my $group_entry=read_group_entry($groupName);
# NOTE(review): this overwrites the configured groups *base* DN with the
# group's own full DN and never restores it.  Later code that rebuilds
# "cn=$groupName,$config{groupsdn}" (the mapping modify at the end) would
# then address "cn=X,cn=X,<base>", which does not exist -- unless a line
# outside this view restores the value.  A separate lexical (my $dn = ...)
# would avoid the side effect.
$config{groupsdn}=$group_entry->dn;
if (is_unix_user($member)) {
if (is_group_member($config{groupsdn},$member)) {
print "User $member already in the group\n";
print "adding user $member to group $groupName\n";
# $config{groupsdn} holds the group's own DN here (set just above), not the
# base DN its name suggests.
my $modify = $ldap_master->modify ($config{groupsdn},
add => [memberUid => $member]
$modify->code && warn "failed to add entry: ", $modify->error ;
print "User $member does not exist: create it first !\n";
if (defined($Options{'x'})) {
my $members = $Options{'x'};
my @members = split( /,/, $members );
foreach $member ( @members ) {
# NOTE(review): if $member is listed in memberUid but has no user entry,
# read_user_entry() presumably returns undef and the get_value() call on
# $user_entry below dies with "Can't call method ... on an undefined value"
# instead of a clean message.
my $user_entry=read_user_entry($member);
my $group_entry=read_group_entry($groupName);
# Same side effect as in the -m loop: the configured base DN is replaced by
# the group's full DN for the rest of the run.
$config{groupsdn}=$group_entry->dn;
if (is_group_member("$config{groupsdn}",$member)) {
# Refuse to drop a user from the group whose sambaSID is the user's
# sambaPrimaryGroupSID (see the message in the else branch); only secondary
# memberships can be removed with -x.
if ($group_entry->get_value('sambaSID') ne $user_entry->get_value('sambaPrimaryGroupSID')) {
print "deleting user $member from group $groupName\n";
my $modify = $ldap_master->modify ($config{groupsdn},
delete => [memberUid => $member]
$modify->code && warn "failed to delete entry: ", $modify->error ;
print "Cannot delete user ($member) from his primary group ($groupName)\n";
print "User $member is not in the group $groupName!\n";
# -s: an explicit SID.  This is a truthiness test, so a literal "0" counts
# as "not given" (harmless, it would fail the syntax check anyway).
if ($tmp= $Options{'s'}) {
# Shape check only (S-n-n-...-n).  It does not verify that the SID lies under
# this domain's $config{SID} nor that it is unused, although the man page
# text below requires both; a foreign or duplicate SID is accepted as is.
if ($tmp =~ /^S-(?:\d+-)+\d+$/) {
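# -s failed the SID syntax check above; say so in terms of the SID (the old
# text said "group-rid", which belongs to the -r branch further down).
print "$0: illegal group-sid $tmp\n";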
} elsif ($Options{'r'} || $Options{'a'}) {
if ($tmp= $Options{'r'}) {
if ($tmp =~ /^\d+$/) {
print "$0: illegal group-rid $tmp\n";
# algorithmic mapping
# Derive the rid from the posix gid with the classic algorithmic mapping
# rid = 2*gid + 1001 (documented in the man page text below); the SID is
# then $config{SID}-$group_rid.
$group_rid = 2*$gid+1001;
$group_sid = $config{SID}.'-'.$group_rid;
push(@mods, 'sambaSID' => $group_sid);
if ($tmp= $Options{'t'}) {
if (defined($group_type = &group_type_by_name($tmp))) {
push(@mods, 'sambaGroupType' => $group_type);
print "$0: unknown group type $tmp\n";
# No -t given: default the group type to 'domain' only when the entry has
# no sambaGroupType yet, leaving an existing type untouched.
if (! defined($group_entry->get_value('sambaGroupType'))) {
push(@mods, 'sambaGroupType' => group_type_by_name('domain'));
my @oc = $group_entry->get_value('objectClass');
# Add the sambaGroupMapping objectClass only if it is not already present
# (case-insensitive compare, since objectClass values are case-insensitive).
unless (grep($_ =~ /^sambaGroupMapping$/i, @oc)) {
push (@adds, 'objectClass' => 'sambaGroupMapping');
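# Address the entry by the DN that was actually read from the directory
# instead of rebuilding "cn=$groupName,$config{groupsdn}": the -m/-x loops
# above overwrite $config{groupsdn} with the group's full DN, so the rebuilt
# string had a doubled cn and this mapping update failed with "no such object"
# whenever member changes were combined with -s/-r/-a/-t.  For a plain run
# the DN is the same as before.  (After -n the DN is still the pre-rename
# one, exactly as before; that case is not changed here.)
my $modify = $ldap_master->modify ( $group_entry->dn,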
'replace' => [ @mods ]
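# This modify writes the Samba mapping attributes, so report it as a failed
# modification (the old text said "delete", a copy-paste leftover).  Note it
# only warns: the script carries on (and presumably exits 0) even when the
# mapping was not applied.
$modify->code && warn "failed to modify entry: ", $modify->error ;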
# Second probe/restart cycle after the directory changes, presumably so NSS
# consumers see the new gid/name/members immediately.  Constant command
# string again, nothing user-controlled reaches the shell.
$nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1";
if ($nscd_status == 0) {
system "/etc/init.d/nscd restart > /dev/null 2>&1";
# Release the master connection; the exit status is determined outside this view.
$ldap_master->unbind;
############################################################
smbldap-groupmod - Modify a group
smbldap-groupmod [-g gid [-o]] [-a] [-r rid] [-s sid] [-t group type]
[-n group_name ] [-m members(,)] [-x members (,)] group
The smbldap-groupmod command modifies the group's LDAP entry to
reflect the changes that are specified on the command line.
The options which apply to the smbldap-groupmod command are
-g gid The numerical value of the group's ID. This value must be
unique, unless the -o option is used. The value must be non-
negative. Any files for which the old group ID is the file
group ID must have the file group ID changed manually.
The name of the group will be changed from group to group_name.
The members to be added to the group in comma-delimited form.
The members to be removed from the group in comma-delimited form.
add an automatic Security ID for the group (SID).
The rid of the group is calculated from the gidNumber of the
group as rid=2*gidNumber+1001. Thus the resulting SID of the
group is $SID-$rid where $SID and $rid are the domain SID and
The SID must be unique and defined with the domain Security ID
($SID) like sid=$SID-rid where rid is the group rid. Note that only the syntactic form of the value is checked; neither its uniqueness nor that it actually belongs to $SID is verified.
The SID is then calculated as sid=$SID-rid where $SID is the
set the NT Group type for the new group. Available values are
2 (domain group), 4 (local group) and 5 (builtin group).
The default group type is 2 (domain group); it is applied only when the entry has no sambaGroupType yet.
smbldap-groupmod -g 253 development
This will change the GID of the 'development' group to '253'.
smbldap-groupmod -n Idiots Managers
This will change the name of the 'Managers' group to 'Idiots'.
smbldap-groupmod -m "jdoe,jsmith" "Domain Admins"
This will add 'jdoe' and 'jsmith' to the 'Domain Admins' group.
smbldap-groupmod -x "jdoe,jsmith" "Domain Admins"
This will remove 'jdoe' and 'jsmith' from the 'Domain Admins' group.