# $Id: smbldap-groupmod,v 1.12 2006/01/02 17:01:19 jtournier Exp $
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
# Copyright (C) 2001-2002 IDEALX
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# Purpose of smbldap-groupmod : group (posix) modification
use FindBin qw($RealBin);
# Parse the command line into %Options (Getopt::Std): a, o and ? are flags,
# g n m r s t x each take a value. $ok is false when an unknown option is seen.
my $ok = getopts('ag:n:m:or:s:t:x:?', \%Options);
if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) {
print "Usage: $0 [-a] [-g gid [-o]] [-n name] [-m members(,)] [-x members (,)] [-r rid] [-s sid] [-t type] groupname\n";
print " -a add automatic group mapping entry\n";
print " -g new gid\n";
print " -o gid is not unique\n";
print " -n new group name\n";
print " -m add members (comma delimited)\n";
print " -r group-rid\n";
print " -s group-sid\n";
print " -t group-type\n";
print " -x delete members (comma delimted)\n";
print " -? show this help message\n";
# Target group, taken verbatim from the command line. It is later interpolated
# into DNs ("cn=$groupName,$config{groupsdn}") without DN escaping, so a name
# containing RDN-special characters such as ',' or '+' builds a malformed DN.
my $groupName = $ARGV[0];
my $ldap_master=connect_ldap_master();
if (! ($group_entry = read_group_entry($groupName))) {
print "$0: group $groupName doesn't exist\n";
my $newname = $Options{'n'};
# Probe whether nscd is running. One-argument system() goes through the shell,
# but the command is a fixed literal so no user-supplied data reaches it.
# $nscd_status is the raw wait status; 0 means the init script exited 0.
my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1";
if ($nscd_status == 0) {
# Restart nscd (fixed command string, result deliberately ignored) —
# presumably so the getgrnam() lookup that follows is not served from a stale cache.
system "/etc/init.d/nscd restart > /dev/null 2>&1";
# Scalar-context getgrnam() returns the numeric gid, or undef when the name is
# unknown to NSS. Note this is an NSS lookup, not a read of the LDAP entry above.
my $gid = getgrnam($groupName);
unless (defined ($gid)) {
print "$0: group $groupName not found!\n";
# NOTE(review): /\d+/ is unanchored, so any -g value containing a digit
# (e.g. '12abc') passes this check and is later compared numerically and
# written to gidNumber. The -r check below uses the anchored /^\d+$/; the
# same form here would reject malformed gids before they reach the directory.
if (defined($tmp = $Options{'g'}) and $tmp =~ /\d+/) {
if (!defined($Options{'o'})) {
if (defined(getgrgid($tmp))) {
print "$0: gid $tmp exists\n";
if (!($gid == $tmp)) {
my $modify = $ldap_master->modify ( "cn=$groupName,$config{groupsdn}",
replace => [gidNumber => $tmp]
$modify->code && die "failed to modify entry: ", $modify->error ;
if (defined($newname)) {
my $modify = $ldap_master->moddn (
"cn=$groupName,$config{groupsdn}",
newrdn => "cn=$newname",
newsuperior => "$config{groupsdn}"
$modify->code && die "failed to modify entry: ", $modify->error ;
if (defined($Options{'m'})) {
my $members = $Options{'m'};
my @members = split( /,/, $members );
foreach $member ( @members ) {
my $group_entry=read_group_entry($groupName);
# NOTE(review): this overwrites the configured groups base DN with this
# group's full DN for the rest of the run. The later modify that builds
# "cn=$groupName,$config{groupsdn}" would then target a nested, nonexistent
# DN when -m is combined with -r/-s/-a/-t. A local variable would avoid the clobber.
$config{groupsdn}=$group_entry->dn;
if (is_unix_user($member) || is_nonldap_unix_user($member)) {
if (is_group_member($config{groupsdn},$member)) {
print "User $member already in the group\n";
print "adding user $member to group $groupName\n";
my $modify = $ldap_master->modify ($config{groupsdn},
add => [memberUid => $member]
$modify->code && warn "failed to add entry: ", $modify->error ;
print "User $member does not exist: create it first !\n";
if (defined($Options{'x'})) {
my $members = $Options{'x'};
my @members = split( /,/, $members );
foreach $member ( @members ) {
my $user_entry=read_user_entry($member);
my $group_entry=read_group_entry($groupName);
# NOTE(review): same clobber of the configured base DN as in the -m branch;
# the group DN should be kept in a local rather than stored back into %config.
$config{groupsdn}=$group_entry->dn;
if (is_group_member("$config{groupsdn}",$member)) {
if (defined $group_entry->get_value('sambaSID')) {
if ($group_entry->get_value('sambaSID') eq $user_entry->get_value('sambaPrimaryGroupSID')) {
print "Cannot delete user ($member) from his primary group ($groupName)\n";
print "deleting user $member from group $groupName\n";
my $modify = $ldap_master->modify ($config{groupsdn},
delete => [memberUid => $member]
$modify->code && warn "failed to delete entry: ", $modify->error ;
print "User $member is not in the group $groupName!\n";
if ($tmp= $Options{'s'}) {
if ($tmp =~ /^S-(?:\d+-)+\d+$/) {
print "$0: illegal group-rid $tmp\n";
} elsif ($Options{'r'} || $Options{'a'}) {
if ($tmp= $Options{'r'}) {
if ($tmp =~ /^\d+$/) {
print "$0: illegal group-rid $tmp\n";
# algorithmic mapping
# Derive the group RID from the gidNumber (the rid=2*gidNumber+1001 formula
# documented under -a in the POD below).
$group_rid = 2*$gid+1001;
# Full group SID: the domain SID from the configuration, '-' and the RID.
$group_sid = $config{SID}.'-'.$group_rid;
push(@mods, 'sambaSID' => $group_sid);
if ($tmp= $Options{'t'}) {
if (defined($group_type = &group_type_by_name($tmp))) {
push(@mods, 'sambaGroupType' => $group_type);
print "$0: unknown group type $tmp\n";
if (! defined($group_entry->get_value('sambaGroupType'))) {
push(@mods, 'sambaGroupType' => group_type_by_name('domain'));
my @oc = $group_entry->get_value('objectClass');
unless (grep($_ =~ /^sambaGroupMapping$/i, @oc)) {
push (@adds, 'objectClass' => 'sambaGroupMapping');
my $modify = $ldap_master->modify ( "cn=$groupName,$config{groupsdn}",
'replace' => [ @mods ]
# NOTE(review): the message says "delete" but this call performs a replace;
# the wording looks copy-pasted from the -x branch. Also only warns, whereas the
# gid and rename modifications above die on failure.
$modify->code && warn "failed to delete entry: ", $modify->error ;
$nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1";
if ($nscd_status == 0) {
system "/etc/init.d/nscd restart > /dev/null 2>&1";
# Close the connection to the LDAP master.
$ldap_master->unbind;
############################################################
smbldap-groupmod - Modify a group
smbldap-groupmod [-g gid [-o]] [-a] [-r rid] [-s sid] [-t group type]
[-n group_name ] [-m members(,)] [-x members (,)] group
The smbldap-groupmod command modifies the system account files to
reflect the changes that are specified on the command line.
The options which apply to the smbldap-groupmod command are
-g gid The numerical value of the group's ID. This value must be
unique, unless the -o option is used. The value must be non-
negative. Any files which the old group ID is the file
group ID must have the file group ID changed manually.
The name of the group will be changed from group to group_name.
The members to be added to the group in comma-delimited form.
The members to be removed from the group in comma-delimited form.
add an automatic Security ID for the group (SID).
The rid of the group is calculated from the gidNumber of the
group as rid=2*gidNumber+1001. Thus the resulting SID of the
group is $SID-$rid where $SID and $rid are the domain SID and
The SID must be unique and defined with the domain Security ID
($SID) like sid=$SID-rid where rid is the group rid.
The SID is then calculated as sid=$SID-rid where $SID is the
set the NT Group type for the new group. Available values are
2 (domain group), 4 (local group) and 5 (builtin group).
The default group type is 2.
smbldap-groupmod -g 253 development
This will change the GID of the 'development' group to '253'.
smbldap-groupmod -n Idiots Managers
This will change the name of the 'Managers' group to 'Idiots'.
smbldap-groupmod -m "jdoe,jsmith" "Domain Admins"
This will add 'jdoe' and 'jsmith' to the 'Domain Admins' group.
smbldap-groupmod -x "jdoe,jsmith" "Domain Admins"
This will remove 'jdoe' and 'jsmith' from the 'Domain Admins' group.