# Populate a LDAP base for Samba-LDAP usage
# $Id: smbldap-populate,v 1.21 2005/02/13 14:10:39 jtournier Exp $
# This code was developed by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
# Copyright (C) 2001-2002 IDEALX
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# . Create an initial LDAP database suitable for Samba 2.2
# . For lazy people, replace ldapadd (with only an ldif parameter)
use FindBin qw($RealBin);
# objectclass of the suffix
# Maps the attribute type of the suffix's first RDN (e.g. "ou", "o") to the
# objectClass given to the base entry; looked up as $oc{$attr} once the
# suffix has been parsed further down.
"ou" => "organizationalUnit",
"o" => "organization",
# Parse the single-letter switches into %Options (letters followed by ':'
# take an argument).  On a parse error or -?, print the usage text.
my $ok = getopts('a:b:e:i:k:l:u:g:?', \%Options);
if ( (!$ok) || ($Options{'?'}) ) {
print "Usage: $0 [-abeiklug?] [ldif]\n";
print " -u uidNumber first uidNumber to allocate (default: 1000)\n";
# NOTE(review): the -g help line says "uidNumber" but the switch sets the
# first gidNumber (see the $firstgidNumber default below); wording only.
print " -g gidNumber first uidNumber to allocate (default: 1000)\n";
print " -a user administrator login name (default: Administrator)\n";
print " -b user guest login name (default: nobody)\n";
print " -k uidNumber administrator's uidNumber (default: 998)\n";
print " -l uidNumber guest's uidNumber (default: 999)\n";
print " -e file export ldif file\n";
print " -i file import ldif file\n";
print " -? show this help message\n";
# Scan /etc/samba/smb.conf for lines mentioning "workgroup" and collect the
# parameter/value pairs they hold (the caller reads $conf{workgroup} out of
# the returned hash).  Values are run through subst_configvar() first.
sub read_workgroup_from_sambaconf
my $smbconf="/etc/samba/smb.conf";
# NOTE(review): two-argument open on a bareword handle.  The path is a
# constant here, so no mode injection is possible, but the three-argument
# lexical form (open my $fh, '<', $smbconf) is the safer idiom.
open (CONFIGFILE, "$smbconf") || die "Unable to open $smbconf for reading !\n";
while (<CONFIGFILE>) {
## throw away comments
# Only lines containing "workgroup" (case-insensitive) survive this filter,
# so comments and every unrelated parameter are dropped together.
next if ( ! /workgroup/i );
## check for a param = value
my ($parameter,$value)=read_parameter($_);
$value = &subst_configvar($value, \%conf);
$conf{$parameter}=$value;
# Choose the sambaDomainName for the id-pool entry: take it from the
# sambaUnixIdPooldn setting in smbldap.conf when that DN starts with
# "sambaDomainName=", otherwise fall back to the workgroup from smb.conf.
if ($config{sambaUnixIdPooldn} and $config{sambaUnixIdPooldn} =~ /^sambaDomainName=([^,]*),(.*)/) {
print "Using workgroup name from sambaUnixIdPooldn (smbldap.conf): sambaDomainName=$sambaDomainName\n";
my %conf_smbconf=read_workgroup_from_sambaconf();
$sambaDomainName=$conf_smbconf{workgroup};
print "Using workgroup name from smb.conf: sambaDomainName=$sambaDomainName\n";
# The pool DN in smbldap.conf must agree with the domain name just derived;
# warn loudly and correct the in-memory value for the rest of this run.
if ($config{sambaUnixIdPooldn} ne "sambaDomainName=$sambaDomainName,$config{suffix}") {
print "-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n";
print "=> Warning: you must update smbldap.conf configuration file to :\n";
print "=> sambaUnixIdPooldn parameter must be set to \"sambaDomainName=$sambaDomainName,$config{suffix}\"\n";
print "-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n";
$config{sambaUnixIdPooldn}="sambaDomainName=$sambaDomainName,$config{suffix}";
# Resolve the command-line switches to working values, applying the
# defaults advertised in the usage text when a switch was not given.
# NOTE(review): the -u/-g/-k/-l values are not checked to be numeric; they
# are written verbatim into the uidNumber/gidNumber attributes below.
my $firstuidNumber=$Options{'u'};
if (!defined($firstuidNumber)) {
$firstuidNumber=1000;
my $firstgidNumber=$Options{'g'};
if (!defined($firstgidNumber)) {
$firstgidNumber=1000;
# -e: where the generated LDIF is written.
my $tmp_ldif_file=$Options{'e'};
if (!defined($tmp_ldif_file)) {
# NOTE(review): the fallback name is predictable (/tmp plus the PID) and is
# later created with open(">...") rather than an exclusive create, so an
# existing file or symlink of that name in the shared /tmp would be
# followed; a File::Temp handle in a private directory avoids that.
$tmp_ldif_file="/tmp/$$.ldif";
my $adminName = $Options{'a'};
if (!defined($adminName)) {
$adminName = "Administrator";
my $guestName = $Options{'b'};
if (!defined($guestName)) {
$guestName = "nobody";
my $adminUidNumber=$Options{'k'};
if (!defined($adminUidNumber)) {
$adminUidNumber = "998";
my $guestUidNumber=$Options{'l'};
if (!defined($guestUidNumber)) {
$guestUidNumber = "999";
# -i: an existing LDIF to import instead of generating one.
my $_ldifName = $Options{'i'};
# -e is read a second time here, with a different fallback ("base.ldif")
# than the one used for $tmp_ldif_file above.
my $exportFile = $Options{'e'};
if (!defined($exportFile)) {
$exportFile = "base.ldif";
# No -i given: generate the LDIF for the standard tree from smbldap.conf.
if (!defined($_ldifName)) {
print "Using builtin directory structure\n";
# Split the suffix's first RDN into attribute type and value so the base
# entry's objectClass can be picked from %oc (with a placeholder fallback).
if ($config{suffix} =~ m/([^=]+)=([^,]+)/) {
$objcl = $oc{$attr} if (exists $oc{$attr});
if (!defined($objcl)) {
$objcl = "myhardcodedobjectclass";
die "can't extract first attr and value from suffix $config{suffix}";
#print "$attr=$val\n";
# Pull the RDN values of the users/groups/computers/idmap/pool containers
# out of their DNs by stripping the trailing ",$config{suffix}".
# NOTE(review): $config{suffix} is interpolated into these patterns
# unescaped; a suffix containing regex metacharacters would not match as
# intended (\Q$config{suffix}\E makes the comparison literal).
my ($type,$ou_users,$ou_groups,$ou_computers,$ou_idmap,$cnsambaUnixIdPool);
($type,$ou_users)=($config{usersdn}=~/(.*)=(.*),$config{suffix}/);
($type,$ou_groups)=($config{groupsdn}=~/(.*)=(.*),$config{suffix}/);
($type,$ou_computers)=($config{computersdn}=~/(.*)=(.*),$config{suffix}/);
($type,$ou_idmap)=($config{idmapdn}=~/(.*)=(.*),$config{suffix}/);
($type,$cnsambaUnixIdPool)=($config{sambaUnixIdPooldn}=~/(.*)=(.*),$config{suffix}/);
# For a two-component "dc=X,dc=Y" suffix, derive an "o:" value and add the
# organization objectClass to the base entry.
my ($organisation,$ext) = ($config{suffix} =~ m/dc=(.*),dc=(.*)$/);
if ($organisation ne '') {
$org = "\nobjectclass: organization\no: $organisation";
# Assemble the LDIF text: base entry, container OUs, the sambaUnixIdPool
# entry (domain SID and first free uid/gid), then the administrator and
# guest accounts.  Lines inside the quoted strings are LDIF, not Perl.
# NOTE(review): $adminName and $guestName (-a/-b) are inserted into DNs and
# attribute values without any escaping.
my $entries="dn: $config{suffix}
objectClass: $objcl$org
objectClass: organizationalUnit
dn: $config{groupsdn}
objectClass: organizationalUnit
dn: $config{computersdn}
objectClass: organizationalUnit
objectClass: organizationalUnit
dn: $config{sambaUnixIdPooldn}
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: $sambaDomainName
sambaSID: $config{SID}
uidNumber: $firstuidNumber
gidNumber: $firstgidNumber
dn: uid=$adminName,$config{usersdn}
objectClass: inetOrgPerson
objectClass: sambaSAMAccount
objectClass: posixAccount
objectClass: shadowAccount
uidNumber: $adminUidNumber\n";
# homeDirectory: expand %U in userHome (first occurrence only) for the
# administrator, or point the account at /dev/null when none is configured.
if (defined $config{userHome} and $config{userHome} ne "") {
my $userHome=$config{userHome};
$userHome=~s/\%U/$adminName/;
$entries.="homeDirectory: $userHome\n";
$entries.="homeDirectory: /dev/null\n";
# Password-ageing attributes: never logged off, never kicked off, password
# never forced to change (2147483647 = max 32-bit time).
$entries.="sambaPwdLastSet: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdMustChange: 2147483647\n";
# Optional SMB home / home drive / profile for the administrator, each only
# when the corresponding smbldap.conf parameter is non-empty.
if (defined $config{userSmbHome} and $config{userSmbHome} ne "") {
my $userSmbHome=$config{userSmbHome};
$userSmbHome=~s/\%U/$adminName/;
$entries.="sambaHomePath: $userSmbHome\n";
if (defined $config{userHomeDrive} and $config{userHomeDrive} ne "") {
$entries.="sambaHomeDrive: $config{userHomeDrive}\n";
if (defined $config{userProfile} and $config{userProfile} ne "") {
my $userProfile=$config{userProfile};
$userProfile=~s/\%U/$adminName/;
$entries.="sambaProfilePath: $userProfile\\\n";
# NOTE(review): the administrator's profile path gets a trailing backslash
# while the guest's (below) does not; confirm which form is intended.
# Administrator: primary group is Domain Admins (RID 512).
$entries.="sambaPrimaryGroupSID: $config{SID}-512
sambaSID: $config{SID}-2996
loginShell: /bin/false
gecos: Netbios Domain Administrator
dn: uid=$guestName,$config{usersdn}
objectClass: inetOrgPerson
objectClass: sambaSAMAccount
objectClass: posixAccount
objectClass: shadowAccount
uidNumber: $guestUidNumber
homeDirectory: /dev/null
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdMustChange: 2147483647\n";
# Same optional SMB home / home drive / profile handling for the guest.
if (defined $config{userSmbHome} and $config{userSmbHome} ne "") {
my $userSmbHome=$config{userSmbHome};
$userSmbHome=~s/\%U/$guestName/;
$entries.="sambaHomePath: $userSmbHome\n";
if (defined $config{userHomeDrive} and $config{userHomeDrive} ne "") {
$entries.="sambaHomeDrive: $config{userHomeDrive}\n";
if (defined $config{userProfile} and $config{userProfile} ne "") {
my $userProfile=$config{userProfile};
$userProfile=~s/\%U/$guestName/;
$entries.="sambaProfilePath: $userProfile\n";
# Guest account tail (primary group Domain Guests, RID 514) followed by the
# group entries.  The guest gets "NO PASSWORD" hashes and sambaAcctFlags
# [NU ], i.e. a normal user account that requires no password.  Lines that
# begin with '#' inside this string are LDIF comments written to the output
# file (the well-known groups they describe are deliberately not created);
# they are not Perl comments.
$entries.="sambaPrimaryGroupSID: $config{SID}-514
sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [NU ]
sambaSID: $config{SID}-2998
loginShell: /bin/false
dn: cn=Domain Admins,$config{groupsdn}
objectClass: posixGroup
objectClass: sambaGroupMapping
memberUid: $adminName
description: Netbios Domain Administrators
sambaSID: $config{SID}-512
displayName: Domain Admins
dn: cn=Domain Users,$config{groupsdn}
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Netbios Domain Users
sambaSID: $config{SID}-513
displayName: Domain Users
dn: cn=Domain Guests,$config{groupsdn}
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Netbios Domain Guests Users
sambaSID: $config{SID}-514
displayName: Domain Guests
dn: cn=Domain Computers,$config{groupsdn}
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Netbios Domain Computers accounts
sambaSID: $config{SID}-515
displayName: Domain Computers
dn: cn=Administrators,$config{groupsdn}
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Netbios Domain Members can fully administer the computer/sambaDomainName
sambaSID: S-1-5-32-544
displayName: Administrators
#dn: cn=Users,$config{groupsdn}
#objectClass: posixGroup
#objectClass: sambaGroupMapping
#description: Netbios Domain Ordinary users
#sambaSID: S-1-5-32-545
#dn: cn=Guests,$config{groupsdn}
#objectClass: posixGroup
#objectClass: sambaGroupMapping
#memberUid: $guestName
#description: Netbios Domain Users granted guest access to the computer/sambaDomainName
#sambaSID: S-1-5-32-546
#dn: cn=Power Users,$config{groupsdn}
#objectClass: posixGroup
#objectClass: sambaGroupMapping
#description: Netbios Domain Members can share directories and printers
#sambaSID: S-1-5-32-547
#displayName: Power Users
#dn: cn=Account Operators,$config{groupsdn}
#objectClass: posixGroup
#objectClass: sambaGroupMapping
#cn: Account Operators
#description: Netbios Domain Users to manipulate users accounts
#sambaSID: S-1-5-32-548
#displayName: Account Operators
#dn: cn=System Operators,$config{groupsdn}
#objectClass: posixGroup
#objectClass: sambaGroupMapping
#cn: System Operators
#description: Netbios Domain System Operators
#sambaSID: S-1-5-32-549
#displayName: System Operators
dn: cn=Print Operators,$config{groupsdn}
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Netbios Domain Print Operators
sambaSID: S-1-5-32-550
displayName: Print Operators
dn: cn=Backup Operators,$config{groupsdn}
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Netbios Domain Members can bypass file security to back up files
sambaSID: S-1-5-32-551
displayName: Backup Operators
dn: cn=Replicators,$config{groupsdn}
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Netbios Domain Supports file replication in a sambaDomainName
sambaSID: S-1-5-32-552
displayName: Replicators
open (FILE, ">$tmp_ldif_file") || die "Can't open file $tmp_ldif_file: $!\n"; # NOTE(review): 2-arg open on a user-supplied name (-e); prefer open(my $fh, '>', $tmp_ldif_file)
# -i given: import the supplied file instead of a generated one.
$tmp_ldif_file=$_ldifName;
# Import phase: unless -e asked for an export only, read the LDIF back
# (generated above or supplied with -i) and push each entry to the master.
if (!defined $Options{'e'}) {
my $ldap_master=connect_ldap_master();
# Errors in the LDIF are not fatal here; they are picked up through
# error()/error_lines() below and reported per record.
my $ldif = Net::LDAP::LDIF->new($tmp_ldif_file, "r", onerror => 'undef' );
while ( not $ldif->eof() ) {
my $entry = $ldif->read_entry();
if ( $ldif->error() ) {
print "Error msg: ",$ldif->error(),"\n";
print "Error lines:\n",$ldif->error_lines(),"\n";
# we first check if the entry exist
# Look the entry's DN up on the server; a hit means it already exists.
my $mesg = $ldap_master->search (
filter => "objectclass=*"
print "entry $dn already exist. ";
# Only the id-pool entry is refreshed in place: every attribute present in
# the LDIF record replaces the stored value.  Other existing entries are
# reported and left as they are.
if ($dn eq $config{sambaUnixIdPooldn}) {
print "Updating it...\n";
foreach my $attr_tmp ($entry->attributes) {
push(@mods,$attr_tmp=>[$entry->get_value("$attr_tmp")]);
my $modify = $ldap_master->modify ( "$dn",
'replace' => { @mods },
$modify->code && warn "failed to modify entry: ", $modify->error ;
# Entry not found: add it as-is.  Failures are warned about, not fatal.
print "adding new entry: $dn\n";
my $result=$ldap_master->add($entry);
$result->code && warn "failed to add entry: ", $result->error ;
$ldap_master->unbind;
# Remove the generated file unless the user supplied it with -i.
if (!defined $Options{'i'}) {
# NOTE(review): the path may come from -e and is handed to the shell here;
# unlink($tmp_ldif_file) removes it without any shell interpretation.
system "rm -f $tmp_ldif_file";
print "exported ldif file: $tmp_ldif_file\n";
########################################
smbldap-populate - Populate your LDAP database
smbldap-populate [ldif-file]
The smbldap-populate command helps to populate an LDAP server by adding the necessary entries: the base suffix (it does not abort if this already exists), organizational units for users, groups and computers, the builtin users Administrator and guest, and the builtin groups (posixAccount only, no SambaTNG support).
Your local administrator login name (default: Administrator)
Your local guest login name (default: nobody)
import an ldif file (Options -a and -b will be ignored)
/usr/lib/perl5/site-perl/smbldap_conf.pm : Global parameters.