From c7aea5c7cf2600002d9bdbf6a5d6e281b78bae79 Mon Sep 17 00:00:00 2001
From: David Bartley
Date: Wed, 19 Dec 2007 21:51:20 -0500
Subject: [PATCH] Add sudo entry to ldap when creating clubs
---
 src/addclub.c | 6 ++++-
 src/config.c | 5 ++--
 src/config.h | 1 +
 src/ldap.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++
 src/ldap.h | 1 +
 5 files changed, 80 insertions(+), 3 deletions(-)
diff --git a/src/addclub.c b/src/addclub.c
index 626bfa8..257cebc 100644
--- a/src/addclub.c
+++ b/src/addclub.c
@@ -41,7 +41,7 @@ static void usage() {
 }
 int addclub() {
- int krb_ok, user_ok, group_ok, home_ok, quota_ok;
+ int krb_ok, user_ok, group_ok, sudo_ok, home_ok, quota_ok;
 int id;
 char homedir[1024];
@@ -78,6 +78,10 @@ int addclub() {
 if (!group_ok)
 logmsg("successfully created group for %s", userid);
+ sudo_ok = user_ok || ceo_add_group_sudo(userid, sudo_base);
+ if (!sudo_ok)
+ logmsg("successfully added group sudo entry for %s", userid);
+
 home_ok = user_ok || ceo_create_home(homedir, id, id);
 if (!home_ok)
 logmsg("successfully created home directory for %s", userid);
diff --git a/src/config.c b/src/config.c
index 93065d0..c4ba3a8 100644
--- a/src/config.c
+++ b/src/config.c
@@ -12,6 +12,7 @@
 char *server_url = DEF_STR;
 char *users_base = DEF_STR;
 char *groups_base = DEF_STR;
+char *sudo_base = DEF_STR;
 char *skeleton_dir = DEF_STR;
 char *quota_prototype = DEF_STR;
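Review bot: In the second addclub.c hunk, `sudo_ok = user_ok || ceo_add_group_sudo(userid, sudo_base);` is gated only on the user step, yet the entry ceo_add_group_sudo writes names the club group (its sudoUser is `%group`), so when the group step failed the sudo rule is still added and refers to a group that was never created. Judging from `if (!group_ok) logmsg("successfully created group ...")`, a nonzero flag means failure, so the guard should presumably read `sudo_ok = user_ok || group_ok || ceo_add_group_sudo(userid, sudo_base);`. How sudo_ok feeds the function's overall result, and whether an orphaned sudo entry is cleaned up when a later step fails, lies outside the hunk since addclub() continues past it.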
@@ -47,12 +48,12 @@ static char *strvarnames[] = {
 "server_url", "users_base", "admin_principal", "admin_keytab",
 "skeleton_dir", "quota_prototype", "member_home", "member_shell", "club_home", "club_shell",
 "realm", "admin_bind_userid", "admin_bind_keytab", "groups_base", "privileged_group", "notify_hook",
- "sasl_realm", "sasl_mech" };
+ "sasl_realm", "sasl_mech", "sudo_base" };
 static char **strvars[] = { &server_url, &users_base, &admin_principal, &admin_keytab,
 &skeleton_dir, "a_prototype, &member_home, &member_shell, &club_home, &club_shell,
 &realm, &admin_bind_userid, &admin_bind_keytab, &groups_base, &privileged_group, ¬ify_hook,
- &sasl_realm, &sasl_mech };
+ &sasl_realm, &sasl_mech, &sudo_base };
 static char *longvarnames[] = { "member_min_id", "member_max_id", "homedir_mode", "club_min_id", "club_max_id" };
diff --git a/src/config.h b/src/config.h
index c3d905e..bd7c20d 100644
--- a/src/config.h
+++ b/src/config.h
@@ -3,6 +3,7 @@
 extern char *server_url;
 extern char *users_base;
 extern char *groups_base;
+extern char *sudo_base;
 extern char *skeleton_dir;
 extern char *quota_prototype;
diff --git a/src/ldap.c b/src/ldap.c
index 244c2af..4e3786e 100644
--- a/src/ldap.c
+++ b/src/ldap.c
@@ -90,6 +90,76 @@ int ceo_add_group(char *cn, char *basedn, int no) {
 return ret;
 }
+int ceo_add_group_sudo(char *group, char *basedn) {
+ if (!group || !basedn)
+ fatal("addgroup: Invalid argument");
+
+ LDAPMod *mods[8];
+ int i = -1;
+ int ret = 0;
+
+ char cn[17];
+ snprintf(cn, sizeof(cn), "%%%s", group);
+
+ mods[++i] = xmalloc(sizeof(LDAPMod));
+ mods[i]->mod_op = LDAP_MOD_ADD;
+ mods[i]->mod_type = "objectClass";
+ char *objectClasses[] = { "top", "sudoRole", NULL };
+ mods[i]->mod_values = objectClasses;
+
+ mods[++i] = xmalloc(sizeof(LDAPMod));
+ mods[i]->mod_op = LDAP_MOD_ADD;
+ mods[i]->mod_type = "cn";
+ char *uids[] = { cn, NULL };
+ mods[i]->mod_values = uids;
+
+ mods[++i] = xmalloc(sizeof(LDAPMod));
+ mods[i]->mod_op = LDAP_MOD_ADD;
+ mods[i]->mod_type = "sudoUser";
+ char *sudouser[] = { cn, NULL };
+ mods[i]->mod_values = sudouser;
+
+ mods[++i] = xmalloc(sizeof(LDAPMod));
+ mods[i]->mod_op = LDAP_MOD_ADD;
+ mods[i]->mod_type = "sudoHost";
+ char *sudohost[] = { "ALL", NULL };
+ mods[i]->mod_values = sudohost;
+
+ mods[++i] = xmalloc(sizeof(LDAPMod));
+ mods[i]->mod_op = LDAP_MOD_ADD;
+ mods[i]->mod_type = "sudoCommand";
+ char *sudocommand[] = { "ALL", NULL };
+ mods[i]->mod_values = sudocommand;
+
+ mods[++i] = xmalloc(sizeof(LDAPMod));
+ mods[i]->mod_op = LDAP_MOD_ADD;
+ mods[i]->mod_type = "sudoOption";
+ char *sudooption[] = { "!authenticate", NULL };
+ mods[i]->mod_values = sudooption;
+
+ mods[++i] = xmalloc(sizeof(LDAPMod));
+ mods[i]->mod_op = LDAP_MOD_ADD;
+ mods[i]->mod_type = "sudoRunAs";
+ char *sudorunas[] = { group, NULL };
+ mods[i]->mod_values = sudorunas;
+
+ char dn[1024];
+ snprintf(dn, sizeof(dn), "cn=%%%s,%s", group, basedn);
+
+ mods[++i] = NULL;
+
+ if (ldap_add_s(ld, dn, mods) != LDAP_SUCCESS) {
+ ldap_err("addgroup");
+ ret = -1;
+ }
+
+ i = 0;
+ while (mods[i])
+ free(mods[i++]);
+
+ return ret;
+}
+
 int ceo_add_user(char *uid, char *basedn, char *objclass, char *cn, char *home, char *shell, int no, ...)
 {
 va_list args;
diff --git a/src/ldap.h b/src/ldap.h
index 46b192c..717d4bd 100644
--- a/src/ldap.h
+++ b/src/ldap.h
@@ -2,6 +2,7 @@ int ceo_add_user(char *, char *, char *, char *, char *, char *, int, ...);
 int ceo_add_group(char *, char *, int);
+int ceo_add_group_sudo(char *, char *);
 int ceo_new_uid(int, int);
 void ceo_ldap_init();
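Review bot: In the ldap.c hunk, `snprintf(cn, sizeof(cn), "%%%s", group)` writes into a 17-byte buffer and its return value is ignored, so any group name longer than 15 characters is silently truncated; the entry's cn and sudoUser would then name a different group than the `cn=%%%s,%s` dn built from the full name, and the rule would apply to whichever group happens to match the truncated string rather than failing. Both snprintf results should be checked and the function should refuse truncation, which is cheapest to do before any LDAPMod is allocated (the dn does not depend on mods, so it can be built up front). The `fatal("addgroup: ...")` and `ldap_err("addgroup")` strings are carried over from ceo_add_group and will misattribute failures in the log; `"addgroupsudo"` would identify the right caller. Since the entry grants sudoHost and sudoCommand `ALL` with `!authenticate` to every member of `%group` as sudoRunAs the club account, a header comment stating that intent would help later maintainers, e.g. `/* Add a sudoRole letting members of %group run any command as the club account without a password. */`.
```c
int ceo_add_group_sudo(char *group, char *basedn) {
    if (!group || !basedn)
        fatal("addgroupsudo: Invalid argument");

    /* … unchanged: mods, i, ret declarations … */

    /* Build cn and dn first and refuse truncation: a truncated cn/sudoUser
       would name a different group than the dn built from the full name. */
    char cn[17];
    int len = snprintf(cn, sizeof(cn), "%%%s", group);
    if (len < 0 || (size_t)len >= sizeof(cn))
        fatal("addgroupsudo: group name too long");

    char dn[1024];
    len = snprintf(dn, sizeof(dn), "cn=%%%s,%s", group, basedn);
    if (len < 0 || (size_t)len >= sizeof(dn))
        fatal("addgroupsudo: dn too long");

    /* … unchanged: the seven LDAPMod entries and the NULL terminator
       (the later dn snprintf is dropped, dn is already built) … */

    if (ldap_add_s(ld, dn, mods) != LDAP_SUCCESS) {
        ldap_err("addgroupsudo");
        ret = -1;
    }

    /* … unchanged: free loop and return … */
```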