Add sudo entry to ldap when creating clubs

15 years ago · c7aea5c7cf
parent a2a5e3771a
commit c7aea5c7cf
5 changed files with 80 additions and 3 deletions
--- a/src/addclub.c
+++ b/src/addclub.c
@ -41,7 +41,7 @@ static void usage() {
 }

 int addclub() {
-    int krb_ok, user_ok, group_ok, home_ok, quota_ok;
+    int krb_ok, user_ok, group_ok, sudo_ok, home_ok, quota_ok;
    int id;
    char homedir[1024];

@ -78,6 +78,10 @@ int addclub() {
    if (!group_ok)
        logmsg("successfully created group for %s", userid);

+    sudo_ok = user_ok || ceo_add_group_sudo(userid, sudo_base);
+    if (!sudo_ok)
+        logmsg("successfully added group sudo entry for %s", userid);
+
    home_ok = user_ok || ceo_create_home(homedir, id, id);
    if (!home_ok)
        logmsg("successfully created home directory for %s", userid);
--- a/src/config.c
+++ b/src/config.c
@ -12,6 +12,7 @@ char *server_url = DEF_STR;

 char *users_base = DEF_STR;
 char *groups_base = DEF_STR;
+char *sudo_base = DEF_STR;

 char *skeleton_dir = DEF_STR;
 char *quota_prototype = DEF_STR;
@ -47,12 +48,12 @@ static char *strvarnames[] = { "server_url", "users_base", "admin_principal",
    "admin_keytab", "skeleton_dir", "quota_prototype", "member_home",
    "member_shell", "club_home", "club_shell", "realm", "admin_bind_userid",
    "admin_bind_keytab", "groups_base", "privileged_group", "notify_hook",
-    "sasl_realm", "sasl_mech" };
+    "sasl_realm", "sasl_mech", "sudo_base" };
 static char **strvars[] = { &server_url, &users_base, &admin_principal,
    &admin_keytab, &skeleton_dir, &quota_prototype, &member_home,
    &member_shell, &club_home, &club_shell, &realm, &admin_bind_userid,
    &admin_bind_keytab, &groups_base, &privileged_group, &notify_hook,
-    &sasl_realm, &sasl_mech };
+    &sasl_realm, &sasl_mech, &sudo_base };

 static char *longvarnames[] = { "member_min_id", "member_max_id",
    "homedir_mode", "club_min_id", "club_max_id" };
--- a/src/config.h
+++ b/src/config.h
@ -3,6 +3,7 @@
 extern char *server_url;
 extern char *users_base;
 extern char *groups_base;
+extern char *sudo_base;

 extern char *skeleton_dir;
 extern char *quota_prototype;
--- a/src/ldap.c
+++ b/src/ldap.c
@ -90,6 +90,76 @@ int ceo_add_group(char *cn, char *basedn, int no) {
    return ret;
 }

+int ceo_add_group_sudo(char *group, char *basedn) {
+    if (!group || !basedn)
+        fatal("addgroup: Invalid argument");
+
+    LDAPMod *mods[8];
+    int i = -1;
+    int ret = 0;
+
+    char cn[17];
+    snprintf(cn, sizeof(cn), "%%%s", group);
+
+    mods[++i] = xmalloc(sizeof(LDAPMod));
+    mods[i]->mod_op = LDAP_MOD_ADD;
+    mods[i]->mod_type = "objectClass";
+    char *objectClasses[] = { "top", "sudoRole", NULL };
+    mods[i]->mod_values = objectClasses;
+
+    mods[++i] = xmalloc(sizeof(LDAPMod));
+    mods[i]->mod_op = LDAP_MOD_ADD;
+    mods[i]->mod_type = "cn";
+    char *uids[] = { cn, NULL };
+    mods[i]->mod_values = uids;
+
+    mods[++i] = xmalloc(sizeof(LDAPMod));
+    mods[i]->mod_op = LDAP_MOD_ADD;
+    mods[i]->mod_type = "sudoUser";
+    char *sudouser[] = { cn, NULL };
+    mods[i]->mod_values = sudouser;
+
+    mods[++i] = xmalloc(sizeof(LDAPMod));
+    mods[i]->mod_op = LDAP_MOD_ADD;
+    mods[i]->mod_type = "sudoHost";
+    char *sudohost[] = { "ALL", NULL };
+    mods[i]->mod_values = sudohost;
+
+    mods[++i] = xmalloc(sizeof(LDAPMod));
+    mods[i]->mod_op = LDAP_MOD_ADD;
+    mods[i]->mod_type = "sudoCommand";
+    char *sudocommand[] = { "ALL", NULL };
+    mods[i]->mod_values = sudocommand;
+
+    mods[++i] = xmalloc(sizeof(LDAPMod));
+    mods[i]->mod_op = LDAP_MOD_ADD;
+    mods[i]->mod_type = "sudoOption";
+    char *sudooption[] = { "!authenticate", NULL };
+    mods[i]->mod_values = sudooption;
+
+    mods[++i] = xmalloc(sizeof(LDAPMod));
+    mods[i]->mod_op = LDAP_MOD_ADD;
+    mods[i]->mod_type = "sudoRunAs";
+    char *sudorunas[] = { group, NULL };
+    mods[i]->mod_values = sudorunas;
+
+    char dn[1024];
+    snprintf(dn, sizeof(dn), "cn=%%%s,%s", group, basedn);
+
+    mods[++i] = NULL;
+
+    if (ldap_add_s(ld, dn, mods) != LDAP_SUCCESS) {
+        ldap_err("addgroup");
+        ret = -1;
+    }
+
+    i = 0;
+    while (mods[i])
+        free(mods[i++]);
+
+    return ret;
+}
+
 int ceo_add_user(char *uid, char *basedn, char *objclass, char *cn, char *home, char *shell, int no, ...) {
    va_list args;

--- a/src/ldap.h
+++ b/src/ldap.h
@ -2,6 +2,7 @@

 int ceo_add_user(char *, char *, char *, char *, char *, char *, int, ...);
 int ceo_add_group(char *, char *, int);
+int ceo_add_group_sudo(char *, char *);
 int ceo_new_uid(int, int);

 void ceo_ldap_init();