Sisyphus repository
Last update: 1 october 2023 | SRPMs: 18631 | Visits: 37837920
en ru br
ALT Linux repos
S:0.9.5-alt1
5.0: 0.4-alt3.1
4.1: 0.1-alt2.M41.4

Group :: Development/Other
RPM: ldap-user-tools

 Main   Changelog   Spec   Patches   Sources   Download   Gear   Bugs and FR  Repocop 

ldap-user-tools-0.9.1/000075500000000000000000000000001220711616200145475ustar00rootroot00000000000000ldap-user-tools-0.9.1/bin/000075500000000000000000000000001220711616200153175ustar00rootroot00000000000000ldap-user-tools-0.9.1/bin/mkntpasswd000075500000000000000000000003141220711616200174360ustar00rootroot00000000000000#!/bin/sh
if [ $# -ne 1 ]; then
	echo "Usage: mkntpwd <password>"
	exit 1
fi

# Render hash using perl
perl -MCrypt::SmbHash -e "ntlmgen \"\$ARGV[0]\", \$lm, \$nt; print \"\${lm}:\${nt}\n\";" $1 

exit 0
ldap-user-tools-0.9.1/data/000075500000000000000000000000001220711616200154605ustar00rootroot00000000000000ldap-user-tools-0.9.1/data/slapd-template.conf000064400000000000000000000020161220711616200212420ustar00rootroot00000000000000database hdb
suffix "dc=template"
rootdn "cn=ldaproot,dc=template"
rootpw secret
directory /var/lib/ldap/bases/template

index objectClass eq
index uid eq
index cn eq
index  uidNumber          eq
index  gidNumber          eq

access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by anonymous auth
        by * none

access to attrs=krbPrincipalKey,krbPrincipalName,krbPwdPolicyReference,krbPasswordExpiration,krbLastPwdChange
	by dn.exact="cn=kdc,ou=kdcroot,dc=template" read 
	by dn.exact="cn=kadmin,ou=kdcroot,dc=template" write
	by * none

access to dn.subtree="ou=kdcroot,dc=template"
        by dn.exact="cn=kdc,ou=kdcroot,dc=template" write
        by dn.exact="cn=kadmin,ou=kdcroot,dc=template" write
	by anonymous read
        by * none

access to dn.subtree="cn=REALM,cn=kerberos,ou=kdcroot,dc=template"
        by dn.exact="cn=kdc,ou=kdcroot,dc=template" write
        by dn.exact="cn=kadmin,ou=kdcroot,dc=template" write
	by anonymous read
        by * none

access to *
        by * read
ldap-user-tools-0.9.1/hooks/000075500000000000000000000000001220711616200156725ustar00rootroot00000000000000ldap-user-tools-0.9.1/hooks/ldap-domain000064400000000000000000000014151220711616200200030ustar00rootroot00000000000000#!/bin/sh -f

# if we are not server 
[ -f /etc/sysconfig/system ] || exit 0

. /etc/sysconfig/system

[ "$SERVER_ROLE" = "master" ] || exit 0

. alterator-openldap-functions

olddomain="$1" ; shift
newdomain="$1" ; shift

create()
{
    local dn="$1" ; shift

    ldap-dn create "$dn"
}

rename()
{
    local old="${1#*.}" ; shift
    local new="${1#*.}" ; shift

    old="$(host_2_dn "$old")"
    new="$(host_2_dn "$new")"

#    if [ -z "$(ldap-dn find "$old")" ] ;then
        create "$new"
#    else
#        ldap-dn rename "$old" "$new"
#    fi  
}
rename "$olddomain" "$newdomain"

backend=/usr/lib/alterator/backend3/openldap
[ -f $backend ] && $backend &>/dev/null <<EOF
_message:begin
action:save
local_and_tls:#t
_message:end
EOF
service slapd restart
chkconfig slapd on
ldap-user-tools-0.9.1/po/000075500000000000000000000000001220711616200151655ustar00rootroot00000000000000ldap-user-tools-0.9.1/po/Makefile000064400000000000000000000007541220711616200166330ustar00rootroot00000000000000all:
	for i in *.po; do \
		msgfmt "$$i" -o "$${i/.po/.mo}"; \
	done

install: all
	for i in *.mo; do \
		install -Dm0644 "$$i" $$DESTDIR/usr/share/locale/$${i/.mo/}/LC_MESSAGES/ldap-user-tools.mo; \
	done

ldap-user-tools.pot:
	cd ../scripts/; \
	xgettext -L Shell -kfatal -o ../po/ldap-user-tools.pot ldap-*

update: ldap-user-tools.pot
	for i in *.po; do \
		echo -n "$${i/.po/} "; \
		msgmerge "$$i" ldap-user-tools.pot -o temp.po && /bin/mv -f temp.po "$$i"; \
	done

clean:
	rm -f *.mo
ldap-user-tools-0.9.1/po/ldap-user-tools.pot000064400000000000000000000042451220711616200207500ustar00rootroot00000000000000# SOME DESCRIPTIVE TITLE.
# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
# This file is distributed under the same license as the PACKAGE package.
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2013-04-23 10:56+0400\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"Language: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=CHARSET\n"
"Content-Transfer-Encoding: 8bit\n"

#: ldap-dn:103 ldap-init:34
msgid "can't create tempfile"
msgstr ""

#: ldap-dn:138
msgid "can't remove old database dir"
msgstr ""

#: ldap-dn:163
msgid "basedn not set"
msgstr ""

#: ldap-dn:168 ldap-dn:172
msgid "object not set"
msgstr ""

#: ldap-getent:8 ldap-groupadd:11 ldap-groupdel:8 ldap-groupmod:8 ldap-init:8
#: ldap-passwd:9 ldap-useradd:9 ldap-userdel:9 ldap-usermod:8
msgid "DN_CONF not set"
msgstr ""

#: ldap-groupadd:85
msgid "not free gid available"
msgstr ""

#: ldap-groupdel:10 ldap-passwd:11 ldap-userdel:13
msgid "more arguments required. See --help for details"
msgstr ""

#: ldap-groupdel:38
msgid "cannot remove user primary group"
msgstr ""

#: ldap-groupmod:20
msgid "user list is empty"
msgstr ""

#: ldap-groupmod:66
msgid "group name is missing"
msgstr ""

#: ldap-passwd:49
msgid "No password given"
msgstr ""

#: ldap-passwd:60
msgid "unable to set password in Kerberos. Check krb5kdc service is running."
msgstr ""

#: ldap-useradd:105
msgid ""
"only small latin letters, digits, dot, '-' and '_' are allowed in username"
msgstr ""

#: ldap-useradd:108
msgid "user with same name already exists"
msgstr ""

#: ldap-useradd:115
msgid "not free uid available"
msgstr ""

#: ldap-useradd:119
msgid "same name in group database already exists"
msgstr ""

#: ldap-useradd:172
msgid "unable to create user in Kerberos. Check krb5kdc service is running."
msgstr ""

#: ldap-userdel:68
msgid "unable to delete user from Kerberos. Check krb5kdc service is running."
msgstr ""

#: ldap-usermod:20
msgid "user name is required"
msgstr ""

#: ldap-usermod:27
msgid "primary group name is missing"
msgstr ""
ldap-user-tools-0.9.1/po/ru.po000064400000000000000000000074261220711616200161640ustar00rootroot00000000000000# Copyright (C) 2013 Andrey Cherepanov <cas@altlinux.ru>
# This file is distributed under the same license as the package ldap-user-tools.
#
# Andrey Cherepanov <cas@altlinux.ru>, 2013.
msgid ""
msgstr ""
"Project-Id-Version: \n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2013-04-23 10:56+0400\n"
"PO-Revision-Date: 2013-04-22 17:22+0400\n"
"Last-Translator: Andrey Cherepanov <cas@altlinux.ru>\n"
"Language-Team: Russian <ru@li.org>\n"
"Language: ru\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n"
"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
"X-Generator: Lokalize 1.4\n"

#: ldap-dn:103 ldap-init:34
msgid "can't create tempfile"
msgstr "Не удалось создать временный файл"

#: ldap-dn:138
msgid "can't remove old database dir"
msgstr "Не удалось удалить каталог с базой данных"

#: ldap-dn:163
msgid "basedn not set"
msgstr "Параметр basedn не установлен"

#: ldap-dn:168 ldap-dn:172
msgid "object not set"
msgstr "Объект не указан"

#: ldap-getent:8 ldap-groupadd:11 ldap-groupdel:8 ldap-groupmod:8 ldap-init:8
#: ldap-passwd:9 ldap-useradd:9 ldap-userdel:9 ldap-usermod:8
msgid "DN_CONF not set"
msgstr "Переменная DN_CONF не задана"

#: ldap-groupadd:85
msgid "not free gid available"
msgstr "Нет свободных идентификаторов gid"

#: ldap-groupdel:10 ldap-passwd:11 ldap-userdel:13
msgid "more arguments required. See --help for details"
msgstr "Не указаны параметры. Запустите программу с --help."

#: ldap-groupdel:38
msgid "cannot remove user primary group"
msgstr "Не удалось удалить основную группу пользователя"

#: ldap-groupmod:20
msgid "user list is empty"
msgstr "Список пользователей пуст"

#: ldap-groupmod:66
msgid "group name is missing"
msgstr "Не указано имя группы"

#: ldap-passwd:49
msgid "No password given"
msgstr "Пароль не указан"

#: ldap-passwd:60
msgid "unable to set password in Kerberos. Check krb5kdc service is running."
msgstr ""
"Не удалось сохранить пароль в Kerberos. Проверьте, запущена ли служба "
"krb5kdc."

#: ldap-useradd:105
msgid ""
"only small latin letters, digits, dot, '-' and '_' are allowed in username"
msgstr ""
"В имени пользователя допустимы только маленькие латинские символы, цифры, "
"точка, '-' и '_'"

#: ldap-useradd:108
msgid "user with same name already exists"
msgstr "Пользователь с таким именем уже существует"

#: ldap-useradd:115
msgid "not free uid available"
msgstr "Нет свободных идентификаторов uid"

#: ldap-useradd:119
msgid "same name in group database already exists"
msgstr "Группа с таким названием уже существует"

#: ldap-useradd:172
msgid "unable to create user in Kerberos. Check krb5kdc service is running."
msgstr ""
"Не удалось создать пользователя в Kerberos. Проверьте, запущена ли служба "
"krb5kdc."

#: ldap-userdel:68
msgid "unable to delete user from Kerberos. Check krb5kdc service is running."
msgstr ""
"Не удалось удалить пользователя из Kerberos. Проверьте, запущена ли служба "
"krb5kdc."

#: ldap-usermod:20
msgid "user name is required"
msgstr "Укажите имя пользователя"

#: ldap-usermod:27
msgid "primary group name is missing"
msgstr "Не указано имя основной группы"
ldap-user-tools-0.9.1/schema/000075500000000000000000000000001220711616200160075ustar00rootroot00000000000000ldap-user-tools-0.9.1/schema/kerberos.schema000064400000000000000000000600431220711616200210100ustar00rootroot00000000000000# Novell Kerberos Schema Definitions
# Novell Inc.
# 1800 South Novell Place
# Provo, UT 84606
#
# VeRsIoN=1.0
# CoPyRiGhT=(c) Copyright 2006, Novell, Inc.  All rights reserved
#
# OIDs:
#    joint-iso-ccitt(2)
#      country(16)
#        us(840)
#          organization(1)
#            Novell(113719)
#              applications(1)
#                kerberos(301)
#                 Kerberos Attribute Type(4) attr# version#
#                    specific attribute definitions
#                 Kerberos Attribute Syntax(5)
#                    specific syntax definitions
#                 Kerberos Object Class(6) class# version#
#                    specific class definitions
#
#    iso(1)
#      member-body(2)
#        United States(840)
#          mit (113554)
#            infosys(1)
#              ldap(4)
#                attributeTypes(1)
#                  Kerberos(6)

########################################################################


########################################################################
# 		      Attribute Type Definitions                       #
########################################################################

##### This is the principal name in the RFC 1964 specified format

attributetype ( 2.16.840.1.113719.1.301.4.1.1
                NAME 'krbPrincipalName'
                EQUALITY caseExactIA5Match
		SUBSTR caseExactSubstringsMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)

##### If there are multiple krbPrincipalName values for an entry, this
##### is the canonical principal name in the RFC 1964 specified
##### format.  (If this attribute does not exist, then all
##### krbPrincipalName values are treated as canonical.)

attributetype ( 1.2.840.113554.1.4.1.6.1
                NAME 'krbCanonicalName'
                EQUALITY caseExactIA5Match
                SUBSTR caseExactSubstringsMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
                SINGLE-VALUE)

##### This specifies the type of the principal, the types could be any of
##### the types mentioned in section 6.2 of RFC 4120

attributetype ( 2.16.840.1.113719.1.301.4.3.1
                NAME 'krbPrincipalType'
                EQUALITY integerMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
                SINGLE-VALUE)


##### This flag is used to find whether directory User Password has to be used
##### as kerberos password.
##### TRUE, if User Password is to be used as the kerberos password.
##### FALSE, if User Password and the kerberos password are different.

attributetype ( 2.16.840.1.113719.1.301.4.5.1
                NAME 'krbUPEnabled'
                DESC 'Boolean'
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
                SINGLE-VALUE)


##### The time at which the principal expires

attributetype ( 2.16.840.1.113719.1.301.4.6.1
                NAME 'krbPrincipalExpiration'
                EQUALITY generalizedTimeMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
                SINGLE-VALUE)


##### The krbTicketFlags attribute holds information about the kerberos flags for a principal
##### The values (0x00000001 - 0x00800000) are reserved for standards and 
##### values (0x01000000 - 0x80000000) can be used for proprietary extensions.
##### The flags and values as per RFC 4120 and MIT implementation are,
##### DISALLOW_POSTDATED	0x00000001
##### DISALLOW_FORWARDABLE	0x00000002
##### DISALLOW_TGT_BASED        0x00000004
##### DISALLOW_RENEWABLE        0x00000008
##### DISALLOW_PROXIABLE        0x00000010
##### DISALLOW_DUP_SKEY         0x00000020
##### DISALLOW_ALL_TIX          0x00000040
##### REQUIRES_PRE_AUTH         0x00000080
##### REQUIRES_HW_AUTH          0x00000100
##### REQUIRES_PWCHANGE         0x00000200
##### DISALLOW_SVR              0x00001000
##### PWCHANGE_SERVICE          0x00002000


attributetype ( 2.16.840.1.113719.1.301.4.8.1
                NAME 'krbTicketFlags'
                EQUALITY integerMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
                SINGLE-VALUE)


##### The maximum ticket lifetime for a principal in seconds

attributetype ( 2.16.840.1.113719.1.301.4.9.1
                NAME 'krbMaxTicketLife'
                EQUALITY integerMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
                SINGLE-VALUE)


##### Maximum renewable lifetime for a principal's ticket in seconds

attributetype ( 2.16.840.1.113719.1.301.4.10.1
                NAME 'krbMaxRenewableAge'
                EQUALITY integerMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
                SINGLE-VALUE)


##### Forward reference to the Realm object.
##### (FDN of the krbRealmContainer object).
##### Example:   cn=ACME.COM, cn=Kerberos, cn=Security

attributetype ( 2.16.840.1.113719.1.301.4.14.1
                NAME 'krbRealmReferences'
                EQUALITY distinguishedNameMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)


##### List of LDAP servers that kerberos servers can contact.
##### The attribute holds data in the ldap uri format,
##### Examples: acme.com#636, 164.164.164.164#1636, ldaps://acme.com:636
#####
##### The values of this attribute need to be updated, when
##### the LDAP servers listed here are renamed, moved or deleted.

attributetype ( 2.16.840.1.113719.1.301.4.15.1
                NAME 'krbLdapServers'
                EQUALITY caseIgnoreMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)


##### A set of forward references to the KDC Service objects.
##### (FDNs of the krbKdcService objects).
##### Example:   cn=kdc - server 1, ou=uvw, o=xyz

attributetype ( 2.16.840.1.113719.1.301.4.17.1
                NAME 'krbKdcServers'
                EQUALITY distinguishedNameMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)


##### A set of forward references to the Password Service objects.
##### (FDNs of the krbPwdService objects).
##### Example:   cn=kpasswdd - server 1, ou=uvw, o=xyz

attributetype ( 2.16.840.1.113719.1.301.4.18.1
                NAME 'krbPwdServers'
                EQUALITY distinguishedNameMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)


##### This attribute holds the Host Name or the ip address, 
##### transport protocol and ports of the kerberos service host
##### The format is host_name-or-ip_address#protocol#port
##### Protocol can be 0 or 1. 0 is for UDP. 1 is for TCP.

attributetype ( 2.16.840.1.113719.1.301.4.24.1
                NAME 'krbHostServer'
                EQUALITY caseExactIA5Match
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)


##### This attribute holds the scope for searching the principals
##### under krbSubTree attribute of krbRealmContainer
##### The value can either be 1 (ONE) or 2 (SUB_TREE).

attributetype ( 2.16.840.1.113719.1.301.4.25.1
                NAME 'krbSearchScope'
                EQUALITY integerMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
                SINGLE-VALUE)


##### FDNs pointing to Kerberos principals

attributetype ( 2.16.840.1.113719.1.301.4.26.1
                NAME 'krbPrincipalReferences'
                EQUALITY distinguishedNameMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)


##### This attribute specifies which attribute of the user objects  
##### be used as the principal name component for Kerberos.
##### The allowed values are cn, sn, uid, givenname, fullname.

attributetype ( 2.16.840.1.113719.1.301.4.28.1
                NAME 'krbPrincNamingAttr'
                EQUALITY caseIgnoreMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
                SINGLE-VALUE)


##### A set of forward references to the Administration Service objects.
##### (FDNs of the krbAdmService objects).
##### Example:   cn=kadmindd - server 1, ou=uvw, o=xyz

attributetype ( 2.16.840.1.113719.1.301.4.29.1
                NAME 'krbAdmServers'
                EQUALITY distinguishedNameMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)


##### Maximum lifetime of a principal's password

attributetype ( 2.16.840.1.113719.1.301.4.30.1
                NAME 'krbMaxPwdLife'
                EQUALITY integerMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 
                SINGLE-VALUE)


##### Minimum lifetime of a principal's password

attributetype ( 2.16.840.1.113719.1.301.4.31.1
                NAME 'krbMinPwdLife'
                EQUALITY integerMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 
                SINGLE-VALUE)


##### Minimum number of character clases allowed in a password

attributetype ( 2.16.840.1.113719.1.301.4.32.1
                NAME 'krbPwdMinDiffChars' 
                EQUALITY integerMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 
                SINGLE-VALUE)


##### Minimum length of the password

attributetype ( 2.16.840.1.113719.1.301.4.33.1
                NAME 'krbPwdMinLength' 
                EQUALITY integerMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 
                SINGLE-VALUE)


##### Number of previous versions of passwords that are stored

attributetype ( 2.16.840.1.113719.1.301.4.34.1
                NAME 'krbPwdHistoryLength' 
                EQUALITY integerMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 
                SINGLE-VALUE)


##### Number of consecutive pre-authentication failures before lockout

attributetype ( 1.3.6.1.4.1.5322.21.2.1
                NAME 'krbPwdMaxFailure' 
                EQUALITY integerMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
                SINGLE-VALUE)


##### Period after which bad preauthentication count will be reset

attributetype ( 1.3.6.1.4.1.5322.21.2.2
                NAME 'krbPwdFailureCountInterval' 
                EQUALITY integerMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
                SINGLE-VALUE)


##### Period in which lockout is enforced

attributetype ( 1.3.6.1.4.1.5322.21.2.3
                NAME 'krbPwdLockoutDuration' 
                EQUALITY integerMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
                SINGLE-VALUE)


##### Policy attribute flags

attributetype ( 1.2.840.113554.1.4.1.6.2
                NAME 'krbPwdAttributes'
                EQUALITY integerMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
                SINGLE-VALUE)


##### Policy maximum ticket lifetime

attributetype ( 1.2.840.113554.1.4.1.6.3
                NAME 'krbPwdMaxLife'
                EQUALITY integerMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
                SINGLE-VALUE)


##### Policy maximum ticket renewable lifetime

attributetype ( 1.2.840.113554.1.4.1.6.4
                NAME 'krbPwdMaxRenewableLife'
                EQUALITY integerMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
                SINGLE-VALUE)


##### Allowed enctype:salttype combinations for key changes

attributetype ( 1.2.840.113554.1.4.1.6.5
                NAME 'krbPwdAllowedKeysalts'
                EQUALITY caseIgnoreIA5Match
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
                SINGLE-VALUE)


##### FDN pointing to a Kerberos Password Policy object

attributetype ( 2.16.840.1.113719.1.301.4.36.1
                NAME 'krbPwdPolicyReference'
                EQUALITY distinguishedNameMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
                SINGLE-VALUE)


##### The time at which the principal's password expires

attributetype ( 2.16.840.1.113719.1.301.4.37.1
                NAME 'krbPasswordExpiration'
                EQUALITY generalizedTimeMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
                SINGLE-VALUE)


##### This attribute holds the principal's key (krbPrincipalKey) that is encrypted with
##### the master key (krbMKey). 
##### The attribute is ASN.1 encoded.
#####
##### The format of the value for this attribute is explained below,
##### KrbKeySet ::= SEQUENCE {
##### attribute-major-vno       [0] UInt16,
##### attribute-minor-vno       [1] UInt16,
##### kvno                      [2] UInt32,
##### mkvno                     [3] UInt32 OPTIONAL,
##### keys                      [4] SEQUENCE OF KrbKey,
##### ...
##### }
#####
##### KrbKey ::= SEQUENCE {
##### salt      [0] KrbSalt OPTIONAL,
##### key       [1] EncryptionKey,
##### s2kparams [2] OCTET STRING OPTIONAL,
##### ...
##### }
#####
##### KrbSalt ::= SEQUENCE {
##### type      [0] Int32,
##### salt      [1] OCTET STRING OPTIONAL
##### }
#####
##### EncryptionKey ::= SEQUENCE {
##### keytype   [0] Int32,
##### keyvalue  [1] OCTET STRING
##### }

attributetype ( 2.16.840.1.113719.1.301.4.39.1
                NAME 'krbPrincipalKey'
                EQUALITY octetStringMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)


##### FDN pointing to a Kerberos Ticket Policy object.

attributetype ( 2.16.840.1.113719.1.301.4.40.1
                NAME 'krbTicketPolicyReference'
                EQUALITY distinguishedNameMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
                SINGLE-VALUE)


##### Forward reference to an entry that starts sub-trees
##### where principals and other kerberos objects in the realm are configured.
##### Example:   ou=acme, ou=pq, o=xyz

attributetype ( 2.16.840.1.113719.1.301.4.41.1
                NAME 'krbSubTrees'
                EQUALITY distinguishedNameMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)


##### Holds the default encryption/salt type combinations of principals for
##### the Realm. Stores in the form of key:salt strings. This will be
##### subset of the supported encryption/salt types.
##### Example: des-cbc-crc:normal

attributetype ( 2.16.840.1.113719.1.301.4.42.1
                NAME 'krbDefaultEncSaltTypes'
                EQUALITY caseIgnoreMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)


##### Holds the supported encryption/salt type combinations of principals for
##### the Realm. Stores in the form of key:salt strings.
##### The supported encryption types are mentioned in RFC 3961
##### The supported salt types are,
##### NORMAL          
##### V4              
##### NOREALM         
##### ONLYREALM       
##### SPECIAL         
##### AFS3            
##### Example: des-cbc-crc:normal

attributetype ( 2.16.840.1.113719.1.301.4.43.1
                NAME 'krbSupportedEncSaltTypes'
                EQUALITY caseIgnoreMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)


##### This attribute holds the principal's old keys (krbPwdHistory) that is encrypted with
##### the kadmin/history key.
##### The attribute is ASN.1 encoded.
#####
##### The format of the value for this attribute is explained below,
##### KrbKeySet ::= SEQUENCE {
##### attribute-major-vno       [0] UInt16,
##### attribute-minor-vno       [1] UInt16,
##### kvno                      [2] UInt32,
##### mkvno                     [3] UInt32 OPTIONAL -- actually kadmin/history key,
##### keys                      [4] SEQUENCE OF KrbKey,
##### ...
##### }
#####
##### KrbKey ::= SEQUENCE {
##### salt      [0] KrbSalt OPTIONAL,
##### key       [1] EncryptionKey,
##### s2kparams [2] OCTET STRING OPTIONAL,
##### ...
##### }
#####
##### KrbSalt ::= SEQUENCE {
##### type      [0] Int32,
##### salt      [1] OCTET STRING OPTIONAL
##### }
#####
##### EncryptionKey ::= SEQUENCE {
##### keytype   [0] Int32,
##### keyvalue  [1] OCTET STRING
##### }

attributetype ( 2.16.840.1.113719.1.301.4.44.1
                NAME 'krbPwdHistory'
                EQUALITY octetStringMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)


##### The time at which the principal's password last password change happened.

attributetype ( 2.16.840.1.113719.1.301.4.45.1
                NAME 'krbLastPwdChange'
                EQUALITY generalizedTimeMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
                SINGLE-VALUE)

##### The time at which the principal was last administratively unlocked.

attributetype ( 1.3.6.1.4.1.5322.21.2.5
                NAME 'krbLastAdminUnlock'
                EQUALITY generalizedTimeMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
                SINGLE-VALUE)

##### This attribute holds the kerberos master key.
##### This can be used to encrypt principal keys. 
##### This attribute has to be secured in directory.
#####
##### This attribute is ASN.1 encoded.
##### The format of the value for this attribute is explained below,
##### KrbMKey ::= SEQUENCE {
##### kvno    [0] UInt32,
##### key     [1] MasterKey
##### }
#####
##### MasterKey ::= SEQUENCE {
##### keytype         [0] Int32,
##### keyvalue        [1] OCTET STRING
##### }


attributetype ( 2.16.840.1.113719.1.301.4.46.1
                NAME 'krbMKey'
                EQUALITY octetStringMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)


##### This stores the alternate principal names for the principal in the RFC 1964 specified format

attributetype ( 2.16.840.1.113719.1.301.4.47.1
                NAME 'krbPrincipalAliases'
                EQUALITY caseExactIA5Match
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)


##### The time at which the principal's last successful authentication happened.

attributetype ( 2.16.840.1.113719.1.301.4.48.1
                NAME 'krbLastSuccessfulAuth'
                EQUALITY generalizedTimeMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
                SINGLE-VALUE)


##### The time at which the principal's last failed authentication happened.

attributetype ( 2.16.840.1.113719.1.301.4.49.1
                NAME 'krbLastFailedAuth'
                EQUALITY generalizedTimeMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
                SINGLE-VALUE)


##### This attribute stores the number of failed authentication attempts
##### happened for the principal since the last successful authentication.

attributetype ( 2.16.840.1.113719.1.301.4.50.1
                NAME 'krbLoginFailedCount' 
                EQUALITY integerMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 
                SINGLE-VALUE)



##### This attribute holds the application specific data.

attributetype ( 2.16.840.1.113719.1.301.4.51.1
                NAME 'krbExtraData'
                EQUALITY octetStringMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)


##### This attributes holds references to the set of directory objects.
##### This stores the DNs of the directory objects to which the 
##### principal object belongs to.

attributetype ( 2.16.840.1.113719.1.301.4.52.1
                NAME 'krbObjectReferences'
                EQUALITY distinguishedNameMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)


##### This attribute holds references to a Container object where 
##### the additional principal objects and stand alone principal 
##### objects (krbPrincipal) can be created.

attributetype ( 2.16.840.1.113719.1.301.4.53.1
                NAME 'krbPrincContainerRef'
                EQUALITY distinguishedNameMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)

##### A list of services to which a service principal can delegate.
attributetype ( 1.3.6.1.4.1.5322.21.2.4
                NAME 'krbAllowedToDelegateTo'
                EQUALITY caseExactIA5Match
                SUBSTR caseExactSubstringsMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)

########################################################################
########################################################################
# 		        Object Class Definitions                       #
########################################################################

#### This is a kerberos container for all the realms in a tree.

objectclass ( 2.16.840.1.113719.1.301.6.1.1
                NAME 'krbContainer'
                SUP top
		STRUCTURAL
                MUST ( cn ) )


##### The krbRealmContainer is created per realm and holds realm specific data.

objectclass ( 2.16.840.1.113719.1.301.6.2.1
                NAME 'krbRealmContainer'
                SUP top
		STRUCTURAL
                MUST ( cn )
                MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSaltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr $ krbPwdPolicyReference $ krbPrincContainerRef ) )


##### An instance of a class derived from krbService is created per
##### kerberos authentication or administration server in an realm and holds
##### references to the realm objects. These references is used to further read
##### realm specific data to service AS/TGS requests. Additionally this object
##### contains some server specific data like pathnames and ports that the
##### server uses. This is the identity the kerberos server logs in with. A key
##### pair for the same is created and the kerberos server logs in with the same.
#####
##### krbKdcService, krbAdmService and krbPwdService derive from this class.

objectclass ( 2.16.840.1.113719.1.301.6.3.1
                NAME 'krbService'
                SUP top
                ABSTRACT
                MUST ( cn )
                MAY ( krbHostServer $ krbRealmReferences ) )


##### Representative object for the KDC server to bind into a LDAP directory
##### and have a connection to access Kerberos data with the required 
##### access rights.

objectclass ( 2.16.840.1.113719.1.301.6.4.1
                NAME 'krbKdcService'
                SUP krbService
		STRUCTURAL )


##### Representative object for the Kerberos Password server to bind into a LDAP directory
##### and have a connection to access Kerberos data with the required
##### access rights.

objectclass ( 2.16.840.1.113719.1.301.6.5.1
                NAME 'krbPwdService'
                SUP krbService
		STRUCTURAL )


###### The principal data auxiliary class. Holds principal information
###### and is used to store principal information for Person, Service objects.

objectclass ( 2.16.840.1.113719.1.301.6.8.1
                NAME 'krbPrincipalAux'
		SUP top
                AUXILIARY
                MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbLastAdminUnlock $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData $ krbAllowedToDelegateTo ) )


###### This class is used to create additional principals and stand alone principals.

objectclass ( 2.16.840.1.113719.1.301.6.9.1
                NAME 'krbPrincipal'
                SUP top
                MUST ( krbPrincipalName )
		MAY ( krbObjectReferences ) )


###### The principal references auxiliary class. Holds all principals referred
###### from a service

objectclass ( 2.16.840.1.113719.1.301.6.11.1
                NAME 'krbPrincRefAux'
                SUP top
                AUXILIARY
                MAY krbPrincipalReferences )


##### Representative object for the Kerberos Administration server to bind into a LDAP directory
##### and have a connection Id to access Kerberos data with the required access rights.

objectclass ( 2.16.840.1.113719.1.301.6.13.1
                NAME 'krbAdmService'
                SUP krbService 
		STRUCTURAL )


##### The krbPwdPolicy object is a template password policy that 
##### can be applied to principals when they are created. 
##### These policy attributes will be in effect, when the Kerberos
##### passwords are different from users' passwords (UP).

objectclass ( 2.16.840.1.113719.1.301.6.14.1
                NAME 'krbPwdPolicy' 
                SUP top
                MUST ( cn )
                MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdFailureCountInterval $ krbPwdLockoutDuration $ krbPwdAttributes $ krbPwdMaxLife $ krbPwdMaxRenewableLife $ krbPwdAllowedKeysalts ) )


##### The krbTicketPolicyAux holds Kerberos ticket policy attributes.
##### This class can be attached to a principal object or realm object.

objectclass ( 2.16.840.1.113719.1.301.6.16.1
                NAME 'krbTicketPolicyAux'
                SUP top
                AUXILIARY
                MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) )


##### The krbTicketPolicy object is an effective ticket policy that is associated with a realm or a principal

objectclass ( 2.16.840.1.113719.1.301.6.17.1
                NAME 'krbTicketPolicy'
                SUP top
                MUST ( cn ) )

ldap-user-tools-0.9.1/scripts/000075500000000000000000000000001220711616200162365ustar00rootroot00000000000000ldap-user-tools-0.9.1/scripts/ldap-dn000075500000000000000000000142421220711616200175060ustar00rootroot00000000000000#!/bin/sh -f

. alterator-openldap-functions


# find_dn dc=my,dc=domain,dc=com
# => /etc/openldap/slapd-my.domain.com.conf
# or
# find_dn
# => /etc/openldap/slapd-my1.domain.com.conf
# => /etc/openldap/slapd-my2.domain.com.conf
# => /etc/openldap/slapd-my1....
find_dn()
{
    local dn=
    [ "$#" -ge 1 ] && dn="$1" && shift

    for conf in $(read_slapd_conf include|egrep -i "slapd-[.a-z0-9_-]+\.conf[[:blank:]]*$") ;do
        if [ -z "$dn" ] ;then
            local suffix="$(read_config "$conf" suffix)"
            [ -z "$suffix" ] || echo "$suffix $conf"
        else
            read_config "$conf" suffix|egrep -qw "^$dn$" && { echo "$conf"; break; }
        fi
    done
}


# to_realm my.domain.ru
# => MY.DOMAIN.RU
to_realm()
{
    echo "$1"|tr '[[:lower:]]' '[[:upper:]]'
}

check_dn_name()
{
    # please fix regexp
    echo "$1"|egrep -qi "^dc=[a-z][a-z0-9_-]*(,dc=[a-z][a-z0-9_-]*)*$" ||
    fatal "$0: check_dn_name: invalid suffix dn '$name'" 
    
    [ -n "$(find_dn "$1")" ] && fatal "check_dn_name: basedn '$1' already exists"
}

create_dn()
{
    local dn="$1"
    local domain=$(dn_2_host "$dn")
    local realm="$(to_realm "$domain")"
    local basedir=${SLAPD_CONF%/*}	
    local template="$basedir/slapd-template.conf"
    local new_dn_conf="$basedir/slapd-$domain.conf"
    local passwd=$(pwgen -n 16 -1)

    #copy template into slapd-domain.conf
    cp "$template" "$new_dn_conf"
    chmod 640 "$new_dn_conf"
    chown root:ldap "$new_dn_conf"

    #fix dc=. base, password
    sed -i -e "s/dc=template/$dn/g" $new_dn_conf
    sed -i -e "s/template/$domain/g" $new_dn_conf
    sed -i -e "s/REALM/$realm/g" $new_dn_conf
    sed -i -e "s/secret/$passwd/g" $new_dn_conf

    echo "include $new_dn_conf" >>  "$SLAPD_CONF"

    export DN_CONF="$new_dn_conf"
    base_rootdn_rootpw
    ldap-init 

    /etc/init.d/slapd restart >/dev/null   
}

delete_dn()
{
    local dn="$1"
    local domain=$(dn_2_host "$dn")
    local basedir="${SLAPD_CONF%/*}"
    local dn_conf="$(find_dn "$dn")"
    [ -f "$dn_conf" ] || fatal "delete_dn: no such file '$dn_conf'" 
    local dn_base_file="$(read_config "$dn_conf" directory)"

    rm -f -- "$dn_conf"
    rm -rf -- "$dn_base_file"
    dn_conf="$(quote_sed_regexp $dn_conf)"
    sed -r -i -e "/^include[[:blank:]]+$dn_conf[[:blank:]]*$/ d" "$SLAPD_CONF"

    /etc/init.d/slapd restart >/dev/null 2>&1
}

rename_dn()
{
    local old="$1" ; shift
    local new="$1" ; shift
    local oldhost="$(dn_2_host "$old")"
    local newhost="$(dn_2_host "$new")"
    local databasedir=""
    local oldname=""
    local newname=""


    TMPFILE="$(mktemp -t "$oldhost.XXXXXXXXXX")" || fatal "can't create tempfile"
   
    #slapcating old database
    /etc/init.d/slapd stop && slapcat -b "$old" -l "$TMPFILE"
   
    #substitution dc=old to dc=new
    sed -r -i -e "s/$(quote_sed_regexp $old)/$(quote_sed_regexp $new)/g" "$TMPFILE"
    # changing 'dc: '
    oldname="$(quote_sed_regexp "$(echo "$oldhost"|cut -f1 -d'.')")"
    newname="$(quote_sed_regexp "$(echo "$newhost"|cut -f1 -d'.')")"
    sed -r -i -e "s/dc:[[:space:]]$oldname/dc: $newname/" "$TMPFILE"

    #substitution cn=OLDDOMAIN to cn=NEWDOMAIN (KDC)
    oldname="$(to_realm $oldhost)"
    newname="$(to_realm $newhost)"
    sed -r -i -e "s/cn=$oldname/cn=$newname/g" "$TMPFILE"
    #substitution @OLDDOMAIN to @NEWDOMAIN (KDC)
    sed -r -i -e "s/@$oldname/@$newname/g" "$TMPFILE"

    #substitution olddomain to newdomain
    sed -r -i -e "s/$oldhost/$newhost/g" "$TMPFILE"
   
    #fixing main slapd conf
    sed -r -i -e "s/^include[[:space:]]+$(quote_sed_regexp "/etc/openldap/slapd-$oldhost.conf")$/include $(quote_sed_regexp "/etc/openldap/slapd-$newhost.conf")/" "$MAIN_SLAPD_CONF"

    #moving old to new
    mv "/etc/openldap/slapd-$oldhost.conf" "/etc/openldap/slapd-$newhost.conf"
   
    #changing dc=old to dc=new
    sed -r -i -e "s/$(quote_sed_regexp $old)/$(quote_sed_regexp $new)/g" "/etc/openldap/slapd-$newhost.conf"
   
    #database dir with OLD directory value
    databasedir="$(read_config "/etc/openldap/slapd-$newhost.conf" directory)"
   
    #removing old database dir with database
    rm -rf "$databasedir" || fatal "can't remove old database dir"
   
    #changing directory value
    sed -r -i -e "s/^directory[[:space:]].+/directory $(quote_sed_regexp "/var/lib/ldap/bases/$newhost")/" "/etc/openldap/slapd-$newhost.conf" 
   
    #database dir with NEW directory value
    databasedir="$(read_config "/etc/openldap/slapd-$newhost.conf" directory)"
   
    #adding changed ldif
    mkdir -p "$databasedir"
    chmod 700 "$databasedir"
    slapadd -c -b "$new" -l "$TMPFILE"
    chown -R ldap:ldap "$databasedir"
   
    /etc/init.d/slapd start
    rm -f "$TMPFILE" >&2
}

action="$1" ; shift
[ $# -eq 1 ] && object="$1" && shift
[ $# -eq 2 ] && old="$1" && new="$2"

# Parse arguments
case $action in
    create)
        [ -z "$object" ] && fatal "basedn not set" 
        check_dn_name $object 
        create_dn $object
    ;;
    delete)
        [ -z "$object" ] && fatal "object not set" 
        delete_dn $object	
    ;;
    find)
        [ -z "$object" ] && fatal "object not set"
        find_dn "$object"
    ;;
    list)
        find_dn
    ;;
    master)
        master_conf="/etc/alterator/openldap/master.conf"
        if [ -n "$object" ] ;then
            cfile="$(find_dn "$object")"
            [ -z "$cfile" ] || ln -sf "$cfile" "$master_conf"
        else
            if [ -h "$master_conf" ] ;then
                cfile=$(readlink "$master_conf")
                [ -s "$cfile" ] && echo "$(read_config "$cfile" suffix) $cfile"
            fi
        fi
        ;; 
#    rename)
#        [ -z "$old" -o -z "$new" ] && fatal "old domain or new domain not set" 
#        rename_dn "$old" "$new"
#    ;;
    --version)
        get_ldap_version
        ;;
    -h|--help|*)
        cat <<EOF
Usage: 

    $0 <command> [<domain_dn>]

Available commands:

    list        show all locally configured domains
    create      create domain
    delete      delete domain
    find        show configuration file for domain
    master      set domain as master domain
    -h, --help  show this help
    --version   show version

EOF
#       echo "or"
#       echo "$0 rename dc=myold,dc=domain,dc=ru dc=mynew,dc=domain,dc=ru"
        ;;
    esac


ldap-user-tools-0.9.1/scripts/ldap-getent000075500000000000000000000042641220711616200203760ustar00rootroot00000000000000#!/bin/sh -e

. alterator-openldap-functions

# Read default configuration
set_ldap_config

[ -n "$DN_CONF" ] || fatal "DN_CONF not set"

if [ "$#" -eq 0 ]; then db="-h" # show usage information if no arguments
else db="$1"; shift; fi

key="*"
[ "$#" -gt 0 ] && {	key="$1"; shift; }

ldap_parse_reply()
{
		ruby -e '
require "ldap"
require "ldap/ldif"

defaultArgs = Array.new

case ARGV[0]
    when "group"
        defaultArgs = %w/cn userPassword gidNumber memberUid/
    when "passwd"
        defaultArgs = %w/uid userPassword uidNumber gidNumber gecos homeDirectory loginShell/
    when "ws"
        defaultArgs = %w/uid "" uidNumber/
end

ARGV.delete_at(0)

args = ARGV.empty? ? defaultArgs : ARGV.dup

LDAP::LDIF.parse_file "/dev/stdin" do |obj|
  reply = args.collect do |f|
    (obj.attrs[f.downcase] || [""]) * ","
  end
  puts reply * ":"
end
' "$@"
}


ldap_search_groups()
{
	ldapsearch -LLL -b "ou=Group,$base" -x -H "ldap://${host:-127.0.0.1}" "(&(objectClass=posixGroup)(cn=$key))" |
		ldap_parse_reply group "$@" 2>/dev/null
}

ldap_search_users()
{
	ldapsearch -LLL -b "ou=People,$base" -x -H "ldap://${host:-127.0.0.1}" "(&(objectClass=posixAccount)(uid=$key))" |
		ldap_parse_reply passwd "$@" 2>/dev/null
}

ldap_search_workstations()
{
	section=$(ldapsearch -LLL -b "$base" -x -H "ldap://${host:-127.0.0.1}" "(&(objectClass=organizationalUnit)(ou=Computers))")
	if [ -n "$section" ]; then
	    ldapsearch -LLL -b "ou=Computers,$base" -x -H "ldap://${host:-127.0.0.1}" "(&(objectClass=posixAccount)(uid=$key))" |
		ldap_parse_reply ws "$@" 2>/dev/null
	fi
}

# Parse arguments
case "$db" in
	"group")
		ldap_search_groups "$@"
		;;
	"passwd")
		ldap_search_users "$@"
		;;
	"ws")
		ldap_search_workstations "$@"
		;;
    "--version")
        get_ldap_version
        ;;
    -h|--help|*)
        cat <<EOF
Usage: 

    $0 <command> [<objname>]

Available commands:

    group       show LDAP group properties or all groups if objname is '*' or is omitted
    passwd      show LDAP user properties or all users if objname is '*' or is omitted
    ws          show registered workstation or all workstations if objname is '*' or is omitted
    -h, --help  show this help
    --version   show version

EOF

esac
ldap-user-tools-0.9.1/scripts/ldap-groupadd000075500000000000000000000046101220711616200207100ustar00rootroot00000000000000#!/bin/sh -e

. alterator-openldap-functions

default_groups_hook="/etc/hooks/hostname.d/91-ldap-groups"
default_membership="/usr/lib/alterator/backend3/ldap-users"

# Read default configuration
set_ldap_config

[ -n "$DN_CONF" ] || fatal "DN_CONF not set"

if [ "$#" -eq 0 ]; then
	group="-h"
else
	group="$1" && shift
fi

gidin=
[ "$#" -eq 1 ] && gidin="$1" && shift

# Parse arguments
case "$group" in
    "--version")
        get_ldap_version
        exit
        ;;
    --default)
        # Set default groups from /etc/alterator/ldap-groups/group-init-list
        [ -x "$default_groups_hook" ] || fatal "no default groups hook in $default_groups_hook"
        echo "Create default groups..."
        $($default_groups_hook)

        # Add users to default groups
        [ -r "$default_membership" ] || exit
        echo "Add users to groups..."
        group_list="$(grep ^default_groups "$default_membership"|cut -f2 -d\")"
        echo "Groups for users: $group_list"

	# Fill all users list
	members="$(ldap-getent passwd '*' uid |tr '\n' ',')"
        members="${members%,}"

	# Add all users to specified groups
	for group in $group_list; do
            ldap-groupmod -m "$members" "$group" ||:
        done
        echo "Done."
        exit
        ;;
	-h|--help)
        cat <<EOF
Usage: 

    $0 <group> [<gid>]
    $0 --default

Arguments:

    group       LDAP group name
    gid         (optional) numeric GID
    --default	Creates all groups from
                /etc/alterator/ldap-groups/group-init-list
                and put users to groups
    -h, --help  show this help
    --version   show version

EOF
        exit
        ;;
esac

#check for name
ldap-getent group "$group" >/dev/null && fatal "group with name \"$group\" already exists"
if  [ -n "$gidin" ] && echo "$gidin" |egrep -q "^[0-9]+$" ;then
        [ -z "$(ldap-getent group '*' gidNumber | grep -w "$gidin" )" ] ||
        fatal "gid '$gidin' already in use"
        gid="$gidin"
else
#calculate gid
gid_avail="$(ldap-getent group| cut -f3 -d: |sort -unr|head -1)"

gid=$(( $gid_avail + 1 ))

[ "$gid" -le "$gid_max" ] || fatal "not free gid available"
[ "$gid" -lt "$gid_min" ] && gid="$gid_min"
fi

#edit ldap
ldapadd -a -D "$rootdn" $rootpw -x -H "ldap://${host:-127.0.0.1}" >/dev/null<<EOF
dn: cn=$group,ou=Group,$base
objectClass: posixGroup
objectClass: top
objectClass: extensibleObject
cn: $group
userPassword: {crypt}x
gidNumber: $gid
EOF
ldap-user-tools-0.9.1/scripts/ldap-groupdel000075500000000000000000000014121220711616200207210ustar00rootroot00000000000000#!/bin/sh -e

. alterator-openldap-functions

# Read default configuration
set_ldap_config

[ -n "$DN_CONF" ] || fatal "DN_CONF not set"

[ "$#" -ne 0 ] || fatal "more arguments required. See --help for details"
group="$1"; shift

# Parse arguments
case "$group" in
    "--version")
        get_ldap_version
        exit
        ;;
    -h|--help)
        cat <<EOF
Usage: 

    $0 <group>

Arguments:

    group       LDAP group name
    -h, --help  show this help
    --version   show version

EOF
        exit
        ;;
esac

gid="$(ldap-getent group "$group"|cut -f3 -d:)"

ldap-getent passwd| cut -f4 -d:|fgrep -xqs "$gid" && fatal "cannot remove user primary group"

ldapdelete -D "$rootdn" $rootpw -x -H "ldap://${host:-127.0.0.1}" "cn=$group,ou=Group,$base" > /dev/null
ldap-user-tools-0.9.1/scripts/ldap-groupmod000075500000000000000000000140171220711616200207410ustar00rootroot00000000000000#!/bin/sh -e

. alterator-openldap-functions

# Read default configuration
set_ldap_config

system_groups_file=/etc/group

[ -n "$DN_CONF" ] || fatal "DN_CONF not set"

if [ "$#" -ne 0 ]; then
	mod="$1"; shift
else
	mod="-h"
fi
userlist=
gid=
smb_group=

case $mod in
    -m|-x)
	[ "$#" -eq 0 ] && fatal "user list is empty"
	userlist="$1";shift
	;;
    -g)
	[ "$#" -eq 0 ] && fatal "gid number or system user name is missing"
	gid="$1";shift
	;;
    -s)
	if [ "$#" -gt 1 ]; then
		smb_group="$1";shift
	fi
	;;
    add|replace|del|-u) ;;
    *)
        echo "Unknown mode '$mod'"
        mod="-h"
        ;;
esac

# Parse arguments
case "$mod" in
    "--version")
        get_ldap_version
        exit
        ;;
    -h|--help)
        cat <<EOF
Usage: 

    $0 <mode> <group>
    $0 -m <userlist> <group>
    $0 -x <userlist> <group>
    $0 -g <gid> <group>
    $0 -s [<Samba-group>] <group>
    $0 -u <group>

Arguments:

    mode        'add'. 'replace' or 'del'.
                Pairs of '<name>:<value>' will be read from stdin.
    -m		Add specified users as group members
    -x		Remove specified users from group members
    -g		Set gid number (map LDAP group to system one)
    -s		Map LDAP group to Samba group
    -u		Remove Samba group which LDAP group mapped to
    <userlist>  One or more users separated by comma
    <gid>	The numerical value of the group ID or name of system group
    <Samba-group> Optional name of group in Samba. <group> is used by default.
    <group>     LDAP group name
    -h, --help  show this help
    --version   show version

EOF
        exit
        ;;
    -m)
	mod="add"
	;;
    -x)
	mod="del"
	;;
    -g)
	mod="replace"
	;;
esac

[ "$#" -eq 1 ] || fatal "group name is missing"
group="$1"; shift
[ -z "$(ldap-getent group "$group")" ] && fatal "group \"$group\" does not exist"
memberlist="$(ldap-getent group "$group" memberUid|tr ',' '|')"


#edit ldap
ldap_modify() {
ruby -e '
require "ldap"
require "ldap/ldif"

mod = LDAP::LDAP_MOD_REPLACE
case ARGV[0]
    when "add"
        mod = LDAP::LDAP_MOD_ADD
    when "del"
        mod = LDAP::LDAP_MOD_DELETE
end

ARGV.delete_at(0)

dn = ARGV[0]
attrs = {}
$stdin.each do |l|
  l.force_encoding("UTF-8") if l.respond_to? :force_encoding
  key, val = l.chomp.split(/:/, 2)
  attrs[key] ||= []
  attrs[key] << val unless val.empty?
end
puts LDAP::LDIF.mods_to_ldif(dn, *LDAP.hash2mods(mod, attrs))
' "$mod" "cn=$group,ou=Group,$base" |
	ldapmodify -D "$rootdn" $rootpw -x -H "ldap://${host:-127.0.0.1}" > /dev/null
}

# Get Samba mapped group for specified LDAP group
samba_mapped_group() {
    echo "$(net groupmap list | sed 's/^\(.*\) (S[0-9-]*) -> /\1\t/' | grep -P "\t${1}$" | cut -f1)"
}

# Get Samba mapped group SID for specified LDAP group
samba_mapped_sid() {
    echo "$(net groupmap list | sed 's/^\(.*\) (\(S[0-9-]*\)) -> /\2\t/' | grep -P "\t${1}$" | cut -f1)"
}

# Map to Samba group
samba_map() {
    local unix_group=$1; shift

    if [ $# -eq 0 -o -z "$1" ]; then
        # Generate Samba group name from LDAP group name
        samba_group="$(echo "$unix_group"|sed 's/^./\u&/')"
    else
        samba_group="$1"
    fi
    #echo "$unix_group -> $samba_group"

    [ "$(samba_mapped_group "$unix_group")" = "$samba_group" ] && exit

    # If mapping exists, remove mapping and group
    [ -n "$(samba_mapped_sid "$unix_group")" ] && samba_unmap "$unix_group"
    # Create new group in Samba (needs temporary create fake administrator account)
    admin_name="nt_domain_administrator"
    admin_password="$(pwqgen)"
    [ -z "$(ldap-getent passwd "$admin_name")" ] && ldap-useradd "$admin_name"
    ldap-passwd "$admin_name" "$admin_password"
    echo "uidNumber:0" | ldap-usermod replace "$admin_name"
    net rpc group add "$samba_group" -U$admin_name%"$admin_password" &>/dev/null ||:
    ldap-userdel -r "$admin_name"

    # Map LDAP group to Samba group
    net groupmap add unixgroup="$unix_group" ntgroup="$samba_group" &>/dev/null
}

# Remove mapping to Samba group and remove Samba group
samba_unmap() {
    local unix_group=$1; shift
    local samba_group="$(samba_mapped_group "$unix_group")"
    local samba_group_sid="$(samba_mapped_sid "$unix_group")"

    if [ -n "$samba_group_sid" ]; then
        # Unmap group
        net groupmap delete sid="$samba_group_sid" &>/dev/null

        # Remove Samba group (needs temporary create fake administrator account)
        admin_name="nt_domain_administrator"
        admin_password="$(pwqgen)"
        [ -z "$(ldap-getent passwd "$admin_name")" ] && ldap-useradd "$admin_name"
        ldap-passwd "$admin_name" "$admin_password"
        echo "uidNumber:0" | ldap-usermod replace "$admin_name"
        net rpc group delete "$samba_group" -U$admin_name%"$admin_password" &>/dev/null
        ldap-userdel -r "$admin_name"
    fi
}

# Bind and unbind LDAP and Samba groups
case "$mod" in
    -s)
        samba_map "$group" "$smb_group"
        exit
	    ;;
    -u)
	    samba_unmap "$group"
	    exit
	    ;;
esac

# Other operations
if [ -z "$userlist" -a -z "$gid" ]; then
	# Read values from stdin
	ldap_modify
else
	# Set group GID (-g option)
	if [ -n "$gid" ]; then
		if [ -z "$(echo $gid|egrep '^[0-9]+$')" ]; then
			# Possible system user name is defined, lookup in /etc/group
			gid=$(grep "^$gid:" $system_groups_file | cut -f3 -d:)
			test -z "$gid" && fatal "no such system group found"
		fi

        # Check that current gid is equal to the one being set
        [ "$gid" = "$(ldap-getent group "$group" gidNumber)" ] && exit

		# Set new GID for group
		echo "gidNumber:$gid" | ldap_modify
		exit
	fi

	# Read values from user list in -m or -x options
	actual=
	all_users="$(ldap-getent passwd '*' uid|tr ',' '|')"

	# Check existing user or member
	if [ "$mod" = "add" ]; then
		if [ -n "$memberlist" ]; then
			actual="$(echo "$userlist"|tr , '\n'|egrep -v "$memberlist"|egrep "$all_users")"
		else
			actual="$(echo "$userlist"|tr , '\n'|egrep "$all_users")"
		fi
	fi
	[ "$mod" = "del" ] && actual="$(echo "$userlist"|tr , '\n'|egrep "$memberlist")"

	# Do changes in old style
	[ -n "$actual" ] && echo "$actual" | tr , '\n' | sed -n 's/^./memberUid:&/p' | ldap_modify
fi
ldap-user-tools-0.9.1/scripts/ldap-init000075500000000000000000000027321220711616200200510ustar00rootroot00000000000000#!/bin/sh -e

. alterator-openldap-functions

# Read default configuration
set_ldap_config

[ -n "$DN_CONF" ] || fatal "DN_CONF not set"

args="$1"

# Parse arguments
case "$args" in
    "--version")
        get_ldap_version
        exit
        ;;
    -h|--help)
        cat <<EOF
Usage: 

    $0

Arguments:

    -h, --help  show this help
    --version   show version

EOF
        exit
        ;;
esac

TMPFILE="$(mktemp -t "ldap-db-init.XXXXXXXXXX")" || fatal "can't create tempfile"

set_cleanup_handler cleanup_function

cleanup_function()
{
	[ -z "$TMPFILE" ] ||
		rm -rf -- "$TMPFILE"
}

db_dir="$(read_config "$DN_CONF" directory)"

cat > "$TMPFILE" <<EOF
dn: $base
objectclass: organization
objectclass: dcObject
$(printf %s\\n "$base" | sed -r 's/^dc=([^[:blank:],]*).*$/dc: \1/')
$(printf %s\\n "$base" | sed -r 's/^.*dc=([^[:blank:],]*)/o: \1/')

dn: $rootdn
objectclass: organizationalRole
$(printf %s\\n "$rootdn" | sed -r 's/^cn=([^[:blank:],]*).*$/cn: \1/')

dn: ou=People,$base
objectClass: organizationalUnit
ou: People

dn: ou=Group,$base
objectClass: organizationalUnit
ou: Group

dn: ou=kdcroot,$base
objectClass: organizationalUnit
ou: kdcroot
EOF


#adding changed ldif
mkdir -p "$db_dir"
chmod 700 "$db_dir"

# copy default berkeley db config into $db_dir
# before initial slapadd
cp "/var/lib/ldap/bases/DB_CONFIG" "$db_dir"
chown root:ldap "$db_dir/DB_CONFIG"
chmod 640 "$db_dir/DB_CONFIG"

# initial slapadd
slapadd -b "$base" -l "$TMPFILE"
chown -R ldap:ldap "$db_dir"
ldap-user-tools-0.9.1/scripts/ldap-passwd000075500000000000000000000031071220711616200204040ustar00rootroot00000000000000#!/bin/sh -e

. alterator-kdc-princ-functions
. alterator-openldap-functions

# Read default configuration
set_ldap_config

[ -n "$DN_CONF" ] || fatal "DN_CONF not set"

[ "$#" -ne 0 -a "$#" -le 3 ] || fatal "more arguments required. See --help for details"
user="$1"; shift
pw="$1"

# Parse arguments
case "$user" in
    "--version")
        get_ldap_version
        exit
        ;;
    -h|--help)
        cat <<EOF
Usage: 

    $0 <user> [<new_passwd>]

Arguments:

    user        LDAP user name
    password    New password. If omitted password will be read from stdin.
    -h, --help  show this help
    --version   show version

EOF
        exit
        ;;
esac

# If password does not set in command line, read it from stdin
[ -z "$pw" ] && read -es pw

# setting ldap-password
samba_pw="$(mkntpasswd $pw)"
lm=${samba_pw%%:*}
nt=${samba_pw##*:}

lp="$(slappasswd -h '{CRYPT}' -c '$2a$05$%.24s' ${pw:+-s "$pw"})"

[ -n "$lp" ] || fatal "No password given"

# Check Kerberos is ready
if [ -n "$ENABLE_KRB" ]; then
    kdc_status=
	service krb5kdc status &>/dev/null || kdc_status="fail"

	# Change password in Kerberos database
    changepw "$user" "$pw" &>/dev/null || kdc_status="fail"

	# Error reaction
	[ "$kdc_status" = "fail" ] && fatal "unable to set password in Kerberos. Check krb5kdc service is running."
fi

#edit ldap
echo "dn: uid=$user,ou=People,$base
changetype: modify
replace: userPassword
userPassword:$lp
-
replace: sambaLMPassword
sambaLMPassword: $lm
-
replace: sambaNTPassword
sambaNTPassword: $nt" |
ldapmodify -D "$rootdn" $rootpw -x -H "ldap://${host:-127.0.0.1}" > /dev/null
ldap-user-tools-0.9.1/scripts/ldap-useradd000075500000000000000000000134331220711616200205350ustar00rootroot00000000000000#!/bin/sh -e

. alterator-kdc-princ-functions
. alterator-openldap-functions

# Read default configuration
set_ldap_config

[ -n "$DN_CONF" ] || fatal "DN_CONF not set"

Usage() 
{
    cat <<EOF
Usage: 

    $0 [-n <first_name>] [-f <surname>]
       [-c <common_name>]
       [-w] [-i]
       [-d <home_dir>] [-s <shell>] [-p <passwd>]
       [-G <group[,...]] <user>

Arguments:
    -n first_name  LDAP attribute givenName (first or given name)
    -f surname     LDAP attribute surname (surname of family name)
    -c common_name LDAP attribute commonName (surname first_name patronym)
    -w             is a Windows Workstation
    -i             is a trust account (Windows Workstation)
    -d home_dir	   new user home dir location (by default /home/<user>)
    -s shell       name of the user login shell (by default /bin/bash)
    -p passwd      password for new user
    -G group,...   a list of LDAP groups which the user is also a member of
    user        new user name in LDAP
    -h, --help  show this help
    --version   show version

EOF
    exit
}

[ "$#" -ne 0 ] || Usage

# Default values
first_name=
surname=
common_name=
is_workstation="no"
is_trusted="no"
home_dir=
shell="/bin/bash"
passwd=
groups=

# Parse arguments
export OPTERR=1
while getopts "hwi-:n:f:c:d:s:p:G:" c
do
    [ "$DEBUG" = "1" ] && echo "param: -$c '$OPTARG'" >&2
    case "$c" in
        n) first_name="$OPTARG";;
        f) surname="$OPTARG";;
    	c) common_name="$OPTARG";;
        w) is_workstation="yes";;
        i) is_trusted="yes";;
        d) home_dir="$OPTARG";;
    	s) shell="$OPTARG";;
    	p) passwd="$OPTARG";;
        G) groups="$OPTARG";;
        h) Usage;;
    	-) case "$OPTARG" in
	           help) Usage;;
		       version) get_ldap_version; exit;;
    		   *) fatal "Invalid option \"-$OPTARG\"";;
	       esac;;
    	\?) fatal "Invalid option \"$1\"";;
    esac
done

# Set user name
shift $(( OPTIND - 1 ))
user="$1"

# Fallback values
[ -z "$surname" ] && surname="$user"
[ -z "$common_name" ] && common_name="$user"
[ -z "$home_dir" ] && home_dir="/home/$user"

# Add $ to username if -i is passed and $ miss at the end
[ "$is_workstation" = "yes" -a "$is_trusted" = "yes" -a "${user#${user%?}}" != "$" ] && user="$user$"

[ "$DEBUG" = "1" ] && cat >&2 <<DEBUGOUT

user=$user
first_name=$first_name
surname=$surname
common_name=$common_name
is_workstation=$is_workstation
is_trusted=$is_trusted
home_dir=$home_dir
shell=$shell
passwd=$passwd
groups=$groups
DEBUGOUT

# Check for username has only lowercase latin letters, digits, dot and '_'
echo "$user" | egrep '^[a-z][\.a-z0-9_-]*\$?$' >/dev/null || fatal "only small latin letters, digits, dot, '-' and '_' are allowed in username"

#check for name
ldap-getent passwd "$user" > /dev/null && fatal "user with same name already exists"

#calculate uid
uid_avail="$((ldap-getent passwd;ldap-getent ws)| cut -f3 -d: |sort -unr|head -1)"

uid=$(( $uid_avail + 1 ))

[ "$uid" -le "$uid_max" ] || fatal "not free uid available"
[ "$uid" -lt "$uid_min" ] && uid="$uid_min"

#add group and calculate gid
ldap-getent group "$user" > /dev/null && fatal "same name in group database already exists"
ldap-groupadd "$user"
gid="$(ldap-getent group "$user"|cut -f3 -d:)"

# getting sid
get_sid > /dev/null
user_sid="$SID-$(($uid*2+1000))"

# Add workstation
if [ "$is_workstation" = "yes" ]; then

    # Create ou=Computers if it is not exist
    container="Computers"
    section=$(ldapsearch -LLL -b "$base" -x -H "ldap://${host:-127.0.0.1}" "(&(objectClass=organizationalUnit)(ou=$container))")
    if [ -z "$section" ] ;then
        ldapadd -a -D "$rootdn" $rootpw -x -H "ldap://${host:-127.0.0.1}" >/dev/null <<EOS
dn: ou=$container,$base
objectClass: organizationalUnit
ou: $container
EOS
    fi

    # fill content
    content="$(cat <<EOC
dn: uid=$user,ou=$container,$base
cn: $user
objectClass: top
objectClass: account
objectClass: posixAccount
uidNumber: $uid
gidNumber: $gid
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
EOC
)"
fi

# Add user
if [ "$is_workstation" != "yes" ] ;then

    # Check Kerberos is ready
    if [ -n "$ENABLE_KRB" ]; then
        kdc_status=
        service krb5kdc status &>/dev/null || kdc_status="fail"

	    # Add principal to Kerberos database
        addprinc "+requires_preauth $user" &>/dev/null || kdc_status="fail"

	    # Error reaction
        if [ "$kdc_status" = "fail" ]; then
            ldap-groupdel "$user" &>/dev/null ||:
	        fatal "unable to create user in Kerberos. Check krb5kdc service is running."
        fi
    fi
    #edit ldap
    content="$(cat <<EOF
dn: uid=$user,ou=People,$base
uid: $user
cn: $common_name
sn: $surname
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
loginShell: $shell
userPassword: {crypt}x
uidNumber: $uid
gidNumber: $gid
homeDirectory: $home_dir
sambaAcctFlags: [U          ]
sambaSID: $user_sid
sambaPwdLastSet: 2147483647
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 0
EOF
)"

    [ -n "$first_name" ] && content="${content}
GivenName: $first_name"
fi

[ "$DEBUG" = "1" ] && echo "$content" >&2

# Put record in LDAP database
echo "$content" | ldapadd -a -D "$rootdn" $rootpw -x -H "ldap://${host:-127.0.0.1}" >/dev/null

if [ "$is_workstation" != "yes" ] ;then
    # Additional action for ordinary user

    # Create user homedir
    su - "$user" -s /bin/true > /dev/null 2>&1

    # Set password if it is not empty
    [ -n "$passwd" ] && ldap-passwd "$user" "$passwd"

    # Join to supplementary LDAP groups
    export IFS=","
    for g in $groups
    do
	[ "$DEBUG" = "1" ] && echo "add group $g" >&2
        [ -n "$(ldap-getent group "$g")" ] &&
        printf 'memberUid:%s\n' "$user" | ldap-groupmod add "$g" > /dev/null
    done
fi
ldap-user-tools-0.9.1/scripts/ldap-userdel000075500000000000000000000035711220711616200205530ustar00rootroot00000000000000#!/bin/sh -e

. alterator-kdc-princ-functions
. alterator-openldap-functions

# Read default configuration
set_ldap_config

[ -n "$DN_CONF" ] || fatal "DN_CONF not set"

HOMEDEL=
is_workstation=
if [ "$#" -eq 0 ] ;then
    user="-h"
else
    user="$1"
    shift
fi

# Parse arguments
case "$user" in
    -r)
        user="$1"; shift
        HOMEDEL="$(ldap-getent passwd "$user" homeDirectory)"
        ;;
    -w)
        user="$1"; shift
        is_workstation=yes
        ;;
    "--version")
        get_ldap_version
        exit
        ;;
    -h|--help)
        cat <<EOF
Usage: 

    $0 [-r|-w] <user>

Arguments:

    -r          remove the user home directory and mail spool
    -w          remove workstation instead user
    user        LDAP user or workstation name
    -h, --help  show this help
    --version   show version

EOF
        exit
        ;;
esac

if [ "$is_workstation" = "yes" ]; then
    # Fix missing trailing $
    [ "${user#${user%?}}" != "$" ] && user="$user$"

    # Remove workstation record
    ldapdelete -D "$rootdn" $rootpw -x -H "ldap://${host:-127.0.0.1}" "uid=$user,ou=Computers,$base" > /dev/null ||:

    # Delete group
    ldap-groupdel "$user" >/dev/null
else
    # Remove home directory if necessary
    [ -n "$HOMEDEL" ] && rm -rf "$HOMEDEL" "/var/spool/mail/$user"

    # Delete from Kerberos database
    if [ -n "$ENABLE_KRB" ]; then
        kdc_status=
        service krb5kdc status &>/dev/null || kdc_status="fail"

        # Remove user from Kerberos database
        delprinc "$user" &>/dev/null || kdc_status="fail"

        # Error reaction
        [ "$kdc_status" = "fail" ] && fatal "unable to delete user from Kerberos. Check krb5kdc service is running."
    fi

    # Delete user
    ldapdelete -D "$rootdn" $rootpw -x -H "ldap://${host:-127.0.0.1}" "uid=$user,ou=People,$base" > /dev/null ||:

    # Delete group
    ldap-groupdel "$user" >/dev/null
fi
ldap-user-tools-0.9.1/scripts/ldap-usermod000075500000000000000000000033671220711616200205710ustar00rootroot00000000000000#!/bin/sh -e

. alterator-openldap-functions

# Read default configuration
set_ldap_config

[ -n "$DN_CONF" ] || fatal "DN_CONF not set"

primary=

if [ "$#" -lt 2 ]; then
	mod="-h"
else
	mod="$1"; shift
	if [ "$mod" = "-g" ]; then
		primary="$1"; shift
	fi
	user="$1"; shift
	[ -z "$user" ] && fatal "user name is required"
	[ -z "$(ldap-getent passwd "$user")" ] && fatal "user name \"$user\" is not exists"
fi

# Parse arguments
case "$mod" in
    -g)
        [ -z "$primary" ] && fatal "primary group name is missing"
        gid="$(ldap-getent group "$primary" gidNumber)"
        [ -z "$gid" ] && fatal "group name \"$primary\" not exists"
        echo "gidNumber:$gid" | ldap-usermod replace "$user"
        exit
        ;;
    "--version")
        get_ldap_version
        exit
        ;;
    -h|--help)
        cat <<EOF
Usage: 

    $0 <mode> <user>
    $0 -g <group> <user>

Arguments:

    mode        'add'. 'replace' or 'del'.
                Pairs of '<name>:<value>' will be read from stdin.
    user        LDAP user name
    -g <group>  Set primary <group> for user
    -h, --help  show this help
    --version   show version

EOF
        exit
        ;;
esac


#edit ldap
ruby -e '
require "ldap"
require "ldap/ldif"

mod = LDAP::LDAP_MOD_REPLACE
case ARGV[0]
    when "add"
        mod = LDAP::LDAP_MOD_ADD
    when "del"
        mod = LDAP::LDAP_MOD_DELETE
end

ARGV.delete_at(0)

dn = ARGV[0]
attrs = {}
$stdin.each do |l|
  l.force_encoding("UTF-8") if l.respond_to? :force_encoding
  key, val = l.chomp.split(/:/, 2)
  attrs[key] ||= []
  attrs[key] << val unless val.empty?
end
puts LDAP::LDIF.mods_to_ldif(dn, *LDAP.hash2mods(mod, attrs))
' "$mod" "uid=$user,ou=People,$base" |
	ldapmodify -D "$rootdn" $rootpw -x -H "ldap://${host:-127.0.0.1}" > /dev/null
 
design & coding: Vladimir Lettiev aka crux © 2004-2005, Andrew Avramenko aka liks © 2007-2008
current maintainer: Michael Shigorin