--- /dev/null
+#!/usr/bin/perl -w
+
+# $Id: smbldap-groupmod,v 1.10 2005/01/08 12:04:45 jtournier Exp $
+#
+# This code was developped by IDEALX (http://IDEALX.org/) and
+# contributors (their names can be found in the CONTRIBUTORS file).
+#
+# Copyright (C) 2001-2002 IDEALX
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+# USA.
+
+# Purpose of smbldap-groupmod : group (posix) modification
+
+
+use strict;
+use FindBin;
+use FindBin qw($RealBin);
+use lib "$RealBin/";
+use smbldap_tools;
+
+#####################
+
+use Getopt::Std;
+my %Options;
+
+my $ok = getopts('ag:n:m:or:s:t:x:?', \%Options);
+if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) {
+ print_banner;
+ print "Usage: $0 [-a] [-g gid [-o]] [-n name] [-m members(,)] [-x members (,)] [-r rid] [-s sid] [-t type] groupname\n";
+ print " -a add automatic group mapping entry\n";
+ print " -g new gid\n";
+ print " -o gid is not unique\n";
+ print " -n new group name\n";
+ print " -m add members (comma delimited)\n";
+ print " -r group-rid\n";
+ print " -s group-sid\n";
+ print " -t group-type\n";
+ print " -x delete members (comma delimted)\n";
+ print " -? show this help message\n";
+ exit (1);
+}
+
+my $groupName = $ARGV[0];
+my $group_entry;
+
+my $ldap_master=connect_ldap_master();
+
+if (! ($group_entry = read_group_entry($groupName))) {
+ print "$0: group $groupName doesn't exist\n";
+ exit (6);
+}
+
+my $newname = $Options{'n'};
+
+my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1";
+
+if ($nscd_status == 0) {
+ system "/etc/init.d/nscd restart > /dev/null 2>&1";
+}
+
+my $gid = getgrnam($groupName);
+unless (defined ($gid)) {
+ print "$0: group $groupName not found!\n";
+ exit(6);
+}
+
+my $tmp;
+if (defined($tmp = $Options{'g'}) and $tmp =~ /\d+/) {
+ if (!defined($Options{'o'})) {
+ if (defined(getgrgid($tmp))) {
+ print "$0: gid $tmp exists\n";
+ exit (6);
+ }
+ }
+ if (!($gid == $tmp)) {
+ my $modify = $ldap_master->modify ( "cn=$groupName,$config{groupsdn}",
+ changes => [
+ replace => [gidNumber => $tmp]
+ ]
+ );
+ $modify->code && die "failed to modify entry: ", $modify->error ;
+ }
+}
+
+
+if (defined($newname)) {
+ my $modify = $ldap_master->moddn (
+ "cn=$groupName,$config{groupsdn}",
+ newrdn => "cn=$newname",
+ deleteoldrdn => "1",
+ newsuperior => "$config{groupsdn}"
+ );
+ $modify->code && die "failed to modify entry: ", $modify->error ;
+ # take down session
+}
+
+# Add members
+if (defined($Options{'m'})) {
+ my $members = $Options{'m'};
+ my @members = split( /,/, $members );
+ my $member;
+ foreach $member ( @members ) {
+ my $group_entry=read_group_entry($groupName);
+ $config{groupsdn}=$group_entry->dn;
+ if (is_unix_user($member)) {
+ if (is_group_member($config{groupsdn},$member)) {
+ print "User $member already in the group\n";
+ } else {
+ print "adding user $member to group $groupName\n";
+ my $modify = $ldap_master->modify ($config{groupsdn},
+ changes => [
+ add => [memberUid => $member]
+ ]
+ );
+ $modify->code && warn "failed to add entry: ", $modify->error ;
+ }
+ } else {
+ print "User $member does not exist: create it first !\n";
+ }
+ }
+}
+
+# Delete members
+if (defined($Options{'x'})) {
+ my $members = $Options{'x'};
+ my @members = split( /,/, $members );
+ my $member;
+ foreach $member ( @members ) {
+ my $user_entry=read_user_entry($member);
+ my $group_entry=read_group_entry($groupName);
+ $config{groupsdn}=$group_entry->dn;
+ if (is_group_member("$config{groupsdn}",$member)) {
+ if ($group_entry->get_value('sambaSID') ne $user_entry->get_value('sambaPrimaryGroupSID')) {
+ print "deleting user $member from group $groupName\n";
+ my $modify = $ldap_master->modify ($config{groupsdn},
+ changes => [
+ delete => [memberUid => $member]
+ ]
+ );
+ $modify->code && warn "failed to delete entry: ", $modify->error ;
+ } else {
+ print "Cannot delete user ($member) from his primary group ($groupName)\n";
+ }
+ } else {
+ print "User $member is not in the group $groupName!\n";
+ }
+ }
+}
+
+my $group_sid;
+if ($tmp= $Options{'s'}) {
+ if ($tmp =~ /^S-(?:\d+-)+\d+$/) {
+ $group_sid = $tmp;
+ } else {
+ print "$0: illegal group-rid $tmp\n";
+ exit(7);
+ }
+} elsif ($Options{'r'} || $Options{'a'}) {
+ my $group_rid;
+ if ($tmp= $Options{'r'}) {
+ if ($tmp =~ /^\d+$/) {
+ $group_rid = $tmp;
+ } else {
+ print "$0: illegal group-rid $tmp\n";
+ exit(7);
+ }
+ } else {
+ # algorithmic mapping
+ $group_rid = 2*$gid+1001;
+ }
+ $group_sid = $config{SID}.'-'.$group_rid;
+}
+
+if ($group_sid) {
+ my @adds;
+ my @mods;
+ push(@mods, 'sambaSID' => $group_sid);
+
+ if ($tmp= $Options{'t'}) {
+ my $group_type;
+ if (defined($group_type = &group_type_by_name($tmp))) {
+ push(@mods, 'sambaGroupType' => $group_type);
+ } else {
+ print "$0: unknown group type $tmp\n";
+ exit(8);
+ }
+ } else {
+ if (! defined($group_entry->get_value('sambaGroupType'))) {
+ push(@mods, 'sambaGroupType' => group_type_by_name('domain'));
+ }
+ }
+
+ my @oc = $group_entry->get_value('objectClass');
+ unless (grep($_ =~ /^sambaGroupMapping$/i, @oc)) {
+ push (@adds, 'objectClass' => 'sambaGroupMapping');
+ }
+
+ my $modify = $ldap_master->modify ( "cn=$groupName,$config{groupsdn}",
+ changes => [
+ 'add' => [ @adds ],
+ 'replace' => [ @mods ]
+ ]
+ );
+ $modify->code && warn "failed to delete entry: ", $modify->error ;
+}
+
+$nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1";
+
+if ($nscd_status == 0) {
+ system "/etc/init.d/nscd restart > /dev/null 2>&1";
+}
+
+# take down session
+$ldap_master->unbind;
+
+exit (0);
+
+############################################################
+
+=head1 NAME
+
+smbldap-groupmod - Modify a group
+
+=head1 SYNOPSIS
+
+smbldap-groupmod [-g gid [-o]] [-a] [-r rid] [-s sid] [-t group type]
+ [-n group_name ] [-m members(,)] [-x members (,)] group
+
+=head1 DESCRIPTION
+
+The smbldap-groupmod command modifies the system account files to
+reflect the changes that are specified on the command line.
+The options which apply to the smbldap-groupmod command are
+
+-g gid The numerical value of the group's ID. This value must be
+ unique, unless the -o option is used. The value must be non-
+ negative. Any files which the old group ID is the file
+ group ID must have the file group ID changed manually.
+
+-n group_name
+ The name of the group will be changed from group to group_name.
+
+-m members
+ The members to be added to the group in comma-delimeted form.
+
+-x members
+ The members to be removed from the group in comma-delimted form.
+
+-a
+ add an automatic Security ID for the group (SID).
+ The rid of the group is calculated from the gidNumber of the
+ group as rid=2*gidNumber+1001. Thus the resulted SID of the
+ group is $SID-$rid where $SID and $rid are the domain SID and
+ the group rid
+
+-s sid
+ set the group SID.
+ The SID must be unique and defined with the domain Security ID
+ ($SID) like sid=$SID-rid where rid is the group rid.
+
+-r rid
+ set the group rid.
+ The SID is then calculated as sid=$SID-rid where $SID is the
+ domain Security ID.
+
+-t group type
+ set the NT Group type for the new group. Available values are
+ 2 (domain group), 4 (local group) and 5 (builtin group).
+ The default group type is 2.
+
+=head1 EXAMPLES
+
+smbldap-groupmod -g 253 development
+ This will change the GID of the 'development' group to '253'.
+
+smbldap-groupmod -n Idiots Managers
+ This will change the name of the 'Managers' group to 'Idiots'.
+
+smbldap-groupmod -m "jdoe,jsmith" "Domain Admins"
+ This will add 'jdoe' and 'jsmith' to the 'Domain Admins' group.
+
+smbldap-groupmod -x "jdoe,jsmith" "Domain Admins"
+ This will remove 'jdoe' and 'jsmith' from the 'Domain Admins' group.
+
+=head1 SEE ALSO
+
+ groupmod(1)
+
+=cut
+
+#'
projects / samba / blobdiff