3 # $Id: smbldap-groupmod,v 1.10 2005/01/08 12:04:45 jtournier Exp $
5 # This code was developed by IDEALX (http://IDEALX.org/) and
6 # contributors (their names can be found in the CONTRIBUTORS file).
8 # Copyright (C) 2001-2002 IDEALX
10 # This program is free software; you can redistribute it and/or
11 # modify it under the terms of the GNU General Public License
12 # as published by the Free Software Foundation; either version 2
13 # of the License, or (at your option) any later version.
15 # This program is distributed in the hope that it will be useful,
16 # but WITHOUT ANY WARRANTY; without even the implied warranty of
17 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 # GNU General Public License for more details.
20 # You should have received a copy of the GNU General Public License
21 # along with this program; if not, write to the Free Software
22 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
25 # Purpose of smbldap-groupmod : group (posix) modification
30 use FindBin qw($RealBin);
# NOTE(review): this listing is incomplete -- the leading number on each line
# appears to be the original file's line number, and the gaps (strictures,
# the Getopt/smbldap_tools imports, %Options, most closing braces and the
# exit statements after error messages) are not visible here. The comments
# below describe only what is shown; behaviour in the gaps is not assumed.
#
# Parse the command-line switches into %Options. -a, -o and -? are flags;
# -g, -n, -m, -r, -s, -t and -x take a value. -o only matters together with -g.
39 my $ok = getopts('ag:n:m:or:s:t:x:?', \%Options);
# Print usage on a parse error, when no group name is given, or on -?.
40 if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) {
42 print "Usage: $0 [-a] [-g gid [-o]] [-n name] [-m members(,)] [-x members (,)] [-r rid] [-s sid] [-t type] groupname\n";
43 print " -a add automatic group mapping entry\n";
44 print " -g new gid\n";
45 print " -o gid is not unique\n";
46 print " -n new group name\n";
47 print " -m add members (comma delimited)\n";
48 print " -r group-rid\n";
49 print " -s group-sid\n";
50 print " -t group-type\n";
51 print " -x delete members (comma delimted)\n";
52 print " -? show this help message\n";
# The group name is taken verbatim from the command line. It is later
# interpolated into DNs as "cn=$groupName,..." without RFC 4514 escaping, so
# a name containing DN metacharacters (',', '+', '"', '\', '<', '>', ';')
# would address a different DN than intended. The LDAP lookup below is the
# only validation visible here.
56 my $groupName = $ARGV[0];
# Bind to the master (writable) server; everything below writes through it.
59 my $ldap_master=connect_ldap_master();
# Abort path when the group has no LDAP entry. Whatever follows the message
# (presumably an exit) is not visible in this listing.
61 if (! ($group_entry = read_group_entry($groupName))) {
62 print "$0: group $groupName doesn't exist\n";
66 my $newname = $Options{'n'};
# system() with a single string goes through the shell, but the command,
# its argument and the redirections are fixed literals, so no user-supplied
# data reaches it. $nscd_status is the raw wait status; 0 means the init
# script reported nscd as running.
68 my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1";
# Restart nscd so that the getgrnam()/getgrgid() calls below are not served
# from a stale cache -- presumably; the intent is not stated in the source.
70 if ($nscd_status == 0) {
71 system "/etc/init.d/nscd restart > /dev/null 2>&1";
# In scalar context getgrnam() returns the numeric gid (undef if NSS cannot
# resolve the name). This goes through NSS, not directly through LDAP, so
# it only sees the entry if the name service is configured for LDAP.
74 my $gid = getgrnam($groupName);
75 unless (defined ($gid)) {
76 print "$0: group $groupName not found!\n";
# -g: change gidNumber.
# NOTE(review): the regex /\d+/ is unanchored, so any value that merely
# contains a digit (e.g. "12abc" or "-5") passes and is then written to
# gidNumber as-is. The -r check further down uses /^\d+$/; this one should
# too.
81 if (defined($tmp = $Options{'g'}) and $tmp =~ /\d+/) {
# Without -o the new gid must not already be in use (checked via NSS).
82 if (!defined($Options{'o'})) {
83 if (defined(getgrgid($tmp))) {
84 print "$0: gid $tmp exists\n";
# Only touch the directory when the gid actually changes. Note the numeric
# comparison: a non-numeric $tmp (see the note above) compares as 0 here.
88 if (!($gid == $tmp)) {
89 my $modify = $ldap_master->modify ( "cn=$groupName,$config{groupsdn}",
91 replace => [gidNumber => $tmp]
# A failed gid change is fatal, unlike the member and SID updates below
# which only warn.
94 $modify->code && die "failed to modify entry: ", $modify->error ;
# -n: rename the entry by changing its RDN within the same container.
# NOTE(review): $newname is interpolated into the RDN unescaped (same
# concern as for $groupName). Also, after this rename every later operation
# still addresses the entry by $groupName (read_group_entry($groupName) in
# the -m/-x loops and "cn=$groupName,..." for the SID update), which now
# names a DN that no longer exists -- unless the missing lines reassign
# $groupName, combining -n with -m/-x/-s/-r/-a/-t looks broken.
99 if (defined($newname)) {
100 my $modify = $ldap_master->moddn (
101 "cn=$groupName,$config{groupsdn}",
102 newrdn => "cn=$newname",
104 newsuperior => "$config{groupsdn}"
106 $modify->code && die "failed to modify entry: ", $modify->error ;
# -m: add members (comma-separated uid list). Each user must exist
# (is_unix_user) and not already be a member, so no duplicate memberUid
# values are pushed to the directory.
111 if (defined($Options{'m'})) {
112 my $members = $Options{'m'};
# No whitespace trimming: "a, b" yields the member " b".
113 my @members = split( /,/, $members );
# $member is not declared with my here (package variable, or declared in a
# line not shown).
115 foreach $member ( @members ) {
# The entry is re-read on every iteration so is_group_member sees the
# additions made in earlier iterations. This $group_entry shadows the
# outer one only inside the loop.
116 my $group_entry=read_group_entry($groupName);
# NOTE(review): this overwrites the configured groups *container* DN with
# the full DN of this one group. Everything after this loop that builds
# "cn=$groupName,$config{groupsdn}" (the SID/type update below) then
# produces "cn=X,cn=X,ou=..." -- a wrong DN -- whenever -m or -x is combined
# with -s/-r/-a/-t. A local variable should be used instead.
117 $config{groupsdn}=$group_entry->dn;
118 if (is_unix_user($member)) {
119 if (is_group_member($config{groupsdn},$member)) {
120 print "User $member already in the group\n";
122 print "adding user $member to group $groupName\n";
123 my $modify = $ldap_master->modify ($config{groupsdn},
125 add => [memberUid => $member]
# Best-effort: a failed add is reported but processing continues with the
# next member.
128 $modify->code && warn "failed to add entry: ", $modify->error ;
131 print "User $member does not exist: create it first !\n";
# -x: remove members. A user is never removed from the group that is their
# Samba primary group (compared by SID).
137 if (defined($Options{'x'})) {
138 my $members = $Options{'x'};
139 my @members = split( /,/, $members );
141 foreach $member ( @members ) {
# NOTE(review): unlike the -m branch there is no is_unix_user() guard, and
# $user_entry is used below without a defined check. If read_user_entry()
# returns undef for an unknown uid (as the -m branch's check suggests), a
# memberUid that is present in the group but has no user entry would make
# this die on the method call instead of printing a message.
142 my $user_entry=read_user_entry($member);
143 my $group_entry=read_group_entry($groupName);
# Same container-DN clobbering as in the -m loop; see the note there.
144 $config{groupsdn}=$group_entry->dn;
145 if (is_group_member("$config{groupsdn}",$member)) {
# Primary-group guard. 'ne' on undef operands compares them as empty
# strings (with a warning), so if neither attribute is set the two compare
# equal and the removal is refused.
146 if ($group_entry->get_value('sambaSID') ne $user_entry->get_value('sambaPrimaryGroupSID')) {
147 print "deleting user $member from group $groupName\n";
148 my $modify = $ldap_master->modify ($config{groupsdn},
150 delete => [memberUid => $member]
153 $modify->code && warn "failed to delete entry: ", $modify->error ;
155 print "Cannot delete user ($member) from his primary group ($groupName)\n";
158 print "User $member is not in the group $groupName!\n";
# Samba SID handling: -s takes an explicit SID, otherwise -r takes an
# explicit RID, otherwise -a derives the RID algorithmically. The
# assignments of $group_sid on the -s/-r success paths are in lines not
# shown here. Assignment-in-condition is deliberate: $tmp is reused.
164 if ($tmp= $Options{'s'}) {
# Only the S-<n>-<n>-...-<n> shape is checked, not that it belongs to this
# domain's SID.
165 if ($tmp =~ /^S-(?:\d+-)+\d+$/) {
# NOTE(review): this message says "group-rid" but the rejected value is the
# -s SID (copy of the -r message). Not changed here as it is a runtime string.
168 print "$0: illegal group-rid $tmp\n";
171 } elsif ($Options{'r'} || $Options{'a'}) {
173 if ($tmp= $Options{'r'}) {
# Properly anchored, unlike the -g check.
174 if ($tmp =~ /^\d+$/) {
177 print "$0: illegal group-rid $tmp\n";
181 # algorithmic mapping
# Standard smbldap mapping of a Unix gid to a Samba group RID; the SID is
# the domain SID from the config plus that RID.
182 $group_rid = 2*$gid+1001;
184 $group_sid = $config{SID}.'-'.$group_rid;
# Accumulate attribute replacements for a single modify call below. Which
# of the branches above this line closes in is not visible in this listing.
190 push(@mods, 'sambaSID' => $group_sid);
# -t: explicit NT group type, resolved by name.
192 if ($tmp= $Options{'t'}) {
# '&name(...)' call form: bypasses any prototype; the default branch below
# uses the plain call form -- inconsistent, but harmless with parentheses.
194 if (defined($group_type = &group_type_by_name($tmp))) {
195 push(@mods, 'sambaGroupType' => $group_type);
197 print "$0: unknown group type $tmp\n";
# Default to the 'domain' type when the entry has none yet. $group_entry here
# is the outer one, read before any of the modifications above.
201 if (! defined($group_entry->get_value('sambaGroupType'))) {
202 push(@mods, 'sambaGroupType' => group_type_by_name('domain'));
# Ensure the sambaGroupMapping objectClass is present (case-insensitive
# match). Whether @adds is actually passed to the modify call is in lines
# not shown (between 'modify (' and 'replace').
206 my @oc = $group_entry->get_value('objectClass');
207 unless (grep($_ =~ /^sambaGroupMapping$/i, @oc)) {
208 push (@adds, 'objectClass' => 'sambaGroupMapping');
# NOTE(review): this DN is built from $groupName and $config{groupsdn}, both
# of which may be stale at this point (after -n, or after the -m/-x loops
# overwrote $config{groupsdn}); see the notes above.
211 my $modify = $ldap_master->modify ( "cn=$groupName,$config{groupsdn}",
214 'replace' => [ @mods ]
# Only warns (message says "delete" -- copy/paste), so a failed SID/type
# mapping does not stop the script and is easy to miss in output.
217 $modify->code && warn "failed to delete entry: ", $modify->error ;
# Second cache flush so NSS reflects the gid/name changes just made.
220 $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1";
222 if ($nscd_status == 0) {
223 system "/etc/init.d/nscd restart > /dev/null 2>&1";
# Only reached on the success path; the die calls above leave the bind to
# be dropped at process exit.
227 $ldap_master->unbind;
231 ############################################################
235 smbldap-groupmod - Modify a group
239 smbldap-groupmod [-g gid [-o]] [-a] [-r rid] [-s sid] [-t group type]
240 [-n group_name ] [-m members(,)] [-x members (,)] group
244 The smbldap-groupmod command modifies the system account files to
245 reflect the changes that are specified on the command line.
246 The options which apply to the smbldap-groupmod command are
248 -g gid The numerical value of the group's ID. This value must be
249 unique, unless the -o option is used. The value must be non-
250 negative. Any files for which the old group ID is the file
251 group ID must have their file group ID changed manually.
254 The name of the group will be changed from group to group_name.
257 The members to be added to the group in comma-delimited form.
260 The members to be removed from the group in comma-delimited form.
263 add an automatic Security ID for the group (SID).
264 The rid of the group is calculated from the gidNumber of the
265 group as rid=2*gidNumber+1001. Thus the resulting SID of the
266 group is $SID-$rid where $SID and $rid are the domain SID and
271 The SID must be unique and defined with the domain Security ID
272 ($SID) like sid=$SID-rid where rid is the group rid.
276 The SID is then calculated as sid=$SID-rid where $SID is the
280 set the NT Group type for the new group. Available values are
281 2 (domain group), 4 (local group) and 5 (builtin group).
282 The default group type is 2.
286 smbldap-groupmod -g 253 development
287 This will change the GID of the 'development' group to '253'.
289 smbldap-groupmod -n Idiots Managers
290 This will change the name of the 'Managers' group to 'Idiots'.
292 smbldap-groupmod -m "jdoe,jsmith" "Domain Admins"
293 This will add 'jdoe' and 'jsmith' to the 'Domain Admins' group.
295 smbldap-groupmod -x "jdoe,jsmith" "Domain Admins"
296 This will remove 'jdoe' and 'jsmith' from the 'Domain Admins' group.