3 # $Id: smbldap-groupmod,v 1.12 2006/01/02 17:01:19 jtournier Exp $
5 # This code was developed by IDEALX (http://IDEALX.org/) and
6 # contributors (their names can be found in the CONTRIBUTORS file).
8 # Copyright (C) 2001-2002 IDEALX
10 # This program is free software; you can redistribute it and/or
11 # modify it under the terms of the GNU General Public License
12 # as published by the Free Software Foundation; either version 2
13 # of the License, or (at your option) any later version.
15 # This program is distributed in the hope that it will be useful,
16 # but WITHOUT ANY WARRANTY; without even the implied warranty of
17 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 # GNU General Public License for more details.
20 # You should have received a copy of the GNU General Public License
21 # along with this program; if not, write to the Free Software
22 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
25 # Purpose of smbldap-groupmod : group (posix) modification
30 use FindBin
qw($RealBin);
39 my $ok = getopts('ag:n:m:or:s:t:x:?', \%Options);
40 if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) {
42 print "Usage: $0 [-a] [-g gid [-o]] [-n name] [-m members(,)] [-x members (,)] [-r rid] [-s sid] [-t type] groupname\n";
43 print " -a add automatic group mapping entry\n";
44 print " -g new gid\n";
45 print " -o gid is not unique\n";
46 print " -n new group name\n";
47 print " -m add members (comma delimited)\n";
48 print " -r group-rid\n";
49 print " -s group-sid\n";
50 print " -t group-type\n";
51 print " -x delete members (comma delimted)\n";
52 print " -? show this help message\n";
56 my $groupName = $ARGV[0];
59 my $ldap_master=connect_ldap_master();
61 if (! ($group_entry = read_group_entry($groupName))) {
62 print "$0: group $groupName doesn't exist\n";
66 my $newname = $Options{'n'};
68 my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1";
70 if ($nscd_status == 0) {
71 system "/etc/init.d/nscd restart > /dev/null 2>&1";
74 my $gid = getgrnam($groupName);
75 unless (defined ($gid)) {
76 print "$0: group $groupName not found!\n";
81 if (defined($tmp = $Options{'g'}) and $tmp =~ /\d+/) {
82 if (!defined($Options{'o'})) {
83 if (defined(getgrgid($tmp))) {
84 print "$0: gid $tmp exists\n";
88 if (!($gid == $tmp)) {
89 my $modify = $ldap_master->modify ( "cn=$groupName,$config{groupsdn}",
91 replace => [gidNumber => $tmp]
94 $modify->code && die "failed to modify entry: ", $modify->error ;
99 if (defined($newname)) {
100 my $modify = $ldap_master->moddn (
101 "cn=$groupName,$config{groupsdn}",
102 newrdn => "cn=$newname",
104 newsuperior => "$config{groupsdn}"
106 $modify->code && die "failed to modify entry: ", $modify->error ;
111 if (defined($Options{'m'})) {
112 my $members = $Options{'m'};
113 my @members = split( /,/, $members );
115 foreach $member ( @members ) {
116 my $group_entry=read_group_entry($groupName);
117 $config{groupsdn}=$group_entry->dn;
118 if (is_unix_user($member) || is_nonldap_unix_user($member)) {
119 if (is_group_member($config{groupsdn},$member)) {
120 print "User $member already in the group\n";
122 print "adding user $member to group $groupName\n";
123 my $modify = $ldap_master->modify ($config{groupsdn},
125 add => [memberUid => $member]
128 $modify->code && warn "failed to add entry: ", $modify->error ;
131 print "User $member does not exist: create it first !\n";
137 if (defined($Options{'x'})) {
138 my $members = $Options{'x'};
139 my @members = split( /,/, $members );
141 foreach $member ( @members ) {
142 my $user_entry=read_user_entry($member);
143 my $group_entry=read_group_entry($groupName);
144 $config{groupsdn}=$group_entry->dn;
145 if (is_group_member("$config{groupsdn}",$member)) {
147 if (defined $group_entry->get_value('sambaSID')) {
148 if ($group_entry->get_value('sambaSID') eq $user_entry->get_value('sambaPrimaryGroupSID')) {
150 print "Cannot delete user ($member) from his primary group ($groupName)\n";
154 print "deleting user $member from group $groupName\n";
155 my $modify = $ldap_master->modify ($config{groupsdn},
157 delete => [memberUid => $member]
160 $modify->code && warn "failed to delete entry: ", $modify->error ;
163 print "User $member is not in the group $groupName!\n";
169 if ($tmp= $Options{'s'}) {
170 if ($tmp =~ /^S-(?:\d+-)+\d+$/) {
173 print "$0: illegal group-rid $tmp\n";
176 } elsif ($Options{'r'} || $Options{'a'}) {
178 if ($tmp= $Options{'r'}) {
179 if ($tmp =~ /^\d+$/) {
182 print "$0: illegal group-rid $tmp\n";
186 # algorithmic mapping
187 $group_rid = 2*$gid+1001;
189 $group_sid = $config{SID}.'-'.$group_rid;
195 push(@mods, 'sambaSID' => $group_sid);
197 if ($tmp= $Options{'t'}) {
199 if (defined($group_type = &group_type_by_name($tmp))) {
200 push(@mods, 'sambaGroupType' => $group_type);
202 print "$0: unknown group type $tmp\n";
206 if (! defined($group_entry->get_value('sambaGroupType'))) {
207 push(@mods, 'sambaGroupType' => group_type_by_name('domain'));
211 my @oc = $group_entry->get_value('objectClass');
212 unless (grep($_ =~ /^sambaGroupMapping$/i, @oc)) {
213 push (@adds, 'objectClass' => 'sambaGroupMapping');
216 my $modify = $ldap_master->modify ( "cn=$groupName,$config{groupsdn}",
219 'replace' => [ @mods ]
222 $modify->code && warn "failed to delete entry: ", $modify->error ;
225 $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1";
227 if ($nscd_status == 0) {
228 system "/etc/init.d/nscd restart > /dev/null 2>&1";
232 $ldap_master->unbind;
236 ############################################################
240 smbldap-groupmod - Modify a group
244 smbldap-groupmod [-g gid [-o]] [-a] [-r rid] [-s sid] [-t group type]
245 [-n group_name ] [-m members(,)] [-x members (,)] group
249 The smbldap-groupmod command modifies the system account files to
250 reflect the changes that are specified on the command line.
251 The options which apply to the smbldap-groupmod command are
253 -g gid The numerical value of the group's ID. This value must be
254 unique, unless the -o option is used. The value must be non-
255 negative. Any files for which the old group ID is the file
256 group ID must have the file group ID changed manually.
259 The name of the group will be changed from group to group_name.
262 The members to be added to the group in comma-delimited form.
265 The members to be removed from the group in comma-delimited form.
268 add an automatic Security ID (SID) for the group.
269 The rid of the group is calculated from the gidNumber of the
270 group as rid=2*gidNumber+1001. Thus the resulting SID of the
271 group is $SID-$rid where $SID and $rid are the domain SID and
276 The SID must be unique and defined with the domain Security ID
277 ($SID) like sid=$SID-rid where rid is the group rid.
281 The SID is then calculated as sid=$SID-rid where $SID is the
285 set the NT Group type for the new group. Available values are
286 2 (domain group), 4 (local group) and 5 (builtin group).
287 The default group type is 2.
291 smbldap-groupmod -g 253 development
292 This will change the GID of the 'development' group to '253'.
294 smbldap-groupmod -n Idiots Managers
295 This will change the name of the 'Managers' group to 'Idiots'.
297 smbldap-groupmod -m "jdoe,jsmith" "Domain Admins"
298 This will add 'jdoe' and 'jsmith' to the 'Domain Admins' group.
300 smbldap-groupmod -x "jdoe,jsmith" "Domain Admins"
301 This will remove 'jdoe' and 'jsmith' from the 'Domain Admins' group.