From: Frank Brehm
Date: Tue, 8 Feb 2022 15:49:17 +0000 (+0100)
Subject: Adding management of ACIs to after-migration.sh
X-Git-Url: https://git.uhu-banane.org/?a=commitdiff_plain;h=9b7ae538ea717b60f64d296c1e64968550eb5d87;p=pixelpark%2Fldap-migration.git
Adding management of ACIs to after-migration.sh
---
diff --git a/after-migration.sh b/after-migration.sh
index 5309dcb..8af17a6 100755
--- a/after-migration.sh
+++ b/after-migration.sh
@@ -8,7 +8,7 @@ DEBUG="n"
 QUIET='n'
 SIMULATE='n'
-VERSION="3.3"
+VERSION="4.1"
 # console colors:
 RED=""
@@ -51,7 +51,7 @@ OLD_IMAP_SERVER='mail-brln-store02.pixelpark.com'
 declare -A NEW_IMAP_SERVERS=()
 NEW_IMAP_SERVERS['prd']="prd-imap01.pixelpark.com"
 NEW_IMAP_SERVERS['test']="prd-imap01.pixelpark.com"
-NEW_IMAP_SERVERS['dev']="idev-imap01.pixelpark.com"
+NEW_IMAP_SERVERS['dev']="dev-imap01.pixelpark.com"
 NEW_IMAP_SERVER="${NEW_IMAP_SERVERS['prd']}"
@@ -847,7 +847,137 @@ adding_additional_entries() {
 local ldif_file=
 for ldif_file in "${ldif_dir}"/*.ldif ; do
- add_additional_entry "${ldif_file}"
+ if [[ -f "${ldif_file}" ]] ; then
+ add_additional_entry "${ldif_file}"
+ fi
+ done
+
+}
+
+#------------------------------------------------
+apply_acl() {
+
+ local dn="$1"
+ local acl_name="$2"
+ local acl="$3"
+
+ local cmd=
+ local value=
+
+ debug "Checking for acl '${CYAN}${acl_name}${NORMAL}' of entry '${CYAN}${dn}${NORMAL}' ..."
+
+ cmd="ldapsearch -x -LLL -o ldif-wrap=no -H '${LDAP_URL}' -s base "
+ cmd+="-b \"${dn}\" -x -D \"${LDAP_USR}\" -y \"${LDAP_PWD_FILE}\" "
+ cmd+="'(aci=*\"${acl_name}\"*)' aci | grep -i '^aci:'"
+ debug "Executing: ${cmd}"
+ value=$( eval ${cmd} || true )
+
+ if [[ -n "${value}" ]] ; then
+ warn "ACI '${YELLOW}${acl_name}${NORMAL}' already exists in entry '${CYAN}${dn}${NORMAL}'."
+ return 0
+ fi
+
+ info "Applying ACI '${CYAN}${acl_name}${NORMAL}' to entry '${CYAN}${dn}${NORMAL}': ${acl}"
+
+ cat > "${LDIF_FILE}" <<-EOF
+ dn: ${dn}
+ changetype: modify
+ add: aci
+ aci: ${acl}
+ -
+ EOF
+ if [[ "${VERBOSE}" == "y" ]] ; then
+ debug "Resulting LDIF:"
+ cat "${LDIF_FILE}"
+ fi
+
+ cmd="ldapmodify -H \"${LDAP_URL}\" -x -D \"${LDAP_USR}\" -y \"${LDAP_PWD_FILE}\""
+ cmd+=" -f \"$( readlink -f "${LDIF_FILE}" )\""
+ debug "Executing: ${cmd}"
+ if [[ "${SIMULATE}" != "y" ]] ; then
+ eval $cmd
+ fi
+ debug "Done."
+}
+
+#------------------------------------------------
+add_acis_from_file() {
+
+ local aci_file="$1"
+
+ local cmd=
+ local value=
+
+ empty_line
+ local dn=$( basename "${aci_file}" | sed -e 's/^[0-9][0-9]*\.//' -e 's/\.txt//i' )
+
+ info "Adding ACIs for entry '${CYAN}${dn}${NORMAL}' from file '${aci_file}' ..."
+
+ debug "Checking for entry '${CYAN}${dn}${NORMAL}' ..."
+ cmd="ldapsearch -x -LLL -o ldif-wrap=no -H '${LDAP_URL}' -s base "
+ cmd+="-b \"${dn}\" -x -D \"${LDAP_USR}\" -y \"${LDAP_PWD_FILE}\" "
+ cmd+="\"(objectClass=*)\" dn | grep -i '^dn:'"
+ debug "Executing: ${cmd}"
+ value=$( eval ${cmd} || true )
+
+ if [[ -z "${value}" ]] ; then
+ warn "Entry '${YELLOW}${dn}${NORMAL}' does not exists."
+ return 0
+ fi
+ debug "Entry '${CYAN}${dn}${NORMAL}' is existing."
+
+ local acl_name=
+ local acl=
+ local line=
+
+ local oifs="${IFS}"
+
+ local -a acl_names=()
+ local -A acls=()
+
+ IFS="
+"
+
+ for line in $( cat "${aci_file}" | grep -vP '^\s*(#|$)' ) ; do
+ acl_name=$( echo "${line}" | sed -e 's/[ ]*:.*//' -e 's/^[ ]*//' )
+ acl=$( echo "${line}" | sed -E -e 's/^[^:]+[ ]*:[ ]*//' )
+ if [[ -n "${acl_name}" && -n "${acl}" ]] ; then
+ acl=$( printf "${acl}" "${acl_name}" )
+ debug "Applying ACI '${CYAN}${acl_name}${NORMAL}': ${acl}"
+ acl_names+=( "${acl_name}" )
+ acls[${acl_name}]="${acl}"
+ fi
+ done
+
+ IFS="${oifs}"
+
+ for acl_name in "${acl_names[@]}" ; do
+ acl="${acls[${acl_name}]}"
+ apply_acl "${dn}" "${acl_name}" "${acl}"
+ done
+
+}
+
+#------------------------------------------------
+adding_acis() {
+
+ empty_line
+ draw_line
+ info "Adding ${CYAN}ACIs${NORMAL} (access control item) ..."
+
+ local aci_dir="etc/aci"
+
+ if [[ ! -d "${aci_dir}" ]] ; then
+ error "Directory for additional ACI definitions '${RED}${aci_dir}${NORMAL}' not found."
+ exit 8
+ fi
+
+ local aci_file=
+
+ for aci_file in "${aci_dir}"/[0-9][0-9][0-9].*.txt ; do
+ if [[ -f "${aci_file}" ]] ; then
+ add_acis_from_file "${aci_file}"
+ fi
 done
 }
@@ -871,7 +1001,7 @@ add_uid_pool() {
 cmd="ldapsearch -x -LLL -o ldif-wrap=no -H '${LDAP_URL}' "
 cmd+="-b \"${dn}\" -x -D \"${LDAP_USR}\" -y \"${LDAP_PWD_FILE}\" "
 cmd+="\"(objectClass=*)\" dn | grep -i '^dn:'"
- # debug "Executing: ${cmd}"
+ debug "Executing: ${cmd}"
 value=$( eval ${cmd} || true )
 if [[ -n "${value}" ]] ; then
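Review bot: In apply_acl the ACI name is spliced unescaped into the ldapsearch filter `'(aci=*\"${acl_name}\"*)'` and the whole command line is then re-parsed by `eval`, so a name containing `'`, `*`, `(`, `)` or `$(` either breaks the duplicate check or is executed as shell; the DN, which add_acis_from_file derives from the file name, reaches `eval` the same way. These values come from files under `etc/aci` in the repository, so this is an integrity rather than a remote-input concern, but the same `|| true` also turns a bind or connection failure into an empty result, which apply_acl treats as "not yet present" and add_acis_from_file reports as "does not exists" and skips silently. Building the command as an array, escaping the RFC 4515 filter metacharacters, and distinguishing ldapsearch's exit code 32 (noSuchObject) from other failures closes both; the duplicate check in apply_acl would become roughly what the fence shows. The format-string use `acl=$( printf "${acl}" "${acl_name}" )` in add_acis_from_file is related: any `%` or backslash sequence in an ACI other than the intended `%s` is interpreted by printf, whereas `acl="${acl//%s/${acl_name}}"` does the substitution without that.
```shell
apply_acl() {
    # … unchanged: local declarations and the "Checking for acl" debug line …

    # Escape RFC 4515 filter metacharacters so the name cannot change the filter's meaning.
    local esc_name
    esc_name=$( printf '%s' "${acl_name}" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g' )

    # Argument array instead of a string handed to eval: dn and acl_name are never re-parsed by the shell.
    local -a search=( ldapsearch -x -LLL -o ldif-wrap=no -H "${LDAP_URL}" -s base
                      -b "${dn}" -D "${LDAP_USR}" -y "${LDAP_PWD_FILE}"
                      "(aci=*\"${esc_name}\"*)" aci )
    debug "Executing: $( printf '%q ' "${search[@]}" )"

    local out rc=0
    out=$( "${search[@]}" ) || rc=$?
    # 32 = noSuchObject; anything else is a real failure, not "no ACI yet".
    if (( rc != 0 && rc != 32 )) ; then
        error "ldapsearch on '${dn}' failed with exit code ${rc}."
        return 1
    fi
    value=$( printf '%s\n' "${out}" | grep -i '^aci:' || true )

    # … unchanged: "already exists" warning, LDIF generation and ldapmodify …
}
```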
@@ -910,6 +1040,10 @@ add_uid_pool() {
 uidNumber: ${max_uid}
 EOF
+ if [[ "${VERBOSE}" == "y" ]] ; then
+ debug "Resulting LDIF:"
+ cat "${LDIF_FILE}"
+ fi
 cmd="ldapadd -H \"${LDAP_URL}\" -x -D \"${LDAP_USR}\" -y \"${LDAP_PWD_FILE}\""
 cmd+=" -f \"${LDIF_FILE}\""
@@ -940,7 +1074,7 @@ add_gid_pool() {
 cmd="ldapsearch -x -LLL -o ldif-wrap=no -H '${LDAP_URL}' "
 cmd+="-b \"${dn}\" -x -D \"${LDAP_USR}\" -y \"${LDAP_PWD_FILE}\" "
 cmd+="\"(objectClass=*)\" dn | grep -i '^dn:'"
- # debug "Executing: ${cmd}"
+ debug "Executing: ${cmd}"
 value=$( eval ${cmd} || true )
 if [[ -n "${value}" ]] ; then
@@ -979,6 +1113,10 @@ add_gid_pool() {
 uidNumber: ${max_gid}
 EOF
+ if [[ "${VERBOSE}" == "y" ]] ; then
+ debug "Resulting LDIF:"
+ cat "${LDIF_FILE}"
+ fi
 cmd="ldapadd -H \"${LDAP_URL}\" -x -D \"${LDAP_USR}\" -y \"${LDAP_PWD_FILE}\""
 cmd+=" -f \"${LDIF_FILE}\""
@@ -1019,6 +1157,7 @@ main() {
 update_all_mailhosts
 update_all_public_sshkeys
 adding_additional_entries
+ adding_acis
 add_id_pools
 empty_line
diff --git a/etc/aci/000.o=isp.txt b/etc/aci/000.o=isp.txt
new file mode 100644
index 0000000..2fb5dcf
--- /dev/null
+++ b/etc/aci/000.o=isp.txt
@@ -0,0 +1,3 @@
+# Enable full access to admin user: (version 3.0; acl "%s"; allow (all, export, import, proxy) (userdn = "ldap:///cn=admin"); )
+Enable read for readonly user: (version 3.0; acl "%s"; allow (read, search, compare)(userdn="ldap:///uid=readonly,ou=People,o=isp"); )
+Enable read for mail-service user: (version 3.0; acl "%s"; allow (read, search, compare)(userdn="ldap:///uid=mail-service,ou=Services,o=Pixelpark,o=isp"); )
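Review bot: The two active ACIs in etc/aci/000.o=isp.txt carry no `targetattr` (and no `target`) clause, so the read/search/compare grant for uid=readonly and uid=mail-service applies to the whole o=isp subtree with whatever attribute set the server assumes when targetattr is omitted; on 389-DS/RHDS that default is commonly documented as all attributes, which would include `userPassword`, and is worth confirming against the deployed server before these are applied. Excluding the password attribute is the usual safeguard, e.g. `Enable read for readonly user: (targetattr != "userPassword")(version 3.0; acl "%s"; allow (read, search, compare)(userdn="ldap:///uid=readonly,ou=People,o=isp"); )`, and likewise for the mail-service line. A one-line header describing the format would also help future editors, since the script parses each non-comment line as name, colon, ACI text and takes the target DN from the file name: `# <acl name>: <aci>   -- "%s" is replaced by the acl name; the entry DN is taken from this file's name (NNN.<dn>.txt)`.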