Yuvipanda has uploaded a new change for review.
https://gerrit.wikimedia.org/r/301059
Change subject: ldap: Vastly simplify modify-ldap-group
......................................................................
ldap: Vastly simplify modify-ldap-group
I'll follow this up with actual documentation on how to do
common LDAP changes!
This is also maintained upstream code, and also has the
advantage of making you notice that our LDAP groups are
super cluttered with people whose access we never remove.
Bug: T114063
Change-Id: Iad66cf8c1be0d970c94630ed53371e4bc68c9647
---
A modules/ldap/files/modify-ldap-group
D modules/ldap/files/scripts/modify-ldap-group
M modules/ldap/manifests/client/utils.pp
M modules/ldap/manifests/management.pp
4 files changed, 16 insertions(+), 150 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/59/301059/1
diff --git a/modules/ldap/files/modify-ldap-group
b/modules/ldap/files/modify-ldap-group
new file mode 100755
index 0000000..8858039
--- /dev/null
+++ b/modules/ldap/files/modify-ldap-group
@@ -0,0 +1,9 @@
+#!/bin/bash
+[ $# -eq 0 ] && {
+ echo "Usage: $0 groupname";
+ echo "Provide name of the group to modify"
+ exit 1;
+}
+GROUP="$1"
+
+ldapvi -b ou=groups uid="$GROUP"
\ No newline at end of file
diff --git a/modules/ldap/files/scripts/modify-ldap-group
b/modules/ldap/files/scripts/modify-ldap-group
deleted file mode 100755
index 6c7978d..0000000
--- a/modules/ldap/files/scripts/modify-ldap-group
+++ /dev/null
@@ -1,143 +0,0 @@
-#!/usr/bin/python
-
-#####################################################################
-### THIS FILE IS MANAGED BY PUPPET
-### puppet:///modules/ldap/scripts/modify-ldap-group
-#####################################################################
-
-import sys
-import grp
-import traceback
-import ldapsupportlib
-import copy
-from optparse import OptionParser
-
-try:
- import ldap
- import ldap.modlist
-except ImportError:
- sys.stderr.write("Unable to import LDAP library.\n")
- sys.exit(1)
-
-
-def main():
- parser = OptionParser(conflict_handler="resolve")
- parser.set_usage('modify-ldap-group [options] <groupname> [--rename
<newusergroup>]\nexample: modify-ldap-group --gid=501 wikidev')
-
- ldapSupportLib = ldapsupportlib.LDAPSupportLib()
- ldapSupportLib.addParserOptions(parser, "scriptuser")
-
- parser.add_option("-m", "--directorymanager", action="store_true",
dest="directorymanager", help="Use the Directory Manager's credentials, rather
than your own")
- parser.add_option("--gid", action="store", dest="gidNumber", help="Set the
group's gid")
- parser.add_option("--rename", action="store_true", dest="rename",
help="Rename the user")
- parser.add_option("--addmembers", action="store", dest="addMembers",
help="Add a comma separated list of users to this group")
- parser.add_option("--deletemembers", action="store", dest="deleteMembers",
help="Delete a comma separated list of users from this")
- (options, args) = parser.parse_args()
-
- if len(args) != 1:
- if options.rename and len(args) != 2:
- parser.error("modify-ldap-group expects exactly two arguments when
using rename.")
- elif not options.rename:
- parser.error("modify-ldap-group expects exactly one argument,
unless using --rename.")
-
- ldapSupportLib.setBindInfoByOptions(options, parser)
-
- base = ldapSupportLib.getBase()
-
- ds = ldapSupportLib.connect()
-
- # w00t We're in!
- try:
- groupname = args[0]
- PosixData = ds.search_s("ou=groups," + base, ldap.SCOPE_SUBTREE,
"(&(objectclass=posixGroup)(cn=" + groupname + "))")
- if not PosixData:
- raise ldap.NO_SUCH_OBJECT()
- dn = PosixData[0][0]
-
- if options.rename:
- newgroupname = args[1]
-
- # Rename the entry
- newrdn = 'cn=' + newgroupname
- ds.rename_s(dn, newrdn)
- else:
- PosixData = PosixData[0][1]
- NewPosixData = copy.deepcopy(PosixData)
- if options.gidNumber:
- try:
- groupcheck = grp.getgrgid(options.gidNumber)
- raise ldap.TYPE_OR_VALUE_EXISTS()
- except KeyError:
- NewPosixData['gidNumber'] = options.gidNumber
- if options.addMembers:
- raw_members = options.addMembers.split(',')
- for raw_member in raw_members:
- try:
- user=ds.search_s("ou=people," + base,
ldap.SCOPE_SUBTREE, "uid=%s" % raw_member, ("dn",))
- if len(user) == 0:
- sys.stderr.write(raw_member + " doesn't exist, and
won't be added to the group.\n")
- return
- if len(user) > 1:
- sys.stderr.write(raw_member + " exist multiple
times, this is so wrong, abandon all hope\n")
- return
- except Exception as e:
- sys.stderr.write("Failed to search user in LDAP.
Error: %s\n" % str(e))
- raise e
- membertoadd = user[0][0]
- # member expects DNs
- if 'member' in NewPosixData.keys():
- if membertoadd in NewPosixData['member']:
- sys.stderr.write(raw_member + " is already a
member of the group, skipping.\n")
- else:
- NewPosixData['member'].append(membertoadd)
- else:
- NewPosixData['member'] = [membertoadd]
- elif options.deleteMembers:
- raw_members = options.deleteMembers.split(',')
- for raw_member in raw_members:
- membertoremove = 'uid=' + raw_member + ',ou=people,' + base
- if 'member' in NewPosixData.keys():
- if membertoremove in NewPosixData['member']:
- NewPosixData['member'].remove(membertoremove)
- else:
- sys.stderr.write(raw_member + " isn't a
member of the group, skipping.\n")
- else:
- sys.stderr.write("This group contains no
members.\n")
-
- if PosixData == NewPosixData:
- sys.stderr.write("No changes to make; exiting.\n")
- else:
- modlist = ldap.modlist.modifyModlist(PosixData, NewPosixData)
- ds.modify_s(dn, modlist)
- except ldap.UNWILLING_TO_PERFORM, msg:
- sys.stderr.write("LDAP was unwilling to modify the group. Error was:
%s\n" % msg[0]["info"])
- ds.unbind()
- sys.exit(1)
- except ldap.NO_SUCH_OBJECT:
- sys.stderr.write("The group you are trying to modify doesn't exist.\n")
- ds.unbind()
- sys.exit(1)
- except ldap.TYPE_OR_VALUE_EXISTS:
- sys.stderr.write("The gid given already exists.\n")
- ds.unbind()
- sys.exit(1)
- except ldap.PROTOCOL_ERROR:
- sys.stderr.write("There was an LDAP protocol error; see traceback.\n")
- traceback.print_exc(file=sys.stderr)
- ds.unbind()
- sys.exit(1)
- except Exception:
- try:
- sys.stderr.write("There was a general error, this is unexpected;
see traceback.\n")
- traceback.print_exc(file=sys.stderr)
- ds.unbind()
- except Exception:
- sys.stderr.write("Also failed to unbind.\n")
- traceback.print_exc(file=sys.stderr)
- sys.exit(1)
-
- ds.unbind()
- sys.exit(0)
-
-if __name__ == "__main__":
- main()
diff --git a/modules/ldap/manifests/client/utils.pp
b/modules/ldap/manifests/client/utils.pp
index dd0f2e6..cdd2c84 100644
--- a/modules/ldap/manifests/client/utils.pp
+++ b/modules/ldap/manifests/client/utils.pp
@@ -18,13 +18,6 @@
source => 'puppet:///modules/ldap/scripts/add-ldap-group',
}
- file { '/usr/local/sbin/modify-ldap-group':
- owner => 'root',
- group => 'root',
- mode => '0544',
- source => 'puppet:///modules/ldap/scripts/modify-ldap-group',
- }
-
file { '/usr/local/sbin/ldaplist':
ensure => link,
target => '/usr/local/bin/ldaplist',
diff --git a/modules/ldap/manifests/management.pp
b/modules/ldap/manifests/management.pp
index f7dd629..e24eccc 100644
--- a/modules/ldap/manifests/management.pp
+++ b/modules/ldap/manifests/management.pp
@@ -34,6 +34,13 @@
source => 'puppet:///modules/ldap/modify-ldap-user',
}
+ file { '/usr/local/sbin/modify-ldap-group':
+ owner => 'root',
+ group => 'ldap-admins',
+ mode => '0550',
+ source => 'puppet:///modules/ldap/modify-ldap-group',
+ }
+
file { '/etc/ldap.scriptuser.yaml':
content => ordered_yaml($yaml_config),
}
--
To view, visit https://gerrit.wikimedia.org/r/301059
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: Iad66cf8c1be0d970c94630ed53371e4bc68c9647
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Yuvipanda <[email protected]>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
