Yes, agreed, this is a security concern. Consider the scenario where an
employee leaves the company and then rejoins, only to have all his
previous group memberships automatically renewed without the admin
having any knowledge of this.

I have the following patch applied in my ldapscripts:

---
 lib/runtime              |    7 +
 sbin/ldapdeleteuser      |   25 ++++-

--- a/lib/runtime
+++ b/lib/runtime
@@ -620,6 +620,13 @@ _findentry () {
   _ENTRY=$(_ldapsearch "$1" "$2" dn | grep "dn: " | head -n 1 | sed "s|dn: ||")
 }

+# Finds a list of entries in the LDAP directory
+# Input : base ($1), filter ($2)
+# Output : an array of dns for all the matching entries found ($_ENTRYLIST)
+_findentrylist () {
+  _ENTRYLIST=( $(_ldapsearch "$1" "$2" dn | grep "dn: " | sed "s|dn: ||") )
+}
+
 # Get a particular attribute from LDAP
 # Input : entry DN ($1), attribute ($2)
 # Output : the requested attribute of the entry ($_ATTRIBUTE)
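Review bot: the array assignment in `_findentrylist`, `_ENTRYLIST=( $(_ldapsearch "$1" "$2" dn | grep "dn: " | sed "s|dn: ||") )`, relies on unquoted word splitting, so any DN containing a space (for example a group whose `cn` is "Domain Admins") is split into several array elements and every later `_ldapmodify` on those fragments targets a non-existent entry. Read the output line by line instead, e.g. `mapfile -t _ENTRYLIST < <(_ldapsearch "$1" "$2" dn | sed -n 's|^dn: ||p')`, and note that the same pipeline inherits `_findentry`'s weakness with LDIF-folded DNs (continuation lines beginning with a space are dropped by the `grep "dn: "`), which is worth unfolding here while the helper is new.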
--- a/sbin/ldapdeleteuser
+++ b/sbin/ldapdeleteuser
@@ -37,9 +37,30 @@ _findentry "$USUFFIX,$SUFFIX" "(&(object
 # Delete entry
 _ldapdelete "$_ENTRY" || end_die "Error deleting user $_ENTRY from LDAP"

-
 # Optionally, delete the sudoer entry if it exists
 _ldapdeletesudo $1
 [ $? -eq 2 ] && end_die "Found sudoEntry for user $_ENTRY but unable to delete"

-end_ok "Successfully deleted user $_ENTRY from LDAP"
+# Finally, delete this user from all groups for which this was a memberUid
+_findentrylist "$SUFFIX" "(&(objectClass=posixGroup)(memberUid=$1))"
+if [ ! -z "$_ENTRYLIST" ]; then
+  _UID="$1" # needed by Ldif
+  # Stow the user entry for later
+  userEntry="$_ENTRY"
+  for _ENTRY in "${_ENTRYLIST[@]}"; do
+    # Modify group entry
+    _extractldif 2 | _filterldif | _utf8encode | _ldapmodify
+  done
+fi
+
+
+end_ok "Successfully deleted user $userEntry from LDAP"
+
+# Ldif templates #################################
+#
+# PosixGroup (level "2") :
+##dn: <entry>
+##changetype: modify
+##delete: <gmemberattr>
+##<gmemberattr>: <uid>
+#

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1292143

Title:
  'ldapdeleteuser' does not remove user from additional LDAP groups

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ldapscripts/+bug/1292143/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
