Yes, agreed, this is a security concern. Consider the scenario where an employee leaves the company and then rejoins, only to have all his previous group memberships automatically renewed without the admin having any knowledge of this.
I have the following patch applied in my ldapscripts: --- lib/runtime | 7 + sbin/ldapdeleteuser | 25 ++++- --- a/lib/runtime +++ b/lib/runtime @@ -620,6 +620,13 @@ _findentry () { _ENTRY=$(_ldapsearch "$1" "$2" dn | grep "dn: " | head -n 1 | sed "s|dn: ||") } +# Finds a list of entries in the LDAP directory +# Input : base ($1), filter ($2) +# Output : an array of dns for all the matching entries found ($_ENTRYLIST) +_findentrylist () { + _ENTRYLIST=( $(_ldapsearch "$1" "$2" dn | grep "dn: " | sed "s|dn: ||") ) +} + # Get a particular attribute from LDAP # Input : entry DN ($1), attribute ($2) # Output : the requested attribute of the entry ($_ATTRIBUTE) --- a/sbin/ldapdeleteuser +++ b/sbin/ldapdeleteuser 
@@ -37,9 +37,30 @@ _findentry "$USUFFIX,$SUFFIX" "(&(object # Delete entry _ldapdelete "$_ENTRY" || end_die "Error deleting user $_ENTRY from LDAP" - # Optionally, delete the sudoer entry if it exists _ldapdeletesudo $1 [ $? -eq 2 ] && end_die "Found sudoEntry for user $_ENTRY but unable to delete" -end_ok "Successfully deleted user $_ENTRY from LDAP" +# Finally, delete this user from all groups for which this was a memberUid +_findentrylist "$SUFFIX" "(&(objectClass=posixGroup)(memberUid=$1))" +if [ ! -z "$_ENTRYLIST" ]; then + _UID="$1" # needed by Ldif + # Stow the user entry for later + userEntry="$_ENTRY" + for _ENTRY in "${_ENTRYLIST[@]}"; do + # Modify group entry + _extractldif 2 | _filterldif | _utf8encode | _ldapmodify + done +fi + + +end_ok "Successfully deleted user $userEntry from LDAP" + +# Ldif templates ################################# +# +# PosixGroup (level "2") : +##dn: <entry> +##changetype: modify +##delete: <gmemberattr> +##<gmemberattr>: <uid> +# -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1292143 Title: 'ldapdeleteuser' does not remove user from additional LDAP groups To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ldapscripts/+bug/1292143/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
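Review bot: in the lib/runtime hunk, the array assignment `_ENTRYLIST=( $(...) )` in the new `_findentrylist` splits the ldapsearch output on every whitespace character, so a DN that contains a space (for example a group named `cn=Domain Admins,...`) is broken into several array elements and the later per-entry modify would target DNs that do not exist. Read the output line by line instead, e.g. `mapfile -t _ENTRYLIST < <(_ldapsearch "$1" "$2" dn | grep "dn: " | sed "s|dn: ||")`, or wrap the assignment in `IFS=$'\n'`. Two smaller points: `grep "dn: "` misses DNs that ldapsearch base64-encodes and emits as `dn:: ` (the existing `_findentry` has the same limitation, so a comment noting it would help), and arrays are a bash feature, so this only works if the library is sourced by bash rather than a POSIX sh.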
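Review bot: in the sbin/ldapdeleteuser hunk, `userEntry="$_ENTRY"` is only assigned inside the `if [ ! -z "$_ENTRYLIST" ]` block, so when the user belongs to no additional groups `$userEntry` is empty and the final `end_ok "Successfully deleted user $userEntry from LDAP"` reports a blank name; move the assignment above the `if`. The loop also discards the exit status of `_extractldif 2 | _filterldif | _utf8encode | _ldapmodify`, so a failed group modification still ends in `end_ok`, which leaves exactly the stale-membership state this bug is about; append `|| end_die "Error removing user $_UID from group $_ENTRY"` (or at least a warning) to that pipeline. Because the user entry has already been removed by `_ldapdelete "$_ENTRY"` when the groups are processed, consider doing the group cleanup first so a failure leaves the directory recoverable instead of with an orphaned memberUid. Finally, `[ ! -z "$_ENTRYLIST" ]` only inspects the first array element; `[ "${#_ENTRYLIST[@]}" -gt 0 ]` states what is meant.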