#!/usr/bin/env perl
|
|
2 |
# vim: set nosta noet ts=4 sw=4:
|
|
3 |
#
|
|
4 |
# Copyright (c) 2006, Mahlon E. Smith <mahlon@martini.nu>
|
|
5 |
# All rights reserved.
|
|
6 |
# Redistribution and use in source and binary forms, with or without
|
|
7 |
# modification, are permitted provided that the following conditions are met:
|
|
8 |
#
|
|
9 |
# * Redistributions of source code must retain the above copyright
|
|
10 |
# notice, this list of conditions and the following disclaimer.
|
|
11 |
# * Redistributions in binary form must reproduce the above copyright
|
|
12 |
# notice, this list of conditions and the following disclaimer in the
|
|
13 |
# documentation and/or other materials provided with the distribution.
|
|
14 |
# * Neither the name of Mahlon E. Smith nor the names of his
|
|
15 |
# contributors may be used to endorse or promote products derived
|
|
16 |
# from this software without specific prior written permission.
|
|
17 |
#
|
|
18 |
# THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY
|
|
19 |
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
|
20 |
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
21 |
# DISCLAIMED. IN NO EVENT SHALL THE REGENTS AND CONTRIBUTORS BE LIABLE FOR ANY
|
|
22 |
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
|
23 |
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
24 |
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
|
|
25 |
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
26 |
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
27 |
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
28 |
|
|
29 |
=head1 NAME
|
|
30 |
|
|
31 |
Shelldap / LDAP::Shell
|
|
32 |
|
|
33 |
A program for interacting with an LDAP server via a shell-like
|
|
34 |
interface.
|
|
35 |
|
|
36 |
This is not meant to be an exhaustive LDAP editing and browsing
|
|
37 |
interface, but rather an intuitive shell for performing basic LDAP
|
|
38 |
tasks quickly and with minimal effort.
|
|
39 |
|
|
40 |
=head1 SYNOPSIS
|
|
41 |
|
|
42 |
shelldap --server example.net --basedn dc=your,o=company [--tls] [--binddn ...] [--help]
|
|
43 |
|
|
44 |
=head1 FEATURES
|
|
45 |
|
|
46 |
- Upon successful authenticated binding, you are offered the option of
caching the connection information to ~/.shelldap.rc -- future loads
then require no command line flags. Note that the cache includes the
bind password in plain text; the file is created mode 0600, so keep it
that way (or answer 'n' at the prompt on shared accounts).
|
|
49 |
|
|
50 |
- Custom 'description maps' for entry listings. (See the 'list' command.)
|
|
51 |
|
|
52 |
- History and autocomplete via readline, if installed.
|
|
53 |
|
|
54 |
- Automatic reconnection attempts if the connection is lost with the
|
|
55 |
LDAP server.
|
|
56 |
|
|
57 |
- It feels like a semi-crippled shell, making LDAP browsing and editing
|
|
58 |
at least halfway pleasurable.
|
|
59 |
|
|
60 |
=head1 OPTIONS
|
|
61 |
|
|
62 |
All command line options follow getopts long conventions.
|
|
63 |
|
|
64 |
shelldap --server example.net --basedn dc=your,o=company
|
|
65 |
|
|
66 |
You may also optionally create a ~/.shelldap.rc file with command line
defaults. This file should be valid YAML. (You are offered the chance to
have it written for you after the first successful authenticated bind;
it then contains the bind password in plain text, so it is created with
mode 0600.)
|
|
69 |
|
|
70 |
Example:
|
|
71 |
|
|
72 |
server: ldap.example.net
|
|
73 |
binddn: cn=Manager,dc=your,o=company
|
|
74 |
bindpass: xxxxxxxxx
|
|
75 |
basedn: dc=your,o=company
|
|
76 |
tls: yes
|
|
77 |
|
|
78 |
=over 4
|
|
79 |
|
|
80 |
=item B<server>
|
|
81 |
|
|
82 |
Required. The LDAP server to connect to. This can be a hostname, IP
|
|
83 |
address, or a URI.
|
|
84 |
|
|
85 |
--server ldaps://ldap.example.net
|
|
86 |
|
|
87 |
=back
|
|
88 |
|
|
89 |
=over 4
|
|
90 |
|
|
91 |
=item B<binddn>
|
|
92 |
|
|
93 |
The full dn of a user to authenticate as. If not specified, defaults to
|
|
94 |
an anonymous bind. You will be prompted for a password.
|
|
95 |
|
|
96 |
--binddn cn=Manager,dc=your,o=company
|
|
97 |
|
|
98 |
=back
|
|
99 |
|
|
100 |
=over 4
|
|
101 |
|
|
102 |
=item B<basedn>
|
|
103 |
|
|
104 |
The directory 'root' of your LDAP server. If omitted, shelldap will
|
|
105 |
try and ask the server for a sane default.
|
|
106 |
|
|
107 |
--basedn dc=your,o=company
|
|
108 |
|
|
109 |
=back
|
|
110 |
|
|
111 |
=over 4
|
|
112 |
|
|
113 |
=item B<tls>

Enables TLS (via the StartTLS extended operation) over what would
normally be an insecure connection. Requires server side support. If a
bind fails with 'confidentiality required', the server insists on TLS
and this flag is needed. Note that, by default, the server's certificate
is not verified, so this protects against passive eavesdropping only;
use --debug to see the cipher actually negotiated.
|
|
117 |
|
|
118 |
=back
|
|
119 |
|
|
120 |
=over 4
|
|
121 |
|
|
122 |
=item B<cacheage>
|
|
123 |
|
|
124 |
Set the time to cache directory lookups in seconds.
|
|
125 |
|
|
126 |
By default, directory lookups are cached for 300 seconds, to speed
|
|
127 |
autocomplete up when changing between different basedns.
|
|
128 |
|
|
129 |
Modifications to the directory automatically reset the cache. Directory
|
|
130 |
listings are not cached. (This is just used for autocomplete.) Set it
|
|
131 |
to 0 to disable caching completely.
|
|
132 |
|
|
133 |
=back
|
|
134 |
|
|
135 |
=over 4
|
|
136 |
|
|
137 |
=item B<timeout>
|
|
138 |
|
|
139 |
Set the maximum time an LDAP operation can take before it is cancelled.
|
|
140 |
|
|
141 |
=back
|
|
142 |
|
|
143 |
=over 4
|
|
144 |
|
|
145 |
=item B<debug>
|
|
146 |
|
|
147 |
Print extra operational info out, and backtrace on fatal error. The
backtrace is produced by Carp::confess, which includes subroutine
arguments, so a failure during bind may print the bind password --
avoid pasting debug output anywhere public.
|
|
148 |
|
|
149 |
=back
|
|
150 |
|
|
151 |
=head1 SHELL COMMANDS
|
|
152 |
|
|
153 |
=over 4
|
|
154 |
|
|
155 |
=item B<cat>
|
|
156 |
|
|
157 |
Display an LDIF dump of an entry. Globbing is supported. Specify
|
|
158 |
either the full dn, or an rdn. For most commands, rdns are local to the
|
|
159 |
current search base. ('cwd', as translated to shell speak.) You may additionally
|
|
160 |
add a list of attributes to display. Use '+' for server side attributes.
|
|
161 |
|
|
162 |
cat uid=mahlon
|
|
163 |
cat ou=*
|
|
164 |
cat uid=mahlon,ou=People,dc=example,o=company
|
|
165 |
cat uid=mahlon + userPassword
|
|
166 |
|
|
167 |
=item B<cd>
|
|
168 |
|
|
169 |
Change directory. Translated to LDAP, this changes the current basedn.
|
|
170 |
All commands after a 'cd' operate within the new basedn.
|
|
171 |
|
|
172 |
cd cd to 'home' basedn
|
|
173 |
cd ~ same thing
|
|
174 |
cd - cd to previous directory
|
|
175 |
cd ou=People cd to explicit path
|
|
176 |
cd .. cd to parent node
|
|
177 |
|
|
178 |
Since LDAP doesn't actually limit what can be a container object, you
|
|
179 |
can actually cd into any entry. Many commands then work on '.', meaning
|
|
180 |
"wherever I currently am."
|
|
181 |
|
|
182 |
cd uid=mahlon
|
|
183 |
cat .
|
|
184 |
|
|
185 |
=item B<clear>
|
|
186 |
|
|
187 |
Clear the screen.
|
|
188 |
|
|
189 |
=item B<copy>
|
|
190 |
|
|
191 |
Copy an entry to a different dn path. All copies are relative to the
current basedn, unless a full dn is specified. All attributes of the
source entry (including userPassword, if the server lets you read it)
are copied into a new entry, whose rdn is taken from the destination,
and that entry is then added to the directory.
|
|
194 |
|
|
195 |
copy uid=mahlon uid=bob
|
|
196 |
copy uid=mahlon ou=Others,dc=example,o=company
|
|
197 |
copy uid=mahlon,ou=People,dc=example,o=company uid=mahlon,ou=Others,dc=example,o=company
|
|
198 |
|
|
199 |
aliased to: cp
|
|
200 |
|
|
201 |
=item B<create>
|
|
202 |
|
|
203 |
Create an entry from scratch. Arguments are space separated objectClass
|
|
204 |
names. Possible objectClasses are derived automatically from the
|
|
205 |
server, and will tab-complete.
|
|
206 |
|
|
207 |
After the classes are specified, an editor will launch. Required
|
|
208 |
attributes are listed first, then optional attributes. Optionals are
|
|
209 |
commented out. After the editor exits, the resulting LDIF is validated
|
|
210 |
and added to the LDAP directory.
|
|
211 |
|
|
212 |
create top person organizationalPerson inetOrgPerson posixAccount
|
|
213 |
|
|
214 |
aliased to: touch
|
|
215 |
|
|
216 |
=item B<delete>
|
|
217 |
|
|
218 |
Remove an entry from the directory. Globbing is supported.
|
|
219 |
All deletes are sanity-prompted.
|
|
220 |
|
|
221 |
delete uid=mahlon
|
|
222 |
delete uid=ma*
|
|
223 |
|
|
224 |
aliased to: rm
|
|
225 |
|
|
226 |
=item B<edit>
|
|
227 |
|
|
228 |
Edit an entry in an external editor. After the editor exits, the
|
|
229 |
resulting LDIF is sanity checked, and changes are written to the LDAP
|
|
230 |
directory.
|
|
231 |
|
|
232 |
edit uid=mahlon
|
|
233 |
|
|
234 |
aliased to: vi
|
|
235 |
|
|
236 |
=item B<env>
|
|
237 |
|
|
238 |
Show values for various runtime variables.
|
|
239 |
|
|
240 |
=item B<grep>
|
|
241 |
|
|
242 |
Search for arbitrary LDAP filters, and return matching dn results.
|
|
243 |
The search string must be a valid LDAP filter.
|
|
244 |
|
|
245 |
grep uid=mahlon
|
|
246 |
grep uid=mahlon ou=People
|
|
247 |
grep -r (&(uid=mahlon)(objectClass=*))
|
|
248 |
|
|
249 |
aliased to: search
|
|
250 |
|
|
251 |
=item B<list>
|
|
252 |
|
|
253 |
List entries for the current basedn. Globbing is supported.
|
|
254 |
|
|
255 |
aliased to: ls
|
|
256 |
|
|
257 |
ls -l
|
|
258 |
ls -lR uid=mahlon
|
|
259 |
list uid=m*
|
|
260 |
list verbose
|
|
261 |
|
|
262 |
In 'verbose' mode, descriptions are listed as well, if they exist.
|
|
263 |
There are also some 'sane' long listings for common objectClass types.
|
|
264 |
You can actually specify your own in your .shelldap.rc, like so:
|
|
265 |
|
|
266 |
...
|
|
267 |
descmaps:
|
|
268 |
objectClass: attributename
|
|
269 |
posixAccount: gecos
|
|
270 |
posixGroup: gidNumber
|
|
271 |
ipHost: ipHostNumber
|
|
272 |
puppetClient: puppetclass
|
|
273 |
|
|
274 |
=item B<mkdir>
|
|
275 |
|
|
276 |
Creates a new 'organizationalUnit' entry.
|
|
277 |
|
|
278 |
mkdir containername
|
|
279 |
mkdir ou=whatever
|
|
280 |
|
|
281 |
=item B<move>
|
|
282 |
|
|
283 |
Move an entry to a different dn path. Usage is identical to B<copy>.
|
|
284 |
|
|
285 |
aliased to: mv
|
|
286 |
|
|
287 |
=item B<passwd>
|
|
288 |
|
|
289 |
If supported server side, change the password for a specified entry.
|
|
290 |
The entry must have a 'userPassword' attribute.
|
|
291 |
|
|
292 |
passwd uid=mahlon
|
|
293 |
|
|
294 |
=item B<pwd>
|
|
295 |
|
|
296 |
Print the 'working directory' - aka, the current ldap basedn.
|
|
297 |
|
|
298 |
=item B<setenv>
|
|
299 |
|
|
300 |
Modify various runtime variables normally set from the command line.
|
|
301 |
|
|
302 |
setenv debug 1
|
|
303 |
export debug=1
|
|
304 |
|
|
305 |
=item B<whoami>
|
|
306 |
|
|
307 |
Show current auth credentials. Unless you specified a binddn, this
|
|
308 |
will just show an anonymous bind.
|
|
309 |
|
|
310 |
=back
|
|
311 |
|
|
312 |
=head1 TODO
|
|
313 |
|
|
314 |
Referral support. Currently, if you try to write to a replicant slave,
|
|
315 |
you'll just get a referral. It would be nice if shelldap automatically
|
|
316 |
tried to follow it.
|
|
317 |
|
|
318 |
For now, it only makes sense to connect to a master if you plan on doing
|
|
319 |
any writes.
|
|
320 |
|
|
321 |
"cd ../ou=SomewhereElse" doesn't work, but "cd ../../" does. This is
|
|
322 |
weird, as both should probably work.
|
|
323 |
|
|
324 |
=head1 BUGS / LIMITATIONS
|
|
325 |
|
|
326 |
There is currently no attribute multiline support - attribute values
|
|
327 |
that span over one line will be ignored if modified. (Thankfully, they
|
|
328 |
are generally rare.)
|
|
329 |
|
|
330 |
There is no support for editing binary data. This is actually related
|
|
331 |
to the lack of multiline support - if you just base64 encode data and
|
|
332 |
paste it in, it will be ignored for the same reasons.
|
|
333 |
|
|
334 |
=head1 AUTHOR
|
|
335 |
|
|
336 |
Mahlon E. Smith <mahlon@martini.nu>
|
|
337 |
|
|
338 |
=cut
|
|
339 |
|
|
340 |
package LDAP::Shell;
use strict;
use warnings;
use Term::ReadKey;
use Term::Shell;
use Digest::MD5;
use Net::LDAP;
use Net::LDAP::LDIF;
use Data::Dumper;
use File::Temp;
use Algorithm::Diff;
use Carp 'confess';
use base 'Term::Shell';
require Net::LDAP::Extension::SetPassword;

# Runtime configuration (server, binddn, bindpass, basedn, tls, cacheage,
# timeout, debug, confpath ...) is assembled by the main script and handed
# in through $main::conf; every sub below reads it via this lexical.
# NOTE(review): ldap() below calls YAML::Syck::DumpFile without a 'use'
# here, so it presumably relies on the main script having loaded YAML::Syck.
my $conf = $main::conf;

# make 'die' backtrace in debug mode
#
# NOTE(review): Carp::confess prints the arguments of every frame in the
# backtrace, so a die() raised inside Net::LDAP::bind() while in debug
# mode can echo the bind password to the terminal. A __DIE__ handler also
# fires for exceptions that are later caught by eval {} (the history and
# LDIF evals below), which only adds noise -- keep 'debug' off when
# sharing output.
$SIG{'__DIE__'} = \&Carp::confess if $conf->{'debug'};

###############################################################
#
# UTILITY FUNCTIONS
#
###############################################################

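# initial shell behaviors
#
# Called once by Term::Shell before the command loop starts. Sets up
# readline, loads the command history, connects to the directory (via
# ldap()), sanity-checks the search base and primes the autocomplete
# cache and the prompt. Dies if the server cannot be reached or the
# base DN is unusable.
#
sub init
{
	my $self = shift;
	$self->{'API'}->{'match_uniq'} = 0;

	# $EDITOR is launched as-is by the create/edit commands.
	$self->{'editor'} = $ENV{'EDITOR'} || 'vi';
	$self->{'env'} = [ qw/ debug cacheage timeout / ];

	# let autocomplete work with the '=' character
	my $term = $self->term();
	$term->Attribs->{'basic_word_break_characters'} =~ s/=//m;
	$term->Attribs->{'completer_word_break_characters'} =~ s/=//m;

	# read in history (best effort: not every Term::ReadLine backend
	# provides these methods, hence the eval). Every command line typed
	# at the prompt ends up in this file, so it is truncated to 50
	# entries. Skip it rather than write "/.shelldap_history" when
	# HOME is unset.
	if ( defined $ENV{'HOME'} && length $ENV{'HOME'} ) {
		my $histfile = "$ENV{'HOME'}/.shelldap_history";
		eval {
			$term->history_truncate_file( $histfile, 50 );
			$term->ReadHistory( $histfile );
		};
	}

	# ldap() connects and binds on first use; it dies on failure
	$self->{'root_dse'} = $self->ldap->root_dse();
	if ( $conf->{'debug'} ) {
		my @versions;
		if ( $self->{'root_dse'} ) {
			# root_dse() hands back undef when the server will not
			# serve the rootDSE; don't call methods on that.
			my $v = $self->{'root_dse'}->get_value( 'supportedLDAPVersion', asref => 1 );
			@versions = @{ $v || [] };
		}
		print "Connected to $conf->{'server'}\n";
		print "Supported LDAP version: ", ( join ', ', @versions ), "\n";
		# cipher() is only defined once a TLS session exists, so this
		# line is the quickest way to confirm that --tls took effect.
		print "Cipher in use: ", ( $self->ldap()->cipher() || 'none (cleartext)' ), "\n";
	}

	# try an initial search and die if it doesn't work
	# (bad baseDN)
	my $s = $self->search();
	die "LDAP baseDN error: ", $s->{'message'}, "\n" if $s->{'code'};

	$self->{'schema'} = $self->ldap->schema();

	# okay, now do an initial population of 'cwd'
	# for autocomplete.
	$self->update_entries();

	# whew, okay. Update prompt, wait for input!
	$self->update_prompt();

	return;
}
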
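# get an ldap connection handle
#
# Connects (lazily, on first call) to $conf->{'server'}, optionally
# upgrades the socket with StartTLS, binds -- anonymously, or as
# $conf->{'binddn'}, prompting for the password if none is configured --
# and caches the resulting Net::LDAP object in $self->{'ldap'}. search()
# drops that cache when the server goes away, so a later call here
# reconnects (and re-binds, and re-runs StartTLS) transparently.
#
# Dies on connection, TLS or bind failure.
#
# $conf keys honoured here beyond the documented command line options:
#   tls_verify     - passed to start_tls() as 'verify' ('none', 'optional'
#                    or 'require'). Defaults to 'none' for backwards
#                    compatibility, which means the server is NOT
#                    authenticated and an active attacker on the path can
#                    collect the bind password. Set 'require' (plus
#                    cafile/capath if the CA is not in the system store)
#                    in ~/.shelldap.rc.
#   cafile, capath - CA bundle / directory handed to start_tls().
#
sub ldap
{
	my $self = shift;

	# use cached connection object if it exists
	return $self->{'ldap'} if $self->{'ldap'};

	# fill in potentially missing info
	die "No server specified.\n" unless $conf->{'server'};
	if ( $conf->{'binddn'} && ! $conf->{'bindpass'} ) {
		print "Bind password: ";
		Term::ReadKey::ReadMode 2;    # no echo
		my $pass = <STDIN>;
		Term::ReadKey::ReadMode 0;    # restore the terminal before anything can die
		print "\n";
		die "No bind password given.\n" unless defined $pass;
		chomp $pass;
		$conf->{'bindpass'} = $pass;
	}

	# make connection (Net::LDAP->new reports its failure in $@, not $!)
	my $ldap = Net::LDAP->new( $conf->{'server'} )
		or die "Unable to connect to LDAP server '$conf->{'server'}': $@\n";

	if ( $conf->{'tls'} ) {
		my %tls_opts = ( verify => $conf->{'tls_verify'} || 'none' );
		$tls_opts{'cafile'} = $conf->{'cafile'} if $conf->{'cafile'};
		$tls_opts{'capath'} = $conf->{'capath'} if $conf->{'capath'};

		# say so once when the (compatibility) default leaves the server
		# unauthenticated and nobody chose that explicitly
		warn "Warning: TLS server certificate is not being verified "
		   . "(set 'tls_verify: require' in ~/.shelldap.rc)\n"
			if $tls_opts{'verify'} eq 'none' && ! defined $conf->{'tls_verify'};

		# If StartTLS fails the socket silently stays in cleartext and the
		# bind below would send the password unprotected -- refuse instead.
		my $tls = $ldap->start_tls( %tls_opts );
		die "Unable to start TLS with '$conf->{'server'}': ", $tls->error, "\n"
			if $tls->code;
	}

	# bind
	my $rv;
	if ( $conf->{'binddn'} ) {
		# authed
		$rv = $ldap->bind(
			$conf->{'binddn'},
			password => $conf->{'bindpass'}
		);
	}
	else {
		# anon
		$rv = $ldap->bind();
	}

	if ( $rv->code() ) {
		my $err = $rv->error();
		# LDAP result 13 (confidentialityRequired): the server wants TLS
		$err .= " (forgot the --tls flag?)"
			if $err =~ /confidentiality required/i;
		die "LDAP bind error: $err\n";
	}

	# offer to cache authentication info
	# if we enter this conditional, we have successfully
	# authed with the server (non anonymous), and
	# we haven't cached anything in the past.
	#
	# The whole of $conf -- bind password included, in the clear -- is
	# written to the rc file, so it is created under a 077 umask rather
	# than only chmod'ed afterwards (which left a window where it was
	# readable with the user's default umask).
	if ( $conf->{'binddn'} && $conf->{'confpath'} && ! -e $conf->{'confpath'} ) {
		print "Would you like to cache your connection information? [Y/n]: ";
		my $response = <STDIN>;
		$response = 'n' unless defined $response;    # EOF means no
		chomp $response;
		unless ( $response =~ /^n/i ) {
			my $old_umask = umask 077;
			eval { YAML::Syck::DumpFile( $conf->{'confpath'}, $conf ); };
			my $dump_err = $@;
			umask $old_umask;
			die $dump_err if $dump_err;
			chmod 0600, $conf->{'confpath'};
			print "Connection info cached.\n";
		}
	}

	$self->{'ldap'} = $ldap;
	return $ldap;
}
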
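# just return an LDIF object
#
# With a true argument, creates a private temporary file and returns a
# Net::LDAP::LDIF writer attached to it (the file name is kept in
# $self->{'ldif_fname'} so the editor can be pointed at it). Otherwise
# returns a writer attached to STDOUT. Either way the writer is also
# stored in $self->{'ldif'}. Attributes are written sorted.
#
sub ldif
{
	my $self = shift;
	my $use_temp = shift;

	# create tmpfile and link ldif object with it
	if ( $use_temp ) {
		# The dump may carry userPassword hashes and other sensitive
		# attributes, so the file must be private: File::Temp creates it
		# O_EXCL with mode 0600. TMPDIR => 1 honours $TMPDIR instead of
		# hard-coding a shared /tmp; UNLINK removes it at exit.
		my ( $fh, $fname ) =
			File::Temp::tempfile( 'shelldap_XXXXXXXX', TMPDIR => 1, UNLINK => 1 );
		# the writer reopens the file by name; don't leak our own handle
		# for the rest of the process lifetime
		close $fh;
		$self->{'ldif'} = Net::LDAP::LDIF->new( $fname, 'w', sort => 1 );
		$self->{'ldif_fname'} = $fname;
	}

	# ldif -> stdout
	else {
		$self->{'ldif'} = Net::LDAP::LDIF->new( \*STDOUT, 'w', sort => 1 );
	}

	return $self->{'ldif'};
}
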
# load and return an Entry object from LDIF
#
# Takes a file name (or handle) readable by Net::LDAP::LDIF and returns
# the first entry found in it. Returns nothing if the file cannot be
# opened or the entry fails to parse.
#
sub load_ldif
{
	my ( $self, $source ) = @_;

	my $reader = Net::LDAP::LDIF->new( $source, 'r' )
		or return;

	my $entry = eval { $reader->read_entry() };
	return if $@;

	return $entry;
}

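# given a filename, return an md5 checksum
#
# Used only to detect whether the external editor changed the temporary
# LDIF (before/after comparison) -- not for anything security related,
# so MD5 is adequate here. Returns the hex digest, or nothing when no
# file name is given. Dies if the file cannot be read.
#
sub chksum
{
	my $self = shift;
	my $file = shift or return;

	# three-argument open with a lexical handle: a two-argument open
	# would let a name such as "| cmd" or ">x" be parsed as a mode
	open my $fh, '<', $file or die "Unable to read temporary ldif: $!\n";
	binmode $fh;
	my $hash = Digest::MD5->new()->addfile( $fh )->hexdigest();
	close $fh;

	return $hash;
}
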
# prompt functions
#
# Term::Shell hook: the prompt text is precomputed by update_prompt()
# and kept in $self->{'prompt'}, so this just hands it back.
#
sub prompt_str
{
	my ( $self ) = @_;
	return $self->{'prompt'};
}

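# Recompute $self->{'prompt'} from the current search base. Long bases
# (> 50 characters) are abbreviated to their first RDN; otherwise the
# configured base DN is shown as '~', shell style.
#
sub update_prompt
{
	my $self = shift;
	my $base = $self->base();
	$base = '' unless defined $base;

	if ( length $base > 50 ) {
		# 'my $x = ... if COND' is undefined behaviour in Perl: declare
		# first, then assign.
		my $cwd_dn = $base;
		$cwd_dn = $1 if $base =~ /^(.*?),/;
		$self->{'prompt'} = "... $cwd_dn > ";
	}
	else {
		my $prompt = $base;
		# The base DN is data, not a pattern: DNs may contain regex
		# metacharacters such as '(' or '+', so quote it, and compare
		# case-insensitively like LDAP does.
		if ( defined $conf->{'basedn'} && length $conf->{'basedn'} ) {
			$prompt =~ s/\Q$conf->{'basedn'}\E/~/i;
		}
		$self->{'prompt'} = "$prompt > ";
	}
	return;
}
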
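# search base accessor
#
# Get or set the current search base ("cwd"). With an argument, sets it.
# When nothing has been set and no basedn was configured, the first
# naming context advertised by the server's rootDSE is used and also
# stored into $conf->{'basedn'} so the prompt and rdn_to_dn() agree
# with it.
#
sub base
{
	my $self = shift;
	$self->{'base'} ||= $conf->{'basedn'};

	# try and determine base automatically from rootDSE
	#
	unless ( $self->{'base'} ) {
		my $dse = $self->{'root_dse'};
		my $detected;
		if ( $dse && eval { $dse->can('get_value') } ) {
			# Net::LDAP::RootDSE is an Entry: ask for namingContexts by
			# name instead of trusting attribute order in the raw ASN.
			$detected = $dse->get_value('namingContexts');
		}
		unless ( defined $detected ) {
			# fallback: the first value of the first attribute in the
			# decoded rootDSE, whatever that happens to be
			my $raw = ( ref $dse ? $dse->{'asn'} : undef ) || {};
			$raw = $raw->{'attributes'} || [];
			$raw = $raw->[0] || {};
			$raw = $raw->{'vals'} || [];
			$detected = $raw->[0];
		}
		$conf->{'basedn'} = $detected;
		$self->{'base'} = $detected;
	}
	if ( $_[0] ) {
		$self->{'base'} = $_[0];
	}
	return $self->{'base'};
}
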
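# make sure a given rdn includes the current
# base, making it a dn.
# accepts a string reference.
#
# Modifies the referenced string in place: if it already ends with the
# configured basedn it is left alone (so 'cd' to the root, or to a node
# above the current base, works); if it already contains the current
# base it is taken to be a full dn; otherwise ",<current base>" is
# appended. Returns nothing.
#
sub rdn_to_dn
{
	my $self = shift;
	my $rdn = shift or return;

	return unless ref $rdn;

	# DNs are data, not patterns: quote them before interpolating into a
	# regex (a base such as "o=Acme (UK)" would otherwise never match),
	# and compare case-insensitively, as LDAP does.
	my $basedn = $conf->{'basedn'};
	$basedn = '' unless defined $basedn;

	# allow cd to 'basedn' and cd to directories 'higher' in the tree
	return if $$rdn =~ /\Q$basedn\E$/i;

	# auto fill in current base for deeper DNs
	my $curbase = $self->base();
	$curbase = '' unless defined $curbase;

	$$rdn = "$$rdn,$curbase" unless $$rdn =~ /\Q$curbase\E/i;
	return;
}
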
# do a search on a dn to determine if it is valid.
# returns a bool.
#
# A base-scope search on the dn is issued; any non-zero LDAP result
# code (no such object, insufficient access, ...) counts as invalid.
#
sub is_valid_dn
{
	my ( $self, $dn ) = @_;
	return 0 unless $dn;

	my $result = $self->search({ base => $dn });
	return 0 if $result->{'code'};
	return 1;
}

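# perform an ldap search
# return an hashref containing return code and
# arrayref of Net::LDAP::Entry objects
#
# $opts (hashref, every key optional):
#   base   - search base, defaults to the current base()
#   filter - LDAP filter string, defaults to '(objectClass=*)'
#   scope  - 'base' (default), 'one' or 'sub'
#   attrs  - arrayref of attributes to request, defaults to ['*']
#   vals   - true to fetch values; otherwise a types-only search
#
# Returns { code => LDAP result code, message => error text,
#           entries => [ Net::LDAP::Entry, ... ] }.
# For a base-scope search 'entries' holds at most the first entry.
#
sub search
{
	my $self = shift;
	my $opts = shift || {};

	# (the first of these used to end in a comma, not a semicolon)
	$opts->{'base'}   ||= $self->base();
	$opts->{'filter'} ||= '(objectClass=*)';
	$opts->{'scope'}  ||= 'base';

	my $s = $self->ldap->search(
		base      => $opts->{'base'},
		filter    => $opts->{'filter'},
		scope     => $opts->{'scope'},
		timelimit => $conf->{'timeout'},
		typesonly => ! $opts->{'vals'},
		attrs     => $opts->{'attrs'} || ['*']
	);

	my $rv = {
		code    => $s->code(),
		message => $s->error(),
		entries => []
	};

	# since search is used just about everywhere, this seems like
	# a pretty good place to check for connection errors.
	#
	# check for a lost connection, kill cached object so we
	# try to reconnect on the next search.
	#
	# 81 is LDAP_SERVER_DOWN. The reconnect goes back through ldap(),
	# i.e. it re-binds with the cached credentials and re-runs StartTLS
	# when configured.
	$self->{'ldap'} = undef if $s->code() == 81;

	# a base-scope lookup yields at most one entry; never hand callers
	# an undef placeholder when nothing came back
	if ( $opts->{'scope'} eq 'base' ) {
		my $first = $s->shift_entry();
		$rv->{'entries'} = defined $first ? [ $first ] : [];
	}
	else {
		$rv->{'entries'} = [ $s->entries() ];
	}

	return $rv;
}
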
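# update the autocomplete for entries
# in the current base tree, respecting or creating cache.
#
# %opts: search     => a search() result to use instead of issuing a
#                      one-level search of the current base
#        clearcache => discard any cached listing for this base first
#
# Fills $self->{'cwd_entries'} with the RDNs of the children of the
# current base, served from $self->{'cache'}{<lower-cased base>} while
# that is younger than $conf->{'cacheage'} seconds. A cacheage of 0 (or
# unset) disables caching, as the documentation promises.
#
sub update_entries
{
	my $self = shift;
	my %opts = @_;
	my $base = lc( $self->base() );

	my $s = $opts{'search'} || $self->search({ scope => 'one' });

	$self->{'cwd_entries'} = [];
	return if $s->{'code'};

	# setup cache object (keyed by the lower-cased base, since DNs
	# compare case-insensitively)
	$self->{'cache'} ||= {};
	$self->{'cache'}->{ $base } ||= {};
	$self->{'cache'}->{ $base } = {} if $opts{'clearcache'};
	my $cache = $self->{'cache'}->{ $base };

	my $maxage = $conf->{'cacheage'} || 0;
	my $now = time();
	if ( ! exists $cache->{'entries'}
		or ! $maxage
		or $now - $cache->{'timestamp'} > $maxage )
	{
		$self->debug("Caching entries for $base\n");
		foreach my $e ( @{ $s->{'entries'} } ) {
			next unless $e;
			my $rdn = $e->dn();
			# remove base from display. The base is data, not a pattern:
			# quote it, and strip it only from the end of the dn.
			$rdn =~ s/,\Q$base\E$//i;
			push @{ $self->{'cwd_entries'} }, $rdn;
		}
		$cache->{'timestamp'} = $now;
		$cache->{'entries'} = $self->{'cwd_entries'};
	}
	else {
		$self->debug("Using cached lookups for $base\n");
	}

	$self->{'cwd_entries'} = $cache->{'entries'};
	return;
}
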
# parse parent ('..') cn requests
#
# Takes a string reference holding something like '..' or '../..' and
# replaces it with the current base minus one leading RDN per '..'.
# Only the number of '..' tokens matters; anything else in the string
# is discarded (so 'cd ../ou=x' does not work -- see the FIXME).
#
sub parent_dn
{
	my ( $self, $rdn ) = @_;
	return unless $rdn;
	return unless ref $rdn;

	# FIXME: 'cd ../ou=somewhere' should work
	my $levels = () = $$rdn =~ /\.\./g;

	my $dn = $self->base();
	for ( 1 .. $levels ) {
		$dn =~ s/^.*?,//;
	}

	$$rdn = $dn;
}

# given an array ref of shell-like globs,
# make and return an LDAP filter object.
#
# Each glob becomes one "(glob)" term; several terms are OR'ed together.
# Returns the Net::LDAP::Filter, or nothing (after printing an error)
# when the result does not parse as a filter. Also returns nothing for
# a missing, non-array or empty argument.
#
sub make_filter
{
	my ( $self, $globs ) = @_;

	return unless $globs;
	return unless ref $globs eq 'ARRAY';
	return unless @$globs;

	my @terms = map { "($_)" } @$globs;
	my $text = @terms > 1
		? '(|' . join( '', @terms ) . ')'
		: $terms[0];

	my $filter = Net::LDAP::Filter->new( $text );
	unless ( $filter ) {
		print "Error parsing filter.\n";
		return;
	}

	$self->debug( 'Filter parsed as: ' . $filter->as_string() . "\n" );
	return $filter;
}

# little. yellow. different. better.
#
# Print a message in yellow (ANSI SGR 33), but only when debug mode is
# on. Takes a single string.
#
sub debug
{
	my ( $self, $msg ) = @_;
	return unless $conf->{'debug'};

	print "\e[33m", $msg, "\e[0m";
	return;
}

# setup command autocompletes for
# all commands that have the same possible values
#
# Completion callback shared by every command that takes an entry in
# the current base: returns the cached child RDNs, sorted. The partial
# word passed in by Term::Shell is ignored (readline does the prefix
# matching itself).
#
sub autocomplete_cwd
{
	my ( $self ) = @_;

	my @candidates = @{ $self->{'cwd_entries'} };
	return sort @candidates;
}

# completion for 'setenv' (and its 'export' alias): the names of the
# runtime variables that may be changed, as listed in init().
#
sub comp_setenv
{
	my ( $self ) = @_;
	my @names = @{ $self->{'env'} };
	return @names;
}

# completion for 'create' (and 'touch'): every objectClass name the
# server's schema knows, sorted. Computed once and memoised in
# $self->{'objectclasses'}.
#
sub comp_create
{
	my ( $self ) = @_;

	unless ( $self->{'objectclasses'} ) {
		my @names = sort map { $_->{'name'} } $self->{'schema'}->all_objectclasses();
		$self->{'objectclasses'} = \@names;
	}

	return @{ $self->{'objectclasses'} };
}

{
	no warnings;
	no strict 'refs';

	# command, alias
	#
	# Every command listed here takes an entry in the current base as
	# its argument, so they all share the autocomplete_cwd completer.
	# The alias (hash value) gets a run_* sub pointing at the command's
	# run_* sub. Entries with an undef alias (cd, passwd) only get the
	# completer.
	my %cmd_map = (
		whoami => 'id',
		list => 'ls',
		grep => 'search',
		edit => 'vi',
		delete => 'rm',
		copy => 'cp',
		cat => 'read',
		move => 'mv',
		cd => undef,
		passwd => undef
	);

	# setup autocompletes
	#
	# Iterating the hash in list context visits keys AND values, so the
	# aliases (ls, rm, cp, ...) get a comp_* glob too; the undef values
	# are skipped by the 'next'.
	foreach ( %cmd_map ) {
		next unless $_;
		my $sub = "comp_$_";
		*$sub = \&autocomplete_cwd;
	}
	# these two complete something other than entries, so they are
	# aliased by hand rather than through %cmd_map
	*comp_touch = \&comp_create;
	*comp_export = \&comp_setenv;

	# setup alias subs
	#
	# Term::Shell has an alias_* feature, but
	# it seems to work about 90% of the time.
	# that last 10% is something of a mystery.
	#
	# 'create' is added only now, after the completer loop, presumably
	# because the loop would otherwise assign *comp_create and clobber
	# the real comp_create sub above.
	$cmd_map{'create'} = 'touch';
	foreach my $cmd ( keys %cmd_map ) {
		next unless defined $cmd_map{$cmd};
		my $alias_sub = 'run_' . $cmd_map{$cmd};
		my $real_sub = 'run_' . $cmd;
		*$alias_sub = \&$real_sub;
	}
}

###############################################################
#
# SHELL METHODS
#
###############################################################

# don't die on a newline
#
# Term::Shell dispatches an empty command line to run_ (the empty
# command name); do nothing and return nothing.
#
sub run_
{
	return;
}

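# print shell debug actions
#
# Term::Shell hook run before every command. Persists the readline
# history (best effort) and, in debug mode, echoes the command, its
# arguments and the handler about to be called. $handler, $cmd and
# $args are references, as handed over by Term::Shell.
#
sub precmd
{
	my $self = shift;
	my ( $handler, $cmd, $args ) = @_;

	# skip when HOME is unset rather than writing "/.shelldap_history"
	if ( defined $ENV{'HOME'} && length $ENV{'HOME'} ) {
		my $term = $self->term();
		eval { $term->WriteHistory("$ENV{'HOME'}/.shelldap_history"); };
	}

	return unless $conf->{'debug'};
	$self->debug( "$$cmd (" . ( join ' ', @$args ) . "), calling '$$handler'\n" );
	return;
}
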
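# Display an LDIF dump of one or more entries ('cat' / 'read').
#
# The first argument is a dn, an rdn relative to the current base, '.'
# for the current base itself, or a glob: '*' lists every child, while
# something like 'uid=m*' is handed to the server as a filter over the
# children. Any further arguments name the attributes to fetch ('+' for
# operational ones); the default is every user attribute.
#
sub run_cat
{
	my $self = shift;
	my $dn = shift;
	my $attrs = \@_;
	$attrs->[0] = '*' unless scalar @$attrs;

	unless ( $dn ) {
		print "No dn provided.\n";
		return;
	}

	# support '.'
	$dn = $self->base() if $dn eq '.';

	# support globbing
	my $s;
	if ( $dn eq '*' ) {
		$s = $self->search({
			scope => 'one',
			vals  => 1,
			attrs => $attrs
		});
	}
	elsif ( $dn =~ /\*/ ) {
		# the glob is passed verbatim as an LDAP filter; one that does
		# not parse comes back as an error result below
		$s = $self->search({
			scope  => 'one',
			vals   => 1,
			filter => $dn,
			attrs  => $attrs
		});
	}
	else {
		$self->rdn_to_dn( \$dn );
		$s = $self->search({
			base  => $dn,
			vals  => 1,
			attrs => $attrs
		});
	}

	if ( $s->{'code'} ) {
		print $s->{'message'} . "\n";
		return;
	}

	foreach my $e ( @{ $s->{'entries'} } ) {
		# a base-scope lookup that found nothing may leave an undef
		# placeholder in the list; don't call write_entry on it
		next unless $e;
		$self->ldif->write_entry( $e );
		print "\n";
	}
	return;
}
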
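# Change the current search base ('cd').
#   cd            -> the configured base dn
#   cd ~          -> same (as documented; previously this fell through
#                    to rdn_to_dn and failed with "No such object")
#   cd -          -> the previous base (no-op if there is none)
#   cd ..[/..]    -> up one level per '..' (see parent_dn)
#   cd <rdn|dn>   -> that entry, made absolute by rdn_to_dn()
# The target must exist (checked with a base-scope search). On success
# the autocomplete listing and the prompt are refreshed.
#
sub run_cd
{
	my $self = shift;
	my $newbase = join ' ', @_;

	# support 'cd' and 'cd ~' going to root
	$newbase = '' if $newbase eq '~';
	$newbase ||= $conf->{'basedn'};

	# support 'cd -'
	if ( $newbase eq '-' ) {
		$newbase = $self->{'previous_base'} || return;
	}

	# support '..'
	if ( $newbase =~ /\.\./ ) {
		$self->parent_dn( \$newbase );
	}
	else {
		$self->rdn_to_dn( \$newbase );
	}

	unless ( $self->is_valid_dn( $newbase ) ) {
		print "No such object\n";
		return;
	}

	# store old base
	$self->{'previous_base'} = $self->base();

	# update new base
	$self->base( $newbase );

	# get new 'cwd' listing
	my $s = $self->search({ scope => 'one' });
	if ( $s->{'code'} ) {
		print "$s->{'message'}\n";
		return;
	}
	$self->update_entries( search => $s );

	# reflect cwd change in prompt
	$self->update_prompt();
	return;
}
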
# Clear the screen by running the system 'clear' command. Its exit
# status is ignored.
#
sub run_clear
{
	my ( $self ) = @_;
	system( 'clear' );
	return;
}

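# Copy an entry ('copy' / 'cp').
#   copy <source> <dest>
# <source> is a dn or an rdn relative to the current base. <dest> is
# either a bare rdn (the copy is created under the current base) or
# "rdn,parent-dn" (the copy is created under parent-dn, which must
# exist). Every user attribute the server returns for the source is
# copied into a NEW entry -- an LDAP add, not a moddn -- and the
# attribute named in the destination rdn is overwritten with the rdn's
# value. This includes attributes such as userPassword when readable,
# so the copy inherits the source's credentials.
#
sub run_copy
{
	my $self = shift;
	my ( $s_dn, $d_dn ) = @_;

	unless ( $s_dn ) {
		print "No source dn provided.\n";
		return;
	}
	unless ( $d_dn ) {
		print "No destination dn provided.\n";
		return;
	}

	$self->rdn_to_dn( \$s_dn );
	my $s = $self->search({ base => $s_dn, vals => 1 });
	unless ( $s->{'code'} == 0 ) {
		print "No such object\n";
		return;
	}

	# see if we're copying the entry to a totally new path.
	# Split on the first comma only: rdn values may contain spaces,
	# hyphens and the like, which the old [\w=]+ pattern refused (while
	# the rdn parser further down accepted them).
	my ( $new_dn, $old_dn );
	( $d_dn, $new_dn ) = ( $1, $2 ) if $d_dn =~ /^([^,]+),(.*)$/;
	if ( $new_dn ) {
		unless ( $self->is_valid_dn( $new_dn ) ) {
			print "Invalid destination.\n";
			return;
		}
	}
	else {
		$new_dn = $self->base();
	}
	$old_dn = $1 if $s_dn =~ /^[^,]+,(.*)$/;

	# get the source object
	my $e = ${ $s->{'entries'} }[0];
	unless ( $e ) {
		print "No such object\n";
		return;
	}

	# add changes in new entry instead of modifying existing
	$e->changetype('add');
	$e->dn( "$d_dn,$new_dn" );

	# get the unique attribute from the dn for modification
	# perhaps there is a better way to do this...?
	#
	my ( $uniqkey, $uniqval );
	( $uniqkey, $uniqval ) = ( $1, $2 )
		if $d_dn =~ /^([\.\w]+)(?:\s+)?=(?:\s+)?([\.\-\s\w]+),?/;
	unless ( $uniqkey && $uniqval ) {
		print "Unable to parse unique values from rdn.\n";
		return;
	}
	$e->replace( $uniqkey => $uniqval );

	# update
	my $rv = $e->update( $self->ldap() );
	print $rv->error , "\n";

	# clear caches (update_entries() keys them by the lower-cased base,
	# so clearing by the raw dn could miss the entry)
	$self->{'cache'}->{ lc $new_dn } = {} if $new_dn;
	$self->{'cache'}->{ lc $old_dn } = {} if $old_dn;
	$self->update_entries( clearcache => 1 );
	return;
}
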
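sub run_create
{
    # Create a new entry from a skeleton that is edited interactively.
    #
    # Arguments: the objectClass names for the new entry.  The skeleton
    # handed to $self->{'editor'} has a 'dn: ???,<base>' placeholder,
    # one objectClass line per class, then every MUST attribute as an
    # empty 'attr: ' line and every MAY attribute as a commented
    # '# attr: ' line, both read from $self->{'schema'}.  If the file
    # changed, it is parsed as LDIF and added to the directory.
    #
    # Returns nothing; the server's status message is printed.
    my $self = shift;
    my @ocs  = @_;

    unless ( scalar @ocs ) {
        print "No objectClass specified.\n";
        return;
    }

    # File::Temp creates the file owner-readable only, so the entry
    # being composed is not visible to other users while it sits in /tmp.
    my ( $fh, $fname ) =
        File::Temp::tempfile( 'shelldap_XXXXXXXX', DIR => '/tmp', UNLINK => 1 );

    # first print out the dn and object classes.
    print $fh 'dn: ???,', $self->base(), "\n";
    foreach my $oc ( sort @ocs ) {
        print $fh "objectClass: $oc\n";
    }

    # now gather attributes for requested objectClasses.  %seen makes
    # sure an attribute shared by several classes is listed once, and
    # that a MUST attribute is never repeated as a MAY.
    my ( %seen, @must_attr, @may_attr );
    foreach my $oc ( sort @ocs ) {
        _collect_attr_names( \@must_attr, \%seen, $self->{'schema'}->must( $oc ) );
        _collect_attr_names( \@may_attr,  \%seen, $self->{'schema'}->may( $oc ) );
    }

    # print attributes.  A failed write must not be silent, or an
    # incomplete skeleton would be handed to the editor.
    print $fh "$_: \n" foreach @must_attr;
    print $fh "# $_: \n" foreach @may_attr;
    close $fh or die "Unable to write $fname: $!\n";

    # list-form system(): editor and file name never pass through a shell
    my $hash_a = $self->chksum( $fname );
    system( $self->{'editor'}, $fname ) && die "Unable to launch editor: $!\n";

    # hash compare
    my $hash_b = $self->chksum( $fname );
    if ( $hash_a eq $hash_b ) {
        print "Entry not modified.\n";
        unlink $fname;
        return;
    }

    # load in LDIF
    my $ldif = Net::LDAP::LDIF->new( $fname, 'r', onerror => 'warn' );
    my $e    = $ldif->read_entry();
    unless ( $e ) {
        print "Unable to parse LDIF.\n";
        unlink $fname;
        return;
    }
    $e->changetype('add');
    my $rv = $e->update( $self->ldap() );
    print $rv->error(), "\n";

    $self->update_entries( clearcache => 1 ) unless $rv->code();

    unlink $fname;
    return;
}

# Append the names of the schema attribute hashes in @attrs to @$target,
# sorted by name, skipping objectClass and anything already in %$seen.
sub _collect_attr_names
{
    my ( $target, $seen, @attrs ) = @_;
    foreach my $attr ( sort { $a->{'name'} cmp $b->{'name'} } @attrs ) {
        my $name = $attr->{'name'};
        next if $name =~ /^objectclass$/i;
        next if $seen->{ $name };
        push @$target, $name;
        $seen->{ $name }++;
    }
    return;
}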
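sub run_delete
{
    # Delete entries one level below the current base (the shell's 'rm').
    #
    # Arguments: either '*' (every child of the base) or filter words
    # that make_filter() turns into an LDAP filter.  The matching dns
    # are listed and a y/N confirmation is required before any delete
    # is sent to the server.
    #
    # Returns nothing; prints one status line per dn.
    my $self = shift;
    my @DNs  = @_;

    unless ( scalar @DNs ) {
        print "No dn specified.\n";
        return;
    }

    # '*' leaves the filter undef, which is how run_list calls search()
    # when no filter words were given
    my $filter;
    unless ( $DNs[0] eq '*' ) {
        $filter = $self->make_filter( \@DNs ) or return;
    }

    my $s = $self->search({ scope => 'one', filter => $filter });
    if ( $s->{'code'} ) {
        print "$s->{'message'}\n";
        return;
    }

    my @entries = @{ $s->{'entries'} || [] };
    unless ( scalar @entries ) {
        print "No matching objects.\n";
        return;
    }

    # show exactly what is about to go, then confirm.  EOF on stdin
    # (e.g. ^D) counts as "no" instead of warning on an undef answer.
    print "Deleting:\n";
    print "  ", $_->dn(), "\n" foreach @entries;
    print "Are you sure? [N/y]: ";
    my $resp = <STDIN>;
    return unless defined $resp;
    chomp $resp;
    return unless $resp =~ /^y/i;

    foreach my $e ( @entries ) {
        my $dn = $e->dn();
        my $rv = $self->ldap->delete( $dn );
        print "$dn: ", $rv->error(), "\n";
    }

    $self->update_entries( clearcache => 1 );
    return;
}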
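sub run_edit
{
    # Edit an existing entry in $self->{'editor'} and push the changes
    # back to the server as an LDAP modify.
    #
    # Arguments: the dn (or an rdn relative to the current base; '.'
    # for the base itself), possibly split across several words.
    #
    # The entry is written as LDIF to $self->{'ldif_fname'}, the file is
    # checksummed before and after the editor runs, and a line diff of
    # the two LDIF texts is turned into delete/add/replace operations on
    # the entry.  Comment lines, continuation lines and base64 (':: ')
    # values are ignored by the diff.
    #
    # Returns nothing; the server's status message is printed.
    my $self = shift;
    my $dn   = join ' ', @_;

    unless ( $dn ) {
        print "No dn provided.\n";
        return;
    }

    # support '.'
    $dn = $self->base() if $dn eq '.';

    $self->rdn_to_dn( \$dn );
    my $s = $self->search({ base => $dn, vals => 1 });

    if ( $s->{'code'} ) {
        print $s->{'message'} . "\n";
        return;
    }

    # fetch entry and write it out to disk
    my $e    = ${ $s->{'entries'} }[0];
    my $ldif = $self->ldif(1);
    $ldif->write_entry( $e );
    $ldif->done(); # force sync

    my $fname = $self->{'ldif_fname'};

    # load it into an array for potential comparison
    my $orig_ldif = _read_lines( $fname ) or return;

    # checksum it, then open it in an editor.  List-form system(), as in
    # run_create: neither the editor name nor the file name is parsed by
    # a shell.
    my $hash_a = $self->chksum( $fname );
    system( $self->{'editor'}, $fname ) && die "Unable to launch editor: $!\n";

    # detect a total lack of change
    my $hash_b = $self->chksum( $fname );
    if ( $hash_a eq $hash_b ) {
        print "Entry not modified.\n";
        unlink $fname;
        return;
    }

    # check changes for basic LDIF validity
    my $new_e = $self->load_ldif( $fname );
    unless ( $new_e ) {
        print "Unable to parse LDIF.\n";
        unlink $fname;
        return;
    }

    # load changes into a new array for comparison
    my $new_ldif = _read_lines( $fname ) or return;

    $e->changetype('modify');

    # Split one LDIF line into ( attr, value ).  Returns the empty list
    # for every line the diff must ignore, so callers can write
    # `my ( $attr, $val ) = $parse->( $_ ) or next;`.  A line without an
    # "attr: value" shape is ignored too, instead of yielding an undef
    # attribute name that would reach the server.
    my $parse = sub {
        my $line = shift || $_;
        return unless $line =~ /^\w/;             # ignore multiline
        return if $line =~ /^\#/;                 # ignore comments
        return unless $line =~ /^(.+?): (.*)$/;   # not an "attr: value" line
        my ( $attr, $val ) = ( $1, $2 );
        return if index($attr, ':') != -1;        # ignore base64
        return ( $attr, $val );
    };

    my $diff = Algorithm::Diff->new( $orig_ldif, $new_ldif );
    HUNK:
    while ( $diff->Next() ) {
        next if $diff->Same();
        my $diff_bit = $diff->Diff();
        my %seen_attr;

        # total deletions
        if ( $diff_bit == 1 ) {
            foreach ( $diff->Items(1) ) {
                next unless /\w+/;
                $self->debug("DELETE: $_");
                my ( $attr, $val ) = $parse->( $_ ) or next;
                $e->delete( $attr => [ $val ] );
            }
        }

        # new insertions
        if ( $diff_bit == 2 ) {
            foreach ( $diff->Items(2) ) {
                next unless /\w+/;
                $self->debug("INSERT: $_");
                my ( $attr, $val ) = $parse->( $_ ) or next;
                $e->add( $attr => $val );
            }
        }

        # replacements
        # these are trickier with multivalue lines
        if ( $diff_bit == 3 ) {
            foreach ( $diff->Items(2) ) {
                next unless /\w+/;
                $self->debug("MODIFY: $_");
                my ( $attr, $val ) = $parse->( $_ ) or next;

                my $cur_vals     = $e->get_value( $attr, asref => 1 ) || [];
                my $cur_valcount = scalar @$cur_vals;
                next if $cur_valcount == 0; # should have been an 'add'

                # replace immediately
                #
                if ( $cur_valcount == 1 ) {
                    $e->replace( $attr => $val );
                }
                else {

                    # make sure the replace doesn't squash
                    # other attributes listed with the same name
                    #
                    next if $seen_attr{ $attr };
                    my @new_vals;
                    foreach my $line ( @$new_ldif ) {
                        my ( $new_attr, $new_val ) = $parse->( $line ) or next;
                        next unless $new_attr eq $attr;
                        $seen_attr{ $attr }++;
                        push @new_vals, $new_val;
                    }
                    $e->replace( $attr => \@new_vals );
                }
            }
        }

    }

    unlink $fname;
    my $rv = $e->update( $self->ldap );
    print $rv->error(), "\n";

    return;
}

# Read a whole file into an arrayref of lines (newlines kept).  Returns
# undef when the file cannot be opened.  Three-arg open with a lexical
# handle, so the path is never interpreted for mode characters.
sub _read_lines
{
    my $fname = shift;
    open my $fh, '<', $fname or return;
    my @lines = <$fh>;
    close $fh;
    return \@lines;
}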
sub run_env
{
    # Print every key listed in $self->{'env'} with its current value
    # from the global config; a missing or false value prints as 0.
    my $self = shift;
    my @keys = sort @{ $self->{'env'} };
    foreach my $key ( @keys ) {
        my $shown = $conf->{$key} ? $conf->{$key} : 0;
        print "$key: $shown\n";
    }
}
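sub run_grep
{
    # Search below a base and print the dn of every match.
    #
    # Arguments: [ -r | recurse ] FILTER [ BASE ].  With the recurse
    # flag the search scope is 'sub', otherwise 'one'.  BASE defaults
    # to the current base ('*' is an alias for it) and may be an rdn
    # relative to it.
    #
    # Returns nothing.
    my $self = shift;
    my ( $recurse, $filter, $base ) = @_;

    # set 'recursion'.  The flag has to be the whole first word: an
    # unanchored match would take a filter such as "(cn=a-r)" for the
    # flag and then search with the arguments shifted the wrong way.
    unless ( $recurse && $recurse =~ /\A(?:-r|-{0,2}recurse)\z/ ) {
        # shift args to the left
        ( $recurse, $filter, $base ) = ( undef, $recurse, $filter );
    }

    unless ( defined $filter && length $filter ) {
        print "No search filter specified.\n";
        return;
    }
    $filter = Net::LDAP::Filter->new( $filter );
    unless ( $filter ) {
        print "Invalid search filter.\n";
        return;
    }

    # support '*'
    $base = $self->base() if ! $base or $base eq '*';

    unless ( $base ) {
        print "No search base specified.\n";
        return;
    }
    $self->rdn_to_dn( \$base );

    $self->debug("Filter parsed as: " . $filter->as_string() . "\n");

    my $s = $self->search(
        {
            scope  => $recurse ? 'sub' : 'one',
            base   => $base,
            filter => $filter
        }
    );
    # report a failed search instead of dereferencing a missing entry list
    if ( $s->{'code'} ) {
        print "$s->{'message'}\n";
        return;
    }

    foreach my $e ( @{ $s->{'entries'} } ) {
        my $dn = $e->dn();
        print "$dn\n";
    }

    return;
}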
# override internal help functions
|
|
1327 |
# with pod2usage
|
|
1328 |
#
|
|
1329 |
sub run_help
{
    # Route the shell's built-in help to this script's own POD:
    # print only the SHELL COMMANDS section and come back to the
    # prompt instead of exiting.
    my %usage_opts = (
        -exitval  => 'NOEXIT',
        -verbose  => 99,
        -sections => 'SHELL COMMANDS',
    );
    return Pod::Usage::pod2usage( %usage_opts );
}
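sub run_list
{
    # List entries below the current base (the shell's 'ls').
    #
    # Arguments: an optional flag word first ('-l' long listing, '-R'
    # recursive, combinable as '-lR'; 'verbose' is the long form of
    # -l), then filter words for make_filter().
    #
    # Short form prints one rdn per line.  Long form prints the full dn
    # followed by the first line of its description or, when there is
    # no description, the attribute that %descs maps from one of the
    # entry's objectClasses, and ends with an object count.
    #
    # Returns nothing.
    my $self    = shift;
    my @filters = @_;
    my $base    = $self->base();

    # setup filters
    my ( $flags, $filter );
    if ( scalar @filters ) {
        # support '-l' or '-R' listings.  The flag must be the whole
        # word, so a filter that merely contains "-l" is not eaten.
        if ( $filters[0] =~ /\A(?:-[lR]+|-{0,2}verbose)\z/ ) {
            $flags = shift @filters;
        }

        $filter = $self->make_filter( \@filters );
    }

    # flag booleans ('verbose' contains no 'l', so it needs its own
    # alternative to actually switch the long listing on)
    my ( $recurse, $long );
    if ( $flags ) {
        $recurse = $flags =~ /R/;
        $long    = $flags =~ /l|verbose/;
    }

    my $s = $self->search({ scope => $recurse ? 'sub' : 'one',
                            vals => $long, filter => $filter });
    if ( $s->{'code'} ) {
        print "$s->{'message'}\n";
        return;
    }

    # if an entry doesn't have a description field,
    # try and show some nice defaults for ls -l !
    #
    # objectClass -> Attribute to show
    #
    my %descs = %{
        $conf->{'descmaps'}
        || {
            posixAccount => 'gecos',
            posixGroup   => 'gidNumber',
            ipHost       => 'ipHostNumber',
        }
    };

    # iterate and print.  $dn lives outside the loop because the
    # continue block prints whatever the body left in it.
    my $dn_count = 0;
    my $dn;
    foreach my $e ( sort { $a->dn() cmp $b->dn() } @{ $s->{'entries'} } ) {
        $dn = $e->dn();
        my $rdn = $dn;
        # strip the base to leave the rdn; \Q..\E because a dn can hold
        # regex metacharacters (e.g. the '.' in dc=example.com)
        $rdn =~ s/,\Q$base\E//i;

        unless ( $long ) {
            $dn = $rdn;
            next;
        }

        # show descriptions
        my $desc = $e->get_value('description');
        if ( $desc ) {
            $desc =~ s/\n.*//s; # 1st line only
            $dn .= " ($desc)";
        }

        # no desc? Try and infer something useful
        # to display.
        else {

            # pull objectClasses, hash for lookup speed
            my @oc     = @{ $e->get_value( 'objectClass', asref => 1 ) || [] };
            my %ochash = map { $_ => 1 } @oc;

            # every mapped objectClass the entry has contributes its value
            foreach my $d_listing ( sort keys %descs ) {
                next unless exists $ochash{ $d_listing };
                my $str = $e->get_value( $descs{ $d_listing }, asref => 1 );
                $dn .= ' (' . (join ', ', @$str) . ')' if $str && scalar @$str;
            }
        }
    }
    continue {
        print "$dn\n";
        $dn_count++;
    }

    print "\n$dn_count " .
        ( $dn_count == 1 ? 'object.' : 'objects.') .
        "\n" if $long;
    return;
}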
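sub run_mkdir
{
    # Create an organizationalUnit below the current base.
    #
    # Arguments: the ou name, possibly split across several words; an
    # 'ou=' prefix is added when missing, and rdn_to_dn() turns the
    # result into a full dn.
    #
    # Returns nothing; the server's status message is printed.
    my $self = shift;
    my $dir  = join ' ', @_;

    unless ( $dir ) {
        print "No 'directory' provided.\n";
        return;
    }

    # normalize ou name, then pull uniq val back out.
    $dir = "ou=$dir" unless $dir =~ /^ou=/i;
    $self->rdn_to_dn( \$dir );

    # refuse to send an entry whose ou value could not be recovered
    # from the rdn (the attribute would otherwise be sent as undef)
    my ( $ou ) = $dir =~ /^[\.\w]+(?:\s+)?=(?:\s+)?([\.\-\s\w]+),?/;
    unless ( defined $ou && length $ou ) {
        print "Unable to parse unique values from rdn.\n";
        return;
    }

    # add
    my $r = $self->ldap()->add( $dir, attr => [
        objectClass => [ 'top', 'organizationalUnit' ],
        ou          => $ou,
    ]);

    print $r->error(), "\n";
    $self->update_entries( clearcache => 1 );
    return;
}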
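sub run_move
{
    # Move or rename an entry (the shell's 'mv').
    #
    # Arguments: the source dn (or rdn relative to the base) and the
    # destination.  A destination of the form 'rdn,parent' moves the
    # entry under 'parent'; a bare rdn renames it in place.  The old rdn
    # attribute value is dropped (deleteoldrdn => 1).
    #
    # Returns nothing; the server's status message is printed.
    my $self = shift;
    my ( $s_dn, $d_dn ) = @_;

    unless ( $s_dn ) {
        print "No source dn provided.\n";
        return;
    }
    unless ( $d_dn ) {
        print "No destination dn provided.\n";
        return;
    }

    $self->rdn_to_dn( \$s_dn );
    unless ( $self->is_valid_dn( $s_dn ) ) {
        print "No such object\n";
        return;
    }

    # see if we're moving the entry to a totally new path
    my $new_dn;
    ( $d_dn, $new_dn ) = ( $1, $2 ) if $d_dn =~ /^([\w=]+),(.*)$/;

    # check the new parent the same way the copy command does, rather
    # than leaving it to the server's moddn error
    if ( $new_dn && ! $self->is_valid_dn( $new_dn ) ) {
        print "Invalid destination.\n";
        return;
    }
    my ( $old_dn ) = $s_dn =~ /^[\w=]+,(.*)$/;

    my $rv = $self->ldap()->moddn(
        $s_dn,
        newrdn       => $d_dn,
        deleteoldrdn => 1,
        newsuperior  => $new_dn
    );
    print $rv->error(), "\n";

    # clear caches for both the old and the new parent
    $self->{'cache'}->{ $new_dn } = {} if $new_dn;
    $self->{'cache'}->{ $old_dn } = {} if $old_dn;
    $self->update_entries( clearcache => 1 );
    return;
}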
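sub run_passwd
{
    # Change the userPassword of an entry via the Password Modify
    # extended operation (RFC 3062).
    #
    # Arguments: the dn (or rdn relative to the base); defaults to the
    # current base, '.' also means the base.  The new password is read
    # twice with terminal echo off.
    #
    # The password is sent inside the extended operation; its
    # confidentiality on the wire relies on the connection being
    # protected (presumably the 'tls' option -- confirm against the
    # connection setup).
    #
    # Returns nothing; a status line is printed.
    my $self = shift;
    my $dn   = shift || $self->base();

    $self->{'root_dse'} ||= $self->ldap->root_dse();

    # OID of the RFC 3062 password modify extended operation
    my $pw_extension = '1.3.6.1.4.1.4203.1.11.1';
    unless ( $self->{'root_dse'}->supported_extension( $pw_extension ) ) {
        print "Sorry, password changes not supported by LDAP server.\n";
        return;
    }

    # support '.'
    $dn = $self->base() if $dn eq '.';

    $self->rdn_to_dn( \$dn );
    my $s = $self->search( { base => $dn, scope => 'base' } );
    if ( $s->{'code'} ) {
        print $s->{'message'}, "\n";
        return;
    }
    my $e = ${ $s->{'entries'} }[0];

    unless ( $e->exists('userPassword') ) {
        print "No userPassword attribute for $dn\n";
        return;
    }

    print "Changing password for $dn\n";
    Term::ReadKey::ReadMode( 2 );    # no echo while the password is typed
    print "Enter new password: ";
    my $pw = <STDIN>;
    print "\nRetype new password: ";
    my $pw2 = <STDIN>;
    print "\n";
    Term::ReadKey::ReadMode( 0 );    # restore echo before any early return

    # EOF on stdin (^D) aborts instead of comparing undefs
    unless ( defined $pw && defined $pw2 ) {
        print "Password change aborted.\n";
        return;
    }
    chomp( $pw, $pw2 );

    if ( $pw ne $pw2 ) {
        print "Sorry, passwords do not match.\n";
        return;
    }
    unless ( length $pw ) {
        print "Sorry, an empty password is not allowed.\n";
        return;
    }

    my $rv = $self->ldap->set_password(
        user      => $dn,
        newpasswd => $pw
    );

    if ( $rv->code() == 0 ) {
        print "Password updated successfully.\n";
    } else {
        print "Password error: " . $rv->error() . "\n";
    }

    return;
}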
sub run_pwd
{
    # Print the current base dn, like a shell's pwd.
    my $self = shift;
    my $here = $self->base();
    print "$here\n";
    return;
}
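sub run_setenv
{
    # Set a config key for this session: `setenv KEY VALUE` or
    # `setenv KEY=VALUE`.  Keys are lower-cased; nothing happens when
    # the key or the value is missing.
    #
    # Returns nothing.
    my $self = shift;
    my ( $key, $val ) = @_;

    # "KEY=VALUE" form: split on the first '=' only, so a value that
    # itself contains '=' (a dn, a filter) is stored whole instead of
    # being cut at its first '='
    ( $key, $val ) = split /=/, $key, 2 if $key && ! defined $val;
    return unless $key && defined $val;
    $key = lc $key;

    $conf->{$key} = $val;
    return;
}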
sub run_whoami
{
    # Show the dn this session is bound as, or note that the bind was
    # anonymous.
    my $self     = shift;
    my $identity = $conf->{'binddn'} || 'anonymous bind';
    print $identity, "\n";
    return;
}
###############################################################
|
|
1588 |
#
|
|
1589 |
# MAIN
|
|
1590 |
#
|
|
1591 |
###############################################################
|
|
1592 |
|
|
1593 |
package main;
use strict;
use warnings;

# Process name as shown by ps and used in the usage banner below.
$0 = 'shelldap';
my $VERSION = '0.1';

use Getopt::Long;
use YAML::Syck;
use Pod::Usage;
# Optional module: the string eval is on a constant, never on input.
# A missing Term::ReadLine::Gnu is only warned about so the shell
# still starts.
eval 'use Term::ReadLine::Gnu';
warn qq{Term::ReadLine::Gnu not installed.
Continuing, but shelldap is of limited usefulness without it.\n\n} if $@;

# get config - rc file first, command line overrides.  GetOptions
# stores into the same $conf hash load_config() filled, so a flag
# given on the command line replaces the rc-file value for that key.
use vars '$conf';
$conf = load_config() || {};
Getopt::Long::GetOptions(
    $conf,
    'server=s',
    'binddn=s',
    'basedn=s',
    'cacheage=i',
    'timeout=i',
    'tls', 'debug',
    help => sub {
        # unlike run_help, no -exitval => 'NOEXIT': this exits after
        # printing the command line flags
        Pod::Usage::pod2usage(
            -verbose => 1,
            -message => "\n$0 command line flags\n" . '-' x 65
        );
    }
);

# defaults
# NOTE(review): confpath is set to the per-user path even when
# load_config() read a system-wide file, and $ENV{'HOME'} may be
# unset; confirm how confpath is used before relying on it.
$conf->{'confpath'} = "$ENV{'HOME'}/.shelldap.rc";
$conf->{'cacheage'} ||= 300;
$conf->{'timeout'} ||= 10;

# create and enter shell loop
my $shell = LDAP::Shell->new();
$shell->cmdloop();
# load YAML config into global conf.
|
|
1636 |
#
|
|
1637 |
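sub load_config
{
    # Locate the first existing config file (per-user rc first, then the
    # system-wide locations), parse it as YAML into the global $conf and
    # return it.
    #
    # Returns undef when no config file exists or cannot be opened;
    # dies on malformed YAML, naming the file that was actually read.
    my @confs = (
        ( defined $ENV{'HOME'} ? "$ENV{'HOME'}/.shelldap.rc" : () ),
        '/usr/local/etc/shelldap.conf',
        '/etc/shelldap.conf',
    );
    my ( $confpath ) = grep { -e $_ } @confs;
    $confpath or return;

    # three-arg open with a lexical handle: the path is never parsed for
    # mode characters, and the handle cannot leak past this sub
    open my $fh, '<', $confpath or return;
    my $data = do { local $/ = undef; <$fh> };   # slurp!
    close $fh;
    $data = '' unless defined $data;             # empty file

    # Never let a config file bless data into arbitrary classes; the
    # default of this switch has differed between YAML::Syck releases.
    local $YAML::Syck::LoadBlessed = 0;
    eval { $conf = YAML::Syck::Load( $data ) };
    die "Invalid YAML in $confpath\n" if $@;

    return $conf;
}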
## EOF
|
|
1669 |
|