diff options
-rw-r--r-- | Changelog | 1 | ||||
-rw-r--r-- | README.ldap-support | 2 | ||||
-rwxr-xr-x | ldap-scripts/applySystemQuotas.pl | 99 | ||||
-rwxr-xr-x | ldap-scripts/edquota_editor | 32 | ||||
-rw-r--r-- | ldap-scripts/quota.schema | 18 | ||||
-rwxr-xr-x | ldap-scripts/setSystemQuotas.pl | 140 |
6 files changed, 291 insertions, 1 deletions
@@ -1,4 +1,5 @@ Changes in quota-tools from 3.11 to 3.12 +* added a few perl wrappers for LDAP (Stefan Adams) * added note about availability of -r option to manpages (Jan Kara) * maximal number of groups is now got via sysconf (Nathan Scott) * added batch mode to the setquota(8) (Jan Kara) diff --git a/README.ldap-support b/README.ldap-support index 9e226d6..0804677 100644 --- a/README.ldap-support +++ b/README.ldap-support @@ -1,4 +1,4 @@ -LDAP support by James Bourne <jbourne@hardrock.org> +LDAP support for warnquota by James Bourne <jbourne@hardrock.org> The LDAP support added to warnquota allows you to retreive mail routing information from an LDAP server so that you can send mail to the correct diff --git a/ldap-scripts/applySystemQuotas.pl b/ldap-scripts/applySystemQuotas.pl new file mode 100755 index 0000000..762eb82 --- /dev/null +++ b/ldap-scripts/applySystemQuotas.pl @@ -0,0 +1,99 @@ +#!/usr/bin/perl -w + +# $0 -b "ou=People,dc=borgia,dc=com" -F '(attr=value)' + +# Synopsis +# applyQuotas.pl is a script solely for making the quota set within LDAP take +# affect by running the linuxquota tool edquota with the figures set in LDAP. +# This tool is capable of applying standard LDAP filters to the user-supplied +# base DN for applying multiple users' quotas at once. + +# Examples: +# Apply the quotas using the linuxquota tool edquota for user stefan +# ./applySystemQuotas.pl -b "uid=stefan,ou=People,dc=borgia,dc=com" +# +# Apply the quotas using the linuxquota tool edquota for all People with description of Student +# ./applySystemQuotas.pl -b "ou=People,dc=borgia,dc=com" -F "(description=Student)" + +use strict; +use Net::LDAP; +use Getopt::Long; + +chomp(my $Password = `cat /etc/ldap.secret`); +my $Host = 'localhost'; +my $Port = '389'; +my $BindDN = 'cn=Manager,dc=borgia,dc=com'; +my $SSL = 0; +my $edquota_editor = '/usr/sbin/edquota_editor'; +my $edquota = '/usr/sbin/edquota'; + +my $b = ''; +my $F = ''; +GetOptions( + 'b=s' => \$b, + 'F=s' => \$F, +); + +die "Usage: $0 -b basedn [-F '(extrafilter)']\n" unless $b; + +my $ldap = connectLDAP(); + +my $search; +$search = $ldap->search( + base => $b, + filter => "(&(objectClass=systemQuotas)$F)", + attrs => ['uid', 'quota'], +); +$search->code && die $search->error; +my $i = 0; +my $max = $search->count; +for ( $i=0; $i<$max; $i++ ) { + my $entry = $search->entry($i); + my $editor = $ENV{'EDITOR'} if $ENV{'EDITOR'}; + $ENV{'EDITOR'} = $edquota_editor; + $ENV{'QUOTA_USER'} = $entry->get_value('uid'); + # Delete all existing quotas for QUOTA_USER + $ENV{'QUOTA_FILESYS'} = '*'; + $ENV{'QUOTA_SBLOCKS'} = 0; + $ENV{'QUOTA_HBLOCKS'} = 0; + $ENV{'QUOTA_SFILES'} = 0; + $ENV{'QUOTA_HFILES'} = 0; + print "$ENV{'QUOTA_USER'}: $ENV{'QUOTA_FILESYS'}:$ENV{'QUOTA_SBLOCKS'},$ENV{'QUOTA_HBLOCKS'},$ENV{'QUOTA_SFILES'},$ENV{'QUOTA_HFILES'}\n"; + qx(/usr/sbin/edquota -u $ENV{'QUOTA_USER'}); + my @quotas = $entry->get_value('quota'); + if ( $#quotas >= 0 ) { + foreach ( @quotas ) { + my @quota = split /:/; + $ENV{'QUOTA_FILESYS'} = $quota[0]; + $ENV{'QUOTA_SBLOCKS'} = $quota[1]; + $ENV{'QUOTA_HBLOCKS'} = $quota[2]; + $ENV{'QUOTA_SFILES'} = $quota[3]; + $ENV{'QUOTA_HFILES'} = $quota[4]; + print "$ENV{'QUOTA_USER'}: $ENV{'QUOTA_FILESYS'}:$ENV{'QUOTA_SBLOCKS'},$ENV{'QUOTA_HBLOCKS'},$ENV{'QUOTA_SFILES'},$ENV{'QUOTA_HFILES'}\n"; + qx($edquota -u $ENV{'QUOTA_USER'}); + } + } + $ENV{'EDITOR'} = $editor if $editor; +} +$search = $ldap->unbind; + +sub connectLDAP { + # bind to a directory with dn and password + my $ldap = Net::LDAP->new( + $Host, + port => $Port, + version => 3, +# debug => 0xffff, + ) or die "Can't contact LDAP server ($@)\n"; + if ( $SSL ) { + $ldap->start_tls( + # verify => 'require', + # clientcert => 'mycert.pem', + # clientkey => 'mykey.pem', + # decryptkey => sub { 'secret'; }, + # capath => '/usr/local/cacerts/' + ); + } + $ldap->bind($BindDN, password=>$Password); + return $ldap; +} diff --git a/ldap-scripts/edquota_editor b/ldap-scripts/edquota_editor new file mode 100755 index 0000000..95a03ee --- /dev/null +++ b/ldap-scripts/edquota_editor @@ -0,0 +1,32 @@ +#!/usr/bin/perl -w + +use strict; + +die "QUOTA_USER environment variable not set\n" unless defined $ENV{'QUOTA_USER'}; +die "QUOTA_FILESYS environment variable not set\n" unless defined $ENV{'QUOTA_FILESYS'}; +die "QUOTA_SBLOCKS environment variable not set\n" unless defined $ENV{'QUOTA_SBLOCKS'}; +die "QUOTA_HBLOCKS environment variable not set\n" unless defined $ENV{'QUOTA_HBLOCKS'}; +die "QUOTA_SFILES environment variable not set\n" unless defined $ENV{'QUOTA_SFILES'}; +die "QUOTA_HFILES environment variable not set\n" unless defined $ENV{'QUOTA_HFILES'}; + +open FILE, $ARGV[0]; +$qdata = join '', (@_=<FILE>); +close FILE; +open FILE, ">$ARGV[0]"; +print FILE &edit_quota_file($qdata, $ENV{'QUOTA_FILESYS'}, $ENV{'QUOTA_SBLOCKS'}, $ENV{'QUOTA_HBLOCKS'}, $ENV{'QUOTA_SFILES'}, $ENV{'QUOTA_HFILES'}); +close FILE; + +# edit_quota_file(data, filesys, sblocks, hblocks, sfiles, hfiles) +sub edit_quota_file { + local($rv, $line, @line, $i); + @line = split /\n/, $_[0]; + for ( $i=0; $i<@line; $i++ ) { + if ($line[$i] =~ /^\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$/ && ($1 eq $_[1] || $_[1] eq '*')) { + # new-style line to change + $rv .= " $1 $2 $_[2] $_[3] $5 $_[4] $_[5]\n"; + } else { + $rv .= "$line[$i]\n"; + } + } + return $rv; +} diff --git a/ldap-scripts/quota.schema b/ldap-scripts/quota.schema new file mode 100644 index 0000000..b5e216f --- /dev/null +++ b/ldap-scripts/quota.schema @@ -0,0 +1,18 @@ +## +## schema file for Unix Quotas +## Schema for storing Unix Quotas in LDAP +## OIDs are owned by Cogent Innovators, LLC +## +## 1.3.6.1.4.1.19937.1.1.x - attributetypes +## 1.3.6.1.4.1.19937.1.2.x - objectclasses +## + +attributetype ( 1.3.6.1.4.1.19937.1.1.1 NAME 'quota' + DESC 'Quotas (FileSystem:BlocksSoft,BlocksHard,InodesSoft,InodesHard)' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} ) + +objectclass ( 1.3.6.1.4.1.19937.1.2.1 NAME 'systemQuotas' SUP posixAccount AUXILIARY + DESC 'System Quotas' + MUST ( uid ) + MAY ( quota )) diff --git a/ldap-scripts/setSystemQuotas.pl b/ldap-scripts/setSystemQuotas.pl new file mode 100755 index 0000000..90ab1e8 --- /dev/null +++ b/ldap-scripts/setSystemQuotas.pl @@ -0,0 +1,140 @@ +#!/usr/bin/perl -w + +# $0 -b "ou=People,dc=borgia,dc=com" -Q /dev/with/quota=0:0:0:0 -F '(attr=value)' + +# Synopsis +# setSystemQuotas.pl is a script solely for modifying the quota attribute in +# LDAP. It expects that the users you intend to have quotas already have the +# systemQuotas objectClass set. +# This tool is capable of applying standard LDAP filters to the user-supplied +# base DN for modifying multiple users' quotas at once. + +# Examples: +# Set quota on /dev/sda7 and /dev/sda8 for user stefan +# ./setSystemQuotas.pl -b "uid=stefan,ou=People,dc=borgia,dc=com" -Q /dev/sda7=4000000:4400000:10000:11000 -Q /dev/sda8=4000000:4400000:10000:11000 +# +# Set quota on /dev/sda8 for user all People with description of Student +# ./setSystemQuotas.pl -b "ou=People,dc=borgia,dc=com" -Q /dev/sda8=40000:44000:1000:1100 -F "(description=Student)" +# +# Delete quotas for user stefan +# ./setSystemQuotas.pl -b "uid=stefan,ou=People,dc=borgia,dc=com" + +use strict; +use Net::LDAP; +use Getopt::Long; + +chomp(my $Password = `cat /etc/ldap.secret`); +my $Host = 'localhost'; +my $Port = '389'; +my $BindDN = 'cn=Manager,dc=borgia,dc=com'; +my $SSL = 0; + +my $b = ''; +my %Q = (); +my $F = ''; +GetOptions( + 'b=s' => \$b, + 'Q=s' => \%Q, + 'F=s' => \$F, +); +die "Usage: $0 -b userdn [-F '(extrafilter)'] [-Q /fs=sb:hb:sf:hf ...]\n" unless $b; +foreach ( keys %Q ) { + local @_ = split /:/, $Q{$_}; + unless ( $#_ == 3 ) { + print "Ignoring $_: invalid format\n"; + delete $Q{$_}; + } +} + +my $ldap = connectLDAP(); + +my $quota = {}; +my $search; +$search = $ldap->search( + base => $b, + filter => "(&(objectClass=systemQuotas)$F)", + attrs => ['*', 'quota'], +); +$search->code && die $search->error; +my $i = 0; +my $max = $search->count; +for ( $i=0; $i<$max; $i++ ) { + my $entry = $search->entry($i); + my $dn = $entry->dn; + if ( keys %Q ) { + $quota->{$dn} = 1; + foreach ( $entry->get_value('quota') ) { + my @quota = split /:/; + my $fs = shift @quota; + delete $quota->{$dn} if $quota->{$dn} == 1; + $quota->{$dn}->{$fs} = join ':', @quota; + } + } else { + $quota->{$dn} = 0; + delete $quota->{$dn} unless $entry->get_value('quota'); + } +} + +foreach my $dn ( keys %{$quota} ) { + if ( ref $quota->{$dn} eq 'HASH' ) { +print STDERR "Modify $dn:\n"; + foreach ( keys %Q ) { +print STDERR "\t$_:$Q{$_}\n"; + $quota->{$dn}->{$_} = $Q{$_}; + } + my @quota = map { "$_:$quota->{$dn}->{$_}" } keys %{$quota->{$dn}}; + my $modify = $ldap->modify( + $dn, + replace => { + quota => [@quota], + }, + ); + $modify->code && warn "Failed to modify quota: ", $modify->error, "\n"; + } else { + if ( $quota->{$dn} == 1 ) { + delete $quota->{$dn}; +print STDERR "Add $dn:\n"; + foreach ( keys %Q ) { +print STDERR "\t$_:$Q{$_}\n"; + $quota->{$dn}->{$_} = $Q{$_} + } + my @quota = map { "$_:$quota->{$dn}->{$_}" } keys %{$quota->{$dn}}; + my $modify = $ldap->modify( + $dn, + add => { + quota => [@quota], + }, + ); + $modify->code && warn "Failed to modify quota: ", $modify->error, "\n"; + } elsif ( $quota->{$dn} == 0 ) { +print STDERR "Delete $dn:\n"; + my $modify = $ldap->modify( + $dn, + delete => ['quota'], + ); + $modify->code && warn "Failed to modify quota: ", $modify->error, "\n"; + } + } +} +$ldap->unbind; + +sub connectLDAP { + # bind to a directory with dn and password + my $ldap = Net::LDAP->new( + $Host, + port => $Port, + version => 3, +# debug => 0xffff, + ) or die "Can't contact LDAP server ($@)\n"; + if ( $SSL ) { + $ldap->start_tls( + # verify => 'require', + # clientcert => 'mycert.pem', + # clientkey => 'mykey.pem', + # decryptkey => sub { 'secret'; }, + # capath => '/usr/local/cacerts/' + ); + } + $ldap->bind($BindDN, password=>$Password); + return $ldap; +} |