gunnar: server/perl-kolab/bin kolab_bootstrap.in, NONE, 1.1 kolabcheckperm.in, NONE, 1.1 kolabconf.in, NONE, 1.1 kolabdcachetool.in, NONE, 1.1 kolabd.in, NONE, 1.1 kolabpasswd.in, NONE, 1.1 kolabquotareport.in, NONE, 1.1 kolabquotawarn.in, NONE, 1.1 kolab_smtpdpolicy.in, NONE, 1.1 kolab_upgrade.in, NONE, 1.1
cvs at kolab.org
cvs at kolab.org
Fri Oct 10 16:22:07 CEST 2008
- Previous message: gunnar: server/perl-kolab AUTHORS, 1.4, 1.5 ChangeLog, 1.39, 1.40 MANIFEST, 1.4, 1.5 Makefile.PL, 1.7, 1.8 perl-kolab.spec, 1.102, 1.103
- Next message: gunnar: server/perl-kolab/lib Kolab.pm,1.24,1.25
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: gunnar
Update of /kolabrepository/server/perl-kolab/bin
In directory doto:/tmp/cvs-serv20319/bin
Added Files:
kolab_bootstrap.in kolabcheckperm.in kolabconf.in
kolabdcachetool.in kolabd.in kolabpasswd.in
kolabquotareport.in kolabquotawarn.in kolab_smtpdpolicy.in
kolab_upgrade.in
Log Message:
Merge all perl tools into the perl-kolab package.
--- NEW FILE: kolab_bootstrap.in ---
#!perl
# (c) 2004-2005 Steffen Hansen <steffen at klaralvdalens-datakonsult.se>
# (c) 2003,2004 Tassilo Erlewein <tassilo.erlewein at erfrakon.de>
# (c) 2003-2005 Martin Konold <martin.konold at erfrakon.de>
# (c) 2003 Achim Frank <achim.frank at erfrakon.de>
#
# This program is Free Software under the GNU General Public License (>=v2).
# Read the file COPYING that comes with this packages for details.
# kolab_bootstrap Version 0.93
use strict;
use vars qw($opt_b $opt_f);
use URI;
use Socket;
use IO::File;
use IO::Select;
use Kolab;
use Kolab::Conf;
use Net::Domain qw(hostfqdn);
use Net::LDAP;
use Net::LDAP::Entry;
use Net::Netmask;
use File::Copy;
use Getopt::Std;
use Term::ReadKey;
use Time::Local;
use Time::localtime;
# Reload only kolab.globals into our configuration.
Kolab::reloadConfig("@CONFIG_DIR@/kolab.globals", 1);
my $kolab_config = ""@CONFIG_DIR@/kolab.conf";
my %kolab_config;
##### Utility Functions
# Shell double-quote a string
# Borrored from Sysadm::Install
sub qquote {
my($str, $metas) = @_;
$str =~ s/([\\"])/\\$1/g;
if(defined $metas) {
$metas = '$`' if $metas eq ":shell";
$metas =~ s/\]/\\]/g;
$str =~ s/([$metas])/\\$1/g;
}
return "\"$str\"";
}
# Connect to host,port and return 1 on success
sub tryConnect {
my $host = shift;
my $port = shift;
if ($port =~ /\D/) { $port = getservbyname($port, 'tcp') }
die "No port" unless $port;
my $iaddr = inet_aton($host) || die "no host: $host";
my $paddr = sockaddr_in($port, $iaddr);
my $proto = getprotobyname('tcp');
socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die "socket: $!";
my $retval = connect(SOCK, $paddr) || 0;
close( SOCK );
return $retval;
}
# Check for running service
sub checkPort {
my $name = shift; # Name of the service e.g. webserver
my $port = shift; # tcp Port of the named service
print ("Check for running $name on port $port\n");
if (tryConnect("localhost",$port) == 1) {
print ("Error: Found $name running on Port $port\n");
print ("Check your installation!\n");
print ("You must stop the service $name before running Kolab\n");
print ("You may try to execute \"$Kolab::config{'KOLABRC'} rc all stop\" initially\n");
exit 1;
}
}
# Hash a password
sub hashPassword {
my $pw = shift;
my $hashcmd = "$Kolab::config{'hashmethod'} ".qquote($pw,":shell");
(my $hashpw = `$hashcmd`) or die $@;
chomp($hashpw);
return $hashpw;
}
# Ask the user a question
sub getUserInput {
my $text = shift;
my $default = shift;
my @values = @_;
if( $default ) {
$text = "$text [$default]";
}
if( @values ) {
$text = "$text (".join('/', @values)."): ";
} else {
$text = "$text: ";
}
AGAIN:
print $text;
my $tmp = ReadLine;
chomp $tmp;
if( $default && $tmp eq '' ) { $tmp = $default; }
if( @values ) {
foreach( @values ) { return $tmp if( $tmp eq $_ ); }
goto AGAIN;
}
return $tmp;
}
# Like system() but echo the line before executing
sub kolab_system {
my $arg = shift;
print "$arg\n";
system( $arg ) == 0
or die "system $arg failed: $?";
};
# Usable chown
sub kolab_chown {
my $u = shift;
my $g = shift;
my $uid = getpwnam($u);
my $gid = getgrnam($g);
while( my $file = shift ) {
chown $uid,$gid,$file;
}
}
# Fetch entry from ldap server or create new entry of none exist
sub newOrExistingLDAPEntry {
my $ldap = shift;
my $dn = shift;
my $mesg = $ldap->search( base => $dn, scope => 'exact', filter => '(objectClass=*)' );
if( $mesg && $mesg->count() > 0 ) {
return $mesg->entry(0);
} else {
return Net::LDAP::Entry->new;
}
}
sub newkolabgroupofnames {
my $ldap = shift;
my $basedn = shift;
my $cn = shift;
if( scalar(@_) < 1 ) {
warn "kolabgroupofnames must contain at least one member";
}
my $ldapobject = newOrExistingLDAPEntry($ldap,"cn=$cn,$basedn");
$ldapobject->replace('cn' => $cn, 'objectclass' => ['top','kolabgroupofnames'],
'member' => @_);
$ldapobject->dn("cn=$cn,$basedn");
my $mesg = $ldapobject->update($ldap);
$mesg && $mesg->code && warn "failed to write entry: ", $mesg->error;
return $ldapobject;
}
print "\nKOLAB BOOTSTRAP\n\n";
# Check for already running services preventing proper operation of kolab_bootstrap and Kolab
checkPort("http webserver", 80);
checkPort("https webserver", 443);
checkPort("imap server", 143);
checkPort("imaps server", 993);
checkPort("pop3 server", 110);
checkPort("pop3s server", 995);
checkPort("smtp server", 25);
checkPort("smtps server", 465);
checkPort("amavis server", 10024);
checkPort("postfix reinjection from kolabfilter", 10025);
checkPort("postfix reinjection from amavis", 10026);
checkPort("kolab daemon", 9999);
checkPort("ldap server", 389);
checkPort("ldaps server", 636);
checkPort("sieve server", 2000);
checkPort("lmtp server", 2003);
print ("Excellent all required Ports are available!\n");
system("$Kolab::config{'sbindir'}/slapcat >/dev/null 2>&1");
if ($?==0) {
print ("\nFound existing configuration\n");
print "\nBootstrapping Kolab will overwrite old configuration\n";
my $tmp = getUserInput( "\nContinue", "n", "y", "n" );
if( (lc $tmp eq 'n') || ($tmp eq '') ) {
print "Bootstrapping aborted - not creating new configuration\n";
exit 0;
}
print "Creating backup of old configuration (LDAP, kolab.conf and certificates)\n";
my $backupfiles = "$Kolab::config{'backupfiles'}";
if ($backupfiles ne "" && ! -s "$Kolab::config{'backupdir'}/kolab_backup-orig.tar.bz2") {
# Do an one time backup. This is to backup the original configuration
# files that were configured by user. The one time back is marked with
# orig.
system("tar cjPf $Kolab::config{'backupdir'}/kolab_backup-orig.tar.bz2 $backupfiles");
print "The orginal configuration files have been backed up to:\n";
print " $Kolab::config{'backupdir'}/kolab_backup-orig.tar.bz2\n"
}
my $epochseconds = timelocal(gmtime);
my $backupdir="$Kolab::config{'backupdir'}/backup".$epochseconds;
mkdir($backupdir,0700) || die "cannot mkdir : $!";
print "creating backup of LDAP repository\n";
system("cp -pRP \"$Kolab::config{'ldapserver_dir'}\" \"$backupdir/openldap-data\"");
print "creating backup of CA data\n";
if (-d "@CONFIG_DIR@/ca") {
system("mv \"@CONFIG_DIR@/ca\" $backupdir");
}
system("cd \"@CONFIG_DIR@\"; mv *.pem $backupdir");
if (-f $kolab_config) {
system("mv \"$kolab_config\" $backupdir");
}
print "Cleaning up LDAP\n";
system("cd \"$Kolab::config{'ldapserver_dir'}\"; rm -f *");
} else {
print "LDAP repository is empty - assuming fresh install\n";
}
# fetch fresh template
copy("@CONFIG_DIR@/templates/kolab.conf.template", $kolab_config);
%kolab_config = Kolab::readConfig(\%kolab_config, $kolab_config);
my $fqdnhostname = $kolab_config{'fqdnhostname'} || die "could not read fqdnhostname from $kolab_config";
my $is_master = $kolab_config{'is_master'} || "true";
my $bind_dn = $kolab_config{'bind_dn'} || die "could not read bind_dn from $kolab_config";
my $bind_pw = $kolab_config{'bind_pw'} || die "could not read bind_pw from $kolab_config";
my $bind_pw_hash = $kolab_config{'bind_pw_hash'} || hashPassword( $bind_pw );
my $ldap_uri = $kolab_config{'ldap_uri'} || die "could not read ldap_uri from $kolab_config";
my $base_dn = $kolab_config{'base_dn'} || die "could not read base_dn from $kolab_config";
my $php_dn = $kolab_config{'php_dn'} || die "could not read php_dn from $kolab_config";
my $php_pw = $kolab_config{'php_pw'} || die "could not read php_pw from $kolab_config";
my $calendar_id = $kolab_config{'calendar_id'};
my $calendar_pw = $kolab_config{'calendar_pw'};
my $slurpd_addr = $kolab_config{'slurpd_addr'} || die "could not read slurpd_addr from $kolab_config";
my $slurpd_port = $kolab_config{'slurpd_port'} || die "could not read slurpd_port from $kolab_config";
my @kolabhosts;
my $domain;
if (!$bind_dn || !$bind_pw || !$ldap_uri || !$base_dn) {
print "Please check $kolab_config (seems to be incomplete)\n";
die "and run kolab_bootstrap afterwards, manually";
}
my $fqdn;
if( $fqdnhostname =~ /\@\@\@/ ) {
$fqdn = hostfqdn();
} else {
$fqdn = $fqdnhostname;
}
chomp($fqdn);
$fqdn = getUserInput("Please enter Hostname including Domain Name (e.g. thishost.domain.tld)", $fqdn);
print "Proceeding with Hostname $fqdn\n";
my $tmp;
if( $is_master eq "false" ) {
$tmp = "2";
} else {
$tmp = "1";
}
my $tmp2 = getUserInput( "Do you want to set up (1) a master Kolab server or (2) a slave",
$tmp, "1", "2");
if ( $tmp2 eq "2" ) {
$is_master = "false";
print "Proceeding with slave server setup\n\n";
} else {
$is_master = "true";
print "Proceeding with master server setup\n\n";
}
if ( $is_master eq "true" ) {
##### Master server setup
getopt('f');
(my $dummy, $domain) = split(/\./, $fqdn, 2);
if ($domain !~ /\./) {
$domain = $fqdn;
}
$domain = getUserInput("Please enter your Maildomain - if you do not know your mail domain use the fqdn from above", $domain);
print "proceeding with Maildomain $domain\n";
print "Kolab primary email addresses will be of the type user\@$domain \n";
if ( $opt_f || $base_dn =~ /\@\@\@/ || $bind_dn =~ /\@\@\@/ || $bind_pw =~ /\@\@\@/ ) {
print "Generating default configuration:\n";
if ($base_dn =~ /\@\@\@/) {
$base_dn = "";
foreach my $dc ((split(/\./,$domain))) {
$base_dn .= "dc=$dc,";
}
chop $base_dn;
$base_dn = getUserInput("Top level DN for Kolab", $base_dn);
print " base_dn : $base_dn\n";
}
if ($bind_dn =~ /\@\@\@/) {
$bind_dn =~ s/\@\@\@kolab_basedn\@\@\@/$base_dn/g;
print " bind_dn : $bind_dn\n";
}
if ($bind_pw =~ /\@\@\@/) {
$bind_pw = `$Kolab::config{'bindir'}/openssl rand -base64 12`;
chomp $bind_pw;
$bind_pw = getUserInput("Please choose a manager password", $bind_pw);
print " bind_pw : $bind_pw\n";
$bind_pw_hash = hashPassword($bind_pw);
}
# Generate passwords
if ($php_dn =~ /\@\@\@/) {
$php_dn =~ s/\@\@\@kolab_basedn\@\@\@/$base_dn/g;
}
if ($php_pw =~ /\@\@\@/) {
$php_pw = `$Kolab::config{'bindir'}/openssl rand -base64 30`;
chomp $php_pw;
}
if ($calendar_pw =~ /\@\@\@/) {
$calendar_pw = `$Kolab::config{'bindir'}/openssl rand -base64 30`;
chomp $calendar_pw;
}
my $fd = IO::File->new($kolab_config, "w+") || die "could not open $kolab_config";
print $fd "fqdnhostname : $fqdn\n";
print $fd "is_master : $is_master\n";
print $fd "base_dn : $base_dn\n";
print $fd "bind_dn : $bind_dn\n";
print $fd "bind_pw : $bind_pw\n";
print $fd "bind_pw_hash : $bind_pw_hash\n";
print $fd "ldap_uri : $ldap_uri\n";
print $fd "ldap_master_uri : $ldap_uri\n";
print $fd "php_dn : $php_dn\n";
print $fd "php_pw : $php_pw\n";
print $fd "calendar_id : $calendar_id\n";
print $fd "calendar_pw : $calendar_pw\n";
print $fd "slurpd_addr : $slurpd_addr\n";
print $fd "slurpd_port : $slurpd_port\n";
undef $fd;
print "done modifying $kolab_config\n\n";
chmod 0600, $kolab_config;
kolab_chown "$Kolab::config{'kolab_musr'}","$Kolab::config{'kolab_mgrp'}", $kolab_config;
print "IMPORTANT NOTE:\n";
print "use login=manager and passwd=$bind_pw when you log into the webinterface!\n\n";
}
# Set up slapd to replicate to slave server's kolabds
@kolabhosts = ( $fqdn );
while(1) {
my $tmp = getUserInput("Enter fully qualified hostname of slave kolab server e.g. thishost.domain.tld [empty when done]");
if( $tmp ) {
push @kolabhosts, $tmp;
#$cfg .= "replica host=$tmp\n";
#$cfg .= " binddn=\"cn=replicator\"\n";
#$cfg .= " bindmethod=simple credentials=secret\n\n";
} else {
last;
}
};
my $confname = "$Kolab::config{'sasl_smtpconffile'}";
copy("@CONFIG_DIR@/templates/smtpd.conf.template", $confname) || die "could not write to $confname";
getopts('b');
if ($opt_b) {
print "prepare LDAP database...\n";
if ($ldap_uri =~ /127\.0\.0\.1/ || $ldap_uri =~ /localhost/) {
# Make sure that no rogue daemons are running
tryConnect( '127.0.0.1', 389 ) && die "A process is already listening to port 389 (ldap)\n"
."Please stop any running ldap server and bootstrap again\n";
tryConnect( '127.0.0.1', 9999 ) && die "A process is already listening to port 9999 (kolabd)\n"
."Please stop any running kolabd and bootstrap again\n";
if( `ps -elf|grep 's[l]urpd'` ) {
print "Error: Detected running slurpd processes.\n";
print "Please make sure the OpenLDAP server is stopped properly!\n";
exit 1;
}
$Kolab::config{'directory_replication_mode_is_syncrepl'} = 'true' if ($Kolab::config{'directory_mode'} eq 'syncrepl');
$Kolab::config{"base_dn"} = $base_dn;
$Kolab::config{"bind_dn"} = $bind_dn;
$Kolab::config{"bind_pw_hash"} = $bind_pw;
$Kolab::config{"slurpd_addr"} = $slurpd_addr;
$Kolab::config{"slurpd_port"} = $slurpd_port;
# During boot some settings like TLS certificates are not defined yet and
# hence can't be used, these definitons are skipped when
# bootstrap_config = true
$Kolab::config{"bootstrap_config"} = 'true';
Kolab::Conf::bootstrapConfig();
$Kolab::config{"bootstrap_config"} = 'false';
# now we must startup slapd
print "temporarily starting slapd\n";
$ldap_uri = "ldap://127.0.0.1:389/";
# ensure that the database has correct permissions
system("chown $Kolab::config{'ldapserver_rusr'}:$Kolab::config{'ldapserver_grp'} $Kolab::config{'ldapserver_dir'}/*");
(system("$Kolab::config{'libexecdir'}/openldap/slapd -h ldap://127.0.0.1:389/ -f $Kolab::config{'ldapserver_confdir'}/slapd.conf -u $Kolab::config{'ldapserver_rusr'} -g $Kolab::config{'ldapserver_grp'}") == 0 ) || die( "Could not start temporary slapd: $!" );
print ("Waiting for OpenLDAP to start\n");
sleep 10;
}
my $ldapuri = URI->new($ldap_uri) || die "error: could not parse given uri";
my $ldap = Net::LDAP->new($ldap_uri, verify => 'none' ) || die "could not connect ldap server $ldap_uri";
if ($ldap) {
$ldap->bind($bind_dn, password=> $bind_pw) || die "could not bind to ldap server $ldap_uri";
my $mesg = $ldap->search(base=> "$base_dn", scope=> 'exact', filter=> "(objectclass=*)");
if ($mesg && $mesg->count != 1) {
print "no $base_dn object found, creating one\n";
$base_dn =~ m/([^=]+)=([^,]+)/;
my @attrs = ( $1 => $2, 'objectclass'=> ['top', 'domain'] );
@attrs = ( @attrs, 'dc' => (split(/,/,$domain))[0] ) if( $1 ne 'dc' );
$mesg = $ldap->add( $base_dn, attr=> \@attrs);
}
$mesg && $mesg->code && warn "failed to write basedn entry : ", $mesg->error;
my $ldapobject = newOrExistingLDAPEntry( $ldap, "k=kolab,$base_dn" );
# create kolab config object
my $mynetworkinterfaces = "127.0.0.0/8";
print "mynetworkinterfaces: ".$mynetworkinterfaces."\n";
$ldapobject->replace(
'k' => 'kolab',
'kolabhost' => \@kolabhosts,
'postfix-mydomain' => $domain,
#'postfix-relaydomains' => "",
'postfix-mydestination' => "$domain",
'postfix-mynetworks' => $mynetworkinterfaces,
#'postfix-relayhost' => "",
#'postfix-transport' => "",
'postfix-enable-virus-scan' => "TRUE",
'cyrus-autocreatequota' => 100000,
'cyrus-quotawarn' => 80,
'cyrus-admins' => "manager",
'cyrus-imap' => "TRUE",
'cyrus-pop3' => "FALSE",
'cyrus-imaps' => "TRUE",
'cyrus-pop3s' => "TRUE",
'cyrus-sieve' => "TRUE",
'apache-http' => "FALSE",
'apache-allow-unauthenticated-fb' => "FALSE",
'uid' => "freebusy",
'userPassword' => "freebusy",
'objectclass' => ['top', 'kolab' ] );
# Get rid of fqdnhostname, it will cause pain and suffering...
#$ldapobject->delete( 'fqdnhostname' );
$ldapobject->dn("k=kolab,$base_dn");
$mesg = $ldapobject->update($ldap);
$mesg && $mesg->code && warn "failed to write entry: ", $mesg->error;
undef $ldapobject;
# create internal user topnode
$ldapobject = newOrExistingLDAPEntry( $ldap, "cn=internal,$base_dn" );
$ldapobject->replace('cn' => 'internal', 'objectclass' => ['top','kolabnamedobject']);
$ldapobject->dn("cn=internal,$base_dn");
$mesg = $ldapobject->update($ldap);
$mesg && $mesg->code && warn "failed to write entry: ", $mesg->error;
undef $ldapobject;
# create domain groups topnode
$ldapobject = newOrExistingLDAPEntry( $ldap, "cn=domains,cn=internal,$base_dn" );
$ldapobject->replace('cn' => 'domains', 'objectclass' => ['top','kolabnamedobject']);
$ldapobject->dn("cn=domains,cn=internal,$base_dn");
$mesg = $ldapobject->update($ldap);
$mesg && $mesg->code && warn "failed to write entry: ", $mesg->error;
undef $ldapobject;
# create external user topnode
$ldapobject = newOrExistingLDAPEntry( $ldap, "cn=external,$base_dn" );
$ldapobject->replace('cn' => 'external', 'objectclass' => ['top','kolabnamedobject']);
$ldapobject->dn("cn=external,$base_dn");
$mesg = $ldapobject->update($ldap);
$mesg && $mesg->code && warn "failed to write entry: ", $mesg->error;
undef $ldapobject;
# create groups user topnode
$ldapobject = newOrExistingLDAPEntry( $ldap, "cn=groups,$base_dn" );
$ldapobject->replace('cn' => 'groups', 'objectclass' => ['top','kolabnamedobject']);
$ldapobject->dn("cn=groups,$base_dn");
$mesg = $ldapobject->update($ldap);
$mesg && $mesg->code && warn "failed to write entry: ", $mesg->error;
undef $ldapobject;
# create resources user topnode
$ldapobject = newOrExistingLDAPEntry( $ldap, "cn=resources,$base_dn" );
$ldapobject->replace('cn' => 'resources', 'objectclass' => ['top','kolabnamedobject']);
$ldapobject->dn("cn=resources,$base_dn");
$mesg = $ldapobject->update($ldap);
$mesg && $mesg->code && warn "failed to write entry: ", $mesg->error;
undef $ldapobject;
# create admin group
newkolabgroupofnames( $ldap, "cn=internal,$base_dn", 'admin', $bind_dn );
# create manager user
$ldapobject = newOrExistingLDAPEntry( $ldap, $bind_dn );
$ldapobject->replace('cn' => 'manager', 'sn' => 'n/a', 'uid' => 'manager',
'userPassword' => $bind_pw_hash, 'objectclass' => ['top','inetorgperson','kolabinetorgperson']);
$ldapobject->dn($bind_dn);
$mesg = $ldapobject->update($ldap);
$mesg && $mesg->code && warn "failed to write entry: ", $mesg->error;
undef $ldapobject;
# create php read-only user
$ldapobject = newOrExistingLDAPEntry( $ldap, "cn=nobody,cn=internal,$base_dn" );
$ldapobject->replace('cn' => 'nobody', 'sn' => 'n/a n/a', 'uid' => 'nobody',
'userPassword' => hashPassword($php_pw),
'objectclass' => ['top','inetorgperson','kolabinetorgperson']);
$ldapobject->dn("cn=nobody,cn=internal,$base_dn");
$mesg = $ldapobject->update($ldap);
$mesg && $mesg->code && warn "failed to write entry: ", $mesg->error;
undef $ldapobject;
# create calendar user
$ldapobject = newOrExistingLDAPEntry( $ldap, "cn=$calendar_id@" . $domain . ",cn=internal,$base_dn" );
$ldapobject->replace('cn' => $calendar_id . '@' . $domain, 'sn' => 'n/a n/a', 'uid' => $calendar_id . '@' . $domain,
'userPassword' => hashPassword($calendar_pw),
'objectclass' => ['top','inetorgperson','kolabinetorgperson']);
$ldapobject->dn("cn=$calendar_id@" . $domain . ",cn=internal,$base_dn");
$mesg = $ldapobject->update($ldap);
$mesg && $mesg->code && warn "failed to write entry: ", $mesg->error;
undef $ldapobject;
# create mainainter group
newkolabgroupofnames( $ldap, "cn=internal,$base_dn", 'maintainer', $bind_dn );
# create domain-mainainter group
newkolabgroupofnames( $ldap, "cn=internal,$base_dn", 'domain-maintainer', $bind_dn );
$ldap->unbind;
}
print "LDAP setup finished\n\n";
print "Create initial config files for postfix, apache, cyrus imap, saslauthd\n";
if ("$Kolab::config{'WITHOPENPKG'}" eq "yes") {
# $Kolab::config{'sysconfdir'}/rc.conf can be used to change the startup behaviour
# of programs, that have been installed with openpkg. On non openpkg
# this could be done with e.g. /etc/sysconfig/ldap.
my $cfg;
open(FH, "<$Kolab::config{'sysconfdir'}/rc.conf") || die;
$cfg .= $_ while (<FH>);
close(FH);
$cfg =~ s/\n((openldap_url|sasl_authmech)\S*=[^\n]*)/#$1\n/sg;
$cfg .= "openldap_url=\"ldap:// ldaps://\"\nsasl_authmech=\"ldap\"\n";
open(FH, ">$Kolab::config{'sysconfdir'}/rc.conf") || die;
print FH $cfg;
close(FH);
undef $cfg;
}
#print " running @CONFIG_DIR@/kolab -v -o -l$ldap_uri\n";
print "running $Kolab::config{'sbindir'}/kolabconf -n\n";
#system("@CONFIG_DIR@/kolab -v -o -l$ldap_uri");
system("$Kolab::config{'sbindir'}/kolabconf -n");
if ($ldap_uri =~ /127\.0\.0\.1/ || $ldap_uri =~ /localhost/) {
print "\nkill temporary slapd\n\n";
system("$Kolab::config{'KOLABRC'} rc $Kolab::config{'LDAPD'} stop");
sleep 1; # actually race should be impossible
system("killall -9 slapd >/dev/null 2>&1");
}
}
print <<'EOS';
Kolab can create and manage a certificate authority that can be
used to create SSL certificates for use within the Kolab environment.
You can choose to skip this section if you already have certificates
for the Kolab server.
EOS
my $tmp = getUserInput( "Do you want to create CA and certificates", "y", "y", "n");
if( lc $tmp eq 'n' ) {
print <<'EOS';
Skipping certificate creation. Please copy your certificate to
@CONFIG_DIR@/cert.pem and private key to
@CONFIG_DIR@/key.pem when the bootstrap script is finished.
EOS
} else {
print <<'EOS';
Now we need to create a cerificate authority (CA) for Kolab and a server
certificate. You will be prompted for a passphrase for the CA.
################################################################################
EOS
kolab_system("$Kolab::config{'kolab_scriptsdir'}/kolab_ca.sh -newca $fqdn");
kolab_system("$Kolab::config{'kolab_scriptsdir'}/kolab_ca.sh -newkey $fqdn @CONFIG_DIR@/key.pem");
kolab_system("$Kolab::config{'kolab_scriptsdir'}/kolab_ca.sh -newreq $fqdn @CONFIG_DIR@/key.pem @CONFIG_DIR@/newreq.pem ");
kolab_system("$Kolab::config{'kolab_scriptsdir'}/kolab_ca.sh -sign @CONFIG_DIR@/newreq.pem @CONFIG_DIR@/cert.pem");
kolab_system("chgrp $Kolab::config{'pki_grp'} @CONFIG_DIR@/key.pem;");
kolab_system("chmod 0640 @CONFIG_DIR@/key.pem;");
kolab_system("chgrp $Kolab::config{'pki_grp'} @CONFIG_DIR@/cert.pem;");
kolab_system("chmod 0640 @CONFIG_DIR@/cert.pem;");
print <<'EOS';
################################################################################
CA and certificate creation complete.
You can install @CONFIG_DIR@/ca/cacert.pem on your clients to allow them
to verify the validity of your server certificates.
EOS
}
} else {
##### Slave server setup
print "stop running slapd (if any)\n";
kolab_system("$Kolab::config{'KOLABRC'} rc $Kolab::config{'LDAPD'} stop");
# Make sure that no rogue demons are running
tryConnect( '127.0.0.1', 389 ) && die "A process is already listening to port 389 (ldap)\n"
."Please stop any running ldap server and bootstrap again\n";
tryConnect( '127.0.0.1', 9999 ) && die "A process is already listening to port 9999 (kolabd)\n"
."Please stop any running kolabd and bootstrap again\n";
# 051210: the check below used to be: if( `ps -elf|grep slurpd|grep -v grep` ) \rbos
if( `ps -elf|grep s[l]urpd` ) {
print "WARNING: Detected running slurpd processes.\n";
print " Please make sure the OpenLDAP server is stopped properly!\n";
}
# For now we just connect to the remote slapd
SLAVESTART:
print "Now some information about the master LDAP server is required:\n\n";
do {
$ldap_uri = getUserInput("URI of master LDAP server (for example ldaps://host.example.com)",
"");
} until $ldap_uri;
my $ldapuri = URI->new($ldap_uri) || warn "error: could not parse given uri";
if( $ldapuri ) {
$base_dn = join( ',', map { "dc=$_" } split /\./, $ldapuri->host() ); #\./
}
$base_dn = getUserInput("Base DN of server", $base_dn);
print "proceeding with base DN $base_dn\n";
$bind_dn = "cn=manager,cn=internal,$base_dn";
$bind_pw = getUserInput("Manager password");
$bind_pw_hash = hashPassword($bind_pw);
my $confname = "$Kolab::config{'sasl_smtpconffile'}";
copy("@CONFIG_DIR@/templates/smtpd.conf.template", $confname) || die "could not write to $confname";
print "Checking server info...\n";
my $ldap = Net::LDAP->new($ldap_uri, verify => 'none', onerror => 'undef' );
if (!defined($ldap)) {
print "Could not connect to ldap server at $ldap_uri, please check your input\n";
goto SLAVESTART;
}
$ldap->bind($bind_dn, password=> $bind_pw) || warn "could not bind to ldap";
my $mesg = $ldap->search(base=> "$base_dn", scope=> 'exact', filter=> "(objectclass=*)");
if ($mesg && $mesg->count != 1) {
print "No $base_dn object found, please check your input\n";
goto SLAVESTART;
}
$php_dn = "cn=nobody,cn=internal,$base_dn";
$mesg = $ldap->search(base=> $php_dn, scope=> 'exact', filter=> "(objectclass=*)");
if ($mesg && $mesg->count != 1) {
print "Nobody object not found, please check your input\n";
goto SLAVESTART;
}
#my $entry = $mesg->entry(0);
#$php_pw = $entry->get_value( 'userPassword' );
my $calendar_dn = "cn=$calendar_id@" . $domain . ",cn=internal,$base_dn";
$mesg = $ldap->search(base=> $php_dn, scope=> 'exact', filter=> "(objectclass=*)");
if ($mesg && $mesg->count != 1) {
print "Calendar object not found, please check your input\n";
goto SLAVESTART;
}
#$entry = $mesg->entry(0);
#$calendar_pw = $entry->get_value( 'userPassword' );
$mesg = $ldap->search(base=> "k=kolab,$base_dn", scope=> 'exact',
filter=> "(objectClass=*)");
if ($mesg && $mesg->count != 1) {
print "No Kolab object found, please check your input\n";
goto SLAVESTART;
}
my $kolabhosts = $mesg->entry(0)->get_value( 'kolabhost', asref => 1 );
foreach(@$kolabhosts) {
if( lc($_) eq lc($fqdn) ) {
goto SLAVEOK;
}
}
print "$fqdn is not listed on the master, please correct that and try again\n";
goto SLAVESTART;
SLAVEOK:
my $master_host = $ldapuri->host();
print "Reading nobody and calendar passwords from master, please type in master servers's root-password when asked\n";
open( CONF, "ssh -C $master_host 'cat @CONFIG_DIR@/kolab.conf'|");
my $conf;
$conf .= $_ while(<CONF>);
close(CONF);
$conf =~ /php_pw : (.*)/;
$php_pw = $1;
$conf =~ /calendar_pw : (.*)/;
$calendar_pw = $1;
(print "Error reading nobody password" && goto SLAVESTART) unless( $php_pw );
(print "Error reading calendar password" && goto SLAVESTART) unless( $calendar_pw );
my $fd = IO::File->new($kolab_config, "w+") || die "could not open $kolab_config";
print $fd "fqdnhostname : $fqdn\n";
print $fd "is_master : $is_master\n";
print $fd "base_dn : $base_dn\n";
print $fd "bind_dn : $bind_dn\n";
print $fd "bind_pw : $bind_pw\n";
print $fd "bind_pw_hash : $bind_pw_hash\n";
print $fd "ldap_uri : $ldap_uri\n";
print $fd "ldap_master_uri : $ldap_uri\n";
print $fd "php_dn : $php_dn\n";
print $fd "php_pw : $php_pw\n";
print $fd "calendar_id : $calendar_id\n";
print $fd "calendar_pw : $calendar_pw\n";
print $fd "slurpd_addr : $slurpd_addr\n";
print $fd "slurpd_port : $slurpd_port\n";
undef $fd;
print "done modifying $kolab_config\n\n";
chmod 0600, $kolab_config;
kolab_chown "$Kolab::config{'kolab_musr'}","$Kolab::config{'kolab_mgrp'}",$kolab_config;
if ($kolab_config{'directory_mode'} ne "syncrepl" ) {
print << 'EOS';
Now the master server needs to be stopped briefly while the contents of the LDAP database
is copied over to this slave. Please make sure that this slave is entered into the list
of kolabhosts on the master before proceeding.
EOS
kolab_system("ssh -CA $master_host $Kolab::config{'KOLABRC'} rc $Kolab::config{'LDAPD'} stop");
kolab_system("ssh -CA $master_host $Kolab::config{'TAR'} -C $Kolab::config{'ldapserver_statedir'} -pcf - openldap-data | $Kolab::config{'TAR'} -C $Kolab::config{'ldapserver_statedir'} -pxf -");
kolab_system("ssh -CA $master_host $Kolab::config{'KOLABRC'} rc $Kolab::config{'LDAPD'} start");
}
# FIXME: we should get rid of this construct because it makes the code hard to read.
# A if (-e @sysconfdir@/rc.conf) statement should be enough.
if ("$Kolab::config{'WITHOPENPKG'}" eq "yes") {
print "Updating configuration, please ignore any initial errors from kolabconf\n\n";
my $cfg;
open(FH, "<$Kolab::config{'sysconfdir'}/rc.conf") || die;
$cfg .= $_ while (<FH>);
close(FH);
$cfg =~ s/\n((openldap_url|sasl_authmech|openldap_enable)\S*=[^\n]*)/#$1\n/sg;
# $cfg .= "openldap_enable=\"no\"\nopenldap_url=\"\"\nsasl_authmech=\"ldap\"\n";
$cfg .= "\nopenldap_url=\"ldap:// ldaps://\"\nsasl_authmech=\"ldap\"\n";
open(FH, ">$Kolab::config{'sysconfdir'}/rc.conf") || die;
print FH $cfg;
close(FH);
undef $cfg;
}
print <<'EOS';
If you chose to create a CA on the master server, you will now need to create
a certificate request and copy it to the master to get it signed. If you already
have a certificate for this server, you can choose to skip this section.
EOS
my $tmp = getUserInput( "Do you want to create a certificate request and sign it",
"y", "y", "n");
if( lc $tmp eq 'n' ) {
print <<'EOS';
Skipping certificate creation. Please copy your certificate to
@CONFIG_DIR@/cert.pem and private key to
@CONFIG_DIR@/key.pem when the bootstrap script is finished.
EOS
} else {
print <<'EOS';
Now we need to create a cerificate request for this slave
and then ssh to the master server to have the request signed.
You will be asked multiple times for the root password of the
master server and the passphrase for the CA key on the master.
################################################################################
EOS
# Create cert req
kolab_system("$Kolab::config{'kolab_scriptsdir'}/kolab_ca.sh -newkey $fqdn @CONFIG_DIR@/key.pem");
kolab_system("$Kolab::config{'kolab_scriptsdir'}/kolab_ca.sh -newreq $fqdn @CONFIG_DIR@/key.pem @CONFIG_DIR@/newreq.pem ");
# Log into master and sign cert request
kolab_system("scp @CONFIG_DIR@/newreq.pem $master_host:@CONFIG_DIR@/$fqdn-req.pem");
kolab_system("ssh -CA $master_host \"$Kolab::config{'kolab_scriptsdir'}/kolab_ca.sh -sign @CONFIG_DIR@/$fqdn-req.pem @CONFIG_DIR@/$fqdn.pem;\"");
kolab_system("scp $master_host:@CONFIG_DIR@/$fqdn.pem @CONFIG_DIR@/cert.pem");
kolab_system("ssh -CA $master_host \"rm @CONFIG_DIR@/$fqdn.pem @CONFIG_DIR@/$fqdn-req.pem\"");
die("Creation of @CONFIG_DIR@/cert.pem failed") unless -f "@CONFIG_DIR@/cert.pem";
kolab_system("chgrp @ldapserver_rgrp@ @CONFIG_DIR@/key.pem;");
kolab_system("chmod 0640 @CONFIG_DIR@/key.pem;");
kolab_system("chgrp @ldapserver_rgrp@ @CONFIG_DIR@/cert.pem;");
kolab_system("chmod 0640 @CONFIG_DIR@/cert.pem;");
print <<'EOS';
################################################################################
Certificate creation done!
EOS
}
kolab_system("$Kolab::config{'sbindir'}/kolabconf -n");
$fd = IO::File->new($kolab_config, "w+") || die "could not open $kolab_config";
print $fd "fqdnhostname : $fqdn\n";
print $fd "is_master : $is_master\n";
print $fd "base_dn : $base_dn\n";
print $fd "bind_dn : $bind_dn\n";
print $fd "bind_pw : $bind_pw\n";
print $fd "ldap_uri : ldap://127.0.0.1\n";
print $fd "ldap_master_uri : $ldap_uri\n";
print $fd "php_dn : $php_dn\n";
print $fd "php_pw : $php_pw\n";
print $fd "calendar_id : $calendar_id\n";
print $fd "calendar_pw : $calendar_pw\n";
print $fd "slurpd_addr : $slurpd_addr\n";
print $fd "slurpd_port : $slurpd_port\n";
undef $fd;
print "done modifying $kolab_config\n\n";
chmod 0600, $kolab_config;
}
#system("@CONFIG_DIR@/kolab_sslcert.sh $fqdn");
print "kolab is now ready to run!\n";
print "please run '$Kolab::config{'KOLABRC'} rc all start'\n";
print ("Use login=manager and passwd=$bind_pw when you log into\n");
print ("the webinterface https://$fqdn$Kolab::config{'kolab_wui'} !\n");
--- NEW FILE: kolabcheckperm.in ---
#!perl
# (c) 2004 Klaralvdalens Datakonsult AB
#
# Written by Steffen Hansen <steffen at klaralvdalens-datakonsult.se>
#
# This program is Free Software under the GNU General Public License (>=v2).
# Read the file COPYING that comes with this packages for details.
use strict;
use Kolab;
use Kolab::Util;
use Kolab::Conf;
Kolab::reloadConfig("@CONFIG_DIR@/kolab.globals");
exit( Kolab::Conf::checkPermissions>0?0:-1 );
--- NEW FILE: kolabconf.in ---
#!perl
## COPYRIGHT
## ---------
##
## See AUTHORS file
##
##
## LICENSE
## -------
##
## This program is free software; you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation; either version 2 of the License, or
## (at your option) any later version.
##
## This program is distributed in the hope that it will be useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
## GNU General Public License for more details.
##
## You should have received a copy of the GNU General Public License
## along with this program; if not, write to the Free Software
## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
##
## $Revision: 1.1 $
use 5.008;
use strict;
use warnings;
use Getopt::Std;
use Sys::Syslog;
use IO::File;
use Kolab;
use Kolab::Util;
use Kolab::Conf;
use Kolab::LDAP;
use vars qw($opt_d $opt_n $opt_h);
Kolab::reloadConfig("@CONFIG_DIR@/kolab.globals");
openlog('kolabconf', 'cons, pid', ($Kolab::config{'syslog_facility'} || 'user'));
getopts('dnh');
if ($opt_h) {
print <<'EOS';
kolabconf - Version @VERSION@
Usage: kolabconf [-d] [-n] [-h]
Option d (debug) to print out the current config.
Option n (noreload) to skip reloading services after changing configuration.
Option h (help) to get this text.
EOS
exit 0;
}
if ($opt_d) {
foreach my $key (sort keys %Kolab::config) {
my $value;
if( ref($Kolab::config{$key}) eq "ARRAY" ) {
$value = join( ", ", @{$Kolab::config{$key}});
} else {
$value = $Kolab::config{$key};
}
print "$key : " . $value . "\n";
}
exit 0;
}
my $do_reload = 1;
if($opt_n) {
$do_reload = 0;
}
if( !$Kolab::reloadOk ) {
my $msg = "Error loading configuration. Maybe the LDAP server is not running. Please check the system log for errors.";
print STDERR "$msg\n";
Kolab::log('KC', $msg);
exit(-1);
}
Kolab::log('KC', 'Rebuilding templates');
Kolab::Conf::rebuildTemplates;
Kolab::log('KC', 'Reloading kolab components');
if( $do_reload ) {
Kolab::Conf::reload;
}
Kolab::log('KC', 'Finished');
--- NEW FILE: kolabdcachetool.in ---
#!perl
use strict;
use Getopt::Long;
use DB_File;
use POSIX qw(strftime);
use Kolab;
my $progname = `basename $0`;
chomp($progname);
sub usage
{
print "Usage: $progname CACHE FUNCTION
where CACHE is one of `mbox' or `gyard' (i.e. the cache to operate
on) and FUNCION is one of `list', `delete' or `flush' (i.e. the
function to perform on CACHE)\n";
exit(1);
1;
}
my $cache = shift || usage;
my $func = shift || usage;
my (%db, %db2, %sorted);
usage if ($func !~ /list/i && $func !~ /del/i && $func !~ /flush/i);
Kolab::reloadConfig("@CONFIG_DIR@/kolab.globals");
if ($cache =~ /mbox/i) {
dbmopen(%db, $Kolab::config{'kolab_mailboxuiddb'}, 0666)
|| die "Unable to open mail uid cache";
} elsif ($cache =~ /gyard/i) {
dbmopen(%db, $Kolab::config{'graveyard_uidcache'}, 0666)
|| die "Unable to open graveyard uid cache";
dbmopen(%db2, $Kolab::config{'graveyard_tscache'}, 0666)
|| die "Unable to open graveyard timestamp cache";
} else { usage; }
my ($guid, $ts);
foreach $guid (keys %db) {
#$sorted{
$ts = "";
$ts = ", deleted " . strftime("%F %T", localtime($db2{$guid})) if exists($db2{$guid});
print "GUID: `$guid', mailbox: `" . $db{$guid} . "'$ts\n";
}
dbmclose(%db);
dbmclose(%db2);
--- NEW FILE: kolabd.in ---
#!perl
##
## Copyright (c) 2004 Klaraelvdalens Datakonsult AB
## Copyright (c) 2003 Code Fusion cc
##
## Writen by Stuart Bing?<s.binge at codefusion.co.za>
## Portions based on work by the following people:
##
## (c) 2003 Tassilo Erlewein <tassilo.erlewein at erfrakon.de>
## (c) 2003 Martin Konold <martin.konold at erfrakon.de>
## (c) 2003 Achim Frank <achim.frank at erfrakon.de>
##
##
## This program is free software; you can redistribute it and/or
## modify it under the terms of the GNU General Public License as
## published by the Free Software Foundation; either version 2, or
## (at your option) any later version.
##
## This program is distributed in the hope that it will be useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
## General Public License for more details.
##
## You can view the GNU General Public License, online, at the GNU
## Project's homepage; see <http://www.gnu.org/licenses/gpl.html>.
##
#
# Module prefixes in the logs:
# K: kolabd
# C: Config
# T: Templates
# L: LDAP
# Y: Cyrus
# B: Backend
# KC: kolabconf
# Anything else: the various backends
#
use strict;
use Sys::Syslog;
use IO::File;
use Kolab;
use Kolab::Util;
use Kolab::LDAP;
use Kolab::LDAP::Backend;
use vars qw(%pids);
Kolab::reloadConfig("@CONFIG_DIR@/kolab.globals");
openlog('kolabd', 'cons, pid', ($Kolab::config{'syslog_facility'} || 'user'));
# won't be needed now (i think)
# my $prefix = $Kolab::config{'prefix'};
my $pidfile = IO::File->new($Kolab::config{'kolab_pidfile'}, 'w+')
|| die "Unable to open PID file `$Kolab::config{'kolab_pidfile'}";
print $pidfile $$;
undef $pidfile;
sub sigInt
{
Kolab::Util::superLog('Kolab is shutting down');
Kolab::log('K', 'SIGINT/SIGTERM detected, kill()ing children');
foreach my $pid (keys %pids) {
kill('INT', $pid);
waitpid($pid, 0);
}
Kolab::LDAP::shutdown;
Kolab::log('K', 'Exiting');
exit(0);
}
sub sigHup
{
Kolab::log('K', 'Refreshing configuration');
foreach my $pid (keys %pids) {
kill('INT', $pid);
waitpid($pid, 0);
}
%pids = ();
Kolab::reloadConfig("@CONFIG_DIR@/kolab.globals");
Kolab::log('K', 'Synchronising');
Kolab::LDAP::sync;
Kolab::log('K', 'Reloading addressbook.peers');
Kolab::log('K', 'Finished refresh');
&run;
}
sub sigDie {
Kolab::log( 'K', $_[0], KOLAB_ERROR );
}
sub run
{
my $pid;
my $finished = 0;
foreach my $backend (keys %Kolab::LDAP::Backend::backends) {
Kolab::log('K', "Forking `$backend' listener");
$pid = fork;
if (!defined($pid)) {
Kolab::log('K', "Unable to fork `$backend' listener", KOLAB_ERROR);
exit(1);
}
if ($pid) {
$pids{$pid} = 1;
$finished++;
next;
}
Kolab::LDAP::Backend::run($backend);
Kolab::log('K', "`$backend' returned");
# exit with 0 status to avoid killing daemon
exit(0);
}
$SIG{'INT'} = \&sigInt;
$SIG{'TERM'} = \&sigInt;
$SIG{'HUP'} = \&sigHup;
$SIG{__DIE__} = \&sigDie;
Kolab::log('K', 'Listeners spawned, wait()ing');
while ($finished > 0) {
wait;
if ($?) {
Kolab::log('K', 'Abnormal child exit status encountered, aborting');
kill('INT', $$);
} else {
Kolab::log('K', 'Child terminated normally');
}
}
}
print 'kolabd - Kolab Backend Daemon
Copyright (c) 2004 Klaraelvdalens Datakonsult AB
Copyright (c) 2003 Code Fusion cc
Copyright (c) 2003 Tassilo Erlewein, Martin Konold, Achim Frank
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
';
Kolab::Util::superLog('Kolab is starting up');
eval {
Kolab::LDAP::startup($Kolab::config{'kolab_statedir'});
Kolab::log('K', 'Loading backends');
Kolab::LDAP::Backend::load;
Kolab::LDAP::Backend::load('user');
Kolab::LDAP::Backend::load('sf');
Kolab::log('K', 'Performing backend startup');
&Kolab::LDAP::Backend::startup;
Kolab::log('K', 'Synchronising');
Kolab::LDAP::sync;
Kolab::log('K', 'Synchronisation complete, starting up daemon');
run;
}; Kolab::log( 'K', $@, KOLAB_ERROR ) if $@;
--- NEW FILE: kolabpasswd.in ---
#!perl
# The kolabpasswd script is used for changing the manager password on a Kolab Server.
# In multi-location Kolab setups the script must be run on each individual host
# seperately.
# After changing the manager password it is highly recommended to restart
# the Kolab server.
# In the future this utility may be enhanced to allow to change the passwords of
# normal users and special system accounts.
## Copyright (c) 2004 Erfrakon
##
## (c) 2004 Tassilo Erlewein <tassilo.erlewein at erfrakon.de>
## (c) 2004 Martin Konold <martin.konold at erfrakon.de>
##
## This program is free software; you can redistribute it and/or
## modify it under the terms of the GNU General Public License as
## published by the Free Software Foundation; either version 2, or
## (at your option) any later version.
##
## This program is distributed in the hope that it will be useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
## General Public License for more details.
##
## You can view the GNU General Public License, online, at the GNU
## Project's homepage; see <http://www.gnu.org/licenses/gpl.html>.
use Term::ReadKey;
use IO::File;
use File::Temp;
use Net::LDAP;
use Kolab::Util;
use Kolab;
Kolab::reloadConfig("@CONFIG_DIR@/kolab.globals");
# won't be needed (i think)
# my $kolab_prefix = (getpwnam('kolab'))[7] || die "Error: could not determine the kolab directory prefix (e.g. /kolab)";
# Shell double-quote a string
# Borrored from Sysadm::Install
sub qquote {
my($str, $metas) = @_;
$str =~ s/([\\"])/\\$1/g;
if(defined $metas) {
$metas = '!$`' if $metas eq ":shell";
$metas =~ s/\]/\\]/g;
$str =~ s/([$metas])/\\$1/g;
}
return "\"$str\"";
}
# Hash a password
sub hashPassword {
my $pw = shift;
my $hashcmd = "$Kolab::config{'sbindir'}/slappasswd -s ".qquote($pw,":shell");
(my $hashpw = `$hashcmd`) or die $@;
chomp($hashpw);
return $hashpw;
}
# open old kolab master config file
my $kolabconfname = "@CONFIG_DIR@/kolab.conf";
# read old config data
my %config = readConfig($kolabconfname);
my $kolabconf = IO::File->new('@CONFIG_DIR@/kolab.conf','r')
|| die "kolabpasswd: Fatal Error: could not open kolab config at $kolabconfname";
my $account = 'manager';
my $account_dn = $config{'bind_dn'};
if( $#ARGV == 0 ) {
$account = $ARGV[0];
if( $account ne 'calendar' and $account ne 'nobody' and $account ne 'manager' ) {
die("$^X can only change the password for manager, nobody and calendar");
}
$account_dn =~ s/cn=manager/cn=$account/;
}
print "Changing password for $account";
# open ldap connection and verify old password
my $ldap = Net::LDAP->new( $config{'ldap_uri'})
|| die "\nkolabpasswd: Fatal Error: could not connect to LDAP Server";
do {
print "\nOld Password: ";
ReadMode 'noecho';
my $old_password = ReadLine 0; chomp $old_password;
$mesg = $ldap->bind( $account_dn, password => $old_password ) || die "\nkolabpasswd: Failed to bind to LDAP server";
if( $mesg->code ) { print "\nError: ".$mesg->error.". Please try again\n"; }
} while ( $mesg->code );
# read in new password
print "\nNew Password for $account: ";
ReadMode 'noecho';
my $new_password = ReadLine 0; chomp $new_password;
print "\nRe-enter New Password: ";
my $new_password2 = ReadLine 0; chomp $new_password2;
print "\n";
ReadMode 'normal';
($new_password eq $new_password2) || die "Sorry, passwords do not match.\n";
my $bind_pw_hash;
# create temporary config file
my $tmp = new File::Temp( TEMPLATE => 'tempXXXXX', DIR => '@CONFIG_DIR@', UNLINK => 0, SUFFIX => '.conf')
|| die "Error: could not create temporary file under @CONFIG_DIR@";
$tmpfilename = $tmp->filename;
$bind_pw_hash = hashPassword($new_password);
# copy and replace old config to temporary file
foreach ($kolabconf->getlines()) {
if( $account eq 'manager' ) {
if (/^(bind_pw\s:\s).*$/) {
print $tmp $1.$new_password."\n";
} else {
if (/^(bind_pw_hash\s:\s).*$/) {
print $tmp $1.$bind_pw_hash."\n";
} else {
print $tmp $_;
}
}
} elsif( $account eq 'calendar' ) {
if (/^(calendar_pw\s:\s).*$/) {
print $tmp $1.$new_password."\n";
} else {
print $tmp $_;
}
} elsif( $account eq 'nobody' ) {
if (/^(php_pw\s:\s).*$/) {
print $tmp $1.$new_password."\n";
} else {
print $tmp $_;
}
}
}
undef $tmp;
undef $kolabconf;
# open ldap connection and update manager password
$ldap = Net::LDAP->new( $config{'ldap_uri'})
|| die "Error: could not connect LDAP Server";
$ldap->bind( $config{'bind_dn'}, password => $config{'bind_pw'} )
|| die "Error: Failed to bind as manager to LDAP Server";
$ldap->modify($account_dn, replace => {'userPassword' => $bind_pw_hash } )
|| die "Error: could not update LDAP with new manager password";
$ldap->unbind;
undef $ldap;
# move temporary file to kolab master config
rename($tmpfilename,$kolabconfname) || die "Error: could not install new $kolabconfname";
system("chown $Kolab::config{'ldapserver_usr'}:$Kolab::config{'ldapserver_grp'} $kolabconfname");
print "Password changed successfully, please be patient...\n";
# trigger kolabd to run update
system("$Kolab::config{'kolabconf_script'} > /dev/null 2>&1");
exit 0;
--- NEW FILE: kolabquotareport.in ---
(This appears to be a binary file; contents omitted.)
--- NEW FILE: kolabquotawarn.in ---
(This appears to be a binary file; contents omitted.)
--- NEW FILE: kolab_smtpdpolicy.in ---
#!perl
## COPYRIGHT
## ---------
##
## See AUTHORS file
##
##
## LICENSE
## -------
##
## This program is free software; you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation; either version 2 of the License, or
## (at your option) any later version.
##
## This program is distributed in the hope that it will be useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
## GNU General Public License for more details.
##
## You should have received a copy of the GNU General Public License
## along with this program; if not, write to the Free Software
## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
##
## $Revision: 1.1 $
use strict;
use Fcntl;
use Sys::Syslog qw(:DEFAULT setlogsock);
use URI;
use Net::LDAP qw(LDAP_NO_SUCH_OBJECT);
use Net::LDAP::Entry;
use Net::hostent;
use Socket;
use Kolab::Util;
#
# Usage: kolab_smtpdpolicy [-v]
#
# kolabdelegated Postfix SMTPD policy server for Kolab. This server implements
# various policies for Kolab:
#
# 1) Only authenticated users can use sender <username>@$domain
# 2) Some distribution lists are only available to authenticated users
#
# Logging is sent to syslogd.
#
# How it works: each time a Postfix SMTP server process is started
# it connects to the policy service socket, and Postfix runs one
# instance of this PERL script. By default, a Postfix SMTP server
# process terminates after 100 seconds of idle time, or after serving
# 100 clients. Thus, the cost of starting this PERL script is smoothed
# out over time.
#
# To run this from /etc/postfix/master.cf:
#
# policy unix - n n - - spawn
# user=kolab-n argv=/usr/bin/perl /usr/libexec/postfix/kolab_smtpdpolicy
#
# To use this from Postfix SMTPD, use in /etc/postfix/main.cf:
#
# smtpd_recipient_restrictions =
# ...
# reject_unauth_destination
# check_policy_service unix:private/policy
# ...
# smtpd_sender_restrictions =
# ...
# check_policy_service unix:private/policy
# ...
#
# NOTE: specify check_policy_service AFTER reject_unauth_destination
# or else your system can become an open relay.
#
# To test this script by hand, execute kolab_smtpdpolicy, optionally
# with the option -v to print debugging output.
# Example for OpenPKG based installations:
#
# # su - kolab
# $ /kolab/etc/kolab/kolab_smtpdpolicy -v
#
# Each query is a bunch of attributes. Order does not matter, and
# the demo script uses only a few of all the attributes shown below:
#
# request=smtpd_access_policy
# protocol_state=RCPT
# protocol_name=SMTP
# helo_name=some.domain.tld
# queue_id=8045F2AB23
# sender=foo at bar.tld
# recipient=bar at foo.tld
# client_address=1.2.3.4
# client_name=another.domain.tld
# instance=123.456.7
# sasl_method=plain
# sasl_username=you
# sasl_sender=
# size=12345
# [empty line]
#
# The policy server script will answer in the same style, with an
# attribute list followed by a empty line:
#
# action=DUNNO
# [empty line]
#
#
# Syslogging options for verbose mode and for fatal errors.
# NOTE: comment out the $syslog_socktype line if syslogging does not
# work on your system.
#
my %conf;
my %attr;
my $ldap;
my $verbose;
my $syslog_socktype = 'unix'; # inet, unix, stream, console
my $syslog_facility="mail";
my $syslog_options="pid";
my $syslog_priority="info";
my $ldap_max_tries = 5;
#
# Read options from config-file
#
my $conf_allowunauth = 0;
%conf = readConfig( %conf, "@CONFIG_DIR@/kolab_smtpdpolicy.conf" );
my $conf_ldapuri = $conf{'ldap_uri'};
my $conf_basedn = $conf{'basedn'};
my $conf_binddn = $conf{'binddn'};
my $conf_bindpw = $conf{'bindpw'};
my @conf_domain = $conf{'domain'};
$conf_allowunauth = 1 if( $conf{'allow_unauth'} );
my @conf_permithosts = split /\s*,\s*/, $conf{'permithosts'};
sub mylog {
my $prio = shift;
my $fmt = shift;
my $text = sprintf( $fmt, @_ );
#Kolab::log( 'P', $text );
syslog $prio, $text;
print "$text\n";
}
sub contains {
my $needle = lc(shift);
my $haystack = shift;
map { return 1 if $needle eq lc($_) } @$haystack;
return 0;
}
sub ldap_connect {
my $ldapuri = URI->new($conf_ldapuri) || fatal_exit("error: could not parse given uri $conf_ldapuri");
$ldap = Net::LDAP->new($conf_ldapuri) || fatal_exit("could not connect ldap server $conf_ldapuri: $@");
if ($ldap) {
if( $conf_binddn ) {
$ldap->bind( $conf_binddn, password => $conf_bindpw )
|| fatal_exit( "could not bind as $conf_binddn: $@" );
} else {
$ldap->bind || fatal_exit("could not bind: $@");
}
} else {
fatal_exit( "Could not contact LDAP server" );
}
}
sub lookup_uid {
my $tries = 0;
my $uid = shift;
AGAIN:
my $mesg = $ldap->search( base=> $conf_basedn,
scope=> 'sub',
filter=> "(&(objectClass=kolabinetorgperson)(|(mail=$uid)(uid=$uid)))",
attrs => [ 'uid'] );
if( !$mesg->code && $mesg->count() > 0 ) {
mylog($syslog_priority, "LDAP search returned ".$mesg->count()." objects") if $verbose;
my $ldapobject = $mesg->entry(0);
$uid = lc($ldapobject->get_value('uid'));
mylog($syslog_priority, "Translated username to $uid") if $verbose;
} elsif( $mesg->code && $mesg->code != LDAP_NO_SUCH_OBJECT ) {
if( $tries++ <= $ldap_max_tries ) {
ldap_connect;
goto AGAIN;
} else {
mylog($syslog_priority, "LDAP Connection error during LOOKUPUID: ".
$mesg->error." after $ldap_max_tries attempts to reconnect. Giving up!" );
die( "LDAP Error looking up uid: ".$mesg->error );
}
}
return $uid;
}
sub check_permithosts {
my $client_addr = shift;
for my $host (@conf_permithosts) {
my $h;
unless ($h = gethost($host)) {
mylog($syslog_priority,"No such host $host\n");
next;
}
for my $addr ( @{$h->addr_list} ) {
return 1 if inet_ntoa($addr) eq $client_addr;
}
}
return undef;
}
sub lookup_sender_uids {
my $sender = shift;
my $tries = 0;
my @result;
AGAIN:
my $mesg = $ldap->search( base=> $conf_basedn,
scope=> 'sub',
filter=> "(&(objectClass=kolabinetorgperson)(|(mail=$sender)(alias=$sender)))",
attrs => [ 'uid', 'kolabDelegate' ]);
if( !$mesg->code && $mesg->count() > 0 ) {
mylog($syslog_priority, "LDAP search returned ".$mesg->count()." objects") if $verbose;
foreach my $entry ( $mesg->entries ) {
mylog($syslog_priority, lc($entry->get_value('uid')." is the uid of ".$sender)) if $verbose;
push @result, lc($entry->get_value('uid'));
my $delegate;
for $delegate ($entry->get_value('kolabDelegate')) {
$delegate = lookup_uid($delegate);
mylog($syslog_priority, lc($delegate)." is a delegate of ".$sender) if $verbose;
push @result, lc($delegate);
}
}
} elsif( $mesg->code && $mesg->code != LDAP_NO_SUCH_OBJECT ) {
if( $tries++ <= $ldap_max_tries ) {
ldap_connect;
goto AGAIN;
} else {
die( "LDAP Error looking up uid for sender: ".$mesg->error );
}
}
return @result;
};
sub check_dist_list {
my $username = shift;
my $recipient = shift;
my $tries = 0;
AGAIN:
if( !$username ) {
my $mesg = $ldap->search( base=> "cn=internal,".$conf_basedn,
scope=> 'one', filter=> "(&(mail=$recipient)(objectClass=kolabgroupofnames))");
if( !$mesg->code && $mesg->count() > 0 ) {
# Ups, recipient is a restricted list, reject
mylog( $syslog_priority, "Attempt from $username to access restricted list $recipient" ) if $verbose;
return undef;
} elsif( $mesg->code && $mesg->code != LDAP_NO_SUCH_OBJECT && $tries++ <= $ldap_max_tries ) {
mylog($syslog_priority, "LDAP Connection error during CHECKDISTLIST: ".$mesg->error.", trying to reconnect" );
ldap_connect;
goto AGAIN;
} elsif( $mesg->code ) {
mylog( $syslog_priority, "LDAP Error during CHECKDISTLIST: ".$mesg->error ) if $verbose;
# Just fall through and accept the message in case there was an LDAP problem.
}
}
return 1;
}
#
# SMTPD access policy routine. The result is an action just like
# it would be specified on the right-hand side of a Postfix access
# table. Request attributes are available via the %attr hash.
#
sub smtpd_access_policy {
# Get relevant attributes
my $sender = lc($attr{'sender'});
my $recipient = lc($attr{'recipient'});
my $username = lc($attr{'sasl_username'});
my $client_addr = lc($attr{'client_address'});
mylog($syslog_priority, "Checking sender=\"$sender\", recipient=\"$recipient\", username=\"$username\", domains=".join(',', at conf_domain)." permithosts=".join(',', at conf_permithosts).", conf_allowunauth=$conf_allowunauth") if $verbose;
# First check if the sender is a privileged kolabhost
# Kolab hosts use un-authenticated smtp currently
# We also just accept the email here is conf_allowunauth is set
return "DUNNO" if( !$username && ( $conf_allowunauth || check_permithosts($client_addr) ) );
# Reject anything else from unauthenticated users
# if conf_allowunauth is false
return "REJECT Access denied" if( !$username && !$conf_allowunauth );
eval{ $username = lookup_uid($username) }; return "DEFER_IF_PERMIT $@" if $@;
# See if sender is owned by someone
my @uids;
eval { @uids = lookup_sender_uids($sender) }; return "DEFER_IF_PERMIT $@" if $@;
if( scalar(@uids) > 0 ) {
if( contains( $username, \@uids ) ) {
mylog($syslog_priority, "$username using $sender is OK, accepting") if $verbose;
return "DUNNO";
} else {
mylog($syslog_priority, "$username trying to use $sender is NOT OK, rejecting") if $verbose;
return "REJECT Invalid sender";
}
} else {
# OK, here things get fishy! The above check
# ensures that nobody is using someone else's
# email address. That is perfectly valid, but
# people want tighter restrictions and disallow
# use of _any_ (real or imagined) email address
# that the user is not explicitly allowed to use.
# Do _have_ to allow the empty sender though,
# otherwise hell breaks loose...
if( $username ne '' && $sender ne '' ) {
mylog($syslog_priority, "$username trying to use $sender is NOT OK, rejecting") if $verbose;
return "REJECT Invalid sender";
}
}
# Check for valid access to restricted distribution lists
return "REJECT Access denied" unless check_dist_list($username, $recipient);
# The result can be any action that is allowed in a Postfix access(5) map.
#
# To label mail, return ``PREPEND'' headername: headertext
#
# In case of success, return ``DUNNO'' instead of ``OK'' so that the
# check_policy_service restriction can be followed by other restrictions.
#
# In case of failure, specify ``DEFER_IF_PERMIT optional text...''
# so that mail can still be blocked by other access restrictions.
mylog($syslog_priority, "sender $sender, recipient $recipient seems ok") if $verbose;
return "DUNNO";
}
#
# Log an error and abort.
#
sub fatal_exit {
my($first) = shift(@_);
mylog("err", "fatal: $first", @_);
print STDOUT "action=DEFER_IF_PERMIT $first\n\n";
exit 1;
}
#
# Signal 11 means that we have crashed perl
#
sub sigsegv_handler {
fatal_exit "Caught signal 11;";
}
$SIG{'SEGV'} = 'sigsegv_handler';
#
# This process runs as a daemon, so it can't log to a terminal. Use
# syslog so that people can actually see our messages.
#
setlogsock $syslog_socktype;
openlog $0, $syslog_options, $syslog_facility;
#
# Allow user to override on commandline
#
while (my $option = shift(@ARGV)) {
if ($option eq "-v") {
$verbose = 1;
} elsif ($option eq '-ldap') {
$conf_ldapuri = shift(@ARGV);
} elsif ($option eq '-basedn') {
$conf_basedn = shift(@ARGV);
} elsif ($option eq '-binddn' ) {
$conf_binddn = shift(@ARGV);
} elsif ($option eq '-bindpw' ) {
$conf_bindpw = shift(@ARGV);
} elsif ($option eq '-domain') {
push @conf_domain, shift(@ARGV);
} elsif ($option eq '-allow-unauth') {
$conf_allowunauth = 1;
} elsif ($option eq '-permithosts') {
@conf_permithosts = ();
for my $h (split /\s*,\s*/, shift(@ARGV)) {
push @conf_permithosts, $h;
}
} else {
mylog( $syslog_priority, "Invalid option: %s. Usage: %s [-v] -ldap <uri> -basedn <base_dn> [-binddn <bind_dn> -bindpw <bind_pw>] [-domain <domain>] [-permithosts <host,host,...>]",
$option, $0);
exit 1;
}
}
#
# Unbuffer standard output.
#
select((select(STDOUT), $| = 1)[0]);
if( $verbose ) {
mylog( $syslog_priority, "ldap=$conf_ldapuri, basedn=$conf_basedn, binddn=$conf_binddn");
}
ldap_connect;
#
# Receive a bunch of attributes, evaluate the policy, send the result.
#
while (<STDIN>) {
if (/([^=]+)=(.*)\n/) {
$attr{substr($1, 0, 512)} = substr($2, 0, 512);
} elsif ($_ eq "\n") {
if ($verbose) {
for (keys %attr) {
mylog( $syslog_priority, "Attribute: %s=%s", $_, $attr{$_});
}
}
fatal_exit("unrecognized request type: '".$attr{'request'}."'")
unless $attr{'request'} eq "smtpd_access_policy";
my $action = smtpd_access_policy();
mylog( $syslog_priority, "Action: %s", $action) if $verbose;
print STDOUT "action=$action\n\n";
%attr = ();
} else {
chop;
mylog( $syslog_priority, "warning: ignoring garbage: %.100s", $_);
}
}
--- NEW FILE: kolab_upgrade.in ---
#!perl
# (c) 2005 Steffen Hansen <steffen at klaralvdalens-datakonsult.se>
#
# This program is Free Software under the GNU General Public License (>=v2).
# Read the file COPYING that comes with this packages for details.
use Term::ReadKey;
use Kolab;
use Kolab::Util;
use Kolab::LDAP;
Kolab::reloadConfig("@CONFIG_DIR@/kolab.globals");
Kolab::LDAP::startup($Kolab::config{'kolab_statedir'});
# Utility functions
sub getLdapEntry {
my $ldap = shift;
my $dn = shift;
my $mesg = $ldap->search( base => $dn, scope => 'exact', filter => '(objectClass=*)' );
if( $mesg && $mesg->count() > 0 ) {
return $mesg->entry(0);
}
}
sub newOrExistingLDAPEntry {
my $ldap = shift;
my $dn = shift;
my $mesg = $ldap->search( base => $dn, scope => 'exact', filter => '(objectClass=*)' );
if( $mesg && $mesg->count() > 0 ) {
return $mesg->entry(0);
} else {
return Net::LDAP::Entry->new;
}
}
sub newkolabgroupofnames {
my $ldap = shift;
my $basedn = shift;
my $cn = shift;
if( scalar(@_) < 1 ) {
warn "kolabgroupofnames must contain at least one member";
}
my $ldapobject = newOrExistingLDAPEntry($ldap,"cn=$cn,$basedn");
$ldapobject->replace('cn' => $cn, 'objectclass' => ['top','kolabgroupofnames'],
'member' => @_);
$ldapobject->dn("cn=$cn,$basedn");
my $mesg = $ldapobject->update($ldap);
$mesg && $mesg->code && warn "failed to write entry: ", $mesg->error;
return $ldapobject;
}
print "Kolab Upgrade script from 2.0 to 2.1\n";
print "------------------------------------\n\n";
print "This will upgrade your Kolab LDAP database from version 2.0 to 2.1.\n";
print "Please back up everything before continuing\n\n";
print "Continue? [N/y]: ";
my $tmp = ReadLine;
chomp $tmp;
print "$tmp\n";
exit unless $tmp eq 'y';
# Connect to LDAP server
my $ldap_uri = $Kolab::config{'ldap_uri'};
my $ldap = Net::LDAP->new($ldap_uri, verify => 'none' ) || die "Could not connect ldap server $ldap_uri";
$ldap->bind($Kolab::config{'bind_dn'}, password=> $Kolab::config{'bind_pw'})
|| die "could not bind to ldap server $ldap_uri";
print "Fixing k=kolab object:\n";
my $kolab_object = getLdapEntry($ldap, 'k=kolab'.$Kolab::config{'base_dn'}) || die "Could not read Kolab LDAP object";
my $mydom = $kolab_object->get_value('postfix-mydomain');
my @mydest = @{$kolab_object->get_value('postfix-mydestination')};
foreach( @mydest ){
if( $_ eq "\$mydomain" ) {
print "Replacing postfix-mydestination: $_ with postfix-mydestination: $mydom\n";
$_ = $mydom;
}
}
$kolab_object->replace( 'postfix-mydestination' => \@mydest );
$kolab_object->update( $ldap );
print "Creating additional entries:\n";
# create domain groups topnode
print "Creating cn=domains,cn=internal,$base_dn\n";
my $ldapobject = newOrExistingLDAPEntry( $ldap, "cn=domains,cn=internal,$base_dn" );
$ldapobject->replace('cn' => 'domains', 'objectclass' => ['top','kolabnamedobject']);
$ldapobject->dn("cn=domains,cn=internal,$base_dn");
$mesg = $ldapobject->update($ldap);
$mesg && $mesg->code && warn "failed to write entry: ", $mesg->error;
# create domain-mainainter group
print "Creating cn=domain-maintainers,cn=internal,$base_dn\n";
newkolabgroupofnames( $ldap, "cn=internal,$base_dn", 'domain-maintainer', $Kolab::config{'bind_dn'} );
- Previous message: gunnar: server/perl-kolab AUTHORS, 1.4, 1.5 ChangeLog, 1.39, 1.40 MANIFEST, 1.4, 1.5 Makefile.PL, 1.7, 1.8 perl-kolab.spec, 1.102, 1.103
- Next message: gunnar: server/perl-kolab/lib Kolab.pm,1.24,1.25
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the commits
mailing list