From cda7b5b02614be0e9bb9772b229835fc59d72b4b Mon Sep 17 00:00:00 2001
From: Mercier Pierre-Olivier
Date: Thu, 7 Nov 2013 14:46:28 +0100
Subject: [PATCH] LPT: fix grant-lab and add delete account capability
---
ACU/LDAP.pm | 6 +--
utils/lpt | 108 +++++++++++++++++++++++++++++++++++++++++++++-------
2 files changed, 98 insertions(+), 16 deletions(-)
diff --git a/ACU/LDAP.pm b/ACU/LDAP.pm
index 5e7e229..04b94e7 100644
--- a/ACU/LDAP.pm
+++ b/ACU/LDAP.pm
@@ -193,9 +193,9 @@ sub get_dn($$@)
base => "$dn",
filter => Net::LDAP::Filter->new("(objectClass=*)"),
attrs => \@_,
- scope => "sub"
+ scope => "base"
);
- if ($mesg->code != 0) { log(WARN, $mesg->error); return undef; }
+ return undef if ($mesg->code != 0);
if ($mesg->count != 1) { log(WARN, "$dn not found or multiple entries match"); return undef; }
return $mesg->entry(0);
@@ -331,7 +331,7 @@ sub search_dn($$@)
attrs => [ ],
scope => "sub"
);
- croak($mesg->error) if ($mesg->code != 0);
+ return undef if ($mesg->code != 0);
croak("$filter not found") if ($mesg->count == 0);
croak("$filter not unique") if ($mesg->count > 1);
diff --git a/utils/lpt b/utils/lpt
index e760ed0..c96d936 100755
--- a/utils/lpt
+++ b/utils/lpt
@@ -73,6 +73,7 @@ my %cmds_account =
"close" => \&cmd_account_close,
"cn" => \&cmd_account_cn,
"create" => \&cmd_account_create,
+ "delete" => \&cmd_account_delete,
"finger" => \&cmd_account_view,
"mail" => \&cmd_account_mail,
"name" => \&cmd_account_cn,
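Review bot: `return undef if ($mesg->code != 0);` in get_dn drops the WARN that the removed line emitted, so a failed search (bind or permission problem, timeout, referral) now yields the same undef as "entry does not exist" and leaves no trace in the log; the same silent return replaces the croak in the search_dn hunk at -331. Callers in this patch cannot tell the two apart: the new OU check in cmd_account_create treats the undef as "OU missing" and proceeds to create it, and search_dn's callers hand the undef DN straight to get_dn or delete_entry. Keep the diagnostic at a quieter level, `if ($mesg->code != 0) { log(DEBUG, "$dn: ", $mesg->error); return undef; }`, and give search_dn the same treatment, so error and absence stay distinguishable for whoever reads the log afterwards. Both subs start before their hunks.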
@@ -259,11 +260,31 @@ sub cmd_account_create($@)
log(DEBUG, "Adding dn: uid=$login,ou=$group,ou=users,dc=acu,dc=epita,dc=fr ...");
my $ldap = LDAP::ldap_connect();
- my $mesg = $ldap->add( "uid=$login,ou=$group,ou=users,dc=acu,dc=epita,dc=fr",
+
+ # Check if the OU exists
+ my $oudn = "ou=$group,ou=users,dc=acu,dc=epita,dc=fr";
+ my $ou = LDAP::get_dn($ldap, $oudn);
+
+ if (! $ou)
+ {
+ my $mesg = $ldap->add( "$oudn",
+ attrs => [
+ objectclass => [ "top", "organizationalUnit" ],
+ ou => "$group",
+ ]
+ );
+ if ($mesg->code == 0) {
+ log(INFO, "New OU created: $oudn");
+ } else {
+ log(WARN, "Unable to add new OU $oudn: ", RESET, $mesg->error);
+ }
+ }
+
+ my $mesg = $ldap->add( "uid=$login,$oudn",
attrs => [
objectclass => [ "top", "epitaAccount" ],
uidNumber => shift,
- cn => shift(@_)." ".shift(@_),
+ cn => ucfirst(shift(@_))." ".ucfirst(shift(@_)),
mail => "$login\@epita.fr",
uid => $login,
]
@@ -271,10 +292,11 @@ sub cmd_account_create($@)
#$ldap->unbind or die ("couldn't disconnect correctly");
- if ($mesg->code == 0) {
+ if ($mesg->code == 0)
+ {
log(INFO, "Account added: $login");
my $pass = shift;
- return cmd_account($login, $pass) if ($pass ne "nopass");
+ return cmd_account($login, $pass, @_) if ($pass ne "nopass");
return 0;
} else {
@@ -282,6 +304,28 @@ sub cmd_account_create($@)
}
}
+sub cmd_account_delete($@)
+{
+ my $login = shift;
+
+ my $ldap = LDAP::ldap_connect();
+
+ my $dn = LDAP::search_dn($ldap, "ou=users", "uid=$login");
+
+ log(DEBUG, "Deleting dn: $dn ...");
+
+ if (LDAP::delete_entry($ldap, $dn))
+ {
+ log DONE, "Account ", YELLOW, $login, RESET, " successfully deleted.";
+ return 0;
+ }
+ else
+ {
+ log ERROR, "Unable to delete account ", YELLOW, $login, RESET, ".";
+ return 1;
+ }
+}
+
sub cmd_account_grantintra($@)
{
my $login = shift;
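Review bot: With the new OU block, `$group`, taken straight from the command line, is interpolated into `$oudn` and, whenever get_dn returns undef, used to create an arbitrary `ou=...` under `ou=users`; before this change an unknown group presumably just made the account add fail. A value containing DN metacharacters (`,`, `=`, `+`) also rewrites the structure of the DN instead of failing. Validate `$group` before building the DN, e.g. `return 1 unless $group =~ /\A[a-z0-9-]+\z/;` together with a USAGE message like the one grant-lab prints, or restrict it to the known groups, and run it through `Net::LDAP::Util::escape_dn_value` if free-form names must be supported. Note also that get_dn returns undef on a search error as well as on a missing entry, so a transient failure now results in an OU add attempt. cmd_account_create begins before this hunk.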
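Review bot: `$dn` from search_dn is used in the new sub without a definedness check, and with the LDAP.pm change in this same patch search_dn returns undef on a search error, so `LDAP::delete_entry($ldap, $dn)` can be reached with an undefined DN; add `return 1 unless defined $dn;` right after the search. Since the POD added later in this patch says an account must never be deleted but closed, the destructive path deserves an explicit confirmation, or a refusal unless the caller opts in, rather than running on a single positional argument. The two `log DONE, ...` and `log ERROR, ...` calls use the bareword form where the rest of the file writes `log(...)`; the parenthesised form avoids depending on how the file's own `log` is declared to win over the builtin of the same name. The sub also never calls `$ldap->unbind`, unlike grant-lab.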
@@ -300,27 +344,58 @@ sub cmd_account_grantintra($@)
sub cmd_account_grantlab($@)
{
my $login = shift;
- my $group = shift;
+ my $group = shift // "";
- if ($group ne "acu" && $group ne "yaka") {
- log(USAGE, "lpt account grantlab ");
+ if ($group ne "acu" && $group ne "yaka" && $group ne "ferry")
+ {
+ log(USAGE, "lpt account grant-lab ");
return 1;
}
my $ldap = LDAP::ldap_connect();
my $dn = LDAP::search_dn($ldap, "ou=users", "uid=$login");
+ my $entry = LDAP::get_dn($ldap, $dn, "objectClass", "mail", "mailAlias", "mailAccountActive", "loginShell", "homeDirectory", "gidNumber");
if (!LDAP::get_attribute($ldap, $dn, "mail")) { LDAP::add_attribute($ldap, $dn, "mail", "$login\@epita.fr"); }
- LDAP::add_attribute($ldap, $dn, "mailAlias", "$login\@$group.epita.fr");
- LDAP::update_attribute($ldap, $dn, "mailAccountActive", "yes");
- LDAP::add_attribute($ldap, $dn, "objectClass", "MailAccount");
- LDAP::add_attribute($ldap, $dn, "objectClass", "labAccount");
+ if ($group eq "acu" || $group eq "yaka")
+ {
+ if (!
grep { $_ eq "MailAccount" } @{ $entry->get_value("objectClass") })
+ {
+ $entry->replace("mailAccountActive" => [ "yes" ]);
- log(INFO, "$login now grants to receive e-mail and connect in laboratory.");
+ my @oc = $entry->get_value("objectClass");
+ push @oc, "MailAccount";
+ $entry->replace("objectClass" => \@oc);
+
+ my @aliases = $entry->get_value("mailAlias");
+ push @aliases, "$login\@$group.epita.fr";
+ $entry->replace("objectClass" => \@aliases);
+ }
+
+ $entry->replace("loginShell" => [ "/bin/zsh" ]) if ($entry->get_value("loginShell"));
+ $entry->replace("homeDirectory" => [ "/home/201X/$login" ]) if ($entry->get_value("homeDirectory"));
+ $entry->replace("gidNumber" => [ "4242" ]) if ($entry->get_value("gidNumber"));
+ }
+ elsif ($group eq "ferry")
+ {
+ $entry->replace("loginShell" => [ "/bin/noexists" ]);
+ $entry->replace("homeDirectory" => [ "/dev/null" ]);
+ $entry->replace("gidNumber" => [ "4243" ]);
+ }
+
+ my @oc = $entry->get_value("objectClass");
+ push @oc, "labAccount";
+ $entry->replace("objectClass" => \@oc);
+
+ my $mesg = $entry->update($ldap) or die $!;
+ if ($mesg->code != 0) { log(WARN, $mesg->error); return 0; }
+
+ log(INFO, "$login now grants to receive e-mail and connect in laboratory.") if ($group eq "acu" || $group eq "yaka");
+ log(INFO, "$login now grants to connect in laboratory for exam.") if ($group eq "ferry");
$ldap->unbind or die ("couldn't disconnect correctly");
}
@@ -1855,10 +1930,12 @@ B I
Give rights to the user to access the intranet.
-B I
+B I
Give rights to the user to access intern systems of the laboratory (SSH, Unix, ...)
+ If ferry is given, open an account for exam only, with restricted rights.
+
B I
Give rights to the user to receive e-mails.
@@ -1871,6 +1948,11 @@ B I
This is used to close an existing account.
+B I
+
+ This is used to delete an existing account.
+ NEVER DELETE AN ACCOUNT, close it instead.
+
B I [new-mail]
This is used to display, or change if [new-mail] is given, the account contact adress.
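Review bot: `$entry->replace("objectClass" => \@aliases);` writes the mail aliases into objectClass, discarding the list that was just extended with MailAccount, so the entry loses its object classes and never gains a mailAlias; the attribute name should be `$entry->replace("mailAlias" => \@aliases);`. `$entry` comes from get_dn, which in this patch returns undef on a search error or a non-unique result, so the `$entry->get_value(...)` calls that follow die on an undefined value; add `return 1 unless $entry;` right after the lookup. The failure branch `if ($mesg->code != 0) { log(WARN, $mesg->error); return 0; }` returns the success code used by every other path, and `or die $!` on `$entry->update($ldap)` cannot fire because update hands back a Net::LDAP::Message object, which is always true, while `$!` holds the OS errno rather than an LDAP result — presumably `return 1` was intended there. `"/home/201X/$login"` reads like a placeholder rather than a real home directory and should be confirmed before this lands.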