New build path variable

[freeradius.git] / scripts / radiusd2ldif.pl

#!/usr/bin/perl

# radius2ldif.pl
#
#        To test this program, do the following
#Take a radius users' file, for example with:
#
#myuser Password = "apassword"
#        User-Service = Framed-User,
#        Framed-Protocol = PPP,
#        Framed-Address = 255.255.255.255,
#        Framed-Netmask = 255.255.255.255,
#        Ascend-Metric = 2,
#        Framed-Routing = None,
#        Framed-Compression = 0,
#        Ascend-Idle-Limit = 0,
#        Ascend-Maximum-Time = 36000
#
#and do:
#
#cat users | ./radius2ldif
#
#Output is:
#dn: cn=myuser, ou=Hardware, ou=EDUCAMADRID, ou=People, o=icm.es
#objectclass: top
#objectclass: person
#objectclass: radiusprofile
#cn: myuser
#sn: myuser
#userpassword: apassword
#radiusServiceType: Framed-User
#radiusFramedProtocol: PPP
#radiusFramedIPAddress: 255.255.255.255
#radiusFramedIPNetmask: 255.255.255.255
#radiusFramedRouting: None
#radiusFramedCompression: 0
#
#dn: ou=RadiusUser, ou=Groups, o=icm.es
#description: RadiusUser
#objectclass: top
#objectclass: groupOfUniqueNames
#cn: RadiusUser
#uniquemember: dn: cn=myuser, ou=Hardware, ou=EDUCAMADRID, ou=People, o=icm.es
#
# (c) 2000 Javier Fern'andez-Sanguino Pen~a  <jfs@computer.org>
# -------------------------------------------------------------------------
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program; if not, write to the Free Software
#    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
# -----------------------------------------------------------------------


# TODO:
# currently does not encrypt passwords (takes them from outside file)

# Command line options
# -d : debugging output
# -p : give only password
# -m : set entry to modify ldap attributes
# -f : read encrypted passwords from file
use Getopt::Std;
getopts('dpmf:');
$debug = $opt_d;

%passwords;
# This might or might not be necessary depending if your LDAP server
# when importing from ldif introduces crypted passwords in the LDAP db
# (not necessary for Netscape's Directory Server)
read_passwds ($opt_f) if $opt_f;

# USER CONFIGURATION
# ------------------
$usermatch = ".*"; # only add users matching this
# WARNING: in order to add  *all* users set this to ".*" NOT ""

# LDAP configuration
$domain = "o=icm.es";
$basedn = ", ou=Hardware, ou=EDUCAMADRID, ou=People, $domain";
$predn = "dn: cn=";
$uniquemembers = 1;
$groupname = "RadiusUser"; # group to add in the LDAP, if null will not add
$group = "\n\ndn: ou=$groupname, ou=Groups, $domain";
# Only useful for adding the group (not yet implemented)
$addgroup = $group."\ndescription: $groupname\nobjectclass: top";
if ( $uniquemembers ) {
$addgroup = $addgroup."\nobjectclass: groupOfUniqueNames";
} else {
$addgroup = $addgroup."\nobjectclass: groupOfNames";
}
$addgroup = $addgroup."\ncn: $groupname";
# The following group must be created first
# (ldif entry), the script will *not* create it
#cn=$group,ou=Groups,o=icm.es
#description=whatever
#objectclass=top
#objectclass=groupOfUniqueNames
# (or objectclass=groupOfNames)
#cn=$group
# Required: person (for userpasswords) and radiusprofile (<draft-aboba-radius-02.txt> 5 February 1998)
@objectClass = ( "top", "person" , "radiusprofile" );


# Mapping of entries (use lower case so no check needs to be make)
# From freeradius: rlm_ldap.c
#        { "radiusServiceType", "Service-Type" },
#        { "radiusFramedProtocol", "Framed-Protocol" },
#        { "radiusFramedIPAddress", "Framed-IP-Address" },
#        { "radiusFramedIPNetmask", "Framed-IP-Netmask" },
#        { "radiusFramedRoute", "Framed-Route" },
#        { "radiusFramedRouting", "Framed-Routing" },
#        { "radiusFilterId", "Filter-Id" },
#        { "radiusFramedMTU", "Framed-MTU" },
#        { "radiusFramedCompression", "Framed-Compression" },
#        { "radiusLoginIPHost", "Login-IP-Host" },
#        { "radiusLoginService", "Login-Service" },
#        { "radiusLoginTCPPort", "Login-TCP-Port" },
#        { "radiusCallbackNumber", "Callback-Number" },
#        { "radiusCallbackId", "Callback-Id" },
#        { "radiusFramedRoute", "Framed-Route" },
#        { "radiusFramedIPXNetwork", "Framed-IPX-Network" },
#        { "radiusClass", "Class" },
#        { "radiusSessionTimeout", "Session-Timeout" },
#        { "radiusIdleTimeout", "Idle-Timeout" },
#        { "radiusTerminationAction", "Termination-Action" },
#        { "radiusCalledStationId", "Called-Station-Id" },
#        { "radiusCallingStationId", "Calling-Station-Id" },
#        { "radiusLoginLATService", "Login-LAT-Service" },
#        { "radiusLoginLATNode", "Login-LAT-Node" },
#        { "radiusLoginLATGroup", "Login-LAT-Group" },
#        { "radiusFramedAppleTalkLink", "Framed-AppleTalk-Link" },
#        { "radiusFramedAppleTalkNetwork", "Framed-AppleTalk-Network" },
#        { "radiusFramedAppleTalkZone", "Framed-AppleTalk-Zone" },
#        { "radiusPortLimit", "Port-Limit" },
#        { "radiusLoginLATPort", "Login-LAT-Port" },
# You can change to the mappings below like this
# cat radius2ldif.pl | grep ^# | \
# perl -ne 'if ( /\{ \"(.*?)\", \"(.*?)\" \}/ ) \
# { $attr=lc $2; print "\$mapping{\"$attr\"} = \"$1\";\n" ; } '


# Warning: sometimes password must be encrypted before sent to the LDAP
# Which Perl libraries are available? Only way I find is through
# Netscape's NDS getpwenc.
# However NDS does the cyphering even if sending plain passwords
# (do all LDAP's do this?)
# TODO: test with OpenLDAP
$mapping{'password'} = "userpassword";
$mapping{'service-type'} = "radiusServiceType";
$mapping{'framed-protocol'} = "radiusFramedProtocol";
$mapping{'framed-ip-address'} = "radiusFramedIPAddress";
$mapping{'framed-ip-netmask'} = "radiusFramedIPNetmask";
$mapping{'framed-route'} = "radiusFramedRoute";
$mapping{'framed-routing'} = "radiusFramedRouting";
$mapping{'filter-id'} = "radiusFilterId";
$mapping{'framed-mtu'} = "radiusFramedMTU";
$mapping{'framed-compression'} = "radiusFramedCompression";
$mapping{'login-ip-host'} = "radiusLoginIPHost";
$mapping{'login-service'} = "radiusLoginService";
$mapping{'login-tcp-port'} = "radiusLoginTCPPort";
$mapping{'callback-number'} = "radiusCallbackNumber";
$mapping{'callback-id'} = "radiusCallbackId";
$mapping{'framed-ipx-network'} = "radiusFramedIPXNetwork";
$mapping{'class'} = "radiusClass";
$mapping{'session-timeout'} = "radiusSessionTimeout";
$mapping{'idle-timeout'} = "radiusIdleTimeout";
$mapping{'termination-action'} = "radiusTerminationAction";
$mapping{'called-station-id'} = "radiusCalledStationId";
$mapping{'calling-station-id'} = "radiusCallingStationId";
$mapping{'login-lat-service'} = "radiusLoginLATService";
$mapping{'login-lat-node'} = "radiusLoginLATNode";
$mapping{'login-lat-group'} = "radiusLoginLATGroup";
$mapping{'framed-appletalk-link'} = "radiusFramedAppleTalkLink";
$mapping{'framed-appletalk-network'} = "radiusFramedAppleTalkNetwork";
$mapping{'framed-appletalk-zone'} = "radiusFramedAppleTalkZone";
$mapping{'port-limit'} = "radiusPortLimit";
$mapping{'login-lat-port'} = "radiusLoginLATPort";

# Must be added to rlm_ldap.c (change this to suite your needs)
# (really not all since they are in the /etc/raddb/dictionary.compat)
$mapping{'framed-address'} = "radiusFramedIPAddress";
$mapping{'framed-ip-route'} = "radiusFramedRoute";
$mapping{'framed-netmask'} = "radiusFramedIPNetmask";
$mapping{'user-service'} = "radiusServiceType";
# Since this might not change they could be placed in the DEFAULT
# user insted of the LDAP
#$mapping{'ascend-metric'} = "radiusAscendMetric";
#$mapping{'ascend-idle-limit'} = "radiusAscendIdleLimit";
# But this really ought to be there :
$mapping{'callback_number'} = "radiusCallbackNumber";


# Footer of ldif entries
$footer = "\n\n";
$startentry = 0;

while ($line=<STDIN>) {
        chomp $line;
        if ( $line =~ /^[\s\t]*$/  && $startentry) {
                $startentry = 0 ;
                print $footer;
        }
        # Start line is hardcoded must be uid followed by password
        # this could be changed to use any other parameter however
        if ( $line =~ /^(\w+)\s*\t*(?:User-)?Password=(\w+)/ ) {
                $uid = $1;
                $password= $2;
                $password = $passwords{$password} if $opt_f;
        if ( $uid =~ /$usermatch/ ) {
                $startentry = 1;
                $dn=$predn.$uid.$basedn; # Start of LDIF entry
                $header = "$dn\n";
                push @userlist, $dn;
                if ( $opt_m ) {
                        $header= $header."changetype: modify\n";
                } else {
                        for (my $i=0; $i < $#objectClass+1; $i++) {
                                $header = $header."objectclass: ".$objectClass[$i]."\n";
                        }
                }
                print $header if !$opt_m;
                print_entry ("cn",$uid);
                print_entry ("sn",$uid);
                # The following might be necessary (depending on the groups)
                # of the object
                #print "replace: uid\n" if $opt_m;
                #print "uid: $uid\n";
                #print "replace: givenname\n" if $opt_m;
                #print "givenname: $uid\n";
                print_entry ($mapping{'password'},$password);
        }
        }
        # Do this only for entries detected
        if ( $startentry  && ! $opt_p ) {
                #Take anything that starts with a tab or spaces
                # and ends (sometimes) with a comma
                if ( $line =~ /^[\t\s]+(.*?)\s+=\s+(.*?),*$/ ) {
                        $parameter = lc $1;
                        $value = $2;
                        print "DEBUG: Got :$parameter=$value\n" if $debug;
                        if ( defined $mapping{$parameter}  && $mapping{$parameter} ne "" ) {
                                print_entry ($mapping{$parameter},$value);
                        } # of if defined mapping
                        else {
                                print "DEBUG: Parameter $parameter not known\n" if $debug;
                                }
                } # of if line
        } # of if startentry

} # of while


# The list of users in the group
if ( $group ) {
        if ( ! $opt_m ) {
                print "$addgroup\n";
        }
        else {
                print "\n\n$group\n";
                print "changetype: modify\n" ;
        }
        foreach $user ( @userlist ) {
                $member = "member: ";
                $member = "uniquemember: " if $uniquemembers;
                print "$member$user\n";
        }
}

exit 0;

sub read_passwds {
# Reads passwords from a file in order to get the crypted
# version, the file must be of the following format:
# password      cryptedversion
        my ($file)=@_;
        open (PASSWD,"< $file") or die ("Could not open $file: $!\n");

        while ($line = <PASSWD>) {
                chomp $line;
                if ( $line =~ /^(\w+)[\t\s]+(.*?)$/ ) {
                        $passwords{$1}=$2;
                }
        }
        close PASSWD;

        return 0;
}

sub print_entry {
# Prints and ldif entry given name and value
# if this is a modification it will print header and footer
        my ($name, $value) = @_;
        print $header."replace: $name\n" if $opt_m;
        print $name.": ".$value."\n";
        print $footer if $opt_m;
        return 0;
}