PRUA - Program for Rational User Administration

Overview

Main purpose of this software is to really help UNIX system administrators in those tasks regarding users management.

This is not only a tool, it is a library which can be used in any kind of program. Indeed the command line tool here provided is only a possible use of this library.

Since it is not a numbers crunching nor a real time application, I chose the flexibility and power of a cool interpreted language, Python. Of course Prua library is a Python module.

Prua is a free piece of software licensed under GNU General Public License. Developing infrastructure is hosted by Savannah (project page).

Features

Summary of features and design goals I am currently pursuing:

• abstraction from the real method used for storing users and groups information (FI)
• simple and well defined interface usable to build from throw away scripts to full fledged tools (FI)
• may be used directly in the Python shell (FI)
• easy customization by system administrator (MI)
• user creation from multiple configurable templates (FI)
• modular design with plugins (MI)
• severe password checking (uses python-crack) (FI)
• integrated help system (PI)
• check of configuration validity (MI)
• setup of configuration (MI)

Here are some plugins:

• prua-file: interface to files like passwd and shadow (MI)
• prua-ldap: interface to LDAP server (uses python-ldap) (FI)
• prua-home: handler for automatic management of users' home directories (MI)
• prua-shell: handler gateway for shell scripts to be called on user processing (FI)
• prua-quota: handler for automatic management of users' disk quotas (W)
• prua-imap: handler for automatic creation of imap mailboxes (PI)

Some extras:

• python-setuid.c: C wrapper for execution of Python setuid scripts (MI)

(FI = fully implemented, MI = mostly implemented, PI = partially implemented, P = planned, W = wished but still not planned)

Documentation

Hot topic with ice-cold answer: there is not any documentation yet. The command line tool has an integrated help which should be enough for initial use. Please try "prua help".

Some examples of use follows.

Sample configuration file

<prua>
# comment

# this is the configuration for prua

plugins: prua-ldap, prua-home, prua-file

<Backend name="passwd" type="prua-file">
	passwd: /etc/passwd
	group: /etc/group
	shadow: /etc/shadow
	gshadow: /etc/gshadow
	Policy: md5
</Backend>

<Backend name="ldap" type="prua-ldap">
	Uri: ldap://localhost
	Binddn: cn=admin,dc=localnet
	Password: secret
	Base: dc=localnet
	Policy: md5
</Backend>

<Template name="default" backend="passwd">
	uid_min: 1000
	uid_max: 29999
	gid_min: 1000
	gid_max: 29999
	
	# if gid misses, a group with the same name of the user will be created
	gid: users

	# base pathname for user home directory
	home_base: /home

	shadowMin: 0
	shadowMax: 99999
	shadowWarning: 10
	shadowInactive: 30
	shadowExpire: -1
	shadowLastChange: 0

	<Handler type="prua-home">
		Skel: /etc/skel
	</Handler>
</Template>

<Template name="shared" type="ldap">
	uid_min: 30000
	uid_max: 39999
	gid_min: 30000
	gid_max: 39999

	# if gid misses, a group with the same name of the user will be created
	gid: users

	home_base: /home/shared

	shadowMin: 0
	shadowMax: 99999
	shadowWarning: 10
	shadowInactive: 30
	shadowExpire: -1
	shadowLastChange: 0

	<Handler type="prua-home">
		Skel: /etc/skel_shared
	</Handler>
</Template>

Sample command line invocations

$ prua help
Usage: prua [prua-options] <subcommand> [options] [args]
Type "prua help <subcommand>" for help on a specific subcommand.

Available subcommands:
  addgroup - add a new group
  adduser  - add a new user
  chage    - manage user password aging
  check    - check actual configuration
  delgroup - delete a group
  deluser  - delete a user
  help     - print detailed help
  license  - print conditions for copying
  modgroup - modify a group
  moduser  - modify a user
  setup    - setup actual configuration
$ prua check
manager initialized from file .pruarc...
 - templates: default, hi
checking templates...
 + default:
    - checking backend...
       . opening connection to ldap://localhost... succeeded
       . binding as cn=admin,dc=localnet... succeeded
       . checking base dc=localnet... succeeded
       . checking base ou=People,dc=localnet for users... succeeded
       . checking base ou=Group,dc=localnet for groups... failed (No such object)
       . closing connection... succeeded
 + hi:
    - checking backend...
       . opening connection to ldap://localhost... succeeded
       . binding as cn=admin,dc=localnet... succeeded
       . checking base dc=localnet... succeeded
       . checking base ou=People,ou=Prua,dc=localnet for users... failed (No such object)
       . checking base ou=Group,ou=Prua,dc=localnet for groups... failed (No such object)
       . closing connection... succeeded
$ prua setup default
manager initialized from file .pruarc...
 - templates: default, hi
setting up templates...
 + default:
    - setting up backend...
       . setting up base dc=localnet... failed (Already exists)
       . setting up base ou=People,dc=localnet for users... failed (Already exists)
       . setting up base ou=Group,dc=localnet for groups... done
$ prua adduser guest
New password: 
Re-enter new password: 
creating user guest...
$ prua chage -l guest
Minimum:            -1
Maximum:            -1
Warning:            -1
Inactive:           -1
Last Change:        Never
Password Expires:   Never
Password Inactive:  Never
Account Expires:    Never
$ prua chage -M 100 -W 7 -d 2003-03-31 guest
$ prua chage -l guest                            
Minimum:            -1
Maximum:            100
Warning:            7
Inactive:           -1
Last Change:        Mar 31, 2003
Password Expires:   Jul 09, 2003
Password Inactive:  Never
Account Expires:    Never
$ ldapsearch -x -b "dc=localnet" -LLL "(uid=guest)"
dn: uid=guest,ou=People,dc=localnet
uid: guest
loginShell: /bin/bash
uidNumber: 2000
gidNumber: 44
gecos: Tux Penguin
sn: Penguin
homeDirectory: /home/prua/guest
givenName: Tux
cn: Tux Penguin
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
shadowWarning: 7
shadowMax: 100
shadowLastChange: 12142

Sample Python session

$ python   
Python 2.2.3 (#1, Jun  4 2003, 02:54:59) 
[GCC 3.3 (Debian)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import prua
>>> manager = prua.init(".pruarc")
manager: loading plugin prua-ldap at prua/plugin/prua-ldap.py...
manager: loading plugin prua-home at prua/plugin/prua-home.py...
manager: loading plugin prua-shell at prua/plugin/prua-shell.py...
>>> users = manager.query_user(username = "guest")
>>> len(users)
1
>>> u = users[0]
>>> print u
template name: default
username: guest
uid: 2000 (2000)
gid: 44 (44)
home: /home/prua/guest (/home/prua/guest)
shell: /bin/bash (/bin/bash)

firsname: Tux (Tux)
lastname: Penguin (Penguin)
gecos: Tux Penguin (Tux Penguin)

email: None (None)
home phone: None (None)
cellular phone: None (None)

shadowMin: None (None)
shadowMax: 100 (100)
shadowWarning: 7 (7)
shadowInactive: None (None)
shadowExpire: None (None)
shadowLastChange: 12142 (12142)
>>> g=manager.new_group("guest")
>>> print g
template name: default
groupname: guest
gid: 2000 (None)
>>> g.commit()
>>> u.gid=g.gid
>>> u.shell="/bin/zsh"
>>> u.firstname="Guest"  
>>> u.lastname="User"
>>> u.commit()
$ ldapsearch -x -b "dc=localnet" -LLL "(uid=guest)"
dn: uid=guest,ou=People,dc=localnet
uid: guest
uidNumber: 2000
gidNumber: 2000
gecos: Tux Penguin
homeDirectory: /home/prua/guest
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
shadowWarning: 7
shadowMax: 100
shadowLastChange: 12142
loginShell: /bin/zsh
sn: User
givenName: Guest
cn: Guest User
$

Download

Until now no public releases have been made. Anyway public CVS repository is available for anonymous use.

Contacts

It is available the prua-devel mailing list where is possible to talk about anything regarding Prua and its evolution. If you prefer, you can contact me directly. Write to Domenico Andreoli.