'ldapdeleteuser' does not remove user from additional LDAP groups

Bug #1292143 reported by matej pastor
This bug affects 2 people
Affects: ldapscripts (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Kam Nasim

Bug Description

I have created an LDAP posixAccount user and put him in an additional group. After deleting this user, he still remains in this additional group. It is a security issue if the additional group is e.g. a sudoers group, because if the same user is created again, he is automatically a member of this group.

matej pastor (matejik) wrote :

Linux server 3.2.0-60-generic #91-Ubuntu SMP Wed Feb 19 03:55:18 UTC 2014 i686 i686 i386 GNU/Linux

Distributor ID: Ubuntu
Description: Ubuntu 12.04.4 LTS
Release: 12.04
Codename: precise

ldapscripts-2.0.1-1ubuntu1

matej pastor (matejik)
summary: - 'ldapdeleteuser' does not remove user from all LDAP groups
+ 'ldapdeleteuser' does not remove user from additional LDAP groups
description: updated
Kam Nasim (knasim-wrs) wrote :

Yes, agreed, this is a security concern. Consider the scenario where an employee leaves the company and then rejoins, only to have all his previous group memberships automatically renewed without the admin having any knowledge of this.

I have the following patch applied in my ldapscripts:

---
 lib/runtime | 7 +
 sbin/ldapdeleteuser | 25 ++++-

--- a/lib/runtime
+++ b/lib/runtime
@@ -620,6 +620,13 @@ _findentry () {
   _ENTRY=$(_ldapsearch "$1" "$2" dn | grep "dn: " | head -n 1 | sed "s|dn: ||")
 }

+# Finds a list of entries in the LDAP directory
+# Input : base ($1), filter ($2)
+# Output : an array of dns for all the matching entries found ($_ENTRYLIST)
+_findentrylist () {
+ _ENTRYLIST=( $(_ldapsearch "$1" "$2" dn | grep "dn: " | sed "s|dn: ||") )
+}
+
 # Get a particular attribute from LDAP
 # Input : entry DN ($1), attribute ($2)
 # Output : the requested attribute of the entry ($_ATTRIBUTE)
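Review bot: `_ENTRYLIST=( $(...) )` word-splits the ldapsearch output on IFS, so a DN that contains a space (a group such as `cn=web admins,ou=Groups,...`) is broken into two or more array elements and every later modify against those fragments targets DNs that do not exist; the unquoted substitution also exposes the DNs to pathname expansion. Read the output line by line instead, e.g. `while IFS= read -r dn; do ...; done` over `_ldapsearch "$1" "$2" dn | sed -n 's/^dn: //p'`, or at minimum set `IFS=$'\n'` and `set -f` around the assignment. Note also that array syntax is a bashism: if lib/runtime is sourced by scripts that run under /bin/sh (dash on Ubuntu), `_ENTRYLIST=( ... )` and `"${_ENTRYLIST[@]}"` will not parse, so either the shebang of the callers or this helper has to change.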
--- a/sbin/ldapdeleteuser
+++ b/sbin/ldapdeleteuser
@@ -37,9 +37,30 @@ _findentry "$USUFFIX,$SUFFIX" "(&(object
 # Delete entry
 _ldapdelete "$_ENTRY" || end_die "Error deleting user $_ENTRY from LDAP"

-
 # Optionally, delete the sudoer entry if it exists
 _ldapdeletesudo $1
 [ $? -eq 2 ] && end_die "Found sudoEntry for user $_ENTRY but unable to delete"

-end_ok "Successfully deleted user $_ENTRY from LDAP"
+# Finally, delete this user from all groups for which this was a memberUid
+_findentrylist "$SUFFIX" "(&(objectClass=posixGroup)(memberUid=$1))"
+if [ ! -z "$_ENTRYLIST" ]; then
+ _UID="$1" # needed by Ldif
+ # Stow the user entry for later
+ userEntry="$_ENTRY"
+ for _ENTRY in "${_ENTRYLIST[@]}"; do
+ # Modify group entry
+ _extractldif 2 | _filterldif | _utf8encode | _ldapmodify
+ done
+fi
+
+
+end_ok "Successfully deleted user $userEntry from LDAP"
+
+# Ldif templates #################################
+#
+# PosixGroup (level "2") :
+##dn: <entry>
+##changetype: modify
+##delete: <gmemberattr>
+##<gmemberattr>: <uid>
+#
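Review bot: `userEntry` is only assigned inside the `if [ ! -z "$_ENTRYLIST" ]` block, so when the deleted user was in no group the final `end_ok "Successfully deleted user $userEntry from LDAP"` prints an empty name; set `userEntry="$_ENTRY"` before the `_findentrylist` call (or right after the `_ldapdelete`). Inside the loop the exit status of `_extractldif 2 | _filterldif | _utf8encode | _ldapmodify` is never checked, so a failed membership removal, the very thing this patch exists to guarantee, still ends with the success message; add `|| end_die "Error removing $1 from group $_ENTRY"` as the other `_ldap*` calls in this file do. The search filter also hard-codes `objectClass=posixGroup` and `memberUid` while the Ldif template uses the configurable `<gmemberattr>`; build the filter from the same configuration that fills `<gmemberattr>` so a deployment with a different member attribute does not silently find no groups. Finally `$1` goes into the filter unescaped, so `*`, `(`, `)` or `\` in the argument change the filter's meaning; the existing `_findentry` call at the top of the file has the same weakness, but an RFC 4515 escape would be cheap to add here. `[ ! -z "$_ENTRYLIST" ]` only inspects the first array element; `[ ${#_ENTRYLIST[@]} -gt 0 ]` says what is meant.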

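The cleanup the patch above performs, written here as an added illustration that is neither the reporter's nor the ldapscripts project's code: the uid is escaped per RFC 4515 before it goes into the search filter, group DNs are read line by line so names with spaces survive, and an audit function goes beyond the patch to find memberUid values already left behind by earlier deletions (the sudoers case from the report). The sample LDIF is constructed; the `remove_user_from_groups` wrapper assumes OpenLDAP's ldapsearch/ldapmodify and a `$LDAP_OPTS` variable for bind options and is not exercised here.

```shell
#!/bin/sh
# Added example, not ldapscripts code and not the patch from this bug.
# Assumed: OpenLDAP ldapsearch/ldapmodify for the live path; groups are
# posixGroup entries whose members are listed as memberUid.

# Escape a value for use inside an LDAP search filter (RFC 4515).
# Backslash is handled first so the escapes it introduces are not re-escaped.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Pull DNs out of ldapsearch -LLL output. Only plain "dn: " lines are handled;
# a "dn:: " line (base64, non-ASCII DN) is reported rather than silently dropped.
dns_from_ldif() {
    awk '/^dn: / { print substr($0, 5) }
         /^dn:: / { print "base64 DN not handled: " $0 > "/dev/stderr" }'
}

# Read one DN per line and emit a modify record deleting the membership.
# Line-wise reading (not word-splitting into an array) keeps "cn=web admins,..." intact.
membership_removal_ldif() {
    while IFS= read -r dn; do
        [ -n "$dn" ] || continue
        printf 'dn: %s\nchangetype: modify\ndelete: memberUid\nmemberUid: %s\n\n' "$dn" "$1"
    done
}

# Audit: group LDIF (dn + memberUid lines) on stdin, existing account uids as a
# space-separated list in $1; prints "<group dn><TAB><uid>" for every orphan.
stale_memberships() {
    awk -v uids="$1" '
        BEGIN { n = split(uids, a, " "); for (i = 1; i <= n; i++) exists[a[i]] = 1 }
        /^dn: /        { dn = substr($0, 5) }
        /^memberUid: / { m = substr($0, 12); if (!(m in exists)) print dn "\t" m }
    '
}

# Live path (needs a directory; bind options in $LDAP_OPTS). Not run in the demo.
remove_user_from_groups() {
    uid=$1 base=$2
    ldapsearch -LLL -x $LDAP_OPTS -b "$base" \
        "(&(objectClass=posixGroup)(memberUid=$(ldap_filter_escape "$uid")))" dn \
      | dns_from_ldif | membership_removal_ldif "$uid" | ldapmodify -x $LDAP_OPTS
}

# Constructed sample of what the group search would return.
SAMPLE_GROUPS='dn: cn=sudoers,ou=Groups,dc=example,dc=com
memberUid: jdoe
memberUid: asmith

dn: cn=web admins,ou=Groups,dc=example,dc=com
memberUid: jdoe'

# Demo: the LDIF that strips jdoe from both groups, then the audit when only
# asmith still has a posixAccount.
printf '%s\n' "$SAMPLE_GROUPS" | dns_from_ldif | membership_removal_ldif jdoe
printf '%s\n' "$SAMPLE_GROUPS" | stale_memberships "asmith"
```

Run the audit periodically against `ldapsearch -LLL -b "$GROUP_BASE" '(objectClass=posixGroup)' memberUid` and the list of existing uids; any line it prints is a membership that a future account with the same uid would inherit, which is exactly the condition the report describes.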
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ldapscripts (Ubuntu):
status: New → Confirmed
Kam Nasim (knasim-wrs)
Changed in ldapscripts (Ubuntu):
assignee: nobody → Kam Nasim (knasim-wrs)
Brian Murray (brian-murray) wrote :

You might consider forwarding this patch to the upstream project which I found via apt-cache show ldapscripts:

Homepage: http://ldapscripts.sourceforge.net/

Changed in ldapscripts (Ubuntu):
importance: Undecided → Medium
Kam Nasim (knasim-wrs) wrote :
Changed in ldapscripts (Ubuntu):
status: Confirmed → Fix Committed
Kam Nasim (knasim-wrs)
Changed in ldapscripts (Ubuntu):
status: Fix Committed → Fix Released