3 # Copyright (c) 2008 Peter Palfrader <peter@palfrader.org>
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 2 of the License, or
8 # (at your option) any later version.
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with this program; if not, write to the Free Software
17 # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
19 # ud-ldap 0.3.46 changed the format of the sudopasswd lines so that
20 # the hmac also includes purpose ("sudo") and userid that owns the
21 # entry. This little script updates an ldap from old to new.
23 import string, re, time, ldap, getopt, sys, os, pwd, posix, socket, base64, shutil, errno, tarfile, grp
24 from userdir_ldap import *;
26 UUID_FORMAT = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
28 # Connect to the ldap server
30 F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r");
31 Pass = F.readline().strip().split(" ")
33 l.simple_bind_s("uid="+Pass[0]+","+BaseDn,Pass[1]);
35 PasswdAttrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"sudoPassword=*", ["uid","sudoPassword"]);
36 if PasswdAttrs == None:
40 if not x[1].has_key('sudoPassword'):
45 for entry in x[1]['sudoPassword']:
46 Match = re.compile('^('+UUID_FORMAT+') (confirmed:[0-9a-f]{40}|unconfirmed) ([a-z0-9.,*]+) ([^ ]+)$').match(entry)
50 status = Match.group(2)
51 hosts = Match.group(3)
52 cryptedpass = Match.group(4)
55 oldformat = 'confirmed:'+make_hmac(':'.join(['password-is-confirmed', uuid, hosts, cryptedpass]))
56 newformat = 'confirmed:'+make_passwd_hmac('password-is-confirmed', 'sudo', x[1]['uid'][0], uuid, hosts, cryptedpass);
58 if status == oldformat:
59 print "Updating sudo password entry for %s."%(uid)
61 elif status == newformat:
62 print "not updating sudo password entry for %s, it's already up to date."%(uid)
64 print "NOT Updating sudo password entry for %s, failed check."%(uid)
66 line = ' '.join([uuid, status, hosts, cryptedpass])
68 Rec.append((ldap.MOD_REPLACE, 'sudoPassword', line))
70 Rec.append((ldap.MOD_ADD, 'sudoPassword', line))
72 Dn = "uid=" + uid + "," + BaseDn;