4 # Copyright (c) 1999-2000 Jason Gunthorpe <jgg@debian.org>
5 # Copyright (c) 2004 Joey Schulze <joey@debian.org>
6 # Copyright (c) 2008, 2009, 2010 Peter Palfrader <peter@palfrader.org>
8 # This program is free software; you can redistribute it and/or modify
9 # it under the terms of the GNU General Public License as published by
10 # the Free Software Foundation; either version 2 of the License, or
11 # (at your option) any later version.
13 # This program is distributed in the hope that it will be useful,
14 # but WITHOUT ANY WARRANTY; without even the implied warranty of
15 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 # GNU General Public License for more details.
18 # You should have received a copy of the GNU General Public License
19 # along with this program; if not, write to the Free Software
20 # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 # This script tries to match key fingerprints from a keyring with user
23 # name in a directory. When an unassigned key is found a heuristic match
24 # against the keys given cn/sn and the directory is performed to try to get
25 # a matching. Generally this works about 90% of the time, matching is fairly
26 # strict. In the event a non-match a fuzzy sounds-alike search is performed
27 # and the results printed to aide the user.
29 # GPG is automatically invoked with the correct magic special options,
30 # pass the names of all the valid key rings on the command line.
32 # The output report will list what actions were taken. Keys that are present
33 # in the directory but not in the key ring will be removed from the
36 import re, time, ldap, getopt, sys, pwd, os;
37 from userdir_ldap import *;
38 from userdir_gpg import *;
40 # This map deals with people who put the wrong sort of stuff in their pgp
45 # Read the override file into the unknown map. The override file is a list
46 # of colon delimited entires mapping PGP email addresess to local users
47 def LoadOverride(File):
48 List = open(File,"r");
50 Line = List.readline();
53 Split = re.split("[:\n]",Line);
54 UnknownMap[Split[0]] = Split[1].strip()
57 AdminUser = pwd.getpwuid(os.getuid())[0];
58 (options, arguments) = getopt.getopt(sys.argv[1:], "au:m:n")
59 for (switch, val) in options:
62 elif (switch == '-m'):
64 elif (switch == '-a'):
68 # Main program starts here
70 # Connect to the ldap server
72 l = passwdAccessLDAP(BaseDn, AdminUser)
75 l.simple_bind_s("","");
77 # Download the existing key list and put it into a map
78 print "Fetching key list..",
80 Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"keyFingerPrint=*",["keyFingerPrint","uid"]);
85 # Sense a bad fingerprint.. Slapd has problems, it will store a null
86 # value that ldapsearch doesn't show up.. detect and remove
87 if len(x[1]["keyFingerPrint"]) == 0 or x[1]["keyFingerPrint"][0] == "":
89 print "Fixing bad fingerprint for",x[1]["uid"][0],
92 l.modify_s("uid="+x[1]["uid"][0]+","+BaseDn,\
93 [(ldap.MOD_DELETE,"keyFingerPrint",None)]);
95 for I in x[1]["keyFingerPrint"]:
96 KeyMap[I] = [x[1]["uid"][0],0];
97 if KeyCount.has_key(x[1]["uid"][0]):
98 KeyCount[x[1]["uid"][0]] = KeyCount[x[1]["uid"][0]] + 1;
100 KeyCount[x[1]["uid"][0]] = 1;
106 # Popen GPG with the correct magic special options
108 if len(arguments) == 0:
109 print "Using default keyrings: %s"%ConfModule.add_keyrings;
110 SetKeyrings(ConfModule.add_keyrings.split(":"))
112 if x.find("/") == -1:
116 Args = [GPGPath] + GPGBasicOptions + GPGKeyRings + GPGSearchOptions + [" 2> /dev/null"]
117 Keys = os.popen(" ".join(Args),"r");
119 # Loop over the GPG key file
124 Line = Keys.readline();
128 Split = Line.split(":")
129 if len(Split) < 8 or Split[0] != "pub":
133 Line2 = Keys.readline();
136 Split2 = Line2.split(":");
137 if len(Split2) < 11 or Split2[0] != "fpr":
143 if SeenKeys.has_key(Split2[9]):
144 print "Dup key ",Split2[9],"belonging to",KeyMap[Split2[9]][0];
146 SeenKeys[Split2[9]] = None;
148 if KeyMap.has_key(Split2[9]):
149 Ignored = Ignored + 1;
150 # print "Ignoring keyID",Split2[9],"belonging to",KeyMap[Split2[9]][0];
151 KeyMap[Split2[9]][1] = 1;
154 UID = GetUID(l,SplitEmail(Split[9]),UnknownMap);
156 print "None for",SplitEmail(Split[9]),"'%s'"%(Split[9]);
158 for x in UID[1]: print x;
159 print "MISSING " + Split2[9];
163 Rec = [(ldap.MOD_ADD,"keyFingerPrint",Split2[9])];
164 Dn = "uid=" + UID + "," + BaseDn;
165 print "Adding key "+Split2[9],"to",UID;
166 if KeyCount.has_key(UID):
167 KeyCount[UID] = KeyCount[UID] + 1;
174 # Send the modify request
176 Outstanding = Outstanding + 1;
177 Outstanding = FlushOutstanding(l,Outstanding,1);
181 FlushOutstanding(l,Outstanding);
183 if Keys.close() != None:
184 raise "Error","GPG failed"
186 print Ignored,"keys already in the directory (ignored)";
188 # Look for unmatched keys
189 for x in KeyMap.keys():
190 if KeyMap[x][1] == 0:
191 print "key %s belonging to %s removed"%(x,KeyMap[x][0]);
192 if KeyCount.has_key(KeyMap[x][0]) :
193 KeyCount[KeyMap[x][0]] = KeyCount[KeyMap[x][0]] - 1
194 if KeyCount[KeyMap[x][0]] <= 0:
195 print "**",KeyMap[x][0],"no longer has any keys";
197 l.modify_s("uid="+KeyMap[x][0]+","+BaseDn,\
198 [(ldap.MOD_DELETE,"keyFingerPrint",x)]);