# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-import string, re, time, ldap, getopt, sys, os, pwd, posix, socket, base64, sha
+import string, re, time, ldap, getopt, sys, os, pwd, posix, socket, base64, sha, shutil
from userdir_ldap import *;
global Allowed;
EmailCheck = re.compile("^([^ <>@]+@[^ ,<>@]+)?$");
BSMTPCheck = re.compile(".*mx 0 (gluck)\.debian\.org\..*",re.DOTALL);
DNSZone = ".debian.net"
+Keyrings = [ "/org/keyring.debian.org/keyrings/debian-keyring.gpg",
+ "/org/keyring.debian.org/keyrings/debian-keyring.pgp" ]
def Sanitize(Str):
- return string.translate(Str,string.maketrans("\n\r\t","$$$"));
+ return Str.translate(string.maketrans("\n\r\t","$$$"))
def DoLink(From,To,File):
try: posix.remove(To+File);
os.rename(File + ".tdb.tmp",File+".tdb");
# Generate the password list
-def GenPasswd(l,File,HomePrefix):
+def GenPasswd(l,File,HomePrefix,PwdMarker):
F = None;
try:
F = open(File + ".tdb.tmp","w");
if len(GetAttr(x,"gecos")) > 100 or len(GetAttr(x,"loginShell")) > 50:
continue;
- Line = "%s:x:%s:%s:%s:%s%s:%s" % (GetAttr(x,"uid"),\
+ Line = "%s:%s:%s:%s:%s:%s%s:%s" % (GetAttr(x,"uid"),\
+ PwdMarker,\
GetAttr(x,"uidNumber"),GetAttr(x,"gidNumber"),\
GetAttr(x,"gecos"),HomePrefix,GetAttr(x,"uid"),\
GetAttr(x,"loginShell"));
Pass = '*';
else:
Pass = Pass[7:];
+
+ # If the account is locked, mark it as such in shadow
+ # See Debian Bug #308229 for why we set it to 1 instead of 0
+ if (GetAttr(x,"userPassword").find("*LK*") != -1) \
+ or GetAttr(x,"userPassword").startswith("!"):
+ ShadowExpire = '1'
+ else:
+ ShadowExpire = GetAttr(x,"shadowexpire")
+
Line = "%s:%s:%s:%s:%s:%s:%s:%s:" % (GetAttr(x,"uid"),\
Pass,GetAttr(x,"shadowLastChange"),\
GetAttr(x,"shadowMin"),GetAttr(x,"shadowMax"),\
GetAttr(x,"shadowWarning"),GetAttr(x,"shadowinactive"),\
- GetAttr(x,"shadowexpire"));
+ ShadowExpire);
Line = Sanitize(Line) + "\n";
F.write("0%u %s" % (I,Line));
F.write(".%s %s" % (GetAttr(x,"uid"),Line));
# If the account is locked, do not write it.
# This is a partial stop-gap. The ssh also needs to change this
# to ignore ~/.ssh/authorized* files.
- if (string.find(GetAttr(x,"userPassword"),"*LK*") != -1) \
+ if (GetAttr(x,"userPassword").find("*LK*") != -1) \
or GetAttr(x,"userPassword").startswith("!"):
continue;
continue;
# If the account is locked, do not write it
- if (string.find(GetAttr(x,"userPassword"),"*LK*") != -1) \
+ if (GetAttr(x,"userPassword").find("*LK*") != -1) \
or GetAttr(x,"userPassword").startswith("!"):
continue;
raise;
Done(File,F,None);
+# Generate a list of locked accounts
+def GenDisabledAccounts(l,File):
+ F = None;
+ try:
+ F = open(File + ".tmp","w");
+
+ # Fetch all the users
+ global PasswdAttrs;
+ if PasswdAttrs == None:
+ raise "No Users";
+
+ I = 0;
+ for x in PasswdAttrs:
+ if x[1].has_key("uidNumber") == 0:
+ continue;
+
+ Pass = GetAttr(x,"userPassword");
+ Line = ""
+ # *LK* is the reference value for a locked account
+ # password starting with ! is also a locked account
+ if Pass.find("*LK*") != -1 or Pass.startswith("!"):
+ # Format is <login>:<reason>
+ Line = "%s:%s" % (GetAttr(x,"uid"), "Account is locked")
+
+ if Line != "":
+ F.write(Sanitize(Line) + "\n")
+
+ # Oops, something unspeakable happened.
+ except:
+ Die(File,F,None);
+ raise;
+ Done(File,F,None);
+
# Generate the list of local addresses that refuse all mail
def GenMailDisable(l,File):
F = None;
Reason = None
# If the account is locked, disable incoming mail
- if (string.find(GetAttr(x,"userPassword"),"*LK*") != -1):
+ if (GetAttr(x,"userPassword").find("*LK*") != -1):
if GetAttr(x,"uid") == "luther":
continue
else:
try:
F.write("; %s\n"%(EmailAddress(x)));
for z in x[1]["dnsZoneEntry"]:
- Split = string.split(string.lower(z));
- if string.lower(Split[1]) == 'in':
+ Split = z.lower().split()
+ if Split[1].lower() == 'in':
for y in range(0,len(Split)):
if Split[y] == "$":
Split[y] = "\n\t";
- Line = string.join(Split," ") + "\n";
+ Line = " ".join(Split) + "\n";
F.write(Line);
Host = Split[0] + DNSZone;
F.write("; Has BSMTP\n");
# Write some identification information
- if string.lower(Split[2]) == "a":
+ if Split[2].lower() == "a":
Line = "%s IN TXT \"%s\"\n"%(Split[0],EmailAddress(x));
for y in x[1]["keyFingerPrint"]:
Line = Line + "%s IN TXT \"PGP %s\"\n"%(Split[0],FormatPGPKey(y));
Host = GetAttr(x,"hostname");
Algorithm = None
for I in x[1]["sshRSAHostKey"]:
- Split = string.split(I)
+ Split = I.split()
if Split[0] == 'ssh-rsa':
Algorithm = 1
if Split[0] == 'ssh-dss':
continue;
try:
for z in x[1]["dnsZoneEntry"]:
- Split = string.split(string.lower(z));
- if string.lower(Split[1]) == 'in':
+ Split = z.lower().split()
+ if Split[1].lower() == 'in':
for y in range(0,len(Split)):
if Split[y] == "$":
Split[y] = "\n\t";
- Line = string.join(Split," ") + "\n";
+ Line = " ".join(Split) + "\n";
Host = Split[0] + DNSZone;
if BSMTPCheck.match(Line) != None:
x[1].has_key("sshRSAHostKey") == 0:
continue;
Host = GetAttr(x,"hostname");
- SHost = string.find(Host,".");
+ SHost = Host.find(".")
for I in x[1]["sshRSAHostKey"]:
if SHost == None:
Line = "%s,%s %s" %(Host,socket.gethostbyname(Host),I);
raise;
Done(File,F,None);
+def GenKeyrings(l,OutDir):
+ for k in Keyrings:
+ shutil.copy(k, OutDir)
+
# Connect to the ldap server
l = ldap.open(LDAPServer);
F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r");
-Pass = string.split(string.strip(F.readline())," ");
+Pass = F.readline().strip().split(" ")
F.close();
l.simple_bind_s("uid="+Pass[0]+","+BaseDn,Pass[1]);
GenAllForward(l,GlobalDir+"mail-forward.cdb");
GenMarkers(l,GlobalDir+"markers");
GenPrivate(l,GlobalDir+"debian-private");
+GenDisabledAccounts(l,GlobalDir+"disabled-accounts");
GenSSHKnown(l,GlobalDir+"ssh_known_hosts");
GenHosts(l,GlobalDir+"debianhosts");
GenMailDisable(l,GlobalDir+"mail-disable");
GenMailList(l,GlobalDir+"mail-rbl","mailRBL");
GenMailList(l,GlobalDir+"mail-rhsbl","mailRHSBL");
GenMailList(l,GlobalDir+"mail-whitelist","mailWhitelist");
+GenKeyrings(l,GlobalDir);
# Compatibility.
GenForward(l,GlobalDir+"forward-alias");
-
+
while(1):
Line = F.readline();
if Line == "":
break;
- Line = string.strip(Line);
+ Line = Line.strip()
if Line == "":
continue;
if Line[0] == '#':
continue;
- Split = string.split(Line," ");
+ Split = Line.split(" ")
OutDir = GenerateDir + '/' + Split[0] + '/';
try: os.mkdir(OutDir);
except: pass;
DoLink(GlobalDir,OutDir,"ssh-rsa-shadow");
DoLink(GlobalDir,OutDir,"debianhosts");
DoLink(GlobalDir,OutDir,"ssh_known_hosts");
+ DoLink(GlobalDir,OutDir,"disabled-accounts")
sys.stdout.flush();
- GenPasswd(l,OutDir+"passwd",Split[1]);
+ if ExtraList.has_key("[NOPASSWD]"):
+ GenPasswd(l,OutDir+"passwd",Split[1], "*");
+ else:
+ GenPasswd(l,OutDir+"passwd",Split[1], "x");
sys.stdout.flush();
GenGroup(l,OutDir+"group");
if ExtraList.has_key("[UNTRUSTED]"):
if ExtraList.has_key("[PRIVATE]"):
DoLink(GlobalDir,OutDir,"debian-private")
+
+ if ExtraList.has_key("[KEYRING]"):
+ for k in Keyrings:
+ DoLink(GlobalDir,OutDir,os.path.basename(k))
+ else:
+ for k in Keyrings:
+ try: posix.remove(OutDir+os.path.basename(k));
+ except: pass;