#!/usr/bin/env python
# -*- mode: python -*-
-import userdir_gpg, userdir_ldap, sys, traceback, time, ldap, posix;
+import userdir_gpg, userdir_ldap, sys, traceback, time, ldap, os;
import string, pwd
from userdir_gpg import *;
from userdir_ldap import *;
EX_TEMPFAIL = 75;
EX_PERMFAIL = 65; # EX_DATAERR
Error = 'Message Error';
-SeenRSA = 0;
+SeenKey = 0;
SeenDNS = 0;
+DNS = {}
ArbChanges = {"c": "..",
"l": ".*",
"loginshell": ".*",
"emailforward": "^([^<>@]+@.+)?$",
"ircnick": ".*",
+ "icquin": "^[0-9]*$",
"onvacation": ".*",
"labeledurl": ".*"};
"labeledurl": None,
"latitude": None,
"longitude": None,
- "sshrsaauthkey": None};
+ "icquin": None,
+ "sshrsaauthkey": None,
+ "sshdsaauthkey": None};
# Decode a GPS location from some common forms
def LocDecode(Str,Dir):
return None;
G = Match.groups();
- if ArbChanges.has_key(G[0]) == 0:
+ if DelItems.has_key(G[0]) == 0:
return "Cannot erase entry %s"%(G[0]);
Attrs.append((ldap.MOD_DELETE,G[0],None));
Attrs.append((ldap.MOD_REPLACE,"longitude",sLong));
return "Position set to %s/%s (%s/%s decimal degrees)"%(sLat,sLong,Lat,Long);
-# Handle a SSH RSA authentication key, the line format is:
+# Handle an SSH authentication key, the line format is:
# [options] 1024 35 13188913666680[..] [comment]
def DoSSH(Str,Attrs):
Match = SSHAuthSplit.match(Str);
if Match == None:
- return None;
+ Match = SSH2AuthSplit.match(Str);
+ if Match == None:
+ return None;
- global SeenRSA;
- if SeenRSA:
+ global SeenKey;
+ if SeenKey:
Attrs.append((ldap.MOD_ADD,"sshrsaauthkey",Str));
return "SSH Key added "+FormatSSHAuth(Str);
Attrs.append((ldap.MOD_REPLACE,"sshrsaauthkey",Str));
- SeenRSA = 1;
+ SeenKey = 1;
return "SSH Keys replaced with "+FormatSSHAuth(Str);
# Handle changing a dns entry
# host in a 12.12.12.12
# host in cname foo.bar. <- Trailing dot is required
def DoDNS(Str,Attrs,DnRecord):
- if re.match('^[\w-]+\s+in\s+a\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$',\
- Str,re.IGNORECASE) == None and \
- re.match("^[\w-]+\s+in\s+cname\s+[\w.\-]+\.$",Str,re.IGNORECASE) == None:
+ cname = re.match("^[-\w]+\s+in\s+cname\s+[-\w.]+\.$",Str,re.IGNORECASE);
+ if re.match('^[-\w]+\s+in\s+a\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$',\
+ Str,re.IGNORECASE) == None and cname == None and \
+ re.match("^[-\w]+\s+in\s+mx\s+\d{1,3}\s+[-\w.]+\.$",Str,re.IGNORECASE) == None:
return None;
# Check if the name is already taken
- G = re.match('^([\w-+]+)\s',Str).groups();
+ G = re.match('^([-\w+]+)\s',Str).groups();
# Check for collisions
global l;
return "DNS entry is already owned by " + GetAttr(x,"uid")
global SeenDNS;
+ global DNS;
+
+ if cname:
+ if DNS.has_key(G[0]):
+ return "CNAME and other RR types not allowed: "+Str
+ else:
+ DNS[G[0]] = 2
+ else:
+ if DNS.has_key(G[0]) and DNS[G[0]] == 2:
+ return "CNAME and other RR types not allowed: "+Str
+ else:
+ DNS[G[0]] = 1
+
if SeenDNS:
Attrs.append((ldap.MOD_ADD,"dnszoneentry",Str));
return "DNS Entry added "+Str;
# Handle an [almost] arbitary change
def HandleChange(Reply,DnRecord,Key):
global PlainText;
- Lines = string.split(PlainText,"\r\n");
+ Lines = re.split("\n *\r?",PlainText);
Result = "";
Attrs = [];
else:
Res = DoPosition(Line,Attrs) or DoDNS(Line,Attrs,DnRecord) or \
DoArbChange(Line,Attrs) or DoSSH(Line,Attrs) or \
- DoDel(Line,Attrs);
+ DoDel(Line,Attrs);
except:
Res = None;
Result = Result + "==> %s: %s\n" %(sys.exc_type,sys.exc_value);
# Connect to the ldap server
l = ldap.open(LDAPServer);
- F = open(PassDir+"/pass-"+pwd.getpwuid(posix.getuid())[0],"r");
+ F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r");
AccessPass = string.split(string.strip(F.readline())," ");
F.close();
# Connect to the ldap server
l = ldap.open(LDAPServer);
- F = open(PassDir+"/pass-"+pwd.getpwuid(posix.getuid())[0],"r");
+ F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r");
AccessPass = string.split(string.strip(F.readline())," ");
F.close();
+ l.simple_bind_s("uid="+AccessPass[0]+","+BaseDn,AccessPass[1]);
+
+ # Check for a locked account
+ Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"uid="+GetAttr(DnRecord,"uid"));
+ if (string.find(GetAttr(Attrs[0],"userpassword"),"*LK*") != -1):
+ raise Error, "This account is locked";
# Modify the password
- l.simple_bind_s("uid="+AccessPass[0]+","+BaseDn,AccessPass[1]);
Rec = [(ldap.MOD_REPLACE,"userPassword","{crypt}"+Pass)];
Dn = "uid=" + GetAttr(DnRecord,"uid") + "," + BaseDn;
l.modify_s(Dn,Rec);
# Start of main program
# Drop messages from a mailer daemon.
-if posix.environ.has_key('SENDER') == 0 or len(posix.environ['SENDER']) == 0:
+if os.environ.has_key('SENDER') == 0 or len(os.environ['SENDER']) == 0:
sys.exit(0);
ErrMsg = "Indeterminate Error";
if Sender == None:
raise Error, "Unable to determine the sender's address";
- if (string.find(GetAttr(Attrs[0],"userPassword"),"*LK*") != -1):
+ if (string.find(GetAttr(Attrs[0],"userpassword"),"*LK*") != -1):
raise Error, "This account is locked";
# Formulate a reply
# Send the message through sendmail
ErrMsg = "A problem occured while trying to send the reply";
- Child = posix.popen("/usr/sbin/sendmail -t","w");
-# Child = posix.popen("cat","w");
+ Child = os.popen("/usr/sbin/sendmail -t","w");
+# Child = os.popen("cat","w");
Child.write(Reply);
if Child.close() != None:
raise Error, "Sendmail gave a non-zero return code";
except:
# Error Reply Header
Date = time.strftime("%a, %d %b %Y %H:%M:%S +0000",time.gmtime(time.time()));
- ErrReplyHead = "To: %s\nReply-To: %s\nDate: %s\n" % (posix.environ['SENDER'],ReplyTo,Date);
+ ErrReplyHead = "To: %s\nReply-To: %s\nDate: %s\n" % (os.environ['SENDER'],ReplyTo,Date);
# Error Body
Subst = {};
try:
ErrReply = TemplateSubst(Subst,open(TemplatesDir+"error-reply","r").read());
- Child = posix.popen("/usr/sbin/sendmail -t","w");
+ Child = os.popen("/usr/sbin/sendmail -t","w");
Child.write(ErrReplyHead);
Child.write(ErrReply);
if Child.close() != None: