X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=sigcheck;h=95db70814b2adc4b65fdac1bed65b18817da2cf4;hb=9e1e7b0639b1265bf39acd330122f40123451c56;hp=848911e5e5b045b43d26d686cee08fd198a2f6cd;hpb=41b57e59986a3cea9a32d8940d9372bbd3b7f6d1;p=mirror%2Fuserdir-ldap.git
diff --git a/sigcheck b/sigcheck
index 848911e..95db708 100755
--- a/sigcheck
+++ b/sigcheck
@@ -19,7 +19,7 @@
 # -v Verbose mode
 # Typical Debian invokation may look like:
-# ./gpgwrapper -k /usr/share/keyrings/debian-keyring.gpg:/usr/share/keyrings/debian-keyring.pgp \
+# sigcheck -k /usr/share/keyrings/debian-keyring.gpg:/usr/share/keyrings/debian-keyring.pgp \
 # -d ou=users,dc=debian,dc=org -l db.debian.org \
 # -m debian.org -a admin@db.debian.org \
 # -e /etc/userdir-ldap/templtes/error-reply -- test.sh
@@ -52,7 +52,7 @@ def CheckLDAP(FingerPrint):
 # Connect to the ldap server
 global ErrTyp, ErrMsg;
 ErrType = EX_TEMPFAIL;
- ErrMsg = "An error occured while performing the LDAP lookup:";
+ ErrMsg = "An error occurred while performing the LDAP lookup:";
 global l;
 l = ldap.open(LDAPServer);
 l.simple_bind_s("","");
@@ -65,12 +65,31 @@ def CheckLDAP(FingerPrint):
 if len(Attrs) != 1:
 raise Error, "Oddly your key fingerprint is assigned to more than one account.."
+ gidnumber_found = 0;
+ for key in Attrs[0][1].keys():
+ if (key == "gidNumber"):
+ gidnumber_found = 1
+
+ if (gidnumber_found != 1):
+ raise Error, "No gidnumber in attributes for fingerprint %s" % FingerPrint
+
+ # Look for the group with the gid of the user
+ GAttr = l.search_s(LDAPDn,ldap.SCOPE_ONELEVEL,"(&(objectClass=debianGroup)(gidnumber=%s))" % Attrs[0][1]["gidNumber"][0], ["gid"])
+ if len(GAttr) == 0:
+ raise Error, "Database inconsistency found: main group for account not found in database"
+ # See if the group membership is OK
+ # Only if a group was given on the commandline
 if GroupMember != None:
 Hit = 0;
- for x in Attrs[0][1].get("supplementarygid",[]):
- if x == GroupMember:
- Hit = 1;
+ # Check primary group first
+ if GAttr[0][1]["gid"][0] == GroupMember:
+ Hit = 1
+ else:
+ # Check supplementary groups
+ for x in Attrs[0][1].get("supplementaryGid",[]):
+ if x == GroupMember:
+ Hit = 1;
 if Hit != 1:
 raise Error, "You don't have %s group permissions."%(GroupMember);
@@ -126,7 +145,7 @@ try:
 # Check the signature
 ErrMsg = "Unable to check the signature or the signature was invalid:";
 Res = GPGCheckSig(Msg[0]);
-
+
 if Res[0] != None:
 raise Error, Res[0];
@@ -140,6 +159,7 @@ try:
 if Rply != None:
 raise Error, Rply;
 RC.Add(Res[1]);
+ RC.close();
 # Do LDAP stuff
 if LDAPDn != None:
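Review bot: The new primary-group lookup in this hunk accepts any number of `debianGroup` entries for the user's gidNumber and decides the "group permissions" check against `GAttr[0]` alone, so a duplicated gidNumber makes that permission decision depend on the order the server returns entries in; the account lookup just above already fails closed on more than one match, and the group lookup should do the same: `if len(GAttr) != 1:` / `raise Error, "Database inconsistency found: expected exactly one main group for account, found %d" % len(GAttr)`. The gidNumber value is also spliced into the filter string unescaped; it comes from the directory rather than from the signed mail, but wrapping it as `"(&(objectClass=debianGroup)(gidnumber=%s))" % ldap.filter.escape_filter_chars(Attrs[0][1]["gidNumber"][0])` is the right habit if the python-ldap in use provides `ldap.filter` (the file's `ldap.open` call points to an old API, so confirm). The `for key in Attrs[0][1].keys()` loop that sets `gidnumber_found` is a hand-written membership test and reads better as `if "gidNumber" not in Attrs[0][1]: raise Error, "No gidnumber in attributes for fingerprint %s" % FingerPrint`; note that this exact-case key comparison relies on the server returning the attribute name as `gidNumber` while the filter spells it `gidnumber`, which is presumably fine for this server but deserves a comment. Separately, `GAttr[0][1]["gid"][0]` raises a bare KeyError rather than an `Error` if the group entry carries no `gid`. CheckLDAP's definition lies outside this hunk.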