X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=ud-generate;h=9629d58c4abcaf4e70732fa5e962d60b6f6701e2;hb=890782858c21ebd21476e12af064ca408d77ce6a;hp=b8a21f1fff4a246f6786d88452e8b6cb02b11da9;hpb=c555044ceb3eb8141735926c41a5b87906cfdd42;p=mirror%2Fuserdir-ldap.git
diff --git a/ud-generate b/ud-generate
index b8a21f1..9629d58 100755
--- a/ud-generate
+++ b/ud-generate
@@ -45,7 +45,7 @@ CurrentHost = ""
 UUID_FORMAT = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
 EmailCheck = re.compile("^([^ <>@]+@[^ ,<>@]+)?$")
-BSMTPCheck = re.compile(".*mx 0 (gluck)\.debian\.org\..*",re.DOTALL)
+BSMTPCheck = re.compile(".*mx 0 (master)\.debian\.org\..*",re.DOTALL)
 PurposeHostField = re.compile(r".*\[\[([\*\-]?[a-z0-9.\-]*)(?:\|.*)?\]\]")
 DNSZone = ".debian.net"
 Keyrings = ConfModule.sync_keyrings.split(":")
@@ -511,27 +511,24 @@ def GenForward(File):
 raise
 Done(File, F, None)
-def GenAllForward(File):
+def GenCDB(File, Key):
 Fdb = None
 try:
 OldMask = os.umask(0022)
 Fdb = os.popen("cdbmake %s %s.tmp"%(File, File), "w")
 os.umask(OldMask)
-
+
 # Fetch all the users
 global DebianUsers
-
+
 # Write out the email address for each user
 for x in DebianUsers:
- if x[1].has_key("emailForward") == 0:
+ if not Key in x[1]:
 continue
-
- # Do not allow people to try to buffer overflow busted parsers
- Forward = GetAttr(x, "emailForward")
-
+ Value = GetAttr(x, Key)
 User = GetAttr(x, "uid")
- Fdb.write("+%d,%d:%s->%s\n" % (len(User), len(Forward), User, Forward))
-
+ Fdb.write("+%d,%d:%s->%s\n" % (len(User), len(Value), User, Value))
+
 Fdb.write("\n")
 # Oops, something unspeakable happened.
 except:
@@ -749,7 +746,7 @@ def isRoleAccount(pwEntry):
 return False
 # Generate the DNS Zone file
-def GenDNS(File, HomePrefix):
+def GenDNS(File):
 F = None
 try:
 F = open(File + ".tmp", "w")
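Review bot: GenCDB writes the raw attribute value for whatever `Key` names into the cdb with no per-key validation, and the call site in the `@@ -1052` hunk passes 'mailContentInspectionAction', for which nothing comparable to the CheckForward() that precedes the emailForward export is visible. Since the cdb feeds the mail system, a per-key check before the `Fdb.write` line — for mailContentInspectionAction presumably a closed set of accepted values, to be confirmed against the consumer — with unexpected values logged and skipped would keep the generalisation safe. `if not Key in x[1]:` reads better as `if Key not in x[1]:`. The bare `except:` that closes the hunk is pre-existing; its body and the rest of GenCDB lie outside the hunk.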
@@ -802,7 +799,7 @@ def GenDNS(File, HomePrefix):
 Done(File, F, None)
 # Generate the DNS SSHFP records
-def GenSSHFP(File, HomePrefix):
+def GenSSHFP(File):
 F = None
 try:
 F = open(File + ".tmp", "w")
@@ -940,8 +937,8 @@ def GenSSHKnown(File, mode=None):
 for I in x[1]["sshRSAHostKey"]:
 if mode and mode == 'authorized_keys':
-#Line = 'command="rsync --server --sender -pr . /var/cache/userdir-ldap/hosts/%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,from="%s" %s' % (Host, ",".join(HNames + HostToIP(Host)), I)
-Line = 'command="rsync --server --sender -pr . /var/cache/userdir-ldap/hosts/%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s' % (Host,I)
+Line = 'command="rsync --server --sender -pr . /var/cache/userdir-ldap/hosts/%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,from="%s" %s' % (Host, ",".join(HostToIP(Host)), I)
+#Line = 'command="rsync --server --sender -pr . /var/cache/userdir-ldap/hosts/%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s' % (Host,I)
 else:
 Line = "%s %s" %(",".join(HostNames + HostToIP(Host)), I)
 Line = Sanitize(Line) + "\n"
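Review bot: The forced-command key line in GenSSHKnown now carries the `from=` restriction, but its option list still lacks `no-pty`, so a client holding the key can still request a tty even though the command is fixed; adding `no-pty` next to `no-agent-forwarding` closes that gap. If HostToIP(Host) returns an empty list the line becomes `from=""`, which deserves an explicit guard (skip the key, or log and fall back) rather than relying on how sshd treats an empty pattern list. The superseded `#Line = ...` kept as a comment is dead code and should be dropped. The surrounding loop and the rest of GenSSHKnown start outside the hunk.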
@@ -1026,20 +1023,15 @@ PasswdAttrs = l.search_s(BaseDn, ldap.SCOPE_ONELEVEL, "uid=*",\
 "allowedHost", "sshRSAAuthKey", "dnsZoneEntry", "cn", "sn",\
 "keyFingerPrint", "privateSub", "mailDisableMessage",\
 "mailGreylisting", "mailCallout", "mailRBL", "mailRHSBL",\
-"mailWhitelist", "sudoPassword", "objectClass", "accountStatus"])
+"mailWhitelist", "sudoPassword", "objectClass", "accountStatus",\
+"mailContentInspectionAction"])
 if PasswdAttrs is None:
 raise UDEmptyList, "No Users"
 # Fetch all the hosts
-HostAttrs = l.search_s(HostBaseDn, ldap.SCOPE_ONELEVEL, "sshRSAHostKey=*",\
-["hostname", "sshRSAHostKey", "purpose"])
-
-# Open the control file
-if len(sys.argv) == 1:
- F = open(GenerateConf, "r")
-else:
- F = open(sys.argv[1], "r")
+HostAttrs = l.search_s(HostBaseDn, ldap.SCOPE_ONELEVEL, "objectClass=debianServer",\
+["hostname", "sshRSAHostKey", "purpose", "allowedGroups", "exportOptions"])
 # Generate global things
 GlobalDir = GenerateDir + "/"
@@ -1052,9 +1044,10 @@ DebianUsers = PasswdAttrs
 CheckForward()
 GenMailDisable(GlobalDir + "mail-disable")
-GenAllForward(GlobalDir + "mail-forward.cdb")
+GenCDB(GlobalDir + "mail-forward.cdb", 'emailForward')
+GenCDB(GlobalDir + "mail-contentinspectionaction.cdb", 'mailContentInspectionAction')
 GenPrivate(GlobalDir + "debian-private")
-#GenSSHKnown(l,GlobalDir+"authorized_keys", 'authorized_keys')
+GenSSHKnown(GlobalDir+"authorized_keys", 'authorized_keys')
 GenMailBool(GlobalDir + "mail-greylist", "mailGreylisting")
 GenMailBool(GlobalDir + "mail-callout", "mailCallout")
 GenMailList(GlobalDir + "mail-rbl", "mailRBL")
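Review bot: Changing the host filter from `sshRSAHostKey=*` to `objectClass=debianServer` lets HostAttrs contain servers with no sshRSAHostKey attribute, and GenSSHKnown iterates `x[1]["sshRSAHostKey"]` directly in the `@@ -940` hunk; unless a guard exists above that loop (not visible here), such a host raises KeyError and aborts the whole run. A `if "sshRSAHostKey" not in x[1]: continue` at the consumer keeps the wider filter safe, and GenHosts may need the same check. The removed control-file block also drops the `sys.argv[1]` override; if operators relied on it, the commit message should say so.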
@@ -1072,18 +1065,12 @@ GenMarkers(GlobalDir + "markers")
 GenSSHKnown(GlobalDir + "ssh_known_hosts")
 GenHosts(l, GlobalDir + "debianhosts")
-while(1):
- Line = F.readline()
- if Line == "":
- break
- Line = Line.strip()
- if Line == "":
- continue
- if Line[0] == '#':
+for host in HostAttrs:
+ if not "hostname" in host[1]:
 continue
- Split = Line.split(" ")
- OutDir = GenerateDir + '/' + Split[0] + '/'
+ CurrentHost = host[1]['hostname'][0]
+ OutDir = GenerateDir + '/' + CurrentHost + '/'
 try:
 os.mkdir(OutDir)
 except:
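Review bot: `CurrentHost = host[1]['hostname'][0]` comes straight from the LDAP entry and is concatenated into `OutDir`, which is then created with os.mkdir and filled with passwd, shadow and key material; a value containing `/` or `..` would place those files outside GenerateDir. The name previously came from a locally edited control file, so this is a new trust boundary and the value should be checked before use, e.g. `if not re.match(r'^[a-z0-9.-]+$', CurrentHost): continue` (a constructed pattern — align it with the `[a-z0-9.\-]` character class PurposeHostField already uses). The bare `except:` around os.mkdir is pre-existing but now also hides a failed mkdir for a malformed name; the loop body continues outside the hunk.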
@@ -1091,47 +1078,49 @@ while(1):
 # Get the group list and convert any named groups to numerics
 GroupList = {}
+ for groupname in AllowedGroupsPreload.strip().split(" "):
+ GroupList[groupname] = True
+ if 'allowedGroups' in host[1]:
+ for groupname in host[1]['allowedGroups']:
+ GroupList[groupname] = True
+ for groupname in GroupList.keys():
+ if groupname in GroupIDMap:
+ GroupList[str(GroupIDMap[groupname])] = True
+
 ExtraList = {}
- for I in Split[2:]:
- if I[0] == '[':
- ExtraList[I] = None
- continue
- GroupList[I] = None
- if GroupIDMap.has_key(I):
- GroupList[str(GroupIDMap[I])] = None
+ if 'exportOptions' in host[1]:
+ for extra in host[1]['exportOptions']:
+ ExtraList[extra.upper()] = True
 Allowed = GroupList
 if Allowed == {}:
 Allowed = None
- CurrentHost = Split[0]
 DoLink(GlobalDir, OutDir, "debianhosts")
 DoLink(GlobalDir, OutDir, "ssh_known_hosts")
 DoLink(GlobalDir, OutDir, "disabled-accounts")
 sys.stdout.flush()
- if ExtraList.has_key("[NOPASSWD]"):
- userlist = GenPasswd(OutDir + "passwd", Split[1], "*")
+ if 'NOPASSWD' in ExtraList:
+ userlist = GenPasswd(OutDir + "passwd", HomePrefix, "*")
 else:
- userlist = GenPasswd(OutDir + "passwd", Split[1], "x")
+ userlist = GenPasswd(OutDir + "passwd", HomePrefix, "x")
 sys.stdout.flush()
 grouprevmap = GenGroup(OutDir + "group")
- GenShadowSudo(OutDir + "sudo-passwd", ExtraList.has_key("[UNTRUSTED]") or ExtraList.has_key("[NOPASSWD]"))
+ GenShadowSudo(OutDir + "sudo-passwd", ('UNTRUSTED' in ExtraList) or ('NOPASSWD' in ExtraList))
 # Now we know who we're allowing on the machine, export
 # the relevant ssh keys
 GenSSHtarballs(userlist, SSHFiles, grouprevmap, os.path.join(OutDir, 'ssh-keys.tar.gz'))
- if ExtraList.has_key("[UNTRUSTED]"):
- print "[UNTRUSTED] tag is obsolete and may be removed in the future."
- continue
- if not ExtraList.has_key("[NOPASSWD]"):
+ if not 'NOPASSWD' in ExtraList:
 GenShadow(OutDir + "shadow")
 # Link in global things
- if not ExtraList.has_key("[NOMARKERS]"):
+ if not 'NOMARKERS' in ExtraList:
 DoLink(GlobalDir, OutDir, "markers")
 DoLink(GlobalDir, OutDir, "mail-forward.cdb")
+ DoLink(GlobalDir, OutDir, "mail-contentinspectionaction.cdb")
 DoLink(GlobalDir, OutDir, "mail-disable")
 DoLink(GlobalDir, OutDir, "mail-greylist")
 DoLink(GlobalDir, OutDir, "mail-callout")
@@ -1142,17 +1131,20 @@ while(1):
 # Compatibility.
 DoLink(GlobalDir, OutDir, "forward-alias")
- if ExtraList.has_key("[DNS]"):
- GenDNS(OutDir + "dns-zone", Split[1])
- GenSSHFP(OutDir + "dns-sshfp", Split[1])
+ if 'DNS' in ExtraList:
+ GenDNS(OutDir + "dns-zone")
+ GenSSHFP(OutDir + "dns-sshfp")
+
+ if 'AUTHKEYS' in ExtraList:
+ DoLink(GlobalDir, OutDir, "authorized_keys")
- if ExtraList.has_key("[BSMTP]"):
- GenBSMTP(OutDir + "bsmtp", Split[1])
+ if 'BSMTP' in ExtraList:
+ GenBSMTP(OutDir + "bsmtp", HomePrefix)
- if ExtraList.has_key("[PRIVATE]"):
+ if 'PRIVATE' in ExtraList:
 DoLink(GlobalDir, OutDir, "debian-private")
- if ExtraList.has_key("[KEYRING]"):
+ if 'KEYRING' in ExtraList:
 for k in Keyrings:
 DoLink(GlobalDir, OutDir, os.path.basename(k))
 else:
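Review bot: A host whose exportOptions include UNTRUSTED now reaches `GenShadow(OutDir + "shadow")` unless NOPASSWD is also set, whereas the removed branch skipped the shadow export and everything after it for such hosts; if that is not intended, the guard should read `if not ('NOPASSWD' in ExtraList or 'UNTRUSTED' in ExtraList):`. Whether a host receives password hashes is now decided by the LDAP attributes allowedGroups and exportOptions rather than the local control file, so the directory ACL on those attributes is part of the trust model and should be confirmed to be admin-only. `AllowedGroupsPreload.strip().split(" ")` yields `['']` for an empty preload, which inserts an empty group name and keeps GroupList non-empty so the `Allowed = None` fallback can no longer trigger; `.split()` fixes the former, and the latter needs checking against what Allowed=None means to the consumers. Inserting into GroupList while iterating `GroupList.keys()` only works because Python 2 keys() returns a list. This hunk begins on the previous physical line and the loop body continues past it.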
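Review bot: `GenBSMTP(OutDir + "bsmtp", HomePrefix)` keeps a HomePrefix argument while GenDNS and GenSSHFP in this hunk drop theirs; HomePrefix replaces `Split[1]` from the control file as a module-level name whose definition is not visible in this diff, so it must be assigned before the host loop or the first BSMTP host (and every GenPasswd call in the previous hunk) raises NameError. The new AUTHKEYS option links the global authorized_keys built by `GenSSHKnown(GlobalDir+"authorized_keys", 'authorized_keys')` — the forced-command keys of every server — into the host's directory; a one-line comment above `if 'AUTHKEYS' in ExtraList:` stating that the file is shared across hosts would make that explicit. The loop body continues beyond the closing `else:`.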