X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=ud-mailgate;h=90069c87161179ee082ee4aab8f6b9862beee260;hb=f7fd9daf3f1322bdc5b0e568553c8f0f4403c7e2;hp=1ba2c53412b23158c4a7e1b6f08a88fe77f60449;hpb=0539c19e661f05d992fdeb6e05ec9dcf99bb691d;p=mirror%2Fuserdir-ldap.git diff --git a/ud-mailgate b/ud-mailgate index 1ba2c53..90069c8 100755 --- a/ud-mailgate +++ b/ud-mailgate @@ -490,7 +490,7 @@ def FinishConfirmSudopassword(l, uid, Attrs): confirmedHosts = SudoPasswd[uuid][0] confirmedHmac = SudoPasswd[uuid][1] if status.startswith('confirmed:'): - if status == 'confirmed:'+make_passwd_hmac('password-is-confirmed', 'sudo', uid, ,uuid, hosts, cryptedpass): + if status == 'confirmed:'+make_passwd_hmac('password-is-confirmed', 'sudo', uid, uuid, hosts, cryptedpass): result = result + "Entry %s for sudo password on hosts %s already confirmed.\n"%(uuid, hosts) else: result = result + "Entry %s for sudo password on hosts %s is listed as confirmed, but HMAC does not verify.\n"%(uuid, hosts) @@ -565,15 +565,18 @@ def HandleChange(Reply,DnRecord,Key): if ((GetAttr(oldAttrs[0],"userPassword").find("*LK*") != -1) or GetAttr(oldAttrs[0],"userPassword").startswith("!")): raise Error, "This account is locked"; - try: - Res = FinishConfirmSudopassword(l, GetAttr(DnRecord,"uid"), Attrs) - Result = Result + Res + "\n"; - except Error, e: - CommitChanges = 0 - Result = Result + "FinishConfirmSudopassword raised an error (%s) - no changes committed\n"%(e); + + if CommitChanges == 1: # only if we are still good to go + try: + Res = FinishConfirmSudopassword(l, GetAttr(DnRecord,"uid"), Attrs) + Result = Result + Res + "\n"; + except Error, e: + CommitChanges = 0 + Result = Result + "FinishConfirmSudopassword raised an error (%s) - no changes committed\n"%(e); + # Modify the record - Dn = "uid=" + GetAttr(DnRecord,"uid") + "," + BaseDn; if CommitChanges == 1: + Dn = "uid=" + GetAttr(DnRecord,"uid") + "," + BaseDn; l.modify_s(Dn,Attrs); Attribs = ""; @@ -582,7 +585,7 @@ def HandleChange(Reply,DnRecord,Key): if len(Attrs) == 0: raise Error, "User not found" Attribs = GPGEncrypt(PrettyShow(Attrs[0])+"\n","0x"+Key[1],Key[4]); - + Subst = {}; Subst["__FROM__"] = ChangeFrom; Subst["__EMAIL__"] = EmailAddress(DnRecord); @@ -665,8 +668,6 @@ try: # Startup the replay cache ErrType = EX_TEMPFAIL; ErrMsg = "Failed to initialize the replay cache:"; - RC = ReplayCache(ReplayCacheFile); - RC.Clean(); # Get the email ErrType = EX_PERMFAIL; @@ -701,12 +702,6 @@ try: else: PlainText = Res[3]; - # Check the signature against the replay cache - ErrMsg = "The replay cache rejected your message. Check your clock!"; - Rply = RC.Check(Res[1]); - if Rply != None: - raise Error, Rply; - # Connect to the ldap server ErrType = EX_TEMPFAIL; ErrMsg = "An error occured while performing the LDAP lookup"; @@ -723,7 +718,17 @@ try: if len(Attrs) != 1: raise Error, "Oddly your key fingerprint is assigned to more than one account.." + + # Check the signature against the replay cache + RC = ReplayCache(ReplayCacheFile); + RC.Clean(); + ErrMsg = "The replay cache rejected your message. Check your clock!"; + Rply = RC.Check(Res[1]); + if Rply != None: + RC.close() + raise Error, Rply; RC.Add(Res[1]); + RC.close() # Determine the sender address ErrMsg = "A problem occured while trying to formulate the reply"; @@ -781,7 +786,7 @@ except: try: ErrReply = TemplateSubst(Subst,open(TemplatesDir+"error-reply","r").read()); - Child = os.popen("/usr/sbin/sendmail -t","w"); + Child = os.popen("/usr/sbin/sendmail -t -oi -f ''","w"); Child.write(ErrReplyHead); Child.write(ErrReply); if Child.close() != None: @@ -792,4 +797,7 @@ except: if ErrType != EX_PERMFAIL: sys.exit(ErrType); sys.exit(0); - + +# vim:set et: +# vim:set ts=3: +# vim:set shiftwidth=3: