[mirror/userdir-ldap.git] / ud-useradd

#!/usr/bin/env python
# -*- mode: python -*-

import string, re, time, ldap, getopt, sys, os, pwd;
from userdir_ldap import *;
from userdir_gpg import *;

# This tries to search for a free UID. There are two possible ways to do
# this, one is to fetch all the entires and pick the highest, the other
# is to randomly guess uids until one is free. This uses the formar.
# Regrettably ldap doesn't have an integer attribute comparision function
# so we can only cut the search down slightly 
def GetFreeID(l):
   HighestUID = 1400;
   Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,\ 
                      "uidnumber>="+str(HighestUID),["uidnumber"]);
   HighestUID = 0;
   for I in Attrs:
      ID = int(GetAttr(I,"uidnumber","0"));
      if ID > HighestUID: 
         HighestUID = ID;
   return HighestUID + 1;

# Main starts here

# Process options
(options, arguments) = getopt.getopt(sys.argv[1:], "u:")
for (switch, val) in options:
   if (switch == '-u'):
      AdminUser = val

print "Accessing LDAP directory as '" + AdminUser + "'";
Password = getpass(AdminUser + "'s password: ");

# Connect to the ldap server
l = ldap.open(LDAPServer);
UserDn = "uid=" + AdminUser + "," + BaseDn;
l.simple_bind_s(UserDn,Password);

# Locate the key of the user we are adding
GPGBasicOptions[0] = "--batch"           # Permit loading of the config file
while (1):
   Foo = raw_input("Who are you going to add (for a GPG search)? ");
   if Foo == "":
      continue;

   Keys = GPGKeySearch(Foo);

   if len(Keys) == 0:
      print "Sorry, that search did not turn up any keys";
      continue;
   if len(Keys) > 1:
      print "Sorry, more than one key was found, please specify the key to use by\nfingerprint:";
      for i in Keys:
         GPGPrintKeyInfo(i);
      continue;

   print
   print "A matching key was found:"
   GPGPrintKeyInfo(Keys[0]);
   break;
   
# Crack up the email address from the key into a best guess 
# first/middle/last name
Addr = SplitEmail(Keys[0][2]);
(cn,mn,sn) = NameSplit(re.sub('["]','',Addr[0]))
email = Addr[1] + '@' + Addr[2];
account = Addr[1];

privsub = email;
gidnumber = str(DefaultGID);
uidnumber = 0;

# Decide if we should use IDEA encryption
UsePGP2 = 0;
while len(Keys[0][1]) < 40:
   Res = raw_input("Use PGP2.x compatibility [no]? ");
   if Res == "yes":
      UsePGP2 = 1;
      break;
   if Res == "":
      break;

# Try to get a uniq account name
Update=0
while 1:
   Res = raw_input("Login account [" + account + "]? ");
   if Res != "":
      account = Res;
   Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"uid=" + account);
   if len(Attrs) == 0:
      break;
   Res = raw_input("That account already exists, update [no]? ");
   if Res == "yes":
      # Update mode, fetch the default values from the directory
      Update = 1;
      privsub = GetAttr(Attrs[0],"privatesub");
      gidnumber = GetAttr(Attrs[0],"gidnumber");
      uidnumber = GetAttr(Attrs[0],"uidnumber");
      email = GetAttr(Attrs[0],"emailforward");
      cn = GetAttr(Attrs[0],"cn");
      sn = GetAttr(Attrs[0],"sn");
      mn = GetAttr(Attrs[0],"mn");
      if privsub == None or privsub == "":
         privsub = " ";
      break;

# Prompt for the first/last name and email address
Res = raw_input("First name [" + cn + "]? ");
if Res != "":
   cn = Res;
Res = raw_input("Middle name [" + mn + "]? ");
if Res != "":
   mn = Res;
Res = raw_input("Last name [" + sn + "]? ");
if Res != "":
   sn = Res;
Res = raw_input("Email forwarding address [" + email + "]? ");
if Res != "":
   email = Res;

# Debian-Private subscription
Res = raw_input("Subscribe to debian-private (space is none) [" + privsub + "]? ");
if Res != "":
   privsub = Res;

# GID
Res = raw_input("Group ID Number [" + gidnumber + "]? ");
if Res != "":
   gidnumber = Res;

# UID
if uidnumber == 0:
   uidnumber = GetFreeID(l);

# Generate a random password
if Update == 0:
   Password = raw_input("User's Password (Enter for random)? ");

   if Password == "":
      print "Randomizing and encrypting password"
      Password = GenPass();
      Pass = HashPass(Password);
      print "PASS: ", Password;

      # Use GPG to encrypt it, pass the fingerprint to ID it
      CryptedPass = GPGEncrypt("Your new password is '" + Password + "'\n",\
                               "0x"+Keys[0][1],UsePGP2);
      Password = None;
      if CryptedPass == None:
        raise "Error","Password Encryption failed"
   else:
      Pass = HashPass(Password);
      CryptedPass = "Your password has been set to the previously agreed value.";
else:
   CryptedPass = "";
   Pass = None;

# Now we have all the bits of information.
if mn != "": 
   FullName = "%s %s %s" % (cn,mn,sn);
else:
   FullName = "%s %s" % (cn,sn);
print "------------";
print "Final information collected:"
print " %s <%s@%s>:" % (FullName,account,EmailAppend);
print "   Assigned UID:",uidnumber," GID:", gidnumber;
print "   Email forwarded to:",email;
print "   Private Subscription:",privsub;
print "   GECOS Field: \"%s,,,,\"" % (FullName);
print "   Login Shell: /bin/bash";
print "   Key Fingerprint:",Keys[0][1];
Res = raw_input("Continue [no]? ");
if Res != "yes":
   sys.exit(1);

# Initialize the substitution Map
Subst = {}
Subst["__REALNAME__"] = FullName;
Subst["__WHOAMI__"] = pwd.getpwuid(os.getuid())[0];
Subst["__DATE__"] = time.strftime("%a, %d %b %Y %H:%M:%S +0000",time.gmtime(time.time()));
Subst["__LOGIN__"] = account;
Subst["__PRIVATE__"] = privsub;
Subst["__EMAIL__"] = email;
Subst["__PASSWORD__"] = CryptedPass;
Subst["__LISTPASS__"] = string.strip(open(pwd.getpwuid(os.getuid())[5]+"/.debian-lists_passwd","r").read());

# Generate the LDAP request
Rec = [(ldap.MOD_REPLACE,"uid",account),
       (ldap.MOD_REPLACE,"uidNumber",str(uidnumber)),
       (ldap.MOD_REPLACE,"gidNumber",str(gidnumber)),
       (ldap.MOD_REPLACE,"gecos",FullName+",,,,"),
       (ldap.MOD_REPLACE,"loginShell","/bin/bash"),
       (ldap.MOD_REPLACE,"keyfingerprint",Keys[0][1]),
       (ldap.MOD_REPLACE,"cn",cn),
       (ldap.MOD_REPLACE,"mn",mn),
       (ldap.MOD_REPLACE,"sn",sn),
       (ldap.MOD_REPLACE,"emailforward",email),
       (ldap.MOD_REPLACE,"shadowLastChange",str(int(time.time()/24/60/60))),
       (ldap.MOD_REPLACE,"shadowMin","0"),
       (ldap.MOD_REPLACE,"shadowMax","99999"),
       (ldap.MOD_REPLACE,"shadowWarning","7"),
       (ldap.MOD_REPLACE,"shadowInactive",""),
       (ldap.MOD_REPLACE,"shadowExpire","")];
if privsub != " ":
   Rec.append((ldap.MOD_REPLACE,"privatesub",privsub));
if Pass != None:
   Rec.append((ldap.MOD_REPLACE,"userPassword","{crypt}"+Pass));

# Submit the modification request   
Dn = "uid=" + account + "," + BaseDn;
print "Updating LDAP directory..",
sys.stdout.flush();
try:
   l.add_s(Dn,[("uid",account),
               ("objectclass","top"),
               ("objectclass","account"),
               ("objectclass","posixAccount"),
               ("objectclass","shadowAccount"),
               ("objectclass","debiandeveloper")]);
except ldap.ALREADY_EXISTS:
   pass;

# Send the modify request
l.modify_s(Dn,Rec);
print;

# Abort email sends for an update operation
if Update == 1:
   print "Account is not new, Not sending mails"
   sys.exit(0);
   
# Do the subscription/welcome message
if privsub != " ":
   print TemplateSubst(Subst,open("templates/list-subscribe","r").read());

# Send the Welcome message
print "Sending Welcome Email"
Reply = TemplateSubst(Subst,open("templates/welcome-message-"+gidnumber,"r").read());
Child = os.popen("/usr/sbin/sendmail -t","w");
#Child = os.popen("cat","w");
Child.write(Reply);
if Child.close() != None:
   raise Error, "Sendmail gave a non-zero return code";