#!/usr/bin/env python # -*- mode: python -*- # Copyright (c) 1999-2000 Jason Gunthorpe # Copyright (c) 2001-2003 James Troup # Copyright (c) 2004 Joey Schulze # Copyright (c) 2008,2009,2010 Peter Palfrader # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. import re, time, ldap, getopt, sys, os, pwd; import email.Header import datetime from userdir_ldap import *; from userdir_gpg import *; HavePrivateList = getattr(ConfModule, "haveprivatelist", True) DefaultGroup = getattr(ConfModule, "defaultgroup", 'users') # This tries to search for a free UID. There are two possible ways to do # this, one is to fetch all the entires and pick the highest, the other # is to randomly guess uids until one is free. This uses the former. # Regrettably ldap doesn't have an integer attribute comparision function # so we can only cut the search down slightly def ShouldIgnoreID(uid): for i in IgnoreUsersForUIDNumberGen: try: if i.search(uid) is not None: return True except AttributeError: if uid == i: return True return False # [JT] This is broken with Woody LDAP and the Schema; for now just # search through all UIDs. def GetFreeID(l): Attrs = l.search_s(BaseBaseDn,ldap.SCOPE_SUBTREE, "(|(uidNumber=*)(gidNumber=*))",["uidNumber", "gidNumber", "uid"]); HighestUID = 0; gids = []; uids = []; for I in Attrs: ID = int(GetAttr(I,"uidNumber","0")); uids.append(ID) gids.append(int(GetAttr(I, "gidNumber","0"))) uid = GetAttr(I, "uid", None) if ID > HighestUID and not uid is None and not ShouldIgnoreID(uid): HighestUID = ID; resUID = HighestUID + 1; while resUID in uids or resUID in gids: resUID += 1 return (resUID, resUID) # Main starts here AdminUser = pwd.getpwuid(os.getuid())[0]; # Process options ForceMail = 0; NoAutomaticIDs = 0; GuestAccount = False OldGPGKeyRings = GPGKeyRings; userdir_gpg.GPGKeyRings = []; (options, arguments) = getopt.getopt(sys.argv[1:], "hgu:man") for (switch, val) in options: if (switch == '-h'): print "Usage: ud-useradd " print "Available options:" print " -h Show this help" print " -u= Admin user (defaults to current username)" print " -m Force mail (for updates)" print " -a Use old keyrings instead (??)" print " -n Do not automatically assign UID/GIDs" print " -g Add a guest account" sys.exit(0) elif (switch == '-u'): AdminUser = val; elif (switch == '-m'): ForceMail = 1; elif (switch == '-a'): userdir_gpg.GPGKeyRings = OldGPGKeyRings; elif (switch == '-n'): NoAutomaticIDs = 1; elif (switch == '-g'): GuestAccount = True l = passwdAccessLDAP(BaseDn, AdminUser) # Locate the key of the user we are adding if GuestAccount: SetKeyrings(ConfModule.add_keyrings_guest.split(":")) else: SetKeyrings(ConfModule.add_keyrings.split(":")) while (1): Foo = raw_input("Who are you going to add (for a GPG search)? "); if Foo == "": sys.exit(0); Keys = GPGKeySearch(Foo); if len(Keys) == 0: print "Sorry, that search did not turn up any keys." print "Has it been added to the Debian keyring already?" continue; if len(Keys) > 1: print "Sorry, more than one key was found, please specify the key to use by\nfingerprint:"; for i in Keys: GPGPrintKeyInfo(i); continue; print print "A matching key was found:" GPGPrintKeyInfo(Keys[0]); break; # Crack up the email address from the key into a best guess # first/middle/last name Addr = SplitEmail(Keys[0][2]); (cn,mn,sn) = NameSplit(re.sub('["]','',Addr[0])) emailaddr = Addr[1] + '@' + Addr[2]; account = Addr[1]; privsub = emailaddr gidNumber = 0; uidNumber = 0; # Decide if we should use IDEA encryption UsePGP2 = 0; while len(Keys[0][1]) < 40: Res = raw_input("Use PGP2.x compatibility [No/yes]? "); if Res == "yes": UsePGP2 = 1; break; if Res == "": break; Update = 0 Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"keyFingerPrint=" + Keys[0][1]); if len(Attrs) != 0: print "*** This key already belongs to",GetAttr(Attrs[0],"uid"); account = GetAttr(Attrs[0],"uid"); Update = 1 # Try to get a uniq account name while 1: if Update == 0: Res = raw_input("Login account [" + account + "]? "); if Res != "": account = Res; Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"uid=" + account); if len(Attrs) == 0: privsub = "%s@debian.org"%(account); break; Res = raw_input("That account already exists, update [No/yes]? "); if Res == "yes": # Update mode, fetch the default values from the directory Update = 1; privsub = GetAttr(Attrs[0],"privateSub"); gidNumber = GetAttr(Attrs[0],"gidNumber"); uidNumber = GetAttr(Attrs[0],"uidNumber"); emailaddr = GetAttr(Attrs[0],"emailForward"); cn = GetAttr(Attrs[0],"cn"); sn = GetAttr(Attrs[0],"sn"); mn = GetAttr(Attrs[0],"mn"); if privsub == None or privsub == "": privsub = " "; break; else: sys.exit(1) # Prompt for the first/last name and email address Res = raw_input("First name [" + cn + "]? "); if Res != "": cn = Res; Res = raw_input("Middle name [" + mn + "]? "); if Res == " ": mn = "" elif Res != "": mn = Res; Res = raw_input("Last name [" + sn + "]? "); if Res != "": sn = Res; Res = raw_input("Email forwarding address [" + emailaddr + "]? "); if Res != "": emailaddr = Res; # Debian-Private subscription if HavePrivateList and not GuestAccount: Res = raw_input("Subscribe to debian-private (space is none) [" + privsub + "]? "); if Res != "": privsub = Res; else: privsub = " " (uidNumber, generatedGID) = GetFreeID(l) if not gidNumber: gidNumber = generatedGID UserGroup = 1 if NoAutomaticIDs: # UID if not Update: Res = raw_input("User ID Number [%s]? " % (uidNumber)); if Res != "": uidNumber = Res; # GID Res = raw_input("Group ID Number (new usergroup is %s) [%s]" % (generatedGID, gidNumber)); if Res != "": if Res.isdigit(): gidNumber = int(Res); else: gidNumber = Group2GID(l, Res); if gidNumber != generatedGID: UserGroup = 0 if GuestAccount: supplementaryGid = 'guest' else: supplementaryGid = DefaultGroup shadowExpire = None hostacl = [] if GuestAccount: res = raw_input("Expires in xx days [60] (0 to disable)") if res == "": res = '60' exp = int(res) if exp > 0: shadowExpire = int(time.time() / 3600 / 24) + exp res = raw_input("Hosts to grant access to: ") for h in res.split(): if not '.' in h: h = h + '.' + HostDomain if exp > 0: h = h + " " + datetime.datetime.fromtimestamp( time.time() + exp * 24*3600 ).strftime("%Y%m%d") hostacl.append(h) # Generate a random password if Update == 0 or ForceMail == 1: Password = raw_input("User's Password (Enter for random)? "); if Password == "": print "Randomizing and encrypting password" Password = GenPass(); Pass = HashPass(Password); # Use GPG to encrypt it, pass the fingerprint to ID it CryptedPass = GPGEncrypt("Your new password is '" + Password + "'\n",\ "0x"+Keys[0][1],UsePGP2); Password = None; if CryptedPass == None: raise "Error","Password Encryption failed" else: Pass = HashPass(Password); CryptedPass = "Your password has been set to the previously agreed value."; else: CryptedPass = ""; Pass = None; # Now we have all the bits of information. if mn != "": FullName = "%s %s %s" % (cn,mn,sn); else: FullName = "%s %s" % (cn,sn); print "------------"; print "Final information collected:" print " %s <%s@%s>:" % (FullName,account,EmailAppend); print " Assigned UID:",uidNumber," GID:", gidNumber; print " supplementary group:",supplementaryGid print " Email forwarded to:",emailaddr if HavePrivateList: print " Private Subscription:",privsub; print " GECOS Field: \"%s,,,,\"" % (FullName); print " Login Shell: /bin/bash"; print " Key Fingerprint:",Keys[0][1]; if shadowExpire: print " ShadowExpire: %d (%s)"%(shadowExpire, datetime.datetime.fromtimestamp( shadowExpire * 24*3600 ).strftime("%Y%m%d") ) for h in hostacl: print " allowedHost: ", h Res = raw_input("Continue [No/yes]? "); if Res != "yes": sys.exit(1); # Initialize the substitution Map Subst = {} encrealname = '' try: encrealname = FullName.decode('us-ascii') except UnicodeError: encrealname = str(email.Header.Header(FullName, 'utf-8', 200)) Subst["__ENCODED_REALNAME__"] = encrealname Subst["__REALNAME__"] = FullName; Subst["__WHOAMI__"] = pwd.getpwuid(os.getuid())[0]; Subst["__DATE__"] = time.strftime("%a, %d %b %Y %H:%M:%S +0000",time.gmtime(time.time())); Subst["__LOGIN__"] = account; Subst["__PRIVATE__"] = privsub; Subst["__EMAIL__"] = emailaddr Subst["__PASSWORD__"] = CryptedPass; # Submit the modification request Dn = "uid=" + account + "," + BaseDn; print "Updating LDAP directory..", sys.stdout.flush(); if Update == 0: # New account Details = [("uid",account), ("objectClass", UserObjectClasses), ("uidNumber",str(uidNumber)), ("gidNumber",str(gidNumber)), ("supplementaryGid",supplementaryGid), ("gecos",FullName+",,,,"), ("loginShell","/bin/bash"), ("keyFingerPrint",Keys[0][1]), ("cn",cn), ("sn",sn), ("emailForward",emailaddr), ("shadowLastChange",str(int(time.time()/24/60/60))), ("shadowMin","0"), ("shadowMax","99999"), ("shadowWarning","7"), ("userPassword","{crypt}"+Pass)]; if mn: Details.append(("mn",mn)); if privsub != " ": Details.append(("privateSub",privsub)) if shadowExpire: Details.append(("shadowExpire",str(shadowExpire))) if len(hostacl) > 0: Details.append(("allowedHost",hostacl)) l.add_s(Dn,Details); #Add user group if needed, then the actual user: if UserGroup == 1: Dn = "gid=" + account + "," + BaseDn; l.add_s(Dn,[("gid",account), ("gidNumber",str(gidNumber)), ("objectClass", GroupObjectClasses)]) else: # Modification Rec = [(ldap.MOD_REPLACE,"uidNumber",str(uidNumber)), (ldap.MOD_REPLACE,"gidNumber",str(gidNumber)), (ldap.MOD_REPLACE,"gecos",FullName+",,,,"), (ldap.MOD_REPLACE,"loginShell","/bin/bash"), (ldap.MOD_REPLACE,"keyFingerPrint",Keys[0][1]), (ldap.MOD_REPLACE,"cn",cn), (ldap.MOD_REPLACE,"mn",mn), (ldap.MOD_REPLACE,"sn",sn), (ldap.MOD_REPLACE,"emailForward",emailaddr), (ldap.MOD_REPLACE,"shadowLastChange",str(int(time.time()/24/60/60))), (ldap.MOD_REPLACE,"shadowMin","0"), (ldap.MOD_REPLACE,"shadowMax","99999"), (ldap.MOD_REPLACE,"shadowWarning","7"), (ldap.MOD_REPLACE,"shadowInactive",""), (ldap.MOD_REPLACE,"shadowExpire","")]; if privsub != " ": Rec.append((ldap.MOD_REPLACE,"privateSub",privsub)); if Pass != None: Rec.append((ldap.MOD_REPLACE,"userPassword","{crypt}"+Pass)); # Do it l.modify_s(Dn,Rec); print; # Abort email sends for an update operation if Update == 1 and ForceMail == 0: print "Account is not new, Not sending mails" sys.exit(0); # Send the Welcome message print "Sending Welcome Email" templatepath = TemplatesDir + "/welcome-message-%s" % supplementaryGid if not os.path.exists(templatepath): templatepath = TemplatesDir + "/welcome-message" Reply = TemplateSubst(Subst,open(templatepath, "r").read()) Child = os.popen("/usr/sbin/sendmail -t","w"); #Child = os.popen("cat","w"); Child.write(Reply); if Child.close() != None: raise Error, "Sendmail gave a non-zero return code"; # vim:set et: # vim:set ts=3: # vim:set shiftwidth=3: