#!/usr/bin/env python # -*- mode: python -*- import string, re, time, ldap, getopt, sys, os, pwd; from userdir_ldap import *; from userdir_gpg import *; # This tries to search for a free UID. There are two possible ways to do # this, one is to fetch all the entires and pick the highest, the other # is to randomly guess uids until one is free. This uses the former. # Regrettably ldap doesn't have an integer attribute comparision function # so we can only cut the search down slightly # [JT] This is broken with Woody LDAP and the Schema; for now just # search through all UIDs. def GetFreeID(l): Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL, "uidNumber=*",["uidNumber"]); HighestUID = 0; for I in Attrs: ID = int(GetAttr(I,"uidNumber","0")); if ID > HighestUID: HighestUID = ID; return HighestUID + 1; # Main starts here AdminUser = pwd.getpwuid(os.getuid())[0]; # Process options ForceMail = 0; OldGPGKeyRings = GPGKeyRings; userdir_gpg.GPGKeyRings = []; (options, arguments) = getopt.getopt(sys.argv[1:], "u:ma") for (switch, val) in options: if (switch == '-u'): AdminUser = val; elif (switch == '-m'): ForceMail = 1; elif (switch == '-a'): userdir_gpg.GPGKeyRings = OldGPGKeyRings; print "Accessing LDAP directory as '" + AdminUser + "'"; Password = getpass(AdminUser + "'s password: "); # Connect to the ldap server l = ldap.open(LDAPServer); UserDn = "uid=" + AdminUser + "," + BaseDn; l.simple_bind_s(UserDn,Password); # Locate the key of the user we are adding GPGBasicOptions[0] = "--batch" # Permit loading of the config file while (1): Foo = raw_input("Who are you going to add (for a GPG search)? "); if Foo == "": continue; Keys = GPGKeySearch(Foo); if len(Keys) == 0: print "Sorry, that search did not turn up any keys"; continue; if len(Keys) > 1: print "Sorry, more than one key was found, please specify the key to use by\nfingerprint:"; for i in Keys: GPGPrintKeyInfo(i); continue; print print "A matching key was found:" GPGPrintKeyInfo(Keys[0]); break; # Crack up the email address from the key into a best guess # first/middle/last name Addr = SplitEmail(Keys[0][2]); (cn,mn,sn) = NameSplit(re.sub('["]','',Addr[0])) email = Addr[1] + '@' + Addr[2]; account = Addr[1]; privsub = email; gidNumber = str(DefaultGID); uidNumber = 0; # Decide if we should use IDEA encryption UsePGP2 = 0; while len(Keys[0][1]) < 40: Res = raw_input("Use PGP2.x compatibility [no]? "); if Res == "yes": UsePGP2 = 1; break; if Res == "": break; Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"keyFingerPrint=" + Keys[0][1]); if len(Attrs) != 0: print "*** This key already belongs to",GetAttr(Attrs[0],"uid"); account = GetAttr(Attrs[0],"uid"); # Try to get a uniq account name Update=0 while 1: Res = raw_input("Login account [" + account + "]? "); if Res != "": account = Res; Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"uid=" + account); if len(Attrs) == 0: privsub = "%s@debian.org"%(account); break; Res = raw_input("That account already exists, update [no]? "); if Res == "yes": # Update mode, fetch the default values from the directory Update = 1; privsub = GetAttr(Attrs[0],"privateSub"); gidNumber = GetAttr(Attrs[0],"gidNumber"); uidNumber = GetAttr(Attrs[0],"uidNumber"); email = GetAttr(Attrs[0],"emailForward"); cn = GetAttr(Attrs[0],"cn"); sn = GetAttr(Attrs[0],"sn"); mn = GetAttr(Attrs[0],"mn"); if privsub == None or privsub == "": privsub = " "; break; # Prompt for the first/last name and email address Res = raw_input("First name [" + cn + "]? "); if Res != "": cn = Res; Res = raw_input("Middle name [" + mn + "]? "); if Res != "": mn = Res; Res = raw_input("Last name [" + sn + "]? "); if Res != "": sn = Res; Res = raw_input("Email forwarding address [" + email + "]? "); if Res != "": email = Res; # Debian-Private subscription Res = raw_input("Subscribe to debian-private (space is none) [" + privsub + "]? "); if Res != "": privsub = Res; # GID Res = raw_input("Group ID Number [" + gidNumber + "]? "); if Res != "": gidNumber = Res; # UID if uidNumber == 0: uidNumber = GetFreeID(l); # Generate a random password if Update == 0 or ForceMail == 1: Password = raw_input("User's Password (Enter for random)? "); if Password == "": print "Randomizing and encrypting password" Password = GenPass(); Pass = HashPass(Password); # Use GPG to encrypt it, pass the fingerprint to ID it CryptedPass = GPGEncrypt("Your new password is '" + Password + "'\n",\ "0x"+Keys[0][1],UsePGP2); Password = None; if CryptedPass == None: raise "Error","Password Encryption failed" else: Pass = HashPass(Password); CryptedPass = "Your password has been set to the previously agreed value."; else: CryptedPass = ""; Pass = None; # Now we have all the bits of information. if mn != "": FullName = "%s %s %s" % (cn,mn,sn); else: FullName = "%s %s" % (cn,sn); print "------------"; print "Final information collected:" print " %s <%s@%s>:" % (FullName,account,EmailAppend); print " Assigned UID:",uidNumber," GID:", gidNumber; print " Email forwarded to:",email; print " Private Subscription:",privsub; print " GECOS Field: \"%s,,,,\"" % (FullName); print " Login Shell: /bin/bash"; print " Key Fingerprint:",Keys[0][1]; Res = raw_input("Continue [no]? "); if Res != "yes": sys.exit(1); # Initialize the substitution Map Subst = {} Subst["__REALNAME__"] = FullName; Subst["__WHOAMI__"] = pwd.getpwuid(os.getuid())[0]; Subst["__DATE__"] = time.strftime("%a, %d %b %Y %H:%M:%S +0000",time.gmtime(time.time())); Subst["__LOGIN__"] = account; Subst["__PRIVATE__"] = privsub; Subst["__EMAIL__"] = email; Subst["__PASSWORD__"] = CryptedPass; # Submit the modification request Dn = "uid=" + account + "," + BaseDn; print "Updating LDAP directory..", sys.stdout.flush(); if Update == 0: # New account Details = [("uid",account), ("objectClass", ("top","inetOrgPerson","debianAccount","shadowAccount","debianDeveloper")), ("uidNumber",str(uidNumber)), ("gidNumber",str(gidNumber)), ("gecos",FullName+",,,,"), ("loginShell","/bin/bash"), ("keyFingerPrint",Keys[0][1]), ("cn",cn), ("sn",sn), ("emailForward",email), ("shadowLastChange",str(int(time.time()/24/60/60))), ("shadowMin","0"), ("shadowMax","99999"), ("shadowWarning","7"), ("privateSub",privsub), ("userPassword","{crypt}"+Pass)]; if mn: Details.append(("mn",mn)); l.add_s(Dn,Details); else: # Modification Rec = [(ldap.MOD_REPLACE,"uidNumber",str(uidNumber)), (ldap.MOD_REPLACE,"gidNumber",str(gidNumber)), (ldap.MOD_REPLACE,"gecos",FullName+",,,,"), (ldap.MOD_REPLACE,"loginShell","/bin/bash"), (ldap.MOD_REPLACE,"keyFingerPrint",Keys[0][1]), (ldap.MOD_REPLACE,"cn",cn), (ldap.MOD_REPLACE,"mn",mn), (ldap.MOD_REPLACE,"sn",sn), (ldap.MOD_REPLACE,"emailForward",email), (ldap.MOD_REPLACE,"shadowLastChange",str(int(time.time()/24/60/60))), (ldap.MOD_REPLACE,"shadowMin","0"), (ldap.MOD_REPLACE,"shadowMax","99999"), (ldap.MOD_REPLACE,"shadowWarning","7"), (ldap.MOD_REPLACE,"shadowInactive",""), (ldap.MOD_REPLACE,"shadowExpire","")]; if privsub != " ": Rec.append((ldap.MOD_REPLACE,"privateSub",privsub)); if Pass != None: Rec.append((ldap.MOD_REPLACE,"userPassword","{crypt}"+Pass)); # Do it l.modify_s(Dn,Rec); print; # Abort email sends for an update operation if Update == 1 and ForceMail == 0: print "Account is not new, Not sending mails" sys.exit(0); # Send the Welcome message print "Sending Welcome Email" Reply = TemplateSubst(Subst,open(TemplatesDir+"/welcome-message-"+gidNumber,"r").read()); Child = os.popen("/usr/sbin/sendmail -t","w"); #Child = os.popen("cat","w"); Child.write(Reply); if Child.close() != None: raise Error, "Sendmail gave a non-zero return code";