DNSZone = ".debian.net"
def Sanitize(Str):
- return string.translate(Str,string.maketrans("\n\r\t","$$$"));
+ return Str.translate(string.maketrans("\n\r\t","$$$"))
def DoLink(From,To,File):
try: posix.remove(To+File);
Pass = '*';
else:
Pass = Pass[7:];
+
+ # If the account is locked, mark it as such in shadow
+ # See Debian Bug #308229 for why we set it to 1 instead of 0
+ if (GetAttr(x,"userPassword").find("*LK*") != -1) \
+ or GetAttr(x,"userPassword").startswith("!"):
+ ShadowExpire = '1'
+ else:
+ ShadowExpire = GetAttr(x,"shadowexpire")
+
Line = "%s:%s:%s:%s:%s:%s:%s:%s:" % (GetAttr(x,"uid"),\
Pass,GetAttr(x,"shadowLastChange"),\
GetAttr(x,"shadowMin"),GetAttr(x,"shadowMax"),\
GetAttr(x,"shadowWarning"),GetAttr(x,"shadowinactive"),\
- GetAttr(x,"shadowexpire"));
+ ShadowExpire);
Line = Sanitize(Line) + "\n";
F.write("0%u %s" % (I,Line));
F.write(".%s %s" % (GetAttr(x,"uid"),Line));
# If the account is locked, do not write it.
# This is a partial stop-gap. The ssh also needs to change this
# to ignore ~/.ssh/authorized* files.
- if (string.find(GetAttr(x,"userPassword"),"*LK*") != -1):
+ if (GetAttr(x,"userPassword").find("*LK*") != -1) \
+ or GetAttr(x,"userPassword").startswith("!"):
continue;
if x[1].has_key("uidNumber") == 0 or \
continue;
# If the account is locked, do not write it
- if (string.find(GetAttr(x,"userPassword"),"*LK*") != -1) \
- or (string.find(GetAttr(x,"userPassword"),"*PK*") != -1):
+ if (GetAttr(x,"userPassword").find("*LK*") != -1) \
+ or GetAttr(x,"userPassword").startswith("!"):
continue;
# If the account has no PGP key, do not write it
raise;
Done(File,F,None);
+# Generate a list of locked accounts
+def GenDisabledAccounts(l,File):
+ F = None;
+ try:
+ F = open(File + ".tmp","w");
+
+ # Fetch all the users
+ global PasswdAttrs;
+ if PasswdAttrs == None:
+ raise "No Users";
+
+ I = 0;
+ for x in PasswdAttrs:
+ if x[1].has_key("uidNumber") == 0:
+ continue;
+
+ Pass = GetAttr(x,"userPassword");
+ Line = ""
+ # *LK* is the reference value for a locked account
+ # password starting with ! is also a locked account
+ if Pass.find("*LK*") != -1 or Pass.startswith("!"):
+ # Format is <login>:<reason>
+ Line = "%s:%s" % (GetAttr(x,"uid"), "Account is locked")
+
+ if Line != "":
+ F.write(Sanitize(Line) + "\n")
+
+ # Oops, something unspeakable happened.
+ except:
+ Die(File,F,None);
+ raise;
+ Done(File,F,None);
+
# Generate the list of local addresses that refuse all mail
def GenMailDisable(l,File):
F = None;
Reason = None
# If the account is locked, disable incoming mail
- if (string.find(GetAttr(x,"userPassword"),"*LK*") != -1):
- Reason = "user account locked"
+ if (GetAttr(x,"userPassword").find("*LK*") != -1):
+ if GetAttr(x,"uid") == "luther":
+ continue
+ else:
+ Reason = "user account locked"
else:
if x[1].has_key("mailDisableMessage"):
Reason = GetAttr(x,"mailDisableMessage")
try:
F.write("; %s\n"%(EmailAddress(x)));
for z in x[1]["dnsZoneEntry"]:
- Split = string.split(string.lower(z));
- if string.lower(Split[1]) == 'in':
+ Split = z.lower().split()
+ if Split[1].lower() == 'in':
for y in range(0,len(Split)):
if Split[y] == "$":
Split[y] = "\n\t";
- Line = string.join(Split," ") + "\n";
+ Line = " ".join(Split) + "\n";
F.write(Line);
Host = Split[0] + DNSZone;
F.write("; Has BSMTP\n");
# Write some identification information
- if string.lower(Split[2]) == "a":
+ if Split[2].lower() == "a":
Line = "%s IN TXT \"%s\"\n"%(Split[0],EmailAddress(x));
for y in x[1]["keyFingerPrint"]:
Line = Line + "%s IN TXT \"PGP %s\"\n"%(Split[0],FormatPGPKey(y));
Host = GetAttr(x,"hostname");
Algorithm = None
for I in x[1]["sshRSAHostKey"]:
- Split = string.split(I)
+ Split = I.split()
if Split[0] == 'ssh-rsa':
Algorithm = 1
if Split[0] == 'ssh-dss':
continue;
try:
for z in x[1]["dnsZoneEntry"]:
- Split = string.split(string.lower(z));
- if string.lower(Split[1]) == 'in':
+ Split = z.lower().split()
+ if Split[1].lower() == 'in':
for y in range(0,len(Split)):
if Split[y] == "$":
Split[y] = "\n\t";
- Line = string.join(Split," ") + "\n";
+ Line = " ".join(Split) + "\n";
Host = Split[0] + DNSZone;
if BSMTPCheck.match(Line) != None:
x[1].has_key("sshRSAHostKey") == 0:
continue;
Host = GetAttr(x,"hostname");
- SHost = string.find(Host,".");
+ SHost = Host.find(".")
for I in x[1]["sshRSAHostKey"]:
if SHost == None:
Line = "%s,%s %s" %(Host,socket.gethostbyname(Host),I);
# Connect to the ldap server
l = ldap.open(LDAPServer);
F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r");
-Pass = string.split(string.strip(F.readline())," ");
+Pass = F.readline().strip().split(" ")
F.close();
l.simple_bind_s("uid="+Pass[0]+","+BaseDn,Pass[1]);
GenAllForward(l,GlobalDir+"mail-forward.cdb");
GenMarkers(l,GlobalDir+"markers");
GenPrivate(l,GlobalDir+"debian-private");
+GenDisabledAccounts(l,GlobalDir+"disabled-accounts");
GenSSHKnown(l,GlobalDir+"ssh_known_hosts");
GenHosts(l,GlobalDir+"debianhosts");
GenMailDisable(l,GlobalDir+"mail-disable");
Line = F.readline();
if Line == "":
break;
- Line = string.strip(Line);
+ Line = Line.strip()
if Line == "":
continue;
if Line[0] == '#':
continue;
- Split = string.split(Line," ");
+ Split = Line.split(" ")
OutDir = GenerateDir + '/' + Split[0] + '/';
try: os.mkdir(OutDir);
except: pass;
DoLink(GlobalDir,OutDir,"ssh-rsa-shadow");
DoLink(GlobalDir,OutDir,"debianhosts");
DoLink(GlobalDir,OutDir,"ssh_known_hosts");
+ DoLink(GlobalDir,OutDir,"disabled-accounts")
sys.stdout.flush();
GenPasswd(l,OutDir+"passwd",Split[1]);
projects / mirror / userdir-ldap.git / blobdiff