#
GroupIDMap = {}
SubGroupMap = {}
-Allowed = None
CurrentHost = ""
# return account['gidNumber'] == 800
# See if this user is in the group list
-def IsInGroup(account):
- if Allowed is None:
- return True
-
+def IsInGroup(account, allowed):
# See if the primary group is in the list
- if str(account['gidNumber']) in Allowed: return True
+ if str(account['gidNumber']) in allowed: return True
# Check the host based ACL
if account.is_allowed_by_hostacl(CurrentHost): return True
supgroups=[]
addGroups(supgroups, account['supplementaryGid'], account['uid'])
for g in supgroups:
- if Allowed.has_key(g):
+ if allowed.has_key(g):
return True
return False
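Review bot: The new `allowed` parameter is tested two different ways inside the same function: `str(account['gidNumber']) in allowed` on the primary-group line and `allowed.has_key(g)` in the supplementary loop, which reads as if the two were different container types. Since the removed `if Allowed is None: return True` guard now lives at the caller, the function silently assumes `allowed` is a non-empty dict keyed by group name; that contract should be stated, e.g. a docstring "Return True if account's primary gid, any supplementary group, or the host ACL for CurrentHost admits it; `allowed` is a dict of permitted group names and must not be empty — callers skip the filter when there is no group list." For the loop test, `if g in allowed:` keeps both checks consistent and avoids the Python-2-only `has_key`. The same `has_key` form appears in the relocated group-map loop later in this diff.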
userlist = {}
i = 0
for a in accounts:
- if not IsInGroup(a): continue
-
# Do not let people try to buffer overflow some busted passwd parser.
if len(a['gecos']) > 100 or len(a['loginShell']) > 50: continue
i = 0
for a in accounts:
- Pass = '*'
- if not IsInGroup(a): continue
-
# If the account is locked, mark it as such in shadow
# See Debian Bug #308229 for why we set it to 1 instead of 0
if not a.pw_active(): ShadowExpire = '1'
for a in accounts:
Pass = '*'
- if not IsInGroup(a): continue
-
if 'sudoPassword' in a:
for entry in a['sudoPassword']:
Match = re.compile('^('+UUID_FORMAT+') (confirmed:[0-9a-f]{40}|unconfirmed) ([a-z0-9.,*]+) ([^ ]+)$').match(entry)
# Sort them into a list of groups having a set of users
for a in accounts:
GroupHasPrimaryMembers[ a['gidNumber'] ] = True
- if not IsInGroup(a): continue
if not 'supplementaryGid' in a: continue
supgroups=[]
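Review bot: `GroupHasPrimaryMembers[ a['gidNumber'] ] = True` used to run for every account, because it preceded the removed `if not IsInGroup(a): continue`; now that the caller pre-filters `accounts` before this loop, primary-group membership is recorded only for accounts admitted on this host. That looks like a behaviour change rather than a pure refactor: groups whose only primary members are filtered out will presumably no longer be marked as having primary members, which may alter which groups are emitted. If that is intended, a one-line comment saying so would help (`# accounts is already restricted to this host's allowed set; groups populated only by excluded users are dropped`); if not, this loop needs the unfiltered account list. The enclosing function begins outside this hunk, so I cannot see whether an unfiltered copy is still in scope.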
for a in accounts:
if not 'emailForward' in a: continue
-
delete = False
- if not IsInGroup(a): delete = True
# Do not allow people to try to buffer overflow busted parsers
- elif len(a['emailForward']) > 200: delete = True
+ if len(a['emailForward']) > 200: delete = True
# Check the forwarding address
elif EmailCheck.match(a['emailForward']) is None: delete = True
for extra in host[1]['exportOptions']:
ExtraList[extra.upper()] = True
- global Allowed
- Allowed = GroupList
- if Allowed == {}:
- Allowed = None
+ if GroupList != {}:
+ accounts = filter(lambda x: IsInGroup(x, GroupList), accounts)
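Review bot: Rebinding `accounts = filter(...)` inside the host loop only reaches the `Gen*` calls below if `accounts` is a local or parameter of this function; if it is a module-level name that those generators also read, the rebinding is local and they still see the unfiltered list. The enclosing function starts outside the hunk, so I can only flag it. Under Python 2 `filter` returns a list, so the repeated iterations over `accounts` in the later loops are fine; if this code is ever run under Python 3 the iterator would be exhausted after the first consumer, so `list(filter(...))` or a list comprehension is the safer spelling. `if GroupList != {}:` is the idiomatic `if GroupList:`.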
DoLink(global_dir, OutDir, "debianhosts")
DoLink(global_dir, OutDir, "ssh_known_hosts")
DoLink(global_dir, OutDir, "mail-rhsbl")
DoLink(global_dir, OutDir, "mail-whitelist")
DoLink(global_dir, OutDir, "all-accounts.json")
- GenCDB(filter(lambda x: IsInGroup(x), accounts), OutDir + "user-forward.cdb", 'emailForward')
- GenCDB(filter(lambda x: IsInGroup(x), accounts), OutDir + "batv-tokens.cdb", 'bATVToken')
- GenCDB(filter(lambda x: IsInGroup(x), accounts), OutDir + "default-mail-options.cdb", 'mailDefaultOptions')
+ GenCDB(accounts, OutDir + "user-forward.cdb", 'emailForward')
+ GenCDB(accounts, OutDir + "batv-tokens.cdb", 'bATVToken')
+ GenCDB(accounts, OutDir + "default-mail-options.cdb", 'mailDefaultOptions')
# Compatibility.
DoLink(global_dir, OutDir, "forward-alias")
-parser = optparse.OptionParser()
-parser.add_option("-g", "--generatedir", dest="generatedir", metavar="DIR",
- help="Output directory.")
-parser.add_option("-f", "--force", dest="force", action="store_true",
- help="Force generation, even if not update to LDAP has happened.")
+def ud_generate():
+ global GenerateDir
+ global GroupIDMap
+ parser = optparse.OptionParser()
+ parser.add_option("-g", "--generatedir", dest="generatedir", metavar="DIR",
+ help="Output directory.")
+ parser.add_option("-f", "--force", dest="force", action="store_true",
+ help="Force generation, even if not update to LDAP has happened.")
-(options, args) = parser.parse_args()
-if len(args) > 0:
- parser.print_help()
- sys.exit(1)
+ (options, args) = parser.parse_args()
+ if len(args) > 0:
+ parser.print_help()
+ sys.exit(1)
-l = make_ldap_conn()
+ l = make_ldap_conn()
-if options.generatedir is not None:
- GenerateDir = os.environ['UD_GENERATEDIR']
-elif 'UD_GENERATEDIR' in os.environ:
- GenerateDir = os.environ['UD_GENERATEDIR']
+ if options.generatedir is not None:
+ GenerateDir = os.environ['UD_GENERATEDIR']
+ elif 'UD_GENERATEDIR' in os.environ:
+ GenerateDir = os.environ['UD_GENERATEDIR']
-ldap_last_mod = getLastLDAPChangeTime(l)
-cache_last_mod = getLastBuildTime()
-need_update = ldap_last_mod > cache_last_mod
+ ldap_last_mod = getLastLDAPChangeTime(l)
+ cache_last_mod = getLastBuildTime()
+ need_update = ldap_last_mod > cache_last_mod
-if not options.force and not need_update:
- fd = open(os.path.join(GenerateDir, "last_update.trace"), "w")
- fd.write("%s\n%s\n" % (ldap_last_mod, int(time.time())))
- fd.close()
- sys.exit(0)
+ if not options.force and not need_update:
+ fd = open(os.path.join(GenerateDir, "last_update.trace"), "w")
+ fd.write("%s\n%s\n" % (ldap_last_mod, int(time.time())))
+ fd.close()
+ sys.exit(0)
-# Fetch all the groups
-GroupIDMap = {}
-attrs = l.search_s(BaseDn, ldap.SCOPE_ONELEVEL, "gid=*",\
- ["gid", "gidNumber", "subGroup"])
-
-# Generate the SubGroupMap and GroupIDMap
-for x in attrs:
- if x[1].has_key("accountStatus") and x[1]['accountStatus'] == "disabled":
- continue
- if x[1].has_key("gidNumber") == 0:
- continue
- GroupIDMap[x[1]["gid"][0]] = int(x[1]["gidNumber"][0])
- if x[1].has_key("subGroup") != 0:
- SubGroupMap.setdefault(x[1]["gid"][0], []).extend(x[1]["subGroup"])
-
-lock = None
-try:
- lockf = os.path.join(GenerateDir, 'ud-generate.lock')
- lock = get_lock( lockf )
- if lock is None:
- sys.stderr.write("Could not acquire lock %s.\n"%(lockf))
- sys.exit(1)
+ # Fetch all the groups
+ GroupIDMap = {}
+ attrs = l.search_s(BaseDn, ldap.SCOPE_ONELEVEL, "gid=*",\
+ ["gid", "gidNumber", "subGroup"])
- tracefd = open(os.path.join(GenerateDir, "last_update.trace"), "w")
- generate_all(GenerateDir, l)
- tracefd.write("%s\n%s\n" % (ldap_last_mod, int(time.time())))
- tracefd.close()
+ # Generate the SubGroupMap and GroupIDMap
+ for x in attrs:
+ if x[1].has_key("accountStatus") and x[1]['accountStatus'] == "disabled":
+ continue
+ if x[1].has_key("gidNumber") == 0:
+ continue
+ GroupIDMap[x[1]["gid"][0]] = int(x[1]["gidNumber"][0])
+ if x[1].has_key("subGroup") != 0:
+ SubGroupMap.setdefault(x[1]["gid"][0], []).extend(x[1]["subGroup"])
-finally:
- if lock is not None:
- lock.release()
+ lock = None
+ try:
+ lockf = os.path.join(GenerateDir, 'ud-generate.lock')
+ lock = get_lock( lockf )
+ if lock is None:
+ sys.stderr.write("Could not acquire lock %s.\n"%(lockf))
+ sys.exit(1)
+
+ tracefd = open(os.path.join(GenerateDir, "last_update.trace"), "w")
+ generate_all(GenerateDir, l)
+ tracefd.write("%s\n%s\n" % (ldap_last_mod, int(time.time())))
+ tracefd.close()
+
+ finally:
+ if lock is not None:
+ lock.release()
+
+if __name__ == "__main__":
+ ud_generate()
# vim:set et:
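Review bot: The carried-over `if options.generatedir is not None: GenerateDir = os.environ['UD_GENERATEDIR']` ignores the value the user just passed with `-g` and raises `KeyError` when the environment variable is unset; it should be `GenerateDir = options.generatedir`, leaving the `elif` branch for the environment fallback. The early-exit path writes `last_update.trace` before the `ud-generate.lock` is taken, so two concurrent invocations can interleave on that file while the locked path writes it too; moving the lock acquisition above that branch, or skipping the write in the no-update case, would close that window. Both trace-file writes would also be safer as `with open(...) as fd:` so an exception in `generate_all` does not leave `tracefd` open. `ud_generate` would benefit from a short docstring stating that it parses the command line, decides whether LDAP changed since the last build, loads the group maps, and runs `generate_all` under the lock.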