#!/usr/bin/env python
# -*- mode: python -*-
-import string, re, time, ldap, getopt, sys, os, pwd;
+# Copyright (c) 1999-2000 Jason Gunthorpe <jgg@debian.org>
+# Copyright (c) 2001-2003 James Troup <troup@debian.org>
+# Copyright (c) 2004 Joey Schulze <joey@infodrom.org>
+# Copyright (c) 2008,2009,2010 Peter Palfrader <peter@palfrader.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+import re, time, ldap, getopt, sys, os, pwd;
+import email.Header
+import datetime
+
from userdir_ldap import *;
from userdir_gpg import *;
+HavePrivateList = getattr(ConfModule, "haveprivatelist", True)
+DefaultGroup = getattr(ConfModule, "defaultgroup", 'users')
+
# This tries to search for a free UID. There are two possible ways to do
# this, one is to fetch all the entires and pick the highest, the other
-# is to randomly guess uids until one is free. This uses the formar.
+# is to randomly guess uids until one is free. This uses the former.
# Regrettably ldap doesn't have an integer attribute comparision function
-# so we can only cut the search down slightly
+# so we can only cut the search down slightly
+
+def ShouldIgnoreID(uid):
+ for i in IgnoreUsersForUIDNumberGen:
+ try:
+ if i.search(uid) is not None:
+ return True
+ except AttributeError:
+ if uid == i:
+ return True
+
+ return False
+
+# [JT] This is broken with Woody LDAP and the Schema; for now just
+# search through all UIDs.
def GetFreeID(l):
- HighestUID = 1400;
- Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,\
- "uidnumber>="+str(HighestUID),["uidnumber"]);
+ Attrs = l.search_s(BaseBaseDn,ldap.SCOPE_SUBTREE,
+ "(|(uidNumber=*)(gidNumber=*))",["uidNumber", "gidNumber", "uid"]);
HighestUID = 0;
+ gids = [];
+ uids = [];
for I in Attrs:
- ID = int(GetAttr(I,"uidnumber","0"));
- if ID > HighestUID:
+ ID = int(GetAttr(I,"uidNumber","0"));
+ uids.append(ID)
+ gids.append(int(GetAttr(I, "gidNumber","0")))
+ uid = GetAttr(I, "uid", None)
+ if ID > HighestUID and not uid is None and not ShouldIgnoreID(uid):
HighestUID = ID;
- return HighestUID + 1;
+
+ resUID = HighestUID + 1;
+ while resUID in uids or resUID in gids:
+ resUID += 1
+
+ return (resUID, resUID)
# Main starts here
+AdminUser = pwd.getpwuid(os.getuid())[0];
# Process options
-(options, arguments) = getopt.getopt(sys.argv[1:], "u:")
+ForceMail = 0;
+NoAutomaticIDs = 0;
+GuestAccount = False
+OldGPGKeyRings = GPGKeyRings;
+userdir_gpg.GPGKeyRings = [];
+(options, arguments) = getopt.getopt(sys.argv[1:], "hgu:man")
for (switch, val) in options:
- if (switch == '-u'):
- AdminUser = val
-
-print "Accessing LDAP directory as '" + AdminUser + "'";
-Password = getpass(AdminUser + "'s password: ");
+ if (switch == '-h'):
+ print "Usage: ud-useradd <options>"
+ print "Available options:"
+ print " -h Show this help"
+ print " -u=<user> Admin user (defaults to current username)"
+ print " -m Force mail (for updates)"
+ print " -a Use old keyrings instead (??)"
+ print " -n Do not automatically assign UID/GIDs"
+ print " -g Add a guest account"
+ sys.exit(0)
+ elif (switch == '-u'):
+ AdminUser = val;
+ elif (switch == '-m'):
+ ForceMail = 1;
+ elif (switch == '-a'):
+ userdir_gpg.GPGKeyRings = OldGPGKeyRings;
+ elif (switch == '-n'):
+ NoAutomaticIDs = 1;
+ elif (switch == '-g'):
+ GuestAccount = True
-# Connect to the ldap server
-l = ldap.open(LDAPServer);
-UserDn = "uid=" + AdminUser + "," + BaseDn;
-l.simple_bind_s(UserDn,Password);
+l = passwdAccessLDAP(BaseDn, AdminUser)
# Locate the key of the user we are adding
-GPGBasicOptions[0] = "--batch" # Permit loading of the config file
+if GuestAccount:
+ SetKeyrings(ConfModule.add_keyrings_guest.split(":"))
+else:
+ SetKeyrings(ConfModule.add_keyrings.split(":"))
+
while (1):
Foo = raw_input("Who are you going to add (for a GPG search)? ");
if Foo == "":
- continue;
+ sys.exit(0);
Keys = GPGKeySearch(Foo);
if len(Keys) == 0:
- print "Sorry, that search did not turn up any keys";
+ print "Sorry, that search did not turn up any keys."
+ print "Has it been added to the Debian keyring already?"
continue;
if len(Keys) > 1:
print "Sorry, more than one key was found, please specify the key to use by\nfingerprint:";
print "A matching key was found:"
GPGPrintKeyInfo(Keys[0]);
break;
-
-# Crack up the email address from the key into a best guess
+
+# Crack up the email address from the key into a best guess
# first/middle/last name
Addr = SplitEmail(Keys[0][2]);
(cn,mn,sn) = NameSplit(re.sub('["]','',Addr[0]))
-email = Addr[1] + '@' + Addr[2];
+emailaddr = Addr[1] + '@' + Addr[2];
account = Addr[1];
-privsub = email;
-gidnumber = str(DefaultGID);
-uidnumber = 0;
+privsub = emailaddr
+gidNumber = 0;
+uidNumber = 0;
# Decide if we should use IDEA encryption
UsePGP2 = 0;
while len(Keys[0][1]) < 40:
- Res = raw_input("Use PGP2.x compatibility [no]? ");
+ Res = raw_input("Use PGP2.x compatibility [No/yes]? ");
if Res == "yes":
UsePGP2 = 1;
break;
if Res == "":
break;
+Update = 0
+Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"keyFingerPrint=" + Keys[0][1]);
+if len(Attrs) != 0:
+ print "*** This key already belongs to",GetAttr(Attrs[0],"uid");
+ account = GetAttr(Attrs[0],"uid");
+ Update = 1
+
# Try to get a uniq account name
-Update=0
while 1:
- Res = raw_input("Login account [" + account + "]? ");
- if Res != "":
- account = Res;
+ if Update == 0:
+ Res = raw_input("Login account [" + account + "]? ");
+ if Res != "":
+ account = Res;
Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"uid=" + account);
if len(Attrs) == 0:
+ privsub = "%s@debian.org"%(account);
break;
- Res = raw_input("That account already exists, update [no]? ");
+ Res = raw_input("That account already exists, update [No/yes]? ");
if Res == "yes":
# Update mode, fetch the default values from the directory
Update = 1;
- privsub = GetAttr(Attrs[0],"privatesub");
- gidnumber = GetAttr(Attrs[0],"gidnumber");
- uidnumber = GetAttr(Attrs[0],"uidnumber");
- email = GetAttr(Attrs[0],"emailforward");
+ privsub = GetAttr(Attrs[0],"privateSub");
+ gidNumber = GetAttr(Attrs[0],"gidNumber");
+ uidNumber = GetAttr(Attrs[0],"uidNumber");
+ emailaddr = GetAttr(Attrs[0],"emailForward");
cn = GetAttr(Attrs[0],"cn");
sn = GetAttr(Attrs[0],"sn");
mn = GetAttr(Attrs[0],"mn");
if privsub == None or privsub == "":
privsub = " ";
break;
+ else:
+ sys.exit(1)
# Prompt for the first/last name and email address
Res = raw_input("First name [" + cn + "]? ");
if Res != "":
cn = Res;
Res = raw_input("Middle name [" + mn + "]? ");
-if Res != "":
+if Res == " ":
+ mn = ""
+elif Res != "":
mn = Res;
Res = raw_input("Last name [" + sn + "]? ");
if Res != "":
sn = Res;
-Res = raw_input("Email forwarding address [" + email + "]? ");
+Res = raw_input("Email forwarding address [" + emailaddr + "]? ");
if Res != "":
- email = Res;
+ emailaddr = Res;
# Debian-Private subscription
-Res = raw_input("Subscribe to debian-private (space is none) [" + privsub + "]? ");
-if Res != "":
- privsub = Res;
+if HavePrivateList and not GuestAccount:
+ Res = raw_input("Subscribe to debian-private (space is none) [" + privsub + "]? ");
+ if Res != "":
+ privsub = Res;
+else:
+ privsub = " "
-# GID
-Res = raw_input("Group ID Number [" + gidnumber + "]? ");
-if Res != "":
- gidnumber = Res;
-# UID
-if uidnumber == 0:
- uidnumber = GetFreeID(l);
+(uidNumber, generatedGID) = GetFreeID(l)
+if not gidNumber:
+ gidNumber = generatedGID
+
+UserGroup = 1
+if NoAutomaticIDs:
+ # UID
+ if not Update:
+ Res = raw_input("User ID Number [%s]? " % (uidNumber));
+ if Res != "":
+ uidNumber = Res;
+
+ # GID
+ Res = raw_input("Group ID Number (new usergroup is %s) [%s]" % (generatedGID, gidNumber));
+ if Res != "":
+ if Res.isdigit():
+ gidNumber = int(Res);
+ else:
+ gidNumber = Group2GID(l, Res);
+
+ if gidNumber != generatedGID:
+ UserGroup = 0
+
+if GuestAccount:
+ supplementaryGid = 'guest'
+else:
+ supplementaryGid = DefaultGroup
+
+shadowExpire = None
+hostacl = []
+if GuestAccount:
+ res = raw_input("Expires in xx days [60] (0 to disable)")
+ if res == "": res = '60'
+ exp = int(res)
+ if exp > 0:
+ shadowExpire = int(time.time() / 3600 / 24) + exp
+ res = raw_input("Hosts to grant access to: ")
+ for h in res.split():
+ if not '.' in h: h = h + '.' + HostDomain
+ if exp > 0: h = h + " " + datetime.datetime.fromtimestamp( time.time() + exp * 24*3600 ).strftime("%Y%m%d")
+ hostacl.append(h)
+
# Generate a random password
-if Update == 0:
+if Update == 0 or ForceMail == 1:
Password = raw_input("User's Password (Enter for random)? ");
if Password == "":
print "Randomizing and encrypting password"
Password = GenPass();
Pass = HashPass(Password);
- print "PASS: ", Password;
# Use GPG to encrypt it, pass the fingerprint to ID it
CryptedPass = GPGEncrypt("Your new password is '" + Password + "'\n",\
Pass = None;
# Now we have all the bits of information.
-if mn != "":
+if mn != "":
FullName = "%s %s %s" % (cn,mn,sn);
else:
FullName = "%s %s" % (cn,sn);
print "------------";
print "Final information collected:"
print " %s <%s@%s>:" % (FullName,account,EmailAppend);
-print " Assigned UID:",uidnumber," GID:", gidnumber;
-print " Email forwarded to:",email;
-print " Private Subscription:",privsub;
+print " Assigned UID:",uidNumber," GID:", gidNumber;
+print " supplementary group:",supplementaryGid
+print " Email forwarded to:",emailaddr
+if HavePrivateList:
+ print " Private Subscription:",privsub;
print " GECOS Field: \"%s,,,,\"" % (FullName);
print " Login Shell: /bin/bash";
print " Key Fingerprint:",Keys[0][1];
-Res = raw_input("Continue [no]? ");
+if shadowExpire:
+ print " ShadowExpire: %d (%s)"%(shadowExpire, datetime.datetime.fromtimestamp( shadowExpire * 24*3600 ).strftime("%Y%m%d") )
+for h in hostacl:
+ print " allowedHost: ", h
+
+Res = raw_input("Continue [No/yes]? ");
if Res != "yes":
sys.exit(1);
# Initialize the substitution Map
Subst = {}
+
+encrealname = ''
+try:
+ encrealname = FullName.decode('us-ascii')
+except UnicodeError:
+ encrealname = str(email.Header.Header(FullName, 'utf-8', 200))
+
+Subst["__ENCODED_REALNAME__"] = encrealname
Subst["__REALNAME__"] = FullName;
Subst["__WHOAMI__"] = pwd.getpwuid(os.getuid())[0];
Subst["__DATE__"] = time.strftime("%a, %d %b %Y %H:%M:%S +0000",time.gmtime(time.time()));
Subst["__LOGIN__"] = account;
Subst["__PRIVATE__"] = privsub;
-Subst["__EMAIL__"] = email;
+Subst["__EMAIL__"] = emailaddr
Subst["__PASSWORD__"] = CryptedPass;
-Subst["__LISTPASS__"] = string.strip(open(pwd.getpwuid(os.getuid())[5]+"/.debian-lists_passwd","r").read());
-
-# Generate the LDAP request
-Rec = [(ldap.MOD_REPLACE,"uid",account),
- (ldap.MOD_REPLACE,"uidNumber",str(uidnumber)),
- (ldap.MOD_REPLACE,"gidNumber",str(gidnumber)),
- (ldap.MOD_REPLACE,"gecos",FullName+",,,,"),
- (ldap.MOD_REPLACE,"loginShell","/bin/bash"),
- (ldap.MOD_REPLACE,"keyfingerprint",Keys[0][1]),
- (ldap.MOD_REPLACE,"cn",cn),
- (ldap.MOD_REPLACE,"mn",mn),
- (ldap.MOD_REPLACE,"sn",sn),
- (ldap.MOD_REPLACE,"emailforward",email),
- (ldap.MOD_REPLACE,"shadowLastChange",str(int(time.time()/24/60/60))),
- (ldap.MOD_REPLACE,"shadowMin","0"),
- (ldap.MOD_REPLACE,"shadowMax","99999"),
- (ldap.MOD_REPLACE,"shadowWarning","7"),
- (ldap.MOD_REPLACE,"shadowInactive",""),
- (ldap.MOD_REPLACE,"shadowExpire","")];
-if privsub != " ":
- Rec.append((ldap.MOD_REPLACE,"privatesub",privsub));
-if Pass != None:
- Rec.append((ldap.MOD_REPLACE,"userPassword","{crypt}"+Pass));
-
-# Submit the modification request
+
+# Submit the modification request
Dn = "uid=" + account + "," + BaseDn;
print "Updating LDAP directory..",
sys.stdout.flush();
-try:
- l.add_s(Dn,[("uid",account),
- ("objectclass","top"),
- ("objectclass","account"),
- ("objectclass","posixAccount"),
- ("objectclass","shadowAccount"),
- ("objectclass","debiandeveloper")]);
-except ldap.ALREADY_EXISTS:
- pass;
-
-# Send the modify request
-l.modify_s(Dn,Rec);
+
+if Update == 0:
+ # New account
+ Details = [("uid",account),
+ ("objectClass", UserObjectClasses),
+ ("uidNumber",str(uidNumber)),
+ ("gidNumber",str(gidNumber)),
+ ("supplementaryGid",supplementaryGid),
+ ("gecos",FullName+",,,,"),
+ ("loginShell","/bin/bash"),
+ ("keyFingerPrint",Keys[0][1]),
+ ("cn",cn),
+ ("sn",sn),
+ ("emailForward",emailaddr),
+ ("shadowLastChange",str(int(time.time()/24/60/60))),
+ ("shadowMin","0"),
+ ("shadowMax","99999"),
+ ("shadowWarning","7"),
+ ("userPassword","{crypt}"+Pass)];
+ if mn:
+ Details.append(("mn",mn));
+ if privsub != " ":
+ Details.append(("privateSub",privsub))
+ if shadowExpire:
+ Details.append(("shadowExpire",str(shadowExpire)))
+ if len(hostacl) > 0:
+ Details.append(("allowedHost",hostacl))
+
+ l.add_s(Dn,Details);
+
+ #Add user group if needed, then the actual user:
+ if UserGroup == 1:
+ Dn = "gid=" + account + "," + BaseDn;
+ l.add_s(Dn,[("gid",account), ("gidNumber",str(gidNumber)), ("objectClass", GroupObjectClasses)])
+else:
+ # Modification
+ Rec = [(ldap.MOD_REPLACE,"uidNumber",str(uidNumber)),
+ (ldap.MOD_REPLACE,"gidNumber",str(gidNumber)),
+ (ldap.MOD_REPLACE,"gecos",FullName+",,,,"),
+ (ldap.MOD_REPLACE,"loginShell","/bin/bash"),
+ (ldap.MOD_REPLACE,"keyFingerPrint",Keys[0][1]),
+ (ldap.MOD_REPLACE,"cn",cn),
+ (ldap.MOD_REPLACE,"mn",mn),
+ (ldap.MOD_REPLACE,"sn",sn),
+ (ldap.MOD_REPLACE,"emailForward",emailaddr),
+ (ldap.MOD_REPLACE,"shadowLastChange",str(int(time.time()/24/60/60))),
+ (ldap.MOD_REPLACE,"shadowMin","0"),
+ (ldap.MOD_REPLACE,"shadowMax","99999"),
+ (ldap.MOD_REPLACE,"shadowWarning","7"),
+ (ldap.MOD_REPLACE,"shadowInactive",""),
+ (ldap.MOD_REPLACE,"shadowExpire","")];
+ if privsub != " ":
+ Rec.append((ldap.MOD_REPLACE,"privateSub",privsub));
+ if Pass != None:
+ Rec.append((ldap.MOD_REPLACE,"userPassword","{crypt}"+Pass));
+ # Do it
+ l.modify_s(Dn,Rec);
+
print;
# Abort email sends for an update operation
-if Update == 1:
+if Update == 1 and ForceMail == 0:
print "Account is not new, Not sending mails"
sys.exit(0);
-
-# Do the subscription/welcome message
-if privsub != " ":
- print TemplateSubst(Subst,open("templates/list-subscribe","r").read());
# Send the Welcome message
print "Sending Welcome Email"
-Reply = TemplateSubst(Subst,open("templates/welcome-message-"+gidnumber,"r").read());
+templatepath = TemplatesDir + "/welcome-message-%s" % supplementaryGid
+if not os.path.exists(templatepath):
+ templatepath = TemplatesDir + "/welcome-message"
+Reply = TemplateSubst(Subst,open(templatepath, "r").read())
Child = os.popen("/usr/sbin/sendmail -t","w");
#Child = os.popen("cat","w");
Child.write(Reply);
if Child.close() != None:
raise Error, "Sendmail gave a non-zero return code";
+
+# vim:set et:
+# vim:set ts=3:
+# vim:set shiftwidth=3:
projects / mirror / userdir-ldap.git / blobdiff