X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fuserdir-ldap.git;a=blobdiff_plain;f=sigcheck;h=57c4a9034767831be1a3eec86c308a0d37614e3b;hp=af1be9d333ce02c3a5fffeb35370d7b77bcdc041;hb=a6fb69805c3999a85c064a96c93417bb1c284c5c;hpb=01af4060534a03cefc125036a469798838d3e72b
diff --git a/sigcheck b/sigcheck
index af1be9d..57c4a90 100755
--- a/sigcheck
+++ b/sigcheck
@@ -25,7 +25,7 @@
# -e /etc/userdir-ldap/templtes/error-reply -- test.sh
import sys, traceback, time, os;
-import string, pwd, getopt;
+import pwd, getopt;
from userdir_gpg import *;
EX_TEMPFAIL = 75;
@@ -65,12 +65,31 @@ def CheckLDAP(FingerPrint):
if len(Attrs) != 1:
raise Error, "Oddly your key fingerprint is assigned to more than one account.."
+ gidnumber_found = 0;
+ for key in Attrs[0][1].keys():
+ if (key == "gidNumber"):
+ gidnumber_found = 1
+
+ if (gidnumber_found != 1):
+ raise Error, "No gidnumber in attributes for fingerprint %s" % FingerPrint
+
+ # Look for the group with the gid of the user
+ GAttr = l.search_s(LDAPDn,ldap.SCOPE_ONELEVEL,"(&(objectClass=debianGroup)(gidnumber=%s))" % Attrs[0][1]["gidNumber"][0], ["gid"])
+ if len(GAttr) == 0:
+ raise Error, "Database inconsistency found: main group for account not found in database"
+
# See if the group membership is OK
+ # Only if a group was given on the commandline
if GroupMember != None:
Hit = 0;
- for x in Attrs[0][1].get("supplementarygid",[]):
- if x == GroupMember:
- Hit = 1;
+ # Check primary group first
+ if GAttr[0][1]["gid"][0] == GroupMember:
+ Hit = 1
+ else:
+ # Check supplementary groups
+ for x in Attrs[0][1].get("supplementaryGid",[]):
+ if x == GroupMember:
+ Hit = 1;
if Hit != 1:
raise Error, "You don't have %s group permissions."%(GroupMember);
@@ -81,7 +100,7 @@
for (switch, val) in options:
if (switch == '-r'):
ReplayCacheFile = val;
elif (switch == '-k'):
- SetKeyrings(string.split(val,":"));
+ SetKeyrings(val.split(":"));
elif (switch == '-d'):
LDAPDn = val;
elif (switch == '-l'):
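Review bot: The new primary-group lookup in CheckLDAP checks only that a `gidNumber` key exists, so an entry whose `gidNumber` value list is empty still reaches `Attrs[0][1]["gidNumber"][0]` and dies with an IndexError instead of the intended Error, and `GAttr[0][1]["gid"][0]` likewise assumes the first matching group carries a `gid` value and that exactly one group matched. Replacing the key scan with `if not Attrs[0][1].get("gidNumber"): raise Error, "No gidnumber in attributes for fingerprint %s" % FingerPrint` and tightening the group test to `if len(GAttr) != 1:` would surface both cases as the deliberate "database inconsistency" error rather than a traceback. The gidNumber value is interpolated into the LDAP filter unescaped; it comes from the directory rather than from the mail, so this is defence in depth, but python-ldap's `ldap.filter.escape_filter_chars` costs one call. The switch from `supplementarygid` to `supplementaryGid` is a behaviour change that depends on attribute-name casing — python-ldap returns names as the server sends them, so a case-insensitive comparison (or `ldap.cidict`) would make the membership test robust to either spelling; the earlier search that fills `Attrs` is not in the hunk, so I cannot tell which form it requests. CheckLDAP begins outside the hunk.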
@@ -120,7 +139,7 @@ try:
raise Error, "PGP/MIME disallowed";
ErrMsg = "Message is not PGP signed:"
- if string.find(Msg[0],"-----BEGIN PGP SIGNED MESSAGE-----") == -1:
+ if Msg[0].find("-----BEGIN PGP SIGNED MESSAGE-----") == -1:
raise Error, "No PGP signature";
# Check the signature
@@ -140,6 +159,7 @@ try:
if Rply != None:
raise Error, Rply;
RC.Add(Res[1]);
+ RC.close();
# Do LDAP stuff
if LDAPDn != None:
@@ -151,8 +171,8 @@ try:
while 1:
Line = F.readline();
if Line == "": break;
- if string.find(Res[3],string.strip(Line)) == -1:
- raise Error,"Phrase '%s' was not found"%(string.strip(Line));
+ if Res[3].find(Line.strip()) == -1:
+ raise Error,"Phrase '%s' was not found" % (Line.strip())
except:
ErrMsg = "[%s] \"%s\" \"%s %s\"\n"%(Now,MsgID,ErrMsg,sys.exc_value);
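Review bot: The added `RC.close()` runs only on the success path of this try block: if `RC.Add(Res[1])` itself raises, or an earlier statement such as `raise Error, Rply` fires, the replay cache is never closed explicitly, so if ReplayCache wraps a dbm-style file the entry may not be flushed — presumably the very thing the close is meant to guarantee. Putting the close in a `finally:` on the enclosing try (which begins outside this hunk), or closing in the except path as well, makes it unconditional. Note also that the replay entry is recorded, and now flushed, before the LDAP authorization check that follows, so a message rejected for group membership cannot be resubmitted unchanged; that ordering predates this commit, but the explicit close makes it stick, and a one-line comment stating that this is intentional would save the next reader the question.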
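Review bot: The rewritten phrase check computes `Line.strip()` twice and the new raise line drops the trailing semicolon that every neighbouring statement carries; binding the value once keeps the loop consistent with the file: `Phrase = Line.strip();` then `if Res[3].find(Phrase) == -1:` and `raise Error,"Phrase '%s' was not found"%(Phrase);`. As before the change, the match is a plain substring search over whatever `Res[3]` holds (presumably the verified message text), so a required phrase is satisfied wherever it appears, including in quoted material; if the phrases are meant as deliberate confirmations, a comment saying that this is accepted would help. The bare `except:` that follows also wraps KeyboardInterrupt and SystemExit into the error reply; that handler continues outside the hunk.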