X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fuserdir-ldap.git;a=blobdiff_plain;f=ud-generate;h=8537f0c6c391089d09bf4bf540998970d3232115;hp=1bf1951314f99f29b57879d8ea63df4bef64c5c9;hb=dc2644ca6761003bc2ede1d8c92235096b11c6fb;hpb=01c484437e1c41b686f9f22f55c2f8406efdc5c3 diff --git a/ud-generate b/ud-generate index 1bf1951..8537f0c 100755 --- a/ud-generate +++ b/ud-generate @@ -4,8 +4,8 @@ # Copyright (c) 2000-2001 Jason Gunthorpe # Copyright (c) 2003-2004 James Troup -# Copyright (c) 2004-2005 Joey Schulze -# Copyright (c) 2001-2006 Ryan Murray +# Copyright (c) 2004-2005,7 Joey Schulze +# Copyright (c) 2001-2007 Ryan Murray # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -37,7 +37,7 @@ BSMTPCheck = re.compile(".*mx 0 (gluck)\.debian\.org\..*",re.DOTALL); DNSZone = ".debian.net" def Sanitize(Str): - return string.translate(Str,string.maketrans("\n\r\t","$$$")); + return Str.translate(string.maketrans("\n\r\t","$$$")) def DoLink(From,To,File): try: posix.remove(To+File); @@ -88,7 +88,7 @@ def Done(File,F,Fdb): os.rename(File + ".tdb.tmp",File+".tdb"); # Generate the password list -def GenPasswd(l,File,HomePrefix): +def GenPasswd(l,File,HomePrefix,PwdMarker): F = None; try: F = open(File + ".tdb.tmp","w"); @@ -107,7 +107,8 @@ def GenPasswd(l,File,HomePrefix): if len(GetAttr(x,"gecos")) > 100 or len(GetAttr(x,"loginShell")) > 50: continue; - Line = "%s:x:%s:%s:%s:%s%s:%s" % (GetAttr(x,"uid"),\ + Line = "%s:%s:%s:%s:%s:%s%s:%s" % (GetAttr(x,"uid"),\ + PwdMarker,\ GetAttr(x,"uidNumber"),GetAttr(x,"gidNumber"),\ GetAttr(x,"gecos"),HomePrefix,GetAttr(x,"uid"),\ GetAttr(x,"loginShell")); @@ -147,11 +148,20 @@ def GenShadow(l,File): Pass = '*'; else: Pass = Pass[7:]; + + # If the account is locked, mark it as such in shadow + # See Debian Bug #308229 for why we set it to 1 instead of 0 + if (GetAttr(x,"userPassword").find("*LK*") != -1) \ + or GetAttr(x,"userPassword").startswith("!"): + ShadowExpire = '1' + else: + ShadowExpire = GetAttr(x,"shadowexpire") + Line = "%s:%s:%s:%s:%s:%s:%s:%s:" % (GetAttr(x,"uid"),\ Pass,GetAttr(x,"shadowLastChange"),\ GetAttr(x,"shadowMin"),GetAttr(x,"shadowMax"),\ GetAttr(x,"shadowWarning"),GetAttr(x,"shadowinactive"),\ - GetAttr(x,"shadowexpire")); + ShadowExpire); Line = Sanitize(Line) + "\n"; F.write("0%u %s" % (I,Line)); F.write(".%s %s" % (GetAttr(x,"uid"),Line)); @@ -180,7 +190,8 @@ def GenSSHShadow(l,File): # If the account is locked, do not write it. # This is a partial stop-gap. The ssh also needs to change this # to ignore ~/.ssh/authorized* files. - if (string.find(GetAttr(x,"userPassword"),"*LK*") != -1): + if (GetAttr(x,"userPassword").find("*LK*") != -1) \ + or GetAttr(x,"userPassword").startswith("!"): continue; if x[1].has_key("uidNumber") == 0 or \ @@ -364,7 +375,8 @@ def GenPrivate(l,File): continue; # If the account is locked, do not write it - if (string.find(GetAttr(x,"userPassword"),"*LK*") != -1): + if (GetAttr(x,"userPassword").find("*LK*") != -1) \ + or GetAttr(x,"userPassword").startswith("!"): continue; # If the account has no PGP key, do not write it @@ -388,6 +400,39 @@ def GenPrivate(l,File): raise; Done(File,F,None); +# Generate a list of locked accounts +def GenDisabledAccounts(l,File): + F = None; + try: + F = open(File + ".tmp","w"); + + # Fetch all the users + global PasswdAttrs; + if PasswdAttrs == None: + raise "No Users"; + + I = 0; + for x in PasswdAttrs: + if x[1].has_key("uidNumber") == 0: + continue; + + Pass = GetAttr(x,"userPassword"); + Line = "" + # *LK* is the reference value for a locked account + # password starting with ! is also a locked account + if Pass.find("*LK*") != -1 or Pass.startswith("!"): + # Format is : + Line = "%s:%s" % (GetAttr(x,"uid"), "Account is locked") + + if Line != "": + F.write(Sanitize(Line) + "\n") + + # Oops, something unspeakable happened. + except: + Die(File,F,None); + raise; + Done(File,F,None); + # Generate the list of local addresses that refuse all mail def GenMailDisable(l,File): F = None; @@ -403,9 +448,11 @@ def GenMailDisable(l,File): Reason = None # If the account is locked, disable incoming mail - if (string.find(GetAttr(x,"userPassword"),"*LK*") != -1) or \ - x[1].has_key("keyFingerPrint") == 0: - Reason = "user account locked" + if (GetAttr(x,"userPassword").find("*LK*") != -1): + if GetAttr(x,"uid") == "luther": + continue + else: + Reason = "user account locked" else: if x[1].has_key("mailDisableMessage"): Reason = GetAttr(x,"mailDisableMessage") @@ -500,7 +547,11 @@ def GenMailList(l,File,Key): if found == 0: found = 1 Line = GetAttr(x,"uid") + else: + Line += " " Line += ": " + z + if Key == "mailRHSBL": + Line += "/$sender_address_domain" if Line != None: Line = Sanitize(Line) + "\n"; @@ -536,12 +587,12 @@ def GenDNS(l,File,HomePrefix): try: F.write("; %s\n"%(EmailAddress(x))); for z in x[1]["dnsZoneEntry"]: - Split = string.split(string.lower(z)); - if string.lower(Split[1]) == 'in': + Split = z.lower().split() + if Split[1].lower() == 'in': for y in range(0,len(Split)): if Split[y] == "$": Split[y] = "\n\t"; - Line = string.join(Split," ") + "\n"; + Line = " ".join(Split) + "\n"; F.write(Line); Host = Split[0] + DNSZone; @@ -549,7 +600,7 @@ def GenDNS(l,File,HomePrefix): F.write("; Has BSMTP\n"); # Write some identification information - if string.lower(Split[2]) == "a": + if Split[2].lower() == "a": Line = "%s IN TXT \"%s\"\n"%(Split[0],EmailAddress(x)); for y in x[1]["keyFingerPrint"]: Line = Line + "%s IN TXT \"PGP %s\"\n"%(Split[0],FormatPGPKey(y)); @@ -587,7 +638,7 @@ def GenSSHFP(l,File,HomePrefix): Host = GetAttr(x,"hostname"); Algorithm = None for I in x[1]["sshRSAHostKey"]: - Split = string.split(I) + Split = I.split() if Split[0] == 'ssh-rsa': Algorithm = 1 if Split[0] == 'ssh-dss': @@ -625,12 +676,12 @@ def GenBSMTP(l,File,HomePrefix): continue; try: for z in x[1]["dnsZoneEntry"]: - Split = string.split(string.lower(z)); - if string.lower(Split[1]) == 'in': + Split = z.lower().split() + if Split[1].lower() == 'in': for y in range(0,len(Split)): if Split[y] == "$": Split[y] = "\n\t"; - Line = string.join(Split," ") + "\n"; + Line = " ".join(Split) + "\n"; Host = Split[0] + DNSZone; if BSMTPCheck.match(Line) != None: @@ -664,7 +715,7 @@ def GenSSHKnown(l,File): x[1].has_key("sshRSAHostKey") == 0: continue; Host = GetAttr(x,"hostname"); - SHost = string.find(Host,"."); + SHost = Host.find(".") for I in x[1]["sshRSAHostKey"]: if SHost == None: Line = "%s,%s %s" %(Host,socket.gethostbyname(Host),I); @@ -711,7 +762,7 @@ def GenHosts(l,File): # Connect to the ldap server l = ldap.open(LDAPServer); F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r"); -Pass = string.split(string.strip(F.readline())," "); +Pass = F.readline().strip().split(" ") F.close(); l.simple_bind_s("uid="+Pass[0]+","+BaseDn,Pass[1]); @@ -752,6 +803,7 @@ GenSSHShadow(l,GlobalDir+"ssh-rsa-shadow"); GenAllForward(l,GlobalDir+"mail-forward.cdb"); GenMarkers(l,GlobalDir+"markers"); GenPrivate(l,GlobalDir+"debian-private"); +GenDisabledAccounts(l,GlobalDir+"disabled-accounts"); GenSSHKnown(l,GlobalDir+"ssh_known_hosts"); GenHosts(l,GlobalDir+"debianhosts"); GenMailDisable(l,GlobalDir+"mail-disable"); @@ -768,13 +820,13 @@ while(1): Line = F.readline(); if Line == "": break; - Line = string.strip(Line); + Line = Line.strip() if Line == "": continue; if Line[0] == '#': continue; - Split = string.split(Line," "); + Split = Line.split(" ") OutDir = GenerateDir + '/' + Split[0] + '/'; try: os.mkdir(OutDir); except: pass; @@ -795,20 +847,26 @@ while(1): Allowed = None CurrentHost = Split[0]; + DoLink(GlobalDir,OutDir,"ssh-rsa-shadow"); + DoLink(GlobalDir,OutDir,"debianhosts"); + DoLink(GlobalDir,OutDir,"ssh_known_hosts"); + DoLink(GlobalDir,OutDir,"disabled-accounts") + sys.stdout.flush(); - GenPasswd(l,OutDir+"passwd",Split[1]); + if ExtraList.has_key("[NOPASSWD]"): + GenPasswd(l,OutDir+"passwd",Split[1], "*"); + else: + GenPasswd(l,OutDir+"passwd",Split[1], "x"); sys.stdout.flush(); GenGroup(l,OutDir+"group"); if ExtraList.has_key("[UNTRUSTED]"): continue; - GenShadow(l,OutDir+"shadow"); + if not ExtraList.has_key("[NOPASSWD]"): + GenShadow(l,OutDir+"shadow"); # Link in global things - DoLink(GlobalDir,OutDir,"ssh-rsa-shadow"); DoLink(GlobalDir,OutDir,"markers"); DoLink(GlobalDir,OutDir,"mail-forward.cdb"); - DoLink(GlobalDir,OutDir,"debianhosts"); - DoLink(GlobalDir,OutDir,"ssh_known_hosts"); DoLink(GlobalDir,OutDir,"mail-disable"); DoLink(GlobalDir,OutDir,"mail-greylist"); DoLink(GlobalDir,OutDir,"mail-callout");