X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fuserdir-ldap.git;a=blobdiff_plain;f=ud-useradd;h=494c348091c533c2105986201612e3734c4e11a7;hp=9088502dc335e67ee2a67935632218b2956a60d6;hb=a6fb69805c3999a85c064a96c93417bb1c284c5c;hpb=d0ee80d18e57382cb67def8a5f6ecff11f2cfcc0 diff --git a/ud-useradd b/ud-useradd index 9088502..494c348 100755 --- a/ud-useradd +++ b/ud-useradd @@ -1,7 +1,25 @@ #!/usr/bin/env python # -*- mode: python -*- -import string, re, time, ldap, getopt, sys, os, pwd; +# Copyright (c) 1999-2000 Jason Gunthorpe +# Copyright (c) 2001-2003 James Troup +# Copyright (c) 2004 Joey Schulze +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + +import re, time, ldap, getopt, sys, os, pwd; from userdir_ldap import *; from userdir_gpg import *; @@ -9,26 +27,36 @@ from userdir_gpg import *; # this, one is to fetch all the entires and pick the highest, the other # is to randomly guess uids until one is free. This uses the former. # Regrettably ldap doesn't have an integer attribute comparision function -# so we can only cut the search down slightly +# so we can only cut the search down slightly + +# [JT] This is broken with Woody LDAP and the Schema; for now just +# search through all UIDs. def GetFreeID(l): - HighestUID = 1400; - Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL, - "uidnumber>="+str(HighestUID),["uidnumber"]); + Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL, + "uidNumber=*",["uidNumber", "gidNumber"]); HighestUID = 0; + gids = []; for I in Attrs: - ID = int(GetAttr(I,"uidnumber","0")); - if ID > HighestUID: + ID = int(GetAttr(I,"uidNumber","0")); + gids.append(int(GetAttr(I, "gidNumber","0"))) + if ID > HighestUID: HighestUID = ID; - return HighestUID + 1; + + resGID = HighestUID + 1; + while resGID in gids: + resGID += 1 + + return (HighestUID + 1, resGID); # Main starts here AdminUser = pwd.getpwuid(os.getuid())[0]; # Process options ForceMail = 0; +NoAutomaticIDs = 0; OldGPGKeyRings = GPGKeyRings; userdir_gpg.GPGKeyRings = []; -(options, arguments) = getopt.getopt(sys.argv[1:], "u:ma") +(options, arguments) = getopt.getopt(sys.argv[1:], "u:man") for (switch, val) in options: if (switch == '-u'): AdminUser = val; @@ -36,26 +64,23 @@ for (switch, val) in options: ForceMail = 1; elif (switch == '-a'): userdir_gpg.GPGKeyRings = OldGPGKeyRings; + elif (switch == '-n'): + NoAutomaticIDs = 1; -print "Accessing LDAP directory as '" + AdminUser + "'"; -Password = getpass(AdminUser + "'s password: "); - -# Connect to the ldap server -l = ldap.open(LDAPServer); -UserDn = "uid=" + AdminUser + "," + BaseDn; -l.simple_bind_s(UserDn,Password); +l = passwdAccessLDAP(LDAPServer, BaseDn, AdminUser) # Locate the key of the user we are adding -GPGBasicOptions[0] = "--batch" # Permit loading of the config file +SetKeyrings(["/org/keyring.debian.org/keyrings/debian-keyring.gpg"]) while (1): Foo = raw_input("Who are you going to add (for a GPG search)? "); if Foo == "": - continue; + sys.exit(0); Keys = GPGKeySearch(Foo); if len(Keys) == 0: - print "Sorry, that search did not turn up any keys"; + print "Sorry, that search did not turn up any keys." + print "Has it been added to the Debian keyring already?" continue; if len(Keys) > 1: print "Sorry, more than one key was found, please specify the key to use by\nfingerprint:"; @@ -67,8 +92,8 @@ while (1): print "A matching key was found:" GPGPrintKeyInfo(Keys[0]); break; - -# Crack up the email address from the key into a best guess + +# Crack up the email address from the key into a best guess # first/middle/last name Addr = SplitEmail(Keys[0][2]); (cn,mn,sn) = NameSplit(re.sub('["]','',Addr[0])) @@ -76,43 +101,52 @@ email = Addr[1] + '@' + Addr[2]; account = Addr[1]; privsub = email; -gidnumber = str(DefaultGID); -uidnumber = 0; +gidNumber = 0; +uidNumber = 0; # Decide if we should use IDEA encryption UsePGP2 = 0; while len(Keys[0][1]) < 40: - Res = raw_input("Use PGP2.x compatibility [no]? "); + Res = raw_input("Use PGP2.x compatibility [No/yes]? "); if Res == "yes": UsePGP2 = 1; break; if Res == "": break; +Update = 0 +Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"keyFingerPrint=" + Keys[0][1]); +if len(Attrs) != 0: + print "*** This key already belongs to",GetAttr(Attrs[0],"uid"); + account = GetAttr(Attrs[0],"uid"); + Update = 1 + # Try to get a uniq account name -Update=0 while 1: - Res = raw_input("Login account [" + account + "]? "); - if Res != "": - account = Res; + if Update == 0: + Res = raw_input("Login account [" + account + "]? "); + if Res != "": + account = Res; Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"uid=" + account); if len(Attrs) == 0: privsub = "%s@debian.org"%(account); break; - Res = raw_input("That account already exists, update [no]? "); + Res = raw_input("That account already exists, update [No/yes]? "); if Res == "yes": # Update mode, fetch the default values from the directory Update = 1; - privsub = GetAttr(Attrs[0],"privatesub"); - gidnumber = GetAttr(Attrs[0],"gidnumber"); - uidnumber = GetAttr(Attrs[0],"uidnumber"); - email = GetAttr(Attrs[0],"emailforward"); + privsub = GetAttr(Attrs[0],"privateSub"); + gidNumber = GetAttr(Attrs[0],"gidNumber"); + uidNumber = GetAttr(Attrs[0],"uidNumber"); + email = GetAttr(Attrs[0],"emailForward"); cn = GetAttr(Attrs[0],"cn"); sn = GetAttr(Attrs[0],"sn"); mn = GetAttr(Attrs[0],"mn"); if privsub == None or privsub == "": privsub = " "; break; + else: + sys.exit(1) # Prompt for the first/last name and email address Res = raw_input("First name [" + cn + "]? "); @@ -133,14 +167,28 @@ Res = raw_input("Subscribe to debian-private (space is none) [" + privsub + "]? if Res != "": privsub = Res; -# GID -Res = raw_input("Group ID Number [" + gidnumber + "]? "); -if Res != "": - gidnumber = Res; +(uidNumber, generatedGID) = GetFreeID(l) +if not gidNumber: + gidNumber = DefaultGID +UserGroup = 0 -# UID -if uidnumber == 0: - uidnumber = GetFreeID(l); +if NoAutomaticIDs: + # UID + if not Update: + Res = raw_input("User ID Number [%s]? " % (uidNumber)); + if Res != "": + uidNumber = Res; + + # GID + Res = raw_input("Group ID Number (default group is %s, new usergroup %s) [%s]" % (DefaultGID, generatedGID, gidNumber)); + if Res != "": + if Res.isdigit(): + gidNumber = Res; + else: + gidNumber = Group2GID(l, Res); + + if gidNumber == generatedGID: + UserGroup = 1 # Generate a random password if Update == 0 or ForceMail == 1: @@ -150,7 +198,6 @@ if Update == 0 or ForceMail == 1: print "Randomizing and encrypting password" Password = GenPass(); Pass = HashPass(Password); - print "PASS: ", Password; # Use GPG to encrypt it, pass the fingerprint to ID it CryptedPass = GPGEncrypt("Your new password is '" + Password + "'\n",\ @@ -166,20 +213,20 @@ else: Pass = None; # Now we have all the bits of information. -if mn != "": +if mn != "": FullName = "%s %s %s" % (cn,mn,sn); else: FullName = "%s %s" % (cn,sn); print "------------"; print "Final information collected:" print " %s <%s@%s>:" % (FullName,account,EmailAppend); -print " Assigned UID:",uidnumber," GID:", gidnumber; +print " Assigned UID:",uidNumber," GID:", gidNumber; print " Email forwarded to:",email; print " Private Subscription:",privsub; print " GECOS Field: \"%s,,,,\"" % (FullName); print " Login Shell: /bin/bash"; print " Key Fingerprint:",Keys[0][1]; -Res = raw_input("Continue [no]? "); +Res = raw_input("Continue [No/yes]? "); if Res != "yes": sys.exit(1); @@ -192,64 +239,74 @@ Subst["__LOGIN__"] = account; Subst["__PRIVATE__"] = privsub; Subst["__EMAIL__"] = email; Subst["__PASSWORD__"] = CryptedPass; -#Subst["__LISTPASS__"] = string.strip(open(pwd.getpwuid(os.getuid())[5]+"/.debian-lists_passwd","r").read()); - -# Generate the LDAP request -Rec = [(ldap.MOD_REPLACE,"uid",account), - (ldap.MOD_REPLACE,"uidNumber",str(uidnumber)), - (ldap.MOD_REPLACE,"gidNumber",str(gidnumber)), - (ldap.MOD_REPLACE,"gecos",FullName+",,,,"), - (ldap.MOD_REPLACE,"loginShell","/bin/bash"), - (ldap.MOD_REPLACE,"keyfingerprint",Keys[0][1]), - (ldap.MOD_REPLACE,"cn",cn), - (ldap.MOD_REPLACE,"mn",mn), - (ldap.MOD_REPLACE,"sn",sn), - (ldap.MOD_REPLACE,"emailforward",email), - (ldap.MOD_REPLACE,"shadowLastChange",str(int(time.time()/24/60/60))), - (ldap.MOD_REPLACE,"shadowMin","0"), - (ldap.MOD_REPLACE,"shadowMax","99999"), - (ldap.MOD_REPLACE,"shadowWarning","7"), - (ldap.MOD_REPLACE,"shadowInactive",""), - (ldap.MOD_REPLACE,"shadowExpire","")]; -if privsub != " ": - Rec.append((ldap.MOD_REPLACE,"privatesub",privsub)); -if Pass != None: - Rec.append((ldap.MOD_REPLACE,"userPassword","{crypt}"+Pass)); - -# Submit the modification request + +# Submit the modification request Dn = "uid=" + account + "," + BaseDn; print "Updating LDAP directory..", sys.stdout.flush(); -try: - l.add_s(Dn,[("uid",account), - ("objectclass","top"), - ("objectclass","account"), - ("objectclass","posixAccount"), - ("objectclass","shadowAccount"), - ("objectclass","debiandeveloper")]); -except ldap.ALREADY_EXISTS: - pass; - -# Send the modify request -l.modify_s(Dn,Rec); + +if Update == 0: + # New account + Details = [("uid",account), + ("objectClass", UserObjectClasses), + ("uidNumber",str(uidNumber)), + ("gidNumber",str(gidNumber)), + ("gecos",FullName+",,,,"), + ("loginShell","/bin/bash"), + ("keyFingerPrint",Keys[0][1]), + ("cn",cn), + ("sn",sn), + ("emailForward",email), + ("shadowLastChange",str(int(time.time()/24/60/60))), + ("shadowMin","0"), + ("shadowMax","99999"), + ("shadowWarning","7"), + ("userPassword","{crypt}"+Pass)]; + if mn: + Details.append(("mn",mn)); + if privsub != " ": + Details.append(("privateSub",privsub)) + + #Add user group if needed, then the actual user: + if UserGroup == 1: + Dn = "gid=" + account + "," + BaseDn; + l.add_s(Dn,[("gid",account), ("gidNumber",str(gidNumber)), ("objectClass", GroupObjectClasses)]) + + l.add_s(Dn,Details); +else: + # Modification + Rec = [(ldap.MOD_REPLACE,"uidNumber",str(uidNumber)), + (ldap.MOD_REPLACE,"gidNumber",str(gidNumber)), + (ldap.MOD_REPLACE,"gecos",FullName+",,,,"), + (ldap.MOD_REPLACE,"loginShell","/bin/bash"), + (ldap.MOD_REPLACE,"keyFingerPrint",Keys[0][1]), + (ldap.MOD_REPLACE,"cn",cn), + (ldap.MOD_REPLACE,"mn",mn), + (ldap.MOD_REPLACE,"sn",sn), + (ldap.MOD_REPLACE,"emailForward",email), + (ldap.MOD_REPLACE,"shadowLastChange",str(int(time.time()/24/60/60))), + (ldap.MOD_REPLACE,"shadowMin","0"), + (ldap.MOD_REPLACE,"shadowMax","99999"), + (ldap.MOD_REPLACE,"shadowWarning","7"), + (ldap.MOD_REPLACE,"shadowInactive",""), + (ldap.MOD_REPLACE,"shadowExpire","")]; + if privsub != " ": + Rec.append((ldap.MOD_REPLACE,"privateSub",privsub)); + if Pass != None: + Rec.append((ldap.MOD_REPLACE,"userPassword","{crypt}"+Pass)); + # Do it + l.modify_s(Dn,Rec); + print; # Abort email sends for an update operation if Update == 1 and ForceMail == 0: print "Account is not new, Not sending mails" sys.exit(0); - -# Do the subscription/welcome message -#if privsub != " ": -# Sub = TemplateSubst(Subst,open(TemplatesDir+"/list-subscribe","r").read()); -# Child = os.popen("/usr/sbin/sendmail -t","w"); -# Child.write(Sub); -# if Child.close() != None: -# raise Error, "Sendmail gave a non-zero return code"; - + # Send the Welcome message print "Sending Welcome Email" -Reply = TemplateSubst(Subst,open(TemplatesDir+"/welcome-message-"+gidnumber,"r").read()); +Reply = TemplateSubst(Subst,open(TemplatesDir + "/welcome-message-%d" % gidNumber, "r").read()) Child = os.popen("/usr/sbin/sendmail -t","w"); #Child = os.popen("cat","w"); Child.write(Reply);