X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fuserdir-ldap.git;a=blobdiff_plain;f=ud-useradd;h=fcda26f055120a3ec93e97dd172cc6ea8c26bdf7;hp=6c2e19d4f43286566b79793b6067a4c1d0ab6f53;hb=HEAD;hpb=e0e50b8b7715311495617621fec4e2ed64a35bfe diff --git a/ud-useradd b/ud-useradd index 6c2e19d..fcda26f 100755 --- a/ud-useradd +++ b/ud-useradd @@ -1,61 +1,124 @@ #!/usr/bin/env python # -*- mode: python -*- -import string, re, time, ldap, getopt, sys, os, pwd; +# Copyright (c) 1999-2000 Jason Gunthorpe +# Copyright (c) 2001-2003 James Troup +# Copyright (c) 2004 Joey Schulze +# Copyright (c) 2008,2009,2010 Peter Palfrader +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + +import re, time, ldap, getopt, sys, os, pwd; +import email.Header +import datetime + from userdir_ldap import *; from userdir_gpg import *; +HavePrivateList = getattr(ConfModule, "haveprivatelist", True) +DefaultGroup = getattr(ConfModule, "defaultgroup", 'users') + # This tries to search for a free UID. There are two possible ways to do # this, one is to fetch all the entires and pick the highest, the other # is to randomly guess uids until one is free. This uses the former. # Regrettably ldap doesn't have an integer attribute comparision function -# so we can only cut the search down slightly +# so we can only cut the search down slightly + +def ShouldIgnoreID(uid): + for i in IgnoreUsersForUIDNumberGen: + try: + if i.search(uid) is not None: + return True + except AttributeError: + if uid == i: + return True + + return False + +# [JT] This is broken with Woody LDAP and the Schema; for now just +# search through all UIDs. def GetFreeID(l): - HighestUID = 1400; - Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL, - "uidnumber>="+str(HighestUID),["uidnumber"]); + Attrs = l.search_s(BaseBaseDn,ldap.SCOPE_SUBTREE, + "(|(uidNumber=*)(gidNumber=*))",["uidNumber", "gidNumber", "uid"]); HighestUID = 0; + gids = []; + uids = []; for I in Attrs: - ID = int(GetAttr(I,"uidnumber","0")); - if ID > HighestUID: + ID = int(GetAttr(I,"uidNumber","0")); + uids.append(ID) + gids.append(int(GetAttr(I, "gidNumber","0"))) + uid = GetAttr(I, "uid", None) + if ID > HighestUID and not uid is None and not ShouldIgnoreID(uid): HighestUID = ID; - return HighestUID + 1; + + resUID = HighestUID + 1; + while resUID in uids or resUID in gids: + resUID += 1 + + return (resUID, resUID) # Main starts here AdminUser = pwd.getpwuid(os.getuid())[0]; # Process options ForceMail = 0; +NoAutomaticIDs = 0; +GuestAccount = False OldGPGKeyRings = GPGKeyRings; userdir_gpg.GPGKeyRings = []; -(options, arguments) = getopt.getopt(sys.argv[1:], "u:ma") +(options, arguments) = getopt.getopt(sys.argv[1:], "hgu:man") for (switch, val) in options: - if (switch == '-u'): + if (switch == '-h'): + print "Usage: ud-useradd " + print "Available options:" + print " -h Show this help" + print " -u= Admin user (defaults to current username)" + print " -m Force mail (for updates)" + print " -a Use old keyrings instead (??)" + print " -n Do not automatically assign UID/GIDs" + print " -g Add a guest account" + sys.exit(0) + elif (switch == '-u'): AdminUser = val; elif (switch == '-m'): ForceMail = 1; elif (switch == '-a'): userdir_gpg.GPGKeyRings = OldGPGKeyRings; + elif (switch == '-n'): + NoAutomaticIDs = 1; + elif (switch == '-g'): + GuestAccount = True -print "Accessing LDAP directory as '" + AdminUser + "'"; -Password = getpass(AdminUser + "'s password: "); - -# Connect to the ldap server -l = ldap.open(LDAPServer); -UserDn = "uid=" + AdminUser + "," + BaseDn; -l.simple_bind_s(UserDn,Password); +l = passwdAccessLDAP(BaseDn, AdminUser) # Locate the key of the user we are adding -GPGBasicOptions[0] = "--batch" # Permit loading of the config file +if GuestAccount: + SetKeyrings(ConfModule.add_keyrings_guest.split(":")) +else: + SetKeyrings(ConfModule.add_keyrings.split(":")) + while (1): Foo = raw_input("Who are you going to add (for a GPG search)? "); if Foo == "": - continue; + sys.exit(0); Keys = GPGKeySearch(Foo); if len(Keys) == 0: - print "Sorry, that search did not turn up any keys"; + print "Sorry, that search did not turn up any keys." + print "Has it been added to the Debian keyring already?" continue; if len(Keys) > 1: print "Sorry, more than one key was found, please specify the key to use by\nfingerprint:"; @@ -67,85 +130,129 @@ while (1): print "A matching key was found:" GPGPrintKeyInfo(Keys[0]); break; - -# Crack up the email address from the key into a best guess + +# Crack up the email address from the key into a best guess # first/middle/last name Addr = SplitEmail(Keys[0][2]); (cn,mn,sn) = NameSplit(re.sub('["]','',Addr[0])) -email = Addr[1] + '@' + Addr[2]; +emailaddr = Addr[1] + '@' + Addr[2]; account = Addr[1]; -privsub = email; -gidnumber = str(DefaultGID); -uidnumber = 0; +privsub = emailaddr +gidNumber = 0; +uidNumber = 0; # Decide if we should use IDEA encryption UsePGP2 = 0; while len(Keys[0][1]) < 40: - Res = raw_input("Use PGP2.x compatibility [no]? "); + Res = raw_input("Use PGP2.x compatibility [No/yes]? "); if Res == "yes": UsePGP2 = 1; break; if Res == "": break; -Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"keyfingerprint=" + Keys[0][1]); +Update = 0 +Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"keyFingerPrint=" + Keys[0][1]); if len(Attrs) != 0: print "*** This key already belongs to",GetAttr(Attrs[0],"uid"); account = GetAttr(Attrs[0],"uid"); + Update = 1 # Try to get a uniq account name -Update=0 while 1: - Res = raw_input("Login account [" + account + "]? "); - if Res != "": - account = Res; + if Update == 0: + Res = raw_input("Login account [" + account + "]? "); + if Res != "": + account = Res; Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"uid=" + account); if len(Attrs) == 0: privsub = "%s@debian.org"%(account); break; - Res = raw_input("That account already exists, update [no]? "); + Res = raw_input("That account already exists, update [No/yes]? "); if Res == "yes": # Update mode, fetch the default values from the directory Update = 1; - privsub = GetAttr(Attrs[0],"privatesub"); - gidnumber = GetAttr(Attrs[0],"gidnumber"); - uidnumber = GetAttr(Attrs[0],"uidnumber"); - email = GetAttr(Attrs[0],"emailforward"); + privsub = GetAttr(Attrs[0],"privateSub"); + gidNumber = GetAttr(Attrs[0],"gidNumber"); + uidNumber = GetAttr(Attrs[0],"uidNumber"); + emailaddr = GetAttr(Attrs[0],"emailForward"); cn = GetAttr(Attrs[0],"cn"); sn = GetAttr(Attrs[0],"sn"); mn = GetAttr(Attrs[0],"mn"); if privsub == None or privsub == "": privsub = " "; break; + else: + sys.exit(1) # Prompt for the first/last name and email address Res = raw_input("First name [" + cn + "]? "); if Res != "": cn = Res; Res = raw_input("Middle name [" + mn + "]? "); -if Res != "": +if Res == " ": + mn = "" +elif Res != "": mn = Res; Res = raw_input("Last name [" + sn + "]? "); if Res != "": sn = Res; -Res = raw_input("Email forwarding address [" + email + "]? "); +Res = raw_input("Email forwarding address [" + emailaddr + "]? "); if Res != "": - email = Res; + emailaddr = Res; # Debian-Private subscription -Res = raw_input("Subscribe to debian-private (space is none) [" + privsub + "]? "); -if Res != "": - privsub = Res; +if HavePrivateList and not GuestAccount: + Res = raw_input("Subscribe to debian-private (space is none) [" + privsub + "]? "); + if Res != "": + privsub = Res; +else: + privsub = " " -# GID -Res = raw_input("Group ID Number [" + gidnumber + "]? "); -if Res != "": - gidnumber = Res; -# UID -if uidnumber == 0: - uidnumber = GetFreeID(l); +(uidNumber, generatedGID) = GetFreeID(l) +if not gidNumber: + gidNumber = generatedGID + +UserGroup = 1 +if NoAutomaticIDs: + # UID + if not Update: + Res = raw_input("User ID Number [%s]? " % (uidNumber)); + if Res != "": + uidNumber = Res; + + # GID + Res = raw_input("Group ID Number (new usergroup is %s) [%s]" % (generatedGID, gidNumber)); + if Res != "": + if Res.isdigit(): + gidNumber = int(Res); + else: + gidNumber = Group2GID(l, Res); + + if gidNumber != generatedGID: + UserGroup = 0 + +if GuestAccount: + supplementaryGid = 'guest' +else: + supplementaryGid = DefaultGroup + +shadowExpire = None +hostacl = [] +if GuestAccount: + res = raw_input("Expires in xx days [60] (0 to disable)") + if res == "": res = '60' + exp = int(res) + if exp > 0: + shadowExpire = int(time.time() / 3600 / 24) + exp + res = raw_input("Hosts to grant access to: ") + for h in res.split(): + if not '.' in h: h = h + '.' + HostDomain + if exp > 0: h = h + " " + datetime.datetime.fromtimestamp( time.time() + exp * 24*3600 ).strftime("%Y%m%d") + hostacl.append(h) + # Generate a random password if Update == 0 or ForceMail == 1: @@ -170,92 +277,129 @@ else: Pass = None; # Now we have all the bits of information. -if mn != "": +if mn != "": FullName = "%s %s %s" % (cn,mn,sn); else: FullName = "%s %s" % (cn,sn); print "------------"; print "Final information collected:" print " %s <%s@%s>:" % (FullName,account,EmailAppend); -print " Assigned UID:",uidnumber," GID:", gidnumber; -print " Email forwarded to:",email; -print " Private Subscription:",privsub; +print " Assigned UID:",uidNumber," GID:", gidNumber; +print " supplementary group:",supplementaryGid +print " Email forwarded to:",emailaddr +if HavePrivateList: + print " Private Subscription:",privsub; print " GECOS Field: \"%s,,,,\"" % (FullName); print " Login Shell: /bin/bash"; print " Key Fingerprint:",Keys[0][1]; -Res = raw_input("Continue [no]? "); +if shadowExpire: + print " ShadowExpire: %d (%s)"%(shadowExpire, datetime.datetime.fromtimestamp( shadowExpire * 24*3600 ).strftime("%Y%m%d") ) +for h in hostacl: + print " allowedHost: ", h + +Res = raw_input("Continue [No/yes]? "); if Res != "yes": sys.exit(1); # Initialize the substitution Map Subst = {} + +encrealname = '' +try: + encrealname = FullName.decode('us-ascii') +except UnicodeError: + encrealname = str(email.Header.Header(FullName, 'utf-8', 200)) + +Subst["__ENCODED_REALNAME__"] = encrealname Subst["__REALNAME__"] = FullName; Subst["__WHOAMI__"] = pwd.getpwuid(os.getuid())[0]; Subst["__DATE__"] = time.strftime("%a, %d %b %Y %H:%M:%S +0000",time.gmtime(time.time())); Subst["__LOGIN__"] = account; Subst["__PRIVATE__"] = privsub; -Subst["__EMAIL__"] = email; +Subst["__EMAIL__"] = emailaddr Subst["__PASSWORD__"] = CryptedPass; -#Subst["__LISTPASS__"] = string.strip(open(pwd.getpwuid(os.getuid())[5]+"/.debian-lists_passwd","r").read()); - -# Generate the LDAP request -Rec = [(ldap.MOD_REPLACE,"uid",account), - (ldap.MOD_REPLACE,"uidNumber",str(uidnumber)), - (ldap.MOD_REPLACE,"gidNumber",str(gidnumber)), - (ldap.MOD_REPLACE,"gecos",FullName+",,,,"), - (ldap.MOD_REPLACE,"loginShell","/bin/bash"), - (ldap.MOD_REPLACE,"keyfingerprint",Keys[0][1]), - (ldap.MOD_REPLACE,"cn",cn), - (ldap.MOD_REPLACE,"mn",mn), - (ldap.MOD_REPLACE,"sn",sn), - (ldap.MOD_REPLACE,"emailforward",email), - (ldap.MOD_REPLACE,"shadowLastChange",str(int(time.time()/24/60/60))), - (ldap.MOD_REPLACE,"shadowMin","0"), - (ldap.MOD_REPLACE,"shadowMax","99999"), - (ldap.MOD_REPLACE,"shadowWarning","7"), - (ldap.MOD_REPLACE,"shadowInactive",""), - (ldap.MOD_REPLACE,"shadowExpire","")]; -if privsub != " ": - Rec.append((ldap.MOD_REPLACE,"privatesub",privsub)); -if Pass != None: - Rec.append((ldap.MOD_REPLACE,"userPassword","{crypt}"+Pass)); - -# Submit the modification request + +# Submit the modification request Dn = "uid=" + account + "," + BaseDn; print "Updating LDAP directory..", sys.stdout.flush(); -try: - l.add_s(Dn,[("uid",account), - ("objectclass","top"), - ("objectclass","account"), - ("objectclass","posixAccount"), - ("objectclass","shadowAccount"), - ("objectclass","debiandeveloper")]); -except ldap.ALREADY_EXISTS: - pass; - -# Send the modify request -l.modify_s(Dn,Rec); + +if Update == 0: + # New account + Details = [("uid",account), + ("objectClass", UserObjectClasses), + ("uidNumber",str(uidNumber)), + ("gidNumber",str(gidNumber)), + ("supplementaryGid",supplementaryGid), + ("gecos",FullName+",,,,"), + ("loginShell","/bin/bash"), + ("keyFingerPrint",Keys[0][1]), + ("cn",cn), + ("sn",sn), + ("emailForward",emailaddr), + ("shadowLastChange",str(int(time.time()/24/60/60))), + ("shadowMin","0"), + ("shadowMax","99999"), + ("shadowWarning","7"), + ("userPassword","{crypt}"+Pass)]; + if mn: + Details.append(("mn",mn)); + if privsub != " ": + Details.append(("privateSub",privsub)) + if shadowExpire: + Details.append(("shadowExpire",str(shadowExpire))) + if len(hostacl) > 0: + Details.append(("allowedHost",hostacl)) + + l.add_s(Dn,Details); + + #Add user group if needed, then the actual user: + if UserGroup == 1: + Dn = "gid=" + account + "," + BaseDn; + l.add_s(Dn,[("gid",account), ("gidNumber",str(gidNumber)), ("objectClass", GroupObjectClasses)]) +else: + # Modification + Rec = [(ldap.MOD_REPLACE,"uidNumber",str(uidNumber)), + (ldap.MOD_REPLACE,"gidNumber",str(gidNumber)), + (ldap.MOD_REPLACE,"gecos",FullName+",,,,"), + (ldap.MOD_REPLACE,"loginShell","/bin/bash"), + (ldap.MOD_REPLACE,"keyFingerPrint",Keys[0][1]), + (ldap.MOD_REPLACE,"cn",cn), + (ldap.MOD_REPLACE,"mn",mn), + (ldap.MOD_REPLACE,"sn",sn), + (ldap.MOD_REPLACE,"emailForward",emailaddr), + (ldap.MOD_REPLACE,"shadowLastChange",str(int(time.time()/24/60/60))), + (ldap.MOD_REPLACE,"shadowMin","0"), + (ldap.MOD_REPLACE,"shadowMax","99999"), + (ldap.MOD_REPLACE,"shadowWarning","7"), + (ldap.MOD_REPLACE,"shadowInactive",""), + (ldap.MOD_REPLACE,"shadowExpire","")]; + if privsub != " ": + Rec.append((ldap.MOD_REPLACE,"privateSub",privsub)); + if Pass != None: + Rec.append((ldap.MOD_REPLACE,"userPassword","{crypt}"+Pass)); + # Do it + l.modify_s(Dn,Rec); + print; # Abort email sends for an update operation if Update == 1 and ForceMail == 0: print "Account is not new, Not sending mails" sys.exit(0); - -# Do the subscription/welcome message -#if privsub != " ": -# Sub = TemplateSubst(Subst,open(TemplatesDir+"/list-subscribe","r").read()); -# Child = os.popen("/usr/sbin/sendmail -t","w"); -# Child.write(Sub); -# if Child.close() != None: -# raise Error, "Sendmail gave a non-zero return code"; - + # Send the Welcome message print "Sending Welcome Email" -Reply = TemplateSubst(Subst,open(TemplatesDir+"/welcome-message-"+gidnumber,"r").read()); +templatepath = TemplatesDir + "/welcome-message-%s" % supplementaryGid +if not os.path.exists(templatepath): + templatepath = TemplatesDir + "/welcome-message" +Reply = TemplateSubst(Subst,open(templatepath, "r").read()) Child = os.popen("/usr/sbin/sendmail -t","w"); #Child = os.popen("cat","w"); Child.write(Reply); if Child.close() != None: raise Error, "Sendmail gave a non-zero return code"; + +# vim:set et: +# vim:set ts=3: +# vim:set shiftwidth=3: