X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fuserdir-ldap.git;a=blobdiff_plain;f=userdir_ldap.py;h=00f9d4b6448fcd367e07cc8002fa8f1d9853feb7;hp=16dfbdb6678607b036957dc9e0b6b8dede6780e4;hb=871ab5f2e8bda25130c70834052fa8fb020a5373;hpb=828ae85d71bf905074508d1a80c88c72d44e1fbf

diff --git a/userdir_ldap.py b/userdir_ldap.py
index 16dfbdb..00f9d4b 100644
--- a/userdir_ldap.py
+++ b/userdir_ldap.py
@@ -1,6 +1,8 @@
 #   Copyright (c) 1999-2000  Jason Gunthorpe <jgg@debian.org>
 #   Copyright (c) 2001-2003  Ryan Murray <rmurray@debian.org>
 #   Copyright (c) 2004-2005  Joey Schulze <joey@infodrom.org>
+#   Copyright (c) 2008 Peter Palfrader <peter@palfrader.org>
+#   Copyright (c) 2008 Thomas Viehmann <tv@beamnet.de>
 #
 #   This program is free software; you can redistribute it and/or modify
 #   it under the terms of the GNU General Public License as published by
@@ -17,8 +19,10 @@
 #   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 
 # Some routines and configuration that are used by the ldap progams
-import termios, re, imp, ldap, sys, crypt, rfc822;
+import termios, re, imp, ldap, sys, crypt, rfc822, pwd, os, getpass
 import userdir_gpg
+import hmac
+import hashlib
 
 try:
    File = open("/etc/userdir-ldap/userdir-ldap.conf");
@@ -34,26 +38,30 @@ LDAPServer = ConfModule.ldaphost;
 EmailAppend = ConfModule.emailappend;
 AdminUser = ConfModule.adminuser;
 GenerateDir = ConfModule.generatedir;
-GenerateConf = ConfModule.generateconf;
-DefaultGID = ConfModule.defaultgid;
+AllowedGroupsPreload = ConfModule.allowedgroupspreload;
+HomePrefix = ConfModule.homeprefix;
 TemplatesDir = ConfModule.templatesdir;
 PassDir = ConfModule.passdir;
 Ech_ErrorLog = ConfModule.ech_errorlog;
 Ech_MainLog = ConfModule.ech_mainlog;
-
-File = open(PassDir+"/key-hmac-"+pwd.getpwuid(os.getuid())[0],"r");
-HmacKey = F.readline().strip()
-File.close();
-
-# For backwards compatibility, we default to the old behaviour
-MultipleSSHFiles = getattr(ConfModule, 'multiplesshfiles', False)
-SingleSSHFile = getattr(ConfModule, 'singlesshfile', True)
+HostDomain = getattr(ConfModule, "hostdomain", EmailAppend)
 
 try:
    UseSSL = ConfModule.usessl;
 except AttributeError:
    UseSSL = False;
 
+try:
+   BaseBaseDn = ConfModule.basebasedn;
+except AttributeError:
+   BaseBaseDn = BaseDn
+
+try:
+   IgnoreUsersForUIDNumberGen = ConfModule.ignoreusersforuidnumbergen
+except AttributeError:
+   IgnoreUsersForUIDNumberGen = ['nobody']
+
+
 # Break up the keyring list
 userdir_gpg.SetKeyrings(ConfModule.keyrings.split(":"))
 
@@ -75,7 +83,7 @@ GroupObjectClasses = ("top", "debianGroup")
 # SSH Key splitting. The result is:
 # (options,size,modulous,exponent,comment)
 SSHAuthSplit = re.compile('^(.* )?(\d+) (\d+) (\d+) ?(.+)$');
-SSH2AuthSplit = re.compile('^(.* )?ssh-(dss|rsa) ([a-zA-Z0-9=/+]+) ?(.+)$');
+SSH2AuthSplit = re.compile('^(.* )?ssh-(dss|rsa|ecdsa-sha2-nistp(?:256|384|521)|ed25519) ([a-zA-Z0-9=/+]+) ?(.+)$');
 #'^([^\d](?:[^ "]+(?:".*")?)*)? ?(\d+) (\d+) (\d+) (.+)$');
 
 AddressSplit = re.compile("(.*).*<([^@]*)@([^>]*)>");
@@ -121,28 +129,6 @@ def connectLDAP(server = None):
       l.start_tls_s();
    return l;
 
-# Function to prompt for a password 
-def getpass(prompt = "Password: "):
-   import termios, sys;
-   fd = sys.stdin.fileno();
-   old = termios.tcgetattr(fd);
-   new = termios.tcgetattr(fd);
-   new[3] = new[3] & ~termios.ECHO;          # lflags
-   try:
-      termios.tcsetattr(fd, termios.TCSADRAIN, new);
-      try:
-         passwd = raw_input(prompt);
-      except KeyboardInterrupt:
-         termios.tcsetattr(fd, termios.TCSADRAIN, old);
-         print
-         sys.exit(0)
-      except EOFError:
-         passwd = ""
-   finally:
-      termios.tcsetattr(fd, termios.TCSADRAIN, old);
-   print;
-   return passwd;
-
 def passwdAccessLDAP(BaseDn, AdminUser):
    """
    Ask for the AdminUser's password and connect to the LDAP server.
@@ -150,7 +136,10 @@ def passwdAccessLDAP(BaseDn, AdminUser):
    """
    print "Accessing LDAP directory as '" + AdminUser + "'";
    while (1):
-      Password = getpass(AdminUser + "'s password: ");
+      if 'LDAP_PASSWORD' in os.environ:
+          Password = os.environ['LDAP_PASSWORD']
+      else:
+          Password = getpass.getpass(AdminUser + "'s password: ")
 
       if len(Password) == 0:
          sys.exit(0)
@@ -162,6 +151,9 @@ def passwdAccessLDAP(BaseDn, AdminUser):
       try:
          l.simple_bind_s(UserDn,Password);
       except ldap.INVALID_CREDENTIALS:
+         if 'LDAP_PASSWORD' in os.environ:
+             print "password in environment does not work"
+             del os.environ['LDAP_PASSWORD']
          continue
       break
    return l
@@ -325,7 +317,7 @@ def FormatPGPKey(Str):
    if (len(Str) == 32):
       I = 0;
       while (I < len(Str)):
-         if I+2 == 32/2:
+         if I == 32/2:
             Res = "%s %s%s "%(Res,Str[I],Str[I+1]);
          else:
             Res = "%s%s%s "%(Res,Str[I],Str[I+1]);
@@ -334,7 +326,7 @@ def FormatPGPKey(Str):
       # OpenPGP Print
       I = 0;
       while (I < len(Str)):
-         if I+4 == 40/2:
+         if I == 40/2:
             Res = "%s %s%s%s%s "%(Res,Str[I],Str[I+1],Str[I+2],Str[I+3]);
          else:
             Res = "%s%s%s%s%s "%(Res,Str[I],Str[I+1],Str[I+2],Str[I+3]);
@@ -456,7 +448,13 @@ def Group2GID(l, name):
    return -1
 
 def make_hmac(str):
-   return hmac.new(HmacKey, str, sha1_module).hexdigest()
+   if 'UD_HMAC_KEY' in os.environ:
+      HmacKey = os.environ['UD_HMAC_KEY']
+   else:
+      File = open(PassDir+"/key-hmac-"+pwd.getpwuid(os.getuid())[0],"r");
+      HmacKey = File.readline().strip()
+      File.close();
+   return hmac.new(HmacKey, str, hashlib.sha1).hexdigest()
 
-def make_sudopasswd_hmac(purpose, uuid, hosts, cryptedpass):
-   return make_hmac(':'.join([purpose, uuid, hosts, cryptedpass]))
+def make_passwd_hmac(status, purpose, uid, uuid, hosts, cryptedpass):
+   return make_hmac(':'.join([status, purpose, uid, uuid, hosts, cryptedpass]))