X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fuserdir-ldap.git;a=blobdiff_plain;f=userdir_ldap.py;h=00f9d4b6448fcd367e07cc8002fa8f1d9853feb7;hp=539dbaef3c21c24a4fb9e4a9d4763802897c119d;hb=871ab5f2e8bda25130c70834052fa8fb020a5373;hpb=a9ebb6f2afbf0fbc0e94ab73726dedb6a8ae5d75 diff --git a/userdir_ldap.py b/userdir_ldap.py index 539dbae..00f9d4b 100644 --- a/userdir_ldap.py +++ b/userdir_ldap.py @@ -1,6 +1,8 @@ # Copyright (c) 1999-2000 Jason Gunthorpe # Copyright (c) 2001-2003 Ryan Murray # Copyright (c) 2004-2005 Joey Schulze +# Copyright (c) 2008 Peter Palfrader +# Copyright (c) 2008 Thomas Viehmann # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -17,8 +19,10 @@ # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. # Some routines and configuration that are used by the ldap progams -import termios, re, imp, ldap, sys, crypt, rfc822; +import termios, re, imp, ldap, sys, crypt, rfc822, pwd, os, getpass import userdir_gpg +import hmac +import hashlib try: File = open("/etc/userdir-ldap/userdir-ldap.conf"); @@ -34,16 +38,29 @@ LDAPServer = ConfModule.ldaphost; EmailAppend = ConfModule.emailappend; AdminUser = ConfModule.adminuser; GenerateDir = ConfModule.generatedir; -GenerateConf = ConfModule.generateconf; -DefaultGID = ConfModule.defaultgid; +AllowedGroupsPreload = ConfModule.allowedgroupspreload; +HomePrefix = ConfModule.homeprefix; TemplatesDir = ConfModule.templatesdir; PassDir = ConfModule.passdir; Ech_ErrorLog = ConfModule.ech_errorlog; Ech_MainLog = ConfModule.ech_mainlog; +HostDomain = getattr(ConfModule, "hostdomain", EmailAppend) + +try: + UseSSL = ConfModule.usessl; +except AttributeError: + UseSSL = False; + +try: + BaseBaseDn = ConfModule.basebasedn; +except AttributeError: + BaseBaseDn = BaseDn + +try: + IgnoreUsersForUIDNumberGen = ConfModule.ignoreusersforuidnumbergen +except AttributeError: + IgnoreUsersForUIDNumberGen = ['nobody'] -# For backwards compatibility, we default to the old behaviour -MultipleSSHFiles = getattr(ConfModule, 'multiplesshfiles', False) -SingleSSHFile = getattr(ConfModule, 'singlesshfile', True) # Break up the keyring list userdir_gpg.SetKeyrings(ConfModule.keyrings.split(":")) @@ -66,7 +83,7 @@ GroupObjectClasses = ("top", "debianGroup") # SSH Key splitting. The result is: # (options,size,modulous,exponent,comment) SSHAuthSplit = re.compile('^(.* )?(\d+) (\d+) (\d+) ?(.+)$'); -SSH2AuthSplit = re.compile('^(.* )?ssh-(dss|rsa) ([a-zA-Z0-9=/+]+) ?(.+)$'); +SSH2AuthSplit = re.compile('^(.* )?ssh-(dss|rsa|ecdsa-sha2-nistp(?:256|384|521)|ed25519) ([a-zA-Z0-9=/+]+) ?(.+)$'); #'^([^\d](?:[^ "]+(?:".*")?)*)? ?(\d+) (\d+) (\d+) (.+)$'); AddressSplit = re.compile("(.*).*<([^@]*)@([^>]*)>"); @@ -102,47 +119,41 @@ def PrettyShow(DnRecord): Result = Result + "%s: %s\n" % (x,i); return Result[:-1]; -# Function to prompt for a password -def getpass(prompt = "Password: "): - import termios, sys; - fd = sys.stdin.fileno(); - old = termios.tcgetattr(fd); - new = termios.tcgetattr(fd); - new[3] = new[3] & ~termios.ECHO; # lflags - try: - termios.tcsetattr(fd, termios.TCSADRAIN, new); - try: - passwd = raw_input(prompt); - except KeyboardInterrupt: - termios.tcsetattr(fd, termios.TCSADRAIN, old); - print - sys.exit(0) - except EOFError: - passwd = "" - finally: - termios.tcsetattr(fd, termios.TCSADRAIN, old); - print; - return passwd; - -def passwdAccessLDAP(LDAPServer, BaseDn, AdminUser): +def connectLDAP(server = None): + if server == None: + global LDAPServer + server = LDAPServer + l = ldap.open(server); + global UseSSL + if UseSSL: + l.start_tls_s(); + return l; + +def passwdAccessLDAP(BaseDn, AdminUser): """ Ask for the AdminUser's password and connect to the LDAP server. Returns the connection handle. """ print "Accessing LDAP directory as '" + AdminUser + "'"; while (1): - Password = getpass(AdminUser + "'s password: "); + if 'LDAP_PASSWORD' in os.environ: + Password = os.environ['LDAP_PASSWORD'] + else: + Password = getpass.getpass(AdminUser + "'s password: ") if len(Password) == 0: sys.exit(0) - l = ldap.open(LDAPServer); + l = connectLDAP() UserDn = "uid=" + AdminUser + "," + BaseDn; # Connect to the ldap server try: l.simple_bind_s(UserDn,Password); except ldap.INVALID_CREDENTIALS: + if 'LDAP_PASSWORD' in os.environ: + print "password in environment does not work" + del os.environ['LDAP_PASSWORD'] continue break return l @@ -306,7 +317,7 @@ def FormatPGPKey(Str): if (len(Str) == 32): I = 0; while (I < len(Str)): - if I+2 == 32/2: + if I == 32/2: Res = "%s %s%s "%(Res,Str[I],Str[I+1]); else: Res = "%s%s%s "%(Res,Str[I],Str[I+1]); @@ -315,7 +326,7 @@ def FormatPGPKey(Str): # OpenPGP Print I = 0; while (I < len(Str)): - if I+4 == 40/2: + if I == 40/2: Res = "%s %s%s%s%s "%(Res,Str[I],Str[I+1],Str[I+2],Str[I+3]); else: Res = "%s%s%s%s%s "%(Res,Str[I],Str[I+1],Str[I+2],Str[I+3]); @@ -435,3 +446,15 @@ def Group2GID(l, name): return int(GetAttr(res[0], "gidNumber")) return -1 + +def make_hmac(str): + if 'UD_HMAC_KEY' in os.environ: + HmacKey = os.environ['UD_HMAC_KEY'] + else: + File = open(PassDir+"/key-hmac-"+pwd.getpwuid(os.getuid())[0],"r"); + HmacKey = File.readline().strip() + File.close(); + return hmac.new(HmacKey, str, hashlib.sha1).hexdigest() + +def make_passwd_hmac(status, purpose, uid, uuid, hosts, cryptedpass): + return make_hmac(':'.join([status, purpose, uid, uuid, hosts, cryptedpass]))