Added host ACL
author
jgg
<>
Sat, 25 Sep 1999 02:24:29 +0000
(
02:24
+0000)
committer
jgg
<>
Sat, 25 Sep 1999 02:24:29 +0000
(
02:24
+0000)
doc/ud-info.1.yo
ud-generate
ud-info
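--- a/doc/ud-info.1.yo
+++ b/doc/ud-info.1.yo
@@ -38,6 +38,7 @@ itemize(
 it() supplementarygid - A list of group names that the user belongs.
 This field emulates the functionality of the traditional Unix group
 file. [root]
+it() allowedhosts - Permits access to hosts outside of the group list. [root]
 it() onvacation - A message indicating that the user is on vacation. The
 time of departure and expected return date should be included as
 well as any special instructions.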
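--- a/ud-generate
+++ b/ud-generate
@@ -7,13 +7,25 @@ from userdir_ldap import *;
 PasswdAttrs = None;
 GroupIDMap = {};
+Allowed = None;
+CurrentHost = "";
 # See if this user is in the group list
-def IsInGroup(DnRecord,Allowed):
+def IsInGroup(DnRecord):
+global Allowed,CurrentHost;
+if Allowed == None:
+return 1;
+
 # See if the primary group is in the list
 if Allowed.has_key(GetAttr(DnRecord,"gidnumber")) != 0:
 return 1;
+# Check the host based ACL
+if DnRecord[1].has_key("allowedhosts") != 0:
+for I in DnRecord[1]["allowedhosts"]:
+if CurrentHost == I:
+return 1;
+
 # See if there are supplementary groups
 if DnRecord[1].has_key("supplementarygid") == 0:
 return 0;
@@ -43,7 +55,7 @@ def Done(File,F,Fdb):
 os.rename(File + ".tdb.tmp",File+".tdb");
 # Generate the password list
-def GenPasswd(l,File,HomePrefix,Allowed):
+def GenPasswd(l,File,HomePrefix):
 F = None;
 Fdb = None;
 try:
@@ -57,7 +69,7 @@ def GenPasswd(l,File,HomePrefix,Allowed):
 I = 0;
 for x in PasswdAttrs:
-if x[1].has_key("uidnumber") == 0 or IsInGroup(x,Allowed) == 0:
+if x[1].has_key("uidnumber") == 0 or IsInGroup(x) == 0:
 continue;
 Line = "%s:x:%s:%s:%s:%s%s:%s\n" % (GetAttr(x,"uid"),\
@@ -77,7 +89,7 @@ def GenPasswd(l,File,HomePrefix,Allowed):
 Done(File,F,Fdb);
 # Generate the shadow list
-def GenShadow(l,File,Allowed):
+def GenShadow(l,File):
 F = None;
 Fdb = None;
 try:
@@ -93,7 +105,7 @@ def GenShadow(l,File,Allowed):
 I = 0;
 for x in PasswdAttrs:
-if x[1].has_key("uidnumber") == 0 or IsInGroup(x,Allowed) == 0:
+if x[1].has_key("uidnumber") == 0 or IsInGroup(x) == 0:
 continue;
 Pass = GetAttr(x,"userpassword");
@@ -118,7 +130,7 @@ def GenShadow(l,File,Allowed):
 Done(File,F,Fdb);
 # Generate the group list
-def GenGroup(l,File,Allowed):
+def GenGroup(l,File):
 F = None;
 Fdb = None;
 try:
@@ -137,7 +149,7 @@ def GenGroup(l,File,Allowed):
 # Sort them into a list of groups having a set of users
 for x in PasswdAttrs:
-if x[1].has_key("uidnumber") == 0 or IsInGroup(x,Allowed) == 0:
+if x[1].has_key("uidnumber") == 0 or IsInGroup(x) == 0:
 continue;
 if x[1].has_key("supplementarygid") == 0:
 continue;
@@ -170,7 +182,7 @@ def GenGroup(l,File,Allowed):
 Done(File,F,Fdb);
 # Generate the email forwarding list
-def GenForward(l,File,Allowed):
+def GenForward(l,File):
 F = None;
 Fdb = None;
 try:
@@ -186,7 +198,7 @@ def GenForward(l,File,Allowed):
 # Write out the email address for each user
 for x in PasswdAttrs:
-if x[1].has_key("emailforward") == 0 or IsInGroup(x,Allowed) == 0:
+if x[1].has_key("emailforward") == 0 or IsInGroup(x) == 0:
 continue;
 Line = "%s: %s\n" % (GetAttr(x,"uid"),GetAttr(x,"emailforward"));
 F.write(Line);
@@ -248,7 +260,8 @@ PasswdAttrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"uid=*",\
 ["uid","uidnumber","gidnumber","supplementarygid",\
 "gecos","loginshell","userpassword","shadowlastchange",\
 "shadowmin","shadowmax","shadowwarning","shadowinactive",
-"shadowexpire","emailforward","latitude","longitude"]);
+"shadowexpire","emailforward","latitude","longitude",\
+"allowedhosts"]);
 # Open the control file
 if len(sys.argv) == 1:
@@ -277,9 +290,13 @@ while(1):
 if GroupIDMap.has_key(I):
 GroupList[str(GroupIDMap[I])] = None;
-GenPasswd(l,OutDir+"passwd",Split[1],GroupList);
-GenGroup(l,OutDir+"group",GroupList);
-GenShadow(l,OutDir+"shadow",GroupList);
-GenForward(l,OutDir+"forward-alias",GroupList);
+global Allowed,CurrentHost;
+Allowed = GroupList;
+CurrentHost = Split[0];
+
+GenPasswd(l,OutDir+"passwd",Split[1]);
+GenGroup(l,OutDir+"group");
+GenShadow(l,OutDir+"shadow");
+GenForward(l,OutDir+"forward-alias");
 GenMarkers(l,OutDir+"markers");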
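Review bot: The new guard at the top of IsInGroup, `if Allowed == None: return 1;`, fails open: with no group list every account passes the check, so any code path that reaches IsInGroup before `Allowed = GroupList` is assigned in the last hunk would emit the whole directory for that host. If that is the intended meaning of "no list", the comment above the function should say so; otherwise `return 0;` keeps the ACL opt-in, and the callers shown here already set `Allowed` before the Gen* calls. The host ACL just below it compares the control-file host name (`CurrentHost = Split[0]`) with each `allowedhosts` value by exact string equality, so a case or domain-suffix mismatch silently denies access; a comment such as `# allowedhosts entries must equal the control-file host name exactly (case-sensitive, no normalisation)` would document that contract. IsInGroup's body continues past the hunk, and the `global Allowed,CurrentHost;` in the last hunk appears to sit at module level (inside the `while(1):` loop), where it has no effect and can be dropped.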
diff --git
a/ud-info
b/ud-info
index
5e9603e
..
b1d3b6f
100755
(executable)
--- a/
ud-info
+++ b/
ud-info
@@
-36,6
+36,8
@@
AttrInfo = {"cn": ["First Name", 101],
"uid": ["Unix User ID",0],
"loginshell": ["Unix Shell",7],
"supplementarygid": ["Unix Groups",0],
"uid": ["Unix User ID",0],
"loginshell": ["Unix Shell",7],
"supplementarygid": ["Unix Groups",0],
+ "allowedhosts": ["Host ACL",0],
+ "member": ["LDAP Group",0],
"emailforward": ["Email Forwarding",8],
"ircnick": ["IRC Nickname",9],
"onvacation": ["Vacation Message",10],
"emailforward": ["Email Forwarding",8],
"ircnick": ["IRC Nickname",9],
"onvacation": ["Vacation Message",10],
@@
-61,6
+63,8
@@
AttrPrompt = {"cn": ["Common name or first name"],
"userpassword": ["The users Crypt'd password"],
"comment": ["Admin Comment about the account"],
"supplementarygid": ["Groups the user is in"],
"userpassword": ["The users Crypt'd password"],
"comment": ["Admin Comment about the account"],
"supplementarygid": ["Groups the user is in"],
+ "allowedhosts": ["Grant access to certain hosts"],
+ "member": ["LDAP Group Member for slapd ACLs"],
"latitude": ["XEarth latitude in ISO 6709 format - see /usr/share/zoneinfo/zone.tab or etak.com"],
"longitude": ["XEarth latitude in ISO 6709 format - see /usr/share/zoneinfo/zone.tab or etak.com"],
"labeledurl": ["Web home page"]};
"latitude": ["XEarth latitude in ISO 6709 format - see /usr/share/zoneinfo/zone.tab or etak.com"],
"longitude": ["XEarth latitude in ISO 6709 format - see /usr/share/zoneinfo/zone.tab or etak.com"],
"labeledurl": ["Web home page"]};
@@
-167,7
+171,7
@@
def ShowAttrs(Attrs):
# Change a single attribute
def ChangeAttr(Attrs,Attr):
# Change a single attribute
def ChangeAttr(Attrs,Attr):
- if (Attr == "supplementarygid"):
+ if (Attr == "supplementarygid"
or Attr == "allowedhosts" or Attr == "member"
):
return MultiChangeAttr(Attrs,Attr);
print "Old value: '%s'" % (GetAttr(Attrs,Attr,""));
return MultiChangeAttr(Attrs,Attr);
print "Old value: '%s'" % (GetAttr(Attrs,Attr,""));
@@
-272,9
+276,14
@@
UserDn = "uid=" + User + "," + BaseDn;
# Enable changing of supplementary gid's
if (RootMode == 1):
# Enable changing of supplementary gid's
if (RootMode == 1):
- AttrInfo["supplementarygid"][1] = 100;
- OrderedIndex[AttrInfo["supplementarygid"][1]] = [AttrInfo["supplementarygid"][0], "","supplementarygid"];
- OrigOrderedIndex[AttrInfo["supplementarygid"][1]] = [AttrInfo["supplementarygid"][0], "","supplementarygid"];
+ # Items that root can edit
+ list = ["supplementarygid","allowedhosts","member"];
+ Count = 0;
+ for x in list:
+ AttrInfo[x][1] = 200 + Count;
+ OrderedIndex[AttrInfo[x][1]] = [AttrInfo[x][0], "",x];
+ OrigOrderedIndex[AttrInfo[x][1]] = [AttrInfo[x][0], "",x];
+ Count = Count + 1;
# Query the server for all of the attributes
Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"uid=" + User);
# Query the server for all of the attributes
Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"uid=" + User);