PasswdAttrs = None;
GroupIDMap = {};
+Allowed = None;
+CurrentHost = "";
# See if this user is in the group list
-def IsInGroup(DnRecord,Allowed):
+def IsInGroup(DnRecord):
+ global Allowed,CurrentHost;
+ if Allowed == None:
+ return 1;
+
# See if the primary group is in the list
if Allowed.has_key(GetAttr(DnRecord,"gidnumber")) != 0:
return 1;
+ # Check the host based ACL
+ if DnRecord[1].has_key("allowedhosts") != 0:
+ for I in DnRecord[1]["allowedhosts"]:
+ if CurrentHost == I:
+ return 1;
+
# See if there are supplementary groups
if DnRecord[1].has_key("supplementarygid") == 0:
return 0;
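Review bot: The new `Allowed == None` guard at the top of IsInGroup fails open: any call that reaches it before the main loop has assigned the global admits every user to every generated file, passwd and shadow included, where the old required parameter made that state impossible. I would make it fail closed, `if Allowed == None: return 0;` (or raise), since an empty group map already yields 0 through the existing checks and there is no legitimate reason for "no ACL loaded" to mean "everyone". The host ACL compares `CurrentHost == I` as exact strings, so a case or whitespace difference between the control file and the LDAP value silently denies rather than grants, which is the safe direction, but normalizing both sides (`.strip().lower()`) would avoid hard-to-diagnose missing accounts if hostnames are meant to be case-insensitive. IsInGroup's body continues past the end of this hunk.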
os.rename(File + ".tdb.tmp",File+".tdb");
# Generate the password list
-def GenPasswd(l,File,HomePrefix,Allowed):
+def GenPasswd(l,File,HomePrefix):
F = None;
Fdb = None;
try:
I = 0;
for x in PasswdAttrs:
- if x[1].has_key("uidnumber") == 0 or IsInGroup(x,Allowed) == 0:
+ if x[1].has_key("uidnumber") == 0 or IsInGroup(x) == 0:
continue;
Line = "%s:x:%s:%s:%s:%s%s:%s\n" % (GetAttr(x,"uid"),\
Done(File,F,Fdb);
# Generate the shadow list
-def GenShadow(l,File,Allowed):
+def GenShadow(l,File):
F = None;
Fdb = None;
try:
I = 0;
for x in PasswdAttrs:
- if x[1].has_key("uidnumber") == 0 or IsInGroup(x,Allowed) == 0:
+ if x[1].has_key("uidnumber") == 0 or IsInGroup(x) == 0:
continue;
Pass = GetAttr(x,"userpassword");
Done(File,F,Fdb);
# Generate the group list
-def GenGroup(l,File,Allowed):
+def GenGroup(l,File):
F = None;
Fdb = None;
try:
# Sort them into a list of groups having a set of users
for x in PasswdAttrs:
- if x[1].has_key("uidnumber") == 0 or IsInGroup(x,Allowed) == 0:
+ if x[1].has_key("uidnumber") == 0 or IsInGroup(x) == 0:
continue;
if x[1].has_key("supplementarygid") == 0:
continue;
Done(File,F,Fdb);
# Generate the email forwarding list
-def GenForward(l,File,Allowed):
+def GenForward(l,File):
F = None;
Fdb = None;
try:
# Write out the email address for each user
for x in PasswdAttrs:
- if x[1].has_key("emailforward") == 0 or IsInGroup(x,Allowed) == 0:
+ if x[1].has_key("emailforward") == 0 or IsInGroup(x) == 0:
continue;
Line = "%s: %s\n" % (GetAttr(x,"uid"),GetAttr(x,"emailforward"));
F.write(Line);
["uid","uidnumber","gidnumber","supplementarygid",\
"gecos","loginshell","userpassword","shadowlastchange",\
"shadowmin","shadowmax","shadowwarning","shadowinactive",
- "shadowexpire","emailforward","latitude","longitude"]);
+ "shadowexpire","emailforward","latitude","longitude",\
+ "allowedhosts"]);
# Open the control file
if len(sys.argv) == 1:
if GroupIDMap.has_key(I):
GroupList[str(GroupIDMap[I])] = None;
- GenPasswd(l,OutDir+"passwd",Split[1],GroupList);
- GenGroup(l,OutDir+"group",GroupList);
- GenShadow(l,OutDir+"shadow",GroupList);
- GenForward(l,OutDir+"forward-alias",GroupList);
+ global Allowed,CurrentHost;
+ Allowed = GroupList;
+ CurrentHost = Split[0];
+
+ GenPasswd(l,OutDir+"passwd",Split[1]);
+ GenGroup(l,OutDir+"group");
+ GenShadow(l,OutDir+"shadow");
+ GenForward(l,OutDir+"forward-alias");
GenMarkers(l,OutDir+"markers");
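Review bot: Allowed and CurrentHost are now module globals assigned here instead of arguments, which makes "this assignment runs before any Gen* call" a hidden precondition of the ACL; anything that invokes the generators from elsewhere, or a later reordering, would hit IsInGroup's permissive `Allowed == None` default without any error. A comment above the assignment stating that, e.g. `# IsInGroup reads these globals; they must be set for the current host before any Gen* call`, would at least make the coupling visible, and passing them explicitly again would remove it. Whether the `global` statement is needed depends on whether this loop sits inside a function, which I cannot tell from the hunk; at module level it is a harmless no-op.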
"uid": ["Unix User ID",0],
"loginshell": ["Unix Shell",7],
"supplementarygid": ["Unix Groups",0],
+ "allowedhosts": ["Host ACL",0],
+ "member": ["LDAP Group",0],
"emailforward": ["Email Forwarding",8],
"ircnick": ["IRC Nickname",9],
"onvacation": ["Vacation Message",10],
"userpassword": ["The users Crypt'd password"],
"comment": ["Admin Comment about the account"],
"supplementarygid": ["Groups the user is in"],
+ "allowedhosts": ["Grant access to certain hosts"],
+ "member": ["LDAP Group Member for slapd ACLs"],
"latitude": ["XEarth latitude in ISO 6709 format - see /usr/share/zoneinfo/zone.tab or etak.com"],
"longitude": ["XEarth latitude in ISO 6709 format - see /usr/share/zoneinfo/zone.tab or etak.com"],
"labeledurl": ["Web home page"]};
# Change a single attribute
def ChangeAttr(Attrs,Attr):
- if (Attr == "supplementarygid"):
+ if (Attr == "supplementarygid" or Attr == "allowedhosts" or Attr == "member"):
return MultiChangeAttr(Attrs,Attr);
print "Old value: '%s'" % (GetAttr(Attrs,Attr,""));
# Enable changing of supplementary gid's
if (RootMode == 1):
- AttrInfo["supplementarygid"][1] = 100;
- OrderedIndex[AttrInfo["supplementarygid"][1]] = [AttrInfo["supplementarygid"][0], "","supplementarygid"];
- OrigOrderedIndex[AttrInfo["supplementarygid"][1]] = [AttrInfo["supplementarygid"][0], "","supplementarygid"];
+ # Items that root can edit
+ list = ["supplementarygid","allowedhosts","member"];
+ Count = 0;
+ for x in list:
+ AttrInfo[x][1] = 200 + Count;
+ OrderedIndex[AttrInfo[x][1]] = [AttrInfo[x][0], "",x];
+ OrigOrderedIndex[AttrInfo[x][1]] = [AttrInfo[x][0], "",x];
+ Count = Count + 1;
# Query the server for all of the attributes
Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"uid=" + User);
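Review bot: `list = ["supplementarygid","allowedhosts","member"];` shadows the builtin `list` for the rest of this scope; rename it, e.g. `RootAttrs = [...]` and `for x in RootAttrs:`. More importantly, the `RootMode == 1` test is a client-side UI gate that only decides whether allowedhosts and member appear in the editable index; nothing here stops a modified client from writing those attributes, so the slapd ACLs referenced in the `member` description must be what denies non-admin writes to them, and that deserves confirming now that allowedhosts grants login on the listed hosts. A short comment above the loop, such as `# These are authorization attributes; exposing them only in RootMode is cosmetic, slapd ACLs must enforce write access`, would keep the next maintainer from treating this list as the security boundary.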