Do SSL when connecting to the ldap server.

diff --git a/debian/changelog b/debian/changelog
index 0073427..bfc6f60 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+userdir-ldap (0.3.32) unstable; urgency=low
+
+  * Do SSL when connecting to the ldap server.
+
+ -- Peter Palfrader <weasel@debian.org>  Fri, 23 May 2008 23:50:03 +0200
+
 userdir-ldap (0.3.31) unstable; urgency=low
 
   [ Joerg Jaspert ]

diff --git a/gpgwrapper b/gpgwrapper
index 87ce632..cf25226 100755 (executable)
--- a/gpgwrapper
+++ b/gpgwrapper
@@ -85,7 +85,7 @@ def CheckLDAP(FingerPrint):
    ErrType = EX_TEMPFAIL;
    ErrMsg = "An error occured while performing the LDAP lookup";
    global l;
-   l = ldap.open(LDAPServer);
+   l = connectLDAP(LDAPServer);
    l.simple_bind_s("","");
 
    # Search for the matching key fingerprint

diff --git a/sigcheck b/sigcheck
index 57c4a90..1ba2a8d 100755 (executable)
--- a/sigcheck
+++ b/sigcheck
@@ -54,7 +54,7 @@ def CheckLDAP(FingerPrint):
    ErrType = EX_TEMPFAIL;
    ErrMsg = "An error occurred while performing the LDAP lookup:";
    global l;
-   l = ldap.open(LDAPServer);
+   l = connectLDAP(LDAPServer);
    l.simple_bind_s("","");
 
    # Search for the matching key fingerprint

diff --git a/ud-arbimport b/ud-arbimport
index 7d306f7..90a1746 100755 (executable)
--- a/ud-arbimport
+++ b/ud-arbimport
@@ -39,7 +39,7 @@ if len(arguments) == 0:
    sys.exit(0)
 
 # Main program starts here
-l = passwdAccessLDAP(LDAPServer, BaseDn, AdminUser)
+l = passwdAccessLDAP(BaseDn, AdminUser)
 
 List = open(arguments[1],"r");
 Set = [];

diff --git a/ud-echelon b/ud-echelon
index 3632980..6c07a0a 100755 (executable)
--- a/ud-echelon
+++ b/ud-echelon
@@ -94,7 +94,7 @@ try:
    ErrType = EX_TEMPFAIL;
    ErrMsg = "An error occured while performing the LDAP lookup";
    global l;
-   l = ldap.open(LDAPServer);
+   l = connectLDAP()
    if Debug == None:
       F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r");
       AccessPass = F.readline().strip().split(" ")

diff --git a/ud-emailmatcher b/ud-emailmatcher
index bae8fd9..4d42d77 100755 (executable)
--- a/ud-emailmatcher
+++ b/ud-emailmatcher
@@ -52,8 +52,7 @@ for x in arguments:
 Args = Args + GPGSearchOptions + [" 2> /dev/null"]
 Keys = os.popen(" ".join(Args),"r")
 
-l = ldap.open(LDAPServer);
-l.simple_bind_s("","");
+l = connectLDAP()
 
 # Fetch the key list and map to email address
 PasswdAttrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"keyfingerprint=*",\

diff --git a/ud-generate b/ud-generate
index 17e54b3..774e032 100755 (executable)
--- a/ud-generate
+++ b/ud-generate
@@ -848,7 +848,7 @@ def GenKeyrings(l,OutDir):
     shutil.copy(k, OutDir)
 
 # Connect to the ldap server
-l = ldap.open(LDAPServer);
+l = connectLDAP()
 F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r");
 Pass = F.readline().strip().split(" ")
 F.close();

diff --git a/ud-gpgimport b/ud-gpgimport
index 797aa5d..0ad4fc9 100755 (executable)
--- a/ud-gpgimport
+++ b/ud-gpgimport
@@ -70,9 +70,9 @@ if len(arguments) == 0:
 
 # Connect to the ldap server
 if NoAct == 0:
-   l = passwdAccessLDAP(LDAPServer, BaseDn, AdminUser)
+   l = passwdAccessLDAP(BaseDn, AdminUser)
 else:
-   l = ldap.open(LDAPServer);
+   l = connectLDAP()
    l.simple_bind_s("","");
 
 # Download the existing key list and put it into a map

diff --git a/ud-groupadd b/ud-groupadd
index de074b9..a1e39e4 100755 (executable)
--- a/ud-groupadd
+++ b/ud-groupadd
@@ -53,7 +53,7 @@ for (switch, val) in options:
    if (switch == '-u'):
       AdminUser = val;
 
-l = passwdAccessLDAP(LDAPServer, BaseDn, AdminUser)
+l = passwdAccessLDAP(BaseDn, AdminUser)
 
 while 1:
    Group = raw_input("Group name? ");

diff --git a/ud-host b/ud-host
index e186e9a..97af1ef 100755 (executable)
--- a/ud-host
+++ b/ud-host
@@ -241,9 +241,9 @@ for (switch, val) in options:
       FingerPrints = 1
 
 if (BindUser != ""):
-   l = passwdAccessLDAP(LDAPServer, BaseDn, BindUser)
+   l = passwdAccessLDAP(BaseDn, BindUser)
 else:
-   l = ldap.open(LDAPServer);
+   l = connectLDAP()
    l.simple_bind_s("","")
 
 if ListMode == 1:

diff --git a/ud-info b/ud-info
index d099c46..e05cb86 100755 (executable)
--- a/ud-info
+++ b/ud-info
@@ -315,7 +315,7 @@ if (BindUser != ""):
    Password = getpass(BindUser + "'s password: ");
 
 # Connect to the ldap server
-l = ldap.open(LDAPServer);
+l = connectLDAP()
 UserDn = "uid=" + BindUser + "," + BaseDn;
 if (BindUser != ""):
    l.simple_bind_s(UserDn,Password);

diff --git a/ud-ldapshow b/ud-ldapshow
index c397340..70e1f70 100755 (executable)
--- a/ud-ldapshow
+++ b/ud-ldapshow
@@ -31,7 +31,7 @@ for (switch, val) in options:
 print "Connecting to LDAP directory";
 
 # Connect to the ldap server
-l = ldap.open(LDAPServer);
+l = connectLDAP()
 l.simple_bind_s("","");
 
 if arguments[0] == "nokey":

diff --git a/ud-mailgate b/ud-mailgate
index 4fa2edf..6341130 100755 (executable)
--- a/ud-mailgate
+++ b/ud-mailgate
@@ -467,7 +467,7 @@ def HandleChange(Reply,DnRecord,Key):
       Result = Result + Res + "\n";
 
    # Connect to the ldap server
-   l = ldap.open(LDAPServer);
+   l = connectLDAP()
    F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r");
    AccessPass = F.readline().strip().split(" ")
    F.close();
@@ -538,7 +538,7 @@ def HandleChPass(Reply,DnRecord,Key):
    Reply = Reply + TemplateSubst(Subst,open(TemplatesDir+"passwd-changed","r").read());
    
    # Connect to the ldap server
-   l = ldap.open(LDAPServer);
+   l = connectLDAP()
    F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r");
    AccessPass = F.readline().strip().split(" ")
    F.close();
@@ -616,7 +616,7 @@ try:
    ErrType = EX_TEMPFAIL;
    ErrMsg = "An error occured while performing the LDAP lookup";
    global l;
-   l = ldap.open(LDAPServer);
+   l = connectLDAP()
    l.simple_bind_s("","");
 
    # Search for the matching key fingerprint

diff --git a/ud-passchk b/ud-passchk
index 6a7865a..1364e52 100755 (executable)
--- a/ud-passchk
+++ b/ud-passchk
@@ -41,7 +41,7 @@ def PassCheck(l,File,HomePrefix):
          print "mismatch",Split[0],Miss;
 
 # Connect to the ldap server
-l = ldap.open(LDAPServer);
+l = connectLDAP()
 l.simple_bind_s("","");
 
 PassCheck(l,sys.argv[1],sys.argv[2]);

diff --git a/ud-roleadd b/ud-roleadd
index 2117308..9c30bd1 100755 (executable)
--- a/ud-roleadd
+++ b/ud-roleadd
@@ -50,7 +50,7 @@ for (switch, val) in options:
    if (switch == '-u'):
       AdminUser = val
 
-l = passwdAccessLDAP(LDAPServer, BaseDn, AdminUser)
+l = passwdAccessLDAP(BaseDn, AdminUser)
 
 while 1:
    account = raw_input("Who are you going to add? ")

diff --git a/ud-useradd b/ud-useradd
index f5c1fbc..23e1cd0 100755 (executable)
--- a/ud-useradd
+++ b/ud-useradd
@@ -67,7 +67,7 @@ for (switch, val) in options:
    elif (switch == '-n'):
       NoAutomaticIDs = 1;
 
-l = passwdAccessLDAP(LDAPServer, BaseDn, AdminUser)
+l = passwdAccessLDAP(BaseDn, AdminUser)
 
 # Locate the key of the user we are adding
 SetKeyrings(ConfModule.add_keyrings.split(":"))

diff --git a/ud-userimport b/ud-userimport
index 4e044c7..db81b65 100755 (executable)
--- a/ud-userimport
+++ b/ud-userimport
@@ -249,7 +249,7 @@ for (switch, val) in options:
 # Main program starts here
 
 # Connect to the ldap server
-l = passwdAccessLDAP(LDAPServer, BaseDn, AdminUser)
+l = passwdAccessLDAP(BaseDn, AdminUser)
 
 if (Passwd != ""):
    DoPasswd(l,Passwd);

diff --git a/ud-xearth b/ud-xearth
index 25e001a..58f8e93 100755 (executable)
--- a/ud-xearth
+++ b/ud-xearth
@@ -30,7 +30,7 @@ for (switch, val) in options:
       Anon = 1;
 
 # Connect to the ldap server
-l = passwdAccessLDAP(LDAPServer, BaseDn, User)
+l = passwdAccessLDAP(BaseDn, User)
 
 Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"latitude=*",\
          ["uid","cn","mn","sn","latitude","longitude"]);

diff --git a/userdir-ldap.conf b/userdir-ldap.conf
index 090ac5a..ad37d9d 100644 (file)
--- a/userdir-ldap.conf
+++ b/userdir-ldap.conf
@@ -8,6 +8,7 @@ localsyncon = "*samosa*";
 
 # Basic LDAP configuration
 ldaphost = "db.debian.org";
+usessl   = True;
 basedn   = "ou=users,dc=debian,dc=org";
 hostbasedn = "ou=hosts,dc=debian,dc=org";
 adminuser = "admin";

diff --git a/userdir_ldap.py b/userdir_ldap.py
index 539dbae..e90fffd 100644 (file)
--- a/userdir_ldap.py
+++ b/userdir_ldap.py
@@ -45,6 +45,11 @@ Ech_MainLog = ConfModule.ech_mainlog;
 MultipleSSHFiles = getattr(ConfModule, 'multiplesshfiles', False)
 SingleSSHFile = getattr(ConfModule, 'singlesshfile', True)
 
+try:
+   UseSSL = ConfModule.usessl;
+except AttributeError:
+   UseSSL = False;
+
 # Break up the keyring list
 userdir_gpg.SetKeyrings(ConfModule.keyrings.split(":"))
 
@@ -102,6 +107,16 @@ def PrettyShow(DnRecord):
          Result = Result + "%s: %s\n" % (x,i);
    return Result[:-1];
 
+def connectLDAP(server = None):
+   if server == None:
+      global LDAPServer
+      server = LDAPServer
+   l = ldap.open(server);
+   global UseSSL
+   if UseSSL:
+      l.start_tls_s();
+   return l;
+
 # Function to prompt for a password 
 def getpass(prompt = "Password: "):
    import termios, sys;
@@ -124,7 +139,7 @@ def getpass(prompt = "Password: "):
    print;
    return passwd;
 
-def passwdAccessLDAP(LDAPServer, BaseDn, AdminUser):
+def passwdAccessLDAP(BaseDn, AdminUser):
    """
    Ask for the AdminUser's password and connect to the LDAP server.
    Returns the connection handle.
@@ -136,7 +151,7 @@ def passwdAccessLDAP(LDAPServer, BaseDn, AdminUser):
       if len(Password) == 0:
          sys.exit(0)
 
-      l = ldap.open(LDAPServer);
+      l = connectLDAP()
       UserDn = "uid=" + AdminUser + "," + BaseDn;
 
       # Connect to the ldap server