Do SSL when connecting to the ldap server.

diff --git a/debian/changelog b/debian/changelog
index 0073427..bfc6f60 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+userdir-ldap (0.3.32) unstable; urgency=low
+
+  * Do SSL when connecting to the ldap server.
+
+ -- Peter Palfrader <weasel@debian.org>  Fri, 23 May 2008 23:50:03 +0200
+

 userdir-ldap (0.3.31) unstable; urgency=low
 
   [ Joerg Jaspert ]
 userdir-ldap (0.3.31) unstable; urgency=low
 
   [ Joerg Jaspert ]

diff --git a/gpgwrapper b/gpgwrapper
index 87ce632..cf25226 100755 (executable)
--- a/gpgwrapper
+++ b/gpgwrapper
@@ -85,7 +85,7 @@ def CheckLDAP(FingerPrint):
    ErrType = EX_TEMPFAIL;
    ErrMsg = "An error occured while performing the LDAP lookup";
    global l;
    ErrType = EX_TEMPFAIL;
    ErrMsg = "An error occured while performing the LDAP lookup";
    global l;

-   l = ldap.open(LDAPServer);
+   l = connectLDAP(LDAPServer);

    l.simple_bind_s("","");
 
    # Search for the matching key fingerprint
    l.simple_bind_s("","");
 
    # Search for the matching key fingerprint

diff --git a/sigcheck b/sigcheck
index 57c4a90..1ba2a8d 100755 (executable)
--- a/sigcheck
+++ b/sigcheck
@@ -54,7 +54,7 @@ def CheckLDAP(FingerPrint):
    ErrType = EX_TEMPFAIL;
    ErrMsg = "An error occurred while performing the LDAP lookup:";
    global l;
    ErrType = EX_TEMPFAIL;
    ErrMsg = "An error occurred while performing the LDAP lookup:";
    global l;

-   l = ldap.open(LDAPServer);
+   l = connectLDAP(LDAPServer);

    l.simple_bind_s("","");
 
    # Search for the matching key fingerprint
    l.simple_bind_s("","");
 
    # Search for the matching key fingerprint

diff --git a/ud-arbimport b/ud-arbimport
index 7d306f7..90a1746 100755 (executable)
--- a/ud-arbimport
+++ b/ud-arbimport
@@ -39,7 +39,7 @@ if len(arguments) == 0:
    sys.exit(0)
 
 # Main program starts here
    sys.exit(0)
 
 # Main program starts here

-l = passwdAccessLDAP(LDAPServer, BaseDn, AdminUser)
+l = passwdAccessLDAP(BaseDn, AdminUser)

 
 List = open(arguments[1],"r");
 Set = [];
 
 List = open(arguments[1],"r");
 Set = [];

diff --git a/ud-echelon b/ud-echelon
index 3632980..6c07a0a 100755 (executable)
--- a/ud-echelon
+++ b/ud-echelon
@@ -94,7 +94,7 @@ try:
    ErrType = EX_TEMPFAIL;
    ErrMsg = "An error occured while performing the LDAP lookup";
    global l;
    ErrType = EX_TEMPFAIL;
    ErrMsg = "An error occured while performing the LDAP lookup";
    global l;

-   l = ldap.open(LDAPServer);
+   l = connectLDAP()

    if Debug == None:
       F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r");
       AccessPass = F.readline().strip().split(" ")
    if Debug == None:
       F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r");
       AccessPass = F.readline().strip().split(" ")

diff --git a/ud-emailmatcher b/ud-emailmatcher
index bae8fd9..4d42d77 100755 (executable)
--- a/ud-emailmatcher
+++ b/ud-emailmatcher
@@ -52,8 +52,7 @@ for x in arguments:
 Args = Args + GPGSearchOptions + [" 2> /dev/null"]
 Keys = os.popen(" ".join(Args),"r")
 
 Args = Args + GPGSearchOptions + [" 2> /dev/null"]
 Keys = os.popen(" ".join(Args),"r")
 

-l = ldap.open(LDAPServer);
-l.simple_bind_s("","");
+l = connectLDAP()

 
 # Fetch the key list and map to email address
 PasswdAttrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"keyfingerprint=*",\
 
 # Fetch the key list and map to email address
 PasswdAttrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"keyfingerprint=*",\

diff --git a/ud-generate b/ud-generate
index 17e54b3..774e032 100755 (executable)
--- a/ud-generate
+++ b/ud-generate
@@ -848,7 +848,7 @@ def GenKeyrings(l,OutDir):
     shutil.copy(k, OutDir)
 
 # Connect to the ldap server
     shutil.copy(k, OutDir)
 
 # Connect to the ldap server

-l = ldap.open(LDAPServer);
+l = connectLDAP()

 F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r");
 Pass = F.readline().strip().split(" ")
 F.close();
 F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r");
 Pass = F.readline().strip().split(" ")
 F.close();

diff --git a/ud-gpgimport b/ud-gpgimport
index 797aa5d..0ad4fc9 100755 (executable)
--- a/ud-gpgimport
+++ b/ud-gpgimport
@@ -70,9 +70,9 @@ if len(arguments) == 0:
 
 # Connect to the ldap server
 if NoAct == 0:
 
 # Connect to the ldap server
 if NoAct == 0:

-   l = passwdAccessLDAP(LDAPServer, BaseDn, AdminUser)
+   l = passwdAccessLDAP(BaseDn, AdminUser)

 else:
 else:

-   l = ldap.open(LDAPServer);
+   l = connectLDAP()

    l.simple_bind_s("","");
 
 # Download the existing key list and put it into a map
    l.simple_bind_s("","");
 
 # Download the existing key list and put it into a map

diff --git a/ud-groupadd b/ud-groupadd
index de074b9..a1e39e4 100755 (executable)
--- a/ud-groupadd
+++ b/ud-groupadd
@@ -53,7 +53,7 @@ for (switch, val) in options:
    if (switch == '-u'):
       AdminUser = val;
 
    if (switch == '-u'):
       AdminUser = val;
 

-l = passwdAccessLDAP(LDAPServer, BaseDn, AdminUser)
+l = passwdAccessLDAP(BaseDn, AdminUser)

 
 while 1:
    Group = raw_input("Group name? ");
 
 while 1:
    Group = raw_input("Group name? ");

diff --git a/ud-host b/ud-host
index e186e9a..97af1ef 100755 (executable)
--- a/ud-host
+++ b/ud-host
@@ -241,9 +241,9 @@ for (switch, val) in options:
       FingerPrints = 1
 
 if (BindUser != ""):
       FingerPrints = 1
 
 if (BindUser != ""):

-   l = passwdAccessLDAP(LDAPServer, BaseDn, BindUser)
+   l = passwdAccessLDAP(BaseDn, BindUser)

 else:
 else:

-   l = ldap.open(LDAPServer);
+   l = connectLDAP()

    l.simple_bind_s("","")
 
 if ListMode == 1:
    l.simple_bind_s("","")
 
 if ListMode == 1:

diff --git a/ud-info b/ud-info
index d099c46..e05cb86 100755 (executable)
--- a/ud-info
+++ b/ud-info
@@ -315,7 +315,7 @@ if (BindUser != ""):
    Password = getpass(BindUser + "'s password: ");
 
 # Connect to the ldap server
    Password = getpass(BindUser + "'s password: ");
 
 # Connect to the ldap server

-l = ldap.open(LDAPServer);
+l = connectLDAP()

 UserDn = "uid=" + BindUser + "," + BaseDn;
 if (BindUser != ""):
    l.simple_bind_s(UserDn,Password);
 UserDn = "uid=" + BindUser + "," + BaseDn;
 if (BindUser != ""):
    l.simple_bind_s(UserDn,Password);

diff --git a/ud-ldapshow b/ud-ldapshow
index c397340..70e1f70 100755 (executable)
--- a/ud-ldapshow
+++ b/ud-ldapshow
@@ -31,7 +31,7 @@ for (switch, val) in options:
 print "Connecting to LDAP directory";
 
 # Connect to the ldap server
 print "Connecting to LDAP directory";
 
 # Connect to the ldap server

-l = ldap.open(LDAPServer);
+l = connectLDAP()

 l.simple_bind_s("","");
 
 if arguments[0] == "nokey":
 l.simple_bind_s("","");
 
 if arguments[0] == "nokey":

diff --git a/ud-mailgate b/ud-mailgate
index 4fa2edf..6341130 100755 (executable)
--- a/ud-mailgate
+++ b/ud-mailgate
@@ -467,7 +467,7 @@ def HandleChange(Reply,DnRecord,Key):
       Result = Result + Res + "\n";
 
    # Connect to the ldap server
       Result = Result + Res + "\n";
 
    # Connect to the ldap server

-   l = ldap.open(LDAPServer);
+   l = connectLDAP()

    F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r");
    AccessPass = F.readline().strip().split(" ")
    F.close();
    F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r");
    AccessPass = F.readline().strip().split(" ")
    F.close();


@@ -538,7 +538,7 @@ def HandleChPass(Reply,DnRecord,Key):
    Reply = Reply + TemplateSubst(Subst,open(TemplatesDir+"passwd-changed","r").read());
    
    # Connect to the ldap server
    Reply = Reply + TemplateSubst(Subst,open(TemplatesDir+"passwd-changed","r").read());
    
    # Connect to the ldap server

-   l = ldap.open(LDAPServer);
+   l = connectLDAP()

    F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r");
    AccessPass = F.readline().strip().split(" ")
    F.close();
    F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r");
    AccessPass = F.readline().strip().split(" ")
    F.close();


@@ -616,7 +616,7 @@ try:
    ErrType = EX_TEMPFAIL;
    ErrMsg = "An error occured while performing the LDAP lookup";
    global l;
    ErrType = EX_TEMPFAIL;
    ErrMsg = "An error occured while performing the LDAP lookup";
    global l;

-   l = ldap.open(LDAPServer);
+   l = connectLDAP()

    l.simple_bind_s("","");
 
    # Search for the matching key fingerprint
    l.simple_bind_s("","");
 
    # Search for the matching key fingerprint

diff --git a/ud-passchk b/ud-passchk
index 6a7865a..1364e52 100755 (executable)
--- a/ud-passchk
+++ b/ud-passchk
@@ -41,7 +41,7 @@ def PassCheck(l,File,HomePrefix):
          print "mismatch",Split[0],Miss;
 
 # Connect to the ldap server
          print "mismatch",Split[0],Miss;
 
 # Connect to the ldap server

-l = ldap.open(LDAPServer);
+l = connectLDAP()

 l.simple_bind_s("","");
 
 PassCheck(l,sys.argv[1],sys.argv[2]);
 l.simple_bind_s("","");
 
 PassCheck(l,sys.argv[1],sys.argv[2]);

diff --git a/ud-roleadd b/ud-roleadd
index 2117308..9c30bd1 100755 (executable)
--- a/ud-roleadd
+++ b/ud-roleadd
@@ -50,7 +50,7 @@ for (switch, val) in options:
    if (switch == '-u'):
       AdminUser = val
 
    if (switch == '-u'):
       AdminUser = val
 

-l = passwdAccessLDAP(LDAPServer, BaseDn, AdminUser)
+l = passwdAccessLDAP(BaseDn, AdminUser)

 
 while 1:
    account = raw_input("Who are you going to add? ")
 
 while 1:
    account = raw_input("Who are you going to add? ")

diff --git a/ud-useradd b/ud-useradd
index f5c1fbc..23e1cd0 100755 (executable)
--- a/ud-useradd
+++ b/ud-useradd
@@ -67,7 +67,7 @@ for (switch, val) in options:
    elif (switch == '-n'):
       NoAutomaticIDs = 1;
 
    elif (switch == '-n'):
       NoAutomaticIDs = 1;
 

-l = passwdAccessLDAP(LDAPServer, BaseDn, AdminUser)
+l = passwdAccessLDAP(BaseDn, AdminUser)

 
 # Locate the key of the user we are adding
 SetKeyrings(ConfModule.add_keyrings.split(":"))
 
 # Locate the key of the user we are adding
 SetKeyrings(ConfModule.add_keyrings.split(":"))

diff --git a/ud-userimport b/ud-userimport
index 4e044c7..db81b65 100755 (executable)
--- a/ud-userimport
+++ b/ud-userimport
@@ -249,7 +249,7 @@ for (switch, val) in options:
 # Main program starts here
 
 # Connect to the ldap server
 # Main program starts here
 
 # Connect to the ldap server

-l = passwdAccessLDAP(LDAPServer, BaseDn, AdminUser)
+l = passwdAccessLDAP(BaseDn, AdminUser)

 
 if (Passwd != ""):
    DoPasswd(l,Passwd);
 
 if (Passwd != ""):
    DoPasswd(l,Passwd);

diff --git a/ud-xearth b/ud-xearth
index 25e001a..58f8e93 100755 (executable)
--- a/ud-xearth
+++ b/ud-xearth
@@ -30,7 +30,7 @@ for (switch, val) in options:
       Anon = 1;
 
 # Connect to the ldap server
       Anon = 1;
 
 # Connect to the ldap server

-l = passwdAccessLDAP(LDAPServer, BaseDn, User)
+l = passwdAccessLDAP(BaseDn, User)

 
 Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"latitude=*",\
          ["uid","cn","mn","sn","latitude","longitude"]);
 
 Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"latitude=*",\
          ["uid","cn","mn","sn","latitude","longitude"]);

diff --git a/userdir-ldap.conf b/userdir-ldap.conf
index 090ac5a..ad37d9d 100644 (file)
--- a/userdir-ldap.conf
+++ b/userdir-ldap.conf
@@ -8,6 +8,7 @@ localsyncon = "*samosa*";
 
 # Basic LDAP configuration
 ldaphost = "db.debian.org";
 
 # Basic LDAP configuration
 ldaphost = "db.debian.org";

+usessl   = True;

 basedn   = "ou=users,dc=debian,dc=org";
 hostbasedn = "ou=hosts,dc=debian,dc=org";
 adminuser = "admin";
 basedn   = "ou=users,dc=debian,dc=org";
 hostbasedn = "ou=hosts,dc=debian,dc=org";
 adminuser = "admin";

diff --git a/userdir_ldap.py b/userdir_ldap.py
index 539dbae..e90fffd 100644 (file)
--- a/userdir_ldap.py
+++ b/userdir_ldap.py
@@ -45,6 +45,11 @@ Ech_MainLog = ConfModule.ech_mainlog;
 MultipleSSHFiles = getattr(ConfModule, 'multiplesshfiles', False)
 SingleSSHFile = getattr(ConfModule, 'singlesshfile', True)
 
 MultipleSSHFiles = getattr(ConfModule, 'multiplesshfiles', False)
 SingleSSHFile = getattr(ConfModule, 'singlesshfile', True)
 

+try:
+   UseSSL = ConfModule.usessl;
+except AttributeError:
+   UseSSL = False;
+

 # Break up the keyring list
 userdir_gpg.SetKeyrings(ConfModule.keyrings.split(":"))
 
 # Break up the keyring list
 userdir_gpg.SetKeyrings(ConfModule.keyrings.split(":"))
 


@@ -102,6 +107,16 @@ def PrettyShow(DnRecord):
          Result = Result + "%s: %s\n" % (x,i);
    return Result[:-1];
 
          Result = Result + "%s: %s\n" % (x,i);
    return Result[:-1];
 

+def connectLDAP(server = None):
+   if server == None:
+      global LDAPServer
+      server = LDAPServer
+   l = ldap.open(server);
+   global UseSSL
+   if UseSSL:
+      l.start_tls_s();
+   return l;
+

 # Function to prompt for a password 
 def getpass(prompt = "Password: "):
    import termios, sys;
 # Function to prompt for a password 
 def getpass(prompt = "Password: "):
    import termios, sys;


@@ -124,7 +139,7 @@ def getpass(prompt = "Password: "):
    print;
    return passwd;
 
    print;
    return passwd;
 

-def passwdAccessLDAP(LDAPServer, BaseDn, AdminUser):
+def passwdAccessLDAP(BaseDn, AdminUser):

    """
    Ask for the AdminUser's password and connect to the LDAP server.
    Returns the connection handle.
    """
    Ask for the AdminUser's password and connect to the LDAP server.
    Returns the connection handle.


@@ -136,7 +151,7 @@ def passwdAccessLDAP(LDAPServer, BaseDn, AdminUser):
       if len(Password) == 0:
          sys.exit(0)
 
       if len(Password) == 0:
          sys.exit(0)
 

-      l = ldap.open(LDAPServer);
+      l = connectLDAP()

       UserDn = "uid=" + AdminUser + "," + BaseDn;
 
       # Connect to the ldap server
       UserDn = "uid=" + AdminUser + "," + BaseDn;
 
       # Connect to the ldap server