Merge branch 'master' of git+ssh://db.debian.org/git/userdir-ldap

* 'master' of git+ssh://db.debian.org/git/userdir-ldap:
  fix
  userdir-ldap-slapd.conf.in: explicitly list readable attributes.  End with 'by * none'.
  ud-generate: Also rebuild if one of our keyrings has changed, even if ldap has not.
  ud-lock: support supplying a status to set instead of 'retiring'

diff --combined debian/changelog
index 6931ccb,a0e969c..d62afbb
--- 1/debian/changelog
--- 2/debian/changelog
+++ b/debian/changelog
@@@ -50,6 -50,9 +50,12 @@@ userdir-ldap (0.3.80) UNRELEASED; urgen
    * ud-generate: The ssh authorized_keys file for the sshdist user now wraps
      the rsync call in an flock wrapper that acquires a shared lock on
      ud-generate's lock.  This prevents syncing while ud-generate runs.
+   * ud-lock: support supplying a status to set instead of 'retiring'.
+   * ud-generate: Also rebuild if one of our keyrings has changed, even if
+     ldap has not.
++  * userdir-ldap-slapd.conf.in: explicitly list readable attributes.
++    End with 'by * none'.
++
  
    [ Stephen Gran ]
    * Fix deprecation warnings for sha module by using hashlib module instead
@@@ -59,13 -62,17 +65,17 @@@
  
    [ Martin Zobel-Helas ]
    * ud-generate: generate webPasswords
++  * ud-generate: generate voipPasswords
    * ud-replicate: set correct permissions for web-passwords
++  * ud-replicate: set correct permissions for voip-passwords
    * add freecdb to depends
    * userdir-ldap.schema
      - add webPasswords
      - add mailPreserveSuffixSeperator
 -  [ Peter Palfrader ]
 -  * userdir-ldap-slapd.conf.in: explicitly list readable attributes.
 -    End with 'by * none'.
++    - add voipPasswords
+ 
  
-  -- Martin Zobel-Helas <zobel@debian.org>  Fri, 23 Mar 2012 19:19:16 +0100
+  -- Peter Palfrader <weasel@debian.org>  Mon, 14 May 2012 18:45:07 +0200
  
  userdir-ldap (0.3.79) unstable; urgency=low
  

diff --combined ud-generate
index 9bad07a,0f6b5ae..21d8baa
--- 1/ud-generate
--- 2/ud-generate
+++ b/ud-generate
@@@ -32,6 -32,6 +32,9 @@@ import string, re, time, ldap, optparse
  from userdir_ldap import *
  from userdir_exceptions import *
  import UDLdap
++from xml.etree.ElementTree import Element, SubElement, Comment
++from xml.etree import ElementTree
++from xml.dom import minidom
  try:
     from cStringIO import StringIO
  except ImportError:
@@@ -69,6 -69,6 +72,12 @@@ DNSZone = ".debian.net
  Keyrings = ConfModule.sync_keyrings.split(":")
  GitoliteSSHRestrictions = getattr(ConfModule, "gitolitesshrestrictions", None)
  
++def prettify(elem):
++   """Return a pretty-printed XML string for the Element.
++   """
++   rough_string = ElementTree.tostring(elem, 'utf-8')
++   reparsed = minidom.parseString(rough_string)
++   return reparsed.toprettyxml(indent="  ")
  
  def safe_makedirs(dir):
     try:
@@@ -390,27 -390,6 +399,39 @@@ def GenWebPassword(accounts, File)
        Die(File, None, F)
        raise
  
-          Line = "<user id=\"%s\">\n <params>\n  <param name=\"password\" value=\"%s\"/>\n <params />\n</user>" % (a['uid'], Pass)
-          Line = Sanitize(Line) + "\n"
-          F.write("%s" % (Line))
 +# Generate the voipPassword list
 +def GenVoipPassword(accounts, File):
 +   F = None
 +   try:
 +      OldMask = os.umask(0077)
 +      F = open(File, "w", 0600)
 +      os.umask(OldMask)
 +
++      root = Element('domain')
++      root.attrib['name'] = "$${sip_profile}"
++
 +      for a in accounts:
 +         if not 'voipPassword' in a: continue
 +         if not a.pw_active(): continue
 +
 +         Pass = str(a['voipPassword'])
++         user = Element('user')
++         user.attrib['id'] = "%s" % (a['uid'])
++         root.append(user)
++         params = Element('params')
++         user.append(params)
++         param = Element('param')
++         params.append(param)
++         param.attrib['name'] = "a1-hash"
++         param.attrib['value'] = "%s" % (Pass)
++
++      F.write("%s" % (prettify(root)))
++
 +
 +   except:
 +      Die(File, None, F)
 +      raise
 +
  def GenSSHtarballs(global_dir, userlist, ssh_userkeys, grouprevmap, target, current_host):
     OldMask = os.umask(0077)
     tf = tarfile.open(name=os.path.join(global_dir, 'ssh-keys-%s.tar.gz' % current_host), mode='w:gz')
@@@ -1042,7 -1021,7 +1063,7 @@@ def get_accounts(ldap_conn)
                      "keyFingerPrint", "privateSub", "mailDisableMessage",\
                      "mailGreylisting", "mailCallout", "mailRBL", "mailRHSBL",\
                      "mailWhitelist", "sudoPassword", "objectClass", "accountStatus",\
 -                    "mailContentInspectionAction", "webPassword"])
 +                    "mailContentInspectionAction", "webPassword", "voipPassword"])
  
     if passwd_attrs is None:
        raise UDEmptyList, "No Users"
@@@ -1128,7 -1107,6 +1149,7 @@@ def generate_all(global_dir, ldap_conn)
     GenMailList(accounts, global_dir + "mail-rhsbl", "mailRHSBL")
     GenMailList(accounts, global_dir + "mail-whitelist", "mailWhitelist")
     GenWebPassword(accounts, global_dir + "web-passwords")
 +   GenVoipPassword(accounts, global_dir + "voip-passwords")
     GenKeyrings(global_dir)
  
     # Compatibility.
@@@ -1236,6 -1214,6 +1257,9 @@@ def generate_host(host, global_dir, acc
     if 'WEB-PASSWORDS' in ExtraList:
        DoLink(global_dir, OutDir, "web-passwords")
  
++   if 'VOIP-PASSWORDS' in ExtraList:
++      DoLink(global_dir, OutDir, "voip-passwords")
++
     if 'KEYRING' in ExtraList:
        for k in Keyrings:
           bn = os.path.basename(k)
@@@ -1273,15 -1251,26 +1297,26 @@@ def getLastLDAPChangeTime(l)
  
     return last
  
+ def getLastKeyringChangeTime():
+    krmod = 0
+    for k in Keyrings:
+       mt = os.path.getmtime(k)
+       if mt > krmod:
+          krmod = mt
+ 
+    return krmod
+ 
  def getLastBuildTime(gdir):
-    cache_last_mod = 0
+    cache_last_ldap_mod = 0
+    cache_last_unix_mod = 0
  
     try:
        fd = open(os.path.join(gdir, "last_update.trace"), "r")
        cache_last_mod=fd.read().split()
        try:
-          cache_last_mod = cache_last_mod[0]
-       except IndexError:
+          cache_last_ldap_mod = cache_last_mod[0]
+          cache_last_unix_mod = int(cache_last_mod[1])
+       except IndexError, ValueError:
           pass
        fd.close()
     except IOError, e:
@@@ -1290,8 -1279,7 +1325,7 @@@
        else:
           raise e
  
-    return cache_last_mod
- 
+    return (cache_last_ldap_mod, cache_last_unix_mod)
  
  def ud_generate():
     parser = optparse.OptionParser()
@@@ -1321,19 -1309,22 +1355,22 @@@
  
     l = make_ldap_conn()
  
+    time_started = int(time.time())
     ldap_last_mod = getLastLDAPChangeTime(l)
-    cache_last_mod = getLastBuildTime(generate_dir)
-    need_update = ldap_last_mod > cache_last_mod
+    unix_last_mod = getLastKeyringChangeTime()
+    cache_last_ldap_mod, cache_last_unix_mod = getLastBuildTime(generate_dir)
+ 
+    need_update = (ldap_last_mod > cache_last_ldap_mod) or (unix_last_mod > cache_last_unix_mod)
  
     if not options.force and not need_update:
        fd = open(os.path.join(generate_dir, "last_update.trace"), "w")
-       fd.write("%s\n%s\n" % (ldap_last_mod, int(time.time())))
+       fd.write("%s\n%s\n" % (ldap_last_mod, time_started))
        fd.close()
        sys.exit(0)
  
     tracefd = open(os.path.join(generate_dir, "last_update.trace"), "w")
     generate_all(generate_dir, l)
-    tracefd.write("%s\n%s\n" % (ldap_last_mod, int(time.time())))
+    tracefd.write("%s\n%s\n" % (ldap_last_mod, time_started))
     tracefd.close()
  
  

diff --combined userdir-ldap-slapd.conf.in
index dfd094e,30438b4..66ac323
--- 1/userdir-ldap-slapd.conf.in
--- 2/userdir-ldap-slapd.conf.in
+++ b/userdir-ldap-slapd.conf.in
@@@ -48,7 -48,7 +48,7 @@@ access to filter="(!(supplementaryGid=a
        by * break
  
  # allow users write access to an explicit subset of their fields
 -access to attrs=c,l,loginShell,ircNick,labeledURI,icqUIN,jabberJID,onVacation,birthDate,mailDisableMessage,gender,emailforward,mailCallout,mailGreylisting,mailRBL,mailRHSBL,mailWhitelist,mailContentInspectionAction,mailDefaultOptions,facsimileTelephoneNumber,telephoneNumber,postalAddress,postalCode,loginShell,onVacation,privateSub,latitude,longitude,VoIP,userPassword,sudoPassword,webPassword,bATVToken
 +access to attrs=c,l,loginShell,ircNick,labeledURI,icqUIN,jabberJID,onVacation,birthDate,mailDisableMessage,gender,emailforward,mailCallout,mailGreylisting,mailRBL,mailRHSBL,mailWhitelist,mailContentInspectionAction,mailDefaultOptions,facsimileTelephoneNumber,telephoneNumber,postalAddress,postalCode,loginShell,onVacation,privateSub,latitude,longitude,VoIP,userPassword,sudoPassword,webPassword,voipPassword,bATVToken
        by self write
        by * break
  
@@@ -58,7 -58,7 +58,7 @@@
  ##
  
  # allow authn/z by anyone
 -access to attrs=userPassword,sudoPassword,webPassword,bATVToken
 +access to attrs=userPassword,sudoPassword,webPassword,voipPassword,bATVToken
        by * compare
  
  # readable only by self
@@@ -79,11 -79,13 +79,13 @@@ access to attrs=facsimileTelephoneNumbe
        by dn.regex="uid=.*,ou=users,@@DN@@" read
        by * none
  
- 
  # rest is globally readable
- access to *
+ access to attrs=access,accountComment,accountStatus,admin,allowedGroups,allowedHost,architecture,bandwidth,cn,comment,dc,description,disk,distribution,dnsTTL,dnsZoneEntry,exportOptions,gecos,gid,gidNumber,homeDirectory,host,hostname,icqUin,ipHostNumber,ircNick,jabberJID,keyFingerPrint,labeledURI,mXRecord,machine,member,memory,mn,objectClass,ou,physicalHost,purpose,shadowExpire,shadowLastChange,shadowMax,shadowMin,shadowWarning,sn,sponsor,sponsor-admin,sshRSAHostKey,status,subGroup,supplementaryGid,uid,uidNumber
        by * read
  
+ access to *
+       by * none
+ 
  
  database hdb
  directory       "/var/lib/ldap-log"