from userdir_ldap import *
from userdir_exceptions import *
import UDLdap
++from xml.etree.ElementTree import Element, SubElement, Comment
++from xml.etree import ElementTree
++from xml.dom import minidom
try:
from cStringIO import StringIO
except ImportError:
Keyrings = ConfModule.sync_keyrings.split(":")
GitoliteSSHRestrictions = getattr(ConfModule, "gitolitesshrestrictions", None)
++def prettify(elem):
++ """Return a pretty-printed XML string for the Element.
++ """
++ rough_string = ElementTree.tostring(elem, 'utf-8')
++ reparsed = minidom.parseString(rough_string)
++ return reparsed.toprettyxml(indent=" ")
def safe_makedirs(dir):
try:
Die(File, None, F)
raise
- Line = "<user id=\"%s\">\n <params>\n <param name=\"password\" value=\"%s\"/>\n <params />\n</user>" % (a['uid'], Pass)
- Line = Sanitize(Line) + "\n"
- F.write("%s" % (Line))
+# Generate the voipPassword list
+def GenVoipPassword(accounts, File):
+ F = None
+ try:
+ OldMask = os.umask(0077)
+ F = open(File, "w", 0600)
+ os.umask(OldMask)
+
++ root = Element('domain')
++ root.attrib['name'] = "$${sip_profile}"
++
+ for a in accounts:
+ if not 'voipPassword' in a: continue
+ if not a.pw_active(): continue
+
+ Pass = str(a['voipPassword'])
++ user = Element('user')
++ user.attrib['id'] = "%s" % (a['uid'])
++ root.append(user)
++ params = Element('params')
++ user.append(params)
++ param = Element('param')
++ params.append(param)
++ param.attrib['name'] = "a1-hash"
++ param.attrib['value'] = "%s" % (Pass)
++
++ F.write("%s" % (prettify(root)))
++
+
+ except:
+ Die(File, None, F)
+ raise
+
def GenSSHtarballs(global_dir, userlist, ssh_userkeys, grouprevmap, target, current_host):
OldMask = os.umask(0077)
tf = tarfile.open(name=os.path.join(global_dir, 'ssh-keys-%s.tar.gz' % current_host), mode='w:gz')
"keyFingerPrint", "privateSub", "mailDisableMessage",\
"mailGreylisting", "mailCallout", "mailRBL", "mailRHSBL",\
"mailWhitelist", "sudoPassword", "objectClass", "accountStatus",\
- "mailContentInspectionAction", "webPassword"])
+ "mailContentInspectionAction", "webPassword", "voipPassword"])
if passwd_attrs is None:
raise UDEmptyList, "No Users"
GenMailList(accounts, global_dir + "mail-rhsbl", "mailRHSBL")
GenMailList(accounts, global_dir + "mail-whitelist", "mailWhitelist")
GenWebPassword(accounts, global_dir + "web-passwords")
+ GenVoipPassword(accounts, global_dir + "voip-passwords")
GenKeyrings(global_dir)
# Compatibility.
if 'WEB-PASSWORDS' in ExtraList:
DoLink(global_dir, OutDir, "web-passwords")
++ if 'VOIP-PASSWORDS' in ExtraList:
++ DoLink(global_dir, OutDir, "voip-passwords")
++
if 'KEYRING' in ExtraList:
for k in Keyrings:
bn = os.path.basename(k)
return last
+ def getLastKeyringChangeTime():
+ krmod = 0
+ for k in Keyrings:
+ mt = os.path.getmtime(k)
+ if mt > krmod:
+ krmod = mt
+
+ return krmod
+
def getLastBuildTime(gdir):
- cache_last_mod = 0
+ cache_last_ldap_mod = 0
+ cache_last_unix_mod = 0
try:
fd = open(os.path.join(gdir, "last_update.trace"), "r")
cache_last_mod=fd.read().split()
try:
- cache_last_mod = cache_last_mod[0]
- except IndexError:
+ cache_last_ldap_mod = cache_last_mod[0]
+ cache_last_unix_mod = int(cache_last_mod[1])
+ except IndexError, ValueError:
pass
fd.close()
except IOError, e:
else:
raise e
- return cache_last_mod
-
+ return (cache_last_ldap_mod, cache_last_unix_mod)
def ud_generate():
parser = optparse.OptionParser()
l = make_ldap_conn()
+ time_started = int(time.time())
ldap_last_mod = getLastLDAPChangeTime(l)
- cache_last_mod = getLastBuildTime(generate_dir)
- need_update = ldap_last_mod > cache_last_mod
+ unix_last_mod = getLastKeyringChangeTime()
+ cache_last_ldap_mod, cache_last_unix_mod = getLastBuildTime(generate_dir)
+
+ need_update = (ldap_last_mod > cache_last_ldap_mod) or (unix_last_mod > cache_last_unix_mod)
if not options.force and not need_update:
fd = open(os.path.join(generate_dir, "last_update.trace"), "w")
- fd.write("%s\n%s\n" % (ldap_last_mod, int(time.time())))
+ fd.write("%s\n%s\n" % (ldap_last_mod, time_started))
fd.close()
sys.exit(0)
tracefd = open(os.path.join(generate_dir, "last_update.trace"), "w")
generate_all(generate_dir, l)
- tracefd.write("%s\n%s\n" % (ldap_last_mod, int(time.time())))
+ tracefd.write("%s\n%s\n" % (ldap_last_mod, time_started))
tracefd.close()
by * break
# allow users write access to an explicit subset of their fields
-access to attrs=c,l,loginShell,ircNick,labeledURI,icqUIN,jabberJID,onVacation,birthDate,mailDisableMessage,gender,emailforward,mailCallout,mailGreylisting,mailRBL,mailRHSBL,mailWhitelist,mailContentInspectionAction,mailDefaultOptions,facsimileTelephoneNumber,telephoneNumber,postalAddress,postalCode,loginShell,onVacation,privateSub,latitude,longitude,VoIP,userPassword,sudoPassword,webPassword,bATVToken
+access to attrs=c,l,loginShell,ircNick,labeledURI,icqUIN,jabberJID,onVacation,birthDate,mailDisableMessage,gender,emailforward,mailCallout,mailGreylisting,mailRBL,mailRHSBL,mailWhitelist,mailContentInspectionAction,mailDefaultOptions,facsimileTelephoneNumber,telephoneNumber,postalAddress,postalCode,loginShell,onVacation,privateSub,latitude,longitude,VoIP,userPassword,sudoPassword,webPassword,voipPassword,bATVToken
by self write
by * break
##
# allow authn/z by anyone
-access to attrs=userPassword,sudoPassword,webPassword,bATVToken
+access to attrs=userPassword,sudoPassword,webPassword,voipPassword,bATVToken
by * compare
# readable only by self
by dn.regex="uid=.*,ou=users,@@DN@@" read
by * none
-
# rest is globally readable
- access to *
+ access to attrs=access,accountComment,accountStatus,admin,allowedGroups,allowedHost,architecture,bandwidth,cn,comment,dc,description,disk,distribution,dnsTTL,dnsZoneEntry,exportOptions,gecos,gid,gidNumber,homeDirectory,host,hostname,icqUin,ipHostNumber,ircNick,jabberJID,keyFingerPrint,labeledURI,mXRecord,machine,member,memory,mn,objectClass,ou,physicalHost,purpose,shadowExpire,shadowLastChange,shadowMax,shadowMin,shadowWarning,sn,sponsor,sponsor-admin,sshRSAHostKey,status,subGroup,supplementaryGid,uid,uidNumber
by * read
+ access to *
+ by * none
+
database hdb
directory "/var/lib/ldap-log"