projects / mirror / userdir-ldap.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 454bfc6)
Teach ud-generate about host ACLs that expire
authorPeter Palfrader <peter@palfrader.org>
Sat, 18 Sep 2010 23:01:54 +0000 (01:01 +0200)
committerPeter Palfrader <peter@palfrader.org>
Sat, 18 Sep 2010 23:01:54 +0000 (01:01 +0200)
UDLdap.py patch | blob | history
ud-generate patch | blob | history

diff --git a/UDLdap.py b/UDLdap.py
index 0155345..97fd2fb 100644 (file)
--- a/UDLdap.py
+++ b/UDLdap.py
@@ -1,6 +1,8 @@
 import ldap
 import time
+import datetime
 import userdir_ldap
+import sys
 
 class Account:
     array_values = ['objectClass', 'keyFingerPrint', 'mailWhitelist', 'mailRBL',
@@ -108,6 +110,24 @@ class Account:
         tokens.append(mailbox)
         return ' '.join(tokens)
 
+    def is_allowed_by_hostacl(self, host):
+        if not 'allowedHost' in self: return False
+        if host in self['allowedHost']: return True
+        # or maybe it's a date limited ACL
+        for entry in self['allowedHost']:
+            list = entry.split(None,1)
+            if len(list) == 1: continue
+            (h, expire) = list
+            if host != h: continue
+            try:
+                parsed = datetime.datetime.strptime(expire, '%Y%m%d')
+            except ValueError:
+                print >>sys.stderr, "Cannot parse expiry date in '%s' in hostACL entry for %s."%(entry, self['uid'])
+                return False
+            return parsed >= datetime.datetime.now()
+        return False
+
+
 # vim:set et:
 # vim:set ts=4:
 # vim:set shiftwidth=4:
diff --git a/ud-generate b/ud-generate
index 76d8179..af277ea 100755 (executable)
--- a/ud-generate
+++ b/ud-generate
@@ -137,7 +137,7 @@ def IsInGroup(account):
   if str(account['gidNumber']) in Allowed: return True
 
   # Check the host based ACL
-  if 'allowedHost' in account and CurrentHost in account['allowedHost']: return True
+  if account.is_allowed_by_hostacl(CurrentHost): return True
 
   # See if there are supplementary groups
   if not 'supplementaryGid' in account: return False
Mirror of Debian's userdir-ldap repository