userdir-ldap (0.3.XX) Xnstable; urgency=low
- [ Peter Palfrader ]
- * ud-replicate: sgran pointed out that if all we care about ignoring is
- EEXIST then we should use mkdir -p instead of [ -d userkeys ] || mkdir
- userkeys.
-
- [ Stephen Gran ]
- * Document how to use unique overlay for uid and keyFingerPrint
-
- -- Stephen Gran <sgran@debian.org> Sun, 18 May 2008 17:58:46 +0100
-
-userdir-ldap (0.3.25+common1) unstable; urgency=low
-
- [ Martin Zobel-Helas ]
- * Fix userdir-ldap.schema (objectClass now contains MAY: VoIP)
-
[ Joerg Jaspert ]
* Use sync_keyrings from config file in ud-generate instead of a
hardcoded list
* Use ud-config to get the emailappend value in ud-replicate, no longer
hardcoding @debian.org
- -- Joerg Jaspert <joerg@debian.org> Sun, 18 May 2008 13:32:01 +0200
+ [ Stephen Gran ]
+ * Document how to use unique overlay for uid and keyFingerPrint
+
+ -- Peter Palfrader <weasel@debian.org> Fri, 23 May 2008 10:01:51 +0200
+
+userdir-ldap (0.3.30) unstable; urgency=low
+
+ * When we touch usePassword in ud-info or ud-mailgate we now also
+ update shadowLastChange.
+ * When we lock accounts, set shadowExpire to 1. shadowExpire
+ is "days since Jan 1, 1970 that account is disabled".
+ * Properly capitalize shadowInactive and shadowExpire attributes in
+ ud-info and ud-generate.
+ * Add copyright statements to ud-info from bzr log.
+
+ -- Peter Palfrader <weasel@debian.org> Thu, 22 May 2008 22:39:10 +0200
+
+userdir-ldap (0.3.29) unstable; urgency=low
+
+ * ud-info: Add an option "L" to lock accounts in the interactive
+ interface. Locking an account sets a user's password to "{crypt}*LK*"
+ and sets a mailDisableMessage of "account locked".
+
+ -- Peter Palfrader <weasel@debian.org> Thu, 22 May 2008 21:49:19 +0200
+
+userdir-ldap (0.3.28) unstable; urgency=low
+
+ * ud-generate: Do not disable mail just because the account is locked.
+
+ -- Peter Palfrader <weasel@debian.org> Thu, 22 May 2008 21:38:56 +0200
+
+userdir-ldap (0.3.27) unstable; urgency=low
+
+ * Export ssh-keys.tar.gz to [UNTRUSTED] hosts. Since we already export
+ ssh-rsa-shadow this is probably the right thing.
+ * Make keys in the ssh-keys tarball mode 0400 instead of mode 0600.
+
+ -- Peter Palfrader <weasel@debian.org> Mon, 19 May 2008 08:55:28 +0200
+
+userdir-ldap (0.3.26) unstable; urgency=low
+
+ * ud-replicate: sgran pointed out that if all we care about ignoring is
+ EEXIST then we should use mkdir -p instead of [ -d userkeys ] || mkdir
+ userkeys.
+ * ud-mailgate: a bug in DoSSH caused all changes to fail that came after
+ DoSSH in HandleChange. Now DoSSH properly returns without raising an
+ exception if the line to handle is not an ssh public key.
+ * Fix userdir-ldap.schema (objectClass now contains MAY: VoIP). [zobel]
+
+ -- Peter Palfrader <weasel@debian.org> Sun, 18 May 2008 14:27:50 +0200
userdir-ldap (0.3.25) unstable; urgency=low
or GetAttr(x,"userPassword").startswith("!"):
ShadowExpire = '1'
else:
- ShadowExpire = GetAttr(x,"shadowexpire")
+ ShadowExpire = GetAttr(x,"shadowExpire")
Line = "%s:%s:%s:%s:%s:%s:%s:%s:" % (GetAttr(x,"uid"),\
Pass,GetAttr(x,"shadowLastChange"),\
GetAttr(x,"shadowMin"),GetAttr(x,"shadowMax"),\
- GetAttr(x,"shadowWarning"),GetAttr(x,"shadowinactive"),\
+ GetAttr(x,"shadowWarning"),GetAttr(x,"shadowInactive"),\
ShadowExpire);
Line = Sanitize(Line) + "\n";
F.write("0%u %s" % (I,Line));
for x in PasswdAttrs:
Reason = None
-
- # If the account is locked, disable incoming mail
- if (GetAttr(x,"userPassword").find("*LK*") != -1):
- if GetAttr(x,"uid") == "luther":
- continue
- else:
- Reason = "user account locked"
+
+ if x[1].has_key("mailDisableMessage"):
+ Reason = GetAttr(x,"mailDisableMessage")
else:
- if x[1].has_key("mailDisableMessage"):
- Reason = GetAttr(x,"mailDisableMessage")
- else:
- continue
+ continue
# Must be in the Debian group (yuk, hard coded for now)
if GetAttr(x,"gidNumber") != "800":
PasswdAttrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"uid=*",\
["uid","uidNumber","gidNumber","supplementaryGid",\
"gecos","loginShell","userPassword","shadowLastChange",\
- "shadowMin","shadowMax","shadowWarning","shadowinactive",
- "shadowexpire","emailForward","latitude","longitude",\
+ "shadowMin","shadowMax","shadowWarning","shadowInactive",
+ "shadowExpire","emailForward","latitude","longitude",\
"allowedHost","sshRSAAuthKey","dnsZoneEntry","cn","sn",\
"keyFingerPrint","privateSub","mailDisableMessage",\
"mailGreylisting","mailCallout","mailRBL","mailRHSBL",\
userlist = GenPasswd(l,OutDir+"passwd",Split[1], "x");
sys.stdout.flush();
grouprevmap = GenGroup(l,OutDir+"group");
- if ExtraList.has_key("[UNTRUSTED]"):
- continue;
- if not ExtraList.has_key("[NOPASSWD]"):
- GenShadow(l,OutDir+"shadow");
# Now we know who we're allowing on the machine, export
# the relevant ssh keys
# to give a shit^W^W^Wcare about the UIDoffset stuff.
to.uname = f
to.gname = grname
- to.mode = 0600
+ to.mode = 0400
tf.addfile(to, file(os.path.join(GlobalDir, 'userkeys', f)))
tf.close()
os.rename(os.path.join(GlobalDir, 'ssh-keys-%s.tar.gz' % CurrentHost),
os.path.join(OutDir, 'ssh-keys.tar.gz'))
+ if ExtraList.has_key("[UNTRUSTED]"):
+ continue;
+ if not ExtraList.has_key("[NOPASSWD]"):
+ GenShadow(l,OutDir+"shadow");
+
# Link in global things
DoLink(GlobalDir,OutDir,"markers");
DoLink(GlobalDir,OutDir,"mail-forward.cdb");
# -r Enable 'root' functions, do this if your uid has access to
# restricted variables.
+# Copyright (c) 1999-2001 Jason Gunthorpe <jgg@debian.org>
+# Copyright (c) 2004-2005,7 Joey Schulze <joey@infodrom.org>
+# Copyright (c) 2001-2006 Ryan Murray <rmurray@debian.org>
+# Copyright (c) 2008 Peter Palfrader <peter@palfrader.org>
+# Copyright (c) 2008 Martin Zobel-Helas <zobel@debian.org>
+# Copyright (c) 2008 Marc 'HE' Brockschmidt <he@debian.org>
+# Copyright (c) 2008 Mark Hymers <mhy@debian.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
import time, os, pwd, sys, getopt, ldap, crypt, readline, copy;
from userdir_ldap import *;
MinDays = int(GetAttr(Attrs,"shadowMin","0"));
MaxDays = int(GetAttr(Attrs,"shadowMax","0"));
WarnDays = int(GetAttr(Attrs,"shadowWarning","0"));
- InactDays = int(GetAttr(Attrs,"shadowinactive","0"));
- Expire = int(GetAttr(Attrs,"shadowexpire","0"));
+ InactDays = int(GetAttr(Attrs,"shadowInactive","0"));
+ Expire = int(GetAttr(Attrs,"shadowExpire","0"));
print "%-24s:" % ("Password last changed"),
print time.strftime("%a %d/%m/%Y %Z",time.localtime(Changed*24*60*60));
print " a) Arbitary Change";
print " R) Randomize Password";
print " p) Change Password";
+ print " L) Lock account";
print " u) Switch Users";
print " x) Exit";
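Review bot: The new `L) Lock account` entry at L181 is printed unconditionally as far as this hunk shows, while the handler added later in the same file only fires on `Response == 'L' and RootMode == 1`, so a user without `-r` sees an option that either does nothing or falls through to whatever handles an unknown key outside the hunk. Either guard the print with the same test or make the handler refuse explicitly, e.g. `elif Response == 'L': print "Locking requires root mode (-r)";`. If this menu is already printed inside a root-only branch that starts outside the hunk, ignore this.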
print "Setting password..";
Pass = "{crypt}" + Pass;
- l.modify_s(UserDn,[(ldap.MOD_REPLACE,"userPassword",Pass)]);
+ shadowLast = str(int(time.time()/24/60/60));
+ l.modify_s(UserDn,[(ldap.MOD_REPLACE,"userPassword",Pass),
+ (ldap.MOD_REPLACE,"shadowLastChange",shadowLast)]);
Attrs[0][1]["userPassword"] = [Pass];
+ Attrs[0][1]["shadowLastChange"] = [shadowLast];
continue;
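Review bot: The expression `str(int(time.time()/24/60/60))` that derives shadowLastChange is now spelled out at L187, L197 and L211 in ud-info and again at L235 in ud-mailgate; four copies of the same day-count conversion will drift, so a single helper is preferable, e.g. `def DaysSinceEpoch():` / `    return str(int(time.time()/24/60/60));`. It would fit in userdir_ldap, which ud-info already pulls in via `from userdir_ldap import *` (L168); ud-mailgate's imports are not visible here, so confirm it does the same before moving it there. The interactive loop enclosing this hunk starts outside it.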
# Randomize password
print "Setting password..";
Pass = "{crypt}" + Pass;
- l.modify_s(UserDn,[(ldap.MOD_REPLACE,"userPassword",Pass)]);
+ shadowLast = str(int(time.time()/24/60/60));
+ l.modify_s(UserDn,[(ldap.MOD_REPLACE,"userPassword",Pass),
+ (ldap.MOD_REPLACE,"shadowLastChange",shadowLast)]);
Attrs[0][1]["userPassword"] = [Pass];
+ Attrs[0][1]["shadowLastChange"] = [shadowLast];
+ continue;
+
+ # Lock account
+ if Response == 'L' and RootMode == 1:
+ Resp = raw_input("Really lock account? [no/yes]");
+ if Resp != "yes":
+ continue;
+
+ print "Setting password..";
+ shadowLast = str(int(time.time()/24/60/60));
+ l.modify_s(UserDn,[
+ (ldap.MOD_REPLACE,"userPassword","{crypt}*LK*"),
+ (ldap.MOD_REPLACE,"mailDisableMessage","account locked"),
+ (ldap.MOD_REPLACE,"shadowLastChange",shadowLast),
+ (ldap.MOD_REPLACE,"shadowExpire","1")]);
+ Attrs[0][1]["userPassword"] = ["{crypt}*LK*"];
+ Attrs[0][1]["mailDisableMessage"] = ["account locked"];
+ Attrs[0][1]["shadowLastChange"] = [shadowLast];
+ Attrs[0][1]["shadowExpire"] = ["1"];
continue;
# Handle changing an arbitary value
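Review bot: The lock at L212-L216 replaces the hash with `{crypt}*LK*` (which no password can match) and writes `shadowExpire` = 1, but it leaves `sshRSAAuthKey` untouched, and in ud-generate the shadow file is skipped for `[NOPASSWD]` hosts (L137-L138) while the ssh-keys tarball is still produced (L131-L134); unless the key export filters on lock state somewhere outside these hunks, key-based logins on such hosts are not stopped by this lock. A comment at `# Lock account` should state the scope, e.g. `# Lock disables password auth and sets mailDisableMessage; ssh keys are not touched here.`, or the export should be confirmed to consult shadowExpire when building userkeys. Separately, `Response == 'L' and RootMode == 1` means a non-root `L` falls through to whatever follows this hunk. The enclosing loop continues outside the hunk.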
# [options] 1024 35 13188913666680[..] [comment]
def DoSSH(Str, Attrs, badkeys, uid):
Match = SSH2AuthSplit.match(Str);
+ if Match == None:
+ return None;
g = Match.groups()
typekey = g[1]
if Match == None:
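Review bot: With the early `return None` added at L226-L227, the later `if Match == None:` at L230 can no longer be true and is now dead code; drop that branch so DoSSH has a single no-match path. The new check should read `if Match is None:` per Python convention. The rest of DoSSH, and what HandleChange does with a None return, lies outside this hunk.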
raise Error, "This account is locked";
# Modify the password
- Rec = [(ldap.MOD_REPLACE,"userPassword","{crypt}"+Pass)];
+ Rec = [(ldap.MOD_REPLACE,"userPassword","{crypt}"+Pass),
+ (ldap.MOD_REPLACE,"shadowLastChange",str(int(time.time()/24/60/60)))];
Dn = "uid=" + GetAttr(DnRecord,"uid") + "," + BaseDn;
l.modify_s(Dn,Rec);