From: Martin Zobel-Helas Date: Wed, 13 Jun 2012 22:10:50 +0000 (+0200) Subject: Merge branch 'master' of git+ssh://db.debian.org/git/userdir-ldap X-Git-Tag: userdir-ldap-0.3.85~61 X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fuserdir-ldap.git;a=commitdiff_plain;h=60e335bcb88d3995e4cc7217829b1bad233f7c8c;hp=fe12f1a9d872cd6570ff1744b60629e8c26601f8 Merge branch 'master' of git+ssh://db.debian.org/git/userdir-ldap * 'master' of git+ssh://db.debian.org/git/userdir-ldap: fix userdir-ldap-slapd.conf.in: explicitly list readable attributes. End with 'by * none'. ud-generate: Also rebuild if one of our keyrings has changed, even if ldap has not. ud-lock: support supplying a status to set instead of 'retiring' --- diff --git a/debian/changelog b/debian/changelog index 6931ccb..d62afbb 100644 --- a/debian/changelog +++ b/debian/changelog @@ -50,6 +50,12 @@ userdir-ldap (0.3.80) UNRELEASED; urgency=low * ud-generate: The ssh authorized_keys file for the sshdist user now wraps the rsync call in an flock wrapper that acquires a shared lock on ud-generate's lock. This prevents syncing while ud-generate runs. + * ud-lock: support supplying a status to set instead of 'retiring'. + * ud-generate: Also rebuild if one of our keyrings has changed, even if + ldap has not. + * userdir-ldap-slapd.conf.in: explicitly list readable attributes. + End with 'by * none'. + [ Stephen Gran ] * Fix deprecation warnings for sha module by using hashlib module instead 
@@ -59,13 +65,17 @@ userdir-ldap (0.3.80) UNRELEASED; urgency=low [ Martin Zobel-Helas ] * ud-generate: generate webPasswords + * ud-generate: generate voipPasswords * ud-replicate: set correct permissions for web-passwords + * ud-replicate: set correct permissions for voip-passwords * add freecdb to depends * userdir-ldap.schema - add webPasswords - add mailPreserveSuffixSeperator + - add voipPasswords + - -- Martin Zobel-Helas Fri, 23 Mar 2012 19:19:16 +0100 + -- Peter Palfrader Mon, 14 May 2012 18:45:07 +0200 userdir-ldap (0.3.79) unstable; urgency=low diff --git a/ud-generate b/ud-generate index 9bad07a..21d8baa 100755 --- a/ud-generate +++ b/ud-generate @@ -32,6 +32,9 @@ import string, re, time, ldap, optparse, sys, os, pwd, posix, socket, base64, ha from userdir_ldap import * from userdir_exceptions import * import UDLdap +from xml.etree.ElementTree import Element, SubElement, Comment +from xml.etree import ElementTree +from xml.dom import minidom try: from cStringIO import StringIO except ImportError: @@ -69,6 +72,12 @@ DNSZone = ".debian.net" Keyrings = ConfModule.sync_keyrings.split(":") GitoliteSSHRestrictions = getattr(ConfModule, "gitolitesshrestrictions", None) +def prettify(elem): + """Return a pretty-printed XML string for the Element. + """ + rough_string = ElementTree.tostring(elem, 'utf-8') + reparsed = minidom.parseString(rough_string) + return reparsed.toprettyxml(indent=" ") def safe_makedirs(dir): try: 
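Review bot: prettify() documents only that it pretty-prints, not that the minidom re-parse is the one place this can fail: any value ElementTree serialises but expat rejects when reading it back (a control character in an attribute value, for instance) surfaces here as xml.parsers.expat.ExpatError, far from the line that attached the bad value to the tree. The docstring should say so, e.g. `Serialise elem with ElementTree and re-parse it with minidom purely for indentation; raises ExpatError if the tree contains characters that are not legal XML.` If the consumer of the output does not need the indentation, `ElementTree.tostring(elem, 'utf-8')` alone avoids the round trip and the minidom import.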
@@ -398,14 +407,26 @@ def GenVoipPassword(accounts, File): F = open(File, "w", 0600) os.umask(OldMask) + root = Element('domain') + root.attrib['name'] = "$${sip_profile}" + for a in accounts: if not 'voipPassword' in a: continue if not a.pw_active(): continue Pass = str(a['voipPassword']) - Line = "\n \n \n \n" % (a['uid'], Pass) - Line = Sanitize(Line) + "\n" - F.write("%s" % (Line)) + user = Element('user') + user.attrib['id'] = "%s" % (a['uid']) + root.append(user) + params = Element('params') + user.append(params) + param = Element('param') + params.append(param) + param.attrib['name'] = "a1-hash" + param.attrib['value'] = "%s" % (Pass) + + F.write("%s" % (prettify(root))) + except: Die(File, None, F) @@ -1236,6 +1257,9 @@ def generate_host(host, global_dir, accounts, ssh_userkeys): if 'WEB-PASSWORDS' in ExtraList: DoLink(global_dir, OutDir, "web-passwords") + if 'VOIP-PASSWORDS' in ExtraList: + DoLink(global_dir, OutDir, "voip-passwords") + if 'KEYRING' in ExtraList: for k in Keyrings: bn = os.path.basename(k) @@ -1273,15 +1297,26 @@ def getLastLDAPChangeTime(l): return last +def getLastKeyringChangeTime(): + krmod = 0 + for k in Keyrings: + mt = os.path.getmtime(k) + if mt > krmod: + krmod = mt + + return krmod + def getLastBuildTime(gdir): - cache_last_mod = 0 + cache_last_ldap_mod = 0 + cache_last_unix_mod = 0 try: fd = open(os.path.join(gdir, "last_update.trace"), "r") cache_last_mod=fd.read().split() try: - cache_last_mod = cache_last_mod[0] - except IndexError: + cache_last_ldap_mod = cache_last_mod[0] + cache_last_unix_mod = int(cache_last_mod[1]) + except IndexError, ValueError: pass fd.close() except IOError, e: @@ -1290,8 +1325,7 @@ def getLastBuildTime(gdir): else: raise e - return cache_last_mod - + return (cache_last_ldap_mod, cache_last_unix_mod) def ud_generate(): parser = optparse.OptionParser() 
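Review bot: The rewritten loop drops the Sanitize() call that covered the old hand-built line, so escaping of a['uid'] and Pass now rests entirely on ElementTree, which handles `<`, `&` and `"` but passes other bytes through, and a stray control or non-UTF-8 byte in either value is only noticed when prettify() re-parses the output, at which point the bare `except:` below turns one bad LDAP entry into Die(File, None, F) for the whole voip-passwords file. If, as the `a1-hash` name suggests, the value is an MD5 hex digest, a guard before the Element is built keeps one bad entry from aborting the run: `if not re.match(r'^[0-9a-fA-F]{32}$', Pass): continue` (re is already imported). Unrelated to this change but on the context line above: the third argument of a Python 2 `open(File, "w", 0600)` is the buffer size, not a mode, so the 0600 does nothing and only the umask set before it protects the file. The function's head, including that umask handling, is outside the hunk.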
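Review bot: `except IndexError, ValueError:` in getLastBuildTime catches only IndexError; in Python 2 that syntax binds the caught IndexError to a name called ValueError, so a non-integer second line in last_update.trace makes `int(cache_last_mod[1])` raise an uncaught ValueError and ud-generate dies instead of falling back to 0. It should read `except (IndexError, ValueError):`. Separately, getLastKeyringChangeTime() calls os.path.getmtime() on every entry of Keyrings without handling OSError, so a keyring missing from disk now aborts the run before generate_all(); whether that is preferable to the previous behaviour depends on how the KEYRING branch of generate_host handles a missing file, which is outside this hunk. getLastKeyringChangeTime is complete within the hunk; getLastBuildTime's tail is in the next hunk.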
@@ -1321,19 +1355,22 @@ def ud_generate(): l = make_ldap_conn() + time_started = int(time.time()) ldap_last_mod = getLastLDAPChangeTime(l) - cache_last_mod = getLastBuildTime(generate_dir) - need_update = ldap_last_mod > cache_last_mod + unix_last_mod = getLastKeyringChangeTime() + cache_last_ldap_mod, cache_last_unix_mod = getLastBuildTime(generate_dir) + + need_update = (ldap_last_mod > cache_last_ldap_mod) or (unix_last_mod > cache_last_unix_mod) if not options.force and not need_update: fd = open(os.path.join(generate_dir, "last_update.trace"), "w") - fd.write("%s\n%s\n" % (ldap_last_mod, int(time.time()))) + fd.write("%s\n%s\n" % (ldap_last_mod, time_started)) fd.close() sys.exit(0) tracefd = open(os.path.join(generate_dir, "last_update.trace"), "w") generate_all(generate_dir, l) - tracefd.write("%s\n%s\n" % (ldap_last_mod, int(time.time()))) + tracefd.write("%s\n%s\n" % (ldap_last_mod, time_started)) tracefd.close() diff --git a/ud-lock b/ud-lock index 7e8725d..801ad71 100755 --- a/ud-lock +++ b/ud-lock @@ -47,7 +47,7 @@ def connect(user): sys.exit(1) return l -def do_one_user(lc, user, ticket): +def do_one_user(lc, user, ticket, status): try: u = UDLdap.Account.from_search(lc, BaseDn, user) except IndexError, e: @@ -57,12 +57,12 @@ def do_one_user(lc, user, ticket): sys.stderr.write('%s: Account is not active, skipping. (details: %s)\n'%(user, u.verbose_status())) return - print '%s: Setting to retiring:'%(user) + print '%s: Setting to %s:'%(user, status) set = {} set['userPassword'] = '{crypt}*LK*' set['shadowLastChange'] = str(int(time.time()/24/60/60)) set['shadowExpire'] = '1' - set['accountStatus'] = 'retiring %s'%(time.strftime('%Y-%m-%d')) + set['accountStatus'] = '%s %s'%(status, time.strftime('%Y-%m-%d')) if not ticket is None: set['accountComment'] = "RT#%s"%(ticket) 
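Review bot: The keyring freshness test compares a file mtime with time_started, a wall-clock value from the previous run, and the two come from different clocks: if the keyrings are synced with mtimes preserved (rsync -t, cp -p), a keyring generated upstream before the previous ud-generate run but delivered after it has mtime < cache_last_unix_mod and is never picked up, while a keyring whose mtime is ahead of this host's clock forces a rebuild on every run. Recording the keyring mtime itself in the trace file avoids both, since the test then only asks whether a keyring is newer than the one seen last time: `fd.write("%s\n%s\n" % (ldap_last_mod, unix_last_mod))` on the no-update path and `tracefd.write("%s\n%s\n" % (ldap_last_mod, unix_last_mod))` after generate_all. A content digest of the keyrings would be the robust option if mtimes cannot be trusted at all. ud_generate's head and tail are outside the hunk.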
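Review bot: do_one_user writes the caller-supplied status into accountStatus but still sets `userPassword` to `{crypt}*LK*` and `shadowExpire` to 1 regardless of its value, so a status that does not denote a locked account (a typo, or something like `-s active`) yields an entry whose status and credentials disagree, and nothing here checks the string against the statuses the rest of userdir-ldap acts on. Either the lock-and-expire lines should be conditional on the status meaning "locked", or the function should refuse anything outside a known list up front, e.g. `if status not in ('retiring', 'inactive'): sys.exit(1)` with the list confirmed against the consumers of accountStatus, which are not visible here. The function's head and the LDAP modify call are outside the hunk.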
@@ -93,6 +93,9 @@ parser.add_option("-n", "--no-do", action="store_true", help="Do not actually change anything.") parser.add_option("-r", "--rt-ticket", dest="ticket", metavar="ticket#", help="Ticket number for accountComment.") +parser.add_option("-s", "--status", dest="status", metavar="status", + default='retiring', + help="Set status to (default: retiring).") (options, args) = parser.parse_args() @@ -101,7 +104,7 @@ if options.no_do: lc = connect(options.admin) for user in args: - do_one_user(lc, user, options.ticket) + do_one_user(lc, user, options.ticket, options.status) # vim:set et: diff --git a/userdir-ldap-slapd.conf.in b/userdir-ldap-slapd.conf.in index dfd094e..66ac323 100644 --- a/userdir-ldap-slapd.conf.in +++ b/userdir-ldap-slapd.conf.in @@ -79,11 +79,13 @@ access to attrs=facsimileTelephoneNumber,telephoneNumber,postalAddress,postalCod by dn.regex="uid=.*,ou=users,@@DN@@" read by * none - # rest is globally readable -access to * +access to attrs=access,accountComment,accountStatus,admin,allowedGroups,allowedHost,architecture,bandwidth,cn,comment,dc,description,disk,distribution,dnsTTL,dnsZoneEntry,exportOptions,gecos,gid,gidNumber,homeDirectory,host,hostname,icqUin,ipHostNumber,ircNick,jabberJID,keyFingerPrint,labeledURI,mXRecord,machine,member,memory,mn,objectClass,ou,physicalHost,purpose,shadowExpire,shadowLastChange,shadowMax,shadowMin,shadowWarning,sn,sponsor,sponsor-admin,sshRSAHostKey,status,subGroup,supplementaryGid,uid,uidNumber by * read +access to * + by * none + database hdb directory "/var/lib/ldap-log"
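Review bot: The new --status option accepts any string and passes it straight through to accountStatus, where downstream tools presumably match on a fixed vocabulary; optparse can enforce that at the boundary so a typo is rejected before a write is attempted: `parser.add_option("-s", "--status", dest="status", metavar="status", type="choice", choices=['retiring', 'inactive'], default='retiring', help=...)`. The exact choice list should be taken from whatever reads accountStatus, which is outside this diff. The help text also has a hole where the metavar belongs: `help="Set status to STATUS (default: retiring)."`.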
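Review bot: The closing `access to * by * none` also governs the `entry` and `children` pseudo-attributes, and OpenLDAP needs read on `entry` to return an object in search results at all (and write on `children` to add beneath it), so unless a rule earlier in the file already grants them, this default-deny empties every search for non-rootdn binds instead of merely hiding the unlisted attributes; the usual fix is to put `entry` in the explicit list, `access to attrs=entry,access,accountComment,... by * read`. The `by * read` clause applies to anonymous binds as well, so accountComment (RT ticket references), accountStatus and the shadow* ageing state become world-readable by design; if that is not intended they belong under the `by dn.regex="uid=.*,ou=users,@@DN@@" read` pattern used for the contact attributes above. Anything neither listed nor covered by an earlier rule (the mail* and *Password attributes, for example) now reads as none for every bind except the rootdn, which looks right for the passwords but should be checked against what ud-generate and ud-replicate bind as and read.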