From: Peter Palfrader
Date: Fri, 23 May 2008 08:04:18 +0000 (+0200)
Subject: merge from alioth: Document how to use unique overlay for uid and keyFingerPrint
X-Git-Tag: userdir-ldap-0.3.31~1
X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fuserdir-ldap.git;a=commitdiff_plain;h=c626017071b2de3c4623df898dcf0e16f25e7272;hp=f53712430a0cf937f4b606c29c8a3be6079d8d82
merge from alioth: Document how to use unique overlay for uid and keyFingerPrint
---
diff --git a/debian/changelog b/debian/changelog
index a387633..3dd2894 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,20 +1,5 @@
 userdir-ldap (0.3.XX) Xnstable; urgency=low
- [ Peter Palfrader ]
- * ud-replicate: sgran pointed out that if all we care about ignoring is
- EEXIST then we should use mkdir -p instead of [ -d userkeys ] || mkdir
- userkeys.
-
- [ Stephen Gran ]
- * Document how to use unique overlay for uid and keyFingerPrint
-
- -- Stephen Gran Sun, 18 May 2008 17:58:46 +0100
-
-userdir-ldap (0.3.25+common1) unstable; urgency=low
-
- [ Martin Zobel-Helas ]
- * Fix userdir-ldap.schema (objectClass now contains MAY: VoIP)
-
 [ Joerg Jaspert ]
 * Use sync_keyrings from config file in ud-generate instead of a hardcoded list
@@ -23,7 +8,56 @@ userdir-ldap (0.3.25+common1) unstable; urgency=low
 * Use ud-config to get the emailappend value in ud-replicate, no longer hardcoding @debian.org
- -- Joerg Jaspert Sun, 18 May 2008 13:32:01 +0200
+ [ Stephen Gran ]
+ * Document how to use unique overlay for uid and keyFingerPrint
+
+ -- Peter Palfrader Fri, 23 May 2008 10:01:51 +0200
+
+userdir-ldap (0.3.30) unstable; urgency=low
+
+ * When we touch usePassword in ud-info or ud-mailgate we now also
+ update shadowLastChange.
+ * When we lock accounts, set shadowExpire to 1. shadowExpire
+ is "days since Jan 1, 1970 that account is disabled".
+ * Properly capitalize shadowInactive and shadowExpire attributes in
+ ud-info and ud-generate.
+ * Add copyright statements to ud-info from bzr log.
+
+ -- Peter Palfrader Thu, 22 May 2008 22:39:10 +0200
+
+userdir-ldap (0.3.29) unstable; urgency=low
+
+ * ud-info: Add an option "L" to lock accounts in the interactive
+ interface. Locking an account sets a user's password to "{crypt}*LK*"
+ and sets a mailDisableMessage of "account locked".
+
+ -- Peter Palfrader Thu, 22 May 2008 21:49:19 +0200
+
+userdir-ldap (0.3.28) unstable; urgency=low
+
+ * ud-generate: Do not disable mail just because the account is locked.
+
+ -- Peter Palfrader Thu, 22 May 2008 21:38:56 +0200
+
+userdir-ldap (0.3.27) unstable; urgency=low
+
+ * Export ssh-keys.tar.gz to [UNTRUSTED] hosts. Since we already export
+ ssh-rsa-shadow this is probably the right thing.
+ * Make keys in the ssh-keys tarball mode 0400 instead of mode 0600.
+
+ -- Peter Palfrader Mon, 19 May 2008 08:55:28 +0200
+
+userdir-ldap (0.3.26) unstable; urgency=low
+
+ * ud-replicate: sgran pointed out that if all we care about ignoring is
+ EEXIST then we should use mkdir -p instead of [ -d userkeys ] || mkdir
+ userkeys.
+ * ud-mailgate: a bug in DoSSH caused all changes to fail that came after
+ DoSSH in HandleChange.
Now DoSSH properly returns without raising an
+ exception if the line to handle is not an ssh public key.
+ * Fix userdir-ldap.schema (objectClass now contains MAY: VoIP). [zobel]
+
+ -- Peter Palfrader Sun, 18 May 2008 14:27:50 +0200
 userdir-ldap (0.3.25) unstable; urgency=low
diff --git a/ud-generate b/ud-generate
index 10a124d..17e54b3 100755
--- a/ud-generate
+++ b/ud-generate
@@ -182,12 +182,12 @@ def GenShadow(l,File):
 or GetAttr(x,"userPassword").startswith("!"):
 ShadowExpire = '1'
 else:
- ShadowExpire = GetAttr(x,"shadowexpire")
+ ShadowExpire = GetAttr(x,"shadowExpire")
 Line = "%s:%s:%s:%s:%s:%s:%s:%s:" % (GetAttr(x,"uid"),\
 Pass,GetAttr(x,"shadowLastChange"),\
 GetAttr(x,"shadowMin"),GetAttr(x,"shadowMax"),\
- GetAttr(x,"shadowWarning"),GetAttr(x,"shadowinactive"),\
+ GetAttr(x,"shadowWarning"),GetAttr(x,"shadowInactive"),\
 ShadowExpire);
 Line = Sanitize(Line) + "\n";
 F.write("0%u %s" % (I,Line));
@@ -515,18 +515,11 @@ def GenMailDisable(l,File):
 for x in PasswdAttrs:
 Reason = None
-
- # If the account is locked, disable incoming mail
- if (GetAttr(x,"userPassword").find("*LK*") != -1):
- if GetAttr(x,"uid") == "luther":
- continue
- else:
- Reason = "user account locked"
+
+ if x[1].has_key("mailDisableMessage"):
+ Reason = GetAttr(x,"mailDisableMessage")
 else:
- if x[1].has_key("mailDisableMessage"):
- Reason = GetAttr(x,"mailDisableMessage")
- else:
- continue
+ continue
 # Must be in the Debian group (yuk, hard coded for now)
 if GetAttr(x,"gidNumber") != "800":
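Review bot: `ShadowExpire = GetAttr(x,"shadowExpire")` on the `else` branch passes no default, unlike the `GetAttr(Attrs,"shadowExpire","0")` calls in ud-info's PrintShadow, so what ends up in the eighth shadow field for an account that has no shadowExpire attribute depends on GetAttr's behaviour for missing attributes, which is not visible here; worth confirming it is an empty field (no expiry) rather than a stringified placeholder. The locked-account branch that assigns `ShadowExpire = '1'` would read better with the meaning spelled out, e.g. `# shadowExpire is "days since Jan 1, 1970 that account is disabled"; 1 expires a locked account immediately`. GenShadow starts before the hunk.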
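Review bot: The new-side loop now disables mail only when `mailDisableMessage` is present, so an account locked by other means (a `userPassword` starting with "!" or containing "*LK*", which GenShadow still treats as locked) keeps receiving mail unless whoever locks it also sets the message, as ud-info's new lock command does. That asymmetry is the intent per the changelog, but nothing in the code says so and the removed comment was the only hint; I would add above the `has_key` test `# Mail is disabled only by an explicit mailDisableMessage; a locked` / `# userPassword alone does not stop mail (ud-info's lock sets both).` The `has_key` check followed by `GetAttr` is two lookups of the same attribute and could be one if GetAttr signals absence, which the hunk does not show. GenMailDisable starts before the hunk.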
@@ -876,8 +869,8 @@ for x in Attrs:
 PasswdAttrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"uid=*",\
 ["uid","uidNumber","gidNumber","supplementaryGid",\
 "gecos","loginShell","userPassword","shadowLastChange",\
- "shadowMin","shadowMax","shadowWarning","shadowinactive",
- "shadowexpire","emailForward","latitude","longitude",\
+ "shadowMin","shadowMax","shadowWarning","shadowInactive",
+ "shadowExpire","emailForward","latitude","longitude",\
 "allowedHost","sshRSAAuthKey","dnsZoneEntry","cn","sn",\
 "keyFingerPrint","privateSub","mailDisableMessage",\
 "mailGreylisting","mailCallout","mailRBL","mailRHSBL",\
@@ -959,10 +952,6 @@ while(1):
 userlist = GenPasswd(l,OutDir+"passwd",Split[1], "x");
 sys.stdout.flush();
 grouprevmap = GenGroup(l,OutDir+"group");
- if ExtraList.has_key("[UNTRUSTED]"):
- continue;
- if not ExtraList.has_key("[NOPASSWD]"):
- GenShadow(l,OutDir+"shadow");
 # Now we know who we're allowing on the machine, export
 # the relevant ssh keys
@@ -1007,13 +996,18 @@ while(1):
 # to give a shit^W^W^Wcare about the UIDoffset stuff.
 to.uname = f
 to.gname = grname
- to.mode = 0600
+ to.mode = 0400
 tf.addfile(to, file(os.path.join(GlobalDir, 'userkeys', f)))
 tf.close()
 os.rename(os.path.join(GlobalDir, 'ssh-keys-%s.tar.gz' % CurrentHost), os.path.join(OutDir, 'ssh-keys.tar.gz'))
+ if ExtraList.has_key("[UNTRUSTED]"):
+ continue;
+ if not ExtraList.has_key("[NOPASSWD]"):
+ GenShadow(l,OutDir+"shadow");
+
 # Link in global things
 DoLink(GlobalDir,OutDir,"markers");
 DoLink(GlobalDir,OutDir,"mail-forward.cdb");
diff --git a/ud-info b/ud-info
index e533a9e..d099c46 100755
--- a/ud-info
+++ b/ud-info
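Review bot: Moving the `[UNTRUSTED]` `continue` below the tarball export means `ssh-keys.tar.gz` is now produced for untrusted hosts while the shadow file is still withheld; that ordering is deliberate per the changelog, but the code gives no hint, and the next tidy-up of this loop could move the guard back above the export. Put the reason on the moved check: `# [UNTRUSTED] hosts get passwd/group and the ssh-keys tarball (ssh-rsa-shadow is already exported) but never shadow`. Note that `to.mode = 0400` only sets the mode recorded for each member inside the archive; the permissions of `ssh-keys.tar.gz` itself are decided elsewhere and are not visible in this hunk. The enclosing `while(1)` loop starts before the hunk.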
@@ -17,6 +17,28 @@
 # -r Enable 'root' functions, do this if your uid has access to
 # restricted variables.
+# Copyright (c) 1999-2001 Jason Gunthorpe
+# Copyright (c) 2004-2005,7 Joey Schulze
+# Copyright (c) 2001-2006 Ryan Murray
+# Copyright (c) 2008 Peter Palfrader
+# Copyright (c) 2008 Martin Zobel-Helas
+# Copyright (c) 2008 Marc 'HE' Brockschmidt
+# Copyright (c) 2008 Mark Hymers
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
 import time, os, pwd, sys, getopt, ldap, crypt, readline, copy;
 from userdir_ldap import *;
@@ -106,8 +128,8 @@ def PrintShadow(Attrs):
 MinDays = int(GetAttr(Attrs,"shadowMin","0"));
 MaxDays = int(GetAttr(Attrs,"shadowMax","0"));
 WarnDays = int(GetAttr(Attrs,"shadowWarning","0"));
- InactDays = int(GetAttr(Attrs,"shadowinactive","0"));
- Expire = int(GetAttr(Attrs,"shadowexpire","0"));
+ InactDays = int(GetAttr(Attrs,"shadowInactive","0"));
+ Expire = int(GetAttr(Attrs,"shadowExpire","0"));
 print "%-24s:" % ("Password last changed"),
 print time.strftime("%a %d/%m/%Y %Z",time.localtime(Changed*24*60*60));
@@ -328,6 +350,7 @@ while(1):
 print " a) Arbitary Change";
 print " R) Randomize Password";
 print " p) Change Password";
+ print " L) Lock account";
 print " u) Switch Users";
 print " x) Exit";
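Review bot: `print " L) Lock account";` is shown to every user, but the handler added further down in this commit (`if Response == 'L' and RootMode == 1:`) only fires in root mode, so a non-root user who presses L gets no feedback and falls through to whatever handles an unrecognised key. Either print the entry only under `if RootMode == 1:`, as the other restricted functions presumably are, or keep it unconditional and have the handler report `print "Locking accounts requires -r";` instead of silently ignoring the keypress. The menu block sits inside `while(1)`, which starts before the hunk.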
@@ -374,8 +397,11 @@ while(1):
 print "Setting password..";
 Pass = "{crypt}" + Pass;
- l.modify_s(UserDn,[(ldap.MOD_REPLACE,"userPassword",Pass)]);
+ shadowLast = str(int(time.time()/24/60/60));
+ l.modify_s(UserDn,[(ldap.MOD_REPLACE,"userPassword",Pass),
+ (ldap.MOD_REPLACE,"shadowLastChange",shadowLast)]);
 Attrs[0][1]["userPassword"] = [Pass];
+ Attrs[0][1]["shadowLastChange"] = [shadowLast];
 continue;
 # Randomize password
@@ -395,8 +421,30 @@ while(1):
 print "Setting password..";
 Pass = "{crypt}" + Pass;
- l.modify_s(UserDn,[(ldap.MOD_REPLACE,"userPassword",Pass)]);
+ shadowLast = str(int(time.time()/24/60/60));
+ l.modify_s(UserDn,[(ldap.MOD_REPLACE,"userPassword",Pass),
+ (ldap.MOD_REPLACE,"shadowLastChange",shadowLast)]);
 Attrs[0][1]["userPassword"] = [Pass];
+ Attrs[0][1]["shadowLastChange"] = [shadowLast];
+ continue;
+
+ # Lock account
+ if Response == 'L' and RootMode == 1:
+ Resp = raw_input("Really lock account? [no/yes]");
+ if Resp != "yes":
+ continue;
+
+ print "Setting password..";
+ shadowLast = str(int(time.time()/24/60/60));
+ l.modify_s(UserDn,[
+ (ldap.MOD_REPLACE,"userPassword","{crypt}*LK*"),
+ (ldap.MOD_REPLACE,"mailDisableMessage","account locked"),
+ (ldap.MOD_REPLACE,"shadowLastChange",shadowLast),
+ (ldap.MOD_REPLACE,"shadowExpire","1")]);
+ Attrs[0][1]["userPassword"] = ["{crypt}*LK*"];
+ Attrs[0][1]["mailDisableMessage"] = ["account locked"];
+ Attrs[0][1]["shadowLastChange"] = [shadowLast];
+ Attrs[0][1]["shadowExpire"] = ["1"];
 continue;
 # Handle changing an arbitary value
diff --git a/ud-mailgate b/ud-mailgate
index 4da4382..4fa2edf 100755
--- a/ud-mailgate
+++ b/ud-mailgate
@@ -239,6 +239,8 @@ def LoadBadSSH():
 # [options] 1024 35 13188913666680[..] [comment]
 def DoSSH(Str, Attrs, badkeys, uid):
 Match = SSH2AuthSplit.match(Str);
+ if Match == None:
+ return None;
 g = Match.groups()
 typekey = g[1]
 if Match == None:
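Review bot: `shadowLast = str(int(time.time()/24/60/60));` is now written out three times in ud-info (here, in the randomize-password hunk and in the new lock block) and once more inline in ud-mailgate's HandleChPass; the "days since epoch" computation belongs in one shared helper, e.g. `def ShadowDays(): return str(int(time.time()/24/60/60))` in userdir_ldap, so that a future change (rounding, timezone) is made in one place. The local `Attrs[0][1]` mirror is updated only after `modify_s` returns, so a failed modify leaves the display consistent with the server, which is the right order. The enclosing `while(1)` loop starts before the hunk.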
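Review bot: The lock block prints `"Setting password.."` before writing `{crypt}*LK*`, which is misleading in the interactive transcript; `print "Locking account..";` says what is actually happening. All four attributes go to the server in a single `modify_s`, so a lock is applied atomically, but the block does not touch `sshRSAAuthKey`, so it relies on every consumer honouring `shadowExpire` (ud-generate's GenShadow does via the `*LK*`/"!" check) — a one-line comment saying so would save the next reader the question: `# ssh keys are left in LDAP; shadowExpire=1 plus the *LK* password expire the account in the generated shadow`. The hunk's trailing `continue;` is the pre-existing line from the randomize handler; the lock block's own `continue` after the `Attrs` updates is that same line, which is easy to misread.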
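Review bot: With the new `if Match == None: return None;` placed before `g = Match.groups()`, the original `if Match == None:` test that follows `typekey = g[1]` can no longer be true and should be removed together with its body, which continues past the hunk. Python idiom is `if Match is None:`. The changelog says HandleChange now copes with a `None` return from DoSSH; that call site is not in this diff, so it is worth confirming it does not treat `None` as a failed change.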
@@ -549,7 +551,8 @@ def HandleChPass(Reply,DnRecord,Key):
 raise Error, "This account is locked";
 # Modify the password
- Rec = [(ldap.MOD_REPLACE,"userPassword","{crypt}"+Pass)];
+ Rec = [(ldap.MOD_REPLACE,"userPassword","{crypt}"+Pass),
+ (ldap.MOD_REPLACE,"shadowLastChange",str(int(time.time()/24/60/60)))];
 Dn = "uid=" + GetAttr(DnRecord,"uid") + "," + BaseDn;
 l.modify_s(Dn,Rec);
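Review bot: The new `shadowLastChange` tuple calls `time.time()` directly, and ud-mailgate's import line is not part of this diff, so confirm `time` is actually imported there (ud-info imports it on its first line; ud-mailgate may not). The inline `str(int(time.time()/24/60/60))` duplicates the `shadowLast` computation in ud-info and would be better taken from one shared helper. HandleChPass begins before the hunk.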