From 1ec86235bdc4223733fd0a722fc4497c51d3ba81 Mon Sep 17 00:00:00 2001 From: Peter Palfrader Date: Sun, 19 Sep 2010 01:42:15 +0200 Subject: [PATCH] ud-useradd: A new -g switch for adding guest accounts ud-useradd: A new -g switch for adding guest accounts, with proper setting hostacls and shadowexpire and picking the right keyring. --- debian/changelog | 5 ++++- ud-useradd | 49 +++++++++++++++++++++++++++++++++++++++++------ userdir-ldap.conf | 3 ++- 3 files changed, 49 insertions(+), 8 deletions(-) diff --git a/debian/changelog b/debian/changelog index f99d09c..217e57f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,8 +3,11 @@ userdir-ldap (0.3.7X) Xnstable; urgency=low * Add ud-sync-accounts-to-afs, a script to sync accounts to an AFS protection database. * ud-generate: support host ACLs that expire. + * ud-useradd: A new -g switch for adding guest accounts, with + proper setting hostacls and shadowexpire and picking the + right keyring. - -- Peter Palfrader Sun, 19 Sep 2010 01:40:54 +0200 + -- Peter Palfrader Sun, 19 Sep 2010 01:42:10 +0200 userdir-ldap (0.3.78) unstable; urgency=low diff --git a/ud-useradd b/ud-useradd index 9d51b69..003f28c 100755 --- a/ud-useradd +++ b/ud-useradd @@ -22,6 +22,7 @@ import re, time, ldap, getopt, sys, os, pwd; import email.Header +import datetime from userdir_ldap import *; from userdir_gpg import *; @@ -59,9 +60,10 @@ AdminUser = pwd.getpwuid(os.getuid())[0]; # Process options ForceMail = 0; NoAutomaticIDs = 0; +GuestAccount = False OldGPGKeyRings = GPGKeyRings; userdir_gpg.GPGKeyRings = []; -(options, arguments) = getopt.getopt(sys.argv[1:], "hu:man") +(options, arguments) = getopt.getopt(sys.argv[1:], "hgu:man") for (switch, val) in options: if (switch == '-h'): print "Usage: ud-useradd " 
@@ -71,6 +73,7 @@ for (switch, val) in options: print " -m Force mail (for updates)" print " -a Use old keyrings instead (??)" print " -n Do not automatically assign UID/GIDs (useful for usergroups or non-default group membership" + print " -g Add a guest account" sys.exit(0) elif (switch == '-u'): AdminUser = val; @@ -80,11 +83,17 @@ for (switch, val) in options: userdir_gpg.GPGKeyRings = OldGPGKeyRings; elif (switch == '-n'): NoAutomaticIDs = 1; + elif (switch == '-g'): + GuestAccount = True l = passwdAccessLDAP(BaseDn, AdminUser) # Locate the key of the user we are adding -SetKeyrings(ConfModule.add_keyrings.split(":")) +if GuestAccount: + SetKeyrings(ConfModule.add_keyrings_guest.split(":")) +else: + SetKeyrings(ConfModule.add_keyrings.split(":")) + while (1): Foo = raw_input("Who are you going to add (for a GPG search)? "); if Foo == "": @@ -179,18 +188,21 @@ if Res != "": emailaddr = Res; # Debian-Private subscription -if HavePrivateList: +if HavePrivateList and not GuestAccount: Res = raw_input("Subscribe to debian-private (space is none) [" + privsub + "]? "); if Res != "": privsub = Res; else: privsub = " " -(uidNumber, generatedGID) = GetFreeID(l) if not gidNumber: - gidNumber = DefaultGID -UserGroup = 0 + if not GuestAccount: + gidNumber = DefaultGID + else: + gidNumber = DebianGroups['guest'] +(uidNumber, generatedGID) = GetFreeID(l) +UserGroup = 0 if NoAutomaticIDs: # UID if not Update: 
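Review bot: In the keyring hunk `ConfModule.add_keyrings_guest` is a plain attribute access, so running with -g against a userdir-ldap.conf that predates this option dies with an AttributeError traceback instead of saying what is missing; `rings = getattr(ConfModule, 'add_keyrings_guest', None)` followed by `if not rings: sys.exit("add_keyrings_guest is not set in the config")` keeps the failure closed and readable. Since the keyring set is now chosen solely by the operator's flag, a short why-comment would help the next reader: `# -g: search only the guest/DM keyrings so a DD-only key is never matched for a guest add, and vice versa`. Whether SetKeyrings really restricts the later search to these files is not visible in this hunk.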
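Review bot: `DebianGroups['guest']` assumes the map has a `guest` entry; if it does not, the add aborts with a bare KeyError after the operator has answered every prompt. A guard such as `if 'guest' not in DebianGroups: sys.exit("no 'guest' group defined in DebianGroups")` before the assignment gives a usable error. Note also that the guest group is only the default — whatever set gidNumber earlier in the script (outside this hunk) still overrides it — so a comment like `# guests default to the guest group; an explicitly supplied gid still wins` would make that intent explicit if it is intended.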
@@ -209,6 +221,21 @@ if NoAutomaticIDs: if gidNumber == generatedGID: UserGroup = 1 +shadowExpire = None +hostacl = [] +if GuestAccount: + res = raw_input("Expires in xx days [60] (0 to disable)") + if res == "": res = '60' + exp = int(res) + if exp > 0: + shadowExpire = int(time.time() / 3600 / 24) + exp + res = raw_input("Hosts to grant access to: ") + for h in res.split(): + if not '.' in h: h = h + '.' + HostDomain + if exp > 0: h = h + " " + datetime.datetime.fromtimestamp( time.time() + exp * 24*3600 ).strftime("%Y%m%d") + hostacl.append(h) + + # Generate a random password if Update == 0 or ForceMail == 1: Password = raw_input("User's Password (Enter for random)? "); @@ -246,6 +273,11 @@ if HavePrivateList: print " GECOS Field: \"%s,,,,\"" % (FullName); print " Login Shell: /bin/bash"; print " Key Fingerprint:",Keys[0][1]; +if shadowExpire: + print " ShadowExpire: %d (%s)"%(shadowExpire, datetime.datetime.fromtimestamp( shadowExpire * 24*3600 ).strftime("%Y%m%d") ) +for h in hostacl: + print " allowedHost: ", h + Res = raw_input("Continue [No/yes]? "); if Res != "yes": sys.exit(1); @@ -294,6 +326,11 @@ if Update == 0: Details.append(("mn",mn)); if privsub != " ": Details.append(("privateSub",privsub)) + if shadowExpire: + Details.append(("shadowExpire",str(shadowExpire))) + if len(hostacl) > 0: + Details.append(("allowedHost",hostacl)) + l.add_s(Dn,Details); #Add user group if needed, then the actual user: diff --git a/userdir-ldap.conf b/userdir-ldap.conf index 64423d8..108b38c 100644 --- a/userdir-ldap.conf +++ b/userdir-ldap.conf 
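Review bot: The days prompt feeds `int(res)` straight into the expiry arithmetic with no validation, so a typo like `6o` aborts the whole add with a ValueError traceback after the GPG lookup has already been done, and a negative number is silently treated like 0, i.e. a guest account that never expires. The account expiry and the host ACL suffix are also computed from two different clocks — shadowExpire is a UTC day count while the `%Y%m%d` string comes from `datetime.fromtimestamp`, which is local time — so near midnight they can disagree by a day; deriving the ACL date from shadowExpire keeps them in step (assuming ud-generate compares the suffix as a calendar date, which is outside this patch). Since an unbounded guest account is the risky case, I would reprompt until a non-negative integer is given rather than accept anything.

```python
shadowExpire = None
hostacl = []
if GuestAccount:
    # reprompt until we get a non-negative whole number of days; 0 disables expiry
    while True:
        res = raw_input("Expires in xx days [60] (0 to disable)? ")
        if res == "": res = '60'
        try:
            exp = int(res)
        except ValueError:
            exp = -1
        if exp >= 0: break
        print "Please enter a whole number of days (0 to disable)"
    aclExpire = None
    if exp > 0:
        shadowExpire = int(time.time() / 3600 / 24) + exp
        # derive the ACL date from the same UTC day count so account and ACL expire together
        aclExpire = datetime.datetime.utcfromtimestamp(shadowExpire * 24*3600).strftime("%Y%m%d")
    res = raw_input("Hosts to grant access to: ")
    for h in res.split():
        if not '.' in h: h = h + '.' + HostDomain
        if aclExpire: h = h + " " + aclExpire
        hostacl.append(h)
```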
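Review bot: The new shadowExpire and allowedHost entries are appended only inside the `if Update == 0:` branch this hunk sits in (the branch starts outside the hunk), while the -g prompts earlier in the script run whenever GuestAccount is set, existing account or not; unless the update path outside this hunk writes them too, re-running with -g on an existing guest silently discards the expiry and host ACL the operator just typed. Either skip those prompts when Update is set, or add matching modify entries on the update path, e.g. `(ldap.MOD_REPLACE, "shadowExpire", str(shadowExpire))` and `(ldap.MOD_REPLACE, "allowedHost", hostacl)`. A one-line comment here, `# NOTE: expiry/host ACL are only written on creation — check the update path`, would at least flag it.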
@@ -53,7 +53,8 @@ keyrings = "/org/keyring.debian.org/keyrings/debian-keyring.gpg:/org/keyring.deb # Keyrings synced to other machines, if they need them sync_keyrings = "/org/keyring.debian.org/keyrings/debian-keyring.gpg:/org/keyring.debian.org/keyrings/debian-keyring.pgp:/org/keyring.debian.org/keyrings/debian-maintainers.gpg" # Keyrings used to search in when new developers get added -add_keyrings = "/org/keyring.debian.org/keyrings/debian-keyring.gpg:/org/keyring.debian.org/keyrings/debian-keyring.pgp:/srv/db.debian.org/keyring-guest/guest-keyring/debian-guest.gpg" +add_keyrings = "/org/keyring.debian.org/keyrings/debian-keyring.gpg:/org/keyring.debian.org/keyrings/debian-keyring.pgp" +add_keyrings_guest = "/org/keyring.debian.org/keyrings/debian-maintainers.gpg:/srv/db.debian.org/keyring-guest/guest-keyring/debian-guest.gpg" # For the WEB interface webloginhtml = "login.html"; -- 2.20.1
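Review bot: The comment above `add_keyrings` still says only `# Keyrings used to search in when new developers get added` and nothing records why the guest keyring must stay out of that list, which is the property this split establishes — on the old side a key that lived only in the guest keyring was searched for a non-guest add. I would document both settings: `# Keyrings searched when a new developer is added; must NOT include the guest keyring` and `# Keyrings searched when a guest account is added (ud-useradd -g)`. The hunk ends before the web-interface section, so nothing else in the file is affected.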