From 55004c1aa2b0c0e1dde3014f9b2535904e57adc4 Mon Sep 17 00:00:00 2001
From: jgg <>
Date: Sat, 25 Sep 1999 02:24:29 +0000
Subject: [PATCH] Added host ACL
---
 doc/ud-info.1.yo | 1 +
 ud-generate | 45 +++++++++++++++++++++++++++++++--------------
 ud-info | 17 +++++++++++++----
 3 files changed, 45 insertions(+), 18 deletions(-)
diff --git a/doc/ud-info.1.yo b/doc/ud-info.1.yo
index 8bf60a5..10ca844 100644
--- a/doc/ud-info.1.yo
+++ b/doc/ud-info.1.yo
@@ -38,6 +38,7 @@ itemize(
 it() supplementarygid - A list of group names that the user belongs. This field emulates the functionality of the traditional Unix group file. [root]
+ it() allowedhosts - Permits access to hosts outside of the group list. [root]
 it() onvacation - A message indicating that the user is on vacation. The time of departure and expected return date should be included as well as any special instructions.
diff --git a/ud-generate b/ud-generate
index d1773ff..27c1565 100755
--- a/ud-generate
+++ b/ud-generate
@@ -7,13 +7,25 @@ from userdir_ldap import *;
 PasswdAttrs = None;
 GroupIDMap = {};
+Allowed = None;
+CurrentHost = "";
 # See if this user is in the group list
-def IsInGroup(DnRecord,Allowed):
+def IsInGroup(DnRecord):
+ global Allowed,CurrentHost;
+ if Allowed == None:
+ return 1;
+
 # See if the primary group is in the list
 if Allowed.has_key(GetAttr(DnRecord,"gidnumber")) != 0:
 return 1;
+ # Check the host based ACL
+ if DnRecord[1].has_key("allowedhosts") != 0:
+ for I in DnRecord[1]["allowedhosts"]:
+ if CurrentHost == I:
+ return 1;
+
 # See if there are supplementary groups
 if DnRecord[1].has_key("supplementarygid") == 0:
 return 0;
@@ -43,7 +55,7 @@ def Done(File,F,Fdb):
 os.rename(File + ".tdb.tmp",File+".tdb");
 # Generate the password list
-def GenPasswd(l,File,HomePrefix,Allowed):
+def GenPasswd(l,File,HomePrefix):
 F = None;
 Fdb = None;
 try:
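Review bot: The new `if Allowed == None: return 1;` guard in IsInGroup fails open — with the ACL unset every account is emitted into passwd, shadow, group and forward for the host, so any future caller that forgets to assign `Allowed` would silently publish all users; unless "no ACL means everyone" is intended and documented, fail closed with `if Allowed == None: return 0;` (or raise). The host check `if CurrentHost == I:` is an exact string comparison, so a control-file host name and an `allowedhosts` value that differ only in case or FQDN form will not match; either normalise both sides before comparing or state in the manual page that they must match byte-for-byte. A comment above the guard such as `# Allowed == None means no per-host ACL has been installed yet` would make the sentinel's meaning explicit. IsInGroup's body continues past the end of the hunk.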
@@ -57,7 +69,7 @@ def GenPasswd(l,File,HomePrefix,Allowed):
 I = 0;
 for x in PasswdAttrs:
- if x[1].has_key("uidnumber") == 0 or IsInGroup(x,Allowed) == 0:
+ if x[1].has_key("uidnumber") == 0 or IsInGroup(x) == 0:
 continue;
 Line = "%s:x:%s:%s:%s:%s%s:%s\n" % (GetAttr(x,"uid"),\
@@ -77,7 +89,7 @@ def GenPasswd(l,File,HomePrefix,Allowed):
 Done(File,F,Fdb);
 # Generate the shadow list
-def GenShadow(l,File,Allowed):
+def GenShadow(l,File):
 F = None;
 Fdb = None;
 try:
@@ -93,7 +105,7 @@ def GenShadow(l,File,Allowed):
 I = 0;
 for x in PasswdAttrs:
- if x[1].has_key("uidnumber") == 0 or IsInGroup(x,Allowed) == 0:
+ if x[1].has_key("uidnumber") == 0 or IsInGroup(x) == 0:
 continue;
 Pass = GetAttr(x,"userpassword");
@@ -118,7 +130,7 @@ def GenShadow(l,File,Allowed):
 Done(File,F,Fdb);
 # Generate the group list
-def GenGroup(l,File,Allowed):
+def GenGroup(l,File):
 F = None;
 Fdb = None;
 try:
@@ -137,7 +149,7 @@ def GenGroup(l,File,Allowed):
 # Sort them into a list of groups having a set of users
 for x in PasswdAttrs:
- if x[1].has_key("uidnumber") == 0 or IsInGroup(x,Allowed) == 0:
+ if x[1].has_key("uidnumber") == 0 or IsInGroup(x) == 0:
 continue;
 if x[1].has_key("supplementarygid") == 0:
 continue;
@@ -170,7 +182,7 @@ def GenGroup(l,File,Allowed):
 Done(File,F,Fdb);
 # Generate the email forwarding list
-def GenForward(l,File,Allowed):
+def GenForward(l,File):
 F = None;
 Fdb = None;
 try:
@@ -186,7 +198,7 @@ def GenForward(l,File,Allowed):
 # Write out the email address for each user
 for x in PasswdAttrs:
- if x[1].has_key("emailforward") == 0 or IsInGroup(x,Allowed) == 0:
+ if x[1].has_key("emailforward") == 0 or IsInGroup(x) == 0:
 continue;
 Line = "%s: %s\n" % (GetAttr(x,"uid"),GetAttr(x,"emailforward"));
 F.write(Line);
@@ -248,7 +260,8 @@ PasswdAttrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"uid=*",\
 ["uid","uidnumber","gidnumber","supplementarygid",\
 "gecos","loginshell","userpassword","shadowlastchange",\
 "shadowmin","shadowmax","shadowwarning","shadowinactive",
- "shadowexpire","emailforward","latitude","longitude"]);
+ "shadowexpire","emailforward","latitude","longitude",\
+ "allowedhosts"]);
 # Open the control file
 if len(sys.argv) == 1:
@@ -277,9 +290,13 @@ while(1):
 if GroupIDMap.has_key(I):
 GroupList[str(GroupIDMap[I])] = None;
- GenPasswd(l,OutDir+"passwd",Split[1],GroupList);
- GenGroup(l,OutDir+"group",GroupList);
- GenShadow(l,OutDir+"shadow",GroupList);
- GenForward(l,OutDir+"forward-alias",GroupList);
+ global Allowed,CurrentHost;
+ Allowed = GroupList;
+ CurrentHost = Split[0];
+
+ GenPasswd(l,OutDir+"passwd",Split[1]);
+ GenGroup(l,OutDir+"group");
+ GenShadow(l,OutDir+"shadow");
+ GenForward(l,OutDir+"forward-alias");
 GenMarkers(l,OutDir+"markers");
diff --git a/ud-info b/ud-info
index 5e9603e..b1d3b6f 100755
--- a/ud-info
+++ b/ud-info
@@ -36,6 +36,8 @@ AttrInfo = {"cn": ["First Name", 101],
 "uid": ["Unix User ID",0],
 "loginshell": ["Unix Shell",7],
 "supplementarygid": ["Unix Groups",0],
+ "allowedhosts": ["Host ACL",0],
+ "member": ["LDAP Group",0],
 "emailforward": ["Email Forwarding",8],
 "ircnick": ["IRC Nickname",9],
 "onvacation": ["Vacation Message",10],
@@ -61,6 +63,8 @@ AttrPrompt = {"cn": ["Common name or first name"],
 "userpassword": ["The users Crypt'd password"],
 "comment": ["Admin Comment about the account"],
 "supplementarygid": ["Groups the user is in"],
+ "allowedhosts": ["Grant access to certain hosts"],
+ "member": ["LDAP Group Member for slapd ACLs"],
 "latitude": ["XEarth latitude in ISO 6709 format - see /usr/share/zoneinfo/zone.tab or etak.com"],
 "longitude": ["XEarth latitude in ISO 6709 format - see /usr/share/zoneinfo/zone.tab or etak.com"],
 "labeledurl": ["Web home page"]};
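Review bot: `global Allowed,CurrentHost;` has no effect where it is placed — if the `while(1):` loop in the hunk header runs at module level, as it appears to, both names are already module globals, and the statement only obscures that IsInGroup now depends on mutable module state assigned a few lines earlier; passing `GroupList` and `Split[0]` explicitly, as the removed lines did for `GroupList`, would keep the per-host ACL visible at each Gen* call site. If the globals are kept, a comment above the assignments such as `# IsInGroup() reads Allowed/CurrentHost; they must be reset before every Gen* call for this host` would stop a later maintainer from adding a generator call ahead of them. The loop body begins before the hunk.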
@@ -167,7 +171,7 @@ def ShowAttrs(Attrs):
 # Change a single attribute
 def ChangeAttr(Attrs,Attr):
- if (Attr == "supplementarygid"):
+ if (Attr == "supplementarygid" or Attr == "allowedhosts" or Attr == "member"):
 return MultiChangeAttr(Attrs,Attr);
 print "Old value: '%s'" % (GetAttr(Attrs,Attr,""));
@@ -272,9 +276,14 @@ UserDn = "uid=" + User + "," + BaseDn;
 # Enable changing of supplementary gid's
 if (RootMode == 1):
- AttrInfo["supplementarygid"][1] = 100;
- OrderedIndex[AttrInfo["supplementarygid"][1]] = [AttrInfo["supplementarygid"][0], "","supplementarygid"];
- OrigOrderedIndex[AttrInfo["supplementarygid"][1]] = [AttrInfo["supplementarygid"][0], "","supplementarygid"];
+ # Items that root can edit
+ list = ["supplementarygid","allowedhosts","member"];
+ Count = 0;
+ for x in list:
+ AttrInfo[x][1] = 200 + Count;
+ OrderedIndex[AttrInfo[x][1]] = [AttrInfo[x][0], "",x];
+ OrigOrderedIndex[AttrInfo[x][1]] = [AttrInfo[x][0], "",x];
+ Count = Count + 1;
 # Query the server for all of the attributes
 Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"uid=" + User);
-- 
2.20.1
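Review bot: The `or` chain in `if (Attr == "supplementarygid" or Attr == "allowedhosts" or Attr == "member"):` spells out the same three attribute names that the RootMode block later in this file also lists, so the two will drift apart the next time a multi-valued attribute is added; a single module-level tuple, `MultiValuedAttrs = ("supplementarygid","allowedhosts","member")`, tested with `if Attr in MultiValuedAttrs:` keeps one source of truth. ChangeAttr's body continues past the end of the hunk.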
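Review bot: `list = ["supplementarygid","allowedhosts","member"];` shadows the `list` builtin for the rest of the module; rename it, e.g. `RootAttrs = ["supplementarygid","allowedhosts","member"];` and `for x in RootAttrs:`. More importantly, this block only decides which attributes ud-info offers for editing when RootMode is set, which is a client-side gate: since `allowedhosts` grants a login on hosts outside the group ACL, a user with a plain LDAP client could write it themselves unless the slapd ACL restricts write access to that attribute (and to `member`, whose prompt says it feeds slapd ACLs), and the commit shows no server-side ACL change, so that enforcement is worth confirming. A comment such as `# UI-only gate; the slapd ACL must also deny non-root writes to these attributes` above the list would record that dependency. The `if (RootMode == 1):` block is complete within the hunk but the surrounding module continues.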