From 595923978a9ad55f4ec55b1aabef44683b111911 Mon Sep 17 00:00:00 2001 From: Peter Palfrader Date: Fri, 23 May 2008 23:52:29 +0200 Subject: [PATCH] Do SSL when connecting to the ldap server. --- debian/changelog | 6 ++++++ gpgwrapper | 2 +- sigcheck | 2 +- ud-arbimport | 2 +- ud-echelon | 2 +- ud-emailmatcher | 3 +-- ud-generate | 2 +- ud-gpgimport | 4 ++-- ud-groupadd | 2 +- ud-host | 4 ++-- ud-info | 2 +- ud-ldapshow | 2 +- ud-mailgate | 6 +++--- ud-passchk | 2 +- ud-roleadd | 2 +- ud-useradd | 2 +- ud-userimport | 2 +- ud-xearth | 2 +- userdir-ldap.conf | 1 + userdir_ldap.py | 19 +++++++++++++++++-- 20 files changed, 45 insertions(+), 24 deletions(-) diff --git a/debian/changelog b/debian/changelog index 0073427..bfc6f60 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +userdir-ldap (0.3.32) unstable; urgency=low + + * Do SSL when connecting to the ldap server. + + -- Peter Palfrader Fri, 23 May 2008 23:50:03 +0200 + userdir-ldap (0.3.31) unstable; urgency=low [ Joerg Jaspert ] diff --git a/gpgwrapper b/gpgwrapper index 87ce632..cf25226 100755 --- a/gpgwrapper +++ b/gpgwrapper @@ -85,7 +85,7 @@ def CheckLDAP(FingerPrint): ErrType = EX_TEMPFAIL; ErrMsg = "An error occured while performing the LDAP lookup"; global l; - l = ldap.open(LDAPServer); + l = connectLDAP(LDAPServer); l.simple_bind_s("",""); # Search for the matching key fingerprint diff --git a/sigcheck b/sigcheck index 57c4a90..1ba2a8d 100755 --- a/sigcheck +++ b/sigcheck @@ -54,7 +54,7 @@ def CheckLDAP(FingerPrint): ErrType = EX_TEMPFAIL; ErrMsg = "An error occurred while performing the LDAP lookup:"; global l; - l = ldap.open(LDAPServer); + l = connectLDAP(LDAPServer); l.simple_bind_s("",""); # Search for the matching key fingerprint diff --git a/ud-arbimport b/ud-arbimport index 7d306f7..90a1746 100755 --- a/ud-arbimport +++ b/ud-arbimport 
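Review bot: gpgwrapper's new `l = connectLDAP(LDAPServer);` passes the server explicitly, while every other converted caller in this patch uses the bare `connectLDAP()` and lets the helper fall back to the module-level LDAPServer; the sigcheck hunk does the same. Both forms presumably resolve to the same value if these scripts pull the names in with `from userdir_ldap import *` (the import is outside the hunk), so this is a consistency point rather than a defect; `l = connectLDAP();` would match the rest of the tree. CheckLDAP continues outside the hunk.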
@@ -39,7 +39,7 @@ if len(arguments) == 0: sys.exit(0) # Main program starts here -l = passwdAccessLDAP(LDAPServer, BaseDn, AdminUser) +l = passwdAccessLDAP(BaseDn, AdminUser) List = open(arguments[1],"r"); Set = []; diff --git a/ud-echelon b/ud-echelon index 3632980..6c07a0a 100755 --- a/ud-echelon +++ b/ud-echelon @@ -94,7 +94,7 @@ try: ErrType = EX_TEMPFAIL; ErrMsg = "An error occured while performing the LDAP lookup"; global l; - l = ldap.open(LDAPServer); + l = connectLDAP() if Debug == None: F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r"); AccessPass = F.readline().strip().split(" ") diff --git a/ud-emailmatcher b/ud-emailmatcher index bae8fd9..4d42d77 100755 --- a/ud-emailmatcher +++ b/ud-emailmatcher @@ -52,8 +52,7 @@ for x in arguments: Args = Args + GPGSearchOptions + [" 2> /dev/null"] Keys = os.popen(" ".join(Args),"r") -l = ldap.open(LDAPServer); -l.simple_bind_s("",""); +l = connectLDAP() # Fetch the key list and map to email address PasswdAttrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"keyfingerprint=*",\ diff --git a/ud-generate b/ud-generate index 17e54b3..774e032 100755 --- a/ud-generate +++ b/ud-generate @@ -848,7 +848,7 @@ def GenKeyrings(l,OutDir): shutil.copy(k, OutDir) # Connect to the ldap server -l = ldap.open(LDAPServer); +l = connectLDAP() F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r"); Pass = F.readline().strip().split(" ") F.close(); diff --git a/ud-gpgimport b/ud-gpgimport index 797aa5d..0ad4fc9 100755 --- a/ud-gpgimport +++ b/ud-gpgimport @@ -70,9 +70,9 @@ if len(arguments) == 0: # Connect to the ldap server if NoAct == 0: - l = passwdAccessLDAP(LDAPServer, BaseDn, AdminUser) + l = passwdAccessLDAP(BaseDn, AdminUser) else: - l = ldap.open(LDAPServer); + l = connectLDAP() l.simple_bind_s("",""); # Download the existing key list and put it into a map diff --git a/ud-groupadd b/ud-groupadd index de074b9..a1e39e4 100755 --- a/ud-groupadd +++ b/ud-groupadd 
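Review bot: ud-emailmatcher drops the explicit `l.simple_bind_s("","");` together with the `ldap.open` call, whereas gpgwrapper, sigcheck, ud-gpgimport, ud-host, ud-ldapshow, ud-mailgate and ud-passchk keep that bind after `connectLDAP()`. connectLDAP itself performs no bind (see the userdir_ldap.py hunk), so this script now depends on the library's implicit anonymous bind at the first search; if that is intended, a one-line `# anonymous search; no explicit bind needed` would stop the next reader from re-adding it, otherwise restore the bind line for parity with the other scripts. One benefit worth stating somewhere is that in the scripts that keep it, the bind now happens after start_tls_s() inside connectLDAP, so credentials no longer cross the wire in the clear when usessl is set.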
@@ -53,7 +53,7 @@ for (switch, val) in options: if (switch == '-u'): AdminUser = val; -l = passwdAccessLDAP(LDAPServer, BaseDn, AdminUser) +l = passwdAccessLDAP(BaseDn, AdminUser) while 1: Group = raw_input("Group name? "); diff --git a/ud-host b/ud-host index e186e9a..97af1ef 100755 --- a/ud-host +++ b/ud-host @@ -241,9 +241,9 @@ for (switch, val) in options: FingerPrints = 1 if (BindUser != ""): - l = passwdAccessLDAP(LDAPServer, BaseDn, BindUser) + l = passwdAccessLDAP(BaseDn, BindUser) else: - l = ldap.open(LDAPServer); + l = connectLDAP() l.simple_bind_s("","") if ListMode == 1: diff --git a/ud-info b/ud-info index d099c46..e05cb86 100755 --- a/ud-info +++ b/ud-info @@ -315,7 +315,7 @@ if (BindUser != ""): Password = getpass(BindUser + "'s password: "); # Connect to the ldap server -l = ldap.open(LDAPServer); +l = connectLDAP() UserDn = "uid=" + BindUser + "," + BaseDn; if (BindUser != ""): l.simple_bind_s(UserDn,Password); diff --git a/ud-ldapshow b/ud-ldapshow index c397340..70e1f70 100755 --- a/ud-ldapshow +++ b/ud-ldapshow @@ -31,7 +31,7 @@ for (switch, val) in options: print "Connecting to LDAP directory"; # Connect to the ldap server -l = ldap.open(LDAPServer); +l = connectLDAP() l.simple_bind_s("",""); if arguments[0] == "nokey": diff --git a/ud-mailgate b/ud-mailgate index 4fa2edf..6341130 100755 --- a/ud-mailgate +++ b/ud-mailgate @@ -467,7 +467,7 @@ def HandleChange(Reply,DnRecord,Key): Result = Result + Res + "\n"; # Connect to the ldap server - l = ldap.open(LDAPServer); + l = connectLDAP() F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r"); AccessPass = F.readline().strip().split(" ") F.close(); @@ -538,7 +538,7 @@ def HandleChPass(Reply,DnRecord,Key): Reply = Reply + TemplateSubst(Subst,open(TemplatesDir+"passwd-changed","r").read()); # Connect to the ldap server - l = ldap.open(LDAPServer); + l = connectLDAP() F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r"); AccessPass = F.readline().strip().split(" ") F.close(); 
@@ -616,7 +616,7 @@ try: ErrType = EX_TEMPFAIL; ErrMsg = "An error occured while performing the LDAP lookup"; global l; - l = ldap.open(LDAPServer); + l = connectLDAP() l.simple_bind_s("",""); # Search for the matching key fingerprint diff --git a/ud-passchk b/ud-passchk index 6a7865a..1364e52 100755 --- a/ud-passchk +++ b/ud-passchk @@ -41,7 +41,7 @@ def PassCheck(l,File,HomePrefix): print "mismatch",Split[0],Miss; # Connect to the ldap server -l = ldap.open(LDAPServer); +l = connectLDAP() l.simple_bind_s("",""); PassCheck(l,sys.argv[1],sys.argv[2]); diff --git a/ud-roleadd b/ud-roleadd index 2117308..9c30bd1 100755 --- a/ud-roleadd +++ b/ud-roleadd @@ -50,7 +50,7 @@ for (switch, val) in options: if (switch == '-u'): AdminUser = val -l = passwdAccessLDAP(LDAPServer, BaseDn, AdminUser) +l = passwdAccessLDAP(BaseDn, AdminUser) while 1: account = raw_input("Who are you going to add? ") diff --git a/ud-useradd b/ud-useradd index f5c1fbc..23e1cd0 100755 --- a/ud-useradd +++ b/ud-useradd @@ -67,7 +67,7 @@ for (switch, val) in options: elif (switch == '-n'): NoAutomaticIDs = 1; -l = passwdAccessLDAP(LDAPServer, BaseDn, AdminUser) +l = passwdAccessLDAP(BaseDn, AdminUser) # Locate the key of the user we are adding SetKeyrings(ConfModule.add_keyrings.split(":")) diff --git a/ud-userimport b/ud-userimport index 4e044c7..db81b65 100755 --- a/ud-userimport +++ b/ud-userimport @@ -249,7 +249,7 @@ for (switch, val) in options: # Main program starts here # Connect to the ldap server -l = passwdAccessLDAP(LDAPServer, BaseDn, AdminUser) +l = passwdAccessLDAP(BaseDn, AdminUser) if (Passwd != ""): DoPasswd(l,Passwd); diff --git a/ud-xearth b/ud-xearth index 25e001a..58f8e93 100755 --- a/ud-xearth +++ b/ud-xearth 
@@ -30,7 +30,7 @@ for (switch, val) in options: Anon = 1; # Connect to the ldap server -l = passwdAccessLDAP(LDAPServer, BaseDn, User) +l = passwdAccessLDAP(BaseDn, User) Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"latitude=*",\ ["uid","cn","mn","sn","latitude","longitude"]); diff --git a/userdir-ldap.conf b/userdir-ldap.conf index 090ac5a..ad37d9d 100644 --- a/userdir-ldap.conf +++ b/userdir-ldap.conf @@ -8,6 +8,7 @@ localsyncon = "*samosa*"; # Basic LDAP configuration ldaphost = "db.debian.org"; +usessl = True; basedn = "ou=users,dc=debian,dc=org"; hostbasedn = "ou=hosts,dc=debian,dc=org"; adminuser = "admin"; diff --git a/userdir_ldap.py b/userdir_ldap.py index 539dbae..e90fffd 100644 --- a/userdir_ldap.py +++ b/userdir_ldap.py @@ -45,6 +45,11 @@ Ech_MainLog = ConfModule.ech_mainlog; MultipleSSHFiles = getattr(ConfModule, 'multiplesshfiles', False) SingleSSHFile = getattr(ConfModule, 'singlesshfile', True) +try: + UseSSL = ConfModule.usessl; +except AttributeError: + UseSSL = False; + # Break up the keyring list userdir_gpg.SetKeyrings(ConfModule.keyrings.split(":")) @@ -102,6 +107,16 @@ def PrettyShow(DnRecord): Result = Result + "%s: %s\n" % (x,i); return Result[:-1]; +def connectLDAP(server = None): + if server == None: + global LDAPServer + server = LDAPServer + l = ldap.open(server); + global UseSSL + if UseSSL: + l.start_tls_s(); + return l; + # Function to prompt for a password def getpass(prompt = "Password: "): import termios, sys; @@ -124,7 +139,7 @@ def getpass(prompt = "Password: "): print; return passwd; -def passwdAccessLDAP(LDAPServer, BaseDn, AdminUser): +def passwdAccessLDAP(BaseDn, AdminUser): """ Ask for the AdminUser's password and connect to the LDAP server. Returns the connection handle. @@ -136,7 +151,7 @@ def passwdAccessLDAP(LDAPServer, BaseDn, AdminUser): if len(Password) == 0: sys.exit(0) - l = ldap.open(LDAPServer); + l = connectLDAP() UserDn = "uid=" + AdminUser + "," + BaseDn; # Connect to the ldap server -- 2.20.1
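Review bot: connectLDAP's `l.start_tls_s();` negotiates TLS but leaves certificate verification to whatever TLS_REQCERT and CA settings the system ldap.conf happens to provide, so on a host with a permissive ldap.conf the client accepts any certificate and the upgrade only defeats passive capture; set the policy explicitly before the handshake. The helper also declares `global LDAPServer` and `global UseSSL` for names it only reads, which is unnecessary, and compares with `server == None` where `is None` is the idiom. A related downgrade risk sits in this file's first hunk: `UseSSL = False` on AttributeError means a deployment whose userdir-ldap.conf predates the new `usessl` key silently keeps talking cleartext, so either default to True or log the fallback. The subject and changelog say "SSL" while the code does STARTTLS on the plain port, which a docstring on connectLDAP should spell out.
```python
def connectLDAP(server = None):
    """Open a connection to *server* (default: the configured LDAPServer).

    When UseSSL is set the connection is upgraded with STARTTLS and a
    CA-verified server certificate is demanded, rather than inheriting
    the policy from the system ldap.conf.  No bind is performed here;
    callers bind themselves.
    """
    if server is None:
        server = LDAPServer
    if UseSSL:
        # Fail closed on an unverifiable certificate; must be set before
        # the TLS handshake is started.
        ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    l = ldap.open(server);
    if UseSSL:
        l.start_tls_s();
    return l;
```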
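Review bot: passwdAccessLDAP's docstring (it continues outside the hunk) still says it connects to "the LDAP server" but no longer tells the reader which one now that the LDAPServer parameter is gone; add a line such as `The server is the module-level LDAPServer, reached through connectLDAP(), which applies STARTTLS when UseSSL is set.` Dropping a leading positional parameter means any caller outside this patch that still passes three arguments fails with TypeError at call time rather than silently connecting to the wrong place, which is acceptable but deserves a mention in the changelog entry.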