author | Olivier Blin <dev@blino.org> | 2016-02-21 00:07:23 +0100 |
---|---|---|
committer | Olivier Blin <dev@blino.org> | 2016-02-21 00:08:57 +0100 |
commit | 9c88eafb46225df40f8e7a03a54f378e83935f53 (patch) | |
tree | 47910e652522cda364e09ba04ca84fe62922d172 | |
parent | 094424ee3e603db6275b7c19fca423e865d01a81 (diff) | |
openssh: Fix writing ssh public keys, with new ldap secret location
ldap secret is now stored in the bindpw field of /etc/nslcd.conf
-rw-r--r-- | modules/openssh/manifests/ssh_keys_from_ldap.pp | 1 | ||||
-rwxr-xr-x | modules/openssh/templates/ldap-sshkey2file.py | 44 |
2 files changed, 40 insertions, 5 deletions
diff --git a/modules/openssh/manifests/ssh_keys_from_ldap.pp b/modules/openssh/manifests/ssh_keys_from_ldap.pp index 6d23db5b..3004bc52 100644 --- a/modules/openssh/manifests/ssh_keys_from_ldap.pp +++ b/modules/openssh/manifests/ssh_keys_from_ldap.pp @@ -2,6 +2,7 @@ class openssh::ssh_keys_from_ldap inherits server { package { 'python-ldap': } $ldap_pwfile = '/etc/ldap.secret' + $nslcd_conf_file = '/etc/nslcd.conf' $ldap_servers = get_ldap_servers() mga_common::local_script { 'ldap-sshkey2file.py': content => template('openssh/ldap-sshkey2file.py'), diff --git a/modules/openssh/templates/ldap-sshkey2file.py b/modules/openssh/templates/ldap-sshkey2file.py index 475030ec..d974ec9a 100755 --- a/modules/openssh/templates/ldap-sshkey2file.py +++ b/modules/openssh/templates/ldap-sshkey2file.py @@ -22,7 +22,8 @@ random.shuffle(uris) uri = " ".join(uris) timeout=5 binddn="cn=<%= fqdn %>,ou=Hosts,%s" % basedn -pwfile="<%= ldap_pwfile %>" +ldap_secret_file="<%= ldap_pwfile %>" +nslcd_conf_file="<%= nslcd_conf_file %>" # filter out disabled accounts also # too bad uidNumber doesn't support >= filters filter="(&(objectClass=inetOrgPerson)(objectClass=ldapPublicKey)(objectClass=posixAccount)(sshPublicKey=*))" 
@@ -41,13 +42,46 @@ def usage(): print "This script is intented to be run from cron as root" print -def get_pw(pwfile): +def get_bindpw(): + try: + return get_nslcd_bindpw(nslcd_conf_file) + except: + pass + + try: + return get_ldap_secret(ldap_secret_file) + except: + pass + + print "Error while reading password file, aborting" + sys.exit(1) + +def get_nslcd_bindpw(pwfile): + try: + f = open(pwfile, 'r') + except IOError, e: + print "Error while reading nslcd file " + pwfile + print e + raise + + pwfield = "bindpw" + for line in f: + ls = line.strip().split() + if len(ls) == 2 and ls[0] == pwfield: + f.close() + return ls[1] + f.close() + + print "No " + pwfield + " field found in nslcd file " + pwfile + raise Exception() + +def get_ldap_secret(pwfile): try: f = open(pwfile, 'r') except IOError, e: - print "Error while reading password file, aborting" + print "Error while reading password file " + pwfile print e - sys.exit(1) + raise pw = f.readline().strip() f.close() return pw @@ -104,7 +138,7 @@ if len(sys.argv) != 1: usage() sys.exit(1) -bindpw = get_pw(pwfile) +bindpw = get_bindpw() changed = False try: |
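Review bot: The two bare `except:` clauses in the new `get_bindpw()` catch everything, including `SystemExit` and `KeyboardInterrupt`, and hide which of the two lookups failed; since both helpers already print their own diagnostic before re-raising, `except Exception:` (in this Python 2 code `IOError` is a subclass of it) keeps the fallback behaviour without masking interpreter signals. In `get_nslcd_bindpw()` the `len(ls) == 2` test also rejects a `bindpw` whose value contains whitespace, so such a configuration silently falls through to the legacy `/etc/ldap.secret`; `ls = line.strip().split(None, 1)` keeps the rest of the line as the value, assuming nslcd itself accepts such values (not verifiable from this page). The file opened in that helper is only closed on the two normal exits, not when iteration raises, which a `with` block covers for all paths. Consider a `# TODO: drop the /etc/ldap.secret fallback once all hosts carry bindpw in nslcd.conf` comment on `get_bindpw()`, so the credential is not kept in two places longer than the migration needs.
```python
def get_nslcd_bindpw(pwfile):
    # … unchanged: open() with IOError diagnostics …
    pwfield = "bindpw"
    with f:
        for line in f:
            ls = line.strip().split(None, 1)
            if len(ls) == 2 and ls[0] == pwfield:
                return ls[1]

    print "No " + pwfield + " field found in nslcd file " + pwfile
    raise Exception()
```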