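#!/usr/bin/python
"""Sync LDAP ssh public keys into per-user authorized_keys files.

This file is an ERB template: the ``<%= ... %>`` values (base DN, server
list, host FQDN, password file) are substituted when it is deployed.

Searches one level below ``ou=people`` for accounts carrying an
``sshPublicKey`` attribute and writes every key into
``/home/<uid>/.ssh/authorized_keys``, creating the home directory from
``/etc/skel`` when it does not exist yet.  Intended to be run from cron as
root: everything it creates is chowned to the account's uidNumber/gidNumber.

Requires python-ldap.  Syntax is kept compatible with Python 2.6+.
"""
from __future__ import print_function

import errno
import os
import random
import shutil
import sys
import tempfile

try:
    import ldap
except ImportError:
    print("Please install python-ldap before running this program")
    sys.exit(1)

basedn = "<%= dc_suffix %>"
peopledn = "ou=people,%s" % basedn
<%- ldap_servers.map! { |l| "'ldaps://#{l}'" } -%>
uris = [<%= ldap_servers.join(", ") %>]
# Shuffle so load is spread over the configured servers; libldap accepts a
# space-separated list of URIs and tries them in order.
random.shuffle(uris)
uri = " ".join(uris)
timeout = 5
binddn = "cn=<%= fqdn %>,ou=Hosts,%s" % basedn
pwfile = "<%= ldap_pwfile %>"

# TODO: also filter out disabled accounts.  uidNumber doesn't support >=
# filters, so the system-account cut-off is applied in Python (see min_uid).
# Renamed from ``filter`` so the builtin is not shadowed.
search_filter = ("(&(objectClass=inetOrgPerson)(objectClass=ldapPublicKey)"
                 "(objectClass=posixAccount)(sshPublicKey=*))")
keypathprefix = '/home'
# Entries with a uidNumber below this are treated as system users and skipped.
min_uid = 500


def usage():
    """Print a short description of the script to stdout."""
    print("%s" % sys.argv[0])
    print("")
    print("Will fetch all enabled user accounts under %s" % peopledn)
    print("with ssh keys in them and write each one to")
    print("%s/<user>/.ssh/authorized_keys" % keypathprefix)
    print("")
    print("This script is intended to be run from cron as root")
    print("")


def get_pw(pwfile):
    """Return the bind password: the first line of *pwfile*, stripped.

    Prints a diagnostic and exits with status 1 if the file cannot be read,
    so cron sees a non-zero status.  Warns (but continues) when the file is
    readable by group or others, since it holds the host's LDAP credential.
    """
    try:
        mode = os.stat(pwfile).st_mode
        if mode & 0o077:
            print("Warning: %s is readable by group/others" % pwfile)
        with open(pwfile, 'r') as f:
            return f.readline().strip()
    except (IOError, OSError) as e:
        print("Error while reading password file, aborting")
        print(e)
        sys.exit(1)


def _mkdir_if_missing(path, mode):
    """Create *path* with *mode*; an already-existing path is not an error."""
    try:
        os.makedirs(path, mode)
    except OSError as e:
        if e.errno != errno.EEXIST:
            raise


def _chown_tree(top, uid, gid):
    """Recursively chown *top* and everything below it to uid:gid."""
    os.chown(top, uid, gid)
    for root, dirs, files in os.walk(top):
        for name in dirs + files:
            os.chown(os.path.join(root, name), uid, gid)


def write_keys(keys, user, uid, gid):
    """Write *keys* (one per line) to keypathprefix/<user>/.ssh/authorized_keys.

    Creates the home directory from /etc/skel if it does not exist and makes
    sure ~/.ssh exists with mode 0700; both are chowned to uid:gid.  The key
    file is written to a temporary file inside ~/.ssh and renamed into place,
    so sshd never observes a partial authorized_keys and the rename cannot
    cross filesystems.

    Raises ValueError for a uid that cannot be used as a directory name and
    OSError when ~/.ssh is a symlink or a filesystem operation fails.
    """
    # The uid comes from the directory and is spliced into a path that root
    # will chown/chmod, so reject anything that could leave keypathprefix.
    if not user or user in ('.', '..') or '/' in user:
        raise ValueError("refusing to use uid %r as a home directory name" % user)

    home = os.path.join(keypathprefix, user)
    sshdir = os.path.join(home, '.ssh')
    keyfile = os.path.join(sshdir, 'authorized_keys')

    if not os.path.isdir(home):
        shutil.copytree('/etc/skel', home)
        _chown_tree(home, uid, gid)

    # Everything under the home directory is writable by the account owner.
    # chmod/chown/rename follow symlinks, and doing that as root through a
    # link the user planted would retarget the operations elsewhere, so refuse
    # a symlinked ~/.ssh.  (Still racy against the owner between this check
    # and the writes; a complete fix needs dir-fd / O_NOFOLLOW operations.)
    if os.path.islink(sshdir):
        raise OSError("refusing to use symlinked %s" % sshdir)
    _mkdir_if_missing(sshdir, 0o700)
    if not os.path.isdir(sshdir):
        raise OSError("%s exists but is not a directory" % sshdir)
    os.chmod(sshdir, 0o700)
    os.chown(sshdir, uid, gid)

    # Temp file in the target directory: rename() is then atomic and on the
    # same filesystem, so ownership set here survives the move.
    fd, tmpname = tempfile.mkstemp(prefix='ldap-sshkey2file-', dir=sshdir)
    try:
        for key in keys:
            os.write(fd, key.strip() + "\n")
    finally:
        os.close(fd)
    os.chmod(tmpname, 0o600)
    os.chown(tmpname, uid, gid)
    os.rename(tmpname, keyfile)


if len(sys.argv) != 1:
    usage()
    sys.exit(1)

bindpw = get_pw(pwfile)

try:
    ld = ldap.initialize(uri)
    ld.set_option(ldap.OPT_NETWORK_TIMEOUT, timeout)
    # NOTE(review): server certificate checking for ldaps:// and STARTTLS is
    # whatever the system ldap.conf (TLS_REQCERT) says; nothing here overrides
    # it.  Check any configured URI, not just the first one after shuffling.
    if any(u.startswith("ldap:/") for u in uris):
        ld.start_tls_s()
    ld.bind_s(binddn, bindpw)
    try:
        res = ld.search_s(peopledn, ldap.SCOPE_ONELEVEL, search_filter,
                          ['uid', 'sshPublicKey', 'uidNumber', 'gidNumber'])
    finally:
        ld.unbind_s()

    _mkdir_if_missing(keypathprefix, 0o701)
    for dn, entry in res:
        uidnum = int(entry['uidNumber'][0])
        # skip possible system users
        if uidnum < min_uid:
            continue
        write_keys(entry['sshPublicKey'], entry['uid'][0],
                   uidnum, int(entry['gidNumber'][0]))
except Exception:
    print("Error")
    raise

sys.exit(0)

# vim:ts=4:sw=4:et:ai:si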