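#!/usr/bin/python
import sys
import os
import random
import shutil
try:
    import ldap
except ImportError:
    # python-ldap is the only non-stdlib dependency and nothing below works
    # without it, so fail early with a readable hint instead of a traceback.
    # The 'as'/function-call spellings are accepted by Python 2.6+ and 3.
    print("Please install python-ldap before running this program")
    sys.exit(1)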
# Directory layout: the suffix is filled in by the template engine; user
# entries live one level below ou=people (searched with SCOPE_ONELEVEL below).
basedn="<%= dc_suffix %>"
peopledn="ou=people,%s" % basedn
<%-
ldap_servers.map! { |l| "'ldaps://#{l}'" }
-%>
# Every templated server is forced to ldaps:// above, so the STARTTLS branch
# in the connection code only matters for a hand-edited list.
uris=[<%= ldap_servers.join(", ") %>]
# Temporary hack because ldap-slave-1 is out of sync... no idea how to resync it :(
# Ask me about it or look at results from:
# ldapsearch -H ldaps://ldap-slave-1.mageia.org -D uid=$USER,ou=People,dc=mageia,dc=org -W -b uid=blue_prawn,ou=People,dc=mageia,dc=org
# vs
# ldapsearch -H ldaps://ldap-master.mageia.org -D uid=$USER,ou=People,dc=mageia,dc=org -W -b uid=blue_prawn,ou=People,dc=mageia,dc=org
# NOTE: this assignment replaces the templated list entirely (the previous
# uris assignment is dead code); drop it once the slave is back in sync.
uris=['ldaps://ldap-master.mageia.org']
random.shuffle(uris)
# libldap accepts a whitespace-separated string as a list of candidate
# servers; shuffling first spreads the load across replicas.
uri = " ".join(uris)
timeout=5
# The host authenticates with its own entry under ou=Hosts; the password is
# read from pwfile at startup by get_pw().
binddn="cn=<%= fqdn %>,ou=Hosts,%s" % basedn
pwfile="<%= ldap_pwfile %>"
# filter out disabled accounts also
# too bad uidNumber doesn't support >= filters
# NOTE: 'filter' shadows the builtin of the same name; it is only used as the
# search filter string passed to search_s().
filter="(&(objectClass=inetOrgPerson)(objectClass=ldapPublicKey)(objectClass=posixAccount)(sshPublicKey=*))"
keypathprefix='/home'
def usage():
    """Print a short description of the script to stdout.

    The script takes no arguments; this is shown when some are given.
    """
    prog = sys.argv[0]
    lines = [
        "%s" % prog,
        "",
        "Will fetch all enabled user accounts under %s" % peopledn,
        "with ssh keys in them and write each one to",
        "%s/<login>/authorized_keys" % keypathprefix,
        "",
        "This script is intented to be run from cron as root",
        "",
    ]
    for line in lines:
        print(line)
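def get_pw(pwfile):
    """Return the bind password stored on the first line of *pwfile*.

    Only the first line is read and surrounding whitespace is stripped.
    Exits the process with status 1 when the file cannot be read or when the
    first line is empty: a simple bind with a DN and an empty password is
    treated by LDAP servers as an unauthenticated (anonymous) bind, so the
    later search would silently run without the host's privileges instead of
    failing.  A warning is printed when the file is readable by group/others.
    """
    try:
        with open(pwfile, 'r') as f:
            pw = f.readline().strip()
    except IOError as e:
        print("Error while reading password file, aborting")
        print(e)
        sys.exit(1)
    if not pw:
        print("Password file %s is empty, aborting" % pwfile)
        sys.exit(1)
    # Hygiene check only: the secret should be readable by its owner alone.
    if os.stat(pwfile).st_mode & 0o077:
        print("Warning: %s is readable by group or others" % pwfile)
    return pw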
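def write_keys(keys, user, uid, gid):
    """Write *keys* to <keypathprefix>/<user>/.ssh/authorized_keys.

    When the home directory does not exist yet it is seeded from /etc/skel
    and the whole tree is chowned to uid:gid.  .ssh is then (re)created with
    mode 0700 and authorized_keys written with mode 0600, both owned by
    uid:gid; one key per line, surrounding whitespace stripped.

    This runs as root inside a directory the user owns after the first run,
    so nothing here may follow a symlink planted there: a .ssh that is a
    symlink is refused, and authorized_keys is opened with O_NOFOLLOW and
    fchmod/fchown'ed through the open descriptor rather than by path.  A user
    name that is empty, contains '/' or is '.'/'..' would escape the home
    prefix and is refused as well.  Refused entries are reported on stdout
    and the function returns without raising.
    """
    if not user or '/' in user or user in ('.', '..'):
        print("Refusing to handle suspicious user name %r" % (user,))
        return
    home = os.path.join(keypathprefix, user)
    sshdir = os.path.join(home, '.ssh')
    keyfile = os.path.join(sshdir, 'authorized_keys')

    if not os.path.isdir(home):
        # First sighting of this account: seed the home directory and hand
        # the whole tree to the user.
        shutil.copytree('/etc/skel', home)
        os.chown(home, uid, gid)
        for root, dirs, files in os.walk(home):
            for name in dirs + files:
                os.chown(os.path.join(root, name), uid, gid)

    if os.path.islink(sshdir):
        print("Refusing to follow symlink %s" % sshdir)
        return
    if not os.path.isdir(sshdir):
        os.mkdir(sshdir, 0o700)

    # O_NOFOLLOW rejects a symlink at the final path component; mode and
    # owner are applied through the descriptor so they cannot be redirected
    # by a path swap after the open.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, 'O_NOFOLLOW', 0)
    fd = os.open(keyfile, flags, 0o600)
    with os.fdopen(fd, 'w') as f:
        for key in keys:
            f.write(key.strip() + "\n")
        f.flush()
        os.fchmod(fd, 0o600)
        os.fchown(fd, uid, gid)
    # NOTE(review): a window remains between the islink() check above and
    # these by-path calls; closing it needs dir_fd-based calls (Python 3.3+),
    # which this Python 2 script cannot use.
    os.chmod(sshdir, 0o700)
    os.chown(sshdir, uid, gid)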
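# Entry point: bind to the directory as this host, fetch every account that
# carries ssh keys and write them out.  Any LDAP or setup failure aborts with
# a traceback (exit 1); a failure on a single user entry is reported and the
# remaining entries are still processed, exiting 1 at the end if any failed,
# so that one broken entry cannot block key updates (and revocations) for
# everybody else.
if len(sys.argv) != 1:
    usage()
    sys.exit(1)
bindpw = get_pw(pwfile)
failed = 0
try:
    ld = ldap.initialize(uri)
    ld.set_option(ldap.OPT_NETWORK_TIMEOUT, timeout)
    # Plain ldap:// is upgraded with STARTTLS so the bind password never
    # travels in clear.  NOTE(review): only the start of the joined URI list
    # is inspected, as before; a hand-edited list mixing ldaps:// and ldap://
    # would reach a later plain server without TLS.  Certificate verification
    # is left to the libldap defaults / ldap.conf (TLS_REQCERT).
    if uri.startswith("ldap:/"):
        ld.start_tls_s()
    ld.bind_s(binddn, bindpw)
    res = ld.search_s(peopledn, ldap.SCOPE_ONELEVEL, filter,
                      ['uid', 'sshPublicKey', 'uidNumber', 'gidNumber'])
    if not os.path.isdir(keypathprefix):
        os.makedirs(keypathprefix, 0o701)
    for dn, entry in res:
        try:
            uidnum = int(entry['uidNumber'][0])
            # skip possible system users (the search filter cannot express
            # a >= comparison on uidNumber, so it is done here)
            if uidnum < 500:
                continue
            write_keys(entry['sshPublicKey'], entry['uid'][0],
                       uidnum, int(entry['gidNumber'][0]))
        except (KeyError, ValueError, OSError, IOError) as e:
            print("Error while writing keys for %s: %s" % (dn, e))
            failed += 1
    ld.unbind_s()
except Exception:
    print("Error")
    raise
if failed:
    sys.exit(1)
sys.exit(0)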
# vim:ts=4:sw=4:et:ai:si