1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
|
#!/usr/bin/python
import sys
import os
import random
import shutil
import tempfile
try:
import ldap
except ImportError, e:
print "Please install python-ldap before running this program"
sys.exit(1)
basedn="<%= dc_suffix %>"
peopledn="ou=people,%s" % basedn
<%-
ldap_servers.map! { |l| "'ldaps://#{l}'" }
-%>
uris=[<%= ldap_servers.join(", ") %>]
random.shuffle(uris)
uri = " ".join(uris)
timeout=5
binddn="cn=<%= fqdn %>,ou=Hosts,%s" % basedn
pwfile="<%= ldap_pwfile %>"
# filter out disabled accounts also
# too bad uidNumber doesn't support >= filters
filter="(&(objectClass=inetOrgPerson)(objectClass=ldapPublicKey)(objectClass=posixAccount)(sshPublicKey=*))"
keypathprefix='/home'
def usage():
print "%s" % sys.argv[0]
print
print "Will fetch all enabled user accounts under %s" % peopledn
print "with ssh keys in them and write each one to"
print "%s/<login>/authorized_keys" % keypathprefix
print
print "It will return failure when no keys are updated and success"
print "when one or more keys have changed."
print
print "This script is intented to be run from cron as root"
print
def get_pw(pwfile):
try:
f = open(pwfile, 'r')
except IOError, e:
print "Error while reading password file, aborting"
print e
sys.exit(1)
pw = f.readline().strip()
f.close()
return pw
def write_keys(keys, user, uid, gid):
if not os.path.isdir("%s/%s" % (keypathprefix,user)):
shutil.copytree('/etc/skel', "%s/%s" % (keypathprefix,user))
os.chown("%s/%s" % (keypathprefix,user), uid, gid)
for root, dirs, files in os.walk("%s/%s" % (keypathprefix,user)):
for d in dirs:
os.chown(os.path.join(root, d), uid, gid)
for f in files:
os.chown(os.path.join(root, f), uid, gid)
try:
os.makedirs("%s/%s/.ssh" % (keypathprefix,user), 0700)
except:
pass
os.chmod("%s/%s/.ssh" % (keypathprefix,user), 0700)
os.chown("%s/%s/.ssh" % (keypathprefix,user), uid, gid)
keyfile = "%s/%s/.ssh/authorized_keys" % (keypathprefix,user)
fromldap = ''
for key in keys:
fromldap += key.strip() + "\n"
fromfile = ''
try:
f = open(keyfile, 'r')
fromfile = f.read()
f.close()
except:
pass
if fromldap != fromfile:
(fd, tmpname) = tempfile.mkstemp('', 'ldap-sshkey2file-')
os.write(fd, fromldap);
os.close(fd)
os.chmod(tmpname, 0600)
os.chown(tmpname, uid, gid)
shutil.move(tmpname, keyfile)
# Hmm, aparently shutil.move does not preserve user/group so lets reapply
# them. I still like doing it before as this should be more "automic"
# if it actually worked, so it's "good practice", even if shutil.move sucks
os.chown(keyfile, uid, gid)
os.chmod(keyfile, 0600)
return True
return False
if len(sys.argv) != 1:
usage()
sys.exit(1)
bindpw = get_pw(pwfile)
changed = False
try:
ld = ldap.initialize(uri)
ld.set_option(ldap.OPT_NETWORK_TIMEOUT, timeout)
if uri.startswith("ldap:/"):
ld.start_tls_s()
ld.bind_s(binddn, bindpw)
res = ld.search_s(peopledn, ldap.SCOPE_ONELEVEL, filter, ['uid','sshPublicKey','uidNumber','gidNumber'])
try:
os.makedirs(keypathprefix, 0701)
except:
pass
for result in res:
dn, entry = result
# skip possible system users
if int(entry['uidNumber'][0]) < 500:
continue
if write_keys(entry['sshPublicKey'], entry['uid'][0], int(entry['uidNumber'][0]), int(entry['gidNumber'][0])):
changed = True
ld.unbind_s()
except Exception, e:
print "Error"
raise
if changed:
sys.exit(0)
sys.exit(1)
# vim:ts=4:sw=4:et:ai:si
|
