author | Nicolas Vigier <boklm@mageia.org> | 2011-08-21 12:22:27 +0000 |
---|---|---|
committer | Nicolas Vigier <boklm@mageia.org> | 2011-08-21 12:22:27 +0000 |
commit | cdb5d5f293e097f472320a7718c18f8ff18162f0 (patch) | |
tree | 95751ba56d9832e16354748dee7c47908ac8d01e /modules/openssh | |
parent | 9b0eab0b661c79263d0d30001428b8ccc46287c9 (diff) | |
move ldap-sshkey2file.py to openssh module (where it is used)
Diffstat (limited to 'modules/openssh')
-rw-r--r-- | modules/openssh/manifests/init.pp | 2 | ||||
-rwxr-xr-x | modules/openssh/templates/ldap-sshkey2file.py | 92 |
2 files changed, 93 insertions, 1 deletions
diff --git a/modules/openssh/manifests/init.pp b/modules/openssh/manifests/init.pp
index 8c929d79..44561ee0 100644
--- a/modules/openssh/manifests/init.pp
+++ b/modules/openssh/manifests/init.pp
@@ -84,7 +84,7 @@ class openssh {
 owner => root,
 group => root,
 mode => 755,
- content => template("restrictshell/ldap-sshkey2file.py"),
+ content => template("openssh/ldap-sshkey2file.py"),
 require => Package['python-ldap']
 }
 cron { 'sshkey2file':
diff --git a/modules/openssh/templates/ldap-sshkey2file.py b/modules/openssh/templates/ldap-sshkey2file.py
new file mode 100755
index 00000000..af29a203
--- /dev/null
+++ b/modules/openssh/templates/ldap-sshkey2file.py
@@ -0,0 +1,92 @@
+#!/usr/bin/python
+
+import sys
+import os
+import random
+
+try:
+ import ldap
+except ImportError, e:
+ print "Please install python-ldap before running this program"
+ sys.exit(1)
+
+basedn="<%= dc_suffix %>"
+peopledn="ou=people,%s" % basedn
+uris=['ldap://ldap.<%= domain %>']
+random.shuffle(uris)
+uri = " ".join(uris)
+timeout=5
+binddn="cn=<%= fqdn %>,ou=Hosts,%s" % basedn
+pwfile="<%= ldap_pwfile %>"
+# filter out disabled accounts also
+# too bad uidNumber doesn't support >= filters
+filter="(&(objectClass=inetOrgPerson)(objectClass=ldapPublicKey)(objectClass=posixAccount)(sshPublicKey=*))"
+keypathprefix="<%= pubkeys_directory %>"
+
+def usage():
+ print "%s" % sys.argv[0]
+ print
+ print "Will fetch all enabled user accounts under %s" % peopledn
+ print "with ssh keys in them and write each one to"
+ print "%s/<login>/authorized_keys" % keypathprefix
+ print
+ print "This script is intented to be run from cron as root"
+ print
+
+def get_pw(pwfile):
+ try:
+ f = open(pwfile, 'r')
+ except IOError, e:
+ print "Error while reading password file, aborting"
+ print e
+ sys.exit(1)
+ pw = f.readline().strip()
+ f.close()
+ return pw
+
+def write_keys(keys, user, uid, gid):
+ try:
+ os.makedirs("%s/%s" % (keypathprefix,user), 0700)
+ except:
+ pass
+ keyfile = "%s/%s/authorized_keys" % (keypathprefix,user)
+ f = open(keyfile, 'w')
+ for key in keys:
+ f.write(key.strip() + "\n")
+ f.close()
+ os.chmod(keyfile, 0600)
+ os.chown(keyfile, uid, gid)
+ os.chmod("%s/%s" % (keypathprefix,user), 0700)
+ os.chown("%s/%s" % (keypathprefix,user), uid, gid)
+
+if len(sys.argv) != 1:
+ usage()
+ sys.exit(1)
+
+bindpw = get_pw(pwfile)
+
+try:
+ ld = ldap.initialize(uri)
+ ld.set_option(ldap.OPT_NETWORK_TIMEOUT, timeout)
+ ld.start_tls_s()
+ ld.bind_s(binddn, bindpw)
+ res = ld.search_s(peopledn, ldap.SCOPE_ONELEVEL, filter, ['uid','sshPublicKey','uidNumber','gidNumber'])
+ try:
+ os.makedirs(keypathprefix, 0701)
+ except:
+ pass
+ for result in res:
+ dn, entry = result
+ # skip possible system users
+ if int(entry['uidNumber'][0]) < 500:
+ continue
+ write_keys(entry['sshPublicKey'], entry['uid'][0], int(entry['uidNumber'][0]), int(entry['gidNumber'][0]))
+ ld.unbind_s()
+except Exception, e:
+ print "Error"
+ raise
+
+sys.exit(0)
+
+
+# vim:ts=4:sw=4:et:ai:si |
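Review bot: `write_keys` chowns both `<prefix>/<user>` (mode 0700) and its `authorized_keys` to the user, and on the next cron run root does `open(keyfile, 'w')` followed by `os.chown(keyfile, uid, gid)`, both of which follow symlinks — so a user who replaces their `authorized_keys` with a symlink to any file gets root to truncate it, fill it with key material and hand them ownership of it. Giving the user the directory also lets them edit the key list directly, which seems at odds with a centrally managed `authorized_keys`, and sshd's StrictModes accepts a root-owned file in a root-owned directory, so the chown to the user looks unnecessary. I would keep the directory and file root-owned (dir 0755, file 0644, or 0640 with the user's gid if keys must stay private), write to a temp file opened with `O_CREAT|O_EXCL|O_NOFOLLOW` and `os.rename` it into place so sshd never reads a half-written list, and reject a `uid` value that is not a plain login name before it is interpolated into a path (the rewrite below needs `import re` at the top and leaves `uid`/`gid` in the signature for the caller). Separately, `ld.start_tls_s()` only protects the host's bind password and the fetched keys if the server certificate is actually checked; unless the system ldap.conf is known to set `TLS_REQCERT demand`, set `ldap.OPT_X_TLS_REQUIRE_CERT` to `ldap.OPT_X_TLS_DEMAND` before `start_tls_s()`, since an unverified server could push arbitrary keys into every account on the host.
```python
def write_keys(keys, user, uid, gid):
    # The uid becomes a path component; only accept a plain login name so
    # it cannot escape keypathprefix.
    if not re.match(r'^[a-z_][a-z0-9_-]*$', user):
        print "Skipping entry with unexpected uid %r" % user
        return
    userdir = "%s/%s" % (keypathprefix, user)
    try:
        os.mkdir(userdir, 0755)
    except OSError:
        pass
    # Root keeps ownership: the user cannot plant a symlink for root to
    # follow, and sshd's StrictModes accepts root-owned authorized_keys.
    os.lchown(userdir, 0, 0)
    os.chmod(userdir, 0755)
    keyfile = "%s/authorized_keys" % userdir
    tmpfile = keyfile + ".tmp"
    try:
        os.unlink(tmpfile)
    except OSError:
        pass
    fd = os.open(tmpfile, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0644)
    f = os.fdopen(fd, 'w')
    try:
        for key in keys:
            f.write(key.strip() + "\n")
    finally:
        f.close()
    # Atomic replace: sshd sees either the old list or the complete new one.
    os.rename(tmpfile, keyfile)
```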