aboutsummaryrefslogtreecommitdiffstats
path: root/modules
diff options
context:
space:
mode:
Diffstat (limited to 'modules')
-rw-r--r--modules/restrictshell/manifests/init.pp17
-rwxr-xr-xmodules/restrictshell/templates/ldap-sshkey2file.py92
2 files changed, 109 insertions, 0 deletions
diff --git a/modules/restrictshell/manifests/init.pp b/modules/restrictshell/manifests/init.pp
index b10c7915..2618f401 100644
--- a/modules/restrictshell/manifests/init.pp
+++ b/modules/restrictshell/manifests/init.pp
@@ -26,4 +26,21 @@ class restrictshell {
mode => 755,
content => template("restrictshell/membersh-conf.pl"),
}
+
+ package { 'python-ldap':
+ ensure => installed,
+ }
+
+ file { '/usr/local/bin/ldap-sshkey2file.py':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 755,
+ content => template("restrictshell/ldap-sshkey2file.py"),
+ requires => Package['python-ldap']
+ }
+
+
+
+
}
diff --git a/modules/restrictshell/templates/ldap-sshkey2file.py b/modules/restrictshell/templates/ldap-sshkey2file.py
new file mode 100755
index 00000000..3925176f
--- /dev/null
+++ b/modules/restrictshell/templates/ldap-sshkey2file.py
@@ -0,0 +1,92 @@
+#!/usr/bin/python
+
+import sys
+import os
+import random
+
+try:
+ import ldap
+except ImportError, e:
+ print "Please install python-ldap before running this program"
+ sys.exit(1)
+
+basedn="dc=mandriva,dc=com"
+peopledn="ou=people,%s" % basedn
+uris=['ldap://kenobi.mandriva.com','ldap://svn.mandriva.com']
+random.shuffle(uris)
+uri = " ".join(uris)
+timeout=5
+binddn="uid=sshkeyreader,ou=System Accounts,%s" % basedn
+pwfile="/etc/sshkeyreader.pw"
+# filter out disabled accounts also
+# too bad uidNumber doesn't support >= filters
+filter="(&(objectClass=inetOrgPerson)(objectClass=ldapPublicKey)(objectClass=posixAccount)(sshPublicKey=*)(!(shadowExpire=*)))"
+keypathprefix="/var/lib/config/pubkeys"
+
+def usage():
+ print "%s" % sys.argv[0]
+ print
+ print "Will fetch all enabled user accounts under %s" % peopledn
+ print "with ssh keys in them and write each one to"
+ print "%s/<login>/authorized_keys" % keypathprefix
+ print
+ print "This script is intented to be run from cron as root"
+ print
+
+def get_pw(pwfile):
+ try:
+ f = open(pwfile, 'r')
+ except IOError, e:
+ print "Error while reading password file, aborting"
+ print e
+ sys.exit(1)
+ pw = f.readline().strip()
+ f.close()
+ return pw
+
+def write_keys(keys, user, uid, gid):
+ try:
+ os.makedirs("%s/%s" % (keypathprefix,user), 0700)
+ except:
+ pass
+ keyfile = "%s/%s/authorized_keys" % (keypathprefix,user)
+ f = open(keyfile, 'w')
+ for key in keys:
+ f.write(key.strip() + "\n")
+ f.close()
+ os.chmod(keyfile, 0600)
+ os.chown(keyfile, uid, gid)
+ os.chmod("%s/%s" % (keypathprefix,user), 0700)
+ os.chown("%s/%s" % (keypathprefix,user), uid, gid)
+
+if len(sys.argv) != 1:
+ usage()
+ sys.exit(1)
+
+bindpw = get_pw(pwfile)
+
+try:
+ ld = ldap.initialize(uri)
+ ld.set_option(ldap.OPT_NETWORK_TIMEOUT, timeout)
+ ld.start_tls_s()
+ ld.bind_s(binddn, bindpw)
+ res = ld.search_s(peopledn, ldap.SCOPE_ONELEVEL, filter, ['uid','sshPublicKey','uidNumber','gidNumber'])
+ try:
+ os.makedirs(keypathprefix, 0701)
+ except:
+ pass
+ for result in res:
+ dn, entry = result
+ # skip possible system users
+ if int(entry['uidNumber'][0]) < 500:
+ continue
+ write_keys(entry['sshPublicKey'], entry['uid'][0], int(entry['uidNumber'][0]), int(entry['gidNumber'][0]))
+ ld.unbind_s()
+except Exception, e:
+ print "Error"
+ raise
+
+sys.exit(0)
+
+
+# vim:ts=4:sw=4:et:ai:si