From cdb5d5f293e097f472320a7718c18f8ff18162f0 Mon Sep 17 00:00:00 2001
From: Nicolas Vigier
Date: Sun, 21 Aug 2011 12:22:27 +0000
Subject: move ldap-sshkey2file.py to openssh module (where it is used)
---
 .../restrictshell/templates/ldap-sshkey2file.py | 92 ----------------------
 1 file changed, 92 deletions(-)
 delete mode 100755 modules/restrictshell/templates/ldap-sshkey2file.py
(limited to 'modules/restrictshell')
diff --git a/modules/restrictshell/templates/ldap-sshkey2file.py b/modules/restrictshell/templates/ldap-sshkey2file.py
deleted file mode 100755
index af29a203..00000000
--- a/modules/restrictshell/templates/ldap-sshkey2file.py
+++ /dev/null
@@ -1,92 +0,0 @@
-#!/usr/bin/python
-
-import sys
-import os
-import random
-
-try:
- import ldap
-except ImportError, e:
- print "Please install python-ldap before running this program"
- sys.exit(1)
-
-basedn="<%= dc_suffix %>"
-peopledn="ou=people,%s" % basedn
-uris=['ldap://ldap.<%= domain %>']
-random.shuffle(uris)
-uri = " ".join(uris)
-timeout=5
-binddn="cn=<%= fqdn %>,ou=Hosts,%s" % basedn
-pwfile="<%= ldap_pwfile %>"
-# filter out disabled accounts also
-# too bad uidNumber doesn't support >= filters
-filter="(&(objectClass=inetOrgPerson)(objectClass=ldapPublicKey)(objectClass=posixAccount)(sshPublicKey=*))"
-keypathprefix="<%= pubkeys_directory %>"
-
-def usage():
- print "%s" % sys.argv[0]
- print
- print "Will fetch all enabled user accounts under %s" % peopledn
- print "with ssh keys in them and write each one to"
- print "%s//authorized_keys" % keypathprefix
- print
- print "This script is intented to be run from cron as root"
- print
-
-def get_pw(pwfile):
- try:
- f = open(pwfile, 'r')
- except IOError, e:
- print "Error while reading password file, aborting"
- print e
- sys.exit(1)
- pw = f.readline().strip()
- f.close()
- return pw
-
-def write_keys(keys, user, uid, gid):
- try:
- os.makedirs("%s/%s" % (keypathprefix,user), 0700)
- except:
- pass
- keyfile = "%s/%s/authorized_keys" % (keypathprefix,user)
- f = open(keyfile, 'w')
- for key in keys:
- f.write(key.strip() + "\n")
- f.close()
- os.chmod(keyfile, 0600)
- os.chown(keyfile, uid, gid)
- os.chmod("%s/%s" % (keypathprefix,user), 0700)
- os.chown("%s/%s" % (keypathprefix,user), uid, gid)
-
-if len(sys.argv) != 1:
- usage()
- sys.exit(1)
-
-bindpw = get_pw(pwfile)
-
-try:
- ld = ldap.initialize(uri)
- ld.set_option(ldap.OPT_NETWORK_TIMEOUT, timeout)
- ld.start_tls_s()
- ld.bind_s(binddn, bindpw)
- res = ld.search_s(peopledn, ldap.SCOPE_ONELEVEL, filter, ['uid','sshPublicKey','uidNumber','gidNumber'])
- try:
- os.makedirs(keypathprefix, 0701)
- except:
- pass
- for result in res:
- dn, entry = result
- # skip possible system users
- if int(entry['uidNumber'][0]) < 500:
- continue
- write_keys(entry['sshPublicKey'], entry['uid'][0], int(entry['uidNumber'][0]), int(entry['gidNumber'][0]))
- ld.unbind_s()
-except Exception, e:
- print "Error"
- raise
-
-sys.exit(0)
-
-
-# vim:ts=4:sw=4:et:ai:si
-- cgit v1.2.1