#!/usr/bin/python import sys import os import random import shutil import tempfile try: import ldap except ImportError, e: print "Please install python-ldap before running this program" sys.exit(1) basedn="<%= dc_suffix %>" peopledn="ou=people,%s" % basedn <%- ldap_servers.map! { |l| "'ldaps://#{l}'" } -%> uris=[<%= ldap_servers.join(", ") %>] random.shuffle(uris) uri = " ".join(uris) timeout=5 binddn="cn=<%= fqdn %>,ou=Hosts,%s" % basedn pwfile="<%= ldap_pwfile %>" # filter out disabled accounts also # too bad uidNumber doesn't support >= filters filter="(&(objectClass=inetOrgPerson)(objectClass=ldapPublicKey)(objectClass=posixAccount)(sshPublicKey=*))" keypathprefix='/home' def usage(): print "%s" % sys.argv[0] print print "Will fetch all enabled user accounts under %s" % peopledn print "with ssh keys in them and write each one to" print "%s//authorized_keys" % keypathprefix print print "It will return failure when no keys are updated and success" print "when one or more keys have changed." print print "This script is intented to be run from cron as root" print def get_pw(pwfile): try: f = open(pwfile, 'r') except IOError, e: print "Error while reading password file, aborting" print e sys.exit(1) pw = f.readline().strip() f.close() return pw def write_keys(keys, user, uid, gid): if not os.path.isdir("%s/%s" % (keypathprefix,user)): shutil.copytree('/etc/skel', "%s/%s" % (keypathprefix,user)) os.chown("%s/%s" % (keypathprefix,user), uid, gid) for root, dirs, files in os.walk("%s/%s" % (keypathprefix,user)): for d in dirs: os.chown(os.path.join(root, d), uid, gid) for f in files: os.chown(os.path.join(root, f), uid, gid) try: os.makedirs("%s/%s/.ssh" % (keypathprefix,user), 0700) except: pass os.chmod("%s/%s/.ssh" % (keypathprefix,user), 0700) os.chown("%s/%s/.ssh" % (keypathprefix,user), uid, gid) keyfile = "%s/%s/.ssh/authorized_keys" % (keypathprefix,user) fromldap = '' for key in keys: fromldap += key.strip() + "\n" fromfile = '' try: f = open(keyfile, 'r') fromfile = f.read() f.close() except: pass if fromldap != fromfile: (fd, tmpname) = tempfile.mkstemp('', 'ldap-sshkey2file-') os.write(fd, fromldap); os.close(fd) os.chmod(tmpname, 0600) os.chown(tmpname, uid, gid) shutil.move(tmpname, keyfile) # Hmm, aparently shutil.move does not preserve user/group so lets reapply # them. I still like doing it before as this should be more "automic" # if it actually worked, so it's "good practice", even if shutil.move sucks os.chown(keyfile, uid, gid) os.chmod(keyfile, 0600) return True return False if len(sys.argv) != 1: usage() sys.exit(1) bindpw = get_pw(pwfile) changed = False try: ld = ldap.initialize(uri) ld.set_option(ldap.OPT_NETWORK_TIMEOUT, timeout) if uri.startswith("ldap:/"): ld.start_tls_s() ld.bind_s(binddn, bindpw) res = ld.search_s(peopledn, ldap.SCOPE_ONELEVEL, filter, ['uid','sshPublicKey','uidNumber','gidNumber']) try: os.makedirs(keypathprefix, 0701) except: pass for result in res: dn, entry = result # skip possible system users if int(entry['uidNumber'][0]) < 500: continue if write_keys(entry['sshPublicKey'], entry['uid'][0], int(entry['uidNumber'][0]), int(entry['gidNumber'][0])): changed = True ld.unbind_s() except Exception, e: print "Error" raise if changed: sys.exit(0) sys.exit(1) # vim:ts=4:sw=4:et:ai:si