aboutsummaryrefslogtreecommitdiffstats
path: root/modules/openssh/templates/ldap-sshkey2file.py
blob: af29a20344705d95989b4078aa593abb1546ce3d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
#!/usr/bin/python

import sys
import os
import random

try:
    import ldap
except ImportError, e:
    print "Please install python-ldap before running this program"
    sys.exit(1)

basedn="<%= dc_suffix %>"
peopledn="ou=people,%s" % basedn
uris=['ldap://ldap.<%= domain %>']
random.shuffle(uris)
uri = " ".join(uris)
timeout=5
binddn="cn=<%= fqdn %>,ou=Hosts,%s" % basedn
pwfile="<%= ldap_pwfile %>"
# filter out disabled accounts also
# too bad uidNumber doesn't support >= filters
filter="(&(objectClass=inetOrgPerson)(objectClass=ldapPublicKey)(objectClass=posixAccount)(sshPublicKey=*))"
keypathprefix="<%= pubkeys_directory %>"

def usage():
    print "%s" % sys.argv[0]
    print
    print "Will fetch all enabled user accounts under %s" % peopledn
    print "with ssh keys in them and write each one to"
    print "%s/<login>/authorized_keys" % keypathprefix
    print
    print "This script is intented to be run from cron as root"
    print

def get_pw(pwfile):
    try:
        f = open(pwfile, 'r')
    except IOError, e:
        print "Error while reading password file, aborting"
        print e
        sys.exit(1)
    pw = f.readline().strip()
    f.close()
    return pw

def write_keys(keys, user, uid, gid):
    try:
        os.makedirs("%s/%s" % (keypathprefix,user), 0700)
    except:
        pass
    keyfile = "%s/%s/authorized_keys" % (keypathprefix,user)
    f = open(keyfile, 'w')
    for key in keys:
        f.write(key.strip() + "\n")
    f.close()
    os.chmod(keyfile, 0600)
    os.chown(keyfile, uid, gid)
    os.chmod("%s/%s" % (keypathprefix,user), 0700)
    os.chown("%s/%s" % (keypathprefix,user), uid, gid)

if len(sys.argv) != 1:
    usage()
    sys.exit(1)

bindpw = get_pw(pwfile)

try:
    ld = ldap.initialize(uri)
    ld.set_option(ldap.OPT_NETWORK_TIMEOUT, timeout)
    ld.start_tls_s()
    ld.bind_s(binddn, bindpw)
    res = ld.search_s(peopledn, ldap.SCOPE_ONELEVEL, filter, ['uid','sshPublicKey','uidNumber','gidNumber'])
    try:
        os.makedirs(keypathprefix, 0701)
    except:
        pass
    for result in res:
        dn, entry = result
        # skip possible system users
        if int(entry['uidNumber'][0]) < 500:
            continue
        write_keys(entry['sshPublicKey'], entry['uid'][0], int(entry['uidNumber'][0]), int(entry['gidNumber'][0]))
    ld.unbind_s()
except Exception, e:
    print "Error"
    raise

sys.exit(0)


# vim:ts=4:sw=4:et:ai:si