1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
|
#!/usr/bin/python
import sys
import os
import random
import shutil
import tempfile
try:
import ldap
except ImportError, e:
print "Please install python-ldap before running this program"
sys.exit(1)
basedn="<%= dc_suffix %>"
peopledn="ou=people,%s" % basedn
<%-
ldap_servers.map! { |l| "'ldaps://#{l}'" }
-%>
uris=[<%= ldap_servers.join(", ") %>]
random.shuffle(uris)
uri = " ".join(uris)
timeout=5
binddn="cn=<%= fqdn %>,ou=Hosts,%s" % basedn
pwfile="<%= ldap_pwfile %>"
# filter out disabled accounts also
# too bad uidNumber doesn't support >= filters
filter="(&(objectClass=inetOrgPerson)(objectClass=ldapPublicKey)(objectClass=posixAccount)(sshPublicKey=*))"
keypathprefix='/home'
def usage():
print "%s" % sys.argv[0]
print
print "Will fetch all enabled user accounts under %s" % peopledn
print "with ssh keys in them and write each one to"
print "%s/<login>/authorized_keys" % keypathprefix
print
print "It will return failure when no keys are updated and success"
print "when one or more keys have changed."
print
print "This script is intented to be run from cron as root"
print
def get_pw(pwfile):
try:
f = open(pwfile, 'r')
except IOError, e:
print "Error while reading password file, aborting"
print e
sys.exit(1)
pw = f.readline().strip()
f.close()
return pw
def write_keys(keys, user, uid, gid):
if not os.path.isdir("%s/%s" % (keypathprefix,user)):
shutil.copytree('/etc/skel', "%s/%s" % (keypathprefix,user))
os.chown("%s/%s" % (keypathprefix,user), uid, gid)
for root, dirs, files in os.walk("%s/%s" % (keypathprefix,user)):
for d in dirs:
os.chown(os.path.join(root, d), uid, gid)
for f in files:
os.chown(os.path.join(root, f), uid, gid)
try:
os.makedirs("%s/%s/.ssh" % (keypathprefix,user), 0700)
except:
pass
os.chmod("%s/%s/.ssh" % (keypathprefix,user), 0700)
os.chown("%s/%s/.ssh" % (keypathprefix,user), uid, gid)
keyfile = "%s/%s/.ssh/authorized_keys" % (keypathprefix,user)
fromldap = ''
for key in keys:
fromldap += key.strip() + "\n"
fromfile = ''
try:
f = open(keyfile, 'r')
fromfile = f.read()
f.close()
except:
pass
if fromldap != fromfile:
(fd, tmpname) = tempfile.mkstemp('', 'ldap-sshkey2file-')
os.write(fd, fromldap);
os.close(fd)
os.chmod(tmpname, 0600)
os.chown(tmpname, uid, gid)
shutil.move(tmpname, keyfile)
return True
return False
if len(sys.argv) != 1:
usage()
sys.exit(1)
bindpw = get_pw(pwfile)
changed = False
try:
ld = ldap.initialize(uri)
ld.set_option(ldap.OPT_NETWORK_TIMEOUT, timeout)
if uri.startswith("ldap:/"):
ld.start_tls_s()
ld.bind_s(binddn, bindpw)
res = ld.search_s(peopledn, ldap.SCOPE_ONELEVEL, filter, ['uid','sshPublicKey','uidNumber','gidNumber'])
try:
os.makedirs(keypathprefix, 0701)
except:
pass
for result in res:
dn, entry = result
# skip possible system users
if int(entry['uidNumber'][0]) < 500:
continue
if write_keys(entry['sshPublicKey'], entry['uid'][0], int(entry['uidNumber'][0]), int(entry['gidNumber'][0])):
changed = True
ld.unbind_s()
except Exception, e:
print "Error"
raise
if changed:
sys.exit(0)
sys.exit(1)
# vim:ts=4:sw=4:et:ai:si
|
