#!/usr/bin/python
import errno
import os
import random
import shutil
import sys
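try:
    import ldap
except ImportError:
    # python-ldap is a hard requirement; fail early with a readable hint
    # instead of a NameError at the first ldap.* call further down.
    print("Please install python-ldap before running this program")
    sys.exit(1)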
# Directory layout. The <%= ... %> placeholders are substituted by the
# configuration-management template when this file is rendered.
basedn="<%= dc_suffix %>"
peopledn="ou=people,%s" % basedn
<%-
ldap_servers.map! { |l| "'ldaps://#{l}'" }
-%>
# One quoted ldaps:// URI per configured server (built by the template block
# above). The list is shuffled (presumably so the first server tried varies
# between runs) and handed to libldap as a single space-separated URI string.
uris=[<%= ldap_servers.join(", ") %>]
random.shuffle(uris)
uri = " ".join(uris)
# Network timeout in seconds, applied with OPT_NETWORK_TIMEOUT below.
timeout=5
# This host binds with its own entry under ou=Hosts; the bind password is
# read from pwfile at run time and is not part of the rendered file.
binddn="cn=<%= fqdn %>,ou=Hosts,%s" % basedn
pwfile="<%= ldap_pwfile %>"
# Only entries that are posixAccount + inetOrgPerson + ldapPublicKey and
# actually carry an sshPublicKey value.
# TODO: also filter out disabled accounts (the filter below does not).
# uidNumber has no >= matching rule, so the "system user" cut-off
# (uidNumber < 500) is applied client-side when the results are processed.
filter="(&(objectClass=inetOrgPerson)(objectClass=ldapPublicKey)(objectClass=posixAccount)(sshPublicKey=*))"
# Parent of the per-user home directories that receive authorized_keys.
keypathprefix='/home'
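def usage():
    """Print a short description of the script to stdout.

    Invoked when the script is given any command-line arguments; it takes
    none itself. Output goes to stdout, one line per print call.
    """
    print("%s" % sys.argv[0])
    print("")
    print("Will fetch all enabled user accounts under %s" % peopledn)
    print("with ssh keys in them and write each one to")
    print("%s/<login>/authorized_keys" % keypathprefix)
    print("")
    # Fixed typo in the user-facing text ("intented" -> "intended").
    print("This script is intended to be run from cron as root")
    print("")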
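def get_pw(pwfile):
    """Return the LDAP bind password stored in *pwfile*.

    Args:
        pwfile: path of the file whose first line holds the password.

    Returns:
        The first line of the file with leading/trailing whitespace removed.

    Exits the process with status 1 (after printing the error) when the
    file cannot be opened.
    """
    try:
        f = open(pwfile, 'r')
    except IOError as e:
        print("Error while reading password file, aborting")
        print(e)
        sys.exit(1)
    # `with` closes the handle even if readline() raises.
    with f:
        return f.readline().strip()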
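def write_keys(keys, user, uid, gid):
    """Write *keys* to ``<keypathprefix>/<user>/.ssh/authorized_keys``.

    If the home directory does not exist yet it is created from ``/etc/skel``
    and handed to uid:gid. The ``.ssh`` directory is (re)set to mode 0700 and
    the key file is rewritten with one key per line, mode 0600, both owned by
    uid:gid.

    Args:
        keys: iterable of public-key strings as returned by the directory.
        user: login name; used verbatim as the home directory name.
        uid: numeric owner for the home directory, ``.ssh`` and the key file.
        gid: numeric group owner for the same.

    Raises:
        ValueError: if *user* is not a plain directory name (empty, ``.``,
            ``..``, or containing ``/`` or NUL), since it is spliced into a
            path under keypathprefix.
        OSError: on filesystem failures, including a symlink found where the
            ``.ssh`` directory or the key file is expected.
    """
    # The login name comes from the directory and becomes a path component;
    # reject anything that could escape keypathprefix before touching disk.
    if not user or user in ('.', '..') or '/' in user or '\0' in user:
        raise ValueError("refusing to use unsafe login name %r" % (user,))

    homedir = os.path.join(keypathprefix, user)
    sshdir = os.path.join(homedir, '.ssh')
    keyfile = os.path.join(sshdir, 'authorized_keys')
    nofollow = getattr(os, 'O_NOFOLLOW', 0)

    if not os.path.isdir(homedir):
        # Fresh account: seed the home from the skeleton and hand it over.
        shutil.copytree('/etc/skel', homedir)
        os.chown(homedir, uid, gid)
        for root, dirs, files in os.walk(homedir):
            for name in dirs + files:
                os.chown(os.path.join(root, name), uid, gid)

    try:
        os.makedirs(sshdir, 0o700)
    except OSError as e:
        # An existing .ssh is expected; anything else must surface.
        if e.errno != errno.EEXIST:
            raise

    # This runs as root inside a directory the user owns, so never follow a
    # symlink placed where .ssh or authorized_keys should be: open with
    # O_NOFOLLOW and apply mode/owner through the descriptor, not by path.
    # NOTE(review): without openat()/dir_fd there is still a small window
    # between these two opens; acceptable here, but worth knowing.
    dfd = os.open(sshdir, os.O_RDONLY | getattr(os, 'O_DIRECTORY', 0) | nofollow)
    try:
        os.fchmod(dfd, 0o700)
        os.fchown(dfd, uid, gid)
    finally:
        os.close(dfd)

    fd = os.open(keyfile, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | nofollow, 0o600)
    f = os.fdopen(fd, 'w')
    try:
        os.fchmod(fd, 0o600)
        os.fchown(fd, uid, gid)
        for key in keys:
            f.write(key.strip() + "\n")
    finally:
        f.close()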
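if len(sys.argv) != 1:
    usage()
    sys.exit(1)

bindpw = get_pw(pwfile)

try:
    ld = ldap.initialize(uri)
    ld.set_option(ldap.OPT_NETWORK_TIMEOUT, timeout)
    # The configured URIs are ldaps://, so StartTLS only applies to a plain
    # ldap:// URI. NOTE(review): server-certificate validation is left to the
    # libldap defaults (TLS_REQCERT in ldap.conf); confirm it is 'demand' on
    # the hosts this runs on, since the simple bind below sends the password.
    if uri.startswith("ldap:/"):
        ld.start_tls_s()
    ld.bind_s(binddn, bindpw)
    res = ld.search_s(peopledn, ldap.SCOPE_ONELEVEL, filter,
                      ['uid', 'sshPublicKey', 'uidNumber', 'gidNumber'])
    try:
        os.makedirs(keypathprefix, 0o701)
    except OSError as e:
        # An existing prefix is expected; any other failure must surface.
        if e.errno != errno.EEXIST:
            raise
    for dn, entry in res:
        # search_s may hand back referrals as (None, [uri, ...]) tuples,
        # which carry no attributes.
        if dn is None:
            continue
        uidnumber = int(entry['uidNumber'][0])
        # skip possible system users (uidNumber has no >= filter server-side)
        if uidnumber < 500:
            continue
        write_keys(entry['sshPublicKey'], entry['uid'][0], uidnumber,
                   int(entry['gidNumber'][0]))
    ld.unbind_s()
except Exception:
    print("Error")
    raise

sys.exit(0)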
# vim:ts=4:sw=4:et:ai:si