
Diff of /trunk/nl.nikhef.ndpf.tools/mkgroup-sshlpk/mkgroup-sshlpk


revision 41 by davidg, Fri Dec 19 13:57:48 2008 UTC revision 42 by davidg, Mon Jan 5 08:20:21 2009 UTC
# Line 12  my $display_help; Line 12  my $display_help;
12  my $ldapurl="ldaps://teugel.nikhef.nl/";  my $ldapurl="ldaps://teugel.nikhef.nl/";
13  my $ldapbase="ou=DirectoryGroups,dc=farmnet,dc=nikhef,dc=nl";  my $ldapbase="ou=DirectoryGroups,dc=farmnet,dc=nikhef,dc=nl";
14  my $outputfile;  my $outputfile;
15    my $commandprefix;
16    my $uidldapfilter;
17    my $def_uidldapfilter = '(objectclass=*)';
18    
19  &GetOptions(  &GetOptions(
20    "verbose|v+" => \$verb,    "verbose|v+" => \$verb,
21    "url|H=s" => \$ldapurl,    "url|H=s" => \$ldapurl,
22    "base|b=s" => \$ldapbase,    "base|b=s" => \$ldapbase,
23    "output|o=s" => \$outputfile,    "output|o=s" => \$outputfile,
24      "command|c=s" => \$commandprefix,
25      "filter=s" => \$uidldapfilter,
26    "help|h" => \$display_help,    "help|h" => \$display_help,
27    "force|f" => \$force    "force|f" => \$force
28  );  );
# Line 28  if ( $display_help ) { Line 33  if ( $display_help ) {
33  Generate a list of all unique sshPublicKeys for all members of the  Generate a list of all unique sshPublicKeys for all members of the
34  directory groups specified on the command line.  directory groups specified on the command line.
35    
36  Usage: $0 [-h] [-H uri] [-b DITbase] [-o file] [-f] [-v[v]] groupRDN [groupRDN]  Usage: $0 [-h] [-c|--comand strin] [-H uri] [-b DITbase] [-o file]
37              [-f] [-v[v]] groupRDN [groupRDN]
38    -h       Display this help text    -h       Display this help text
39    -H uri   Connect to LDAP server at <uri>    -H uri   Connect to LDAP server at <uri>
40               (default: $ldapurl)               (default: $ldapurl)
41    -b base  Search base DIT for groups    -b base  Search base DIT for groups
42               (default: $ldapbase)               (default: $ldapbase)
43      -c prfx  Prefix pre-pended to each line written. Any text in the
44               original sshPublicKey attribute before the tokens " ssh-.sa "
45               or " \\d+ \\d+ " is replaced.
46               In the prefix itself, \@UID\@, \@GID\@, \@UIDNUMBER\@ are replaced
47    -o file  Writing list of sshPublicKeys to <file>    -o file  Writing list of sshPublicKeys to <file>
48             (only when at least one sshPublicKey is retrieved, unless             (only when at least one sshPublicKey is retrieved, unless
49             -f is also specified)             -f is also specified)
# Line 43  Usage: $0 [-h] [-H uri] [-b DITbase] [-o Line 53  Usage: $0 [-h] [-H uri] [-b DITbase] [-o
53    
54  Example:  Example:
55    $0 systemAdministrators nDPFPrivilegedUsers    $0 systemAdministrators nDPFPrivilegedUsers
56      $0 -c 'command="svnserve -t -r /project/srv/svn --tunnel-user=\@UID\@",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty' -o ~svn/.ssh/authorized_keys nDPFSubversionUsers
57    
58  Dependencies:  Dependencies:
59    perl-LDAP, and perl-IO-Socket-SSL & perl-Net-SSLeay for ldaps ($verb)    perl-LDAP, and perl-IO-Socket-SSL & perl-Net-SSLeay for ldaps ($verb)
# Line 59  $ldap or die "Cannot contact remote serv Line 70  $ldap or die "Cannot contact remote serv
70    
71  # start collecting ssh keys from all users in all groups requested  # start collecting ssh keys from all users in all groups requested
72  my @keys = ();  my @keys = ();
73    defined $uidldapfilter or $uidldapfilter = $def_uidldapfilter;
74    
75  foreach my $groupRDN ( @ARGV ) {  foreach my $groupRDN ( @ARGV ) {
76    
# Line 79  foreach my $groupRDN ( @ARGV ) { Line 91  foreach my $groupRDN ( @ARGV ) {
91      foreach my $memberDN ( @groupmembers ) {      foreach my $memberDN ( @groupmembers ) {
92        my $uidresult;        my $uidresult;
93    
94        # sanity check: the uid must exist or the directory is inconsistent        # sanity check: the DN must exist or the directory is inconsistent
95        # but it need not have an ldapPublicKey        # if the filter is fully open, but it need not have an ldapPublicKey
96        $uidresult =        $uidresult =
97          $ldap->search( base=>$memberDN, scope=>"sub",            $ldap->search( base=>$memberDN, scope=>"base",
98                         filter=>"(objectclass=*)" );                           filter=>"$uidldapfilter" );
99        $uidresult->count() or  
100          die "DN $memberDN not found, extracted from group ".        if ( $uidresult->count() <= 0 ) {
101            if ( $uidldapfilter eq $def_uidldapfilter ) {
102              die "DN $memberDN not found, extracted from group ".
103              $groupentry->get_value("cn")."\n  Using directory: $ldapurl\n";              $groupentry->get_value("cn")."\n  Using directory: $ldapurl\n";
104            } else {
105              next;
106            }
107          }
108    
109        # but does it have an ldapPublicKey?        # but does it have an ldapPublicKey?
110        $uidresult =        $uidresult =
111          $ldap->search( base=>$memberDN, scope=>"sub",          $ldap->search( base=>$memberDN, scope=>"base",
112                         filter=>"(objectclass=ldapPublicKey)" );                         filter=>"(objectclass=ldapPublicKey)" );
113    
114        $uidresult->code or do {        $uidresult->code or do {
115          my @uidentries = $uidresult->entries;          my @uidentries = $uidresult->entries;
116          foreach my $uidentry ( @uidentries ) {          foreach my $uidentry ( @uidentries ) {
117            push @keys,$uidentry->get_value("sshPublicKey");            my $keyAttrib = $uidentry->get_value("sshPublicKey");
118              defined "$commandprefix" and do {
119                my $val;
120                $val = $uidentry->get_value('uid');
121                $commandprefix=~s/\@UID\@/$val/g;
122                $val = $uidentry->get_value('cn');
123                $commandprefix=~s/\@CN\@/$val/g;
124                $val = $uidentry->get_value('uidNumber');
125                $commandprefix=~s/\@UIDNUMBER\@/$val/g;
126                $val = $uidentry->get_value('gidNumber');
127                $commandprefix=~s/\@GIDNUMBER\@/$val/g;
128                $keyAttrib=~s/^.* (ssh-\wsa\s+)/$1/;
129                $keyAttrib=~s/^.* (\d+\s+\d+\s+)/$1/;
130                $keyAttrib="$commandprefix $keyAttrib";
131              };
132              push @keys,$keyAttrib;
133          }          }
134        };        };
135      }      }
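Review bot: The placeholder substitutions at new lines 121–127 mutate the file-scoped `$commandprefix` in place, so once the first member entry has been processed the `@UID@`, `@CN@`, `@UIDNUMBER@` and `@GIDNUMBER@` tokens are gone and every later key, in this and every following group, is written with the first user's values — with the `--tunnel-user=@UID@` example from the usage text that assigns one user's identity to everyone else's key. Substitute on a per-entry copy and prepend that copy instead, as sketched below. On new line 118, `defined "$commandprefix"` is also always true because the quotes stringify undef to the empty string, so the strip-and-prepend block runs even when `-c` was not given; test the variable itself, `defined $commandprefix and do {`. The usage text added earlier in this revision documents `@GID@` while the code replaces `@GIDNUMBER@` (and `@CN@`, which is undocumented), so the two should be brought into agreement. The group loop enclosing this member loop starts and ends outside the hunk.
```perl
my $keyAttrib = $uidentry->get_value("sshPublicKey");
defined $commandprefix and do {
    # Work on a per-entry copy so the placeholders survive for the next member.
    my $prefix = $commandprefix;
    my $val;
    $val = $uidentry->get_value('uid');
    $prefix =~ s/\@UID\@/$val/g;
    $val = $uidentry->get_value('cn');
    $prefix =~ s/\@CN\@/$val/g;
    $val = $uidentry->get_value('uidNumber');
    $prefix =~ s/\@UIDNUMBER\@/$val/g;
    $val = $uidentry->get_value('gidNumber');
    $prefix =~ s/\@GIDNUMBER\@/$val/g;
    # … unchanged: the two s/// lines stripping leading text from $keyAttrib …
    $keyAttrib = "$prefix $keyAttrib";
};
push @keys, $keyAttrib;
```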
