opensourceprojects.eu / osp-allura / Diff of /Allura/ldap-setup.py

Diff of /Allura/ldap-setup.py [000000] .. [131348]

Switch to unified view

 b/Allura/ldap-setup.py
+#!/usr/bin/env python
+import os
+import shutil
+import string
+from contextlib import contextmanager
+from tempfile import mkstemp
+from ConfigParser import ConfigParser, NoOptionError
+config = ConfigParser()
+def main():
+    config.read('.setup-scm-cache')
+    if not config.has_section('scm'):
+        config.add_section('scm')
+    suffix = get_value('suffix', 'dc=localdomain')
+    secret = get_value('admin password', 'secret')
+    firstdc = suffix.split(',')[0].split('=')[1]
+    if get_value('clear ldap config', 'y') == 'y':
+        run('apt-get -f install')
+        run('apt-get remove --purge slapd ldap-utils')
+        run('apt-get install slapd ldap-utils')
+    if get_value('start slapd', 'y') == 'y':
+        run('service slapd start')
+    if get_value('add base ldap schemas', 'y') == 'y':
+        run('ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif')
+        run('ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif')
+        run('ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif')
+    if get_value('add backend ldif', 'y') == 'y':
+        with tempfile(backend_ldif, locals()) as name:
+            run('ldapadd -Y EXTERNAL -H ldapi:/// -f %s' % name)
+    with open('/etc/ldap.secret', 'w') as fp:
+        fp.write(secret)
+    os.chmod('/etc/ldap.secret', 0400)
+    if get_value('add frontend ldif', 'y') == 'y':
+        with tempfile(frontend_ldif, locals()) as name:
+            run('ldapadd -c -x -D cn=admin,%s -W -f %s -y /etc/ldap.secret' % (suffix, name))
+    if get_value('add initial user/group', 'y') == 'y':
+        with tempfile(initial_user_ldif, locals()) as name:
+            run('ldapadd -c -x -D cn=admin,%s -W -f %s -y /etc/ldap.secret' % (suffix, name))
+    if get_value('setup ldap auth', 'y') == 'y':
+        run('apt-get install libnss-ldap')
+        run('dpkg-reconfigure ldap-auth-config')
+        run('auth-client-config -t nss -p lac_ldap')
+        run('pam-auth-update')
+    if get_value('setup ldapscripts', 'y') == 'y':
+        run('apt-get install ldapscripts')
+        with tempfile(ldapscripts_conf, locals()) as name:
+            shutil.copy(name, '/etc/ldapscripts/ldapscripts.conf')
+        print 'writing passwd'
+        with open('/etc/ldapscripts/ldapscripts.passwd', 'w') as fp:
+            fp.write(secret)
+        os.chmod('/etc/ldapscripts/ldapscripts.passwd', 0400)
+        print 'writing runtime'
+        with open('/usr/share/ldapscripts/runtime.debian', 'w') as fp:
+            fp.write(ldapscripts_debian)
+def get_value(key, default):
+    try:
+        default = config.get('scm', key)
+    except NoOptionError:
+        pass
+    value = raw_input('%s? [%s]' % (key, default))
+    if not value: value = default
+    config.set('scm', key, value)
+    with open('.setup-scm-cache', 'w') as fp:
+        config.write(fp)
+    return value
+def run(command):
+    rc = os.system(command)
+    if rc != 0:
+        print 'Error running %s' % command
+    assert rc == 0
+    return rc
+@contextmanager
+def tempfile(template, values):
+    fd, name = mkstemp()
+    os.write(fd, template.safe_substitute(values))
+    os.close(fd)
+    yield name
+    os.remove(name)
+backend_ldif=string.Template('''
+# Load dynamic backend modules
+dn: cn=module,cn=config
+objectClass: olcModuleList
+cn: module
+olcModulepath: /usr/lib/ldap
+olcModuleload: back_hdb
+# Database settings
+dn: olcDatabase=hdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcHdbConfig
+olcDatabase: {1}hdb
+olcSuffix: $suffix
+olcDbDirectory: /var/lib/ldap
+olcRootDN: cn=admin,$suffix
+olcRootPW: $secret
+olcDbConfig: set_cachesize 0 2097152 0
+olcDbConfig: set_lk_max_objects 1500
+olcDbConfig: set_lk_max_locks 1500
+olcDbConfig: set_lk_max_lockers 1500
+olcDbIndex: objectClass eq
+olcLastMod: TRUE
+olcDbCheckpoint: 512 30
+olcAccess: to attrs=userPassword by dn="cn=admin,$suffix" write by anonymous auth by self write by * none
+olcAccess: to attrs=shadowLastChange by self write by * read
+olcAccess: to dn.base="" by * read
+olcAccess: to * by dn="cn=admin,$suffix" write by * read
+''')
+frontend_ldif=string.Template('''
+# Create top-level object in domain
+dn: $suffix
+objectClass: top
+objectClass: dcObject
+objectclass: organization
+o: Example Organization
+dc: $firstdc
+description: LDAP Example
+# Create max uid generator
+dn: cn=maxUid,$suffix
+objectClass: extensibleObject
+objectClass: top
+uidNumber: 10000
+# Admin user.
+dn: cn=admin,$suffix
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+cn: admin
+description: LDAP administrator
+userPassword: $secret
+dn: ou=people,$suffix
+objectClass: organizationalUnit
+ou: people
+dn: ou=groups,$suffix
+objectClass: organizationalUnit
+ou: groups
+''')
+initial_user_ldif=string.Template('''
+dn: uid=john,ou=people,$suffix
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: shadowAccount
+uid: john
+sn: Doe
+givenName: John
+cn: John Doe
+displayName: John Doe
+uidNumber: 1000
+gidNumber: 10000
+userPassword: password
+gecos: John Doe
+loginShell: /bin/bash
+homeDirectory: /home/john
+shadowExpire: -1
+shadowFlag: 0
+shadowWarning: 7
+shadowMin: 8
+shadowMax: 999999
+shadowLastChange: 10877
+mail: john.doe@example.com
+postalCode: 31000
+l: Toulouse
+o: Example
+mobile: +33 (0)6 xx xx xx xx
+homePhone: +33 (0)5 xx xx xx xx
+title: System Administrator
+postalAddress:
+initials: JD
+dn: cn=example,ou=groups,$suffix
+objectClass: posixGroup
+cn: example
+gidNumber: 10000
+''')
+open_ldap_config=string.Template('''
+[open_ldap]
+nss_passwd=passwd: files ldap
+nss_group=group: files ldap
+nss_shadow=shadow: files ldap
+nss_netgroup=netgroup: files ldap
+pam_auth=auth       required     pam_env.so
+        auth       sufficient   pam_unix.so likeauth nullok
+#the following line (containing pam_group.so) must be placed before pam_ldap.so
+#for ldap users to be placed in local groups such as fuse, plugdev, scanner, etc ...
+        auth       required     pam_group.so use_first_pass
+        auth       sufficient   pam_ldap.so use_first_pass
+        auth       required     pam_deny.so
+pam_account=account    sufficient   pam_unix.so
+        account    sufficient   pam_ldap.so
+        account    required     pam_deny.so
+pam_password=password   sufficient   pam_unix.so nullok md5 shadow
+        password   sufficient   pam_ldap.so use_first_pass
+        password   required     pam_deny.so
+pam_session=session    required     pam_limits.so
+        session    required     pam_mkhomedir.so skel=/etc/skel/
+        session    required     pam_unix.so
+        session    optional     pam_ldap.so
+''')
+ldapscripts_conf=string.Template('''
+SERVER=127.0.0.1
+BINDDN='cn=admin,$suffix'
+BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
+SUFFIX='$suffix'
+GSUFFIX='ou=Groups'
+USUFFIX='ou=People'
+MSUFFIX='ou=Computers'
+GIDSTART=10000
+UIDSTART=10000
+MIDSTART=10000
+''')
+ldapscripts_debian='''
+### Allura-customized
+### This file predefine some ldapscripts variables for Debian boxes.
+#
+#  Copyright (c) 2005 Ganal LAPLANCHE - Linagora
+#  Copyright (c) 2005-2007 Pierre Habouzit
+#  Copyright (c) 2009 Alexander GQ Gerasiov
+#
+#  This program is free software; you can redistribute it and/or
+#  modify it under the terms of the GNU General Public License
+#  as published by the Free Software Foundation; either version 2
+#  of the License, or (at your option) any later version.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#  GNU General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this program; if not, write to the Free Software
+#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+#  USA.
+##### Beginning of ldapscripts configuration #####
+getfield() {
+    local field="$1"
+    local nssconffile='/etc/libnss-ldap.conf'
+    if [ -f "$nssconffile" ];then
+  local value=$(awk "/^\s*$field/ {print \$2}" /etc/libnss-ldap.conf)
+    else
+  local value="$2"
+    fi
+    echo ${value:-$2}
+}
+getsuffix() {
+    field="$1"
+    value="$(getfield "$1" | sed -e "s/,.*$//")"
+    echo ${value:-$2}
+}
+# LDAP Configuration
+SERVER=$(getfield uri "$(getfield host '')")
+BINDDN=$(getfield rootbinddn '')
+if [ -f /etc/libnss-ldap.secret ];then
+  BINDPWDFILE=/etc/libnss-ldap.secret
+elif [ -f /etc/ldap.secret ];then
+  BINDPWDFILE=/etc/ldap.secret
+fi
+SUFFIX=`getfield base`
+GSUFFIX=`getsuffix nss_base_group   'ou=Group'`
+USUFFIX=`getsuffix nss_base_passwd  'ou=People'`
+MSUFFIX=`getsuffix nss_base_hosts   'ou=Hosts'`
+# User properties
+[ -f /etc/adduser.conf ] && . /etc/adduser.conf
+USHELL=${DSHELL:-"/bin/bash"}
+UHOMES=${DHOME:-"/home"}"/%u"
+HOMESKEL=${SKEL:-"/etc/skel"}
+HOMEPERMS=${DIR_MODE:-"0755"}
+# Where to log
+LOGFILE="/var/log/ldapscripts.log"
+# Various binaries used within scripts
+LDAPSEARCHBIN=`which ldapsearch`
+LDAPADDBIN=`which ldapadd`
+LDAPDELETEBIN=`which ldapdelete`
+LDAPMODIFYBIN=`which ldapmodify`
+LDAPMODRDNBIN=`which ldapmodrdn`
+LDAPPASSWDBIN=`which ldappasswd`
+# Getent command to use - choose the ones used on your system. Leave blank or comment for auto-guess.
+# GNU/Linux
+GETENTPWCMD="getent passwd"
+GETENTGRCMD="getent group"
+TMPDIR="/tmp"
+##### End of configuration #####
+'''
+if __name__ == '__main__':
+    main()