serve-ssh-certs/scripts/acl_groups.py

#!/usr/bin/env python
#
# A Dovecot post-login script for IMAP. This creates environment
# ACL_GROUPS with a comma-separated list of the user's LDAP group
# memberships and then execs the Dovecot IMAP handler.
#

import ldap, os, sys;
import logging
import sys
import re
logging.basicConfig(level=logging.DEBUG,filename='/var/log/dovecot-acl/dovecot-acl_groups.py.log')
logger = logging.getLogger(__name__)

ldapUrl = "ldap://ldap.schuerz.at"
bindAccount = "cn=service_id,ou=mailserver,ou=system,ou=services,dc=schuerz,dc=at"
bindPw = 'Tha7iekahheeth8zie6Ao1eh'

searchBase = "ou=users,dc=schuerz,dc=at"
searchFilter = "(&(objectClass=posixAccount)(uid={0}))"

groupBase = re.compile("ou=groups,dc=schuerz,dc=at|cn=perm-svc-mailserver_admins,ou=mailserver,ou=system,ou=services,dc=schuerz,dc=at")
logger.debug(groupBase)

logger.debug("ENV: %s" % (os.environ))
user = {0}
groups = []

l = ldap.initialize(ldapUrl)
l.set_option(ldap.OPT_X_TLS_CACERTFILE, '/etc/ssl/certs/Xunde_Energie_Chain-CA.pem')
l.set_option(ldap.OPT_X_TLS,ldap.OPT_X_TLS_DEMAND)
l.set_option(ldap.OPT_X_TLS_DEMAND, True)
l.set_option(ldap.OPT_DEBUG_LEVEL, 255)
l.set_option(ldap.OPT_REFERRALS, 0)
l.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
l.start_tls_s()
l.bind(bindAccount, bindPw, ldap.AUTH_SIMPLE)
res = l.search_s(searchBase, ldap.SCOPE_SUBTREE,
                 searchFilter.format(os.environ["USER"]),
                 ['memberOf'])
for dn, entry in res:
    try:
        for g in entry['memberOf']:
            # Returns 'cn=All UK staff,ou=Groups,dc=example,dc=com' etc.
            # Fish out 'All UK staff' as group name.
            if groupBase.search(g):
                logger.debug("XXX " + g)
                groups.append(g.split(',', 1)[0][3:])
            else:
                logger.debug("--- " + g)
    except KeyError:
        pass    # User in no groups.

#logger.debug('USERDB_KEYS: (before) '+str(os.environ["USERDB_KEYS"]))
os.environ["ACL_GROUPS"] = ",".join(set(groups))
try:
    logger.debug('try')
    #os.environ["USERDB_KEYS"] += " GROUPS"
    os.environ["USERDB_KEYS"] += "acl_groups"
except KeyError:
    logger.debug('except')
    #os.environ["USERDB_KEYS"] = "GROUPS"
    os.environ["USERDB_KEYS"] = "acl_groups"

logger.debug('ACL_GROUPS: '+str(os.environ["ACL_GROUPS"]))
logger.debug('USERDB_KEYS: '+str(os.environ["USERDB_KEYS"]))
logger.debug("ENV(after): %s" % (os.environ))
logger.debug('sys.argv[1]: '+str(sys.argv[1]))
logger.debug('sys.argv[1:]: '+str(sys.argv[1:]))
logger.debug('sys.argv: '+str(sys.argv))
logger.debug('-------------------------')
os.execv(sys.argv[1], sys.argv[1:])
sys.exit(1) # In case above fails
add original ldapsearch for groups from dovecot 2019-09-03 09:34:47 +02:00			`#!/usr/bin/env python`
			`#`
			`# A Dovecot post-login script for IMAP. This creates environment`
			`# ACL_GROUPS with a comma-separated list of the user's LDAP group`
			`# memberships and then execs the Dovecot IMAP handler.`
			`#`

			`import ldap, os, sys;`
			`import logging`
			`import sys`
			`import re`
			`logging.basicConfig(level=logging.DEBUG,filename='/var/log/dovecot-acl/dovecot-acl_groups.py.log')`
			`logger = logging.getLogger(__name__)`

			`ldapUrl = "ldap://ldap.schuerz.at"`
			`bindAccount = "cn=service_id,ou=mailserver,ou=system,ou=services,dc=schuerz,dc=at"`
			`bindPw = 'Tha7iekahheeth8zie6Ao1eh'`

			`searchBase = "ou=users,dc=schuerz,dc=at"`
			`searchFilter = "(&(objectClass=posixAccount)(uid={0}))"`

			`groupBase = re.compile("ou=groups,dc=schuerz,dc=at\|cn=perm-svc-mailserver_admins,ou=mailserver,ou=system,ou=services,dc=schuerz,dc=at")`
			`logger.debug(groupBase)`

			`logger.debug("ENV: %s" % (os.environ))`
			`user = {0}`
			`groups = []`

			`l = ldap.initialize(ldapUrl)`
			`l.set_option(ldap.OPT_X_TLS_CACERTFILE, '/etc/ssl/certs/Xunde_Energie_Chain-CA.pem')`
			`l.set_option(ldap.OPT_X_TLS,ldap.OPT_X_TLS_DEMAND)`
			`l.set_option(ldap.OPT_X_TLS_DEMAND, True)`
			`l.set_option(ldap.OPT_DEBUG_LEVEL, 255)`
			`l.set_option(ldap.OPT_REFERRALS, 0)`
			`l.set_option(ldap.OPT_PROTOCOL_VERSION, 3)`
			`l.start_tls_s()`
			`l.bind(bindAccount, bindPw, ldap.AUTH_SIMPLE)`
			`res = l.search_s(searchBase, ldap.SCOPE_SUBTREE,`
			`searchFilter.format(os.environ["USER"]),`
			`['memberOf'])`
			`for dn, entry in res:`
			`try:`
			`for g in entry['memberOf']:`
			`# Returns 'cn=All UK staff,ou=Groups,dc=example,dc=com' etc.`
			`# Fish out 'All UK staff' as group name.`
			`if groupBase.search(g):`
			`logger.debug("XXX " + g)`
			`groups.append(g.split(',', 1)[0][3:])`
			`else:`
			`logger.debug("--- " + g)`
			`except KeyError:`
			`pass # User in no groups.`

			`#logger.debug('USERDB_KEYS: (before) '+str(os.environ["USERDB_KEYS"]))`
			`os.environ["ACL_GROUPS"] = ",".join(set(groups))`
			`try:`
			`logger.debug('try')`
			`#os.environ["USERDB_KEYS"] += " GROUPS"`
			`os.environ["USERDB_KEYS"] += "acl_groups"`
			`except KeyError:`
			`logger.debug('except')`
			`#os.environ["USERDB_KEYS"] = "GROUPS"`
			`os.environ["USERDB_KEYS"] = "acl_groups"`

			`logger.debug('ACL_GROUPS: '+str(os.environ["ACL_GROUPS"]))`
			`logger.debug('USERDB_KEYS: '+str(os.environ["USERDB_KEYS"]))`
			`logger.debug("ENV(after): %s" % (os.environ))`
			`logger.debug('sys.argv[1]: '+str(sys.argv[1]))`
			`logger.debug('sys.argv[1:]: '+str(sys.argv[1:]))`
			`logger.debug('sys.argv: '+str(sys.argv))`
			`logger.debug('-------------------------')`
			`os.execv(sys.argv[1], sys.argv[1:])`
			`sys.exit(1) # In case above fails`