86 lines
3.1 KiB
Python
86 lines
3.1 KiB
Python
|
#!/usr/bin/env python
|
||
|
|
#
|
||
|
|
# A Dovecot post-login script for IMAP. This creates environment
|
||
|
|
# ACL_GROUPS with a comma-separated list of the user's LDAP group
|
||
|
|
# memberships and then execs the Dovecot IMAP handler.
|
||
|
|
#
|
||
|
|
|
||
|
|
import ldap;
|
||
|
|
import logging
|
||
|
|
import os, sys, platform
|
||
|
|
import re
|
||
|
|
logging.basicConfig(level=logging.DEBUG,filename='/var/log/ssh-principalcommand.log')
|
||
|
|
logger = logging.getLogger(__name__)
|
||
|
|
hostname = platform.node()
|
||
|
|
dnFilter = re.compile("^ldap_default_bind_dn *=")
|
||
|
|
pwFilter = re.compile("^ldap_default_authtok *=")
|
||
|
|
with open('/etc/sssd/sssd.conf') as f:
|
||
|
|
content = f.readlines()
|
||
|
|
content = [x.strip() for x in content]
|
||
|
|
for line in content:
|
||
|
|
if dnFilter.search(line):
|
||
|
|
bindAccount = line.partition('=')[2].strip()
|
||
|
|
if pwFilter.search(line):
|
||
|
|
bindPw = line.partition('=')[2].strip()
|
||
|
|
ldapUrl = "ldap://ldap.schuerz.at"
|
||
|
|
|
||
|
|
hostDn = bindAccount.split(',')
|
||
|
|
hostDn.pop(0)
|
||
|
|
hostDn = ','.join(hostDn)
|
||
|
|
|
||
|
|
searchBase = "dc=schuerz,dc=at"
|
||
|
|
searchFilter = "(&(dcAccountStatus=active)(|(memberof=cn=perm-sys_local_admins," + hostDn + ") (memberof=cn=perm-sys_local_users," + hostDn + ") ( memberof=cn=perm-sys_admins,ou=all_hosts,ou=posix,ou=groups,dc=schuerz,dc=at) (memberof=cn=perm-sys_users,ou=all_hosts,ou=posix,ou=groups,dc=schuerz,dc=at)))"
|
||
|
|
groupBase = re.compile("ou=groups,dc=schuerz,dc=at|cn=perm-svc-mailserver_admins,ou=mailserver,ou=system,ou=services,dc=schuerz,dc=at")
|
||
|
|
logger.debug(searchFilter)
|
||
|
|
logger.debug(groupBase)
|
||
|
|
|
||
|
|
logger.debug("ENV: %s" % (os.environ))
|
||
|
|
user = {0}
|
||
|
|
groups = []
|
||
|
|
|
||
|
|
l = ldap.initialize(ldapUrl)
|
||
|
|
l.set_option(ldap.OPT_X_TLS_CACERTFILE, '/etc/ssl/certs/Xunde_Energie_Chain-CA.pem')
|
||
|
|
l.set_option(ldap.OPT_X_TLS,ldap.OPT_X_TLS_DEMAND)
|
||
|
|
l.set_option(ldap.OPT_X_TLS_DEMAND, True)
|
||
|
|
l.set_option(ldap.OPT_DEBUG_LEVEL, 255)
|
||
|
|
l.set_option(ldap.OPT_REFERRALS, 0)
|
||
|
|
l.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
|
||
|
|
l.start_tls_s()
|
||
|
|
l.bind(bindAccount, bindPw, ldap.AUTH_SIMPLE)
|
||
|
|
res = l.search_s(searchBase, ldap.SCOPE_SUBTREE,
|
||
|
|
searchFilter,
|
||
|
|
['uid'])
|
||
|
|
|
||
|
|
for dn, entry in res:
|
||
|
|
try:
|
||
|
|
for g in entry['uid']:
|
||
|
|
# Returns 'cn=All UK staff,ou=Groups,dc=example,dc=com' etc.
|
||
|
|
# Fish out 'All UK staff' as group name.
|
||
|
|
#print g
|
||
|
|
groups.append(g)
|
||
|
|
except KeyError:
|
||
|
|
pass # User in no groups.
|
||
|
|
|
||
|
|
#logger.debug('USERDB_KEYS: (before) '+str(os.environ["USERDB_KEYS"]))
|
||
|
|
print ' '.join(groups)
|
||
|
|
sys.exit(0)
|
||
|
|
os.environ["ACL_GROUPS"] = ",".join(set(groups))
|
||
|
|
try:
|
||
|
|
logger.debug('try')
|
||
|
|
#os.environ["USERDB_KEYS"] += " GROUPS"
|
||
|
|
os.environ["USERDB_KEYS"] += "acl_groups"
|
||
|
|
except KeyError:
|
||
|
|
logger.debug('except')
|
||
|
|
#os.environ["USERDB_KEYS"] = "GROUPS"
|
||
|
|
os.environ["USERDB_KEYS"] = "acl_groups"
|
||
|
|
|
||
|
|
logger.debug('ACL_GROUPS: '+str(os.environ["ACL_GROUPS"]))
|
||
|
|
logger.debug('USERDB_KEYS: '+str(os.environ["USERDB_KEYS"]))
|
||
|
|
logger.debug("ENV(after): %s" % (os.environ))
|
||
|
|
logger.debug('sys.argv[1]: '+str(sys.argv[1]))
|
||
|
|
logger.debug('sys.argv[1:]: '+str(sys.argv[1:]))
|
||
|
|
logger.debug('sys.argv: '+str(sys.argv))
|
||
|
|
logger.debug('-------------------------')
|
||
|
|
os.execv(sys.argv[1], sys.argv[1:])
|
||
|
|
sys.exit(1) # In case above fails
|