From efa8e0ff161f46bcbe9c24cd9eb08450971fc486 Mon Sep 17 00:00:00 2001 From: Sitaram Chamarty Date: Thu, 13 Jan 2011 13:24:01 +0530 Subject: [PATCH] new contrib/ldap with 3 useful scripts (thanks to Nokia MeeGo folks) --- contrib/ldap/README.mkd | 18 +++++ contrib/ldap/ldap-query-example.pl | 80 +++++++++++++++++++++ contrib/ldap/ldap-query-example.sh | 68 ++++++++++++++++++ contrib/ldap/passwd | 112 +++++++++++++++++++++++++++++ doc/who-uses-it.mkd | 5 ++ 5 files changed, 283 insertions(+) create mode 100644 contrib/ldap/README.mkd create mode 100644 contrib/ldap/ldap-query-example.pl create mode 100644 contrib/ldap/ldap-query-example.sh create mode 100644 contrib/ldap/passwd diff --git a/contrib/ldap/README.mkd b/contrib/ldap/README.mkd new file mode 100644 index 0000000..a7dc764 --- /dev/null +++ b/contrib/ldap/README.mkd @@ -0,0 +1,18 @@ +These programs were contributed by the Nokia MeeGo folks. + +The first 2 are perl and shell verisions of programs meant to be used as +`$GL_GET_MEMBERSHIPS_PGM` (see [this][ldap] for more). + + + * ldap-query-example.pl + * ldap-query-example.sh + +The third program is meant to be installed as an adc (admin-defined command, +see [here][adc]), and helps users change their LDAP passwords. + + * passwd + +Enjoy! + +[ldap]: http://github.com/sitaramc/gitolite/blob/pu/doc/big-config.mkd#_storing_usergroup_information_outside_gitolite_like_in_LDAP_ +[adc]: http://github.com/sitaramc/gitolite/blob/pu/doc/admin-defined-commands.mkd diff --git a/contrib/ldap/ldap-query-example.pl b/contrib/ldap/ldap-query-example.pl new file mode 100644 index 0000000..663e318 --- /dev/null +++ b/contrib/ldap/ldap-query-example.pl @@ -0,0 +1,80 @@ +#!/usr/bin/perl +# +# Copyright (c) 2010 Nokia Corporation +# +# This code is licensed to you under MIT-style license. License text for that +# MIT-style license is as follows: +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +# THE SOFTWARE. +# +# ldap-query.pl +# +# this script is used to perform ldap querys by giving one argument: +# - the user UID for ldap search query +# +# NOTICE: This script requires libnet-ldap-perl package to be installed +# to the system. +# + +use Net::LDAP; + +# Script requires user UID as the only parameter +if ( $ARGV[0] eq '' || $ARGV[1] ne '' ) +{ + print "ldap-query.pl requires one argument, user's uid\n"; + exit 1; +} +$user = $ARGV[0]; + +# Create communication structure for LDAP connection +$ldap = Net::LDAP->new( + 'localhost', + port => 389, + debug => 0, + timeout => 120, + version => 3 ) or die "$@"; + +# Bind to LDAP with proper user +$ldapret = $ldap->bind( 'cn=administrator,o=company', + password => '5ecretpa55w0rd' ); +die "$ldapret->code" if $ldapret->code; + +# Create filter for LDAP query +my $filter = '(&'. + '(objectClass=groupAttributeObjectClassName)'. + "(uid=$user)". + ')'; + +# Execute the actual LDAP search to get groups for the given UID +$ldapret = $ldap->search( base => 'ou=users,ou=department,o=company', + scope => 'subtree', + filter => $filter ); + +# Parse search result to get actual group names +my $default_group = ''; +my $extra_groups = ''; + +foreach my $entry ( $ldapret->entries ) { + + $default_group = $entry->get_value( 'defaultGroupAttributeName' ) . ' ' . "$default_group"; + $extra_groups = $entry->get_value( 'extraGroupsAttributeName' ) . ' ' . "$extra_groups"; +} + +# Return group names for given user UID +print "$default_group" . "$extra_groups"; diff --git a/contrib/ldap/ldap-query-example.sh b/contrib/ldap/ldap-query-example.sh new file mode 100644 index 0000000..43d13e4 --- /dev/null +++ b/contrib/ldap/ldap-query-example.sh @@ -0,0 +1,68 @@ +#!/bin/sh +# +# Copyright (c) 2010 Nokia Corporation +# +# This code is licensed to you under MIT-style license. License text for that +# MIT-style license is as follows: +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +# THE SOFTWARE. +# +# ldap-query.sh +# +# this script is used to perform ldap querys by giving one argument: +# - the user UID for ldap search query +# +# NOTICE: This script requires ldap-utils and sed to be installed to the system. +# + +# Script requires user UID as the only parameter +# +if [ $# -ne 1 ] +then + echo "ldap-query.sh requires one argument, user's uid" + exit 1 +fi +uid_param="${1}" + +# Set needed LDAP search tool options for the query +ldap_host="localhost" +ldap_binddn="cn=administrator,o=company" +ldap_bindpw="5ecretpa55w0rd" +ldap_searchbase="ou=users,ou=department,o=company" +ldap_scope="subtree" + +# Construct the command line base with needed options for the LDAP query +ldap_options="-h ${ldap_host} -x -D ${ldap_binddn} -w ${ldap_bindpw} -b ${ldap_searchbase} -s ${ldap_scope}" + +# Construct the search filter for the LDAP query for the given UID +ldap_filter="(&(objectClass=groupAttributeObjectClassName)(uid=${uid_param}))" + +# Construct return attribute list for LDAP query result +attr1="defaultGroupAttributeName" +attr2="extraGroupsAttributeName" +ldap_attr="${attr1} ${attr2}" + +# Execute the actual LDAP search to get groups for the given UID +ldap_result=$(ldapsearch ${ldap_options} -LLL ${ldap_filter} ${ldap_attr}) + +# Edit search result to get space separated list of group names +ldap_result=$(echo ${ldap_result} | sed -e "s/.* ${attr1}://" -e "s/ ${attr2}://") + +# Return group names for given user UID +echo ${ldap_result} diff --git a/contrib/ldap/passwd b/contrib/ldap/passwd new file mode 100644 index 0000000..f555f65 --- /dev/null +++ b/contrib/ldap/passwd @@ -0,0 +1,112 @@ +#!/usr/bin/perl + +use Net::LDAP; +use Term::ReadPassword; +use Digest::SHA1; +use MIME::Base64; +use Data::UUID; +use Crypt::Cracklib; + +my $PASSWD_MIN_LEN = 8; +my $password; + +# parse RC file +# $ENV{GL_RC} = "/home/gitolite/.gitolite.rc"; +die "parse $ENV{GL_RC} failed: " . ($! or $@) unless do $ENV{GL_RC}; + +# These come from .gitolite.rc file +our ($GL_LDAP_HOST, $GL_LDAP_BIND_DN, $GL_LDAP_BIND_PASSWORD, $GL_LDAP_USER_DN); + +$Term::ReadPassword::ALLOW_STDIN = 1; + +# NOTICE: For some reason Perl fails to disable terminal echo +# so following warning about ECHO must be given to the user + +# Warn about password echo because of bugs in Perl ReadPasword +print "\nNOTE THAT THE PASSWORD WILL BE ECHOED TO THE SCREEN!\n" . +"Please make sure no one is shoulder-surfing, and make sure\n" . +"you clear your screen and scrollback history after you are done\n" . +"(or close your terminal session).\n\n"; + +print "Please type in your new password at the prompt.\n\n" . +"Following special keys are available while typing:\n" . +" key to remove the last character\n" . +" to remove all characters\n" . +" to terminate password change operation\n" . +" to end password typing\n"; + +while ( 1 ) { + + print "\n"; # Start reading with new line + $password = read_password("Enter new password: ", 0, 1); + + # Check the validity of new password + if ( length( $password ) >= $PASSWD_MIN_LEN # require minimum length + && $password =~ /([\x20-\x7E])/ # require printable characters + && $password =~ /[a-z]/ # require lower case letter + && $password =~ /[A-Z]/ # require upper case letter + && $password =~ /[0-9]/ # require number + && check( $password ) ) # require other than dictionary words + { + # Re-enter new password to check possible typos + if ( $password ne read_password("Enter password again: ") ) { + + print "Passwords do not match!\n"; + redo; + } else { + + last; # Password is valid and there are no typos, so break out + } + } else { # Given password is not valid + + print "Password must contain at least $PASSWD_MIN_LEN characters and numbers,\n" . + "must have both upper and lower case characters,\n" . + "can have special characters like !,",#,...\n" . + "but cannot be any valid dictionary word.\n"; + redo; + } +} + +# Create hash from the password to be stored to the LDAP +my $ctx = Digest::SHA1->new(); +my $ug = new Data::UUID; +my $salt = $ug->create_b64(); +$ctx->add( $password ); +$ctx->add( $salt ); +$password = '{SSHA}' . encode_base64( $ctx->digest . $salt, '' ); + +# Create communication structure for LDAP connection +my $ldap = Net::LDAP->new( $GL_LDAP_HOST ) or die "$@"; +my $r = $ldap->start_tls( verify => 'none', + sslversion => 'tlsv1' ); +if ( $r->code ) { + print "Password handling failed with $r->code return code!\n"; + log_it( "Password change, LDAP connection failed for $ENV{GL_USER}" ); + exit 1; +} + +# Bind to LDAP with proper user +$r = $ldap->bind( $GL_LDAP_BIND_DN, + password => $GL_LDAP_BIND_PASSWORD ); +if ( $r->code ) { + print "Password update failed with $r->code return code!\n"; + log_it( "Password change, LDAP bind failed for $ENV{GL_USER}" ); + exit 1; +} + +# Update new password to the LDAP +$r = $ldap->modify( "uid=$ENV{GL_USER}, + $GL_LDAP_USER_DN", + replace => { 'userPassword', $password } ); + +if ( $r->code ) { + print "Password change failed!\n" . + "Please contact administrator to change password.\n"; +# log_it( "Password change, LDAP modify failed for $ENV{GL_USER}" ); +} else { + print "Password changed succesfully.\n"; +# log_it( "Password change, LDAP modify done for $ENV{GL_USER}" ); +} + +$r = $ldap->unbind(); + diff --git a/doc/who-uses-it.mkd b/doc/who-uses-it.mkd index f3ecb08..82871f3 100644 --- a/doc/who-uses-it.mkd +++ b/doc/who-uses-it.mkd @@ -50,3 +50,8 @@ users as well. [gentoo1]: http://archives.gentoo.org/gentoo-dev/msg_2812c9b9e768f64b46360ab17b9d0024.xml [gentoo2]: http://www.gentoo.org/proj/en/overlays/ + +**Nokia MeeGo** uses Gitolite internally, and has also contributed LDAP +specific code (see [contrib/ldap][ldap] directory for details). + +[ldap]: http://github.com/sitaramc/gitolite/blob/pu/contrib/ldap