new contrib/ldap with 3 useful scripts (thanks to Nokia MeeGo folks)

contrib/ldap/README.mkd

@@ -0,0 +1,18 @@
+These programs were contributed by the Nokia MeeGo folks.
+
+The first 2 are perl and shell verisions of programs meant to be used as
+`$GL_GET_MEMBERSHIPS_PGM` (see [this][ldap] for more).
+
+
+  * ldap-query-example.pl
+  * ldap-query-example.sh
+
+The third program is meant to be installed as an adc (admin-defined command,
+see [here][adc]), and helps users change their LDAP passwords.
+
+  * passwd
+
+Enjoy!
+
+[ldap]: http://github.com/sitaramc/gitolite/blob/pu/doc/big-config.mkd#_storing_usergroup_information_outside_gitolite_like_in_LDAP_
+[adc]: http://github.com/sitaramc/gitolite/blob/pu/doc/admin-defined-commands.mkd

contrib/ldap/ldap-query-example.pl

@@ -0,0 +1,80 @@
+#!/usr/bin/perl
+#
+# Copyright (c) 2010 Nokia Corporation
+#
+# This code is licensed to you under MIT-style license. License text for that
+# MIT-style license is as follows:
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#
+# ldap-query.pl <arg1>
+#
+# this script is used to perform ldap querys by giving one argument:
+# - <arg1> the user UID for ldap search query
+#
+# NOTICE: This script requires libnet-ldap-perl package to be installed
+#         to the system.
+#
+
+use Net::LDAP;
+
+# Script requires user UID as the only parameter
+if ( $ARGV[0] eq '' || $ARGV[1] ne '' )
+{
+	print "ldap-query.pl requires one argument, user's uid\n";
+	exit 1;
+}
+$user = $ARGV[0];
+
+# Create communication structure for LDAP connection
+$ldap = Net::LDAP->new(
+      'localhost',
+      port    => 389,
+      debug   => 0,
+      timeout => 120,
+      version => 3 ) or die "$@";
+
+# Bind to LDAP with proper user
+$ldapret = $ldap->bind( 'cn=administrator,o=company',
+			password => '5ecretpa55w0rd' );
+die "$ldapret->code" if $ldapret->code;
+
+# Create filter for LDAP query
+my $filter = '(&'.
+	'(objectClass=groupAttributeObjectClassName)'.
+	"(uid=$user)".
+	')';
+
+# Execute the actual LDAP search to get groups for the given UID
+$ldapret = $ldap->search( base   => 'ou=users,ou=department,o=company',
+                          scope	 => 'subtree',
+                          filter => $filter );
+
+# Parse search result to get actual group names
+my $default_group = '';
+my $extra_groups = '';
+
+foreach my $entry ( $ldapret->entries ) {
+
+	$default_group = $entry->get_value( 'defaultGroupAttributeName' ) . ' ' . "$default_group";
+	$extra_groups = $entry->get_value( 'extraGroupsAttributeName' ) . ' ' . "$extra_groups";
+}
+
+# Return group names for given user UID
+print "$default_group" . "$extra_groups";

contrib/ldap/ldap-query-example.sh

@@ -0,0 +1,68 @@
+#!/bin/sh
+#
+# Copyright (c) 2010 Nokia Corporation
+#
+# This code is licensed to you under MIT-style license. License text for that
+# MIT-style license is as follows:
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#
+# ldap-query.sh <arg1>
+#
+# this script is used to perform ldap querys by giving one argument:
+# - <arg1> the user UID for ldap search query
+#
+# NOTICE: This script requires ldap-utils and sed to be installed to the system.
+#
+
+# Script requires user UID as the only parameter
+#
+if [ $# -ne 1 ]
+then
+        echo "ldap-query.sh requires one argument, user's uid"
+        exit 1
+fi
+uid_param="${1}"
+
+# Set needed LDAP search tool options for the query
+ldap_host="localhost"
+ldap_binddn="cn=administrator,o=company"
+ldap_bindpw="5ecretpa55w0rd"
+ldap_searchbase="ou=users,ou=department,o=company"
+ldap_scope="subtree"
+
+# Construct the command line base with needed options for the LDAP query
+ldap_options="-h ${ldap_host} -x -D ${ldap_binddn} -w ${ldap_bindpw} -b ${ldap_searchbase} -s ${ldap_scope}"
+
+# Construct the search filter for the LDAP query for the given UID
+ldap_filter="(&(objectClass=groupAttributeObjectClassName)(uid=${uid_param}))"
+
+# Construct return attribute list for LDAP query result
+attr1="defaultGroupAttributeName"
+attr2="extraGroupsAttributeName"
+ldap_attr="${attr1} ${attr2}"
+
+# Execute the actual LDAP search to get groups for the given UID
+ldap_result=$(ldapsearch ${ldap_options} -LLL ${ldap_filter} ${ldap_attr})
+
+# Edit search result to get space separated list of group names
+ldap_result=$(echo ${ldap_result} | sed -e "s/.* ${attr1}://" -e "s/ ${attr2}://")
+
+# Return group names for given user UID
+echo ${ldap_result}

contrib/ldap/passwd

@@ -0,0 +1,112 @@
+#!/usr/bin/perl
+
+use Net::LDAP;
+use Term::ReadPassword;
+use Digest::SHA1;
+use MIME::Base64;
+use Data::UUID;
+use Crypt::Cracklib;
+
+my $PASSWD_MIN_LEN = 8;
+my $password;
+
+# parse RC file
+# $ENV{GL_RC} = "/home/gitolite/.gitolite.rc";
+die "parse $ENV{GL_RC} failed: " . ($! or $@) unless do $ENV{GL_RC};
+
+# These come from .gitolite.rc file
+our ($GL_LDAP_HOST, $GL_LDAP_BIND_DN, $GL_LDAP_BIND_PASSWORD, $GL_LDAP_USER_DN);
+
+$Term::ReadPassword::ALLOW_STDIN = 1;
+
+# NOTICE: For some reason Perl fails to disable terminal echo
+# so following warning about ECHO must be given to the user
+
+# Warn about password echo because of bugs in Perl ReadPasword
+print "\nNOTE THAT THE PASSWORD WILL BE ECHOED TO THE SCREEN!\n" .
+"Please make sure no one is shoulder-surfing, and make sure\n" .
+"you clear your screen and scrollback history after you are done\n" .
+"(or close your terminal session).\n\n";
+
+print "Please type in your new password at the prompt.\n\n" .
+"Following special keys are available while typing:\n" .
+"  <BackSpace> key to remove the last character\n" .
+"  <Ctrl-U> to remove all characters\n" .
+"  <Ctrl-C> to terminate password change operation\n" .
+"  <Enter>  to end password typing\n";
+
+while ( 1 ) {
+
+      print "\n";  # Start reading with new line
+      $password = read_password("Enter new password: ", 0, 1);
+
+      # Check the validity of new password
+      if ( length( $password ) >= $PASSWD_MIN_LEN  # require minimum length
+      && $password =~ /([\x20-\x7E])/   # require printable characters
+      && $password =~ /[a-z]/           # require lower case letter
+      && $password =~ /[A-Z]/           # require upper case letter
+      && $password =~ /[0-9]/           # require number
+      && check( $password ) )           # require other than dictionary words
+      {
+        # Re-enter new password to check possible typos
+        if ( $password ne read_password("Enter password again: ") ) {
+
+          print "Passwords do not match!\n";
+          redo;
+        } else {
+
+          last; # Password is valid and there are no typos, so break out
+        }
+      } else { # Given password is not valid
+
+        print "Password must contain at least $PASSWD_MIN_LEN characters and numbers,\n" .
+        "must have both upper and lower case characters,\n" .
+        "can have special characters like !,",#,...\n" .
+        "but cannot be any valid dictionary word.\n";
+        redo;
+      }
+}
+
+# Create hash from the password to be stored to the LDAP
+my $ctx = Digest::SHA1->new();
+my $ug = new Data::UUID;
+my $salt = $ug->create_b64();
+$ctx->add( $password );
+$ctx->add( $salt );
+$password = '{SSHA}' . encode_base64( $ctx->digest . $salt, '' );
+
+# Create communication structure for LDAP connection
+my $ldap = Net::LDAP->new( $GL_LDAP_HOST ) or die "$@";
+my $r = $ldap->start_tls( verify => 'none',
+                          sslversion => 'tlsv1' );
+if ( $r->code ) {
+      print "Password handling failed with $r->code return code!\n";
+      log_it( "Password change, LDAP connection failed for $ENV{GL_USER}" );
+      exit 1;
+}
+
+# Bind to LDAP with proper user
+$r = $ldap->bind( $GL_LDAP_BIND_DN,
+                  password => $GL_LDAP_BIND_PASSWORD );
+if ( $r->code ) {
+      print "Password update failed with $r->code return code!\n";
+      log_it( "Password change, LDAP bind failed for $ENV{GL_USER}" );
+      exit 1;
+}
+
+# Update new password to the LDAP
+$r = $ldap->modify( "uid=$ENV{GL_USER},
+                    $GL_LDAP_USER_DN",
+                    replace => { 'userPassword', $password } );
+
+if ( $r->code ) {
+      print "Password change failed!\n" .
+      "Please contact administrator to change password.\n";
+#      log_it( "Password change, LDAP modify failed for $ENV{GL_USER}" );
+} else {
+      print "Password changed succesfully.\n";
+#      log_it( "Password change, LDAP modify done for $ENV{GL_USER}" );
+}
+
+$r = $ldap->unbind();
+

doc/who-uses-it.mkd

@@ -50,3 +50,8 @@ users as well.
 
 [gentoo1]: http://archives.gentoo.org/gentoo-dev/msg_2812c9b9e768f64b46360ab17b9d0024.xml
 [gentoo2]: http://www.gentoo.org/proj/en/overlays/
+
+**Nokia MeeGo** uses Gitolite internally, and has also contributed LDAP
+specific code (see [contrib/ldap][ldap] directory for details).
+
+[ldap]: http://github.com/sitaramc/gitolite/blob/pu/contrib/ldap