root/ccs/admin/admin.py
Revision: 606
Committed: 2009-10-16T07:21:23-07:00 (15 years, 8 months ago) by douglas
Content type: text/x-python
File size: 4888 byte(s)
Log Message:
Clean up the install some more and start the Password Daemon!

1 douglas 600 #!/usr/bin/env python
2 douglas 585 # CCS Computer Science
3 douglas 590 # Admin
4 douglas 585 #
5     # Douglas Thrift
6     #
7     # $Id$
8    
from __future__ import with_statement

import os
import re
import shutil
import stat
import sys

import ldap
import psycopg2

import common
16 douglas 585
if sys.hexversion >= 0x2060000:
    # Python 2.6+: silence only the 'sets module is deprecated' warning
    # (presumably raised while MySQLdb imports the old ``sets`` module)
    # for the duration of the import, instead of disabling warnings globally.
    import warnings

    with warnings.catch_warnings():
        warnings.filterwarnings('ignore', 'the sets module is deprecated', DeprecationWarning)

        import MySQLdb
else:
    # warnings.catch_warnings() does not exist before 2.6; import unguarded.
    import MySQLdb
26    
# Directory hosts and the DNs / constants every admin operation builds on.
MASTER = 'zweihander.ccs.ucsb.edu'
SLAVE = 'wireless.ccs.ucsb.edu'
MASTER_URI = 'ldaps://%s' % MASTER
SLAVE_URI = 'ldaps://%s' % SLAVE
BASE = 'dc=ccs,dc=ucsb,dc=edu'
PEOPLE = ','.join(['ou=People', BASE])
GROUP = ','.join(['ou=Group', BASE])
# Directory root bind password; passwd() also feeds it to MySQLdb.connect().
# It is read raw, so the file must be free of a trailing newline and should
# be readable by the admin user only -- NOTE(review): neither is checked.
SECRET = '/ccs/etc/secret'
# Per-system login-shell attribute names, e.g. 'ucsbCcsFoo' for system 'foo'.
SHELLS = ['ucsbCcs' + system.capitalize() for system in common.SYSTEMS]
# Samba SID template for this domain; '%u' takes a uid/gid number.
SAMBA_SID = 'S-1-5-21-3739982181-3886045993-82308153-%u'
37 douglas 585
# Library-wide python-ldap settings: speak LDAPv3 and, for the ldaps:// URIs
# above, verify the server certificate against the CCS certificate file and
# refuse the connection when verification fails (OPT_X_TLS_DEMAND).
ldap.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/ccs/ssl/ccscert.pem')
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
41    
def _user(user):
    """Return the DN of *user*'s entry under ou=People.

    NOTE(review): *user* is spliced into the DN verbatim, so callers must
    pass a plain uid (no ',', '+', '=' or surrounding spaces).
    """
    rdn = 'uid=%s' % user
    return ','.join([rdn, PEOPLE])
44 douglas 585
def _group(group):
    """Return the DN of *group*'s entry under ou=Group.

    NOTE(review): *group* is spliced into the DN verbatim; pass a plain cn.
    """
    rdn = 'cn=%s' % group
    return ','.join([rdn, GROUP])
47    
def ldap_connection():
    """Open an LDAPS connection to MASTER bound as the directory root.

    The bind password is the raw content of SECRET (read as bytes, so a
    trailing newline in that file would become part of the password).
    Returns the bound connection; callers are expected to unbind_s() it.
    Raises ldap.LDAPError on connection or bind failure.
    """
    conn = ldap.initialize(MASTER_URI)
    secret_file = open(SECRET, 'rb')

    try:
        root_password = secret_file.read()
    finally:
        secret_file.close()

    conn.simple_bind_s(_user('root'), root_password)

    return conn
55    
def master():
    """Return True when this host (common.HOST) is the LDAP master."""
    is_master = (MASTER == common.HOST)
    return is_master
58 douglas 591
def run(errors):
    """Report per-host errors and exit with status 1 if there were any.

    errors: mapping of host -> error message, or empty/None.  Every entry
    is written to stderr as 'host: error'; with no entries the function
    simply returns.
    """
    if not errors:
        return

    for host in errors:
        sys.stderr.write('%s: %s\n' % (host, errors[host]))

    sys.exit(1)
65    
def error(error):
    """Abort: print 'argv[0]: error' to stderr and exit with status 1."""
    message = '%s: %s' % (sys.argv[0], error)
    sys.exit(message)
68    
def eof():
    """End the current output line and exit with status 130.

    Intended for EOF/interrupt on interactive input (130 is the usual
    128 + SIGINT status).
    """
    sys.stdout.write('\n')
    sys.exit(130)
73    
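def _check_user_name(user):
    """Reject a login name that could escape the contexts it is used in.

    *user* becomes an LDAP uid and DN component, a directory name under
    /home, a PostgreSQL role and a MySQL account, so it is limited to a
    conservative POSIX-style name: a lowercase letter or underscore
    followed by lowercase letters, digits, '.', '_' or '-'.  In particular
    '/', quotes, backticks, whitespace and an empty name are refused.
    Raises ValueError otherwise.
    """
    if not re.match(r'[a-z_][a-z0-9._-]*\Z', user):
        raise ValueError('invalid user name: %r' % (user,))


def _next_uid(connection):
    """Return one more than the highest uidNumber under ou=People (root excluded).

    NOTE(review): read-then-allocate with no lock, so two concurrent
    adduser() runs can pick the same number.  Raises ValueError when the
    search returns no entries at all.
    """
    entries = connection.search_s(PEOPLE, ldap.SCOPE_ONELEVEL, '(&(uid=*)(!(uid=root)))', ('uidNumber',))
    return max(int(attrs['uidNumber'][0]) for dn, attrs in entries) + 1


def _undot(name):
    """Strip a leading 'dot' marker: 'dot.bashrc' -> '.bashrc'; else unchanged."""
    if name.startswith('dot'):
        return name[3:]
    return name


def _skel_destination(home, skel, source):
    """Map directory *source* inside *skel* to its counterpart under *home*.

    Each path component is passed through _undot(), matching how the
    directories were named when created, so files inside 'dot.ssh' land in
    '~/.ssh'.  The old code joined an absolute-looking remainder
    ('/sub') onto *home*, which os.path.join resolves to '/sub'.
    """
    relative = source[len(skel):].strip(os.sep)
    if not relative:
        return home
    parts = [_undot(part) for part in relative.split(os.sep)]
    return os.path.join(home, *parts)


def _populate_home(home, uid, gid):
    """Create *home* owned by uid:gid and copy the skeleton trees into it.

    Names starting with 'dot' are installed with that prefix removed.
    The umask is set process-wide (022: no group/world write) and not
    restored, as before.  A missing skeleton directory is skipped silently
    by os.walk.
    """
    os.umask(stat.S_IWGRP | stat.S_IWOTH)
    os.mkdir(home)
    os.chown(home, uid, gid)

    for skel in ('/usr/share/skel', '/ccs/skel'):
        for source, directories, files in os.walk(skel):
            destination = _skel_destination(home, skel, source)

            for directory in directories:
                target = os.path.join(destination, _undot(directory))

                os.mkdir(target)
                shutil.copymode(os.path.join(source, directory), target)
                os.chown(target, uid, gid)

            for file_name in files:
                target = os.path.join(destination, _undot(file_name))

                shutil.copy(os.path.join(source, file_name), target)
                os.chown(target, uid, gid)


def _create_postgres_user(user):
    """Create a PostgreSQL role named *user* with CREATEDB.

    The role name is emitted as a quoted identifier (any '"' doubled)
    instead of being %-formatted into the statement bare; together with
    _check_user_name() this keeps the statement free of injection.
    Connects to the 'postgres' database with psycopg2's defaults.
    """
    db = psycopg2.connect(database = 'postgres')

    try:
        cursor = db.cursor()
        cursor.execute('create user "%s" with createdb' % user.replace('"', '""'))
        db.commit()
    finally:
        db.close()


def adduser(user, name, password):
    """Create a complete CCS account for *user*.

    user: login name (validated by _check_user_name); name: full name
    stored as 'cn'; password: initial password, applied through passwd()
    to LDAP and MySQL.

    Steps, in order: allocate uid = gid = max uidNumber + 1 (Samba group
    SID uses gid + 1000); add the posix/samba user entry and the private
    group; add the user to wheel, fuse and operator; create and populate
    /home/<user>; create the PostgreSQL role; set the password.  The
    steps are not transactional -- a failure part-way leaves the earlier
    ones in place.  Raises ValueError for a bad name and ldap.LDAPError /
    OSError / psycopg2.Error from the individual steps.
    """
    _check_user_name(user)

    connection = ldap_connection()
    uid = _next_uid(connection)
    gid = uid
    samba_gid = gid + 1000
    home = os.path.join('/home', user)

    connection.add_s(_user(user), [
        ('objectclass', ['top', 'account', 'posixAccount', 'shadowAccount', 'ucsbCcsLoginShells', 'sambaSamAccount']),
        ('cn', name),
        ('uid', user),
        ('uidNumber', str(uid)),
        ('gidNumber', str(gid)),
        ('homeDirectory', home),
        ('loginShell', 'bash'),
    ] + zip(SHELLS, dict(common.SHELLS)['bash']) + [
        ('sambaAcctFlags', '[U ]'),
        ('sambaSID', SAMBA_SID % uid),
        ('sambaPrimaryGroupSID', SAMBA_SID % samba_gid),
    ])
    connection.add_s(_group(user), [
        ('objectclass', ['top', 'posixGroup', 'sambaGroupMapping']),
        ('cn', user),
        ('gidNumber', str(gid)),
        ('sambaSID', SAMBA_SID % samba_gid),
        ('sambaGroupType', '4'),
    ])

    for group in ('wheel', 'fuse', 'operator'):
        connection.modify_s(_group(group), [(ldap.MOD_ADD, 'memberUid', user)])

    connection.unbind_s()

    _populate_home(home, uid, gid)
    _create_postgres_user(user)

    passwd(user, None, password)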
134    
def chfn(user, name):
    """Replace the 'cn' (full name) attribute of *user*'s LDAP entry with *name*."""
    conn = ldap_connection()
    change = [(ldap.MOD_REPLACE, 'cn', name)]

    conn.modify_s(_user(user), change)
    conn.unbind_s()
140    
def chsh(user, shell, shells):
    """Set *user*'s loginShell and the per-system shell attributes (SHELLS).

    shell: a key of common.SHELLS, or 'custom'.  For a named shell the
    per-system list comes from common.SHELLS and *shells* is ignored.  For
    'custom', *shells* is stored as given and, if it equals one of the
    predefined lists (all entries of common.SHELLS but the last, presumably
    the 'custom' placeholder), loginShell becomes that entry's name -- the
    last matching entry wins.
    """
    if shell == 'custom':
        for known_shell, known_shells in common.SHELLS[:-1]:
            if known_shells == shells:
                shell = known_shell
    else:
        shells = dict(common.SHELLS)[shell]

    modifications = [(ldap.MOD_REPLACE, 'loginShell', shell)]
    modifications.extend([(ldap.MOD_REPLACE, attr, value) for attr, value in zip(SHELLS, shells)])

    conn = ldap_connection()
    conn.modify_s(_user(user), modifications)
    conn.unbind_s()
153    
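def _mysql_identifier(name):
    """Quote *name* as a MySQL identifier: backticks, inner backticks doubled."""
    return '`%s`' % name.replace('`', '``')


def passwd(user, old_password, new_password):
    """Change *user*'s password in LDAP and mirror it into MySQL.

    LDAP: a Password Modify operation on the user's entry over the
    root-bound connection; old_password may be None (whether the server
    still verifies it for a root bind is server policy, not checked here).
    MySQL: if an account named *user* exists its Password is replaced;
    otherwise 'user'@'localhost' and 'user'@'%' are created with ALL on
    databases named 'user_...'.  The MySQL password is the directory
    secret (SECRET); host/user fall back to MySQLdb's defaults.

    The database name is an identifier and cannot be a bound parameter, so
    it is quoted with backticks (backticks doubled) and the GRANT wildcards
    '_' and '%' inside the user name are escaped -- the old code passed the
    name through escape_string(), which escapes neither backtick nor '%'.
    Raises ldap.LDAPError or MySQLdb.Error from the respective step.
    """
    connection = ldap_connection()

    connection.passwd_s(_user(user), old_password, new_password)
    connection.unbind_s()

    secret_file = open(SECRET, 'rb')

    try:
        mysql_password = secret_file.read()
    finally:
        secret_file.close()

    db = MySQLdb.connect(passwd = mysql_password, db = 'mysql')

    try:
        cursor = db.cursor()

        cursor.execute('select count(User) from user where User = %s', (user,))

        if cursor.fetchone()[0]:
            cursor.execute('update user set Password = PASSWORD(%s) where User = %s', (new_password, user))
            cursor.execute('flush privileges')
        else:
            # Escape LIKE-style wildcards in the name, append the '\_%' tail
            # that matches every 'user_*' database, quote as an identifier,
            # then double every '%' because MySQLdb %-formats the query.
            pattern = user.replace('\\', '\\\\').replace('_', '\\_').replace('%', '\\%')
            database = _mysql_identifier(pattern + '\\_%').replace('%', '%%')
            grants = [(user, host, new_password) for host in ('localhost', '%')]

            cursor.executemany('grant all on ' + database + '.* to %s@%s identified by %s', grants)

        db.commit()
    finally:
        db.close()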
172 douglas 600
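if __name__ == '__main__':
    # Invoked directly (presumably by the install scripts) with the names of
    # settings to print, one per line.  Only names in the allow-list are
    # printed; anything else is ignored.  A dict lookup replaces the old
    # exec of 'print NAME', which had no reason to be dynamic code.
    _PRINTABLE = ('MASTER', 'SLAVE', 'MASTER_URI', 'SLAVE_URI', 'BASE', 'PEOPLE', 'GROUP')

    for arg in sys.argv[1:]:
        if arg in _PRINTABLE:
            sys.stdout.write('%s\n' % globals()[arg])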
