Ejemplo n.º 1
    def create_access(self):
        """Create the configured LDAP and Unix users and groups when missing.

        The client mail comes from the ``main`` section of ``self.conf``; the
        user, password and group names come from its ``access`` section. For
        each enabled backend the user and the group are created only if the
        backend reports that they do not exist, and the user is then added to
        the group unless it is already a member.
        """
        # NOTE(review): both passwords are read from the configuration and
        # handed to create_user() unchanged. How the backends hash or store
        # them is not visible here; confirm the config file is readable only
        # by the account that runs this tool.
        read = self.conf.get
        user_mail = read('main', 'client_mail')

        # Every option is read up front, before any backend is touched.
        unix_account = (
            read('access', 'unix_user'),
            read('access', 'unix_pass'),
            read('access', 'unix_group'),
        )
        ldap_account = (
            read('access', 'ldap_user'),
            read('access', 'ldap_pass'),
            read('access', 'ldap_group'),
        )

        def ensure_account(backend, account):
            # Idempotent provisioning: each step runs only when the backend
            # says the object or the membership is still missing.
            login, password, group = account
            if login and not backend.user_exists(login):
                backend.create_user(login, user_mail, password)
            if group and not backend.group_exists(group):
                backend.create_group(group)
            if login and group and not backend.is_member_of(login, group):
                backend.user_to_group(login, group)

        if CONF_MAP('ldap', 'enabled') and read('access', 'ldap_to_apply'):
            # ask_domain_admin() runs before any LDAP change (presumably to
            # obtain directory admin credentials -- confirm).
            self.ask_domain_admin()
            ensure_account(ldap, ldap_account)

        if CONF_MAP('unix', 'enabled'):
            ensure_account(unix, unix_account)
Ejemplo n.º 2
 def is_member(self, args):
     """Log whether a user belongs to an LDAP group.

     ``args`` must contain the literal ``'is_member'`` entry; after it is
     removed, the first two remaining items are taken as the user and the
     group. The result is only logged; the method always returns True.
     """
     # Removes the entry from the caller's list in place and raises
     # ValueError when it is absent.
     args.remove('is_member')
     names = {'user': args[0], 'group': args[1]}

     # The meaning of the third argument ("") is defined by
     # ldap.is_member_of and is not visible here.
     if ldap.is_member_of(names['user'], names['group'], ""):
         message = t("The user %(user)s is member of %(group)s")
     else:
         message = t("The user %(user)s is NOT member of %(group)s")
     L.info(message % names)

     return True
Ejemplo n.º 3
from uwsas.core import L
from uwsas import core

# Login-time helper: when the user named by PAM_USER belongs to one of the
# site's groups, create /home/<user>/<site> and build a bind-mount command
# that maps the site directory onto it. The code that runs cmd_list is not
# part of this excerpt.
if __name__ == '__main__':

    # The "${...}" values look like template placeholders that are filled in
    # before this script is installed -- TODO confirm against the generator.
    site_name = "${site_name}"
    site_path = "${site_path}"
    ldap_group = "${ldap_group}"
    ldap_dev_team = CONF_MAP('site','ldap_dev_team')
    unix_group = "${unix_group}"
    # os.getenv returns None when PAM_USER is unset; the path below would then
    # become "/home/None/<site_name>".
    pam_user = os.getenv('PAM_USER')
    # NOTE(review): pam_user and site_name go into the path unvalidated. A
    # value containing "/" or ".." would place the mount point outside
    # /home/<user>; consider rejecting such names before use.
    site_home_path = "/home/%s/%s" % (pam_user, site_name)

    # Access is granted when ANY of the configured group checks succeeds; the
    # checks are OR-ed together and every configured one is evaluated.
    is_member = False
    if ldap_group:
        is_member |= ldap.is_member_of(pam_user,ldap_group)

    if ldap_dev_team:
        # The extra '' argument is passed only for the dev-team lookup; its
        # meaning is defined by ldap.is_member_of and is not visible here.
        is_member |= ldap.is_member_of(pam_user,ldap_dev_team,'')
        #L.info("%s, is_member:%s of %s" % (pam_user,is_member,ldap_dev_team))

    if unix_group:
        is_member |= unix.is_member_of(pam_user,unix_group)

    if is_member:
        files.mkdir(site_home_path)
        # chown receives only the path; the owner it applies is chosen inside
        # files.chown and is not visible here.
        files.chown(site_home_path)
        # NOTE(review): the command is assembled by string formatting with no
        # quoting. If the executor passes it to a shell (not visible here),
        # whitespace or shell metacharacters in site_path, site_name or
        # pam_user would alter the command; prefer an argument list or quote
        # each value.
        cmd_list = [
            'mount --bind %s %s' % (site_path, site_home_path),
        ]
Ejemplo n.º 4
    try:
        if not is_admin and CONF_MAP("ldap", "enabled"):
            is_admin |= ldap.is_admin(pam_user)

        if (
            not is_admin
            and unix.is_notunix_user(pam_user)
            and CONF_MAP("ldap", "enabled")
            and CONF_MAP("centrify", "pam_allow_workaround")
        ):
            is_allowed_to_login = False
            with open("/etc/centrifydc/groups.allow", "r") as f:
                for group in f:
                    group = group.strip()
                    if group:
                        print pam_user, group, ldap.is_member_of(pam_user, group, "")
                        is_allowed_to_login |= ldap.is_member_of(pam_user, group, "")
            if not is_allowed_to_login:
                L.error(t("%s is not allowed here! Bye!") % pam_user)
                exit(1)

        if not is_admin:
            cmd_list = [
                "mkdir -p /home/%(user)s" % {"user": pam_user},
                "chown root:%(user)s /home/%(user)s" % {"user": pam_user},
                "chmod g+rx /home/%(user)s" % {"user": pam_user},
                "run-parts --report  %s" % CONF_MAP("libpam_script", "auto_mount_dir"),
            ]

            completed, pinfo = core.exec_cmd_list(cmd_list)
            # if not completed: