def modify_ldap_attributes(username, attributes, keytab, principal): """Adds or modifies arbitrary attributes of a user's LDAP record subject to minor validation beyond the LDAP schema. At the moment, the only attribute that benefits from extra validation is the 'loginShell' attribute. """ for value in attributes.get('loginShell', ()): if not misc.validators.valid_login_shell(value): raise ValueError("Invalid login shell '{}'".format(value)) ldap_ocf.modify_ldap_entry_with_keytab( utils.dn_for_username(username), attributes, keytab, principal, )
def create_account(request, creds, report_status, known_uid=_KNOWN_UID): """Create an account as idempotently as possible. :param known_uid: where to start searching for unused UIDs (see _get_first_available_uid) :return: the UID of the newly created account """ # TODO: better docstring if get_kerberos_principal_with_keytab( request.user_name, creds.kerberos_keytab, creds.kerberos_principal, ): report_status('kerberos principal already exists; skipping creation') else: with report_status('Creating', 'Created', 'Kerberos keytab'): create_kerberos_principal_with_keytab( request.user_name, creds.kerberos_keytab, creds.kerberos_principal, password=decrypt_password( request.encrypted_password, RSA.importKey(open(creds.encryption_key).read()), ), ) if search.user_attrs(request.user_name): report_status('LDAP entry already exists; skipping creation') else: with report_status('Finding', 'Found', 'first available UID'): new_uid = _get_first_available_uid(known_uid) dn = utils.dn_for_username(request.user_name) attrs = { 'objectClass': ['ocfAccount', 'account', 'posixAccount'], 'cn': [request.real_name], 'uidNumber': new_uid, 'gidNumber': getgrnam('ocf').gr_gid, 'homeDirectory': utils.home_dir(request.user_name), 'loginShell': '/bin/bash', 'mail': [request.email], 'userPassword': '******' + request.user_name + '@OCF.BERKELEY.EDU', 'creationTime': datetime.now(), } if request.calnet_uid: attrs['calnetUid'] = request.calnet_uid else: attrs['callinkOid'] = request.callink_oid with report_status('Creating', 'Created', 'LDAP entry'): create_ldap_entry_with_keytab( dn, attrs, creds.kerberos_keytab, creds.kerberos_principal, ) # invalidate passwd cache so that we can immediately chown files # XXX: sometimes this fails, but that's okay because it means # nscd isn't running anyway call(('sudo', 'nscd', '-i', 'passwd')) with report_status('Creating', 'Created', 'home and web directories'): create_home_dir(request.user_name) ensure_web_dir(request.user_name) send_created_mail(request) # TODO: logging to syslog, files return new_uid
def test_dn_for_username(): assert (dn_for_username('kpengboy') == 'uid=kpengboy,ou=People,dc=OCF,dc=Berkeley,dc=EDU')
def create_account(request, creds, report_status, known_uid=_KNOWN_UID): """Create an account as idempotently as possible. :param known_uid: where to start searching for unused UIDs (see _get_first_available_uid) :return: the UID of the newly created account """ # TODO: better docstring if get_kerberos_principal_with_keytab( request.user_name, creds.kerberos_keytab, creds.kerberos_principal, ): report_status('kerberos principal already exists; skipping creation') else: with report_status('Creating', 'Created', 'Kerberos keytab'): create_kerberos_principal_with_keytab( request.user_name, creds.kerberos_keytab, creds.kerberos_principal, password=decrypt_password( request.encrypted_password, RSA.importKey(open(creds.encryption_key).read()), ), ) if search.user_attrs(request.user_name): report_status('LDAP entry already exists; skipping creation') else: with report_status('Finding', 'Found', 'first available UID'): new_uid = _get_first_available_uid(known_uid) dn = utils.dn_for_username(request.user_name) attrs = { 'objectClass': ['ocfAccount', 'account', 'posixAccount'], 'cn': [request.real_name], 'uidNumber': new_uid, 'gidNumber': getgrnam('ocf').gr_gid, 'homeDirectory': utils.home_dir(request.user_name), 'loginShell': '/bin/bash', 'mail': [request.email], 'userPassword': '******' + request.user_name + '@OCF.BERKELEY.EDU', 'creationTime': datetime.now(timezone.utc).astimezone(), } if request.calnet_uid: attrs['calnetUid'] = request.calnet_uid else: attrs['callinkOid'] = request.callink_oid with report_status('Creating', 'Created', 'LDAP entry'): create_ldap_entry_with_keytab( dn, attrs, creds.kerberos_keytab, creds.kerberos_principal, ) # invalidate passwd cache so that we can immediately chown files # XXX: sometimes this fails, but that's okay because it means # nscd isn't running anyway call(('sudo', 'nscd', '-i', 'passwd')) with report_status('Creating', 'Created', 'home and web directories'): create_home_dir(request.user_name) ensure_web_dir(request.user_name) send_created_mail(request) # TODO: logging to syslog, files return new_uid