def modify_ldap_attributes(username, attributes, keytab, principal):
"""Adds or modifies arbitrary attributes of a user's LDAP record subject to
minor validation beyond the LDAP schema.
At the moment, the only attribute that benefits from extra validation is
the 'loginShell' attribute.
"""
for value in attributes.get('loginShell', ()):
if not misc.validators.valid_login_shell(value):
raise ValueError("Invalid login shell '{}'".format(value))
ldap_ocf.modify_ldap_entry_with_keytab(
utils.dn_for_username(username),
attributes,
keytab,
principal,
)
def create_account(request, creds, report_status, known_uid=_KNOWN_UID):
"""Create an account as idempotently as possible.
:param known_uid: where to start searching for unused UIDs (see
_get_first_available_uid)
:return: the UID of the newly created account
"""
# TODO: better docstring
if get_kerberos_principal_with_keytab(
request.user_name,
creds.kerberos_keytab,
creds.kerberos_principal,
):
report_status('kerberos principal already exists; skipping creation')
else:
with report_status('Creating', 'Created', 'Kerberos keytab'):
create_kerberos_principal_with_keytab(
request.user_name,
creds.kerberos_keytab,
creds.kerberos_principal,
password=decrypt_password(
request.encrypted_password,
RSA.importKey(open(creds.encryption_key).read()),
),
)
if search.user_attrs(request.user_name):
report_status('LDAP entry already exists; skipping creation')
else:
with report_status('Finding', 'Found', 'first available UID'):
new_uid = _get_first_available_uid(known_uid)
dn = utils.dn_for_username(request.user_name)
attrs = {
'objectClass': ['ocfAccount', 'account', 'posixAccount'],
'cn': [request.real_name],
'uidNumber': new_uid,
'gidNumber': getgrnam('ocf').gr_gid,
'homeDirectory': utils.home_dir(request.user_name),
'loginShell': '/bin/bash',
'mail': [request.email],
'userPassword': '******' + request.user_name + '@OCF.BERKELEY.EDU',
'creationTime': datetime.now(),
}
if request.calnet_uid:
attrs['calnetUid'] = request.calnet_uid
else:
attrs['callinkOid'] = request.callink_oid
with report_status('Creating', 'Created', 'LDAP entry'):
create_ldap_entry_with_keytab(
dn, attrs, creds.kerberos_keytab, creds.kerberos_principal,
)
# invalidate passwd cache so that we can immediately chown files
# XXX: sometimes this fails, but that's okay because it means
# nscd isn't running anyway
call(('sudo', 'nscd', '-i', 'passwd'))
with report_status('Creating', 'Created', 'home and web directories'):
create_home_dir(request.user_name)
ensure_web_dir(request.user_name)
send_created_mail(request)
# TODO: logging to syslog, files
return new_uid
def test_dn_for_username():
assert (dn_for_username('kpengboy') ==
'uid=kpengboy,ou=People,dc=OCF,dc=Berkeley,dc=EDU')
def create_account(request, creds, report_status, known_uid=_KNOWN_UID):
"""Create an account as idempotently as possible.
:param known_uid: where to start searching for unused UIDs (see
_get_first_available_uid)
:return: the UID of the newly created account
"""
# TODO: better docstring
if get_kerberos_principal_with_keytab(
request.user_name,
creds.kerberos_keytab,
creds.kerberos_principal,
):
report_status('kerberos principal already exists; skipping creation')
else:
with report_status('Creating', 'Created', 'Kerberos keytab'):
create_kerberos_principal_with_keytab(
request.user_name,
creds.kerberos_keytab,
creds.kerberos_principal,
password=decrypt_password(
request.encrypted_password,
RSA.importKey(open(creds.encryption_key).read()),
),
)
if search.user_attrs(request.user_name):
report_status('LDAP entry already exists; skipping creation')
else:
with report_status('Finding', 'Found', 'first available UID'):
new_uid = _get_first_available_uid(known_uid)
dn = utils.dn_for_username(request.user_name)
attrs = {
'objectClass': ['ocfAccount', 'account', 'posixAccount'],
'cn': [request.real_name],
'uidNumber': new_uid,
'gidNumber': getgrnam('ocf').gr_gid,
'homeDirectory': utils.home_dir(request.user_name),
'loginShell': '/bin/bash',
'mail': [request.email],
'userPassword': '******' + request.user_name + '@OCF.BERKELEY.EDU',
'creationTime': datetime.now(timezone.utc).astimezone(),
}
if request.calnet_uid:
attrs['calnetUid'] = request.calnet_uid
else:
attrs['callinkOid'] = request.callink_oid
with report_status('Creating', 'Created', 'LDAP entry'):
create_ldap_entry_with_keytab(
dn,
attrs,
creds.kerberos_keytab,
creds.kerberos_principal,
)
# invalidate passwd cache so that we can immediately chown files
# XXX: sometimes this fails, but that's okay because it means
# nscd isn't running anyway
call(('sudo', 'nscd', '-i', 'passwd'))
with report_status('Creating', 'Created', 'home and web directories'):
create_home_dir(request.user_name)
ensure_web_dir(request.user_name)
send_created_mail(request)
# TODO: logging to syslog, files
return new_uid
def test_dn_for_username():
assert (dn_for_username('kpengboy') ==
'uid=kpengboy,ou=People,dc=OCF,dc=Berkeley,dc=EDU')
