Andrew Bogott has uploaded a new change for review. https://gerrit.wikimedia.org/r/98700
Change subject: Added 'adminadd' tool to auto-generate new user entries. ...................................................................... Added 'adminadd' tool to auto-generate new user entries. This pulls user data from ldap and modifies admins.pp. Change-Id: Ib2ba8e083c5919690f6da96eb3a0d942c8e05744
---
A manifests/adminadd M manifests/admins.pp 2 files changed, 145 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/00/98700/1
diff --git a/manifests/adminadd b/manifests/adminadd
new file mode 100755
index 0000000..af4bf7b
--- /dev/null
+++ b/manifests/adminadd
@@ -0,0 +1,141 @@
+#!/usr/bin/python
+
+#####################################################################
+### THIS SCRIPT IS STRANGE!
+###
+### adminadd is in the puppet repo, but it is not installed by puppet.
+### Rather, it is run in place (next to Admins.pp) and generates
+### a proposed patch which adds the specified user to Admins.pp.
+###
+#####################################################################
+
+
+import sys
+sys.path.append('../modules/ldap/files/scripts')
+import traceback
+import ldapsupportlib
+import copy
+import homedirectorymanager
+import os
+from optparse import OptionParser
+
+
+adminManifest = "admins.pp"
+insertFlag = "-- ADMINADD Insertion Point --"
+
+patchTemplate = ''' class %(name)s inherits baseaccount {
+ $username = '%(name)s'
+ $realname = '%(realname)s'
+ $uid = %(uid)s
+
+ unixaccount { $realname: username => $username, uid => $uid, gid => $gid }
+
+ if $manage_home {
+ Ssh_authorized_key { require => Unixaccount[$realname] }
+
+ ssh_authorized_key { '%(mail)s':
+ ensure => present,
+ user => $username,
+ type => 'ssh-rsa',
+ key => '<your production public key goes here>',
+ }
+ }
+ }
+
+'''
+
+try:
+ import ldap
+ import ldap.modlist
+except ImportError:
+ sys.stderr.write("Unable to import LDAP library.\n")
+ sys.exit(1)
+
+
+def main():
+ parser = OptionParser(conflict_handler="resolve")
+ parser.set_usage('adminadd [options] <username> \nexample: adminadd laner')
+
+ ldapSupportLib = ldapsupportlib.LDAPSupportLib()
+ ldapSupportLib.addParserOptions(parser, "user")
+
+ parser.add_option("-m", "--directorymanager", action="store_true", dest="directorymanager", help="Use the Directory Manager's credentials, rather than your own")
+ (options, args) = parser.parse_args()
+
+ if len(args) != 1:
+ parser.error("addadmin expects exactly one argument, unless using --rename.")
+
+ options.authuser = 'user'
+ ldapSupportLib.setBindInfoByOptions(options, parser)
+
+ base = ldapSupportLib.getBase()
+
+ ds = ldapSupportLib.connect()
+
+ # w00t We're in!
+ try:
+ username = args[0]
+ PosixData = ds.search_s("ou=people," + base, ldap.SCOPE_SUBTREE, "(&(objectclass=inetOrgPerson)(uid=" + username + "))")
+ if not PosixData:
+ raise ldap.NO_SUCH_OBJECT()
+ dn = PosixData[0][0]
+
+ gid = PosixData[0][1]['gidNumber'][0]
+ uid = PosixData[0][1]['uidNumber'][0]
+ mail = PosixData[0][1]['mail'][0]
+
+ if 'displayName' in PosixData[0][1]:
+ realName = PosixData[0][1]['displayName'][0]
+ else:
+ realName = PosixData[0][1]['givenName'][0]
+
+ patchString = patchTemplate % {'name': args[0],
+ 'uid': uid,
+ 'realname': realName,
+ 'mail': mail}
+ tmpfile = "%s.tmp" % adminManifest
+ f = open(adminManifest)
+ g = open(tmpfile, "w")
+
+ for line in f:
+ if insertFlag in line:
+ g.write(patchString)
+ g.write(line)
+ f.close()
+ g.close()
+
+ os.rename(tmpfile, adminManifest)
+
+ print "Done!"
+ print "To view the change, type 'git diff %s" % adminManifest
+ print "Before committing, be sure to proofread and add your public key."
+
+
+ except ldap.UNWILLING_TO_PERFORM, msg:
+ sys.stderr.write("LDAP was unwilling to create the user. Error was: %s\n" % msg[0]["info"])
+ ds.unbind()
+ sys.exit(1)
+ except ldap.NO_SUCH_OBJECT:
+ sys.stderr.write("The user you are trying to modify doesn't exist.\n")
+ ds.unbind()
+ sys.exit(1)
+ except ldap.PROTOCOL_ERROR:
+ sys.stderr.write("There was an LDAP protocol error; see traceback.\n")
+ traceback.print_exc(file=sys.stderr)
+ ds.unbind()
+ sys.exit(1)
+ except Exception:
+ try:
+ sys.stderr.write("There was a general error, this is unexpected; see traceback.\n")
+ traceback.print_exc(file=sys.stderr)
+ ds.unbind()
+ except Exception:
+ sys.stderr.write("Also failed to unbind.\n")
+ traceback.print_exc(file=sys.stderr)
+ sys.exit(1)
+
+ ds.unbind()
+ sys.exit(0)
+
+if __name__ == "__main__":
+ main()
diff --git a/manifests/admins.pp b/manifests/admins.pp
index 726ef8a..12e82c9 100644
--- a/manifests/admins.pp
+++ b/manifests/admins.pp
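Review bot: The search filter on the `PosixData = ds.search_s(...)` line is built by string concatenation, so the command-line `username` goes into the LDAP filter unescaped; an argument like `*` or `x)(uid=y` changes the query instead of being matched literally, and the first entry returned then has its uid, gid and mail written into the manifest under whatever name was typed. Use python-ldap's escaping instead: add `import ldap.filter` next to the existing `import ldap` and pass `ldap.filter.filter_format("(&(objectclass=inetOrgPerson)(uid=%s))", [username])` to `search_s`. The values `realName`, `mail` and `args[0]` are likewise substituted verbatim into `patchTemplate`, so a displayName containing a single quote yields an unparseable Puppet class; the closing `print` asks the operator to proofread, but a comment above `patchString = ...` noting that nothing is quoted or validated would make that expectation explicit. Separately, if `insertFlag` is never found the loop rewrites the file unchanged and still prints "Done!" — count the insertions inside the loop and exit non-zero with a message when none happened, before the `os.rename`. The copy-paste remnants (`addadmin ... unless using --rename` with no such option, "unwilling to create the user" for a read-only search, unused `copy`/`homedirectorymanager`/`ldap.modlist` imports, unused `dn`) are minor but worth cleaning.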
@@ -3151,6 +3151,10 @@ } } + # -- ADMINADD Insertion Point -- + # ^ That line is a marker for the 'adminadd' tool. New accounts are inserted + # immediately before the insertion point. + # FIXME: not an admin. This is more like a system account. class l10nupdate inherits baseaccount { $username = "l10nupdate" -- To view, visit https://gerrit.wikimedia.org/r/98700 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ib2ba8e083c5919690f6da96eb3a0d942c8e05744 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Andrew Bogott <abog...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits