source: trunk/server/common/oursrc/accountadm/signup-scripts-backend.in @ 2713

Last change on this file since 2713 was 2575, checked in by glasgall, 10 years ago
Make signup use GSSAPI auth for LDAP now that ldap master is remote, and pick which server to use at random because we can't use scripts-ldap yet. Committed on trunk because achernya asked me to put it on trunk.
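#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw/ :POSIX /;

# signup-scripts-backend
# Copyright (C) 2006  Jeff Arnold <jbarnold@mit.edu>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
#
# See /COPYRIGHT in this repository for more information.
#
# Usage: signup-scripts-backend USERNAME
#
# Creates the scripts.mit.edu account for an existing Athena user: validates
# the username, looks up the Athena home directory through Hesiod, takes the
# uid/gid from that directory, checks for collisions with local accounts and
# then pushes the posixAccount, posixGroup and vhost entries to LDAP.
# Validation failures are reported through complain(), which prints a short
# message on STDOUT and exits 1; success prints "done" and exits 0.

# Every child (hesinfo, kinit, ldapadd, kdestroy) is started by an explicit
# path, so nothing is ever looked up through PATH.
$ENV{PATH} = '';

my $username = $ARGV[0];

# Complain unless a username was given and it contains only valid
# characters.  \A and \z rather than ^ and $: $ also matches before a trailing
# newline, which would otherwise pass validation and land in the LDIF below.
complain("bad username")
    unless defined $username and $username =~ /\A[\w._-]+\z/;

# Refuse names on the banned list (compared case-insensitively).
open my $banned_fh, '<', '/afs/athena.mit.edu/contrib/scripts/admin/users.banned'
    or complain("internal error");
while (my $banned = <$banned_fh>) {
    chomp $banned;
    complain("banned username") if lc($banned) eq lc($username);
}
close $banned_fh;

# Ask Hesiod for the user's filesystem records and keep the one with the
# lowest "order" value (a record without an order sorts last).
my %filsys;
open my $hesinfo_fh, '-|', '@hesinfo_path@', '--', $username, 'filsys'
    or complain("internal error");
while (my $record = <$hesinfo_fh>) {
    chomp $record;
    my %f;
    @f{qw(type path rw mount order)} = split / /, $record;
    %filsys = %f if ($f{order} || 9999) <= ($filsys{order} || 9999);
}
close $hesinfo_fh;

# Only an AFS home directory under /afs that is mounted at /mit/$username
# is accepted.
unless (%filsys
        && $filsys{type} eq 'AFS'
        && $filsys{path} =~ m{\A/afs/[\w._/-]+}
        && $filsys{mount} eq "/mit/$username") {
    complain("athena user not found");
}
my $homedir = $filsys{path};

# Tell AFS that we don't want to trigger fakestat, and confirm the user's
# homedir.  The opendir/closedir pair only makes the cache manager look at
# the directory; its result is not checked because the chdir above has
# already validated the path.
chdir $homedir or complain("athena homedir not found");
if (opendir my $probe_dh, '.') {
    closedir $probe_dh;
}

# Obtain the uid and gid owning the user's homedir.  stat returns an empty
# list on failure, so the assignment yields 0 and we complain.
my ($uid1, $gid1) = (stat '.')[4, 5]
    or complain("athena homedir could not be examined");

# Complain if user's uid is too low or too high
complain("bad uid") unless ($uid1 > 110 and $uid1 < (1 << 31));

# Complain if user's .scripts-signup file does not exist
#complain("scripts-signup file not found") unless(-e '.scripts-signup');

# Complain if the user's username or uid is already taken locally
complain("username already taken") if getpwnam $username;
complain("uid already taken") if getpwuid $uid1;

# Home directories outside the Athena user tree get the uid as their gid.
if ($homedir !~ m{/afs/athena\.mit\.edu/user/}) {
    $gid1 = $uid1;
}

# Complain if user's gid is already taken
complain("gid already taken") if getgrgid $gid1;

# Signups can be switched off globally (file in AFS) or for this server only
# (/etc/nosignup); either file's contents are appended to the message.
my $disabledmsg = "scripts.mit.edu signups are currently disabled";
if (-e '/afs/athena.mit.edu/contrib/scripts/admin/nosignup') {
    $disabledmsg .= _notice_lines('/afs/athena.mit.edu/contrib/scripts/admin/nosignup');
    complain($disabledmsg);
}
elsif (-e '/etc/nosignup') {
    $disabledmsg .= " on this server";
    $disabledmsg .= _notice_lines('/etc/nosignup');
    complain($disabledmsg);
}

# Get credentials.  The cache file is created up front with File::Temp
# instead of being named by tmpnam(), so there is no window in which another
# process could plant a file at a predictable name; kinit reinitialises the
# existing file in place.  UNLINK removes the cache on every exit path,
# including the complain() calls below, and not only after kdestroy.
my $ccache = File::Temp->new(UNLINK => 1);
$ENV{'KRB5CCNAME'} = $ccache->filename;
my $exit_status = system('/usr/bin/kinit', '-k', '-t', '/etc/signup.keytab',
                         'daemon/scripts-signup.mit.edu');
# Any non-zero wait status is a failure: exit code, death by signal, or a
# failed exec (system returns -1).  Testing only the exit-code byte would
# treat a kinit killed by a signal as success.
if ($exit_status != 0) {
    # Kept as die rather than complain(): the message goes to STDERR and the
    # exit status is not 1, as in the original script.
    die "Couldn't get Kerberos credentials for account creation!";
}

# Pick one of the LDAP masters at random.
my @ldap_servers = ('doppelganger', 'alter-ego', 'body-double');
my $selected_server = $ldap_servers[int rand @ldap_servers];

# Fork ldapadd with its stdin attached to $ldap_fh.  The child's STDOUT is
# redirected to /dev/null so ldapadd's own output cannot end up in the
# status message this script prints; -c lets ldapadd continue past entries
# that fail individually.
my $pid = open my $ldap_fh, '|-';
defined $pid or complain("internal error");
if (!$pid) {
    close STDOUT;
    open STDOUT, '>', '/dev/null' or exit 1;
    exec '@ldapadd_path@', '-c', '-Y', 'gssapi', '-H', "ldap://$selected_server.mit.edu"
        or exit 1;
}
print {$ldap_fh} <<"EOF";
dn: uid=$username,ou=People,dc=scripts,dc=mit,dc=edu
objectClass: posixAccount
cn: $username
uid: $username
uidNumber: $uid1
gidNumber: $gid1
homeDirectory: $homedir
loginShell: /usr/local/bin/mbash

dn: cn=$username,ou=Groups,dc=scripts,dc=mit,dc=edu
objectClass: posixGroup
cn: $username
gidNumber: $gid1

dn: apacheServerName=$username.scripts.mit.edu,ou=VirtualHosts,dc=scripts,dc=mit,dc=edu
objectClass: apacheConfig
apacheServerName: $username.scripts.mit.edu
apacheServerAlias: $username.scripts
apacheDocumentRoot: $homedir/web_scripts
apacheSuexecUid: $uid1
apacheSuexecGid: $gid1

dn: scriptsVhostName=$username.scripts.mit.edu,ou=VirtualHosts,dc=scripts,dc=mit,dc=edu
objectClass: scriptsVhost
scriptsVhostName: $username.scripts.mit.edu
scriptsVhostAlias: $username.scripts
scriptsVhostAccount: uid=$username,ou=People,dc=scripts,dc=mit,dc=edu
scriptsVhostDirectory:

EOF
# close() on a pipe waits for ldapadd and fails if it exited non-zero.
close $ldap_fh or complain("internal error");
# Add disk quota for user
#system('@sudo_path@', '-u', 'root', '/usr/sbin/setquota', $username, '0', '25000', '0', '10000', '-a');

# Drop the credentials.  Explicit path, same as kinit above: PATH is empty
# and the current directory is the user's home directory, so a bare command
# name must never be resolved from here.
system('/usr/bin/kdestroy');

printexit("done", 0);

# Read a nosignup notice file and return its lines, each prefixed with a
# newline, ready to be appended to the disabled message.  An unreadable file
# is reported as "internal error", like every other open() in this script.
sub _notice_lines {
    my ($path) = @_;
    open my $fh, '<', $path or complain("internal error");
    my @lines = <$fh>;
    close $fh;
    chomp @lines;
    return join '', map { "\n$_" } @lines;
}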
160
# Report a failure to the caller and stop: the complaint is written to STDOUT
# and the script exits with status 1.  Never returns.
sub complain {
    my $complaint = shift;
    printexit($complaint, 1);
}
165
# Write $msg to STDOUT exactly as given (no newline is appended) and exit
# with $status.  Used for the final "done" as well as by complain().
sub printexit {
    my ($msg, $status) = @_;
    print $msg;
    exit $status;
}