1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
|
#!/usr/local/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(ldap_explode_dn escape_filter_value);
use Authen::SASL;
open my $fh, '<', '/usr/local/etc/openldap/ldap.conf' or die($!);
my %config;
while (<$fh>) {
chomp;
next if /^#/;
my @pair = split(' ', $_, 2);
next unless (@pair == 2);
$config{$pair[0]} = $pair[1];
}
close($fh);
my $mech = $config{SASL_MECH} // 'GSSAPI';
my $uri = $config{URI} // die("URI not specified\n");
my $user_basedn = $config{USERS_BASE} // die("USERS_BASE not specified\n");
my $group_basedn = $config{GROUPS_BASE} // die("GROUPS_BASE not specified\n");
my $role_basedn = $config{ROLES_BASE} // die("ROLES_BASE not specified\n");
my $GITOLITE_SHELL = '/usr/local/libexec/gitolite/gitolite-shell';
my $conn = Net::LDAP->new($uri, version => '3') or die "$0: $@";
my $sasl = Authen::SASL->new($mech);
my $status = $conn->bind(sasl => $sasl);
$status->code and die "$0: ".$status->error;
my $filter = '(sshPublicKey=*)';
if (@ARGV) {
$filter = '(&(sshPublicKey=*)(|('.join(')(', map { 'memberOf=cn='.escape_filter_value($_).",$role_basedn" } @ARGV).')))';
}
my $search = $conn->search(
scope => 'sub',
base => $user_basedn,
filter => $filter,
attrs => ['uid', 'sshPublicKey']);
$search->code and die "$0: ".$search->error;
foreach my $entry ($search->entries) {
my $uid = ($entry->get_value('uid'))[0];
foreach my $pubkey ($entry->get_value('sshPublicKey')) {
next unless rindex($pubkey, 'ssh-', 0) == 0;
print "command=\"$GITOLITE_SHELL $uid\",restrict $pubkey\n";
}
}
|