diff options
Diffstat (limited to 'roles/gitolite/templates/usr/local/bin/gitolite-authorizedkeys.j2')
-rw-r--r-- | roles/gitolite/templates/usr/local/bin/gitolite-authorizedkeys.j2 | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/roles/gitolite/templates/usr/local/bin/gitolite-authorizedkeys.j2 b/roles/gitolite/templates/usr/local/bin/gitolite-authorizedkeys.j2 new file mode 100644 index 0000000..23bfee9 --- /dev/null +++ b/roles/gitolite/templates/usr/local/bin/gitolite-authorizedkeys.j2 @@ -0,0 +1,37 @@ +#!/usr/libexec/platform-python + +import os +import ldap +import ldap.sasl +import ldap.filter + +GITOLITE_ACCESS_GROUP = '{{ gitolite_access_group }}' +GITOLITE_ADMIN_GROUP = '{{ gitolite_admin_group }}' +GITOLITE_SHELL = '{{ gitolite_shell }}' + +LDAP_URI = '{{ freeipa_ldap_uri }}' +USER_BASEDN = '{{ freeipa_user_basedn }}' +GROUP_BASEDN = '{{ freeipa_group_basedn }}' + +GITOLITE_KEY_TEMPLATE = 'command="{shell} {uid}",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty {pubkey}' + +os.environ['GSS_USE_PROXY'] = 'yes' +conn = ldap.initialize(LDAP_URI) +conn.protocol_version = ldap.VERSION3 +conn.sasl_interactive_bind_s('', ldap.sasl.sasl({}, 'GSSAPI')) + +filter = ldap.filter.filter_format( + '(&(ipaSshPubKey=*)(|(memberOf=cn=%s,%s)(memberOf=cn=%s,%s)))', + [GITOLITE_ADMIN_GROUP, GROUP_BASEDN, GITOLITE_ACCESS_GROUP, GROUP_BASEDN]) + +results = conn.search_s( + USER_BASEDN, + ldap.SCOPE_SUBTREE, + filter, + ['uid', 'ipaSshPubKey']) + +for (dn, attributes) in results: + uid = attributes['uid'][0].decode('utf-8') + for pubkey in [pk.decode('utf-8') for pk in attributes['ipaSshPubKey']]: + if pubkey.startswith('ssh-'): + print(GITOLITE_KEY_TEMPLATE.format(shell=GITOLITE_SHELL, uid=uid, pubkey=pubkey)) |