6 # l = ldap.open("W92-130-LDAP-2.mit.edu")
7 # # ldap.mit.edu is 1/2 broken right now so we're going to the working backend
8 # l.simple_bind_s("", "")
10 # def getLdapGroups(user):
12 # getLdapGroups(user): returns a generator for the list of LDAP groups containing user
14 # for user_data in l.search_s("ou=affiliates,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uid=" + user, []):
15 # for group_data in l.search_s("ou=groups,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uniqueMember="+user_data[0], ['cn']):
16 # yield group_data[1]['cn'][0]
18 # def checkLdapGroups(user, group):
20 # checkLdapGroups(user, group): returns True if and only if user is in LDAP group group
22 # for result_data in l.search_s("ou=affiliates,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uid=" + user, []):
23 # if l.search_s("ou=groups,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "(&(cn=" + group + ")(uniqueMember="+result_data[0] + "))", []) != []:
27 class AfsProcessError(Exception):
30 def getAfsGroupMembers(group, cell):
31 p = subprocess.Popen(["pts", "membership", "-encrypt", group, '-c', cell],
32 stdout=subprocess.PIPE, stderr=subprocess.PIPE)
34 if err: #Error code doesn't reveal missing groups, but stderr does
35 raise AfsProcessError(err)
36 return [line.strip() for line in p.stdout.readlines()[1:]]
38 def getLockerPath(locker):
39 if '/' in locker or locker in ['.', '..']:
40 raise AfsProcessError("Locker '%s' is invalid." % locker)
41 return '/mit/' + locker
44 p = subprocess.Popen(["fs", "whichcell", getLockerPath(locker)],
45 stdout=subprocess.PIPE, stderr=subprocess.PIPE)
47 raise AfsProcessError(p.stderr.read())
48 return p.stdout.read().split()[-1][1:-1]
50 def getLockerAcl(locker):
51 p = subprocess.Popen(["fs", "listacl", getLockerPath(locker)],
52 stdout=subprocess.PIPE, stderr=subprocess.PIPE)
54 raise AfsProcessError(p.stderr.read())
55 lines = p.stdout.readlines()
57 for line in lines[1:]:
59 if fields[0] == 'Negative':
62 values.append(fields[0])
65 def notLockerOwner(user, locker):
67 notLockerOwner(user, locker) returns false if and only if user administers locker.
69 If the user does not own the locker, returns the string reason for
73 cell = getCell(locker)
74 values = getLockerAcl(locker)
75 except AfsProcessError, e:
79 if entry == user or (entry[0:6] == "system" and
80 user in getAfsGroupMembers(entry, cell)):
82 return "You don't have admin bits on " + getLockerPath(locker)
85 if __name__ == "__main__":
86 # print list(getldapgroups("tabbott"))
87 print "tabbott" in getAfsGroupMembers("system:debathena", 'athena.mit.edu')
88 print "tabbott" in getAfsGroupMembers("system:debathena", 'sipb.mit.edu')
89 print "tabbott" in getAfsGroupMembers("system:debathena-root", 'athena.mit.edu')
90 print "tabbott" in getAfsGroupMembers("system:hmmt-request", 'athena.mit.edu')
91 print notLockerOwner("tabbott", "tabbott")
92 print notLockerOwner("tabbott", "debathena")
93 print notLockerOwner("tabbott", "sipb")
94 print notLockerOwner("tabbott", "lsc")
95 print notLockerOwner("tabbott", "scripts")
96 print notLockerOwner("ecprice", "hmmt")