systems/eldiron/pub/ldap_pub.sh

   1 ### This snippet is not standalone and must be integrated in the global ldap_authorized_keys.sh
   2 LDAP_PUB_RESTRICT_MEMBER="@pub_ldap_pub_group@"
   3 LDAP_PUB_FORWARD_MEMBER="@pub_ldap_forward_group@"
   4 ECHO="@pub_echo_command@"
   5
   6 if [[ $user == pub ]]; then
   7   allowed_logins=$(LDAP_BASE=$USER_LDAP_BASE \
   8     ldap_search '(memberOf='$LDAP_PUB_RESTRICT_MEMBER')' '' \
   9       | grep ^dn \
  10       | sed -e "s/^dn: uid=\([^,]*\),.*$USER_LDAP_BASE$/'\1'/" \
  11       | paste -sd,)
  12
  13   allowed_forwards=$(LDAP_BASE=$USER_LDAP_BASE \
  14     ldap_search '(memberOf='$LDAP_PUB_FORWARD_MEMBER')' '' \
  15       | grep ^dn \
  16       | sed -e "s/^dn: uid=\([^,]*\),.*$USER_LDAP_BASE$/'\1'/" \
  17       | paste -sd,)
  18
  19   psql_search "SELECT login, key FROM ldap_users_ssh_keys WHERE realm = 'immae' AND 'pub' = ANY(usage) AND login IN ($allowed_logins);" | while IFS='|' read user key; do
  20     if [ ! -z "$key" ]; then
  21       if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
  22         echo -n 'command="@pub_restrict_command@ '$user'" '
  23         echo $key
  24       fi
  25     fi
  26   done
  27
  28   psql_search "SELECT login, key FROM ldap_users_ssh_keys WHERE realm = 'immae' AND 'forward' = ANY(usage) AND login IN ($allowed_logins,$allowed_forwards);" | while IFS='|' read user key; do
  29     if [ ! -z "$key" ]; then
  30       if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
  31         echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" '
  32         echo $key
  33       fi
  34     fi
  35   done
  36   exit 0
  37 fi
  38