4 files changed, 242 insertions, 0 deletions
diff --git a/libs.nix b/libs.nix
index c85808b..ad517f2 100644
--- a/libs.nix
+++ b/libs.nix
@@ -37,4 +37,22 @@ in
    };
  checkEnv = var: builtins.stringLength (builtins.getEnv var) > 0;
+  wrap = { paths ? [], vars ? {}, file ? null, script ? null, name ? "wrap" }:
+    assert file != null || script != null ||
+      abort "wrap needs 'file' or 'script' argument";
+    with rec {
+      set  = n: v: "--set ${pkgs.lib.escapeShellArg n} " +
+                    "${pkgs.lib.escapeShellArg v}";
+      args = (map (p: "--prefix PATH : ${p}/bin") paths) ++
+            (builtins.attrValues (pkgs.lib.mapAttrs set vars));
+    };
+    runCommand name
+      {
+        f           = if file == null then writeScript name script else file;
+        buildInputs = [ makeWrapper ];
+      }
+      ''
+        makeWrapper "$f" "$out" ${toString args}
+      '';
 }
diff --git a/virtual/eldiron.nix b/virtual/eldiron.nix
index 36b765c..292b31a 100644
--- a/virtual/eldiron.nix
+++ b/virtual/eldiron.nix
@@ -86,6 +86,26 @@
      # };
    };
+    services.openssh.extraConfig = ''
+      AuthorizedKeysCommand     /etc/ssh/ldap_authorized_keys
+      AuthorizedKeysCommandUser nobody
+      '';
+    # FIXME: after initial install, need to
+    # (1) copy rc file (adjust gitolite_ldap_groups.sh)
+    # (2) (mark old readonly and) sync repos except gitolite-admin
+    #     rsync -av --exclude=gitolite-admin.git old:/var/lib/gitolite/repositories /var/lib/gitolite/
+    #     chown -R gitolite:gitolite /var/lib/gitolite
+    # (3) push force the gitolite-admin to new location (from external point)
+    #     Don't use an existing key, it will take precedence over
+    #     gitolite-admin
+    # (4) su -u gitolite gitolite setup
+    services.gitolite = {
+      enable = true;
+      # FIXME: key from ./ssh
+      adminPubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXqRbiHw7QoHADNIEuo4nUT9fSOIEBMdJZH0bkQAxXyJFyCM1IMz0pxsHV0wu9tdkkr36bPEUj2aV5bkYLBN6nxcV2Y49X8bjOSCPfx3n6Own1h+NeZVBj4ZByrFmqCbTxUJIZ2bZKcWOFncML39VmWdsVhNjg0X4NBBehqXRIKr2gt3E/ESAxTYJFm0BnU0baciw9cN0bsRGqvFgf5h2P48CIAfwhVcGmPQnnAwabnosYQzRWxR0OygH5Kd8mePh6FheIRIigfXsDO8f/jdxwut8buvNIf3m5EBr3tUbTsvM+eV3M5vKGt7sk8T64DVtepTSdOOWtp+47ktsnHOMh immae@immae.eu";
+    };
    services.ympd = mypkgs.ympd.config // { enable = true; };
    services.phpfpm = {
@@ -118,6 +138,45 @@
        mkdir -p /run/redis
        chown redis /run/redis
        '';
+      gitolite =
+        assert mylibs.checkEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
+        let
+        gitolite_ldap_groups = mylibs.wrap {
+          name = "gitolite_ldap_groups.sh";
+          file = ./packages/gitolite_ldap_groups.sh;
+          vars = {
+            LDAP_PASS = builtins.getEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
+          };
+          paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.coreutils ];
+        };
+      in {
+        deps = [ "users" ];
+        text = ''
+          if [ -d /var/lib/gitolite ]; then
+            ln -sf ${gitolite_ldap_groups} /var/lib/gitolite/gitolite_ldap_groups.sh
+          fi
+        '';
+      };
+    };
+    environment.etc."ssh/ldap_authorized_keys" = let
+      ldap_authorized_keys =
+        assert mylibs.checkEnv "NIXOPS_SSHD_LDAP_PASSWORD";
+        mylibs.wrap {
+          name = "ldap_authorized_keys";
+          file = ./ldap_authorized_keys.sh;
+          vars = {
+            LDAP_PASS = builtins.getEnv "NIXOPS_SSHD_LDAP_PASSWORD";
+            GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell";
+            ECHO = "${pkgs.coreutils}/bin/echo";
+          };
+          paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
+        };
+    in {
+      enable = true;
+      mode = "0755";
+      user = "root";
+      source = ldap_authorized_keys;
    };
    services.httpd = let
diff --git a/virtual/ldap_authorized_keys.sh b/virtual/ldap_authorized_keys.sh
new file mode 100755
index 0000000..e8d7a64
--- /dev/null
+++ b/virtual/ldap_authorized_keys.sh
@@ -0,0 +1,150 @@
+#!/usr/bin/env bash
+LDAPSEARCH=ldapsearch
+KEY="immaeSshKey"
+LDAP_BIND="cn=ssh,ou=services,dc=immae,dc=eu"
+#LDAP_PASS="password taken from environment"
+LDAP_HOST="ldap.immae.eu"
+LDAP_MEMBER="cn=users,cn=ssh,ou=services,dc=immae,dc=eu"
+LDAP_GITOLITE_MEMBER="cn=users,cn=gitolite,ou=services,dc=immae,dc=eu"
+LDAP_PUB_RESTRICT_MEMBER="cn=restrict,cn=pub,ou=services,dc=immae,dc=eu"
+LDAP_PUB_FORWARD_MEMBER="cn=forward,cn=pub,ou=services,dc=immae,dc=eu"
+LDAP_BASE="dc=immae,dc=eu"
+suitable_for() {
+  type_for="$1"
+  key="$2"
+  if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
+    echo "$key"
+  else
+    key_type=$(cut -d " " -f 1 <<< "$key")
+    if grep -q "\b-$type_for\b" <<< "$key_type"; then
+      echo ""
+    elif grep -q "\b$type_for\b" <<< "$key_type"; then
+      echo $(sed -e "s/^[^ ]* //g" <<< "$key")
+    else
+      echo ""
+    fi
+  fi
+}
+clean_key_line() {
+  type_for="$1"
+  line="$2"
+  if [[ "$line" == $KEY::* ]]; then
+    # base64 keys should't happen, unless wrong copy-pasting
+    key=""
+  else
+    key=$(sed -e "s/^$KEY: *//" -e "s/ *$//" <<< "$line")
+  fi
+  suitable_for "$type_for" "$key"
+}
+ldap_search() {
+  $LDAPSEARCH -h $LDAP_HOST -b $LDAP_BASE -D $LDAP_BIND -w "$LDAP_PASS" -x -o ldif-wrap=no -LLL "$@"
+}
+ldap_keys() {
+  user=$1;
+  if [[ $user == gitolite ]]; then
+    ldap_search '(&(memberOf='$LDAP_GITOLITE_MEMBER')('$KEY'=*))' $KEY | \
+      while read line ;
+      do
+        if [ ! -z "$line" ]; then
+          if [[ $line == dn* ]]; then
+            user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line")
+            if [ -n "$user" ]; then
+              if [[ $user == "immae" ]] || [[ $user == "denise" ]]; then
+                # Capitalize first letter (backward compatibility)
+                user=$(sed -r 's/^([a-z])/\U\1/' <<< "$user")
+              fi
+            else
+              # Service fake user
+              user=$(sed -n 's/.*cn=\([^,]*\).*/\1/p' <<< "$line")
+            fi
+          elif [[ $line == $KEY* ]]; then
+            key=$(clean_key_line git "$line")
+            if [ ! -z "$key" ]; then
+              if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
+                echo -n 'command="'$GITOLITE_SHELL' '$user'",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty '
+                echo $key
+              fi
+            fi
+          fi
+        fi
+      done
+    exit 0
+  elif [[ $user == pub ]]; then
+    ldap_search '(&(memberOf='$LDAP_PUB_RESTRICT_MEMBER')('$KEY'=*))' $KEY | \
+      while read line ;
+      do
+        if [ ! -z "$line" ]; then
+          if [[ $line == dn* ]]; then
+            echo ""
+            user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line")
+            echo "# $user"
+          elif [[ $line == $KEY* ]]; then
+            key=$(clean_key_line pub "$line")
+            key_forward=$(clean_key_line forward "$line")
+            if [ ! -z "$key" ]; then
+              if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
+                echo -n 'command="$HOME/bin/restrict '$user'" '
+                echo $key
+              fi
+            elif [ ! -z "$key_forward" ]; then
+              if [[ $key_forward != *$'\n'* ]] && [[ $key_forward == ssh-* ]]; then
+                echo "# forward only"
+                echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" '
+                echo $key_forward
+              fi
+            fi
+          fi
+        fi
+      done
+    echo ""
+    ldap_search '(&(memberOf='$LDAP_PUB_FORWARD_MEMBER')('$KEY'=*))' $KEY | \
+      while read line ;
+      do
+        if [ ! -z "$line" ]; then
+          if [[ $line == dn* ]]; then
+            echo ""
+            user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line")
+            echo "# $user"
+          elif [[ $line == $KEY* ]]; then
+            key=$(clean_key_line forward "$line")
+            if [ ! -z "$key" ]; then
+              if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
+                echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" '
+                echo $key
+              fi
+            fi
+          fi
+        fi
+      done
+    exit 0
+  else
+    ldap_search '(&(memberOf='$LDAP_MEMBER')('$KEY'=*)(uid='$user'))' $KEY | \
+      while read line ;
+      do
+        if [ ! -z "$line" ]; then
+          if [[ $line == dn* ]]; then
+            user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line")
+          elif [[ $line == $KEY* ]]; then
+            key=$(clean_key_line ssh "$line")
+            if [ ! -z "$key" ]; then
+              if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
+                echo $key
+              fi
+            fi
+          fi
+        fi
+      done
+  fi
+}
+ldap_keys $@
diff --git a/virtual/packages/gitolite_ldap_groups.sh b/virtual/packages/gitolite_ldap_groups.sh
new file mode 100755
index 0000000..5f7ef6d
--- /dev/null
+++ b/virtual/packages/gitolite_ldap_groups.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+uid_param="$1"
+ldap_host="ldap.immae.eu"
+ldap_binddn="cn=gitolite,ou=services,dc=immae,dc=eu"
+ldap_bindpw="$LDAP_PASS"
+ldap_searchbase="dc=immae,dc=eu"
+ldap_scope="subtree"
+ldap_options="-h ${ldap_host} -x -D ${ldap_binddn} -w ${ldap_bindpw} -b ${ldap_searchbase} -s ${ldap_scope}"
+ldap_filter="(&(memberOf=cn=groups,cn=gitolite,ou=services,dc=immae,dc=eu)(|(member=uid=${uid_param},ou=users,dc=immae,dc=eu)(member=uid=${uid_param},ou=group_users,dc=immae,dc=eu)))"
+ldap_result=$(ldapsearch ${ldap_options} -LLL "${ldap_filter}" cn | grep 'cn:' | cut -d' ' -f2)
+echo "$ldap_result"

diff --git a/libs.nix b/libs.nix index c85808b..ad517f2 100644 --- a/libs.nix +++ b/libs.nix
@@ -37,4 +37,22 @@ in
37	};	37	};
38		38
39	checkEnv = var: builtins.stringLength (builtins.getEnv var) > 0;	39	checkEnv = var: builtins.stringLength (builtins.getEnv var) > 0;
		40
		41	wrap = { paths ? [], vars ? {}, file ? null, script ? null, name ? "wrap" }:
		42	assert file != null \|\| script != null \|\|
		43	abort "wrap needs 'file' or 'script' argument";
		44	with rec {
		45	set = n: v: "--set ${pkgs.lib.escapeShellArg n} " +
		46	"${pkgs.lib.escapeShellArg v}";
		47	args = (map (p: "--prefix PATH : ${p}/bin") paths) ++
		48	(builtins.attrValues (pkgs.lib.mapAttrs set vars));
		49	};
		50	runCommand name
		51	{
		52	f = if file == null then writeScript name script else file;
		53	buildInputs = [ makeWrapper ];
		54	}
		55	''
		56	makeWrapper "$f" "$out" ${toString args}
		57	'';
40	}	58	}


diff --git a/virtual/eldiron.nix b/virtual/eldiron.nix index 36b765c..292b31a 100644 --- a/virtual/eldiron.nix +++ b/virtual/eldiron.nix
@@ -86,6 +86,26 @@
86	# };	86	# };
87	};	87	};
88		88
		89	services.openssh.extraConfig = ''
		90	AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
		91	AuthorizedKeysCommandUser nobody
		92	'';
		93
		94	# FIXME: after initial install, need to
		95	# (1) copy rc file (adjust gitolite_ldap_groups.sh)
		96	# (2) (mark old readonly and) sync repos except gitolite-admin
		97	# rsync -av --exclude=gitolite-admin.git old:/var/lib/gitolite/repositories /var/lib/gitolite/
		98	# chown -R gitolite:gitolite /var/lib/gitolite
		99	# (3) push force the gitolite-admin to new location (from external point)
		100	# Don't use an existing key, it will take precedence over
		101	# gitolite-admin
		102	# (4) su -u gitolite gitolite setup
		103	services.gitolite = {
		104	enable = true;
		105	# FIXME: key from ./ssh
		106	adminPubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXqRbiHw7QoHADNIEuo4nUT9fSOIEBMdJZH0bkQAxXyJFyCM1IMz0pxsHV0wu9tdkkr36bPEUj2aV5bkYLBN6nxcV2Y49X8bjOSCPfx3n6Own1h+NeZVBj4ZByrFmqCbTxUJIZ2bZKcWOFncML39VmWdsVhNjg0X4NBBehqXRIKr2gt3E/ESAxTYJFm0BnU0baciw9cN0bsRGqvFgf5h2P48CIAfwhVcGmPQnnAwabnosYQzRWxR0OygH5Kd8mePh6FheIRIigfXsDO8f/jdxwut8buvNIf3m5EBr3tUbTsvM+eV3M5vKGt7sk8T64DVtepTSdOOWtp+47ktsnHOMh immae@immae.eu";
		107	};
		108
89	services.ympd = mypkgs.ympd.config // { enable = true; };	109	services.ympd = mypkgs.ympd.config // { enable = true; };
90		110
91	services.phpfpm = {	111	services.phpfpm = {
@@ -118,6 +138,45 @@
118	mkdir -p /run/redis	138	mkdir -p /run/redis
119	chown redis /run/redis	139	chown redis /run/redis
120	'';	140	'';
		141	gitolite =
		142	assert mylibs.checkEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
		143	let
		144	gitolite_ldap_groups = mylibs.wrap {
		145	name = "gitolite_ldap_groups.sh";
		146	file = ./packages/gitolite_ldap_groups.sh;
		147	vars = {
		148	LDAP_PASS = builtins.getEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
		149	};
		150	paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.coreutils ];
		151	};
		152	in {
		153	deps = [ "users" ];
		154	text = ''
		155	if [ -d /var/lib/gitolite ]; then
		156	ln -sf ${gitolite_ldap_groups} /var/lib/gitolite/gitolite_ldap_groups.sh
		157	fi
		158	'';
		159	};
		160	};
		161
		162	environment.etc."ssh/ldap_authorized_keys" = let
		163	ldap_authorized_keys =
		164	assert mylibs.checkEnv "NIXOPS_SSHD_LDAP_PASSWORD";
		165	mylibs.wrap {
		166	name = "ldap_authorized_keys";
		167	file = ./ldap_authorized_keys.sh;
		168	vars = {
		169	LDAP_PASS = builtins.getEnv "NIXOPS_SSHD_LDAP_PASSWORD";
		170	GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell";
		171	ECHO = "${pkgs.coreutils}/bin/echo";
		172	};
		173	paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
		174	};
		175	in {
		176	enable = true;
		177	mode = "0755";
		178	user = "root";
		179	source = ldap_authorized_keys;
121	};	180	};
122		181
123	services.httpd = let	182	services.httpd = let


diff --git a/virtual/ldap_authorized_keys.sh b/virtual/ldap_authorized_keys.sh new file mode 100755 index 0000000..e8d7a64 --- /dev/null +++ b/virtual/ldap_authorized_keys.sh
@@ -0,0 +1,150 @@
		1	#!/usr/bin/env bash
		2
		3	LDAPSEARCH=ldapsearch
		4	KEY="immaeSshKey"
		5	LDAP_BIND="cn=ssh,ou=services,dc=immae,dc=eu"
		6	#LDAP_PASS="password taken from environment"
		7	LDAP_HOST="ldap.immae.eu"
		8	LDAP_MEMBER="cn=users,cn=ssh,ou=services,dc=immae,dc=eu"
		9	LDAP_GITOLITE_MEMBER="cn=users,cn=gitolite,ou=services,dc=immae,dc=eu"
		10	LDAP_PUB_RESTRICT_MEMBER="cn=restrict,cn=pub,ou=services,dc=immae,dc=eu"
		11	LDAP_PUB_FORWARD_MEMBER="cn=forward,cn=pub,ou=services,dc=immae,dc=eu"
		12	LDAP_BASE="dc=immae,dc=eu"
		13
		14	suitable_for() {
		15	type_for="$1"
		16	key="$2"
		17
		18	if [[ $key != $'\n' ]] && [[ $key == ssh-* ]]; then
		19	echo "$key"
		20	else
		21	key_type=$(cut -d " " -f 1 <<< "$key")
		22
		23	if grep -q "\b-$type_for\b" <<< "$key_type"; then
		24	echo ""
		25	elif grep -q "\b$type_for\b" <<< "$key_type"; then
		26	echo $(sed -e "s/^[^ ]* //g" <<< "$key")
		27	else
		28	echo ""
		29	fi
		30	fi
		31	}
		32
		33	clean_key_line() {
		34	type_for="$1"
		35	line="$2"
		36
		37	if [[ "$line" == $KEY::* ]]; then
		38	# base64 keys should't happen, unless wrong copy-pasting
		39	key=""
		40	else
		41	key=$(sed -e "s/^$KEY: //" -e "s/ $//" <<< "$line")
		42	fi
		43
		44	suitable_for "$type_for" "$key"
		45	}
		46
		47	ldap_search() {
		48	$LDAPSEARCH -h $LDAP_HOST -b $LDAP_BASE -D $LDAP_BIND -w "$LDAP_PASS" -x -o ldif-wrap=no -LLL "$@"
		49	}
		50
		51	ldap_keys() {
		52	user=$1;
		53	if [[ $user == gitolite ]]; then
		54	ldap_search '(&(memberOf='$LDAP_GITOLITE_MEMBER')('$KEY'=*))' $KEY \| \
		55	while read line ;
		56	do
		57	if [ ! -z "$line" ]; then
		58	if [[ $line == dn* ]]; then
		59	user=$(sed -n 's/.uid=\([^,]\).*/\1/p' <<< "$line")
		60	if [ -n "$user" ]; then
		61	if [[ $user == "immae" ]] \|\| [[ $user == "denise" ]]; then
		62	# Capitalize first letter (backward compatibility)
		63	user=$(sed -r 's/^([a-z])/\U\1/' <<< "$user")
		64	fi
		65	else
		66	# Service fake user
		67	user=$(sed -n 's/.cn=\([^,]\).*/\1/p' <<< "$line")
		68	fi
		69	elif [[ $line == $KEY* ]]; then
		70	key=$(clean_key_line git "$line")
		71	if [ ! -z "$key" ]; then
		72	if [[ $key != $'\n' ]] && [[ $key == ssh-* ]]; then
		73	echo -n 'command="'$GITOLITE_SHELL' '$user'",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty '
		74	echo $key
		75	fi
		76	fi
		77	fi
		78	fi
		79	done
		80	exit 0
		81	elif [[ $user == pub ]]; then
		82	ldap_search '(&(memberOf='$LDAP_PUB_RESTRICT_MEMBER')('$KEY'=*))' $KEY \| \
		83	while read line ;
		84	do
		85	if [ ! -z "$line" ]; then
		86	if [[ $line == dn* ]]; then
		87	echo ""
		88	user=$(sed -n 's/.uid=\([^,]\).*/\1/p' <<< "$line")
		89	echo "# $user"
		90	elif [[ $line == $KEY* ]]; then
		91	key=$(clean_key_line pub "$line")
		92	key_forward=$(clean_key_line forward "$line")
		93	if [ ! -z "$key" ]; then
		94	if [[ $key != $'\n' ]] && [[ $key == ssh-* ]]; then
		95	echo -n 'command="$HOME/bin/restrict '$user'" '
		96	echo $key
		97	fi
		98	elif [ ! -z "$key_forward" ]; then
		99	if [[ $key_forward != $'\n' ]] && [[ $key_forward == ssh-* ]]; then
		100	echo "# forward only"
		101	echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" '
		102	echo $key_forward
		103	fi
		104	fi
		105	fi
		106	fi
		107	done
		108
		109	echo ""
		110	ldap_search '(&(memberOf='$LDAP_PUB_FORWARD_MEMBER')('$KEY'=*))' $KEY \| \
		111	while read line ;
		112	do
		113	if [ ! -z "$line" ]; then
		114	if [[ $line == dn* ]]; then
		115	echo ""
		116	user=$(sed -n 's/.uid=\([^,]\).*/\1/p' <<< "$line")
		117	echo "# $user"
		118	elif [[ $line == $KEY* ]]; then
		119	key=$(clean_key_line forward "$line")
		120	if [ ! -z "$key" ]; then
		121	if [[ $key != $'\n' ]] && [[ $key == ssh-* ]]; then
		122	echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" '
		123	echo $key
		124	fi
		125	fi
		126	fi
		127	fi
		128	done
		129	exit 0
		130	else
		131	ldap_search '(&(memberOf='$LDAP_MEMBER')('$KEY'=*)(uid='$user'))' $KEY \| \
		132	while read line ;
		133	do
		134	if [ ! -z "$line" ]; then
		135	if [[ $line == dn* ]]; then
		136	user=$(sed -n 's/.uid=\([^,]\).*/\1/p' <<< "$line")
		137	elif [[ $line == $KEY* ]]; then
		138	key=$(clean_key_line ssh "$line")
		139	if [ ! -z "$key" ]; then
		140	if [[ $key != $'\n' ]] && [[ $key == ssh-* ]]; then
		141	echo $key
		142	fi
		143	fi
		144	fi
		145	fi
		146	done
		147	fi
		148	}
		149
		150	ldap_keys $@


diff --git a/virtual/packages/gitolite_ldap_groups.sh b/virtual/packages/gitolite_ldap_groups.sh new file mode 100755 index 0000000..5f7ef6d --- /dev/null +++ b/virtual/packages/gitolite_ldap_groups.sh
@@ -0,0 +1,15 @@
		1	#!/usr/bin/env bash
		2
		3	uid_param="$1"
		4	ldap_host="ldap.immae.eu"
		5	ldap_binddn="cn=gitolite,ou=services,dc=immae,dc=eu"
		6	ldap_bindpw="$LDAP_PASS"
		7	ldap_searchbase="dc=immae,dc=eu"
		8	ldap_scope="subtree"
		9
		10	ldap_options="-h ${ldap_host} -x -D ${ldap_binddn} -w ${ldap_bindpw} -b ${ldap_searchbase} -s ${ldap_scope}"
		11
		12	ldap_filter="(&(memberOf=cn=groups,cn=gitolite,ou=services,dc=immae,dc=eu)(\|(member=uid=${uid_param},ou=users,dc=immae,dc=eu)(member=uid=${uid_param},ou=group_users,dc=immae,dc=eu)))"
		13	ldap_result=$(ldapsearch ${ldap_options} -LLL "${ldap_filter}" cn \| grep 'cn:' \| cut -d' ' -f2)
		14
		15	echo "$ldap_result"