modules/private/ssh/ldap_authorized_keys.sh


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52

#!/usr/bin/env bash

LDAPSEARCH=ldapsearch
KEY="immaeSshKey"
LDAP_BIND="cn=ssh,ou=services,dc=immae,dc=eu"
LDAP_PASS=$(cat /etc/ssh/ldap_password)
LDAP_HOST="ldap.immae.eu"
LDAP_BASE="dc=immae,dc=eu"

suitable_for() {
  type_for="$1"
  key="$2"

  if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
    echo "$key"
  else
    key_type=$(cut -d " " -f 1 <<< "$key")

    if grep -q "\b-$type_for\b" <<< "$key_type"; then
      echo ""
    elif grep -q "\b$type_for\b" <<< "$key_type"; then
      echo $(sed -e "s/^[^ ]* //g" <<< "$key")
    else
      echo ""
    fi
  fi
}

clean_key_line() {
  type_for="$1"
  line="$2"

  if [[ "$line" == $KEY::* ]]; then
    # base64 keys should't happen, unless wrong copy-pasting
    key=""
  else
    key=$(sed -e "s/^$KEY: *//" -e "s/ *$//" <<< "$line")
  fi

  suitable_for "$type_for" "$key"
}

ldap_search() {
  $LDAPSEARCH -h $LDAP_HOST -ZZ -b $LDAP_BASE -D $LDAP_BIND -w "$LDAP_PASS" -x -o ldif-wrap=no -LLL "$@"
}

ldap_keys() {
  user=$1;
  @snippets@
}

ldap_keys $@