Initial commit

.gitignore

+proxmox-user.json

proxmox-user.example.json

+{
+	"ldap": {
+		"admin": {
+			"uri": "ldaps://172.16.10.1/",
+			"userBase": "ou=passwd,dc=crans,dc=org",
+			"realm": "pam"
+		},
+		"user": {
+			"uri": "ldaps://172.16.10.114",
+			"userBase": "ou=users,dc=adh,dc=crans,dc=org",
+			"realm": "pve",
+			"binddn": "cn=admin,dc=adh,dc=crans,dc=org",
+			"passwd": "mot de passe"
+		}
+	}
+}

proxmox-user.py

+#!/usr/bin/python3
+import argparse
+import json
+import os
+import sys
+import subprocess
+
+import ldap
+import jinja2
+import urllib
+
+path = os.path.dirname(os.path.abspath(__file__))
+
+def connect(config):
+	base = ldap.initialize(config['uri'])
+	if config['uri'].startswith('ldaps://'):
+		base.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
+		base.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
+	if 'binddn' in config:
+		base.simple_bind_s(config['binddn'],config['passwd'])
+	return base
+
+
+if __name__ == '__main__':
+	parser = argparse.ArgumentParser(
+		description="Generate user configuration for proxmox",
+	)
+	parser.add_argument('-e', '--export', help='Exporte la configuration vers la sortie standartd', action='store_true')
+	args = parser.parse_args()
+
+	with open(os.path.join(path, 'proxmox-user.json')) as file:
+		config = json.load(file)
+
+	base = {}
+	users = { target: {} for target in config['ldap'] }
+	for target,cfg in config['ldap'].items():
+		base[target] = connect(cfg)
+		field = 'uid' if cfg['realm'] == 'pam' else 'cn'
+		users_qid = base[target].search(cfg['userBase'], ldap.SCOPE_ONELEVEL, 'objectClass=inetOrgPerson')
+		users_q = base[target].result(users_qid)[1]
+		for dn, entries in users_q:
+			uid = entries[field][0].decode('utf-8')
+			users[target][uid] = {}
+			for key in ['givenName', 'sn', 'mail', 'userPassword']:
+				users[target][uid][key] = entries[key][0].decode('utf-8') if key in entries else ''
+			for key in ['givenName', 'sn']:
+				users[target][uid][key] = urllib.parse.quote(users[target][uid][key])
+
+	groups = {}
+	acls = []
+	# Recover groups with admin privileges
+	nounous_qid = base['admin'].search('dc=crans,dc=org', ldap.SCOPE_SUBTREE, 'cn=_nounou')
+	nounous = base['admin'].result(nounous_qid)[1][0][1]
+	nounous = { user.decode('utf-8') for user in nounous['memberUid'] }
+	apprentis = set(users['admin'].keys()) - nounous
+	groups['nounou'] = ','.join(f'{u}@pam' for u in nounous)
+	groups['apprenti'] = ','.join(f'{u}@pam' for u in apprentis)
+	acls.append({ 'propagate': 1, 'role': 'Administrator', 'target': '@nounou', 'path': '/'})
+	acls.append({ 'propagate': 1, 'role': 'PVEAuditor', 'target': '@apprenti', 'path': '/'})
+
+	# Recover clubs
+	if 'user' in config['ldap']:
+		clubs_qid = base['user'].search('ou=clubs,dc=adh,dc=crans,dc=org',
+			ldap.SCOPE_ONELEVEL, 'objectClass=organization')
+		clubs_q = base['user'].result(clubs_qid)[1]
+		for dn, entries in clubs_q:
+			club = entries['o'][0].decode('utf-8')
+			if 'description' in entries:
+				groups[club] = ','.join(
+					[ '{}@pve'.format(user.decode('utf-8')) for user in entries['description'] ]
+				)
+
+	passwords = {}
+	user_db = {}
+	for target,cfg in config['ldap'].items():
+		for user,info in users[target].items():
+			user_db['{}@{}'.format(user,cfg['realm'])] = info
+			if cfg['realm'] == 'pve':
+				passwords[user] = info['userPassword']
+	users = user_db
+
+	with open(os.path.join(path, 'templates', 'user.cfg.j2')) as template:
+		user_template = jinja2.Template(template.read())
+	with open(os.path.join(path, 'templates', 'priv', 'shadow.cfg.j2')) as template:
+		shadow_template = jinja2.Template(template.read())
+	if args.export:
+		print('# +-------------+')
+		print('# | -> user.cfg |')
+		print('# +-------------+')
+		print(user_template.render(users=users, groups=groups, acls=acls))
+		print('')
+		print('# +--------------------+')
+		print('# | -> priv/shadow.cfg |')
+		print('# +--------------------+')
+		print(shadow_template.render(users=passwords))

templates/priv/shadow.cfg.j2

+{% for user,passwd in users.items() %}{{user}}:{{passwd}}:
+{%endfor%}

templates/user.cfg.j2

+{%for user,info in users.items()%}user:{{ user }}:1:0:{{ info['givenName'] }}:{{ info['sn'] }}:{{ info['mail'] }}:::
+{%endfor%}
+{%for group,users in groups.items()%}group:{{ group }}:{{ users }}::
+{%endfor%}
+{%for acl in acls%}acl:{{acl['propagate']}}:{{acl['path']}}:{{acl['target']}}:{{acl['role']}}:
+{%endfor%}