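#!/usr/bin/python
# copyright 2011 Michael Weber (michael at xmw dot de )
"""PAM helper: check PAM_USER / PAM_AUTHTOK against LDAP and reject stale passwords.

The script exits 0 to accept the login and 1 to reject it.  It looks the
user up with a service account, binds as the user with the supplied
password, and finally rejects accounts whose ``shadowLastChange`` is
older than ``MIN_LAST_CHANGE``.
"""
import ldap
import os
import re
import sys
import syslog

LDAP_HOST = 'ldap.fs.lmu.de'
BASE_DN = 'dc=fachschaften,dc=uni-muenchen,dc=de'
BIND_DN = 'uid=ldapauth,dc=fachschaften,dc=uni-muenchen,dc=de'
SECRET_FILE = '/etc/pam_ldap.secret'
# shadowLastChange is expressed in days since 1970-01-01; passwords last
# changed before this day are rejected.
MIN_LAST_CHANGE = 15127
# Whitelist of characters allowed in PAM_USER.  This check is what makes it
# safe to splice *user* into the LDAP filter below, so keep it strict.
USER_RE = re.compile(r'^[a-zA-Z0-9\-]+\Z')

syslog.openlog('pam-gaf', 0, syslog.LOG_AUTH)


def log(s):
    """Write *s* to syslog (LOG_AUTH facility) and echo it to stdout."""
    syslog.syslog(s)
    print(s)


def fail(msg):
    """Log *msg* and exit with status 1 so PAM rejects the login."""
    log(msg)
    sys.exit(1)


def read_secret(path):
    """Return the first line of *path* without its trailing newline.

    The newline is stripped so that a newline left by an editor does not
    become part of the service-account password.
    """
    with open(path) as f:
        return f.readline().rstrip('\n')


def main():
    """Validate the PAM environment, authenticate against LDAP, exit accordingly."""
    user = os.getenv('PAM_USER', '').replace('\n', '')
    if not USER_RE.match(user):
        fail('PAM_USER is zero-length or contains invalid chars')
    if user == 'root':
        # root is never checked against LDAP.
        sys.exit()

    passwd = os.getenv('PAM_AUTHTOK')
    if not passwd:
        # An empty password would turn the user bind below into an
        # anonymous/unauthenticated bind, which LDAP servers accept.
        fail('PAM_AUTHTOK is not set')

    # NOTE(review): a plain ldap:// connection sends both the service
    # secret and the user's password in cleartext unless the network path
    # is otherwise protected; ldaps:// or start_tls_s() would close that.
    conn = ldap.initialize('ldap://' + LDAP_HOST)

    # Locate the user's DN with the service account.  The *_s calls are
    # synchronous, so a failed bind raises instead of silently leaving the
    # connection anonymous for the operations that follow.
    try:
        conn.simple_bind_s(BIND_DN, read_secret(SECRET_FILE))
        res = conn.search_st(
            BASE_DN, ldap.SCOPE_SUBTREE,
            filterstr='(&(uid=%s)(objectClass=posixAccount))' % user)
    except ldap.LDAPError as e:
        fail('ldap lookup failed: %s' % e)
    if len(res) != 1:
        fail('ldap search returned more or less than 1 uids')
    dn = res[0][0]

    # Authenticate the user.  The original asynchronous simple_bind() never
    # collected its result, so a wrong password was not detected here.
    try:
        conn.simple_bind_s(dn, passwd)
    except ldap.INVALID_CREDENTIALS:
        fail('user %s rejected, invalid credentials' % user)
    except ldap.LDAPError as e:
        fail('ldap bind failed: %s' % e)

    try:
        res = conn.search_st(dn, ldap.SCOPE_BASE,
                             attrlist=('shadowLastChange', ))
    except ldap.LDAPError as e:
        fail('ldap search failed: %s' % e)
    if len(res) != 1 or res[0][0] != dn:
        fail('internal error')

    # A missing attribute counts as "never changed" (day 0) and is rejected.
    last = int(res[0][1].get('shadowLastChange', ('0', ))[0])
    if last < MIN_LAST_CHANGE:
        fail('user %s rejected, password last changed %i' % (user, last))


if __name__ == '__main__':
    main()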