diff --git a/roles/ldap/tasks/main.yml b/roles/ldap/tasks/main.yml index d63e3f3..51ac242 100644 --- a/roles/ldap/tasks/main.yml +++ b/roles/ldap/tasks/main.yml @@ -104,13 +104,13 @@ bind_dn: "cn=admin,{{ basedn }}" bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}" -- name: add group for all ldapusers +- name: add group for ldap users ldap_entry: dn: "cn=ldapuser,ou=groups,{{ basedn }}" objectClass: - posixGroup attributes: - gidNumber: 18000 + gidNumber: "{{ ldapuser_gid }}" bind_dn: "cn=admin,{{ basedn }}" bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}" @@ -131,8 +131,8 @@ cn: foo sn: bar userPassword: "{{ foo_pwd }}" - uidNumber: 10000 - gidNumber: 10000 + uidNumber: "{{ min_id }}" + gidNumber: "{{ min_id }}" homeDirectory: "{{ lan_homes }}/foo" loginShell: /bin/bash bind_dn: "cn=admin,{{ basedn }}" @@ -145,16 +145,7 @@ objectClass: - posixGroup attributes: - gidNumber: 10000 - bind_dn: "cn=admin,{{ basedn }}" - bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}" - when: foo_pwd is defined and foo_pwd | length > 0 - -- name: add dummy user foo to group ldapuser - ldap_attr: - dn: "cn=ldapuser,ou=groups,{{ basedn }}" - name: memberUid - values: foo + gidNumber: "{{ min_id }}" bind_dn: "cn=admin,{{ basedn }}" bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}" when: foo_pwd is defined and foo_pwd | length > 0 diff --git a/roles/ldap/templates/debian-lan.j2 b/roles/ldap/templates/debian-lan.j2 index 7523d97..5572869 100644 --- a/roles/ldap/templates/debian-lan.j2 +++ b/roles/ldap/templates/debian-lan.j2 @@ -8,7 +8,7 @@ set -eu usage(){ cat < [] [] [] + $(basename $0) adduser [] [] [] $(basename $0) deluser $(basename $0) delhost $(basename $0) ldapvi 
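Review bot: `gidNumber: "{{ ldapuser_gid }}"` for the shared `cn=ldapuser` group is now a free variable, and nothing in this hunk checks that it lies outside the `min_id`..`max_id` window that the new `nextnum` allocator in debian-lan.j2 uses for personal-group gids; if it falls inside, a later user's personal group can end up on the same numeric gid as the shared group, so anything keyed on that gid is effectively shared. An `assert` task before these `ldap_entry` tasks would pin the invariant, e.g. `- assert:` / `    that: "ldapuser_gid | int < min_id | int or ldapuser_gid | int > max_id | int"`. Where `ldapuser_gid` and `min_id` are declared (defaults/ or vars/) is not visible in this diff, so the bound is best enforced here rather than assumed.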
@@ -16,12 +16,13 @@ Usage: : User ID (login name) : Password + : If given, the user is added to this posix group (in addition to his personal group). + The group must already exist in the LDAP DT. , : LDAP attributes 'givenName' and 'sn'. If omitted, is used. - : If given, the user is added to this posix group, which must already exist. : File containing lines of the form: - adduser [] [] - adduser [] [] + adduser [] [] [] + adduser [] [] [] … deluser deluser @@ -58,16 +59,21 @@ elif [ $1 = adduser -a $# -lt 3 ] ; then exit 1 fi +## Range of user and personal group IDs: MINID={{ min_id }} MAXID={{ max_id }} + +## Range to cover in a single ldap search (must be smaller than 'olcSizeLimit' in cn=config): +RANGE=399 + HOMES="{{ lan_homes }}" COMMAND="$1" id="$2" pw="${3:-""}" -gn="${4:-$2}" -sn="${5:-$2}" -grp="${6:-""}" +grp="${4:-""}" +gn="${5:-$2}" +sn="${6:-$2}" domain="$(hostname -d)" 
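Review bot: Moving `grp` from `$6` to `$4` (with `gn`/`sn` shifting to `$5`/`$6`) is a silent CLI break: a batch line written in the old `adduser <id> <pw> <gn> <sn>` form is now parsed with its given name as the group, and the hunk adds no check that `$4` names an existing posixGroup even though the usage text promises "must already exist". A guard after the assignments, or a clear "group '$grp' not found" failure wherever add-user consumes it, would turn that into a loud error; add-user's body is outside this hunk. Whatever form the check takes, `$grp` must be validated (e.g. against `^[a-z_][a-z0-9_-]*$`) before it is spliced into an LDAP filter, for the same reason as `$id`.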
@@ -79,27 +85,54 @@ else
 pwEntry="userPassword: $pw"
 fi
-#############
-
+##################################################################################################
 nextnum(){
- local num
- num="$(( $(ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b "ou=people,$BASEDN" -S $1 $1 2>/dev/null \
- | tail -n -2 | grep -oE "[[:digit:]]+$") + 1 ))"
- if [ $num -lt $MINID ] ; then
- echo $MINID
- else
- echo "$num"
- fi
+ local id=$MINID
+ local bsta bend all uids gids num
+
+ ## Search for the next pair of identical free IDs:
+ while [ $id -le $MAXID ] ; do
+ bsta=$id
+ bend=$(( $bsta + $RANGE ))
+
+ all="$(seq $bsta $bend)"
+ uids="$(ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b "ou=people,$BASEDN" "(&(objectClass=posixAccount)(uidNumber>=$bsta)(uidNumber<=$bend))" \
+ uidNumber 2>/dev/null | grep "uidNumber: " | cut -f2 -d ' ' | sort -g | uniq)"
+ gids="$(ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b "ou=groups,$BASEDN" "(&(objectClass=posixGroup)(gidNumber>=$bsta)(uidNumber<=$bend))" \
+ gidNumber 2>/dev/null | grep "gidNumber: " | cut -f2 -d ' ' | sort -g | uniq)"
+
+ fuids="$(comm -13 <(echo "$uids") <(echo "$all"))"
+ fgids="$(comm -13 <(echo "$gids") <(echo "$all"))"
+ num=$(comm -12 <(echo "$fuids") <(echo "$fgids") | head -1)
+
+ if [ -n "$num" ] ; then
+ echo $num
+ return
+ else
+ id=$(( $bend + 1 ))
+ fi
+ done
+ ## something went wrong:
+ exit 1
 }
+
 add-user(){
 local id="$1"
 local pwEntry="$2"
- local gn="$3"
- local sn="$4"
- local uidNumber=$(nextnum uidNumber)
- local gidNumber=$(nextnum gidNumber)
+ local grp="$3"
+ local gn="$4"
+ local sn="$5"
+
+ if ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b "ou=people,$BASEDN" "(&(objectClass=posixAccount)(uid=$id))" uid 2>/dev/null \
+ | grep -q "uid: $id" ; then
+ echo "User '$id' exists already, skipping."
+ return
+ fi
+
+ local uidNumber=$(nextnum)
+ local gidNumber=$uidNumber
 if [ $uidNumber -ge $MAXID -o $gidNumber -ge $MAXID ] ; then
 echo "Error: $uidNumber and/or $gidNumber exceed max ID number ${MAXID}."
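Review bot: The group search in `nextnum` filters on `(uidNumber<=$bend)` instead of `(gidNumber<=$bend)`; posixGroup entries carry no uidNumber, so that AND never matches, `gids` is always empty, and the "free" number returned can already be the gidNumber of an existing group such as `cn=ldapuser`, silently putting the new user's personal group on a shared gid. The fix is the filter `"(&(objectClass=posixGroup)(gidNumber>=$bsta)(gidNumber<=$bend))"`. Separately, `$id` is spliced unescaped into the existence-check filter `(uid=$id)`, so a login name containing `*`, `(`, `)` or `\` changes the query (a bare `*` makes every account look like a duplicate and the user is skipped); reject ids not matching `^[a-z_][a-z0-9_-]*$` before any ldapsearch. `comm` also expects byte-sorted input while `seq` and `sort -g` emit numeric order, which only coincides while every id in the window has the same digit count, so `LC_ALL=C sort` on both sides (or an all-same-width id range) is worth pinning. The tail of add-user continues past the hunk.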
@@ -200,9 +233,10 @@ del-host(){
 ##############################
 sss_cache -U -G ## clear cache
+echo "==== $@ ===="
 case $COMMAND in
 adduser)
- add-user "${id}" "${pwEntry}" "${gn}" "${sn}"
+ add-user "${id}" "${pwEntry}" "${grp}" "${gn}" "${sn}"
 ;;
 deluser)
 del-user "${id}"
diff --git a/roles/prepare4clients/tasks/main.yml b/roles/prepare4clients/tasks/main.yml
index 4ae6d3f..484d170 100644
--- a/roles/prepare4clients/tasks/main.yml
+++ b/roles/prepare4clients/tasks/main.yml
@@ -100,7 +100,7 @@
 ######## kerberox-client #######
-- name: check if we opereate on kerberox
+- name: check if we operate on kerberox
 stat: path=/usr/sbin/krb5kdc
 register: krb5kdc
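Review bot: `echo "==== $@ ===="` prints every argument, and for `adduser` the third argument is the cleartext password, so it now lands on the terminal, in captured output, and in the journal or log of whatever drives the batch file. The trace should name only the command and the subject, e.g. `echo "==== $COMMAND $id ===="`. The `case` dispatch continues past the hunk, so other subcommands may carry sensitive positionals too; keep the trace to `$COMMAND` and `$id` regardless.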