Improved determination of next available uid/gid pair.

2020-01-12 09:22:40 +01:00 · 2020-01-12 09:22:40 +01:00 · 21309fb788
commit 21309fb788
parent a58010d8d2
3 changed files with 62 additions and 37 deletions
--- a/roles/ldap/tasks/main.yml
+++ b/roles/ldap/tasks/main.yml
@ -104,13 +104,13 @@
    bind_dn: "cn=admin,{{ basedn }}"
    bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
- name: add group for all ldapusers
+- name: add group for ldap users
  ldap_entry:
    dn: "cn=ldapuser,ou=groups,{{ basedn }}"
    objectClass:
      - posixGroup
    attributes:
-      gidNumber: 18000
+      gidNumber: "{{ ldapuser_gid }}"
    bind_dn: "cn=admin,{{ basedn }}"
    bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
@ -131,8 +131,8 @@
      cn: foo
      sn: bar
      userPassword: "{{ foo_pwd }}"
-      uidNumber: 10000
+      uidNumber: "{{ min_id }}"
-      gidNumber: 10000
+      gidNumber: "{{ min_id }}"
      homeDirectory: "{{ lan_homes }}/foo"
      loginShell: /bin/bash
    bind_dn: "cn=admin,{{ basedn }}"
@ -145,16 +145,7 @@
    objectClass:
      - posixGroup
    attributes:
-      gidNumber: 10000
+      gidNumber: "{{ min_id }}"
    bind_dn: "cn=admin,{{ basedn }}"
    bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
  when: foo_pwd is defined and foo_pwd | length > 0
 - name: add dummy user foo to group ldapuser
  ldap_attr:
    dn: "cn=ldapuser,ou=groups,{{ basedn }}"
    name: memberUid
    values: foo
    bind_dn: "cn=admin,{{ basedn }}"
    bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
  when: foo_pwd is defined and foo_pwd | length > 0
--- a/roles/ldap/templates/debian-lan.j2
+++ b/roles/ldap/templates/debian-lan.j2
@ -8,7 +8,7 @@ set -eu
 usage(){
    cat <<EOF
 Usage:
-         $(basename $0)  adduser  <uid>  <password>  [<given name>]  [<family name>]  [<group>]
+         $(basename $0)  adduser  <uid>  <password>  [<group>]  [<given name>]  [<family name>]
         $(basename $0)  deluser  <uid>
         $(basename $0)  delhost  <hostname>
         $(basename $0)  ldapvi
@ -16,12 +16,13 @@ Usage:
     <uid>:  User ID (login name)
     <password>:  Password
     <group>:  If given, the user is added to this posix group (in addition to his personal group).
               The group must already exist in the LDAP DT.
     <given name>, <family name>:  LDAP attributes 'givenName' and 'sn'.  If omitted, <uid> is used.
     <group>:  If given, the user is added to this posix group, which must already exist.
     <file>:  File containing lines of the form:
-                   adduser <uid 1>  <password 1>  [<given name 1>]  [<family name 1>]
+                   adduser <uid 1>  <password 1>  [<group 1>]  [<given name 1>]  [<family name 1>]
-                   adduser <uid 2>  <password 2>  [<given name 2>]  [<family name 2>]
+                   adduser <uid 2>  <password 2>  [<group 2>]  [<given name 2>]  [<family name 2>]
                   …
                   deluser <uid n>
                   deluser <uid n+1>
@ -58,16 +59,21 @@ elif [ $1 = adduser -a $# -lt 3 ] ; then
    exit 1
 fi
 ## Range of user and personal group IDs:
 MINID={{ min_id }}
 MAXID={{ max_id }}
 ## Range to cover in a single ldap search (must be smaller than 'olcSizeLimit' in cn=config):
 RANGE=399
 HOMES="{{ lan_homes }}"
 COMMAND="$1"
 id="$2"
 pw="${3:-""}"
-gn="${4:-$2}"
+grp="${4:-""}"
-sn="${5:-$2}"
+gn="${5:-$2}"
-grp="${6:-""}"
+sn="${6:-$2}"
 domain="$(hostname -d)"
@ -79,27 +85,54 @@ else
    pwEntry="userPassword: $pw"
 fi
-#############
+##################################################################################################
 nextnum(){
-    local num
+    local id=$MINID
-    num="$(( $(ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b "ou=people,$BASEDN" -S $1 $1 2>/dev/null \
+    local bsta bend all uids gids num
-                        |  tail -n -2 | grep -oE "[[:digit:]]+$") + 1 ))"
+
-    if [ $num -lt $MINID ] ; then
+    ## Search for the next pair of identical free IDs:
-        echo $MINID
+    while [ $id -le $MAXID ] ; do
        bsta=$id
        bend=$(( $bsta + $RANGE ))
        all="$(seq $bsta $bend)"
        uids="$(ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b "ou=people,$BASEDN" "(&(objectClass=posixAccount)(uidNumber>=$bsta)(uidNumber<=$bend))" \
                         uidNumber 2>/dev/null | grep "uidNumber: " | cut -f2 -d ' ' | sort -g | uniq)"
        gids="$(ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b "ou=groups,$BASEDN" "(&(objectClass=posixGroup)(gidNumber>=$bsta)(uidNumber<=$bend))" \
                         gidNumber 2>/dev/null | grep "gidNumber: " | cut -f2 -d ' ' | sort -g | uniq)"
        fuids="$(comm -13 <(echo "$uids") <(echo "$all"))"
        fgids="$(comm -13 <(echo "$gids") <(echo "$all"))"
        num=$(comm -12 <(echo "$fuids") <(echo "$fgids") | head -1)
        if [ -n "$num" ] ; then
            echo $num
            return
        else
-        echo "$num"
+            id=$(( $bend + 1 ))
        fi
    done
    ## something went wrong:
    exit 1
 }
 add-user(){
    local id="$1"
    local pwEntry="$2"
-    local gn="$3"
+    local grp="$3"
-    local sn="$4"
+    local gn="$4"
-    local uidNumber=$(nextnum uidNumber)
+    local sn="$5"
-    local gidNumber=$(nextnum gidNumber)
+
    if ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b "ou=people,$BASEDN" "(&(objectClass=posixAccount)(uid=$id))" uid 2>/dev/null \
            | grep -q "uid: $id" ; then
        echo "User '$id' exists already, skipping."
        return
    fi
    local uidNumber=$(nextnum)
    local gidNumber=$uidNumber
    if [ $uidNumber -ge $MAXID -o $gidNumber -ge $MAXID ] ; then
        echo "Error: $uidNumber and/or $gidNumber exceed max ID number ${MAXID}."
@ -200,9 +233,10 @@ del-host(){
 ##############################
 sss_cache -U -G  ## clear cache
 echo "==== $@ ===="
 case $COMMAND in
    adduser)
-        add-user "${id}" "${pwEntry}" "${gn}" "${sn}"
+        add-user "${id}" "${pwEntry}" "${grp}" "${gn}" "${sn}"
        ;;
    deluser)
        del-user "${id}"
--- a/roles/prepare4clients/tasks/main.yml
+++ b/roles/prepare4clients/tasks/main.yml
@ -100,7 +100,7 @@
 ########  kerberox-client #######
- name: check if we opereate on kerberox
+- name: check if we operate on kerberox
  stat: path=/usr/sbin/krb5kdc
  register: krb5kdc