it-team/lmn-client
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Improved determination of next available uid/gid pair.

Browse source
This commit is contained in:
Andreas B. Mundt 2020-01-12 09:22:40 +01:00
parent a58010d8d2
commit 21309fb788
3 changed files with 62 additions and 37 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
roles/ldap/tasks/main.yml
View file

@ -104,13 +104,13 @@
bind_dn: "cn=admin,{{ basedn }}" bind_dn: "cn=admin,{{ basedn }}"
bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}" bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
- name: add group for all ldapusers - name: add group for ldap users
ldap_entry: ldap_entry:
dn: "cn=ldapuser,ou=groups,{{ basedn }}" dn: "cn=ldapuser,ou=groups,{{ basedn }}"
objectClass: objectClass:
- posixGroup - posixGroup
attributes: attributes:
gidNumber: 18000 gidNumber: "{{ ldapuser_gid }}"
bind_dn: "cn=admin,{{ basedn }}" bind_dn: "cn=admin,{{ basedn }}"
bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}" bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
@ -131,8 +131,8 @@
cn: foo cn: foo
sn: bar sn: bar
userPassword: "{{ foo_pwd }}" userPassword: "{{ foo_pwd }}"
uidNumber: 10000 uidNumber: "{{ min_id }}"
gidNumber: 10000 gidNumber: "{{ min_id }}"
homeDirectory: "{{ lan_homes }}/foo" homeDirectory: "{{ lan_homes }}/foo"
loginShell: /bin/bash loginShell: /bin/bash
bind_dn: "cn=admin,{{ basedn }}" bind_dn: "cn=admin,{{ basedn }}"
@ -145,16 +145,7 @@
objectClass: objectClass:
- posixGroup - posixGroup
attributes: attributes:
gidNumber: 10000 gidNumber: "{{ min_id }}"
bind_dn: "cn=admin,{{ basedn }}"
bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
when: foo_pwd is defined and foo_pwd | length > 0
- name: add dummy user foo to group ldapuser
ldap_attr:
dn: "cn=ldapuser,ou=groups,{{ basedn }}"
name: memberUid
values: foo
bind_dn: "cn=admin,{{ basedn }}" bind_dn: "cn=admin,{{ basedn }}"
bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}" bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
when: foo_pwd is defined and foo_pwd | length > 0 when: foo_pwd is defined and foo_pwd | length > 0

78
roles/ldap/templates/debian-lan.j2
View file

@ -8,7 +8,7 @@ set -eu
usage(){ usage(){
cat <<EOF cat <<EOF
Usage: Usage:
$(basename $0) adduser <uid> <password> [<given name>] [<family name>] [<group>] $(basename $0) adduser <uid> <password> [<group>] [<given name>] [<family name>]
$(basename $0) deluser <uid> $(basename $0) deluser <uid>
$(basename $0) delhost <hostname> $(basename $0) delhost <hostname>
$(basename $0) ldapvi $(basename $0) ldapvi
@ -16,12 +16,13 @@ Usage:
<uid>: User ID (login name) <uid>: User ID (login name)
<password>: Password <password>: Password
<group>: If given, the user is added to this posix group (in addition to his personal group).
The group must already exist in the LDAP DT.
<given name>, <family name>: LDAP attributes 'givenName' and 'sn'. If omitted, <uid> is used. <given name>, <family name>: LDAP attributes 'givenName' and 'sn'. If omitted, <uid> is used.
<group>: If given, the user is added to this posix group, which must already exist.
<file>: File containing lines of the form: <file>: File containing lines of the form:
adduser <uid 1> <password 1> [<given name 1>] [<family name 1>] adduser <uid 1> <password 1> [<group 1>] [<given name 1>] [<family name 1>]
adduser <uid 2> <password 2> [<given name 2>] [<family name 2>] adduser <uid 2> <password 2> [<group 2>] [<given name 2>] [<family name 2>]
deluser <uid n> deluser <uid n>
deluser <uid n+1> deluser <uid n+1>
@ -58,16 +59,21 @@ elif [ $1 = adduser -a $# -lt 3 ] ; then
exit 1 exit 1
fi fi
## Range of user and personal group IDs:
MINID={{ min_id }} MINID={{ min_id }}
MAXID={{ max_id }} MAXID={{ max_id }}
## Range to cover in a single ldap search (must be smaller than 'olcSizeLimit' in cn=config):
RANGE=399
HOMES="{{ lan_homes }}" HOMES="{{ lan_homes }}"
COMMAND="$1" COMMAND="$1"
id="$2" id="$2"
pw="${3:-""}" pw="${3:-""}"
gn="${4:-$2}" grp="${4:-""}"
sn="${5:-$2}" gn="${5:-$2}"
grp="${6:-""}" sn="${6:-$2}"
domain="$(hostname -d)" domain="$(hostname -d)"
@ -79,27 +85,54 @@ else
pwEntry="userPassword: $pw" pwEntry="userPassword: $pw"
fi fi
############# ##################################################################################################
nextnum(){ nextnum(){
local num local id=$MINID
num="$(( $(ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b "ou=people,$BASEDN" -S $1 $1 2>/dev/null \ local bsta bend all uids gids num
| tail -n -2 | grep -oE "[[:digit:]]+$") + 1 ))"
if [ $num -lt $MINID ] ; then ## Search for the next pair of identical free IDs:
echo $MINID while [ $id -le $MAXID ] ; do
else bsta=$id
echo "$num" bend=$(( $bsta + $RANGE ))
fi
all="$(seq $bsta $bend)"
uids="$(ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b "ou=people,$BASEDN" "(&(objectClass=posixAccount)(uidNumber>=$bsta)(uidNumber<=$bend))" \
uidNumber 2>/dev/null | grep "uidNumber: " | cut -f2 -d ' ' | sort -g | uniq)"
gids="$(ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b "ou=groups,$BASEDN" "(&(objectClass=posixGroup)(gidNumber>=$bsta)(uidNumber<=$bend))" \
gidNumber 2>/dev/null | grep "gidNumber: " | cut -f2 -d ' ' | sort -g | uniq)"
fuids="$(comm -13 <(echo "$uids") <(echo "$all"))"
fgids="$(comm -13 <(echo "$gids") <(echo "$all"))"
num=$(comm -12 <(echo "$fuids") <(echo "$fgids") | head -1)
if [ -n "$num" ] ; then
echo $num
return
else
id=$(( $bend + 1 ))
fi
done
## something went wrong:
exit 1
} }
add-user(){ add-user(){
local id="$1" local id="$1"
local pwEntry="$2" local pwEntry="$2"
local gn="$3" local grp="$3"
local sn="$4" local gn="$4"
local uidNumber=$(nextnum uidNumber) local sn="$5"
local gidNumber=$(nextnum gidNumber)
if ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b "ou=people,$BASEDN" "(&(objectClass=posixAccount)(uid=$id))" uid 2>/dev/null \
| grep -q "uid: $id" ; then
echo "User '$id' exists already, skipping."
return
fi
local uidNumber=$(nextnum)
local gidNumber=$uidNumber
if [ $uidNumber -ge $MAXID -o $gidNumber -ge $MAXID ] ; then if [ $uidNumber -ge $MAXID -o $gidNumber -ge $MAXID ] ; then
echo "Error: $uidNumber and/or $gidNumber exceed max ID number ${MAXID}." echo "Error: $uidNumber and/or $gidNumber exceed max ID number ${MAXID}."
@ -200,9 +233,10 @@ del-host(){
############################## ##############################
sss_cache -U -G ## clear cache sss_cache -U -G ## clear cache
echo "==== $@ ===="
case $COMMAND in case $COMMAND in
adduser) adduser)
add-user "${id}" "${pwEntry}" "${gn}" "${sn}" add-user "${id}" "${pwEntry}" "${grp}" "${gn}" "${sn}"
;; ;;
deluser) deluser)
del-user "${id}" del-user "${id}"

2
roles/prepare4clients/tasks/main.yml
View file

@ -100,7 +100,7 @@
######## kerberox-client ####### ######## kerberox-client #######
- name: check if we opereate on kerberox - name: check if we operate on kerberox
stat: path=/usr/sbin/krb5kdc stat: path=/usr/sbin/krb5kdc
register: krb5kdc register: krb5kdc