From 43cb4dcf13787c48903f49b60eb66c449bf76ba3 Mon Sep 17 00:00:00 2001 From: "Andreas B. Mundt" Date: Sun, 1 Dec 2019 10:17:08 +0100 Subject: [PATCH] Add user import/deletion from file option, minor improvements. --- roles/lan-client/templates/sssd.conf.j2 | 1 - roles/ldap/tasks/main.yml | 2 +- roles/ldap/templates/debian-lan.j2 | 69 ++++++++++++++++++------- roles/nfs-server/templates/sssd.conf.j2 | 1 - 4 files changed, 50 insertions(+), 23 deletions(-) diff --git a/roles/lan-client/templates/sssd.conf.j2 b/roles/lan-client/templates/sssd.conf.j2 index d55c2c7..2d4f287 100644 --- a/roles/lan-client/templates/sssd.conf.j2 +++ b/roles/lan-client/templates/sssd.conf.j2 @@ -21,4 +21,3 @@ cache_credentials = true min_id = 10000 max_id = 20000 -enumerate = False diff --git a/roles/ldap/tasks/main.yml b/roles/ldap/tasks/main.yml index 15e0665..13123ae 100644 --- a/roles/ldap/tasks/main.yml +++ b/roles/ldap/tasks/main.yml @@ -92,7 +92,7 @@ bind_dn: "cn=admin,{{ basedn }}" bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}" -- name: provide simple script to add/delete users +- name: provide simple script to manage ldap/kdc template: src: debian-lan.j2 dest: /usr/local/bin/debian-lan diff --git a/roles/ldap/templates/debian-lan.j2 b/roles/ldap/templates/debian-lan.j2 index 54222ba..f94ad23 100644 --- a/roles/ldap/templates/debian-lan.j2 +++ b/roles/ldap/templates/debian-lan.j2 
@@ -8,27 +8,45 @@ set -eu usage(){ cat < [] [] + $(basename $0) adduser [] [] $(basename $0) deluser $(basename $0) delhost $(basename $0) ldapvi + $(basename $0) - : User ID (login name) - : Password - , : LDAP attributes, if omitted, is used. + : User ID (login name) + : Password + , : LDAP attributes 'givenName' and 'sn'. If omitted, is used. + : File containing lines of the form: + adduser [] [] + adduser [] [] + … + deluser + deluser + … + Every line is processed like a single call to the $(basename $0) program. EOF } -#sss_cache -U -G ## should not be necessary - BASEDN="{{ basedn }}" LDAPADMIN="cn=admin,$BASEDN" ADPASSWD="$(cat {{ ldap_admin_pwd_file }})" if [ $# -lt 2 ] ; then - if [ "$1" = ldapvi ] ; then - exec ldapvi -h ldapi:/// -D "$LDAPADMIN" -b "$BASEDN" -w "$ADPASSWD" + if [ $# = 0 ] ; then + usage + exit 1 + elif [ "$1" = ldapvi ] ; then + exec ldapvi -m -h ldapi:/// -D "$LDAPADMIN" -b "$BASEDN" -w "$ADPASSWD" + elif [ -r "$1" ]; then + ## recursively call this program: + while read -r LINE ; do + $0 $LINE + done < "$1" + ## reset cache after mass import/deletion: + sss_cache -U -G + exit 0 else usage exit 1 @@ -46,8 +64,9 @@ HOMES="{{ lan_homes }}" COMMAND="$1" id="$2" pw="${3:-""}" -cn="${4:-$2}" +gn="${4:-$2}" sn="${5:-$2}" + domain="$(hostname -d)" if [ -x /usr/sbin/kadmin.local ] ; then @@ -73,8 +92,12 @@ nextnum(){ } add-user(){ - uidNumber=$(nextnum uidNumber) - gidNumber=$(nextnum gidNumber) + local id="$1" + local pwEntry="$2" + local gn="$3" + local sn="$4" + local uidNumber=$(nextnum uidNumber) + local gidNumber=$(nextnum gidNumber) if [ $uidNumber -ge $MAXID -o $gidNumber -ge $MAXID ] ; then echo "Error: $uidNumber and/or $gidNumber exceed max ID number ${MAXID}." @@ -90,8 +113,10 @@ uidNumber: ${uidNumber} gidNumber: ${gidNumber} homeDirectory: ${HOMES}/${id} loginShell: /bin/bash -cn: ${cn} +cn: ${gn} ${sn} +givenName: ${gn} sn: ${sn} +gecos: ${gn} ${sn} ${pwEntry} dn: cn=${id},ou=groups,$BASEDN 
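Review bot: In the new file branch, `$0 $LINE` runs under the script's `set -eu` (visible in the hunk header), so an empty or comment line in the import file calls `$0` with no arguments, lands in the new `usage; exit 1` path and aborts the whole import part-way through; skip such lines first, `case "$LINE" in ''|'#'*) continue ;; esac`. The unquoted `$LINE` is needed to split the fields, but it also applies pathname expansion, so a `*` or `?` in a password or name expands against the current directory; wrapping the loop in `set -f` / `set +f` avoids that. The child also inherits the loop's stdin, which is the import file itself, so `"$0" $LINE </dev/null` guarantees that no tool invoked by the child can consume the remaining lines. The format cannot carry whitespace inside a password field, which the new usage text could state explicitly.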
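Review bot: `local uidNumber=$(nextnum uidNumber)` and the matching gidNumber line hide the exit status of nextnum behind `local`, so with `set -e` a failing lookup inside nextnum (its body is above the hunk) no longer stops the script and the later `-ge $MAXID` comparison sees an empty value instead of the intended error. Declare first and assign separately: `local uidNumber gidNumber`, `uidNumber=$(nextnum uidNumber)`, `gidNumber=$(nextnum gidNumber)`. The new locals `id`, `gn` and `sn` shadow the globals of the same name set from the positional parameters earlier in the file; that works, but a comment such as `## copies of the globals, so add-user can be driven from a loop` would save the next reader a double-take. add-user's body continues past the hunk.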
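Review bot: The new `gecos: ${gn} ${sn}` line restricts names to ASCII: with the standard nis.schema the gecos attribute has IA5String syntax, so a givenName or sn containing umlauts or accents makes the whole ldapadd fail with an invalid-syntax error, while cn/givenName/sn accept UTF-8. Either leave gecos out (sssd is generally expected to fall back to cn when it is absent, worth confirming) or transliterate it, e.g. `gecos: $(printf '%s %s' "$gn" "$sn" | iconv -f UTF-8 -t ASCII//TRANSLIT)`. As before, values are interpolated into the LDIF unescaped, so a name with a leading space or colon would need base64 form; a comment next to the heredoc stating that restriction would help. The heredoc belongs to add-user, which starts above this hunk.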
@@ -100,19 +125,21 @@ gidNumber: ${gidNumber} ################################## EOF - echo "uidNumber: ${uidNumber} gidNumber: ${gidNumber}" - if [ $KRB5 ] ; then kadmin.local -q "add_principal -policy default -pw \"$pw\" -x dn=\"uid=${id},ou=people,$BASEDN\" ${id}" \ | sed '/Authenticating as principal/d' - cp -r /etc/skel ${HOMES}/${id} - chown -R ${uidNumber}:${gidNumber} ${HOMES}/${id} - ls -nld ${HOMES}/${id} + if [ ! -e "${HOMES}/${id}" ] ; then + echo "uidNumber: ${uidNumber} gidNumber: ${gidNumber}" + cp -r /etc/skel ${HOMES}/${id} + chown -R ${uidNumber}:${gidNumber} ${HOMES}/${id} + ls -nld ${HOMES}/${id} + fi fi } del-user(){ + local id="$1" local KEEPDIR if [ $KRB5 ] ; then ## Remove all kerberos attributes from LDAP, then the whole DN below. The latter should be sufficient. @@ -133,6 +160,7 @@ del-user(){ del-host(){ + local id="$1" if [ $KRB5 ] ; then ## Remove kerberos principals from LDAP. kadmin.local -q "delete_principal -force host/${id}.${domain}" \ @@ -146,15 +174,16 @@ del-host(){ ########### main ############# ############################## +sss_cache -U -G ## clear cache case $COMMAND in adduser) - add-user + add-user "${id}" "${pwEntry}" "${gn}" "${sn}" ;; deluser) - del-user + del-user "${id}" ;; delhost) - del-host + del-host "${id}" ;; *) usage diff --git a/roles/nfs-server/templates/sssd.conf.j2 b/roles/nfs-server/templates/sssd.conf.j2 index 54868d2..40fba97 100644 --- a/roles/nfs-server/templates/sssd.conf.j2 +++ b/roles/nfs-server/templates/sssd.conf.j2 @@ -21,4 +21,3 @@ cache_credentials = false min_id = 10000 max_id = 20000 -enumerate = False
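Review bot: The new `[ ! -e "${HOMES}/${id}" ]` guard skips not only `cp -r /etc/skel` but also the `chown -R`, so when a home directory survives from an earlier account (del-user has a `KEEPDIR` option, declared just below) the re-created user gets a fresh uidNumber but never becomes owner of the existing directory, and nothing is printed about it. Add an else branch that at least reports it, `else echo "Warning: ${HOMES}/${id} exists, left untouched (owner unchanged)." >&2`, or re-run the chown for the existing directory. The `${HOMES}/${id}` expansions in the re-indented cp/chown/ls lines stay unquoted; writing `"${HOMES}/${id}"` as in the new test keeps them safe should lan_homes ever contain a space. The enclosing add-user starts before the hunk.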
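Review bot: `sss_cache -U -G` now runs unconditionally before the `case`, including on the usage error path, and under `set -e` a host without sssd installed would abort with command-not-found before any command is dispatched (the previous revision had the call commented out as "should not be necessary"). Guarding it, `command -v sss_cache >/dev/null && sss_cache -U -G`, or moving it into the adduser/deluser arms keeps the script usable where sssd is absent. In batch mode this also means one cache flush per processed line on top of the final one in the file branch; harmless, but a comment such as `## clear cache so the new/removed entries are visible immediately` would explain why it is wanted per call.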