it-team/lmn-client
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add user import/deletion from file option, minor improvements.

Browse source
This commit is contained in:
Andreas B. Mundt 2019-12-01 10:17:08 +01:00
parent 6b3c2f0e0f
commit 43cb4dcf13
4 changed files with 50 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
roles/lan-client/templates/sssd.conf.j2
View file

@ -21,4 +21,3 @@ cache_credentials = true
min_id = 10000 min_id = 10000
max_id = 20000 max_id = 20000
enumerate = False

2
roles/ldap/tasks/main.yml
View file

@ -92,7 +92,7 @@
bind_dn: "cn=admin,{{ basedn }}" bind_dn: "cn=admin,{{ basedn }}"
bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}" bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
- name: provide simple script to add/delete users - name: provide simple script to manage ldap/kdc
template: template:
src: debian-lan.j2 src: debian-lan.j2
dest: /usr/local/bin/debian-lan dest: /usr/local/bin/debian-lan

59
roles/ldap/templates/debian-lan.j2
View file

@ -8,27 +8,45 @@ set -eu
usage(){ usage(){
cat <<EOF cat <<EOF
Usage: Usage:
$(basename $0) adduser <uid> <password> [<cn>] [<sn>] $(basename $0) adduser <uid> <password> [<given name>] [<family name>]
$(basename $0) deluser <uid> $(basename $0) deluser <uid>
$(basename $0) delhost <hostname> $(basename $0) delhost <hostname>
$(basename $0) ldapvi $(basename $0) ldapvi
$(basename $0) <file>
<uid>: User ID (login name) <uid>: User ID (login name)
<password>: Password <password>: Password
<cn>, <sn>: LDAP attributes, if omitted, <uid> is used. <given name>, <family name>: LDAP attributes 'givenName' and 'sn'. If omitted, <uid> is used.
<file>: File containing lines of the form:
adduser <uid 1> <password 1> [<given name 1>] [<family name 1>]
adduser <uid 2> <password 2> [<given name 2>] [<family name 2>]
deluser <uid n>
deluser <uid n+1>
Every line is processed like a single call to the $(basename $0) program.
EOF EOF
} }
#sss_cache -U -G ## should not be necessary
BASEDN="{{ basedn }}" BASEDN="{{ basedn }}"
LDAPADMIN="cn=admin,$BASEDN" LDAPADMIN="cn=admin,$BASEDN"
ADPASSWD="$(cat {{ ldap_admin_pwd_file }})" ADPASSWD="$(cat {{ ldap_admin_pwd_file }})"
if [ $# -lt 2 ] ; then if [ $# -lt 2 ] ; then
if [ "$1" = ldapvi ] ; then if [ $# = 0 ] ; then
exec ldapvi -h ldapi:/// -D "$LDAPADMIN" -b "$BASEDN" -w "$ADPASSWD" usage
exit 1
elif [ "$1" = ldapvi ] ; then
exec ldapvi -m -h ldapi:/// -D "$LDAPADMIN" -b "$BASEDN" -w "$ADPASSWD"
elif [ -r "$1" ]; then
## recursively call this program:
while read -r LINE ; do
$0 $LINE
done < "$1"
## reset cache after mass import/deletion:
sss_cache -U -G
exit 0
else else
usage usage
exit 1 exit 1
@ -46,8 +64,9 @@ HOMES="{{ lan_homes }}"
COMMAND="$1" COMMAND="$1"
id="$2" id="$2"
pw="${3:-""}" pw="${3:-""}"
cn="${4:-$2}" gn="${4:-$2}"
sn="${5:-$2}" sn="${5:-$2}"
domain="$(hostname -d)" domain="$(hostname -d)"
if [ -x /usr/sbin/kadmin.local ] ; then if [ -x /usr/sbin/kadmin.local ] ; then
@ -73,8 +92,12 @@ nextnum(){
} }
add-user(){ add-user(){
uidNumber=$(nextnum uidNumber) local id="$1"
gidNumber=$(nextnum gidNumber) local pwEntry="$2"
local gn="$3"
local sn="$4"
local uidNumber=$(nextnum uidNumber)
local gidNumber=$(nextnum gidNumber)
if [ $uidNumber -ge $MAXID -o $gidNumber -ge $MAXID ] ; then if [ $uidNumber -ge $MAXID -o $gidNumber -ge $MAXID ] ; then
echo "Error: $uidNumber and/or $gidNumber exceed max ID number ${MAXID}." echo "Error: $uidNumber and/or $gidNumber exceed max ID number ${MAXID}."
@ -90,8 +113,10 @@ uidNumber: ${uidNumber}
gidNumber: ${gidNumber} gidNumber: ${gidNumber}
homeDirectory: ${HOMES}/${id} homeDirectory: ${HOMES}/${id}
loginShell: /bin/bash loginShell: /bin/bash
cn: ${cn} cn: ${gn} ${sn}
givenName: ${gn}
sn: ${sn} sn: ${sn}
gecos: ${gn} ${sn}
${pwEntry} ${pwEntry}
dn: cn=${id},ou=groups,$BASEDN dn: cn=${id},ou=groups,$BASEDN
@ -100,19 +125,21 @@ gidNumber: ${gidNumber}
################################## ##################################
EOF EOF
echo "uidNumber: ${uidNumber} gidNumber: ${gidNumber}"
if [ $KRB5 ] ; then if [ $KRB5 ] ; then
kadmin.local -q "add_principal -policy default -pw \"$pw\" -x dn=\"uid=${id},ou=people,$BASEDN\" ${id}" \ kadmin.local -q "add_principal -policy default -pw \"$pw\" -x dn=\"uid=${id},ou=people,$BASEDN\" ${id}" \
| sed '/Authenticating as principal/d' | sed '/Authenticating as principal/d'
if [ ! -e "${HOMES}/${id}" ] ; then
echo "uidNumber: ${uidNumber} gidNumber: ${gidNumber}"
cp -r /etc/skel ${HOMES}/${id} cp -r /etc/skel ${HOMES}/${id}
chown -R ${uidNumber}:${gidNumber} ${HOMES}/${id} chown -R ${uidNumber}:${gidNumber} ${HOMES}/${id}
ls -nld ${HOMES}/${id} ls -nld ${HOMES}/${id}
fi fi
fi
} }
del-user(){ del-user(){
local id="$1"
local KEEPDIR local KEEPDIR
if [ $KRB5 ] ; then if [ $KRB5 ] ; then
## Remove all kerberos attributes from LDAP, then the whole DN below. The latter should be sufficient. ## Remove all kerberos attributes from LDAP, then the whole DN below. The latter should be sufficient.
@ -133,6 +160,7 @@ del-user(){
del-host(){ del-host(){
local id="$1"
if [ $KRB5 ] ; then if [ $KRB5 ] ; then
## Remove kerberos principals from LDAP. ## Remove kerberos principals from LDAP.
kadmin.local -q "delete_principal -force host/${id}.${domain}" \ kadmin.local -q "delete_principal -force host/${id}.${domain}" \
@ -146,15 +174,16 @@ del-host(){
########### main ############# ########### main #############
############################## ##############################
sss_cache -U -G ## clear cache
case $COMMAND in case $COMMAND in
adduser) adduser)
add-user add-user "${id}" "${pwEntry}" "${gn}" "${sn}"
;; ;;
deluser) deluser)
del-user del-user "${id}"
;; ;;
delhost) delhost)
del-host del-host "${id}"
;; ;;
*) *)
usage usage

1
roles/nfs-server/templates/sssd.conf.j2
View file

@ -21,4 +21,3 @@ cache_credentials = false
min_id = 10000 min_id = 10000
max_id = 20000 max_id = 20000
enumerate = False