it-team/lmn-client
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add commands: Option to remove machine principals, start ldapvi.

Browse source
This commit is contained in:
Andreas B. Mundt 2019-11-30 09:56:40 +01:00
parent 61e4b1d852
commit 6b3c2f0e0f
1 changed files with 49 additions and 27 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

76
roles/ldap/templates/debian-lan.j2
View file

@ -7,12 +7,14 @@ set -eu
usage(){ usage(){
cat <<EOF cat <<EOF
Usage: Usage:
$(basename $0) adduser <uid> <password> [<cn>] [<sn>] $(basename $0) adduser <uid> <password> [<cn>] [<sn>]
$(basename $0) deluser <uid> $(basename $0) deluser <uid>
$(basename $0) delhost <hostname>
$(basename $0) ldapvi
<uid>: User ID (login name) <uid>: User ID (login name)
<password>: Password <password>: Password
<cn>, <sn>: LDAP attributes, if omitted, <uid> is used. <cn>, <sn>: LDAP attributes, if omitted, <uid> is used.
EOF EOF
@ -20,9 +22,17 @@ EOF
#sss_cache -U -G ## should not be necessary #sss_cache -U -G ## should not be necessary
BASEDN="{{ basedn }}"
LDAPADMIN="cn=admin,$BASEDN"
ADPASSWD="$(cat {{ ldap_admin_pwd_file }})"
if [ $# -lt 2 ] ; then if [ $# -lt 2 ] ; then
usage if [ "$1" = ldapvi ] ; then
exit 1 exec ldapvi -h ldapi:/// -D "$LDAPADMIN" -b "$BASEDN" -w "$ADPASSWD"
else
usage
exit 1
fi
elif [ $1 = adduser -a $# -lt 3 ] ; then elif [ $1 = adduser -a $# -lt 3 ] ; then
echo "Error: Password missing." echo "Error: Password missing."
usage usage
@ -31,16 +41,14 @@ fi
MINID=10000 MINID=10000
MAXID=20000 MAXID=20000
BASEDN="{{ basedn }}"
HOMES="{{ lan_homes }}" HOMES="{{ lan_homes }}"
LDAPADMIN="cn=admin,$BASEDN"
ADPASSWD="$(cat {{ ldap_admin_pwd_file }})"
COMMAND="$1" COMMAND="$1"
uid="$2" id="$2"
pw="${3:-""}" pw="${3:-""}"
cn="${4:-$2}" cn="${4:-$2}"
sn="${5:-$2}" sn="${5:-$2}"
domain="$(hostname -d)"
if [ -x /usr/sbin/kadmin.local ] ; then if [ -x /usr/sbin/kadmin.local ] ; then
KRB5=true KRB5=true
@ -67,26 +75,26 @@ nextnum(){
add-user(){ add-user(){
uidNumber=$(nextnum uidNumber) uidNumber=$(nextnum uidNumber)
gidNumber=$(nextnum gidNumber) gidNumber=$(nextnum gidNumber)
if [ $uidNumber -ge $MAXID -o $gidNumber -ge $MAXID ] ; then if [ $uidNumber -ge $MAXID -o $gidNumber -ge $MAXID ] ; then
echo "Error: $uidNumber and/or $gidNumber exceed max ID number ${MAXID}." echo "Error: $uidNumber and/or $gidNumber exceed max ID number ${MAXID}."
exit 1 exit 1
fi fi
cat <<EOF | ldapadd -H ldapi:/// -D "$LDAPADMIN" -w "$ADPASSWD" | sed '/^$/d' cat <<EOF | ldapadd -H ldapi:/// -D "$LDAPADMIN" -w "$ADPASSWD" | sed '/^$/d'
############## LDIF ############## ############## LDIF ##############
dn: uid=${uid},ou=people,$BASEDN dn: uid=${id},ou=people,$BASEDN
objectClass: inetOrgPerson objectClass: inetOrgPerson
objectClass: posixAccount objectClass: posixAccount
uidNumber: ${uidNumber} uidNumber: ${uidNumber}
gidNumber: ${gidNumber} gidNumber: ${gidNumber}
homeDirectory: ${HOMES}/${uid} homeDirectory: ${HOMES}/${id}
loginShell: /bin/bash loginShell: /bin/bash
cn: ${cn} cn: ${cn}
sn: ${sn} sn: ${sn}
${pwEntry} ${pwEntry}
dn: cn=${uid},ou=groups,$BASEDN dn: cn=${id},ou=groups,$BASEDN
objectClass: posixGroup objectClass: posixGroup
gidNumber: ${gidNumber} gidNumber: ${gidNumber}
################################## ##################################
@ -95,11 +103,11 @@ EOF
echo "uidNumber: ${uidNumber} gidNumber: ${gidNumber}" echo "uidNumber: ${uidNumber} gidNumber: ${gidNumber}"
if [ $KRB5 ] ; then if [ $KRB5 ] ; then
kadmin.local -q "add_principal -policy default -pw \"$pw\" -x dn=\"uid=${uid},ou=people,$BASEDN\" ${uid}" \ kadmin.local -q "add_principal -policy default -pw \"$pw\" -x dn=\"uid=${id},ou=people,$BASEDN\" ${id}" \
| sed '/Authenticating as principal/d' | sed '/Authenticating as principal/d'
cp -r /etc/skel ${HOMES}/${uid} cp -r /etc/skel ${HOMES}/${id}
chown -R ${uidNumber}:${gidNumber} ${HOMES}/${uid} chown -R ${uidNumber}:${gidNumber} ${HOMES}/${id}
ls -nld ${HOMES}/${uid} ls -nld ${HOMES}/${id}
fi fi
} }
@ -107,22 +115,33 @@ EOF
del-user(){ del-user(){
local KEEPDIR local KEEPDIR
if [ $KRB5 ] ; then if [ $KRB5 ] ; then
## Remove all kerberos attributes from LDAP, then the whole DN below. The latter should be sufficient. ## Remove all kerberos attributes from LDAP, then the whole DN below. The latter should be sufficient.
kadmin.local -q "delete_principal -force ${uid}" \ kadmin.local -q "delete_principal -force ${id}" \
| sed -e '/Authenticating as principal/d' -e '/Make sure that you have removed/d' | sed -e '/Authenticating as principal/d' -e '/Make sure that you have removed/d'
fi fi
ldapdelete -v -H ldapi:/// -D "$LDAPADMIN" -w "$ADPASSWD" "uid=${uid},ou=people,$BASEDN" "cn=${uid},ou=groups,$BASEDN" 2>&1 \ ldapdelete -v -H ldapi:/// -D "$LDAPADMIN" -w "$ADPASSWD" "uid=${id},ou=people,$BASEDN" "cn=${id},ou=groups,$BASEDN" 2>&1 \
| sed '/ldap_initialize/d' | sed '/ldap_initialize/d'
if [ -d ${HOMES}/${uid} ] ; then if [ -d ${HOMES}/${id} ] ; then
KEEPDIR="${HOMES}/rm_$(date '+%Y%m%d')_${uid}" KEEPDIR="${HOMES}/rm_$(date '+%Y%m%d')_${id}"
mv ${HOMES}/${uid} "${KEEPDIR}" mv ${HOMES}/${id} "${KEEPDIR}"
chown -R root:root "${KEEPDIR}" chown -R root:root "${KEEPDIR}"
ls -ld "$KEEPDIR" ls -ld "$KEEPDIR"
fi fi
} }
del-host(){
if [ $KRB5 ] ; then
## Remove kerberos principals from LDAP.
kadmin.local -q "delete_principal -force host/${id}.${domain}" \
| sed -e '/Authenticating as principal/d' -e '/Make sure that you have removed/d'
kadmin.local -q "delete_principal -force nfs/${id}.${domain}" \
| sed -e '/Authenticating as principal/d' -e '/Make sure that you have removed/d'
fi
}
############################## ##############################
########### main ############# ########### main #############
############################## ##############################
@ -134,6 +153,9 @@ case $COMMAND in
deluser) deluser)
del-user del-user
;; ;;
delhost)
del-host
;;
*) *)
usage usage
;; ;;