162 lines
3.9 KiB
Django/Jinja
162 lines
3.9 KiB
Django/Jinja
#!/bin/bash
|
|
#
|
|
# A simple script to add users and their group to ldap, as well as a kerberos principal.
|
|
#
|
|
|
|
set -eu
|
|
|
|
usage(){
|
|
cat <<EOF
|
|
Usage:
|
|
$(basename $0) adduser <uid> <password> [<cn>] [<sn>]
|
|
$(basename $0) deluser <uid>
|
|
$(basename $0) delhost <hostname>
|
|
$(basename $0) ldapvi
|
|
|
|
<uid>: User ID (login name)
|
|
<password>: Password
|
|
<cn>, <sn>: LDAP attributes, if omitted, <uid> is used.
|
|
|
|
EOF
|
|
}
|
|
|
|
#sss_cache -U -G ## should not be necessary
|
|
|
|
BASEDN="{{ basedn }}"
|
|
LDAPADMIN="cn=admin,$BASEDN"
|
|
ADPASSWD="$(cat {{ ldap_admin_pwd_file }})"
|
|
|
|
if [ $# -lt 2 ] ; then
|
|
if [ "$1" = ldapvi ] ; then
|
|
exec ldapvi -h ldapi:/// -D "$LDAPADMIN" -b "$BASEDN" -w "$ADPASSWD"
|
|
else
|
|
usage
|
|
exit 1
|
|
fi
|
|
elif [ $1 = adduser -a $# -lt 3 ] ; then
|
|
echo "Error: Password missing."
|
|
usage
|
|
exit 1
|
|
fi
|
|
|
|
MINID=10000
|
|
MAXID=20000
|
|
HOMES="{{ lan_homes }}"
|
|
|
|
COMMAND="$1"
|
|
id="$2"
|
|
pw="${3:-""}"
|
|
cn="${4:-$2}"
|
|
sn="${5:-$2}"
|
|
domain="$(hostname -d)"
|
|
|
|
if [ -x /usr/sbin/kadmin.local ] ; then
|
|
KRB5=true
|
|
pwEntry=""
|
|
else
|
|
KRB5=false
|
|
pwEntry="userPassword: $pw"
|
|
fi
|
|
|
|
#############
|
|
|
|
|
|
nextnum(){
|
|
local num
|
|
num="$(( $(ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b "ou=people,$BASEDN" -S $1 $1 2>/dev/null \
|
|
| tail -n -2 | grep -oE "[[:digit:]]+$") + 1 ))"
|
|
if [ $num -lt $MINID ] ; then
|
|
echo $MINID
|
|
else
|
|
echo "$num"
|
|
fi
|
|
}
|
|
|
|
add-user(){
|
|
uidNumber=$(nextnum uidNumber)
|
|
gidNumber=$(nextnum gidNumber)
|
|
|
|
if [ $uidNumber -ge $MAXID -o $gidNumber -ge $MAXID ] ; then
|
|
echo "Error: $uidNumber and/or $gidNumber exceed max ID number ${MAXID}."
|
|
exit 1
|
|
fi
|
|
|
|
cat <<EOF | ldapadd -H ldapi:/// -D "$LDAPADMIN" -w "$ADPASSWD" | sed '/^$/d'
|
|
############## LDIF ##############
|
|
dn: uid=${id},ou=people,$BASEDN
|
|
objectClass: inetOrgPerson
|
|
objectClass: posixAccount
|
|
uidNumber: ${uidNumber}
|
|
gidNumber: ${gidNumber}
|
|
homeDirectory: ${HOMES}/${id}
|
|
loginShell: /bin/bash
|
|
cn: ${cn}
|
|
sn: ${sn}
|
|
${pwEntry}
|
|
|
|
dn: cn=${id},ou=groups,$BASEDN
|
|
objectClass: posixGroup
|
|
gidNumber: ${gidNumber}
|
|
##################################
|
|
EOF
|
|
|
|
echo "uidNumber: ${uidNumber} gidNumber: ${gidNumber}"
|
|
|
|
if [ $KRB5 ] ; then
|
|
kadmin.local -q "add_principal -policy default -pw \"$pw\" -x dn=\"uid=${id},ou=people,$BASEDN\" ${id}" \
|
|
| sed '/Authenticating as principal/d'
|
|
cp -r /etc/skel ${HOMES}/${id}
|
|
chown -R ${uidNumber}:${gidNumber} ${HOMES}/${id}
|
|
ls -nld ${HOMES}/${id}
|
|
fi
|
|
}
|
|
|
|
|
|
del-user(){
|
|
local KEEPDIR
|
|
if [ $KRB5 ] ; then
|
|
## Remove all kerberos attributes from LDAP, then the whole DN below. The latter should be sufficient.
|
|
kadmin.local -q "delete_principal -force ${id}" \
|
|
| sed -e '/Authenticating as principal/d' -e '/Make sure that you have removed/d'
|
|
fi
|
|
|
|
ldapdelete -v -H ldapi:/// -D "$LDAPADMIN" -w "$ADPASSWD" "uid=${id},ou=people,$BASEDN" "cn=${id},ou=groups,$BASEDN" 2>&1 \
|
|
| sed '/ldap_initialize/d'
|
|
|
|
if [ -d ${HOMES}/${id} ] ; then
|
|
KEEPDIR="${HOMES}/rm_$(date '+%Y%m%d')_${id}"
|
|
mv ${HOMES}/${id} "${KEEPDIR}"
|
|
chown -R root:root "${KEEPDIR}"
|
|
ls -ld "$KEEPDIR"
|
|
fi
|
|
}
|
|
|
|
|
|
del-host(){
|
|
if [ $KRB5 ] ; then
|
|
## Remove kerberos principals from LDAP.
|
|
kadmin.local -q "delete_principal -force host/${id}.${domain}" \
|
|
| sed -e '/Authenticating as principal/d' -e '/Make sure that you have removed/d'
|
|
kadmin.local -q "delete_principal -force nfs/${id}.${domain}" \
|
|
| sed -e '/Authenticating as principal/d' -e '/Make sure that you have removed/d'
|
|
fi
|
|
}
|
|
|
|
##############################
|
|
########### main #############
|
|
##############################
|
|
|
|
case $COMMAND in
|
|
adduser)
|
|
add-user
|
|
;;
|
|
deluser)
|
|
del-user
|
|
;;
|
|
delhost)
|
|
del-host
|
|
;;
|
|
*)
|
|
usage
|
|
;;
|
|
esac
|