LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 09-09-2010, 11:22 AM   #1
Felicia1326
LQ Newbie
 
Registered: Jul 2010
Posts: 8
Blog Entries: 1

Rep: Reputation: 0
The script from HELL.


I honestly don't have a lot of scripting knowledge, but would really like some at this moment in my career.

So there are several parts:
1) look at the /etc/passwd file for users, excluding the default system users. I know how to do this the long, hard, irritating way (cat /etc/passwd | grep -v for 30 different strings); I'm looking for a shorter, more friendly method using an exclude list.

2) Perform an ldap query that cross references with AD to see if the users are currently employed. No clue where to even start on this one.

3) lock the users that do not match across... I can handle the locking out of the returned users.



Uh help?

Sunshine...
 
Old 09-09-2010, 01:06 PM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
#s 1 and 3 are trivial:

$ grep 'bash' /etc/passwd (<-- this assumes no system accounts have a bash shell)

# passwd -l <some_user> (<-- see the passwd(1) manpages)

#2: Dunno. Who configured authentication on the system you're managing? Did s/he provide any documentation?
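The exclude-list approach from part 1 of the question, as an added example that is not from any post in this thread. It combines an exclude file (one login per line) with a UID_MIN-style threshold and an interactive-shell test, so it goes a bit beyond the single `grep 'bash'` above: system accounts are dropped by UID rather than by guessing their shell. The passwd and exclude files are constructed sample data so it runs offline; in real use point `list_candidate_users` at /etc/passwd and your own exclude list.

```shell
#!/bin/bash
# Added example, not from any post in this thread: pick the local accounts that
# should be checked against AD using an exclude list instead of a long chain of
# "grep -v". An account is a candidate when it is not in the exclude file, its
# UID is at or above UID_MIN, and its shell is interactive.
# The passwd and exclude files below are constructed sample data so the script
# runs offline; in real use point it at /etc/passwd and your own exclude list.

# list_candidate_users PASSWD_FILE EXCLUDE_FILE [UID_MIN]
# Prints one login name per line, in passwd-file order.
list_candidate_users() {
    passwd_file=$1; exclude_file=$2; uid_min=${3:-1000}
    awk -F: -v exf="$exclude_file" -v uid_min="$uid_min" '
        # Lines from the exclude file: remember the name, skip blanks/comments.
        FILENAME == exf { if ($0 != "" && $0 !~ /^#/) excluded[$0] = 1; next }
        # Lines from the passwd file: name:x:uid:gid:gecos:home:shell
        {
            name = $1; uid = $3 + 0; shell = $7
            if (name in excluded) next
            if (uid < uid_min) next                       # system accounts
            if (shell !~ /\/(sh|bash|ksh|zsh)$/) next     # nologin, false, ...
            print name
        }' "$exclude_file" "$passwd_file"
}

# make_sample: writes constructed sample files to a temp dir and prints its path.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
oracle:x:1001:1001:Oracle software owner:/home/oracle:/bin/bash
felicia:x:1002:1002:Felicia:/home/felicia:/bin/bash
bob:x:1003:1003:Bob:/home/bob:/bin/sh
svc_backup:x:1004:1004:backup job:/var/backup:/sbin/nologin
jane:x:1005:1005:Jane:/home/jane:/bin/zsh
EOF
    cat > "$dir/exclude" <<'EOF'
# local accounts the AD sync must never touch, one per line
oracle
svc_backup
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run: prints felicia, bob and jane for the sample data
# (root and bin fall under UID_MIN, oracle and svc_backup are excluded).
sample_dir=$(make_sample)
list_candidate_users "$sample_dir/passwd" "$sample_dir/exclude"
rm -rf "$sample_dir"
```

The exclude file is read first so the names land in an awk array; the passwd file is then filtered in one pass, which is the "shorter, more friendly" replacement for thirty chained greps.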
 
Old 09-09-2010, 05:51 PM   #3
Eduardo Nunes
LQ Newbie
 
Registered: Aug 2010
Location: /root/SouthAmerica/Brazil/SaoPaulo/SP
Distribution: Slackware
Posts: 24

Rep: Reputation: 2

Hi Felicia,

I don't know how to perform the ldap lookup, nor what it returns, but I hope this script block can give you a direction.

Code:
#!/bin/bash
# Picks up users that have an encrypted password, and for each do a ldap query.
# /etc/shadow has 9 colon-separated fields; a locked or empty password field
# starts with "!" or "*", so keep only the accounts whose field 2 does not.
for user in `awk -F: '$2 != "" && $2 !~ /^[!*]/ { print $1 }' /etc/shadow`; do
  # "ldapquery" is a placeholder for whatever command answers the question
  # (see below); this assumes it prints something only when $user is employed.
  if [ -z "`ldapquery "$user" --check-employed`" ]; then
    # Lazy or Unemployed! Lock the user!
    passwd -l "$user"
  else
    # I can see clearly now the rain is gone... ;)
    passwd -u "$user"
  fi
done
Do you have a command which produces output only when a user is employed? As my imagination would name it, "ldapquery $user --check-employed" would return "employed", or nothing if it's not employed anymore. Then if [ -n "`ldapquery $user`" ]; would be the key you are looking for. On the other side, "ldapquery $user --show-unemployed" would turn the if to use -z instead of -n; -n proceeds if the string is not empty, and -z proceeds when the string is empty.

You could suppress the else to enable user access. However, I think keeping it makes the script synchronize shell logons with ldap correctly all the time it runs (if someone was re-employed, or by a mistake was marked as unemployed).

Regards!

Last edited by Eduardo Nunes; 09-09-2010 at 08:56 PM.
 
Old 09-09-2010, 06:48 PM   #4
ghostdog74
Senior Member
 
Registered: Aug 2006
Posts: 2,697
Blog Entries: 5

Rep: Reputation: 244
Quote:
Originally Posted by Felicia1326
I honestly don't have a lot of scripting knowledge, but would really like some at this moment in my career.

So there are several parts
1) look at the /etc/passwd file for users, excluding the default system users. I know how to do this the long, hard, irritating way (cat /etc/passwd | grep -v for 30 different strings); I'm looking for a shorter, more friendly method using an exclude list.

2) Perform an ldap query that cross references with AD to see if the users are currently employed. No clue where to even start on this one.

3) lock the users that do not match across... I can handle the locking out of the returned users.
if you have Python

Code:
import commands   # Python 2 module; use subprocess on Python 3
exclude=['root','bin'] #add more here
users=[]
# store all users required (the login name is the first colon-separated field)
for line in open("/etc/passwd"):
    s=line.split(":")
    if s[0] in exclude:
        continue
    if not s[0] in users:
        users.append(s[0])

# do ldap query here, filling users_to_lock with the names that are not in AD
users_to_lock=[]

# do locking here
for user_to_lock in users_to_lock:
    commands.getstatusoutput('passwd -l %s' %( user_to_lock ) )
For ldap, you can download the Python wrapper here. Then read this document to see how it's used.
 
Old 09-10-2010, 07:23 PM   #5
ComputerErik
Member
 
Registered: Apr 2005
Location: NYC
Distribution: Debian, RHEL
Posts: 269

Rep: Reputation: 54
It sounds like your ultimate goal is to lock any local account in /etc/passwd (on some Linux machine(s)) if the user doesn't have an active account in AD. Why not just authenticate the users in both environments directly against Active Directory (LDAP) instead? This would greatly simplify management.

All of the LDAP connection mechanisms included with Linux will work against AD, but can be a pain to set up. However, there are some third party solutions (Likewise and Centrify) which make the task a breeze.
 
Old 09-15-2010, 12:05 PM   #6
Felicia1326
LQ Newbie
 
Registered: Jul 2010
Posts: 8

Original Poster
Blog Entries: 1

Rep: Reputation: 0
Thank you all for your input, I am currently working on the ldap query to check the users on our Solaris, Linux and HP-UX boxes against our users in AD. Once I've finished the script I will post it here.

Although the grep bash command worked and I only had to add a grep -v root, in order to lock the account I only need the username, and '{print $1}' against /etc/passwd returns the user name, the uid, gid and the first name; guess that's all in column 1.

Anyway, I decided to just perform an ls on the /home directory and pull in my users this way, using -v greps for oracle and a few other system users that would not need to be referenced. This gives me the username only, so I can do the passwd -l <username here>.
 
Old 09-21-2010, 12:01 PM   #7
Felicia1326
LQ Newbie
 
Registered: Jul 2010
Posts: 8

Original Poster
Blog Entries: 1

Rep: Reputation: 0
Here's what I'm testing and modifying currently. In case anyone has any suggestions...


#!/bin/bash

for i in `awk -F: '$7 ~ /\/bin\/bash/ || $7 ~ /\/bin\/sh/ {print $1}' /etc/passwd`
do
  echo "checking account: $i"
  # Does account ($i) exist? Set DNE (Does not exist) to 1 if nothing is found.
  # A search that matches nothing returns an empty result (no "dn:" line) rather
  # than a "No such object" message, so count the returned entries instead.
  # Note: no space after "DNE=", and the filter is double-quoted so $i expands.
  if ldapsearch -LLL -x -H ldap://okcldap1.global.tronox.com:389 -b 'ou=Users,ou=Tronox,dc=Global,dc=Tronox,dc=com' -D 'Domain\username' -w 'pA$$w0rd' "(sAMAccountName=$i)" | grep -q '^dn:'
  then
    DNE=0
  else
    DNE=1
  fi
  if [ "$DNE" = 1 ]
  then
    echo "$i should be locked"
  fi
done
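The same sAMAccountName lookup, as an added example that is not the poster's script. The point it adds is the one a reviewer would raise about the script above: a search that finds nothing and a search that fails (server down, bad bind, wrong base DN) both leave you with no "dn:" line, and only the first should ever lead to passwd -l. The server, base DN, bind account and password file are placeholders; `ad_lookup`, `classify_account`, `decide_action` and `run_sync` are names chosen here, and the password is read with ldapsearch -y from a root-only file rather than passed on the command line.

```shell
#!/bin/bash
# Added example, not the poster's script: the same sAMAccountName lookup, with
# the result split into three outcomes instead of grepping for "No such object"
# (which ldapsearch prints on stderr, and only when the *base DN* is missing):
#   found   - the search returned an entry (a "dn:" line)
#   missing - the search succeeded but returned no entry
#   error   - ldapsearch itself failed (server down, bad bind, wrong base DN)
# Only "missing" justifies a lock; "error" must never lock anyone, otherwise an
# LDAP outage locks every interactive account on the box in one run.
# Server, base DN and bind account are placeholders; the bind password is read
# from a root-only file with -y so it never appears in the process list.
LDAP_URI=${LDAP_URI:-ldap://ad.example.com:389}        # placeholder
LDAP_BASE=${LDAP_BASE:-ou=Users,dc=example,dc=com}     # placeholder
LDAP_BIND_DN=${LDAP_BIND_DN:-svc_ldapsync@example.com} # placeholder
LDAP_PASS_FILE=${LDAP_PASS_FILE:-/etc/ldapsync.pw}     # chmod 600, owned by root

# ad_lookup LOGIN: runs the real query, prints LDIF, returns ldapsearch's status.
# "1.1" asks for no attributes, so only the dn lines come back.
ad_lookup() {
    ldapsearch -LLL -x -H "$LDAP_URI" -b "$LDAP_BASE" \
        -D "$LDAP_BIND_DN" -y "$LDAP_PASS_FILE" \
        "(sAMAccountName=$1)" 1.1
}

# classify_account LOGIN: prints found, missing or error.
classify_account() {
    # Refuse names with LDAP filter metacharacters rather than splicing them in.
    case $1 in
        ''|*[!A-Za-z0-9._-]*) echo error; return ;;
    esac
    if output=$(ad_lookup "$1" 2>/dev/null); then
        if printf '%s\n' "$output" | grep -q '^dn:'; then
            echo found
        else
            echo missing
        fi
    else
        echo error
    fi
}

# decide_action LOGIN: what the sync would do for that account (dry run).
decide_action() {
    case $(classify_account "$1") in
        missing) echo lock ;;
        found)   echo keep ;;
        *)       echo skip ;;     # lookup failed: leave the account alone
    esac
}

# Dry-run driver over the same interactive-shell accounts as the original
# script. Replace the printf with "passwd -l" once the output looks right.
run_sync() {
    awk -F: '$7 ~ /\/bin\/(ba)?sh$/ {print $1}' /etc/passwd |
    while read -r login; do
        printf '%s: %s\n' "$login" "$(decide_action "$login")"
    done
}
```

Keeping the query in its own function means the decision logic can be exercised with a stub in place of a live domain controller before anything is locked, and the "skip" branch is what keeps a failed bind from turning into a site-wide lockout.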
 
All times are GMT -5. The time now is 05:08 AM.