개요
그룹웨어 User 테이블에서 사용자 정보를 불러와서,
LDAP에 자동으로 등록 처리 해주는 구문이다.
새로 추가되는 팀이 있다면, 사용자가 팀을 이동한다면 또한 자동 관리 된다.
해당 스크립트를 ldap crontab에 등록해 주면 스케줄링되어 자동으로 세팅될 것이다.
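#!/bin/bash
# Synchronise groupware users into OpenLDAP.
#
# userExports.py dumps the groupware User table to JSON files under
# /usr/share/openldap-servers; this script then creates missing users and
# teams, moves users whose team changed, and removes users listed in
# userStopList.json.  Meant to run from cron.
#
# Deliberately no `set -e`: ldapadd/ldapmodify return non-zero for entries
# that already exist, and every row must still be processed.
#
# NOTE(review): the LDAP manager password is given with `-w` on the ldap*
# command lines below and is therefore readable by any local user via `ps`;
# the OpenLDAP client tools accept `-y <file>` (a mode-0600 file) instead.
# The userid/deptname values are interpolated into LDAP filters and LDIF
# without escaping, so the export is trusted as-is.

# Export the groupware tables to JSON (one object per line, read with jq below).
/usr/bin/python /usr/share/openldap-servers/userExports.py
# NOTE(review): the export runs synchronously, so this delay only matters if
# userExports.py itself finishes writing asynchronously — confirm.
sleep 50

# One element per exported row, in file order, so that uid/sn/groupName/
# mailaddr stay aligned by index.  mapfile keeps empty fields and values
# containing spaces as single elements (the earlier `arr=( $(...) )` form
# word-split them and silently misaligned the arrays).
mapfile -t uid < <(jq -r .userid /usr/share/openldap-servers/userList.json)
cn=("${uid[@]}")   # same field as uid; kept for compatibility, not used below
mapfile -t sn < <(jq -r .username /usr/share/openldap-servers/userList.json)
mapfile -t groupCode < <(jq -r .deptcode /usr/share/openldap-servers/userList.json)
# Team names are used as group cn values; spaces are stripped, matching the
# names of the groups created by newGroupCreate.
mapfile -t groupName < <(jq -r .deptname /usr/share/openldap-servers/userList.json | tr -d ' ')
mapfile -t mailaddr < <(jq -r .mailaddr /usr/share/openldap-servers/userList.json)
# Departed users to delete.
mapfile -t userDeleteList < <(jq -r .userid /usr/share/openldap-servers/userStopList.json)

# Snapshot of the group names (cn) currently in LDAP, one per line.  The perl
# stage unfolds continuation lines and decodes base64 (`cn::`) values to
# UTF-8 before grep selects the cn lines, so long (folded) names survive.
/usr/bin/ldapsearch -xLLL -H ldap://IP_ADDRESS -b "ou=Group,dc=test,dc=com" \
  | perl -MMIME::Base64 -MEncode=decode -n -00 -e 's/\n +//g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;print' \
  | grep "cn:" \
  | awk '{print $2}' > /usr/share/openldap-servers/groupList.lst
mapfile -t groupList < /usr/share/openldap-servers/groupList.lst
# All teams known to the groupware (also read by deleteUserInGroup).
mapfile -t gwTotalGroupList < <(jq -r .deptname /usr/share/openldap-servers/gwTotalGroupList.lst)

# Per-row values handed to userCreate/userAddInGroup via globals.
finalUID=
finalSN=
finalMail=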
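#######################################
# Create the LDAP user described by finalUID/finalSN/finalMail and set its
# initial password.
# Globals:   finalUID, finalSN, finalMail, uidNumber, gidNumber, sambaSID (read)
# Arguments: none
# Outputs:   writes /usr/share/openldap-servers/userCreate.ldif, then ldapadd
# Returns:   0 when the entry was created, 1 when ldapadd failed
#
# NOTE(review): sambaNTPassword is a fixed hash and ldappasswd sets the same
# fixed initial password for every account — presumably the hash of that
# password, confirm.  The bind password on `-w` is visible via `ps`; the
# OpenLDAP tools accept `-y <file>` instead.
# The password is now set only when ldapadd actually created the entry; the
# previous version re-ran ldappasswd on every cron run for every existing
# user, resetting passwords users had changed.
#######################################
userCreate() {
  local ldif=/usr/share/openldap-servers/userCreate.ldif
  cat > "$ldif" <<EOF
dn: uid=${finalUID},ou=People,dc=test,dc=com
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: sambaSamAccount
displayName: ${finalUID}
uid: ${finalUID}
homeDirectory: /home/${finalUID}
sambaKickoffTime: 2147483647
sambaAcctFlags: [U]
uidNumber: ${uidNumber}
sambaSID: ${sambaSID}
sambaDomainName: REFINEHUB.COM
sn: ${finalSN}
mail: ${finalMail}
cn: ${finalUID}
gidNumber: ${gidNumber}
sambaNTPassword: 4EFAB4E3D4DD4A1B5837C600E13F5794
sambaPwdLastSet: 1643023108
sambaPrimaryGroupSID: S-1-5-21-2943257643-222489679-77770093-16330
EOF
  # An entry that already exists makes ldapadd fail; it must keep its password.
  if ! /usr/bin/ldapadd -x -D cn=manager,dc=test,dc=com -w Wjstkstlf12 -f "$ldif"; then
    return 1
  fi
  # Confirm the entry is really present before setting the initial password.
  local verifyUser
  verifyUser=$(/usr/bin/ldapsearch -xLLL -H ldap://IP_ADDRESS -b "ou=People,dc=test,dc=com" "(&(uid=${finalUID}))" | grep "cn: " | cut -d: -f 2 | sed 's/^ //')
  if [[ -n ${verifyUser} ]]; then
    /usr/bin/ldappasswd -s 'Password$710' -w Wjstkstlf12 -D cn=manager,dc=test,dc=com -x "uid=${finalUID},ou=People,dc=test,dc=com"
  fi
  return 0
}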
#######################################
# Add the user finalUID to the team (posixGroup) groupName[id].
# Globals:   finalUID, groupName, id (read)
# Arguments: none
# Outputs:   writes /usr/share/openldap-servers/userAddInGroup.ldif, then ldapmodify
# Returns:   exit status of ldapmodify (non-zero if already a member)
#######################################
userAddInGroup(){
  local ldif=/usr/share/openldap-servers/userAddInGroup.ldif
  {
    printf 'dn: cn=%s,ou=Group,dc=test,dc=com\n' "${groupName[$id]}"
    printf 'changetype: modify\n'
    printf 'add: memberUid\n'
    printf 'memberUid: %s\n' "${finalUID}"
  } > "$ldif"
  # Bind password on the command line is visible via `ps` (`-y <file>` avoids that).
  /usr/bin/ldapmodify -x -D cn=manager,dc=test,dc=com -w Wjstkstlf12 -f "$ldif"
}
#######################################
# Create the team groupName[id] as a posixGroup/sambaGroupMapping entry.
# Globals:   groupName, id, gidNumber, sambaSID (read)
# Arguments: none
# Outputs:   writes /usr/share/openldap-servers/newGroupCreate.ldif, then ldapadd
# Returns:   exit status of ldapadd (non-zero if the group already exists)
#######################################
newGroupCreate(){
  local ldif=/usr/share/openldap-servers/newGroupCreate.ldif
  local name=${groupName[$id]}
  {
    printf 'dn: cn=%s,ou=Group,dc=test,dc=com\n' "$name"
    printf 'objectClass: posixGroup\n'
    printf 'objectClass: top\n'
    printf 'objectClass: sambaGroupMapping\n'
    printf 'cn: %s\n' "$name"
    printf 'sambaGroupType: 2\n'
    printf 'displayName: %s\n' "$name"
    printf 'gidNumber: %s\n' "${gidNumber}"
    printf 'sambaSID: %s\n' "${sambaSID}"
  } > "$ldif"
  # Bind password on the command line is visible via `ps` (`-y <file>` avoids that).
  /usr/bin/ldapadd -x -D cn=manager,dc=test,dc=com -w Wjstkstlf12 -f "$ldif"
}
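#######################################
# Remove uid[id] from its previous group `line`, after checking whether that
# group is a groupware team or a group created directly in LDAP (e.g. GrafanaAdmin).
# Globals:   line (the group the user is currently in), uid, groupName, id (read)
# Arguments: none
# Outputs:   appends a trace line to /usr/share/openldap-servers/log; may write
#            deleteUserInGroup.ldif and run ldapmodify
# Returns:   0 (ldapmodify's status is not propagated)
#
# NOTE(review): the membership is removed only when `line` is NOT found in
# gwTotalGroupList.lst, i.e. for groups that do not come from the groupware.
# That reads as the opposite of what the header describes — confirm the
# intended direction before relying on this to move users between teams.
#######################################
deleteUserInGroup() {
  local ldif=/usr/share/openldap-servers/deleteUserInGroup.ldif
  local gwGroupCompare2 gwGroupCompare
  # An empty group name would give the DN "cn=,ou=Group,..." and an empty grep
  # pattern; there is nothing to do with it.
  [[ -n ${line} ]] || return 0
  # Team of the current row as known by the groupware export (space-stripped);
  # exact whole-line match, so "DevOps" no longer satisfies a lookup for "Dev".
  gwGroupCompare2=$(jq -r .deptname /usr/share/openldap-servers/userList.json | tr -d ' ' | grep -Fx -- "${groupName[$id]}" | uniq)
  # Empty when the user's current LDAP group is not a groupware team.
  gwGroupCompare=$(jq -r .deptname /usr/share/openldap-servers/gwTotalGroupList.lst | tr -d ' ' | grep -Fx -- "${line}")
  printf 'deleteUserInGroup %s %s %s %s\n' "${gwGroupCompare2}" "${gwGroupCompare}" "${uid[$id]}" "${groupName[$id]}" >> /usr/share/openldap-servers/log
  if [[ "${gwGroupCompare2}" != "${gwGroupCompare}" && -z "${gwGroupCompare}" ]]; then
    cat > "$ldif" <<EOF
dn: cn=${line},ou=Group,dc=test,dc=com
changetype: modify
delete: memberUid
memberUid: ${uid[$id]}
EOF
    # Bind password on the command line is visible via `ps` (`-y <file>` avoids that).
    /usr/bin/ldapmodify -x -D cn=manager,dc=test,dc=com -w Wjstkstlf12 -f "$ldif"
  fi
  return 0
}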
#######################################
# Add uid[id] to the team groupName[id] (used after a team change and for
# users holding more than one post).
# Globals:   uid, groupName, id (read)
# Arguments: none
# Outputs:   writes /usr/share/openldap-servers/addUserInNewGroup.ldif, then ldapmodify
# Returns:   exit status of ldapmodify (non-zero if already a member)
#######################################
addUserInNewGroup(){
  local ldif=/usr/share/openldap-servers/addUserInNewGroup.ldif
  {
    printf 'dn: cn=%s,ou=Group,dc=test,dc=com\n' "${groupName[$id]}"
    printf 'changetype: modify\n'
    printf 'add: memberUid\n'
    printf 'memberUid: %s\n' "${uid[$id]}"
  } > "$ldif"
  # Bind password on the command line is visible via `ps` (`-y <file>` avoids that).
  /usr/bin/ldapmodify -x -D cn=manager,dc=test,dc=com -w Wjstkstlf12 -f "$ldif"
}
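# Main pass: one exported row per iteration.  The arrays are parallel, so $id
# indexes uid/sn/mailaddr/groupName alike; a user with several teams appears
# in several rows.
for id in "${!groupName[@]}"; do
  # Random 6-digit uidNumber/gidNumber and 5-digit SID suffix for whatever
  # entry this iteration may create (for entries that already exist ldapadd
  # fails with "Already exists" and the numbers go unused).
  # NOTE(review): not checked for collisions with existing entries, and may
  # start with 0 — confirm this is acceptable for the consumers of these ids.
  uidNumber=$(tr -dc '0-9' < /dev/urandom | head -c 6)
  sambaSID=S-1-5-21-2943257643-222489679-77770093-$(tr -dc '0-9' < /dev/urandom | head -c 5)
  gidNumber=$(tr -dc '0-9' < /dev/urandom | head -c 6)

  # Groups the user currently belongs to in LDAP, one cn per line.
  # NOTE(review): `cut -d: -f 3` only yields a name for base64-encoded
  # (`cn::`) values; a plain `cn: Name` line becomes an empty line, which is
  # skipped below — so ASCII-named groups are never treated as an old team.
  # Kept as-is; changing it changes which groups users get removed from.
  /usr/bin/ldapsearch -xLLL -H ldap://IP_ADDRESS -b "ou=Group,dc=test,dc=com" "(&(memberUid=${uid[$id]}))" \
    | perl -MMIME::Base64 -MEncode=decode -n -00 -e 's/\n +//g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;print' \
    | grep "cn:" | cut -d: -f 3 | sed 's/^ //' > /usr/share/openldap-servers/searchingGroupOfUser.lst

  # Team change: the user is in a group that differs from this row's team.
  # `line` is read by deleteUserInGroup as a global.
  while IFS= read -r line; do
    [[ -n ${line} ]] || continue
    if [[ "${line}" != "${groupName[$id]}" ]]; then
      deleteUserInGroup
      addUserInNewGroup
    fi
  done < /usr/share/openldap-servers/searchingGroupOfUser.lst

  # Create the team first if it is not in the LDAP group snapshot (exact
  # whole-line match; a substring match used to trigger a spurious create).
  if ! grep -Fxq -- "${groupName[$id]}" /usr/share/openldap-servers/groupList.lst; then
    newGroupCreate
  fi
  # Create the user (no-op for existing users) and put it in this row's team.
  finalUID=${uid[$id]}
  finalSN=${sn[$id]}
  finalMail=${mailaddr[$id]}
  userCreate
  userAddInGroup

  # Users holding more than one post appear in several rows; count the rows
  # for this userid and add it to the team once more.
  # NOTE(review): the original threshold `-gt 2` (three or more rows) is kept;
  # `-gt 1` may be what was meant — confirm.  Each row already adds the user
  # to its own team above, so this extra add is usually a no-op.
  countGroupOfUser=$(jq -r .userid /usr/share/openldap-servers/userList.json | tr -d ' ' | grep -Fxc -- "${uid[$id]}")
  if (( countGroupOfUser > 2 )); then
    printf 'countGroupOfUser %s %s %s\n' "${countGroupOfUser}" "${uid[$id]}" "${groupName[$id]}" >> /usr/share/openldap-servers/log
    addUserInNewGroup
  fi
done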
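# Departed users: drop every group membership, then delete the entry.
for empno in "${!userDeleteList[@]}"; do
  exitedUid=${userDeleteList[empno]}
  # Groups the departed user is still a member of, one cn per line.  Both
  # plain `cn:` and base64 `cn::` values are handled here, so ASCII-named
  # groups are cleaned up too.
  /usr/bin/ldapsearch -xLLL -H ldap://IP_ADDRESS -b "ou=Group,dc=test,dc=com" "(&(memberUid=${exitedUid}))" \
    | perl -MMIME::Base64 -MEncode=decode -n -00 -e 's/\n +//g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;print' \
    | sed -n -e 's/^cn:: *//p' -e 's/^cn: *//p' > /usr/share/openldap-servers/exitedUserInGroup.lst
  # One ldapmodify per group.  The previous version put the whole file into a
  # single DN, which was malformed as soon as the user was in several groups.
  while IFS= read -r exitedUserInGroup; do
    [[ -n ${exitedUserInGroup} ]] || continue
    cat > /usr/share/openldap-servers/exitedUserInGroup.ldif <<EOF
dn: cn=${exitedUserInGroup},ou=Group,dc=test,dc=com
changetype: modify
delete: memberUid
memberUid: ${exitedUid}
EOF
    # Bind password on the command line is visible via `ps` (`-y <file>` avoids that).
    /usr/bin/ldapmodify -x -D cn=manager,dc=test,dc=com -w Wjstkstlf12 -f /usr/share/openldap-servers/exitedUserInGroup.ldif
  done < /usr/share/openldap-servers/exitedUserInGroup.lst
  /usr/bin/ldapdelete -x -D cn=manager,dc=test,dc=com -w Wjstkstlf12 "uid=${exitedUid},ou=People,dc=test,dc=com"
done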