Kapisi/roles/Password/package/ldap-userreport

96 lines
3.0 KiB
Plaintext
Raw Permalink Normal View History

#!/bin/bash
2024-09-02 23:54:57 -05:00
function getLDAPAttr() {
### Get an LDAP attribute
# param: filter
# param attribute
filter="${1}"
attribute="${2}"
ldapsearch -x "${filter}" "${attribute}" | grep -E "^${attribute}: " | sed "s/${attribute}: //"
}
2024-09-02 23:54:57 -05:00
# Clear cleanup files
ldif="/root/cleanup.ldif"
>"${ldif}"
bash="/root/cleanup.bash"
echo "#!/bin/bash" > "${bash}"
# Attributes
basedn=`getLDAPAttr '(cn=root)' dn | sed 's/cn=root,//'`
pwdMaxAge=`getLDAPAttr '(&(cn=default)(objectClass=pwdPolicy))' pwdMaxAge`
warning=`getLDAPAttr '(&(cn=default)(objectClass=pwdPolicy))' pwdExpireWarning`
pwdWarnAge=$(( $pwdMaxAge - $warning ))
unset EXPIRED EXPIRING OK PENDING
2024-09-02 23:54:57 -05:00
### Check all users
for user in `ldapsearch -x -b "ou=People,$basedn" uid | grep -E ^uid:\ | sed 's/^uid: //'`; do
# Pull changed stats
lastChanged=`/usr/sbin/ldapsearch -x "(uid=$user)" + | grep pwdChangedTime | cut -f 2 -d ' '`
2024-09-02 23:54:57 -05:00
# created=`/usr/sbin/ldapsearch -x "(uid=$user)" + | grep createTimestamp | cut -f 2 -d ' '`
# email=`/usr/sbin/ldapsearch -x "(uid=$user)" | grep mail | cut -f 2 -d ' '`
2024-09-02 23:54:57 -05:00
# If user has PENDING changed, report
if [ -z "$lastChanged" ]; then
2024-09-02 23:54:57 -05:00
if [ -z "${PENDING}" ]; then
PENDING="${user}"
else
PENDING="${PENDING},${user}"
fi
else
delta="$(( `date +%s` - `date -d $(echo $lastChanged | head -c 8) +%s`))"
2024-09-02 23:54:57 -05:00
# Report if user is expired
if [ $delta -gt $pwdMaxAge ]; then
if [ -z "${EXPIRED}" ]; then
EXPIRED="${user}"
else
2024-09-02 23:54:57 -05:00
EXPIRED="${EXPIRED},${user}"
fi
2024-09-02 23:54:57 -05:00
printf "dn: uid=${user},ou=People,${basedn}\nchangetype: delete\n\n" >> "${ldif}"
printf "rm -Rf `getent passwd "${user}" | cut -f 6 -d ':'`\n" >> "${bash}"
# Report if the user is expiring and needs to update their password.
elif [ $delta -gt $pwdWarnAge ] && [ $delta -le $pwdMaxAge ]; then
if [ -z "${EXPIRING}" ]; then
EXPIRING="${user}"
else
EXPIRING="${EXPIRING},${user}"
fi
2024-09-02 23:54:57 -05:00
# Record the user account is OK.
else
if [ -z "${OK}" ]; then
OK="${user}"
else
OK="${OK},${user}"
fi
fi
fi
done
2024-09-02 23:54:57 -05:00
### Results
# Should always have OK users in the tree.
echo "OK: ${OK}"
# Report when there are users that have not changed their password.
# This may be normal, such as for new user accounts, and may not drive action.
if [ -n "$PENDING" ]; then
echo "PENDING: ${PENDING}"
fi
# Report when users are expiring -- give them several notices to fix it.
if [ -n "${EXPIRING}" ]; then
echo "EXPIRING: ${EXPIRING}"
ravensend -c "#tech" -m "The following users are expiring: ${EXPIRING}"
fi
# Report users that have expired. These users should be contacted or removed.
if [ -n "${EXPIRED}" ]; then
echo "EXPIRED: ${EXPIRED}"
echo "Expired users can be cleaned up with ${ldif} and ${bash}"
ravensend -c "#sharingan" -m 'Users have expired and need attention.'
fi