commit 4a7b7000453bd2eb2776a9f01963aa3a24952194 Author: madumlao Date: Mon Mar 3 08:53:58 2025 +0800 Initial commit
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..6f18301
--- /dev/null
+++ b/README.md
@@ -0,0 +1 @@
+Set of scripts to import passwd entries to LDAP.
diff --git a/config.sample b/config.sample
new file mode 100644
index 0000000..7289cb2
--- /dev/null
+++ b/config.sample
@@ -0,0 +1,6 @@
+# move to config
+BIND=cn=passwd-importer,ou=apps,dc=bignay,dc=net
+PASS=YOUR_BIND_PASSWORD
+BASEDN=dc=bignay,dc=net
+USER_BASEDN=ou=users,$BASEDN
+GROUP_BASEDN=ou=groups,$BASEDN
diff --git a/group-to-ldap-create b/group-to-ldap-create
new file mode 100755
index 0000000..1d4d279
--- /dev/null
+++ b/group-to-ldap-create
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+# get the script dirname
+BINPATH="$(readlink "$0" || echo "$0")"
+DIRPATH="$(dirname "$BINPATH")"
+
+if ! [ -r "$DIRPATH/config" ]; then echo "Unable to read config file"; exit 128; fi
+source "$DIRPATH/config"
+
+# run as root
+if [ "$EUID" -ne 0 ]; then echo "Must be run as root"; exit 64; fi
+# Get user details
+GROUPNAME=$1
+if [ -z "$GROUPNAME" ]; then echo "No groupname supplied"; exit 1; fi
+
+# Get group info
+GROUPDB="$(getent group "$GROUPNAME")"
+if [ -z "$GROUPDB" ]; then echo "$USERNAME gid $GIDNUMBER not found"; exit 16; fi
+
+GIDNUMBER="$(echo "$GROUPDB" | cut -f 3 -d :)"
+GROUPMEMBERS="$(echo "$GROUPDB" | cut -f 4 -d :)"
+
+# enforce gid limits
+#GIDNUMBER_MIN=1000
+#GIDNUMBER_MAX=10000
+#if [ "$GIDNUMBER" -lt "$GIDNUMBER_MIN" ]; then echo "Refusing to add group below $GIDNUMBER_MIN"; exit 32; fi
+#if [ "$GIDNUMBER" -gt "$GIDNUMBER_MAX" ]; then echo "Refusing to add group above $GIDNUMBER_MAX"; exit 32; fi
+
+ldapadd -D "$BIND" -w "$PASS" -H ldapi:/// <<-LDIF
+ dn: cn=$GROUPNAME,$GROUP_BASEDN
+ objectClass: posixGroup
+ cn: $GROUPNAME
+ gidNumber: $GIDNUMBER
+LDIF
diff --git a/passwd-to-ldap-chpass b/passwd-to-ldap-chpass
new file mode 100755
index 0000000..2b504f0
--- /dev/null
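Review bot: The leading comment `# move to config` reads as a leftover TODO rather than documentation of the file, and nothing states that this file is sourced as shell by the three scripts, which is the only reason `$BASEDN` expands in `USER_BASEDN`/`GROUP_BASEDN` and also means any value containing spaces or shell metacharacters must be quoted. Since `PASS` is the LDAP bind password, I would replace the comment with `# Sourced as bash by the *-to-ldap-* scripts; copy to 'config', keep it owned by root with mode 0600, and quote values that contain spaces.`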
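Review bot: The not-found message after `getent group "$GROUPNAME"` prints `$USERNAME gid $GIDNUMBER not found`, but neither variable is set in this script at that point, so a missing group is reported with both blanks; it should be `if [ -z "$GROUPDB" ]; then echo "Group $GROUPNAME not found"; exit 16; fi`. `GROUPMEMBERS` is extracted from field 4 but never used, so either drop that line or emit one `memberUid:` line per comma-separated member in the LDIF. The bind password is passed as `-w "$PASS"`, which exposes it in the process list to every local user for the duration of the call; `ldapadd`/`ldapmodify` accept `-y <file>` to read it from a file instead, and the same applies to the `ldapmodify` in passwd-to-ldap-chpass and the `ldapadd` in passwd-to-ldap-create. Because `source "$DIRPATH/config"` executes that file as root, all three scripts should also verify it is owned by root and not writable by group/others before sourcing it, e.g. `[ -O "$DIRPATH/config" ] || { echo "config must be owned by root"; exit 128; }`.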
+++ b/passwd-to-ldap-chpass
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# get the script dirname
+BINPATH="$(readlink "$0" || echo "$0")"
+DIRPATH="$(dirname "$BINPATH")"
+
+if ! [ -r "$DIRPATH/config" ]; then echo "Unable to read config file"; exit 128; fi
+source "$DIRPATH/config"
+
+# run as root
+if [ "$EUID" -ne 0 ]; then echo "Must be run as root"; exit 64; fi
+
+# Get user details
+USERNAME=$1
+if [ -z "$USERNAME" ]; then echo "No username supplied"; exit 1; fi
+
+PASSDB="$(getent passwd $USERNAME)"
+if [ -z "$PASSDB" ]; then echo "User $USERNAME not found"; exit 2; fi
+
+UIDNUMBER="$(echo $PASSDB | cut -f 3 -d :)"
+
+# enforce uid limits
+UIDNUMBER_MIN=1000
+UIDNUMBER_MAX=10000
+
+if [ "$UIDNUMBER" -lt "$UIDNUMBER_MIN" ]; then echo "Refusing to update user below $UIDNUMBER_MIN"; exit 4; fi
+if [ "$UIDNUMBER" -gt "$UIDNUMBER_MAX" ]; then echo "Refusing to update user above $UIDNUMBER_MAX"; exit 4; fi
+
+# Get encrypted password hash
+SHADOWDB="$(getent shadow "$USERNAME")"
+if [ -z "$SHADOWDB" ]; then echo "$USERNAME password not found"; exit 8; fi
+
+SECRET="$(echo "$SHADOWDB" | cut -f 2 -d :)"
+
+ldapmodify -D "$BIND" -w "$PASS" -H ldapi:/// <<-LDIF
+ dn: cn=$USERNAME,$USER_BASEDN
+ changeType: modify
+ replace: userPassword
+ userPassword: {CRYPT}$SECRET
+LDIF
diff --git a/passwd-to-ldap-create b/passwd-to-ldap-create
new file mode 100755
index 0000000..69c2a90
--- /dev/null
+++ b/passwd-to-ldap-create
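Review bot: `SECRET` is written into `userPassword: {CRYPT}$SECRET` without checking what the shadow field actually holds, so a locked account (`!`, `*`, `!!` or a `!`-prefixed hash) or an empty field is copied into the directory as-is, and what a bind against such a value does then depends on the server's crypt implementation rather than on this script; add `case "$SECRET" in ''|'!'*|'*'*) echo "$USERNAME has no usable password hash"; exit 8;; esac` before the `ldapmodify` call so the script fails explicitly. `getent passwd $USERNAME` and `echo $PASSDB` are unquoted, so a GECOS containing `*` or `?` is glob-expanded before `cut` runs; quote both as the `SHADOWDB` lines already do. `UIDNUMBER_MIN` is 1000 here but 900 in passwd-to-ldap-create, so a user created by one script can be refused by the other; the limits belong in the config file so both read the same values.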
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+# get the script dirname
+BINPATH="$(readlink "$0" || echo "$0")"
+DIRPATH="$(dirname "$BINPATH")"
+
+if ! [ -r "$DIRPATH/config" ]; then echo "Unable to read config file"; exit 128; fi
+source "$DIRPATH/config"
+
+# run as root
+if [ "$EUID" -ne 0 ]; then echo "Must be run as root"; exit 64; fi
+
+# Get user details
+USERNAME=$1
+if [ -z "$USERNAME" ]; then echo "No username supplied"; exit 1; fi
+
+PASSDB="$(getent passwd $USERNAME)"
+if [ -z "$PASSDB" ]; then echo "User $USERNAME not found"; exit 2; fi
+
+UIDNUMBER="$(echo $PASSDB | cut -f 3 -d :)"
+
+# enforce uid limits
+UIDNUMBER_MIN=900
+UIDNUMBER_MAX=10000
+
+if [ "$UIDNUMBER" -lt "$UIDNUMBER_MIN" ]; then echo "Refusing to add user below $UIDNUMBER_MIN"; exit 4; fi
+if [ "$UIDNUMBER" -gt "$UIDNUMBER_MAX" ]; then echo "Refusing to add user above $UIDNUMBER_MAX"; exit 4; fi
+
+GIDNUMBER="$(echo $PASSDB | cut -f 4 -d :)"
+GECOS="$(echo $PASSDB | cut -f 5 -d : )"
+HOMEDIR="$(echo $PASSDB | cut -f 6 -d :)"
+LOGINSHELL="$(echo $PASSDB | cut -f 7 -d :)"
+
+# parse gecos for given name
+FULLNAME="$(echo "$GECOS" | cut -f 1 -d ,)"
+GIVENNAME="$(echo "$FULLNAME" | tr -s ' ' | rev | cut -f 2- -d ' ' | rev)"
+SURNAME="$(echo "$FULLNAME" | tr -s ' ' | rev | cut -f -1 -d ' ' | rev)"
+if [ -z "$GIVENNAME" ]; then GIVENNAME="$USERNAME"; fi
+if [ -z "$SURNAME" ]; then SURNAME=_; fi
+
+
+# Get encrypted password hash
+SHADOWDB="$(getent shadow "$USERNAME")"
+if [ -z "$SHADOWDB" ]; then echo "$USERNAME password not found"; exit 8; fi
+
+SECRET="$(echo "$SHADOWDB" | cut -f 2 -d :)"
+
+
+# Get group info
+GROUPDB="$(getent group "$GIDNUMBER")"
+if [ -z "$GROUPDB" ]; then echo "$USERNAME gid $GIDNUMBER not found"; exit 16; fi
+
+GROUPNAME="$(echo "$GROUPDB" | cut -f 1 -d :)"
+
+# enforce gid limits
+GIDNUMBER_MIN=900
+GIDNUMBER_MAX=10000
+if [ "$GIDNUMBER" -lt "$GIDNUMBER_MIN" ]; then echo "Refusing to add group below $GIDNUMBER_MIN"; exit 32; fi
+if [ "$GIDNUMBER" -gt "$GIDNUMBER_MAX" ]; then echo "Refusing to add group above $GIDNUMBER_MAX"; exit 32; fi
+
+ldapadd -D "$BIND" -w "$PASS" -H ldapi:/// <<-LDIF
+ dn: cn=$USERNAME,$USER_BASEDN
+ objectClass: posixAccount
+ objectClass: inetOrgPerson
+ objectClass: shadowAccount
+ cn: $USERNAME
+ uid: $USERNAME
+ givenName: $GIVENNAME
+ sn: $SURNAME
+ uidNumber: $UIDNUMBER
+ gidNumber: $GIDNUMBER
+ homeDirectory: $HOMEDIR
+ loginShell: $LOGINSHELL
+ userPassword: {CRYPT}$SECRET
+
+ dn: cn=$USERNAME,$GROUP_BASEDN
+ objectClass: posixGroup
+ cn: $USERNAME
+ gidNumber: $GIDNUMBER
+LDIF
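Review bot: The second LDIF entry creates the primary group as `cn=$USERNAME` even though `GROUPNAME` was just resolved via `getent group "$GIDNUMBER"` and is never used afterwards, so a user whose primary group is a shared one (say `users`) gets a group entry named after the user, and each further user with the same primary group adds another entry carrying the same `gidNumber`; the entry should use `dn: cn=$GROUPNAME,$GROUP_BASEDN` and `cn: $GROUPNAME`, and then the second such user will hit an already-exists error from `ldapadd` unless group creation is left to group-to-ldap-create. The four `echo $PASSDB | cut ...` extractions are unquoted, so a GECOS containing `*` or `?` is glob-expanded before `cut` sees it — quote `"$PASSDB"` as the `GROUPDB` and `SHADOWDB` lines do. A single-word GECOS ends up in both `givenName` and `sn`, because `cut -f 2-` prints a line that contains no delimiter; `cut -s -f 2- -d ' '` in the `GIVENNAME` line makes it empty there so the existing fallback to `$USERNAME` applies. The field values go into the LDIF verbatim, but LDIF requires base64 (`attr:: ...`) for values with non-ASCII bytes or a leading space or colon, so a GECOS such as `José` is not valid LDIF here, and the heredoc presumably relies on tab indentation since `<<-` strips only tabs and a space-indented line would be read as an LDIF continuation of the previous line.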