Add capability to write to file, and make it more paranoid

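#! /usr/bin/perl -w
#
# mkgroup-sshlpk: collect the sshPublicKey attribute of every member of the
# directory groups named on the command line and print the unique keys, or
# write them to a file (typically an authorized_keys file).
#
# Exit status is non-zero (via die) when the server cannot be contacted, a
# group cannot be found, a member DN does not resolve, or the output file
# cannot be written.
use strict;
use warnings;
use Getopt::Long qw(:config no_ignore_case bundling);
use Net::LDAP qw(:all);                       # LDAP_* result-code constants
use Net::LDAP::Util qw(ldap_error_name
                       ldap_error_text
                       escape_filter_value);  # error handling and filter quoting

my $verb         = 0;     # -v, repeatable: progress reporting on stderr
my $force        = 0;     # -f: write the output file even when no keys were found
my $display_help = 0;
my $ldapurl      = "ldaps://teugel.nikhef.nl/";
my $ldapbase     = "ou=DirectoryGroups,dc=farmnet,dc=nikhef,dc=nl";
my $outputfile;           # -o: destination file; stdout when undefined

GetOptions(
    "verbose|v+" => \$verb,
    "url|H=s"    => \$ldapurl,
    "base|b=s"   => \$ldapbase,
    "output|o=s" => \$outputfile,
    "help|h"     => \$display_help,
    "force|f"    => \$force,
) or die "Invalid command line options (use \"-h\" for help)\n";

if ( $display_help ) {
    print <<EOF;

Generate a list of all unique sshPublicKeys for all members of the
directory groups specified on the command line.

Usage: $0 [-h] [-H uri] [-b DITbase] [-o file] [-f] [-v[v]] groupRDN [groupRDN]
  -h        Display this help text
  -H uri    Connect to LDAP server at <uri>
            (default: $ldapurl)
  -b base   Search base DIT for groups
            (default: $ldapbase)
  -o file   Writing list of sshPublicKeys to <file>
            (only when at least one sshPublicKey is retrieved, unless
            -f is also specified)
  -f        Force writing even if the list of keys is empty
  -v        Report progress on stderr (repeat for per-member detail)

  groupRDN  name of groups to traverse for members (list)

Example:
  $0 systemAdministrators nDPFPrivilegedUsers

Dependencies:
  perl-LDAP, and perl-IO-Socket-SSL & perl-Net-SSLeay for ldaps

EOF
    exit 0;
}

@ARGV or die "groupRDN is a required argument\n";

# NOTE(review): no verify/cafile options are passed, so whether the server
# certificate is checked for ldaps:// depends on the Net::LDAP defaults in
# use on this host -- confirm.  On failure Net::LDAP->new returns undef and
# leaves the reason in $@ (the object does not exist, so ->error cannot be
# used here).
my $ldap = Net::LDAP->new( $ldapurl, timeout => 20 )
    or die "Cannot contact remote server at $ldapurl: $@\n";

# start collecting ssh keys from all users in all groups requested;
# first-seen order is kept so the output is reproducible between runs
my @keys;

foreach my $groupRDN ( @ARGV ) {

    # Quote the RDN (RFC 4515) so that a stray '(', ')', '*' or '\' in the
    # argument cannot change the meaning of the filter.
    my $groupresults = $ldap->search(
        base   => $ldapbase,
        scope  => "sub",
        filter => "(cn=" . escape_filter_value($groupRDN) . ")",
    );

    $groupresults->code
        and die "Search failed: " . $groupresults->error . "\n";
    $groupresults->count()
        or die "No group found matching $groupRDN, exiting\n";

    # one entry per group matching this groupRDN
    foreach my $groupentry ( $groupresults->entries ) {
        my $groupname    = $groupentry->get_value("cn");
        my @groupmembers = $groupentry->get_value("uniqueMember");
        print STDERR "group $groupname: ", scalar @groupmembers, " member(s)\n"
            if $verb;

        foreach my $memberDN ( @groupmembers ) {

            # sanity check: the uid must exist or the directory is inconsistent
            # but it need not have an ldapPublicKey
            my $uidresult = $ldap->search(
                base   => $memberDN,
                scope  => "sub",
                filter => "(objectclass=*)",
            );
            $uidresult->count()
                or die "DN $memberDN not found, extracted from group $groupname\n"
                     . " Using directory: $ldapurl\n";

            # but does it have an ldapPublicKey?
            $uidresult = $ldap->search(
                base   => $memberDN,
                scope  => "sub",
                filter => "(objectclass=ldapPublicKey)",
            );

            # A member without keys is not an error (count 0, code 0).  A
            # failed search is still best-effort, as before, but it silently
            # shrinks the key list, so at least say so on stderr.
            if ( $uidresult->code ) {
                warn "Key lookup for $memberDN failed: " . $uidresult->error . "\n";
                next;
            }

            my @memberkeys = map { $_->get_value("sshPublicKey") } $uidresult->entries;
            print STDERR "  $memberDN: ", scalar @memberkeys, " key(s)\n"
                if $verb > 1;
            push @keys, @memberkeys;
        }
    }
}

# when writing to file, there must be at least one key to indicate
# sanity, unless -f has been specified and you don't care
# otherwise, an LDAP search error or typo may accidentally wipe
# a authorized_keys file
if ( defined $outputfile and !@keys and !$force ) {
    die "Empty key list will not be written to $outputfile (use \"-f\" to force)\n";
}

# print each key only once; drop blank attribute values, which would only
# produce empty lines in the output
my %seen;
my @uniqueKeys = grep { defined $_ and $_ !~ /\A\s*\z/ and !$seen{$_}++ } @keys;

if ( defined $outputfile ) {
    # three-argument open: a file name starting with '>' or '|' must not be
    # able to change the open mode
    open my $of, '>', $outputfile
        or die "Cannot open $outputfile for writing: $!\n";
    print {$of} "# Generated by $0 on " . gmtime(time()) . " UTC\n";
    print {$of} "# from groups @ARGV\n";
    print {$of} "$_\n" for @uniqueKeys;
    # buffered write errors (disk full, quota) only surface at close
    close $of or die "Error writing $outputfile: $!\n";
} else {
    # just write to stdout
    print "$_\n" for @uniqueKeys;
}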
