AIX: addldapuser
This script works with the AIX default IBM idsldap client software. Tested against a Novell eDirectory LDAP server on AIX 6.1.
#!/usr/bin/ksh
#####
#
# addldapuser - Adds users to the LDAP registry in AIX
#
# (C) LGee, 2010
# 2010-09-02 - first version published for testing
#
#####
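# Fixed search path for everything this script invokes (it runs as root).
# No empty component is allowed: an empty entry (leading, trailing or
# doubled ":") means "the current directory", which would let a command
# planted in the invoking directory be picked up instead of the system one.
PATH=/usr/sbin:/usr/bin:/opt/IBM/ldap/V6.1/bin:/usr/ldap/bin
export PATH
### Usage
# name under which the script was invoked, for the usage message
scriptname="$0"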
#####
# Print the usage text on stdout.
# Globals: scriptname (read)
# Note: ksh echo interprets "\n" in the strings below.
#####
function usage
{
  typeset me="$scriptname"
  echo "\naddldapuser - add user(s) to the LDAP registry\n"
  echo " Usage: $me user1,user2,user3,..."
  echo " Please don't use space, uppercase or non-alphanumeric characters, only commas\n"
}
#### AIX checks
### 0.) Are we root...
if ! [ "$(id -u)" = "0" ]; then
  echo "ERROR: root authority is required"
  exit 1
fi
### 1.) Check if we have the LDAP filesets...
# at least one installed fileset whose name contains "idsldap" is required
if ! [ "$(lslpp -Ou -lcq | grep -c idsldap)" -ge 1 ]; then
  echo "ERROR: Missing LDAP filesets!"
  exit 1
fi
### 2.) Check if the idsldap daemon is running - without pgrep
# exactly one secldapclntd entry is expected in the process table
if [ "$(ps -eo comm= | grep -c secldapclntd)" != 1 ]; then
  echo "ERROR: The secldapclntd daemon is not running."
  echo " Try starting it with 'start-secldapclntd'."
  exit 1
fi
### 3.) Check if LDAP auth is configured
# lsldap output is discarded; only its exit status is used
if ! lsldap >/dev/null 2>&1; then
  echo "ERROR: Error running lsldap... LDAP error?"
  exit 1
fi
### Company's LDAP variables (read by getuserbasedn)
# The bind credentials are embedded in this root-run script, so the file's
# mode decides who can read the bind password.
readonly ldaphost="10.1.1.1"
readonly ldapport="389"
readonly searchbase="ou=ou,o=o,c=c"
readonly binddn="cn=bind_user,ou=ou,ou=ou,o=o,c=c"
readonly bindpw="bind_pw"
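#### Parse input
# - lsuser accepts arbitrary number of commas before, after and between usernames
# - lsuser fails if any of the supplied usernames is unknown
# - whitespace is filtered by requiring exactly one argument
# - uppercase is not allowed
### We expect exactly one argument - the list of users
if [ "$#" != 1 ]; then
  usage # function usage()
  exit 1
fi
### Filter illegal characters
# Delete every allowed character ([0-9a-z] and commas); anything left is illegal.
# The substitution result is quoted: unquoted, an argument containing
# whitespace or glob characters turned the test into a syntax error, which
# evaluates as false and let the bad input through. printf is used instead of
# echo so an argument starting with "-" is not taken as an echo option.
# This filter is what keeps the later uses of $username (lsuser/chuser
# arguments, the "cn=$username" LDAP search filter) free of metacharacters.
if [ "x$(printf '%s\n' "$1" | sed 's/[,0-9a-z]//g')" != x ]; then
  echo "ERROR: Illegal characters in input!"
  usage # function usage()
  exit 1
fi
userlist="$1"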
#### MAIN
### Function to filter system/database/application users
# Globals: username (read), systemuser (written: 1 for a reserved name, empty otherwise)
# Prints an ERROR line on stdout for reserved names.
function chksystemuser
{
  typeset kind=""
  case "$username" in
    root|daemon|bin|sys|adm|uucp|guest|nobody|lpd|lp|invscout|snapp|ipsec|nuucp)
      kind="AIX system user"
      ;;
    db2inst1|dasusr1|db2fenc1|oracle|ias|mqm|mqsiui?|idsldap)
      kind="application user"
      ;;
  esac
  if [ -n "$kind" ]; then
    echo "$username: ERROR: $kind!!!"
    systemuser=1
  else
    systemuser=
  fi
}
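#####
# Look up $username in LDAP and store the container it lives in.
# Globals read:    ldaphost ldapport searchbase binddn bindpw username
# Globals written: userbasedn - the entry's DN with its "cn=<user>," RDN removed,
#                  or "UNKNOWN USER" when the search printed nothing
# If ldapsearch cannot find the user it does not fail; empty output is the only signal.
# NOTE(review): -w passes the bind password as a command-line argument, so it
# is visible in process listings on this host while ldapsearch runs; check
# whether the installed ldapsearch can read it from a file or prompt instead.
# $username is restricted to [0-9a-z] by the input filter, so it cannot
# inject LDAP filter syntax into "cn=$username".
#####
function getuserbasedn
{
  # Only the first "cn=...," is removed (no 'g' flag): stripping every
  # occurrence would also delete cn= container components of the DN.
  userbasedn=$(ldapsearch -h "$ldaphost" -p "$ldapport" -b "$searchbase" -D "$binddn" -w "$bindpw" \
    "cn=$username" dn 2>/dev/null | sed 's/cn=[[:alnum:]]*,//')
  if [ -z "$userbasedn" ]; then
    userbasedn="UNKNOWN USER"
  fi
}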
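### Process every requested user; names are separated by one or more commas.
# The input filter guarantees $userlist holds only [0-9a-z,], so the
# word-splitting of the unquoted substitution below is safe.
for username in $(echo "$userlist" | sed 's/,\{1,\}/ /g'); do
  # debug
  echo "\n [debug] Adding $username"
  # Check for system/app users
  chksystemuser # function chksystemuser()
  [ -z "$systemuser" ] || continue
  # Can the user be resolved at all?
  # If 'id' returns unknown user, it can still be a result of a missing userbasedn
  if ! id "$username" >/dev/null 2>&1; then
    getuserbasedn # function getuserbasedn()
    if [ "$userbasedn" = "UNKNOWN USER" ]; then
      echo "$username: ERROR: User doesn't exist in LDAP"
    else
      # Prompt the admin to extend ldap.cfg with the detected userbasedn
      echo "$username: missing base DN, please add it to /etc/security/ldap/ldap.cfg:"
      echo " userbasedn:$userbasedn"
      echo " Then run restart-secldapclntd and retry"
    fi
    # both outcomes skip this user (single continue instead of one per branch)
    continue
  # Is the user already in the LDAP registry?
  elif [ "$(lsuser -a registry "$username" 2>/dev/null | grep -c LDAP)" = 1 ]; then
    echo "$username: OK: already authenticated from LDAP - nothing to do!"
    continue
  # Does the user have a local account?
  elif [ "$(lsuser -R compat -a registry "$username" 2>/dev/null | grep -c files)" = 1 ]; then
    echo "$username: ERROR: exists as a local user. Please delete user with 'rmuser $username' first, then retry."
    continue
  elif [ -d "/home/$username" ]; then
    echo "$username: Directory /home/$username exists while the user doesn't. Please mv/rmdir it, then retry."
    continue
  else
    # actually adding user to LDAP registry...
    echo "$username: \\c"
    # explicit if/else: the former "a && b && c || d" form printed "Error"
    # after "Success" whenever logger failed
    if chuser -R LDAP SYSTEM=LDAP registry=LDAP "$username"; then
      echo "Success"
      logger "$username: LDAP auth OK"
    else
      echo "Error"
    fi
  fi
done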