This script works with the IBM idsldap client software that AIX ships by default. Tested against a Novell eDirectory LDAP server on AIX 6.1.
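#!/usr/bin/ksh
#######
# addldapuser - Adds users to the LDAP registry in AIX
#
# (C) LGee, 2010
# 2010-09-02 - first version published for testing
#
# Usage: addldapuser user1,user2,user3,...
#
# Must run as root. Verifies that the idsldap client filesets are installed,
# that secldapclntd is running and that lsldap works, then for every
# comma-separated user switches the registry/SYSTEM attributes to LDAP with
# chuser. AIX system and application accounts, users already on LDAP, users
# that still exist locally, and users unknown to LDAP are reported and skipped.
#######

# No trailing ':' on PATH - an empty entry means "current directory", which
# would let a root script pick up a look-alike binary (id, grep, sed, ...)
# from whatever directory the admin happened to run it in.
PATH=/usr/sbin:/usr/bin:/opt/IBM/ldap/V6.1/bin:/usr/ldap/bin
export PATH

### Usage
scriptname="$0"

# Prints the usage text to stderr.
usage() {
  echo "\naddldapuser - add user(s) to the LDAP registry\n" >&2
  echo " Usage: $scriptname user1,user2,user3,..." >&2
  echo " Please don't use space, uppercase or non-alphanumeric characters, only commas\n" >&2
}

#### AIX checks

### 0.) Are we root...
if [ "$(id -u)" != 0 ]; then
  echo "ERROR: root authority is required" >&2
  exit 1
fi

### 1.) Check if we have the LDAP filesets...
if [ "$(lslpp -Ou -lcq | grep -c idsldap)" -lt 1 ]; then
  echo "ERROR: Missing LDAP filesets!" >&2
  exit 1
fi

### 2.) Check if the idsldap daemon is running - without pgrep
# "Not running" means no matching process at all; requiring exactly one
# match would report a running daemon as absent if more than one
# secldapclntd process were ever listed.
if [ "$(ps -eo comm= | grep -c secldapclntd)" -lt 1 ]; then
  echo "ERROR: The secldapclntd daemon is not running." >&2
  echo " Try starting it with 'start-secldapclntd'." >&2
  exit 1
fi

### 3.) Check if LDAP auth is configured
if ! lsldap >/dev/null 2>&1; then
  echo "ERROR: Error running lsldap... LDAP error?" >&2
  exit 1
fi

### Company's LDAP variables
ldaphost="10.1.1.1"
ldapport="389"
searchbase="ou=ou,o=o,c=c"
binddn="cn=bind_user,ou=ou,ou=ou,o=o,c=c"
# The bind password is read from a root-owned, mode 0600 file rather than
# kept in the script, so anyone able to read or copy this script does not
# get the credential. PLACEHOLDER path - point it at the real file.
bindpwfile="/PATH/TO/addldapuser_bind_pw"

if [ ! -r "$bindpwfile" ]; then
  echo "ERROR: cannot read bind password file $bindpwfile" >&2
  exit 1
fi
# 'read' is a shell builtin, so the password is not placed on any command
# line here. IFS= keeps leading/trailing whitespace of the line intact.
IFS= read -r bindpw < "$bindpwfile"
if [ -z "$bindpw" ]; then
  echo "ERROR: bind password file $bindpwfile is empty" >&2
  exit 1
fi

#### Parse input
# - lsuser accepts arbitrary number of commas before, after and between usernames
# - lsuser fails if any of the supplied usernames is unknown
# - whitespace is filtered by requiring exactly one argument
# - uppercase is not allowed

### We expect exactly one, non-empty argument - the list of users
if [ "$#" -ne 1 ] || [ -z "$1" ]; then
  usage # function usage()
  exit 1
fi

### Filter illegal characters
# Quoted on purpose: unquoted, a value such as "foo bar" word-splits to
# nothing after the sed and slips through the check. Restricting the input
# to [,0-9a-z] is also what keeps the later "cn=$username" LDAP filter and
# the lsuser/chuser arguments free of metacharacters.
if [ "x$(printf '%s\n' "$1" | sed 's/[,0-9a-z]//g')" != x ]; then
  echo "ERROR: Illegal characters in input!" >&2
  usage # function usage()
  exit 1
fi
userlist="$1"

#### MAIN

### Function to filter system/database/application users
# Arguments: $1 - user name
# Sets $systemuser to 1 (and prints an error) for a reserved account,
# otherwise clears it.
chksystemuser() {
  case "$1" in
    root|daemon|bin|sys|adm|uucp|guest|nobody|lpd|lp|invscout|snapp|ipsec|nuucp)
      echo "$1: ERROR: AIX system user!!!"
      systemuser=1 ;;
    db2inst1|dasusr1|db2fenc1|oracle|ias|mqm|mqsiui?|idsldap)
      echo "$1: ERROR: application user!!!"
      systemuser=1 ;;
    *)
      systemuser= ;;
  esac
}

### Function to look up the container of a user in LDAP
# Arguments: $1 - user name (already restricted to [0-9a-z])
# Sets $userbasedn to the user's DN with the leading "cn=<user>," removed.
# If ldapsearch cannot find the user it does not fail, the output is just
# empty; that case is mapped to the sentinel "UNKNOWN USER".
# NOTE: '-w' puts the bind password on ldapsearch's argv, where 'ps' can
# see it for the duration of the call; check whether the installed
# ldapsearch offers a prompt or file alternative before relying on this.
getuserbasedn() {
  userbasedn=$(ldapsearch -h "$ldaphost" -p "$ldapport" -b "$searchbase" \
    -D "$binddn" -w "$bindpw" "cn=$1" dn 2>/dev/null \
    | sed 's/cn=[[:alnum:]]*,//g')
  if [ -z "$userbasedn" ]; then
    userbasedn="UNKNOWN USER"
  fi
}

# Runs of commas become single spaces; the list only contains [0-9a-z,]
# at this point, so word-splitting the result is safe.
for username in $(echo "$userlist" | sed 's/,\{1,\}/ /g'); do
  # debug
  echo "\n [debug] Adding $username"

  # Check for system/app users
  chksystemuser "$username" # function chksystemuser()
  [ -z "$systemuser" ] || continue

  # Can the user be resolved at all?
  # If 'id' fails the user may be unknown everywhere, or the user's
  # container may simply be missing from ldap.cfg - look it up to tell
  # the two apart.
  if ! id "$username" >/dev/null 2>&1; then
    getuserbasedn "$username" # function getuserbasedn()
    if [ "$userbasedn" = "UNKNOWN USER" ]; then
      echo "$username: ERROR: User doesn't exist in LDAP"
    else
      # Prompt the admin to extend ldap.cfg with the detected userbasedn
      echo "$username: missing base DN, please add it to /etc/security/ldap/ldap.cfg:"
      echo " userbasedn:$userbasedn"
      echo " Then run restart-secldapclntd and retry"
    fi
    continue
  fi

  # Is the user already in the LDAP registry?
  if [ "$(lsuser -a registry "$username" 2>/dev/null | grep -c LDAP)" = 1 ]; then
    echo "$username: OK: already authenticated from LDAP - nothing to do!"
    continue
  fi

  # Does the user have a local account?
  if [ "$(lsuser -R compat -a registry "$username" 2>/dev/null | grep -c files)" = 1 ]; then
    echo "$username: ERROR: exists as a local user. Please delete user with 'rmuser $username' first, then retry."
    continue
  fi

  if [ -d "/home/$username" ]; then
    echo "$username: Directory /home/$username exists while the user doesn't. Please mv/rmdir it, then retry."
    continue
  fi

  # actually adding user to LDAP registry...
  # if/else instead of 'a && b && c || d': with the chained form a failing
  # logger would have printed "Error" after a successful chuser.
  echo "$username: \\c"
  if chuser -R LDAP SYSTEM=LDAP registry=LDAP "$username"; then
    echo "Success"
    logger "$username: LDAP auth OK"
  else
    echo "Error"
  fi
done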