I have a cluster of servers that manage user authentication and group membership in OpenLDAP. The OpenLDAP clients support adding users by importing LDIF files to create the user and set appropriate group membership. I find this process a little annoying and typically find myself sloppily managing template LDIF files. I wrote the following script to simplify the process.
https://gist.github.com/nsabine/6599630
- #!/bin/bash
- #
- # add_user.sh: Add user to LDAP
- # Author: Nick Sabine
- #
- # Defaults
- LDAP_BASE="dc=ORG,dc=local"
- LDAP_ACCOUNTS_DN="ou=people,${LDAP_BASE}"
- LDAP_USER_GROUP="cn=user_group,ou=groups,${LDAP_BASE}"
- LDAP_ADMIN_GROUP="cn=admin_group,ou=groups,${LDAP_BASE}"
- LDAP_BIND_DN="cn=Manager,${LDAP_BASE}"
- USER_NAME=
- USER_CN=
- USER_SN=
- USER_ID=
- GROUP_ID=1000
- IS_ADMIN=
- LDAP_OPTIONS=
- usage()
- {
- cat << EOF
- usage $0 options
- This script creates a user in LDAP
- OPTIONS
- -h Show this message
- -n
Username -c User CN -s User SN -i User ID Number (default: next available number) -g Primary group ID Number (default: $GROUP_ID) -a Add user to administrator group -D LDAP Bind DN (default: $LDAP_BIND_DN) -b LDAP Base (default: $LDAP_BASE) -P LDAP Accounts DN (default: $LDAP_ACCOUNTS_DN) -U LDAP User Group DN (default: $LDAP_USER_GROUP) -A LDAP Admin Group DN (default: $LDAP_ADMIN_GROUP) -t Test. Show what would be done, but don’t actually modify LDAP. EOF } error_ldap() { echo "Error: Error connecting to LDAP or uninitialized user tree" } while getopts "hn:c:s:i:g:aD:b:P:U:A:t" OPTION do case $OPTION in h) usage exit 1 ;; n) USER_NAME=$OPTARG ;; c) USER_CN=$OPTARG ;; s) USER_SN=$OPTARG ;; i) USER_ID=$OPTARG ;; g) GROUP_ID=$OPTARG ;; a) IS_ADMIN=1 ;; D) LDAP_BIND_DN=$OPTARG ;; b) LDAP_BASE=$OPTARG ;; P) LDAP_ACCOUNTS_DN=$OPTARG ;; U) LDAP_USER_GROUP=$OPTARG ;; A) LDAP_ADMIN_GROUP=$OPTARG ;; t) LDAP_OPTIONS+=" -n " ;; ?) usage exit ;; esac done if [ -z $USER_NAME ] || [ -z $USER_CN ] || [ -z $USER_SN ] || [ -z $GROUP_ID ] || [ -z $LDAP_BIND_DN ] || [ -z $LDAP_ACCOUNTS_DN ] || [ -z $LDAP_USER_GROUP ] || [ -z $LDAP_ADMIN_GROUP ] then usage exit 1 fi read -p "LDAP Manager Password: " -s LDAPPASS echo # If USER_ID not supplied, find next using ldap query if [ -z $USER_ID ] then HIGHEST_UID=$(ldapsearch -x -w "$LDAPPASS" -b "${LDAP_ACCOUNTS_DN}" -D "${LDAP_BIND_DN}" "(objectclass=posixaccount)" uidnumber | grep -e '^uid' | cut -d':' -f2 | sort | tail -1) if [ -z $HIGHEST_UID ] then error_ldap exit 1 fi let USER_ID=HIGHEST_UID+1 fi read -p "${USER_NAME} Initial Password: " -s USER_CLEARTEXT_PASS echo USER_PASS=$(slappasswd -h {SSHA} -s $USER_CLEARTEXT_PASS) unset USER_CLEARTEXT_PASS CHANGE_DATE=$(echo "$(date +%s) / ( 60 * 60 * 24 )" | bc) LDIF=$(cat << EOF dn: uid=${USER_NAME},${LDAP_ACCOUNTS_DN} changetype: add uid: ${USER_NAME} cn: ${USER_CN} sn: ${USER_SN} objectClass: inetOrgPerson objectClass: posixAccount objectClass: top objectClass: shadowAccount userPassword: ${USER_PASS} shadowLastChange: ${CHANGE_DATE} shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: ${USER_ID} gidNumber: ${GROUP_ID} homeDirectory: /home/${USER_NAME} dn: ${LDAP_USER_GROUP} changetype: modify add: memberuid memberuid: ${USER_NAME} EOF ) if [ $IS_ADMIN ] then LDIF+=$(cat << EOF dn: ${LDAP_ADMIN_GROUP} changetype: modify add: memberuid memberuid: ${USER_NAME} EOF ) fi echo "--------------------" echo "Adding ${LDIF}" echo "--------------------" echo "$LDIF" | ldapmodify -x -w "$LDAPPASS" -D "${LDAP_BIND_DN}" $LDAP_OPTIONS unset LDAPPASS