[Freeipa-users] FreeIPA gitolite integration
Natxo Asenjo
natxo.asenjo at gmail.com
Thu May 16 21:21:48 UTC 2013
hi,
so this is a working version of the script (tested on my test ipa
environment).
You save it as executable and run it as:
$ ./script ipausername
and you will get the group names, separated by a space, that a user is
a member of.
Modify the obvious bits, like kdc.domain.tld, user and password, and base.
You also need the perl-LDAP rpm package.
The user that binds to the ldap server needs privileges (I do not know
exactly which ones, but as a normal user I cannot see the group
memberships). I have run it as admin and it works. Probably overkill; if
the user you use is a member of the role 'user administrators' it should work
as well. Not tested.
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Script requires the user's uid as the only parameter
if ( @ARGV != 1 || $ARGV[0] eq '' ) {
    print STDERR "ldap-query.pl requires one argument, user's uid\n";
    exit 1;
}
my $user = $ARGV[0];

# Create communication structure for LDAP connection
my $ldap = Net::LDAP->new('kdc.domain.tld') or die "$@";

# Bind to LDAP with a user that is allowed to read memberOf
my $msg = $ldap->bind(
    "uid=admin,cn=users,cn=accounts,dc=domain,dc=tld",
    password => "pwd",
);
$msg->code and die "bind failed: " . $msg->error;

# search objects filtering on uid, fetch the memberOf attribute only
# (the Net::LDAP option is 'attrs'; 'attr' is silently ignored).
# The uid comes from the command line, so escape it before it goes
# into the filter string.
$msg = $ldap->search(
    base   => "cn=users,cn=accounts,dc=domain,dc=tld",
    scope  => "sub",
    filter => "(uid=" . escape_filter_value($user) . ")",
    attrs  => ['memberOf'],
);
$msg->code and die "search failed: " . $msg->error;

# get the group membership of $user and print it in a line
for my $entry ( $msg->entries ) {
    my @memberof = $entry->get_value('memberOf');
    # memberOf holds full DNs (groups, but also roles and privileges);
    # keep only entries directly under cn=groups and reduce them to the bare cn
    @memberof = map { /^cn=([^,]+),cn=groups,/i ? $1 : () } @memberof;
    # admin users or users with delegated privileges are members of groups
    # whose names contain spaces; we skip those. If this is not what you want,
    # you need to adapt the for loop
    for (@memberof) {
        next if /(replication |add |host|uniqueid|unlock |manage |trust )/;
        print "$_ ";
    }
    print "\n";
}
$ldap->unbind;
have fun!
--
groet,
natxo
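The DN-to-group-name step of the script above, as an added Python example that is not part of the post: it parses each memberOf DN by RDN (honouring RFC 4514 escapes) and keeps only entries that sit directly under the groups container, so roles and privileges are dropped by location rather than by a name heuristic. The FreeIPA tree layout (cn=groups,cn=accounts; cn=roles,cn=accounts; cn=privileges,cn=pbac), the base suffix and the sample memberOf values are assumptions and constructed data.

```python
import re

# Assumed FreeIPA tree layout (not stated in the post): user groups are direct
# children of cn=groups,cn=accounts,<base>; roles (cn=roles,cn=accounts,<base>)
# and privileges (cn=privileges,cn=pbac,<base>) also show up in memberOf.
BASE = "dc=domain,dc=tld"                      # placeholder suffix from the post
GROUPS_PARENT = "cn=groups,cn=accounts," + BASE

def split_dn(dn):
    """Split a DN into its RDN strings, keeping backslash-escaped commas intact."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escape pair belongs to the value
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur))
    return parts

def group_names(memberof_dns):
    """Return the cn of every memberOf DN that is a user group under GROUPS_PARENT.
    Roles, privileges and anything else not directly under cn=groups are dropped,
    so only real group names reach the caller (and the gitolite config)."""
    names = []
    for dn in memberof_dns:
        first, *rest = split_dn(dn)
        attr, _, value = first.partition("=")
        if attr.lower() != "cn" or ",".join(rest).lower() != GROUPS_PARENT.lower():
            continue
        names.append(re.sub(r"\\(.)", r"\1", value))   # undo RFC 4514 escaping
    return names

def gitolite_line(memberof_dns):
    """Space-separated group list, the output shape the post's script prints."""
    return " ".join(group_names(memberof_dns))

# Constructed sample memberOf values for one FreeIPA user (not real data).
SAMPLE_MEMBEROF = [
    "cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=tld",
    "cn=git-devs,cn=groups,cn=accounts,dc=domain,dc=tld",
    "cn=helpdesk,cn=roles,cn=accounts,dc=domain,dc=tld",               # role, dropped
    "cn=Group Administrators,cn=privileges,cn=pbac,dc=domain,dc=tld",  # privilege, dropped
]

if __name__ == "__main__":
    print(gitolite_line(SAMPLE_MEMBEROF))   # ipausers git-devs
```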