
Re: Sync /etc/passwd



On Mon, 21 Feb 2000, Claudio Miranda wrote:

> Dear all, I'd like to know if LDAP can synchronize /etc/passwd across the
> clients like (arghh!) WinNT does. I just depend on this to begin a good
> diskless solution, which I will post here afterwards.

If you let the clients authenticate themselves using LDAP (for example,
with pam_ldap on Solaris or Linux), you don't need to do this.

If you insist on local copies in /etc/passwd, a simple solution is
to let each client periodically generate a new /etc/passwd from the
information in LDAP.  Updates to the LDAP tree will only be reflected
_AFTER_ the client has updated its /etc/passwd; in many cases this is
acceptable (i.e. changing a user's password on the LDAP server will not
have an immediate effect on the client machines).

This Perl script retrieves user accounts from LDAP and creates
/etc/passwd.ldap and /etc/group.ldap files (it assumes RedHat-style
user-private groups).  These should then be merged with
/etc/(passwd|group).local, containing the clients' accounts which
are not in LDAP (for example root, bin, lp, sync, shutdown,
halt, mail, news, ... system user accounts might not be defined in LDAP).

(I use this script to periodically generate passwd/group files which
are then pushed to a NIS server, smoothing the migration from NIS
to LDAP; it might have to be adapted to the schema you use)


------------
#!/usr/bin/perl
# This script should only be readable by root, as it contains the
# LDAP rootdn password.  The files it writes contain password hashes,
# so they are created mode 0600 (umask 077) rather than world-readable.
use strict;
use warnings;
use Net::LDAP;

my $ldapserver = 'ldap.mydomain.com';
my $base_dn    = 'dc=mydomain,dc=com';

my $groupfn  = '/etc/group.ldap';
my $passwdfn = '/etc/passwd.ldap';

umask 077;

# Return the first value of an attribute, or '' if the entry lacks it,
# so a missing gecos/loginshell does not produce "undef" warnings.
sub attr {
    my ($entry, $name) = @_;
    my $v = $entry->get_value($name);
    return defined $v ? $v : '';
}

my $ldap = Net::LDAP->new($ldapserver) or die "$@";

# Bind with rootdn, because we need read access to userpassword
my $mesg = $ldap->bind(
    dn       => 'cn=root, dc=mydomain, dc=com',
    password => 'secret',    # Replace with LDAP rootdn passwd
);
$mesg->code && die $mesg->error;

$mesg = $ldap->search(                 # Users are:
    base   => 'ou=People,' . $base_dn, #   uid={userid},ou=People,dc=mydomain,dc=com
    scope  => 'one',
    filter => '(objectclass=posixAccount)',
);
$mesg->code && die $mesg->error;

open(my $passwd_fh, '>', $passwdfn) or die "Cannot open $passwdfn: $!";
open(my $group_fh,  '>', $groupfn)  or die "Cannot open $groupfn: $!";

my @users;
foreach my $entry ($mesg->entries) {
    my $uid = attr($entry, 'uid');

    # Assumes locked users have '{crypt}*[...]' in userpassword.
    # Only a {crypt} hash can be used by the client; an entry with another
    # scheme (or no password at all) is written locked ('*') instead of
    # with an empty password field, which would allow passwordless login.
    my $passwd = attr($entry, 'userpassword');
    if ($passwd =~ /^\{crypt\}(.+)$/i) {
        $passwd = $1;
    } else {
        $passwd = '*';
    }

    # passwd(5) line: name:password:uid:gid:gecos:home:shell
    print $passwd_fh join(':',
        $uid, $passwd,
        attr($entry, 'uidnumber'),
        attr($entry, 'gidnumber'),
        attr($entry, 'gecos'),
        attr($entry, 'homedirectory'),
        attr($entry, 'loginshell'),
    ), "\n";

    # RedHat-style user-private group: one group per user, named after the user
    printf $group_fh "%s::%s:\n", $uid, attr($entry, 'gidnumber');
    push @users, $uid;
}
$ldap->unbind;

# All LDAP users are also members of the "users" group (gid 100)
print $group_fh "users::100:", join(',', @users), "\n";

close $passwd_fh or die "Cannot write $passwdfn: $!";
close $group_fh  or die "Cannot write $groupfn: $!";
------------




-------------------------------------------------------------------------
 Ivo Clarysse <soggie@starlab.net>  TEL +32-2-7400788  FAX +32-2-7429654
 Research Scientist                    Starlab - http://www.starlab.org/ 
 PGP ID: 0x50154325 // A0A0 EDBC 37B2 C574 CC4D F1F0 FF94 04B9 5015 4325
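The merge step the post leaves to the reader, as an added example that is not part of the original message (written in Python rather than the poster's Perl): it maps a userPassword value to the passwd(5) password field (a `{crypt}` hash is copied, `{crypt}*` stays locked, any other scheme becomes `*` so no empty password field is ever written) and merges /etc/passwd.ldap into /etc/passwd.local, letting local entries win and reporting LDAP entries that collide with a local name or UID or claim a system UID. The file contents, the function names and the system-UID cutoff of 499 are constructed assumptions.

```python
import re

# Constructed sample input: what the Perl script above would write to
# /etc/passwd.ldap, and the client's own accounts in /etc/passwd.local.
PASSWD_LOCAL = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:500:500:Local Alice:/home/alice:/bin/bash
"""
PASSWD_LDAP = """alice:$1$ab$cd:1001:1001:Alice:/home/alice:/bin/bash
bob:*:1002:1002:Bob (locked):/home/bob:/bin/bash
carol:$1$ef$gh:0:1003:Carol:/home/carol:/bin/bash
"""

def crypt_field(userpassword):
    """Map an LDAP userPassword value to the passwd(5) password field.
    Only a {crypt} hash is usable by the client; anything else (other
    scheme, empty value) is locked with '*' rather than written empty."""
    m = re.match(r'\{crypt\}(.+)$', userpassword, re.IGNORECASE)
    return m.group(1) if m else '*'

def parse_passwd(text):
    """Split passwd-format text into 7-field rows, rejecting malformed lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(':')
        if len(fields) != 7:
            raise ValueError('malformed passwd line: %r' % line)
        rows.append(fields)
    return rows

def merge_passwd(local_text, ldap_text, system_uid_max=499):
    """Local entries are kept as-is; an LDAP entry is skipped (and reported)
    when its name or UID is already taken locally or its UID is in the
    system range, so LDAP data can never redefine root or a system account."""
    merged = parse_passwd(local_text)
    names = {r[0] for r in merged}
    uids = {int(r[2]) for r in merged}
    skipped = []
    for row in parse_passwd(ldap_text):
        uid = int(row[2])
        if row[0] in names or uid in uids or uid <= system_uid_max:
            skipped.append((row[0], 'name/uid collision or system uid'))
            continue
        merged.append(row)
        names.add(row[0])
        uids.add(uid)
    return '\n'.join(':'.join(r) for r in merged) + '\n', skipped
```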