LDAP takes over Linux login authentication [illustrated] (4)

   A shell script that adds an LDAP account automatically (it first runs useradd to create the account in /etc/passwd, migrates it into LDAP, and then runs userdel to remove the local copy)
[root@vmmac ~]# cat addldapuser.sh
#!/bin/sh
# Usage: ./addldapuser.sh <username>
# Creates a local account, migrates it into LDAP, then removes the local copy.
[ -n "$1" ] || { echo "usage: $0 <username>" >&2; exit 1; }

# Create a Linux account first
useradd "$1"
passwd "$1"

# Migrate the group id into an LDAP entry
# (anchor the match so that "test" does not also pull in "test2" or "guest")
grep "^$1:" /etc/group > /tmp/group.in
/usr/share/openldap/migration/migrate_group.pl /tmp/group.in > /tmp/group.ldif
# the bind password given with -w is visible in the process list; -W prompts for it instead
ldapadd -x -D "cn=root,dc=otas,dc=cn" -w admin123 -f /tmp/group.ldif

# Migrate the uid into an LDAP entry
grep "^$1:" /etc/passwd > /tmp/passwd.in
/usr/share/openldap/migration/migrate_passwd.pl /tmp/passwd.in > /tmp/passwd.ldif
ldapadd -x -D "cn=root,dc=otas,dc=cn" -w admin123 -f /tmp/passwd.ldif

# Delete the Linux account so that it becomes a pure LDAP account rather than a local one
userdel "$1"
rm -rf "/home/$1"

ldapsearch -x "uid=$1"
 
[root@vmmac ~]# ./addldapuser.sh test
Changing password for user test.
New UNIX password:
BAD PASSWORD: it is too short
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

Enter LDAP Password:
adding new entry "cn=test,ou=Group,dc=otas,dc=cn"

Enter LDAP Password:
adding new entry "uid=test,ou=People,dc=otas,dc=cn"

# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: uid=test
# requesting: ALL
#

# test, People, otas.cn
dn: uid=test,ou=People,dc=otas,dc=cn
uid: test
cn: test
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJGJqT2lmNGNYJFFNNEFMV3JjQ1FwSVppYW0wOXllLi8=
shadowLastChange: 14187
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 505
gidNumber: 505
homeDirectory: /home/test

# search result
search: 2
result: 0 Success
   
 


   Why must /home/user be deleted after the LDAP user replaces the Linux user?
Because useradd was only borrowed to get the user into LDAP, the local user must be removed with userdel afterwards.
At that point the home directory may still exist, but its owner user:group no longer does, so the directory is left with a missing owner.
The owner column then shows only the numeric value 500 (every newly added user gets a uid counted upward from 500).
[root@vm ldap]# ls -l /home
total 8
drwxr-xr-x  4 root root 4096 Feb 23 14:00 mac
drwx------  2  500  500 4096 Feb 24 13:09 macguan
 
If a new user is now created with useradd, the following happens (here a new user g was added; it receives uid 500 and so silently becomes the owner of the orphaned directory):
[root@vm ldap]# ls -l /home
total 16
drwx------  2 g    g    4096 Feb 24 13:09 g
drwxr-xr-x  4 root root 4096 Feb 23 14:00 mac
drwx------  2 g    g    4096 Feb 24 13:09 macguan
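The uid reuse shown above can be checked for before useradd runs. The functions below are an added example, not part of the original post: they list home directories whose owner uid is missing from a passwd file and test whether a proposed new uid would inherit one. The passwd file path, the "uid path" listing format and the sample data are all constructed assumptions.

```shell
#!/bin/sh
# audit_homes PASSWD_FILE  < listing
#   listing lines look like "<uid> <path>", e.g. produced on a real host by
#   find /home -mindepth 1 -maxdepth 1 -type d -printf '%U %p\n'
# Prints "ORPHAN <uid> <path>" for each directory whose numeric owner has no
# entry (field 3) in PASSWD_FILE; returns 1 if any orphan was found, else 0.
audit_homes() {
    passwd_file=$1
    rc=0
    while read -r uid path; do
        if ! awk -F: -v u="$uid" '$3 == u { found=1 } END { exit !found }' "$passwd_file"; then
            echo "ORPHAN $uid $path"
            rc=1
        fi
    done
    return $rc
}

# uid_collides NEW_UID PASSWD_FILE  < listing
# Returns 0 (true) when NEW_UID is the owner of an orphaned directory, i.e. a
# user created with that uid would silently take over those files.
uid_collides() {
    new_uid=$1
    passwd_file=$2
    audit_homes "$passwd_file" | awk -v u="$new_uid" '$2 == u { hit=1 } END { exit !hit }'
}

# Demo on constructed data (no real /home or /etc/passwd is touched):
# the local account "macguan" was removed, so /home/macguan is owned by bare uid 500.
demo_dir=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\nmac:x:501:501::/home/mac:/bin/bash\n' > "$demo_dir/passwd"
printf '0 /home/root\n501 /home/mac\n500 /home/macguan\n' | audit_homes "$demo_dir/passwd"
if printf '500 /home/macguan\n' | uid_collides 500 "$demo_dir/passwd"; then
    echo "refuse to create a user with uid 500: it would inherit /home/macguan"
fi
rm -rf "$demo_dir"
```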
 

Content copyright notice: unless otherwise stated, all articles are original to this site.

When reprinting, cite the source: https://www.heiqu.com/wyfzzj.html