openldap之(二)如何添加用户条目 Add Users 及如何将本地linux账户添加至ldap条目树中

openldap添加用户条目(登录后就需要设置修改密码)
声明下面的ou=Group和ou=People之前已经创建好了,参看https://wsfnk.com/archives/431.html
目录树规划

    #先生成一个密码(1234)
[root@openldap-server ~]# slappasswd
New password: 
Re-enter new password: 
{SSHA}OaR2RdktjtY2nJlPmuYPfop+QJok1OX5

    #创建新用户的ldif文件
    vi ldapuser.ldif 

#注意要顶格写.这里latiao用户,我将其加入到centos组中
# create new
# replace to your own domain name for "dc=***,dc=***" section

dn: uid=latiao,ou=People,dc=wsfnk,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: centos
sn: 李
givenName: 辣条
displayName: 李辣条
userPassword: {SSHA}OaR2RdktjtY2nJlPmuYPfop+QJok1OX5
loginShell: /bin/bash
uidNumber: 2000
gidNumber: 1000
homeDirectory: /home/latiao
#shadowLastChange: 1620
#shadowMin: 0
#shadowMax: 9999
#shadowWarning: 7
#shadowExpire: 0   #若为负数,会无休无止的让你修改密码
employeeNumber: IDC-B06
mobile: 18170007313
mail: 213212@ws32nk.com
postalAddress: 南昌

#这是添加一个名为centos的cn,在名为Group的ou下
dn: cn=centos,ou=Group,dc=wsfnk,dc=local
objectClass: posixGroup
cn: centos
gidNumber: 1000
memberUid: centos

    #导入用户的ldif
    ldapadd -x -D cn=Manager,dc=wsfnk,dc=local -W -f ldapuser.ldif

    #验证:在客户端查看刚才添加的用户ID号
[root@centos7 ~]# getent passwd latiao
latiao:x:2000:1000:centos:/home/latiao:/bin/bash

导入本地linux的账户到openldap目录树里(先写一个脚本,用于生成本地用户信息)

    vi ldapuser.sh 

# extract local users and groups who have 1000-9999 digit UID
# replace "SUFFIX=***" to your own domain name
# this is an example

#!/bin/bash

SUFFIX='dc=wsfnk,dc=local'
LDIF='ldapuser.ldif'

echo -n > $LDIF
GROUP_IDS=()
grep "x:[1-9][0-9][0-9][0-9]:" /etc/passwd | (while read TARGET_USER
do
    USER_ID="$(echo "$TARGET_USER" | cut -d':' -f1)"

    USER_NAME="$(echo "$TARGET_USER" | cut -d':' -f5 | cut -d' ' -f1,2)"
    [ ! "$USER_NAME" ] && USER_NAME="$USER_ID"

    LDAP_SN="$(echo "$USER_NAME" | cut -d' ' -f2)"
    [ ! "$LDAP_SN" ] && LDAP_SN="$USER_NAME"

    LASTCHANGE_FLAG="$(grep "${USER_ID}:" /etc/shadow | cut -d':' -f3)"
    [ ! "$LASTCHANGE_FLAG" ] && LASTCHANGE_FLAG="0"

    SHADOW_FLAG="$(grep "${USER_ID}:" /etc/shadow | cut -d':' -f9)"
    [ ! "$SHADOW_FLAG" ] && SHADOW_FLAG="0"

    GROUP_ID="$(echo "$TARGET_USER" | cut -d':' -f4)"
    [ ! "$(echo "${GROUP_IDS[@]}" | grep "$GROUP_ID")" ] && GROUP_IDS=("${GROUP_IDS[@]}" "$GROUP_ID")

    echo "dn: uid=$USER_ID,ou=People,$SUFFIX" >> $LDIF
    echo "objectClass: inetOrgPerson" >> $LDIF
    echo "objectClass: posixAccount" >> $LDIF
    echo "objectClass: shadowAccount" >> $LDIF
    echo "sn: $LDAP_SN" >> $LDIF
    echo "givenName: $(echo "$USER_NAME" | awk '{print $1}')" >> $LDIF
    echo "cn: $USER_NAME" >> $LDIF
    echo "displayName: $USER_NAME" >> $LDIF
    echo "uidNumber: $(echo "$TARGET_USER" | cut -d':' -f3)" >> $LDIF
    echo "gidNumber: $(echo "$TARGET_USER" | cut -d':' -f4)" >> $LDIF
    echo "userPassword: {crypt}$(grep "${USER_ID}:" /etc/shadow | cut -d':' -f2)" >> $LDIF
    echo "gecos: $USER_NAME" >> $LDIF
    echo "loginShell: $(echo "$TARGET_USER" | cut -d':' -f7)" >> $LDIF
    echo "homeDirectory: $(echo "$TARGET_USER" | cut -d':' -f6)" >> $LDIF
    echo "shadowExpire: $(passwd -S "$USER_ID" | awk '{print $7}')" >> $LDIF
    echo "shadowFlag: $SHADOW_FLAG" >> $LDIF
    echo "shadowWarning: $(passwd -S "$USER_ID" | awk '{print $6}')" >> $LDIF
    echo "shadowMin: $(passwd -S "$USER_ID" | awk '{print $4}')" >> $LDIF
    echo "shadowMax: $(passwd -S "$USER_ID" | awk '{print $5}')" >> $LDIF
    echo "shadowLastChange: $LASTCHANGE_FLAG" >> $LDIF
    echo >> $LDIF
done

for TARGET_GROUP_ID in "${GROUP_IDS[@]}"
do
    LDAP_CN="$(grep ":${TARGET_GROUP_ID}:" /etc/group | cut -d':' -f1)"

    echo "dn: cn=$LDAP_CN,ou=Group,$SUFFIX" >> $LDIF
    echo "objectClass: posixGroup" >> $LDIF
    echo "cn: $LDAP_CN" >> $LDIF
    echo "gidNumber: $TARGET_GROUP_ID" >> $LDIF

    for MEMBER_UID in $(grep ":${TARGET_GROUP_ID}:" /etc/passwd | cut -d':' -f1,3)
    do
        UID_NUM=$(echo "$MEMBER_UID" | cut -d':' -f2)
        [ $UID_NUM -ge 1000 -a $UID_NUM -le 9999 ] && echo "memberUid: $(echo "$MEMBER_UID" | cut -d':' -f1)" >> $LDIF
    done
    echo >> $LDIF
done
)

    #运行脚本,生成基于本地账户密码的ldif文件
    sh ldapuser.sh

    #查看生成的ldif文件(可以按需修改ldif的内容,以符合自己所需)
    cat ldapuser.ldif
    vi ldapuser.ldif

    #导入
    ldapadd -x -D cn=Manager,dc=wsfnk,dc=local -W -f ldapuser.ldif
声明:本文为原创,作者为 辣条①号,转载时请保留本声明及附带文章链接:https://boke.wsfnk.com/archives/368.html
谢谢你请我吃辣条谢谢你请我吃辣条

如果文章对你有帮助,欢迎点击上方按钮打赏作者

最后编辑于:2022/12/11作者: 辣条①号

现在在做什么? 接下来打算做什么? 你的目标什么? 期限还有多少? 进度如何? 不负遇见,不谈亏欠!

暂无评论

发表回复

您的电子邮箱地址不会被公开。 必填项已用*标注

arrow grin ! ? cool roll eek evil razz mrgreen smile oops lol mad twisted wink idea cry shock neutral sad ???