Merge branch 'master' into production
Showing
30 changed files
with
891 additions
and
1,459 deletions.
@@ -0,0 +1,143 @@ | ||
#!/usr/bin/perl | ||
use feature "switch"; | ||
use Switch; | ||
use strict; | ||
use warnings; | ||
use perunServicesInit; | ||
use perunServicesUtils; | ||
no if $] >= 5.017011, warnings => 'experimental::smartmatch'; | ||
|
||
local $::SERVICE_NAME = "ad_admin_group_mu_ucn"; | ||
local $::PROTOCOL_VERSION = "3.0.0"; | ||
my $SCRIPT_VERSION = "3.0.0"; | ||
|
||
sub addMemberToGroup; | ||
sub processWorkplaces; | ||
sub processGroup; | ||
sub createGroup; | ||
sub processTree; | ||
sub writeDebug; | ||
|
||
perunServicesInit::init; | ||
my $DIRECTORY = perunServicesInit::getDirectory; | ||
my $fileName = "$DIRECTORY/$::SERVICE_NAME".".ldif"; | ||
|
||
#Get hierarchical data without expired members | ||
my $data = perunServicesInit::getHashedDataWithGroups(1); | ||
my $DEBUG = 0; | ||
|
||
#Constants | ||
our $A_LOGIN; *A_LOGIN = \'urn:perun:user:attribute-def:def:login-namespace:mu-adm'; | ||
our $A_R_GROUP_NAME; *A_R_GROUP_NAME = \'urn:perun:resource:attribute-def:def:adGroupName'; | ||
our $A_MR_V_IS_BANNED; *A_MR_V_IS_BANNED = \'urn:perun:member_resource:attribute-def:virt:isBanned'; | ||
our $A_R_DESCRIPTION; *A_R_DESCRIPTION = \'urn:perun:resource:attribute-def:core:description'; | ||
|
||
# Default description of group in Active Directory | ||
my $defaultDescription = "no-desc in Perun"; | ||
# OUs for groups and users | ||
my $adOuNameGroups = "OU=PrivilegedGroups,OU=MU,DC=ucn,DC=muni,DC=cz"; | ||
my $adOuNameUsers = "OU=PrivilegedUsers,OU=MU,DC=ucn,DC=muni,DC=cz"; | ||
|
||
our $groups = {}; | ||
our $usersByGroups = {}; | ||
|
||
# FOR EACH RESOURCE | ||
foreach my $resourceId ($data->getResourceIds()) { | ||
processGroup($resourceId); | ||
} | ||
|
||
# | ||
# Print group data LDIF | ||
# | ||
open FILE,">:encoding(UTF-8)","$fileName" or die "Cannot open $fileName: $! \n"; | ||
|
||
for my $group (sort keys %$groups) { | ||
|
||
print FILE "dn: CN=" . $group . "," . $adOuNameGroups . "\n"; | ||
print FILE "cn: " . $group . "\n"; | ||
print FILE "samAccountName: " . $group . "\n"; | ||
print FILE "description: " . $groups->{$group}->{"description"} . "\n"; | ||
print FILE "objectClass: group\n"; | ||
print FILE "objectClass: top\n"; | ||
|
||
my @groupMembers = sort keys %{$usersByGroups->{$group}}; | ||
for my $member (@groupMembers) { | ||
print FILE "member: " . $member . "\n"; | ||
} | ||
|
||
# there must be empty line after each entry | ||
print FILE "\n"; | ||
|
||
} | ||
|
||
close FILE; | ||
|
||
perunServicesInit::finalize; | ||
|
||
#################### | ||
# Helper functions # | ||
#################### | ||
|
||
sub addMemberToGroup { | ||
my $memberId = shift; | ||
my $group = shift; | ||
my $resourceId = shift; | ||
|
||
my $login = $data->getUserAttributeValue( member => $memberId, attrName => $A_LOGIN ); | ||
my $isBanned = $data->getMemberResourceAttributeValue( member => $memberId, resource => $resourceId, attrName => $A_MR_V_IS_BANNED ); | ||
|
||
addMember($login, $group, $isBanned) | ||
} | ||
|
||
sub processGroup { | ||
my $resourceId = shift; | ||
|
||
my $group = $data->getResourceAttributeValue( resource => $resourceId, attrName => $A_R_GROUP_NAME ); | ||
my $description = $data->getResourceAttributeValue( resource => $resourceId, attrName => $A_R_DESCRIPTION ); | ||
|
||
writeDebug("Process Standard Group: '$group'", 1); | ||
createGroup($group, $description); | ||
|
||
writeDebug("Continue to add members", 3); | ||
foreach my $memberId ($data->getMemberIdsForResource( resource => $resourceId )) { | ||
addMemberToGroup($memberId, $group, $resourceId); | ||
} | ||
} | ||
|
||
sub createGroup { | ||
my $name = shift; | ||
my $description = shift; | ||
|
||
# Ensure that there is one group with specific name | ||
$groups->{$name}->{"description"} = $description || $defaultDescription; | ||
writeDebug("Group created", 3); | ||
} | ||
|
||
sub addMember { | ||
my $login = shift; | ||
my $group = shift; | ||
my $isBanned = shift; | ||
|
||
#skip banned members | ||
return if $isBanned; | ||
|
||
# allow only UČOadm, 9UČOadm logins | ||
|
||
return unless $login; | ||
if ($login =~ /^9[0-9]{6}adm$/ or $login =~ /^[0-9]{1,6}adm$/) { | ||
|
||
# store UČO and 9UČO users | ||
$usersByGroups->{$group}->{"CN=" . $login . "," . $adOuNameUsers} = 1 | ||
|
||
} | ||
} | ||
|
||
sub writeDebug { | ||
my $message = shift; | ||
my $indentation = shift; | ||
|
||
return unless $DEBUG; | ||
|
||
print "\t" x $indentation; | ||
print $message . "\n"; | ||
} |
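Review bot: processGroup and the LDIF writer never check that `$group` (the resource's adGroupName) and the description are defined and safe to embed: a resource with adGroupName unset yields `dn: CN=,OU=PrivilegedGroups,...` (plus an uninitialized-value warning), and a value containing DN-special characters (`,`, `+`, `"`, `\`, `<`, `>`, `;`) or a newline is interpolated verbatim into the `dn:`/`cn:`/`samAccountName:`/`description:` lines, so one mis-set attribute yields a DN pointing at a different container or injects extra LDIF attribute lines such as `member:` into a privileged group. Member DNs, by contrast, are protected by the strict login regex in addMember; the group name deserves the same anchored allow-list before createGroup, e.g. `die "Unsafe adGroupName on resource $resourceId: '" . ($group // '') . "'" unless defined $group and $group =~ /^[A-Za-z0-9][A-Za-z0-9 ._-]*$/;` (tighten the class to the names actually in use), and the description should be skipped or emitted base64-encoded as `description:: ...` when it contains CR/LF, starts with space, `:` or `<`, or is non-ASCII, as RFC 2849 requires. `close FILE;` on the write handle is unchecked, so a write error at flush time can leave a truncated group file that then drives propagation; use `close FILE or die "Cannot close $fileName: $!";`. Minor: `use Switch` (a source filter), `use feature "switch"` and the smartmatch pragma are unused, and `processWorkplaces`/`processTree` are forward-declared but never defined.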
@@ -0,0 +1,118 @@ | ||
#!/usr/bin/perl | ||
use feature "switch"; | ||
use strict; | ||
use warnings; | ||
use perunServicesInit; | ||
use perunServicesUtils; | ||
use MIME::Base64; | ||
use utf8; | ||
use Encode; | ||
|
||
local $::SERVICE_NAME = "ad_admin_user_mu_ucn"; | ||
local $::PROTOCOL_VERSION = "3.0.0"; | ||
my $SCRIPT_VERSION = "3.0.0"; | ||
|
||
perunServicesInit::init; | ||
my $DIRECTORY = perunServicesInit::getDirectory; | ||
my $fileName = "$DIRECTORY/$::SERVICE_NAME".".ldif"; | ||
|
||
my $data = perunServicesInit::getHashedHierarchicalData(1); | ||
|
||
#Constants | ||
our $A_F_DOMAIN; *A_F_DOMAIN = \'urn:perun:facility:attribute-def:def:adDomain'; | ||
|
||
our $A_LOGIN; *A_LOGIN = \'urn:perun:user:attribute-def:def:login-namespace:mu-adm'; | ||
our $A_FIRST_NAME; *A_FIRST_NAME = \'urn:perun:user:attribute-def:core:firstName'; | ||
our $A_LAST_NAME; *A_LAST_NAME = \'urn:perun:user:attribute-def:core:lastName'; | ||
our $A_DISPLAY_NAME; *A_DISPLAY_NAME = \'urn:perun:user:attribute-def:core:displayName'; | ||
our $A_MAIL; *A_MAIL = \'urn:perun:user:attribute-def:def:preferredMail'; | ||
|
||
our $A_MEMBER_STATUS; *A_MEMBER_STATUS = \'urn:perun:member:attribute-def:core:status'; | ||
|
||
our $STATUS_VALID; *STATUS_VALID = \'VALID'; | ||
our $STATUS_EXPIRED; *STATUS_EXPIRED = \'EXPIRED'; | ||
|
||
# Get the facility ID | ||
my $facilityId = $data->getFacilityId(); | ||
|
||
# CHECK ON FACILITY ATTRIBUTES | ||
if (!defined($data->getFacilityAttributeValue( attrName => $A_F_DOMAIN ))) { | ||
exit 1; | ||
} | ||
|
||
my $baseDN = "OU=PrivilegedUsers,OU=MU,DC=ucn,DC=muni,DC=cz"; | ||
my $domain = $data->getFacilityAttributeValue( attrName => $A_F_DOMAIN ); | ||
my $uac = "66048"; | ||
|
||
# GATHER USERS | ||
my $users; # $users->{$login}->{ATTR} = $attrValue; | ||
|
||
# | ||
# AGGREGATE DATA | ||
# | ||
# FOR EACH RESOURCE | ||
foreach my $resourceId ( $data->getResourceIds() ){ | ||
|
||
# EACH USER ON RESOURCE | ||
foreach my $memberId ($data->getMemberIdsForResource( resource => $resourceId )) { | ||
|
||
my $login = $data->getUserAttributeValue( member => $memberId, attrName => $A_LOGIN ); | ||
next unless $login; | ||
my $memberStatus = $data->getMemberAttributeValue( member => $memberId, attrName => $A_MEMBER_STATUS ); | ||
next unless ($memberStatus eq $STATUS_VALID); | ||
|
||
# store standard attrs | ||
$users->{$login}->{"DN"} = "CN=" . $login . "," . $baseDN; | ||
$users->{$login}->{$A_FIRST_NAME} = $data->getUserAttributeValue(member => $memberId, attrName => $A_FIRST_NAME); | ||
$users->{$login}->{$A_LAST_NAME} = $data->getUserAttributeValue(member => $memberId, attrName => $A_LAST_NAME); | ||
$users->{$login}->{$A_DISPLAY_NAME} = $data->getUserAttributeValue(member => $memberId, attrName => $A_DISPLAY_NAME); | ||
$users->{$login}->{$A_MAIL} = $data->getUserAttributeValue(member => $memberId, attrName => $A_MAIL); | ||
} | ||
} | ||
|
||
# | ||
# PRINT user data LDIF | ||
# | ||
open FILE,">$fileName" or die "Cannot open $fileName: $! \n"; | ||
binmode FILE, ":utf8"; | ||
|
||
# FOR EACH USER ON FACILITY | ||
my @logins = sort keys %{$users}; | ||
for my $login (@logins) { | ||
|
||
# print attributes, which are never empty | ||
print FILE "dn: " . $users->{$login}->{"DN"} . "\n"; | ||
|
||
print FILE "cn: " . $login . "\n"; | ||
print FILE "samAccountName: " . $login . "\n"; | ||
print FILE "userPrincipalName: " . $login . "\@" . $domain . "\n"; | ||
# enable accounts (if not) using service propagation | ||
print FILE "userAccountControl: " . $uac . "\n"; | ||
|
||
# skip attributes which are empty and LDAP can't handle it (FIRST_NAME, EMAIL) | ||
my $sn = $users->{$login}->{$A_LAST_NAME}; | ||
my $givenName = $users->{$login}->{$A_FIRST_NAME}; | ||
my $displayName = ($users->{$login}->{$A_FIRST_NAME} || "") . " " . ($users->{$login}->{$A_LAST_NAME} || "") . " (adm)"; | ||
my $mail = $users->{$login}->{$A_MAIL}; | ||
|
||
if (defined $displayName and length $displayName) { | ||
print FILE "displayName: " . $displayName . "\n"; | ||
} | ||
if (defined $sn and length $sn) { | ||
print FILE "sn: " . $sn . "\n"; | ||
} | ||
if (defined $givenName and length $givenName) { | ||
print FILE "givenName: " . $givenName . "\n"; | ||
} | ||
if (defined $mail and length $mail) { | ||
print FILE "mail: " . $mail . "\n"; | ||
} | ||
|
||
# There MUST be an empty line after each entry, so entry sorting and diff works on slave part | ||
print FILE "\n"; | ||
|
||
} | ||
|
||
close(FILE); | ||
|
||
perunServicesInit::finalize; |
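Review bot: Unlike the group script's addMember, which accepts only logins matching `^9[0-9]{6}adm$` or `^[0-9]{1,6}adm$`, the member loop here takes any truthy `$A_LOGIN` value and interpolates it unescaped into `dn: CN=...`, `samAccountName` and `userPrincipalName`, so a login the group script would reject still gets a privileged user entry, and a login containing DN-special characters (`,`, `+`, `"`, `\`, `<`, `>`, `;`) produces a malformed or misplaced DN; apply the same anchored check right after `next unless $login;`, i.e. `next unless $login =~ /^(?:9[0-9]{6}|[0-9]{1,6})adm$/;`. Separately, `$uac = "66048"` is 0x10200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD, so the comment "enable accounts" understates it — every privileged account is also exempted from password expiry; confirm that is policy and document the constant inline, e.g. `my $uac = "66048"; # NORMAL_ACCOUNT (0x200) | DONT_EXPIRE_PASSWD (0x10000)`. MIME::Base64 and Encode are imported but never used, while sn/givenName/displayName/mail are written raw even though RFC 2849 requires `attr:: <base64>` for values that are non-ASCII or start with space, `:` or `<`; whether the consuming side tolerates raw UTF-8 I cannot tell from here. The 2-arg `open FILE,">$fileName"` should also become the 3-arg `open FILE, '>:encoding(UTF-8)', $fileName` that the sibling script uses, which also replaces the lax `:utf8` layer with strict encoding.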
This file was deleted.