useradd-krb-ldap(8)          PTWAP SYSADMIN MANUAL          useradd-krb-ldap(8)

NAME
       useradd-krb-ldap - Program to create, delete, and manipulate
       Kerberos/LDAP/NIS accounts

SYNOPSIS
       useradd-krb-ldap [-C] [-D] [-M] [-u uidNumber] [-g gidNumber]
       [-s loginShell] [-h homeDirectory] [-n cn] [-e shadowExpire]
       [--title title] [-?] uid

DESCRIPTION
       useradd-krb-ldap creates, deletes, and manipulates user accounts.
       These accounts can be stored in different databases such as
       Kerberos(8), LDAP(3) or NIS(8).

       The audience of useradd-krb-ldap is a network scenario where one (or
       more) central server(s) provide the user accounts. It is not intended
       as a replacement for standard system tools like useradd(8) or
       adduser(8) (or whatever may be available on your platform).

       useradd-krb-ldap relies on the availability and functionality of the
       standard tools for administering the respective databases, such as
       ldapadd(1), ldapmodify(1), ldapdelete(1), kadmin(8), and, for the
       maintenance of NIS(8) accounts, sed(1) and make(1). It further assumes
       that GSSAPI authentication to the LDAP server works.

OPTIONS
       -C, --convert
              Operate in convert mode. The default is to operate in create
              mode. The information found in the NIS database (besides the
              encrypted password) is stored in the LDAP database. A Kerberos
              principal with a random password is created. The NIS entry is
              deleted.

       -D, --delete
              Operate in delete mode. The default is to operate in create
              mode. Everything belonging to the user is deleted: NIS entry,
              LDAP entry, Kerberos principal, and home directory.

       -M, --modify
              Operate in modify mode. This allows you to modify the LDAP
              attributes of an existing LDAP account.

       -u, --uidNumber uidNumber
              Numerical user id (uid).

       -g, --gidNumber gidNumber
              Numerical group id (gid).

       -s, --loginShell loginShell
              Login shell.

       -h, --homeDirectory homeDirectory
              Home directory.

       -n, --cn cn
              Canonical Name.

       -e, --shadowExpire shadowExpire
              Set the date when the account expires.

       --title title
              Set the LDAP attribute title.
       -?, --help
              Display short help text.

       uid    uid (= login name) of the account to be created.

IMPLEMENTATION
       useradd-krb-ldap is a python script. It can be run in different modes
       specified on the command line. By default, an account is created by
       creating an LDAP entry, a Kerberos principal, and a home directory
       (with disc quotas). The other modes currently implemented are delete,
       for deleting an account (by removing the LDAP entry, the Kerberos
       principal, and the home directory), and convert, for converting an
       account. This script has been developed on a cluster where a lot of
       NIS accounts had to be converted to LDAP/Kerberos accounts.

       Technically, each primitive task is represented by a python class,
       called a Pluggable Configuration Module (PCM). There exist PCMs like
       PCM_LDAP_create for creating an LDAP entry, PCM_LDAP_convert for
       creating or updating an LDAP entry from NIS information,
       PCM_LDAP_delete for deleting an LDAP entry, PCM_Kerberos_create for
       creating a Kerberos principal, PCM_Kerberos_delete for deleting a
       Kerberos principal, PCM_HomeDirectory_create for creating a home
       directory and setting the user quota, PCM_HomeDirectory_delete for
       deleting a home directory, and PCM_NIS_delete for deleting a NIS
       entry. Creation of NIS accounts is currently unsupported.

       Each PCM must provide two methods, check() and perform(). The check()
       method should make all checks necessary to ensure that the later
       perform() call, which does the actual work, will succeed. The
       different operation modes just append different PCMs to a list of
       modules, called the module chain. Then the check() method of every
       module in the chain is called; if any module finds that the program
       should exit, it can still exit safely at this point. Then the
       perform() method of every module is called, so that the actual work
       gets done.
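The module chain described above, as an added example rather than code from useradd-krb-ldap itself: the PCM classes, the `env` dict, the `CHAINS` table and the `run_mode` helper are hypothetical stand-ins that only record the actions they would take, so the check-then-perform ordering can be exercised without an LDAP server or a KDC. The sample account values are constructed.

```python
# Added illustration, not code from useradd-krb-ldap itself: a minimal model
# of the Pluggable Configuration Module (PCM) chain described above. The PCM
# classes below are hypothetical stand-ins that only record what they would
# do; the real script's PCMs shell out to ldapadd(1), kadmin(8) and friends.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    """Attributes gathered from the command line (constructed sample data)."""
    uid: str
    uidNumber: Optional[int] = None
    gidNumber: Optional[int] = None
    cn: Optional[str] = None
    homeDirectory: Optional[str] = None


class CheckFailed(Exception):
    """Raised by check() when the later perform() call could not succeed."""


class PCM:
    """Base class: every PCM provides check() and perform().

    `env` is a dict standing in for site configuration (realm, existing uids);
    `log` is a shared list recording the actions actually performed.
    """
    def __init__(self, account: Account, env: dict, log: list) -> None:
        self.account, self.env, self.log = account, env, log

    def check(self) -> None:
        raise NotImplementedError

    def perform(self) -> None:
        raise NotImplementedError


class PCM_LDAP_create(PCM):
    def check(self) -> None:
        a = self.account
        if a.uid in self.env["existing_uids"]:
            raise CheckFailed(f"LDAP: uid {a.uid!r} already exists")
        missing = [k for k in ("uidNumber", "gidNumber", "cn") if getattr(a, k) is None]
        if missing:
            raise CheckFailed(f"LDAP: missing attributes {missing}")

    def perform(self) -> None:
        self.log.append(f"ldap: add uid={self.account.uid}")


class PCM_Kerberos_create(PCM):
    def check(self) -> None:
        if "@" in self.account.uid or "/" in self.account.uid:
            raise CheckFailed("Kerberos: uid must not contain '@' or '/'")

    def perform(self) -> None:
        self.log.append(f"kerberos: add principal {self.account.uid}@{self.env['realm']}")


class PCM_HomeDirectory_create(PCM):
    def check(self) -> None:
        home = self.account.homeDirectory
        if not home or not home.startswith("/"):
            raise CheckFailed("home: homeDirectory must be an absolute path")

    def perform(self) -> None:
        self.log.append(f"home: mkdir {self.account.homeDirectory}")


# Each operation mode appends its own PCMs to the module chain (hypothetical table).
CHAINS = {"create": [PCM_LDAP_create, PCM_Kerberos_create, PCM_HomeDirectory_create]}


def run_chain(chain: list) -> None:
    """check() every module first; perform() only once all checks passed.

    A failed check() aborts before any database has been touched, so no
    half-created account (e.g. a principal without an LDAP entry) is left.
    """
    for module in chain:
        module.check()
    for module in chain:
        module.perform()


def run_mode(mode: str, account: Account, existing_uids=(), realm="EXAMPLE.ORG") -> dict:
    """Build and run the chain for `mode`; report what was performed and any error."""
    env = {"existing_uids": set(existing_uids), "realm": realm}
    log: list = []
    chain = [cls(account, env, log) for cls in CHAINS[mode]]
    try:
        run_chain(chain)
    except CheckFailed as err:
        return {"performed": log, "error": str(err)}
    return {"performed": log, "error": None}


if __name__ == "__main__":
    print(run_mode("create", Account("epple29", 1001, 101, cn="Dominik Epple", homeDirectory="/home/epple29")))
```

Running run_mode("create", ...) with an account whose homeDirectory is relative shows the point of the two-pass chain: the LDAP and Kerberos checks pass, the home-directory check raises, and the returned performed list is empty, so there is nothing to roll back in LDAP or the KDC.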
       Thus, if you want to adapt this script to your needs, you can either
       adapt the existing modules (for example to port them to MIT Kerberos),
       write custom modules (for example to create accounts in the system
       files), create custom chains, or any combination of the above.

EXAMPLES
       useradd-krb-ldap -n "Dominik Epple" -g 101 -e 2005-12-31 epple29

       Since not all (optional) information has been provided, the script
       drops you into an editor to let you fill in the missing values or
       delete the corresponding lines. This is repeated until the ldapadd
       call succeeds.

ENVIRONMENT
       EDITOR The editor used to edit the temporary ldif file.

       KRB5_CCNAME
              Kerberos ticket used to authenticate to the LDAP server.

BUGS
       Currently, useradd-krb-ldap is only developed and tested with OpenLDAP
       and Heimdal Kerberos 5. But, due to its modular design, it should be
       easy to adapt (and extend) to other setups.

TODO
       A --backup option for the delete mode would be desirable.

       Add command line options for LDAP attributes such as webShow,
       employeeType, mail, roomNumber, and telephoneNumber. See title for the
       (trivial) implementation thereof.

HISTORY
       Release 0.2.2, February 2005
              Add modify mode. Add --title option. Minor bug fixes.

       Release 0.2.1, February 2005
              Add default values for the mail and manager attributes.

       Release 0.2, January 2005
              First working python release.

       Release 0.1, 2004
              Inferior perl implementation.

AUTHOR
       Dominik Epple, epple@tphys.physik.uni-tuebingen.de
       http://www.dominik-epple.de

SEE ALSO
       ldapadd(1), ldapmodify(1), ldapdelete(1), kadmin(8)

version 0.2.1                  February 08, 2005            useradd-krb-ldap(8)