Sorry for the delay.
Here's the code:
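#!/bin/bash
# Revised: Fri Aug 1 10:08:22 2008 by bret_martin@hms.harvard.edu
# RELEASED UNDER THE GNU GPL (http://www.gnu.org/licenses/gpl.html)
# ABSOLUTELY NO WARRANTY
#
# cl-create-centrify: create a Unix account in the existing Centrify zone
# for a user who already exists in AD.
#
# Steps, in order:
#   1. look up the user's DN and uidNumber in AD (or take -u as the UID)
#   2. derive the private GID (UID + 2,000,000)
#   3. create the private group in AD (if missing) and in Centrify
#   4. create the Centrify user
#   5. wait until the account resolves via getent
#   6. create the home directory, set the Lustre quota, add the user to
#      domain-users, run cl-new-user, and mail the work notes to the ticket
#
# Required environment: CDC_JOINED_DC (DC Centrify is joined to) and a
# readable ~/.forward holding the sender address for the notification mail.
#
# Changes in this revision (behaviour, not cosmetics):
#   - the user name is validated before it is interpolated into LDAP
#     filters, a DN, arithmetic and command lines; the UID must be numeric
#   - a missing user name now calls usage and exits (the old code ran
#     `echo usage` and continued with an empty name)
#   - getopt, ldapadd, "adupdate add group" and "adupdate add user"
#     failures abort instead of continuing into later steps
#   - the "wait for the account to appear" loop is bounded
#   - the temp file is removed by an EXIT trap on every exit path
#   - every expansion is quoted; functions use local variables

set -u
set -o pipefail

#######################################
# Print usage to stderr and exit 1.
#######################################
usage() {
  cat << EOF 1>&2
USAGE: $0 [ options ] -t # eCommonsID

Create an account in the existing Centrify Zone

OPTIONS:
   -t --ticket #   STAT Incident to send output to (Required)
   -h --help       Help options
   -d --debug      Enable debugging prompts
   -u --uid #      Enable UID override (Should not normally be needed)
EOF
  exit 1
}

#######################################
# Print a diagnostic to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print a line to stdout and append it to the work-notes file.
# Globals: OUTPUT_FILE (read) - must already exist
# Arguments: message words
#######################################
log() {
  printf '%s\n' "$*" | tee -a "$OUTPUT_FILE"
}

#######################################
# Remove the work-notes temp file. Safe to call before it is created
# (runs from the EXIT trap, including on early usage/validation exits).
# Globals: OUTPUT_FILE (read)
#######################################
cleanup() {
  if [[ -n "${OUTPUT_FILE:-}" ]]; then
    rm -f -- "$OUTPUT_FILE"
  fi
}
trap cleanup EXIT

#######################################
# Look up one attribute of the user's AD object by sAMAccountName.
# Globals: LDAPSEARCH, LDAPSERVER, BASEDN, new_user (read)
# Arguments: $1 - attribute name (e.g. dn, uidNumber)
# Outputs:   the attribute value with the leading space stripped,
#            or nothing if the object/attribute is not found
#######################################
ad_user_attr() {
  local attr=$1
  "$LDAPSEARCH" -r -u -Q -LLL -H "ldap://$LDAPSERVER" -E pr=500/noprompt \
    -b "$BASEDN" -t "(sAMAccountName=$new_user)" "$attr" \
    | grep "^$attr:" | cut -f 2 -d : | sed 's/^[[:space:]]*//'
}

#######################################
# Create the home directory and populate it from /etc/skel.
# Globals: HOMEFS, OUTPUT_FILE (read)
# Arguments: $1 - user name
#######################################
create_home_dir() {
  local user=$1
  local home="$HOMEFS/$user"
  log "Creating home directory and copying /etc/skel data"
  sudo mkdir -v -m 755 "$home" | tee -a "$OUTPUT_FILE"
  # NOTE: only dotfiles starting with a lowercase letter are copied, as in
  # the original; other /etc/skel entries are intentionally left out.
  sudo cp -vr /etc/skel/.[a-z]* "$home" | tee -a "$OUTPUT_FILE"
  sudo chown -vR "$user" "$home" | tee -a "$OUTPUT_FILE"
  sudo chgrp -vR "$user" "$home" | tee -a "$OUTPUT_FILE"
  log "Home directory created and populated."
}

#######################################
# Apply the default Lustre quota on /n/scratch2.
# Globals: uid, OUTPUT_FILE (read)
# Arguments: $1 - user name (currently unused beyond the call site)
#######################################
set_lustre_quota() {
  local user=$1
  log "Setting default Lustre quota for /n/scratch2"
  # NOTE(review): this sets a *group* quota keyed by the UID, while the
  # private group created earlier has gid = uid + 2000000. Left unchanged;
  # confirm which id /n/scratch2 expects before altering it.
  sudo lfs setquota -g "$uid" -B 5T -I 1000000 /n/scratch2
}

# ---- option parsing --------------------------------------------------------

DEBUG=0
ticket=
uid_override=

# getopt re-quotes the arguments, so the eval/set pair is the documented way
# to load its output; a parse error prints usage and exits.
OPTIONS=$(getopt -o t:hdu: --long ticket:,help,debug,uid: \
  -n 'cl-create-centrify' -- "$@") || usage
eval set -- "$OPTIONS"
while true; do
  case "$1" in
    -h|--help) usage ;;
    -d|--debug) DEBUG=1; shift ;;
    -t|--ticket) ticket=$2; shift 2 ;;
    -u|--uid) uid_override=$2; shift 2 ;;
    --) shift; break ;;
    *) die "Internal error!" ;;
  esac
done

# Look ma, no error checking! (okay, so we do it right below)
new_user=${1:-}

if (( DEBUG )); then
  echo "DEBUG=$DEBUG"
  echo "uid_override=$uid_override"
  echo "new_user=$new_user"
  echo "ticket=$ticket"
fi

# Ticket number is required
if [[ -z "$ticket" ]]; then
  echo "Ticket number not listed"
  usage
fi

if [[ -z "$new_user" ]]; then
  echo "No user listed"
  usage
fi

# The name is interpolated into LDAP filters, a DN and command lines, so
# restrict it to account-name characters. This keeps filter metacharacters
# ( ) * \ out, and a leading '-' cannot be mistaken for an option.
if [[ ! "$new_user" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
  die "Invalid user name '$new_user': only letters, digits, '.', '_' and '-' are allowed"
fi

# The UID feeds arithmetic and adupdate -u, so it must be a plain integer.
if [[ -n "$uid_override" && ! "$uid_override" =~ ^[0-9]+$ ]]; then
  die "UID override '$uid_override' is not a number"
fi

# ---- configuration ---------------------------------------------------------

# Set LDAPSERVER to be (default) the current DC that Centrify is connected to.
# If you're having performance problems with a DC, you can force LDAPSERVER
# to be a different DC, but LDAPSERVER and CDC_JOINED_DC should be set to
# the same value.
#LDAPSERVER=itwdomp02.med.harvard.edu
LDAPSERVER=${CDC_JOINED_DC:?CDC_JOINED_DC must be set (is this host joined to the zone?)}

# This shell glob pattern should match all (and only) the directories
# at which the root of potential home directory filesystems are
# mounted.
HOMEFS=/home

# Define locations of applications we'll call later on.
LDAPSEARCH=/usr/share/centrifydc/bin/ldapsearch
LDAPADD=/usr/share/centrifydc/bin/ldapadd

# AD containers used below.
BASEDN="DC=MED,DC=HARVARD,DC=EDU"
PRIVATE_GROUPS_DN="CN=PRIVATE GROUPS,CN=CENTRIFY,OU=APPLICATIONS,$BASEDN"

# How many 30-second polls to allow before giving up on the account
# appearing via getent (chosen default: 10 minutes; the old loop never ended).
MAX_WAIT_ATTEMPTS=20

# Sender for the work-notes mail. The ticket is mandatory so the mail is
# always sent; fail here rather than after the account has been created.
FROMADDRESS=$(cat ~/.forward)
[[ -n "$FROMADDRESS" ]] || die "Cannot read a sender address from ~/.forward"

cap_user=$(printf '%s' "$new_user" | tr '[a-z]' '[A-Z]')

# ---- pre-checks ------------------------------------------------------------

# Check to see if the user exists already
if getent passwd "$new_user" > /dev/null; then
  echo "User already exists."
  exit 1
fi

OUTPUT_FILE=$(mktemp) || die "mktemp failed"

if (( DEBUG )); then
  echo "Temporary file is $OUTPUT_FILE"
  log "Searching on DN"
fi

dn=$(ad_user_attr dn)
if (( DEBUG )); then
  log "DN is $dn"
fi

# Couldn't find the DN for the user. Whoops.
if [[ -z "$dn" ]]; then
  die "Could not find dn for $new_user. Ensure the user account exists in AD"
fi

# ---- UID / GID -------------------------------------------------------------

if [[ -n "$uid_override" ]]; then
  uid=$uid_override
else
  # Find UID from AD
  uid=$(ad_user_attr uidNumber)
  # Didn't find the UID. Uh oh.
  if [[ -z "$uid" ]]; then
    echo "Can't find uid for $new_user. Find out what the correct UID is"
    echo "and re-run this script with the UID as an option"
    echo "$0 -u 12345 $new_user "
    exit 1
  fi
  [[ "$uid" =~ ^[0-9]+$ ]] || die "uidNumber '$uid' for $new_user is not a number"
fi

if (( DEBUG )); then
  log "UID for $new_user is $uid"
fi

# GID is UID plus 2 million
gid=$(( uid + 2000000 ))
if (( DEBUG )); then
  log "GID for $new_user caclulated to be $gid"
fi

# ---- private group ---------------------------------------------------------

# Check to see if private group exists
existing_group=$("$LDAPSEARCH" -Q -LLL -H "ldap://$LDAPSERVER" -E pr=500/noprompt \
  -s one -b "$PRIVATE_GROUPS_DN" -r "(cn=$cap_user.group)")
if [[ -z "$existing_group" ]]; then
  # group doesn't exist, create it
  log "Creating private group for $new_user"
  "$LDAPADD" -H "ldap://$LDAPSERVER" << END_DATA | tee -a "$OUTPUT_FILE"
dn: CN=$cap_user.group,$PRIVATE_GROUPS_DN
cn: $cap_user.group
description: Centrify Private Group
distinguishedName: CN=$cap_user.group,$PRIVATE_GROUPS_DN
objectCategory: CN=Group,CN=Schema,CN=Configuration,$BASEDN
objectClass: top
objectClass: group
name: $cap_user.group
sAMAccountName: $cap_user.group
END_DATA
  ldapadd_rc=$?
  (( ldapadd_rc == 0 )) || die "ldapadd failed (status $ldapadd_rc) creating the private group for $new_user"
  log "New Private group added"
fi

# Create the private group in Centrify.
if (( DEBUG )); then
  log "Creating private Centrify group"
fi
addgroup_cmd=(adupdate add group -V -g "$gid" -G "$cap_user.group" "$new_user")
addgroup_result=$("${addgroup_cmd[@]}" 2>&1)
addgroup_retcode=$?
log "$addgroup_result"
if (( addgroup_retcode == 0 )); then
  log "Private Centrify Group Created"
else
  echo "There was an error creating Centrify Group" >&2
  printf 'Command was: %s\n' "${addgroup_cmd[*]}" >&2
  exit 1
fi

# ---- user account ----------------------------------------------------------

if (( DEBUG )); then
  log "Creating user account"
fi
# Create the user account now that everything exists that we need
if ! adupdate add user -U "$new_user" -u "$uid" -g "$gid" \
    -d "$HOMEFS/$new_user" -s /bin/bash "$new_user" | tee -a "$OUTPUT_FILE"; then
  die "adupdate add user failed for $new_user"
fi

log "Checking to see if user exists using id"
username=$(getent passwd "$new_user" | cut -f 1 -d :)
if [[ -n "$username" ]]; then
  log "User $new_user exists in Centrify and is seen on Orchestra"
else
  log "User doesn't exist. Checking again."
  counter=0
  while [[ -z "$username" ]]; do
    if (( counter >= MAX_WAIT_ATTEMPTS )); then
      die "User $new_user still not visible after $counter checks; giving up"
    fi
    log "Sleeping for 30 seconds"
    sleep 30
    counter=$(( counter + 1 ))
    username=$(getent passwd "$new_user" | cut -f 1 -d :)
  done
fi

create_home_dir "$new_user"
set_lustre_quota "$new_user"
adupdate modify group -m "$new_user" domain-users | tee -a "$OUTPUT_FILE"
cl-new-user "$new_user" "$HOMEFS/$new_user" | tee -a "$OUTPUT_FILE"

if [[ -n "$ticket" ]]; then
  mail -r "$FROMADDRESS" -s "$ticket Work Notes" servicenow@hms.harvard.edu < "$OUTPUT_FILE"
fi

# cleanup runs from the EXIT trap
exit 0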