diff --git a/bin/synchronize_vshare_Users.pl b/bin/synchronize_vshare_Users.pl
new file mode 100755
index 0000000000000000000000000000000000000000..2869df6b0669b88ca34dd929d34743246e9c0e6b
--- /dev/null
+++ b/bin/synchronize_vshare_Users.pl
@@ -0,0 +1,417 @@ +#!/usr/bin/perl + +# ------------------------------------------------------------------------------ +# $Id$ +# +# ------------------------------------------------------------------------------ + +use strict; +use warnings; +use Getopt::Long; +use Data::Dumper; +use Config::IniFiles; +use Net::LDAP; +use File::Copy; +use File::Basename; +use Sys::Hostname; +use Cwd; +use Net::OpenSSH::Compat 'Net::SSH2'; + +# unbuffered output: +$| = 1; + +use lib ( new Config::IniFiles( -file => "/opt/etc/ini/global.ini" )->val( 'APPLICATION', 'LIBRARY' ) ); + +BEGIN { + my $iniFile = new Config::IniFiles( -file => "/opt/etc/ini/global.ini" ); + push( @INC, $iniFile->val( 'APPLICATION', 'LIBRARY' ) ); +} + +use SNET::common; +use SNET::snmpd; +use SNET::LdapNS qw(:all); +use SNET::SSHDeviceInterfacer::Linux; + +use vars qw($verbose $debug $help $force $cli_mode $dry_run ); +$verbose = 0; +$debug = 0; +$cli_mode = 1; + +my $PROGNAME = basename( $0 ); +$PROGNAME =~ s/\.p[lm]$//; + +my %options = ( + "help" => \$help, + "debug" => \$debug, + "verbose" => \$verbose, + "force" => \$force, + "dry-run" => \$dry_run, +); + +my $SNMP_ENTERPRISEOID = "99"; +my $SNMP_OID = "1.3.6.1.4.1.99999.$SNMP_ENTERPRISEOID"; +my $SNMP_GEN = "6"; +my $SNMP_SPE = "1"; +my $msg = ''; +my $title = "Cacti ImportUser"; + +help() if !GetOptions( %options ) or $help; +$verbose = 1 if $debug; + +# ldap_find_users_and_groups() +# +# Read users and groups from SNet LDAP. + +sub ldap_find_users_and_groups ($$$$$$$$$$) +{ + my ( + $cfg_ldap_server, $cfg_ldap_user, $cfg_ldap_passwd, $cfg_ldap_group_search, $cfg_ldap_search_scope, + $cfg_ldap_group_search_filter, $cfg_ldap_group_attribute, $cfg_ldap_groupname, $hostname, $cfg_ldap_cafile + ) = @_; + + my %users; + + # Connect to the LDAP server + metaprint( 'verbose', "Initiating connection to LDAP server <$cfg_ldap_server>:" ) if $verbose; + my $ldap = Net::LDAP->new( + $cfg_ldap_server, + async => 0, + onerror => ( + ( $debug == 0 ) ? 
sub { return $_[0] } : sub { + my $message = shift; + my $error = defined( $message->error_desc ) ? $message->error_desc : $message->error(); + $msg = "Ldap: Unable to process request: $error."; + metaprint( 'error', $title . ": " . $msg ); + snmp_trap_send_multi_vars( $SNMP_OID, $SNMP_GEN, $SNMP_SPE, [ $hostname, $title, $msg ] ); + return $message; + } + ), + ); + if ( !$ldap ) { + $msg = "LDAP connection to <$cfg_ldap_server> failed."; + metaprint( 'error', $title . ": " . $msg ) if $verbose; + snmp_trap_send_multi_vars( $SNMP_OID, $SNMP_GEN, $SNMP_SPE, [ $hostname, $title, $msg ] ); + exit 1; + } + metaprint( 'verbose', "* LDAP connection completed successfully." ) if $verbose; + + my $message; + eval { + print STDERR 'Starting tls' . "\n" if ( $debug ); + $message = $ldap->start_tls( verify => 'require', + cafile => $cfg_ldap_cafile, ); + if ( $message->is_error() ) { + $msg = "Could not encrypt LDAP connection."; + metaprint( 'error', $title . ": " . $msg ) if $verbose; + snmp_trap_send_multi_vars( $SNMP_OID, $SNMP_GEN, $SNMP_SPE, [ $hostname, $title, $msg ] ); + exit 1; + } + }; + if ( $@ ) { + $msg = "Crash - Could not encrypt LDAP connection."; + metaprint( 'error', $title . ": " . $msg ) if $verbose; + snmp_trap_send_multi_vars( $SNMP_OID, $SNMP_GEN, $SNMP_SPE, [ $hostname, $title, $msg ] ); + exit 1; + } + + eval { + print STDERR 'binding' . "\n" if ( $debug ); + $message = $ldap->bind( + $cfg_ldap_user, + password => $cfg_ldap_passwd, + version => 3, + ); + if ( $message->is_error() ) { + $msg = "LDAP bind error occurred."; + metaprint( 'error', $title . ": " . $msg ) if $verbose; + snmp_trap_send_multi_vars( $SNMP_OID, $SNMP_GEN, $SNMP_SPE, [ $hostname, $title, $msg ] ); + exit 1; + } + }; + if ( $@ ) { + $msg = "Crash - LDAP bind error occurred ('" . $message->error_name . "')."; + metaprint( 'error', $title . ": " . 
$msg ) if $verbose; + snmp_trap_send_multi_vars( $SNMP_OID, $SNMP_GEN, $SNMP_SPE, [ $hostname, $title, $msg ] ); + exit 1; + } + + metaprint( 'verbose', "* LDAP bind operation completed successfully." ) if $verbose; + + # Search AD for objects in a particular group using LDAP + + metaprint( 'info', "Getting the LDAP member with expiration." ) if $verbose; + my %searchargs; + $searchargs{base} = $cfg_ldap_group_search; + $searchargs{scope} = $cfg_ldap_search_scope; + $searchargs{filter} = $cfg_ldap_group_search_filter; + $searchargs{attrs} = $cfg_ldap_group_attribute; + + print Dumper( \%searchargs ) if $verbose; + + my $results; + eval { $results = $ldap->search( %searchargs ); }; + if ( $@ ) { + my $title = "Check Password"; + my $msg = "Crash - LDAP Users Search."; + metaprint( 'error', $title . ": " . $msg ) if $verbose; + snmp_trap_send_multi_vars( $SNMP_OID, $SNMP_GEN, $SNMP_SPE, [ $hostname, $title, $msg ] ); + exit 1; + } + + if ( $results->is_error() ) { + metaprint( 'error', 'search failed: ' . $results->error_text ); + metaprint( 'error', 'search failed: ' . $results->code ); + metaprint( 'error', 'search failed: ' . $results->error ); + } elsif ( $results->count() == 0 ) { + metaprint( 'error', 'no result' ); + } else { + metaprint( 'verbose', "* Search returned " . $results->count . " object." ) if $verbose; + print Dumper( $results->as_struct() ) if $verbose; + my $ldap_hash = $results->as_struct(); + + my $attribute = $searchargs{attrs}[0]; + if ( defined( $ldap_hash->{ "cn=$cfg_ldap_groupname," . $searchargs{base} }{$attribute} ) ) { + foreach my $url ( @{ $ldap_hash->{ "cn=$cfg_ldap_groupname," . 
$searchargs{base} }{$attribute} } ) { + + print "$url\n" if $verbose; + push( @{ $users{$url}{'groups'} }, $cfg_ldap_groupname ); + + # fetch the user gecos + my %usersearch; + $usersearch{base} = $cfg_ldap_group_search; + $usersearch{base} =~ s/groups/people/; + $usersearch{attrs} = [ 'gecos', 'uid' ]; + $usersearch{scope} = 'sub'; + $usersearch{filter} = '(&(objectClass=posixAccount)(uid=' . $url . '))'; + print Dumper( \%usersearch ) if $verbose; + + my $userresults; + eval { $userresults = $ldap->search( %usersearch ); }; + if ( $@ ) { + my $title = "Check Password"; + my $msg = "Crash - LDAP Mail Users Search."; + metaprint( 'error', $title . ": " . $msg ) if $verbose; + snmp_trap_send_multi_vars( $SNMP_OID, $SNMP_GEN, $SNMP_SPE, [ $hostname, $title, $msg ] ); + exit 1; + } + if ( $userresults->is_error() ) { + metaprint( 'error', 'search failed: ' . $userresults->error_text ); + metaprint( 'error', 'search failed: ' . $userresults->code ); + metaprint( 'error', 'search failed: ' . $userresults->error ); + } elsif ( $userresults->count() == 0 ) { + metaprint( 'error', 'no result' ); + } else { + metaprint( 'info', "* Search returned " . $userresults->count . " url for '$url'." ) if $verbose; + print Dumper ( $userresults ) if $verbose; + + foreach my $uid ( $userresults->entries ) { + print "'" . $uid->get_value( 'uid' ) . "'\n" if $verbose; + if ( !defined( $uid->get_value( 'gecos' ) ) ) { + $users{ $uid->get_value( 'uid' ) } = ''; + } else { + $users{ $uid->get_value( 'uid' ) }{'gecos'} = $uid->get_value( 'gecos' ); + } + } + } + + } + } else { + metaprint( 'error', "Could not parse the hash result: {" . "cn=$cfg_ldap_groupname," . $searchargs{base} . "} { " . $attribute . 
" }" ); + } + } + + print "\nClosing LDAP connection.\n" if $verbose; + $ldap->unbind; + return %users; +} + +# +# Global Declarations +# +# load the INI +metaprint( "info", "Loading INI file Parameters" ); +my $global_iniFile = new Config::IniFiles( -file => "/opt/etc/ini/global.ini" ); + +my $CiniFile = new Config::IniFiles( -file => $global_iniFile->val( 'INI', 'RME' ) ); +metaprint( "error", "error value of CiniFile is undefined" ) if ( !defined( $CiniFile ) ); + +my $outpath = $CiniFile->val( 'GLOBAL', 'OUTPATH' ); +metaprint( "error", "The defined outpath is not valid, please correct-it" ) if ( !defined( $outpath ) ); + +my $AiniFile = new Config::IniFiles( -file => $global_iniFile->val( 'INI', 'LDAP' ) ); +metaprint( "error", "error value of AiniFile is undefined" ) if ( !defined( $AiniFile ) ); + +my $cfg_ldap_server = $AiniFile->val( 'LDAP_SNET_NG', 'SERVER' ); +metaprint( "error", "error value of cfg_ldap_server is undefined" ) if ( !defined( $cfg_ldap_server ) ); +my $cfg_ldap_user = $AiniFile->val( 'LDAP_SNET_NG', 'USER' ); +metaprint( "error", "error value of cfg_ldap_user is undefined" ) if ( !defined( $cfg_ldap_user ) ); +my $cfg_ldap_passwd = $AiniFile->val( 'LDAP_SNET_NG', 'PASSWORD' ); +metaprint( "error", "error value of cfg_ldap_passwd is undefined" ) if ( !defined( $cfg_ldap_passwd ) ); +my $cfg_ldap_group_search = $AiniFile->val( 'LDAP_SNET_NG', 'GRP_SEARCH' ); +metaprint( "error", "error value of cfg_ldap_group_search is undefined" ) if ( !defined( $cfg_ldap_group_search ) ); +my $cfg_ldap_group_search_filter = $AiniFile->val( 'LDAP_SNET_NG', 'FILTER' ); +metaprint( "error", "error value of cfg_ldap_group_search_filter is undefined" ) if ( !defined( $cfg_ldap_group_search_filter ) ); +$cfg_ldap_group_search_filter = "(&(objectclass=posixGroup)(cn=REPLACE))"; +my $cfg_ldap_group_attribute = $AiniFile->val( 'LDAP_SNET_NG', 'GRP_ATTRIBUTE' ); +metaprint( "error", "error value of cfg_ldap_group_attribute is undefined" ) if ( !defined( 
$cfg_ldap_group_attribute ) ); +$cfg_ldap_group_attribute = ["memberuid"]; +my $cfg_ldap_search_scope = $AiniFile->val( 'LDAP_SNET_NG', 'SEARCH_SCOPE' ); +metaprint( "error", "error value of cfg_ldap_search_scope is undefined" ) if ( !defined( $cfg_ldap_search_scope ) ); +my $cfg_ldap_cafile = $AiniFile->val( 'LDAP_SNET_NG', 'CA' ); +metaprint( "error", "error value of cfg_ldap_cafile is undefined" ) if ( !defined( $cfg_ldap_cafile ) ); + +# vSHARE credentails configuration +my $LiniFile = new Config::IniFiles( -file => $global_iniFile->val( 'INI', 'RME' ) ); +metaprint( "error", "error value of LiniFile is undefined" ) if ( !defined( $LiniFile ) ); +my $vshare_servers = $LiniFile->val( 'vshare', 'SERVERS' ); +metaprint( "error", "error value of vshare_servers is undefined" ) if ( !defined( $vshare_servers ) ); +my $vshare_user = $LiniFile->val( 'vshare', 'USER' ); +metaprint( "error", "error value of vshare_user is undefined" ) if ( !defined( $vshare_user ) ); +my $vshare_passwd = $LiniFile->val( 'vshare', 'PASSWD' ); +metaprint( "error", "error value of vshare_passwd is undefined" ) if ( !defined( $vshare_passwd ) ); + +my @filters; +push( @filters, 'com' ); +push( @filters, 'mgt' ); +push( @filters, 'net' ); +push( @filters, 'pi' ); +push( @filters, 'pm' ); +push( @filters, 'sd' ); +push( @filters, 'sec' ); +push( @filters, 'ss' ); +push( @filters, 'tda' ); +push( @filters, 'officials' ); + +my $hostname = hostname(); + +# test DVE +#snmp_trap_send_multi_vars( $SNMP_OID, $SNMP_GEN, $SNMP_SPE, [ $hostname, "DVE TEST", "Crash - Ack test." ] ); +#exit 1; + +# Main Application +metaprint( "info", "Starting users synchro" ); + +my $errors = 0; + +my $already_defined_users = {}; +my $ssh; +my $out; + +metaprint( 'info', "processing vshare servers..." ); +foreach my $server ( split( /,/, $vshare_servers ) ) { + + # SSH to server. + metaprint 'info', 'Working on ' . $server . 
'...'; + $ssh = new SNET::SSHDeviceInterfacer::Linux( $debug, $server, $vshare_user, $vshare_passwd ); + if ( !$cli_mode ) { + $ssh->set_webmode( 1 ); + } + + if ( $ssh->openSSHConnection() ) { + metaprint 'info', "-> ok connected"; + } else { + metaprint 'error', "-> connection failed"; + $errors++; + next; + } + + my $cln = (); + $cln->{'uid'} = 3; + $cln->{'gid'} = 4; + $cln->{'name'} = 9; + + $out = $ssh->sendCMD( "/bin/ls -aildn /opt/home/*" ); + if ( $out =~ m/\s\/opt\/home\/\w+/i ) { + foreach my $line ( split( /\n/, $out ) ) { + chomp $line; + next if ( $line =~ /ls -aildn/ ); + next if ( $line =~ /\/export\/home\/snet/ ); + next if ( $line =~ /lost\+found/ ); + $line =~ s/^\s*//; + print Dumper ( $line ) if $debug; + + my $tmp = (); + @$tmp = split( /\s+/, $line ); + $tmp->[ $cln->{'name'} ] =~ s/\/*$//g; + $tmp->[ $cln->{'name'} ] =~ s/^\/.*\///; + print Dumper ( $tmp ) if $debug; + + # 3 : uid + # 4 : gid + # 9 : name + foreach my $pos ( keys %$cln ) { + $already_defined_users->{ $tmp->[ $cln->{'name'} ] }{$pos} = $tmp->[ $cln->{$pos} ]; + } + } + last; + } else { + $errors++; + next; + } + +} + +if ( $errors ) { + metaprint( 'error', "Some errors have been found, please contact SS Team!" . nl() . "Please copy/paste the output to the email!" 
); + exit 1; +} + +#Print Users from Cacti +print Dumper ( $already_defined_users ) if $verbose; + +# -- Create the import file +my $cpt = 0; +my $cpt_del = 0; + +foreach my $filter ( @filters ) { + + metaprint "info", "Checking groups '$filter'."; + my $cfg_ldap_group_search_f = $cfg_ldap_group_search_filter; + $cfg_ldap_group_search_f =~ s/REPLACE/$filter/; + print "$cfg_ldap_group_search_f\n" if $verbose; + my %ldap_users = ldap_find_users_and_groups( $cfg_ldap_server, $cfg_ldap_user, $cfg_ldap_passwd, $cfg_ldap_group_search, $cfg_ldap_search_scope, + $cfg_ldap_group_search_f, $cfg_ldap_group_attribute, $filter, $hostname, $cfg_ldap_cafile ); + + print Dumper ( \%ldap_users ) if $verbose; + + foreach my $u ( keys %ldap_users ) { + if ( defined( $already_defined_users->{$u} ) && ( $already_defined_users->{$u} ) ) { + metaprint( "info", "Skipping user $u import, user is already defined, but user need to be checked." ) if $verbose; + + # TODO check uid:gid + $already_defined_users->{$u}{'found'} = 1; + next; + } + + next if ( $ldap_users{$u} =~ /^$/ ); + my $cmd = "sudo mkdir /opt/home/$u && sudo chown $u:snmc /opt/home/$u"; + metaprint( "info", "$u need to be created: '$cmd'." ); + if ( !$dry_run ) { + eval { $out = $ssh->sendCMD( $cmd ); }; + if ( $out =~ m/password/i ) { + $out = $ssh->sendCMD( $vshare_passwd ); + } + print $out; + } + $cpt++; + } +} + +metaprint "info", "Checking all others vshare home directory users defined."; +foreach my $u ( keys %$already_defined_users ) { + if ( defined( $already_defined_users->{$u} ) + && ( $already_defined_users->{$u} ) + && defined( $already_defined_users->{$u}{'found'} ) + && ( $already_defined_users->{$u}{'found'} ) ) { + next; + } else { + metaprint( "error", "User $u need to be deleted manually." ); + $cpt_del++; + } +} +eval { $out = $ssh->sendCMD( "exit" ); }; + +metaprint( "info", "$cpt user(s) created." ); +metaprint( "info", "$cpt_del user(s) need to be deleted." 
); +metaprint( "info", "--- Process Done ---" ); +exit( 0 );
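Review bot: `$u`, which is taken directly from the LDAP `memberUid`/`uid` values, is interpolated unvalidated into `"sudo mkdir /opt/home/$u && sudo chown $u:snmc /opt/home/$u"` and sent through `$ssh->sendCMD` to a root-capable shell on each vshare server, and the same value is concatenated unescaped into the per-user filter `'(&(objectClass=posixAccount)(uid=' . $url . '))'`, so a directory entry containing shell or filter metacharacters controls what runs there. Gate the creation loop on an anchored allowlist before building the command, e.g. `unless ( $u =~ m{\A[a-z_][a-z0-9_-]*\z} ) { metaprint( 'error', "Refusing to create home for unexpected uid '$u'." ); next; }`, and build the filter with `Net::LDAP::Util::escape_filter_value( $url )`. Separately, `$cfg_ldap_group_search_filter` and `$cfg_ldap_group_attribute` are read from the INI, checked for definedness, and then unconditionally overwritten with hard-coded values, so those INI keys are dead and the checks above them can never affect the run; either drop the reads or drop the overrides. In the `if ( $@ )` branch after the bind `eval`, `$message->error_name` still refers to the `start_tls` result, so the logged name describes the earlier TLS step rather than the bind failure; include `$@` in `$msg` instead.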