#!/usr/bin/env bash
#
# Create or delete an admin account in FreeIPA

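# Absolute paths of the external commands this script relies on. Marked
# readonly so a later assignment cannot silently redirect them; every entry
# of USED_COMMANDS is checked by is_commands_installed before use.
readonly KINIT_CMD='/usr/bin/kinit'
readonly KDESTROY_CMD='/usr/bin/kdestroy'
readonly IPA_CMD='/usr/bin/ipa'
readonly ECHO_CMD='/usr/bin/echo'

# Single space-separated string; the consumer word-splits it deliberately.
readonly USED_COMMANDS="$KINIT_CMD $KDESTROY_CMD $IPA_CMD $ECHO_CMD"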

#
# display a message about actions on :
#   * Kerberos ticket-granting ticket
#   * IPA object
#
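message() {
  #
  # Print a one-line status message for an action.
  #
  # Arguments:
  #   $1 - action: init | destroy | user-add | group-add-member | user-del
  #        | missing-cmd
  #   $2 - for init/destroy and the IPA actions: the exit status ($?) of the
  #        command that performed the action; for missing-cmd: the path of
  #        the missing command
  # Outputs: the message on stdout
  # Returns: 0; an unknown action is reported on stderr and exits with 1
  #
  local action="$1" status="$2" msg=

  case "$action" in
    init | destroy)
      # exit statuses arrive as the canonical string produced by $?, so a
      # plain string comparison is enough and does not choke on an empty or
      # non-numeric status the way '-eq' does
      if [[ "$status" == 0 ]]; then
        msg="action '${action}' on Kerberos ticket-granting ticket is done."
      else
        msg="action '${action}' on Kerberos ticket-granting ticket has failed."
      fi
      ;;
    user-add | group-add-member | user-del)
      if [[ "$status" == 0 ]]; then
        msg="action '${action}' on IPA object is done."
      else
        msg="action '${action}' on IPA object has failed."
      fi
      ;;
    missing-cmd)
      msg="command ${status} missing or can not be executed."
      ;;
    *)
      # previously the message was built but never shown before exiting
      printf '%s\n' "Unexpected action '${action}' with function message()" >&2
      exit 1
      ;;
  esac

  # printf with a quoted argument: a path in the missing-cmd message must not
  # be glob-expanded or word-split the way an unquoted echo would do
  printf '%s\n' "$msg"
}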

#
# check that the required commands are installed and executable
#
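is_commands_installed() {
  #
  # Verify that every given command is an executable file; report the first
  # missing one and exit with status 1.
  #
  # Arguments:
  #   $* - command paths, either as one whitespace-separated string or as
  #        separate arguments (both forms are accepted; the original only
  #        looked at $1, so a word-split caller lost every path but the
  #        first)
  # Returns: 0 when every command is executable; exits 1 otherwise
  #
  local commands="$*" cmd=

  # the list is a single string, so word-splitting it is intentional here
  # shellcheck disable=SC2086
  for cmd in $commands; do
    if [[ ! -x "$cmd" ]]; then
      message 'missing-cmd' "$cmd"
      exit 1
    fi
  done
  return 0
}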

#
# Obtain or destroy a Kerberos ticket-granting ticket
#
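krb_tgt() {
  #
  # Obtain (init) or destroy a Kerberos ticket-granting ticket.
  #
  # Arguments:
  #   $1 - krb_action: init | destroy
  #   $2 - operator principal (init only)
  #   $3 - operator password (init only); it is fed to kinit on stdin so it
  #        never appears on a command line or in process listings
  # Outputs: kinit/kdestroy output (stderr merged into stdout) followed by a
  #          status message
  # Returns: 0 on success; exits with the command's status on failure and
  #          with 1 on an unknown action
  #
  local krb_action="$1" op_login="$2" op_pwd="$3" retval=

  case "$krb_action" in
    init)
      # printf instead of echo: a password starting with '-n'/'-e' or
      # containing backslashes must reach kinit unchanged
      printf '%s\n' "${op_pwd}" | "$KINIT_CMD" "${op_login}" 2>&1
      # status of the last pipeline stage, i.e. kinit itself
      retval=$?
      ;;
    destroy)
      "$KDESTROY_CMD" 2>&1
      retval=$?
      ;;
    *)
      # previously the message was built but never shown before exiting
      printf '%s\n' "Unexpected krb_action '${krb_action}' with function krb_tgt()" >&2
      exit 1
      ;;
  esac

  message "$krb_action" "$retval"

  if [[ "$retval" -ne 0 ]]; then
    exit "$retval"
  fi
  return 0
}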

#
# Add user to FreeIPA
#
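ipa_add_user() {
  #
  # Create a FreeIPA user. On failure the TGT is destroyed and the script
  # exits with the ipa command's status.
  #
  # Arguments:
  #   $1 - login
  #   $2 - first name
  #   $3 - last name
  #   $4 - initial password, fed to 'ipa user-add' on stdin (never on argv)
  # Outputs: ipa output (stderr merged into stdout) followed by a status
  #          message
  # Returns: 0 on success; exits with ipa's status on failure
  #
  local login="$1" firstname="$2" lastname="$3" password="$4" retval=

  # printf instead of echo: a password starting with '-n'/'-e' or containing
  # backslashes must reach ipa unchanged.
  # NOTE(review): 'ipa user-add' only prompts for (and reads) a password when
  # invoked with --password; confirm the piped value is actually consumed.
  printf '%s\n' "${password}" \
    | "$IPA_CMD" user-add "${login}" --first="${firstname}" --last="${lastname}" 2>&1
  # status of the last pipeline stage, i.e. ipa itself
  retval=$?

  message 'user-add' "$retval"

  if [[ "$retval" -ne 0 ]]; then
    krb_tgt destroy
    exit "$retval"
  fi
  return 0
}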

#
# Add user to admins group
#
ipa_group_add_admins() {
  #
  # Add a user to the FreeIPA 'admins' group.
  #
  # Arguments:
  #   $1 - login of the user to add
  # Outputs: ipa output (stderr merged into stdout) followed by a status
  #          message
  # Returns: 0 on success; on failure destroys the TGT and exits with ipa's
  #          status
  #
  local login="$1"
  local retval=

  $IPA_CMD group-add-member admins --users="${login}" 2>&1
  retval=$?
  message 'group-add-member' "$retval"

  # success: nothing else to do
  [[ "$retval" -eq 0 ]] && return "$retval"

  # failure: do not leave the operator's ticket behind
  krb_tgt destroy
  exit "$retval"
}

#
# Delete user from FreeIPA
#
ipa_del_user() {
  #
  # Delete a user from FreeIPA.
  #
  # Arguments:
  #   $1 - login of the user to delete
  # Outputs: ipa output (stderr merged into stdout) followed by a status
  #          message
  # Returns: 0 on success; on failure destroys the TGT and exits with ipa's
  #          status
  #
  local login="$1"
  local retval=

  $IPA_CMD user-del "${login}" 2>&1
  retval=$?
  message 'user-del' "$retval"

  # success: nothing else to do
  [[ "$retval" -eq 0 ]] && return "$retval"

  # failure: do not leave the operator's ticket behind
  krb_tgt destroy
  exit "$retval"
}

#
# Main
#

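# Quoted on purpose: is_commands_installed word-splits its argument itself.
# Unquoted, the list was passed as separate arguments and only the first
# command (kinit) was ever checked.
is_commands_installed "$USED_COMMANDS"

# PT_* variables are the task parameters (Puppet task convention: one
# environment variable per parameter); the password goes to kinit on stdin.
krb_tgt init "${PT_operator_login}" "${PT_operator_password}"

case "${PT_ensure}" in
  present)
    ipa_add_user "${PT_login}" "${PT_firstname}" "${PT_lastname}" "${PT_password}"
    ipa_group_add_admins "${PT_login}"
    ;;
  absent)
    ipa_del_user "${PT_login}"
    ;;
  *)
    # previously the message was built but never shown before exiting, and
    # the ticket obtained above was left behind; destroy it like the other
    # failure paths do
    printf '%s\n' "Unexpected ensure value '${PT_ensure}'" >&2
    krb_tgt destroy
    exit 1
    ;;
esac

krb_tgt destroy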