RHEL 7에서 LDAP 사용자를 삭제한 후 정리하는 방법은 무엇입니까?

Question

내 솔루션은 사용자가 삭제될 때 스크립트를 수동으로 실행하고, 삭제 시 호스트 연결이 끊길 경우를 대비해 cron 작업이 각 호스트에서 정기적으로 스크립트를 실행하도록 하는 것이었습니다. 내 스크립트:

#!/bin/bash

purge() { # usage: purge <USER_NAME> <USER_ID>
    local USER_NAME=$1
    local USER_ID=$2
    if loginctl | awk '{print $2}' | grep -q $USER_ID
    then
        loginctl kill-user $USER_ID
    fi
    /usr/sbin/sss_cache -u $USER_NAME
    rm -rf /home/$USER_NAME
    rm -f /var/lib/AccountsService/users/$USER_NAME
    USERS_PURGED=true
    {
        sleep 10
        if loginctl | awk '{print $2}' | grep -q $USER_ID
        then
            loginctl terminate-user $USER_ID
        fi
        pkill -u $USER_ID
        echo "Purged user $USER_NAME" | systemd-cat -t ldap-cleanup
    } &
}

# Require root
if [ "$UID" != 0 ]
then
    >&2 echo "Please run this script as root."
    exit 1
fi

# Get LDAP users
LDAP_RESULT=$(ldapsearch -x -LLL uid=* uid uidNumber)
if [[ $? != 0 ]]
then
    >&2 echo "LDAP query failed"
    exit 1
fi

declare -A LDAP_USERS
LDAP_USER_NAMES=($(echo "$LDAP_RESULT" | sed -n 's/uid: //p'))
LDAP_UIDS=($(echo "$LDAP_RESULT" | sed -n 's/uidNumber: //p'))
if [[ ${#LDAP_USER_NAMES[@]} != ${#LDAP_UIDS[@]} ]]
then
    # This shouldn't happen
    >&2 echo "LDAP user name and UID arrays are different lengths!"
    exit 1
fi

for i in ${!LDAP_USER_NAMES[@]}
do
    LDAP_USERS["${LDAP_USER_NAMES[$i]}"]="${LDAP_UIDS[$i]}"
done

# Check local users against LDAP users
HOME_DIRS=$(ls -n /home | tail -n +2 )
LOCAL_USER_NAMES=($(echo "$HOME_DIRS" | awk '{print $9}'))
LOCAL_UIDS=($(echo "$HOME_DIRS" | awk '{print $3}'))
for i in ${!LOCAL_USER_NAMES[@]}
do
    USER_NAME=${LOCAL_USER_NAMES[$i]}
    USER_ID=${LOCAL_UIDS[$i]}
    if [[ ! ${LDAP_USERS[$USER_NAME]+x} ]]
    then
        if ! grep -q "^${USER_NAME}:" /etc/passwd
        then
            # Defunct LDAP user (user not in /etc/passwd nor LDAP)
            purge $USER_NAME $USER_ID
        fi
    elif [[ $USER_ID != ${LDAP_USERS[$USER_NAME]} ]]
    then
        if ! grep -q "^${USER_NAME}:" /etc/passwd
        then
            # Recreated LDAP user (different UID)
            purge $USER_NAME $USER_ID
        else
            >&2 echo "User ${USER_NAME} has a different UID in LDAP: local UID: $USER_ID, LDAP: ${LDAP_USERS[$USER_NAME]}"
        fi
    fi
done

if [ "$USERS_PURGED" = true ]
then
    # This should clean up the gdm user selection screen
    systemctl restart sssd
    systemctl restart accounts-daemon
fi

나는 그것이 훌륭하다고 말하는 것이 아니지만 그것은 내 필요에 충분합니다. 모든 사용자의 홈 디렉토리가 /home에 있다고 가정합니다.

Answer 1

내 솔루션은 사용자가 삭제될 때 스크립트를 수동으로 실행하고, 삭제 시 호스트 연결이 끊길 경우를 대비해 cron 작업이 각 호스트에서 정기적으로 스크립트를 실행하도록 하는 것이었습니다. 내 스크립트:

#!/bin/bash

purge() { # usage: purge <USER_NAME> <USER_ID>
    local USER_NAME=$1
    local USER_ID=$2
    if loginctl | awk '{print $2}' | grep -q $USER_ID
    then
        loginctl kill-user $USER_ID
    fi
    /usr/sbin/sss_cache -u $USER_NAME
    rm -rf /home/$USER_NAME
    rm -f /var/lib/AccountsService/users/$USER_NAME
    USERS_PURGED=true
    {
        sleep 10
        if loginctl | awk '{print $2}' | grep -q $USER_ID
        then
            loginctl terminate-user $USER_ID
        fi
        pkill -u $USER_ID
        echo "Purged user $USER_NAME" | systemd-cat -t ldap-cleanup
    } &
}

# Require root
if [ "$UID" != 0 ]
then
    >&2 echo "Please run this script as root."
    exit 1
fi

# Get LDAP users
LDAP_RESULT=$(ldapsearch -x -LLL uid=* uid uidNumber)
if [[ $? != 0 ]]
then
    >&2 echo "LDAP query failed"
    exit 1
fi

declare -A LDAP_USERS
LDAP_USER_NAMES=($(echo "$LDAP_RESULT" | sed -n 's/uid: //p'))
LDAP_UIDS=($(echo "$LDAP_RESULT" | sed -n 's/uidNumber: //p'))
if [[ ${#LDAP_USER_NAMES[@]} != ${#LDAP_UIDS[@]} ]]
then
    # This shouldn't happen
    >&2 echo "LDAP user name and UID arrays are different lengths!"
    exit 1
fi

for i in ${!LDAP_USER_NAMES[@]}
do
    LDAP_USERS["${LDAP_USER_NAMES[$i]}"]="${LDAP_UIDS[$i]}"
done

# Check local users against LDAP users
HOME_DIRS=$(ls -n /home | tail -n +2 )
LOCAL_USER_NAMES=($(echo "$HOME_DIRS" | awk '{print $9}'))
LOCAL_UIDS=($(echo "$HOME_DIRS" | awk '{print $3}'))
for i in ${!LOCAL_USER_NAMES[@]}
do
    USER_NAME=${LOCAL_USER_NAMES[$i]}
    USER_ID=${LOCAL_UIDS[$i]}
    if [[ ! ${LDAP_USERS[$USER_NAME]+x} ]]
    then
        if ! grep -q "^${USER_NAME}:" /etc/passwd
        then
            # Defunct LDAP user (user not in /etc/passwd nor LDAP)
            purge $USER_NAME $USER_ID
        fi
    elif [[ $USER_ID != ${LDAP_USERS[$USER_NAME]} ]]
    then
        if ! grep -q "^${USER_NAME}:" /etc/passwd
        then
            # Recreated LDAP user (different UID)
            purge $USER_NAME $USER_ID
        else
            >&2 echo "User ${USER_NAME} has a different UID in LDAP: local UID: $USER_ID, LDAP: ${LDAP_USERS[$USER_NAME]}"
        fi
    fi
done

if [ "$USERS_PURGED" = true ]
then
    # This should clean up the gdm user selection screen
    systemctl restart sssd
    systemctl restart accounts-daemon
fi

나는 그것이 훌륭하다고 말하는 것이 아니지만 그것은 내 필요에 충분합니다. 모든 사용자의 홈 디렉토리가 /home에 있다고 가정합니다.

RHEL 7에서 LDAP 사용자를 삭제한 후 정리하는 방법은 무엇입니까?

답변1

관련 정보