Use personal credentials to access the AD

93e1a3f9 · Haarst, Jan van · d4534597 · 93e1a3f9
Commit 93e1a3f9 authored Feb 22, 2021 by Haarst, Jan van
--- a/create_new_user.sh
+++ b/create_new_user.sh
@@ -2,32 +2,42 @@
 set -o nounset
 set -o errexit

+if [ -z "${1-}" ] || [ -z "${SUDO_USER-}" ]
+then
+    echo "Usage : sudo $0 USERNAME"
+    exit 1
+fi
+
+# Variables
+NEW_USER=${1}
+ADMINPASSWORD=''
+binddn=${SUDO_USER}@wurnet.nl
+
+# Functions
+
 function ad_id_to_dn() {
-echo `ldapsearch -x -LLL -E pr=200/noprompt -H ldaps://ldap.wurnet.nl -D srv_ldap_reader@wur.nl -w ldap_reader "(&(samAccountName="$1"))" -b "dc=wurnet,dc=nl" dn | \
-  sed -e '/^$/,$d' | sed ':a;N;$!ba;s/\n //g'| awk '{$1=""; print $0}'`
+echo $(ldapsearch -x -LLL -E pr=200/noprompt -H ldaps://ldap.wurnet.nl -D "$binddn" -w "${ADMINPASSWORD}" "(&(samAccountName="$1"))" -b "dc=wurnet,dc=nl" dn | sed -e '/^$/,$d' | sed ':a;N;$!ba;s/\n //g'| awk '{$1=""; print $0}')
 }

 function ad_id_to_mail() {
-  TERM=mail 
-  echo $(ldapsearch -x -LLL -E pr=200/noprompt -H ldaps://ldap.wurnet.nl -D srv_ldap_reader@wur.nl -w ldap_reader "(&(samAccountName="$1"))" -b "dc=wurnet,dc=nl" $TERM | \
-  grep $TERM | cut -f 2 -d':') 
+  TERM=mail
+  echo $(ldapsearch -x -LLL -E pr=200/noprompt -H ldaps://ldap.wurnet.nl -D "$binddn" -w "${ADMINPASSWORD}" "(&(samAccountName="$1"))" -b "dc=wurnet,dc=nl" $TERM | grep $TERM | cut -f 2 -d':')
 }

 function ad_id_to_name() {
-  TERM=cn 
-  echo $(ldapsearch -x -LLL -E pr=200/noprompt -H ldaps://ldap.wurnet.nl -D srv_ldap_reader@wur.nl -w ldap_reader "(&(samAccountName="$1"))" -b "dc=wurnet,dc=nl" $TERM | \
-  grep $TERM | cut -f 2 -d':') | awk -F, '{ print $2 " " $1 }' | sed 's/^ *//g'
+  TERM=cn
+  echo $(ldapsearch -x -LLL -E pr=200/noprompt -H ldaps://ldap.wurnet.nl -D "$binddn" -w "${ADMINPASSWORD}" "(&(samAccountName="$1"))" -b "dc=wurnet,dc=nl" $TERM | grep $TERM | cut -f 2 -d':') | awk -F, '{ print $2 " " $1 }' | sed 's/^ *//g'
 }

 function add_to_ad_group() {
  binddn=${SUDO_USER}@wurnet.nl
  # If changing this, als change DN
-  # Lookup with 
+  # Lookup with
  # ldapsearch -x -LLL -E pr=200/noprompt -H ldaps://ldap.wurnet.nl -D srv_ldap_reader@wur.nl -w ldap_reader "(&(samAccountName="SERVERS_dev1_Rusr"))" -b "dc=wurnet,dc=nl" dn
-  local USERDN=$(ad_id_to_dn $1)
-  group=SERVERS_dev1_Rusr  
-  echo "Adding $1 to group $group in the AD."
-ldapmodify -x -H ldaps://ldap.wurnet.nl -D "$binddn" -w "$ADMINPASSWORD" << EOF
+  local USERDN=$(ad_id_to_dn $NEW_USER)
+  group=SERVERS_dev1_Rusr
+  echo "Adding $NEW_USER to group $group in the AD."
+ldapmodify -x -H ldaps://ldap.wurnet.nl -D "$binddn" -w "${ADMINPASSWORD}" << EOF
 dn: CN=SERVERS_dev1_Rusr,OU=dev1.ab,OU=BioInformatics,OU=NoPolicy,OU=Servers,DC=wurnet,DC=nl
 changetype: modify
 add: member
@@ -35,33 +45,28 @@ member: $USERDN
 EOF
 }

-############## Start of script

-if [ -z "${1-}" ] || [ -z "${SUDO_USER-}" ]
+# Start of script
+
+if [ -z "${ADMINPASSWORD-}" ]
 then
-    echo "Usage : sudo $0 USERNAME"
-    exit 1
+    read -sp "Enter your password for ${SUDO_USER}:" ADMINPASSWORD
 fi

-NEW_USER=${1}
-NAME=$(ad_id_to_name $1)
-MAIL=$(ad_id_to_mail $1)
+NAME=$(ad_id_to_name $NEW_USER)
+MAIL=$(ad_id_to_mail $NEW_USER)
 ADMIN_NAME=$(ad_id_to_name $SUDO_USER)

 # If the user isn't in the list yet, add her
-if $(ldapsearch -LLL -h scomp0001.wurnet.nl -x -b "DC=wurnet,DC=nl" -D 'srv_ldap_reader@wur.nl' -w ldap_reader 'memberOf=CN=SERVERS_dev1_Rusr,OU=dev1.ab,OU=BioInformatics,OU=NoPolicy,OU=Servers,DC=wurnet,DC=nl' sAMAccountName | grep sAMAccountName| cut -f2 -d ':'  | grep -q $NEW_USER) 
-then 
+if $(ldapsearch -LLL -H ldaps://ldap.wurnet.nl -x -b "DC=wurnet,DC=nl"  -D "$binddn" -w "${ADMINPASSWORD}" 'memberOf=CN=SERVERS_dev1_Rusr,OU=dev1.ab,OU=BioInformatics,OU=NoPolicy,OU=Servers,DC=wurnet,DC=nl' sAMAccountName | grep sAMAccountName| cut -f2 -d ':'  | grep -q $NEW_USER)
+then
    echo
    echo User already in AD group
-else   
-    if [ -z "${ADMINPASSWORD-}" ]
-    then 
-        read -sp "Enter your password for ${SUDO_USER}:" ADMINPASSWORD
-    fi
+else
    add_to_ad_group $NEW_USER
 fi

-# If the folders don't exist yet, create them, and set the correct permissions 
+# If the folders don't exist yet, create them, and set the correct permissions
 for dir in /mnt/scratch/${NEW_USER} /mnt/LTR_userdata/${NEW_USER} /lustre/BIF/nobackup/${NEW_USER}
 do
    if [ -d $dir ]
@@ -83,18 +88,18 @@ Hi $NAME,

 You now have access to our shared servers.
 We share these servers with a couple of groups, these are :
- Bioscience, Applied bioinformatics
- Chairgroup of bioinformatics
+- Bioscience, Applied Bioinformatics
+- Chairgroup of Bioinformatics
 - Chairgroup of Nematology
 - Chairgroup of Genetics
 - Host-Microbe Interactomics

 You should be able to log in to all our machines via ssh using you WUR account.
-From a wired connection within the WUR all machines should be available directly, 
-from outside of the WUR or via WiFi you first need to log on to a machine that is connected to the internet, 
+From a wired connection within the WUR all machines should be available directly,
+from outside of the WUR or via WiFi you first need to log on to a machine that is connected to the internet,
 for instance www.bioinformatics.nl (AKA myers.bioinformatics.nl) and then you can use SSH to connect to the other machines.

-If you type a wrong password consecutively three times connecting to www.bioinformatics.nl you will be blocked for a day (manual override is possible), 
+If you type a wrong password consecutively three times connecting to www.bioinformatics.nl you will be blocked for a day (manual override is possible),
 so you should consider using ssh-key based authentication.

 Your home directory is shared across all machines, it must contain no more than 10 GB.
@@ -109,7 +114,8 @@ and
 Scratch and lustre are for temporary data, LTR_userdata is for data that should be backed up.
 (Lustre is also accessable on HPC/Anunna)

-You have your own directory on these as well. Try to keep your data storage within reasonable limits, there should/will be hard limits in the future.
+You have your own directory on these as well. Try to keep your data storage within reasonable limits.
+
 Make sure to not claim a complete machine for a long time in terms of CPUs or memory without notice, we do not use a scheduling agent like on the HPC/Anunna.

 The machines run Ubuntu. You can ask us to install some software if it is available in one of the repositories through apt, more ‘manual’ installations should be done by yourself.
@@ -139,3 +145,4 @@ For questions and remarks it is best to use sysop@bioinformatics.nl
 Bye,
 $ADMIN_NAME
 EOF
+