Commit 93e1a3f9 authored by Haarst, Jan van's avatar Haarst, Jan van

Use personal credentials to access the AD

parent d4534597
......@@ -2,32 +2,42 @@
set -o nounset
set -o errexit
if [ -z "${1-}" ] || [ -z "${SUDO_USER-}" ]
then
echo "Usage : sudo $0 USERNAME"
exit 1
fi
# Variables
NEW_USER=${1}
ADMINPASSWORD=''
binddn=${SUDO_USER}@wurnet.nl
# Functions
function ad_id_to_dn() {
echo `ldapsearch -x -LLL -E pr=200/noprompt -H ldaps://ldap.wurnet.nl -D srv_ldap_reader@wur.nl -w ldap_reader "(&(samAccountName="$1"))" -b "dc=wurnet,dc=nl" dn | \
sed -e '/^$/,$d' | sed ':a;N;$!ba;s/\n //g'| awk '{$1=""; print $0}'`
echo $(ldapsearch -x -LLL -E pr=200/noprompt -H ldaps://ldap.wurnet.nl -D "$binddn" -w "${ADMINPASSWORD}" "(&(samAccountName="$1"))" -b "dc=wurnet,dc=nl" dn | sed -e '/^$/,$d' | sed ':a;N;$!ba;s/\n //g'| awk '{$1=""; print $0}')
}
function ad_id_to_mail() {
TERM=mail
echo $(ldapsearch -x -LLL -E pr=200/noprompt -H ldaps://ldap.wurnet.nl -D srv_ldap_reader@wur.nl -w ldap_reader "(&(samAccountName="$1"))" -b "dc=wurnet,dc=nl" $TERM | \
grep $TERM | cut -f 2 -d':')
TERM=mail
echo $(ldapsearch -x -LLL -E pr=200/noprompt -H ldaps://ldap.wurnet.nl -D "$binddn" -w "${ADMINPASSWORD}" "(&(samAccountName="$1"))" -b "dc=wurnet,dc=nl" $TERM | grep $TERM | cut -f 2 -d':')
}
function ad_id_to_name() {
TERM=cn
echo $(ldapsearch -x -LLL -E pr=200/noprompt -H ldaps://ldap.wurnet.nl -D srv_ldap_reader@wur.nl -w ldap_reader "(&(samAccountName="$1"))" -b "dc=wurnet,dc=nl" $TERM | \
grep $TERM | cut -f 2 -d':') | awk -F, '{ print $2 " " $1 }' | sed 's/^ *//g'
TERM=cn
echo $(ldapsearch -x -LLL -E pr=200/noprompt -H ldaps://ldap.wurnet.nl -D "$binddn" -w "${ADMINPASSWORD}" "(&(samAccountName="$1"))" -b "dc=wurnet,dc=nl" $TERM | grep $TERM | cut -f 2 -d':') | awk -F, '{ print $2 " " $1 }' | sed 's/^ *//g'
}
function add_to_ad_group() {
binddn=${SUDO_USER}@wurnet.nl
# If changing this, als change DN
# Lookup with
# Lookup with
# ldapsearch -x -LLL -E pr=200/noprompt -H ldaps://ldap.wurnet.nl -D srv_ldap_reader@wur.nl -w ldap_reader "(&(samAccountName="SERVERS_dev1_Rusr"))" -b "dc=wurnet,dc=nl" dn
local USERDN=$(ad_id_to_dn $1)
group=SERVERS_dev1_Rusr
echo "Adding $1 to group $group in the AD."
ldapmodify -x -H ldaps://ldap.wurnet.nl -D "$binddn" -w "$ADMINPASSWORD" << EOF
local USERDN=$(ad_id_to_dn $NEW_USER)
group=SERVERS_dev1_Rusr
echo "Adding $NEW_USER to group $group in the AD."
ldapmodify -x -H ldaps://ldap.wurnet.nl -D "$binddn" -w "${ADMINPASSWORD}" << EOF
dn: CN=SERVERS_dev1_Rusr,OU=dev1.ab,OU=BioInformatics,OU=NoPolicy,OU=Servers,DC=wurnet,DC=nl
changetype: modify
add: member
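Review bot: Every ldapsearch in ad_id_to_dn, ad_id_to_mail and ad_id_to_name, and the ldapmodify in add_to_ad_group, now pass the admin's personal AD password as `-w "${ADMINPASSWORD}"`, which puts it on the command line where any local user of these shared hosts can read it from the process list (and it lands in any `set -x` trace); the old hardcoded `-w ldap_reader` had the same exposure but leaked only a shared read-only service credential. The OpenLDAP tools accept `-y passfile`, so the usual fix is a `mktemp` file cleaned up by `trap`, written once after the prompt in the next hunk with `printf '%s' "$ADMINPASSWORD" > "$PASSFILE"` (no trailing newline, because `-y` uses the file's complete contents), and `-y "$PASSFILE"` in place of every `-w`; the `ldapsearch ... -w "${ADMINPASSWORD}"` on the memberOf check in the next hunk needs the same treatment. Separately, the filter `"(&(samAccountName="$1"))"` interpolates the argument unescaped, so a username containing `*`, `(` or `)` changes the query; checking `NEW_USER` against `^[A-Za-z0-9._-]+$` right after the usage test would close that. add_to_ad_group's heredoc continues into the next hunk.
```shell
# Hand the password to the ldap tools through a 0600 temp file (-y) instead of argv
PASSFILE=$(mktemp) || exit 1
chmod 600 "$PASSFILE"
trap 'rm -f -- "$PASSFILE"' EXIT
binddn=${SUDO_USER}@wurnet.nl
function ad_id_to_dn() {
  echo $(ldapsearch -x -LLL -E pr=200/noprompt -H ldaps://ldap.wurnet.nl -D "$binddn" -y "$PASSFILE" "(&(samAccountName="$1"))" -b "dc=wurnet,dc=nl" dn | sed -e '/^$/,$d' | sed ':a;N;$!ba;s/\n //g'| awk '{$1=""; print $0}')
}
# … unchanged: ad_id_to_mail, ad_id_to_name and the ldapmodify in add_to_ad_group, each with -y "$PASSFILE" in place of -w "${ADMINPASSWORD}" …
```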
......@@ -35,33 +45,28 @@ member: $USERDN
EOF
}
############## Start of script
if [ -z "${1-}" ] || [ -z "${SUDO_USER-}" ]
# Start of script
if [ -z "${ADMINPASSWORD-}" ]
then
echo "Usage : sudo $0 USERNAME"
exit 1
read -sp "Enter your password for ${SUDO_USER}:" ADMINPASSWORD
fi
NEW_USER=${1}
NAME=$(ad_id_to_name $1)
MAIL=$(ad_id_to_mail $1)
NAME=$(ad_id_to_name $NEW_USER)
MAIL=$(ad_id_to_mail $NEW_USER)
ADMIN_NAME=$(ad_id_to_name $SUDO_USER)
# If the user isn't in the list yet, add her
if $(ldapsearch -LLL -h scomp0001.wurnet.nl -x -b "DC=wurnet,DC=nl" -D 'srv_ldap_reader@wur.nl' -w ldap_reader 'memberOf=CN=SERVERS_dev1_Rusr,OU=dev1.ab,OU=BioInformatics,OU=NoPolicy,OU=Servers,DC=wurnet,DC=nl' sAMAccountName | grep sAMAccountName| cut -f2 -d ':' | grep -q $NEW_USER)
then
if $(ldapsearch -LLL -H ldaps://ldap.wurnet.nl -x -b "DC=wurnet,DC=nl" -D "$binddn" -w "${ADMINPASSWORD}" 'memberOf=CN=SERVERS_dev1_Rusr,OU=dev1.ab,OU=BioInformatics,OU=NoPolicy,OU=Servers,DC=wurnet,DC=nl' sAMAccountName | grep sAMAccountName| cut -f2 -d ':' | grep -q $NEW_USER)
then
echo
echo User already in AD group
else
if [ -z "${ADMINPASSWORD-}" ]
then
read -sp "Enter your password for ${SUDO_USER}:" ADMINPASSWORD
fi
else
add_to_ad_group $NEW_USER
fi
# If the folders don't exist yet, create them, and set the correct permissions
# If the folders don't exist yet, create them, and set the correct permissions
for dir in /mnt/scratch/${NEW_USER} /mnt/LTR_userdata/${NEW_USER} /lustre/BIF/nobackup/${NEW_USER}
do
if [ -d $dir ]
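Review bot: The group-membership test that decides whether add_to_ad_group runs still ends in `grep -q $NEW_USER`, which is an unanchored regex substring match on the cut output, so a user `jan` is reported as already in the group when only `janssen` is a member and the add is silently skipped; the commit rewrote this line for the personal bind but kept the match. An exact, case-insensitive match against the LDIF line is one change: replace `grep sAMAccountName| cut -f2 -d ':' | grep -q $NEW_USER` with `grep -qixF -- "sAMAccountName: $NEW_USER"`. With `ADMINPASSWORD=''` set at the top of the file, the `-z "${ADMINPASSWORD-}"` test here appears to always prompt, which looks intended (no password from the environment) but deserves a one-line comment such as `# Always prompt; the password is never taken from the environment` so the dead-looking test is not "fixed" later. The for loop at the end of this hunk continues past it.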
......@@ -83,18 +88,18 @@ Hi $NAME,
You now have access to our shared servers.
We share these servers with a couple of groups, these are :
- Bioscience, Applied bioinformatics
- Chairgroup of bioinformatics
- Bioscience, Applied Bioinformatics
- Chairgroup of Bioinformatics
- Chairgroup of Nematology
- Chairgroup of Genetics
- Host-Microbe Interactomics
You should be able to log in to all our machines via ssh using you WUR account.
From a wired connection within the WUR all machines should be available directly,
from outside of the WUR or via WiFi you first need to log on to a machine that is connected to the internet,
From a wired connection within the WUR all machines should be available directly,
from outside of the WUR or via WiFi you first need to log on to a machine that is connected to the internet,
for instance www.bioinformatics.nl (AKA myers.bioinformatics.nl) and then you can use SSH to connect to the other machines.
If you type a wrong password consecutively three times connecting to www.bioinformatics.nl you will be blocked for a day (manual override is possible),
If you type a wrong password consecutively three times connecting to www.bioinformatics.nl you will be blocked for a day (manual override is possible),
so you should consider using ssh-key based authentication.
Your home directory is shared across all machines, it must contain no more than 10 GB.
......@@ -109,7 +114,8 @@ and
Scratch and lustre are for temporary data, LTR_userdata is for data that should be backed up.
(Lustre is also accessable on HPC/Anunna)
You have your own directory on these as well. Try to keep your data storage within reasonable limits, there should/will be hard limits in the future.
You have your own directory on these as well. Try to keep your data storage within reasonable limits.
Make sure to not claim a complete machine for a long time in terms of CPUs or memory without notice, we do not use a scheduling agent like on the HPC/Anunna.
The machines run Ubuntu. You can ask us to install some software if it is available in one of the repositories through apt, more ‘manual’ installations should be done by yourself.
......@@ -139,3 +145,4 @@ For questions and remarks it is best to use sysop@bioinformatics.nl
Bye,
$ADMIN_NAME
EOF