Find LDAP groups with obsolete users
OpenLDAP has a nice "feature": it does not enforce referential integrity, so a group's member entries stay in place even after the user entry they point to has been deleted. Really handy! The problem is that if you, say, have a user in the "Domain Admins" group, delete that account, and some normal user later comes along with the same username, the new account silently inherits the old membership and ends up with unexpected elevated privileges.
So I created a script that I run weekly. It finds group members that no longer exist as users and sends me a report; it also tells me which groups are empty.
This relies on my toolbox... Find it here.
#!/usr/bin/perl
use strict;
use warnings;
require "/path/to/subs.pl";   # toolbox: genDate, ldapBindAnon, getUserList, getGroupList, ...

my %groups;    # group name => [ members ]
my %invalid;   # group name => [ members that no longer exist as users ]
my @output;
my $admin = "somebody\@example.com";
my $date  = genDate();

ldapBindAnon();
my @userList  = getUserList();
my @groupList = getGroupList();

# Exact-match lookup of existing users. A regex match against the member name
# would let an existing "bobby" vouch for a deleted "bob".
my %userExists = map { ($_ => 1) } @userList;

foreach my $group (@groupList) {
    @{ $groups{$group} } = getGroupMembers($group);
    foreach my $member (@{ $groups{$group} }) {
        push @{ $invalid{$group} }, $member unless $userExists{$member};
    }
}

# Report: one block per group that still lists deleted users
foreach my $invalidGroup (sort keys %invalid) {
    push @output, "$invalidGroup\n";
    foreach my $member (@{ $invalid{$invalidGroup} }) {
        push @output, "\t$member\n";
    }
    push @output, "\n";
}

# Groups with no members at all
foreach my $group (@groupList) {
    push @output, "$group has no members\n" unless @{ $groups{$group} };
}

my $subject = "Group Cleanup Report for $date";
sendMailToUser($admin, $admin, "", "", $subject, @output);
unbindLdap();
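If you do not have the toolbox, the same check can be run over plain LDIF from ldapsearch. The script below is an added example, not the author's code: it parses user and group LDIF text, flags members with no matching user entry and groups with no members, and uses an exact lookup rather than a pattern match. The LDIF it contains is constructed sample data, and it assumes posixGroup memberUid values and/or groupOfNames member DNs.

```perl
# Added example, not the author's toolbox script. Audits LDIF text such as the
# output of "ldapsearch -x -LLL" (one attribute per line; continuation lines
# and base64 values are not handled). The LDIF below is constructed sample data.
use strict;
use warnings;

# Parse LDIF into a list of hashes: lowercase attribute name => [values].
sub parse_ldif {
    my ($text) = @_;
    my (@entries, $cur);
    for my $line (split /\n/, $text) {
        if ($line eq '') { push @entries, $cur if $cur; undef $cur; next }
        next if $line =~ /^#/ || $line =~ /^[^:]+::/;   # comments, base64 values
        my ($attr, $val) = $line =~ /^([^:]+):\s*(.*)$/ or next;
        $cur ||= {};
        push @{ $cur->{lc($attr)} }, $val;
    }
    push @entries, $cur if $cur;
    return @entries;
}
# "uid=bob,ou=People,dc=example,dc=com" -> "bob"; a bare memberUid is returned as-is.
sub member_uid { my ($v) = @_; return $v =~ /^uid=([^,]+)/i ? $1 : $v }

# Returns (\%stale, \@empty): members with no user entry, per group, and groups
# with no members. Assumes posixGroup memberUid and/or groupOfNames member values.
sub audit_groups {
    my ($user_ldif, $group_ldif) = @_;
    my %exists = map { ($_->{uid}[0] => 1) } grep { defined $_->{uid} } parse_ldif($user_ldif);
    my (%stale, @empty);
    for my $g (parse_ldif($group_ldif)) {
        my $name    = $g->{cn}[0] // $g->{dn}[0];
        my @members = map { member_uid($_) } @{ $g->{memberuid} || [] }, @{ $g->{member} || [] };
        push @empty, $name unless @members;
        # exact hash lookup, not a regex match: "bobby" must not vouch for a deleted "bob"
        my @missing = grep { !$exists{$_} } @members;
        $stale{$name} = \@missing if @missing;
    }
    return (\%stale, \@empty);
}

my $users  = "dn: uid=alice,ou=People,dc=example,dc=com\nuid: alice\n\n"
           . "dn: uid=bobby,ou=People,dc=example,dc=com\nuid: bobby\n";
my $groups = "dn: cn=Domain Admins,ou=Groups,dc=example,dc=com\ncn: Domain Admins\n"
           . "memberUid: alice\nmemberUid: bob\n\n"
           . "dn: cn=staff,ou=Groups,dc=example,dc=com\ncn: staff\n"
           . "member: uid=bobby,ou=People,dc=example,dc=com\n\n"
           . "dn: cn=legacy,ou=Groups,dc=example,dc=com\ncn: legacy\n";
my ($stale, $empty) = audit_groups($users, $groups);
for my $g (sort keys %$stale) { print "$g\n"; print "\t$_\n" for @{ $stale->{$g} } }
print "$_ has no members\n" for @$empty;
```

On the sample data it reports "bob" as a stale member of Domain Admins (only "bobby" still exists) and "legacy" as an empty group.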