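#!/bin/bash
##### reinitialisation ldap des cn=machine #####
# licence GPL
# auteur : denis bonnenfant 6/02/2008
##
# $Id: reset-internet.sh 3280 2008-10-12 20:40:29Z dbo $
##
# Nightly reset of the LDAP "destinationIndicator" attribute (internet access
# rights) on computer entries (cn=...) and user entries (uid=...).  Normally
# run from cron.
#
# Usage : reset-internet.sh [utilisateur|machine]
#   Optional argument: one login or one machine name.  Without it every entry
#   is processed (LDAP wildcard "*").  The argument is inserted verbatim into
#   the LDAP search filters, so the caller (cron / administrator) is trusted
#   to pass a plain name.
#
# Environment:
#   SE3LOG - log file used when the SE3 config file is unreadable
#            (defaults to stderr when unset).
# Reads:
#   /var/www/se3/includes/config.inc.php  - MySQL credentials
#   table `params` in that database        - LDAP layout and admin credentials
#
# Credentials are handed to mysql/ldapsearch/ldapmodify through private
# temporary files (--defaults-extra-file / -y) instead of command-line
# arguments, so they are not exposed in `ps` output or `set -x` traces.

set -u

readonly CONF_FILE=/var/www/se3/includes/config.inc.php
# Placeholder member used when a "parc" group must be created (groupOfNames
# requires at least one member).
readonly DUMMY_MEMBER_CN=ordi-bidon

#######################################
# Print the help text and exit 0.
#######################################
usage() {
  echo "Script d'initialisation des enregistrements ldap cn=machine "
  echo "normalement exécuté en tache cron"
  echo "Usage : reset-internet.sh [utilisateur|machine]"
  echo "--help cette aide"
  exit
}

#######################################
# Extract one "$key=" value from config.inc.php.
# Field rules: text between the first and second '=' of every matching line,
# then the text between the first pair of double quotes.
# Globals:   CONF_FILE (read)
# Arguments: $1 - key (dbhost, dbname, dbuser, dbpass)
# Outputs:   the value on stdout (empty when absent)
#######################################
conf_value() {
  grep -- "$1=" "$CONF_FILE" | cut -d = -f 2 | cut -d '"' -f 2
}

#######################################
# Run one SQL statement and print the result rows without column headers.
# Globals:   mycnf, dbname (read)
# Arguments: $1 - SQL statement
#######################################
mysql_query() {
  printf '%s\n' "$1" | mysql --defaults-extra-file="$mycnf" -N "$dbname"
}

#######################################
# Load one row of the `params` table into a global variable, aborting with
# the original error message when it is empty.
# Arguments: $1 - name of the global variable to set
#            $2 - value of params.name (a literal from this script)
# Returns:   exits 1 when the parameter is missing or empty
#######################################
require_param() {
  local value
  value=$(mysql_query "SELECT value FROM params WHERE name='$2'")
  if [[ -z "$value" ]]; then
    echo "Impossible d'accéder au paramètre $1" >&2
    exit 1
  fi
  printf -v "$1" '%s' "$value"
}

#######################################
# ldapsearch as the LDAP admin, LDIF output without comments/version.
# Globals:   ADMINRDN, BASEDN, ldappw (read)
# Arguments: $1 - search base RDN (BASEDN is appended)
#            $2 - LDAP filter
#            $@ - attributes to return
#######################################
ldap_search() {
  local base=$1 filter=$2
  shift 2
  ldapsearch -xLLL -D "$ADMINRDN,$BASEDN" -y "$ldappw" -b "$base,$BASEDN" "$filter" "$@"
}

#######################################
# Print the values of one attribute, one per line (first space-separated
# token after "attr:", as the original grep|cut pipeline did).
# Arguments: $1 - search base RDN, $2 - filter, $3 - attribute name
#######################################
ldap_attr() {
  ldap_search "$1" "$2" "$3" | grep -i "^$3:" | cut -d ' ' -f 2
}

#######################################
# ldapmodify as the LDAP admin; LDIF is read from stdin, output discarded.
# Globals:   ADMINRDN, BASEDN, ldappw (read)
#######################################
ldap_modify() {
  ldapmodify -x -D "$ADMINRDN,$BASEDN" -y "$ldappw" > /dev/null
}

#######################################
# Add or replace destinationIndicator on one entry and print a progress dot.
# Arguments: $1 - full DN, $2 - "add" | "replace", $3 - new value
#######################################
set_indicator() {
  local dn=$1 op=$2 value=$3
  ldap_modify <<EOF
dn: $dn
changetype: modify
$op: destinationIndicator
destinationIndicator: $value
EOF
  printf '.'
}

#######################################
# Create the "parc" group cn=$1 under PARCSRDN when it does not exist yet.
# Globals:   PARCSRDN, COMPUTERSRDN, BASEDN (read)
# Arguments: $1 - parc name (portables_profs, portables_eleves, ...)
#######################################
ensure_parc() {
  local name=$1
  [[ -n "$(ldap_attr "$PARCSRDN" "(cn=$name)" cn)" ]] && return 0
  ldap_modify <<EOF
dn: cn=$name,$PARCSRDN,$BASEDN
changetype: add
cn: $name
objectClass: groupOfNames
member: cn=$DUMMY_MEMBER_CN,$COMPUTERSRDN,$BASEDN
EOF
}

#######################################
# Reset the access rights of every ipHost entry matching cn=$nom.
# Entries without destinationIndicator get "intranet:intranet:tous"; laptops
# in a portables_* parc get the parc's fixed profile; every other machine
# keeps its (validated) profile with the time slot reset to intranet:tous.
# Globals:   nom, COMPUTERSRDN, PARCSRDN, BASEDN (read)
#######################################
reset_machines() {
  local machine droit_m profil parc descr
  echo "raz machines"
  while IFS= read -r machine; do
    [[ -n "$machine" ]] || continue
    droit_m=$(ldap_attr "$COMPUTERSRDN" "(&(objectClass=ipHost)(cn=$machine))" destinationIndicator)
    if [[ -z "$droit_m" ]]; then
      set_indicator "cn=$machine,$COMPUTERSRDN,$BASEDN" add "intranet:intranet:tous"
      continue
    fi
    # first ':'-separated field = profile; anything unknown falls back to intranet
    profil=${droit_m%%:*}
    case "$profil" in
      intranet|internet-cours|internet-pause|internet-soir|internet|total) ;;
      *) profil=intranet ;;
    esac
    # which portables_* parc(s) list this machine as member (may be several
    # lines, in which case no fixed profile applies)
    parc=$(ldap_attr "$PARCSRDN" "(member=cn=$machine,$COMPUTERSRDN,$BASEDN)" cn | grep '^portables_')
    case "$parc" in
      portables_profs)    descr="internet:internet:tous" ;;
      portables_eleves)   descr="internet-pause:internet-pause:tous" ;;
      portables_internes) descr="internet-soir:internet-soir:tous" ;;
      # toutes les autres machines : on se base sur les scripts de login
      *)                  descr="$profil:intranet:tous" ;;
    esac
    if [[ "$droit_m" != "$descr" ]]; then
      set_indicator "cn=$machine,$COMPUTERSRDN,$BASEDN" replace "$descr"
    fi
  done < <(ldap_attr "$COMPUTERSRDN" "(&(objectClass=ipHost)(cn=$nom))" cn)
}

#######################################
# Reset the access rights of every user entry matching uid=$nom.
# Missing attribute -> "eleve:aucun:tous"; pupils keep a permanent ("tous")
# slot but a "cours*" slot is reset to intranet:tous; staff get
# internet:tous; unknown profiles become eleve:aucun:tous.
# Globals:   nom, PEOPLERDN, BASEDN (read)
#######################################
reset_users() {
  local user droit_u profil acces plage descr
  echo "raz utilisateurs"
  while IFS= read -r user; do
    [[ -n "$user" ]] || continue
    droit_u=$(ldap_attr "$PEOPLERDN" "(uid=$user)" destinationIndicator)
    if [[ -z "$droit_u" ]]; then
      set_indicator "uid=$user,$PEOPLERDN,$BASEDN" add "eleve:aucun:tous"
      continue
    fi
    # profil:acces:plage ; a trailing "_" swallows any extra fields
    IFS=: read -r profil acces plage _ <<<"$droit_u"
    case "$profil" in
      eleve)
        case "$plage" in
          tous) ;;            # acces permanent !
          cours*) acces=intranet; plage=tous ;;
        esac
        ;;
      prof|administratif|admin)
        acces=internet
        plage=tous
        ;;
      *)
        profil=eleve
        acces=aucun
        plage=tous
        ;;
    esac
    descr="$profil:$acces:$plage"
    if [[ "$droit_u" != "$descr" ]]; then
      set_indicator "uid=$user,$PEOPLERDN,$BASEDN" replace "$descr"
    fi
  done < <(ldap_attr "$PEOPLERDN" "(uid=$nom)" uid)
}

#######################################
# Entry point: parse the argument, load credentials, ensure the parcs exist,
# then reset machines and users.
# Globals (written): nom, dbhost, dbname, dbuser, dbpass, tmpdir, mycnf,
#   ldappw, BASEDN, COMPUTERSRDN, PEOPLERDN, PARCSRDN, ADMINRDN, ADMINPW
# Returns:   1 when the config file or a required parameter is unavailable
#######################################
main() {
  if [[ "${1-}" == "--help" || "${1-}" == "-h" ]]; then
    usage
  fi
  # réinitialisation des droits d'accès à internet : doit être executé la nuit
  # argument optionnel : un nom (login ou nom machine) ; sinon toutes les entrées
  nom=${1:-*}

  if [[ ! -e "$CONF_FILE" ]]; then
    echo "Fichier de conf inaccessible" >> "${SE3LOG:-/dev/stderr}"
    exit 1
  fi
  dbhost=$(conf_value dbhost)
  dbname=$(conf_value dbname)
  dbuser=$(conf_value dbuser)
  dbpass=$(conf_value dbpass)

  # Private directory for the credential files; removed whatever the exit path.
  umask 077
  tmpdir=$(mktemp -d) || { echo "Impossible de créer le répertoire temporaire" >&2; exit 1; }
  trap 'rm -rf -- "$tmpdir"' EXIT
  mycnf=$tmpdir/my.cnf
  ldappw=$tmpdir/ldap.pw

  # my.cnf quoted values honour backslash escapes, so escape '\' and '"'.
  local pw_escaped=${dbpass//\\/\\\\}
  pw_escaped=${pw_escaped//\"/\\\"}
  printf '[client]\nhost=%s\nuser=%s\npassword="%s"\n' "$dbhost" "$dbuser" "$pw_escaped" > "$mycnf"

  #
  # Recuperation des params LDAP
  #
  require_param BASEDN ldap_base_dn
  require_param COMPUTERSRDN computersRdn
  require_param PEOPLERDN peopleRdn
  require_param PARCSRDN parcsRdn
  require_param ADMINRDN adminRdn
  require_param ADMINPW adminPw
  # ldap* -y reads the file verbatim: no trailing newline.
  printf '%s' "$ADMINPW" > "$ldappw"

  # on verifie l'existence des parcs portables_profs, portables_eleves et
  # portables_internes
  ensure_parc portables_profs
  ensure_parc portables_eleves
  ensure_parc portables_internes

  reset_machines
  reset_users
}

main "$@"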