On Mon, Aug 19, 2019 at 01:33:31PM +0000, Mike Gabriel wrote:
> On Mo 19 Aug 2019 12:56:11 CEST, Petter Reinholdtsen wrote:
> > Note, I have no idea why slapcat is used in the script to locate hosts:
> >
> > # cleanup from leftover host principals and keytab file:
> > for i in $(basename -a /etc/debian-edu/host-keytabs/* | sed
> > 's#.intern.keytab##') ; do
> >   if slapcat | grep $i | grep -q dhcp ; then
> >     :
> >   else
> >     kadmin.local delprinc host/$i.intern@INTERN
> >     kadmin.local delprinc nfs/$i.intern@INTERN
> >     rm /etc/debian-edu/host-keytabs/$i.intern.keytab
> >   fi
> > done
>
> Using slapcat here is wrong, it should be proper LDAP db queries with
> specific search pattern.
Maybe this would be better:
# cleanup from leftover host principals and keytab file:
# (sed on one line: the mail wrap split the command from its argument;
#  dots escaped and anchored so only the literal suffix is stripped)
for i in $(basename -a /etc/debian-edu/host-keytabs/* | sed 's#\.intern\.keytab$##') ; do
  # no dhcpHost object with this cn in LDAP -> the host is gone, clean up
  if [ "" = "$(ldapsearch -xLLL "(&(objectclass=dhcpHost)(cn=$i))")" ] ; then
    kadmin.local delprinc "host/$i.intern@INTERN"
    kadmin.local delprinc "nfs/$i.intern@INTERN"
    rm "/etc/debian-edu/host-keytabs/$i.intern.keytab"
  fi
done
Works for me, expert feedback appreciated.
> > I have no idea why Wolfgang decided to use slapcat instead of ldapsearch
> > here. Perhaps to make sure he is operating on the local LDAP database,
> > or because he did not have the LDAP connection details available in the
> > script?
I wasn't aware of possible drawbacks like the ones Mike reported.
> IMHO, the LDAP db will answer anonymous queries just right when it comes to
> DHCP hosts.
Yes, seems to be so, see the proposed change above.
Wolfgang
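The same cleanup written out in full, as an added example that is neither the Debian Edu script nor the patch proposed in this thread. It keeps the ldapsearch approach but adds the two things a reviewer would ask for: the filter value is escaped per RFC 4515 before it goes into the query, and "no dhcpHost entry" is kept apart from "the lookup failed", because a bare [ "" = "$(ldapsearch ...)" ] test also sees empty output when the LDAP server is unreachable and would then delete every host. Assumptions taken from the thread: a host is a dhcpHost object whose cn is the short hostname, the principals are host/<h>.intern@INTERN and nfs/<h>.intern@INTERN, and keytabs sit in /etc/debian-edu/host-keytabs/<h>.intern.keytab. The command names are variables (LDAPSEARCH, KADMIN) so the logic can be exercised against stub functions without a KDC; delprinc -force is used to skip kadmin's interactive confirmation.

```shell
#!/bin/sh
# Added example, not the Debian Edu script and not the patch proposed above.
# Stale host-principal cleanup driven by an ldapsearch lookup. Assumptions
# (taken from the thread): a host is a dhcpHost object whose cn is the short
# hostname, principals are host/<h>.intern@INTERN and nfs/<h>.intern@INTERN,
# keytabs live in /etc/debian-edu/host-keytabs/<h>.intern.keytab.
# Command names are variables so a test can point them at stub functions.

KEYTAB_DIR="${KEYTAB_DIR:-/etc/debian-edu/host-keytabs}"
DOMAIN="${DOMAIN:-intern}"
REALM="${REALM:-INTERN}"
LDAPSEARCH="${LDAPSEARCH:-ldapsearch}"
KADMIN="${KADMIN:-kadmin.local}"

# RFC 4515 escaping for a value placed inside a search filter, so a stray
# '*', '(', ')' or '\' in a filename cannot widen the query to other hosts.
ldap_filter_escape() {
    printf '%s' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# Short hostname from a keytab path: strip the directory and the literal
# ".<domain>.keytab" suffix (no regex, so the dots cannot match anything else).
keytab_hostname() {
    name=$(basename "$1")
    suffix=".$DOMAIN.keytab"
    hn=${name%"$suffix"}
    printf '%s\n' "$hn"
}

# Exit status: 0 = host has a dhcpHost entry, 1 = no entry, 2 = lookup failed.
# Separating 1 from 2 is the point: a bare [ "" = "$(ldapsearch ...)" ] test
# also sees empty output when the server is unreachable and would then
# delete every host.
host_in_dhcp() {
    cn=$(ldap_filter_escape "$1")
    out=$("$LDAPSEARCH" -xLLL "(&(objectClass=dhcpHost)(cn=$cn))" cn) || return 2
    [ -n "$out" ] && return 0
    return 1
}

# Delete both principals and the keytab of one host. -force skips the
# interactive confirmation kadmin's delprinc would otherwise ask for.
drop_host() {
    "$KADMIN" -q "delprinc -force host/$1.$DOMAIN@$REALM"
    "$KADMIN" -q "delprinc -force nfs/$1.$DOMAIN@$REALM"
    rm -f "$KEYTAB_DIR/$1.$DOMAIN.keytab"
}

# Walk the keytab directory. Returns 2 and stops, deleting nothing further,
# as soon as a lookup fails.
cleanup_stale_hosts() {
    for f in "$KEYTAB_DIR"/*."$DOMAIN".keytab; do
        [ -e "$f" ] || continue            # empty directory: glob stays literal
        h=$(keytab_hostname "$f")
        host_in_dhcp "$h" && rc=0 || rc=$?
        case $rc in
            0) echo "keep   $h" ;;
            1) echo "delete $h"; drop_host "$h" ;;
            *) echo "ldapsearch failed for $h, aborting cleanup" >&2; return 2 ;;
        esac
    done
}

# Run the cleanup only when invoked as "sh cleanup.sh run".
if [ "${1:-}" = run ]; then
    cleanup_stale_hosts
fi
```

Run as "sh cleanup.sh run" on the main server; with the defaults it queries the local LDAP anonymously exactly as the proposal above does. If the directory is ever moved behind authentication, only LDAPSEARCH needs to change (for example to a wrapper that adds -Y EXTERNAL -H ldapi:///), and a failing bind then stops the run instead of emptying the KDC.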