hi,

so this is a working version of the script (tested on my test IPA
environment).

You save it as executable and run it as:

$./script ipausername

and you will get the group names a user is a member of, separated by a
space.

modify the obvious bits, like kdc.domain.tld, user and password, and base.
You also need the perl-LDAP rpm package.

The user that binds to the LDAP server needs privileges (I do not know
exactly which ones, but as a normal user I cannot see the group
memberships). I have run it as admin and it works. Probably overkill; if
the user you use is a member of the role 'user administrators' it should work
as well. Not tested.


#!/usr/bin/perl

use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Script requires user UID as the only parameter
# (check the count first so a missing argument does not trigger an
# "uninitialized value" warning)
if ( @ARGV != 1 or $ARGV[0] eq '' ) {
    print "ldap-query.pl requires one argument, user's uid\n";
    exit 1;
}

my $user = $ARGV[0];

# Create communication structure for LDAP connection
my $ldap = Net::LDAP->new( 'kdc.domain.tld' ) or die "$@";

# Bind to LDAP with proper user, and stop if the bind is refused
my $msg = $ldap->bind(
    "uid=admin,cn=users,cn=accounts,dc=domain,dc=tld",
    password => "pwd",
);
$msg->code and die "bind failed: " . $msg->error . "\n";

# search objects filtering in uid, get memberOf attribute only.
# The uid comes straight from the command line, so escape it before
# placing it in the filter; note the option is 'attrs', not 'attr'
$msg = $ldap->search(
    base   => "cn=users,cn=accounts,dc=domain,dc=tld",
    scope  => "sub",
    filter => "(uid=" . escape_filter_value($user) . ")",
    attrs  => ['memberOf'],
);
$msg->code and die "search failed: " . $msg->error . "\n";

# get the group membership of $user and print it in a line
for my $entry ( $msg->entries ) {
    my @memberof = $entry->get_value('memberOf');

    # the memberof attr is a full dn but we only want the cn, so we
    # use the map function to strip everything else
    @memberof = map { s/^cn=(.*),cn=groups.*/$1/g; $_ } @memberof;

    # admin users or users with delegated privileges are members of groups
    # names containing spaces, we skip those. If this is not what you want,
    # you need to adapt the for loop
    for ( @memberof ) {
        next if /(replication |add |host|uniqueid|unlock |manage |trust )/;
        print "$_ ";
    }
    print "\n";
}

have fun!

-- 
groet,
natxo
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
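As an added example that is not part of natxo's post or of the FreeIPA project, the Python below does the two string-handling steps of the script offline, with no directory server needed: escaping the command-line uid before it is placed in the LDAP filter (RFC 4515; the Perl equivalent is Net::LDAP::Util's escape_filter_value) and reducing memberOf DNs to group names with the post's skip list. It generalizes the script's map step slightly: DNs outside cn=groups (roles, privileges) are dropped instead of being printed in full. The DN layout is the one from the post; the memberOf values and uids are constructed.

```python
"""Added example (not natxo's script): escape an untrusted uid for an LDAP
filter and reduce memberOf DNs to group names, the way the Perl script does.

Assumed DN layout (from the post): cn=<group>,cn=groups,cn=accounts,dc=domain,dc=tld
The memberOf samples in demo() are constructed, not taken from a real server.
"""
import re
from typing import Iterable, List

# RFC 4515 section 3: characters that must be escaped inside an assertion
# value, so a caller-supplied string cannot change the filter's structure.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an untrusted string for use as an LDAP filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def uid_filter(uid: str) -> str:
    """Build the (uid=...) filter the script uses, with the uid escaped."""
    return "(uid=" + escape_filter_value(uid) + ")"


# The same role/privilege markers the Perl script skips with 'next if'.
_SKIP = re.compile(r"(replication |add |host|uniqueid|unlock |manage |trust )")

# cn=<name>,cn=groups,... -> <name>. Attribute types in a DN are
# case-insensitive, so match them that way.
_GROUP_DN = re.compile(r"^cn=(.*?),cn=groups,", re.IGNORECASE)


def group_names(memberof: Iterable[str]) -> List[str]:
    """Reduce memberOf DNs to plain group names.

    DNs that are not under cn=groups (roles, privileges) are dropped; names
    matching the post's skip list are dropped as well.
    """
    names = []
    for dn in memberof:
        m = _GROUP_DN.match(dn)
        if not m:
            continue  # role / privilege entry, not a group
        name = m.group(1)
        if _SKIP.search(name):
            continue
        names.append(name)
    return names


def demo() -> dict:
    """Run both steps over constructed input and return the results."""
    # Constructed memberOf values in the post's DN layout.
    memberof = [
        "cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=tld",
        "cn=webadmins,cn=groups,cn=accounts,dc=domain,dc=tld",
        "cn=trust admins,cn=groups,cn=accounts,dc=domain,dc=tld",
        "cn=User Administrator,cn=roles,cn=accounts,dc=domain,dc=tld",
    ]
    return {
        "plain": uid_filter("natxo"),
        # A uid containing filter metacharacters stays a literal value.
        "hostile": uid_filter("*)(uid=admin"),
        "groups": group_names(memberof),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The skip list is kept verbatim from the post so the output matches the script for ordinary group DNs; the only behavioural difference is that role and privilege DNs are filtered out by location rather than printed as full DNs.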