I use this to replicate my LDAP groups from FreeIPA into SGE ACLs. It seems to work pretty well so far. It runs as a cron job every minute or so. Depending on your directory server, you may have to change the members line to reflect the way your DS handles groups (memberUid, uniqueMember, etc.). It does not handle group deletion yet; for instance, if you delete a group from LDAP, the corresponding SGE list does not get blasted.
-Brian

#!/bin/bash
# Mirror LDAP groups into SGE user lists (ACLs). Intended to run from cron.

groupbase="cn=groups,cn=accounts,dc=rc,dc=usf,dc=edu"
ldaphost="ldap://ipa.example.com"
ldapsearch="ldapsearch -LLL -H ${ldaphost} -b ${groupbase} -x"

# Scratch file: use mktemp instead of a predictable /tmp/.<group>.<pid> name,
# since this runs as a privileged cron job and /tmp is world-writable.
tmpfile=$(mktemp) || exit 1
trap 'rm -f "$tmpfile"' EXIT

# Get the list of LDAP groups. Only groups whose description carries an
# ":owner" or ":desc" tag are mirrored.
groups=$($ldapsearch '(cn=*)' cn description |
    awk '/^cn:/ { cn = $NF } /^description:/ && /{[ ]*:(owner|desc)/ { print cn }')

# Existing SGE user lists, one name per line.
acls=$(qconf -sul)

for group in $groups; do
    # Member DNs look like uid=jdoe,cn=users,cn=accounts,...; keep only the uid.
    # Change "member" to memberUid, uniqueMember, etc. for other directory servers.
    members=$($ldapsearch "(cn=$group)" member |
        awk '/^member:/ { print $NF }' | sed 's/^uid=//;s/,.*$//')
    [ -z "$members" ] && continue
    # SGE wants a comma-separated entries line; unquoted echo joins the
    # newline-separated uids with spaces first.
    entries=$(echo $members | tr ' ' ',')

    # Exact whole-line match: the original [[ "$acls" =~ "$group" ]] substring
    # test treats "ops" as present when only "devops" exists, so qconf -Mu is
    # then run against a list that does not exist.
    if printf '%s\n' "$acls" | grep -qxF "$group"; then
        # Keep the existing list definition up to the entries line, then
        # append the fresh membership and modify the list in place.
        qconf -su "$group" | sed -n '/^entries/q;p' > "$tmpfile"
        echo "entries $entries" >> "$tmpfile"
        qconf -Mu "$tmpfile"
    else
        # No list yet: create it as an ACL/DEPT list with the LDAP members.
        cat > "$tmpfile" <<EOF
name $group
type ACL DEPT
fshare 100
oticket 0
entries $entries
EOF
        qconf -Au "$tmpfile"
    fi
done

On Thu, 2013-04-11 at 15:55 -0400, Robert Kirchgessner wrote:
> Is there any existing projects or functionality that would enable
> fine-grained access control based on LDAP user groups or properties?
> Restricting queue access based on user would be sufficient
>
>
> Thank you.
> _______________________________________________
> users mailing list
> [email protected]
> https://gridengine.org/mailman/listinfo/users
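Brian's post notes that the sync script does not yet handle group deletion. The following is an added example, not part of his script or of the SGE distribution: a deletion pass that works out which SGE user lists no longer have a matching LDAP group and removes them with qconf -dul. The set of protected list names (arusers, deadlineusers, defaultdepartment) is an assumption standing in for whatever lists your site created by hand, and the two input lists are constructed sample data; in production they would come from the same ldapsearch pipeline as the sync script and from qconf -sul.

```bash
#!/bin/bash
# Added example, not part of Brian's script: a deletion pass for the case he
# mentions, where a group removed from LDAP leaves its SGE user list behind.
# Both inputs are newline-separated names; in production they would come from
# the same ldapsearch pipeline as the sync script and from 'qconf -sul'.

# User lists that SGE ships with, or that were created by hand. These have no
# LDAP counterpart and must never be removed. (Assumed set; extend as needed.)
protected='arusers
deadlineusers
defaultdepartment'

# Print the SGE lists (arg 2) that have no LDAP group (arg 1) and are not
# protected. grep -x -F compares whole lines as fixed strings, so "ops" does
# not count as present just because "devops" exists.
stale_acls() {
    local ldap_groups="$1" sge_lists="$2" keep
    keep=$(mktemp) || return 1
    printf '%s\n%s\n' "$ldap_groups" "$protected" > "$keep"
    printf '%s\n' "$sge_lists" | grep -vxF -f "$keep" | sort
    rm -f "$keep"
}

# Delete each stale list with 'qconf -dul'. Set QCONF="echo qconf" for a dry
# run that only prints what would be removed.
remove_stale_acls() {
    local ldap_groups="$1" sge_lists="$2" list
    stale_acls "$ldap_groups" "$sge_lists" | while IFS= read -r list; do
        [ -n "$list" ] || continue
        ${QCONF:-qconf} -dul "$list"
    done
}

# Constructed sample data standing in for the live directory and SGE state.
sample_ldap_groups='hpc_admins
bio_lab
physics'
sample_sge_lists='arusers
bio_lab
chem_lab
deadlineusers
defaultdepartment
physics
hpc_admins
old_project'

# Dry run over the sample: chem_lab and old_project are stale, the protected
# lists and the three live groups are kept.
QCONF="echo qconf" remove_stale_acls "$sample_ldap_groups" "$sample_sge_lists"
```

Run it once with QCONF="echo qconf" against the real qconf -sul output before letting cron call it for real: any list that shows up in the dry run and was not created by the sync script belongs in the protected set, not in the deletion pass.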
