HCoop / hcoop / zz_old / misc / scripts.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Add uidNumber to LDAP entries
[hcoop/zz_old/misc/scripts.git] / create-user
1 #!/bin/bash -ex
2
3 # MUST be executed:
4 # - on deleuze
5 # - as a user with an /etc/sudoers line
6 # - member of wheel unix group
7 # - while holding tickets for a user who can 'ssh -K' to mire
8 # - while holding tokens for a user who is:
9 # - a member of system:administrator
10 # - listed in 'bos listusers deleuze'
11
12 USER=$1
13
14 if test -z "$USER"; then
15 echo "Invoke as create-user <USERNAME>"
16 exit 1
17 fi
18
19
20 #
21 # Kerberos principals
22 # (creat kerberos principals: fred, fred/cgi, fred/mailfilter)
23 #
24
25 # We use -randkey for user's main principal as well, to make sure that
26 # the creation process does not continue without having a main
27 # principal. (But you who want to set password for a user, don't
28 # worry - we'll invoke cpw later, so that it has the same effect
29 # as setting password right now - while it is more error tolerant).
30
31 sudo kadmin.local -p root/admin -q "ank -policy user -randkey $USER@HCOOP.NET"
32 sudo kadmin.local -p root/admin -q "ank -policy mailfilter -randkey $USER/mailfilter@HCOOP.NET"
33 sudo kadmin.local -p root/admin -q "ank -policy cgi -randkey $USER/cgi@HCOOP.NET"
34
35
36 #
37 # Create AFS users corresponding to krb5 principals.
38 # (fred/cgi principal == fred.cgi AFS user)
39 #
40
41 pts cu $USER || true
42 ID=`pts examine $USER | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
43 pts cu $USER.mailfilter $ID_MF || true
44 ID_MF=`pts examine $USER.mailfilter | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
45 pts cu $USER.cgi || true
46 ID_CGI=`pts examine $USER.cgi | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
47
48
49 #
50 # Construct various paths for later perusal.
51 #
52
53 # (If it's not clear, for user fred, PATHBITS = f/fr/fred)
54 PATHBITS=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER
55 HOMEPATH=/afs/hcoop.net/user/$PATHBITS
56 MAILPATH=/afs/hcoop.net/common/email/$PATHBITS
57 DBPATH=/afs/hcoop.net/common/databases/$PATHBITS
58 PGDIR=$DBPATH/postgres
59 MYSQLDIR=$DBPATH/mysql
60
61
62 #
63 # Create LDAP entries. (With the whole libnss-ptdb, I kind of
64 # lost the idea of what I want to do with LDAP, but we'll
65 # see with time how well it integrates...)
66 # The ID returned from AFS is important here, we want to make
67 # sure those IDs match.
68 #
69
70 # USER entry
71 echo "
72 dn: uid=$USER,ou=People,dc=hcoop,dc=net
73 objectClass: top
74 objectClass: person
75 objectClass: posixAccount
76 cn: $USER
77 uid: $USER
78 uidNumber: $ID
79 gidNumber: $ID
80 homeDirectory: $HOMEPATH
81 sn: $USER
82 host: abulafia
83 host: mire
84
85 dn: cn=$USER,ou=Group,dc=hcoop,dc=net
86 objectClass: top
87 objectClass: posixGroup
88 cn: $USER
89 gidNumber: $ID
90 memberUid: $USER
91 " | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
92
93 # USER.mailfilter entry
94 echo "
95 dn: uid=$USER.mailfilter,ou=People,dc=hcoop,dc=net
96 objectClass: top
97 objectClass: person
98 objectClass: posixAccount
99 cn: $USER.mailfilter
100 uid: $USER.mailfilter
101 uidNumber: $ID_MF
102 gidNumber: $ID_MF
103 homeDirectory: $HOMEPATH
104 sn: $USER.mailfilter
105
106 dn: cn=$USER.mailfilter,ou=Group,dc=hcoop,dc=net
107 objectClass: top
108 objectClass: posixGroup
109 cn: $USER.mailfilter
110 gidNumber: $ID_MF
111 memberUid: $USER.mailfilter
112 " | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
113
114 # USER.cgi entry
115 echo "
116 dn: uid=$USER.cgi,ou=People,dc=hcoop,dc=net
117 objectClass: top
118 objectClass: person
119 objectClass: posixAccount
120 cn: $USER.cgi
121 uid: $USER.cgi
122 uidNumber: $ID_CGI
123 gidNumber: $ID_CGI
124 homeDirectory: $HOMEPATH
125 sn: $USER.cgi
126
127 dn: cn=$USER.cgi,ou=Group,dc=hcoop,dc=net
128 objectClass: top
129 objectClass: posixGroup
130 cn: $USER.cgi
131 gidNumber: $ID_CGI
132 memberUid: $USER.cgi
133 " | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
134
135
136 #
137 # Export .mailfilter and .cgi keys to a keytab file
138 #
139
140 # create a mailfilter keytab (used by /etc/exim4/get-token)
141 sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/mailfilter/$USER $USER/mailfilter@HCOOP.NET"
142
143 # create a cgi keytab
144 sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/cgi/$USER $USER/cgi@HCOOP.NET"
145
146 # Properly chown/mod keytab files (www-data must own the cgi keytab)
147 sudo chown www-data:wheel /etc/keytabs/cgi/$USER
148 sudo chown $USER:wheel /etc/keytabs/mailfilter/$USER
149 sudo chmod 440 /etc/keytabs/cgi/$USER /etc/keytabs/mailfilter/$USER
150
151 # rsync keytabs to mire
152 rsync -e ssh -a /etc/keytabs/cgi/$USER mire.hcoop.net:/etc/keytabs/cgi/$USER
153
154 #
155 # Create/mount/set-perms on user's volumes (home, mail, databases, logs)
156 #
157
158 # HOME VOLUME
159 vos examine user.$USER 2>/dev/null || \
160 vos create deleuze.hcoop.net /vicepa user.$USER -maxquota 400000
161 mkdir -p `dirname $HOMEPATH`
162 fs ls $HOMEPATH || fs mkm $HOMEPATH user.$USER
163 chown $USER $HOMEPATH
164 fs sa $HOMEPATH $USER all
165 fs sa $HOMEPATH system:anyuser rl
166
167 # Apache logs
168 mkdir -p $HOMEPATH/logs/apache
169 fs sa $HOMEPATH/logs/apache $USER.cgi rlwidk
170
171 # public_html
172 mkdir -p $HOMEPATH/public_html/
173 fs sa $HOMEPATH/public_html system:anyuser rl
174 mkdir -p $HOMEPATH/.procmail.d/
175 fs sa $HOMEPATH/.procmail.d/ system:anyuser rl
176
177 # MAIL VOLUME
178 vos examine mail.$USER 2>/dev/null || \
179 vos create deleuze.hcoop.net /vicepa mail.$USER -maxquota 400000
180 mkdir -p `dirname $MAILPATH`
181 fs ls $MAILPATH || fs mkm $MAILPATH mail.$USER
182 fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$USER
183 fs sa $MAILPATH $USER all
184 fs sa $MAILPATH $USER.mailfilter all
185
186 # DATABASE VOLUME
187 if ! vos examine db.$USER >/dev/null 2>/dev/null; then
188 mkdir -p `dirname /afs/.hcoop.net/common/.databases/$PATHBITS`
189 vos create -server afs -partition a -name db.$USER -maxquota 400000
190 fs mkmount -dir /afs/.hcoop.net/common/.databases/$PATHBITS -vol db.$USER -rw
191 vos release common.databases
192 fs sa -dir $DBPATH -acl system:postgres l
193 fs sa -dir $DBPATH -acl system:mysql l
194 fs sa -dir $DBPATH -acl system:backup rl
195 fi
196
197 # Create postgres user and tablespace placeholder within volume
198 if ! [ -d $PGDIR ]; then
199 mkdir -p $PGDIR
200 chown postgres:postgres $PGDIR
201 fs sa -dir $PGDIR -acl system:postgres write
202
203 sudo -u postgres psql -c "CREATE TABLESPACE user_$USER OWNER postgres LOCATION '$PGDIR'" template1
204 fi
205
206 # Create mysql user and databases placeholder within volume
207 mkdir -p $MYSQLDIR
208 chown mysql:mysql $MYSQLDIR
209 fs sa -dir $MYSQLDIR -acl system:mysql write
210
211
212 #
213 # Mount points for backup volumes
214 #
215
216 mkdir -p `dirname /afs/hcoop.net/old/user/$PATHBITS`
217 mkdir -p `dirname /afs/hcoop.net/old/mail/$PATHBITS`
218 fs ls /afs/hcoop.net/old/user/$PATHBITS || \
219 fs mkm /afs/hcoop.net/old/user/$PATHBITS user.$USER.backup
220 fs ls /afs/hcoop.net/old/mail/$PATHBITS || \
221 fs mkm /afs/hcoop.net/old/mail/$PATHBITS mail.$USER.backup
222
223 # technically this might not be necessary, but for good measure...
224 vos syncserv deleuze
225 vos syncvldb deleuze
226
227 # refresh volume location cache (takes ~2hrs otherwise)
228 fs checkvolumes
229 ssh mire.hcoop.net fs checkvolumes
230
231 #
232 # Finally, set password for main user's principal
233 # Aborting this operation is harmless. Just re-invoke cpw.
234 #
235 # kadmin.local doesn't report errors properly, so we have to
236 # check manually
237 #
238 sudo rm -f /tmp/kadmin.out
239 sudo kadmin.local -p root/admin -q "cpw $USER@HCOOP.NET" \
240 2>&1 | tee /tmp/kadmin.out
241 cat /tmp/kadmin.out | grep 'Password for .* changed'
242 sudo rm -f /tmp/kadmin.out
243
Miscellaneous HCoop scripts.