authorGünther Deschner <gd@samba.org>2005-03-11 12:24:24 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 10:55:59 -0500
commit04564f690f4dfbfe142c6bebc48f7f1e74f81497 (patch)
treedb336920364a3c477a2af530203ca5c98a885d78
parent198c8071b8af5d117db25b1cd2f036938594ca8b (diff)
r5743: Add perl-script to check for multiple LDAP-entries on request of Richard
Sharpe. Users may run this script after they have vampired a Windows domain controller to verify that their system has no duplicate SIDs, duplicate UIDs, etc. Guenther (This used to be commit 31bd709a41e1bfe1f269a829c30e55a9538303df)
-rwxr-xr-xexamples/misc/check_multiple_LDAP_entries.pl201
1 files changed, 201 insertions, 0 deletions
diff --git a/examples/misc/check_multiple_LDAP_entries.pl b/examples/misc/check_multiple_LDAP_entries.pl
new file mode 100755
index 0000000000..00c197ace4
--- /dev/null
+++ b/examples/misc/check_multiple_LDAP_entries.pl
@@ -0,0 +1,201 @@
+#!/usr/bin/perl -w
+# Guenther Deschner <gd@samba.org>
+#
+# check for multiple LDAP entries
+
+use strict;
+
+use Net::LDAP;
+use Getopt::Std;
+
+my %opts;
+
+if (!@ARGV) {
+ print "usage: $0 -h host -b base -D admindn -w password [-l]\n";
+ print "\tperforms checks for multiple sid, uid and gid-entries on your LDAP server\n";
+ print "\t-l adds additional checks against the local /etc/passwd and /etc/group file\n";
+ exit 1;
+}
+
+getopts('b:h:D:w:l', \%opts);
+
+my $host = $opts{h} || "localhost";
+my $suffix = $opts{b} || die "please set base with -b";
+my $binddn = $opts{D} || die "please set basedn with -D";
+my $bindpw = $opts{w} || die "please set password with -w";
+my $check_local_files = $opts{l} || 0;
+
+########################
+
+
+my ($ldap, $res);
+my (%passwd_h, %group_h);
+my $bad_uids = 0;
+my $bad_gids = 0;
+my $bad_sids = 0;
+my $ret = 0;
+
+if ($check_local_files) {
+ my @uids = `cut -d ':' -f 3 /etc/passwd`;
+ my @gids = `cut -d ':' -f 3 /etc/group`;
+
+ foreach my $uid (@uids) {
+ chomp($uid);
+ $passwd_h{$uid} = $uid;
+ }
+
+ foreach my $gid (@gids) {
+ chomp($gid);
+ $group_h{$gid} = $gid;
+ }
+}
+
+########
+# bind #
+########
+
+$ldap = Net::LDAP->new($host, version => '3');
+
+$res = $ldap->bind( $binddn, password => $bindpw);
+$res->code && die "failed to bind: ", $res->error;
+
+
+
+###########################
+# check for double sids #
+###########################
+
+print "\ntesting for multiple sambaSids\n";
+
+$res = $ldap->search(
+ base => $suffix,
+ filter => "(objectclass=sambaSamAccount)");
+
+$res->code && die "failed to search: ", $res->error;
+
+foreach my $entry ($res->all_entries) {
+
+ my $sid = $entry->get_value('sambaSid');
+
+ my $local_res = $ldap->search(
+ base => $suffix,
+ filter => "(&(objectclass=sambaSamAccount)(sambaSid=$sid))");
+
+ $local_res->code && die "failed to search: ", $local_res->error;
+ if ($local_res->count > 1) {
+ print "A SambaSamAccount with sambaSid [$sid] must exactly exist once\n";
+ print "You have ", $local_res->count, " entries:\n";
+ foreach my $loc_entry ($local_res->all_entries) {
+ printf "\t%s\n", $loc_entry->dn;
+ }
+ ++$bad_sids;
+ }
+}
+
+if ($bad_sids) {
+ $ret = -1;
+ print "You have $bad_sids bad sambaSids in your system. You might need to repair them\n";
+} else {
+ print "No multiple sambaSids found in your system\n";
+}
+
+print "-" x 80, "\n";
+
+###########################
+# check for double groups #
+###########################
+
+print "\ntesting for multiple gidNumbers\n";
+
+$res = $ldap->search(
+ base => $suffix,
+ filter => "(objectclass=posixGroup)");
+
+$res->code && die "failed to search: ", $res->error;
+
+foreach my $entry ($res->all_entries) {
+
+ my $gid = $entry->get_value('gidNumber');
+ my $dn = $entry->dn;
+
+ my $local_res = $ldap->search(
+ base => $suffix,
+ filter => "(&(objectclass=posixGroup)(gidNumber=$gid))");
+
+ $local_res->code && die "failed to search: ", $local_res->error;
+ if ($local_res->count > 1) {
+ print "A PosixGroup with gidNumber [$gid] must exactly exist once\n";
+ print "You have ", $local_res->count, " entries:\n";
+ foreach my $loc_entry ($local_res->all_entries) {
+ printf "\t%s\n", $loc_entry->dn;
+ }
+ ++$bad_gids;
+ next;
+ }
+
+ if ($check_local_files && exists $group_h{$gid}) {
+ print "Warning: There is a group in /etc/group that has gidNumber [$gid] as well\n";
+ print "This entry may conflict with $dn\n";
+ ++$bad_gids;
+ }
+}
+
+if ($bad_gids) {
+ $ret = -1;
+ print "You have $bad_gids bad gidNumbers in your system. You might need to repair them\n";
+} else {
+ print "No multiple gidNumbers found in your system\n";
+}
+
+print "-" x 80, "\n";
+
+
+###########################
+# check for double users #
+###########################
+
+print "\ntesting for multiple uidNumbers\n";
+
+$res = $ldap->search(
+ base => $suffix,
+ filter => "(objectclass=posixAccount)");
+
+$res->code && die "failed to search: ", $res->error;
+
+
+foreach my $entry ($res->all_entries) {
+
+ my $uid = $entry->get_value('uidNumber');
+ my $dn = $entry->dn;
+
+ my $local_res = $ldap->search(
+ base => $suffix,
+ filter => "(&(objectclass=posixAccount)(uidNumber=$uid))");
+
+ $local_res->code && die "failed to search: ", $local_res->error;
+ if ($local_res->count > 1) {
+ print "A PosixAccount with uidNumber [$uid] must exactly exist once\n";
+ print "You have ", $local_res->count, " entries:\n";
+ foreach my $loc_entry ($local_res->all_entries) {
+ printf "\t%s\n", $loc_entry->dn;
+ }
+ ++$bad_uids;
+ next;
+ }
+ if ($check_local_files && exists $passwd_h{$uid}) {
+ print "Warning: There is a user in /etc/passwd that has uidNumber [$uid] as well\n";
+ print "This entry may conflict with $dn\n";
+ ++$bad_uids;
+ }
+}
+
+if ($bad_uids) {
+ $ret = -1;
+ print "You have $bad_uids bad uidNumbers in your system. You might need to repair them\n";
+} else {
+ print "No multiple uidNumbers found in your system\n";
+}
+
+$ldap->unbind;
+
+exit $ret;
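Review bot: The three per-value searches (the `sambaSid=$sid`, `gidNumber=$gid` and `uidNumber=$uid` filters) interpolate attribute values read back from the directory straight into the filter string, so a value containing `(`, `)`, `*` or `\` either produces a malformed filter that makes the script die or a wildcard that matches more entries than the one being checked; wrap each value with `escape_filter_value` from Net::LDAP::Util, e.g. `filter => "(&(objectclass=sambaSamAccount)(sambaSid=" . escape_filter_value($sid) . "))"`. The same spot also needs a guard for entries that lack the attribute, since `get_value` then returns undef and the filter degenerates to `(sambaSid=)`; report and `next` on such entries before searching. Separately, the `Net::LDAP->new($host, version => '3')` call is unchecked and returns undef when the connection fails, so the following `->bind` dies with an unhelpful method-on-undef message; since `$ldap` is already declared above, write `$ldap = Net::LDAP->new($host, version => '3') or die "failed to connect to $host: $@";`. Finally, `exit $ret` with `$ret = -1` yields exit status 255 on POSIX systems, so either document that or use a small positive status such as 1.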