samba-mirror/check_multiple_LDAP_entries.pl at 571a05c64951f28c41c73541f5824458a3bba909

mirror of https://github.com/samba-team/samba.git synced 2025-01-13 13:18:06 +03:00

Günther Deschner 04564f690f r5743: Add perl-script to check for multiple LDAP-entries on request of Richard

Sharpe.

Users my run this script after they have vampired a windows domain
controller to verify their system has no double sids, double uids, etc.

Guenther
(This used to be commit 31bd709a41e1bfe1f269a829c30e55a9538303df)

2007-10-10 10:55:59 -05:00

202 lines

4.7 KiB

Perl

Executable File

Raw Blame History

 #!/usr/bin/perl -w
 # Guenther Deschner <gd@samba.org>
 #
 # check for multiple LDAP entries
 use strict;
 use Net::LDAP;
 use Getopt::Std;
 my %opts;
 if (!@ARGV) {
 	print "usage: $0 -h host -b base -D admindn -w password [-l]\n";
 	print "\tperforms checks for multiple sid, uid and gid-entries on your LDAP server\n";
 	print "\t-l adds additional checks against the local /etc/passwd and /etc/group file\n";
 	exit 1;
 }
 getopts('b:h:D:w:l', \%opts);
 my $host =   $opts{h}	|| "localhost";
 my $suffix = $opts{b}	|| die "please set base with -b";
 my $binddn = $opts{D}	|| die "please set basedn with -D";
 my $bindpw = $opts{w}	|| die "please set password with -w";
 my $check_local_files = $opts{l} || 0;
 ########################
 my ($ldap, $res);
 my (%passwd_h, %group_h);
 my $bad_uids = 0;
 my $bad_gids = 0;
 my $bad_sids = 0;
 my $ret = 0;
 if ($check_local_files) {
 	my @uids = `cut -d ':' -f 3 /etc/passwd`;
 	my @gids = `cut -d ':' -f 3 /etc/group`;
 	foreach my $uid (@uids) {
 		chomp($uid);
 		$passwd_h{$uid} = $uid;
 	}
 	foreach my $gid (@gids) {
 		chomp($gid);
 		$group_h{$gid} = $gid;
 	}
 }
 ########
 # bind #
 ########
 $ldap = Net::LDAP->new($host, version => '3');
 $res = $ldap->bind( $binddn, password => $bindpw);
 $res->code && die "failed to bind: ", $res->error;
 ###########################
 # check for double sids   #
 ###########################
 print "\ntesting for multiple sambaSids\n";
 $res = $ldap->search(
 	base => $suffix,
 	filter => "(objectclass=sambaSamAccount)");
 $res->code && die "failed to search: ", $res->error;
 foreach my $entry ($res->all_entries) {
 	my $sid = $entry->get_value('sambaSid');
 	my $local_res = $ldap->search(
 		base => $suffix,
 		filter => "(&(objectclass=sambaSamAccount)(sambaSid=$sid))");
 	$local_res->code && die "failed to search: ", $local_res->error;
 	if ($local_res->count > 1) {
 		print "A SambaSamAccount with sambaSid [$sid] must exactly exist once\n";
 		print "You have ", $local_res->count, " entries:\n";
 		foreach my $loc_entry ($local_res->all_entries) {
 			printf "\t%s\n", $loc_entry->dn;
 		}
 		++$bad_sids;
 	}
 }
 if ($bad_sids) {
 	$ret = -1;
 	print "You have $bad_sids bad sambaSids in your system. You might need to repair them\n";
 } else {
 	print "No multiple sambaSids found in your system\n";
 }
 print "-" x 80, "\n";
 ###########################
 # check for double groups #
 ###########################
 print "\ntesting for multiple gidNumbers\n";
 $res = $ldap->search(
 	base => $suffix,
 	filter => "(objectclass=posixGroup)");
 $res->code && die "failed to search: ", $res->error;
 foreach my $entry ($res->all_entries) {
 	my $gid = $entry->get_value('gidNumber');
 	my $dn  = $entry->dn;
 	my $local_res = $ldap->search(
 		base => $suffix,
 		filter => "(&(objectclass=posixGroup)(gidNumber=$gid))");
 	$local_res->code && die "failed to search: ", $local_res->error;
 	if ($local_res->count > 1) {
 		print "A PosixGroup with gidNumber [$gid] must exactly exist once\n";
 		print "You have ", $local_res->count, " entries:\n";
 		foreach my $loc_entry ($local_res->all_entries) {
 			printf "\t%s\n", $loc_entry->dn;
 		}
 		++$bad_gids;
 		next;
 	}
 	if ($check_local_files && exists $group_h{$gid}) {
 		print "Warning: There is a group in /etc/group that has gidNumber [$gid] as well\n";
 		print "This entry may conflict with $dn\n";
 		++$bad_gids;
 	}
 }
 if ($bad_gids) {
 	$ret = -1;
 	print "You have $bad_gids bad gidNumbers in your system. You might need to repair them\n";
 } else {
 	print "No multiple gidNumbers found in your system\n";
 }
 print "-" x 80, "\n";
 ###########################
 # check for double users  #
 ###########################
 print "\ntesting for multiple uidNumbers\n";
 $res = $ldap->search(
 	base => $suffix,
 	filter => "(objectclass=posixAccount)");
 $res->code && die "failed to search: ", $res->error;
 foreach my $entry ($res->all_entries) {
 	my $uid = $entry->get_value('uidNumber');
 	my $dn  = $entry->dn;
 	my $local_res = $ldap->search(
 		base => $suffix,
 		filter => "(&(objectclass=posixAccount)(uidNumber=$uid))");
 	$local_res->code && die "failed to search: ", $local_res->error;
 	if ($local_res->count > 1) {
 		print "A PosixAccount with uidNumber [$uid] must exactly exist once\n";
 		print "You have ", $local_res->count, " entries:\n";
 		foreach my $loc_entry ($local_res->all_entries) {
 			printf "\t%s\n", $loc_entry->dn;
 		}
 		++$bad_uids;
 		next;
 	}
 	if ($check_local_files && exists $passwd_h{$uid}) {
 		print "Warning: There is a user in /etc/passwd that has uidNumber [$uid] as well\n";
 		print "This entry may conflict with $dn\n";
 		++$bad_uids;
 	}
 }
 if ($bad_uids) {
 	$ret = -1;
 	print "You have $bad_uids bad uidNumbers in your system. You might need to repair them\n";
 } else {
 	print "No multiple uidNumbers found in your system\n";
 }
 $ldap->unbind;
 exit $ret;

202 lines 4.7 KiB Perl Executable File Raw Blame History

202 lines

4.7 KiB

Perl

Executable File

Raw Blame History