Python v3.5 script to compare users' home in IPA and DSEE (LDAP)

• Intro
• Design
• Usage
• Example
• Script

Intro

There are two LDAP directories {(Free)IPA and DSEE} and the task is to compare users' home mount. The idea is to integrate two LDAPs, basically retire one of them, so goal is that a user has same home in both LDAPs.

Design

This is python 3.5 script, it's to be run on FreeIPA client (see function admin_kinit), since first it gets list of all IPA users. There is option to query home of one user or all users (from IPA).
Additionally, the output can be raw or table (on the screen), and there is hidden option to create HTML file, see variable "html_output" (only for all users).

Usage

 

$ compare_ipa_dsee_home.py -h
usage: compare_ipa_dsee_home.py [-h] (-a | -u USER) [-t | -r]

Compare IPA and DSEE home (all or specific user)

optional arguments:
  -h, --help            show this help message and exit
  -a, --all             Compare home of all IPA users
  -u USER, --user USER  Compare home of specified IPA user login
  -t, --table           Output is a table on the screen
  -r, --raw             Raw output (default)

Example

This is raw output (since it's default, no need to type -r), a user has different home.

 

$ compare_ipa_dsee_home.py -u zdudic

Obtaining Kerberos ticket-granting ticket for admin (IPA Administrator)
Check if admin has kerberos ticket
OK, admin has kerberos ticket
 zdudic IPA: mystorage:/export/home/zdudic  DSEE: mystorage-dsee:/export/pool-0/home-02/zdudic

This is table output.

 

$ compare_ipa_dsee_home.py -u zdudic -t

Obtaining Kerberos ticket-granting ticket for admin (IPA Administrator)
Check if admin has kerberos ticket
OK, admin has kerberos ticket
+--------+---------------------------------------------------------------------------------+
|  User  |          IPA home              |             DSEE home                          |
+--------+--------------------------------+------------------------------------------------+
| zdudic | mystorage:/export/home/zdudic  | mystorage-dsee:/export/pool-0/home-002/zdudic  |
+--------+--------------------------------+------------------------------------------------+

This is cronjob, that creates html page (only when query all users).

 

55 15 * * * /some-path/compare_ipa_dsee_home.py -a --html >/dev/null

Script

 

#!/some-path/python3.5

# list users' IPA and DSEE home
# ------------------------------

import sys
import ldap
import argparse
import subprocess
import logging, logging.handlers
from time import gmtime, strftime
import datetime
from prettytable import PrettyTable

# variables
# Bold text: \033[1m ... \033[0m
BOLD = "\033[1m"
END = "\033[0m"
html_output = "/some-nfs-path/users_dsee_ipa_home.html" 

# -- argument work
parser = argparse.ArgumentParser(
             description="Compare IPA and DSEE home (all or specific user)",
             epilog='Brought to you by ZD')
who = parser.add_mutually_exclusive_group(required=True)
who.add_argument("-a", "--all", help="Compare home of all IPA users", action="store_true")
who.add_argument("-u", "--user", help="Compare home of specified IPA user login")
output = parser.add_mutually_exclusive_group()
output.add_argument("-t", "--table", help="Output is a table on the screen", action="store_true")
output.add_argument("-r", "--raw", help="Raw output (default)", action="store_true")
parser.add_argument("--html", help=argparse.SUPPRESS, action="store_true")
args = parser.parse_args()
allusers=args.all
user=args.user
tableoutput=args.table
rawoutput=args.raw
htmloutput=args.html

def admin_kinit():
    """
    Obtain and cache Kerberos ticket-granting ticket for admin
    admin is IPA administrator account
    """
    try:
        print("Obtaining Kerberos ticket-granting ticket for admin (IPA Administrator)")
        subprocess.call(['sudo -u admin kinit -kt /homelocal/admin/.ipa/admin.kt admin'], shell=True)
    except subprocess.CalledProcessError as err:
        print("Admin account (IPA Administrator) cannot obtain Kerberos ticket-granting ticket" )
        sys.exit("subprocess.CalledProcessError: {0}".format(err))

def admin_kerberos_ticket():
    """
    Does admin  have  valid kerberos ticket?
    """
    return True if subprocess.call(['sudo', '-u', 'admin', 'klist', '-s']) == 0 else False

def does_user_exist_in_ipa():
    """
    Check if IPA account exists
    """
    return True if subprocess.call(["sudo -u admin ipa user-find --login %s >/dev/null" % user], shell=True) == 0 else False

def get_all_ipa_users():
    """
    Get list of all IPA users
    """
    global all_ipa_users
    try:
        all_ipa_users = subprocess.check_output(['sudo -u admin ipa user-find | grep \"User login\" | awk \'{print $3}\' '], shell=True)
    except subprocess.SubprocessError as err:
        print("Can't get list of all IPA users")
        sys.exit("SubprocessError: {0}".format(err))

def get_ipa_home(user):
    """
    Get IPA home
    command:
    ipa automountkey-show default auto.home --key user --raw | tail -1 | awk '{for (i=2; i<=NF; i++) printf $i""FS}'
    """
    global user_ipa_home
    try:
        user_ipa_home = subprocess.check_output(['sudo -u admin ipa automountkey-show default auto.home --key %s --raw |tail -1 \
                                |awk \'{for (i=2; i<=NF; i++) printf $i""FS}\'' % user], shell=True)
    except subprocess.CalledProcessError as err:
        print("Can't get IPA home for %s" % user)
        sys.exit("subprocess.CalledProcessError: {0}".format(err))

def get_dsee_home(user):
    """
    Get DSEE home
    command:
    ldapsearch -LLL -h dsee-server.dom.com -x \
    -b automountmapname=auto_home,ou=some-container,dc=dom,dc=com automountKey=user \
    -o ldif-wrap=no | grep automountInformation | awk '{for (i=2; i<=NF; i++) printf $i""FS}'
    """
    global user_dsee_home 
    dsee_server = "dsee-server.dom.com"
    search_base = "ou=some-container,dc=dom,dc=com"
    try:
        user_dsee_home = subprocess.check_output(['ldapsearch -LLL -h %s -x -b automountmapname=auto_home,%s automountKey=%s \
                                -o ldif-wrap=no | grep automountInformation | awk \'{for (i=2; i<=NF; i++) printf $i""FS}\''
                                % (dsee_server, search_base, user)], shell=True)
    except subprocess.CalledProcessError as err:
        print("Can't get DSEE home for %s" % user)
        sys.exit("subprocess.CalledProcessError: {0}".format(err))

def table_output_one_user(user, ipa_home, dsee_home):
    """
    Creates a table with results for only one user
    """
    x = PrettyTable()
    x.field_names = ["User", "IPA home", "DSEE home"]
    x.add_row([user, ipa_home, dsee_home])
    print(x)

def write_to_html_file(file_name, text):
    """
    Write stdout to html file
    Arguments: file name and text
    """
    original = sys.stdout
    sys.stdout = open(file_name, 'w+')
    print("<html>")
    print(strftime("Generated on: %b %d %Y"))
    print(text)
    print("</html>")
    sys.stdout.close()
    sys.stdout = original

def raw_output(user, ipa_home, dsee_home):
    """
    Creates a raw output of result
    """
    print(BOLD + user + " IPA: " + END + ipa_home + BOLD + " DSEE: " + END + dsee_home) 

if __name__ == '__main__':

    admin_kinit()
    print("Check if admin has kerberos ticket")
    if not admin_kerberos_ticket():
        sys.exit("Admin doesn't have a kerberos ticket!")
    print("OK, admin has kerberos ticket")

    # query for only one user
    if user:
        # exit if user is not present in IPA
        if not does_user_exist_in_ipa():
            sys.exit("User %s %s %s is not present in IPA, exiting!" % (BOLD, user, END))
        get_ipa_home(user)
        get_dsee_home(user)
        if tableoutput:
            table_output_one_user(user, user_ipa_home.decode(), user_dsee_home.decode())
        elif rawoutput:
            raw_output(user, user_ipa_home.decode(), user_dsee_home.decode())
        else:  # raw is also default
            raw_output(user, user_ipa_home.decode(), user_dsee_home.decode())
        

    # query for all users
    if allusers:
        get_all_ipa_users()
        if tableoutput: 
            x = PrettyTable()
            x.field_names = ["User", "IPA home", "DSEE home"]
            x.align["User"] = "l"
            x.align["IPA home"] = "l"
            x.align["DSEE home"] = "l"
            for user in all_ipa_users.decode().split("\n"):
                get_ipa_home(user)
                get_dsee_home(user)
                x.add_row([user, user_ipa_home.decode(), user_dsee_home.decode()])
            print(x)
        elif rawoutput:
            for user in all_ipa_users.decode().split("\n"):
                get_ipa_home(user)
                get_dsee_home(user)
                raw_output(user, user_ipa_home.decode(), user_dsee_home.decode())
        elif htmloutput:  # hidden html output only for all users
            x = PrettyTable()
            x.field_names = ["User", "DSEE home", "IPA home"]
            #x.field_names = ["User", "IPA home", "DSEE home"]
            for user in all_ipa_users.decode().split("\n"):
                get_ipa_home(user)
                get_dsee_home(user)
                x.add_row([user, user_dsee_home.decode(), user_ipa_home.decode()])
                #x.add_row([user, user_ipa_home.decode(), user_dsee_home.decode()])
            write_to_html_file(html_output, x.get_html_string(attributes={"border":"1"}))
        else:  # raw is also default
            for user in all_ipa_users.decode().split("\n"):
                get_ipa_home(user)
                get_dsee_home(user)
                raw_output(user, user_ipa_home.decode(), user_dsee_home.decode())
    
sys.exit(0)



Back to the main page