BASH脚本 - OpenLDAP同步AD用户(新增)

用途:当AD中有新增用户时,可以使用此脚本进行同步

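#!/bin/bash
# Sync new users from Active Directory into OpenLDAP (add-only).
#
# For every organizationalUnit found in AD, list the users below it on both
# sides; every AD sAMAccountName that has no matching uid in OpenLDAP is
# fetched again from AD, rewritten into inetOrgPerson LDIF and added with
# ldapadd. Each added uid is written to LOGFILE.
#
# Requires: ldapsearch/ldapadd (openldap-clients), php, utf8ldif.php.
set -euo pipefail

# ---- configuration -----------------------------------------------------------
AD_DOMAIN="<Your AD's domain>"
AD_ADMIN_DN="CN=<Admin account name>,OU=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX"
AD_ADMIN_PWD="<Your admin password>"
AD_BASE_DN="DC=XXX,DC=XXX,DC=XXX"
LDAP_DOMAIN="<Your OpenLDAP's domain>"
LDAP_ADMIN_DN="cn=Manager,dc=XXX,dc=XXX,dc=XXX"
LDAP_ADMIN_PWD="<Your admin password>"
# shellcheck disable=SC2034  # kept for configuration compatibility; not used below
LDAP_BASE_DN=${AD_BASE_DN}
ADUSERNAME="^sAMAccountName: .+$"
# shellcheck disable=SC2034  # kept for configuration compatibility; not used below
LDAPUSERNAME="^uid: .+$"
SCRIPT_DIR="/root/OpenLdapShell"
LOGFILE="${SCRIPT_DIR}/OpenLdapUserChangeLog.log"

# ---- helpers -----------------------------------------------------------------

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Append one timestamped line to LOGFILE.
log() {
  printf '[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "${LOGFILE}"
}

# Escape a value for use inside an LDAP search filter (RFC 4515, section 3):
# '\' '*' '(' ')' become \5c \2a \28 \29.  Without this a sAMAccountName
# containing parentheses (AD permits them) breaks or widens the filter.
ldap_filter_escape() {
  local v=$1
  v=${v//\\/\\5c}
  v=${v//\*/\\2a}
  v=${v//\(/\\28}
  v=${v//\)/\\29}
  printf '%s' "${v}"
}

# ---- temp files and credentials ---------------------------------------------

umask 077   # everything created below (including the password files) is owner-only
WORKDIR=$(mktemp -d) || die "mktemp -d failed"
cleanup() { rm -rf -- "${WORKDIR:?}"; }
trap cleanup EXIT   # runs on normal exit, die() and signals

# Pass the bind passwords with -y (read from a file) instead of -w on the
# command line, where any local user could read them from the process list.
# -y uses the complete file content, so no trailing newline.
AD_PW_FILE="${WORKDIR}/ad.pw"
LDAP_PW_FILE="${WORKDIR}/ldap.pw"
printf '%s' "${AD_ADMIN_PWD}" > "${AD_PW_FILE}"
printf '%s' "${LDAP_ADMIN_PWD}" > "${LDAP_PW_FILE}"

# Common ldapsearch argument sets for both directories.
# -o ldif-wrap=no keeps long DNs/values on one line so they can be matched
# line by line (OpenLDAP 2.4 clients; older clients reject the option).
AD_SEARCH=(/usr/bin/ldapsearch -x -H "ldaps://${AD_DOMAIN}:636" -o ldif-wrap=no
           -D "${AD_ADMIN_DN}" -y "${AD_PW_FILE}")
LDAP_SEARCH=(/usr/bin/ldapsearch -x -H "ldaps://${LDAP_DOMAIN}" -o ldif-wrap=no
             -D "${LDAP_ADMIN_DN}" -y "${LDAP_PW_FILE}")

OU_FILE="${WORKDIR}/ou.list"
AD_USERS="${WORKDIR}/ad_users.ldif"
LDAP_USERS="${WORKDIR}/ldap_users.ldif"
UPDATE_LDIF="${WORKDIR}/update_user.ldif"

# ---- 1. list all OUs in AD ----------------------------------------------------
# Users are imported OU by OU because the whole directory is too large for one
# pass.  utf8ldif.php is expected to turn base64 "dn::" lines into plain
# "dn: " lines; only "dn: " lines are kept (one base DN per line), which also
# drops the version line, comments and the "search:/result:" trailer.
"${AD_SEARCH[@]}" -b "${AD_BASE_DN}" -L \
    "(&(objectClass=top)(objectClass=organizationalUnit))" dn \
  | php "${SCRIPT_DIR}/utf8ldif.php" \
  | /usr/bin/sed -n 's/^dn: //p' > "${OU_FILE}" \
  || die "listing OUs from ${AD_DOMAIN} failed"

# ---- 2. per OU: find users missing in OpenLDAP and add them ------------------
# The OU list is read on fd 3 so nothing in the loop body can consume it.
while IFS= read -r OU_LINE <&3; do
  [[ -n "${OU_LINE}" ]] || continue
  : > "${UPDATE_LDIF}"   # entries to add for this OU

  # AD users below this OU (-LLL: plain LDIF, no comments/version line).
  "${AD_SEARCH[@]}" -b "${OU_LINE}" -LLL \
      "(&(objectClass=organizationalPerson)(!(objectClass=computer)))" \
      dn objectClass cn description sAMAccountName uSNCreated > "${AD_USERS}" \
    || { log "AD search failed for OU: ${OU_LINE}"; continue; }

  # OpenLDAP users below the same OU; only the uid is needed for the comparison.
  "${LDAP_SEARCH[@]}" -b "${OU_LINE}" -LLL \
      "(&(objectClass=organizationalPerson))" uid > "${LDAP_USERS}" \
    || { log "OpenLDAP search failed for OU: ${OU_LINE}"; continue; }

  # Every sAMAccountName without a "uid:" line in OpenLDAP is fetched from AD.
  while IFS= read -r LINE; do
    [[ "${LINE}" =~ ${ADUSERNAME} ]] || continue
    UID_VALUE=${LINE#sAMAccountName: }
    # -F -x: the whole line as a fixed string (a uid is not a regex, and
    # "uid: bob" must not match "uid: bob.smith"); -i because uid uses
    # caseIgnoreMatch in OpenLDAP.
    if grep -Fxqi -- "uid: ${UID_VALUE}" "${LDAP_USERS}"; then
      continue
    fi
    log "OpenLdap Server Add User, UID: ${UID_VALUE}"
    # NOTE(review): the attribute list requests "email"; AD normally exposes
    # the address as "mail" -- kept from the original, confirm against the schema.
    "${AD_SEARCH[@]}" -b "${AD_BASE_DN}" -LLL \
        "(&(objectClass=organizationalPerson)(!(objectClass=computer))(sAMAccountName=$(ldap_filter_escape "${UID_VALUE}")))" \
        dn objectClass cn description sAMAccountName email uSNCreated >> "${UPDATE_LDIF}" \
      || log "AD lookup failed for UID: ${UID_VALUE}"
  done < "${AD_USERS}"

  # Rewrite the AD entries into OpenLDAP's inetOrgPerson shape, in one pass:
  #   objectClass: user                -> dropped (AD-only class)
  #   sAMAccountName: X                -> uid: X  +  userPassword: {SASL}X
  #                                       (pass-through authentication to AD)
  #   cn: X                            -> cn: X  +  sn: X
  #   objectClass: organizationalPerson-> kept  +  objectClass: inetOrgPerson
  #   uSNCreated: N                    -> employeeNumber: N
  /usr/bin/awk '
    /^objectClass: user/ { next }
    /^sAMAccountName: / {
      v = substr($0, length("sAMAccountName: ") + 1)
      print "uid: " v
      print "userPassword: {SASL}" v
      next
    }
    /^sAMAccountName:/ { sub(/^sAMAccountName:/, "uid:"); print; next }
    /^cn:/ { print; sub(/^cn:/, "sn:"); print; next }
    /^objectClass: organizationalPerson/ { print; print "objectClass: inetOrgPerson"; next }
    /^uSNCreated:/ { sub(/^uSNCreated:/, "employeeNumber:"); print; next }
    { print }
  ' "${UPDATE_LDIF}" > "${UPDATE_LDIF}.tmp"
  mv -f -- "${UPDATE_LDIF}.tmp" "${UPDATE_LDIF}"

  # Import.  -c continues after a failed entry; its diagnostics go to the log
  # instead of being discarded, and the same server the uid list came from
  # is addressed explicitly.
  if [[ -s "${UPDATE_LDIF}" ]]; then
    /usr/bin/ldapadd -c -x -H "ldaps://${LDAP_DOMAIN}" -D "${LDAP_ADMIN_DN}" \
        -y "${LDAP_PW_FILE}" -f "${UPDATE_LDIF}" > /dev/null 2>> "${LOGFILE}" \
      || log "ldapadd reported errors for OU: ${OU_LINE} (details above)"
  fi
done 3< "${OU_FILE}"

# Temp files (including the password files) are removed by the EXIT trap.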

补充:
utf8ldif.php的内容可以从此处获得
https://blog.csdn.net/yes_is_ok/article/details/103088226
