For one of my projects I needed a script that retrieves the list of active users who are members of a specific group in a Windows Server 2008 Active Directory, using LDAP.
So we have a FreeBSD or Linux box and a Windows Active Directory, we need the list of users who are members of a specific group, and we have LDAP access to the directory. The main problem was that there were nested groups inside the group, which a plain memberOf filter does not follow, so a single ldapsearch with the right parameters was not enough. The next problem was that I needed the list in the form username@DOMAIN, and finally the username part must not be longer than 20 characters (the limit of the pre-Windows 2000 logon name). Easy job?
This is what I came up with for it:
```bash
#!/usr/local/bin/bash
### An exclusion group and its file name must be listed before the group it is subtracted from
GROUP=( "Unlimited Internet" "Extended Exclusions" "Extended Internet" "Limited Internet" )
FILENAME=( "unlimited" "ext_exclusions" "extended" "limited" )
EXCLUSIONS=( "no" "no" "ext_exclusions" "no" )

# -x: simple bind (without it ldapsearch tries a SASL bind); -E pr=1000/noprompt: page through
# the results, because AD returns at most 1000 entries per search and silently stops there.
# Server (-H) and search base (-b) come from ldap.conf here. Note that "-w pass" puts the password
# both in this file and in the process list; "-y /path/to/file" (mode 0600) is the safer option.
options="-LLL -x -E pr=1000/noprompt -D ITSOL\ldap_user -w pass"
totalg=${#GROUP[*]}
totalf=${#FILENAME[*]}
if [ $totalg -ne $totalf ]
then
  echo "Error - different count in arrays!"
  exit 1
fi

# LDIF folds long values onto a following line that starts with a space; join them again
# and drop comments and blank lines, leaving only the dn: and primaryGroupToken: lines.
function unfold_ldif {
  sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' | grep -v "^#" | grep -v "^$"
}

# Groups that are direct members of the group with DN $1; collected in $2.grp2 for the next round.
function groups_from_group {
  ldapsearch $options "(&(objectClass=group)(memberof=$1))" primaryGroupToken | unfold_ldif >> "$2.grp2"
}

# Enabled users belonging to each group listed in $1.grp, appended to $1 as UPNs.
# (!(userAccountControl:1.2.840.113556.1.4.803:=2)) is a bitwise AND (LDAP_MATCHING_RULE_BIT_AND)
# against bit 2 = ACCOUNTDISABLE, i.e. it keeps only accounts that are not disabled.
function get_all_members {
  # Users whose primary group is this group: primary-group membership is not reflected in
  # memberOf, so it needs its own query keyed on the group's primaryGroupToken.
  grep "^primaryGroupToken: " "$1.grp" | sed "s/primaryGroupToken: //" | while read -r line
  do
    filter="(&(objectClass=user)(primarygroupid=$line)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    ldapsearch $options "$filter" userPrincipalName | grep "@itsol.biz" | sed "s/itsol.biz/ITSOL.BIZ/g" | cut -d ' ' -f 2 >> "$1"
  done
  # Users listed in the group's member attribute. read -r keeps backslashes, which AD uses in
  # DNs such as "CN=Smith\, John"; "dn::" lines (base64, non-ASCII names) are skipped here.
  grep "^dn: " "$1.grp" | sed "s/dn: //" | while read -r line
  do
    # Remember which groups were already expanded: AD allows circular nesting, which would
    # otherwise keep this script running forever.
    grep -qxF -- "$line" "$1.seen" 2>/dev/null && continue
    echo "$line" >> "$1.seen"
    # A DN containing ( ) * or \ would have to be escaped (RFC 4515) before use in a filter.
    ldapsearch $options "(&(objectClass=user)(memberof=$line)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" userPrincipalName | grep "@itsol.biz" | sed "s/itsol.biz/ITSOL.BIZ/g" | cut -d ' ' -f 2 >> "$1"
    groups_from_group "$line" "$1"
  done
}

for (( i = 0; i < $totalg; i++ ))
do
  : > "${FILENAME[$i]}"   # start from an empty list, not one left over from a previous run
  ldapsearch $options "(&(objectClass=group)(cn=${GROUP[$i]}))" primaryGroupToken | unfold_ldif > "${FILENAME[$i]}.grp"
  get_all_members "${FILENAME[$i]}"
  # Keep going as long as the previous round turned up further nested groups.
  while [ -s "${FILENAME[$i]}.grp2" ]
  do
    mv "${FILENAME[$i]}.grp2" "${FILENAME[$i]}.grp"
    get_all_members "${FILENAME[$i]}"
  done
  rm -f "${FILENAME[$i]}.grp" "${FILENAME[$i]}.grp2" "${FILENAME[$i]}.seen"
  # Pre-Windows 2000 logon names (sAMAccountName) are at most 20 characters, so the UPN prefix is
  # cut to that length (if the two differ in your domain, request sAMAccountName instead).
  # Truncation can make two entries identical; sort -u also keeps the list valid input for comm.
  cut -d @ -f 1 "${FILENAME[$i]}" | cut -c1-20 | sed -e 's/$/@ITSOL.BIZ/' | sort -u > "${FILENAME[$i]}.tmp"
  mv "${FILENAME[$i]}.tmp" "${FILENAME[$i]}"
  if [ "${EXCLUSIONS[$i]}" != "no" ]
  then
    # comm -23 prints the lines only in the first file; both inputs were sorted by the step above
    comm -23 "${FILENAME[$i]}" "${EXCLUSIONS[$i]}" > "${FILENAME[$i]}.tmp"
    mv "${FILENAME[$i]}.tmp" "${FILENAME[$i]}"
    rm "${EXCLUSIONS[$i]}"
  fi
done
```
After running this script you get three files, unlimited, extended and limited, each containing the list of users who are members of the groups “Unlimited Internet”, “Extended Internet” and “Limited Internet” in our Microsoft AD (the ext_exclusions file is deleted once it has been used). It is also possible to subtract the members of another group, as done for extended: that file holds all members of “Extended Internet” without the members of “Extended Exclusions”. Note: the exclusion group must be listed in the arrays before the group it is subtracted from, because its file has to exist when that group is processed.
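The script above expands the nesting client-side, which is what the .grp/.grp2 rounds are for. The following is an added example, not the script from the post, showing the pieces a practitioner would want next to it: on a Windows Server 2008 DC the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941, available since Windows Server 2003 SP2) makes the domain controller expand nested groups in a single query; the group DN is escaped per RFC 4515 before it goes into the filter, because a DN containing ( ) * or \ would otherwise break the filter or let a crafted group name change what it matches; the LDIF output is unfolded and base64-encoded values (attr:: …) are decoded; and the bind uses -x with -y instead of -w so the password stays out of ps output, with -E pr= paging past AD's 1000-entry limit. The server-side rule does not cover membership via primaryGroupID, so the primaryGroupToken query from the script is still needed for that case. LDAP_URI, BIND_DN, BIND_PW_FILE, the group and base DNs and the LDIF sample are assumed or constructed values; without LDAP_URI the pipeline runs over the sample.

```sh
#!/bin/sh
# Added example (not the post's script): server-side nested-group expansion,
# filter escaping and robust LDIF parsing for the same task. LDAP_URI, BIND_DN,
# BIND_PW_FILE, the DNs and SAMPLE_LDIF below are assumed/constructed values.
set -eu

BASE_DN='DC=itsol,DC=biz'
UPN_SUFFIX='itsol.biz'

# Escape a value for use inside a search filter (RFC 4515). Without this a group
# whose name contains ( ) * or \ breaks the filter, and a crafted group name
# could change what the filter matches. Backslash must be handled first.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Filter for enabled users that belong to group $1 directly or via any level of
# nesting. 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN (the DC walks
# the nesting itself; available since Windows Server 2003 SP2) and
# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, bit 2 = ACCOUNTDISABLE.
# Caveat: memberOf never lists a user's primary group, so accounts whose
# primaryGroupID is this group still need the post's primaryGroupToken query.
nested_active_members_filter() {
    printf '(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=%s)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' \
        "$(ldap_filter_escape "$1")"
}

# Print the values of attribute $1 from LDIF on stdin: re-join folded lines (a
# leading space continues the previous line) and decode "attr:: <base64>",
# which ldapsearch uses for non-ASCII values. Assumes a base64(1) that accepts -d.
ldif_attr_values() {
    sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' |
    while IFS= read -r line; do
        case $line in
            "$1:: "*) printf '%s\n' "${line#*:: }" | base64 -d; printf '\n' ;;
            "$1: "*)  printf '%s\n' "${line#*: }" ;;
        esac
    done
}

# Keep only UPNs in suffix $1, cut the prefix to the 20-character sAMAccountName
# limit the post refers to, upper-case the suffix and sort -u, so the result is
# de-duplicated and valid input for comm(1).
normalize_upns() {
    upper=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    while IFS= read -r line; do
        sfx=$(printf '%s' "${line##*@}" | tr '[:upper:]' '[:lower:]')
        [ "$sfx" = "$1" ] || continue
        printf '%.20s@%s\n' "${line%@*}" "$upper"
    done | sort -u
}

# Constructed sample of "ldapsearch -LLL ... userPrincipalName" output: a folded
# line, a base64-encoded value and a user from a different UPN suffix.
SAMPLE_LDIF='dn: CN=Alice Example,OU=Users,DC=itsol,DC=biz
userPrincipalName: alice@itsol.biz

dn: CN=Robert Example,OU=Users,DC=itsol,DC=biz
userPrincipalName: robert.accountholder-con
 tractor@itsol.biz

dn: CN=Jose Example,OU=Users,DC=itsol,DC=biz
userPrincipalName:: am9zw6lAaXRzb2wuYml6

dn: CN=Carol Contractor,OU=Users,DC=itsol,DC=biz
userPrincipalName: carol@partner.example'

# Normalised UPNs of the enabled members of group $1. Queries the DC when
# LDAP_URI is set; otherwise the same pipeline runs over SAMPLE_LDIF offline.
active_members() {
    filter=$(nested_active_members_filter "$1")
    if [ -n "${LDAP_URI:-}" ]; then
        # -x: simple bind; -y: password from a file (mode 0600) rather than on the
        # command line; -E pr=: page past AD's 1000-entries-per-search limit.
        ldapsearch -LLL -x -H "$LDAP_URI" -D "${BIND_DN:?}" -y "${BIND_PW_FILE:?}" \
            -E pr=1000/noprompt -b "$BASE_DN" "$filter" userPrincipalName
    else
        printf '%s\n' "$SAMPLE_LDIF"
    fi | ldif_attr_values userPrincipalName | normalize_upns "$UPN_SUFFIX"
}

active_members "CN=Unlimited Internet,OU=Groups,$BASE_DN"
```

Run as-is it prints the three normalised UPNs from the sample (the partner.example user is dropped, the folded and base64 values come out intact, and the long prefix is cut to 20 characters). Set LDAP_URI, BIND_DN and BIND_PW_FILE to query the directory instead. Because the output is sorted, it can be fed straight into comm -23 for the exclusion step exactly as the script does.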
That is all.