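====== FreeIPA Report User Groups Empty ======
**General Information**
Report User Groups that don't have any members. Of those empty user groups, also report the groups that are not in any HBAC rules. This can help track down unnecessary groups.
**Checklist**
* Distro(s): Enterprise Linux 6/7
* Other: [[http://www.unixmen.com/configure-freeipa-server-centos-7/|FreeIPA Server Installed]] (script runs there)
----
====== The Script ======
#!/bin/bash
# Name: report-usergroups-empty.sh
# Description: Report User Groups that don't have any members
# Last Modified: 2018-06-01
# Recent Changes:-Initial release
###############################################################################################
#
# Usage:   ./report-usergroups-empty.sh [-h] [-v]
# Runs on: the FreeIPA server, as a user holding (or able to obtain) an admin
#          Kerberos ticket.  Needs the 'ipa' CLI, klist/kinit, awk and grep.
# Output:  three lists on stdout -- groups with no members, the subset of
#          those that no HBAC rule references, and groups whose lookup failed.
# Exit:    0 on completion, 1 if the operator declines or IPA cannot be
#          queried, 2 on a usage error.
#
# Note: a group that is empty and in no HBAC rule may still be referenced
# elsewhere (e.g. sudo rules or roles); the report is a candidate list for
# review, not a delete list.

##### Customize These Variables #####
# IPA admin user (only used to obtain a ticket when none is cached)
admin_user="admin"
##### End of Customize Variables #####

#=====================================
# Functions; Main starts after
#=====================================

# Print the usage text.  Quoted here-doc: printed literally, no expansion.
show_usage() {
  cat <<'EOF'

==== Report: Empty User Groups ====

Description: Report user groups that don't have any members.

--Usage--
./report-usergroups-empty.sh [OPTIONS]

-OPTIONS-
-h => Display usage.
-v => Verbose; extra status output.

--Other Requirements--
-> FreeIPA admin access.

EOF
}

# Print a message to stderr and exit 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Print a status line only when -v was given.
# Globals: verbose_mode (read)
log_verbose() {
  if [[ "${verbose_mode}" == "yes" ]]; then
    printf '%s\n' "$*"
  fi
}

# Print a titled list of group names, one per line, preceded by a count.
# Arguments: $1 - list title; remaining arguments - group names (may be none)
print_group_list() {
  local title="$1"
  shift
  printf '\n>> %s: %d\n' "${title}" "$#"
  local name
  for name in "$@"; do
    printf '%s\n' "${name}"
  done
}

#=======================
# Get Script Arguments
#=======================
# Reset POSIX variable in case it has been used previously in this shell
OPTIND=1

# By default, do not output verbose
verbose_mode="no"

while getopts "hv" opt; do
  case "${opt}" in
    h)  # -h (help) argument
      show_usage
      exit 0
      ;;
    v)  # -v (verbose) argument
      verbose_mode="yes"
      ;;
    *)  # invalid argument: a usage error, so exit non-zero (previously 0)
      show_usage
      exit 2
      ;;
  esac
done
shift $((OPTIND - 1))

#===================
# Pre-checks: Make sure we have good options set
#===================
# See if we have a kerberos ticket, if not, prompt login.  A failed kinit is
# fatal: without a ticket every 'ipa' call below fails and the report would
# be empty or wrong.
if ! /usr/bin/klist -s; then
  echo ">>No kerberos ticket found for (${admin_user}), login as ${admin_user} now:"
  /usr/bin/kinit "${admin_user}" || die ">>kinit as ${admin_user} failed. Exiting..."
  echo
fi

#===================
# Main starts here
#===================
echo "======================================================"
echo "####========= Report: Empty User Groups ==========####"
echo "======================================================"
echo
echo "This script will report all user groups that don't have any members."
if [[ "${verbose_mode}" == "yes" ]]; then
  echo "Verbose: Yes"
else
  echo "Verbose: No"
fi
# printf instead of 'echo -e "...\c"': suppresses the newline portably.
printf '=>Continue?[y/n]:'
read -r run_script
if [[ "${run_script}" != "y" ]]; then
  printf '\n>>Will not run the script. Exiting...\n'
  exit 1
fi

# Get all user groups.  A failed 'group-find' (no ticket, server down) used
# to yield an empty list and a report of "0 groups"; now it is fatal.
echo ">> Getting all user groups."
group_find_output="$(ipa group-find --sizelimit=0)" \
  || die ">>'ipa group-find' failed; cannot build the group list. Exiting..."
mapfile -t all_usergroups < <(awk '/Group name/ {print $3}' <<<"${group_find_output}")

# Result lists (arrays, so names are never word-split or glob-expanded)
usergroup_nomembers=()
usergroup_nomembers_nohbac=()
usergroup_error=()

printf '>> Checking (%d) usergroups for members' "${#all_usergroups[@]}"
if [[ "${verbose_mode}" == "yes" ]]; then
  # Extra newline required if verbose messages (the line above has none)
  echo
fi

# Loop through all user groups, add ones with no members to the list
for usergroup in "${all_usergroups[@]}"; do
  if [[ "${verbose_mode}" == "yes" ]]; then
    echo "--> Usergroup: ${usergroup}"
  else
    # Not verbose, output a single '.' per usergroup search
    printf '.'
  fi

  # Query each group once and check the command's own exit status.  The
  # previous 'ipa group-show | grep' only saw grep's status, so a failed
  # lookup looked exactly like "no members" (grep exit 1) and the group was
  # listed as empty -- the wrong answer for a cleanup report.
  if ! group_info="$(ipa group-show "${usergroup}" 2>/dev/null)"; then
    log_verbose "---Warning: 'ipa group-show' failed. (${usergroup})"
    usergroup_error+=("${usergroup}")
    continue
  fi

  # Direct/indirect member users and nested member groups all count as
  # members: a group that only contains other groups is not empty.
  if grep -qE 'Member (users|groups):' <<<"${group_info}"; then
    log_verbose "---Members found."
    continue
  fi

  log_verbose "---No members. (${usergroup})"
  usergroup_nomembers+=("${usergroup}")

  # Check empty groups to see if they are in any hbac rules (the pattern
  # matches any "... Member of HBAC rule" line group-show prints).
  if ! grep -q 'Member of HBAC rule' <<<"${group_info}"; then
    # Group is NOT in any hbac rules, add to additional list
    usergroup_nomembers_nohbac+=("${usergroup}")
  fi
done

if [[ "${verbose_mode}" == "no" ]]; then
  # Terminate the line of '.' status output
  echo "[Done]"
fi

printf '\n-------------------------------------\n'
echo "---- User Groups with No Members ----"
echo "-------------------------------------"
print_group_list "User Groups with No Members" "${usergroup_nomembers[@]}"
print_group_list "User Groups with No Members AND not in any HBAC rules" "${usergroup_nomembers_nohbac[@]}"
print_group_list "User Groups whose 'ipa group-show' lookup failed" "${usergroup_error[@]}"

printf '\n==========================================\n'
echo "=- Report: Empty User Groups Completed. -="
echo "=========================================="
----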