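#!/bin/bash
# Name: audit-migration-users.sh
# Description: Audit which user accounts remain to migrate
#              passwords and get kerberos keys
# Last Updated: 2016-11-25
# Recent Changes:-initial release
################################################################
#
# Flow: confirm with the operator, list every enabled account, then ask the
# directory for each account whether Kerberos keys exist. Accounts without
# keys are appended to ${log_file}, one login per line, and a summary is
# printed.
#
# Exit status: 0 = audit completed, 1 = declined or could not start,
#              2 = audit ran but at least one account could not be checked.

# The log lists accounts that still lack Kerberos keys; keep a newly created
# log readable by the invoking user only.
umask 077

# Absolute path so every lookup uses the same binary regardless of PATH.
readonly IPA_BIN="/usr/bin/ipa"

# Log file to store users left to migrate
readonly log_file="/root/migration-scripts/audits/user-migration.log"

printf '%s\n' "This script will determine which users are left to enter their password for a kerberos key."
printf '\n>>Continue?[y/n]:'
read -r run_script
if [[ "${run_script}" != "y" ]]; then
  printf '\n>>Will not run the audit. Exiting...\n'
  exit 1
fi

# Clear log file. Stop here if it cannot be written: otherwise every later
# append would fail and the summary would count a stale or missing file.
printf '\n>>Clearing log file...\n'
if ! : > "${log_file}"; then
  printf 'ERROR: cannot write to %s\n' "${log_file}" >&2
  exit 1
fi

# Build a list of enabled accounts.
# A failed query (for example no valid credentials) must abort the audit;
# an empty result would otherwise be reported as "0 users left to migrate".
if ! user_output="$("${IPA_BIN}" user-find --sizelimit=0 --all)"; then
  printf 'ERROR: "%s user-find" failed; no audit result was produced\n' "${IPA_BIN}" >&2
  exit 1
fi

#- Remember the login from each "User login:" line (field 3),
#- and print it when the same entry's "Account disabled:" line says False.
#- Matching on whole fields keeps a login or attribute value that merely
#- contains the text "False" from being mistaken for the disabled flag.
user_list=()
while IFS= read -r login; do
  [[ -n "${login}" ]] && user_list+=("${login}")
done < <(
  awk '
    $1 == "User" && $2 == "login:"                        { username = $3 }
    $1 == "Account" && $2 == "disabled:" && $3 == "False" { print username }
  ' <<<"${user_output}"
)
total_users=${#user_list[@]}

failed_checks=0
for user_name in "${user_list[@]}"; do
  printf '>> Checking %s...\n' "${user_name}"

  # Check to see if the user has a kerberos key. A failed lookup is counted
  # separately rather than being read as "has keys".
  if ! user_details="$("${IPA_BIN}" user-show "${user_name}")"; then
    printf 'WARNING: could not look up %s; its key status is unknown\n' "${user_name}" >&2
    failed_checks=$((failed_checks + 1))
    continue
  fi
  kerberos_key="$(awk '/Kerberos keys available/ {print $4}' <<<"${user_details}")"

  # If False, add to the list of users that still need to migrate their password
  if [[ "${kerberos_key}" == "False" ]]; then
    printf -- '--> User does not have kerberos keys, adding to the list: %s\n' "${user_name}"
    printf '%s\n' "${user_name}" >> "${log_file}"
  fi
done

left_to_convert="$(wc -l < "${log_file}")"

printf '\n--------------------\n'
printf '>> Users enabled left to get kerberos keys: %s\n' "${left_to_convert}"
printf '>> Total enabled users: %s\n' "${total_users}"

# An incomplete audit must not look like a clean one.
if (( failed_checks > 0 )); then
  printf '>> Users that could not be checked: %s\n' "${failed_checks}" >&2
  exit 2
fi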