linux_wiki:freeipa_audit_user_migration

Differences

This shows you the differences between two versions of the page.

linux_wiki:freeipa_audit_user_migration [2018/06/02 23:28]
billdozor [FreeIPA Audit User Migration]
linux_wiki:freeipa_audit_user_migration [2019/05/25 23:50]
Line 1: Line 1:
-====== FreeIPA Audit User Migration ====== 
- 
-**General Information** 
- 
-Audit which user accounts remain to migrate passwords and get kerberos hashed keys in the IPA domain.  
- 
-**Checklist** 
-  * FreeIPA servers already installed/configured. 
-  * Client systems migrated 
-  * Now just monitoring user accounts getting their kerberos hashed password keys in the new FreeIPA domain. 
- 
----- 
- 
-====== The Script ====== 
- 
-Run on an IPA server to determine which accounts still need kerberos keys. 
- 
-<code bash audit-migration-users.sh> 
-#!/bin/bash 
-# Name: audit-migration-users.sh 
-# Description: Audit which user accounts remain to migrate  
-#              passwords and get kerberos keys 
-# Last Updated: 2016-11-25 
-# Recent Changes:-initial release 
-################################################################ 
- 
-echo -e "This script will determine which users are left to enter their password for a kerberos key." 
-echo -e "\n>>Continue?[y/n]:\c" 
-read run_script 
- 
-if [[ ${run_script} != "y" ]]; then 
-  echo -e "\n>>Will not run the audit. Exiting..." 
-  exit 1 
-fi 
- 
-# Log file to store hosts left to migrate 
-log_file="/root/migration-scripts/audits/user-migration.log" 
- 
-# Clear log file 
-echo -e "\n>>Clearing log file..." 
-cat /dev/null > ${log_file} 
- 
-# Build a list of enabled accounts 
-#- Find all users | grep logins and disabled status lines | 
-#- If the current line matches "False" (/False/), print the stored username (print USER), 
-#- next, store the current line's field 3 in the variable USER (USER=$3) 
-user_list=$(/usr/bin/ipa user-find --sizelimit=0 --all | grep -E "(User login|Account disabled)" | awk '/False/ { print username }; { username=$3 }') 
- 
-total_users=$(echo ${user_list} | wc -w) 
- 
-for user_name in ${user_list}; do 
- 
-  echo -e ">> Checking ${user_name}..." 
-  # Check to see if the user has a kerberos key 
-  kerberos_key="$(ipa user-show ${user_name} | awk '/Kerberos keys available/ {print $4}')" 
- 
-  # If False, add to the list of users that still need to migrate their password 
-  if [[ ${kerberos_key} == "False" ]]; then 
-    echo -e "--> User does not have kerberos keys, adding to the list: ${user_name}" 
-    echo ${user_name} >> ${log_file} 
-  fi 
- 
-done 
- 
-left_to_convert="$(cat ${log_file} | wc -l)" 
-echo -e "\n--------------------" 
-echo -e ">> Users enabled left to get kerberos keys: ${left_to_convert}" 
-echo -e ">> Total enabled users: ${total_users}" 
-</code> 
- 
----- 
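Review bot: the audit fails open in the per-user loop of audit-migration-users.sh, because `kerberos_key` is only compared against "False". If `ipa user-show ${user_name}` fails or prints nothing, the variable is empty and the account is silently counted as having keys. Likewise, if `ipa user-find` returns nothing, `user_list` is empty and the summary reports 0 users left, which reads as a finished migration. I would check the exit status of both `ipa` calls and abort on failure, and log any account whose value is not exactly "True". The redirect that clears `${log_file}` is also unchecked, so a missing /root/migration-scripts/audits/ directory produces errors while the script continues to the summary. Smaller points: `${user_name}` and `${log_file}` should be quoted where they are expanded, the comment above the `user_list` pipeline refers to USER while the awk program uses `username`, and declining the prompt exits with status 1 although nothing went wrong.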
  
  • linux_wiki/freeipa_audit_user_migration.txt
  • Last modified: 2019/05/25 23:50
  • (external edit)