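#!/bin/bash
# author derived from: damien.nozay@gmail.com
# author: Jonathan Gray
#
# Given a username, prints a space-separated list of the Active Directory
# groups the user is a member of.
#
# see http://gitolite.com/gitolite/conf.html#getting-user-group-info-from-ldap
# GROUPLIST_PGM => /path/to/ldap_groups.sh
#
# The searches below use -ZZ (StartTLS required), so the domain CA must be
# trusted: add it to /etc/openldap/ldap.conf with the TLS_CACERT option, or
# every search fails with a certificate validation error.

# Connection settings: the LDAP URIs tried (comma-separated), the bind
# account and the base DN the searches start from.
ldaphost='ldap://AD.DC1.local:3268,ldap://AD.DC2.local:3268,ldap://AD.DC3.local:3268'
ldapuser='git@domain.local'
# Bind password. This file holds a credential, so keep it readable only by the
# gitolite user; also note that passing it with `ldapsearch -w` puts it on the
# command line, where it is visible in the process list.
ldappass='super.secret.password'
binddn='dc=domain,dc=local'
# gitolite passes the user name as the first (and only) argument.
username=${1:-}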
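#######################################
# Escape a value for use inside an LDAP search filter (RFC 4515), so that
# metacharacters in a user name or DN cannot alter the filter's structure.
# Arguments: $1 - raw value
# Outputs:   escaped value on stdout (no trailing newline)
#######################################
ldap_escape_filter() {
  local v=$1
  # backslash first, so the escapes introduced below are not escaped again
  v=${v//\\/\\5c}
  v=${v//\*/\\2a}
  v=${v//\(/\\28}
  v=${v//\)/\\29}
  # NUL cannot occur in a bash string, so \00 needs no handling here
  printf '%s' "$v"
}

#######################################
# Print the space-separated list of AD groups the user is a member of,
# nested membership included.
# Globals:   ldaphost, ldapuser, ldappass, binddn, username (read);
#            ldappassfile (read, optional) - when set, the bind password is
#            read from that file with `ldapsearch -y` instead of being passed
#            on the command line with -w, where it shows up in the process list.
# Arguments: $1 - sAMAccountName to look up (optional; defaults to $username)
# Outputs:   one line on stdout: group CNs separated by spaces, with spaces
#            inside a group name replaced by '_' (gitolite splits on spaces)
# Returns:   0 on success, 1 if no DN could be resolved for the user
#######################################
ldap_groups() {
  local user=${1:-${username:-}}
  local -a ldap_args=(-ZZ -H "$ldaphost" -D "$ldapuser" -b "$binddn" -LLL -o ldif-wrap=no)
  if [[ -n ${ldappassfile:-} ]]; then
    ldap_args+=(-y "$ldappassfile")
  else
    ldap_args+=(-w "$ldappass")
  fi

  local filter usercn
  # Resolve the user's full DN first: it can live under any OU, so the search
  # runs from the base DN. Only the first matching DN is used.
  # NOTE: a base64-encoded DN ("dn:: ...") is not handled.
  filter="(sAMAccountName=$(ldap_escape_filter "$user"))"
  usercn=$(ldapsearch "${ldap_args[@]}" "$filter" | sed -n 's/^dn: //p' | head -n 1)
  if [[ -z $usercn ]]; then
    printf 'ldap_groups: no DN found for user %s\n' "$user" >&2
    return 1
  fi

  # 1.2.840.113556.1.4.1941 is a proprietary AD matching rule that makes the
  # controller resolve nested group membership server-side:
  # http://ddkonline.blogspot.com/2010/05/how-to-recursively-get-group-membership.html
  # The DN is escaped too, since it can legitimately contain '(' ')' or '\'.
  filter="(member:1.2.840.113556.1.4.1941:=$(ldap_escape_filter "$usercn"))"
  local -a groups=()
  # Keep the CN of each group DN (up to the first ','), then replace spaces
  # with '_' because gitolite expects a space-separated list.
  # NOTE: an escaped comma ("\,") inside a CN is truncated, as before.
  mapfile -t groups < <(
    ldapsearch "${ldap_args[@]}" "$filter" \
      | sed -n 's/^dn: CN=\([^,]*\),.*/\1/p' \
      | sed 's/ /_/g'
  )
  # An unquoted `echo $(...)` would also glob group names containing '*';
  # joining the array with "${groups[*]}" avoids that.
  printf '%s\n' "${groups[*]}"
}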
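# gitolite invokes this script with the user name as its only argument;
# pass the arguments through quoted so a name is never word-split or globbed.
ldap_groups "$@"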