[CentOS] LDAP useradd command?

Mon Aug 17 21:08:16 UTC 2009
Paul Heinlein <heinlein at madboa.com>

On Mon, 17 Aug 2009, Miguel Medalha wrote:

>
>> Isn't that only for samba-ldap?  Can I still use them if I am not running
>> samba?  I don't want to install and run Samba for no particular reason..
>
> It can be used to create Posix accounts only.
>
> The documentation resides here:
>
> http://download.gna.org/smbldap-tools/docs/

The samba-ldap tools are great. I don't use their mechanism to store 
the highest UID/GID in use. Instead, I use a script like the one 
below. It's interactive, but it'd be easy to modify to take command-line 
options for full name, username, etc.

----- %< -----
#!/bin/sh
#
# script for creating a new user account and its corresponding
# group account in Samba+LDAP environment using the smbldap tools
#
# ======================================================================

#
# let person running this script know what's about to happen
#
cat <<__eom__

You're about to create a new system account that allows general login
and e-mail access. You'll need to know ahead of time the new user's
preferred username and his or her full name. The system will take care
of the rest...

__eom__

#
# figure out the highest UID and GID currently in production, but
# rule out really high numbers (greater than 8000) which are typically
# assigned to pseudo accounts like "nobody."
#
AWKTEST='END { print HUID } { if (($3 > HUID) && ($3 < 8000)) HUID = $3}'
HUID=$(/usr/bin/getent passwd | /bin/gawk -F: "$AWKTEST")
HGID=$(/usr/bin/getent group  | /bin/gawk -F: "$AWKTEST")

#
# increment those UID and GID numbers by 1 for use with the new 
# account
#
HUID=$((HUID + 1))
HGID=$((HGID + 1))

#
# poll for new account holder's username and full name.
#
read -p "Username: " UNAME
read -p "Full name: " FNAME

#
# test to see if username or associated group name is already in use.
# exit now if it is. an empty username would make getent list every
# account (and so always look "in use"), so reject that first.
#
if [ -z "$UNAME" ]; then
   echo "Sorry. Username cannot be empty. Exiting now." >&2
   exit 1
fi
if /usr/bin/getent passwd "$UNAME" >/dev/null; then
   echo "" >&2
   echo "Sorry. Username $UNAME is already in use:" >&2
   /usr/bin/getent passwd "$UNAME" >&2
   echo "" >&2
   echo "Exiting now." >&2
   exit 1
fi
if /usr/bin/getent group "$UNAME" >/dev/null; then
   echo "" >&2
   echo "Sorry. Group $UNAME is already in use:" >&2
   /usr/bin/getent group "$UNAME" >&2
   echo "" >&2
   echo "Exiting now." >&2
   exit 1
fi

#
# ask the account creator to verify details of the new account. exit
# immediately if things are amiss.
#
echo
echo "Please verify the details of the new account:"
echo "============================================="
echo "Full name : $FNAME"
echo "Username  : $UNAME"
echo "UID       : $HUID"
echo "Group name: $UNAME"
echo "GID       : $HGID"
echo "============================================="
echo
read -p "Do you want to create that account [yes/No]? " ANSWER

case "$ANSWER" in
   [yY]es)
     echo
     echo "OK. Full steam ahead!"
     echo
     ;;
   [yY]*)
     echo
     echo "If you mean 'yes' then you have to type 'yes'"
     echo
     exit
     ;;
   *)
     echo
     echo "You're a cautious one. That's cool. Try again later."
     echo
     exit
     ;;
esac

#
# use the smbldap tools to create the new group account and then
# the new user account. those tools don't appear to set the Windows
# display-name attribute correctly, however, so use pdbedit for
# that task.
#
echo "Creating new group $UNAME with GID $HGID ..."
/usr/sbin/smbldap-groupadd -a -g "$HGID" "$UNAME"
echo "Creating new user $UNAME with UID $HUID ..."
/usr/sbin/smbldap-useradd -a -c "$FNAME" -g "$HGID" -u "$HUID" "$UNAME"
echo "Setting Windows display name for user $UNAME ..."
/usr/bin/pdbedit -f "$FNAME" "$UNAME"

#
# for now, create a random password for the new account, just
# to make sure account is not accessed accidentally ...
# (smbpasswd -s reads the new password twice from stdin)
#
echo "Installing temporary random password for user $UNAME ..."
PASSW=$(/usr/bin/openssl rand -base64 12)
printf '%s\n%s\n' "$PASSW" "$PASSW" | /usr/bin/smbpasswd -s "$UNAME"

#
# all done!
#
echo
echo "done ... for now ..."
echo
----- %< -----

-- 
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
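The UID/GID-discovery and name-collision logic from the script above, generalised a little as an added example (not code from the original post): it starts from a floor when no account is in range, refuses to step into the range reserved for pseudo accounts instead of silently reaching it, and rejects an empty name rather than matching every entry. The passwd listing is constructed sample data.

```shell
#!/bin/sh
# next_free_id FLOOR CEIL: read a getent-style listing (name:x:ID:...)
# on stdin and print the next unused id, considering only ids in
# [FLOOR, CEIL). This is "highest in range + 1", like the script above,
# plus two edge cases that script does not handle: an empty range and
# a range that is already exhausted.
next_free_id() {
    floor=$1; ceil=$2
    high=$(awk -F: -v floor="$floor" -v ceil="$ceil" '
        $3 >= floor && $3 < ceil && $3 > high { high = $3 }
        END { print high + 0 }')
    if [ "$high" -lt "$floor" ]; then
        # nothing allocated in range yet: start at the floor
        echo "$floor"
    elif [ "$((high + 1))" -ge "$ceil" ]; then
        # the next id would collide with the pseudo-account range
        echo "no free id below $ceil" >&2
        return 1
    else
        echo "$((high + 1))"
    fi
}

# name_in_use NAME: succeed if NAME is the first field of any line on
# stdin. An empty NAME returns 2 instead of matching every line, which
# is what an unquoted "getent passwd $UNAME" would do.
name_in_use() {
    name=$1
    [ -n "$name" ] || return 2
    awk -F: -v n="$name" '$1 == n { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed sample passwd listing (not real accounts).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1005:1005:Bob:/home/bob:/bin/bash
nobody:x:65534:65534:Nobody:/:/sbin/nologin'

# usage against the sample data instead of "getent passwd"
printf '%s\n' "$SAMPLE_PASSWD" | next_free_id 1000 8000
```

On a live system, replace the sample with `getent passwd` or `getent group`, exactly as the script does.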