Reputation: 21
I have a list of users in a text file. I need to query our campus Active Directory to make sure these users are still "active" users (my machines are not part of the campus AD). The list of users is mapped to a number of identical attributes on the AD (name, cn, sAMAccountName, uid, gecos). I can successfully query the AD with ldapsearch for individual users, so what I am trying to figure out is:
a) how to use the file as input for the query
b) how to construct a shell script so the query will go line by line, and then output any "non-active" users so I can email it for notification.
Any help is much appreciated.
Upvotes: 2
Views: 5051
Reputation: 779
To answer your question you provided in the comments...
You could use nested if expressions. Example.
    emailFile="/var/tmp/emailFile.txt"
    for i in $(cat "${userFile}") ; do    # ${userFile} = placeholder for the path to your list of names
        if [[ $(some command) = "Some expected result" ]] ; then    # e.g. a check that the user exists
            if [[ ${results} != "" ]] ; then
                echo "${i} appears to be an active user"
            else
                echo "${i} IS INACTIVE"
                echo "${i}" >> "${emailFile}"
            fi
        fi
    done
You could add a second variable where you run a command in the for loop such as
    userExists=$(some ldapsearch command to see if user exists)
    results=$(*INPUT LDAPSEARCH HERE REPLACING USERNAME WITH ${i}* | grep -i lastlogontimestamp)
    if [[ ${userExists} = "Some expected result" ]] ; then
        if [[ ${results} != "" ]] ; then
You also asked a question about using "grep" to look for more than one item. Example is below.
    grep "514\|546"
Example 2. Let's say I have a file called test.txt with 5 lines
    one
    two
    three
    four
    five
I would run the following command to look inside the file to find "two" and "three"
    grep "two\|three" test.txt
Upvotes: 0
Reputation: 779
Something you could try to accomplish what you desire would be:
    emailFile="/var/tmp/emailFile.txt"
    for i in $(cat $(unknown)) ; do    # $(unknown) = your list of names, one per line
        results=$(*INPUT LDAPSEARCH HERE REPLACING USERNAME WITH ${i}* | grep -i lastlogontimestamp)
        if [[ ${results} != "" ]] ; then
            echo "${i} appears to be an active user"
        else
            echo "${i} IS INACTIVE"
            echo "${i}" >> "${emailFile}"    # collect inactive users for the email
        fi
    done
This is NOT a working script, but this should give you a very good idea of how to get this to work in your environment. A couple of things to note...
$(unknown) = location/filename of your list of names
INPUT LDAPSEARCH HERE REPLACING USERNAME WITH ${i} = You would enter in your command to run an ldap search here. Example: $(ldapsearch -D "cn=manager" -w password -h server.example.com -b "dc=example,dc=com" "cn=${i}" | grep -i "lastlogontimestamp")
"lastlogontimestamp" would be equal to what part of the query you want to examine to determine if the user is active or not.
This would set the ${results} variable to a string you are looking for. This could be a datestamp or empty if users have never logged in.
The next "if" statement would compare the results to a string/pattern you are expecting. My if statement above states that if ${results} is not equal to nothing, then inform you that the user you searched is active. If the ${results} are indeed empty, then log the username.
You will have to modify the ldapsearch portion to fit your needs, and the if statement to match what you are expecting to see from your query if the user is not active. I hope this helps.
Upvotes: 1
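Putting the two answers together as a complete, added example (not code from either answer): a POSIX sh script that reads the list line by line, queries AD once per user with ldapsearch, and writes the non-active names to a file for the notification email. It departs from the answers in two deliberate ways: the bind password is read from a 0600 file with -y instead of being passed with -w (where it shows up in ps output and shell history), and "active" is decided from the userAccountControl disabled bit (0x2, which the 514/546 values grepped above both have set) with accounts that are not found reported separately from disabled ones. LDAP_URI, BASE_DN, BIND_DN and PASS_FILE are placeholders to adjust for your campus directory.

```sh
#!/bin/sh
# Added example, not code from the answers above. Placeholders: LDAP_URI, BASE_DN, BIND_DN, PASS_FILE.
set -u

LDAP_URI="ldap://ad.example.edu"                       # placeholder: campus domain controller
BASE_DN="dc=example,dc=edu"                            # placeholder: search base
BIND_DN="cn=svc-lookup,ou=service,dc=example,dc=edu"   # placeholder: read-only lookup account
PASS_FILE="${HOME}/.ldap_pass"                         # mode 0600, NO trailing newline (-y uses the file verbatim)

# Look up one account by sAMAccountName and print its userAccountControl value (empty if not found).
# Caveat: a failed bind also yields empty output, which would make every user look "missing",
# so verify the bind against a known-good account before trusting a run.
ldap_uac() {
  ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -y "$PASS_FILE" -b "$BASE_DN" \
    "(sAMAccountName=$1)" userAccountControl \
    | awk -F': ' 'tolower($1) == "useraccountcontrol" { print $2 }'
}

# Classify a userAccountControl value: bit 0x2 is ACCOUNTDISABLE (512 = enabled, 514/546 = disabled).
classify_uac() {
  case "$1" in
    "")        echo missing ;;      # no such account (or the lookup failed)
    *[!0-9]*)  echo unparsed ;;     # unexpected non-numeric output
    *)         if [ $(( $1 & 2 )) -ne 0 ]; then echo disabled; else echo active; fi ;;
  esac
}

# Walk the list line by line; $3 names the lookup function so it can be stubbed in a test.
# read -r avoids the word-splitting and globbing of `for i in $(cat file)`.
check_users() {
  list="$1"; out="$2"; lookup="${3:-ldap_uac}"
  : > "$out"
  while IFS= read -r user || [ -n "$user" ]; do
    [ -z "$user" ] && continue
    state=$(classify_uac "$("$lookup" "$user")")
    if [ "$state" = active ]; then
      echo "$user appears to be an active user"
    else
      echo "$user IS INACTIVE ($state)"
      echo "$user" >> "$out"
    fi
  done < "$list"
}

# Usage: ./check_users.sh users.txt /var/tmp/inactive_users.txt   (then mail the second file)
if [ $# -ge 2 ]; then check_users "$1" "$2"; fi
```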