On 2011-01-21 at 11:36, Stephen Joyce ( step...@physics.unc.edu ) said:
Hello,

Has anyone written a script or utility to add/remove PTS entries (either membership in PTS groups or actual existence of the PTS user account would be acceptable) from an external database, based on date?

My AFS cell is in the middle of transitioning from authenticating against a departmental KRB5 realm to authenticating against a central University-wide KRB5 realm. I'd like to be able to continue to have the ability to expire students' access to resources automatically--when their affiliation with the Department expires: at the end of a semester, research project, etc.

So I thought I'd ask if anyone has an in-house tool, querying expiration dates from an external source (such as a non-authoritative KDC, SQL, etc.) and is willing to share, before I possibly reinvent the wheel.

This is what we use:

https://github.com/phalenor/ldap2pts

It's not perfect, is very specific to our site, has at least one bug that needs to be fixed (owner of user:group groups needs to match the username), screen scrapes all of the pts commands, is an example of some non-ideal Perl programming, and won't scale too well. We run it once every 10 minutes, but we only have 259 accounts and 92 groups, so it may only take on the order of 30 seconds to run (on a SunFire V100). I wanted to add support for parsing the output of an openldap accesslog so it syncs in almost real-time and doesn't have to compare all of ldap against all of pts.

Anyway, might give you some different ideas.

--andy
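A minimal reconciliation pass of the kind discussed above (expiry-dated records from an external source diffed against PTS group membership, with expired users dropped), as an added example that is not code from ldap2pts or from either poster. The external records, the `pts membership` output and the run date are constructed samples, and the script only prints the pts commands it would run.

```python
from datetime import date

# Constructed samples: external records (user, PTS group, expiry) and `pts membership` output.
EXTERNAL_RECORDS = [
    ("alice", "dept:students", date(2011, 5, 31)),
    ("bob", "dept:students", date(2010, 12, 15)),  # affiliation already expired
    ("carol", "dept:research", date(2011, 8, 1)),
]
PTS_OUTPUT = """\
Members of dept:students (id: -205) are:
  alice
  bob
  dave
Members of dept:research (id: -206) are:
  carol
Members of system:administrators (id: -204) are:
  admin
"""
TODAY = date(2011, 1, 21)  # assumed run date; a cron job would use date.today()

def parse_pts_membership(text):
    """Parse concatenated `pts membership <group>` output into {group: set(members)}."""
    groups, current = {}, None
    for line in text.splitlines():
        if line.startswith("Members of "):
            current = line.split()[2]
            groups[current] = set()
        elif current is not None and line.strip():
            groups[current].add(line.strip())
    return groups

def desired_membership(records, today):
    """Managed group -> unexpired members; a group stays listed even if all of them expired."""
    want = {group: set() for _, group, _ in records}
    for user, group, expires in records:
        if expires >= today:
            want[group].add(user)
    return want

def plan_changes(current, desired):
    """Diff current vs desired; only groups in `desired` (managed by the feed) are touched."""
    cmds = []
    for group in sorted(desired):
        have, want = current.get(group, set()), desired[group]
        cmds += [f"pts adduser -user {u} -group {group}" for u in sorted(want - have)]
        cmds += [f"pts removeuser -user {u} -group {group}" for u in sorted(have - want)]
    return cmds

if __name__ == "__main__":
    print("\n".join(plan_changes(parse_pts_membership(PTS_OUTPUT), desired_membership(EXTERNAL_RECORDS, TODAY))))
```

Groups that the external source does not mention (system:administrators here) are never touched, so a bad or empty feed cannot strip an unmanaged group; the emitted commands are idempotent, so rerunning the pass after they are applied produces nothing.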
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
