Stephen Joyce <stephen <at> email.unc.edu> writes:

> I wrote a collection of scripts that 
> scrape my campus's LDAP directory to keep PTS in sync with it. Generally 
> querying LDAP and:
> 
>   - discovering new users and creating PTS entries.
>   - discovering former users and initiating grace period tracking.
>   - creating and populating homedir volumes if a user is within my 
> College and lacks one.
>   - discovering and fixing up groups and volumes for users with 
> newly-changed usernames.
>   - adding users to and removing users from PTS groups based on users' 
> department(s) and classification(s).
>   - deleting former users' PTS entries (and groups) (after the grace 
> period).
>   - archiving and deleting former users' volumes (after a grace period) for 
> former users.
> 
> ...this basically handles a lot of the drudgery of what used to be manual 
> processes, and keeps PTS's state in sync with the reality reflected in 
> LDAP.

We too run AFS and LDAP in parallel. Up to now, synchronization has been done
manually, whenever a particular user runs into permission issues. We got
away with it, since groups were not used much and most users never changed
status. But as AFS and LDAP become more widely adopted, it is starting to be a hassle.

Consequently, I am very interested in your set of scripts. 


> The sync scripts are written in perl and usually take 1-3 hours each day 
> for my site's cell. It only takes this long because I do PTS operations 
> atomically to track results. For reference, here's the scope of my site:
> 
>   "university" pts users (for use on ACLs): ~35K
>   "college" users with homedirs: ~13.5K
>   unc:* groups maintained: ~6,300

Our site is about 200 users. So the hassle is two orders of magnitude below
yours. But still, it is a hassle.

 
> Unfortunately, what I have would not be a turn-key solution for other sites 
> because it makes some assumptions about users' affiliations based on 
> information UNC has in its LDAP schema (and the different attributes for 
> different types of affiliates).

Even if it needs some tweaking, it may be much more efficient than starting
our own homebrew from scratch. 

Greetings from Hannover,

---<)kaimartin(>--- 

Kai-Martin Knaak                           kn...@iqo.uni-hannover.de
Universität Hannover, Inst. f. Quantenoptik    tel: +49-511-762-2895
Welfengarten 1, 30167 Hannover                 fax: +49-511-762-2211
GPG key: http://pgp.mit.edu:11371/pks/lookup?search=Knaak+kmk&op=get
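
The reconciliation steps listed in the quoted message (new users, former users with a grace period, renamed users, group membership), sketched as an added example that is not part of this thread and is not Stephen Joyce's Perl code. It assumes LDAP and PTS entries can be matched on a stable numeric ID; the function name, action names, 30-day grace period and the `max_gone` safety limit are hypothetical.

```python
from datetime import date, timedelta

GRACE = timedelta(days=30)  # assumed; the post does not state the grace period

def plan_sync(ldap, pts, grace, today, max_gone=0.10):
    """Plan the actions that bring PTS in line with an LDAP snapshot.

    ldap, pts: {stable_id: (username, set_of_group_names)}
    grace:     {stable_id: date the user was first seen missing from LDAP}
    max_gone:  assumed safety limit on the share of PTS users retired per run
    """
    gone = sorted(sid for sid in pts if sid not in ldap)
    # An empty or truncated LDAP result looks like a mass departure: stop.
    if pts and len(gone) / len(pts) > max_gone:
        raise RuntimeError(f"{len(gone)}/{len(pts)} PTS users missing from LDAP")
    actions = []
    for sid, (name, groups) in sorted(ldap.items()):
        if sid not in pts:
            actions.append(("create", name))
            have = set()
        else:
            old_name, have = pts[sid]
            if old_name != name:  # same person, changed username
                actions.append(("rename", old_name, name))
            if sid in grace:  # user reappeared before the grace period ran out
                actions.append(("cancel_grace", name))
        actions += [("add_member", name, g) for g in sorted(groups - have)]
        actions += [("remove_member", name, g) for g in sorted(have - groups)]
    for sid in gone:
        name = pts[sid][0]
        if sid not in grace:
            actions.append(("start_grace", name))
        elif today - grace[sid] >= GRACE:
            actions.append(("archive_and_delete", name))
    return actions

# Constructed sample data, not taken from the post.
TODAY = date(2024, 3, 1)
LDAP = {101: ("alice", {"unc:physics"}),
        102: ("bsmith", {"unc:chem", "unc:staff"}),  # "bjones" in PTS
        104: ("dana", {"unc:math"})}                 # new user
PTS = {101: ("alice", {"unc:physics", "unc:students"}),
       102: ("bjones", {"unc:chem"}),
       103: ("carol", set())}                        # no longer in LDAP
GRACE_STATE = {103: date(2024, 1, 15)}

if __name__ == "__main__":
    # max_gone is raised only because the sample has three users
    for action in plan_sync(LDAP, PTS, GRACE_STATE, TODAY, max_gone=0.5):
        print(action)
```

The planner only returns a list of intended actions, so a run can be reviewed or logged before anything is changed in PTS or on the file servers.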
