
LDAP 用户管理与 RSCT配置最后

LDAP 用户管理与 RSCT配置最后

RSCT 脚本：RSCT LDAP 监控脚本 /opt/usrmgt/mon/checkldap
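#!/usr/bin/perl
#
# checkldap - sensor command for the RSCT "CheckLDAP" sensor.
#
# 1. Binds to each LDAP server as cn=rootdn and looks up uid=root; a server
#    counts as running when the entry comes back with a {crypt} userpassword.
# 2. Reads the "default" stanza of /etc/security/user (registry, SYSTEM) and
#    of /etc/security/group (registry) with lssec and compares them with the
#    LDAP state.
#
# Prints one line for IBM.Sensor:
#   Int32=<action> String="<status> # <inst>,<port>,<host>=<n> ... # userreg=<r>;SYSTEM='<s>';groupreg='<g>'"
# <status> is four digits <running><userreg><usersys><groupreg>; with a
# leading "-" the last three digits are error flags (value not recognised)
# instead of "set to LDAP" flags.  <n> per server: 1 = root entry with a
# crypt hash, 2 = entry found but no crypt hash, 0 = no usable answer.
# <action> is 1 when the local settings disagree with the LDAP state or
# could not be classified.  With "offline" as first argument the running
# flag is printed as well and the output ends with a newline (manual test).

use strict;
use warnings;

my $ITDS   = "/opt/IBM/ldap/V6.3";           # LDAP Source Code Directory
my $SUFFIX = "o=ORG,c=US";                   # Your LDAP Suffix
my $SOURCE = "/opt/usrmgt";                  # User Management Code directory
my $LOG    = "$SOURCE/mon/CheckLDAP.log";    # Monitor Log file (suffixed with the instance name)

# LDAP servers to check, in the order they are reported in the status string.
my @servers = (
    { host => "host1", inst => "inst1", port => 20389 },
    { host => "host2", inst => "inst2", port => 20389 },
);

# Note that coding passwords in scripts is not recommended
# but you could replace this with your own password retrieval method
my $pwd = "rootdnpwd";                       # LDAP rootdn password

# Testflag for command line execution
my $termoutput = ( defined $ARGV[0] && $ARGV[0] eq "offline" ) ? 1 : 0;

# The per-instance log files hold the ldapsearch answer, including the root
# userpassword hash, so create them readable by the owner only.
umask 077;

my $running         = 0;     # 1 once a server answered with a crypt hash
my $userregerror    = 0;     # registry / SYSTEM value not recognised
my $usersyserror    = 0;
my $groupregerror   = 0;
my $userregldapset  = 0;     # 1 when the local setting points at LDAP
my $usersysldapset  = 0;
my $groupregldapset = 0;
my $errormessage    = "";

# Check status of the LDAP servers and fill the errormessage with the status information
for my $srv (@servers) {
    my ( $host, $inst, $port ) = @{$srv}{qw(host inst port)};
    my $out = "$LOG.$inst";

    # Check for a valid root user entry in LDAP.  "-w ?" makes ldapsearch read
    # the rootdn password from stdin, so it never appears in the process list.
    my @argv = (
        "$ITDS/bin/ldapsearch", "-h", $host, "-p", $port, "-D", "cn=rootdn",
        "-w", "?", "-b", $SUFFIX, "uid=root", "userpassword",
    );
    my $cmd = join " ", map { shell_quote($_) } @argv;

    if ( open( my $ids, "|-", "$cmd > " . shell_quote($out) . " 2>&1" ) ) {
        print {$ids} "$pwd\n";
        close($ids);
    }
    else {
        warn "cannot run ldapsearch for $inst: $!\n";
    }

    my @ids;
    if ( open( my $in, "<", $out ) ) {
        @ids = <$in>;
        close($in);
        chomp(@ids);
        shift(@ids);    # first line is the DN of the entry
    }

    # A usable answer is exactly the uid line plus the userpassword line.
    # All three status forms share the same "# inst,port,host=n " layout.
    if ( @ids == 2 ) {
        for my $line (@ids) {
            next unless $line =~ /userpassword/;
            my ( undef, $value ) = split /=/, $line, 2;
            if ( defined $value && $value =~ /crypt/ ) {
                $running = 1;
                $errormessage .= "# $inst,$port,$host=1 ";
            }
            else {
                $errormessage .= "# $inst,$port,$host=2 ";
            }
        }
    }
    else {
        $errormessage .= "# $inst,$port,$host=0 ";
    }
}

# Check status of the registry and SYSTEM parameters in /etc/security/user and group
for my $line ( lssec_lines( "-f", "/etc/security/user", "-s", "default", "-a", "registry", "-a", "SYSTEM" ) ) {
    next unless $line =~ /^default/;
    my @row = split /:/, $line;

    # The second field holds the registry value
    my $registry = defined $row[1] ? $row[1] : "";
    if ( $registry eq "LDAP" ) {
        $userregldapset = 1;
    }
    elsif ( $registry eq "files" ) {
        $userregldapset = 0;
    }
    else {
        $userregerror = 1;
    }
    $errormessage .= "# userreg=$registry;";

    # The third field holds the SYSTEM value; lssec -c keeps the quotes
    # around it because of the embedded spaces.
    my $system = defined $row[2] ? $row[2] : "";
    if ( $system eq "\"LDAP or compat\"" ) {
        # "LDAP or compat" is the expected value whether LDAP is up or not,
        # so the flag just mirrors the server state and never forces an action.
        $usersysldapset = $running;
    }
    else {
        $usersyserror = 1;
    }
    ( my $plain = $system ) =~ s/"//g;
    $errormessage .= "SYSTEM='$plain';";
}

for my $line ( lssec_lines( "-f", "/etc/security/group", "-s", "default", "-a", "registry" ) ) {
    next unless $line =~ /^default/;
    ( my $clean = $line ) =~ s/"//g;
    my @row = split /:/, $clean;
    my $registry = defined $row[1] ? $row[1] : "";
    if ( $registry eq "LDAP" ) {
        $groupregldapset = 1;
    }
    elsif ( $registry eq "files" ) {
        $groupregldapset = 0;
    }
    else {
        $groupregerror = 1;
    }
    $errormessage .= "groupreg='$registry'";
}

# Raise the action flag when any local setting disagrees with the LDAP
# state.  Written with "!" on purpose: a low-precedence "not" in front of
# an "||" chain would negate the whole chain instead of the first term.
my $action = 0;
if ($running) {
    $action = 1 if !$userregldapset || !$usersysldapset || !$groupregldapset;
}
else {
    $action = 1 if $userregldapset || $usersysldapset || $groupregldapset;
}

# Unrecognised values always need attention.
$action = 1 if $groupregerror || $userregerror;

# Leading "-" marks the digits as error flags rather than settings.
my $actionstring;
if ( $userregerror || $usersyserror || $groupregerror ) {
    $actionstring = "-${running}${userregerror}${usersyserror}${groupregerror}";
}
else {
    $actionstring = "${running}${userregldapset}${usersysldapset}${groupregldapset}";
}

$errormessage = "$actionstring $errormessage";

if ($termoutput) {
    print("$running\n");
    print("Int32=$action String=\"$errormessage\"\n");
}
else {
    # No trailing newline when run as the sensor command.
    print("Int32=$action String=\"$errormessage\"");
}

# Run "lssec -c" with the given arguments (list form, no shell) and return
# its output lines, chomped.  A failed start is reported and yields no
# lines, so the monitor still produces a status.
sub lssec_lines {
    my (@args) = @_;
    open( my $sec, "-|", "/usr/bin/lssec", "-c", @args )
        or do { warn "cannot run lssec @args: $!\n"; return; };
    my @lines = <$sec>;
    close($sec);
    chomp(@lines);
    return @lines;
}

# Single-quote a string for /bin/sh so it reaches the command unchanged.
sub shell_quote {
    my ($s) = @_;
    $s =~ s/'/'\\''/g;
    return "'$s'";
}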




RSCT 通知后的恢复脚本：/opt/usrmgt/mon/restartldapclient
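#!/usr/bin/perl
#
# restartldapclient - RSCT response script for the CheckLDAP sensor.
#
# Takes the sensor string from $ENV{ERRM_VALUE} when started by the RSCT
# notifier (or from "lssensor CheckLDAP" for manual testing), decodes the
# four status digits written by the checkldap monitor and brings the
# "default" stanzas of /etc/security/user and /etc/security/group in line
# with the current LDAP state.  secldapclntd is restarted when any stanza
# was changed.
#
# Status digits: 1=LDAP, 2=UserReg, 3=UserSys, 4=GroupReg.  A leading "-"
# means digits 2-4 are error flags (value not recognised by the monitor)
# rather than "set to LDAP" flags.

use strict;
use warnings;

# Target values for the stanzas, keyed by the LDAP state (0 = down, 1 = up).
# Only these table values ever reach chsec; nothing from the sensor string
# is passed on as a command argument.
my %reg = ( 0 => "files",          1 => "LDAP" );
my %sys = ( 0 => "LDAP or compat", 1 => "LDAP or compat" );

my $group = "/etc/security/group";
my $users = "/etc/security/user";

# Raised by the set* helpers so we know whether a client restart is needed.
my $userchange  = 0;
my $groupchange = 0;

my $string;
if ( $ENV{ERRM_VALUE} ) {    # Take ERRM_VALUE from notifier
    $string = $ENV{ERRM_VALUE};
}
else {                       # else read the sensor directly for test
    # Example of what the sensor reports:
    # String = 0000 # host1-e0 NOT running # host2-e0 NOT running # User: registry is
    #   'files' SYSTEM is 'LDAP or compat' , Group: registry is 'files'
    open( my $lss, "-|", "/usr/sbin/rsct/bin/lssensor", "CheckLDAP" )
        or die "cannot run lssensor: $!\n";
    while ( my $line = <$lss> ) {
        chomp $line;
        $line =~ s/\A +//;
        next unless $line =~ /^String/;
        ( $string = $line ) =~ s/String = //;
        print("STRINGLINE = $string\n");
    }
    close($lss);
}

die "no CheckLDAP sensor string available\n" unless defined $string;

# The first "#"-separated field is the status word, e.g. "0000" or "-1010".
my ($ldapstatus) = split /#/, $string;
$ldapstatus = "" unless defined $ldapstatus;
$ldapstatus =~ s/\A\s+|\s+\z//g;

# Reject anything that is not "-" + four binary digits; a garbled status
# must not lead to chsec being run with an undefined value.
my ( $errflags, $ldap, $userreg, $usersys, $groupreg ) =
    $ldapstatus =~ m{ \A (-?) ([01]) ([01]) ([01]) ([01]) \z }xms
    or die "unexpected CheckLDAP status '$ldapstatus'\n";

if ($errflags) {
    # Error flags: reset every stanza the monitor could not classify to the
    # value matching the current LDAP state.
    setuserreg( $reg{$ldap} )  if $userreg;
    setusersys( $sys{$ldap} )  if $usersys;
    setgroupreg( $reg{$ldap} ) if $groupreg;
}
elsif ( $ldapstatus ne "0000" && $ldapstatus ne "1111" ) {
    # Settings that disagree with the LDAP state are switched over.
    setuserreg( $reg{$ldap} )  if $ldap != $userreg;
    setusersys( $sys{$ldap} )  if $ldap != $usersys;
    setgroupreg( $reg{$ldap} ) if $ldap != $groupreg;
}

if ( $userchange || $groupchange ) {
    system("/usr/sbin/restart-secldapclntd") == 0
        or warn "restart-secldapclntd failed: $?\n";
}

# Run chsec with the given arguments in list form (no shell involved) and
# report a non-zero exit status.  Returns true on success.
sub run_chsec {
    my (@args) = @_;
    my $rc = system( "/usr/bin/chsec", @args );
    warn "chsec @args failed: $?\n" if $rc != 0;
    return $rc == 0;
}

# Set the default user registry ("files" or "LDAP") in /etc/security/user.
sub setuserreg {
    my ($registry) = @_;
    run_chsec( "-f", $users, "-s", "default", "-a", "registry=$registry" );
    $userchange = 1;
    return;
}

# Set the default SYSTEM attribute in /etc/security/user.  The value has
# spaces; in list form it is one argument, so no shell quoting is needed.
sub setusersys {
    my ($SYSTEM) = @_;
    run_chsec( "-f", $users, "-s", "default", "-a", "SYSTEM=$SYSTEM" );
    $userchange = 1;
    return;
}

# Set the default group registry ("files" or "LDAP") in /etc/security/group.
sub setgroupreg {
    my ($registry) = @_;
    run_chsec( "-f", $group, "-s", "default", "-a", "registry=$registry" );
    $groupchange = 1;
    return;
}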