On Mon, Aug 19, 2019 at 01:33:31PM +0000, Mike Gabriel wrote:
> On Mo 19 Aug 2019 12:56:11 CEST, Petter Reinholdtsen wrote:
> > Note, I have no idea why slapcat is used in the script to locate hosts:
> >
> > # cleanup from leftover host principals and keytab file:
> > for i in $(basename -a /etc/debian-edu/host-keytabs/* | sed 's#.intern.keytab##') ; do
> >   if slapcat | grep $i | grep -q dhcp ; then
> >     :
> >   else
> >     kadmin.local delprinc host/$i.intern@INTERN
> >     kadmin.local delprinc nfs/$i.intern@INTERN
> >     rm /etc/debian-edu/host-keytabs/$i.intern.keytab
> >   fi
> > done
>
> Using slapcat here is wrong, it should be proper LDAP db queries with
> specific search pattern.

Maybe this would be better:

# cleanup from leftover host principals and keytab file:
for i in $(basename -a /etc/debian-edu/host-keytabs/* | sed 's#.intern.keytab##') ; do
  if [ "" = "$(ldapsearch -xLLL "(&(objectclass=dhcpHost)(cn=$i))")" ] ; then
    kadmin.local delprinc host/$i.intern@INTERN
    kadmin.local delprinc nfs/$i.intern@INTERN
    rm /etc/debian-edu/host-keytabs/$i.intern.keytab
  fi
done

Works for me, expert feedback appreciated.

> > I have no idea why Wolfgang decided to use slapcat instead of ldapsearch
> > here. Perhaps to make sure he is operating on the local LDAP database,
> > or because he did not have the LDAP connection details available in the
> > script?

I wasn't aware of possible drawbacks like the ones Mike reported.

> IMHO, the LDAP db will answer anonymous queries just right when it comes to
> DHCP hosts.

Yes, seems to be so, see the proposed change above.

Wolfgang
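Added example, not part of the mail above or of the Debian Edu scripts: a dry-run variant of the ldapsearch-based cleanup that escapes the host name before putting it into the LDAP filter (RFC 4515) and only lists the hosts whose principals and keytab would be removed. The keytab directory, the `.intern.keytab` suffix and the `dhcpHost`/`cn` filter are taken from the thread; the lookup command is pluggable so the logic can be exercised without an LDAP server.

```shell
#!/bin/sh
# Added example (not from the original mail). Lists stale host keytabs
# instead of deleting anything; the caller decides what to do with the list.

# Escape a value for use inside an LDAP search filter (RFC 4515):
# '\' -> \5c, '*' -> \2a, '(' -> \28, ')' -> \29. Backslash goes first so
# the escapes it produces are not escaped again.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Filter matching the DHCP host entry for one short host name.
dhcp_host_filter() {
    printf '(&(objectclass=dhcpHost)(cn=%s))' "$(ldap_filter_escape "$1")"
}

# /etc/debian-edu/host-keytabs/pc1.intern.keytab -> pc1
keytab_to_host() {
    basename "$1" .intern.keytab
}

# Print the hosts that still have a keytab but no dhcpHost entry in LDAP.
# $1: directory holding the keytabs
# $2: command that takes an LDAP filter and prints matching entries
#     (defaults to an anonymous ldapsearch, as in the proposed change)
stale_hosts() {
    dir=$1
    lookup=${2:-"ldapsearch -xLLL"}
    for f in "$dir"/*.intern.keytab; do
        [ -e "$f" ] || continue
        host=$(keytab_to_host "$f")
        if [ -z "$($lookup "$(dhcp_host_filter "$host")")" ]; then
            printf '%s\n' "$host"
        fi
    done
}

# Usage on a real server (prints only, deletes nothing):
#   stale_hosts /etc/debian-edu/host-keytabs
```

Feed the printed host names to `kadmin.local delprinc` and `rm` only after reviewing the list; the escaping matters because a stray keytab file name otherwise becomes part of the LDAP filter verbatim.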