
Bug#935080: slapcat used in gosa hook script gosa-modify-host



On Mon, Aug 19, 2019 at 01:33:31PM +0000, Mike Gabriel wrote:
> On  Mo 19 Aug 2019 12:56:11 CEST, Petter Reinholdtsen wrote:
> > Note, I have no idea why slapcat is used in the script to locate hosts:
> > 
> > # cleanup from leftover host principals and keytab file:
> > for i in $(basename -a /etc/debian-edu/host-keytabs/* | sed 's#.intern.keytab##') ; do
> >     if slapcat | grep $i | grep -q dhcp ; then
> >             :
> >         else
> >                 kadmin.local delprinc host/$i.intern@INTERN
> >                 kadmin.local delprinc nfs/$i.intern@INTERN
> >                 rm /etc/debian-edu/host-keytabs/$i.intern.keytab
> >     fi
> > done
> 
> Using slapcat here is wrong, it should be proper LDAP db queries with
> specific search pattern.

Maybe this would be better:

# cleanup from leftover host principals and keytab file:
for i in $(basename -a /etc/debian-edu/host-keytabs/* | sed 's#.intern.keytab##') ; do
    if [ "" = "$(ldapsearch -xLLL "(&(objectclass=dhcpHost)(cn=$i))")" ] ; then
	kadmin.local delprinc host/$i.intern@INTERN
	kadmin.local delprinc nfs/$i.intern@INTERN
	rm /etc/debian-edu/host-keytabs/$i.intern.keytab
    fi
done

Works for me, expert feedback appreciated.

> > I have no idea why Wolfgang decided to use slapcat instead of ldapsearch
> > here.  Perhaps to make sure he is operating on the local LDAP database,
> > or because he did not have the LDAP connection details available in the
> > script?

I wasn't aware of possible drawbacks like the ones Mike reported.
 
> IMHO, the LDAP db will answer anonymous queries just right when it comes to
> DHCP hosts.

Yes, seems to be so, see the proposed change above.

Wolfgang
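
Added example, not part of the original message or of the gosa-modify-host script: a defensive variant of the ldapsearch-based loop that deletes only when LDAP positively reports no dhcpHost entry, stops if the query itself fails (the posted test treats a failed query like an empty result), and escapes the host name before placing it in the filter. KEYTAB_DIR and KADMIN are hypothetical override variables; like the posted loop, it relies on the LDAP client's default server and search base.

```shell
#!/bin/sh
# Added example, not the gosa-modify-host script itself.
# KEYTAB_DIR and KADMIN are hypothetical overrides (assumptions) for testing.
KEYTAB_DIR="${KEYTAB_DIR:-/etc/debian-edu/host-keytabs}"
KADMIN="${KADMIN:-kadmin.local}"

# Escape RFC 4515 filter metacharacters so a file name cannot change the filter.
ldap_escape() {
    printf '%s' "$1" |
        sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# 0: a dhcpHost entry exists, 1: no entry, 2: the query itself failed.
host_in_ldap() {
    filter="(&(objectClass=dhcpHost)(cn=$(ldap_escape "$1")))"
    # "1.1" asks for no attributes, so only the DN line comes back.
    out=$(ldapsearch -xLLL "$filter" 1.1) || return 2
    [ -n "$out" ]
}

# Remove principals and keytabs only for hosts LDAP positively reports absent.
cleanup_keytabs() {
    for f in "$KEYTAB_DIR"/*.intern.keytab; do
        [ -e "$f" ] || continue            # glob matched nothing
        host=$(basename "$f" .intern.keytab)
        rc=0
        host_in_ldap "$host" || rc=$?
        case $rc in
            0) ;;                          # host still registered, keep it
            1) "$KADMIN" delprinc "host/$host.intern@INTERN"
               "$KADMIN" delprinc "nfs/$host.intern@INTERN"
               rm -- "$f" ;;
            *) echo "ldapsearch failed, nothing more deleted" >&2
               return 1 ;;
        esac
    done
}

# Only act when asked to, so sourcing the file has no side effects.
if [ "${1:-}" = "--run" ]; then
    cleanup_keytabs
fi
```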
