
Bug#935080: slapcat used in gosa hook script gosa-modify-host



Hi Wolfgang,

thanks for working on this.

On  So 19 Apr 2020 11:40:51 CEST, Wolfgang Schweer wrote:

> On Mon, Aug 19, 2019 at 01:33:31PM +0000, Mike Gabriel wrote:
>> On  Mo 19 Aug 2019 12:56:11 CEST, Petter Reinholdtsen wrote:
>>> Note, I have no idea why slapcat is used in the script to locate hosts:
>>>
>>> # cleanup from leftover host principals and keytab file:
>>> for i in $(basename -a /etc/debian-edu/host-keytabs/* | sed 's#.intern.keytab##') ; do
>>>     if slapcat | grep $i | grep -q dhcp ; then
>>>         :
>>>     else
>>>         kadmin.local delprinc host/$i.intern@INTERN
>>>         kadmin.local delprinc nfs/$i.intern@INTERN
>>>         rm /etc/debian-edu/host-keytabs/$i.intern.keytab
>>>     fi
>>> done
>>
>> Using slapcat here is wrong, it should be proper LDAP db queries with
>> specific search pattern.
>
> Maybe this would be better:
>
> # cleanup from leftover host principals and keytab file:
> for i in $(basename -a /etc/debian-edu/host-keytabs/* | sed 's#.intern.keytab##') ; do
>     if [ "" = "$(ldapsearch -xLLL "(&(objectclass=dhcpHost)(cn=$i))")" ] ; then
>         kadmin.local delprinc host/$i.intern@INTERN
>         kadmin.local delprinc nfs/$i.intern@INTERN
>         rm /etc/debian-edu/host-keytabs/$i.intern.keytab
>     fi
> done
>
> Works for me, expert feedback appreciated.

The problem with the above approach (without having tested it) is scalability. For each host keytab you do an ldapsearch query.

IMHO it would be much better to either

  (a) do it and fork that part of the script to background ( (...)& semantics in bash) or
  (b) do one LDAP query and try to cleanup host keytabs from that

In fact, doing both might do the trick.

On my customer site, we have 300 host entries or so. Doing the above loop for every host change in LDAP will let the script walk over 300 LDAP queries. The response time of GOsa becomes awful with that.

During the next days, I can test your patch, either the one above or a follow-up version.

>>> I have no idea why Wolfgang decided to use slapcat instead of ldapsearch
>>> here.  Perhaps to make sure he is operating on the local LDAP database,
>>> or because he did not have the LDAP connection details available in the
>>> script?
>
> I wasn't aware of possible drawbacks like the ones Mike reported.
>
> ;-)
>
>> IMHO, the LDAP db will answer anonymous queries just right when it comes to
>> DHCP hosts.
>
> Yes, seems to be so, see the proposed change above.
>
> ;-)

Mike

--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
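The following is an added example written for this thread; it is not code from the bug report, from Wolfgang's proposal, or from the gosa/debian-edu hook scripts. It implements option (b) from Mike's reply: a single ldapsearch for all dhcpHost entries, then a local set lookup for each keytab, so the number of LDAP round trips no longer grows with the number of hosts. It also handles the failure mode the one-query-per-host proposal leaves open: there, a failed or unreachable LDAP server yields empty output, which is indistinguishable from "host not found" and would delete every principal. Assumptions, as in the quoted script: anonymous simple bind (-x) is allowed, the LDAP client configuration supplies the search base, keytabs are named <host>.intern.keytab, and the realm is INTERN. The function names, the KEYTAB_DIR variable and the sample host names are invented for this example; `-force` is a real kadmin.local option for delete_principal that skips the interactive confirmation.

```shell
#!/bin/sh
# Added example (not from the bug report or from gosa): one LDAP query for all
# dhcpHost entries, then a local lookup per keytab. Names below are hypothetical.
set -u

KEYTAB_DIR=${KEYTAB_DIR:-/etc/debian-edu/host-keytabs}

# One directory query; print the cn of every dhcpHost entry, one per line.
# Returns non-zero when ldapsearch itself fails so callers can refuse to act
# (an empty result and a failed query must not look the same).
dhcp_hosts() {
    raw=$(ldapsearch -xLLL '(objectClass=dhcpHost)' cn) || return 1
    printf '%s\n' "$raw" | sed -n 's/^cn: //p'
}

# Host names derived from the keytab files in $1 (suffix .intern.keytab stripped).
keytab_hosts() {
    for f in "$1"/*.intern.keytab; do
        [ -e "$f" ] || continue          # unmatched glob stays literal; skip it
        f=${f##*/}
        printf '%s\n' "${f%.intern.keytab}"
    done
}

# stale_hosts KNOWN KEYTABS: print the names in KEYTABS (newline separated)
# that do not occur in KNOWN. Whole-line exact match, unlike "slapcat | grep $i",
# so pc1 is not mistaken for a substring of pc10.
stale_hosts() {
    printf '%s\n' "$2" | KNOWN="$1" awk '
        BEGIN {
            n = split(ENVIRON["KNOWN"], a, "\n")
            for (i = 1; i <= n; i++) if (a[i] != "") seen[a[i]] = 1
        }
        $0 != "" && !($0 in seen)'
}

# Delete principals and keytabs only for hosts that are really gone from LDAP.
# A failed or empty query means "do nothing", never "delete everything".
cleanup_stale_keytabs() {
    known=$(dhcp_hosts) || { echo "ldapsearch failed, not deleting anything" >&2; return 1; }
    [ -n "$known" ] || { echo "no dhcpHost entries returned, not deleting anything" >&2; return 1; }
    stale_hosts "$known" "$(keytab_hosts "$KEYTAB_DIR")" | while IFS= read -r h; do
        # -force skips the yes/no prompt; </dev/null keeps kadmin off the loop's stdin
        kadmin.local delprinc -force "host/$h.intern@INTERN" </dev/null
        kadmin.local delprinc -force "nfs/$h.intern@INTERN" </dev/null
        rm -f "$KEYTAB_DIR/$h.intern.keytab"
    done
}

# Constructed sample data (not from any real site) so the set difference can be
# exercised offline without an LDAP server: pc99 has a keytab but no dhcpHost entry.
demo_stale() {
    stale_hosts "$(printf 'pc01\npc02\npc03')" "$(printf 'pc01\npc03\npc99')"
}

# Run the real cleanup only when asked, e.g. from the hook: sh this-script --run
if [ "${1:-}" = "--run" ]; then
    cleanup_stale_keytabs
fi
```

Because the cleanup is now one function, option (a) from the reply is a one-liner on top of it: `( cleanup_stale_keytabs ) &` in the hook returns control to GOsa immediately while the deletions finish in the background. The guard in cleanup_stale_keytabs is the important difference from testing `[ "" = "$(ldapsearch ...)" ]` per host: with 300 keytabs and an LDAP server that happens to be restarting, the per-host test would remove all 300 host and nfs principals, whereas here a failed or empty query aborts the run.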
