diff options
Diffstat (limited to 'contrib/utils/ad_groups.sh')
-rwxr-xr-x | contrib/utils/ad_groups.sh | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/contrib/utils/ad_groups.sh b/contrib/utils/ad_groups.sh new file mode 100755 index 0000000..cc86692 --- /dev/null +++ b/contrib/utils/ad_groups.sh @@ -0,0 +1,40 @@ +#!/bin/bash + +# author derived from: damien.nozay@gmail.com +# author: Jonathan Gray + +# Given a username, +# Provides a space-separated list of groups that the user is a member of. +# +# see http://gitolite.com/gitolite/conf.html#ldap +# GROUPLIST_PGM => /path/to/ldap_groups.sh + +# Be sure to add your domain CA to the trusted certificates in /etc/openldap/ldap.conf using the TLS_CACERT option or you'll get certificate validation errors + +ldaphost='ldap://AD.DC1.local:3268,ldap://AD.DC2.local:3268,ldap://AD.DC3.local:3268' +ldapuser='git@domain.local' +ldappass='super.secret.password' +binddn='dc=domain,dc=local' +username=$1; + +# I don't assume your users share a common OU, so I search the entire domain +ldap_groups() { + # Go fetch the full user CN as it could be anywhere inside the DN + usercn=$( + ldapsearch -ZZ -H ${ldaphost} -D ${ldapuser} -w ${ldappass} -b ${binddn} -LLL -o ldif-wrap=no "(sAMAccountName=${username})" \ + | grep "^dn:" \ + | perl -pe 's|dn: (.*?)|\1|' + ) + + # Using a proprietary AD extension, let the AD Controller resolve all nested group memberships + # http://ddkonline.blogspot.com/2010/05/how-to-recursively-get-group-membership.html + # Also, substitute spaces in AD group names for '_' since gitolite expects a space separated list + echo $( + ldapsearch -ZZ -H ${ldaphost} -D ${ldapuser} -w ${ldappass} -b ${binddn} -LLL -o ldif-wrap=no "(member:1.2.840.113556.1.4.1941:=${usercn})" \ + | grep "^dn:" \ + | perl -pe 's|dn: CN=(.*?),.*|\1|' \ + | sed 's/ /_/g' + ) +} + +ldap_groups $@ |