#!/bin/ksh # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. # # Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved # # The contents of this file are subject to the terms # of the Common Development and Distribution License # (the License). You may not use this file except in # compliance with the License. # # You can obtain a copy of the License at # https://opensso.dev.java.net/public/CDDLv1.0.html or # opensso/legal/CDDLv1.0.txt # See the License for the specific language governing # permission and limitations under the License. # # When distributing Covered Code, include this CDDL # Header Notice in each file and include the License file # at opensso/legal/CDDLv1.0.txt. # If applicable, add the following below the CDDL Header, # with the fields enclosed by brackets [] replaced by # your own identifying information: # "Portions Copyrighted [year] [name of copyright owner]" # # $Id # ######################################################################### # # This is a convenient script for federating users in a bulk manner. # # The script assumes that the backend user database is LDAP compliant # and the OpenSSO as the federation software provider. # # This script expects userdn mappins file as the primary input for creating # federation data for the users specified in the file. The userdns must be # separated by "|" and must be in the order of spuser followed by an idpuser. # For e.g. # uid=spuser,dc=iplanet,dc=com | uid=idpuser,dc=iplanet,dc=com # # This script generates unique random identifiers for each user mapping # and creates four different files namely: # spnameidentifiers.txt, idpnameidentifiers.txt, # spuserdata.ldif and idpuserdata.ldif. # # This will also load federation data (*.ldif file) locally based on the # given provider role. For e.g. if the local provider role is "SP", this # will load spuserdata.ldif locally or idpuserdata.ldif for IDP role. # # The idpuserdata.ldif/spuserdata.ldif files will also be stored locally for # convenient loading using ldapmodify command if the remote provider is # also an OpenSSO instance. # # If the remote provider is not an OpenSSO instance, the generated # files # spnameidentifies.txt/idpnameidentifies.txt can be exchanged to the second # party so that it can generate federation/user specific data based on # this input. # ######################################################################### OSTYPE=`/bin/uname -s` BASE=BASEDIR/PRODUCT_DIR if [ "$OSTYPE" = "Linux" ]; then gettext=/bin/gettext ECHO=/bin/echo NECHO='/bin/echo -n' RM=/bin/rm OMIT='' else gettext=/usr/bin/gettext ECHO=/usr/bin/echo NECHO=/usr/bin/echo RM=/usr/bin/rm OMIT='\c' fi GENERATE_LDIF=$BASE/bin/amGenerateLDIF.pl GENERATE_NI=$BASE/bin/amGenerateNI.pl LDAPMODIFY=$BASE/bin/ldapmodify export LD_LIBRARY_PATH=$BASE/ldaplib/ldapsdk:TAG_NSS_SO_PATH display_help() { $ECHO "`$gettext 'Usage: ' `" $ECHO "`$gettext ' ' `$0 [ -u | --user ] [ -w | --passfile ] [ -h | --host ] [ -p | --port ] [ -r | --role ] [ -s | --spid ] [ -i | --idpid ] [-f | --file]" $ECHO $ECHO "`$gettext 'Where:'`" $ECHO "`$gettext ' -f, --file'`" $ECHO "`$gettext ' Flat file that contains userDN mappings for'`" $ECHO "`$gettext ' the spusers and idpusers separated by | .'`" $ECHO "`$gettext ' -u, --user'`" $ECHO "`$gettext ' Administrative userdn in LDAP server who has '`" $ECHO "`$gettext ' write priveleges for modifying user entries '`" $ECHO "`$gettext ' -w, --passfile'` " $ECHO "`$gettext ' Password file'` " $ECHO "`$gettext ' -r, --role'` " $ECHO "`$gettext ' Provider Role. It must be either IDP or SP'` " $ECHO "`$gettext ' -h, --host'`" $ECHO "`$gettext ' LDAP Server HostName. Assumes localhost if not present.'`" $ECHO "`$gettext ' -p, --port'`" $ECHO "`$gettext ' LDAP Server Port. Assumes localport if not present.'`" $ECHO "`$gettext ' -s, --spid'`" $ECHO "`$gettext ' Service Provider ID'`" $ECHO "`$gettext ' -i, --idpid'`" $ECHO "`$gettext ' Identity Provider ID'`" $ECHO $ECHO "`$gettext 'Options:'`" $ECHO "`$gettext ' -H, --help'`" $ECHO "`$gettext ' Print Help(this message) and exit.'`" $ECHO "`$gettext ' -V, --version'`" $ECHO "`$gettext ' Prints Version'`" } display_version() { $ECHO "`$gettext 'OpenSSO version 2005Q3.'`" } get_password() { while [ 1 ] do eval $NECHO "`$gettext 'Enter user password : ${OMIT}'`" stty -echo read password $ECHO eval $NECHO "`$gettext 'Re-enter user password : ${OMIT}'`" stty -echo read password1 $ECHO if [ $password = $password1 ];then return else $ECHO "\a`$gettext 'Password does not match!'`" fi done } # Main starts here. role="" user="" pfile="" file="" host="" port="" spproviderid="" idpproviderid="" if [ $# -eq 0 ] then display_help exit 1 fi while [ $# -ne 0 ] do case "$1" in "-r" | "--role") if [ "$2" != "SP" ] && [ "$2" != "IDP" ]; then display_help exit 1 else role=$2 fi shift ;; "-u" | "--user") if [ "$2" = "" ]; then display_help exit 1 fi user=$2 shift ;; "-w" | "--passfile") if [ "$2" = "" ]; then display_help exit 1 fi pfile=$2 shift ;; "-h" | "--host") if [ "$2" = "" ]; then display_help exit 1 fi host=$2 shift ;; "-p" | "--port") if [ "$2" = "" ]; then display_help exit 1 fi port=$2 shift ;; "-V" | "--version") display_version exit 0 shift ;; "-s" | "--spid") if [ "$2" = "" ]; then display_help exit 1 fi spproviderid=$2 shift ;; "-i" | "--idpid") if [ "$2" = "" ]; then display_help exit 1 fi idpproviderid=$2 shift ;; "-f" | "--file") if [ "$2" = "" ]; then display_help exit 1 fi file=$2 shift ;; *) display_help exit 1 ;; esac shift done if [ "$pfile" = "" ]; then get_password else password=`cat $pfile` fi # Check for the non-null values if [ "$idpproviderid" = "" ] && [ "$spproviderid" = "" ]; then display_help exit 1 fi if [ "$host" = "" ]; then host="localhost" fi if [ "$port" = "" ]; then host="389" fi if [ "$file" = "" ] && [ "$user" = "" ] && [ "$password" = "" ]; then display_help exit 1 fi if [ ! -f $GENERATE_NI ] && [ ! -f $GENERATE_LDIF ]; then print "\a `$gettext 'Missing amGenerateNI.pl and amGenerateLDIF.pl scripts'`" exit 1 fi $GENERATE_NI $file if [ $? != 0 ]; then print "\a `$gettext 'Failed in generating name identifier mappings'`" exit 1 fi if [ -f spuserdata.ldif ]; then $RM spuserdata.ldif fi if [ -f idpuserdata.ldif ]; then $RM idpuserdata.ldif fi if [ "$role" = "SP" ]; then $GENERATE_LDIF spnameidentifiers.txt $spproviderid $idpproviderid SP if [ $? != 0 ]; then print "\a `$gettext 'Failed in generating SP LDIF files'`" exit 1 fi $GENERATE_LDIF idpnameidentifiers.txt $spproviderid $idpproviderid IDP if [ $? != 0 ]; then print "\a `$gettext 'Failed in generating IDP LDIF files'`" exit 1 fi $LDAPMODIFY -D "$user" -w "$password" -h $host -p $port -c -f spuserdata.ldif if [ $? != 0 ]; then print "\a `$gettext 'Failed in modifying spusers data'`" exit 1 fi exit 0 fi if [ "$role" = "IDP" ];then $GENERATE_LDIF idpnameidentifiers.txt $spproviderid $idpproviderid IDP if [ $? != 0 ]; then print "\a `$gettext 'Failed in generating LDIF files'`" exit 1 fi $GENERATE_LDIF spnameidentifiers.txt $spproviderid $idpproviderid SP if [ $? != 0 ]; then print "\a `$gettext 'Failed in generating SP LDIF files'`" exit 1 fi $LDAPMODIFY -D "$user" -w "$password" -h $host -p $port -c -f idpuserdata.ldif if [ $? != 0 ]; then print "\a `$gettext 'Failed in modifying idpusers data'`" exit 1 fi exit 0 fi