BASH脚本 - AD中有用户移动OU时,OpenLDAP的同步方法

用途:当AD中有用户移动了组织结构(OU)时,可以使用此脚本把变动同步到OpenLDAP。脚本把本次从AD导出的用户DN与上一次运行保存的 YesterdayADUser.ldif 逐行比对,只对DN发生了变化的用户在OpenLDAP上执行 modrdn,因此需要定期(例如每天一次,通过cron)以root身份运行。

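#!/bin/bash
# Sync Active Directory OU moves into OpenLDAP.
#
# Each run exports every user's DN + sAMAccountName from AD, compares the
# "dn:" lines against the snapshot kept from the previous run
# (YesterdayADUser.ldif) and issues an LDAP modrdn in OpenLDAP for every
# user whose DN changed. The snapshot is only replaced when the whole run
# was complete and every modrdn succeeded, so moves that could not be
# detected or applied are retried on the next run instead of being lost.
#
# Requirements: bash 4 (associative arrays, ${var,,}), OpenLDAP client tools
# with -y support, GNU awk/base64, php plus utf8ldif.php in WORKDIR.
# Run once per day (e.g. from cron) as root.
#
# Security notes:
#  - Passwords are handed to the ldap tools with -y via files in a private
#    (0700) run directory instead of -w on the command line, so they do not
#    show up in `ps` output or shell traces.
#  - Both directories are reached over ldaps://. Make sure TLS_REQCERT in
#    ldap.conf is not "never"; otherwise the server is not authenticated and
#    the admin credentials could be captured by a man-in-the-middle.
#  - Directory-derived values (sAMAccountName, DNs) are escaped before being
#    placed into LDAP filters and LDIF; nothing is interpolated into sed.
#  - A DN whose RDN contains an escaped comma (CN=Doe\, John) is split on
#    the first comma like the original did; such users are not handled.

set -u -o pipefail
umask 077

# ------------------------------------------------------------- settings
AD_DOMAIN=""
AD_ADMIN_DN="CN=,OU=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX"
AD_ADMIN_PWD=""
AD_BASE_DN="DC=XXX,DC=XXX,DC=XXX"
LDAP_DOMAIN=""
LDAP_ADMIN_DN="cn=Manager,dc=XXX,dc=XXX,dc=XXX"
LDAP_ADMIN_PWD=""
LDAP_BASE_DN=${AD_BASE_DN}
WORKDIR="/root/OpenLdapShell"
LOGFILE="${WORKDIR}/OpenLdapUserChangeLog.log"
UTF8_FILTER="${WORKDIR}/utf8ldif.php"
YESTERDAY_FILE="${WORKDIR}/YesterdayADUser.ldif"
AD_URI="ldaps://${AD_DOMAIN}:636"
LDAP_URI="ldaps://${LDAP_DOMAIN}"
OU_FILTER="(&(objectClass=top)(objectClass=organizationalUnit))"
USER_FILTER="(&(objectClass=organizationalPerson)(!(objectClass=computer)))"

# Set to 1 when any directory query failed or returned partial results;
# the snapshot is then left untouched at the end of the run.
SYNC_INCOMPLETE=0

# -------------------------------------------------------------- helpers

# Append one timestamped line to the log file.
log() {
  printf '[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOGFILE"
}

# Log an error, print it to stderr and abort the run.
die() {
  log "ERROR: $*"
  printf '%s\n' "$*" >&2
  exit 1
}

# Join LDIF continuation lines (lines starting with a space) onto the
# preceding line. Blank record separators are preserved.
ldif_unwrap() {
  awk 'NR > 1 && /^ / { buf = buf substr($0, 2); next }
       NR > 1 { print buf }
       { buf = $0 }
       END { if (NR > 0) print buf }'
}

# Print the value of one (unwrapped) LDIF line, decoding "attr:: base64".
# $1 = the LDIF line.
ldif_value() {
  local line=$1 b64_re='^[^:]+:: *(.*)$'
  if [[ $line =~ $b64_re ]]; then
    printf '%s' "${BASH_REMATCH[1]}" | base64 -d
  else
    line=${line#*:}
    printf '%s' "${line# }"
  fi
}

# Print "name: value" as one LDIF line, base64-encoding the value when LDIF
# requires it (non-ASCII or control characters, leading space, ':' or '<').
# $1 = attribute name, $2 = value.
ldif_attr() {
  local LC_ALL=C name=$1 value=$2 print_re='^[[:print:]]*$'
  if [[ $value =~ $print_re && $value != ' '* && $value != ':'* && $value != '<'* ]]; then
    printf '%s: %s\n' "$name" "$value"
  else
    printf '%s:: %s\n' "$name" "$(printf '%s' "$value" | base64 -w0)"
  fi
}

# Escape a value for use inside an LDAP search filter (RFC 4515):
# backslash, '*', '(' and ')' become \5c \2a \28 \29.
# $1 = raw value.
ldap_filter_escape() {
  local s=$1
  s=${s//\\/\\5c}
  s=${s//\*/\\2a}
  s=${s//\(/\\28}
  s=${s//\)/\\29}
  printf '%s' "$s"
}

# Look up the OpenLDAP entry for one uid and, unless it already sits at the
# AD DN, append a modrdn record to MODIFY_LDIF moving it there.
# $1 = uid (sAMAccountName), $2 = the user's current DN in AD.
# Globals: LDAP_URI, LDAP_ADMIN_DN, LDAP_PWFILE, LDAP_BASE_DN, RUN_DIR,
#          MODIFY_LDIF (appended), SYNC_INCOMPLETE (set on lookup failure).
queue_move() {
  local uid=$1 ad_dn=$2
  # Plain split on the first comma (see the header note about escaped commas).
  local new_rdn=${ad_dn%%,*} new_parent=${ad_dn#*,}
  local filter="(&(objectClass=inetOrgPerson)(uid=$(ldap_filter_escape "$uid")))"
  local result="${RUN_DIR}/lookup.ldif" dn_line cur_dn

  if ! /usr/bin/ldapsearch -x -LLL -H "$LDAP_URI" -D "$LDAP_ADMIN_DN" -y "$LDAP_PWFILE" \
       -b "$LDAP_BASE_DN" "$filter" dn < /dev/null > "$result" 2>> "$LOGFILE"; then
    log "WARNING: OpenLDAP lookup failed for UID: ${uid}; move deferred to the next run."
    SYNC_INCOMPLETE=1
    return
  fi

  while IFS= read -r dn_line; do
    [[ $dn_line == dn:* ]] || continue
    cur_dn=$(ldif_value "$dn_line")
    # Already at the target DN (moved by an earlier run, or the snapshot is
    # stale): nothing to do. OpenLDAP returns DNs as stored, so a
    # case-insensitive textual comparison is sufficient for entries this
    # script has placed.
    [[ ${cur_dn,,} == "${ad_dn,,}" ]] && continue
    {
      printf '%s\n' "$dn_line"
      printf 'changetype: modrdn\n'
      ldif_attr newrdn "$new_rdn"
      printf 'deleteoldrdn: 0\n'
      ldif_attr newsuperior "$new_parent"
      printf '\n'
    } >> "$MODIFY_LDIF"
    log "OpenLdap Server Change User OU, UID: ${uid}, The new DN: ${ad_dn}."
  done < <(ldif_unwrap < "$result")
}

# ------------------------------------------------------------ run setup
[[ -d $WORKDIR ]] || die "work directory ${WORKDIR} does not exist"
RUN_DIR=$(mktemp -d "${WORKDIR}/Tmp.XXXXXX") || die "cannot create run directory under ${WORKDIR}"
# Removes the password files and all intermediate LDIF on every exit path.
trap 'rm -rf -- "$RUN_DIR"' EXIT

AD_PWFILE="${RUN_DIR}/ad.pw"
LDAP_PWFILE="${RUN_DIR}/ldap.pw"
OU_LDIF="${RUN_DIR}/Tmp_ldapgroup.ldif"
OU_LIST="${RUN_DIR}/Tmp_ldapgroup_utf8.ldif"
TODAY_FILE="${RUN_DIR}/TodayADUser.ldif"
MODIFY_LDIF="${RUN_DIR}/Tmp_LdapModifyUser.ldif"
# -y uses the complete file content as the password, so no trailing newline.
printf '%s' "$AD_ADMIN_PWD" > "$AD_PWFILE"
printf '%s' "$LDAP_ADMIN_PWD" > "$LDAP_PWFILE"
: > "$TODAY_FILE"
: > "$MODIFY_LDIF"

# ----------------------------------------------- 1. mirror the OU tree
# Export every OU from AD and add the missing ones to OpenLDAP, so that the
# target containers for the modrdn operations below exist.
/usr/bin/ldapsearch -x -H "$AD_URI" -D "$AD_ADMIN_DN" -y "$AD_PWFILE" -b "$AD_BASE_DN" -L \
  "$OU_FILTER" dn objectClass ou < /dev/null > "$OU_LDIF" 2>> "$LOGFILE"
ad_rc=$?
if (( ad_rc != 0 )); then
  # e.g. size limit exceeded: output may still be usable but is partial.
  SYNC_INCOMPLETE=1
  log "WARNING: AD OU search exited with ${ad_rc}; results may be partial."
fi
grep -q '^dn:' "$OU_LDIF" || die "AD OU search returned no entries; snapshot ${YESTERDAY_FILE} left untouched"

# -c: keep going when an OU already exists (entryAlreadyExists) or its parent
# has not been added yet (picked up on a later run). The output is therefore
# mostly "already exists" noise and is discarded, as before. No -H: the URI
# comes from ldap.conf, as in the original; make it explicit if that default
# is not the server behind ${LDAP_DOMAIN}.
/usr/bin/ldapadd -x -c -D "$LDAP_ADMIN_DN" -y "$LDAP_PWFILE" -f "$OU_LDIF" > /dev/null 2>&1

# One OU DN per line, passed through the same UTF-8 helper as before, for
# the per-OU user export. (Binds with the AD password: the original used the
# OpenLDAP password here by mistake.)
/usr/bin/ldapsearch -x -H "$AD_URI" -D "$AD_ADMIN_DN" -y "$AD_PWFILE" -b "$AD_BASE_DN" -L \
  "$OU_FILTER" dn < /dev/null 2>> "$LOGFILE" \
  | php "$UTF8_FILTER" | ldif_unwrap \
  | while IFS= read -r line; do
      [[ $line == dn:* ]] || continue
      ldif_value "$line"
      printf '\n'
    done > "$OU_LIST"
if (( $? != 0 )); then
  SYNC_INCOMPLETE=1
  log "WARNING: AD OU listing failed or was partial."
fi

# ----------------------------------------- 2. export users, OU by OU
# Presumably done per OU (subtree scope) to stay below AD's per-query size
# limit -- kept as is. Users in nested OUs therefore appear once per ancestor
# OU and are de-duplicated by uid in the compare loop.
while IFS= read -r ou_dn; do
  [[ -n $ou_dn ]] || continue
  if ! /usr/bin/ldapsearch -x -H "$AD_URI" -D "$AD_ADMIN_DN" -y "$AD_PWFILE" -b "$ou_dn" -L \
       "$USER_FILTER" dn sAMAccountName < /dev/null 2>> "$LOGFILE" \
       | php "$UTF8_FILTER" | ldif_unwrap >> "$TODAY_FILE"; then
    SYNC_INCOMPLETE=1
    log "WARNING: AD user search under ${ou_dn} failed; results may be partial."
  fi
done < "$OU_LIST"

# ------------------------------------ 3. diff against the last snapshot
# A "dn:" line that is not present verbatim in the snapshot means the user
# was moved (or is new, or the snapshot is missing -- e.g. the very first
# run, when every user is looked up once and found to be in place).
pending_dn=""
declare -A seen_uid=()
while IFS= read -r line; do
  case $line in
    dn:*)
      # A new record starts: forget any DN whose record carried no
      # sAMAccountName (e.g. AD contacts), so it cannot be attributed to the
      # next user in the file.
      pending_dn=""
      if [[ -f $YESTERDAY_FILE ]] && grep -Fxq -- "$line" "$YESTERDAY_FILE"; then
        continue   # same DN as last time: not moved
      fi
      pending_dn=$(ldif_value "$line")
      ;;
    sAMAccountName:*)
      [[ -n $pending_dn ]] || continue
      uid=$(ldif_value "$line")
      ad_dn=$pending_dn
      pending_dn=""
      if [[ -z $uid || -n ${seen_uid[$uid]:-} ]]; then
        continue
      fi
      seen_uid[$uid]=1
      queue_move "$uid" "$ad_dn"
      ;;
    '')
      pending_dn=""
      ;;
  esac
done < "$TODAY_FILE"

# -------------------------------------------------- 4. apply the moves
MODIFY_FAILED=0
if [[ -s $MODIFY_LDIF ]]; then
  # -c: one failing entry must not stop the others. The tool's output is
  # kept in the log as an audit trail of what was actually changed.
  if ! /usr/bin/ldapmodify -c -x -D "$LDAP_ADMIN_DN" -y "$LDAP_PWFILE" -f "$MODIFY_LDIF" >> "$LOGFILE" 2>&1; then
    MODIFY_FAILED=1
    log "WARNING: ldapmodify reported errors; failed moves are retried on the next run."
  fi
fi

# --------------------------------------------- 5. advance the snapshot
# Only when everything was seen and applied. Otherwise the old snapshot stays
# so that undetected or unapplied moves are found again next time; entries
# that were moved successfully are recognised as already in place by
# queue_move and are not touched again.
if (( SYNC_INCOMPLETE == 0 && MODIFY_FAILED == 0 )); then
  mv -f -- "$TODAY_FILE" "$YESTERDAY_FILE"
else
  log "WARNING: snapshot ${YESTERDAY_FILE} not updated because this run was incomplete."
fi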
