BernhardLinz / zabbix-ldap-sync-bash

Sync Zabbix User with Active Directory Group via LDAP with a pure Bash script

MS AD group of groups #4

Open AlexSamad opened 2 years ago

AlexSamad commented 2 years ago

Hi

https://ldapwiki.com/wiki/Active%20Directory%20Group%20Related%20Searches example (memberOf:1.2.840.113556.1.4.1941:=CN=GroupOne,OU=Security Groups,OU=Groups,DC=YOURDOMAIN,DC=NET)

My MS AD group is made up of nested groups.

I tested your script, and it pulled in the nested groups themselves as members. :)

You can do two things: instead of taking the name of the group, ask for its DN,

then, instead of listing the `member` attribute of the group, do this:

ldapsearch -x -o ldif-wrap=no -H -D "" -w XXX -b "(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=))" -LLL dn mail

`-LLL` reduces the noise; `objectCategory=user` makes sure you only get users; and the `memberOf:1.2.840.113556.1.4.1941:=` clause (LDAP_MATCHING_RULE_IN_CHAIN) shows only users who are members of the group, including through nested groups.

AlexSamad commented 2 years ago
--- a/site/role/files/ybzabbix/server/zabbix-ldap-sync.sh
+++ b/site/role/files/ybzabbix/server/zabbix-ldap-sync.sh
@@ -423,33 +423,33 @@ if [ LDAP_Ignore_SSL_Certificate = "false" ]; then
     # normal ldapsearch call
     if [ "$b_verbose" = "true" ]; then
         if [ "$b_showpasswords" = "true" ]; then
-            echo 'ldapsearch -x -o ldif-wrap=no -H '$LDAP_Source_URL' -D "'$LDAP_Bind_User_DN'" -w "'$LDAP_Bind_User_Password'" -b "'$LDAP_SearchBase'" "(&(objectClass=group)(cn="'$LDAP_Groupname_for_Sync'"))"'
+            echo 'ldapsearch -x -o ldif-wrap=no -H '$LDAP_Source_URL' -D "'$LDAP_Bind_User_DN'" -w "'$LDAP_Bind_User_Password'" -b "'$LDAP_SearchBase'" "(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:='$LDAP_Groupname_for_Sync'))"'
         else
-            echo 'ldapsearch -x -o ldif-wrap=no -H '$LDAP_Source_URL' -D "'$LDAP_Bind_User_DN'" -w "***********" -b "'$LDAP_SearchBase'" "(&(objectClass=group)(cn="'$LDAP_Groupname_for_Sync'"))"'
+            echo 'ldapsearch -x -o ldif-wrap=no -H '$LDAP_Source_URL' -D "'$LDAP_Bind_User_DN'" -w "***********" -b "'$LDAP_SearchBase'" "(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:='$LDAP_Groupname_for_Sync'))"'
         fi
     fi
     # yes, ldapsearch is called twice - first time without grep to catch the exitcode, 2. time to catch the content
-    tempvar=`ldapsearch -x -o ldif-wrap=no -H $LDAP_Source_URL -D "$LDAP_Bind_User_DN" -w "$LDAP_Bind_User_Password" -b "$LDAP_SearchBase" "(&(objectClass=group)(cn=$LDAP_Groupname_for_Sync))" o member`
+    tempvar=`ldapsearch -x -o ldif-wrap=no -H $LDAP_Source_URL -D "$LDAP_Bind_User_DN" -w "$LDAP_Bind_User_Password" -b "$LDAP_SearchBase" "(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=$LDAP_Groupname_for_Sync))" -LLL dn`
     ldapsearch_exitcode="$?"
     if [ "$b_verbose" = "true" ]; then echo "ldapsearch_exitcode: $ldapsearch_exitcode"; fi
-    tempvar=`ldapsearch -x -o ldif-wrap=no -H $LDAP_Source_URL -D "$LDAP_Bind_User_DN" -w "$LDAP_Bind_User_Password" -b "$LDAP_SearchBase" "(&(objectClass=group)(cn=$LDAP_Groupname_for_Sync))" o member | grep member:`
+    tempvar=`ldapsearch -x -o ldif-wrap=no -H $LDAP_Source_URL -D "$LDAP_Bind_User_DN" -w "$LDAP_Bind_User_Password" -b "$LDAP_SearchBase" "(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=$LDAP_Groupname_for_Sync))" -LLL dn | grep dn:`
 else
     # ignore SSL ldapsearch
     if [ "$b_verbose" = "true" ]; then
         if [ "$b_showpasswords" = "true" ]; then
-            echo 'LDAPTLS_REQCERT=never ldapsearch -x -o ldif-wrap=no -H '$LDAP_Source_URL' -D "'$LDAP_Bind_User_DN'" -w "'$LDAP_Bind_User_Password'" -b "'$LDAP_SearchBase'" "(&(objectClass=group)(cn='$LDAP_Groupname_for_Sync'))" o member'
+            echo 'LDAPTLS_REQCERT=never ldapsearch -x -o ldif-wrap=no -H '$LDAP_Source_URL' -D "'$LDAP_Bind_User_DN'" -w "'$LDAP_Bind_User_Password'" -b "'$LDAP_SearchBase'" "(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:='$LDAP_Groupname_for_Sync'))" -LLL dn'
         else
-            echo 'LDAPTLS_REQCERT=never ldapsearch -x -o ldif-wrap=no -H '$LDAP_Source_URL' -D "'$LDAP_Bind_User_DN'" -w "***********" -b "'$LDAP_SearchBase'" "(&(objectClass=group)(cn='$LDAP_Groupname_for_Sync'))" o member'
+            echo 'LDAPTLS_REQCERT=never ldapsearch -x -o ldif-wrap=no -H '$LDAP_Source_URL' -D "'$LDAP_Bind_User_DN'" -w "***********" -b "'$LDAP_SearchBase'" "(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:='$LDAP_Groupname_for_Sync'))" -LLL dn'
         fi
     fi
     # yes, ldapsearch is called twice - first time without grep to catch the exitcode, 2. time to catch the content
-    tempvar=`LDAPTLS_REQCERT=never ldapsearch -x -o ldif-wrap=no -H $LDAP_Source_URL -D "$LDAP_Bind_User_DN" -w "$LDAP_Bind_User_Password" -b "$LDAP_SearchBase" "(&(objectClass=group)(cn=$LDAP_Groupname_for_Sync))" o member`
+    tempvar=`LDAPTLS_REQCERT=never ldapsearch -x -o ldif-wrap=no -H $LDAP_Source_URL -D "$LDAP_Bind_User_DN" -w "$LDAP_Bind_User_Password" -b "$LDAP_SearchBase" "(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=$LDAP_Groupname_for_Sync))" -LLL dn`
     ldapsearch_exitcode="$?"
     if [ "$b_verbose" = "true" ]; then echo "ldapsearch_exitcode: $ldapsearch_exitcode"; fi
-    tempvar=`LDAPTLS_REQCERT=never ldapsearch -x -o ldif-wrap=no -H $LDAP_Source_URL -D "$LDAP_Bind_User_DN" -w "$LDAP_Bind_User_Password" -b "$LDAP_SearchBase" "(&(objectClass=group)(cn=$LDAP_Groupname_for_Sync))" o member | grep member:`
+    tempvar=`LDAPTLS_REQCERT=never ldapsearch -x -o ldif-wrap=no -H $LDAP_Source_URL -D "$LDAP_Bind_User_DN" -w "$LDAP_Bind_User_Password" -b "$LDAP_SearchBase" "(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=$LDAP_Groupname_for_Sync))" -LLL dn | grep dn:`
 fi
 if [ "$b_verbose" = "true" ]; then
-    echo 'Result ldapsearch (with "grep member:" : '"$tempvar"
+    echo 'Result ldapsearch (with "grep dn:" : '"$tempvar"
     echo "Exitcode ldapsearch: $(Translate_ldapsearch_exitcode $ldapsearch_exitcode)"
 fi
 # only continue if ldapsearch was succesfull
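Review bot: The group DN is spliced into the LDAP filter unescaped in all four `ldapsearch` calls, and now that the value is expected to be a full DN rather than a bare CN it can legitimately contain `(`, `)`, `*` or `\`, which are filter metacharacters under RFC 4515 and will break or alter the query. Build an escaped copy once and use it in every filter, e.g. `filter_dn=$(printf '%s' "$LDAP_Groupname_for_Sync" | sed 's/\\/\\5c/g; s/(/\\28/g; s/)/\\29/g; s/\*/\\2a/g')`, and add a comment that `LDAP_Groupname_for_Sync` must now hold the group's distinguished name, since a bare CN matches nothing with the `memberOf:1.2.840.113556.1.4.1941:=` rule (likely what the "no objects back" report in this thread describes). `objectCategory=user` also returns disabled accounts; if those should not be provisioned in Zabbix, add `(!(userAccountControl:1.2.840.113556.1.4.803:=2))` to the filter. Separately, the hunk header shows the enclosing test as `[ LDAP_Ignore_SSL_Certificate = "false" ]`, a literal string compare without `$`; if that line is accurate it is never true, so the `LDAPTLS_REQCERT=never` branch always runs and the server certificate is never verified.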
@@ -458,7 +458,7 @@ if [ "$ldapsearch_exitcode" -eq 0 ];then
     LDAP_ARRAY_Members_DN=()
     for (( i=0; i < ${#LDAP_ARRAY_Members_RAW[*]}; i++ )); do
         # Search for the word "member:" in Array - the next value is the DN of a Member
-        if [ "${LDAP_ARRAY_Members_RAW[$i]:0:7}" = "member:" ]; then
+        if [ "${LDAP_ARRAY_Members_RAW[$i]:0:3}" = "dn:" ]; then
             i=$(($i + 1))
             LDAP_ARRAY_Members_DN+=("${LDAP_ARRAY_Members_RAW[$i]}") # add new Item to the end of the array
         else
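Review bot: The comment above the check still says `Search for the word "member:" in Array` although the new condition looks for `dn:`; update it to `# Search for "dn:" in the array - the next value is the DN of a member user`. The 3-character prefix test also matches `dn::`, which ldapsearch emits when a DN is base64-encoded (non-ASCII characters or leading/trailing spaces), so such entries would be appended to LDAP_ARRAY_Members_DN as the raw base64 string; testing for `dn::` first and decoding it with `base64 -d` would avoid that. The surrounding loop and the construction of LDAP_ARRAY_Members_RAW start outside the hunk, so how the raw output is split into elements (and whether DNs containing spaces survive it) cannot be judged here.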
@@ -800,7 +800,7 @@ if [ "$b_verbose" = "true" ]; then
     printf " $ZABBIX_API_URL"
 fi
 tempvar=`curl -k -s -X POST -H "Content-Type:application/json"  -d '{"jsonrpc": "2.0","method":"user.get","params":{"usrgrpids":"'$ZABBIX_LDAP_Group_UsrGrpId'","output":["alias","userid"]},"id":42,"auth":"'$ZABBIX_authentication_token'"}' $ZABBIX_API_URL`
-if [ "$b_verbose" = "true" ]; then echo $tempvar; fi
+if [ "$b_verbose" = "true" ]; then echo ; echo $tempvar; echo ;fi
BernhardLinz commented 2 years ago

I tried your changes but they did not work in my environment; I get no objects back from ldapsearch. Could you please send me a copy of your version of the script or make it downloadable for me? bernhard@znil.de

Thx