/etc/libnss-aad.conf (holds the client secret in clear text: keep it root-owned and mode 0600)
{
"client": {
"id": "1234abcd-1234-abcd-efgh-123456abcdef",
"secret": "<url-encoded secret>"
},
"tenant": "<company>.onmicrosoft.com"
}
/etc/aad-config.json (holds the client secret in clear text: keep it root-owned and mode 0600)
{
"tenant" : "<company>.onmicrosoft.com",
"clientId" : "1234abcd-1234-abcd-efgh-123456abcdef",
"clientSecret" : "secret="
}
/usr/local/bin/provision_users.py
import json
import logging
import os
import pwd
import re
import stat
import subprocess
import sys

import adal
import requests
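# Provision local accounts for every user in an Azure AD tenant.
#
# The config file (argument 1, or $AAD_CONFIG_FILE) holds the values obtained
# from an Azure AD app registration. See
# https://github.com/AzureAD/azure-activedirectory-library-for-python/wiki/Register-your-application-with-Azure-Active-Directory
#
# {
#     "tenant"       : "rrandallaad1.onmicrosoft.com",
#     "clientId"     : "624ac9bd-4c1c-4687-aec8-b56a8991cfb3",
#     "clientSecret" : "verySecret=",
#     "groups"       : "sudo"      (optional; see DEFAULT_GROUPS below)
# }
#
# "authorityHostUrl" is not read; the authority is always AUTHORITY_HOST.
# The file contains a client secret: keep it root-owned and mode 0600.

logger = logging.getLogger("provision_users")

AUTHORITY_HOST = "https://login.microsoftonline.com/"
# Resource identifier (token audience) of the Azure AD Graph API.
AAD_GRAPH_RESOURCE = "00000002-0000-0000-c000-000000000000"
# NOTE(review): Azure AD Graph (graph.windows.net) has been superseded by
# Microsoft Graph; confirm it is still reachable for this tenant.
AAD_GRAPH_URL = "https://graph.windows.net/"
AAD_GRAPH_API_VERSION = "1.6"
# Supplementary group(s) for every created account, as a useradd -G value.
# WARNING: the default "sudo" makes EVERY user in the directory a local
# administrator on this host. Set "groups" in the config file to narrow it.
DEFAULT_GROUPS = "sudo"
# Seconds before a Graph request is abandoned (cron jobs must not hang forever).
HTTP_TIMEOUT = 30

# Conservative account-name filter applied to the directory-supplied
# mailNickname before it reaches useradd: rejects a leading "-" (would be
# parsed as an option), shell metacharacters, path separators, whitespace and
# names over the 32-character limit. useradd still applies its own stricter
# policy; a name it refuses is logged and skipped rather than aborting the run.
_UNIX_NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}$")


def is_valid_unix_name(name):
    """Return True if *name* is a str that is safe to pass to useradd."""
    return isinstance(name, str) and _UNIX_NAME_RE.match(name) is not None


def load_config(path):
    """Parse the JSON config at *path* and check the required keys are present.

    Warns (does not fail) when the file is readable by group or other, since
    it contains the client secret.

    Raises:
        OSError: the file cannot be read.
        ValueError: the JSON is invalid or a required key is missing.
    """
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        logger.warning("%s is accessible by group/other (mode %o) but contains "
                       "a client secret; chmod 0600 it", path, stat.S_IMODE(mode))
    with open(path, "r") as handle:
        config = json.load(handle)
    for key in ("tenant", "clientId", "clientSecret"):
        if key not in config:
            raise ValueError("config file %s is missing required key %r" % (path, key))
    return config


def acquire_graph_token(config):
    """Return an AAD Graph access token obtained with the client-credentials grant.

    Authority validation is left at ADAL's default (enabled); the previous
    version passed validate_authority=None, which switched it off.
    """
    context = adal.AuthenticationContext(AUTHORITY_HOST + config["tenant"])
    token = context.acquire_token_with_client_credentials(
        AAD_GRAPH_RESOURCE, config["clientId"], config["clientSecret"])
    return token["accessToken"]


def iter_directory_users(config, access_token):
    """Yield every user object of the tenant, following AAD Graph paging.

    The previous version read only the first page, so tenants larger than one
    page were silently under-provisioned.
    """
    headers = {"Authorization": "Bearer " + access_token}
    tenant_base = AAD_GRAPH_URL + config["tenant"] + "/"
    url = tenant_base + "users"
    while url:
        response = requests.get(url, headers=headers,
                                params={"api-version": AAD_GRAPH_API_VERSION},
                                timeout=HTTP_TIMEOUT)
        # Fail loudly on 401/403 (expired secret, missing Directory.Read.All
        # consent) instead of iterating an error body.
        response.raise_for_status()
        body = response.json()
        for user in body.get("value", []):
            yield user
        # AAD Graph returns a tenant-relative "odata.nextLink" while more
        # pages remain; api-version is re-added through params.
        next_link = body.get("odata.nextLink")
        url = tenant_base + next_link if next_link else None


def local_account_exists(name):
    """Return True if *name* resolves in the passwd database (via NSS)."""
    try:
        pwd.getpwnam(name)
    except KeyError:
        return False
    return True


def create_local_account(name, groups):
    """Create *name* with a home directory and supplementary *groups*.

    Raises subprocess.CalledProcessError when useradd exits non-zero.
    No shell is involved, so the name is passed as a single argv element.
    """
    subprocess.run(["useradd", "-m", "-G", groups, name], check=True)


def main(argv=None):
    """Create a local account for every directory user that lacks one.

    Args:
        argv: command-line arguments without the program name; defaults to
            sys.argv[1:]. A single argument is the config path; otherwise
            $AAD_CONFIG_FILE is used.

    Returns:
        0 on success, 1 if at least one useradd call failed.

    Raises:
        ValueError: no config file was given.
    """
    argv = sys.argv[1:] if argv is None else argv
    config_file = argv[0] if len(argv) == 1 else os.environ.get("AAD_CONFIG_FILE")
    if not config_file:
        raise ValueError("Please provide config file with account information.")
    config = load_config(config_file)
    groups = config.get("groups", DEFAULT_GROUPS)
    access_token = acquire_graph_token(config)

    failures = 0
    for user in iter_directory_users(config, access_token):
        nickname = user.get("mailNickname")
        if not is_valid_unix_name(nickname):
            logger.warning("skipping directory user with unusable mailNickname %r", nickname)
            continue
        if local_account_exists(nickname):
            continue
        try:
            create_local_account(nickname, groups)
        except subprocess.CalledProcessError as exc:
            failures += 1
            logger.error("useradd failed for %s (exit status %d)", nickname, exc.returncode)
        else:
            logger.info("created local account %s (groups: %s)", nickname, groups)
    return 1 if failures else 0


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO,
                        format="%(asctime)s %(levelname)s %(message)s")
    sys.exit(main())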
Modified from: https://github.com/AzureAD/azure-activedirectory-library-for-python
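# Install the half-hourly provisioning job. Run this as root: useradd needs
# root, and crontab edits the invoking user's table. The script is executed
# directly, so its first line must be a shebang (e.g. "#!/usr/bin/env python3").
SCRIPT=/usr/local/bin/provision_users.py
chmod +x "$SCRIPT"
# Only append the entry if it is not already present, so re-running this
# snippet does not schedule the job twice. "2>/dev/null" hides the
# "no crontab for <user>" message when no crontab exists yet.
if ! crontab -l 2>/dev/null | grep -qF "$SCRIPT"; then
    (crontab -l 2>/dev/null; echo "0,30 * * * * $SCRIPT") | crontab -
fi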
Source: https://stackoverflow.com/questions/4880290/how-do-i-create-a-crontab-through-a-script
NOTE: Requires the Azure Active Directory Graph API permission Directory.Read.All, which requires admin consent.
libnss module rewritten from scratch and split out into its own repository (See: https://github.com/CyberNinjas/libnss_aad).
References:
https://www.gnu.org/software/libc/manual/html_node/Name-Service-Switch.html
https://github.com/azure-samples/active-directory-dotnet-daemon