Initial Commit
This commit is contained in:
commit
c96e1e65fb
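--- a/README.md
+++ b/README.md
@@ -0,0 +1,8 @@
+# Purpose
+To parse the list of users not in the defined service accounts group, and ensure all have OTP tokens configured. If they do not, generate a token and email it to the user.
+
+# Usage
+1. Download script to location of your choice
+2. Update variables at top of file, and service accounts groups listed on line 26
+3. Run Script
+4. Ensure user recieves email, and the NOTIFY_EMAIL address will also receive a notification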
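--- a/freeIPA_otp_tokens.bash
+++ b/freeIPA_otp_tokens.bash
@@ -0,0 +1,94 @@
+#!/bin/bash
+#This script will check to see if a user has an OTP token, and if not, create one and email the QR Code to the user
+
+#Set Variables
+#ARN of the secret which stores the FreeIPA Login credentials
+AWS_SECRET_ARN=ARN of an AWS Secret holding your IPA user creds
+#Email address to notify
+NOTIFY_EMAIL=freeipa-support@domain.com
+#IPA User, parsed from the secret
+IPA_USER=$(aws secretsmanager get-secret-value --secret-id $AWS_SECRET_ARN | jq -r .SecretString| jq -r .username)
+#IPA Password, parsed from the secret
+IPA_PASSWORD=$(aws secretsmanager get-secret-value --secret-id $AWS_SECRET_ARN | jq -r .SecretString| jq -r .password)
+#IPA Server URL
+IPA_URL=ipa-master.ipa.domain.com
+#From email
+FROM_EMAIL="freeipa-noreply@domain.com"
+#Set mail html file name
+MAILFILE=/tmp/otptokenmail.html
+#Set QR Code image file name
+QRFILE=/tmp/otptokenqr.png
+
+#Set kerberos ticket
+echo $IPA_PASSWORD | kinit $IPA_USER
+
+#List users not in service account groups
+USERS=$(ipa user-find --not-in-groups=service-accounts --not-in-groups=admin-svc-accts --disabled=false | grep "User login:" | awk '{print $NF}')
+
+#Function to create the token and email it
+create_otptoken()
+{
+TOKEN_URI=$(ipa otptoken-add --owner=$USER --no-qrcode --desc="Created Automatically by Ansible on $(date +"%Y-%m-%d_%H-%M-%S")" | grep URI | awk -F" " '{print $NF}')
+cat /dev/null > $MAILFILE
+rm -f $QRFILE
+/usr/local/bin/qr "${TOKEN_URI}" > $QRFILE
+
+echo "<p>" >> $MAILFILE
+echo "Congratulations, a new OTP Token has been created for your use in the FreeIPA authentication system." >> $MAILFILE
+echo "</p>" >> $MAILFILE
+echo "<p>" >> $MAILFILE
+echo "Please scan the attached QR code with the OTP Mobile Application on your device of choice." >> $MAILFILE
+echo "</p>" >> $MAILFILE
+echo "<p>" >> $MAILFILE
+echo "If the above does not work, try this link: ${TOKEN_URI}" >> $MAILFILE
+echo "</p>" >> $MAILFILE
+SUBJECT="FreeIPA OTP Token Created for $USER"
+USER_EMAIL=$(ipa user-find $USER | grep Email | awk '{print $NF}')
+(
+echo "Subject: ${SUBJECT}";
+echo "From: ${FROM_EMAIL}";
+echo "To: ${USER_EMAIL}";
+echo "MIME-Version: 1.0";
+echo 'Content-Type: multipart/mixed; boundary="OTPEMAIL"';
+echo '--OTPEMAIL';
+echo 'Content-Type: text/html; charset="utf-8"';
+echo "";
+echo "$(<$MAILFILE)";
+echo '--OTPEMAIL';
+echo 'Content-Type: image/png;name="otpqr.png"';
+echo "Content-Transfer-Encoding: base64";
+echo "Content-ID: <part1.06090408.01060107>";
+echo 'Content-Disposition: inline; filename="otpqr.png"';
+echo "$(base64 $QRFILE)";
+echo '--OTPEMAIL--';
+
+)|sendmail -t
+
+(
+echo "Subject: ${SUBJECT}";
+echo "From: ${FROM_EMAIL}";
+echo "To: ${NOTIFY_EMAIL}";
+echo "MIME-Version: 1.0";
+echo 'Content-Type: multipart/mixed; boundary="OTPEMAIL"';
+echo '--OTPEMAIL';
+echo 'Content-Type: text/html; charset="utf-8"';
+echo "";
+echo "A new OTP Token has been created for ${USER}, and information has been emailed to them.";
+echo '--OTPEMAIL--';
+
+)|sendmail -t
+
+}
+
+for USER in $USERS; do
+#Check to see if user has OTP token
+ipa otptoken-find --owner=$USER > /dev/null
+otp_ec=$?
+#If no otp token, create it and send email to aws-support and user
+if [[ $otp_ec != 0 ]]; then
+echo "No token found for $USER, creating one and sending it to the user...";
+create_otptoken;
+else
+echo "$USER has a token, no need to create a new one.";
+fi
+done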
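Review bot: The token URI returned by `ipa otptoken-add` is the user's OTP seed, and `create_otptoken` writes it (as HTML and as a QR image) to the fixed, world-readable paths `/tmp/otptokenmail.html` and `/tmp/otptokenqr.png` assigned to `MAILFILE` and `QRFILE` at the top of the file, without ever removing them after `sendmail` runs, so the seed of the last user processed stays on disk in a predictable shared location. Create both files under a `mktemp -d` directory with `umask 077` and delete it from an `EXIT` trap, as in the excerpt below. Separately, neither `kinit` nor `ipa otptoken-add` has its result checked, so a failed login or a failed add leaves `TOKEN_URI` empty and both the user and `NOTIFY_EMAIL` are still sent an "OTP Token Created" mail with an empty QR code; abort on `kinit` failure and return from the function when `TOKEN_URI` is empty. `USER_EMAIL=$(ipa user-find $USER | grep Email ...)` appears to be a substring search, so a login that is a prefix of another login can return several addresses and produce a multi-line `To:` header; `ipa user-show "$USER"` would look up exactly one entry. The loop variable `USER` also overwrites the login-name environment variable of the same name for the rest of the run; a lowercase name such as `login` would avoid that.
```shell
# private per-run directory for the mail body and QR image, removed on exit
umask 077
WORKDIR=$(mktemp -d) || exit 1
trap 'rm -rf -- "$WORKDIR"' EXIT
MAILFILE=$WORKDIR/otptokenmail.html
QRFILE=$WORKDIR/otptokenqr.png

# … unchanged: kerberos ticket comment …
printf '%s\n' "$IPA_PASSWORD" | kinit "$IPA_USER" || { echo "kinit failed for $IPA_USER" >&2; exit 1; }

# … unchanged: USERS lookup, function header …
TOKEN_URI=$(ipa otptoken-add --owner="$USER" --no-qrcode --desc="Created Automatically by Ansible on $(date +"%Y-%m-%d_%H-%M-%S")" | grep URI | awk -F" " '{print $NF}')
[[ -n "$TOKEN_URI" ]] || { echo "otptoken-add failed for $USER, not sending mail" >&2; return 1; }
# … unchanged: rest of create_otptoken …
```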