Initial Commit
commit
c96e1e65fb
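--- a/README.md
+++ b/README.md
@@ -0,0 +1,8 @@
+# Purpose
+To parse the list of users not in the defined service accounts group, and ensure all have OTP tokens configured. If they do not, generate a token and email it to the user.
+
+# Usage
+1. Download script to location of your choice
+2. Update variables at top of file, and service accounts groups listed on line 26
+3. Run Script
+4. Ensure user recieves email, and the NOTIFY_EMAIL address will also receive a notification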
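--- a/freeIPA_otp_tokens.bash
+++ b/freeIPA_otp_tokens.bash
@@ -0,0 +1,94 @@
+#!/bin/bash
+#This script will check to see if a user has an OTP token, and if not, create one and email the QR Code to the user
+
+#Set Variables
+#ARN of the secret which stores the FreeIPA Login credentials
+AWS_SECRET_ARN=ARN of an AWS Secret holding your IPA user creds
+#Email address to notify
+NOTIFY_EMAIL=freeipa-support@domain.com
+#IPA User, parsed from the secret
+IPA_USER=$(aws secretsmanager get-secret-value --secret-id $AWS_SECRET_ARN | jq -r .SecretString| jq -r .username)
+#IPA Password, parsed from the secret
+IPA_PASSWORD=$(aws secretsmanager get-secret-value --secret-id $AWS_SECRET_ARN | jq -r .SecretString| jq -r .password)
+#IPA Server URL
+IPA_URL=ipa-master.ipa.domain.com
+#From email
+FROM_EMAIL="freeipa-noreply@domain.com"
+#Set mail html file name
+MAILFILE=/tmp/otptokenmail.html
+#Set QR Code image file name
+QRFILE=/tmp/otptokenqr.png
+
+#Set kerberos ticket
+echo $IPA_PASSWORD | kinit $IPA_USER
+
+#List users not in service account groups
+USERS=$(ipa user-find --not-in-groups=service-accounts --not-in-groups=admin-svc-accts --disabled=false | grep "User login:" | awk '{print $NF}')
+
+#Function to create the token and email it
+create_otptoken()
+{
+TOKEN_URI=$(ipa otptoken-add --owner=$USER --no-qrcode --desc="Created Automatically by Ansible on $(date +"%Y-%m-%d_%H-%M-%S")" | grep URI | awk -F" " '{print $NF}')
+cat /dev/null > $MAILFILE
+rm -f $QRFILE
+/usr/local/bin/qr "${TOKEN_URI}" > $QRFILE
+
+echo "<p>" >> $MAILFILE
+echo "Congratulations, a new OTP Token has been created for your use in the FreeIPA authentication system." >> $MAILFILE
+echo "</p>" >> $MAILFILE
+echo "<p>" >> $MAILFILE
+echo "Please scan the attached QR code with the OTP Mobile Application on your device of choice." >> $MAILFILE
+echo "</p>" >> $MAILFILE
+echo "<p>" >> $MAILFILE
+echo "If the above does not work, try this link: ${TOKEN_URI}" >> $MAILFILE
+echo "</p>" >> $MAILFILE
+SUBJECT="FreeIPA OTP Token Created for $USER"
+USER_EMAIL=$(ipa user-find $USER | grep Email | awk '{print $NF}')
+(
+echo "Subject: ${SUBJECT}";
+echo "From: ${FROM_EMAIL}";
+echo "To: ${USER_EMAIL}";
+echo "MIME-Version: 1.0";
+echo 'Content-Type: multipart/mixed; boundary="OTPEMAIL"';
+echo '--OTPEMAIL';
+echo 'Content-Type: text/html; charset="utf-8"';
+echo "";
+echo "$(<$MAILFILE)";
+echo '--OTPEMAIL';
+echo 'Content-Type: image/png;name="otpqr.png"';
+echo "Content-Transfer-Encoding: base64";
+echo "Content-ID: <part1.06090408.01060107>";
+echo 'Content-Disposition: inline; filename="otpqr.png"';
+echo "$(base64 $QRFILE)";
+echo '--OTPEMAIL--';
+
+)|sendmail -t
+
+(
+echo "Subject: ${SUBJECT}";
+echo "From: ${FROM_EMAIL}";
+echo "To: ${NOTIFY_EMAIL}";
+echo "MIME-Version: 1.0";
+echo 'Content-Type: multipart/mixed; boundary="OTPEMAIL"';
+echo '--OTPEMAIL';
+echo 'Content-Type: text/html; charset="utf-8"';
+echo "";
+echo "A new OTP Token has been created for ${USER}, and information has been emailed to them.";
+echo '--OTPEMAIL--';
+
+)|sendmail -t
+
+}
+
+for USER in $USERS; do
+#Check to see if user has OTP token
+ipa otptoken-find --owner=$USER > /dev/null
+otp_ec=$?
+#If no otp token, create it and send email to aws-support and user
+if [[ $otp_ec != 0 ]]; then
+echo "No token found for $USER, creating one and sending it to the user...";
+create_otptoken;
+else
+echo "$USER has a token, no need to create a new one.";
+fi
+done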
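Review bot: The QR image written to `QRFILE` and the HTML in `MAILFILE` both carry the OTP token URI (the shared seed), yet they live at fixed, predictable paths under /tmp, are created with the caller's default umask (typically world-readable), and are only cleared at the start of the next `create_otptoken` call, so the last processed user's seed is left on disk after the script exits. Create both files with `mktemp` under `umask 077` and remove them on exit via a `trap`, as sketched below. `USER_EMAIL` is also read from `ipa user-find $USER`, which is a substring search and can match several accounts; a multi-line `Email address` result ends up in the `To:` header and the seed can be mailed to someone other than the owner, so read it with `USER_EMAIL=$(ipa user-show "$USER" | awk '/Email address:/ {print $NF}')` instead. Finally, the `kinit` result is never checked and any non-zero exit from `ipa otptoken-find` is treated as "no token", so a missing or expired ticket mid-run would presumably create and mail a fresh token for every remaining user; guard `kinit` with `|| exit 1` and distinguish a lookup error from an empty result before calling `create_otptoken`.
```shell
umask 077
MAILFILE=$(mktemp /tmp/otptokenmail.XXXXXX) || exit 1
QRFILE=$(mktemp /tmp/otptokenqr.XXXXXX) || exit 1
trap 'rm -f -- "$MAILFILE" "$QRFILE"' EXIT
# … unchanged: kinit, user listing, create_otptoken body …
```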