private/old_Sync-RBACSudoRoles.ps1
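Function old_Sync-RBACSudoRoles {
    <#
    .SYNOPSIS
        Creates or updates the per-component sudoer AD groups and the matching
        sudoRole objects for one or more RBAC orgs.
    .DESCRIPTION
        For every org selected by -Org (all orgs, including the global one, when
        -Org is omitted) the function resolves the org's components, runs
        createOrSetNetgroup, and then for each component x SUDO_ROLE_DEFS x
        SUDO_PASSWD_TYPES combination:
          * creates (or fetches, if it already exists) an AD group named
            sudoer-<component>-<roleType><passwd> and writes the role's sudo
            commands into its "info" attribute;
          * creates (or fetches) a sudoRole object under $OU_PATH_SUDOROLES whose
            sudoUser entries are the group name and SID (sudoers "%group" syntax),
            whose sudoHost is the org netgroup ("+<netgroup>"), and which carries
            sudoOption "!authenticate" for the "-nopasswd" variant, i.e. the
            resulting role grants sudo without a password prompt.
    .PARAMETER Org
        One or more org names; validated against get-rbacOrg -includeGlobal.
    .PARAMETER Component
        Optional component filter, only valid together with -Org
        (parameter set 'SpecificComponent').
    .OUTPUTS
        Table-formatted name/objectClass/distinguishedName of every group and
        sudoRole touched.
    .NOTES
        Reads script/module-scope values: $GlobalOUStruct, $OrgsOUStruct,
        $OU_PATH_SUDOROLES, $SUDO_ROLE_DEFS, $SUDO_PASSWD_TYPES.
        NOTE(review): $component_name, $parent_org, $netgroup_name, $group_Params
        and $NetgroupParams are referenced but never assigned in this function;
        presumably they come from the enclosing script scope -- confirm, because
        if they are unset the generated names degrade to e.g. "sudoer--admin".
        SupportsShouldProcess is declared but $PSCmdlet.ShouldProcess is not
        called; -WhatIf only takes effect through the underlying AD cmdlets.
    #>
    [CmdletBinding(SupportsShouldProcess=$true,DefaultParameterSetName='None')]
    Param (
        [Parameter(Mandatory=$False, Position = 0, ValueFromPipelineByPropertyName=$true, ValueFromPipeline=$true)]
        [Parameter(ParameterSetName = 'SpecificComponent', Mandatory=$True, ValueFromPipelineByPropertyName=$true, ValueFromPipeline=$true)]
        [ValidateScript({[bool](get-rbacOrg -org $_ -includeGlobal)})]
        [ArgumentCompleter( {(get-rbacOrg).Org})]
        [String[]]$Org,

        [Parameter(ParameterSetName = 'SpecificComponent', Mandatory=$False, Position = 1, ValueFromPipelineByPropertyName=$true, ValueFromPipeline=$true)]
        [ArgumentCompleter( {(get-rbacComponent).Component})]
        [String[]]$Component
    )

    BEGIN { }

    Process {
        # Resolve the org list: everything (incl. global) when -Org is omitted,
        # otherwise only the requested orgs.
        if (-not $org) {
            $orgList = get-rbacOrg -includeGlobal
            Write-verbose ("No Org specified; using all.")
        } else {
            $OrgList = $org | get-rbacOrg -includeGlobal
        }
        Write-verbose ("{0} orgs found: `r`n--> {1}" -f $orgList.count, ($orgList.org -join "`r`n--> "))

        foreach ($orgObject in $orgList) {
            if ($orgObject.org -eq $GlobalOUStruct.name) {
                # The global org has no components; only the netgroup step runs.
                $SearchBase = "OU={0},{1}" -f $OrgsOUStruct.name, $OrgsOUStruct.path
                $ComponentList = $null
                write-verbose (".....Global org, no components")
            } else {
                $searchBase = $orgObject.DistinguishedName
                if ($component) {
                    $ComponentList = get-RBACComponent -org $orgObject.org -Component $Component
                } else {
                    $ComponentList = get-rbacComponent -org $orgObject.org
                }
            }
            write-verbose ("Processing org {0} at {1}" -f $orgObject.org, $searchBase)

            # $NetgroupParams is not set in this function -- see .NOTES.
            createOrSetNetgroup @NetgroupParams

            foreach ($componentObject in $componentList) {
                $sudoRole_Path = $OU_PATH_SUDOROLES

                foreach ($sudoRoleType in $SUDO_ROLE_DEFS) {
                    foreach ($passwd in $SUDO_PASSWD_TYPES) {
                        # Everything emitted inside $( ) is collected and
                        # table-formatted once per group/role pair.
                        $out = $(
                            write-verbose "Create and / or update the group for sudo$passwd / $sudoRoleType"
                            $sudo_group_name = "sudoer-$($component_name)-$($sudoRoleType.name)$passwd"
                            # NOTE(review): this literal contains a line break
                            # (kept as-is); presumably unintended -- confirm
                            # before flattening it.
                            $sudo_group_desc = "$($component_name) - Sudoers- Right to use sudo$passwd for 
$($sudoRoleType.name) access: $($sudoRoleType.description)"

                            # try/catch only sees terminating errors, so force
                            # the "already exists" case to reach the fallback.
                            $this_sudo_group = try {
                                new-adgroup -name $sudo_group_name @group_Params -passthru -ErrorAction Stop
                            } catch {
                                get-adgroup $sudo_group_name
                            }
                            # The group's "info" attribute mirrors the role's
                            # command list so it is visible from the AD side.
                            set-adgroup $this_sudo_group -replace @{info=$($sudoRoleType.sudoCommands -join "`r`n")} -Description $sudo_group_desc -passthru |
                                Select-Object name,objectClass,distinguishedname

                            # sudoUser: "%" prefix = group (sudoers syntax); both
                            # the name and the SID form are written.
                            # sudoHost: "+" prefix = netgroup.
                            $sudorole_attributes = @{
                                sudoCommand = $sudoRoleType.sudocommands
                                sudoOrder   = "500"
                                sudoHost    = "+$netgroup_name"
                                sudoUser    = @("%$($this_sudo_group.name)", "%$($this_sudo_group.sid.value)")
                            }
                            # "!authenticate" disables the password prompt for
                            # the -nopasswd variant of the role.
                            if ($passwd -eq "-nopasswd") {
                                $sudorole_attributes.Add("sudoOption","!authenticate")
                            }

                            # Double quotes so $passwd is actually expanded
                            # (the original single-quoted string printed it literally).
                            write-verbose "Create and / or update the sudorole$passwd"
                            $sudoRole_name = "sudorole-$parent_org-$($component_name)-$($sudoRoleType.name)$passwd"
                            # Script-block filter with a variable reference instead
                            # of interpolating the name into a filter string: a
                            # quote in the name can no longer break or alter the
                            # query.
                            $sudoRole = try {
                                new-adobject -name $sudoRole_name -path $sudoRole_Path -type sudoRole -passthru -ErrorAction Stop
                            } catch {
                                get-adobject -Filter { objectclass -eq 'sudoRole' -and name -eq $sudoRole_name }
                            }
                            $sudoRole |
                                set-adobject -Description "component: $($component_name) sudo$passwd role for $($sudoRoleType.name) admins (Linux)" -replace $sudorole_attributes -passthru |
                                Select-Object name,objectClass,distinguishedname
                        )
                        $out | Format-Table
                    }
                }
            }
        }
    }
}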