public/Sync-RBACSudoers.ps1
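Function Sync-RBACSudoers {
    <#
    .SYNOPSIS
        Publishes per-Org (and per-Component) sudoers-ldap objects into Active Directory.
    .DESCRIPTION
        For every Org returned by get-rbacOrg (every Org, including the global one, when -Org is omitted)
        the function:
          * creates or updates a netgroup whose NIS triples replicate the host membership of the Org's
            OU (generateNetgroupTripleFromSearchbase / createOrSetNetgroup);
          * creates or updates the Org's OU under the sudoroles tree (createorsetOU);
          * for each entry of $SUDO_ROLE_DEFS and each suffix in $SUDO_PASSWD_TYPES, creates or updates a
            DomainLocal "Right-*" group (createOrSetGroup) and a sudoRole object whose sudoHost is the
            netgroup and whose sudoUser is that group, listed by name and by SID.
        The same steps are then repeated for each Component of the Org (all of them, or only the ones
        named by -Component). The global Org has no Components.
        sudoRole objects are only written when the schema exposes the sudoRole class ($ObjectGUIDs);
        otherwise a warning is emitted once and only OUs and netgroups are maintained.
    .PARAMETER Org
        One or more Org names; validated and tab-completed via get-rbacOrg. Defaults to every Org.
    .PARAMETER Component
        Component names that restrict the per-Component pass. Only valid together with -Org.
    .NOTES
        Module-scope values read here: $GlobalOUStruct, $OrgsOUStruct, $LinuxFeaturesOUStruct,
        $NetgroupName, $sudoRolesName, $ObjectGUIDs, $SUDO_ROLE_DEFS, $SUDO_PASSWD_TYPES.
        Membership of the generated "Right-*" groups is what grants sudo on the hosts of the netgroup;
        the "-nopasswd" variants additionally set sudoOption "!authenticate", so changes to those groups
        deserve the same scrutiny as a sudoers edit.
        -WhatIf / -Confirm are honoured once per Org (the decision covers the Org's Components).
    #>
    [CmdletBinding(SupportsShouldProcess=$true, DefaultParameterSetName='None')]
    Param (
        [Parameter(Mandatory=$False, Position = 0, ValueFromPipelineByPropertyName=$true, ValueFromPipeline=$true)]
        [Parameter(ParameterSetName = 'SpecificComponent', Mandatory=$True, ValueFromPipelineByPropertyName=$true, ValueFromPipeline=$true)]
        [ValidateScript({[bool](get-rbacOrg -org $_ -includeGlobal)})]
        [ArgumentCompleter( {(get-rbacOrg).Org})]
        [String[]]$Org,

        [Parameter(ParameterSetName = 'SpecificComponent', Mandatory=$False, Position = 1, ValueFromPipelineByPropertyName=$true, ValueFromPipeline=$true)]
        [ArgumentCompleter( {(get-rbacComponent).Component})]
        [String[]]$Component
    )

    BEGIN {
        # Container paths that do not vary per Org: where netgroups live and the root of the sudoroles tree.
        $netgroupOU   = "OU={0},OU={1},{2}" -f $NetgroupName, $LinuxFeaturesOUStruct.name, $LinuxFeaturesOUStruct.path
        $sudoRoleRoot = "OU={0},OU={1},{2}" -f $sudoRolesName, $LinuxFeaturesOUStruct.name, $LinuxFeaturesOUStruct.path

        # Evaluated once instead of once per Org and per Component.
        $schemaHasSudoRole = [bool]$ObjectGUIDs.name.contains("sudoRole")
        if (-not $schemaHasSudoRole) {
            Write-Warning "SudoRole schema object is missing: you may need a schema mod."
        }

        # Creates or updates the netgroup that mirrors the hosts found beneath $SearchBase.
        # Returns whatever createOrSetNetgroup returns (the caller reads .name from it).
        function syncNetgroup {
            Param([string]$Name, [string]$SearchBase)
            $netgroupParams = @{
                name              = $Name
                Path              = $netgroupOU
                Description       = "For consumption by sudoers-ldap. Replicates host membership of OU at {0}" -f $SearchBase
                NISNetgroupTriple = [String[]]@(generateNetgroupTripleFromSearchbase -searchBase $SearchBase)
            }
            createOrSetNetgroup @netgroupParams
        }

        # Creates or updates one "Right-*" group plus one sudoRole object per
        # ($SUDO_ROLE_DEFS x $SUDO_PASSWD_TYPES) combination.
        #   NamePart     - "<org>" or "<org>-<component>", embedded in group and role names
        #   GroupLabel   - "<org>" or "<org> - <component>", used in the group description
        #   RoleLabel    - leading text of the sudoRole description
        #   HostNetgroup - name of the netgroup referenced by sudoHost
        #   RightsOU     - DN of the container that receives the Right-* groups
        #   SudoRolePath - DN of the OU that receives the sudoRole objects
        function syncSudoRoleSet {
            Param(
                [string]$NamePart,
                [string]$GroupLabel,
                [string]$RoleLabel,
                [string]$HostNetgroup,
                [string]$RightsOU,
                [string]$SudoRolePath
            )
            foreach ($sudoRoleType in $SUDO_ROLE_DEFS) {
                foreach ($passwd in $SUDO_PASSWD_TYPES) {
                    Write-Verbose "Create and / or update the group for sudo$passwd / $($sudoRoleType.name)"
                    $groupParams = @{
                        Name        = "Right-{0}-sudo{1}_{2}" -f $NamePart, $passwd, $sudoRoleType.name
                        Description = "$GroupLabel - Sudoers- Right to use sudo$passwd for $($sudoRoleType.name) access: $($sudoRoleType.description)"
                        Path        = $RightsOU
                        GroupScope  = "DomainLocal"
                        Info        = $sudoRoleType.SudoCommand -join "`r`n"
                    }
                    $sudoGroup = createOrSetGroup @groupParams

                    # sudoUser lists the group by name and by SID; a missing SID would otherwise
                    # produce a bare "%" entry, so it is left out (and reported) instead.
                    $sudoUsers = @("%$($sudoGroup.name)")
                    if ($sudoGroup.sid.value) {
                        $sudoUsers += "%$($sudoGroup.sid.value)"
                    } else {
                        Write-Warning ("No SID available for group {0}; sudoUser will carry the name only" -f $sudoGroup.name)
                    }
                    $roleAttributes = @{
                        sudoCommand = $sudoRoleType.SudoCommand
                        sudoOrder   = "500"
                        sudoHost    = "+$HostNetgroup"
                        sudoUser    = $sudoUsers
                    }
                    # The -nopasswd variant is the one that disables the password prompt.
                    if ($passwd -eq "-nopasswd") {
                        $roleAttributes.sudoOption = "!authenticate"
                    }

                    $roleName = "sudorole-{0}-sudo{1}_{2}" -f $NamePart, $passwd, $sudoRoleType.name
                    Write-Verbose "Create and / or update the sudorole$passwd : $($sudoRoleType.SudoCommand)"
                    # Look the role up first and create it only when absent. New-ADObject returns nothing
                    # without -PassThru, so the previous create-then-catch pattern piped $null into
                    # Set-ADObject on the first run and the sudo* attributes were never applied.
                    # The name is passed as a filter variable rather than interpolated, so a quote in an
                    # Org/Component name cannot alter the filter.
                    $sudoRole = Get-ADObject -Filter 'objectClass -eq "sudoRole" -and name -eq $roleName'
                    if (-not $sudoRole) {
                        $sudoRole = New-ADObject -Name $roleName -Path $SudoRolePath -Type "sudorole" -PassThru
                    }
                    $roleDescription = "{0} sudo{1} role for {2} admins (Linux)" -f $RoleLabel, $passwd, $sudoRoleType.name
                    $sudoRole | Set-ADObject -Description $roleDescription -Replace $roleAttributes
                }
            }
        }
    }

    Process {
        if (-not $Org) {
            $orgList = get-rbacOrg -includeGlobal
            Write-Verbose "No Org specified; using all."
        } else {
            $orgList = $Org | get-rbacOrg -includeGlobal
        }
        Write-Verbose ("{0} orgs found: `r`n--> {1}" -f @($orgList).Count, ($orgList.org -join "`r`n--> "))

        foreach ($orgObject in $orgList) {
            if ($orgObject.org -eq $GlobalOUStruct.name) {
                # The global Org spans the whole Orgs container and has no Components.
                $searchBase    = "OU={0},{1}" -f $OrgsOUStruct.name, $OrgsOUStruct.path
                $componentList = $null
                Write-Verbose ".....Global org, no components"
            } else {
                $searchBase    = $orgObject.DistinguishedName
                $componentList = if ($Component) {
                    get-RBACComponent -org $orgObject.org -Component $Component
                } else {
                    get-rbacComponent -org $orgObject.org
                }
            }
            Write-Verbose ("Processing org {0} at {1}" -f $orgObject.org, $searchBase)

            # One -WhatIf / -Confirm decision per Org; it covers the Org's Components as well.
            if (-not $PSCmdlet.ShouldProcess($orgObject.org, "Sync sudoers netgroups, rights groups and sudoRole objects")) {
                continue
            }

            # Org level: netgroup, sudoroles OU, then the Right-* groups and sudoRole objects.
            $orgNetgroup     = syncNetgroup -Name ("Netgroup-{0}" -f $orgObject.org) -SearchBase $searchBase
            $orgSudoRolePath = "OU={0},{1}" -f $orgObject.Org, $sudoRoleRoot
            $null = createorsetOU -name $orgObject.Org -description "Sudoroles for $($orgObject.Org)" -path $sudoRoleRoot
            if ($schemaHasSudoRole) {
                $orgRoleSet = @{
                    NamePart     = $orgObject.org
                    GroupLabel   = $orgObject.Org
                    RoleLabel    = "Org: {0}" -f $orgObject.org
                    HostNetgroup = $orgNetgroup.name
                    RightsOU     = "OU=Rights,{0}" -f $orgObject.DistinguishedName
                    SudoRolePath = $orgSudoRolePath
                }
                syncSudoRoleSet @orgRoleSet
            }

            # Component level: same objects, nested one OU deeper and named <org>-<component>.
            foreach ($componentObject in $componentList) {
                $searchBase = $componentObject.distinguishedName
                Write-Verbose ("Processing org {0} / Component {1} at {2}" -f $orgObject.org, $componentObject.Component, $searchBase)

                $componentNetgroup     = syncNetgroup -Name ("Netgroup-{0}-{1}" -f $orgObject.org, $componentObject.Component) -SearchBase $searchBase
                $componentSudoRolePath = "OU={0},{1}" -f $componentObject.Component, $orgSudoRolePath
                $null = createorsetOU -name $componentObject.Component -description "Sudoroles for $($orgObject.Org) - ($($componentObject.Component))" -path $orgSudoRolePath
                if ($schemaHasSudoRole) {
                    $componentRoleSet = @{
                        NamePart     = "{0}-{1}" -f $orgObject.org, $componentObject.Component
                        GroupLabel   = "{0} - {1}" -f $orgObject.Org, $componentObject.Component
                        RoleLabel    = "{0} - {1}" -f $orgObject.org, $componentObject.Component
                        HostNetgroup = $componentNetgroup.name
                        RightsOU     = "OU=Rights,{0}" -f $componentObject.DistinguishedName
                        SudoRolePath = $componentSudoRolePath
                    }
                    syncSudoRoleSet @componentRoleSet
                }
            }
        }
    }
}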