[OpenAFS] PTS membership (or existence) based on external data?

Andy Cobaugh phalenor@gmail.com
Fri, 21 Jan 2011 11:49:56 -0500 (EST)


On 2011-01-21 at 11:36, Stephen Joyce ( stephen@physics.unc.edu ) said:
> Hello,
>
> Has anyone written a script or utility to add/remove PTS entries (either 
> membership in PTS groups or actual existence of the PTS user account would be 
> acceptable) from an external database, based on date?
>
> My AFS cell is in the middle of transitioning from authenticating against a 
> departmental KRB5 realm to authenticating against a central University-wide 
> KRB5 realm. I'd like to be able to continue to have the ability to expire 
> students' access to resources automatically--when their affiliation with the 
> Department expires: at the end of a semester, research project, etc.
>
> So I thought I'd ask if anyone has an in-house tool (querying expiration 
> dates from an external source such as a non-authoritative KDC, SQL, etc.) and 
> is willing to share, before I possibly reinvent the wheel.

This is what we use:

https://github.com/phalenor/ldap2pts

It's not perfect, is very specific to our site, has at least one bug that 
needs to be fixed (owner of user:group groups needs to match the 
username), screen scrapes all of the pts commands, is an example of some 
non-ideal Perl programming, and won't scale too well. We run it once every 
10 minutes, but we only have 259 accounts and 92 groups, so it may only 
take on the order of 30 seconds to run (on a SunFire V100). I wanted to 
add support for parsing the output of an openldap accesslog so it syncs in 
almost real-time and doesn't have to compare all of ldap against all of 
pts.

Anyway, might give you some different ideas.

--andy
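The reconciliation loop both messages describe (read expiry dates from an external source, compare against what PTS currently holds, add or remove members) is sketched below as an added example; it is not the ldap2pts code and not part of either post. The external records and the `pts membership` output are constructed samples, and the group name `dept:students` is an assumption. Like ldap2pts it screen-scrapes `pts` output; unlike a full sync it only plans the `pts adduser`/`pts removeuser` commands and refuses to mass-remove members when the external source comes back empty, which is the failure mode that deprovisioning scripts most need to guard against.

```python
"""Reconcile AFS PTS group membership against external data with expiry dates.

Added example, not the ldap2pts tool. Assumes the `pts membership` output
format shown in the constructed sample below and the standard
`pts adduser -user X -group G` / `pts removeuser -user X -group G` syntax.
"""
from datetime import date
import re
import subprocess

# Constructed external records (the kind of rows LDAP or SQL would return):
# which groups a user belongs to and when that affiliation ends (None = never).
EXTERNAL_RECORDS = [
    {"user": "alice", "groups": ["dept:students"], "expires": "2011-06-30"},
    {"user": "bob",   "groups": ["dept:students"], "expires": "2010-12-31"},
    {"user": "carol", "groups": ["dept:students", "dept:staff"], "expires": None},
]

# Constructed sample of `pts membership dept:students` output.
PTS_MEMBERSHIP_OUTPUT = """Members of dept:students (id: -210) are:
  bob
  carol
  dave
"""


def desired_members(records, group, as_of):
    """Users the external data says belong in `group` on date `as_of`.

    A record without an expiry never expires; an expiry on or before `as_of`
    means the affiliation has ended and the user must not be a member.
    """
    wanted = set()
    for rec in records:
        if group not in rec["groups"]:
            continue
        exp = rec["expires"]
        if exp is not None and date.fromisoformat(exp) <= as_of:
            continue
        wanted.add(rec["user"])
    return wanted


def parse_pts_membership(output):
    """Screen-scrape `pts membership <group>`: a header line, then one
    indented member name per line. Rejects anything that does not look
    like that header so a pts error message is never mistaken for an
    empty group."""
    lines = output.splitlines()
    if not lines or not re.match(r"Members of .+ \(id: -?\d+\) are:", lines[0]):
        raise ValueError("unexpected pts membership output")
    return {ln.strip() for ln in lines[1:] if ln.strip()}


def plan_changes(group, current, wanted, max_removals=10):
    """Return the pts commands (argv lists) that move `current` to `wanted`.

    Safety rails: an empty desired set against a non-empty group, or more
    removals than `max_removals`, almost always means the external query
    failed rather than that everyone left, so refuse instead of wiping
    the group.
    """
    to_add = sorted(wanted - current)
    to_remove = sorted(current - wanted)
    if current and not wanted:
        raise RuntimeError(f"{group}: external source returned no members; refusing")
    if len(to_remove) > max_removals:
        raise RuntimeError(f"{group}: {len(to_remove)} removals exceeds limit; refusing")
    cmds = [["pts", "adduser", "-user", u, "-group", group] for u in to_add]
    cmds += [["pts", "removeuser", "-user", u, "-group", group] for u in to_remove]
    return cmds


def run_plan(cmds, execute=False):
    """Dry-run by default; only calls pts when execute=True."""
    for argv in cmds:
        print(" ".join(argv))
        if execute:
            subprocess.run(argv, check=True)
    return len(cmds)


def sync_group(group, records, membership_output, as_of, execute=False):
    """One reconciliation pass for a single group."""
    wanted = desired_members(records, group, as_of)
    current = parse_pts_membership(membership_output)
    return run_plan(plan_changes(group, current, wanted), execute=execute)


if __name__ == "__main__":
    # In a real run, membership_output would come from
    # subprocess.run(["pts", "membership", group], capture_output=True, text=True).stdout
    sync_group("dept:students", EXTERNAL_RECORDS, PTS_MEMBERSHIP_OUTPUT,
               as_of=date(2011, 1, 21))
```

Running it as of 2011-01-21 plans one `pts adduser` for alice (affiliation still valid) and `pts removeuser` for bob (expired 2010-12-31) and dave (not in the external data at all). Per-group comparisons like this are still the full LDAP-versus-PTS diff that the reply above calls out as the scaling limit; consuming an accesslog instead would only feed changed entries into the same `plan_changes` step.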