[OpenAFS] PTS membership (or existence) based on external
Fri, 21 Jan 2011 11:49:56 -0500 (EST)
On 2011-01-21 at 11:36, Stephen Joyce ( firstname.lastname@example.org ) said:
> Has anyone written a script or utility to add/remove PTS entries (either
> membership in PTS groups or actual existence of the PTS user account would be
> acceptable) from an external database, based on date?
> My AFS cell is in the middle of transitioning from authenticating against a
> departmental KRB5 realm to authenticating against a central University-wide
> KRB5 realm. I'd like to be able to continue to have the ability to expire
> students' access to resources automatically--when their affiliation with the
> Department expires: at the end of a semester, research project, etc.
> So I thought I'd ask if anyone has an in-house tool, querying expiration
> dates from an external source such as a non-authoritative KDC, SQL, etc) and
> is willing to share, before I possibly reinvent the wheel.
This is what we use:
It's not perfect, is very specific to our site, has at least one bug that
needs to be fixed (owner of user:group groups needs to match the
username), screen scrapes all of the pts commands, is an example of some
non-ideal Perl programming, and won't scale too well. We run it once every
10 minutes, but we only have 259 accounts and 92 groups, so it may only
take on the order of 30 seconds to run (on a SunFire V100). I wanted to
add support for parsing the output of an openldap accesslog so it syncs in
almost real-time and doesn't have to compare all of ldap against all of
Anyway, might give you some different ideas.