adname

#!/usr/bin/env bash

set -o errexit \
    -o pipefail \
    -o nounset

# Command deps
ldapsearch_path="/usr/bin/ldapsearch"
getopt_path="/usr/bin/getopt"
command -v "$ldapsearch_path" >/dev/null
command -v "$getopt_path" >/dev/null

help_message="
usage: adname [<flags>] <term>...

A script to quickly query Active Directory for user and group data.

Flags:
  -h, --help                   Show this help.
  -d, --debug                  Debug mode.
  -k, --insecure               Insecurely ignore server certificate. (Current Default)
  -x, --secure                 Don't ignore server certificate.
  -f, --search-field=\"CN\"      Field to search on. (e.g. mail, memberOf, sn)
  -m, --mail                   Special mail mode: searches both email fields. (Overrides -f)
  -s, --server=\"ldaps://ldap-auth-ad-slb.ucl.ac.uk:636/\"  
                               URL of the LDAP/AD server to connect to.
  -u, --user=\"AD\\sa-ritsldap01\"  
                               User to authenticate to the server with. (\"Bind\" user.)
  -p, --password=\"\"          Password to authenticate to the server with. (\"Bind\" password.)
  -P, --passfile=FILE          File to get password from. (Default: first of ~/.adpw /shared/ucl/etc/adpw)
  -b, --base=\"DC=ad,DC=ucl,DC=ac,DC=uk\"  
                               Search base in the LDAP tree.
  -o, --output=OUTPUT          Comma-separated fields to show in output. (Default: all)

Args:
  <term>  Search term (e.g. a username or group name).

Examples:
  adname ccspapp    Search for any objects named ccspapp (should turn up the service account user).
  adname ccsprcop   Search for any objects named ccsprcop (should turn up the group).

  adname -o member ccsprcop
                    Search for any objects named ccsprcop, only showing the member fields. 

  adname -f mail i.kirker@ucl.ac.uk   
                    Search for any objects with the *primary* email address as shown.
  
  adname -f proxyAddresses smtp:i.kirker@ucl.ac.uk  
                    A slightly more thorough search: goes through e.g. alumnus
                     addresses and any alternatives.

  adname -m i.kirker@ucl.ac.uk
                    Uses special mail mode to search both email fields (mail and proxyAddresses).

  adname -f employeeID ikirk33
                    Search for any objects with a UPI (stored under employeeID in AD) of ikirk33.
"

function show_help_and_exit() {
    printf "%s" "$help_message"
    exit "${1:-0}"
}

canonical_args="$(
/usr/bin/getopt \
    -n adname \
    -l "help,debug,insecure,secure,search-field:,mail,server:,hostname:,user:,password::,passfile:,base:,output:" \
    -o "hdukxf:ms:u:p::P:b:o:" \
    -- \
    "$@"
)"


eval set -- "$canonical_args"

# Defaults
debug_mode="false"
check_cert="false"
search_key="CN"
ldap_uri="ldaps://ldap-auth-ad-slb.ucl.ac.uk:636/"
user="AD\\sa-ritsldap01"
password=""
prompt_for_password="false"
pass_file=""
search_base="DC=ad,DC=ucl,DC=ac,DC=uk"
output_fields=""
mail_mode="false"

while true ; do
    case "$1" in
        -h|--help) show_help_and_exit; shift ;;
        -d|--debug) debug_mode="true"; shift ;;
        -k|--insecure) check_cert="false"; shift ;;
        -x|--secure) check_cert="true"; shift ;;
        -f|--search-field) search_key="$2"; shift 2 ;;
        -m|--mail) mail_mode="true"; shift ;;
        -s|--server|--hostname) ldap_uri="$2"; shift 2 ;;
        -u|--user) user="$2"; shift 2 ;;
        -p|--password)
            # c has an optional argument. As we are in quoted mode,
            # an empty parameter will be generated if its optional
            # argument is not found.
            case "$2" in
                "") password=""; prompt_for_password="true"; shift 2 ;;
                *) password="$2" ; shift 2 ;;
            esac ;;
        -P|--passfile) pass_file="$2"; shift 2 ;;
        -b|--base) search_base="$2"; shift 2 ;;
        -o|--output) output_fields="$2"; shift 2 ;;
        --) shift ; break ;;
        *) echo "Error: invalid argument '$1'" ; exit 1 ;;
    esac
done

if [[ $# -eq 0 ]]; then
    show_help_and_exit 1
fi

if [[ "$check_cert" == "false" ]]; then
    export LDAPTLS_REQCERT=never
else
    export LDAPTLS_REQCERT=demand
fi

if [[ -z "$password" ]]; then
    if [[ "$prompt_for_password" == "true" ]]; then
        read -rsp "Please enter password for LDAP Bind User: " password
    else
        if [[ -z "${pass_file:-}" ]]; then
            if [[ -r "$HOME/.adname_ad_pass" ]]; then
                password="$(cat "$HOME/.adname_ad_pass")"
            elif [[ -r "/shared/ucl/etc/adpw" ]]; then
                password="$(cat /shared/ucl/etc/adpw)"
            else
                echo "Error: no ~/.adname_ad_pass or /shared/ucl/etc/adpw file was readable" >&2
                exit 2
            fi
        else
            if [[ -r "$pass_file" ]]; then
                password="$(cat "$pass_file")"
            else
                echo "Error: pass file could not be read: $pass_file" >&2
                exit 2
            fi
        fi
    fi
fi

for name in "$@"; do
    ldap_rdn="$search_base"

    ldap_bind_user="$user"
    ldap_password="$password"
    ldap_rdn="$search_base"

    if [[ "$mail_mode" == "true" ]]; then
        ldap_search_term="(|(mail=${name})(proxyAddresses=smtp:${name}))"
    else
        ldap_search_term="(${search_key}=${name})"
    fi

    if [[ "$debug_mode" == "true" ]]; then
        ldapsearch_args=("-d5" "-Epr=2147483647/noprompt" "-v" "-x" "-LLL" "-w$ldap_password" "-H$ldap_uri" "-b$ldap_rdn" "-D$ldap_bind_user" "$ldap_search_term")
    else
        ldapsearch_args=("-x" "-Epr=2147483647/noprompt" "-LLL" "-w$ldap_password" "-H$ldap_uri" "-b$ldap_rdn" "-D$ldap_bind_user" "$ldap_search_term")
    fi

    if [[ "$debug_mode" == "true" ]]; then 
        echo "Debug: ldapsearch path is: $ldapsearch_path" >&2
        echo "Debug: ldapsearch arguments are: ${ldapsearch_args[*]}" >&2
    fi

    if [[ "$debug_mode" == "true" ]]; then
        set -x
    fi

    # Have to set the NSS_HASH_ALT_SUPPORT environment variable to 
    #  allow MD5 as a cert hash algorithm. Broken in RHEL6.5->6.6 change. Wooooo.
    # The cryptic perl expression removes wrapping 
    if [[ "$debug_mode" == "true" ]]; then
        echo "Debug: command to run: NSS_HASH_ALG_SUPPORT=+MD5 $ldapsearch_path" "${ldapsearch_args[@]}"
    fi

    if [[ "$output_fields" == "" ]]; then
        search_result=$(NSS_HASH_ALG_SUPPORT=+MD5 $ldapsearch_path "${ldapsearch_args[@]}" | perl -p00e 's/\r?\n //g')
    else
        grep_pattern="^(${output_fields//,/|}):"
        search_result=$(NSS_HASH_ALG_SUPPORT=+MD5 $ldapsearch_path "${ldapsearch_args[@]}" | perl -p00e 's/\r?\n //g' | grep -E -e "$grep_pattern")
    fi

    if [[ "$debug_mode" == "true" ]]; then
        set +x
    fi
    # And that's us done with LDAP


    if [[ -n "$search_result" ]]; then
        if [[ $# -gt 1 ]]; then
            echo "${name}: ${search_result}"
        else
            echo "${search_result}"
        fi
    else
        echo "Error: no user found for username \"${name}\"" >&2
    fi
done