## Report Users with UID >= 1000

I decided to take a more complex approach with this task than would be necessary on a "standard" Linux installation to make the script more robust. It still has some tweaks that would need to be made on a University domain-joined computer (namely, checking the `lastlog` command and only printing users who have actually logged in, depending on the purpose of the report, since otherwise it would include _all_ accounts, as LDAP providers usually handle authorization independently of user enumeration and authentication). However, for smaller lists of centralized users, or for a system that makes heavy use of ephemeral users managed by `systemd`, this script will work.

I did this mainly because I use centralized authentication on my personal computers (mainly for synchronization of user IDs for NFS reasons), so I wanted to make sure I didn't provide a script that wouldn't even function on my own computers. It is, admittedly, less valuable to parse `getent passwd` enumeration when working with a large number of users in the central auth server.

However, what I see as the main purpose of a report like this -- getting a list of people who can log into a server -- would be better accomplished by checking the LDAP settings on said server and doing a manual LDAP search based on those settings. That way, you wouldn't have to filter out all the users that are not allowed to log in (and will be blocked at the authorization stage by the PAM `account` LDAP module) but can still be resolved.

As for some design decisions I made:

- I use `awk` to do the filtering, rather than a shell `if` statement, because I'm already using it to format the output. The `cut` command would work for extracting the fields, but can't format the output in one go like `awk` can.
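
The filter-and-format approach from the design note above, as an added example (not the author's script): a single `awk` pass over passwd-format input selects UIDs >= 1000 and prints the report. The function names, the constructed sample accounts and the shell-based `no-shell` flag are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the author's script. Names and sample data are hypothetical.

# report_users [MIN_UID]
# Reads passwd(5)-format lines on stdin and prints one formatted row per
# account whose UID is >= MIN_UID (default 1000), followed by a count.
report_users() {
    min_uid="${1:-1000}"
    awk -F: -v min="$min_uid" '
        # Skip malformed entries: passwd(5) lines have 7 fields and a numeric UID.
        NF != 7 || $3 !~ /^[0-9]+$/ { next }
        # Field 3 is the UID; adding 0 forces a numeric comparison.
        ($3 + 0) >= min {
            # Assumption: a nologin/false shell marks a non-interactive account.
            login = ($7 ~ /(nologin|false)$/) ? "no-shell" : "shell"
            # Filtering and formatting happen in the same pass.
            printf "%-16s %6d  %-10s %s\n", $1, $3, login, $6
            n++
        }
        END { printf "%d account(s) with UID >= %d\n", n, min }
    '
}

# Constructed sample input (not real accounts): system users, two regular
# users, one systemd-style ephemeral user, and one malformed line.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
bob:x:1001:1001:Bob Example:/home/bob:/usr/sbin/nologin
dyn-worker:*:61234:61234:Dynamic User:/:/usr/sbin/nologin
broken:line
EOF
}

# Demonstration on the constructed sample.
sample_passwd | report_users 1000
```

On a live system, feed the function with `getent passwd | report_users` so that centrally managed and `systemd`-managed accounts are included alongside `/etc/passwd`.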