Member Avatar for mo_show_me

Background: Minimal experience with Perl and none with Expect. We have 1,000's of users. 150+ Unix servers (Primarily AIX, some Solaris, and a couple of HP-UX). NIS is not an option and neither is purchasing a commercial product. The team (40 staff) has to maintain our own ID's across all the servers, plus perform account creations and password maintenance for all internal clients across the same servers. It's a nightmare and time consuming to say the least. Trying to build a process that we can run from our desktops through Cygwin. We must use ssh to connect to each server. My thought is to use Perl and Expect to automate the process.

Looking For: Some guidance and code snippets or base script from which to build on. In short, I know what I want to do, but I'm not sure how to go about it.

Pseudo Code: (All of the below actions (successes, failures, etc.) need to written to a log for audit purposes. Would create a file containing server names, ID's, UID's for new account creations, unlock ID only flag, old password for existing and new password for new ID's or separate files for each)

Connect to server
Connection successful?
Yes, continue.
No, try next server.
Does ID already exist?
Yes, is account locked?
Yes, unlock account.
Does client want password reset?
Yes, reset password.
No, go to next server.
No, reset password.
No, create account and and set new temp password.
Go to next server and repeat process until all servers have been looped thru.
Thanks in advance!!

  • 3 Contributors
  • 2 Replies
  • 205 Views
  • 1 Day Discussion Span
  • Latest Post Latest Post by masijade
Member Avatar for MattEvans

i know it's the ultimate cliché advice, but try searching for how to do each part on google/etc.

how do you want to connect to the servers? if you can do these things by getting into a servers filesystem, an ftp connection could work.. you'd be able to audit centralized then. there's guaranteed to be an FTP package on CPAN (http://www.cpan.org/)

If you control a physical or virtual link between the servers filesystems, you could write a script that just jumps around between them doing these things. that's preferable to an FTP connection.

Or if they're not linked and you need to execute system commands, install your perl script on each server, daemonize it to listen to a port, and invoke and control it via a telnet connection from the auditing server. that's a risky business though, and it'd probably take you longer to make it safe and configure it than it would to go round to each server and personally make the changes. alternatively, install your script on each server and invoke it via a HTTP request. you'll have alot of data flying around in order to keep a centralized audit, and it's as risky as running telnet daemons...

well, thats some issues to consider with the "connect" part.

EDIT:

SSH

- didn't even know what that was until I re-read your post and researched it; the same applies though, if you can find a module at CPAN (address above) to handle the SSH FTP or SSH shell connection (and probably provide helper functions aswell), the rest should be simple.

Member Avatar for masijade

There is a Net::SSH CPAN module that is easy to install, and needs a preinstalled OpenSSH, and I don't think it can do SFTP. There is also the module Net::SSH::Perl. This module does not need a preinstalled OpenSSH (or any other other SSH install), but it does need a whole slew of other CPAN modules (various encryption and MessageDigest Modules).
There is also a Net::SFTP Module, but this modules relies on the Net::SSH::Perl Module, so have fun, since, like I said, There are a whole slew of Modules that Net::SSH::Perl needs, and one of them only compiles "directly out of the box" on Linux. If you have Solaris (or other Unix flavors) you will need to change a few lines in one of the C Code files to get it to work (or at least that is the way it was when I downloaded it last a couple of years ago). It is one of the encryption modules, it uses some "endian" variable names that differ from system to system, and this is what needs to be changed.

Sorry about that big run on paragraph above, I got a bit long winded.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.