
  1. #!/bin/bash
  2. #This script will check to see if a user has an OTP token, and if not, create one and email the QR Code to the user
  3. #Set Variables
  4. #ARN of the secret which stores the FreeIPA Login credentials
  5. AWS_SECRET_ARN=ARN of an AWS Secret holding your IPA user creds
  6. #Email address to notify
  7. NOTIFY_EMAIL=freeipa-support@domain.com
  8. #IPA User, parsed from the secret
  9. IPA_USER=$(aws secretsmanager get-secret-value --secret-id $AWS_SECRET_ARN | jq -r .SecretString| jq -r .username)
  10. #IPA Password, parsed from the secret
  11. IPA_PASSWORD=$(aws secretsmanager get-secret-value --secret-id $AWS_SECRET_ARN | jq -r .SecretString| jq -r .password)
  12. #IPA Server URL
  13. IPA_URL=ipa-master.ipa.domain.com
  14. #From email
  15. FROM_EMAIL="freeipa-noreply@domain.com"
  16. #Set mail html file name
  17. MAILFILE=/tmp/otptokenmail.html
  18. #Set QR Code image file name
  19. QRFILE=/tmp/otptokenqr.png
  20. #Set kerberos ticket
  21. echo $IPA_PASSWORD | kinit $IPA_USER
  22. #List users not in service account groups
  23. USERS=$(ipa user-find --not-in-groups=service-accounts --not-in-groups=admin-svc-accts --disabled=false | grep "User login:" | awk '{print $NF}')
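#######################################
# Create an OTP token for one IPA user and mail them the enrolment QR code,
# then notify NOTIFY_EMAIL that it was done.
#
# The otpauth:// URI returned by otptoken-add IS the shared token secret:
# whoever can read it (mail in transit, the mailbox, a leftover file) can
# generate valid codes.  Sending it by e-mail is the script's design and is
# kept, but the QR image now lives only briefly in a private mktemp file
# instead of a fixed, predictable /tmp path, and the HTML body is never
# written to disk at all.
#
# Globals:   USER (read when $1 is absent), FROM_EMAIL, NOTIFY_EMAIL (read)
# Arguments: $1 - IPA login to enrol (optional; defaults to $USER, which is
#                 how the loop at the bottom of the script calls it)
# Outputs:   errors on stderr
# Returns:   0 when a token was created and both mails were handed to
#            sendmail; 1 when the user has no e-mail address, no scratch
#            file could be made, or otptoken-add failed.  In the two first
#            cases no token is created.
#######################################
create_otptoken()
{
  local user=${1:-$USER}
  local user_email qrfile token_uri uri_html html_body subject

  # Resolve the recipient with user-show, which matches the login exactly.
  # user-find treats its argument as a substring search over several
  # attributes, so "bob" would also match "bobby" and the secret could be
  # mailed to the wrong mailbox.  Only the first listed address is used.
  user_email=$(ipa user-show "$user" \
    | awk -F': ' '/^ *Email address:/ { split($2, a, /, */); print a[1]; exit }')
  if [[ -z $user_email ]]; then
    echo "No e-mail address found for $user; not creating a token." >&2
    return 1
  fi

  # Private (0600) scratch file for the PNG, created before the token so a
  # failure here does not leave a token the user was never told about.
  qrfile=$(mktemp) || {
    echo "mktemp failed; not creating a token for $user." >&2
    return 1
  }

  # --no-qrcode keeps the ASCII-art QR out of the output; only the "URI:"
  # line is needed.
  token_uri=$(ipa otptoken-add --owner="$user" --no-qrcode \
      --desc="Created Automatically by Ansible on $(date +"%Y-%m-%d_%H-%M-%S")" \
    | awk '/^ *URI:/ { print $NF; exit }')
  if [[ -z $token_uri ]]; then
    echo "ipa otptoken-add failed for $user; no token created." >&2
    rm -f -- "$qrfile"
    return 1
  fi

  /usr/local/bin/qr "$token_uri" > "$qrfile"

  # The URI carries '&'-separated query parameters; escape them so the link
  # is displayed verbatim by an HTML renderer.
  uri_html=${token_uri//&/"&amp;"}
  html_body=$(cat <<EOF
<p>
Congratulations, a new OTP Token has been created for your use in the FreeIPA authentication system.
</p>
<p>
Please scan the attached QR code with the OTP Mobile Application on your device of choice.
</p>
<p>
If the above does not work, try this link: ${uri_html}
</p>
EOF
)

  subject="FreeIPA OTP Token Created for $user"

  # sendmail -t takes the recipient from the To: header.  The blank lines
  # after the top-level headers and after each part's headers are required
  # by RFC 5322 / RFC 2045; without them the boundary and the base64 image
  # are read as malformed header lines and the attachment is lost.
  sendmail -t <<EOF
Subject: ${subject}
From: ${FROM_EMAIL}
To: ${user_email}
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="OTPEMAIL"

--OTPEMAIL
Content-Type: text/html; charset="utf-8"

${html_body}
--OTPEMAIL
Content-Type: image/png;name="otpqr.png"
Content-Transfer-Encoding: base64
Content-ID: <part1.06090408.01060107>
Content-Disposition: inline; filename="otpqr.png"

$(base64 "$qrfile")
--OTPEMAIL--
EOF

  # The PNG holds the secret; remove it as soon as it has been sent.
  rm -f -- "$qrfile"

  # Tell support that the user was enrolled (no secret in this one).
  sendmail -t <<EOF
Subject: ${subject}
From: ${FROM_EMAIL}
To: ${NOTIFY_EMAIL}
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="OTPEMAIL"

--OTPEMAIL
Content-Type: text/html; charset="utf-8"

A new OTP Token has been created for ${user}, and information has been emailed to them.
--OTPEMAIL--
EOF
}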
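# Enrol every user that does not have a token yet.  USERS is a whitespace
# separated list of logins, so word-splitting is intended here.
# shellcheck disable=SC2086
for USER in $USERS; do
  # otptoken-find exits 0 when at least one token matched and 1 when none
  # did.  Any other status means the lookup itself failed (expired ticket,
  # unreachable server); treating that as "no token" would mint a duplicate
  # token and mail a new secret to someone who already has one.
  ipa otptoken-find --owner="$USER" > /dev/null
  otp_ec=$?
  if [[ $otp_ec -eq 0 ]]; then
    echo "$USER has a token, no need to create a new one."
  elif [[ $otp_ec -eq 1 ]]; then
    echo "No token found for $USER, creating one and sending it to the user..."
    create_otptoken
  else
    echo "Could not query OTP tokens for $USER (ipa exit status $otp_ec); skipping." >&2
  fi
done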