Find LDAP groups with obsolete users

OpenLDAP has a nice "feature" that allows group members to continue to exist even after the user entry itself has been deleted. Really handy! The problem is that if you, say, have a user in the "Domain Admins" group, delete that account, and later some normal user comes along and is given the same username, that new user ends up with unexpected elevated privileges.

So I created a script that I run weekly that finds group members that no longer exist, and sends me a report. It also tells me which groups are empty.

This relies on my toolbox... Find it here.


#!/usr/bin/perl

use strict;
use warnings;

# ldapBindAnon, getUserList, getGroupList, getGroupMembers, genDate,
# sendMailToUser and unbindLdap come from the toolbox linked above.
require '/path/to/subs.pl';

my %groups;     # group name -> list of member uids
my %invalid;    # group name -> members with no matching user entry
my @output;
my $admin = "somebody\@example.com";
my $date  = genDate();

ldapBindAnon();
my @userList  = getUserList();
my @groupList = getGroupList();

# Index the existing uids so membership is checked by exact match; a
# substring/regex comparison would let "bob" validate a member "bobby".
my %userExists = map { $_ => 1 } @userList;

foreach my $group (@groupList) {
    @{ $groups{$group} } = getGroupMembers($group);
    foreach my $member (@{ $groups{$group} }) {
        push @{ $invalid{$group} }, $member unless $userExists{$member};
    }
}

# Groups that still reference deleted users, one member per line.
foreach my $invalidGroup (sort keys %invalid) {
    push @output, "$invalidGroup\n";
    foreach my $member (@{ $invalid{$invalidGroup} }) {
        push @output, "\t$member\n";
    }
    push @output, "\n";
}

# Groups with no members at all.
foreach my $group (@groupList) {
    unless (@{ $groups{$group} }) {
        push @output, "$group has no members\n";
    }
}

my $subject = "Group Cleanup Report for $date";
sendMailToUser($admin, $admin, "", "", $subject, @output);

unbindLdap();
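The same audit, as an added example rather than the toolbox script above, written in Python so it runs offline against an LDIF dump (the shape `ldapsearch -LLL` produces) instead of a live bind. The sample LDIF, the `example.com` suffix and the user and group names are all constructed for the example. It goes one step beyond the script by also handling `groupOfNames` entries, whose `member` values are DNs rather than login names, and it checks `memberUid` by exact equality, so an existing "bob" does not vouch for an orphaned "bobby".

```python
import base64
from collections import defaultdict

# Constructed sample dump: carol and dave no longer exist but are still members,
# dev is empty, and bobby must not pass just because bob exists.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob

dn: cn=admins,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: admins
memberUid: alice
memberUid: carol

dn: cn=users,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: users
memberUid: bob
memberUid: bobby

dn: cn=dev,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: dev

dn: cn=ops,ou=Group,dc=example,dc=com
objectClass: groupOfNames
cn: ops
member: uid=alice,ou=People,dc=example,dc=com
member: uid=dave,ou=People,dc=example,dc=com
"""


def parse_ldif(text):
    """Parse LDIF content entries into [{attr (lowercased): [values]}]."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold a continuation line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():                # blank line ends an entry
            if current is not None:
                entries.append(current)
            current = None
        elif not line.startswith("#"):      # skip comments
            attr, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: <base64>"
                value = base64.b64decode(value[1:]).decode("utf-8")
            else:
                value = value.strip()
            if current is None:
                current = defaultdict(list)
            current[attr.strip().lower()].append(value)
    if current is not None:
        entries.append(current)
    return entries


def _has_class(entry, name):
    return name.lower() in (c.lower() for c in entry.get("objectclass", []))


def audit_groups(entries):
    """Return ({group: sorted orphaned members}, [empty groups]); a memberUid
    must equal an existing posixAccount uid, a member DN must be an entry."""
    uids = {e["uid"][0] for e in entries if _has_class(e, "posixAccount")}
    dns = {e["dn"][0].lower() for e in entries}
    orphans, empty = {}, []
    for e in entries:
        if _has_class(e, "posixGroup"):
            members = e.get("memberuid", [])
            missing = [m for m in members if m not in uids]
        elif _has_class(e, "groupOfNames"):
            members = e.get("member", [])
            missing = [m for m in members if m.lower() not in dns]
        else:
            continue
        if not members:
            empty.append(e["cn"][0])
        elif missing:
            orphans[e["cn"][0]] = sorted(missing)
    return orphans, empty


if __name__ == "__main__":
    orphans, empty = audit_groups(parse_ldif(SAMPLE_LDIF))
    for group, members in sorted(orphans.items()):
        print(group, *members, sep="\n\t")
    for group in empty:
        print(f"{group} has no members")
```

To run it against a real directory, dump the people and group subtrees with `ldapsearch -LLL -x -b "dc=example,dc=com"` (adjusting the base DN) into a file and pass its contents to `parse_ldif`. Note that OpenLDAP's refint overlay, where enabled, removes dangling DN-valued `member` references when an entry is deleted, but it does nothing for `memberUid`, which is a plain string, so a weekly sweep like this remains the only check for posixGroup membership.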