I decided that it would be helpful to produce a monthly report about our Identity Vault and its accounts and groups, so I began to write a shell script to produce it. To start with, if you want to know how many total accounts you have, you can learn this with an ldapsearch command like this (every matching entry produces one "dn:" line, so counting those lines counts the entries):

ldapsearch -x -h duidv7.davenport.edu -b "ou=Active,o=DU" -s sub -D "cn=LDAP,o=services" -w password "(objectclass=inetOrgPerson)" dn | grep ^dn: | wc -l

In my vault this number is so large that I needed to format it to be readable. This command adds the thousands separators (commas) so the count is easier to read:

LC_NUMERIC=en_US printf "%'.f\n" "$TOTAL"

To learn how many groups I have, it's another simple ldapsearch:

ldapsearch -x -h duidv7.davenport.edu -b "ou=Groups,o=DU" -s sub -D "cn=LDAP,o=services" -w password "(objectclass=groupOfNames)" dn | grep ^dn: | wc -l

Next I wanted to know how many accounts were created in the last year. To do this you first need to create two variables to build the ldapsearch filter. The first is the date one year ago, formatted the way LDAP stores timestamps:

date_365days=$(date --date="365 days ago" +"%Y%m%d")

The second is the time portion of the timestamp. It can always be the same no matter what you search for, so I made it a separate variable:

timeadds="000000Z"

So now for the LDAP search to find accounts created in the last year.

ldapsearch -x -h duidv7.davenport.edu -b "ou=Active,o=DU" -s sub -D "cn=LDAP,o=services" -w password "(&(objectclass=inetOrgPerson)(createTimestamp>=$date_365days$timeadds))" dn | grep ^dn: | wc -l

We can use the same two variables to learn how many users have logged in during the last year:

ldapsearch -x -h duidv7.davenport.edu -b "ou=Active,o=DU" -s sub -D "cn=LDAP,o=services" -w password "(&(objectclass=inetOrgPerson)(lastLoginTime>=$date_365days$timeadds))" dn | grep ^dn: | wc -l

I wanted to know how many Employee email accounts I had, so here is another ldapsearch. The attribute it tests (staffEmailShort) is customized in my schema; you will need to use yours for your search:

ldapsearch -x -h duidv7.davenport.edu -b "ou=Active,o=DU" -s sub -D "cn=LDAP,o=services" -w password "(&(objectclass=inetOrgPerson)(staffEmailShort=*))" dn | grep ^dn: | wc -l

I wanted to know how many Active Directory accounts we had. I did this search based on the IDM role object; yours will be different:

ldapsearch -x -h duidv7.davenport.edu -b "ou=Active,o=DU" -s sub -D "cn=LDAP,o=services" -w password "(&(objectclass=inetOrgPerson)(nrfMemberOf=cn=WorkstationLogin,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet1,o=services))" dn | grep ^dn: | wc -l

We use roles, and I wanted to see how many accounts were in each role. Here is the search on the attribute we have customized for roles:

ldapsearch -x -h duidv7.davenport.edu -b "ou=Active,o=DU" -s sub -D "cn=LDAP,o=services" -w password "(davenportPersonInstitutionRoles=*Faculty*)" dn | grep ^dn: | wc -l

I did a similar search for all of my roles.
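All of the searches above share one pattern: ldapsearch returns LDIF and the count is the number of "dn:" lines. As an added example (not part of the original post), here is that pipeline wrapped in shell functions, fed with a constructed LDIF sample so it runs offline. It also catches the case where the server stops at its size limit (result code 4), which the plain grep | wc -l pipeline would turn into a silently low count. The function and variable names (ldap_since, created_since_filter, count_entries, SAMPLE_LDIF) are mine.

```bash
#!/bin/bash
# Added example: helpers for the "ldapsearch ... dn | grep ^dn: | wc -l" pattern.
# In the report script the pipeline becomes:  ldapsearch ... dn | count_entries

# LDAP generalized time for midnight UTC of a YYYYMMDD date, i.e. the
# "$date_365days$timeadds" value from the post. The date is a parameter so the
# function is deterministic; pass "$(date --date='365 days ago' +%Y%m%d)".
ldap_since() {
    printf '%s000000Z\n' "$1"
}

# The "accounts created since <date>" filter used in the post.
created_since_filter() {
    printf '(&(objectclass=inetOrgPerson)(createTimestamp>=%s))\n' "$(ldap_since "$1")"
}

# Count entries in ldapsearch LDIF read from stdin: one "dn:" line per entry
# ("dn::" marks a base64-encoded DN and is counted too). If the result line
# reports code 4 (size limit exceeded) the server stopped early, so the count
# is only a lower bound: say so and exit non-zero rather than report it as fact.
count_entries() {
    awk '
        /^dn:/        { n++ }
        /^result: 4 / { truncated = 1 }
        END {
            if (truncated) { print "TRUNCATED " n; exit 1 }
            print n + 0
        }'
}

# Constructed sample of what ldapsearch prints for two matching entries
# (not real directory data; the second DN is base64 for cn=bob,ou=Active,o=DU).
SAMPLE_LDIF='dn: cn=alice,ou=Active,o=DU
objectClass: inetOrgPerson

dn:: Y249Ym9iLG91PUFjdGl2ZSxvPURV
objectClass: inetOrgPerson

# search result
search: 2
result: 0 Success
'

printf '%s' "$SAMPLE_LDIF" | count_entries
```

A truncated search shows up as "TRUNCATED <n>" on stdout and a non-zero exit status, so a cron job can notice it instead of mailing out an undercount.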

Here is the email it produced:

Report

Here is the complete shell script I wrote:

#!/bin/bash
# The output file holds the whole SMTP session (envelope, headers, HTML body); it is piped to the mail server at the end.
out=/root/bin/report/count.html
oneyear=$(date --date="365 days ago" +"%Y%m%d")
oneday=$(date --date="1 days ago" +"%Y%m%d")
onemonth=$(date --date="30 days ago" +"%Y%m%d")
timeadds="000000Z"
NOW=$(date)
thismonth=$(date +"%B")
ldapserver="duidv7.davenport.edu"
usersearchbase="ou=Active,o=DU"
ldapbinduser="cn=LDAP,o=services"
# Placeholder. -w puts the password on the command line, where it shows up in the process list;
# OpenLDAP's ldapsearch can read it from a file with -y instead, and -ZZ forces StartTLS so the
# simple bind (-x) does not cross the network in clear text.
ldapbindpassword="password"
rm -f $out
cd /root/bin/report

# Count the entries under base $1 that match filter $2 (one "dn:" line per entry).
count() {
    ldapsearch -x -h "$ldapserver" -b "$1" -s sub -D "$ldapbinduser" -w "$ldapbindpassword" "$2" dn | grep -c '^dn:'
}
# Add thousands separators to a count (needs the en_US locale to be installed).
fmt() {
    LC_NUMERIC=en_US printf "%'.f\n" "$1"
}
# Formatted count.
fcount() {
    fmt "$(count "$1" "$2")"
}
# List the cn values of the entries under base $1 that match filter $2, one per line.
names() {
    ldapsearch -x -h "$ldapserver" -b "$1" -s sub -D "$ldapbinduser" -w "$ldapbindpassword" "$2" cn | grep '^cn:' | sed 's/^cn: *//'
}

DRIVERNAME=$(names "cn=DriverSet1,o=services" "(objectclass=DirXML-Driver)")
RULECOUNT=$(count "cn=DriverSet1,o=services" "(objectclass=DirXML-Rule)")
MAPPINGTABLENAMES=$(names "cn=DriverSet1,o=services" "(DirXML-ContentType=application/vnd.novell.dirxml.mapping-table+xml ;charset=UTF-8)")
YEAR=$(fcount "$usersearchbase" "(&(objectclass=inetOrgPerson)(createTimestamp>=$oneyear$timeadds))")
MONTH=$(fcount "$usersearchbase" "(&(objectclass=inetOrgPerson)(createTimestamp>=$onemonth$timeadds))")
TOTAL=$(fcount "$usersearchbase" "(objectclass=inetOrgPerson)")
GROUP=$(fcount "ou=Groups,o=DU" "(objectclass=groupOfNames)")
ENABLED=$(fcount "$usersearchbase" "(&(objectclass=inetOrgPerson)(!(loginDisabled=TRUE)))")
DISABLED=$(fcount "$usersearchbase" "(&(objectclass=inetOrgPerson)(loginDisabled=TRUE))")
LOGIN=$(fcount "$usersearchbase" "(&(objectclass=inetOrgPerson)(lastLoginTime>=$oneyear$timeadds))")
LOGIN30=$(fcount "$usersearchbase" "(&(objectclass=inetOrgPerson)(lastLoginTime>=$onemonth$timeadds))")
LOGIN1=$(fcount "$usersearchbase" "(&(objectclass=inetOrgPerson)(lastLoginTime>=$oneday$timeadds))")
DMAIL=$(fcount "$usersearchbase" "(&(objectclass=inetOrgPerson)(staffEmailShort=*))")
PANTHERMAIL=$(fcount "$usersearchbase" "(&(objectclass=inetOrgPerson)(studentEmail=*))")
AD=$(fcount "$usersearchbase" "(&(objectclass=inetOrgPerson)(nrfMemberOf=cn=WorkstationLogin,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet1,o=services))")
SF=$(fcount "$usersearchbase" "(|(nrfMemberOf=cn=SalesForceRoleITAdministratorReadOnly,cn=Level30,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet1,o=services)(nrfMemberOf=cn=SalesForceUserAdmissionsRepresentative,cn=Level30,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet1,o=services)(nrfMemberOf=cn=SalesForceUserAdmissionsRepresentativeCallCenter,cn=Level30,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet1,o=services)(nrfMemberOf=cn=SalesForceUserAdmissionsRepresentativeCorporateContactRecruiter,cn=Level30,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet1,o=services)(nrfMemberOf=cn=SalesForceUserDirectorofAdm-withEmail,cn=Level30,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet1,o=services)(nrfMemberOf=cn=SalesForceUserDirectorofAdmissions,cn=Level30,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet1,o=services)(nrfMemberOf=cn=SalesForceUserITAdministrator,cn=Level30,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet1,o=services)(nrfMemberOf=cn=SalesForceUserMarketingandCommunications,cn=Level30,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet1,o=services)(nrfMemberOf=cn=SalesForceUserSystemAdministrator,cn=Level30,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet1,o=services))")
FACULTY=$(fcount "$usersearchbase" "(davenportPersonInstitutionRoles=*Faculty*)")
ADJUNCT=$(fcount "$usersearchbase" "(davenportPersonInstitutionRoles=*Adjunct*)")
STAFF=$(fcount "$usersearchbase" "(davenportPersonInstitutionRoles=*Staff*)")
OTHER=$(fcount "$usersearchbase" "(davenportPersonInstitutionRoles=*Other*)")
WorkStudy=$(fcount "$usersearchbase" "(davenportPersonInstitutionRoles=*Work-Study*)")
STUDENT=$(fcount "$usersearchbase" "(davenportPersonInstitutionRoles=*Student*)")
ALUMNI=$(fcount "$usersearchbase" "(davenportPersonInstitutionRoles=*Alumni*)")
PUBLIC=$(fcount "$usersearchbase" "(davenportPersonInstitutionRoles=*Public*)")
EVENT=$(fcount "$usersearchbase" "(davenportPersonInstitutionRoles=*Event*)")
VENDOR=$(fcount "$usersearchbase" "(davenportPersonInstitutionRoles=*Vendor*)")
PORTAL=$(fcount "$usersearchbase" "(davenportPersonInstitutionRoles=*Portal*)")
IPEX=$(fcount "$usersearchbase" "(davenportPersonInstitutionRoles=*IPEX*)")

# Build the SMTP session by hand: envelope commands, then the message (headers, blank line,
# HTML body), then the "." terminator. netcat streams the file without waiting for the server's
# replies, which works against a forgiving relay but is the first thing to check if mail stops arriving.
touch $out
{
echo "HELO $(hostname)"
echo "MAIL FROM:<Customer.SupportCenter@davenport>"
echo "RCPT TO:<abc@davenport.edu>"
echo "data"
echo "Content-Type: text/html; charset=\"us-ascii\""
echo "Subject: Identity Services Monthly Report for $thismonth"
echo ""
echo "<p>Identity Services Monthly Report for $NOW</p>"
echo "<ul><li>The total number of accounts is $TOTAL</li></ul>"
echo "<big>Login Enabled/Disabled.</big>"
echo "<ul>"
echo "<li>Login is Disabled on $DISABLED</li>"
echo "<li>Login is Enabled on $ENABLED</li>"
echo "</ul>"
echo "<big>Groups</big>"
echo "<ul><li>The Vault contains this many Groups $GROUP</li></ul>"
echo "<big>IDM Configuration</big>"
echo "<ul><li>The Drivers are named:</li>"
echo "<ul>"
printf '%s\n' "$DRIVERNAME" | sed 's#.*#<li>&</li>#'
echo "</ul></ul>"
echo "<ul><li>DU has this many rules in the Drivers above $RULECOUNT</li></ul>"
echo "<ul><li>DU has these Mapping Tables</li>"
echo "<ul>"
printf '%s\n' "$MAPPINGTABLENAMES" | sed 's#.*#<li>&</li>#'
echo "</ul></ul>"
echo "<big>Connected Systems</big>"
echo "<ul>"
echo "<li>These users have Dmail Accounts $DMAIL</li>"
echo "<li>These users have Panthermail Accounts $PANTHERMAIL</li>"
echo "<li>These users have Active Directory Accounts $AD</li>"
echo "<li>These users have Sales Force Accounts $SF</li>"
echo "</ul>"
echo "<big>Account Creations</big>"
echo "<ul>"
echo "<li>For the last Twelve months we have these new accounts $YEAR</li>"
echo "<li>For the last 30 days we have these new accounts $MONTH</li>"
echo "</ul>"
echo "<big>Login Activity</big>"
echo "<ul>"
echo "<li>Users who have logged in during the last year $LOGIN</li>"
echo "<li>Users who have logged in during the last month $LOGIN30</li>"
echo "<li>Users who have logged in during the last day $LOGIN1</li>"
echo "</ul>"
echo "<big>Number of Accounts by Roles</big>"
echo "<ul>"
echo "<li>The total Faculty are $FACULTY</li>"
echo "<li>The total Adjuncts are $ADJUNCT</li>"
echo "<li>The total Staff are $STAFF</li>"
echo "<li>The total Part-time Staff are $OTHER</li>"
echo "<li>The total Work-Study are $WorkStudy</li>"
echo "<li>The total Students are $STUDENT</li>"
echo "<li>The total Alumni are $ALUMNI</li>"
echo "<li>The total Public Access Users are $PUBLIC</li>"
echo "<li>The total Event Accounts are $EVENT</li>"
echo "<li>The total Vendor Accounts are $VENDOR</li>"
echo "<li>The total Portal Accounts are $PORTAL</li>"
echo "<li>The total IPEX Accounts are $IPEX</li>"
echo "</ul>"
echo "."
echo "quit"
} >> $out
netcat smtp.davenport.edu 25 < $out
 

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

By: stharp, Dec 1, 2016, 11:24 am