Unix CLI - adrmlocal

2007-07-13 14:08:26 / Category: Work log

adrmlocal
1. Why the command exists
After the customer installs the software, they create their own AD users and then import the entries from the /etc/passwd file. As a result, their local users are really zone users (domain users in the domain the machine joined). At this point AD manages these users, so they no longer need to be in the /etc/passwd file. In fact, keeping them there is a security risk: in disconnected mode a user might log in to the system with the old local account. So the administrator wants to remove this unnecessary risk, and that is why adrmlocal exists.
{
A customer buys our product, installs it on a machine, then sets up their AD
accounts by importing the /etc/passwd file.  At this point, their local users
are now AD users in the zone they joined. Now that the accounts are being
managed by AD, they don't need them in the local /etc/passwd file. In fact,
it's a bit of a security risk having them there, since in disconnected mode a
user might get into the system with their "old" (local) password. So, the
administrator wants to get rid of the unnecessary local accounts. This is just
what adrmlocal is designed for.
}
2. Using the command
 a. '-i/--interactive' display a prompt before any removal of local users and
                       groups
                       The --interactive option prompts you interactively
                       for confirmation that you want to remove the duplicated
                       local user account before performing the delete operation.
NOTE: Displays a prompt asking you to confirm that you really want to delete the duplicated user account.
Question: what kinds of users are called conflicted? Four kinds are listed here.
1) same uid with different user name
2) same username with different uid
3) same username and uid
4) one local user mapped to one ad user, but they have different uids

1)~3): these users we call 'not in conflict', because the UNIX info stored for these users in AD matches the local UNIX system (in other words, AD can control this information). So our approach is to delete them safely, without prompting.
4): this user we call 'in conflict', because the same user has different UIDs. This situation may cause errors during the import process. So our approach is to show a prompt and let the administrator confirm whether to delete this local user.

 b. '-c/--commit'  remove duplicated local users and groups, prompt only
                       when there are uid or gid conflicts
                       Our doc explains the "-c" option like this:
Remove duplicate local users if the UID and GID is
the same in the local database and Active
Directory. If the UID or GID for a local user conflicts
with the information stored in Active Directory, this
option prompts you to determine whether a local
user account should be deleted or not.


 c. '-f/--force'  remove duplicated local users and groups, never prompt
                       even if there are uid or gid conflicts

3. Test cases.
 1) "-i", should prompt before deleting each of these users:
    a. only username conflict
    b. only uid conflict
    c. both username and uid conflict
    d. one unix local user mapped to one ad user, with different uid [user map setting in /etc/centrifydc/centrifydc.conf]
 2) "-c", remove duplicated users without prompting, and prompt for uid conflicts.
 3) "-f", remove all users that are duplicated or conflicted, without prompting.
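The classification of local users (cases 1 to 4 above) and the prompt/remove behaviour of -i, -c and -f, written out as an added example; this is not Centrify's adrmlocal code, and the local accounts, zone users and user map are constructed sample data (the map format here is a plain dict, not the centrifydc.conf syntax).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    uid: int

# Constructed sample data: local /etc/passwd accounts and the zone (AD) users.
LOCAL = [User("alice", 1001), User("bob", 1002), User("carol", 1003),
         User("dave", 1004), User("eve", 1005)]
ZONE = [User("alice", 1001),   # same username and uid          -> case 3
        User("robert", 1002),  # same uid, different username   -> case 1
        User("carol", 2003),   # same username, different uid   -> case 2
        User("david", 2004)]   # 'dave' is mapped to this user  -> case 4
# Hypothetical user map (local name -> AD name); adrmlocal reads it from
# /etc/centrifydc/centrifydc.conf, here it is just a constructed dict.
USER_MAP = {"dave": "david"}

def classify(local, zone, user_map):
    """Return {local name: 'duplicate' | 'conflict' | 'unique'}.
    Cases 1-3 are 'duplicate' (AD already controls the UNIX info, so the
    local entry can go without a prompt); case 4 is 'conflict' (prompt)."""
    by_name = {u.name: u for u in zone}
    by_uid = {u.uid: u for u in zone}
    result = {}
    for u in local:
        mapped = user_map.get(u.name)
        if u.name in by_name or u.uid in by_uid:
            result[u.name] = "duplicate"
        elif mapped in by_name and by_name[mapped].uid != u.uid:
            result[u.name] = "conflict"
        else:
            result[u.name] = "unique"      # not in AD at all: left alone
    return result

def plan(classes, mode):
    """Map each duplicated or conflicting user to 'prompt' or 'remove'."""
    actions = {}
    for name, cls in classes.items():
        if cls == "unique":
            continue
        if mode == "-i":                   # always ask first
            actions[name] = "prompt"
        elif mode == "-c":                 # ask only for uid conflicts
            actions[name] = "prompt" if cls == "conflict" else "remove"
        elif mode == "-f":                 # never ask
            actions[name] = "remove"
        else:
            raise ValueError(f"unknown mode {mode}")
    return actions
```

Running plan(classify(LOCAL, ZONE, USER_MAP), "-c") yields remove for alice, bob and carol and prompt for dave, which is the behaviour test case 2) expects.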

TAG: Work log