Hello all,
I've been spending my day learning more about working with quotas, and I have a question about the recommended approach on implementing quotas for users.
Even on my home network, I enjoy linking any service I can up to the local LDAP server. When I add a new user who has shell and/or file share access, I wouldn't want to have to go around to each server and add their quota. To work around this, I cooked up an idea for a script that would implement the quotas for me (either through edquota and a template user or quotatool).
The script would pull group membership and implement the quota appropriately. It would be run via a cron job (or perhaps Puppet once I get up to speed). Example script:
    #!/usr/bin/python
    from grp import getgrnam as getGroup
    from subprocess import call

    quotaFileSystem = '/home'
    quotatoolPath = '/usr/local/sbin/quotatool'
    # Block limit per watched group; 0 means "no limit".
    groupBlockLimits = {
        'domain-admin': 0,
        'domain-user': 60000,
        'domain-guest': 20000,
    }
    userLimits = {}

    # Get all of the block sizes allocated to each watched-for group.
    # Note: gr_mem only lists supplementary members; users whose primary
    # GID is the group are not included.
    for group in groupBlockLimits.keys():
        for user in getGroup(group).gr_mem:
            print(str.format("User {0} is a member of group {1} ({2} blocks).", user, group, groupBlockLimits[group]))
            if user not in userLimits.keys():
                userLimits[user] = []
            userLimits[user].append(groupBlockLimits[group])

    # Get the highest limit for each user, and apply it.
    for user in userLimits:
        # Get the user's highest limit.
        # If the user is a member of two watched groups it's assumed
        # that they are authorized for the higher value.
        quotaValue = max(userLimits[user])
        # Check to see if there is a group that gets a limitless quota for whatever reason.
        if min(userLimits[user]) == 0:
            quotaValue = 0
        print(str.format("Applying a limit of {1} blocks to user {0}.", user, quotaValue))
        # Implement our command using either edquota to copy an existing quota template
        # appropriate for the group the user is in or quotatool.
        # Passed as an argv list (no shell), so the username is never shell-interpreted.
        command = [quotatoolPath, '-u', user, '-b', '-l', str(quotaValue), quotaFileSystem]
        # Execute command here - commented out for example.
        #resultCode = call(command)
I'm happy with the idea of this command, though it does leave a small window of infinite quota between when the user is assigned to the group and when the script is run.
Does this idea seem sound, or is there a simpler solution that I'm not thinking of?
Edit: Adjusted formatting and comment phrasing.
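The same approach written as a small testable module, as an added example that is not the poster's script. It keeps the poster's policy (highest group limit wins, a 0 limit means unlimited and overrides everything) but takes group membership from a resolver callable so the logic can be exercised offline against a constructed membership table; the real resolver also picks up users whose primary GID is the watched group, which `gr_mem` alone misses. The group names, limits, usernames and paths below are constructed sample values, not taken from any real system.

```python
"""Compute per-user block quotas from watched-group membership and build
quotatool command lines. Added example; not the original poster's code."""
import grp
import pwd
from collections import defaultdict

# Constructed sample policy: 0 means "no limit", mirroring the poster's convention.
GROUP_BLOCK_LIMITS = {
    'domain-admin': 0,
    'domain-user': 60000,
    'domain-guest': 20000,
}


def nss_members(group_name):
    """Real resolver: supplementary members from grp plus every account whose
    primary GID is this group (gr_mem alone misses primary-group members)."""
    try:
        entry = grp.getgrnam(group_name)
    except KeyError:
        return set()  # unknown group on this host: skip it rather than abort the whole run
    members = set(entry.gr_mem)
    members.update(p.pw_name for p in pwd.getpwall() if p.pw_gid == entry.gr_gid)
    return members


def desired_limits(group_limits, members_of):
    """Map user -> block limit. Highest limit wins; 0 (unlimited) beats everything."""
    per_user = defaultdict(list)
    for group, limit in group_limits.items():
        for user in members_of(group):
            per_user[user].append(limit)
    return {user: (0 if 0 in limits else max(limits))
            for user, limits in per_user.items()}


def quotatool_argv(user, block_limit, filesystem='/home',
                   quotatool='/usr/local/sbin/quotatool'):
    """argv list for quotatool: -u user, -b block quota, -l hard limit.
    Building a list (never a shell string) means a username containing shell
    metacharacters cannot inject into the command."""
    return [quotatool, '-u', user, '-b', '-l', str(block_limit), filesystem]


def plan(group_limits, members_of, filesystem='/home'):
    """Return the commands a cron run would execute, sorted for stable output."""
    limits = desired_limits(group_limits, members_of)
    return [quotatool_argv(u, limits[u], filesystem) for u in sorted(limits)]


# Constructed membership table used for the offline demonstration.
SAMPLE_MEMBERS = {
    'domain-admin': {'alice'},
    'domain-user': {'alice', 'bob', 'carol'},
    'domain-guest': {'carol', 'dave'},
}


def sample_members(group_name):
    """Offline stand-in for nss_members()."""
    return SAMPLE_MEMBERS.get(group_name, set())


if __name__ == '__main__':
    import subprocess
    # Swap sample_members for nss_members on a real host.
    for argv in plan(GROUP_BLOCK_LIMITS, sample_members):
        print(' '.join(argv))
        # subprocess.call(argv)  # uncomment on a host with quotatool installed
```

With the sample table, alice (admin and user) resolves to 0 (unlimited), carol (user and guest) to the higher 60000, and dave to 20000; `plan()` only ever emits argv lists, so the membership data never reaches a shell.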