
bash script to reference value of $GECOS from /etc/passwd with awk or sed to extract first and last name

0 votes
1 answer
482 views
Red Hat has a sample script to migrate users from NIS to FreeIPA. nis-user.sh looks like this:

```sh
#!/bin/sh
# $1 is the NIS domain, $2 is the NIS master server
ypcat -d $1 -h $2 passwd > /dev/shm/nis-map.passwd 2>&1

IFS=$'\n'
for line in $(cat /dev/shm/nis-map.passwd) ; do
    IFS=' '
    username=$(echo $line | cut -f1 -d:)
    # Not collecting encrypted password because we need cleartext password
    # to create kerberos key
    uid=$(echo $line | cut -f3 -d:)
    gid=$(echo $line | cut -f4 -d:)
    gecos=$(echo $line | cut -f5 -d:)
    homedir=$(echo $line | cut -f6 -d:)
    shell=$(echo $line | cut -f7 -d:)

    # Now create this entry
    echo passw0rd1 | ipa user-add $username --first=NIS --last=USER \
        --password --gidnumber=$gid --uid=$uid --gecos='$gecos' --homedir=$homedir \
        --shell=$shell
    ipa user-show $username
done
```

This just sets the first name to NIS and the last name to USER. Our /etc/passwd file has users that look like the following:

```
juser:x:4841:200:Jane Q. User:/home/juser:/bin/tcsh
kuser:x:5761:200:User, K.:/home/kuser:/bin/bash
```

So that of course complicates things. I got a suggestion that the following could extract the first and last names, and if they were reversed and comma separated (like kuser) it would catch most of the names.

```sh
first=$(echo $gecos | sed -e 's/\(.*\), \(.*$\)/\2 \1/' | awk '{print $1}'
last=$(echo $gecos | sed -e 's/\(.*\), \(.*$\)/\2 \1/' | awk '{print $NF}'
```

How can I use $first and $last? To test I tried to pipe the results of the $gecos variable to awk:

```
first=$(echo $line | cut -f5 -d: | awk '{print $1}':)
awk: cmd. line:1: {print $1}:
awk: cmd. line:1:           ^ syntax error
```

Same error if I try adding just the following line (after the gecos= line):

```sh
first=$(echo $gecos | awk '{print $1}':)
```

EDIT: ahhh, the colon placement did me in. This works:

```sh
first=$(echo $gecos | sed -e 's/\(.*\), \(.*$\)/\2 \1/' | awk '{print $1}')
last=$(echo $gecos | sed -e 's/\(.*\), \(.*$\)/\2 \1/' | awk '{print $NF}')
```

So now on to the next part...

And then I want to take this suggestion, to import the passwords that use the CRYPT hash as demonstrated:

```
userpassword='{CRYPT}$6$blahblah$moregibberish' testuser
```

I followed Rob C's previous tips from here and here. Not sure it matters, but in /etc/libuser.conf:

```
crypt_style = sha512
```

In the script I added:

```sh
password1=$(echo $line | cut -f2 -d:)
```

and in the **Now create this entry** section:

```sh
--setattr "userpassword='{CRYPT}$password1'"
```

Here's what gets logged when debug is turned on:

```
[Tue Feb 02 22:08:52.541857 2021] [wsgi:error] [pid 16097:tid 16365] [remote x.x.x.x:59726] ipa: INFO: [jsonserver_session] admin@OURDOMAIN.EDU: user_add/1('john', givenname='John', sn='Smith', homedirectory='/home/smith', gecos="'John Smith'", loginshell='/bin/tcsh', uidnumber=5319, gidnumber=150, setattr=("userpassword='{CRYPT}the-actual-hash-of-the-password'",), version='2.239'): SUCCESS
```

So does that appear that {CRYPT} is not being interpreted? I also added some debug:

```sh
echo "Password hash value is $password1"
```

And what prints is the original hash, sans {CRYPT}.

So to test this outside of the script I added a test user:

```sh
ipa user-add --first=test --last=user --setattr userpassword='{CRYPT} the-actual-hash-of-the-password' testuser
```

Then I ran the following and the password worked:

```
ldapsearch -x -D 'uid=testuser,cn=users,cn=accountsdc=ourdomain,dc=edu' -W

# testuser, users, accounts, ourdomain.edu
dn: uid=testuser,cn=users,cn=accounts,dc=ourdomain,dc=edu
givenName: test
sn: user
uid: testuser
cn: test user
displayName: test user
initials: tu
gecos: test user
krbPrincipalName: testuser@OURDOMAIN.EDU
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: fasuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
homeDirectory: /home/testuser
mail: testuser@ourdomain.edu
krbCanonicalName: testuser@OURDOMAIN.EDU
ipaUniqueID: 34ee1f48-65d2-11eb-8c33-001ec9ab7ef0
uidNumber: 1520800007
gidNumber: 1520800007
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ourdomain,dc=edu
krbLastPwdChange: 20210203034524Z
krbPasswordExpiration: 20210504034524Z

# testuser, groups, accounts, ourdomain.edu
dn: cn=testuser,cn=groups,cn=accounts,dc=ourdomain,dc=edu
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
cn: testuser
gidNumber: 1520800007
description: User private group for testuser
mepManagedBy: uid=testuser,cn=users,cn=accounts,dc=ourdomain,dc
 =edu
ipaUniqueID: 34f39b4e-65d2-11eb-8c33-001ec9ab7ef0

# search result
search: 2
result: 0 Success
```

Is it still possible to do this in the current versions?
Asked by RobbieTheK (133 rep)
Feb 2, 2021, 08:01 PM
Last activity: Feb 16, 2021, 02:45 PM
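
As an added example (not part of the original question, and not Red Hat's script): a POSIX sh dry run that splits passwd-format lines, derives first and last name from GECOS with the same "Last, First" swap as the sed expression in the question, and builds the `userpassword` value with the `{CRYPT}` prefix and no quote characters inside it, unlike the `setattr` value in the log above. The function names and the `tuser` line with its hash are constructed for illustration; the `ipa` command is printed, not executed.

```shell
#!/bin/sh
# Added example, not Red Hat's script: dry run that prints the ipa command
# for each passwd-format line instead of executing it.

# Print "first last" for a GECOS name; "Last, First" is swapped like the sed above.
gecos_names() {
    name=$1
    case $name in
        *", "*) name="${name##*, } ${name%, *}" ;;
    esac
    set -f; set -- $name; set +f       # split on whitespace, no globbing
    [ $# -gt 0 ] || set -- NIS USER    # empty GECOS: the sample script's placeholders
    first=$1
    while [ $# -gt 1 ]; do shift; done
    printf '%s %s\n' "$first" "$1"
}

# Print the --setattr value for a password field; fail when it holds no hash.
crypt_attr() {
    case $1 in
        ''|x|'*'*|'!'*) return 1 ;;    # empty, shadowed or locked entry
    esac
    printf 'userpassword={CRYPT}%s\n' "$1"   # no quote characters in the value
}

# Build the argument list for one passwd line and print it, one quoted word each.
user_add_cmd() {
    IFS=: read -r username pw uid gid gecos homedir shell <<EOF
$1
EOF
    names=$(gecos_names "$gecos")
    set -- ipa user-add "$username" --first="${names% *}" --last="${names#* }" \
        --gidnumber="$gid" --uid="$uid" --gecos="$gecos" \
        --homedir="$homedir" --shell="$shell"
    if attr=$(crypt_attr "$pw"); then
        set -- "$@" --setattr "$attr"
    fi
    printf "'%s' " "$@"; printf '\n'   # replace with "$@" to run it for real
}

# Constructed input: the two entries from the question plus a made-up hash.
while read -r line; do user_add_cmd "$line"; done <<'EOF'
juser:x:4841:200:Jane Q. User:/home/juser:/bin/tcsh
kuser:x:5761:200:User, K.:/home/kuser:/bin/bash
tuser:$6$constructedsalt$constructedhash:5319:150:Test User:/home/tuser:/bin/sh
EOF
```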