Create OpenLDAP setup utilities,
prototype LDAP API interface
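--- a/openldap/auth.template.ldif
+++ b/openldap/auth.template.ldif
@@ -0,0 +1,20 @@
+# Add permissions
+dn: olcDatabase={1}mdb,cn=config
+changetype: modify
+delete: olcAccess
+-
+add: olcAccess
+olcAccess: {0}to attrs=userPassword
+by self write
+by anonymous auth
+by * none
+olcAccess: {1}to attrs=shadowLastChange
+by self write
+by * read
+olcAccess: {2}to dn.subtree="$BASE_DN"
+by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
+by group/groupOfNames/member="cn=admins,ou=groups,$BASE_DN" write
+by * read
+olcAccess: {3}to *
+by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
+by * read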
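Review bot: Rules `{2}` and `{3}` both end in `by * read`, so an anonymous bind can read and enumerate every entry under `$BASE_DN` (accounts, group membership, everything except userPassword). If the PaaS clients do not need unauthenticated browsing, `by users read` in those two rules narrows this while leaving `by self write`, the peercred `manage` clause and the admin-group `write` clause untouched; simple binds still work because they only need the `by anonymous auth` clause of rule `{0}`. Rule `{1}` deliberately leaves shadowLastChange world-readable, which is the usual choice for NSS/PAM clients, so a comment such as `# shadowLastChange stays readable by * for nss/pam lookups` would record that intent. The rendered view shows the `by ...` continuation lines without the leading space LDIF requires; worth confirming the committed file keeps it.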
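--- a/openldap/init.sh
+++ b/openldap/init.sh
@@ -0,0 +1,18 @@
+export BASE_DN=''
+read -p "Base DN: " BASE_DN
+
+export PAAS_PASSWD=$(tr -dc 'A-Za-z0-9!"#$%&'\''()*+,-./:;<=>?@[\]^_`{|}~' </dev/urandom | head -c 256; echo)
+echo "$PAAS_PASSWD" > paas.token
+echo "Saved PAAS Authentication Token (password) to paas.token"
+
+envsubst '$BASE_DN' < auth.template.ldif > auth.ldif
+envsubst '$BASE_DN' < pass.template.ldif > pass.ldif
+envsubst '$BASE_DN:$PAAS_PASSWD' < init.template.ldif > init.ldif
+
+sudo ldapmodify -H ldapi:/// -Y EXTERNAL -f auth.ldif
+sudo ldapmodify -H ldapi:/// -Y EXTERNAL -f pass.ldif
+sudo ldapadd -H ldapi:/// -Y EXTERNAL -c -f init.ldif
+
+unset BASE_DN
+unset PAAS_PASSWD
+rm auth.ldif init.ldif pass.ldif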
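Review bot: The script has no shebang (the hunk's first line is `export BASE_DN=''`) and no `set -e`, yet it relies on bash-only `read -p` and runs three privileged `ldapmodify`/`ldapadd` steps whose failures are ignored before `rm` discards the rendered files. `paas.token`, `auth.ldif`, `pass.ldif` and `init.ldif` are created under the caller's default umask, so the generated credential is typically world-readable on disk until the cleanup line; an `umask 077` before the first write closes that window. `userPassword: $PAAS_PASSWD` in init.template.ldif receives the raw 256-character string, and a value that happens to start with `:` or `<` (both are in the `tr` set) is read by ldapadd as base64 or as a file URL rather than as the password, so exporting a base64 form and switching the template line to `userPassword:: $PAAS_PASSWD_B64` removes the ambiguity. The rewritten prologue below keeps the rest of the script as is.
```bash
#!/usr/bin/env bash
set -euo pipefail
umask 077   # paas.token and the rendered *.ldif carry the cleartext credential

read -r -p "Base DN: " BASE_DN
export BASE_DN
# … unchanged: PAAS_PASSWD generation and paas.token write …
# base64 form for LDIF (`userPassword::`), so the value is never misparsed
# regardless of which characters the random string starts with
PAAS_PASSWD_B64=$(printf '%s' "$PAAS_PASSWD" | base64 -w0)
export PAAS_PASSWD_B64
# … unchanged: envsubst, ldapmodify/ldapadd, unset, rm …
```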
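--- a/openldap/init.template.ldif
+++ b/openldap/init.template.ldif
@@ -0,0 +1,23 @@
+# people ou
+dn: ou=people,$BASE_DN
+objectClass: organizationalUnit
+ou: people
+
+# group ou
+dn: ou=groups,$BASE_DN
+objectClass: organizationalUnit
+ou: groups
+
+# admin group
+dn: cn=admins,ou=groups,$BASE_DN
+objectClass: groupOfNames
+member: uid=paas,ou=people,$BASE_DN
+cn: admins
+
+# paas user
+dn: uid=paas,ou=people,$BASE_DN
+objectClass: inetOrgPerson
+cn: paas
+sn: paas
+uid: paas
+userPassword: $PAAS_PASSWD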
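Review bot: `userPassword: $PAAS_PASSWD` on the last line hands the credential to the server in cleartext and ends up stored hashed only because pass.ldif, which init.sh applies just before this file, enables `olcPPolicyHashCleartext` — an ordering dependency that nothing in this file states. A comment above the entry would make it explicit, e.g. `# cleartext on purpose: the ppolicy overlay configured in pass.ldif hashes it ({SSHA512}); pass.ldif must be applied first`. Since the value is substituted by envsubst, it would also be worth noting here that the template expects an LDIF-safe value (no leading `:` or `<`), or switching to the base64 `userPassword::` form and having init.sh supply it.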
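--- a/openldap/pass.template.ldif
+++ b/openldap/pass.template.ldif
@@ -0,0 +1,23 @@
+# load pw-sha2 module
+dn: cn=module{0},cn=config
+changetype: modify
+add: olcModuleLoad
+olcModuleLoad: pw-sha2.la
+olcModuleLoad: ppolicy.la
+
+# set default password hash to SSHA512
+dn: olcDatabase={-1}frontend,cn=config
+changetype: modify
+add: olcPasswordHash
+olcPasswordHash: {SSHA512}
+
+# add password policy to use SSHA512 hash
+dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
+changetype: add
+objectClass: olcOverlayConfig
+objectClass: olcPPolicyConfig
+olcOverlay: ppolicy
+olcPPolicyDefault: cn=password,ou=policies,$BASE_DN
+olcPPolicyHashCleartext: TRUE
+olcPPolicyUseLockout: FALSE
+olcPPolicyForwardUpdates: FALSE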
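Review bot: The first stanza modifies `cn=module{0},cn=config`, which only exists where the base configuration already declares a module list (Debian/Ubuntu-style packaging does; a bare slapd.d may not), and on a server without it `ldapmodify` rejects this whole file. Because init.sh neither stops on error nor makes init.ldif conditional on this step, that rejection leaves `olcPPolicyHashCleartext` unset and the `userPassword` from init.ldif is stored in cleartext. Either create the module entry when it is absent (`changetype: add` with `objectClass: olcModuleList`) or at least make init.sh abort on a failed ldapmodify, and record the assumption here: `# assumes cn=module{0} already exists (Debian/Ubuntu default cn=config); fails on a bare cn=config`. `olcPPolicyDefault` also names `cn=password,ou=policies,$BASE_DN`, and none of the templates in this commit create `ou=policies` or a pwdPolicy entry there, so as far as these files show the default policy reference is dangling and should be either created in init.template.ldif or dropped.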