commit e3b173b2806fff6ccb78f77ad0b1945a68a7610a Author: Arthur Lu Date: Thu Mar 28 14:28:27 2024 -0700 add setup scripts from PAAS-LDAP repo
diff --git a/auth.template.ldif b/auth.template.ldif
new file mode 100644
index 0000000..9eab252
--- /dev/null
+++ b/auth.template.ldif
@@ -0,0 +1,21 @@
+# Add permissions
+dn: olcDatabase={1}mdb,cn=config
+changetype: modify
+delete: olcAccess
+-
+add: olcAccess
+olcAccess: {0}to attrs=userPassword
+ by group/groupOfNames/member="cn=admins,ou=groups,$BASE_DN" =wcdx
+ by self write
+ by anonymous auth
+ by * none
+olcAccess: {1}to attrs=shadowLastChange,cn,sn
+ by self write
+ by * read
+olcAccess: {2}to dn.subtree="$BASE_DN"
+ by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
+ by group/groupOfNames/member="cn=admins,ou=groups,$BASE_DN" write
+ by * read
+olcAccess: {3}to *
+ by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
+ by * read
diff --git a/cert.sh b/cert.sh
new file mode 100644
index 0000000..5d1b329
--- /dev/null
+++ b/cert.sh
@@ -0,0 +1,19 @@
+# requires gnutls-bin ssl-cert
+
+export CA_FILE
+export CERT_FILE
+export KEY_FILE
+
+read -p "CA Cert File Path: " CA_FILE
+read -p "Server Cert File Path: " CERT_FILE
+read -p "Server Key File Path: " KEY_FILE
+
+envsubst '$CA_FILE:$CERT_FILE:$KEY_FILE' < cert.template.ldif > cert.ldif
+
+sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f cert.ldif
+
+rm cert.ldif
+
+unset CA_FILE
+unset CERT_FILE
+unset KEY_FILE
\ No newline at end of file
diff --git a/cert.template.ldif b/cert.template.ldif
new file mode 100644
index 0000000..3062c96
--- /dev/null
+++ b/cert.template.ldif
@@ -0,0 +1,9 @@
+dn: cn=config
+replace: olcTLSCACertificateFile
+olcTLSCACertificateFile: $CA_FILE
+-
+replace: olcTLSCertificateFile
+olcTLSCertificateFile: $CERT_FILE
+-
+replace: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: $KEY_FILE
\ No newline at end of file
diff --git a/init.sh b/init.sh
new file mode 100644
index 0000000..77227bb
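Review bot: The `by * read` clauses in `{2}` and `{3}` (and `{1}`) let an anonymous bind read every entry and attribute under the suffix except `userPassword`, including `uid`, `mail` and the `member` list of `cn=admins`, which is a user-enumeration surface for a directory whose stated purpose is authentication. Because `{0}` already grants `by anonymous auth`, simple binds keep working if those clauses become ` by users read` in `{2}` and `{3}`; if some consumer genuinely has to browse unauthenticated, that is the place to scope the exception down explicitly rather than leaving the whole tree world-readable. Note also that `{1}` has no `dn` filter, so it governs `cn` and `sn` on every entry in the database, not only people; `by self write` can only ever match a user's own entry, so this is probably harmless, but `to dn.subtree="ou=people,$BASE_DN" attrs=shadowLastChange,cn,sn` would document the intent.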
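Review bot: Nothing checks the result of `sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f cert.ldif`, and the script has no shebang or `set -e`, so if slapd rejects the change (a mistyped path, a key file slapd's service user cannot read, a key that does not match the certificate) the script still runs `rm cert.ldif`, exits 0 and leaves TLS unconfigured with no trace of what was attempted. I would start the file with `#!/usr/bin/env bash` and `set -euo pipefail`, and change the prompts to `read -r -p ...` so a backslash in a path is not interpreted. A pre-check before rendering the template, e.g. `[[ -r "$CA_FILE" && -r "$CERT_FILE" && -r "$KEY_FILE" ]] || exit 1`, gives a clearer failure than slapd's generic error; since slapd opens the key as its own service user, readability by the invoking user is only a proxy and is worth saying in a comment.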
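Review bot: The entry has no `changetype: modify` line and relies on ldapmodify's default, whereas auth.template.ldif and pass.template.ldif spell it out; adding `changetype: modify` after `dn: cn=config` keeps the three templates consistent and makes the file safe to feed to tools that do not default to modify. The three `replace:` stanzas are correctly joined by `-` into a single modify operation, which matters because slapd checks the certificate against the key when the change is applied; a one-line comment above `dn: cn=config` such as `# all three TLS attributes must change in one modify op so the cert/key pair is validated together` would stop a future edit from splitting them. The file also lacks a trailing newline, which is harmless here but worth fixing.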
--- /dev/null
+++ b/init.sh
@@ -0,0 +1,44 @@
+# PAAS LDAP openldap server initialization script
+# initializes a blank openldap server using root external bind
+# requires user input for base dn, admin user, and admin user password
+# requires slapd ldap-util
+
+export BASE_DN=''
+export ADMIN_ID=''
+export ADMIN_EMAIL=''
+export ADMIN_CN=''
+export ADMIN_SN=''
+export ADMIN_PASSWD=''
+read -p "Base DN: " BASE_DN
+read -p "Admin User ID: " ADMIN_ID
+read -p "Admin User Email: " ADMIN_EMAIL
+read -p "Admin User CN: " ADMIN_CN
+read -p "Admin User SN: " ADMIN_SN
+read -s -p "Admin Password: " ADMIN_PASSWD
+echo ""
+read -s -p "Confirm Password: " CONFIRM_PASSWD
+echo ""
+
+if [ "$ADMIN_PASSWD" = "$CONFIRM_PASSWD" ]; then
+
+ envsubst '$BASE_DN' < auth.template.ldif > auth.ldif
+ envsubst '$BASE_DN' < pass.template.ldif > pass.ldif
+ envsubst '$BASE_DN:$ADMIN_ID:$ADMIN_EMAIL:$ADMIN_CN:$ADMIN_SN:$ADMIN_PASSWD' < init.template.ldif > init.ldif
+
+ sudo ldapmodify -H ldapi:/// -Y EXTERNAL -f auth.ldif
+ sudo ldapmodify -H ldapi:/// -Y EXTERNAL -f pass.ldif
+ sudo ldapadd -H ldapi:/// -Y EXTERNAL -c -f init.ldif
+
+ rm auth.ldif init.ldif pass.ldif
+
+else
+
+ echo "Error: Passwords do not match."
+
+fi
+
+unset BASE_DN
+unset ADMIN_ID
+unset ADMIN_CN
+unset ADMIN_SN
+unset ADMIN_PASSWD
\ No newline at end of file
diff --git a/init.template.ldif b/init.template.ldif
new file mode 100644
index 0000000..886f4e8
--- /dev/null
+++ b/init.template.ldif
@@ -0,0 +1,24 @@
+# people ou
+dn: ou=people,$BASE_DN
+objectClass: organizationalUnit
+ou: people
+
+# group ou
+dn: ou=groups,$BASE_DN
+objectClass: organizationalUnit
+ou: groups
+
+# admin group
+dn: cn=admins,ou=groups,$BASE_DN
+objectClass: groupOfNames
+member: uid=$ADMIN_ID,ou=people,$BASE_DN
+cn: admins
+
+# paas user
+dn: uid=$ADMIN_ID,ou=people,$BASE_DN
+objectClass: inetOrgPerson
+mail: $ADMIN_EMAIL
+cn: $ADMIN_CN
+sn: $ADMIN_SN
+uid: $ADMIN_ID
+userPassword: $ADMIN_PASSWD
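Review bot: The exit status of `sudo ldapmodify -H ldapi:/// -Y EXTERNAL -f pass.ldif` is never checked before `ldapadd ... -f init.ldif` runs, and the script has no shebang or `set -e`, so if the pw-sha2/ppolicy step fails (e.g. a module already loaded, `cn=module{0}` absent) the admin `userPassword` is still added and, with no `olcPPolicyHashCleartext` in effect for a plain Add, stored verbatim in the mdb — silently, since `ldapadd -c` also continues past errors. The rendered `init.ldif` additionally holds the cleartext password in the working directory under the default umask until `rm`, and exporting `ADMIN_PASSWD` puts it in the environment of every child process (envsubst, sudo, rm). I would add `set -euo pipefail` at the top, `umask 077` before the `envsubst` lines, and drop `-c` from the `ldapadd` call, moving the `rm` into a `trap ... EXIT` so the rendered files are still removed on failure; the mismatch branch should also exit non-zero, `CONFIRM_PASSWD` and `ADMIN_EMAIL` should be unset with the others, and every `read` should carry `-r`.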
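Review bot: `userPassword: $ADMIN_PASSWD` on the last line writes the admin password into the rendered LDIF in cleartext, and a password that starts with a space, `<` or `:` or contains non-ASCII bytes will be mis-parsed because LDIF requires the `::` base64 form for such values. Substituting a value pre-hashed with `slappasswd -h '{SSHA512}'` instead (init.sh would need to produce it, taking care not to pass the password on the command line) keeps the cleartext out of the file and removes the dependence on the ppolicy overlay hashing it server-side. Separately, pass.template.ldif sets `olcPPolicyDefault: cn=password,ou=policies,$BASE_DN`, but neither `ou=policies` nor `cn=password` is created anywhere in this commit, so the default policy reference dangles and no pwdPolicy attributes apply; the entries below would make it resolve, with the pwd* values left as a site decision.
```ldif
# … unchanged: people/groups OUs, admins group, paas user …

# policies ou
dn: ou=policies,$BASE_DN
objectClass: organizationalUnit
ou: policies

# default password policy named by olcPPolicyDefault in pass.template.ldif
dn: cn=password,ou=policies,$BASE_DN
objectClass: organizationalRole
objectClass: pwdPolicy
cn: password
pwdAttribute: userPassword
```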
diff --git a/pass.template.ldif b/pass.template.ldif
new file mode 100644
index 0000000..260fbc9
--- /dev/null
+++ b/pass.template.ldif
@@ -0,0 +1,23 @@
+# load pw-sha2 module
+dn: cn=module{0},cn=config
+changetype: modify
+add: olcModuleLoad
+olcModuleLoad: pw-sha2.la
+olcModuleLoad: ppolicy.la
+
+# set default password hash to SSHA512
+dn: olcDatabase={-1}frontend,cn=config
+changetype: modify
+add: olcPasswordHash
+olcPasswordHash: {SSHA512}
+
+# add password policy to use SSHA512 hash
+dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
+changetype: add
+objectClass: olcOverlayConfig
+objectClass: olcPPolicyConfig
+olcOverlay: ppolicy
+olcPPolicyDefault: cn=password,ou=policies,$BASE_DN
+olcPPolicyHashCleartext: TRUE
+olcPPolicyUseLockout: FALSE
+olcPPolicyForwardUpdates: FALSE
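Review bot: The comment `# add password policy to use SSHA512 hash` misstates what the overlay stanza does: the algorithm is selected by `olcPasswordHash: {SSHA512}` on the frontend, and the ppolicy overlay's contribution here is `olcPPolicyHashCleartext: TRUE`, which makes slapd hash a cleartext `userPassword` supplied through an ordinary Add/Modify (as init.template.ldif does) rather than storing it verbatim — without it only the Password Modify extended operation is hashed. I would reword it to `# ppolicy overlay: hash cleartext userPassword values written via Add/Modify using the frontend olcPasswordHash`. `olcPPolicyDefault: cn=password,ou=policies,$BASE_DN` names an entry that nothing in this commit creates, so no pwdPolicy attributes (lockout, history, length) actually apply; either create that entry alongside the tree or drop the attribute so the gap is visible rather than implied. The `add: olcModuleLoad` will be rejected as a duplicate value if either module is already loaded on the target server, which is worth a line in the first comment since the caller does not check the result.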