add gencert.sh script to generate tls certificates,

add some comments to setup.sh

gencert.sh

@@ -0,0 +1,81 @@
+#!/bin/bash
+
+# https://documentation.ubuntu.com/server/how-to/openldap/ldap-and-tls/
+# requries gnutls-bin ssl-cert
+# only for ubuntu and you should probably double check the script before running
+
+ORG=''
+CN=''
+
+# Define directories and filenames
+CA_DIR="/etc/ssl"
+CA_INFO="${CA_DIR}/ldap-ca.info"
+CA_KEY="${CA_DIR}/private/ldap-ca-key.pem"
+CA_CERT_TEMP="/usr/local/share/ca-certificates/ldap-ca-cert.crt"
+CA_CERT="${CA_DIR}/certs/ldap-ca-cert.pem"
+SERVER_INFO="${CA_DIR}/ldap-server.info"
+LDAP_DIR="/etc/ldap"
+SERVER_KEY="${LDAP_DIR}/ldap-server-key.pem"
+SERVER_CERT="${LDAP_DIR}/ldap-server-cert.pem"
+
+# read in organization and host cn (FQDN)
+read -p "Organization: " ORG
+read -p "CA CN (FQDN): " CN
+
+# write CA tempalte info
+cat > $CA_INFO <<EOF
+cn = ${ORG}
+ca
+cert_signing_key
+expiration_days = 3652
+EOF
+
+# write Server template info
+cat > $SERVER_INFO << EOF
+organization = ${ORG}
+cn = ${CN}
+tls_www_server
+encryption_key
+signing_key
+expiration_days = 3652
+EOF
+
+# generate CA private key
+certtool --generate-privkey \
+    --bits 4096 \
+    --outfile $CA_KEY
+
+# generate CA certificate
+certtool --generate-self-signed \
+    --load-privkey $CA_KEY \
+    --template $CA_INFO \
+    --outfile $CA_CERT_TEMP
+
+# update CA certificates
+update-ca-certificates
+
+# generate server private key
+certtool --generate-privkey \
+    --bits 4096 \
+    --outfile $SERVER_KEY
+
+# generate server certificate and sign certificate using CA
+certtool --generate-certificate \
+    --load-privkey $SERVER_KEY \
+    --load-ca-certificate $CA_CERT \
+    --load-ca-privkey $CA_KEY \
+    --template $SERVER_INFO \
+    --outfile $SERVER_CERT 
+
+# make sure that openldap has access to the server key
+chgrp openldap $SERVER_KEY
+chmod 0640 $SERVER_KEY
+
+# report the relevant files made (this is useful for running setup.sh after)
+echo "
+Generated TLS Certificates
++==============================+
+CA Cert:     ${CA_CERT}
+Server Cert: ${SERVER_CERT}
+Server Key:  ${SERVER_KEY}
+"

setup.sh

@@ -18,6 +18,7 @@ DO_TLS=1
 
 POSITIONAL_ARGS=()
 
+# parse CLI arguments
 while [[ $# -gt 0 ]]; do
     case $1 in
         --skip-auth)
@@ -51,8 +52,10 @@ echo "DO AUTH       = ${DO_AUTH}"
 echo "DO TLS        = ${DO_TLS}"
 echo "+===============+"
 
+# always read in base dn
 read -p "Base DN: " BASE_DN
 
+# read in init admin info
 if [ "$DO_INIT" = 1 ]; then
     read -p "Admin User ID: " ADMIN_ID
     read -p "Admin User Email: " ADMIN_EMAIL
@@ -67,18 +70,21 @@ if [ "$DO_INIT" = 1 ]; then
     do echo "Passwords must match" ; done
 fi
 
+# read in infor for tls config
 if [ "$DO_TLS" = 1 ]; then
     read -p "CA Cert File Path: " CA_FILE
     read -p "Server Cert File Path: " CERT_FILE
     read -p "Server Key File Path: " KEY_FILE
 fi
 
+# execute modify auth
 if [ "$DO_AUTH" = 1 ]; then
     envsubst '$BASE_DN' < auth.template.ldif > auth.ldif
     sudo ldapmodify -H ldapi:/// -Y EXTERNAL -f auth.ldif
     rm auth.ldif
 fi
 
+# execute add init, which cannot be done on an already initialized system
 if [ "$DO_INIT" = 1 ]; then
     envsubst '$BASE_DN' < pass.template.ldif > pass.ldif
     envsubst '$BASE_DN:$ADMIN_ID:$ADMIN_EMAIL:$ADMIN_CN:$ADMIN_SN:$ADMIN_PASSWD' < init.template.ldif > init.ldif
@@ -87,6 +93,7 @@ if [ "$DO_INIT" = 1 ]; then
     rm pass.ldif init.ldif
 fi
 
+# execute modify tls
 if [ "$DO_TLS" = 1 ]; then
     envsubst '$CA_FILE:$CERT_FILE:$KEY_FILE' < tls.template.ldif > tls.ldif
     sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif