fix issue in setup script

fix init order for memberof overlay

cert.sh

@@ -1,19 +0,0 @@
-# requires gnutls-bin ssl-cert
-
-export CA_FILE
-export CERT_FILE
-export KEY_FILE
-
-read -p "CA Cert File Path: " CA_FILE
-read -p "Server Cert File Path: " CERT_FILE
-read -p "Server Key File Path: " KEY_FILE
-
-envsubst '$CA_FILE:$CERT_FILE:$KEY_FILE' < cert.template.ldif > cert.ldif
-
-sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f cert.ldif
-
-rm cert.ldif
-
-unset CA_FILE
-unset CERT_FILE
-unset KEY_FILE

init.sh

@@ -1,44 +0,0 @@
-# PAAS LDAP openldap server initialization script
-# initializes a blank openldap server using root external bind
-# requires user input for base dn, admin user, and admin user password
-# requires slapd ldap-util
-
-export BASE_DN=''
-export ADMIN_ID=''
-export ADMIN_EMAIL=''
-export ADMIN_CN=''
-export ADMIN_SN=''
-export ADMIN_PASSWD=''
-read -p "Base DN: " BASE_DN
-read -p "Admin User ID: " ADMIN_ID
-read -p "Admin User Email: " ADMIN_EMAIL
-read -p "Admin User CN: " ADMIN_CN
-read -p "Admin User SN: " ADMIN_SN
-read -s -p "Admin Password: " ADMIN_PASSWD
-echo ""
-read -s -p "Confirm Password: " CONFIRM_PASSWD
-echo ""
-
-if [ "$ADMIN_PASSWD" = "$CONFIRM_PASSWD" ]; then
-
-    envsubst '$BASE_DN' < auth.template.ldif > auth.ldif
-    envsubst '$BASE_DN' < pass.template.ldif > pass.ldif
-    envsubst '$BASE_DN:$ADMIN_ID:$ADMIN_EMAIL:$ADMIN_CN:$ADMIN_SN:$ADMIN_PASSWD' < init.template.ldif > init.ldif
-
-    sudo ldapmodify -H ldapi:/// -Y EXTERNAL -f auth.ldif
-    sudo ldapmodify -H ldapi:/// -Y EXTERNAL -f pass.ldif
-    sudo ldapadd -H ldapi:/// -Y EXTERNAL -c -f init.ldif
-
-    rm auth.ldif init.ldif pass.ldif
-
-else 
-
-    echo "Error: Passwords do not match."
-
-fi
-
-unset BASE_DN
-unset ADMIN_ID
-unset ADMIN_CN
-unset ADMIN_SN
-unset ADMIN_PASSWD

init.template.ldif

@@ -8,13 +8,7 @@ dn: ou=groups,$BASE_DN
 objectClass: organizationalUnit
 ou: groups
 
-# admin group
-dn: cn=admins,ou=groups,$BASE_DN
-objectClass: groupOfNames
-member: uid=$ADMIN_ID,ou=people,$BASE_DN
-cn: admins
-
-# paas user 
+# initial user 
 dn: uid=$ADMIN_ID,ou=people,$BASE_DN
 objectClass: inetOrgPerson
 mail: $ADMIN_EMAIL
@@ -22,3 +16,15 @@ cn: $ADMIN_CN
 sn: $ADMIN_SN
 uid: $ADMIN_ID
 userPassword: $ADMIN_PASSWD
+
+# initial user personal group
+dn: cn=$ADMIN_ID,ou=groups,$BASE_DN
+objectClass: groupOfNames
+cn: alu
+member: uid=$ADMIN_ID,ou=people,$BASE_DN
+
+# admin group
+dn: cn=admins,ou=groups,$BASE_DN
+objectClass: groupOfNames
+cn: admins
+member: uid=$ADMIN_ID,ou=people,$BASE_DN

pass.template.ldif

@@ -1,9 +1,10 @@
-# load pw-sha2 module
+# load modules: pw-sha2, ppolicy, memberof
 dn: cn=module{0},cn=config
 changetype: modify
 add: olcModuleLoad
 olcModuleLoad: pw-sha2.la
 olcModuleLoad: ppolicy.la
+olcModuleLoad: memberof.la
 
 # set default password hash to SSHA512
 dn: olcDatabase={-1}frontend,cn=config
@@ -21,3 +22,15 @@ olcPPolicyDefault: cn=password,ou=policies,$BASE_DN
 olcPPolicyHashCleartext: TRUE
 olcPPolicyUseLockout: FALSE
 olcPPolicyForwardUpdates: FALSE
+
+# add memberof policy
+dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
+changetype: add
+objectClass: olcOverlayConfig
+objectClass: olcMemberOf
+olcOverlay: memberof
+olcMemberOfDangling: ignore
+olcMemberOfRefInt: TRUE
+olcMemberOfGroupOC: groupOfNames
+olcMemberOfMemberAD: member
+olcMemberOfMemberOfAD: memberOf

setup.sh

@@ -0,0 +1,103 @@
+# PAAS LDAP openldap server initialization script
+# initializes a blank openldap server using root external bind
+# requires user input for base dn, admin user, and admin user password
+# requires slapd ldap-util
+
+export BASE_DN=''
+export ADMIN_ID=''
+export ADMIN_EMAIL=''
+export ADMIN_CN=''
+export ADMIN_SN=''
+export ADMIN_PASSWD=''
+export CA_FILE=''
+export CERT_FILE=''
+export KEY_FILE=''
+DO_AUTH=1
+DO_INIT=1
+DO_TLS=1
+
+POSITIONAL_ARGS=()
+
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --skip-auth)
+        DO_AUTH=0
+        shift # past argument
+        ;;
+        --skip-init)
+        DO_INIT=0
+        shift # past pargument
+        ;;
+        --skip-tls)
+        DO_TLS=0
+        shift # past argument
+        ;;
+        -*|--*)
+        echo "Unknown option $1"
+        exit 1
+        ;;
+        *)
+        POSITIONAL_ARGS+=("$1") # save positional arg
+        shift # past argument
+        ;;
+    esac
+done
+
+set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
+
+echo "Operations:"
+echo "DO FIRST TIME = ${DO_INIT}"
+echo "DO AUTH       = ${DO_AUTH}"
+echo "DO TLS        = ${DO_TLS}"
+echo "+===============+"
+
+read -p "Base DN: " BASE_DN
+
+if [ "$DO_INIT" = 1 ]; then
+    read -p "Admin User ID: " ADMIN_ID
+    read -p "Admin User Email: " ADMIN_EMAIL
+    read -p "Admin User CN: " ADMIN_CN
+    read -p "Admin User SN: " ADMIN_SN
+    while 
+        read -s -p "Admin Password: " ADMIN_PASSWD
+        echo ""
+        read -s -p "Confirm Password: " CONFIRM_PASSWD
+        echo ""
+        ! [ "$ADMIN_PASSWD" = "$CONFIRM_PASSWD" ]
+    do echo "Passwords must match" ; done
+fi
+
+if [ "$DO_TLS" = 1 ]; then
+    read -p "CA Cert File Path: " CA_FILE
+    read -p "Server Cert File Path: " CERT_FILE
+    read -p "Server Key File Path: " KEY_FILE
+fi
+
+if [ "$DO_AUTH" = 1 ]; then
+    envsubst '$BASE_DN' < auth.template.ldif > auth.ldif
+    sudo ldapmodify -H ldapi:/// -Y EXTERNAL -f auth.ldif
+    rm auth.ldif
+fi
+
+if [ "$DO_INIT" = 1 ]; then
+    envsubst '$BASE_DN' < pass.template.ldif > pass.ldif
+    envsubst '$BASE_DN:$ADMIN_ID:$ADMIN_EMAIL:$ADMIN_CN:$ADMIN_SN:$ADMIN_PASSWD' < init.template.ldif > init.ldif
+    sudo ldapmodify -H ldapi:/// -Y EXTERNAL -f pass.ldif
+    sudo ldapadd -H ldapi:/// -Y EXTERNAL -c -f init.ldif
+    rm pass.ldif init.ldif
+fi
+
+if [ "$DO_TLS" = 1 ]; then
+    envsubst '$CA_FILE:$CERT_FILE:$KEY_FILE' < tls.template.ldif > tls.ldif
+    sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif
+    rm tls.ldif
+fi
+
+unset BASE_DN
+unset ADMIN_ID
+unset ADMIN_CN
+unset ADMIN_SN
+unset ADMIN_PASSWD
+unset CA_FILE
+unset CERT_FILE
+unset KEY_FILE