Compare commits
3 Commits
f2f817fa31
...
ad503a2c53
Author | SHA1 | Date | |
---|---|---|---|
ad503a2c53 | |||
4c1ad57acd | |||
cdcd37d6c3 |
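--- a/cert.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-# requires gnutls-bin ssl-cert
-
-export CA_FILE
-export CERT_FILE
-export KEY_FILE
-
-read -p "CA Cert File Path: " CA_FILE
-read -p "Server Cert File Path: " CERT_FILE
-read -p "Server Key File Path: " KEY_FILE
-
-envsubst '$CA_FILE:$CERT_FILE:$KEY_FILE' < cert.template.ldif > cert.ldif
-
-sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f cert.ldif
-
-rm cert.ldif
-
-unset CA_FILE
-unset CERT_FILE
-unset KEY_FILE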
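--- a/init.sh
+++ /dev/null
@@ -1,44 +0,0 @@
-# PAAS LDAP openldap server initialization script
-# initializes a blank openldap server using root external bind
-# requires user input for base dn, admin user, and admin user password
-# requires slapd ldap-util
-
-export BASE_DN=''
-export ADMIN_ID=''
-export ADMIN_EMAIL=''
-export ADMIN_CN=''
-export ADMIN_SN=''
-export ADMIN_PASSWD=''
-read -p "Base DN: " BASE_DN
-read -p "Admin User ID: " ADMIN_ID
-read -p "Admin User Email: " ADMIN_EMAIL
-read -p "Admin User CN: " ADMIN_CN
-read -p "Admin User SN: " ADMIN_SN
-read -s -p "Admin Password: " ADMIN_PASSWD
-echo ""
-read -s -p "Confirm Password: " CONFIRM_PASSWD
-echo ""
-
-if [ "$ADMIN_PASSWD" = "$CONFIRM_PASSWD" ]; then
-
-envsubst '$BASE_DN' < auth.template.ldif > auth.ldif
-envsubst '$BASE_DN' < pass.template.ldif > pass.ldif
-envsubst '$BASE_DN:$ADMIN_ID:$ADMIN_EMAIL:$ADMIN_CN:$ADMIN_SN:$ADMIN_PASSWD' < init.template.ldif > init.ldif
-
-sudo ldapmodify -H ldapi:/// -Y EXTERNAL -f auth.ldif
-sudo ldapmodify -H ldapi:/// -Y EXTERNAL -f pass.ldif
-sudo ldapadd -H ldapi:/// -Y EXTERNAL -c -f init.ldif
-
-rm auth.ldif init.ldif pass.ldif
-
-else
-
-echo "Error: Passwords do not match."
-
-fi
-
-unset BASE_DN
-unset ADMIN_ID
-unset ADMIN_CN
-unset ADMIN_SN
-unset ADMIN_PASSWD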
@ -8,13 +8,7 @@ dn: ou=groups,$BASE_DN
|
|||||||
objectClass: organizationalUnit
|
objectClass: organizationalUnit
|
||||||
ou: groups
|
ou: groups
|
||||||
|
|
||||||
# admin group
|
# initial user
|
||||||
dn: cn=admins,ou=groups,$BASE_DN
|
|
||||||
objectClass: groupOfNames
|
|
||||||
member: uid=$ADMIN_ID,ou=people,$BASE_DN
|
|
||||||
cn: admins
|
|
||||||
|
|
||||||
# paas user
|
|
||||||
dn: uid=$ADMIN_ID,ou=people,$BASE_DN
|
dn: uid=$ADMIN_ID,ou=people,$BASE_DN
|
||||||
objectClass: inetOrgPerson
|
objectClass: inetOrgPerson
|
||||||
mail: $ADMIN_EMAIL
|
mail: $ADMIN_EMAIL
|
||||||
@ -22,3 +16,15 @@ cn: $ADMIN_CN
|
|||||||
sn: $ADMIN_SN
|
sn: $ADMIN_SN
|
||||||
uid: $ADMIN_ID
|
uid: $ADMIN_ID
|
||||||
userPassword: $ADMIN_PASSWD
|
userPassword: $ADMIN_PASSWD
|
||||||
|
|
||||||
|
# initial user personal group
|
||||||
|
dn: cn=$ADMIN_ID,ou=groups,$BASE_DN
|
||||||
|
objectClass: groupOfNames
|
||||||
|
cn: alu
|
||||||
|
member: uid=$ADMIN_ID,ou=people,$BASE_DN
|
||||||
|
|
||||||
|
# admin group
|
||||||
|
dn: cn=admins,ou=groups,$BASE_DN
|
||||||
|
objectClass: groupOfNames
|
||||||
|
cn: admins
|
||||||
|
member: uid=$ADMIN_ID,ou=people,$BASE_DN
|
||||||
|
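Review bot: The added personal-group entry `dn: cn=$ADMIN_ID,ou=groups,$BASE_DN` carries `cn: alu` instead of `cn: $ADMIN_ID`; slapd requires the RDN value to be present among the entry's attribute values, so for any admin id other than `alu` this add is rejected as a naming violation. Because setup.sh applies this file with `ldapadd -c`, the rejected entry is skipped and the run still reports success, leaving the admin without the personal group the template intends to create. Change the line to `cn: $ADMIN_ID`; `alu` looks like a leftover from a hand-written test entry, but that is an inference from the surrounding placeholders. The `cn=admins` entry that follows is consistent (`cn: admins` matches its RDN) and needs no change.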
@ -1,9 +1,10 @@
|
|||||||
# load pw-sha2 module
|
# load modules: pw-sha2, ppolicy, memberof
|
||||||
dn: cn=module{0},cn=config
|
dn: cn=module{0},cn=config
|
||||||
changetype: modify
|
changetype: modify
|
||||||
add: olcModuleLoad
|
add: olcModuleLoad
|
||||||
olcModuleLoad: pw-sha2.la
|
olcModuleLoad: pw-sha2.la
|
||||||
olcModuleLoad: ppolicy.la
|
olcModuleLoad: ppolicy.la
|
||||||
|
olcModuleLoad: memberof.la
|
||||||
|
|
||||||
# set default password hash to SSHA512
|
# set default password hash to SSHA512
|
||||||
dn: olcDatabase={-1}frontend,cn=config
|
dn: olcDatabase={-1}frontend,cn=config
|
||||||
@ -21,3 +22,15 @@ olcPPolicyDefault: cn=password,ou=policies,$BASE_DN
|
|||||||
olcPPolicyHashCleartext: TRUE
|
olcPPolicyHashCleartext: TRUE
|
||||||
olcPPolicyUseLockout: FALSE
|
olcPPolicyUseLockout: FALSE
|
||||||
olcPPolicyForwardUpdates: FALSE
|
olcPPolicyForwardUpdates: FALSE
|
||||||
|
|
||||||
|
# add memberof policy
|
||||||
|
dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
|
||||||
|
changetype: add
|
||||||
|
objectClass: olcOverlayConfig
|
||||||
|
objectClass: olcMemberOf
|
||||||
|
olcOverlay: memberof
|
||||||
|
olcMemberOfDangling: ignore
|
||||||
|
olcMemberOfRefInt: TRUE
|
||||||
|
olcMemberOfGroupOC: groupOfNames
|
||||||
|
olcMemberOfMemberAD: member
|
||||||
|
olcMemberOfMemberOfAD: memberOf
|
||||||
|
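Review bot: The new memberof overlay only maintains `memberOf` for group changes made after it is active; it does not backfill groups that already exist. In setup.sh the file is applied (pass.ldif) before the admin groups are added (init.ldif), so a first-time install is fine, but re-running against an existing directory or with `--skip-init` leaves earlier groups without `memberOf`, which is easy to misread as a broken overlay. A comment on the entry would save that debugging session: `# NOTE: memberOf is not backfilled for groups created before this overlay was added`. The overlay is also pinned to `olcDatabase={1}mdb`; if the data database ever sits at a different index the add silently targets the wrong DN, so a second comment stating that assumption is worthwhile.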
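--- /dev/null
+++ b/setup.sh
@@ -0,0 +1,103 @@
+# PAAS LDAP openldap server initialization script
+# initializes a blank openldap server using root external bind
+# requires user input for base dn, admin user, and admin user password
+# requires slapd ldap-util
+
+export BASE_DN=''
+export ADMIN_ID=''
+export ADMIN_EMAIL=''
+export ADMIN_CN=''
+export ADMIN_SN=''
+export ADMIN_PASSWD=''
+export CA_FILE=''
+export CERT_FILE=''
+export KEY_FILE=''
+DO_AUTH=1
+DO_INIT=1
+DO_TLS=1
+
+POSITIONAL_ARGS=()
+
+while [[ $# -gt 0 ]]; do
+case $1 in
+--skip-auth)
+DO_AUTH=0
+shift # past argument
+;;
+--skip-init)
+DO_INIT=0
+shift # past pargument
+;;
+--skip-tls)
+DO_TLS=0
+shift # past argument
+;;
+-*|--*)
+echo "Unknown option $1"
+exit 1
+;;
+*)
+POSITIONAL_ARGS+=("$1") # save positional arg
+shift # past argument
+;;
+esac
+done
+
+set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
+
+echo "Operations:"
+echo "DO FIRST TIME = ${DO_INIT}"
+echo "DO AUTH = ${DO_AUTH}"
+echo "DO TLS = ${DO_TLS}"
+echo "+===============+"
+
+read -p "Base DN: " BASE_DN
+
+if [ "$DO_INIT" = 1 ]; then
+read -p "Admin User ID: " ADMIN_ID
+read -p "Admin User Email: " ADMIN_EMAIL
+read -p "Admin User CN: " ADMIN_CN
+read -p "Admin User SN: " ADMIN_SN
+while
+read -s -p "Admin Password: " ADMIN_PASSWD
+echo ""
+read -s -p "Confirm Password: " CONFIRM_PASSWD
+echo ""
+! [ "$ADMIN_PASSWD" = "$CONFIRM_PASSWD" ]
+do echo "Passwords must match" ; done
+fi
+
+if [ "$DO_TLS" = 1 ]; then
+read -p "CA Cert File Path: " CA_FILE
+read -p "Server Cert File Path: " CERT_FILE
+read -p "Server Key File Path: " KEY_FILE
+fi
+
+if [ "$DO_AUTH" = 1 ]; then
+envsubst '$BASE_DN' < auth.template.ldif > auth.ldif
+sudo ldapmodify -H ldapi:/// -Y EXTERNAL -f auth.ldif
+rm auth.ldif
+fi
+
+if [ "$DO_INIT" = 1 ]; then
+envsubst '$BASE_DN' < pass.template.ldif > pass.ldif
+envsubst '$BASE_DN:$ADMIN_ID:$ADMIN_EMAIL:$ADMIN_CN:$ADMIN_SN:$ADMIN_PASSWD' < init.template.ldif > init.ldif
+sudo ldapmodify -H ldapi:/// -Y EXTERNAL -f pass.ldif
+sudo ldapadd -H ldapi:/// -Y EXTERNAL -c -f init.ldif
+rm pass.ldif init.ldif
+fi
+
+if [ "$DO_TLS" = 1 ]; then
+envsubst '$CA_FILE:$CERT_FILE:$KEY_FILE' < tls.template.ldif > tls.ldif
+sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif
+rm tls.ldif
+fi
+
+unset BASE_DN
+unset ADMIN_ID
+unset ADMIN_CN
+unset ADMIN_SN
+unset ADMIN_PASSWD
+unset CA_FILE
+unset CERT_FILE
+unset KEY_FILE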