Adding SSL configuration using values from the config file
Other smaller improvements
This commit is contained in:
@@ -5,3 +5,7 @@
|
||||
LDAP_DC="dc=winklerfamilie,dc=eu"
|
||||
LDAP_OU_GROUPS="ou=Groups"
|
||||
LDAP_OU_USERS="ou=Users"
|
||||
|
||||
LDAP_CERT="/etc/letsencrypt/live/winklerfamilie.eu/cert.pem"
|
||||
LDAP_CERT_KEY="/etc/letsencrypt/live/winklerfamilie.eu/privkey.pem"
|
||||
LDAP_CERT_CA="/etc/letsencrypt/live/winklerfamilie.eu/fullchain.pem"
|
||||
|
||||
62
seqs/ldap.sh
62
seqs/ldap.sh
@@ -1,7 +1,9 @@
|
||||
#!/bin/bash
|
||||
|
||||
toolName=ldap
|
||||
toolDeps="slapd ldap-utils"
|
||||
toolName="ldap"
|
||||
toolDaemon="slapd"
|
||||
toolDeps="$toolDaemon ldap-utils"
|
||||
toolUser="openldap"
|
||||
|
||||
# Get script working directory
|
||||
# (when called from a different directory)
|
||||
@@ -26,7 +28,7 @@ step_1() {
|
||||
|
||||
step_2_info() { echo "Configuration of $toolName"; }
|
||||
step_2() {
|
||||
exe dpkg-reconfigure slapd
|
||||
exe dpkg-reconfigure $toolDaemon
|
||||
}
|
||||
|
||||
step_3_info() { echo "Load memberof module"; }
|
||||
@@ -50,6 +52,9 @@ objectClass: olcOverlayConfig
|
||||
objectClass: olcMemberOf
|
||||
olcOverlay: memberof
|
||||
olcMemberOfRefint: TRUE
|
||||
-
|
||||
dn: olcDatabase={1}mdb,cn=config
|
||||
olcDbIndex: memberOf eq
|
||||
"
|
||||
|
||||
step_5_info() { echo "Load refint module"; }
|
||||
@@ -77,7 +82,7 @@ olcOverlay: {1}refint
|
||||
olcRefintAttribute: memberof member manager owner
|
||||
"
|
||||
|
||||
step_7_info() { echo -e "Create base DNs for users ($LDAP_OU_USERS) and groups ($LDAP_OU_GROUPS)\n"; }
|
||||
step_7_info() { echo "Create base DNs for users ($LDAP_OU_USERS) and groups ($LDAP_OU_GROUPS)"; }
|
||||
step_7() {
|
||||
variable2Ldif add "$ldapBase"
|
||||
}
|
||||
@@ -90,6 +95,42 @@ objectClass: organizationalUnit
|
||||
\${LDAP_OU_GROUPS/ou=/ou: }
|
||||
"
|
||||
|
||||
step_8_info() { echo "Setup SSL secured ldaps:// access"; }
|
||||
step_8() {
|
||||
sudo -u $toolUser test -r "$LDAP_CERT_KEY" >>/dev/null 2>&1
|
||||
endReturn -o $? "$toolUser cannot access certificate key file: $LDAP_CERT_KEY"
|
||||
sudo -u $toolUser test -r "$LDAP_CERT" >>/dev/null 2>&1
|
||||
endReturn -o $? "$toolUser cannot access certificate file: $LDAP_CERT"
|
||||
sudo -u $toolUser test -r "$LDAP_CERT_CA" >>/dev/null 2>&1
|
||||
endReturn -o $? "$toolUser cannot access CA certificate file: $LDAP_CERT_CA"
|
||||
|
||||
local tempLdif=`eval "echo \"$sslSetup\""`
|
||||
exep "echo \"$tempLdif\" | ldapmodify -Y EXTERNAL -H ldapi:///"
|
||||
|
||||
exe service $toolDaemon restart
|
||||
}
|
||||
sslSetup="dn: cn=config
|
||||
changetype: modify
|
||||
replace: olcTLSCertificateKeyFile
|
||||
olcTLSCertificateKeyFile: \$LDAP_CERT_KEY
|
||||
-
|
||||
replace: olcTLSCertificateFile
|
||||
olcTLSCertificateFile: \$LDAP_CERT
|
||||
-
|
||||
replace: olcTLSCACertificateFile
|
||||
olcTLSCACertificateFile: \$LDAP_CERT_CA
|
||||
-
|
||||
replace: olcTLSVerifyClient
|
||||
olcTLSVerifyClient: never
|
||||
"
|
||||
step_9_info() { echo "Finalize SSL configuration (manually)"; }
|
||||
step_9() {
|
||||
echo "/etc/default/$toolDaemon"
|
||||
echo " Add \"ldaps:///\" to line:"
|
||||
echo " SLAPD_SERVICES=\"ldap:/// ldaps:/// ldapi:///\""
|
||||
echo
|
||||
}
|
||||
|
||||
step_20_info() { echo "Test plain ldap connection with anonymous access"; }
|
||||
step_20() {
|
||||
exe ldapwhoami -H ldapi:/// -x
|
||||
@@ -121,7 +162,7 @@ description: Created by $0
|
||||
member: \${memberDn}
|
||||
"
|
||||
|
||||
step_102_info() { echo "Add user <USER ID> <USER NAME> <USER LASTNAME> <UIDNUMBER> <USER EMAIL>"; }
|
||||
step_102_info() { echo "Add user <USER ID> <USER NAME> <USER LASTNAME> <UIDNUMBER> <USER EMAIL> [USER GID]"; }
|
||||
step_102_alias() { ALIAS="adduser"; }
|
||||
step_102() {
|
||||
shift
|
||||
@@ -131,6 +172,10 @@ step_102() {
|
||||
local userSn="$3"
|
||||
local uidNumber="$4"
|
||||
local userMail="$5"
|
||||
local userGid=10000
|
||||
if [ ! -z $6 ] ; then
|
||||
userGid="$6"
|
||||
fi
|
||||
|
||||
variable2Ldif add "$addUser"
|
||||
endReturn -o $? "Adding user failed"
|
||||
@@ -142,7 +187,7 @@ givenName: \$givenName
|
||||
sn: \$userSn
|
||||
uid: \$userId
|
||||
uidNumber: \$uidNumber
|
||||
gidNumber: 10000
|
||||
gidNumber: \$userGid
|
||||
homeDirectory: /home/\$userId
|
||||
mail: \$userMail
|
||||
objectClass: top
|
||||
@@ -154,7 +199,7 @@ objectClass: person
|
||||
loginShell: /bin/bash
|
||||
"
|
||||
|
||||
step_103_info() { echo "(Re)set passwort for <USER>"; }
|
||||
step_103_info() { echo "(re)Set passwort for <USER>"; }
|
||||
step_103_alias() { ALIAS="passwd"; }
|
||||
step_103() {
|
||||
shift
|
||||
@@ -293,6 +338,9 @@ variable2Ldif() {
|
||||
add)
|
||||
cmd="ldapadd"
|
||||
;;
|
||||
delete)
|
||||
cmd="ldapdelete"
|
||||
;;
|
||||
esac
|
||||
exep "echo \"$tempLdif\" | $cmd -x -D cn=admin,${LDAP_DC} -W"
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user