From ab6283de9b9ac6e20e652716e2d876a391977d30 Mon Sep 17 00:00:00 2001
From: Martin Winkler
Date: Wed, 29 Apr 2020 23:08:18 +0200
Subject: [PATCH] Adding SSL configuration using values from the config file
Other smaller improvements
---
seqs/ldap.cfg.example | 4 +++
seqs/ldap.sh | 62 ++++++++++++++++++++++++++++++++++++++-----
2 files changed, 59 insertions(+), 7 deletions(-)
diff --git a/seqs/ldap.cfg.example b/seqs/ldap.cfg.example
index b8c4caa..ea92071 100644
--- a/seqs/ldap.cfg.example
+++ b/seqs/ldap.cfg.example
@@ -5,3 +5,7 @@ LDAP_DC="dc=winklerfamilie,dc=eu"
 LDAP_OU_GROUPS="ou=Groups"
 LDAP_OU_USERS="ou=Users"
+
+LDAP_CERT="/etc/letsencrypt/live/winklerfamilie.eu/cert.pem"
+LDAP_CERT_KEY="/etc/letsencrypt/live/winklerfamilie.eu/privkey.pem"
+LDAP_CERT_CA="/etc/letsencrypt/live/winklerfamilie.eu/fullchain.pem"
diff --git a/seqs/ldap.sh b/seqs/ldap.sh
index 6198560..e85c23c 100755
--- a/seqs/ldap.sh
+++ b/seqs/ldap.sh
@@ -1,7 +1,9 @@
 #!/bin/bash
-toolName=ldap
-toolDeps="slapd ldap-utils"
+toolName="ldap"
+toolDaemon="slapd"
+toolDeps="$toolDaemon ldap-utils"
+toolUser="openldap"
 # Get script working directory
 # (when called from a different directory)
@@ -26,7 +28,7 @@ step_1() {
 step_2_info() { echo "Configuration of $toolName"; }
 step_2() {
- exe dpkg-reconfigure slapd
+ exe dpkg-reconfigure $toolDaemon
 }
 step_3_info() { echo "Load memberof module"; }
@@ -50,6 +52,9 @@ objectClass: olcOverlayConfig
 objectClass: olcMemberOf
 olcOverlay: memberof
 olcMemberOfRefint: TRUE
+-
+dn: olcDatabase={1}mdb,cn=config
+olcDbIndex: memberOf eq
 "
 step_5_info() { echo "Load refint module"; }
@@ -77,7 +82,7 @@ olcOverlay: {1}refint
 olcRefintAttribute: memberof member manager owner
 "
-step_7_info() { echo -e "Create base DNs for users ($LDAP_OU_USERS) and groups ($LDAP_OU_GROUPS)\n"; }
+step_7_info() { echo "Create base DNs for users ($LDAP_OU_USERS) and groups ($LDAP_OU_GROUPS)"; }
 step_7() {
 variable2Ldif add "$ldapBase"
 }
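Review bot: `LDAP_CERT_KEY` in the example points at a certbot `privkey.pem`, and on a standard certbot layout `/etc/letsencrypt/live` and `/etc/letsencrypt/archive` are readable by root only, so the `sudo -u openldap test -r` check that ldap.sh's new step_8 performs would fail with this value as shipped. A short comment in the example would spare that round trip, e.g. `# The openldap user must be able to read these three files (ldap.sh step 8 verifies this); slapd needs a restart after each certificate renewal to pick up the new files.`. The cert/chain split used here (leaf in LDAP_CERT, `fullchain.pem` as the CA file) is a common slapd setup, but naming it in the same comment helps whoever swaps in a certificate from another issuer.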
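Review bot: The `-` placed before `dn: olcDatabase={1}mdb,cn=config` is LDIF's separator between modifications of one record, not between records, so the tool that consumes this string will most likely reject the whole text instead of creating the index; the new record is also missing its `changetype: modify` and `add: olcDbIndex` lines (the start of this LDIF string and the step that submits it are outside the hunk, so I am inferring the first record is the overlay's add). Replace the `-` line with an empty line and give the second record its own header: `changetype: modify` and `add: olcDbIndex` directly before `olcDbIndex: memberOf eq`. ldapadd is ldapmodify -a and honours an explicit changetype, so the existing submit path should still work.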
@@ -90,6 +95,42 @@ objectClass: organizationalUnit
 \${LDAP_OU_GROUPS/ou=/ou: }
 "
+step_8_info() { echo "Setup SSL secured ldaps:// access"; }
+step_8() {
+ sudo -u $toolUser test -r "$LDAP_CERT_KEY" >>/dev/null 2>&1
+ endReturn -o $? "$toolUser cannot access certificate key file: $LDAP_CERT_KEY"
+ sudo -u $toolUser test -r "$LDAP_CERT" >>/dev/null 2>&1
+ endReturn -o $? "$toolUser cannot access certificate file: $LDAP_CERT"
+ sudo -u $toolUser test -r "$LDAP_CERT_CA" >>/dev/null 2>&1
+ endReturn -o $? "$toolUser cannot access CA certificate file: $LDAP_CERT_CA"
+
+ local tempLdif=`eval "echo \"$sslSetup\""`
+ exep "echo \"$tempLdif\" | ldapmodify -Y EXTERNAL -H ldapi:///"
+
+ exe service $toolDaemon restart
+}
+sslSetup="dn: cn=config
+changetype: modify
+replace: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: \$LDAP_CERT_KEY
+-
+replace: olcTLSCertificateFile
+olcTLSCertificateFile: \$LDAP_CERT
+-
+replace: olcTLSCACertificateFile
+olcTLSCACertificateFile: \$LDAP_CERT_CA
+-
+replace: olcTLSVerifyClient
+olcTLSVerifyClient: never
+"
+step_9_info() { echo "Finalize SSL configuration (manually)"; }
+step_9() {
+ echo "/etc/default/$toolDaemon"
+ echo " Add \"ldaps:///\" to line:"
+ echo " SLAPD_SERVICES=\"ldap:/// ldaps:/// ldapi:///\""
+ echo
+}
+
 step_20_info() { echo "Test plain ldap connection with anonymous access"; }
 step_20() {
 exe ldapwhoami -H ldapi:/// -x
@@ -121,7 +162,7 @@ description: Created by $0
 member: \${memberDn}
 "
-step_102_info() { echo "Add user "; }
+step_102_info() { echo "Add user [USER GID]"; }
 step_102_alias() { ALIAS="adduser"; }
 step_102() {
 shift
@@ -131,6 +172,10 @@ step_102() {
 local userSn="$3"
 local uidNumber="$4"
 local userMail="$5"
+ local userGid=10000
+ if [ ! -z $6 ] ; then
+ userGid="$6"
+ fi
 variable2Ldif add "$addUser"
 endReturn -o $? "Adding user failed"
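Review bot: step_8 installs certificate paths but leaves the protocol floor and cipher list at slapd's defaults, which depending on the slapd/GnuTLS build may still accept TLS 1.0 and 1.1; adding a minimum in the same modify record, i.e. a further `-`, `replace: olcTLSProtocolMin`, `olcTLSProtocolMin: 3.3` (3.3 is TLS 1.2 in slapd's notation) before the closing quote, closes that. The LDIF is produced with `eval "echo \"$sslSetup\""`, so the three LDAP_CERT* values are re-parsed as shell; the config file is sourced shell already, so this adds no new trust boundary, but the eval is avoidable if `sslSetup` is defined after the config is loaded (if that ordering holds here) with plain `$LDAP_CERT_KEY` references. `sudo -u $toolUser` and `service $toolDaemon restart` here, `dpkg-reconfigure $toolDaemon` in step_2 and `[ ! -z $6 ]` in step_102 leave their expansions unquoted; `"$toolUser"`, `"$toolDaemon"`, `"$6"` cost nothing and keep shellcheck clean. Both step_8 and step_9 are complete within the hunk.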
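Review bot: `userGid` is taken from `$6` without any check that it is numeric, and the default is chosen with `[ ! -z $6 ]`, whose unquoted expansion breaks on a value containing whitespace. `local userGid="${6:-10000}"` replaces the four added lines with the same semantics, and because the value lands in the `gidNumber` attribute of the LDIF (and, if variable2Ldif expands its string the way step_8 does, passes through eval), a guard such as `[[ "$userGid" =~ ^[0-9]+$ ]] || endReturn -o 1 "GID must be numeric: $userGid"` keeps a typo out of the directory, assuming `endReturn -o` treats a non-zero status as fatal as its use after the sudo checks in step_8 suggests. `$uidNumber` just above has the same gap but is not part of this change. step_102 starts before the hunk and continues after it.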
@@ -142,7 +187,7 @@ givenName: \$givenName
 sn: \$userSn
 uid: \$userId
 uidNumber: \$uidNumber
-gidNumber: 10000
+gidNumber: \$userGid
 homeDirectory: /home/\$userId
 mail: \$userMail
 objectClass: top
@@ -154,7 +199,7 @@ objectClass: person
 loginShell: /bin/bash
 "
-step_103_info() { echo "(Re)set passwort for "; }
+step_103_info() { echo "(re)Set passwort for "; }
 step_103_alias() { ALIAS="passwd"; }
 step_103() {
 shift
@@ -293,6 +338,9 @@ variable2Ldif() {
 add)
 cmd="ldapadd"
 ;;
+ delete)
+ cmd="ldapdelete"
+ ;;
 esac
 exep "echo \"$tempLdif\" | $cmd -x -D cn=admin,${LDAP_DC} -W"
 }
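Review bot: The reworded message still says `passwort`, and unlike the step_102_info line changed in this same commit it does not hint at the expected argument; `step_103_info() { echo "(re)Set password for [USER]"; }` fixes both (the argument name is a guess from the `passwd` alias, so match it to what step_103 actually reads). step_103's body lies outside the hunk.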
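Review bot: The new `delete` arm feeds its text through the shared `exep "echo \"$tempLdif\" | $cmd -x -D cn=admin,${LDAP_DC} -W"` line, but ldapdelete does not consume LDIF: with no DN arguments it reads bare DNs from stdin, one per line, so a record in the `dn:`-prefixed format the `add` arm takes would be rejected. Either callers of `variable2Ldif delete` must pass bare DNs, which deserves a comment on the arm such as `# delete: the variable holds bare DNs, one per line, not LDIF`, or the input format stays uniform by using `delete) cmd="ldapmodify" ;;` with `changetype: delete` records. No caller of the delete arm is in this patch, so which is intended cannot be told from here; variable2Ldif starts before the hunk.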