Adding SSL configuration using values from the config file
Other smaller improvements
@@ -5,3 +5,7 @@
|
|||||||
LDAP_DC="dc=winklerfamilie,dc=eu"
|
LDAP_DC="dc=winklerfamilie,dc=eu"
|
||||||
LDAP_OU_GROUPS="ou=Groups"
|
LDAP_OU_GROUPS="ou=Groups"
|
||||||
LDAP_OU_USERS="ou=Users"
|
LDAP_OU_USERS="ou=Users"
|
||||||
|
|
||||||
|
LDAP_CERT="/etc/letsencrypt/live/winklerfamilie.eu/cert.pem"
|
||||||
|
LDAP_CERT_KEY="/etc/letsencrypt/live/winklerfamilie.eu/privkey.pem"
|
||||||
|
LDAP_CERT_CA="/etc/letsencrypt/live/winklerfamilie.eu/fullchain.pem"
|
||||||
|
62
seqs/ldap.sh
62
seqs/ldap.sh
@@ -1,7 +1,9 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
toolName=ldap
|
toolName="ldap"
|
||||||
toolDeps="slapd ldap-utils"
|
toolDaemon="slapd"
|
||||||
|
toolDeps="$toolDaemon ldap-utils"
|
||||||
|
toolUser="openldap"
|
||||||
|
|
||||||
# Get script working directory
|
# Get script working directory
|
||||||
# (when called from a different directory)
|
# (when called from a different directory)
|
||||||
@@ -26,7 +28,7 @@ step_1() {
|
|||||||
|
|
||||||
step_2_info() { echo "Configuration of $toolName"; }
|
step_2_info() { echo "Configuration of $toolName"; }
|
||||||
step_2() {
|
step_2() {
|
||||||
exe dpkg-reconfigure slapd
|
exe dpkg-reconfigure $toolDaemon
|
||||||
}
|
}
|
||||||
|
|
||||||
step_3_info() { echo "Load memberof module"; }
|
step_3_info() { echo "Load memberof module"; }
|
||||||
@@ -50,6 +52,9 @@ objectClass: olcOverlayConfig
|
|||||||
objectClass: olcMemberOf
|
objectClass: olcMemberOf
|
||||||
olcOverlay: memberof
|
olcOverlay: memberof
|
||||||
olcMemberOfRefint: TRUE
|
olcMemberOfRefint: TRUE
|
||||||
|
-
|
||||||
|
dn: olcDatabase={1}mdb,cn=config
|
||||||
|
olcDbIndex: memberOf eq
|
||||||
"
|
"
|
||||||
|
|
||||||
step_5_info() { echo "Load refint module"; }
|
step_5_info() { echo "Load refint module"; }
|
||||||
@@ -77,7 +82,7 @@ olcOverlay: {1}refint
|
|||||||
olcRefintAttribute: memberof member manager owner
|
olcRefintAttribute: memberof member manager owner
|
||||||
"
|
"
|
||||||
|
|
||||||
step_7_info() { echo -e "Create base DNs for users ($LDAP_OU_USERS) and groups ($LDAP_OU_GROUPS)\n"; }
|
step_7_info() { echo "Create base DNs for users ($LDAP_OU_USERS) and groups ($LDAP_OU_GROUPS)"; }
|
||||||
step_7() {
|
step_7() {
|
||||||
variable2Ldif add "$ldapBase"
|
variable2Ldif add "$ldapBase"
|
||||||
}
|
}
|
||||||
@@ -90,6 +95,42 @@ objectClass: organizationalUnit
|
|||||||
\${LDAP_OU_GROUPS/ou=/ou: }
|
\${LDAP_OU_GROUPS/ou=/ou: }
|
||||||
"
|
"
|
||||||
|
|
||||||
|
step_8_info() { echo "Setup SSL secured ldaps:// access"; }
|
||||||
|
step_8() {
|
||||||
|
sudo -u $toolUser test -r "$LDAP_CERT_KEY" >>/dev/null 2>&1
|
||||||
|
endReturn -o $? "$toolUser cannot access certificate key file: $LDAP_CERT_KEY"
|
||||||
|
sudo -u $toolUser test -r "$LDAP_CERT" >>/dev/null 2>&1
|
||||||
|
endReturn -o $? "$toolUser cannot access certificate file: $LDAP_CERT"
|
||||||
|
sudo -u $toolUser test -r "$LDAP_CERT_CA" >>/dev/null 2>&1
|
||||||
|
endReturn -o $? "$toolUser cannot access CA certificate file: $LDAP_CERT_CA"
|
||||||
|
|
||||||
|
local tempLdif=`eval "echo \"$sslSetup\""`
|
||||||
|
exep "echo \"$tempLdif\" | ldapmodify -Y EXTERNAL -H ldapi:///"
|
||||||
|
|
||||||
|
exe service $toolDaemon restart
|
||||||
|
}
|
||||||
|
sslSetup="dn: cn=config
|
||||||
|
changetype: modify
|
||||||
|
replace: olcTLSCertificateKeyFile
|
||||||
|
olcTLSCertificateKeyFile: \$LDAP_CERT_KEY
|
||||||
|
-
|
||||||
|
replace: olcTLSCertificateFile
|
||||||
|
olcTLSCertificateFile: \$LDAP_CERT
|
||||||
|
-
|
||||||
|
replace: olcTLSCACertificateFile
|
||||||
|
olcTLSCACertificateFile: \$LDAP_CERT_CA
|
||||||
|
-
|
||||||
|
replace: olcTLSVerifyClient
|
||||||
|
olcTLSVerifyClient: never
|
||||||
|
"
|
||||||
|
step_9_info() { echo "Finalize SSL configuration (manually)"; }
|
||||||
|
step_9() {
|
||||||
|
echo "/etc/default/$toolDaemon"
|
||||||
|
echo " Add \"ldaps:///\" to line:"
|
||||||
|
echo " SLAPD_SERVICES=\"ldap:/// ldaps:/// ldapi:///\""
|
||||||
|
echo
|
||||||
|
}
|
||||||
|
|
||||||
step_20_info() { echo "Test plain ldap connection with anonymous access"; }
|
step_20_info() { echo "Test plain ldap connection with anonymous access"; }
|
||||||
step_20() {
|
step_20() {
|
||||||
exe ldapwhoami -H ldapi:/// -x
|
exe ldapwhoami -H ldapi:/// -x
|
||||||
@@ -121,7 +162,7 @@ description: Created by $0
|
|||||||
member: \${memberDn}
|
member: \${memberDn}
|
||||||
"
|
"
|
||||||
|
|
||||||
step_102_info() { echo "Add user <USER ID> <USER NAME> <USER LASTNAME> <UIDNUMBER> <USER EMAIL>"; }
|
step_102_info() { echo "Add user <USER ID> <USER NAME> <USER LASTNAME> <UIDNUMBER> <USER EMAIL> [USER GID]"; }
|
||||||
step_102_alias() { ALIAS="adduser"; }
|
step_102_alias() { ALIAS="adduser"; }
|
||||||
step_102() {
|
step_102() {
|
||||||
shift
|
shift
|
||||||
@@ -131,6 +172,10 @@ step_102() {
|
|||||||
local userSn="$3"
|
local userSn="$3"
|
||||||
local uidNumber="$4"
|
local uidNumber="$4"
|
||||||
local userMail="$5"
|
local userMail="$5"
|
||||||
|
local userGid=10000
|
||||||
|
if [ ! -z $6 ] ; then
|
||||||
|
userGid="$6"
|
||||||
|
fi
|
||||||
|
|
||||||
variable2Ldif add "$addUser"
|
variable2Ldif add "$addUser"
|
||||||
endReturn -o $? "Adding user failed"
|
endReturn -o $? "Adding user failed"
|
||||||
@@ -142,7 +187,7 @@ givenName: \$givenName
|
|||||||
sn: \$userSn
|
sn: \$userSn
|
||||||
uid: \$userId
|
uid: \$userId
|
||||||
uidNumber: \$uidNumber
|
uidNumber: \$uidNumber
|
||||||
gidNumber: 10000
|
gidNumber: \$userGid
|
||||||
homeDirectory: /home/\$userId
|
homeDirectory: /home/\$userId
|
||||||
mail: \$userMail
|
mail: \$userMail
|
||||||
objectClass: top
|
objectClass: top
|
||||||
@@ -154,7 +199,7 @@ objectClass: person
|
|||||||
loginShell: /bin/bash
|
loginShell: /bin/bash
|
||||||
"
|
"
|
||||||
|
|
||||||
step_103_info() { echo "(Re)set passwort for <USER>"; }
|
step_103_info() { echo "(re)Set passwort for <USER>"; }
|
||||||
step_103_alias() { ALIAS="passwd"; }
|
step_103_alias() { ALIAS="passwd"; }
|
||||||
step_103() {
|
step_103() {
|
||||||
shift
|
shift
|
||||||
@@ -293,6 +338,9 @@ variable2Ldif() {
|
|||||||
add)
|
add)
|
||||||
cmd="ldapadd"
|
cmd="ldapadd"
|
||||||
;;
|
;;
|
||||||
|
delete)
|
||||||
|
cmd="ldapdelete"
|
||||||
|
;;
|
||||||
esac
|
esac
|
||||||
exep "echo \"$tempLdif\" | $cmd -x -D cn=admin,${LDAP_DC} -W"
|
exep "echo \"$tempLdif\" | $cmd -x -D cn=admin,${LDAP_DC} -W"
|
||||||
}
|
}
|
||||||
|
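Review bot: In step_8 the LDIF is produced with `local tempLdif=\`eval "echo \"$sslSetup\""\`` which both masks a failing expansion (the `local` builtin's status is what `$?` sees, so the following `exep` still runs with an empty LDIF) and pushes the three LDAP_CERT* paths from the config file through a second round of shell parsing, so a `"`, `$` or backtick in any of them breaks the document or executes; the config file is presumably trusted, but the failure mode is silent. Splitting the declaration from the assignment, `local tempLdif` then `tempLdif=$(eval "echo \"$sslSetup\"") || endReturn -o $? "expanding the TLS LDIF template failed"`, at least surfaces the error, and the same `$(...)`-over-backticks form reads consistently with the rest of the script. The three `sudo -u $toolUser test -r ... >>/dev/null 2>&1` checks are a good guard for the usually root-only privkey.pem; `>/dev/null` is the conventional spelling, `>>` only works by accident of /dev/null being writable. In the step_102 hunk, `if [ ! -z $6 ] ; then` leaves `$6` unquoted and never checks that the value is numeric before it is interpolated into `gidNumber: \$userGid`; `if [[ "$6" =~ ^[0-9]+$ ]]; then` would cover both, since a non-numeric value only fails later inside ldapadd.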