#!/bin/bash
# Sequencer step file for installing and administering an OpenLDAP server.
# The step_N / step_N_info / step_N_alias functions below are dispatched by
# /usr/local/bin/sequencer.sh, which is sourced at the very end of this file.

toolName="ldap"                       # used for the config file name and messages
toolDaemon="slapd"                    # package and service name of the LDAP daemon
toolDeps="${toolDaemon} ldap-utils"   # apt packages installed by step_1 (space separated)
toolUser="openldap"                   # account slapd is expected to run as; step_8 checks it can read the TLS files

# Directory this script lives in, resolved so the config template is found
# even when the script is started from another working directory.
WDIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)

CONFIG=0                                               # flipped to 1 by step_config on success
CONFIG_FILE_NAME="${toolName}.cfg"                     # per-tool config file
CONFIG_FILE_TEMPLATE="${WDIR}/${CONFIG_FILE_NAME}.example"   # template shipped next to this script

# Prepare the config file from its template and record success in CONFIG.
# initSeqConfig comes from sequencer.sh; presumably it creates the config
# from the template when none exists — confirm there.
step_config() {
  if initSeqConfig "$CONFIG_FILE_NAME" "$CONFIG_FILE_TEMPLATE"; then
    CONFIG=1
  fi
}

# One-line description of step 1 for the sequencer menu.
step_1_info() { printf '%s installation\n' "$toolName"; }
# Command-line alias under which step 1 can be invoked.
step_1_alias() { ALIAS=install; }
# Install the daemon and the client tools via apt. exe (from sequencer.sh)
# runs the given command line.
step_1() {
  local -a packages
  # toolDeps is a space-separated list; split it into separate arguments.
  read -r -a packages <<<"$toolDeps"
  exe apt update
  exe apt install "${packages[@]}"
}

# One-line description of step 2 for the sequencer menu.
step_2_info() { printf 'Configuration of %s\n' "$toolName"; }
# Interactive Debian configuration of slapd (base DN, admin password, ...).
step_2() {
  exe dpkg-reconfigure "$toolDaemon"
}

# One-line description of step 3 for the sequencer menu.
step_3_info() { printf '%s\n' "Load memberof module"; }
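# Load the memberof overlay module into cn=config.
# Globals: loadMemberof (LDIF template, defined right below)
# The change is applied with SASL EXTERNAL over the local ldapi socket, i.e.
# authorised by the unix identity of the caller. exep (sequencer.sh) runs the
# command string it is given.
step_3() {
  # The template carries no \$ references, but it is expanded the same way
  # as the other templates in this file for consistency.
  local tempLdif
  tempLdif=$(eval "echo \"$loadMemberof\"")
  exep "echo \"$tempLdif\" | ldapmodify -Q -Y EXTERNAL -H ldapi:///"
}
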
# LDIF for step_3: append memberof.la to the module list of cn=config.
# NOTE(review): cn=module{0} assumes the first module entry is the one to
# extend — confirm against the live cn=config before running elsewhere.
loadMemberof="dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof.la
"

# One-line description of step 4 for the sequencer menu.
step_4_info() { printf '%s\n' "Configure memberof module"; }
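# Add the memberof overlay entry to the user database via ldapadd.
# Globals: configMemberof (LDIF template, defined right below)
# Uses SASL EXTERNAL over ldapi:///, as step_3 does.
step_4() {
  local tempLdif
  tempLdif=$(eval "echo \"$configMemberof\"")
  exep "echo \"$tempLdif\" | ldapadd -Q -Y EXTERNAL -H ldapi:///"
}
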
# LDIF for step_4: create the memberof overlay under the {1}mdb database
# (with referential integrity enabled) and index the memberOf attribute.
# NOTE(review): olcDatabase={1}mdb assumes the user DIT is the first mdb
# database — verify on the target host.
# NOTE(review): this is fed to ldapadd (step_4), yet the second record
# targets an already existing entry and is introduced by a "-" line rather
# than a blank line; check that the olcDbIndex change really applies (it may
# need a separate changetype: modify through ldapmodify).
configMemberof="dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfRefint: TRUE
-
dn: olcDatabase={1}mdb,cn=config
olcDbIndex: memberOf eq
"

# One-line description of step 5 for the sequencer menu.
step_5_info() { printf '%s\n' "Load refint module"; }
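# Load the refint (referential integrity) overlay module into cn=config.
# Globals: loadRefint (LDIF template, defined right below)
# Same SASL EXTERNAL / ldapi:/// path as step_3.
step_5() {
  local tempLdif
  tempLdif=$(eval "echo \"$loadRefint\"")
  exep "echo \"$tempLdif\" | ldapmodify -Q -Y EXTERNAL -H ldapi:///"
}
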
# LDIF for step_5: append refint.la to the module list of cn=config
# (same cn=module{0} assumption as loadMemberof).
loadRefint="dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: refint.la
"

# One-line description of step 6 for the sequencer menu.
step_6_info() { printf '%s\n' "Configure refint module"; }
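# Add the refint overlay entry to the user database via ldapadd.
# Globals: configRefint (LDIF template, defined right below)
step_6() {
  local tempLdif
  tempLdif=$(eval "echo \"$configRefint\"")
  exep "echo \"$tempLdif\" | ldapadd -Q -Y EXTERNAL -H ldapi:///"
}
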
# LDIF for step_6: the refint overlay on {1}mdb. olcRefintAttribute lists the
# DN-valued attributes that are rewritten/removed when a referenced entry is
# renamed or deleted.
configRefint="dn: olcOverlay={1}refint,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof member manager owner
"

# One-line description of step 7; shows the OUs taken from the config.
step_7_info() { printf 'Create base DNs for users (%s) and groups (%s)\n' "$LDAP_OU_USERS" "$LDAP_OU_GROUPS"; }
# Create the two organizational units (users, groups) below the base DC.
# The ldapBase template (below) is expanded and added by variable2Ldif,
# which binds as cn=admin.
step_7() {
  variable2Ldif add "$ldapBase"
}

# LDIF for step_7: one organizationalUnit per configured OU. The \$ escapes
# defer expansion to the eval inside variable2Ldif; the ${VAR/ou=/ou: }
# substitution turns e.g. "ou=people" into the attribute line "ou: people".
ldapBase="dn: \$LDAP_OU_USERS,\$LDAP_DC
objectClass: organizationalUnit
\${LDAP_OU_USERS/ou=/ou: }

dn: \$LDAP_OU_GROUPS,\$LDAP_DC
objectClass: organizationalUnit
\${LDAP_OU_GROUPS/ou=/ou: }
"

# One-line description of step 8 for the sequencer menu.
step_8_info() { printf '%s\n' "Setup SSL secured ldaps:// access"; }
step_8() {
|
|
sudo -u $toolUser test -r "$LDAP_CERT_KEY" >>/dev/null 2>&1
|
|
endReturn -o $? "$toolUser cannot access certificate key file: $LDAP_CERT_KEY"
|
|
sudo -u $toolUser test -r "$LDAP_CERT" >>/dev/null 2>&1
|
|
endReturn -o $? "$toolUser cannot access certificate file: $LDAP_CERT"
|
|
sudo -u $toolUser test -r "$LDAP_CERT_CA" >>/dev/null 2>&1
|
|
endReturn -o $? "$toolUser cannot access CA certificate file: $LDAP_CERT_CA"
|
|
|
|
local tempLdif=`eval "echo \"$sslSetup\""`
|
|
exep "echo \"$tempLdif\" | ldapmodify -Y EXTERNAL -H ldapi:///"
|
|
|
|
exe service $toolDaemon restart
|
|
}
|
|
# LDIF for step_8: replace the TLS file settings of cn=config.
# olcTLSVerifyClient: never — slapd will not request a client certificate;
# clients are authenticated by their bind (password or SASL), not by TLS.
sslSetup="dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: \$LDAP_CERT_KEY
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: \$LDAP_CERT
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: \$LDAP_CERT_CA
-
replace: olcTLSVerifyClient
olcTLSVerifyClient: never
"

# One-line description of step 9 for the sequencer menu.
step_9_info() { printf '%s\n' "Finalize SSL configuration (manually)"; }
# Print the manual follow-up: the ldaps:// listener has to be enabled in the
# daemon's defaults file by hand.
step_9() {
  printf '%s\n' \
    "/etc/default/$toolDaemon" \
    ' Add "ldaps:///" to line:' \
    ' SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"' \
    ''
}

# One-line description of step 20 for the sequencer menu.
step_20_info() { printf '%s\n' "Test plain ldap connection with anonymous access"; }
# Smoke test: anonymous simple bind (-x without -D) over the local socket.
step_20() {
  exe ldapwhoami -H ldapi:/// -x
}

# Description of step 80; the extra newline separates it from the notes.
step_80_info() { printf '%s\n\n' "Some ldap command notes"; }
# Command-line alias under which step 80 can be invoked.
step_80_alias() { ALIAS=notes; }
# Print a cheat sheet of useful ldap commands. outColor comes from
# sequencer.sh (presumably switches the terminal colour).
step_80() {
  outColor green
  # Quoted delimiter: the notes contain no shell expansions and are meant
  # to be printed verbatim.
  cat <<'NOTES_EOF'
# You can also check LDAP Base DN using the ldapsearch command as shown below
ldapsearch -H ldapi:/// -x -LLL -s base -b "" namingContexts

# To view the RootDN, run the command below
ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(olcRootDN=*)"

# Reset root password
## Create a password hash {SSHA}....
slappasswd

## Modify olcRootPW
ldapmodify -Q -Y EXTERNAL -H ldapi:/// << E0F
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}thehashyoucreatedabove
E0F
NOTES_EOF
}

# Usage line for step 100 (addgroup).
step_100_info() { printf '%s\n' "Add group <GROUP NAME> <USER ID>"; }
# Command-line alias under which step 100 can be invoked.
step_100_alias() { ALIAS=addgroup; }
step_100() {
|
|
shift
|
|
local groupName=$1
|
|
local memberDn="uid=$2,${LDAP_OU_USERS},${LDAP_DC}"
|
|
|
|
variable2Ldif add "$addGroup"
|
|
}
|
|
# LDIF for step_100: a groupOfNames entry. groupName and memberDn are locals
# of step_100, expanded by the eval in variable2Ldif. $0 is NOT escaped and
# therefore expands once, at assignment time, to the script path.
# NOTE(review): the initial member is probably required because groupOfNames
# mandates at least one member value — confirm against the schema in use.
addGroup="dn: cn=\${groupName},\${LDAP_OU_GROUPS},\${LDAP_DC}
objectClass: groupofnames
cn: \${groupName}
description: Created by $0
member: \${memberDn}
"

# Usage line for step 102 (adduser).
step_102_info() { printf '%s\n' "Add user <USER ID> <USER NAME> <USER LASTNAME> <UIDNUMBER> <USER EMAIL> [USER GID]"; }
# Command-line alias under which step 102 can be invoked.
step_102_alias() { ALIAS=adduser; }
step_102() {
|
|
shift
|
|
userId="$1"
|
|
local userCn="$2 $3"
|
|
local givenName="$2"
|
|
local userSn="$3"
|
|
local uidNumber="$4"
|
|
local userMail="$5"
|
|
local userGid=10000
|
|
if [ ! -z $6 ] ; then
|
|
userGid="$6"
|
|
fi
|
|
|
|
variable2Ldif add "$addUser"
|
|
endReturn -o $? "Adding user failed"
|
|
}
|
|
# Last user id handled by adduser/passwd/user2group/rmusergroup; empty until
# one of those steps sets it.
userId=

# LDIF for step_102. All \$ references are locals of step_102 (plus the
# global userId) and are expanded by the eval in variable2Ldif.
addUser="dn: uid=\$userId,\$LDAP_OU_USERS,\$LDAP_DC
cn: \$userCn
givenName: \$givenName
sn: \$userSn
uid: \$userId
uidNumber: \$uidNumber
gidNumber: \$userGid
homeDirectory: /home/\$userId
mail: \$userMail
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
loginShell: /bin/bash
"

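# Usage line for step 103 (passwd); spelling of "password" fixed.
step_103_info() { printf '%s\n' "(re)Set password for <USER>"; }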
# Command-line alias under which step 103 can be invoked.
step_103_alias() { ALIAS=passwd; }
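#######################################
# Set or reset a user's password interactively.
# Arguments: $1 - step selector (dropped by shift)
#            $2 - user id; when omitted the global userId is used
# Globals:   userId (read/written), LDAP_DC, LDAP_OU_USERS
# Returns:   1 when no user id is available, else the status of exe
#######################################
step_103() {
  shift
  # An explicit id wins and is remembered; otherwise reuse the global one
  # left behind by an earlier step.
  if [ -n "$1" ]; then
    userId="$1"
  fi
  if [ -z "$userId" ]; then
    echoerr " [E] No user id provided"
    return 1
  fi
  echo " [I] Password operation for $userId"
  # -W prompts for the admin bind password and -S for the new user password,
  # so neither secret is placed on the command line or in the process list.
  exe ldappasswd -H ldapi:/// -x -D "cn=admin,$LDAP_DC" -W -S "uid=$userId,$LDAP_OU_USERS,$LDAP_DC"
}
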
# Usage line for step 105 (user2group).
step_105_info() { printf '%s\n' "Adding <USER ID> to existing group <GROUP NAME>"; }
# Command-line alias under which step 105 can be invoked.
step_105_alias() { ALIAS=user2group; }
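#######################################
# Add a user to an existing group.
# Arguments: $1 - step selector (dropped by shift)
#            $2 - user id (falls back to the global userId when empty)
#            $3 - group name
# Globals:   userId (read/written); removeFromgroup, add2group (templates)
# Returns:   1 without user id, 2 without group name, else endReturn's status
#######################################
step_105() {
  shift
  if [ -n "$1" ]; then
    userId="$1"
  fi
  if [ -z "$userId" ]; then
    echoerr " [E] No user id provided"
    return 1
  fi
  echo " [I] User operation for $userId"
  if [ -z "$2" ]; then
    echoerr " [E] No group name provided"
    return 2
  fi
  # Read by both templates through the eval in variable2Ldif; command-line
  # input, so keep it a plain group name.
  local groupName="$2"

  # The membership is first removed and then re-added; the comment on the
  # removeFromgroup template explains why (correct memberOf status).
  variable2Ldif modify "$removeFromgroup"
  variable2Ldif modify "$add2group"
  endReturn -o $? "Adding user to group failed"
}
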
# LDIF for step_105: add the user's DN as a member, then remove the empty
# member value that removeFromgroup may have left behind.
add2group="dn: cn=\$groupName,\$LDAP_OU_GROUPS,\$LDAP_DC
changetype: modify
add: member
member: uid=\$userId,\$LDAP_OU_USERS,\$LDAP_DC

dn: cn=\$groupName,\$LDAP_OU_GROUPS,\$LDAP_DC
changetype: modify
delete: member
member:
"

# Usage line for step 107 (rmusergroup).
step_107_info() { printf '%s\n' "Removing <USER ID> from existing group <GROUP NAME>"; }
# Command-line alias under which step 107 can be invoked.
step_107_alias() { ALIAS=rmusergroup; }
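#######################################
# Remove a user from a group.
# Arguments: $1 - step selector (dropped by shift)
#            $2 - user id (falls back to the global userId when empty)
#            $3 - group name
# Globals:   userId (read/written); removeFromgroup (LDIF template, below)
# Returns:   1 without user id, 2 without group name, else variable2Ldif's
#######################################
step_107() {
  shift
  if [ -n "$1" ]; then
    userId="$1"
  fi
  if [ -z "$userId" ]; then
    echoerr " [E] No user id provided"
    return 1
  fi
  echo " [I] User operation for $userId"
  if [ -z "$2" ]; then
    echoerr " [E] No group name provided"
    return 2
  fi
  # Read by the template through the eval in variable2Ldif; command-line
  # input, so keep it a plain group name.
  local groupName="$2"

  variable2Ldif modify "$removeFromgroup"
}
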
# LDIF for step_105/step_107: first add an empty member value, then delete
# the user's DN. The original author's notes: the user entry is deleted
# first to ensure a correct memberof status, and an empty member entry is
# made to exist first. NOTE(review): the empty value presumably keeps the
# group valid when its last real member is removed — confirm against the
# groupOfNames schema.
removeFromgroup="dn: cn=\$groupName,\$LDAP_OU_GROUPS,\$LDAP_DC
changetype: modify
add: member
member:

dn: cn=\$groupName,\$LDAP_OU_GROUPS,\$LDAP_DC
changetype: modify
delete: member
member: uid=\$userId,\$LDAP_OU_USERS,\$LDAP_DC
"

# Usage line for step 110 (rmgroup).
step_110_info() { printf '%s\n' "Remove group <GROUP NAME>"; }
# Command-line alias under which step 110 can be invoked.
step_110_alias() { ALIAS=rmgroup; }
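#######################################
# Delete a group entry.
# Arguments: $1 - step selector (dropped by shift)
#            $2 - group name
# Globals:   rmGroup (LDIF template, below)
# Returns:   1 without a group name, else variable2Ldif's status
#######################################
step_110() {
  shift
  if [ -z "$1" ]; then
    echoerr " [E] No group name provided"
    return 1
  fi
  # Read by the rmGroup template through the eval in variable2Ldif;
  # command-line input, so keep it a plain group name.
  local groupName=$1
  variable2Ldif modify "$rmGroup"
}
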
# LDIF for step_110: delete the group entry. Applied via "variable2Ldif
# modify", i.e. ldapmodify with changetype: delete.
rmGroup="dn: cn=\${groupName},\${LDAP_OU_GROUPS},\${LDAP_DC}
changetype: delete
"

# Usage line for step 112 (rmuser).
step_112_info() { printf '%s\n' "Remove user <USER ID>"; }
# Command-line alias under which step 112 can be invoked.
step_112_alias() { ALIAS=rmuser; }
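#######################################
# Delete a user entry.
# Arguments: $1 - step selector (dropped by shift)
#            $2 - user id
# Globals:   rmUser (LDIF template, below)
# Returns:   1 without a user id, else variable2Ldif's status
#######################################
step_112() {
  shift
  if [ -z "$1" ]; then
    echoerr " [E] No user id provided"
    return 1
  fi
  # Read by the rmUser template through the eval in variable2Ldif;
  # command-line input, so keep it a plain user id.
  local userName=$1
  variable2Ldif modify "$rmUser"
}
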
# LDIF for step_112: delete the user entry (ldapmodify, changetype: delete).
# Note that it references the local userName, not the global userId.
rmUser="dn: uid=\${userName},\${LDAP_OU_USERS},\${LDAP_DC}
changetype: delete
"

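# Usage line for step 200 (listgroups); spelling of "ADDITIONAL" fixed.
step_200_info() { printf '%s\n' "List available groups <ADDITIONAL ATTRIBUTES...>"; }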
# Command-line alias under which step 200 can be invoked.
step_200_alias() { ALIAS=listgroups; }
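#######################################
# List the groups below the groups OU.
# Arguments: $1 - step selector (dropped by shift)
#            $2... - extra attribute names to request in addition to dn
#                    and gidNumber
# Globals:   LDAP_OU_GROUPS, LDAP_DC
#######################################
step_200() {
  shift
  echo " [I] Available groups:"
  # Anonymous simple bind (-x) over plain ldap://. Each extra argument is
  # passed through as its own word ("$@"), so attribute names cannot be
  # merged or split by the shell.
  exe ldapsearch -x -LLL -H ldap:/// -b "${LDAP_OU_GROUPS},${LDAP_DC}" dn gidNumber "$@"
}
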
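# Usage line for step 202 (listusers); spelling of "ADDITIONAL" fixed.
step_202_info() { printf '%s\n' "List available users <ADDITIONAL ATTRIBUTES...>"; }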
# Command-line alias under which step 202 can be invoked.
step_202_alias() { ALIAS=listusers; }
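#######################################
# List the users below the users OU.
# Arguments: $1 - step selector (dropped by shift)
#            $2... - extra attribute names to request in addition to dn,
#                    uidNumber and gidNumber
# Globals:   LDAP_OU_USERS, LDAP_DC
#######################################
step_202() {
  shift
  echo " [I] Available user:"
  # Anonymous simple bind (-x) over plain ldap://; extra arguments are
  # forwarded word by word ("$@").
  exe ldapsearch -x -LLL -H ldap:/// -b "${LDAP_OU_USERS},${LDAP_DC}" dn uidNumber gidNumber "$@"
}
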
variable2Ldif() {
|
|
local cmd="ldapmodify"
|
|
local tempLdif=`eval "echo \"$2\""`
|
|
case $1 in
|
|
add)
|
|
cmd="ldapadd"
|
|
;;
|
|
delete)
|
|
cmd="ldapdelete"
|
|
;;
|
|
esac
|
|
exep "echo \"$tempLdif\" | $cmd -x -D cn=admin,${LDAP_DC} -W"
|
|
}
|
|
variable2LdifEcho() {
|
|
local tempLdif=`eval "echo \"$2\""`
|
|
echo "$tempLdif"
|
|
}
|
|
|
|
# Sequencer revision this step file is written against (presumably checked
# by sequencer.sh — confirm there).
VERSION_SEQREV=10

# Hand over to the step runner; it provides exe/exep/endReturn/echoerr/
# outColor/initSeqConfig and dispatches to the step_* functions above.
. /usr/local/bin/sequencer.sh