# :mode=shellscript:
# Debian/Ubuntu package sets, one per service the installer sets up.

# MIT Kerberos KDC plus its kadmin server.
krb5_packages='krb5-admin-server krb5-kdc'

# OpenLDAP server and the ldap* command-line tools.
ldap_packages='slapd ldap-utils'

# saslauthd and the GSSAPI (MIT) SASL mechanism module.
sasl_packages='sasl2-bin libsasl2-modules-gssapi-mit'

# FreeRADIUS with its LDAP backend module.
radius_packages='freeradius freeradius-ldap freeradius-common'

# Apache 2.2, PHP 5 and the WebAuth/WebKDC single-sign-on modules.
http_packages='apache2.2-bin libapache2-mod-php5 libapache2-webauth libapache2-webkdc webauth-weblogin php-pear'
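# Make this machine resolve itself as ssoinabox.$domain: replace the 127.0.1.1
# line in /etc/hosts, rewrite /etc/hostname and apply the name immediately.
# Reads: $domain (must be set; it is written verbatim into both files, so it
# must be a plain DNS name).  Writes: /etc/hosts, /etc/hostname, the live
# hostname.  Returns non-zero without touching anything if $domain is unusable.
patch_hosts_file()
{
    # An empty or malformed $domain would otherwise produce "ssoinabox." and a
    # broken /etc/hosts line; refuse up front instead.
    : "${domain:?patch_hosts_file: \$domain must be set}"
    case "$domain" in
        *[!A-Za-z0-9.-]*)
            echo "patch_hosts_file: \$domain is not a valid DNS name: $domain" >&2
            return 1 ;;
    esac

    local fqdn="ssoinabox.$domain"

    # Remove any existing 127.0.1.1 entry (the installer-time hostname on
    # Debian-style systems) so exactly one is present after the append.
    sed -re '/^127\.0\.1\.1\s+/d' -i /etc/hosts
    #sed -re '/^10\.0\.2\.2\s+/d' -i /etc/hosts
    printf '127.0.1.1\t%s\tssoinabox\n' "$fqdn" >> /etc/hosts
    #echo -e "10.0.2.2\tsso-clients.${domain}\tssoinabox" >> /etc/hosts

    # /etc/hostname is newline-terminated like any text file; the command
    # substitution below strips the newline again before calling hostname(1).
    printf '%s\n' "$fqdn" > /etc/hostname
    hostname "$(cat /etc/hostname)"
}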
# Write /etc/krb5.conf for the local realm.  KDC and admin server are pinned
# to this host (DNS realm/KDC discovery is switched off), and both the bare
# domain and every subdomain of it map to $krb5_realm.
# Reads: $krb5_realm, $domain.  Writes: /etc/krb5.conf (overwritten).
#
# NOTE(review): "forwardable = yes" makes every TGT delegable, i.e. any
# service a user authenticates to can be handed a ticket to act as them.
# NOTE(review): "kcrap" is not a stock krb5.conf realm key; presumably it is
# read by the kcrap client built later in this script — confirm.
# NOTE(review): the [login] krb4_* settings concern Kerberos 4 compatibility,
# which is long obsolete; confirm they are still wanted.
generate_krb5_config()
{
    local kdc_host="ssoinabox.$domain"

    cat > /etc/krb5.conf <<EOF
[libdefaults]
default_realm = $krb5_realm
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
$krb5_realm = {
kdc = $kdc_host:88
admin_server = $kdc_host:749
kcrap = $kdc_host:1999
}

[domain_realm]
$domain = $krb5_realm
.$domain = $krb5_realm

[login]
krb4_convert = true
krb4_get_tickets = false


EOF
}
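# Write /etc/ldap/slapd.conf: schemas (including openssh-lpk for
# sshPublicKey), a bdb database under $ldap_suffix with the syncprov overlay,
# GSSAPI identity mapping, SASL settings and the access-control list.
# Reads: $ldap_suffix, $domain, $ldap_manager_pw_hash, $krb5_realm.
# Writes: /etc/ldap/slapd.conf (overwritten).
#
# Two fixes relative to the earlier ACL/mapping:
#  - authz-regexp now maps a GSSAPI identity to uid=<principal>,ou=People,
#    which is the RDN generate_base_ldif actually creates (cn there is the
#    full name), so "by self" rules apply to Kerberos-authenticated users.
#  - The attribute lock-down rule is placed BEFORE "access to *".  slapd
#    stops at the first "access to" clause whose target matches, so behind a
#    catch-all granting "by self write" it was unreachable and users could
#    rewrite their own uidNumber/gidNumber/loginShell.
generate_slapd_config()
{
    cat > /etc/ldap/slapd.conf <<EOF
# vim: set ft=conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openssh-lpk_openldap.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# for replication
moduleload back_bdb.la
moduleload syncprov

disallow bind_anon

database bdb
suffix "$ldap_suffix"

# Map a GSSAPI-authenticated principal (with or without the realm component)
# onto the matching person entry.  "/" is excluded so instance principals
# such as user/admin never map to a user entry.
authz-policy from
authz-regexp "^uid=([^,/]+)(,cn=${domain//\./\\.})?,cn=gssapi,cn=auth" "uid=\$1,ou=People,$ldap_suffix"

rootdn "cn=Manager,$ldap_suffix"
rootpw ${ldap_manager_pw_hash}

directory /var/lib/ldap

index objectClass eq

sasl-realm ${krb5_realm}
sasl-host ssoinabox.${domain}
sasl-secprops noplain,noactive,noanonymous

# SECURITY: no TLS is configured (the three directives below are
# placeholders).  The role accounts (ldap-reader from NSS clients, freeradius)
# use simple binds, so their passwords cross the wire in cleartext unless
# every client is on this host.  Before exposing port 389 off-host, install a
# certificate here and require protection, e.g. "security simple_bind=128".
#TLSCACertificateFile /etc/ssl/certs/fixme.crt
#TLSCertificateFile /etc/ssl/certs/fixme.crt
#TLSCertificateKeyFile /etc/ssl/private/fixme.key

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

##
# ACLs — order matters: slapd uses the FIRST "access to" whose target
# matches, and each directive ends in an implicit "by * none".

# Role accounts may be bound to, but not read.
access to dn="cn=ldap-reader,ou=Roles,$ldap_suffix"
by anonymous auth

# Passwords: owners may change (=xw: auth + write, no read) theirs, binds may
# compare, nobody else sees them.
access to attrs=userPassword
by self =xw
by anonymous auth
by * none

# Lock down attributes a user shouldn't change.  uidNumber/gidNumber in
# particular are what NSS clients take as the user's POSIX identity.
# freeradius keeps the read access it already has under the catch-all so its
# user lookups by uid continue to work.
access to attrs="loginShell,homeDirectory,uidNumber,gidNumber,uid,cn"
by self read
by dn="cn=replicator,ou=Roles,$ldap_suffix" read
by dn="cn=ldap-reader,ou=Roles,$ldap_suffix" read
by dn="cn=freeradius,ou=Roles,$ldap_suffix" read

# Everything else: owners edit their own entry (sshPublicKey etc.), role
# accounts read all.  NOTE(review): "by users read" was the intent of a
# trailing catch-all that the earlier rule shadowed; drop it if ordinary
# users should not be able to browse the directory.
access to *
by self write
by dn="cn=ldap-reader,ou=Roles,$ldap_suffix" read
by dn="cn=freeradius,ou=Roles,$ldap_suffix" read
by dn="cn=replicator,ou=Roles,$ldap_suffix" read
by anonymous auth
by users read

EOF
}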
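# Print to stdout the LDIF that seeds the directory: the suffix entry, the
# Manager role, ou=People with the first person account, ou=Groups with the
# "users" and "rtp" POSIX groups, and ou=Roles with the ldap-reader account.
# Reads: $ldap_suffix, $domain, $fullname, $username, $krb5_realm,
# $ldap_reader_pw.  Writes nothing itself; the caller consumes the output.
#
# Fix: the surname is now everything after the first word of $fullname.  The
# earlier awk '{print $2}' kept only the second word, so "Mary Ann Smith"
# became sn: Ann.  A one-word name reuses it as sn, because the person
# objectClass requires sn to be present.
#
# NOTE(review): ldap-reader's userPassword is stored as the cleartext value;
# "slappasswd" could store an {SSHA} hash instead without changing how the
# clients bind.  NOTE(review): uidNumber 501 / gidNumber 500 match UID_MIN /
# GID_MIN in generate_web_yaml — keep them in step.
generate_base_ldif()
{
    local domainbit gn sn

    : "${fullname:?generate_base_ldif: \$fullname must be set}"

    # First DNS label of the domain becomes the dc attribute of the suffix.
    domainbit="${domain%%.*}"

    # Word-split on whitespace runs (like awk): first word is the given name,
    # the remainder the surname.
    set -- $fullname
    gn="$1"
    shift
    sn="$*"
    [ -n "$sn" ] || sn="$gn"

    cat <<EOF
dn: $ldap_suffix
objectClass: dcObject
objectClass: organization
o: $domain
dc: $domainbit

dn: cn=Manager,$ldap_suffix
cn: Manager
objectClass: top
objectClass: organizationalRole
description: LDAP admin entry with root level access to the server

dn: ou=People,$ldap_suffix
ou: People
objectClass: top
objectClass: organizationalUnit
description: User accounts representing people

dn: uid=$username,ou=People,$ldap_suffix
uid: $username
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: ldapPublicKey
cn: $fullname
givenName: $gn
sn: $sn
loginShell: /bin/bash
homeDirectory: /home/users/$username
uidNumber: 501
gidNumber: 500
userPassword: {SASL}$username@$krb5_realm

dn: ou=Groups,$ldap_suffix
ou: Groups
objectClass: top
objectClass: organizationalUnit
description: POSIX user account groups

dn: cn=users,ou=Groups,$ldap_suffix
cn: users
objectClass: top
objectClass: posixGroup
description: Default POSIX group for users
gidNumber: 500
memberUid: $username

dn: cn=rtp,ou=Groups,$ldap_suffix
cn: rtp
objectClass: top
objectClass: posixGroup
description: POSIX group for people with root access to servers
gidNumber: 501
memberUid: $username

dn: ou=Roles,$ldap_suffix
ou: Roles
objectClass: top
objectClass: organizationalUnit
description: User accounts representing bots or other administrative functions

dn: cn=ldap-reader,ou=Roles,$ldap_suffix
cn: ldap-reader
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
description: Low-security account used for read-only LDAP access by NSS clients
userPassword: $ldap_reader_pw


EOF
}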
# Enable saslauthd and make Kerberos 5 its only mechanism by editing the
# Debian defaults file in place.  Lines not in the stock "START=no" /
# MECHANISMS="..." form are left alone.
# Writes: /etc/default/saslauthd.
configure_saslauthd()
{
    local defaults=/etc/default/saslauthd

    sed -r \
        -e 's/^START=no$/START=yes/' \
        -e 's/^MECHANISMS=".+"$/MECHANISMS="kerberos5"/' \
        -i "$defaults"
}
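# Print a random password of $1 characters (default 64) drawn uniformly from
# [A-Za-z0-9], followed by a newline.
# Returns 1 without output if $1 is not a non-negative integer.
#
# Fix: the previous single 2 KiB read of /dev/urandom keeps only ~24% of its
# bytes after filtering, i.e. roughly 500 characters, so any request longer
# than that was silently truncated.  Keep reading until enough remain.
generate_password()
{
    local length="${1:-64}"
    local pw=""

    case "$length" in
        ''|*[!0-9]*)
            echo "generate_password: length must be a non-negative integer" >&2
            return 1 ;;
    esac

    # Rejection sampling: dropping every byte outside the alphabet leaves the
    # survivors uniformly distributed (no modulo bias).
    while [ "${#pw}" -lt "$length" ]; do
        pw="$pw$(head -c 2048 /dev/urandom | tr -dc 'A-Za-z0-9')"
    done

    printf '%s\n' "${pw:0:$length}"
}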
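# Fetch the kcrap AUR package, build it with the PKGBUILD's own build() and
# install it plus the patched kcrapclient under /usr/local.
# Reads: patches/ under the caller's cwd.  Writes: /usr/local (make install
# and kcrapclient), /etc/ld.so.conf.d/usrlocal.conf; exports srcdir/pkgdir.
#
# SECURITY (supply chain): ". PKGBUILD" executes whatever the downloaded AUR
# tarball contains, as root, and that tarball is fetched without any pin.  The
# checksum step added below covers only the upstream source tarball, using the
# hash the PKGBUILD itself declares, so it cannot defend against a tampered
# PKGBUILD.  Pin a known-good hash of kcrap.tar.gz here before using this
# outside a lab.
build_kcrap()
{
    local oldcwd tempdir f tarball

    oldcwd="$(pwd)"
    tempdir="$(mktemp -d /tmp/kcrapXXXXXX)"
    cd "$tempdir"
    wget https://aur.archlinux.org/packages/kc/kcrap/kcrap.tar.gz
    tar xzvf kcrap.tar.gz
    cd kcrap
    mkdir pkg src
    export srcdir="$PWD/src"
    export pkgdir="$PWD/pkg"
    . PKGBUILD
    wget "${source[0]}"

    # Verify the upstream tarball against the PKGBUILD's checksum array
    # (sha256 preferred, md5 accepted as that is what older PKGBUILDs carry).
    # makepkg's "SKIP" marker counts as no checksum: refuse rather than
    # build unverified code.
    tarball="$(basename "${source[0]}")"
    if [ -n "${sha256sums[0]:-}" ] && [ "${sha256sums[0]}" != SKIP ]; then
        echo "${sha256sums[0]}  $tarball" | sha256sum -c -
    elif [ -n "${md5sums[0]:-}" ] && [ "${md5sums[0]}" != SKIP ]; then
        echo "${md5sums[0]}  $tarball" | md5sum -c -
    else
        echo "build_kcrap: PKGBUILD declares no checksum for $tarball; refusing to build" >&2
        cd "$oldcwd"
        return 1
    fi

    for f in "${source[@]}"; do
        f="$(basename "$f")"
        ln -sf "../$f" "src/$f"
    done
    cd "$srcdir"
    for f in *.tar.bz2; do
        tar xjf "$f"
    done
    patch -p0 -i "$oldcwd/patches/kcrap-0.2.3-ntlm-extra.patch.patch"
    cd kcrap-0.2.3
    patch -p1 -i "$oldcwd/patches/kcrapclient.patch"
    cd ..
    build
    make install
    # kcrapclient is what configure_freerad wires in as the mschap module's
    # ntlm_auth program.
    cp -v "test/kcrapclient" "/usr/local/bin/"
    cd "$oldcwd" && rm -rf "$tempdir"

    # Let the dynamic linker find the freshly installed libraries.
    echo "/usr/local/lib" > /etc/ld.so.conf.d/usrlocal.conf
    ldconfig
}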
# Write /etc/kcrap_server.conf: the kcrap server listens on port 1999 and
# reads the KDC's principal database and master-key stash directly (both live
# under /etc/krb5kdc on Ubuntu).
# Reads: $krb5_realm.  Writes: /etc/kcrap_server.conf (overwritten).
#
# NOTE(review): key_stash_file is the KDC master key; whatever runs kcrap
# therefore has to be trusted exactly like the KDC itself.
configure_kcrap()
{
    local conf=/etc/kcrap_server.conf
    local kdc_dir=/etc/krb5kdc

    cat > "$conf" <<EOF
[kcrap_server]
port = 1999
realm = $krb5_realm

[realms]
$krb5_realm = {
database_name = $kdc_dir/principal
key_stash_file = $kdc_dir/.k5.$krb5_realm
}

EOF
}
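# Wire FreeRADIUS to the local SSO stack: MS-CHAP goes through kcrapclient in
# place of Samba's ntlm_auth, the ldap module points at this host as the
# ldap-reader role, and the default/inner-tunnel virtual servers get the LDAP
# stanzas from resources/freerad-site-patcher.sed.
# Reads: $domain, $ldap_suffix, $ldap_reader_pw, resources/ next to $0.
# Writes: /etc/freeradius/modules/{mschap,ldap}, sites-available/{default,
# inner-tunnel}, an ACL on /etc/krb5.keytab.
#
# Fix: the values spliced into the sed expressions are now escaped/quoted.
# Previously a password containing "/", "&" or "\" would have broken the
# substitution or been silently corrupted in the module file.
#
# NOTE(review): /etc/freeradius/modules/ldap ends up holding the reader
# password in cleartext — confirm its mode (Debian ships the modules dir
# root:freerad 0640; not verified here).
# NOTE(review): the setfacl at the end hands the freerad service read access
# to the host's entire keytab, not just a RADIUS service key.  A dedicated
# keytab (ktadd -k /etc/freeradius/krb5.keytab <radius principal>) would
# limit what a compromised FreeRADIUS can impersonate.
configure_freerad()
{
    local pw_esc resources site

    resources="$(dirname "$0")/resources"

    # mschap module needs to use our ntlm_auth program for auth requests
    sed -re 's/^#?(\s*)ntlm_auth = ".+"$/\1ntlm_auth = "\/usr\/local\/bin\/kcrapclient %{%{Stripped-User-Name}:-%{%{User-Name}:-None}} %{%{mschap:Challenge}:-00} %{%{mschap:NT-Response}:-00}"/' \
        -i /etc/freeradius/modules/mschap

    # Escape the sed replacement metacharacters.  generate_password only
    # emits [A-Za-z0-9], but nothing enforces that for a hand-set value.
    pw_esc="$(printf '%s' "$ldap_reader_pw" | sed -e 's/[\/&\\]/\\&/g')"

    # configure ldap module with our settings
    sed -re 's/^(\s*)#?server = ".+"$/\1server = "ssoinabox.'"$domain"'"/' \
        -e 's/^(\s*)#?identity = ".+"$/\1identity = "cn=ldap-reader,ou=Roles,'"$ldap_suffix"'"/' \
        -e 's/^(\s*)#?password = .+$/\1password = "'"$pw_esc"'"/' \
        -e 's/^(\s*)#?basedn = ".+"$/\1basedn = "'"$ldap_suffix"'"/' \
        -i /etc/freeradius/modules/ldap

    # enable ldap for authorization and authentication
    for site in default inner-tunnel; do
        sed -rf "$resources/freerad-site-patcher.sed" \
            -i "/etc/freeradius/sites-available/$site"
    done

    # give freerad access to the kerberos keytab
    setfacl -m u:freerad:r /etc/krb5.keytab
}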
# Smoke-test RADIUS authentication for $username/$password against the local
# server, once via EAP-TTLS/PAP and once via PEAP/MSCHAPv2, printing GOOD or
# BAD for each.  Builds eapol_test first if it is missing.
# Reads: $username, $password.  Writes: a temporary wpa_supplicant config
# (mktemp, so 0600) holding the password in cleartext for the duration.
#
# NOTE(review): "testing123" is FreeRADIUS' stock localhost client secret
# from clients.conf; the test reports BAD if that was changed.
# NOTE(review): "2>&1 > /dev/null" hides only stdout — stderr is redirected
# to the original stdout.  If both were meant to be silenced the order would
# be "> /dev/null 2>&1".
# NOTE(review): "set -e" is re-enabled unconditionally at the end, which
# assumes the caller runs with -e.
test_freerad()
{
    local conf spec label eap phase2

    build_eapol_test > /dev/null
    set +e
    conf="$(mktemp /tmp/frXXXXXX)"

    # label|EAP method|phase2 setting, one entry per test case.
    for spec in "EAP/TTLS/PAP|TTLS|auth=PAP" "PEAP/MSCHAPv2|PEAP|autheap=MSCHAPv2"; do
        IFS='|' read -r label eap phase2 <<< "$spec"
        echo -n "Testing RADIUS auth via $label..."
        cat <<EOF > "$conf"
network={
ssid="example"
key_mgmt=WPA-EAP
eap=$eap
anonymous_identity="$username"
identity="$username"
password="$password"
phase2="$phase2"
}

EOF
        if /usr/local/bin/eapol_test -s testing123 -c "$conf" 2>&1 > /dev/null; then
            echo "GOOD"
        else
            echo "BAD"
        fi
    done

    rm -f "$conf"
    set -e
}
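# Write /usr/local/etc/ssoinabox/webcreds.yml, the credentials file for the
# web front end: LDAP manager DN/password, the webkerb/admin kadmin password,
# base DNs, UID/GID floors and a freshly generated hmac_secret.
# Reads: $ldap_suffix, $ldap_manager_pw, $webkerb_pw; calls generate_password.
# Writes: the YAML file, owned root:www-data mode 0640.
#
# Fix: the file is created with owner-only permissions BEFORE the secrets are
# written.  Previously "cat > file" created it under the default umask
# (typically 0644), leaving the passwords world-readable until the chmod at
# the end.
#
# NOTE(review): values are emitted unquoted.  generate_password output is
# alphanumeric, but a hand-set password containing "#", ": " or leading /
# trailing spaces would be misparsed as YAML — confirm if those are possible.
generate_web_yaml()
{
    local creds=/usr/local/etc/ssoinabox/webcreds.yml

    test -d /usr/local/etc/ssoinabox || mkdir -p /usr/local/etc/ssoinabox

    # Recreate from scratch so the mode is 0600 from the first byte; an
    # existing file would keep its old mode across truncation.
    rm -f "$creds"
    ( umask 077 && : > "$creds" )

    cat > "$creds" <<EOF
LDAP_BASEDN: $ldap_suffix

UID_MIN: 501
GID_MIN: 500

ldap_server: ldap://localhost:389/
ldap_manager:
dn: cn=Manager,$ldap_suffix
password: $ldap_manager_pw

ldap_user_basedn: ou=People,$ldap_suffix
ldap_group_basedn: ou=Groups,$ldap_suffix

kerberos_admin:
principal: webkerb/admin
password: $webkerb_pw

PHONE_EXT_MIN: 500

hmac_secret: `generate_password 40`

EOF

    chown root:www-data "$creds"
    chmod 640 "$creds"
}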
# Configure the WebKDC: its Perl config, the token ACL, and a fresh keytab for
# the service/webkdc principal readable by the web server.
# Reads: $krb5_realm.  Writes: /etc/webkdc/webkdc.conf, /etc/webkdc/token.acl,
# /etc/webkdc/keytab (root:www-data 0640); creates the principal in the KDC.
#
# NOTE(review): $URL is plain http:// on the short hostname, and
# configure_webauth turns WebAuthRequireSSL off, so the WebKDC exchange and
# login flow run without TLS — a lab setting, not one to expose.
# NOTE(review): "ank" on a principal that already exists reports an error;
# re-running the installer may need a delprinc first — not handled here.
configure_webkdc()
{
    local keytab=/etc/webkdc/keytab
    local princ=service/webkdc

    # Perl source; the backslashes keep the "$" sigils out of the heredoc
    # expansion.
    cat > /etc/webkdc/webkdc.conf <<EOF
our \$KEYRING_PATH = '/var/lib/webkdc/keyring';
our \$TEMPLATE_PATH = '/usr/local/share/weblogin/ssoinabox/templates';
our \$TEMPLATE_COMPILE_PATH = '/var/cache/weblogin';
our \$URL = 'http://ssoinabox/webkdc-service';
our \$BYPASS_CONFIRM = 1;

EOF

    # Token ACL: webauth/* service principals of our realm get "id" tokens.
    cat > /etc/webkdc/token.acl <<EOF
krb5:webauth/*@$krb5_realm id

EOF

    rm -f "$keytab"
    kadmin.local -q "ank -randkey $princ"
    kadmin.local -q "ktadd -norandkey -k $keytab $princ"

    chown root:www-data "$keytab"
    chmod 640 "$keytab"
}
# Configure mod_webauth on this host: point it at the local WebKDC and login
# URL, and create a keytab for the webauth/ssoinabox.$domain principal
# readable by the web server.
# Reads: $domain.  Writes: /etc/apache2/conf.d/webauth, /etc/webauth/keytab
# (root:www-data 0640); creates the principal in the KDC.
#
# SECURITY: WebAuthRequireSSL and WebAuthSSLRedirect are both off, so the
# login form and the WebAuth session cookies travel over plain HTTP, and
# WebAuthDebug on presumably makes mod_webauth log verbosely.  Lab settings;
# flip all three before exposing this vhost.
configure_webauth()
{
    local keytab=/etc/webauth/keytab
    local princ="webauth/ssoinabox.$domain"
    local base="http://ssoinabox.$domain"

    cat > /etc/apache2/conf.d/webauth <<EOF
WebAuthWebKdcPrincipal service/webkdc
WebAuthLoginURL "$base/login"
WebAuthWebKdcURL "$base/webkdc-service"
WebAuthSSLRedirect off
WebAuthRequireSSL off
WebAuthDebug on

EOF

    rm -f "$keytab"
    kadmin.local -q "ank -randkey $princ"
    kadmin.local -q "ktadd -norandkey -k $keytab $princ"

    chown root:www-data "$keytab"
    chmod 640 "$keytab"

    # doesn't exist by default...?
    # chown www-data:www-data /var/lib/webauth/keyring
}
# Install the bundled Apache vhost as "ssoinabox", set its ServerName to this
# host, enable it and disable the stock default site.
# Reads: $domain, resources/apache2-site.conf next to $0.
# Writes: /etc/apache2/sites-available/ssoinabox and the sites-enabled links.
configure_apache2()
{
    local site=/etc/apache2/sites-available/ssoinabox

    cp "$(dirname "$0")/resources/apache2-site.conf" "$site"
    sed -re "s/^(\s*)ServerName .+$/\1ServerName ssoinabox.$domain/" -i "$site"

    a2ensite ssoinabox
    a2dissite default
}
# Build and install the PECL kadm5 PHP extension (with the local patch) and
# enable it for PHP 5.
# Reads: patches/kadm5.patch under the caller's cwd; caches the download in
# tarballs/.  Writes: the PHP extension dir (make install),
# /etc/php5/conf.d/kadm5.ini.
#
# NOTE(review): the tarball is fetched over plain http with no checksum or
# signature check and then compiled and installed as root — pin a known
# hash of the archive before relying on this.
build_kadm5()
{
    local oldcwd tempdir
    local tarball=tarballs/kadm5.tar.gz

    test -d tarballs || mkdir tarballs
    test -f "$tarball" || wget -O "$tarball" http://pecl.php.net/get/kadm5

    oldcwd="$(pwd)"
    tempdir="$(mktemp -d /tmp/kadm5XXXXXX)"
    cd "$tempdir"

    tar xzf "$oldcwd/$tarball"
    cd kadm5-*
    patch -p1 -i "$oldcwd/patches/kadm5.patch"
    phpize
    ./configure
    make
    make install

    cd "$oldcwd" && rm -rf "$tempdir"
    echo "extension=kadm5.so" > /etc/php5/conf.d/kadm5.ini
}
# Build the eapol_test tool from wpa_supplicant 1.1 and install it to
# /usr/local/bin; a no-op if it is already there.  Used by test_freerad.
# Writes: tarballs/ cache next to the caller's cwd, /usr/local/bin/eapol_test.
#
# NOTE(review): the source is downloaded over plain http with no checksum or
# signature verification and then compiled as root — pin a known hash before
# relying on this.
build_eapol_test()
{
    local oldcwd tempdir
    local tarball=tarballs/wpa_supplicant-1.1.tar.gz
    local url="http://hostap.epitest.fi/releases/wpa_supplicant-1.1.tar.gz"

    test -x /usr/local/bin/eapol_test && return 0

    test -d tarballs || mkdir tarballs
    test -f "$tarball" || wget -O "$tarball" "$url"

    oldcwd="$(pwd)"
    tempdir="$(mktemp -d /tmp/wpasXXXXXX)"
    cd "$tempdir"

    tar xzf "$oldcwd/$tarball"
    cd wpa_supplicant-1.1/wpa_supplicant
    # Start from the stock build config and switch on only the eapol_test
    # target.
    cp defconfig .config
    sed -re 's/^#?CONFIG_EAPOL_TEST=.+$/CONFIG_EAPOL_TEST=y/' -i .config
    make eapol_test
    cp -v eapol_test /usr/local/bin/

    cd "$oldcwd" && rm -rf "$tempdir"
}