author | Dan Fuhry <dan@fuhry.us> |
Sat, 16 Feb 2013 20:47:45 -0500 | |
changeset 7 | faf6f7941e8f |
parent 6 | 3ac4e03f28b2 |
child 9 | f4bf6556fb9f |
permissions | -rwxr-xr-x |
0 | 1 |
#!/bin/bash |
2 |
||
3 |
set -e |
|
4 |
. resources/functions |
|
5 |
||
6 |
cat <<EOF |
|
7 |
Welcome to SSO-in-a-Box! This script configures a stock Ubuntu 12.10 install |
|
8 |
into a working Kerberos, LDAP, RADIUS and WebAuth server. We'll ask you for |
|
9 |
details on your domain and your first administrative account, then get started |
|
10 |
creating things. |
|
11 |
||
12 |
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING |
|
13 |
>>> If you have ANY existing LDAP or Kerberos database that you <<< |
|
14 |
>>> want to save, EXIT THIS SCRIPT NOW by pressing Control-C. <<< |
|
15 |
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING |
|
16 |
||
17 |
EOF |
|
18 |
||
19 |
get_input() |
|
20 |
{ |
|
21 |
local var="$1" |
|
22 |
local prompt="$2" |
|
23 |
local prefill="${3:-}" |
|
24 |
[ -n "$prefill" ] && prompt="${prompt} [${prefill}]" |
|
25 |
eval "$var="\""$prefill"\" |
|
26 |
while true; do |
|
27 |
read -p "$prompt: " "$var" |
|
28 |
if [ -z "${!var}" ]; then |
|
29 |
if [ -n "$prefill" ]; then |
|
30 |
eval "$var="\""$prefill"\" |
|
31 |
break |
|
32 |
fi |
|
33 |
else |
|
34 |
break |
|
35 |
fi |
|
36 |
echo "Invalid input." |
|
37 |
done |
|
38 |
} |
|
39 |
||
40 |
get_input fullname "Your full name" |
|
41 |
username=`echo "$fullname" | awk '{print $1;}' | tr '[A-Z]' '[a-z]'` |
|
42 |
get_input username "Admin username" "$username" |
|
43 |
password="`generate_password 16`" |
|
44 |
#while true; do |
|
45 |
# stty -echo |
|
46 |
# get_input password "Admin password" |
|
47 |
# echo |
|
48 |
# get_input pconf "Confirm password" |
|
49 |
# stty echo; echo |
|
50 |
# [ "$password" = "$pconf" ] && break |
|
51 |
# echo "Passwords do not match." |
|
52 |
#done |
|
53 |
get_input domain "Domain name" |
|
54 |
||
55 |
domain="`echo $domain | tr '[:upper:]' '[:lower:]'`" |
|
56 |
ldap_suffix="dc=`echo $domain | sed -re 's/\./,dc=/g'`" |
|
57 |
krb5_realm="`echo $domain | tr '[:lower:]' '[:upper:]'`" |
|
58 |
||
59 |
echo "Your LDAP suffix is: $ldap_suffix" |
|
60 |
echo "Your Kerberos V realm is: $krb5_realm" |
|
61 |
||
62 |
echo "Setting up your /etc/hosts file" |
|
63 |
patch_hosts_file |
|
64 |
||
65 |
echo "Setting up your Kerberos V client config." |
|
66 |
generate_krb5_config |
|
67 |
||
68 |
echo "Updating apt, purging any existing SSO packages and installing stuff." |
|
69 |
# silence apt etc. |
|
70 |
export DEBIAN_FRONTEND=noninteractive |
|
71 |
#apt-get update |
|
72 |
apt-get remove --purge -y ${krb5_packages} ${ldap_packages} ${sasl_packages} \ |
|
73 |
${radius_packages} ${http_packages} |
|
74 |
apt-get install -y ${krb5_packages} ${ldap_packages} ${sasl_packages} screen \ |
|
75 |
${radius_packages} build-essential libkrb5-dev libssl-dev acl \ |
|
76 |
${http_packages} libnet-ldap-perl php5-ldap php5-dev libyaml-dev \ |
|
77 |
libnl-dev |
|
78 |
||
79 |
# stop any running services |
|
80 |
if pidof apache2 > /dev/null; then |
|
81 |
invoke-rc.d apache2 stop |
|
82 |
fi |
|
83 |
||
84 |
if pidof freeradius > /dev/null; then |
|
85 |
invoke-rc.d freeradius stop |
|
86 |
fi |
|
87 |
||
88 |
if pidof kcrap_server > /dev/null; then |
|
89 |
killall kcrap_server |
|
90 |
fi |
|
91 |
||
92 |
if pidof saslauthd > /dev/null; then |
|
93 |
invoke-rc.d saslauthd stop |
|
94 |
fi |
|
95 |
||
96 |
if pidof slapd > /dev/null; then |
|
97 |
invoke-rc.d slapd stop |
|
98 |
fi |
|
99 |
||
100 |
if pidof krb5kdc > /dev/null; then |
|
101 |
invoke-rc.d krb5-kdc stop |
|
102 |
fi |
|
103 |
||
104 |
if pidof kadmind > /dev/null; then |
|
105 |
invoke-rc.d krb5-admin-server stop |
|
106 |
fi |
|
107 |
||
108 |
# LDAP setup |
|
109 |
# remove any existing LDAP db |
|
110 |
pidof slapd && killall -9 slapd |
|
111 |
if [ -f /var/lib/ldap/__db.001 ]; then |
|
112 |
rm -fv /var/lib/ldap/__db.* \ |
|
113 |
/var/lib/ldap/alock \ |
|
114 |
/var/lib/ldap/dn2id.bdb \ |
|
115 |
/var/lib/ldap/id2entry.bdb \ |
|
116 |
/var/lib/ldap/log.* \ |
|
117 |
/var/lib/ldap/objectClass.bdb |
|
118 |
fi |
|
119 |
ldap_manager_pw="`generate_password 40`" |
|
120 |
echo -n "$ldap_manager_pw" > /etc/ldap.secret |
|
121 |
chmod 600 /etc/ldap.secret |
|
122 |
ldap_manager_pw_hash="`echo "$ldap_manager_pw" | slappasswd -T /etc/ldap.secret`" |
|
123 |
ldap_reader_pw="`generate_password 10`" |
|
124 |
||
125 |
if [ -d /etc/ldap/slapd.d ]; then |
|
126 |
rm -rfv /etc/ldap/slapd.d |
|
127 |
fi |
|
4
2212b2ded8bf
Added OpenSSH public key support in LDAP
Dan Fuhry <dan@fuhry.us>
parents:
0
diff
changeset
|
128 |
|
2212b2ded8bf
Added OpenSSH public key support in LDAP
Dan Fuhry <dan@fuhry.us>
parents:
0
diff
changeset
|
129 |
cp `dirname $0`/resources/openssh-lpk_openldap.schema /etc/ldap/schema/ |
2212b2ded8bf
Added OpenSSH public key support in LDAP
Dan Fuhry <dan@fuhry.us>
parents:
0
diff
changeset
|
130 |
|
0 | 131 |
generate_slapd_config |
132 |
generate_base_ldif | slapadd |
|
133 |
chown -R openldap:openldap /var/lib/ldap |
|
134 |
||
135 |
if ! grep -q "KRB5_KTNAME=/etc/ldap" /etc/default/slapd; then |
|
136 |
echo 'export KRB5_KTNAME="FILE:/etc/ldap/keytab"' >> /etc/default/slapd |
|
137 |
fi |
|
138 |
||
139 |
cat <<EOF > /etc/ldap/sasl2/slapd.conf |
|
140 |
pwcheck_method: saslauthd |
|
141 |
saslauthd_path: /var/run/saslauthd/mux |
|
142 |
||
143 |
EOF |
|
144 |
||
145 |
# this allows slapd access to saslauthd's auth socket |
|
146 |
gpasswd -a openldap sasl |
|
147 |
||
148 |
# KDC setup |
|
149 |
stash_pw="`generate_password 40`" |
|
150 |
||
151 |
# seeds /dev/random rather nicely... |
|
152 |
screen -dmS hasher sh -c "find /usr/lib/ /usr/share/ -print0 -type f | xargs -0 -n1 sha1sum" |
|
6
3ac4e03f28b2
Fixed kerberos path again. Default Ubuntu installs do indeed use /var/lib/krb5kdc. Really should try to autodetect that.
Dan Fuhry <dan@fuhry.us>
parents:
5
diff
changeset
|
153 |
if [ -f /var/lib/krb5kdc/principal ]; then |
3ac4e03f28b2
Fixed kerberos path again. Default Ubuntu installs do indeed use /var/lib/krb5kdc. Really should try to autodetect that.
Dan Fuhry <dan@fuhry.us>
parents:
5
diff
changeset
|
154 |
rm -fv /var/lib/krb5kdc/principal \ |
3ac4e03f28b2
Fixed kerberos path again. Default Ubuntu installs do indeed use /var/lib/krb5kdc. Really should try to autodetect that.
Dan Fuhry <dan@fuhry.us>
parents:
5
diff
changeset
|
155 |
/var/lib/krb5kdc/principal.kadm5 \ |
3ac4e03f28b2
Fixed kerberos path again. Default Ubuntu installs do indeed use /var/lib/krb5kdc. Really should try to autodetect that.
Dan Fuhry <dan@fuhry.us>
parents:
5
diff
changeset
|
156 |
/var/lib/krb5kdc/principal.kadm5.lock \ |
3ac4e03f28b2
Fixed kerberos path again. Default Ubuntu installs do indeed use /var/lib/krb5kdc. Really should try to autodetect that.
Dan Fuhry <dan@fuhry.us>
parents:
5
diff
changeset
|
157 |
/var/lib/krb5kdc/principal.ok |
0 | 158 |
fi |
159 |
echo -en "${stash_pw}\n${stash_pw}\n" | kdb5_util create -s |
|
160 |
||
161 |
echo -e "*/admin\t*" > /etc/krb5kdc/kadm5.acl |
|
162 |
||
163 |
invoke-rc.d krb5-kdc start |
|
164 |
invoke-rc.d krb5-admin-server start |
|
165 |
||
166 |
kadmin.local -q "ank -pw "\""${password}"\"" $username" |
|
167 |
||
168 |
webkerb_pw="`generate_password 40`" |
|
169 |
kadmin.local -q "ank -pw "\""${webkerb_pw}"\"" webkerb/admin" |
|
170 |
||
171 |
kadmin.local -q "ank -randkey host/ssoinabox.$domain" |
|
172 |
[ -f /etc/krb5.keytab ] && rm -f /etc/krb5.keytab |
|
173 |
kadmin.local -q "ktadd -norandkey -kt /etc/krb5.keytab host/ssoinabox.$domain" |
|
174 |
kadmin.local -q "ank -randkey ldap/ssoinabox.$domain" |
|
175 |
[ -f /etc/ldap/keytab ] && rm -f /etc/ldap/keytab |
|
176 |
kadmin.local -q "ktadd -norandkey -kt /etc/ldap/keytab ldap/ssoinabox.$domain" |
|
177 |
chown root:openldap /etc/ldap/keytab |
|
178 |
chmod 640 /etc/ldap/keytab |
|
179 |
||
180 |
echo "/etc/ldap/keytab rk," > "/etc/apparmor.d/local/usr.sbin.slapd" |
|
181 |
invoke-rc.d apparmor restart |
|
182 |
||
183 |
invoke-rc.d slapd start |
|
184 |
||
185 |
# SASL setup |
|
186 |
configure_saslauthd |
|
187 |
invoke-rc.d saslauthd start |
|
188 |
||
189 |
# KCRAP setup |
|
190 |
build_kcrap > /dev/null |
|
191 |
configure_kcrap |
|
192 |
/usr/sbin/kcrap_server |
|
193 |
||
194 |
# RADIUS setup |
|
195 |
configure_freerad |
|
196 |
invoke-rc.d freeradius start |
|
197 |
||
198 |
# RADIUS tests |
|
199 |
test_freerad |
|
200 |
||
201 |
# generate web stuff |
|
202 |
generate_web_yaml |
|
203 |
||
204 |
# apache config |
|
205 |
for module in rewrite authz_dbm webauth webkdc; do |
|
206 |
a2enmod $module |
|
207 |
done |
|
208 |
||
209 |
build_kadm5 > /dev/null |
|
210 |
||
211 |
configure_webkdc |
|
212 |
configure_webauth |
|
213 |
configure_apache2 |
|
214 |
||
215 |
if pecl list | grep -q yaml; then |
|
216 |
pecl uninstall yaml |
|
217 |
fi |
|
218 |
yes "" | pecl install yaml > /dev/null |
|
219 |
test -d /etc/php5/conf.d || mkdir /etc/php5/conf.d |
|
220 |
echo "extension=yaml.so" > /etc/php5/conf.d/yaml.ini |
|
221 |
cp `dirname $0`/resources/ldap-groups.db /etc/apache2/ldap-groups |
|
222 |
||
223 |
# install packages |
|
224 |
for d in packages/*; do |
|
225 |
cd $d |
|
226 |
./build |
|
227 |
cd ../.. |
|
228 |
done |
|
229 |
find packages -name \*.deb -type f | xargs dpkg -i |
|
230 |
||
231 |
/usr/local/share/ssoinabox/bin/ldap-groups-to-dbm |
|
232 |
||
233 |
invoke-rc.d apache2 start |
|
234 |
||
235 |
echo "Passwords to remember (WRITE THESE DOWN):" |
|
236 |
echo "Kerberos master key: $stash_pw" |
|
237 |
echo "LDAP manager password: $ldap_manager_pw" |
|
238 |
echo "LDAP reader DN: cn=ldap-reader,ou=Roles,$ldap_suffix" |
|
239 |
echo "LDAP reader password: $ldap_reader_pw" |
|
240 |
echo "Admin username: $username" |
|
241 |
echo "Admin password: $password" |
|
242 |
echo "Change your admin password by typing:" |
|
243 |
echo " kadmin.local -q "\""cpw $username"\""" |