#!/bin/bash
set -e
cd "`dirname $0`"
. resources/functions
cat <<EOF
Welcome to SSO-in-a-Box! This script configures a stock Ubuntu 12.10 install
into a working Kerberos, LDAP, RADIUS and WebAuth server. We'll ask you for
details on your domain and your first administrative account, then get started
creating things.
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
>>> If you have ANY existing LDAP or Kerberos database that you <<<
>>> want to save, EXIT THIS SCRIPT NOW by pressing Control-C. <<<
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
EOF
get_input()
{
local var="$1"
local prompt="$2"
local prefill="${3:-}"
[ -n "$prefill" ] && prompt="${prompt} [${prefill}]"
eval "$var="\""$prefill"\"
while true; do
read -p "$prompt: " "$var"
if [ -z "${!var}" ]; then
if [ -n "$prefill" ]; then
eval "$var="\""$prefill"\"
break
fi
else
break
fi
echo "Invalid input."
done
}
get_input fullname "Your full name"
username=`echo "$fullname" | awk '{print $1;}' | tr '[A-Z]' '[a-z]'`
get_input username "Admin username" "$username"
password="`generate_password 16`"
#while true; do
# stty -echo
# get_input password "Admin password"
# echo
# get_input pconf "Confirm password"
# stty echo; echo
# [ "$password" = "$pconf" ] && break
# echo "Passwords do not match."
#done
get_input domain "Domain name"
domain="`echo $domain | tr '[:upper:]' '[:lower:]'`"
ldap_suffix="dc=`echo $domain | sed -re 's/\./,dc=/g'`"
krb5_realm="`echo $domain | tr '[:lower:]' '[:upper:]'`"
echo "Your LDAP suffix is: $ldap_suffix"
echo "Your Kerberos V realm is: $krb5_realm"
echo "Setting up your /etc/hosts file"
patch_hosts_file
echo "Setting up your Kerberos V client config."
generate_krb5_config
echo "Updating apt, purging any existing SSO packages and installing stuff."
# silence apt etc.
export DEBIAN_FRONTEND=noninteractive
#apt-get update
apt-get remove --purge -y ${krb5_packages} ${ldap_packages} ${sasl_packages} \
${radius_packages} ${http_packages}
apt-get install -y ${krb5_packages} ${ldap_packages} ${sasl_packages} screen \
${radius_packages} build-essential libkrb5-dev libssl-dev acl \
${http_packages} libnet-ldap-perl php5-ldap php5-dev libyaml-dev \
libnl-dev
# stop any running services
if pidof apache2 > /dev/null; then
invoke-rc.d apache2 stop
fi
if pidof freeradius > /dev/null; then
invoke-rc.d freeradius stop
fi
if pidof kcrap_server > /dev/null; then
killall kcrap_server
fi
if pidof saslauthd > /dev/null; then
invoke-rc.d saslauthd stop
fi
if pidof slapd > /dev/null; then
invoke-rc.d slapd stop
fi
if pidof krb5kdc > /dev/null; then
invoke-rc.d krb5-kdc stop
fi
if pidof kadmind > /dev/null; then
invoke-rc.d krb5-admin-server stop
fi
# LDAP setup
# remove any existing LDAP db
pidof slapd && killall -9 slapd
if [ -f /var/lib/ldap/__db.001 ]; then
rm -fv /var/lib/ldap/__db.* \
/var/lib/ldap/alock \
/var/lib/ldap/dn2id.bdb \
/var/lib/ldap/id2entry.bdb \
/var/lib/ldap/log.* \
/var/lib/ldap/objectClass.bdb
fi
ldap_manager_pw="`generate_password 40`"
echo -n "$ldap_manager_pw" > /etc/ldap.secret
chmod 600 /etc/ldap.secret
ldap_manager_pw_hash="`echo "$ldap_manager_pw" | slappasswd -T /etc/ldap.secret`"
ldap_reader_pw="`generate_password 10`"
if [ -d /etc/ldap/slapd.d ]; then
rm -rfv /etc/ldap/slapd.d
fi
cp `dirname $0`/resources/openssh-lpk_openldap.schema /etc/ldap/schema/
generate_slapd_config
generate_base_ldif | slapadd
chown -R openldap:openldap /var/lib/ldap
if ! grep -q "KRB5_KTNAME=/etc/ldap" /etc/default/slapd; then
echo 'export KRB5_KTNAME="FILE:/etc/ldap/keytab"' >> /etc/default/slapd
fi
cat <<EOF > /etc/ldap/sasl2/slapd.conf
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
EOF
# this allows slapd access to saslauthd's auth socket
gpasswd -a openldap sasl
# KDC setup
stash_pw="`generate_password 40`"
# seeds /dev/random rather nicely...
screen -dmS hasher sh -c "find /usr/lib/ /usr/share/ -print0 -type f | xargs -0 -n1 sha1sum"
if [ -f /var/lib/krb5kdc/principal ]; then
rm -fv /var/lib/krb5kdc/principal \
/var/lib/krb5kdc/principal.kadm5 \
/var/lib/krb5kdc/principal.kadm5.lock \
/var/lib/krb5kdc/principal.ok
fi
echo -en "${stash_pw}\n${stash_pw}\n" | kdb5_util create -s
echo -e "*/admin\t*" > /etc/krb5kdc/kadm5.acl
invoke-rc.d krb5-kdc start
invoke-rc.d krb5-admin-server start
kadmin.local -q "ank -pw "\""${password}"\"" $username"
webkerb_pw="`generate_password 40`"
kadmin.local -q "ank -pw "\""${webkerb_pw}"\"" webkerb/admin"
kadmin.local -q "ank -randkey host/ssoinabox.$domain"
[ -f /etc/krb5.keytab ] && rm -f /etc/krb5.keytab
kadmin.local -q "ktadd -norandkey -kt /etc/krb5.keytab host/ssoinabox.$domain"
kadmin.local -q "ank -randkey ldap/ssoinabox.$domain"
[ -f /etc/ldap/keytab ] && rm -f /etc/ldap/keytab
kadmin.local -q "ktadd -norandkey -kt /etc/ldap/keytab ldap/ssoinabox.$domain"
chown root:openldap /etc/ldap/keytab
chmod 640 /etc/ldap/keytab
echo "/etc/ldap/keytab rk," > "/etc/apparmor.d/local/usr.sbin.slapd"
invoke-rc.d apparmor restart
invoke-rc.d slapd start
# SASL setup
configure_saslauthd
invoke-rc.d saslauthd start
# KCRAP setup
build_kcrap > /dev/null
configure_kcrap
/usr/sbin/kcrap_server
# RADIUS setup
configure_freerad
invoke-rc.d freeradius start
# RADIUS tests
test_freerad
# generate web stuff
generate_web_yaml
# apache config
for module in rewrite authz_dbm webauth webkdc; do
a2enmod $module
done
build_kadm5 > /dev/null
configure_webkdc
configure_webauth
configure_apache2
if pecl list | grep -q yaml; then
pecl uninstall yaml
fi
yes "" | pecl install yaml > /dev/null
test -d /etc/php5/conf.d || mkdir /etc/php5/conf.d
echo "extension=yaml.so" > /etc/php5/conf.d/yaml.ini
cp `dirname $0`/resources/ldap-groups.db /etc/apache2/ldap-groups
# install packages
for d in packages/*; do
cd $d
./build
cd ../..
done
find packages -name \*.deb -type f | xargs dpkg -i
/usr/local/share/ssoinabox/bin/ldap-groups-to-dbm
invoke-rc.d apache2 start
echo "Passwords to remember (WRITE THESE DOWN):"
echo "Kerberos master key: $stash_pw"
echo "LDAP manager password: $ldap_manager_pw"
echo "LDAP reader DN: cn=ldap-reader,ou=Roles,$ldap_suffix"
echo "LDAP reader password: $ldap_reader_pw"
echo "Admin username: $username"
echo "Admin password: $password"
echo "Change your admin password by typing:"
echo " kadmin.local -q "\""cpw $username"\"""