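#!/bin/bash
#
# SSO-in-a-Box installer: turns a stock Ubuntu 12.10 host into a Kerberos,
# LDAP, RADIUS and WebAuth server. It must run as root (it drives apt, writes
# under /etc and /var/lib) and is destructive: existing LDAP and Kerberos
# databases are wiped, as the banner below warns.
#
# Usage: run the script with no arguments; everything it needs is prompted for.
# Requires: resources/functions next to this script, which is expected to
# provide the helpers used below (generate_password, patch_hosts_file,
# generate_krb5_config, generate_slapd_config, configure_* and friends).

set -e

# Every path in this script (resources/functions, packages/*, the later copy
# of resources/ldap-groups.db) is relative to the script's own directory, so
# move there first; otherwise the source line below fails when the script is
# launched from any other working directory.
cd "$(dirname "$0")" || exit 1

. resources/functions

# Quoted delimiter: the banner is printed verbatim, nothing is expanded.
cat <<'EOF'
Welcome to SSO-in-a-Box! This script configures a stock Ubuntu 12.10 install
into a working Kerberos, LDAP, RADIUS and WebAuth server. We'll ask you for
details on your domain and your first administrative account, then get started
creating things.

WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
>>> If you have ANY existing LDAP or Kerberos database that you <<<
>>> want to save, EXIT THIS SCRIPT NOW by pressing Control-C. <<<
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING

EOF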
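#######################################
# Prompt on the terminal until a usable value is obtained and store it in the
# named variable.
# Arguments:
#   $1 - name of the variable to set (must be a valid shell identifier)
#   $2 - prompt text; shown as "<prompt> [<prefill>]: " when a default exists
#   $3 - optional default, taken when the user just presses Enter
# Outputs:
#   the prompt on stderr (read -p, only when stdin is a terminal) and
#   "Invalid input." on stdout for an empty answer with no default
# Returns:
#   0 once the variable is set; 1 if stdin reaches EOF with no answer and no
#   default (under set -e this ends the script instead of spinning forever on
#   a closed stdin, which is what an unguarded read loop would do)
#######################################
get_input() {
  local var="$1"
  local prompt="$2"
  local prefill="${3:-}"
  local answer eof=

  [ -n "$prefill" ] && prompt="${prompt} [${prefill}]"

  # Assign with printf -v, not eval: the default is derived from earlier user
  # input (e.g. the suggested username) and must never be parsed as shell code.
  printf -v "$var" '%s' "$prefill"

  while true; do
    answer=
    # -r keeps backslashes in the answer literal. A failing read means EOF;
    # whatever was read before it is still honoured below.
    read -r -p "$prompt: " answer || eof=1
    if [ -n "$answer" ]; then
      printf -v "$var" '%s' "$answer"
      return 0
    fi
    # empty answer: keep the default if there is one
    [ -n "$prefill" ] && return 0
    [ -n "$eof" ] && return 1
    echo "Invalid input."
  done
}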
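# --- first admin account and domain --------------------------------------
get_input fullname "Your full name"
# Suggested username: first word of the full name, lower-cased. printf rather
# than echo so a name starting with "-" is not taken as an echo option.
username="$(printf '%s\n' "$fullname" | awk '{print $1;}' | tr '[:upper:]' '[:lower:]')"
get_input username "Admin username" "$username"
# The admin password is generated, not typed; it is printed at the very end.
password="$(generate_password 16)"
#while true; do
#  stty -echo
#  get_input password "Admin password"
#  echo
#  get_input pconf "Confirm password"
#  stty echo; echo
#  [ "$password" = "$pconf" ] && break
#  echo "Passwords do not match."
#done
get_input domain "Domain name"

# Derive the LDAP suffix and Kerberos realm from the domain. $domain is user
# input and is quoted everywhere so it is never word-split or glob-expanded.
domain="$(printf '%s\n' "$domain" | tr '[:upper:]' '[:lower:]')"
# example.org -> dc=example,dc=org
ldap_suffix="dc=$(printf '%s\n' "$domain" | sed -re 's/\./,dc=/g')"
krb5_realm="$(printf '%s\n' "$domain" | tr '[:lower:]' '[:upper:]')"

echo "Your LDAP suffix is: $ldap_suffix"
echo "Your Kerberos V realm is: $krb5_realm"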
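echo "Setting up your /etc/hosts file"
patch_hosts_file

echo "Setting up your Kerberos V client config."
generate_krb5_config

echo "Updating apt, purging any existing SSO packages and installing stuff."
# silence apt etc.
export DEBIAN_FRONTEND=noninteractive
# NOTE: the package-list refresh is disabled; the installed lists are used as-is.
#apt-get update
# The *_packages variables (presumably set by resources/functions) hold
# space-separated package lists and are deliberately unquoted so they split
# into individual arguments.
# shellcheck disable=SC2086
apt-get remove --purge -y ${krb5_packages} ${ldap_packages} ${sasl_packages} \
  ${radius_packages} ${http_packages}
# shellcheck disable=SC2086
apt-get install -y ${krb5_packages} ${ldap_packages} ${sasl_packages} screen \
  ${radius_packages} build-essential libkrb5-dev libssl-dev acl \
  ${http_packages} libnet-ldap-perl php5-ldap php5-dev libyaml-dev \
  libnl-dev

#######################################
# Stop an init.d service if its daemon is currently running.
# Arguments:
#   $1 - process name as reported by pidof
#   $2 - init script name for invoke-rc.d (defaults to $1)
#######################################
stop_if_running() {
  local proc="$1"
  local svc="${2:-$1}"
  if pidof "$proc" > /dev/null; then
    invoke-rc.d "$svc" stop
  fi
}

# stop any running services before their databases are wiped further down
stop_if_running apache2
stop_if_running freeradius
if pidof kcrap_server > /dev/null; then
  # kcrap_server is not managed through invoke-rc.d here (it is launched
  # directly later in the script), so it is stopped by name
  killall kcrap_server
fi
stop_if_running saslauthd
stop_if_running slapd
stop_if_running krb5kdc krb5-kdc
stop_if_running kadmind krb5-admin-server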
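# LDAP setup
# remove any existing LDAP db (forcibly end any slapd that outlived the stop above)
pidof slapd && killall -9 slapd
if [ -f /var/lib/ldap/__db.001 ]; then
  rm -fv /var/lib/ldap/__db.* \
    /var/lib/ldap/alock \
    /var/lib/ldap/dn2id.bdb \
    /var/lib/ldap/id2entry.bdb \
    /var/lib/ldap/log.* \
    /var/lib/ldap/objectClass.bdb
fi

# The manager password lives in /etc/ldap.secret. Create the file under a
# restrictive umask so it is never world-readable, not even in the window
# before chmod; printf '%s' writes it without a trailing newline.
ldap_manager_pw="$(generate_password 40)"
( umask 077 && printf '%s' "$ldap_manager_pw" > /etc/ldap.secret )
chmod 600 /etc/ldap.secret
# slappasswd -T reads the cleartext from the file, so nothing is put on argv.
# The hash is presumably consumed by generate_slapd_config (sourced) - verify.
ldap_manager_pw_hash="$(slappasswd -T /etc/ldap.secret)"
ldap_reader_pw="$(generate_password 10)"

if [ -d /etc/ldap/slapd.d ]; then
  rm -rfv /etc/ldap/slapd.d
fi
generate_slapd_config
# set -e alone only sees slapadd's status; check the producer side as well so
# a failed LDIF generation does not leave a silently empty directory.
generate_base_ldif | slapadd
[ "${PIPESTATUS[0]}" -eq 0 ] || { echo "generate_base_ldif failed" >&2; exit 1; }
chown -R openldap:openldap /var/lib/ldap

# point slapd at its own keytab (the keytab file itself is created in the KDC step)
if ! grep -q "KRB5_KTNAME=/etc/ldap" /etc/default/slapd; then
  echo 'export KRB5_KTNAME="FILE:/etc/ldap/keytab"' >> /etc/default/slapd
fi

# slapd checks SASL passwords through saslauthd's socket
cat <<EOF > /etc/ldap/sasl2/slapd.conf
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

EOF

# this allows slapd access to saslauthd's auth socket
gpasswd -a openldap sasl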
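# KDC setup
stash_pw="$(generate_password 40)"

# Background file-hashing job, kept from the original ("seeds /dev/random
# rather nicely"): it generates disk activity while the KDB is created.
# Whether it measurably helps entropy is not verified here, and note that
# the screen session is never stopped by this script.
# -type f before -print0 so only regular files (not directories) reach sha1sum.
screen -dmS hasher sh -c "find /usr/lib/ /usr/share/ -type f -print0 | xargs -0 -n1 sha1sum"
if [ -f /var/lib/krb5kdc/principal ]; then
  rm -fv /var/lib/krb5kdc/principal \
    /var/lib/krb5kdc/principal.kadm5 \
    /var/lib/krb5kdc/principal.kadm5.lock \
    /var/lib/krb5kdc/principal.ok
fi
# kdb5_util asks for the master key twice; answer both prompts on stdin.
printf '%s\n%s\n' "$stash_pw" "$stash_pw" | kdb5_util create -s

# every */admin principal gets full kadmin rights
printf '*/admin\t*\n' > /etc/krb5kdc/kadm5.acl

invoke-rc.d krb5-kdc start
invoke-rc.d krb5-admin-server start

# Principal passwords are answered on kadmin's two stdin prompts instead of
# being embedded in the -q command string: they never show up in argv (ps)
# and cannot break the query's quoting.
printf '%s\n%s\n' "$password" "$password" | kadmin.local -q "ank $username"

webkerb_pw="$(generate_password 40)"
printf '%s\n%s\n' "$webkerb_pw" "$webkerb_pw" | kadmin.local -q "ank webkerb/admin"

# Host and ldap service principals, exported to keytabs. -norandkey keeps the
# keys just created so the keytab matches the KDB entry; any stale keytab is
# removed first so old entries do not linger.
kadmin.local -q "ank -randkey host/ssoinabox.$domain"
rm -f /etc/krb5.keytab
kadmin.local -q "ktadd -norandkey -kt /etc/krb5.keytab host/ssoinabox.$domain"
kadmin.local -q "ank -randkey ldap/ssoinabox.$domain"
rm -f /etc/ldap/keytab
kadmin.local -q "ktadd -norandkey -kt /etc/ldap/keytab ldap/ssoinabox.$domain"
# readable by slapd (group openldap) only
chown root:openldap /etc/ldap/keytab
chmod 640 /etc/ldap/keytab

# let the AppArmor-confined slapd read its keytab
echo "/etc/ldap/keytab rk," > "/etc/apparmor.d/local/usr.sbin.slapd"
invoke-rc.d apparmor restart

invoke-rc.d slapd start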
# SASL setup
# The configure_*/build_*/test_* helpers used in this section are not defined
# in this file; they are expected to come from resources/functions (sourced at
# the top). Start order is presumably significant - each service is started
# before the steps that appear to depend on it - so do not reorder.
configure_saslauthd
invoke-rc.d saslauthd start

# KCRAP setup
# Build output is discarded; stderr is left alone and set -e still stops the
# script if the build fails.
build_kcrap > /dev/null
configure_kcrap
# Launched directly rather than via invoke-rc.d. NOTE(review): presumably
# daemonizes itself, otherwise the script would block here - confirm.
/usr/sbin/kcrap_server

# RADIUS setup
configure_freerad
invoke-rc.d freeradius start

# RADIUS tests
# Runs after freeradius is up; a failing test aborts the install via set -e.
test_freerad
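# generate web stuff
generate_web_yaml

# apache config
for module in rewrite authz_dbm webauth webkdc; do
  a2enmod "$module"
done

build_kadm5 > /dev/null

configure_webkdc
configure_webauth
configure_apache2

# (re)install the PHP yaml extension; pecl prompts interactively, so every
# question is answered with an empty line (accept defaults)
if pecl list | grep -q yaml; then
  pecl uninstall yaml
fi
yes "" | pecl install yaml > /dev/null
mkdir -p /etc/php5/conf.d
echo "extension=yaml.so" > /etc/php5/conf.d/yaml.ini
cp -- "$(dirname "$0")/resources/ldap-groups.db" /etc/apache2/ldap-groups

# install packages
# Each package is built in a subshell: a failing ./build still aborts the run
# (set -e is inherited) and the working directory is restored automatically
# instead of relying on "cd ../..".
for d in packages/*; do
  [ -d "$d" ] || continue
  ( cd "$d" && ./build )
done
# One dpkg invocation for all .debs lets dpkg sort out their mutual
# dependencies; -exec ... + runs nothing when no .deb exists (xargs would have
# run a bare "dpkg -i" and failed).
find packages -name '*.deb' -type f -exec dpkg -i {} +

/usr/local/share/ssoinabox/bin/ldap-groups-to-dbm

invoke-rc.d apache2 start

echo "Passwords to remember (WRITE THESE DOWN):"
echo "Kerberos master key: $stash_pw"
echo "LDAP manager password: $ldap_manager_pw"
echo "LDAP reader DN: cn=ldap-reader,ou=Roles,$ldap_suffix"
echo "LDAP reader password: $ldap_reader_pw"
echo "Admin username: $username"
echo "Admin password: $password"
echo "Change your admin password by typing:"
echo " kadmin.local -q \"cpw $username\""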