resources/functions
author Dan Fuhry <dan@fuhry.us>
Sat, 16 Feb 2013 19:02:51 -0500 (2013-02-17)
changeset 6 3ac4e03f28b2
parent 5 cdd708efa505
permissions -rw-r--r--
Fixed kerberos path again. Default Ubuntu installs do indeed use /var/lib/krb5kdc. Really should try to autodetect that.
# :mode=shellscript:
# Package sets, grouped by the service role each one provides (Kerberos KDC,
# OpenLDAP, SASL, FreeRADIUS, Apache/WebAuth).  Each is a single
# space-separated string; word-splitting into an installer command line is
# left to whatever code consumes these variables.
krb5_packages="krb5-admin-server krb5-kdc"
ldap_packages="slapd ldap-utils"
sasl_packages="sasl2-bin libsasl2-modules-gssapi-mit"
radius_packages="freeradius freeradius-ldap freeradius-common"
http_packages="apache2.2-bin libapache2-mod-php5 libapache2-webauth libapache2-webkdc webauth-weblogin php-pear"
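patch_hosts_file()
{
	# Give the box the name ssoinabox.$domain: map it to 127.0.1.1 in
	# /etc/hosts (Debian's convention for the machine's own FQDN), write
	# /etc/hostname and apply the new name to the running kernel.
	# Expects: $domain (global, set by the caller).
	# Side effects: rewrites /etc/hosts and /etc/hostname, changes the live
	# hostname; needs root.
	# Any existing 127.0.1.1 line is dropped first so repeated runs do not
	# accumulate duplicate entries.
	sed -re '/^127\.0\.1\.1\s+/d' -i /etc/hosts
	#sed -re '/^10\.0\.2\.2\s+/d' -i /etc/hosts
	# printf rather than echo -e: the tab escapes are interpreted the same
	# way regardless of which shell or echo implementation runs this file.
	printf '127.0.1.1\tssoinabox.%s\tssoinabox\n' "$domain" >> /etc/hosts
	#echo -e "10.0.2.2\tsso-clients.${domain}\tssoinabox" >> /etc/hosts

	# No trailing newline: the file is read back verbatim on the next line.
	printf '%s' "ssoinabox.$domain" > /etc/hostname
	hostname "$(cat /etc/hostname)"
}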
generate_krb5_config()
{
	# Write the client-side Kerberos configuration for the single-host realm.
	# Expects globals: $krb5_realm (realm name) and $domain (DNS domain);
	# both are expanded inside the unquoted heredoc, so the body below is a
	# template, not literal text.
	# DNS lookups are disabled and the KDC, admin and kcrap endpoints are
	# pinned to ssoinabox.$domain, the name patch_hosts_file puts in
	# /etc/hosts.
	# NOTE(review): the [login] krb4_* keys are legacy Kerberos 4 settings;
	# confirm the installed krb5 still honours them or drop the section.
	cat <<EOF > /etc/krb5.conf
[libdefaults]
	default_realm = $krb5_realm
	dns_lookup_realm = false
	dns_lookup_kdc = false
	ticket_lifetime = 24h
	forwardable = yes

[realms]
	$krb5_realm = {
		kdc = ssoinabox.$domain:88
		admin_server = ssoinabox.$domain:749
		kcrap = ssoinabox.$domain:1999
	}

[domain_realm]
	$domain = $krb5_realm
	.$domain = $krb5_realm

[login]
	krb4_convert = true
	krb4_get_tickets = false

	
EOF
}
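generate_slapd_config()
{
	# Write the OpenLDAP server configuration (slapd.conf style).
	# Expects globals: $ldap_suffix, $domain, $krb5_realm and
	# $ldap_manager_pw_hash (the already-hashed rootdn password); all are
	# expanded inside the unquoted heredoc.
	# Side effects: overwrites /etc/ldap/slapd.conf and restricts its mode,
	# since the file carries the rootpw hash; needs root.
	#
	# ACL ordering: slapd applies the first "access to" clause whose target
	# matches the entry/attribute and ignores every later one.  The
	# attribute lock-down therefore has to sit ABOVE the catch-all
	# "access to *", and only one catch-all can ever be reached.  Previously
	# both the lock-down and a second catch-all came after the first
	# "access to *", were never consulted, and left every user free to write
	# their own uidNumber/gidNumber/uid.  The single catch-all below merges
	# the two original ones; if authenticated users were not meant to read
	# other entries, drop its "by users read" line.
	cat <<EOF > /etc/ldap/slapd.conf
# vim: set ft=conf
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/openssh-lpk_openldap.schema

pidfile		/var/run/slapd/slapd.pid
argsfile	/var/run/slapd/slapd.args

# for replication
moduleload back_bdb.la
moduleload syncprov

disallow bind_anon

database	bdb
suffix		"$ldap_suffix"

authz-policy	from
authz-regexp	"^uid=([^,/]+)(,cn=${domain//\./\\.})?,cn=gssapi,cn=auth"    "cn=\$1,ou=People,$ldap_suffix"

rootdn		"cn=Manager,$ldap_suffix"
rootpw		${ldap_manager_pw_hash}

directory	/var/lib/ldap

index		objectClass	eq

sasl-realm	${krb5_realm}
sasl-host	ssoinabox.${domain}
sasl-secprops	noplain,noactive,noanonymous

#TLSCACertificateFile	/etc/ssl/certs/fixme.crt
#TLSCertificateFile		/etc/ssl/certs/fixme.crt
#TLSCertificateKeyFile	/etc/ssl/private/fixme.key

overlay		syncprov
syncprov-checkpoint	100	10
syncprov-sessionlog	100

##
# ACLs
# slapd stops at the first "access to" whose target matches, so the
# specific clauses must stay above the catch-all "access to *".

access to dn="cn=ldap-reader,ou=Roles,$ldap_suffix"
	by anonymous auth

access to attrs=userPassword
	by self =xw
	by anonymous auth
	by * none

# Lock down attributes a user shouldn't change: readable, never self-writable
access to attrs="loginShell,homeDirectory,uidNumber,gidNumber,uid,cn"
	by self read
	by dn="cn=ldap-reader,ou=Roles,$ldap_suffix" read
	by dn="cn=freeradius,ou=Roles,$ldap_suffix" read
	by dn="cn=replicator,ou=Roles,$ldap_suffix" read
	by users read

access to *
	by self write
	by dn="cn=ldap-reader,ou=Roles,$ldap_suffix" read
	by dn="cn=freeradius,ou=Roles,$ldap_suffix" read
	by dn="cn=replicator,ou=Roles,$ldap_suffix" read
	by anonymous auth
	by users read

EOF
	# The file holds the rootpw hash: readable by root and the slapd service
	# group only.  "openldap" is the account the Debian/Ubuntu slapd package
	# runs as; adjust if the service user differs.
	chown root:openldap /etc/ldap/slapd.conf
	chmod 0640 /etc/ldap/slapd.conf
}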
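generate_base_ldif()
{
	# Print to stdout the LDIF that seeds the directory: the suffix entry,
	# the Manager role, the People/Groups/Roles OUs, the first user with its
	# two default groups, and the ldap-reader service account.
	# Expects globals: $domain, $fullname, $username, $ldap_suffix,
	# $krb5_realm, $ldap_reader_pw.
	# NOTE(review): the cn=freeradius and cn=replicator roles referenced by
	# the slapd ACLs are not created here; presumably added elsewhere.
	#
	# The first DNS label of $domain is the dc of the suffix entry.
	domainbit="${domain%%.*}"
	# Split the display name into givenName/sn: first word is the given
	# name, the rest is the surname, so multi-word surnames survive
	# ("Mary Anne Smith" -> sn "Anne Smith"; the old awk '$2' kept only
	# "Anne").  A one-word name is reused as sn, which keeps the entry valid
	# (objectClass person requires sn).
	read -r gn sn <<< "$fullname"
	sn="${sn:-$gn}"
	# domainbit/gn/sn stay shell globals, as before, in case later code
	# reads them — TODO confirm and make them local.
	# NOTE(review): $ldap_reader_pw is stored in userPassword as cleartext;
	# supplying a hashed value would avoid a recoverable secret in the
	# directory.
	cat <<EOF
dn: $ldap_suffix
objectClass: dcObject
objectClass: organization
o: $domain
dc: $domainbit

dn: cn=Manager,$ldap_suffix
cn: Manager
objectClass: top
objectClass: organizationalRole
description: LDAP admin entry with root level access to the server

dn: ou=People,$ldap_suffix
ou: People
objectClass: top
objectClass: organizationalUnit
description: User accounts representing people

dn: uid=$username,ou=People,$ldap_suffix
uid: $username
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: ldapPublicKey
cn: $fullname
givenName: $gn
sn: $sn
loginShell: /bin/bash
homeDirectory: /home/users/$username
uidNumber: 501
gidNumber: 500
userPassword: {SASL}$username@$krb5_realm

dn: ou=Groups,$ldap_suffix
ou: Groups
objectClass: top
objectClass: organizationalUnit
description: POSIX user account groups

dn: cn=users,ou=Groups,$ldap_suffix
cn: users
objectClass: top
objectClass: posixGroup
description: Default POSIX group for users
gidNumber: 500
memberUid: $username

dn: cn=rtp,ou=Groups,$ldap_suffix
cn: rtp
objectClass: top
objectClass: posixGroup
description: POSIX group for people with root access to servers
gidNumber: 501
memberUid: $username

dn: ou=Roles,$ldap_suffix
ou: Roles
objectClass: top
objectClass: organizationalUnit
description: User accounts representing bots or other administrative functions

dn: cn=ldap-reader,ou=Roles,$ldap_suffix
cn: ldap-reader
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
description: Low-security account used for read-only LDAP access by NSS clients
userPassword: $ldap_reader_pw


EOF
}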
configure_saslauthd()
{
	# Enable saslauthd and make Kerberos 5 its only mechanism by editing
	# /etc/default/saslauthd in place; needs root.
	# NOTE(review): the MECHANISMS pattern requires at least one character
	# between the quotes, so a pre-existing MECHANISMS="" is left untouched.
	sed -re	's/^START=no$/START=yes/' \
		-e	's/^MECHANISMS=".+"$/MECHANISMS="kerberos5"/' \
		-i	/etc/default/saslauthd
}
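generate_password()
{
	# Print one random password of $1 (default 64) characters from
	# [A-Za-z0-9], followed by a newline, drawn from /dev/urandom.
	# Reading urandom through tr until head has enough characters always
	# yields the full length; the previous fixed 2048-byte slice only left
	# a few hundred usable characters and could fall short for long lengths.
	local length="${1:-64}"
	case "$length" in
		''|*[!0-9]*|0)
			echo "generate_password: length must be a positive integer, got '$length'" >&2
			return 1
			;;
	esac
	# LC_ALL=C keeps tr byte-oriented.  head stops the stream after
	# $length characters; the process substitution keeps tr's SIGPIPE exit
	# status out of any "set -o pipefail" the caller may have enabled.
	head -c "$length" < <(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom)
	echo
}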
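build_kcrap()
{
	# Fetch the kcrap AUR package, build it with the PKGBUILD's own build()
	# plus this project's patches, and install it under /usr/local.
	# Expects to run as root from the project directory: patches/ is
	# resolved relative to the starting cwd.
	# Supply-chain note: the AUR tarball is executed (". PKGBUILD") and is
	# protected only by the HTTPS fetch.  Set KCRAP_AUR_SHA256 to a
	# known-good digest to pin it; the upstream source tarball is checked
	# against whatever checksum the PKGBUILD itself declares.
	local src_file
	oldcwd="$PWD"
	tempdir="$(mktemp -d /tmp/kcrapXXXXXX)"
	cd "$tempdir" || return 1
	wget https://aur.archlinux.org/packages/kc/kcrap/kcrap.tar.gz
	if [ -n "${KCRAP_AUR_SHA256:-}" ]; then
		echo "${KCRAP_AUR_SHA256}  kcrap.tar.gz" | sha256sum -c - || return 1
	fi
	tar xzvf kcrap.tar.gz
	cd kcrap || return 1
	mkdir pkg src
	export srcdir="$PWD/src"
	export pkgdir="$PWD/pkg"
	# Sourcing the PKGBUILD defines the source array, its checksum arrays
	# and build() in this shell.
	. PKGBUILD
	wget "${source[0]}"
	# Verify the upstream tarball against the PKGBUILD's declared digest
	# (sha256sums preferred, md5sums otherwise, "SKIP" honoured).
	src_file="$(basename "${source[0]}")"
	if [ -n "${sha256sums[0]:-}" ] && [ "${sha256sums[0]}" != "SKIP" ]; then
		echo "${sha256sums[0]}  $src_file" | sha256sum -c - || return 1
	elif [ -n "${md5sums[0]:-}" ] && [ "${md5sums[0]}" != "SKIP" ]; then
		echo "${md5sums[0]}  $src_file" | md5sum -c - || return 1
	else
		echo "build_kcrap: PKGBUILD declares no checksum for $src_file; continuing unverified" >&2
	fi
	for f in "${source[@]}"; do
		f="$(basename "$f")"
		ln -sf "../$f" "src/$f"
	done
	cd "${srcdir}" || return 1
	for f in *.tar.bz2; do
		tar xjf "$f"
	done
	patch -p0 -i "$oldcwd/patches/kcrap-0.2.3-ntlm-extra.patch.patch"
	cd kcrap-0.2.3 || return 1
	patch -p1 -i "$oldcwd/patches/kcrapclient.patch"
	cd ..
	# build() comes from the PKGBUILD; the make install and cp below assume
	# it leaves the cwd inside the unpacked source tree — TODO confirm.
	build
	make install
	cp -v "test/kcrapclient" "/usr/local/bin/"
	cd "$oldcwd" && rm -rf "$tempdir"

	# kcrap's library lands in /usr/local/lib; make the loader find it.
	echo "/usr/local/lib" > /etc/ld.so.conf.d/usrlocal.conf
	ldconfig
}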
configure_kcrap()
{
	# Write /etc/kcrap_server.conf: the kcrap daemon listens on port 1999
	# (the port generate_krb5_config advertises under [realms]) and reads
	# the KDC database and stash file directly.
	# Expects global: $krb5_realm; needs root.
	# The database/stash paths are the Ubuntu krb5-kdc defaults and are
	# hard-coded rather than detected — TODO read them from the KDC's own
	# kdc.conf so non-default layouts work.
	cat <<EOF > /etc/kcrap_server.conf
[kcrap_server]
	port = 1999
	realm = $krb5_realm

[realms]
	$krb5_realm = {
		database_name = /var/lib/krb5kdc/principal
		key_stash_file = /etc/krb5kdc/stash
	}

EOF
}
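# Escape a string for the right-hand side of a sed "s///" that uses "/" as
# its delimiter: "/", "\" and "&" would otherwise be interpreted by sed
# ("&" inserts the matched text).
_sed_rhs_escape()
{
	printf '%s' "$1" | sed -e 's/[\/&\\]/\\&/g'
}

configure_freerad()
{
	# Point FreeRADIUS at this box: mschap authenticates through kcrapclient,
	# the ldap module binds as the ldap-reader role, and the default and
	# inner-tunnel sites are patched to authorize/authenticate via ldap.
	# Expects globals: $domain, $ldap_suffix, $ldap_reader_pw; reads
	# resources/freerad-site-patcher.sed next to the running script ($0).
	# Side effects: edits files under /etc/freeradius in place and grants
	# the freerad user read access to /etc/krb5.keytab; needs root.
	local server_rhs identity_rhs password_rhs basedn_rhs
	# These values are spliced into sed replacements, so any / \ or & in
	# them (most likely in the password) must be escaped or sed misparses
	# the expression.  A double quote in a value would still break the
	# FreeRADIUS syntax of the line it lands on.
	server_rhs="$(_sed_rhs_escape "ssoinabox.$domain")"
	identity_rhs="$(_sed_rhs_escape "cn=ldap-reader,ou=Roles,$ldap_suffix")"
	password_rhs="$(_sed_rhs_escape "$ldap_reader_pw")"
	basedn_rhs="$(_sed_rhs_escape "$ldap_suffix")"

	# mschap module needs to use our ntlm_auth program for auth requests
	sed -re 's/^#?(\s*)ntlm_auth = ".+"$/\1ntlm_auth = "\/usr\/local\/bin\/kcrapclient %{%{Stripped-User-Name}:-%{%{User-Name}:-None}} %{%{mschap:Challenge}:-00} %{%{mschap:NT-Response}:-00}"/' \
		-i /etc/freeradius/modules/mschap

	# configure ldap module with our settings
	sed -re	's/^(\s*)#?server = ".+"$/\1server = "'"$server_rhs"'"/' \
		-e	's/^(\s*)#?identity = ".+"$/\1identity = "'"$identity_rhs"'"/' \
		-e	's/^(\s*)#?password = .+$/\1password = "'"$password_rhs"'"/' \
		-e	's/^(\s*)#?basedn = ".+"$/\1basedn = "'"$basedn_rhs"'"/' \
		-i /etc/freeradius/modules/ldap

	# enable ldap for authorization and authentication
	for site in default inner-tunnel; do
		sed -rf "$(dirname "$0")/resources/freerad-site-patcher.sed" \
			-i "/etc/freeradius/sites-available/$site"
	done

	# give freerad access to the kerberos keytab
	setfacl -m u:freerad:r /etc/krb5.keytab
}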
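# Write an eapol_test network block for one outer EAP method.
#   $1 = path of the config file to (over)write
#   $2 = outer EAP method (TTLS or PEAP)
#   $3 = phase2 setting (auth=PAP, autheap=MSCHAPv2)
# $username / $password are the globals set up earlier in the script.
# The file holds the test account's clear-text password, so the caller
# creates it with mktemp (mode 0600) and removes it when finished.
_write_eapol_conf()
{
	cat <<EOF > "$1"
network={
        ssid="example"
        key_mgmt=WPA-EAP
        eap=$2
        anonymous_identity="$username"
        identity="$username"
        password="$password"
        phase2="$3"
}

EOF
}

# Run eapol_test against the local FreeRADIUS with the given config and print
# GOOD or BAD from its exit status.  Both stdout and stderr are discarded
# (the earlier "2>&1 >/dev/null" ordering only silenced stdout); re-run the
# command by hand to see the EAP exchange when this reports BAD.
#   $1 = config file produced by _write_eapol_conf
_run_eapol_test()
{
	# NOTE(review): "testing123" is the client secret FreeRADIUS ships for
	# the localhost entry in clients.conf.  This test relies on that default
	# still being in place; rotate it before real NASes talk to this server.
	if /usr/local/bin/eapol_test -s testing123 -c "$1" > /dev/null 2>&1; then
		echo "GOOD"
	else
		echo "BAD"
	fi
}

# Smoke-test RADIUS authentication through both EAP flavours the box is set
# up for.  errexit is switched off so a failing test prints BAD instead of
# aborting the install, and switched back on at the end.
test_freerad()
{
	build_eapol_test > /dev/null
	set +e
	# mktemp creates the file 0600, which matters because the config written
	# into it contains the test account's password.
	conf=`mktemp /tmp/frXXXXXX`

	# NOTE(review): anonymous_identity is set to the real username; the outer
	# identity travels unencrypted, so real clients should put an anonymous
	# value there.  Harmless for a loopback test.
	echo -n "Testing RADIUS auth via EAP/TTLS/PAP..."
	_write_eapol_conf "$conf" TTLS "auth=PAP"
	_run_eapol_test "$conf"

	echo -n "Testing RADIUS auth via PEAP/MSCHAPv2..."
	_write_eapol_conf "$conf" PEAP "autheap=MSCHAPv2"
	_run_eapol_test "$conf"

	rm -f "$conf"
	set -e
}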
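# Write the credentials file read by the PHP web front end.  It carries the
# LDAP manager password, the webkerb/admin Kerberos password and a freshly
# generated HMAC secret, so it must never be readable by anyone but root and
# www-data.  Uses the globals $ldap_suffix, $ldap_manager_pw, $webkerb_pw
# and the generate_password helper defined elsewhere in this file.
generate_web_yaml()
{
	test -d /usr/local/etc/ssoinabox || mkdir -p /usr/local/etc/ssoinabox

	# Remove any earlier copy so the redirection creates a new file (a
	# pre-existing file keeps its old mode under '>'), then write it in a
	# subshell with a restrictive umask.  Previously the secrets were written
	# under the default umask (typically 0644) and only tightened afterwards
	# by chmod, leaving a window in which any local user could read them.
	#
	# NOTE(review): the values are unquoted YAML scalars.  A password that
	# contains ': ' or ' #' would be mis-parsed by the consumer; the alphabet
	# used by generate_password is not visible here -- confirm it is safe.
	rm -f /usr/local/etc/ssoinabox/webcreds.yml
	(
		umask 077
		cat <<EOF > /usr/local/etc/ssoinabox/webcreds.yml
LDAP_BASEDN: $ldap_suffix

UID_MIN: 501
GID_MIN: 500

ldap_server: ldap://localhost:389/
ldap_manager:
  dn: cn=Manager,$ldap_suffix
  password: $ldap_manager_pw

ldap_user_basedn: ou=People,$ldap_suffix
ldap_group_basedn: ou=Groups,$ldap_suffix

kerberos_admin:
  principal: webkerb/admin
  password: $webkerb_pw

PHONE_EXT_MIN: 500

hmac_secret: `generate_password 40`

EOF
	)

	# Final ownership/mode: root owns it, the web server may read it.
	chown root:www-data /usr/local/etc/ssoinabox/webcreds.yml
	chmod 640 /usr/local/etc/ssoinabox/webcreds.yml
}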
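# WebKDC-side configuration for the WebLogin/WebKDC services on this host,
# plus a fresh keytab for the service/webkdc principal.  Uses the global
# $krb5_realm.
configure_webkdc()
{
	# Quoted heredoc: nothing in webkdc.conf is shell-expanded, so the Perl
	# sigils can be written literally (output is identical to the escaped
	# form).
	# NOTE(review): $URL is plain http.  WebAuth expects the WebKDC service
	# URL to be https; this is only tolerable while WebLogin and the WebKDC
	# share this one host.  $BYPASS_CONFIRM presumably skips WebLogin's
	# post-login confirmation page -- confirm against the weblogin docs.
	cat <<'EOF' > /etc/webkdc/webkdc.conf
our $KEYRING_PATH = '/var/lib/webkdc/keyring';
our $TEMPLATE_PATH = '/usr/local/share/weblogin/ssoinabox/templates';
our $TEMPLATE_COMPILE_PATH = '/var/cache/weblogin';
our $URL = 'http://ssoinabox/webkdc-service';
our $BYPASS_CONFIRM = 1;

EOF

	# Token ACL: presumably lets any webauth/<host> principal in our realm
	# request id tokens.  $krb5_realm is shell-expanded, so this heredoc
	# stays unquoted.
	cat <<EOF > /etc/webkdc/token.acl
krb5:webauth/*@$krb5_realm id

EOF

	# Start from a clean keytab; rm -f alone is enough and has no
	# exit-status quirk under set -e.
	rm -f /etc/webkdc/keytab
	# NOTE(review): on a re-run the principal already exists and ank will
	# complain; whether kadmin.local -q reflects that in its exit status is
	# not something this script checks -- confirm before relying on re-runs.
	kadmin.local -q "ank -randkey service/webkdc"
	# The keytab holds the service's long-term key.  Write it under a
	# restrictive umask so it is never world-readable regardless of the mode
	# kadmin.local would otherwise create it with; chown/chmod below set the
	# final 0640 root:www-data.
	( umask 077; kadmin.local -q "ktadd -norandkey -k /etc/webkdc/keytab service/webkdc" )

	chown root:www-data /etc/webkdc/keytab
	chmod 640 /etc/webkdc/keytab
}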
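# mod_webauth (relying-party side) configuration for this host's Apache, plus
# a fresh keytab for the webauth/ssoinabox.<domain> principal.  Uses the
# global $domain.
configure_webauth()
{
	# NOTE(review): WebAuthRequireSSL and WebAuthSSLRedirect are both off,
	# so WebAuth's session cookies may be sent over cleartext http, and
	# WebAuthDebug on adds verbose logging to the Apache error log.  Fine for
	# a lab box; turn SSL on and debug off before real users log in here.
	cat <<EOF > /etc/apache2/conf.d/webauth
WebAuthWebKdcPrincipal			service/webkdc
WebAuthLoginURL					"http://ssoinabox.$domain/login"
WebAuthWebKdcURL				"http://ssoinabox.$domain/webkdc-service"
WebAuthSSLRedirect				off
WebAuthRequireSSL				off
WebAuthDebug					on

EOF

	# Start from a clean keytab; rm -f alone is enough and has no
	# exit-status quirk under set -e.
	rm -f /etc/webauth/keytab
	# NOTE(review): on a re-run the principal already exists and ank will
	# complain; whether kadmin.local -q reflects that in its exit status is
	# not something this script checks -- confirm before relying on re-runs.
	kadmin.local -q "ank -randkey webauth/ssoinabox.$domain"
	# The keytab holds the service's long-term key.  Write it under a
	# restrictive umask so it is never world-readable regardless of the mode
	# kadmin.local would otherwise create it with; chown/chmod below set the
	# final 0640 root:www-data.
	( umask 077; kadmin.local -q "ktadd -norandkey -k /etc/webauth/keytab webauth/ssoinabox.$domain" )

	chown root:www-data /etc/webauth/keytab
	chmod 640 /etc/webauth/keytab

	# doesn't exist by default...?
	# chown www-data:www-data /var/lib/webauth/keyring
}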
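# Install the ssoinabox Apache vhost shipped in resources/, point its
# ServerName at this box's FQDN and swap it in for the stock default site.
# Uses the global $domain.
configure_apache2()
{
	# Quoted so a checkout path containing whitespace does not break the
	# copy (the unquoted `dirname $0` form word-split the result).
	site_src="$(dirname "$0")/resources/apache2-site.conf"
	site_dst=/etc/apache2/sites-available/ssoinabox
	cp "$site_src" "$site_dst"

	# $domain is interpolated into the sed program; a '/' or '&' in it would
	# corrupt the replacement, but neither is legal in a hostname.
	sed -re "s/^(\s*)ServerName .+$/\1ServerName ssoinabox.$domain/" -i "$site_dst"

	a2ensite ssoinabox
	a2dissite default
}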
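# Fetch, patch, build and install the PECL kadm5 PHP extension and enable it
# in php5.  Runs from the script's working directory (tarballs/ and patches/
# are relative to it).
#
# XXX(security): the tarball comes over plain http with no checksum or
# signature check, and is then compiled and installed as root and loaded into
# the web server process.  Pin a release version and compare a known-good
# hash before using this outside a lab.
build_kadm5()
{
	test -d tarballs || mkdir tarballs
	if ! test -f tarballs/kadm5.tar.gz; then
		# Download to a temporary name and rename only on success.  With
		# -O, a failed or interrupted download still leaves a file behind,
		# which the next run would otherwise mistake for a good tarball.
		wget -O tarballs/kadm5.tar.gz.part http://pecl.php.net/get/kadm5
		mv tarballs/kadm5.tar.gz.part tarballs/kadm5.tar.gz
	fi

	oldcwd="`pwd`"
	# mktemp -d creates the build directory 0700.
	tempdir=`mktemp -d /tmp/kadm5XXXXXX`
	cd "$tempdir"

	tar xzf "$oldcwd/tarballs/kadm5.tar.gz"
	# Assumes the tarball unpacks to exactly one kadm5-* directory.
	cd kadm5-*
	patch -p1 -i "$oldcwd/patches/kadm5.patch"
	phpize
	./configure
	make
	make install

	# Under set -e a failed build exits before this cleanup runs.
	cd "$oldcwd" && rm -rf "$tempdir"
	echo "extension=kadm5.so" > /etc/php5/conf.d/kadm5.ini
}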
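# Build wpa_supplicant's eapol_test (the RADIUS/EAP test client used by
# test_freerad) and install it to /usr/local/bin.  No-op when it is already
# there.  Runs from the script's working directory (tarballs/ is relative).
#
# XXX(security): the tarball comes over plain http with no checksum or
# signature check, and is then compiled and installed as root.  Upstream
# publishes signatures for wpa_supplicant releases; verify the download
# before using this outside a lab.
build_eapol_test()
{
	test -x /usr/local/bin/eapol_test && return 0

	test -d tarballs || mkdir tarballs
	if ! test -f tarballs/wpa_supplicant-1.1.tar.gz; then
		# Download to a temporary name and rename only on success.  With
		# -O, a failed or interrupted download still leaves a file behind,
		# which the next run would otherwise mistake for a good tarball.
		wget -O tarballs/wpa_supplicant-1.1.tar.gz.part "http://hostap.epitest.fi/releases/wpa_supplicant-1.1.tar.gz"
		mv tarballs/wpa_supplicant-1.1.tar.gz.part tarballs/wpa_supplicant-1.1.tar.gz
	fi

	oldcwd="`pwd`"
	# mktemp -d creates the build directory 0700.
	tempdir=`mktemp -d /tmp/wpasXXXXXX`
	cd "$tempdir"

	tar xzf "$oldcwd/tarballs/wpa_supplicant-1.1.tar.gz"
	cd wpa_supplicant-1.1/wpa_supplicant
	# Start from the shipped defconfig and switch on the eapol_test target.
	cp defconfig .config
	sed -re 's/^#?CONFIG_EAPOL_TEST=.+$/CONFIG_EAPOL_TEST=y/' -i .config
	make eapol_test
	cp -v eapol_test /usr/local/bin/

	# Under set -e a failed build exits before this cleanup runs.
	cd "$oldcwd" && rm -rf "$tempdir"
}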