author | Dan Fuhry <dan@enanocms.org> |
Sat, 23 Feb 2013 14:26:38 -0500 (2013-02-23) | |
changeset 9 | f4bf6556fb9f |
parent 8 | f68fdcc18df9 |
parent 6 | 3ac4e03f28b2 |
permissions | -rwxr-xr-x |
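#!/bin/bash
#
# SSO-in-a-Box setup: turns a stock Ubuntu 12.10 host into a Kerberos, LDAP,
# RADIUS and WebAuth server. Run as root from a checkout of this repository;
# it asks for the admin account and domain interactively and then rebuilds
# the LDAP and Kerberos databases from scratch (see the warning below).
#
# Helper functions used throughout (generate_password, patch_hosts_file,
# configure_* and friends) are expected to come from resources/functions,
# which is sourced relative to the script's own directory.

# Abort on the first failing command; there is no rollback, so stopping
# early is better than continuing with a half-configured server.
set -e
# Quote the whole expansion so a checkout path containing spaces works.
cd "$(dirname "$0")"
. resources/functions

cat <<EOF
Welcome to SSO-in-a-Box! This script configures a stock Ubuntu 12.10 install
into a working Kerberos, LDAP, RADIUS and WebAuth server. We'll ask you for
details on your domain and your first administrative account, then get started
creating things.

WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
>>> If you have ANY existing LDAP or Kerberos database that you <<<
>>> want to save, EXIT THIS SCRIPT NOW by pressing Control-C. <<<
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING

EOF
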
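#######################################
# Prompt the user for a value and store it in the variable named by $1.
# Arguments:
#   $1 - name of the variable to set (callers in this file pass literal
#        identifiers; the name is used with printf -v and ${!var})
#   $2 - prompt text, shown as "prompt: " or "prompt [default]: "
#   $3 - optional default, used when the user submits an empty line
# Outputs: the prompt (via read -p, terminal input only) and
#          "Invalid input." on stdout for an empty answer with no default
# Returns: 0 once a non-empty answer, or the default, has been stored
#######################################
get_input()
{
  local var="$1"
  local prompt="$2"
  local prefill="${3:-}"
  [ -n "$prefill" ] && prompt="${prompt} [${prefill}]"
  # printf -v stores the default verbatim. The eval this used to do
  # re-expanded the default, so a username derived from a typed full name
  # containing $(...), backticks or quotes was executed as shell code.
  printf -v "$var" '%s' "$prefill"
  while true; do
    # -r keeps backslashes in the answer instead of treating them as
    # escapes.
    read -r -p "$prompt: " "$var"
    if [ -z "${!var}" ]; then
      if [ -n "$prefill" ]; then
        printf -v "$var" '%s' "$prefill"
        break
      fi
    else
      break
    fi
    echo "Invalid input."
  done
}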
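# --- interactive questions -------------------------------------------------
get_input fullname "Your full name"
# Suggested admin username: first whitespace-separated word of the full
# name, lower-cased. Quoted and fed through printf so an unusual name cannot
# be word-split or treated as echo options.
username=$(printf '%s\n' "$fullname" | awk '{print $1;}' | tr '[:upper:]' '[:lower:]')
get_input username "Admin username" "$username"
# The admin password is generated (generate_password is defined outside this
# file) and printed at the end of the run; the interactive prompt below is
# kept for reference.
password="$(generate_password 16)"
#while true; do
# stty -echo
# get_input password "Admin password"
# echo
# get_input pconf "Confirm password"
# stty echo; echo
# [ "$password" = "$pconf" ] && break
# echo "Passwords do not match."
#done
get_input domain "Domain name"

# Everything else is derived from the lower-cased domain name.
domain=$(printf '%s\n' "$domain" | tr '[:upper:]' '[:lower:]')
# example.org -> dc=example,dc=org (parameter expansion instead of sed, so
# the domain is never expanded unquoted)
ldap_suffix="dc=${domain//./,dc=}"
krb5_realm=$(printf '%s\n' "$domain" | tr '[:lower:]' '[:upper:]')

echo "Your LDAP suffix is: $ldap_suffix"
echo "Your Kerberos V realm is: $krb5_realm"
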
# --- host and client configuration ----------------------------------------
echo "Setting up your /etc/hosts file"
patch_hosts_file

echo "Setting up your Kerberos V client config."
generate_krb5_config

# --- packages ---------------------------------------------------------------
echo "Updating apt, purging any existing SSO packages and installing stuff."
# silence apt etc.
export DEBIAN_FRONTEND=noninteractive
#apt-get update
# The *_packages variables are deliberately left unquoted: each is presumably
# a space-separated package list defined outside this file (verify in
# resources/functions) that has to expand to several arguments.
apt-get remove --purge -y ${krb5_packages} ${ldap_packages} ${sasl_packages} \
  ${radius_packages} ${http_packages}
apt-get install -y ${krb5_packages} ${ldap_packages} ${sasl_packages} screen \
  ${radius_packages} build-essential libkrb5-dev libssl-dev acl \
  ${http_packages} libnet-ldap-perl php5-ldap php5-dev libyaml-dev \
  libnl-dev

# --- stop any running services, in this order -------------------------------
# The process name seen by pidof does not always match the init script name
# (krb5kdc -> krb5-kdc, kadmind -> krb5-admin-server), and kcrap_server is
# killed directly rather than through invoke-rc.d.
for svc in apache2 freeradius kcrap_server saslauthd slapd krb5kdc kadmind; do
  pidof "$svc" > /dev/null || continue
  case "$svc" in
    kcrap_server) killall kcrap_server ;;
    krb5kdc) invoke-rc.d krb5-kdc stop ;;
    kadmind) invoke-rc.d krb5-admin-server stop ;;
    *) invoke-rc.d "$svc" stop ;;
  esac
done

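# LDAP setup
# remove any existing LDAP db (slapd was already asked to stop above, so a
# surviving process is killed outright)
if pidof slapd > /dev/null; then
  killall -9 slapd
fi
if [ -f /var/lib/ldap/__db.001 ]; then
  rm -fv /var/lib/ldap/__db.* \
    /var/lib/ldap/alock \
    /var/lib/ldap/dn2id.bdb \
    /var/lib/ldap/id2entry.bdb \
    /var/lib/ldap/log.* \
    /var/lib/ldap/objectClass.bdb
fi
ldap_manager_pw="$(generate_password 40)"
# Create the secret file with restrictive permissions from the start (umask
# 077 inside a subshell) instead of writing it under the default umask and
# tightening it afterwards; the chmod still covers a file left over from an
# earlier run with looser permissions.
( umask 077; printf '%s' "$ldap_manager_pw" > /etc/ldap.secret )
chmod 600 /etc/ldap.secret
# slappasswd -T reads the cleartext from the file, so nothing is piped in.
# The hash and the reader password are not used in this block; presumably
# generate_slapd_config / generate_base_ldif pick them up — verify in
# resources/functions.
ldap_manager_pw_hash="$(slappasswd -T /etc/ldap.secret)"
ldap_reader_pw="$(generate_password 10)"

if [ -d /etc/ldap/slapd.d ]; then
  rm -rfv /etc/ldap/slapd.d
fi

cp "$(dirname "$0")/resources/openssh-lpk_openldap.schema" /etc/ldap/schema/

generate_slapd_config
# Capture the LDIF first: with "generate_base_ldif | slapadd" a failure of
# the generator was hidden behind slapadd's exit status (no pipefail here).
base_ldif="$(generate_base_ldif)"
printf '%s\n' "$base_ldif" | slapadd
chown -R openldap:openldap /var/lib/ldap

# slapd needs its keytab for GSSAPI; add it to the init defaults once.
if ! grep -q "KRB5_KTNAME=/etc/ldap" /etc/default/slapd; then
  echo 'export KRB5_KTNAME="FILE:/etc/ldap/keytab"' >> /etc/default/slapd
fi

cat <<EOF > /etc/ldap/sasl2/slapd.conf
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

EOF

# this allows slapd access to saslauthd's auth socket
gpasswd -a openldap sasl
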
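# KDC setup
stash_pw="$(generate_password 40)"

# seeds /dev/random rather nicely...
# -type f goes before -print0 so only regular files are hashed; in the
# previous order -print0 ran first and directories were fed to sha1sum too.
screen -dmS hasher sh -c "find /usr/lib/ /usr/share/ -type f -print0 | xargs -0 -n1 sha1sum"

if [ -f /var/lib/krb5kdc/principal ]; then
  rm -fv /var/lib/krb5kdc/principal \
    /var/lib/krb5kdc/principal.kadm5 \
    /var/lib/krb5kdc/principal.kadm5.lock \
    /var/lib/krb5kdc/principal.ok
fi
# kdb5_util asks for the master password twice on stdin. printf instead of
# echo -e so a backslash in the generated password is not reinterpreted.
printf '%s\n%s\n' "$stash_pw" "$stash_pw" | kdb5_util create -s

printf '*/admin\t*\n' > /etc/krb5kdc/kadm5.acl

invoke-rc.d krb5-kdc start
invoke-rc.d krb5-admin-server start

# Principal passwords are answered on stdin (addprinc prompts twice, the
# same way kdb5_util does above) rather than passed with "ank -pw", which
# exposed them in the process list and broke on a quote in the password.
printf '%s\n%s\n' "$password" "$password" | kadmin.local -q "ank $username"

webkerb_pw="$(generate_password 40)"
printf '%s\n%s\n' "$webkerb_pw" "$webkerb_pw" | kadmin.local -q "ank webkerb/admin"

# Host and service principals; the keytabs are recreated from scratch
# (rm -f is a no-op when the file is absent).
kadmin.local -q "ank -randkey host/ssoinabox.$domain"
rm -f /etc/krb5.keytab
kadmin.local -q "ktadd -norandkey -kt /etc/krb5.keytab host/ssoinabox.$domain"
kadmin.local -q "ank -randkey ldap/ssoinabox.$domain"
rm -f /etc/ldap/keytab
kadmin.local -q "ktadd -norandkey -kt /etc/ldap/keytab ldap/ssoinabox.$domain"
chown root:openldap /etc/ldap/keytab
chmod 640 /etc/ldap/keytab

# Let the slapd AppArmor profile read its keytab.
echo "/etc/ldap/keytab rk," > "/etc/apparmor.d/local/usr.sbin.slapd"
invoke-rc.d apparmor restart

invoke-rc.d slapd start
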
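# SASL setup
configure_saslauthd
invoke-rc.d saslauthd start

# KCRAP setup
build_kcrap > /dev/null
configure_kcrap
/usr/sbin/kcrap_server

# RADIUS setup
configure_freerad
invoke-rc.d freeradius start

# RADIUS tests
test_freerad

# generate web stuff
generate_web_yaml

# apache config
for module in rewrite authz_dbm webauth webkdc; do
  a2enmod "$module"
done

build_kadm5 > /dev/null

configure_webkdc
configure_webauth
configure_apache2

# PHP yaml extension via pecl; reinstall cleanly if one is already present.
if pecl list | grep -q yaml; then
  pecl uninstall yaml
fi
yes "" | pecl install yaml > /dev/null
mkdir -p /etc/php5/conf.d
echo "extension=yaml.so" > /etc/php5/conf.d/yaml.ini
cp "$(dirname "$0")/resources/ldap-groups.db" /etc/apache2/ldap-groups

# install packages
# Each build runs in a subshell, so a build script that changes directory
# cannot leave the rest of this script in the wrong cwd; a failing build
# still aborts the run under set -e, as before.
for d in packages/*; do
  ( cd "$d" && ./build )
done
# NUL-delimited so a .deb path with unusual characters survives xargs.
find packages -name '*.deb' -type f -print0 | xargs -0 dpkg -i

/usr/local/share/ssoinabox/bin/ldap-groups-to-dbm

invoke-rc.d apache2 start

# These are shown once, on purpose: apart from /etc/ldap.secret and the KDC
# stash file (kdb5_util create -s) nothing written above keeps them.
printf '%s\n' "Passwords to remember (WRITE THESE DOWN):"
printf '%s\n' "Kerberos master key: $stash_pw"
printf '%s\n' "LDAP manager password: $ldap_manager_pw"
printf '%s\n' "LDAP reader DN: cn=ldap-reader,ou=Roles,$ldap_suffix"
printf '%s\n' "LDAP reader password: $ldap_reader_pw"
printf '%s\n' "Admin username: $username"
printf '%s\n' "Admin password: $password"
printf '%s\n' "Change your admin password by typing:"
printf ' kadmin.local -q "cpw %s"\n' "$username"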