make-sso
changeset 0 3906ca745819
child 4 2212b2ded8bf
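--- /dev/null
+++ b/make-sso
@@ -0,0 +1,240 @@
+#!/bin/bash
+
+set -e
+. resources/functions
+
+cat <<EOF
+Welcome to SSO-in-a-Box! This script configures a stock Ubuntu 12.10 install
+into a working Kerberos, LDAP, RADIUS and WebAuth server. We'll ask you for
+details on your domain and your first administrative account, then get started
+creating things.
+
+WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+>>>   If you have ANY existing LDAP or Kerberos database that you   <<<
+>>>    want to save, EXIT THIS SCRIPT NOW by pressing Control-C.    <<<
+WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+
+EOF
+
+get_input()
+{
+	local var="$1"
+	local prompt="$2"
+	local prefill="${3:-}"
+	[ -n "$prefill" ] && prompt="${prompt} [${prefill}]"
+	eval "$var="\""$prefill"\"
+	while true; do
+		read -p "$prompt: " "$var"
+		if [ -z "${!var}" ]; then
+			if [ -n "$prefill" ]; then
+				eval "$var="\""$prefill"\"
+				break
+			fi
+		else
+			break
+		fi
+		echo "Invalid input."
+	done
+}
+
+get_input fullname "Your full name"
+username=`echo "$fullname" | awk '{print $1;}' | tr '[A-Z]' '[a-z]'`
+get_input username "Admin username" "$username"
+password="`generate_password 16`"
+#while true; do
+#	stty -echo
+#	get_input password "Admin password"
+#	echo
+#	get_input pconf "Confirm password"
+#	stty echo; echo
+#	[ "$password" = "$pconf" ] && break
+#	echo "Passwords do not match."
+#done
+get_input domain "Domain name"
+
+domain="`echo $domain | tr '[:upper:]' '[:lower:]'`"
+ldap_suffix="dc=`echo $domain | sed -re 's/\./,dc=/g'`"
+krb5_realm="`echo $domain | tr '[:lower:]' '[:upper:]'`"
+
+echo "Your LDAP suffix is: $ldap_suffix"
+echo "Your Kerberos V realm is: $krb5_realm"
+
+echo "Setting up your /etc/hosts file"
+patch_hosts_file
+
+echo "Setting up your Kerberos V client config."
+generate_krb5_config
+
+echo "Updating apt, purging any existing SSO packages and installing stuff."
+# silence apt etc.
+export DEBIAN_FRONTEND=noninteractive
+#apt-get update
+apt-get remove --purge -y ${krb5_packages} ${ldap_packages} ${sasl_packages} \
+		${radius_packages} ${http_packages}
+apt-get install -y ${krb5_packages} ${ldap_packages} ${sasl_packages} screen \
+		${radius_packages} build-essential libkrb5-dev libssl-dev acl \
+		${http_packages} libnet-ldap-perl php5-ldap php5-dev libyaml-dev \
+		libnl-dev
+
+# stop any running services
+if pidof apache2 > /dev/null; then
+	invoke-rc.d apache2 stop
+fi
+
+if pidof freeradius > /dev/null; then
+	invoke-rc.d freeradius stop
+fi
+
+if pidof kcrap_server > /dev/null; then
+	killall kcrap_server
+fi
+
+if pidof saslauthd > /dev/null; then
+	invoke-rc.d saslauthd stop
+fi
+
+if pidof slapd > /dev/null; then
+	invoke-rc.d slapd stop
+fi
+
+if pidof krb5kdc > /dev/null; then
+	invoke-rc.d krb5-kdc stop
+fi
+
+if pidof kadmind > /dev/null; then
+	invoke-rc.d krb5-admin-server stop
+fi
+
+# LDAP setup
+# remove any existing LDAP db
+pidof slapd && killall -9 slapd
+if [ -f /var/lib/ldap/__db.001 ]; then
+	rm -fv /var/lib/ldap/__db.* \
+		/var/lib/ldap/alock \
+		/var/lib/ldap/dn2id.bdb \
+		/var/lib/ldap/id2entry.bdb \
+		/var/lib/ldap/log.* \
+		/var/lib/ldap/objectClass.bdb
+fi
+ldap_manager_pw="`generate_password 40`"
+echo -n "$ldap_manager_pw" > /etc/ldap.secret
+chmod 600 /etc/ldap.secret
+ldap_manager_pw_hash="`echo "$ldap_manager_pw" | slappasswd -T /etc/ldap.secret`"
+ldap_reader_pw="`generate_password 10`"
+
+if [ -d /etc/ldap/slapd.d ]; then
+	rm -rfv /etc/ldap/slapd.d
+fi
+generate_slapd_config
+generate_base_ldif | slapadd
+chown -R openldap:openldap /var/lib/ldap
+
+if ! grep -q "KRB5_KTNAME=/etc/ldap" /etc/default/slapd; then
+	echo 'export KRB5_KTNAME="FILE:/etc/ldap/keytab"' >> /etc/default/slapd
+fi
+
+cat <<EOF > /etc/ldap/sasl2/slapd.conf
+pwcheck_method: saslauthd
+saslauthd_path: /var/run/saslauthd/mux
+
+EOF
+
+# this allows slapd access to saslauthd's auth socket
+gpasswd -a openldap sasl
+
+# KDC setup
+stash_pw="`generate_password 40`"
+
+# seeds /dev/random rather nicely...
+screen -dmS hasher sh -c "find /usr/lib/ /usr/share/ -print0 -type f | xargs -0 -n1 sha1sum"
+if [ -f /var/lib/krb5kdc/principal ]; then
+	rm -fv /var/lib/krb5kdc/principal \
+			/var/lib/krb5kdc/principal.kadm5 \
+			/var/lib/krb5kdc/principal.kadm5.lock \
+			/var/lib/krb5kdc/principal.ok
+fi
+echo -en "${stash_pw}\n${stash_pw}\n" | kdb5_util create -s
+
+echo -e "*/admin\t*" > /etc/krb5kdc/kadm5.acl
+
+invoke-rc.d krb5-kdc start
+invoke-rc.d krb5-admin-server start
+
+kadmin.local -q "ank -pw "\""${password}"\"" $username"
+
+webkerb_pw="`generate_password 40`"
+kadmin.local -q "ank -pw "\""${webkerb_pw}"\"" webkerb/admin"
+
+kadmin.local -q "ank -randkey host/ssoinabox.$domain"
+[ -f /etc/krb5.keytab ] && rm -f /etc/krb5.keytab
+kadmin.local -q "ktadd -norandkey -kt /etc/krb5.keytab host/ssoinabox.$domain"
+kadmin.local -q "ank -randkey ldap/ssoinabox.$domain"
+[ -f /etc/ldap/keytab ] && rm -f /etc/ldap/keytab
+kadmin.local -q "ktadd -norandkey -kt /etc/ldap/keytab ldap/ssoinabox.$domain"
+chown root:openldap /etc/ldap/keytab
+chmod 640 /etc/ldap/keytab
+
+echo "/etc/ldap/keytab rk," > "/etc/apparmor.d/local/usr.sbin.slapd"
+invoke-rc.d apparmor restart
+
+invoke-rc.d slapd start
+
+# SASL setup
+configure_saslauthd
+invoke-rc.d saslauthd start
+
+# KCRAP setup
+build_kcrap > /dev/null
+configure_kcrap
+/usr/sbin/kcrap_server
+
+# RADIUS setup
+configure_freerad
+invoke-rc.d freeradius start
+
+# RADIUS tests
+test_freerad
+
+# generate web stuff
+generate_web_yaml
+
+# apache config
+for module in rewrite authz_dbm webauth webkdc; do
+	a2enmod $module
+done
+
+build_kadm5 > /dev/null
+
+configure_webkdc
+configure_webauth
+configure_apache2
+
+if pecl list | grep -q yaml; then
+	pecl uninstall yaml
+fi
+yes "" | pecl install yaml > /dev/null
+test -d /etc/php5/conf.d || mkdir /etc/php5/conf.d
+echo "extension=yaml.so" > /etc/php5/conf.d/yaml.ini
+cp `dirname $0`/resources/ldap-groups.db /etc/apache2/ldap-groups
+
+# install packages
+for d in packages/*; do
+	cd $d
+	./build
+	cd ../..
+done
+find packages -name \*.deb -type f | xargs dpkg -i
+
+/usr/local/share/ssoinabox/bin/ldap-groups-to-dbm
+
+invoke-rc.d apache2 start
+
+echo "Passwords to remember (WRITE THESE DOWN):"
+echo "Kerberos master key:   $stash_pw"
+echo "LDAP manager password: $ldap_manager_pw"
+echo "LDAP reader DN:        cn=ldap-reader,ou=Roles,$ldap_suffix"
+echo "LDAP reader password:  $ldap_reader_pw"
+echo "Admin username:        $username"
+echo "Admin password:        $password"
+echo "Change your admin password by typing:"
+echo "  kadmin.local -q "\""cpw $username"\"""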
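Review bot: /etc/ldap.secret is written on line 120 and only restricted by `chmod 600` on line 121, so the LDAP manager password sits in a file created under the caller's umask (presumably 022 for root, i.e. world-readable) until the chmod runs; create it with restrictive permissions from the start, e.g. `(umask 077; printf '%s' "$ldap_manager_pw" > /etc/ldap.secret)`, and note that the `echo "$ldap_manager_pw" |` feeding `slappasswd -T /etc/ldap.secret` on line 122 is redundant because -T reads the file. Lines 163 and 166 place the admin and webkerb passwords on the kadmin.local command line, where any local process can read them from the argv of a running process; passing the commands via kadmin.local's stdin instead keeps them out of the process table. get_input assigns through `eval "$var=..."` on lines 25 and 30, and lines 55–57 use an unquoted `echo $domain` before the value is spliced into sed, kadmin.local and slapd configuration strings, so a quote, space or shell metacharacter in the interactive input can break or alter those commands; prefer `printf -v "$var" '%s' "$prefill"` over eval and reject a domain that fails `[[ "$domain" =~ ^[a-z0-9.-]+$ ]]` before using it. Lastly, `find ... -print0 -type f` on line 149 prints every entry before the -type test is applied, so the intended file-only filter has no effect there.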