resources/functions
changeset 0 3906ca745819
child 3 a044870a9d3d
-1:000000000000 0:3906ca745819
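--- /dev/null
+++ b/resources/functions
@@ -0,0 +1,456 @@
+# :mode=shellscript:
+
+krb5_packages="krb5-admin-server krb5-kdc"
+ldap_packages="slapd ldap-utils"
+sasl_packages="sasl2-bin libsasl2-modules-gssapi-mit"
+radius_packages="freeradius freeradius-ldap freeradius-common"
+http_packages="apache2.2-bin libapache2-mod-php5 libapache2-webauth libapache2-webkdc webauth-weblogin php-pear"
+
+patch_hosts_file()
+{
+	sed -re '/^127\.0\.1\.1\s+/d' -i /etc/hosts
+	#sed -re '/^10\.0\.2\.2\s+/d' -i /etc/hosts
+	echo -e "127.0.1.1\tssoinabox.${domain}\tssoinabox" >> /etc/hosts
+	#echo -e "10.0.2.2\tsso-clients.${domain}\tssoinabox" >> /etc/hosts
+	
+	echo -n "ssoinabox.$domain" > /etc/hostname
+	hostname `cat /etc/hostname`
+}
+
+generate_krb5_config()
+{
+	cat <<EOF > /etc/krb5.conf
+[libdefaults]
+	default_realm = $krb5_realm
+	dns_lookup_realm = false
+	dns_lookup_kdc = false
+	ticket_lifetime = 24h
+	forwardable = yes
+
+[realms]
+	$krb5_realm = {
+		kdc = ssoinabox.$domain:88
+		admin_server = ssoinabox.$domain:749
+		kcrap = ssoinabox.$domain:1999
+	}
+
+[domain_realm]
+	$domain = $krb5_realm
+	.$domain = $krb5_realm
+
+[login]
+	krb4_convert = true
+	krb4_get_tickets = false
+
+	
+EOF
+}
+
+generate_slapd_config()
+{
+	cat <<EOF > /etc/ldap/slapd.conf
+# vim: set ft=conf
+include         /etc/ldap/schema/core.schema
+include         /etc/ldap/schema/cosine.schema
+include         /etc/ldap/schema/inetorgperson.schema
+include         /etc/ldap/schema/nis.schema
+
+pidfile		/var/run/slapd/slapd.pid	
+argsfile	/var/run/slapd/slapd.args
+
+# for replication
+moduleload back_bdb.la
+moduleload syncprov
+
+disallow bind_anon
+
+database	bdb
+suffix		"$ldap_suffix"
+
+authz-policy	from
+authz-regexp	"^uid=([^,/]+)(,cn=${domain//\./\\.})?,cn=gssapi,cn=auth"    "cn=\$1,ou=People,$ldap_suffix"
+
+rootdn		"cn=Manager,$ldap_suffix"
+rootpw		${ldap_manager_pw_hash}
+
+directory	/var/lib/ldap
+
+index		objectClass	eq
+
+sasl-realm	${krb5_realm}
+sasl-host	ssoinabox.${domain}
+sasl-secprops	noplain,noactive,noanonymous
+
+#TLSCACertificateFile	/etc/ssl/certs/fixme.crt
+#TLSCertificateFile		/etc/ssl/certs/fixme.crt
+#TLSCertificateKeyFile	/etc/ssl/private/fixme.key
+
+overlay		syncprov
+syncprov-checkpoint	100	10
+syncprov-sessionlog	100
+
+##
+# ACLs
+
+access to dn="cn=ldap-reader,ou=Roles,$ldap_suffix"
+	by anonymous auth
+
+access to attrs=userPassword
+	by self =xw
+	by anonymous auth
+	by * none
+
+access to *
+	by self write
+	by dn="cn=ldap-reader,ou=Roles,$ldap_suffix" read
+	by dn="cn=freeradius,ou=Roles,$ldap_suffix" read
+	by dn="cn=replicator,ou=Roles,$ldap_suffix" read
+
+# Lock down attributes a user shouldn't change
+access to attrs="loginShell,homeDirectory,uidNumber,gidNumber,uid,cn"
+	by self read
+	by dn="cn=replicator,ou=Roles,$ldap_suffix" read
+	by dn="cn=ldap-reader,ou=Roles,$ldap_suffix" read
+
+access to *
+	by anonymous auth
+	by users read
+
+EOF
+}
+
+generate_base_ldif()
+{
+	domainbit=`echo $domain | cut -d. -f1`
+	gn="`echo $fullname | awk '{print \$1;}'`"
+	sn="`echo $fullname | awk '{print \$2;}'`"
+	cat <<EOF
+dn: $ldap_suffix
+objectClass: dcObject
+objectClass: organization
+o: $domain
+dc: $domainbit
+
+dn: cn=Manager,$ldap_suffix
+cn: Manager
+objectClass: top
+objectClass: organizationalRole
+description: LDAP admin entry with root level access to the server
+
+dn: ou=People,$ldap_suffix
+ou: People
+objectClass: top
+objectClass: organizationalUnit
+description: User accounts representing people
+
+dn: uid=$username,ou=People,$ldap_suffix
+uid: $username
+objectClass: top
+objectClass: person
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: posixAccount
+cn: $fullname
+givenName: $gn
+sn: $sn
+loginShell: /bin/bash
+homeDirectory: /home/users/$username
+uidNumber: 501
+gidNumber: 500
+userPassword: {SASL}$username@$krb5_realm
+
+dn: ou=Groups,$ldap_suffix
+ou: Groups
+objectClass: top
+objectClass: organizationalUnit
+description: POSIX user account groups
+
+dn: cn=users,ou=Groups,$ldap_suffix
+cn: users
+objectClass: top
+objectClass: posixGroup
+description: Default POSIX group for users
+gidNumber: 500
+
+dn: cn=rtp,ou=Groups,$ldap_suffix
+cn: rtp
+objectClass: top
+objectClass: posixGroup
+description: POSIX group for people with root access to servers
+gidNumber: 501
+memberUid: $username
+
+dn: ou=Roles,$ldap_suffix
+ou: Roles
+objectClass: top
+objectClass: organizationalUnit
+description: User accounts representing bots or other administrative functions
+
+dn: cn=ldap-reader,ou=Roles,$ldap_suffix
+cn: ldap-reader
+objectClass: top
+objectClass: organizationalRole
+objectClass: simpleSecurityObject
+description: Low-security account used for read-only LDAP access by NSS clients
+userPassword: $ldap_reader_pw
+
+
+EOF
+}
+
+configure_saslauthd()
+{
+	sed -re	's/^START=no$/START=yes/' \
+		-e	's/^MECHANISMS=".+"$/MECHANISMS="kerberos5"/' \
+		-i	/etc/default/saslauthd
+}
+
+generate_password()
+{
+	local length="${1:-64}"
+	dd if=/dev/urandom bs=2048 count=1 2>/dev/null | tr -dc 'A-Za-z0-9' | cut -c 1-$length
+}
+
+build_kcrap()
+{
+	oldcwd="`pwd`"
+	tempdir=`mktemp -d /tmp/kcrapXXXXXX`
+	cd "$tempdir"
+	wget https://aur.archlinux.org/packages/kc/kcrap/kcrap.tar.gz
+	tar xzvf kcrap.tar.gz
+	cd kcrap
+	mkdir pkg src
+	export srcdir="$PWD/src"
+	export pkgdir="$PWD/pkg"
+	. PKGBUILD
+	wget "${source[0]}"
+	for f in ${source[@]}; do
+		f=`basename $f`
+		ln -sf ../$f src/$f
+	done
+	cd "${srcdir}"
+	for f in *.tar.bz2; do
+		tar xjf $f
+	done
+	patch -p0 -i "$oldcwd/patches/kcrap-0.2.3-ntlm-extra.patch.patch"
+	cd kcrap-0.2.3
+	patch -p1 -i "$oldcwd/patches/kcrapclient.patch"
+	cd ..
+	build
+	make install
+	cp -v "test/kcrapclient" "/usr/local/bin/"
+	cd "$oldcwd" && rm -rf "$tempdir"
+	
+	echo "/usr/local/lib" > /etc/ld.so.conf.d/usrlocal.conf
+	ldconfig
+}
+
+configure_kcrap()
+{
+	cat <<EOF > /etc/kcrap_server.conf
+[kcrap_server]
+	port = 1999
+	realm = $krb5_realm
+
+[realms]
+	$krb5_realm = {
+		database_name = /var/lib/krb5kdc/principal
+		key_stash_file = /etc/krb5kdc/stash
+	}
+
+EOF
+}
+
+configure_freerad()
+{
+	# mschap module needs to use our ntlm_auth program for auth requests
+	sed -re 's/^#?(\s*)ntlm_auth = ".+"$/\1ntlm_auth = "\/usr\/local\/bin\/kcrapclient %{%{Stripped-User-Name}:-%{%{User-Name}:-None}} %{%{mschap:Challenge}:-00} %{%{mschap:NT-Response}:-00}"/' \
+		-i /etc/freeradius/modules/mschap
+	
+	# configure ldap module with our settings
+	sed -re	's/^(\s*)#?server = ".+"$/\1server = "ssoinabox.'$domain'"/' \
+		-e	's/^(\s*)#?identity = ".+"$/\1identity = "cn=ldap-reader,ou=Roles,'$ldap_suffix'"/' \
+		-e	's/^(\s*)#?password = .+$/\1password = "'$ldap_reader_pw'"/' \
+		-e	's/^(\s*)#?basedn = ".+"$/\1basedn = "'$ldap_suffix'"/' \
+		-i /etc/freeradius/modules/ldap
+		
+	# enable ldap for authorization and authentication
+	for site in default inner-tunnel; do
+		sed -rf `dirname $0`/resources/freerad-site-patcher.sed \
+			-i /etc/freeradius/sites-available/$site
+	done
+	
+	# give freerad access to the kerberos keytab
+	setfacl -m u:freerad:r /etc/krb5.keytab
+}
+
+test_freerad()
+{
+	build_eapol_test > /dev/null
+	set +e
+	echo -n "Testing RADIUS auth via EAP/TTLS/PAP..."
+	conf=`mktemp /tmp/frXXXXXX`
+	cat <<EOF > $conf
+network={
+        ssid="example"
+        key_mgmt=WPA-EAP
+        eap=TTLS
+        anonymous_identity="$username"
+        identity="$username"
+        password="$password"
+        phase2="auth=PAP"
+}
+
+EOF
+	if /usr/local/bin/eapol_test -s testing123 -c "$conf" 2>&1 > /dev/null; then
+		echo "GOOD"
+	else
+		echo "BAD"
+	fi
+	echo -n "Testing RADIUS auth via PEAP/MSCHAPv2..."
+	cat <<EOF > $conf
+network={
+        ssid="example"
+        key_mgmt=WPA-EAP
+        eap=PEAP
+        anonymous_identity="$username"
+        identity="$username"
+        password="$password"
+        phase2="autheap=MSCHAPv2"
+}
+
+EOF
+	if /usr/local/bin/eapol_test -s testing123 -c "$conf" 2>&1 > /dev/null; then
+		echo "GOOD"
+	else
+		echo "BAD"
+	fi
+	rm -f $conf
+	set -e
+}
+
+generate_web_yaml()
+{
+	test -d /usr/local/etc/ssoinabox || mkdir -p /usr/local/etc/ssoinabox
+	cat <<EOF > /usr/local/etc/ssoinabox/webcreds.yml
+LDAP_BASEDN: $ldap_suffix
+
+UID_MIN: 501
+GID_MIN: 500
+
+ldap_server: ldap://localhost:389/
+ldap_manager:
+  dn: cn=Manager,$ldap_suffix
+  password: $ldap_manager_pw
+
+ldap_user_basedn: ou=People,$ldap_suffix
+ldap_group_basedn: ou=Groups,$ldap_suffix
+
+kerberos_admin:
+  principal: webkerb/admin
+  password: $webkerb_pw
+
+PHONE_EXT_MIN: 500
+
+EOF
+	
+	chown root:www-data /usr/local/etc/ssoinabox/webcreds.yml
+	chmod 640 /usr/local/etc/ssoinabox/webcreds.yml
+}
+
+configure_webkdc()
+{
+	cat <<EOF > /etc/webkdc/webkdc.conf
+our \$KEYRING_PATH = '/var/lib/webkdc/keyring';
+our \$TEMPLATE_PATH = '/usr/local/share/weblogin/ssoinabox/templates';
+our \$TEMPLATE_COMPILE_PATH = '/var/cache/weblogin';
+our \$URL = 'http://ssoinabox/webkdc-service';
+our \$BYPASS_CONFIRM = 1;
+
+EOF
+
+	cat <<EOF > /etc/webkdc/token.acl
+krb5:webauth/*@$krb5_realm id
+
+EOF
+	
+	test -f /etc/webkdc/keytab && rm -f /etc/webkdc/keytab
+	kadmin.local -q "ank -randkey service/webkdc"
+	kadmin.local -q "ktadd -norandkey -k /etc/webkdc/keytab service/webkdc"
+	
+	chown root:www-data /etc/webkdc/keytab
+	chmod 640 /etc/webkdc/keytab
+}
+
+configure_webauth()
+{
+	cat <<EOF > /etc/apache2/conf.d/webauth
+WebAuthWebKdcPrincipal			service/webkdc
+WebAuthLoginURL					"http://ssoinabox.$domain/login"
+WebAuthWebKdcURL				"http://ssoinabox.$domain/webkdc-service"
+WebAuthSSLRedirect				off
+WebAuthRequireSSL				off
+WebAuthDebug					on
+
+EOF
+	
+	test -f /etc/webauth/keytab && rm -f /etc/webauth/keytab
+	kadmin.local -q "ank -randkey webauth/ssoinabox.$domain"
+	kadmin.local -q "ktadd -norandkey -k /etc/webauth/keytab webauth/ssoinabox.$domain"
+	
+	chown root:www-data /etc/webauth/keytab
+	chmod 640 /etc/webauth/keytab
+	
+	# doesn't exist by default...?
+	# chown www-data:www-data /var/lib/webauth/keyring
+}
+
+configure_apache2()
+{
+	cp `dirname $0`/resources/apache2-site.conf /etc/apache2/sites-available/ssoinabox
+	sed -re "s/^(\s*)ServerName .+$/\1ServerName ssoinabox.$domain/" -i /etc/apache2/sites-available/ssoinabox
+	
+	a2ensite ssoinabox
+	a2dissite default
+}
+
+build_kadm5()
+{
+	test -d tarballs || mkdir tarballs
+	test -f tarballs/kadm5.tar.gz || wget -O tarballs/kadm5.tar.gz http://pecl.php.net/get/kadm5
+	oldcwd="`pwd`"
+	tempdir=`mktemp -d /tmp/kadm5XXXXXX`
+	cd $tempdir
+	
+	tar xzf "$oldcwd/tarballs/kadm5.tar.gz"
+	cd kadm5-*
+	patch -p1 -i "$oldcwd/patches/kadm5.patch"
+	phpize
+	./configure
+	make
+	make install
+	
+	cd "$oldcwd" && rm -rf "$tempdir"
+	echo "extension=kadm5.so" > /etc/php5/conf.d/kadm5.ini
+}
+
+build_eapol_test()
+{
+	test -x /usr/local/bin/eapol_test && return 0
+	
+	test -d tarballs || mkdir tarballs
+	test -f tarballs/wpa_supplicant-1.1.tar.gz || wget -O tarballs/wpa_supplicant-1.1.tar.gz "http://hostap.epitest.fi/releases/wpa_supplicant-1.1.tar.gz"
+	
+	oldcwd="`pwd`"
+	tempdir=`mktemp -d /tmp/wpasXXXXXX`
+	cd $tempdir
+	
+	tar xzf "$oldcwd/tarballs/wpa_supplicant-1.1.tar.gz"
+	cd wpa_supplicant-1.1/wpa_supplicant
+	cp defconfig .config
+	sed -re 's/^#?CONFIG_EAPOL_TEST=.+$/CONFIG_EAPOL_TEST=y/' -i .config
+	make eapol_test
+	cp -v eapol_test /usr/local/bin/
+	
+	cd "$oldcwd" && rm -rf "$tempdir"
+}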
       
   455 	cd "$oldcwd" && rm -rf "$tempdir"
       
   456 }