# :mode=shellscript:
krb5_packages="krb5-admin-server krb5-kdc"
ldap_packages="slapd ldap-utils"
sasl_packages="sasl2-bin libsasl2-modules-gssapi-mit"
radius_packages="freeradius freeradius-ldap freeradius-common"
http_packages="apache2.2-bin libapache2-mod-php5 libapache2-webauth libapache2-webkdc webauth-weblogin php-pear"
patch_hosts_file()
{
sed -re '/^127\.0\.1\.1\s+/d' -i /etc/hosts
#sed -re '/^10\.0\.2\.2\s+/d' -i /etc/hosts
echo -e "127.0.1.1\tssoinabox.${domain}\tssoinabox" >> /etc/hosts
#echo -e "10.0.2.2\tsso-clients.${domain}\tssoinabox" >> /etc/hosts
echo -n "ssoinabox.$domain" > /etc/hostname
hostname `cat /etc/hostname`
}
generate_krb5_config()
{
cat <<EOF > /etc/krb5.conf
[libdefaults]
default_realm = $krb5_realm
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
$krb5_realm = {
kdc = ssoinabox.$domain:88
admin_server = ssoinabox.$domain:749
kcrap = ssoinabox.$domain:1999
}
[domain_realm]
$domain = $krb5_realm
.$domain = $krb5_realm
[login]
krb4_convert = true
krb4_get_tickets = false
EOF
}
generate_slapd_config()
{
cat <<EOF > /etc/ldap/slapd.conf
# vim: set ft=conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openssh-lpk_openldap.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# for replication
moduleload back_bdb.la
moduleload syncprov
disallow bind_anon
database bdb
suffix "$ldap_suffix"
authz-policy from
authz-regexp "^uid=([^,/]+)(,cn=${domain//\./\\.})?,cn=gssapi,cn=auth" "cn=\$1,ou=People,$ldap_suffix"
rootdn "cn=Manager,$ldap_suffix"
rootpw ${ldap_manager_pw_hash}
directory /var/lib/ldap
index objectClass eq
sasl-realm ${krb5_realm}
sasl-host ssoinabox.${domain}
sasl-secprops noplain,noactive,noanonymous
#TLSCACertificateFile /etc/ssl/certs/fixme.crt
#TLSCertificateFile /etc/ssl/certs/fixme.crt
#TLSCertificateKeyFile /etc/ssl/private/fixme.key
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
##
# ACLs
access to dn="cn=ldap-reader,ou=Roles,$ldap_suffix"
by anonymous auth
access to attrs=userPassword
by self =xw
by anonymous auth
by * none
access to *
by self write
by dn="cn=ldap-reader,ou=Roles,$ldap_suffix" read
by dn="cn=freeradius,ou=Roles,$ldap_suffix" read
by dn="cn=replicator,ou=Roles,$ldap_suffix" read
# Lock down attributes a user shouldn't change
access to attrs="loginShell,homeDirectory,uidNumber,gidNumber,uid,cn"
by self read
by dn="cn=replicator,ou=Roles,$ldap_suffix" read
by dn="cn=ldap-reader,ou=Roles,$ldap_suffix" read
access to *
by anonymous auth
by users read
EOF
}
generate_base_ldif()
{
domainbit=`echo $domain | cut -d. -f1`
gn="`echo $fullname | awk '{print \$1;}'`"
sn="`echo $fullname | awk '{print \$2;}'`"
cat <<EOF
dn: $ldap_suffix
objectClass: dcObject
objectClass: organization
o: $domain
dc: $domainbit
dn: cn=Manager,$ldap_suffix
cn: Manager
objectClass: top
objectClass: organizationalRole
description: LDAP admin entry with root level access to the server
dn: ou=People,$ldap_suffix
ou: People
objectClass: top
objectClass: organizationalUnit
description: User accounts representing people
dn: uid=$username,ou=People,$ldap_suffix
uid: $username
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: ldapPublicKey
cn: $fullname
givenName: $gn
sn: $sn
loginShell: /bin/bash
homeDirectory: /home/users/$username
uidNumber: 501
gidNumber: 500
userPassword: {SASL}$username@$krb5_realm
dn: ou=Groups,$ldap_suffix
ou: Groups
objectClass: top
objectClass: organizationalUnit
description: POSIX user account groups
dn: cn=users,ou=Groups,$ldap_suffix
cn: users
objectClass: top
objectClass: posixGroup
description: Default POSIX group for users
gidNumber: 500
memberUid: $username
dn: cn=rtp,ou=Groups,$ldap_suffix
cn: rtp
objectClass: top
objectClass: posixGroup
description: POSIX group for people with root access to servers
gidNumber: 501
memberUid: $username
dn: ou=Roles,$ldap_suffix
ou: Roles
objectClass: top
objectClass: organizationalUnit
description: User accounts representing bots or other administrative functions
dn: cn=ldap-reader,ou=Roles,$ldap_suffix
cn: ldap-reader
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
description: Low-security account used for read-only LDAP access by NSS clients
userPassword: $ldap_reader_pw
EOF
}
configure_saslauthd()
{
sed -re 's/^START=no$/START=yes/' \
-e 's/^MECHANISMS=".+"$/MECHANISMS="kerberos5"/' \
-i /etc/default/saslauthd
}
generate_password()
{
local length="${1:-64}"
dd if=/dev/urandom bs=2048 count=1 2>/dev/null | tr -dc 'A-Za-z0-9' | cut -c 1-$length
}
build_kcrap()
{
oldcwd="`pwd`"
tempdir=`mktemp -d /tmp/kcrapXXXXXX`
cd "$tempdir"
wget https://aur.archlinux.org/packages/kc/kcrap/kcrap.tar.gz
tar xzvf kcrap.tar.gz
cd kcrap
mkdir pkg src
export srcdir="$PWD/src"
export pkgdir="$PWD/pkg"
. PKGBUILD
wget "${source[0]}"
for f in ${source[@]}; do
f=`basename $f`
ln -sf ../$f src/$f
done
cd "${srcdir}"
for f in *.tar.bz2; do
tar xjf $f
done
patch -p0 -i "$oldcwd/patches/kcrap-0.2.3-ntlm-extra.patch.patch"
cd kcrap-0.2.3
patch -p1 -i "$oldcwd/patches/kcrapclient.patch"
cd ..
build
make install
cp -v "test/kcrapclient" "/usr/local/bin/"
cd "$oldcwd" && rm -rf "$tempdir"
echo "/usr/local/lib" > /etc/ld.so.conf.d/usrlocal.conf
ldconfig
}
configure_kcrap()
{
cat <<EOF > /etc/kcrap_server.conf
[kcrap_server]
port = 1999
realm = $krb5_realm
[realms]
$krb5_realm = {
database_name = /var/lib/krb5kdc/principal
key_stash_file = /etc/krb5kdc/stash
}
EOF
}
configure_freerad()
{
# mschap module needs to use our ntlm_auth program for auth requests
sed -re 's/^#?(\s*)ntlm_auth = ".+"$/\1ntlm_auth = "\/usr\/local\/bin\/kcrapclient %{%{Stripped-User-Name}:-%{%{User-Name}:-None}} %{%{mschap:Challenge}:-00} %{%{mschap:NT-Response}:-00}"/' \
-i /etc/freeradius/modules/mschap
# configure ldap module with our settings
sed -re 's/^(\s*)#?server = ".+"$/\1server = "ssoinabox.'$domain'"/' \
-e 's/^(\s*)#?identity = ".+"$/\1identity = "cn=ldap-reader,ou=Roles,'$ldap_suffix'"/' \
-e 's/^(\s*)#?password = .+$/\1password = "'$ldap_reader_pw'"/' \
-e 's/^(\s*)#?basedn = ".+"$/\1basedn = "'$ldap_suffix'"/' \
-i /etc/freeradius/modules/ldap
# enable ldap for authorization and authentication
for site in default inner-tunnel; do
sed -rf `dirname $0`/resources/freerad-site-patcher.sed \
-i /etc/freeradius/sites-available/$site
done
# give freerad access to the kerberos keytab
setfacl -m u:freerad:r /etc/krb5.keytab
}
test_freerad()
{
build_eapol_test > /dev/null
set +e
echo -n "Testing RADIUS auth via EAP/TTLS/PAP..."
conf=`mktemp /tmp/frXXXXXX`
cat <<EOF > $conf
network={
ssid="example"
key_mgmt=WPA-EAP
eap=TTLS
anonymous_identity="$username"
identity="$username"
password="$password"
phase2="auth=PAP"
}
EOF
if /usr/local/bin/eapol_test -s testing123 -c "$conf" 2>&1 > /dev/null; then
echo "GOOD"
else
echo "BAD"
fi
echo -n "Testing RADIUS auth via PEAP/MSCHAPv2..."
cat <<EOF > $conf
network={
ssid="example"
key_mgmt=WPA-EAP
eap=PEAP
anonymous_identity="$username"
identity="$username"
password="$password"
phase2="autheap=MSCHAPv2"
}
EOF
if /usr/local/bin/eapol_test -s testing123 -c "$conf" 2>&1 > /dev/null; then
echo "GOOD"
else
echo "BAD"
fi
rm -f $conf
set -e
}
generate_web_yaml()
{
test -d /usr/local/etc/ssoinabox || mkdir -p /usr/local/etc/ssoinabox
cat <<EOF > /usr/local/etc/ssoinabox/webcreds.yml
LDAP_BASEDN: $ldap_suffix
UID_MIN: 501
GID_MIN: 500
ldap_server: ldap://localhost:389/
ldap_manager:
dn: cn=Manager,$ldap_suffix
password: $ldap_manager_pw
ldap_user_basedn: ou=People,$ldap_suffix
ldap_group_basedn: ou=Groups,$ldap_suffix
kerberos_admin:
principal: webkerb/admin
password: $webkerb_pw
PHONE_EXT_MIN: 500
hmac_secret: `generate_password 40`
EOF
chown root:www-data /usr/local/etc/ssoinabox/webcreds.yml
chmod 640 /usr/local/etc/ssoinabox/webcreds.yml
}
configure_webkdc()
{
cat <<EOF > /etc/webkdc/webkdc.conf
our \$KEYRING_PATH = '/var/lib/webkdc/keyring';
our \$TEMPLATE_PATH = '/usr/local/share/weblogin/ssoinabox/templates';
our \$TEMPLATE_COMPILE_PATH = '/var/cache/weblogin';
our \$URL = 'http://ssoinabox/webkdc-service';
our \$BYPASS_CONFIRM = 1;
EOF
cat <<EOF > /etc/webkdc/token.acl
krb5:webauth/*@$krb5_realm id
EOF
test -f /etc/webkdc/keytab && rm -f /etc/webkdc/keytab
kadmin.local -q "ank -randkey service/webkdc"
kadmin.local -q "ktadd -norandkey -k /etc/webkdc/keytab service/webkdc"
chown root:www-data /etc/webkdc/keytab
chmod 640 /etc/webkdc/keytab
}
configure_webauth()
{
cat <<EOF > /etc/apache2/conf.d/webauth
WebAuthWebKdcPrincipal service/webkdc
WebAuthLoginURL "http://ssoinabox.$domain/login"
WebAuthWebKdcURL "http://ssoinabox.$domain/webkdc-service"
WebAuthSSLRedirect off
WebAuthRequireSSL off
WebAuthDebug on
EOF
test -f /etc/webauth/keytab && rm -f /etc/webauth/keytab
kadmin.local -q "ank -randkey webauth/ssoinabox.$domain"
kadmin.local -q "ktadd -norandkey -k /etc/webauth/keytab webauth/ssoinabox.$domain"
chown root:www-data /etc/webauth/keytab
chmod 640 /etc/webauth/keytab
# doesn't exist by default...?
# chown www-data:www-data /var/lib/webauth/keyring
}
configure_apache2()
{
cp `dirname $0`/resources/apache2-site.conf /etc/apache2/sites-available/ssoinabox
sed -re "s/^(\s*)ServerName .+$/\1ServerName ssoinabox.$domain/" -i /etc/apache2/sites-available/ssoinabox
a2ensite ssoinabox
a2dissite default
}
build_kadm5()
{
test -d tarballs || mkdir tarballs
test -f tarballs/kadm5.tar.gz || wget -O tarballs/kadm5.tar.gz http://pecl.php.net/get/kadm5
oldcwd="`pwd`"
tempdir=`mktemp -d /tmp/kadm5XXXXXX`
cd $tempdir
tar xzf "$oldcwd/tarballs/kadm5.tar.gz"
cd kadm5-*
patch -p1 -i "$oldcwd/patches/kadm5.patch"
phpize
./configure
make
make install
cd "$oldcwd" && rm -rf "$tempdir"
echo "extension=kadm5.so" > /etc/php5/conf.d/kadm5.ini
}
build_eapol_test()
{
test -x /usr/local/bin/eapol_test && return 0
test -d tarballs || mkdir tarballs
test -f tarballs/wpa_supplicant-1.1.tar.gz || wget -O tarballs/wpa_supplicant-1.1.tar.gz "http://hostap.epitest.fi/releases/wpa_supplicant-1.1.tar.gz"
oldcwd="`pwd`"
tempdir=`mktemp -d /tmp/wpasXXXXXX`
cd $tempdir
tar xzf "$oldcwd/tarballs/wpa_supplicant-1.1.tar.gz"
cd wpa_supplicant-1.1/wpa_supplicant
cp defconfig .config
sed -re 's/^#?CONFIG_EAPOL_TEST=.+$/CONFIG_EAPOL_TEST=y/' -i .config
make eapol_test
cp -v eapol_test /usr/local/bin/
cd "$oldcwd" && rm -rf "$tempdir"
}