make-sso
author Dan Fuhry <dan@fuhry.us>
Sat, 16 Feb 2013 19:02:51 -0500 (2013-02-17)
Fixed kerberos path again. Default Ubuntu installs do indeed use /var/lib/krb5kdc. Really should try to autodetect that.
#!/bin/bash

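set -e

# Everything below runs apt-get, writes under /etc and (re)creates the LDAP
# and Kerberos databases.  Refuse to start as a non-root user rather than
# failing part-way through and leaving a half-configured box behind.
if [ "$(id -u)" -ne 0 ]; then
	echo "make-sso must be run as root." >&2
	exit 1
fi

# The helper library, resources/ and packages/ are all addressed relative to
# the script's own directory, so work from there no matter where the caller
# invoked us from.  (If $0 has no directory component this is a no-op, as
# before.)
cd "$(dirname "$0")"
. resources/functions

cat <<EOF
Welcome to SSO-in-a-Box! This script configures a stock Ubuntu 12.10 install
into a working Kerberos, LDAP, RADIUS and WebAuth server. We'll ask you for
details on your domain and your first administrative account, then get started
creating things.

WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
>>>   If you have ANY existing LDAP or Kerberos database that you   <<<
>>>    want to save, EXIT THIS SCRIPT NOW by pressing Control-C.    <<<
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING

EOF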

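# get_input VAR PROMPT [DEFAULT]
#
# Prompt the operator and store the answer in the global variable named VAR.
# An empty answer selects DEFAULT when one was supplied (it is shown in
# brackets); without a default the prompt repeats until something is typed.
# EOF on stdin aborts the script instead of spinning on "Invalid input."
#
# The assignment uses printf -v rather than eval: the default is frequently
# derived from something the operator already typed (e.g. the username from
# the full name), and eval would execute any '$(...)', backticks or quotes
# it happened to contain.
get_input()
{
	local var="$1"
	local prompt="$2"
	local prefill="${3:-}"
	local answer

	[ -n "$prefill" ] && prompt="${prompt} [${prefill}]"
	printf -v "$var" '%s' "$prefill"
	while true; do
		answer=""
		# -r keeps backslashes literal.  read fails on EOF; a non-empty
		# answer on an unterminated last line is still accepted.
		if ! read -r -p "$prompt: " answer && [ -z "$answer" ]; then
			echo "No input available (EOF); aborting." >&2
			exit 1
		fi
		if [ -n "$answer" ]; then
			printf -v "$var" '%s' "$answer"
			return 0
		fi
		# Empty answer: fall back to the default already stored in VAR.
		if [ -n "$prefill" ]; then
			return 0
		fi
		echo "Invalid input."
	done
}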

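# --- Operator input ----------------------------------------------------------
# What is typed here gets spliced into kadmin command strings, LDAP DNs and
# generated config files, so the username and domain are restricted to a
# conservative character set before anything is built from them.
get_input fullname "Your full name"

# Default admin username: first word of the full name, lower-cased (using
# [:upper:]/[:lower:] like the domain handling below, not A-Z/a-z).
username="$(printf '%s\n' "$fullname" | awk '{print $1;}' | tr '[:upper:]' '[:lower:]')"
username_re='^[A-Za-z0-9][A-Za-z0-9._-]*$'
while true; do
	get_input username "Admin username" "$username"
	[[ "$username" =~ $username_re ]] && break
	echo "Username may contain only letters, digits, '.', '_' and '-'."
done

# The initial admin password is generated and printed at the end of the run;
# the interactive prompt below was disabled upstream and is kept for reference.
password="$(generate_password 16)"
#while true; do
#	stty -echo
#	get_input password "Admin password"
#	echo
#	get_input pconf "Confirm password"
#	stty echo; echo
#	[ "$password" = "$pconf" ] && break
#	echo "Passwords do not match."
#done

# DNS names are case-insensitive: normalise to lower case, then require a
# plain dotted hostname (labels of letters, digits and hyphens).
domain_re='^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$'
while true; do
	get_input domain "Domain name"
	domain="$(printf '%s' "$domain" | tr '[:upper:]' '[:lower:]')"
	[[ "$domain" =~ $domain_re ]] && break
	echo "Domain must be a dotted hostname: letters, digits and hyphens, separated by dots."
done

# LDAP suffix: one dc= component per label.  Kerberos realms are upper-case
# by convention.
ldap_suffix="dc=$(printf '%s' "$domain" | sed -re 's/\./,dc=/g')"
krb5_realm="$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')"

echo "Your LDAP suffix is: $ldap_suffix"
echo "Your Kerberos V realm is: $krb5_realm"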

echo "Setting up your /etc/hosts file"
patch_hosts_file

echo "Setting up your Kerberos V client config."
generate_krb5_config

echo "Updating apt, purging any existing SSO packages and installing stuff."
# Keep dpkg/debconf from prompting: every question takes its default.
export DEBIAN_FRONTEND=noninteractive
#apt-get update

# The *_packages lists are not defined in this file (presumably they come from
# resources/functions).  They are whitespace-separated strings and are left
# unquoted on purpose so they word-split into individual package names.
sso_pkgs="${krb5_packages} ${ldap_packages} ${sasl_packages} ${radius_packages} ${http_packages}"
extra_pkgs="screen build-essential libkrb5-dev libssl-dev acl libnet-ldap-perl php5-ldap php5-dev libyaml-dev libnl-dev"

# Purge first so stale configs from a previous install do not survive, then
# install the SSO stack plus the build/runtime dependencies used further down.
apt-get remove --purge -y ${sso_pkgs}
apt-get install -y ${sso_pkgs} ${extra_pkgs}

# Stop anything left over from an earlier run so the databases and configs
# below can be replaced underneath it.  Each entry pairs the process name
# pidof sees with the init script that stops it.
stop_if_running()
{
	local proc="$1"
	local service="$2"
	if pidof "$proc" > /dev/null; then
		invoke-rc.d "$service" stop
	fi
}

stop_if_running apache2    apache2
stop_if_running freeradius freeradius

# kcrap_server is started directly later on rather than via an init script,
# so it is killed directly here too.
if pidof kcrap_server > /dev/null; then
	killall kcrap_server
fi

stop_if_running saslauthd saslauthd
stop_if_running slapd     slapd
stop_if_running krb5kdc   krb5-kdc
stop_if_running kadmind   krb5-admin-server

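# --- LDAP setup --------------------------------------------------------------
# Wipe any existing database so slapadd below starts from an empty directory.
# An orderly stop was already attempted above; anything still alive is killed
# (pidof failing here is deliberately not fatal under set -e: it is not the
# last command of the && list).
pidof slapd && killall -9 slapd
if [ -f /var/lib/ldap/__db.001 ]; then
	rm -fv /var/lib/ldap/__db.* \
		/var/lib/ldap/alock \
		/var/lib/ldap/dn2id.bdb \
		/var/lib/ldap/id2entry.bdb \
		/var/lib/ldap/log.* \
		/var/lib/ldap/objectClass.bdb
fi

# The rootdn password lives in /etc/ldap.secret.  Create the file with a
# restrictive umask so it is 0600 from the first byte: the previous
# "write, then chmod" left the password world-readable for an instant under
# the default umask, and a leftover 0644 file from an earlier run would keep
# its old mode when merely truncated, so remove it first.
ldap_manager_pw="$(generate_password 40)"
rm -f /etc/ldap.secret
(umask 077 && printf '%s' "$ldap_manager_pw" > /etc/ldap.secret)
chmod 600 /etc/ldap.secret
# -T hashes the contents of the named file; nothing needs to be fed on stdin.
ldap_manager_pw_hash="$(slappasswd -T /etc/ldap.secret)"
ldap_reader_pw="$(generate_password 10)"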

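# Regenerate the cn=config tree from scratch and install the extra schema
# alongside the stock ones.
if [ -d /etc/ldap/slapd.d ]; then
	rm -rfv /etc/ldap/slapd.d
fi

cp "$(dirname "$0")"/resources/openssh-lpk_openldap.schema /etc/ldap/schema/

generate_slapd_config

# Load the base tree offline while slapd is stopped.  The LDIF goes through a
# private temporary file rather than a pipe: this script has no 'pipefail',
# so a failing generate_base_ldif would otherwise pass unnoticed and slapadd
# would load a truncated directory.  mktemp creates the file mode 0600, which
# matters because the LDIF presumably embeds the rootdn hash generated above.
base_ldif="$(mktemp)"
generate_base_ldif > "$base_ldif"
slapadd -l "$base_ldif"
rm -f "$base_ldif"
# slapadd ran as root; hand the database files back to the slapd user.
chown -R openldap:openldap /var/lib/ldap

# Point slapd at its own keytab for GSSAPI.  Match on the variable being set,
# not on a path fragment: the old pattern (KRB5_KTNAME=/etc/ldap) never
# matched the line written below (KRB5_KTNAME="FILE:...), so every run
# appended another copy.
if ! grep -q '^export KRB5_KTNAME=' /etc/default/slapd; then
	echo 'export KRB5_KTNAME="FILE:/etc/ldap/keytab"' >> /etc/default/slapd
fi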

# SASL config for slapd: delegate password checks to saslauthd's socket
# (saslauthd itself is configured and started further down).
printf '%s\n%s\n\n' \
	"pwcheck_method: saslauthd" \
	"saslauthd_path: /var/run/saslauthd/mux" \
	> /etc/ldap/sasl2/slapd.conf

# The mux socket is group-accessible to 'sasl'; slapd runs as openldap.
gpasswd -a openldap sasl

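# --- KDC setup ---------------------------------------------------------------
stash_pw="$(generate_password 40)"

# The author's intent here: kdb5_util can block on /dev/random while it
# generates the master key on a freshly installed box, and a burst of disk
# reads in the background helps feed the kernel pool (the sha1sum output
# itself is discarded; the screen session is left to finish on its own).
# -type f must come before -print0, otherwise every directory is printed as
# well and handed to sha1sum.
screen -dmS hasher sh -c "find /usr/lib/ /usr/share/ -type f -print0 | xargs -0 -n1 sha1sum"

# Remove any previous principal database so 'create' starts from scratch.
if [ -f /var/lib/krb5kdc/principal ]; then
	rm -fv /var/lib/krb5kdc/principal \
			/var/lib/krb5kdc/principal.kadm5 \
			/var/lib/krb5kdc/principal.kadm5.lock \
			/var/lib/krb5kdc/principal.ok
fi
# kdb5_util asks for the master password twice; -s also writes a stash file so
# the KDC can start unattended.  printf feeds the password verbatim, where
# 'echo -e' would have interpreted any backslash it contained.
printf '%s\n%s\n' "$stash_pw" "$stash_pw" | kdb5_util create -s

# Any principal with an /admin instance gets full kadmin rights.
printf '*/admin\t*\n' > /etc/krb5kdc/kadm5.acl

invoke-rc.d krb5-kdc start
invoke-rc.d krb5-admin-server start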

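# First admin principal and the webkerb/admin principal used by the web stack.
# The commands are fed on stdin instead of via -q so the passwords do not
# appear on kadmin.local's command line, where any local user could read them
# from 'ps' while the command runs.  The command text is identical to the old
# -q strings; a password containing a double quote would mis-parse in either
# form (TODO: confirm generate_password's character set excludes it).
kadmin.local <<EOF
ank -pw "${password}" $username
EOF

webkerb_pw="$(generate_password 40)"
kadmin.local <<EOF
ank -pw "${webkerb_pw}" webkerb/admin
EOF

# Host and LDAP service principals with random keys, each exported to its
# keytab.  -norandkey keeps the key just generated (kadmin.local only).  The
# old keytab is removed first so entries from a previous run do not pile up
# next to the new ones.
kadmin.local -q "ank -randkey host/ssoinabox.$domain"
rm -f /etc/krb5.keytab
kadmin.local -q "ktadd -norandkey -kt /etc/krb5.keytab host/ssoinabox.$domain"

kadmin.local -q "ank -randkey ldap/ssoinabox.$domain"
rm -f /etc/ldap/keytab
kadmin.local -q "ktadd -norandkey -kt /etc/ldap/keytab ldap/ssoinabox.$domain"
# slapd runs as openldap and only needs read access to its keytab.
chown root:openldap /etc/ldap/keytab
chmod 640 /etc/ldap/keytab

# Allow slapd to read the keytab under AppArmor via a local override.  This
# replaces any existing local rules for the slapd profile.
echo "/etc/ldap/keytab rk," > "/etc/apparmor.d/local/usr.sbin.slapd"
invoke-rc.d apparmor restart

invoke-rc.d slapd start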

# --- SASL --------------------------------------------------------------------
configure_saslauthd
invoke-rc.d saslauthd start

# --- KCRAP -------------------------------------------------------------------
# Only the build's stdout is discarded; errors still reach the terminal.
build_kcrap > /dev/null
configure_kcrap
# Started directly; no init script is used for it in this script.
/usr/sbin/kcrap_server

# --- RADIUS ------------------------------------------------------------------
configure_freerad
invoke-rc.d freeradius start
# Smoke-test the RADIUS setup before moving on to the web pieces.
test_freerad

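# --- Web front end (Apache + WebAuth/WebKDC) ----------------------------------
generate_web_yaml

for module in rewrite authz_dbm webauth webkdc; do
	a2enmod "$module"
done

# Only the build's stdout is discarded; errors still reach the terminal.
build_kadm5 > /dev/null

configure_webkdc
configure_apache2_deps_placeholder_removed=
configure_webauth
configure_apache2

# PHP yaml extension.  Note for reviewers: this fetches whatever version
# pecl.php.net currently offers, at provisioning time, with no version pin;
# consider pinning (e.g. 'pecl install yaml-X.Y.Z') for reproducible builds.
# 'yes ""' answers the build's configure prompts with their defaults.
if pecl list | grep -q yaml; then
	pecl uninstall yaml
fi
yes "" | pecl install yaml > /dev/null
test -d /etc/php5/conf.d || mkdir /etc/php5/conf.d
echo "extension=yaml.so" > /etc/php5/conf.d/yaml.ini
# Seed file for the group map (presumably consumed by authz_dbm, which was
# enabled above); quoted so a path containing spaces does not break the copy.
cp "$(dirname "$0")"/resources/ldap-groups.db /etc/apache2/ldap-groups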

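# --- Local packages -----------------------------------------------------------
# Each packages/<name>/build is expected to leave .deb files under packages/.
# Run every build in a subshell: a build script that changes directory, or a
# failing 'cd', can no longer derail the loop (set -e is inherited by the
# subshell, so a failed build still aborts the run as before).
for d in packages/*; do
	( cd "$d" && ./build )
done
# Install everything that was built.  NUL-delimited for odd filenames; xargs
# is deliberately run without -r so that an empty result still invokes dpkg,
# which then fails loudly instead of silently installing nothing.
find packages -name '*.deb' -type f -print0 | xargs -0 dpkg -i

# Presumably provided by one of the packages just installed.
/usr/local/share/ssoinabox/bin/ldap-groups-to-dbm

invoke-rc.d apache2 start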

# Final report.  This is the operator's only record of these values (the LDAP
# manager password is additionally kept in /etc/ldap.secret), so they are
# printed to the terminal.  Wording and layout are unchanged; printf prints
# each value verbatim.
printf '%s\n' "Passwords to remember (WRITE THESE DOWN):"
printf 'Kerberos master key:   %s\n' "$stash_pw"
printf 'LDAP manager password: %s\n' "$ldap_manager_pw"
printf 'LDAP reader DN:        cn=ldap-reader,ou=Roles,%s\n' "$ldap_suffix"
printf 'LDAP reader password:  %s\n' "$ldap_reader_pw"
printf 'Admin username:        %s\n' "$username"
printf 'Admin password:        %s\n' "$password"
printf '%s\n' "Change your admin password by typing:"
printf '  kadmin.local -q "cpw %s"\n' "$username"