diff -r 000000000000 -r 3906ca745819 resources/functions --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/resources/functions Tue Jan 08 23:13:29 2013 -0500 @@ -0,0 +1,456 @@ +# :mode=shellscript: + +krb5_packages="krb5-admin-server krb5-kdc" +ldap_packages="slapd ldap-utils" +sasl_packages="sasl2-bin libsasl2-modules-gssapi-mit" +radius_packages="freeradius freeradius-ldap freeradius-common" +http_packages="apache2.2-bin libapache2-mod-php5 libapache2-webauth libapache2-webkdc webauth-weblogin php-pear" + +patch_hosts_file() +{ + sed -re '/^127\.0\.1\.1\s+/d' -i /etc/hosts + #sed -re '/^10\.0\.2\.2\s+/d' -i /etc/hosts + echo -e "127.0.1.1\tssoinabox.${domain}\tssoinabox" >> /etc/hosts + #echo -e "10.0.2.2\tsso-clients.${domain}\tssoinabox" >> /etc/hosts + + echo -n "ssoinabox.$domain" > /etc/hostname + hostname `cat /etc/hostname` +} + +generate_krb5_config() +{ + cat < /etc/krb5.conf +[libdefaults] + default_realm = $krb5_realm + dns_lookup_realm = false + dns_lookup_kdc = false + ticket_lifetime = 24h + forwardable = yes + +[realms] + $krb5_realm = { + kdc = ssoinabox.$domain:88 + admin_server = ssoinabox.$domain:749 + kcrap = ssoinabox.$domain:1999 + } + +[domain_realm] + $domain = $krb5_realm + .$domain = $krb5_realm + +[login] + krb4_convert = true + krb4_get_tickets = false + + +EOF +} + +generate_slapd_config() +{ + cat < /etc/ldap/slapd.conf +# vim: set ft=conf +include /etc/ldap/schema/core.schema +include /etc/ldap/schema/cosine.schema +include /etc/ldap/schema/inetorgperson.schema +include /etc/ldap/schema/nis.schema + +pidfile /var/run/slapd/slapd.pid +argsfile /var/run/slapd/slapd.args + +# for replication +moduleload back_bdb.la +moduleload syncprov + +disallow bind_anon + +database bdb +suffix "$ldap_suffix" + +authz-policy from +authz-regexp "^uid=([^,/]+)(,cn=${domain//\./\\.})?,cn=gssapi,cn=auth" "cn=\$1,ou=People,$ldap_suffix" + +rootdn "cn=Manager,$ldap_suffix" +rootpw ${ldap_manager_pw_hash} + +directory /var/lib/ldap + +index objectClass eq + +sasl-realm ${krb5_realm} +sasl-host ssoinabox.${domain} +sasl-secprops noplain,noactive,noanonymous + +#TLSCACertificateFile /etc/ssl/certs/fixme.crt +#TLSCertificateFile /etc/ssl/certs/fixme.crt +#TLSCertificateKeyFile /etc/ssl/private/fixme.key + +overlay syncprov +syncprov-checkpoint 100 10 +syncprov-sessionlog 100 + +## +# ACLs + +access to dn="cn=ldap-reader,ou=Roles,$ldap_suffix" + by anonymous auth + +access to attrs=userPassword + by self =xw + by anonymous auth + by * none + +access to * + by self write + by dn="cn=ldap-reader,ou=Roles,$ldap_suffix" read + by dn="cn=freeradius,ou=Roles,$ldap_suffix" read + by dn="cn=replicator,ou=Roles,$ldap_suffix" read + +# Lock down attributes a user shouldn't change +access to attrs="loginShell,homeDirectory,uidNumber,gidNumber,uid,cn" + by self read + by dn="cn=replicator,ou=Roles,$ldap_suffix" read + by dn="cn=ldap-reader,ou=Roles,$ldap_suffix" read + +access to * + by anonymous auth + by users read + +EOF +} + +generate_base_ldif() +{ + domainbit=`echo $domain | cut -d. -f1` + gn="`echo $fullname | awk '{print \$1;}'`" + sn="`echo $fullname | awk '{print \$2;}'`" + cat </dev/null | tr -dc 'A-Za-z0-9' | cut -c 1-$length +} + +build_kcrap() +{ + oldcwd="`pwd`" + tempdir=`mktemp -d /tmp/kcrapXXXXXX` + cd "$tempdir" + wget https://aur.archlinux.org/packages/kc/kcrap/kcrap.tar.gz + tar xzvf kcrap.tar.gz + cd kcrap + mkdir pkg src + export srcdir="$PWD/src" + export pkgdir="$PWD/pkg" + . PKGBUILD + wget "${source[0]}" + for f in ${source[@]}; do + f=`basename $f` + ln -sf ../$f src/$f + done + cd "${srcdir}" + for f in *.tar.bz2; do + tar xjf $f + done + patch -p0 -i "$oldcwd/patches/kcrap-0.2.3-ntlm-extra.patch.patch" + cd kcrap-0.2.3 + patch -p1 -i "$oldcwd/patches/kcrapclient.patch" + cd .. + build + make install + cp -v "test/kcrapclient" "/usr/local/bin/" + cd "$oldcwd" && rm -rf "$tempdir" + + echo "/usr/local/lib" > /etc/ld.so.conf.d/usrlocal.conf + ldconfig +} + +configure_kcrap() +{ + cat < /etc/kcrap_server.conf +[kcrap_server] + port = 1999 + realm = $krb5_realm + +[realms] + $krb5_realm = { + database_name = /var/lib/krb5kdc/principal + key_stash_file = /etc/krb5kdc/stash + } + +EOF +} + +configure_freerad() +{ + # mschap module needs to use our ntlm_auth program for auth requests + sed -re 's/^#?(\s*)ntlm_auth = ".+"$/\1ntlm_auth = "\/usr\/local\/bin\/kcrapclient %{%{Stripped-User-Name}:-%{%{User-Name}:-None}} %{%{mschap:Challenge}:-00} %{%{mschap:NT-Response}:-00}"/' \ + -i /etc/freeradius/modules/mschap + + # configure ldap module with our settings + sed -re 's/^(\s*)#?server = ".+"$/\1server = "ssoinabox.'$domain'"/' \ + -e 's/^(\s*)#?identity = ".+"$/\1identity = "cn=ldap-reader,ou=Roles,'$ldap_suffix'"/' \ + -e 's/^(\s*)#?password = .+$/\1password = "'$ldap_reader_pw'"/' \ + -e 's/^(\s*)#?basedn = ".+"$/\1basedn = "'$ldap_suffix'"/' \ + -i /etc/freeradius/modules/ldap + + # enable ldap for authorization and authentication + for site in default inner-tunnel; do + sed -rf `dirname $0`/resources/freerad-site-patcher.sed \ + -i /etc/freeradius/sites-available/$site + done + + # give freerad access to the kerberos keytab + setfacl -m u:freerad:r /etc/krb5.keytab +} + +test_freerad() +{ + build_eapol_test > /dev/null + set +e + echo -n "Testing RADIUS auth via EAP/TTLS/PAP..." + conf=`mktemp /tmp/frXXXXXX` + cat < $conf +network={ + ssid="example" + key_mgmt=WPA-EAP + eap=TTLS + anonymous_identity="$username" + identity="$username" + password="$password" + phase2="auth=PAP" +} + +EOF + if /usr/local/bin/eapol_test -s testing123 -c "$conf" 2>&1 > /dev/null; then + echo "GOOD" + else + echo "BAD" + fi + echo -n "Testing RADIUS auth via PEAP/MSCHAPv2..." + cat < $conf +network={ + ssid="example" + key_mgmt=WPA-EAP + eap=PEAP + anonymous_identity="$username" + identity="$username" + password="$password" + phase2="autheap=MSCHAPv2" +} + +EOF + if /usr/local/bin/eapol_test -s testing123 -c "$conf" 2>&1 > /dev/null; then + echo "GOOD" + else + echo "BAD" + fi + rm -f $conf + set -e +} + +generate_web_yaml() +{ + test -d /usr/local/etc/ssoinabox || mkdir -p /usr/local/etc/ssoinabox + cat < /usr/local/etc/ssoinabox/webcreds.yml +LDAP_BASEDN: $ldap_suffix + +UID_MIN: 501 +GID_MIN: 500 + +ldap_server: ldap://localhost:389/ +ldap_manager: + dn: cn=Manager,$ldap_suffix + password: $ldap_manager_pw + +ldap_user_basedn: ou=People,$ldap_suffix +ldap_group_basedn: ou=Groups,$ldap_suffix + +kerberos_admin: + principal: webkerb/admin + password: $webkerb_pw + +PHONE_EXT_MIN: 500 + +EOF + + chown root:www-data /usr/local/etc/ssoinabox/webcreds.yml + chmod 640 /usr/local/etc/ssoinabox/webcreds.yml +} + +configure_webkdc() +{ + cat < /etc/webkdc/webkdc.conf +our \$KEYRING_PATH = '/var/lib/webkdc/keyring'; +our \$TEMPLATE_PATH = '/usr/local/share/weblogin/ssoinabox/templates'; +our \$TEMPLATE_COMPILE_PATH = '/var/cache/weblogin'; +our \$URL = 'http://ssoinabox/webkdc-service'; +our \$BYPASS_CONFIRM = 1; + +EOF + + cat < /etc/webkdc/token.acl +krb5:webauth/*@$krb5_realm id + +EOF + + test -f /etc/webkdc/keytab && rm -f /etc/webkdc/keytab + kadmin.local -q "ank -randkey service/webkdc" + kadmin.local -q "ktadd -norandkey -k /etc/webkdc/keytab service/webkdc" + + chown root:www-data /etc/webkdc/keytab + chmod 640 /etc/webkdc/keytab +} + +configure_webauth() +{ + cat < /etc/apache2/conf.d/webauth +WebAuthWebKdcPrincipal service/webkdc +WebAuthLoginURL "http://ssoinabox.$domain/login" +WebAuthWebKdcURL "http://ssoinabox.$domain/webkdc-service" +WebAuthSSLRedirect off +WebAuthRequireSSL off +WebAuthDebug on + +EOF + + test -f /etc/webauth/keytab && rm -f /etc/webauth/keytab + kadmin.local -q "ank -randkey webauth/ssoinabox.$domain" + kadmin.local -q "ktadd -norandkey -k /etc/webauth/keytab webauth/ssoinabox.$domain" + + chown root:www-data /etc/webauth/keytab + chmod 640 /etc/webauth/keytab + + # doesn't exist by default...? + # chown www-data:www-data /var/lib/webauth/keyring +} + +configure_apache2() +{ + cp `dirname $0`/resources/apache2-site.conf /etc/apache2/sites-available/ssoinabox + sed -re "s/^(\s*)ServerName .+$/\1ServerName ssoinabox.$domain/" -i /etc/apache2/sites-available/ssoinabox + + a2ensite ssoinabox + a2dissite default +} + +build_kadm5() +{ + test -d tarballs || mkdir tarballs + test -f tarballs/kadm5.tar.gz || wget -O tarballs/kadm5.tar.gz http://pecl.php.net/get/kadm5 + oldcwd="`pwd`" + tempdir=`mktemp -d /tmp/kadm5XXXXXX` + cd $tempdir + + tar xzf "$oldcwd/tarballs/kadm5.tar.gz" + cd kadm5-* + patch -p1 -i "$oldcwd/patches/kadm5.patch" + phpize + ./configure + make + make install + + cd "$oldcwd" && rm -rf "$tempdir" + echo "extension=kadm5.so" > /etc/php5/conf.d/kadm5.ini +} + +build_eapol_test() +{ + test -x /usr/local/bin/eapol_test && return 0 + + test -d tarballs || mkdir tarballs + test -f tarballs/wpa_supplicant-1.1.tar.gz || wget -O tarballs/wpa_supplicant-1.1.tar.gz "http://hostap.epitest.fi/releases/wpa_supplicant-1.1.tar.gz" + + oldcwd="`pwd`" + tempdir=`mktemp -d /tmp/wpasXXXXXX` + cd $tempdir + + tar xzf "$oldcwd/tarballs/wpa_supplicant-1.1.tar.gz" + cd wpa_supplicant-1.1/wpa_supplicant + cp defconfig .config + sed -re 's/^#?CONFIG_EAPOL_TEST=.+$/CONFIG_EAPOL_TEST=y/' -i .config + make eapol_test + cp -v eapol_test /usr/local/bin/ + + cd "$oldcwd" && rm -rf "$tempdir" +}