resources/functions
author Dan Fuhry <dan@fuhry.us>
Tue, 08 Jan 2013 23:21:25 -0500
changeset 2 700d61d93b1b
parent 0 3906ca745819
child 3 a044870a9d3d
permissions -rw-r--r--
Fix accidentally hardcoded ldap basedn
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
0
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
     1
# :mode=shellscript:
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
     2
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
     3
krb5_packages="krb5-admin-server krb5-kdc"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
     4
ldap_packages="slapd ldap-utils"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
     5
sasl_packages="sasl2-bin libsasl2-modules-gssapi-mit"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
     6
radius_packages="freeradius freeradius-ldap freeradius-common"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
     7
http_packages="apache2.2-bin libapache2-mod-php5 libapache2-webauth libapache2-webkdc webauth-weblogin php-pear"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
     8
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
     9
patch_hosts_file()
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    10
{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    11
	sed -re '/^127\.0\.1\.1\s+/d' -i /etc/hosts
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    12
	#sed -re '/^10\.0\.2\.2\s+/d' -i /etc/hosts
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    13
	echo -e "127.0.1.1\tssoinabox.${domain}\tssoinabox" >> /etc/hosts
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    14
	#echo -e "10.0.2.2\tsso-clients.${domain}\tssoinabox" >> /etc/hosts
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    15
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    16
	echo -n "ssoinabox.$domain" > /etc/hostname
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    17
	hostname `cat /etc/hostname`
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    18
}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    19
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    20
generate_krb5_config()
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    21
{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    22
	cat <<EOF > /etc/krb5.conf
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    23
[libdefaults]
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    24
	default_realm = $krb5_realm
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    25
	dns_lookup_realm = false
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    26
	dns_lookup_kdc = false
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    27
	ticket_lifetime = 24h
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    28
	forwardable = yes
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    29
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    30
[realms]
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    31
	$krb5_realm = {
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    32
		kdc = ssoinabox.$domain:88
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    33
		admin_server = ssoinabox.$domain:749
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    34
		kcrap = ssoinabox.$domain:1999
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    35
	}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    36
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    37
[domain_realm]
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    38
	$domain = $krb5_realm
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    39
	.$domain = $krb5_realm
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    40
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    41
[login]
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    42
	krb4_convert = true
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    43
	krb4_get_tickets = false
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    44
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    45
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    46
EOF
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    47
}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    48
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    49
generate_slapd_config()
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    50
{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    51
	cat <<EOF > /etc/ldap/slapd.conf
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    52
# vim: set ft=conf
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    53
include         /etc/ldap/schema/core.schema
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    54
include         /etc/ldap/schema/cosine.schema
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    55
include         /etc/ldap/schema/inetorgperson.schema
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    56
include         /etc/ldap/schema/nis.schema
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    57
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    58
pidfile		/var/run/slapd/slapd.pid	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    59
argsfile	/var/run/slapd/slapd.args
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    60
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    61
# for replication
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    62
moduleload back_bdb.la
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    63
moduleload syncprov
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    64
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    65
disallow bind_anon
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    66
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    67
database	bdb
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    68
suffix		"$ldap_suffix"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    69
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    70
authz-policy	from
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    71
authz-regexp	"^uid=([^,/]+)(,cn=${domain//\./\\.})?,cn=gssapi,cn=auth"    "cn=\$1,ou=People,$ldap_suffix"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    72
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    73
rootdn		"cn=Manager,$ldap_suffix"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    74
rootpw		${ldap_manager_pw_hash}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    75
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    76
directory	/var/lib/ldap
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    77
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    78
index		objectClass	eq
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    79
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    80
sasl-realm	${krb5_realm}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    81
sasl-host	ssoinabox.${domain}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    82
sasl-secprops	noplain,noactive,noanonymous
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    83
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    84
#TLSCACertificateFile	/etc/ssl/certs/fixme.crt
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    85
#TLSCertificateFile		/etc/ssl/certs/fixme.crt
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    86
#TLSCertificateKeyFile	/etc/ssl/private/fixme.key
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    87
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    88
overlay		syncprov
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    89
syncprov-checkpoint	100	10
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    90
syncprov-sessionlog	100
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    91
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    92
##
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    93
# ACLs
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    94
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    95
access to dn="cn=ldap-reader,ou=Roles,$ldap_suffix"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    96
	by anonymous auth
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    97
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    98
access to attrs=userPassword
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    99
	by self =xw
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   100
	by anonymous auth
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   101
	by * none
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   102
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   103
access to *
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   104
	by self write
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   105
	by dn="cn=ldap-reader,ou=Roles,$ldap_suffix" read
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   106
	by dn="cn=freeradius,ou=Roles,$ldap_suffix" read
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   107
	by dn="cn=replicator,ou=Roles,$ldap_suffix" read
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   108
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   109
# Lock down attributes a user shouldn't change
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   110
access to attrs="loginShell,homeDirectory,uidNumber,gidNumber,uid,cn"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   111
	by self read
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   112
	by dn="cn=replicator,ou=Roles,$ldap_suffix" read
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   113
	by dn="cn=ldap-reader,ou=Roles,$ldap_suffix" read
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   114
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   115
access to *
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   116
	by anonymous auth
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   117
	by users read
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   118
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   119
EOF
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   120
}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   121
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   122
generate_base_ldif()
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   123
{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   124
	domainbit=`echo $domain | cut -d. -f1`
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   125
	gn="`echo $fullname | awk '{print \$1;}'`"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   126
	sn="`echo $fullname | awk '{print \$2;}'`"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   127
	cat <<EOF
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   128
dn: $ldap_suffix
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   129
objectClass: dcObject
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   130
objectClass: organization
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   131
o: $domain
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   132
dc: $domainbit
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   133
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   134
dn: cn=Manager,$ldap_suffix
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   135
cn: Manager
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   136
objectClass: top
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   137
objectClass: organizationalRole
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   138
description: LDAP admin entry with root level access to the server
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   139
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   140
dn: ou=People,$ldap_suffix
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   141
ou: People
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   142
objectClass: top
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   143
objectClass: organizationalUnit
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   144
description: User accounts representing people
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   145
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   146
dn: uid=$username,ou=People,$ldap_suffix
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   147
uid: $username
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   148
objectClass: top
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   149
objectClass: person
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   150
objectClass: inetOrgPerson
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   151
objectClass: organizationalPerson
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   152
objectClass: posixAccount
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   153
cn: $fullname
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   154
givenName: $gn
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   155
sn: $sn
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   156
loginShell: /bin/bash
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   157
homeDirectory: /home/users/$username
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   158
uidNumber: 501
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   159
gidNumber: 500
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   160
userPassword: {SASL}$username@$krb5_realm
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   161
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   162
dn: ou=Groups,$ldap_suffix
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   163
ou: Groups
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   164
objectClass: top
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   165
objectClass: organizationalUnit
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   166
description: POSIX user account groups
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   167
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   168
dn: cn=users,ou=Groups,$ldap_suffix
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   169
cn: users
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   170
objectClass: top
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   171
objectClass: posixGroup
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   172
description: Default POSIX group for users
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   173
gidNumber: 500
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   174
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   175
dn: cn=rtp,ou=Groups,$ldap_suffix
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   176
cn: rtp
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   177
objectClass: top
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   178
objectClass: posixGroup
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   179
description: POSIX group for people with root access to servers
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   180
gidNumber: 501
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   181
memberUid: $username
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   182
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   183
dn: ou=Roles,$ldap_suffix
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   184
ou: Roles
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   185
objectClass: top
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   186
objectClass: organizationalUnit
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   187
description: User accounts representing bots or other administrative functions
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   188
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   189
dn: cn=ldap-reader,ou=Roles,$ldap_suffix
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   190
cn: ldap-reader
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   191
objectClass: top
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   192
objectClass: organizationalRole
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   193
objectClass: simpleSecurityObject
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   194
description: Low-security account used for read-only LDAP access by NSS clients
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   195
userPassword: $ldap_reader_pw
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   196
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   197
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   198
EOF
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   199
}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   200
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   201
configure_saslauthd()
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   202
{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   203
	sed -re	's/^START=no$/START=yes/' \
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   204
		-e	's/^MECHANISMS=".+"$/MECHANISMS="kerberos5"/' \
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   205
		-i	/etc/default/saslauthd
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   206
}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   207
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   208
generate_password()
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   209
{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   210
	local length="${1:-64}"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   211
	dd if=/dev/urandom bs=2048 count=1 2>/dev/null | tr -dc 'A-Za-z0-9' | cut -c 1-$length
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   212
}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   213
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   214
build_kcrap()
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   215
{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   216
	oldcwd="`pwd`"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   217
	tempdir=`mktemp -d /tmp/kcrapXXXXXX`
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   218
	cd "$tempdir"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   219
	wget https://aur.archlinux.org/packages/kc/kcrap/kcrap.tar.gz
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   220
	tar xzvf kcrap.tar.gz
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   221
	cd kcrap
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   222
	mkdir pkg src
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   223
	export srcdir="$PWD/src"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   224
	export pkgdir="$PWD/pkg"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   225
	. PKGBUILD
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   226
	wget "${source[0]}"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   227
	for f in ${source[@]}; do
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   228
		f=`basename $f`
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   229
		ln -sf ../$f src/$f
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   230
	done
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   231
	cd "${srcdir}"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   232
	for f in *.tar.bz2; do
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   233
		tar xjf $f
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   234
	done
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   235
	patch -p0 -i "$oldcwd/patches/kcrap-0.2.3-ntlm-extra.patch.patch"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   236
	cd kcrap-0.2.3
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   237
	patch -p1 -i "$oldcwd/patches/kcrapclient.patch"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   238
	cd ..
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   239
	build
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   240
	make install
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   241
	cp -v "test/kcrapclient" "/usr/local/bin/"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   242
	cd "$oldcwd" && rm -rf "$tempdir"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   243
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   244
	echo "/usr/local/lib" > /etc/ld.so.conf.d/usrlocal.conf
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   245
	ldconfig
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   246
}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   247
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   248
configure_kcrap()
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   249
{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   250
	cat <<EOF > /etc/kcrap_server.conf
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   251
[kcrap_server]
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   252
	port = 1999
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   253
	realm = $krb5_realm
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   254
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   255
[realms]
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   256
	$krb5_realm = {
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   257
		database_name = /var/lib/krb5kdc/principal
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   258
		key_stash_file = /etc/krb5kdc/stash
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   259
	}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   260
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   261
EOF
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   262
}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   263
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   264
configure_freerad()
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   265
{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   266
	# mschap module needs to use our ntlm_auth program for auth requests
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   267
	sed -re 's/^#?(\s*)ntlm_auth = ".+"$/\1ntlm_auth = "\/usr\/local\/bin\/kcrapclient %{%{Stripped-User-Name}:-%{%{User-Name}:-None}} %{%{mschap:Challenge}:-00} %{%{mschap:NT-Response}:-00}"/' \
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   268
		-i /etc/freeradius/modules/mschap
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   269
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   270
	# configure ldap module with our settings
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   271
	sed -re	's/^(\s*)#?server = ".+"$/\1server = "ssoinabox.'$domain'"/' \
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   272
		-e	's/^(\s*)#?identity = ".+"$/\1identity = "cn=ldap-reader,ou=Roles,'$ldap_suffix'"/' \
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   273
		-e	's/^(\s*)#?password = .+$/\1password = "'$ldap_reader_pw'"/' \
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   274
		-e	's/^(\s*)#?basedn = ".+"$/\1basedn = "'$ldap_suffix'"/' \
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   275
		-i /etc/freeradius/modules/ldap
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   276
		
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   277
	# enable ldap for authorization and authentication
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   278
	for site in default inner-tunnel; do
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   279
		sed -rf `dirname $0`/resources/freerad-site-patcher.sed \
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   280
			-i /etc/freeradius/sites-available/$site
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   281
	done
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   282
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   283
	# give freerad access to the kerberos keytab
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   284
	setfacl -m u:freerad:r /etc/krb5.keytab
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   285
}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   286
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   287
test_freerad()
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   288
{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   289
	build_eapol_test > /dev/null
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   290
	set +e
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   291
	echo -n "Testing RADIUS auth via EAP/TTLS/PAP..."
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   292
	conf=`mktemp /tmp/frXXXXXX`
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   293
	cat <<EOF > $conf
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   294
network={
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   295
        ssid="example"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   296
        key_mgmt=WPA-EAP
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   297
        eap=TTLS
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   298
        anonymous_identity="$username"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   299
        identity="$username"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   300
        password="$password"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   301
        phase2="auth=PAP"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   302
}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   303
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   304
EOF
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   305
	if /usr/local/bin/eapol_test -s testing123 -c "$conf" 2>&1 > /dev/null; then
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   306
		echo "GOOD"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   307
	else
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   308
		echo "BAD"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   309
	fi
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   310
	echo -n "Testing RADIUS auth via PEAP/MSCHAPv2..."
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   311
	cat <<EOF > $conf
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   312
network={
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   313
        ssid="example"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   314
        key_mgmt=WPA-EAP
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   315
        eap=PEAP
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   316
        anonymous_identity="$username"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   317
        identity="$username"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   318
        password="$password"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   319
        phase2="autheap=MSCHAPv2"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   320
}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   321
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   322
EOF
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   323
	if /usr/local/bin/eapol_test -s testing123 -c "$conf" 2>&1 > /dev/null; then
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   324
		echo "GOOD"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   325
	else
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   326
		echo "BAD"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   327
	fi
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   328
	rm -f $conf
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   329
	set -e
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   330
}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   331
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   332
generate_web_yaml()
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   333
{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   334
	test -d /usr/local/etc/ssoinabox || mkdir -p /usr/local/etc/ssoinabox
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   335
	cat <<EOF > /usr/local/etc/ssoinabox/webcreds.yml
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   336
LDAP_BASEDN: $ldap_suffix
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   337
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   338
UID_MIN: 501
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   339
GID_MIN: 500
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   340
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   341
ldap_server: ldap://localhost:389/
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   342
ldap_manager:
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   343
  dn: cn=Manager,$ldap_suffix
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   344
  password: $ldap_manager_pw
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   345
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   346
ldap_user_basedn: ou=People,$ldap_suffix
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   347
ldap_group_basedn: ou=Groups,$ldap_suffix
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   348
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   349
kerberos_admin:
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   350
  principal: webkerb/admin
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   351
  password: $webkerb_pw
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   352
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   353
PHONE_EXT_MIN: 500
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   354
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   355
EOF
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   356
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   357
	chown root:www-data /usr/local/etc/ssoinabox/webcreds.yml
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   358
	chmod 640 /usr/local/etc/ssoinabox/webcreds.yml
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   359
}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   360
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   361
configure_webkdc()
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   362
{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   363
	cat <<EOF > /etc/webkdc/webkdc.conf
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   364
our \$KEYRING_PATH = '/var/lib/webkdc/keyring';
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   365
our \$TEMPLATE_PATH = '/usr/local/share/weblogin/ssoinabox/templates';
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   366
our \$TEMPLATE_COMPILE_PATH = '/var/cache/weblogin';
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   367
our \$URL = 'http://ssoinabox/webkdc-service';
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   368
our \$BYPASS_CONFIRM = 1;
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   369
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   370
EOF
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   371
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   372
	cat <<EOF > /etc/webkdc/token.acl
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   373
krb5:webauth/*@$krb5_realm id
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   374
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   375
EOF
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   376
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   377
	test -f /etc/webkdc/keytab && rm -f /etc/webkdc/keytab
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   378
	kadmin.local -q "ank -randkey service/webkdc"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   379
	kadmin.local -q "ktadd -norandkey -k /etc/webkdc/keytab service/webkdc"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   380
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   381
	chown root:www-data /etc/webkdc/keytab
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   382
	chmod 640 /etc/webkdc/keytab
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   383
}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   384
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   385
configure_webauth()
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   386
{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   387
	cat <<EOF > /etc/apache2/conf.d/webauth
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   388
WebAuthWebKdcPrincipal			service/webkdc
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   389
WebAuthLoginURL					"http://ssoinabox.$domain/login"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   390
WebAuthWebKdcURL				"http://ssoinabox.$domain/webkdc-service"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   391
WebAuthSSLRedirect				off
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   392
WebAuthRequireSSL				off
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   393
WebAuthDebug					on
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   394
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   395
EOF
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   396
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   397
	test -f /etc/webauth/keytab && rm -f /etc/webauth/keytab
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   398
	kadmin.local -q "ank -randkey webauth/ssoinabox.$domain"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   399
	kadmin.local -q "ktadd -norandkey -k /etc/webauth/keytab webauth/ssoinabox.$domain"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   400
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   401
	chown root:www-data /etc/webauth/keytab
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   402
	chmod 640 /etc/webauth/keytab
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   403
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   404
	# doesn't exist by default...?
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   405
	# chown www-data:www-data /var/lib/webauth/keyring
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   406
}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   407
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   408
configure_apache2()
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   409
{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   410
	cp `dirname $0`/resources/apache2-site.conf /etc/apache2/sites-available/ssoinabox
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   411
	sed -re "s/^(\s*)ServerName .+$/\1ServerName ssoinabox.$domain/" -i /etc/apache2/sites-available/ssoinabox
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   412
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   413
	a2ensite ssoinabox
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   414
	a2dissite default
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   415
}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   416
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   417
build_kadm5()
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   418
{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   419
	test -d tarballs || mkdir tarballs
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   420
	test -f tarballs/kadm5.tar.gz || wget -O tarballs/kadm5.tar.gz http://pecl.php.net/get/kadm5
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   421
	oldcwd="`pwd`"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   422
	tempdir=`mktemp -d /tmp/kadm5XXXXXX`
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   423
	cd $tempdir
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   424
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   425
	tar xzf "$oldcwd/tarballs/kadm5.tar.gz"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   426
	cd kadm5-*
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   427
	patch -p1 -i "$oldcwd/patches/kadm5.patch"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   428
	phpize
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   429
	./configure
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   430
	make
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   431
	make install
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   432
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   433
	cd "$oldcwd" && rm -rf "$tempdir"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   434
	echo "extension=kadm5.so" > /etc/php5/conf.d/kadm5.ini
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   435
}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   436
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   437
build_eapol_test()
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   438
{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   439
	test -x /usr/local/bin/eapol_test && return 0
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   440
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   441
	test -d tarballs || mkdir tarballs
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   442
	test -f tarballs/wpa_supplicant-1.1.tar.gz || wget -O tarballs/wpa_supplicant-1.1.tar.gz "http://hostap.epitest.fi/releases/wpa_supplicant-1.1.tar.gz"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   443
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   444
	oldcwd="`pwd`"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   445
	tempdir=`mktemp -d /tmp/wpasXXXXXX`
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   446
	cd $tempdir
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   447
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   448
	tar xzf "$oldcwd/tarballs/wpa_supplicant-1.1.tar.gz"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   449
	cd wpa_supplicant-1.1/wpa_supplicant
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   450
	cp defconfig .config
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   451
	sed -re 's/^#?CONFIG_EAPOL_TEST=.+$/CONFIG_EAPOL_TEST=y/' -i .config
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   452
	make eapol_test
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   453
	cp -v eapol_test /usr/local/bin/
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   454
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   455
	cd "$oldcwd" && rm -rf "$tempdir"
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   456
}