|
| 1 | +#!/bin/sh |
| 2 | +set -ev |
| 3 | + |
| 4 | +# Create TLS certificate |
| 5 | +sudo mkdir -p /etc/ldap/ssl |
| 6 | + |
| 7 | +alt_names() { |
| 8 | + ( |
| 9 | + ( |
| 10 | + (hostname && hostname -a && hostname -A && hostname -f) | |
| 11 | + xargs -n 1 | |
| 12 | + sort -u | |
| 13 | + sed -e 's/\(\S\+\)/DNS:\1/g' |
| 14 | + ) && ( |
| 15 | + (hostname -i && hostname -I && echo "127.0.0.1 ::1") | |
| 16 | + xargs -n 1 | |
| 17 | + sort -u | |
| 18 | + sed -e 's/\(\S\+\)/IP:\1/g' |
| 19 | + ) |
| 20 | + ) | paste -d, -s |
| 21 | +} |
| 22 | + |
| 23 | +sudo openssl req -newkey rsa:4096 -x509 -nodes -days 3650 \ |
| 24 | + -out /etc/ldap/ssl/server.crt -keyout /etc/ldap/ssl/server.key \ |
| 25 | + -subj "/C=US/ST=Arizona/L=Localhost/O=localhost/CN=localhost" \ |
| 26 | + -addext "subjectAltName = `alt_names`" |
| 27 | + |
| 28 | +sudo chown -R openldap:openldap /etc/ldap/ssl |
| 29 | + |
| 30 | +# Display the TLS certificate (should be world readable) |
| 31 | +openssl x509 -noout -text -in /etc/ldap/ssl/server.crt |
| 32 | + |
| 33 | +# Point to the certificate generated |
| 34 | +if ! grep -q 'TLS_CACERT \/etc\/ldap\/ssl\/server.crt' /etc/ldap/ldap.conf; then |
| 35 | + sudo sed -e 's|^\s*TLS_CACERT|# TLS_CACERT|' -i /etc/ldap/ldap.conf |
| 36 | + echo 'TLS_CACERT /etc/ldap/ssl/server.crt' | sudo tee -a /etc/ldap/ldap.conf |
| 37 | +fi |
| 38 | + |
| 39 | +# Configure LDAP protocols to serve. |
| 40 | +sudo sed -e 's|^\s*SLAPD_SERVICES\s*=.*$|SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"|' -i /etc/default/slapd |
| 41 | + |
| 42 | +# Configure LDAP database. |
| 43 | +DBDN=`sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(&(olcRootDN=*)(olcSuffix=*))' dn | grep -i '^dn:' | sed -e 's/^dn:\s*//'`; |
| 44 | + |
| 45 | +sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif |
| 46 | + |
| 47 | +sudo service slapd restart |
| 48 | + |
| 49 | +sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// << EOF |
| 50 | +dn: $DBDN |
| 51 | +changetype: modify |
| 52 | +replace: olcSuffix |
| 53 | +olcSuffix: dc=my-domain,dc=com |
| 54 | +- |
| 55 | +replace: olcRootDN |
| 56 | +olcRootDN: cn=Manager,dc=my-domain,dc=com |
| 57 | +- |
| 58 | +replace: olcRootPW |
| 59 | +olcRootPW: secret |
| 60 | +
|
| 61 | +dn: cn=config |
| 62 | +changetype: modify |
| 63 | +add: olcTLSCACertificateFile |
| 64 | +olcTLSCACertificateFile: /etc/ldap/ssl/server.crt |
| 65 | +- |
| 66 | +add: olcTLSCertificateFile |
| 67 | +olcTLSCertificateFile: /etc/ldap/ssl/server.crt |
| 68 | +- |
| 69 | +add: olcTLSCertificateKeyFile |
| 70 | +olcTLSCertificateKeyFile: /etc/ldap/ssl/server.key |
| 71 | +- |
| 72 | +add: olcTLSVerifyClient |
| 73 | +olcTLSVerifyClient: never |
| 74 | +- |
| 75 | +add: olcAuthzRegexp |
| 76 | +olcAuthzRegexp: uid=usera,cn=digest-md5,cn=auth cn=usera,dc=my-domain,dc=com |
| 77 | +- |
| 78 | +replace: olcLogLevel |
| 79 | +olcLogLevel: -1 |
| 80 | +
|
| 81 | +dn: cn=module{0},cn=config |
| 82 | +changetype: modify |
| 83 | +add: olcModuleLoad |
| 84 | +olcModuleLoad: sssvlv |
| 85 | +- |
| 86 | +add: olcModuleLoad |
| 87 | +olcModuleLoad: ppolicy |
| 88 | +- |
| 89 | +add: olcModuleLoad |
| 90 | +olcModuleLoad: dds |
| 91 | +EOF |
| 92 | + |
| 93 | +sudo service slapd restart |
| 94 | + |
| 95 | +sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// << EOF |
| 96 | +dn: olcOverlay=sssvlv,$DBDN |
| 97 | +objectClass: olcOverlayConfig |
| 98 | +objectClass: olcSssVlvConfig |
| 99 | +olcOverlay: sssvlv |
| 100 | +olcSssVlvMax: 10 |
| 101 | +olcSssVlvMaxKeys: 5 |
| 102 | +
|
| 103 | +dn: olcOverlay=ppolicy,$DBDN |
| 104 | +objectClass: olcOverlayConfig |
| 105 | +objectClass: olcPPolicyConfig |
| 106 | +olcOverlay: ppolicy |
| 107 | +### This would clutter our DIT and make tests to fail, while ppolicy does not |
| 108 | +### seem to work as we expect (it does not seem to provide expected controls) |
| 109 | +## olcPPolicyDefault: cn=default,ou=pwpolicies,dc=my-domain,dc=com |
| 110 | +## olcPPolicyHashCleartext: FALSE |
| 111 | +## olcPPolicyUseLockout: TRUE |
| 112 | +
|
| 113 | +dn: olcOverlay=dds,$DBDN |
| 114 | +objectClass: olcOverlayConfig |
| 115 | +objectClass: olcDdsConfig |
| 116 | +olcOverlay: dds |
| 117 | +EOF |
| 118 | + |
| 119 | +sudo service slapd restart |
| 120 | + |
| 121 | +sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// << EOF |
| 122 | +dn: $DBDN |
| 123 | +changetype: modify |
| 124 | +add: olcDbIndex |
| 125 | +olcDbIndex: entryExpireTimestamp eq |
| 126 | +EOF |
| 127 | + |
| 128 | +sudo service slapd restart |
| 129 | + |
| 130 | +ldapadd -H ldapi:/// -D cn=Manager,dc=my-domain,dc=com -w secret <<EOF |
| 131 | +dn: dc=my-domain,dc=com |
| 132 | +objectClass: top |
| 133 | +objectClass: organization |
| 134 | +objectClass: dcObject |
| 135 | +dc: my-domain |
| 136 | +o: php ldap tests |
| 137 | +
|
| 138 | +### This would clutter our DIT and make tests to fail, while ppolicy does not |
| 139 | +### seem to work as we expect (it does not seem to provide expected controls) |
| 140 | +## dn: ou=pwpolicies,dc=my-domain,dc=com |
| 141 | +## objectClass: top |
| 142 | +## objectClass: organizationalUnit |
| 143 | +## ou: pwpolicies |
| 144 | +## |
| 145 | +## dn: cn=default,ou=pwpolicies,dc=my-domain,dc=com |
| 146 | +## objectClass: top |
| 147 | +## objectClass: person |
| 148 | +## objectClass: pwdPolicy |
| 149 | +## cn: default |
| 150 | +## sn: default |
| 151 | +## pwdAttribute: userPassword |
| 152 | +## pwdMaxAge: 2592000 |
| 153 | +## pwdExpireWarning: 3600 |
| 154 | +## #pwdInHistory: 0 |
| 155 | +## pwdCheckQuality: 0 |
| 156 | +## pwdMaxFailure: 5 |
| 157 | +## pwdLockout: TRUE |
| 158 | +## #pwdLockoutDuration: 0 |
| 159 | +## #pwdGraceAuthNLimit: 0 |
| 160 | +## #pwdFailureCountInterval: 0 |
| 161 | +## pwdMustChange: FALSE |
| 162 | +## pwdMinLength: 3 |
| 163 | +## pwdAllowUserChange: TRUE |
| 164 | +## pwdSafeModify: FALSE |
| 165 | +EOF |
| 166 | + |
| 167 | +# Verify TLS connection |
| 168 | + |
| 169 | +ldapsearch -d 255 -H ldaps://localhost -D cn=Manager,dc=my-domain,dc=com -w secret -s base -b dc=my-domain,dc=com 'objectclass=*' |
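Review bot: `DBDN` (file line 43) is never validated before it is interpolated into the `dn:` lines of the ldapmodify/ldapadd here-documents at file lines 50, 96, 103, 113 and 122; the command substitution ends in `sed`, so an empty or multi-line result does not trip `set -e`, and an empty value turns `dn: $DBDN` into a modify of the root DSE while two matching databases would yield a malformed multi-line DN. Add a guard right after the assignment, e.g. `[ -n "$DBDN" ] && [ "$(printf '%s\n' "$DBDN" | wc -l)" -eq 1 ] || { echo 'expected exactly one database with olcRootDN and olcSuffix' >&2; exit 1; }`, and drop the stray trailing `;` on that line. Separately, `set -ev` echoes every command, so the root password given as `-w secret` on file lines 130 and 169 (and stored as cleartext `olcRootPW: secret`) ends up in the build transcript and in `ps` output; this is presumably a throwaway test instance, but `-y <password-file>` plus an `{SSHA}` value from `slappasswd` would keep it out of both. Note also that `\s`/`\+` in the `sed` expressions and `-addext` on `openssl req` are GNU sed and OpenSSL 1.1.1+ features, which is worth stating in a comment near the top under `#!/bin/sh`.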