Initial Commit
25
LDAP/README.md
Normal file
@ -0,0 +1,25 @@
# LDAP Deployment Scripts
Overwatch = read only account used by services to read the LDAP Directory
# TODO
make it so that Overwatch is added to the user_passwd_reset permission Organizational Unit
Make a script that handles letsencrypt cert renewal along with importing new certs into 389 Directory Service.
Set up an ansible script for automatic user password handling
# Maintenance Considerations
After you renew your cert with certbot, it'll be necessary to re-import the TLS keys for your site, this can be done by running
`dsctl -v cavemanon tls import-server-key-cert /etc/letsencrypt/live/dev.cavemanon.xyz/fullchain.pem /etc/letsencrypt/live/dev.cavemanon.xyz/privkey.pem`
where dev.cavemanon.xyz is the name of your site.
## What is LDAP and what does this script do?
LDAP is a protocol for storing information about people in a directory format. Most often used as a central authority on identities. Applications often use LDAP as a back end for authentication so authenticated users need to only remember one set of credentials. Furthermore, you can set up permissions in LDAP that cascade to other programs (so long as you have set those up).
This script sets up an LDAP server known as [389 Directory Service](https://www.port389.org/) using the `instance.inf` configuration file. Furthermore, it sets up TLS encryption so logging into the LDAP server is done over an encrypted connection so you're not leaking credentials to the open internet. This script assumes you're not using an intranet of any kind and that your LDAP server is public facing.
After setting the basics up, it creates an admin account (MichaelYick by default, I'll eventually make this configurable) and sets up automatic incrimenting of user and group ids. From there it creates basic roles (specifically the ones used in Cavemanon) and an overwatch account without a proper password set (you will have to set this). I may make this configurable in the future.
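Review bot: the Maintenance Considerations section stops at the `dsctl -v cavemanon tls import-server-key-cert ...` command, but deployLDAP.sh follows that same import with `systemctl restart dirsrv@cavemanon.service`, so the renewal procedure should document the restart as well, otherwise the server keeps serving the old certificate after certbot has renewed it. Two smaller documentation points: "incrimenting" should read "incrementing", and the sentence saying the overwatch account is created "without a proper password set" should state explicitly that the literal `INSERTPASSWORDHERE` in deployLDAP.sh has to be replaced before the script is run, since running it unchanged leaves a service account with a known password in a public-facing directory.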
55
LDAP/deployLDAP.sh
Normal file
@ -0,0 +1,55 @@
#dsctl cavemanon remove --do-it
dscreate from-file ./instance.inf
#Set up CA Certs from Lets Encrypt to avoid doing self-signing schenanigans
#Documentation: https://www.dennogumi.org/2021/10/setting-up-lets-encrypt-certificates-for-the-389-ds-ldap-server/
wget --continue --directory-prefix /tmp/ https://letsencrypt.org/certs/lets-encrypt-r3.pem https://letsencrypt.org/certs/isrgrootx1.pem
dsconf -v -D "cn=Directory Manager" cavemanon security ca-certificate add --file /tmp/isrgrootx1.pem --name "ISRG"
dsconf -v -D "cn=Directory Manager" cavemanon security ca-certificate add --file /tmp/lets-encrypt-r3.pem --name "R3"
dsctl -v cavemanon tls import-server-key-cert /etc/letsencrypt/live/dev.cavemanon.xyz/fullchain.pem /etc/letsencrypt/live/dev.cavemanon.xyz/privkey.pem
#dsconf -v -D "cn=Directory Manager" cavemanon security certificate add --file /etc/letsencrypt/live/dev.cavemanon.xyz/fullchain.pem --primary-cert --name "LetsEncrypt"
dsconf -v -D "cn=Directory Manager" cavemanon config replace nsslapd-securePort=636 nsslapd-security=on
#disable insecure ports
dsconf -v -D "cn=Directory Manager" cavemanon config replace nsslapd-port=0
#disable anonymous logons
#Documentation: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/identity_management_guide/disabling-anon-binds
dsconf -v -D "cn=Directory Manager" cavemanon config replace nsslapd-allow-anonymous-access=rootdse
systemctl restart dirsrv@cavemanon.service
openssl s_client -connect dev.cavemanon.xyz:636 || exit 1 #verify shit works
# memberOf plugin enable
# https://www.port389.org/docs/389ds/howto/quickstart.html
dsconf cavemanon plugin memberof enable
dsctl cavemanon restart
dsconf cavemanon plugin memberof set --scope dc=dev,dc=cavemanon,dc=xyz
dsidm cavemanon user modify MichaelYick add:objectclass:nsmemberof
dsconf cavemanon plugin memberof fixup dc=dev,dc=cavemanon,dc=xyz
#https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/dna#dna-config-entry
dsconf cavemanon plugin dna enable
#https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/dna#configuring_unique_number_assignments_using_the_command_line
dsconf cavemanon plugin dna config "Account UIDs" add --type uidNumber --filter "(objectclass=posixAccount)" --scope ou=people,dc=dev,dc=cavemanon,dc=xyz --next-value 1000 --max-value 6650 --threshold 100 --range-request-timeout 60 --magic-regen -1
dsconf cavemanon plugin dna config "Account GIDs" add --type gidNumber --filter "(objectclass=posixAccount)" --scope ou=people,dc=dev,dc=cavemanon,dc=xyz --next-value 1000 --max-value 6650 --threshold 100 --range-request-timeout 60 --magic-regen -1
dsctl cavemanon restart
dsidm cavemanon group create --cn TechMaster
dsidm cavemanon group create --cn Administration
dsidm cavemanon group create --cn Exit665
dsidm cavemanon group create --cn Wani
dsidm cavemanon group create --cn SnootGame
dsidm cavemanon group create --cn Shop
dsidm cavemanon service create --cn overwatch --description "Read-only access to the LDAP server"
dsidm cavemanon service modify overwatch add:userPassword:'INSERTPASSWORDHERE'
dsidm -b dc=dev,dc=cavemanon,dc=xyz cavemanon user create --uid MichaelYick --cn MichaelYick --displayName 'Michael Yick' --uidNumber -1 --gidNumber -1 --homeDirectory /home/MichaelYick
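Review bot: `dsidm cavemanon user modify MichaelYick add:objectclass:nsmemberof` in the memberOf section runs before the `dsidm -b dc=dev,dc=cavemanon,dc=xyz cavemanon user create --uid MichaelYick ...` at the very end of the script, so on a fresh instance it targets a user that does not exist yet and fails; move the user creation above the memberOf block (or the nsmemberof modify below it), and add a shebang plus `set -e` so a failed dsconf/dsidm step stops the run instead of being skipped silently, since only the openssl step has `|| exit 1`. That check also does not verify what the comment says: `openssl s_client -connect dev.cavemanon.xyz:636` blocks reading stdin until EOF and exits 0 even when the certificate chain fails verification, so use `openssl s_client -connect dev.cavemanon.xyz:636 -verify_return_error </dev/null` to make a bad chain actually fail the deploy. Finally, `add:userPassword:'INSERTPASSWORDHERE'` sets the placeholder as the real password of the overwatch service account; take it from an operator-supplied variable such as `${OVERWATCH_PASSWORD:?}` instead of a literal that is easy to deploy unchanged.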
12
LDAP/instance.inf
Normal file
@ -0,0 +1,12 @@
[general]
config_version = 2
[slapd]
instance_name = cavemanon
root_dn = cn=Directory Manager
root_password = CHANGEME
[backend-userroot]
sample_entries = yes
suffix = dc=dev,dc=cavemanon,dc=xyz
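Review bot: `root_password = CHANGEME` commits a placeholder that becomes the real Directory Manager password if `dscreate from-file ./instance.inf` is run as-is, and unlike the overwatch password the README never tells the operator to change it; have the deploy script substitute the value from an operator-supplied variable or a file kept outside the repository, and keep the generated file from being world-readable. Also worth a comment in the file: `sample_entries = yes` is a hard dependency here, because `ou=people`, which the DNA scopes in deployLDAP.sh and every DN in useradd.sh rely on, is not created anywhere else in this commit.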
22
LDAP/useradd.sh
Executable file
@ -0,0 +1,22 @@
#!/bin/sh
name=$1
shift 1
ssh root@dev.cavemanon.xyz "dsidm -b dc=dev,dc=cavemanon,dc=xyz cavemanon user create --uid $name --cn $name --displayName $name --uidNumber -1 --gidNumber -1 --homeDirectory /home/$name"
for group in "$@"
do
ssh root@dev.cavemanon.xyz "dsidm cavemanon group add_member $group uid=$name,ou=people,dc=dev,dc=cavemanon,dc=xyz"
done
password=$(openssl rand -hex 16)
ssh root@dev.cavemanon.xyz "dsidm cavemanon account reset_password uid=$name,ou=people,dc=dev,dc=cavemanon,dc=xyz $password"
ssh root@dev.cavemanon.xyz "dsidm cavemanon account modify-by-dn uid=$name,ou=people,dc=dev,dc=cavemanon,dc=xyz add:mail:$name@cavemanon.xyz"
printf "
Landing Page: cloud.dev.cavemanon.xyz \n
Username: %s \n
Email: %s@cavemanon.xyz \n
Password: %s \n
You can reset your password at auth.dev.cavemanon.xyz \n
" "$name" "$name" "$password" > /tmp/"$name".txt
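Review bot: `$name` and each `$group` are interpolated unquoted into command strings that a root shell on dev.cavemanon.xyz executes, so a username containing whitespace or shell metacharacters breaks the `dsidm ... user create` call at best and is interpreted by that root shell at worst; validate both against a strict pattern before use, e.g. `case $name in ""|*[!A-Za-z0-9._-]*) echo "bad name" >&2; exit 1;; esac`, and quote them inside the remote command. The generated password is also written to `/tmp/"$name".txt`, which under the default umask is readable by every local user, and it is placed on the remote command line of `dsidm cavemanon account reset_password ...`, where it is visible in the process list on the server; set `umask 077` before the `printf` (or write under the invoking user's home) and keep the password off the command line where the tool allows it.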