LDAP Deployment Scripts
Overwatch = read-only account used by services to read the LDAP directory
TODO
Make it so that Overwatch is added to the user_passwd_reset permission Organizational Unit
Make a script that handles letsencrypt cert renewal along with importing new certs into 389 Directory Service.
Set up an ansible script for automatic user password handling
Maintenance Considerations
After you renew your cert with certbot, you will need to re-import the TLS key and certificate for your site into the directory server. This can be done by running
dsctl -v cavemanon tls import-server-key-cert /etc/letsencrypt/live/dev.cavemanon.xyz/fullchain.pem /etc/letsencrypt/live/dev.cavemanon.xyz/privkey.pem
where dev.cavemanon.xyz is the name of your site.
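The re-import above can be automated as a certbot deploy hook. This is an added example, not one of the deployment scripts in this repository; it assumes the instance name cavemanon from the command above and the RENEWED_LINEAGE variable that certbot sets for scripts passed via --deploy-hook.

```shell
#!/bin/sh
# Added example: certbot deploy hook that re-imports a renewed Let's Encrypt
# certificate into a 389 Directory Server instance. Not part of the deployment
# scripts; assumes instance name "cavemanon" and certbot's RENEWED_LINEAGE.
set -eu

DS_INSTANCE="${DS_INSTANCE:-cavemanon}"   # 389 DS instance name (assumed default)
DSCTL="${DSCTL:-dsctl}"                   # overridable so the hook can be dry-run

# Derive the site name from a certbot lineage path such as
# /etc/letsencrypt/live/dev.cavemanon.xyz
lineage_domain() {
    basename "$1"
}

# Build the exact dsctl import command from the README for an instance and
# lineage directory; echoed rather than run so it can be inspected or tested.
build_import_cmd() {
    inst="$1"
    lineage="$2"
    echo "dsctl -v $inst tls import-server-key-cert $lineage/fullchain.pem $lineage/privkey.pem"
}

# Sanity-check that the renewed chain and key exist and are readable before
# touching the directory server; refuse to run against a missing lineage.
check_lineage() {
    [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ]
}

# Entry point used by certbot: certbot renew --deploy-hook /path/to/this-script
deploy_hook() {
    lineage="${RENEWED_LINEAGE:?certbot did not set RENEWED_LINEAGE}"
    check_lineage "$lineage" || { echo "missing cert files in $lineage" >&2; return 1; }
    echo "importing cert for $(lineage_domain "$lineage") into instance $DS_INSTANCE"
    "$DSCTL" -v "$DS_INSTANCE" tls import-server-key-cert \
        "$lineage/fullchain.pem" "$lineage/privkey.pem"
    # Restart so the running instance serves the new certificate (assumption:
    # the import succeeds while the instance is up, as the README implies).
    "$DSCTL" "$DS_INSTANCE" restart
}

# Only act when invoked by certbot (RENEWED_LINEAGE set); sourcing the file
# otherwise just defines the functions without side effects.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook
fi
```

Set DSCTL=echo to dry-run the hook and see the commands it would issue without touching the instance.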
What is LDAP and what does this script do?
LDAP is a protocol for storing information about people in a directory format, and it is most often used as a central authority on identities. Applications often use LDAP as a back end for authentication so that users need to remember only one set of credentials. Furthermore, you can set up permissions in LDAP that cascade to other programs (so long as you have set those up).
This script sets up an LDAP server known as 389 Directory Service using the instance.inf configuration file. Furthermore, it sets up TLS encryption so that logging into the LDAP server is done over an encrypted connection and you are not leaking credentials to the open internet. This script assumes you are not using an intranet of any kind and that your LDAP server is public facing.
After setting the basics up, it creates an admin account (MichaelYick by default; I'll eventually make this configurable) and sets up automatic incrementing of user and group ids. From there it creates basic roles (specifically the ones used in Cavemanon) and an Overwatch account without a proper password set (you will have to set this). I may make this configurable in the future.