#!/bin/bash
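set -ex

# NOTE: `-x` traces every command and its arguments into the job log. Any
# secret passed on a command line further down (e.g. the KDC master password
# piped into krb5_newrealm) therefore ends up in the CI log. That is tolerable
# here only because everything this script creates is a throw-away fixture.

# don't resolve container names to *real* CSC machines: drop any
# "domain"/"search" line that would append csclub.uwaterloo.ca to bare names.
# The dots are escaped so the pattern matches the literal domain rather than
# any character. The file is rewritten through a temporary copy instead of
# `sed -i`/mv — presumably because /etc/resolv.conf is bind-mounted into the
# container and cannot be replaced by a rename; confirm before "simplifying".
resolv_tmp=$(mktemp)
sed -E '/^(domain|search)[[:space:]]+csclub\.uwaterloo\.ca/d' /etc/resolv.conf > "$resolv_tmp"
cat "$resolv_tmp" > /etc/resolv.conf
rm -f -- "$resolv_tmp"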
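# Print the address(es) the resolver returns for a host name, one per line, in
# the order `getent hosts` lists them. Prints nothing when the name does not
# resolve; the exit status is that of the last pipeline stage (cut).
# Arguments: $1 - host name to look up
get_ip_addr() {
    local name=$1
    # getent prints "ADDRESS  NAME [ALIAS...]"; keep only the first field.
    getent hosts "$name" | cut -d' ' -f1
}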
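# Ensure /etc/hosts maps IP_ADDR to HOSTNAME.csclub.internal (plus the bare
# HOSTNAME). Any existing line carrying the same address followed by that
# name is removed first, so the function can be re-run without duplicating
# entries.
# Arguments: $1 - IPv4/IPv6 address
#            $2 - short host name (the .csclub.internal suffix is added here)
add_fqdn_to_hosts() {
    local ip_addr=$1
    local hostname=$2
    local tmp ip_re

    # The address is interpolated into a sed regex; escape its dots so a
    # dotted quad matches literally rather than as "any character".
    ip_re=$(printf '%s' "$ip_addr" | sed 's/\./\\./g')

    # Written back through a temporary copy rather than `sed -i`/mv —
    # presumably to keep the existing /etc/hosts inode (bind-mounted in
    # containers); confirm before changing.
    tmp=$(mktemp)
    sed -E "/${ip_re}.*\\b${hostname}\\b/d" /etc/hosts > "$tmp"
    cat "$tmp" > /etc/hosts
    rm -f -- "$tmp"

    printf '%s %s.csclub.internal %s\n' "$ip_addr" "$hostname" "$hostname" >> /etc/hosts
}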
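# set FQDN in /etc/hosts: map this container's own address to
# auth1.csclub.internal so the service principals created below resolve to us.
container_ip=$(get_ip_addr "$(hostname)" | head -n1)
# Guard against an empty lookup: unquoted, it would shift the arguments so
# that "auth1" became the address and a bogus " .csclub.internal" line was
# appended to /etc/hosts.
if [[ -z "$container_ip" ]]; then
    echo "could not resolve an IP address for $(hostname)" >&2
    exit 1
fi
add_fqdn_to_hosts "$container_ip" auth1

# I'm not sure why, but we also need to remove the hosts entry for the
# container's real hostname, otherwise slapd only looks for the principal
# ldap/<container hostname> (this is with the sasl-host option)
# (the host name is interpolated into a sed regex; container names are
# expected to be plain alphanumerics/hyphens, so no escaping is done)
hosts_tmp=$(mktemp)
sed -E "/\\b$(hostname)\\b/d" /etc/hosts > "$hosts_tmp"
cat "$hosts_tmp" > /etc/hosts
rm -f -- "$hosts_tmp"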
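export DEBIAN_FRONTEND=noninteractive
apt update
apt install -y psmisc   # provides killall, used below

# LDAP
apt install -y --no-install-recommends slapd ldap-utils libnss-ldapd sudo-ldap
# `service slapd stop` doesn't seem to work
killall slapd || true
service nslcd stop || true
# Throw away the Debian-generated cn=config tree and database so slapd starts
# from our slapd.conf with an empty directory. `-f` keeps a re-run from
# aborting under `set -e` when the data directory is already empty.
rm -rf /etc/ldap/slapd.d
rm -f -- /var/lib/ldap/*
cp /usr/share/slapd/DB_CONFIG /var/lib/ldap/DB_CONFIG
cp .drone/slapd.conf /etc/ldap/slapd.conf
cp .drone/ldap.conf /etc/ldap/ldap.conf
cp /usr/share/doc/sudo-ldap/schema.OpenLDAP /etc/ldap/schema/sudo.schema
cp .drone/rfc2307bis.schema /etc/ldap/schema/
cp .drone/csc.schema /etc/ldap/schema/
# NOTE(review): this gives the slapd service account ownership of its own
# configuration (slapd.conf, ldap.conf, schema/), so a compromised slapd could
# rewrite it; it only needs read access plus write access to /var/lib/ldap.
# Tolerable for a throw-away CI container, not something to copy to a real
# host. (/etc/ldap/schema/ is already covered by /etc/ldap/.)
chown -R openldap:openldap /var/lib/ldap/ /etc/ldap/
sleep 0.5
service slapd start

# nslcd: resolve users/groups through the local slapd. The group entries
# loaded below presumably use uniqueMember rather than member — confirm
# against .drone/data.ldif.
grep -Eq '^map group member uniqueMember$' /etc/nslcd.conf || \
    echo 'map group member uniqueMember' >> /etc/nslcd.conf
# Plain ldap:// (no TLS); acceptable on the isolated CI network only.
sed -E -i 's/^uri .*$/uri ldap:\/\/auth1.csclub.internal/' /etc/nslcd.conf
sed -E -i 's/^base .*$/base dc=csclub,dc=internal/' /etc/nslcd.conf
cp .drone/nsswitch.conf /etc/nsswitch.conf
service nslcd start

# Seed the directory over the local socket. SASL EXTERNAL on ldapi:///
# authenticates as the connecting uid (root here); whether that identity may
# write is decided in .drone/slapd.conf (not shown). `-c` reports errors but
# keeps going, so entries that already exist do not abort the load.
ldapadd -c -f .drone/data.ldif -Y EXTERNAL -H ldapi:///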
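# KERBEROS
apt install -y krb5-admin-server krb5-user libpam-krb5 libsasl2-modules-gssapi-mit sasl2-bin
service krb5-admin-server stop || true
service krb5-kdc stop || true
service saslauthd stop || true
cp .drone/krb5.conf /etc/krb5.conf
cp .drone/kdc.conf /etc/krb5kdc.conf
# Any */admin principal gets full kadmin rights — test realm only.
echo '*/admin *' > /etc/krb5kdc/kadm5.acl
rm -f -- /var/lib/krb5kdc/*
# krb5_newrealm prompts for the master password twice. "krb5" is a throw-away
# fixture; with `set -x` it is visible in the job log anyway.
printf 'krb5\nkrb5\n' | krb5_newrealm
service krb5-kdc start
service krb5-admin-server start
rm -f /etc/krb5.keytab
# Test principals. The 4-character minimum and the shared password "krb5"
# exist only so these fixture users are valid; never reuse outside CI.
kadmin.local <<EOF
addpol -minlength 4 default
addprinc -pw krb5 sysadmin/admin
addprinc -pw krb5 ctdalek
addprinc -pw krb5 regular1
addprinc -randkey host/auth1.csclub.internal
addprinc -randkey ldap/auth1.csclub.internal
ktadd host/auth1.csclub.internal
ktadd ldap/auth1.csclub.internal
EOF

# The keytab holds the host/ and ldap/ service keys. Keep it root-owned and
# readable only by a dedicated group that slapd joins, instead of making it
# world-readable.
groupadd keytab || true
chgrp keytab /etc/krb5.keytab
chmod 640 /etc/krb5.keytab
usermod -a -G keytab openldap
# presumably needed so slapd can reach saslauthd's group-"sasl" socket for the
# pwcheck_method below — confirm on the target Debian release
usermod -a -G sasl openldap
# NOTE(review): PLAIN/LOGIN over the non-TLS ldap:// URI configured for nslcd
# send passwords in the clear; acceptable only on this isolated CI network.
cat <<EOF > /usr/lib/sasl2/slapd.conf
mech_list: plain login gssapi external
pwcheck_method: saslauthd
EOF
sed -E -i 's/^START=.*$/START=yes/' /etc/default/saslauthd
# Verify PLAIN/LOGIN passwords against the KDC rather than a local sasldb.
sed -E -i 's/^MECHANISMS=.*$/MECHANISMS="kerberos5"/' /etc/default/saslauthd
service saslauthd start
# Restart slapd so it picks up the keytab, group membership and SASL config.
# `|| true` matches the earlier stop: as the first element of an && chain a
# failing `killall` is ignored by `set -e` and would silently skip the restart.
killall slapd || true
sleep 0.5
service slapd start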
# sync with phosphoric-acid
apt install -y netcat-openbsd
# Block here until a peer connects to TCP 9000 on any interface — presumably
# the phosphoric-acid container connects once it is ready, so this is the
# barrier that ends the script; confirm against its setup script. Any client
# on the network can release it and there is no timeout, so a missing peer
# hangs the job; wrapping nc in `timeout` would turn that into a failure.
nc -l 0.0.0.0 9000