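#!/bin/bash
# CI provisioning for the "auth1" container: turns a stock container into a
# throwaway LDAP (slapd + nslcd) and Kerberos (KDC + kadmin + saslauthd)
# server, then parks on a TCP port so a sibling container can wait for it.
# Runs as root from the repository root (reads .drone/*); with -x every
# command, including the throwaway realm password below, lands in the CI log.
set -ex

#######################################
# Rewrite a file through a sed -E script without replacing its inode.
# /etc/resolv.conf and /etc/hosts are normally bind-mounted into a container,
# so `sed -i` (rename-over) is avoided for them; the filtered content is
# written back with cat into the existing file.
# Arguments: $1 - file to rewrite; remaining args - sed -E script/options
# Returns:   non-zero (exits under set -e) if any step fails
#######################################
filter_in_place() {
  local target=$1
  shift
  local tmp
  tmp=$(mktemp)
  sed -E "$@" "$target" > "$tmp"
  cat "$tmp" > "$target"
  rm -f -- "$tmp"
}

#######################################
# Print the first address getent resolves for a host name (empty on failure).
# Arguments: $1 - host name
# Outputs:   address on stdout
#######################################
get_ip_addr() {
  getent hosts "$1" | cut -d' ' -f1 | head -n 1
}

#######################################
# Ensure /etc/hosts maps an address to NAME.csclub.internal and NAME.
# Any existing line for the same address+name is dropped first so re-runs
# do not accumulate duplicates. NOTE: the address is used unescaped as a
# regex, so '.' matches any character; harmless for a hosts-line match.
# Arguments: $1 - IP address, $2 - short host name
#######################################
add_fqdn_to_hosts() {
  local ip_addr=$1
  local name=$2
  filter_in_place /etc/hosts "/${ip_addr}.*\\b${name}\\b/d"
  printf '%s %s.csclub.internal %s\n' "$ip_addr" "$name" "$name" >> /etc/hosts
}

# don't resolve container names to *real* CSC machines
filter_in_place /etc/resolv.conf '/^(domain|search)[[:space:]]+csclub.uwaterloo.ca/d'

# set FQDN in /etc/hosts
container_host=$(hostname)
container_ip=$(get_ip_addr "$container_host")
# Without this check an empty address would write a dangling " auth1" line.
[[ -n "$container_ip" ]] || { printf 'cannot resolve %s\n' "$container_host" >&2; exit 1; }
add_fqdn_to_hosts "$container_ip" auth1

# I'm not sure why, but we also need to remove the hosts entry for the
# container's real hostname, otherwise slapd only looks for the principal
# ldap/ (this is with the sasl-host option)
filter_in_place /etc/hosts "/\\b${container_host}\\b/d"

export DEBIAN_FRONTEND=noninteractive
# apt-get is the scripting-stable interface; apt warns when used non-interactively.
apt-get update
apt-get install -y psmisc

# LDAP
apt-get install -y --no-install-recommends slapd ldap-utils libnss-ldapd sudo-ldap
# `service slapd stop` doesn't seem to work
killall slapd || true
service nslcd stop || true
# Wipe the package-generated config and database; -f so an already-empty
# directory (unmatched glob) does not abort the script under set -e.
rm -rf /etc/ldap/slapd.d
rm -f /var/lib/ldap/*
cp /usr/share/slapd/DB_CONFIG /var/lib/ldap/DB_CONFIG
cp .drone/slapd.conf /etc/ldap/slapd.conf
cp .drone/ldap.conf /etc/ldap/ldap.conf
cp /usr/share/doc/sudo-ldap/schema.OpenLDAP /etc/ldap/schema/sudo.schema
cp .drone/rfc2307bis.schema /etc/ldap/schema/
cp .drone/csc.schema /etc/ldap/schema/
chown -R openldap:openldap /etc/ldap/schema/ /var/lib/ldap/ /etc/ldap/
sleep 0.5 && service slapd start
# nslcd: map group membership to uniqueMember (idempotent append), point it at
# the local directory, and install the nsswitch config that enables it.
grep -Eq '^map group member uniqueMember$' /etc/nslcd.conf || \
  printf '%s\n' 'map group member uniqueMember' >> /etc/nslcd.conf
sed -E -i 's|^uri .*$|uri ldap://auth1.csclub.internal|' /etc/nslcd.conf
sed -E -i 's/^base .*$/base dc=csclub,dc=internal/' /etc/nslcd.conf
cp .drone/nsswitch.conf /etc/nsswitch.conf
service nslcd start
# -c keeps going past per-entry errors (e.g. entries that already exist).
ldapadd -c -f .drone/data.ldif -Y EXTERNAL -H ldapi:///

# KERBEROS
apt-get install -y krb5-admin-server krb5-user \
  libpam-krb5 libsasl2-modules-gssapi-mit sasl2-bin
service krb5-admin-server stop || true
service krb5-kdc stop || true
service saslauthd stop || true
cp .drone/krb5.conf /etc/krb5.conf
cp .drone/kdc.conf /etc/krb5kdc.conf
# Every */admin principal gets full kadmin rights in this throwaway realm.
printf '%s\n' '*/admin *' > /etc/krb5kdc/kadm5.acl
rm -f /var/lib/krb5kdc/*
# krb5_newrealm prompts twice for the master password; "krb5" is the
# throwaway CI realm's password and is not reused anywhere real.
printf 'krb5\nkrb5\n' | krb5_newrealm
service krb5-kdc start
service krb5-admin-server start
# NOTE(review): nothing below creates a service principal or keytab after
# this removal; presumably a later step does — confirm.
rm -f /etc/krb5.keytab
# SASL config for slapd: PLAIN/LOGIN are verified by saslauthd (Kerberos5
# below); GSSAPI/EXTERNAL are handled in-process.
cat <<'EOF' > /usr/lib/sasl2/slapd.conf
mech_list: plain login gssapi external
pwcheck_method: saslauthd
EOF
sed -E -i 's/^START=.*$/START=yes/' /etc/default/saslauthd
sed -E -i 's/^MECHANISMS=.*$/MECHANISMS="kerberos5"/' /etc/default/saslauthd
service saslauthd start
# Restart slapd so it loads the SASL config; the stop is best-effort and the
# start is unconditional so a not-running slapd is not silently left down.
killall slapd || true
sleep 0.5
service slapd start

# sync with phosphoric-acid
# Blocks on all interfaces until a peer connects to 9000, acting as a
# readiness barrier for the other CI container; assumes the CI network is
# private to the pipeline — confirm.
apt-get install -y netcat-openbsd
nc -l 0.0.0.0 9000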