commit 50772400606dfd780fc587b18314eeb5e31ee733 Author: William Mantly Date: Wed May 13 14:38:39 2020 -0400 files
diff --git a/files/ldap-ssh-key.sh b/files/ldap-ssh-key.sh
new file mode 100644
index 0000000..4d40a33
--- /dev/null
+++ b/files/ldap-ssh-key.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+ldapsearch -h {{ldap_host}} -D "{{ldap_bind_dn}}" -w "{{ldap_bind_password}}" '(&(|(memberof=cn=host_access,ou=groups,dc=theta42,dc=com)(memberof=cn=host_{{current_host}}_access,ou=groups,dc=theta42,dc=com))(uid='"$1"'))' 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
diff --git a/files/sudo-ldap.conf b/files/sudo-ldap.conf
new file mode 100644
index 0000000..7e997a6
--- /dev/null
+++ b/files/sudo-ldap.conf
@@ -0,0 +1,9 @@
+BASE dc=theta42,dc=com
+URI ldap://{{ldap_host}}
+
+BINDDN {{ldap_bind_dn}}
+BINDPW {{ldap_bind_password}}
+
+sudoers_base dc=theta42,dc=com
+
+SUDOERS_SEARCH_FILTER (|(memberof=cn=host_admin,ou=groups,dc=theta42,dc=com)(memberof=cn=host_{{current_host}}_admin,ou=groups,dc=theta42,dc=com))
diff --git a/index.sh b/index.sh
new file mode 100755
index 0000000..e46f5a3
--- /dev/null
+++ b/index.sh
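Review bot: The `-w "{{ldap_bind_password}}"` on the ldapsearch line bakes the service-account password into the rendered script and places it on the command line of a process spawned for every SSH login, where any local user can read it from `ps`; the `$1` sshd passes in is also spliced into the filter with no RFC 4515 escaping, so a uid containing `*`, `(` or `)` changes the query instead of being matched literally (sshd resolves the account before running the command, but the uid string itself is directory-controlled data). Read the password with `-y` from a file readable only by the AuthorizedKeysCommandUser — OpenLDAP uses the file contents verbatim, so it must not end in a newline — and escape the username before interpolating it. `-h` is the deprecated host flag and there is no `-x`, so this is not even a plain simple bind; `-x -H ldaps://{{ldap_host}}` (or `-ZZ` for STARTTLS) also keeps the bind and the returned keys off the wire in clear, provided the server offers TLS. A `set -euo pipefail` at the top makes a failed bind exit non-zero, which sshd treats as "no keys" rather than trusting whatever reached stdout.
```shell
#!/bin/bash
set -euo pipefail

# $1 is the login name sshd is authorizing. Escape it per RFC 4515 so it is
# matched literally instead of being parsed as filter syntax (backslash first).
user=$1
user=${user//\\/\\5c}
user=${user//\*/\\2a}
user=${user//\(/\\28}
user=${user//\)/\\29}

# Simple bind; password comes from a file readable only by the
# AuthorizedKeysCommandUser (no trailing newline: -y uses it verbatim).
ldapsearch -x -H "ldaps://{{ldap_host}}" -D "{{ldap_bind_dn}}" -y /etc/ldap-ssh-key.secret \
  '(&(|(memberof=cn=host_access,ou=groups,dc=theta42,dc=com)(memberof=cn=host_{{current_host}}_access,ou=groups,dc=theta42,dc=com))(uid='"$user"'))' \
  sshPublicKey \
  | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'   # unchanged: LDIF unwrapping
```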
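Review bot: SUDOERS_SEARCH_FILTER on the last line is applied to the sudoRole entries sudo fetches, not to the user being authorized, so the two memberof terms only match sudoRole objects that are themselves members of those groups; unless the directory was deliberately built that way, the query returns no roles and nobody gets sudo on the host. The per-host admin groups belong on the roles instead, e.g. `sudoUser: %host_admin` and `sudoUser: %host_{{current_host}}_admin` with `sudoHost: ALL`, leaving the filter at its default `(objectClass=sudoRole)` (this assumes those groups resolve through NSS on the client). `URI ldap://{{ldap_host}}` together with BINDPW sends the service credentials and the returned policy in the clear; `ldaps://`, or `ssl start_tls` with `tls_cacertfile`, is the usual fix once the server side supports it. Because this file carries BINDPW it must also be installed root-only readable; that cannot be expressed here, so a leading `# contains BINDPW: install as root:root 0440` would at least remind whoever renders it.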
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+export ldap_host="192.168.1.54"
+export ldap_base_dn="dc=theta42,dc=com"
+
+export ldap_admin_dn="cn=admin,dc=theta42,dc=com"
+export ldap_admin_password=$1
+
+export ldap_bind_dn="cn=ldapclient service,ou=people,dc=theta42,dc=com"
+export ldap_bind_password=$2
+
+export current_host=`hostname`
+
+echo "ldap-auth-config ldap-auth-config/ldapns/ldap-server string ldap://$ldap_host" | debconf-set-selections
+echo "ldap-auth-config ldap-auth-config/bindpw string $ldap_bind_password" | debconf-set-selections
+echo "ldap-auth-config ldap-auth-config/rootbindpw string $ldap_admin_password" | debconf-set-selections
+echo "ldap-auth-config ldap-auth-config/dbrootlogin boolean true" | debconf-set-selections
+echo "ldap-auth-config ldap-auth-config/dblogin boolean true" | debconf-set-selections
+echo "ldap-auth-config ldap-auth-config/ldapns/ldap_version string 3" | debconf-set-selections
+echo "ldap-auth-config ldap-auth-config/pam_password string md5" | debconf-set-selections
+echo "ldap-auth-config ldap-auth-config/ldapns/base-dn string $ldap_base_dn" | debconf-set-selections
+echo "ldap-auth-config ldap-auth-config/move-to-debconf boolean true" | debconf-set-selections
+echo "ldap-auth-config ldap-auth-config/rootbinddn string $ldap_admin_dn" | debconf-set-selections
+echo "ldap-auth-config ldap-auth-config/binddn string $ldap_bind_dn" | debconf-set-selections
+echo "ldap-auth-config ldap-auth-config/override boolean true" | debconf-set-selections
+
+DEBIAN_FRONTEND=noninteractive apt install -y libnss-ldap libpam-ldap ldap-utils nscd
+auth-client-config -t nss -p lac_ldap
+pam-auth-update --enable ldap
+pam-auth-update --enable mkhomedir
+echo "session required pam_mkhomedir.so skel=/etc/skel umask=077" >> /etc/pam.d/common-session
+systemctl restart nscd
+systemctl enable nscd
+
+## filter PAM login for only group members
+echo "pam_filter 
&(|(memberof=cn=host_access,ou=groups,dc=theta42,dc=com)(memberof=cn=host_`hostname`_access,ou=groups,dc=theta42,dc=com))" >> /etc/ldap.conf
+
+## Set up sudo-ldap
+
+apt install -y sudo-ldap
+sudo_ldap_template="$(cat files/sudo-ldap.conf)"
+echo "$sudo_ldap_template" | mo > /etc/sudo-ldap.conf
+
+## Set up SSHkey via LDAP
+sudo_ldap_template="$(cat files/ldap-ssh-key)"
+echo "$sudo_ldap_template" | mo > /usr/local/bin/ldap-ssh-key
+chmod +x /usr/local/bin/ldap-ssh-key
+
+echo "AuthorizedKeysCommand /usr/local/bin/ldap-ssh-key" >> /etc/ssh/sshd_config
+echo "AuthorizedKeysCommandUser nobody" >> /etc/ssh/sshd_config
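Review bot: `sudo_ldap_template="$(cat files/ldap-ssh-key)"` near the end reads a path this commit does not add — the file is `files/ldap-ssh-key.sh` — so `cat` fails, the variable is empty, and `/usr/local/bin/ldap-ssh-key` is installed as an empty executable; with no `set -e` the script carries on and still appends the `AuthorizedKeysCommand` lines, so every key lookup silently returns nothing. The two `mo > …` redirections also create their targets under the default umask, leaving the bind password in a world-readable `/etc/sudo-ldap.conf` and key script, and the same password arrives as `$2`, visible in `ps` and shell history for the duration of the run. Fix the path, add `set -euo pipefail` after the shebang, and pre-create the secret-bearing files with a restrictive mode, e.g. `install -m 0440 -o root -g root /dev/null /etc/sudo-ldap.conf` before rendering into it (the key script must stay readable by the `AuthorizedKeysCommandUser`, so the password is better kept out of it altogether). `ldap-server string ldap://$ldap_host` means every PAM login also sends the user's password to 192.168.1.54 unencrypted; `ldaps://` with the CA configured is the usual fix. The `>>` appends are not idempotent either — a second run duplicates the sshd and pam lines — and nothing runs `sshd -t` or reloads sshd afterwards.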