From 7dee7453fe1d9812322e709deef7cd719bc913c6 Mon Sep 17 00:00:00 2001
From: William Mantly
Date: Wed, 21 Apr 2021 13:45:37 -0400
Subject: [PATCH] vars are good
---
 .gitignore | 1 +
 files/ldap-ssh-key.sh | 2 +-
 files/sudo-ldap.conf | 6 +++---
 index.sh | 40 ++++++++++++++++++++++++++--------------
 ldap.vars.template | 12 ++++++++++++
 5 files changed, 43 insertions(+), 18 deletions(-)
 create mode 100644 .gitignore
 create mode 100644 ldap.vars.template
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..aa6bd22
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+ldap.vars
\ No newline at end of file
diff --git a/files/ldap-ssh-key.sh b/files/ldap-ssh-key.sh
index 4d40a33..709dc95 100644
--- a/files/ldap-ssh-key.sh
+++ b/files/ldap-ssh-key.sh
@@ -1,3 +1,3 @@
 #!/bin/bash
-ldapsearch -h {{ldap_host}} -D "{{ldap_bind_dn}}" -w "{{ldap_bind_password}}" '(&(|(memberof=cn=host_access,ou=groups,dc=theta42,dc=com)(memberof=cn=host_{{current_host}}_access,ou=groups,dc=theta42,dc=com))(uid='"$1"'))' 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
+ldapsearch -h {{ldap_host}} -D "{{ldap_bind_dn}}" -w "{{ldap_bind_password}}" '(&(|(memberof=cn=host_access,ou=Groups,{{ldap_base_dn}})(memberof=cn=host_{{current_host}}_access,ou=Groups,{{ldap_base_dn}}))(uid='"$1"'))' 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
diff --git a/files/sudo-ldap.conf b/files/sudo-ldap.conf
index 7e997a6..ab24231 100644
--- a/files/sudo-ldap.conf
+++ b/files/sudo-ldap.conf
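Review bot: `$1` is spliced verbatim into the LDAP search filter (`(uid='"$1"')`) on the new ldapsearch line; when this script runs as sshd's AuthorizedKeysCommand that argument is the login name the connecting client asked for, so the RFC 4515 filter metacharacters (`*`, `(`, `)`, `\`, NUL) should be escaped before use, or the lookup refused for anything outside a safe character set, e.g. `case $1 in *[!A-Za-z0-9._-]*) exit 1 ;; esac` as the first statement. The bind password is also handed over with `-w`, which leaves it visible in process listings for the duration of the search; `-y <password-file>` pointing at a root-only file keeps it out of argv. Both points predate this commit but are carried into the rewritten line unchanged.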
@@ -1,9 +1,9 @@
-BASE dc=theta42,dc=com
+BASE {{ldap_base_dn}}
 URI ldap://{{ldap_host}}
 BINDDN {{ldap_bind_dn}}
 BINDPW {{ldap_bind_password}}
-sudoers_base dc=theta42,dc=com
+sudoers_base {{ldap_bind_dn}}
-SUDOERS_SEARCH_FILTER (|(memberof=cn=host_admin,ou=groups,dc=theta42,dc=com)(memberof=cn=host_{{current_host}}_admin,ou=groups,dc=theta42,dc=com))
+SUDOERS_SEARCH_FILTER (|(memberof=cn=host_admin,ou=Groups,{{ldap_base_dn}})(memberof=cn=host_{{current_host}}_admin,ou=Groups,{{ldap_base_dn}}))
diff --git a/index.sh b/index.sh
index 83d9939..c6920da 100755
--- a/index.sh
+++ b/index.sh
@@ -1,28 +1,21 @@
 #!/bin/bash
-
 # Stop this script on any error.
 set -e
-
 # Pull in the mustache template library for bash
 source lib/mo
+if [ ! -f ./ldap.vars ]; then
+ echo "ldap.vars file not found!"
+ echo "Please copy ldap.vars.template to ldap.vars and edit it."
+ exit 1
+fi
-# Set some variables for the test of the file
-## TODO! Dont hard code these values.
-export ldap_host="192.168.1.55"
-export ldap_base_dn="dc=theta42,dc=com"
-
-export ldap_admin_dn="cn=admin,dc=theta42,dc=com"
-export ldap_admin_password=$1
-
-export ldap_bind_dn="cn=ldapclient service,ou=people,dc=theta42,dc=com"
-export ldap_bind_password=$2
+source ldap.vars
 export current_host=`hostname`
-
 # Configure the options for the LDAP packages based on debian or ubuntu
 if grep -qiE "^NAME=\"debian" /etc/os-release; then
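Review bot: `+sudoers_base {{ldap_bind_dn}}` substitutes the bind DN where the removed line had the base DN (`dc=theta42,dc=com`); `sudoers_base` is the search base for sudoRole entries, and per ldap.vars.template the bind DN is a service-account entry under `ou=People`, so no sudoers entries will be found beneath it. The other two replacements in this hunk use `{{ldap_base_dn}}`, and this line should read `sudoers_base {{ldap_base_dn}}` as well. The same mix-up appears in index.sh's hunk at `@@ -90,11 +83,17 @@`, where the new `pam_filter` line uses `ou=Groups,$ldap_bind_dn` twice while `nss_base_group` two lines above it correctly uses `$ldap_base_dn`. Since this file also carries `BINDPW`, it is worth confirming the install step (outside the diff) writes it with mode 0600.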
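Review bot: `source ldap.vars` executes the file as shell and, per ldap.vars.template, it holds `ldap_admin_password` and `ldap_bind_password`, yet the only precondition checked before sourcing it is existence via `-f`. A file this script sources as root should be root-owned and unreadable by others; on the Debian/Ubuntu targets the script already assumes, `[ "$(stat -c '%u %a' ldap.vars)" = "0 600" ] || { echo "ldap.vars must be root-owned and mode 0600" >&2; exit 1; }` after the existence check would enforce that. Both the check and the `source` resolve against the caller's working directory, like `source lib/mo` just above them, so a `cd "$(dirname "$0")"` near the top (or an absolute path) prevents picking up a different ldap.vars when the script is run from elsewhere. Moving the passwords off argv (`$1`/`$2` in the removed lines) is an improvement worth keeping.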
@@ -90,11 +83,17 @@ systemctl enable nscd
 # Apply LDAP group filter for PAM LDAP login
 # Different distros/versions read the filter from different places.
-PAM_LDAP_filter="pam_filter &(|(memberof=cn=host_access,ou=groups,dc=theta42,dc=com)(memberof=cn=host_`hostname`_access,ou=groups,dc=theta42,dc=com))"
+PAM_LDAP_filter="
+pam_password_prohibit_message Please visit $sso_url to change your password.
+nss_base_group ou=Groups,$ldap_base_dn?one
+nss_schema rfc2307
+pam_filter &(|(memberof=cn=host_access,ou=Groups,$ldap_bind_dn)(memberof=cn=host_`hostname`_access,ou=Groups,$ldap_bind_dn))
+"
 if grep -qiE "^NAME=\"debian" /etc/os-release; then
 echo "$PAM_LDAP_filter" >> /etc/pam_ldap.conf
 fi + echo "$PAM_LDAP_filter" >> /etc/ldap/ldap.conf
 echo "$PAM_LDAP_filter" >> /etc/ldap.conf
@@ -115,3 +114,16 @@ echo "AuthorizedKeysCommand /usr/local/bin/ldap-ssh-key" >> /etc/ssh/sshd_config
 echo "AuthorizedKeysCommandUser nobody" >> /etc/ssh/sshd_config
 service ssh restart
+
+if [ -z "$sso_token" ]; then
+
+ curl '$sso_url/api/group/' \
+ -H 'auth-token: $sso_token' \
+ -H 'content-type: application/json; charset=UTF-8' \
+ --data-binary "{\"name\":\"host_$hostname_access\",\"description\":\"Access for $hostname\"}"
+
+ curl '$sso_url/api/group/' \
+ -H 'auth-token: $sso_token' \
+ -H 'content-type: application/json; charset=UTF-8' \
+ --data-binary "{\"name\":\"host_$hostname_admin\",\"description\":\"sudo for $hostname\"}"
+fi
diff --git a/ldap.vars.template b/ldap.vars.template
new file mode 100644
index 0000000..6d295ae
--- /dev/null
+++ b/ldap.vars.template
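Review bot: The new `pam_filter` line still runs `hostname` in backticks inside the quoted filter even though `current_host` is exported near the top of the script for exactly this value; `host_${current_host}_access` keeps the two places consistent and avoids a second command substitution in the middle of the filter string. Separately, the whole of `$PAM_LDAP_filter` is appended unconditionally with `>>` to `/etc/ldap/ldap.conf` and `/etc/ldap.conf`, so re-running the script duplicates the `nss_base_group`/`nss_schema`/`pam_filter` lines there; a guard such as `grep -qF 'nss_schema rfc2307' /etc/ldap.conf ||` in front of each append makes the step idempotent. The `pam_password_prohibit_message` line is written even when `sso_url` is empty, which is consistent with the template marking only `sso_token` as optional, so that is fine as long as `sso_url` stays required.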
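Review bot: The SSO group-registration block is gated on `[ -z "$sso_token" ]`, which runs the two curl calls only when the token is empty; `-n` is the intended test (ldap.vars.template calls `sso_token` the only optional variable). Inside the block, `'$sso_url/api/group/'` and `'auth-token: $sso_token'` are single-quoted, so curl receives the literal strings `$sso_url/api/group/` and `$sso_token`, and `host_$hostname_access` / `host_$hostname_admin` expand the unset variables `hostname_access` and `hostname_admin` rather than `${hostname}_access`; `hostname` itself is never assigned in this script, which exports `current_host` for that purpose. Adding `--fail` makes a rejected token or a 4xx/5xx response surface as a non-zero status under `set -e` instead of being silently accepted. Passing the token via `-H` also exposes it in process listings; `-H @<file>` read from a root-only file avoids that if the token is long-lived.
```shell
if [ -n "$sso_token" ]; then

    curl --fail "$sso_url/api/group/" \
        -H "auth-token: $sso_token" \
        -H 'content-type: application/json; charset=UTF-8' \
        --data-binary "{\"name\":\"host_${current_host}_access\",\"description\":\"Access for $current_host\"}"

    curl --fail "$sso_url/api/group/" \
        -H "auth-token: $sso_token" \
        -H 'content-type: application/json; charset=UTF-8' \
        --data-binary "{\"name\":\"host_${current_host}_admin\",\"description\":\"sudo for $current_host\"}"
fi
```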
@@ -0,0 +1,12 @@
+# Set some variables for the test of the file
+export ldap_host="192.168.1.55"
+export ldap_base_dn="dc=theta42,dc=com"
+
+export ldap_admin_dn="cn=admin,$ldap_base_dn"
+export ldap_admin_password=""
+
+export ldap_bind_dn="cn=ldapclient service,ou=People,$ldap_base_dn"
+export ldap_bind_password=""
+
+export sso_url="https://sso-dev.theta42.com"
+export sso_token="uuid_thingy" # This is the only optional variable
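Review bot: `sso_token="uuid_thingy"` ships a non-empty placeholder in the one variable the comment calls optional, so a copy of this template that leaves it untouched looks like a configured token to any `-n`/`-z` check in index.sh; an empty default, `export sso_token=""  # optional; set to your SSO API token`, matches how the two passwords are handled. The file is sourced as shell, so a password containing `"`, `$`, a backtick or `\` will be interpreted rather than used literally; a comment line telling the user to single-quote such values, and one saying the copied `ldap.vars` should be `chmod 600` (it is git-ignored but still readable on the host), would save real debugging time. `# Set some variables for the test of the file` reads as a typo for `rest of the file`.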