vars are good

.gitignore

@@ -0,0 +1 @@
+ldap.vars

files/ldap-ssh-key.sh

@@ -1,3 +1,3 @@
 #!/bin/bash
 
-ldapsearch -h {{ldap_host}} -D "{{ldap_bind_dn}}" -w "{{ldap_bind_password}}" '(&(|(memberof=cn=host_access,ou=groups,dc=theta42,dc=com)(memberof=cn=host_{{current_host}}_access,ou=groups,dc=theta42,dc=com))(uid='"$1"'))' 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
+ldapsearch -h {{ldap_host}} -D "{{ldap_bind_dn}}" -w "{{ldap_bind_password}}" '(&(|(memberof=cn=host_access,ou=Groups,{{ldap_base_dn}})(memberof=cn=host_{{current_host}}_access,ou=Groups,{{ldap_base_dn}}))(uid='"$1"'))' 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'

files/sudo-ldap.conf

@@ -1,9 +1,9 @@
-BASE    dc=theta42,dc=com
+BASE    {{ldap_base_dn}}
 URI     ldap://{{ldap_host}}
 
 BINDDN {{ldap_bind_dn}}
 BINDPW {{ldap_bind_password}}
 
-sudoers_base dc=theta42,dc=com
+sudoers_base {{ldap_bind_dn}}
 
-SUDOERS_SEARCH_FILTER (|(memberof=cn=host_admin,ou=groups,dc=theta42,dc=com)(memberof=cn=host_{{current_host}}_admin,ou=groups,dc=theta42,dc=com))
+SUDOERS_SEARCH_FILTER (|(memberof=cn=host_admin,ou=Groups,{{ldap_base_dn}})(memberof=cn=host_{{current_host}}_admin,ou=Groups,{{ldap_base_dn}}))

index.sh

@@ -1,28 +1,21 @@
 #!/bin/bash
 
-
 # Stop this script on any error.
 set -e
 
-
 # Pull in the mustache template library for bash
 source lib/mo
 
+if [ ! -f ./ldap.vars ]; then
+    echo "ldap.vars file not found!"
+    echo "Please copy ldap.vars.template to ldap.vars and edit it."
+    exit 1
+fi
 
-# Set some variables for the test of the file
+source ldap.vars
-## TODO! Dont hard code these values.
-export ldap_host="192.168.1.55"
-export ldap_base_dn="dc=theta42,dc=com"
-
-export ldap_admin_dn="cn=admin,dc=theta42,dc=com"
-export ldap_admin_password=$1
-
-export ldap_bind_dn="cn=ldapclient service,ou=people,dc=theta42,dc=com"
-export ldap_bind_password=$2
 
 export current_host=`hostname`
 
-
 # Configure the options for the LDAP packages based on debian or ubuntu
 if grep -qiE "^NAME=\"debian" /etc/os-release; then
 
@@ -90,11 +83,17 @@ systemctl enable nscd
 
 # Apply LDAP group filter for PAM LDAP login
 # Different distros/versions read the filter from different places.
-PAM_LDAP_filter="pam_filter &(|(memberof=cn=host_access,ou=groups,dc=theta42,dc=com)(memberof=cn=host_`hostname`_access,ou=groups,dc=theta42,dc=com))"
+PAM_LDAP_filter="
+pam_password_prohibit_message Please visit $sso_url to change your password.
+nss_base_group          ou=Groups,$ldap_base_dn?one
+nss_schema rfc2307
+pam_filter &(|(memberof=cn=host_access,ou=Groups,$ldap_bind_dn)(memberof=cn=host_`hostname`_access,ou=Groups,$ldap_bind_dn))
+"
 
 if grep -qiE "^NAME=\"debian" /etc/os-release; then
 	echo "$PAM_LDAP_filter" >> /etc/pam_ldap.conf
 fi
+
 echo "$PAM_LDAP_filter" >> /etc/ldap/ldap.conf
 echo "$PAM_LDAP_filter" >> /etc/ldap.conf
 
@@ -115,3 +114,16 @@ echo "AuthorizedKeysCommand /usr/local/bin/ldap-ssh-key" >> /etc/ssh/sshd_config
 echo "AuthorizedKeysCommandUser nobody" >> /etc/ssh/sshd_config
 
 service ssh restart
+
+if [ -z "$sso_token" ]; then
+
+	curl '$sso_url/api/group/' \
+	  -H 'auth-token: $sso_token' \
+	  -H 'content-type: application/json; charset=UTF-8' \
+	  --data-binary "{\"name\":\"host_$hostname_access\",\"description\":\"Access for $hostname\"}"
+
+	curl '$sso_url/api/group/' \
+	  -H 'auth-token: $sso_token' \
+	  -H 'content-type: application/json; charset=UTF-8' \
+	  --data-binary "{\"name\":\"host_$hostname_admin\",\"description\":\"sudo for $hostname\"}"
+fi

ldap.vars.template

@@ -0,0 +1,12 @@
+# Set some variables for the test of the file
+export ldap_host="192.168.1.55"
+export ldap_base_dn="dc=theta42,dc=com"
+
+export ldap_admin_dn="cn=admin,$ldap_base_dn"
+export ldap_admin_password=""
+
+export ldap_bind_dn="cn=ldapclient service,ou=People,$ldap_base_dn"
+export ldap_bind_password=""
+
+export sso_url="https://sso-dev.theta42.com"
+export sso_token="uuid_thingy" # This is the only optional variable