fixed filter
This commit is contained in:
parent
39b84ec2f8
commit
c9a745abca
38
index.sh
38
index.sh
@ -1,9 +1,16 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
|
|
||||||
|
# Stop this script on any error.
|
||||||
set -e
|
set -e
|
||||||
|
|
||||||
|
|
||||||
|
# Pull in the mustache template library for bash
|
||||||
source lib/mo
|
source lib/mo
|
||||||
|
|
||||||
|
|
||||||
|
# Set some variables for the test of the file
|
||||||
|
## TODO! Dont hard code these values.
|
||||||
export ldap_host="192.168.1.55"
|
export ldap_host="192.168.1.55"
|
||||||
export ldap_base_dn="dc=theta42,dc=com"
|
export ldap_base_dn="dc=theta42,dc=com"
|
||||||
|
|
||||||
@ -16,6 +23,7 @@ export ldap_bind_password=$2
|
|||||||
export current_host=`hostname`
|
export current_host=`hostname`
|
||||||
|
|
||||||
|
|
||||||
|
# Configure the options for the LDAP packages based on debian or ubuntu
|
||||||
if grep -qiE "^NAME=\"debian" /etc/os-release; then
|
if grep -qiE "^NAME=\"debian" /etc/os-release; then
|
||||||
|
|
||||||
echo "libnss-ldap libnss-ldap/rootbindpw string $ldap_admin_password" | debconf-set-selections
|
echo "libnss-ldap libnss-ldap/rootbindpw string $ldap_admin_password" | debconf-set-selections
|
||||||
@ -53,7 +61,13 @@ else
|
|||||||
echo "ldap-auth-config ldap-auth-config/override boolean true" | debconf-set-selections
|
echo "ldap-auth-config ldap-auth-config/override boolean true" | debconf-set-selections
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
# Install the requires packages for LDAP PAM telling apt to ignore any interactive options
|
||||||
DEBIAN_FRONTEND=noninteractive apt install -y libnss-ldap libpam-ldap ldap-utils nscd
|
DEBIAN_FRONTEND=noninteractive apt install -y libnss-ldap libpam-ldap ldap-utils nscd
|
||||||
|
|
||||||
|
|
||||||
|
# Configure the system to use LDAP for PAM. Some versions include `auth-client-config` and others dont.
|
||||||
|
# `auth-client-config` requires python2.x, so support for it is dropping.
|
||||||
if which auth-client-config >/dev/null; then
|
if which auth-client-config >/dev/null; then
|
||||||
auth-client-config -t nss -p lac_ldap
|
auth-client-config -t nss -p lac_ldap
|
||||||
else
|
else
|
||||||
@ -61,22 +75,36 @@ else
|
|||||||
sed -i '/group/ s/$/ ldap/' /etc/nsswitch.conf
|
sed -i '/group/ s/$/ ldap/' /etc/nsswitch.conf
|
||||||
sed -e s/use_authtok//g -i /etc/pam.d/common-password
|
sed -e s/use_authtok//g -i /etc/pam.d/common-password
|
||||||
fi
|
fi
|
||||||
|
|
||||||
pam-auth-update --enable ldap
|
pam-auth-update --enable ldap
|
||||||
|
|
||||||
|
|
||||||
|
# Enable the system to create home directories for LDAP users who do not have one on first login
|
||||||
pam-auth-update --enable mkhomedir
|
pam-auth-update --enable mkhomedir
|
||||||
echo "session required pam_mkhomedir.so skel=/etc/skel umask=077" >> /etc/pam.d/common-session
|
echo "session required pam_mkhomedir.so skel=/etc/skel umask=077" >> /etc/pam.d/common-session
|
||||||
|
|
||||||
|
|
||||||
|
# Restart the Name Service cache daemon, unsure if this is required.
|
||||||
systemctl restart nscd
|
systemctl restart nscd
|
||||||
systemctl enable nscd
|
systemctl enable nscd
|
||||||
|
|
||||||
## filter PAM login for only group members
|
|
||||||
echo "pam_filter &(|(memberof=cn=host_access,ou=groups,dc=theta42,dc=com)(memberof=cn=host_`hostname`_access,ou=groups,dc=theta42,dc=com))" >> /etc/ldap.conf
|
# Apply LDAP group filter for PAM LDAP login
|
||||||
|
# Different distros/versions read the filter from different places.
|
||||||
|
PAM_LDAP_filter="pam_filter &(|(memberof=cn=host_access,ou=groups,dc=theta42,dc=com)(memberof=cn=host_`hostname`_access,ou=groups,dc=theta42,dc=com))"
|
||||||
|
|
||||||
|
if grep -qiE "^NAME=\"debian" /etc/os-release; then
|
||||||
|
echo "$PAM_LDAP_filter" >> /etc/pam_ldap.conf
|
||||||
|
else
|
||||||
|
echo "$PAM_LDAP_filter" >> /etc/ldap/ldap.conf
|
||||||
|
echo "$PAM_LDAP_filter" >> /etc/ldap.conf
|
||||||
|
|
||||||
|
|
||||||
## Set up sudo-ldap
|
## Set up sudo-ldap
|
||||||
|
|
||||||
apt install -y sudo-ldap
|
apt install -y sudo-ldap
|
||||||
sudo_ldap_template="$(cat files/sudo-ldap.conf)"
|
sudo_ldap_template="$(cat files/sudo-ldap.conf)"
|
||||||
echo "$sudo_ldap_template" | mo > /etc/sudo-ldap.conf
|
echo "$sudo_ldap_template" | mo > /etc/sudo-ldap.conf
|
||||||
|
|
||||||
|
|
||||||
## Set up SSHkey via LDAP
|
## Set up SSHkey via LDAP
|
||||||
sudo_ldap_template="$(cat files/ldap-ssh-key.sh)"
|
sudo_ldap_template="$(cat files/ldap-ssh-key.sh)"
|
||||||
echo "$sudo_ldap_template" | mo > /usr/local/bin/ldap-ssh-key
|
echo "$sudo_ldap_template" | mo > /usr/local/bin/ldap-ssh-key
|
||||||
@ -86,3 +114,5 @@ echo "AuthorizedKeysCommand /usr/local/bin/ldap-ssh-key" >> /etc/ssh/sshd_config
|
|||||||
echo "AuthorizedKeysCommandUser nobody" >> /etc/ssh/sshd_config
|
echo "AuthorizedKeysCommandUser nobody" >> /etc/ssh/sshd_config
|
||||||
|
|
||||||
service ssh restart
|
service ssh restart
|
||||||
|
|
||||||
|
exit 0
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user