From f6cef035e28e6b0da19ec875b8c29c18d92893a6 Mon Sep 17 00:00:00 2001 From: William Mantly Date: Thu, 5 Mar 2026 15:20:19 -0500 Subject: [PATCH] migration --- files/sssd.conf.mo | 17 ++++--- index.sh | 4 +- ldap.vars.theta42 | 9 ++++ migration.sh | 122 +++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 144 insertions(+), 8 deletions(-) create mode 100644 ldap.vars.theta42 create mode 100644 migration.sh diff --git a/files/sssd.conf.mo b/files/sssd.conf.mo index 1189e2e..92689fe 100644 --- a/files/sssd.conf.mo +++ b/files/sssd.conf.mo @@ -1,34 +1,37 @@ [sssd] -services = nss, pam, sudo +config_file_version = 2 domains = default [domain/default] id_provider = ldap auth_provider = ldap chpass_provider = ldap -sudo_provider = ldap -ldap_uri = ldap://{{ldap_host}} +ldap_uri = ldaps://{{ldap_host}} ldap_search_base = {{ldap_base_dn}} -ldap_network_timeout = 3 +ldap_id_use_start_tls = true +ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt ldap_bind_dn = {{ldap_bind_dn}} ldap_bind_pw = {{ldap_bind_password}} # Sudo settings +sudo_provider = ldap ldap_sudo_search_base = {{ldap_base_dn}} # Filter for sudo access: global host_admin OR host-specific admin ldap_sudo_full_refresh_interval = 900 ldap_sudo_smart_refresh_interval = 300 +ldap_sudo_search_filter = (|(memberOf=cn=host_admin,ou=groups,dc=theta42,dc=com)(memberOf=cn=host_{hostname}_admin,ou=groups,dc=theta42,dc=com)) # Access control: only allow users in host_access or host_{hostname}_access access_provider = ldap ldap_access_order = filter -ldap_access_filter = (|(memberof=cn=host_access,ou=Groups,{{ldap_base_dn}})(memberof=cn=host_{{current_host}}_access,ou=Groups,{{ldap_base_dn}})) +ldap_access_filter = (|(memberof=cn=host_access,ou=groups,{{ldap_base_dn}})(memberof=cn=host_{{current_host}}_access,ou=groups,{{ldap_base_dn}})) # Mapping -ldap_user_search_base = ou=People,{{ldap_base_dn}} -ldap_group_search_base = ou=Groups,{{ldap_base_dn}} +ldap_user_search_base = ou=people,{{ldap_base_dn}} +ldap_group_search_base = ou=groups,{{ldap_base_dn}} +ldap_user_member_of = memberOf # Cache settings cache_credentials = True diff --git a/index.sh b/index.sh index 3779bc1..5a26054 100755 --- a/index.sh +++ b/index.sh @@ -13,7 +13,7 @@ export current_host=$(hostname) # Install SSSD and required tools # We use sssd-ldap for the backend and libnss-sss/libpam-sss for the system hooks DEBIAN_FRONTEND=noninteractive apt update -DEBIAN_FRONTEND=noninteractive apt install -y sssd sssd-ldap libnss-sss libpam-sss ldap-utils curl libsasl2-modules-gssapi-mit +DEBIAN_FRONTEND=noninteractive apt install -y sssd sssd-ldap libnss-sss libpam-sss ldap-utils libsss-sudo curl libsasl2-modules-gssapi-mit # Create the SSSD configuration from template mkdir -p /etc/sssd @@ -47,6 +47,8 @@ if ! grep -q "AuthorizedKeysCommand /usr/local/bin/ldap-ssh-key" /etc/ssh/sshd_c systemctl restart ssh fi +systemctl enable --now sssd-sudo.socket + # --- SSO Group Creation API Calls --- if [[ -v sso_token ]]; then echo "Registering host groups via API..." diff --git a/ldap.vars.theta42 b/ldap.vars.theta42 new file mode 100644 index 0000000..83da925 --- /dev/null +++ b/ldap.vars.theta42 @@ -0,0 +1,9 @@ +# Set some variables for the test of the file +export ldap_host="ldap.internal.theta42.com" +export ldap_base_dn="dc=theta42,dc=com" + +export ldap_bind_dn="cn=ldapclient service,ou=People,$ldap_base_dn" +export ldap_bind_password="" + +export sso_url="https://sso.theta42.com" +export sso_token="" # This is the only optional variable \ No newline at end of file diff --git a/migration.sh b/migration.sh new file mode 100644 index 0000000..c1b3830 --- /dev/null +++ b/migration.sh @@ -0,0 +1,122 @@ +#!/bin/bash +set -e + +# Pull in the mustache template library for bash +source lib/mo + +if [ ! -f ./ldap.vars ]; then + echo "ldap.vars file not found!" + echo "Please copy ldap.vars.template to ldap.vars and edit it." + exit 1 +fi + +source ldap.vars +export current_host=$(hostname) + +echo "--- Starting LDAP to SSSD Migration ---" + +echo "1. Cleaning up old LDAP configuration and packages..." + +# 1. Remove old packages (libnss-ldap, libpam-ldap, sudo-ldap, nscd, etc.) +DEBIAN_FRONTEND=noninteractive apt purge -y libnss-ldap libpam-ldap nscd sudo-ldap nslcd + +# Preserve ldap-utils if it's still useful for general LDAP querying +# apt purge -y ldap-utils + +# 2. Clean up old configuration files +echo " - Removing old configuration files..." +rm -f /etc/pam_ldap.conf +rm -f /etc/ldap/ldap.conf +rm -f /etc/ldap.conf +rm -f /etc/sudo-ldap.conf + +# 3. Revert nsswitch.conf entries related to 'ldap' +echo " - Reverting /etc/nsswitch.conf entries for 'ldap'..." +sed -i '/passwd:/ s/ ldap//' /etc/nsswitch.conf +sed -i '/group:/ s/ ldap//' /etc/nsswitch.conf +# You might want to review other services like 'shadow' or 'hosts' if they also had 'ldap' +# For example: sed -i '/shadow:/ s/ ldap//' /etc/nsswitch.conf + +# 4. Clean up PAM configurations +echo " - Cleaning up old PAM configurations..." +# Disable 'ldap' in pam-auth-update if it was enabled directly +pam-auth-update --remove ldap + +# Remove specific common-password modifications made by the old script +# The old script removed 'use_authtok'. Let's ensure a clean state if SSSD needs a different one. +# It's generally safer to restore from a backup or let the new SSSD setup configure PAM. +# For simplicity, we'll rely on the new sssd pam module to set things correctly. +sed -i '/session required pam_mkhomedir.so skel=\/etc\/skel umask=077/d' /etc/pam.d/common-session + +# Ensure nscd is stopped and disabled if it wasn't purged +systemctl stop nscd || true +systemctl disable nscd || true + +echo "Cleanup complete." +echo "--- Installing New SSSD Configuration ---" + +# Install SSSD and required tools +# We use sssd-ldap for the backend and libnss-sss/libpam-sss for the system hooks +DEBIAN_FRONTEND=noninteractive apt update +DEBIAN_FRONTEND=noninteractive apt install -y sudo sssd sssd-ldap libnss-sss libpam-sss ldap-utils libsss-sudo curl libsasl2-modules-gssapi-mit + +# Create the SSSD configuration from template +mkdir -p /etc/sssd +echo " - Creating /etc/sssd/sssd.conf from template..." +cat files/sssd.conf.mo | mo > /etc/sssd/sssd.conf +chmod 600 /etc/sssd/sssd.conf + +# Ensure nsswitch uses sss for passwd, group, and sudoers +echo " - Updating /etc/nsswitch.conf for SSSD..." +sed -i 's/^passwd:.*/passwd: files sss/' /etc/nsswitch.conf +sed -i 's/^group:.*/group: files sss/' /etc/nsswitch.conf +if ! grep -q "sudoers:" /etc/nsswitch.conf; then + echo "sudoers: files sss" >> /etc/nsswitch.conf +else + sed -i 's/^sudoers:.*/sudoers: files sss/' /etc/nsswitch.conf +fi + +# Enable home directory creation (this should already be handled by pam-auth-update) +# Double-check this line if it causes issues; pam-auth-update should configure /etc/pam.d/common-session +# pam-auth-update --enable mkhomedir + +# Restart SSSD +echo " - Restarting and enabling SSSD service..." +systemctl restart sssd +systemctl enable sssd + +# --- Maintain Custom SSH Key Script --- +echo " - Setting up custom SSH key script..." +cat files/ldap-ssh-key.sh | mo > /usr/local/bin/ldap-ssh-key +chmod +x /usr/local/bin/ldap-ssh-key + +# Update SSHD config if not already present +echo " - Configuring SSHD for LDAP SSH keys..." +if ! grep -q "AuthorizedKeysCommand /usr/local/bin/ldap-ssh-key" /etc/ssh/sshd_config; then + echo "AuthorizedKeysCommand /usr/local/bin/ldap-ssh-key" >> /etc/ssh/sshd_config + echo "AuthorizedKeysCommandUser nobody" >> /etc/ssh/sshd_config + systemctl restart sshd +else + # If the lines exist, just ensure sshd is restarted in case it wasn't earlier + systemctl restart sshd +fi + +echo " - Enabling sssd-sudo socket..." +systemctl enable --now sssd-sudo.socket + +# --- SSO Group Creation API Calls --- +if [[ -v sso_token ]]; then + echo " - Registering host groups via API..." + # (Existing curl logic remains here) + curl "${sso_url}/api/group/" \ + -H "auth-token: ${sso_token}" \ + -H "content-type: application/json; charset=UTF-8" \ + --data-binary "{\"name\":\"host_${current_host}_access\",\"description\":\"Access for $current_host\"}" + curl "${sso_url}/api/group/" \ + -H "auth-token: ${sso_token}" \ + -H "content-type: application/json; charset=UTF-8" \ + --data-binary "{\"name\":\"host_${current_host}_admin\",\"description\":\"sudo for $current_host\"}" +fi + +echo "--- SSSD Migration Complete! ---" +echo "Please verify authentication and user access."