migration

files/sssd.conf.mo

@@ -1,34 +1,37 @@
 [sssd]
-services = nss, pam, sudo
+config_file_version = 2
 domains = default
 
 [domain/default]
 id_provider = ldap
 auth_provider = ldap
 chpass_provider = ldap
-sudo_provider = ldap
 
-ldap_uri = ldap://{{ldap_host}}
+ldap_uri = ldaps://{{ldap_host}}
 ldap_search_base = {{ldap_base_dn}}
-ldap_network_timeout = 3
+ldap_id_use_start_tls = true
+ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
 
 ldap_bind_dn = {{ldap_bind_dn}}
 ldap_bind_pw = {{ldap_bind_password}}
 
 # Sudo settings
+sudo_provider = ldap
 ldap_sudo_search_base = {{ldap_base_dn}}
 # Filter for sudo access: global host_admin OR host-specific admin
 ldap_sudo_full_refresh_interval = 900
 ldap_sudo_smart_refresh_interval = 300
+ldap_sudo_search_filter = (|(memberOf=cn=host_admin,ou=groups,dc=theta42,dc=com)(memberOf=cn=host_{hostname}_admin,ou=groups,dc=theta42,dc=com))
 
 # Access control: only allow users in host_access or host_{hostname}_access
 access_provider = ldap
 ldap_access_order = filter
-ldap_access_filter = (|(memberof=cn=host_access,ou=Groups,{{ldap_base_dn}})(memberof=cn=host_{{current_host}}_access,ou=Groups,{{ldap_base_dn}}))
+ldap_access_filter = (|(memberof=cn=host_access,ou=groups,{{ldap_base_dn}})(memberof=cn=host_{{current_host}}_access,ou=groups,{{ldap_base_dn}}))
 
 # Mapping
-ldap_user_search_base = ou=People,{{ldap_base_dn}}
-ldap_group_search_base = ou=Groups,{{ldap_base_dn}}
+ldap_user_search_base = ou=people,{{ldap_base_dn}}
+ldap_group_search_base = ou=groups,{{ldap_base_dn}}
+ldap_user_member_of = memberOf
 
 # Cache settings
 cache_credentials = True

index.sh

@@ -13,7 +13,7 @@ export current_host=$(hostname)
 # Install SSSD and required tools
 # We use sssd-ldap for the backend and libnss-sss/libpam-sss for the system hooks
 DEBIAN_FRONTEND=noninteractive apt update
-DEBIAN_FRONTEND=noninteractive apt install -y sssd sssd-ldap libnss-sss libpam-sss ldap-utils curl libsasl2-modules-gssapi-mit
+DEBIAN_FRONTEND=noninteractive apt install -y sssd sssd-ldap libnss-sss libpam-sss ldap-utils libsss-sudo curl libsasl2-modules-gssapi-mit
 
 # Create the SSSD configuration from template
 mkdir -p /etc/sssd
@@ -47,6 +47,8 @@ if ! grep -q "AuthorizedKeysCommand /usr/local/bin/ldap-ssh-key" /etc/ssh/sshd_c
     systemctl restart ssh
 fi
 
+systemctl enable --now sssd-sudo.socket
+
 # --- SSO Group Creation API Calls ---
 if [[ -v sso_token ]]; then
     echo "Registering host groups via API..."

ldap.vars.theta42

@@ -0,0 +1,9 @@
+# Set some variables for the test of the file
+export ldap_host="ldap.internal.theta42.com"
+export ldap_base_dn="dc=theta42,dc=com"
+
+export ldap_bind_dn="cn=ldapclient service,ou=People,$ldap_base_dn"
+export ldap_bind_password=""
+
+export sso_url="https://sso.theta42.com"
+export sso_token="" # This is the only optional variable

migration.sh

@@ -0,0 +1,122 @@
+#!/bin/bash
+set -e
+
+# Pull in the mustache template library for bash
+source lib/mo
+
+if [ ! -f ./ldap.vars ]; then
+    echo "ldap.vars file not found!"
+    echo "Please copy ldap.vars.template to ldap.vars and edit it."
+    exit 1
+fi
+
+source ldap.vars
+export current_host=$(hostname)
+
+echo "--- Starting LDAP to SSSD Migration ---"
+
+echo "1. Cleaning up old LDAP configuration and packages..."
+
+# 1. Remove old packages (libnss-ldap, libpam-ldap, sudo-ldap, nscd, etc.)
+DEBIAN_FRONTEND=noninteractive apt purge -y libnss-ldap libpam-ldap nscd sudo-ldap nslcd
+
+# Preserve ldap-utils if it's still useful for general LDAP querying
+# apt purge -y ldap-utils
+
+# 2. Clean up old configuration files
+echo "  - Removing old configuration files..."
+rm -f /etc/pam_ldap.conf
+rm -f /etc/ldap/ldap.conf
+rm -f /etc/ldap.conf
+rm -f /etc/sudo-ldap.conf
+
+# 3. Revert nsswitch.conf entries related to 'ldap'
+echo "  - Reverting /etc/nsswitch.conf entries for 'ldap'..."
+sed -i '/passwd:/ s/ ldap//' /etc/nsswitch.conf
+sed -i '/group:/ s/ ldap//' /etc/nsswitch.conf
+# You might want to review other services like 'shadow' or 'hosts' if they also had 'ldap'
+# For example: sed -i '/shadow:/ s/ ldap//' /etc/nsswitch.conf
+
+# 4. Clean up PAM configurations
+echo "  - Cleaning up old PAM configurations..."
+# Disable 'ldap' in pam-auth-update if it was enabled directly
+pam-auth-update --remove ldap
+
+# Remove specific common-password modifications made by the old script
+# The old script removed 'use_authtok'. Let's ensure a clean state if SSSD needs a different one.
+# It's generally safer to restore from a backup or let the new SSSD setup configure PAM.
+# For simplicity, we'll rely on the new sssd pam module to set things correctly.
+sed -i '/session required pam_mkhomedir.so skel=\/etc\/skel umask=077/d' /etc/pam.d/common-session
+
+# Ensure nscd is stopped and disabled if it wasn't purged
+systemctl stop nscd || true
+systemctl disable nscd || true
+
+echo "Cleanup complete."
+echo "--- Installing New SSSD Configuration ---"
+
+# Install SSSD and required tools
+# We use sssd-ldap for the backend and libnss-sss/libpam-sss for the system hooks
+DEBIAN_FRONTEND=noninteractive apt update
+DEBIAN_FRONTEND=noninteractive apt install -y sudo sssd sssd-ldap libnss-sss libpam-sss ldap-utils libsss-sudo curl libsasl2-modules-gssapi-mit
+
+# Create the SSSD configuration from template
+mkdir -p /etc/sssd
+echo "  - Creating /etc/sssd/sssd.conf from template..."
+cat files/sssd.conf.mo | mo > /etc/sssd/sssd.conf
+chmod 600 /etc/sssd/sssd.conf
+
+# Ensure nsswitch uses sss for passwd, group, and sudoers
+echo "  - Updating /etc/nsswitch.conf for SSSD..."
+sed -i 's/^passwd:.*/passwd:         files sss/' /etc/nsswitch.conf
+sed -i 's/^group:.*/group:          files sss/' /etc/nsswitch.conf
+if ! grep -q "sudoers:" /etc/nsswitch.conf; then
+    echo "sudoers:        files sss" >> /etc/nsswitch.conf
+else
+    sed -i 's/^sudoers:.*/sudoers:        files sss/' /etc/nsswitch.conf
+fi
+
+# Enable home directory creation (this should already be handled by pam-auth-update)
+# Double-check this line if it causes issues; pam-auth-update should configure /etc/pam.d/common-session
+# pam-auth-update --enable mkhomedir
+
+# Restart SSSD
+echo "  - Restarting and enabling SSSD service..."
+systemctl restart sssd
+systemctl enable sssd
+
+# --- Maintain Custom SSH Key Script ---
+echo "  - Setting up custom SSH key script..."
+cat files/ldap-ssh-key.sh | mo > /usr/local/bin/ldap-ssh-key
+chmod +x /usr/local/bin/ldap-ssh-key
+
+# Update SSHD config if not already present
+echo "  - Configuring SSHD for LDAP SSH keys..."
+if ! grep -q "AuthorizedKeysCommand /usr/local/bin/ldap-ssh-key" /etc/ssh/sshd_config; then
+    echo "AuthorizedKeysCommand /usr/local/bin/ldap-ssh-key" >> /etc/ssh/sshd_config
+    echo "AuthorizedKeysCommandUser nobody" >> /etc/ssh/sshd_config
+    systemctl restart sshd
+else
+    # If the lines exist, just ensure sshd is restarted in case it wasn't earlier
+    systemctl restart sshd
+fi
+
+echo "  - Enabling sssd-sudo socket..."
+systemctl enable --now sssd-sudo.socket
+
+# --- SSO Group Creation API Calls ---
+if [[ -v sso_token ]]; then
+    echo "  - Registering host groups via API..."
+    # (Existing curl logic remains here)
+    curl "${sso_url}/api/group/" \
+        -H "auth-token: ${sso_token}" \
+        -H "content-type: application/json; charset=UTF-8" \
+        --data-binary "{\"name\":\"host_${current_host}_access\",\"description\":\"Access for $current_host\"}"
+    curl "${sso_url}/api/group/" \
+        -H "auth-token: ${sso_token}" \
+        -H "content-type: application/json; charset=UTF-8" \
+        --data-binary "{\"name\":\"host_${current_host}_admin\",\"description\":\"sudo for $current_host\"}"
+fi
+
+echo "--- SSSD Migration Complete! ---"
+echo "Please verify authentication and user access."