Commit 0b7f5058 authored by Adam Wujek's avatar Adam Wujek 💬

rootfs: add files for LDAP+kerberos

Signed-off-by: Adam Wujek's avatarAdam Wujek <adam.wujek@cern.ch>
parent 3b84ed46
nslcd.sh
\ No newline at end of file
#!/bin/sh
#
# Starts nslcd needed for LDAP
#
MONIT=/usr/bin/monit
dotconfig=/wr/etc/dot-config
start_counter() {
# increase boot counter
COUNTER_FILE="/tmp/start_cnt_ldap"
START_COUNTER=1
if [ -f "$COUNTER_FILE" ];
then
read -r START_COUNTER < $COUNTER_FILE
START_COUNTER=$((START_COUNTER+1))
fi
echo "$START_COUNTER" > $COUNTER_FILE
}
start() {
echo -n "Starting nslcd (LDAP): "
if [ -f "$dotconfig" ]; then
. "$dotconfig"
else
echo "$0 unable to source dot-config ($dotconfig)!"
fi
if [ "$CONFIG_LDAP_ENABLE" != "y" ]; then
echo "LDAP not enabled in dot-config"
# Unmonitor web server (nslcd), ignore all printouts
# from monit.
# Run in background since monit may wait for a timeout.
$MONIT unmonitor nslcd &>/dev/null &
exit 0
fi
if [ -z "$CONFIG_LDAP_SERVER" ]; then
echo "Failed! LDAP server not defined"
exit 0
fi
# fill LDAP server address
cp -a /usr/etc/nslcd.conf /etc/nslcd.conf
sed -i "s,^uri CONFIG_LDAP_SERVER_ADDRESS,uri $CONFIG_LDAP_SERVER,g" /etc/nslcd.conf
if [ -z "$CONFIG_LDAP_SEARCH_BASE" ]; then
echo "Failed! LDAP search base not defined"
exit 0
fi
# fill LDAP search base
sed -i "s/CONFIG_LDAP_SEARCH_BASE/$CONFIG_LDAP_SEARCH_BASE/g" /etc/nslcd.conf
if [ "$CONFIG_LDAP_FILTER_NONE" = "y" ]; then
# no filter
sed -i "s/CONFIG_LDAP_FILTER//g" /etc/nslcd.conf
elif [ "$CONFIG_LDAP_FILTER_EGROUP" = "y" ]; then
if [ -z "$CONFIG_LDAP_FILTER_EGROUP_STR" ]; then
echo -n "Warning: CONFIG_LDAP_FILTER_EGROUP_STR empty! "
fi
sed -i "s/CONFIG_LDAP_FILTER/(memberOf=CN=$CONFIG_LDAP_FILTER_EGROUP_STR,OU=e-groups,OU=Workgroups,$CONFIG_LDAP_SEARCH_BASE)/g" /etc/nslcd.conf
elif [ "$CONFIG_LDAP_FILTER_CUSTOM" = "y" ]; then
if [ -z "$CONFIG_LDAP_FILTER_CUSTOM_STR" ]; then
echo -n "Warning: CONFIG_LDAP_FILTER_CUSTOM_STR empty! "
fi
sed -i "s/CONFIG_LDAP_FILTER/$CONFIG_LDAP_FILTER_CUSTOM_STR/g" /etc/nslcd.conf
fi
# add ldap to /etc/nsswitch.conf
cp -a /usr/etc/nsswitch.conf /etc/nsswitch.conf
sed -i "s/^passwd:[ \t]*files\$/passwd: files ldap/g" /etc/nsswitch.conf
sed -i "s/^group:[ \t]*files\$/group: files ldap/g" /etc/nsswitch.conf
sed -i "s/^shadow:[ \t]*files\$/shadow: files ldap/g" /etc/nsswitch.conf
cp -a /usr/etc/pam.d/sshd /etc/pam.d/sshd
if [ "$CONFIG_AUTH_KRB5" = "y" ]; then
if [ -z "$CONFIG_AUTH_KRB5_SERVER" ]; then
echo "Failed! CONFIG_AUTH_KRB5_SERVER empty!"
exit 0
fi
sed -i "s,# auth line to be replaced by startup scripts,# added by $0\nauth sufficient /lib/security/pam_krb5.so minimum_uid=1000\n,g" /etc/pam.d/sshd
sed -i "s,# account line to be replaced by startup scripts,# added by $0\naccount required /lib/security/pam_krb5.so minimum_uid=1000\n,g" /etc/pam.d/sshd
sed -i "s,# session line to be replaced by startup scripts,# added by $0\nsession required /lib/security/pam_krb5.so minimum_uid=1000\n,g" /etc/pam.d/sshd
cp -a /usr/etc/krb5.conf /etc/krb5.conf
sed -i "s,default_realm = CONFIG_AUTH_KRB5_SERVER,default_realm = $CONFIG_AUTH_KRB5_SERVER,g" /etc/krb5.conf
fi
if [ "$CONFIG_AUTH_LDAP" = "y" ]; then
sed -i "s,# auth line to be replaced by startup scripts,# added by $0\nauth sufficient /lib/security/pam_ldap.so minimum_uid=1000\n,g" /etc/pam.d/sshd
sed -i "s,# account line to be replaced by startup scripts,# added by $0\naccount required /lib/security/pam_ldap.so minimum_uid=1000\n,g" /etc/pam.d/sshd
sed -i "s,# session line to be replaced by startup scripts,# added by $0\nsession required /lib/security/pam_ldap.so minimum_uid=1000\n,g" /etc/pam.d/sshd
fi
# /var/run/nslcd/nslcd.pid is created automatically by nslcd
start-stop-daemon -S -q -p /var/run/nslcd/nslcd.pid --exec /usr/sbin/nslcd
ret=$?
if [ $ret -eq 0 ]; then
start_counter
echo "OK"
elif [ $ret -eq 1 ]; then
echo "Failed (already running?)"
else
echo "Failed"
fi
}
stop() {
echo -n "Stopping nslcd (LDAP): "
start-stop-daemon -K -q -p /var/run/nslcd/nslcd.pid
if [ $? -eq 0 ]; then
echo "OK"
else
echo "Failed"
fi
}
restart() {
stop
start
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart|reload)
restart
;;
*)
echo $"Usage: $0 {start|stop|restart}"
exit 1
esac
exit $?
[libdefaults] [libdefaults]
default_realm = CERN.CH default_realm = CONFIG_AUTH_KRB5_SERVER
kdc_timesync = 1 kdc_timesync = 1
ccache_type = 4 ccache_type = 4
forwardable = true forwardable = true
......
# nslcd is used for LDAP
check process nslcd with pidfile /var/run/nslcd/nslcd.pid
start program = "/etc/init.d/nslcd.sh start"
stop program = "/etc/init.d/nslcd.sh stop"
if 5 restarts within 10 cycles then exec "/etc/init.d/reboot.sh nslcd"
...@@ -7,7 +7,7 @@ ...@@ -7,7 +7,7 @@
# The uri pointing to the LDAP server to use for name lookups. # The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used # Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously). # here should be resolvable without using LDAP (obviously).
uri ldap://xldap.cern.ch ldap://xldap.cern.ch ldap://xldap.cern.ch uri CONFIG_LDAP_SERVER_ADDRESS
#uri ldap://127.0.0.1/ #uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/ #uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/ #uri ldapi://%2fvar%2frun%2fldapi_sock/
...@@ -19,7 +19,7 @@ uri ldap://xldap.cern.ch ldap://xldap.cern.ch ldap://xldap.cern.ch ...@@ -19,7 +19,7 @@ uri ldap://xldap.cern.ch ldap://xldap.cern.ch ldap://xldap.cern.ch
#ldap_version 3 #ldap_version 3
# The distinguished name of the search base. # The distinguished name of the search base.
base dc=cern,dc=ch base CONFIG_LDAP_SEARCH_BASE
# The distinguished name to bind to the server with. # The distinguished name to bind to the server with.
# Optional: default is to bind anonymously. # Optional: default is to bind anonymously.
...@@ -39,8 +39,8 @@ scope one ...@@ -39,8 +39,8 @@ scope one
#scope base #scope base
# Customize certain database lookups. # Customize certain database lookups.
base group ou=Unix,ou=Workgroups,dc=cern,dc=ch base group ou=Unix,ou=Workgroups,CONFIG_LDAP_SEARCH_BASE
base passwd ou=Users,ou=Organic Units,dc=cern,dc=ch base passwd ou=Users,ou=Organic Units,CONFIG_LDAP_SEARCH_BASE
#base shadow ou=People,dc=example,dc=com #base shadow ou=People,dc=example,dc=com
#scope group onelevel #scope group onelevel
#scope hosts sub #scope hosts sub
...@@ -107,7 +107,7 @@ ssl no ...@@ -107,7 +107,7 @@ ssl no
# Mappings for Active Directory # Mappings for Active Directory
pagesize 1000 pagesize 1000
referrals off referrals off
filter passwd (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*)(memberOf=CN=white-rabbit-switch-root,OU=e-groups,OU=Workgroups,DC=cern,DC=ch)) filter passwd (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*)CONFIG_LDAP_FILTER)
map passwd uid sAMAccountName map passwd uid sAMAccountName
#map passwd homeDirectory unixHomeDirectory #map passwd homeDirectory unixHomeDirectory
map passwd homeDirectory "/home/$sAMAccountName" map passwd homeDirectory "/home/$sAMAccountName"
......
../init.d/ldap.sh
\ No newline at end of file
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment