# Copyright 1999-2008 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $
DESCRIPTION="This meta ebuild automates the configuration of OpenLDAP as the authentification backend"
HOMEPAGE="http://code.google.com/soc/2008/gentoo/appinfo.html?csaid=79DB497BA0D95148"
SRC_URI=""
LICENSE="GPL-2"
SLOT="0"
KEYWORDS="amd64 ~x86"
# autoconfigure: skip the manual CONFIG_OK acknowledgement in pkg_config
# authmaster:    this host runs slapd (slapd.conf, LDIF and DB are generated here)
# livecd:        pkg_config does not start slapd, only adds it to the runlevel
IUSE="autoconfigure authmaster livecd"
DEPEND=""
RDEPEND="sys-auth/nss_ldap
sys-auth/pam_ldap
app-admin/diradm"
inherit confutils
# Site configuration read by pkg_config. It is sourced as shell code, so it
# has to be treated like code: root-owned and writable by root only.
CONFPATH="/etc/gentoo"
CONFIG_FILE="${CONFPATH}/ldap_auth.conf"
# Skeleton for ${CONFIG_FILE}, shipped in FILESDIR and installed by src_install.
TEMPLATE_FILE="${FILESDIR}/cluster_ldap_skel.conf"
pkg_setup() {
  # Only an authmaster host runs slapd itself, and a USE=minimal openldap
  # build does not ship the server; refuse early instead of failing later.
  use authmaster || return 0
  ! built_with_use net-nds/openldap minimal \
    || die "You MUST have a non-minimal build of OpenLDAP to use ${P}!"
}
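src_install()
{
  # Only an authmaster host gets the site config skeleton; everything else
  # this ebuild does happens in pkg_config.
  use authmaster || return 0
  cp -- "${TEMPLATE_FILE}" ./ldap_auth.conf || die "cannot copy ${TEMPLATE_FILE}"
  dodir "${CONFPATH}"
  insinto "${CONFPATH}"
  doins ./ldap_auth.conf || die "cannot install ldap_auth.conf into ${CONFPATH}"
  if ! use autoconfigure; then
    elog "You need to edit ${CONFIG_FILE} to your likings"
    elog "Once you are done, set CONFIG_OK=\"yes\" in there and"
    elog "call emerge --config =${CATEGORY}/${PF}"
  fi
}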
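parse_config()
{
  local cfg=$1
  [[ -f ${cfg} ]] || die "config file ${cfg} missing"
  # The config file is plain shell and is executed here, so whoever can write
  # it can run code as root during pkg_config. Keep it root-owned, mode 0644
  # at most (it contains the rootdn password, so 0600 is the better choice).
  . "${cfg}"
  [[ -n ${DOMAIN} ]] || die "DOMAIN must be set in ${cfg}"
  [[ -n ${OU} ]] || die "OU must be set in ${cfg}"
  [[ -n ${LDAP_ADMIN_DN} ]] || die "LDAP_ADMIN_DN must be set in ${cfg}"
  [[ -n ${LDAP_ADMIN_DN_PWD} ]] || die "LDAP_ADMIN_DN_PWD must be set in ${cfg}"
  # Derived VARs:
  # example.com -> dc=example,dc=com
  DC="dc=${DOMAIN//\./,dc=}"
  BASE_DN="ou=${OU},${DC}"
  BASE_DN_DESC="${OU_DESC}"
  USR_DN="ou=${USERS_OU},${BASE_DN}"
  GRP_DN="ou=${GROUPS_OU},${BASE_DN}"
  ROOTDN="cn=${LDAP_ADMIN_DN},${DC}"
  ROOTDNPWD="${LDAP_ADMIN_DN_PWD}"
  DBDIR="/var/lib/openldap-${DOMAIN}-data"
  # Config Files:
  SLAPDCONF="${ROOT}/etc/openldap/slapd.conf"
  ETCSLAP="${ROOT}/etc/ldap.conf"
  # Make sure the parent directories exist under ${ROOT} so the later
  # "cat > file" redirections cannot fail on a fresh install root.
  [[ -f ${SLAPDCONF} ]] || mkdir -p -- "${SLAPDCONF%/*}"
  [[ -f ${ETCSLAP} ]] || mkdir -p -- "${ETCSLAP%/*}"
}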
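make_slapd_conf()
{
  local pwfile roothash
  ewarn "${SLAPDCONF} will be created with the password you defined in "
  ewarn "${CONFPATH}/ldap_auth.conf. This password also affects diradm."
  [[ -f ${SLAPDCONF} ]] && mv -- "${SLAPDCONF}" "${SLAPDCONF}.${PN}.bak"
  # Hash the rootdn password through a 0600 temp file (slappasswd -T) rather
  # than "slappasswd -s <pw>", which puts the cleartext on the process list
  # for anyone running ps while this executes.
  pwfile=$(mktemp) || die "mktemp failed"
  printf '%s' "${ROOTDNPWD}" > "${pwfile}"
  roothash=$(slappasswd -T "${pwfile}") || { rm -f -- "${pwfile}"; die "slappasswd failed"; }
  rm -f -- "${pwfile}"
  # The file carries the rootpw hash and the comment inside it says it must
  # not be world readable, so create it under umask 077 from the start.
  (
    umask 077
    cat > "${SLAPDCONF}" <<-EOF
#
# Based on instructoins from: http://www.gentoo.org/doc/en/ldap-howto.xml
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Schema definitions, these are order sensitive
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Define global ACLs to disable default read access.
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
# We define ACLs on a per-DB basis below, so no access as a default:
access to * by * none
# Database definitions (only have one here but you could have more than 1):
database hdb
suffix "${DC}"
# <kbyte> <min>
checkpoint 32 30
rootdn "${ROOTDN}"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw ${roothash}
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory ${DBDIR}
# Indices to maintain
index objectClass,uid,uidNumber eq
# Auto-Generated ACL definitions:
access to attrs=userPassword
by set="[cn=${ADMIN_GROUP_DN},${GRP_DN}]/member* & user" write
by dn="uid=${ADMIN_DN},${USR_DN}" write
by self write
by anonymous auth
by * none
access to *
by set="[cn=${ADMIN_GROUP_DN},${GRP_DN}]/member* & user" write
by dn="uid=${ADMIN_DN},${USR_DN}" write
by * read
EOF
  ) || die "cannot write ${SLAPDCONF}"
}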
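make_lapd_confs()
{
  local fqdn
  # Resolve the host name once; both files use the same value.
  fqdn=$(hostname -f)
  # etc/openldap/ldap.conf file:
  # Both files point clients at ldap://...:389 without TLS, so simple binds
  # (including the rootbinddn one) go over the wire in cleartext unless the
  # server side enforces ldaps/STARTTLS.
  cat > "${ROOT}/etc/openldap/ldap.conf" <<-EOF
# Autogenerated by $0
base ${BASE_DN}
uri ldap://${fqdn}:389/
rootbinddn ${ROOTDN}
EOF
  # etc/ldap.conf file: keep whatever was there before as .orig
  [[ -f ${ROOT}/etc/ldap.conf ]] && cp -- "${ROOT}/etc/ldap.conf" "${ROOT}/etc/ldap.conf.orig"
  # NOTE(review): the template below sets "pam_password exop" and later
  # "pam_password md5"; the later directive is the one that ends up in effect,
  # so the exop comment does not describe the resulting behaviour — confirm
  # which of the two is wanted and drop the other.
  cat > "${ROOT}/etc/ldap.conf" <<-EOF
host ${fqdn}
base ${BASE_DN}
uri ldap://${fqdn}:389/
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn ${ROOTDN}
# The search scope.
scope sub
#scope one
#scope base
# Reconnect policy:
# hard_open: reconnect to DSA with exponential backoff if
# opening connection failed
# hard_init: reconnect to DSA with exponential backoff if
# initializing connection failed
# hard: alias for hard_open
# soft: return immediately on server failure
bind_policy hard
ldap_version 3
# Use the OpenLDAP password change
# extended operation to update the password.
pam_password exop
#pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute gid
pam_password md5
#RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd ou=users,${BASE_DN}?one
nss_base_shadow ou=users,${BASE_DN}?one
nss_base_group ou=groups,${BASE_DN}?one
#nss_base_hosts ou=Hosts,${BASE_DN}?one
#nss_base_services ou=Services,${BASE_DN}?one
#nss_base_networks ou=Networks,${BASE_DN}?one
#nss_base_protocols ou=Protocols,${BASE_DN}?one
#nss_base_rpc ou=Rpc,${BASE_DN}?one
#nss_base_ethers ou=Ethers,${BASE_DN}?one
#nss_base_netmasks ou=Networks,${BASE_DN}?ne
#nss_base_bootparams ou=Ethers,${BASE_DN}?one
#nss_base_aliases ou=Aliases,${BASE_DN}?one
#nss_base_netgroup ou=Netgroup,${BASE_DN}?one
# For Gentoo's distribution of nss_ldap, as of 250-r1, we use these values
# (The hardwired constants in the code are changed to them as well):
#nss_reconnect_tries 4 # number of times to double the sleep time
#nss_reconnect_sleeptime 1 # initial sleep value
#nss_reconnect_maxsleeptime 16 # max sleep value to cap at
#nss_reconnect_maxconntries 2 # how many tries before sleeping
# This leads to a delay of 15 seconds (1+2+4+8=15)
# If you are impatient, and know your LDAP server is reliable, fast or local,
# you may wish to use these values instead:
nss_reconnect_tries 1 # number of times to double the sleep time
nss_reconnect_sleeptime 1 # initial sleep value
nss_reconnect_maxsleeptime 1 # max sleep value to cap at
nss_reconnect_maxconntries 3 # how many tries before sleeping
# This leads to a delay of 1 second.
EOF
}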
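install_pam_auth()
{
  SYSAUTH="${ROOT}/etc/pam.d/system-auth"
  if [[ ! -f ${SYSAUTH} ]]; then
    # Nothing under ${ROOT} yet: seed it from the live system so that the
    # backup taken below contains the real previous stack.
    mkdir -p -- "${SYSAUTH%/*}"
    cp -- /etc/pam.d/system-auth "${SYSAUTH}" || die "cannot seed ${SYSAUTH} from /etc/pam.d/system-auth"
  fi
  cp -- "${SYSAUTH}" "${SYSAUTH}.${PN}.bak" || die "cannot back up ${SYSAUTH}"
  einfo "OVERWRITING ${SYSAUTH}"
  # NOTE(review): the stack is taken verbatim from the wiki page it cites.
  # pam_unix keeps "nullok" (empty local passwords accepted) and pam_ldap is
  # "sufficient" for account/password — confirm both are acceptable before
  # rolling this out to more than one host.
  cat > "${SYSAUTH}" <<-EOF
#%PAM-1.0
# Savagely copied over from http://gentoo-wiki.com/HOWTO_LDAPv3#Configuration :P
auth required pam_env.so
auth [success=ignore default=1] pam_localuser.so
auth [success=done new_authtok_reqd=done default=1] pam_unix.so likeauth nullok try_first_pass
auth sufficient pam_ldap.so try_first_pass
auth required pam_deny.so
account sufficient pam_unix.so
account sufficient pam_ldap.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
#Creates the home directories if they do not exist
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_ldap.so
EOF
}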
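install_nssswitch()
{
  local svc
  NNSSWITCH="${ROOT}/etc/nsswitch.conf"
  if [[ ! -f ${NNSSWITCH} ]]; then
    mkdir -p -- "${NNSSWITCH%/*}"
    cp -- /etc/nsswitch.conf "${NNSSWITCH}" || die "cannot seed ${NNSSWITCH} from /etc/nsswitch.conf"
  fi
  cp -- "${NNSSWITCH}" "${NNSSWITCH}.${PN}.bak" || die "cannot back up ${NNSSWITCH}"
  einfo "Modifying ${NNSSWITCH}"
  # OTHER_OU is deliberately unquoted: it is a whitespace-separated list of
  # extra databases (the same names seed OUs in make_ldif). The names come
  # from the root-owned config file and are interpolated into a sed script,
  # so they have to be plain nsswitch database names.
  for svc in passwd shadow group ${OTHER_OU}; do
    # Append "ldap" only to lines that do not list it yet, so running
    # pkg_config again does not leave "files ldap ldap" behind.
    sed -i -e "/^${svc}.*[[:space:]]ldap\([[:space:]]\|\$\)/!s:^\(${svc}.*\):\1 ldap:" -- "${NNSSWITCH}" \
      || die "cannot update ${NNSSWITCH}"
  done
}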
make_ldif()
{
# NOTE: LDIF_OUT is defined in the config file
cat > $LDIF_OUT <<-EOF
dn: $DC
o: $DOMAIN
objectClass: organization
objectClass: dcObject
description: $DOMAIN_DESC
dn: $BASE_DN
ou: $OU
objectClass: top
objectClass: organizationalUnit
description: $BASE_DN_DESC
#dn: cn=${LDAP_ADMIN_DN},$DC
#objectClass: person
#cn: $LDAP_ADMIN_DN
#sn: $LDAP_ADMIN_DN
EOF
for OU in $USERS_OU $GROUPS_OU $OTHER_OU
do
DESC=$(eval echo "$"${I}_DESC)
cat >> $LDIF_OUT <<-EOF
dn: ou=${OU},$BASE_DN
ou: $OU
objectClass: top
objectClass: organizationalUnit
EOF
[[ ! -z $DESC ]] && echo " description: $DESC" >> $LDIF_OUT
done
# We need to define at least one user with GODlike rights :)
cat >> $LDIF_OUT <<-EOF
dn: cn=${ADMIN_DN},$USR_DN
cn: $ADMIN_DN
sn: $ADMIN_DN
gidNumber: 0
uid: $ADMIN_DN
uidNumber: 0
homeDirectory: /home/root
loginShell: /bin/bash
# we need at least one STRUCTURAL objectClass: so we choose inetOrgPerson
# as it is the most popular in such a context and will require less fscking
# around of the management tools (such as lat)
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
description: $ADMIN_DN_DESC
EOF
# Let's provide for multiple diety possibilies O_o!
# This is a group explicitly linked to wheel
cat >> $LDIF_OUT <<-EOF
dn: cn=${ADMIN_GROUP_DN},$GRP_DN
gidNumber: $(getent group wheel | cut -f3 -d:)
cn: $ADMIN_GROUP_DN
# RFCs will eventually define posixGroup as an AUXILIARY class and
# not a STRUCTURAL class, then we'll have to uncomment groupOfNames
#objectClass: groupOfNames
objectClass: posixGroup
description: $DESC NOTE: This group OVERLAPS the local wheel account
EOF
}
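creade_db()
{
  # NOTE: setting ${ROOT} here is irrelevant since this function should not be
  # called unless ROOT=/
  # This is bad, I know...all of this should be done using the installed
  # openldap version (don't know how to get the installed version from portage)
  local -a db_config_examples
  einfo "Adding default DB_CONFIG file to DB directory."
  mkdir -p -- "${DBDIR}" || die "cannot create ${DBDIR}"
  # slapd.conf asks for mode 700 on the data directory; set it before any
  # data lands there rather than leaving it at the umask default.
  chmod 700 -- "${DBDIR}" || die "cannot chmod ${DBDIR}"
  # The glob can match more than one openldap doc directory; concatenating
  # several bz2 streams into one DB_CONFIG would be wrong, so take the first.
  db_config_examples=( /usr/share/doc/openldap-*/DB_CONFIG.fast.example.bz2 )
  [[ -f ${db_config_examples[0]} ]] || die "no DB_CONFIG.fast.example.bz2 found under /usr/share/doc"
  bzcat "${db_config_examples[0]}" > "${DBDIR}/DB_CONFIG" || die "cannot write ${DBDIR}/DB_CONFIG"
  einfo "Initiating the database"
  # Offline load; slapd is not running yet at this point.
  slapadd -v -b "${ROOTDN}" -l "${LDIF_OUT}" || die "slapadd failed"
  # had ldap been online:
  #ldapadd -x -D $ROOTDN -w $ROOTDNPWD -f $LDIF_OUT
  einfo "Ensuring proper permissions are set for the data dir."
  #chown -R ldap: `awk '/^directory/ {print $2}' $SLAPDCONF`
  chown -R ldap: -- "${DBDIR}" || die "cannot chown ${DBDIR}"
  einfo "Creating /var/run/openldap/ with proper permissions."
  mkdir -p -- /var/run/openldap/
  chown ldap: -- /var/run/openldap/
  if ! use livecd; then
    einfo "Starting slapd"
    /etc/init.d/slapd start || ewarn "Failed to start slapd, check /var/log/messages"
  else
    ewarn "Don't forget to start slapd as soon as the script completes!"
  fi
  einfo "Adding slapd to default runlevel"
  rc-update add slapd default
}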
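config_diradm()
{
  # diradm has questionnable defaults, we bring them back to
  # what most users will expect:
  sed -i -e 's:HOMEBASE="/home/users":HOMEBASE="/home":' \
    -e 's:DEFAULT_LOGINSHELL="/bin/localshell":DEFAULT_LOGINSHELL="/bin/bash":' \
    -- "${ROOT}/etc/diradm.conf" || die "cannot update ${ROOT}/etc/diradm.conf"
  # /etc/ldap.secret holds the rootdn password in cleartext (pam_ldap and
  # diradm read it). Tighten a pre-existing file first, then create/rewrite
  # it under umask 077, so the cleartext is never readable by other users,
  # not even between the write and a later chmod.
  # Written to the live /etc regardless of ${ROOT}, as before.
  if [[ -e /etc/ldap.secret ]]; then
    chmod 600 /etc/ldap.secret || die "cannot chmod /etc/ldap.secret"
  fi
  (
    umask 077
    printf '%s\n' "${ROOTDNPWD}" > /etc/ldap.secret
  ) || die "cannot write /etc/ldap.secret"
  chmod 600 /etc/ldap.secret
  # When we enable automount, we'll add the stuff here
}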
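pkg_config()
{
  [[ -f ${CONFIG_FILE} ]] || die "${CONFIG_FILE} missing!!! re-emerge ${PF}"
  if ! use autoconfigure; then
    # Manual mode: the admin has to acknowledge the edited config explicitly.
    . "${CONFIG_FILE}"
    [[ ${CONFIG_OK} == "yes" ]] || die "You need to edit ${CONFIG_FILE} and set CONFIG_OK=\"yes\""
  fi
  parse_config "${CONFIG_FILE}"
  if use authmaster; then
    make_slapd_conf
    make_ldif
    config_diradm
    echo
    # Don't create the DB on a live system if that's not
    # where we want to install
    [[ ${ROOT} == "/" ]] && creade_db
    # The generated LDIF carries no password attribute, but it is a one-shot
    # artefact unless the admin asked to keep it.
    [[ ${LDIF_OUT_KEEP} == "yes" ]] || rm -f -- "${LDIF_OUT}"
  fi
  make_lapd_confs
  # commented for irrelevancy in this ebuild.
  #if [[ $LDAP_AS_AUTH == "yes" ]]
  #then
  install_pam_auth
  install_nssswitch
  #fi
  ewarn "You must now use 'diradm' as your user, group and password manager!!!"
  ewarn "For diradm to work, the rootdn password has to be put in cleartext in"
  ewarn "/etc/ldap.secret and the files has to be readable by root only."
  ewarn "The script does that for you but you're responsible for managing that"
  ewarn "file. You have been warned!"
}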