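#!/bin/sh
# Provision a self-signed TLS certificate for slapd and point both the
# client library (/etc/ldap/ldap.conf) and the server (/etc/default/slapd)
# at it, then configure the test database below.
# Assumes a Debian/Ubuntu layout (/etc/ldap, /etc/default/slapd, the
# openldap user) and GNU hostname/sed options. Requires sudo.
set -e

# Create TLS certificate
sudo mkdir -p /etc/ldap/ssl

#######################################
# Build the subjectAltName value for the server certificate: every name
# the host answers to as DNS: entries and every local address as IP:
# entries, de-duplicated and joined with commas. "localhost", 127.0.0.1
# and ::1 are always included because the certificate is issued for
# CN=localhost and the TLS check at the end connects to ldaps://localhost.
# Outputs: one line such as "DNS:host,DNS:localhost,IP:127.0.0.1,IP:::1"
#######################################
alt_names() {
  (
    (
      # Individual hostname flavours may fail (e.g. an unresolvable host
      # name inside a container); keep collecting the remaining names.
      {
        hostname || true
        hostname -a || true
        hostname -A || true
        hostname -f || true
        echo localhost
      } |
        xargs -n 1 |
        sort -u |
        sed -e 's/\(\S\+\)/DNS:\1/g'
    ) && (
      {
        hostname -i || true
        hostname -I || true
        echo "127.0.0.1 ::1"
      } |
        xargs -n 1 |
        sort -u |
        sed -e 's/\(\S\+\)/IP:\1/g'
    )
  ) | paste -d, -s
}

sudo openssl req -newkey rsa:4096 -x509 -nodes -days 3650 \
  -out /etc/ldap/ssl/server.crt -keyout /etc/ldap/ssl/server.key \
  -subj "/C=US/ST=Arizona/L=Localhost/O=localhost/CN=localhost" \
  -addext "subjectAltName = $(alt_names)"

# openssl does not restrict the mode of the -keyout file, so tighten it:
# only slapd (the openldap user) may read the private key. The certificate
# stays world readable because it doubles as TLS_CACERT for clients.
sudo chown -R openldap:openldap /etc/ldap/ssl
sudo chmod 0600 /etc/ldap/ssl/server.key
sudo chmod 0644 /etc/ldap/ssl/server.crt

# Display the TLS certificate (should be world readable)
openssl x509 -noout -text -in /etc/ldap/ssl/server.crt

# Point to the certificate generated: comment out any existing TLS_CACERT
# line and append ours, unless ours is already active (re-run safe).
if ! grep -q '^[[:space:]]*TLS_CACERT[[:space:]]/etc/ldap/ssl/server.crt' /etc/ldap/ldap.conf; then
  sudo sed -e 's|^\s*TLS_CACERT|# TLS_CACERT|' -i /etc/ldap/ldap.conf
  echo 'TLS_CACERT /etc/ldap/ssl/server.crt' | sudo tee -a /etc/ldap/ldap.conf
fi

# Configure LDAP protocols to serve.
sudo sed -e 's|^\s*SLAPD_SERVICES\s*=.*$|SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"|' -i /etc/default/slapd

# Configure LDAP database.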
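# DN of the data backend under cn=config: the database entry that carries
# both a suffix and a rootdn (the config and frontend databases do not).
# A fresh install has exactly one such entry; anything else is an error
# because the LDIF below rewrites that single database.
DBDN=$(sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config \
  '(&(olcRootDN=*)(olcSuffix=*))' dn | grep -i '^dn:' | sed -e 's/^dn:[[:space:]]*//')

nl='
'
case $DBDN in
  '')
    echo "no database with olcSuffix and olcRootDN found under cn=config" >&2
    exit 1
    ;;
  *"$nl"*)
    echo "more than one database found under cn=config, refusing to guess:" >&2
    echo "$DBDN" >&2
    exit 1
    ;;
esac

# The ppolicy schema ships as LDIF only on newer OpenLDAP packages; older
# ones build it into the ppolicy module, so the add is conditional.
if test -f "/etc/ldap/schema/ppolicy.ldif"; then
  sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
fi

# Suffix, rootdn and rootpw of the test database, TLS material for the
# server, and the overlay modules used by the tests. The rootpw is a
# test-fixture literal; the binds later in this script use the same value.
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// << EOF
dn: $DBDN
changetype: modify
replace: olcSuffix
olcSuffix: dc=my-domain,dc=com
-
replace: olcRootDN
olcRootDN: cn=Manager,dc=my-domain,dc=com
-
replace: olcRootPW
olcRootPW: secret

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/server.crt
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/server.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/server.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never
-
add: olcAuthzRegexp
olcAuthzRegexp: uid=usera,cn=digest-md5,cn=auth cn=usera,dc=my-domain,dc=com
-
replace: olcLogLevel
olcLogLevel: -1

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: sssvlv
-
add: olcModuleLoad
olcModuleLoad: ppolicy
-
add: olcModuleLoad
olcModuleLoad: dds
EOF

# Attach the overlays to the test database.
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// << EOF
dn: olcOverlay=sssvlv,$DBDN
objectClass: olcOverlayConfig
objectClass: olcSssVlvConfig
olcOverlay: sssvlv
olcSssVlvMax: 10
olcSssVlvMaxKeys: 5

dn: olcOverlay=ppolicy,$DBDN
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
### This would clutter our DIT and make tests to fail, while ppolicy does not
### seem to work as we expect (it does not seem to provide expected controls)
## olcPPolicyDefault: cn=default,ou=pwpolicies,dc=my-domain,dc=com
## olcPPolicyHashCleartext: FALSE
## olcPPolicyUseLockout: TRUE

dn: olcOverlay=dds,$DBDN
objectClass: olcOverlayConfig
objectClass: olcDdsConfig
olcOverlay: dds
EOF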
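
# Equality index on the attribute the dds overlay maintains for dynamic
# entries; DBDN is the database DN resolved earlier in this script.
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// << EOF
dn: $DBDN
changetype: modify
add: olcDbIndex
olcDbIndex: entryExpireTimestamp eq
EOF

# Seed the base entry over the local socket, binding as the rootdn with the
# test-fixture password configured above.
ldapadd -H ldapi:/// -D cn=Manager,dc=my-domain,dc=com -w secret <<EOF
dn: dc=my-domain,dc=com
objectClass: top
objectClass: organization
objectClass: dcObject
dc: my-domain
o: php ldap tests

### This would clutter our DIT and make tests to fail, while ppolicy does not
### seem to work as we expect (it does not seem to provide expected controls)
## dn: ou=pwpolicies,dc=my-domain,dc=com
## objectClass: top
## objectClass: organizationalUnit
## ou: pwpolicies
##
## dn: cn=default,ou=pwpolicies,dc=my-domain,dc=com
## objectClass: top
## objectClass: person
## objectClass: pwdPolicy
## cn: default
## sn: default
## pwdAttribute: userPassword
## pwdMaxAge: 2592000
## pwdExpireWarning: 3600
## #pwdInHistory: 0
## pwdCheckQuality: 0
## pwdMaxFailure: 5
## pwdLockout: TRUE
## #pwdLockoutDuration: 0
## #pwdGraceAuthNLimit: 0
## #pwdFailureCountInterval: 0
## pwdMustChange: FALSE
## pwdMinLength: 3
## pwdAllowUserChange: TRUE
## pwdSafeModify: FALSE
EOF

# Restart so the new SLAPD_SERVICES (ldaps://) and TLS settings take effect.
sudo service slapd restart

# Verify TLS connection. slapd may not be listening on ldaps:// right
# after the restart, so retry a few times before giving up.
tries=0
while : ; do
  # The script runs under `set -e`: a plain failing ldapsearch would abort
  # it before the retry logic below ever ran, so capture the status with
  # `|| rt=$?` instead of reading $? afterwards.
  rt=0
  ldapsearch -d 255 -H ldaps://localhost -D cn=Manager,dc=my-domain,dc=com -w secret \
    -s base -b dc=my-domain,dc=com 'objectclass=*' || rt=$?
  if [ "$rt" -eq 0 ]; then
    echo "OK"
    exit 0
  fi
  tries=$((tries + 1))
  if [ "$tries" -gt 3 ]; then
    echo "exit failure $rt" >&2
    exit "$rt"
  fi
  echo "trying again"
  sleep 3
done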