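#!/bin/sh
# Provision a local OpenLDAP (slapd) instance for the ext/ldap test-suite:
# a self-signed TLS certificate, ldap/ldaps/ldapi listeners, the
# dc=my-domain,dc=com database with rootdn cn=Manager (password "secret"),
# the sssvlv/ppolicy/dds overlays, and a final ldaps:// bind as smoke test.
#
# Paths (/etc/ldap, /etc/default/slapd, the openldap user) follow the
# Debian/Ubuntu layout. Everything here is a throw-away CI fixture: the
# cleartext olcRootPW, olcLogLevel -1 and olcTLSVerifyClient "never" are
# deliberate for tests and must not be copied into a real deployment.
set -ex

# --- TLS certificate --------------------------------------------------------
sudo mkdir -p /etc/ldap/ssl

# Print the subjectAltName value for the certificate: every name and address
# this host answers to, e.g. "DNS:localhost,DNS:runner,IP:127.0.0.1,IP:::1".
# `hostname -f` / `hostname -i` fail when the host name does not resolve
# (common in containers), and with the original `&&` chain that silently
# dropped the loopback addresses. Each probe is therefore best-effort, and
# "localhost" plus 127.0.0.1/::1 are always listed so the ldaps://localhost
# check at the bottom of this script does not depend on the machine's DNS.
alt_names() {
  (
    {
      echo localhost
      hostname
      hostname -a 2>/dev/null || true
      hostname -A 2>/dev/null || true
      hostname -f 2>/dev/null || true
    } | xargs -n 1 | sort -u | sed -e 's/^/DNS:/'
    {
      echo "127.0.0.1 ::1"
      hostname -i 2>/dev/null || true
      hostname -I 2>/dev/null || true
    } | xargs -n 1 | sort -u | sed -e 's/^/IP:/'
  ) | paste -d, -s
}

# Self-signed, valid 10 years, unencrypted key (-nodes) because slapd must
# load it without a passphrase. -addext requires OpenSSL >= 1.1.1.
sudo openssl req -newkey rsa:4096 -x509 -nodes -days 3650 \
  -out /etc/ldap/ssl/server.crt -keyout /etc/ldap/ssl/server.key \
  -subj "/C=US/ST=Arizona/L=Localhost/O=localhost/CN=localhost" \
  -addext "subjectAltName = $(alt_names)"

sudo chown -R openldap:openldap /etc/ldap/ssl
# Do not rely on openssl's umask handling: only slapd may read the private
# key, while the certificate is public (unprivileged clients read it as
# TLS_CACERT below).
sudo chmod 600 /etc/ldap/ssl/server.key
sudo chmod 644 /etc/ldap/ssl/server.crt

# Display the TLS certificate (should be world readable)
openssl x509 -noout -text -in /etc/ldap/ssl/server.crt

# --- Client configuration ---------------------------------------------------
# Clients trust our self-signed certificate directly. Any previous TLS_CACERT
# line is commented out rather than deleted; re-running the script is a no-op.
if ! grep -qF -- 'TLS_CACERT /etc/ldap/ssl/server.crt' /etc/ldap/ldap.conf; then
  sudo sed -e 's|^[[:space:]]*TLS_CACERT|# TLS_CACERT|' -i /etc/ldap/ldap.conf
  echo 'TLS_CACERT /etc/ldap/ssl/server.crt' | sudo tee -a /etc/ldap/ldap.conf
fi

# --- Server configuration ---------------------------------------------------
# Serve plain ldap, ldaps and the local unix socket; ldapi:/// with SASL
# EXTERNAL (root) is how every cn=config edit below is authenticated.
sudo sed -e 's|^[[:space:]]*SLAPD_SERVICES[[:space:]]*=.*$|SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"|' -i /etc/default/slapd

# DN of the pre-existing data database under cn=config (olcDatabase={1}mdb on
# Debian). The filter requires olcSuffix, which the config database lacks.
DBDN=$(sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config \
  '(&(olcRootDN=*)(olcSuffix=*))' dn | grep -i '^dn:' | sed -e 's/^dn:[[:space:]]*//')
# An empty result is not caught by set -e (sed is the last pipeline stage);
# stop here instead of sending "dn:" with no value in the LDIF below.
if [ -z "$DBDN" ]; then
  echo "setup: no database with olcRootDN and olcSuffix found under cn=config" >&2
  exit 1
fi

# The ppolicy schema ships as a separate file with OpenLDAP 2.4; since 2.5 it
# is built into the overlay and the file may not be installed, so only load
# it when present (loading it twice would also fail under set -e).
if [ -f /etc/ldap/schema/ppolicy.ldif ]; then
  sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
fi

# Rename the default database to our test suffix and rootdn, configure TLS
# (the self-signed server cert doubles as the CA file), map the DIGEST-MD5
# SASL identity "usera" onto a DN, and load the overlay modules.
# olcLogLevel -1 logs everything slapd can log; keep it for CI diagnostics
# only. olcRootPW is stored in cleartext — a hashed value from slappasswd
# would be preferable anywhere but a disposable test box.
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// << EOF
dn: $DBDN
changetype: modify
replace: olcSuffix
olcSuffix: dc=my-domain,dc=com
-
replace: olcRootDN
olcRootDN: cn=Manager,dc=my-domain,dc=com
-
replace: olcRootPW
olcRootPW: secret

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/server.crt
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/server.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/server.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never
-
add: olcAuthzRegexp
olcAuthzRegexp: uid=usera,cn=digest-md5,cn=auth cn=usera,dc=my-domain,dc=com
-
replace: olcLogLevel
olcLogLevel: -1

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: sssvlv
-
add: olcModuleLoad
olcModuleLoad: ppolicy
-
add: olcModuleLoad
olcModuleLoad: dds
EOF

# Attach the overlays to the test database. sssvlv limits are kept small so
# the tests can provoke the "too many" errors; ppolicy is loaded but not
# given a default policy (see the comments kept below).
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// << EOF
dn: olcOverlay=sssvlv,$DBDN
objectClass: olcOverlayConfig
objectClass: olcSssVlvConfig
olcOverlay: sssvlv
olcSssVlvMax: 10
olcSssVlvMaxKeys: 5

dn: olcOverlay=ppolicy,$DBDN
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
### This would clutter our DIT and make tests to fail, while ppolicy does not
### seem to work as we expect (it does not seem to provide expected controls)
## olcPPolicyDefault: cn=default,ou=pwpolicies,dc=my-domain,dc=com
## olcPPolicyHashCleartext: FALSE
## olcPPolicyUseLockout: TRUE

dn: olcOverlay=dds,$DBDN
objectClass: olcOverlayConfig
objectClass: olcDdsConfig
olcOverlay: dds
EOF

# dds expires dynamic entries by entryExpireTimestamp; index it for lookups.
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// << EOF
dn: $DBDN
changetype: modify
add: olcDbIndex
olcDbIndex: entryExpireTimestamp eq
EOF

# Create the base entry with a simple bind as the new rootdn. cn=config
# changes are live, so this works before the restart below.
ldapadd -H ldapi:/// -D cn=Manager,dc=my-domain,dc=com -w secret <<EOF
dn: dc=my-domain,dc=com
objectClass: top
objectClass: organization
objectClass: dcObject
dc: my-domain
o: php ldap tests

### This would clutter our DIT and make tests to fail, while ppolicy does not
### seem to work as we expect (it does not seem to provide expected controls)
## dn: ou=pwpolicies,dc=my-domain,dc=com
## objectClass: top
## objectClass: organizationalUnit
## ou: pwpolicies
##
## dn: cn=default,ou=pwpolicies,dc=my-domain,dc=com
## objectClass: top
## objectClass: person
## objectClass: pwdPolicy
## cn: default
## sn: default
## pwdAttribute: userPassword
## pwdMaxAge: 2592000
## pwdExpireWarning: 3600
## #pwdInHistory: 0
## pwdCheckQuality: 0
## pwdMaxFailure: 5
## pwdLockout: TRUE
## #pwdLockoutDuration: 0
## #pwdGraceAuthNLimit: 0
## #pwdFailureCountInterval: 0
## pwdMustChange: FALSE
## pwdMinLength: 3
## pwdAllowUserChange: TRUE
## pwdSafeModify: FALSE
EOF

# Restart so the SLAPD_SERVICES change (ldaps listener) takes effect.
sudo service slapd restart

# --- Smoke test: TLS bind as rootdn -----------------------------------------
# slapd may take a moment to accept connections again, so retry up to four
# times. The failing ldapsearch must not be a bare statement: under set -e
# it would abort the script on the first failure and the retry loop would
# never run. -d 255 dumps the TLS handshake to ease debugging a bad cert.
# The password is passed on the command line (visible in ps and in the set -x
# trace); acceptable only because it is the fixed test fixture.
tries=0
while : ; do
  rt=0
  ldapsearch -d 255 -H ldaps://localhost -D cn=Manager,dc=my-domain,dc=com -w secret \
    -s base -b dc=my-domain,dc=com 'objectclass=*' || rt=$?
  if [ "$rt" -eq 0 ]; then
    echo "OK"
    exit 0
  fi
  tries=$((tries + 1))
  if [ "$tries" -gt 3 ]; then
    echo "exit failure $rt"
    exit "$rt"
  fi
  echo "trying again"
  sleep 3
done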