diff --git a/docs/dmzrsaccount/README.md b/docs/dmzrsaccount/README.md
new file mode 100644
index 0000000..f0d30ef
--- /dev/null
+++ b/docs/dmzrsaccount/README.md
@@ -0,0 +1,13 @@
+install luser.deb
+change /var/luser/luser/config.ini
+
+add ldap.krov.dmz.rs to /etc/hosts with the IP address op slapd vm by adding a line like "192.168.1.205 ldap.krov.dmz.rs"
+
+config.ini should contain following:
+
+LDAPHOST = ldap.krov.dmz.rs
+LDAPADMINNAME = cn=admin,dc=dmz,dc=rs
+LDAPPASS =
+USERBASE = ou=Users,dc=dmz,dc=rs
+
+run prepare.py
diff --git a/docs/dmzrsaccount/listuserskralizec.py b/docs/dmzrsaccount/listuserskralizec.py
new file mode 100755
index 0000000..c8991ac
--- /dev/null
+++ b/docs/dmzrsaccount/listuserskralizec.py
@@ -0,0 +1,12 @@
+#!/usr/bin/env python3
+import ldap3
+
+LDAPADMINNAME='uid=krovslapd,ou=xmpp,dc=dmz,dc=rs'
+LDAPPASS=''
+USERATTRIBUTES=['cn' , 'sn', 'givenName', 'uid', 'uidNumber' , 'gidNumber', 'homeDirectory', 'loginShell', 'gecos' , 'shadowLastChange', 'shadowMax', 'userPassword', 'mail']
+
+
+ldapserver=ldap3.Server('2001:470:1f1a:1a4:0:1:0:1d',use_ssl=True)
+ldapconnection = ldap3.Connection(ldapserver, LDAPADMINNAME,LDAPPASS, auto_bind=True)
+ldapconnection.search(search_base=f'ou=xmpp,dc=dmz,dc=rs',search_filter='(objectClass=person)', attributes=USERATTRIBUTES)
+print(str(ldapconnection.response))
diff --git a/docs/dmzrsaccount/listuserskrov.py b/docs/dmzrsaccount/listuserskrov.py
new file mode 100755
index 0000000..1732acc
--- /dev/null
+++ b/docs/dmzrsaccount/listuserskrov.py
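Review bot: `ldap3.Server('2001:470:1f1a:1a4:0:1:0:1d',use_ssl=True)` encrypts the session but does not verify the server certificate — when no `tls=` argument is given, ldap3 builds a default `Tls` object with `validate=ssl.CERT_NONE` — so the bind DN and password on the following line are sent to whatever endpoint answers at that address; listuserskrov.py, prepare.py, testanon.py and testuser.py construct their `Server` the same way. Pass an explicit policy, e.g. `import ssl`, `tls = ldap3.Tls(validate=ssl.CERT_REQUIRED, ca_certs_file='<CA_BUNDLE_PATH>')` and `ldapserver = ldap3.Server('<KRALIZEC_LDAP_HOSTNAME>', use_ssl=True, tls=tls)`; validation also needs the hostname the certificate was issued for rather than the bare IPv6 literal used here, unless that certificate carries the address as a SAN. Separately, `LDAPADMINNAME` and the empty `LDAPPASS=''` placeholder are literals in a tracked file (testuser.py has the same pattern) while the sibling scripts read credentials from config.ini; reading them the same way, or with `getpass.getpass()`, avoids a filled-in password ending up in a commit. `f'ou=xmpp,dc=dmz,dc=rs'` contains no placeholders and can be a plain string.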
@@ -0,0 +1,17 @@
+#!/usr/bin/env python3
+import ldap3
+import configparser
+
+CONFIG_PATH = '/var/luser/luser/config.ini'
+config = configparser.ConfigParser()
+config.read(CONFIG_PATH)
+LDAPHOST = config.get('credentials', 'LDAPHOST')
+LDAPADMINNAME = config.get('credentials', 'LDAPADMINNAME')
+LDAPPASS = config.get('credentials', 'LDAPPASS')
+USERBASE = config.get('credentials', 'USERBASE')
+USERATTRIBUTES=['cn' , 'sn', 'givenName', 'uid', 'uidNumber' , 'gidNumber', 'homeDirectory', 'loginShell', 'gecos' , 'shadowLastChange', 'shadowMax', 'userPassword', 'mail']
+
+ldapserver=ldap3.Server(LDAPHOST,use_ssl=True)
+ldapconnection = ldap3.Connection(ldapserver, LDAPADMINNAME,LDAPPASS, auto_bind=True)
+ldapconnection.search(search_base=f'{USERBASE}',search_filter='(objectClass=person)', attributes=USERATTRIBUTES)
+print(str(ldapconnection.response))
diff --git a/docs/dmzrsaccount/prepare.py b/docs/dmzrsaccount/prepare.py
new file mode 100755
index 0000000..cf21ff9
--- /dev/null
+++ b/docs/dmzrsaccount/prepare.py
@@ -0,0 +1,18 @@
+#!/usr/bin/env python3
+import ldap3
+import configparser
+
+CONFIG_PATH = "/var/luser/luser/config.ini"
+config = configparser.ConfigParser()
+config.read(CONFIG_PATH)
+LDAPHOST = config.get('credentials', 'LDAPHOST')
+LDAPADMINNAME = config.get('credentials', 'LDAPADMINNAME')
+LDAPPASS = config.get('credentials', 'LDAPPASS')
+USERBASE = config.get('credentials', 'USERBASE')
+
+ldapserver=ldap3.Server(LDAPHOST,use_ssl=True)
+ldapconnection = ldap3.Connection(ldapserver, LDAPADMINNAME, LDAPPASS, auto_bind=True)
+rcode1=ldapconnection.add(f'{USERBASE}', ['dcObject', 'organization'], {'o' : "dmz", 'dc' : "dmz"})
+rcode2=ldapconnection.add(USERBASE, ['top', 'organizationalUnit'], {'ou' : "Users"})
+print(str(rcode1))
+print(str(rcode2))
diff --git a/docs/dmzrsaccount/testanon.py b/docs/dmzrsaccount/testanon.py
new file mode 100755
index 0000000..66c3c7e
--- /dev/null
+++ b/docs/dmzrsaccount/testanon.py
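Review bot: `config.read(CONFIG_PATH)` returns the list of files it managed to parse and never raises for a missing or unreadable file, so an absent config.ini only surfaces as a `NoSectionError` from the `config.get('credentials', …)` line below it; prepare.py, testanon.py and testuser.py repeat the same pattern. Check the return value, e.g. `if not config.read(CONFIG_PATH): raise SystemExit(f'cannot read {CONFIG_PATH}')`. Note also that docs/dmzrsaccount/README.md in this commit lists the four keys without the `[credentials]` section header these `config.get` calls require; a config.ini written from that README makes `config.read` raise `MissingSectionHeaderError`, so the README should show the header. `search_base=f'{USERBASE}'` wraps a bare name in an f-string; `search_base=USERBASE`, as prepare.py's second `add` already does, is the plain form.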
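Review bot: both `add` calls target the same DN: the first creates `USERBASE` (`ou=Users,dc=dmz,dc=rs` per the README) as a `dcObject`/`organization` entry whose only naming attribute is `dc=dmz`, which does not match the entry's `ou=Users` RDN and will presumably be rejected (or is redundant if the suffix entry already exists from `dpkg-reconfigure slapd`), and the second then adds the same DN again as an `organizationalUnit`. If the first call was meant to create the suffix, it needs the suffix DN (`dc=dmz,dc=rs`, i.e. `USERBASE` with its leading RDN removed) rather than `USERBASE`. `print(str(rcode1))` shows only `True`/`False`; the server's diagnostic for a failed add is in `ldapconnection.result`, so `if not rcode2: print(ldapconnection.result)` lets a failed run explain itself. `f'{USERBASE}'` is an f-string around a bare name while the second call already passes `USERBASE` directly.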
@@ -0,0 +1,18 @@
+#!/usr/bin/env python3
+import ldap3
+import configparser
+
+CONFIG_PATH = '/var/luser/luser/config.ini'
+config = configparser.ConfigParser()
+config.read(CONFIG_PATH)
+LDAPHOST = config.get('credentials', 'LDAPHOST')
+USERBASE = config.get('credentials', 'USERBASE')
+USERATTRIBUTES=['cn' , 'sn', 'givenName', 'uid', 'uidNumber' , 'gidNumber', 'homeDirectory', 'loginShell', 'gecos' , 'shadowLastChange', 'shadowMax', 'userPassword', 'mail']
+
+LDAPADMINNAME=''
+LDAPPASS=""
+
+ldapserver=ldap3.Server(LDAPHOST,use_ssl=True)
+ldapconnection = ldap3.Connection(ldapserver, LDAPADMINNAME,LDAPPASS, auto_bind=True)
+ldapconnection.search(search_base=f'{USERBASE}',search_filter='(objectClass=person)', attributes=USERATTRIBUTES)
+print(str(ldapconnection.response))
diff --git a/docs/dmzrsaccount/testuser.py b/docs/dmzrsaccount/testuser.py
new file mode 100755
index 0000000..be919d2
--- /dev/null
+++ b/docs/dmzrsaccount/testuser.py
@@ -0,0 +1,18 @@
+#!/usr/bin/env python3
+import ldap3
+import configparser
+
+CONFIG_PATH = '/var/luser/luser/config.ini'
+config = configparser.ConfigParser()
+config.read(CONFIG_PATH)
+LDAPHOST = config.get('credentials', 'LDAPHOST')
+USERBASE = config.get('credentials', 'USERBASE')
+USERATTRIBUTES=['cn' , 'sn', 'givenName', 'uid', 'uidNumber' , 'gidNumber', 'homeDirectory', 'loginShell', 'gecos' , 'shadowLastChange', 'shadowMax', 'userPassword', 'mail']
+
+LDAPADMINNAME="uid=korisnik,ou=Users,dc=dmz,dc=rs"
+LDAPPASS=""
+
+ldapserver=ldap3.Server(LDAPHOST,use_ssl=True)
+ldapconnection = ldap3.Connection(ldapserver, LDAPADMINNAME,LDAPPASS, auto_bind=True)
+ldapconnection.search(search_base=f'{USERBASE}',search_filter='(objectClass=person)', attributes=USERATTRIBUTES)
+print(str(ldapconnection.response))
diff --git a/docs/slapd/README.md b/docs/slapd/README.md
new file mode 100644
index 0000000..11d9e5c
--- /dev/null
+++ b/docs/slapd/README.md
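Review bot: the script prints whatever comes back instead of checking the outcome the ACL in this commit defines (`by anonymous none` on `to *`), so a server that wrongly returns entries to an anonymous bind looks the same in the output as a correctly locked-down one. Ending with `raise SystemExit(1 if ldapconnection.entries else 0)` turns it into a pass/fail check that can be run right after `aclupdate.sh`. The names `LDAPADMINNAME=''` and `LDAPPASS=""` are misleading for an anonymous bind; a comment such as `# empty DN and password: anonymous bind, expected to return no entries` documents the intent.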
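Review bot: `USERATTRIBUTES` requests `userPassword`, and under the ACL this commit installs (`to attrs=userPassword by self write`, where write implies read) the bound user is allowed to read that attribute on its own entry, so `print(str(ldapconnection.response))` writes the user's password hash to the terminal, where it persists in scrollback or session logs. Drop `'userPassword'` from the list for this test; the service-account listing scripts never receive it anyway, since their bind DN matches neither `self` nor `anonymous` in that clause, so the attribute is only noise there too. The enclosing attribute list is copied verbatim across four scripts; a one-line comment naming the attribute set's purpose (posixAccount/shadowAccount fields plus `mail`) would help the next reader.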
@@ -0,0 +1,18 @@
+Create ldap users at dmz.rs/account for users in the servicesaccounts.txt
+these accounts should be listed in /root/ldifs/addacl.ldif
+to generate addacl.ldif run generateacl.sh
+
+add tls keys in /etc/ssl/certs/ldap.krov.dmz.rs
+
+# Generate password for admin user on this server only and add it when asked during installation
+apt install slapd
+
+# For domain set dmz.rs for Organization set Users for admin password use previously generated password
+dpkg-reconfigure slapd
+
+# change /etc/default/slapd to replace ldap:// with ldaps:// under SLAPD_SERVICES
+service slapd restart
+./setup.sh
+
+dmzrsaccount vm should run prepare.py
+ldapsync vm should run sync.py
diff --git a/docs/slapd/acladd-template.ldif b/docs/slapd/acladd-template.ldif
new file mode 100644
index 0000000..3162fb6
--- /dev/null
+++ b/docs/slapd/acladd-template.ldif
@@ -0,0 +1,18 @@
+dn: olcDatabase={1}mdb,cn=config
+add: olcAccess
+olcAccess: {1}to attrs=userPassword by self write by anonymous auth
+
+dn: olcDatabase={1}mdb,cn=config
+add: olcAccess
+#olcAccess: {2}to * by * none
+olcAccess: {2}to * by self write READUSERS by anonymous none
+
+dn: olcDatabase={-1}frontend,cn=config
+add: olcAccess
+olcAccess: {1}to attrs=userPassword by self write by anonymous auth
+
+dn: olcDatabase={-1}frontend,cn=config
+add: olcAccess
+#olcAccess: {2}to * by * none
+olcAccess: {2}to * by self READUSERS by anonymous none
+
diff --git a/docs/slapd/generateacl.sh b/docs/slapd/generateacl.sh
new file mode 100755
index 0000000..fee3005
--- /dev/null
+++ b/docs/slapd/generateacl.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+READUSERS=""
+for i in $(cat servicesaccounts.txt); do READUSERS="$READUSERS by dn=\"$i\" read" ; done
+
+sed 's/READUSERS/$READUSERS/g' acladd-template.ldif > acladd.ldif
+
+for i in $(cat list) ; do printf "%s\n" $(echo -n $i | cut -d"," -f 1 | cut -d"=" -f2 ; genpass) | gpg -e -r fram3d@dmz.rs -r sienna@dmz.rs --output $(echo -n $i | cut -d"," -f 1 | cut -d"=" -f2).gpg ; done
+
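Review bot: `{2}to * by self write READUSERS by anonymous none` grants every user write access to every attribute of their own entry, which includes the `uidNumber`, `gidNumber`, `homeDirectory` and `loginShell` values the listing scripts in this commit read; if any consumer maps those to local accounts, a user can rewrite their own identity, so self-write on the wildcard is broader than the password-change case the `{1}` clause already handles. Narrowing the wildcard to `olcAccess: {2}to * by self read READUSERS by anonymous none` and listing the attributes users may edit (e.g. `mail`, `gecos`) in a separate `to attrs=…` clause placed before it keeps the rest read-only; the generated hosts/krov/slapd12/root/ldifs/acladd.ldif carries the same clause and needs the same change. The frontend copy of the clause here reads `by self READUSERS` with no access level, unlike the mdb clause above it and both clauses in the generated acladd.ldif, which say `by self write`; the level should be explicit and identical in all four places.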
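Review bot: `sed 's/READUSERS/$READUSERS/g'` is single-quoted, so the shell never expands `$READUSERS` and acladd.ldif comes out containing the literal text `$READUSERS` instead of the `by dn="…" read` list built in the loop above it; use `sed "s/READUSERS/$READUSERS/g" acladd-template.ldif > acladd.ldif` (safe here because the DNs in servicesaccounts.txt contain no `/` or `&`). The final `for i in $(cat list)` loop refers to a file `list` and a command `genpass` that exist nowhere in this commit — it looks like an older copy of generatecreds.sh and should be removed from this script. `for i in $(cat …)` word-splits on whitespace; `while read -r i; do …; done < servicesaccounts.txt` is the robust form for both loops.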
diff --git a/docs/slapd/generatecreds.sh b/docs/slapd/generatecreds.sh
new file mode 100755
index 0000000..f505bd2
--- /dev/null
+++ b/docs/slapd/generatecreds.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+GENPASS=$( echo $(shuf ../../scripts/shared/english.txt | head) | sed "s/ //g")
+
+for i in $(cat servicesaccounts.txt) ; do printf "%s\n" $(echo -n $i | cut -d"," -f 1 | cut -d"=" -f2 ; $(GENPASS)) | gpg -e -r fram3d@dmz.rs -r sienna@dmz.rs --output $(echo -n $i | cut -d"," -f 1 | cut -d"=" -f2).gpg ; done
+
diff --git a/docs/slapd/servicesaccounts.txt b/docs/slapd/servicesaccounts.txt
new file mode 100644
index 0000000..b21048d
--- /dev/null
+++ b/docs/slapd/servicesaccounts.txt
@@ -0,0 +1,9 @@
+uid=readonlykrov,ou=Users,dc=dmz,dc=rs
+uid=wikildapkrov,ou=Users,dc=dmz,dc=rs
+uid=forumldapkrov,ou=Users,dc=dmz,dc=rs
+uid=gitealdapkrov,ou=Users,dc=dmz,dc=rs
+uid=xmppldapkrov,ou=Users,dc=dmz,dc=rs
+uid=dovecotldapkrov,ou=Users,dc=dmz,dc=rs
+uid=postfixldapkrov,ou=Users,dc=dmz,dc=rs
+uid=smtpdldapkrov,ou=Users,dc=dmz,dc=rs
+uid=kralizecslapd,ou=Users,dc=dmz,dc=rs
diff --git a/hosts/krov/slapd12/etc/default/slapd b/hosts/krov/slapd12/etc/default/slapd
new file mode 100644
index 0000000..9337b16
--- /dev/null
+++ b/hosts/krov/slapd12/etc/default/slapd
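Review bot: `$(GENPASS)` inside the `printf` argument runs a command named `GENPASS` rather than expanding the variable, so each encrypted file ends up holding only the uid line and no password; and `GENPASS=$(…)` on line 3 is evaluated once, so even written as `$GENPASS` every account in servicesaccounts.txt would receive the same passphrase. Make generation a function that is called once per account, as below. The `echo $(…) | sed "s/ //g"` joining can become `tr -d '\n'`, and `while read -r` avoids the word-splitting of `for i in $(cat …)`.
```shell
# One fresh passphrase per call: the first ten lines of a shuffled word list, joined.
genpass() {
    shuf ../../scripts/shared/english.txt | head | tr -d '\n'
}

while read -r dn; do
    name=$(printf '%s' "$dn" | cut -d"," -f 1 | cut -d"=" -f2)
    printf "%s\n" "$name" "$(genpass)" | gpg -e -r fram3d@dmz.rs -r sienna@dmz.rs --output "$name.gpg"
done < servicesaccounts.txt
```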
@@ -0,0 +1,45 @@
+# Default location of the slapd.conf file or slapd.d cn=config directory. If
+# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
+# /etc/ldap/slapd.conf).
+SLAPD_CONF=
+
+# System account to run the slapd server under. If empty the server
+# will run as root.
+SLAPD_USER="openldap"
+
+# System group to run the slapd server under. If empty the server will
+# run in the primary group of its user.
+SLAPD_GROUP="openldap"
+
+# Path to the pid file of the slapd server. If not set the init.d script
+# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.d by
+# default)
+SLAPD_PIDFILE=
+
+# slapd normally serves ldap only on all TCP-ports 389. slapd can also
+# service requests on TCP-port 636 (ldaps) and requests via unix
+# sockets.
+# Example usage:
+# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
+SLAPD_SERVICES="ldaps:/// ldapi:///"
+
+# If SLAPD_NO_START is set, the init script will not start or restart
+# slapd (but stop will still work). Uncomment this if you are
+# starting slapd via some other means or if you don't want slapd normally
+# started at boot.
+#SLAPD_NO_START=1
+
+# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
+# the init script will not start or restart slapd (but stop will still
+# work). Use this for temporarily disabling startup of slapd (when doing
+# maintenance, for example, or through a configuration management system)
+# when you don't want to edit a configuration file.
+SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
+
+# For Kerberos authentication (via SASL), slapd by default uses the system
+# keytab file (/etc/krb5.keytab). To use a different keytab file,
+# uncomment this line and change the path.
+#export KRB5_KTNAME=/etc/krb5.keytab
+
+# Additional options to pass to slapd
+SLAPD_OPTIONS=""
diff --git a/hosts/krov/slapd12/root/aclupdate.sh b/hosts/krov/slapd12/root/aclupdate.sh
new file mode 100755
index 0000000..fd22697
--- /dev/null
+++ b/hosts/krov/slapd12/root/aclupdate.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+./modify.sh ldifs/acldel.ldif
+./modify.sh ldifs/acladd.ldif
diff --git a/hosts/krov/slapd12/root/ldifs/acladd.ldif b/hosts/krov/slapd12/root/ldifs/acladd.ldif
new file mode 100644
index 0000000..184e93f
--- /dev/null
+++ b/hosts/krov/slapd12/root/ldifs/acladd.ldif
@@ -0,0 +1,18 @@
+dn: olcDatabase={1}mdb,cn=config
+add: olcAccess
+olcAccess: {1}to attrs=userPassword by self write by anonymous auth
+
+dn: olcDatabase={1}mdb,cn=config
+add: olcAccess
+#olcAccess: {2}to * by * none
+olcAccess: {2}to * by self write by dn="uid=readonlykrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=wikildapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=forumldapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=gitealdapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=xmppldapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=dovecotldapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=postfixldapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=smtpdldapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=kralizecslapd,ou=Users,dc=dmz,dc=rs" read by anonymous none
+
+dn: olcDatabase={-1}frontend,cn=config
+add: olcAccess
+olcAccess: {1}to attrs=userPassword by self write by anonymous auth
+
+dn: olcDatabase={-1}frontend,cn=config
+add: olcAccess
+#olcAccess: {2}to * by * none
+olcAccess: {2}to * by self write by dn="uid=readonlykrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=wikildapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=forumldapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=gitealdapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=xmppldapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=dovecotldapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=postfixldapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=smtpdldapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=kralizecslapd,ou=Users,dc=dmz,dc=rs" read by anonymous none
+
diff --git a/hosts/krov/slapd12/root/ldifs/acldel.ldif b/hosts/krov/slapd12/root/ldifs/acldel.ldif
new file mode 100644
index 0000000..5334720
--- /dev/null
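Review bot: the two steps are separate `ldapmodify` runs with no status check, so if `ldifs/acldel.ldif` succeeds and `ldifs/acladd.ldif` is rejected (a syntax slip in the generated file is enough), slapd is left with no `olcAccess` values on either database, and OpenLDAP's documented default for a database without access directives is `access to * by * read` — the directory becomes readable by anyone until the add is repaired. Doing the delete and add in one modify per `dn:` (`delete: olcAccess`, `-`, `add: olcAccess …`, or simply `replace: olcAccess` with the new values) makes the change atomic per entry, and `set -e` at the top of this script stops on the first failure instead of continuing. The `{1}`/`{2}` indices in acladd.ldif also read as if a `{0}` value were still present, which acldel.ldif removes; worth confirming on a test instance that the clauses land in the intended order.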
+++ b/hosts/krov/slapd12/root/ldifs/acldel.ldif
@@ -0,0 +1,5 @@
+dn: olcDatabase={-1}frontend,cn=config
+delete: olcAccess
+
+dn: olcDatabase={1}mdb,cn=config
+delete: olcAccess
diff --git a/hosts/krov/slapd12/root/ldifs/tls.ldif b/hosts/krov/slapd12/root/ldifs/tls.ldif
new file mode 100644
index 0000000..7317a29
--- /dev/null
+++ b/hosts/krov/slapd12/root/ldifs/tls.ldif
@@ -0,0 +1,10 @@
+dn: cn=config
+changetype: modify
+replace: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/ssl/certs/ldap.krov.dmz.rs/cert.pem
+-
+replace: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/ssl/certs/ldap.krov.dmz.rs/privkey.pem
+-
+replace: olcTLSCACertificateFile
+olcTLSCACertificateFile: /etc/ssl/certs/ldap.krov.dmz.rs/chain.pem
diff --git a/hosts/krov/slapd12/root/modify.sh b/hosts/krov/slapd12/root/modify.sh
new file mode 100755
index 0000000..4b5e421
--- /dev/null
+++ b/hosts/krov/slapd12/root/modify.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+ldapmodify -H ldapi:/// -Y EXTERNAL -f $1
diff --git a/hosts/krov/slapd12/root/setup.sh b/hosts/krov/slapd12/root/setup.sh
new file mode 100755
index 0000000..2f9adcc
--- /dev/null
+++ b/hosts/krov/slapd12/root/setup.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+ldapmodify -H ldapi:/// -Y EXTERNAL -f ldifs/tls.ldif
+./aclupdate.sh
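Review bot: `olcTLSCertificateKeyFile` points at `/etc/ssl/certs/ldap.krov.dmz.rs/privkey.pem`, a private key under a directory that is conventionally world-readable, and nothing in this commit sets its ownership or mode — docs/slapd/README.md says only "add tls keys in /etc/ssl/certs/ldap.krov.dmz.rs". slapd runs as `openldap` per the committed /etc/default/slapd, so the key has to be readable by that user and by nobody else. Add a comment here, e.g. `# privkey.pem must be owned root:openldap, mode 0640 (slapd runs as SLAPD_USER=openldap)`, and the matching `chown`/`chmod` step to the README; keeping the key under `/etc/ssl/private/` (group-restricted on Debian) rather than `/etc/ssl/certs/` would follow the distribution's convention.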
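Review bot: `-f $1` is unquoted and the script does not check that an argument was given, so a missing argument turns into an `ldapmodify` option error and a path containing whitespace is split into several arguments. `[ $# -eq 1 ] || { echo "usage: $0 LDIF" >&2; exit 2; }` before the call and `ldapmodify -H ldapi:/// -Y EXTERNAL -f "$1"` fix both; since aclupdate.sh depends on this script's exit status, keep `ldapmodify` as the last command so its status is what the caller sees.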
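Review bot: the TLS step calls `ldapmodify -H ldapi:/// -Y EXTERNAL -f ldifs/tls.ldif` directly while the ACL step goes through `./modify.sh`, so the connection flags are maintained in two places; `./modify.sh ldifs/tls.ldif` keeps them in one. Without `set -e` a rejected TLS change still proceeds to `./aclupdate.sh`, and both scripts rely on being run from /root because of the relative `ldifs/` and `./` paths, which `cd "$(dirname "$0")"` at the top would make explicit.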