add docs for slapd and dmzrsaccount

docs/dmzrsaccount/README.md

@@ -0,0 +1,13 @@
+install luser.deb
+change /var/luser/luser/config.ini
+
+add ldap.krov.dmz.rs to /etc/hosts with the IP address op slapd vm by adding a line like "192.168.1.205 ldap.krov.dmz.rs"
+
+config.ini should contain following:
+
+LDAPHOST = ldap.krov.dmz.rs
+LDAPADMINNAME = cn=admin,dc=dmz,dc=rs
+LDAPPASS = <admin password set during installation of slapd program and dpkg-reconfigure on slapd vm>
+USERBASE = ou=Users,dc=dmz,dc=rs
+
+run prepare.py

docs/dmzrsaccount/listuserskralizec.py

@@ -0,0 +1,12 @@
+#!/usr/bin/env python3
+import ldap3
+
+LDAPADMINNAME='uid=krovslapd,ou=xmpp,dc=dmz,dc=rs'
+LDAPPASS='<krovslapd password>'
+USERATTRIBUTES=['cn' , 'sn', 'givenName', 'uid', 'uidNumber' , 'gidNumber', 'homeDirectory', 'loginShell', 'gecos' , 'shadowLastChange', 'shadowMax', 'userPassword', 'mail']
+
+
+ldapserver=ldap3.Server('2001:470:1f1a:1a4:0:1:0:1d',use_ssl=True)
+ldapconnection = ldap3.Connection(ldapserver, LDAPADMINNAME,LDAPPASS, auto_bind=True)
+ldapconnection.search(search_base=f'ou=xmpp,dc=dmz,dc=rs',search_filter='(objectClass=person)', attributes=USERATTRIBUTES)
+print(str(ldapconnection.response))

docs/dmzrsaccount/listuserskrov.py

@@ -0,0 +1,17 @@
+#!/usr/bin/env python3
+import ldap3
+import configparser
+
+CONFIG_PATH = '/var/luser/luser/config.ini'
+config = configparser.ConfigParser()
+config.read(CONFIG_PATH)
+LDAPHOST = config.get('credentials', 'LDAPHOST')
+LDAPADMINNAME = config.get('credentials', 'LDAPADMINNAME')
+LDAPPASS = config.get('credentials', 'LDAPPASS')
+USERBASE = config.get('credentials', 'USERBASE')
+USERATTRIBUTES=['cn' , 'sn', 'givenName', 'uid', 'uidNumber' , 'gidNumber', 'homeDirectory', 'loginShell', 'gecos' , 'shadowLastChange', 'shadowMax', 'userPassword', 'mail']
+
+ldapserver=ldap3.Server(LDAPHOST,use_ssl=True)
+ldapconnection = ldap3.Connection(ldapserver, LDAPADMINNAME,LDAPPASS, auto_bind=True)
+ldapconnection.search(search_base=f'{USERBASE}',search_filter='(objectClass=person)', attributes=USERATTRIBUTES)
+print(str(ldapconnection.response))

docs/dmzrsaccount/prepare.py

@@ -0,0 +1,18 @@
+#!/usr/bin/env python3
+import ldap3
+import configparser
+
+CONFIG_PATH = "/var/luser/luser/config.ini"
+config = configparser.ConfigParser()
+config.read(CONFIG_PATH)
+LDAPHOST = config.get('credentials', 'LDAPHOST')
+LDAPADMINNAME = config.get('credentials', 'LDAPADMINNAME')
+LDAPPASS = config.get('credentials', 'LDAPPASS')
+USERBASE = config.get('credentials', 'USERBASE')
+
+ldapserver=ldap3.Server(LDAPHOST,use_ssl=True)
+ldapconnection = ldap3.Connection(ldapserver, LDAPADMINNAME, LDAPPASS, auto_bind=True)
+rcode1=ldapconnection.add(f'{USERBASE}', ['dcObject', 'organization'], {'o' : "dmz", 'dc' : "dmz"})
+rcode2=ldapconnection.add(USERBASE, ['top', 'organizationalUnit'], {'ou' : "Users"})
+print(str(rcode1))
+print(str(rcode2))

docs/dmzrsaccount/testanon.py

@@ -0,0 +1,18 @@
+#!/usr/bin/env python3
+import ldap3
+import configparser
+
+CONFIG_PATH = '/var/luser/luser/config.ini'
+config = configparser.ConfigParser()
+config.read(CONFIG_PATH)
+LDAPHOST = config.get('credentials', 'LDAPHOST')
+USERBASE = config.get('credentials', 'USERBASE')
+USERATTRIBUTES=['cn' , 'sn', 'givenName', 'uid', 'uidNumber' , 'gidNumber', 'homeDirectory', 'loginShell', 'gecos' , 'shadowLastChange', 'shadowMax', 'userPassword', 'mail']
+
+LDAPADMINNAME=''
+LDAPPASS=""
+
+ldapserver=ldap3.Server(LDAPHOST,use_ssl=True)
+ldapconnection = ldap3.Connection(ldapserver, LDAPADMINNAME,LDAPPASS, auto_bind=True)
+ldapconnection.search(search_base=f'{USERBASE}',search_filter='(objectClass=person)', attributes=USERATTRIBUTES)
+print(str(ldapconnection.response))

docs/dmzrsaccount/testuser.py

@@ -0,0 +1,18 @@
+#!/usr/bin/env python3
+import ldap3
+import configparser
+
+CONFIG_PATH = '/var/luser/luser/config.ini'
+config = configparser.ConfigParser()
+config.read(CONFIG_PATH)
+LDAPHOST = config.get('credentials', 'LDAPHOST')
+USERBASE = config.get('credentials', 'USERBASE')
+USERATTRIBUTES=['cn' , 'sn', 'givenName', 'uid', 'uidNumber' , 'gidNumber', 'homeDirectory', 'loginShell', 'gecos' , 'shadowLastChange', 'shadowMax', 'userPassword', 'mail']
+
+LDAPADMINNAME="uid=korisnik,ou=Users,dc=dmz,dc=rs"
+LDAPPASS="<password of korisnik>"
+
+ldapserver=ldap3.Server(LDAPHOST,use_ssl=True)
+ldapconnection = ldap3.Connection(ldapserver, LDAPADMINNAME,LDAPPASS, auto_bind=True)
+ldapconnection.search(search_base=f'{USERBASE}',search_filter='(objectClass=person)', attributes=USERATTRIBUTES)
+print(str(ldapconnection.response))

docs/slapd/README.md

@@ -0,0 +1,18 @@
+Create ldap users at dmz.rs/account for users in the servicesaccounts.txt
+these accounts should be listed in /root/ldifs/addacl.ldif
+to generate addacl.ldif run generateacl.sh
+
+add tls keys in /etc/ssl/certs/ldap.krov.dmz.rs
+
+# Generate password for admin user on this server only and add it when asked during installation
+apt install slapd
+
+# For domain set dmz.rs for Organization set Users for admin password use previously generated password
+dpkg-reconfigure slapd
+
+# change /etc/default/slapd to replace ldap:// with ldaps:// under SLAPD_SERVICES
+service slapd restart
+./setup.sh
+
+dmzrsaccount vm should run prepare.py 
+ldapsync vm should run sync.py

docs/slapd/acladd-template.ldif

@@ -0,0 +1,18 @@
+dn: olcDatabase={1}mdb,cn=config
+add: olcAccess
+olcAccess: {1}to attrs=userPassword by self write by anonymous auth
+
+dn: olcDatabase={1}mdb,cn=config
+add: olcAccess
+#olcAccess: {2}to * by * none
+olcAccess: {2}to * by self write READUSERS by anonymous none
+
+dn: olcDatabase={-1}frontend,cn=config
+add: olcAccess
+olcAccess: {1}to attrs=userPassword by self write by anonymous auth
+
+dn: olcDatabase={-1}frontend,cn=config
+add: olcAccess
+#olcAccess: {2}to * by * none
+olcAccess: {2}to * by self READUSERS by anonymous none
+

docs/slapd/generateacl.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+READUSERS=""
+for i in $(cat servicesaccounts.txt); do READUSERS="$READUSERS by dn=\"$i\" read" ; done
+
+sed 's/READUSERS/$READUSERS/g' acladd-template.ldif > acladd.ldif
+
+for i in $(cat list) ; do printf "%s\n" $(echo -n $i | cut -d"," -f 1 | cut -d"=" -f2 ; genpass) | gpg -e -r fram3d@dmz.rs -r sienna@dmz.rs --output $(echo -n $i | cut -d"," -f 1 | cut -d"=" -f2).gpg ; done
+

docs/slapd/generatecreds.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+GENPASS=$( echo $(shuf ../../scripts/shared/english.txt | head) | sed "s/ //g")
+
+for i in $(cat servicesaccounts.txt) ; do printf "%s\n" $(echo -n $i | cut -d"," -f 1 | cut -d"=" -f2 ; $(GENPASS)) | gpg -e -r fram3d@dmz.rs -r sienna@dmz.rs --output $(echo -n $i | cut -d"," -f 1 | cut -d"=" -f2).gpg ; done
+

docs/slapd/servicesaccounts.txt

@@ -0,0 +1,9 @@
+uid=readonlykrov,ou=Users,dc=dmz,dc=rs
+uid=wikildapkrov,ou=Users,dc=dmz,dc=rs
+uid=forumldapkrov,ou=Users,dc=dmz,dc=rs
+uid=gitealdapkrov,ou=Users,dc=dmz,dc=rs
+uid=xmppldapkrov,ou=Users,dc=dmz,dc=rs
+uid=dovecotldapkrov,ou=Users,dc=dmz,dc=rs
+uid=postfixldapkrov,ou=Users,dc=dmz,dc=rs
+uid=smtpdldapkrov,ou=Users,dc=dmz,dc=rs
+uid=kralizecslapd,ou=Users,dc=dmz,dc=rs