add docs for slapd and dmzrsaccount

2024-01-05 12:33:19 +01:00 · 2024-01-05 12:33:19 +01:00 · 9be97947b5
commit 9be97947b5
parent 5e4f55af5b
18 changed files with 245 additions and 0 deletions
--- a/docs/dmzrsaccount/README.md
+++ b/docs/dmzrsaccount/README.md
@ -0,0 +1,13 @@
 install luser.deb
 change /var/luser/luser/config.ini
 add ldap.krov.dmz.rs to /etc/hosts with the IP address op slapd vm by adding a line like "192.168.1.205 ldap.krov.dmz.rs"
 config.ini should contain following:
 LDAPHOST = ldap.krov.dmz.rs
 LDAPADMINNAME = cn=admin,dc=dmz,dc=rs
 LDAPPASS = <admin password set during installation of slapd program and dpkg-reconfigure on slapd vm>
 USERBASE = ou=Users,dc=dmz,dc=rs
 run prepare.py
--- a/docs/dmzrsaccount/listuserskralizec.py
+++ b/docs/dmzrsaccount/listuserskralizec.py
@ -0,0 +1,12 @@
 #!/usr/bin/env python3
 import ldap3
 LDAPADMINNAME='uid=krovslapd,ou=xmpp,dc=dmz,dc=rs'
 LDAPPASS='<krovslapd password>'
 USERATTRIBUTES=['cn' , 'sn', 'givenName', 'uid', 'uidNumber' , 'gidNumber', 'homeDirectory', 'loginShell', 'gecos' , 'shadowLastChange', 'shadowMax', 'userPassword', 'mail']
 ldapserver=ldap3.Server('2001:470:1f1a:1a4:0:1:0:1d',use_ssl=True)
 ldapconnection = ldap3.Connection(ldapserver, LDAPADMINNAME,LDAPPASS, auto_bind=True)
 ldapconnection.search(search_base=f'ou=xmpp,dc=dmz,dc=rs',search_filter='(objectClass=person)', attributes=USERATTRIBUTES)
 print(str(ldapconnection.response))
--- a/docs/dmzrsaccount/listuserskrov.py
+++ b/docs/dmzrsaccount/listuserskrov.py
@ -0,0 +1,17 @@
 #!/usr/bin/env python3
 import ldap3
 import configparser
 CONFIG_PATH = '/var/luser/luser/config.ini'
 config = configparser.ConfigParser()
 config.read(CONFIG_PATH)
 LDAPHOST = config.get('credentials', 'LDAPHOST')
 LDAPADMINNAME = config.get('credentials', 'LDAPADMINNAME')
 LDAPPASS = config.get('credentials', 'LDAPPASS')
 USERBASE = config.get('credentials', 'USERBASE')
 USERATTRIBUTES=['cn' , 'sn', 'givenName', 'uid', 'uidNumber' , 'gidNumber', 'homeDirectory', 'loginShell', 'gecos' , 'shadowLastChange', 'shadowMax', 'userPassword', 'mail']
 ldapserver=ldap3.Server(LDAPHOST,use_ssl=True)
 ldapconnection = ldap3.Connection(ldapserver, LDAPADMINNAME,LDAPPASS, auto_bind=True)
 ldapconnection.search(search_base=f'{USERBASE}',search_filter='(objectClass=person)', attributes=USERATTRIBUTES)
 print(str(ldapconnection.response))
--- a/docs/dmzrsaccount/prepare.py
+++ b/docs/dmzrsaccount/prepare.py
@ -0,0 +1,18 @@
 #!/usr/bin/env python3
 import ldap3
 import configparser
 CONFIG_PATH = "/var/luser/luser/config.ini"
 config = configparser.ConfigParser()
 config.read(CONFIG_PATH)
 LDAPHOST = config.get('credentials', 'LDAPHOST')
 LDAPADMINNAME = config.get('credentials', 'LDAPADMINNAME')
 LDAPPASS = config.get('credentials', 'LDAPPASS')
 USERBASE = config.get('credentials', 'USERBASE')
 ldapserver=ldap3.Server(LDAPHOST,use_ssl=True)
 ldapconnection = ldap3.Connection(ldapserver, LDAPADMINNAME, LDAPPASS, auto_bind=True)
 rcode1=ldapconnection.add(f'{USERBASE}', ['dcObject', 'organization'], {'o' : "dmz", 'dc' : "dmz"})
 rcode2=ldapconnection.add(USERBASE, ['top', 'organizationalUnit'], {'ou' : "Users"})
 print(str(rcode1))
 print(str(rcode2))
--- a/docs/dmzrsaccount/testanon.py
+++ b/docs/dmzrsaccount/testanon.py
@ -0,0 +1,18 @@
 #!/usr/bin/env python3
 import ldap3
 import configparser
 CONFIG_PATH = '/var/luser/luser/config.ini'
 config = configparser.ConfigParser()
 config.read(CONFIG_PATH)
 LDAPHOST = config.get('credentials', 'LDAPHOST')
 USERBASE = config.get('credentials', 'USERBASE')
 USERATTRIBUTES=['cn' , 'sn', 'givenName', 'uid', 'uidNumber' , 'gidNumber', 'homeDirectory', 'loginShell', 'gecos' , 'shadowLastChange', 'shadowMax', 'userPassword', 'mail']
 LDAPADMINNAME=''
 LDAPPASS=""
 ldapserver=ldap3.Server(LDAPHOST,use_ssl=True)
 ldapconnection = ldap3.Connection(ldapserver, LDAPADMINNAME,LDAPPASS, auto_bind=True)
 ldapconnection.search(search_base=f'{USERBASE}',search_filter='(objectClass=person)', attributes=USERATTRIBUTES)
 print(str(ldapconnection.response))
--- a/docs/dmzrsaccount/testuser.py
+++ b/docs/dmzrsaccount/testuser.py
@ -0,0 +1,18 @@
 #!/usr/bin/env python3
 import ldap3
 import configparser
 CONFIG_PATH = '/var/luser/luser/config.ini'
 config = configparser.ConfigParser()
 config.read(CONFIG_PATH)
 LDAPHOST = config.get('credentials', 'LDAPHOST')
 USERBASE = config.get('credentials', 'USERBASE')
 USERATTRIBUTES=['cn' , 'sn', 'givenName', 'uid', 'uidNumber' , 'gidNumber', 'homeDirectory', 'loginShell', 'gecos' , 'shadowLastChange', 'shadowMax', 'userPassword', 'mail']
 LDAPADMINNAME="uid=korisnik,ou=Users,dc=dmz,dc=rs"
 LDAPPASS="<password of korisnik>"
 ldapserver=ldap3.Server(LDAPHOST,use_ssl=True)
 ldapconnection = ldap3.Connection(ldapserver, LDAPADMINNAME,LDAPPASS, auto_bind=True)
 ldapconnection.search(search_base=f'{USERBASE}',search_filter='(objectClass=person)', attributes=USERATTRIBUTES)
 print(str(ldapconnection.response))
--- a/docs/slapd/README.md
+++ b/docs/slapd/README.md
@ -0,0 +1,18 @@
 Create ldap users at dmz.rs/account for users in the servicesaccounts.txt
 these accounts should be listed in /root/ldifs/addacl.ldif
 to generate addacl.ldif run generateacl.sh
 add tls keys in /etc/ssl/certs/ldap.krov.dmz.rs
 # Generate password for admin user on this server only and add it when asked during installation
 apt install slapd
 # For domain set dmz.rs for Organization set Users for admin password use previously generated password
 dpkg-reconfigure slapd
 # change /etc/default/slapd to replace ldap:// with ldaps:// under SLAPD_SERVICES
 service slapd restart
 ./setup.sh
 dmzrsaccount vm should run prepare.py 
 ldapsync vm should run sync.py
--- a/docs/slapd/acladd-template.ldif
+++ b/docs/slapd/acladd-template.ldif
@ -0,0 +1,18 @@
 dn: olcDatabase={1}mdb,cn=config
 add: olcAccess
 olcAccess: {1}to attrs=userPassword by self write by anonymous auth
 dn: olcDatabase={1}mdb,cn=config
 add: olcAccess
 #olcAccess: {2}to * by * none
 olcAccess: {2}to * by self write READUSERS by anonymous none
 dn: olcDatabase={-1}frontend,cn=config
 add: olcAccess
 olcAccess: {1}to attrs=userPassword by self write by anonymous auth
 dn: olcDatabase={-1}frontend,cn=config
 add: olcAccess
 #olcAccess: {2}to * by * none
 olcAccess: {2}to * by self READUSERS by anonymous none
--- a/docs/slapd/generateacl.sh
+++ b/docs/slapd/generateacl.sh
@ -0,0 +1,9 @@
 #!/bin/bash
 READUSERS=""
 for i in $(cat servicesaccounts.txt); do READUSERS="$READUSERS by dn=\"$i\" read" ; done
 sed 's/READUSERS/$READUSERS/g' acladd-template.ldif > acladd.ldif
 for i in $(cat list) ; do printf "%s\n" $(echo -n $i | cut -d"," -f 1 | cut -d"=" -f2 ; genpass) | gpg -e -r fram3d@dmz.rs -r sienna@dmz.rs --output $(echo -n $i | cut -d"," -f 1 | cut -d"=" -f2).gpg ; done
--- a/docs/slapd/generatecreds.sh
+++ b/docs/slapd/generatecreds.sh
@ -0,0 +1,6 @@
 #!/bin/bash
 GENPASS=$( echo $(shuf ../../scripts/shared/english.txt | head) | sed "s/ //g")
 for i in $(cat servicesaccounts.txt) ; do printf "%s\n" $(echo -n $i | cut -d"," -f 1 | cut -d"=" -f2 ; $(GENPASS)) | gpg -e -r fram3d@dmz.rs -r sienna@dmz.rs --output $(echo -n $i | cut -d"," -f 1 | cut -d"=" -f2).gpg ; done
--- a/docs/slapd/servicesaccounts.txt
+++ b/docs/slapd/servicesaccounts.txt
@ -0,0 +1,9 @@
 uid=readonlykrov,ou=Users,dc=dmz,dc=rs
 uid=wikildapkrov,ou=Users,dc=dmz,dc=rs
 uid=forumldapkrov,ou=Users,dc=dmz,dc=rs
 uid=gitealdapkrov,ou=Users,dc=dmz,dc=rs
 uid=xmppldapkrov,ou=Users,dc=dmz,dc=rs
 uid=dovecotldapkrov,ou=Users,dc=dmz,dc=rs
 uid=postfixldapkrov,ou=Users,dc=dmz,dc=rs
 uid=smtpdldapkrov,ou=Users,dc=dmz,dc=rs
 uid=kralizecslapd,ou=Users,dc=dmz,dc=rs
--- a/hosts/krov/slapd12/etc/default/slapd
+++ b/hosts/krov/slapd12/etc/default/slapd
@ -0,0 +1,45 @@
 # Default location of the slapd.conf file or slapd.d cn=config directory. If
 # empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
 # /etc/ldap/slapd.conf).
 SLAPD_CONF=
 # System account to run the slapd server under. If empty the server
 # will run as root.
 SLAPD_USER="openldap"
 # System group to run the slapd server under. If empty the server will
 # run in the primary group of its user.
 SLAPD_GROUP="openldap"
 # Path to the pid file of the slapd server. If not set the init.d script
 # will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.d by
 # default)
 SLAPD_PIDFILE=
 # slapd normally serves ldap only on all TCP-ports 389. slapd can also
 # service requests on TCP-port 636 (ldaps) and requests via unix
 # sockets.
 # Example usage:
 # SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
 SLAPD_SERVICES="ldaps:/// ldapi:///"
 # If SLAPD_NO_START is set, the init script will not start or restart
 # slapd (but stop will still work).  Uncomment this if you are
 # starting slapd via some other means or if you don't want slapd normally
 # started at boot.
 #SLAPD_NO_START=1
 # If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
 # the init script will not start or restart slapd (but stop will still
 # work).  Use this for temporarily disabling startup of slapd (when doing
 # maintenance, for example, or through a configuration management system)
 # when you don't want to edit a configuration file.
 SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
 # For Kerberos authentication (via SASL), slapd by default uses the system
 # keytab file (/etc/krb5.keytab).  To use a different keytab file,
 # uncomment this line and change the path.
 #export KRB5_KTNAME=/etc/krb5.keytab
 # Additional options to pass to slapd
 SLAPD_OPTIONS=""
--- a/hosts/krov/slapd12/root/aclupdate.sh
+++ b/hosts/krov/slapd12/root/aclupdate.sh
@ -0,0 +1,4 @@
 #!/bin/bash
 ./modify.sh ldifs/acldel.ldif
 ./modify.sh ldifs/acladd.ldif
--- a/hosts/krov/slapd12/root/ldifs/acladd.ldif
+++ b/hosts/krov/slapd12/root/ldifs/acladd.ldif
@ -0,0 +1,18 @@
 dn: olcDatabase={1}mdb,cn=config
 add: olcAccess
 olcAccess: {1}to attrs=userPassword by self write by anonymous auth
 dn: olcDatabase={1}mdb,cn=config
 add: olcAccess
 #olcAccess: {2}to * by * none
 olcAccess: {2}to * by self write by dn="uid=readonlykrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=wikildapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=forumldapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=gitealdapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=xmppldapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=dovecotldapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=postfixldapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=smtpdldapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=kralizecslapd,ou=Users,dc=dmz,dc=rs" read by anonymous none
 dn: olcDatabase={-1}frontend,cn=config
 add: olcAccess
 olcAccess: {1}to attrs=userPassword by self write by anonymous auth
 dn: olcDatabase={-1}frontend,cn=config
 add: olcAccess
 #olcAccess: {2}to * by * none
 olcAccess: {2}to * by self write by dn="uid=readonlykrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=wikildapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=forumldapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=gitealdapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=xmppldapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=dovecotldapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=postfixldapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=smtpdldapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=kralizecslapd,ou=Users,dc=dmz,dc=rs" read by anonymous none
--- a/hosts/krov/slapd12/root/ldifs/acldel.ldif
+++ b/hosts/krov/slapd12/root/ldifs/acldel.ldif
@ -0,0 +1,5 @@
 dn: olcDatabase={-1}frontend,cn=config
 delete: olcAccess
 dn: olcDatabase={1}mdb,cn=config
 delete: olcAccess
--- a/hosts/krov/slapd12/root/ldifs/tls.ldif
+++ b/hosts/krov/slapd12/root/ldifs/tls.ldif
@ -0,0 +1,10 @@
 dn: cn=config
 changetype: modify
 replace: olcTLSCertificateFile
 olcTLSCertificateFile: /etc/ssl/certs/ldap.krov.dmz.rs/cert.pem
 -
 replace: olcTLSCertificateKeyFile
 olcTLSCertificateKeyFile: /etc/ssl/certs/ldap.krov.dmz.rs/privkey.pem
 -
 replace: olcTLSCACertificateFile
 olcTLSCACertificateFile: /etc/ssl/certs/ldap.krov.dmz.rs/chain.pem
--- a/hosts/krov/slapd12/root/modify.sh
+++ b/hosts/krov/slapd12/root/modify.sh
@ -0,0 +1,3 @@
 #!/bin/bash
 ldapmodify -H ldapi:/// -Y EXTERNAL -f $1
--- a/hosts/krov/slapd12/root/setup.sh
+++ b/hosts/krov/slapd12/root/setup.sh
@ -0,0 +1,4 @@
 #!/bin/bash
 ldapmodify -H ldapi:/// -Y EXTERNAL -f ldifs/tls.ldif
 ./aclupdate.sh
		`@ -0,0 +1,3 @@`
							`#!/bin/bash`

							`ldapmodify -H ldapi:/// -Y EXTERNAL -f $1`