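#!/bin/bash
# Install and config openldap+sasl+google_authenticator
# OS: CentOS 7.2
#
# Reads ./config, which must define:
#   root_password  - cleartext password for the LDAP root DN
#   dc             - base DN of the directory, e.g. dc=example,dc=com
#   dc_leaf        - value of the first RDN of the base DN, e.g. example
#
# Must run as root (yum, setenforce, systemctl, make install). Not idempotent:
# the "add: olcRootPW" / "add: olcAccess" modifications below fail if the
# script is run a second time against the same slapd.
set -uo pipefail
export LC_ALL=C
export LANG=C
export PATH=$PATH:/usr/local/bin

die() { printf '%s\n' "$*" >&2; exit 1; }

# Kept from the original: puts SELinux into permissive mode for the whole
# host. That is far broader than this install needs; prefer keeping enforcing
# mode and fixing the specific denials once the setup is understood.
setenforce 0

# The original wrote "SOURCE ./config" - not a shell keyword - so the config
# file was never read and every ${...} below expanded to empty.
[[ -f ./config ]] || die "./config not found"
# shellcheck source=./config
source ./config
: "${root_password:?must be set in ./config}"
: "${dc:?must be set in ./config}"
: "${dc_leaf:?must be set in ./config}"

# The root password is handed to slappasswd and the ldap tools through a
# 0600 file in a private temp dir instead of on argv, where it would be
# readable by every user on the host via ps.
secret_dir=$(mktemp -d) || die "mktemp failed"
cleanup() { rm -rf -- "${secret_dir:?}"; }
trap cleanup EXIT
pw_file="${secret_dir}/rootpw"
# no trailing newline: slappasswd -T and ldap* -y use the file verbatim
( umask 077; printf '%s' "${root_password}" > "${pw_file}" ) \
  || die "cannot write ${pw_file}"

# Config and install cyrus-sasl. git is needed right below for the PAM module
# clone (the original only installed it afterwards), and the client package
# is openldap-clients (the original asked for a non-existent openldap-client).
yum -y install epel-release-7-6.noarch
yum -y install cyrus-sasl-plain cyrus-sasl-lib cyrus-sasl-devel \
  cyrus-sasl oathtool gcc autoconf openldap-servers \
  openldap-devel openldap-clients automake pam-devel \
  libtool-ltdl libtool git || die "yum install failed"

# Generate the {SSHA} hash of the root password
root_password_ssha=$(slappasswd -T "${pw_file}") || die "slappasswd failed"

# Build and install pam_google_authenticator module
pam_ga=/usr/local/lib/security/pam_google_authenticator.so
if [[ ! -e "${pam_ga}" ]]; then
  # Subshell so the cd does not leak: the rest of the script writes its LDIF
  # files relative to the current directory. Runs as root already, so the
  # original "sudo make install" is plain "make install".
  (
    git clone https://github.com/google/google-authenticator.git || exit 1
    cd google-authenticator/libpam || exit 1
    ./bootstrap.sh && ./configure && make && make install
  )
fi
[[ -e "${pam_ga}" ]] || die "google_authenticator module build failed!"

cat > /etc/sysconfig/saslauthd <<'EOF'
SOCKETDIR=/run/saslauthd
MECH=pam
FLAGS=
EOF

# saslauthd checks the "ldap" service through this PAM stack: the TOTP code
# is appended to the unix password; forward_pass hands the remainder on to
# pam_unix.
cat > /etc/pam.d/ldap <<'EOF'
auth required /usr/local/lib/security/pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass
account include password-auth
EOF
systemctl start saslauthd
systemctl enable saslauthd

# debug pam: /etc/pam_debug switches on Linux-PAM's global debug output and
# the rsyslog rule copies every *.debug message into auth.log. This is very
# verbose and may record authentication details; remove both once the setup
# has been verified.
touch /etc/pam_debug
echo '*.debug /var/log/auth.log' > /etc/rsyslog.d/pam.conf
systemctl restart rsyslog

# Check sasl config with a local "test" account. The account is created with
# a fixed password hash (the testsaslauthd call below assumes the cleartext is
# "test") and it backs the LDAP {SASL}test@ci user created further down, so it
# stays on the host - treat it as a known credential and change or remove it.
adduser test -p '$6$oX3U2JJF$HKcfCIn7A3u9y3VB3RBG2OQ437rV2hITMRBTIXxrvPc3qgPzhwggZabwtVahoCCmBGJoXyjVnR5TBfQDgP79B1'
su test -c "google-authenticator -t -d -f -r 1 -R 15 -w 3"
# first line of the secret file is the base32 TOTP seed
test_key=$(head -n 1 /home/test/.google_authenticator)
code=$(oathtool --totp --base32 -d6 "${test_key}") || die "oathtool failed"
# the original exited with status 0 here, hiding the failure from callers
if ! testsaslauthd -s ldap -u test -p "test${code}"; then
  die "testsaslauthd failed!"
fi

# Install packages and start service
yum -y install openldap-servers openldap-clients openldap git \
  || die "yum install failed"
if [[ ! -f /var/lib/ldap/DB_CONFIG ]]; then
  cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
fi
systemctl restart slapd
systemctl enable slapd

# Set root password on the config database
cat > chrootpw.ldif <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: ${root_password_ssha}
EOF
ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif

# import basic schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

# Set root privilege. LDIF rules: entries are separated by a blank line and a
# folded value continues on a line starting with one space (which is
# stripped), so the folded lines below carry two spaces to keep the word
# separator. olcRootPW is written unquoted, as in chrootpw.ldif - the quotes
# the original put around it would have become part of the stored value.
cat > set_privilege.ldif <<EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=root,${dc}" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: ${dc}

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=root,${dc}

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: ${root_password_ssha}

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=root,${dc}" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=root,${dc}" write by * read
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f set_privilege.ldif

# create dc and ou. The cn value of the root entry must match its RDN
# (cn=root); the original's "cn: Manager" is a naming violation for slapd.
cat > basedomain.ldif <<EOF
dn: ${dc}
objectClass: top
objectClass: dcObject
objectclass: organization
o: base ou
dc: ${dc_leaf}

dn: cn=root,${dc}
objectClass: organizationalRole
cn: root
description: Directory Root

dn: ou=People,${dc}
objectClass: organizationalUnit
ou: People

dn: ou=Group,${dc}
objectClass: organizationalUnit
ou: Group
EOF
# simple bind over the unix socket; password read from the 0600 file (-y)
ldapadd -x -H ldapi:/// -D "cn=root,${dc}" -y "${pw_file}" -f basedomain.ldif \
  || die "ldapadd basedomain.ldif failed"

# create user and group. userPassword {SASL}test@ci delegates the password
# check to saslauthd, i.e. the local "test" account plus its TOTP code.
# NOTE(review): the mail value appears redacted in the source listing
# ("[email protected]") - set the intended address before use.
cat > user_group.ldif <<EOF
dn: uid=test,ou=People,${dc}
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: test
sn: test
givenName: test
displayName: test
uid: test
uidNumber: 10019
gidNumber: 5002
homeDirectory: /home/test
loginShell: /bin/bash
gecos: test
userPassword: {SASL}test@ci
description: User account
mail: [email protected]

dn: cn=devops,ou=Group,${dc}
objectClass: posixGroup
gidNumber: 5002
cn: devops
EOF
ldapadd -x -H ldapi:/// -D "cn=root,${dc}" -y "${pw_file}" -f user_group.ldif \
  || die "ldapadd user_group.ldif failed"

# Config ldap use sasl
cat > /etc/sasl2/slapd.conf <<'EOF'
pwcheck_method: saslauthd
mech_list: plain login
EOF
systemctl restart slapd
# ldapsearch -x -LLL -b ou=People,dc=weiyu,dc=com
# ldapwhoami -D "uid=test,ou=People,dc=weiyu,dc=com" -W -H ldap://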