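#!/bin/bash
#
# Install and configure a standalone LDAP server (slapd) for the StackLight CI
# environment, enable ldaps:// with a self-signed certificate, and verify that
# the expected objects were created.
#
# Must run as root. Needs apt-get, debconf-set-selections and openssl; the
# ldap-utils client tools are installed by this script.
#
# Objects created under dc=stacklight,dc=ci:
#   - users uadmin and uviewer (posixAccount)
#   - ou=groups holding cn=plugin_admins (member uadmin) and
#     cn=plugin_viewers (member uviewer)
#
# Exit status: 0 when every expected object is found by the final
# ldapsearch, 1 on a precondition failure or when any object is missing.
#
set -e

if [ "$(id -u)" -ne 0 ]; then
  echo "Please run as root"
  exit 1
fi

# 'command -v' replaces 'which' so the check actually runs under 'set -e':
# a failing command substitution inside a plain assignment aborts the script
# before a following "$?" test can print the diagnostic.
if ! OPENSSL=$(command -v openssl); then
  echo "openssl: command not found"
  exit 1
fi

DOMAIN="stacklight.ci"
BASE_DN="dc=stacklight,dc=ci"
BIND_DN="cn=admin,${BASE_DN}"
BIND_PASSWORD="admin"

# The distinguished name of objects that will be created in LDAP
UID_UADMIN="uid=uadmin,${BASE_DN}"
UID_UVIEWER="uid=uviewer,${BASE_DN}"
OU_GROUPS="ou=groups,${BASE_DN}"
CN_ADMINS="cn=plugin_admins,${OU_GROUPS}"
CN_VIEWERS="cn=plugin_viewers,${OU_GROUPS}"

# Temporary files used below; removed on every exit path (normal end,
# 'set -e' abort, signal) by the EXIT trap.
PASSFILE=""
TMPFILE=""
cleanup() {
  local f
  for f in "${PASSFILE}" "${TMPFILE}"; do
    [ -n "${f}" ] && rm -f -- "${f}"
  done
  return 0
}
trap cleanup EXIT

# The bind password is handed to the ldap-utils tools through a 0600 file
# (-y) instead of the command line (-w), so it does not show up in 'ps'
# output or in a 'set -x' trace.  printf '%s' keeps the file free of a
# trailing newline, which -y would otherwise treat as part of the password.
PASSFILE=$(mktemp -t slapd-bindpw.XXXXX)
printf '%s' "${BIND_PASSWORD}" > "${PASSFILE}"

# ############################################################################
# Install the standalone LDAP server (slapd)
#
debconf-set-selections << EOF
slapd slapd/password1 password ${BIND_PASSWORD}
slapd slapd/password1 seen true
slapd slapd/password2 password ${BIND_PASSWORD}
slapd slapd/password2 seen true
slapd slapd/domain string ${DOMAIN}
slapd slapd/domain seen true
EOF

DEBIAN_FRONTEND=noninteractive apt-get install -y \
  -o Dpkg::Options::=--force-confnew --no-install-recommends \
  slapd ldap-utils

# ############################################################################
# Configure the LDAP database
#
# Entries are separated by blank lines as LDIF requires; '#' lines are LDIF
# comments.  Variables are expanded by the shell (unquoted delimiter).
ldapadd -x -D "${BIND_DN}" -y "${PASSFILE}" << EOF
# Creation of the user "uadmin" that will belong to admins group
dn: ${UID_UADMIN}
cn: uadmin
gecos: uadmin
gidnumber: 500
homedirectory: /home/uadmin
loginshell: /bin/bash
objectclass: top
objectclass: account
objectclass: posixAccount
objectclass: shadowAccount
shadowlastchange: 0
shadowmax: 0
shadowwarning: 0
uid: uadmin
uidnumber: 16860
userpassword: uadmin

# Creation of the user "uviewer" that will belong to viewers group
dn: ${UID_UVIEWER}
cn: uviewer
gecos: uviewer
gidnumber: 500
homedirectory: /home/uviewer
loginshell: /bin/bash
objectclass: top
objectclass: account
objectclass: posixAccount
objectclass: shadowAccount
shadowlastchange: 0
shadowmax: 0
shadowwarning: 0
uid: uviewer
uidnumber: 16861
userpassword: uviewer

# Creation of the Organization Unit "groups"
dn: ${OU_GROUPS}
objectclass: organizationalUnit
objectclass: top
ou: groups

# Creation of the admins groups
dn: ${CN_ADMINS}
cn: plugin_admins
gidnumber: 501
memberuid: uadmin
objectclass: posixGroup
objectclass: top

# Creation of the viewers groups
dn: ${CN_VIEWERS}
cn: plugin_viewers
gidnumber: 503
memberuid: uviewer
objectclass: posixGroup
objectclass: top
EOF

# ############################################################################
# Configure LDAPS
#
# A single PEM file holds both the self-signed certificate and its private
# key; it is generated under umask 077 so the key is never world-readable,
# even before the chown/chmod below.
SLAPD_CERT_DIR="/etc/ldap/ssl"
SLAPD_CERT="${SLAPD_CERT_DIR}/slapd.pem"

mkdir -p -- "${SLAPD_CERT_DIR}"
(
  umask 077
  "${OPENSSL}" req -newkey rsa:2048 -x509 -nodes -days 3650 \
    -out "${SLAPD_CERT}" -keyout "${SLAPD_CERT}" \
    -subj "/C=FR/ST=Rhone-Alpes/L=Grenoble/O=Mirantis/OU=StackLight CI/CN=localhost"
)
chown -R openldap:openldap -- "${SLAPD_CERT_DIR}"
chmod 0400 -- "${SLAPD_CERT}"

# cn=config is modified over the local ldapi:/// socket with SASL EXTERNAL,
# which maps the root uid to the config rootdn, so no password is needed here.
ldapmodify -Y EXTERNAL -H ldapi:/// << EOF
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: "${SLAPD_CERT}"
-
add: olcTLSCertificateFile
olcTLSCertificateFile: "${SLAPD_CERT}"
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: "${SLAPD_CERT}"
EOF

# Enable ldaps in the configuration file
sed -i 's,^SLAPD_SERVICES=.*$,SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///",g' /etc/default/slapd

# Restart the service
/etc/init.d/slapd restart

# ############################################################################
# Validate the installation
#
FAILURES=0

#######################################
# Report whether a DN appears in the saved ldapsearch output.
# Globals:   TMPFILE (read), FAILURES (incremented when the DN is missing)
# Arguments: $1 - DN to look for; matched as a fixed string, not a regex
# Outputs:   one " [SUCCESS]" or " [FAILURE]" line on stdout
# Returns:   0 always; the outcome is recorded in FAILURES
#######################################
check_ldap_value() {
  if grep -qF -- "$1" "${TMPFILE}"; then
    echo " [SUCCESS] $1 found in LDAP"
  else
    echo " [FAILURE] $1 not found in LDAP"
    FAILURES=$((FAILURES + 1))
  fi
}

TMPFILE=$(mktemp -t ldapsearch-output.XXXXX)
ldapsearch -x -b "${BASE_DN}" -D "${BIND_DN}" -y "${PASSFILE}" > "${TMPFILE}"

echo "Installation and configuration of LDAP server are done."
echo "Starting the validation of the LDAP schema."
check_ldap_value "${UID_UADMIN}"
check_ldap_value "${UID_UVIEWER}"
check_ldap_value "${OU_GROUPS}"
check_ldap_value "${CN_ADMINS}"
check_ldap_value "${CN_VIEWERS}"
echo "Validation completed. You should only see SUCCESS reported."

# Every check prints its result first; only then is a missing object turned
# into a non-zero exit so that a CI caller cannot mistake a partial setup
# for success.
if [ "${FAILURES}" -ne 0 ]; then
  echo "${FAILURES} expected LDAP object(s) not found" >&2
  exit 1
fi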