@itsnotyoutoday
Last active June 10, 2021 01:04
Simple Script to Setup LDAP on Ubuntu 20.04
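#!/bin/bash
#
# Simple Script to Setup LDAP on Ubuntu 20.04
#
# Installs and configures slapd (OpenLDAP) with TLS, loads the sudo schema,
# creates a base DIT (ou=people, ou=groups, a sample user and a read-only bind
# DN) and points sssd at the new server. Run as root on a fresh host.
#
# Credentials may be supplied through the environment so the hard-coded
# defaults never have to be used (the defaults are kept for compatibility):
#   ADMIN_PASSWORD     slapd admin password
#   READONLY_USER      name of the read-only bind account
#   READONLY_PASSWORD  its password
#
# Interactive steps remain: the domain prompt, the `openssl ca` signing
# confirmations and `ldappasswd -S` for the sample user.
#
# -e is deliberately not enabled: some steps (apparmor removal, ufw rules) may
# legitimately fail on hosts where the component is absent. Steps whose failure
# would leave the host in a bad state are checked explicitly with `|| die`.
set -uo pipefail

#######################################
# Print an error to stderr and exit.
# Arguments: message words
#######################################
die() { printf 'LDAPSETUP: %s\n' "$*" >&2; exit 1; }

#######################################
# Convert a DNS domain into an LDAP base DN.
# Arguments: $1 - domain name, e.g. example.com
# Outputs:   dc=example,dc=com on stdout (empty labels are skipped)
#######################################
domain_to_base_dn() {
  local -a labels
  local label dn=""
  IFS='.' read -r -a labels <<<"$1"
  for label in "${labels[@]}"; do
    [[ -n "$label" ]] || continue
    dn+="${dn:+,}dc=$label"
  done
  printf '%s' "$dn"
}

[[ $EUID -eq 0 ]] || die "this script must be run as root"

read -r -p "Enter Domain Name: " domain_name
[[ -n "$domain_name" ]] || die "a domain name is required"

# Certificate subject details - change to your company details.
commonname=$domain_name
country="US"
state="Las Vegas"
locality=$domain_name
organization=$domain_name
organizationalunit=$domain_name
email="abuse@$domain_name"
cert_subject="/C=$country/ST=$state/L=$locality/O=$organization/OU=$organizationalunit/CN=$commonname/emailAddress=$email"

# Credentials: environment overrides first, otherwise the original defaults.
# The defaults are weak placeholders; set the variables for any real deployment.
READONLY_USER="${READONLY_USER:-readonly}"
READONLY_PASSWORD="${READONLY_PASSWORD:-password}"
ADMIN_USER="${ADMIN_USER:-admin}"
ADMIN_PASSWORD="${ADMIN_PASSWORD:-admin}"

# Configure HostName
echo "Setting hostname to $domain_name"
hostnamectl set-hostname "$domain_name"
ldap_domain=$(domain_to_base_dn "$domain_name")
echo "LDAP Domain Set to -> $ldap_domain"

# Do all scratch work in a private temporary directory rather than fixed names
# under /tmp, which another local user could pre-create (everything below runs
# as root and executes files fetched into this directory). Removed on exit.
workdir=$(mktemp -d) || die "mktemp failed"
cleanup() { rm -rf -- "$workdir"; }
trap cleanup EXIT
cd "$workdir" || die "cannot cd to $workdir"

apt-get -y update

#
# AppArmor seems to be giving way too many issues.. I really don't see the real need of it anyways.
# So we're going to disable for now and if really need it we can bring it back later.
# NOTE(review): this removes confinement for every profiled service on the
# host, not just slapd. Putting only the slapd profile into complain mode
# (aa-complain, from apparmor-utils) would be the narrower fix.
#
echo "Disabling App Armor"
update-rc.d -f apparmor remove
apt-get remove -y apparmor apparmor-utils
apt-get -y upgrade

# Pre-seed the slapd debconf answers so the package installs non-interactively.
debconf-set-selections << EOF
slapd slapd/password1 password $ADMIN_PASSWORD
slapd slapd/password2 password $ADMIN_PASSWORD
slapd slapd/internal/generated_adminpw password $ADMIN_PASSWORD
slapd slapd/dump_database select when needed
slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION
slapd slapd/domain string $domain_name
slapd shared/organization string $organization
slapd slapd/purge_database boolean true
slapd slapd/move_old_database boolean true
slapd slapd/dump_database string when needed
slapd slapd/invalid_config boolean true
EOF

echo "LDAPSETUP: Installing Required Packages"
# git / python-is-python3 / python3-iniparse are needed for the crudini checkout used below.
apt-get install -y slapd ldap-utils sssd libpam-sss libnss-sss git python-is-python3 python3-iniparse \
  || die "package installation failed"

echo "LDAPSETUP: Setting LDAP LogLevel to Stats"
ldapmodify -Y EXTERNAL -H ldapi:/// -Q << EOF
dn: cn=config
changeType: modify
replace: olcLogLevel
olcLogLevel: stats
EOF

echo "LDAPSETUP: Initializing slapd.log"
printf '%s\n' "local4.* /var/log/slapd.log" > /etc/rsyslog.d/51-slapd.conf

echo "LDAPSETUP: Initializind slap logrotate"
cat <<EOT > /etc/logrotate.d/slapd
/var/log/slapd.log
{
rotate 7
daily
missingok
notifempty
delaycompress
compress
postrotate
/usr/lib/rsyslog/rsyslog-rotate
endscript
}
EOT

echo "LDAPSETUP: Restarting System Log & LogRotate Services"
systemctl restart rsyslog slapd
systemctl restart logrotate

# Setup TLS/SSL Certs
echo "LDAPSETUP: Configuring SSL"
mkdir -p /etc/ssl/openldap/{private,certs,newcerts}
# Private keys live here unencrypted (see below); keep the directory closed.
chmod 700 /etc/ssl/openldap/private

# Fetch crudini into the scratch dir and use it to point the CA config at our dir.
# NOTE: this edits the system-wide /usr/lib/ssl/openssl.cnf, which affects every
# later `openssl ca` invocation on the host.
git clone --depth 1 https://github.com/pixelb/crudini.git "$workdir/crudini" \
  || die "could not fetch crudini"
crudini="$workdir/crudini/crudini"
"$crudini" --merge /usr/lib/ssl/openssl.cnf << EOT
[ CA_default ]
dir = /etc/ssl/openldap
EOT
echo "1001" > /etc/ssl/openldap/serial
touch /etc/ssl/openldap/index.txt

# Generate Certs.
# The original encrypted each key with a passphrase and immediately decrypted it
# in place, so the keys on disk were unencrypted anyway. Generate them that way
# directly and protect them with file permissions (0600, owned by openldap).
openssl genrsa -out /etc/ssl/openldap/private/cakey.pem 2048
openssl req -new -x509 -days 3650 -key /etc/ssl/openldap/private/cakey.pem \
  -out /etc/ssl/openldap/certs/cacert.pem \
  -subj "$cert_subject"
openssl genrsa -out /etc/ssl/openldap/private/ldapserver-key.key 2048
openssl req -new -key /etc/ssl/openldap/private/ldapserver-key.key \
  -out /etc/ssl/openldap/certs/ldapserver-cert.csr \
  -subj "$cert_subject"
# Interactive: openssl ca asks for confirmation before signing and committing.
openssl ca -keyfile /etc/ssl/openldap/private/cakey.pem -cert /etc/ssl/openldap/certs/cacert.pem \
  -in /etc/ssl/openldap/certs/ldapserver-cert.csr -out /etc/ssl/openldap/certs/ldapserver-cert.crt
openssl verify -CAfile /etc/ssl/openldap/certs/cacert.pem /etc/ssl/openldap/certs/ldapserver-cert.crt
chmod 600 /etc/ssl/openldap/private/*
chown -R openldap: /etc/ssl/openldap/

# Update the slapd config: listen on ldaps:// as well.
"$crudini" --merge /etc/default/slapd << EOF
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -Q << EOT
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/openldap/certs/cacert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/openldap/certs/ldapserver-cert.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/openldap/private/ldapserver-key.key
EOT

echo "LDAPSETUP: Verifying LDAP SETUP SSL Config"
slapcat -b "cn=config" | grep -E "olcTLS"

# Point the client library at our CA (comment out any existing TLS_CACERT first).
sed -i "s/^TLS_CACERT/#TLS_CACERT/" /etc/ldap/ldap.conf
echo "TLS_CACERT /etc/ssl/openldap/certs/cacert.pem" >> /etc/ldap/ldap.conf

# LDIF records must be separated by blank lines; one ldapadd applies them all.
echo "LDAPSETUP: Disabling Anonymous Users"
ldapadd -Y EXTERNAL -H ldapi:/// << EOT
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
EOT

# sudo-ldap replaces the sudo package; SUDO_FORCE_REMOVE lets apt remove sudo.
# If this step fails the host can be left without a working sudo, which is why
# the script has to run from a root shell and why the failure is fatal here.
export SUDO_FORCE_REMOVE=yes
apt-get install -y sudo-ldap || die "sudo-ldap installation failed"

echo "LDAPSETUP: Setup LDAP-SUDO Permissions"
cp /usr/share/doc/sudo-ldap/schema.OpenLDAP /etc/ldap/schema/sudo.schema
sudo_dir="$workdir/ldap-sudo"
mkdir -p "$sudo_dir"
echo "include /etc/ldap/schema/sudo.schema" > "$sudo_dir/ldapsudo.conf"
cd "$sudo_dir" || die "cannot cd to $sudo_dir"
# slaptest converts the .schema into cn=config LDIF; strip the operational
# attributes it adds and rename the entry to cn=sudo before loading it.
slaptest -f ldapsudo.conf -F .
sed -i -E -e '/(modifyTimestamp|modifiersName|entryCSN|createTimestamp|creatorsName|entryUUID|structuralObjectClass)\:/d' \
  -e '/cn\:/c cn: sudo' \
  -e '/dn\:/c dn: cn=sudo,cn=schema,cn=config' \
  'cn=config/cn=schema/cn={0}sudo.ldif'
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f 'cn=config/cn=schema/cn={0}sudo.ldif'
cd "$workdir" || die "cannot cd to $workdir"
# Some tutorials say to do this.. Not sure if its needed or not?
# echo "include /etc/ldap/schema/sudo.schema" >> /etc/ldap/slapd.conf
#
systemctl restart slapd

# Access control plus the base DIT. The read-only bind DN is built from
# $READONLY_USER everywhere so the ACL, the entry and sssd.conf stay in sync.
ldapadd -Y EXTERNAL -H ldapi:/// << EOT
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange,shadowExpire by self write by anonymous auth by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by dn.exact="cn=$READONLY_USER,ou=people,$ldap_domain" read by * none
olcAccess: to dn.exact="cn=$READONLY_USER,ou=people,$ldap_domain" by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
olcAccess: to dn.subtree="$ldap_domain" by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by users read by * none

dn: ou=people,$ldap_domain
objectClass: organizationalUnit
objectClass: top
ou: people

dn: ou=groups,$ldap_domain
objectClass: organizationalUnit
objectClass: top
ou: groups

dn: uid=johndoe,ou=people,$ldap_domain
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: johndoe
cn: John
sn: Doe
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/johndoe
shadowMax: 60
shadowMin: 1
shadowWarning: 7
shadowInactive: 7
shadowLastChange: 0

dn: cn=johndoe,ou=groups,$ldap_domain
objectClass: posixGroup
cn: johndoe
gidNumber: 10000
memberUid: johndoe
EOT

echo "LDAPSETUP: Setting John Doe Password"
# Interactive: -S prompts for the new password.
ldappasswd -H ldapi:/// -Y EXTERNAL -S "uid=johndoe,ou=people,$ldap_domain"

echo "LDAPSETUP: Making Read Only User"
# Hash the bind password. -T reads the secret from a file descriptor instead of
# argv, so it does not show up in `ps` while slappasswd runs.
slapass=$(slappasswd -T <(printf '%s' "$READONLY_PASSWORD") -n)
ldapadd -Y EXTERNAL -H ldapi:/// << EOT
dn: cn=$READONLY_USER,ou=people,$ldap_domain
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: $READONLY_USER
userPassword: $slapass
description: Bind DN user for LDAP Operations
EOT
# The password is not echoed: stdout of a setup run usually ends up in logs or
# scrollback. It is written to /etc/sssd/sssd.conf (mode 0600) below.
echo "LDAPSETUP: LDAP readonly bind user is \"$READONLY_USER\""

# For UFW.... Need add some logic to detect firewalls here and use the appropriate thing...
ufw allow "OpenLDAP LDAP"
ufw allow "OpenLDAP LDAPS"

echo "LDAPSETUP: Starting SSSD Configuration"
cat <<EOT > /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = default
[nss]
[pam]
offline_credentials_expiration = 60
[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = $ldap_domain
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
ldap_uri = ldap://$domain_name
ldap_default_bind_dn = cn=$READONLY_USER,ou=people,$ldap_domain
ldap_default_authtok = $READONLY_PASSWORD
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/openldap/certs/cacert.pem
ldap_tls_cacertdir = /etc/ssl/openldap/certs
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)
EOT

echo "LDAPSETUP: Fixing SSSD Permissions"
# sssd.conf holds the bind password and must be root-owned 0600. The original
# `chmod 600 -R /etc/sssd` also stripped the execute bit from the directory
# itself; a directory needs 0700, not 0600, to remain traversable.
chown root:root /etc/sssd/sssd.conf
chmod 700 /etc/sssd
chmod 600 /etc/sssd/sssd.conf

echo "LDAPSETUP: Configuring Auto-LDAP Home directories"
# Guarded so re-running the script does not insert the line a second time.
grep -q 'pam_mkhomedir.so' /etc/pam.d/common-session \
  || sed -i '/pam_sss.so/ a session required pam_mkhomedir.so skel=/etc/skel/ umask=0022' /etc/pam.d/common-session

# The crudini checkout and sudo scratch dir are removed by the EXIT trap.
# restart some stuff
systemctl restart sssd
systemctl --no-pager status sssd
systemctl enable sssd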
@itsnotyoutoday

This is mostly based on the setup procedures as outlined @ https://kifarunix.com/install-and-setup-openldap-server-on-ubuntu-20-04/

@itsnotyoutoday

On a Fresh Server Install, this now works perfectly!
