Created
December 18, 2017 17:23
-
-
Save phieber/7f97e480399b0da5602f00b7eaf1e3d6 to your computer and use it in GitHub Desktop.
LDAP setup script which does TLS setup and basic hardening. Improved version of https://riecken.de/index.php/2016/05/openldap-automatisch-installieren-und-einrichten/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Author: Patrick Hieber | |
| # modified version of: | |
| #https://riecken.de/index.php/2016/05/openldap-automatisch-installieren-und-einrichten/ | |
| # Changelog | |
| # v1.1: added TLS via Letsencrypt, heredoc instead of echos, consistent usage of variables | |
| # v1 (original): #https://riecken.de/index.php/2016/05/openldap-automatisch-installieren-und-einrichten/ | |
| # globals | |
| LDAPDB="mdb" | |
| DOMAIN="my.example.tld" # e.g. example.com | |
| DCNAME="$(echo $DOMAIN | sed -e 's@^\(.*\)@DC=\1@g;' -e 's@\.@,DC=@g;')" # e.g. DC=example,DC=com | |
| PPOLICY_FILE="/etc/ldap/schema/ppolicy.ldif" | |
| LOGFILE="/tmp/debug.txt" | |
| # basesetup() | |
| # Installs slapd (openLDAP) unattended | |
| # using debconf | |
| basesetup() { | |
| apt update | |
| # export DEBIAN_FRONTEND=noninteractive | |
| # debconf-set-selections <<-EOInp | |
| # slapd slapd/internal/generated_adminpw password $PASSWORD | |
| # slapd slapd/password2 password $PASSWORD | |
| # slapd slapd/internal/adminpw password $PASSWORD | |
| # slapd slapd/password1 password $PASSWORD | |
| # slapd slapd/backend: string $LDAPDB | |
| # slapd slapd/domain string $DOMAIN | |
| #EOInp | |
| apt install -y slapd ldap-utils | |
| /etc/init.d/slapd restart | |
| } | |
| make_index() { | |
| ldapmodify -Y EXTERNAL -H ldapi:/// <<-EOInp | |
| dn: olcDatabase={1}$LDAPDB,cn=config | |
| changetype: modify | |
| add: olcDbIndex | |
| olcDbIndex: mail,givenName eq,subinitial | |
| EOInp | |
| if [ $? -ne 0 ] ; then echo ERROR executing ; exit 1 ; fi | |
| } | |
| # configure_policy() | |
| # installs: ppolicy-scheme | |
| # ppolicy-module | |
| # overlay | |
| # ppolicycontext | |
| # defaultpolicy | |
| configure_policy() { | |
| ldapmodify -Y EXTERNAL -H ldapi:/// <<-EOInp | |
| dn: olcDatabase={1}$LDAPDB,cn=config | |
| changetype: modify | |
| replace: olcAccess | |
| olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write by * none | |
| EOInp | |
| if [ $? -ne 0 ] ; then echo ERROR executing ; exit 1 ; fi | |
| ldapadd -Q -Y EXTERNAL -H ldapi:/// -f $PPOLICY_FILE | |
| ldapmodify -Y EXTERNAL -H ldapi:/// <<-EOInp | |
| dn: cn=module{0},cn=config | |
| changetype: modify | |
| add: olcModuleLoad | |
| olcModuleLoad: ppolicy.la | |
| EOInp | |
| if [ $? -ne 0 ] ; then echo ERROR executing ; exit 1 ; fi | |
| /etc/init.d/slapd restart | |
| ldapadd -Q -Y EXTERNAL -H ldapi:/// <<-EOInp | |
| dn: ou=policies,$DCNAME | |
| objectClass: organizationalUnit | |
| objectClass: top | |
| ou: policies | |
| EOInp | |
| if [ $? -ne 0 ] ; then echo ERROR executing ; exit 1 ; fi | |
| ldapadd -Q -Y EXTERNAL -H ldapi:/// <<-EOInp | |
| dn: cn=default,ou=policies,$DCNAME | |
| objectClass: top | |
| objectClass: person | |
| objectClass: pwdPolicy | |
| cn: default | |
| sn: default | |
| pwdAllowUserChange: TRUE | |
| # this don't work though documentation says it should | |
| # pwdAttribute: userPassword | |
| # So we use OID for workaround | |
| pwdAttribute: 2.5.4.35 | |
| pwdInhistory: 10 | |
| pwdLockout: TRUE | |
| pwdLockoutDuration: 1800 | |
| pwdMaxAge: 0 | |
| pwdMaxFailure: 3 | |
| pwdMinLength: 10 | |
| pwdMustChange: TRUE | |
| pwdSafeModify: TRUE | |
| EOInp | |
| if [ $? -ne 0 ] ; then echo ERROR executing ; exit 1 ; fi | |
| ldapadd -Q -Y EXTERNAL -H ldapi:/// <<-EOInp | |
| dn: olcOverlay=ppolicy,olcDatabase={1}$LDAPDB,cn=config | |
| objectClass: olcOverlayConfig | |
| objectClass: olcPPolicyConfig | |
| olcOverlay: ppolicy | |
| olcPPolicyDefault: cn=default,ou=policies,$DCNAME | |
| olcPPolicyHashCleartext: FALSE | |
| olcPPolicyUseLockout: FALSE | |
| olcPPolicyForwardUpdates: FALSE | |
| EOInp | |
| if [ $? -ne 0 ] ; then echo ERROR executing ; exit 1 ; fi | |
| } | |
| # configure_tls() | |
| # does: | |
| # generating of cert-authority | |
| # generating of certs for slapd | |
| # configuring of slapd for using tls | |
| configure_tls() { | |
| echo | |
| apt install -y certbot gnutls-bin | |
| #certbot certonly ##remove after the script is tested thoroughly | |
| chgrp -R openldap /etc/letsencrypt/live/ /etc/letsencrypt/archive | |
| chmod -R g=rx /etc/letsencrypt/live/ /etc/letsencrypt/archive | |
| /etc/init.d/slapd restart | |
| # config openldap accordingly: | |
| ldapmodify -H ldapi:// -Y EXTERNAL <<-EOInp | |
| dn: cn=config | |
| changetype: modify | |
| replace: olcTLSCACertificateFile | |
| olcTLSCACertificateFile: /etc/letsencrypt/live/$(hostname -f)/fullchain.pem | |
| - | |
| replace: olcTLSCertificateFile | |
| olcTLSCertificateFile: /etc/letsencrypt/live/$(hostname -f)/cert.pem | |
| - | |
| replace: olcTLSCertificateKeyFile | |
| olcTLSCertificateKeyFile: /etc/letsencrypt/live/$(hostname -f)/privkey.pem | |
| EOInp | |
| if [ $? -ne 0 ] ; then echo ERROR executing ; exit 1 ; fi | |
| } | |
| # harden() | |
| # does: | |
| # set to TLS only | |
| # listen only to ldaps | |
| # set to TLSv1.2 only | |
| harden() { | |
| ldapmodify -H ldapi:// -Y EXTERNAL <<-EOInp | |
| dn: cn=config | |
| changetype: modify | |
| replace: olcTLSProtocolMin | |
| olcTLSProtocolMin: 3.3 | |
| - | |
| replace: olcDisallows | |
| olcDisallows: bind_anon | |
| - | |
| replace: olcRequires | |
| olcRequires: authc | |
| - | |
| replace: olcLogLevel | |
| olcLogLevel: stats | |
| - | |
| replace: olcSecurity | |
| olcSecurity: tls=1 | |
| EOInp | |
| if [ $? -ne 0 ] ; then echo ERROR executing ; exit 1 ; fi | |
| echo "disable plaintext services and swtich to ldaps only" | |
| sed -i -e 's@^\(SLAPD_SERVICES.*\)@SLAPD_SERVICES="ldaps:///"@g;' /etc/default/slapd | |
| /etc/init.d/slapd restart | |
| } | |
| # toggle_acl() | |
| # sets ACL back to save values after install | |
| toggle_acl() { | |
| ldapmodify -Y EXTERNAL -H ldapi:/// <<-EOInp | |
| dn: olcDatabase={1}$LDAPDB,cn=config | |
| changetype: modify | |
| replace: olcAccess | |
| olcAccess: {0}to * by self write by anonymous auth | |
| EOInp | |
| if [ $? -ne 0 ] ; then echo ERROR executing ; exit 1 ; fi | |
| } | |
| # debug_output() | |
| # dumps to file: | |
| # debconf values for slapd | |
| # complete Root-DN | |
| # complete cn=config | |
| debug_output() { | |
| debconf-show slapd > $LOGFILE | |
| slapcat >> $LOGFILE | |
| ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config >> $LOGFILE | |
| } | |
| # enable_logging() | |
| # enable slapd logging | |
| enable_logging() { | |
| ldapmodify -H ldapi:// -Y EXTERNAL <<-EOInp | |
| dn: cn=config | |
| changetype: modify | |
| replace: olcLogLevel | |
| olcLogLevel: stats | |
| EOInp | |
| if [ $? -ne 0 ] ; then echo ERROR executing ; exit 1 ; fi | |
| } | |
| # cleanldap() | |
| # Removes all of openLDAP | |
| cleanldap() { | |
| apt remove -y slapd ldap-utils --purge | |
| } | |
| # main | |
| basesetup | |
| make_index | |
| configure_tls | |
| configure_policy | |
| enable_logging | |
| debug_output | |
| toggle_acl | |
| harden | |
| #cleanldap |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
First, many thanks for publishing your script. It helped me frame up my scripts for a config driven Openldap multi-master install.
Any feedback would be greatly appreciated - https://github.com/jdkelleher/openldap_multi-master