1 #!/bin/bash

     2 

     3 set -e

     4 . resources/functions

     5 

     6 cat <<EOF

     7 Welcome to SSO-in-a-Box! This script configures a stock Ubuntu 12.10 install

     8 into a working Kerberos, LDAP, RADIUS and WebAuth server. We'll ask you for

     9 details on your domain and your first administrative account, then get started

    10 creating things.

    11 

    12 WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING

    13 >>>   If you have ANY existing LDAP or Kerberos database that you   <<<

    14 >>>    want to save, EXIT THIS SCRIPT NOW by pressing Control-C.    <<<

    15 WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING

    16 

    17 EOF

    18 

    19 get_input()

    20 {

    21 	local var="$1"

    22 	local prompt="$2"

    23 	local prefill="${3:-}"

    24 	[ -n "$prefill" ] && prompt="${prompt} [${prefill}]"

    25 	eval "$var="\""$prefill"\"

    26 	while true; do

    27 		read -p "$prompt: " "$var"

    28 		if [ -z "${!var}" ]; then

    29 			if [ -n "$prefill" ]; then

    30 				eval "$var="\""$prefill"\"

    31 				break

    32 			fi

    33 		else

    34 			break

    35 		fi

    36 		echo "Invalid input."

    37 	done

    38 }

    39 

    40 get_input fullname "Your full name"

    41 username=`echo "$fullname" | awk '{print $1;}' | tr '[A-Z]' '[a-z]'`

    42 get_input username "Admin username" "$username"

    43 password="`generate_password 16`"

    44 #while true; do

    45 #	stty -echo

    46 #	get_input password "Admin password"

    47 #	echo

    48 #	get_input pconf "Confirm password"

    49 #	stty echo; echo

    50 #	[ "$password" = "$pconf" ] && break

    51 #	echo "Passwords do not match."

    52 #done

    53 get_input domain "Domain name"

    54 

    55 domain="`echo $domain | tr '[:upper:]' '[:lower:]'`"

    56 ldap_suffix="dc=`echo $domain | sed -re 's/\./,dc=/g'`"

    57 krb5_realm="`echo $domain | tr '[:lower:]' '[:upper:]'`"

    58 

    59 echo "Your LDAP suffix is: $ldap_suffix"

    60 echo "Your Kerberos V realm is: $krb5_realm"

    61 

    62 echo "Setting up your /etc/hosts file"

    63 patch_hosts_file

    64 

    65 echo "Setting up your Kerberos V client config."

    66 generate_krb5_config

    67 

    68 echo "Updating apt, purging any existing SSO packages and installing stuff."

    69 # silence apt etc.

    70 export DEBIAN_FRONTEND=noninteractive

    71 #apt-get update

    72 apt-get remove --purge -y ${krb5_packages} ${ldap_packages} ${sasl_packages} \

    73 		${radius_packages} ${http_packages}

    74 apt-get install -y ${krb5_packages} ${ldap_packages} ${sasl_packages} screen \

    75 		${radius_packages} build-essential libkrb5-dev libssl-dev acl \

    76 		${http_packages} libnet-ldap-perl php5-ldap php5-dev libyaml-dev \

    77 		libnl-dev

    78 

    79 # stop any running services

    80 if pidof apache2 > /dev/null; then

    81 	invoke-rc.d apache2 stop

    82 fi

    83 

    84 if pidof freeradius > /dev/null; then

    85 	invoke-rc.d freeradius stop

    86 fi

    87 

    88 if pidof kcrap_server > /dev/null; then

    89 	killall kcrap_server

    90 fi

    91 

    92 if pidof saslauthd > /dev/null; then

    93 	invoke-rc.d saslauthd stop

    94 fi

    95 

    96 if pidof slapd > /dev/null; then

    97 	invoke-rc.d slapd stop

    98 fi

    99 

   100 if pidof krb5kdc > /dev/null; then

   101 	invoke-rc.d krb5-kdc stop

   102 fi

   103 

   104 if pidof kadmind > /dev/null; then

   105 	invoke-rc.d krb5-admin-server stop

   106 fi

   107 

   108 # LDAP setup

   109 # remove any existing LDAP db

   110 pidof slapd && killall -9 slapd

   111 if [ -f /var/lib/ldap/__db.001 ]; then

   112 	rm -fv /var/lib/ldap/__db.* \

   113 		/var/lib/ldap/alock \

   114 		/var/lib/ldap/dn2id.bdb \

   115 		/var/lib/ldap/id2entry.bdb \

   116 		/var/lib/ldap/log.* \

   117 		/var/lib/ldap/objectClass.bdb

   118 fi

   119 ldap_manager_pw="`generate_password 40`"

   120 echo -n "$ldap_manager_pw" > /etc/ldap.secret

   121 chmod 600 /etc/ldap.secret

   122 ldap_manager_pw_hash="`echo "$ldap_manager_pw" | slappasswd -T /etc/ldap.secret`"

   123 ldap_reader_pw="`generate_password 10`"

   124 

   125 if [ -d /etc/ldap/slapd.d ]; then

   126 	rm -rfv /etc/ldap/slapd.d

   127 fi

   128 generate_slapd_config

   129 generate_base_ldif | slapadd

   130 chown -R openldap:openldap /var/lib/ldap

   131 

   132 if ! grep -q "KRB5_KTNAME=/etc/ldap" /etc/default/slapd; then

   133 	echo 'export KRB5_KTNAME="FILE:/etc/ldap/keytab"' >> /etc/default/slapd

   134 fi

   135 

   136 cat <<EOF > /etc/ldap/sasl2/slapd.conf

   137 pwcheck_method: saslauthd

   138 saslauthd_path: /var/run/saslauthd/mux

   139 

   140 EOF

   141 

   142 # this allows slapd access to saslauthd's auth socket

   143 gpasswd -a openldap sasl

   144 

   145 # KDC setup

   146 stash_pw="`generate_password 40`"

   147 

   148 # seeds /dev/random rather nicely...

   149 screen -dmS hasher sh -c "find /usr/lib/ /usr/share/ -print0 -type f | xargs -0 -n1 sha1sum"

   150 if [ -f /var/lib/krb5kdc/principal ]; then

   151 	rm -fv /var/lib/krb5kdc/principal \

   152 			/var/lib/krb5kdc/principal.kadm5 \

   153 			/var/lib/krb5kdc/principal.kadm5.lock \

   154 			/var/lib/krb5kdc/principal.ok

   155 fi

   156 echo -en "${stash_pw}\n${stash_pw}\n" | kdb5_util create -s

   157 

   158 echo -e "*/admin\t*" > /etc/krb5kdc/kadm5.acl

   159 

   160 invoke-rc.d krb5-kdc start

   161 invoke-rc.d krb5-admin-server start

   162 

   163 kadmin.local -q "ank -pw "\""${password}"\"" $username"

   164 

   165 webkerb_pw="`generate_password 40`"

   166 kadmin.local -q "ank -pw "\""${webkerb_pw}"\"" webkerb/admin"

   167 

   168 kadmin.local -q "ank -randkey host/ssoinabox.$domain"

   169 [ -f /etc/krb5.keytab ] && rm -f /etc/krb5.keytab

   170 kadmin.local -q "ktadd -norandkey -kt /etc/krb5.keytab host/ssoinabox.$domain"

   171 kadmin.local -q "ank -randkey ldap/ssoinabox.$domain"

   172 [ -f /etc/ldap/keytab ] && rm -f /etc/ldap/keytab

   173 kadmin.local -q "ktadd -norandkey -kt /etc/ldap/keytab ldap/ssoinabox.$domain"

   174 chown root:openldap /etc/ldap/keytab

   175 chmod 640 /etc/ldap/keytab

   176 

   177 echo "/etc/ldap/keytab rk," > "/etc/apparmor.d/local/usr.sbin.slapd"

   178 invoke-rc.d apparmor restart

   179 

   180 invoke-rc.d slapd start

   181 

   182 # SASL setup

   183 configure_saslauthd

   184 invoke-rc.d saslauthd start

   185 

   186 # KCRAP setup

   187 build_kcrap > /dev/null

   188 configure_kcrap

   189 /usr/sbin/kcrap_server

   190 

   191 # RADIUS setup

   192 configure_freerad

   193 invoke-rc.d freeradius start

   194 

   195 # RADIUS tests

   196 test_freerad

   197 

   198 # generate web stuff

   199 generate_web_yaml

   200 

   201 # apache config

   202 for module in rewrite authz_dbm webauth webkdc; do

   203 	a2enmod $module

   204 done

   205 

   206 build_kadm5 > /dev/null

   207 

   208 configure_webkdc

   209 configure_webauth

   210 configure_apache2

   211 

   212 if pecl list | grep -q yaml; then

   213 	pecl uninstall yaml

   214 fi

   215 yes "" | pecl install yaml > /dev/null

   216 test -d /etc/php5/conf.d || mkdir /etc/php5/conf.d

   217 echo "extension=yaml.so" > /etc/php5/conf.d/yaml.ini

   218 cp `dirname $0`/resources/ldap-groups.db /etc/apache2/ldap-groups

   219 

   220 # install packages

   221 for d in packages/*; do

   222 	cd $d

   223 	./build

   224 	cd ../..

   225 done

   226 find packages -name \*.deb -type f | xargs dpkg -i

   227 

   228 /usr/local/share/ssoinabox/bin/ldap-groups-to-dbm

   229 

   230 invoke-rc.d apache2 start

   231 

   232 echo "Passwords to remember (WRITE THESE DOWN):"

   233 echo "Kerberos master key:   $stash_pw"

   234 echo "LDAP manager password: $ldap_manager_pw"

   235 echo "LDAP reader DN:        cn=ldap-reader,ou=Roles,$ldap_suffix"

   236 echo "LDAP reader password:  $ldap_reader_pw"

   237 echo "Admin username:        $username"

   238 echo "Admin password:        $password"

   239 echo "Change your admin password by typing:"

   240 echo "  kadmin.local -q "\""cpw $username"\"""