make-sso
changeset 0 3906ca745819
child 4 2212b2ded8bf
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/make-sso	Tue Jan 08 23:13:29 2013 -0500
@@ -0,0 +1,240 @@
+#!/bin/bash
+
+set -e
+. resources/functions
+
+cat <<EOF
+Welcome to SSO-in-a-Box! This script configures a stock Ubuntu 12.10 install
+into a working Kerberos, LDAP, RADIUS and WebAuth server. We'll ask you for
+details on your domain and your first administrative account, then get started
+creating things.
+
+WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+>>>   If you have ANY existing LDAP or Kerberos database that you   <<<
+>>>    want to save, EXIT THIS SCRIPT NOW by pressing Control-C.    <<<
+WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+
+EOF
+
+get_input()
+{
+	local var="$1"
+	local prompt="$2"
+	local prefill="${3:-}"
+	[ -n "$prefill" ] && prompt="${prompt} [${prefill}]"
+	eval "$var="\""$prefill"\"
+	while true; do
+		read -p "$prompt: " "$var"
+		if [ -z "${!var}" ]; then
+			if [ -n "$prefill" ]; then
+				eval "$var="\""$prefill"\"
+				break
+			fi
+		else
+			break
+		fi
+		echo "Invalid input."
+	done
+}
+
+get_input fullname "Your full name"
+username=`echo "$fullname" | awk '{print $1;}' | tr '[A-Z]' '[a-z]'`
+get_input username "Admin username" "$username"
+password="`generate_password 16`"
+#while true; do
+#	stty -echo
+#	get_input password "Admin password"
+#	echo
+#	get_input pconf "Confirm password"
+#	stty echo; echo
+#	[ "$password" = "$pconf" ] && break
+#	echo "Passwords do not match."
+#done
+get_input domain "Domain name"
+
+domain="`echo $domain | tr '[:upper:]' '[:lower:]'`"
+ldap_suffix="dc=`echo $domain | sed -re 's/\./,dc=/g'`"
+krb5_realm="`echo $domain | tr '[:lower:]' '[:upper:]'`"
+
+echo "Your LDAP suffix is: $ldap_suffix"
+echo "Your Kerberos V realm is: $krb5_realm"
+
+echo "Setting up your /etc/hosts file"
+patch_hosts_file
+
+echo "Setting up your Kerberos V client config."
+generate_krb5_config
+
+echo "Updating apt, purging any existing SSO packages and installing stuff."
+# silence apt etc.
+export DEBIAN_FRONTEND=noninteractive
+#apt-get update
+apt-get remove --purge -y ${krb5_packages} ${ldap_packages} ${sasl_packages} \
+		${radius_packages} ${http_packages}
+apt-get install -y ${krb5_packages} ${ldap_packages} ${sasl_packages} screen \
+		${radius_packages} build-essential libkrb5-dev libssl-dev acl \
+		${http_packages} libnet-ldap-perl php5-ldap php5-dev libyaml-dev \
+		libnl-dev
+
+# stop any running services
+if pidof apache2 > /dev/null; then
+	invoke-rc.d apache2 stop
+fi
+
+if pidof freeradius > /dev/null; then
+	invoke-rc.d freeradius stop
+fi
+
+if pidof kcrap_server > /dev/null; then
+	killall kcrap_server
+fi
+
+if pidof saslauthd > /dev/null; then
+	invoke-rc.d saslauthd stop
+fi
+
+if pidof slapd > /dev/null; then
+	invoke-rc.d slapd stop
+fi
+
+if pidof krb5kdc > /dev/null; then
+	invoke-rc.d krb5-kdc stop
+fi
+
+if pidof kadmind > /dev/null; then
+	invoke-rc.d krb5-admin-server stop
+fi
+
+# LDAP setup
+# remove any existing LDAP db
+pidof slapd && killall -9 slapd
+if [ -f /var/lib/ldap/__db.001 ]; then
+	rm -fv /var/lib/ldap/__db.* \
+		/var/lib/ldap/alock \
+		/var/lib/ldap/dn2id.bdb \
+		/var/lib/ldap/id2entry.bdb \
+		/var/lib/ldap/log.* \
+		/var/lib/ldap/objectClass.bdb
+fi
+ldap_manager_pw="`generate_password 40`"
+echo -n "$ldap_manager_pw" > /etc/ldap.secret
+chmod 600 /etc/ldap.secret
+ldap_manager_pw_hash="`echo "$ldap_manager_pw" | slappasswd -T /etc/ldap.secret`"
+ldap_reader_pw="`generate_password 10`"
+
+if [ -d /etc/ldap/slapd.d ]; then
+	rm -rfv /etc/ldap/slapd.d
+fi
+generate_slapd_config
+generate_base_ldif | slapadd
+chown -R openldap:openldap /var/lib/ldap
+
+if ! grep -q "KRB5_KTNAME=/etc/ldap" /etc/default/slapd; then
+	echo 'export KRB5_KTNAME="FILE:/etc/ldap/keytab"' >> /etc/default/slapd
+fi
+
+cat <<EOF > /etc/ldap/sasl2/slapd.conf
+pwcheck_method: saslauthd
+saslauthd_path: /var/run/saslauthd/mux
+
+EOF
+
+# this allows slapd access to saslauthd's auth socket
+gpasswd -a openldap sasl
+
+# KDC setup
+stash_pw="`generate_password 40`"
+
+# seeds /dev/random rather nicely...
+screen -dmS hasher sh -c "find /usr/lib/ /usr/share/ -print0 -type f | xargs -0 -n1 sha1sum"
+if [ -f /var/lib/krb5kdc/principal ]; then
+	rm -fv /var/lib/krb5kdc/principal \
+			/var/lib/krb5kdc/principal.kadm5 \
+			/var/lib/krb5kdc/principal.kadm5.lock \
+			/var/lib/krb5kdc/principal.ok
+fi
+echo -en "${stash_pw}\n${stash_pw}\n" | kdb5_util create -s
+
+echo -e "*/admin\t*" > /etc/krb5kdc/kadm5.acl
+
+invoke-rc.d krb5-kdc start
+invoke-rc.d krb5-admin-server start
+
+kadmin.local -q "ank -pw "\""${password}"\"" $username"
+
+webkerb_pw="`generate_password 40`"
+kadmin.local -q "ank -pw "\""${webkerb_pw}"\"" webkerb/admin"
+
+kadmin.local -q "ank -randkey host/ssoinabox.$domain"
+[ -f /etc/krb5.keytab ] && rm -f /etc/krb5.keytab
+kadmin.local -q "ktadd -norandkey -kt /etc/krb5.keytab host/ssoinabox.$domain"
+kadmin.local -q "ank -randkey ldap/ssoinabox.$domain"
+[ -f /etc/ldap/keytab ] && rm -f /etc/ldap/keytab
+kadmin.local -q "ktadd -norandkey -kt /etc/ldap/keytab ldap/ssoinabox.$domain"
+chown root:openldap /etc/ldap/keytab
+chmod 640 /etc/ldap/keytab
+
+echo "/etc/ldap/keytab rk," > "/etc/apparmor.d/local/usr.sbin.slapd"
+invoke-rc.d apparmor restart
+
+invoke-rc.d slapd start
+
+# SASL setup
+configure_saslauthd
+invoke-rc.d saslauthd start
+
+# KCRAP setup
+build_kcrap > /dev/null
+configure_kcrap
+/usr/sbin/kcrap_server
+
+# RADIUS setup
+configure_freerad
+invoke-rc.d freeradius start
+
+# RADIUS tests
+test_freerad
+
+# generate web stuff
+generate_web_yaml
+
+# apache config
+for module in rewrite authz_dbm webauth webkdc; do
+	a2enmod $module
+done
+
+build_kadm5 > /dev/null
+
+configure_webkdc
+configure_webauth
+configure_apache2
+
+if pecl list | grep -q yaml; then
+	pecl uninstall yaml
+fi
+yes "" | pecl install yaml > /dev/null
+test -d /etc/php5/conf.d || mkdir /etc/php5/conf.d
+echo "extension=yaml.so" > /etc/php5/conf.d/yaml.ini
+cp `dirname $0`/resources/ldap-groups.db /etc/apache2/ldap-groups
+
+# install packages
+for d in packages/*; do
+	cd $d
+	./build
+	cd ../..
+done
+find packages -name \*.deb -type f | xargs dpkg -i
+
+/usr/local/share/ssoinabox/bin/ldap-groups-to-dbm
+
+invoke-rc.d apache2 start
+
+echo "Passwords to remember (WRITE THESE DOWN):"
+echo "Kerberos master key:   $stash_pw"
+echo "LDAP manager password: $ldap_manager_pw"
+echo "LDAP reader DN:        cn=ldap-reader,ou=Roles,$ldap_suffix"
+echo "LDAP reader password:  $ldap_reader_pw"
+echo "Admin username:        $username"
+echo "Admin password:        $password"
+echo "Change your admin password by typing:"
+echo "  kadmin.local -q "\""cpw $username"\"""
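Review bot: `get_input` assigns through `eval "$var="\""$prefill"\"` (once before the loop and again in the empty-input branch), so a prefill containing a double quote, a backtick or `$` is re-parsed by the shell instead of being stored, and the prefill for the `Admin username` prompt is the first word of the operator-typed full name, so ordinary input reaches it. `printf -v "$var" '%s' "$prefill"` stores the value verbatim with no re-parsing. Separately, the admin and `webkerb/admin` passwords are handed to `kadmin.local -q` on its command line, where they sit in the process list for the duration of the call; feeding the `ank` commands on stdin (kadmin.local reads commands from stdin when `-q` is omitted) keeps them out of argv. `/etc/ldap.secret` is also created with the default umask and only then `chmod 600`, so there is a short window in which it may be readable by other users; `(umask 077; printf '%s' "$ldap_manager_pw" > /etc/ldap.secret)` closes it and drops the `echo -n` portability concern at the same time.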