--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/resources/functions Tue Jan 08 23:13:29 2013 -0500
@@ -0,0 +1,456 @@
+# :mode=shellscript:
+
+krb5_packages="krb5-admin-server krb5-kdc"
+ldap_packages="slapd ldap-utils"
+sasl_packages="sasl2-bin libsasl2-modules-gssapi-mit"
+radius_packages="freeradius freeradius-ldap freeradius-common"
+http_packages="apache2.2-bin libapache2-mod-php5 libapache2-webauth libapache2-webkdc webauth-weblogin php-pear"
+
+patch_hosts_file()
+{
+ sed -re '/^127\.0\.1\.1\s+/d' -i /etc/hosts
+ #sed -re '/^10\.0\.2\.2\s+/d' -i /etc/hosts
+ echo -e "127.0.1.1\tssoinabox.${domain}\tssoinabox" >> /etc/hosts
+ #echo -e "10.0.2.2\tsso-clients.${domain}\tssoinabox" >> /etc/hosts
+
+ echo -n "ssoinabox.$domain" > /etc/hostname
+ hostname `cat /etc/hostname`
+}
+
+generate_krb5_config()
+{
+ cat <<EOF > /etc/krb5.conf
+[libdefaults]
+ default_realm = $krb5_realm
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ ticket_lifetime = 24h
+ forwardable = yes
+
+[realms]
+ $krb5_realm = {
+ kdc = ssoinabox.$domain:88
+ admin_server = ssoinabox.$domain:749
+ kcrap = ssoinabox.$domain:1999
+ }
+
+[domain_realm]
+ $domain = $krb5_realm
+ .$domain = $krb5_realm
+
+[login]
+ krb4_convert = true
+ krb4_get_tickets = false
+
+
+EOF
+}
+
+generate_slapd_config()
+{
+ cat <<EOF > /etc/ldap/slapd.conf
+# vim: set ft=conf
+include /etc/ldap/schema/core.schema
+include /etc/ldap/schema/cosine.schema
+include /etc/ldap/schema/inetorgperson.schema
+include /etc/ldap/schema/nis.schema
+
+pidfile /var/run/slapd/slapd.pid
+argsfile /var/run/slapd/slapd.args
+
+# for replication
+moduleload back_bdb.la
+moduleload syncprov
+
+disallow bind_anon
+
+database bdb
+suffix "$ldap_suffix"
+
+authz-policy from
+authz-regexp "^uid=([^,/]+)(,cn=${domain//\./\\.})?,cn=gssapi,cn=auth" "cn=\$1,ou=People,$ldap_suffix"
+
+rootdn "cn=Manager,$ldap_suffix"
+rootpw ${ldap_manager_pw_hash}
+
+directory /var/lib/ldap
+
+index objectClass eq
+
+sasl-realm ${krb5_realm}
+sasl-host ssoinabox.${domain}
+sasl-secprops noplain,noactive,noanonymous
+
+#TLSCACertificateFile /etc/ssl/certs/fixme.crt
+#TLSCertificateFile /etc/ssl/certs/fixme.crt
+#TLSCertificateKeyFile /etc/ssl/private/fixme.key
+
+overlay syncprov
+syncprov-checkpoint 100 10
+syncprov-sessionlog 100
+
+##
+# ACLs
+
+access to dn="cn=ldap-reader,ou=Roles,$ldap_suffix"
+ by anonymous auth
+
+access to attrs=userPassword
+ by self =xw
+ by anonymous auth
+ by * none
+
+access to *
+ by self write
+ by dn="cn=ldap-reader,ou=Roles,$ldap_suffix" read
+ by dn="cn=freeradius,ou=Roles,$ldap_suffix" read
+ by dn="cn=replicator,ou=Roles,$ldap_suffix" read
+
+# Lock down attributes a user shouldn't change
+access to attrs="loginShell,homeDirectory,uidNumber,gidNumber,uid,cn"
+ by self read
+ by dn="cn=replicator,ou=Roles,$ldap_suffix" read
+ by dn="cn=ldap-reader,ou=Roles,$ldap_suffix" read
+
+access to *
+ by anonymous auth
+ by users read
+
+EOF
+}
+
+generate_base_ldif()
+{
+ domainbit=`echo $domain | cut -d. -f1`
+ gn="`echo $fullname | awk '{print \$1;}'`"
+ sn="`echo $fullname | awk '{print \$2;}'`"
+ cat <<EOF
+dn: $ldap_suffix
+objectClass: dcObject
+objectClass: organization
+o: $domain
+dc: $domainbit
+
+dn: cn=Manager,$ldap_suffix
+cn: Manager
+objectClass: top
+objectClass: organizationalRole
+description: LDAP admin entry with root level access to the server
+
+dn: ou=People,$ldap_suffix
+ou: People
+objectClass: top
+objectClass: organizationalUnit
+description: User accounts representing people
+
+dn: uid=$username,ou=People,$ldap_suffix
+uid: $username
+objectClass: top
+objectClass: person
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: posixAccount
+cn: $fullname
+givenName: $gn
+sn: $sn
+loginShell: /bin/bash
+homeDirectory: /home/users/$username
+uidNumber: 501
+gidNumber: 500
+userPassword: {SASL}$username@$krb5_realm
+
+dn: ou=Groups,$ldap_suffix
+ou: Groups
+objectClass: top
+objectClass: organizationalUnit
+description: POSIX user account groups
+
+dn: cn=users,ou=Groups,$ldap_suffix
+cn: users
+objectClass: top
+objectClass: posixGroup
+description: Default POSIX group for users
+gidNumber: 500
+
+dn: cn=rtp,ou=Groups,$ldap_suffix
+cn: rtp
+objectClass: top
+objectClass: posixGroup
+description: POSIX group for people with root access to servers
+gidNumber: 501
+memberUid: $username
+
+dn: ou=Roles,$ldap_suffix
+ou: Roles
+objectClass: top
+objectClass: organizationalUnit
+description: User accounts representing bots or other administrative functions
+
+dn: cn=ldap-reader,ou=Roles,$ldap_suffix
+cn: ldap-reader
+objectClass: top
+objectClass: organizationalRole
+objectClass: simpleSecurityObject
+description: Low-security account used for read-only LDAP access by NSS clients
+userPassword: $ldap_reader_pw
+
+
+EOF
+}
+
+configure_saslauthd()
+{
+ sed -re 's/^START=no$/START=yes/' \
+ -e 's/^MECHANISMS=".+"$/MECHANISMS="kerberos5"/' \
+ -i /etc/default/saslauthd
+}
+
+generate_password()
+{
+ local length="${1:-64}"
+ dd if=/dev/urandom bs=2048 count=1 2>/dev/null | tr -dc 'A-Za-z0-9' | cut -c 1-$length
+}
+
+build_kcrap()
+{
+ oldcwd="`pwd`"
+ tempdir=`mktemp -d /tmp/kcrapXXXXXX`
+ cd "$tempdir"
+ wget https://aur.archlinux.org/packages/kc/kcrap/kcrap.tar.gz
+ tar xzvf kcrap.tar.gz
+ cd kcrap
+ mkdir pkg src
+ export srcdir="$PWD/src"
+ export pkgdir="$PWD/pkg"
+ . PKGBUILD
+ wget "${source[0]}"
+ for f in ${source[@]}; do
+ f=`basename $f`
+ ln -sf ../$f src/$f
+ done
+ cd "${srcdir}"
+ for f in *.tar.bz2; do
+ tar xjf $f
+ done
+ patch -p0 -i "$oldcwd/patches/kcrap-0.2.3-ntlm-extra.patch.patch"
+ cd kcrap-0.2.3
+ patch -p1 -i "$oldcwd/patches/kcrapclient.patch"
+ cd ..
+ build
+ make install
+ cp -v "test/kcrapclient" "/usr/local/bin/"
+ cd "$oldcwd" && rm -rf "$tempdir"
+
+ echo "/usr/local/lib" > /etc/ld.so.conf.d/usrlocal.conf
+ ldconfig
+}
+
+configure_kcrap()
+{
+ cat <<EOF > /etc/kcrap_server.conf
+[kcrap_server]
+ port = 1999
+ realm = $krb5_realm
+
+[realms]
+ $krb5_realm = {
+ database_name = /var/lib/krb5kdc/principal
+ key_stash_file = /etc/krb5kdc/stash
+ }
+
+EOF
+}
+
+configure_freerad()
+{
+ # mschap module needs to use our ntlm_auth program for auth requests
+ sed -re 's/^#?(\s*)ntlm_auth = ".+"$/\1ntlm_auth = "\/usr\/local\/bin\/kcrapclient %{%{Stripped-User-Name}:-%{%{User-Name}:-None}} %{%{mschap:Challenge}:-00} %{%{mschap:NT-Response}:-00}"/' \
+ -i /etc/freeradius/modules/mschap
+
+ # configure ldap module with our settings
+ sed -re 's/^(\s*)#?server = ".+"$/\1server = "ssoinabox.'$domain'"/' \
+ -e 's/^(\s*)#?identity = ".+"$/\1identity = "cn=ldap-reader,ou=Roles,'$ldap_suffix'"/' \
+ -e 's/^(\s*)#?password = .+$/\1password = "'$ldap_reader_pw'"/' \
+ -e 's/^(\s*)#?basedn = ".+"$/\1basedn = "'$ldap_suffix'"/' \
+ -i /etc/freeradius/modules/ldap
+
+ # enable ldap for authorization and authentication
+ for site in default inner-tunnel; do
+ sed -rf `dirname $0`/resources/freerad-site-patcher.sed \
+ -i /etc/freeradius/sites-available/$site
+ done
+
+ # give freerad access to the kerberos keytab
+ setfacl -m u:freerad:r /etc/krb5.keytab
+}
+
+test_freerad()
+{
+ build_eapol_test > /dev/null
+ set +e
+ echo -n "Testing RADIUS auth via EAP/TTLS/PAP..."
+ conf=`mktemp /tmp/frXXXXXX`
+ cat <<EOF > $conf
+network={
+ ssid="example"
+ key_mgmt=WPA-EAP
+ eap=TTLS
+ anonymous_identity="$username"
+ identity="$username"
+ password="$password"
+ phase2="auth=PAP"
+}
+
+EOF
+ if /usr/local/bin/eapol_test -s testing123 -c "$conf" 2>&1 > /dev/null; then
+ echo "GOOD"
+ else
+ echo "BAD"
+ fi
+ echo -n "Testing RADIUS auth via PEAP/MSCHAPv2..."
+ cat <<EOF > $conf
+network={
+ ssid="example"
+ key_mgmt=WPA-EAP
+ eap=PEAP
+ anonymous_identity="$username"
+ identity="$username"
+ password="$password"
+ phase2="autheap=MSCHAPv2"
+}
+
+EOF
+ if /usr/local/bin/eapol_test -s testing123 -c "$conf" 2>&1 > /dev/null; then
+ echo "GOOD"
+ else
+ echo "BAD"
+ fi
+ rm -f $conf
+ set -e
+}
+
+generate_web_yaml()
+{
+ test -d /usr/local/etc/ssoinabox || mkdir -p /usr/local/etc/ssoinabox
+ cat <<EOF > /usr/local/etc/ssoinabox/webcreds.yml
+LDAP_BASEDN: $ldap_suffix
+
+UID_MIN: 501
+GID_MIN: 500
+
+ldap_server: ldap://localhost:389/
+ldap_manager:
+ dn: cn=Manager,$ldap_suffix
+ password: $ldap_manager_pw
+
+ldap_user_basedn: ou=People,$ldap_suffix
+ldap_group_basedn: ou=Groups,$ldap_suffix
+
+kerberos_admin:
+ principal: webkerb/admin
+ password: $webkerb_pw
+
+PHONE_EXT_MIN: 500
+
+EOF
+
+ chown root:www-data /usr/local/etc/ssoinabox/webcreds.yml
+ chmod 640 /usr/local/etc/ssoinabox/webcreds.yml
+}
+
+configure_webkdc()
+{
+ cat <<EOF > /etc/webkdc/webkdc.conf
+our \$KEYRING_PATH = '/var/lib/webkdc/keyring';
+our \$TEMPLATE_PATH = '/usr/local/share/weblogin/ssoinabox/templates';
+our \$TEMPLATE_COMPILE_PATH = '/var/cache/weblogin';
+our \$URL = 'http://ssoinabox/webkdc-service';
+our \$BYPASS_CONFIRM = 1;
+
+EOF
+
+ cat <<EOF > /etc/webkdc/token.acl
+krb5:webauth/*@$krb5_realm id
+
+EOF
+
+ test -f /etc/webkdc/keytab && rm -f /etc/webkdc/keytab
+ kadmin.local -q "ank -randkey service/webkdc"
+ kadmin.local -q "ktadd -norandkey -k /etc/webkdc/keytab service/webkdc"
+
+ chown root:www-data /etc/webkdc/keytab
+ chmod 640 /etc/webkdc/keytab
+}
+
+configure_webauth()
+{
+ cat <<EOF > /etc/apache2/conf.d/webauth
+WebAuthWebKdcPrincipal service/webkdc
+WebAuthLoginURL "http://ssoinabox.$domain/login"
+WebAuthWebKdcURL "http://ssoinabox.$domain/webkdc-service"
+WebAuthSSLRedirect off
+WebAuthRequireSSL off
+WebAuthDebug on
+
+EOF
+
+ test -f /etc/webauth/keytab && rm -f /etc/webauth/keytab
+ kadmin.local -q "ank -randkey webauth/ssoinabox.$domain"
+ kadmin.local -q "ktadd -norandkey -k /etc/webauth/keytab webauth/ssoinabox.$domain"
+
+ chown root:www-data /etc/webauth/keytab
+ chmod 640 /etc/webauth/keytab
+
+ # doesn't exist by default...?
+ # chown www-data:www-data /var/lib/webauth/keyring
+}
+
+configure_apache2()
+{
+ cp `dirname $0`/resources/apache2-site.conf /etc/apache2/sites-available/ssoinabox
+ sed -re "s/^(\s*)ServerName .+$/\1ServerName ssoinabox.$domain/" -i /etc/apache2/sites-available/ssoinabox
+
+ a2ensite ssoinabox
+ a2dissite default
+}
+
+build_kadm5()
+{
+ test -d tarballs || mkdir tarballs
+ test -f tarballs/kadm5.tar.gz || wget -O tarballs/kadm5.tar.gz http://pecl.php.net/get/kadm5
+ oldcwd="`pwd`"
+ tempdir=`mktemp -d /tmp/kadm5XXXXXX`
+ cd $tempdir
+
+ tar xzf "$oldcwd/tarballs/kadm5.tar.gz"
+ cd kadm5-*
+ patch -p1 -i "$oldcwd/patches/kadm5.patch"
+ phpize
+ ./configure
+ make
+ make install
+
+ cd "$oldcwd" && rm -rf "$tempdir"
+ echo "extension=kadm5.so" > /etc/php5/conf.d/kadm5.ini
+}
+
+build_eapol_test()
+{
+ test -x /usr/local/bin/eapol_test && return 0
+
+ test -d tarballs || mkdir tarballs
+ test -f tarballs/wpa_supplicant-1.1.tar.gz || wget -O tarballs/wpa_supplicant-1.1.tar.gz "http://hostap.epitest.fi/releases/wpa_supplicant-1.1.tar.gz"
+
+ oldcwd="`pwd`"
+ tempdir=`mktemp -d /tmp/wpasXXXXXX`
+ cd $tempdir
+
+ tar xzf "$oldcwd/tarballs/wpa_supplicant-1.1.tar.gz"
+ cd wpa_supplicant-1.1/wpa_supplicant
+ cp defconfig .config
+ sed -re 's/^#?CONFIG_EAPOL_TEST=.+$/CONFIG_EAPOL_TEST=y/' -i .config
+ make eapol_test
+ cp -v eapol_test /usr/local/bin/
+
+ cd "$oldcwd" && rm -rf "$tempdir"
+}
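Review bot: The `# Lock down attributes a user shouldn't change` rule in generate_slapd_config is unreachable — slapd uses the first `access to` directive whose target matches, and the preceding `access to *` with `by self write` already matches every attribute of every entry, so an authenticated user can rewrite their own uidNumber, gidNumber, uid and loginShell; with uidNumber set to 0 that would presumably make them root on any NSS client consuming this directory. Move the `access to attrs="loginShell,homeDirectory,uidNumber,gidNumber,uid,cn"` stanza above the first `access to *`, directly after the userPassword rule, so it is evaluated first. Because that stanza ends in an implicit `by * none`, also give the RADIUS bind DN the read it currently has on the general rule, `by dn="cn=freeradius,ou=Roles,$ldap_suffix" read`, otherwise the freeradius ldap module can no longer search on uid. Separately, `WebAuthRequireSSL off` combined with the `http://` login and webkdc-service URLs sends WebAuth tokens in clear, and build_kcrap sources a freshly downloaded `PKGBUILD` as root and fetches whatever `${source[0]}` it names without verifying either against a checksum; if both are deliberate for a demo box, say so with a `# dev/test only — no TLS, unverified build inputs` comment next to each.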