#!/bin/bash
# This script initializes the LDAP and CA setup
# Make sure to edit common/config.sh before running it.
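# Locate this script's own directory so the helper files can be sourced no
# matter what the caller's working directory is.  Paths are quoted so a
# directory containing whitespace is not split into several arguments.
SCRIPT=$(readlink -f "$0")
SCRIPT_PATH=$(dirname "${SCRIPT}")

# Source one helper file relative to SCRIPT_PATH, or stop the run.
# Arguments: $1 - path relative to SCRIPT_PATH.
# Without this check a missing common/config.sh leaves every *_DIR/*_HOST
# variable empty and the rest of the script would carry on with mkdir, mv
# and scp against "" and "dbsync@:~/ca/".  `log` is only defined further
# down, so failures are reported straight to stderr here.
source_helper () {
  local helper="${SCRIPT_PATH}/${1}"
  if [[ ! -r "${helper}" ]]; then
    printf 'init_all.sh: cannot read %s\n' "${helper}" >&2
    exit 1
  fi
  # shellcheck disable=SC1090 -- the path is only known at run time
  source "${helper}"
}
source_helper common/config.sh
source_helper ca_management/ca_functions.sh
source_helper ldap_management/ldap_functions.sh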
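# Print one status line to stdout.
# Arguments: $1 - the message.
# printf with a quoted argument is used instead of `echo ${1}`: the
# unquoted form collapsed runs of whitespace, glob-expanded `*` inside the
# message, and would have swallowed a message that looks like an echo
# option (e.g. "-n").
log () {
  printf '%s\n' "${1}"
}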
# Retired approach, kept for reference: slappasswd was not available on
# OpenWrt, so the hash used to be pulled straight out of the sysadmin
# ldif file (it's ugly, I know).  The active get_sysadmin_hashed_pass
# below uses slappasswd instead.
#get_sysadmin_hashed_pass () {
# local TMP=$(echo ${BASE_DN}/cn=sysadmin.ldif | awk '{print tolower($0)}')
# local SYSADMIN_LDIF="${LDAP_DATA_DIR}/${TMP}"
# local PASS_ENC=$(cat "${SYSADMIN_LDIF}" | grep userPassword | awk '{print $2}')
# SYSADMIN_PHASH=$(echo ${PASS_ENC} | base64 -d -)
#}
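# Hash LDAP_BIND_PASS with slappasswd and store the result (a "{SCHEME}..."
# string) in SYSADMIN_PHASH, to be written back as rootpw in slapd.conf.
# Globals: LDAP_BIND_PASS (read), SYSADMIN_PHASH (written).
# Returns: slappasswd's exit status; SYSADMIN_PHASH is empty on failure.
#
# The secret is fed to slappasswd through stdin with -T instead of
# `-s secret`, so it never appears on a command line (readable by any
# local user via ps/proc, and echoed by `set -x` traces).  -T hashes the
# file contents verbatim, hence printf '%s' rather than echo: a trailing
# newline would otherwise become part of the hashed password.
# The :? expansion aborts the whole script when LDAP_BIND_PASS is unset
# or empty — hashing "" and installing that as rootpw is never intended.
# NOTE(review): relies on /dev/stdin being present on the target
# (OpenWrt) — confirm on the device.
get_sysadmin_hashed_pass () {
  : "${LDAP_BIND_PASS:?LDAP_BIND_PASS must be set in common/config.sh}"
  SYSADMIN_PHASH=$(printf '%s' "${LDAP_BIND_PASS}" | slappasswd -T /dev/stdin)
}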
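# Copy the X.509 CA certificate and the SSH CA public key to the dbsync
# account on CA_HOST (from where they are published on the web).
# Globals: CERT_DIR, CA_HOST (read).
# Returns: 0 when the copy succeeded, 1 otherwise.  A failed scp is
# reported on stderr instead of being followed by a success message.
upload_ca_certs () {
  local dest="dbsync@${CA_HOST}:~/ca/"
  # Both files go in one scp invocation; the remote ~ is expanded by the
  # remote shell, exactly as before.
  if ! scp "${CERT_DIR}/ca.pem" "${CERT_DIR}/ssh_ca.pub" "${dest}"; then
    log "Failed to upload CA certificates to ${CA_HOST}" >&2
    return 1
  fi
  log "Uploaded CA certificates to web"
}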
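# Regenerate the X.509 and SSH CRLs and publish them to the dbsync account
# on CA_HOST.  The copy only runs when both generators reported success,
# so a half-written or outdated CRL is not pushed over the published one.
# Globals: CRL_DIR, CA_HOST (read).  ca_gen_crl / ssh_ca_gen_crl come from
# ca_management/ca_functions.sh — assumes they return non-zero on failure
# (TODO confirm in ca_functions.sh).
# Returns: 0 on success, 1 when generation or the upload failed.
upload_crls () {
  local failed=0
  log "Generating CRLs"
  # Run both generators (as before) and only then decide.
  ca_gen_crl || failed=1
  ssh_ca_gen_crl || failed=1
  if (( failed )); then
    log "CRL generation failed; not uploading" >&2
    return 1
  fi
  if ! scp "${CRL_DIR}/crl.pem" "${CRL_DIR}/ssh_crl" "dbsync@${CA_HOST}:~/ca/"; then
    log "Failed to upload CRLs to ${CA_HOST}" >&2
    return 1
  fi
  log "Uploaded renewed CRLs to web"
}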
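# ---------------------------------------------------------------------------
# Main sequence.  Order matters: the CA must exist before the LDAP host
# certificate is signed, slapd.conf must reference that certificate before
# slapd starts, and slapd must be up before ldap_init.sh populates it.
# NOTE(review): the helper scripts' own exit codes are deliberately not
# turned into aborts here (unknown whether e.g. ca_init.sh is safe to
# re-run); only the steps this file performs itself are checked.
# ---------------------------------------------------------------------------

# Stop the run with a message on stderr (`log` only writes to stdout).
init_abort () {
  printf 'init_all.sh: %s\n' "$*" >&2
  exit 1
}

# These come from common/config.sh.  With them empty the steps below would
# operate on "" (mkdir -p "", mv into /ldap.conf, ...), so fail early.
: "${LDAP_HOST:?LDAP_HOST must be set in common/config.sh}"
: "${LDAP_CONF_DIR:?LDAP_CONF_DIR must be set in common/config.sh}"
: "${LDAP_DATA_DIR:?LDAP_DATA_DIR must be set in common/config.sh}"

# Create CA
"${SCRIPT_PATH}/ca_management/ca_init.sh"
# Using CA, build LDAP's certificate
"${SCRIPT_PATH}/ca_management/gen_host_cert.sh" "${LDAP_HOST}"
# Generate LDAP's config file and put the custom
# schema on the schema subdirectory.
"${SCRIPT_PATH}/ldap_management/generate_slapd.conf.sh"
if ! cp "${SCRIPT_PATH}"/ldap_management/custom-schema/* "${LDAP_CONF_DIR}/schema/"; then
  init_abort "could not install the custom schema into ${LDAP_CONF_DIR}/schema/"
fi
# Create LDAP's data directory
mkdir -p "${LDAP_DATA_DIR}" || init_abort "cannot create ${LDAP_DATA_DIR}"

# (Re)start slapd so it reads the freshly generated slapd.conf.
# SIGHUP did not work on openwrt (killall -s SIGHUP slapd), hence the
# kill + start.  killall only sends SIGTERM; the old instance shuts down
# asynchronously, so wait for it to actually exit — starting the new one
# while the old still holds the listeners and the database fails.
if pidof slapd >/dev/null 2>&1; then
  killall slapd
  waited=0
  while pidof slapd >/dev/null 2>&1; do
    if (( waited >= 10 )); then
      init_abort "slapd did not stop within 10s after SIGTERM"
    fi
    sleep 1
    waited=$((waited + 1))
  done
fi
# slapd should return non-zero when the daemon fails to come up (e.g. a
# broken slapd.conf); without this check ldap_init.sh would run against
# nothing.
slapd -h "ldap://localhost/ ldaps:///" || init_abort "slapd failed to start"

# Initialize LDAP structure
"${SCRIPT_PATH}/ldap_management/ldap_init.sh"
# Add LDAP host on LDAP
"${SCRIPT_PATH}/ldap_management/add_ldap_host.sh" "${LDAP_HOST}" "${LDAP_HOST_IP}"
# Get its ldap.conf and put it on the config dir, overwrite
# any existing one
mv "${LDAP_HOSTS_CONF_DIR}/${LDAP_HOST}/ldap.conf" "${LDAP_CONF_DIR}/ldap.conf" \
  || init_abort "ldap.conf for ${LDAP_HOST} was not generated"

# Hash the bind password first, so slapd.conf is left untouched if hashing
# fails: an empty hash would otherwise end up as `rootpw ""`.
get_sysadmin_hashed_pass
if [[ -z "${SYSADMIN_PHASH}" ]]; then
  init_abort "could not hash LDAP_BIND_PASS (is slappasswd installed?)"
fi

# Replace the plaintext rootpw in slapd.conf with the hash of the same
# password.  A private mktemp file is used instead of the fixed
# /tmp/tmp.conf, which another local user could pre-create or symlink;
# the result is written back with cat (not mv) so slapd.conf keeps its
# inode, owner and mode.  Note that grep -v drops every line mentioning
# "rootpw", comments included — same pattern as before.
SLAPD_CONF="${LDAP_CONF_DIR}/slapd.conf"
TMP_CONF=$(mktemp) || init_abort "mktemp failed"
grep -v "rootpw" "${SLAPD_CONF}" > "${TMP_CONF}"
cat "${TMP_CONF}" > "${SLAPD_CONF}" || init_abort "could not rewrite ${SLAPD_CONF}"
rm -f "${TMP_CONF}"
printf 'rootpw "%s"\n' "${SYSADMIN_PHASH}" >> "${SLAPD_CONF}"
# The running slapd keeps its in-memory config until its next restart;
# since the hash is of the same password, binds keep working meanwhile.

upload_ca_certs
upload_crls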