path: root/scripts/os/freebsd/50-idm



#!/bin/sh

if [ "${idm_bootstrap:-}" = true ] || [ "${enable_idm:-}" = false ]; then
  return 0
fi

# Create state dataset to persist keytabs across OS rebuilds.
create_dataset -o "mountpoint=${keytab_dir}" "${state_dataset}/keytabs"

# Install packages.
pkg install -y \
  cyrus-sasl-gssapi \
  nss-pam-ldapd-sasl \
  openldap26-client \
  pam_krb5 \
  perl5 \
  p5-perl-ldap \
  p5-Authen-SASL \
  pam_mkhomedir

# Script to create /usr/local/home/${USER} on login.
install_file -m 0555 /usr/local/libexec/pam-create-local-homedir

# Configure PAM/NSS integration.
install_template -m 0644 \
  /etc/pam.d/login \
  /etc/pam.d/sshd
install_file -m 0644 \
  /etc/nsswitch.conf \
  /etc/pam.d/system \
  /etc/pam.d/sudo \
  /etc/pam.d/su \
  /etc/pam.d/other

install_template -m 0644 /etc/login.access

install_template -m 0644 \
  /etc/krb5.conf \
  /etc/nscd.conf \
  /usr/local/etc/openldap/ldap.conf  \
  /usr/local/etc/nslcd.conf

# Ensure /home exists and configure skel files.
install_directory -m 0755 /home
install_file -m 0644 \
  /usr/share/skel/dot.login \
  /usr/share/skel/dot.profile \
  /usr/share/skel/dot.shrc

# Create ldap.conf symlink.
ln -snfv /usr/local/etc/openldap/ldap.conf /usr/local/etc/ldap.conf

# Create host object (if it doesn't exist).
ldap_add "cn=${BOXCONF_HOSTNAME},${hosts_basedn}" <<EOF
objectClass: device
objectClass: domainRelatedObject
objectClass: ldapPublicKey
cn: ${BOXCONF_HOSTNAME}
associatedDomain: ${fqdn}
$(cat /usr/local/etc/ssh/ssh_host_*_key.pub | cut -d' ' -f-2 | sed 's/^/sshPublicKey: /')
description: FreeBSD $(freebsd-version) ${BOXCONF_HOSTCLASS}
EOF

# Create A record.
ldap_add "dc=${BOXCONF_HOSTNAME},dc=${domain},${dns_basedn}" <<EOF
objectClass: dNSDomain
objectClass: domainRelatedObject
dc: ${BOXCONF_HOSTNAME}
aRecord: ${BOXCONF_DEFAULT_IPV4}
associatedDomain: ${fqdn}
EOF

# Create PTR record.
rdns=$(ip2rdns "$BOXCONF_DEFAULT_IPV4")
ldap_add "dc=${rdns%%.*},dc=${rdns#*.},${dns_basedn}" <<EOF
objectClass: dNSDomain2
objectClass: domainRelatedObject
dc: ${rdns%%.*}
pTRRecord: ${fqdn}
associatedDomain: ${rdns}
EOF

# Create CNAME records.
for cname in ${cnames:-}; do
  ldap_add "dc=${cname},dc=${domain},${dns_basedn}" <<EOF
objectClass: dNSDomain
objectClass: domainRelatedObject
dc: ${cname}
cNAMERecord: ${fqdn}
associatedDomain: ${cname}.${domain}
EOF
done

# Update attributes that may have changed.
ldap_modify "cn=${BOXCONF_HOSTNAME},${hosts_basedn}" <<EOF
replace: sshPublicKey
$(cat /usr/local/etc/ssh/ssh_host_*_key.pub | cut -d' ' -f-2 | sed 's/^/sshPublicKey: /')
-
replace: description
description: FreeBSD $(freebsd-version) ${BOXCONF_HOSTCLASS}
EOF

# Create host principal and keytab.
add_principal -nokey -x "dn=cn=${BOXCONF_HOSTNAME},${hosts_basedn}" "host/${fqdn}"
ktadd -k "${keytab_dir}/host.keytab" "host/${fqdn}"
ln -snfv "${keytab_dir}/host.keytab" /etc/krb5.keytab

# Create local group for host keytab access.
add_group -g "$host_keytab_gid" "$host_keytab_groupname"
chgrp "$host_keytab_groupname" "${keytab_dir}/host.keytab"
chmod 640 "${keytab_dir}/host.keytab"
pw usermod -n "$nslcd_user" -G "$host_keytab_groupname"

# Create symlinks so host keytab can be used to aquire a TGT on-the-fly.
nslcd_uid=$(id -u "$nslcd_user")
install_directory -m 0755 \
  /var/krb5 \
  /var/krb5/user

install_directory -o "$nslcd_user" -m 0700 "/var/krb5/user/${nslcd_uid}"
ln -snfv "${keytab_dir}/host.keytab" "/var/krb5/user/${nslcd_uid}/client.keytab"

install_directory -o "$ssh_authzkeys_uid" -m 0700 "/var/krb5/user/${ssh_authzkeys_uid}"
ln -snfv "${keytab_dir}/host.keytab" "/var/krb5/user/${ssh_authzkeys_uid}/client.keytab"

install_directory -o root -m 0700 /var/krb5/user/0
ln -snfv "${keytab_dir}/host.keytab" /var/krb5/user/0/keytab
ln -snfv "${keytab_dir}/host.keytab" /var/krb5/user/0/client.keytab

# Copy IDM helper scripts for SSH.
install_file -m 0555 \
  /usr/local/libexec/idm-ssh-known-hosts \
  /usr/local/libexec/idm-ssh-authorized-keys

# Create user for running SSH AuthorizedKeysCommand.
add_user \
  -u "$ssh_authzkeys_uid" \
  -g "$host_keytab_groupname" \
  -d /nonexistent \
  "$ssh_authzkeys_username"

# Enable and start nslcd/nscd.
sysrc -v \
  nslcd_enable=YES \
  nscd_enable=YES

service nslcd restart
service nscd restart
#!/bin/sh

if [ "${idm_bootstrap:-}" = true ] || [ "${enable_idm:-}" = false ]; then
  return 0
fi

# Create state dataset to persist keytabs across OS rebuilds.
create_dataset -o "mountpoint=${keytab_dir}" "${state_dataset}/keytabs"

# Install packages.
pkg install -y \
  cyrus-sasl-gssapi \
  nss-pam-ldapd-sasl \
  openldap26-client \
  pam_krb5 \
  perl5 \
  p5-perl-ldap \
  p5-Authen-SASL \
  pam_mkhomedir

# Script to create /usr/local/home/${USER} on login.
install_file -m 0555 /usr/local/libexec/pam-create-local-homedir

# Configure PAM/NSS integration.
install_template -m 0644 \
  /etc/pam.d/login \
  /etc/pam.d/sshd
install_file -m 0644 \
  /etc/nsswitch.conf \
  /etc/pam.d/system \
  /etc/pam.d/sudo \
  /etc/pam.d/su \
  /etc/pam.d/other

install_template -m 0644 /etc/login.access

install_template -m 0644 \
  /etc/krb5.conf \
  /etc/nscd.conf \
  /usr/local/etc/openldap/ldap.conf  \
  /usr/local/etc/nslcd.conf

# Ensure /home exists and configure skel files.
install_directory -m 0755 /home
install_file -m 0644 \
  /usr/share/skel/dot.login \
  /usr/share/skel/dot.profile \
  /usr/share/skel/dot.shrc

# Create ldap.conf symlink.
ln -snfv /usr/local/etc/openldap/ldap.conf /usr/local/etc/ldap.conf

# Create host object (if it doesn't exist).
ldap_add "cn=${BOXCONF_HOSTNAME},${hosts_basedn}" <<EOF
objectClass: device
objectClass: domainRelatedObject
objectClass: ldapPublicKey
cn: ${BOXCONF_HOSTNAME}
associatedDomain: ${fqdn}
$(cat /usr/local/etc/ssh/ssh_host_*_key.pub | cut -d' ' -f-2 | sed 's/^/sshPublicKey: /')
description: FreeBSD $(freebsd-version) ${BOXCONF_HOSTCLASS}
EOF

# Create A record.
ldap_add "dc=${BOXCONF_HOSTNAME},dc=${domain},${dns_basedn}" <<EOF
objectClass: dNSDomain
objectClass: domainRelatedObject
dc: ${BOXCONF_HOSTNAME}
aRecord: ${BOXCONF_DEFAULT_IPV4}
associatedDomain: ${fqdn}
EOF

# Create PTR record.
rdns=$(ip2rdns "$BOXCONF_DEFAULT_IPV4")
ldap_add "dc=${rdns%%.*},dc=${rdns#*.},${dns_basedn}" <<EOF
objectClass: dNSDomain2
objectClass: domainRelatedObject
dc: ${rdns%%.*}
pTRRecord: ${fqdn}
associatedDomain: ${rdns}
EOF

# Create CNAME records.
for cname in ${cnames:-}; do
  ldap_add "dc=${cname},dc=${domain},${dns_basedn}" <<EOF
objectClass: dNSDomain
objectClass: domainRelatedObject
dc: ${cname}
cNAMERecord: ${fqdn}
associatedDomain: ${cname}.${domain}
EOF
done

# Update attributes that may have changed.
ldap_modify "cn=${BOXCONF_HOSTNAME},${hosts_basedn}" <<EOF
replace: sshPublicKey
$(cat /usr/local/etc/ssh/ssh_host_*_key.pub | cut -d' ' -f-2 | sed 's/^/sshPublicKey: /')
-
replace: description
description: FreeBSD $(freebsd-version) ${BOXCONF_HOSTCLASS}
EOF

# Create host principal and keytab.
add_principal -nokey -x "dn=cn=${BOXCONF_HOSTNAME},${hosts_basedn}" "host/${fqdn}"
ktadd -k "${keytab_dir}/host.keytab" "host/${fqdn}"
ln -snfv "${keytab_dir}/host.keytab" /etc/krb5.keytab

# Create local group for host keytab access.
add_group -g "$host_keytab_gid" "$host_keytab_groupname"
chgrp "$host_keytab_groupname" "${keytab_dir}/host.keytab"
chmod 640 "${keytab_dir}/host.keytab"
pw usermod -n "$nslcd_user" -G "$host_keytab_groupname"

# Create symlinks so host keytab can be used to aquire a TGT on-the-fly.
nslcd_uid=$(id -u "$nslcd_user")
install_directory -m 0755 \
  /var/krb5 \
  /var/krb5/user

install_directory -o "$nslcd_user" -m 0700 "/var/krb5/user/${nslcd_uid}"
ln -snfv "${keytab_dir}/host.keytab" "/var/krb5/user/${nslcd_uid}/client.keytab"

install_directory -o "$ssh_authzkeys_uid" -m 0700 "/var/krb5/user/${ssh_authzkeys_uid}"
ln -snfv "${keytab_dir}/host.keytab" "/var/krb5/user/${ssh_authzkeys_uid}/client.keytab"

install_directory -o root -m 0700 /var/krb5/user/0
ln -snfv "${keytab_dir}/host.keytab" /var/krb5/user/0/keytab
ln -snfv "${keytab_dir}/host.keytab" /var/krb5/user/0/client.keytab

# Copy IDM helper scripts for SSH.
install_file -m 0555 \
  /usr/local/libexec/idm-ssh-known-hosts \
  /usr/local/libexec/idm-ssh-authorized-keys

# Create user for running SSH AuthorizedKeysCommand.
add_user \
  -u "$ssh_authzkeys_uid" \
  -g "$host_keytab_groupname" \
  -d /nonexistent \
  "$ssh_authzkeys_username"

# Enable and start nslcd/nscd.
sysrc -v \
  nslcd_enable=YES \
  nscd_enable=YES

service nslcd restart
service nscd restart