diff options
author | Cullum Smith <cullum@sacredheartsc.com> | 2024-09-24 22:35:45 -0400 |
---|---|---|
committer | Cullum Smith <cullum@sacredheartsc.com> | 2024-09-24 22:35:45 -0400 |
commit | 6e00c9e8137aae1fb8dd568a62d9fb5fc4a277cb (patch) | |
tree | 9279f7a330affbb5da6a1f147739b8dfd92d4a19 /scripts/hostclass/idm_server/30-kdc | |
parent | d9c18b3fcb9b036b6cdf69397828b59ab4c53091 (diff) | |
download | infrastructure-6e00c9e8137aae1fb8dd568a62d9fb5fc4a277cb.tar.gz |
finish up idm_server hostclass
Diffstat (limited to 'scripts/hostclass/idm_server/30-kdc')
-rw-r--r-- | scripts/hostclass/idm_server/30-kdc | 41 |
1 files changed, 36 insertions, 5 deletions
diff --git a/scripts/hostclass/idm_server/30-kdc b/scripts/hostclass/idm_server/30-kdc index 4921688..abe040a 100644 --- a/scripts/hostclass/idm_server/30-kdc +++ b/scripts/hostclass/idm_server/30-kdc @@ -1,12 +1,43 @@ #!/bin/sh +kdc_conf_dir=/usr/local/var/krb5kdc +kdc_master_key_path="${kdc_conf_dir}/master_key" + +: ${kdc_max_life:='24h'} +: ${kdc_max_renewable_life:='7d'} + # Install MIT kerberos. pkg install -y krb5 +# Generate the system kerberos configuration. +install_template -m 0644 /etc/krb5.conf +ln -snfv /etc/krb5.conf /usr/local/etc/krb5.conf + +# Generate KDC configuration files. +install_template -m 0644 \ + "${kdc_conf_dir}/kdc.conf" \ + "${kdc_conf_dir}/kadm5.acl" + +# If the realm does not exist in LDAP, create it. Otherwise, stash the master key. +if is_primary_server && ! ldap_dn_exists "$kdc_basedn"; then + kdb5_ldap_util -P "$kdc_master_key" create -subtrees "$accounts_basedn" -sscope SUB -s +elif ! [ -f "$kdc_master_key_path" ]; then + kdb5_util -P "$kdc_master_key" stash +fi + +# Start the KDC and kadmind. +sysrc -v \ + kdc_program=/usr/local/sbin/krb5kdc \ + kadmind_program=/usr/local/sbin/kadmind \ + kdc_flags="" \ + kdc_enable=YES \ + kadmind_enable=YES + +service kdc restart +service kadmind restart + +# Create the boxconf administrative user. if is_primary_server; then - # ou=kdc,dc=example,dc=com - ldap_add "$kdc_basedn" <<EOF -objectClass: organizationalUnit -ou: $(ldap_rdn_value "$dns_basedn") -EOF + kadmin.local get_principal -terse "$boxconf_username" \ + || kadmin.local add_principal -pw "$boxconf_password" -x "containerdn=${robots_basedn}" "$boxconf_username" fi |