diff options
57 files changed, 2244 insertions, 16 deletions
diff --git a/docs/10-bootstrapping.md b/docs/10-bootstrapping.md index 05f8867..cda5c80 100644 --- a/docs/10-bootstrapping.md +++ b/docs/10-bootstrapping.md @@ -41,13 +41,13 @@ all the necessary packages and serve them over HTTP. On the FreeBSD hypervisor, use `jailctl` to create a jail for the `pkg` repo. The following command will create a jail named `pkg1` with VLAN tag `199`, -IP address `10.11.199.4`, 32G memory limit, 256G disk quota, and 32 CPU cores. +IP address `10.99.99.4`, 32G memory limit, 256G disk quota, and 32 CPU cores. Note that running `poudriere` in a jail requires many custom jail options, which are also set with this command. alcatraz1# jailctl create \ -v 199 \ - -a 10.11.199.4 \ + -a 10.99.99.4 \ -k ~/id_ed25519.pub \ -c 64-95 \ -m 32g \ @@ -70,7 +70,132 @@ are also set with this command. Now you are ready to build all the packages and create the repository. `boxconf` assumes that any host named `pkg[0-1]` has the `pkg_repository` hostclass. - ./boxconf -e idm_bootstrap=true 10.11.199.4 + ./boxconf -e idm_bootstrap=true 10.99.99.4 Substitute whatever IP you chose for the `pkg1` jail as necessary. Note that it will take a while to build all the packages for the first time. + + +## Step 3: The IDM Servers + +Next, we'll build the IDM jails. While you technically only need one, you should +build at least two so that you can reboot one of them without causing a DNS +outage for your entire environment. + + +### Create the Jails + +Let's two jails named `idm1` and `idm2`. Note that `boxconf` assumes any host +named `idm[0-9]` has the `idm_server` hostclass. + + alcatraz1# jailctl create \ + -v 199 \ + -a 10.99.99.2 \ + -k ~/id_ed25519.pub \ + -c 2-3 \ + -m 4g \ + -q 32G \ + idm1 freebsd14 + + alcatraz1# jailctl create \ + -v 199 \ + -a 10.99.99.3 \ + -k ~/id_ed25519.pub \ + -c 4-5 \ + -m 4g \ + -q 32G \ + idm2 freebsd14 + + +## Set Boxconf Variables + +Before continuing, you'll need to tailor `site/vars/common` to your +environment: + + - The `domain` variable must contain your internal domain name. Eg: + + domain=idm.example.com + + - The `pkg_host_ip` variable must contain the IP address of the `pkg1` jail: + + pkg_host_ip=10.99.99.4 + + - The `idm_server_list` variable must contain a newline-separated list of + IDM server hostnames, along with their associated LDAP server ID and IP address. + These should be the IPs of the jails you just created. + + The server ID can be any number 1-9, as long as it is unique for each host + and you never, ever change it. Eg: + + idm_server_list="\ + idm1 1 10.99.99.2 + idm2 2 10.99.99.3" + + - The `reverse_dns_zones` variable must contain a space-separated list of + all the reverse DNS zones in your environment. Eg: + + reverse_dns_zones="\ + 99.99.10.in-addr.arpa + 88.99.10.in-addr.arpa" + + Note: only 3-octet IPv4 zones are supported (`10.in-addr.arpa` won't work). + + +## Create TLS Certificates + +We will also need some TLS certificates for the LDAP servers. These certificates +allow for secure replication between the LDAP daemons on the IDM servers. + +First, initialize the PKI. This will create a root certificate authority with +a name contraint for hostnames underneath your internal domain. + +*However,* the LDAP servers replicate using their IP addresses, rather than DNS +names. Therefore, you will need to specify additional constraints for the IP +address of each IDM server. Eg: + + ./pki init \ + -c IP:10.99.0.0/255.255.0.0 \ + idm.example.com + +Next, create server certificates for each IDM server. Each certificate will +need three SANs: + + - The FQDN of the IDM server. + - The IP of the IDM server. + - The bare domain name (we'll make this a multi-valued A record later). + +Eg: + + ./pki cert -d 3650 idm1 slapd idm1.idm.example.com IP:10.99.99.2 idm.example.com + ./pki cert -d 3650 idm2 slapd idm2.idm.example.com IP:10.99.99.3 idm.example.com + +Finally, create a client certificate for the OpenLDAP replicator DN. Eg: + + ./pki client-cert -d 3650 idm1 replicator cn=replicator,dc=idm,dc=example,dc=com + ./pki client-cert -d 3650 idm2 replicator cn=replicator,dc=idm,dc=example,dc=com + + +## Configure the IDM servers. + +Now, you're ready to build the IDM servers! + +The first server in the `$idm_server_list` is somewhat special, as the +`boxconf` scripts will use that one to create all the initial LDAP objects. +So make sure you configure that one first. + + ./boxconf -s 10.99.99.2 -e idm_bootstrap=true idm1 + ./boxconf -s 10.99.99.3 -e idm_bootstrap=true idm2 + + +## Verify LDAP replication, DNS, etc. + +If everything is working, you should get the same result from each of the +following `dig` queries: + + $ dig +short @10.99.99.2 idm.example.com + 10.99.99.3 + 10.99.99.2 + + $ dig +short @10.99.99.3 idm.example.com + 10.99.99.3 + 10.99.99.2 diff --git a/files/etc/devd/lid-close.conf.laptop b/files/etc/devd/lid-close.conf.laptop new file mode 100644 index 0000000..751c546 --- /dev/null +++ b/files/etc/devd/lid-close.conf.laptop @@ -0,0 +1,6 @@ +notify 20 { + match "system" "ACPI"; + match "subsystem" "Lid"; + match "notify" "0x00"; + action "/usr/local/libexec/lid-close"; +}; diff --git a/files/etc/devd/lid-close.conf.roadwarrior_laptop b/files/etc/devd/lid-close.conf.roadwarrior_laptop new file mode 120000 index 0000000..b6dd50e --- /dev/null +++ b/files/etc/devd/lid-close.conf.roadwarrior_laptop @@ -0,0 +1 @@ +lid-close.conf.laptop
\ No newline at end of file diff --git a/files/etc/devd/thinkpad-brightness.conf.laptop b/files/etc/devd/thinkpad-brightness.conf.laptop new file mode 100644 index 0000000..24bd750 --- /dev/null +++ b/files/etc/devd/thinkpad-brightness.conf.laptop @@ -0,0 +1,13 @@ +notify 20 { + match "system" "ACPI"; + match "subsystem" "IBM"; + match "notify" "0x10"; + action "/usr/local/libexec/thinkpad-brightness up"; +}; + +notify 20 { + match "system" "ACPI"; + match "subsystem" "IBM"; + match "notify" "0x11"; + action "/usr/local/libexec/thinkpad-brightness down"; +}; diff --git a/files/etc/devd/thinkpad-brightness.conf.roadwarrior_laptop b/files/etc/devd/thinkpad-brightness.conf.roadwarrior_laptop new file mode 120000 index 0000000..77502f3 --- /dev/null +++ b/files/etc/devd/thinkpad-brightness.conf.roadwarrior_laptop @@ -0,0 +1 @@ +thinkpad-brightness.conf.laptop
\ No newline at end of file diff --git a/files/etc/rc.local.laptop b/files/etc/rc.local.laptop new file mode 100644 index 0000000..d3b9958 --- /dev/null +++ b/files/etc/rc.local.laptop @@ -0,0 +1 @@ +usbconfig | awk -F: '{ print $1 }' | xargs -rtn1 -I% usbconfig -d % power_save diff --git a/files/etc/rc.local.roadwarrior_laptop b/files/etc/rc.local.roadwarrior_laptop new file mode 120000 index 0000000..e86eca1 --- /dev/null +++ b/files/etc/rc.local.roadwarrior_laptop @@ -0,0 +1 @@ +rc.local.laptop
\ No newline at end of file diff --git a/files/etc/ssh/ssh_config.roadwarrior_laptop b/files/etc/ssh/ssh_config.roadwarrior_laptop new file mode 120000 index 0000000..338cdba --- /dev/null +++ b/files/etc/ssh/ssh_config.roadwarrior_laptop @@ -0,0 +1 @@ +ssh_config.no_idm
\ No newline at end of file diff --git a/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.common b/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.common new file mode 100644 index 0000000..d0bb2ae --- /dev/null +++ b/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.common @@ -0,0 +1,3 @@ +Section "Files" + FontPath "/usr/local/share/fonts/terminus-font/" +EndSection diff --git a/files/usr/local/etc/chromium/policies/managed/policies.json.common b/files/usr/local/etc/chromium/policies/managed/policies.json.common new file mode 100644 index 0000000..0e57885 --- /dev/null +++ b/files/usr/local/etc/chromium/policies/managed/policies.json.common @@ -0,0 +1,96 @@ +{ + "AdvancedProtectionAllowed": false, + "AlternateErrorPagesEnabled": false, + "AutofillCreditCardEnabled": false, + "AuthNegotiateDelegateAllowlist": "*.${domain}", + "AuthServerAllowlist": "*.${domain}", + "BackgroundModeEnabled": false, + "BlockThirdPartyCookies": true, + "BrowserGuestModeEnabled": false, + "BrowserLabsEnabled": false, + "BrowserNetworkTimeQueriesEnabled": false, + "BrowserSignin": 0, + "CloudPrintProxyEnabled": false, + "CloudReportingEnabled": false, + "DefaultBrowserSettingEnabled": false, + "DefaultCookiesSetting": 1, + "DefaultSearchProviderEnabled": true, + "DefaultSearchProviderName": "DuckDuckGo", + "DefaultSearchProviderIconURL": "https://duckduckgo.com/favicon.ico", + "DefaultSearchProviderEncodings": [ + "UTF-8" + ], + "DefaultSearchProviderSearchURL": "https://duckduckgo.com/?q={searchTerms}", + "DefaultSearchProviderSuggestURL":"https://duckduckgo.com/ac/?q={searchTerms}&type=list", + "DefaultSearchProviderNewTabURL":"https://duckduckgo.com/chrome_newtab", + "DnsOverHttpsMode": "off", + "EnableAuthNegotiatePort": true, + "EnableMediaRouter": false, + "MetricsReportingEnabled": false, + "NetworkPredictionOptions": 2, + "PasswordManagerEnabled": false, + "PaymentMethodQueryEnabled": false, + "PrivacySandboxAdMeasurementEnabled": false, + "PrivacySandboxAdTopicsEnabled": false, + "PrivacySandboxPromptEnabled": false, + "PrivacySandboxSiteEnabledAdsEnabled": false, + "PromotionalTabsEnabled": false, + "SafeBrowsingProtectionLevel": 0, + "SearchSuggestEnabled": false, + "SyncDisabled": true, + "TranslateEnabled": false, + "UrlKeyedAnonymizedDataCollectionEnabled": false, + "ManagedBookmarks": [ + { + "toplevel_name": "Internal" + }, + { + "name": "Poudriere", + "url": "http://pkg.${domain}/poudriere" + } + ], + "ExtensionSettings": { + "cjpalhdlnbpafiamejdnhcphjbkeiagm": { + "installation_mode": "force_installed", + "update_url": "https://clients2.google.com/service/update2/crx" + }, + "nngceckbapebfimnlniiiahkandclblb": { + "installation_mode": "normal_installed", + "update_url": "https://clients2.google.com/service/update2/crx" + }, + "cimiefiiaegbelhefglklhhakcgmhkai": { + "installation_mode": "$(if [ "${desktop_type:-}" = kde ]; then echo normal_installed; else echo allowed; fi)", + "update_url": "https://clients2.google.com/service/update2/crx" + } + }, + "3rdparty": { + "extensions": { + "cjpalhdlnbpafiamejdnhcphjbkeiagm": { + "toOverwrite": { + "filterLists": [ + "user-filters", + "ublock-filters", + "ublock-badware", + "ublock-privacy", + "ublock-abuse", + "ublock-unbreak", + "ublock-annoyances", + "easylist", + "easyprivacy", + "urlhaus-1", + "plowe-0", + "fanboy-annoyance", + "fanboy-thirdparty_social", + "adguard-spyware-url", + "ublock-quick-fixes" + ] + }, + "toAdd": { + "trustedSiteDirectives": [ + "${domain}" + ] + } + } + } + } +} diff --git a/files/usr/local/etc/openldap/ldap.conf.idm_server b/files/usr/local/etc/openldap/ldap.conf.idm_server new file mode 100644 index 0000000..3b285f7 --- /dev/null +++ b/files/usr/local/etc/openldap/ldap.conf.idm_server @@ -0,0 +1,9 @@ +URI ldapi:/// +BASE ${basedn} +USE_SASL yes +ROOTUSE_SASL yes +SASL_MECH EXTERNAL +SASL_REALM ${realm} +GSSAPI_SIGN yes +GSSAPI_ENCRYPT yes +SUDOERS_BASE ${sudo_basedn} diff --git a/files/usr/local/etc/openldap/schema/dnsdomain2.ldif.idm_server b/files/usr/local/etc/openldap/schema/dnsdomain2.ldif.idm_server new file mode 100644 index 0000000..f4fcd01 --- /dev/null +++ b/files/usr/local/etc/openldap/schema/dnsdomain2.ldif.idm_server @@ -0,0 +1,252 @@ +dn: cn=dnsdomain2,cn=schema,cn=config +objectClass: olcSchemaConfig +cn: dnsdomain2 +# A schema for storing DNS zones in LDAP +# +# ORDERING is not necessary, and some servers don't support +# integerOrderingMatch. Omit or change if you like +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.0.0 NAME 'dNSTTL' + DESC 'An integer denoting time to live' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass' + DESC 'The class of a resource record' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.11 NAME 'wKSRecord' + DESC 'a well known service description, RFC 1035' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord' + DESC 'domain name pointer, RFC 1035' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord' + DESC 'host information, RFC 1035' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord' + DESC 'mailbox or mail list information, RFC 1035' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord' + DESC 'text string, RFC 1035' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.17 NAME 'rPRecord' + DESC 'for Responsible Person, RFC 1183' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.18 NAME 'aFSDBRecord' + DESC 'for AFS Data Base location, RFC 1183' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord' + DESC 'Signature, RFC 2535' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord' + DESC 'Key, RFC 2535' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.27 NAME 'gPosRecord' + DESC 'Geographical Position, RFC 1712' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord' + DESC 'IPv6 address, RFC 1886' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord' + DESC 'Location, RFC 1876' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord' + DESC 'non-existant, RFC 2535' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord' + DESC 'service location, RFC 2782' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord' + DESC 'Naming Authority Pointer, RFC 2915' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord' + DESC 'Key Exchange Delegation, RFC 2230' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord' + DESC 'certificate, RFC 2538' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record' + DESC 'A6 Record Type, RFC 2874' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord' + DESC 'Non-Terminal DNS Name Redirection, RFC 2672' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.42 NAME 'aPLRecord' + DESC 'Lists of Address Prefixes, RFC 3123' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord' + DESC 'Delegation Signer, RFC 3658' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.44 NAME 'sSHFPRecord' + DESC 'SSH Key Fingerprint, RFC 4255' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.45 NAME 'iPSecKeyRecord' + DESC 'SSH Key Fingerprint, RFC 4025' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord' + DESC 'RRSIG, RFC 3755' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord' + DESC 'NSEC, RFC 3755' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.48 NAME 'dNSKeyRecord' + DESC 'DNSKEY, RFC 3755' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.49 NAME 'dHCIDRecord' + DESC 'DHCID, RFC 4701' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.50 NAME 'nSEC3Record' + DESC 'NSEC record version 3, RFC 5155' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.51 NAME 'nSEC3PARAMRecord' + DESC 'NSEC3 parameters, RFC 5155' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.52 NAME 'tLSARecord' + DESC 'TLSA certificate association, RFC 6698' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.59 NAME 'cDSRecord' + DESC 'Child DS, RFC7344' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.60 NAME 'cDNSKeyRecord' + DESC 'DNSKEY(s) the Child wants reflected in DS, RFC7344' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.61 NAME 'openPGPKeyRecord' + DESC 'OpenPGP Key, RFC7929' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.64 NAME 'SVCBRecord' + DESC 'Service binding, draft-ietf-dnsop-svcb-https-01' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.65 NAME 'HTTPSRecord' + DESC 'HTTPS service binding, draft-ietf-dnsop-svcb-https-01' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.99 NAME 'sPFRecord' + DESC 'Sender Policy Framework, RFC 4408' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.108 NAME 'EUI48Record' + DESC 'EUI-48 address, RFC7043' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.109 NAME 'EUI64Record' + DESC 'EUI-64 address, RFC7043' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.249 NAME 'tKeyRecord' + DESC 'Transaction Key, RFC2930' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.256 NAME 'uRIRecord' + DESC 'URI, RFC7553' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.257 NAME 'cAARecord' + DESC 'Certification Authority Restriction, RFC6844' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.32769 NAME 'dLVRecord' + DESC 'DNSSEC Lookaside Validation, RFC4431' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.65226 NAME 'TYPE65226Record' + DESC '' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.65534 NAME 'TYPE65534Record' + DESC '' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcObjectClasses: ( 1.3.6.1.4.1.2428.20.2 NAME 'dNSDomain2' + SUP 'dNSDomain' STRUCTURAL + MAY ( DNSTTL $ DNSClass $ WKSRecord $ PTRRecord $ + HINFORecord $ MINFORecord $ TXTRecord $ RPRecord $ + AFSDBRecord $ SIGRecord $ KEYRecord $ GPOSRecord $ + AAAARecord $ LOCRecord $ NXTRecord $ SRVRecord $ + NAPTRRecord $ KXRecord $ CERTRecord $ A6Record $ + DNAMERecord $ APLRecord $ DSRecord $ SSHFPRecord $ + IPSECKEYRecord $ RRSIGRecord $ NSECRecord $ + DNSKEYRecord $ DHCIDRecord $ NSEC3Record $ NSEC3PARAMRecord $ + TLSARecord $ CDSRecord $ CDNSKEYRecord $ OPENPGPKEYRecord $ + SVCBRecord $ HTTPSRecord $ + SPFRecord $ EUI48Record $ EUI64Record $ TKEYRecord $ + URIRecord $ CAARecord $ DLVRecord $ TYPE65226Record $ + TYPE65534Record + ) ) diff --git a/files/usr/local/etc/openldap/schema/kerberos.ldif.idm_server b/files/usr/local/etc/openldap/schema/kerberos.ldif.idm_server new file mode 100644 index 0000000..830277d --- /dev/null +++ b/files/usr/local/etc/openldap/schema/kerberos.ldif.idm_server @@ -0,0 +1,68 @@ +# This LDIF version of the Kerberos schema can be loaded into an +# OpenLDAP database. It was originally converted semi-automatically +# from kerberos.schema using slaptest. + +dn: cn=kerberos,cn=schema,cn=config +objectClass: olcSchemaConfig +cn: kerberos +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.1.1 NAME 'krbPrincipalName' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.1 NAME 'krbCanonicalName' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.3.1 NAME 'krbPrincipalType' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.5.1 NAME 'krbUPEnabled' DESC 'Boolean' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.6.1 NAME 'krbPrincipalExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.8.1 NAME 'krbTicketFlags' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.9.1 NAME 'krbMaxTicketLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.10.1 NAME 'krbMaxRenewableAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.14.1 NAME 'krbRealmReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.15.1 NAME 'krbLdapServers' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.17.1 NAME 'krbKdcServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.18.1 NAME 'krbPwdServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.24.1 NAME 'krbHostServer' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.25.1 NAME 'krbSearchScope' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.26.1 NAME 'krbPrincipalReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.28.1 NAME 'krbPrincNamingAttr' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.29.1 NAME 'krbAdmServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.30.1 NAME 'krbMaxPwdLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.31.1 NAME 'krbMinPwdLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.32.1 NAME 'krbPwdMinDiffChars' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.33.1 NAME 'krbPwdMinLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.34.1 NAME 'krbPwdHistoryLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.1 NAME 'krbPwdMaxFailure' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.2 NAME 'krbPwdFailureCountInterval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.3 NAME 'krbPwdLockoutDuration' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.2 NAME 'krbPwdAttributes' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.3 NAME 'krbPwdMaxLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.4 NAME 'krbPwdMaxRenewableLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.5 NAME 'krbPwdAllowedKeysalts' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.36.1 NAME 'krbPwdPolicyReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.37.1 NAME 'krbPasswordExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.39.1 NAME 'krbPrincipalKey' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.40.1 NAME 'krbTicketPolicyReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.41.1 NAME 'krbSubTrees' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.42.1 NAME 'krbDefaultEncSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.43.1 NAME 'krbSupportedEncSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.44.1 NAME 'krbPwdHistory' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.45.1 NAME 'krbLastPwdChange' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.5 NAME 'krbLastAdminUnlock' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.46.1 NAME 'krbMKey' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.47.1 NAME 'krbPrincipalAliases' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.48.1 NAME 'krbLastSuccessfulAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.49.1 NAME 'krbLastFailedAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.50.1 NAME 'krbLoginFailedCount' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.51.1 NAME 'krbExtraData' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.52.1 NAME 'krbObjectReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.53.1 NAME 'krbPrincContainerRef' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: ( 2.16.840.1.113730.3.8.15.2.1 NAME 'krbPrincipalAuthInd' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.4 NAME 'krbAllowedToDelegateTo' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.1.1 NAME 'krbContainer' SUP top STRUCTURAL MUST cn ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.2.1 NAME 'krbRealmContainer' SUP top STRUCTURAL MUST cn MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSaltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr $ krbPwdPolicyReference $ krbPrincContainerRef ) ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.3.1 NAME 'krbService' SUP top ABSTRACT MUST cn MAY ( krbHostServer $ krbRealmReferences ) ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.4.1 NAME 'krbKdcService' SUP krbService STRUCTURAL ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.5.1 NAME 'krbPwdService' SUP krbService STRUCTURAL ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux' SUP top AUXILIARY MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbLastAdminUnlock $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData $ krbAllowedToDelegateTo $ krbPrincipalAuthInd ) ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.9.1 NAME 'krbPrincipal' SUP top STRUCTURAL MUST krbPrincipalName MAY krbObjectReferences ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.11.1 NAME 'krbPrincRefAux' SUP top AUXILIARY MAY krbPrincipalReferences ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.13.1 NAME 'krbAdmService' SUP krbService STRUCTURAL ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.14.1 NAME 'krbPwdPolicy' SUP top STRUCTURAL MUST cn MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdFailureCountInterval $ krbPwdLockoutDuration $ krbPwdAttributes $ krbPwdMaxLife $ krbPwdMaxRenewableLife $ krbPwdAllowedKeysalts ) ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.16.1 NAME 'krbTicketPolicyAux' SUP top AUXILIARY MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.17.1 NAME 'krbTicketPolicy' SUP top STRUCTURAL MUST cn ) diff --git a/files/usr/local/etc/openldap/schema/mailservice.ldif.idm_server b/files/usr/local/etc/openldap/schema/mailservice.ldif.idm_server new file mode 100644 index 0000000..3cdedce --- /dev/null +++ b/files/usr/local/etc/openldap/schema/mailservice.ldif.idm_server @@ -0,0 +1,177 @@ +dn: cn=mailservice,cn=schema,cn=config +objectClass: olcSchemaConfig +cn: mailservice +olcObjectIdentifier: {0}DebOps 1.3.6.1.4.1.53622 +olcObjectIdentifier: {1}DebOpsLDAP DebOps:42 +olcObjectIdentifier: {2}mailService DebOpsLDAP:2 +olcObjectIdentifier: {3}mailServiceAttribute mailService:3 +olcObjectIdentifier: {4}mailServiceObject mailService:4 +olcAttributeTypes: {0}( mailServiceAttribute:1 NAME 'mailAddress' DESC 'Primar + y RFC 822 email address of this recipient, can be used a + s a login identifier.' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substr + ingsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE ) +olcAttributeTypes: {1}( mailServiceAttribute:2 NAME 'mailAlternateAddress' DES + C 'Alternate RFC 822 email address(es) of this recipient' EQUALITY caseIgnore + IA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121. + 1.26{256} ) +olcAttributeTypes: {2}( mailServiceAttribute:3 NAME 'mailPrivateAddress' DESC + 'A confidential RFC 822 email address of this recipient + which can be used as a login identifier.' EQUALITY caseIgnoreIA5Match SUBSTR + caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE + -VALUE ) +olcAttributeTypes: {3}( mailServiceAttribute:4 NAME 'mailContactAddress' DESC + 'RFC 822 email address of this recipient which is meant to + be public and serve as the primary contact address.' EQUALITY caseIgnoreIA + 5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1. + 26{256} ) +olcAttributeTypes: {4}( mailServiceAttribute:5 NAME 'mailInternalAddress' DESC + 'An internal RFC 822 email address of this recipient wh + ich will be rewritten to an external email address' EQUALITY caseIgnoreIA5Mat + ch SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{2 + 56} SINGLE-VALUE ) +olcAttributeTypes: {5}( mailServiceAttribute:6 NAME 'mailExternalAddress' DESC + 'An external RFC 822 email address of this recipient wh + ich will be rewritten to an internal email address' EQUALITY caseIgnoreIA5Mat + ch SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{2 + 56} SINGLE-VALUE ) +olcAttributeTypes: {6}( mailServiceAttribute:7 NAME 'mailSenderBccTo' DESC 'RF + C 822 BCC email address(es) to add for a given mail sender' EQUALITY caseIgno + reIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.12 + 1.1.26{256} ) +olcAttributeTypes: {7}( mailServiceAttribute:8 NAME 'mailRecipientBccTo' DESC + 'RFC 822 BCC email address(es) to add for a given mail recipient' EQUALITY ca + seIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466. + 115.121.1.26{256} ) +olcAttributeTypes: {8}( mailServiceAttribute:9 NAME 'mailForwardTo' DESC 'RFC + 822 email address(es) to forward all incoming messages to' EQUALITY caseIgnor + eIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121 + .1.26{256} ) +olcAttributeTypes: {9}( mailServiceAttribute:10 NAME 'mailForwardToURL' DESC ' + LDAP search URL that defines the recipients of the mail messages + sent to this mailing list' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1 + .4.1.1466.115.121.1.26 ) +olcAttributeTypes: {10}( mailServiceAttribute:11 NAME 'mailErrorsTo' DESC 'RFC + 822 email address(es) to use when routing error and notification + messages to the owner(s) of an email distribution list' EQUALITY ca + seIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466. + 115.121.1.26{256} ) +olcAttributeTypes: {11}( mailServiceAttribute:12 NAME 'mailRequestsTo' DESC 'R + FC 822 email address(es) to use when routing request mes + sages sent to the email distribution list' EQUALITY caseIgnoreIA5Match SUBSTR + caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) +olcAttributeTypes: {12}( mailServiceAttribute:13 NAME 'mailEnvelopeAddress' DE + SC 'RFC 822 envelope sender email address of a given mail user + or email distribution list' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn + oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE + ) +olcAttributeTypes: {13}( mailServiceAttribute:14 NAME 'mailRoutingAddress' DES + C 'RFC 822 email address to use when routing messages to + the SMTP MTA of this recipient' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnor + eIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE ) +olcAttributeTypes: {14}( mailServiceAttribute:15 NAME 'mailHost' DESC 'Fully Q + ualified Domain Name of the SMTP MTA that handles messag + es for this recipient' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMa + tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} SINGLE-VALUE ) +olcAttributeTypes: {15}( mailServiceAttribute:16 NAME 'mailTransport' DESC 'MT + A mail transport method which will take care of the email delivery' EQUALITY + caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {16}( mailServiceAttribute:17 NAME 'mailUidNumber' DESC 'UI + D required to access the mailbox' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.14 + 66.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {17}( mailServiceAttribute:18 NAME 'mailGidNumber' DESC 'GI + D required to access the mailbox' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.14 + 66.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {18}( mailServiceAttribute:19 NAME 'mailHomeDirectory' DESC + 'The absolute path to the mail user home directory' EQUALITY caseExactIA5Mat + ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {19}( mailServiceAttribute:20 NAME 'mailMessageStore' DESC + 'The path to the mail user mailbox storage directory' EQUALITY caseExactIA5Ma + tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {20}( mailServiceAttribute:21 NAME 'mailQuota' DESC 'Mail q + uota limit in kilobytes' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466. + 115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {21}( mailServiceAttribute:22 NAME 'mailGroupACL' DESC 'Com + ma-separated list of mail groups a given mail user belon + gs to, used for mailbox access control' EQUALITY caseExactIA5Match SUBSTR cas + eExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {22}( mailServiceAttribute:23 NAME 'mailExpungeTrash' DESC + 'Time to automatically expunge Trash mailbox' EQUALITY caseIgnoreIA5Match SYN + TAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {23}( mailServiceAttribute:24 NAME 'mailSieveRuleSource' DE + SC 'Definition of a Sieve filter script for a given mail user' SYNTAX 1.3.6.1 + .4.1.1466.115.121.1.26 ) +olcAttributeTypes: {24}( mailServiceAttribute:25 NAME 'mailSuppressErrors' DES + C 'Suppress error messages from being sent back to message originator' EQUALI + TY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {25}( mailServiceAttribute:26 NAME 'mailDeliveryFile' DESC + 'Path to a file used for archiving messages sent to the distribution list' EQ + UALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {26}( mailServiceAttribute:27 NAME 'mailDeliveryOption' DES + C 'Message handling option for messages sent to a designated recipient' EQUAL + ITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {27}( mailServiceAttribute:28 NAME 'mailProgramDeliveryInfo + ' DESC 'Named programs for message post-processing' EQUALITY caseExactIA5Matc + h SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {28}( mailServiceAttribute:29 NAME 'mailAuthorizedDomain' D + ESC 'Domains authorized to submit messages to the distribution list' EQUALITY + caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {29}( mailServiceAttribute:30 NAME 'mailAuthorizedSender' D + ESC 'Addresses authorized to submit messages to the distribution list' EQUALI + TY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {30}( mailServiceAttribute:31 NAME 'mailUnauthorizedDomain' + DESC 'Domains not authorized to submit messages to the distribution list' EQ + UALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {31}( mailServiceAttribute:32 NAME 'mailUnauthorizedSender' + DESC 'Addresses not authorized to submit messages to the distribution list' + EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {32}( mailServiceAttribute:33 NAME 'mailRemoveHeader' DESC + 'Headers to remove from the messages sent to the mailing list' SYNTAX 1.3.6.1 + .4.1.1466.115.121.1.26 ) +olcAttributeTypes: {33}( mailServiceAttribute:34 NAME 'mailAddHeader' DESC 'He + aders to add to the messages sent to the mailing list' SYNTAX 1.3.6.1.4.1.146 + 6.115.121.1.26 ) +olcAttributeTypes: {34}( mailServiceAttribute:35 NAME 'mailAntispamPolicy' DES + C 'Name of the anti-spam policy to apply to a given LDAP entry' SYNTAX 1.3.6. + 1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {35}( mailServiceAttribute:36 NAME 'mailAntivirusPolicy' DE + SC 'Name of the anti-virus policy to apply to a given LDAP entry' SYNTAX 1.3. + 6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {36}( mailServiceAttribute:37 NAME 'mailContentPolicy' DESC + 'Name of the content policy to apply to a given LDAP entry' SYNTAX 1.3.6.1.4 + .1.1466.115.121.1.26 SINGLE-VALUE ) +olcObjectClasses: {0}( mailServiceObject:1 NAME 'mailRecipient' DESC 'The entr + y represents an entity within the organization that can re + ceive SMTP mail, such as a mail user account' SUP top AUXILIARY MUST mailAddr + ess MAY ( mailAlternateAddress $ mailPrivateAddress $ mailContactAddress $ ma + ilEnvelopeAddress $ mailRoutingAddress $ mailExternalAddress $ mailInternalAd + dress $ mailSenderBccTo $ mailRecipientBccTo $ mailHost $ mailTransport $ mai + lUidNumber $ mailGidNumber $ mailHomeDirectory $ mailMessageStore $ mailQuota + $ mailGroupACL $ mailExpungeTrash $ mailSieveRuleSource $ mailDeliveryOption + $ mailProgramDeliveryInfo $ mail $ cn $ description $ uid $ userPassword ) ) +olcObjectClasses: {1}( mailServiceObject:2 NAME 'mailAlias' DESC 'The entry re + presents an entity within the organization that defines an + email alias for mail recipients' SUP top STRUCTURAL MUST mailAddress MAY ( m + ailForwardTo $ mailForwardToURL $ mailHost $ mailTransport $ mailDeliveryFile + $ mailDeliveryOption $ mailProgramDeliveryInfo $ mail $ cn $ description $ o + wner ) ) +olcObjectClasses: {2}( mailServiceObject:3 NAME 'mailDistributionList' DESC 'T + he entry represents an entity within the organization that + can receive and forward SMTP mail, such as a mail group a + ccount (mailing list)' SUP top AUXILIARY MUST mailAddress MAY ( mailForwardTo + $ mailForwardToURL $ mailEnvelopeAddress $ mailErrorsTo $ mailRequestsTo $ m + ailSuppressErrors $ mailHost $ mailTransport $ mailDeliveryFile $ mailDeliver + yOption $ mailProgramDeliveryInfo $ mailAuthorizedDomain $ mailAuthorizedSend + er $ mailUnauthorizedDomain $ mailUnauthorizedSender $ mailRemoveHeader $ mai + lAddHeader $ mail $ cn $ description $ owner $ manager $ seeAlso ) ) +olcObjectClasses: {3}( mailServiceObject:4 NAME 'mailDomain' DESC 'The entry r + epresents an entity within the organization that defines a + n email domain' SUP domain STRUCTURAL MAY ( mailHost $ mailTransport $ mailSe + nderBccTo $ mailRecipientBccTo $ mailErrorsTo $ mailSuppressErrors $ mailAuth + orizedDomain $ mailAuthorizedSender $ mailUnauthorizedDomain $ mailUnauthoriz + edSender $ mailRemoveHeader $ mailAddHeader $ description $ owner $ manager ) + ) +olcObjectClasses: {4}( mailServiceObject:5 NAME 'mailFilter' DESC 'The entry r + epresents an entity within the organization that can filte + r email messages according to various policies' SUP top AUXILIARY MAY ( mailA + ntispamPolicy $ mailAntivirusPolicy $ mailContentPolicy $ cn $ description $ + seeAlso ) ) diff --git a/files/usr/local/etc/openldap/schema/openssh-lpk.ldif.idm_server b/files/usr/local/etc/openldap/schema/openssh-lpk.ldif.idm_server new file mode 100644 index 0000000..6cde0a4 --- /dev/null +++ b/files/usr/local/etc/openldap/schema/openssh-lpk.ldif.idm_server @@ -0,0 +1,11 @@ +dn: cn=openssh-lpk,cn=schema,cn=config +objectClass: olcSchemaConfig +cn: openssh-lpk +olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' + DESC 'MANDATORY: OpenSSH Public key' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) +olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY + DESC 'MANDATORY: OpenSSH LPK objectclass' + MAY ( sshPublicKey $ uid ) + ) diff --git a/files/usr/local/etc/openldap/schema/rfc2307bis.ldif.idm_server b/files/usr/local/etc/openldap/schema/rfc2307bis.ldif.idm_server new file mode 100644 index 0000000..83cf2be --- /dev/null +++ b/files/usr/local/etc/openldap/schema/rfc2307bis.ldif.idm_server @@ -0,0 +1,246 @@ +dn: cn=rfc2307bis,cn=schema,cn=config +objectClass: olcSchemaConfig +cn: rfc2307bis +### +# Extracted from: http://tools.ietf.org/html/draft-howard-rfc2307bis-02 +### +olcAttributeTypes: ( 1.3.6.1.1.1.1.2 NAME 'gecos' + DESC 'The GECOS field; the common name' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory' + DESC 'The absolute path to the home directory' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.4 NAME 'loginShell' + DESC 'The path to the login shell' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.6 NAME 'shadowMin' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.7 NAME 'shadowMax' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.8 NAME 'shadowWarning' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.9 NAME 'shadowInactive' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.11 NAME 'shadowFlag' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.12 NAME 'memberUid' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' + DESC 'Netgroup triple' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.15 NAME 'ipServicePort' + DESC 'Service port number' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol' + DESC 'Service protocol name' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber' + DESC 'IP protocol number' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.18 NAME 'oncRpcNumber' + DESC 'ONC RPC number' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber' + DESC 'IPv4 addresses as a dotted decimal omitting leading + zeros or IPv6 addresses as defined in RFC2373' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber' + DESC 'IP network omitting leading zeros, eg. 192.168' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber' + DESC 'IP netmask omitting leading zeros, eg. 255.255.255.0' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.22 NAME 'macAddress' + DESC 'MAC address in maximal, colon separated hex + notation, eg. 00:00:92:90:ee:e2' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.23 NAME 'bootParameter' + DESC 'rpc.bootparamd parameter' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.24 NAME 'bootFile' + DESC 'Boot image name' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.26 NAME 'nisMapName' + DESC 'Name of a generic NIS map' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry' + DESC 'A generic NIS entry' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.28 NAME 'nisPublicKey' + DESC 'NIS public key' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.29 NAME 'nisSecretKey' + DESC 'NIS secret key' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' + DESC 'NIS domain' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' + DESC 'automount Map Name' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.32 NAME 'automountKey' + DESC 'Automount Key value' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.33 NAME 'automountInformation' + DESC 'Automount information' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + SINGLE-VALUE ) +olcObjectClasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY + DESC 'Abstraction of an account with POSIX attributes' + MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) + MAY ( userPassword $ loginShell $ gecos $ + description ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' SUP top AUXILIARY + DESC 'Additional attributes for shadow passwords' + MUST uid + MAY ( userPassword $ description $ + shadowLastChange $ shadowMin $ shadowMax $ + shadowWarning $ shadowInactive $ + shadowExpire $ shadowFlag ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY + DESC 'Abstraction of a group of accounts' + MUST gidNumber + MAY ( userPassword $ memberUid $ + description ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.3 NAME 'ipService' SUP top STRUCTURAL + DESC 'Abstraction an Internet Protocol service. + Maps an IP port and protocol (such as tcp or udp) + to one or more names; the distinguished value of + the cn attribute denotes the services canonical + name' + MUST ( cn $ ipServicePort $ ipServiceProtocol ) + MAY description ) +olcObjectClasses: ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' SUP top STRUCTURAL + DESC 'Abstraction of an IP protocol. Maps a protocol number + to one or more names. The distinguished value of the cn + attribute denotes the protocol canonical name' + MUST ( cn $ ipProtocolNumber ) + MAY description ) +olcObjectClasses: ( 1.3.6.1.1.1.2.5 NAME 'oncRpc' SUP top STRUCTURAL + DESC 'Abstraction of an Open Network Computing (ONC) + [RFC1057] Remote Procedure Call (RPC) binding. + This class maps an ONC RPC number to a name. + The distinguished value of the cn attribute denotes + the RPC service canonical name' + MUST ( cn $ oncRpcNumber ) + MAY description ) +olcObjectClasses: ( 1.3.6.1.1.1.2.6 NAME 'ipHost' SUP top AUXILIARY + DESC 'Abstraction of a host, an IP device. The distinguished + value of the cn attribute denotes the hosts canonical + name. Device SHOULD be used as a structural class' + MUST ( cn $ ipHostNumber ) + MAY ( userPassword $ l $ description $ + manager ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' SUP top STRUCTURAL + DESC 'Abstraction of a network. The distinguished value of + the cn attribute denotes the network canonical name' + MUST ipNetworkNumber + MAY ( cn $ ipNetmaskNumber $ l $ description $ manager ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL + DESC 'Abstraction of a netgroup. May refer to other + netgroups' + MUST cn + MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.9 NAME 'nisMap' SUP top STRUCTURAL + DESC 'A generic abstraction of a NIS map' + MUST nisMapName + MAY description ) +olcObjectClasses: ( 1.3.6.1.1.1.2.10 NAME 'nisObject' SUP top STRUCTURAL + DESC 'An entry in a NIS map' + MUST ( cn $ nisMapEntry $ nisMapName ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' SUP top AUXILIARY + DESC 'A device with a MAC address; device SHOULD be + used as a structural class' + MAY macAddress ) +olcObjectClasses: ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' SUP top AUXILIARY + DESC 'A device with boot parameters; device SHOULD be + used as a structural class' + MAY ( bootFile $ bootParameter ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' SUP top AUXILIARY + DESC 'An object with a public and secret key' + MUST ( cn $ nisPublicKey $ nisSecretKey ) + MAY ( uidNumber $ description ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top AUXILIARY + DESC 'Associates a NIS domain with a naming context' + MUST nisDomain ) +olcObjectClasses: ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL + MUST ( automountMapName ) + MAY description ) +olcObjectClasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL + DESC 'Automount information' + MUST ( automountKey $ automountInformation ) + MAY description ) +olcObjectClasses: ( 1.3.6.1.1.1.2.18 NAME 'groupOfMembers' SUP top STRUCTURAL + DESC 'A group with members (DNs)' + MUST cn + MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ + description $ member ) ) diff --git a/files/usr/local/etc/openldap/schema/sudo.ldif.idm_server b/files/usr/local/etc/openldap/schema/sudo.ldif.idm_server new file mode 100644 index 0000000..8948ca4 --- /dev/null +++ b/files/usr/local/etc/openldap/schema/sudo.ldif.idm_server @@ -0,0 +1,79 @@ +dn: cn=sudoschema,cn=schema,cn=config +objectClass: olcSchemaConfig +cn: sudoschema +# +# OpenLDAP schema file for Sudo in on-line configuration (OLC) format. +# Import using ldapadd or another suitable LDAP browser. +# Converted to OLC format by Frederic Pasteleurs <frederic@askarel.be> +# +olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.1 + NAME 'sudoUser' + DESC 'User(s) who may run sudo' + EQUALITY caseExactMatch + SUBSTR caseExactSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +# +olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.2 + NAME 'sudoHost' + DESC 'Host(s) who may run sudo' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +# +olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.3 + NAME 'sudoCommand' + DESC 'Command(s) to be executed by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +# +olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.4 + NAME 'sudoRunAs' + DESC 'User(s) impersonated by sudo (deprecated)' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +# +olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.5 + NAME 'sudoOption' + DESC 'Options(s) followed by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +# +olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.6 + NAME 'sudoRunAsUser' + DESC 'User(s) impersonated by sudo' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +# +olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.7 + NAME 'sudoRunAsGroup' + DESC 'Group(s) impersonated by sudo' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +# +olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.8 + NAME 'sudoNotBefore' + DESC 'Start of time interval for which the entry is valid' + EQUALITY generalizedTimeMatch + ORDERING generalizedTimeOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) +# +olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.9 + NAME 'sudoNotAfter' + DESC 'End of time interval for which the entry is valid' + EQUALITY generalizedTimeMatch + ORDERING generalizedTimeOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) +# +olcattributeTypes: ( 1.3.6.1.4.1.15953.9.1.10 + NAME 'sudoOrder' + DESC 'an integer to order the sudoRole entries' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) +# +olcobjectclasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL + DESC 'Sudoer Entries' + MUST ( cn ) + MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $ + description ) + ) diff --git a/files/usr/local/etc/openldap/slapd.ldif.idm_server b/files/usr/local/etc/openldap/slapd.ldif.idm_server new file mode 100644 index 0000000..784c63a --- /dev/null +++ b/files/usr/local/etc/openldap/slapd.ldif.idm_server @@ -0,0 +1,225 @@ +# Top-level cn=config attributes. +dn: cn=config +objectClass: olcGlobal +cn: config +olcArgsFile: /var/run/openldap/slapd.args +olcPidFile: /var/run/openldap/slapd.pid +olcSaslHost: ${fqdn} +olcSaslSecProps: noanonymous,minssf=56 +olcDisallows: bind_anon +olcSecurity: ssf=56 +olcLocalSSF: 128 +olcTLSCACertificateFile: ${site_cacert_path} +olcTLSCertificateFile: ${slapd_tls_cert} +olcTLSCertificateKeyFile: ${slapd_tls_key} +olcTLSVerifyClient: allow +$(echo "$idm_server_list" | while read -r _hostname id ipv4; do + echo "olcServerID: ${id} ldaps://${ipv4}/" +done) +olcAuthzRegexp: {0}^gidNumber=[0-9]+\+uidNumber=0,cn=peercred,cn=external,cn=auth$ ${slapd_root_dn} +olcAuthzRegexp: {1}^gidNumber=[0-9]+\+uidNumber=([^,]+),cn=peercred,cn=external,cn=auth$ ldap:///${accounts_basedn}??sub?(uidNumber=\$1) +olcAuthzRegexp: {2}^uid=([^,]+),cn=(gssapi|plain|login),cn=auth$ ldap:///${accounts_basedn}??sub?(krbPrincipalName=\$1@${realm}) + +# Load dynamic modules. +dn: cn=module,cn=config +objectClass: olcModuleList +cn: module +olcModulepath: /usr/local/libexec/openldap +olcModuleload: back_mdb.la +olcModuleload: pw-sha2.la +olcModuleload: accesslog.la +olcModuleload: dynlist.la +olcModuleload: unique.la +olcModuleload: refint.la + +# Frontend configuration. Individual databases can override these settings. +dn: olcDatabase=frontend,cn=config +objectClass: olcDatabaseConfig +objectClass: olcFrontendConfig +olcDatabase: frontend +olcPasswordHash: {SSHA512} +olcSizeLimit: ${slapd_result_size_limit} +olcRequires: authc +olcAccess: {0}to dn.base="" by * read +olcAccess: {1}to dn.base="cn=Subschema" by * read +olcAccess: {2}to * + by users read + by anonymous auth + +# Load schemas. +dn: cn=schema,cn=config +objectClass: olcSchemaConfig +cn: schema + +include: file://${slapd_conf_dir}/schema/core.ldif +include: file://${slapd_conf_dir}/schema/cosine.ldif +include: file://${slapd_conf_dir}/schema/inetorgperson.ldif +include: file://${slapd_conf_dir}/schema/dyngroup.ldif +include: file://${slapd_conf_dir}/schema/rfc2307bis.ldif +include: file://${slapd_conf_dir}/schema/kerberos.ldif +include: file://${slapd_conf_dir}/schema/openssh-lpk.ldif +include: file://${slapd_conf_dir}/schema/sudo.ldif +include: file://${slapd_conf_dir}/schema/dnsdomain2.ldif +include: file://${slapd_conf_dir}/schema/mailservice.ldif + +# cn=config database configuration. +dn: olcDatabase={0}config,cn=config +objectClass: olcDatabaseConfig +olcDatabase: config +olcRootDN: ${slapd_root_dn} + +# Default database configuration. +dn: olcDatabase={1}mdb,cn=config +objectClass: olcDatabaseConfig +objectClass: olcMdbConfig +olcDatabase: mdb +olcDbMaxSize: ${slapd_db_max_size} +olcSuffix: ${basedn} +olcRootDN: ${slapd_root_dn} +olcDbDirectory: ${slapd_data_dir} +$(echo "$idm_server_list" | while read -r _hostname id ipv4; do +echo "olcSyncrepl: rid=00${id} + provider=ldaps://${ipv4}/ + searchbase=${basedn} + bindmethod=sasl + saslmech=external + tls_cert=${slapd_replicator_tls_cert} + tls_key=${slapd_replicator_tls_key} + tls_cacert=${site_cacert_path} + tls_reqcert=demand + type=refreshAndPersist + retry=\"5 5 60 +\" + logfilter=\"(&(objectClass=auditWriteObject)(reqResult=0))\" + timeout=5 + logbase=cn=accesslog + syncdata=accesslog" +done) +olcMultiProvider: TRUE +olcDbIndex: objectClass eq +olcDbIndex: cn,uid,uidNumber,gidNumber,member,memberUid,mail,mailAddress,mailAlternateAddress,mailPrivateAddress,mailContactAddress eq +olcDbIndex: sudoUser eq +olcDbIndex: automountMapName eq +olcDbIndex: krbPrincipalName eq,pres +olcDbIndex: entryCSN,entryUUID eq +olcDbIndex: associatedDomain pres,eq,sub +olcDbIndex: description pres,eq,sub +olcLimits: {0}dn.exact=${slapd_replicator_dn} + time.soft=unlimited + time.hard=unlimited + size.soft=unlimited + size.hard=unlimited +olcLimits: {1}* + size.soft=${slapd_result_size_limit} + size.hard=${slapd_result_size_limit} + size.pr=${slapd_result_size_limit} + size.prtotal=unlimited +olcAccess: {0}to dn.base="" + by * read +olcAccess: {1}to dn.base="cn=Subschema" + by * read +olcAccess: {3}to * + by dn.exact=${slapd_replicator_dn} read + by dn.exact=uid=${idm_admin_username},${robots_basedn} manage + by group/groupOfMembers/member=cn=${idm_admin_groupname},${groups_basedn} manage + by * break +olcAccess: {4}to dn.subtree=${sudo_basedn} + by dn.children=${hosts_basedn} read + by * none +olcAccess: {5}to dn.subtree=${kdc_basedn} + by * none +olcAccess: {6}to attrs=userPassword + by self write + by anonymous auth + by * none +olcAccess: {7}to attrs=shadowLastChange,sshPublicKey + by self write + by * read +olcAccess: {8}to attrs=krbPrincipalKey + by * none +olcAccess: {9}to * + by * read + +# Accesslog database (for syncprov). +dn: olcDatabase={2}mdb,cn=config +objectClass: olcDatabaseConfig +objectClass: olcMdbConfig +olcDatabase: mdb +olcDbDirectory: ${slapd_data_dir}/accesslog +olcSuffix: cn=accesslog +olcRootDN: ${slapd_root_dn} +olcDbMaxSize: ${slapd_accesslog_db_max_size} +olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart,reqDN eq +olcAccess: {0}to * + by dn.exact=${slapd_replicator_dn} read + by * break +olcLimits: {0}dn.exact=${slapd_replicator_dn} + time.soft=unlimited + time.hard=unlimited + size.soft=unlimited + size.hard=unlimited + +# Monitoring database. +dn: olcDatabase={3}monitor,cn=config +objectClass: olcDatabaseConfig +olcDatabase: monitor +olcRootDN: ${slapd_root_dn} +olcMonitoring: FALSE + +# Syncprov overlay. +dn: olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config +objectClass: olcOverlayConfig +objectClass: olcSyncProvConfig +olcOverlay: syncprov +olcSpCheckpoint: ${slapd_syncrepl_checkpoint_ops} ${slapd_syncrepl_checkpoint_minutes} +olcSpSessionLog: ${slapd_syncrepl_session_log} + +# Accesslog overlay (for syncrepl). +dn: olcOverlay={1}accesslog,olcDatabase={1}mdb,cn=config +objectClass: olcOverlayConfig +objectClass: olcAccessLogConfig +olcOverlay: accesslog +olcAccessLogDB: cn=accesslog +olcAccessLogOps: writes +olcAccessLogSuccess: TRUE +olcAccessLogPurge: ${slapd_syncrepl_cleanup_age}+00:00 ${slapd_syncrepl_cleanup_interval}+00:00 + +# Dynlist overlay. +dn: olcOverlay={2}dynlist,olcDatabase={1}mdb,cn=config +objectClass: olcOverlayConfig +objectClass: olcDynamicList +olcOverlay: dynlist +olcDynListAttrSet: {0}groupOfURLs memberURL member+memberOf@groupOfMembers* +olcDynListAttrSet: {1}labeledURIObject labeledURI uniqueMember+seeAlso@groupOfUniqueNames + +# Unique overlay. +dn: olcOverlay={3}unique,olcDatabase={1}mdb,cn=config +objectClass: olcOverlayConfig +objectClass: olcUniqueConfig +olcOverlay: unique +olcUniqueURI: ldap:///${accounts_basedn}?uid?sub +olcUniqueURI: ldap:///${accounts_basedn}?uidNumber?sub +olcUniqueURI: ldap:///${accounts_basedn}?krbPrincipalName?sub +olcUniqueURI: ldap:///${accounts_basedn}?mail?sub +olcUniqueURI: ldap:///${accounts_basedn}?mailAddress,mailAlternateAddress,mailPrivateAddress,mailContactAddress?sub +olcUniqueURI: ldap:///${groups_basedn}?cn?sub +olcUniqueURI: ldap:///${groups_basedn}?gidNumber?sub +olcUniqueURI: ldap:///${hosts_basedn}?cn,dc?sub +olcUniqueURI: ldap:///${services_basedn}?cn?sub +olcUniqueURI: ldap:///${sudo_basedn}?cn?sub +olcUniqueURI: ldap:///${dns_basedn}?associatedDomain?sub + +# Refint overlay. +dn: olcOverlay={4}refint,olcDatabase={1}mdb,cn=config +objectClass: olcOverlayConfig +objectClass: olcRefintConfig +olcOverlay: refint +olcRefintAttribute: member +olcRefintNothing: cn=config + +# Syncprov overlay for accesslog db. +dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config +objectClass: olcOverlayConfig +objectClass: olcSyncProvConfig +olcOverlay: syncprov +olcSpNoPresent: TRUE +olcSpReloadHint: TRUE diff --git a/files/usr/local/etc/pdns/pdns.conf.idm_server b/files/usr/local/etc/pdns/pdns.conf.idm_server new file mode 100644 index 0000000..fc63bd6 --- /dev/null +++ b/files/usr/local/etc/pdns/pdns.conf.idm_server @@ -0,0 +1,29 @@ +# With SASL_MECH=EXTERNAL set in system ldap.conf, PowerDNS can be fooled +# into performing an EXTERNAL (Unix peercred) bind over the ldapi:/// domain +# socket. +# +# You must set ldap-bindmethod=gssapi (?!) for this to work. This behavior doesn't +# seem to be documented anywhere, but hey, it's nice! +ldap-host=ldapi:/// +ldap-bindmethod=gssapi + +ldap-basedn=${dns_basedn} +ldap-reconnect-attempts=2147483647 +ldap-method=simple + +launch=ldap + +local-address=127.0.0.1,::1 +local-port=${pdns_port} +distributor-threads=${pdns_distributor_threads} +receiver-threads=${pdns_receiver_threads} +reuseport=yes + +allow-axfr-ips=${pdns_allow_axfr_ips} + +cache-ttl=${pdns_cache_ttl} +query-cache-ttl=${pdns_query_cache_ttl} +negquery-cache-ttl=${pdns_negquery_cache_ttl} +zone-cache-refresh-interval=0 + +security-poll-suffix= diff --git a/files/usr/local/etc/pkg/repos/onprem.conf.freebsd b/files/usr/local/etc/pkg/repos/onprem.conf.freebsd new file mode 100644 index 0000000..953ae20 --- /dev/null +++ b/files/usr/local/etc/pkg/repos/onprem.conf.freebsd @@ -0,0 +1,6 @@ +${site}: { + enabled: yes, + url: "http://${pkg_host}/\${ABI}/latest", + signature_type: "pubkey", + pubkey: "/usr/local/etc/ssl/repo.crt" +} diff --git a/files/usr/local/etc/pkg/repos/onprem.conf.idm_server b/files/usr/local/etc/pkg/repos/onprem.conf.idm_server new file mode 100644 index 0000000..5ffad74 --- /dev/null +++ b/files/usr/local/etc/pkg/repos/onprem.conf.idm_server @@ -0,0 +1,9 @@ +# The "-idm" set is a special poudriere build for the IDM servers that builds +# openldap26-server with GSSAPI_BASE. This workaround is necessary to avoid a +# circular dependency with krb5 and cyrus-sasl2-gssapi. +${site}: { + enabled: yes, + url: "http://${pkg_host}/\${ABI}/latest-idm", + signature_type: "pubkey", + pubkey: "/usr/local/etc/ssl/repo.crt" +} diff --git a/files/usr/local/etc/poudriere.d/idm-make.conf.pkg_repository b/files/usr/local/etc/poudriere.d/idm-make.conf.pkg_repository new file mode 100644 index 0000000..1d5ce20 --- /dev/null +++ b/files/usr/local/etc/poudriere.d/idm-make.conf.pkg_repository @@ -0,0 +1,34 @@ +CFLAGS=-O2 -pipe +DISABLE_LICENSES=yes +DEFAULT_VERSIONS+=${poudriere_default_versions:-} +MAKE_JOBS_NUMBER=${poudriere_make_jobs_number} + +# Global port options +OPTIONS_UNSET=TEST DEBUG GSSAPI_HEIMDAL GSSAPI_BASE GSSAPI_NONE HEIMDAL NLS DOCS AVAHI LIBWRAP MYSQL MSQLND ODBC READLINE PULSEAUDIO UPNP BASH ZSH INFO ALSA SAMBA WAYLAND PLATFORM_WAYLAND PIPEWIRE +OPTIONS_SET=GSSAPI GSSAPI_MIT NONFREE LIBEDIT + +# Per-port options +dns_powerdns_SET=OPENLDAP +dns_powerdns_UNSET=PGSQL SQLITE3 +dns_unbound_SET=TFOCL TFOSE +dns_unbound_UNSET=DOH +editors_vim_SET=CTAGS_EXUBERANT XTERM_SAVE +editors_vim_UNSET=CTAGS_BASE +net_openldap26-server_SET=DEBUG +net_openldap26-server_UNSET=SMBPWD +security_cyrus-sasl2-saslauthd_UNSET=BDB1 +security_krb5_SET=DNS_FOR_REALM LDAP +security_krb5_UNSET=KRB5_HTML KRB5_PDF +security_sudo_SET=LDAP +security_sudo_UNSET=GSSAPI_MIT +shells_bash_UNSET=PORTS_READLINE +sysutils_htop_SET=LSOF +sysutils_rsyslog8_SET=GSSAPI RELP OPENSSL +sysutils_rsyslog8_UNSET=GCRYPT +www_nginx_SET=HTTPV3 HTTPV3_QTLS HTTP_AUTH_KRB5 HTTP_AUTH_LDAP +www_nginx_UNSET=MAIL + +# We must use base kerberos to build cyrus to avoid a circular dependency with +# MIT kerberos and LDAP. +security_cyrus-sasl2-gssapi_SET=GSSAPI_BASE +security_cyrus-sasl2-gssapi_UNSET=GSSAPI_MIT diff --git a/files/usr/local/etc/poudriere.d/idm-pkglist.pkg_repository b/files/usr/local/etc/poudriere.d/idm-pkglist.pkg_repository new file mode 100644 index 0000000..86c102e --- /dev/null +++ b/files/usr/local/etc/poudriere.d/idm-pkglist.pkg_repository @@ -0,0 +1,24 @@ +devel/git@lite +dns/bind-tools +dns/powerdns +dns/unbound +editors/vim@console +lang/python +net/nss-pam-ldapd-sasl +net/openldap26-client +net/openldap26-server +net/p5-perl-ldap +net/py-python-ldap +net/rsync +security/cyrus-sasl2-saslauthd +security/krb5 +security/pam_krb5@mit +security/pam_mkhomedir +security/sudo +sysutils/htop +sysutils/lsof +sysutils/p5-Sys-Syslog +sysutils/pwgen +sysutils/tmux +sysutils/tree +www/nginx diff --git a/files/usr/local/etc/sudoers.d/networkmgr.roadwarrior_laptop b/files/usr/local/etc/sudoers.d/networkmgr.roadwarrior_laptop new file mode 100644 index 0000000..04284c5 --- /dev/null +++ b/files/usr/local/etc/sudoers.d/networkmgr.roadwarrior_laptop @@ -0,0 +1 @@ +%operator ALL=NOPASSWD: /usr/local/bin/networkmgr diff --git a/files/usr/local/etc/sudoers.roadwarrior_laptop b/files/usr/local/etc/sudoers.roadwarrior_laptop new file mode 100644 index 0000000..0c1a78c --- /dev/null +++ b/files/usr/local/etc/sudoers.roadwarrior_laptop @@ -0,0 +1,4 @@ +root ALL=(ALL:ALL) ALL +%wheel ALL=(ALL:ALL) ALL + +@includedir /usr/local/etc/sudoers.d diff --git a/files/usr/local/lib/firefox/distribution/policies.json.common b/files/usr/local/lib/firefox/distribution/policies.json.common new file mode 100644 index 0000000..96d463c --- /dev/null +++ b/files/usr/local/lib/firefox/distribution/policies.json.common @@ -0,0 +1,163 @@ +{ + "policies": { + "ExtensionSettings": { + "uBlock0@raymondhill.net": { + "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi", + "installation_mode": "force_installed" + }, + "{446900e4-71c2-419f-a6a7-df9c091e268b}": { + "install_url": "https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/latest.xpi", + "installation_mode": "normal_installed" + }, + "7esoorv3@alefvanoon.anonaddy.me": { + "install_url": "https://addons.mozilla.org/firefox/downloads/latest/libredirect/latest.xpi", + "installation_mode": "normal_installed" + }, + "{9cbd40c5-5275-443e-811b-dc57d8c7c5d2}": { + "install_url": "https://addons.mozilla.org/firefox/downloads/latest/kde-default-breeze/latest.xpi", + "installation_mode": "$(if [ "${desktop_type:-}" = kde ]; then echo 'normal_installed'; else echo 'allowed'; fi)" + }, + "plasma-browser-integration@kde.org": { + "install_url": "https://addons.mozilla.org/firefox/downloads/latest/plasma-integration/latest.xpi", + "installation_mode": "$(if [ "${desktop_type:-}" = kde ]; then echo normal_installed; else echo allowed; fi)" + } + }, + "3rdparty": { + "Extensions": { + "uBlock0@raymondhill.net": { + "toOverwrite": { + "filterLists": [ + "user-filters", + "ublock-filters", + "ublock-badware", + "ublock-privacy", + "ublock-abuse", + "ublock-unbreak", + "ublock-annoyances", + "easylist", + "easyprivacy", + "urlhaus-1", + "plowe-0", + "fanboy-annoyance", + "fanboy-thirdparty_social", + "adguard-spyware-url", + "ublock-quick-fixes" + ] + }, + "toAdd": { + "trustedSiteDirectives": [ + "${domain}" + ] + } + } + } + }, + "UserMessaging": { + "WhatsNew": false, + "ExtensionRecommendations": false, + "UrlbarInterventions": false, + "SkipOnboarding": true + }, + "OverridePostUpdatePage": "", + "OverrideFirstRunPage": "", + "EnableTrackingProtection": { + "Value": false, + "Cryptomining": false, + "Fingerprinting": false, + "Locked": false + }, + "Cookies": { + "Behavior": "reject-tracker-and-partition-foreign", + "BehaviorPrivateBrowsing": "reject-tracker-and-partition-foreign" + }, + "Authentication": { + "SPNEGO": ["${domain}"], + "AllowNonFQDN": { + "SPNEGO": true + }, + "AllowProxies": { + "SPNEGO": true + } + }, + "NoDefaultBookmarks": true, + "DisablePocket": true, + "DisableAppUpdate": true, + "CaptivePortal": false, + "Certificates": { + "Install": [ + "${site_cacert_path}" + ] + }, + "DisableFeedbackCommands": true, + "DisableFirefoxAccounts": true, + "DisableFirefoxStudies": true, + "DisableTelemetry": true, + "DontCheckDefaultBrowser": true, + "OfferToSaveLoginsDefault": false, + "DNSOverHTTPS": { + "Enabled": false + }, + "SearchSuggestEnabled": false, + "Homepage": { + "URL": "about:home", + "StartPage": "homepage" + }, + "FirefoxHome": { + "Search": true, + "TopSites": false, + "SponsoredTopSites": false, + "Highlights": false, + "Pocket": false, + "SponsoredPocket": false, + "Snippets": false + }, + "ManagedBookmarks": [ + { + "toplevel_name": "Intranet" + }, + { + "url": "http://pkg.${domain}/poudriere/", + "name": "Poudriere" + } + ], + "ExtensionUpdate": true, + "Preferences": { + "dom.security.https_only_mode": { + "Value": true, + "Status": "locked" + }, + "dom.push.connection.enabled": { + "Value": false, + "Status": "default" + }, + "privacy.trackingprotection.socialtracking.enabled": { + "Value": false, + "Status": "locked" + }, + "browser.urlbar.suggest.quicksuggest.nonsponsored": { + "Value": false, + "Status": "locked" + }, + "browser.urlbar.suggest.quicksuggest.sponsored": { + "Value": false, + "Status": "locked" + }, + "browser.toolbars.bookmarks.visibility": { + "Value": "newtab", + "Status": "default" + }, + "browser.safebrowsing.malware.enabled": { + "Value": false, + "Status": "locked" + }, + "browser.safebrowsing.phishing.enabled": { + "Value": false, + "Status": "locked" + }, + "browser.safebrowsing.downloads.enabled": { + "Value": false, + "Status": "locked" + } + } + } +} diff --git a/files/usr/local/lib/libreoffice/program/sofficerc.common b/files/usr/local/lib/libreoffice/program/sofficerc.common new file mode 100644 index 0000000..77574a4 --- /dev/null +++ b/files/usr/local/lib/libreoffice/program/sofficerc.common @@ -0,0 +1,18 @@ +[Bootstrap] +CrashDirectory=${$BRAND_BASE_DIR/program/bootstraprc:UserInstallation}/crash +CrashDumpEnable=true +HideEula=1 +Logo=0 +NativeProgress=false +ProgressBarColor=0,0,0 +ProgressFrameColor=102,102,102 +ProgressPosition=30,145 +ProgressSize=385,8 +ProgressTextBaseline=170 +ProgressTextColor=0,0,0 +SecureUserConfig=true +SecureUserConfigCompress=true +SecureUserConfigExtensions=true +SecureUserConfigMode=1 +SecureUserConfigNumCopies=2 +URE_BOOTSTRAP=${ORIGIN}/fundamentalrc diff --git a/files/usr/local/lib/sasl2/slapd.conf.idm_server b/files/usr/local/lib/sasl2/slapd.conf.idm_server new file mode 100644 index 0000000..56836c1 --- /dev/null +++ b/files/usr/local/lib/sasl2/slapd.conf.idm_server @@ -0,0 +1,3 @@ +mech_list: gssapi external plain login +pwcheck_method: saslauthd +saslauthd_path: ${saslauthd_runtime_dir}/mux diff --git a/files/usr/local/libexec/lid-close.laptop b/files/usr/local/libexec/lid-close.laptop new file mode 100644 index 0000000..acbd93e --- /dev/null +++ b/files/usr/local/libexec/lid-close.laptop @@ -0,0 +1,4 @@ +#!/bin/sh + +/usr/bin/pkill -USR1 xidle +/usr/sbin/acpiconf -s3 diff --git a/files/usr/local/libexec/lid-close.roadwarrior_laptop b/files/usr/local/libexec/lid-close.roadwarrior_laptop new file mode 120000 index 0000000..698096f --- /dev/null +++ b/files/usr/local/libexec/lid-close.roadwarrior_laptop @@ -0,0 +1 @@ +lid-close.laptop
\ No newline at end of file diff --git a/files/usr/local/libexec/poudriere-cron.pkg_repository b/files/usr/local/libexec/poudriere-cron.pkg_repository index f0291ec..0d713a9 100644 --- a/files/usr/local/libexec/poudriere-cron.pkg_repository +++ b/files/usr/local/libexec/poudriere-cron.pkg_repository @@ -9,6 +9,7 @@ poudriere ports -u -p "$ports_tree" > /dev/null for jail in "$@"; do poudriere jail -u -j "$jail" > /dev/null + poudriere bulk -j "$jail" -f /usr/local/etc/poudriere.d/pkglist-idm -p "$ports_tree" -z idm > /dev/null poudriere bulk -j "$jail" -f /usr/local/etc/poudriere.d/pkglist -p "$ports_tree" > /dev/null done diff --git a/files/usr/local/libexec/thinkpad-brightness.laptop b/files/usr/local/libexec/thinkpad-brightness.laptop new file mode 100644 index 0000000..16cc01a --- /dev/null +++ b/files/usr/local/libexec/thinkpad-brightness.laptop @@ -0,0 +1,31 @@ +#!/bin/sh + +cur=$(/usr/bin/backlight -q) + +case $1 in + up) + if [ "$cur" -ge 50 ]; then + delta=10 + elif [ "$cur" -ge 10 ]; then + delta=5 + else + delta=2 + fi + + /usr/bin/backlight incr "$delta" + ;; + down) + if [ "$cur" -le 10 ]; then + delta=2 + elif [ "$cur" -le 50 ]; then + delta=5 + else + delta=10 + fi + + /usr/bin/backlight decr "$delta" + ;; + *) + exit 1 + ;; +esac diff --git a/files/usr/local/libexec/thinkpad-brightness.roadwarrior_laptop b/files/usr/local/libexec/thinkpad-brightness.roadwarrior_laptop new file mode 120000 index 0000000..d1bcb34 --- /dev/null +++ b/files/usr/local/libexec/thinkpad-brightness.roadwarrior_laptop @@ -0,0 +1 @@ +thinkpad-brightness.laptop
\ No newline at end of file diff --git a/hostclasses b/hostclasses index 7d4274e..cebd7af 100644 --- a/hostclasses +++ b/hostclasses @@ -6,6 +6,7 @@ imap_server ^imap[0-9] dev_server ^dev[0-9] radius_server ^radius[0-9] laptop ^laptop[0-9] +roadwarrior_laptop ^rlaptop[0-9] postgresql_server ^postgres[0-9] dav_server ^dav[0-9] bitwarden_server ^bitwarden[0-9] diff --git a/lib/10-core b/lib/10-core index a97340d..bd4e80a 100644 --- a/lib/10-core +++ b/lib/10-core @@ -81,6 +81,19 @@ _boxconf_decrypt(){ fi } +_boxconf_decrypt_key(){ + # Decrypt an OpenSSL key file using the vault password. + # $1 = encrypted key file + # $2 = plaintext output file (or stdout if unset) + _boxconf_get_vault_password + + if [ $# -gt 1 ]; then + PASS=$BOXCONF_VAULT_PASSWORD openssl ec -in "$1" -out "$2" -passin env:PASS + else + PASS=$BOXCONF_VAULT_PASSWORD openssl ec -in "$1" -passin env:PASS + fi +} + _boxconf_is_encrypted(){ # Check if a given file is encrypted. head -n1 "$1" | grep -q '^Salted__' @@ -144,7 +157,7 @@ _boxconf_stage(){ set -f _bcs_relevant_files=$(find -L "$BOXCONF_ROOT" -type f -and \( \ -path "${BOXCONF_CA_DIR}/ca.crt" \ - -or -path "${BOXCONF_CA_DIR}/${_bcs_hostname}" \ + -or -path "${BOXCONF_CA_DIR}/${_bcs_hostname}/*" \ -or -path "${BOXCONF_VAR_DIR}/common" \ -or -path "${BOXCONF_VAR_DIR}/common/*" \ -or -path "${BOXCONF_VAR_DIR}/os/*" \ @@ -202,18 +215,20 @@ _boxconf_stage(){ set -- $_bcs_relevant_files IFS=$OIFS - for _bc_stage_fullpath; do + for _bcs_fullpath; do # Calculate the file's path relative to the BOXCONF_ROOT. - _bc_stage_relpath=${_bc_stage_fullpath#${BOXCONF_ROOT}/} + _bcs_relpath=${_bcs_fullpath#${BOXCONF_ROOT}/} # Create the file's parent directories (if any) in the stage dir. - mkdir -p "${_bcs_stagedir}/$(dirname "$_bc_stage_relpath")" + mkdir -p "${_bcs_stagedir}/$(dirname "$_bcs_relpath")" # Copy the file to the stage dir, decrypting if necessary. - if _boxconf_is_encrypted "$_bc_stage_fullpath"; then - _boxconf_decrypt "$_bc_stage_fullpath" "${_bcs_stagedir}/${_bc_stage_relpath}" + if _boxconf_is_encrypted "$_bcs_fullpath"; then + _boxconf_decrypt "$_bcs_fullpath" "${_bcs_stagedir}/${_bcs_relpath}" + elif head -n1 "$_bcs_fullpath" | grep -Fxq -- '-----BEGIN ENCRYPTED PRIVATE KEY-----'; then + _boxconf_decrypt_key "$_bcs_fullpath" "${_bcs_stagedir}/${_bcs_relpath}" else - cp -p "$_bc_stage_fullpath" "${_bcs_stagedir}/${_bc_stage_relpath}" + cp -p "$_bcs_fullpath" "${_bcs_stagedir}/${_bcs_relpath}" fi done } diff --git a/lib/60-ldap b/lib/60-ldap new file mode 100644 index 0000000..bc5bcff --- /dev/null +++ b/lib/60-ldap @@ -0,0 +1,56 @@ +#!/bin/sh + +ldap_add(){ + # Add a DN if it doesn't already exist. Takes ldif-formatted attributes on stdin. + # $1 = the DN + _ldap_add_dn=$1; shift + if ldapsearch -QLLL -s base -b "$_ldap_add_dn" dn > /dev/null 2>&1; then + log "${_ldap_add_dn} already exists" + else + { printf 'dn: %s\n' "$_ldap_add_dn"; cat; } | ldapadd -Q "$@" + fi +} + +ldap_modify(){ + # Modify a DN. Takes ldif-formatted attributes on stdin. + # $1 = the DN + _ldap_modify_dn=$1; shift + { printf 'dn: %s\nchangetype: modify\n' "$_ldap_modify_dn"; cat; } | ldapmodify -Q "$@" +} + +ldap_delete(){ + # Delete a DN. + # $1 = the DN + ldapdelete -Q "$@" +} + +ldap_add_attribute(){ + # Add a single attribute value to an object if it's not already present. + # $1 = DN + # $2 = attribute + # $3 = value + ldap_search -b "$1" -s base "(${2}=${3})" dn | grep -q '^dn:' || ldap_modify "$1" <<EOF +add: ${2} +${2}: ${3} +EOF +} + +ldap_replace_attribute(){ + # Replace all values for a single attribute. + # $1 = DN + # $2 = attribute + # $3..$N = values + _ldap_replattr_dn=$1; shift + _ldap_replattr_attr=$1; shift + + ldap_modify "$_ldap_replattr_dn" <<EOF +replace: ${ldap_replattr_attr} +$(printf "${ldap_replattr_attr}: %s\n" "$@") +EOF +} + +ldap_rdn_value(){ + # Get the leftmost attribute value from a DN. + # $1 = DN + echo "$1" | sed -E 's/^[^=]+=([^,]+),.*$/\1/' +} diff --git a/scripts/common/10-vars b/scripts/common/10-vars new file mode 100644 index 0000000..3cfbd8f --- /dev/null +++ b/scripts/common/10-vars @@ -0,0 +1,31 @@ +#!/bin/sh + +if [ "${idm_bootstrap:-}" = true ]; then + resolvers=$bootstrap_resolvers + pkg_host=$pkg_host_ip +else + : ${resolvers:="$(echo "$idm_server_list" | awk '{print $3}')"} +fi + +idm_hostnames=$(echo "$idm_server_list" | awk '{print $1}') + +realm=$(echo "$domain" | tr '[:lower:]' '[:upper:]') + +basedn=$(echo "$domain" | sed -e 's/^/dc=/' -e 's/\./,dc=/g') +ldap_uri=$(printf "ldap://%s.${domain}/ " $idm_hostnames) +ldaps_uri=$(printf "ldaps://%s.${domain}/ " $idm_hostnames) +ldap_hosts=$(printf "%s.${domain} " $idm_hostnames) +accounts_basedn="ou=accounts,${basedn}" +people_basedn="ou=people,${accounts_basedn}" +robots_basedn="ou=robots,${accounts_basedn}" +hosts_basedn="ou=hosts,${accounts_basedn}" +services_basedn="ou=services,${accounts_basedn}" +groups_basedn="ou=groups,${accounts_basedn}" +private_groups_basedn="ou=userprivate,${groups_basedn}" +roles_basedn="ou=roles,${groups_basedn}" +automount_basedn="ou=automount,${basedn}" +sudo_basedn="ou=sudo,${basedn}" +dns_basedn="ou=dns,${basedn}" +kdc_basedn="ou=dns,${basedn}" +mail_basedn="ou=mail,${basedn}" +mail_domains_basedn="ou=domains,${mail_basedn}" diff --git a/scripts/common/10-root-user b/scripts/common/20-root-user index 9a9f5e6..9a9f5e6 100644 --- a/scripts/common/10-root-user +++ b/scripts/common/20-root-user diff --git a/scripts/common/20-dns b/scripts/common/30-dns index e2d5ad6..e2d5ad6 100644 --- a/scripts/common/20-dns +++ b/scripts/common/30-dns diff --git a/scripts/hostclass/desktop b/scripts/hostclass/desktop new file mode 100644 index 0000000..d90081e --- /dev/null +++ b/scripts/hostclass/desktop @@ -0,0 +1,98 @@ +#!/bin/sh + +load_kernel_module linux linux64 acpi_ibm + +pkg install -y \ + chromium \ + compton \ + dino \ + dmenu \ + eclipse \ + firefox \ + git \ + krb5 \ + i3 \ + libreoffice \ + libva-intel-media-driver \ + networkmgr \ + py${python_version}-pip \ + stow \ + terminus-font \ + terminus-ttf \ + tmux \ + tree \ + wireguard-tools \ + xfontsel \ + xidle \ + xorg \ + xterm + +case $desktop_type in + i3) + pkg install \ + i3 \ + i3lock \ + i3status + ;; + kde) + pkg install \ + juk \ + k3b \ + kde5 \ + kid3-qt6 \ + kmix \ + konversation \ + sddm + ;; +esac + +set_sysctl \ + net.local.stream.recvspace=65536 \ + net.local.stream.sendspace=65536 \ + kern.sched.preempt_thresh=224 \ + vfs.usermount=1 \ + hw.snd.latency=7 + +set_loader_conf \ + kern.ipc.shmseg=1024 \ + kern.ipc.shmmni=1024 \ + kern.maxproc=100000 \ + linux_load=YES \ + linux64_load=YES \ + acpi_ibm_load=YES \ + compat.linuxkpi.i915_enable_dc=2 \ + compat.linuxkpi.i915_enable_fbc=1 \ + compat.linuxkpi.i915_fastboot=1 \ + compat.linuxkpi.i915_disable_power_well=1 \ + machdep.hwpstate_pkg_ctrl=0 \ + vfs.zfs.txg.timeout=10 \ + hw.pci.do_power_nodriver=3 + +# Create policy file for firefox. +install_directory -m 0755 /usr/local/lib/firefox/distribution +install_template -m 0644 /usr/local/lib/firefox/distribution/policies.json + +# Create policy file for chromium. +install_directory -m 0755 \ + /usr/local/etc/chromium/policies \ + /usr/local/etc/chromium/policies/managed +install_template -m 0644 /usr/local/etc/chromium/policies/managed/policies.json + +# Configure libreoffice +install_file -m 0644 /usr/local/lib/libreoffice/program/sofficerc + +# Add terminus font to X11 +install_file -m 0644 /usr/local/etc/X11/xorg.conf.d/terminus.conf + +# Enable dbus. +sysrc -v dbus_enable=YES +service dbus status || service dbus start + +# Configure graphics drivers. +case $graphics_type in + intel) + pkg install -y drm-kmod + sysrc -v kld_list+=i915kms + load_kernel_module i915kms + ;; +esac diff --git a/scripts/hostclass/idm_server/10-slapd b/scripts/hostclass/idm_server/10-slapd new file mode 100644 index 0000000..dc52a58 --- /dev/null +++ b/scripts/hostclass/idm_server/10-slapd @@ -0,0 +1,165 @@ +#!/bin/sh + +: ${slapd_root_dn:='cn=admin'} +: ${slapd_replicator_dn:="cn=replicator,${basedn}"} +: ${slapd_result_size_limit:='10000'} +: ${slapd_db_max_size:='1073741824'} # 1 GB +: ${slapd_accesslog_db_max_size:='134217728'} # 128 MB +: ${slapd_syncrepl_checkpoint_ops:='100'} +: ${slapd_syncrepl_checkpoint_minutes:='10'} +: ${slapd_syncrepl_session_log:='1000'} +: ${slapd_syncrepl_cleanup_age:='7'} +: ${slapd_syncrepl_cleanup_interval:='1'} + +slapd_user=ldap +slapd_data_dir=/var/db/openldap-data +slapd_conf_dir=/usr/local/etc/openldap +slapd_tls_cert="${slapd_conf_dir}/slapd.crt" +slapd_tls_key="${slapd_conf_dir}/slapd.key" +slapd_replicator_tls_cert="${slapd_conf_dir}/replicator.crt" +slapd_replicator_tls_key="${slapd_conf_dir}/replicator.key" +slapd_keytab="${keytab_dir}/slapd.keytab" + +is_primary_server(){ + # Return 0 if the current hostname is equal to $idm_primary_server. + # If $idm_primary_server is unset, use the first hostname in $idm_server_list. + _primary="${idm_primary_server:-$(echo "$idm_server_list" | awk 'NR==1{print $1}')}" + test "$BOXCONF_HOSTNAME" = "$_primary" +} + +pkg install -y \ + openldap26-server \ + cyrus-sasl-saslauthd + +# Create ZFS dataset for OpenLDAP DB. +create_dataset -o "mountpoint=${slapd_data_dir}" "${state_dataset}/openldap-data" + +# Copy TLS certificate for LDAP server. +install_certificate -o "$slapd_user" -g "$slapd_user" slapd "$slapd_tls_cert" +install_certificate_key -o "$slapd_user" -g "$slapd_user" slapd "$slapd_tls_key" + +# Copy client certificate for LDAP replication. +install_certificate -o "$slapd_user" -g "$slapd_user" replicator "$slapd_replicator_tls_cert" +install_certificate_key -o "$slapd_user" -g "$slapd_user" replicator "$slapd_replicator_tls_key" + +# Copy LDIF for the cn=config database. +install_template -m 0600 "${slapd_conf_dir}/slapd.ldif" + +# Copy third-party schema files. +install_file -m 0644 \ + "${slapd_conf_dir}/schema/rfc2307bis.ldif" \ + "${slapd_conf_dir}/schema/kerberos.ldif" \ + "${slapd_conf_dir}/schema/openssh-lpk.ldif" \ + "${slapd_conf_dir}/schema/sudo.ldif" \ + "${slapd_conf_dir}/schema/dnsdomain2.ldif" \ + "${slapd_conf_dir}/schema/mailservice.ldif" + +# Create the directories for the LDAP databases. +install_directory -m 0770 -o "$slapd_user" -g "$slapd_user" \ + "${slapd_data_dir}" \ + "${slapd_data_dir}/accesslog" + +# If slapd.d doesn't exist, populate it with slapd.ldif. +if [ ! -d "${slapd_conf_dir}/slapd.d" ]; then + install_directory -m 0700 -o "$slapd_user" "${slapd_conf_dir}/slapd.d" + slapadd -v -n0 -F "${slapd_conf_dir}/slapd.d" -l "${slapd_conf_dir}/slapd.ldif" + chown -R "${slapd_user}:${slapd_user}" "${slapd_conf_dir}/slapd.d" +fi + +# Enable OpenLDAP in /etc/rc.conf, and start it. +# Note: whatever LDAP IP you specified in $slapd_server_list must be present in +# the `-h` argument to slapd. That's how slapd figures out its own server ID. +sysrc -v \ + slapd_enable=YES \ + slapd_cn_config=YES \ + slapd_flags="-h 'ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/ ldaps://0.0.0.0/ ldaps://${BOXCONF_DEFAULT_IPV4}/'" \ + slapd_sockets="/var/run/openldap/ldapi" \ + slapd_krb5_ktname="$slapd_keytab" + +service slapd restart + +# Copy the LDAP client configs. +install_template -m 0644 "${slapd_conf_dir}/ldap.conf" + +# Copy slapd SASL configuration. +install_template -m 0644 /usr/local/lib/sasl2/slapd.conf + +# Allow slapd to read the saslauthd socket. +install_directory -m 0750 -o "$saslauthd_user" -g "$slapd_user" "$saslauthd_runtime_dir" + +# Enable and start saslauthd. +sysrc -v \ + saslauthd_flags='-a kerberos5' \ + saslauthd_enable=YES +service saslauthd restart + +# Create directory tree. +if is_primary_server; then + # dc=example,dc=com + ldap_add "$basedn" <<EOF +objectClass: dcObject +objectClass: organization +dc: $(ldap_rdn_value "$basedn") +o: ${site} +EOF + + # ou=accounts,dc=example,dc=com + ldap_add "$accounts_basedn" <<EOF +objectClass: organizationalUnit +ou: $(ldap_rdn_value "$accounts_basedn") +EOF + + # ou=people,ou=accounts,dc=example,dc=com + ldap_add "$people_basedn" <<EOF +objectClass: organizationalUnit +ou: $(ldap_rdn_value "$people_basedn") +EOF + + # ou=robots,ou=accounts,dc=example,dc=com + ldap_add "$robots_basedn" <<EOF +objectClass: organizationalUnit +ou: $(ldap_rdn_value "$robots_basedn") +EOF + + # ou=hosts,ou=accounts,dc=example,dc=com + ldap_add "$hosts_basedn" <<EOF +objectClass: organizationalUnit +ou: $(ldap_rdn_value "$hosts_basedn") +EOF + + # ou=services,ou=accounts,dc=example,dc=com + ldap_add "$services_basedn" <<EOF +objectClass: organizationalUnit +ou: $(ldap_rdn_value "$services_basedn") +EOF + + # ou=groups,ou=accounts,dc=example,dc=com + ldap_add "$groups_basedn" <<EOF +objectClass: organizationalUnit +ou: $(ldap_rdn_value "$groups_basedn") +EOF + + # ou=userprivate,ou=groups,ou=accounts,dc=example,dc=com + ldap_add "$private_groups_basedn" <<EOF +objectClass: organizationalUnit +ou: $(ldap_rdn_value "$private_groups_basedn") +EOF + + # ou=roles,ou=groups,ou=accounts,dc=example,dc=com + ldap_add "$roles_basedn" <<EOF +objectClass: organizationalUnit +ou: $(ldap_rdn_value "$roles_basedn") +EOF + + # ou=automount,dc=example,dc=com + ldap_add "$automount_basedn" <<EOF +objectClass: organizationalUnit +ou: $(ldap_rdn_value "$automount_basedn") +EOF + + # ou=sudo,dc=example,dc=com + ldap_add "$sudo_basedn" <<EOF +objectClass: organizationalUnit +ou: $(ldap_rdn_value "$sudo_basedn") +EOF +fi diff --git a/scripts/hostclass/idm_server/20-powerdns b/scripts/hostclass/idm_server/20-powerdns new file mode 100644 index 0000000..4d42ee9 --- /dev/null +++ b/scripts/hostclass/idm_server/20-powerdns @@ -0,0 +1,114 @@ +#!/bin/sh + +: ${pdns_port:='1053'} +: ${pdns_distributor_threads:='3'} +: ${pdns_receiver_threads:="$nproc"} +: ${pdns_allow_axfr_ips:='127.0.0.1/8'} +: ${pdns_cache_ttl:='30'} +: ${pdns_query_cache_ttl:='20'} +: ${pdns_negquery_cache_ttl:='60'} + +pdns_conf_dir=/usr/local/etc/pdns +pdns_runtime_dir=/var/run/pdns +pdns_soa_record="sOARecord: ${fqdn} root.${domain} 0 10800 3600 604800 3600" +pdns_ns_records=$(printf "nSRecord: %s.${domain}\n" $idm_hostnames) +pdns_user=pdns + +# Install PowerDNS. +pkg install -y powerdns + +# Generate PowerDNS configuration. +install_template -m 0644 "${pdns_conf_dir}/pdns.conf" + +# Enable PowerDNS and start it. +sysrc -v pdns_enable=YES +service pdns restart + +# Create initial IDM DNS records. +if is_primary_server; then + # ou=dns,dc=example,dc=com + ldap_add "$dns_basedn" <<EOF +objectClass: organizationalUnit +ou: $(ldap_rdn_value "$dns_basedn") +EOF + + # Forward DNS zone + # dc=idm.example.com,ou=dns,dc=example,dc=com + ldap_add "dc=${domain},${dns_basedn}" <<EOF +objectClass: dNSDomain +objectClass: domainRelatedObject +dc: ${domain} +${pdns_soa_record} +${pdns_ns_records} +$(echo "$idm_server_list" | awk '{print "aRecord: "$2}') +associatedDomain: ${domain} +EOF + + # Reverse DNS zone(s) + # dc=0.168.192.in-addr.arpa,ou=dns,dc=example.com + for zone in $reverse_dns_zones; do + ldap_add "dc=${zone},${dns_basedn}" <<EOF +objectClass: dNSDomain +objectClass: domainRelatedObject +${pdns_soa_record} +${pdns_ns_records} +associatedDomain: ${zone} +EOF + done + + # LDAP SRV record + ldap_add "dc=_ldap._tcp,dc=${domain},${dns_basedn}" <<EOF +objectClass: dNSDomain2 +objectClass: domainRelatedObject +associatedDomain: _ldap._tcp.${domain} +$(printf "sRVRecord: 0 100 389 %s.${domain}\n" ${idm_hostnames}) +EOF + + # LDAPS SRV record + ldap_add "dc=_ldaps._tcp,dc=${domain},${dns_basedn}" <<EOF +objectClass: dNSDomain2 +objectClass: domainRelatedObject +associatedDomain: _ldaps._tcp.${domain} +$(printf "sRVRecord: 0 100 636 %s.${domain}\n" ${idm_hostnames}) +EOF + + # Kerberos SRV record (UDP) + ldap_add "dc=_kerberos._udp,dc=${domain},${dns_basedn}" <<EOF +objectClass: dNSDomain2 +objectClass: domainRelatedObject +associatedDomain: _kerberos._udp.${domain} +$(printf "sRVRecord: 0 100 88 %s.${domain}\n" ${idm_hostnames}) +EOF + + # Kerberos SRV record (TCP) + ldap_add "dc=_kerberos._tcp,dc=${domain},${dns_basedn}" <<EOF +objectClass: dNSDomain2 +objectClass: domainRelatedObject +associatedDomain: _kerberos._tcp.${domain} +$(printf "sRVRecord: 0 100 88 %s.${domain}\n" ${idm_hostnames}) +EOF + + # Kadmin SRV record + ldap_add "dc=_kerberos-adm._tcp,dc=${domain},${dns_basedn}" <<EOF +objectClass: dNSDomain2 +objectClass: domainRelatedObject +associatedDomain: _kerberos-adm._tcp.${domain} +$(printf "sRVRecord: 0 100 749 %s.${domain}\n" ${idm_hostnames}) +EOF + + # Kpasswd SRV record + ldap_add "dc=_kpasswd._udp,dc=${domain},${dns_basedn}" <<EOF +objectClass: dNSDomain2 +objectClass: domainRelatedObject +associatedDomain: _kpasswd._udp.${domain} +$(printf "sRVRecord: 0 100 464 %s.${domain}\n" ${idm_hostnames}) +EOF + + # Kerberos realm TXT record + ldap_add "dc=_kerberos,dc=${domain},${dns_basedn}" <<EOF +objectClass: dNSDomain2 +objectClass: domainRelatedObject +associatedDomain: _kerberos.${domain} +tXTRecord: ${realm} +EOF +fi diff --git a/scripts/hostclass/idm_server/30-kdc b/scripts/hostclass/idm_server/30-kdc new file mode 100644 index 0000000..4921688 --- /dev/null +++ b/scripts/hostclass/idm_server/30-kdc @@ -0,0 +1,12 @@ +#!/bin/sh + +# Install MIT kerberos. +pkg install -y krb5 + +if is_primary_server; then + # ou=kdc,dc=example,dc=com + ldap_add "$kdc_basedn" <<EOF +objectClass: organizationalUnit +ou: $(ldap_rdn_value "$dns_basedn") +EOF +fi diff --git a/scripts/hostclass/idm_server/90-idm b/scripts/hostclass/idm_server/90-idm new file mode 100644 index 0000000..7881f14 --- /dev/null +++ b/scripts/hostclass/idm_server/90-idm @@ -0,0 +1,9 @@ +#!/bin/sh + +# Create host object for this server +# Create ldap service principal for this server +# Create A record +# Create PTR record +# Create boxconf user +# Create sudo rules +# Create admin group diff --git a/scripts/hostclass/laptop b/scripts/hostclass/laptop new file mode 100644 index 0000000..83c7457 --- /dev/null +++ b/scripts/hostclass/laptop @@ -0,0 +1,15 @@ +#!/bin/sh + +# Set USB power savings +usbconfig | awk -F: '{ print $1 }' | xargs -rtn1 -I% usbconfig -d % power_save ||: +install_file /etc/rc.local + +# Create devd rule for lid close. +install_file -m 0555 /usr/local/libexec/lid-close +install_file -m 0644 /etc/devd/lid-close.conf +service devd restart + +# Configure wireless card. +sysrc -v \ + create_args_wlan0='country US regdomain FCC' \ + ifconfig_wlan0="WPA DHCP powersave" diff --git a/scripts/hostclass/pkg_repository b/scripts/hostclass/pkg_repository index b86704a..a356b3e 100644 --- a/scripts/hostclass/pkg_repository +++ b/scripts/hostclass/pkg_repository @@ -28,7 +28,9 @@ pkg install -y \ install_template -m 0644 \ /usr/local/etc/poudriere.conf \ "${poudriere_conf_dir}/make.conf" \ - "${poudriere_conf_dir}/pkglist" + "${poudriere_conf_dir}/idm-make.conf" \ + "${poudriere_conf_dir}/pkglist" \ + "${poudriere_conf_dir}/idm-pkglist" install_file -m 0400 /usr/local/etc/ssl/repo.key install_directory -m 0755 /usr/ports/distfiles install_directory -m 0755 -o nobody -g nobody "${poudriere_data_dir}/ccache" @@ -57,10 +59,12 @@ for version in $poudriere_versions; do [ -d "${poudriere_data_dir}/jails/${jail}" ] || poudriere jail -c -j "$jail" -v "$version" poudriere jail -u -j "$jail" + poudriere bulk -v -j "$jail" -f "${poudriere_conf_dir}/idm-pkglist" -p latest -z idm poudriere bulk -v -j "$jail" -f "${poudriere_conf_dir}/pkglist" -p latest install_directory -m 0755 "${poudriere_data_dir}/data/packages/${abi}" ln -snfv "../${jail}-latest" "${poudriere_data_dir}/data/packages/${abi}/latest" + ln -snfv "../${jail}-latest-idm" "${poudriere_data_dir}/data/packages/${abi}/latest-idm" done # Clean stale distfiles and logs. diff --git a/scripts/hostclass/roadwarrior_laptop/10-desktop b/scripts/hostclass/roadwarrior_laptop/10-desktop new file mode 120000 index 0000000..2c7c348 --- /dev/null +++ b/scripts/hostclass/roadwarrior_laptop/10-desktop @@ -0,0 +1 @@ +../desktop
\ No newline at end of file diff --git a/scripts/hostclass/roadwarrior_laptop/20-laptop b/scripts/hostclass/roadwarrior_laptop/20-laptop new file mode 120000 index 0000000..874f665 --- /dev/null +++ b/scripts/hostclass/roadwarrior_laptop/20-laptop @@ -0,0 +1 @@ +../laptop
\ No newline at end of file diff --git a/scripts/hostclass/roadwarrior_laptop/30-roadwarrior b/scripts/hostclass/roadwarrior_laptop/30-roadwarrior new file mode 100644 index 0000000..2cc0a3e --- /dev/null +++ b/scripts/hostclass/roadwarrior_laptop/30-roadwarrior @@ -0,0 +1,6 @@ +#!/bin/sh + +# Configure sudoers. +install_file -m 0600 \ + /usr/local/etc/sudoers \ + /usr/local/etc/sudoers.d/networkmgr diff --git a/scripts/hostname/rlaptop1 b/scripts/hostname/rlaptop1 new file mode 100644 index 0000000..874c9dd --- /dev/null +++ b/scripts/hostname/rlaptop1 @@ -0,0 +1,21 @@ +#!/bin/sh + +set_loader_conf \ + if_iwm_load=YES \ + iwm8265fw_load=YES + +sysrc -v wlans_iwm0='wlan0' + +# On this laptop, kern.vt.suspendswitch=1 (the default) breaks graphics +# acceleration after resuming from sleep. +set_sysctl \ + dev.acpi_ibm.0.handlerevents='0x10 0x11' \ + kern.vt.suspendswitch=0 + +install_file -m 0555 /usr/local/libexec/thinkpad-brightness +install_file -m 0644 /etc/devd/thinkpad-brightness.conf + +service devd restart + +pw usershow cullum || \ + pw useradd cullum -c "Cullum Smith" -d /home/cullum -G wheel,operator,video -s /bin/sh -m -M 700 diff --git a/scripts/os/freebsd/30-ssh b/scripts/os/freebsd/30-ssh index 91b1991..7a57943 100644 --- a/scripts/os/freebsd/30-ssh +++ b/scripts/os/freebsd/30-ssh @@ -28,4 +28,5 @@ install_template -m 0644 \ /etc/ssh/ssh_config # Restart sshd. +sysrc -v sshd_enable=YES service sshd restart diff --git a/scripts/os/freebsd/40-pkg b/scripts/os/freebsd/40-pkg index 7c1c828..46adc66 100644 --- a/scripts/os/freebsd/40-pkg +++ b/scripts/os/freebsd/40-pkg @@ -4,7 +4,7 @@ case $BOXCONF_HOSTCLASS in pkg_repository) return # Do nothing. ;; - freebsd_hypervisor) + freebsd_hypervisor|roadwarrior_laptop) ;; # Keep default FreeBSD pkg repository. *) # Configure on-prem pkg repository. diff --git a/vars/common b/vars/common index 6ecfc24..845b0b8 100644 --- a/vars/common +++ b/vars/common @@ -12,11 +12,31 @@ root_mail_alias="you@${email_domain}" smtp_host_ip=1.2.3.4 timezone=America/New_York +# hostname id ipv4 +idm_server_list="\ +idm1 1 1.2.3.4 +idm2 2 5.6.7.8" + +reverse_dns_zones="0.168.192.in-addr.arpa 12.11.10.in-addr.arpa" + + +############################################################################### +# Variables following this line do not (generally) need to be changed. +############################################################################### nproc=$(nproc) allowed_tcp_ports=ssh bootstrap_resolvers='1.1.1.1' +desktop_type=kde fqdn="${BOXCONF_HOSTNAME}.${domain}" +graphics_type=intel +idm_admin_username='s-boxconf' +idm_admin_uid='20000' +idm_admin_groupname='sysadmins' +idm_admin_gid='30000' +nslcd_min_uid=1000 +nscd_ttl=600 +nscd_negative_ttl=20 smtp_host="smtp.${domain}" ssh_authzkeys_user=_authzkeys tcp_buffer_size=2097152 # suitable for 1 GigE @@ -28,7 +48,3 @@ if $(( nproc > 4 )); then else nginx_worker_processes=$nproc fi - -if [ "${idm_bootstrap:-}" = true ]; then - resolvers=$bootstrap_resolvers -fi diff --git a/vars/hostclass/idm_server b/vars/hostclass/idm_server new file mode 100644 index 0000000..eec6d1c --- /dev/null +++ b/vars/hostclass/idm_server @@ -0,0 +1,9 @@ +#!/bin/sh + +allowed_tcp_ports='ssh ldap ldaps domain kerberos-sec kerberos-adm' +allowed_udp_ports='domain kerberos-sec kpasswd' + +ssh_authorized_keys_user=nobody + +unbound_blocklists="\ +https://raw.githubusercontent.com/hagezi/dns-blocklists/main/unbound/pro.plus.blacklist.conf" diff --git a/vars/hostclass/roadwarrior_laptop b/vars/hostclass/roadwarrior_laptop new file mode 100644 index 0000000..99f8b9c --- /dev/null +++ b/vars/hostclass/roadwarrior_laptop @@ -0,0 +1,2 @@ +#!/bin/sh +resolvers=$bootstrap_resolvers diff --git a/vars/hostname/rlaptop1 b/vars/hostname/rlaptop1 new file mode 100644 index 0000000..0eb1518 --- /dev/null +++ b/vars/hostname/rlaptop1 @@ -0,0 +1,3 @@ +#!/bin/sh + +desktop_type=i3 diff --git a/vars/os/freebsd b/vars/os/freebsd index 0d4a6fb..17e7edb 100644 --- a/vars/os/freebsd +++ b/vars/os/freebsd @@ -10,7 +10,11 @@ intel_epp=50 export ASSUME_ALWAYS_YES=yes acme_standalone_port=9080 acme_uid=169 +keytab_dir=/var/db/keytabs nfscbd_port=7745 +python_version=311 +saslauthd_runtime_dir=/var/run/saslauthd +saslauthd_user=cyrus site_cacert_path=/usr/local/etc/ssl/certs/ca.crt ssh_host_key_dir=/var/db/ssh |