Diffstat (limited to 'scripts/hostclass/idm_server')
-rw-r--r--scripts/hostclass/idm_server/10-slapd13
-rw-r--r--scripts/hostclass/idm_server/20-powerdns2
-rw-r--r--scripts/hostclass/idm_server/30-kdc41
-rw-r--r--scripts/hostclass/idm_server/40-unbound40
-rw-r--r--scripts/hostclass/idm_server/90-idm96
5 files changed, 177 insertions, 15 deletions
diff --git a/scripts/hostclass/idm_server/10-slapd b/scripts/hostclass/idm_server/10-slapd
index dc52a58..204c405 100644
--- a/scripts/hostclass/idm_server/10-slapd
+++ b/scripts/hostclass/idm_server/10-slapd
@@ -10,10 +10,13 @@
: ${slapd_syncrepl_session_log:='1000'}
: ${slapd_syncrepl_cleanup_age:='7'}
: ${slapd_syncrepl_cleanup_interval:='1'}
+: ${slapd_admin_role:='role-ldap-admin'}
slapd_user=ldap
slapd_data_dir=/var/db/openldap-data
slapd_conf_dir=/usr/local/etc/openldap
+slapd_socket=/var/run/openldap/ldapi
+slapd_ldapi_uri="ldapi://$(echo "$slapd_socket" | sed 's|/|%2f|g')"
slapd_tls_cert="${slapd_conf_dir}/slapd.crt"
slapd_tls_key="${slapd_conf_dir}/slapd.key"
slapd_replicator_tls_cert="${slapd_conf_dir}/replicator.crt"
@@ -72,8 +75,8 @@ fi
sysrc -v \
slapd_enable=YES \
slapd_cn_config=YES \
- slapd_flags="-h 'ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/ ldaps://0.0.0.0/ ldaps://${BOXCONF_DEFAULT_IPV4}/'" \
- slapd_sockets="/var/run/openldap/ldapi" \
+ slapd_flags="-h '${slapd_ldapi_uri}/ ldap://0.0.0.0/ ldaps://0.0.0.0/ ldaps://${BOXCONF_DEFAULT_IPV4}/'" \
+ slapd_sockets="$slapd_socket" \
slapd_krb5_ktname="$slapd_keytab"
service slapd restart
@@ -151,6 +154,12 @@ objectClass: organizationalUnit
ou: $(ldap_rdn_value "$roles_basedn")
EOF
+ # cn=role-ldap-admin,ou=roles,ou=groups,ou=accounts,dc=example,dc=com
+ ldap_add "cn=${slapd_admin_role},${roles_basedn}" <<EOF
+objectClass: groupOfMembers
+cn: ${slapd_admin_role}
+EOF
+
# ou=automount,dc=example,dc=com
ldap_add "$automount_basedn" <<EOF
objectClass: organizationalUnit
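Review bot: The comment above the new role entry, `# cn=role-ldap-admin,ou=roles,ou=groups,ou=accounts,dc=example,dc=com`, hard-codes the default value while the DN on the next line is built from `${slapd_admin_role}`, which the first hunk makes overridable through its `:=` default, so the comment goes stale the moment an operator overrides it. Writing it as `# cn=${slapd_admin_role},${roles_basedn} (default: role-ldap-admin)` keeps it in step with the code and matches the form of the neighbouring `# ou=automount,...` comments. The group is created with no members and nothing in this hunk grants it any access, so presumably membership and the matching olcAccess rules live in the slapd template or a later script; a one-line pointer to where this role is actually honoured would save the next reader a search.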
diff --git a/scripts/hostclass/idm_server/20-powerdns b/scripts/hostclass/idm_server/20-powerdns
index 4d42ee9..26abe52 100644
--- a/scripts/hostclass/idm_server/20-powerdns
+++ b/scripts/hostclass/idm_server/20-powerdns
@@ -40,7 +40,7 @@ objectClass: domainRelatedObject
dc: ${domain}
${pdns_soa_record}
${pdns_ns_records}
-$(echo "$idm_server_list" | awk '{print "aRecord: "$2}')
+$(echo "$idm_server_list" | awk '{print "aRecord: "$3}')
associatedDomain: ${domain}
EOF
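Review bot: The awk column switch from `$2` to `$3` on the `aRecord:` line is a bare magic number: nothing in this file says what the fields of `idm_server_list` are, so a reader cannot tell whether `$3` is the IPv4 address or why `$2` was wrong. A short comment above the heredoc naming the expected layout, e.g. `# idm_server_list: one server per line, field 3 is the IPv4 address (see where it is built)`, would make the choice auditable; I am inferring the layout from the attribute name, so please confirm it against the producer of `idm_server_list`. It is also worth checking that the producer and this consumer changed together, since a mismatch here silently publishes the wrong address in DNS. The `ldap_add ... <<EOF` that this heredoc belongs to starts before the hunk.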
diff --git a/scripts/hostclass/idm_server/30-kdc b/scripts/hostclass/idm_server/30-kdc
index 4921688..abe040a 100644
--- a/scripts/hostclass/idm_server/30-kdc
+++ b/scripts/hostclass/idm_server/30-kdc
@@ -1,12 +1,43 @@
#!/bin/sh
+kdc_conf_dir=/usr/local/var/krb5kdc
+kdc_master_key_path="${kdc_conf_dir}/master_key"
+
+: ${kdc_max_life:='24h'}
+: ${kdc_max_renewable_life:='7d'}
+
# Install MIT kerberos.
pkg install -y krb5
+# Generate the system kerberos configuration.
+install_template -m 0644 /etc/krb5.conf
+ln -snfv /etc/krb5.conf /usr/local/etc/krb5.conf
+
+# Generate KDC configuration files.
+install_template -m 0644 \
+ "${kdc_conf_dir}/kdc.conf" \
+ "${kdc_conf_dir}/kadm5.acl"
+
+# If the realm does not exist in LDAP, create it. Otherwise, stash the master key.
+if is_primary_server && ! ldap_dn_exists "$kdc_basedn"; then
+ kdb5_ldap_util -P "$kdc_master_key" create -subtrees "$accounts_basedn" -sscope SUB -s
+elif ! [ -f "$kdc_master_key_path" ]; then
+ kdb5_util -P "$kdc_master_key" stash
+fi
+
+# Start the KDC and kadmind.
+sysrc -v \
+ kdc_program=/usr/local/sbin/krb5kdc \
+ kadmind_program=/usr/local/sbin/kadmind \
+ kdc_flags="" \
+ kdc_enable=YES \
+ kadmind_enable=YES
+
+service kdc restart
+service kadmind restart
+
+# Create the boxconf administrative user.
if is_primary_server; then
- # ou=kdc,dc=example,dc=com
- ldap_add "$kdc_basedn" <<EOF
-objectClass: organizationalUnit
-ou: $(ldap_rdn_value "$dns_basedn")
-EOF
+ kadmin.local get_principal -terse "$boxconf_username" \
+ || kadmin.local add_principal -pw "$boxconf_password" -x "containerdn=${robots_basedn}" "$boxconf_username"
fi
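Review bot: The realm master key and the boxconf password are passed on the command line at `kdb5_ldap_util -P "$kdc_master_key" create ...`, `kdb5_util -P "$kdc_master_key" stash` and `kadmin.local add_principal -pw "$boxconf_password" ...`, which exposes both secrets in the process table to any local user for the lifetime of each command and to any shell tracing or logging that captures the command line. If the krb5 tooling in use offers a non-argv path for these values, prefer it; if it does not, a comment recording the exposure window (and that the realm creation runs once, only on the primary) is the least that should be written down. The stash check `elif ! [ -f "$kdc_master_key_path" ]` assumes the stash lands at `${kdc_conf_dir}/master_key`, but that location comes from the kdc.conf template, which is not in this diff, so please confirm the two agree or the stash will be redone on every rebuild. is_primary_server, install_template and ldap_dn_exists are defined outside this file.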
diff --git a/scripts/hostclass/idm_server/40-unbound b/scripts/hostclass/idm_server/40-unbound
new file mode 100644
index 0000000..39f1317
--- /dev/null
+++ b/scripts/hostclass/idm_server/40-unbound
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+unbound_user=unbound
+unbound_conf_dir=/usr/local/etc/unbound
+unbound_blocklist_dir="${unbound_conf_dir}/blocklists"
+unbound_blocklist_url_file="${unbound_conf_dir}/blocklist_urls"
+
+: ${unbound_blocklist_urls:=''}
+: ${unbound_cache_max_negative_ttl:='60'}
+: ${unbound_rrset_cache_size:='104857600'} # 100 MB
+: ${unbound_msg_cache_size:='52428800'} # 50 MB
+: ${unbound_slabs:='2'}
+: ${unbound_insecure_domains:=''}
+: ${unbound_local_zones:=''}
+: ${unbound_local_data:=''}
+: ${unbound_blocklists:=''}
+: ${unbound_threads:="$nproc"}
+
+# Install unbound recursive resolver.
+pkg install -y unbound
+
+# Generate unbound configuration.
+install_directory -m 0755 -o "$unbound_user" "$unbound_blocklist_dir"
+install_template -m 0644 "${unbound_conf_dir}/unbound.conf"
+
+# Download blocklists.
+echo "$unbound_blocklists" | tee "$unbound_blocklist_url_file"
+install_file -m 0755 /usr/local/libexec/idm-update-unbound-blocklists
+su -m "$unbound_user" -c "/usr/local/libexec/idm-update-unbound-blocklists ${unbound_blocklist_dir} < ${unbound_blocklist_url_file}"
+
+# Enable and start unbound.
+sysrc -v unbound_enable=YES
+service unbound restart
+
+# Now we are ready to us unbound as the local resolver.
+install_template -m 0644 /etc/resolv.conf
+
+# Update blocklists with a cron job.
+echo "@daily root su -m ${unbound_user} -c \"/usr/local/libexec/idm-update-unbound-blocklists ${unbound_blocklist_dir} < ${unbound_blocklist_url_file}\" && service unbound reload" \
+ | tee /etc/cron.d/idm-update-unbound-blocklists
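Review bot: Two different variables describe the blocklist source: `: ${unbound_blocklist_urls:=''}` is declared at the top but never referenced in this file, while the URL file is filled from `unbound_blocklists` (`echo "$unbound_blocklists" | tee "$unbound_blocklist_url_file"`); unless the unbound.conf template consumes `unbound_blocklist_urls`, one of the two is a leftover, and an operator who sets the more descriptive-looking `unbound_blocklist_urls` will silently get no blocklists. Pick one name, or make the intent explicit with a comment on each. The URLs feed an updater that is not in this diff, and whatever it fetches is loaded by unbound and refreshed daily from cron, so a comment here stating what format the updater validates and over what transport it fetches would let a reader judge the trust placed in those URLs. The comment `# Now we are ready to us unbound as the local resolver.` has a typo (`use`).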
diff --git a/scripts/hostclass/idm_server/90-idm b/scripts/hostclass/idm_server/90-idm
index 7881f14..0a28491 100644
--- a/scripts/hostclass/idm_server/90-idm
+++ b/scripts/hostclass/idm_server/90-idm
@@ -1,9 +1,91 @@
#!/bin/sh
-# Create host object for this server
-# Create ldap service principal for this server
-# Create A record
-# Create PTR record
-# Create boxconf user
-# Create sudo rules
-# Create admin group
+# Create host object.
+ldap_add "cn=${BOXCONF_HOSTNAME},${hosts_basedn}" <<EOF
+objectClass: device
+objectClass: domainRelatedObject
+objectClass: ldapPublicKey
+cn: ${BOXCONF_HOSTNAME}
+associatedDomain: ${fqdn}
+$(cat /usr/local/etc/ssh/ssh_host_*_key.pub | cut -d' ' -f-2 | sed 's/^/sshPublicKey: /')
+description: $(uname -mrs) ${BOXCONF_HOSTCLASS}
+EOF
+
+# Update attributes that may have changed.
+ldap_modify "cn=${BOXCONF_HOSTNAME},${hosts_basedn}" <<EOF
+replace: sshPublicKey
+$(cat /usr/local/etc/ssh/ssh_host_*_key.pub | cut -d' ' -f-2 | sed 's/^/sshPublicKey: /')
+-
+replace: description
+description: $(uname -mrs) ${BOXCONF_HOSTCLASS}
+EOF
+
+# Create A record.
+ldap_add "dc=${BOXCONF_HOSTNAME},dc=${domain},${dns_basedn}" <<EOF
+objectClass: dNSDomain
+objectClass: domainRelatedObject
+dc: ${BOXCONF_HOSTNAME}
+aRecord: ${BOXCONF_DEFAULT_IPV4}
+associatedDomain: ${fqdn}
+EOF
+
+# Create PTR record.
+rdns=$(ip2rdns "$BOXCONF_DEFAULT_IPV4")
+ldap_add "dc=${rdns%%.*},dc=${rdns#*.},${dns_basedn}" <<EOF
+objectClass: dNSDomain2
+objectClass: domainRelatedObject
+dc: ${rdns%%.*}
+pTRRecord: ${fqdn}
+associatedDomain: ${rdns}
+EOF
+
+# Create host principal.
+kadmin.local get_principal -terse "host/${fqdn}" \
+ || kadmin.local add_principal -nokey -x "dn=cn=${BOXCONF_HOSTNAME},${hosts_basedn}" "host/${fqdn}"
+
+# Create ldap service principal.
+kadmin.local get_principal -terse "ldap/${fqdn}" \
+ || kadmin.local add_principal -nokey -x "containerdn=${services_basedn}" "ldap/${fqdn}"
+
+# Create state dataset to persist keytabs across OS rebuilds.
+create_dataset -o "mountpoint=${keytab_dir}" "${state_dataset}/keytabs"
+
+# Export host keytab.
+[ -f "${keytab_dir}/host.keytab" ] || kadmin.local ktadd -k "${keytab_dir}/host.keytab" -q "host/${fqdn}"
+ln -snfv "${keytab_dir}/host.keytab" /etc/krb5.keytab
+
+# Export slapd keytab.
+[ -f "$slapd_keytab" ] || kadmin.local ktadd -k "$slapd_keytab" -q "ldap/${fqdn}"
+chown "$slapd_user" "$slapd_keytab"
+
+# Install PAM/NSS integration packages.
+pkg install -y \
+ nss-pam-ldapd-sasl \
+ pam_krb5 \
+ perl5 \
+ p5-perl-ldap \
+ p5-Authen-SASL
+
+# Configure PAM/NSS integration.
+install_file -m 0644 \
+ /etc/nsswitch.conf \
+ /etc/pam.d/sshd
+
+install_template -m 0644 \
+ /usr/local/etc/nslcd.conf \
+ /etc/nscd.conf
+
+sysrc -v \
+ nslcd_enable=YES \
+ nscd_enable=YES
+
+service nslcd restart
+service nscd restart
+
+# Create ldap.conf symlink.
+ln -snfs "${slapd_conf_dir}/ldap.conf" /usr/local/etc/ldap.conf
+
+# Copy IDM helper scripts for SSH.
+install_file -m 0555 \
+ /usr/local/libexec/idm-ssh-known-hosts \
+ /usr/local/libexec/idm-ssh-authorized-keys
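Review bot: The keytabs persisted on the state dataset get no explicit mode: `chown "$slapd_user" "$slapd_keytab"` changes only ownership, and the host keytab that is linked to /etc/krb5.keytab gets neither; I believe MIT's ktadd creates keytab files 0600, but that is worth pinning rather than relying on, since these are long-lived service keys that survive OS rebuilds. Adding `chmod 0600 "${keytab_dir}/host.keytab"` after the host `ktadd` guard and `chmod 0600 "$slapd_keytab"` beside the chown makes the intent explicit. Separately, `ln -snfs "${slapd_conf_dir}/ldap.conf" /usr/local/etc/ldap.conf` repeats `-s` where the earlier link uses `-snfv`; presumably `-v` was meant. The `[ -f ... ] || kadmin.local ktadd` guards also mean a keytab that survives a rebuild is never refreshed if the principal's keys change, which is fine if intentional but deserves a comment.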