From 6e00c9e8137aae1fb8dd568a62d9fb5fc4a277cb Mon Sep 17 00:00:00 2001 From: Cullum Smith Date: Tue, 24 Sep 2024 22:35:45 -0400 Subject: finish up idm_server hostclass --- scripts/hostclass/idm_server/30-kdc | 41 ++++++++++++++++++++++++++++++++----- 1 file changed, 36 insertions(+), 5 deletions(-) (limited to 'scripts/hostclass/idm_server/30-kdc') diff --git a/scripts/hostclass/idm_server/30-kdc b/scripts/hostclass/idm_server/30-kdc index 4921688..abe040a 100644 --- a/scripts/hostclass/idm_server/30-kdc +++ b/scripts/hostclass/idm_server/30-kdc @@ -1,12 +1,43 @@ #!/bin/sh +kdc_conf_dir=/usr/local/var/krb5kdc +kdc_master_key_path="${kdc_conf_dir}/master_key" + +: ${kdc_max_life:='24h'} +: ${kdc_max_renewable_life:='7d'} + # Install MIT kerberos. pkg install -y krb5 +# Generate the system kerberos configuration. +install_template -m 0644 /etc/krb5.conf +ln -snfv /etc/krb5.conf /usr/local/etc/krb5.conf + +# Generate KDC configuration files. +install_template -m 0644 \ + "${kdc_conf_dir}/kdc.conf" \ + "${kdc_conf_dir}/kadm5.acl" + +# If the realm does not exist in LDAP, create it. Otherwise, stash the master key. +if is_primary_server && ! ldap_dn_exists "$kdc_basedn"; then + kdb5_ldap_util -P "$kdc_master_key" create -subtrees "$accounts_basedn" -sscope SUB -s +elif ! [ -f "$kdc_master_key_path" ]; then + kdb5_util -P "$kdc_master_key" stash +fi + +# Start the KDC and kadmind. +sysrc -v \ + kdc_program=/usr/local/sbin/krb5kdc \ + kadmind_program=/usr/local/sbin/kadmind \ + kdc_flags="" \ + kdc_enable=YES \ + kadmind_enable=YES + +service kdc restart +service kadmind restart + +# Create the boxconf administrative user. if is_primary_server; then - # ou=kdc,dc=example,dc=com - ldap_add "$kdc_basedn" <