From cd1ce69f104686bbb33e049c2c4c112e78febd36 Mon Sep 17 00:00:00 2001
From: Cullum Smith <cullum@sacredheartsc.com>
Date: Wed, 25 Sep 2024 21:38:13 -0400
Subject: finish idm client stuff

---
 scripts/common/10-vars                |   3 +
 scripts/hostclass/idm_server/10-slapd |  34 ++++++----
 scripts/hostclass/idm_server/30-kdc   |   6 --
 scripts/hostclass/idm_server/90-idm   |  16 ++++-
 scripts/os/freebsd/50-idm             | 114 ++++++++++++++++++++++++++++++++++
 5 files changed, 152 insertions(+), 21 deletions(-)
 create mode 100644 scripts/os/freebsd/50-idm

(limited to 'scripts')

diff --git a/scripts/common/10-vars b/scripts/common/10-vars
index 2f0dc9d..3b01cd2 100644
--- a/scripts/common/10-vars
+++ b/scripts/common/10-vars
@@ -5,6 +5,7 @@ if [ "${idm_bootstrap:-}" = true ]; then
   pkg_host=$pkg_host_ip
 else
   : ${resolvers:="$(echo "$idm_server_list" | awk '{print $3}')"}
+  : ${pkg_host:="pkg.${domain}"}
 fi
 
 idm_hostnames=$(echo "$idm_server_list" | awk '{print $1}')
@@ -32,3 +33,5 @@ dns_basedn="ou=dns,${basedn}"
 kdc_basedn="cn=kdc,${basedn}"
 mail_basedn="ou=mail,${basedn}"
 mail_domains_basedn="ou=domains,${mail_basedn}"
+
+boxconf_dn="krbPrincipalName=${boxconf_username}@${realm},${robots_basedn}"
diff --git a/scripts/hostclass/idm_server/10-slapd b/scripts/hostclass/idm_server/10-slapd
index 204c405..83cdbb6 100644
--- a/scripts/hostclass/idm_server/10-slapd
+++ b/scripts/hostclass/idm_server/10-slapd
@@ -37,6 +37,17 @@ pkg install -y \
 # Create ZFS dataset for OpenLDAP DB.
 create_dataset -o "mountpoint=${slapd_data_dir}" "${state_dataset}/openldap-data"
 
+# To prevent a circular dependency in poudriere, we have to make a special "set"
+# of packages for the IDM hosts in which cyrus-sasl-gssapi is built with the
+# Heimdal libraries in base, rather than MIT.
+#
+# Heimdal does not support the KRB5_KTNAME environment variable with slapd.
+# However, you *can* specify a keytab by creating a ~/.krb5/config file in
+# the slapd user's home directory.
+pw user mod "$slapd_user" -d "$slapd_conf_dir"
+install_directory -m 0755 "${slapd_conf_dir}/.krb5"
+install_template -m 0644 "${slapd_conf_dir}/.krb5/config"
+
 # Copy TLS certificate for LDAP server.
 install_certificate     -o "$slapd_user" -g "$slapd_user" slapd "$slapd_tls_cert"
 install_certificate_key -o "$slapd_user" -g "$slapd_user" slapd "$slapd_tls_key"
@@ -69,18 +80,6 @@ if [ ! -d "${slapd_conf_dir}/slapd.d" ]; then
   chown -R "${slapd_user}:${slapd_user}" "${slapd_conf_dir}/slapd.d"
 fi
 
-# Enable OpenLDAP in /etc/rc.conf, and start it.
-# Note: whatever LDAP IP you specified in $slapd_server_list must be present in
-# the `-h` argument to slapd. That's how slapd figures out its own server ID.
-sysrc -v \
-  slapd_enable=YES \
-  slapd_cn_config=YES \
-  slapd_flags="-h '${slapd_ldapi_uri}/ ldap://0.0.0.0/ ldaps://0.0.0.0/ ldaps://${BOXCONF_DEFAULT_IPV4}/'" \
-  slapd_sockets="$slapd_socket" \
-  slapd_krb5_ktname="$slapd_keytab"
-
-service slapd restart
-
 # Copy the LDAP client configs.
 install_template -m 0644 "${slapd_conf_dir}/ldap.conf"
 
@@ -90,11 +89,20 @@ install_template -m 0644 /usr/local/lib/sasl2/slapd.conf
 # Allow slapd to read the saslauthd socket.
 install_directory -m 0750 -o "$saslauthd_user" -g "$slapd_user" "$saslauthd_runtime_dir"
 
-# Enable and start saslauthd.
+# Enable OpenLDAP in /etc/rc.conf, and start it.
+# Note: whatever LDAP IP you specified in $slapd_server_list must be present in
+# the `-h` argument to slapd. That's how slapd figures out its own server ID.
 sysrc -v \
+  slapd_enable=YES \
+  slapd_cn_config=YES \
+  slapd_flags="-h '${slapd_ldapi_uri}/ ldap://0.0.0.0/ ldaps://0.0.0.0/ ldaps://${BOXCONF_DEFAULT_IPV4}/'" \
+  slapd_sockets="$slapd_socket" \
+  slapd_krb5_ktname="$slapd_keytab" \
   saslauthd_flags='-a kerberos5' \
   saslauthd_enable=YES
+
 service saslauthd restart
+service slapd restart
 
 # Create directory tree.
 if is_primary_server; then
diff --git a/scripts/hostclass/idm_server/30-kdc b/scripts/hostclass/idm_server/30-kdc
index abe040a..9347ed0 100644
--- a/scripts/hostclass/idm_server/30-kdc
+++ b/scripts/hostclass/idm_server/30-kdc
@@ -35,9 +35,3 @@ sysrc -v \
 
 service kdc restart
 service kadmind restart
-
-# Create the boxconf administrative user.
-if is_primary_server; then
-  kadmin.local get_principal -terse "$boxconf_username" \
-    || kadmin.local add_principal -pw "$boxconf_password" -x "containerdn=${robots_basedn}" "$boxconf_username"
-fi
diff --git a/scripts/hostclass/idm_server/90-idm b/scripts/hostclass/idm_server/90-idm
index 0a28491..adfdf36 100644
--- a/scripts/hostclass/idm_server/90-idm
+++ b/scripts/hostclass/idm_server/90-idm
@@ -40,11 +40,11 @@ associatedDomain: ${rdns}
 EOF
 
 # Create host principal.
-kadmin.local get_principal -terse "host/${fqdn}" \
+kadmin.local get_principal "host/${fqdn}" \
   || kadmin.local add_principal -nokey -x "dn=cn=${BOXCONF_HOSTNAME},${hosts_basedn}" "host/${fqdn}"
 
 # Create ldap service principal.
-kadmin.local get_principal -terse "ldap/${fqdn}" \
+kadmin.local get_principal "ldap/${fqdn}" \
   || kadmin.local add_principal -nokey -x "containerdn=${services_basedn}" "ldap/${fqdn}"
 
 # Create state dataset to persist keytabs across OS rebuilds.
@@ -89,3 +89,15 @@ ln -snfs "${slapd_conf_dir}/ldap.conf" /usr/local/etc/ldap.conf
 install_file -m 0555 \
   /usr/local/libexec/idm-ssh-known-hosts \
   /usr/local/libexec/idm-ssh-authorized-keys
+
+# Create the boxconf administrative user.
+if is_primary_server && ! ldap_dn_exists "$boxconf_dn"; then
+  ldap_add "$boxconf_dn" <<EOF
+objectClass: krbPrincipal
+objectClass: simpleSecurityObject
+krbPrincipalName: ${boxconf_username}@${realm}
+userPassword: {SASL}${boxconf_username}@${realm}
+EOF
+
+  kadmin.local change_password -pw "$boxconf_password" "$boxconf_username"
+fi
diff --git a/scripts/os/freebsd/50-idm b/scripts/os/freebsd/50-idm
new file mode 100644
index 0000000..ea94082
--- /dev/null
+++ b/scripts/os/freebsd/50-idm
@@ -0,0 +1,114 @@
+#!/bin/sh
+
+if [ "${idm_bootstrap:-}" = true ] || [ "${enable_idm:-}" = false ]; then
+  return 0
+fi
+
+# Create state dataset to persist keytabs across OS rebuilds.
+create_dataset -o "mountpoint=${keytab_dir}" "${state_dataset}/keytabs"
+
+# Install packages.
+pkg install -y \
+  cyrus-sasl-gssapi \
+  nss-pam-ldapd-sasl \
+  openldap26-client \
+  pam_krb5 \
+  perl5 \
+  p5-perl-ldap \
+  p5-Authen-SASL
+
+# Configure PAM/NSS integration.
+install_file -m 0644 \
+  /etc/nsswitch.conf \
+  /etc/pam.d/sshd
+
+install_template -m 0644 \
+  /etc/krb5.conf \
+  /etc/nscd.conf \
+  /usr/local/etc/openldap/ldap.conf  \
+  /usr/local/etc/nslcd.conf
+
+# Create ldap.conf symlink.
+ln -snfv /usr/local/etc/openldap/ldap.conf /usr/local/etc/ldap.conf
+
+# Create host object (if it doesn't exist).
+ldap_add "cn=${BOXCONF_HOSTNAME},${hosts_basedn}" <<EOF
+objectClass: device
+objectClass: domainRelatedObject
+objectClass: ldapPublicKey
+cn: ${BOXCONF_HOSTNAME}
+associatedDomain: ${fqdn}
+$(cat /usr/local/etc/ssh/ssh_host_*_key.pub | cut -d' ' -f-2 | sed 's/^/sshPublicKey: /')
+description: $(uname -mrs) ${BOXCONF_HOSTCLASS}
+EOF
+
+# Create A record.
+ldap_add "dc=${BOXCONF_HOSTNAME},dc=${domain},${dns_basedn}" <<EOF
+objectClass: dNSDomain
+objectClass: domainRelatedObject
+dc: ${BOXCONF_HOSTNAME}
+aRecord: ${BOXCONF_DEFAULT_IPV4}
+associatedDomain: ${fqdn}
+EOF
+
+# Create PTR record.
+rdns=$(ip2rdns "$BOXCONF_DEFAULT_IPV4")
+ldap_add "dc=${rdns%%.*},dc=${rdns#*.},${dns_basedn}" <<EOF
+objectClass: dNSDomain2
+objectClass: domainRelatedObject
+dc: ${rdns%%.*}
+pTRRecord: ${fqdn}
+associatedDomain: ${rdns}
+EOF
+
+# Create CNAME records.
+for cname in ${cnames:-}; do
+  ldap_add "dc=${cname},dc=${domain},${dns_basedn}" <<EOF
+objectClass: dNSDomain
+objectClass: domainRelatedObject
+dc: ${cname}
+cNAMERecord: ${fqdn}
+associatedDomain: ${cname}.${domain}
+EOF
+done
+
+# Update attributes that may have changed.
+ldap_modify "cn=${BOXCONF_HOSTNAME},${hosts_basedn}" <<EOF
+replace: sshPublicKey
+$(cat /usr/local/etc/ssh/ssh_host_*_key.pub | cut -d' ' -f-2 | sed 's/^/sshPublicKey: /')
+-
+replace: description
+description: $(uname -mrs) ${BOXCONF_HOSTCLASS}
+EOF
+
+# Create host principal and keytab.
+add_principal -nokey -x "dn=cn=${BOXCONF_HOSTNAME},${hosts_basedn}" "host/${fqdn}"
+ktadd -k "${keytab_dir}/host.keytab" "host/${fqdn}"
+ln -snfv "${keytab_dir}/host.keytab" /etc/krb5.keytab
+
+# Create symlinks so host keytab can be used to aquire a TGT on-the-fly.
+ln -snfv host.keytab "${keytab_dir}/$(id -u "$nslcd_user").keytab"
+ln -snfv host.keytab "${keytab_dir}/${ssh_authzkeys_uid}.keytab"
+ln -snfv host.keytab "${keytab_dir}/0.keytab"
+
+# Create local group for host keytab access.
+add_group -g "$host_keytab_gid" "$host_keytab_groupname"
+chgrp "$host_keytab_groupname" "${keytab_dir}/host.keytab"
+chmod 640 "${keytab_dir}/host.keytab"
+pw usermod -n "$nslcd_user" -G "$host_keytab_groupname"
+
+# Copy IDM helper scripts for SSH.
+install_file -m 0555 \
+  /usr/local/libexec/idm-ssh-known-hosts \
+  /usr/local/libexec/idm-ssh-authorized-keys
+
+# Create user for running SSH AuthorizedKeysCommand.
+add_user -u "$ssh_authzkeys_uid" -g "$host_keytab_groupname" "$ssh_authzkeys_username"
+
+# Enable and start nslcd/nscd.
+sysrc -v \
+  nslcd_enable=YES \
+  nscd_enable=YES
+
+service nslcd restart
+service nscd restart
-- 
cgit v1.2.3