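#!/bin/sh
# Register this host in the directory (host object, A and PTR records) and the
# Kerberos realm (host/ and ldap/ principals + keytabs), then enable PAM/NSS
# integration against the directory.
#
# Everything not defined here comes from the boxconf environment sourced by the
# caller: BOXCONF_HOSTNAME, BOXCONF_HOSTCLASS, BOXCONF_DEFAULT_IPV4; the helpers
# ldap_add, ldap_modify, ldap_dn_exists, ip2rdns, create_dataset, install_file,
# install_template, is_primary_server; and the variables fqdn, domain, realm,
# hosts_basedn, dns_basedn, services_basedn, keytab_dir, slapd_keytab,
# slapd_user, slapd_conf_dir, state_dataset, boxconf_dn, boxconf_username,
# boxconf_password.

# Print one "sshPublicKey: <type> <base64>" LDIF line per host key.  Only the
# first two fields of each .pub file are kept (the trailing comment is dropped).
# Shared by the add and the modify below so the two cannot drift apart.
ssh_public_key_attrs() {
  cut -d' ' -f-2 /usr/local/etc/ssh/ssh_host_*_key.pub | sed 's/^/sshPublicKey: /'
}

# Create host object.
ldap_add "cn=${BOXCONF_HOSTNAME},${hosts_basedn}" <<EOF
objectClass: device
objectClass: domainRelatedObject
objectClass: ldapPublicKey
cn: ${BOXCONF_HOSTNAME}
associatedDomain: ${fqdn}
$(ssh_public_key_attrs)
description: $(uname -mrs) ${BOXCONF_HOSTCLASS}
EOF

# Update attributes that may have changed since the object was first created
# (host keys are regenerated on reinstall, OS version in the description).
ldap_modify "cn=${BOXCONF_HOSTNAME},${hosts_basedn}" <<EOF
replace: sshPublicKey
$(ssh_public_key_attrs)
-
replace: description
description: $(uname -mrs) ${BOXCONF_HOSTCLASS}
EOF

# Create A record.
ldap_add "dc=${BOXCONF_HOSTNAME},dc=${domain},${dns_basedn}" <<EOF
objectClass: dNSDomain
objectClass: domainRelatedObject
dc: ${BOXCONF_HOSTNAME}
aRecord: ${BOXCONF_DEFAULT_IPV4}
associatedDomain: ${fqdn}
EOF

# Create PTR record.  The first label of the reverse name becomes the leaf dc,
# the remainder the parent dc (presumably ip2rdns yields the in-addr.arpa form;
# verify against its definition).
rdns=$(ip2rdns "$BOXCONF_DEFAULT_IPV4")
ldap_add "dc=${rdns%%.*},dc=${rdns#*.},${dns_basedn}" <<EOF
objectClass: dNSDomain2
objectClass: domainRelatedObject
dc: ${rdns%%.*}
pTRRecord: ${fqdn}
associatedDomain: ${rdns}
EOF

# Create host principal, bound to the host object created above.
kadmin.local get_principal "host/${fqdn}" \
  || kadmin.local add_principal -nokey -x "dn=cn=${BOXCONF_HOSTNAME},${hosts_basedn}" "host/${fqdn}"

# Create ldap service principal.
kadmin.local get_principal "ldap/${fqdn}" \
  || kadmin.local add_principal -nokey -x "containerdn=${services_basedn}" "ldap/${fqdn}"

# Create state dataset to persist keytabs across OS rebuilds.
create_dataset -o "mountpoint=${keytab_dir}" "${state_dataset}/keytabs"

# Export host keytab (only if absent: the persisted copy is reused on rebuilds).
[ -f "${keytab_dir}/host.keytab" ] || kadmin.local ktadd -k "${keytab_dir}/host.keytab" -q "host/${fqdn}"
# The keytab may predate this run (persisted dataset), so enforce the mode on
# every run instead of trusting whatever it was created with.
chmod 0600 "${keytab_dir}/host.keytab"
ln -snfv "${keytab_dir}/host.keytab" /etc/krb5.keytab

# Export slapd keytab; owned by the slapd user, readable by nobody else.
[ -f "$slapd_keytab" ] || kadmin.local ktadd -k "$slapd_keytab" -q "ldap/${fqdn}"
chown "$slapd_user" "$slapd_keytab"
chmod 0600 "$slapd_keytab"

# Install PAM/NSS integration packages.
pkg install -y \
  nss-pam-ldapd-sasl \
  pam_krb5 \
  perl5 \
  p5-perl-ldap \
  p5-Authen-SASL

# Configure PAM/NSS integration.
install_file -m 0644 \
  /etc/nsswitch.conf \
  /etc/pam.d/sshd
install_template -m 0644 \
  /usr/local/etc/nslcd.conf \
  /etc/nscd.conf
sysrc -v \
  nslcd_enable=YES \
  nscd_enable=YES
service nslcd restart
service nscd restart

# Create ldap.conf symlink (was "-snfs": the duplicated -s is replaced by -v for
# consistency with the krb5.keytab link above).
ln -snfv "${slapd_conf_dir}/ldap.conf" /usr/local/etc/ldap.conf

# Copy IDM helper scripts for SSH.
install_file -m 0555 \
  /usr/local/libexec/idm-ssh-known-hosts \
  /usr/local/libexec/idm-ssh-authorized-keys

# Create the boxconf administrative user, on the primary server only and only
# once.  The LDAP entry carries no password of its own: {SASL} delegates
# authentication to the Kerberos principal created right after it.
if is_primary_server && ! ldap_dn_exists "$boxconf_dn"; then
  ldap_add "$boxconf_dn" <<EOF
objectClass: account
objectClass: simpleSecurityObject
uid: ${boxconf_username}
userPassword: {SASL}${boxconf_username}@${realm}
EOF
  # NOTE(review): -pw places the password in the kadmin.local argument list,
  # which is visible to other local users via the process table for the
  # duration of the call.  Prefer letting kadmin.local prompt and feeding the
  # value on stdin; confirm that works non-interactively in this deployment
  # before changing it.
  kadmin.local add_principal -x "dn=${boxconf_dn}" -pw "$boxconf_password" "$boxconf_username"
fi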