aboutsummaryrefslogtreecommitdiff
path: root/scripts/os/freebsd/50-idm
blob: 1e5e87720471194af18a5c982f05eee1d46dc344 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
#!/bin/sh

if [ "${idm_bootstrap:-}" = true ] || [ "${enable_idm:-}" = false ]; then
  return 0
fi

# Create state dataset to persist keytabs across OS rebuilds.
create_dataset -o "mountpoint=${keytab_dir}" "${state_dataset}/keytabs"

# Install packages.
pkg install -y \
  cyrus-sasl-gssapi \
  nss-pam-ldapd-sasl \
  openldap26-client \
  pam_krb5 \
  perl5 \
  p5-perl-ldap \
  p5-Authen-SASL \
  pam_mkhomedir

# Script to create /usr/local/home/${USER} on login.
install_file -m 0555 /usr/local/libexec/pam-create-local-homedir

# Configure PAM/NSS integration.
install_template -m 0644 \
  /etc/pam.d/login \
  /etc/pam.d/sshd
install_file -m 0644 \
  /etc/nsswitch.conf \
  /etc/pam.d/system \
  /etc/pam.d/sudo \
  /etc/pam.d/su \
  /etc/pam.d/other

install_template -m 0644 /etc/login.access

install_template -m 0644 \
  /etc/krb5.conf \
  /etc/nscd.conf \
  /usr/local/etc/openldap/ldap.conf  \
  /usr/local/etc/nslcd.conf

# Ensure /home exists and configure skel files.
install_directory -m 0755 /home
install_file -m 0644 \
  /usr/share/skel/dot.login \
  /usr/share/skel/dot.profile \
  /usr/share/skel/dot.shrc

# Create ldap.conf symlink.
ln -snfv /usr/local/etc/openldap/ldap.conf /usr/local/etc/ldap.conf

# Create host object (if it doesn't exist).
ldap_add "cn=${BOXCONF_HOSTNAME},${hosts_basedn}" <<EOF
objectClass: device
objectClass: domainRelatedObject
objectClass: ldapPublicKey
cn: ${BOXCONF_HOSTNAME}
associatedDomain: ${fqdn}
$(cat /usr/local/etc/ssh/ssh_host_*_key.pub | cut -d' ' -f-2 | sed 's/^/sshPublicKey: /')
description: $(uname -mrs) ${BOXCONF_HOSTCLASS}
EOF

# Create A record.
ldap_add "dc=${BOXCONF_HOSTNAME},dc=${domain},${dns_basedn}" <<EOF
objectClass: dNSDomain
objectClass: domainRelatedObject
dc: ${BOXCONF_HOSTNAME}
aRecord: ${BOXCONF_DEFAULT_IPV4}
associatedDomain: ${fqdn}
EOF

# Create PTR record.
rdns=$(ip2rdns "$BOXCONF_DEFAULT_IPV4")
ldap_add "dc=${rdns%%.*},dc=${rdns#*.},${dns_basedn}" <<EOF
objectClass: dNSDomain2
objectClass: domainRelatedObject
dc: ${rdns%%.*}
pTRRecord: ${fqdn}
associatedDomain: ${rdns}
EOF

# Create CNAME records.
for cname in ${cnames:-}; do
  ldap_add "dc=${cname},dc=${domain},${dns_basedn}" <<EOF
objectClass: dNSDomain
objectClass: domainRelatedObject
dc: ${cname}
cNAMERecord: ${fqdn}
associatedDomain: ${cname}.${domain}
EOF
done

# Update attributes that may have changed.
ldap_modify "cn=${BOXCONF_HOSTNAME},${hosts_basedn}" <<EOF
replace: sshPublicKey
$(cat /usr/local/etc/ssh/ssh_host_*_key.pub | cut -d' ' -f-2 | sed 's/^/sshPublicKey: /')
-
replace: description
description: $(uname -mrs) ${BOXCONF_HOSTCLASS}
EOF

# Create host principal and keytab.
add_principal -nokey -x "dn=cn=${BOXCONF_HOSTNAME},${hosts_basedn}" "host/${fqdn}"
ktadd -k "${keytab_dir}/host.keytab" "host/${fqdn}"
ln -snfv "${keytab_dir}/host.keytab" /etc/krb5.keytab

# Create local group for host keytab access.
add_group -g "$host_keytab_gid" "$host_keytab_groupname"
chgrp "$host_keytab_groupname" "${keytab_dir}/host.keytab"
chmod 640 "${keytab_dir}/host.keytab"
pw usermod -n "$nslcd_user" -G "$host_keytab_groupname"

# Create symlinks so host keytab can be used to aquire a TGT on-the-fly.
nslcd_uid=$(id -u "$nslcd_user")
install_directory -m 0755 \
  /var/krb5 \
  /var/krb5/user

install_directory -o "$nslcd_user" -m 0700 "/var/krb5/user/${nslcd_uid}"
ln -snfv "${keytab_dir}/host.keytab" "/var/krb5/user/${nslcd_uid}/client.keytab"

install_directory -o "$ssh_authzkeys_uid" -m 0700 "/var/krb5/user/${ssh_authzkeys_uid}"
ln -snfv "${keytab_dir}/host.keytab" "/var/krb5/user/${ssh_authzkeys_uid}/client.keytab"

install_directory -o root -m 0700 /var/krb5/user/0
ln -snfv "${keytab_dir}/host.keytab" /var/krb5/user/0/keytab
ln -snfv "${keytab_dir}/host.keytab" /var/krb5/user/0/client.keytab

# Copy IDM helper scripts for SSH.
install_file -m 0555 \
  /usr/local/libexec/idm-ssh-known-hosts \
  /usr/local/libexec/idm-ssh-authorized-keys

# Create user for running SSH AuthorizedKeysCommand.
add_user \
  -u "$ssh_authzkeys_uid" \
  -g "$host_keytab_groupname" \
  -d /nonexistent \
  "$ssh_authzkeys_username"

# Enable and start nslcd/nscd.
sysrc -v \
  nslcd_enable=YES \
  nscd_enable=YES

service nslcd restart
service nscd restart