Automatizando o Slapd Install

Question

Automatizando o Slapd Install

#1 resposta do (1 votos)

1

Estou escrevendo um script que automatiza a instalação do slapd e do phpldapadmin.

O script:

#!/bin/bash 
# make sure to run script as sudo 


# LDAP 

# update first 
apt-get -q -y update 

# install maven 

apt-get install -y maven 

# Install php dependencies 

apt-get -y install php php-cgi libapache2-mod-php php-common php-pear php-mbstring 

a2enconf php7.0-cgi 

service apache2 restart 

# Pre-seed the slapd passwords 

export DEBIAN_FRONTEND='non-interactive'

echo -e "slapd slapd/root_password password KappaRoss" |debconf-set-selections
echo -e "slapd slapd/root_password_again password KappaRoss" |debconf-set-selections

echo -e "slapd slapd/internal/adminpw password test" |debconf-set-selections
echo -e "slapd slapd/internal/generated_adminpw password test" |debconf-set-selections
echo -e "slapd slapd/password2 password test" |debconf-set-selections
echo -e "slapd slapd/password1 password test" |debconf-set-selections
echo -e "slapd slapd/domain string acu.local" |debconf-set-selections
echo -e "slapd shared/organization string IT410" |debconf-set-selections
echo -e "slapd slapd/backend string HDB" |debconf-set-selections
echo -e "slapd slapd/purge_database boolean true" |debconf-set-selections
echo -e "slapd slapd/move_old_database boolean true" |debconf-set-selections
echo -e "slapd slapd/allow_ldap_v2 boolean false" |debconf-set-selections
echo -e "slapd slapd/no_configuration boolean false" |debconf-set-selections

# Grab slapd and ldap-utils (pre-seeded)
apt-get install -y slapd ldap-utils phpldapadmin

# Must reconfigure slapd for it to work properly 
sudo dpkg-reconfigure slapd 

# Gotta replace the ldap.conf file, it comments out stuff we need set by default - first open it for writing 

chmod 777 /etc/ldap/ldap.conf 

cat <<'EOF' > /etc/ldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.


BASE    dc=acu,dc=local
URI     ldap://104.219.54.109 ldap://104.219.54.109:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
EOF

# Be safe again 
chmod 744 /etc/ldap/ldap.conf 


# Now change all values in /etc/phpldapadmin/config.php to their actual values from example, or .com or localhost (I use sed)


# Line 286 
sed -i "s@$servers->setValue('server','name','My LDAP Server');.*@$servers->setValue('server','name','Nathans_LDAP');@" /etc/phpldapadmin/config.php
# Line 293 
sed -i "s@$servers->setValue('server','host','127.0.0.1');.*@$servers->setValue('server','host','104.219.54.109');@" /etc/phpldapadmin/config.php 
# Line 300 
sed -i "s@$servers->setValue('server','base',array('dc=example,dc=com'));.*@$servers->setValue('server','base',array('dc=acu,dc=local'));@" /etc/phpldapadmin/config.php
# Line 326 
sed -i "s@$servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');.*@$servers->setValue('login','bind_id','cn=admin,dc=acu,dc=local');@" /etc/phpldapadmin/config.php

# Prevent error when creating users 

sed -i "s@$default = $this->getServer()->getValue('appearance','password_hash');.*@$default = $this->getServer()->getValue('appearance','password_hash_custom');@g" /usr/share/phpldapadmin/lib/TemplateRender.php

service apache2 restart 

echo ------------------------# 
echo 'PHPldapadmin installed.'
echo ------------------------# 

echo ""

echo ------------------------------------------------------------# 
echo 'Can now access phpldapadmin at http://your-ip/phpldapadmin.'
echo ------------------------------------------------------------# 

echo ""

echo ------------------------------------------------------------------------#
echo 'Username should be acu.local, password is the adminpw set during setup.'
echo ------------------------------------------------------------------------# S

# Logging 

echo -e 'Maven installed -done by' $USER 'at time\n' $DATE '\n' >> /var/log/installs/log.txt
echo -e 'slapd and ldap-utils configured and installed -done by' $USER 'at time\n' $DATE '\n' >> /var/log/installs/log.txt
echo -e 'phpldapadmin install configured -done by' $USER 'at time\n' $DATE '\n' >> /var/log/installs/log.txt
echo -e 'LDAP installed completed by' $USER 'at time\n' $DATE '\n' >> /var/log/installs/log.txt

Tudo funciona bem, exceto que eu acho que as seleções do conjunto debconf para pré-semear a porção "dpkg-reconfigure slapd" não estão sendo totalmente aplicadas. Especificamente, quando tento logar no phpldapadmin com a senha do admin que eu pre-seed, ele falha. Eu tenho que executar o "dpkg-reconfigure slapd" novamente (manualmente desta vez) no terminal e definir outra senha de administrador, então eu posso logar no phpldapadmin corretamente e tudo funciona. Qualquer ajuda é apreciada, eu preciso deste aplicativo totalmente automatizado para a minha final e estou muito perto como está.

debconf ldap shell-script

por nwd12a 02.05.2017 / 06:51

1 resposta

Tags debconf ldap shell-script

Como awk linha única e imprimir 2 linhas acima Construindo o pacote .deb para Linux perf?

score 1 · Answer 1

meu debconf preseed parece um pouco diferente, mas é para stretch :

cat > /root/debconf-slapd.conf << 'EOF'
slapd slapd/password1 password admin
slapd slapd/internal/adminpw password admin
slapd slapd/internal/generated_adminpw password admin
slapd slapd/password2 password admin
slapd slapd/unsafe_selfwrite_acl note
slapd slapd/purge_database boolean false
slapd slapd/domain string phys.ethz.ch
slapd slapd/ppolicy_schema_needs_update select abort installation
slapd slapd/invalid_config boolean true
slapd slapd/move_old_database boolean false
slapd slapd/backend select MDB
slapd shared/organization string ETH Zurich
slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION
slapd slapd/no_configuration boolean false
slapd slapd/dump_database select when needed
slapd slapd/password_mismatch note
EOF
export DEBIAN_FRONTEND=noninteractive
cat /root/debconf-slapd.conf | debconf-set-selections
apt install ldap-utils slapd -y

depois disso, uso ldapmodify para atualizar a senha imediatamente. isso é feito armazenando o hash no ldap, portanto, a senha em texto simples não é mostrada no script:

cat > /root/admin_pw_config_dit.ldif << 'EOF'
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {CRYPT}<sha-512_hash_here>
EOF
cat > /root/admin_pw_normal_dit.ldif << 'EOF'
dn: cn=admin,dc=phys,dc=ethz,dc=ch
changetype: modify
replace: userPassword
userPassword: {CRYPT}<sha-512_hash_here>
ldapmodify -H ldapi:/// -x -D cn=admin,dc=phys,dc=ethz,dc=ch -w admin -f /root/admin_pw_normal_dit.ldif
ldapmodify -H ldapi:/// -f /root/admin_pw_config_dit.ldif
# verify
ldapsearch -H ldapi:/// -x -D cn=admin,dc=phys,dc=ethz,dc=ch -W -b dc=phys,dc=ethz,dc=ch cn=admin | grep 'userPassword'

substitua <sha-512_hash_here> pelo valor de hash da sua senha.

você pode gerar esses hashes usando este script: link