-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathpuavo-init-standalone
executable file
·182 lines (140 loc) · 5.31 KB
/
puavo-init-standalone
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
#!/bin/sh
help () {
echo "
usage: $(basename $0) [--unsafe-passwords] <topdomain>
Init standalone installation for Puavo development.
--unsafe-passwords Set unsafe passwords for development.
This script does following:
- Create certificates using the given topdomain and copies them to
/etc/ssl/certs for slapd.
- Set fqdn to point localhost
- Configure LDAP client
- Configure rng-tools-debian
"
}
set -eu
use_unsafe_passwords=false
if [ "${1:-}" = "--unsafe-passwords" ]; then
use_unsafe_passwords=true
shift
fi
[ "${1:-}" = "--help" -o "${1:-}" = "-h" ] && help && exit
[ "${1:-}" = "" ] && help && exit 1
topdomain="$1"
unsafe_password="password"
hostname=$(hostname)
puavo_certificates_dir=/etc/puavo-ca/certificates
system_certdir=/etc/ssl/certs
mkdir -p /etc/puavo/kerberos
echo "Writing topdomain with kerberos to /etc/puavo"
echo "$topdomain" > /etc/puavo/topdomain
echo "$topdomain" | tr '[:lower:]' '[:upper:]' > /etc/puavo/kerberos/toprealm
if $use_unsafe_passwords; then
mkdir -p /etc/puavo/ldap
echo "uid=admin,o=puavo" > /etc/puavo/ldap/dn
echo "$unsafe_password" > /etc/puavo/ldap/password
echo $( hostname -f ) > /etc/puavo/ldap/master
mkdir -p /etc/puavo/ds/puavo
echo "uid=puavo,o=puavo" > /etc/puavo/ds/puavo/dn
echo "$unsafe_password" > /etc/puavo/ds/puavo/password
mkdir -p /etc/puavo/ds/slave
echo "uid=slave,o=puavo" > /etc/puavo/ds/slave/dn
echo "$unsafe_password" > /etc/puavo/ds/slave/password
mkdir -p /etc/puavo/ds/kadmin
echo "uid=kadmin,o=puavo" > /etc/puavo/ds/kadmin/dn
echo "$unsafe_password" > /etc/puavo/ds/kadmin/password
mkdir -p /etc/puavo/ds/monitor
echo "uid=monitor,o=puavo" > /etc/puavo/ds/monitor/dn
echo "$unsafe_password" > /etc/puavo/ds/monitor/password
mkdir -p /etc/puavo/ds/kdc
echo "uid=kdc,o=puavo" > /etc/puavo/ds/kdc/dn
echo "$unsafe_password" > /etc/puavo/ds/kdc/password
mkdir -p /etc/puavo/ds/pw-mgmt
echo "uid=pw-mgmt,o=puavo" > /etc/puavo/ds/pw-mgmt/dn
echo "$unsafe_password" > /etc/puavo/ds/pw-mgmt/password
mkdir -p /etc/puavo/ds/statistics
echo "uid=statistics,o=puavo" > /etc/puavo/ds/statistics/dn
echo "$unsafe_password" > /etc/puavo/ds/statistics/password
mkdir -p /etc/puavo/ds/cert-mgmt
echo "uid=cert-mgmt,o=puavo" > /etc/puavo/ds/cert-mgmt/dn
echo "$unsafe_password" > /etc/puavo/ds/cert-mgmt/password
mkdir -p /etc/puavo/ds/email-mgmt
echo "uid=email-mgmt,o=puavo" > /etc/puavo/ds/email-mgmt/dn
echo "$unsafe_password" > /etc/puavo/ds/email-mgmt/password
mkdir -p /etc/puavo/ds/examomatic
echo "uid=examomatic,o=puavo" > /etc/puavo/ds/examomatic/dn
echo "$unsafe_password" > /etc/puavo/ds/examomatic/password
mkdir -p /etc/puavo/ds/mfa-mgmt
echo "uid=mfa-mgmt,o=puavo" > /etc/puavo/ds/mfa-mgmt/dn
echo "$unsafe_password" > /etc/puavo/ds/mfa-mgmt/password
fi
for certchain_dir in ${puavo_certificates_dir}/*; do
if [ -d "$certchain_dir" ]; then
echo 'A certificate chain already exists, aborting...' >&2
exit 1
fi
done
echo 'Making a new certificate chain'
puavo-make-new-ca-chain 20191001
echo 'Making another certificate chain'
puavo-make-new-ca-chain
for certchain_dir in ${puavo_certificates_dir}/*; do
cat <<'EOF' > "${certchain_dir}/organisations/LIST"
example
hogwarts
EOF
echo "$hostname" > "${certchain_dir}/servers/SERVERLIST"
cd "$certchain_dir"
if $use_unsafe_passwords; then
make ROOT_PASS=$unsafe_password SERVER_PASS=$unsafe_password
else
make
fi
echo "Certificates generated at ${certchain_dir}. Copying them for slapd..."
install -v -m 640 -g openldap \
"${certchain_dir}/servers/${hostname}.${topdomain}.key" \
"${system_certdir}/slapd-server.key"
install -v -m 644 -g openldap \
"${certchain_dir}/servers/${hostname}.${topdomain}.crt" \
"${system_certdir}/slapd-server.crt"
install -v -m 644 -g openldap \
"${certchain_dir}/servers/ca.servers.${topdomain}-bundle.pem" \
"${system_certdir}/slapd-ca.crt"
install -v -m 644 -g openldap \
"${certchain_dir}/rootca/ca.${topdomain}.crt" \
"${system_certdir}/ca.${topdomain}.crt"
cat <<EOF > /etc/puavo-ca-rails/puavo.yml
certdirpath: ${puavo_certificates_dir}
default_certchain_version: ${certchain_dir##*/}
ldap_server:
EOF
done
echo "Setting up rng-tools-debian for puavo-ds"
# Often entropy for randomness is lacking on virtual machines which might cause
# puavo-add-new-organisation to timeout. This can be worked around with
# rng-tools-debian
echo "HRNGDEVICE=/dev/urandom" > /etc/default/rng-tools-debian
/etc/init.d/rng-tools-debian restart
# Write fqdn
cat > /etc/hosts <<EOF
127.0.0.1 $hostname.$topdomain $hostname localhost
EOF
echo "Writing LDAP client config /etc/ldap/ldap.conf"
cat >/etc/ldap/ldap.conf <<EOF
SASL_MECH GSSAPI
TLS_CACERT ${system_certdir}/ca.${topdomain}.crt
TLS_REQCERT demand
EOF
echo "Initializing slapd"
if $use_unsafe_passwords; then
puavo-init-ldap --AUTO-YES --save-admin-password
else
puavo-init-ldap --save-admin-password
fi
# This initializes the puavo-ca production database.
puavo-ca-rails-migrate
# This initializes the puavo-ca test database.
cd /var/app/puavo-ca-rails
sudo -u puavo RAILS_ENV=test bundle exec rake db:migrate
service puavo-ca-rails restart
echo "Standalone init ok!"