summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGeorg2021-08-30 21:57:59 +0200
committerGeorg2021-08-30 21:57:59 +0200
commit5f1c378aa6b120d036b37fa07ee86c3005376b9e (patch)
treecc5e875f24f446dd29005b15760691ba653c6e09
parent8f34173c6d2629c71260ece861b297c8c2903bcf (diff)
downloadsystem-5f1c378aa6b120d036b37fa07ee86c3005376b9e.tar.gz
system-5f1c378aa6b120d036b37fa07ee86c3005376b9e.tar.bz2
system-5f1c378aa6b120d036b37fa07ee86c3005376b9e.zip
Init directory client configurations
Signed-off-by: Georg <georg@lysergic.dev>
-rw-r--r--dirsrv/ldif/sudoers-389.ldif35
-rw-r--r--dirsrv/misc/sudoers2ldif.pl153
-rw-r--r--generic/nsswitch.conf32
-rw-r--r--sssd/client_sssd.generated.conf72
-rw-r--r--sssd/sssd.conf58
5 files changed, 350 insertions, 0 deletions
diff --git a/dirsrv/ldif/sudoers-389.ldif b/dirsrv/ldif/sudoers-389.ldif
new file mode 100644
index 0000000..f1bd855
--- /dev/null
+++ b/dirsrv/ldif/sudoers-389.ldif
@@ -0,0 +1,35 @@
+dn: cn=defaults,ou=SUDOers,ou=syscid-system,dc=syscid,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: defaults
+description: Default sudoOption's go here
+sudoOption: always_set_home
+sudoOption: secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
+sudoOption: env_reset
+sudoOption: env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
+sudoOption: insults
+sudoOption: mail_badpass
+sudoOption: log_output
+sudoOption: timestamp_timeout=15
+sudoOrder: 1
+
+dn: cn=root,ou=SUDOers,ou=syscid-system,dc=syscid,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: root
+sudoUser: root
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoCommand: ALL
+sudoOrder: 2
+
+dn: cn=%wheel,ou=SUDOers,ou=syscid-system,dc=syscid,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: %wheel
+sudoUser: %wheel
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoCommand: ALL
+sudoOrder: 3
+
diff --git a/dirsrv/misc/sudoers2ldif.pl b/dirsrv/misc/sudoers2ldif.pl
new file mode 100644
index 0000000..a94fa04
--- /dev/null
+++ b/dirsrv/misc/sudoers2ldif.pl
@@ -0,0 +1,153 @@
+#!/usr/bin/env perl
+#
+# Copyright (c) 2007, 2010-2011, 2013 Todd C. Miller <Todd.Miller@courtesan.com>
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+#
+
+use strict;
+
+#
+# Converts a sudoers file to LDIF format in prepration for loading into
+# the LDAP server.
+#
+
+# BUGS:
+# Does not yet handle multiple lines with : in them
+# Does not yet remove quotation marks from options
+# Does not yet escape + at the beginning of a dn
+# Does not yet handle line wraps correctly
+# Does not yet handle multiple roles with same name (needs tiebreaker)
+#
+# CAVEATS:
+# Sudoers entries can have multiple RunAs entries that override former ones,
+# with LDAP sudoRunAs{Group,User} applies to all commands in a sudoRole
+
+my %RA;
+my %UA;
+my %HA;
+my %CA;
+my $base=$ENV{SUDOERS_BASE} or die "$0: Container SUDOERS_BASE undefined\n";
+my @options=();
+
+my $did_defaults=0;
+my $order = 0;
+
+# parse sudoers one line at a time
+while (<>){
+
+ # remove comment
+ s/#.*//;
+
+ # line continuation
+ $_.=<> while s/\\\s*$//s;
+
+ # cleanup newline
+ chomp;
+
+ # ignore blank lines
+ next if /^\s*$/;
+
+ if (/^Defaults\s+/i) {
+ my $opt=$';
+ $opt=~s/\s+$//; # remove trailing whitespace
+ push @options,$opt;
+ } elsif (/^(\S+)\s+([^=]+)=\s*(.*)/) {
+
+ # Aliases or Definitions
+ my ($p1,$p2,$p3)=($1,$2,$3);
+ $p2=~s/\s+$//; # remove trailing whitespace
+ $p3=~s/\s+$//; # remove trailing whitespace
+
+ if ($p1 eq "User_Alias") {
+ $UA{$p2}=$p3;
+ } elsif ($p1 eq "Runas_Alias") {
+ $RA{$p2}=$p3;
+ } elsif ($p1 eq "Host_Alias") {
+ $HA{$p2}=$p3;
+ } elsif ($p1 eq "Cmnd_Alias") {
+ $CA{$p2}=$p3;
+ } else {
+ if (!$did_defaults++){
+ # do this once
+ print "dn: cn=defaults,$base\n";
+ print "objectClass: top\n";
+ print "objectClass: sudoRole\n";
+ print "cn: defaults\n";
+ print "description: Default sudoOption's go here\n";
+ print "sudoOption: $_\n" foreach @options;
+ printf "sudoOrder: %d\n", ++$order;
+ print "\n";
+ }
+ # Definition
+ my @users=split /\s*,\s*/,$p1;
+ my @hosts=split /\s*,\s*/,$p2;
+ my @cmds= split /\s*,\s*/,$p3;
+ @options=();
+ print "dn: cn=$users[0],$base\n";
+ print "objectClass: top\n";
+ print "objectClass: sudoRole\n";
+ print "cn: $users[0]\n";
+ # will clobber options
+ print "sudoUser: $_\n" foreach expand(\%UA,@users);
+ print "sudoHost: $_\n" foreach expand(\%HA,@hosts);
+ foreach (@cmds) {
+ if (s/^\(([^\)]+)\)\s*//) {
+ my @runas = split(/:\s*/, $1);
+ if (defined($runas[0])) {
+ print "sudoRunAsUser: $_\n" foreach expand(\%RA, split(/,\s*/, $runas[0]));
+ }
+ if (defined($runas[1])) {
+ print "sudoRunAsGroup: $_\n" foreach expand(\%RA, split(/,\s*/, $runas[1]));
+ }
+ }
+ }
+ print "sudoCommand: $_\n" foreach expand(\%CA,@cmds);
+ print "sudoOption: $_\n" foreach @options;
+ printf "sudoOrder: %d\n", ++$order;
+ print "\n";
+ }
+
+ } else {
+ print "parse error: $_\n";
+ }
+
+}
+
+#
+# recursively expand hash elements
+sub expand{
+ my $ref=shift;
+ my @a=();
+
+ # preen the line a little
+ foreach (@_){
+ # if NOPASSWD: directive found, mark entire entry as not requiring
+ s/NOPASSWD:\s*// && push @options,"!authenticate";
+ s/PASSWD:\s*// && push @options,"authenticate";
+ s/NOEXEC:\s*// && push @options,"noexec";
+ s/EXEC:\s*// && push @options,"!noexec";
+ s/SETENV:\s*// && push @options,"setenv";
+ s/NOSETENV:\s*// && push @options,"!setenv";
+ s/LOG_INPUT:\s*// && push @options,"log_input";
+ s/NOLOG_INPUT:\s*// && push @options,"!log_input";
+ s/LOG_OUTPUT:\s*// && push @options,"log_output";
+ s/NOLOG_OUTPUT:\s*// && push @options,"!log_output";
+ s/[[:upper:]]+://; # silently remove other tags
+ s/\s+$//; # right trim
+ }
+
+ # do the expanding
+ push @a,$ref->{$_} ? expand($ref,split /\s*,\s*/,$ref->{$_}):$_ foreach @_;
+ @a;
+}
diff --git a/generic/nsswitch.conf b/generic/nsswitch.conf
new file mode 100644
index 0000000..3a031e1
--- /dev/null
+++ b/generic/nsswitch.conf
@@ -0,0 +1,32 @@
+###
+##
+## Prototype Name Service Switch configuration for GNU/Linux systems in the namespaces lysergic.dev / syscid.com / liberta.casa
+#รค
+## Unless otherwise stated, system/scripts/sh/deploy_directory_client.sh should be run instead of manually setting this file.
+## georg@lysergic.dev
+##
+###
+
+passwd: sss files
+group: sss files
+shadow: sss compat
+# initgroups: compat
+
+hosts: files dns
+networks: files dns
+
+aliases: files usrfiles
+ethers: files usrfiles
+gshadow: files usrfiles
+netgroup: files nis
+protocols: files usrfiles
+publickey: files
+rpc: files usrfiles
+services: files usrfiles
+
+automount: files nis
+bootparams: files
+netmasks: files
+
+sudoers: sss
+
diff --git a/sssd/client_sssd.generated.conf b/sssd/client_sssd.generated.conf
new file mode 100644
index 0000000..3615f96
--- /dev/null
+++ b/sssd/client_sssd.generated.conf
@@ -0,0 +1,72 @@
+WARNING: ldap_uri starts with ldapi:// - you should review this parameter in the sssd configuration
+
+#
+# sssd.conf
+# Generated by 389 Directory Server - dsidm
+#
+# For more details see man sssd.conf and man sssd-ldap
+# Be sure to review the content of this file to ensure it is secure and correct
+# in your environment.
+
+[domain/ldap]
+# Uncomment this for more verbose logging.
+# debug_level=3
+
+# Cache hashes of user authentication for offline auth.
+cache_credentials = True
+id_provider = ldap
+auth_provider = ldap
+access_provider = ldap
+chpass_provider = ldap
+ldap_schema = rfc2307bis
+ldap_search_base = dc=syscid,dc=com
+ldap_uri = ldapi://%2fvar%2frun%2fslapd-syscid.socket
+# If you have DNS SRV records, you can use the following instead. This derives
+# from your ldap_search_base.
+# ldap_uri = _srv_
+
+ldap_tls_reqcert = demand
+# To use cacert dir, place *.crt files in this path then run:
+# /usr/bin/openssl rehash /etc/openldap/certs
+# or (for older versions of openssl)
+# /usr/bin/c_rehash /etc/openldap/certs
+ldap_tls_cacertdir = /etc/openldap/certs
+
+# Path to the cacert
+# ldap_tls_cacert = /etc/openldap/certs/ca.crt
+
+# Only users who match this filter can login and authorise to this machine. Note
+# that users who do NOT match, will still have their uid/gid resolve, but they
+# can't login.
+# ldap_access_filter = (memberOf=<dn>)
+
+enumerate = false
+access_provider = ldap
+ldap_user_member_of = memberof
+ldap_user_gecos = cn
+ldap_user_uuid = nsUniqueId
+ldap_group_uuid = nsUniqueId
+# This is really important as it allows SSSD to respect nsAccountLock
+ldap_account_expire_policy = rhds
+ldap_access_order = filter, expire
+# Setup for ssh keys
+# Inside /etc/ssh/sshd_config add the lines:
+# AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
+# AuthorizedKeysCommandUser nobody
+# You can test with the command: sss_ssh_authorizedkeys <username>
+ldap_user_ssh_public_key = nsSshPublicKey
+
+# This prevents an issue where the Directory is recursively walked on group
+# and user look ups. It makes the client faster and more responsive in almost
+# every scenario.
+ignore_group_members = False
+
+[sssd]
+services = nss, pam, ssh, sudo
+config_file_version = 2
+
+domains = ldap
+[nss]
+homedir_substring = /home
+
+
diff --git a/sssd/sssd.conf b/sssd/sssd.conf
new file mode 100644
index 0000000..7a6664d
--- /dev/null
+++ b/sssd/sssd.conf
@@ -0,0 +1,58 @@
+###
+##
+## Prototype System Security Services Daemon configuration for GNU/Linux based systems in the namespaces lysergic.dev / syscid.com /liberta.casa
+##
+## Unless otherwise stated, system/scripts/sh/deploy_directory_client.sh should be run instead of manually setting this file.
+##
+## georg@lysergic.dev
+##
+###
+
+[sssd]
+debug_level = 10
+config_file_version = 2
+services = nss, pam, ssh, sudo
+domains = SYSCID
+
+[nss]
+homedir_substring = /home
+debug_level = 10
+
+[pam]
+debug_level = 10
+pam_verbosity = 3
+pam_account_expired_message = Permission denied - Your SYSCID or LibertaCasa Account EXPIRED.
+pam_account_locked_message = Permission denied - Your SYSCID or LibertaCasa Account is LOCKED.
+
+[ssh]
+debug_level = 10
+
+[sudo]
+debug_level = 10
+
+[domain/SYSCID]
+ignore_group_members = False
+debug_level = 10
+cache_credentials= False
+id_provider = ldap
+auth_provider = ldap
+access_provider = ldap
+chpass_provider = ldap
+ldap_schema = rfc2307bis
+ldap_search_base = dc=syscid,dc=com
+ldap_uri = ldaps://ldap.syscid.com
+ldap_access_filter = (memberOf=cn=syscid_shell_users,ou=syscid-groups,dc=syscid,dc=com)
+access_provider = ldap
+ldap_user_member_of = memberof
+#ldap_group_member = memberUid
+#ldap_group_member = member
+ldap_user_gecos = cn
+ldap_user_uuid = nsUniqueId
+ldap_group_uuid = nsUniqueId
+#ldap_pwd_policy = shadow
+ldap_account_expire_policy = rhds
+ldap_access_order = filter, expire, pwd_expire_policy_renew
+ldap_user_ssh_public_key = sshPublicKey
+sudo_provider = ldap
+ldap_sudo_search_base = ou=SUDOers,ou=syscid-system,dc=syscid,dc=com
+