Init directory client configurations

Signed-off-by: Georg <georg@lysergic.dev>

5 files changed, 350 insertions, 0 deletions

diff --git a/dirsrv/ldif/sudoers-389.ldif b/dirsrv/ldif/sudoers-389.ldif
new file mode 100644
index 0000000..f1bd855
--- /dev/null
+++ b/dirsrv/ldif/sudoers-389.ldif
@@ -0,0 +1,35 @@
+dn: cn=defaults,ou=SUDOers,ou=syscid-system,dc=syscid,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: defaults
+description: Default sudoOption's go here
+sudoOption: always_set_home
+sudoOption: secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
+sudoOption: env_reset
+sudoOption: env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
+sudoOption: insults
+sudoOption: mail_badpass
+sudoOption: log_output
+sudoOption: timestamp_timeout=15
+sudoOrder: 1
+
+dn: cn=root,ou=SUDOers,ou=syscid-system,dc=syscid,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: root
+sudoUser: root
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoCommand: ALL
+sudoOrder: 2
+
+dn: cn=%wheel,ou=SUDOers,ou=syscid-system,dc=syscid,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: %wheel
+sudoUser: %wheel
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoCommand: ALL
+sudoOrder: 3
+
diff --git a/dirsrv/misc/sudoers2ldif.pl b/dirsrv/misc/sudoers2ldif.pl
new file mode 100644
index 0000000..a94fa04
--- /dev/null
+++ b/dirsrv/misc/sudoers2ldif.pl
@@ -0,0 +1,153 @@
+#!/usr/bin/env perl
+#
+# Copyright (c) 2007, 2010-2011, 2013 Todd C. Miller <Todd.Miller@courtesan.com>
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+#
+
+use strict;
+
+#
+# Converts a sudoers file to LDIF format in prepration for loading into
+# the LDAP server.
+#
+
+# BUGS:
+#   Does not yet handle multiple lines with : in them
+#   Does not yet remove quotation marks from options
+#   Does not yet escape + at the beginning of a dn
+#   Does not yet handle line wraps correctly
+#   Does not yet handle multiple roles with same name (needs tiebreaker)
+#
+# CAVEATS:
+#   Sudoers entries can have multiple RunAs entries that override former ones,
+#	with LDAP sudoRunAs{Group,User} applies to all commands in a sudoRole
+
+my %RA;
+my %UA;
+my %HA;
+my %CA;
+my $base=$ENV{SUDOERS_BASE} or die "$0: Container SUDOERS_BASE undefined\n";
+my @options=();
+
+my $did_defaults=0;
+my $order = 0;
+
+# parse sudoers one line at a time
+while (<>){
+
+  # remove comment
+  s/#.*//;
+
+  # line continuation
+  $_.=<> while s/\\\s*$//s;
+
+  # cleanup newline
+  chomp;
+
+  # ignore blank lines
+  next if /^\s*$/;
+
+  if (/^Defaults\s+/i) {
+    my $opt=$';
+    $opt=~s/\s+$//; # remove trailing whitespace
+    push @options,$opt;
+  } elsif (/^(\S+)\s+([^=]+)=\s*(.*)/) {
+
+    # Aliases or Definitions
+    my ($p1,$p2,$p3)=($1,$2,$3);
+    $p2=~s/\s+$//; # remove trailing whitespace
+    $p3=~s/\s+$//; # remove trailing whitespace
+
+    if ($p1 eq "User_Alias") {
+      $UA{$p2}=$p3;
+    } elsif ($p1 eq "Runas_Alias") {
+      $RA{$p2}=$p3;
+    } elsif ($p1 eq "Host_Alias") {
+      $HA{$p2}=$p3;
+    } elsif ($p1 eq "Cmnd_Alias") {
+      $CA{$p2}=$p3;
+    } else {
+      if (!$did_defaults++){
+        # do this once
+        print "dn: cn=defaults,$base\n";
+        print "objectClass: top\n";
+        print "objectClass: sudoRole\n";
+        print "cn: defaults\n";
+        print "description: Default sudoOption's go here\n";
+        print "sudoOption: $_\n" foreach @options;
+        printf "sudoOrder: %d\n", ++$order;
+        print "\n";
+      }
+      # Definition
+      my @users=split /\s*,\s*/,$p1;
+      my @hosts=split /\s*,\s*/,$p2;
+      my @cmds= split /\s*,\s*/,$p3;
+      @options=();
+      print "dn: cn=$users[0],$base\n";
+      print "objectClass: top\n";
+      print "objectClass: sudoRole\n";
+      print "cn: $users[0]\n";
+      # will clobber options
+      print "sudoUser: $_\n"   foreach expand(\%UA,@users);
+      print "sudoHost: $_\n"   foreach expand(\%HA,@hosts);
+      foreach (@cmds) {
+	if (s/^\(([^\)]+)\)\s*//) {
+	  my @runas = split(/:\s*/, $1);
+	  if (defined($runas[0])) {
+	    print "sudoRunAsUser: $_\n" foreach expand(\%RA, split(/,\s*/, $runas[0]));
+	  }
+	  if (defined($runas[1])) {
+	    print "sudoRunAsGroup: $_\n" foreach expand(\%RA, split(/,\s*/, $runas[1]));
+	  }
+	}
+      }
+      print "sudoCommand: $_\n" foreach expand(\%CA,@cmds);
+      print "sudoOption: $_\n" foreach @options;
+      printf "sudoOrder: %d\n", ++$order;
+      print "\n";
+    }
+
+  } else {
+    print "parse error: $_\n";
+  }
+
+}
+
+#
+# recursively expand hash elements
+sub expand{
+  my $ref=shift;
+  my @a=();
+
+  # preen the line a little
+  foreach (@_){
+    # if NOPASSWD: directive found, mark entire entry as not requiring
+    s/NOPASSWD:\s*// && push @options,"!authenticate";
+    s/PASSWD:\s*// && push @options,"authenticate";
+    s/NOEXEC:\s*// && push @options,"noexec";
+    s/EXEC:\s*// && push @options,"!noexec";
+    s/SETENV:\s*// && push @options,"setenv";
+    s/NOSETENV:\s*// && push @options,"!setenv";
+    s/LOG_INPUT:\s*// && push @options,"log_input";
+    s/NOLOG_INPUT:\s*// && push @options,"!log_input";
+    s/LOG_OUTPUT:\s*// && push @options,"log_output";
+    s/NOLOG_OUTPUT:\s*// && push @options,"!log_output";
+    s/[[:upper:]]+://; # silently remove other tags
+    s/\s+$//; # right trim
+  }
+
+  # do the expanding
+  push @a,$ref->{$_} ? expand($ref,split /\s*,\s*/,$ref->{$_}):$_ foreach @_;
+  @a;
+}
diff --git a/generic/nsswitch.conf b/generic/nsswitch.conf
new file mode 100644
index 0000000..3a031e1
--- /dev/null
+++ b/generic/nsswitch.conf
@@ -0,0 +1,32 @@
+###
+##
+## Prototype Name Service Switch configuration for GNU/Linux systems in the namespaces lysergic.dev / syscid.com / liberta.casa
+#ä
+## Unless otherwise stated, system/scripts/sh/deploy_directory_client.sh should be run instead of manually setting this file.
+## georg@lysergic.dev
+##
+###
+
+passwd:         sss files
+group:          sss files
+shadow:         sss compat
+# initgroups:   compat
+
+hosts:          files dns
+networks:       files dns
+
+aliases:        files usrfiles
+ethers:         files usrfiles
+gshadow:        files usrfiles
+netgroup:       files nis
+protocols:      files usrfiles
+publickey:      files
+rpc:            files usrfiles
+services:       files usrfiles
+
+automount:      files nis
+bootparams:     files
+netmasks:       files
+
+sudoers:        sss
+
diff --git a/sssd/client_sssd.generated.conf b/sssd/client_sssd.generated.conf
new file mode 100644
index 0000000..3615f96
--- /dev/null
+++ b/sssd/client_sssd.generated.conf
@@ -0,0 +1,72 @@
+WARNING: ldap_uri starts with ldapi:// - you should review this parameter in the sssd configuration
+
+#
+# sssd.conf
+# Generated by 389 Directory Server - dsidm
+#
+# For more details see man sssd.conf and man sssd-ldap
+# Be sure to review the content of this file to ensure it is secure and correct
+# in your environment.
+
+[domain/ldap]
+# Uncomment this for more verbose logging.
+# debug_level=3
+
+# Cache hashes of user authentication for offline auth.
+cache_credentials = True
+id_provider = ldap
+auth_provider = ldap
+access_provider = ldap
+chpass_provider = ldap
+ldap_schema = rfc2307bis
+ldap_search_base = dc=syscid,dc=com
+ldap_uri = ldapi://%2fvar%2frun%2fslapd-syscid.socket
+# If you have DNS SRV records, you can use the following instead. This derives
+# from your ldap_search_base.
+# ldap_uri = _srv_
+
+ldap_tls_reqcert = demand
+# To use cacert dir, place *.crt files in this path then run:
+# /usr/bin/openssl rehash /etc/openldap/certs
+# or (for older versions of openssl)
+# /usr/bin/c_rehash /etc/openldap/certs
+ldap_tls_cacertdir = /etc/openldap/certs
+
+# Path to the cacert
+# ldap_tls_cacert = /etc/openldap/certs/ca.crt
+
+# Only users who match this filter can login and authorise to this machine. Note
+# that users who do NOT match, will still have their uid/gid resolve, but they
+# can't login.
+# ldap_access_filter = (memberOf=<dn>)
+
+enumerate = false
+access_provider = ldap
+ldap_user_member_of = memberof
+ldap_user_gecos = cn
+ldap_user_uuid = nsUniqueId
+ldap_group_uuid = nsUniqueId
+# This is really important as it allows SSSD to respect nsAccountLock
+ldap_account_expire_policy = rhds
+ldap_access_order = filter, expire
+# Setup for ssh keys
+# Inside /etc/ssh/sshd_config add the lines:
+#   AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
+#   AuthorizedKeysCommandUser nobody
+# You can test with the command: sss_ssh_authorizedkeys <username>
+ldap_user_ssh_public_key = nsSshPublicKey
+
+# This prevents an issue where the Directory is recursively walked on group
+# and user look ups. It makes the client faster and more responsive in almost
+# every scenario.
+ignore_group_members = False
+
+[sssd]
+services = nss, pam, ssh, sudo
+config_file_version = 2
+
+domains = ldap
+[nss]
+homedir_substring = /home
+
+
diff --git a/sssd/sssd.conf b/sssd/sssd.conf
new file mode 100644
index 0000000..7a6664d
--- /dev/null
+++ b/sssd/sssd.conf
@@ -0,0 +1,58 @@
+###
+##
+## Prototype System Security Services Daemon configuration for GNU/Linux based systems in the namespaces lysergic.dev / syscid.com /liberta.casa
+##
+## Unless otherwise stated, system/scripts/sh/deploy_directory_client.sh should be run instead of manually setting this file.
+##
+## georg@lysergic.dev
+##
+###
+
+[sssd]
+debug_level = 10
+config_file_version = 2
+services = nss, pam, ssh, sudo
+domains = SYSCID
+
+[nss]
+homedir_substring = /home
+debug_level = 10
+
+[pam]
+debug_level = 10
+pam_verbosity = 3
+pam_account_expired_message = Permission denied - Your SYSCID or LibertaCasa Account EXPIRED.
+pam_account_locked_message = Permission denied - Your SYSCID or LibertaCasa Account is LOCKED.
+
+[ssh]
+debug_level = 10
+
+[sudo]
+debug_level = 10
+
+[domain/SYSCID]
+ignore_group_members = False
+debug_level = 10
+cache_credentials= False
+id_provider = ldap
+auth_provider = ldap
+access_provider = ldap
+chpass_provider = ldap
+ldap_schema = rfc2307bis
+ldap_search_base = dc=syscid,dc=com
+ldap_uri = ldaps://ldap.syscid.com
+ldap_access_filter = (memberOf=cn=syscid_shell_users,ou=syscid-groups,dc=syscid,dc=com)
+access_provider = ldap
+ldap_user_member_of = memberof
+#ldap_group_member = memberUid
+#ldap_group_member = member
+ldap_user_gecos = cn
+ldap_user_uuid = nsUniqueId
+ldap_group_uuid = nsUniqueId
+#ldap_pwd_policy = shadow
+ldap_account_expire_policy = rhds
+ldap_access_order = filter, expire, pwd_expire_policy_renew
+ldap_user_ssh_public_key = sshPublicKey
+sudo_provider = ldap
+ldap_sudo_search_base = ou=SUDOers,ou=syscid-system,dc=syscid,dc=com
+