Subversion Repositories ALCASAR

Rev

Rev 2715 | Details | Compare with Previous | Last modification | View Log

Rev Author Line No. Line
2447 richard 1
#!/bin/bash
2
 
2490 tom.houday 3
# $Id: alcasar-ldap.sh 2731 2019-05-26 21:09:18Z tom.houdayer $
4
 
2447 richard 5
# alcasar-ldap.sh
6
# by Rexy
7
# This script is distributed under the Gnu General Public License (GPL)
8
 
9
# activation / d├ęsactivation de l'authentification des utilisateurs via un serveur LDAP externe
10
# enable / disable authentication of users via an extern LDAP server
11
 
2705 tom.houday 12
usage="Usage: alcasar-ldap.sh {--on or -on } | {--off or -off} | --import-cert {certificatePath} | --test [-d]"
2447 richard 13
SED="/bin/sed -i"
14
CONF_FILE="/usr/local/etc/alcasar.conf"
2465 richard 15
LDAP_MODULE="/etc/raddb/mods-available/ldap-alcasar"
2705 tom.houday 16
OPENLDAP_CONF='/etc/openldap/ldap.conf'
17
LDAPS_CERT_LOC='/etc/raddb/certs/alcasar-ldaps.crt'
18
LDAP_SERVER=$(grep '^LDAP_SERVER=' $CONF_FILE | cut -d"=" -f2)                # hostname/IP address of the LDAP server
19
LDAP_USER=$(grep '^LDAP_USER=' $CONF_FILE | cut -d"=" -f2-)                   # LDAP username used by ALCASAR to read the remote directory
20
LDAP_PASSWORD=$(grep '^LDAP_PASSWORD=' $CONF_FILE | cut -d"=" -f2-)           # its password
21
LDAP_BASE=$(grep '^LDAP_BASE=' $CONF_FILE | cut -d"=" -f2-)                   # Where to find the users (cn=**,dc=**,dc=**)
22
LDAP_UID=$(grep '^LDAP_UID=' $CONF_FILE | cut -d"=" -f2)                      # 'samaccountname' for A.D. - 'UID' for LDAP
2714 tom.houday 23
LDAP_FILTER=$(grep '^LDAP_FILTER=' $CONF_FILE | cut -d"=" -f2-)               # LDAP filter
2705 tom.houday 24
LDAP_SSL=$(grep '^LDAP_SSL=' $CONF_FILE | cut -d"=" -f2-)                     # LDAP SSL status
25
LDAP_CERT_REQUIRED=$(grep '^LDAP_CERT_REQUIRED=' $CONF_FILE | cut -d"=" -f2-) # LDAP SSL certificate verifying
26
 
2715 tom.houday 27
add_ldap_server_to_static_dhcp() {
28
        if [[ "$LDAP_SERVER" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
29
                ldap_server_ip="$LDAP_SERVER"
30
        else
31
                ldap_server_ip=$(dig +short $LDAP_SERVER)
32
                [ -z "$ldap_server_ip" ] && return 1
33
        fi
34
 
35
        if [ -z "$(cat /usr/local/etc/alcasar-ethers | awk -v ldap_server_ip="$ldap_server_ip" '($2==ldap_server_ip)')" ]; then
36
                ldap_server_mac=$(chilli_query list | awk -v ldap_server_ip="$ldap_server_ip" '($2==ldap_server_ip) {print $1}')
37
                [ -z "$ldap_server_mac" ] && return 1
38
 
39
                echo "$ldap_server_mac $ldap_server_ip" >> /usr/local/etc/alcasar-ethers
40
                echo "$ldap_server_mac $ldap_server_ip #LDAP Server" >> /usr/local/etc/alcasar-ethers-info
41
        fi
42
}
43
 
2447 richard 44
nb_args=$#
45
args=$1
2705 tom.houday 46
if [ $nb_args -eq 0 ]; then
2447 richard 47
        nb_args=1
48
        args="-h"
49
fi
2705 tom.houday 50
 
2447 richard 51
case $args in
52
        -\? | -h* | --h*)
53
                echo "$usage"
54
                exit 0
55
                ;;
2705 tom.houday 56
        --on | -on)
2465 richard 57
                $SED "s/^LDAP=.*/LDAP=on/g" $CONF_FILE
2705 tom.houday 58
                if [ "$LDAP_SSL" == 'on' ]; then
59
                        $SED "s/^\tserver =.*/\tserver = \"ldaps:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
60
                        $SED "s/^\tport =.*/\tport = 636/g" $LDAP_MODULE
61
                        [ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' || require_cert='never'
62
                        $SED "s/^\t\t#?require_cert =.*/\t\trequire_cert = '$require_cert'/g" $LDAP_MODULE
2731 tom.houday 63
                        echo "TLS_REQCERT $require_cert" > $OPENLDAP_CONF
64
                        [ -f "$LDAPS_CERT_LOC" ] && echo "TLS_CACERT $LDAPS_CERT_LOC" >> $OPENLDAP_CONF
2705 tom.houday 65
                else
66
                        $SED "s/^\tserver =.*/\tserver = \"ldap:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
67
                        $SED "s/^\tport =.*/\tport = 389/g" $LDAP_MODULE
68
                        echo  '' > $OPENLDAP_CONF
69
                fi
2490 tom.houday 70
                $SED "s/^\tidentity =.*/\tidentity = \"${LDAP_USER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
71
                $SED "s/^\tpassword =.*/\tpassword = \"${LDAP_PASSWORD//\"/\\\\\\\"}\"/g" $LDAP_MODULE
72
                $SED "s/^\tbase_dn =.*/\tbase_dn = \"${LDAP_BASE//\"/\\\\\\\"}\"/g" $LDAP_MODULE
2714 tom.houday 73
                [ -n "$LDAP_FILTER" ] && filter="$LDAP_FILTER" || filter='&'
2731 tom.houday 74
                $SED "s/^\t\tfilter =.*/\t\tfilter = \"(\&(${LDAP_UID//\"/\\\\\\\"}=%{%{Stripped-User-Name}:-%{User-Name}})(${filter//&/\\&}))\"/g" $LDAP_MODULE
2705 tom.houday 75
                if [ ! -e /etc/raddb/mods-enabled/ldap ]; then
2466 richard 76
                        ln -s $LDAP_MODULE /etc/raddb/mods-enabled/ldap
77
                fi
2705 tom.houday 78
                [ -e /etc/raddb/sites-enabled/alcasar ] && rm /etc/raddb/sites-enabled/alcasar
2467 richard 79
                ln -s /etc/raddb/sites-available/alcasar-with-ldap /etc/raddb/sites-enabled/alcasar
2715 tom.houday 80
                add_ldap_server_to_static_dhcp
2465 richard 81
                /usr/bin/systemctl restart radiusd.service
2447 richard 82
                ;;
83
        --off | -off)
2465 richard 84
                $SED "s/^LDAP=.*/LDAP=off/g" $CONF_FILE
85
                rm -f /etc/raddb/mods-enabled/ldap
2705 tom.houday 86
                [ -e /etc/raddb/sites-enabled/alcasar ] && rm /etc/raddb/sites-enabled/alcasar
2467 richard 87
                ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
2465 richard 88
                /usr/bin/systemctl restart radiusd.service
2474 tom.houday 89
                ;;
2705 tom.houday 90
        --import-cert)
91
                cert=$2
92
                [ -z "$cert" ] && echo "$usage" && exit 1
93
 
2731 tom.houday 94
                [ ! -f "$cert" ] && { echo >&2 "ERR: certificate file \"$cert\" not found" ; exit 1; }
95
 
96
                # TODO : convert DER format to PEM ?
97
                cp -f "$cert" $LDAPS_CERT_LOC
98
                chown root:radius $LDAPS_CERT_LOC
99
                chmod 644 $LDAPS_CERT_LOC
100
 
2705 tom.houday 101
                if [ "$LDAP_CERT_REQUIRED" == 'on' ]; then
102
                        domainName=$(openssl x509 -noout -subject -in $LDAPS_CERT_LOC | cut -d' ' -f2- | sed 's@/[A-Za-z]\+=@\n@g' | tac | tr '\n' '.' | sed  's@\.\+$@@')
103
                        if [ "$domainName" != "$LDAP_SERVER" ]; then
104
                                echo 'WARN: the common name of the certificate is different from the server domain name'
105
                        fi
106
                fi
107
 
108
                $SED "s/^LDAP_SSL=.*/LDAP_SSL=on/g" $CONF_FILE
109
                $SED "s/^\tserver =.*/\tserver = \"ldaps:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
110
                $SED "s/^\tport =.*/\tport = 636/g" $LDAP_MODULE
111
                $SED "s@^#\?\t\tca_file =.*@\t\tca_file = $LDAPS_CERT_LOC@g" $LDAP_MODULE
112
                [ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' || require_cert='never'
113
                $SED "s/^#\?\t\trequire_cert =.*/\t\trequire_cert = '$require_cert'/g" $LDAP_MODULE
114
                echo -e "TLS_CACERT $LDAPS_CERT_LOC\nTLS_REQCERT $require_cert" > $OPENLDAP_CONF
115
                /usr/bin/systemctl restart radiusd.service
116
                ;;
117
        --delete-cert)
118
                [ -f "$LDAPS_CERT_LOC" ] && rm -f $LDAPS_CERT_LOC
119
                ;;
120
        --test)
121
                [ -n "$2" ] && [ "$2" == '-d' ] && debugOpt='-d229'
122
                command -v ldapsearch &>/dev/null || { echo >&2 -e "ERR: ldapsearch is not installed\nrun 'dnf install openldap-clients'" ; exit 1; }
123
                if [ "$LDAP_SSL" == 'on' ]; then
124
                        protocol='ldaps'
125
                        [ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' || require_cert='never'
126
                        export LDAPTLS_REQCERT="$require_cert"
127
                        [ -f "$LDAPS_CERT_LOC" ] && export LDAPTLS_CACERT="$LDAPS_CERT_LOC"
128
                else
129
                        protocol='ldap'
130
                fi
2714 tom.houday 131
                [ -n "$LDAP_FILTER" ] && filter="$LDAP_FILTER" || filter='&'
132
                /usr/bin/ldapsearch $debugOpt -LLL -H "$protocol://$LDAP_SERVER" -x -D "$LDAP_USER" -w "$LDAP_PASSWORD" -b "$LDAP_BASE" "(&($LDAP_UID=*)($filter))" 1.1
2705 tom.houday 133
                ;;
2447 richard 134
        *)
2474 tom.houday 135
                echo "Argument inconnu : $1";
2447 richard 136
                echo "$usage"
137
                exit 1
138
                ;;
139
esac