| Line 1... |
Line 1... |
| 1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
| 2 |
|
2 |
|
| 3 |
# $Id: alcasar-ldap.sh 2490 2018-02-26 00:49:37Z tom.houdayer $
|
3 |
# $Id: alcasar-ldap.sh 2705 2019-03-05 22:30:50Z tom.houdayer $
|
| 4 |
|
4 |
|
| 5 |
# alcasar-ldap.sh
|
5 |
# alcasar-ldap.sh
|
| 6 |
# by Rexy
|
6 |
# by Rexy
|
| 7 |
# This script is distributed under the Gnu General Public License (GPL)
|
7 |
# This script is distributed under the Gnu General Public License (GPL)
|
| 8 |
|
8 |
|
| 9 |
# activation / désactivation de l'authentification des utilisateurs via un serveur LDAP externe
|
9 |
# activation / désactivation de l'authentification des utilisateurs via un serveur LDAP externe
|
| 10 |
# enable / disable authentication of users via an extern LDAP server
|
10 |
# enable / disable authentication of users via an extern LDAP server
|
| 11 |
|
11 |
|
| 12 |
usage="Usage: alcasar-ldap.sh {--on or -on } | {--off or -off}"
|
12 |
usage="Usage: alcasar-ldap.sh {--on or -on } | {--off or -off} | --import-cert {certificatePath} | --test [-d]"
|
| 13 |
SED="/bin/sed -i"
|
13 |
SED="/bin/sed -i"
|
| 14 |
CONF_FILE="/usr/local/etc/alcasar.conf"
|
14 |
CONF_FILE="/usr/local/etc/alcasar.conf"
|
| 15 |
LDAP_MODULE="/etc/raddb/mods-available/ldap-alcasar"
|
15 |
LDAP_MODULE="/etc/raddb/mods-available/ldap-alcasar"
|
| - |
|
16 |
OPENLDAP_CONF='/etc/openldap/ldap.conf'
|
| - |
|
17 |
LDAPS_CERT_LOC='/etc/raddb/certs/alcasar-ldaps.crt'
|
| 16 |
LDAP_SERVER=`grep ^LDAP_SERVER= $CONF_FILE|cut -d"=" -f2` # IP address of the LDAP server
|
18 |
LDAP_SERVER=$(grep '^LDAP_SERVER=' $CONF_FILE | cut -d"=" -f2) # hostname/IP address of the LDAP server
|
| - |
|
19 |
LDAP_USER=$(grep '^LDAP_USER=' $CONF_FILE | cut -d"=" -f2-) # LDAP username used by ALCASAR to read the remote directory
|
| 17 |
LDAP_BASE=`grep ^LDAP_BASE= $CONF_FILE|cut -d"=" -f2-` # Where to find the users (cn=**,dc=**,dc=**)
|
20 |
LDAP_PASSWORD=$(grep '^LDAP_PASSWORD=' $CONF_FILE | cut -d"=" -f2-) # its password
|
| 18 |
LDAP_UID=`grep ^LDAP_UID= $CONF_FILE|cut -d"=" -f2` # 'samaccuntname' for A.D. - 'UID' for LDAP
|
21 |
LDAP_BASE=$(grep '^LDAP_BASE=' $CONF_FILE | cut -d"=" -f2-) # Where to find the users (cn=**,dc=**,dc=**)
|
| 19 |
LDAP_FILTER=`grep ^LDAP_FILTER= $CONF_FILE|cut -d"=" -f2-` # Filter to limit users search (not used for now)
|
22 |
LDAP_UID=$(grep '^LDAP_UID=' $CONF_FILE | cut -d"=" -f2) # 'samaccountname' for A.D. - 'UID' for LDAP
|
| 20 |
LDAP_USER=`grep ^LDAP_USER= $CONF_FILE|cut -d"=" -f2-` # LDAP username used by ALCASAR to read the remote directory
|
23 |
LDAP_SSL=$(grep '^LDAP_SSL=' $CONF_FILE | cut -d"=" -f2-) # LDAP SSL status
|
| 21 |
LDAP_PASSWORD=`grep ^LDAP_PASSWORD= $CONF_FILE|cut -d"=" -f2-` # its password
|
24 |
LDAP_CERT_REQUIRED=$(grep '^LDAP_CERT_REQUIRED=' $CONF_FILE | cut -d"=" -f2-) # LDAP SSL certificate verifying
|
| - |
|
25 |
|
| 22 |
nb_args=$#
|
26 |
nb_args=$#
|
| 23 |
args=$1
|
27 |
args=$1
|
| 24 |
if [ $nb_args -eq 0 ]
|
28 |
if [ $nb_args -eq 0 ]; then
|
| 25 |
then
|
- |
|
| 26 |
nb_args=1
|
29 |
nb_args=1
|
| 27 |
args="-h"
|
30 |
args="-h"
|
| 28 |
fi
|
31 |
fi
|
| - |
|
32 |
|
| 29 |
case $args in
|
33 |
case $args in
|
| 30 |
-\? | -h* | --h*)
|
34 |
-\? | -h* | --h*)
|
| 31 |
echo "$usage"
|
35 |
echo "$usage"
|
| 32 |
exit 0
|
36 |
exit 0
|
| 33 |
;;
|
37 |
;;
|
| 34 |
--on | -on)
|
38 |
--on | -on)
|
| 35 |
$SED "s/^LDAP=.*/LDAP=on/g" $CONF_FILE
|
39 |
$SED "s/^LDAP=.*/LDAP=on/g" $CONF_FILE
|
| - |
|
40 |
if [ "$LDAP_SSL" == 'on' ]; then
|
| - |
|
41 |
$SED "s/^\tserver =.*/\tserver = \"ldaps:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
|
| - |
|
42 |
$SED "s/^\tport =.*/\tport = 636/g" $LDAP_MODULE
|
| - |
|
43 |
[ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' || require_cert='never'
|
| - |
|
44 |
$SED "s/^\t\t#?require_cert =.*/\t\trequire_cert = '$require_cert'/g" $LDAP_MODULE
|
| - |
|
45 |
echo -e "TLS_CACERT $LDAPS_CERT_LOC\nTLS_REQCERT $require_cert" > $OPENLDAP_CONF
|
| - |
|
46 |
else
|
| 36 |
$SED "s/^\tserver =.*/\tserver = \"ldap:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
|
47 |
$SED "s/^\tserver =.*/\tserver = \"ldap:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
|
| - |
|
48 |
$SED "s/^\tport =.*/\tport = 389/g" $LDAP_MODULE
|
| - |
|
49 |
echo '' > $OPENLDAP_CONF
|
| - |
|
50 |
fi
|
| 37 |
$SED "s/^\tidentity =.*/\tidentity = \"${LDAP_USER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
|
51 |
$SED "s/^\tidentity =.*/\tidentity = \"${LDAP_USER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
|
| 38 |
$SED "s/^\tpassword =.*/\tpassword = \"${LDAP_PASSWORD//\"/\\\\\\\"}\"/g" $LDAP_MODULE
|
52 |
$SED "s/^\tpassword =.*/\tpassword = \"${LDAP_PASSWORD//\"/\\\\\\\"}\"/g" $LDAP_MODULE
|
| 39 |
$SED "s/^\tbase_dn =.*/\tbase_dn = \"${LDAP_BASE//\"/\\\\\\\"}\"/g" $LDAP_MODULE
|
53 |
$SED "s/^\tbase_dn =.*/\tbase_dn = \"${LDAP_BASE//\"/\\\\\\\"}\"/g" $LDAP_MODULE
|
| 40 |
$SED "s/^\tfilter =.*/\tfilter = \"(${LDAP_UID//\"/\\\\\\\"}=%{%{Stripped-User-Name}:-%{User-Name}})\"/g" $LDAP_MODULE
|
54 |
$SED "s/^\t\tfilter =.*/\t\tfilter = \"(${LDAP_UID//\"/\\\\\\\"}=%{%{Stripped-User-Name}:-%{User-Name}})\"/g" $LDAP_MODULE
|
| 41 |
if [ ! -e /etc/raddb/mods-enabled/ldap ]
|
55 |
if [ ! -e /etc/raddb/mods-enabled/ldap ]; then
|
| 42 |
then
|
- |
|
| 43 |
ln -s $LDAP_MODULE /etc/raddb/mods-enabled/ldap
|
56 |
ln -s $LDAP_MODULE /etc/raddb/mods-enabled/ldap
|
| 44 |
fi
|
57 |
fi
|
| 45 |
if [ -e /etc/raddb/sites-enabled/alcasar ]
|
58 |
[ -e /etc/raddb/sites-enabled/alcasar ] && rm /etc/raddb/sites-enabled/alcasar
|
| 46 |
then
|
- |
|
| 47 |
rm /etc/raddb/sites-enabled/alcasar
|
- |
|
| 48 |
fi
|
- |
|
| 49 |
ln -s /etc/raddb/sites-available/alcasar-with-ldap /etc/raddb/sites-enabled/alcasar
|
59 |
ln -s /etc/raddb/sites-available/alcasar-with-ldap /etc/raddb/sites-enabled/alcasar
|
| 50 |
/usr/bin/systemctl restart radiusd.service
|
60 |
/usr/bin/systemctl restart radiusd.service
|
| 51 |
;;
|
61 |
;;
|
| 52 |
--off | -off)
|
62 |
--off | -off)
|
| 53 |
$SED "s/^LDAP=.*/LDAP=off/g" $CONF_FILE
|
63 |
$SED "s/^LDAP=.*/LDAP=off/g" $CONF_FILE
|
| 54 |
rm -f /etc/raddb/mods-enabled/ldap
|
64 |
rm -f /etc/raddb/mods-enabled/ldap
|
| 55 |
if [ -e /etc/raddb/sites-enabled/alcasar ]
|
65 |
[ -e /etc/raddb/sites-enabled/alcasar ] && rm /etc/raddb/sites-enabled/alcasar
|
| 56 |
then
|
- |
|
| 57 |
rm /etc/raddb/sites-enabled/alcasar
|
- |
|
| 58 |
fi
|
- |
|
| 59 |
ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
|
66 |
ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
|
| 60 |
/usr/bin/systemctl restart radiusd.service
|
67 |
/usr/bin/systemctl restart radiusd.service
|
| 61 |
;;
|
68 |
;;
|
| - |
|
69 |
--import-cert)
|
| - |
|
70 |
cert=$2
|
| - |
|
71 |
[ -z "$cert" ] && echo "$usage" && exit 1
|
| - |
|
72 |
|
| - |
|
73 |
if [ "$LDAP_CERT_REQUIRED" == 'on' ]; then
|
| - |
|
74 |
domainName=$(openssl x509 -noout -subject -in $LDAPS_CERT_LOC | cut -d' ' -f2- | sed 's@/[A-Za-z]\+=@\n@g' | tac | tr '\n' '.' | sed 's@\.\+$@@')
|
| - |
|
75 |
if [ "$domainName" != "$LDAP_SERVER" ]; then
|
| - |
|
76 |
echo 'WARN: the common name of the certificate is different from the server domain name'
|
| - |
|
77 |
fi
|
| - |
|
78 |
fi
|
| - |
|
79 |
# TODO : convert DER format to PEM ?
|
| - |
|
80 |
cp -f "$cert" $LDAPS_CERT_LOC
|
| - |
|
81 |
chown root:radius $LDAPS_CERT_LOC
|
| - |
|
82 |
chmod 644 $LDAPS_CERT_LOC
|
| - |
|
83 |
|
| - |
|
84 |
$SED "s/^LDAP_SSL=.*/LDAP_SSL=on/g" $CONF_FILE
|
| - |
|
85 |
$SED "s/^\tserver =.*/\tserver = \"ldaps:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
|
| - |
|
86 |
$SED "s/^\tport =.*/\tport = 636/g" $LDAP_MODULE
|
| - |
|
87 |
$SED "s@^#\?\t\tca_file =.*@\t\tca_file = $LDAPS_CERT_LOC@g" $LDAP_MODULE
|
| - |
|
88 |
[ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' || require_cert='never'
|
| - |
|
89 |
$SED "s/^#\?\t\trequire_cert =.*/\t\trequire_cert = '$require_cert'/g" $LDAP_MODULE
|
| - |
|
90 |
echo -e "TLS_CACERT $LDAPS_CERT_LOC\nTLS_REQCERT $require_cert" > $OPENLDAP_CONF
|
| - |
|
91 |
/usr/bin/systemctl restart radiusd.service
|
| - |
|
92 |
;;
|
| - |
|
93 |
--delete-cert)
|
| - |
|
94 |
[ -f "$LDAPS_CERT_LOC" ] && rm -f $LDAPS_CERT_LOC
|
| - |
|
95 |
;;
|
| - |
|
96 |
--test)
|
| - |
|
97 |
[ -n "$2" ] && [ "$2" == '-d' ] && debugOpt='-d229'
|
| - |
|
98 |
command -v ldapsearch &>/dev/null || { echo >&2 -e "ERR: ldapsearch is not installed\nrun 'dnf install openldap-clients'" ; exit 1; }
|
| - |
|
99 |
if [ "$LDAP_SSL" == 'on' ]; then
|
| - |
|
100 |
protocol='ldaps'
|
| - |
|
101 |
[ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' || require_cert='never'
|
| - |
|
102 |
export LDAPTLS_REQCERT="$require_cert"
|
| - |
|
103 |
[ -f "$LDAPS_CERT_LOC" ] && export LDAPTLS_CACERT="$LDAPS_CERT_LOC"
|
| - |
|
104 |
else
|
| - |
|
105 |
protocol='ldap'
|
| - |
|
106 |
fi
|
| - |
|
107 |
/usr/bin/ldapsearch $debugOpt -LLL -H "$protocol://$LDAP_SERVER" -x -D "$LDAP_USER" -w "$LDAP_PASSWORD" -b "$LDAP_BASE" "($LDAP_UID=*)" 1.1
|
| - |
|
108 |
;;
|
| 62 |
*)
|
109 |
*)
|
| 63 |
echo "Argument inconnu : $1";
|
110 |
echo "Argument inconnu : $1";
|
| 64 |
echo "$usage"
|
111 |
echo "$usage"
|
| 65 |
exit 1
|
112 |
exit 1
|
| 66 |
;;
|
113 |
;;
|