Subversion Repositories ALCASAR

Rev

Rev 2490 | Rev 2715 | Go to most recent revision | Details | Compare with Previous | Last modification | View Log

Rev Author Line No. Line
2447 richard 1
#!/bin/bash
2
 
2490 tom.houday 3
# $Id: alcasar-ldap.sh 2705 2019-03-05 22:30:50Z tom.houdayer $
4
 
2447 richard 5
# alcasar-ldap.sh
6
# by Rexy
7
# This script is distributed under the Gnu General Public License (GPL)
8
 
9
# activation / désactivation de l'authentification des utilisateurs via un serveur LDAP externe
10
# enable / disable authentication of users via an extern LDAP server
11
 
2705 tom.houday 12
usage="Usage: alcasar-ldap.sh {--on or -on } | {--off or -off} | --import-cert {certificatePath} | --test [-d]"
2447 richard 13
SED="/bin/sed -i"
14
CONF_FILE="/usr/local/etc/alcasar.conf"
2465 richard 15
LDAP_MODULE="/etc/raddb/mods-available/ldap-alcasar"
2705 tom.houday 16
OPENLDAP_CONF='/etc/openldap/ldap.conf'
17
LDAPS_CERT_LOC='/etc/raddb/certs/alcasar-ldaps.crt'
18
LDAP_SERVER=$(grep '^LDAP_SERVER=' $CONF_FILE | cut -d"=" -f2)                # hostname/IP address of the LDAP server
19
LDAP_USER=$(grep '^LDAP_USER=' $CONF_FILE | cut -d"=" -f2-)                   # LDAP username used by ALCASAR to read the remote directory
20
LDAP_PASSWORD=$(grep '^LDAP_PASSWORD=' $CONF_FILE | cut -d"=" -f2-)           # its password
21
LDAP_BASE=$(grep '^LDAP_BASE=' $CONF_FILE | cut -d"=" -f2-)                   # Where to find the users (cn=**,dc=**,dc=**)
22
LDAP_UID=$(grep '^LDAP_UID=' $CONF_FILE | cut -d"=" -f2)                      # 'samaccountname' for A.D. - 'UID' for LDAP
23
LDAP_SSL=$(grep '^LDAP_SSL=' $CONF_FILE | cut -d"=" -f2-)                     # LDAP SSL status
24
LDAP_CERT_REQUIRED=$(grep '^LDAP_CERT_REQUIRED=' $CONF_FILE | cut -d"=" -f2-) # LDAP SSL certificate verifying
25
 
2447 richard 26
nb_args=$#
27
args=$1
2705 tom.houday 28
if [ $nb_args -eq 0 ]; then
2447 richard 29
	nb_args=1
30
	args="-h"
31
fi
2705 tom.houday 32
 
2447 richard 33
case $args in
34
	-\? | -h* | --h*)
35
		echo "$usage"
36
		exit 0
37
		;;
2705 tom.houday 38
	--on | -on)
2465 richard 39
		$SED "s/^LDAP=.*/LDAP=on/g" $CONF_FILE
2705 tom.houday 40
		if [ "$LDAP_SSL" == 'on' ]; then
41
			$SED "s/^\tserver =.*/\tserver = \"ldaps:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
42
			$SED "s/^\tport =.*/\tport = 636/g" $LDAP_MODULE
43
			[ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' || require_cert='never'
44
			$SED "s/^\t\t#?require_cert =.*/\t\trequire_cert = '$require_cert'/g" $LDAP_MODULE
45
			echo -e "TLS_CACERT $LDAPS_CERT_LOC\nTLS_REQCERT $require_cert" > $OPENLDAP_CONF
46
		else
47
			$SED "s/^\tserver =.*/\tserver = \"ldap:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
48
			$SED "s/^\tport =.*/\tport = 389/g" $LDAP_MODULE
49
			echo  '' > $OPENLDAP_CONF
50
		fi
2490 tom.houday 51
		$SED "s/^\tidentity =.*/\tidentity = \"${LDAP_USER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
52
		$SED "s/^\tpassword =.*/\tpassword = \"${LDAP_PASSWORD//\"/\\\\\\\"}\"/g" $LDAP_MODULE
53
		$SED "s/^\tbase_dn =.*/\tbase_dn = \"${LDAP_BASE//\"/\\\\\\\"}\"/g" $LDAP_MODULE
2705 tom.houday 54
		$SED "s/^\t\tfilter =.*/\t\tfilter = \"(${LDAP_UID//\"/\\\\\\\"}=%{%{Stripped-User-Name}:-%{User-Name}})\"/g" $LDAP_MODULE
55
		if [ ! -e /etc/raddb/mods-enabled/ldap ]; then
2466 richard 56
			ln -s $LDAP_MODULE /etc/raddb/mods-enabled/ldap
57
		fi
2705 tom.houday 58
		[ -e /etc/raddb/sites-enabled/alcasar ] && rm /etc/raddb/sites-enabled/alcasar
2467 richard 59
		ln -s /etc/raddb/sites-available/alcasar-with-ldap /etc/raddb/sites-enabled/alcasar
2465 richard 60
		/usr/bin/systemctl restart radiusd.service
2447 richard 61
		;;
62
	--off | -off)
2465 richard 63
		$SED "s/^LDAP=.*/LDAP=off/g" $CONF_FILE
64
		rm -f /etc/raddb/mods-enabled/ldap
2705 tom.houday 65
		[ -e /etc/raddb/sites-enabled/alcasar ] && rm /etc/raddb/sites-enabled/alcasar
2467 richard 66
		ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
2465 richard 67
		/usr/bin/systemctl restart radiusd.service
2474 tom.houday 68
		;;
2705 tom.houday 69
	--import-cert)
70
		cert=$2
71
		[ -z "$cert" ] && echo "$usage" && exit 1
72
 
73
		if [ "$LDAP_CERT_REQUIRED" == 'on' ]; then
74
			domainName=$(openssl x509 -noout -subject -in $LDAPS_CERT_LOC | cut -d' ' -f2- | sed 's@/[A-Za-z]\+=@\n@g' | tac | tr '\n' '.' | sed  's@\.\+$@@')
75
			if [ "$domainName" != "$LDAP_SERVER" ]; then
76
				echo 'WARN: the common name of the certificate is different from the server domain name'
77
			fi
78
		fi
79
		# TODO : convert DER format to PEM ?
80
		cp -f "$cert" $LDAPS_CERT_LOC
81
		chown root:radius $LDAPS_CERT_LOC
82
		chmod 644 $LDAPS_CERT_LOC
83
 
84
		$SED "s/^LDAP_SSL=.*/LDAP_SSL=on/g" $CONF_FILE
85
		$SED "s/^\tserver =.*/\tserver = \"ldaps:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
86
		$SED "s/^\tport =.*/\tport = 636/g" $LDAP_MODULE
87
		$SED "s@^#\?\t\tca_file =.*@\t\tca_file = $LDAPS_CERT_LOC@g" $LDAP_MODULE
88
		[ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' || require_cert='never'
89
		$SED "s/^#\?\t\trequire_cert =.*/\t\trequire_cert = '$require_cert'/g" $LDAP_MODULE
90
		echo -e "TLS_CACERT $LDAPS_CERT_LOC\nTLS_REQCERT $require_cert" > $OPENLDAP_CONF
91
		/usr/bin/systemctl restart radiusd.service
92
		;;
93
	--delete-cert)
94
		[ -f "$LDAPS_CERT_LOC" ] && rm -f $LDAPS_CERT_LOC
95
		;;
96
	--test)
97
		[ -n "$2" ] && [ "$2" == '-d' ] && debugOpt='-d229'
98
		command -v ldapsearch &>/dev/null || { echo >&2 -e "ERR: ldapsearch is not installed\nrun 'dnf install openldap-clients'" ; exit 1; }
99
		if [ "$LDAP_SSL" == 'on' ]; then
100
			protocol='ldaps'
101
			[ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' || require_cert='never'
102
			export LDAPTLS_REQCERT="$require_cert"
103
			[ -f "$LDAPS_CERT_LOC" ] && export LDAPTLS_CACERT="$LDAPS_CERT_LOC"
104
		else
105
			protocol='ldap'
106
		fi
107
		/usr/bin/ldapsearch $debugOpt -LLL -H "$protocol://$LDAP_SERVER" -x -D "$LDAP_USER" -w "$LDAP_PASSWORD" -b "$LDAP_BASE" "($LDAP_UID=*)" 1.1
108
		;;
2447 richard 109
	*)
2474 tom.houday 110
		echo "Argument inconnu : $1";
2447 richard 111
		echo "$usage"
112
		exit 1
113
		;;
114
esac