Subversion Repositories ALCASAR

Rev

Rev 2490 | Rev 2714 | Go to most recent revision | Show entire file | Regard whitespace | Details | Blame | Last modification | View Log

Rev 2490 Rev 2705
Line 1... Line 1...
1
#!/bin/bash
1
#!/bin/bash
2
 
2
 
3
# $Id: alcasar-ldap.sh 2490 2018-02-26 00:49:37Z tom.houdayer $
3
# $Id: alcasar-ldap.sh 2705 2019-03-05 22:30:50Z tom.houdayer $
4
 
4
 
5
# alcasar-ldap.sh
5
# alcasar-ldap.sh
6
# by Rexy
6
# by Rexy
7
# This script is distributed under the Gnu General Public License (GPL)
7
# This script is distributed under the Gnu General Public License (GPL)
8
 
8
 
9
# activation / d├ęsactivation de l'authentification des utilisateurs via un serveur LDAP externe
9
# activation / d├ęsactivation de l'authentification des utilisateurs via un serveur LDAP externe
10
# enable / disable authentication of users via an extern LDAP server
10
# enable / disable authentication of users via an extern LDAP server
11
 
11
 
12
usage="Usage: alcasar-ldap.sh {--on or -on } | {--off or -off}"
12
usage="Usage: alcasar-ldap.sh {--on or -on } | {--off or -off} | --import-cert {certificatePath} | --test [-d]"
13
SED="/bin/sed -i"
13
SED="/bin/sed -i"
14
CONF_FILE="/usr/local/etc/alcasar.conf"
14
CONF_FILE="/usr/local/etc/alcasar.conf"
15
LDAP_MODULE="/etc/raddb/mods-available/ldap-alcasar"
15
LDAP_MODULE="/etc/raddb/mods-available/ldap-alcasar"
-
 
16
OPENLDAP_CONF='/etc/openldap/ldap.conf'
-
 
17
LDAPS_CERT_LOC='/etc/raddb/certs/alcasar-ldaps.crt'
16
LDAP_SERVER=`grep ^LDAP_SERVER= $CONF_FILE|cut -d"=" -f2`               # IP address of the LDAP server
18
LDAP_SERVER=$(grep '^LDAP_SERVER=' $CONF_FILE | cut -d"=" -f2)                # hostname/IP address of the LDAP server
-
 
19
LDAP_USER=$(grep '^LDAP_USER=' $CONF_FILE | cut -d"=" -f2-)                   # LDAP username used by ALCASAR to read the remote directory
17
LDAP_BASE=`grep ^LDAP_BASE= $CONF_FILE|cut -d"=" -f2-`                  # Where to find the users (cn=**,dc=**,dc=**)
20
LDAP_PASSWORD=$(grep '^LDAP_PASSWORD=' $CONF_FILE | cut -d"=" -f2-)           # its password
18
LDAP_UID=`grep ^LDAP_UID= $CONF_FILE|cut -d"=" -f2`                             # 'samaccuntname' for A.D. - 'UID' for LDAP
21
LDAP_BASE=$(grep '^LDAP_BASE=' $CONF_FILE | cut -d"=" -f2-)                   # Where to find the users (cn=**,dc=**,dc=**)
19
LDAP_FILTER=`grep ^LDAP_FILTER= $CONF_FILE|cut -d"=" -f2-`              # Filter to limit users search (not used for now)
22
LDAP_UID=$(grep '^LDAP_UID=' $CONF_FILE | cut -d"=" -f2)                      # 'samaccountname' for A.D. - 'UID' for LDAP
20
LDAP_USER=`grep ^LDAP_USER= $CONF_FILE|cut -d"=" -f2-`                  # LDAP username used by ALCASAR to read the remote directory
23
LDAP_SSL=$(grep '^LDAP_SSL=' $CONF_FILE | cut -d"=" -f2-)                     # LDAP SSL status
21
LDAP_PASSWORD=`grep ^LDAP_PASSWORD= $CONF_FILE|cut -d"=" -f2-`  # its password
24
LDAP_CERT_REQUIRED=$(grep '^LDAP_CERT_REQUIRED=' $CONF_FILE | cut -d"=" -f2-) # LDAP SSL certificate verifying
-
 
25
 
22
nb_args=$#
26
nb_args=$#
23
args=$1
27
args=$1
24
if [ $nb_args -eq 0 ]
28
if [ $nb_args -eq 0 ]; then
25
then
-
 
26
        nb_args=1
29
        nb_args=1
27
        args="-h"
30
        args="-h"
28
fi
31
fi
-
 
32
 
29
case $args in
33
case $args in
30
        -\? | -h* | --h*)
34
        -\? | -h* | --h*)
31
                echo "$usage"
35
                echo "$usage"
32
                exit 0
36
                exit 0
33
                ;;
37
                ;;
34
        --on | -on)    
38
        --on | -on)
35
                $SED "s/^LDAP=.*/LDAP=on/g" $CONF_FILE
39
                $SED "s/^LDAP=.*/LDAP=on/g" $CONF_FILE
-
 
40
                if [ "$LDAP_SSL" == 'on' ]; then
-
 
41
                        $SED "s/^\tserver =.*/\tserver = \"ldaps:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
-
 
42
                        $SED "s/^\tport =.*/\tport = 636/g" $LDAP_MODULE
-
 
43
                        [ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' || require_cert='never'
-
 
44
                        $SED "s/^\t\t#?require_cert =.*/\t\trequire_cert = '$require_cert'/g" $LDAP_MODULE
-
 
45
                        echo -e "TLS_CACERT $LDAPS_CERT_LOC\nTLS_REQCERT $require_cert" > $OPENLDAP_CONF
-
 
46
                else
36
                $SED "s/^\tserver =.*/\tserver = \"ldap:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
47
                        $SED "s/^\tserver =.*/\tserver = \"ldap:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
-
 
48
                        $SED "s/^\tport =.*/\tport = 389/g" $LDAP_MODULE
-
 
49
                        echo  '' > $OPENLDAP_CONF
-
 
50
                fi
37
                $SED "s/^\tidentity =.*/\tidentity = \"${LDAP_USER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
51
                $SED "s/^\tidentity =.*/\tidentity = \"${LDAP_USER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
38
                $SED "s/^\tpassword =.*/\tpassword = \"${LDAP_PASSWORD//\"/\\\\\\\"}\"/g" $LDAP_MODULE
52
                $SED "s/^\tpassword =.*/\tpassword = \"${LDAP_PASSWORD//\"/\\\\\\\"}\"/g" $LDAP_MODULE
39
                $SED "s/^\tbase_dn =.*/\tbase_dn = \"${LDAP_BASE//\"/\\\\\\\"}\"/g" $LDAP_MODULE
53
                $SED "s/^\tbase_dn =.*/\tbase_dn = \"${LDAP_BASE//\"/\\\\\\\"}\"/g" $LDAP_MODULE
40
                $SED "s/^\tfilter =.*/\tfilter = \"(${LDAP_UID//\"/\\\\\\\"}=%{%{Stripped-User-Name}:-%{User-Name}})\"/g" $LDAP_MODULE
54
                $SED "s/^\t\tfilter =.*/\t\tfilter = \"(${LDAP_UID//\"/\\\\\\\"}=%{%{Stripped-User-Name}:-%{User-Name}})\"/g" $LDAP_MODULE
41
                if [ ! -e /etc/raddb/mods-enabled/ldap ]
55
                if [ ! -e /etc/raddb/mods-enabled/ldap ]; then
42
                then
-
 
43
                        ln -s $LDAP_MODULE /etc/raddb/mods-enabled/ldap
56
                        ln -s $LDAP_MODULE /etc/raddb/mods-enabled/ldap
44
                fi
57
                fi
45
                if [ -e /etc/raddb/sites-enabled/alcasar ]
58
                [ -e /etc/raddb/sites-enabled/alcasar ] && rm /etc/raddb/sites-enabled/alcasar
46
                then
-
 
47
                        rm /etc/raddb/sites-enabled/alcasar
-
 
48
                fi
-
 
49
                ln -s /etc/raddb/sites-available/alcasar-with-ldap /etc/raddb/sites-enabled/alcasar
59
                ln -s /etc/raddb/sites-available/alcasar-with-ldap /etc/raddb/sites-enabled/alcasar
50
                /usr/bin/systemctl restart radiusd.service
60
                /usr/bin/systemctl restart radiusd.service
51
                ;;
61
                ;;
52
        --off | -off)
62
        --off | -off)
53
                $SED "s/^LDAP=.*/LDAP=off/g" $CONF_FILE
63
                $SED "s/^LDAP=.*/LDAP=off/g" $CONF_FILE
54
                rm -f /etc/raddb/mods-enabled/ldap
64
                rm -f /etc/raddb/mods-enabled/ldap
55
                if [ -e /etc/raddb/sites-enabled/alcasar ]
65
                [ -e /etc/raddb/sites-enabled/alcasar ] && rm /etc/raddb/sites-enabled/alcasar
56
                then
-
 
57
                        rm /etc/raddb/sites-enabled/alcasar
-
 
58
                fi
-
 
59
                ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
66
                ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
60
                /usr/bin/systemctl restart radiusd.service
67
                /usr/bin/systemctl restart radiusd.service
-
 
68
                ;;
-
 
69
        --import-cert)
-
 
70
                cert=$2
-
 
71
                [ -z "$cert" ] && echo "$usage" && exit 1
-
 
72
 
-
 
73
                if [ "$LDAP_CERT_REQUIRED" == 'on' ]; then
-
 
74
                        domainName=$(openssl x509 -noout -subject -in $LDAPS_CERT_LOC | cut -d' ' -f2- | sed 's@/[A-Za-z]\+=@\n@g' | tac | tr '\n' '.' | sed  's@\.\+$@@')
-
 
75
                        if [ "$domainName" != "$LDAP_SERVER" ]; then
-
 
76
                                echo 'WARN: the common name of the certificate is different from the server domain name'
-
 
77
                        fi
-
 
78
                fi
-
 
79
                # TODO : convert DER format to PEM ?
-
 
80
                cp -f "$cert" $LDAPS_CERT_LOC
-
 
81
                chown root:radius $LDAPS_CERT_LOC
-
 
82
                chmod 644 $LDAPS_CERT_LOC
-
 
83
 
-
 
84
                $SED "s/^LDAP_SSL=.*/LDAP_SSL=on/g" $CONF_FILE
-
 
85
                $SED "s/^\tserver =.*/\tserver = \"ldaps:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
-
 
86
                $SED "s/^\tport =.*/\tport = 636/g" $LDAP_MODULE
-
 
87
                $SED "s@^#\?\t\tca_file =.*@\t\tca_file = $LDAPS_CERT_LOC@g" $LDAP_MODULE
-
 
88
                [ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' || require_cert='never'
-
 
89
                $SED "s/^#\?\t\trequire_cert =.*/\t\trequire_cert = '$require_cert'/g" $LDAP_MODULE
-
 
90
                echo -e "TLS_CACERT $LDAPS_CERT_LOC\nTLS_REQCERT $require_cert" > $OPENLDAP_CONF
-
 
91
                /usr/bin/systemctl restart radiusd.service
-
 
92
                ;;
-
 
93
        --delete-cert)
-
 
94
                [ -f "$LDAPS_CERT_LOC" ] && rm -f $LDAPS_CERT_LOC
-
 
95
                ;;
-
 
96
        --test)
-
 
97
                [ -n "$2" ] && [ "$2" == '-d' ] && debugOpt='-d229'
-
 
98
                command -v ldapsearch &>/dev/null || { echo >&2 -e "ERR: ldapsearch is not installed\nrun 'dnf install openldap-clients'" ; exit 1; }
-
 
99
                if [ "$LDAP_SSL" == 'on' ]; then
-
 
100
                        protocol='ldaps'
-
 
101
                        [ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' || require_cert='never'
-
 
102
                        export LDAPTLS_REQCERT="$require_cert"
-
 
103
                        [ -f "$LDAPS_CERT_LOC" ] && export LDAPTLS_CACERT="$LDAPS_CERT_LOC"
-
 
104
                else
-
 
105
                        protocol='ldap'
-
 
106
                fi
-
 
107
                /usr/bin/ldapsearch $debugOpt -LLL -H "$protocol://$LDAP_SERVER" -x -D "$LDAP_USER" -w "$LDAP_PASSWORD" -b "$LDAP_BASE" "($LDAP_UID=*)" 1.1
61
                ;;
108
                ;;
62
        *)
109
        *)
63
                echo "Argument inconnu : $1";
110
                echo "Argument inconnu : $1";
64
                echo "$usage"
111
                echo "$usage"
65
                exit 1
112
                exit 1