commit 7f00c9f2ebfe1e61c90880259ada47e26dd92f34
Author: Georg
Date: Wed Aug 11 15:41:35 2021 +0200
Init
Signed-off-by: Georg
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..708e976
--- /dev/null
+++ b/README.md
@@ -0,0 +1 @@
+This houses exports of my Confluence Space: https://confluence.psyched.dev/x/dYBR.
diff --git a/georg/389_Directory_Server_+_CA.md b/georg/389_Directory_Server_+_CA.md
new file mode 100644
index 0000000..eef07ce
--- /dev/null
+++ b/georg/389_Directory_Server_+_CA.md
@@ -0,0 +1,121 @@
+# 389 Directory Server + CA
+
+
+ +
+ +``` bash +# install +zypper in 389-ds openldap2-client + +# base config +cat <<'EOF' >instance.inf +[general] +config_version = 2 + +[slapd] +instance_name = syscid +root_password = J0TMD8GdS5cNJD1jxg16WBtzr9SWWFVHzOpUoCn4QSlXkwKT + +[backend-userroot] +create_suffix_entry = True +sample_entries = True +suffix = dc=syscid,dc=com +EOF + +# init +dscreate from-file instance.inf + +# stop +dsctl syscid stop + +# modify /etc/ssl/openssl.cnf +... +[ policy_match ] +countryName = optional +stateOrProvinceName = optional +organizationName = optional +... +database = index.txt +serial = serial +... + +# create CA + +mkdir /etc/pki/CA +cd /etc/pki/CA + +# init first CA +touch index.txt +echo 01 > serial + +# generate CA key +openssl genrsa -out ca.key 4096 + +# generate CA certificate +openssl req -new -x509 -days 365 -key ca.key -out ca.crt + +# create extension config (for SANs) +cat <<'EOF' >server_cert_ext.cnf +[v3_ca] +basicConstraints = CA:FALSE +nsCertType = server +nsComment = "LDAP01 Server Certificate" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth +subjectAltName = @alt_names +[ alt_names ] +DNS.1 = ldap.syscid.com +DNS.2 = ldap01.syscid.com +DNS.3 = dir.syscid.com +DNS.4 = dir01.syscid.com +DNS.5 = gaia.syscid.com +EOF + +# +mkdir private +cd private/ + +# generate server key +openssl genrsa -out ldap.syscid.com.key 4096 + +# generate CSR +openssl req -new -key ldap.syscid.com.key -out ldap.syscid.com.csr + +# generate server certificate +openssl ca -keyfile ca.key -cert ca.crt -in private/ldap.syscid.com.csr -out private/ldap.syscid.com.crt -extensions v3_ca -extfile server_cert_ext.cnf -outdir . 
+ +# wipe existing SLAPD NSS certificate database +rm /etc/dirsrv/slapd-syscid/*.db +certutil -d /etc/dirsrv/slapd-syscid/ -N + +# export server certificate and server key to P12 bundle +openssl pkcs12 -export -in private/ldap.syscid.com.crt -inkey private/ldap.syscid.com.key -out /etc/dirsrv/slapd-syscid/ldap.syscid.com.p12 -name Server-Cert + +# install server certificate in SLAPD certstore +pk12util -i /etc/dirsrv/slapd-syscid/ldap.syscid.com.p12 -d /etc/dirsrv/slapd-syscid/ -n Server-Cert + +# install CA in SLAPD certstore +certutil -d /etc/dirsrv/slapd-syscid/ -A -n "SysCid CA" -t CT,, -a -i ca.crt + +# check SLAPD certstore +# should show Server-Cert and Syscid CA (the comments assigned in the above two imports) +certutil -d /etc/dirsrv/slapd-syscid/ -L + +# install CA locally +ln -s /etc/pki/CA/ca.crt /etc/pki/trust/anchors/syscid-ca.crt +update-ca-certificates + +# start +# asks for NSS DB store password if one was set +dsctl syscid start + +# check +dsctl syscid status +``` + +
+ +
diff --git a/georg/Drafts.md b/georg/Drafts.md new file mode 100644 index 0000000..2ccbba7 --- /dev/null +++ b/georg/Drafts.md @@ -0,0 +1 @@ +# Drafts diff --git a/georg/Georg’s_Home.md b/georg/Georg’s_Home.md new file mode 100644 index 0000000..66ace8c --- /dev/null +++ b/georg/Georg’s_Home.md @@ -0,0 +1,339 @@ +# Georg’s Home + +
+ +
+ +
+ +
+ +Contact: georg@lysergic.dev + + + +
+ +
+ +
+ +
+ +
+ +
+ +
+ +## Recently Updated + + + +
+ +-
+ +
+ +
+ + [Leon: Apache Reverse Proxy](Leon_Apache_Reverse_Proxy "Georg") +
+ + yesterday at 11:35 PM • updated by + Georg • + view change + +
+ +
+ +-
+ +
+ +
+ + [Drafts](Drafts "Georg") +
+ + yesterday at 11:24 PM • created by + Georg + +
+ +
+ +-
+ +
+ +
+ + [Georg’s Home](Georg’s_Home "Georg") +
+ + yesterday at 11:24 PM • updated by + Georg • + view change + +
+ +
+ +-
+ +
+ +
+ + [sudoers2ldif.pl](/display/~georg/LDAP%3A+Sudo?preview=%2F5341350%2F5341355%2Fsudoers2ldif.pl) +
+ + yesterday at 11:16 PM • attached by + Georg + +
+ +
+ +-
+ +
+ +
+ + [LDAP: Sudo](LDAP_Sudo "Georg") +
+ + yesterday at 11:16 PM • updated by + Georg • + view change + +
+ +
+ +-
+ +
+ +
+ + [SUDOers_OU.png](/display/~georg/LDAP%3A+Sudo?preview=%2F5341350%2F5341353%2FSUDOers_OU.png) +
+ + yesterday at 11:15 PM • attached by + Georg + +
+ +
+ +-
+ +
+ +
+ + [SUDOers_Defaults.png](/display/~georg/LDAP%3A+Sudo?preview=%2F5341350%2F5341352%2FSUDOers_Defaults.png) +
+ + yesterday at 11:15 PM • attached by + Georg + +
+ +
+ +-
+ +
+ +
+ + [389 Directory Server + CA](389_Directory_Server_+_CA "Georg") +
+ + yesterday at 2:54 AM • updated by + Georg • + view change + +
+ +
+ +-
+ +
+ +
+ + [Notes](/display/~georg/Notes?focusedCommentId=5341309#comment-5341309) +
+ + Aug 04, 2021 • commented by + Georg + +
+ +
+ +-
+ +
+ +
+ + [Notes](Notes "Georg") +
+ + Aug 04, 2021 • created by + Georg + +
+ +
+ +-
+ +
+ +
+ + [Georg’s Home](../georg/Georg’s_Home) +
+ + Aug 04, 2021 • commented by + Georg + +
+ +
+ +-
+ +
+ +
+ + [Georg’s Home](../georg/Georg’s_Home) +
+ + Aug 04, 2021 • commented by + Georg + +
+ +
+ +-
+ +
+ +
+ + [Georg’s Home](../georg/Georg’s_Home) +
+ + Aug 04, 2021 • commented by + Georg + +
+ +
+ +-
+ +
+ +
+ + [Georg](index "Georg") +
+ + Aug 04, 2021 • created by + Georg + +
+ +
+ +
+ +
+ +
+ +
+ +
+ +
+ +## Navigate space + +
+ +
+ +
+ +
+ +
+ +
+ +
+ +
+ +
+ +
+ + + +
+ +
+ +
+ +
+ +
+ +## Comments: + +
+ + +++ + + + + + + + + + + + +

blabla

+
+ Posted by georg at Aug 04, 2021 01:08 +

test

+
+ Posted by georg at Aug 04, 2021 01:18 +

test

+
+ Posted by georg at Aug 04, 2021 01:58 +
diff --git a/georg/LDAP_Sudo.md b/georg/LDAP_Sudo.md new file mode 100644 index 0000000..0e049fd --- /dev/null +++ b/georg/LDAP_Sudo.md @@ -0,0 +1,140 @@ +# LDAP: Sudo + +Prerequisites: + +- 389 DS server +- LDAP Directory Manager (or equivalent) permissions +- SSSD client +- Client root (or equivalent) permissions - ideally not only \`sudo\` + permissions, in case you lock yourself out of \`sudo\` + +### Verify the sudo schema is installed: + +
+ +
+ +``` bash +# file (locate 60sudo.ldif) +/usr/share/dirsrv/schema/60sudo.ldif: ASCII text +``` + +
+ +
+ +### Create OU: + +Create an organizational unit to house SUDOers settings using a GUI or +using ldapadd/ldapmodify. This is not documented here, but the LDIF +query should look something like this: + +
+ +
+ +``` java +dn: ou=SUDOers,ou=syscid-system,dc=syscid,dc=com +changetype: add +ou: SUDOers +objectClass: organizationalUnit +objectClass: top +``` + +
+ +
+ +### Convert existing, local, sudoers to LDIF: + +Convert an existing, local, sudoers file to an LDAP importable LDIF. Old +articles suggest the Perl script used for this should be included in the +\`sudo\` package, however that does not seem to be the case on the SUSE +systems I worked with - I dug the script out of deep parts of the +internet and attached it here - whether it is "original" I cannot tell. + +Note that the SUDOERS_BASE environment variable needs to be filled with +the DN of the OU created above. + +
+ +
+ +``` bash +# export SUDOERS_BASE=ou=SUDOers,ou=syscid-system,dc=syscid,dc=com +# echo $SUDOERS_BASE +ou=SUDOers,ou=syscid-system,dc=syscid,dc=com +# perl sudoers2ldif.pl /etc/sudoers | tee sudoers-389.ldif +# file sudoers-389.ldif +sudoers-389.ldif: ASCII text +``` + +
+ +
+ +#### Inspect the file for faulty lines: + +In the `sudoers-389.ldif` file generated above, look for failed lines, +which may look similar to the following: + +`parse error: Defaults!/usr/bin/sudoreplay !log_output` + +`parse error: Defaults!REBOOT !log_output` + +Remove them, in order to have a valid LDIF. + +If the lines seem crucial to you, either correct the input sudoers file, +and run the script again, or try to manually add the settings in your OU +after the import. + +### Import the LDIF: + +
+ +
+ +``` bash +# ldapadd -xWD 'cn=Directory Manager' -f sudoers-389.ldif +``` + +
+ +
+ +### Verify the result: + + + +### Configure a client: + +Add to / modify in `/etc/nsswitch.conf`: + +sudoers:        sss + +Add to / modify in /etc/sssd/sssd.conf: + +sudo_provider = ldap ldap_sudo_search_base = +ou=SUDOers,ou=syscid-system,dc=syscid,dc=com + +I read that a \`service\` entry should no longer be necessary, but am +adding it to my existing services for good measure: + +services = nss, pam, ssh, sudo + +
+ +## Attachments: + +
+ +
+ + +[SUDOers_Defaults.png](attachments/5341350/5341352.png) (image/png) + +[SUDOers_OU.png](attachments/5341350/5341353.png) (image/png) + +[sudoers2ldif.pl](attachments/5341350/5341355.pl) (application/x-perl) + +
diff --git a/georg/Leon_Apache_Reverse_Proxy.md b/georg/Leon_Apache_Reverse_Proxy.md
new file mode 100644
index 0000000..308cc84
--- /dev/null
+++ b/georg/Leon_Apache_Reverse_Proxy.md
@@ -0,0 +1,97 @@ +# Leon: Apache Reverse Proxy + + + +# Reverse Proxy Setup + +## Apache2 + +This allows you to access the Leon web app using an Apache virtual host. + +## Prerequisites + +- **A domain** + +> DNS A (and/or AAAA) records have to point to your webserver. + +- **SSL certificate** + +> A valid SSL certificate. + +> The setup is possible without SSL, though using HTTPS is highly +> recommended. The following configuration examples apply to a HTTPS +> enforced site. + +- **An operating system** + +> Obvious. + +- **Apache2 / HTTPD** + +> Apache2 needs to be installed, and the modules `mod_ssl`, `mod_proxy` +> as well as `mod_wstunnel` need to be loaded. +> Refer to the Apache documentation specific to your operating system to +> find the correct procedure on how to install and load modules as well +> as on how and where to define virtual hosts. + +- **Firewall** + +> If a firewall is in place, the ports 80 and 443 need to be opened +> and/or forwarded accordingly. +> If Leon resides on a different machine, the configured `LEON_PORT` +> needs to be reachable by the webserver. + +- **Leon** + +> A working Leon installation. It is recommended to test if Leon works +> as expected before attempting to troubleshoot issues with the reverse +> proxy. + +> Warning - As of writing this document, the following configuration +> examples only apply to the DEVELOPMENT branch of Leon. +> Since this branch is deemed stable enough by the author, the complex +> procedure for setting a reverse proxy up with Leon from the Master +> branch (it involves tampering with the source files) will not be +> explained. + +## Leon configuration (.env) + + # Server + LEON_HOST=https://leon.example.com + LEON_PORT=1337 + +## Apache virtual host (leon.conf) + +`leon.example.com` is the domain we will use to reach the Leon web app. + +`localhost` is where the web server reach the Leon backend. 
If Leon +resides on a different machine, replace this with the hostname or IP +address of that machine. + +`:1337` is the port the Leon backend listens on (you specified it above +with `LEON_PORT`). + + + ServerName leon.example.com + + RewriteEngine On + RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L] + + + ServerName leon.example.com + + SSLEngine On + SSLCertificateFile "/path/to/fullchain.pem" + SSLCertificateKeyFile "/path/to/privkey.pem + + ProxyPreserveHost Off + ProxyPass / http://127.0.0.1:1337/ + ProxyPassReverse / http://127.0.0.1:1337/ + + RewriteEngine On + RewriteCond %{HTTP:Upgrade} websocket [NC] + RewriteCond %{HTTP:Connection} upgrade [NC] + RewriteRule ^/?(.*) "ws://127.0.0.1:1337/$1" [P,L] + + +That's it! diff --git a/georg/Notes.md b/georg/Notes.md new file mode 100644 index 0000000..20f4abd --- /dev/null +++ b/georg/Notes.md @@ -0,0 +1,23 @@ +# Notes + +WIP + +
+ +## Comments: + +
+ + +++ + + + + + +

so cool

+
+ Posted by georg at Aug 04, 2021 02:10 +
diff --git a/georg/attachments/5341350/5341352.png b/georg/attachments/5341350/5341352.png
new file mode 100644
index 0000000..0f63102
Binary files /dev/null and b/georg/attachments/5341350/5341352.png differ
diff --git a/georg/attachments/5341350/5341353.png b/georg/attachments/5341350/5341353.png
new file mode 100644
index 0000000..127b9a3
Binary files /dev/null and b/georg/attachments/5341350/5341353.png differ
diff --git a/georg/attachments/5341350/5341355.pl b/georg/attachments/5341350/5341355.pl
new file mode 100644
index 0000000..a94fa04
--- /dev/null
+++ b/georg/attachments/5341350/5341355.pl
@@ -0,0 +1,153 @@ +#!/usr/bin/env perl +# +# Copyright (c) 2007, 2010-2011, 2013 Todd C. Miller +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +# + +use strict; + +# +# Converts a sudoers file to LDIF format in prepration for loading into +# the LDAP server. +# + +# BUGS: +# Does not yet handle multiple lines with : in them +# Does not yet remove quotation marks from options +# Does not yet escape + at the beginning of a dn +# Does not yet handle line wraps correctly +# Does not yet handle multiple roles with same name (needs tiebreaker) +# +# CAVEATS: +# Sudoers entries can have multiple RunAs entries that override former ones, +# with LDAP sudoRunAs{Group,User} applies to all commands in a sudoRole + +my %RA; +my %UA; +my %HA; +my %CA; +my $base=$ENV{SUDOERS_BASE} or die "$0: Container SUDOERS_BASE undefined\n"; +my @options=(); + +my $did_defaults=0; +my $order = 0; + +# parse sudoers one line at a time +while (<>){ + + # remove comment + s/#.*//; + + # line continuation + $_.=<> while s/\\\s*$//s; + + # cleanup newline + chomp; + + # ignore blank lines + next if /^\s*$/; + + if (/^Defaults\s+/i) { + my $opt=$'; + $opt=~s/\s+$//; # remove trailing whitespace + push @options,$opt; + } elsif (/^(\S+)\s+([^=]+)=\s*(.*)/) { + + # Aliases or Definitions + my ($p1,$p2,$p3)=($1,$2,$3); + 
$p2=~s/\s+$//; # remove trailing whitespace + $p3=~s/\s+$//; # remove trailing whitespace + + if ($p1 eq "User_Alias") { + $UA{$p2}=$p3; + } elsif ($p1 eq "Runas_Alias") { + $RA{$p2}=$p3; + } elsif ($p1 eq "Host_Alias") { + $HA{$p2}=$p3; + } elsif ($p1 eq "Cmnd_Alias") { + $CA{$p2}=$p3; + } else { + if (!$did_defaults++){ + # do this once + print "dn: cn=defaults,$base\n"; + print "objectClass: top\n"; + print "objectClass: sudoRole\n"; + print "cn: defaults\n"; + print "description: Default sudoOption's go here\n"; + print "sudoOption: $_\n" foreach @options; + printf "sudoOrder: %d\n", ++$order; + print "\n"; + } + # Definition + my @users=split /\s*,\s*/,$p1; + my @hosts=split /\s*,\s*/,$p2; + my @cmds= split /\s*,\s*/,$p3; + @options=(); + print "dn: cn=$users[0],$base\n"; + print "objectClass: top\n"; + print "objectClass: sudoRole\n"; + print "cn: $users[0]\n"; + # will clobber options + print "sudoUser: $_\n" foreach expand(\%UA,@users); + print "sudoHost: $_\n" foreach expand(\%HA,@hosts); + foreach (@cmds) { + if (s/^\(([^\)]+)\)\s*//) { + my @runas = split(/:\s*/, $1); + if (defined($runas[0])) { + print "sudoRunAsUser: $_\n" foreach expand(\%RA, split(/,\s*/, $runas[0])); + } + if (defined($runas[1])) { + print "sudoRunAsGroup: $_\n" foreach expand(\%RA, split(/,\s*/, $runas[1])); + } + } + } + print "sudoCommand: $_\n" foreach expand(\%CA,@cmds); + print "sudoOption: $_\n" foreach @options; + printf "sudoOrder: %d\n", ++$order; + print "\n"; + } + + } else { + print "parse error: $_\n"; + } + +} + +# +# recursively expand hash elements +sub expand{ + my $ref=shift; + my @a=(); + + # preen the line a little + foreach (@_){ + # if NOPASSWD: directive found, mark entire entry as not requiring + s/NOPASSWD:\s*// && push @options,"!authenticate"; + s/PASSWD:\s*// && push @options,"authenticate"; + s/NOEXEC:\s*// && push @options,"noexec"; + s/EXEC:\s*// && push @options,"!noexec"; + s/SETENV:\s*// && push @options,"setenv"; + s/NOSETENV:\s*// && push 
@options,"!setenv"; + s/LOG_INPUT:\s*// && push @options,"log_input"; + s/NOLOG_INPUT:\s*// && push @options,"!log_input"; + s/LOG_OUTPUT:\s*// && push @options,"log_output"; + s/NOLOG_OUTPUT:\s*// && push @options,"!log_output"; + s/[[:upper:]]+://; # silently remove other tags + s/\s+$//; # right trim + } + + # do the expanding + push @a,$ref->{$_} ? expand($ref,split /\s*,\s*/,$ref->{$_}):$_ foreach @_; + @a; +} diff --git a/georg/images/icons/bullet_blue.gif b/georg/images/icons/bullet_blue.gif new file mode 100644 index 0000000..25bfa0c Binary files /dev/null and b/georg/images/icons/bullet_blue.gif differ diff --git a/georg/images/icons/contenttypes/comment_16.png b/georg/images/icons/contenttypes/comment_16.png new file mode 100644 index 0000000..566f2a8 Binary files /dev/null and b/georg/images/icons/contenttypes/comment_16.png differ diff --git a/georg/images/icons/contenttypes/home_page_16.png b/georg/images/icons/contenttypes/home_page_16.png new file mode 100644 index 0000000..32888f6 Binary files /dev/null and b/georg/images/icons/contenttypes/home_page_16.png differ diff --git a/georg/index.md b/georg/index.md new file mode 100644 index 0000000..490b6f2 --- /dev/null +++ b/georg/index.md @@ -0,0 +1,35 @@ +# \~georg (Georg) + +
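Review bot: Per-command tags are widened to the whole sudoRole: in `expand` (second half of the hunk) `s/NOPASSWD:\s*// && push @options,"!authenticate";` and its sibling substitutions strip the tag from one command but push the option onto the global `@options`, which the main loop then prints as `sudoOption:` for every `sudoCommand` of the entry, so a rule like `user ALL = /bin/ls, NOPASSWD: /sbin/reboot` converts to a role in which both commands are `!authenticate`. The CAVEATS block documents this widening only for RunAs; the tag case belongs there too, e.g. `# Per-command tags (NOPASSWD:, NOEXEC:, SETENV:, ...) become sudoOptions for the whole sudoRole`, and a `warn` to STDERR whenever a tag is found on any command but the first would let the operator split the rule before importing. Separately, `s/#.*//` at the top of the `while (<>)` loop blanks `#include`/`#includedir` lines (and everything after a `#` inside a quoted Defaults value), so rules kept in included files are silently absent from the generated LDIF; testing `/^#include/` before the strip and warning would make the omission visible. `use warnings;` alongside `use strict;` is also missing.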
+ +
+ + + + +
+ +
+ +## Available Pages: + +
+ +- [Georg’s Home](Georg’s_Home) + + - [389 Directory Server + CA](389_Directory_Server_+_CA) + + + + - [LDAP: Sudo](LDAP_Sudo) + + + + - [Drafts](Drafts) + - [Notes](Notes) + + + + - [Leon: Apache Reverse Proxy](Leon_Apache_Reverse_Proxy) + +
diff --git a/index.md b/index.md new file mode 100644 index 0000000..080449a --- /dev/null +++ b/index.md @@ -0,0 +1 @@ +- [georg](georg/index)