Init directory client configurations

Signed-off-by: Georg <georg@lysergic.dev>
This commit is contained in:
Georg Pfuetzenreuter 2021-08-30 21:57:59 +02:00
parent 2edbda39c7
commit 889279a70c
Signed by: Georg
GPG Key ID: 1DAF57F49F8E8F22
5 changed files with 350 additions and 0 deletions

View File

@ -0,0 +1,35 @@
dn: cn=defaults,ou=SUDOers,ou=syscid-system,dc=syscid,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: always_set_home
sudoOption: secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
sudoOption: env_reset
sudoOption: env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
sudoOption: insults
sudoOption: mail_badpass
sudoOption: log_output
sudoOption: timestamp_timeout=15
sudoOrder: 1
dn: cn=root,ou=SUDOers,ou=syscid-system,dc=syscid,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOrder: 2
dn: cn=%wheel,ou=SUDOers,ou=syscid-system,dc=syscid,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOrder: 3

153
dirsrv/misc/sudoers2ldif.pl Normal file
View File

@ -0,0 +1,153 @@
#!/usr/bin/env perl
#
# Copyright (c) 2007, 2010-2011, 2013 Todd C. Miller <Todd.Miller@courtesan.com>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#
use strict;
#
# Converts a sudoers file to LDIF format in prepration for loading into
# the LDAP server.
#
# BUGS:
# Does not yet handle multiple lines with : in them
# Does not yet remove quotation marks from options
# Does not yet escape + at the beginning of a dn
# Does not yet handle line wraps correctly
# Does not yet handle multiple roles with same name (needs tiebreaker)
#
# CAVEATS:
# Sudoers entries can have multiple RunAs entries that override former ones,
# with LDAP sudoRunAs{Group,User} applies to all commands in a sudoRole
my %RA;
my %UA;
my %HA;
my %CA;
my $base=$ENV{SUDOERS_BASE} or die "$0: Container SUDOERS_BASE undefined\n";
my @options=();
my $did_defaults=0;
my $order = 0;
# parse sudoers one line at a time
while (<>){
# remove comment
s/#.*//;
# line continuation
$_.=<> while s/\\\s*$//s;
# cleanup newline
chomp;
# ignore blank lines
next if /^\s*$/;
if (/^Defaults\s+/i) {
my $opt=$';
$opt=~s/\s+$//; # remove trailing whitespace
push @options,$opt;
} elsif (/^(\S+)\s+([^=]+)=\s*(.*)/) {
# Aliases or Definitions
my ($p1,$p2,$p3)=($1,$2,$3);
$p2=~s/\s+$//; # remove trailing whitespace
$p3=~s/\s+$//; # remove trailing whitespace
if ($p1 eq "User_Alias") {
$UA{$p2}=$p3;
} elsif ($p1 eq "Runas_Alias") {
$RA{$p2}=$p3;
} elsif ($p1 eq "Host_Alias") {
$HA{$p2}=$p3;
} elsif ($p1 eq "Cmnd_Alias") {
$CA{$p2}=$p3;
} else {
if (!$did_defaults++){
# do this once
print "dn: cn=defaults,$base\n";
print "objectClass: top\n";
print "objectClass: sudoRole\n";
print "cn: defaults\n";
print "description: Default sudoOption's go here\n";
print "sudoOption: $_\n" foreach @options;
printf "sudoOrder: %d\n", ++$order;
print "\n";
}
# Definition
my @users=split /\s*,\s*/,$p1;
my @hosts=split /\s*,\s*/,$p2;
my @cmds= split /\s*,\s*/,$p3;
@options=();
print "dn: cn=$users[0],$base\n";
print "objectClass: top\n";
print "objectClass: sudoRole\n";
print "cn: $users[0]\n";
# will clobber options
print "sudoUser: $_\n" foreach expand(\%UA,@users);
print "sudoHost: $_\n" foreach expand(\%HA,@hosts);
foreach (@cmds) {
if (s/^\(([^\)]+)\)\s*//) {
my @runas = split(/:\s*/, $1);
if (defined($runas[0])) {
print "sudoRunAsUser: $_\n" foreach expand(\%RA, split(/,\s*/, $runas[0]));
}
if (defined($runas[1])) {
print "sudoRunAsGroup: $_\n" foreach expand(\%RA, split(/,\s*/, $runas[1]));
}
}
}
print "sudoCommand: $_\n" foreach expand(\%CA,@cmds);
print "sudoOption: $_\n" foreach @options;
printf "sudoOrder: %d\n", ++$order;
print "\n";
}
} else {
print "parse error: $_\n";
}
}
#
# recursively expand hash elements
sub expand{
my $ref=shift;
my @a=();
# preen the line a little
foreach (@_){
# if NOPASSWD: directive found, mark entire entry as not requiring
s/NOPASSWD:\s*// && push @options,"!authenticate";
s/PASSWD:\s*// && push @options,"authenticate";
s/NOEXEC:\s*// && push @options,"noexec";
s/EXEC:\s*// && push @options,"!noexec";
s/SETENV:\s*// && push @options,"setenv";
s/NOSETENV:\s*// && push @options,"!setenv";
s/LOG_INPUT:\s*// && push @options,"log_input";
s/NOLOG_INPUT:\s*// && push @options,"!log_input";
s/LOG_OUTPUT:\s*// && push @options,"log_output";
s/NOLOG_OUTPUT:\s*// && push @options,"!log_output";
s/[[:upper:]]+://; # silently remove other tags
s/\s+$//; # right trim
}
# do the expanding
push @a,$ref->{$_} ? expand($ref,split /\s*,\s*/,$ref->{$_}):$_ foreach @_;
@a;
}

32
generic/nsswitch.conf Normal file
View File

@ -0,0 +1,32 @@
###
##
## Prototype Name Service Switch configuration for GNU/Linux systems in the namespaces lysergic.dev / syscid.com / liberta.casa
## Unless otherwise stated, system/scripts/sh/deploy_directory_client.sh should be run instead of manually setting this file.
## georg@lysergic.dev
##
###
passwd: sss files
group: sss files
shadow: sss compat
# initgroups: compat
hosts: files dns
networks: files dns
aliases: files usrfiles
ethers: files usrfiles
gshadow: files usrfiles
netgroup: files nis
protocols: files usrfiles
publickey: files
rpc: files usrfiles
services: files usrfiles
automount: files nis
bootparams: files
netmasks: files
sudoers: sss

View File

@ -0,0 +1,72 @@
WARNING: ldap_uri starts with ldapi:// - you should review this parameter in the sssd configuration
#
# sssd.conf
# Generated by 389 Directory Server - dsidm
#
# For more details see man sssd.conf and man sssd-ldap
# Be sure to review the content of this file to ensure it is secure and correct
# in your environment.
[domain/ldap]
# Uncomment this for more verbose logging.
# debug_level=3
# Cache hashes of user authentication for offline auth.
cache_credentials = True
id_provider = ldap
auth_provider = ldap
access_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307bis
ldap_search_base = dc=syscid,dc=com
ldap_uri = ldapi://%2fvar%2frun%2fslapd-syscid.socket
# If you have DNS SRV records, you can use the following instead. This derives
# from your ldap_search_base.
# ldap_uri = _srv_
ldap_tls_reqcert = demand
# To use cacert dir, place *.crt files in this path then run:
# /usr/bin/openssl rehash /etc/openldap/certs
# or (for older versions of openssl)
# /usr/bin/c_rehash /etc/openldap/certs
ldap_tls_cacertdir = /etc/openldap/certs
# Path to the cacert
# ldap_tls_cacert = /etc/openldap/certs/ca.crt
# Only users who match this filter can login and authorise to this machine. Note
# that users who do NOT match, will still have their uid/gid resolve, but they
# can't login.
# ldap_access_filter = (memberOf=<dn>)
enumerate = false
access_provider = ldap
ldap_user_member_of = memberof
ldap_user_gecos = cn
ldap_user_uuid = nsUniqueId
ldap_group_uuid = nsUniqueId
# This is really important as it allows SSSD to respect nsAccountLock
ldap_account_expire_policy = rhds
ldap_access_order = filter, expire
# Setup for ssh keys
# Inside /etc/ssh/sshd_config add the lines:
# AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
# AuthorizedKeysCommandUser nobody
# You can test with the command: sss_ssh_authorizedkeys <username>
ldap_user_ssh_public_key = nsSshPublicKey
# This prevents an issue where the Directory is recursively walked on group
# and user look ups. It makes the client faster and more responsive in almost
# every scenario.
ignore_group_members = False
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = ldap
[nss]
homedir_substring = /home

58
sssd/sssd.conf Normal file
View File

@ -0,0 +1,58 @@
###
##
## Prototype System Security Services Daemon configuration for GNU/Linux based systems in the namespaces lysergic.dev / syscid.com /liberta.casa
##
## Unless otherwise stated, system/scripts/sh/deploy_directory_client.sh should be run instead of manually setting this file.
##
## georg@lysergic.dev
##
###
[sssd]
debug_level = 10
config_file_version = 2
services = nss, pam, ssh, sudo
domains = SYSCID
[nss]
homedir_substring = /home
debug_level = 10
[pam]
debug_level = 10
pam_verbosity = 3
pam_account_expired_message = Permission denied - Your SYSCID or LibertaCasa Account EXPIRED.
pam_account_locked_message = Permission denied - Your SYSCID or LibertaCasa Account is LOCKED.
[ssh]
debug_level = 10
[sudo]
debug_level = 10
[domain/SYSCID]
ignore_group_members = False
debug_level = 10
cache_credentials= False
id_provider = ldap
auth_provider = ldap
access_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307bis
ldap_search_base = dc=syscid,dc=com
ldap_uri = ldaps://ldap.syscid.com
ldap_access_filter = (memberOf=cn=syscid_shell_users,ou=syscid-groups,dc=syscid,dc=com)
access_provider = ldap
ldap_user_member_of = memberof
#ldap_group_member = memberUid
#ldap_group_member = member
ldap_user_gecos = cn
ldap_user_uuid = nsUniqueId
ldap_group_uuid = nsUniqueId
#ldap_pwd_policy = shadow
ldap_account_expire_policy = rhds
ldap_access_order = filter, expire, pwd_expire_policy_renew
ldap_user_ssh_public_key = sshPublicKey
sudo_provider = ldap
ldap_sudo_search_base = ou=SUDOers,ou=syscid-system,dc=syscid,dc=com