Slapd 자동 설치

I am writing a script that automates the installation of slapd and phpldapadmin.

The script:

#!/bin/bash
# make sure to run script as sudo


# LDAP

# update first
apt-get -q -y update

# install maven

apt-get install -y maven

# Install php dependencies

apt-get -y install php php-cgi libapache2-mod-php php-common php-pear php-mbstring

a2enconf php7.0-cgi

service apache2 restart

# Pre-seed the slapd passwords
# (the value debconf recognises is "noninteractive", without a hyphen)

export DEBIAN_FRONTEND=noninteractive

echo -e "slapd slapd/root_password password KappaRoss" |debconf-set-selections
echo -e "slapd slapd/root_password_again password KappaRoss" |debconf-set-selections

echo -e "slapd slapd/internal/adminpw password test" |debconf-set-selections
echo -e "slapd slapd/internal/generated_adminpw password test" |debconf-set-selections
echo -e "slapd slapd/password2 password test" |debconf-set-selections
echo -e "slapd slapd/password1 password test" |debconf-set-selections
echo -e "slapd slapd/domain string acu.local" |debconf-set-selections
echo -e "slapd shared/organization string IT410" |debconf-set-selections
echo -e "slapd slapd/backend string HDB" |debconf-set-selections
echo -e "slapd slapd/purge_database boolean true" |debconf-set-selections
echo -e "slapd slapd/move_old_database boolean true" |debconf-set-selections
echo -e "slapd slapd/allow_ldap_v2 boolean false" |debconf-set-selections
echo -e "slapd slapd/no_configuration boolean false" |debconf-set-selections

# Grab slapd and ldap-utils (pre-seeded)
apt-get install -y slapd ldap-utils phpldapadmin

# Must reconfigure slapd for it to work properly
sudo dpkg-reconfigure slapd

# Gotta replace the ldap.conf file, it comments out stuff we need set by default - first open it for writing

chmod 777 /etc/ldap/ldap.conf

cat <<'EOF' > /etc/ldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.


BASE    dc=acu,dc=local
URI     ldap://104.219.54.109 ldap://104.219.54.109:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
EOF

# Be safe again
chmod 744 /etc/ldap/ldap.conf


# Now change all values in /etc/phpldapadmin/config.php to their actual values from example, or .com or localhost (I use sed)
# Inside double quotes the shell would expand $servers to nothing, so the
# dollar is written as [$] in the sed pattern and as \$ in the replacement.


# Line 286
sed -i "s@[$]servers->setValue('server','name','My LDAP Server');.*@\$servers->setValue('server','name','Nathans_LDAP');@" /etc/phpldapadmin/config.php
# Line 293
sed -i "s@[$]servers->setValue('server','host','127.0.0.1');.*@\$servers->setValue('server','host','104.219.54.109');@" /etc/phpldapadmin/config.php
# Line 300
sed -i "s@[$]servers->setValue('server','base',array('dc=example,dc=com'));.*@\$servers->setValue('server','base',array('dc=acu,dc=local'));@" /etc/phpldapadmin/config.php
# Line 326
sed -i "s@[$]servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');.*@\$servers->setValue('login','bind_id','cn=admin,dc=acu,dc=local');@" /etc/phpldapadmin/config.php

# Prevent error when creating users

sed -i "s@[$]default = [$]this->getServer()->getValue('appearance','password_hash');.*@\$default = \$this->getServer()->getValue('appearance','password_hash_custom');@g" /usr/share/phpldapadmin/lib/TemplateRender.php

service apache2 restart

echo ------------------------#
echo 'PHPldapadmin installed.'
echo ------------------------#

echo ""

echo ------------------------------------------------------------#
echo 'Can now access phpldapadmin at http://your-ip/phpldapadmin.'
echo ------------------------------------------------------------#

echo ""

echo ------------------------------------------------------------------------#
echo 'Username should be acu.local, password is the adminpw set during setup.'
echo ------------------------------------------------------------------------#

# Logging
# $DATE is never set by bash, so the timestamp is taken from $(date)

mkdir -p /var/log/installs
echo -e 'Maven installed -done by' $USER 'at time\n' "$(date)" '\n' >> /var/log/installs/log.txt
echo -e 'slapd and ldap-utils configured and installed -done by' $USER 'at time\n' "$(date)" '\n' >> /var/log/installs/log.txt
echo -e 'phpldapadmin install configured -done by' $USER 'at time\n' "$(date)" '\n' >> /var/log/installs/log.txt
echo -e 'LDAP installed completed by' $USER 'at time\n' "$(date)" '\n' >> /var/log/installs/log.txt

Everything works fine except that the debconf-set-selections used to pre-seed the "dpkg-reconfigure slapd" section are not fully applied. In particular, when I try to log in to phpldapadmin with the pre-seeded admin password, it fails. I had to run "dpkg-reconfigure slapd" again in the terminal (manually this time) and set a different admin password. After that I could log in to phpldapadmin properly and everything worked well. Thanks for any help. I need this app to fully automate my final exam, which is coming up soon.

Answer 1

My debconf preseed looks slightly different, but here it is for stretch:

cat > /root/debconf-slapd.conf << 'EOF'
slapd slapd/password1 password admin
slapd slapd/internal/adminpw password admin
slapd slapd/internal/generated_adminpw password admin
slapd slapd/password2 password admin
slapd slapd/unsafe_selfwrite_acl note
slapd slapd/purge_database boolean false
slapd slapd/domain string phys.ethz.ch
slapd slapd/ppolicy_schema_needs_update select abort installation
slapd slapd/invalid_config boolean true
slapd slapd/move_old_database boolean false
slapd slapd/backend select MDB
slapd shared/organization string ETH Zurich
slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION
slapd slapd/no_configuration boolean false
slapd slapd/dump_database select when needed
slapd slapd/password_mismatch note
EOF
export DEBIAN_FRONTEND=noninteractive
cat /root/debconf-slapd.conf | debconf-set-selections
apt install ldap-utils slapd -y

Afterwards I would immediately update the password with ldapmodify. This is done by storing the hash value in LDAP, so the plaintext password does not appear in the script.

cat > /root/admin_pw_config_dit.ldif << 'EOF'
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {CRYPT}<sha-512_hash_here>
EOF
cat > /root/admin_pw_normal_dit.ldif << 'EOF'
dn: cn=admin,dc=phys,dc=ethz,dc=ch
changetype: modify
replace: userPassword
userPassword: {CRYPT}<sha-512_hash_here>
EOF
ldapmodify -H ldapi:/// -x -D cn=admin,dc=phys,dc=ethz,dc=ch -w admin -f /root/admin_pw_normal_dit.ldif
ldapmodify -H ldapi:/// -f /root/admin_pw_config_dit.ldif
# verify
ldapsearch -H ldapi:/// -x -D cn=admin,dc=phys,dc=ethz,dc=ch -W -b dc=phys,dc=ethz,dc=ch cn=admin | grep 'userPassword'

Replace <sha-512_hash_here> with the hash of your password.

You can generate such hashes with the following script: https://github.com/rda0/mkpw

Alternatively you can use: slappasswd -h <hashing-algorithm> -s <new_password>
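For environments where slappasswd is not installed, the salted hash the answer's LDIF expects can be produced directly. The following is an added example, not code from the question or the answer: it builds an OpenLDAP {SSHA} value (salted SHA-1, the scheme slappasswd emits by default) rather than the {CRYPT} SHA-512 value shown above, verifies a password against it, and renders the two modify LDIFs with the answer's DNs. The salt length and the demo password are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SSHA_PREFIX = "{SSHA}"


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return an OpenLDAP {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # assumption: 8 random salt bytes, like slappasswd
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored: str, password: str) -> bool:
    """Verify a password against a stored {SSHA} value (constant-time compare)."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def root_pw_ldif(hashed: str, db: str = "{1}mdb") -> str:
    """LDIF replacing olcRootPW in cn=config, as in the answer above."""
    return (f"dn: olcDatabase={db},cn=config\n"
            "changetype: modify\n"
            "replace: olcRootPW\n"
            f"olcRootPW: {hashed}\n")


def admin_pw_ldif(hashed: str, dn: str = "cn=admin,dc=phys,dc=ethz,dc=ch") -> str:
    """LDIF replacing userPassword on the admin entry, as in the answer above."""
    return (f"dn: {dn}\n"
            "changetype: modify\n"
            "replace: userPassword\n"
            f"userPassword: {hashed}\n")


if __name__ == "__main__":
    h = make_ssha("admin")  # constructed demo password; use your own
    print(root_pw_ldif(h))
    print(admin_pw_ldif(h))
```

Write the two outputs to the files the answer names and feed them to ldapmodify as shown; the plaintext password never needs to be in the script.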
