Add ppolicy

sergiomt · Jan 24, 2019 · 8dd8f50 · 8dd8f50
1 parent 6d1442a
commit 8dd8f50
Show file tree

Hide file tree

Showing 6 changed files with 51 additions and 178 deletions.
diff --git a/vagrant-setup/.bashrc b/vagrant-setup/.bashrc
@@ -4,4 +4,5 @@ export M2_HOME=/usr/local/maven
 export M2=$M2_HOME/bin
 export SBT_HOME=/usr/local/sbt
 export GRADLE_HOME=/usr/local/gradle
-export PATH=/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/home/vagrant/bin:$M2:$JAVA_HOME/bin:$ANT_HOME/bin:$SBT_HOME/bin:$GRADLE_HOME/bin
+export PATH=/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/home/vagrant/bin:$M2:$JAVA_HOME/bin:$ANT_HOME/bin:$SBT_HOME/bin:$GRADLE_HOME/bin
+export LD_LIBRARY_PATH=/usr/share/db-6.2.32/build_unix/.libs
diff --git a/vagrant-setup/ldap/auth.ldif b/vagrant-setup/ldap/auth.ldif
@@ -9,25 +9,3 @@ dn: ou=Policies,dc=auth,dc=com
 ou: Policies
 description: All users in Clocial
 objectClass: organizationalUnit
-
-# Password policy
-# see http://www.zytrax.com/books/ldap/ch6/ppolicy.html
-dn: cn=default,ou=Users,dc=auth,dc=com
-objectClass: top
-objectClass: device
-objectClass: pwdPolicy
-cn: default
-pwdAttribute: userPassword
-pwdMaxAge: 0
-pwdExpireWarning: 0
-pwdInHistory: 0
-pwdCheckQuality: 0
-pwdMinLength: 0
-pwdMaxFailure: 0
-pwdLockout: FALSE
-pwdLockoutDuration: 86400
-pwdGraceAuthNLimit: 0
-pwdFailureCountInterval: 0
-pwdMustChange: FALSE
-pwdAllowUserChange: TRUE
-pwdSafeModify: FALSE
diff --git a/vagrant-setup/ldap/ppolicymodule.ldif b/vagrant-setup/ldap/ppolicymodule.ldif
diff --git a/vagrant-setup/ldap/slapd.ldif b/vagrant-setup/ldap/slapd.ldif
diff --git a/vagrant-setup/ldap/slapd2.ldif b/vagrant-setup/ldap/slapd2.ldif
@@ -6,9 +6,6 @@ dn: cn=schema,cn=config
 objectClass: olcSchemaConfig
 cn: schema
 
-include: file:///usr/local/etc/openldap/schema/core.ldif
-include: file:///usr/local/etc/openldap/schema/ppolicy.ldif
-
 dn: olcDatabase=frontend,cn=config
 objectClass: olcDatabaseConfig
 olcDatabase: frontend
@@ -17,8 +14,16 @@ olcAccess: to * by * read
 dn: olcDatabase=config,cn=config
 objectClass: olcDatabaseConfig
 olcDatabase: config
-olcRootPW: {SSHA}XKYnrjvGT3wZFQrDD5040US592LxsdLy
-olcAccess: to * by * none
+olcRootDN: cn=root,cn=config
+# Hash value for "secret" generated with slappasswd -s secret
+olcRootPW: {SSHA}ZKKuqbEKJfKSXhUbHG3fG8MDn9j1v4QN
+# olcAccess: to * by * none
+olcAccess: to *
+  by dn.exact="cn=root,cn=config" manage
+  by * none
+
+include: file:///usr/local/etc/openldap/schema/core.ldif
+include: file:///usr/local/etc/openldap/schema/ppolicy.ldif
 
 #######################################################################
 # BDB database definitions
@@ -50,4 +55,4 @@ olcAccess: to *
 dn: olcOverlay=ppolicy,olcDatabase={1}bdb,cn=config
 objectclass: olcPPolicyConfig
 olcOverlay: ppolicy
-olcPPolicyDefault: cn=default,ou=Policies,dc=auth,dc=com
+olcPPolicyDefault: cn=passwordDefault,ou=Policies,dc=auth,dc=com
diff --git a/vagrant-setup/openldap24.sh b/vagrant-setup/openldap24.sh
@@ -21,8 +21,13 @@ else
 			if [[ $EUID -eq 0 ]]
 		  then
 			source /vagrant/vagrant-setup/include.sh
-			yum install -y gnutls tcp_wrappers-devel
-			echo -e "\nsshd: ALL\nslapd: ALL\nslurpd: ALL" >> /etc/hosts.allow
+			yum install -y gnutls tcp_wrappers-devel cyrus-sasl-devel
+			if grep -q "slapd: ALL" /etc/hosts.allow
+			then
+				echo "slapd already present in /etc/hosts.allow"
+			else
+				echo -e "\nsshd: ALL\nslapd: ALL\nslurpd: ALL" >> /etc/hosts.allow
+			fi
 			cd /usr/share
 			wget_and_untar ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/ openldap-2.4.39.tgz
 			mv openldap-2.4.39 openldap
@@ -32,7 +37,8 @@ else
 			export LDFLAGS="-L/usr/share/$BDB/build_unix/.libs"
 			export LD_LIBRARY_PATH="/usr/share/$BDB/build_unix/.libs"
 
-			./configure --enable-wrappers --enable-ppolicy
+			# ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libexecdir=/usr/lib --disable-static --disable-debug --with-tls=openssl --with-cyrus-sasl --enable-dynamic --enable-crypt --enable-spasswd  --enable-slapd --enable-modules --enable-rlookups --enable-backends=mod --disable-ndb --disable-sql --disable-shell --disable-bdb --disable-hdb --enable-overlays=mod
+			./configure --enable-wrappers --enable-ppolicy --disable-hdb --disable-mdb --disable-ndb --disable-sql
 			make depend
 			make
 			make install
@@ -41,6 +47,7 @@ else
 			mkdir -p /usr/local/var/auth-data/logs
 
 			# Create slapd.ldif file for auth.com
+			rm -f /usr/local/var/auth-data/DB_CONFIG
 			echo -e "# http://docs.oracle.com/cd/E17076_04/html/api_reference/C/configuration_reference.html\n# http://sepp.oetiker.ch/subversion-1.4.6-rp/ref/toc.html\n\n# Cache 5Mb\nset_cachesize 0 5242880 1\n\n# Transaction Log settings\nset_lg_regionmax 262144\nset_lg_bsize 2097152\nset_lk_detect DB_LOCK_DEFAULT\nset_flags DB_TXN_NOSYNC\nset_lg_dir logs" > /usr/local/var/auth-data/DB_CONFIG
 			cp $SETUP/ldap/slapd2.ldif /usr/local/etc/openldap/slapd.ldif
 			/usr/local/sbin/slapadd -d -1 -F /usr/local/etc/openldap/slapd.d -n 0 -l /usr/local/etc/openldap/slapd.ldif
@@ -59,36 +66,37 @@ else
 				then
 				echo "No httpd service found, skipping phpldapadmin setup"
 			else
-				yum install -y phpldapadmin
-				perl -pi -e "s/(\x2F\x2F)?\s*\x24servers->setValue\x28'login','base',array\x28\x29\x29/\x24servers->setValue\x28'login','base',array\x28'dc=auth,dc=com'\x29\x29/g" /etc/phpldapadmin/config.php
-				perl -pi -e "s/(\x2F\x2F)?\s*\x24servers->setValue\x28'login','bind_id',''\x29/\x24servers->setValue\x28'login','bind_id','cn=Manager,dc=auth,dc=com'\x29/g" /etc/phpldapadmin/config.php
-				perl -pi -e "s/(\x2F\x2F)?\s*\x24servers->setValue\x28'login','attr','uid'\x29/\x24servers->setValue\x28'login','attr','dn'\x29/g" /etc/phpldapadmin/config.php
-				perl -pi -e "s/\x2F\x2F\s+\x24config->custom->appearance\x5B'hide_template_warning'\x5D = false/\x24config->custom->appearance\x5B'hide_template_warning'\x5D = true/g" /etc/phpldapadmin/config.php
-				perl -pi -e "s/Allow from 127\x2E0\x2E0\x2E1/Allow from all/g" /etc/httpd/conf.d/phpldapadmin.conf
-				systemctl restart httpd.service
-		fi
-
-			iptables -A INPUT -p tcp --dport 389 -j ACCEPT
-			service iptables save
-			systemctl restart iptables
+				if isinstalled phpldapadmin
+					then
+					echo "PHP LDAP Admin is already installed."
+				else
+					yum install -y phpldapadmin
+					perl -pi -e "s/(\x2F\x2F)?\s*\x24servers->setValue\x28'login','base',array\x28\x29\x29/\x24servers->setValue\x28'login','base',array\x28'dc=auth,dc=com'\x29\x29/g" /etc/phpldapadmin/config.php
+					perl -pi -e "s/(\x2F\x2F)?\s*\x24servers->setValue\x28'login','bind_id',''\x29/\x24servers->setValue\x28'login','bind_id','cn=Manager,dc=auth,dc=com'\x29/g" /etc/phpldapadmin/config.php
+					perl -pi -e "s/(\x2F\x2F)?\s*\x24servers->setValue\x28'login','attr','uid'\x29/\x24servers->setValue\x28'login','attr','dn'\x29/g" /etc/phpldapadmin/config.php
+					perl -pi -e "s/\x2F\x2F\s+\x24config->custom->appearance\x5B'hide_template_warning'\x5D = false/\x24config->custom->appearance\x5B'hide_template_warning'\x5D = true/g" /etc/phpldapadmin/config.php
+					perl -pi -e "s/Allow from 127\x2E0\x2E0\x2E1/Allow from all/g" /etc/httpd/conf.d/phpldapadmin.conf
+					perl -pi -e "s/Require local/Require all granted/g" /etc/httpd/conf.d/phpldapadmin.conf
+					systemctl restart httpd.service
+				fi
+			fi
+
+			if [[ ! $(iptables -nL | grep "dpt:389") ]]
+			then
+				iptables -A INPUT -p tcp --dport 389 -j ACCEPT
+				service iptables save
+				systemctl restart iptables
+			fi
 
-			# Start slapd server
 			/etc/init.d/slapd start
+
+			echo "Loading Root LDAP entry..."
 			/usr/local/bin/ldapadd -x -w secret -D "cn=Manager,dc=auth,dc=com" -f /vagrant/vagrant-setup/ldap/auth.ldif
-			/usr/local/bin/ldapadd -x -w secret -D "cn=Manager,dc=auth,dc=com" -f /vagrant/vagrant-setup/ldap/admin.ldif
-
-			# # Add password policy overlay
-			# # already included in slapd.ldif
-			# # https://tobru.ch/openldap-password-policy-overlay/
-			# # Load the ppolicy schema into OLC
-			# /usr/local/bin/ldapmodify -w secret -D "cn=root,cn=config" -W -a -f /usr/local/etc/openldap/schema/ppolicy.ldif
-			# # Load the module
-			# /usr/local/bin/ldapmodify -w secret -D "cn=root,cn=config" -W -a -f /vagrant/vagrant-setup/ppolicymodule.ldif
-			# # Configure ppolicy overlay
-			# /usr/local/bin/ldapmodify -D "cn=root,cn=config" -W -a -f /vagrant/vagrant-setup/ppolicyoverlay.ldif
-			# # The policy itself has already been loaded by auth.ldif
-
-			# Verify access to the LDAP server
+
+			echo "Adding password policy overlay"
+			/usr/local/bin/ldapadd -w secret -D "cn=root,cn=config" -f /vagrant/vagrant-setup/ldap/ppolicyoverlay.ldif
+
+			echo "Verifying access to the LDAP server"
 			/usr/local/bin/ldapsearch -x -b "" -s base "(objectclass=*)" namingContexts
 			/usr/local/bin/ldapsearch -x -h localhost -b "dc=auth,dc=com"