  1. #!/bin/bash
  2. ################################################################################
  3. # using this host's credentials, look up the (yes, plaintext) userpassword for
  4. # cn=LDAP Anonymous,ou=Special,dc=websages,dc=com, to which all members or
  5. # ou=Hosts have read (ACL in /etc/ldap/slapd/domains/${f.q.d.n}_slapd.conf)
  6. # so that we can put it in the global ldap.conf, such that we can disable
  7. # "true" anonymous binds, but getent will work for everyone, because the
  8. # /etc/ldap.secret won't have to exist and be mode 0600
  9. ################################################################################
  10. export PATH="/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin"
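################################################################################
# Log why and with what status this run ends, then exit with that status.
# Arguments: $1 - exit status (defaults to 1 when omitted, so a logexit with
#                 no status never reports success by accident)
#            $2 - human-readable reason (defaults to "no reason specified")
# Globals:   LOGEXIT_LOG - optional override of the log file path; the
#                 default is /var/log/logexit.log as before
# Outputs:   appends one line to the log file
# Returns:   does not return; exits the script with $1
################################################################################
logexit(){
  local exit_code=${1:-1}
  local why=${2:-"no reason specified"}
  local log_file=${LOGEXIT_LOG:-/var/log/logexit.log}
  # printf rather than echo: the reason is arbitrary text and echo would
  # interpret a leading "-n"/"-e".  A failed append does not change the
  # status the caller asked for.
  printf '%s exited %s last time because %s.\n' "$0" "${exit_code}" "${why}" >> "${log_file}"
  exit "${exit_code}"
}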
  18.  
# Fast path: when ldap.conf already binds as the anonymous user and the
# existing configuration still works (testldap succeeds), there is nothing
# to do.  Any grep error (e.g. missing ldap.conf) is treated as "not found".
if grep -q "^binddn cn=LDAP Anonymous" /etc/ldap/ldap.conf 2>/dev/null \
   && [ -x /usr/local/sbin/testldap ]; then
  /usr/local/sbin/testldap && exit 0
fi
  25.  
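if [ ! -x /usr/local/sbin/secret ]; then
  logexit 1 "/usr/local/sbin/secret not executable"
fi

# This host's own LDAP bind password.  Stop here if the helper fails or
# prints nothing, rather than attempting the bind below with an empty
# password and discovering the problem only through the ldapsearch result.
SECRET=$(/usr/local/sbin/secret) || logexit 1 "/usr/local/sbin/secret failed"
if [ -z "${SECRET}" ]; then
  logexit 1 "/usr/local/sbin/secret returned an empty password"
fi

# Both names feed the base DN, the SRV lookup and the bind DN further down;
# an empty value there would silently produce a wrong DN.
if [ -z "$(dnsdomainname)" ]; then
  logexit 1 "cannot determine dns domain name"
fi

if [ -z "$(hostname -s)" ]; then
  logexit 1 "cannot determine short host name"
fi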
  39.  
  40. URI=$(
  41. for h in `dig +short -tsrv _ldap._tcp.$(dnsdomainname)|awk '{print $NF}'|sed -e 's/\.$//'`;do
  42. echo "$(traceroute ${h}|grep -v '* * *'|tail -1 |awk '{print $1}') ${h}"
  43. done | sort -n | awk '{if($2!=""){print " ldaps://"$2":636,"}}' | tr '\n' ' '|sed -e 's/, *$//';
  44. )
  45.  
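if [ -z "${URI}" ]; then
  logexit 1 "could not get URIs"
fi

# Turn a DNS domain such as "a.b" into an LDAP base DN "dc=a,dc=b" with a
# parameter expansion instead of a sed fork.
# Arguments: $1 - dotted domain name (an empty name yields "dc=", as before)
# Outputs:   the base DN on stdout
dn_from_domain() {
  local domain=$1
  printf 'dc=%s\n' "${domain//./,dc=}"
}

BASEDN=$(dn_from_domain "$(dnsdomainname)")
HOST=$(hostname -s)
# SECRET was already read from /usr/local/sbin/secret above; it is not read
# a second time here, and it is deliberately not exported: an exported
# variable is inherited by every child process this script starts (awk, sed,
# perl, ...), which none of them needs.
export URI BASEDN HOST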
  54.  
  55. ################################################################################
  56. # get the anonymous password from ldap, and transform from mime if necessary #
  57. ANONPASS=$(
  58. ldapsearch -xLH "$URI" \
  59. -b "${BASEDN}" \
  60. -D "cn=${HOST},ou=Hosts,${BASEDN}" \
  61. -w "${SECRET}" "(cn=LDAP Anonymous)" | \
  62. tr "\n" ''| sed -e 's/ //g' | tr '' "\n" | grep -i userpassword
  63. )
  64.  
  65. echo ${ANONPASS} | grep -qi "userPassword:: " && \
  66. ANONPASS=$(
  67. echo ${ANONPASS}|awk '{print $2}'| \
  68. perl -MMIME::Base64 -le '
  69. while(chomp($line=<STDIN>)){
  70. $key=decode_base64($line);
  71. chomp($key);
  72. print $key;
  73. }
  74. '
  75. ) || \
  76. ANONPASS=$( echo ${ANONPASS} |awk '{print $2}' )
  77. ################################################################################
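# Refuse to continue with an empty password: the generated config would then
# bind with no credential at all.  The check appeared twice in a row before;
# once is enough.  ${ANONPASS} is quoted because an unquoted value containing
# whitespace would turn this test into a syntax error instead of a result.
if [ -z "${ANONPASS}" ]; then
  logexit 1 "cannot retrieve the anonymous password"
fi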
  85.  
  86. cat<<EOF > /etc/ldap/ldap.conf.new
  87. uri ${URI}
  88. base ${BASEDN}
  89. ldap_version 3
  90. scope sub
  91. TLS_CACERT /etc/ldap/ssl/domain_trustchain.pem
  92. # sudo-ldap uses this one but not the one above... ugh
  93. TLS_CACERTFILE /etc/ldap/ssl/domain_trustchain.pem
  94. TLS_REQCERT allow
  95. binddn cn=LDAP Anonymous,ou=Special,${BASEDN}
  96. bindpw ${ANONPASS}
  97. pam_filter objectclass=posixAccount
  98. pam_login_attribute uid
  99. pam_crypt local
  100. pam_password md5
  101. sudoers_base ou=sudoers,${BASEDN}
  102. #sudoers_debug 5
  103. ssl yes
  104. EOF
  105.  
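# Sanity-check the generated file before it replaces the live one: it must
# exist (previously a missing file was skipped silently and only the later
# cp failed) and it must actually contain the password.  grep -F treats the
# password as a literal string rather than a regex, and -- keeps one that
# starts with '-' from being parsed as an option.
if [ ! -f /etc/ldap/ldap.conf.new ]; then
  logexit 1 "/etc/ldap/ldap.conf.new was not written"
fi
if ! grep -qF -- "${ANONPASS}" /etc/ldap/ldap.conf.new; then
  logexit 1 "anonymous password is not in new file"
fi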
  112.  
  113.  
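# Install the new file only when its content differs from the live one; cmp
# compares the bytes directly, so the md5sum/awk round trip is not needed and
# a missing live file still counts as "different".  Both steps are checked so
# that a half-applied update (copied but not chmod'ed, or neither) is logged
# as a failure instead of being reported as success on the last line.
if ! cmp -s /etc/ldap/ldap.conf.new /etc/ldap/ldap.conf; then
  /bin/cp /etc/ldap/ldap.conf.new /etc/ldap/ldap.conf \
    || logexit 1 "cannot install /etc/ldap/ldap.conf"
  chmod 444 /etc/ldap/ldap.conf \
    || logexit 1 "cannot set mode on /etc/ldap/ldap.conf"
fi

logexit 0 "everything looks good"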