From 5b526e1ad579b482cf83ea1d9c3db3778fc54105 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Zolt=C3=A1n=20Felleg?=
Date: Tue, 29 Mar 2022 12:05:32 +0200
Subject: [PATCH] Updated fds.in (updated ds creation scripts).

---
 sources/fds.in/c3d/firstboot/data/USERS.txt | 31 +++---
 .../firstboot/scripts/01_setupnetworking.sh | 47 ++++++---
 .../c3d/firstboot/scripts/10_setupds.sh | 47 +++++++--
 .../c3d/firstboot/scripts/11_createusers.sh | 98 +++++++++++++------
 sources/fds.in/c3d/owner.txt | 3 +-
 .../fds.in/c3d/postinstall/data/template.inf | 4 +-
 .../usr/local/bin/getletsencrypt.sh | 15 +++
 .../usr/local/bin/replacedirsrvcerts.sh | 29 ++++++
 sources/fds.in/c3d/postinstall/scp/copy.list | 2 +-
 sources/fds.in/c3d/postinstall/ssh/run.list | 2 +-
 sources/fds.in/config | 2 +-
 sources/fds.in/envvars | 2 +-
 12 files changed, 210 insertions(+), 72 deletions(-)
 create mode 100755 sources/fds.in/c3d/postinstall/install-data/usr/local/bin/getletsencrypt.sh
 create mode 100755 sources/fds.in/c3d/postinstall/install-data/usr/local/bin/replacedirsrvcerts.sh

diff --git a/sources/fds.in/c3d/firstboot/data/USERS.txt b/sources/fds.in/c3d/firstboot/data/USERS.txt
index f898685..170f0e3 100644
--- a/sources/fds.in/c3d/firstboot/data/USERS.txt
+++ b/sources/fds.in/c3d/firstboot/data/USERS.txt
@@ -1,15 +1,16 @@
-akosztolanyi, Árpád, Kosztolányi, arpad.kosztolanyi@userrendszerhaz.hu, +36 20 583 7539
-csgulyas, Csaba, Gulyás, csaba.gulyas@userrendszerhaz.hu, +36 30 374 4065
-cslevai, Csilla, Lévai, csilla.levai@userrendszerhaz.hu, +36 30 280 8517
-dhorvath, Dénes, Horváth, denes.horvath@userrendszerhaz.hu, +36 30 971 8563
-dvasary, Dániel, Vásáry, daniel.vasary@userrendszerhaz.hu, +36 30 515 9417
-fritter, Ferenc, Ritter, ferenc.ritter@userrendszerhaz.hu, +36 20 937 8022
-fschnell, Ferenc, Schnellbach, ferenc.schnellbach@userrendszerhaz.hu, +36 30 950 2529
-khorvath, Kálmán, Horváth, kalman.horvath@userrendszerhaz.hu, +36 20 444 8693
-kkancz, Krisztián, Káncz, krisztian.kancz@userrendszerhaz.hu, +36 70 666 2663
-kvajda, Krisztina, Vajda, krisztina.vajda@userrendszerhaz.hu, +36 20 313 0028
-mszabo, Marcell, Szabó, marcell.szabo@userrendszerhaz.hu, +36 70 458 1234
-osweidan, Omár, Sweidan, omar.sweidan@userrendszerhaz.hu, +36 70 382 4621
-rrendek, Róbert, Rendek, robert.rendek@userrendszerhaz.hu, +36 30 977 5888
-tlevai, Tibor, Lévai, tibor.levai@userrendszerhaz.hu, +36 30 297 6481
-zfelleg, Zoltán, Felleg, zoltan.felleg@userrendszerhaz.hu, +36 20 954 1513
+5000, dsadmin, , , ,
+10000, akosztolanyi, Árpád, Kosztolányi, arpad.kosztolanyi@userrendszerhaz.hu, +36 20 583 7539
+10000, csgulyas, Csaba, Gulyás, csaba.gulyas@userrendszerhaz.hu, +36 30 374 4065
+10000, cslevai, Csilla, Lévai, csilla.levai@userrendszerhaz.hu, +36 30 280 8517
+10000, dhorvath, Dénes, Horváth, denes.horvath@userrendszerhaz.hu, +36 30 971 8563
+10000, dvasary, Dániel, Vásáry, daniel.vasary@userrendszerhaz.hu, +36 30 515 9417
+10000, fritter, Ferenc, Ritter, ferenc.ritter@userrendszerhaz.hu, +36 20 937 8022
+10000, fschnell, Ferenc, Schnellbach, ferenc.schnellbach@userrendszerhaz.hu, +36 30 950 2529
+10000, khorvath, Kálmán, Horváth, kalman.horvath@userrendszerhaz.hu, +36 20 444 8693
+10000, kkancz, Krisztián, Káncz, krisztian.kancz@userrendszerhaz.hu, +36 70 666 2663
+10000, kvajda, 
Krisztina, Vajda, krisztina.vajda@userrendszerhaz.hu, +36 20 313 0028
+10000, mszabo, Marcell, Szabó, marcell.szabo@userrendszerhaz.hu, +36 70 458 1234
+10000, osweidan, Omár, Sweidan, omar.sweidan@userrendszerhaz.hu, +36 70 382 4621
+10000, rrendek, Róbert, Rendek, robert.rendek@userrendszerhaz.hu, +36 30 977 5888
+10000, tlevai, Tibor, Lévai, tibor.levai@userrendszerhaz.hu, +36 30 297 6481
+10000, zfelleg, Zoltán, Felleg, zoltan.felleg@userrendszerhaz.hu, +36 20 954 1513
diff --git a/sources/fds.in/c3d/firstboot/scripts/01_setupnetworking.sh b/sources/fds.in/c3d/firstboot/scripts/01_setupnetworking.sh
index 2090570..aae217a 100755
--- a/sources/fds.in/c3d/firstboot/scripts/01_setupnetworking.sh
+++ b/sources/fds.in/c3d/firstboot/scripts/01_setupnetworking.sh
@@ -4,16 +4,47 @@
 sleep 1
 systemctl --quiet is-active NetworkManager.service
 NM_RC=$?
-WAITED=0
+CYCLES_WAITED=0
 while [ $NM_RC -ne 0 ]
 do
+ if [ $CYCLES_WAITED -ge 10 ]
+ then
+ exit 1
+ fi
+ if [ $CYCLES_WAITED -eq 0 ]
+ then
+ echo -n "Waiting for NetworkManager"
+ fi
 echo -n .
 sleep 1
- WAITED=1
+ CYCLES_WAITED=$(( $CYCLES_WAITED + 1 ))
 systemctl --quiet is-active NetworkManager.service
 NM_RC=$?
 done
-[ $WAITED -eq 1 ] && echo
+[ $CYCLES_WAITED -gt 0 ] && echo
+
+# wait for one/the network connection to come up
+CONNECTION_DEVICES_UP=$(nmcli --terse connection show \
+ | grep --invert-match ':$' | wc -l)
+CYCLES_WAITED=0
+while [ $CONNECTION_DEVICES_UP -lt 1 ]
+do
+ if [ $CYCLES_WAITED -ge 10 ]
+ then
+ nmcli connection show
+ exit 1
+ fi
+ if [ $CYCLES_WAITED -eq 0 ]
+ then
+ echo -n "Waiting for the network connection"
+ fi
+ echo -n .
+ sleep 1
+ CYCLES_WAITED=$(( $CYCLES_WAITED + 1 ))
+ CONNECTION_DEVICES_UP=$(nmcli --terse connection show \
+ | grep --invert-match ':$' | wc -l)
+done
+[ $CYCLES_WAITED -gt 0 ] && echo
 
 CONNECTIONS=$(nmcli --terse connection show | wc -l)
 if [ $CONNECTIONS -ne 1 ]
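Review bot: The NetworkManager wait loop gives up with a bare `exit 1` after ten cycles, so a timeout at first boot leaves no trace of why the script stopped, whereas the connection loop further down at least dumps `nmcli connection show` first; print the reason, `echo "NetworkManager.service did not become active" >&2`, before exiting. The progress output relies on `echo -n`, which is not portable under `/bin/sh` (the shebang is outside the hunk); `printf '%s' "Waiting for NetworkManager"` and `printf .` behave the same everywhere. The two loops are the same poll/timeout/progress scaffold around a different probe; a `wait_for "label" probe_command` helper would halve the hunk and keep both timeouts in one place.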
@@ -22,16 +53,6 @@ then
 exit 1
 fi
 
-nmcli --terse connection show | grep ':$' >/dev/null
-ALL_CONNECTION_DEVICES_KNOWN=$?
-while [ $ALL_CONNECTION_DEVICES_KNOWN -eq 0 ]
-do
- echo "Not all connection devices are known yet" >&2
- sleep 1
- nmcli --terse connection show | grep ':$' >/dev/null
- ALL_CONNECTION_DEVICES_KNOWN=$?
-done
-
 CONNECTION_LINE=$(nmcli --terse connection show)
 CONNECTION_UUID=$(echo $CONNECTION_LINE | cut -f 2 -d ':')
 CONNECTION_DEVICE=$(echo $CONNECTION_LINE | cut -f 4 -d ':')
diff --git a/sources/fds.in/c3d/firstboot/scripts/10_setupds.sh b/sources/fds.in/c3d/firstboot/scripts/10_setupds.sh
index 89726c8..b8cd139 100755
--- a/sources/fds.in/c3d/firstboot/scripts/10_setupds.sh
+++ b/sources/fds.in/c3d/firstboot/scripts/10_setupds.sh
@@ -5,29 +5,60 @@
 REAL_PATH=$(realpath $(dirname $0))
 DATA_PATH=$(realpath $REAL_PATH/../data)
 
+INSTANCE_NAME=user
+
+
+/usr/local/bin/getletsencrypt.sh
+
+
 /usr/local/bin/restorefds.sh
 if [ $? -eq 0 ]
 then
 exit 0
 fi
 
-if [ ! -f $DATA_PATH/user.inf ]
+if [ ! -f $DATA_PATH/${INSTANCE_NAME}.inf ]
 then
- dscreate create-template $DATA_PATH/user.inf
- vi $DATA_PATH/user.inf
+ dscreate create-template $DATA_PATH/${INSTANCE_NAME}.inf
+ vi $DATA_PATH/${INSTANCE_NAME}.inf
 fi
 
-dscreate from-file $DATA_PATH/user.inf
-dsconf user plugin memberof enable
-dsconf user pwpolicy set \
+dscreate from-file $DATA_PATH/${INSTANCE_NAME}.inf
+dsconf $INSTANCE_NAME config replace nsslapd-auditlog-logging-enabled=on
+dsconf $INSTANCE_NAME config replace nsslapd-auditfaillog-logging-enabled=on
+dsconf $INSTANCE_NAME plugin memberof enable
+dsconf $INSTANCE_NAME pwpolicy set \
 --pwdmustchange on \
+ --pwdtrack on \
+ --pwdexpire on \
+ --pwdmaxage 8640000 \
+ --pwdgracelimit 5 \
 --pwdlockout on \
 --pwdchecksyntax on \
- --pwdminlen 10 \
+ --pwdminlen 14 \
 --pwdmindigits 1 \
+ --pwdminalphas 1 \
 --pwdminuppers 1 \
 --pwdminlowers 1 \
 --pwdminspecials 1 \
- --pwdmaxrepeats 2 \
+ --pwdmaxrepeats 3 \
+ --pwdpalindrome on \
 --pwdmincatagories 4 \
 --pwddictcheck on
+
+LDIF_FILE=$(mktemp)
+echo 'dn: ou=people,dc=user,dc=hu' >$LDIF_FILE
+echo 'changetype: modify' >>$LDIF_FILE
+echo 'add: aci' >>$LDIF_FILE
+echo 'aci: (targetattr="pwdUpdateTime")(version 3.0; acl "Enable anyone read pwdUpda' >>$LDIF_FILE
+echo ' teTime"; allow(read)(userdn="ldap:///anyone");)' >>$LDIF_FILE
+
+ldapmodify -D "cn=Directory Manager" \
+ -w Passw@rd01 \
+ -f $LDIF_FILE
+
+rm --force $LDIF_FILE
+
+/usr/local/bin/replacedirsrvcerts.sh
+
+dsctl $INSTANCE_NAME restart
diff --git a/sources/fds.in/c3d/firstboot/scripts/11_createusers.sh b/sources/fds.in/c3d/firstboot/scripts/11_createusers.sh
index 5ab61b8..8fb9434 100755
--- a/sources/fds.in/c3d/firstboot/scripts/11_createusers.sh
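Review bot: The added `ldapmodify -D "cn=Directory Manager" -w …` passes the Directory Manager password as a command-line argument, where it is readable by every local user through `ps` and ends up in any shell trace or accounting output; the same literal recurs in the admin-permission loop of 11_createusers.sh. Keep it in a root-only file and bind with `ldapmodify -D "cn=Directory Manager" -y "$DM_PASSWORD_FILE" -f $LDIF_FILE`, or use `-W` when the script is run interactively (the `vi` step above suggests it sometimes is). None of the `dscreate`, `dsconf` and `ldapmodify` calls check their exit status and the script does not set `-e`, so a failed ACI modification still proceeds to `replacedirsrvcerts.sh` and the restart; `ldapmodify … || exit 1` would stop the chain. The new ACI lets `ldap:///anyone`, i.e. unauthenticated binds, read every user's `pwdUpdateTime`; if an anonymous reader genuinely needs it, a comment naming it would help, otherwise `userdn="ldap:///all"` limits the read to authenticated users.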
+++ b/sources/fds.in/c3d/firstboot/scripts/11_createusers.sh
@@ -5,7 +5,10 @@ exit 0
 REAL_PATH=$(realpath $(dirname $0))
 DATA_PATH=$(realpath $REAL_PATH/../data)
 
+FDS_ADMIN_UID=dsadmin
+FDS_BASEDN="dc=user,dc=hu"
 FDS_INPUT_FILE=$DATA_PATH/FDS_INPUT.txt
+INSTANCE_NAME=user
 UIDS_FILE=$DATA_PATH/UIDS.txt
 USERS_FILE=$DATA_PATH/USERS.txt
 
@@ -15,19 +18,20 @@ USERS_FILE=$DATA_PATH/USERS.txt
 cat $USERS_FILE | while read LINE
 do
 COMPACT_LINE=$(echo $LINE | sed 's/, /,/g')
- LOGIN_NAME=$(echo $COMPACT_LINE | cut -f 1 -d ',')
+ UID_SHIFT=$(echo $COMPACT_LINE | cut -f 1 -d ',')
+ LOGIN_NAME=$(echo $COMPACT_LINE | cut -f 2 -d ',')
 LOGIN_MD5SUM=$(echo $LOGIN_NAME | md5sum | awk '{print $1}')
 UID_POSITION=30
 UID_IS_UNIQUE=0
 while [ $UID_IS_UNIQUE -eq 0 ]
 do
 LOGIN_UID=$(echo $LOGIN_MD5SUM | cut -c ${UID_POSITION}- | cut -c 1-3)
- grep $LOGIN_UID $UIDS_FILE >/dev/null 2>&1
+ INT_UID=$(python -c "print($UID_SHIFT + int('$LOGIN_UID', 16))")
+ grep $INT_UID $UIDS_FILE >/dev/null 2>&1
 if [ $? -eq 1 ]
 then
- INT_UID=$(python -c "print(10000 + int('$LOGIN_UID', 16))")
- echo $LOGIN_UID >>$UIDS_FILE
- echo "${INT_UID},$COMPACT_LINE" >>$FDS_INPUT_FILE
+ echo $INT_UID >>$UIDS_FILE
+ echo $COMPACT_LINE | sed "s/^$UID_SHIFT/$INT_UID/" >>$FDS_INPUT_FILE
 UID_IS_UNIQUE=1
 else
 UID_POSITION=$(( $UID_POSITION - 1 ))
@@ -50,14 +54,14 @@ do
 EMAIL_ADDRESS=$(echo $INPUT_LINE | cut -f 5 -d ',')
 MOBILE_NUMBER=$(echo $INPUT_LINE | cut -f 6 -d ',')
 
- dsidm -b dc=user,dc=hu \
- user \
+ dsidm -b $FDS_BASEDN \
+ $INSTANCE_NAME \
 group \
 create \
 --cn $LOGIN_NAME
 
 LDIF_FILE=$(mktemp)
- echo "dn: cn=${LOGIN_NAME},ou=groups,dc=user,dc=hu" >$LDIF_FILE
+ echo "dn: cn=${LOGIN_NAME},ou=groups,$FDS_BASEDN" >$LDIF_FILE
 echo "changetype: modify" >>$LDIF_FILE
 echo "add: objectClass" >>$LDIF_FILE
 echo "objectClass: posixGroup" >>$LDIF_FILE
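Review bot: `INT_UID=$(python -c "print($UID_SHIFT + int('$LOGIN_UID', 16))")` splices the first column of USERS.txt straight into Python source, so a mistyped or hand-edited row is executed instead of rejected; validate the field first, `case $UID_SHIFT in ''|*[!0-9]*) echo "bad uid shift: $LINE" >&2; continue ;; esac`, after which Python is unnecessary because POSIX arithmetic accepts hexadecimal constants: `INT_UID=$(( UID_SHIFT + 0x$LOGIN_UID ))`. The uniqueness probe `grep $INT_UID $UIDS_FILE >/dev/null 2>&1` followed by `if [ $? -eq 1 ]` is a substring match, and when UIDS.txt does not exist yet grep returns 2, which the test also treats as "taken", so `UID_POSITION` counts down past the start of the hash; `if ! grep -qx -- "$INT_UID" "$UIDS_FILE" 2>/dev/null` fixes both. The hunk header shows an `exit 0` near the top of the file, so presumably none of this runs at first boot any more; a comment stating why the script is disabled would save the next reader from rediscovering that.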
@@ -71,26 +75,46 @@ do
 
 rm --force $LDIF_FILE
 
- dsidm -b dc=user,dc=hu \
- user \
- user \
- create \
- --uid $LOGIN_NAME \
- --cn $LOGIN_NAME \
- --displayName "$FIRSTNAME $LASTNAME" \
- --uidNumber $LOGIN_UID \
- --gidNumber $LOGIN_UID \
- --homeDirectory /home/$LOGIN_NAME
+ if [ \( -n "$FIRSTNAME" \) -a \( -n "$LASTNAME" \) ]
+ then
+ dsidm -b $FDS_BASEDN \
+ $INSTANCE_NAME \
+ user \
+ create \
+ --uid $LOGIN_NAME \
+ --cn $LOGIN_NAME \
+ --displayName "$FIRSTNAME $LASTNAME" \
+ --uidNumber $LOGIN_UID \
+ --gidNumber $LOGIN_UID \
+ --homeDirectory /home/$LOGIN_NAME
+ else
+ dsidm -b $FDS_BASEDN \
+ $INSTANCE_NAME \
+ user \
+ create \
+ --uid $LOGIN_NAME \
+ --cn $LOGIN_NAME \
+ --displayName $LOGIN_NAME \
+ --uidNumber $LOGIN_UID \
+ --gidNumber $LOGIN_UID \
+ --homeDirectory /home/$LOGIN_NAME
+ fi
 
 LDIF_FILE=$(mktemp)
- echo "dn: uid=${LOGIN_NAME},ou=people,dc=user,dc=hu" >$LDIF_FILE
+ echo "dn: uid=${LOGIN_NAME},ou=people,$FDS_BASEDN" >$LDIF_FILE
 echo "changetype: modify" >>$LDIF_FILE
- echo "add: mail" >>$LDIF_FILE
- echo "mail: $EMAIL_ADDRESS" >>$LDIF_FILE
- echo "-" >>$LDIF_FILE
- echo "add: mobile" >>$LDIF_FILE
- echo "mobile: $MOBILE_NUMBER" >>$LDIF_FILE
- echo "-" >>$LDIF_FILE
+ if [ -n "$EMAIL_ADDRESS" ]
+ then
+ echo "add: mail" >>$LDIF_FILE
+ echo "mail: $EMAIL_ADDRESS" >>$LDIF_FILE
+ echo "-" >>$LDIF_FILE
+ fi
+ if [ -n "$MOBILE_NUMBER" ]
+ then
+ echo "add: mobile" >>$LDIF_FILE
+ echo "mobile: $MOBILE_NUMBER" >>$LDIF_FILE
+ echo "-" >>$LDIF_FILE
+ fi
 echo "add: userPassword" >>$LDIF_FILE
 echo "userPassword: pwd" >>$LDIF_FILE
 
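Review bot: The two `dsidm … user create` branches differ only in `--displayName`, so ten lines are duplicated and any later option has to be added twice; derive the value once and make a single call: `DISPLAY_NAME=$LOGIN_NAME`, `[ -n "$FIRSTNAME" ] && [ -n "$LASTNAME" ] && DISPLAY_NAME="$FIRSTNAME $LASTNAME"`, then `--displayName "$DISPLAY_NAME"`. The condition `[ \( -n "$FIRSTNAME" \) -a \( -n "$LASTNAME" \) ]` uses the obsolescent `-a`; the `&&`-joined form above is the portable one. The `userPassword: pwd` context line at the end of the hunk shows every account, the `dsadmin` entry from USERS.txt included, starting with the same three-character password, well below the 14-character minimum set in 10_setupds.sh (the write presumably bypasses syntax checking because it is made as Directory Manager); `--pwdmustchange on` forces a rotation at first bind, but until then the value is common knowledge, so a per-user random initial value delivered out of band would be the safer default.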
@@ -100,10 +124,28 @@ do
 
 rm --force $LDIF_FILE
 
- dsidm -b dc=user,dc=hu \
- user \
+ dsidm -b $FDS_BASEDN \
+ $INSTANCE_NAME \
 group \
 add_member \
 $LOGIN_NAME \
- uid=${LOGIN_NAME},ou=people,dc=user,dc=hu
+ uid=${LOGIN_NAME},ou=people,$FDS_BASEDN
+
+ if [ "$LOGIN_NAME" = "$FDS_ADMIN_UID" ]
+ then
+ for PERMISSION in group_admin group_modify user_admin user_modify user_passwd_reset user_private_read
+ do
+ LDIF_FILE=$(mktemp)
+ echo "dn: cn=${PERMISSION},ou=permissions,$FDS_BASEDN" >$LDIF_FILE
+ echo "changetype: modify" >>$LDIF_FILE
+ echo "add: member" >>$LDIF_FILE
+ echo "member: uid=${LOGIN_NAME},ou=people,$FDS_BASEDN" >>$LDIF_FILE
+
+ ldapmodify -D "cn=Directory Manager" \
+ -w Passw@rd01 \
+ -f $LDIF_FILE
+
+ rm --force $LDIF_FILE
+ done
+ fi
 done
diff --git a/sources/fds.in/c3d/owner.txt b/sources/fds.in/c3d/owner.txt
index aac9818..ea1bd74 100644
--- a/sources/fds.in/c3d/owner.txt
+++ b/sources/fds.in/c3d/owner.txt
@@ -1,3 +1,2 @@
 # owner file (relative to /c3d)
-# shell globbing does not work
-root.ssh_keys postinstall/install-data/etc/ssh/ssh_host_ed25519_key
+root.ssh_keys postinstall/install-data/etc/ssh/ssh_host_*_key
diff --git a/sources/fds.in/c3d/postinstall/data/template.inf b/sources/fds.in/c3d/postinstall/data/template.inf
index a6ef224..06fe863 100644
--- a/sources/fds.in/c3d/postinstall/data/template.inf
+++ b/sources/fds.in/c3d/postinstall/data/template.inf
@@ -21,8 +21,8 @@
 
 # full_machine_name (str)
 # Description: Sets the fully qualified hostname (FQDN) of this system. When installing this instance with GSSAPI authentication behind a load balancer, set this parameter to the FQDN of the load balancer and, additionally, set "strict_host_checking" to "false".
-# Default value: fds.in.useribm.hu
-;full_machine_name = fds.in.useribm.hu
+# Default value: fds.useribm.hu
+;full_machine_name = fds.useribm.hu
 
 # start (bool)
 # Description: Starts the instance after the install completes. If false, the instance is created but started.
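Review bot: The six `ldapmodify` calls in the new `FDS_ADMIN_UID` branch ignore their exit status, so if one membership add fails the `dsadmin` account silently ends up with a subset of the intended rights, a partial state that is hard to notice later; `ldapmodify … -f $LDIF_FILE || exit 1` (or at least a message to stderr) is the minimum. The loop also creates and removes a temp file per permission; writing the six `changetype: modify` entries, separated by blank lines, into one LDIF and running `ldapmodify` once gives a single bind and a single status to check. The `done` closing the outer `while` loop is the last line of the hunk; the loop itself starts outside it.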
diff --git a/sources/fds.in/c3d/postinstall/install-data/usr/local/bin/getletsencrypt.sh b/sources/fds.in/c3d/postinstall/install-data/usr/local/bin/getletsencrypt.sh
new file mode 100755
index 0000000..2b9a3bb
--- /dev/null
+++ b/sources/fds.in/c3d/postinstall/install-data/usr/local/bin/getletsencrypt.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+
+if [ -d /etc/letsencrypt ]
+then
+ rm --force --recursive /etc/letsencrypt.old
+ cp --archive /etc/letsencrypt /etc/letsencrypt.old
+fi
+
+/usr/bin/rsync \
+ --archive \
+ --delete-after \
+ --info=STATS \
+ pki.in.useribm.hu::letsencrypt \
+ /etc/letsencrypt
diff --git a/sources/fds.in/c3d/postinstall/install-data/usr/local/bin/replacedirsrvcerts.sh b/sources/fds.in/c3d/postinstall/install-data/usr/local/bin/replacedirsrvcerts.sh
new file mode 100755
index 0000000..b4d9755
--- /dev/null
+++ b/sources/fds.in/c3d/postinstall/install-data/usr/local/bin/replacedirsrvcerts.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+
+INSTANCE_NAME=user
+
+
+if [ -d /etc/letsencrypt ]
+then
+ LETSENCRYPT_BASE=/etc/letsencrypt
+ CERT_PATH=$LETSENCRYPT_BASE/archive/useribm
+
+ dsconf $INSTANCE_NAME security ca-certificate list \
+ | grep '^Certificate Name:' | cut -f 2- -d ':' \
+ | while read CA_NAME
+ do
+ dsconf $INSTANCE_NAME security ca-certificate del "$CA_NAME"
+ done
+
+ dsconf $INSTANCE_NAME security ca-certificate add \
+ --file $CERT_PATH/chain1.pem \
+ --name "Let's Encrypt Certificate Authority"
+ dsconf $INSTANCE_NAME security ca-certificate set-trust-flags \
+ "Let's Encrypt Certificate Authority" \
+ --flags "CT,,"
+ dsctl $INSTANCE_NAME tls import-server-key-cert \
+ $CERT_PATH/cert1.pem \
+ $CERT_PATH/privkey1.pem
+
+fi
diff --git a/sources/fds.in/c3d/postinstall/scp/copy.list b/sources/fds.in/c3d/postinstall/scp/copy.list
index 20d78ba..3a9fc90 100644
--- a/sources/fds.in/c3d/postinstall/scp/copy.list
+++ b/sources/fds.in/c3d/postinstall/scp/copy.list
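Review bot: `pki.in.useribm.hu::letsencrypt` is the rsync daemon transport, which moves the whole tree — the `privkey1.pem` that replacedirsrvcerts.sh later imports included — over the network in cleartext and does not authenticate the server, and this script is now run unattended from 10_setupds.sh at first boot. Pull over SSH with a dedicated key instead, `/usr/bin/rsync --archive --delete-after --info=STATS -e ssh sync@pki.in.useribm.hu:/path/to/letsencrypt/ /etc/letsencrypt` (user and remote path are placeholders), or at least restrict the daemon module with `hosts allow` and `auth users` on the PKI host. The `rsync` exit status is not checked, so a failed or partial transfer still lets 10_setupds.sh continue into the certificate import; `|| exit 1` after the command would stop it.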
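Review bot: `CERT_PATH=$LETSENCRYPT_BASE/archive/useribm` together with `cert1.pem`, `chain1.pem` and `privkey1.pem` pins the first issuance; in the standard certbot layout each renewal writes `cert2.pem`, `cert3.pem`, … into `archive/` and only the `live/useribm/{cert,chain,privkey}.pem` symlinks follow the current one, so after the first renewal this script keeps importing the old and eventually expired certificate. Use `CERT_PATH=$LETSENCRYPT_BASE/live/useribm` and drop the `1` suffixes. The `while read CA_NAME` loop deletes every CA certificate in the instance before adding the Let's Encrypt chain; if another CA is ever added, for example for client-certificate authentication, it disappears silently on the next run, so filtering the list to the name being replaced (`grep -F "Let's Encrypt Certificate Authority"`) is the safer scope. Exit statuses of `dsconf` and `dsctl` are not checked, and a failed `tls import-server-key-cert` leaves the instance on its previous key pair while the caller restarts it regardless.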
@@ -1,2 +1,2 @@
 # source_host source_path
-fds.in.useribm.hu /tmp/fds.tar
+fds.useribm.hu /tmp/fds.tar
diff --git a/sources/fds.in/c3d/postinstall/ssh/run.list b/sources/fds.in/c3d/postinstall/ssh/run.list
index adb1dab..cb83df1 100644
--- a/sources/fds.in/c3d/postinstall/ssh/run.list
+++ b/sources/fds.in/c3d/postinstall/ssh/run.list
@@ -1,2 +1,2 @@
 # target_host target_user target_executable
-fds.in.useribm.hu root /usr/local/bin/backupfds.sh
+fds.useribm.hu root /usr/local/bin/backupfds.sh
diff --git a/sources/fds.in/config b/sources/fds.in/config
index 12ac34b..c020290 100644
--- a/sources/fds.in/config
+++ b/sources/fds.in/config
@@ -1,7 +1,7 @@ lxc.include = /usr/share/lxc/config/common.conf lxc.arch = x86_64 -lxc.uts.name = fds.in.useribm.hu +lxc.uts.name = fds.useribm.hu lxc.rootfs.path = __CONTAINER_PATH__/rootfs lxc.mount.auto = proc:rw sys:ro
diff --git a/sources/fds.in/envvars b/sources/fds.in/envvars
index 979f882..3107097 100644
--- a/sources/fds.in/envvars
+++ b/sources/fds.in/envvars
@@ -1,3 +1,3 @@
 DISTRIBUTION=Fedora
 DISTRIBUTION_VERSION=35
-SPEC_PACKAGES="389-ds-base cockpit cockpit-389-ds openssh-clients openssh-server"
+SPEC_PACKAGES="389-ds-base cockpit cockpit-389-ds openssh-clients openssh-server rsync"
-- 
2.54.0