This script automates the installation and configuration of OpenLDAP on a Debian server. It creates the base structure for users and groups, sets up hashed passwords, and installs LDAP Account Manager (LAM) for easier management through a web interface.
📦 Features
Full installation of OpenLDAP.
Automatic creation of organizational units (Users, Groups).
Automatic addition of users and groups to the LDAP directory.
Configuration of LDAP Account Manager (LAM) for management through a web interface.
Automatic configuration of /etc/ldap/ldap.conf with the correct BASE and URI settings.
Automatic reset of the OpenLDAP administrator password after installation to work around known issues.
🚀 Quick run command
To run this script unattended on your Debian server, use the following command. It installs curl if needed, then downloads and runs the script in a single step:
#!/bin/bash
############################################################################################################
# Script Name : cpnv_lin1_ldap_setup.sh
# Author : Rui Monteiro (rui.monteiro@eduvaud.ch)
# Created : 2024-09-27
# Last Updated : 2024-11-08
#
# Version : 1.4
#
# Description : This script automates the installation and configuration of OpenLDAP on a Debian server.
# It also configures LDAP with a base structure for users and groups, sets up encrypted
# passwords, and installs LDAP Account Manager for easier LDAP management through a web
# interface. Additionally, it updates /etc/ldap/ldap.conf with the correct BASE and URI,
# and resets the OpenLDAP admin password after installation to address known issues.
#
# Features : - Full installation and configuration of OpenLDAP.
# - Automatic creation of organizational units (Users, Groups).
# - Predefined users and groups added to the LDAP directory.
# - LDAP Account Manager (LAM) setup for web-based LDAP management.
# - Automatic configuration of /etc/ldap/ldap.conf with the correct BASE and URI.
# - Resets the OpenLDAP admin password after installation to address known issues.
#
# Usage : Run the script with sudo privileges:
# sudo bash -c "$(curl -fsSL https://gitlab.com/Ruimmp/cpnv-es/-/raw/LIN1/2.%20Configuration%20compl%C3%A8te%20du%20NAS%20et%20LDAP/cpnv_lin1_ldap_setup.sh)"
# The script is fully automated and does not require manual intervention once executed.
# The output will provide details about the LDAP domain and credentials upon completion.
#
# System Tested : Debian 12.6.4
#
# Prerequisites : - Debian 12.6.4 or a compatible Debian-based distribution.
# - Sudo privileges for package installation and system configuration.
# - Internet connection to download necessary packages.
# - Ensure that ports 389 (LDAP) and 80 (HTTP) are open for proper communication.
#
# Dependencies : This script requires the following packages:
# - slapd (OpenLDAP server).
# - ldap-utils (LDAP utilities for management).
# - apache2 (Web server for LDAP Account Manager).
# - php (Required for LDAP Account Manager).
# - ldap-account-manager (LDAP management interface).
#
# Return Values : On successful completion, the script returns:
# - LDAP Domain details.
# - LDAP Admin credentials.
# - Confirmation of successful LDAP and LDAP Account Manager setup.
# - Confirmation of OpenLDAP admin password reset.
#
# Notes : - The script uses "debconf-set-selections" to configure slapd non-interactively.
# - The admin password for LDAP is automatically reset after installation due to a known bug.
# - Be cautious when setting the LDAP admin password, as it is stored in plaintext within
# the script. For better security, consider using environment variables or a secrets manager.
############################################################################################################
# LDAP configuration variables
LDAP_DOMAIN="lin1.local"
LDAP_ORGANIZATION="LIN1-LABO"
# LDAP credentials
LDAP_ADMIN_PASSWORD="Pa\$\$w0rd"
# LDAP base configuration
LDAP_BASE_DN="dc=lin1,dc=local"
LDAP_USERS_DN="ou=Users,dc=lin1,dc=local"
LDAP_GROUPS_DN="ou=Groups,dc=lin1,dc=local"
# Server names
SRV1_HOSTNAME="SRV-LIN1-01"
SRV2_HOSTNAME="SRV-LIN1-02"
NAS1_HOSTNAME="NAS-LIN1-01"
# Function to update the system
update_system() {
echo "Updating system packages..."
apt-get update && apt-get upgrade -y
}
# Make the slappasswd utility available. There is no package named "slappasswd":
# the tool ships in the slapd package, so install that non-interactively here.
install_slappasswd() {
echo "Installing slapd (provides the slappasswd utility)..."
DEBIAN_FRONTEND=noninteractive apt-get install -y slapd
}
# Function to configure debconf settings for LDAP
configure_ldap_debconf() {
echo "Configuring LDAP debconf settings..."
# Group debconf entries into a single command
debconf-set-selections <<EOF
slapd slapd/password1 password $LDAP_ADMIN_PASSWORD
slapd slapd/password2 password $LDAP_ADMIN_PASSWORD
slapd slapd/domain string $LDAP_DOMAIN
slapd shared/organization string $LDAP_ORGANIZATION
slapd slapd/purge_database boolean true
slapd slapd/move_old_database boolean true
EOF
echo "LDAP debconf settings configured successfully."
}
# Function to install OpenLDAP and utilities
install_openldap() {
echo "Installing OpenLDAP and utilities..."
apt-get install slapd ldap-utils -y
DEBIAN_FRONTEND=noninteractive dpkg-reconfigure slapd
}
# Function to reset the OpenLDAP admin password
reset_ldap_admin_password() {
echo "Resetting OpenLDAP admin password..."
# Reset the OpenLDAP admin password through the ldapi socket (root binds as EXTERNAL);
# the hash is generated with slappasswd so the password is never stored in clear in cn=config
ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: $(slappasswd -s "$LDAP_ADMIN_PASSWORD")
EOF
if [[ $? -ne 0 ]]; then
echo "Error: Failed to reset OpenLDAP admin password."
return 1
fi
echo "OpenLDAP admin password reset successfully."
}
# Function to install Apache and LDAP Account Manager
install_lam() {
echo "Installing Apache, PHP, and LDAP Account Manager..."
apt-get install apache2 php php-ldap ldap-account-manager -y
# Create a symbolic link for LDAP Account Manager (-f -n so a re-run does not fail on an existing link)
ln -sfn /usr/share/ldap-account-manager /var/www/html/ldap-account-manager
chown -R www-data:www-data /usr/share/ldap-account-manager
chmod -R 755 /usr/share/ldap-account-manager
# Restart Apache
systemctl restart apache2
}
# Function to create the LDAP base structure (Users and Groups);
# LDIF entries must be separated by a blank line or ldapadd rejects the file
create_ldap_structure() {
echo "Creating LDAP base structure..."
cat <<EOF >/tmp/ldap_base.ldif
dn: $LDAP_USERS_DN
objectClass: organizationalUnit
ou: Users

dn: $LDAP_GROUPS_DN
objectClass: organizationalUnit
ou: Groups
EOF
ldapadd -x -D "cn=admin,$LDAP_BASE_DN" -w "$LDAP_ADMIN_PASSWORD" -f /tmp/ldap_base.ldif
}
# Function to add groups to LDAP. Each posixGroup needs an explicit cn attribute
# matching its RDN (slapd does not add it for you), and entries are blank-line separated.
create_ldap_groups() {
echo "Creating LDAP groups..."
cat <<EOF >/tmp/ldap_groups.ldif
dn: cn=Managers,$LDAP_GROUPS_DN
objectClass: posixGroup
objectClass: top
cn: Managers
gidNumber: 20000

dn: cn=Ingenieurs,$LDAP_GROUPS_DN
objectClass: posixGroup
objectClass: top
cn: Ingenieurs
gidNumber: 20010

dn: cn=Devloppeurs,$LDAP_GROUPS_DN
objectClass: posixGroup
objectClass: top
cn: Devloppeurs
gidNumber: 20020
EOF
ldapadd -x -D "cn=admin,$LDAP_BASE_DN" -w "$LDAP_ADMIN_PASSWORD" -f /tmp/ldap_groups.ldif
}
# Function to add users to LDAP. Entries are blank-line separated; every account gets
# a slappasswd-hashed userPassword (the shared admin password, as the script is designed).
create_ldap_users() {
echo "Creating LDAP users..."
cat <<EOF >/tmp/ldap_users.ldif
dn: uid=man01,$LDAP_USERS_DN
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
displayName: Man 01
givenName: Man
cn: Man 01
sn: 1
uid: man01
uidNumber: 10000
gidNumber: 20000
homeDirectory: /home/man01
loginShell: /bin/bash
mail: man01@$LDAP_DOMAIN
description: Manager 01 User
userPassword: $(slappasswd -s "$LDAP_ADMIN_PASSWORD")

dn: uid=man02,$LDAP_USERS_DN
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
displayName: Man 02
givenName: Man
cn: Man 02
sn: 2
uid: man02
uidNumber: 10001
gidNumber: 20000
homeDirectory: /home/man02
loginShell: /bin/bash
mail: man02@$LDAP_DOMAIN
description: Manager 02 User
userPassword: $(slappasswd -s "$LDAP_ADMIN_PASSWORD")

dn: uid=ing01,$LDAP_USERS_DN
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
displayName: Ing 01
givenName: Ing
cn: Ing 01
sn: 1
uid: ing01
uidNumber: 10010
gidNumber: 20010
homeDirectory: /home/ing01
loginShell: /bin/bash
mail: ing01@$LDAP_DOMAIN
description: Engineer 01 User
userPassword: $(slappasswd -s "$LDAP_ADMIN_PASSWORD")

dn: uid=ing02,$LDAP_USERS_DN
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
displayName: Ing 02
givenName: Ing
cn: Ing 02
sn: 2
uid: ing02
uidNumber: 10011
gidNumber: 20010
homeDirectory: /home/ing02
loginShell: /bin/bash
mail: ing02@$LDAP_DOMAIN
description: Engineer 02 User
userPassword: $(slappasswd -s "$LDAP_ADMIN_PASSWORD")

dn: uid=dev01,$LDAP_USERS_DN
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
displayName: Dev 01
givenName: Dev
cn: Dev 01
sn: 1
uid: dev01
uidNumber: 10020
gidNumber: 20020
homeDirectory: /home/dev01
loginShell: /bin/bash
mail: dev01@$LDAP_DOMAIN
description: Developer 01 User
userPassword: $(slappasswd -s "$LDAP_ADMIN_PASSWORD")
EOF
ldapadd -x -D "cn=admin,$LDAP_BASE_DN" -w "$LDAP_ADMIN_PASSWORD" -f /tmp/ldap_users.ldif
}
# Function to restart LDAP service
restart_ldap() {
echo "Restarting LDAP service..."
systemctl restart slapd
}
# Function to display final information
display_info() {
echo "#######################################"
echo "# LDAP Setup Summary #"
echo "#######################################"
# Check if LDAP service is active
echo ""
echo "LDAP Service Status:"
if systemctl is-active --quiet slapd; then
echo " slapd service is running (configured correctly)"
else
echo " Error: slapd service is not running"
fi
# Verify LDAP domain configuration (look for the configured base DN rather than a hard-coded one)
echo ""
echo "LDAP Domain Configuration:"
if ldapsearch -x -LLL -b "$LDAP_BASE_DN" -D "cn=admin,$LDAP_BASE_DN" -w "$LDAP_ADMIN_PASSWORD" | grep -q "$LDAP_BASE_DN"; then
echo " LDAP Domain: $LDAP_DOMAIN (configured correctly)"
else
echo " Error: LDAP domain not configured correctly"
fi
# Check if LDAP admin password was reset
echo ""
echo "LDAP Admin Password Reset:"
if ldapwhoami -x -D "cn=admin,$LDAP_BASE_DN" -w "$LDAP_ADMIN_PASSWORD" | grep -q "dn:cn=admin"; then
echo " LDAP admin password was reset and is working (configured correctly)"
else
echo " Error: LDAP admin password reset failed"
fi
# Check if LDAP groups were added correctly
echo ""
echo "LDAP Groups:"
for group in Managers Ingenieurs Devloppeurs; do
if ldapsearch -x -LLL -b "cn=$group,$LDAP_GROUPS_DN" -D "cn=admin,$LDAP_BASE_DN" -w "$LDAP_ADMIN_PASSWORD" | grep -q "cn=$group"; then
echo " Group '$group' is present (configured correctly)"
else
echo " Error: Group '$group' not found"
fi
done
# Check if LDAP users were added correctly
echo ""
echo "LDAP Users:"
for user in man01 man02 ing01 ing02 dev01; do
if ldapsearch -x -LLL -b "uid=$user,$LDAP_USERS_DN" -D "cn=admin,$LDAP_BASE_DN" -w "$LDAP_ADMIN_PASSWORD" | grep -q "uid=$user"; then
echo " User '$user' is present (configured correctly)"
else
echo " Error: User '$user' not found"
fi
done
echo ""
echo "###############################################"
echo "# LDAP setup completed with the results above #"
echo "###############################################"
}
# Main function to orchestrate the steps. The debconf answers are preseeded before
# slapd is first installed, so the package never prompts and the admin password is set
# from the start (the reset step remains as a safety net).
main() {
update_system
configure_ldap_debconf
install_slappasswd
install_openldap
reset_ldap_admin_password
install_lam
create_ldap_structure
create_ldap_groups
create_ldap_users
restart_ldap
display_info
}
# Execute the script
main
#######################################
# LDAP Setup Summary #
#######################################
LDAP Service Status:
slapd service is running (configured correctly)
LDAP Domain Configuration:
LDAP Domain: lin1.local (configured correctly)
LDAP Admin Password Reset:
LDAP admin password was reset and is working (configured correctly)
LDAP Groups:
Group 'Managers' is present (configured correctly)
Group 'Ingenieurs' is present (configured correctly)
Group 'Devloppeurs' is present (configured correctly)
LDAP Users:
User 'man01' is present (configured correctly)
User 'man02' is present (configured correctly)
User 'ing01' is present (configured correctly)
User 'ing02' is present (configured correctly)
User 'dev01' is present (configured correctly)
###############################################
# LDAP setup completed with the results above #
###############################################
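The script's header note warns that the admin password sits in plaintext in the script, and every ldapadd call above also passes it with -w, where it is visible in process listings and shell history. The following is an added example, not part of the original script, showing how to produce the same {SSHA} hash slappasswd emits by default, build a blank-line-separated user entry around it, and hand the bind password to ldapadd through a 0600 file with -y instead. It assumes a POSIX shell with openssl, base64 and mktemp available; slapd itself is not needed to run it.

```shell
#!/bin/sh
# Added example (not from the original script): {SSHA} hashing without slappasswd,
# a user LDIF entry builder, and a bind-password file for "ldapadd -y".
# Assumes openssl, base64 and mktemp are installed.
set -eu

# {SSHA} is base64( SHA1(password || salt) || salt ). The salt is 4 random printable
# bytes unless one is given explicitly (second argument, used by tests).
ssha_hash() {
  pw=$1
  salt=${2:-$(openssl rand -base64 3)}
  b64=$( { printf '%s%s' "$pw" "$salt" | openssl dgst -sha1 -binary; printf '%s' "$salt"; } \
         | base64 | tr -d '\n')
  printf '{SSHA}%s' "$b64"
}

# One posixAccount/inetOrgPerson entry with a trailing blank line, so several calls
# can be concatenated into one LDIF file (ldapadd needs a blank line between entries).
user_ldif() {
  uid=$1 uidn=$2 gidn=$3 hash=$4 users_dn=$5 domain=$6
  cat <<EOF
dn: uid=$uid,$users_dn
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: $uid
sn: $uid
uid: $uid
uidNumber: $uidn
gidNumber: $gidn
homeDirectory: /home/$uid
loginShell: /bin/bash
mail: $uid@$domain
userPassword: $hash

EOF
}

# Bind password comes from the environment (as the script's own header note suggests)
# and is written to a mode-0600 temp file for "ldapadd -y", so it is not exposed in
# "ps" output or shell history the way "-w PASSWORD" is. Prints the file path.
bind_pw_file() {
  f=$(mktemp)
  chmod 600 "$f"
  printf '%s' "${LDAP_ADMIN_PASSWORD:?export LDAP_ADMIN_PASSWORD first}" >"$f"
  printf '%s' "$f"
}
# Usage: ldapadd -x -D "cn=admin,dc=lin1,dc=local" -y "$(bind_pw_file)" -f users.ldif
```

Hashes produced by ssha_hash are accepted by slapd exactly like slappasswd output, and the -y file can be removed as soon as ldapadd returns.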