path: root/debian/generate-config
blob: 17ac9065a119d7f41997b3841f38ef68971771ec (plain)
#!/bin/sh

# Generate an sssd.conf setup dynamically, based on the autodetected LDAP
# and Kerberos servers of the local DNS domain.

# Abort on the first failing command.  Note that this does not cover the
# lookup pipelines inside $(...) below: a pipeline's status is that of its
# last command (awk/head/tr), so a missing or failing lookup tool simply
# yields an empty result rather than an error.
set -e

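# See if we can find an LDAP server.  Prefer ldap.domain, but also
# accept SRV records if no ldap.domain server is found.
#
# Arguments: $1 - DNS domain to probe
# Outputs:   an ldap:// URI on stdout, or nothing if no server was found
#
# Neither the ICMP probe nor the DNS answer authenticates the server; the
# generated sssd.conf relies on ldap_tls_reqcert = demand to verify it.
lookup_ldap_uri() {
    domain="$1"
    if ping -c2 "ldap.$domain" > /dev/null 2>&1; then
	echo "ldap://ldap.$domain"
    else
	# host(1) prints "... has SRV record <prio> <weight> <port> <target>."
	# when a record exists and "... has no SRV record" otherwise; only
	# the former carries a target in its last field, so match on it
	# instead of merely filtering NXDOMAIN.  The first record wins:
	# SRV priority/weight and the port are not honoured.
	host=$(host -N 2 -t SRV "_ldap._tcp.$domain" \
	    | awk '/has SRV record/ { print $NF }' | head -1)
	# Strip the trailing dot of the fully qualified target name.
	host=${host%.}
	if [ -n "$host" ] ; then
	    echo "ldap://$host"
	fi
    fi
}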

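# Determine the search base of an LDAP server.
#
# Arguments: $1 - LDAP URI as returned by lookup_ldap_uri
# Outputs:   the base DN on stdout (an empty line if none was found)
#
# All queries are anonymous simple binds (-x without -D) reading only the
# root DSE and at most one entry per context, so no credentials are needed.
lookup_ldap_base() {
    ldapuri="$1"
    # Strip the attribute name rather than printing $2 so that a DN
    # containing spaces survives intact.
    defaultcontext="$(ldapsearch -LLL -H "$ldapuri" -x -b '' -s base defaultNamingContext 2>/dev/null \
	| awk '/^defaultNamingContext: / { sub(/^defaultNamingContext: /, ""); print }')"
    if [ -z "$defaultcontext" ] ; then
	# If there are several contexts, pick the first one with
	# posixAccount or posixGroup objects in it.  The loop runs in a
	# pipeline subshell, so the winner is collected via $(...)
	# instead of being echoed from inside the loop.
	defaultcontext=$(ldapsearch -LLL -H "$ldapuri" -x -b '' \
	    -s base namingContexts 2>/dev/null \
	    | awk '/^namingContexts: / { sub(/^namingContexts: /, ""); print }' \
	    | while IFS= read -r context ; do
		# -z 1 caps the answer at one entry; a server enforcing its
		# own limit reports "Administrative limit exceeded" on
		# stderr instead, hence the 2>&1.  Either output means the
		# context holds matching objects.
		if ldapsearch -LLL -H "$ldapuri" -x -b "$context" -s sub -z 1 \
		    '(|(objectClass=posixAccount)(objectclass=posixGroup))' 2>&1 \
		    | grep -E -q '^dn:|^Administrative limit exceeded' ; then
		    printf '%s\n' "$context"
		    break
		fi
	    done)
    fi
    echo "$defaultcontext"
}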

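# See if we can find a Kerberos KDC.  Prefer kerberos.domain, but also
# accept SRV records if no kerberos.domain server is found.
#
# Arguments: $1 - DNS domain to probe
# Outputs:   the KDC host name on stdout, or nothing if none was found
lookup_kerberos_server() {
    domain="$1"
    if ping -c2 "kerberos.$domain" > /dev/null 2>&1; then
	echo "kerberos.$domain"
    else
	# Match the "has SRV record" line only: on "has no SRV record" the
	# last field would otherwise be taken as a host name.  The first
	# record wins; SRV priority/weight and the port are not honoured.
	host=$(host -t SRV "_kerberos._tcp.$domain" \
	    | awk '/has SRV record/ { print $NF }' | head -1)
	# Strip the trailing dot of the fully qualified target name.
	host=${host%.}
	if [ -n "$host" ] ; then
	    echo "$host"
	fi
    fi
}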

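# Determine the Kerberos realm for a domain.
#
# Arguments: $1 - DNS domain
# Outputs:   the realm name on stdout; falls back to the upper-cased domain
#
# The _kerberos TXT record is unauthenticated DNS data that ends up in the
# generated configuration, which is the reason MIT krb5 ships with
# dns_lookup_realm disabled; the emitted krb5_realm is worth a look
# before the file is installed.
lookup_kerberos_realm() {
    domain="$1"
    # host(1) prints '_kerberos.<domain> descriptive text "REALM"' for a
    # TXT record; any other line (e.g. "has no TXT record") is ignored
    # so that its last word is not mistaken for a realm.
    realm=$(host -t txt "_kerberos.$domain" \
	| awk '/descriptive text/ { print $NF }' | head -1 | tr -d '"')
    if [ -z "$realm" ] ; then
	# Kerberos convention: the realm is the upper-cased DNS domain.
	realm=$(printf '%s\n' "$domain" | tr a-z A-Z)
    fi
    echo "$realm"
}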


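# Write an sssd.conf for the given (or locally detected) DNS domain to
# stdout.
#
# Arguments: $1 - DNS domain (optional; defaults to `hostname -d`)
# Outputs:   the configuration on stdout; nothing at all when autodetection
#            fails, with a diagnostic on stderr
# Returns:   0 in every case, so callers have to check for empty output
#
# The servers come from unauthenticated DNS/ICMP answers; what makes the
# result safe to use is the ldap_tls_reqcert = demand / ldap_tls_cacert
# pair emitted below, which makes sssd verify the LDAP server certificate
# against the system CA bundle before trusting it.
generate_config() {
    if [ -n "$1" ] ; then
	domain=$1
    else
	domain="$(hostname -d)"
    fi
    if [ -z "$domain" ] ; then
	# Without a domain every lookup below would probe "ldap." etc.
	printf '%s: unable to determine the DNS domain; pass it as the first argument\n' "$0" >&2
	return
    fi
    kerberosrealm=$(lookup_kerberos_realm "$domain")
    ldapuri=$(lookup_ldap_uri "$domain")
    if [ -z "$ldapuri" ] ; then
	# autodetection failed
	printf '%s: no LDAP server found for %s, no configuration generated\n' "$0" "$domain" >&2
	return
    fi

    ldapbase="$(lookup_ldap_base "$ldapuri")"
    if [ -z "$ldapbase" ] ; then
	# autodetection failed
	printf '%s: no search base found on %s, no configuration generated\n' "$0" "$ldapuri" >&2
	return
    fi
    kerberosserver=$(lookup_kerberos_server "$domain")

    # Kerberos handles authentication and password changes only when a
    # KDC was found; identities always come from LDAP.
    if [ -n "$kerberosserver" ] ; then
	auth="krb5"
	chpass="krb5"
    else
	auth="ldap"
	chpass="ldap"
    fi

cat <<EOF
# SSSD configuration generated using $0
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = $domain

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3
EOF

cat <<EOF

[domain/$domain]
; Using enumerate = true leads to high load and slow response
enumerate = false
cache_credentials = true

id_provider = ldap
auth_provider = $auth
chpass_provider = $chpass

ldap_uri = $ldapuri
ldap_search_base = $ldapbase
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
EOF

if [ -n "$kerberosserver" ] ; then
    cat <<EOF

krb5_server = $kerberosserver
krb5_realm = $kerberosrealm
krb5_auth_timeout = 15
EOF
fi
}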
# Entry point: an optional DNS domain may be given as the first argument.
generate_config "$@"