#!/bin/sh
# Generate sssd.conf setup dynamically based on autodetected LDAP
# and Kerberos server.
#
# Usage: $0 [domain]      (default: the DNS domain from `hostname -d`)
#
# The generated configuration is written to stdout; nothing is printed
# when autodetection fails.  All choices below are driven by
# unauthenticated DNS answers (A, SRV and TXT lookups) and an anonymous
# LDAP query, so the result should be reviewed before it is installed as
# the system's authentication configuration.
#
# Abort on the first unchecked command failure.
set -e
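# See if we can find an LDAP server.  Prefer ldap.$domain (checked with a
# reachability ping), but also accept the first _ldap._tcp SRV target if
# no ldap.$domain host answers.
#
# Arguments: $1 - DNS domain to search
# Outputs:   "ldap://<host>" on stdout, or nothing if no server was found
#
# Only lines that carry a real SRV answer ("... has SRV record ...") are
# considered.  Previously every non-NXDOMAIN line was accepted, so a
# resolver failure such as ";; connection timed out; no servers could be
# reached" produced the bogus URI "ldap://reached".
# The SRV port is intentionally not used: the URI implies the default
# LDAP port, which is what the original behaviour relied on.
# NOTE(review): the host name comes from unauthenticated DNS; nothing here
# verifies that it is the intended directory server.
lookup_ldap_uri() {
    domain="$1"
    if ping -c2 "ldap.$domain" > /dev/null 2>&1; then
        echo "ldap://ldap.$domain"
    else
        # $NF is the SRV target FQDN, normally with a trailing dot.
        host=$(host -N 2 -t SRV "_ldap._tcp.$domain" \
            | awk '/has SRV record/ { print $NF }' | head -n 1)
        if [ "$host" ]; then
            # Strip the trailing dot of the FQDN.
            echo "ldap://${host%.}"
        fi
    fi
}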
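# Find the search base of the directory behind the given URI.
#
# Arguments: $1 - LDAP URI as produced by lookup_ldap_uri
# Outputs:   the base DN on stdout (an empty line if none was found)
#
# The rootDSE is read with an anonymous simple bind (-x); with a plain
# ldap:// URI that exchange is not encrypted.  defaultNamingContext wins;
# otherwise the first namingContexts value that holds posixAccount or
# posixGroup objects is used.
#
# Fixes: the URI is now quoted on every ldapsearch call, and DNs are taken
# as the whole attribute value instead of awk's second field, so a naming
# context with a space in it (e.g. "o=Foo Bar,c=US") is no longer truncated.
# Folded LDIF lines (very long DNs) are still not unfolded.
lookup_ldap_base() {
    ldapuri="$1"
    defaultcontext="$(ldapsearch -LLL -H "$ldapuri" -x -b '' -s base defaultNamingContext 2>/dev/null \
        | sed -n 's/^defaultNamingContext: //p')"
    if [ -z "$defaultcontext" ]; then
        # If there are several contexts, pick the first one with
        # posixAccount or posixGroup objects in it.  Feeding the loop from a
        # here-document keeps it in the current shell, so "return" really
        # leaves the function, and reading line by line keeps DNs intact.
        while IFS= read -r context; do
            [ -n "$context" ] || continue
            # -z 1 caps the answer at one entry; a dn: line or the server's
            # limit complaint both mean that matching objects exist.
            if ldapsearch -LLL -H "$ldapuri" -x -b "$context" -s sub -z 1 \
                '(|(objectClass=posixAccount)(objectclass=posixGroup))' 2>&1 \
                | grep -E -q '^dn:|^Administrative limit exceeded'; then
                printf '%s\n' "$context"
                return
            fi
        done <<EOF
$(ldapsearch -LLL -H "$ldapuri" -x -b '' -s base namingContexts 2>/dev/null | sed -n 's/^namingContexts: //p')
EOF
    fi
    printf '%s\n' "$defaultcontext"
}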
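# Locate a KDC for the domain.  Prefer kerberos.$domain (reachability
# ping), else the first _kerberos._tcp SRV target.
#
# Arguments: $1 - DNS domain
# Outputs:   the KDC host name on stdout, or nothing if none was found
#
# Only genuine SRV answers ("... has SRV record ...") are used, so a
# resolver failure can no longer leak a word like "reached" into
# krb5_server.  The SRV port is not used.
# NOTE(review): the KDC name comes from unauthenticated DNS and this
# script does not enable krb5_validate, so sssd has no keytab-based check
# that the KDC is genuine.
lookup_kerberos_server() {
    domain="$1"
    if ping -c2 "kerberos.$domain" > /dev/null 2>&1; then
        echo "kerberos.$domain"
    else
        host=$(host -t SRV "_kerberos._tcp.$domain" \
            | awk '/has SRV record/ { print $NF }' | head -n 1)
        if [ "$host" ]; then
            # Strip the trailing dot of the FQDN.
            echo "${host%.}"
        fi
    fi
}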
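# Determine the Kerberos realm for the domain from the _kerberos TXT
# record, falling back to the upper-cased domain name.
#
# Arguments: $1 - DNS domain
# Outputs:   the realm name on stdout (never empty for a non-empty domain)
#
# Only real TXT answers ('_kerberos.<domain> descriptive text "REALM"')
# are accepted; before, any non-NXDOMAIN resolver message was taken as the
# realm, so a timeout turned into the realm "reached".
# NOTE(review): the realm is taken from unauthenticated DNS.
lookup_kerberos_realm() {
    domain="$1"
    realm=$(host -t txt "_kerberos.$domain" \
        | awk '/descriptive text/ { print $NF }' | head -n 1 | tr -d '"')
    if [ -z "$realm" ]; then
        # No realm advertised in DNS: use the conventional upper-cased domain.
        realm=$(printf '%s\n' "$domain" | tr a-z A-Z)
    fi
    printf '%s\n' "$realm"
}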
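# Emit a complete sssd.conf on stdout for the given (or detected) domain.
#
# Arguments: $1 - DNS domain (optional; defaults to `hostname -d`)
# Outputs:   the generated configuration on stdout; nothing at all when the
#            domain is unusable or the LDAP URI / search base cannot be
#            detected (the reason goes to stderr)
#
# Security notes for whoever installs the result:
#  * Every server name, the realm and the search base come from
#    unauthenticated DNS answers and an anonymous LDAP query.
#  * ldap_tls_reqcert = demand only governs connections that use TLS.  The
#    emitted ldap_uri is plain ldap:// and ldap_id_use_start_tls is not set,
#    so with sssd's defaults identity lookups may travel in cleartext
#    (confirm against your sssd version); add "ldap_id_use_start_tls = true"
#    or use ldaps:// if the directory supports it.
#  * krb5_validate is not set, so a KDC spoofed via DNS is not detected
#    unless the host also has a keytab and enables validation.
generate_config() {
    if [ "$1" ]; then
        domain="$1"
    else
        domain="$(hostname -d)"
    fi
    # The domain is spliced into DNS names and into INI section names
    # ("[domain/...]", "domains = ..."), so refuse anything that is not a
    # plain DNS name: a stray "]", "=" or newline would corrupt the output.
    case "$domain" in
        ""|*[!A-Za-z0-9.-]*)
            printf '%s: refusing to generate config for invalid or empty domain "%s"\n' "$0" "$domain" >&2
            return
            ;;
    esac
    kerberosrealm=$(lookup_kerberos_realm "$domain")
    ldapuri=$(lookup_ldap_uri "$domain")
    if [ -z "$ldapuri" ]; then
        # Autodetection failed: stay silent on stdout so callers can test
        # for empty output, but say why on stderr.
        printf '%s: no LDAP server found for domain %s\n' "$0" "$domain" >&2
        return
    fi
    ldapbase="$(lookup_ldap_base "$ldapuri")"
    if [ -z "$ldapbase" ]; then
        printf '%s: no search base found on %s\n' "$0" "$ldapuri" >&2
        return
    fi
    kerberosserver=$(lookup_kerberos_server "$domain")
    cat <<EOF
# SSSD configuration generated using $0
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = $domain
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
EOF
    # A discovered KDC selects Kerberos for authentication and password
    # changes; otherwise both go through LDAP.
    if [ "$kerberosserver" ]; then
        auth="krb5"
        chpass="krb5"
    else
        auth="ldap"
        chpass="ldap"
    fi
    # NOTE(review): ldap_tls_reqcert below only applies once TLS is in use;
    # nothing here forces TLS for the id_provider (see header comment).
    cat <<EOF
[domain/$domain]
; Using enumerate = true leads to high load and slow response
enumerate = false
cache_credentials = true
id_provider = ldap
auth_provider = $auth
chpass_provider = $chpass
ldap_uri = $ldapuri
ldap_search_base = $ldapbase
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
EOF
    if [ "$kerberosserver" ]; then
        # NOTE(review): krb5_validate is not emitted; without it (and a host
        # keytab) a KDC substituted through DNS goes unnoticed.
        cat <<EOF
krb5_server = $kerberosserver
krb5_realm = $kerberosrealm
krb5_auth_timeout = 15
EOF
    fi
}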
# Entry point: forward the optional domain argument unchanged.  The sssd.conf
# goes to stdout; on failed autodetection the script prints nothing there.
generate_config "$@"