-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathinstall-pam-ldap
executable file
·75 lines (62 loc) · 2.22 KB
/
install-pam-ldap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
#!/bin/bash
set -eo pipefail
err_report() {
echo "errexit on line $(caller)" >&2
}
trap err_report ERR
# QAD script to install and configure libpam-ldap
if [[ -d /etc/apt ]]; then
APT=true
SUDO=sudo
elif [[ -d /etc/yum ]]; then
YUM=true
SUDO=wheel
else
echo "Distribution not supported!"
exit -1
fi
# Support headless installation
export DEBIAN_FRONTEND=noninteractive
export NEEDRESTART_SUSPEND=y
# A *space-separated* list of LDAP URIs
LDAP_SERVERS="ldaps://pdc.example.com"
BASE_DN="dc=example,dc=com"
if [[ -f /etc/install-pam-ldap ]]; then
. /etc/install-pam-ldap
fi
if [[ -f ~/.install-pam-ldap ]]; then
. ~/.install-pam-ldap
fi
if [[ $APT ]]; then
# The only way to reliably use debconf is to purge, config and reinstall.
# If the package is already installed then debconf *does nothing*
dpkg --purge --force-depends libpam-ldap || true
cat >/tmp/debconf-selections <<EOF
# Pre-bullseye
ldap-auth-config ldap-auth-config/ldapns/ldap_version select 3
ldap-auth-config ldap-auth-config/dblogin boolean false
ldap-auth-config ldap-auth-config/move-to-debconf boolean true
ldap-auth-config ldap-auth-config/ldapns/ldap-server string ${LDAP_SERVERS}
ldap-auth-config ldap-auth-config/ldapns/base-dn string ${BASE_DN}
ldap-auth-config ldap-auth-config/dbrootlogin boolean false
# bullseye
libpam-ldap shared/ldapns/ldap_version select 3
libpam-ldap libpam-ldap/dblogin boolean false
libpam-ldap shared/ldapns/ldap-server string ${LDAP_SERVERS}
libpam-ldap shared/ldapns/base-dn string ${BASE_DN}
libpam-ldap libpam-ldap/override boolean true
libpam-ldap libpam-ldap/dbrootlogin boolean false
EOF
debconf-set-selections /tmp/debconf-selections
if [ -z "$(find /var/cache/apt/pkgcache.bin -mmin -60)" ]; then
apt-get update
fi
apt-get install -y libpam-ldap
elif [[ $YUM ]]; then
yum -y --setopt=skip_missing_names_on_install=False install nss-pam-ldapd authconfig
authconfig --enableldapauth --ldapserver="${LDAP_SERVERS}" --ldapbasedn="${BASE_DN}" --enablerfc2307bis --disableldaptls --update
# Unnecessary shit like this is why I use Debian.
# https://serverfault.com/questions/437546/centos-openldap-cert-trust-issues
echo "tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt" >> /etc/nslcd.conf
service nslcd restart
fi