authorSimon Rettberg2014-09-11 14:30:00 +0200
committerSimon Rettberg2014-09-11 14:30:00 +0200
commitcb166c8cfcbd599306da453c80831194128a5cb0 (patch)
treeccfee878c9fff06b108da4cdf14a5db7fcb68a6c
parentForce NFS Version 3 (diff)
Use SSL for AD-LDAP-connections
-rw-r--r--data/ad/mountscript2
-rw-r--r--src/main/java/org/openslx/taskmanager/tasks/CreateAdConfig.java34
2 files changed, 31 insertions, 5 deletions
diff --git a/data/ad/mountscript b/data/ad/mountscript
index 2256904..74c511e 100644
--- a/data/ad/mountscript
+++ b/data/ad/mountscript
@@ -9,7 +9,7 @@ if ! grep -q "^${PAM_USER}:" "/etc/passwd"; then
# determine fileserver and share for home directories
touch "/tmp/ldapsearch.${PAM_USER}"
chmod 0600 "/tmp/ldapsearch.${PAM_USER}"
- ldapsearch -x -LLL uid="${PAM_USER}" homeMount > "/tmp/ldapsearch.${PAM_USER}" || \
+ ldapsearch -x -LLL uid="${PAM_USER}" homeMount > "/tmp/ldapsearch.${PAM_USER}" 2>/dev/null || \
{ slxlog "pam-ad-ldapquery" "Could not query LDAP server for parameters of user '${PAM_USER}'."; exit 1; }
VOLUME=$(cat "/tmp/ldapsearch.${PAM_USER}" | grep ^homeMount | head -n 1 | cut -d" " -f2)
[ -z "${VOLUME}" ] && slxlog "pam-ad-ldapvolume" "LDAP server did not provide 'homeMount'. Aborting mount for ${PAM_USER}." && exit 1
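Review bot: The new `2>/dev/null` on the ldapsearch line discards the only output that distinguishes a TLS failure (unreachable proxy, certificate rejected after the switch to ldaps that this commit makes in ldap.conf) from a user that simply has no entry, while the slxlog call that follows only reports that the query failed. Capturing stderr beside the result, `2> "/tmp/ldapsearch.${PAM_USER}.err"`, and appending its first line to the slxlog text keeps the login path quiet and still leaves the cause in the log. The enclosing `if ! grep ...` block starts before the hunk and continues after it.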
diff --git a/src/main/java/org/openslx/taskmanager/tasks/CreateAdConfig.java b/src/main/java/org/openslx/taskmanager/tasks/CreateAdConfig.java
index 71ef249..67d6099 100644
--- a/src/main/java/org/openslx/taskmanager/tasks/CreateAdConfig.java
+++ b/src/main/java/org/openslx/taskmanager/tasks/CreateAdConfig.java
@@ -9,6 +9,7 @@ import java.nio.file.Paths;
import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream;
import org.apache.commons.io.FileUtils;
import org.openslx.satserver.util.Archive;
+import org.openslx.satserver.util.Exec;
import org.openslx.satserver.util.Util;
import org.openslx.taskmanager.api.AbstractTask;
@@ -55,7 +56,19 @@ public class CreateAdConfig extends AbstractTask
protected boolean execute()
{
TarArchiveOutputStream outArchive = null;
+ String keyFile = "/opt/ldadp/configs/" + this.moduleid + ".key.pem";
+ String certFile = "/opt/ldadp/configs/" + this.moduleid + ".crt.pem";
try {
+ // Generate keys
+ {
+ int ret = Exec.sync( "openssl", "req",
+ "-x509", "-new", "-newkey", "rsa:4096", "-keyout", keyFile, "-out", certFile, "-days", "5000", "-nodes",
+ "-subj", "/C=DE/ST=Nowhere/L=Springfield/O=Dis/CN=" + this.proxyip );
+ if ( ret != 0 ) {
+ status.error = "openssl exited with code " + ret;
+ return false;
+ }
+ }
// ldadp config
String ldadpConf = String.format(
"[%s]\n"
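Review bot: The private key is written with `-nodes` (unencrypted) to `keyFile` under /opt/ldadp/configs/ and nothing in the hunk restricts its mode; unless the installed openssl or the process umask already yields owner-only access, the key that authenticates the proxy is readable by every local account. After the exit-code check, `Files.setPosixFilePermissions( Paths.get( keyFile ), PosixFilePermissions.fromString( "rw-------" ) );` would pin it (Files and Paths are already imported; PosixFilePermissions needs one more import). A second effect deserves a comment: every run of execute() regenerates the key pair, so clients still carrying the /etc/ldap-proxy.pem from an earlier module build stop verifying the proxy once it reloads the new certificate — either skip generation when both files exist or state that the module must be redeployed. The `-days 5000` validity should also be noted, because with `TLS_REQCERT demand` expiry turns into a hard login failure on every client. execute() continues past the end of the hunk.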
@@ -64,16 +77,20 @@ public class CreateAdConfig extends AbstractTask
+ "base=%s\n"
+ "port=%s\n"
+ "home=%s\n"
+ + "cert=%s\n"
+ + "privkey=%s\n"
+ "\n",
this.server,
this.binddn,
this.bindpw,
this.searchbase,
this.proxyport,
- this.home );
+ this.home,
+ certFile,
+ keyFile );
String fileName = "/opt/ldadp/configs/" + this.moduleid + ".cfg";
try {
- Files.deleteIfExists( Paths.get( filename ) );
+ Files.deleteIfExists( Paths.get( this.filename ) );
} catch ( IOException e1 ) {
}
try {
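Review bot: The changed line `Files.deleteIfExists( Paths.get( this.filename ) )` now sits two lines under the new local `String fileName = "/opt/ldadp/configs/" + this.moduleid + ".cfg"`, and the two identifiers differ only in case, so a reader easily takes the delete to target the ldadp config that is written right after. If `this.filename` is a field naming something else (presumably the module's output archive), a one-line comment such as `// remove stale output archive; the ldadp .cfg in fileName is rewritten below`, or renaming the local to `ldadpConfPath`, would make the intent explicit. The generated config now carries `privkey=` next to the plain-text `bindpw`, which is one more reason the file mode of everything under /opt/ldadp/configs/ should be stated in a comment here. The statement being formatted begins outside the hunk.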
@@ -91,10 +108,12 @@ public class CreateAdConfig extends AbstractTask
// Generic ldap config
String ldapConf = String
.format(
- "URI ldap://%s:%d/\n"
+ "URI ldaps://%s:%d/\n"
+ "BASE %s\n"
+ "BIND_TIMELIMIT 10\n"
+ "TIMELIMIT 30\n"
+ + "TLS_REQCERT demand\n"
+ + "TLS_CACERT /etc/ldap-proxy.pem\n"
+ "nss_base_passwd %s\n"
+ "nss_base_group %s\n"
+ "nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,dnsmasq,games,gnats,hplip,irc,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,usbmux,uucp,whoopsie,www-data\n",
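Review bot: `TLS_REQCERT demand` together with `TLS_CACERT /etc/ldap-proxy.pem` pins the client to the self-signed certificate generated earlier in this commit, whose only identity is `CN=<proxyip>`; libldap checks that name against the host in the `URI ldaps://%s:%d/` line, so verification holds only while that host is the identical proxyip string and while the deployed libldap accepts an IP literal in the CN (a subjectAltName IP entry is the robust form if it does not). The same applies to the nslcd block in the next hunk, where the directive is `TLS_CACERTFILE`. A comment above the format string would save the next maintainer the archaeology: `// trust anchor is the per-module self-signed cert shipped as /etc/ldap-proxy.pem; demand = fail closed on any mismatch or expiry`. The format string's argument list continues outside the hunk.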
@@ -106,10 +125,12 @@ public class CreateAdConfig extends AbstractTask
// nslcd config
String nslcdConf = String
.format(
- "URI ldap://%s:%d/\n"
+ "URI ldaps://%s:%d/\n"
+ "BASE %s\n"
+ "BIND_TIMELIMIT 10\n"
+ "TIMELIMIT 30\n"
+ + "TLS_REQCERT demand\n"
+ + "TLS_CACERTFILE /etc/ldap-proxy.pem\n"
+ "scope sub\n"
+ "nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,dnsmasq,games,gnats,hplip,irc,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,usbmux,uucp,whoopsie,www-data\n",
this.proxyip, this.proxyport,
@@ -117,6 +138,11 @@ public class CreateAdConfig extends AbstractTask
this.searchbase,
this.searchbase
);
+ // The cert we just created
+ if ( !Archive.tarAddFile( outArchive, "/etc/ldap-proxy.pem", new File( certFile ), 0644 ) ) {
+ status.error = "Could not add ldap-proxy.pem to module";
+ return false;
+ }
// nsswitch.conf with ldap enabled
if ( !Archive.tarAddFile( outArchive, "/etc/nsswitch.conf", new File( "./data/ad/nsswitch.conf" ), 0644 ) ) {
status.error = "Could not add nsswitch.conf to module";
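Review bot: The new error text `"Could not add ldap-proxy.pem to module"` omits the source path, so this failure cannot be told apart from the openssl step having produced no usable file; `status.error = "Could not add " + certFile + " as /etc/ldap-proxy.pem to module";` gives the operator the same kind of detail the openssl branch already provides with its exit code. Mode 0644 is appropriate here because only the certificate, not `keyFile`, enters the archive, and a short comment saying so (`// public cert only; the key stays on the server`) would stop a later change from bundling the key by analogy. The surrounding execute() body starts and ends outside the hunk.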