diff options
author | Simon Rettberg | 2015-09-13 17:50:48 +0200 |
---|---|---|
committer | Simon Rettberg | 2015-09-13 17:50:48 +0200 |
commit | 4eb93bd8236e03b4f3a19af41fe98f6aaba28b35 (patch) | |
tree | 456874e11b3c1085debd8fe67c4937fc2b932a3b /src/main/java/org/openslx/taskmanager/tasks/CreateLdapConfig.java | |
parent | Fix pam scripts (ldap -> sss) (diff) | |
download | tmlite-bwlp-4eb93bd8236e03b4f3a19af41fe98f6aaba28b35.tar.gz tmlite-bwlp-4eb93bd8236e03b4f3a19af41fe98f6aaba28b35.tar.xz tmlite-bwlp-4eb93bd8236e03b4f3a19af41fe98f6aaba28b35.zip |
Add LDAP support to previously AD-only tasks
Diffstat (limited to 'src/main/java/org/openslx/taskmanager/tasks/CreateLdapConfig.java')
-rw-r--r-- | src/main/java/org/openslx/taskmanager/tasks/CreateLdapConfig.java | 199 |
1 files changed, 199 insertions, 0 deletions
diff --git a/src/main/java/org/openslx/taskmanager/tasks/CreateLdapConfig.java b/src/main/java/org/openslx/taskmanager/tasks/CreateLdapConfig.java new file mode 100644 index 0000000..8fb8287 --- /dev/null +++ b/src/main/java/org/openslx/taskmanager/tasks/CreateLdapConfig.java @@ -0,0 +1,199 @@ +package org.openslx.taskmanager.tasks; + +import java.io.File; +import java.io.IOException; +import java.nio.charset.StandardCharsets; +import java.nio.file.Files; +import java.nio.file.Paths; + +import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream; +import org.apache.commons.io.FileUtils; +import org.openslx.satserver.util.Archive; +import org.openslx.satserver.util.Constants; +import org.openslx.satserver.util.Exec; +import org.openslx.satserver.util.Template; +import org.openslx.satserver.util.Util; +import org.openslx.taskmanager.api.AbstractTask; + +import com.google.gson.annotations.Expose; + +public class CreateLdapConfig extends AbstractTask +{ + @Expose + private int moduleid = 0; + @Expose + private String filename = null; + @Expose + private String server = null; + @Expose + private String searchbase = null; + @Expose + private String binddn = null; + @Expose + private String bindpw = null; + @Expose + private String proxyip = null; + @Expose + private int proxyport = 0; + @Expose + private int adport = 0; + @Expose + private String home = null; + @Expose + private String fingerprint = ""; + @Expose + private boolean plainldap = false; + + private Output status = new Output(); + + @Override + protected boolean initTask() + { + // TODO: Check path is allowed + this.setStatusObject( this.status ); + if ( filename == null || server == null || searchbase == null || proxyip == null || proxyport == 0 || moduleid == 0 ) { + status.error = "Missing argument to task"; + return false; + } + if ( this.home == null ) + this.home = ""; + if ( this.binddn == null ) + this.binddn = ""; + if ( this.bindpw == null ) + this.bindpw = ""; + return true; + } + + @Override + protected boolean execute() + { + TarArchiveOutputStream outArchive = null; + String keyFile = "/opt/ldadp/configs/" + this.moduleid + ".key.pem"; + String certFile = "/opt/ldadp/configs/" + this.moduleid + ".crt.pem"; + String uri = "ldaps://" + this.proxyip + ":" + this.proxyport + "/"; + String cacertPath = "/etc/ldap-proxy.pem"; + try { + // Generate keys + { + int ret = Exec.sync( 10, "openssl", "req", + "-x509", "-new", "-newkey", "rsa:4096", "-keyout", keyFile, "-out", certFile, "-days", "5000", "-nodes", + "-subj", "/C=DE/ST=Nowhere/L=Springfield/O=Dis/CN=" + this.proxyip ); + if ( ret == -1 ) { + status.error = "openssl process didn't finish in time."; + } else if ( ret == -2 ) { + status.error = "Internal error generating certificate."; + } else if ( ret != 0 ) { + status.error = "openssl exited with code " + ret; + } + if ( ret != 0 ) + return false; + } + // ldadp config + String ldadpConf = String.format( + "[%s]\n" + + "binddn=%s\n" + + "bindpw=%s\n" + + "base=%s\n" + + "home=%s\n" + + "port=%s\n" + + "fingerprint=%s\n" + + "plainldap=%s\n" + + "[local]\n" + + "port=%s\n" + + "cert=%s\n" + + "privkey=%s\n" + + "\n", + this.server, + this.binddn, + this.bindpw, + this.searchbase, + this.home, + this.adport, + this.fingerprint, + Boolean.toString( this.plainldap ), + this.proxyport, + certFile, + keyFile ); + // Generic ldap config + final Template ldapConf = new Template( "./data/ad/ldap.conf.template" ); + ldapConf.replace( "%URI%", uri ); + ldapConf.replace( "%SEARCHBASE%", this.searchbase ); + ldapConf.replace( "%CACERT%", cacertPath ); + // sssd config + final Template sssdConf = new Template( "./data/ad/sssd.conf.template" ); + sssdConf.replace( "%URI%", uri ); + sssdConf.replace( "%SEARCHBASE%", this.searchbase ); + sssdConf.replace( "%CACERT%", cacertPath ); + String fileName = "/opt/ldadp/configs/" + this.moduleid + ".cfg"; + try { + Files.deleteIfExists( Paths.get( this.filename ) ); + } catch ( IOException e1 ) { + } + try { + FileUtils.writeStringToFile( new File( fileName ), ldadpConf, StandardCharsets.UTF_8 ); + if ( 0 != Exec.sync( 10, + "/usr/bin/sudo", + "-n", + "-u", "root", + Constants.BASEDIR + "/scripts/ldadp-setperms", + Integer.toString( this.moduleid ) ) ) + status.error = "Could not chown/chmod ldadp config!"; + } catch ( IOException e ) { + status.error = e.toString(); + return false; + } + try { + outArchive = Archive.createTarArchive( this.filename ); + } catch ( IOException e ) { + status.error = "Could not create archive at " + this.filename; + return false; + } + // The cert we just created + if ( !Archive.tarAddFile( outArchive, cacertPath, new File( certFile ), 0644 ) ) { + status.error = "Could not add ldap-proxy.pem to module"; + return false; + } + // nsswitch.conf with ldap enabled + if ( !Archive.tarAddFile( outArchive, "/etc/nsswitch.conf", new File( "./data/ad/nsswitch.conf" ), 0644 ) ) { + status.error = "Could not add nsswitch.conf to module"; + return false; + } + // All the pam.d common-XXXX files + for ( String file : new String[] { "common-auth", "common-account", "common-session", "common-session-noninteractive", "common-password" } ) { + if ( !Archive.tarAddFile( outArchive, "/etc/pam.d/" + file, new File( "./data/ad/" + file ), 0644 ) ) { + status.error = "Could not add " + file + " to module"; + return false; + } + } + // Home if present + if ( !Archive.tarAddFile( outArchive, "/opt/openslx/scripts/pam_script_mount_persistent", new File( "./data/ad/mountscript" ), 0644 ) ) { + status.error = "Could not add mount script to module"; + return false; + } + boolean ret = Archive.tarCreateFileFromString( outArchive, "/etc/ldap.conf", ldapConf.toString(), 0644 ) + && Archive.tarCreateFileFromString( outArchive, "/etc/sssd/sssd.conf", sssdConf.toString(), 0600 ) + && Archive.tarCreateSymlink( outArchive, "/etc/ldap.conf", "/etc/ldap/ldap.conf" ) + && Archive.tarCreateSymlink( outArchive, "/etc/ldap.conf", "/etc/openldap/ldap.conf" ) + && Archive.tarCreateSymlink( outArchive, "../sssd.service", "/etc/systemd/system/basic.target.wants/sssd.service" ); + if ( !ret ) { + status.error = "Could not add ldap configs to module"; + } + return ret; + } catch ( IOException e ) { + status.error = e.toString(); + return false; + } finally { + Util.multiClose( outArchive ); + } + } + + /** + * Output - contains additional status data of this task + */ + @SuppressWarnings( "unused" ) + private static class Output + { + protected String error = null; + } + +} |