Small fixes from Ubuntu 22 -> Debian 12 switch
This commit is contained in:
parent
162951d6dd
commit
45564fa83e
@ -75,15 +75,17 @@ homeDirectory: /home/marisa
|
|||||||
gecos: Marisa Kirisame
|
gecos: Marisa Kirisame
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
|
ADMIN_DN="cn=admin,${LDAP_BASE_DN}"
|
||||||
|
ADMIN_PW="admin"
|
||||||
|
|
||||||
echo "--> Adding base structure"
|
echo "--> Adding base structure"
|
||||||
ldapadd -c -x -D "cn=admin,dc=example,dc=com" -w admin -f /tmp/base.ldif || true
|
ldapadd -c -x -D "$ADMIN_DN" -w "$ADMIN_PW" -f /tmp/base.ldif || true
|
||||||
|
|
||||||
#──────────────────────────────────────────────────────────────
|
#──────────────────────────────────────────────────────────────
|
||||||
# TLS BLOCK
|
# TLS BLOCK
|
||||||
#──────────────────────────────────────────────────────────────
|
#──────────────────────────────────────────────────────────────
|
||||||
if [ ! -f "/export-certs/mycacert.crt" ]; then
|
if [ ! -f "/export-certs/mycacert.crt" ]; then
|
||||||
echo "--> No CA found, generating new certificates and TLS config..."
|
echo "--> No CA found → generating certificates..."
|
||||||
mkdir -p /etc/ldap/certs
|
mkdir -p /etc/ldap/certs
|
||||||
cd /etc/ldap/certs
|
cd /etc/ldap/certs
|
||||||
certtool --generate-privkey --bits 4096 --outfile ca-key.pem
|
certtool --generate-privkey --bits 4096 --outfile ca-key.pem
|
||||||
@ -94,6 +96,7 @@ cert_signing_key
|
|||||||
expiration_days = 3650
|
expiration_days = 3650
|
||||||
EOF
|
EOF
|
||||||
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.info --outfile ca-cert.pem
|
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.info --outfile ca-cert.pem
|
||||||
|
certtool --generate-privkey --bits 2048 --outfile ldap01_slapd_key.pem
|
||||||
cat > ldap01.info <<EOF
|
cat > ldap01.info <<EOF
|
||||||
organization = Example Company
|
organization = Example Company
|
||||||
cn = ${LDAP_HOST}
|
cn = ${LDAP_HOST}
|
||||||
@ -102,7 +105,6 @@ encryption_key
|
|||||||
signing_key
|
signing_key
|
||||||
expiration_days = 365
|
expiration_days = 365
|
||||||
EOF
|
EOF
|
||||||
certtool --generate-privkey --bits 2048 --outfile ldap01_slapd_key.pem
|
|
||||||
certtool --generate-certificate \
|
certtool --generate-certificate \
|
||||||
--load-privkey ldap01_slapd_key.pem \
|
--load-privkey ldap01_slapd_key.pem \
|
||||||
--load-ca-certificate ca-cert.pem \
|
--load-ca-certificate ca-cert.pem \
|
||||||
@ -114,8 +116,9 @@ EOF
|
|||||||
cat ldap01_slapd_cert.pem ca-cert.pem > ldap01_slapd_cert_full.pem
|
cat ldap01_slapd_cert.pem ca-cert.pem > ldap01_slapd_cert_full.pem
|
||||||
chown root:openldap ldap01_slapd_cert_full.pem
|
chown root:openldap ldap01_slapd_cert_full.pem
|
||||||
chmod 640 ldap01_slapd_cert_full.pem
|
chmod 640 ldap01_slapd_cert_full.pem
|
||||||
|
echo "--> Starting second temporary slapd to apply TLS config"
|
||||||
# Generate the LDIF for TLS config now, but apply it later
|
slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
|
||||||
|
sleep 4
|
||||||
cat > /tmp/certinfo.ldif <<EOF
|
cat > /tmp/certinfo.ldif <<EOF
|
||||||
dn: cn=config
|
dn: cn=config
|
||||||
changetype: modify
|
changetype: modify
|
||||||
@ -128,11 +131,14 @@ olcTLSCertificateFile: /etc/ldap/certs/ldap01_slapd_cert_full.pem
|
|||||||
replace: olcTLSCertificateKeyFile
|
replace: olcTLSCertificateKeyFile
|
||||||
olcTLSCertificateKeyFile: /etc/ldap/certs/ldap01_slapd_key.pem
|
olcTLSCertificateKeyFile: /etc/ldap/certs/ldap01_slapd_key.pem
|
||||||
EOF
|
EOF
|
||||||
|
ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif
|
||||||
|
cp /etc/ldap/certs/ca-cert.pem /usr/local/share/ca-certificates/mycacert.crt
|
||||||
|
update-ca-certificates
|
||||||
|
pkill slapd || true
|
||||||
|
sleep 2
|
||||||
echo "--> Exporting certificates to host volume..."
|
echo "--> Exporting certificates to host volume..."
|
||||||
cp /etc/ldap/certs/ca-cert.pem /export-certs/mycacert.crt
|
cp /etc/ldap/certs/ca-cert.pem /export-certs/mycacert.crt
|
||||||
cp /etc/ldap/certs/ldap01_slapd_cert_full.pem /export-certs/server-cert.pem
|
cp /etc/ldap/certs/ldap01_slapd_cert_full.pem /export-certs/server-cert.pem
|
||||||
cp /tmp/certinfo.ldif /export-certs/certinfo.ldif
|
|
||||||
else
|
else
|
||||||
echo "--> Certificates already exist — skipping generation and using existing ones"
|
echo "--> Certificates already exist — skipping generation and using existing ones"
|
||||||
fi
|
fi
|
||||||
@ -140,6 +146,12 @@ fi
|
|||||||
export LDAPTLS_REQCERT=allow
|
export LDAPTLS_REQCERT=allow
|
||||||
|
|
||||||
# ←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←
|
# ←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←←
|
||||||
|
# NEW: Save and restore the LDIF — no changes to TLS block
|
||||||
|
if [ ! -f "/export-certs/certinfo.ldif" ]; then
|
||||||
|
echo "--> Saving TLS config LDIF for future restarts"
|
||||||
|
cp /tmp/certinfo.ldif /export-certs/certinfo.ldif
|
||||||
|
fi
|
||||||
|
|
||||||
if [ -f "/export-certs/certinfo.ldif" ]; then
|
if [ -f "/export-certs/certinfo.ldif" ]; then
|
||||||
echo "--> Restoring TLS config LDIF from persistent volume"
|
echo "--> Restoring TLS config LDIF from persistent volume"
|
||||||
cp /export-certs/certinfo.ldif /tmp/certinfo.ldif
|
cp /export-certs/certinfo.ldif /tmp/certinfo.ldif
|
||||||
@ -148,8 +160,6 @@ fi
|
|||||||
|
|
||||||
# Set Marisa password (full LDIF — so ldapmodify knows what to modify)
|
# Set Marisa password (full LDIF — so ldapmodify knows what to modify)
|
||||||
echo "--> Setting Marisa password to 'MarisaNewPass2025' using Admin Bind"
|
echo "--> Setting Marisa password to 'MarisaNewPass2025' using Admin Bind"
|
||||||
ADMIN_DN="cn=admin,${LDAP_BASE_DN}"
|
|
||||||
ADMIN_PW="admin"
|
|
||||||
slappasswd -h '{SSHA}' -s MarisaNewPass2025 | \
|
slappasswd -h '{SSHA}' -s MarisaNewPass2025 | \
|
||||||
ldapmodify -x -D "$ADMIN_DN" -w "$ADMIN_PW" <<EOF >/dev/null 2>&1
|
ldapmodify -x -D "$ADMIN_DN" -w "$ADMIN_PW" <<EOF >/dev/null 2>&1
|
||||||
dn: uid=marisa,ou=People,${LDAP_BASE_DN}
|
dn: uid=marisa,ou=People,${LDAP_BASE_DN}
|
||||||
@ -222,14 +232,11 @@ echo "--> Installing phpLDAPadmin"
|
|||||||
|
|
||||||
# Only install once — use a flag file
|
# Only install once — use a flag file
|
||||||
if [ ! -f "/var/www/html/phpldapadmin-installed" ]; then
|
if [ ! -f "/var/www/html/phpldapadmin-installed" ]; then
|
||||||
# Clean up any previous partial installation
|
|
||||||
rm -rf /var/www/html/phpldapadmin*
|
|
||||||
|
|
||||||
cd /var/www/html
|
cd /var/www/html
|
||||||
|
|
||||||
# Download and extract (direct tarball, no git needed)
|
# Download and extract (direct tarball, no git needed)
|
||||||
wget -q -O phpldapadmin.tgz \
|
wget -q -O phpldapadmin.tgz \
|
||||||
https://github.com/leenooks/phpLDAPadmin/archive/refs/tags/1.2.6.7.tar.gz || exit 1
|
https://github.com/leenooks/phpLDAPadmin/archive/refs/tags/1.2.6.7.tar.gz
|
||||||
tar xzf phpldapadmin.tgz
|
tar xzf phpldapadmin.tgz
|
||||||
mv phpLDAPadmin-1.2.6.7 phpldapadmin
|
mv phpLDAPadmin-1.2.6.7 phpldapadmin
|
||||||
rm phpldapadmin.tgz
|
rm phpldapadmin.tgz
|
||||||
@ -273,3 +280,4 @@ trap 'echo "Stopping services..."; kill $SLAPD_PID $APACHE_PID 2>/dev/null; wait
|
|||||||
|
|
||||||
# Give you your interactive shell — forever
|
# Give you your interactive shell — forever
|
||||||
exec "$@"
|
exec "$@"
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user