Fanch
1 year ago
19 changed files with 231 additions and 88 deletions
@ -1,7 +0,0 @@ |
|||
dn: olcDatabase={2}mdb,cn=config |
|||
changeType: modify |
|||
replace: olcAccess |
|||
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="$BINDDN" write by * none |
|||
olcAccess: {1}to dn.base="" by * read |
|||
olcAccess: {2}to dn.base="ou=users,$LDAPROOT" by users read |
|||
olcAccess: {3}to * by self write by dn="$BINDDN" write by * read |
@ -0,0 +1,21 @@ |
|||
dn: olcDatabase={2}mdb,cn=config |
|||
changeType: modify |
|||
replace: olcAccess |
|||
olcAccess: {0}to attrs=userPassword,shadowLastChange |
|||
by self write |
|||
by anonymous auth |
|||
by dn="cn=ldapui,ou=applications,$LDAPROOT" write |
|||
by dn="$BINDDN" write |
|||
by * none |
|||
olcAccess: {1}to dn.subtree="$LDAPROOT" |
|||
by self read |
|||
by dn="cn=ldapui,ou=applications,$LDAPROOT" read |
|||
by dn="cn=postfix,ou=applications,$LDAPROOT" read |
|||
by dn="cn=mattermost,ou=applications,$LDAPROOT" read |
|||
by dn="cn=cloud,ou=applications,$LDAPROOT" read |
|||
by dn="cn=mobilizon,ou=applications,$LDAPROOT" read |
|||
by dn="$BINDDN" write |
|||
by * none |
|||
olcAccess: {2}to * |
|||
by dn="$BINDDN" write |
|||
by * none |
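Review bot: The new ACL template has no comment explaining why five application DNs are hard-coded into `{0}` and `{1}`, or that the `by dn="$BINDDN" write` clauses are only meaningful if `$BINDDN` is not the database rootdn (a rootdn bypasses olcAccess entirely, so if `cn=${LDAP_ADMIN_USERNAME},${ldap_root}` is the rootdn those lines are documentation, not enforcement). A header such as `# {0}: passwords — owner and ldapui may set, everyone else may only bind; {1}: service accounts get read on the tree, users only their own entry; {2}: nothing else is readable anonymously` would make the intent reviewable. Note also that the old `to dn.base="" by * read` clause was dropped and the catch-all `{2}to * ... by * none` now denies anonymous access; if rootDSE reads are not granted elsewhere (frontend database), anonymous clients probing `namingContexts`/`supportedSASLMechanisms` will get nothing, which is worth confirming against the running config.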
@ -0,0 +1,30 @@ |
|||
dn: cn={$KAZNUMBER}kaz,cn=schema,cn=config |
|||
changeType: modify |
|||
replace: olcAttributeTypes |
|||
olcAttributeTypes: {0}( 1.3.6.1.4.1.5656.1.1.1 NAME 'mailDeSecours' |
|||
DESC 'Adresse mail de secours' |
|||
EQUALITY caseIgnoreIA5Match |
|||
SUBSTR caseIgnoreIA5SubstringsMatch |
|||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{320} ) |
|||
olcAttributeTypes: {1}( 1.3.6.1.4.1.5656.1.1.2 NAME 'quota' |
|||
DESC 'Quota en GO (integer)' |
|||
EQUALITY integerMatch |
|||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE) |
|||
olcAttributeTypes: {2}( 1.3.6.1.4.1.5656.1.1.3 NAME 'agoraEnabled' |
|||
DESC 'acces a agora' |
|||
EQUALITY caseIgnoreMatch |
|||
SUBSTR caseIgnoreSubstringsMatch |
|||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE) |
|||
olcAttributeTypes: {3}( 1.3.6.1.4.1.5656.1.1.4 NAME 'mobilizonEnabled' |
|||
DESC 'acces a mobilizon' |
|||
EQUALITY caseIgnoreMatch |
|||
SUBSTR caseIgnoreSubstringsMatch |
|||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE) |
|||
- |
|||
replace: olcObjectClasses |
|||
olcObjectClasses: {0}( 1.3.6.1.4.1.5656.1.2.1 NAME 'kaznaute' |
|||
DESC 'Un kaznaute' |
|||
SUP top AUXILIARY |
|||
MUST ( cn $ quota $ mailDeSecours ) |
|||
MAY ( agoraEnabled $ mobilizonEnabled ) |
|||
) |
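Review bot: The `quota` attribute type (`1.3.6.1.4.1.5656.1.1.2`) declares `EQUALITY integerMatch` with INTEGER syntax but no ORDERING rule, so filters like `(quota>=10)` will be rejected by slapd; add `ORDERING integerOrderingMatch` after the EQUALITY line if quota thresholds are ever queried. Separately, `replace: olcAttributeTypes` on an existing, in-use schema entry deletes and re-adds every definition; some slapd releases refuse deletion of schema elements from `cn=config`, so the re-runnability this template is designed for (see the `{$KAZNUMBER}` dn) should be verified on the deployed server version rather than assumed.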
@ -0,0 +1,32 @@ |
|||
dn: ou=users,$LDAPROOT |
|||
objectClass: organizationalUnit |
|||
ou: users |
|||
|
|||
dn: ou=applications,$LDAPROOT |
|||
objectClass: organizationalUnit |
|||
ou: system |
|||
|
|||
dn: cn=postfix,ou=applications,$LDAPROOT |
|||
objectClass: person |
|||
sn: postfix |
|||
userPassword: $POSTFIX_PASSWORD |
|||
|
|||
dn: cn=ldapui,ou=applications,$LDAPROOT |
|||
objectClass: person |
|||
sn: ldapui |
|||
userPassword: $LDAPUI_PASSWORD |
|||
|
|||
dn: cn=mattermost,ou=applications,$LDAPROOT |
|||
objectClass: person |
|||
sn: mattermost |
|||
userPassword: $MATTERMOST_PASSWORD |
|||
|
|||
dn: cn=cloud,ou=applications,$LDAPROOT |
|||
objectClass: person |
|||
sn: cloud |
|||
userPassword: $CLOUD_PASSWORD |
|||
|
|||
dn: cn=mobilizon,ou=applications,$LDAPROOT |
|||
objectClass: person |
|||
sn: mobilizon |
|||
userPassword: $MOBILIZON_PASSWORD |
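Review bot: The entry `dn: ou=applications,$LDAPROOT` carries `ou: system` instead of `ou: applications`, so the RDN value is absent from the entry and slapd will reject it with a namingViolation; because the loader runs `ldapadd -c`, that error is skipped and the five `cn=*,ou=applications` service accounts below then fail with noSuchObject, silently leaving the ACL's application bind DNs non-existent. Change the line to `ou: applications`. Since this file also carries `userPassword` values for every service account once rendered, a header comment stating that the rendered copy must be kept unreadable to other users and removed after loading would help whoever maintains the loader.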
@ -1,29 +0,0 @@ |
|||
# docker exec -it ldapServ ldapsearch -x -b "$LDAPROOT" |
|||
|
|||
dn: $LDAPROOT |
|||
objectClass: dcObject |
|||
objectClass: organization |
|||
dc: $DC |
|||
o: example |
|||
|
|||
dn: ou=users,$LDAPROOT |
|||
objectClass: organizationalUnit |
|||
ou: users |
|||
|
|||
dn: cn=nobody,ou=users,$LDAPROOT |
|||
cn: nobody |
|||
sn: nobody |
|||
objectClass: inetOrgPerson |
|||
objectClass: posixAccount |
|||
objectClass: shadowAccount |
|||
userPassword: $NOBODYPASSWORD |
|||
uid: nobody |
|||
uidNumber: 1000 |
|||
gidNumber: 1000 |
|||
homeDirectory: /home/nobody |
|||
|
|||
|
|||
dn: cn=readers,ou=users,$LDAPROOT |
|||
cn: readers |
|||
objectClass: groupOfNames |
|||
member: cn=nobody,ou=users,$LDAPROOT |
@ -0,0 +1,11 @@ |
|||
# On crée un schéma vide, qui sera peuplé ensuite par update.sh |
|||
# L'attribut mailDeSecours sert juste à bloquer la re-création si on relance |
|||
|
|||
dn: cn=kaz,cn=schema,cn=config |
|||
objectClass: olcSchemaConfig |
|||
cn: kaz |
|||
olcAttributeTypes: {0}( 1.3.6.1.4.1.5656.1.1.1 NAME 'mailDeSecours' |
|||
DESC 'Adresse mail de secours' |
|||
EQUALITY caseIgnoreIA5Match |
|||
SUBSTR caseIgnoreIA5SubstringsMatch |
|||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{320} ) |
@ -0,0 +1,25 @@ |
|||
dn: cn=nextcloud,cn=schema,cn=config |
|||
objectClass: olcSchemaConfig |
|||
cn: nextcloud |
|||
olcAttributeTypes: {0}( 1.3.6.1.4.1.49213.1.1.1 NAME 'nextcloudEnabled' |
|||
DESC 'whether user or group should be available in Nextcloud' |
|||
EQUALITY caseIgnoreMatch |
|||
SUBSTR caseIgnoreSubstringsMatch |
|||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE) |
|||
olcAttributeTypes: {1}( 1.3.6.1.4.1.49213.1.1.2 NAME 'nextcloudQuota' |
|||
DESC 'defines how much disk space is available for the user' |
|||
EQUALITY caseIgnoreMatch |
|||
SUBSTR caseIgnoreSubstringsMatch |
|||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE) |
|||
olcObjectClasses: {0}( 1.3.6.1.4.1.49213.1.2.1 NAME 'nextcloudAccount' |
|||
DESC 'A Nextcloud account' |
|||
SUP top AUXILIARY |
|||
MUST ( cn ) |
|||
MAY ( nextcloudEnabled $ nextcloudQuota ) |
|||
) |
|||
olcObjectClasses: {1}( 1.3.6.1.4.1.49213.1.2.2 NAME 'nextcloudGroup' |
|||
DESC 'A Nextcloud group' |
|||
SUP top AUXILIARY |
|||
MUST ( cn ) |
|||
MAY ( nextcloudEnabled ) |
|||
) |
@ -0,0 +1,40 @@ |
|||
#!/bin/bash |
|||
|
|||
SERV_DIR=$(cd $(dirname $0); pwd) |
|||
KAZ_ROOT=$(cd $(dirname $0)/../..; pwd) |
|||
. "${KAZ_ROOT}/bin/.commonFunctions.sh" |
|||
setKazVars |
|||
|
|||
cd $(dirname $0) |
|||
. "${DOCKERS_ENV}" |
|||
. "${KAZ_KEY_DIR}/env-${ldapServName}" |
|||
|
|||
checkDockerRunning "${ldapServName}" "LDAP" || exit |
|||
|
|||
printKazMsg "\n *** Update du LDAP" |
|||
|
|||
LDAP_IP=$(docker inspect -f '{{.NetworkSettings.Networks.ldapNet.IPAddress}}' ldapServ) |
|||
|
|||
BINDDN=cn=${LDAP_ADMIN_USERNAME},${ldap_root} |
|||
DC=$(echo ${ldap_root} | cut -d',' -f1 | cut -d'=' -f2) |
|||
|
|||
cp base/acl.ldif.tmpl /tmp/acl.ldif |
|||
sed -i -e "s/\$BINDDN/${BINDDN}/g" /tmp/acl.ldif |
|||
sed -i -e "s/\$LDAPROOT/${ldap_root}/g" /tmp/acl.ldif |
|||
|
|||
cp base/skeleton.ldif.tmpl /tmp/skeleton.ldif |
|||
sed -i -e "s/\$LDAPROOT/${ldap_root}/g" /tmp/skeleton.ldif |
|||
sed -i -e "s%\$POSTFIX_PASSWORD%\{CRYPT\}`mkpasswd -m sha512crypt ${LDAP_POSTFIX_PASSWORD}`%g" /tmp/skeleton.ldif |
|||
sed -i -e "s%\$LDAPUI_PASSWORD%\{CRYPT\}`mkpasswd -m sha512crypt ${LDAP_LDAPUI_PASSWORD}`%g" /tmp/skeleton.ldif |
|||
sed -i -e "s%\$MATTERMOST_PASSWORD%\{CRYPT\}`mkpasswd -m sha512crypt ${LDAP_MATTERMOST_PASSWORD}`%g" /tmp/skeleton.ldif |
|||
sed -i -e "s%\$CLOUD_PASSWORD%\{CRYPT\}`mkpasswd -m sha512crypt ${LDAP_CLOUD_PASSWORD}`%g" /tmp/skeleton.ldif |
|||
sed -i -e "s%\$MOBILIZON_PASSWORD%\{CRYPT\}`mkpasswd -m sha512crypt ${LDAP_MOBILIZON_PASSWORD}`%g" /tmp/skeleton.ldif |
|||
|
|||
cp base/kaz-schema.ldif.tmpl /tmp/kaz-schema.ldif |
|||
KAZNUMBER=$(ldapsearch -H ldap://$LDAP_IP -D "cn=${LDAP_CONFIG_ADMIN_USERNAME},cn=config" -w ${LDAP_CONFIG_ADMIN_PASSWORD} -b cn=schema,cn=config | grep "kaz,cn=schema" | head -n1 | cut -d',' -f1 | cut -d'{' -f2 | cut -d'}' -f1) |
|||
sed -i -e "s/\$KAZNUMBER/${KAZNUMBER}/g" /tmp/kaz-schema.ldif |
|||
|
|||
|
|||
ldapmodify -H ldap://$LDAP_IP -D "cn=${LDAP_CONFIG_ADMIN_USERNAME},cn=config" -w ${LDAP_CONFIG_ADMIN_PASSWORD} -f /tmp/acl.ldif |
|||
ldapmodify -H ldap://$LDAP_IP -D "cn=${LDAP_CONFIG_ADMIN_USERNAME},cn=config" -w ${LDAP_CONFIG_ADMIN_PASSWORD} -f /tmp/kaz-schema.ldif |
|||
ldapadd -c -H ldap://$LDAP_IP -D "${BINDDN}" -w ${LDAP_ADMIN_PASSWORD} -f /tmp/skeleton.ldif |
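Review bot: The cleartext passwords are exposed twice in this script — `mkpasswd -m sha512crypt ${LDAP_*_PASSWORD}` and `-w ${LDAP_CONFIG_ADMIN_PASSWORD}` put them on process command lines visible to any local user via `ps`, and the rendered `/tmp/skeleton.ldif` holding the resulting hashes is a predictable, world-readable path that is never removed. Use a private `mktemp -d` work directory with `umask 077` and an EXIT trap, feed `mkpasswd` via its `-s` (stdin) option, and pass the bind passwords to `ldapmodify`/`ldapadd` with `-y <file>` instead of `-w`. Also, `KAZNUMBER` is never checked: if the `grep "kaz,cn=schema"` lookup finds nothing the dn becomes `cn={}kaz,...` and the schema update fails obscurely, so guard it with `[ -n "${KAZNUMBER}" ] || { echo "kaz schema not found in cn=config" >&2; exit 1; }`. Quoting `$LDAP_IP`, `${ldap_root}` and the password variables throughout would remove the word-splitting hazards as well.
```shell
# … unchanged: env sourcing, checkDockerRunning, LDAP_IP / BINDDN / DC …

# Private scratch dir: rendered LDIFs contain password hashes, so keep them
# out of /tmp and remove them when the script exits (success or failure).
WORK_DIR=$(mktemp -d) || exit 1
trap 'rm -rf "${WORK_DIR}"' EXIT
umask 077

# Bind passwords go through -y files rather than -w so they never appear in argv.
printf '%s' "${LDAP_CONFIG_ADMIN_PASSWORD}" > "${WORK_DIR}/config.pw"
printf '%s' "${LDAP_ADMIN_PASSWORD}"        > "${WORK_DIR}/admin.pw"

# Hash via stdin (-s) so the cleartext is not visible in the process list.
hashPw() { printf '%s' "$1" | mkpasswd -m sha512crypt -s; }

cp base/acl.ldif.tmpl "${WORK_DIR}/acl.ldif"
# … unchanged: $BINDDN / $LDAPROOT substitutions, now on "${WORK_DIR}/acl.ldif" …

cp base/skeleton.ldif.tmpl "${WORK_DIR}/skeleton.ldif"
sed -i -e "s/\$LDAPROOT/${ldap_root}/g" "${WORK_DIR}/skeleton.ldif"
sed -i -e "s%\$POSTFIX_PASSWORD%\{CRYPT\}$(hashPw "${LDAP_POSTFIX_PASSWORD}")%g" "${WORK_DIR}/skeleton.ldif"
# … unchanged: the four other *_PASSWORD substitutions, same hashPw pattern …

cp base/kaz-schema.ldif.tmpl "${WORK_DIR}/kaz-schema.ldif"
# … unchanged: KAZNUMBER lookup via ldapsearch (use -y "${WORK_DIR}/config.pw") …
[ -n "${KAZNUMBER}" ] || { echo "kaz schema not found in cn=config" >&2; exit 1; }
sed -i -e "s/\$KAZNUMBER/${KAZNUMBER}/g" "${WORK_DIR}/kaz-schema.ldif"

ldapmodify -H "ldap://${LDAP_IP}" -D "cn=${LDAP_CONFIG_ADMIN_USERNAME},cn=config" -y "${WORK_DIR}/config.pw" -f "${WORK_DIR}/acl.ldif"
ldapmodify -H "ldap://${LDAP_IP}" -D "cn=${LDAP_CONFIG_ADMIN_USERNAME},cn=config" -y "${WORK_DIR}/config.pw" -f "${WORK_DIR}/kaz-schema.ldif"
ldapadd -c -H "ldap://${LDAP_IP}" -D "${BINDDN}" -y "${WORK_DIR}/admin.pw" -f "${WORK_DIR}/skeleton.ldif"
```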
@ -1,7 +1,7 @@ |
|||
LDAP_URI= |
|||
LDAP_BASE_DN= |
|||
LDAP_REQUIRE_STARTTLS= |
|||
LDAP_ADMINS_GROUP= |
|||
LDAP_ADMIN_BIND_DN= |
|||
LDAP_ADMIN_BIND_PWD= |
|||
LDAP_IGNORE_CERT_ERRORS= |
|||
LDAPUI_URI= |
|||
LDAPUI_BASE_DN= |
|||
LDAPUI_REQUIRE_STARTTLS= |
|||
LDAPUI_ADMINS_GROUP= |
|||
LDAPUI_ADMIN_BIND_DN= |
|||
LDAPUI_ADMIN_BIND_PWD= |
|||
LDAPUI_IGNORE_CERT_ERRORS= |
|||
|