%PDF- %PDF-
Mini Shell

Mini Shell

Direktori : /usr/share/sssd/
Upload File :
Create Path :
Current File : //usr/share/sssd/generate-config

#!/bin/sh

# Generate sssd.conf setup dynamically based on autodetectet LDAP
# and Kerberos server.

set -e

# See if we can find an LDAP server.  Prefer ldap.domain, but also
# accept SRV records if no ldap.domain server is found.
lookup_ldap_uri() {
    domain="$1"
    if ping -c2 ldap.$domain > /dev/null 2>&1; then
	echo ldap://ldap.$domain
    else
	host=$(host -N 2 -t SRV _ldap._tcp.$domain | grep -v NXDOMAIN | awk '{print $NF}' | head -1)
	if [ "$host" ] ; then
	    echo ldap://$host | sed 's/\.$//'
	fi
    fi
}

lookup_ldap_base() {
    ldapuri="$1"
    defaultcontext="$(ldapsearch -LLL -H "$ldapuri" -x -b '' -s base defaultNamingContext  2>/dev/null | awk '/^defaultNamingContext: / { print $2}')"
    if [ -z "$defaultcontext" ] ; then
	# If there are several contexts, pick the first one with
	# posixAccount or posixGroup objects in it.
	for context in $(ldapsearch -LLL -H "$ldapuri" -x -b '' \
	    -s base namingContexts 2>/dev/null | \
	    awk '/^namingContexts: / { print $2}') ; do
	    if ldapsearch -LLL -H $ldapuri -x -b "$context" -s sub -z 1 \
		'(|(objectClass=posixAccount)(objectclass=posixGroup))' 2>&1 | \
		egrep -q '^dn:|^Administrative limit exceeded' ; then
		echo $context
		return
	    fi
	done
    fi
    echo $defaultcontext
}

lookup_kerberos_server() {
    domain="$1"
    if ping -c2 kerberos.$domain > /dev/null 2>&1; then
	echo kerberos.$domain
    else
	host=$(host -t SRV _kerberos._tcp.$domain | grep -v NXDOMAIN | awk '{print $NF}'|head -1)
	if [ "$host" ] ; then
	    echo $host | sed 's/\.$//'
	fi
    fi
}

lookup_kerberos_realm() {
    domain="$1"
    realm=$(host -t txt _kerberos.$domain | grep -v NXDOMAIN | awk '{print $NF}'|head -1|tr -d '"')
    if [ -z "$realm" ] ; then
	realm=$(echo $domain | tr a-z A-Z)
    fi
    echo $realm
}


generate_config() {
    if [ "$1" ] ; then
	domain=$1
    else
	domain="$(hostname -d)"
    fi
    kerberosrealm=$(lookup_kerberos_realm $domain)
    ldapuri=$(lookup_ldap_uri "$domain")
    if [ -z "$ldapuri" ];  then
	# autodetection failed
	return
    fi

    ldapbase="$(lookup_ldap_base "$ldapuri")"
    if [ -z "$ldapbase" ];  then
	# autodetection failed
	return
    fi
    kerberosserver=$(lookup_kerberos_server "$domain")

cat <<EOF
# SSSD configuration generated using $0
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = $domain

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3
EOF
if [ "$kerberosserver" ] ; then
    auth="krb5"
    chpass="krb5"
else
    auth="ldap"
    chpass="ldap";
fi

cat <<EOF

[domain/$domain]
; Using enumerate = true leads to high load and slow response
enumerate = false
cache_credentials = true

id_provider = ldap
auth_provider = $auth
chpass_provider = $chpass

ldap_uri = $ldapuri
ldap_search_base = $ldapbase
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
EOF

if [ "$kerberosserver" ] ; then
    cat <<EOF

krb5_server = $kerberosserver
krb5_realm = $kerberosrealm
krb5_auth_timeout = 15
EOF
fi
}
generate_config "$@"

Zerion Mini Shell 1.0