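#!/usr/bin/env bash
# This script does the basic initialization of Wren:DS.
#
# It loads the required default configuration which is instance specific (i.e. not replicated).
# For example all password policies reside in the directory server configuration (cn=config).
# Configuration information is not replicated and is specific to each directory server instance.
#
# Must run as root: it switches to ${OPENDJ_USER} for the Wren:DS tooling and fixes ownership
# and permissions of the installation and instance directories.
#
# Required files (not created here):
#   /etc/opendj/root.pw        - Directory Manager password
#   /etc/opendj/wrends.key/crt - PEM key pair for the server certificate
#   /etc/opendj/wrends_ca.crt  - PEM CA certificate to trust

# Stop on error, on unset variables and on a failure anywhere in a pipeline.
set -euo pipefail
# Uncomment to show what we are doing. Keep it off on shared hosts: the trace prints every
# expanded command line.
#set -x

SU="/usr/bin/su"
KEYTOOL="/opt/local/java/openjdk8/bin/keytool"
PWGEN_BIN="/opt/local/bin/pwgen"
OPENDJ_SMF="network/ldap/opendj"
OPENDJ_USER="opendj"
OPENDJ_GROUP="opendj"
OPENDJ_HOME="/opt/opendj"
OPENDJ_DATA="/var/lib/wrends"
OPENDJ_CONFIG_TEMPLATE="/etc/opendj"
OPENDJ_CONFIG="${OPENDJ_DATA}/config"
OPEND_BIN="${OPENDJ_HOME}/bin"
OPENDJ_ROOT_PW="${OPENDJ_CONFIG_TEMPLATE}/root.pw"

# PIN files for the client and administration keystores. They are read by Wren:DS and, below,
# by openssl/keytool so that the PIN never appears on a command line (visible in ps / set -x).
KEYSTORE_PIN_FILE="${OPENDJ_CONFIG}/keystore.pin"
ADMIN_KEYSTORE_PIN_FILE="${OPENDJ_CONFIG}/admin-keystore.pin"

# Temporary LDIF used for the backend configuration change; removed on any exit path.
DS_CONFIG_LDIF=""
cleanup() {
  if [[ -n "${DS_CONFIG_LDIF}" ]]; then
    rm -f -- "${DS_CONFIG_LDIF}"
  fi
}
trap cleanup EXIT

echo "Initializing Wren:DS."

echo "Running Wren:DS setup."
# We let Wren:DS generate some self signed certificates. We replace them further on.
"${SU}" - "${OPENDJ_USER}" "${OPENDJ_HOME}/setup" --cli \
  --no-prompt \
  --acceptLicense \
  --addBaseEntry \
  --baseDN "dc=example,dc=nl" \
  --doNotStart \
  --ldapPort 389 \
  --enableStartTLS \
  --ldapsPort 636 \
  --rootUserPasswordFile "${OPENDJ_ROOT_PW}" \
  --generateSelfSignedCertificate \
  --verbose

# Must be called when changing the 'java.properties' file.
"${SU}" - "${OPENDJ_USER}" "${OPENDJ_HOME}/bin/dsjavaproperties"

echo "Preparing Kerberos 5 pass through authentication plugin."
# Because we use a custom INSTANCE_ROOT we need to copy the files that must be in the instance
# root to that location.
cp -R /root/opendj_kpa_plugin/lib/* "${OPENDJ_HOME}/lib/"
cp -R /root/opendj_kpa_plugin/config/* "${OPENDJ_DATA}/config/"

# Ensure all permissions are correct: the installation is owned by root and read-only for the
# service account; only the instance config is writable by it.
chown -R "root:${OPENDJ_USER}" "${OPENDJ_HOME}"
chmod -R u+rwX,go+rX,go-w,o-rwX "${OPENDJ_HOME}"
find "${OPENDJ_HOME}" -type f -iname '*.sh' -exec chmod 0750 {} +
chown -R "${OPENDJ_USER}:${OPENDJ_GROUP}" "${OPENDJ_DATA}/config"
# The command to install the plugin is run later once Wren:DS is running.

echo "Creating client connector (LDAPS, HTTPS REST API, etc.) keystore."
# Remove the old keystores.
rm -f -- "${OPENDJ_CONFIG_TEMPLATE}/opendj.p12"
rm -f -- "${OPENDJ_CONFIG}/keystore" "${OPENDJ_CONFIG}/truststore"

# Generate a new random PIN for the keystores. The old PIN is not needed: the keystores it
# protected were just removed.
KEYSTORE_PIN="$("${PWGEN_BIN}" --secure --numerals --capitalize -1 64 1)"
# Write the PIN files under a restrictive umask so they are never world-readable, not even
# briefly, then hand them to the service account.
(
  umask 077
  printf '%s\n' "${KEYSTORE_PIN}" > "${KEYSTORE_PIN_FILE}"
  printf '%s\n' "${KEYSTORE_PIN}" > "${ADMIN_KEYSTORE_PIN_FILE}"
)
unset KEYSTORE_PIN
chown "${OPENDJ_USER}:${OPENDJ_GROUP}" "${KEYSTORE_PIN_FILE}" "${ADMIN_KEYSTORE_PIN_FILE}"
chmod 0600 "${KEYSTORE_PIN_FILE}" "${ADMIN_KEYSTORE_PIN_FILE}"

echo "Create a P12 keystore from the PEM certificate / key pair."
# The PIN is read from the file (first line) instead of being passed as an argument.
openssl pkcs12 -export -inkey "${OPENDJ_CONFIG_TEMPLATE}/wrends.key" \
  -in "${OPENDJ_CONFIG_TEMPLATE}/wrends.crt" \
  -out "${OPENDJ_CONFIG_TEMPLATE}/wrends.p12" \
  -password "file:${KEYSTORE_PIN_FILE}"

echo "Creating JKS keystore for client connectors (LDAPS, HTTPS REST API, etc.)."
"${KEYTOOL}" -importkeystore \
  -srckeystore "${OPENDJ_CONFIG_TEMPLATE}/wrends.p12" \
  -srcalias '1' \
  -destkeystore "${OPENDJ_CONFIG}/keystore" \
  -storepass:file "${KEYSTORE_PIN_FILE}" \
  -srcstoretype pkcs12 \
  -srcstorepass:file "${KEYSTORE_PIN_FILE}" \
  -destalias server-cert
"${KEYTOOL}" -import \
  -alias "service_planet_root_ca" \
  -keystore "${OPENDJ_CONFIG}/truststore" \
  -file "${OPENDJ_CONFIG_TEMPLATE}/wrends_ca.crt" \
  -storepass:file "${KEYSTORE_PIN_FILE}" \
  -noprompt

echo "Creating JKS keystore for administration connector."
"${KEYTOOL}" -importkeystore \
  -srckeystore "${OPENDJ_CONFIG_TEMPLATE}/wrends.p12" \
  -srcalias '1' \
  -destkeystore "${OPENDJ_CONFIG}/admin-keystore" \
  -storepass:file "${ADMIN_KEYSTORE_PIN_FILE}" \
  -srcstoretype pkcs12 \
  -srcstorepass:file "${ADMIN_KEYSTORE_PIN_FILE}" \
  -destalias admin-cert
"${KEYTOOL}" -import \
  -alias "service_planet_root_ca" \
  -keystore "${OPENDJ_CONFIG}/admin-truststore" \
  -file "${OPENDJ_CONFIG_TEMPLATE}/wrends_ca.crt" \
  -storepass:file "${ADMIN_KEYSTORE_PIN_FILE}" \
  -noprompt

echo "Keystore cleanup."
# The intermediate P12 holds the private key; do not leave it behind.
rm -f -- "${OPENDJ_CONFIG_TEMPLATE}/wrends.p12"
# Both connector keystores (not only the client one) belong to the service account and
# must not be readable by anyone else.
chown "${OPENDJ_USER}:${OPENDJ_GROUP}" \
  "${OPENDJ_CONFIG}/keystore" "${OPENDJ_CONFIG}/truststore" \
  "${OPENDJ_CONFIG}/admin-keystore" "${OPENDJ_CONFIG}/admin-truststore"
chmod 0600 \
  "${OPENDJ_CONFIG}/keystore" "${OPENDJ_CONFIG}/truststore" \
  "${OPENDJ_CONFIG}/admin-keystore" "${OPENDJ_CONFIG}/admin-truststore"

echo "Starting OpenDJ (${OPENDJ_SMF})."
svcadm enable -rs "${OPENDJ_SMF}"
# TODO(review): replace the fixed delay with a bounded poll of the LDAP port.
echo "Waiting 30 seconds for OpenDJ to complete its startup sequence."
sleep 30

echo "Configuring directory config defaults."
DS_CONFIG_LDIF="$(mktemp /tmp/ds-config.ldif.XXXXXX)"
cat > "${DS_CONFIG_LDIF}" << 'EOF'
dn: ds-cfg-backend-id=userRoot,cn=Backends,cn=config
changetype: modify
replace: ds-cfg-db-cache-percent
ds-cfg-db-cache-percent: 25
EOF
"${OPEND_BIN}/ldapmodify" \
  --defaultAdd \
  --hostname 127.0.0.1 \
  --port 389 \
  --bindDN "cn=Directory Manager" \
  --bindPasswordFile "${OPENDJ_ROOT_PW}" \
  --filename "${DS_CONFIG_LDIF}"
rm -f -- "${DS_CONFIG_LDIF}"
DS_CONFIG_LDIF=""

# The dsconfig calls below run with --trustAll since there is not much point in verifying
# the administration connector certificate on localhost.
echo "Configuring PBKDF2 as default password hash."
"${OPEND_BIN}/dsconfig" set-password-policy-prop \
  --hostname 127.0.0.1 \
  --port 4444 \
  --bindDN "cn=Directory Manager" \
  --bindPasswordFile "${OPENDJ_ROOT_PW}" \
  --policy-name "Default Password Policy" \
  --set default-password-storage-scheme:pbkdf2 \
  --no-prompt \
  --trustAll

# Almost all applications assume the email address is unique for a user so we enforce its
# uniqueness.
echo "Configuring email address unique plugin."
"${OPEND_BIN}/dsconfig" create-plugin \
  --plugin-name "Unique Email Address SP Employees Plugin" \
  --type unique-attribute \
  --set type:mail \
  --set enabled:true \
  --set base-dn:ou=people,dc=example,dc=nl \
  --hostname 127.0.0.1 \
  --port 4444 \
  --bindDN "cn=Directory Manager" \
  --bindPasswordFile "${OPENDJ_ROOT_PW}" \
  --no-prompt \
  --trustAll

# ###################### OPENAM INITIALIZATION ######################
#
# Below is the configuration for OpenDJ in order to use OpenDJ as a configuration backend
# for OpenAM.
echo "Creating a new backend in Wren:DS for Wren:AM."
"${OPEND_BIN}/dsconfig" create-backend \
  --backend-name openam \
  --set base-dn:dc=openam,dc=forgerock,dc=org \
  --set db-cache-percent:25 \
  --set enabled:true \
  --type je \
  --hostname 127.0.0.1 \
  --port 4444 \
  --bindDN "cn=Directory Manager" \
  --bindPasswordFile "${OPENDJ_ROOT_PW}" \
  --no-prompt \
  --trustAll

echo "Configuring Kerberos V authentication pass through plugin."
"${OPEND_BIN}/dsconfig" -X create-password-policy \
  --type kerberos-pass-through \
  --policy-name "Kerberos V pass through" \
  --set krb5-realm:example.NL \
  --set mapped-attribute:uid \
  --hostname 127.0.0.1 \
  --port 4444 \
  --bindDN "cn=Directory Manager" \
  --bindPasswordFile "${OPENDJ_ROOT_PW}" \
  --no-prompt \
  --trustAll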