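#!/bin/sh
#
# LDAP authentication setup script for sshd on FreeBSD 6.x (version 1.2)
# Simonas Kareiva
#
# This script supplies the system with basic LDAP authentication, assuming
# that the LDAP server has been set up with primitive configuration.
# Things that are included:
#   - LDAP authentication modules and configuration (nss_ldap, pam_ldap)
#   - nsswitch.conf setup
#   - pam_mkhomedir module setup
#   - sudo setup for the staff group
# Things that are not yet included:
#   - LDAP password change
#
# Must be run as root. Each step checks whether it has already been applied
# and prints a WARNING instead of re-applying it, so re-running is safe.
#
# SECURITY NOTES (read before running):
#   - The generated ldap.conf speaks plain LDAP on port 389. Without TLS the
#     bind password of every ssh login crosses the network in cleartext;
#     enable the commented TLS options in the heredoc below if the servers
#     support them.
#   - pam_ldap is inserted as the FIRST "auth" rule with control "sufficient",
#     so a user who authenticates against LDAP skips every auth rule that
#     follows (e.g. pam_opieaccess). Review /etc/pam.d/sshd afterwards.
#   - "%staff ALL=(ALL) NOPASSWD: ALL" together with "group: files ldap" means
#     whoever can edit the staff group in the directory gets root on this host
#     without a second password prompt.
#   - With all LDAP servers unreachable, nss_ldap lookups may stall logins;
#     consider a bind_policy/timeout setting in ldap.conf for that case.
#
# USE AT YOUR OWN RISK!

# ---- configure ---------------------------------------------------------
HOST="ldap1.vub.lt ldap2.vub.lt master.vub.lt 10.250.28.32"
BASE="ou=People,dc=vub,dc=lt"
GROUP="ou=Groups,dc=vub,dc=lt"
PORT="389"
CONF="/usr/local/etc/ldap.conf"
SUDOERS="/usr/local/etc/sudoers"
SSHD_PAM="/etc/pam.d/sshd"
PAM_LDAP_SO="/usr/local/lib/pam_ldap.so"
PAM_MKHOMEDIR_SO="/usr/local/lib/pam_mkhomedir.so"

# uncomment this if you use home directories over nfs
# echo "nfs:/raid/export/home /usr/home nfs rw 0 0" >> /etc/fstab
# echo "nfs_client_enable=\"YES\"" >> /etc/rc.conf

# Everything below writes to /etc and /usr/local/etc; refuse to run otherwise
# rather than fail half-way through with partially rewritten files.
if [ "$(id -u)" -ne 0 ]; then
  echo "ERR: this script must be run as root" >&2
  exit 1
fi

# ---- add the required packages if not installed yet ---------------------
echo "Setting up required packages, please wait and check for errors..."
for pkg in nss_ldap pam_ldap pam_mkhomedir sudo; do
  # pkg_add -r exits non-zero when the package is already installed, so this
  # is only a warning; the later "-f *.so" checks catch a real install failure.
  pkg_add -r "$pkg" > /dev/null || echo "WARNING: pkg_add -r $pkg failed (already installed?)" >&2
done

echo "Configuring system..."

# ---- set up FreeBSD home if we are here just after a fresh install -------
if [ ! -d /usr/home ]; then
  mkdir /usr/home || exit 1
  ln -s /usr/home /     # FreeBSD convention: /home -> /usr/home
  # in case we have home over NFS (fstab entry above)
  mount -a
else
  echo "/usr/home already exists... good."
fi

# ---- set up the nss_ldap / pam_ldap configuration file ------------------
if [ ! -f "$CONF" ]; then
  cat <<EOF > "$CONF"
host $HOST
base $BASE
port $PORT
nss_base_passwd ${BASE}?one
nss_base_group ${GROUP}?one
pam_password MD5
# Uncomment to protect bind credentials in transit (servers must support it):
#ssl start_tls
#tls_cacertfile /usr/local/etc/ldap-ca.crt
EOF
else
  echo "WARNING: $CONF already exists, not modified"
fi

# ---- setup nsswitch.conf -------------------------------------------------
if ! grep -q ldap /etc/nsswitch.conf; then
  # the file is replaced wholesale; keep the original for rollback
  cp -p /etc/nsswitch.conf /etc/nsswitch.conf.bak
  cat <<EOF > /etc/nsswitch.conf
group: files ldap
group_compat: nis
hosts: files dns
networks: files
passwd: files ldap
passwd_compat: nis
shells: files
EOF
else
  echo "WARNING: LDAP already in /etc/nsswitch.conf, not modified"
fi

# ---- setup LDAP authentication for sshd ----------------------------------
if [ -f "$PAM_LDAP_SO" ]; then
  if ! grep -q pam_ldap "$SSHD_PAM"; then
    # Build the new file from a backup copy instead of via a fixed-name file
    # in /tmp: a predictable /tmp path written and re-read by root is a
    # symlink/race target, and a tampered copy would land in the PAM stack.
    cp -p "$SSHD_PAM" "$SSHD_PAM.pre-ldap" || exit 1
    # comment lines are dropped, as the original version of this script did
    {
      echo "auth sufficient $PAM_LDAP_SO no_warn try_first_pass"
      grep -v '^#' "$SSHD_PAM.pre-ldap"
    } > "$SSHD_PAM"
  else
    echo "WARNING: pam_ldap.so already in $SSHD_PAM"
  fi
else
  echo "ERR: pam_ldap.so not found in /usr/local/lib/ !" >&2
fi

# ---- configure pam_mkhomedir module --------------------------------------
if [ -f "$PAM_MKHOMEDIR_SO" ]; then
  if ! grep -q pam_mkhomedir "$SSHD_PAM"; then
    # append a session rule right after the existing "session ... pam_permit.so";
    # the /^session/ address keeps the edit away from any other pam_permit line
    sed -i .bak -e '/^session/s/pam_permit\.so/pam_permit.so\
session required \/usr\/local\/lib\/pam_mkhomedir.so/' "$SSHD_PAM"
  else
    echo "WARNING: pam_mkhomedir already in $SSHD_PAM"
  fi
else
  echo "ERR: pam_mkhomedir.so not found in /usr/local/lib/ !" >&2
fi

# ---- sudo for the staff group --------------------------------------------
# NO MORE messing with PAM for su; root access for staff goes through sudo:
# # sed -e 's/wheel /wheel,staff /' -i .bak /etc/pam.d/su
#
# NOTE: staff membership comes from LDAP (nsswitch above) and NOPASSWD skips
# the sudo password prompt, so a compromised staff account is root here.
# Drop "NOPASSWD:" if that is not acceptable for your site.
STAFF_RULE="%staff ALL=(ALL) NOPASSWD: ALL"
if grep -qF -- "$STAFF_RULE" "$SUDOERS" 2>/dev/null; then
  echo "WARNING: staff rule already in $SUDOERS, not modified"
else
  echo "$STAFF_RULE" >> "$SUDOERS"
  # a syntax error in sudoers locks everyone out of sudo; validate if possible
  if command -v visudo > /dev/null 2>&1; then
    visudo -c > /dev/null || echo "ERR: $SUDOERS failed visudo -c, fix it by hand!" >&2
  fi
fi

# ---- create links that may be used by other software --------------------
if [ -f "$CONF" ]; then
  for link in /usr/local/etc/nss_ldap.conf /etc/ldap.conf; do
    # -L catches a dangling symlink, which -e alone would miss
    if [ -e "$link" ] || [ -L "$link" ]; then
      echo "WARNING: $link already exists, not replaced"
    else
      ln -s "$CONF" "$link"
    fi
  done
else
  echo "ERR: $CONF not found or broken" >&2
fi

# finished.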