def install_freeradius(args):
'''
Install and configure the freeradius on the local host.
'''
app.print_verbose("Install FreeRadius version: %d" % SCRIPT_VERSION)
version_obj = version.Version("InstallFreeRadius", SCRIPT_VERSION)
version_obj.check_executed()
# Initialize all passwords used by the script
app.get_ldap_admin_password()
_install_packages()
# Configure iptables
iptables.add_freeradius_chain()
iptables.save()
_configure_ldap()
_enable_ldap()
_configure_radius()
_setup_radius_clients()
x("/etc/init.d/radiusd restart")
version_obj.mark_executed()
def install_freeradius(args):
'''
Install and configure the freeradius on the local host.
'''
app.print_verbose("Install FreeRadius version: %d" % SCRIPT_VERSION)
version_obj = version.Version("InstallFreeRadius", SCRIPT_VERSION)
version_obj.check_executed()
# Initialize all passwords used by the script
app.get_ldap_admin_password()
_install_packages()
# Configure iptables
iptables.add_freeradius_chain()
iptables.save()
_configure_ldap()
_enable_ldap()
_configure_radius()
_setup_radius_clients()
x("/etc/init.d/radiusd restart")
version_obj.mark_executed()
def initialize_passwords():
'''
Get all passwords from installation user at the start of the script.
'''
app.get_ca_password()
app.get_ldap_admin_password()
app.get_ldap_sssd_password()
def initialize_passwords():
'''
Get all passwords from installation user at the start of the script.
'''
app.get_ca_password()
app.get_ldap_admin_password()
app.get_ldap_sssd_password()
def ldapadd(user, value, uri="-H ldap:///"):
'''
Add ldif to openldap over ldap with shell command ldapadd.
user
The user used to bind with openldap.
Only user 'admin' and 'manager' are allowed.
value
The ldif value that should be added to openldap.
'''
if user == 'admin':
user = '******'
elif user == 'manager':
user = '******' + config.general.get_ldap_dn()
else:
raise Exception("Only admin and manager users are supported by ldapXadd")
if isinstance(value, ListType):
tmpvalue = ""
for val in value:
tmpvalue += val
value = tmpvalue
x("ldapadd %s -x -D '%s' -w '%s' << EOF\n%s\nEOF\n\n" % (
uri,
user,
app.get_ldap_admin_password(),
value
))
def _configure_ldap():
app.print_verbose("Copying config")
use_original_file("/etc/raddb/modules/ldap")
# General ldap setup.
ldapconf = scOpen("/etc/raddb/modules/ldap")
ldapconf.replace(
'\\t*server =.*',
'\\tserver="ldaps://{0}"'.format(config.general.get_ldap_hostname()))
ldapconf.replace(
'\\t#identity = .*',
'\\tidentity = "cn=Manager,{0}"'.format(config.general.get_ldap_dn()))
ldapconf.replace(
'\\t#password = .*',
'\\tpassword = "******"'.format(re.escape(app.get_ldap_admin_password())))
ldapconf.replace('\\tbasedn = .*',
'\\tbasedn ="{0}"'.format(config.general.get_ldap_dn()))
ldapconf.replace('\\tfilter = .*', '\\tfilter ="(uid=%u)"')
ldapconf.replace('\\t#base_filter = .*',
'\\tbase_filter = "(employeeType=Sysop)"')
# Deal with certs
ldapconf.replace('\\t\\t# cacertfile.*=.*',
'\\t\\tcacertfile\\t= /etc/openldap/cacerts/ca.crt')
ldapconf.replace('\\t\\t# certfile.*=.*',
'\\t\\tcertfile\\t= /etc/openldap/cacerts/client.crt')
ldapconf.replace('\\t\\t# keyfile.*=.*',
'\\t\\tkeyfile\\t= /etc/openldap/cacerts/client.key')
def install_packages():
'''
Install packages and start service.
'''
setup_hosts()
# Install all required packages.
x("yum -y install openldap-servers openldap-clients mlocate")
# Create backend database.
scOpen("/var/lib/ldap/DB_CONFIG").add("set_cachesize 0 268435456 1\n" +
"set_lg_regionmax 262144\n" +
"set_lg_bsize 2097152")
x("chown -R ldap:ldap /var/lib/ldap")
# Set password for cn=config (it's secret)
scOpen(
'/etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif'
).add(
'olcRootPW: %(ldap_password)s' %
{'ldap_password': get_hashed_password(app.get_ldap_admin_password())})
# Autostart slapd after reboot.
x("chkconfig slapd on")
# Start ldap server
x("service slapd start")
def ldapadd(user, value, uri="-H ldap:///"):
'''
Add ldif to openldap over ldap with shell command ldapadd.
user
The user used to bind with openldap.
Only user 'admin' and 'manager' are allowed.
value
The ldif value that should be added to openldap.
'''
if user == 'admin':
user = '******'
elif user == 'manager':
user = '******' + config.general.get_ldap_dn()
else:
raise Exception(
"Only admin and manager users are supported by ldapXadd")
if isinstance(value, ListType):
tmpvalue = ""
for val in value:
tmpvalue += val
value = tmpvalue
x("ldapadd %s -x -D '%s' -w '%s' << EOF\n%s\nEOF\n\n" %
(uri, user, app.get_ldap_admin_password(), value))
def install_packages():
'''
Install packages and start service.
'''
setup_hosts()
# Install all required packages.
x("yum -y install openldap-servers openldap-clients mlocate")
# Create backend database.
scOpen("/var/lib/ldap/DB_CONFIG").add(
"set_cachesize 0 268435456 1\n" +
"set_lg_regionmax 262144\n" +
"set_lg_bsize 2097152"
)
x("chown -R ldap:ldap /var/lib/ldap")
# Set password for cn=config (it's secret)
scOpen('/etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif').add(
'olcRootPW: %(ldap_password)s' %
{'ldap_password': get_hashed_password(app.get_ldap_admin_password())}
)
# Autostart slapd after reboot.
x("chkconfig slapd on")
# Start ldap server
x("service slapd start")
def install_freeradius(args):
'''
Install and configure the mysql-server on the local host.
'''
app.print_verbose("Install FreeRadius version: %d" % SCRIPT_VERSION)
version_obj = version.Version("InstallFreeRadius", SCRIPT_VERSION)
version_obj.check_executed()
# Install the mysql-server packages.
if (not os.access("/usr/sbin/radiusd", os.W_OK | os.X_OK)):
x("yum -y install freeradius-utils freeradius-ldap")
x("/sbin/chkconfig radiusd on ")
if (not os.access("/usr/sbin/radiusd", os.F_OK)):
raise Exception("Couldn't install FreeRadius")
# Configure iptables
iptables.add_freeradius_chain()
iptables.save()
app.print_verbose("Copying config")
ldapconf = scOpen("/etc/raddb/modules/ldap")
ldapconf.replace(
"\\t*server =.*",
"\\tserver=\"ldaps://%s\"" % config.general.get_ldap_hostname())
ldapconf.replace("\\t#password = .*",
"\\tpassword =%s" % app.get_ldap_admin_password())
ldapconf.replace(
"\\t#identity = .*",
"\\tidentity = \"cn=Manager,%s\"" % config.general.get_ldap_dn())
ldapconf.replace("\\t#base_filter = .*",
"\\tbase_filter = \"(employeeType=Sysop)\"")
ldapconf.replace("\\tfilter = .*", "\\tfilter =\"(uid=%u)\"")
ldapconf.replace("\\tbasedn = .*",
"\\tbasedn =\"%s\"" % config.general.get_ldap_dn())
#Deal with certs
ldapconf.replace("\\t\\t# cacertfile.*=.*",
"\\t\\tcacertfile\\t= /etc/openldap/cacerts/ca.crt")
ldapconf.replace("\\t\\t# certfile.*=.*",
"\\t\\tcertfile\\t= /etc/openldap/cacerts/client.crt")
ldapconf.replace("\\t\\t# keyfile.*=.*",
"\\t\\tkeyfile\\t= /etc/openldap/cacerts/client.key")
x("/usr/bin/awk '/^[#]\\tldap/{c++;if(c==1){sub(\"^[#]\\tldap\",\"\\tldap\")}}1' %s"
%
"/etc/raddb/sites-enabled/default > /etc/raddb/sites-enabled/default.tmp"
)
x("cp /etc/raddb/sites-enabled/default.tmp /etc/raddb/sites-enabled/default"
)
x("rm /etc/raddb/sites-enabled/default.tmp")
version_obj.mark_executed()
def configure_openldap():
'''
General configuration of cn=config like passwords and access rights.
'''
# Ensure that openldap got time to start.
x("sleep 1")
# Do the configurations.
ldapadd(
"admin", """
# Setup what to log.
dn: cn=config
changetype:modify
replace: olcLogLevel
olcLogLevel: 0
-
replace: olcIdleTimeout
olcIdleTimeout: 30
# Set access for the monitor db.
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="cn=Manager,%(dn)s" read by * none
# Set password for cn=config
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: %(password)s
# Change LDAP-domain, password and access rights.
dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: %(dn)s
-
replace: olcRootDN
olcRootDN: cn=Manager,%(dn)s
-
replace: olcRootPW
olcRootPW: %(password)s
-
replace: olcAccess
olcAccess: {0}to attrs=employeeType by dn="cn=sssd,%(dn)s" read by self read by * none
olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {2}to dn.base="" by * none
olcAccess: {3}to * by dn="cn=config" write by dn="cn=sssd,%(dn)s" read by self write by * none
""" % {
"dn": config.general.get_ldap_dn(),
"password": get_hashed_password(app.get_ldap_admin_password())
})
def _configure_ldap():
app.print_verbose("Copying config")
use_original_file("/etc/raddb/modules/ldap")
# General ldap setup.
ldapconf = scOpen("/etc/raddb/modules/ldap")
ldapconf.replace(
'\\t*server =.*',
'\\tserver="ldaps://{0}"'.format(
config.general.get_ldap_hostname()
)
)
ldapconf.replace(
'\\t#identity = .*',
'\\tidentity = "cn=Manager,{0}"'.format(
config.general.get_ldap_dn()
)
)
ldapconf.replace(
'\\t#password = .*',
'\\tpassword = "******"'.format(
re.escape(app.get_ldap_admin_password())
)
)
ldapconf.replace(
'\\tbasedn = .*',
'\\tbasedn ="{0}"'.format(
config.general.get_ldap_dn()
)
)
ldapconf.replace(
'\\tfilter = .*',
'\\tfilter ="(uid=%u)"'
)
ldapconf.replace(
'\\t#base_filter = .*',
'\\tbase_filter = "(employeeType=Sysop)"'
)
# Deal with certs
ldapconf.replace(
'\\t\\t# cacertfile.*=.*',
'\\t\\tcacertfile\\t= /etc/openldap/cacerts/ca.crt'
)
ldapconf.replace(
'\\t\\t# certfile.*=.*',
'\\t\\tcertfile\\t= /etc/openldap/cacerts/client.crt'
)
ldapconf.replace(
'\\t\\t# keyfile.*=.*',
'\\t\\tkeyfile\\t= /etc/openldap/cacerts/client.key'
)
def configure_openldap():
'''
General configuration of cn=config like passwords and access rights.
'''
# Ensure that openldap got time to start.
x("sleep 1")
# Do the configurations.
ldapadd("admin", """
# Setup what to log.
dn: cn=config
changetype:modify
replace: olcLogLevel
olcLogLevel: config stats shell
-
replace: olcIdleTimeout
olcIdleTimeout: 30
# Set access for the monitor db.
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="cn=Manager,%(dn)s" read by * none
# Set password for cn=config
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: %(password)s
# Change LDAP-domain, password and access rights.
dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: %(dn)s
-
replace: olcRootDN
olcRootDN: cn=Manager,%(dn)s
-
replace: olcRootPW
olcRootPW: %(password)s
-
replace: olcAccess
olcAccess: {0}to attrs=employeeType by dn="cn=sssd,%(dn)s" read by self read by * none
olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {2}to dn.base="" by * none
olcAccess: {3}to * by dn="cn=config" write by dn="cn=sssd,%(dn)s" read by self write by * none
""" % {
"dn": config.general.get_ldap_dn(),
"password": get_hashed_password(app.get_ldap_admin_password())
}
)
def password_filename():
"""
Create an ldap password file and returns it's name.
"""
filename = os.path.expanduser("~/.ldap.password")
if not os.path.exists(filename):
print_verbose("Create %s" % filename)
password = app.get_ldap_admin_password()
open(filename, "w").write(password)
x("chmod 400 %s" % filename)
return filename
def password_filename():
"""
Create an ldap password file and returns it's name.
"""
filename = os.path.expanduser("~/.ldap.password")
if not os.path.exists(filename):
print_verbose("Create %s" % filename)
password = app.get_ldap_admin_password()
open(filename, "w").write(password)
x("chmod 400 %s" % filename)
return filename
def passwords(args):
app.print_verbose("Set all passwords used by syco")
app.init_all_passwords()
print "root: ", app.get_root_password()
print "svn: ", app.get_svn_password()
print "ldap_admin: ", app.get_ldap_admin_password()
print "ldap_sssd: ", app.get_ldap_sssd_password()
print "glassfish_master: ", app.get_glassfish_master_password()
print "glassfish_admin: ", app.get_glassfish_admin_password()
print "glassfish_user: "******"glassfish")
print "mysql_root: ", app.get_mysql_root_password()
print "mysql_int: ", app.get_mysql_integration_password()
print "mysql_stable: ", app.get_mysql_stable_password()
print "mysql_uat: ", app.get_mysql_uat_password()
print "mysql_prod: ", app.get_mysql_production_password()
def install_freeradius(args):
'''
Install and configure the mysql-server on the local host.
'''
app.print_verbose("Install FreeRadius version: %d" % SCRIPT_VERSION)
version_obj = version.Version("InstallFreeRadius", SCRIPT_VERSION)
version_obj.check_executed()
# Install the mysql-server packages.
if (not os.access("/usr/sbin/radiusd", os.W_OK|os.X_OK)):
x("yum -y install freeradius-utils freeradius-ldap")
x("/sbin/chkconfig radiusd on ")
if (not os.access("/usr/sbin/radiusd", os.F_OK)):
raise Exception("Couldn't install FreeRadius")
# Configure iptables
iptables.add_freeradius_chain()
iptables.save()
app.print_verbose("Copying config")
ldapconf = scOpen("/etc/raddb/modules/ldap")
ldapconf.replace("\\t*server =.*","\\tserver=\"ldaps://%s\"" % config.general.get_ldap_hostname())
ldapconf.replace("\\t#password = .*","\\tpassword =%s" % app.get_ldap_admin_password())
ldapconf.replace("\\t#identity = .*","\\tidentity = \"cn=Manager,%s\"" % config.general.get_ldap_dn())
ldapconf.replace("\\t#base_filter = .*","\\tbase_filter = \"(employeeType=Sysop)\"")
ldapconf.replace("\\tfilter = .*", "\\tfilter =\"(uid=%u)\"")
ldapconf.replace("\\tbasedn = .*", "\\tbasedn =\"%s\"" % config.general.get_ldap_dn())
#Deal with certs
ldapconf.replace("\\t\\t# cacertfile.*=.*","\\t\\tcacertfile\\t= /etc/openldap/cacerts/ca.crt")
ldapconf.replace("\\t\\t# certfile.*=.*","\\t\\tcertfile\\t= /etc/openldap/cacerts/client.crt")
ldapconf.replace("\\t\\t# keyfile.*=.*","\\t\\tkeyfile\\t= /etc/openldap/cacerts/client.key")
x("/usr/bin/awk '/^[#]\\tldap/{c++;if(c==1){sub(\"^[#]\\tldap\",\"\\tldap\")}}1' %s" % "/etc/raddb/sites-enabled/default > /etc/raddb/sites-enabled/default.tmp")
x("cp /etc/raddb/sites-enabled/default.tmp /etc/raddb/sites-enabled/default")
x("rm /etc/raddb/sites-enabled/default.tmp")
version_obj.mark_executed()
def passwords(args):
app.print_verbose("Set all passwords used by syco")
app.init_all_passwords()
print "root: ", app.get_root_password()
print "svn: ", app.get_svn_password()
print "ldap_admin: ", app.get_ldap_admin_password()
print "ldap_sssd: ", app.get_ldap_sssd_password()
print "glassfish_master: ", app.get_glassfish_master_password()
print "glassfish_admin: ", app.get_glassfish_admin_password()
print "glassfish_user: "******"glassfish")
print "mysql_root: ", app.get_mysql_root_password()
print "mysql_int: ", app.get_mysql_integration_password()
print "mysql_stable: ", app.get_mysql_stable_password()
print "mysql_uat: ", app.get_mysql_uat_password()
print "mysql_prod: ", app.get_mysql_production_password()
print "mysql_backup: ", app.get_mysql_backup_password()
print "mysql_monitor: ", app.get_mysql_monitor_password()
print "switch_icmp: ", app.get_switch_icmp_password()
def install_openvpn_server(args):
'''
The actual installation of openvpn server.
'''
app.print_verbose("Install openvpn server version: %d" % SCRIPT_VERSION)
version_obj = version.Version("InstallOpenvpnServer", SCRIPT_VERSION)
version_obj.check_executed()
x("yum -y install openvpn openvpn-auth-ldap")
if (not os.access("/etc/openvpn/easy-rsa", os.F_OK)):
x("cp -R /usr/share/openvpn/easy-rsa/2.0 /etc/openvpn/easy-rsa")
# Install server.conf
serverConf = "/etc/openvpn/server.conf"
x("cp " + app.SYCO_PATH + "/var/openvpn/server.conf %s" % serverConf)
scOpen(serverConf).replace('${EXTERN_IP}', net.get_public_ip())
scOpen(serverConf).replace('${OPENVPN.NETWORK}', config.general.get_openvpn_network())
scOpen(serverConf).replace('${FRONT.NETWORK}', config.general.get_front_network())
scOpen(serverConf).replace('${FRONT.NETMASK}', config.general.get_front_netmask())
scOpen(serverConf).replace('${BACK.NETWORK}', config.general.get_back_network())
scOpen(serverConf).replace('${BACK.NETMASK}', config.general.get_back_netmask())
# Prepare the ca cert generation.
fn = "/etc/openvpn/easy-rsa/vars"
scOpen(fn).replace('[\s]*export KEY_COUNTRY.*', 'export KEY_COUNTRY="' + config.general.get_country_name() + '"')
scOpen(fn).replace('[\s]*export KEY_PROVINCE.*', 'export KEY_PROVINCE="' + config.general.get_state() + '"')
scOpen(fn).replace('[\s]*export KEY_CITY.*', 'export KEY_CITY="' + config.general.get_locality() + '"')
scOpen(fn).replace('[\s]*export KEY_ORG.*', 'export KEY_ORG="' + config.general.get_organization_name() + '"')
scOpen(fn).replace('[\s]*export KEY_OU.*', 'export KEY_OU="' + config.general.get_organizational_unit_name() + '"')
scOpen(fn).replace('[\s]*export KEY_EMAIL.*', 'export KEY_EMAIL="' + config.general.get_admin_email() + '"')
# Can't find the current version of openssl.cnf.
scOpen("/etc/openvpn/easy-rsa/whichopensslcnf").replace("\[\[\:alnum\:\]\]", "[[:alnum:]]*")
# Generate CA cert
x("mkdir -p /etc/openvpn/easy-rsa")
os.chdir("/etc/openvpn/easy-rsa/")
x(". ./vars;./clean-all;./build-ca --batch;./build-key-server --batch server;./build-dh")
x("cp /etc/openvpn/easy-rsa/keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/")
# To prevent error "TXT_DB error number 2" when running ./build-key-pkcs12 --batch xxx"
scOpen("/etc/openvpn/easy-rsa/keys/index.txt.attr").replace("unique_subject.*", "unique_subject = no")
# To be able to route trafic to internal network
general.set_config_property("/etc/sysctl.conf", '[\s]*net.ipv4.ip_forward[\s]*[=].*', "net.ipv4.ip_forward = 1")
x("echo 1 > /proc/sys/net/ipv4/ip_forward")
ldapconf = scOpen("/etc/openvpn/auth/ldap.conf")
ldapconf.replace("^\\s*URL\s*.*","\\tURL\\tldaps://%s" % config.general.get_ldap_hostname())
ldapconf.replace("^\s*# Password\s*.*","\\tPassword\\t%s" % app.get_ldap_admin_password())
ldapconf.replace("^\s*# BindDN\s*.*","\\tBindDN\\tcn=Manager,%s" % config.general.get_ldap_dn())
ldapconf.replace("^\s*TLSEnable\s*.*","\\t# TLSEnable\\t YES")
#Deal with certs
ldapconf.replace("^\s*TLSCACertFile\s*.*","\\tTLSCACertFile\\t /etc/openldap/cacerts/ca.crt")
ldapconf.replace("^\s*TLSCACertDir\s*.*","\\tTLSCACertDir\\t /etc/openldap/cacerts/")
ldapconf.replace("^\s*TLSCertFile\s*.*","\\tTLSCertFile\\t /etc/openldap/cacerts/client.crt")
ldapconf.replace("^\s*TLSKeyFile\s*.*","\\tTLSKeyFile\\t /etc/openldap/cacerts/client.key")
#Auth
ldapconf.replace("^\s*BaseDN\s*.*","\\BaseDN\\t \"%s\"" % config.general.get_ldap_dn() )
ldapconf.replace("^\s*SearchFilter\s*.*","\\tSearchFilter\\t \"(\\&(uid=%u)(employeeType=Sysop))\"")
x('echo "plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf" >> /etc/openvpn/server.conf ')
iptables.add_openvpn_chain()
iptables.save()
x("/etc/init.d/openvpn restart")
x("/sbin/chkconfig openvpn on")
build_client_certs(args)
version_obj.mark_executed()
