add keycloak

2023-02-13 13:02:29 +07:00
parent 8de0239d1f
commit d462c1c6bb
117 changed files with 11719 additions and 3 deletions
--- a/3.FreeIPA/README.md
+++ b/3.FreeIPA/README.md
@@ -0,0 +1,51 @@
+# Main
+
+Ставим на fedora-37
+
+0. firewall
+
+```shell
+firewall-cmd --permanent --add-port=53/{tcp,udp} --add-port=80/tcp --add-port=88/{tcp,udp} \
+--add-port=123/udp --add-port=389/tcp --add-port=443/tcp --add-port=464/{tcp,udp} \
+--add-port=636/tcp && firewall-cmd --reload
+```
+
+```shell
+sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
+sed -i 's/^NETWORKING_IPV6=.*/NETWORKING_IPV6=false/g' /etc/sysconfig/network
+
+reboot
+```
+
+1. dnf update -y && dnf -y install freeipa-server freeipa-server-dns freeipa-client mc htop zip nano git wget curl
+
+- правим /etc/hosts >>
+- убираем все, кроме этих записей
+
+```shell
+135.181.36.160 id.rmnl.ru id
+```
+
+- правим /etc/hostname по необходимости
+
+```shell
+hostname -f
+```
+
+2. ipa-server-install --setup-dns --allow-zone-overlap --domain=rmnl.ru
+
+- Do you want to configure DNS forwarders? [yes]: `yes`
+- Enter an IP address for a DNS forwarder, or press Enter to skip: `8.8.8.8`
+- ntp - ставим, указываем: `91.189.89.198,91.189.91.157,91.189.94.4`
+
+pass = 7MOYtC12B2mSZhu15cWFBw
+
+## Сертификаты
+
+1. dnf install -y certbot
+2. certbot certonly --manual --preferred-challenges=dns --email admin@rmnl.ru --agree-tos  -d id.rmnl.ru
+3. cd letsencrypt && ./setup-le.sh
+
+## Системный юзер
+
+1. ./ipa-ctl.sh
--- a/3.FreeIPA/ipa-ctl.sh
+++ b/3.FreeIPA/ipa-ctl.sh
@@ -0,0 +1,130 @@
+#!/usr/bin/env bash
+ssleval=true
+prefix=ldaps
+passeval() { [ -z $bindpass ] && passeval="UNSET!" || passeval="SET!"; }
+ssleval() { [ "$prefix" == "ldaps" ] && ssleval="true" || ssleval="false"; }
+actionseval() { [ "$ldapserver" ] && [ "$binduser" ] && [ "$domain" ] && [ "$passeval" == "SET!" ] && actionseval="ready" || actionseval="conditions not yet met" && return 1; }
+
+menu() {
+  passeval
+  ssleval
+  actionseval
+  clear
+  echo "\
+### FreeIPA - System Account Manager ###
+1.) ldapserver=$ldapserver
+2.) domain=$domain (ldapdomain=$ldapdomain)
+3.) binduser=$binduser
+4.) bindpass=$passeval
+5.) ssl=$ssleval
+
+Actions ($actionseval):
+  add | rm | ls | info | passwd
+
+---   Results   ---
+$results
+--- End Results ---
+"
+}
+
+domain2ldapdomain() {
+   echo "${1}" | awk -F'.' '{for(i=1;i<=NF;i++) printf "dc="$i","; print ""}' | sed 's/,$//'
+}
+
+dotask() {
+  case $1 in
+# Setup
+    1|ldapserver)
+      read -p "ldapserver=" ldapserver
+      [ -z $domain ] && domain=${ldapserver#*.} && ldapdomain=$(domain2ldapdomain "$domain")
+      ;;
+    2|domain)
+      read -p "domain=" domain
+      ldapdomain=$(domain2ldapdomain "$domain")
+      #read -p "ldapdomain=" ldapdomain
+      ;;
+    3|binduser)
+      [ -z $domain ] && echo "We need the domain first." &&  dotask domain
+      echo "Enter \"mgr\" for Directory Manager. Otherwise enter the username or full binddn (-D option in ldapsearch)"
+      read -p "binduser=" swap
+      [ "$swap" == "mgr" ] && binduser='cn=Directory Manager' && return
+      echo "$swap" | grep '=' -q && binduser="$swap" || binduser="uid=$swap,cn=users,cn=accounts,$ldapdomain"
+      ;;
+    4|bindpass)
+      read -sp "Enter password (will not echo): " bindpass
+      ;;
+    5|ssl)
+      [ "$prefix" == "ldaps" ] && prefix=ldap || prefix=ldaps
+      ;;
+
+# Actions
+    # poc)
+    #   results=$(ldapsearch "$prefix""://""$ldapserver" -b "$ldapdomain" -D "$binduser" -w "$bindpass")
+    #   ;;
+    ls)
+      results=$(ldapsearch -H "$prefix""://""$ldapserver" -b "cn=sysaccounts,cn=etc,$ldapdomain" -D "$binduser" -w "$bindpass" "(uid=*)" "dn" | grep 'dn: uid')
+      ;;
+    info)
+      [ "$2" ] && local uid="$2" || uid="*"
+      results=$(ldapsearch -H "$prefix""://""$ldapserver" -b "cn=sysaccounts,cn=etc,$ldapdomain" -D "$binduser" -w "$bindpass" "(uid=$uid)" "uid" "memberOf" "passwordExpirationTime")
+      ;;
+    add)
+      local uid password
+      [ "$2" ] && local uid="$2" || read -p "uid of new user=" uid
+      read -sp "password of new user (blank to generate a password)=" password
+      [ -z "$password" ] && password=$(randpw) && echo && echo "Generated password: $password"
+      echo
+      read -p "password expiration date YYYYMMDD (blank for 20380119)=" expire
+      [ -z "$expire" ] && expire=20380119
+echo -E "\
+dn: uid=$uid,cn=sysaccounts,cn=etc,$ldapdomain
+changetype: add
+objectclass: account
+objectclass: simplesecurityobject
+uid: $uid
+userPassword: $password
+passwordExpirationTime: ${expire}031407Z
+nsIdleTimeout: 0" | ldapmodify -H "$prefix""://""$ldapserver" -D "$binduser" -w "$bindpass" && results="Submitted." || results="Error."
+      ;;
+    rm)
+      local uid
+      [ "$2" ] && local uid="$2" || read -p "uid of user to remove=" uid
+echo -E "\
+dn: uid=$uid,cn=sysaccounts,cn=etc,$ldapdomain
+changetype: delete" | ldapmodify -H "$prefix""://""$ldapserver" -D "$binduser" -w "$bindpass" && results="Submitted." || results="Error."
+      ;;
+    passwd)
+    local uid password
+    [ "$2" ] && local uid="$2" || read -p "uid of user=" uid
+    read -sp "new password for user (blank to generate a password)=" password
+    [ -z "$password" ] && password=$(randpw) && echo && echo "Generated password: $password"
+    echo
+    read -p "password expiration date YYYYMMDD (blank for 20380119)=" expire
+    [ -z "$expire" ] && expire=20380119
+echo -E "\
+dn: uid=$uid,cn=sysaccounts,cn=etc,$ldapdomain
+changetype: modify
+replace: userPassword
+userPassword: $password
+-
+replace: passwordExpirationTime
+passwordExpirationTime: ${expire}031407Z" | ldapmodify -H "$prefix""://""$ldapserver" -D "$binduser" -w "$bindpass" && results="Submitted." || results="Error."
+      ;;
+    exit)
+      exit
+      ;;
+    "")
+      results=""
+      ;;
+    *)
+      results="\"$input\" command not found."
+  esac
+}
+
+prompt() { read -p '> ' input; dotask $input; }
+randpw() { < /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-20};echo;}
+
+while :; do
+  menu
+  prompt
+done
--- a/3.FreeIPA/letsencrypt/ipa-httpd.cnf
+++ b/3.FreeIPA/letsencrypt/ipa-httpd.cnf
@@ -0,0 +1,18 @@
+# the fully qualified server (or service) name
+FQDN = server.example.test
+ALTNAMES = DNS:$FQDN
+
+# --- no modifications required below ---
+[ req ]
+default_bits = 2048
+default_md = sha256
+prompt = no
+encrypt_key = no
+distinguished_name = dn
+req_extensions = req_ext
+
+[ dn ]
+CN = $FQDN
+
+[ req_ext ]
+subjectAltName = $ALTNAMES
--- a/3.FreeIPA/letsencrypt/renew-le.sh
+++ b/3.FreeIPA/letsencrypt/renew-le.sh
@@ -0,0 +1,45 @@
+#!/usr/bin/bash
+set -o nounset
+
+WORKDIR=$(pwd -P)
+EMAIL="mail@mail.ru"
+
+### cron
+# check that the cert will last at
+# least 2 days from now to prevent too frequent renewal
+# comment out this line for the first run
+if [ "${1:-renew}" != "--first-time" ]
+then
+	start_timestamp=`date +%s --date="$(openssl x509 -startdate -noout -in /var/lib/ipa/certs/httpd.crt | cut -d= -f2)"`
+	now_timestamp=`date +%s`
+	let diff=($now_timestamp-$start_timestamp)/86400
+	if [ "$diff" -lt "2" ]; then
+		echo "Certificate is actuality"
+		exit 0
+	fi
+fi
+cd "$WORKDIR"
+# cert renewal is needed if we reached this line
+
+# cleanup
+rm -f "$WORKDIR"/*.pem
+rm -f "$WORKDIR"/httpd-csr.*
+
+# generate CSR
+OPENSSL_PASSWD_FILE="/var/lib/ipa/passwds/$HOSTNAME-443-RSA"
+[ -f "$OPENSSL_PASSWD_FILE" ] && OPENSSL_EXTRA_ARGS="-passin file:$OPENSSL_PASSWD_FILE" || OPENSSL_EXTRA_ARGS=""
+openssl req -new -sha256 -config "$WORKDIR/ipa-httpd.cnf"  -key /var/lib/ipa/private/httpd.key -out "$WORKDIR/httpd-csr.der" $OPENSSL_EXTRA_ARGS
+
+# httpd process prevents letsencrypt from working, stop it
+service httpd stop
+
+# get a new cert
+letsencrypt certonly --standalone --csr "$WORKDIR/httpd-csr.der" --email "$EMAIL" --agree-tos
+
+# replace the cert
+cp /var/lib/ipa/certs/httpd.crt /var/lib/ipa/certs/httpd.crt.bkp
+mv -f "$WORKDIR/0000_cert.pem" /var/lib/ipa/certs/httpd.crt
+restorecon -v /var/lib/ipa/certs/httpd.crt
+
+# start httpd with the new cert
+service httpd start
--- a/3.FreeIPA/letsencrypt/setup-le.sh
+++ b/3.FreeIPA/letsencrypt/setup-le.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/bash
+set -o nounset -o errexit
+
+FQDN=$(hostname -f)
+WORKDIR=$(pwd -P)
+CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" "lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")
+
+sed -i "s/server.example.test/$FQDN/g" $WORKDIR/ipa-httpd.cnf
+
+dnf install letsencrypt -y
+
+if [ ! -d "/etc/ssl/$FQDN" ]
+then
+  mkdir -p "/etc/ssl/$FQDN"
+fi
+
+for CERT in "${CERTS[@]}"
+do
+  if command -v wget &> /dev/null
+  then
+    wget -O "/etc/ssl/$FQDN/$CERT" "https://letsencrypt.org/certs/$CERT"
+  elif command -v curl &> /dev/null
+  then
+    curl -o "/etc/ssl/$FQDN/$CERT" "https://letsencrypt.org/certs/$CERT"
+  fi
+  ipa-cacert-manage install "/etc/ssl/$FQDN/$CERT"
+done
+
+ipa-certupdate
+
+"$WORKDIR/renew-le.sh" --first-time