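#!/bin/bash
#
# Provision an OpenLDAP server (slapd) on a Debian/Ubuntu host: fetch the
# TLS certificate, install slapd/ldapscripts/SSSD, configure TLS and
# ldaps://, create the base DIT (users/groups/hosts/sudo), load the sudo
# schema and a default sudo rule, create two demo users and point SSSD at
# the new server.
#
# Usage:  run as root on a host whose FQDN is <host>.<domain>. The domain
#         part of `hostname -f` becomes the base DN dc=<label1>,dc=<label2>
#         (only the first two labels of the domain are used).
# Env:    LDAP_ADMIN_PW  password for cn=admin and the demo users. It
#         defaults to the historical lab value so existing invocations keep
#         working; override it for anything that is not a throwaway lab.
#
# The bind password is passed to ldapadd through a 0600 file (-y) rather
# than on the command line, so it does not show up in `ps` or shell history.

set -Eeuo pipefail

# Print the failing command instead of aborting silently under set -e
# (-E makes the ERR trap fire inside functions as well).
trap 'printf "error at line %s: %s\n" "$LINENO" "$BASH_COMMAND" >&2' ERR

die() { printf '%s\n' "$*" >&2; exit 1; }

# --- Variables --------------------------------------------------------------
fqdn=$(hostname -f) || die "hostname -f failed"
[[ "$fqdn" == *.* ]] || die "hostname -f returned no domain part: '$fqdn'"
readonly DOM=${fqdn#*.}                 # same as: hostname -f | cut -f 2- -d .
[[ "$DOM" == *.* ]] || die "domain '$DOM' needs at least two labels for the base DN"
readonly DC1=${DOM%%.*}                 # first label  (cut -f 1 -d .)
_rest=${DOM#*.}
readonly DC2=${_rest%%.*}               # second label (cut -f 2 -d .); any further labels are ignored
unset _rest
readonly BASE_DN="dc=$DC1,dc=$DC2"
readonly ADMIN_DN="cn=admin,$BASE_DN"
readonly ADMIN_PW="${LDAP_ADMIN_PW:-123Start\$}"

# Private scratch directory instead of predictable names under /tmp; removed
# on every exit path (the :? guard refuses to rm -rf an empty path).
workdir=$(mktemp -d) || die "mktemp failed"
readonly workdir
cleanup() { rm -rf -- "${workdir:?}"; }
trap cleanup EXIT

# Password file for `ldapadd -y`. -y uses the complete file contents, so the
# file must not end in a newline.
readonly pwfile="$workdir/admin.pw"
( umask 077; printf '%s' "$ADMIN_PW" > "$pwfile" )

#######################################
# Download the certificate bundle for $DOM and install key and chain as
# /etc/ssl/own.{crt,key}.
# Globals:   DOM, workdir (read)
#######################################
fetch_certificate() {
  printf '%s\n' 'Zertifikat holen...'
  # NOTE(review): the archive carries the private key. Only TLS protects the
  # download (no checksum/signature is available here); confirm that the
  # URL is access-restricted. --https-only refuses a redirect to plain http.
  wget -nv --https-only -O "$workdir/$DOM.tgz" "https://web.samogo.de/certs/$DOM.tgz"
  # Unpack into the private work dir rather than the shared /tmp, and move
  # only the two members we expect into place.
  tar -C "$workdir" -xvzf "$workdir/$DOM.tgz"
  [[ -f "$workdir/fullchain.pem" && -f "$workdir/privkey.pem" ]] \
    || die "certificate archive did not contain fullchain.pem and privkey.pem"
  mv -- "$workdir/fullchain.pem" /etc/ssl/own.crt
  mv -- "$workdir/privkey.pem" /etc/ssl/own.key
}

#######################################
# Preseed debconf and install slapd, ldapscripts and the SSSD stack.
# Globals:   DOM, ADMIN_PW (read)
#######################################
install_packages() {
  printf '%s\n' 'Installation...'
  apt update
  # NOTE(review): debconf keeps these answers (including the password) in
  # its database after installation — consider clearing slapd/password1 and
  # slapd/password2 once slapd is installed; TODO confirm.
  debconf-set-selections <<< "slapd slapd/password1 password $ADMIN_PW"
  debconf-set-selections <<< "slapd slapd/password2 password $ADMIN_PW"
  debconf-set-selections <<< "slapd slapd/domain string $DOM"
  debconf-set-selections <<< "slapd shared/organization string $DOM"
  debconf-set-selections <<< "slapd slapd/backend select MDB"
  debconf-set-selections <<< "slapd slapd/purge_database boolean false"
  debconf-set-selections <<< "slapd slapd/move_old_database boolean true"
  debconf-set-selections <<< "slapd slapd/allow_ldap_v2 boolean false"
  DEBIAN_FRONTEND=noninteractive apt install -y slapd ldap-utils ldapscripts sssd libnss-sss libpam-sss libsss-sudo sssd-tools oddjob-mkhomedir
}

#######################################
# Point cn=config at the installed key/chain and enable ldaps:// in
# /etc/default/slapd, then restart slapd.
# Globals:   workdir (read)
#######################################
configure_tls() {
  printf '%s\n' 'TLS konfigurieren...'
  chown openldap:openldap /etc/ssl/own.crt /etc/ssl/own.key
  chmod 640 /etc/ssl/own.crt /etc/ssl/own.key

  # LDIF: lines must start at column 0 (a leading space means continuation).
  cat <<EOF > "$workdir/tls.ldif"
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/own.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/own.key
EOF
  ldapmodify -Y EXTERNAL -H ldapi:/// -f "$workdir/tls.ldif"

  # sed -i silently does nothing when the line is absent, so check first;
  # otherwise ldaps:// would never be enabled and every later ldaps client
  # (ldap.conf, sssd.conf) would fail.
  grep -q '^SLAPD_SERVICES=' /etc/default/slapd \
    || die "SLAPD_SERVICES not found in /etc/default/slapd"
  sed -i 's|SLAPD_SERVICES=.*|SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"|' /etc/default/slapd
  systemctl restart slapd
}

#######################################
# Write the client defaults used by ldap-utils.
# Globals:   DOM, BASE_DN (read)
#######################################
write_ldap_conf() {
  cat <<EOF > /etc/ldap/ldap.conf
BASE    $BASE_DN
URI     ldaps://ldap.$DOM
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
EOF
}

#######################################
# Create the ou=users/groups/hosts/sudo containers under the base DN.
# Globals:   BASE_DN, ADMIN_DN, pwfile (read)
#######################################
create_base_structure() {
  printf '%s\n' 'Grundstruktur anlegen...'
  cat <<EOF > /root/struktur.ldif
dn: ou=users,$BASE_DN
objectClass: organizationalUnit
ou: users

dn: ou=groups,$BASE_DN
objectClass: organizationalUnit
ou: groups

dn: ou=hosts,$BASE_DN
objectClass: organizationalUnit
ou: hosts

dn: ou=sudo,$BASE_DN
objectClass: organizationalUnit
ou: sudo
EOF
  ldapadd -x -D "$ADMIN_DN" -y "$pwfile" -H ldap://localhost -f /root/struktur.ldif
}

#######################################
# Load the sudo schema into cn=config.
# Globals:   workdir (read)
#######################################
load_sudo_schema() {
  printf '%s\n' 'Sudo-Schema laden...'
  # NOTE(review): this schema is fetched from a third-party site at run time
  # and loaded straight into cn=config with root privileges. Vendoring the
  # file with the script (or verifying a known checksum before ldapadd)
  # would remove the dependency on that host.
  wget -nv --https-only -O "$workdir/sudo.ldif" https://xinux.de/downloads/script/sudo.ldif
  ldapadd -Y EXTERNAL -H ldapi:/// -f "$workdir/sudo.ldif"
}

#######################################
# Add the sudo defaults and a rule granting members of %sudo everything.
# Globals:   BASE_DN, ADMIN_DN, pwfile (read)
#######################################
create_sudo_rules() {
  printf '%s\n' 'Sudo-Regeln anlegen...'
  cat <<EOF > /root/sudo_rule.ldif
dn: cn=defaults,ou=sudo,$BASE_DN
objectClass: sudoRole
cn: defaults
sudoOption: env_keep+=SSH_AUTH_SOCK

dn: cn=admin_role,ou=sudo,$BASE_DN
objectClass: sudoRole
cn: admin_role
sudoUser: %sudo
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
EOF
  ldapadd -x -D "$ADMIN_DN" -y "$pwfile" -H ldap://localhost -f /root/sudo_rule.ldif
}

#######################################
# Write ldapscripts.conf and its bind-password file.
# Globals:   BASE_DN, ADMIN_DN, ADMIN_PW (read)
#######################################
configure_ldapscripts() {
  printf '%s\n' 'ldapscripts konfigurieren...'
  cat <<EOF > /etc/ldapscripts/ldapscripts.conf
SERVER="ldap://localhost"
SUFFIX="$BASE_DN"
GSUFFIX="ou=groups"
USUFFIX="ou=users"
MSUFFIX="ou=hosts"
BINDDN="$ADMIN_DN"
USHELL="/bin/bash"
UHOMES="/home/%u"
CREATEHOMES="yes"
HOMESKEL="/etc/skel"
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
GIDSTART="10000" # Group ID
UIDSTART="10000" # User ID
MIDSTART="20000" # Machine ID
GCLASS="posixGroup"
PASSWORDGEN="pwgen"
RECORDPASSWORDS="no"
PASSWORDFILE="/var/log/ldapscripts_passwd.log"
LOGTOFILE="yes"
LOGFILE="/var/log/ldapscripts.log"
LOGTOSYSLOG="no"
SYSLOGFACILITY="local4"
SYSLOGLEVEL="info"
LDAPSEARCHBIN="/usr/bin/ldapsearch"
LDAPADDBIN="/usr/bin/ldapadd"
LDAPDELETEBIN="/usr/bin/ldapdelete"
LDAPMODIFYBIN="/usr/bin/ldapmodify"
LDAPMODRDNBIN="/usr/bin/ldapmodrdn"
LDAPPASSWDBIN="/usr/bin/ldappasswd"
LDAPSEARCHOPTS="-o ldif-wrap=no"
GETENTPWCMD=""
GETENTGRCMD=""
GTEMPLATE=""
UTEMPLATE=""
MTEMPLATE=""
EOF
  # NOTE(review): PASSWORDGEN="pwgen" but pwgen is not in the apt install
  # list above — confirm whether ldapscripts needs it on this host.
  # Restrict the password file before any content is written to it.
  local -r passfile=/etc/ldapscripts/ldapscripts.passwd
  touch "$passfile"
  chmod 600 "$passfile"
  printf '%s' "$ADMIN_PW" > "$passfile"
}

#######################################
# Create the demo groups/users and give both users the admin password.
# Globals:   ADMIN_PW (read)
#######################################
create_users() {
  printf '%s\n' 'Gruppen und Benutzer anlegen...'
  ldapaddgroup it
  ldapaddgroup sudo
  ldapadduser thomas it
  ldapadduser tina it
  # ldapsetpasswd reads the new password twice from stdin. stderr was
  # deliberately discarded here (presumably prompt noise); a non-zero exit
  # still aborts the script under set -o pipefail.
  printf '%s\n%s\n' "$ADMIN_PW" "$ADMIN_PW" | ldapsetpasswd thomas 2>/dev/null
  printf '%s\n%s\n' "$ADMIN_PW" "$ADMIN_PW" | ldapsetpasswd tina 2>/dev/null
  ldapaddusertogroup thomas sudo
  ldapaddusertogroup tina sudo
}

#######################################
# Write sssd.conf (ldaps with strict certificate checking) and enable the
# sss/mkhomedir PAM modules.
# Globals:   DOM, BASE_DN (read)
#######################################
configure_sssd() {
  printf '%s\n' 'SSSD konfigurieren...'
  # sssd refuses a config that is not 0600; set the mode before writing so
  # the file is never readable by others, even briefly.
  touch /etc/sssd/sssd.conf
  chmod 600 /etc/sssd/sssd.conf
  cat <<EOF > /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = $DOM

[domain/$DOM]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = permit
sudo_provider = ldap
ldap_uri = ldaps://ldap.$DOM
ldap_search_base = $BASE_DN
ldap_sudo_search_base = ou=sudo,$BASE_DN
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_tls_reqcert = hard
cache_credentials = True

[nss]
filter_users = root,daemon,bin,sys,sync,games,man,lp,mail,news,uucp,proxy,www-data,backup,list,irc,gnats,nobody,systemd-network,systemd-resolve,messagebus,_apt,uuidd,nslcd
filter_groups = root,daemon,bin,sys,adm,tty,disk,lp,mail,news,uucp,man,proxy,kmem,dialout,fax,voice,cdrom,floppy,tape,sudo,audio,dip,www-data,backup,operator,list,irc,src,gnats,shadow,utmp,video,sasl,plugdev,staff,games,users,nogroup,systemd-journal,systemd-network,systemd-resolve,input,kvm,render,crontab,netdev,messagebus,_apt,uuidd,ssh,nslcd

[pam]
offline_credentials_expiration = 2
EOF
  pam-auth-update --enable sss mkhomedir
  systemctl restart sssd
}

#######################################
# Run all steps in the original order.
#######################################
main() {
  fetch_certificate
  install_packages
  configure_tls
  write_ldap_conf
  create_base_structure
  load_sudo_schema
  create_sudo_rules
  configure_ldapscripts
  create_users
  configure_sssd
  printf '%s\n' 'Fertig.'
}

main "$@"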
