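#!/usr/bin/env bash
#
# Reset and provision a single-host OpenLDAP server (slapd) with TLS, the
# sudo schema, a base tree (users/groups/hosts/sudo), ldapscripts and an
# SSSD client configuration on the same machine.
#
# WARNING: this script is destructive. It purges slapd/sssd and deletes
# /var/lib/ldap, /etc/ldap, /etc/ldapscripts and /etc/sssd, so any existing
# directory data on the host is lost.
#
# Environment:
#   LDAP_ADMIN_PW  password for cn=admin,<base DN>. Defaults to the historic
#                  lab value "123Start$" (with a warning) — set it for any
#                  host that is not a throw-away lab.
#   LDAP_USER_PW   initial password for the demo users thomas/tina; same
#                  default as LDAP_ADMIN_PW.
#
# The domain is everything after the first label of `hostname -f`
# (host.example.de -> example.de) and must have at least two labels.
# The certificate archive is fetched from https://web.samogo.de/certs/<domain>.tgz
# and must contain fullchain.pem and privkey.pem at its top level.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# --- Variables --------------------------------------------------------------
DOM=$(hostname -f | cut -f 2- -d .)
[[ "$DOM" == *.* ]] \
  || die "hostname -f must return an FQDN with at least two domain labels, got '$(hostname -f)'"
# Build the base DN from every label, not just the first two, so deeper
# domains work as well (example.de -> dc=example,dc=de; a.b.c -> dc=a,dc=b,dc=c).
# This is also the suffix slapd derives from slapd/domain during installation.
BASE_DN="dc=${DOM//./,dc=}"
ADMIN_DN="cn=admin,$BASE_DN"
DEFAULT_PW='123Start$'
ADMIN_PW="${LDAP_ADMIN_PW:-$DEFAULT_PW}"
USER_PW="${LDAP_USER_PW:-$DEFAULT_PW}"
PWFILE=/etc/ldapscripts/ldapscripts.passwd
if [[ -z "${LDAP_ADMIN_PW:-}" ]]; then
  printf 'WARNING: LDAP_ADMIN_PW is not set, using the well-known default password\n' >&2
fi

# Private scratch directory (mktemp -d creates it 0700) instead of
# predictable names in the shared /tmp; the downloaded archive, the private
# key and the LDIF files are staged here and removed on exit.
WORK=$(mktemp -d) || die "mktemp failed"
trap 'rm -rf -- "$WORK"' EXIT

# --- Fetch certificate ------------------------------------------------------
CERT="$DOM.tgz"
wget -nv -O "$WORK/$CERT" "https://web.samogo.de/certs/$CERT" \
  || die "download of $CERT failed"
tar -C "$WORK" -xzf "$WORK/$CERT"
[[ -f "$WORK/fullchain.pem" && -f "$WORK/privkey.pem" ]] \
  || die "$CERT does not contain fullchain.pem and privkey.pem"
# Install with tight modes immediately: the key must never sit world-readable
# on disk, not even between extraction and the chmod further down. Ownership
# is handed to the openldap user once slapd (and thus that user) exists.
install -o root -g root -m 644 "$WORK/fullchain.pem" /etc/ssl/own.crt
install -o root -g root -m 600 "$WORK/privkey.pem" /etc/ssl/own.key

# --- Clean up a previous installation --------------------------------------
echo "Aufräumen..."
systemctl stop slapd 2>/dev/null || true   # unit may not exist on a fresh host
apt-get purge -y slapd ldap-utils ldapscripts sssd libnss-sss libpam-sss libsss-sudo
rm -rf /etc/ldap/ /var/lib/ldap/ /etc/ldapscripts/ /etc/sssd/

# --- Prepare installation (debconf answers for slapd) -----------------------
debconf-set-selections <<HERE
slapd slapd/password1 password $ADMIN_PW
slapd slapd/password2 password $ADMIN_PW
slapd slapd/domain string $DOM
slapd shared/organization string $DOM
slapd slapd/backend select MDB
slapd slapd/purge_database boolean false
slapd slapd/move_old_database boolean true
slapd slapd/allow_ldap_v2 boolean false
HERE

# --- Installation -----------------------------------------------------------
echo "Installation..."
DEBIAN_FRONTEND=noninteractive apt-get install -y \
  slapd ldap-utils ldapscripts sssd libnss-sss libpam-sss libsss-sudo

# --- Certificate permissions for slapd --------------------------------------
chown openldap:openldap /etc/ssl/own.crt /etc/ssl/own.key
chmod 640 /etc/ssl/own.crt /etc/ssl/own.key

# --- slapd TLS --------------------------------------------------------------
cat <<HERE > "$WORK/tls.ldif"
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/own.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/own.key
HERE
ldapmodify -Y EXTERNAL -H ldapi:/// -f "$WORK/tls.ldif"

# --- Enable ldap + ldaps ----------------------------------------------------
# NOTE(review): ldap:/// listens unencrypted on all interfaces; SSSD and
# ldap.conf below use ldaps, but any other client binding over plain ldap
# from the network sends credentials in the clear. The local ldapadd and
# ldapscripts calls in this script only talk to localhost.
sed -i 's|SLAPD_SERVICES=.*|SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"|' /etc/default/slapd
systemctl restart slapd

# --- ldap.conf (world-readable client defaults) -----------------------------
cat <<HERE > /etc/ldap/ldap.conf
BASE    $BASE_DN
URI     ldaps://ldap.$DOM
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
HERE

# --- Bind password file -----------------------------------------------------
# Used by ldapscripts (BINDPWDFILE) and by the ldapadd calls below via -y, so
# the password never appears on a command line (ps, /proc/*/cmdline). Create
# the file with mode 600 before writing so the secret is never in a file with
# default permissions. No trailing newline: both -y and ldapscripts use the
# file contents verbatim.
install -o root -g root -m 600 /dev/null "$PWFILE"
printf '%s' "$ADMIN_PW" > "$PWFILE"

# --- Base structure ---------------------------------------------------------
cat <<HERE > "$WORK/struktur.ldif"
dn: ou=users,$BASE_DN
objectClass: organizationalUnit
ou: users

dn: ou=groups,$BASE_DN
objectClass: organizationalUnit
ou: groups

dn: ou=hosts,$BASE_DN
objectClass: organizationalUnit
ou: hosts

dn: ou=sudo,$BASE_DN
objectClass: organizationalUnit
ou: sudo
HERE
ldapadd -x -D "$ADMIN_DN" -y "$PWFILE" -H ldap://localhost -f "$WORK/struktur.ldif"

# --- Sudo schema (sudoers-ldap attribute/object class definitions) ---------
cat <<HERE > "$WORK/sudo.ldif"
dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoOption' DESC 'Options passed to sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoNotBefore' DESC 'Start of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotAfter' DESC 'End of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoOrder' DESC 'an integer to order the sudoRole entries' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
olcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries' SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoOption $ sudoRunAsUser $ sudoRunAsGroup $ sudoNotBefore $ sudoNotAfter $ sudoOrder $ description ) )
HERE
ldapadd -Y EXTERNAL -H ldapi:/// -f "$WORK/sudo.ldif"

# --- Sudo rules -------------------------------------------------------------
# admin_role grants members of the LDAP group "sudo" unrestricted sudo
# (ALL commands, ALL hosts, ALL run-as users/groups); membership of that
# group is therefore equivalent to root on every host using this directory.
cat <<HERE > "$WORK/sudo_rule.ldif"
dn: cn=defaults,ou=sudo,$BASE_DN
objectClass: sudoRole
cn: defaults
sudoOption: env_keep+=SSH_AUTH_SOCK

dn: cn=admin_role,ou=sudo,$BASE_DN
objectClass: sudoRole
cn: admin_role
sudoUser: %sudo
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
HERE
ldapadd -x -D "$ADMIN_DN" -y "$PWFILE" -H ldap://localhost -f "$WORK/sudo_rule.ldif"

# --- ldapscripts ------------------------------------------------------------
cat <<HERE > /etc/ldapscripts/ldapscripts.conf
SERVER="ldap://localhost"
SUFFIX="$BASE_DN"
GSUFFIX="ou=groups"
USUFFIX="ou=users"
MSUFFIX="ou=hosts"
BINDDN="$ADMIN_DN"
USHELL="/bin/bash"
UHOMES="/home/%u"
CREATEHOMES="yes"
HOMESKEL="/etc/skel"
BINDPWDFILE="$PWFILE"
GIDSTART="10000"
UIDSTART="10000"
MIDSTART="20000"
GCLASS="posixGroup"
PASSWORDGEN="pwgen"
RECORDPASSWORDS="no"
PASSWORDFILE="/var/log/ldapscripts_passwd.log"
LOGTOFILE="yes"
LOGFILE="/var/log/ldapscripts.log"
LOGTOSYSLOG="no"
SYSLOGFACILITY="local4"
SYSLOGLEVEL="info"
LDAPSEARCHBIN="/usr/bin/ldapsearch"
LDAPADDBIN="/usr/bin/ldapadd"
LDAPDELETEBIN="/usr/bin/ldapdelete"
LDAPMODIFYBIN="/usr/bin/ldapmodify"
LDAPMODRDNBIN="/usr/bin/ldapmodrdn"
LDAPPASSWDBIN="/usr/bin/ldappasswd"
LDAPSEARCHOPTS="-o ldif-wrap=no"
GETENTPWCMD=""
GETENTGRCMD=""
GTEMPLATE=""
UTEMPLATE=""
MTEMPLATE=""
HERE

# --- Groups and users -------------------------------------------------------
ldapaddgroup it
ldapaddgroup sudo
ldapadduser thomas it
ldapadduser tina it
# ldapsetpasswd prompts for the password twice on stdin when no password
# argument is given; feeding it via a pipe keeps the secret out of argv.
# stderr is silenced as in the original (presumably tty noise from the
# non-interactive prompt); a failing exit status still aborts under set -e.
printf '%s\n%s\n' "$USER_PW" "$USER_PW" | ldapsetpasswd thomas 2>/dev/null
printf '%s\n%s\n' "$USER_PW" "$USER_PW" | ldapsetpasswd tina 2>/dev/null
# Both demo users become members of "sudo" and thus get admin_role (root).
ldapaddusertogroup thomas sudo
ldapaddusertogroup tina sudo

# --- SSSD -------------------------------------------------------------------
# sssd refuses to start unless sssd.conf is root:root 0600; create it with
# that mode before writing rather than chmod-ing afterwards.
# NOTE: access_provider = permit lets every directory user log in on this
# host; tighten with ldap_access_filter / simple allow lists if needed.
install -o root -g root -m 600 /dev/null /etc/sssd/sssd.conf
cat <<HERE > /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = $DOM

[domain/$DOM]
id_provider = ldap
auth_provider = ldap
access_provider = permit
sudo_provider = ldap
ldap_uri = ldaps://ldap.$DOM
ldap_search_base = $BASE_DN
ldap_sudo_search_base = ou=sudo,$BASE_DN
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_tls_reqcert = demand
HERE
pam-auth-update --enable sss mkhomedir
systemctl restart sssd

echo "Fertig."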
