Skip to content

Instantly share code, notes, and snippets.

@pandeybk

pandeybk/README.md

Last active October 11, 2024 21:58
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save pandeybk/4ff39aa3b29fa8707492007d38cadbde to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save pandeybk/4ff39aa3b29fa8707492007d38cadbde to your computer and use it in GitHub Desktop.
Download ZIP
Raw
create-new-ldap-users-and-group.sh
# User passwords
USER_PASS_JDOE="UserPass123"
USER_PASS_JSMITH="UserPass123"
USER_PASS_BJOHNSON="UserPass123"
# Generate hashed passwords
LDAPHASHEDPASS_JDOE=$(slappasswd -s "$USER_PASS_JDOE")
LDAPHASHEDPASS_JSMITH=$(slappasswd -s "$USER_PASS_JSMITH")
LDAPHASHEDPASS_BJOHNSON=$(slappasswd -s "$USER_PASS_BJOHNSON")
cat <<EOF > /tmp/jdoe.ldif
dn: uid=jdoe,ou=People,$DC
objectClass: inetOrgPerson
cn: John Doe
sn: Doe
givenName: John
uid: jdoe
mail: jdoe@$DOMAIN
userPassword: $LDAPHASHEDPASS_JDOE
EOF
cat <<EOF > /tmp/jsmith.ldif
dn: uid=jsmith,ou=People,$DC
objectClass: inetOrgPerson
cn: Jane Smith
sn: Smith
givenName: Jane
uid: jsmith
mail: jsmith@$DOMAIN
userPassword: $LDAPHASHEDPASS_JSMITH
EOF
cat <<EOF > /tmp/bjohnson.ldif
dn: uid=bjohnson,ou=People,$DC
objectClass: inetOrgPerson
cn: Bob Johnson
sn: Johnson
givenName: Bob
uid: bjohnson
mail: bjohnson@$DOMAIN
userPassword: $LDAPHASHEDPASS_BJOHNSON
EOF
# Create users
ldapadd -x -H ldaps://$DOMAIN -D "$LDAP_MANAGER_DN" -w "$LDAP_ROOT_PASS" -f /tmp/jdoe.ldif
ldapadd -x -H ldaps://$DOMAIN -D "$LDAP_MANAGER_DN" -w "$LDAP_ROOT_PASS" -f /tmp/jsmith.ldif
ldapadd -x -H ldaps://$DOMAIN -D "$LDAP_MANAGER_DN" -w "$LDAP_ROOT_PASS" -f /tmp/bjohnson.ldif
# Verify users
ldapsearch -x -H ldaps://$DOMAIN -D "$LDAP_MANAGER_DN" -w "$LDAP_ROOT_PASS" -b "$DC" "(uid=jdoe)"
ldapsearch -x -H ldaps://$DOMAIN -D "$LDAP_MANAGER_DN" -w "$LDAP_ROOT_PASS" -b "$DC" "(uid=jsmith)"
ldapsearch -x -H ldaps://$DOMAIN -D "$LDAP_MANAGER_DN" -w "$LDAP_ROOT_PASS" -b "$DC" "(uid=bjohnson)"
##############
### Groups ###
##############
cat <<EOF > /tmp/groups_ou.ldif
dn: ou=Groups,$DC
objectClass: organizationalUnit
ou: Groups
EOF
ldapadd -x -H ldaps://$DOMAIN -D "$LDAP_MANAGER_DN" -w "$LDAP_ROOT_PASS" -f /tmp/groups_ou.ldif
cat <<EOF > /tmp/developers_group.ldif
dn: cn=developers,ou=Groups,$DC
objectClass: groupOfNames
cn: developers
member: uid=jdoe,ou=People,$DC
member: uid=jsmith,ou=People,$DC
EOF
cat <<EOF > /tmp/admins_group.ldif
dn: cn=admins,ou=Groups,$DC
objectClass: groupOfNames
cn: admins
member: uid=bpandey,ou=People,$DC
member: uid=bjohnson,ou=People,$DC
EOF
cat <<EOF > /tmp/superadmins_group.ldif
dn: cn=superadmins,ou=Groups,$DC
objectClass: groupOfNames
cn: superadmins
member: uid=bpandey,ou=People,$DC
EOF
ldapadd -x -H ldaps://$DOMAIN -D "$LDAP_MANAGER_DN" -w "$LDAP_ROOT_PASS" -f /tmp/developers_group.ldif
ldapadd -x -H ldaps://$DOMAIN -D "$LDAP_MANAGER_DN" -w "$LDAP_ROOT_PASS" -f /tmp/admins_group.ldif
ldapadd -x -H ldaps://$DOMAIN -D "$LDAP_MANAGER_DN" -w "$LDAP_ROOT_PASS" -f /tmp/superadmins_group.ldif
# Verify groups
ldapsearch -x -H ldaps://$DOMAIN -D "$LDAP_MANAGER_DN" -w "$LDAP_ROOT_PASS" -b "ou=Groups,$DC" "(cn=developers)"
Raw
ldap-sync-config.yaml
kind: LDAPSyncConfig
apiVersion: v1
url: ldaps://dtldap.xtoph152.dfw.ocp.run:636
bindDN: cn=Directory Manager
bindPassword: "LDAPRootPass123"
ca: /tmp/ldap-ca.crt
rfc2307:
groupsQuery:
baseDN: ou=Groups,dc=dtldap,dc=xtoph152,dc=dfw,dc=ocp,dc=run
scope: sub
derefAliases: never
filter: (objectClass=groupOfNames)
groupUIDAttribute: dn
groupNameAttributes: [ cn ]
groupMembershipAttributes: [ member ]
usersQuery:
baseDN: ou=People,dc=dtldap,dc=xtoph152,dc=dfw,dc=ocp,dc=run
scope: sub
derefAliases: never
pageSize: 0
userUIDAttribute: dn
userNameAttributes: [ uid ]
tolerateMemberNotFoundErrors: false
tolerateMemberOutOfScopeErrors: false
Raw
oauth.yaml
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
annotations:
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
release.openshift.io/create-only: "true"
name: cluster
spec:
identityProviders:
- ldap:
attributes:
email:
- mail
id:
- dn
name:
- cn
preferredUsername:
- uid
bindDN: cn=Directory Manager
bindPassword:
name: ldap-bind-password-l489k
ca:
name: ldap-ca-mb5k5
insecure: false
url: ldaps://dtldap.xtoph152.dfw.ocp.run:636/ou=People,dc=dtldap,dc=xtoph152,dc=dfw,dc=ocp,dc=run?uid
mappingMethod: claim
name: ldap
type: LDAP
Raw
setup-ldapserver-rhel9.sh
#!/bin/bash
set -x
# Ensure the script is run as root
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit
fi
# Variables
DOMAIN="dtldap.xtoph152.dfw.ocp.run"
DC="dc=dtldap,dc=xtoph152,dc=dfw,dc=ocp,dc=run"
LDAP_ROOT_PASS="LDAPRootPass123"
LDAP_USER_PASS="UserPass123"
LDAP_MANAGER_DN="cn=Directory Manager"
INSTANCE_NAME="ldap"
CERTDB_DIR="/etc/dirsrv/slapd-$INSTANCE_NAME"
# Install 389 Directory Server and OpenLDAP clients
dnf install -y 389-ds-base openldap-clients
# Remove existing instance if any
systemctl stop dirsrv@$INSTANCE_NAME
dsctl $INSTANCE_NAME remove --do-it
# Create an instance configuration file without SSL certificates
cat <<EOF > /tmp/ds_setup.inf
[general]
config_version = 2
[slapd]
instance_name = $INSTANCE_NAME
root_password = $LDAP_ROOT_PASS
[backend-userroot]
suffix = $DC
sample_entries = yes
EOF
# Create the directory server instance and capture output
dscreate from-file /tmp/ds_setup.inf | tee dscreate_output.txt
# Start and enable the directory server
systemctl start dirsrv@$INSTANCE_NAME
systemctl enable dirsrv@$INSTANCE_NAME
# Wait for the service to start
sleep 5
# Generate SSL certificates using OpenSSL
cat <<EOF > openssl.conf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = US
ST = CO
L = Denver
O = Red Hat
CN = $DOMAIN
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $DOMAIN
EOF
openssl genrsa -out ldap_server.key 2048
openssl req -new -key ldap_server.key -out ldap_server.csr -config openssl.conf
openssl x509 -req -days 365 -in ldap_server.csr -signkey ldap_server.key -out ldap_server.crt -extensions req_ext -extfile openssl.conf
# Convert certificates to PKCS#12 format
openssl pkcs12 -export -inkey ldap_server.key -in ldap_server.crt -out ldap_server.p12 -name "Server-Cert" -passout pass:""
# Stop the LDAP instance
systemctl stop dirsrv@$INSTANCE_NAME
# Remove existing certificates
certutil -D -d $CERTDB_DIR -n "Server-Cert"
certutil -D -d $CERTDB_DIR -n "Self-Signed-CA"
# Import the new certificate
pk12util -i ldap_server.p12 -d $CERTDB_DIR -K ''
# Set trust attributes
certutil -M -n "Server-Cert" -t "u,u,u" -d $CERTDB_DIR
# Start the LDAP instance
systemctl start dirsrv@$INSTANCE_NAME
# Export the server certificate
certutil -L -d $CERTDB_DIR -n "Server-Cert" -a > ldap-server.crt
# Add hostname to /etc/hosts
echo "127.0.0.1 $DOMAIN" >> /etc/hosts
# Configure LDAP client to trust the server's certificate
cp ldap-server.crt /etc/openldap/certs/
chown root:root /etc/openldap/certs/ldap-server.crt
chmod 644 /etc/openldap/certs/ldap-server.crt
echo "TLS_CACERT /etc/openldap/certs/ldap-server.crt" >> /etc/openldap/ldap.conf
echo "TLS_REQCERT allow" >> /etc/openldap/ldap.conf
# Verify the base DN exists
ldapsearch -x -H ldaps://$DOMAIN -D "$LDAP_MANAGER_DN" -w "$LDAP_ROOT_PASS" -b "$DC" -s base "(objectclass=*)"
# Add People organizational unit
cat <<EOF > /tmp/people.ldif
dn: ou=People,$DC
objectClass: organizationalUnit
ou: People
EOF
ldapadd -x -H ldaps://$DOMAIN -D "$LDAP_MANAGER_DN" -w "$LDAP_ROOT_PASS" -f /tmp/people.ldif
# Add a user
cat <<EOF > /tmp/user.ldif
dn: uid=bpandey,ou=People,$DC
objectClass: inetOrgPerson
cn: Balkrishna Pandey
sn: Pandey
givenName: Balkrishna
uid: bpandey
mail: bpandey@$DOMAIN
userPassword: $LDAP_USER_PASS
EOF
ldapadd -x -H ldaps://$DOMAIN -D "$LDAP_MANAGER_DN" -w "$LDAP_ROOT_PASS" -f /tmp/user.ldif
echo "LDAP server setup complete with domain $DOMAIN."
echo "User 'bpandey' has been created with password '$LDAP_USER_PASS'."
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment