authorEndi S. Dewata <edewata@redhat.com>2017-07-20 07:28:26 +0200
committerEndi S. Dewata <edewata@redhat.com>2017-07-20 07:28:26 +0200
commitd2cc01d76e69f8d3602c5181263b95cbcd1c79a3 (patch)
tree7b136f1a76e2e808bc48332283054d9f05d4863d /scripts
parentc23e0e44df69e44cb21c0e564ff1a7e2a7b67fd5 (diff)
Added DS scripts.
Diffstat (limited to 'scripts')
-rwxr-xr-xscripts/ds-admin-create.sh18
-rwxr-xr-xscripts/ds-admin-remove.sh3
-rwxr-xr-xscripts/ds-backend-shared-create.sh26
-rwxr-xr-xscripts/ds-backup.sh5
-rwxr-xr-xscripts/ds-cert-import.sh9
-rwxr-xr-xscripts/ds-cert-list.sh6
-rwxr-xr-xscripts/ds-cert-remove.sh6
-rwxr-xr-xscripts/ds-cert-show.sh6
-rwxr-xr-xscripts/ds-console.sh3
-rwxr-xr-xscripts/ds-create.sh8
-rwxr-xr-xscripts/ds-debug-enable.sh10
-rwxr-xr-xscripts/ds-debug-show.sh3
-rwxr-xr-xscripts/ds-init.sh5
-rwxr-xr-xscripts/ds-insecure-check.sh6
-rwxr-xr-xscripts/ds-insecure-disable.sh19
-rwxr-xr-xscripts/ds-insecure-enable.sh18
-rwxr-xr-xscripts/ds-key-list.sh6
-rwxr-xr-xscripts/ds-ldapi-enable.sh10
-rwxr-xr-xscripts/ds-nss-create.sh53
-rwxr-xr-xscripts/ds-nss-request.sh14
-rwxr-xr-xscripts/ds-nss-verify.sh4
-rwxr-xr-xscripts/ds-nuke.sh15
-rwxr-xr-xscripts/ds-openssl-create.sh25
-rwxr-xr-xscripts/ds-openssl-verify.sh11
-rwxr-xr-xscripts/ds-populate.sh31
-rwxr-xr-xscripts/ds-restore.sh11
-rwxr-xr-xscripts/ds-ssl-create.sh18
-rwxr-xr-xscripts/ds-ssl-enable.sh25
-rwxr-xr-xscripts/ds-ssl-show.sh4
-rwxr-xr-xscripts/ds-ssl-test.sh6
30 files changed, 383 insertions, 1 deletions
diff --git a/scripts/ds-admin-create.sh b/scripts/ds-admin-create.sh
new file mode 100755
index 0000000..2e0b422
--- /dev/null
+++ b/scripts/ds-admin-create.sh
@@ -0,0 +1,18 @@
+#!/bin/sh -x
+
+setup-ds-admin.pl --silent --\
+ General.FullMachineName=$HOSTNAME\
+ General.SuiteSpotUserID=nobody\
+ General.SuiteSpotGroup=nobody\
+ General.AdminDomain=example.com\
+ General.ConfigDirectoryAdminID=admin\
+ General.ConfigDirectoryAdminPwd=Secret123\
+ General.ConfigDirectoryLdapURL=ldap://$HOSTNAME:389/o=NetscapeRoot\
+ slapd.ServerPort=389\
+ slapd.ServerIdentifier=pki-tomcat\
+ slapd.Suffix=dc=example,dc=com\
+ slapd.RootDN="cn=Directory Manager"\
+ slapd.RootDNPwd=Secret123\
+ admin.Port=9830\
+ admin.ServerAdminID=admin\
+ admin.ServerAdminPwd=Secret123
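Review bot: `slapd.RootDNPwd=Secret123` here disagrees with the `slapd.RootDNPwd=Secret.123` that ds-create.sh switches to in this same commit for the same `slapd.ServerIdentifier=pki-tomcat`, so whichever of the two runs second is configured against a different Directory Manager password. Every credential in this file is also passed on the command line under `#!/bin/sh -x`, which echoes the complete setup-ds-admin.pl invocation, passwords included, to stderr and leaves them visible in the process list while it runs. Consider reading them from a mode-0600 file (the NSS scripts already keep a `password.txt`) and dropping `-x` from the shebang, or at least a header comment stating that these are throw-away development credentials. The same `-w Secret123` on argv recurs in nearly every ldapsearch/ldapmodify/ldapadd call in this commit, where OpenLDAP's `-y <file>` reads the bind password from a file instead.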
diff --git a/scripts/ds-admin-remove.sh b/scripts/ds-admin-remove.sh
new file mode 100755
index 0000000..e5ea400
--- /dev/null
+++ b/scripts/ds-admin-remove.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+remove-ds-admin.pl -f -a -y
diff --git a/scripts/ds-backend-shared-create.sh b/scripts/ds-backend-shared-create.sh
new file mode 100755
index 0000000..4cc74a7
--- /dev/null
+++ b/scripts/ds-backend-shared-create.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+ldapadd -x -D "cn=Directory Manager" -w Secret123 << EOF
+dn: cn=pki,cn=ldbm database,cn=plugins,cn=config
+objectClass: top
+objectClass: nsBackendInstance
+objectClass: extensibleObject
+cn: pki
+nsslapd-suffix: dc=pki,dc=example,dc=com
+EOF
+
+ldapadd -x -D "cn=Directory Manager" -w Secret123 << EOF
+dn: cn="dc=pki,dc=example,dc=com",cn=mapping tree,cn=config
+objectClass: top
+objectClass: extensibleObject
+objectClass: nsMappingTree
+cn: dc=pki,dc=example,dc=com
+nsslapd-backend: pki
+nsslapd-state: backend
+EOF
+
+ldapadd -x -D "cn=Directory Manager" -w Secret123 << EOF
+dn: dc=pki,dc=example,dc=com
+objectClass: domain
+dc: pki
+EOF
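Review bot: The mapping-tree entry and the `dc=pki,dc=example,dc=com` root entry are added even when the preceding `ldapadd` for the `cn=pki` backend fails, since the script has no `set -e` and never checks an exit status, which leaves a half-created backend that is awkward to clean up. The three here-documents can be one `ldapadd` call with the entries separated by a blank line, so the bind happens once and (without `-c`) the first rejected entry stops the batch. A one-line header comment naming what the script creates (a separate `pki` ldbm backend with its own suffix) would also help, since the file name alone does not say that.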
diff --git a/scripts/ds-backup.sh b/scripts/ds-backup.sh
new file mode 100755
index 0000000..b9a5f77
--- /dev/null
+++ b/scripts/ds-backup.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+db2ldif -Z pki-tomcat -U -n ca -a /tmp/ca.ldif
+
+/bin/cp /tmp/ca.ldif .
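Review bot: `db2ldif ... -a /tmp/ca.ldif` exports the CA database to a fixed, predictable name in a world-writable directory, so another local user can pre-create or symlink that path before the export runs, and the following `/bin/cp /tmp/ca.ldif .` copies whatever ends up there. Since `db2ldif` presumably runs as the directory server user, a safer default is to omit `-a` and let it write into the instance's own export directory, or to create a directory with `mktemp -d` and `chown` it to that user before the export. ds-restore.sh in this commit uses the same `/tmp/ca.ldif` path in the other direction.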
diff --git a/scripts/ds-cert-import.sh b/scripts/ds-cert-import.sh
new file mode 100755
index 0000000..9dd6dcd
--- /dev/null
+++ b/scripts/ds-cert-import.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+NICKNAME=$1
+FILENAME=$2
+
+INSTANCE=pki-tomcat
+NSSDB_DIR=/etc/dirsrv/slapd-$INSTANCE
+
+certutil -A -d $NSSDB_DIR -n "$NICKNAME" -i $FILENAME -a -t "CT,C,C"
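Review bot: `$FILENAME` on the `certutil -A` line is unquoted and neither argument is validated, so running the script with no arguments fails with a certutil error rather than a usage message, and a path containing whitespace is split. A guard such as `[ $# -eq 2 ] || { echo "usage: ds-cert-import.sh <nickname> <file>" >&2; exit 1; }` plus `-i "$FILENAME"` fixes both. The trust flags `"CT,C,C"` mark the imported certificate as a trusted CA for SSL, e-mail and object signing; since ds-ssl-enable.sh expects a server certificate under the nickname `$HOSTNAME` and this script may be what installs it, a comment stating that the flags are meant for CA certificates, or making them a third argument, would avoid granting CA trust to a leaf certificate by accident.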
diff --git a/scripts/ds-cert-list.sh b/scripts/ds-cert-list.sh
new file mode 100755
index 0000000..5441be7
--- /dev/null
+++ b/scripts/ds-cert-list.sh
@@ -0,0 +1,6 @@
+#!/bin/sh -x
+
+INSTANCE=pki-tomcat
+NSSDB_DIR=/etc/dirsrv/slapd-$INSTANCE
+
+certutil -L -d $NSSDB_DIR
diff --git a/scripts/ds-cert-remove.sh b/scripts/ds-cert-remove.sh
new file mode 100755
index 0000000..c319920
--- /dev/null
+++ b/scripts/ds-cert-remove.sh
@@ -0,0 +1,6 @@
+#!/bin/sh -x
+
+INSTANCE=pki-tomcat
+NSSDB_DIR=/etc/dirsrv/slapd-$INSTANCE
+
+certutil -F -d $NSSDB_DIR -f $NSSDB_DIR/password.txt -n "DS Certificate"
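Review bot: `certutil -F` deletes the private key together with the certificate, which is more than the name ds-cert-remove.sh suggests and is irreversible for a key that was generated inside the database by ds-nss-request.sh. A comment such as `# -F removes the private key as well as the certificate; use -D to drop only the certificate` above the call would make that explicit.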
diff --git a/scripts/ds-cert-show.sh b/scripts/ds-cert-show.sh
new file mode 100755
index 0000000..903c83e
--- /dev/null
+++ b/scripts/ds-cert-show.sh
@@ -0,0 +1,6 @@
+#!/bin/sh -x
+
+INSTANCE=pki-tomcat
+NSSDB_DIR=/etc/dirsrv/slapd-$INSTANCE
+
+certutil -L -d $NSSDB_DIR -n "DS Certificate"
diff --git a/scripts/ds-console.sh b/scripts/ds-console.sh
new file mode 100755
index 0000000..c3d9ce0
--- /dev/null
+++ b/scripts/ds-console.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+389-console -a http://$HOSTNAME:9830 -u "cn=Directory Manager" -w Secret123
diff --git a/scripts/ds-create.sh b/scripts/ds-create.sh
index 759160b..12379a4 100755
--- a/scripts/ds-create.sh
+++ b/scripts/ds-create.sh
@@ -8,4 +8,10 @@ setup-ds.pl --silent --\
slapd.ServerIdentifier=pki-tomcat\
slapd.Suffix=dc=example,dc=com\
slapd.RootDN="cn=Directory Manager"\
- slapd.RootDNPwd=Secret123
+ slapd.RootDNPwd=Secret.123
+
+ldapadd -x -D "cn=Directory Manager" -w Secret.123 << EOF
+dn: dc=pki,dc=example,dc=com
+objectClass: domain
+dc: pki
+EOF
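Review bot: Changing `slapd.RootDNPwd` to `Secret.123` on the new side is not carried through the rest of this commit: ds-admin-create.sh, ds-init.sh, ds-backend-shared-create.sh, ds-populate.sh, ds-ssl-enable.sh and the other new scripts still bind with `-w Secret123`, and only ds-debug-enable.sh and ds-debug-show.sh use `Secret.123`, so the sequences in ds-restore.sh and ds-ssl-create.sh (ds-create.sh followed by ds-init.sh or ds-ssl-enable.sh) will fail to authenticate. Either keep `Secret123` on this line or move the value into one sourced file that every script reads. The `setup-ds.pl` command this hunk modifies starts above the hunk.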
diff --git a/scripts/ds-debug-enable.sh b/scripts/ds-debug-enable.sh
new file mode 100755
index 0000000..ce3328c
--- /dev/null
+++ b/scripts/ds-debug-enable.sh
@@ -0,0 +1,10 @@
+#!/bin/sh -x
+
+ldapmodify -x -D "cn=Directory Manager" -w Secret.123 <<EOF
+dn: cn=config
+changetype: modify
+replace: nsslapd-errorlog-level
+nsslapd-errorlog-level: 16384
+EOF
+
+systemctl restart dirsrv@pki-tomcat.service
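Review bot: The value on the `nsslapd-errorlog-level: 16384` line is an opaque bitmask to anyone reading this later, and the script name promises "debug" without saying which category of logging it turns on; a comment such as `# nsslapd-errorlog-level is a bitmask; see the 389 DS error-log level table for what 16384 selects` would document the choice, and ds-debug-show.sh is the place to read it back. `systemctl restart` also runs unconditionally, so a rejected modify still restarts the instance; `ldapmodify ... && systemctl restart dirsrv@pki-tomcat.service`, or `set -e` at the top, ties the two together.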
diff --git a/scripts/ds-debug-show.sh b/scripts/ds-debug-show.sh
new file mode 100755
index 0000000..2b78bb0
--- /dev/null
+++ b/scripts/ds-debug-show.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+ldapsearch -x -D "cn=Directory Manager" -w Secret.123 -b cn=config -s base nsslapd-errorlog-level
diff --git a/scripts/ds-init.sh b/scripts/ds-init.sh
new file mode 100755
index 0000000..8dce094
--- /dev/null
+++ b/scripts/ds-init.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+ldapmodify -x -D "cn=Directory Manager" -w Secret123 -f /usr/share/pki/server/conf/schema.ldif
+
+ldapmodify -x -D "cn=Directory Manager" -w Secret123 -f /usr/share/pki/server/conf/database.ldif
diff --git a/scripts/ds-insecure-check.sh b/scripts/ds-insecure-check.sh
new file mode 100755
index 0000000..b63ce51
--- /dev/null
+++ b/scripts/ds-insecure-check.sh
@@ -0,0 +1,6 @@
+#!/bin/sh -x
+
+# disable anonymous access
+LDAPTLS_CACERT=ds.crt \
+ ldapsearch -H ldaps://$HOSTNAME:636 -x -D "cn=Directory Manager" -w Secret123 -b "cn=config" -s base\
+ nsslapd-allow-anonymous-access nsslapd-minssf nsslapd-require-secure-binds
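Review bot: The comment `# disable anonymous access` does not match what follows, which is a read-only `ldapsearch` of three config attributes; it should read something like `# show the current anonymous-access, minimum SSF and secure-bind settings`. The search pins the CA as `LDAPTLS_CACERT=ds.crt`, whereas ds-insecure-disable.sh in this commit uses `LDAPTLS_CACERT=$HOSTNAME.crt` for the same server; ds-nss-create.sh writes both files from different certificates, so one of the two scripts is probably trusting the wrong one, and a shared variable would keep them aligned.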
diff --git a/scripts/ds-insecure-disable.sh b/scripts/ds-insecure-disable.sh
new file mode 100755
index 0000000..ec2b4d5
--- /dev/null
+++ b/scripts/ds-insecure-disable.sh
@@ -0,0 +1,19 @@
+#!/bin/sh -x
+
+# disable insecure connection
+LDAPTLS_CACERT=$HOSTNAME.crt \
+ ldapmodify -H ldaps://$HOSTNAME:636 -x -D "cn=Directory Manager" -w Secret123 << EOF
+dn: cn=config
+changetype: modify
+replace: nsslapd-allow-anonymous-access
+nsslapd-allow-anonymous-access: rootdse
+-
+replace: nsslapd-minssf
+nsslapd-minssf: 56
+-
+replace: nsslapd-require-secure-binds
+nsslapd-require-secure-binds: on
+-
+EOF
+
+systemctl restart dirsrv@pki-tomcat.service
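Review bot: `nsslapd-minssf: 56` only requires a 56-bit security strength factor, which still admits ciphers far below what is commonly recommended today; unless a specific client needs it, a higher floor such as 128 is the more defensible setting for a script whose stated purpose is to disable insecure connections, and the chosen value deserves a comment either way. As in ds-insecure-enable.sh, `systemctl restart` runs whether or not the `ldapmodify` succeeded, so a rejected modify leaves the server in its previous state behind a restart that looks like success; `set -e` at the top, or chaining the restart with `&&`, would surface that.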
diff --git a/scripts/ds-insecure-enable.sh b/scripts/ds-insecure-enable.sh
new file mode 100755
index 0000000..f78dded
--- /dev/null
+++ b/scripts/ds-insecure-enable.sh
@@ -0,0 +1,18 @@
+#!/bin/sh -x
+
+# enable insecure connection
+ldapmodify -x -D "cn=Directory Manager" -w Secret123 << EOF
+dn: cn=config
+changetype: modify
+replace: nsslapd-allow-anonymous-access
+nsslapd-allow-anonymous-access: on
+-
+replace: nsslapd-minssf
+nsslapd-minssf: 0
+-
+replace: nsslapd-require-secure-binds
+nsslapd-require-secure-binds: off
+-
+EOF
+
+systemctl restart dirsrv@pki-tomcat.service
diff --git a/scripts/ds-key-list.sh b/scripts/ds-key-list.sh
new file mode 100755
index 0000000..6126a5e
--- /dev/null
+++ b/scripts/ds-key-list.sh
@@ -0,0 +1,6 @@
+#!/bin/sh -x
+
+INSTANCE=pki-tomcat
+NSSDB_DIR=/etc/dirsrv/slapd-$INSTANCE
+
+certutil -K -d $NSSDB_DIR -f $NSSDB_DIR/password.txt
diff --git a/scripts/ds-ldapi-enable.sh b/scripts/ds-ldapi-enable.sh
new file mode 100755
index 0000000..9e033b9
--- /dev/null
+++ b/scripts/ds-ldapi-enable.sh
@@ -0,0 +1,10 @@
+#!/bin/sh -x
+
+ldapmodify -h `hostname` -p 389 -D "cn=Directory Manager" -w Secret123 -x <<EOF
+dn: cn=config
+changetype: modify
+replace: nsslapd-ldapilisten
+nsslapd-ldapilisten: on
+EOF
+
+systemctl restart dirsrv@pki-tomcat.service
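Review bot: `-h \`hostname\` -p 389` mixes backtick substitution and an explicit host/port with the `$HOSTNAME` and default-URI style used by every other ldapmodify call in this commit (compare ds-ssl-enable.sh); `$(hostname)`, or simply dropping `-h`/`-p` to match the siblings, would make the scripts uniform. A one-line comment saying why the LDAPI (local UNIX-socket) listener is being enabled would help, since nothing else in this commit uses an `ldapi://` URI.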
diff --git a/scripts/ds-nss-create.sh b/scripts/ds-nss-create.sh
new file mode 100755
index 0000000..81232da
--- /dev/null
+++ b/scripts/ds-nss-create.sh
@@ -0,0 +1,53 @@
+#!/bin/sh -x
+
+INSTANCE=pki-tomcat
+PASSWORD=Secret123
+NSSDB_DIR=/etc/dirsrv/slapd-$INSTANCE
+
+echo $PASSWORD > $NSSDB_DIR/password.txt
+chown nobody.nobody $NSSDB_DIR/password.txt
+chmod 400 $NSSDB_DIR/password.txt
+
+echo "Internal (Software) Token:$PASSWORD" > $NSSDB_DIR/pin.txt
+chown nobody.nobody $NSSDB_DIR/pin.txt
+chmod 400 $NSSDB_DIR/pin.txt
+
+certutil -W -d $NSSDB_DIR -f $NSSDB_DIR/password.txt
+
+echo -e "y\n\ny\n" | \
+ certutil -S -x \
+ -d $NSSDB_DIR \
+ -f $NSSDB_DIR/password.txt \
+ -z noise.bin \
+ -n "DS CA Signing Certificate" \
+ -s "CN=DS CA Signing Certificate" \
+ -t "CTu,Cu,Cu" \
+ -m $RANDOM\
+ -2 \
+ --keyUsage certSigning \
+ --nsCertType sslCA,smimeCA,objectSigningCA
+
+certutil -L -d $NSSDB_DIR -n "DS CA Signing Certificate" -a > ca.crt
+
+echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\n" | \
+ certutil -C -a \
+ -d $NSSDB_DIR \
+ -f $NSSDB_DIR/password.txt \
+ -m $RANDOM \
+ -i ds.csr \
+ -o ds.crt \
+ -c "DS CA Signing Certificate" \
+ -1 -2
+
+#echo -e "0\n1\n2\n3\n9\ny\n" | \
+# certutil -S -x \
+# -d $NSSDB_DIR \
+# -f $NSSDB_DIR/password.txt \
+# -z noise.bin \
+# -n "$HOSTNAME" \
+# -s "CN=$HOSTNAME" \
+# -t "CT,C,C" \
+# -m $RANDOM\
+# -1
+
+certutil -L -d $NSSDB_DIR -n "$HOSTNAME" -a > $HOSTNAME.crt
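Review bot: `echo $PASSWORD > $NSSDB_DIR/password.txt` (and the `pin.txt` line below it) creates the file under the caller's default umask and only then runs `chmod 400`, so the NSS database password is briefly readable by other users, and with `#!/bin/sh -x` it is also echoed to stderr by the trace; `umask 077` at the top of the script closes the window, and the same applies to ds-openssl-create.sh. `$RANDOM` is a bash extension that is empty under a POSIX `/bin/sh` (leaving `-m` without a value) and is only 15 bits wide, so two runs can easily collide on the serial number; `-m $(od -An -N4 -tu4 /dev/urandom)` gives a full-width value. The final `certutil -L -n "$HOSTNAME"` refers to the self-signed block that is commented out above it, while the signed certificate from `certutil -C` is only written to ds.crt and never imported here, so as written that line presumably fails unless ds-cert-import.sh has already been run; a comment on the intended order, or moving the line, would clarify. `chown nobody.nobody` uses the deprecated dot separator; `nobody:nobody` is the portable form.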
diff --git a/scripts/ds-nss-request.sh b/scripts/ds-nss-request.sh
new file mode 100755
index 0000000..8665f22
--- /dev/null
+++ b/scripts/ds-nss-request.sh
@@ -0,0 +1,14 @@
+#!/bin/sh -x
+
+INSTANCE=pki-tomcat
+PASSWORD=Secret123
+NSSDB_DIR=/etc/dirsrv/slapd-$INSTANCE
+
+certutil -R \
+ -d $NSSDB_DIR \
+ -f $NSSDB_DIR/password.txt \
+ -s "CN=$HOSTNAME" \
+ -g 2048 \
+ -z noise.bin \
+ -o ds.csr \
+ -a
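Review bot: `PASSWORD=Secret123` is assigned but never used in this script (`certutil -R` reads the password from `-f $NSSDB_DIR/password.txt`), so it should be removed to avoid a second copy of the credential that has to be kept in sync. A short header comment noting that this writes a PEM request for `CN=$HOSTNAME` to ds.csr, to be signed by ds-nss-create.sh, would document the intended order of the NSS scripts.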
diff --git a/scripts/ds-nss-verify.sh b/scripts/ds-nss-verify.sh
new file mode 100755
index 0000000..e522d04
--- /dev/null
+++ b/scripts/ds-nss-verify.sh
@@ -0,0 +1,4 @@
+#!/bin/sh -x
+
+/usr/lib64/mozldap/ldapsearch -Z -h $HOSTNAME -p 636 -D "cn=Directory Manager" -w Secret123 \
+ -P /etc/dirsrv/slapd-pki-tomcat -b "dc=example,dc=com" -s base "(objectClass=*)"
diff --git a/scripts/ds-nuke.sh b/scripts/ds-nuke.sh
new file mode 100755
index 0000000..92f8dc7
--- /dev/null
+++ b/scripts/ds-nuke.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+INSTANCE_NAME=$1
+
+if [ "$INSTANCE_NAME" == "" ]; then
+ echo "usage: ds-nuke.sh <instance name>"
+ exit 1
+fi
+
+echo "Deleting instance $INSTANCE_NAME"
+
+rm -rf /etc/dirsrv/slapd-$INSTANCE_NAME
+rm -rf /etc/dirsrv/slapd-$INSTANCE_NAME.removed
+rm -rf /var/lock/dirsrv/slapd-$INSTANCE_NAME
+rm -rf /var/log/dirsrv/slapd-$INSTANCE_NAME
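Review bot: `[ "$INSTANCE_NAME" == "" ]` uses the bash-only `==` under a `#!/bin/sh` shebang, which a POSIX sh such as dash rejects before the usage check runs; `if [ -z "$INSTANCE_NAME" ]; then` is the portable form. The four `rm -rf /etc/dirsrv/slapd-$INSTANCE_NAME...` lines leave the expansion unquoted, so an argument containing whitespace or glob characters is split or expanded before deletion; quote it as `"/etc/dirsrv/slapd-$INSTANCE_NAME"` in each. The usage message should also go to stderr with `>&2`.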
diff --git a/scripts/ds-openssl-create.sh b/scripts/ds-openssl-create.sh
new file mode 100755
index 0000000..3cfe71c
--- /dev/null
+++ b/scripts/ds-openssl-create.sh
@@ -0,0 +1,25 @@
+#!/bin/sh -x
+
+cp password.txt /etc/dirsrv/slapd-pki-tomcat/password.txt
+chown nobody.nobody /etc/dirsrv/slapd-pki-tomcat/password.txt
+chmod 400 /etc/dirsrv/slapd-pki-tomcat/password.txt
+echo "Internal (Software) Token:`cat /etc/dirsrv/slapd-pki-tomcat/password.txt`" > /etc/dirsrv/slapd-pki-tomcat/pin.txt
+chown nobody.nobody /etc/dirsrv/slapd-pki-tomcat/pin.txt
+chmod 400 /etc/dirsrv/slapd-pki-tomcat/pin.txt
+
+# generate CA certificate
+#openssl req -newkey rsa:2048 -keyout dsca.key -nodes -x509 -out dsca.pem -subj "/CN=CAcert" -days 365
+#openssl pkcs12 -export -in dsca.pem -inkey dsca.key -out dsca.p12 -name "CA certificate" -passout pass:Secret123
+#pk12util -i dsca.p12 -d /etc/dirsrv/slapd-pki-tomcat -k /etc/dirsrv/slapd-pki-tomcat/pwdfile.txt -W Secret123
+#certutil -M -d /etc/dirsrv/slapd-pki-tomcat -n "CA certificate" -t "CTu,u,u"
+
+# generate server certificate
+#openssl req -newkey rsa:2048 -keyout ds.key -nodes -new -out ds.csr -subj "/CN=$HOSTNAME" -days 365
+#openssl x509 -req -in ds.csr -CA dsca.pem -CAkey dsca.key -CAcreateserial -out ds.pem
+#openssl pkcs12 -export -in ds.pem -inkey ds.key -out ds.p12 -name "Server-Cert" -passout pass:Secret123
+#pk12util -i ds.p12 -d /etc/dirsrv/slapd-pki-tomcat -k /etc/dirsrv/slapd-pki-tomcat/pwdfile.txt -W Secret123
+
+openssl req -newkey rsa:2048 -keyout ds.key -nodes -x509 -out ds.crt -subj "/CN=$HOSTNAME" -days 365
+openssl pkcs12 -export -in ds.crt -inkey ds.key -out ds.p12 -name "DS Certificate" -passout file:/etc/dirsrv/slapd-pki-tomcat/password.txt
+pk12util -i ds.p12 -d /etc/dirsrv/slapd-pki-tomcat -k /etc/dirsrv/slapd-pki-tomcat/password.txt -w /etc/dirsrv/slapd-pki-tomcat/password.txt
+certutil -M -d /etc/dirsrv/slapd-pki-tomcat -n "DS Certificate" -t "CT,C,C"
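Review bot: `/etc/dirsrv/slapd-pki-tomcat` is spelled out ten times in this file while the sibling NSS scripts derive it from `INSTANCE` and `NSSDB_DIR`; using the same two variables here keeps the scripts consistent and makes the instance name a single edit. The `echo "Internal (Software) Token:..." > .../pin.txt` redirect runs before its `chmod 400`, so the token PIN is created under the default umask until the chmod lands; `umask 077` at the top, as for ds-nss-create.sh, avoids the window. `openssl req ... -nodes -keyout ds.key` leaves an unencrypted private key, plus the `ds.p12` bundle of it, in the current directory after `pk12util -i` has imported it; either remove them at the end or add a comment saying why they are kept.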
diff --git a/scripts/ds-openssl-verify.sh b/scripts/ds-openssl-verify.sh
new file mode 100755
index 0000000..db77b64
--- /dev/null
+++ b/scripts/ds-openssl-verify.sh
@@ -0,0 +1,11 @@
+#!/bin/sh -x
+
+LDAPTLS_CACERT=ds.crt \
+ ldapsearch -H ldaps://$HOSTNAME:636 -x -D "cn=Directory Manager" -w Secret123 \
+ -b "dc=example,dc=com" -s base "(objectClass=*)"
+
+LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-pki-tomcat \
+ ldapsearch -H ldaps://$HOSTNAME:636 \
+ -x -D "cn=Directory Manager" -w Secret123 \
+ -b "dc=example,dc=com" -s base "(objectClass=*)"
+
diff --git a/scripts/ds-populate.sh b/scripts/ds-populate.sh
new file mode 100755
index 0000000..1e84e94
--- /dev/null
+++ b/scripts/ds-populate.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+/bin/cp /usr/share/pki/ca/conf/index.ldif .
+sed -i "s/{database}/ca/" index.ldif
+ldapadd -x -D "cn=Directory Manager" -w Secret123 -f index.ldif
+
+ldapadd -x -D "cn=Directory Manager" -w Secret123 << EOF
+dn: dc=ca,dc=example,dc=com
+objectClass: top
+objectClass: domain
+dc: ca
+EOF
+
+/bin/cp /usr/share/pki/ca/conf/db.ldif .
+sed -i "s/{rootSuffix}/dc=ca,dc=example,dc=com/" db.ldif
+ldapadd -x -D "cn=Directory Manager" -w Secret123 -f db.ldif
+
+/bin/cp /usr/share/pki/ca/conf/acl.ldif .
+sed -i "s/{rootSuffix}/dc=ca,dc=example,dc=com/" acl.ldif
+ldapadd -x -D "cn=Directory Manager" -w Secret123 -f acl.ldif
+
+/bin/cp /usr/share/pki/server/conf/manager.ldif .
+sed -i "s/{rootSuffix}/dc=ca,dc=example,dc=com/" manager.ldif
+sed -i "s/{dbuser}/uid=pkidbuser,ou=people,dc=ca,dc=example,dc=com/" manager.ldif
+ldapadd -x -D "cn=Directory Manager" -w Secret123 -f manager.ldif
+
+/bin/cp /usr/share/pki/ca/conf/vlv.ldif .
+sed -i "s/{instanceId}/pki-tomcat/g" vlv.ldif
+sed -i "s/{database}/ca/g" vlv.ldif
+sed -i "s/{rootSuffix}/dc=ca,dc=example,dc=com/" vlv.ldif
+ldapadd -x -D "cn=Directory Manager" -w Secret123 -f vlv.ldif
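Review bot: The `sed -i` substitutions for `{rootSuffix}`, `{database}` in index.ldif and `{dbuser}` have no `g` flag while the vlv.ldif ones for `{instanceId}` and `{database}` do, so a template line carrying the placeholder twice would be only half expanded; unless the omission is deliberate, use `g` throughout. Each `ldapadd` runs regardless of whether the previous copy, sed or add succeeded, so a failure on db.ldif is followed by acl.ldif, manager.ldif and vlv.ldif adds against a missing suffix; `set -e` at the top would stop at the first failure. The templates are copied into the current directory and edited in place, leaving modified copies behind; a `mktemp -d` work directory removed on exit would keep the caller's directory clean.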
diff --git a/scripts/ds-restore.sh b/scripts/ds-restore.sh
new file mode 100755
index 0000000..97b67df
--- /dev/null
+++ b/scripts/ds-restore.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+./ds-create.sh
+./ds-init.sh
+./ds-backend.sh
+
+./ds-stop.sh
+/bin/cp ca.ldif /tmp/ca.ldif
+./ds-start.sh
+
+ldif2db -Z pki-tomcat -n ca -i /tmp/ca.ldif
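Review bot: This script calls `./ds-backend.sh`, `./ds-stop.sh` and `./ds-start.sh`, none of which appear in this commit's diffstat, while the backend creation this commit adds is named `ds-backend-shared-create.sh`; if those files do not already exist in `scripts/`, the restore stops at the first missing one, so the names are worth confirming. `/bin/cp ca.ldif /tmp/ca.ldif` followed by `ldif2db -i /tmp/ca.ldif` imports from a fixed name in a world-writable directory that another local user could replace between the two steps; a `mktemp -d` directory owned by the directory server user, as suggested for ds-backup.sh, avoids that. Nothing checks that `ds-create.sh` or `ds-init.sh` succeeded before the stop/start and import run.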
diff --git a/scripts/ds-ssl-create.sh b/scripts/ds-ssl-create.sh
new file mode 100755
index 0000000..54570c6
--- /dev/null
+++ b/scripts/ds-ssl-create.sh
@@ -0,0 +1,18 @@
+#!/bin/sh -x
+
+./ds-create.sh
+./ds-stop.sh
+
+sleep 1
+
+./ds-nss-create.sh
+./ds-start.sh
+
+sleep 1
+
+./ds-ssl-enable.sh
+
+sleep 1
+
+./ds-insecure-disable.sh
+
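Review bot: The three `sleep 1` calls stand in for readiness checks between `./ds-stop.sh`, `./ds-start.sh` and the ldapmodify inside `./ds-ssl-enable.sh`, which makes the sequence timing-dependent and fails whenever the instance takes longer than a second to come up; a bounded poll that retries an anonymous root-DSE search until it succeeds is the robust form, as sketched below. `ds-stop.sh` and `ds-start.sh` are not in this commit's diffstat, so they presumably already exist; if not, the script stops there. The file also ends with a stray blank line.
```shell
# constructed example: replace the fixed sleeps with a readiness poll
wait_for_ds() {
  tries=0
  until ldapsearch -x -b "" -s base >/dev/null 2>&1; do
    tries=$((tries + 1))
    [ "$tries" -lt 30 ] || { echo "directory server did not come up" >&2; exit 1; }
    sleep 1
  done
}
# … unchanged: ./ds-create.sh, ./ds-stop.sh, ./ds-nss-create.sh …
./ds-start.sh
wait_for_ds
./ds-ssl-enable.sh
wait_for_ds
./ds-insecure-disable.sh
```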
diff --git a/scripts/ds-ssl-enable.sh b/scripts/ds-ssl-enable.sh
new file mode 100755
index 0000000..0124fe7
--- /dev/null
+++ b/scripts/ds-ssl-enable.sh
@@ -0,0 +1,25 @@
+#!/bin/sh -x
+
+# enable SSL
+ldapmodify -x -D "cn=Directory Manager" -w Secret123 <<EOF
+dn: cn=config
+changetype: modify
+replace: nsslapd-security
+nsslapd-security: on
+
+dn: cn=RSA,cn=encryption,cn=config
+changetype: add
+objectclass: top
+objectclass: nsEncryptionModule
+cn: RSA
+nsSSLPersonalitySSL: $HOSTNAME
+nsSSLToken: internal (software)
+nsSSLActivation: on
+EOF
+
+#dn: cn=encryption,cn=config
+#changetype: modify
+#add: nsSSL3Ciphers
+#nsSSL3Ciphers: +all
+
+systemctl restart dirsrv@pki-tomcat.service
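Review bot: `nsSSLPersonalitySSL: $HOSTNAME` tells the server to look for a certificate whose nickname is the host name, but the other scripts in this commit install the server certificate under the nickname `"DS Certificate"` (ds-openssl-create.sh, ds-cert-show.sh, ds-cert-remove.sh) and the NSS step that would have created a `$HOSTNAME` nickname is commented out in ds-nss-create.sh, so unless ds-cert-import.sh is run with `$HOSTNAME` as the nickname the restart after `nsslapd-security: on` will presumably fail to bring up the secure port; pick one nickname and define it in one place. `systemctl restart` also runs even if the modify was rejected. The commented `nsSSL3Ciphers: +all` block should either be deleted or carry a comment saying why it is kept, since enabling every cipher is the opposite of what the hardening scripts in this commit aim for.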
diff --git a/scripts/ds-ssl-show.sh b/scripts/ds-ssl-show.sh
new file mode 100755
index 0000000..97860ce
--- /dev/null
+++ b/scripts/ds-ssl-show.sh
@@ -0,0 +1,4 @@
+#!/bin/sh -x
+
+ldapsearch -x -D "cn=Directory Manager" -w Secret123 -b "cn=config" -s base nsslapd-security
+ldapsearch -x -D "cn=Directory Manager" -w Secret123 -b "cn=RSA,cn=encryption,cn=config" -s base nsSSLPersonalitySSL nsSSLToken nsSSLActivation
diff --git a/scripts/ds-ssl-test.sh b/scripts/ds-ssl-test.sh
new file mode 100755
index 0000000..83e85e5
--- /dev/null
+++ b/scripts/ds-ssl-test.sh
@@ -0,0 +1,6 @@
+#!/bin/sh -x
+
+yum install mozldap-tools -y
+
+/usr/lib64/mozldap/ldapsearch -Z -h `hostname` -p 636 -D 'cn=Directory Manager' -w Secret123 \
+ -P /etc/dirsrv/slapd-pki-tomcat -b "dc=example,dc=com" "objectclass=*"
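Review bot: `yum install mozldap-tools -y` makes a test script modify the host's package set every time it runs; move the install into a setup script or guard it with `command -v /usr/lib64/mozldap/ldapsearch >/dev/null || yum install -y mozldap-tools`. The search itself duplicates ds-nss-verify.sh except for using `hostname` in backticks instead of `$HOSTNAME` and omitting `-s base`; having one script call the other, or a shared variable, would keep the two from drifting.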