Diffstat (limited to 'scripts')
30 files changed, 383 insertions, 1 deletions
diff --git a/scripts/ds-admin-create.sh b/scripts/ds-admin-create.sh
new file mode 100755
index 0000000..2e0b422
--- /dev/null
+++ b/scripts/ds-admin-create.sh
@@ -0,0 +1,18 @@
+#!/bin/sh -x
+
+setup-ds-admin.pl --silent --\
+ General.FullMachineName=$HOSTNAME\
+ General.SuiteSpotUserID=nobody\
+ General.SuiteSpotGroup=nobody\
+ General.AdminDomain=example.com\
+ General.ConfigDirectoryAdminID=admin\
+ General.ConfigDirectoryAdminPwd=Secret123\
+ General.ConfigDirectoryLdapURL=ldap://$HOSTNAME:389/o=NetscapeRoot\
+ slapd.ServerPort=389\
+ slapd.ServerIdentifier=pki-tomcat\
+ slapd.Suffix=dc=example,dc=com\
+ slapd.RootDN="cn=Directory Manager"\
+ slapd.RootDNPwd=Secret123\
+ admin.Port=9830\
+ admin.ServerAdminID=admin\
+ admin.ServerAdminPwd=Secret123
diff --git a/scripts/ds-admin-remove.sh b/scripts/ds-admin-remove.sh
new file mode 100755
index 0000000..e5ea400
--- /dev/null
+++ b/scripts/ds-admin-remove.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+remove-ds-admin.pl -f -a -y
diff --git a/scripts/ds-backend-shared-create.sh b/scripts/ds-backend-shared-create.sh
new file mode 100755
index 0000000..4cc74a7
--- /dev/null
+++ b/scripts/ds-backend-shared-create.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+ldapadd -x -D "cn=Directory Manager" -w Secret123 << EOF
+dn: cn=pki,cn=ldbm database,cn=plugins,cn=config
+objectClass: top
+objectClass: nsBackendInstance
+objectClass: extensibleObject
+cn: pki
+nsslapd-suffix: dc=pki,dc=example,dc=com
+EOF
+
+ldapadd -x -D "cn=Directory Manager" -w Secret123 << EOF
+dn: cn="dc=pki,dc=example,dc=com",cn=mapping tree,cn=config
+objectClass: top
+objectClass: extensibleObject
+objectClass: nsMappingTree
+cn: dc=pki,dc=example,dc=com
+nsslapd-backend: pki
+nsslapd-state: backend
+EOF
+
+ldapadd -x -D "cn=Directory Manager" -w Secret123 << EOF
+dn: dc=pki,dc=example,dc=com
+objectClass: domain
+dc: pki
+EOF
diff --git a/scripts/ds-backup.sh b/scripts/ds-backup.sh
new file mode 100755
index 0000000..b9a5f77
--- /dev/null
+++ b/scripts/ds-backup.sh
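Review bot: The Directory Manager and admin passwords are passed as `setup-ds-admin.pl` arguments under `#!/bin/sh -x`, so they are printed in the xtrace output and are visible to every local user via `ps` for as long as setup runs. Prefer writing these keys into a mode-0600 `.inf` file and passing it with `--file` (which, as far as I recall, `setup-ds-admin.pl` accepts for the same keys), and drop `-x` from the shebang. Two smaller points: `General.SuiteSpotUserID=nobody` runs the server as the shared `nobody` account rather than a dedicated user such as `dirsrv`, and `$HOSTNAME` is set by bash but not by POSIX sh, so under a dash `/bin/sh` the LDAP URL becomes `ldap://:389/` — `$(hostname -f)` is the portable spelling.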
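Review bot: Nothing stops the script after a failed step — the mapping-tree entry and the `dc=pki` suffix entry are still added when creation of the `cn=pki` backend fails, leaving a mapping tree that points at a backend that does not exist; add `set -e` after the shebang (the script is plain `#!/bin/sh`, so `set -e` is portable). The Directory Manager password is also repeated on the command line three times; `-y dm-password.txt` (OpenLDAP reads the file verbatim, so create it with mode 0600 and without a trailing newline) keeps it out of `ps` and out of any `-x` trace.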
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+db2ldif -Z pki-tomcat -U -n ca -a /tmp/ca.ldif
+
+/bin/cp /tmp/ca.ldif .
diff --git a/scripts/ds-cert-import.sh b/scripts/ds-cert-import.sh
new file mode 100755
index 0000000..9dd6dcd
--- /dev/null
+++ b/scripts/ds-cert-import.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+NICKNAME=$1
+FILENAME=$2
+
+INSTANCE=pki-tomcat
+NSSDB_DIR=/etc/dirsrv/slapd-$INSTANCE
+
+certutil -A -d $NSSDB_DIR -n "$NICKNAME" -i $FILENAME -a -t "CT,C,C"
diff --git a/scripts/ds-cert-list.sh b/scripts/ds-cert-list.sh
new file mode 100755
index 0000000..5441be7
--- /dev/null
+++ b/scripts/ds-cert-list.sh
@@ -0,0 +1,6 @@
+#!/bin/sh -x
+
+INSTANCE=pki-tomcat
+NSSDB_DIR=/etc/dirsrv/slapd-$INSTANCE
+
+certutil -L -d $NSSDB_DIR
diff --git a/scripts/ds-cert-remove.sh b/scripts/ds-cert-remove.sh
new file mode 100755
index 0000000..c319920
--- /dev/null
+++ b/scripts/ds-cert-remove.sh
@@ -0,0 +1,6 @@
+#!/bin/sh -x
+
+INSTANCE=pki-tomcat
+NSSDB_DIR=/etc/dirsrv/slapd-$INSTANCE
+
+certutil -F -d $NSSDB_DIR -f $NSSDB_DIR/password.txt -n "DS Certificate"
diff --git a/scripts/ds-cert-show.sh b/scripts/ds-cert-show.sh
new file mode 100755
index 0000000..903c83e
--- /dev/null
+++ b/scripts/ds-cert-show.sh
@@ -0,0 +1,6 @@
+#!/bin/sh -x
+
+INSTANCE=pki-tomcat
+NSSDB_DIR=/etc/dirsrv/slapd-$INSTANCE
+
+certutil -L -d $NSSDB_DIR -n "DS Certificate"
diff --git a/scripts/ds-console.sh b/scripts/ds-console.sh
new file mode 100755
index 0000000..c3d9ce0
--- /dev/null
+++ b/scripts/ds-console.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+389-console -a http://$HOSTNAME:9830 -u "cn=Directory Manager" -w Secret123
diff --git a/scripts/ds-create.sh b/scripts/ds-create.sh
index 759160b..12379a4 100755
--- a/scripts/ds-create.sh
+++ b/scripts/ds-create.sh
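Review bot: The export goes to the fixed path `/tmp/ca.ldif`, a predictable name in a world-writable directory — another local user can pre-create that file or a symlink there before `db2ldif` runs, and the exported CA database then lands wherever they pointed it. Drop `-a /tmp/ca.ldif` so `db2ldif` writes into the instance's own ldif directory and copy from there, or create the target with `mktemp -d` and make it accessible to the server user before the export. `ds-restore.sh` in the same commit reads `/tmp/ca.ldif` back, so the two scripts should change together.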
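Review bot: `$FILENAME` is unquoted and neither argument is checked, so running `ds-cert-import.sh` with a missing or space-containing path hands certutil a mangled `-i` argument; guard with `[ $# -eq 2 ] || { echo "usage: ds-cert-import.sh <nickname> <file>" >&2; exit 1; }` and quote both: `certutil -A -d "$NSSDB_DIR" -n "$NICKNAME" -i "$FILENAME" -a -t "CT,C,C"`. Also note the hard-coded trust flags: `CT,C,C` makes whatever is imported a trusted CA for SSL (server and client), e-mail and object signing in the server's database, so importing a peer or server certificate through this script turns it into a trust anchor — make the flags a third argument, or default to `,,` and reserve `CT,C,C` for CA certificates.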
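Review bot: The console connects to the admin server over plain `http://$HOSTNAME:9830` while binding as `cn=Directory Manager` with `-w Secret123`, so the root DN password crosses the network in clear text and also shows up in `ps` and the shell history. Drop `-w Secret123` and let `389-console` prompt, and switch the URL to `https://` once the admin server has TLS; `ds-admin-create.sh` in this commit sets only `admin.Port=9830` with no TLS settings, so as written this is clear text end to end.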
@@ -8,4 +8,10 @@ setup-ds.pl --silent --\
 slapd.ServerIdentifier=pki-tomcat\
 slapd.Suffix=dc=example,dc=com\
 slapd.RootDN="cn=Directory Manager"\
- slapd.RootDNPwd=Secret123
+ slapd.RootDNPwd=Secret.123
+
+ldapadd -x -D "cn=Directory Manager" -w Secret.123 << EOF
+dn: dc=pki,dc=example,dc=com
+objectClass: domain
+dc: pki
+EOF
diff --git a/scripts/ds-debug-enable.sh b/scripts/ds-debug-enable.sh
new file mode 100755
index 0000000..ce3328c
--- /dev/null
+++ b/scripts/ds-debug-enable.sh
@@ -0,0 +1,10 @@
+#!/bin/sh -x
+
+ldapmodify -x -D "cn=Directory Manager" -w Secret.123 <<EOF
+dn: cn=config
+changetype: modify
+replace: nsslapd-errorlog-level
+nsslapd-errorlog-level: 16384
+EOF
+
+systemctl restart dirsrv@pki-tomcat.service
diff --git a/scripts/ds-debug-show.sh b/scripts/ds-debug-show.sh
new file mode 100755
index 0000000..2b78bb0
--- /dev/null
+++ b/scripts/ds-debug-show.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+ldapsearch -x -D "cn=Directory Manager" -w Secret.123 -b cn=config -s base nsslapd-errorlog-level
diff --git a/scripts/ds-init.sh b/scripts/ds-init.sh
new file mode 100755
index 0000000..8dce094
--- /dev/null
+++ b/scripts/ds-init.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+ldapmodify -x -D "cn=Directory Manager" -w Secret123 -f /usr/share/pki/server/conf/schema.ldif
+
+ldapmodify -x -D "cn=Directory Manager" -w Secret123 -f /usr/share/pki/server/conf/database.ldif
diff --git a/scripts/ds-insecure-check.sh b/scripts/ds-insecure-check.sh
new file mode 100755
index 0000000..b63ce51
--- /dev/null
+++ b/scripts/ds-insecure-check.sh
@@ -0,0 +1,6 @@
+#!/bin/sh -x
+
+# disable anonymous access
+LDAPTLS_CACERT=ds.crt \
+ ldapsearch -H ldaps://$HOSTNAME:636 -x -D "cn=Directory Manager" -w Secret123 -b "cn=config" -s base\
+ nsslapd-allow-anonymous-access nsslapd-minssf nsslapd-require-secure-binds
diff --git a/scripts/ds-insecure-disable.sh b/scripts/ds-insecure-disable.sh
new file mode 100755
index 0000000..ec2b4d5
--- /dev/null
+++ b/scripts/ds-insecure-disable.sh
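Review bot: The root DN password becomes `Secret.123` here, but `ds-init.sh`, `ds-populate.sh`, `ds-backend-shared-create.sh`, `ds-ssl-enable.sh`, `ds-insecure-*.sh`, `ds-ldapi-enable.sh` and the verify scripts added in the same commit still bind with `-w Secret123`; only `ds-debug-*.sh` use the new value, so every other script will fail with invalid credentials against an instance created by this script. Keep the secret in one place — e.g. a mode-0600 `dm-password.txt` that the `ldap*` tools read with `-y dm-password.txt` and that `setup-ds.pl` is fed through an `.inf` file — so the value cannot drift and no longer sits on the command line or in any `sh -x` trace. The `setup-ds.pl` invocation this hunk modifies starts above the hunk.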
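Review bot: The comment `# disable anonymous access` is wrong for this script, which only reads the three attributes back; make it `# show the settings toggled by ds-insecure-enable.sh / ds-insecure-disable.sh`. The CA file also differs from its sibling: this script verifies the server with `LDAPTLS_CACERT=ds.crt` (the leaf certificate produced by `ds-nss-create.sh` or the self-signed one from `ds-openssl-create.sh`), while `ds-insecure-disable.sh` uses `$HOSTNAME.crt`; on the NSS path the issuer is `ca.crt`, so pick one file per provisioning path and use it in both scripts, otherwise one of them fails TLS verification depending on how the instance was built.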
@@ -0,0 +1,19 @@
+#!/bin/sh -x
+
+# disable insecure connection
+LDAPTLS_CACERT=$HOSTNAME.crt \
+ ldapmodify -H ldaps://$HOSTNAME:636 -x -D "cn=Directory Manager" -w Secret123 << EOF
+dn: cn=config
+changetype: modify
+replace: nsslapd-allow-anonymous-access
+nsslapd-allow-anonymous-access: rootdse
+-
+replace: nsslapd-minssf
+nsslapd-minssf: 56
+-
+replace: nsslapd-require-secure-binds
+nsslapd-require-secure-binds: on
+-
+EOF
+
+systemctl restart dirsrv@pki-tomcat.service
diff --git a/scripts/ds-insecure-enable.sh b/scripts/ds-insecure-enable.sh
new file mode 100755
index 0000000..f78dded
--- /dev/null
+++ b/scripts/ds-insecure-enable.sh
@@ -0,0 +1,18 @@
+#!/bin/sh -x
+
+# enable insecure connection
+ldapmodify -x -D "cn=Directory Manager" -w Secret123 << EOF
+dn: cn=config
+changetype: modify
+replace: nsslapd-allow-anonymous-access
+nsslapd-allow-anonymous-access: on
+-
+replace: nsslapd-minssf
+nsslapd-minssf: 0
+-
+replace: nsslapd-require-secure-binds
+nsslapd-require-secure-binds: off
+-
+EOF
+
+systemctl restart dirsrv@pki-tomcat.service
diff --git a/scripts/ds-key-list.sh b/scripts/ds-key-list.sh
new file mode 100755
index 0000000..6126a5e
--- /dev/null
+++ b/scripts/ds-key-list.sh
@@ -0,0 +1,6 @@
+#!/bin/sh -x
+
+INSTANCE=pki-tomcat
+NSSDB_DIR=/etc/dirsrv/slapd-$INSTANCE
+
+certutil -K -d $NSSDB_DIR -f $NSSDB_DIR/password.txt
diff --git a/scripts/ds-ldapi-enable.sh b/scripts/ds-ldapi-enable.sh
new file mode 100755
index 0000000..9e033b9
--- /dev/null
+++ b/scripts/ds-ldapi-enable.sh
@@ -0,0 +1,10 @@
+#!/bin/sh -x
+
+ldapmodify -h `hostname` -p 389 -D "cn=Directory Manager" -w Secret123 -x <<EOF
+dn: cn=config
+changetype: modify
+replace: nsslapd-ldapilisten
+nsslapd-ldapilisten: on
+EOF
+
+systemctl restart dirsrv@pki-tomcat.service
diff --git a/scripts/ds-nss-create.sh b/scripts/ds-nss-create.sh
new file mode 100755
index 0000000..81232da
--- /dev/null
+++ b/scripts/ds-nss-create.sh
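Review bot: `nsslapd-minssf: 56` only demands single-DES-strength protection, which any TLS cipher the server would negotiate already exceeds; if the intent is that the plaintext port be unusable, `nsslapd-minssf: 128` says so without admitting anything weaker and is the commonly documented floor. Be aware of what this restart does to the rest of the commit: afterwards `ds-ssl-show.sh`, `ds-debug-*.sh`, `ds-populate.sh`, `ds-init.sh` and `ds-insecure-enable.sh` all still bind with `-x` on the plaintext port and will be refused (`nsslapd-require-secure-binds: on` rejects simple binds without confidentiality), so they need `-H ldaps://$HOSTNAME:636` plus the CA file, or LDAPI. `nsslapd-allow-anonymous-access: rootdse` is the right choice here.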
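Review bot: This script cannot undo the hardening it is paired with: `ldapmodify -x` with no `-H` goes to the plaintext port, and once `ds-insecure-disable.sh` has set `nsslapd-require-secure-binds: on` and `nsslapd-minssf: 56` the server refuses that simple bind, so the modify never reaches `cn=config`. Bind the way the disable script does — `LDAPTLS_CACERT=$HOSTNAME.crt ldapmodify -H ldaps://$HOSTNAME:636 -x -D "cn=Directory Manager" -w Secret123 << EOF` — or use the LDAPI socket enabled by `ds-ldapi-enable.sh`, which 389 DS rates with its own `nsslapd-localssf` (71 by default, above the 56 set there). It would also help to say in the header comment that this is a lab convenience that re-opens anonymous access and clear-text binds, so it is not run on a shared instance by mistake.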
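Review bot: Turning on `nsslapd-ldapilisten` alone still leaves every script in this commit passing the Directory Manager password on the command line; adding `nsslapd-ldapiautobind: on` in the same modify lets root bind over the socket with `ldapmodify -H ldapi://%2fvar%2frun%2fslapd-pki-tomcat.socket -Y EXTERNAL` and be mapped to the root DN (via `nsslapd-ldapimaprootdn`, which defaults to it), removing `-w Secret123` and the clear-text network bind from the admin scripts altogether. Confirm the socket path against `nsslapd-ldapifilepath` on the target build. Minor: ``-h `hostname` -p 389`` is the deprecated form; `-H ldap://$(hostname):389` is the current spelling.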
@@ -0,0 +1,53 @@
+#!/bin/sh -x
+
+INSTANCE=pki-tomcat
+PASSWORD=Secret123
+NSSDB_DIR=/etc/dirsrv/slapd-$INSTANCE
+
+echo $PASSWORD > $NSSDB_DIR/password.txt
+chown nobody.nobody $NSSDB_DIR/password.txt
+chmod 400 $NSSDB_DIR/password.txt
+
+echo "Internal (Software) Token:$PASSWORD" > $NSSDB_DIR/pin.txt
+chown nobody.nobody $NSSDB_DIR/pin.txt
+chmod 400 $NSSDB_DIR/pin.txt
+
+certutil -W -d $NSSDB_DIR -f $NSSDB_DIR/password.txt
+
+echo -e "y\n\ny\n" | \
+ certutil -S -x \
+ -d $NSSDB_DIR \
+ -f $NSSDB_DIR/password.txt \
+ -z noise.bin \
+ -n "DS CA Signing Certificate" \
+ -s "CN=DS CA Signing Certificate" \
+ -t "CTu,Cu,Cu" \
+ -m $RANDOM\
+ -2 \
+ --keyUsage certSigning \
+ --nsCertType sslCA,smimeCA,objectSigningCA
+
+certutil -L -d $NSSDB_DIR -n "DS CA Signing Certificate" -a > ca.crt
+
+echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\n" | \
+ certutil -C -a \
+ -d $NSSDB_DIR \
+ -f $NSSDB_DIR/password.txt \
+ -m $RANDOM \
+ -i ds.csr \
+ -o ds.crt \
+ -c "DS CA Signing Certificate" \
+ -1 -2
+
+#echo -e "0\n1\n2\n3\n9\ny\n" | \
+# certutil -S -x \
+# -d $NSSDB_DIR \
+# -f $NSSDB_DIR/password.txt \
+# -z noise.bin \
+# -n "$HOSTNAME" \
+# -s "CN=$HOSTNAME" \
+# -t "CT,C,C" \
+# -m $RANDOM\
+# -1
+
+certutil -L -d $NSSDB_DIR -n "$HOSTNAME" -a > $HOSTNAME.crt
diff --git a/scripts/ds-nss-request.sh b/scripts/ds-nss-request.sh
new file mode 100755
index 0000000..8665f22
--- /dev/null
+++ b/scripts/ds-nss-request.sh
@@ -0,0 +1,14 @@
+#!/bin/sh -x
+
+INSTANCE=pki-tomcat
+PASSWORD=Secret123
+NSSDB_DIR=/etc/dirsrv/slapd-$INSTANCE
+
+certutil -R \
+ -d $NSSDB_DIR \
+ -f $NSSDB_DIR/password.txt \
+ -s "CN=$HOSTNAME" \
+ -g 2048 \
+ -z noise.bin \
+ -o ds.csr \
+ -a
diff --git a/scripts/ds-nss-verify.sh b/scripts/ds-nss-verify.sh
new file mode 100755
index 0000000..e522d04
--- /dev/null
+++ b/scripts/ds-nss-verify.sh
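Review bot: `echo $PASSWORD > $NSSDB_DIR/password.txt` creates the file under the caller's umask (typically 0644) and only the later `chmod 400` closes it, so for a moment the token password is world-readable; the same applies to `pin.txt`. Put `umask 077` at the top of the script (and drop `-x` from the shebang, which otherwise echoes the password into the trace) and the window disappears. A design point: the `DS CA Signing Certificate` key is generated inside the server's own NSS database, owned by `nobody`, so a compromise of the directory server process yields the CA private key — keep the issuing CA in a separate database and import only `ca.crt` here. As far as I can see the signed `ds.crt` is never added back under the `$HOSTNAME` nickname (the block that would create such an entry is commented out), so the final `certutil -L -n "$HOSTNAME"` export and `nsSSLPersonalitySSL: $HOSTNAME` in `ds-ssl-enable.sh` depend on `ds-cert-import.sh "$HOSTNAME" ds.crt` being run in between; add `certutil -A -d $NSSDB_DIR -n "$HOSTNAME" -i ds.crt -a -t ",,"` before the export, or a comment saying that step is external.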
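Review bot: The request carries only `-s "CN=$HOSTNAME"` and no subjectAltName, and many current TLS clients ignore the CN when matching host names, so a certificate issued from this CSR may fail name verification; if the installed certutil supports it, add `--extSAN dns:$HOSTNAME`. `PASSWORD=Secret123` is assigned but never used here (the password comes from `-f`), so drop it to avoid one more copy of the secret in a `-x`-traced script, and note in a comment that `-z noise.bin` requires that file to exist in the current directory.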
@@ -0,0 +1,4 @@
+#!/bin/sh -x
+
+/usr/lib64/mozldap/ldapsearch -Z -h $HOSTNAME -p 636 -D "cn=Directory Manager" -w Secret123 \
+ -P /etc/dirsrv/slapd-pki-tomcat -b "dc=example,dc=com" -s base "(objectClass=*)"
diff --git a/scripts/ds-nuke.sh b/scripts/ds-nuke.sh
new file mode 100755
index 0000000..92f8dc7
--- /dev/null
+++ b/scripts/ds-nuke.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+INSTANCE_NAME=$1
+
+if [ "$INSTANCE_NAME" == "" ]; then
+ echo "usage: ds-nuke.sh <instance name>"
+ exit 1
+fi
+
+echo "Deleting instance $INSTANCE_NAME"
+
+rm -rf /etc/dirsrv/slapd-$INSTANCE_NAME
+rm -rf /etc/dirsrv/slapd-$INSTANCE_NAME.removed
+rm -rf /var/lock/dirsrv/slapd-$INSTANCE_NAME
+rm -rf /var/log/dirsrv/slapd-$INSTANCE_NAME
diff --git a/scripts/ds-openssl-create.sh b/scripts/ds-openssl-create.sh
new file mode 100755
index 0000000..3cfe71c
--- /dev/null
+++ b/scripts/ds-openssl-create.sh
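Review bot: The instance name is interpolated unquoted into four `rm -rf` paths and the only validation is the empty check, so `ds-nuke.sh 'x /'` expands to `rm -rf /etc/dirsrv/slapd-x /` and a name containing `../` walks out of the directory; validate and quote, e.g. `case $INSTANCE_NAME in ""|*/*|*[[:space:]]*) echo "usage: ds-nuke.sh <instance name>" >&2; exit 1;; esac` and `rm -rf -- "/etc/dirsrv/slapd-${INSTANCE_NAME:?}"`. `[ "$INSTANCE_NAME" == "" ]` is also a bashism under `#!/bin/sh` — dash rejects `==` — so `[ -z "$INSTANCE_NAME" ]` or the `case` above is needed for the script to run there at all. If the data directory under `/var/lib/dirsrv/slapd-<name>` is meant to go too, it is missing from the list.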
@@ -0,0 +1,25 @@
+#!/bin/sh -x
+
+cp password.txt /etc/dirsrv/slapd-pki-tomcat/password.txt
+chown nobody.nobody /etc/dirsrv/slapd-pki-tomcat/password.txt
+chmod 400 /etc/dirsrv/slapd-pki-tomcat/password.txt
+echo "Internal (Software) Token:`cat /etc/dirsrv/slapd-pki-tomcat/password.txt`" > /etc/dirsrv/slapd-pki-tomcat/pin.txt
+chown nobody.nobody /etc/dirsrv/slapd-pki-tomcat/pin.txt
+chmod 400 /etc/dirsrv/slapd-pki-tomcat/pin.txt
+
+# generate CA certificate
+#openssl req -newkey rsa:2048 -keyout dsca.key -nodes -x509 -out dsca.pem -subj "/CN=CAcert" -days 365
+#openssl pkcs12 -export -in dsca.pem -inkey dsca.key -out dsca.p12 -name "CA certificate" -passout pass:Secret123
+#pk12util -i dsca.p12 -d /etc/dirsrv/slapd-pki-tomcat -k /etc/dirsrv/slapd-pki-tomcat/pwdfile.txt -W Secret123
+#certutil -M -d /etc/dirsrv/slapd-pki-tomcat -n "CA certificate" -t "CTu,u,u"
+
+# generate server certificate
+#openssl req -newkey rsa:2048 -keyout ds.key -nodes -new -out ds.csr -subj "/CN=$HOSTNAME" -days 365
+#openssl x509 -req -in ds.csr -CA dsca.pem -CAkey dsca.key -CAcreateserial -out ds.pem
+#openssl pkcs12 -export -in ds.pem -inkey ds.key -out ds.p12 -name "Server-Cert" -passout pass:Secret123
+#pk12util -i ds.p12 -d /etc/dirsrv/slapd-pki-tomcat -k /etc/dirsrv/slapd-pki-tomcat/pwdfile.txt -W Secret123
+
+openssl req -newkey rsa:2048 -keyout ds.key -nodes -x509 -out ds.crt -subj "/CN=$HOSTNAME" -days 365
+openssl pkcs12 -export -in ds.crt -inkey ds.key -out ds.p12 -name "DS Certificate" -passout file:/etc/dirsrv/slapd-pki-tomcat/password.txt
+pk12util -i ds.p12 -d /etc/dirsrv/slapd-pki-tomcat -k /etc/dirsrv/slapd-pki-tomcat/password.txt -w /etc/dirsrv/slapd-pki-tomcat/password.txt
+certutil -M -d /etc/dirsrv/slapd-pki-tomcat -n "DS Certificate" -t "CT,C,C"
diff --git a/scripts/ds-openssl-verify.sh b/scripts/ds-openssl-verify.sh
new file mode 100755
index 0000000..db77b64
--- /dev/null
+++ b/scripts/ds-openssl-verify.sh
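Review bot: The script leaves key material in the working directory: `ds.key` is written unencrypted (`-nodes`) and `ds.p12` holds the same key protected only by the NSS-DB password, and neither is removed after `pk12util` imports it. Add `shred -u ds.key ds.p12` (or at least `rm -f`) after the import, and start the script with `umask 077` so `ds.key`, `ds.p12` and the copied `password.txt`/`pin.txt` are never created world-readable before the `chmod 400` lines run — `install -m 400 -o nobody -g nobody password.txt /etc/dirsrv/slapd-pki-tomcat/password.txt` also collapses the copy/chown/chmod triple into one step. The `-x` in the shebang additionally prints the contents of `password.txt` when the `pin.txt` line expands its backtick, so drop it here.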
@@ -0,0 +1,11 @@
+#!/bin/sh -x
+
+LDAPTLS_CACERT=ds.crt \
+ ldapsearch -H ldaps://$HOSTNAME:636 -x -D "cn=Directory Manager" -w Secret123 \
+ -b "dc=example,dc=com" -s base "(objectClass=*)"
+
+LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-pki-tomcat \
+ ldapsearch -H ldaps://$HOSTNAME:636 \
+ -x -D "cn=Directory Manager" -w Secret123 \
+ -b "dc=example,dc=com" -s base "(objectClass=*)"
+
diff --git a/scripts/ds-populate.sh b/scripts/ds-populate.sh
new file mode 100755
index 0000000..1e84e94
--- /dev/null
+++ b/scripts/ds-populate.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+/bin/cp /usr/share/pki/ca/conf/index.ldif .
+sed -i "s/{database}/ca/" index.ldif
+ldapadd -x -D "cn=Directory Manager" -w Secret123 -f index.ldif
+
+ldapadd -x -D "cn=Directory Manager" -w Secret123 << EOF
+dn: dc=ca,dc=example,dc=com
+objectClass: top
+objectClass: domain
+dc: ca
+EOF
+
+/bin/cp /usr/share/pki/ca/conf/db.ldif .
+sed -i "s/{rootSuffix}/dc=ca,dc=example,dc=com/" db.ldif
+ldapadd -x -D "cn=Directory Manager" -w Secret123 -f db.ldif
+
+/bin/cp /usr/share/pki/ca/conf/acl.ldif .
+sed -i "s/{rootSuffix}/dc=ca,dc=example,dc=com/" acl.ldif
+ldapadd -x -D "cn=Directory Manager" -w Secret123 -f acl.ldif
+
+/bin/cp /usr/share/pki/server/conf/manager.ldif .
+sed -i "s/{rootSuffix}/dc=ca,dc=example,dc=com/" manager.ldif
+sed -i "s/{dbuser}/uid=pkidbuser,ou=people,dc=ca,dc=example,dc=com/" manager.ldif
+ldapadd -x -D "cn=Directory Manager" -w Secret123 -f manager.ldif
+
+/bin/cp /usr/share/pki/ca/conf/vlv.ldif .
+sed -i "s/{instanceId}/pki-tomcat/g" vlv.ldif
+sed -i "s/{database}/ca/g" vlv.ldif
+sed -i "s/{rootSuffix}/dc=ca,dc=example,dc=com/" vlv.ldif
+ldapadd -x -D "cn=Directory Manager" -w Secret123 -f vlv.ldif
diff --git a/scripts/ds-restore.sh b/scripts/ds-restore.sh
new file mode 100755
index 0000000..97b67df
--- /dev/null
+++ b/scripts/ds-restore.sh
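Review bot: With no `set -e`, a failed `ldapadd` (for example the `dc=ca` entry already existing, or the `index.ldif` load being refused) does not stop the script, so the later `db.ldif`, `acl.ldif` and `vlv.ldif` loads run against a half-populated suffix while the error scrolls by; put `set -e` after the shebang. The `{rootSuffix}` substitutions use `s/.../.../` without `g` while the `vlv.ldif` ones use `g` — if any line in `db.ldif`, `acl.ldif` or `manager.ldif` carries the placeholder twice, only the first is replaced, so use `g` uniformly. Five `-w Secret123` on the command line is also five `ps`-visible copies of the root DN password; `-y` with a mode-0600 file is the OpenLDAP way.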
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+./ds-create.sh
+./ds-init.sh
+./ds-backend.sh
+
+./ds-stop.sh
+/bin/cp ca.ldif /tmp/ca.ldif
+./ds-start.sh
+
+ldif2db -Z pki-tomcat -n ca -i /tmp/ca.ldif
diff --git a/scripts/ds-ssl-create.sh b/scripts/ds-ssl-create.sh
new file mode 100755
index 0000000..54570c6
--- /dev/null
+++ b/scripts/ds-ssl-create.sh
@@ -0,0 +1,18 @@
+#!/bin/sh -x
+
+./ds-create.sh
+./ds-stop.sh
+
+sleep 1
+
+./ds-nss-create.sh
+./ds-start.sh
+
+sleep 1
+
+./ds-ssl-enable.sh
+
+sleep 1
+
+./ds-insecure-disable.sh
+
diff --git a/scripts/ds-ssl-enable.sh b/scripts/ds-ssl-enable.sh
new file mode 100755
index 0000000..0124fe7
--- /dev/null
+++ b/scripts/ds-ssl-enable.sh
@@ -0,0 +1,25 @@
+#!/bin/sh -x
+
+# enable SSL
+ldapmodify -x -D "cn=Directory Manager" -w Secret123 <<EOF
+dn: cn=config
+changetype: modify
+replace: nsslapd-security
+nsslapd-security: on
+
+dn: cn=RSA,cn=encryption,cn=config
+changetype: add
+objectclass: top
+objectclass: nsEncryptionModule
+cn: RSA
+nsSSLPersonalitySSL: $HOSTNAME
+nsSSLToken: internal (software)
+nsSSLActivation: on
+EOF
+
+#dn: cn=encryption,cn=config
+#changetype: modify
+#add: nsSSL3Ciphers
+#nsSSL3Ciphers: +all
+
+systemctl restart dirsrv@pki-tomcat.service
diff --git a/scripts/ds-ssl-show.sh b/scripts/ds-ssl-show.sh
new file mode 100755
index 0000000..97860ce
--- /dev/null
+++ b/scripts/ds-ssl-show.sh
@@ -0,0 +1,4 @@
+#!/bin/sh -x
+
+ldapsearch -x -D "cn=Directory Manager" -w Secret123 -b "cn=config" -s base nsslapd-security
+ldapsearch -x -D "cn=Directory Manager" -w Secret123 -b "cn=RSA,cn=encryption,cn=config" -s base nsSSLPersonalitySSL nsSSLToken nsSSLActivation
diff --git a/scripts/ds-ssl-test.sh b/scripts/ds-ssl-test.sh
new file mode 100755
index 0000000..83e85e5
--- /dev/null
+++ b/scripts/ds-ssl-test.sh
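Review bot: `ldif2db` is, as far as I know, the offline importer (the online task is `ldif2db.pl`), yet `./ds-start.sh` runs immediately before it, so the import is attempted against a live instance; move the `ldif2db` line ahead of `./ds-start.sh` (stop, copy, import, start) or switch to `ldif2db.pl`. The staging copy goes through the predictable `/tmp/ca.ldif`, where another local user can pre-place a file or symlink and have their LDIF imported into the CA database by root — stage in a `mktemp -d` directory the server user can read, matching whatever `ds-backup.sh` is changed to. `./ds-backend.sh` is not part of this commit (the new script is `ds-backend-shared-create.sh`), so confirm that name exists.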
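Review bot: Nothing in this orchestration checks that a step succeeded — there is no `set -e`, and `sleep 1` stands in for confirming that the instance actually stopped or came back — so if `ds-nss-create.sh` fails (it reads `ds.csr` and `noise.bin` from the working directory, and neither `ds-nss-request.sh` nor a noise generator is invoked here) the script still runs `ds-ssl-enable.sh` and `ds-insecure-disable.sh`, and the final restart leaves a server that cannot start with a missing certificate and has no plaintext fallback. Add `set -e`, call `./ds-nss-request.sh` before `./ds-nss-create.sh` (after generating the noise file), and replace the sleeps with `systemctl is-active --quiet dirsrv@pki-tomcat.service` checks or a short `until` loop.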
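Review bot: `nsSSLPersonalitySSL: $HOSTNAME` names a certificate that only the NSS path produces (and there only if `ds.crt` is imported back under that nickname); `ds-openssl-create.sh` in this commit installs the server certificate as `DS Certificate`, and `ds-cert-show.sh`/`ds-cert-remove.sh` use that nickname too, so after the openssl flow this restart brings up a server whose configured certificate does not exist. Either pick one nickname for both flows or make it a variable the scripts share. The `changetype: add` of `cn=RSA,cn=encryption,cn=config` will also fail with "already exists" on a second run, so if the script is meant to be re-runnable, `ldapmodify -c` or a `changetype: modify` with `replace:` lines is safer.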
@@ -0,0 +1,6 @@
+#!/bin/sh -x
+
+yum install mozldap-tools -y
+
+/usr/lib64/mozldap/ldapsearch -Z -h `hostname` -p 636 -D 'cn=Directory Manager' -w Secret123 \
+ -P /etc/dirsrv/slapd-pki-tomcat -b "dc=example,dc=com" "objectclass=*" |