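#!/bin/bash
#
# Container entrypoint: renders /etc/sssd/sssd.conf from environment
# variables, grants passwordless sudo to one LDAP group, clears the SSSD
# cache and then starts sssd, dbus, xrdp-sesman and (via exec) xrdp.
#
# Env, required:  LDAP_BIND_PASSWORD  bind password written into sssd.conf
#                                     (empty is accepted but warned about)
# Env, optional:  LDAP_URI, LDAP_BASE_DN, LDAP_BIND_DN, LDAP_SUDO_GROUP,
#                 SSSD_DEBUG_LEVEL, LDAP_USE_START_TLS, LDAP_TLS_REQCERT,
#                 LDAP_AUTH_DISABLE_TLS  (defaults below)
set -euo pipefail

# Map the workflow variables onto the script's internal names. (The original
# comment mentioned an ENV_ prefix, but the variables are read as-is.)
# The fallback values are only meaningful for a local/lab setup.
LDAP_URI=${LDAP_URI:-"ldap://localhost:389"}
LDAP_BASE_DN=${LDAP_BASE_DN:-"dc=example,dc=com"}
LDAP_BIND_DN=${LDAP_BIND_DN:-"cn=admin,dc=example,dc=com"}
LDAP_BIND_PASSWORD=${LDAP_BIND_PASSWORD:-}
LDAP_SUDO_GROUP=${LDAP_SUDO_GROUP:-"sudo_users"}
# Note the rename: SSSD_DEBUG_LEVEL (input) becomes SSSD_DEBUG (internal).
SSSD_DEBUG=${SSSD_DEBUG_LEVEL:-0}

# Transport security. The defaults reproduce the previously hard-coded
# settings: plain LDAP, no certificate verification, and password
# authentication allowed over the unencrypted connection -- the sssd option
# for the last one is literally named "never_use_in_production". Anything
# beyond a throwaway lab should set LDAP_USE_START_TLS=true,
# LDAP_TLS_REQCERT=demand and LDAP_AUTH_DISABLE_TLS=false (or an ldaps:// URI).
LDAP_USE_START_TLS=${LDAP_USE_START_TLS:-false}
LDAP_TLS_REQCERT=${LDAP_TLS_REQCERT:-never}
LDAP_AUTH_DISABLE_TLS=${LDAP_AUTH_DISABLE_TLS:-true}

readonly SSSD_CONF=/etc/sssd/sssd.conf
readonly SUDOERS_FILE=/etc/sudoers.d/ldap-admins

# Print a message to stderr and abort the container start.
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Render sssd.conf from the variables above.
# The file contains the bind password in clear text, so it is created with
# mode 0600 *before* any content is written instead of being chmod'ed
# afterwards (no window in which the umask decides who may read it).
# Globals:  LDAP_* , SSSD_CONF (read)
# Outputs:  progress line on stdout, warning on stderr if the password is empty
#######################################
write_sssd_conf() {
  echo ">>> Erstelle SSSD Konfiguration..."
  if [[ -z "$LDAP_BIND_PASSWORD" ]]; then
    printf 'warning: LDAP_BIND_PASSWORD is empty; ldap_default_authtok will be empty\n' >&2
  fi
  # Create (or reset) the file as root-only first; the heredoc then only
  # truncates and fills it, keeping the mode.
  install -m 0600 -o root -g root /dev/null "$SSSD_CONF"
  cat <<EOF > "$SSSD_CONF"
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
chpass_provider = ldap

ldap_uri = ${LDAP_URI}
ldap_search_base = ${LDAP_BASE_DN}
ldap_sudo_search_base = ou=SUDOers,${LDAP_BASE_DN}

ldap_default_bind_dn = ${LDAP_BIND_DN}
ldap_default_authtok = ${LDAP_BIND_PASSWORD}

ldap_schema = rfc2307bis
ldap_group_member = uniqueMember

ldap_id_use_start_tls = ${LDAP_USE_START_TLS}
ldap_tls_reqcert = ${LDAP_TLS_REQCERT}
ldap_auth_disable_tls_never_use_in_production = ${LDAP_AUTH_DISABLE_TLS}

cache_credentials = true
enumerate = false
EOF
  # Belt and braces in case the file pre-existed with other ownership.
  chmod 600 "$SSSD_CONF"
  chown root:root "$SSSD_CONF"
}

#######################################
# Grant passwordless sudo to members of LDAP_SUDO_GROUP.
# The rule is written to a temp file and checked with visudo (when present)
# before it is installed: a syntactically broken file in sudoers.d makes
# sudo refuse *all* rules, and the group name comes straight from the
# environment.
# Globals:  LDAP_SUDO_GROUP, SUDOERS_FILE (read)
# Returns:  exits via die when the rendered rule does not parse
#######################################
write_sudoers_rule() {
  echo ">>> Erstelle Sudoers-Regel für Gruppe: ${LDAP_SUDO_GROUP}..."
  local tmp
  tmp=$(mktemp) || die "mktemp failed"
  # '%%' is a literal '%'; the group name goes through %s, never the format.
  printf '%%%s ALL=(ALL) NOPASSWD: ALL\n' "$LDAP_SUDO_GROUP" > "$tmp"
  if command -v visudo >/dev/null 2>&1; then
    visudo -cf "$tmp" >/dev/null \
      || { rm -f -- "$tmp"; die "invalid sudoers rule for group '${LDAP_SUDO_GROUP}'"; }
  fi
  install -m 0440 -o root -g root "$tmp" "$SUDOERS_FILE"
  rm -f -- "$tmp"
}

#######################################
# Drop SSSD's persistent cache and memory cache so stale entries from a
# previous container run do not survive a configuration change.
# Unmatched globs stay literal, which rm -f silently ignores.
#######################################
clear_sssd_cache() {
  echo ">>> Bereinige SSSD Cache..."
  rm -f /var/lib/sss/db/* /var/lib/sss/mc/*
}

#######################################
# Entry point: configure, then start the services in dependency order.
# sssd daemonises (-D); a failed start aborts under set -e instead of
# leaving xrdp running without identity lookups.
#######################################
main() {
  write_sssd_conf
  write_sudoers_rule
  clear_sssd_cache

  echo ">>> Starte Dienste..."
  # Start SSSD with the mapped debug level.
  sssd -D --debug-level="${SSSD_DEBUG}"

  service dbus start
  xrdp-sesman
  # xrdp -n stays in the foreground and replaces this shell as the
  # container's main process.
  exec xrdp -n
}

main "$@"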