NYCU NA 2022 HW4

Computer Network Administration

Spec

Check Point

Online Judge

Online Demo

  • (5) Can clearly explain what their Ansible playbook does and answer the TA's questions.
  • (5) Is the Ansible playbook written in the Role, Task, Template and Handler structure.
  • (5) Can clearly explain the purpose and meaning of Ansible Role, Task, Template and Handler.
  • (5) Logging in to the LDAP Server as stu{ID} fails, while logging in to the new Workstation (the one just built with Ansible) succeeds.
  • (5) On the newly built Workstation, use ldapsearch to confirm that the stu{ID} user exists.
  • (3) ta1 must be able to run both sudo cat and sudo ls successfully on the LDAP Server.
  • (3) Add a test account to the stu group on the LDAP Server (username given on the spot).
  • (9) Logging in to the new Workstation with the account just created succeeds.
  • (5) With the account just created, sudo cat succeeds on the new workstation and sudo ls fails.
  • (5) Explain how sudo privileges are managed through LDAP and answer the TA's questions.

Environment Setup

prepare development tools

timedatectl set-timezone Asia/Taipei
apt install -y vim tmux htop tcpdump nload net-tools mtr tree
wget git.io/nella17-tmux-conf -O ~/.tmux.conf
wget https://github.com/nella17/dotfiles/raw/main/.vimrc.simple -O ~/.vimrc

LDAP Server

install ldap

DEBIAN_FRONTEND=noninteractive apt install -y slapd ldap-utils
> Administrator password
> Confirm password
dpkg-reconfigure slapd
> Omit OpenLDAP server configuration? no
> DNS domain name: <ID>.nasa
> Organization name: <ID>.nasa
> Administrator password
> Confirm password
> Do you want the database to be removed when slapd is purged? yes
> Move old database? no

/etc/ldap/ldap.conf

BASE    dc=<ID>,dc=nasa
URI     ldap://ldap.<ID>.nasa

Utils

service slapd status
journalctl -u slapd
tail -f /var/log/syslog

ldapwhoami -D "cn=admin,dc=<ID>,dc=nasa" -W
ldapwhoami -Y EXTERNAL -H ldapi:///
ldapsearch -Y EXTERNAL -H ldapi:/// -o ldif-wrap=no -b "cn=config" | less

log

ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1
# -1 logs everything (noisy); for day-to-day use replace it with a selective list, e.g.
# olcLogLevel: conns config acl stats shell

CA Cert

apt install -y ssl-cert
usermod -aG ssl-cert openldap

cd /etc/ssl/private

# CA (self-signed, EC P-256, valid 10 years)
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -keyout ca.key -x509 -days 3650 -out ca.cert -subj "/CN=<ID> nasa"
# server cert request; the CN must match the URI clients use (ldap.<ID>.nasa)
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -keyout server.key -out server.req -subj "/CN=ldap.<ID>.nasa"

openssl x509 -req -in server.req -days 365 -CA ca.cert -CAkey ca.key -CAcreateserial -out server.cert

openssl verify -show_chain -CAfile ca.cert server.cert

# slapd runs as openldap (group ssl-cert) and must read server.key; ca.key is only used for signing and is never read by slapd
chown :ssl-cert *
chmod 640 server.key

# trust our CA system-wide (update-ca-certificates only picks up *.crt files)
ln -s /etc/ssl/private/ca.cert /usr/local/share/ca-certificates/ca.crt
update-ca-certificates

ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/private/ca.cert
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/private/server.cert
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/server.key

# StartTLS must succeed (-ZZ makes the client fail hard if it does not)
ldapwhoami -H ldap://ldap.<ID>.nasa -x -ZZ

# require TLS for every operation on the main database
ldapmodify -Y EXTERNAL -H ldapi:///
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1

# without -ZZ this now fails with "Confidentiality required (13)"; add -ZZ and it works
ldapsearch -H ldap://ldap.<ID>.nasa -x -LLL

# one-line copy of the CA to paste into each workstation's /etc/ssl/private/ca.cert
base64 -w0 /etc/ssl/private/ca.cert

Create User

Add ssh objectClass

ldapadd -Y EXTERNAL -H ldapi:///

dn: cn={4}opensshLPK,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {4}opensshLPK
olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DESC 'OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY DESC 'OpenSSH LPK objectclass' MUST uid MAY sshPublicKey )

ldapmodify -Y EXTERNAL -H ldapi:///
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {2}to attrs=sshPublicKey by self write by * read

Add ta & stu

ldapadd -D "cn=admin,dc=<ID>,dc=nasa" -w "$pwd" -ZZ

dn: ou=Group,dc=<ID>,dc=nasa
objectclass: organizationalUnit
ou: Group

dn: ou=People,dc=<ID>,dc=nasa
objectclass: organizationalUnit
ou: People

# ta1: primary group ta (10000), SSH key served from sshPublicKey
dn: uid=ta1,ou=People,dc=<ID>,dc=nasa
objectclass: account
objectclass: posixAccount
objectclass: shadowAccount
objectclass: ldapPublicKey
cn: ta1
uid: ta1
uidNumber: 10001
gidNumber: 10000
homeDirectory: /home/ta1
# sent in cleartext; slapd only hashes it once the ppolicy overlay below (olcPPolicyHashCleartext) is active
userPassword: <password>
sshPublicKey: <ssh-key>

# memberUid holds login names (RFC 2307), not uidNumbers
dn: cn=ta,ou=Group,dc=<ID>,dc=nasa
objectclass: posixGroup
cn: ta
gidNumber: 10000
memberUid: ta1

dn: uid=stu<ID>,ou=People,dc=<ID>,dc=nasa
objectclass: account
objectclass: posixAccount
objectclass: shadowAccount
objectclass: ldapPublicKey
cn: stu<ID>
uid: stu<ID>
uidNumber: 200<ID>
gidNumber: 20000
homeDirectory: /home/stu<ID>
loginShell: /bin/bash
userPassword: <password>

dn: cn=stu,ou=Group,dc=<ID>,dc=nasa
objectclass: posixGroup
cn: stu
gidNumber: 20000
memberUid: stu<ID>

MemberOf // TODO

ldapadd -Y EXTERNAL -H ldapi:///

dn: cn=module{1},cn=config
objectClass: olcModuleList
cn: module{1}
olcModulePath: /usr/lib/ldap
olcModuleLoad: memberof

PPolicy

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif

ldapadd -Y EXTERNAL -H ldapi:///

dn: cn=module{2},cn=config
objectClass: olcModuleList
cn: module{2}
olcModulePath: /usr/lib/ldap
olcModuleLoad: ppolicy

dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=pwdDefault,ou=Policy,dc=<ID>,dc=nasa
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
olcPPolicyForwardUpdates: FALSE

ldapadd -D "cn=admin,dc=<ID>,dc=nasa" -w $pwd -ZZ

dn: ou=Policy,dc=<ID>,dc=nasa
objectclass: organizationalUnit
ou: Policy

dn: cn=pwdDefault,ou=Policy,dc=<ID>,dc=nasa
objectClass: pwdPolicy
objectClass: device
cn: pwdDefault
pwdAttribute: userPassword
pwdCheckQuality: 0
pwdMinAge: 0
pwdMaxAge: 0
pwdMinLength: 0
pwdInHistory: 1
pwdMaxFailure: 3
pwdFailureCountInterval: 0
pwdLockout: FALSE
pwdLockoutDuration: 0
pwdAllowUserChange: TRUE
pwdExpireWarning: 0
pwdGraceAuthNLimit: 0
pwdMustChange: FALSE
pwdSafeModify: FALSE
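What the stored userPassword looks like once olcPPolicyHashCleartext is in effect, as an added example (not code from the course notes or from OpenLDAP). It assumes slapd's default {SSHA} scheme and the line format ldapsearch prints, so a value copied out of ldapsearch can be checked against the cleartext that was sent in the LDIF above:

```python
# Added example (not from the course notes or from OpenLDAP): how a {SSHA} userPassword
# value is built and checked. With olcPPolicyHashCleartext TRUE, slapd stores this form
# for the cleartext passwords sent in the LDIFs above; verifying a value copied from
# ldapsearch confirms the overlay really hashed it instead of keeping the cleartext.
import base64, hashlib, hmac, os

SALT_LEN = 4  # slappasswd uses a 4-byte salt; any length verifies, since the salt is appended


def ssha_hash(password, salt=None):
    """'{SSHA}' + base64(sha1(password || salt) || salt), the format slappasswd -h '{SSHA}' emits."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Check a cleartext password against a stored {SSHA} value with a constant-time compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the salt follows it
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def userpassword_from_ldif(line):
    """Decode a userPassword line as ldapsearch prints it ('::' means the value is base64)."""
    name, sep, value = line.partition("::")
    if sep:
        return base64.b64decode(value.strip()).decode()
    return line.partition(":")[2].strip()


def is_hashed(value):
    """True when the stored value uses a hashed scheme rather than cleartext."""
    return value.startswith(("{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}"))
```

Run `ldapsearch -x -ZZ uid=ta1 userPassword` and feed the printed line to userpassword_from_ldif: an entry added before the overlay was configured still shows the cleartext, which is_hashed reports as False.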

PAM

apt install -y libpam-ldapd
# Configuring nslcd (debconf prompts)
# uri: ldap://ldap.<ID>.nasa
# base: dc=<ID>,dc=nasa
# services: passwd, group, shadow

# nslcd must also use StartTLS, otherwise slapd refuses it (olcSecurity tls=1)
sed -i 's:#ssl off:ssl start_tls:' /etc/nslcd.conf
# service nslcd restart
# service nscd restart
# getent passwd   # LDAP users should now be listed

sed -i 's:PasswordAuthentication no:PasswordAuthentication yes:' /etc/ssh/sshd_config

# create the home directory on first login
sed -i '/pam_ldap.so/i session required\tpam_mkhomedir.so' /etc/pam.d/common-session

# helper that looks up sshPublicKey in LDAP; patched to use /etc/ldap/ldap.conf and StartTLS
wget https://gist.github.com/jirutka/b15c31b2739a4f3eab63/raw/52eab26bf17cf6b01a2b3cd3ee26f034c8cf7ee6/ssh-getkey-ldap -O /usr/local/bin/ssh-keyldap
chmod +x /usr/local/bin/ssh-keyldap
sed -i 's:/etc/ssh/ldap.conf:/etc/ldap/ldap.conf:;s:ldapsearch:& -ZZ:' /usr/local/bin/ssh-keyldap
# LDAPCONF='/etc/ldap/ldap.conf'
# ldapsearch -ZZ

# uncomment AuthorizedKeysCommand/AuthorizedKeysCommandUser and point the command at the helper
sed -i '/AuthorizedKeysCommand/s:^#::;/AuthorizedKeysCommand\b/s:none:/usr/local/bin/ssh-keyldap:' /etc/ssh/sshd_config
# service sshd restart
# AuthorizedKeysCommand /usr/local/bin/ssh-keyldap
# AuthorizedKeysCommandUser nobody

# LDAP Server only: limit logins to the ta group (gidNumber 10000), so stu accounts are refused there
# echo 'pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(gidNumber=10000)))' | tee -a /etc/nslcd.conf

Workstation

# copy CA to /etc/ssl/private/ca.cert
ln -s /etc/ssl/private/ca.cert /usr/local/share/ca-certificates/ca.crt
update-ca-certificates
apt install -y ldap-utils

# on the Workstation: replace sudo with the variant that reads sudoRole entries from LDAP
SUDO_FORCE_REMOVE=yes apt install -y sudo-ldap
sed -i '/TLS_CACERT/a SSL\tstart_tls' /etc/sudo-ldap.conf
sed -i '/BASE/a SUDOERS_BASE\tou=SUDOers,dc=<ID>,dc=nasa' /etc/sudo-ldap.conf

# on the LDAP Server: load the sudo schema
ldapadd -Y EXTERNAL -H ldapi:///

dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may  run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ description ) )

# on the LDAP Server: the sudoers data. %ta may run anything; %stu only /usr/bin/cat, so sudo ls is denied
ldapadd -D "cn=admin,dc=<ID>,dc=nasa" -w "$pwd" -ZZ

dn: ou=SUDOers,dc=<ID>,dc=nasa
objectclass: organizationalUnit
ou: SUDOers

dn: cn=defaults,ou=SUDOers,dc=<ID>,dc=nasa
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: env_keep+=SSH_AUTH_SOCK

dn: cn=%ta,ou=SUDOers,dc=<ID>,dc=nasa
objectClass: top
objectClass: sudoRole
cn: %ta
sudoUser: %ta
sudoHost: ALL
sudoCommand: ALL

dn: cn=%stu,ou=SUDOers,dc=<ID>,dc=nasa
objectClass: top
objectClass: sudoRole
cn: %stu
sudoUser: %stu
sudoHost: ALL
sudoCommand: /usr/bin/cat
resolvectl flush-caches
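A simplified model of how sudo-ldap evaluates the sudoRole entries above, added here as an example (not code from the course or from sudo) to show why the %stu role permits sudo cat but not sudo ls while %ta may run anything. SAMPLE_LDIF is constructed to mirror this page's entries with a placeholder domain; it also handles the "!" negation sudoers supports, which the page's entries do not use.

```python
# Added example (not from the course notes or from sudo): a simplified model of how
# sudo-ldap evaluates sudoRole entries. sudoUser: uid / %group / ALL; sudoHost: ALL or a
# hostname; sudoCommand: ALL, an exact path, or "!"-negated. Argument matching, globs,
# netgroups and sudoOrder are omitted.
# Constructed sample mirroring this page's ou=SUDOers entries (placeholder domain).
SAMPLE_LDIF = """\
dn: cn=defaults,ou=SUDOers,dc=ID,dc=nasa
objectClass: sudoRole
cn: defaults

dn: cn=%ta,ou=SUDOers,dc=ID,dc=nasa
objectClass: sudoRole
cn: %ta
sudoUser: %ta
sudoHost: ALL
sudoCommand: ALL

dn: cn=%stu,ou=SUDOers,dc=ID,dc=nasa
objectClass: sudoRole
cn: %stu
sudoUser: %stu
sudoHost: ALL
sudoCommand: /usr/bin/cat
"""


def parse_roles(ldif_text):
    """sudoRole entries as {attribute: [values]}; cn=defaults only carries sudoOption, so skip it."""
    roles = []
    for block in ldif_text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                attrs.setdefault(key.strip(), []).append(value.strip())
        if "sudoRole" in attrs.get("objectClass", []) and attrs.get("cn") != ["defaults"]:
            roles.append(attrs)
    return roles


def is_allowed(roles, uid, groups, host, command):
    """True if a role matching user and host grants `command` and no later match revokes it."""
    allowed = False
    for role in roles:
        if not any(u == "ALL" or u == uid or (u[:1] == "%" and u[1:] in groups)
                   for u in role.get("sudoUser", [])):
            continue
        if not any(h in ("ALL", host) for h in role.get("sudoHost", [])):
            continue
        for spec in role.get("sudoCommand", []):
            if spec.lstrip("!").strip() in ("ALL", command):
                allowed = not spec.startswith("!")  # last matching spec wins, as in sudoers
    return allowed
```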

Ansible

apt update
apt install software-properties-common
add-apt-repository --yes --update ppa:ansible/ansible
apt install -y ansible

https://github.com/nella17/NYCU-NA-2022/

Demo

password: <password>

read -rs pwd # prepare the admin password before the demo (-s keeps it off the terminal)
ansible-playbook workstation.yml -l ws2
ldapsearch -x -ZZ uid=ta1
ldapadd -D "cn=admin,dc=<ID>,dc=nasa" -w "$pwd" -ZZ
dn: uid=<username>,ou=People,dc=<ID>,dc=nasa
objectclass: account
objectclass: posixAccount
objectclass: shadowAccount
objectclass: ldapPublicKey
cn: <username>
uid: <username>
uidNumber: 200ID
gidNumber: 20000
homeDirectory: /home/<username>
loginShell: /bin/bash
userPassword: <password>
