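#!/bin/bash
#
# freeipa-service-password.sh - add/set host service login password
#
# Version 1.0, latest version, documentation and bugtracker available at:
# https://gitlab.lindenaar.net/scripts/freeipa
#
# Copyright (c) 2019 Frederik Lindenaar
#
# This script is free software: you can redistribute and/or modify it under the
# terms of version 3 of the GNU General Public License as published by the Free
# Software Foundation, or (at your option) any later version of the license.
#
# This script is distributed in the hope that it will be useful but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along with
# this program. If not, visit <http://www.gnu.org/licenses/> to download it.
#
# Usage: freeipa-service-password.sh <hostname> <service> [<service> ...]
#
# Environment:
#   HOST         overrides the host name taken from the first argument
#   HOSTALIASES  whitespace-separated extra principals added to a newly
#                created host entry (ignored when empty)
#   HOSTNAME     IPA server whose status is checked; defaults to
#                `hostname --fqdn` only when unset or empty
#
# Must run on an active FreeIPA server with a valid Kerberos ticket (kinit).

# Strict mode lives here rather than in the shebang so it also applies when
# the script is started as "bash freeipa-service-password.sh".
set -eu

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: $* - message
#######################################
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Create the host entry if it does not exist yet, pre-seeded with the SSH
# host keys the host reports itself and with any principals in $HOSTALIASES.
# Globals:   HOSTALIASES (read)
# Arguments: $1 - host FQDN
# Outputs:   progress messages on stdout
#######################################
ensure_host() {
  local host=$1
  local line
  local -a sshkeys=() aliases=()

  if ipa host-show "$host" >/dev/null 2>&1; then
    printf 'host %s exists\n' "$host"
    return 0
  fi

  printf 'Fetching information for %s\n' "$host"
  # ssh-keyscan prints "<host> <keytype> <base64key>"; everything after the
  # first space is the public key. Each key is passed as its own argv
  # element so the shell never re-parses key material coming from the
  # network (the previous eval-based quoting did, which let a host that
  # answers the keyscan with a crafted line run commands on this IPA server).
  # As before, the keys are trusted on first use from the host being added.
  while IFS= read -r line; do
    [[ -n "$line" ]] || continue
    sshkeys+=(--sshpubkey="${line#* }")
  done < <(ssh-keyscan "$host" 2>/dev/null)

  printf 'Creating host %s\n' "$host"
  # ${arr[@]+"${arr[@]}"} expands to nothing for an empty array without
  # tripping set -u on bash < 4.4.
  ipa host-add "$host" ${sshkeys[@]+"${sshkeys[@]}"}

  # HOSTALIASES is split on whitespace into separate principal arguments;
  # with no aliases the call is skipped instead of invoking ipa without a
  # principal.
  read -r -a aliases <<<"${HOSTALIASES:-}"
  if (( ${#aliases[@]} > 0 )); then
    ipa host-add-principal "$host" "${aliases[@]}"
  fi
}

#######################################
# Create the service principal if needed and enable LDAP simple bind on it
# with a freshly generated password: the password is replaced when the entry
# already carries simpleSecurityObject, otherwise the objectClass and the
# password are added together.
# Arguments: $1 - host FQDN
#            $2 - service name (e.g. HTTP)
# Outputs:   bind DN and the generated password on stdout (this is the only
#            place the password is shown; it is not written anywhere else)
# Returns:   exits via die when the entry cannot be read or modified
#######################################
set_service_password() {
  local host=$1 service=$2
  local principal="$service/$host"
  local entry binddn bindpw

  if ipa service-add "$principal" >/dev/null 2>&1; then
    printf 'Created service %s\n' "$principal"
  else
    printf 'service %s exists\n' "$principal"
  fi

  # One --raw --all dump serves both the DN lookup and the objectClass test.
  entry=$(ipa service-show "$principal" --raw --all) \
    || die "cannot read service $principal"
  # --raw prints the entry DN as "  dn: <value>"; strip the label but keep
  # the DN itself intact (including any spaces it may contain).
  binddn=$(printf '%s\n' "$entry" \
    | sed -n 's/^[[:space:]]*dn:[[:space:]]*//p' | head -n 1)
  [[ -n "$binddn" ]] || die "no dn found for service $principal"
  printf 'Service Bind DN: %s\n' "$binddn"

  bindpw=$(pwmake 128) || die "pwmake failed"

  if printf '%s\n' "$entry" | grep -F 'objectClass:' \
      | grep -Fq 'simpleSecurityObject'; then
    printf 'resetting password to generated password: %s\n' "$bindpw"
    # ldapmodify's stderr is left visible so a failed modify is not silent.
    ldapmodify -Q >/dev/null <<EOLDIF || die "ldapmodify failed for $binddn"
dn: $binddn
changetype: modify
replace: userPassword
userPassword: $bindpw
EOLDIF
  else
    printf 'Enabled login with generated password: %s\n' "$bindpw"
    ldapmodify -Q >/dev/null <<EOLDIF || die "ldapmodify failed for $binddn"
dn: $binddn
changetype: modify
add: objectClass
objectClass: simpleSecurityObject
-
add: userPassword
userPassword: $bindpw
EOLDIF
  fi
}

#######################################
# Entry point: validate arguments and environment, ensure the host entry
# exists, then set a bind password on every requested service.
# Globals:   HOST, HOSTNAME (read)
# Arguments: $1 - host name, $2.. - service names
#######################################
main() {
  local host service

  (( $# >= 2 )) || die "Usage: ${0##*/} <hostname> <service> [<service> ...]"

  # Sanity checks: a valid Kerberos ticket, and we run on an active IPA server.
  # NOTE(review): bash pre-sets HOSTNAME itself, so the `hostname --fqdn`
  # default below only applies when HOSTNAME is unset or empty — confirm the
  # shell's value is the FQDN on the servers this is used on.
  if ! klist -s; then
    die "no valid Kerberos ticket, please login to FreeIPA using kinit first"
  elif ! ipa server-show "${HOSTNAME:=$(hostname --fqdn)}" >/dev/null; then
    die "this script should be run on an active IPA server"
  fi

  host=${HOST:-$1}
  shift

  ensure_host "$host"
  for service in "$@"; do
    set_service_password "$host" "$service"
  done
}

main "$@"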