Diffstat (limited to 'src/etc')
-rw-r--r--src/etc/cron.d/70_laps.cron4
-rw-r--r--src/etc/laps/laps.conf.example40
-rw-r--r--src/etc/laps/lapsldap.conf.example12
3 files changed, 56 insertions, 0 deletions
diff --git a/src/etc/cron.d/70_laps.cron b/src/etc/cron.d/70_laps.cron
new file mode 100644
index 0000000..6be219b
--- /dev/null
+++ b/src/etc/cron.d/70_laps.cron
@@ -0,0 +1,4 @@
+# file: /etc/cron.d/70_laps.cron
+# Local Administrator Password Solution
+
+30 1 * * * root /usr/share/laps/laps.sh 1>/dev/null 2>&1
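Review bot: The cron line sends both stdout and stderr to /dev/null, so a rotation that fails before the script reaches its own logger call (missing config, kinit or ldapmodify failure, unreadable password generator) leaves no trace on the host. Keeping stderr visible, e.g. `30 1 * * * root /usr/share/laps/laps.sh 1>/dev/null 2>>/var/log/laps-cron.log`, or piping it through logger, would let operators notice a host whose local administrator password silently stopped rotating. Whether laps.sh already logs every failure path internally cannot be confirmed from this hunk.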
diff --git a/src/etc/laps/laps.conf.example b/src/etc/laps/laps.conf.example
new file mode 100644
index 0000000..1072451
--- /dev/null
+++ b/src/etc/laps/laps.conf.example
@@ -0,0 +1,40 @@
+# File: /etc/laps/laps.conf
+# Config file for LAPS
+
+# LAPS config
+LAPS_USER="toor" # packaged with a non-root user
+LAPS_LDAPCONF="/etc/laps/lapsldap.conf" # a duplicate of ldap.conf(5)
+LAPS_THRESHOLD="5 days" # within so much time of expiration, generate a new password
+LAPS_TIMELIMIT="45 days" # how much time away to set the new expiration time
+LAPS_PWGEN_FLAGS="130" # roughly, how many bits of entropy
+LAPS_LOG_MSG="LAPS has updated the password for user ${LAPS_USER}"
+
+# Ldap configuration
+LAPS_LDAPSEARCH_UNIQUE_ID="dn"
+LAPS_ATTRIB_PW="ms-Mcs-AdmPwd"
+LAPS_ATTRIB_TIME="ms-Mcs-AdmPwdExpirationTime"
+
+# Ldap interaction. You probably don't need to modify these. The script has a -h flag for selecting a different host to read, which overrides these.
+LAPS_HOST="$( hostname -s )"
+LAPS_LDAPSEARCH_FILTER="(cn=${LAPS_HOST}*)"
+
+# External commands and flags
+LAPS_KINIT_BIN="/usr/bin/kinit"
+LAPS_DATETIME_PY="/usr/share/laps/dependencies/datetime.py"
+LAPS_KINIT_HOST_SCRIPT_DEFAULT="/usr/share/bgscripts/work/kinit-host.sh"
+LAPS_KINIT_HOST_SCRIPT="/usr/share/bgscripts/work/kinit-host.sh"
+LAPS_KLIST_BIN="/usr/bin/klist"
+LAPS_LDAPMODIFY_BIN="/usr/bin/ldapmodify"
+LAPS_LDAPMODIFY_FLAGS="-O maxssf=0 -Q -o ldif-wrap=300 -Y gssapi -f"
+LAPS_LDAPSEARCH_BIN="/usr/bin/ldapsearch"
+LAPS_LDAPSEARCH_FLAGS="-LLL -O maxssf=0 -o ldif-wrap=300 -Y gssapi"
+LAPS_PASSWD_BIN="/bin/passwd"
+LAPS_LOG_BIN="/bin/logger"
+LAPS_LOG_FLAGS="-t laps -i -p authpriv.notice"
+LAPS_PWGEN_SCRIPT="/usr/bin/pwmake"
+
+# These are designed primarily for environment variable or parameter usage
+LAPS_TEST=0 # -t
+LAPS_FORCE=0 # -f
+LAPS_KERBEROS_USER="machine" # -u <username>
+LAPS_INTERACTIVE=0 # -i
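Review bot: `LAPS_LDAPMODIFY_FLAGS` and `LAPS_LDAPSEARCH_FLAGS` both pass `-O maxssf=0`, which disables the GSSAPI integrity/privacy layer, so confidentiality of the new password on the wire then rests entirely on the URI in `LAPS_LDAPCONF` using ldaps://; a comment above those lines such as `# maxssf=0 turns off the SASL privacy layer; the ldapsearch/ldapmodify URI in LAPS_LDAPCONF must be ldaps:// so the password is still sent over TLS` would make that dependency explicit to whoever edits the example. Separately, `LAPS_LDAPSEARCH_FILTER="(cn=${LAPS_HOST}*)"` is a prefix match, so a short hostname that is a prefix of another computer's cn (e.g. `web` and `web2`) can return more than one object; unless laps.sh rejects multiple results, an exact filter `(cn=${LAPS_HOST})` is safer, or the comment on that line should say why the wildcard is wanted. Note also that this file is sourced as shell and `LAPS_HOST="$( hostname -s )"` executes at source time, so the config should stay root-owned and not group/world-writable.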
diff --git a/src/etc/laps/lapsldap.conf.example b/src/etc/laps/lapsldap.conf.example
new file mode 100644
index 0000000..df9e0f8
--- /dev/null
+++ b/src/etc/laps/lapsldap.conf.example
@@ -0,0 +1,12 @@
+# File: /etc/lapsldap.conf
+# Used by laps when calling ldapsearch and ldapmodify
+# Package: laps
+# Documentation: see ldap.conf(5)
+
+TLS_CACERTDIR /etc/openldap/cacerts
+
+# Turning this off breaks GSSAPI used with krb5 when rdns = false
+SASL_NOCANON on
+
+URI ldaps://ad.example.com ldaps://ds1.ad.example.com lapds://ds2.ad.example.com
+BASE dc=ad,dc=example,dc=com
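Review bot: The third URI in the `URI` line reads `lapds://ds2.ad.example.com`, which is not a scheme ldap.conf(5) understands; it should be `ldaps://ds2.ad.example.com`, otherwise anyone copying the example loses that failover server (and, with `maxssf=0` set in laps.conf, a stray non-ldaps scheme here would also drop TLS protection of the password). The header comment `# File: /etc/lapsldap.conf` disagrees with the path laps.conf.example points at, `/etc/laps/lapsldap.conf`; one of the two should be corrected so the documented location matches what the script reads.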