From c24fc7ad8e1c04c6d5a2a94619df05f707d39323 Mon Sep 17 00:00:00 2001
From: B Stack
Date: Tue, 23 Oct 2018 14:19:12 -0400
Subject: initial commit and release of v0.0.1
---
 src/etc/cron.d/70_laps.cron | 4 ++++
 src/etc/laps/laps.conf.example | 40 ++++++++++++++++++++++++++++++++++++++
 src/etc/laps/lapsldap.conf.example | 12 ++++++++++++
 3 files changed, 56 insertions(+)
 create mode 100644 src/etc/cron.d/70_laps.cron
 create mode 100644 src/etc/laps/laps.conf.example
 create mode 100644 src/etc/laps/lapsldap.conf.example
(limited to 'src/etc')
diff --git a/src/etc/cron.d/70_laps.cron b/src/etc/cron.d/70_laps.cron
new file mode 100644
index 0000000..6be219b
--- /dev/null
+++ b/src/etc/cron.d/70_laps.cron
@@ -0,0 +1,4 @@
+# file: /etc/cron.d/70_laps.cron
+# Local Administrator Password Solution
+
+30 1 * * * root /usr/share/laps/laps.sh 1>/dev/null 2>&1
diff --git a/src/etc/laps/laps.conf.example b/src/etc/laps/laps.conf.example
new file mode 100644
index 0000000..1072451
--- /dev/null
+++ b/src/etc/laps/laps.conf.example
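Review bot: The cron entry on the last line of the hunk sends both stdout and stderr to /dev/null, so a failed rotation (whatever laps.sh fails on — credentials, the directory write, a missing script) never reaches cron mail and is visible only if the script logs it itself. I'd keep stderr, `30 1 * * * root /usr/share/laps/laps.sh 1>/dev/null`, or at least state in the header comment that failures are expected to surface only through the logger configured in laps.conf. The header could also note that, because this runs as root, the file must stay root-owned and not group/world-writable, which the packaged mode 0644 satisfies but a local edit can undo.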
@@ -0,0 +1,40 @@
+# File: /etc/laps/laps.conf
+# Config file for LAPS
+
+# LAPS config
+LAPS_USER="toor" # packaged with a non-root user
+LAPS_LDAPCONF="/etc/laps/lapsldap.conf" # a duplicate of ldap.conf(5)
+LAPS_THRESHOLD="5 days" # within so much time of expiration, generate a new password
+LAPS_TIMELIMIT="45 days" # how much time away to set the new expiration time
+LAPS_PWGEN_FLAGS="130" # roughly, how many bits of entropy
+LAPS_LOG_MSG="LAPS has updated the password for user ${LAPS_USER}"
+
+# Ldap configuration
+LAPS_LDAPSEARCH_UNIQUE_ID="dn"
+LAPS_ATTRIB_PW="ms-Mcs-AdmPwd"
+LAPS_ATTRIB_TIME="ms-Mcs-AdmPwdExpirationTime"
+
+# Ldap interaction. You probably don't need to modify these. The script has a -h flag for selecting a different host to read, which overrides these.
+LAPS_HOST="$( hostname -s )"
+LAPS_LDAPSEARCH_FILTER="(cn=${LAPS_HOST}*)"
+
+# External commands and flags
+LAPS_KINIT_BIN="/usr/bin/kinit"
+LAPS_DATETIME_PY="/usr/share/laps/dependencies/datetime.py"
+LAPS_KINIT_HOST_SCRIPT_DEFAULT="/usr/share/bgscripts/work/kinit-host.sh"
+LAPS_KINIT_HOST_SCRIPT="/usr/share/bgscripts/work/kinit-host.sh"
+LAPS_KLIST_BIN="/usr/bin/klist"
+LAPS_LDAPMODIFY_BIN="/usr/bin/ldapmodify"
+LAPS_LDAPMODIFY_FLAGS="-O maxssf=0 -Q -o ldif-wrap=300 -Y gssapi -f"
+LAPS_LDAPSEARCH_BIN="/usr/bin/ldapsearch"
+LAPS_LDAPSEARCH_FLAGS="-LLL -O maxssf=0 -o ldif-wrap=300 -Y gssapi"
+LAPS_PASSWD_BIN="/bin/passwd"
+LAPS_LOG_BIN="/bin/logger"
+LAPS_LOG_FLAGS="-t laps -i -p authpriv.notice"
+LAPS_PWGEN_SCRIPT="/usr/bin/pwmake"
+
+# These are designed primarily for environment variable or parameter usage
+LAPS_TEST=0 # -t
+LAPS_FORCE=0 # -f
+LAPS_KERBEROS_USER="machine" # -u
+LAPS_INTERACTIVE=0 # -i
diff --git a/src/etc/laps/lapsldap.conf.example b/src/etc/laps/lapsldap.conf.example
new file mode 100644
index 0000000..df9e0f8
--- /dev/null
+++ b/src/etc/laps/lapsldap.conf.example
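Review bot: `LAPS_LDAPSEARCH_FILTER="(cn=${LAPS_HOST}*)"` carries a trailing wildcard, so a host named `db` also matches computer objects such as `db2` or `dbbackup`; unless laps.sh checks that exactly one DN comes back (not visible in this commit), the new password and expiration time could be written to the wrong object. I'd anchor it, `LAPS_LDAPSEARCH_FILTER="(cn=${LAPS_HOST})"`, or document why the wildcard is needed and that a multi-result search must be rejected. Both `LAPS_LDAPMODIFY_FLAGS` and `LAPS_LDAPSEARCH_FLAGS` pass `-O maxssf=0`, which turns off the SASL integrity/privacy layer (commonly needed for GSSAPI over TLS against AD), so the password in the modify is protected by the transport alone; a comment such as `# maxssf=0 disables the SASL privacy layer, so the URI in LAPS_LDAPCONF must be ldaps://` would make that dependency explicit. Since `LAPS_HOST="$( hostname -s )"` shows this file is sourced as shell, the header should also say that /etc/laps/laps.conf must be root-owned and not writable by others, because anything placed in it runs as root from cron.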
@@ -0,0 +1,12 @@
+# File: /etc/lapsldap.conf
+# Used by laps when calling ldapsearch and ldapmodify
+# Package: laps
+# Documentation: see ldap.conf(5)
+
+TLS_CACERTDIR /etc/openldap/cacerts
+
+# Turning this off breaks GSSAPI used with krb5 when rdns = false
+SASL_NOCANON on
+
+URI ldaps://ad.example.com ldaps://ds1.ad.example.com lapds://ds2.ad.example.com
+BASE dc=ad,dc=example,dc=com
-- cgit
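Review bot: The third entry on the `URI` line is `lapds://ds2.ad.example.com`, which looks like a typo for `ldaps://`; libldap rejects an unrecognized scheme when it parses the URI list, so I'd expect ldapsearch/ldapmodify to fail with a bad-parameter error rather than fall back to the remaining servers. The line should read `URI ldaps://ad.example.com ldaps://ds1.ad.example.com ldaps://ds2.ad.example.com`. The header `# File: /etc/lapsldap.conf` also disagrees with both the patch path `src/etc/laps/lapsldap.conf.example` and `LAPS_LDAPCONF` in laps.conf.example, which point at `/etc/laps/lapsldap.conf`; `# File: /etc/laps/lapsldap.conf` matches the packaging.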