authorB. Stack <bgstack15@gmail.com>2024-07-23 20:49:09 -0400
committerB. Stack <bgstack15@gmail.com>2024-07-23 20:49:09 -0400
commitab90e078ffb1fd8c27d06b0f32c5b4ba9a16861f (patch)
tree328d3b27c51d5ac11b2c72486302e1fdf6d3a74d
parentinitial commit (diff)
support domain lookup from oid
-rw-r--r--read-cert-template.conf6
-rw-r--r--read-cert-template.conf.example18
-rwxr-xr-x[-rw-r--r--]read-cert-template.sh29
3 files changed, 43 insertions, 10 deletions
diff --git a/read-cert-template.conf b/read-cert-template.conf
deleted file mode 100644
index e61d492..0000000
--- a/read-cert-template.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# File: ~/.config/read-cert-template.conf
-RCT_LDAPSERVER=ldaps://example.corp
-# The "CN=Certificate Templates,CN=Public Key,CN=Services,CN=Configuration," will be prepended to this:
-RCT_LDAPBASE="DC=example,DC=corp"
-RCT_LDAPAUTHUNQUOTED="-x -w see#keepass"
-RCT_LDAPAUTHQUOTED="-D CN=Service Account 319 (sa319),OU=Accounts,DC=example,DC=corp"
diff --git a/read-cert-template.conf.example b/read-cert-template.conf.example
new file mode 100644
index 0000000..0a875f3
--- /dev/null
+++ b/read-cert-template.conf.example
@@ -0,0 +1,18 @@
+# File: ~/.config/read-cert-template.conf
+# If you know the whole oid, chop off the M$ part, and the first number (awk $10) is this identifier. Technically it is not enough to identify the exact PKI instance, but it is good enough for this!
+# You can just use RCT_ALIAS= if you do not want to define per-domain settings.
+RCT_ALIAS_1234567=""
+RCT_LDAPSERVER_1234567=ldaps://locale1.example.corp
+# the "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration," will be added to this:
+RCT_LDAPBASE_1234567="DC=example,DC=corp"
+# because i struggled with escaped spaces around this stuff
+RCT_LDAPAUTH1_1234567="-x -w $( printf '%s' 'base64dPwHere' | base64 -d )"
+RCT_LDAPAUTH2_1234567="-D CN=Service Account 23498,OU=Accounts,DC=locale2,DC=example,DC=corp"
+
+RCT_ALIAS_4928234="DEV"
+RCT_LDAPSERVER_4928234=ldaps://locale2.example.corp
+# the "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration," will be added to this:
+RCT_LDAPBASE_4928234="DC=locale2,DC=example,DC=corp"
+# because i struggled with escaped spaces around this stuff
+RCT_LDAPAUTH1_4928234="-x -w $( printf '%s' 'SecurityHatesMe' | base64 -d )"
+RCT_LDAPAUTH2_4928234="-D CN=Service Account 5822,OU=Accounts,DC=locale2,DC=example,DC=corp"
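Review bot: The `base64 -d` wrapping on the two `RCT_LDAPAUTH1_*` lines only obfuscates the bind password, and the placeholder strings `base64dPwHere` and `SecurityHatesMe` do not look like valid base64 (their lengths are not multiples of 4), so copying the example as-is will make `base64 -d` complain when the conf is sourced; either use a clearly constructed valid sample or drop the wrapping and say plainly that the value is the password. Because the script loads this file with `.`, everything in it runs as shell, so the header comment should state the required protection, e.g. `# Keep this file mode 0600: it is sourced as shell and holds the LDAP bind password.`. The password is then handed to ldapsearch as `-w`, which makes it readable in the process list by other local users; ldapsearch's `-y <passwordfile>` keeps it out of argv.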
diff --git a/read-cert-template.sh b/read-cert-template.sh
index 5006bd5..902a4de 100644..100755
--- a/read-cert-template.sh
+++ b/read-cert-template.sh
@@ -7,6 +7,7 @@
# Title: Read cert template
# Purpose: read certificate and print cert tempalte name if discoverable
# History:
+# 2024-07-23 added to support RCT_LDAPSERVER_1234567 values in the conf file for domain-specific connection info
# Usage:
# Reference: see blog post
# Improve:
@@ -19,7 +20,7 @@ test -f "${RCT_CONF}" && . "${RCT_CONF}"
# use RCT_IN env var or first parameter, or else standard input
RCT_IN="${RCT_IN:-${1}}"
-RCT_IN="${RCT_IN:-/dev/stdin}"
+RCT_IN="${RTC_IN:-/dev/stdin}"
if echo "${RCT_IN}" | grep -qE -e '^-$|^stdin$' ;
then
@@ -28,6 +29,26 @@ else
_input="$( cat "${RCT_IN}" )"
fi
-oid="$( echo "${_input}" | openssl x509 -in /dev/stdin -noout -text -certopt no_header,no_version,no_serial,no_signame,no_validity,no_subject,no_issuer,no_pubkey,ext_parse | sed -n -r -e '/1.3.6.1.4.1.311.21.7/,+2p' | awk '/OBJECT/{print $NF}' | sed -r -e 's/^://;' )"
-test -n "${VERBOSE}" && printf 'oid=%s\n' "${oid}" 1>&2
-LDAPTLS_REQCERT=never ldapsearch -LLL -o ldif-wrap=9000 -H "${RCT_LDAPSERVER}" ${RCT_LDAPAUTHUNQUOTED} "${RCT_LDAPAUTHQUOTED}" -b "CN=Certificate Templates,CN=Public Key,CN=Services,CN=Configuration,${RCT_LDAPBASE}" "(msPKI-Cert-Template-OID=${oid})" CN | awk '$1~/cn:/{$1="";print;}' | sed -r -e 's/^ +| +$//g;'
+oid="$( echo "${_input}" | openssl x509 -in /dev/stdin -noout -text -certopt no_header,no_version,no_serial,no_signame,no_validity,no_subject,no_issuer,no_pubkey,ext_parse | sed -n -r -e '/1.3.6.1.4.1.311.21.7|Microsoft certificate template/,+2p' | awk '/OBJECT/{print $NF}' | sed -r -e 's/^://;' )"
+# domain oid segment
+_d="$( echo "${oid}" | awk -F'.' '$0~/1\.3\.6\.1\.4\.1\.311\.21\.8/{print $10}' )"
+# Load RCT_ALIAS_1234567 where 1234567=domain oid segment
+for word in ALIAS LDAPSERVER LDAPBASE LDAPAUTH1 LDAPAUTH2 ;
+do
+ eval test -n \"\${RCT_${word}_${_d}}\" && eval RCT_${word}=\"\${RCT_${word}_${_d}}\"
+done
+test -n "${VERBOSE}" && {
+ printf 'oid=%s\n' "${oid}"
+ printf 'domain=%s\n' "${RCT_ALIAS}"
+} 1>&2
+
+# look up template
+LDAPTLS_REQCERT=never ldapsearch -LLL -o ldif-wrap=9000 -H "${RCT_LDAPSERVER}" ${RCT_LDAPAUTH1} "${RCT_LDAPAUTH2}" -b "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,${RCT_LDAPBASE}" "(msPKI-Cert-Template-OID=${oid})" CN | awk '$1~/cn:/{$1="";print;}' | sed -r -e 's/^ +| +$//g;' | {
+ if test -n "${RCT_ALIAS}" ;
+ then
+ # append alias on end
+ sed -r -e "s/ *$/ (${RCT_ALIAS})/g;"
+ else
+ cat
+ fi
+}
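Review bot: The replacement line in the second hunk, `RCT_IN="${RTC_IN:-/dev/stdin}"`, reads `RTC_IN` instead of `RCT_IN`, so the value picked on the preceding line from the env var or first parameter is discarded and input always comes from /dev/stdin; it should be `RCT_IN="${RCT_IN:-/dev/stdin}"`. In the third hunk, `_d` is awk field 10 of an OID taken from the certificate being inspected and is then spliced into `eval` as part of a variable name; constrain it before the loop, e.g. `case "${_d}" in ''|*[!0-9]*) _d= ;; esac`, so that unexpected characters in an untrusted certificate never reach eval. The bind password inside `${RCT_LDAPAUTH1}` travels on the ldapsearch command line as `-w`, where it is visible in the process list; `-y <passwordfile>` avoids that. `LDAPTLS_REQCERT=never`, carried over from the old line, disables server certificate verification for the ldaps bind, so the password and the lookup result are exposed to anyone who can intercept the connection; this deserves a comment explaining why it is needed, or removal once the CA is trusted.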