From ab90e078ffb1fd8c27d06b0f32c5b4ba9a16861f Mon Sep 17 00:00:00 2001
From: "B. Stack"
Date: Tue, 23 Jul 2024 20:49:09 -0400
Subject: support domain lookup from oid
---
 read-cert-template.conf | 6 ------
 read-cert-template.conf.example | 18 ++++++++++++++++++
 read-cert-template.sh | 29 +++++++++++++++++++++++++----
 3 files changed, 43 insertions(+), 10 deletions(-)
 delete mode 100644 read-cert-template.conf
 create mode 100644 read-cert-template.conf.example
 mode change 100644 => 100755 read-cert-template.sh
diff --git a/read-cert-template.conf b/read-cert-template.conf
deleted file mode 100644
index e61d492..0000000
--- a/read-cert-template.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# File: ~/.config/read-cert-template.conf
-RCT_LDAPSERVER=ldaps://example.corp
-# The "CN=Certificate Templates,CN=Public Key,CN=Services,CN=Configuration," will be prepended to this:
-RCT_LDAPBASE="DC=example,DC=corp"
-RCT_LDAPAUTHUNQUOTED="-x -w see#keepass"
-RCT_LDAPAUTHQUOTED="-D CN=Service Account 319 (sa319),OU=Accounts,DC=example,DC=corp"
diff --git a/read-cert-template.conf.example b/read-cert-template.conf.example
new file mode 100644
index 0000000..0a875f3
--- /dev/null
+++ b/read-cert-template.conf.example
@@ -0,0 +1,18 @@
+# File: ~/.config/read-cert-template.conf
+# If you know the whole oid, chop off the M$ part, and the first number (awk $10) is this identifier. Technically it is not enough to identify the exact PKI instance, but it is good enough for this!
+# You can just use RCT_ALIAS= if you do not want to define per-domain settings.
+RCT_ALIAS_1234567=""
+RCT_LDAPSERVER_1234567=ldaps://locale1.example.corp
+# the "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration," will be added to this:
+RCT_LDAPBASE_1234567="DC=example,DC=corp"
+# because i struggled with escaped spaces around this stuff
+RCT_LDAPAUTH1_1234567="-x -w $( printf '%s' 'base64dPwHere' | base64 -d )"
+RCT_LDAPAUTH2_1234567="-D CN=Service Account 23498,OU=Accounts,DC=locale2,DC=example,DC=corp"
+
+RCT_ALIAS_4928234="DEV"
+RCT_LDAPSERVER_4928234=ldaps://locale2.example.corp
+# the "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration," will be added to this:
+RCT_LDAPBASE_4928234="DC=locale2,DC=example,DC=corp"
+# because i struggled with escaped spaces around this stuff
+RCT_LDAPAUTH1_4928234="-x -w $( printf '%s' 'SecurityHatesMe' | base64 -d )"
+RCT_LDAPAUTH2_4928234="-D CN=Service Account 5822,OU=Accounts,DC=locale2,DC=example,DC=corp"
diff --git a/read-cert-template.sh b/read-cert-template.sh
old mode 100644
new mode 100755
index 5006bd5..902a4de
--- a/read-cert-template.sh
+++ b/read-cert-template.sh
@@ -7,6 +7,7 @@
 # Title: Read cert template
 # Purpose: read certificate and print cert tempalte name if discoverable
 # History:
+# 2024-07-23 added to support RCT_LDAPSERVER_1234567 values in the conf file for domain-specific connection info
 # Usage:
 # Reference: see blog post
 # Improve:
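Review bot: The `RCT_LDAPAUTH1_*` lines store the bind password inline as base64, which is an encoding rather than a protection: anyone who can read the file recovers it with `base64 -d`, and the comment above each line ("because i struggled with escaped spaces") leaves a reader free to assume it is obfuscation. I would say so explicitly, e.g. `# base64 only sidesteps shell quoting; it is NOT encryption - keep this file mode 0600`, and prefer ldapsearch's `-y /path/to/pwfile` over `-w`, which additionally keeps the password out of the process list. Because the script sources this file (`. "${RCT_CONF}"`), every `$( … )` in it executes with the caller's privileges, so the file should also be writable only by its owner. Separately, the first block appears to pair `RCT_LDAPSERVER_1234567=ldaps://locale1…` with a bind DN under `DC=locale2`, which looks like a copy-paste slip in the example, and `'SecurityHatesMe'` is not valid base64, so `base64 -d` would reject it if the example were copied verbatim.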
@@ -19,7 +20,7 @@ test -f "${RCT_CONF}" && . "${RCT_CONF}"
 # use RCT_IN env var or first parameter, or else standard input
 RCT_IN="${RCT_IN:-${1}}"
-RCT_IN="${RCT_IN:-/dev/stdin}"
+RCT_IN="${RTC_IN:-/dev/stdin}"
 if echo "${RCT_IN}" | grep -qE -e '^-$|^stdin$' ; then
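Review bot: The added line reads `RTC_IN` where the removed one read `RCT_IN`, so the fallback unconditionally overwrites `RCT_IN` with `/dev/stdin` (unless an unrelated `RTC_IN` happens to be set) and both the `RCT_IN` env var and the first positional parameter resolved on the line above are discarded. It should be `RCT_IN="${RCT_IN:-/dev/stdin}"`. ShellCheck's misspelling check (SC2153) would have flagged the unassigned `RTC_IN` next to the assigned `RCT_IN`.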
@@ -28,6 +29,26 @@
 else
 _input="$( cat "${RCT_IN}" )"
 fi
-oid="$( echo "${_input}" | openssl x509 -in /dev/stdin -noout -text -certopt no_header,no_version,no_serial,no_signame,no_validity,no_subject,no_issuer,no_pubkey,ext_parse | sed -n -r -e '/1.3.6.1.4.1.311.21.7/,+2p' | awk '/OBJECT/{print $NF}' | sed -r -e 's/^://;' )"
-test -n "${VERBOSE}" && printf 'oid=%s\n' "${oid}" 1>&2
-LDAPTLS_REQCERT=never ldapsearch -LLL -o ldif-wrap=9000 -H "${RCT_LDAPSERVER}" ${RCT_LDAPAUTHUNQUOTED} "${RCT_LDAPAUTHQUOTED}" -b "CN=Certificate Templates,CN=Public Key,CN=Services,CN=Configuration,${RCT_LDAPBASE}" "(msPKI-Cert-Template-OID=${oid})" CN | awk '$1~/cn:/{$1="";print;}' | sed -r -e 's/^ +| +$//g;'
+oid="$( echo "${_input}" | openssl x509 -in /dev/stdin -noout -text -certopt no_header,no_version,no_serial,no_signame,no_validity,no_subject,no_issuer,no_pubkey,ext_parse | sed -n -r -e '/1.3.6.1.4.1.311.21.7|Microsoft certificate template/,+2p' | awk '/OBJECT/{print $NF}' | sed -r -e 's/^://;' )"
+# domain oid segment
+_d="$( echo "${oid}" | awk -F'.' '$0~/1\.3\.6\.1\.4\.1\.311\.21\.8/{print $10}' )"
+# Load RCT_ALIAS_1234567 where 1234567=domain oid segment
+for word in ALIAS LDAPSERVER LDAPBASE LDAPAUTH1 LDAPAUTH2 ;
+do
+ eval test -n \"\${RCT_${word}_${_d}}\" && eval RCT_${word}=\"\${RCT_${word}_${_d}}\"
+done
+test -n "${VERBOSE}" && {
+ printf 'oid=%s\n' "${oid}"
+ printf 'domain=%s\n' "${RCT_ALIAS}"
+} 1>&2
+
+# look up template
+LDAPTLS_REQCERT=never ldapsearch -LLL -o ldif-wrap=9000 -H "${RCT_LDAPSERVER}" ${RCT_LDAPAUTH1} "${RCT_LDAPAUTH2}" -b "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,${RCT_LDAPBASE}" "(msPKI-Cert-Template-OID=${oid})" CN | awk '$1~/cn:/{$1="";print;}' | sed -r -e 's/^ +| +$//g;' | {
+ if test -n "${RCT_ALIAS}" ;
+ then
+ # append alias on end
+ sed -r -e "s/ *$/ (${RCT_ALIAS})/g;"
+ else
+ cat
+ fi
+}
-- 
cgit
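Review bot: `_d` is derived from the certificate being inspected — untrusted input — and is spliced verbatim into two `eval` strings in the `for word` loop with no check that it is a single run of digits; the awk that produces it is unanchored (`$0~/…311\.21\.8/` on whatever `oid` holds), and `oid` itself can hold more than one line if the `sed -n '/…/,+2p'` window catches more than one OBJECT line, so a malformed or crafted template extension can make `_d` something other than a number. Guard it before the loop, e.g. `case "${_d}" in ''|*[!0-9]*) _d='' ;; esac`, so that anything unexpected simply falls back to the global `RCT_*` values; since `${oid}` is also interpolated unescaped into the LDAP filter, the same digits-and-dots check on `oid` would close that injection path too. The rewritten `ldapsearch` line still runs with `LDAPTLS_REQCERT=never` while binding with `-x -w`, i.e. a simple bind whose password travels over a TLS session whose server certificate is never verified, and `-w` also exposes the password in `ps`; this predates the commit, but while the line is being touched I would drop `LDAPTLS_REQCERT=never` (point `TLS_CACERT` at the corporate CA in ldap.conf instead) and take the password from a file with `-y`. `RCT_LDAPAUTH1` is intentionally left unquoted so `-x -w …` word-splits, which means a password containing whitespace or glob characters breaks; an array would fix that, but whether the script is bash cannot be confirmed from this hunk as the shebang is outside it.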