sssd-common 1.11.7-3 / usr / share / sssd / generate-config

This file is indexed.

/usr/share/sssd/generate-config is in sssd-common 1.11.7-3.

This file is owned by root:root, with mode 0o755.

The actual contents of the file can be viewed below. 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
#!/bin/sh

# Generate sssd.conf setup dynamically based on autodetectet LDAP
# and Kerberos server.

set -e

# See if we can find an LDAP server.  Prefer ldap.domain, but also
# accept SRV records if no ldap.domain server is found.
lookup_ldap_uri() {
    domain="$1"
    if ping -c2 ldap.$domain > /dev/null 2>&1; then
	echo ldap://ldap.$domain
    else
	host=$(host -N 2 -t SRV _ldap._tcp.$domain | grep -v NXDOMAIN | awk '{print $NF}' | head -1)
	if [ "$host" ] ; then
	    echo ldap://$host | sed 's/\.$//'
	fi
    fi
}

lookup_ldap_base() {
    ldapuri="$1"
    defaultcontext="$(ldapsearch -LLL -H "$ldapuri" -x -b '' -s base defaultNamingContext  2>/dev/null | awk '/^defaultNamingContext: / { print $2}')"
    if [ -z "$defaultcontext" ] ; then
	# If there are several contexts, pick the first one with
	# posixAccount or posixGroup objects in it.
	for context in $(ldapsearch -LLL -H "$ldapuri" -x -b '' \
	    -s base namingContexts 2>/dev/null | \
	    awk '/^namingContexts: / { print $2}') ; do
	    if ldapsearch -LLL -H $ldapuri -x -b "$context" -s sub -z 1 \
		'(|(objectClass=posixAccount)(objectclass=posixGroup))' 2>&1 | \
		egrep -q '^dn:|^Administrative limit exceeded' ; then
		echo $context
		return
	    fi
	done
    fi
    echo $defaultcontext
}

lookup_kerberos_server() {
    domain="$1"
    if ping -c2 kerberos.$domain > /dev/null 2>&1; then
	echo kerberos.$domain
    else
	host=$(host -t SRV _kerberos._tcp.$domain | grep -v NXDOMAIN | awk '{print $NF}'|head -1)
	if [ "$host" ] ; then
	    echo $host | sed 's/\.$//'
	fi
    fi
}

lookup_kerberos_realm() {
    domain="$1"
    realm=$(host -t txt _kerberos.$domain | grep -v NXDOMAIN | awk '{print $NF}'|head -1|tr -d '"')
    if [ -z "$realm" ] ; then
	realm=$(echo $domain | tr a-z A-Z)
    fi
    echo $realm
}


generate_config() {
    if [ "$1" ] ; then
	domain=$1
    else
	domain="$(hostname -d)"
    fi
    kerberosrealm=$(lookup_kerberos_realm $domain)
    ldapuri=$(lookup_ldap_uri "$domain")
    if [ -z "$ldapuri" ];  then
	# autodetection failed
	return
    fi

    ldapbase="$(lookup_ldap_base "$ldapuri")"
    if [ -z "$ldapbase" ];  then
	# autodetection failed
	return
    fi
    kerberosserver=$(lookup_kerberos_server "$domain")

cat <<EOF
# SSSD configuration generated using $0
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = $domain

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3
EOF
if [ "$kerberosserver" ] ; then
    auth="krb5"
    chpass="krb5"
else
    auth="ldap"
    chpass="ldap";
fi

cat <<EOF

[domain/$domain]
; Using enumerate = true leads to high load and slow response
enumerate = false
cache_credentials = true

id_provider = ldap
auth_provider = $auth
chpass_provider = $chpass

ldap_uri = $ldapuri
ldap_search_base = $ldapbase
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
EOF

if [ "$kerberosserver" ] ; then
    cat <<EOF

krb5_kdcip = $kerberosserver
krb5_realm = $kerberosrealm
krb5_changepw_principle = kadmin/changepw
krb5_auth_timeout = 15
EOF
fi
}
generate_config "$@"

APT Browse - Built by Thomas Orozco.