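#!/bin/ksh
# ALTRAN_PROLOG_BEGIN_TAG
# This is an automatically generated prolog.
#
# Copyright (C) Altran ACT S.A.S. 2017,2018,2021.  All rights reserved.
#
# ALTRAN_PROLOG_END_TAG
#
# IBM_PROLOG_BEGIN_TAG
# This is an automatically generated prolog.
#
# 61haes_r714 src/43haes/usr/sbin/cluster/cspoc/utilities/cl_ldapsr_conf.sh 1.2
#
# Licensed Materials - Property of IBM
#
# COPYRIGHT International Business Machines Corp. 2010,2011
# All Rights Reserved
#
# US Government Users Restricted Rights - Use, duplication or
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
#
# IBM_PROLOG_END_TAG
# @(#) 7d4c34b 43haes/usr/sbin/cluster/cspoc/utilities/cl_ldapsr_conf.sh, 726, 2147A_aha726, Feb 05 2021 09:50 PM
#
# cl_ldapsr_conf: configure an ITDS LDAP server instance "ldapdb2" on this
# node with mksecldap, create its SSL key database and certificate, switch the
# server configuration to SSL, restart the daemons and enable DB2 auto reorg.
#
# Positional arguments (as passed by the caller):
#   $1  admin DN             $2  admin DN password    $3  schema type (unused)
#   $4  base DN              $5  SSL port             $6  server kdb path
#   $7  kdb password         $8  ITDS version         $9  db2 instance password
#   ${10} encryption seed
#
# Credentials ($2, $7, $9) are passed to mksecldap, gsk8capicmd_64,
# idsldapmodify, ibmdirctl and db2 on their command lines, so they are visible
# in process listings while those commands run; the temporary expect script
# and LDIF file also carry them, so both are created under umask 077 and
# removed at the end.
#
# Including source function and variables
. /usr/es/sbin/cluster/cspoc/cl_federatedsec_source
#
# Initializing..
fsec_init
fsec_ldap_init
# All temporary files live under FSEC_LOG_DIR and it is "rm -rf"ed on every
# node at the end; refuse to run if the sourced file did not set it.
: "${FSEC_LOG_DIR:?FSEC_LOG_DIR not set by cl_federatedsec_source}"
#
# expect file path
EXPECT_FILE=
# non-ssl port to use
PPORT=
#
#######################################
# Create the expect script that answers the interactive mksecldap prompts.
# Globals:   FSEC_LOG_DIR (read), EXPECT_FILE (written)
# Arguments: none; the generated script itself takes
#            ADMIN_DN ADMIN_DNPW DB2_INSTPW ENCRYPT_SEED BASE_DN PPORT
# Outputs:   writes $EXPECT_FILE, mode 0700, and exits via ret_fail if the
#            file cannot be created
#######################################
function cr_expect_ldapsrconfig {
  EXPECT_FILE="${FSEC_LOG_DIR}/powerha_ldapnewsr.exp.$$"
  # Create the file under a private umask first; the redirection below only
  # truncates it, so the 0600 mode survives.
  (umask 077 && : > "$EXPECT_FILE") || ret_fail "Cannot create $EXPECT_FILE" 1
  # Quoted here-document: nothing is expanded by the shell, so "\r" reaches
  # the file as backslash-r, which Tcl turns into a carriage return.
  cat <<'EOF' > "$EXPECT_FILE"
#!/usr/bin/expect
set timeout 60
set ADMIN_DN [lindex $argv 0]
set ADMIN_DNPW [lindex $argv 1]
set DB2_INSTPW [lindex $argv 2]
set ENCRYPT_SEED [lindex $argv 3]
set BASE_DN [lindex $argv 4]
set PPORT [lindex $argv 5]
spawn -noecho /usr/sbin/mksecldap -s -a $ADMIN_DN -p $ADMIN_DNPW -S rfc2307aix -d $BASE_DN -n $PPORT -u NONE
expect {
  eof {
    catch wait result
    exit [lindex $result 3]
  }
}
expect {
  timeout {exit 1}
  "New password:"
}
send "$DB2_INSTPW\r"
expect {
  timeout {exit 1}
  "Enter the new password again:"
}
send "$DB2_INSTPW\r"
expect {
  timeout {exit 1}
  "Enter an encryption seed to generate key stash files:"
}
send "$ENCRYPT_SEED\r"
set timeout 3600
expect {
  timeout {exit 1}
  eof {}
}
catch wait result
exit [lindex $result 3]
EOF
  chmod 700 "$EXPECT_FILE"
}
#
# Got server kdb path from calling
SERV_KDB_PATH="$6"
# Getting the kdb file name: basename without the .kdb suffix
SERV_KDB_FILE=${SERV_KDB_PATH##*/}
SERV_KDB_FILE=${SERV_KDB_FILE%.kdb}
[[ -z $SERV_KDB_FILE ]] && ret_fail "Server key file not found." 1
# Getting the kdb directory name; a path without any "/" has no directory part
[[ $SERV_KDB_PATH == */* ]] || ret_fail "Server key dir not found." 1
SERV_KDB_DIR=${SERV_KDB_PATH%/*}/
# Setting bit 1 if files exists else 0
KDB_BIT=0
[[ -f $SERV_KDB_PATH ]] && KDB_BIT=1
# Getting kdb password from calling
SERV_KDB_PW="$7"
# Setting kdb certificate label
SERV_KDB_LBL=SERV_CERT
# Setting kdb DN
SERV_KDB_DN="cn=$(hostname),o=ibm"
# Getting admin DN from calling
ADMIN_DN="$1"
# Getting admin DN password from calling
ADMIN_DNPW="$2"
# Getting db2 instance password from calling
DB2_INSTPW="$9"
# Getting encryption seed from calling
ENCRYPT_SEED="${10}"
# Getting base DN from calling
BASE_DN="$4"
# Setting temp ldif file name for loading tables
TMP_LDIF_FILE=${FSEC_LOG_DIR}/fsecurity_tmp.$$.ldif
# Setting ldap instance name
LDAP_INST=ldapdb2
# Getting ssl port from calling
SSL_PORT_NUM="$5"
# Getting ldap version to use from calling
VERSION="$8"
# Getting schema type from calling (kept for interface compatibility, unused below)
SCHEMA_TYPE="$3"
# Setting default ldap admin port (overwritten from idsilist after mksecldap)
ADMIN_PORT=3538
# Setting default flag set
FLAG=0
# Setting gskit required filesets
set -A GSKIT_FSETS GSKit8.gskcrypt32.ppc.rte GSKit8.gskssl32.ppc.rte GSKit8.gskcrypt64.ppc.rte GSKit8.gskssl64.ppc.rte
# Setting filesystems name for ldap installation
set -A TDS_DEP_FS / /usr /tmp /home /var /opt

dspmsg -s 129 cspoc.cat 128 "INFO: Running ldap server configuration on %s, please wait...\n" "$(hostname)"

# Checking Hardware...
if [[ $(/usr/sbin/bootinfo -y) -eq 64 ]]
then
  dspmsg -s 129 cspoc.cat 98 "Machine Hardware is 64 bit.\n"
else
  dspmsg -s 129 cspoc.cat 99 "LDAP Server requires 64bit Hardware"
  exit 1
fi
#
# Checking Kernel...
if [[ $(/usr/sbin/bootinfo -K) -eq 64 ]]
then
  dspmsg -s 129 cspoc.cat 100 "Kernel is 64 bit enabled.\n"
else
  dspmsg -s 129 cspoc.cat 101 "LDAP Server requires 64 bit kernel."
  exit 1
fi
#
# Checking DB2 installed...
/usr/local/bin/db2ls -c > /dev/null || { dspmsg -s 129 cspoc.cat 149 "DB2 not installed on this machine.\n"; exit 2; }
DB2_VER_LIST=$(/usr/local/bin/db2ls -c | /usr/bin/sed '1d' | cut -f2 -d:)
[[ -z $DB2_VER_LIST ]] && ret_fail "DB2 versions not found." 2
FLAG=0
MAX_VER=0      # highest usable version as reported by db2ls, e.g. 10.5
MAX_VER_CC=0   # the same version as a comparable integer, e.g. 105
# Word splitting of $DB2_VER_LIST is intended: one version per word.
for X in $DB2_VER_LIST
do
  # "9.7" -> 97, "10.5" -> 105: first two components joined, no dot
  DB2_VER_CC=$(echo "$X" | awk -F. '{print $1 $2}')
  [[ -z $DB2_VER_CC ]] && ret_fail "DB2 version not found." 2
  if [[ $DB2_VER_CC -ge 97 ]]
  then
    BASE_DB2_PATH=$(/usr/local/bin/db2ls -c | grep -w $X | cut -f1 -d:)
    [[ -z $BASE_DB2_PATH ]] && ret_fail "DB2 base path not found." 2
    # Skip install copies that do not report the BASE_DB2_ENGINE component
    /usr/local/bin/db2ls -q -b $BASE_DB2_PATH | grep -w BASE_DB2_ENGINE > /dev/null || continue
    ${BASE_DB2_PATH}/bin/db2ilist | grep -w "ldapdb2" > /dev/null && { dspmsg -s 129 cspoc.cat 150 "Another %s instance 'ldapdb2' exists, configuration cannot be continued.\n" "DB2"; exit 2; }
    # Compare integer forms only: comparing the "a.b" string with the
    # integer could select a lower version when copies are listed unsorted.
    if [[ $MAX_VER_CC -lt $DB2_VER_CC ]]
    then
      MAX_VER=$X
      MAX_VER_CC=$DB2_VER_CC
    fi
    FLAG=1
  fi
done
DB2_VER=$MAX_VER
if [[ $FLAG -eq 0 ]]
then
  ret_fail "Installed DB2 versions are not compatible!" 2
else
  dspmsg -s 129 cspoc.cat 102 "DB2 Version %s installed on this system, continuing configuration...\n" "$DB2_VER"
fi
#
# Checking GSKIT installed...
/usr/bin/lslpp -l "${GSKIT_FSETS[@]}" > /dev/null || { dspmsg -s 129 cspoc.cat 148 "GSKIT filesets not installed.\n"; exit 2; }
#
# Checking ITDS filesets installed...
# lslpp -f prints paths with leading blanks; TDS_SRV_PATH/TDS_CLT_PATH are
# therefore used unquoted below so word splitting strips them.
TDS_SRV_PATH=$(/usr/bin/lslpp -f idsldap.srvbase64bit${VERSION}.rte | grep "/etc$" | /usr/bin/sed 's/\/etc//g')
[[ -z $TDS_SRV_PATH ]] && ret_fail "Server path not found." 2
TDS_SRV_VER=$(${TDS_SRV_PATH}/bin/idsversion -r 2>&1 | grep "TDS_SRVBASE" | cut -f2 -d#)
[[ -z $TDS_SRV_VER ]] && ret_fail "Version not found." 2
TDS_CLT_PATH=$(/usr/bin/lslpp -f idsldap.cltbase${VERSION}.rte | grep "/etc$" | /usr/bin/sed 's/\/etc//g')
[[ -z $TDS_CLT_PATH ]] && ret_fail "Client path not found." 2
TDS_CLT_VER=$(${TDS_CLT_PATH}/bin/idsversion -r 2>&1 | grep "TDS_CLTBASE" | cut -f2 -d#)
[[ -z $TDS_CLT_VER ]] && ret_fail "Version not found." 2

set -A LDAP_CL_FSETS idsldap.clt32bit${VERSION}.rte idsldap.clt64bit${VERSION}.rte idsldap.clt_max_crypto32bit${VERSION}.rte idsldap.clt_max_crypto64bit${VERSION}.rte idsldap.cltbase${VERSION}.adt idsldap.cltbase${VERSION}.rte idsldap.cltjava${VERSION}.rte idsldap.clt32bit${VERSION}.rte idsldap.clt64bit${VERSION}.rte idsldap.cltbase${VERSION}.rte
set -A LDAP_SR_FSETS idsldap.srv64bit${VERSION}.rte idsldap.srv_max_cryptobase64bit${VERSION}.rte idsldap.srvbase64bit${VERSION}.rte idsldap.srvproxy64bit${VERSION}.rte idsldap.srvbase64bit${VERSION}.rte idsldap.srvproxy64bit${VERSION}.rte idsldap.msg${VERSION}.en_US

/usr/bin/lslpp -l "${LDAP_SR_FSETS[@]}" > /dev/null || { dspmsg -s 129 cspoc.cat 151 "ITDS server filesets were not installed.\n"; exit 2; }
if [[ $VERSION -ge 62 ]]
then
  dspmsg -s 129 cspoc.cat 103 "ITDS server version %s is compatible, continuing configuration...\n" "$TDS_SRV_VER"
else
  dspmsg -s 129 cspoc.cat 104 "Incompatible ITDS server version installed!"
  exit 2
fi
/usr/bin/lslpp -l "${LDAP_CL_FSETS[@]}" > /dev/null || { dspmsg -s 129 cspoc.cat 145 "ITDS client filesets were not installed.\n"; exit 2; }
if [[ $VERSION -ge 62 ]]
then
  dspmsg -s 129 cspoc.cat 105 "ITDS client version %s is compatible, continuing configuration...\n" "$TDS_CLT_VER"
else
  dspmsg -s 129 cspoc.cat 106 "Incompatible ITDS client version installed!"
  exit 2
fi
#
# Checking Filesystems size... (grow each to at least 1024 MB free)
for X in "${TDS_DEP_FS[@]}"
do
  FFS_SIZE=$(df -m "$X" | /usr/bin/sed '1d' | awk '{print $3}')
  [[ -z $FFS_SIZE ]] && ret_fail "FS size not found." 2
  if [[ $FFS_SIZE -lt 1024 ]]
  then
    TMP=$((1024 - FFS_SIZE))
    dspmsg -s 129 cspoc.cat 107 "Increasing %s Filesystem size...\n" "$X"
    /usr/sbin/chfs -a size=+${TMP}M "$X" || ret_fail "Filesystem $X size increase failed!" $?
  fi
done
#
# Configuring LDAP now...
${TDS_SRV_PATH}/sbin/idsilist 2>&1 | grep -w "ldapdb2" > /dev/null && { dspmsg -s 129 cspoc.cat 150 "Another %s instance 'ldapdb2' exists, configuration cannot be continued.\n" "TDS"; exit 2; }
#
## checking listening ports ##
# Try 389, then 1389, 2389, ... until a port not claimed by an existing
# instance is found.
pport=389
while [[ $pport -le 65535 ]]
do
  if [[ -z $(${TDS_SRV_PATH}/sbin/idsilist -a 2>&1 | grep -w "$pport") ]]
  then
    PPORT="$pport"
    break
  fi
  pport=$((pport + 1000))
done
[[ -z $PPORT ]] && ret_fail "Standard ldap ports exhausted." 2
if [[ -n $(${TDS_SRV_PATH}/sbin/idsilist -a 2>&1 | grep -w "$SSL_PORT_NUM") ]]
then
  ret_fail "Specified SSL port already in use." 2
fi
#############################
cr_expect_ldapsrconfig
dspmsg -s 129 cspoc.cat 129 "INFO: Running mksecldap on %s, it may take quite a bit of time...\n" "$(hostname)"
# The session transcript goes to the log; the expect script's exit status is
# the one mksecldap returned.
"$EXPECT_FILE" "$ADMIN_DN" "$ADMIN_DNPW" "$DB2_INSTPW" "$ENCRYPT_SEED" "$BASE_DN" "$PPORT" > "${FSEC_LOG_DIR}/mksecldap.log.$$"
RETCODE=$?
# Fixed marker path under /tmp on every node; presumably read by the
# other nodes' configuration steps — TODO confirm against the callers.
run_on_allnode "echo 1 > /tmp/global_FLAG"
if [[ $RETCODE -ne 0 ]]
then
  dspmsg -s 129 cspoc.cat 154 "LDAP server configuration failed, cleaning...\n"
  ${HA_BASE_PATH}/cspoc/cl_ldapsr_alldel "$TDS_SRV_PATH" "$VERSION" "$SERV_KDB_PATH" "$KDB_BIT"
  exit 1
fi
# Successfully configured LDAP server.
# Generating SSL keys...
FLAG=0
[[ -f ${SERV_KDB_DIR}/${SERV_KDB_FILE}.kdb ]] && { dspmsg -s 129 cspoc.cat 95 "Keys and certificates exists...\n"; FLAG=1; }
if [[ $FLAG -eq 0 ]]
then
  mkdir -p "$SERV_KDB_DIR"
  # -stash writes the password-stash file next to the kdb so the server can
  # open it without a password; -pw is unavoidably on argv here.
  /usr/bin/gsk8capicmd_64 -keydb -create -db "${SERV_KDB_DIR}/${SERV_KDB_FILE}.kdb" -pw "${SERV_KDB_PW}" -type cms -stash \
    || ret_fail "Server -keydb -create -db failed!" $?
  /usr/bin/gsk8capicmd_64 -cert -create -db "${SERV_KDB_DIR}/${SERV_KDB_FILE}.kdb" -pw "${SERV_KDB_PW}" -label "${SERV_KDB_LBL}" -dn "${SERV_KDB_DN}" -default_cert yes \
    || ret_fail "Server -cert -create -db failed!" $?
  /usr/bin/gsk8capicmd_64 -cert -extract -db "${SERV_KDB_DIR}/${SERV_KDB_FILE}.kdb" -pw "${SERV_KDB_PW}" -label "${SERV_KDB_LBL}" \
    -target "${SERV_KDB_DIR}/${SERV_KDB_FILE}.arm" || ret_fail "Server -cert -extract -db failed!" $?
fi
#
# Configuring server for SSL...
# The LDIF carries the key-database password, so it is created mode 0600
# before being written; printf keeps backslashes in values literal.
(umask 077 && : > "$TMP_LDIF_FILE") || ret_fail "Cannot create $TMP_LDIF_FILE" 2
printf '%s\n' \
  "dn: cn=SSL,cn=Configuration" \
  "changetype: modify" \
  "replace: ibm-slapdSecurePort" \
  "ibm-slapdSecurePort: $SSL_PORT_NUM" \
  "-" \
  "replace: ibm-slapdSslAuth" \
  "ibm-slapdSslAuth: serverAuth" \
  "-" \
  "replace: ibm-slapdSecurity" \
  "ibm-slapdSecurity: SSL" \
  "" \
  "dn: cn=SSL,cn=Configuration" \
  "changetype: modify" \
  "replace: ibm-slapdSSLKeyDatabase" \
  "ibm-slapdSSLKeyDatabase: ${SERV_KDB_DIR}/${SERV_KDB_FILE}.kdb" \
  "-" \
  "replace:ibm-slapdSslCertificate" \
  "ibm-slapdSslCertificate: ${SERV_KDB_LBL}" \
  "-" \
  "replace: ibm-slapdSSLKeyDatabasePW" \
  "ibm-slapdSSLKeyDatabasePW: ${SERV_KDB_PW}" \
  > "$TMP_LDIF_FILE"
#
# Modifying ldap conf file for SSL access...
${TDS_SRV_PATH}/bin/idsldapmodify -D "$ADMIN_DN" -w "$ADMIN_DNPW" -p "$PPORT" -i "$TMP_LDIF_FILE" -c > /dev/null \
  || ret_fail "SSL config failed!" $?

SRV_ST_LOG=${FSEC_LOG_DIR}/sr_startstop.log.$$
# idsilist prints "Admin Server Port: NNNN"; the cut result may keep a
# leading blank, so $ADMIN_PORT is used unquoted below.
ADMIN_PORT=$(${TDS_SRV_PATH}/sbin/idsilist -a 2>&1 | grep -p -w $LDAP_INST | grep -w "Admin Server Port" | cut -f2 -d:)
[[ -z $ADMIN_PORT ]] && ret_fail "Admin port not found." 2

# Stopping ibmslapd... (issue stop once, then poll up to 60 s for it to exit)
timer=0
while [[ $timer -le 60 ]]
do
  ps -eo 'args' | grep ibmslapd | grep -vw grep | grep -w "$LDAP_INST" > /dev/null || break
  if [[ $timer -eq 0 ]]
  then
    ${TDS_SRV_PATH}/bin/ibmdirctl -D "$ADMIN_DN" -w "$ADMIN_DNPW" -p $ADMIN_PORT stop >> "$SRV_ST_LOG" 2>&1 || ret_fail "Not able to stop ibmslapd." $?
  fi
  timer=$((timer + 1))
  sleep 1
done
if [[ $timer -eq 61 ]]
then
  ret_fail "ibmslapd failed to stop." 2
fi
#
# Stopping ibmdiradm...
timer=0
while [[ $timer -le 60 ]]
do
  ps -eo 'args' | grep ibmdiradm | grep -vw grep | grep -w "$LDAP_INST" > /dev/null || break
  if [[ $timer -eq 0 ]]
  then
    ${TDS_SRV_PATH}/bin/ibmdirctl -D "$ADMIN_DN" -w "$ADMIN_DNPW" -p $ADMIN_PORT admstop >> "$SRV_ST_LOG" 2>&1 || ret_fail "Not able to stop ibmdiradm" $?
  fi
  timer=$((timer + 1))
  sleep 1
done
if [[ $timer -eq 61 ]]
then
  ret_fail "ibmdiradm failed to stop." 2
fi
#
# Starting LDAP administrator daemon...
timer=0
while [[ $timer -le 60 ]]
do
  ${TDS_SRV_PATH}/bin/ibmdirctl -D "$ADMIN_DN" -w "$ADMIN_DNPW" -p $ADMIN_PORT status > /dev/null 2>&1 && break
  if [[ $timer -eq 0 ]]
  then
    ${TDS_SRV_PATH}/sbin/ibmdiradm -I "$LDAP_INST" >> "$SRV_ST_LOG" 2>&1 || ret_fail "Not able to start ibmdiradm" $?
  fi
  timer=$((timer + 1))
  sleep 1
done
if [[ $timer -eq 61 ]]
then
  ret_fail "ibmdiradm failed to start." 2
fi
#
# Starting LDAP server daemon... (ready once the root DSE names the instance)
timer=0
while [[ $timer -le 60 ]]
do
  ${TDS_SRV_PATH}/bin/ldapsearch -p "$PPORT" -b "" -s base "objectclass=*" 2> /dev/null | grep -w "ldapdb2" > /dev/null 2>&1 && break
  if [[ $timer -eq 0 ]]
  then
    ${TDS_SRV_PATH}/sbin/ibmslapd -n -I "$LDAP_INST" >> "$SRV_ST_LOG" 2>&1 || ret_fail "Not able to start ibmslapd" $?
  fi
  timer=$((timer + 1))
  sleep 1
done
if [[ $timer -eq 61 ]]
then
  ret_fail "ibmslapd failed to start." 2
fi
#
# setting index reorganizing value for db2 to auto on
. /home/${LDAP_INST}/sqllib/db2profile
/home/${LDAP_INST}/sqllib/bin/db2 CONNECT TO "$LDAP_INST" user "$LDAP_INST" using "$DB2_INSTPW" > /dev/null || ret_fail "DB2 connect failed." $?
/home/${LDAP_INST}/sqllib/bin/db2 UPDATE DATABASE CONFIGURATION FOR "$LDAP_INST" USING AUTO_REORG ON > /dev/null || ret_fail "DB2 database update failed." $?
/home/${LDAP_INST}/sqllib/bin/db2 CONNECT RESET > /dev/null || ret_fail "DB2 database reset failed." $?
################################################
# Remove the credential-bearing temporaries, then the whole log directory on
# every node; ${FSEC_LOG_DIR:?} aborts instead of expanding to "rm -rf ".
rm -f "$EXPECT_FILE" "$TMP_LDIF_FILE"
run_on_allnode "rm -rf ${FSEC_LOG_DIR:?}" || ret_fail "Removing log directory failed." $?
exit 0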