Initial Commit

templates/ca-cert.tmpl.j2

@@ -0,0 +1,10 @@
+organization = "{{ organization }}"
+unit = "IT"
+locality = "{{ locality }}"
+state = "{{ state }}"
+country = "{{ country }}"
+cn = "{{ organization }} ROOT CA"
+expiration_days = -1
+ca
+cert_signing_key
+crl_signing_key

templates/fd-init-config.ldif.j2

@@ -0,0 +1,49 @@
+dn: ou=fusiondirectory,{{ base_dn }}
+objectClass: organizationalUnit
+ou: fusiondirectory
+
+dn: cn=config,ou=fusiondirectory,{{ base_dn }}
+objectClass: fusionDirectoryConf
+fdLanguage: {{ language }}
+fdTheme: breezy
+fdTimezone: {{ timezone }}
+fusionConfigMd5: {{ fd_config_hash.stat.md5 }}
+fdLdapSizeLimit: 200
+fdModificationDetectionAttribute: entryCSN
+fdLogging: TRUE
+fdSchemaCheck: TRUE
+fdEnableSnapshots: TRUE
+fdSnapshotBase: ou=snapshots,{{ base_dn }}
+fdPasswordDefaultHash: ssha
+fdForcePasswordDefaultHash: FALSE
+fdPasswordMinLength: 8
+fdHandleExpiredAccounts: FALSE
+fdLoginAttribute: uid
+fdForceSSL: FALSE
+fdWarnSSL: TRUE
+fdSessionLifeTime: 1800
+fdHttpAuthActivated: FALSE
+fdHttpHeaderAuthActivated: FALSE
+fdHttpHeaderAuthHeaderName: AUTH_USER
+fdSslKeyPath: /etc/ldap/ssl/{{ domain }}.key
+fdSslCertPath: /etc/ssl/certs/ca-certificates.crt
+fdSslCaCertPath: /etc/ldap/ssl/{{ domain }}.crt
+fdCasActivated: FALSE
+fdCasServerCaCertPath: /etc/ssl/certs/ca-certificates.crt
+fdCasHost: localhost
+fdCasPort: 443
+fdCasContext: /cas
+fdAccountPrimaryAttribute: uid
+fdCnPattern: %givenName% %sn%
+fdStrictNamingRules: FALSE
+fdUserRDN: ou=people
+fdAclRoleRDN: ou=aclroles
+fdRestrictRoleMembers: FALSE
+fdSplitPostalAddress: FALSE
+fdDisplayErrors: FALSE
+fdLdapStats: FALSE
+fdDebugLevel: 0
+fdListSummary: TRUE
+fdAclTabOnObjects: FALSE
+fdDisplayHookOutput: FALSE
+cn: config

templates/fd-migrate-default-acl.ldif.j2

@@ -0,0 +1,21 @@
+dn: cn=manager,ou=aclroles,{{ base_dn }}
+cn: manager
+description: Give all rights on users in the given branch
+objectClass: top
+objectClass: gosaRole
+gosaAclTemplate: 0:user/user;cmdrw,user/posixAccount;cmdrw
+
+dn: cn=editowninfos,ou=aclroles,{{ base_dn }}
+cn: editowninfos
+description: Allow users to edit their own information (main tab and posix u
+ se only on base)
+objectClass: top
+objectClass: gosaRole
+gosaAclTemplate: 0:user/user;srw,user/posixAccount;srw
+
+dn: cn=editownpwd,ou=aclroles,{{ base_dn }}
+cn: editownpwd
+description: Allow users to edit their own password (use only on base)
+objectClass: top
+objectClass: gosaRole
+gosaAclTemplate: 0:user/user;s#userPassword;rw

templates/fd-migrate-object-classes.ldif.j2

@@ -0,0 +1,10 @@
+dn: {{ base_dn }}
+changetype: modify
+add: objectClass
+objectClass: gosaDepartment
+-
+add: ou
+ou: {{ description }}
+-
+add: description
+description: {{ description }}

templates/fd-service_accounts_acl.ldif.j2

@@ -0,0 +1,38 @@
+dn: olcDatabase={1}mdb,cn=config
+changetype: modify
+delete: olcAccess
+-
+add: olcAccess
+olcAccess: {0}to dn.subtree="{{ base_dn }}" attrs=userPassword
+  by self write
+  by dn.base="cn=admin,{{ base_dn }}" write
+  by dn.children="ou=dsa,{{ base_dn }}" write
+  by anonymous auth
+  by * none
+-
+add: olcAccess
+olcAccess: {1}to dn.subtree="ou=people,{{ base_dn }}"
+  by self read
+  by dn.base="uid=test.user,ou=people,{{ base_dn }}" write
+  by dn.base="cn=admin,{{ base_dn }}" write
+  by dn.children="ou=dsa,{{ base_dn }}" read
+  by anonymous auth
+  by * none
+-
+add: olcAccess
+olcAccess: {2}to attrs=userPassword,shadowLastChange
+  by self write
+  by anonymous auth
+  by dn="cn=admin,{{ base_dn }}" write
+  by * none
+-
+add: olcAccess
+olcAccess: {3}to dn.subtree="{{ base_dn }}"
+  by self read
+  by dn.base="cn=admin,{{ base_dn }}" write
+  by dn.children="ou=dsa,{{ base_dn }}" write
+  by * none
+-
+add: olcAccess
+olcAccess: {4}to dn.base=""
+  by * none

templates/fd-vhost-ssl.conf.j2

@@ -0,0 +1,42 @@
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+    ServerName auth.{{ domain }}
+    ServerAdmin webmaster@{{ domain }}
+    DocumentRoot /usr/share/fusiondirectory/html
+    ErrorLog ${APACHE_LOG_DIR}/fd-error.log
+    CustomLog ${APACHE_LOG_DIR}/fd-access.log combined
+
+    <IfModule mod_php5.c>
+    <Location />
+        php_admin_flag engine on
+        php_admin_flag register_globals off
+        php_admin_flag allow_call_time_pass_reference off
+        php_admin_flag expose_php off
+        php_admin_flag zend.ze1_compatibility_mode off
+        php_admin_flag register_long_arrays off
+        php_admin_value upload_tmp_dir /var/spool/fusiondirectory/
+        php_admin_value session.cookie_lifetime 0
+        #Include /etc/fusiondirectory/fusiondirectory.secrets
+    </Location>
+    </IfModule>
+
+    <Directory /usr/share/fusiondirectory/html/>
+        Order Allow,Deny
+        # Insert your public IPs here
+        {% for ip_address in allowed_ips %}
+        Allow from {{ ip_address }}
+        {% endfor %}
+    </Directory>
+
+    Alias /.well-known/acme-challenge/ "/var/www/html/.well-known/acme-challenge/"
+    <Directory "/var/www/html/">
+        AllowOverride None
+        Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
+        Require method GET POST OPTIONS
+    </Directory>
+
+    SSLCertificateFile /etc/letsencrypt/live/auth.{{ domain }}/fullchain.pem
+    SSLCertificateKeyFile /etc/letsencrypt/live/auth.{{ domain }}/privkey.pem
+    Include /etc/letsencrypt/options-ssl-apache.conf
+</VirtualHost>
+</IfModule>

templates/fd-vhost.conf.j2

@@ -0,0 +1,41 @@
+<VirtualHost *:80>
+    ServerName auth.{{ domain }}
+    ServerAdmin webmaster@{{ domain }}
+    DocumentRoot /usr/share/fusiondirectory/html
+    ErrorLog ${APACHE_LOG_DIR}/fd-error.log
+    CustomLog ${APACHE_LOG_DIR}/fd-access.log combined
+
+    <IfModule mod_php5.c>
+    <Location />
+        php_admin_flag engine on
+        php_admin_flag register_globals off
+        php_admin_flag allow_call_time_pass_reference off
+        php_admin_flag expose_php off
+        php_admin_flag zend.ze1_compatibility_mode off
+        php_admin_flag register_long_arrays off
+        php_admin_value upload_tmp_dir /var/spool/fusiondirectory/
+        php_admin_value session.cookie_lifetime 0
+        #Include /etc/fusiondirectory/fusiondirectory.secrets
+    </Location>
+    </IfModule>
+
+    <Directory /usr/share/fusiondirectory/html/>
+        Order Allow,Deny
+        # Insert your public IPs here
+    {% for ip_address in allowed_ips %}
+    Allow from {{ ip_address }}
+    {% endfor %}
+
+    </Directory>
+
+    Alias /.well-known/acme-challenge/ "/var/www/html/.well-known/acme-challenge/"
+    <Directory "/var/www/html/">
+        AllowOverride None
+        Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
+        Require method GET POST OPTIONS
+    </Directory>
+
+    #RewriteEngine on
+    #RewriteCond %{SERVER_NAME} =auth.{{ domain }}
+    #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
+</VirtualHost>

templates/fusiondirectory.conf.j2

@@ -0,0 +1,27 @@
+<?xml version="1.0"?>
+<conf>
+  <!-- Main section **********************************************************
+       The main section defines global settings, which might be overridden by
+       each location definition inside.
+
+       For more information about the configuration parameters, take a look at
+       the FusionDirectory.conf(5) manual page.
+  -->
+  <main default="default"
+        logging="TRUE"
+        displayErrors="FALSE"
+        forceSSL="FALSE"
+        templateCompileDirectory="/var/spool/fusiondirectory/"
+        debugLevel="0"
+    >
+
+    <!-- Location definition -->
+    <location name="default"
+        ldapTLS="FALSE"
+    >
+        <referral URI="ldap://auth.{{ domain }}:389/{{ base_dn }}"
+                        adminDn="{{ ldap_admin_dn }}"
+                        adminPassword="{{ ldap_admin_pass }}" />
+    </location>
+  </main>
+</conf>

templates/ldap-cert.tmpl.j2

@@ -0,0 +1,8 @@
+organization = "{{ organization }}"
+unit = "IT"
+locality = "{{ locality }}"
+state = "{{ state }}"
+country = "{{ country }}"
+cn = "auth.{{ domain }}"
+expiration_days = 3650
+encryption_key

templates/olcSSL.ldif.j2

@@ -0,0 +1,10 @@
+dn: cn=config
+changetype: modify
+add: olcTLSCACertificateFile
+olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
+-
+add: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/ldap/ssl/{{ domain }}.key
+-
+add: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/ldap/ssl/{{ domain }}.crt