From 59dd497c982c46e43f96108fccd1f04148d4f336 Mon Sep 17 00:00:00 2001 From: Denis Knauf Date: Sun, 1 Apr 2018 21:37:44 +0200 Subject: [PATCH] suffix-change, simplified steps, password-recovery --- 00.suffix.ldif.sh | 13 ++++++ 20.passwordhash.ldif | 1 + 00.root.ldif.sh => 30.root.ldif.sh | 2 +- 90.user.ldif.sh | 2 +- 99.passwordrecovery.ldif.sh | 20 ++++++++++ README.md | 64 +++++++++++++++++++++++------- 6 files changed, 86 insertions(+), 16 deletions(-) create mode 100755 00.suffix.ldif.sh rename 00.root.ldif.sh => 30.root.ldif.sh (87%) create mode 100644 99.passwordrecovery.ldif.sh diff --git a/00.suffix.ldif.sh b/00.suffix.ldif.sh new file mode 100755 index 0000000..f254040 --- /dev/null +++ b/00.suffix.ldif.sh 
@@ -0,0 +1,13 @@ +#!/bin/sh + +basedn=`cat basedn` + +cat <&2 cat <&2 + echo "random password will be printed. Use ldappasswd for changing it" >&2 + exit 1 +fi + +user="$1" +pw=`pwgen 8 1` +echo "# Password: $pw" >&2 + +cat < basedn`). +Pre +=== -For initialization, first shutdown slapd and delete the content of `/var/lib/ldap/` (you will loose all of your data!), -then use: +Install slapd and ldap-utils: - ./00.root.ldif.sh | slapadd -b `cat basedn` -v - chown -R openldap:openldap /var/lib/ldap/ + sudo aptitude install slapd ldap-utils -Now you can start slapd with your fresh config. +It will ask for eg. domain, password. +If your domain is `example.net`, your basedn will be `dc=example,dc=net`. +If you want to use an other basedn, for example `o=example,c=de`, +debian/ubuntu will not provide any way to do that. + +Thats because while these steps your database will be lost and you can choose your basedn. + +Add your basedn to file `basedn`: + + echo dc=example,dc=net > basedn + +Init +==== + +Usefull defaults for security (better Passwordhashes): + + ldapmodify -H ldapi:// -Y EXTERNAL -f 10.acls.ldif + ldapmodify -H ldapi:// -Y EXTERNAL -f 20.passwordhash.ldif + +BaseDN +====== + +These steps will erase your database. +If you do not want to change your BaseDN, skip this step. + +The next step will print your new password on STDERR, so note it. +You can change it any time. + + ./00.suffix.ldif.sh | sudo ldapmodify -H ldapi:// -Y external + ./30.root.ldif.sh | sudo -u openldap -i slapadd -vb `cat basedn` + +Clientconfig +============ Add these lines to `/etc/ldap/ldap.conf`: 
@@ -15,19 +46,24 @@ Add these lines to `/etc/ldap/ldap.conf`: URI ldapi:// EOF -Via `ldapadd -Y EXTERNAL` you can add any other ldif. - -For adding 10 and 20 use: [BROKEN, do it manually in `/etc/...`] - - ldapmodify -Y EXTERNAL -f 10.acls.ldif - ldapmodify -Y EXTERNAL -f 20.passwordhash.ldif +Add an user +=========== For adding an user run: - ./90.user.ldif.sh username givenname surname emailaddr | ldapadd -Y EXTERNAL + ./90.user.ldif.sh "$username" "$givenname" "$surname" "$emailaddr" | ldapadd -H ldapi:// -Y EXTERNAL It will print the password on STDERR. +The DN will be uid=$username,$basedn + +Changing Passwords +================== + For changing password use: - ldappasswd -xASD YOURDN + ldappasswd -xASD $yourdn + +If you forgot your password, the administator can change the password via: + + ./99.passwordrecovery.ldif.sh $yourdn| sudo ldapmodify -H ldapi:// -Y external
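Review bot: in the new 00.suffix.ldif.sh, `basedn=\`cat basedn\`` is never checked, so a missing `basedn` file (cat fails, variable stays empty) or a file with only whitespace still produces an LDIF that sets an empty suffix, and the README pipes that straight into `sudo ldapmodify`. Suggest `set -e` at the top and `basedn=$(cat basedn) || exit 1` followed by `[ -n "$basedn" ] || { echo "basedn is empty" >&2; exit 1; }` before the heredoc.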
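Review bot: 99.passwordrecovery.ldif.sh is added with `create mode 100644` while 00.suffix.ldif.sh gets `100755`, yet the README invokes it as `./99.passwordrecovery.ldif.sh $yourdn| sudo ldapmodify ...`, which fails with permission denied; commit it with the executable bit. In the same file, `pw=\`pwgen 8 1\`` is not checked: if pwgen is absent or fails, `$pw` is empty, the script still emits its LDIF and the pipeline exits 0, so the only hint is the line `# Password:` on stderr. Suggest `pw=$(pwgen -s 16 1) || exit 1` and `[ -n "$pw" ] || exit 1`; `-s` asks pwgen for fully random rather than pronounceable output, and 16 characters is a more sensible floor for a password an administrator has just reset and printed to a terminal.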
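Review bot: the README's Init section runs `ldapmodify -H ldapi:// -Y EXTERNAL -f 10.acls.ldif` and the 20.passwordhash line without `sudo`, while the BaseDN section uses `sudo ldapmodify -H ldapi:// -Y external`. SASL EXTERNAL over ldapi:// binds as the calling uid/gid, and the default Debian cn=config ACL only lets root write, so the Init commands as written fail for an unprivileged user; prefix them with `sudo` and pick one spelling of EXTERNAL throughout. Also fix the typos in the new text: `Usefull` -> `Useful`, `an other` -> `another`, `eg.` -> `e.g.`, and `Thats because while these steps your database will be lost and you can choose your basedn.` -> `That is because these steps erase your database, so you can choose your basedn.`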
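Review bot: in the Changing Passwords section, `./99.passwordrecovery.ldif.sh $yourdn| sudo ldapmodify -H ldapi:// -Y external` leaves `$yourdn` unquoted, unlike the `"$username"` style used a few lines earlier in the add-user command; a DN containing a space is split into several arguments and the script's `user="$1"` only sees the first word. Quote it and add the missing space before the pipe: `./99.passwordrecovery.ldif.sh "$yourdn" | sudo ldapmodify -H ldapi:// -Y EXTERNAL`. Also `administator` -> `administrator` and the heading `Add an user` -> `Add a user`.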