Diffstat (limited to 'confskel')
-rw-r--r-- | confskel/Makefile.am | 5 | ||||
-rw-r--r-- | confskel/heimdal/kdc.conf | 4 | ||||
-rw-r--r-- | confskel/heimdal/krb5.conf | 2 | ||||
-rw-r--r-- | confskel/openldap/ldap/slapd.conf | 4 | ||||
-rw-r--r-- | confskel/openldap/ldif/config.ldif | 4 | ||||
-rw-r--r-- | confskel/openldap/ldif/tde-core.ldif | 5 | ||||
-rw-r--r-- | confskel/openldap/skel.ldif | 39 | ||||
-rw-r--r-- | confskel/openssl/pki_extensions | 61 |
8 files changed, 115 insertions, 9 deletions
diff --git a/confskel/Makefile.am b/confskel/Makefile.am
index c97578a..42f25a9 100644
--- a/confskel/Makefile.am
+++ b/confskel/Makefile.am
@@ -13,4 +13,7 @@ ldapldifskeldir = $(ldapskeldir)/ldif
 ldapldifskel_DATA = openldap/ldif/*
 
 saslskeldir = $(confskeldir)/sasl
-saslskel_DATA = sasl/*
\ No newline at end of file
+saslskel_DATA = sasl/*
+
+sslskeldir = $(confskeldir)/openssl
+sslskel_DATA = openssl/*
\ No newline at end of file
diff --git a/confskel/heimdal/kdc.conf b/confskel/heimdal/kdc.conf
index d3ba9c8..d7141a1 100644
--- a/confskel/heimdal/kdc.conf
+++ b/confskel/heimdal/kdc.conf
@@ -1,8 +1,8 @@
 [kdc]
 logging = FILE:/var/log/heimdal-kdc.log
 enable-pkinit = yes
- pkinit_identity = FILE:/etc/trinity/ldap/tde-ca/public/@@@KDCSERVER@@@.pki.crt,/etc/trinity/ldap/tde-ca/private/@@@KDCSERVER@@@.pki.key
- pkinit_anchors = FILE:/etc/trinity/ldap/tde-ca/anchors/tdeca.pem
+ pkinit_identity = FILE:@@@KRBKDCPEMFILE@@@,@@@KRBKDCPEMKEYFILE@@@
+ pkinit_anchors = FILE:@@@KRBPKIPEMFILE@@@
 pkinit_allow-proxy-certificate = false
 acl_file = /etc/heimdal-kdc/kadmind.acl
diff --git a/confskel/heimdal/krb5.conf b/confskel/heimdal/krb5.conf
index e76a90f..4678173 100644
--- a/confskel/heimdal/krb5.conf
+++ b/confskel/heimdal/krb5.conf
@@ -3,7 +3,7 @@ default_realm = @@@REALM_UCNAME@@@
 [appdefaults]
- pkinit_anchors = FILE:/etc/trinity/ldap/tde-ca/anchors/tdeca.pem
+ pkinit_anchors = FILE:@@@KRBPKIPEMFILE@@@
 
 [realms]
 @@@REALM_UCNAME@@@ = {
diff --git a/confskel/openldap/ldap/slapd.conf b/confskel/openldap/ldap/slapd.conf
index 3dce739..9263350 100644
--- a/confskel/openldap/ldap/slapd.conf
+++ b/confskel/openldap/ldap/slapd.conf
@@ -72,8 +72,8 @@ index gidNumber eq
 lastmod on
 unique_attributes mail uid uidNumber
-TLSCertificateFile /etc/trinity/ldap/tde-ca/public/@@@ADMINSERVER@@@.crt
-TLSCertificateKeyFile /etc/trinity/ldap/tde-ca/private/@@@ADMINSERVER@@@.key
+TLSCertificateFile @@@LDAPPEMFILE@@@
+TLSCertificateKeyFile @@@LDAPPEMKEYFILE@@@
 sasl-realm @@@REALM_UCNAME@@@
 sasl-host @@@ADMINSERVER@@@
diff --git a/confskel/openldap/ldif/config.ldif b/confskel/openldap/ldif/config.ldif
index 9e05b86..8df7bdc 100644
--- a/confskel/openldap/ldif/config.ldif
+++ b/confskel/openldap/ldif/config.ldif
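Review bot: Nothing on the new `pkinit_identity` line records that the second `FILE:` component, `@@@KRBKDCPEMKEYFILE@@@`, is the KDC's private key; the replaced value at least made that visible through its `.../private/` directory, and whatever substitutes the placeholder now has to get that file's ownership and mode right with no hint here. Suggest a comment above the line, `# pkinit_identity = FILE:<KDC certificate>,<KDC private key>; the key file must be readable by the KDC user only`. The same `@@@KRBPKIPEMFILE@@@` anchor placeholder is introduced in krb5.conf in this commit; a one-line comment there naming it as the realm CA bundle would keep the two files consistent. Whatever follows `acl_file` in the `[kdc]` section lies outside the hunk.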
@@ -28,8 +28,8 @@ olcSaslSecProps: noplain,noanonymous
 olcSockbufMaxIncoming: 262143
 olcSockbufMaxIncomingAuth: 16777215
 olcThreads: 16
-#olcTLSCertificateFile: /etc/trinity/ldap/tde-ca/public/@@@ADMINSERVER@@@.crt
-#olcTLSCertificateKeyFile: /etc/trinity/ldap/tde-ca/private/@@@ADMINSERVER@@@.key
+olcTLSCertificateFile: @@@LDAPPEMFILE@@@
+olcTLSCertificateKeyFile: @@@LDAPPEMKEYFILE@@@
 olcTLSVerifyClient: never
 olcToolThreads: 1
 olcWriteTimeout: 0
diff --git a/confskel/openldap/ldif/tde-core.ldif b/confskel/openldap/ldif/tde-core.ldif
index 52f7a80..0644264 100644
--- a/confskel/openldap/ldif/tde-core.ldif
+++ b/confskel/openldap/ldif/tde-core.ldif
@@ -15,6 +15,9 @@ olcAttributeTypes: {9} ( 1.3.6.1.4.1.99999.1.1.10 NAME 'badPwdCount' DESC 'Bad p
 olcAttributeTypes: {10} ( 1.3.6.1.4.1.99999.1.1.11 NAME 'badPasswordTime' DESC 'Time of the last bad password attempt' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 olcAttributeTypes: {11} ( 1.3.6.1.4.1.99999.1.1.12 NAME 'lastLogon' DESC 'Timestamp of last logon' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 olcAttributeTypes: {12} ( 1.3.6.1.4.1.99999.1.1.13 NAME 'lastLogoff' DESC 'Timestamp of last logoff' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+# Used for storing sharable certificates and keys
+olcAttributeTypes: {13} ( 1.3.6.1.4.1.99999.1.1.14 NAME 'publicRootCertificate' DESC 'Certificate authority root certificate' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE )
 olcObjectClasses: {0} ( 1.3.6.1.4.1.99999.1.2.1 NAME 'tdeExtendedUserData' SUP top AUXILIARY MAY ( website URL $ managerName $ secretaryName $ teletexId $ preferredDelivery $ locallyUniqueID $ notes $ pwdLastSet $ badPwdCount $ badPasswordTime $ lastLogon $ lastLogoff ) )
-olcObjectClasses: {1} ( 1.3.6.1.4.1.99999.1.2.2 NAME 'tdeAccountObject' SUP top AUXILIARY MAY tdeBuiltinAccount )
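Review bot: Uncommenting `olcTLSCertificateFile` and `olcTLSCertificateKeyFile` means slapd will presumably validate `@@@LDAPPEMFILE@@@` and `@@@LDAPPEMKEYFILE@@@` when cn=config is loaded, so if the placeholders are substituted before the certificate and key have been generated the server is likely to refuse to start rather than fall back to the old commented-out state — confirm the ordering against whatever produces the PEM files. The same two paths are also set through `TLSCertificateFile`/`TLSCertificateKeyFile` in slapd.conf in this commit; a comment stating which configuration is authoritative, `# TLS paths mirror confskel/openldap/ldap/slapd.conf; keep in sync`, would stop the two copies drifting. `olcTLSVerifyClient: never` is left unchanged, so this enables server-side TLS only and does not add client certificate checks.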
\ No newline at end of file
+olcObjectClasses: {1} ( 1.3.6.1.4.1.99999.1.2.2 NAME 'tdeAccountObject' SUP top AUXILIARY MAY tdeBuiltinAccount )
+olcObjectClasses: {2} ( 1.3.6.1.4.1.99999.1.2.3 NAME 'tdeCertificateStore' SUP top AUXILIARY MAY ( tdeBuiltinAccount $ publicRootCertificate ) )
\ No newline at end of file
diff --git a/confskel/openldap/skel.ldif b/confskel/openldap/skel.ldif
index 34d615b..0d17c6c 100644
--- a/confskel/openldap/skel.ldif
+++ b/confskel/openldap/skel.ldif
@@ -88,6 +88,16 @@ entryCSN: @@@TIMESTAMP@@@.000000Z#000000#000#000000
 modifiersName: cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@
 modifyTimestamp: @@@TIMESTAMP@@@Z
 
+dn: cn=tde realm data,ou=master services,ou=core,ou=realm,@@@REALM_DCNAME@@@
+objectClass: namedObject
+cn: TDE Realm Data
+structuralObjectClass: namedObject
+creatorsName: cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@
+createTimestamp: @@@TIMESTAMP@@@Z
+entryCSN: @@@TIMESTAMP@@@.000000Z#000000#000#000000
+modifiersName: cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@
+modifyTimestamp: @@@TIMESTAMP@@@Z
+
 dn: o=kerberos,cn=kerberos control,ou=master services,ou=core,ou=realm,@@@REALM_DCNAME@@@
 cn: kerberos
 emsdescription: Kerberos Registry
@@ -104,6 +114,22 @@ entryCSN: @@@TIMESTAMP@@@.000000Z#000000#000#000000
 modifiersName: cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@
 modifyTimestamp: @@@TIMESTAMP@@@Z
 
+dn: o=tde,cn=tde realm data,ou=master services,ou=core,ou=realm,@@@REALM_DCNAME@@@
+cn: tde
+emsdescription: TDE Realm Data
+emsmodelclass: EMSSecurityObject
+emstype: ServicePlugin
+o: tde
+objectClass: organization
+objectClass: emsSecurityObject
+objectClass: emsIgnore
+structuralObjectClass: organization
+creatorsName: cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@
+createTimestamp: @@@TIMESTAMP@@@Z
+entryCSN: @@@TIMESTAMP@@@.000000Z#000000#000#000000
+modifiersName: cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@
+modifyTimestamp: @@@TIMESTAMP@@@Z
+
 dn: ou=groups,ou=core,ou=realm,@@@REALM_DCNAME@@@
 emscontainertype: EGroupContainer
 emsdescription: EMS Group Container
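Review bot: The new comment `# Used for storing sharable certificates and keys` promises more than the schema beneath it defines: the only attribute added is `publicRootCertificate`, and `tdeCertificateStore` carries no key attribute, so a later maintainer could read the comment as an invitation to put private key material into the directory. Suggest `# Public certificate material published through the directory (no private keys)`. RFC 4523 already defines `cACertificate` with the Certificate syntax 1.3.6.1.4.1.1466.115.121.1.8 and `certificateExactMatch` for exactly this purpose, whereas `publicRootCertificate` as declared has the Binary syntax 1.3.6.1.4.1.1466.115.121.1.5 and no `EQUALITY` rule, so its value can be stored but not compared or searched; if a private attribute is intentional, a comment saying why would help. A comment stating the expected encoding of the value (DER or PEM) would also help whatever reads the trust anchor back.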
@@ -227,3 +253,16 @@ krb5EncryptionType: 23
 entryCSN: @@@TIMESTAMP@@@.000000Z#000000#000#000000
 modifiersName: cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@
 modifyTimestamp: @@@TIMESTAMP@@@Z
+
+dn: cn=certificate store,o=tde,cn=tde realm data,ou=master services,ou=core,ou=realm,@@@REALM_DCNAME@@@
+cn: certificate store
+description: TDE Certificate Store
+objectClass: tdeCertificateStore
+objectClass: applicationProcess
+tdeBuiltinAccount: TRUE
+structuralObjectClass: applicationProcess
+creatorsName: cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@
+createTimestamp: @@@TIMESTAMP@@@Z
+entryCSN: @@@TIMESTAMP@@@.000000Z#000000#000#000000
+modifiersName: cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@
+modifyTimestamp: @@@TIMESTAMP@@@Z
\ No newline at end of file
diff --git a/confskel/openssl/pki_extensions b/confskel/openssl/pki_extensions
new file mode 100644
index 0000000..d841890
--- /dev/null
+++ b/confskel/openssl/pki_extensions
@@ -0,0 +1,61 @@
+[ kdc_cert ]
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
+
+#Pkinit EKU
+extendedKeyUsage = 1.3.6.1.5.2.3.5
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# Copy subject details
+
+issuerAltName=issuer:copy
+
+# Add id-pkinit-san (pkinit subjectAlternativeName)
+subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
+
+[kdc_princ_name]
+realm = EXP:0, GeneralString:@@@REALM_UCNAME@@@
+principal_name = EXP:1, SEQUENCE:kdc_principal_seq
+
+[kdc_principal_seq]
+name_type = EXP:0, INTEGER:1
+name_string = EXP:1, SEQUENCE:kdc_principals
+
+[kdc_principals]
+princ1 = GeneralString:krbtgt
+princ2 = GeneralString:@@@REALM_UCNAME@@@
+
+[ client_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+basicConstraints=CA:FALSE
+
+keyUsage = digitalSignature, keyEncipherment, keyAgreement
+
+extendedKeyUsage = 1.3.6.1.5.2.3.4
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+
+subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
+
+
+# Copy subject details
+
+issuerAltName=issuer:copy
+
+[princ_name]
+realm = EXP:0, GeneralString:@@@REALM_UCNAME@@@
+principal_name = EXP:1, SEQUENCE:principal_seq
+
+[principal_seq]
+name_type = EXP:0, INTEGER:1
+name_string = EXP:1, SEQUENCE:principals
+
+[principals]
+princ1 = GeneralString:@@@KDCSERVER@@@
|
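Review bot: The seeded `cn=certificate store` entry is where `publicRootCertificate` will live, and whoever can write that attribute effectively chooses the trust anchor handed to every consumer that reads it from the directory, yet nothing in this hunk or elsewhere in the commit shows an access rule for the entry — confirm that the olcAccess rules limit writes under `o=tde,cn=tde realm data` to the realm administrator. `tdeBuiltinAccount: TRUE` on an `applicationProcess` entry that is not an account is presumably meant to flag it as protected built-in data; a comment above the entry, `# Built-in trust-anchor store; writable by the realm administrator only`, would make that intent explicit for whoever writes the ACLs. The new last line of skel.ldif has no trailing newline (`\ No newline at end of file`), which will show up as churn in the next change to the file.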
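Review bot: The comment `# Here are some examples of the usage of nsCertType. If it is omitted` in `[ kdc_cert ]` is a truncated leftover from the stock OpenSSL sample configuration and describes nothing in this file; replace it with what the next line does, e.g. `# Key usage for the KDC PKINIT certificate`. In `[ client_cert ]` the only principal component is `princ1 = GeneralString:@@@KDCSERVER@@@`, so every certificate issued through this section carries the KDC host name as its NT-PRINCIPAL rather than the name of the client it is issued to — if the section is intended for end-user PKINIT this looks wrong, and if it is intended for a single host-based client a comment saying so would keep it from being reused for users. The file also mixes `key=value` with `key = value` and `[ kdc_cert ]` with `[kdc_princ_name]`, and leaves double blank lines around `subjectAltName` in the client section; one spacing style throughout would be easier to scan.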