6 files changed, 181 insertions, 0 deletions

diff --git a/confskel/heimdal/heimdal.defaults b/confskel/heimdal/heimdal.defaults
new file mode 100644
index 0000000..4916c5f
--- /dev/null
+++ b/confskel/heimdal/heimdal.defaults
@@ -0,0 +1,11 @@
+# Zivios Heimdal Configuration file.
+START="yes"
+
+KDC_ENABLED="yes"
+KDC_PARAMS=""
+
+KPASSWDD_ENABLED="yes"
+KPASSWDD_PARAMS=""
+
+KADMIND_ENABLED="yes"
+KADMIND_PARAMS=""
diff --git a/confskel/heimdal/kadmind.acl b/confskel/heimdal/kadmind.acl
new file mode 100644
index 0000000..27fe007
--- /dev/null
+++ b/confskel/heimdal/kadmind.acl
@@ -0,0 +1,2 @@
+kadmin/@@@ROOTUSER@@@@@@@REALM_UCNAME@@@    all
+@@@ADMINUSER@@@@@@@REALM_UCNAME@@@          all
diff --git a/confskel/heimdal/kdc.conf b/confskel/heimdal/kdc.conf
new file mode 100644
index 0000000..67aa0e0
--- /dev/null
+++ b/confskel/heimdal/kdc.conf
@@ -0,0 +1,8 @@
+[kdc]
+logging = FILE:/var/log/heimdal-kdc.log
+enable-pkinit = yes
+pki-identity = FILE:/etc/trinity/ldap/tde-ca/public/@@@KDCSERVER@@@.pki.crt,/etc/trinity/ldap/tde-ca/private/@@@KDCSERVER@@@.pki.key
+pki-anchors = FILE:/etc/trinity/ldap/tde-ca/anchors/tdeca.pem
+pki-allow-proxy-certificate = false
+acl_file = /etc/kadmind.acl
+
diff --git a/confskel/heimdal/krb5.conf b/confskel/heimdal/krb5.conf
new file mode 100644
index 0000000..adf55df
--- /dev/null
+++ b/confskel/heimdal/krb5.conf
@@ -0,0 +1,40 @@
+[libdefaults]
+    ticket_lifetime = 86400
+    default_realm = @@@REALM_UCNAME@@@
+    default_etypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
+    default_etypes_des = des3-hmac-sha1 des-cbc-crc des-cbc-md5
+
+[appdefaults]
+    pkinit_anchors = FILE:/etc/trinity/ldap/tde-ca/anchors/tdeca.pem
+
+[realms]
+    @@@REALM_UCNAME@@@ = {
+        kdc = @@@KDCSERVER@@@:@@@KDCPORT@@@
+        admin_server = @@@ADMINSERVER@@@:@@@ADMINPORT@@@
+        pkinit_require_eku = @@@PKINIT_REQUIRE_EKU@@@
+        pkinit_require_krbtgt_otherName = @@@PKINIT_REQUIRE_KRBTGT_OTHERNAME@@@
+        win2k_pkinit = @@@WIN2K_PKINIT@@@
+        win2k_pkinit_require_binding = @@@WIN2K_PKINIT_REQUIRE_BINDING@@@
+   }
+
+[domain_realm]
+    @@@REALM_LCNAME@@@ = @@@REALM_UCNAME@@@
+    .@@@REALM_LCNAME@@@ = @@@REALM_UCNAME@@@
+
+[kdc]
+    enable-pkinit = yes
+    pkinit_identity = FILE:/etc/trinity/ldap/tde-ca/public/@@@KDCSERVER@@@.pki.crt,/etc/trinity/ldap/tde-ca/private/@@@KDCSERVER@@@.pki.key
+    pkinit_anchors = FILE:/etc/trinity/ldap/tde-ca/anchors/tdeca.pem
+    pkinit_allow-proxy-certificate = false
+
+    database = {
+        dbname = ldap:@@@REALM_DCNAME@@@
+        acl_file = /etc/kadmind.acl
+    }
+
+[logging]
+    kdc = FILE:/var/log/krb5kdc.log
+    admin_server = FILE:/var/log/kadmin.log
+    default = FILE:/var/log/krb5lib.log
+
+
diff --git a/confskel/openldap/ldap/slapd.conf b/confskel/openldap/ldap/slapd.conf
new file mode 100644
index 0000000..35e8bf2
--- /dev/null
+++ b/confskel/openldap/ldap/slapd.conf
@@ -0,0 +1,95 @@
+#
+# TDE slapd.conf template
+#
+include /etc/ldap/schema/core.schema
+include /etc/ldap/schema/cosine.schema
+include /etc/ldap/schema/inetorgperson.schema
+include /etc/ldap/schema/rfc2307bis.schema
+include /etc/ldap/schema/rfc2739.schema
+include /etc/ldap/schema/samba.schema
+include /etc/ldap/schema/qmail.schema
+include /etc/ldap/schema/hdb.schema
+include /etc/ldap/schema/dlz.schema
+include /etc/ldap/schema/dhcp.schema
+include /etc/ldap/schema/amavis.schema
+include /etc/ldap/schema/ppolicy.schema
+
+pidfile /opt/zivios/openldap/var/run/slapd.pid
+argsfile /opt/zivios/openldap/var/run/slapd.args
+
+allow bind_v2
+loglevel 256
+
+modulepath /usr/lib/ldap
+moduleload back_hdb
+moduleload syncprov
+moduleload back_monitor
+moduleload auditlog
+moduleload smbk5pwd
+moduleload unique
+moduleload ppolicy
+
+sizelimit 500
+tool-threads 1
+
+backend hdb
+
+database monitor
+database config
+rootdn cn=config
+rootpw {SHA}@@@ROOTPW_SHA@@@
+
+database hdb
+overlay syncprov
+overlay auditlog
+overlay smbk5pwd
+overlay unique
+overlay ppolicy
+
+auditlog "/var/log/realmauditlog.txt"
+suffix "@@@REALM_DCNAME@@@"
+rootdn "cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@"
+rootpw {SHA}@@@ROOTPW_SHA@@@
+
+checkpoint 512 30
+directory "/var/ldap-realm-database"
+
+dbconfig set_cachesize 0 2097152 0
+dbconfig set_lk_max_objects 1500
+dbconfig set_lk_max_locks 1500
+dbconfig set_lk_max_lockers 1500
+
+index accountStatus eq
+index mailHost eq
+index cn eq,pres,subinitial
+index mail eq,pres
+index mailAlternateAddress eq,pres
+index objectClass eq
+index uid pres,eq
+index uidNumber eq
+index gidNumber eq
+
+lastmod on
+unique_attributes mail uid uidNumber
+
+TLSCertificateFile /etc/trinity/ldap/tde-ca/public/@@@ADMINSERVER@@@.crt
+TLSCertificateKeyFile /etc/trinity/ldap/tde-ca/private/@@@ADMINSERVER@@@.key
+
+sasl-realm @@@REALM_UCNAME@@@
+sasl-host @@@ADMINSERVER@@@
+sasl-secprops minssf=0
+
+authz-regexp uid=(.*),cn=@@@REALM_LCNAME@@@,cn=gssapi,cn=auth ldap:///@@@REALM_DCNAME@@@??sub?(&(uid=$1)(objectClass=posixAccount))
+authz-regexp "gidNumber=.*+uidNumber=0,cn=peercred,cn=external,cn=auth" "uid=@@@ADMINUSER@@@,ou=users,ou=core,ou=realm,@@@REALM_DCNAME@@@"
+
+#
+# ACL Section
+#
+access to attrs=userPassword,shadowLastChange,krb5Key,krb5PrincipalName,krb5KeyVersionNumber,krb5MaxLife,krb5MaxRenew,krb5KDCFlags
+ by dn="uid=@@@ADMINUSER@@@,ou=users,ou=core,ou=realm,@@@REALM_DCNAME@@@" write
+ by sockurl.regex="^ldapi:///$" write
+ by anonymous auth
+ by self write
+ by * none
+
+access to dn="" by * read
diff --git a/confskel/openldap/ldap/slapd.defaults b/confskel/openldap/ldap/slapd.defaults
new file mode 100644
index 0000000..91ddb31
--- /dev/null
+++ b/confskel/openldap/ldap/slapd.defaults
@@ -0,0 +1,25 @@
+###
+# Enable the daemon.
+###
+START="yes"
+
+###
+# Keytab
+###
+export KRB5_KTNAME=/etc/ldap/ldap.keytab
+
+###
+# Services
+###
+SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
+
+###
+# Additional Options
+# @todo: pass user & group for service.
+###
+SLAPD_OPTIONS=""
+
+###
+# SLAPD Configuration
+###
+SLAPD_CONF="/etc/ldap/slapd.d"