generated from coulomb/repo-seed
Close OpenBao OIDC admin bootstrap path
This commit is contained in:
@@ -68,11 +68,13 @@ fi
|
||||
# ── Authenticate ──────────────────────────────────────────────────────────────
|
||||
echo ""
|
||||
echo "Authenticating to privacyIDEA at $PI_URL ..."
|
||||
AUTH_RESPONSE=$(curl -sf -X POST "$PI_URL/auth" \
|
||||
if ! AUTH_RESPONSE=$(PI_ADMIN_PASS="$PI_ADMIN_PASS" python3 -c '
|
||||
import json
|
||||
import os
|
||||
print(json.dumps({"username": "pi-admin", "password": os.environ["PI_ADMIN_PASS"]}))
|
||||
' | curl -sS -X POST "$PI_URL/auth" \
|
||||
-H "Content-Type: application/json" \
|
||||
-d "{\"username\":\"pi-admin\",\"password\":\"$PI_ADMIN_PASS\"}" 2>/dev/null || echo "CURL_FAILED")
|
||||
|
||||
if [[ "$AUTH_RESPONSE" == "CURL_FAILED" ]]; then
|
||||
--data-binary @- 2>/dev/null); then
|
||||
echo "ERROR: Could not reach $PI_URL — is the cluster up and privacyIDEA running?" >&2
|
||||
echo " Run verify-t04.sh to diagnose." >&2
|
||||
exit 1
|
||||
@@ -94,10 +96,10 @@ pi_api() {
|
||||
# BadRequest if Content-Type: application/json is sent on a bodyless GET.
|
||||
local method="$1"; local path="$2"; local body="${3:-}"
|
||||
if [[ -n "$body" ]]; then
|
||||
curl -sf -X "$method" "$PI_URL$path" \
|
||||
printf '%s' "$body" | curl -sf -X "$method" "$PI_URL$path" \
|
||||
-H "Authorization: $PI_TOKEN" \
|
||||
-H "Content-Type: application/json" \
|
||||
-d "$body" 2>/dev/null || echo "CURL_FAILED"
|
||||
--data-binary @- 2>/dev/null || echo "CURL_FAILED"
|
||||
else
|
||||
curl -sf -X "$method" "$PI_URL$path" \
|
||||
-H "Authorization: $PI_TOKEN" \
|
||||
@@ -136,13 +138,13 @@ echo "Step 1: Creating LDAP resolver '$RESOLVER_NAME' ..."
|
||||
# LLDAP uses standard inetOrgPerson attributes.
|
||||
USERINFO='{"username": "uid", "phone": "telephoneNumber", "mobile": "mobile", "email": "mail", "surname": "sn", "givenname": "givenName"}'
|
||||
|
||||
RESOLVER_BODY=$(python3 -c "
|
||||
import json, sys
|
||||
RESOLVER_BODY=$(LLDAP_BIND_PW="$LLDAP_BIND_PW" python3 -c "
|
||||
import json, os
|
||||
body = {
|
||||
'type': 'ldapresolver',
|
||||
'LDAPURI': '$(echo "$LLDAP_URL" | sed "s/'/'\\''/g")',
|
||||
'BINDDN': '$(echo "$LLDAP_BIND_DN" | sed "s/'/'\\''/g")',
|
||||
'BINDPW': sys.argv[1],
|
||||
'BINDPW': os.environ['LLDAP_BIND_PW'],
|
||||
'LDAPBASE': '$LLDAP_BASE_DN',
|
||||
'LOGINNAMEATTRIBUTE': 'uid',
|
||||
'LDAPSEARCHFILTER': '(objectClass=inetOrgPerson)',
|
||||
@@ -153,7 +155,7 @@ body = {
|
||||
'NOSCHEMAS': True
|
||||
}
|
||||
print(json.dumps(body))
|
||||
" "$LLDAP_BIND_PW")
|
||||
")
|
||||
|
||||
RESP=$(pi_api POST "/resolver/$RESOLVER_NAME" "$RESOLVER_BODY")
|
||||
check_result "LDAP resolver '$RESOLVER_NAME' created/updated" "$RESP" || true
|
||||
|
||||
56
sso-mfa/k8s/privacyidea/repair-realm-live.sh
Executable file
56
sso-mfa/k8s/privacyidea/repair-realm-live.sh
Executable file
@@ -0,0 +1,56 @@
|
||||
#!/usr/bin/env bash
|
||||
# repair-realm-live.sh - attended repair for privacyIDEA realm bootstrap state.
|
||||
#
|
||||
# This wrapper prompts for live passwords, writes them only to a private
|
||||
# temporary directory, runs the idempotent realm bootstrap, and removes the
|
||||
# temporary files on exit.
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)
|
||||
SSO_MFA_K8S_DIR=$(cd -- "$SCRIPT_DIR/.." && pwd)
|
||||
PI_URL="${PI_URL:-https://pink.coulomb.social}"
|
||||
|
||||
if [[ ! -t 0 ]]; then
|
||||
echo "ERROR: repair-realm-live.sh needs an interactive terminal for password prompts." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
export PATH="/home/worsch/.local/bin:$PATH"
|
||||
umask 077
|
||||
|
||||
tmp="$(mktemp -d)"
|
||||
cleanup() {
|
||||
rm -rf "$tmp"
|
||||
unset PI_ADMIN_PASSWORD LLDAP_LDAP_USER_PASS
|
||||
}
|
||||
trap cleanup EXIT
|
||||
|
||||
mkdir -p "$tmp/privacyidea" "$tmp/lldap"
|
||||
|
||||
printf "privacyIDEA pi-admin password: " >&2
|
||||
read -rs PI_ADMIN_PASSWORD
|
||||
printf "\n" >&2
|
||||
printf "LLDAP bind/admin password: " >&2
|
||||
read -rs LLDAP_LDAP_USER_PASS
|
||||
printf "\n" >&2
|
||||
|
||||
printf "PI_ADMIN_PASSWORD=%q\n" "$PI_ADMIN_PASSWORD" > "$tmp/privacyidea/secrets.env"
|
||||
printf "LLDAP_LDAP_USER_PASS=%q\n" "$LLDAP_LDAP_USER_PASS" > "$tmp/lldap/secrets.env"
|
||||
|
||||
bash "$SCRIPT_DIR/bootstrap-realm.sh" "$tmp" "$PI_URL"
|
||||
|
||||
if ! bash "$SSO_MFA_K8S_DIR/verify-t06.sh" "$tmp"; then
|
||||
cat >&2 <<'WARN'
|
||||
|
||||
[WARN] verify-t06 still reports failures. If realm, resolver, policies, and
|
||||
self-service pass but KeyCape token checks fail, run the KeyCape privacyIDEA
|
||||
MFA token repair action after platform-root enrollment.
|
||||
WARN
|
||||
fi
|
||||
|
||||
cat <<'OK'
|
||||
|
||||
[OK] privacyIDEA coulomb realm repair command finished. Enroll or re-enroll
|
||||
platform-root TOTP in privacyIDEA next.
|
||||
OK
|
||||
Reference in New Issue
Block a user