Close OpenBao OIDC admin bootstrap path

This commit is contained in:
2026-06-01 21:20:53 +02:00
parent ed2cc17165
commit c48e076429
15 changed files with 374 additions and 86 deletions

View File

@@ -68,11 +68,13 @@ fi
# ── Authenticate ──────────────────────────────────────────────────────────────
echo ""
echo "Authenticating to privacyIDEA at $PI_URL ..."
AUTH_RESPONSE=$(curl -sf -X POST "$PI_URL/auth" \
if ! AUTH_RESPONSE=$(PI_ADMIN_PASS="$PI_ADMIN_PASS" python3 -c '
import json
import os
print(json.dumps({"username": "pi-admin", "password": os.environ["PI_ADMIN_PASS"]}))
' | curl -sS -X POST "$PI_URL/auth" \
-H "Content-Type: application/json" \
-d "{\"username\":\"pi-admin\",\"password\":\"$PI_ADMIN_PASS\"}" 2>/dev/null || echo "CURL_FAILED")
if [[ "$AUTH_RESPONSE" == "CURL_FAILED" ]]; then
--data-binary @- 2>/dev/null); then
echo "ERROR: Could not reach $PI_URL — is the cluster up and privacyIDEA running?" >&2
echo " Run verify-t04.sh to diagnose." >&2
exit 1
@@ -94,10 +96,10 @@ pi_api() {
# BadRequest if Content-Type: application/json is sent on a bodyless GET.
local method="$1"; local path="$2"; local body="${3:-}"
if [[ -n "$body" ]]; then
curl -sf -X "$method" "$PI_URL$path" \
printf '%s' "$body" | curl -sf -X "$method" "$PI_URL$path" \
-H "Authorization: $PI_TOKEN" \
-H "Content-Type: application/json" \
-d "$body" 2>/dev/null || echo "CURL_FAILED"
--data-binary @- 2>/dev/null || echo "CURL_FAILED"
else
curl -sf -X "$method" "$PI_URL$path" \
-H "Authorization: $PI_TOKEN" \
@@ -136,13 +138,13 @@ echo "Step 1: Creating LDAP resolver '$RESOLVER_NAME' ..."
# LLDAP uses standard inetOrgPerson attributes.
USERINFO='{"username": "uid", "phone": "telephoneNumber", "mobile": "mobile", "email": "mail", "surname": "sn", "givenname": "givenName"}'
RESOLVER_BODY=$(python3 -c "
import json, sys
RESOLVER_BODY=$(LLDAP_BIND_PW="$LLDAP_BIND_PW" python3 -c "
import json, os
body = {
'type': 'ldapresolver',
'LDAPURI': '$(echo "$LLDAP_URL" | sed "s/'/'\\''/g")',
'BINDDN': '$(echo "$LLDAP_BIND_DN" | sed "s/'/'\\''/g")',
'BINDPW': sys.argv[1],
'BINDPW': os.environ['LLDAP_BIND_PW'],
'LDAPBASE': '$LLDAP_BASE_DN',
'LOGINNAMEATTRIBUTE': 'uid',
'LDAPSEARCHFILTER': '(objectClass=inetOrgPerson)',
@@ -153,7 +155,7 @@ body = {
'NOSCHEMAS': True
}
print(json.dumps(body))
" "$LLDAP_BIND_PW")
")
RESP=$(pi_api POST "/resolver/$RESOLVER_NAME" "$RESOLVER_BODY")
check_result "LDAP resolver '$RESOLVER_NAME' created/updated" "$RESP" || true