od-ssl-cert.sh

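This script will setup the machine for OD SSL Support, and change the DS OD Binding script to bind via SSL. You will need to replace SERVERNAMEHERE with your web server, where your CA Certificate is located. In our case, the XServer has a real, signed, wildcard cert (*.domain.com), however we just need to add the CA-Bundle.crt file to each client, which then verifies our cert. For Self-Signed certs, just use the CA Self Cert that you created. You will just have to put that cert up on the web somewhere to be able to download it. Note: For us, this is no longer needed with 10.6, as it works by default with our cert. If you would like the script that makes the ca-bundle.crt, we use [|Curl's mk-ca-bundle.pl] which then generates the ca-bundle.crt, that I then move to the web directory. I've been thinking about automating this, but haven't needed to just yet, as our, or our signer's certs haven't expired yet.

# od_ssl_cert.sh - install a CA bundle on the target volume and point
# /etc/openldap/ldap.conf at it so Open Directory binds can use SSL.
# Required configuration: CA_BUNDLE_URL (replace SERVERNAMEHERE).
# Optional: CA_BUNDLE_SHA256 to pin the bundle's digest.
# Diagnostics go to stdout; a line starting with "RuntimeAbortWorkflow:"
# is how this script reports a failed step (the exit status is always 0).
echo "od_ssl_cert.sh - v0.1 ($(date))"

# Where the CA bundle is served from. This file becomes the trust anchor for
# every later LDAP-over-SSL connection, so it must not be fetched over a
# channel an on-path attacker can alter: serve it over HTTPS and/or pin its
# digest in CA_BUNDLE_SHA256 so a substituted bundle is rejected.
CA_BUNDLE_URL="http://SERVERNAMEHERE/ca-bundle.crt"
# Expected SHA-256 of ca-bundle.crt (hex, lower-case). Empty skips the check.
# e.g. CA_BUNDLE_SHA256="<sha256-of-your-ca-bundle.crt>"  (placeholder)
CA_BUNDLE_SHA256=""

# Get Volume: mount point of the first HFS volume on disk0.
# The original "cut -c 17-" assumed a fixed-width "/dev/disk0sN on " prefix and
# broke on two-digit slice numbers; the third mount(8) field is the mount point.
# Mount points containing spaces are not handled (neither were they before).
VOLUME=$(mount | awk '$1 ~ /^\/dev\/disk0/ && /hfs/ { print $3; exit }')
if [ -z "${VOLUME}" ] || [ ! -d "${VOLUME}/etc/openldap" ]; then
  # Without this guard an empty VOLUME would silently edit the running
  # system's /etc/openldap instead of the target volume's.
  echo "RuntimeAbortWorkflow: Cannot determine target volume (got '${VOLUME}')."
  exit 0
fi

CA_DEST="${VOLUME}/etc/openldap/ca-bundle.crt"
LDAP_CONF="${VOLUME}/etc/openldap/ldap.conf"

# fetch_url URL FILE - download URL into FILE via LWP. The body is written
# only on an HTTP success status; the original wrote $res->content
# unconditionally, so a 404/error page could be installed as the CA bundle.
# Returns 0 on success, 1 otherwise.
fetch_url() {
  perl -e '
    use LWP::UserAgent;
    my ($url, $out) = @ARGV;
    my $ua  = LWP::UserAgent->new;
    my $res = $ua->request(HTTP::Request->new("GET", $url));
    exit 1 unless $res->is_success;
    open(my $fh, ">", $out) or exit 1;
    print $fh $res->content;
    close($fh) or exit 1;
    exit 0;
  ' "$1" "$2"
}

# check_ca_bundle FILE - refuse anything that is not a PEM bundle and, when
# CA_BUNDLE_SHA256 is set, anything whose SHA-256 does not match it.
# Prints the reason (as a RuntimeAbortWorkflow line) and returns 1 on failure.
check_ca_bundle() {
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
    echo "RuntimeAbortWorkflow: Downloaded ca-bundle.crt is not a PEM certificate bundle."
    return 1
  fi
  if [ -n "${CA_BUNDLE_SHA256}" ]; then
    # NOTE: needs an openssl whose dgst supports -sha256.
    actual_sha256=$(openssl dgst -sha256 "$1" | awk '{ print $NF }')
    if [ "${actual_sha256}" != "${CA_BUNDLE_SHA256}" ]; then
      echo "RuntimeAbortWorkflow: ca-bundle.crt SHA-256 ${actual_sha256} does not match CA_BUNDLE_SHA256."
      return 1
    fi
  fi
  return 0
}

if [ ! -e "${CA_DEST}" ]; then
  echo "  ---CA Cert Bundle not found---"
  echo "  ---Downloading ca-bundle.crt from ${CA_BUNDLE_URL}---"
  # Download into a private temp dir rather than a fixed /tmp/ca-bundle.crt:
  # the original tested "-e ca-bundle.crt" after the fetch, so a stale or
  # pre-planted file in /tmp would have been installed as the trust anchor.
  WORKDIR=$(mktemp -d "${TMPDIR:-/tmp}/od-ssl-cert.XXXXXX") || WORKDIR=""
  if [ -z "${WORKDIR}" ]; then
    echo "RuntimeAbortWorkflow: Error creating a temporary directory."
  else
    CA_TMP="${WORKDIR}/ca-bundle.crt"
    if ! fetch_url "${CA_BUNDLE_URL}" "${CA_TMP}"; then
      echo "RuntimeAbortWorkflow: Error downloading ca-bundle."
    elif check_ca_bundle "${CA_TMP}"; then
      # 644 so the LDAP client libraries can read it regardless of umask.
      mv -- "${CA_TMP}" "${CA_DEST}" && chmod 644 "${CA_DEST}"
    fi
    rm -rf -- "${WORKDIR}"
  fi
fi

if [ -e "${CA_DEST}" ]; then
  echo "  ---CA Cert Bundle Found. Checking to see if we need to modify ldap.conf---"
  # The original pattern "^TLS_CACERT*" (unquoted) meant "TLS_CACER" followed
  # by any number of T; an anchored prefix match is what was intended.
  if grep -q '^TLS_CACERT' "${LDAP_CONF}"; then
    echo "     ---ldap.conf already modified. No need to do anything---"
  else
    echo "     ---ldap.conf needs to be modified---"
    echo "        ---Inserting commands into /etc/openldap/ldap.conf to use the bundle"
    echo "TLS_CACERT   /etc/openldap/ca-bundle.crt" >> "${LDAP_CONF}"
    echo "  ---Done Setting up LDAP for Open Directory SSL Support---"
  fi
else
  echo "RuntimeAbortWorkflow: Cannot find the CA Cert Bundle, not modifying ldap.conf"
fi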
#!/bin/sh
# Get Volume

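# Switch the DS OD binding script to SSL by adding "-x" to its dsconfigldap
# calls. Reads VOLUME (target volume mount point) set earlier in this script.
DSODB="${VOLUME}/usr/local/bin"
BINDING="${DSODB}/ds_open_directory_binding.sh"
if [ -e "${BINDING}" ]; then
  echo "  ---Configureing the DS OD Binding script for SSL Support---"
  # Rewrite into a temp file and only replace the script once sed succeeded.
  # The original redirected straight to binding.sh and mv'd it over the
  # script even if sed failed, which could leave an empty binding script.
  # The substitutions are idempotent: a line already carrying "-x" no longer
  # matches either pattern, so re-running this script does not add it twice.
  TMP_BINDING=$(mktemp "${DSODB}/binding.XXXXXX") || TMP_BINDING=""
  if [ -n "${TMP_BINDING}" ] \
     && sed -e 's/dsconfigldap -f -a/dsconfigldap -x -f -a/g' \
            -e 's/dsconfigldap -a/dsconfigldap -x -a/g' \
            "${BINDING}" > "${TMP_BINDING}" \
     && mv -- "${TMP_BINDING}" "${BINDING}" \
     && chmod 755 "${BINDING}" \
     && grep -q 'dsconfigldap -x' "${BINDING}"; then
    # chmod 755 rather than a+x: mktemp creates the file 0600, and the
    # original ended up with 0755 (umask default plus a+x).
    # The grep confirms the script actually calls dsconfigldap with -x now;
    # the original only re-tested that the file existed, which said nothing.
    echo "  ---Done configuring the OD Binding Script---"
  else
    [ -n "${TMP_BINDING}" ] && rm -f -- "${TMP_BINDING}"
    echo "RuntimeAbortWorkflow: Modifying DS OD Binding Script Failed."
  fi
else
  echo "  ---DS OD Binding Script not found, Nothing to Modify---"
fi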

echo "od_ssl_cert.sh - end" exit 0 code