authorLinus Nordberg <linus@nordberg.se>2010-05-28 15:32:31 +0200
committerLinus Nordberg <linus@nordberg.se>2010-05-28 15:32:31 +0200
commitdaf4ee8837407d6e1194eab86caf47a9bf9faa34 (patch)
tree114abbbbc7a65390638b746871016eaddb68d91e /tools
parentea4f850a2412df8bc4618b98350c2f961d8202ae (diff)
Create tools/ directory and move shell scripts there.
Diffstat (limited to 'tools')
-rw-r--r--tools/README48
-rw-r--r--tools/naptr-eduroam.sh72
-rwxr-xr-xtools/radsec-dynsrv.sh51
3 files changed, 171 insertions, 0 deletions
diff --git a/tools/README b/tools/README
new file mode 100644
index 0000000..4e6d2bc
--- /dev/null
+++ b/tools/README
@@ -0,0 +1,48 @@
+Mail[1] to the radsecproxy mailing list Wed, 14 Apr 2010 from Stefan
+Winter explaining the radsec-dynsrv.sh and naptr-eduroam.sh scripts.
+
+------------------------------------------------------------
+Hi,
+
+the radsec-dynsrv.sh script right now looks up _radsec._tcp.$REALM. For
+eduroam, the production discovery will rely on S-NAPTRs of "s" type and
+subsequent SRVs.
+
+I have attached a preliminary version of the discovery script which
+takes this logic into account. It could use some public scrutiny (where
+"public" might very well evaluate to Kolbjørn Barmen, who wrote the SRV
+script and knows much more about bash scripting than I do *cough cough*).
+
+As with the other script, you call
+
+naptr-eduroam.sh <realm>
+
+If you need a test case, the DNS domain restena.lu has the NAPTR and the
+SRV record live in place. On my system, you get:
+
+> ./naptr-eduroam.sh restena.lu
+server dynamic_radsec.restena.lu {
+host radius-1.restena.lu:2083
+type TLS
+}
+
+with our live DNS data (radius-1.restena.lu isn't really
+production-ready yet though).
+
+If you're curious, the S-NAPTR for eduroam right now is
+
+x-eduroam:radius.tls
+
+with a possibility of a later IETF allocation of either
+
+aaa:radius.tls (probable)
+eduroam:radius.tls (wishful thinking)
+
+, in which case changing the script to use the new ones is trivial.
+
+Greetings,
+
+Stefan Winter
+------------------------------------------------------------
+
+[1] https://postlister.uninett.no/sympa/arc/radsecproxy/2010-04/msg00011.html
diff --git a/tools/naptr-eduroam.sh b/tools/naptr-eduroam.sh
new file mode 100644
index 0000000..9bc6c45
--- /dev/null
+++ b/tools/naptr-eduroam.sh
@@ -0,0 +1,72 @@
+#! /bin/bash
+
+# Example script!
+# This script looks up radsec srv records in DNS for the one
+# realm given as argument, and creates a server template based
+# on that. It currently ignores weight markers, but does sort
+# servers on priority marker, lowest number first.
+# For host command this is coloumn 5, for dig it is coloumn 1.
+
+usage() {
+ echo "Usage: ${0} <realm>"
+ exit 1
+}
+
+test -n "${1}" || usage
+
+REALM="${1}"
+DIGCMD=$(command -v dig)
+HOSTCMD=$(command -v host)
+
+dig_it_srv() {
+ ${DIGCMD} +short srv $SRV_HOST | sort -k1 |
+ while read line ; do
+ set $line ; PORT=$3 ; HOST=$4
+ echo -e "\thost ${HOST%.}:${PORT}"
+ done
+}
+
+dig_it_naptr() {
+ ${DIGCMD} +short naptr ${REALM} | grep x-eduroam:radius.tls | sort -k1 |
+ while read line ; do
+ set $line ; TYPE=$3 ; HOST=$6
+ if [ "$TYPE" == "\"s\"" ]; then {
+ SRV_HOST=${HOST%.}
+ dig_it_srv; }; fi
+ done
+}
+
+host_it_srv() {
+ ${HOSTCMD} -t srv $SRV_HOST | sort -k5 |
+ while read line ; do
+ set $line ; PORT=$7 ; HOST=$8
+ echo -e "\thost ${HOST%.}:${PORT}"
+ done
+}
+
+host_it_naptr() {
+ ${HOSTCMD} -t naptr ${REALM} | grep x-eduroam:radius.tls | sort -k5 |
+ while read line ; do
+ set $line ; TYPE=$7 ; HOST=${10}
+ if [ "$TYPE" == "\"s\"" ]; then {
+ SRV_HOST=${HOST%.}
+ host_it_srv; }; fi
+
+ done
+}
+
+if test -x "${DIGCMD}" ; then
+ SERVERS=$(dig_it_naptr)
+elif test -x "${HOSTCMD}" ; then
+ SERVERS=$(host_it_naptr)
+else
+ echo "${0} requires either \"dig\" or \"host\" command."
+ exit 1
+fi
+
+if test -n "${SERVERS}" ; then
+ echo -e "server dynamic_radsec.${REALM} {\n${SERVERS}\n\ttype TLS\n}"
+ exit 0
+fi
+
+exit 0
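Review bot: The `sort -k1` in dig_it_srv and `sort -k5` in host_it_srv compare the SRV priority field lexically, so a priority of 10 orders before 2 and the header's "lowest number first" promise does not hold; the keys should be numeric, `sort -k1,1n` for dig and `sort -k5,5n` for host. In the same functions `set $line` word-splits and glob-expands DNS answer data the script does not control and `read` without `-r` strips backslashes; reading the fields directly with `while read -r _ _ PORT HOST ; do` avoids both, and a character-class check on PORT and HOST before they are echoed into the server block keeps unexpected record content out of the generated config (rewrite below, host_it_srv follows the same shape with `read -r _ _ _ _ _ _ PORT HOST`). The header comment is copied verbatim from radsec-dynsrv.sh and still says the script "looks up radsec srv records"; it should state that the realm's NAPTR records are queried first, only those with an `"s"` flag and the x-eduroam:radius.tls service are followed to an SRV lookup, and the server block is built from the SRV targets. The `usage` message and the "requires either dig or host" message go to stdout, where a consumer of this script expects a radsecproxy server block, so both echos should end in `>&2`. The sort, field-splitting and stdout points apply unchanged to dig_it, host_it, usage and the error branch in tools/radsec-dynsrv.sh in this commit.
```shell
dig_it_srv() {
 ${DIGCMD} +short srv "$SRV_HOST" | sort -k1,1n |
 while read -r _ _ PORT HOST ; do
  # skip answers whose fields are not a plain port number and hostname
  case "$PORT" in ''|*[!0-9]*) continue ;; esac
  case "$HOST" in ''|*[!A-Za-z0-9.-]*) continue ;; esac
  echo -e "\thost ${HOST%.}:${PORT}"
 done
}
```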
diff --git a/tools/radsec-dynsrv.sh b/tools/radsec-dynsrv.sh
new file mode 100755
index 0000000..7a74b6d
--- /dev/null
+++ b/tools/radsec-dynsrv.sh
@@ -0,0 +1,51 @@
+#! /bin/bash
+
+# Example script!
+# This script looks up radsec srv records in DNS for the one
+# realm given as argument, and creates a server template based
+# on that. It currently ignores weight markers, but does sort
+# servers on priority marker, lowest number first.
+# For host command this is coloumn 5, for dig it is coloumn 1.
+
+usage() {
+ echo "Usage: ${0} <realm>"
+ exit 1
+}
+
+test -n "${1}" || usage
+
+REALM="${1}"
+DIGCMD=$(command -v digaaa)
+HOSTCMD=$(command -v host)
+
+dig_it() {
+ ${DIGCMD} +short srv _radsec._tcp.${REALM} | sort -k1 |
+ while read line ; do
+ set $line ; PORT=$3 ; HOST=$4
+ echo -e "\thost ${HOST%.}:${PORT}"
+ done
+}
+
+host_it() {
+ ${HOSTCMD} -t srv _radsec._tcp.${REALM} | sort -k5 |
+ while read line ; do
+ set $line ; PORT=$7 ; HOST=$8
+ echo -e "\thost ${HOST%.}:${PORT}"
+ done
+}
+
+if test -x "${DIGCMD}" ; then
+ SERVERS=$(dig_it)
+elif test -x "${HOSTCMD}" ; then
+ SERVERS=$(host_it)
+else
+ echo "${0} requires either \"dig\" or \"host\" command."
+ exit 1
+fi
+
+if test -n "${SERVERS}" ; then
+ echo -e "server dynamic_radsec.${REALM} {\n${SERVERS}\n\ttype TLS\n}"
+ exit 0
+fi
+
+exit 0
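Review bot: `DIGCMD=$(command -v digaaa)` looks up a command named digaaa rather than dig, so `test -x "${DIGCMD}"` can never succeed and dig_it is unreachable; every run falls through to host_it, or to the "requires either dig or host" error when host is absent too. This looks like a leftover from exercising the host fallback and should read `DIGCMD=$(command -v dig)`, as naptr-eduroam.sh in the same commit does. Since the file is added with mode 100755 while naptr-eduroam.sh is 100644, the dead dig path is the version people will actually run.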