aherman
/
boundary
mirror of https://github.com/hashicorp/boundary
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '12e0a3aaec'
${ noResults }
boundary/enos/modules/aws_rdp_domain_controller/scripts/setup_ldaps.ps1

78 lines
2.8 KiB
Raw Blame History

# Copyright IBM Corp. 2020, 2025
# SPDX-License-Identifier: BUSL-1.1
# Wait for AD Web Services to be available
$timeout = 600
$elapsed = 0
$interval = 15
while ($elapsed -lt $timeout) {
try {
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
Write-Host "Domain is ready: $($domain.Name)"
break
} catch {
Write-Host "Domain not ready, waiting..."
Start-Sleep -Seconds $interval
$elapsed += $interval
}
}
if ($elapsed -ge $timeout) {
Write-Host "Timeout waiting for domain readiness"
exit 1
}
$dnsName = $env:computername + '.' + "${active_directory_domain}"
$now = Get-Date
# Create self-signed certificate for LDAPS. Since it's not signed by a trusted
# CA, all LDAPS clients will have to allow insecure TLS.
#
# The -TextExtension is required. 2.5.29.37 is the OID for "Enhanced Key Usage"
# and we need to set it to 1.3.6.1.5.5.7.3.1 which is the OID for server
# authentication.
$cert = New-SelfSignedCertificate `
-DnsName $dnsName `
-NotAfter $now.AddYears(1) `
-KeyUsage DigitalSignature, KeyEncipherment `
-Type SSLServerAuthentication `
-TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") `
-Provider "Microsoft Strong Cryptographic Provider" `
-HashAlgorithm "SHA256"
# Copy certificate thumbprint to NTDS service store so that AD can use it.
$thumbprint = ($cert.Thumbprint | Out-String).Trim()
$certDestPath = 'HKLM:/Software/Microsoft/Cryptography/Services/NTDS/SystemCertificates/My/Certificates'
if (!(Test-Path $certDestPath)) { New-Item $certDestPath -Force }
Copy-Item `
-Path HKLM:/Software/Microsoft/SystemCertificates/My/Certificates/$thumbprint `
-Destination $certDestPath
# Signal NTDS that we have a new server certificate for use using an LDIF file.
$sb = [System.Text.StringBuilder]::new()
[void]$sb.AppendLine('dn:')
[void]$sb.AppendLine('changetype: modify')
[void]$sb.AppendLine('add: renewServerCertificate')
[void]$sb.AppendLine('renewServerCertificate: 1')
[void]$sb.AppendLine('-')
$sb.ToString() | Out-File -FilePath "rsc.ldif" -Encoding ASCII
ldifde -i -f rsc.ldif
# Create Vault user and add it to the domain administrators group for RDP
# access.
New-ADUser `
-Enabled 1 `
-Name ${vault_ldap_user} `
-DisplayName ${vault_ldap_user} `
-SamAccountName ${vault_ldap_user} `
-PasswordNotRequired 1
Add-ADGroupMember -Identity 'Domain Admins' -Members ${vault_ldap_user}
# From here, a Vault LDAP engine can be configured to bind to the AD LDAPS
# server using the domain controller's credentials and then a static role
# for the Vault user above can be created. Additionally, a dynamic role
# can also be created using LDIF templates.
# The static/dynamic roles can then be used to RDP into the member server
# via Boundary Vault LDAP credential library.
Reference in new issue View Git Blame Copy Permalink