~asommer/openldap/apport-hook

Viewing changes to debian/slapd.scripts-common

Committer: Bazaar Package Importer
Author(s): Mathias Gug
Date: 2009-08-11 14:48:56 UTC
Revision ID: james.westby@ubuntu.com-20090811144856-lj7263i2kb2h7ayt

Tags: 2.4.17-1ubuntu3

* Install a minimal slapd configuration instead of creating a default
   database with a default DIT:
   + Move openldap user home from /var/lib/ldap to /nonexistent.
   + Remove all code and templates dealing with the default database and DIT
     creation.
   + Add an Authz map from root user (UID=0) to cn=localroot,cn=config and
     grant all access to the latter in the cn=config database as well as the
     default backend configuration.
* Add cn=localroot,cn=config authz mapping on upgrades.

Show diffs side-by-side

added added

removed removed

debian/slapd.scripts-common

if [ -z "`getent passwd openldap`" ]; then

echo -n " Creating new user openldap... " >&2

adduser --quiet --system --home /var/lib/ldap --shell /bin/false \

adduser --quiet --system --home /nonexistent --shell /bin/false \

--ingroup openldap --disabled-password --disabled-login \

--gecos "OpenLDAP Server Account" openldap

echo "done." >&2

}

# }}}

create_ldap_directories() { # {{{

if [ ! -d /var/lib/ldap ]; then

mkdir /var/lib/ldap

if [ ! -d /var/run/slapd ]; then

mkdir /var/run/slapd

update_permissions /var/lib/ldap

update_permissions /var/run/slapd

chmod 0755 /var/run/slapd

}

# }}}

update_permissions() { # {{{

dir="$1"

[ -z "${SLAPD_USER}" ] || chown -R "${SLAPD_USER}" "${dir}"

369

357

create_new_configuration() { # {{{

370

358

# Create a new configuration and directory

371

359

372

local basedn dc backend

373

374

# For the domain really.argh.org we create the basedn

375

# dc=really,dc=argh,dc=org with the dc entry dc: really

376

db_get slapd/domain

377

local basedn="dc=`echo $RET | sed 's/^\.//; s/\./,dc=/g'`"

378

dc="`echo $RET | sed 's/^\.//; s/\..*$//'`"

379

380

db_get slapd/backend

381

backend="`echo $RET|tr A-Z a-z`"

382

383

# Looks like the following code is not needed as slapd is unconfigured

384

# first and stopped at that time. So no need to stop slapd at all here.

385

386

if [ -e "/var/lib/ldap" ] && ! is_empty_dir /var/lib/ldap; then

387

echo >&2 " Moving old database directory to /var/backups:"

388

move_old_database_away /var/lib/ldap

360

if [ ! -d /var/lib/ldap ]; then

361

mkdir /var/lib/ldap

389

362

390

create_ldap_directories

391

create_new_slapd_conf "$basedn" "$backend"

392

create_new_directory "$basedn" "$dc"

393

394

# Put the right permissions on this directory.

395

363

update_permissions /var/lib/ldap

396

364

397

# Now that we created the new directory we don't need the passwords in the

398

# debconf database anymore. So wipe them.

399

wipe_admin_pass

400

}

401

# }}}

402

create_new_slapd_conf() { # {{{

403

# Creates a new slapd.d configuration for the suffix given

404

# Usage: create_new_slapd_conf <basedn> <backend>

405

406

local adminpass basedn backend conf_template

407

408

basedn="$1"

409

backend="$2"

410

411

conf_template="/usr/share/slapd/slapd.init.ldif"

412

# Get the admin password for the cn=config tree

413

db_get slapd/internal/adminpw

414

# adminpw can have / character which would break sed

415

# further down.

416

adminpass=$(echo $RET | sed -e 's|/|\\/|g')

365

if [ ! -d /var/run/slapd ]; then

366

mkdir /var/run/slapd

367

368

update_permissions /var/run/slapd

369

# update_permissions doesn't allow a world readable dir.

370

# slapd run dir has the slapi socket and thus needs

371

# to be world accessible.

372

chmod 0755 /var/run/slapd

373

374

local init_ldif

375

init_ldif="/usr/share/slapd/slapd.init.ldif"

417

376

echo -n " Creating initial slapd configuration... " >&2

418

[ -e "${SLAPD_CONF}" ] && rm -rf "${SLAPD_CONF}"

377

rm -rf "${SLAPD_CONF}"

419

378

mkdir "${SLAPD_CONF}"

420

# Need to have a version of the backend name with the first

421

# letter capitalized (ex: olcBdbConfig or olcHdbConfig) to set

422

# the correct objectClass attribute in the db configuration.

423

local backend1="$(echo ${backend:0:1} | tr a-z A-Z)${backend:1}"

424

init_ldif=`mktemp /tmp/slapd_init.ldif.XXXXXXXXXX`

425

sed <"$conf_template" \

426

-e "s/@olcRootPW@/olcRootPW: $adminpass/g" \

427

-e "s/@backend@/$backend/g" \

428

-e "s/@Backend@/$backend1/g" \

429

-e "s/@SUFFIX@/$basedn/g" \

430

-e "s/@ADMIN@/cn=admin,$basedn/g" \

431

> ${init_ldif}

432

if [ "$adminpass" = "" ]; then

433

sed -i -e '/^olcRootPW: / d' ${init_ldif}

434

435

379

capture_diagnostics slapadd -F "${SLAPD_CONF}" \

436

380

-b "cn=config" -l ${init_ldif} || failed=1

437

381

if [ "$failed" ]; then

442

386

release_diagnostics " "

443

387

exit 1

444

388

445

rm "${init_ldif}"

446

389

update_permissions "${SLAPD_CONF}"

447

390

echo "done." >&2

448

391

449

}

450

# }}}

451

encode_utf8() { #{{{

452

# Make the value utf8 encoded. Takes one argument and utf8 encode it.

453

# Usage: val=`encode_utf8 <value>`

454

perl -e 'use Encode; print encode_utf8($ARGV[0]);' "$1"

455

} #}}}

456

create_new_directory() { # {{{

457

# Create a new directory. Takes the basedn and the dc value of that entry.

458

# Other information is extracted from debconf.

459

# Usage: create_new_directory <basedn> <dc>

460

461

local basedn dc organization adminpass

462

basedn="$1"

463

dc="$2"

464

465

# Encode to utf8 and base64 encode the organization.

466

db_get shared/organization

467

organization=`encode_utf8 "$RET"`

468

db_get slapd/internal/adminpw

469

adminpass="$RET"

470

471

echo -n " Creating initial LDAP directory... " >&2

472

init_ldif=`mktemp /tmp/slapd_init_dir.ldif.XXXXXXXXXX`

473

echo "dn: $basedn

474

objectClass: top

475

objectClass: dcObject

476

objectClass: organization

477

o: $organization

478

dc: $dc

479

480

dn: cn=admin,$basedn

481

objectClass: simpleSecurityObject

482

objectClass: organizationalRole

483

cn: admin

484

description: LDAP administrator

485

userPassword: $adminpass

486

" > ${init_ldif}

487

capture_diagnostics slapadd -F "${SLAPD_CONF}" \

488

-b "${basedn}" -l ${init_ldif} || failed=1

489

if [ "$failed" ]; then

490

echo failed. >&2

491

echo >&2

492

cat <<-EOF

493

Loading the initial directory structure from the ldif file (${init_ldif}) failed with the following

494

error while running slapadd:

495

EOF

496

release_diagnostics " "

497

exit 1

498

499

rm "${init_ldif}"

500

echo "done." >&2

501

}

392

}

502

393

# }}}

503

394

configure_v2_protocol_support() { # {{{

504

395

# Adds the "allow bind_v2" directive to the configuration if the user decided

505

396

# he wants to have ldap v2 enabled.

506

397

507

local new_conf

508

509

398

db_get slapd/allow_ldap_v2

510

399

if [ "$RET" != "true" ]; then return 0; fi

511

400

541

430

# }}}

542

431

543

432

544

# Set up the defaults for our templates

545

set_defaults_for_unseen_entries() # {{{

546

{

547

DOMAIN=`hostname -d 2>/dev/null` || true

548

if [ -z "$DOMAIN" ]; then DOMAIN='nodomain'; fi

549

550

db_fget slapd/domain seen

551

if [ "$RET" = false ]; then

552

db_set slapd/domain "$DOMAIN"

553

554

555

db_fget shared/organization seen

556

if [ "$RET" = false ]; then

557

db_set shared/organization "$DOMAIN"

558

559

}

560

# }}}

561

562

crypt_admin_pass() { # {{{

563

# Store the encrypted admin password into the debconf db

564

# Usage: crypt_admin_pass clear_password

565

# XXX: This is the standard unix crypt. Maybe we can get something stronger?

566

567

if [ ! -z "$1" ]; then

568

db_set slapd/internal/adminpw {crypt}`create_password_hash "$1"`

569

570

}

571

572

wipe_admin_pass() {

573

# Remove passwords after creating the initial ldap database.

574

# Usage: wipe_admin_pass

575

db_set slapd/password1 ""

576

db_set slapd/password2 ""

577

db_set slapd/internal/adminpw ""

578

}

579

580

# }}}

581

create_password_hash() { # {{{

582

# Create the password hash for the given password

583

# Usage: hash=`create_password_hash "$password"`

584

585

perl - "$1" <<'EOF'

586

# ---------------

587

sub GenRandom {

588

local ($len) = @_;

589

local ($char, $data, @chars);

590

@chars = split(//, "abcdefghijklmnopqrstuvwxyz"

591

. "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789");

592

593

open(RD, "</dev/urandom") or die "Failed to open random source";

594

$data = "";

595

while ($len--) {

596

read(RD, $char, 1) == 1 or die "Failed to read random data";

597

$data .= $chars[ord($char) % @chars];

598

}

599

600

close(RD);

601

return $data;

602

}

603

print crypt($ARGV[0], GenRandom(2));

604

EOF

605

# --------------

606

}

607

608

# }}}

609

433

previous_version_older() { # {{{

610

434

# Check if the previous version is newer than the reference version passed.

611

435

# If we are not upgrading the previous version is assumed to be newer than

Older »