74
74
if [ -z "`getent passwd openldap`" ]; then
75
75
echo -n " Creating new user openldap... " >&2
76
adduser --quiet --system --home /var/lib/ldap --shell /bin/false \
76
adduser --quiet --system --home /nonexistent --shell /bin/false \
77
77
--ingroup openldap --disabled-password --disabled-login \
78
78
--gecos "OpenLDAP Server Account" openldap
83
create_ldap_directories() { # {{{
84
if [ ! -d /var/lib/ldap ]; then
87
if [ ! -d /var/run/slapd ]; then
90
update_permissions /var/lib/ldap
91
update_permissions /var/run/slapd
92
chmod 0755 /var/run/slapd
95
83
update_permissions() { # {{{
97
85
[ -z "${SLAPD_USER}" ] || chown -R "${SLAPD_USER}" "${dir}"
369
357
create_new_configuration() { # {{{
370
358
# Create a new configuration and directory
372
local basedn dc backend
374
# For the domain really.argh.org we create the basedn
375
# dc=really,dc=argh,dc=org with the dc entry dc: really
377
local basedn="dc=`echo $RET | sed 's/^\.//; s/\./,dc=/g'`"
378
dc="`echo $RET | sed 's/^\.//; s/\..*$//'`"
381
backend="`echo $RET|tr A-Z a-z`"
383
# Looks like the following code is not needed as slapd is unconfigured
384
# first and stopped at that time. So no need to stop slapd at all here.
386
if [ -e "/var/lib/ldap" ] && ! is_empty_dir /var/lib/ldap; then
387
echo >&2 " Moving old database directory to /var/backups:"
388
move_old_database_away /var/lib/ldap
360
if [ ! -d /var/lib/ldap ]; then
390
create_ldap_directories
391
create_new_slapd_conf "$basedn" "$backend"
392
create_new_directory "$basedn" "$dc"
394
# Put the right permissions on this directory.
395
363
update_permissions /var/lib/ldap
397
# Now that we created the new directory we don't need the passwords in the
398
# debconf database anymore. So wipe them.
402
create_new_slapd_conf() { # {{{
403
# Creates a new slapd.d configuration for the suffix given
404
# Usage: create_new_slapd_conf <basedn> <backend>
406
local adminpass basedn backend conf_template
411
conf_template="/usr/share/slapd/slapd.init.ldif"
412
# Get the admin password for the cn=config tree
413
db_get slapd/internal/adminpw
414
# adminpw can have / character which would break sed
416
adminpass=$(echo $RET | sed -e 's|/|\\/|g')
365
if [ ! -d /var/run/slapd ]; then
368
update_permissions /var/run/slapd
369
# update_permissions doesn't allow a world readable dir.
370
# slapd run dir has the slapi socket and thus needs
371
# to be world accessible.
372
chmod 0755 /var/run/slapd
375
init_ldif="/usr/share/slapd/slapd.init.ldif"
417
376
echo -n " Creating initial slapd configuration... " >&2
418
[ -e "${SLAPD_CONF}" ] && rm -rf "${SLAPD_CONF}"
377
rm -rf "${SLAPD_CONF}"
419
378
mkdir "${SLAPD_CONF}"
420
# Need to have a version of the backend name with the first
421
# letter capitalized (ex: olcBdbConfig or olcHdbConfig) to set
422
# the correct objectClass attribute in the db configuration.
423
local backend1="$(echo ${backend:0:1} | tr a-z A-Z)${backend:1}"
424
init_ldif=`mktemp /tmp/slapd_init.ldif.XXXXXXXXXX`
425
sed <"$conf_template" \
426
-e "s/@olcRootPW@/olcRootPW: $adminpass/g" \
427
-e "s/@backend@/$backend/g" \
428
-e "s/@Backend@/$backend1/g" \
429
-e "s/@SUFFIX@/$basedn/g" \
430
-e "s/@ADMIN@/cn=admin,$basedn/g" \
432
if [ "$adminpass" = "" ]; then
433
sed -i -e '/^olcRootPW: / d' ${init_ldif}
435
379
capture_diagnostics slapadd -F "${SLAPD_CONF}" \
436
380
-b "cn=config" -l ${init_ldif} || failed=1
437
381
if [ "$failed" ]; then
442
386
release_diagnostics " "
446
389
update_permissions "${SLAPD_CONF}"
452
# Make the value utf8 encoded. Takes one argument and utf8 encode it.
453
# Usage: val=`encode_utf8 <value>`
454
perl -e 'use Encode; print encode_utf8($ARGV[0]);' "$1"
456
create_new_directory() { # {{{
457
# Create a new directory. Takes the basedn and the dc value of that entry.
458
# Other information is extracted from debconf.
459
# Usage: create_new_directory <basedn> <dc>
461
local basedn dc organization adminpass
465
# Encode to utf8 and base64 encode the organization.
466
db_get shared/organization
467
organization=`encode_utf8 "$RET"`
468
db_get slapd/internal/adminpw
471
echo -n " Creating initial LDAP directory... " >&2
472
init_ldif=`mktemp /tmp/slapd_init_dir.ldif.XXXXXXXXXX`
475
objectClass: dcObject
476
objectClass: organization
481
objectClass: simpleSecurityObject
482
objectClass: organizationalRole
484
description: LDAP administrator
485
userPassword: $adminpass
487
capture_diagnostics slapadd -F "${SLAPD_CONF}" \
488
-b "${basedn}" -l ${init_ldif} || failed=1
489
if [ "$failed" ]; then
493
Loading the initial directory structure from the ldif file (${init_ldif}) failed with the following
494
error while running slapadd:
496
release_diagnostics " "
503
394
configure_v2_protocol_support() { # {{{
504
395
# Adds the "allow bind_v2" directive to the configuration if the user decided
505
396
# he wants to have ldap v2 enabled.
509
398
db_get slapd/allow_ldap_v2
510
399
if [ "$RET" != "true" ]; then return 0; fi
544
# Set up the defaults for our templates
545
set_defaults_for_unseen_entries() # {{{
547
DOMAIN=`hostname -d 2>/dev/null` || true
548
if [ -z "$DOMAIN" ]; then DOMAIN='nodomain'; fi
550
db_fget slapd/domain seen
551
if [ "$RET" = false ]; then
552
db_set slapd/domain "$DOMAIN"
555
db_fget shared/organization seen
556
if [ "$RET" = false ]; then
557
db_set shared/organization "$DOMAIN"
562
crypt_admin_pass() { # {{{
563
# Store the encrypted admin password into the debconf db
564
# Usage: crypt_admin_pass clear_password
565
# XXX: This is the standard unix crypt. Maybe we can get something stronger?
567
if [ ! -z "$1" ]; then
568
db_set slapd/internal/adminpw {crypt}`create_password_hash "$1"`
573
# Remove passwords after creating the initial ldap database.
574
# Usage: wipe_admin_pass
575
db_set slapd/password1 ""
576
db_set slapd/password2 ""
577
db_set slapd/internal/adminpw ""
581
create_password_hash() { # {{{
582
# Create the password hash for the given password
583
# Usage: hash=`create_password_hash "$password"`
589
local ($char, $data, @chars);
590
@chars = split(//, "abcdefghijklmnopqrstuvwxyz"
591
. "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789");
593
open(RD, "</dev/urandom") or die "Failed to open random source";
596
read(RD, $char, 1) == 1 or die "Failed to read random data";
597
$data .= $chars[ord($char) % @chars];
603
print crypt($ARGV[0], GenRandom(2));
609
433
previous_version_older() { # {{{
610
434
# Check if the previous version is newer than the reference version passed.
611
435
# If we are not upgrading the previous version is assumed to be newer than