From 8bd37126ac724b2988682f4e7f6d7b7a317b5ba2 Mon Sep 17 00:00:00 2001 From: Jan Vcelak Date: Fri, 25 Nov 2011 23:14:25 +0100 Subject: [PATCH] configuration initialization from LDIF file --- openldap.spec | 7 +- slapd-libexec-convert-config.sh | 18 +++- slapd.conf | 141 -------------------------------- slapd.ldif | 2 +- 4 files changed, 22 insertions(+), 146 deletions(-) delete mode 100644 slapd.conf diff --git a/openldap.spec b/openldap.spec index 1049230..75153f3 100644 --- a/openldap.spec +++ b/openldap.spec @@ -15,7 +15,8 @@ Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version Source1: slapd.service Source2: slapd.sysconfig Source3: slapd.tmpfiles -Source4: slapd.conf +Source4: slapd.conf.obsolete +Source5: slapd.ldif Source50: slapd-libexec-functions Source51: slapd-libexec-convert-config.sh Source52: slapd-libexec-check-config.sh @@ -359,8 +360,10 @@ chmod 0644 %{buildroot}%{_libdir}/lib*.*a mkdir -p %{buildroot}%{_datadir} install -m 0755 -d %{buildroot}%{_datadir}/openldap-servers install -m 0644 %SOURCE4 %{buildroot}%{_datadir}/openldap-servers/slapd.conf.obsolete +install -m 0644 %SOURCE5 %{buildroot}%{_datadir}/openldap-servers/slapd.ldif install -m 0700 -d %{buildroot}%{_sysconfdir}/openldap/slapd.d rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.conf +rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.ldif # move doc files out of _sysconfdir mv %{buildroot}%{_sysconfdir}/openldap/schema/README README.schema @@ -440,7 +443,7 @@ if [ ! -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif ]; then %{_libexecdir}/slapd/convert-config.sh &>/dev/null mv %{_sysconfdir}/openldap/slapd.conf %{_sysconfdir}/openldap/slapd.conf.bak else - %{_libexecdir}/slapd/convert-config.sh -f %{_datadir}/openldap-servers/slapd.conf.obsolete &>/dev/null + %{_libexecdir}/slapd/convert-config.sh -f %{_datadir}/openldap-servers/slapd.ldif &>/dev/null fi fi diff --git a/slapd-libexec-convert-config.sh b/slapd-libexec-convert-config.sh index b3f0656..17025bf 100755 --- a/slapd-libexec-convert-config.sh +++ b/slapd-libexec-convert-config.sh @@ -34,6 +34,12 @@ if [ ! -f "$SLAPD_CONFIG_FILE" ]; then exit 1 fi +if grep -iq '^dn: cn=config$' "$SLAPD_CONFIG_FILE"; then + SLAPD_CONFIG_FILE_FORMAT=ldif +else + SLAPD_CONFIG_FILE_FORMAT=conf +fi + if [ -d "$SLAPD_CONFIG_DIR" ]; then if [ `find "$SLAPD_CONFIG_DIR" -maxdepth 0 -empty | wc -l` -eq 0 ]; then error "Target configuration directory '%s' is not empty." "$SLAPD_CONFIG_DIR" @@ -47,12 +53,20 @@ tmp_convert=`mktemp` if [ `id -u` -eq 0 ]; then install -d --owner $SLAPD_USER --group `id -g $SLAPD_USER` --mode 0700 "$SLAPD_CONFIG_DIR" &>>$tmp_convert - run_as_ldap "/usr/sbin/slaptest -f \"$SLAPD_CONFIG_FILE\" -F \"$SLAPD_CONFIG_DIR\"" &>>$tmp_convert + if [ $SLAPD_CONFIG_FILE_FORMAT = ldif ]; then + run_as_ldap "/usr/sbin/slapadd -F \"$SLAPD_CONFIG_DIR\" -n 0 -l \"$SLAPD_CONFIG_FILE\"" &>>$tmp_convert + else + run_as_ldap "/usr/sbin/slaptest -f \"$SLAPD_CONFIG_FILE\" -F \"$SLAPD_CONFIG_DIR\"" &>>$tmp_convert + fi retcode=$? else error "You are not root! Permission will not be set." install -d --mode 0700 "$SLAPD_CONFIG_DIR" &>>$tmp_convert - /usr/sbin/slaptest -f "$SLAPD_CONFIG_FILE" -F "$SLAPD_CONFIG_DIR" &>>$tmp_convert + if [ $SLAPD_CONFIG_FILE_FORMAT = ldif ]; then + /usr/sbin/slapadd -F "$SLAPD_CONFIG_DIR" -n 0 -l "$SLAPD_CONFIG_FILE" &>>$tmp_convert + else + /usr/sbin/slaptest -f "$SLAPD_CONFIG_FILE" -F "$SLAPD_CONFIG_DIR" &>>$tmp_convert + fi retcode=$? fi diff --git a/slapd.conf b/slapd.conf deleted file mode 100644 index 6def6d2..0000000 --- a/slapd.conf +++ /dev/null @@ -1,141 +0,0 @@ -# -# See slapd.conf(5) for details on configuration options. -# This file should NOT be world readable. -# - -include /etc/openldap/schema/corba.schema -include /etc/openldap/schema/core.schema -include /etc/openldap/schema/cosine.schema -include /etc/openldap/schema/duaconf.schema -include /etc/openldap/schema/dyngroup.schema -include /etc/openldap/schema/inetorgperson.schema -include /etc/openldap/schema/java.schema -include /etc/openldap/schema/misc.schema -include /etc/openldap/schema/nis.schema -include /etc/openldap/schema/openldap.schema -include /etc/openldap/schema/ppolicy.schema -include /etc/openldap/schema/collective.schema - -# Allow LDAPv2 client connections. This is NOT the default. -allow bind_v2 - -# Do not enable referrals until AFTER you have a working directory -# service AND an understanding of referrals. -#referral ldap://root.openldap.org - -pidfile /var/run/openldap/slapd.pid -argsfile /var/run/openldap/slapd.args - -# Load dynamic backend modules -# - modulepath is architecture dependent value (32/64-bit system) -# - back_sql.la overlay requires openldap-server-sql package -# - dyngroup.la and dynlist.la cannot be used at the same time - -# modulepath /usr/lib/openldap -# modulepath /usr/lib64/openldap - -# moduleload accesslog.la -# moduleload auditlog.la -# moduleload back_sql.la -# moduleload chain.la -# moduleload collect.la -# moduleload constraint.la -# moduleload dds.la -# moduleload deref.la -# moduleload dyngroup.la -# moduleload dynlist.la -# moduleload memberof.la -# moduleload pbind.la -# moduleload pcache.la -# moduleload ppolicy.la -# moduleload refint.la -# moduleload retcode.la -# moduleload rwm.la -# moduleload seqmod.la -# moduleload smbk5pwd.la -# moduleload sssvlv.la -# moduleload syncprov.la -# moduleload translucent.la -# moduleload unique.la -# moduleload valsort.la - -# The next three lines allow use of TLS for encrypting connections using a -# dummy test certificate which you can generate by changing to -# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on -# slapd.pem so that the ldap user or group can read it. Your client software -# may balk at self-signed certificates, however. -# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt -# TLSCertificateFile /etc/pki/tls/certs/slapd.pem -# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem - -# Sample security restrictions -# Require integrity protection (prevent hijacking) -# Require 112-bit (3DES or better) encryption for updates -# Require 63-bit encryption for simple bind -# security ssf=1 update_ssf=112 simple_bind=64 - -# Sample access control policy: -# Root DSE: allow anyone to read it -# Subschema (sub)entry DSE: allow anyone to read it -# Other DSEs: -# Allow self write access -# Allow authenticated users read access -# Allow anonymous users to authenticate -# Directives needed to implement policy: -# access to dn.base="" by * read -# access to dn.base="cn=Subschema" by * read -# access to * -# by self write -# by users read -# by anonymous auth -# -# if no access controls are present, the default policy -# allows anyone and everyone to read anything but restricts -# updates to rootdn. (e.g., "access to * by * read") -# -# rootdn can always read and write EVERYTHING! - -# enable on-the-fly configuration (cn=config) -database config -access to * - by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage - by * none - -# enable server status monitoring (cn=monitor) -database monitor -access to * - by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read - by dn.exact="cn=Manager,dc=my-domain,dc=com" read - by * none - -####################################################################### -# database definitions -####################################################################### - -database hdb -suffix "dc=my-domain,dc=com" -checkpoint 1024 15 -rootdn "cn=Manager,dc=my-domain,dc=com" -# Cleartext passwords, especially for the rootdn, should -# be avoided. See slappasswd(8) and slapd.conf(5) for details. -# Use of strong authentication encouraged. -# rootpw secret -# rootpw {crypt}ijFYNcSNctBYg - -# The database directory MUST exist prior to running slapd AND -# should only be accessible by the slapd and slap tools. -# Mode 700 recommended. -directory /var/lib/ldap - -# Indices to maintain for this database -index objectClass eq,pres -index ou,cn,mail,surname,givenname eq,pres,sub -index uidNumber,gidNumber,loginShell eq,pres -index uid,memberUid eq,pres,sub -index nisMapName,nisMapEntry eq,pres,sub - -# Replicas of this database -#replogfile /var/lib/ldap/openldap-master-replog -#replica host=ldap-1.example.com:389 starttls=critical -# bindmethod=sasl saslmech=GSSAPI -# authcId=host/ldap-master.example.com@EXAMPLE.COM diff --git a/slapd.ldif b/slapd.ldif index 7f0fa1b..9904767 100644 --- a/slapd.ldif +++ b/slapd.ldif @@ -1,5 +1,5 @@ # -# See slapd.d(5) for details on configuration options. +# See slapd-config(5) for details on configuration options. # This file should NOT be world readable. # dn: cn=config