diff --git a/series b/series deleted file mode 100644 index 1ddf570..0000000 --- a/series +++ /dev/null @@ -1,13 +0,0 @@ -openldap-slapd-conf.patch -openldap-manpages.patch -openldap-security-pie.patch -openldap-sql-linking.patch -openldap-reentrant-gethostby.patch -openldap-export-ldif.patch -openldap-smbk5pwd-overlay.patch -openldap-ldaprc-currentdir.patch -openldap-userconfig-setgid.patch -openldap-nss-nofork.patch -openldap-nss-null-pointer.patch -openldap-slapadd-hang.patch -openldap-evolution-ntlm.patch diff --git a/slapd-libexec-check-config.sh b/slapd-libexec-check-config.sh new file mode 100755 index 0000000..1f9189f --- /dev/null +++ b/slapd-libexec-check-config.sh @@ -0,0 +1,90 @@ +#!/bin/sh +# Author: Jan Vcelak + +. /usr/libexec/slapd/functions + +function check_config_syntax() +{ + retcode=0 + tmp_slaptest=`mktemp` + run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &>$tmp_slaptest + if [ $? -ne 0 ]; then + error "Checking configuration file failed:" + cat $tmp_slaptest >&2 + retcode=1 + fi + rm $tmp_slaptest + return $retcode +} + +function check_certs_perms() +{ + retcode=0 + for cert in `certificates`; do + run_as_ldap "/usr/bin/test -e \"$cert\"" + if [ $? -ne 0 ]; then + error "TLS certificate/key/DB '%s' was not found." "$cert" + retcoder=1 + continue + fi + run_as_ldap "/usr/bin/test -r \"$cert\"" + if [ $? -ne 0 ]; then + error "TLS certificate/key/DB '%s' is not readable." "$cert" + retcode=1 + fi + done + return $retcode +} + +function check_db_perms() +{ + retcode=0 + for dbdir in `databases`; do + [ -d "$dbdir" ] || continue + for dbfile in `find ${dbdir} -maxdepth 1 -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name "alock"`; do + run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\"" + if [ $? -ne 0 ]; then + error "Read/write permissions for DB file '%s' are required." "$dbfile" + retcode=1 + fi + done + done + return $retcode +} + +function check_everything() +{ + retcode=0 + check_config_syntax || retcode=1 + check_certs_perms || retcode=1 + check_db_perms || retcode=1 + return $retcode +} + +if [ `id -u` -ne 0 ]; then + error "You have to be root to run this script." + exit 4 +fi + +load_sysconfig + +if [ -n "$SLAPD_CONFIG_DIR" ]; then + if [ ! -d "$SLAPD_CONFIG_DIR" ]; then + error "Configuration directory '%s' does not exist." "$SLAPD_CONFIG_DIR" + else + check_everything + exit $? + fi +fi + +if [ -n "$SLAPD_CONFIG_FILE" ]; then + if [ ! -f "$SLAPD_CONFIG_FILE" ]; then + error "Configuration file '%s' does not exist." "$SLAPD_CONFIG_FILE" + else + error "Warning: Usage of a configuration file is obsolete!" + check_everything + exit $? + fi +fi + +exit 1 diff --git a/slapd-libexec-convert-config.sh b/slapd-libexec-convert-config.sh new file mode 100755 index 0000000..b3f0656 --- /dev/null +++ b/slapd-libexec-convert-config.sh @@ -0,0 +1,65 @@ +#!/bin/sh +# Author: Jan Vcelak + +. /usr/libexec/slapd/functions + +function help() +{ + error "usage: %s [-f config-file] [-F config-dir]\n" "`basename $0`" + exit 2 +} + +load_sysconfig + +while getopts :f:F: opt; do + case "$opt" in + f) + SLAPD_CONFIG_FILE="$OPTARG" + ;; + F) + SLAPD_CONFIG_DIR="$OPTARG" + ;; + *) + help + ;; + esac +done +shift $((OPTIND-1)) +[ -n "$1" ] && help + +# check source, target + +if [ ! -f "$SLAPD_CONFIG_FILE" ]; then + error "Source configuration file '%s' not found." "$SLAPD_CONFIG_FILE" + exit 1 +fi + +if [ -d "$SLAPD_CONFIG_DIR" ]; then + if [ `find "$SLAPD_CONFIG_DIR" -maxdepth 0 -empty | wc -l` -eq 0 ]; then + error "Target configuration directory '%s' is not empty." "$SLAPD_CONFIG_DIR" + exit 1 + fi +fi + +# perform the conversion + +tmp_convert=`mktemp` + +if [ `id -u` -eq 0 ]; then + install -d --owner $SLAPD_USER --group `id -g $SLAPD_USER` --mode 0700 "$SLAPD_CONFIG_DIR" &>>$tmp_convert + run_as_ldap "/usr/sbin/slaptest -f \"$SLAPD_CONFIG_FILE\" -F \"$SLAPD_CONFIG_DIR\"" &>>$tmp_convert + retcode=$? +else + error "You are not root! Permission will not be set." + install -d --mode 0700 "$SLAPD_CONFIG_DIR" &>>$tmp_convert + /usr/sbin/slaptest -f "$SLAPD_CONFIG_FILE" -F "$SLAPD_CONFIG_DIR" &>>$tmp_convert + retcode=$? +fi + +if [ $retcode -ne 0 ]; then + error "Configuration conversion failed:" + cat $tmp_convert >&2 +fi + +rm $tmp_convert +exit $retcode diff --git a/slapd-libexec-functions b/slapd-libexec-functions new file mode 100644 index 0000000..958c772 --- /dev/null +++ b/slapd-libexec-functions @@ -0,0 +1,134 @@ +# Author: Jan Vcelak + +SLAPD_USER= +SLAPD_CONFIG_FILE= +SLAPD_CONFIG_DIR= +SLAPD_CONFIG_CUSTOM= +SLAPD_GLOBAL_OPTIONS= +SLAPD_SYSCONFIG_FILE= + +function default_config() +{ + SLAPD_USER=ldap + SLAPD_CONFIG_FILE=/etc/openldap/slapd.conf + SLAPD_CONFIG_DIR=/etc/openldap/slapd.d + SLAPD_CONFIG_CUSTOM= + SLAPD_GLOBAL_OPTIONS= + SLAPD_SYSCONFIG_FILE=/etc/sysconfig/slapd +} + +function parse_config_options() +{ + user= + config_file= + config_dir= + while getopts :u:f:F: opt; do + case "$opt" in + u) + user="$OPTARG" + ;; + f) + config_file="$OPTARG" + ;; + F) + config_dir="$OPTARG" + ;; + esac + done + + if [ -n "$user" ]; then + SLAPD_USER="$user" + fi + + if [ -n "$config_dir" ]; then + SLAPD_CONFIG_DIR="$config_dir" + SLAPD_CONFIG_FILE= + SLAPD_CONFIG_CUSTOM=1 + SLAPD_GLOBAL_OPTIONS="-F '$config_dir'" + elif [ -n "$config_file" ]; then + SLAPD_CONFIG_DIR= + SLAPD_CONFIG_FILE="$config_file" + SLAPD_CONFIG_CUSTOM=1 + SLAPD_GLOBAL_OPTIONS="-f '$config_file'" + fi +} + +function uses_new_config() +{ + [ -n "$SLAPD_CONFIG_DIR" ] + return $? +} + +function run_as_ldap() +{ + /bin/su --shell /bin/sh --session-command "$1" "$SLAPD_USER" + return $? +} + +function ldif_unbreak() +{ + sed ':a;N;s/\n //;ta;P;D' +} + +function ldif_value() +{ + sed 's/^[^:]*: //' +} + +function databases_new() +{ + slapcat $SLAPD_GLOBAL_OPTIONS -c \ + -H 'ldap:///cn=config???(|(objectClass=olcBdbConfig)(objectClass=olcHdbConfig))' 2>/dev/null | \ + ldif_unbreak | \ + grep '^olcDbDirectory: ' | \ + ldif_value +} + +function databases_old() +{ + awk 'begin { database="" } + $1 == "database" { database=$2 } + $1 == "directory" { if (database == "bdb" || database == "hdb") print $2}' \ + "$SLAPD_CONFIG_FILE" +} + +function certificates_new() +{ + slapcat $SLAPD_GLOBAL_OPTIONS -c -H 'ldap:///cn=config???(cn=config)' 2>/dev/null | \ + ldif_unbreak | \ + grep '^olcTLS\(CACertificateFile\|CACertificatePath\|CertificateFile\|CertificateKeyFile\): ' | \ + ldif_value +} + +function certificates_old() +{ + awk '$1 ~ "^TLS(CACertificate(File|Path)|CertificateFile|CertificateKeyFile)$" { print $2 } ' \ + "$SLAPD_CONFIG_FILE" +} + +function certificates() +{ + uses_new_config && certificates_new || certificates_old +} + +function databases() +{ + uses_new_config && databases_new || databases_old +} + + +function error() +{ + format="$1\n"; shift + printf "$format" $@ >&2 +} + +function load_sysconfig() +{ + [ -r "$SLAPD_SYSCONFIG_FILE" ] || return + + . "$SLAPD_SYSCONFIG_FILE" + [ -n "$SLAPD_OPTIONS" ] && parse_config_options $SLAPD_OPTIONS +} + +default_config diff --git a/slapd-libexec-upgrade-db.sh b/slapd-libexec-upgrade-db.sh new file mode 100755 index 0000000..589cdd1 --- /dev/null +++ b/slapd-libexec-upgrade-db.sh @@ -0,0 +1,40 @@ +#!/bin/sh +# Author: Jan Vcelak + +. /usr/libexec/slapd/functions + +if [ `id -u` -ne 0 ]; then + error "You have to be root to run this command." + exit 4 +fi + +load_sysconfig +retcode=0 + +for dbdir in `databases`; do + upgrade_log="$dbdir/db_upgrade.`date +%Y%m%d%H%M%S`.log" + bdb_files=`find "$dbdir" -maxdepth 1 -name "*.bdb" -printf '"%f" '` + + # skip uninitialized database + [ -z "$bdb_files"] || continue + + printf "Updating '%s', logging into '%s'\n" "$dbdir" "$upgrade_log" + + # perform the update + for command in \ + "/usr/bin/db_recover -v -h \"$dbdir\"" \ + "/usr/bin/db_upgrade -v -h \"$dbdir\" $bdb_files" \ + "/usr/bin/db_checkpoint -v -h \"$dbdir\" -1" \ + ; do + printf "Executing: %s\n" "$command" &>>$upgrade_log + run_as_ldap "$command" &>>$upgrade_log + result=$? + printf "Exit code: %d\n" $result >>"$upgrade_log" + if [ $result -ne 0 ]; then + printf "Upgrade failed: %d\n" $result + retcode=1 + fi + done +done + +exit $retcode