certificates management improvements

Resolves: #772890
This commit is contained in:
Jan Vcelak 2012-02-14 13:35:20 +01:00
parent 934ba146a8
commit a7572065e5
5 changed files with 236 additions and 30 deletions

15
ldap.conf Normal file
View File

@ -0,0 +1,15 @@
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERTDIR /etc/openldap/certs

70
libexec-create-certdb.sh Executable file
View File

@ -0,0 +1,70 @@
#!/bin/bash
# Author: Jan Vcelak <jvcelak@redhat.com>
set -e
# default options
CERTDB_DIR=/etc/openldap/certs
# internals
MODULE_CKBI="$(rpm --eval %{_libdir})/libnssckbi.so"
RANDOM_SOURCE=/dev/urandom
PASSWORD_BYTES=32
# parse arguments
usage() {
printf "usage: create-certdb.sh [-d certdb]\n" >&2
exit 1
}
while getopts "d:" opt; do
case "$opt" in
d)
CERTDB_DIR="$OPTARG"
;;
\?)
usage
;;
esac
done
[ "$OPTIND" -le "$#" ] && usage
# verify target location
if [ ! -d "$CERTDB_DIR" ]; then
printf "Directory '%s' does not exist.\n" "$CERTDB_DIR" >&2
exit 1
fi
if [ ! "$(find "$CERTDB_DIR" -maxdepth 0 -empty | wc -l)" -eq 1 ]; then
printf "Directory '%s' is not empty.\n" "$CERTDB_DIR" >&2
exit 1
fi
# create the database
printf "Creating certificate database in '%s'.\n" "$CERTDB_DIR" >&2
PASSWORD_FILE="$CERTDB_DIR/password"
OLD_UMASK="$(umask)"
umask 0377
dd if=$RANDOM_SOURCE bs=$PASSWORD_BYTES count=1 2>/dev/null | base64 > "$PASSWORD_FILE"
umask "$OLD_UMASK"
certutil -d "$CERTDB_DIR" -N -f "$PASSWORD_FILE" &>/dev/null
# load module with builtin CA certificates
echo | modutil -dbdir "$CERTDB_DIR" -add "Root Certs" -libfile "$MODULE_CKBI" &>/dev/null
# tune permissions
for dbfile in "$CERTDB_DIR"/*.db; do
chmod 0644 "$dbfile"
done
exit 0

118
libexec-generate-server-cert.sh Executable file
View File

@ -0,0 +1,118 @@
#!/bin/bash
# Author: Jan Vcelak <jvcelak@redhat.com>
set -e
# default options
CERTDB_DIR=/etc/openldap/certs
CERT_NAME="OpenLDAP Server"
PASSWORD_FILE=
HOSTNAME_FQDN="$(hostname --fqdn)"
ALT_NAMES=
ONCE=0
# internals
RANDOM_SOURCE=/dev/urandom
CERT_RANDOM_BYTES=256
CERT_KEY_TYPE=rsa
CERT_KEY_SIZE=1024
CERT_VALID_MONTHS=12
# parse arguments
usage() {
printf "usage: generate-server-cert.sh [-d certdb-dir] [-n cert-name]\n" >&2
printf " [-p password-file] [-h hostnames]\n" >&2
pritnf " [-a dns-alt-names] [-o]\n" >&2
exit 1
}
while getopts "d:n:p:h:a:o" opt; do
case "$opt" in
d)
CERTDB_DIR="$OPTARG"
;;
n)
CERT_NAME="$OPTARG"
;;
p)
PASSWORD_FILE="$OPTARG"
;;
h)
HOSTNAME_FQDN="$OPTARG"
;;
a)
ALT_NAMES="$OPTARG"
;;
o)
ONCE=1
;;
\?)
usage
;;
esac
done
[ "$OPTIND" -le "$#" ] && usage
# generated options
ONCE_FILE="$CERTDB_DIR/.slapd-leave"
PASSWORD_FILE="${PASSWORD_FILE:-${CERTDB_DIR}/password}"
ALT_NAMES="${ALT_NAMES:-${HOSTNAME_FQDN},localhost,localhost.localdomain}"
# verify target location
if [ "$ONCE" -eq 1 -a -f "$ONCE_FILE" ]; then
printf "Skipping certificate generating, '%s' exists.\n" "$ONCE_FILE" >&2
exit 0
fi
if ! certutil -d "$CERTDB_DIR" -U &>/dev/null; then
printf "Directory '%s' is not a valid certificate database.\n" "$CERTDB_DIR" >&2
exit 1
fi
printf "Creating new server certificate in '%s'.\n" "$CERTDB_DIR" >&2
if [ ! -r "$PASSWORD_FILE" ]; then
printf "Password file '%s' is not readable.\n" "$PASSWORD_FILE" >&2
exit 1
fi
if certutil -d "$CERTDB_DIR" -L -a -n "$CERT_NAME" &>/dev/null; then
printf "Certificate '%s' already exists in the certificate database.\n" "$CERT_NAME" >&2
exit 1
fi
# generate server certificate (self signed)
CERT_RANDOM=$(mktemp)
dd if=$RANDOM_SOURCE bs=$CERT_RANDOM_BYTES count=1 of=$CERT_RANDOM &>/dev/null
certutil -d "$CERTDB_DIR" -f "$PASSWORD_FILE" -z "$CERT_RANDOM" \
-S -x -n "$CERT_NAME" \
-s "CN=$HOSTNAME_FQDN" \
-t TC,, \
-k $CERT_KEY_TYPE -g $CERT_KEY_SIZE \
-v $CERT_VALID_MONTHS \
-8 "$ALT_NAMES" \
&>/dev/null
rm -f $RANDOM_DATA
# tune permissions
if [ "$(id -u)" -eq 0 ]; then
chgrp ldap "$PASSWORD_FILE"
chmod g+r "$PASSWORD_FILE"
else
printf "WARNING: The server requires read permissions on the password file in order to\n" >&2
printf " load it's private key from the certificate database.\n" >&2
fi
touch "$ONCE_FILE"
exit 0

View File

@ -17,10 +17,13 @@ Source2: slapd.sysconfig
Source3: slapd.tmpfiles Source3: slapd.tmpfiles
Source4: slapd.conf.obsolete Source4: slapd.conf.obsolete
Source5: slapd.ldif Source5: slapd.ldif
Source50: slapd-libexec-functions Source6: ldap.conf
Source51: slapd-libexec-convert-config.sh Source50: libexec-functions
Source52: slapd-libexec-check-config.sh Source51: libexec-convert-config.sh
Source53: slapd-libexec-upgrade-db.sh Source52: libexec-check-config.sh
Source53: libexec-upgrade-db.sh
Source54: libexec-create-certdb.sh
Source55: libexec-generate-server-cert.sh
Source100: README.evolution Source100: README.evolution
# patches for 2.4 # patches for 2.4
@ -73,7 +76,7 @@ customized LDAP clients.
%package servers %package servers
Summary: LDAP server Summary: LDAP server
License: OpenLDAP License: OpenLDAP
Requires: openldap%{?_isa} = %{version}-%{release}, libdb-utils, nss-utils Requires: openldap%{?_isa} = %{version}-%{release}, libdb-utils, nss-tools
Requires(pre): shadow-utils Requires(pre): shadow-utils
Requires(post): systemd-units, systemd-sysv, chkconfig Requires(post): systemd-units, systemd-sysv, chkconfig
Requires(preun): systemd-units Requires(preun): systemd-units
@ -308,8 +311,7 @@ make install DESTDIR=%{buildroot} \
popd popd
# setup directories for TLS certificates # setup directories for TLS certificates
mkdir -p %{buildroot}%{_sysconfdir}/openldap/cacerts mkdir -p %{buildroot}%{_sysconfdir}/openldap/certs
mkdir -p %{buildroot}%{_sysconfdir}/pki/tls/certs
# setup data and runtime directories # setup data and runtime directories
mkdir -p %{buildroot}%{_sharedstatedir} mkdir -p %{buildroot}%{_sharedstatedir}
@ -321,6 +323,10 @@ install -m 0755 -d %{buildroot}%{_localstatedir}/run/openldap
mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d
install -m 0644 %SOURCE3 %{buildroot}%{_sysconfdir}/tmpfiles.d/slapd.conf install -m 0644 %SOURCE3 %{buildroot}%{_sysconfdir}/tmpfiles.d/slapd.conf
# install default ldap.conf (customized)
rm -f %{buildroot}%{_sysconfdir}/openldap/ldap.conf
install -m 0644 %SOURCE5 %{buildroot}%{_sysconfdir}/openldap/ldap.conf
# setup maintainance scripts # setup maintainance scripts
mkdir -p %{buildroot}%{_libexecdir} mkdir -p %{buildroot}%{_libexecdir}
install -m 0755 -d %{buildroot}%{_libexecdir}/openldap install -m 0755 -d %{buildroot}%{_libexecdir}/openldap
@ -328,6 +334,8 @@ install -m 0644 %SOURCE50 %{buildroot}%{_libexecdir}/openldap/functions
install -m 0755 %SOURCE51 %{buildroot}%{_libexecdir}/openldap/convert-config.sh install -m 0755 %SOURCE51 %{buildroot}%{_libexecdir}/openldap/convert-config.sh
install -m 0755 %SOURCE52 %{buildroot}%{_libexecdir}/openldap/check-config.sh install -m 0755 %SOURCE52 %{buildroot}%{_libexecdir}/openldap/check-config.sh
install -m 0755 %SOURCE53 %{buildroot}%{_libexecdir}/openldap/upgrade-db.sh install -m 0755 %SOURCE53 %{buildroot}%{_libexecdir}/openldap/upgrade-db.sh
install -m 0755 %SOURCE54 %{buildroot}%{_libexecdir}/openldap/create-certdb.sh
install -m 0755 %SOURCE55 %{buildroot}%{_libexecdir}/openldap/generate-server-cert.sh
# remove build root from config files and manual pages # remove build root from config files and manual pages
perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_sysconfdir}/openldap/*.conf perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_sysconfdir}/openldap/*.conf
@ -383,7 +391,12 @@ rm -f %{buildroot}%{_libdir}/openldap/*.so
rm -f %{buildroot}%{_localstatedir}/openldap-data/DB_CONFIG.example rm -f %{buildroot}%{_localstatedir}/openldap-data/DB_CONFIG.example
rmdir %{buildroot}%{_localstatedir}/openldap-data rmdir %{buildroot}%{_localstatedir}/openldap-data
%post -p /sbin/ldconfig %post
/sbin/ldconfig
# create certificate database
%{_libexecdir}/openldap/create-certdb.sh >&/dev/null || :
%postun -p /sbin/ldconfig %postun -p /sbin/ldconfig
@ -417,23 +430,8 @@ if [ $1 -eq 1 ]; then
/bin/systemctl daemon-reload &>/dev/null || : /bin/systemctl daemon-reload &>/dev/null || :
fi fi
# generate sample TLS certificates # generate sample TLS certificate for server (will not replace)
if [ ! -f %{_sysconfdir}/pki/tls/certs/slapd.pem ] ; then %{_libexecdir}/openldap/generate-server-cert.sh -o &>/dev/null || :
pushd %{_sysconfdir}/pki/tls/certs > /dev/null 2>&1
umask 077
cat << EOF | make slapd.pem > /dev/null 2>&1
--
SomeState
SomeCity
SomeOrganization
SomeOrganizationalUnit
localhost.localdomain
root@localhost.localdomain
EOF
chown root:ldap slapd.pem
chmod 640 slapd.pem
popd
fi
# generate/upgrade configuration # generate/upgrade configuration
if [ ! -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif ]; then if [ ! -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif ]; then
@ -569,9 +567,10 @@ exit 0
%doc openldap-%{version}/LICENSE %doc openldap-%{version}/LICENSE
%doc openldap-%{version}/README %doc openldap-%{version}/README
%dir %{_sysconfdir}/openldap %dir %{_sysconfdir}/openldap
%dir %{_sysconfdir}/openldap/cacerts %dir %{_sysconfdir}/openldap/certs
%config(noreplace) %{_sysconfdir}/openldap/ldap.conf %config(noreplace) %{_sysconfdir}/openldap/ldap.conf
%dir %{_libexecdir}/openldap/ %dir %{_libexecdir}/openldap/
%{_libexecdir}/openldap/create-certdb.sh
%{_libdir}/liblber-2.4*.so.* %{_libdir}/liblber-2.4*.so.*
%{_libdir}/libldap-2.4*.so.* %{_libdir}/libldap-2.4*.so.*
%{_libdir}/libldap_r-2.4*.so.* %{_libdir}/libldap_r-2.4*.so.*
@ -587,7 +586,6 @@ exit 0
%config(noreplace) %{_sysconfdir}/openldap/schema %config(noreplace) %{_sysconfdir}/openldap/schema
%config(noreplace) %{_sysconfdir}/sysconfig/slapd %config(noreplace) %{_sysconfdir}/sysconfig/slapd
%config(noreplace) %{_sysconfdir}/tmpfiles.d/slapd.conf %config(noreplace) %{_sysconfdir}/tmpfiles.d/slapd.conf
%config(noreplace) %ghost %attr(0640,root,ldap) %{_sysconfdir}/pki/tls/certs/slapd.pem
%dir %attr(0700,ldap,ldap) %{_sharedstatedir}/ldap %dir %attr(0700,ldap,ldap) %{_sharedstatedir}/ldap
%dir %attr(-,ldap,ldap) %{_localstatedir}/run/openldap %dir %attr(-,ldap,ldap) %{_localstatedir}/run/openldap
%{_unitdir}/slapd.service %{_unitdir}/slapd.service
@ -626,6 +624,7 @@ exit 0
%{_libexecdir}/openldap/convert-config.sh %{_libexecdir}/openldap/convert-config.sh
%{_libexecdir}/openldap/check-config.sh %{_libexecdir}/openldap/check-config.sh
%{_libexecdir}/openldap/upgrade-db.sh %{_libexecdir}/openldap/upgrade-db.sh
%{_libexecdir}/openldap/generate-server-cert.sh
%{_sbindir}/sl* %{_sbindir}/sl*
%{_mandir}/man8/* %{_mandir}/man8/*
%{_mandir}/man5/slapd*.5* %{_mandir}/man5/slapd*.5*
@ -658,6 +657,10 @@ exit 0
+ server: buxfixes in mdb backend + server: buxfixes in mdb backend
+ server: buxfixes in overlays (syncrepl, meta, monitor, perl, sql, dds, rwm) + server: buxfixes in overlays (syncrepl, meta, monitor, perl, sql, dds, rwm)
- openldap-servers now provide ldib2ldbm (#437104) - openldap-servers now provide ldib2ldbm (#437104)
- certificates management improvements
+ create empty Mozilla NSS certificate database during installation
+ enable builtin Root CA in generated database (#789088)
+ generate server certificate using Mozilla NSS tools instead of OpenSSL tools
* Tue Jan 31 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.28-3 * Tue Jan 31 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.28-3
- fix: replication (syncrepl) with TLS causes segfault (#783431) - fix: replication (syncrepl) with TLS causes segfault (#783431)

View File

@ -11,9 +11,9 @@ olcPidFile: /var/run/openldap/slapd.pid
# #
# TLS settings # TLS settings
# #
#olcTLSCACertificateFile: /etc/pki/tls/certs/ca-bundle.crt olcTLSCACertificatePath: /etc/openldap/certs
#olcTLSCertificateFile: /etc/pki/tls/certs/slapd.pem olcTLSCertificateFile: "OpenLDAP Server"
#olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapd.pem olcTLSCertificateKeyFile: /etc/openldap/certs/password
# #
# Do not enable referrals until AFTER you have a working directory # Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals. # service AND an understanding of referrals.