parent
934ba146a8
commit
a7572065e5
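--- a/ldap.conf
+++ b/ldap.conf
@@ -0,0 +1,15 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+#BASE dc=example,dc=com
+#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
+
+#SIZELIMIT 12
+#TIMELIMIT 15
+#DEREF never
+
+TLS_CACERTDIR /etc/openldap/certs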
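--- a/libexec-create-certdb.sh
+++ b/libexec-create-certdb.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+set -e
+
+# default options
+
+CERTDB_DIR=/etc/openldap/certs
+
+# internals
+
+MODULE_CKBI="$(rpm --eval %{_libdir})/libnssckbi.so"
+RANDOM_SOURCE=/dev/urandom
+PASSWORD_BYTES=32
+
+# parse arguments
+
+usage() {
+printf "usage: create-certdb.sh [-d certdb]\n" >&2
+exit 1
+}
+
+while getopts "d:" opt; do
+case "$opt" in
+d)
+CERTDB_DIR="$OPTARG"
+;;
+\?)
+usage
+;;
+esac
+done
+
+[ "$OPTIND" -le "$#" ] && usage
+
+# verify target location
+
+if [ ! -d "$CERTDB_DIR" ]; then
+printf "Directory '%s' does not exist.\n" "$CERTDB_DIR" >&2
+exit 1
+fi
+
+if [ ! "$(find "$CERTDB_DIR" -maxdepth 0 -empty | wc -l)" -eq 1 ]; then
+printf "Directory '%s' is not empty.\n" "$CERTDB_DIR" >&2
+exit 1
+fi
+
+# create the database
+
+printf "Creating certificate database in '%s'.\n" "$CERTDB_DIR" >&2
+
+PASSWORD_FILE="$CERTDB_DIR/password"
+OLD_UMASK="$(umask)"
+umask 0377
+dd if=$RANDOM_SOURCE bs=$PASSWORD_BYTES count=1 2>/dev/null | base64 > "$PASSWORD_FILE"
+umask "$OLD_UMASK"
+
+certutil -d "$CERTDB_DIR" -N -f "$PASSWORD_FILE" &>/dev/null
+
+# load module with builtin CA certificates
+
+echo | modutil -dbdir "$CERTDB_DIR" -add "Root Certs" -libfile "$MODULE_CKBI" &>/dev/null
+
+# tune permissions
+
+for dbfile in "$CERTDB_DIR"/*.db; do
+chmod 0644 "$dbfile"
+done
+
+exit 0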
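Review bot: The database password is produced by the pipeline `dd if=$RANDOM_SOURCE bs=$PASSWORD_BYTES count=1 2>/dev/null | base64 > "$PASSWORD_FILE"`, and with only `set -e` in effect a failing `dd` goes unnoticed: `base64` then writes an empty file and the following `certutil -d "$CERTDB_DIR" -N -f "$PASSWORD_FILE"` initialises the key database with an empty password, with its diagnostics already discarded by `&>/dev/null`. Add `set -o pipefail` next to `set -e`, or verify the result before it is used: `[ -s "$PASSWORD_FILE" ] || exit 1`. Quoting the two expansions (`if="$RANDOM_SOURCE" bs="$PASSWORD_BYTES"`) matches the rest of the script and keeps ShellCheck clean.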
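--- a/libexec-generate-server-cert.sh
+++ b/libexec-generate-server-cert.sh
@@ -0,0 +1,118 @@
+#!/bin/bash
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+set -e
+
+# default options
+
+CERTDB_DIR=/etc/openldap/certs
+CERT_NAME="OpenLDAP Server"
+PASSWORD_FILE=
+HOSTNAME_FQDN="$(hostname --fqdn)"
+ALT_NAMES=
+ONCE=0
+
+# internals
+
+RANDOM_SOURCE=/dev/urandom
+CERT_RANDOM_BYTES=256
+CERT_KEY_TYPE=rsa
+CERT_KEY_SIZE=1024
+CERT_VALID_MONTHS=12
+
+# parse arguments
+
+usage() {
+printf "usage: generate-server-cert.sh [-d certdb-dir] [-n cert-name]\n" >&2
+printf " [-p password-file] [-h hostnames]\n" >&2
+pritnf " [-a dns-alt-names] [-o]\n" >&2
+exit 1
+}
+
+while getopts "d:n:p:h:a:o" opt; do
+case "$opt" in
+d)
+CERTDB_DIR="$OPTARG"
+;;
+n)
+CERT_NAME="$OPTARG"
+;;
+p)
+PASSWORD_FILE="$OPTARG"
+;;
+h)
+HOSTNAME_FQDN="$OPTARG"
+;;
+a)
+ALT_NAMES="$OPTARG"
+;;
+o)
+ONCE=1
+;;
+\?)
+usage
+;;
+esac
+done
+
+[ "$OPTIND" -le "$#" ] && usage
+
+# generated options
+
+ONCE_FILE="$CERTDB_DIR/.slapd-leave"
+PASSWORD_FILE="${PASSWORD_FILE:-${CERTDB_DIR}/password}"
+ALT_NAMES="${ALT_NAMES:-${HOSTNAME_FQDN},localhost,localhost.localdomain}"
+
+# verify target location
+
+if [ "$ONCE" -eq 1 -a -f "$ONCE_FILE" ]; then
+printf "Skipping certificate generating, '%s' exists.\n" "$ONCE_FILE" >&2
+exit 0
+fi
+
+if ! certutil -d "$CERTDB_DIR" -U &>/dev/null; then
+printf "Directory '%s' is not a valid certificate database.\n" "$CERTDB_DIR" >&2
+exit 1
+fi
+
+printf "Creating new server certificate in '%s'.\n" "$CERTDB_DIR" >&2
+
+if [ ! -r "$PASSWORD_FILE" ]; then
+printf "Password file '%s' is not readable.\n" "$PASSWORD_FILE" >&2
+exit 1
+fi
+
+if certutil -d "$CERTDB_DIR" -L -a -n "$CERT_NAME" &>/dev/null; then
+printf "Certificate '%s' already exists in the certificate database.\n" "$CERT_NAME" >&2
+exit 1
+fi
+
+# generate server certificate (self signed)
+
+
+CERT_RANDOM=$(mktemp)
+dd if=$RANDOM_SOURCE bs=$CERT_RANDOM_BYTES count=1 of=$CERT_RANDOM &>/dev/null
+
+certutil -d "$CERTDB_DIR" -f "$PASSWORD_FILE" -z "$CERT_RANDOM" \
+-S -x -n "$CERT_NAME" \
+-s "CN=$HOSTNAME_FQDN" \
+-t TC,, \
+-k $CERT_KEY_TYPE -g $CERT_KEY_SIZE \
+-v $CERT_VALID_MONTHS \
+-8 "$ALT_NAMES" \
+&>/dev/null
+
+rm -f $RANDOM_DATA
+
+# tune permissions
+
+if [ "$(id -u)" -eq 0 ]; then
+chgrp ldap "$PASSWORD_FILE"
+chmod g+r "$PASSWORD_FILE"
+else
+printf "WARNING: The server requires read permissions on the password file in order to\n" >&2
+printf " load it's private key from the certificate database.\n" >&2
+fi
+
+touch "$ONCE_FILE"
+exit 0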
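Review bot: `rm -f $RANDOM_DATA` near the end of the file names a variable that is never assigned, so the `mktemp` file passed to `certutil -z` (256 bytes of seed material) is never deleted; it should be `rm -f -- "$CERT_RANDOM"`, and placing `trap 'rm -f -- "$CERT_RANDOM"' EXIT` right after `CERT_RANDOM=$(mktemp)` also covers the path where `certutil` fails and `set -e` aborts the script. The third line of `usage()` reads `pritnf` instead of `printf`, which under `set -e` ends the script with "command not found" before the `[-a dns-alt-names] [-o]` options are printed. `CERT_KEY_SIZE=1024` is below the 2048-bit minimum generally recommended for RSA; since the size is already a variable, raising the default is a one-line change. `[ "$ONCE" -eq 1 -a -f "$ONCE_FILE" ]` uses the deprecated `-a`; `[ "$ONCE" -eq 1 ] && [ -f "$ONCE_FILE" ]` is the portable form.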
@ -17,10 +17,13 @@ Source2: slapd.sysconfig
|
|||||||
Source3: slapd.tmpfiles
|
Source3: slapd.tmpfiles
|
||||||
Source4: slapd.conf.obsolete
|
Source4: slapd.conf.obsolete
|
||||||
Source5: slapd.ldif
|
Source5: slapd.ldif
|
||||||
Source50: slapd-libexec-functions
|
Source6: ldap.conf
|
||||||
Source51: slapd-libexec-convert-config.sh
|
Source50: libexec-functions
|
||||||
Source52: slapd-libexec-check-config.sh
|
Source51: libexec-convert-config.sh
|
||||||
Source53: slapd-libexec-upgrade-db.sh
|
Source52: libexec-check-config.sh
|
||||||
|
Source53: libexec-upgrade-db.sh
|
||||||
|
Source54: libexec-create-certdb.sh
|
||||||
|
Source55: libexec-generate-server-cert.sh
|
||||||
Source100: README.evolution
|
Source100: README.evolution
|
||||||
|
|
||||||
# patches for 2.4
|
# patches for 2.4
|
||||||
@ -73,7 +76,7 @@ customized LDAP clients.
|
|||||||
%package servers
|
%package servers
|
||||||
Summary: LDAP server
|
Summary: LDAP server
|
||||||
License: OpenLDAP
|
License: OpenLDAP
|
||||||
Requires: openldap%{?_isa} = %{version}-%{release}, libdb-utils, nss-utils
|
Requires: openldap%{?_isa} = %{version}-%{release}, libdb-utils, nss-tools
|
||||||
Requires(pre): shadow-utils
|
Requires(pre): shadow-utils
|
||||||
Requires(post): systemd-units, systemd-sysv, chkconfig
|
Requires(post): systemd-units, systemd-sysv, chkconfig
|
||||||
Requires(preun): systemd-units
|
Requires(preun): systemd-units
|
||||||
@ -308,8 +311,7 @@ make install DESTDIR=%{buildroot} \
|
|||||||
popd
|
popd
|
||||||
|
|
||||||
# setup directories for TLS certificates
|
# setup directories for TLS certificates
|
||||||
mkdir -p %{buildroot}%{_sysconfdir}/openldap/cacerts
|
mkdir -p %{buildroot}%{_sysconfdir}/openldap/certs
|
||||||
mkdir -p %{buildroot}%{_sysconfdir}/pki/tls/certs
|
|
||||||
|
|
||||||
# setup data and runtime directories
|
# setup data and runtime directories
|
||||||
mkdir -p %{buildroot}%{_sharedstatedir}
|
mkdir -p %{buildroot}%{_sharedstatedir}
|
||||||
@ -321,6 +323,10 @@ install -m 0755 -d %{buildroot}%{_localstatedir}/run/openldap
|
|||||||
mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d
|
mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d
|
||||||
install -m 0644 %SOURCE3 %{buildroot}%{_sysconfdir}/tmpfiles.d/slapd.conf
|
install -m 0644 %SOURCE3 %{buildroot}%{_sysconfdir}/tmpfiles.d/slapd.conf
|
||||||
|
|
||||||
|
# install default ldap.conf (customized)
|
||||||
|
rm -f %{buildroot}%{_sysconfdir}/openldap/ldap.conf
|
||||||
|
install -m 0644 %SOURCE5 %{buildroot}%{_sysconfdir}/openldap/ldap.conf
|
||||||
|
|
||||||
# setup maintainance scripts
|
# setup maintainance scripts
|
||||||
mkdir -p %{buildroot}%{_libexecdir}
|
mkdir -p %{buildroot}%{_libexecdir}
|
||||||
install -m 0755 -d %{buildroot}%{_libexecdir}/openldap
|
install -m 0755 -d %{buildroot}%{_libexecdir}/openldap
|
||||||
@ -328,6 +334,8 @@ install -m 0644 %SOURCE50 %{buildroot}%{_libexecdir}/openldap/functions
|
|||||||
install -m 0755 %SOURCE51 %{buildroot}%{_libexecdir}/openldap/convert-config.sh
|
install -m 0755 %SOURCE51 %{buildroot}%{_libexecdir}/openldap/convert-config.sh
|
||||||
install -m 0755 %SOURCE52 %{buildroot}%{_libexecdir}/openldap/check-config.sh
|
install -m 0755 %SOURCE52 %{buildroot}%{_libexecdir}/openldap/check-config.sh
|
||||||
install -m 0755 %SOURCE53 %{buildroot}%{_libexecdir}/openldap/upgrade-db.sh
|
install -m 0755 %SOURCE53 %{buildroot}%{_libexecdir}/openldap/upgrade-db.sh
|
||||||
|
install -m 0755 %SOURCE54 %{buildroot}%{_libexecdir}/openldap/create-certdb.sh
|
||||||
|
install -m 0755 %SOURCE55 %{buildroot}%{_libexecdir}/openldap/generate-server-cert.sh
|
||||||
|
|
||||||
# remove build root from config files and manual pages
|
# remove build root from config files and manual pages
|
||||||
perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_sysconfdir}/openldap/*.conf
|
perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_sysconfdir}/openldap/*.conf
|
||||||
@ -383,7 +391,12 @@ rm -f %{buildroot}%{_libdir}/openldap/*.so
|
|||||||
rm -f %{buildroot}%{_localstatedir}/openldap-data/DB_CONFIG.example
|
rm -f %{buildroot}%{_localstatedir}/openldap-data/DB_CONFIG.example
|
||||||
rmdir %{buildroot}%{_localstatedir}/openldap-data
|
rmdir %{buildroot}%{_localstatedir}/openldap-data
|
||||||
|
|
||||||
%post -p /sbin/ldconfig
|
%post
|
||||||
|
|
||||||
|
/sbin/ldconfig
|
||||||
|
|
||||||
|
# create certificate database
|
||||||
|
%{_libexecdir}/openldap/create-certdb.sh >&/dev/null || :
|
||||||
|
|
||||||
%postun -p /sbin/ldconfig
|
%postun -p /sbin/ldconfig
|
||||||
|
|
||||||
@ -417,23 +430,8 @@ if [ $1 -eq 1 ]; then
|
|||||||
/bin/systemctl daemon-reload &>/dev/null || :
|
/bin/systemctl daemon-reload &>/dev/null || :
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# generate sample TLS certificates
|
# generate sample TLS certificate for server (will not replace)
|
||||||
if [ ! -f %{_sysconfdir}/pki/tls/certs/slapd.pem ] ; then
|
%{_libexecdir}/openldap/generate-server-cert.sh -o &>/dev/null || :
|
||||||
pushd %{_sysconfdir}/pki/tls/certs > /dev/null 2>&1
|
|
||||||
umask 077
|
|
||||||
cat << EOF | make slapd.pem > /dev/null 2>&1
|
|
||||||
--
|
|
||||||
SomeState
|
|
||||||
SomeCity
|
|
||||||
SomeOrganization
|
|
||||||
SomeOrganizationalUnit
|
|
||||||
localhost.localdomain
|
|
||||||
root@localhost.localdomain
|
|
||||||
EOF
|
|
||||||
chown root:ldap slapd.pem
|
|
||||||
chmod 640 slapd.pem
|
|
||||||
popd
|
|
||||||
fi
|
|
||||||
|
|
||||||
# generate/upgrade configuration
|
# generate/upgrade configuration
|
||||||
if [ ! -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif ]; then
|
if [ ! -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif ]; then
|
||||||
@ -569,9 +567,10 @@ exit 0
|
|||||||
%doc openldap-%{version}/LICENSE
|
%doc openldap-%{version}/LICENSE
|
||||||
%doc openldap-%{version}/README
|
%doc openldap-%{version}/README
|
||||||
%dir %{_sysconfdir}/openldap
|
%dir %{_sysconfdir}/openldap
|
||||||
%dir %{_sysconfdir}/openldap/cacerts
|
%dir %{_sysconfdir}/openldap/certs
|
||||||
%config(noreplace) %{_sysconfdir}/openldap/ldap.conf
|
%config(noreplace) %{_sysconfdir}/openldap/ldap.conf
|
||||||
%dir %{_libexecdir}/openldap/
|
%dir %{_libexecdir}/openldap/
|
||||||
|
%{_libexecdir}/openldap/create-certdb.sh
|
||||||
%{_libdir}/liblber-2.4*.so.*
|
%{_libdir}/liblber-2.4*.so.*
|
||||||
%{_libdir}/libldap-2.4*.so.*
|
%{_libdir}/libldap-2.4*.so.*
|
||||||
%{_libdir}/libldap_r-2.4*.so.*
|
%{_libdir}/libldap_r-2.4*.so.*
|
||||||
@ -587,7 +586,6 @@ exit 0
|
|||||||
%config(noreplace) %{_sysconfdir}/openldap/schema
|
%config(noreplace) %{_sysconfdir}/openldap/schema
|
||||||
%config(noreplace) %{_sysconfdir}/sysconfig/slapd
|
%config(noreplace) %{_sysconfdir}/sysconfig/slapd
|
||||||
%config(noreplace) %{_sysconfdir}/tmpfiles.d/slapd.conf
|
%config(noreplace) %{_sysconfdir}/tmpfiles.d/slapd.conf
|
||||||
%config(noreplace) %ghost %attr(0640,root,ldap) %{_sysconfdir}/pki/tls/certs/slapd.pem
|
|
||||||
%dir %attr(0700,ldap,ldap) %{_sharedstatedir}/ldap
|
%dir %attr(0700,ldap,ldap) %{_sharedstatedir}/ldap
|
||||||
%dir %attr(-,ldap,ldap) %{_localstatedir}/run/openldap
|
%dir %attr(-,ldap,ldap) %{_localstatedir}/run/openldap
|
||||||
%{_unitdir}/slapd.service
|
%{_unitdir}/slapd.service
|
||||||
@ -626,6 +624,7 @@ exit 0
|
|||||||
%{_libexecdir}/openldap/convert-config.sh
|
%{_libexecdir}/openldap/convert-config.sh
|
||||||
%{_libexecdir}/openldap/check-config.sh
|
%{_libexecdir}/openldap/check-config.sh
|
||||||
%{_libexecdir}/openldap/upgrade-db.sh
|
%{_libexecdir}/openldap/upgrade-db.sh
|
||||||
|
%{_libexecdir}/openldap/generate-server-cert.sh
|
||||||
%{_sbindir}/sl*
|
%{_sbindir}/sl*
|
||||||
%{_mandir}/man8/*
|
%{_mandir}/man8/*
|
||||||
%{_mandir}/man5/slapd*.5*
|
%{_mandir}/man5/slapd*.5*
|
||||||
@ -658,6 +657,10 @@ exit 0
|
|||||||
+ server: buxfixes in mdb backend
|
+ server: buxfixes in mdb backend
|
||||||
+ server: buxfixes in overlays (syncrepl, meta, monitor, perl, sql, dds, rwm)
|
+ server: buxfixes in overlays (syncrepl, meta, monitor, perl, sql, dds, rwm)
|
||||||
- openldap-servers now provide ldib2ldbm (#437104)
|
- openldap-servers now provide ldib2ldbm (#437104)
|
||||||
|
- certificates management improvements
|
||||||
|
+ create empty Mozilla NSS certificate database during installation
|
||||||
|
+ enable builtin Root CA in generated database (#789088)
|
||||||
|
+ generate server certificate using Mozilla NSS tools instead of OpenSSL tools
|
||||||
|
|
||||||
* Tue Jan 31 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.28-3
|
* Tue Jan 31 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.28-3
|
||||||
- fix: replication (syncrepl) with TLS causes segfault (#783431)
|
- fix: replication (syncrepl) with TLS causes segfault (#783431)
|
||||||
|
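Review bot: The `nss-tools` dependency in the `Requires:` hunk (`@ -73,7 +76,7 @@`) is declared on `%package servers`, but `create-certdb.sh` is listed in the base package's `%files` and is executed from the base package's `%post` (`@ -383,7 +391,12 @@`), where it needs `certutil` and `modutil`; unless the base package already requires `nss-tools` outside these hunks, it needs `Requires(post): nss-tools`. Because that call is written `%{_libexecdir}/openldap/create-certdb.sh >&/dev/null || :`, a missing tool or a non-empty `%{_sysconfdir}/openldap/certs` leaves the system without the database that the new `ldap.conf` (`TLS_CACERTDIR`) and `slapd.ldif` point at, and nothing in the install output says so. Keeping stderr visible, `%{_libexecdir}/openldap/create-certdb.sh >/dev/null || :`, preserves the non-fatal behaviour while surfacing the script's own diagnostics.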
@ -11,9 +11,9 @@ olcPidFile: /var/run/openldap/slapd.pid
|
|||||||
#
|
#
|
||||||
# TLS settings
|
# TLS settings
|
||||||
#
|
#
|
||||||
#olcTLSCACertificateFile: /etc/pki/tls/certs/ca-bundle.crt
|
olcTLSCACertificatePath: /etc/openldap/certs
|
||||||
#olcTLSCertificateFile: /etc/pki/tls/certs/slapd.pem
|
olcTLSCertificateFile: "OpenLDAP Server"
|
||||||
#olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapd.pem
|
olcTLSCertificateKeyFile: /etc/openldap/certs/password
|
||||||
#
|
#
|
||||||
# Do not enable referrals until AFTER you have a working directory
|
# Do not enable referrals until AFTER you have a working directory
|
||||||
# service AND an understanding of referrals.
|
# service AND an understanding of referrals.
|
||||||
|
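Review bot: `olcTLSCertificateKeyFile: /etc/openldap/certs/password` reads as a misconfiguration to anyone expecting a PEM key path, although with the Mozilla NSS backend this directive names the file holding the database password; a comment above it, such as `# Mozilla NSS: olcTLSCertificateKeyFile is the certdb password file, not a key`, would stop it being "corrected". The same applies to `olcTLSCertificateFile: "OpenLDAP Server"`, which is a certificate nickname inside the database rather than a path and must match the `CERT_NAME` default in generate-server-cert.sh; `# nickname of the server certificate in olcTLSCACertificatePath` would make that coupling explicit.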