From bf7ea0e4dfd1c8d4d85b808230159c4b22f10a52 Mon Sep 17 00:00:00 2001 From: Jan Vcelak Date: Mon, 27 Jun 2011 13:12:33 +0200 Subject: [PATCH] slapd.conf as separate source, not patch --- openldap-slapd-conf.patch | 134 ------------------------------------- openldap.spec | 56 +++++++--------- slapd.conf | 135 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 157 insertions(+), 168 deletions(-) delete mode 100644 openldap-slapd-conf.patch create mode 100644 slapd.conf diff --git a/openldap-slapd-conf.patch b/openldap-slapd-conf.patch deleted file mode 100644 index 5dadd4e..0000000 --- a/openldap-slapd-conf.patch +++ /dev/null 
@@ -1,134 +0,0 @@ -Updates initial slapd configuration. - ---- openldap-2.4.24.orig/servers/slapd/slapd.conf -+++ openldap-2.4.24/servers/slapd/slapd.conf -@@ -2,22 +2,71 @@ - # See slapd.conf(5) for details on configuration options. - # This file should NOT be world readable. - # --include %SYSCONFDIR%/schema/core.schema - --# Define global ACLs to disable default read access. -+include /etc/openldap/schema/corba.schema -+include /etc/openldap/schema/core.schema -+include /etc/openldap/schema/cosine.schema -+include /etc/openldap/schema/duaconf.schema -+include /etc/openldap/schema/dyngroup.schema -+include /etc/openldap/schema/inetorgperson.schema -+include /etc/openldap/schema/java.schema -+include /etc/openldap/schema/misc.schema -+include /etc/openldap/schema/nis.schema -+include /etc/openldap/schema/openldap.schema -+include /etc/openldap/schema/ppolicy.schema -+include /etc/openldap/schema/collective.schema -+ -+# Allow LDAPv2 client connections. This is NOT the default. -+allow bind_v2 - - # Do not enable referrals until AFTER you have a working directory - # service AND an understanding of referrals. 
- #referral ldap://root.openldap.org - --pidfile %LOCALSTATEDIR%/run/slapd.pid --argsfile %LOCALSTATEDIR%/run/slapd.args -+pidfile /var/run/openldap/slapd.pid -+argsfile /var/run/openldap/slapd.args - --# Load dynamic backend modules: --# modulepath %MODULEDIR% --# moduleload back_bdb.la --# moduleload back_hdb.la --# moduleload back_ldap.la -+# Load dynamic backend modules -+# - modulepath is architecture dependent value (32/64-bit system) -+# - back_sql.la overlay requires openldap-server-sql package -+# - dyngroup.la and dynlist.la cannot be used at the same time -+ -+# modulepath /usr/lib/openldap -+# modulepath /usr/lib64/openldap -+ -+# moduleload accesslog.la -+# moduleload auditlog.la -+# moduleload back_sql.la -+# moduleload chain.la -+# moduleload collect.la -+# moduleload constraint.la -+# moduleload dds.la -+# moduleload deref.la -+# moduleload dyngroup.la -+# moduleload dynlist.la -+# moduleload memberof.la -+# moduleload pbind.la -+# moduleload pcache.la -+# moduleload ppolicy.la -+# moduleload refint.la -+# moduleload retcode.la -+# moduleload rwm.la -+# moduleload seqmod.la -+# moduleload smbk5pwd.la -+# moduleload sssvlv.la -+# moduleload syncprov.la -+# moduleload translucent.la -+# moduleload unique.la -+# moduleload valsort.la -+ -+# The next three lines allow use of TLS for encrypting connections using a -+# dummy test certificate which you can generate by changing to -+# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on -+# slapd.pem so that the ldap user or group can read it. Your client software -+# may balk at self-signed certificates, however. -+# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt -+# TLSCertificateFile /etc/pki/tls/certs/slapd.pem -+# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem - - # Sample security restrictions - # Require integrity protection (prevent hijacking) -@@ -47,19 +96,42 @@ argsfile %LOCALSTATEDIR%/run/slapd.args - # rootdn can always read and write EVERYTHING! 
- - ####################################################################### --# BDB database definitions -+# ldbm and/or bdb database definitions - ####################################################################### - - database bdb - suffix "dc=my-domain,dc=com" -+checkpoint 1024 15 - rootdn "cn=Manager,dc=my-domain,dc=com" - # Cleartext passwords, especially for the rootdn, should --# be avoid. See slappasswd(8) and slapd.conf(5) for details. -+# be avoided. See slappasswd(8) and slapd.conf(5) for details. - # Use of strong authentication encouraged. --rootpw secret -+# rootpw secret -+# rootpw {crypt}ijFYNcSNctBYg -+ - # The database directory MUST exist prior to running slapd AND - # should only be accessible by the slapd and slap tools. - # Mode 700 recommended. --directory %LOCALSTATEDIR%/openldap-data --# Indices to maintain --index objectClass eq -+directory /var/lib/ldap -+ -+# Indices to maintain for this database -+index objectClass eq,pres -+index ou,cn,mail,surname,givenname eq,pres,sub -+index uidNumber,gidNumber,loginShell eq,pres -+index uid,memberUid eq,pres,sub -+index nisMapName,nisMapEntry eq,pres,sub -+ -+# Replicas of this database -+#replogfile /var/lib/ldap/openldap-master-replog -+#replica host=ldap-1.example.com:389 starttls=critical -+# bindmethod=sasl saslmech=GSSAPI -+# authcId=host/ldap-master.example.com@EXAMPLE.COM -+ -+ -+# enable monitoring -+database monitor -+ -+# allow onlu rootdn to read the monitor -+access to * -+ by dn.exact="cn=Manager,dc=my-domain,dc=com" read -+ by * none diff --git a/openldap.spec b/openldap.spec index 3a14b23..ddf122f 100644 --- a/openldap.spec +++ b/openldap.spec 
@@ -16,18 +16,18 @@ Source1: ldap.init Source2: ldap.sysconfig Source3: README.evolution Source4: ldap.tmpfiles +Source5: slapd.conf # patches for 2.4 -Patch0: openldap-slapd-conf.patch -Patch1: openldap-manpages.patch -Patch2: openldap-security-pie.patch -Patch3: openldap-sql-linking.patch -Patch4: openldap-reentrant-gethostby.patch -Patch5: openldap-export-ldif.patch -Patch6: openldap-smbk5pwd-overlay.patch -Patch7: openldap-ldaprc-currentdir.patch -Patch8: openldap-userconfig-setgid.patch -Patch9: openldap-nss-nofork.patch +Patch0: openldap-manpages.patch +Patch1: openldap-security-pie.patch +Patch2: openldap-sql-linking.patch +Patch3: openldap-reentrant-gethostby.patch +Patch4: openldap-export-ldif.patch +Patch5: openldap-smbk5pwd-overlay.patch +Patch6: openldap-ldaprc-currentdir.patch +Patch7: openldap-userconfig-setgid.patch +Patch8: openldap-nss-nofork.patch # patches for the evolution library (see README.evolution) Patch200: openldap-evolution-ntlm.patch @@ -119,16 +119,15 @@ programs needed for accessing and modifying OpenLDAP directories. pushd openldap-%{version} -%patch0 -p1 -b .config -%patch1 -p1 -b .manpages -%patch2 -p1 -b .security-pie -%patch3 -p1 -b .sql-linking -%patch4 -p1 -b .reentrant-gethostby -%patch5 -p1 -b .export-ldif -%patch6 -p1 -b .smbk5pwd-overlay -%patch7 -p1 -b .ldaprc-currentdir -%patch8 -p1 -b .userconfig-setgid -%patch9 -p1 -b .nss-nofork +%patch0 -p1 -b .manpages +%patch1 -p1 -b .security-pie +%patch2 -p1 -b .sql-linking +%patch3 -p1 -b .reentrant-gethostby +%patch4 -p1 -b .export-ldif +%patch5 -p1 -b .smbk5pwd-overlay +%patch6 -p1 -b .ldaprc-currentdir +%patch7 -p1 -b .userconfig-setgid +%patch8 -p1 -b .nss-nofork cp %{_datadir}/libtool/config/config.{sub,guess} build/ 
@@ -334,8 +333,8 @@ chmod 644 %{buildroot}/%{_libdir}/lib*.*a
 # new configuration will be generated in %post
 mkdir -p %{buildroot}/%{_datadir}/openldap-servers
 mkdir %{buildroot}/%{_sysconfdir}/openldap/slapd.d
-mv %{buildroot}/%{_sysconfdir}/openldap/slapd.conf %{buildroot}/%{_datadir}/openldap-servers/slapd.conf.obsolete
-chmod 0644 %{buildroot}/%{_datadir}/openldap-servers/slapd.conf.obsolete
+rm -f %{buildroot}/%{_sysconfdir}/openldap/slapd.conf
+install -m 644 %SOURCE5 %{buildroot}/%{_datadir}/openldap-servers/slapd.conf.obsolete
 
 # move doc files out of _sysconfdir
 mv %{buildroot}%{_sysconfdir}/openldap/schema/README README.schema
@@ -485,18 +484,7 @@ if ! ls -d %{_sysconfdir}/openldap/slapd.d/* &>/dev/null; then
 # convert from old style config slapd.conf
 mv %{_sysconfdir}/openldap/slapd.conf %{_sysconfdir}/openldap/slapd.conf.bak
 mkdir -p %{_sysconfdir}/openldap/slapd.d/
- lines=$(egrep -n '^(database|backend)' %{_sysconfdir}/openldap/slapd.conf.bak | cut -d: -f1 | head -n 1)
- lines=$(($lines-1))
- head -n $lines %{_sysconfdir}/openldap/slapd.conf.bak > %{_sysconfdir}/openldap/slapd.conf
- cat >> %{_sysconfdir}/openldap/slapd.conf << EOF
-database config
-rootdn "cn=admin,cn=config"
-#rootpw secret
-EOF
- lines_r=$(wc --lines %{_sysconfdir}/openldap/slapd.conf.bak | cut -f1 -d" ")
- lines_r=$(($lines_r-$lines))
- tail -n $lines_r %{_sysconfdir}/openldap/slapd.conf.bak >> %{_sysconfdir}/openldap/slapd.conf
- slaptest -f %{_sysconfdir}/openldap/slapd.conf -F %{_sysconfdir}/openldap/slapd.d > /dev/null 2> /dev/null
+ slaptest -f %{_sysconfdir}/openldap/slapd.conf.bak -F %{_sysconfdir}/openldap/slapd.d &>/dev/null
 chown -R ldap:ldap %{_sysconfdir}/openldap/slapd.d
 chmod -R 000 %{_sysconfdir}/openldap/slapd.d
 chmod -R u+rwX %{_sysconfdir}/openldap/slapd.d
diff --git a/slapd.conf b/slapd.conf
new file mode 100644
index 0000000..7360f61
--- /dev/null
+++ b/slapd.conf
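Review bot: The added `slaptest` line in the `@@ -485,18 +484,7 @@` hunk discards its exit status, so a failed conversion leaves slapd.d empty and the only config renamed to slapd.conf.bak while the scriptlet carries on with chown/chmod and reports nothing. I would test the status and name where the old file went, e.g. `if ! slaptest -f %{_sysconfdir}/openldap/slapd.conf.bak -F %{_sysconfdir}/openldap/slapd.d &>/dev/null; then` / `echo "conversion of slapd.conf failed, original kept as slapd.conf.bak" >&2` / `fi`. The removed lines also spliced a `database config` section with `rootdn "cn=admin,cn=config"` into the file before converting it; the new side converts slapd.conf.bak as-is, so presumably the resulting config database carries no rootdn at all — if that is intended, a one-line comment above the call saying so would save the next reader the same question. The enclosing `if ! ls -d ... slapd.d/*` block begins before the hunk.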
@@ -0,0 +1,135 @@
+#
+# See slapd.conf(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+
+include /etc/openldap/schema/corba.schema
+include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/duaconf.schema
+include /etc/openldap/schema/dyngroup.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/java.schema
+include /etc/openldap/schema/misc.schema
+include /etc/openldap/schema/nis.schema
+include /etc/openldap/schema/openldap.schema
+include /etc/openldap/schema/ppolicy.schema
+include /etc/openldap/schema/collective.schema
+
+# Allow LDAPv2 client connections. This is NOT the default.
+allow bind_v2
+
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#referral ldap://root.openldap.org
+
+pidfile /var/run/openldap/slapd.pid
+argsfile /var/run/openldap/slapd.args
+
+# Load dynamic backend modules
+# - modulepath is architecture dependent value (32/64-bit system)
+# - back_sql.la overlay requires openldap-server-sql package
+# - dyngroup.la and dynlist.la cannot be used at the same time
+
+# modulepath /usr/lib/openldap
+# modulepath /usr/lib64/openldap
+
+# moduleload accesslog.la
+# moduleload auditlog.la
+# moduleload back_sql.la
+# moduleload chain.la
+# moduleload collect.la
+# moduleload constraint.la
+# moduleload dds.la
+# moduleload deref.la
+# moduleload dyngroup.la
+# moduleload dynlist.la
+# moduleload memberof.la
+# moduleload pbind.la
+# moduleload pcache.la
+# moduleload ppolicy.la
+# moduleload refint.la
+# moduleload retcode.la
+# moduleload rwm.la
+# moduleload seqmod.la
+# moduleload smbk5pwd.la
+# moduleload sssvlv.la
+# moduleload syncprov.la
+# moduleload translucent.la
+# moduleload unique.la
+# moduleload valsort.la
+
+# The next three lines allow use of TLS for encrypting connections using a
+# dummy test certificate which you can generate by changing to
+# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
+# slapd.pem so that the ldap user or group can read it. Your client software
+# may balk at self-signed certificates, however.
+# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
+# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
+
+# Sample security restrictions
+# Require integrity protection (prevent hijacking)
+# Require 112-bit (3DES or better) encryption for updates
+# Require 63-bit encryption for simple bind
+# security ssf=1 update_ssf=112 simple_bind=64
+
+# Sample access control policy:
+# Root DSE: allow anyone to read it
+# Subschema (sub)entry DSE: allow anyone to read it
+# Other DSEs:
+# Allow self write access
+# Allow authenticated users read access
+# Allow anonymous users to authenticate
+# Directives needed to implement policy:
+# access to dn.base="" by * read
+# access to dn.base="cn=Subschema" by * read
+# access to *
+# by self write
+# by users read
+# by anonymous auth
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn. (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+
+# enable server status monitoring (cn=monitor)
+database monitor
+access to *
+ by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
+ by dn.exact="cn=Manager,dc=my-domain,dc=com" read
+ by * none
+
+#######################################################################
+# ldbm and/or bdb database definitions
+#######################################################################
+
+database bdb
+suffix "dc=my-domain,dc=com"
+checkpoint 1024 15
+rootdn "cn=Manager,dc=my-domain,dc=com"
+# Cleartext passwords, especially for the rootdn, should
+# be avoided. See slappasswd(8) and slapd.conf(5) for details.
+# Use of strong authentication encouraged.
+# rootpw secret
+# rootpw {crypt}ijFYNcSNctBYg
+
+# The database directory MUST exist prior to running slapd AND
+# should only be accessible by the slapd and slap tools.
+# Mode 700 recommended.
+directory /var/lib/ldap
+
+# Indices to maintain for this database
+index objectClass eq,pres
+index ou,cn,mail,surname,givenname eq,pres,sub
+index uidNumber,gidNumber,loginShell eq,pres
+index uid,memberUid eq,pres,sub
+index nisMapName,nisMapEntry eq,pres,sub
+
+# Replicas of this database
+#replogfile /var/lib/ldap/openldap-master-replog
+#replica host=ldap-1.example.com:389 starttls=critical
+# bindmethod=sasl saslmech=GSSAPI
+# authcId=host/ldap-master.example.com@EXAMPLE.COM
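Review bot: `allow bind_v2` near the top of the new file turns on LDAPv2 binds unconditionally, even though the comment directly above it says this is not the default. LDAPv2 has no StartTLS and no SASL bind, so the only thing that could keep such clients from sending simple binds in the clear is the `security ssf=...` line further down, and that line is shipped commented out. Unless LDAPv2-only clients are a known requirement of this package, I would ship the directive disabled, `# allow bind_v2`, with the comment `# Uncomment only if LDAPv2-only clients must be supported; v2 cannot use StartTLS or SASL` so the template stays at the upstream default. This line is carried over from the deleted openldap-slapd-conf.patch, so the question predates this commit, but the new file is the place to settle it.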