ba2e4625b7
new SLAPD_LDAP option to turn off listening on ldap:/// fixed checking of SSL Resolves: #292591, #273581
258 lines
6.3 KiB
Bash
258 lines
6.3 KiB
Bash
#!/bin/bash
|
|
#
|
|
# ldap This shell script takes care of starting and stopping
|
|
# ldap servers (slapd and slurpd).
|
|
#
|
|
# chkconfig: - 27 73
|
|
# description: LDAP stands for Lightweight Directory Access Protocol, used \
|
|
# for implementing the industry standard directory services.
|
|
# processname: slapd
|
|
# config: /etc/openldap/slapd.conf
|
|
# pidfile: /var/run/openldap/slapd.pid
|
|
|
|
# Source function library.
|
|
. /etc/init.d/functions
|
|
|
|
# Source networking configuration and check that networking is up.
|
|
if [ -r /etc/sysconfig/network ] ; then
|
|
. /etc/sysconfig/network
|
|
[ ${NETWORKING} = "no" ] && exit 1
|
|
fi
|
|
|
|
# Define default values of options allowed in /etc/sysconfig/ldap
|
|
SLAPD_LDAP="yes"
|
|
SLAPD_LDAPI="no"
|
|
SLAPD_LDAPS="no"
|
|
# OPTIONS, SLAPD_OPTIONS, SLURPD_OPTIONS and KTB5_KTNAME are not defined
|
|
|
|
# Source an auxiliary options file if we have one
|
|
if [ -r /etc/sysconfig/ldap ] ; then
|
|
. /etc/sysconfig/ldap
|
|
fi
|
|
|
|
slapd=/usr/sbin/slapd
|
|
slurpd=/usr/sbin/slurpd
|
|
slaptest=/usr/sbin/slaptest
|
|
[ -x ${slapd} ] || exit 1
|
|
[ -x ${slurpd} ] || exit 1
|
|
|
|
RETVAL=0
|
|
|
|
#
|
|
# Pass commands given in $2 and later to "test" run as user given in $1.
|
|
#
|
|
function testasuser() {
|
|
local user= cmd=
|
|
user="$1"
|
|
shift
|
|
cmd="$@"
|
|
if test x"$user" != x ; then
|
|
if test x"$cmd" != x ; then
|
|
/sbin/runuser -f -m -s /bin/sh -c "test $cmd" -- "$user"
|
|
else
|
|
false
|
|
fi
|
|
else
|
|
false
|
|
fi
|
|
}
|
|
|
|
#
|
|
# Check for read-access errors for the user given in $1 for a service named $2.
|
|
# If $3 is specified, the command is run if "klist" can't be found.
|
|
#
|
|
function checkkeytab() {
|
|
local user= service= klist= default=
|
|
user="$1"
|
|
service="$2"
|
|
default="${3:-false}"
|
|
if test -x /usr/kerberos/bin/klist ; then
|
|
klist=/usr/kerberos/bin/klist
|
|
elif test -x /usr/bin/klist ; then
|
|
klist=/usr/bin/klist
|
|
fi
|
|
KRB5_KTNAME="${KRB5_KTNAME:-/etc/krb5.keytab}"
|
|
export KRB5_KTNAME
|
|
if test -s "$KRB5_KTNAME" ; then
|
|
if test x"$klist" != x ; then
|
|
if LANG=C $klist -k "$KRB5_KTNAME" | tail -n 4 | awk '{print $2}' | grep -q ^"$service"/ ; then
|
|
if ! testasuser "$user" -r ${KRB5_KTNAME:-/etc/krb5.keytab} ; then
|
|
true
|
|
else
|
|
false
|
|
fi
|
|
else
|
|
false
|
|
fi
|
|
else
|
|
$default
|
|
fi
|
|
else
|
|
false
|
|
fi
|
|
}
|
|
|
|
function configtest() {
|
|
local user= ldapuid= dbdir= file=
|
|
# Check for simple-but-common errors.
|
|
user=ldap
|
|
prog=`basename ${slapd}`
|
|
ldapuid=`id -u $user`
|
|
# Unaccessible database files.
|
|
slaptestflags=
|
|
for dbdir in `LANG=C egrep '^directory[[:space:]]+[[:print:]]+$' /etc/openldap/slapd.conf | sed s,^directory,,` ; do
|
|
for file in `find ${dbdir}/ -not -uid $ldapuid -and \( -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name alock \)` ; do
|
|
echo -n $"$file is not owned by \"$user\"" ; warning ; echo
|
|
done
|
|
if ! test -s ${dbdir}/id2entry.dbb ; then
|
|
if ! test -s ${dbdir}/id2entry.gdbm ; then
|
|
if ! test -s ${dbdir}/id2entry.bdb ; then
|
|
slaptestflags=-u
|
|
fi
|
|
fi
|
|
fi
|
|
done
|
|
# Unaccessible keytab with an "ldap" key.
|
|
if checkkeytab $user ldap ; then
|
|
file=${KRB5_KTNAME:-/etc/krb5.keytab}
|
|
echo -n $"$file is not readable by \"$user\"" ; warning ; echo
|
|
fi
|
|
# Unaccessible TLS configuration files.
|
|
tlsconfigs=`LANG=C egrep '^(TLSCACertificateFile|TLSCertificateFile|TLSCertificateKeyFile)[[:space:]]' /etc/openldap/slapd.conf | awk '{print $2}'`
|
|
for file in $tlsconfigs ; do
|
|
if ! testasuser $user -r $file ; then
|
|
echo -n $"$file is not readable by \"$user\"" ; warning ; echo
|
|
fi
|
|
done
|
|
# Check the configuration file.
|
|
slaptestout=`/sbin/runuser -m -s "$slaptest" -- "$user" $slaptestflags 2>&1`
|
|
slaptestexit=$?
|
|
# print warning if slaptest passed but reports some problems
|
|
if test $slaptestexit == 0 -a -n "$slaptestout" ; then
|
|
echo -n $"Checking configuration files for $prog: " ; warning ; echo
|
|
echo "$slaptestout"
|
|
fi
|
|
# report error if configuration file is wrong
|
|
if test $slaptestexit != 0 ; then
|
|
echo -n $"Checking configuration files for $prog: " ; failure ; echo
|
|
echo "$slaptestout"
|
|
if /sbin/runuser -m -s "$slaptest" -- "$user" "-u" > /dev/null 2> /dev/null ; then
|
|
dirs=`LANG=C egrep '^directory[[:space:]]+[[:print:]]+$' /etc/openldap/slapd.conf | awk '{print $2}'`
|
|
for directory in $dirs ; do
|
|
if test -r $directory/__db.001 ; then
|
|
echo -n $"stale lock files may be present in $directory" ; warning ; echo
|
|
fi
|
|
done
|
|
fi
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
function start() {
|
|
configtest
|
|
# Define a couple of local variables which we'll need. Maybe.
|
|
user=ldap
|
|
prog=`basename ${slapd}`
|
|
harg=""
|
|
if test x$LDAPD_LDAP = xyes ; then
|
|
harg="ldap:///"
|
|
fi
|
|
if test x$SLAPD_LDAPS = xyes ; then
|
|
harg="$harg ldaps:///"
|
|
fi
|
|
if test x$SLAPD_LDAPI = xyes ; then
|
|
harg="$harg ldapi:///"
|
|
fi
|
|
# Start daemons.
|
|
echo -n $"Starting $prog: "
|
|
daemon --check=$prog ${slapd} -h "\"$harg\"" -u ${user} $OPTIONS $SLAPD_OPTIONS
|
|
RETVAL=$?
|
|
echo
|
|
if [ $RETVAL -eq 0 ]; then
|
|
if grep -q "^replogfile" /etc/openldap/slapd.conf; then
|
|
prog=`basename ${slurpd}`
|
|
i=1;
|
|
for replogfile in `grep "^replogfile" /etc/openldap/slapd.conf`
|
|
do
|
|
if [ "$replogfile" != "replogfile" ]
|
|
then
|
|
echo -n $"Starting $prog: "
|
|
daemon ${slurpd} -r $replogfile -n $i $SLURPD_OPTIONS
|
|
# make the return value nozero if any of the slurpd failed
|
|
RET=$?
|
|
if [ $RET -ne 0 ] ; then
|
|
RETVAL=$RET
|
|
fi
|
|
i=$[i+1]
|
|
echo
|
|
fi
|
|
done
|
|
fi
|
|
fi
|
|
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/ldap
|
|
return $RETVAL
|
|
}
|
|
|
|
function stop() {
|
|
# Stop daemons.
|
|
prog=`basename ${slapd}`
|
|
echo -n $"Stopping $prog: "
|
|
killproc ${slapd}
|
|
RETVAL=$?
|
|
echo
|
|
if [ $RETVAL -eq 0 ]; then
|
|
if grep -q "^replogfile" /etc/openldap/slapd.conf; then
|
|
prog=`basename ${slurpd}`
|
|
echo -n $"Stopping $prog: "
|
|
killproc ${slurpd}
|
|
RETVAL=$?
|
|
echo
|
|
fi
|
|
fi
|
|
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/ldap /var/run/slapd.args
|
|
return $RETVAL
|
|
}
|
|
|
|
# See how we were called.
|
|
case "$1" in
|
|
configtest)
|
|
configtest
|
|
;;
|
|
start)
|
|
start
|
|
RETVAL=$?
|
|
;;
|
|
stop)
|
|
stop
|
|
RETVAL=$?
|
|
;;
|
|
status)
|
|
status ${slapd}
|
|
RETVAL=$?
|
|
if grep -q "^replogfile" /etc/openldap/slapd.conf ; then
|
|
status ${slurpd}
|
|
RET=$?
|
|
if [ $RET -ne 0 ] ; then
|
|
RETVAL=$RET;
|
|
fi
|
|
fi
|
|
;;
|
|
restart)
|
|
stop
|
|
start
|
|
RETVAL=$?
|
|
;;
|
|
condrestart)
|
|
if [ -f /var/lock/subsys/ldap ] ; then
|
|
stop
|
|
start
|
|
RETVAL=$?
|
|
fi
|
|
;;
|
|
*)
|
|
echo $"Usage: $0 {start|stop|restart|status|condrestart}"
|
|
RETVAL=1
|
|
esac
|
|
|
|
exit $RETVAL
|