Git-Url: 
http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-current.git;a=commitdiff;h=8e6e0b4d19505d5261cb339e6d69f700a8401ac0

commit 8e6e0b4d19505d5261cb339e6d69f700a8401ac0
Author: Krisztian VASAS <[email protected]>
Date:   Thu Oct 22 19:29:09 2009 +0200

openldap-2.4.19-2-i686
- added initial ldap config and tree creator script
- added initial config and tree template
- added template DB_CONFIG
- added sysconfig config file
- changed rc script to run slapd as user

diff --git a/source/network-extra/openldap/DB_CONFIG 
b/source/network-extra/openldap/DB_CONFIG
new file mode 100644
index 0000000..d3d6ab6
--- /dev/null
+++ b/source/network-extra/openldap/DB_CONFIG
@@ -0,0 +1,4 @@
+set_cachesize 0 2097152 0
+set_lk_max_objects 1500
+set_lk_max_locks 1500
+set_lk_max_lockers 1500
diff --git a/source/network-extra/openldap/FrugalBuild 
b/source/network-extra/openldap/FrugalBuild
index 3e1f485..b3ea37f 100644
--- a/source/network-extra/openldap/FrugalBuild
+++ b/source/network-extra/openldap/FrugalBuild
@@ -3,7 +3,7 @@

pkgname=openldap
pkgver=2.4.19
-pkgrel=1
+pkgrel=2
pkgdesc="A suite of the Lightweight Directory Access Protocol servers"
url="http://www.openldap.org/";
groups=('network-extra')
@@ -13,9 +13,15 @@ depends=('db-4.5>=4.5.20-2' 'libtool')
rodepends=("libldap=$pkgver")
makedepends=('tcp_wrappers' 'openssl' 'cyrus-sasl' 'groff')
up2date="lynx -dump http://www.openldap.org/software/download/|grep 'United 
States'|sed -e 's/.*]\(.*\) \[.*/\1/'"
-source=(ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/$pkgname-$pkgver.tgz
 rc.slapd)
+source=(ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/$pkgname-$pkgver.tgz
 rc.slapd \
+       slapd.sysconfig create_initial_ldap slapd.init.ldif slapd.init.conf 
DB_CONFIG)
sha1sums=('4a78acae0dd6d51d22ff50eef77912e59b31779a' \
-          '2cb842757c9d58686cc7957fdd00e46cce236d09')
+         'cedff3902bc2169d76f7f314bbfec1e39759515a' \
+         'fe4a47065a0b3b7c61d768dd5216b28f1254ffb0' \
+         '31d5ecdba5d490763fb06df5452cb48157a73871' \
+         '5fc92cf30d4826be94e2ef421a951f49849dbe3c' \
+         'b176d6d6075735c89546d2d50497def889219d76' \
+         '8a5d021410d00e00445a380ee65df7c14d3a3805')

subpkgs=('libldap')
subdescs=('OpenLDAP library.')
@@ -33,7 +39,7 @@ build()
--localstatedir=/var/openldap --enable-syslog --enable-dynamic \
--with-readline --with-threads --with-tls --enable-slapd \
--enable-cleartext --enable-modules --enable-rlookups \
-               --enable-wrappers --enable-bdb --enable-slurpd
+               --enable-wrappers --enable-bdb --enable-slurpd --enable-crypt

make DESTDIR=$Fdestdir install || return 1

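Review bot: `--enable-crypt` is added to the configure line without a comment, and the only consumer visible in this commit is crypt_admin_pass in create_initial_ldap, which calls `slappasswd -h "{CRYPT}"`; that script's own XXX comment already questions the strength of the scheme. With the default salt format this is presumably traditional crypt(3), which on glibc considers only the first eight characters of the password. slappasswd's default `{SSHA}` scheme needs no build option, so I would either drop the flag and hash with `slappasswd -h "{SSHA}"`, or keep it and add a comment such as `# --enable-crypt: needed for the {CRYPT} rootpw written by create_initial_ldap`. The configure invocation begins outside the hunk.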
@@ -42,6 +48,12 @@ build()
chmod +x $Fdestdir/usr/lib/*so*
Frcd2 slapd

+       Ffile slapd.sysconfig /etc/sysconfig/slapd
+       Ffile /usr/share/openldap/slapd.init.ldif
+       Ffile /usr/share/openldap/slapd.init.conf
+       Ffile /usr/share/openldap/DB_CONFIG
+       Fexe /usr/bin/create_initial_ldap
+
Fsplit libldap etc/openldap/ldap.conf*
Fsplit libldap usr/lib/libldap*
Fsplit libldap usr/lib/liblber*
diff --git a/source/network-extra/openldap/create_initial_ldap 
b/source/network-extra/openldap/create_initial_ldap
new file mode 100755
index 0000000..cdd1f03
--- /dev/null
+++ b/source/network-extra/openldap/create_initial_ldap
@@ -0,0 +1,681 @@
+#!/bin/bash
+
+set -e
+
+# ===== Dumping and reloading using LDIF files ========================== {{{
+#
+# If incompatible changes are done to the database underlying a LDAP
+# directory we need to dump the contents and reload the data into a newly
+# created database after the new server was installed. The following
+# functions deal with this functionality.
+
+# ----- Configuration of this component --------------------------------  {{{
+#
+# Dumping the database can have negative effects on the system we are
+# running on. If there is a lot of data dumping it might fill a partition
+# for example. Therefore we must give the user exact control over what we
+# are doing.
+
+# Check if the user has enabled database dumping for the current situation.
+# Return success if yes.
+# Usage: if database_dumping_enabled; then ... fi
+database_dumping_enabled()
+{     # {{{
+       dialog --radiolist "Before upgrading to a new version of the OpenLDAP 
server, the data from your LDAP directories can be dumped into plain text files 
in the standard LDAP Data Interchange Format.\n\nDump databases to file on 
upgrade?" 0 0 0 "always" "" off "when needed" "" on "never" "" off 2>/tmp/answer
+       RET=$(cat /tmp/answer)
+       case "$RET" in
+               always)
+               ;;
+               "when needed")
+                       database_format_changed || return 1
+               ;;
+               never)
+                       return 1
+               ;;
+               *)
+                       echo >&2 "Unknown value for slapd/dump_database: $RET"
+                       echo >&2 "Please report!"
+                       exit 1
+               ;;
+       esac
+}     # }}}
+
+# Check if the database format has changed since the old installed version
+# Return success if yes.
+# Usage: if database_format_changed; then
+database_format_changed()
+{     # {{{
+       if compare-versions "$OLD_VERSION" lt 2.4.14; then
+               return 0
+       else
+               return 1
+       fi
+}     # }}}
+
+# Figure out the directory we are dumping the database to and create it
+# if it does not exist.
+# Usage: destdir=`database_dumping_destdir`
+database_dumping_destdir()
+{     # {{{
+       local dir
+       dialog --inputbox "Please specify the directory where the LDAP 
databases will be exported. In this directory, several LDIF files will be 
created which correspond to the search bases located on the server. Make sure 
you have enough free space on the partition where the directory is located. The 
first occurrence of the string \"VERSION\" is replaced with the server version 
you are upgrading from.\n\nDirectory to use for dumped databases:" 0 0 
"/var/openldap/backups/VERSION" 0 0 2>/tmp/answer
+       dir=`$(cat /tmp/answer) | sed -e "s/VERSION/$OLD_VERSION/"`
+       mkdir -p -m 700 "$dir"
+       echo $dir
+}     # }}}
+
+create_new_user()
+{     # {{{
+       if [ -z "`getent group openldap`" ]; then
+               groupadd -g 49 openldap
+       fi
+       if [ -z "`getent passwd openldap`" ]; then
+               echo -n "  Creating new user openldap... " >&2
+               useradd -M -u 49 -d /var/openldap/openldap-data -r -s 
/bin/false -g openldap openldap
+               echo "done." >&2
+       fi
+}     # }}}
+
+create_ldap_directories()
+{     # {{{
+       if [ ! -d /var/openldap/openldap-data ]; then
+               mkdir /var/openldap/openldap-data
+       fi
+       if [ ! -d /var/openldap/run ]; then
+               mkdir /var/openldap/run
+       fi
+       update_permissions /var/openldap/openldap-data
+       update_permissions /var/openldap/run
+       chmod 0755 /var/openldap/run
+}     # }}}
+
+update_permissions()
+{     # {{{
+       dir="$1"
+       [ -z "${SLAPD_USER}" ] || chown -R "${SLAPD_USER}" "${dir}"
+       [ -z "${SLAPD_GROUP}" ] || chgrp -R "${SLAPD_GROUP}" "${dir}"
+       chmod -R u=rwX,g=rX,o-rwx "${dir}"
+}     # }}}
+
+update_databases_permissions()
+{     # {{{
+       for suffix in `get_suffix`; do
+               dbdir=`get_directory $suffix`
+               update_permissions "$dbdir"
+       done
+}     # }}}
+
+# }}}
+
+# ----- Dumping and loading the data ------------------------------------ {{{
+
+# If the user wants us to dump the databases they are dumped to the
+# configured directory.
+dump_databases()
+{     # {{{
+       local db suffix file dir failed slapcat_opts
+
+       database_dumping_enabled || return 0
+
+       dir=`database_dumping_destdir`
+       echo >&2 "  Dumping to $dir: "
+       for suffix in `get_suffix`; do
+               file="$dir/$suffix.ldif"
+               echo -n "  - directory $suffix... " >&2
+               # Need to support slapd.d migration from preinst
+               if [ -f "${SLAPD_CONF}" ]; then
+                       slapcat_opts="-f ${SLAPD_CONF}"
+               else
+                       slapcat_opts="-F ${SLAPD_CONF}"
+               fi
+               slapcat ${slapcat_opts} -b "$suffix" > "$file" || failed=1
+               if [ "$failed" ]; then
+                       rm -f "$file"
+                       echo failed. >&2
+                       exit 1
+               fi
+               echo "done." >&2
+       done
+}     # }}}
+
+load_databases()
+{     # {{{
+       local dir file db dbdir backupdir
+
+       dir=`database_dumping_destdir`
+       echo >&2 "  Loading from $dir: "
+       for suffix in `get_suffix`; do
+               dbdir=`get_directory $suffix`
+               if ! is_empty_dir "$dbdir"; then
+                       echo >&2 \
+                         "  Directory $dbdir for $suffix not empty, aborting."
+                       exit 1
+               fi
+
+               file="$dir/$suffix.ldif"
+               echo -n "  - directory $suffix... " >&2
+
+               # If there is an old DB_CONFIG file, restore it before
+               # running slapadd
+               backupdir=`compute_backup_path -n "$dbdir" "$suffix"`
+               if [ -e "$backupdir"/DB_CONFIG ]; then
+                       cp -a "$backupdir"/DB_CONFIG "$dbdir"/
+               else
+                       copy_example_DB_CONFIG "$dbdir"/
+               fi
+
+               capture_diagnostics slapadd -F "${SLAPD_CONF}" \
+                       -q -b "$suffix" -l "$file" || failed=1
+               if [ "$failed" ]; then
+                       rm -f "$dbdir"/*
+                       echo failed. >&2
+                       echo >&2
+                       cat <<-EOF
+       Loading the database from the LDIF dump failed with the following
+       error while running slapadd:
+EOF
+                       release_diagnostics "    "
+                       exit 1
+               fi
+               echo "done." >&2
+
+               if [ -n "$SLAPD_USER" ] || [ -n "$SLAPD_GROUP" ]; then
+                       echo -n "  - chowning database directory 
($SLAPD_USER:$SLAPD_GROUP)... "
+                       [ -z "$SLAPD_USER" ] || \
+                               chown -R "$SLAPD_USER" "$dbdir"
+                       [ -z "$SLAPD_GROUP" ] || \
+                               chgrp -R "$SLAPD_GROUP" "$dbdir"
+                       echo "done";
+               fi
+       done
+}     # }}}
+
+move_incompatible_databases_away()
+{     # {{{
+       echo >&2 "  Moving old database directories to /var/backups:"
+       for suffix in `get_suffix`; do
+               dbdir=`get_directory $suffix`
+               move_old_database_away "$dbdir" "$suffix"
+       done
+}     # }}}
+
+# The following functions need to support slapd.conf installations
+# as long as upgrading from slapd.conf environment is supported.
+# They're used to dump database in preinst which may have a slapd.conf file.
+# {{{
+
+get_suffix()
+{     # {{{
+       if [ -f "${SLAPD_CONF}" ]; then
+               for f in `get_all_slapd_conf_files`; do
+                       grep '^suffix ' ${f} | sed 
's/^suffix[[:space:]]\+\(.\+\)/\1/' | sed 's/"//g'
+               done
+       else
+               grep -h olcSuffix ${SLAPD_CONF}/cn\=config/olcDatabase* | cut 
-d: -f 2
+       fi
+}     # }}}
+
+get_directory()
+{     # {{{
+       # Returns the db directory for a given suffix
+       if [ -d "${SLAPD_CONF}" ] && echo `get_suffix` | grep -q "$1" ; then
+               grep "olcDbDirectory:" `grep -l "olcSuffix: $1" 
${SLAPD_CONF}/cn\=config/olcDatabase*` | cut -d: -f 2 | sed 's/^  *//g'
+       elif [ -f "${SLAPD_CONF}" ]; then
+               # Extract the directory for the given suffix ($1)
+               for f in `get_all_slapd_conf_files`; do
+               awk  ' BEGIN { DB=0; SUF=""; DIR="" } ;
+                      /^database/ { DB=1; SUF=""; DIR="" } ;
+                      DB==1 && /^suffix[ \t]+"?'$1'"?$/ { SUF=$2 ; } ;
+                      DB==1 && /^directory/ { DIR=$2 ;} ;
+                      DB==1 && SUF!="" && DIR!="" { sub(/^"/,"",DIR) ; 
sub(/"$/,"",DIR) ; print DIR; SUF=""; DIR="" }' "${f}"
+               done
+       else
+               return 1
+       fi
+}     # }}}
+
+# Returns the list of all the config files: slapd.conf and included files.
+get_all_slapd_conf_files()
+{     # {{{
+       echo ${SLAPD_CONF}
+       awk '
+BEGIN { I=0 }
+/^include/ {
+       sub(/include/," ");
+       I=1;
+}
+I==1 && /^[ \t]+/ {
+       split($0,F) ;
+       for (f in F)
+               if (!match(F[f],/schema/)) {
+                       print F[f]
+               };
+       next;
+}
+I==1 { I=0 }
+' ${SLAPD_CONF}
+} # }}}
+
+# }}}
+
+# Compute the path to backup a database directory
+# Usage: compute_backup_path [-n] <dir> <basedn>
+compute_backup_path()
+{      # {{{
+       local dirname basedn ok_exists
+       if [ "$1" = "-n" ]; then
+               ok_exists=yes
+               shift
+       fi
+       dirname="$1"
+       basedn="$2"
+
+       # Computing the name of the backup directory from the old version,
+       # the suffix etc. all makes me feel worried. I'd rather have a
+       # directory name which is not going to exist. So the simple
+       # scheme we are using now is to compute the filename from the
+       # directory name and appending date and time. And we check if it
+       # exists to be really sure...  -- Torsten
+
+       local target
+       local id
+       id="$OLD_VERSION"
+       [ -n "$id" ] || id=`date +%Y%m%d-%H%M%S`
+       target="/var/backups/$basedn-$id.ldapdb"
+       # Configuration via dpkg-reconfigure.
+       # The backup directory already exists when reconfigured
+       # twice or more: append a timestamp.
+       if [ -e "${target}" ] && ([ "$MODE" = reconfigure ] || [ 
"$DEBCONF_RECONFIGURE" ]); then
+                        target="$target-`date +%Y%m%d-%H%M%S`"
+       fi
+       if [ -e "$target" ] && [ -z "$ok_exists" ]; then
+               echo >&2
+               echo >&2 "  Backup path $target exists. Giving up..."
+               exit 1
+       fi
+
+       echo "$target"
+}     # }}}
+
+# Move the old database away if it is still there
+#
+# In fact this function makes sure that the database directory is empty
+# and can be populated with a new database. If something is in the way
+# it is moved to a backup directory if the user accepted the debconf
+# option slapd/move_old_database. Otherwise we output a warning and let
+# the user fix it himself.
+# Usage: move_old_database_away <dbdir> [<basedn>]
+move_old_database_away()
+{     # {{{
+       local databasedir backupdir
+       databasedir="$1"
+       suffix="${2:-unknown}"
+
+       if [ ! -e "$databasedir" ] || is_empty_dir "$databasedir"; then
+               return 0
+       fi
+
+       # Note that we can't just move the database dir as it might be
+       # a mount point. Instead me move the content which might
+       # include mount points as well anyway, but it's much less likely.
+       dialog --yesno "There are still files in $databasedir which will 
probably break the configuration process. If you enable this option, the 
maintainer scripts will move the old database files out of the way 
before.\n\nMove old database?" 0 0
+       RET=$?
+       if [ $RET -eq 0 ]; then
+               backupdir=`compute_backup_path "$databasedir" "$suffix"`
+               echo -n "  - directory $suffix... " >&2
+               mkdir -p "$backupdir"
+               find "$databasedir" -mindepth 1 -maxdepth 1     \
+                       -exec mv {} "$backupdir" \;
+               echo done. >&2
+       else
+               cat >&2 <<EOF
+  There are leftover files in $databasedir. This will probably break
+  creating the initial directory. If that's the case please move away
+  stuff in there and retry the configuration.
+EOF
+       fi
+}     # }}}
+
+# Check if the user wants to configure everything himself (queries debconf)
+# Returns success if yes.
+manual_configuration_wanted()
+{     # {{{
+       dialog --defaultno --yesno "If you enable this option, no initial 
configuration or database will be created for you.\n\nOmit OpenLDAP server 
configuration?" 0 0
+       RET=$?
+       if [ $RET -eq 0 ]; then
+               return 0
+       else
+               return 1
+       fi
+}     # }}}
+
+# Copy an example DB_CONFIG file
+# copy_example_DB_CONFIG <directory>
+copy_example_DB_CONFIG()
+{     # {{{
+       return 1
+       local directory srcdir
+
+       directory="$1"
+       srcdir="/usr/share/openldap"
+
+       if ! [ -f "${directory}/DB_CONFIG" ] && [ -d "$directory" ]; then
+               cp $srcdir/DB_CONFIG "${directory}/DB_CONFIG"
+       fi
+}     # }}}
+
+# Create a new configuration and directory
+create_new_configuration()
+{      # {{{
+       local basedn dc backend
+
+       # For the domain really.argh.org we create the basedn
+       # dc=really,dc=argh,dc=org with the dc entry dc: really
+       dialog --inputbox "The DNS domain name is used to construct the base DN 
of the LDAP directory. For example, 'foo.example.org' will create the directory 
with 'dc=foo, dc=example, dc=org' as base DN.\n\nDNS domain name:" 0 0 
2>/tmp/answer
+       RET=$(cat /tmp/answer)
+       local basedn="dc=`echo $RET | sed 's/^\.//; s/\./,dc=/g'`"
+       dc="`echo $RET | sed 's/^\.//; s/\..*$//'`"
+
+       dialog --radiolist "The HDB backend is recommended. HDB and BDB use 
similar storage formats, but HDB adds support for subtrrenames. Both support 
the same configuration options.\n\nDatabase backend to use:" 0 0 0 BDB "" off 
HDB "" on 2>/tmp/answer
+       RET=$(cat /tmp/answer)
+       backend="`echo $RET|tr A-Z a-z`"
+
+       # Looks like the following code is not needed as slapd is unconfigured
+       # first and stopped at that time. So no need to stop slapd at all here.
+
+       if [ -e "/var/openldap/openldap-data" ] && ! is_empty_dir 
/var/openldap/openldap-data; then
+               echo >&2 "  Moving old database directory to /var/backups:"
+               move_old_database_away /var/openldap/openldap-data
+       fi
+       create_ldap_directories
+       create_new_slapd_conf "$basedn" "$backend"
+       create_new_directory "$basedn" "$dc"
+
+       # Put the right permissions on this directory.
+       update_permissions /var/openldap/openldap-data
+}     # }}}
+
+# Creates a new slapd.d configuration for the suffix given
+# Usage: create_new_slapd_conf <basedn> <backend>
+create_new_slapd_conf()
+{     # {{{
+       local basedn backend conf_template
+
+       basedn="$1"
+       backend="$2"
+
+       # Get the admin password for the cn=config tree
+       dialog --insecure --passwordbox "Enter the admin password:" 0 0 
2>/tmp/answer
+       # adminpw can have / character which would break sed
+       # further down.
+       adminpass=$(cat /tmp/answer | sed -e 's|/|\\/|g')
+       adminpass=`crypt_admin_pass $adminpass`
+       echo -n "  Creating initial slapd configuration... " >&2
+       [ -e "${SLAPD_CONF}" ] && rm -rf "${SLAPD_CONF}"
+       if [ "${METHOD}" == "old style" ]
+       then
+               echo "ittvagyok"
+               conf_template="/usr/share/openldap/slapd.init.conf"
+               sed <"$conf_template" \
+                       -e "s/@RootPW@/$adminpass/g" \
+                       -e "s/@backend@/$backend/g" \
+                       -e "s/@SUFFIX@/$basedn/g" \
+                       -e "s/@ADMIN@/cn=admin,$basedn/g" \
+                       > ${SLAPD_CONF}
+       else
+               mkdir "${SLAPD_CONF}"
+               # Need to have a version of the backend name with the first
+               # letter capitalized (ex: olcBdbConfig or olcHdbConfig) to set
+               # the correct objectClass attribute in the db configuration.
+               local backend1="$(echo ${backend:0:1} | tr a-z A-Z)${backend:1}"
+               conf_template="/usr/share/openldap/slapd.init.ldif"
+               init_ldif=`mktemp /tmp/slapd_init.ldif.XXXXXXXXXX`
+               sed <"$conf_template" \
+                       -e "s/@olcRootPW@/olcRootPW: $adminpass/g" \
+                       -e "s/@backend@/$backend/g" \
+                       -e "s/@Backend@/$backend1/g" \
+                       -e "s/@SUFFIX@/$basedn/g" \
+                       -e "s/@ADMIN@/cn=admin,$basedn/g" \
+                       > ${init_ldif}
+               if [ "$adminpass" = "" ]; then
+                       sed -i -e '/^olcRootPW: / d' ${init_ldif}
+               fi
+               capture_diagnostics slapadd -F "${SLAPD_CONF}" \
+                       -b "cn=config" -l ${init_ldif} || failed=1
+               rm "${init_ldif}"
+       fi
+       if [ "$failed" ]; then
+               cat <<-EOF
+Loading the initial configuration from the ldif file (${init_ldif}) failed 
with the following
+error while running slapadd:
+EOF
+               release_diagnostics "    "
+               exit 1
+       fi
+       [ -f ${init_ldif} ] && rm -f ${init_ldif}
+       update_permissions "${SLAPD_CONF}"
+       echo "done." >&2
+}     # }}}
+
+# Make the value utf8 encoded. Takes one argument and utf8 encode it.
+# Usage: val=`encode_utf8 <value>`
+encode_utf8()
+{     # {{{
+       perl -e 'use Encode; print encode_utf8($ARGV[0]);' "$1"
+}     # }}}
+
+# Create a new directory. Takes the basedn and the dc value of that entry.
+# Other information is extracted from debconf.
+# Usage: create_new_directory <basedn> <dc>
+create_new_directory()
+{     # {{{
+       local basedn dc organization
+       basedn="$1"
+       dc="$2"
+
+       # Encode to utf8 and base64 encode the organization.
+       dialog --inputbox "Please enter the organization to use in the base DN 
of your LDAP directory.\n\nOrganization name:" 0 0 2>/tmp/answer
+       RET=$(cat /tmp/answer)
+       organization=`encode_utf8 "$RET"`
+
+       echo -n "  Creating initial LDAP directory... " >&2
+       init_ldif=`mktemp /tmp/slapd_init_dir.ldif.XXXXXXXXXX`
+       echo "dn: $basedn
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+o: $organization
+dc: $dc
+
+dn: cn=admin,$basedn
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+cn: admin
+description: LDAP administrator
+userPassword: $adminpass
+" > ${init_ldif}
+       capture_diagnostics slapadd $confplace "${SLAPD_CONF}" -b "${basedn}" 
-l ${init_ldif} || failed=1
+       if [ "$failed" ]; then
+               echo failed. >&2
+               echo >&2
+               cat <<-EOF
+Loading the initial directory structure from the ldif file (${init_ldif}) 
failed with the following
+error while running slapadd:
+EOF
+               release_diagnostics "    "
+               exit 1
+       fi
+       rm "${init_ldif}"
+       echo "done." >&2
+}     # }}}
+
+# Adds the "allow bind_v2" directive to the configuration if the user decided
+# he wants to have ldap v2 enabled.
+configure_v2_protocol_support()
+{     # {{{
+       local new_conf
+
+       dialog --defaultno --yesno "The obsolete LDAPv2 protocol is disabled by 
default in slapd. Programs and users should upgrade to LDAPv3.  If you have old 
programs which can't use LDAPv3, you should select this option and 'olcAllows: 
bind_v2' will be added to your cn=config directory.\n\nAllow LDAPv2 protocol?" 
0 0
+       RET=$?
+       if [ "$RET" -ne 0 ]
+       then
+               if [ -f ${SLAPD_CONF} ]
+               then
+                       sed -i ${SLAPD_CONF} -e "s/#...@allow_v2@/#allow 
bind_v2/g"
+               fi
+               return 0
+       else
+               echo -n "  Enabling LDAPv2 support... " >&2
+
+               if [ -d "$SLAPD_CONF" ]; then
+                       if ! grep -q -E '^olcAllows:[[:space:]]+bind_v2' 
"${SLAPD_CONF}/cn=config.ldif"; then
+                               echo "olcAllows: bind_v2" >> 
"${SLAPD_CONF}/cn=config.ldif"
+                       fi
+                       echo "done" >&2
+                       return 0
+               elif [ -f "${SLAPD_CONF}" ]
+               then
+                       sed -i ${SLAPD_CONF} -e "s/#...@allow_v2@/allow 
bind_v2/g"
+                       echo "done" >&2
+                       return 0
+               else
+                       return 1
+               fi
+       fi
+
+       echo . >&2
+}     # }}}
+
+# Create a backup of the current configuration files.
+# Usage: backup_config_once
+backup_config_once()
+{     # {{{
+       local backupdir
+
+       if [ -z "$FLAG_CONFIG_BACKED_UP" ]; then
+               backupdir=`database_dumping_destdir`
+               if [ -e "$SLAPD_CONF" ]; then
+                       cp -a "$SLAPD_CONF" "$backupdir"
+               fi
+               FLAG_CONFIG_BACKED_UP=yes
+       fi
+}     # }}}
+
+# Store the encrypted admin password into the debconf db
+# Usage: crypt_admin_pass clear_password
+# XXX: This is the standard unix crypt. Maybe we can get something stronger?
+crypt_admin_pass()
+{     # {{{
+       if [ ! -z "$1" ]
+       then
+               echo `slappasswd -h "{CRYPT}" -s "$1"`
+       fi
+}     # }}}
+
+# Check if a path refers to an empty directory
+# Usage: if is_empty_dir "$dir"; then ... fi
+is_empty_dir()
+{     # {{{
+       output=`find "$1" -type d -maxdepth 0 -empty 2>/dev/null`
+       if [ "$output" ]; then
+               return 0
+       else
+               return 1
+       fi
+}     # }}}
+
+# }}}
+
+# ----- Handling diagnostic output ------------------------------------ {{{
+#
+# Often you want to run a program while you are showing progress
+# information to the user. If the program you are running outputs some
+# diagnostics it will mess up your screen.
+#
+# This is what the following functions are designed for. When running the
+# program, use capture_diagnostics to store what the program outputs to
+# stderr and use release_diagnostics to write out the captured output.
+
+# Run the command passed and capture the diagnostic output in a temporary
+# file. You can dump that file using release_diagnostics.
+capture_diagnostics()
+{     # {{{
+       # Create the temporary file
+       local tmpfile
+       tmpfile=`mktemp`
+       exec 7<>"$tmpfile"
+       rm "$tmpfile"
+
+       # Run the program and capture stderr. If the program fails the
+       # function fails with the same status.
+       "$@" 2>&7 || return $?
+}     # }}}
+
+# Dump the diagnostic output captured via capture_diagnostics, optionally
+# prefixing each line.
+# Usage: release_diagnostics "prefix"
+release_diagnostics()
+{     # {{{
+       local script
+       script='
+               seek STDIN, 0, 0;
+               print "$ARGV[0]$_" while (<STDIN>);';
+       perl -e "$script" "$1" <&7
+}     # }}}
+
+# }}}
+
+# Configure slapd for the first time (when first installed)
+# Usage: postinst_initial_configuration
+postinst_initial_configuration()
+{     # {{{
+       if manual_configuration_wanted; then
+               echo "  Omitting slapd configuration as requested." >&2
+       else
+               create_new_configuration
+               configure_v2_protocol_support
+       fi
+}     # }}}
+
+# }}}
+
+# ===== Global variables ================================================ {{{
+#
+# At some points we need to know which version we are upgrading from if
+# any. More precisely we only care about the configuration and data we
+# might have laying around. Some parts also want to know which mode the
+# script is running in.
+
+# Source the init script configuration
+# See example file debian/slapd.default for variables defined here
+if [ -f "/etc/sysconfig/slapd" ]; then
+       . /etc/sysconfig/slapd
+fi
+
+adminpass=
+
+dialog --radiolist "Which configuration method do you want to use:" 0 0 0 "old 
style" "" on "new style" "" off 2>/tmp/answer
+METHOD=$(cat /tmp/answer)
+
+# Load the default location of the slapd config file
+if [ "$METHOD" == "old style" ]
+then
+       SLAPD_CONF="/etc/openldap/slapd.conf"
+       confplace="-f"
+else
+       SLAPD_CONF="/etc/openldap/slapd.d/"
+       confplace="-F"
+fi
+
+# Create a new user.  Don't create the user, however, if the local
+# administrator has already customized slapd to run as a different user.
+is_user_exist=$(getent passwd openldap | wc -l)
+if [ "openldap" = "$SLAPD_USER" ] && [ $is_user_exist -eq 0 ]; then
+       create_new_user
+fi
+
+postinst_initial_configuration
+
+# }}}
+
+# vim: set sw=8 foldmethod=marker:
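Review bot: Every dialog answer, including the admin password read by `--passwordbox` in create_new_slapd_conf, is written to the fixed path `/tmp/answer`, which is never removed. Because the script runs as root and that path sits in a world-writable directory, a pre-existing symlink can redirect the write, and the cleartext password stays behind in a file created with the caller's umask. I would create one private file with mktemp, remove it from an EXIT trap, and point each `2>/tmp/answer` at it. In database_dumping_destdir the `$(cat /tmp/answer) | sed` pipeline runs the typed directory name as a command instead of feeding it to sed; the fence shows the form the prompt describes. Separately, crypt_admin_pass passes the password to `slappasswd -s` as an argument, where it is visible in the process list while the command runs; slappasswd's `-T file` option reads it from a file instead.

```shell
# near the top of the script, after set -e
answer_file=$(mktemp) || exit 1
trap 'rm -f "$answer_file"' EXIT

# … unchanged: database_dumping_enabled, database_format_changed (dialog now writes to 2>"$answer_file") …

database_dumping_destdir()
{
	local dir
	# … unchanged: dialog --inputbox prompt, ending in 2>"$answer_file" …
	dir=$(sed -e "s/VERSION/$OLD_VERSION/" "$answer_file")
	mkdir -p -m 700 "$dir"
	echo "$dir"
}
```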
diff --git a/source/network-extra/openldap/rc.slapd 
b/source/network-extra/openldap/rc.slapd
index d09e716..3dd2b78 100644
--- a/source/network-extra/openldap/rc.slapd
+++ b/source/network-extra/openldap/rc.slapd
@@ -5,6 +5,7 @@
# distributed under GPL License

source /lib/initscripts/functions
+source /etc/sysconfig/slapd

# chkconfig: 2345 39 61
# description: LDAP stands for Lightweight Directory Access Protocol, used \
@@ -19,7 +20,7 @@ rc_start()
{
start_msg
if [ -z "$(eval $pid)" ]; then
-               /usr/libexec/slapd 2> /dev/null
+               /usr/libexec/slapd -u ${SLAPD_USER} -g ${SLAPD_GROUP} 2> 
/dev/null
ok $?
else
ok 999
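Review bot: In rc_start the new `-u ${SLAPD_USER} -g ${SLAPD_GROUP}` is expanded unquoted and unconditionally, so if /etc/sysconfig/slapd leaves either variable empty slapd receives `-u -g` and the following option is taken as the user name. With stderr sent to /dev/null, the reason for the resulting failed start is not shown. The `source /etc/sysconfig/slapd` added in the first hunk of this file is likewise unconditional, while create_initial_ldap guards the same file with `[ -f ... ]`. I would pass the options only when they are set, `/usr/libexec/slapd ${SLAPD_USER:+-u "$SLAPD_USER"} ${SLAPD_GROUP:+-g "$SLAPD_GROUP"} 2> /dev/null`, and decide explicitly whether an unset SLAPD_USER should refuse to start rather than leave slapd running as root. rc_start continues outside the hunk.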
diff --git a/source/network-extra/openldap/slapd.init.conf 
b/source/network-extra/openldap/slapd.init.conf
new file mode 100644
index 0000000..bef09fb
--- /dev/null
+++ b/source/network-extra/openldap/slapd.init.conf
@@ -0,0 +1,99 @@
+# This is the main slapd configuration file. See slapd.conf(5) for more
+# info on the configuration options.
+
+#######################################################################
+# Global Directives:
+
+ServerID 1
+
+# Features to permit
+...@allow_v2@
+
+# Schema and objectClass definitions
+include         /etc/openldap/schema/core.schema
+include         /etc/openldap/schema/cosine.schema
+include         /etc/openldap/schema/nis.schema
+include         /etc/openldap/schema/inetorgperson.schema
+
+# Schema check allows for forcing entries to
+# match schemas for their objectClasses's
+#schemacheck     off
+
+# Where the pid file is put. The init.d script
+# will not stop the server if you change this.
+pidfile         /var/openldap/run/slapd.pid
+
+# List of arguments that were passed to the server
+#argsfile        /var/openldap/run/slapd.args
+
+# Read slapd.conf(5) for possible values
+#loglevel        0
+
+# Where the dynamically loaded modules are stored
+modulepath     /usr/lib/ldap
+moduleload     ba...@backend@
+
+sizelimit      500
+
+#######################################################################
+# Specific Backend Directives for bdb:
+# Backend specific directives apply to this backend until another
+# 'backend' directive occurs
+backend                @backend@
+
+#######################################################################
+# Specific Backend Directives for 'other':
+# Backend specific directives apply to this backend until another
+# 'backend' directive occurs
+#backend       <other>
+
+#######################################################################
+# Specific Directives for database #1, of type bdb:
+# Database specific directives apply to this databasse until another
+# 'database' directive occurs
+database        @backend@
+
+# The base of your directory in database #1
+suffix         "@SUFFIX@"
+rootdn         "@ADMIN@"
+
+# Where the database file are physically stored for database #1
+directory      "/var/openldap/openldap-data"
+
+# Indexing options for database #1
+index          objectClass eq
+index          userPassword eq,pres
+index          entryUUID eq,pres
+index          entryCSN eq,pres
+
+cachesize 1000000
+#dbcachesize 100000
+
+# Save the time that the entry gets modified, for database #1
+lastmod         on
+
+rootdn "@ADMIN@"
+rootpw @RootPW@
+
+# The userPassword by default can be changed
+# by the entry owning it if they are authenticated.
+# Others should not be able to see it, except the
+# admin entry below
+# These access lines apply to database #1 only
+access to attrs=userPassword by dn.regex="@ADMIN@" write by anonymous auth by 
self write by * none
+
+# Ensure read access to the base for things like
+# supportedSASLMechanisms.  Without this you may
+# have problems with SASL not knowing what
+# mechanisms are available and the like.
+# Note that this is covered by the 'access to *'
+# ACL below too but if you change that as people
+# are wont to do you'll still need this if you
+# want SASL (and possible other things) to work
+# happily.
+access to dn.base="" by * read
+
+# The admin dn has full write access, everyone else
+# can read everything.
+access to * by dn.regex="@ADMIN@" write by * read
+
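Review bot: Both `by dn.regex="@ADMIN@"` clauses (the userPassword rule and the final `access to *` rule) treat the substituted admin DN as an unanchored regular expression, so write access goes to any bound DN that merely contains that string, for example an entry created beneath the admin entry. An exact match expresses the intent: `by dn.exact="@ADMIN@" write`. The last rule's `by * read` also lets anonymous clients read every attribute other than userPassword. If that is the intended default for a shipped template, a comment saying so would help; otherwise `by users read` is a safer starting point.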
diff --git a/source/network-extra/openldap/slapd.init.ldif 
b/source/network-extra/openldap/slapd.init.ldif
new file mode 100644
index 0000000..2a5cb5c
--- /dev/null
+++ b/source/network-extra/openldap/slapd.init.ldif
@@ -0,0 +1,105 @@
+# Global config:
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+# Where the pid file is put. The init.d script
+# will not stop the server if you change this.
+olcPidFile: /var/openldap/run/slapd.pid
+# List of arguments that were passed to the server
+olcArgsFile: /var/openldap/run/slapd.args
+# Read slapd.conf(5) for possible values
+olcLogLevel: none
+# The tool-threads parameter sets the actual amount of cpu's that is used
+# for indexing.
+olcToolThreads: 1
+
+# Load dynamic backend modules
+dn: cn=module,cn=config
+objectClass: olcModuleList
+cn: module
+olcModulepath: /usr/lib/ldap
+olcModuleload: ba...@backend@
+
+# Load schemas
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+
+include: file:///etc/openldap/schema/core.ldif
+include: file:///etc/openldap/schema/cosine.ldif
+include: file:///etc/openldap/schema/nis.ldif
+include: file:///etc/openldap/schema/inetorgperson.ldif
+
+# Frontend settings
+dn: olcDatabase={-1}frontend,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcFrontendConfig
+olcDatabase: {-1}frontend
+# The maximum number of entries that is returned for a search operation
+olcSizeLimit: 500
+
+# Config db settings
+dn: olcDatabase=config,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: config
+olcRootDN: cn=admin,cn=config
+...@olcrootpw@
+
+# Database settings
+dn: olcdataba...@backend@,cn=config
+objectClass: olcDatabaseConfig
+objectClass: o...@backend@Config
+olcDatabase: @backend@
+# The base of your directory
+olcSuffix: @SUFFIX@
+# rootdn directive for specifying a superuser on the database. This is needed
+# for syncrepl.
+# olcRootDN: @ADMIN@
+# @olcRootPW@
+# Where the database file are physically stored
+olcDbDirectory: /var/openldap/openldap-data
+# The dbconfig settings are used to generate a DB_CONFIG file the first
+# time slapd starts.  They do NOT override existing an existing DB_CONFIG
+# file.  You should therefore change these settings in DB_CONFIG directly
+# or remove DB_CONFIG and restart slapd for changes to take effect.
+# For the Debian package we use 2MB as default but be sure to update this
+# value if you have plenty of RAM
+olcDbConfig: set_cachesize 0 2097152 0
+# Sven Hartge reported that he had to set this value incredibly high
+# to get slapd running at all. See http://bugs.debian.org/303057 for more
+# information.
+# Number of objects that can be locked at the same time.
+olcDbConfig: set_lk_max_objects 1500
+# Number of locks (both requested and granted)
+olcDbConfig: set_lk_max_locks 1500
+# Number of lockers
+olcDbConfig: set_lk_max_lockers 1500
+# Indexing options
+olcDbIndex: objectClass eq
+# Save the time that the entry gets modified
+olcLastMod: TRUE
+# Checkpoint the BerkeleyDB database periodically in case of system
+# failure and to speed slapd shutdown.
+olcDbCheckpoint: 512 30
+# The userPassword by default can be changed
+# by the entry owning it if they are authenticated.
+# Others should not be able to see it, except the
+# admin entry below
+# These access lines apply to database #1 only
+olcAccess: to attrs=userPassword,shadowLastChange by dn="@ADMIN@" write by 
anonymous auth by self write by * none
+# Ensure read access to the base for things like
+# supportedSASLMechanisms.  Without this you may
+# have problems with SASL not knowing what
+# mechanisms are available and the like.
+# Note that this is covered by the 'access to *'
+# ACL below too but if you change that as people
+# are wont to do you'll still need this if you
+# want SASL (and possible other things) to work
+# happily.
+olcAccess: to dn.base="" by * read
+# The admin dn has full write access, everyone else
+# can read everything.
+olcAccess: to * by dn="@ADMIN@" write by * read
+# For Netscape Roaming support, each user gets a roaming
+# profile for which they have write access to
+#olcAccess: to dn=".*,ou=Roaming,o=morsnet" by dn="@ADMIN@" write by 
dnattr=owner write
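Review bot: The last active ACL, `olcAccess: to * by dn="@ADMIN@" write by * read`, lets unauthenticated clients read every entry and attribute in the new tree except `userPassword` and `shadowLastChange`, which is a wide default for a template that fresh installs start from. If anonymous lookups are not required, I would ship `olcAccess: to * by dn="@ADMIN@" write by users read by anonymous auth` and let sites loosen it deliberately. The same `by * read` rule appears in slapd.init.conf, whose userPassword rule also omits the `shadowLastChange` attribute that this file protects. Separately, `olcLogLevel: none` leaves no record of binds or searches, so `olcLogLevel: stats` would give operators an audit trail.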
diff --git a/source/network-extra/openldap/slapd.sysconfig 
b/source/network-extra/openldap/slapd.sysconfig
new file mode 100644
index 0000000..cbe548d
--- /dev/null
+++ b/source/network-extra/openldap/slapd.sysconfig
@@ -0,0 +1,47 @@
+# Location of the slapd configuration to use.  If using the cn=config
+# backend to store configuration in LDIF, set this variable to the
+# directory containing the cn=config data; otherwise set it to the location
+# of your slapd.conf file.  If empty, use the compiled-in default
+# (/etc/openldap/slapd.conf).
+SLAPD_CONF=/etc/openldap/slapd.conf
+
+# System account to run the slapd server under. If empty the server
+# will run as root.
+SLAPD_USER="openldap"
+
+# System group to run the slapd server under. If empty the server will
+# run in the primary group of its user.
+SLAPD_GROUP="openldap"
+
+# Path to the pid file of the slapd server. If not set the init.d script
+# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.d by
+# default)
+SLAPD_PIDFILE=
+
+# slapd normally serves ldap only on all TCP-ports 389. slapd can also
+# service requests on TCP-port 636 (ldaps) and requests via unix
+# sockets.
+# Example usage:
+# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
+SLAPD_SERVICES="ldap:/// ldapi:///"
+
+# If SLAPD_NO_START is set, the init script will not start or restart
+# slapd (but stop will still work).  Uncomment this if you are
+# starting slapd via some other means or if you don't want slapd normally
+# started at boot.
+#SLAPD_NO_START=1
+
+# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
+# the init script will not start or restart slapd (but stop will still
+# work).  Use this for temporarily disabling startup of slapd (when doing
+# maintenance, for example, or through a configuration management system)
+# when you don't want to edit a configuration file.
+SLAPD_SENTINEL_FILE=/etc/openldap/noslapd
+
+# For Kerberos authentication (via SASL), slapd by default uses the system
+# keytab file (/etc/krb5.keytab).  To use a different keytab file,
+# uncomment this line and change the path.
+#export KRB5_KTNAME=/etc/krb5.keytab
+
+# Additional options to pass to slapd
+SLAPD_OPTIONS=""
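Review bot: `SLAPD_SERVICES="ldap:/// ldapi:///"` opens the cleartext LDAP listener on every interface, and the shipped ACLs permit simple binds (`by anonymous auth`), so unless TLS is set up elsewhere, passwords can cross the network unencrypted. A safer packaged default would be `SLAPD_SERVICES="ldap://127.0.0.1:389/ ldapi:///"`, with a comment telling the admin to add `ldaps:///` or enable StartTLS before exposing it to other hosts. The comments also look carried over from another distribution: the SLAPD_PIDFILE text names `/etc/ldap/slapd.d` while SLAPD_CONF points at `/etc/openldap/slapd.conf`. The sentence "serves ldap only on all TCP-ports 389" would read better as `# By default slapd listens for ldap on TCP port 389 on all interfaces.`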