1 From ceaad5c741c95c78d924cb6b179daa6c6b60bf91 Mon Sep 17 00:00:00 2001
2 From: babak sarashki <babak.sarashki@windriver.com>
3 Date: Wed, 4 Dec 2019 08:07:24 -0800
4 Subject: [PATCH] stx openldap config files
7 stx-openldap-config/LICENSE | 202 ++++++++++++++++++++++++
8 stx-openldap-config/initial_config.ldif | 80 ++++++++++
9 stx-openldap-config/initscript | 100 ++++++++++++
10 stx-openldap-config/slapd.conf | 117 ++++++++++++++
11 stx-openldap-config/slapd.service | 23 +++
12 stx-openldap-config/slapd.sysconfig | 15 ++
13 6 files changed, 537 insertions(+)
14 create mode 100644 stx-openldap-config/LICENSE
15 create mode 100644 stx-openldap-config/initial_config.ldif
16 create mode 100755 stx-openldap-config/initscript
17 create mode 100644 stx-openldap-config/slapd.conf
18 create mode 100644 stx-openldap-config/slapd.service
19 create mode 100644 stx-openldap-config/slapd.sysconfig
21 diff --git a/stx-openldap-config/LICENSE b/stx-openldap-config/LICENSE
23 index 000000000..d64569567
25 +++ b/stx-openldap-config/LICENSE
29 + Version 2.0, January 2004
30 + http://www.apache.org/licenses/
32 + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
36 + "License" shall mean the terms and conditions for use, reproduction,
37 + and distribution as defined by Sections 1 through 9 of this document.
39 + "Licensor" shall mean the copyright owner or entity authorized by
40 + the copyright owner that is granting the License.
42 + "Legal Entity" shall mean the union of the acting entity and all
43 + other entities that control, are controlled by, or are under common
44 + control with that entity. For the purposes of this definition,
45 + "control" means (i) the power, direct or indirect, to cause the
46 + direction or management of such entity, whether by contract or
47 + otherwise, or (ii) ownership of fifty percent (50%) or more of the
48 + outstanding shares, or (iii) beneficial ownership of such entity.
50 + "You" (or "Your") shall mean an individual or Legal Entity
51 + exercising permissions granted by this License.
53 + "Source" form shall mean the preferred form for making modifications,
54 + including but not limited to software source code, documentation
55 + source, and configuration files.
57 + "Object" form shall mean any form resulting from mechanical
58 + transformation or translation of a Source form, including but
59 + not limited to compiled object code, generated documentation,
60 + and conversions to other media types.
62 + "Work" shall mean the work of authorship, whether in Source or
63 + Object form, made available under the License, as indicated by a
64 + copyright notice that is included in or attached to the work
65 + (an example is provided in the Appendix below).
67 + "Derivative Works" shall mean any work, whether in Source or Object
68 + form, that is based on (or derived from) the Work and for which the
69 + editorial revisions, annotations, elaborations, or other modifications
70 + represent, as a whole, an original work of authorship. For the purposes
71 + of this License, Derivative Works shall not include works that remain
72 + separable from, or merely link (or bind by name) to the interfaces of,
73 + the Work and Derivative Works thereof.
75 + "Contribution" shall mean any work of authorship, including
76 + the original version of the Work and any modifications or additions
77 + to that Work or Derivative Works thereof, that is intentionally
78 + submitted to Licensor for inclusion in the Work by the copyright owner
79 + or by an individual or Legal Entity authorized to submit on behalf of
80 + the copyright owner. For the purposes of this definition, "submitted"
81 + means any form of electronic, verbal, or written communication sent
82 + to the Licensor or its representatives, including but not limited to
83 + communication on electronic mailing lists, source code control systems,
84 + and issue tracking systems that are managed by, or on behalf of, the
85 + Licensor for the purpose of discussing and improving the Work, but
86 + excluding communication that is conspicuously marked or otherwise
87 + designated in writing by the copyright owner as "Not a Contribution."
89 + "Contributor" shall mean Licensor and any individual or Legal Entity
90 + on behalf of whom a Contribution has been received by Licensor and
91 + subsequently incorporated within the Work.
93 + 2. Grant of Copyright License. Subject to the terms and conditions of
94 + this License, each Contributor hereby grants to You a perpetual,
95 + worldwide, non-exclusive, no-charge, royalty-free, irrevocable
96 + copyright license to reproduce, prepare Derivative Works of,
97 + publicly display, publicly perform, sublicense, and distribute the
98 + Work and such Derivative Works in Source or Object form.
100 + 3. Grant of Patent License. Subject to the terms and conditions of
101 + this License, each Contributor hereby grants to You a perpetual,
102 + worldwide, non-exclusive, no-charge, royalty-free, irrevocable
103 + (except as stated in this section) patent license to make, have made,
104 + use, offer to sell, sell, import, and otherwise transfer the Work,
105 + where such license applies only to those patent claims licensable
106 + by such Contributor that are necessarily infringed by their
107 + Contribution(s) alone or by combination of their Contribution(s)
108 + with the Work to which such Contribution(s) was submitted. If You
109 + institute patent litigation against any entity (including a
110 + cross-claim or counterclaim in a lawsuit) alleging that the Work
111 + or a Contribution incorporated within the Work constitutes direct
112 + or contributory patent infringement, then any patent licenses
113 + granted to You under this License for that Work shall terminate
114 + as of the date such litigation is filed.
116 + 4. Redistribution. You may reproduce and distribute copies of the
117 + Work or Derivative Works thereof in any medium, with or without
118 + modifications, and in Source or Object form, provided that You
119 + meet the following conditions:
121 + (a) You must give any other recipients of the Work or
122 + Derivative Works a copy of this License; and
124 + (b) You must cause any modified files to carry prominent notices
125 + stating that You changed the files; and
127 + (c) You must retain, in the Source form of any Derivative Works
128 + that You distribute, all copyright, patent, trademark, and
129 + attribution notices from the Source form of the Work,
130 + excluding those notices that do not pertain to any part of
131 + the Derivative Works; and
133 + (d) If the Work includes a "NOTICE" text file as part of its
134 + distribution, then any Derivative Works that You distribute must
135 + include a readable copy of the attribution notices contained
136 + within such NOTICE file, excluding those notices that do not
137 + pertain to any part of the Derivative Works, in at least one
138 + of the following places: within a NOTICE text file distributed
139 + as part of the Derivative Works; within the Source form or
140 + documentation, if provided along with the Derivative Works; or,
141 + within a display generated by the Derivative Works, if and
142 + wherever such third-party notices normally appear. The contents
143 + of the NOTICE file are for informational purposes only and
144 + do not modify the License. You may add Your own attribution
145 + notices within Derivative Works that You distribute, alongside
146 + or as an addendum to the NOTICE text from the Work, provided
147 + that such additional attribution notices cannot be construed
148 + as modifying the License.
150 + You may add Your own copyright statement to Your modifications and
151 + may provide additional or different license terms and conditions
152 + for use, reproduction, or distribution of Your modifications, or
153 + for any such Derivative Works as a whole, provided Your use,
154 + reproduction, and distribution of the Work otherwise complies with
155 + the conditions stated in this License.
157 + 5. Submission of Contributions. Unless You explicitly state otherwise,
158 + any Contribution intentionally submitted for inclusion in the Work
159 + by You to the Licensor shall be under the terms and conditions of
160 + this License, without any additional terms or conditions.
161 + Notwithstanding the above, nothing herein shall supersede or modify
162 + the terms of any separate license agreement you may have executed
163 + with Licensor regarding such Contributions.
165 + 6. Trademarks. This License does not grant permission to use the trade
166 + names, trademarks, service marks, or product names of the Licensor,
167 + except as required for reasonable and customary use in describing the
168 + origin of the Work and reproducing the content of the NOTICE file.
170 + 7. Disclaimer of Warranty. Unless required by applicable law or
171 + agreed to in writing, Licensor provides the Work (and each
172 + Contributor provides its Contributions) on an "AS IS" BASIS,
173 + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
174 + implied, including, without limitation, any warranties or conditions
175 + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
176 + PARTICULAR PURPOSE. You are solely responsible for determining the
177 + appropriateness of using or redistributing the Work and assume any
178 + risks associated with Your exercise of permissions under this License.
180 + 8. Limitation of Liability. In no event and under no legal theory,
181 + whether in tort (including negligence), contract, or otherwise,
182 + unless required by applicable law (such as deliberate and grossly
183 + negligent acts) or agreed to in writing, shall any Contributor be
184 + liable to You for damages, including any direct, indirect, special,
185 + incidental, or consequential damages of any character arising as a
186 + result of this License or out of the use or inability to use the
187 + Work (including but not limited to damages for loss of goodwill,
188 + work stoppage, computer failure or malfunction, or any and all
189 + other commercial damages or losses), even if such Contributor
190 + has been advised of the possibility of such damages.
192 + 9. Accepting Warranty or Additional Liability. While redistributing
193 + the Work or Derivative Works thereof, You may choose to offer,
194 + and charge a fee for, acceptance of support, warranty, indemnity,
195 + or other liability obligations and/or rights consistent with this
196 + License. However, in accepting such obligations, You may act only
197 + on Your own behalf and on Your sole responsibility, not on behalf
198 + of any other Contributor, and only if You agree to indemnify,
199 + defend, and hold each Contributor harmless for any liability
200 + incurred by, or claims asserted against, such Contributor by reason
201 + of your accepting any such warranty or additional liability.
203 + END OF TERMS AND CONDITIONS
205 + APPENDIX: How to apply the Apache License to your work.
207 + To apply the Apache License to your work, attach the following
208 + boilerplate notice, with the fields enclosed by brackets "[]"
209 + replaced with your own identifying information. (Don't include
210 + the brackets!) The text should be enclosed in the appropriate
211 + comment syntax for the file format. We also recommend that a
212 + file or class name and description of purpose be included on the
213 + same "printed page" as the copyright notice for easier
214 + identification within third-party archives.
216 + Copyright [yyyy] [name of copyright owner]
218 + Licensed under the Apache License, Version 2.0 (the "License");
219 + you may not use this file except in compliance with the License.
220 + You may obtain a copy of the License at
222 + http://www.apache.org/licenses/LICENSE-2.0
224 + Unless required by applicable law or agreed to in writing, software
225 + distributed under the License is distributed on an "AS IS" BASIS,
226 + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
227 + See the License for the specific language governing permissions and
228 + limitations under the License.
229 diff --git a/stx-openldap-config/initial_config.ldif b/stx-openldap-config/initial_config.ldif
231 index 000000000..672e364b5
233 +++ b/stx-openldap-config/initial_config.ldif
235 +#ldapadd -D "cn=ldapadmin,dc=cgcs,dc=local" -W -f /etc/openldap/initial_config.ldif
236 +#ldapsearch -x -b 'dc=cgcs,dc=local' '(objectclass=*)'
237 +dn: dc=cgcs,dc=local
242 +dn: ou=policies,dc=cgcs,dc=local
245 +objectClass: organizationalUnit
247 +dn: ou=People,dc=cgcs,dc=local
250 +objectClass: organizationalUnit
252 +dn: ou=Group,dc=cgcs,dc=local
255 +objectClass: organizationalUnit
257 +dn: ou=SUDOers,dc=cgcs,dc=local
259 +objectClass: organizationalUnit
262 +dn: cn=users,ou=Group,dc=cgcs,dc=local
263 +objectClass: posixGroup
266 +userPassword: {crypt}x
269 +dn: cn=cgcs,ou=Group,dc=cgcs,dc=local
270 +objectClass: posixGroup
273 +userPassword: {crypt}x
276 +dn: cn=default,ou=policies,dc=cgcs,dc=local
279 +objectClass: pwdPolicy
280 +objectClass: pwdPolicyChecker
282 +pwdAttribute: userPassword
284 +pwdExpireWarning: 432000
286 +pwdCheckModule: check_password.so
291 +pwdLockoutDuration: 300
292 +pwdFailureCountInterval: 0
294 +pwdAllowUserChange: TRUE
295 +pwdSafeModify: FALSE
296 +pwdGraceAuthNLimit: 0
298 +dn: cn=defaults,ou=SUDOers,dc=cgcs,dc=local
300 +objectClass: sudoRole
302 +description: Default sudoOption's go here
305 +dn: cn=admin,ou=SUDOers,dc=cgcs,dc=local
307 +objectClass: sudoRole
314 +sudoOption: secure_path=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
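Review bot: the `cn=default` password policy sets `pwdLockoutDuration: 300` and `pwdFailureCountInterval: 0`, but lockout only takes effect when the entry also carries `pwdLockout: TRUE` and a `pwdMaxFailure` value, and `pwdExpireWarning: 432000` does nothing without a `pwdMaxAge`; none of those attributes is visible in this hunk (the lines between `pwdCheckModule` and `pwdLockoutDuration` are not shown), so please confirm they are present or the lockout and expiry settings are inert. Next to `pwdCheckModule: check_password.so` it is worth a comment that the module must be installed in slapd's module path (`/usr/libexec/openldap` per slapd.conf in this series) for password-quality checks to run at all. The `#ldapsearch -x -b 'dc=cgcs,dc=local' '(objectclass=*)'` usage line documents an anonymous search of the whole tree; that only works because no ACL restricts it, which ties this file to the ACL question raised against slapd.conf below and should be stated explicitly rather than left as a working example.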
315 diff --git a/stx-openldap-config/initscript b/stx-openldap-config/initscript
317 index 000000000..d3208dd9a
319 +++ b/stx-openldap-config/initscript
323 +# This is an init script for openembedded
324 +# Copy it to /etc/init.d/openldap and type
325 +# > update-rc.d openldap defaults 60
327 +. /etc/init.d/functions
329 +################################################################################
330 +# Wait for a process to stop running.
332 +################################################################################
333 +function wait_for_proc_stop()
338 + for I in $(seq 1 $TIMEOUT); do
339 + PID=$(pidof $PROGNAME 2> /dev/null)
340 + if [ $? -ne 0 ]; then
350 +slapd=/usr/sbin/slapd
351 +test -x "$slapd" || exit 0
357 + echo -n "Starting SLAPD: "
358 + if [ -f /etc/openldap/schema/cn=config.ldif ]; then
359 + start-stop-daemon --start --oknodo --quiet --exec $slapd \
360 + -- -F /etc/openldap/schema/
363 + start-stop-daemon --start --oknodo --quiet --exec $slapd
366 + if [ $RETVAL -ne 0 ]; then
367 + echo "Failed to start SLAPD."
371 + # we need to start nscd service as part of this openldap
372 + # init.d script since SM manages this as a service and both
373 + # daemons should be running on a controller host
374 + systemctl status nscd.service
375 + if [ $? -ne 0 ]; then
376 + echo -n "Starting NSCD: "
377 + systemctl start nscd.service
379 + if [ $RETVAL -ne 0 ]; then
380 + echo "Failed to start NSCD."
388 + echo -n "Stopping NSCD: "
389 + systemctl stop nscd.service
390 + rm -f /var/run/nscd/nscd.pid
392 + echo -n "Stopping SLAPD: "
393 + start-stop-daemon --retry 60 --stop --oknodo --quiet --pidfile /var/run/slapd.pid
395 + wait_for_proc_stop $slapd 10
397 + while [ $WRETVAL -eq 1 ]; do
399 + wait_for_proc_stop $slapd 10
402 + rm -f /var/run/slapd.pid
407 + [ $? -eq 0 ] || exit $?
408 + systemctl status nscd.service
409 + [ $? -eq 0 ] || exit $?
416 + echo "Usage: /etc/init.d/openldap {start|stop|status|restart}"
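Review bot: the status checks `[ $? -eq 0 ] || exit $?` (twice near the end of the script) exit with the status of the `[` test itself, which is always 1 once it has failed, not with the status of the command being checked; capture it first, e.g. `rc=$?; [ $rc -eq 0 ] || exit $rc`. In the stop branch, `while [ $WRETVAL -eq 1 ]; do` around `wait_for_proc_stop $slapd 10` loops forever if slapd never exits after `start-stop-daemon --retry 60 --stop`; bound the loop and return non-zero so the service manager sees the failure instead of a hung stop job. In the start branch, both `start-stop-daemon --start ... --exec $slapd` calls pass no `-h`, so the `SLAPD_URLS`/`SLAPD_OPTIONS` values defined in slapd.service and slapd.sysconfig never reach slapd: it listens only on its default `ldap:///`, and the `ldapi:///` socket that the sysconfig comment describes as required is never created. Suggest `-- -h "$SLAPD_URLS" $SLAPD_OPTIONS` on both calls. The same calls omit `-u`/`-g`, so slapd keeps running as root; starting it as a dedicated user is what makes the mode-700 data directory advice in slapd.conf meaningful.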
421 diff --git a/stx-openldap-config/slapd.conf b/stx-openldap-config/slapd.conf
423 index 000000000..3b6fcc545
425 +++ b/stx-openldap-config/slapd.conf
428 +# See slapd.conf(5) for details on configuration options.
429 +# This file should NOT be world readable.
431 +include /etc/openldap/schema/core.schema
432 +include /etc/openldap/schema/cosine.schema
433 +include /etc/openldap/schema/inetorgperson.schema
434 +include /etc/openldap/schema/nis.schema
435 +include /etc/openldap/schema/ppolicy.schema
436 +include /etc/openldap/schema/sudo.schema
438 +# Define global ACLs to disable default read access.
440 +# Do not enable referrals until AFTER you have a working directory
441 +# service AND an understanding of referrals.
442 +#referral ldap://root.openldap.org
444 +pidfile /var/run/slapd.pid
445 +argsfile /var/run/slapd.args
447 +# uniquely identifies this server
450 +# Load dynamic backend modules:
451 +modulepath /usr/libexec/openldap
452 +moduleload back_mdb.la
453 +moduleload ppolicy.la
454 +moduleload syncprov.la
456 +# Sample security restrictions
457 +# Require integrity protection (prevent hijacking)
458 +# Require 112-bit (3DES or better) encryption for updates
459 +# Require 63-bit encryption for simple bind
460 +# security ssf=1 update_ssf=112 simple_bind=64
462 +# Sample access control policy:
463 +# Root DSE: allow anyone to read it
464 +# Subschema (sub)entry DSE: allow anyone to read it
466 +# Allow self write access
467 +# Allow authenticated users read access
468 +# Allow anonymous users to authenticate
469 +# Directives needed to implement policy:
470 +#access to dn.base="" by * read
471 +#access to dn.base="cn=Subschema" by * read
477 +# if no access controls are present, the default policy
478 +# allows anyone and everyone to read anything but restricts
479 +# updates to rootdn. (e.g., "access to * by * read")
481 +# rootdn can always read and write EVERYTHING!
483 +#######################################################################
484 +# BDB database definitions
485 +#######################################################################
488 +suffix "dc=cgcs,dc=local"
489 +rootdn "cn=ldapadmin,dc=cgcs,dc=local"
490 +# Cleartext passwords, especially for the rootdn, should
491 +# be avoid. See slappasswd(8) and slapd.conf(5) for details.
492 +# Use of strong authentication encouraged.
493 +rootpw _LDAPADMIN_PW_
494 +# The database directory MUST exist prior to running slapd AND
495 +# should only be accessible by the slapd and slap tools.
496 +# Mode 700 recommended.
497 +directory /var/lib/openldap-data
500 +# Indices to maintain
502 +index objectClass eq
503 +index uid eq,pres,sub
507 +index sudoUser eq,sub
516 +ppolicy_default "cn=default,ou=policies,dc=cgcs,dc=local"
520 +# syncrepl directives for each of the other masters
522 + provider=ldap://controller-1
523 + type=refreshAndPersist
525 + searchbase="dc=cgcs,dc=local"
528 + binddn="cn=ldapadmin,dc=cgcs,dc=local"
529 + credentials=_LDAPADMIN_PW_
531 +# syncprov specific indexing (add others as required)
535 +# # mirror mode essential to allow writes
536 +# # and must appear after all syncrepl directives
539 +# # define the provider to use the syncprov overlay
540 +# # (last directives in database section)
542 +# # contextCSN saved to database every 100 updates or ten minutes
543 +syncprov-checkpoint 1 1
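Review bot: `rootpw _LDAPADMIN_PW_` and `credentials=_LDAPADMIN_PW_` are substituted with the same secret at deploy time, so the rootdn password ends up in cleartext in two places in this file and, via `binddn="cn=ldapadmin,dc=cgcs,dc=local"`, is sent over plain `ldap://controller-1` on every replication bind; the comment directly above `rootpw` already says cleartext should be avoided. Suggest substituting a `{SSHA}` hash from slappasswd(8) for `rootpw`, replicating with a dedicated, ACL-limited replicator DN rather than the rootdn (which bypasses every ACL), and adding `starttls=critical` plus a `tls_reqcert` setting to the syncrepl block or restricting the provider URL to a trusted interface. Separately, no uncommented `access to` directive appears in the visible part of this hunk (the lines between the commented samples and the "if no access controls are present" note are not shown), and that note describes exactly the resulting state: anyone, including anonymous binds, can read everything, `userPassword` hashes included. An `access to attrs=userPassword by self write by anonymous auth by * none` rule ahead of the catch-all is the usual minimum; please confirm it exists. Minor: the comment above `syncprov-checkpoint 1 1` says "every 100 updates or ten minutes" but the values mean every operation or every minute; the `# BDB database definitions` banner is stale for `back_mdb.la`; and "should be avoid" should read "should be avoided".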
544 diff --git a/stx-openldap-config/slapd.service b/stx-openldap-config/slapd.service
546 index 000000000..24b39380a
548 +++ b/stx-openldap-config/slapd.service
551 +Description=OpenLDAP Server Daemon
552 +Before=rsyncd.service
553 +After=network.target syslog-ng.target
554 +Documentation=man:slapd
555 +Documentation=man:slapd-config
556 +Documentation=man:slapd-hdb
557 +Documentation=man:slapd-mdb
558 +Documentation=file:///usr/share/doc/openldap-servers/guide.html
562 +PIDFile=/var/run/slapd.pid
563 +Environment="SLAPD_URLS=ldap:/// ldapi:///" "SLAPD_OPTIONS="
564 +EnvironmentFile=/etc/sysconfig/slapd
565 +ExecStartPre=/usr/libexec/openldap/check-config.sh
566 +ExecStart=/etc/init.d/openldap start
567 +ExecStop=/etc/init.d/openldap stop
568 +ExecReload=/etc/init.d/openldap restart
572 +WantedBy=multi-user.target
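Review bot: `ExecStart=/etc/init.d/openldap start` delegates to a forking init script, so the unit needs `Type=forking` to go with `PIDFile=/var/run/slapd.pid` (the `[Service]` lines above `PIDFile` are not visible here; please confirm). `ExecReload=/etc/init.d/openldap restart` turns `systemctl reload` into a full stop/start with a new PID that drops every client connection; remove ExecReload so reload is reported as unsupported rather than silently restarting. `Environment="SLAPD_URLS=ldap:/// ldapi:///" "SLAPD_OPTIONS="` and `EnvironmentFile=/etc/sysconfig/slapd` are dead settings unless the init script consumes those variables, which in this series it does not, and the inline default lists `ldap:///` first while slapd.sysconfig lists `ldapi:///` first: keep one source of truth and make the start path use it. `ExecStartPre=/usr/libexec/openldap/check-config.sh` is referenced but not added by this patch; state where it comes from so the dependency on the distro openldap-servers package is explicit.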
573 diff --git a/stx-openldap-config/slapd.sysconfig b/stx-openldap-config/slapd.sysconfig
575 index 000000000..573486da4
577 +++ b/stx-openldap-config/slapd.sysconfig
579 +# OpenLDAP server configuration
580 +# see 'man slapd' for additional information
582 +# Where the server will run (-h option)
583 +# - ldapi:/// is required for on-the-fly configuration using client tools
584 +# (use SASL with EXTERNAL mechanism for authentication)
585 +# - default: ldapi:/// ldap:///
586 +# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
587 +SLAPD_URLS="ldapi:/// ldap:///"
589 +# Any custom options
592 +# Keytab location for GSSAPI Kerberos authentication
593 +#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
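Review bot: `SLAPD_URLS="ldapi:/// ldap:///"` binds the cleartext LDAP listener on every interface while the `security ssf=...` line in slapd.conf stays commented out and no `ldaps:///` URL is configured, so simple binds, including the rootdn credential used by syncrepl, cross the network unprotected; either add `ldaps:///` and require TLS through `security`, or narrow `ldap://` to the address the peer controller needs, as the `# - example:` comment above already illustrates. Also note beside this line that the value is only honoured if the start path passes `-h "$SLAPD_URLS"`, which the init script in this series currently does not, so as submitted this file has no effect.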