1 From 2adc9fa71e3a47542793e61c7794629fa9255a57 Mon Sep 17 00:00:00 2001
2 From: babak sarashki <babak.sarashki@windriver.com>
3 Date: Tue, 5 Nov 2019 14:49:06 -0800
4 Subject: [PATCH] openldap and stx source and config files
6 From stx 1901 openldap-2.4.44-21.el7_6.src.rpm
8 stx-sources/ldap.conf | 18 +++
9 stx-sources/libexec-check-config.sh | 91 ++++++++++++
10 stx-sources/libexec-convert-config.sh | 79 ++++++++++
11 stx-sources/libexec-create-certdb.sh | 70 +++++++++
12 stx-sources/libexec-functions | 136 +++++++++++++++++
13 stx-sources/libexec-generate-server-cert.sh | 118 +++++++++++++++
14 stx-sources/libexec-update-ppolicy-schema.sh | 142 ++++++++++++++++++
15 stx-sources/libexec-upgrade-db.sh | 40 +++++
16 stx-sources/openldap.tmpfiles | 3 +
17 stx-sources/slapd.ldif | 148 +++++++++++++++++++
18 stx-sources/slapd.service | 19 +++
19 stx-sources/slapd.sysconfig | 15 ++
20 stx-sources/slapd.tmpfiles | 2 +
21 13 files changed, 881 insertions(+)
22 create mode 100644 stx-sources/ldap.conf
23 create mode 100755 stx-sources/libexec-check-config.sh
24 create mode 100755 stx-sources/libexec-convert-config.sh
25 create mode 100755 stx-sources/libexec-create-certdb.sh
26 create mode 100644 stx-sources/libexec-functions
27 create mode 100755 stx-sources/libexec-generate-server-cert.sh
28 create mode 100755 stx-sources/libexec-update-ppolicy-schema.sh
29 create mode 100755 stx-sources/libexec-upgrade-db.sh
30 create mode 100644 stx-sources/openldap.tmpfiles
31 create mode 100644 stx-sources/slapd.ldif
32 create mode 100644 stx-sources/slapd.service
33 create mode 100644 stx-sources/slapd.sysconfig
34 create mode 100644 stx-sources/slapd.tmpfiles
36 diff --git a/stx-sources/ldap.conf b/stx-sources/ldap.conf
38 index 0000000..aa6f8fd
40 +++ b/stx-sources/ldap.conf
46 +# See ldap.conf(5) for details
47 +# This file should be world readable but not world writable.
49 +#BASE dc=example,dc=com
50 +#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
56 +TLS_CACERTDIR /etc/openldap/certs
58 +# Turning this off breaks GSSAPI used with krb5 when rdns = false
60 diff --git a/stx-sources/libexec-check-config.sh b/stx-sources/libexec-check-config.sh
62 index 0000000..87e377f
64 +++ b/stx-sources/libexec-check-config.sh
67 +# Author: Jan Vcelak <jvcelak@redhat.com>
69 +. /usr/libexec/openldap/functions
71 +function check_config_syntax()
74 + tmp_slaptest=`mktemp --tmpdir=/var/run/openldap`
75 + run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &>$tmp_slaptest
76 + if [ $? -ne 0 ]; then
77 + error "Checking configuration file failed:"
78 + cat $tmp_slaptest >&2
85 +function check_certs_perms()
88 + for cert in `certificates`; do
89 + run_as_ldap "/usr/bin/test -e \"$cert\""
90 + if [ $? -ne 0 ]; then
91 + error "TLS certificate/key/DB '%s' was not found." "$cert"
95 + run_as_ldap "/usr/bin/test -r \"$cert\""
96 + if [ $? -ne 0 ]; then
97 + error "TLS certificate/key/DB '%s' is not readable." "$cert"
104 +function check_db_perms()
107 + for dbdir in `databases`; do
108 + [ -d "$dbdir" ] || continue
109 + for dbfile in `find ${dbdir} -maxdepth 1 -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name "alock"`; do
110 + run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\""
111 + if [ $? -ne 0 ]; then
112 + error "Read/write permissions for DB file '%s' are required." "$dbfile"
120 +function check_everything()
123 + check_config_syntax || retcode=1
124 + # TODO: need support for Mozilla NSS, disabling temporarily
125 + #check_certs_perms || retcode=1
126 + check_db_perms || retcode=1
130 +if [ `id -u` -ne 0 ]; then
131 + error "You have to be root to run this script."
137 +if [ -n "$SLAPD_CONFIG_DIR" ]; then
138 + if [ ! -d "$SLAPD_CONFIG_DIR" ]; then
139 + error "Configuration directory '%s' does not exist." "$SLAPD_CONFIG_DIR"
146 +if [ -n "$SLAPD_CONFIG_FILE" ]; then
147 + if [ ! -f "$SLAPD_CONFIG_FILE" ]; then
148 + error "Configuration file '%s' does not exist." "$SLAPD_CONFIG_FILE"
150 + error "Warning: Usage of a configuration file is obsolete!"
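Review bot: In check_db_perms (lines 109–110) the file names returned by find are spliced verbatim into the string that run_as_ldap hands to `runuser --session-command`, which is a `sh -c` re-parse, so a DB-directory entry whose name contains `"`, `$(` or a backtick is executed as shell rather than tested. The directories come from `olcDbDirectory` and are written by slapd as the `ldap` user, and the re-parsed command also runs as `ldap`, so this is a correctness gap rather than a privilege escalation—but a compromised slapd could make the root-run ExecStartPre check misreport. Quote the path for the inner shell before interpolating: `run_as_ldap "/usr/bin/test -r $(printf %q "$dbfile") -a -w $(printf %q "$dbfile")"`. The same applies to `$cert` on lines 89 and 95, although check_certs_perms is currently disabled by the NSS TODO on line 125. Lines 79–84 and 98–103 of the patch are elided here, so the cleanup and return paths of these functions are not visible.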
157 diff --git a/stx-sources/libexec-convert-config.sh b/stx-sources/libexec-convert-config.sh
159 index 0000000..824c3b1
161 +++ b/stx-sources/libexec-convert-config.sh
164 +# Author: Jan Vcelak <jvcelak@redhat.com>
166 +. /usr/libexec/openldap/functions
170 + error "usage: %s [-f config-file] [-F config-dir]\n" "`basename $0`"
176 +while getopts :f:F: opt; do
179 + SLAPD_CONFIG_FILE="$OPTARG"
182 + SLAPD_CONFIG_DIR="$OPTARG"
192 +# check source, target
194 +if [ ! -f "$SLAPD_CONFIG_FILE" ]; then
195 + error "Source configuration file '%s' not found." "$SLAPD_CONFIG_FILE"
199 +if grep -iq '^dn: cn=config$' "$SLAPD_CONFIG_FILE"; then
200 + SLAPD_CONFIG_FILE_FORMAT=ldif
202 + SLAPD_CONFIG_FILE_FORMAT=conf
205 +if [ -d "$SLAPD_CONFIG_DIR" ]; then
206 + if [ `find "$SLAPD_CONFIG_DIR" -maxdepth 0 -empty | wc -l` -eq 0 ]; then
207 + error "Target configuration directory '%s' is not empty." "$SLAPD_CONFIG_DIR"
212 +# perform the conversion
214 +tmp_convert=`mktemp --tmpdir=/var/run/openldap`
216 +if [ `id -u` -eq 0 ]; then
217 + install -d --owner $SLAPD_USER --group `id -g $SLAPD_USER` --mode 0750 "$SLAPD_CONFIG_DIR" &>>$tmp_convert
218 + if [ $SLAPD_CONFIG_FILE_FORMAT = ldif ]; then
219 + run_as_ldap "/usr/sbin/slapadd -F \"$SLAPD_CONFIG_DIR\" -n 0 -l \"$SLAPD_CONFIG_FILE\"" &>>$tmp_convert
221 + run_as_ldap "/usr/sbin/slaptest -f \"$SLAPD_CONFIG_FILE\" -F \"$SLAPD_CONFIG_DIR\"" &>>$tmp_convert
225 + error "You are not root! Permission will not be set."
226 + install -d --mode 0750 "$SLAPD_CONFIG_DIR" &>>$tmp_convert
227 + if [ $SLAPD_CONFIG_FILE_FORMAT = ldif ]; then
228 + /usr/sbin/slapadd -F "$SLAPD_CONFIG_DIR" -n 0 -l "$SLAPD_CONFIG_FILE" &>>$tmp_convert
230 + /usr/sbin/slaptest -f "$SLAPD_CONFIG_FILE" -F "$SLAPD_CONFIG_DIR" &>>$tmp_convert
235 +if [ $retcode -ne 0 ]; then
236 + error "Configuration conversion failed:"
237 + cat $tmp_convert >&2
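Review bot: The mktemp result on line 214 is never checked, yet the non-root branch that follows depends on it: /var/run/openldap is created `0755 ldap ldap` by slapd.tmpfiles, so for an unprivileged invoker mktemp fails, `$tmp_convert` is empty, and every `&>>$tmp_convert` redirect on lines 226–230 becomes an "ambiguous redirect" error that prevents slapadd/slaptest from running at all, while the script still only prints the generic "Configuration conversion failed:" message with an empty log. Guard it: `tmp_convert=$(mktemp --tmpdir=/var/run/openldap) || { error "Cannot create a temporary file in /var/run/openldap."; exit 1; }`. The removal of the temp file and the exit path (lines 238–241) are elided here.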
242 diff --git a/stx-sources/libexec-create-certdb.sh b/stx-sources/libexec-create-certdb.sh
244 index 0000000..2377fdd
246 +++ b/stx-sources/libexec-create-certdb.sh
249 +# Author: Jan Vcelak <jvcelak@redhat.com>
255 +CERTDB_DIR=/etc/openldap/certs
259 +MODULE_CKBI="$(rpm --eval %{_libdir})/libnssckbi.so"
260 +RANDOM_SOURCE=/dev/urandom
266 + printf "usage: create-certdb.sh [-d certdb]\n" >&2
270 +while getopts "d:" opt; do
273 + CERTDB_DIR="$OPTARG"
281 +[ "$OPTIND" -le "$#" ] && usage
283 +# verify target location
285 +if [ ! -d "$CERTDB_DIR" ]; then
286 + printf "Directory '%s' does not exist.\n" "$CERTDB_DIR" >&2
290 +if [ ! "$(find "$CERTDB_DIR" -maxdepth 0 -empty | wc -l)" -eq 1 ]; then
291 + printf "Directory '%s' is not empty.\n" "$CERTDB_DIR" >&2
295 +# create the database
297 +printf "Creating certificate database in '%s'.\n" "$CERTDB_DIR" >&2
299 +PASSWORD_FILE="$CERTDB_DIR/password"
300 +OLD_UMASK="$(umask)"
302 +dd if=$RANDOM_SOURCE bs=$PASSWORD_BYTES count=1 2>/dev/null | base64 > "$PASSWORD_FILE"
305 +certutil -d "$CERTDB_DIR" -N -f "$PASSWORD_FILE" &>/dev/null
307 +# load module with builtin CA certificates
309 +echo | modutil -dbdir "$CERTDB_DIR" -add "Root Certs" -libfile "$MODULE_CKBI" &>/dev/null
313 +for dbfile in "$CERTDB_DIR"/*.db; do
314 + chmod 0644 "$dbfile"
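Review bot: Neither `certutil -N` (line 305) nor the `modutil -add` call (line 309) has its exit status checked, and both discard all output, so a failed database initialisation leaves the freshly written password file behind with no database and the loop on line 313 then runs `chmod 0644` on the literal `*.db` pattern. Fail fast on both: `certutil -d "$CERTDB_DIR" -N -f "$PASSWORD_FILE" >/dev/null 2>&1 || { printf "Creating certificate database failed.\n" >&2; exit 1; }` and the equivalent for modutil. The 0644 on the db files is acceptable only because the key database is encrypted under the password file, whose restrictive mode presumably comes from a umask change in the elided line 301 (OLD_UMASK is saved on line 300); a comment saying so next to the chmod would stop a later reader from "fixing" it. Lines 301–304 and 310–312 are elided here, so I cannot see whether the umask is restored before the db files are created.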
318 diff --git a/stx-sources/libexec-functions b/stx-sources/libexec-functions
320 index 0000000..98c8631
322 +++ b/stx-sources/libexec-functions
324 +# Author: Jan Vcelak <jvcelak@redhat.com>
329 +SLAPD_CONFIG_CUSTOM=
330 +SLAPD_GLOBAL_OPTIONS=
331 +SLAPD_SYSCONFIG_FILE=
333 +function default_config()
336 + SLAPD_CONFIG_FILE=/etc/openldap/slapd.conf
337 + SLAPD_CONFIG_DIR=/etc/openldap/slapd.d
338 + SLAPD_CONFIG_CUSTOM=
339 + SLAPD_GLOBAL_OPTIONS=
340 + SLAPD_SYSCONFIG_FILE=/etc/sysconfig/slapd
343 +function parse_config_options()
348 + while getopts :u:f:F: opt; do
354 + config_file="$OPTARG"
357 + config_dir="$OPTARG"
364 + if [ -n "$user" ]; then
368 + if [ -n "$config_dir" ]; then
369 + SLAPD_CONFIG_DIR="$config_dir"
371 + SLAPD_CONFIG_CUSTOM=1
372 + SLAPD_GLOBAL_OPTIONS="-F '$config_dir'"
373 + elif [ -n "$config_file" ]; then
375 + SLAPD_CONFIG_FILE="$config_file"
376 + SLAPD_CONFIG_CUSTOM=1
377 + SLAPD_GLOBAL_OPTIONS="-f '$config_file'"
381 +function uses_new_config()
383 + [ -n "$SLAPD_CONFIG_DIR" ]
387 +function run_as_ldap()
389 + /sbin/runuser --shell /bin/sh --session-command "$1" "$SLAPD_USER"
393 +function ldif_unbreak()
395 + sed ':a;N;s/\n //;ta;P;D'
398 +function ldif_value()
403 +function databases_new()
405 + slapcat $SLAPD_GLOBAL_OPTIONS -c \
406 + -H 'ldap:///cn=config???(|(objectClass=olcBdbConfig)(objectClass=olcHdbConfig))' 2>/dev/null | \
408 + grep '^olcDbDirectory: ' | \
412 +function databases_old()
414 + awk 'begin { database="" }
415 + $1 == "database" { database=$2 }
416 + $1 == "directory" { if (database == "bdb" || database == "hdb") print $2}' \
417 + "$SLAPD_CONFIG_FILE"
420 +function certificates_new()
422 + slapcat $SLAPD_GLOBAL_OPTIONS -c -H 'ldap:///cn=config???(cn=config)' 2>/dev/null | \
424 + grep '^olcTLS\(CACertificateFile\|CACertificatePath\|CertificateFile\|CertificateKeyFile\): ' | \
428 +function certificates_old()
430 + awk '$1 ~ "^TLS(CACertificate(File|Path)|CertificateFile|CertificateKeyFile)$" { print $2 } ' \
431 + "$SLAPD_CONFIG_FILE"
434 +function certificates()
436 + uses_new_config && certificates_new || certificates_old
439 +function databases()
441 + uses_new_config && databases_new || databases_old
447 + format="$1\n"; shift
448 + printf "$format" $@ >&2
451 +function load_sysconfig()
453 + [ -r "$SLAPD_SYSCONFIG_FILE" ] || return
455 + . "$SLAPD_SYSCONFIG_FILE"
456 + [ -n "$SLAPD_OPTIONS" ] && parse_config_options $SLAPD_OPTIONS
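Review bot: SLAPD_GLOBAL_OPTIONS is built with embedded single quotes (`-F '$config_dir'`, lines 372 and 377) for re-parsing by the `sh -c` behind `runuser --session-command`, but databases_new and certificates_new expand it directly (`slapcat $SLAPD_GLOBAL_OPTIONS -c ...`, lines 405 and 422), so slapcat receives the quote characters as part of the path and both lookups silently return nothing whenever SLAPD_OPTIONS sets a custom `-F` or `-f`. Both functions only run when uses_new_config holds, i.e. SLAPD_CONFIG_DIR is set, so pass it directly instead: `slapcat -F "$SLAPD_CONFIG_DIR" -c -H '...'`. The error() helper on line 448 also passes `$@` unquoted as the printf arguments, so a path containing spaces is split across `%s` placeholders; it should be `printf "$format" "$@" >&2`. load_sysconfig sources a root-owned file, which is fine, but `parse_config_options $SLAPD_OPTIONS` has the same word-splitting limitation and cannot carry a path with spaces.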
460 diff --git a/stx-sources/libexec-generate-server-cert.sh b/stx-sources/libexec-generate-server-cert.sh
462 index 0000000..e2f4974
464 +++ b/stx-sources/libexec-generate-server-cert.sh
467 +# Author: Jan Vcelak <jvcelak@redhat.com>
473 +CERTDB_DIR=/etc/openldap/certs
474 +CERT_NAME="OpenLDAP Server"
476 +HOSTNAME_FQDN="$(hostname --fqdn)"
482 +RANDOM_SOURCE=/dev/urandom
483 +CERT_RANDOM_BYTES=256
486 +CERT_VALID_MONTHS=12
491 + printf "usage: generate-server-cert.sh [-d certdb-dir] [-n cert-name]\n" >&2
492 + printf " [-p password-file] [-h hostnames]\n" >&2
493 + printf " [-a dns-alt-names] [-o]\n" >&2
497 +while getopts "d:n:p:h:a:o" opt; do
500 + CERTDB_DIR="$OPTARG"
503 + CERT_NAME="$OPTARG"
506 + PASSWORD_FILE="$OPTARG"
509 + HOSTNAME_FQDN="$OPTARG"
512 + ALT_NAMES="$OPTARG"
523 +[ "$OPTIND" -le "$#" ] && usage
527 +ONCE_FILE="$CERTDB_DIR/.slapd-leave"
528 +PASSWORD_FILE="${PASSWORD_FILE:-${CERTDB_DIR}/password}"
529 +ALT_NAMES="${ALT_NAMES:-${HOSTNAME_FQDN},localhost,localhost.localdomain}"
531 +# verify target location
533 +if [ "$ONCE" -eq 1 -a -f "$ONCE_FILE" ]; then
534 + printf "Skipping certificate generating, '%s' exists.\n" "$ONCE_FILE" >&2
538 +if ! certutil -d "$CERTDB_DIR" -U &>/dev/null; then
539 + printf "Directory '%s' is not a valid certificate database.\n" "$CERTDB_DIR" >&2
543 +printf "Creating new server certificate in '%s'.\n" "$CERTDB_DIR" >&2
545 +if [ ! -r "$PASSWORD_FILE" ]; then
546 + printf "Password file '%s' is not readable.\n" "$PASSWORD_FILE" >&2
550 +if certutil -d "$CERTDB_DIR" -L -a -n "$CERT_NAME" &>/dev/null; then
551 + printf "Certificate '%s' already exists in the certificate database.\n" "$CERT_NAME" >&2
555 +# generate server certificate (self signed)
558 +CERT_RANDOM=$(mktemp --tmpdir=/var/run/openldap)
559 +dd if=$RANDOM_SOURCE bs=$CERT_RANDOM_BYTES count=1 of=$CERT_RANDOM &>/dev/null
561 +certutil -d "$CERTDB_DIR" -f "$PASSWORD_FILE" -z "$CERT_RANDOM" \
562 + -S -x -n "$CERT_NAME" \
563 + -s "CN=$HOSTNAME_FQDN" \
565 + -k $CERT_KEY_TYPE -g $CERT_KEY_SIZE \
566 + -v $CERT_VALID_MONTHS \
574 +if [ "$(id -u)" -eq 0 ]; then
575 + chgrp ldap "$PASSWORD_FILE"
576 + chmod g+r "$PASSWORD_FILE"
578 + printf "WARNING: The server requires read permissions on the password file in order to\n" >&2
579 + printf " load it's private key from the certificate database.\n" >&2
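Review bot: The permission fixup on lines 575–576 only adds group read (`chmod g+r`) and never removes other bits, so a password file supplied with `-p` that happens to be 0644 stays world-readable after the `ldap` group has been granted access, and since create-certdb.sh leaves the NSS db files at 0644 that password file would then be the only thing standing between a local user and the server key. Set the mode explicitly: `chgrp ldap "$PASSWORD_FILE" && chmod 0640 "$PASSWORD_FILE"`. The certificate is self-signed (`-x`) and valid for `CERT_VALID_MONTHS=12`, while the `-o` once-marker stops regeneration, so I would add a comment above the certutil call noting that nothing in this tree renews the certificate and operators must re-run without `-o` or replace it before expiry. The message on line 579 should also read "its private key". Lines 567–573 (the certutil exit status and the removal of `$CERT_RANDOM`) are elided here.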
584 diff --git a/stx-sources/libexec-update-ppolicy-schema.sh b/stx-sources/libexec-update-ppolicy-schema.sh
586 index 0000000..a853b27
588 +++ b/stx-sources/libexec-update-ppolicy-schema.sh
591 +# This script serves one purpose, to add a possibly missing attribute
592 +# to a ppolicy schema in a dynamic configuration of OpenLDAP. This
593 +# attribute was introduced in openldap-2.4.43 and slapd will not
594 +# start without it later on.
596 +# The script tries to update in a directory given as first parameter,
597 +# or in /etc/openldap/slapd.d implicitly.
599 +# Author: Matus Honek <mhonek@redhat.com>
600 +# Bugzilla: #1487857
603 + echo "Update dynamic configuration: " $@
608 + if [ $? -ne 0 ]; then
620 + ORIGINAL="${1:-/etc/openldap/slapd.d}"
621 + ORIGINAL="${ORIGINAL%*(/)}"
623 + ### check if necessary
624 + grep -r "pwdMaxRecordedFail" "${ORIGINAL}/cn=config/cn=schema" >/dev/null
625 + [ $? -eq 0 ] && log "Schemas look up to date. Ok. Quitting." && return 0
628 + log "Prepare environment."
630 + TEMPDIR=$(mktemp -d)
631 + iferr "Could not create a temporary directory. Quitting." && return 1
632 + DBDIR="${TEMPDIR}/db"
633 + SUBDBDIR="${DBDIR}/cn=temporary"
636 + iferr "Could not create temporary configuration directory. Quitting." && return 1
637 + cp -r --no-target-directory "${ORIGINAL}" "${SUBDBDIR}"
638 + iferr "Could not copy configuration. Quitting." && return 1
640 + pushd "$TEMPDIR" >/dev/null
642 + cat > temp.conf <<EOF
646 +access to * by * manage
649 + SOCKET="$(pwd)/socket"
650 + LISTENER="ldapi://${SOCKET//\//%2F}"
651 + CONN_PARAMS=("-Y" "EXTERNAL" "-H" "${LISTENER}")
653 + slapd -f temp.conf -h "$LISTENER" -d 0 >/dev/null 2>&1 &
657 + ldapadd ${CONN_PARAMS[@]} -d 0 >/dev/null 2>&1 <<EOF
659 +objectClass: olcGlobal
662 + iferr "Could not populate the temporary database. Quitting." && return 1
665 + log "Update with new pwdMaxRecordedFailure attribute."
667 + FILTER+="(olcObjectClasses=*'pwdPolicy'*)"
668 + FILTER+="(!(olcObjectClasses=*'pwdPolicy'*'pwdMaxRecordedFailure'*))"
669 + FILTER+="(!(olcAttributeTypes=*'pwdMaxRecordedFailure'*))"
671 + RES=$(ldapsearch ${CONN_PARAMS[@]} \
672 + -b cn=schema,cn=config,cn=temporary \
676 + dn olcObjectClasses \
679 + DN=$(printf "$RES" | grep '^dn:')
680 + OC=$(printf "$RES" | grep "^olcObjectClasses:.*'pwdPolicy'")
681 + NEWOC="${OC//$ pwdSafeModify /$ pwdSafeModify $ pwdMaxRecordedFailure }"
683 + test $(echo "$DN" | wc -l) = 1
684 + iferr "Received more than one DN. Cannot continue. Quitting." && return 1
685 + test "$NEWOC" != "$OC"
686 + iferr "Updating pwdPolicy objectClass definition failed. Quitting." && return 1
688 + ldapmodify ${CONN_PARAMS[@]} -d 0 >/dev/null 2>&1 <<EOF
691 +add: olcAttributeTypes
692 +olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRecordedFailur
693 + e' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.
694 + 1466.115.121.1.27 SINGLE-VALUE )
696 +delete: olcObjectClasses
699 +add: olcObjectClasses
702 + iferr "Updating with new attribute failed. Quitting." && return 1
707 + log "Apply changes."
708 + cp -r --no-target-directory "$ORIGINAL" "$ORIGINAL~backup"
709 + iferr "Backing up old configuration failed. Quitting." && return 1
710 + cp -r --no-target-directory "$SUBDBDIR" "$ORIGINAL"
711 + iferr "Applying new configuration failed. Quitting." && return 1
724 +if [ $? -ne 0 ]; then
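Review bot: On lines 679–680 the search result is used as the printf format string (`printf "$RES" | grep ...`), so any `%` or backslash sequence in the schema text is interpreted rather than printed; with the stock ppolicy definitions this happens to be harmless, but the script rewrites cn=config from this output, so use `printf '%s\n' "$RES"` in both places. The sanity test on line 683 also passes when `$DN` is empty, because `echo "" | wc -l` is 1; check `[ -n "$DN" ]` first so a missing pwdPolicy entry is reported instead of being pushed into ldapmodify as an empty dn. The temporary slapd started on line 653 is configured with `access to * by * manage` and listens only on an ldapi socket under the `mktemp -d` directory, which is what keeps this safe—worth a comment there, since the copied configuration includes any olcRootPW hashes and the directory's default 0700 mode is the only access control. Lines 712–723 are elided, so I cannot confirm the background slapd is killed on every early `return 1` path.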
732 diff --git a/stx-sources/libexec-upgrade-db.sh b/stx-sources/libexec-upgrade-db.sh
734 index 0000000..1543c80
736 +++ b/stx-sources/libexec-upgrade-db.sh
739 +# Author: Jan Vcelak <jvcelak@redhat.com>
741 +. /usr/libexec/openldap/functions
743 +if [ `id -u` -ne 0 ]; then
744 + error "You have to be root to run this command."
751 +for dbdir in `databases`; do
752 + upgrade_log="$dbdir/db_upgrade.`date +%Y%m%d%H%M%S`.log"
753 + bdb_files=`find "$dbdir" -maxdepth 1 -name "*.bdb" -printf '"%f" '`
755 + # skip uninitialized database
756 + [ -z "$bdb_files"] || continue
758 + printf "Updating '%s', logging into '%s'\n" "$dbdir" "$upgrade_log"
760 + # perform the update
762 + "/usr/bin/db_recover -v -h \"$dbdir\"" \
763 + "/usr/bin/db_upgrade -v -h \"$dbdir\" $bdb_files" \
764 + "/usr/bin/db_checkpoint -v -h \"$dbdir\" -1" \
766 + printf "Executing: %s\n" "$command" &>>$upgrade_log
767 + run_as_ldap "$command" &>>$upgrade_log
769 + printf "Exit code: %d\n" $result >>"$upgrade_log"
770 + if [ $result -ne 0 ]; then
771 + printf "Upgrade failed: %d\n" $result
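Review bot: The skip test on line 756, `[ -z "$bdb_files"] || continue`, has no space before `]`, so the last argument becomes `"...bdb" ]` and `test` exits 2 with "missing ]" (and for an empty list `[ -z ]` is simply true); the `|| continue` therefore fires on every iteration and no database is ever upgraded, while the script still exits 0. Even with the space restored the sense is inverted relative to its comment ("skip uninitialized database"), so it should read `[ -n "$bdb_files" ] || continue`. Separately, the `-printf '"%f" '` names are later interpolated into the `sh -c` string run via run_as_ldap (line 763), so a file name in the ldap-owned DB directory containing `"` or `$(` would be executed as the `ldap` user. The upgrade log on line 752 is also opened by root with `&>>` inside that same ldap-owned directory under a predictable, second-granularity name, so a pre-planted symlink would redirect root's appends; creating it with mktemp or logging outside the DB directory avoids that. The `for command in` header (lines 759–761) is elided here.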
778 diff --git a/stx-sources/openldap.tmpfiles b/stx-sources/openldap.tmpfiles
780 index 0000000..aa0e805
782 +++ b/stx-sources/openldap.tmpfiles
784 +# OpenLDAP TLSMC runtime directories
785 +x /tmp/openldap-tlsmc-*
786 +X /tmp/openldap-tlsmc-*
787 diff --git a/stx-sources/slapd.ldif b/stx-sources/slapd.ldif
789 index 0000000..7b7f328
791 +++ b/stx-sources/slapd.ldif
794 +# See slapd-config(5) for details on configuration options.
795 +# This file should NOT be world readable.
799 +objectClass: olcGlobal
801 +olcArgsFile: /var/run/openldap/slapd.args
802 +olcPidFile: /var/run/openldap/slapd.pid
806 +olcTLSCACertificatePath: /etc/openldap/certs
807 +olcTLSCertificateFile: "OpenLDAP Server"
808 +olcTLSCertificateKeyFile: /etc/openldap/certs/password
810 +# Do not enable referrals until AFTER you have a working directory
811 +# service AND an understanding of referrals.
813 +#olcReferral: ldap://root.openldap.org
815 +# Sample security restrictions
816 +# Require integrity protection (prevent hijacking)
817 +# Require 112-bit (3DES or better) encryption for updates
818 +# Require 64-bit encryption for simple bind
820 +#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
824 +# Load dynamic backend modules:
825 +# - modulepath is architecture dependent value (32/64-bit system)
826 +# - back_sql.la backend requires openldap-servers-sql package
827 +# - dyngroup.la and dynlist.la cannot be used at the same time
830 +#dn: cn=module,cn=config
831 +#objectClass: olcModuleList
833 +#olcModulepath: /usr/lib/openldap
834 +#olcModulepath: /usr/lib64/openldap
835 +#olcModuleload: accesslog.la
836 +#olcModuleload: auditlog.la
837 +#olcModuleload: back_dnssrv.la
838 +#olcModuleload: back_ldap.la
839 +#olcModuleload: back_mdb.la
840 +#olcModuleload: back_meta.la
841 +#olcModuleload: back_null.la
842 +#olcModuleload: back_passwd.la
843 +#olcModuleload: back_relay.la
844 +#olcModuleload: back_shell.la
845 +#olcModuleload: back_sock.la
846 +#olcModuleload: collect.la
847 +#olcModuleload: constraint.la
848 +#olcModuleload: dds.la
849 +#olcModuleload: deref.la
850 +#olcModuleload: dyngroup.la
851 +#olcModuleload: dynlist.la
852 +#olcModuleload: memberof.la
853 +#olcModuleload: pcache.la
854 +#olcModuleload: ppolicy.la
855 +#olcModuleload: refint.la
856 +#olcModuleload: retcode.la
857 +#olcModuleload: rwm.la
858 +#olcModuleload: seqmod.la
859 +#olcModuleload: smbk5pwd.la
860 +#olcModuleload: sssvlv.la
861 +#olcModuleload: syncprov.la
862 +#olcModuleload: translucent.la
863 +#olcModuleload: unique.la
864 +#olcModuleload: valsort.la
871 +dn: cn=schema,cn=config
872 +objectClass: olcSchemaConfig
875 +include: file:///etc/openldap/schema/core.ldif
881 +dn: olcDatabase=frontend,cn=config
882 +objectClass: olcDatabaseConfig
883 +objectClass: olcFrontendConfig
884 +olcDatabase: frontend
886 +# Sample global access control policy:
887 +# Root DSE: allow anyone to read it
888 +# Subschema (sub)entry DSE: allow anyone to read it
890 +# Allow self write access
891 +# Allow authenticated users read access
892 +# Allow anonymous users to authenticate
894 +#olcAccess: to dn.base="" by * read
895 +#olcAccess: to dn.base="cn=Subschema" by * read
901 +# if no access controls are present, the default policy
902 +# allows anyone and everyone to read anything but restricts
903 +# updates to rootdn. (e.g., "access to * by * read")
905 +# rootdn can always read and write EVERYTHING!
909 +# Configuration database
912 +dn: olcDatabase=config,cn=config
913 +objectClass: olcDatabaseConfig
915 +olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
916 + n=auth" manage by * none
919 +# Server status monitoring
922 +dn: olcDatabase=monitor,cn=config
923 +objectClass: olcDatabaseConfig
924 +olcDatabase: monitor
925 +olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
926 + n=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
929 +# Backend database definitions
932 +dn: olcDatabase=hdb,cn=config
933 +objectClass: olcDatabaseConfig
934 +objectClass: olcHdbConfig
936 +olcSuffix: dc=my-domain,dc=com
937 +olcRootDN: cn=Manager,dc=my-domain,dc=com
938 +olcDbDirectory: /var/lib/ldap
939 +olcDbIndex: objectClass eq,pres
940 +olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
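Review bot: The hdb database on lines 932–940 declares a rootdn but carries no olcAccess and no olcRootPW, and the frontend ACL samples visible on lines 894–895 are commented out, so—as the file's own comment on lines 901–903 states—the effective policy is `access to * by * read`: anonymous clients on `ldap:///` can read every entry, including `userPassword` hashes. At minimum protect the password attribute and require authentication for the rest, e.g. `olcAccess: to attrs=userPassword by self write by anonymous auth by * none` followed by `olcAccess: to * by self write by users read by * none`, either under olcDatabase=hdb or by uncommenting the frontend samples. The `olcTLSCertificateFile: "OpenLDAP Server"` nickname and `olcTLSCertificateKeyFile` pointing at the NSS password file follow the RHEL MozNSS/tlsmc convention and presumably only work if the slapd built here carries that compatibility layer; with `olcSecurity` also left commented on line 820, simple binds are accepted in cleartext. Lines 896–900 are elided here.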
941 diff --git a/stx-sources/slapd.service b/stx-sources/slapd.service
943 index 0000000..8a3a722
945 +++ b/stx-sources/slapd.service
948 +Description=OpenLDAP Server Daemon
949 +After=syslog.target network-online.target
950 +Documentation=man:slapd
951 +Documentation=man:slapd-config
952 +Documentation=man:slapd-hdb
953 +Documentation=man:slapd-mdb
954 +Documentation=file:///usr/share/doc/openldap-servers/guide.html
958 +PIDFile=/var/run/openldap/slapd.pid
959 +Environment="SLAPD_URLS=ldap:/// ldapi:///" "SLAPD_OPTIONS="
960 +EnvironmentFile=/etc/sysconfig/slapd
961 +ExecStartPre=/usr/libexec/openldap/check-config.sh
962 +ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS
965 +WantedBy=multi-user.target
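Review bot: `After=network-online.target` on line 949 without a matching `Wants=network-online.target` only orders slapd after that target when something else pulls it in, so on a minimal system `ldap:///` may bind before the interfaces are up; add `Wants=network-online.target` to [Unit]. `syslog.target` has been a no-op for years and can be dropped from the same line. Since slapd is started as root and only then drops to `ldap` (`-u ldap`, line 962), consider hardening directives that do not interfere with it writing `/etc/openldap/slapd.d`, `/var/lib/ldap` and `/var/run/openldap`—`NoNewPrivileges=yes` and `ProtectHome=yes` look like safe candidates, whereas `ProtectSystem=full` would break cn=config writes under /etc. Lines 955–957 (the [Service] header) are elided here.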
966 diff --git a/stx-sources/slapd.sysconfig b/stx-sources/slapd.sysconfig
968 index 0000000..68091a5
970 +++ b/stx-sources/slapd.sysconfig
972 +# OpenLDAP server configuration
973 +# see 'man slapd' for additional information
975 +# Where the server will run (-h option)
976 +# - ldapi:/// is required for on-the-fly configuration using client tools
977 +# (use SASL with EXTERNAL mechanism for authentication)
978 +# - default: ldapi:/// ldap:///
979 +# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
980 +SLAPD_URLS="ldapi:/// ldap:///"
982 +# Any custom options
985 +# Keytab location for GSSAPI Kerberos authentication
986 +#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
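Review bot: The shipped default `SLAPD_URLS="ldapi:/// ldap:///"` on line 980 binds cleartext LDAP on every interface, and nothing in the accompanying slapd.ldif sets olcSecurity, so simple-bind passwords travel unprotected until an operator changes this. A comment would at least make the trade-off explicit: `# NOTE: ldap:/// listens on all interfaces in cleartext; use ldap://127.0.0.1/ for local-only access, and add ldaps:/// (plus olcSecurity in cn=config) before accepting simple binds over the network.` Lines 983–984 (the SLAPD_OPTIONS line) are elided here.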
987 diff --git a/stx-sources/slapd.tmpfiles b/stx-sources/slapd.tmpfiles
989 index 0000000..56aa32e
991 +++ b/stx-sources/slapd.tmpfiles
993 +# openldap runtime directory for slapd.arg and slapd.pid
994 +d /var/run/openldap 0755 ldap ldap -