From ceaad5c741c95c78d924cb6b179daa6c6b60bf91 Mon Sep 17 00:00:00 2001 From: babak sarashki Date: Wed, 4 Dec 2019 08:07:24 -0800 Subject: [PATCH] stx openldap config files --- stx-openldap-config/LICENSE | 202 ++++++++++++++++++++++++ stx-openldap-config/initial_config.ldif | 80 ++++++++++ stx-openldap-config/initscript | 100 ++++++++++++ stx-openldap-config/slapd.conf | 117 ++++++++++++++ stx-openldap-config/slapd.service | 23 +++ stx-openldap-config/slapd.sysconfig | 15 ++ 6 files changed, 537 insertions(+) create mode 100644 stx-openldap-config/LICENSE create mode 100644 stx-openldap-config/initial_config.ldif create mode 100755 stx-openldap-config/initscript create mode 100644 stx-openldap-config/slapd.conf create mode 100644 stx-openldap-config/slapd.service create mode 100644 stx-openldap-config/slapd.sysconfig diff --git a/stx-openldap-config/LICENSE b/stx-openldap-config/LICENSE new file mode 100644 index 000000000..d64569567 --- /dev/null +++ b/stx-openldap-config/LICENSE @@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/stx-openldap-config/initial_config.ldif b/stx-openldap-config/initial_config.ldif new file mode 100644 index 000000000..672e364b5 --- /dev/null +++ b/stx-openldap-config/initial_config.ldif @@ -0,0 +1,80 @@ +#ldapadd -D "cn=ldapadmin,dc=cgcs,dc=local" -W -f /etc/openldap/initial_config.ldif +#ldapsearch -x -b 'dc=cgcs,dc=local' '(objectclass=*)' +dn: dc=cgcs,dc=local +dc: cgcs +objectClass: top +objectClass: domain + +dn: ou=policies,dc=cgcs,dc=local +ou: policies +objectClass: top +objectClass: organizationalUnit + +dn: ou=People,dc=cgcs,dc=local +ou: People +objectClass: top +objectClass: organizationalUnit + +dn: ou=Group,dc=cgcs,dc=local +ou: Group +objectClass: top +objectClass: organizationalUnit + +dn: ou=SUDOers,dc=cgcs,dc=local +objectClass: top +objectClass: organizationalUnit +ou: SUDOers + +dn: cn=users,ou=Group,dc=cgcs,dc=local +objectClass: posixGroup +objectClass: top +cn: users +userPassword: {crypt}x +gidNumber: 100 + +dn: cn=cgcs,ou=Group,dc=cgcs,dc=local +objectClass: posixGroup +objectClass: top +cn: cgcs +userPassword: {crypt}x +gidNumber: 1000 + +dn: cn=default,ou=policies,dc=cgcs,dc=local +objectClass: top +objectClass: device +objectClass: pwdPolicy +objectClass: pwdPolicyChecker +cn: default +pwdAttribute: userPassword +pwdMaxAge: 0 +pwdExpireWarning: 432000 +pwdInHistory: 2 +pwdCheckModule: check_password.so +pwdCheckQuality: 1 +pwdMinLength: 7 +pwdMaxFailure: 5 +pwdLockout: TRUE +pwdLockoutDuration: 300 +pwdFailureCountInterval: 0 +pwdMustChange: TRUE +pwdAllowUserChange: TRUE +pwdSafeModify: FALSE +pwdGraceAuthNLimit: 0 + +dn: cn=defaults,ou=SUDOers,dc=cgcs,dc=local +objectClass: top +objectClass: sudoRole +cn: defaults +description: Default sudoOption's go here +sudoOrder: 1 + +dn: cn=admin,ou=SUDOers,dc=cgcs,dc=local +objectClass: top +objectClass: sudoRole +cn: admin +sudoUser: admin +sudoHost: ALL +sudoRunAsUser: ALL +sudoCommand: ALL +sudoOrder: 2 +sudoOption: secure_path=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin diff --git a/stx-openldap-config/initscript b/stx-openldap-config/initscript new file mode 100755 index 000000000..d3208dd9a --- /dev/null +++ b/stx-openldap-config/initscript @@ -0,0 +1,100 @@ +#! /bin/sh +# +# This is an init script for openembedded +# Copy it to /etc/init.d/openldap and type +# > update-rc.d openldap defaults 60 +# +. /etc/init.d/functions + +################################################################################ +# Wait for a process to stop running. +# +################################################################################ +function wait_for_proc_stop() +{ + PROGNAME=$1 + TIMEOUT=${2:-"5"} + + for I in $(seq 1 $TIMEOUT); do + PID=$(pidof $PROGNAME 2> /dev/null) + if [ $? -ne 0 ]; then + ## already dead + return 0 + fi + sleep 1 + done + + return 1 +} + +slapd=/usr/sbin/slapd +test -x "$slapd" || exit 0 + +RETVAL=0 + +case "$1" in + start) + echo -n "Starting SLAPD: " + if [ -f /etc/openldap/schema/cn=config.ldif ]; then + start-stop-daemon --start --oknodo --quiet --exec $slapd \ + -- -F /etc/openldap/schema/ + RETVAL=$? + else + start-stop-daemon --start --oknodo --quiet --exec $slapd + RETVAL=$? + fi + if [ $RETVAL -ne 0 ]; then + echo "Failed to start SLAPD." + exit $RETVAL + fi + + # we need to start nscd service as part of this openldap + # init.d script since SM manages this as a service and both + # daemons should be running on a controller host + systemctl status nscd.service + if [ $? -ne 0 ]; then + echo -n "Starting NSCD: " + systemctl start nscd.service + RETVAL=$? + if [ $RETVAL -ne 0 ]; then + echo "Failed to start NSCD." + exit $RETVAL + fi + fi + + echo "." + ;; + stop) + echo -n "Stopping NSCD: " + systemctl stop nscd.service + rm -f /var/run/nscd/nscd.pid + + echo -n "Stopping SLAPD: " + start-stop-daemon --retry 60 --stop --oknodo --quiet --pidfile /var/run/slapd.pid + RETVAL=$? + wait_for_proc_stop $slapd 10 + WRETVAL=$? + while [ $WRETVAL -eq 1 ]; do + killproc $slapd + wait_for_proc_stop $slapd 10 + WRETVAL=$? + done + rm -f /var/run/slapd.pid + echo "." + ;; + status) + status $slapd + [ $? -eq 0 ] || exit $? + systemctl status nscd.service + [ $? -eq 0 ] || exit $? + ;; + restart) + $0 stop + $0 start + ;; + *) + echo "Usage: /etc/init.d/openldap {start|stop|status|restart}" + exit 1 +esac + +exit $RETVAL diff --git a/stx-openldap-config/slapd.conf b/stx-openldap-config/slapd.conf new file mode 100644 index 000000000..3b6fcc545 --- /dev/null +++ b/stx-openldap-config/slapd.conf @@ -0,0 +1,117 @@ +# +# See slapd.conf(5) for details on configuration options. +# This file should NOT be world readable. +# +include /etc/openldap/schema/core.schema +include /etc/openldap/schema/cosine.schema +include /etc/openldap/schema/inetorgperson.schema +include /etc/openldap/schema/nis.schema +include /etc/openldap/schema/ppolicy.schema +include /etc/openldap/schema/sudo.schema + +# Define global ACLs to disable default read access. + +# Do not enable referrals until AFTER you have a working directory +# service AND an understanding of referrals. +#referral ldap://root.openldap.org + +pidfile /var/run/slapd.pid +argsfile /var/run/slapd.args + +# uniquely identifies this server +serverID 001 + +# Load dynamic backend modules: +modulepath /usr/libexec/openldap +moduleload back_mdb.la +moduleload ppolicy.la +moduleload syncprov.la + +# Sample security restrictions +# Require integrity protection (prevent hijacking) +# Require 112-bit (3DES or better) encryption for updates +# Require 63-bit encryption for simple bind +# security ssf=1 update_ssf=112 simple_bind=64 + +# Sample access control policy: +# Root DSE: allow anyone to read it +# Subschema (sub)entry DSE: allow anyone to read it +# Other DSEs: +# Allow self write access +# Allow authenticated users read access +# Allow anonymous users to authenticate +# Directives needed to implement policy: +#access to dn.base="" by * read +#access to dn.base="cn=Subschema" by * read +#access to * +# by self write +# by anonymous auth +# by * read +# +# if no access controls are present, the default policy +# allows anyone and everyone to read anything but restricts +# updates to rootdn. (e.g., "access to * by * read") +# +# rootdn can always read and write EVERYTHING! + +####################################################################### +# BDB database definitions +####################################################################### + +database mdb +suffix "dc=cgcs,dc=local" +rootdn "cn=ldapadmin,dc=cgcs,dc=local" +# Cleartext passwords, especially for the rootdn, should +# be avoid. See slappasswd(8) and slapd.conf(5) for details. +# Use of strong authentication encouraged. +rootpw _LDAPADMIN_PW_ +# The database directory MUST exist prior to running slapd AND +# should only be accessible by the slapd and slap tools. +# Mode 700 recommended. +directory /var/lib/openldap-data +# Maximum size +maxsize 1073741824 +# Indices to maintain +index cn eq +index objectClass eq +index uid eq,pres,sub +index uidNumber eq +index gidNumber eq +index memberUid eq +index sudoUser eq,sub + +access to * + by self write + by * read + +loglevel none + +overlay ppolicy +ppolicy_default "cn=default,ou=policies,dc=cgcs,dc=local" +ppolicy_use_lockout + +# NOTE: +# syncrepl directives for each of the other masters +syncrepl rid=000 + provider=ldap://controller-1 + type=refreshAndPersist + retry="5 5 300 +" + searchbase="dc=cgcs,dc=local" + attrs="*,+" + bindmethod=simple + binddn="cn=ldapadmin,dc=cgcs,dc=local" + credentials=_LDAPADMIN_PW_ + +# syncprov specific indexing (add others as required) +index entryCSN eq +index entryUUID eq +# ... +# # mirror mode essential to allow writes +# # and must appear after all syncrepl directives +mirrormode TRUE +# +# # define the provider to use the syncprov overlay +# # (last directives in database section) +overlay syncprov +# # contextCSN saved to database every 100 updates or ten minutes +syncprov-checkpoint 1 1 diff --git a/stx-openldap-config/slapd.service b/stx-openldap-config/slapd.service new file mode 100644 index 000000000..24b39380a --- /dev/null +++ b/stx-openldap-config/slapd.service @@ -0,0 +1,23 @@ +[Unit] +Description=OpenLDAP Server Daemon +Before=rsyncd.service +After=network.target syslog-ng.target +Documentation=man:slapd +Documentation=man:slapd-config +Documentation=man:slapd-hdb +Documentation=man:slapd-mdb +Documentation=file:///usr/share/doc/openldap-servers/guide.html + +[Service] +Type=forking +PIDFile=/var/run/slapd.pid +Environment="SLAPD_URLS=ldap:/// ldapi:///" "SLAPD_OPTIONS=" +EnvironmentFile=/etc/sysconfig/slapd +ExecStartPre=/usr/libexec/openldap/check-config.sh +ExecStart=/etc/init.d/openldap start +ExecStop=/etc/init.d/openldap stop +ExecReload=/etc/init.d/openldap restart +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target diff --git a/stx-openldap-config/slapd.sysconfig b/stx-openldap-config/slapd.sysconfig new file mode 100644 index 000000000..573486da4 --- /dev/null +++ b/stx-openldap-config/slapd.sysconfig @@ -0,0 +1,15 @@ +# OpenLDAP server configuration +# see 'man slapd' for additional information + +# Where the server will run (-h option) +# - ldapi:/// is required for on-the-fly configuration using client tools +# (use SASL with EXTERNAL mechanism for authentication) +# - default: ldapi:/// ldap:/// +# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:/// +SLAPD_URLS="ldapi:/// ldap:///" + +# Any custom options +SLAPD_OPTIONS="" + +# Keytab location for GSSAPI Kerberos authentication +#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab" -- 2.17.1