From 2adc9fa71e3a47542793e61c7794629fa9255a57 Mon Sep 17 00:00:00 2001
From: babak sarashki
Date: Tue, 5 Nov 2019 14:49:06 -0800
Subject: [PATCH] openldap and stx source and config files

From stx 1901 openldap-2.4.44-21.el7_6.src.rpm
---
stx-sources/ldap.conf | 18 +++
stx-sources/libexec-check-config.sh | 91 ++++++++++++
stx-sources/libexec-convert-config.sh | 79 ++++++++++
stx-sources/libexec-create-certdb.sh | 70 +++++++++
stx-sources/libexec-functions | 136 +++++++++++++++++
stx-sources/libexec-generate-server-cert.sh | 118 +++++++++++++++
stx-sources/libexec-update-ppolicy-schema.sh | 142 ++++++++++++++++++
stx-sources/libexec-upgrade-db.sh | 40 +++++
stx-sources/openldap.tmpfiles | 3 +
stx-sources/slapd.ldif | 148 +++++++++++++++++++
stx-sources/slapd.service | 19 +++
stx-sources/slapd.sysconfig | 15 ++
stx-sources/slapd.tmpfiles | 2 +
13 files changed, 881 insertions(+)
create mode 100644 stx-sources/ldap.conf
create mode 100755 stx-sources/libexec-check-config.sh
create mode 100755 stx-sources/libexec-convert-config.sh
create mode 100755 stx-sources/libexec-create-certdb.sh
create mode 100644 stx-sources/libexec-functions
create mode 100755 stx-sources/libexec-generate-server-cert.sh
create mode 100755 stx-sources/libexec-update-ppolicy-schema.sh
create mode 100755 stx-sources/libexec-upgrade-db.sh
create mode 100644 stx-sources/openldap.tmpfiles
create mode 100644 stx-sources/slapd.ldif
create mode 100644 stx-sources/slapd.service
create mode 100644 stx-sources/slapd.sysconfig
create mode 100644 stx-sources/slapd.tmpfiles
diff --git a/stx-sources/ldap.conf b/stx-sources/ldap.conf
new file mode 100644
index 0000000..aa6f8fd
--- /dev/null
+++ b/stx-sources/ldap.conf
@@ -0,0 +1,18 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+#BASE dc=example,dc=com
+#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
+
+#SIZELIMIT 12
+#TIMELIMIT 15
+#DEREF never
+
+TLS_CACERTDIR /etc/openldap/certs
+
+# Turning this off breaks GSSAPI used with krb5 when rdns = false
+SASL_NOCANON on
diff --git a/stx-sources/libexec-check-config.sh b/stx-sources/libexec-check-config.sh
new file mode 100755
index 0000000..87e377f
--- /dev/null
+++ b/stx-sources/libexec-check-config.sh
@@ -0,0 +1,91 @@
+#!/bin/sh
+# Author: Jan Vcelak
+
+. /usr/libexec/openldap/functions
+
+function check_config_syntax()
+{
+ retcode=0
+ tmp_slaptest=`mktemp --tmpdir=/var/run/openldap`
+ run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &>$tmp_slaptest
+ if [ $? -ne 0 ]; then
+ error "Checking configuration file failed:"
+ cat $tmp_slaptest >&2
+ retcode=1
+ fi
+ rm $tmp_slaptest
+ return $retcode
+}
+
+function check_certs_perms()
+{
+ retcode=0
+ for cert in `certificates`; do
+ run_as_ldap "/usr/bin/test -e \"$cert\""
+ if [ $? -ne 0 ]; then
+ error "TLS certificate/key/DB '%s' was not found." "$cert"
+ retcoder=1
+ continue
+ fi
+ run_as_ldap "/usr/bin/test -r \"$cert\""
+ if [ $? -ne 0 ]; then
+ error "TLS certificate/key/DB '%s' is not readable." "$cert"
+ retcode=1
+ fi
+ done
+ return $retcode
+}
+
+function check_db_perms()
+{
+ retcode=0
+ for dbdir in `databases`; do
+ [ -d "$dbdir" ] || continue
+ for dbfile in `find ${dbdir} -maxdepth 1 -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name "alock"`; do
+ run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\""
+ if [ $? -ne 0 ]; then
+ error "Read/write permissions for DB file '%s' are required." "$dbfile"
+ retcode=1
+ fi
+ done
+ done
+ return $retcode
+}
+
+function check_everything()
+{
+ retcode=0
+ check_config_syntax || retcode=1
+ # TODO: need support for Mozilla NSS, disabling temporarily
+ #check_certs_perms || retcode=1
+ check_db_perms || retcode=1
+ return $retcode
+}
+
+if [ `id -u` -ne 0 ]; then
+ error "You have to be root to run this script."
+ exit 4
+fi
+
+load_sysconfig
+
+if [ -n "$SLAPD_CONFIG_DIR" ]; then
+ if [ ! -d "$SLAPD_CONFIG_DIR" ]; then
+ error "Configuration directory '%s' does not exist." "$SLAPD_CONFIG_DIR"
+ else
+ check_everything
+ exit $?
+ fi
+fi
+
+if [ -n "$SLAPD_CONFIG_FILE" ]; then
+ if [ ! -f "$SLAPD_CONFIG_FILE" ]; then
+ error "Configuration file '%s' does not exist." "$SLAPD_CONFIG_FILE"
+ else
+ error "Warning: Usage of a configuration file is obsolete!"
+ check_everything
+ exit $?
+ fi
+fi
+
+exit 1
diff --git a/stx-sources/libexec-convert-config.sh b/stx-sources/libexec-convert-config.sh
new file mode 100755
index 0000000..824c3b1
--- /dev/null
+++ b/stx-sources/libexec-convert-config.sh
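Review bot: `retcoder=1` in check_certs_perms, in the branch taken when `/usr/bin/test -e` fails, is a typo for `retcode=1`, so a missing certificate, key or DB is reported on stderr but the function still returns 0 and check_everything would treat it as a pass. The call is currently commented out in check_everything behind the Mozilla NSS TODO, so the defect is latent, but it will surface as soon as that check is re-enabled; the fix is the one-character change to `retcode=1`. The script also declares `#!/bin/sh` while relying on the `function name()` keyword and the `&>file` redirection, which only parse because /bin/sh is bash on this platform; `#!/bin/bash` would state the actual requirement (the same applies to convert-config.sh and upgrade-db.sh).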
@@ -0,0 +1,79 @@
+#!/bin/sh
+# Author: Jan Vcelak
+
+. /usr/libexec/openldap/functions
+
+function help()
+{
+ error "usage: %s [-f config-file] [-F config-dir]\n" "`basename $0`"
+ exit 2
+}
+
+load_sysconfig
+
+while getopts :f:F: opt; do
+ case "$opt" in
+ f)
+ SLAPD_CONFIG_FILE="$OPTARG"
+ ;;
+ F)
+ SLAPD_CONFIG_DIR="$OPTARG"
+ ;;
+ *)
+ help
+ ;;
+ esac
+done
+shift $((OPTIND-1))
+[ -n "$1" ] && help
+
+# check source, target
+
+if [ ! -f "$SLAPD_CONFIG_FILE" ]; then
+ error "Source configuration file '%s' not found." "$SLAPD_CONFIG_FILE"
+ exit 1
+fi
+
+if grep -iq '^dn: cn=config$' "$SLAPD_CONFIG_FILE"; then
+ SLAPD_CONFIG_FILE_FORMAT=ldif
+else
+ SLAPD_CONFIG_FILE_FORMAT=conf
+fi
+
+if [ -d "$SLAPD_CONFIG_DIR" ]; then
+ if [ `find "$SLAPD_CONFIG_DIR" -maxdepth 0 -empty | wc -l` -eq 0 ]; then
+ error "Target configuration directory '%s' is not empty." "$SLAPD_CONFIG_DIR"
+ exit 1
+ fi
+fi
+
+# perform the conversion
+
+tmp_convert=`mktemp --tmpdir=/var/run/openldap`
+
+if [ `id -u` -eq 0 ]; then
+ install -d --owner $SLAPD_USER --group `id -g $SLAPD_USER` --mode 0750 "$SLAPD_CONFIG_DIR" &>>$tmp_convert
+ if [ $SLAPD_CONFIG_FILE_FORMAT = ldif ]; then
+ run_as_ldap "/usr/sbin/slapadd -F \"$SLAPD_CONFIG_DIR\" -n 0 -l \"$SLAPD_CONFIG_FILE\"" &>>$tmp_convert
+ else
+ run_as_ldap "/usr/sbin/slaptest -f \"$SLAPD_CONFIG_FILE\" -F \"$SLAPD_CONFIG_DIR\"" &>>$tmp_convert
+ fi
+ retcode=$?
+else
+ error "You are not root! Permission will not be set."
+ install -d --mode 0750 "$SLAPD_CONFIG_DIR" &>>$tmp_convert
+ if [ $SLAPD_CONFIG_FILE_FORMAT = ldif ]; then
+ /usr/sbin/slapadd -F "$SLAPD_CONFIG_DIR" -n 0 -l "$SLAPD_CONFIG_FILE" &>>$tmp_convert
+ else
+ /usr/sbin/slaptest -f "$SLAPD_CONFIG_FILE" -F "$SLAPD_CONFIG_DIR" &>>$tmp_convert
+ fi
+ retcode=$?
+fi
+
+if [ $retcode -ne 0 ]; then
+ error "Configuration conversion failed:"
+ cat $tmp_convert >&2
+fi
+
+rm $tmp_convert
+exit $retcode
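Review bot: The result of `tmp_convert=`mktemp --tmpdir=/var/run/openldap`` is never checked, so when mktemp fails every following `&>>$tmp_convert` becomes an ambiguous redirect and the script dies without the diagnostics it is trying to collect. This is most likely to happen in the non-root branch the script explicitly supports, since slapd.tmpfiles creates /var/run/openldap as `0755 ldap ldap` and an unprivileged user presumably cannot write there (worth confirming). A guard such as `tmp_convert=$(mktemp --tmpdir=/var/run/openldap) || { error "Cannot create temporary file."; exit 1; }` keeps the failure explicit, and `cat $tmp_convert` / `rm $tmp_convert` should quote the variable like the rest of the file does.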
diff --git a/stx-sources/libexec-create-certdb.sh b/stx-sources/libexec-create-certdb.sh
new file mode 100755
index 0000000..2377fdd
--- /dev/null
+++ b/stx-sources/libexec-create-certdb.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+# Author: Jan Vcelak
+
+set -e
+
+# default options
+
+CERTDB_DIR=/etc/openldap/certs
+
+# internals
+
+MODULE_CKBI="$(rpm --eval %{_libdir})/libnssckbi.so"
+RANDOM_SOURCE=/dev/urandom
+PASSWORD_BYTES=32
+
+# parse arguments
+
+usage() {
+ printf "usage: create-certdb.sh [-d certdb]\n" >&2
+ exit 1
+}
+
+while getopts "d:" opt; do
+ case "$opt" in
+ d)
+ CERTDB_DIR="$OPTARG"
+ ;;
+ \?)
+ usage
+ ;;
+ esac
+done
+
+[ "$OPTIND" -le "$#" ] && usage
+
+# verify target location
+
+if [ ! -d "$CERTDB_DIR" ]; then
+ printf "Directory '%s' does not exist.\n" "$CERTDB_DIR" >&2
+ exit 1
+fi
+
+if [ ! "$(find "$CERTDB_DIR" -maxdepth 0 -empty | wc -l)" -eq 1 ]; then
+ printf "Directory '%s' is not empty.\n" "$CERTDB_DIR" >&2
+ exit 1
+fi
+
+# create the database
+
+printf "Creating certificate database in '%s'.\n" "$CERTDB_DIR" >&2
+
+PASSWORD_FILE="$CERTDB_DIR/password"
+OLD_UMASK="$(umask)"
+umask 0377
+dd if=$RANDOM_SOURCE bs=$PASSWORD_BYTES count=1 2>/dev/null | base64 > "$PASSWORD_FILE"
+umask "$OLD_UMASK"
+
+certutil -d "$CERTDB_DIR" -N -f "$PASSWORD_FILE" &>/dev/null
+
+# load module with builtin CA certificates
+
+echo | modutil -dbdir "$CERTDB_DIR" -add "Root Certs" -libfile "$MODULE_CKBI" &>/dev/null
+
+# tune permissions
+
+for dbfile in "$CERTDB_DIR"/*.db; do
+ chmod 0644 "$dbfile"
+done
+
+exit 0
diff --git a/stx-sources/libexec-functions b/stx-sources/libexec-functions
new file mode 100644
index 0000000..98c8631
--- /dev/null
+++ b/stx-sources/libexec-functions
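Review bot: `certutil -d "$CERTDB_DIR" -N -f "$PASSWORD_FILE" &>/dev/null` and the `echo | modutil ... &>/dev/null` line discard stderr, so under `set -e` a failure (unreadable password file, `$MODULE_CKBI` not present) aborts the script with no message at all. Because the password file has already been written at that point, the directory is no longer empty and a rerun is refused by the "is not empty" check, leaving the operator with a half-initialised certdb and no explanation. Keep stderr visible, `certutil -d "$CERTDB_DIR" -N -f "$PASSWORD_FILE" >/dev/null`, or capture it to a temp file and print it on failure; `modutil -force` also removes the need for the piped `echo` to answer its prompt. Unrelated to the redirects, the `for dbfile in "$CERTDB_DIR"/*.db` loop will fail under `set -e` if no .db file was produced, since the unmatched glob is passed to chmod literally.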
@@ -0,0 +1,136 @@
+# Author: Jan Vcelak
+
+SLAPD_USER=
+SLAPD_CONFIG_FILE=
+SLAPD_CONFIG_DIR=
+SLAPD_CONFIG_CUSTOM=
+SLAPD_GLOBAL_OPTIONS=
+SLAPD_SYSCONFIG_FILE=
+
+function default_config()
+{
+ SLAPD_USER=ldap
+ SLAPD_CONFIG_FILE=/etc/openldap/slapd.conf
+ SLAPD_CONFIG_DIR=/etc/openldap/slapd.d
+ SLAPD_CONFIG_CUSTOM=
+ SLAPD_GLOBAL_OPTIONS=
+ SLAPD_SYSCONFIG_FILE=/etc/sysconfig/slapd
+}
+
+function parse_config_options()
+{
+ user=
+ config_file=
+ config_dir=
+ while getopts :u:f:F: opt; do
+ case "$opt" in
+ u)
+ user="$OPTARG"
+ ;;
+ f)
+ config_file="$OPTARG"
+ ;;
+ F)
+ config_dir="$OPTARG"
+ ;;
+ esac
+ done
+
+ unset OPTIND
+
+ if [ -n "$user" ]; then
+ SLAPD_USER="$user"
+ fi
+
+ if [ -n "$config_dir" ]; then
+ SLAPD_CONFIG_DIR="$config_dir"
+ SLAPD_CONFIG_FILE=
+ SLAPD_CONFIG_CUSTOM=1
+ SLAPD_GLOBAL_OPTIONS="-F '$config_dir'"
+ elif [ -n "$config_file" ]; then
+ SLAPD_CONFIG_DIR=
+ SLAPD_CONFIG_FILE="$config_file"
+ SLAPD_CONFIG_CUSTOM=1
+ SLAPD_GLOBAL_OPTIONS="-f '$config_file'"
+ fi
+}
+
+function uses_new_config()
+{
+ [ -n "$SLAPD_CONFIG_DIR" ]
+ return $?
+}
+
+function run_as_ldap()
+{
+ /sbin/runuser --shell /bin/sh --session-command "$1" "$SLAPD_USER"
+ return $?
+}
+
+function ldif_unbreak()
+{
+ sed ':a;N;s/\n //;ta;P;D'
+}
+
+function ldif_value()
+{
+ sed 's/^[^:]*: //'
+}
+
+function databases_new()
+{
+ slapcat $SLAPD_GLOBAL_OPTIONS -c \
+ -H 'ldap:///cn=config???(|(objectClass=olcBdbConfig)(objectClass=olcHdbConfig))' 2>/dev/null | \
+ ldif_unbreak | \
+ grep '^olcDbDirectory: ' | \
+ ldif_value
+}
+
+function databases_old()
+{
+ awk 'begin { database="" }
+ $1 == "database" { database=$2 }
+ $1 == "directory" { if (database == "bdb" || database == "hdb") print $2}' \
+ "$SLAPD_CONFIG_FILE"
+}
+
+function certificates_new()
+{
+ slapcat $SLAPD_GLOBAL_OPTIONS -c -H 'ldap:///cn=config???(cn=config)' 2>/dev/null | \
+ ldif_unbreak | \
+ grep '^olcTLS\(CACertificateFile\|CACertificatePath\|CertificateFile\|CertificateKeyFile\): ' | \
+ ldif_value
+}
+
+function certificates_old()
+{
+ awk '$1 ~ "^TLS(CACertificate(File|Path)|CertificateFile|CertificateKeyFile)$" { print $2 } ' \
+ "$SLAPD_CONFIG_FILE"
+}
+
+function certificates()
+{
+ uses_new_config && certificates_new || certificates_old
+}
+
+function databases()
+{
+ uses_new_config && databases_new || databases_old
+}
+
+
+function error()
+{
+ format="$1\n"; shift
+ printf "$format" $@ >&2
+}
+
+function load_sysconfig()
+{
+ [ -r "$SLAPD_SYSCONFIG_FILE" ] || return
+
+ . "$SLAPD_SYSCONFIG_FILE"
+ [ -n "$SLAPD_OPTIONS" ] && parse_config_options $SLAPD_OPTIONS
+}
+
+default_config
diff --git a/stx-sources/libexec-generate-server-cert.sh b/stx-sources/libexec-generate-server-cert.sh
new file mode 100755
index 0000000..e2f4974
--- /dev/null
+++ b/stx-sources/libexec-generate-server-cert.sh
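Review bot: `error()` expands its arguments unquoted in `printf "$format" $@ >&2`, so a path containing spaces or glob characters is word-split and globbed before printf sees it and the '%s' placeholders used by every caller receive the wrong pieces; it should read `printf "$format" "$@" >&2`. `run_as_ldap` hands `$1` to `runuser --session-command`, where /bin/sh re-parses it, so every caller that interpolates a path into that string is relying on the path containing no shell metacharacters; that contract deserves a comment on the function, e.g. `# $1 is re-parsed by /bin/sh as the ldap user: callers must quote interpolated paths`. In databases_old the awk program starts with lowercase `begin { database="" }`, which awk treats as an ordinary (false) pattern rather than the BEGIN block; it is harmless because uninitialised awk variables are already empty, but `BEGIN` was clearly intended.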
@@ -0,0 +1,118 @@
+#!/bin/bash
+# Author: Jan Vcelak
+
+set -e
+
+# default options
+
+CERTDB_DIR=/etc/openldap/certs
+CERT_NAME="OpenLDAP Server"
+PASSWORD_FILE=
+HOSTNAME_FQDN="$(hostname --fqdn)"
+ALT_NAMES=
+ONCE=0
+
+# internals
+
+RANDOM_SOURCE=/dev/urandom
+CERT_RANDOM_BYTES=256
+CERT_KEY_TYPE=rsa
+CERT_KEY_SIZE=1024
+CERT_VALID_MONTHS=12
+
+# parse arguments
+
+usage() {
+ printf "usage: generate-server-cert.sh [-d certdb-dir] [-n cert-name]\n" >&2
+ printf " [-p password-file] [-h hostnames]\n" >&2
+ printf " [-a dns-alt-names] [-o]\n" >&2
+ exit 1
+}
+
+while getopts "d:n:p:h:a:o" opt; do
+ case "$opt" in
+ d)
+ CERTDB_DIR="$OPTARG"
+ ;;
+ n)
+ CERT_NAME="$OPTARG"
+ ;;
+ p)
+ PASSWORD_FILE="$OPTARG"
+ ;;
+ h)
+ HOSTNAME_FQDN="$OPTARG"
+ ;;
+ a)
+ ALT_NAMES="$OPTARG"
+ ;;
+ o)
+ ONCE=1
+ ;;
+ \?)
+ usage
+ ;;
+ esac
+done
+
+[ "$OPTIND" -le "$#" ] && usage
+
+# generated options
+
+ONCE_FILE="$CERTDB_DIR/.slapd-leave"
+PASSWORD_FILE="${PASSWORD_FILE:-${CERTDB_DIR}/password}"
+ALT_NAMES="${ALT_NAMES:-${HOSTNAME_FQDN},localhost,localhost.localdomain}"
+
+# verify target location
+
+if [ "$ONCE" -eq 1 -a -f "$ONCE_FILE" ]; then
+ printf "Skipping certificate generating, '%s' exists.\n" "$ONCE_FILE" >&2
+ exit 0
+fi
+
+if ! certutil -d "$CERTDB_DIR" -U &>/dev/null; then
+ printf "Directory '%s' is not a valid certificate database.\n" "$CERTDB_DIR" >&2
+ exit 1
+fi
+
+printf "Creating new server certificate in '%s'.\n" "$CERTDB_DIR" >&2
+
+if [ ! -r "$PASSWORD_FILE" ]; then
+ printf "Password file '%s' is not readable.\n" "$PASSWORD_FILE" >&2
+ exit 1
+fi
+
+if certutil -d "$CERTDB_DIR" -L -a -n "$CERT_NAME" &>/dev/null; then
+ printf "Certificate '%s' already exists in the certificate database.\n" "$CERT_NAME" >&2
+ exit 1
+fi
+
+# generate server certificate (self signed)
+
+
+CERT_RANDOM=$(mktemp --tmpdir=/var/run/openldap)
+dd if=$RANDOM_SOURCE bs=$CERT_RANDOM_BYTES count=1 of=$CERT_RANDOM &>/dev/null
+
+certutil -d "$CERTDB_DIR" -f "$PASSWORD_FILE" -z "$CERT_RANDOM" \
+ -S -x -n "$CERT_NAME" \
+ -s "CN=$HOSTNAME_FQDN" \
+ -t TC,, \
+ -k $CERT_KEY_TYPE -g $CERT_KEY_SIZE \
+ -v $CERT_VALID_MONTHS \
+ -8 "$ALT_NAMES" \
+ &>/dev/null
+
+rm -f $CERT_RANDOM
+
+# tune permissions
+
+if [ "$(id -u)" -eq 0 ]; then
+ chgrp ldap "$PASSWORD_FILE"
+ chmod g+r "$PASSWORD_FILE"
+else
+ printf "WARNING: The server requires read permissions on the password file in order to\n" >&2
+ printf " load it's private key from the certificate database.\n" >&2
+fi
+
+touch "$ONCE_FILE"
+exit 0
diff --git a/stx-sources/libexec-update-ppolicy-schema.sh b/stx-sources/libexec-update-ppolicy-schema.sh
new file mode 100755
index 0000000..a853b27
--- /dev/null
+++ b/stx-sources/libexec-update-ppolicy-schema.sh
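Review bot: `CERT_KEY_TYPE=rsa` with `CERT_KEY_SIZE=1024` makes the default self-signed server key 1024-bit RSA, which is below the 2048-bit floor that current TLS clients enforce and that NIST SP 800-57 has recommended since 2014, so the certificate this script produces on first boot may be rejected outright by modern LDAP clients and gives weak protection to the binds it is meant to secure; the default should be `CERT_KEY_SIZE=2048`. The `-a` inside `[ "$ONCE" -eq 1 -a -f "$ONCE_FILE" ]` is the obsolescent test form; `[ "$ONCE" -eq 1 ] && [ -f "$ONCE_FILE" ]` is the portable spelling. `CERT_RANDOM` is only removed on the success path, so with `set -e` a failing certutil leaves the seed file behind in /var/run/openldap; a `trap 'rm -f "$CERT_RANDOM"' EXIT` right after the mktemp covers every exit. The runtime warning text `load it's private key` should be `its`, but that is a string change for a follow-up.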
@@ -0,0 +1,142 @@
+#!/bin/bash
+# This script serves one purpose, to add a possibly missing attribute
+# to a ppolicy schema in a dynamic configuration of OpenLDAP. This
+# attribute was introduced in openldap-2.4.43 and slapd will not
+# start without it later on.
+#
+# The script tries to update in a directory given as first parameter,
+# or in /etc/openldap/slapd.d implicitly.
+#
+# Author: Matus Honek
+# Bugzilla: #1487857
+
+function log {
+ echo "Update dynamic configuration: " $@
+ true
+}
+
+function iferr {
+ if [ $? -ne 0 ]; then
+ log "ERROR: " $@
+ true
+ else
+ false
+ fi
+}
+
+function update {
+ set -u
+ shopt -s extglob
+
+ ORIGINAL="${1:-/etc/openldap/slapd.d}"
+ ORIGINAL="${ORIGINAL%*(/)}"
+
+ ### check if necessary
+ grep -r "pwdMaxRecordedFail" "${ORIGINAL}/cn=config/cn=schema" >/dev/null
+ [ $? -eq 0 ] && log "Schemas look up to date. Ok. Quitting." && return 0
+
+ ### prep
+ log "Prepare environment."
+
+ TEMPDIR=$(mktemp -d)
+ iferr "Could not create a temporary directory. Quitting." && return 1
+ DBDIR="${TEMPDIR}/db"
+ SUBDBDIR="${DBDIR}/cn=temporary"
+
+ mkdir "${DBDIR}"
+ iferr "Could not create temporary configuration directory. Quitting." && return 1
+ cp -r --no-target-directory "${ORIGINAL}" "${SUBDBDIR}"
+ iferr "Could not copy configuration. Quitting." && return 1
+
+ pushd "$TEMPDIR" >/dev/null
+
+ cat > temp.conf </dev/null 2>&1 &
+ SLAPDPID="$!"
+ sleep 2
+
+ ldapadd ${CONN_PARAMS[@]} -d 0 >/dev/null 2>&1 </dev/null \
+ | sed '/^$/d')
+ DN=$(printf "$RES" | grep '^dn:')
+ OC=$(printf "$RES" | grep "^olcObjectClasses:.*'pwdPolicy'")
+ NEWOC="${OC//$ pwdSafeModify /$ pwdSafeModify $ pwdMaxRecordedFailure }"
+
+ test $(echo "$DN" | wc -l) = 1
+ iferr "Received more than one DN. Cannot continue. Quitting." && return 1
+ test "$NEWOC" != "$OC"
+ iferr "Updating pwdPolicy objectClass definition failed. Quitting." && return 1
+
+ ldapmodify ${CONN_PARAMS[@]} -d 0 >/dev/null 2>&1 </dev/null
+
+ ### apply
+ log "Apply changes."
+ cp -r --no-target-directory "$ORIGINAL" "$ORIGINAL~backup"
+ iferr "Backing up old configuration failed. Quitting." && return 1
+ cp -r --no-target-directory "$SUBDBDIR" "$ORIGINAL"
+ iferr "Applying new configuration failed. Quitting." && return 1
+
+ ### clean up
+ log "Clean up."
+ kill "$SLAPDPID"
+ SLAPDPID=
+ rm -rf "$TEMPDIR"
+ TEMPDIR=
+}
+
+SLAPDPID=
+TEMPDIR=
+update "$1"
+if [ $? -ne 0 ]; then
+ log "Clean up."
+ echo "$SLAPDPID"
+ echo "$TEMPDIR"
+ kill "$SLAPDPID"
+ rm -rf "$TEMPDIR"
+fi
+log "Finished."
diff --git a/stx-sources/libexec-upgrade-db.sh b/stx-sources/libexec-upgrade-db.sh
new file mode 100755
index 0000000..1543c80
--- /dev/null
+++ b/stx-sources/libexec-upgrade-db.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+# Author: Jan Vcelak
+
+. /usr/libexec/openldap/functions
+
+if [ `id -u` -ne 0 ]; then
+ error "You have to be root to run this command."
+ exit 4
+fi
+
+load_sysconfig
+retcode=0
+
+for dbdir in `databases`; do
+ upgrade_log="$dbdir/db_upgrade.`date +%Y%m%d%H%M%S`.log"
+ bdb_files=`find "$dbdir" -maxdepth 1 -name "*.bdb" -printf '"%f" '`
+
+ # skip uninitialized database
+ [ -z "$bdb_files"] || continue
+
+ printf "Updating '%s', logging into '%s'\n" "$dbdir" "$upgrade_log"
+
+ # perform the update
+ for command in \
+ "/usr/bin/db_recover -v -h \"$dbdir\"" \
+ "/usr/bin/db_upgrade -v -h \"$dbdir\" $bdb_files" \
+ "/usr/bin/db_checkpoint -v -h \"$dbdir\" -1" \
+ ; do
+ printf "Executing: %s\n" "$command" &>>$upgrade_log
+ run_as_ldap "$command" &>>$upgrade_log
+ result=$?
+ printf "Exit code: %d\n" $result >>"$upgrade_log"
+ if [ $result -ne 0 ]; then
+ printf "Upgrade failed: %d\n" $result
+ retcode=1
+ fi
+ done
+done
+
+exit $retcode
diff --git a/stx-sources/openldap.tmpfiles b/stx-sources/openldap.tmpfiles
new file mode 100644
index 0000000..aa0e805
--- /dev/null
+++ b/stx-sources/openldap.tmpfiles
@@ -0,0 +1,3 @@
+# OpenLDAP TLSMC runtime directories
+x /tmp/openldap-tlsmc-*
+X /tmp/openldap-tlsmc-*
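Review bot: The failure path after `update "$1"` runs `kill "$SLAPDPID"` and `rm -rf "$TEMPDIR"` unconditionally, although both variables are still empty whenever update returned before slapd was started or the temp dir created (most of its early `return 1` exits), so kill prints a usage error, and the `echo "$SLAPDPID"` / `echo "$TEMPDIR"` lines look like leftover debugging output on stdout. Guard them as `[ -n "$SLAPDPID" ] && kill "$SLAPDPID"` and `[ -n "$TEMPDIR" ] && rm -rf "$TEMPDIR"`, and drop the echos or route them through log. Inside update, `set -u` is not scoped to the function, so it stays in effect for the caller's cleanup, and `sleep 2` is the only synchronisation with the temporary slapd. In this rendering the hunk is missing the text between `cat > temp.conf <` and the trailing `&`, and between the ldapadd/ldapsearch here-documents (far fewer than the 142 lines the header announces are shown), so that part of update could not be reviewed.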
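Review bot: `[ -z "$bdb_files"] || continue` is broken twice: the missing space before `]` makes test report a syntax error and return 2, so `|| continue` fires for every database and no upgrade is ever run, and even with the space the condition is inverted relative to the `# skip uninitialized database` comment, since an empty list would proceed and a populated one would be skipped. It should read `[ -n "$bdb_files" ] || continue`. As in check-config.sh, `&>>$upgrade_log` is bash-only syntax under a `#!/bin/sh` shebang; a POSIX sh parses it as backgrounding the command followed by a bare `>>$upgrade_log` redirection, so the log would receive nothing.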
diff --git a/stx-sources/slapd.ldif b/stx-sources/slapd.ldif
new file mode 100644
index 0000000..7b7f328
--- /dev/null
+++ b/stx-sources/slapd.ldif
@@ -0,0 +1,148 @@
+#
+# See slapd-config(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+olcArgsFile: /var/run/openldap/slapd.args
+olcPidFile: /var/run/openldap/slapd.pid
+#
+# TLS settings
+#
+olcTLSCACertificatePath: /etc/openldap/certs
+olcTLSCertificateFile: "OpenLDAP Server"
+olcTLSCertificateKeyFile: /etc/openldap/certs/password
+#
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#
+#olcReferral: ldap://root.openldap.org
+#
+# Sample security restrictions
+# Require integrity protection (prevent hijacking)
+# Require 112-bit (3DES or better) encryption for updates
+# Require 64-bit encryption for simple bind
+#
+#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
+
+
+#
+# Load dynamic backend modules:
+# - modulepath is architecture dependent value (32/64-bit system)
+# - back_sql.la backend requires openldap-servers-sql package
+# - dyngroup.la and dynlist.la cannot be used at the same time
+#
+
+#dn: cn=module,cn=config
+#objectClass: olcModuleList
+#cn: module
+#olcModulepath: /usr/lib/openldap
+#olcModulepath: /usr/lib64/openldap
+#olcModuleload: accesslog.la
+#olcModuleload: auditlog.la
+#olcModuleload: back_dnssrv.la
+#olcModuleload: back_ldap.la
+#olcModuleload: back_mdb.la
+#olcModuleload: back_meta.la
+#olcModuleload: back_null.la
+#olcModuleload: back_passwd.la
+#olcModuleload: back_relay.la
+#olcModuleload: back_shell.la
+#olcModuleload: back_sock.la
+#olcModuleload: collect.la
+#olcModuleload: constraint.la
+#olcModuleload: dds.la
+#olcModuleload: deref.la
+#olcModuleload: dyngroup.la
+#olcModuleload: dynlist.la
+#olcModuleload: memberof.la
+#olcModuleload: pcache.la
+#olcModuleload: ppolicy.la
+#olcModuleload: refint.la
+#olcModuleload: retcode.la
+#olcModuleload: rwm.la
+#olcModuleload: seqmod.la
+#olcModuleload: smbk5pwd.la
+#olcModuleload: sssvlv.la
+#olcModuleload: syncprov.la
+#olcModuleload: translucent.la
+#olcModuleload: unique.la
+#olcModuleload: valsort.la
+
+
+#
+# Schema settings
+#
+
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+
+include: file:///etc/openldap/schema/core.ldif
+
+#
+# Frontend settings
+#
+
+dn: olcDatabase=frontend,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcFrontendConfig
+olcDatabase: frontend
+#
+# Sample global access control policy:
+# Root DSE: allow anyone to read it
+# Subschema (sub)entry DSE: allow anyone to read it
+# Other DSEs:
+# Allow self write access
+# Allow authenticated users read access
+# Allow anonymous users to authenticate
+#
+#olcAccess: to dn.base="" by * read
+#olcAccess: to dn.base="cn=Subschema" by * read
+#olcAccess: to *
+# by self write
+# by users read
+# by anonymous auth
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn. (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+#
+
+#
+# Configuration database
+#
+
+dn: olcDatabase=config,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: config
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+ n=auth" manage by * none
+
+#
+# Server status monitoring
+#
+
+dn: olcDatabase=monitor,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: monitor
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+ n=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
+
+#
+# Backend database definitions
+#
+
+dn: olcDatabase=hdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcHdbConfig
+olcDatabase: hdb
+olcSuffix: dc=my-domain,dc=com
+olcRootDN: cn=Manager,dc=my-domain,dc=com
+olcDbDirectory: /var/lib/ldap
+olcDbIndex: objectClass eq,pres
+olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
diff --git a/stx-sources/slapd.service b/stx-sources/slapd.service
new file mode 100644
index 0000000..8a3a722
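Review bot: The shipped defaults keep `#olcSecurity: ssf=1 update_ssf=112 simple_bind=64` commented out and define no `olcAccess` on the frontend database, so, as the file's own comment notes, every entry under `dc=my-domain,dc=com` is readable by anyone and simple binds are accepted on the cleartext `ldap:///` listener that slapd.sysconfig enables by default (as far as these two files show). For a packaged default it is worth either enabling that `olcSecurity` line or adding a comment beside it stating that the operator is expected to set it before loading data. The header says the file should NOT be world readable, but the installed mode is decided outside this patch (the `create mode 100644` here is only the git mode), so that expectation needs checking in the spec file.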
--- /dev/null
+++ b/stx-sources/slapd.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=OpenLDAP Server Daemon
+After=syslog.target network-online.target
+Documentation=man:slapd
+Documentation=man:slapd-config
+Documentation=man:slapd-hdb
+Documentation=man:slapd-mdb
+Documentation=file:///usr/share/doc/openldap-servers/guide.html
+
+[Service]
+Type=forking
+PIDFile=/var/run/openldap/slapd.pid
+Environment="SLAPD_URLS=ldap:/// ldapi:///" "SLAPD_OPTIONS="
+EnvironmentFile=/etc/sysconfig/slapd
+ExecStartPre=/usr/libexec/openldap/check-config.sh
+ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS
+
+[Install]
+WantedBy=multi-user.target
diff --git a/stx-sources/slapd.sysconfig b/stx-sources/slapd.sysconfig
new file mode 100644
index 0000000..68091a5
--- /dev/null
+++ b/stx-sources/slapd.sysconfig
@@ -0,0 +1,15 @@
+# OpenLDAP server configuration
+# see 'man slapd' for additional information
+
+# Where the server will run (-h option)
+# - ldapi:/// is required for on-the-fly configuration using client tools
+# (use SASL with EXTERNAL mechanism for authentication)
+# - default: ldapi:/// ldap:///
+# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
+SLAPD_URLS="ldapi:/// ldap:///"
+
+# Any custom options
+#SLAPD_OPTIONS=""
+
+# Keytab location for GSSAPI Kerberos authentication
+#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
diff --git a/stx-sources/slapd.tmpfiles b/stx-sources/slapd.tmpfiles
new file mode 100644
index 0000000..56aa32e
--- /dev/null
+++ b/stx-sources/slapd.tmpfiles
@@ -0,0 +1,2 @@
+# openldap runtime directory for slapd.arg and slapd.pid
+d /var/run/openldap 0755 ldap ldap -
--
2.17.1
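Review bot: `After=syslog.target network-online.target` on its own does not make the unit wait for the network: systemd only orders against network-online.target when something also activates it, so the line needs a matching `Wants=network-online.target` to have the intended effect, and `syslog.target` is obsolete and can be dropped. `PIDFile=/var/run/openldap/slapd.pid` uses the legacy path; systemd warns about /var/run and expects `/run/openldap/slapd.pid` (slapd.tmpfiles and slapd.ldif use the same legacy path, so they should move together). The unit carries no sandboxing directives; slapd drops to `-u ldap` itself, but `ExecStartPre=/usr/libexec/openldap/check-config.sh` runs as root, so any later hardening (e.g. `ProtectSystem=`, `ProtectHome=`) must still let that step read the config and database directories.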