+++ /dev/null
-From 2adc9fa71e3a47542793e61c7794629fa9255a57 Mon Sep 17 00:00:00 2001
-From: babak sarashki <babak.sarashki@windriver.com>
-Date: Tue, 5 Nov 2019 14:49:06 -0800
-Subject: [PATCH] openldap and stx source and config files
-
-From stx 1901 openldap-2.4.44-21.el7_6.src.rpm
----
- stx-sources/ldap.conf | 18 +++
- stx-sources/libexec-check-config.sh | 91 ++++++++++++
- stx-sources/libexec-convert-config.sh | 79 ++++++++++
- stx-sources/libexec-create-certdb.sh | 70 +++++++++
- stx-sources/libexec-functions | 136 +++++++++++++++++
- stx-sources/libexec-generate-server-cert.sh | 118 +++++++++++++++
- stx-sources/libexec-update-ppolicy-schema.sh | 142 ++++++++++++++++++
- stx-sources/libexec-upgrade-db.sh | 40 +++++
- stx-sources/openldap.tmpfiles | 3 +
- stx-sources/slapd.ldif | 148 +++++++++++++++++++
- stx-sources/slapd.service | 19 +++
- stx-sources/slapd.sysconfig | 15 ++
- stx-sources/slapd.tmpfiles | 2 +
- 13 files changed, 881 insertions(+)
- create mode 100644 stx-sources/ldap.conf
- create mode 100755 stx-sources/libexec-check-config.sh
- create mode 100755 stx-sources/libexec-convert-config.sh
- create mode 100755 stx-sources/libexec-create-certdb.sh
- create mode 100644 stx-sources/libexec-functions
- create mode 100755 stx-sources/libexec-generate-server-cert.sh
- create mode 100755 stx-sources/libexec-update-ppolicy-schema.sh
- create mode 100755 stx-sources/libexec-upgrade-db.sh
- create mode 100644 stx-sources/openldap.tmpfiles
- create mode 100644 stx-sources/slapd.ldif
- create mode 100644 stx-sources/slapd.service
- create mode 100644 stx-sources/slapd.sysconfig
- create mode 100644 stx-sources/slapd.tmpfiles
-
-diff --git a/stx-sources/ldap.conf b/stx-sources/ldap.conf
-new file mode 100644
-index 0000000..aa6f8fd
---- /dev/null
-+++ b/stx-sources/ldap.conf
-@@ -0,0 +1,18 @@
-+#
-+# LDAP Defaults
-+#
-+
-+# See ldap.conf(5) for details
-+# This file should be world readable but not world writable.
-+
-+#BASE dc=example,dc=com
-+#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
-+
-+#SIZELIMIT 12
-+#TIMELIMIT 15
-+#DEREF never
-+
-+TLS_CACERTDIR /etc/openldap/certs
-+
-+# Turning this off breaks GSSAPI used with krb5 when rdns = false
-+SASL_NOCANON on
-diff --git a/stx-sources/libexec-check-config.sh b/stx-sources/libexec-check-config.sh
-new file mode 100755
-index 0000000..87e377f
---- /dev/null
-+++ b/stx-sources/libexec-check-config.sh
-@@ -0,0 +1,91 @@
-+#!/bin/sh
-+# Author: Jan Vcelak <jvcelak@redhat.com>
-+
-+. /usr/libexec/openldap/functions
-+
-+function check_config_syntax()
-+{
-+ retcode=0
-+ tmp_slaptest=`mktemp --tmpdir=/var/run/openldap`
-+ run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &>$tmp_slaptest
-+ if [ $? -ne 0 ]; then
-+ error "Checking configuration file failed:"
-+ cat $tmp_slaptest >&2
-+ retcode=1
-+ fi
-+ rm $tmp_slaptest
-+ return $retcode
-+}
-+
-+function check_certs_perms()
-+{
-+ retcode=0
-+ for cert in `certificates`; do
-+ run_as_ldap "/usr/bin/test -e \"$cert\""
-+ if [ $? -ne 0 ]; then
-+ error "TLS certificate/key/DB '%s' was not found." "$cert"
-+ retcoder=1
-+ continue
-+ fi
-+ run_as_ldap "/usr/bin/test -r \"$cert\""
-+ if [ $? -ne 0 ]; then
-+ error "TLS certificate/key/DB '%s' is not readable." "$cert"
-+ retcode=1
-+ fi
-+ done
-+ return $retcode
-+}
-+
-+function check_db_perms()
-+{
-+ retcode=0
-+ for dbdir in `databases`; do
-+ [ -d "$dbdir" ] || continue
-+ for dbfile in `find ${dbdir} -maxdepth 1 -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name "alock"`; do
-+ run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\""
-+ if [ $? -ne 0 ]; then
-+ error "Read/write permissions for DB file '%s' are required." "$dbfile"
-+ retcode=1
-+ fi
-+ done
-+ done
-+ return $retcode
-+}
-+
-+function check_everything()
-+{
-+ retcode=0
-+ check_config_syntax || retcode=1
-+ # TODO: need support for Mozilla NSS, disabling temporarily
-+ #check_certs_perms || retcode=1
-+ check_db_perms || retcode=1
-+ return $retcode
-+}
-+
-+if [ `id -u` -ne 0 ]; then
-+ error "You have to be root to run this script."
-+ exit 4
-+fi
-+
-+load_sysconfig
-+
-+if [ -n "$SLAPD_CONFIG_DIR" ]; then
-+ if [ ! -d "$SLAPD_CONFIG_DIR" ]; then
-+ error "Configuration directory '%s' does not exist." "$SLAPD_CONFIG_DIR"
-+ else
-+ check_everything
-+ exit $?
-+ fi
-+fi
-+
-+if [ -n "$SLAPD_CONFIG_FILE" ]; then
-+ if [ ! -f "$SLAPD_CONFIG_FILE" ]; then
-+ error "Configuration file '%s' does not exist." "$SLAPD_CONFIG_FILE"
-+ else
-+ error "Warning: Usage of a configuration file is obsolete!"
-+ check_everything
-+ exit $?
-+ fi
-+fi
-+
-+exit 1
-diff --git a/stx-sources/libexec-convert-config.sh b/stx-sources/libexec-convert-config.sh
-new file mode 100755
-index 0000000..824c3b1
---- /dev/null
-+++ b/stx-sources/libexec-convert-config.sh
-@@ -0,0 +1,79 @@
-+#!/bin/sh
-+# Author: Jan Vcelak <jvcelak@redhat.com>
-+
-+. /usr/libexec/openldap/functions
-+
-+function help()
-+{
-+ error "usage: %s [-f config-file] [-F config-dir]\n" "`basename $0`"
-+ exit 2
-+}
-+
-+load_sysconfig
-+
-+while getopts :f:F: opt; do
-+ case "$opt" in
-+ f)
-+ SLAPD_CONFIG_FILE="$OPTARG"
-+ ;;
-+ F)
-+ SLAPD_CONFIG_DIR="$OPTARG"
-+ ;;
-+ *)
-+ help
-+ ;;
-+ esac
-+done
-+shift $((OPTIND-1))
-+[ -n "$1" ] && help
-+
-+# check source, target
-+
-+if [ ! -f "$SLAPD_CONFIG_FILE" ]; then
-+ error "Source configuration file '%s' not found." "$SLAPD_CONFIG_FILE"
-+ exit 1
-+fi
-+
-+if grep -iq '^dn: cn=config$' "$SLAPD_CONFIG_FILE"; then
-+ SLAPD_CONFIG_FILE_FORMAT=ldif
-+else
-+ SLAPD_CONFIG_FILE_FORMAT=conf
-+fi
-+
-+if [ -d "$SLAPD_CONFIG_DIR" ]; then
-+ if [ `find "$SLAPD_CONFIG_DIR" -maxdepth 0 -empty | wc -l` -eq 0 ]; then
-+ error "Target configuration directory '%s' is not empty." "$SLAPD_CONFIG_DIR"
-+ exit 1
-+ fi
-+fi
-+
-+# perform the conversion
-+
-+tmp_convert=`mktemp --tmpdir=/var/run/openldap`
-+
-+if [ `id -u` -eq 0 ]; then
-+ install -d --owner $SLAPD_USER --group `id -g $SLAPD_USER` --mode 0750 "$SLAPD_CONFIG_DIR" &>>$tmp_convert
-+ if [ $SLAPD_CONFIG_FILE_FORMAT = ldif ]; then
-+ run_as_ldap "/usr/sbin/slapadd -F \"$SLAPD_CONFIG_DIR\" -n 0 -l \"$SLAPD_CONFIG_FILE\"" &>>$tmp_convert
-+ else
-+ run_as_ldap "/usr/sbin/slaptest -f \"$SLAPD_CONFIG_FILE\" -F \"$SLAPD_CONFIG_DIR\"" &>>$tmp_convert
-+ fi
-+ retcode=$?
-+else
-+ error "You are not root! Permission will not be set."
-+ install -d --mode 0750 "$SLAPD_CONFIG_DIR" &>>$tmp_convert
-+ if [ $SLAPD_CONFIG_FILE_FORMAT = ldif ]; then
-+ /usr/sbin/slapadd -F "$SLAPD_CONFIG_DIR" -n 0 -l "$SLAPD_CONFIG_FILE" &>>$tmp_convert
-+ else
-+ /usr/sbin/slaptest -f "$SLAPD_CONFIG_FILE" -F "$SLAPD_CONFIG_DIR" &>>$tmp_convert
-+ fi
-+ retcode=$?
-+fi
-+
-+if [ $retcode -ne 0 ]; then
-+ error "Configuration conversion failed:"
-+ cat $tmp_convert >&2
-+fi
-+
-+rm $tmp_convert
-+exit $retcode
-diff --git a/stx-sources/libexec-create-certdb.sh b/stx-sources/libexec-create-certdb.sh
-new file mode 100755
-index 0000000..2377fdd
---- /dev/null
-+++ b/stx-sources/libexec-create-certdb.sh
-@@ -0,0 +1,70 @@
-+#!/bin/bash
-+# Author: Jan Vcelak <jvcelak@redhat.com>
-+
-+set -e
-+
-+# default options
-+
-+CERTDB_DIR=/etc/openldap/certs
-+
-+# internals
-+
-+MODULE_CKBI="$(rpm --eval %{_libdir})/libnssckbi.so"
-+RANDOM_SOURCE=/dev/urandom
-+PASSWORD_BYTES=32
-+
-+# parse arguments
-+
-+usage() {
-+ printf "usage: create-certdb.sh [-d certdb]\n" >&2
-+ exit 1
-+}
-+
-+while getopts "d:" opt; do
-+ case "$opt" in
-+ d)
-+ CERTDB_DIR="$OPTARG"
-+ ;;
-+ \?)
-+ usage
-+ ;;
-+ esac
-+done
-+
-+[ "$OPTIND" -le "$#" ] && usage
-+
-+# verify target location
-+
-+if [ ! -d "$CERTDB_DIR" ]; then
-+ printf "Directory '%s' does not exist.\n" "$CERTDB_DIR" >&2
-+ exit 1
-+fi
-+
-+if [ ! "$(find "$CERTDB_DIR" -maxdepth 0 -empty | wc -l)" -eq 1 ]; then
-+ printf "Directory '%s' is not empty.\n" "$CERTDB_DIR" >&2
-+ exit 1
-+fi
-+
-+# create the database
-+
-+printf "Creating certificate database in '%s'.\n" "$CERTDB_DIR" >&2
-+
-+PASSWORD_FILE="$CERTDB_DIR/password"
-+OLD_UMASK="$(umask)"
-+umask 0377
-+dd if=$RANDOM_SOURCE bs=$PASSWORD_BYTES count=1 2>/dev/null | base64 > "$PASSWORD_FILE"
-+umask "$OLD_UMASK"
-+
-+certutil -d "$CERTDB_DIR" -N -f "$PASSWORD_FILE" &>/dev/null
-+
-+# load module with builtin CA certificates
-+
-+echo | modutil -dbdir "$CERTDB_DIR" -add "Root Certs" -libfile "$MODULE_CKBI" &>/dev/null
-+
-+# tune permissions
-+
-+for dbfile in "$CERTDB_DIR"/*.db; do
-+ chmod 0644 "$dbfile"
-+done
-+
-+exit 0
-diff --git a/stx-sources/libexec-functions b/stx-sources/libexec-functions
-new file mode 100644
-index 0000000..98c8631
---- /dev/null
-+++ b/stx-sources/libexec-functions
-@@ -0,0 +1,136 @@
-+# Author: Jan Vcelak <jvcelak@redhat.com>
-+
-+SLAPD_USER=
-+SLAPD_CONFIG_FILE=
-+SLAPD_CONFIG_DIR=
-+SLAPD_CONFIG_CUSTOM=
-+SLAPD_GLOBAL_OPTIONS=
-+SLAPD_SYSCONFIG_FILE=
-+
-+function default_config()
-+{
-+ SLAPD_USER=ldap
-+ SLAPD_CONFIG_FILE=/etc/openldap/slapd.conf
-+ SLAPD_CONFIG_DIR=/etc/openldap/slapd.d
-+ SLAPD_CONFIG_CUSTOM=
-+ SLAPD_GLOBAL_OPTIONS=
-+ SLAPD_SYSCONFIG_FILE=/etc/sysconfig/slapd
-+}
-+
-+function parse_config_options()
-+{
-+ user=
-+ config_file=
-+ config_dir=
-+ while getopts :u:f:F: opt; do
-+ case "$opt" in
-+ u)
-+ user="$OPTARG"
-+ ;;
-+ f)
-+ config_file="$OPTARG"
-+ ;;
-+ F)
-+ config_dir="$OPTARG"
-+ ;;
-+ esac
-+ done
-+
-+ unset OPTIND
-+
-+ if [ -n "$user" ]; then
-+ SLAPD_USER="$user"
-+ fi
-+
-+ if [ -n "$config_dir" ]; then
-+ SLAPD_CONFIG_DIR="$config_dir"
-+ SLAPD_CONFIG_FILE=
-+ SLAPD_CONFIG_CUSTOM=1
-+ SLAPD_GLOBAL_OPTIONS="-F '$config_dir'"
-+ elif [ -n "$config_file" ]; then
-+ SLAPD_CONFIG_DIR=
-+ SLAPD_CONFIG_FILE="$config_file"
-+ SLAPD_CONFIG_CUSTOM=1
-+ SLAPD_GLOBAL_OPTIONS="-f '$config_file'"
-+ fi
-+}
-+
-+function uses_new_config()
-+{
-+ [ -n "$SLAPD_CONFIG_DIR" ]
-+ return $?
-+}
-+
-+function run_as_ldap()
-+{
-+ /sbin/runuser --shell /bin/sh --session-command "$1" "$SLAPD_USER"
-+ return $?
-+}
-+
-+function ldif_unbreak()
-+{
-+ sed ':a;N;s/\n //;ta;P;D'
-+}
-+
-+function ldif_value()
-+{
-+ sed 's/^[^:]*: //'
-+}
-+
-+function databases_new()
-+{
-+ slapcat $SLAPD_GLOBAL_OPTIONS -c \
-+ -H 'ldap:///cn=config???(|(objectClass=olcBdbConfig)(objectClass=olcHdbConfig))' 2>/dev/null | \
-+ ldif_unbreak | \
-+ grep '^olcDbDirectory: ' | \
-+ ldif_value
-+}
-+
-+function databases_old()
-+{
-+ awk 'begin { database="" }
-+ $1 == "database" { database=$2 }
-+ $1 == "directory" { if (database == "bdb" || database == "hdb") print $2}' \
-+ "$SLAPD_CONFIG_FILE"
-+}
-+
-+function certificates_new()
-+{
-+ slapcat $SLAPD_GLOBAL_OPTIONS -c -H 'ldap:///cn=config???(cn=config)' 2>/dev/null | \
-+ ldif_unbreak | \
-+ grep '^olcTLS\(CACertificateFile\|CACertificatePath\|CertificateFile\|CertificateKeyFile\): ' | \
-+ ldif_value
-+}
-+
-+function certificates_old()
-+{
-+ awk '$1 ~ "^TLS(CACertificate(File|Path)|CertificateFile|CertificateKeyFile)$" { print $2 } ' \
-+ "$SLAPD_CONFIG_FILE"
-+}
-+
-+function certificates()
-+{
-+ uses_new_config && certificates_new || certificates_old
-+}
-+
-+function databases()
-+{
-+ uses_new_config && databases_new || databases_old
-+}
-+
-+
-+function error()
-+{
-+ format="$1\n"; shift
-+ printf "$format" $@ >&2
-+}
-+
-+function load_sysconfig()
-+{
-+ [ -r "$SLAPD_SYSCONFIG_FILE" ] || return
-+
-+ . "$SLAPD_SYSCONFIG_FILE"
-+ [ -n "$SLAPD_OPTIONS" ] && parse_config_options $SLAPD_OPTIONS
-+}
-+
-+default_config
-diff --git a/stx-sources/libexec-generate-server-cert.sh b/stx-sources/libexec-generate-server-cert.sh
-new file mode 100755
-index 0000000..e2f4974
---- /dev/null
-+++ b/stx-sources/libexec-generate-server-cert.sh
-@@ -0,0 +1,118 @@
-+#!/bin/bash
-+# Author: Jan Vcelak <jvcelak@redhat.com>
-+
-+set -e
-+
-+# default options
-+
-+CERTDB_DIR=/etc/openldap/certs
-+CERT_NAME="OpenLDAP Server"
-+PASSWORD_FILE=
-+HOSTNAME_FQDN="$(hostname --fqdn)"
-+ALT_NAMES=
-+ONCE=0
-+
-+# internals
-+
-+RANDOM_SOURCE=/dev/urandom
-+CERT_RANDOM_BYTES=256
-+CERT_KEY_TYPE=rsa
-+CERT_KEY_SIZE=1024
-+CERT_VALID_MONTHS=12
-+
-+# parse arguments
-+
-+usage() {
-+ printf "usage: generate-server-cert.sh [-d certdb-dir] [-n cert-name]\n" >&2
-+ printf " [-p password-file] [-h hostnames]\n" >&2
-+ printf " [-a dns-alt-names] [-o]\n" >&2
-+ exit 1
-+}
-+
-+while getopts "d:n:p:h:a:o" opt; do
-+ case "$opt" in
-+ d)
-+ CERTDB_DIR="$OPTARG"
-+ ;;
-+ n)
-+ CERT_NAME="$OPTARG"
-+ ;;
-+ p)
-+ PASSWORD_FILE="$OPTARG"
-+ ;;
-+ h)
-+ HOSTNAME_FQDN="$OPTARG"
-+ ;;
-+ a)
-+ ALT_NAMES="$OPTARG"
-+ ;;
-+ o)
-+ ONCE=1
-+ ;;
-+ \?)
-+ usage
-+ ;;
-+ esac
-+done
-+
-+[ "$OPTIND" -le "$#" ] && usage
-+
-+# generated options
-+
-+ONCE_FILE="$CERTDB_DIR/.slapd-leave"
-+PASSWORD_FILE="${PASSWORD_FILE:-${CERTDB_DIR}/password}"
-+ALT_NAMES="${ALT_NAMES:-${HOSTNAME_FQDN},localhost,localhost.localdomain}"
-+
-+# verify target location
-+
-+if [ "$ONCE" -eq 1 -a -f "$ONCE_FILE" ]; then
-+ printf "Skipping certificate generating, '%s' exists.\n" "$ONCE_FILE" >&2
-+ exit 0
-+fi
-+
-+if ! certutil -d "$CERTDB_DIR" -U &>/dev/null; then
-+ printf "Directory '%s' is not a valid certificate database.\n" "$CERTDB_DIR" >&2
-+ exit 1
-+fi
-+
-+printf "Creating new server certificate in '%s'.\n" "$CERTDB_DIR" >&2
-+
-+if [ ! -r "$PASSWORD_FILE" ]; then
-+ printf "Password file '%s' is not readable.\n" "$PASSWORD_FILE" >&2
-+ exit 1
-+fi
-+
-+if certutil -d "$CERTDB_DIR" -L -a -n "$CERT_NAME" &>/dev/null; then
-+ printf "Certificate '%s' already exists in the certificate database.\n" "$CERT_NAME" >&2
-+ exit 1
-+fi
-+
-+# generate server certificate (self signed)
-+
-+
-+CERT_RANDOM=$(mktemp --tmpdir=/var/run/openldap)
-+dd if=$RANDOM_SOURCE bs=$CERT_RANDOM_BYTES count=1 of=$CERT_RANDOM &>/dev/null
-+
-+certutil -d "$CERTDB_DIR" -f "$PASSWORD_FILE" -z "$CERT_RANDOM" \
-+ -S -x -n "$CERT_NAME" \
-+ -s "CN=$HOSTNAME_FQDN" \
-+ -t TC,, \
-+ -k $CERT_KEY_TYPE -g $CERT_KEY_SIZE \
-+ -v $CERT_VALID_MONTHS \
-+ -8 "$ALT_NAMES" \
-+ &>/dev/null
-+
-+rm -f $CERT_RANDOM
-+
-+# tune permissions
-+
-+if [ "$(id -u)" -eq 0 ]; then
-+ chgrp ldap "$PASSWORD_FILE"
-+ chmod g+r "$PASSWORD_FILE"
-+else
-+ printf "WARNING: The server requires read permissions on the password file in order to\n" >&2
-+ printf " load it's private key from the certificate database.\n" >&2
-+fi
-+
-+touch "$ONCE_FILE"
-+exit 0
-diff --git a/stx-sources/libexec-update-ppolicy-schema.sh b/stx-sources/libexec-update-ppolicy-schema.sh
-new file mode 100755
-index 0000000..a853b27
---- /dev/null
-+++ b/stx-sources/libexec-update-ppolicy-schema.sh
-@@ -0,0 +1,142 @@
-+#!/bin/bash
-+# This script serves one purpose, to add a possibly missing attribute
-+# to a ppolicy schema in a dynamic configuration of OpenLDAP. This
-+# attribute was introduced in openldap-2.4.43 and slapd will not
-+# start without it later on.
-+#
-+# The script tries to update in a directory given as first parameter,
-+# or in /etc/openldap/slapd.d implicitly.
-+#
-+# Author: Matus Honek <mhonek@redhat.com>
-+# Bugzilla: #1487857
-+
-+function log {
-+ echo "Update dynamic configuration: " $@
-+ true
-+}
-+
-+function iferr {
-+ if [ $? -ne 0 ]; then
-+ log "ERROR: " $@
-+ true
-+ else
-+ false
-+ fi
-+}
-+
-+function update {
-+ set -u
-+ shopt -s extglob
-+
-+ ORIGINAL="${1:-/etc/openldap/slapd.d}"
-+ ORIGINAL="${ORIGINAL%*(/)}"
-+
-+ ### check if necessary
-+ grep -r "pwdMaxRecordedFail" "${ORIGINAL}/cn=config/cn=schema" >/dev/null
-+ [ $? -eq 0 ] && log "Schemas look up to date. Ok. Quitting." && return 0
-+
-+ ### prep
-+ log "Prepare environment."
-+
-+ TEMPDIR=$(mktemp -d)
-+ iferr "Could not create a temporary directory. Quitting." && return 1
-+ DBDIR="${TEMPDIR}/db"
-+ SUBDBDIR="${DBDIR}/cn=temporary"
-+
-+ mkdir "${DBDIR}"
-+ iferr "Could not create temporary configuration directory. Quitting." && return 1
-+ cp -r --no-target-directory "${ORIGINAL}" "${SUBDBDIR}"
-+ iferr "Could not copy configuration. Quitting." && return 1
-+
-+ pushd "$TEMPDIR" >/dev/null
-+
-+ cat > temp.conf <<EOF
-+database ldif
-+suffix cn=temporary
-+directory db
-+access to * by * manage
-+EOF
-+
-+ SOCKET="$(pwd)/socket"
-+ LISTENER="ldapi://${SOCKET//\//%2F}"
-+ CONN_PARAMS=("-Y" "EXTERNAL" "-H" "${LISTENER}")
-+
-+ slapd -f temp.conf -h "$LISTENER" -d 0 >/dev/null 2>&1 &
-+ SLAPDPID="$!"
-+ sleep 2
-+
-+ ldapadd ${CONN_PARAMS[@]} -d 0 >/dev/null 2>&1 <<EOF
-+dn: cn=temporary
-+objectClass: olcGlobal
-+cn: temporary
-+EOF
-+ iferr "Could not populate the temporary database. Quitting." && return 1
-+
-+ ### update
-+ log "Update with new pwdMaxRecordedFailure attribute."
-+ FILTER="(&"
-+ FILTER+="(olcObjectClasses=*'pwdPolicy'*)"
-+ FILTER+="(!(olcObjectClasses=*'pwdPolicy'*'pwdMaxRecordedFailure'*))"
-+ FILTER+="(!(olcAttributeTypes=*'pwdMaxRecordedFailure'*))"
-+ FILTER+=")"
-+ RES=$(ldapsearch ${CONN_PARAMS[@]} \
-+ -b cn=schema,cn=config,cn=temporary \
-+ -LLL \
-+ -o ldif-wrap=no \
-+ "$FILTER" \
-+ dn olcObjectClasses \
-+ 2>/dev/null \
-+ | sed '/^$/d')
-+ DN=$(printf "$RES" | grep '^dn:')
-+ OC=$(printf "$RES" | grep "^olcObjectClasses:.*'pwdPolicy'")
-+ NEWOC="${OC//$ pwdSafeModify /$ pwdSafeModify $ pwdMaxRecordedFailure }"
-+
-+ test $(echo "$DN" | wc -l) = 1
-+ iferr "Received more than one DN. Cannot continue. Quitting." && return 1
-+ test "$NEWOC" != "$OC"
-+ iferr "Updating pwdPolicy objectClass definition failed. Quitting." && return 1
-+
-+ ldapmodify ${CONN_PARAMS[@]} -d 0 >/dev/null 2>&1 <<EOF
-+$DN
-+changetype: modify
-+add: olcAttributeTypes
-+olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRecordedFailur
-+ e' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.
-+ 1466.115.121.1.27 SINGLE-VALUE )
-+-
-+delete: olcObjectClasses
-+$OC
-+-
-+add: olcObjectClasses
-+$NEWOC
-+EOF
-+ iferr "Updating with new attribute failed. Quitting." && return 1
-+
-+ popd >/dev/null
-+
-+ ### apply
-+ log "Apply changes."
-+ cp -r --no-target-directory "$ORIGINAL" "$ORIGINAL~backup"
-+ iferr "Backing up old configuration failed. Quitting." && return 1
-+ cp -r --no-target-directory "$SUBDBDIR" "$ORIGINAL"
-+ iferr "Applying new configuration failed. Quitting." && return 1
-+
-+ ### clean up
-+ log "Clean up."
-+ kill "$SLAPDPID"
-+ SLAPDPID=
-+ rm -rf "$TEMPDIR"
-+ TEMPDIR=
-+}
-+
-+SLAPDPID=
-+TEMPDIR=
-+update "$1"
-+if [ $? -ne 0 ]; then
-+ log "Clean up."
-+ echo "$SLAPDPID"
-+ echo "$TEMPDIR"
-+ kill "$SLAPDPID"
-+ rm -rf "$TEMPDIR"
-+fi
-+log "Finished."
-diff --git a/stx-sources/libexec-upgrade-db.sh b/stx-sources/libexec-upgrade-db.sh
-new file mode 100755
-index 0000000..1543c80
---- /dev/null
-+++ b/stx-sources/libexec-upgrade-db.sh
-@@ -0,0 +1,40 @@
-+#!/bin/sh
-+# Author: Jan Vcelak <jvcelak@redhat.com>
-+
-+. /usr/libexec/openldap/functions
-+
-+if [ `id -u` -ne 0 ]; then
-+ error "You have to be root to run this command."
-+ exit 4
-+fi
-+
-+load_sysconfig
-+retcode=0
-+
-+for dbdir in `databases`; do
-+ upgrade_log="$dbdir/db_upgrade.`date +%Y%m%d%H%M%S`.log"
-+ bdb_files=`find "$dbdir" -maxdepth 1 -name "*.bdb" -printf '"%f" '`
-+
-+ # skip uninitialized database
-+ [ -z "$bdb_files"] || continue
-+
-+ printf "Updating '%s', logging into '%s'\n" "$dbdir" "$upgrade_log"
-+
-+ # perform the update
-+ for command in \
-+ "/usr/bin/db_recover -v -h \"$dbdir\"" \
-+ "/usr/bin/db_upgrade -v -h \"$dbdir\" $bdb_files" \
-+ "/usr/bin/db_checkpoint -v -h \"$dbdir\" -1" \
-+ ; do
-+ printf "Executing: %s\n" "$command" &>>$upgrade_log
-+ run_as_ldap "$command" &>>$upgrade_log
-+ result=$?
-+ printf "Exit code: %d\n" $result >>"$upgrade_log"
-+ if [ $result -ne 0 ]; then
-+ printf "Upgrade failed: %d\n" $result
-+ retcode=1
-+ fi
-+ done
-+done
-+
-+exit $retcode
-diff --git a/stx-sources/openldap.tmpfiles b/stx-sources/openldap.tmpfiles
-new file mode 100644
-index 0000000..aa0e805
---- /dev/null
-+++ b/stx-sources/openldap.tmpfiles
-@@ -0,0 +1,3 @@
-+# OpenLDAP TLSMC runtime directories
-+x /tmp/openldap-tlsmc-*
-+X /tmp/openldap-tlsmc-*
-diff --git a/stx-sources/slapd.ldif b/stx-sources/slapd.ldif
-new file mode 100644
-index 0000000..7b7f328
---- /dev/null
-+++ b/stx-sources/slapd.ldif
-@@ -0,0 +1,148 @@
-+#
-+# See slapd-config(5) for details on configuration options.
-+# This file should NOT be world readable.
-+#
-+
-+dn: cn=config
-+objectClass: olcGlobal
-+cn: config
-+olcArgsFile: /var/run/openldap/slapd.args
-+olcPidFile: /var/run/openldap/slapd.pid
-+#
-+# TLS settings
-+#
-+olcTLSCACertificatePath: /etc/openldap/certs
-+olcTLSCertificateFile: "OpenLDAP Server"
-+olcTLSCertificateKeyFile: /etc/openldap/certs/password
-+#
-+# Do not enable referrals until AFTER you have a working directory
-+# service AND an understanding of referrals.
-+#
-+#olcReferral: ldap://root.openldap.org
-+#
-+# Sample security restrictions
-+# Require integrity protection (prevent hijacking)
-+# Require 112-bit (3DES or better) encryption for updates
-+# Require 64-bit encryption for simple bind
-+#
-+#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
-+
-+
-+#
-+# Load dynamic backend modules:
-+# - modulepath is architecture dependent value (32/64-bit system)
-+# - back_sql.la backend requires openldap-servers-sql package
-+# - dyngroup.la and dynlist.la cannot be used at the same time
-+#
-+
-+#dn: cn=module,cn=config
-+#objectClass: olcModuleList
-+#cn: module
-+#olcModulepath: /usr/lib/openldap
-+#olcModulepath: /usr/lib64/openldap
-+#olcModuleload: accesslog.la
-+#olcModuleload: auditlog.la
-+#olcModuleload: back_dnssrv.la
-+#olcModuleload: back_ldap.la
-+#olcModuleload: back_mdb.la
-+#olcModuleload: back_meta.la
-+#olcModuleload: back_null.la
-+#olcModuleload: back_passwd.la
-+#olcModuleload: back_relay.la
-+#olcModuleload: back_shell.la
-+#olcModuleload: back_sock.la
-+#olcModuleload: collect.la
-+#olcModuleload: constraint.la
-+#olcModuleload: dds.la
-+#olcModuleload: deref.la
-+#olcModuleload: dyngroup.la
-+#olcModuleload: dynlist.la
-+#olcModuleload: memberof.la
-+#olcModuleload: pcache.la
-+#olcModuleload: ppolicy.la
-+#olcModuleload: refint.la
-+#olcModuleload: retcode.la
-+#olcModuleload: rwm.la
-+#olcModuleload: seqmod.la
-+#olcModuleload: smbk5pwd.la
-+#olcModuleload: sssvlv.la
-+#olcModuleload: syncprov.la
-+#olcModuleload: translucent.la
-+#olcModuleload: unique.la
-+#olcModuleload: valsort.la
-+
-+
-+#
-+# Schema settings
-+#
-+
-+dn: cn=schema,cn=config
-+objectClass: olcSchemaConfig
-+cn: schema
-+
-+include: file:///etc/openldap/schema/core.ldif
-+
-+#
-+# Frontend settings
-+#
-+
-+dn: olcDatabase=frontend,cn=config
-+objectClass: olcDatabaseConfig
-+objectClass: olcFrontendConfig
-+olcDatabase: frontend
-+#
-+# Sample global access control policy:
-+# Root DSE: allow anyone to read it
-+# Subschema (sub)entry DSE: allow anyone to read it
-+# Other DSEs:
-+# Allow self write access
-+# Allow authenticated users read access
-+# Allow anonymous users to authenticate
-+#
-+#olcAccess: to dn.base="" by * read
-+#olcAccess: to dn.base="cn=Subschema" by * read
-+#olcAccess: to *
-+# by self write
-+# by users read
-+# by anonymous auth
-+#
-+# if no access controls are present, the default policy
-+# allows anyone and everyone to read anything but restricts
-+# updates to rootdn. (e.g., "access to * by * read")
-+#
-+# rootdn can always read and write EVERYTHING!
-+#
-+
-+#
-+# Configuration database
-+#
-+
-+dn: olcDatabase=config,cn=config
-+objectClass: olcDatabaseConfig
-+olcDatabase: config
-+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
-+ n=auth" manage by * none
-+
-+#
-+# Server status monitoring
-+#
-+
-+dn: olcDatabase=monitor,cn=config
-+objectClass: olcDatabaseConfig
-+olcDatabase: monitor
-+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
-+ n=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
-+
-+#
-+# Backend database definitions
-+#
-+
-+dn: olcDatabase=hdb,cn=config
-+objectClass: olcDatabaseConfig
-+objectClass: olcHdbConfig
-+olcDatabase: hdb
-+olcSuffix: dc=my-domain,dc=com
-+olcRootDN: cn=Manager,dc=my-domain,dc=com
-+olcDbDirectory: /var/lib/ldap
-+olcDbIndex: objectClass eq,pres
-+olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
-diff --git a/stx-sources/slapd.service b/stx-sources/slapd.service
-new file mode 100644
-index 0000000..8a3a722
---- /dev/null
-+++ b/stx-sources/slapd.service
-@@ -0,0 +1,19 @@
-+[Unit]
-+Description=OpenLDAP Server Daemon
-+After=syslog.target network-online.target
-+Documentation=man:slapd
-+Documentation=man:slapd-config
-+Documentation=man:slapd-hdb
-+Documentation=man:slapd-mdb
-+Documentation=file:///usr/share/doc/openldap-servers/guide.html
-+
-+[Service]
-+Type=forking
-+PIDFile=/var/run/openldap/slapd.pid
-+Environment="SLAPD_URLS=ldap:/// ldapi:///" "SLAPD_OPTIONS="
-+EnvironmentFile=/etc/sysconfig/slapd
-+ExecStartPre=/usr/libexec/openldap/check-config.sh
-+ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS
-+
-+[Install]
-+WantedBy=multi-user.target
-diff --git a/stx-sources/slapd.sysconfig b/stx-sources/slapd.sysconfig
-new file mode 100644
-index 0000000..68091a5
---- /dev/null
-+++ b/stx-sources/slapd.sysconfig
-@@ -0,0 +1,15 @@
-+# OpenLDAP server configuration
-+# see 'man slapd' for additional information
-+
-+# Where the server will run (-h option)
-+# - ldapi:/// is required for on-the-fly configuration using client tools
-+# (use SASL with EXTERNAL mechanism for authentication)
-+# - default: ldapi:/// ldap:///
-+# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
-+SLAPD_URLS="ldapi:/// ldap:///"
-+
-+# Any custom options
-+#SLAPD_OPTIONS=""
-+
-+# Keytab location for GSSAPI Kerberos authentication
-+#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
-diff --git a/stx-sources/slapd.tmpfiles b/stx-sources/slapd.tmpfiles
-new file mode 100644
-index 0000000..56aa32e
---- /dev/null
-+++ b/stx-sources/slapd.tmpfiles
-@@ -0,0 +1,2 @@
-+# openldap runtime directory for slapd.arg and slapd.pid
-+d /var/run/openldap 0755 ldap ldap -
---
-2.17.1
-
Code Review / pti / rtp.git / blobdiff