Revert "Revert "oran-shell-release: release image for F""

[pti/rtp.git] / meta-starlingx / meta-stx-integ / recipes-support / openldap / files / 0001-stx-openldap-config-files.patch

From ceaad5c741c95c78d924cb6b179daa6c6b60bf91 Mon Sep 17 00:00:00 2001
From: babak sarashki <babak.sarashki@windriver.com>
Date: Wed, 4 Dec 2019 08:07:24 -0800
Subject: [PATCH] stx openldap config files

---
 stx-openldap-config/LICENSE             | 202 ++++++++++++++++++++++++
 stx-openldap-config/initial_config.ldif |  80 ++++++++++
 stx-openldap-config/initscript          | 100 ++++++++++++
 stx-openldap-config/slapd.conf          | 117 ++++++++++++++
 stx-openldap-config/slapd.service       |  23 +++
 stx-openldap-config/slapd.sysconfig     |  15 ++
 6 files changed, 537 insertions(+)
 create mode 100644 stx-openldap-config/LICENSE
 create mode 100644 stx-openldap-config/initial_config.ldif
 create mode 100755 stx-openldap-config/initscript
 create mode 100644 stx-openldap-config/slapd.conf
 create mode 100644 stx-openldap-config/slapd.service
 create mode 100644 stx-openldap-config/slapd.sysconfig

diff --git a/stx-openldap-config/LICENSE b/stx-openldap-config/LICENSE
new file mode 100644
index 000000000..d64569567
--- /dev/null
+++ b/stx-openldap-config/LICENSE
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/stx-openldap-config/initial_config.ldif b/stx-openldap-config/initial_config.ldif
new file mode 100644
index 000000000..672e364b5
--- /dev/null
+++ b/stx-openldap-config/initial_config.ldif
@@ -0,0 +1,80 @@
+#ldapadd -D "cn=ldapadmin,dc=cgcs,dc=local" -W -f /etc/openldap/initial_config.ldif
+#ldapsearch -x -b 'dc=cgcs,dc=local' '(objectclass=*)'
+dn: dc=cgcs,dc=local
+dc: cgcs
+objectClass: top
+objectClass: domain
+
+dn: ou=policies,dc=cgcs,dc=local
+ou: policies
+objectClass: top
+objectClass: organizationalUnit
+
+dn: ou=People,dc=cgcs,dc=local
+ou: People
+objectClass: top
+objectClass: organizationalUnit
+
+dn: ou=Group,dc=cgcs,dc=local
+ou: Group
+objectClass: top
+objectClass: organizationalUnit
+
+dn: ou=SUDOers,dc=cgcs,dc=local
+objectClass: top
+objectClass: organizationalUnit
+ou: SUDOers
+
+dn: cn=users,ou=Group,dc=cgcs,dc=local
+objectClass: posixGroup
+objectClass: top
+cn: users
+userPassword: {crypt}x
+gidNumber: 100
+
+dn: cn=cgcs,ou=Group,dc=cgcs,dc=local
+objectClass: posixGroup
+objectClass: top
+cn: cgcs
+userPassword: {crypt}x
+gidNumber: 1000
+
+dn: cn=default,ou=policies,dc=cgcs,dc=local
+objectClass: top
+objectClass: device
+objectClass: pwdPolicy
+objectClass: pwdPolicyChecker
+cn: default
+pwdAttribute: userPassword
+pwdMaxAge: 0
+pwdExpireWarning: 432000
+pwdInHistory: 2
+pwdCheckModule: check_password.so
+pwdCheckQuality: 1
+pwdMinLength: 7
+pwdMaxFailure: 5
+pwdLockout: TRUE
+pwdLockoutDuration: 300
+pwdFailureCountInterval: 0
+pwdMustChange: TRUE
+pwdAllowUserChange: TRUE
+pwdSafeModify: FALSE
+pwdGraceAuthNLimit: 0
+
+dn: cn=defaults,ou=SUDOers,dc=cgcs,dc=local
+objectClass: top
+objectClass: sudoRole
+cn: defaults
+description: Default sudoOption's go here
+sudoOrder: 1
+
+dn: cn=admin,ou=SUDOers,dc=cgcs,dc=local
+objectClass: top
+objectClass: sudoRole
+cn: admin
+sudoUser: admin
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoCommand: ALL
+sudoOrder: 2
+sudoOption: secure_path=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
diff --git a/stx-openldap-config/initscript b/stx-openldap-config/initscript
new file mode 100755
index 000000000..d3208dd9a
--- /dev/null
+++ b/stx-openldap-config/initscript
@@ -0,0 +1,100 @@
+#! /bin/sh
+#
+# This is an init script for openembedded
+# Copy it to /etc/init.d/openldap and type
+# > update-rc.d openldap defaults 60
+#
+. /etc/init.d/functions
+
+################################################################################
+# Wait for a process to stop running.
+#
+################################################################################
+function wait_for_proc_stop()
+{
+    PROGNAME=$1
+    TIMEOUT=${2:-"5"}
+
+    for I in $(seq 1 $TIMEOUT); do
+        PID=$(pidof $PROGNAME 2> /dev/null)
+        if [ $? -ne 0 ]; then
+            ## already dead
+            return 0
+        fi
+        sleep 1
+    done
+
+    return 1
+}
+
+slapd=/usr/sbin/slapd
+test -x "$slapd" || exit 0
+
+RETVAL=0
+
+case "$1" in
+  start)
+    echo -n "Starting SLAPD: "
+    if [ -f /etc/openldap/schema/cn=config.ldif ]; then
+        start-stop-daemon --start --oknodo --quiet --exec $slapd \
+            -- -F /etc/openldap/schema/
+        RETVAL=$?
+    else
+        start-stop-daemon --start --oknodo --quiet --exec $slapd
+        RETVAL=$?
+    fi
+    if [ $RETVAL -ne 0 ]; then
+        echo "Failed to start SLAPD."
+        exit $RETVAL
+    fi
+
+    # we need to start nscd service as part of this openldap
+    # init.d script since SM manages this as a service and both
+    # daemons should be running on a controller host
+    systemctl status nscd.service
+    if [ $? -ne 0 ]; then
+        echo -n "Starting NSCD: "
+        systemctl start nscd.service
+        RETVAL=$?
+        if [ $RETVAL -ne 0 ]; then
+            echo "Failed to start NSCD."
+            exit $RETVAL
+        fi
+    fi
+
+    echo "."
+    ;;
+  stop)
+    echo -n "Stopping NSCD: "
+    systemctl stop nscd.service
+    rm -f /var/run/nscd/nscd.pid
+
+    echo -n "Stopping SLAPD: "
+    start-stop-daemon --retry 60 --stop --oknodo --quiet --pidfile /var/run/slapd.pid
+    RETVAL=$?
+    wait_for_proc_stop $slapd 10
+    WRETVAL=$?
+    while [ $WRETVAL -eq 1 ]; do
+      killproc $slapd
+      wait_for_proc_stop $slapd 10
+      WRETVAL=$?
+    done
+    rm -f /var/run/slapd.pid
+    echo "."
+    ;;
+  status)
+    status $slapd
+    [ $? -eq 0 ] || exit $?
+    systemctl status nscd.service
+    [ $? -eq 0 ] || exit $?
+    ;;
+  restart)
+    $0 stop
+    $0 start
+    ;;
+  *)
+    echo "Usage: /etc/init.d/openldap {start|stop|status|restart}"
+    exit 1
+esac
+
+exit $RETVAL
diff --git a/stx-openldap-config/slapd.conf b/stx-openldap-config/slapd.conf
new file mode 100644
index 000000000..3b6fcc545
--- /dev/null
+++ b/stx-openldap-config/slapd.conf
@@ -0,0 +1,117 @@
+#
+# See slapd.conf(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+include         /etc/openldap/schema/core.schema
+include         /etc/openldap/schema/cosine.schema
+include         /etc/openldap/schema/inetorgperson.schema
+include         /etc/openldap/schema/nis.schema
+include         /etc/openldap/schema/ppolicy.schema
+include         /etc/openldap/schema/sudo.schema
+
+# Define global ACLs to disable default read access.
+
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#referral       ldap://root.openldap.org
+
+pidfile         /var/run/slapd.pid
+argsfile        /var/run/slapd.args
+
+# uniquely identifies this server
+serverID 001
+
+# Load dynamic backend modules:
+modulepath      /usr/libexec/openldap
+moduleload      back_mdb.la
+moduleload      ppolicy.la
+moduleload      syncprov.la
+
+# Sample security restrictions
+#       Require integrity protection (prevent hijacking)
+#       Require 112-bit (3DES or better) encryption for updates
+#       Require 63-bit encryption for simple bind
+# security ssf=1 update_ssf=112 simple_bind=64
+
+# Sample access control policy:
+#       Root DSE: allow anyone to read it
+#       Subschema (sub)entry DSE: allow anyone to read it
+#       Other DSEs:
+#               Allow self write access
+#               Allow authenticated users read access
+#               Allow anonymous users to authenticate
+#       Directives needed to implement policy:
+#access to dn.base="" by * read
+#access to dn.base="cn=Subschema" by * read
+#access to *
+#       by self write
+#       by anonymous auth
+#       by * read
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn.  (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+
+#######################################################################
+# BDB database definitions
+#######################################################################
+
+database        mdb
+suffix          "dc=cgcs,dc=local"
+rootdn          "cn=ldapadmin,dc=cgcs,dc=local"
+# Cleartext passwords, especially for the rootdn, should
+# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
+# Use of strong authentication encouraged.
+rootpw          _LDAPADMIN_PW_
+# The database directory MUST exist prior to running slapd AND 
+# should only be accessible by the slapd and slap tools.
+# Mode 700 recommended.
+directory       /var/lib/openldap-data
+# Maximum size
+maxsize 1073741824
+# Indices to maintain
+index   cn              eq
+index   objectClass     eq
+index   uid             eq,pres,sub
+index   uidNumber       eq
+index   gidNumber       eq
+index   memberUid       eq
+index   sudoUser        eq,sub
+
+access to *
+       by self write
+       by * read
+
+loglevel none
+
+overlay ppolicy
+ppolicy_default "cn=default,ou=policies,dc=cgcs,dc=local"
+ppolicy_use_lockout
+
+# NOTE: 
+# syncrepl directives for each of the other masters
+syncrepl rid=000 
+  provider=ldap://controller-1
+  type=refreshAndPersist
+  retry="5 5 300 +" 
+  searchbase="dc=cgcs,dc=local"
+  attrs="*,+"
+  bindmethod=simple
+  binddn="cn=ldapadmin,dc=cgcs,dc=local"
+  credentials=_LDAPADMIN_PW_
+
+# syncprov specific indexing (add others as required)
+index entryCSN eq
+index entryUUID eq 
+# ...
+# # mirror mode essential to allow writes
+# # and must appear after all syncrepl directives
+mirrormode TRUE
+#
+# # define the provider to use the syncprov overlay
+# # (last directives in database section)
+overlay syncprov
+# # contextCSN saved to database every 100 updates or ten minutes
+syncprov-checkpoint 1 1
diff --git a/stx-openldap-config/slapd.service b/stx-openldap-config/slapd.service
new file mode 100644
index 000000000..24b39380a
--- /dev/null
+++ b/stx-openldap-config/slapd.service
@@ -0,0 +1,23 @@
+[Unit]
+Description=OpenLDAP Server Daemon
+Before=rsyncd.service
+After=network.target syslog-ng.target
+Documentation=man:slapd
+Documentation=man:slapd-config
+Documentation=man:slapd-hdb
+Documentation=man:slapd-mdb
+Documentation=file:///usr/share/doc/openldap-servers/guide.html
+
+[Service]
+Type=forking
+PIDFile=/var/run/slapd.pid
+Environment="SLAPD_URLS=ldap:/// ldapi:///" "SLAPD_OPTIONS="
+EnvironmentFile=/etc/sysconfig/slapd
+ExecStartPre=/usr/libexec/openldap/check-config.sh
+ExecStart=/etc/init.d/openldap start
+ExecStop=/etc/init.d/openldap stop
+ExecReload=/etc/init.d/openldap restart
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/stx-openldap-config/slapd.sysconfig b/stx-openldap-config/slapd.sysconfig
new file mode 100644
index 000000000..573486da4
--- /dev/null
+++ b/stx-openldap-config/slapd.sysconfig
@@ -0,0 +1,15 @@
+# OpenLDAP server configuration
+# see 'man slapd' for additional information
+
+# Where the server will run (-h option)
+# - ldapi:/// is required for on-the-fly configuration using client tools
+#   (use SASL with EXTERNAL mechanism for authentication)
+# - default: ldapi:/// ldap:///
+# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
+SLAPD_URLS="ldapi:/// ldap:///"
+
+# Any custom options
+SLAPD_OPTIONS=""
+
+# Keytab location for GSSAPI Kerberos authentication
+#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
-- 
2.17.1