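#!/bin/sh
#
# cdist manifest: OpenLDAP (slapd) server driven by a static slapd.conf.
#
# Reads the type parameters from ${__object}/parameter, installs the
# distribution's OpenLDAP packages, configures the listener URLs, obtains a
# TLS certificate through __letsencrypt_cert unless tls-cert/tls-privkey/tls-ca
# are supplied, and renders slapd.conf (optionally with syncrepl mirror-mode
# replication) into ${__object}/files/ldapconf, which __file then deploys.
#
# Required parameters: manager-dn, manager-password-hash, serverid, suffix,
# schema, slapd-url.
# Optional parameters: module, tls-cipher-suite, tls-cert (with tls-privkey
# and tls-ca), admin-email (required when tls-cert is absent), staging,
# replicate (with syncrepl-searchbase, syncrepl-credentials, syncrepl-host).
#
# Supported values of the os explorer: freebsd, debian, ubuntu, devuan.
#
# NOTE(review): cdist presumably runs manifests with the shell's -e option,
# so `cat` of a missing required parameter aborts the manifest; optional
# parameters are therefore read with `|| true`.

name="${__target_host}"

# Mandatory parameters.
manager_dn=$(cat "${__object}/parameter/manager-dn")
manager_password_hash=$(cat "${__object}/parameter/manager-password-hash")
serverid=$(cat "${__object}/parameter/serverid")
suffix=$(cat "${__object}/parameter/suffix")
# Optional: whitespace-separated module names; an OS-specific default is
# chosen below when empty.
slapd_modules=$(cat "${__object}/parameter/module" 2>/dev/null || true)
# Whitespace-separated schema names, without the ".schema" suffix.
schemas=$(cat "${__object}/parameter/schema")
# The parameter file holds one URL per line; slapd's -h flag expects them
# space-separated on a single line.
slapd_urls=$(tr '\n' ' ' < "${__object}/parameter/slapd-url")
# Optional: OS-specific default chosen below when empty.
tls_cipher_suite=$(cat "${__object}/parameter/tls-cipher-suite" 2>/dev/null || true)

os="$(cat "${__global}/explorer/os")"

# Setup OS-dependent vars
CONF_OWNER="root"
CONF_GROUP="root"
case "${os}" in
  freebsd)
    PKGS="openldap-server"
    ETC="/usr/local/etc"
    SLAPD_DIR="/usr/local/etc/openldap"
    SLAPD_DATA_DIR="/var/db/openldap-data"
    SLAPD_RUN_DIR="/var/run/openldap"
    SLAPD_MODULE_PATH="/usr/local/libexec/openldap"
    if [ -z "${slapd_modules}" ]; then
      # It looks like ppolicy and syncprov must be compiled in, so they are
      # not loaded as modules here.
      slapd_modules="back_mdb back_monitor"
    fi
    CONF_OWNER="ldap"
    CONF_GROUP="ldap"
    if [ -z "${tls_cipher_suite}" ]; then
      # TODO: research default for FreeBSD. 'NORMAL' appears to not work
      # (it is GnuTLS priority-string syntax; the FreeBSD build presumably
      # expects an OpenSSL cipher list instead).
      # NOTE(review): in an OpenSSL cipher list "+SSLv2" only moves SSLv2
      # ciphers to the end of the list, it does not exclude them. A default
      # that explicitly disables legacy suites would be safer; confirm
      # against the FreeBSD slapd build before changing.
      tls_cipher_suite="HIGH:MEDIUM:+SSLv2"
    fi
    ;;
  debian|ubuntu|devuan)
    PKGS="slapd ldap-utils"
    ETC="/etc"
    SLAPD_DIR="/etc/ldap"
    SLAPD_DATA_DIR="/var/lib/ldap"
    SLAPD_RUN_DIR="/var/run/slapd"
    SLAPD_MODULE_PATH="/usr/lib/ldap"
    if [ -z "${slapd_modules}" ]; then
      slapd_modules="back_mdb ppolicy syncprov back_monitor"
    fi
    if [ -z "${tls_cipher_suite}" ]; then
      tls_cipher_suite="NORMAL"
    fi
    ;;
  *)
    printf "Don't know the openldap defaults for: %s\n" "${os}" >&2
    exit 1
    ;;
esac

# The first package in PKGS is the one the other objects depend on.
PKG_MAIN=${PKGS%% *}


# Determine if __letsencrypt_cert is to be used and setup vars accordingly.
# With tls-cert the operator supplies all three PEM paths and
# __letsencrypt_cert is skipped; otherwise the certificate is obtained via
# __letsencrypt_cert, whose renew hook copies it into ${SLAPD_DIR}/sasl2.
_skip_letsencrypt_cert=""
if [ -f "${__object}/parameter/tls-cert" ]; then
  tls_cert=$(cat "${__object}/parameter/tls-cert")

  if [ ! -f "${__object}/parameter/tls-privkey" ]; then
    printf '%s\n' "When tls-cert is defined, tls-privkey is also required." >&2
    exit 1
  fi
  tls_privkey=$(cat "${__object}/parameter/tls-privkey")

  if [ ! -f "${__object}/parameter/tls-ca" ]; then
    printf '%s\n' "When tls-cert is defined, tls-ca is also required." >&2
    exit 1
  fi
  tls_ca=$(cat "${__object}/parameter/tls-ca")

  _skip_letsencrypt_cert="YES"
else
  if [ ! -f "${__object}/parameter/admin-email" ]; then
    printf '%s\n' "When using __letsencrypt_cert, admin-email is also required." >&2
    exit 1
  fi
  admin_email=$(cat "${__object}/parameter/admin-email")

  tls_cert="${SLAPD_DIR}/sasl2/cert.pem"
  tls_privkey="${SLAPD_DIR}/sasl2/privkey.pem"
  tls_ca="${SLAPD_DIR}/sasl2/chain.pem"
fi

# The rendered slapd.conf is staged here and deployed by __file below.
mkdir "${__object}/files"
ldapconf="${__object}/files/ldapconf"

# Replication is opt-in and needs the searchbase, credentials and host(s).
replication=""
if [ -f "${__object}/parameter/replicate" ]; then
  replication=yes

  if [ ! -f "${__object}/parameter/syncrepl-searchbase" ]; then
    printf '%s\n' "Requiring the searchbase for replication" >&2
    exit 1
  fi
  syncrepl_searchbase=$(cat "${__object}/parameter/syncrepl-searchbase")

  if [ ! -f "${__object}/parameter/syncrepl-credentials" ]; then
    printf '%s\n' "Requiring credentials for replication" >&2
    exit 1
  fi
  syncrepl_credentials=$(cat "${__object}/parameter/syncrepl-credentials")

  if [ ! -f "${__object}/parameter/syncrepl-host" ]; then
    printf '%s\n' "Requiring host(s) for replication" >&2
    exit 1
  fi
  # Whitespace-separated list of provider hosts.
  syncrepl_hosts=$(cat "${__object}/parameter/syncrepl-host")
fi

# Install required packages
# PKGS is intentionally word-split into one __package object per name.
# shellcheck disable=SC2086
for pkg in ${PKGS}; do
  __package "${pkg}"
done

require="__package/${PKG_MAIN}" __start_on_boot slapd

# Setup -h flag for the listeners. See man slapd (-h flag).
case "${os}" in
  freebsd)
    require="__start_on_boot/slapd" __key_value \
      --file "/etc/rc.conf" \
      --key "slapd_flags" \
      --value "\"-h '${slapd_urls}'\"" \
      --delimiter "=" \
      --comment "# LDAP Listener URLs" \
      "${__target_host}__slapd_flags"
    ;;
  debian|ubuntu|devuan)
    # Replace any existing SLAPD_CONF / SLAPD_SERVICES lines rather than
    # appending duplicates: remove first, then add, in that dependency order.
    require="__package/${PKG_MAIN}" __line rm_slapd_conf \
      --file "${ETC}/default/slapd" \
      --regex 'SLAPD_CONF=.*' \
      --state absent

    require="__package/${PKG_MAIN}" __line rm_slapd_services \
      --file "${ETC}/default/slapd" \
      --regex 'SLAPD_SERVICES=.*' \
      --state absent

    require="__line/rm_slapd_conf" __line add_slapd_conf \
      --file "${ETC}/default/slapd" \
      --line "SLAPD_CONF=${SLAPD_DIR}/slapd.conf" \
      --state present

    require="__line/rm_slapd_services" __line add_slapd_services \
      --file "${ETC}/default/slapd" \
      --line "SLAPD_SERVICES=\"${slapd_urls}\"" \
      --state present
    ;;
  *)
    # Nothing to do here, move on.
    ;;
esac


if [ -z "${_skip_letsencrypt_cert}" ]; then
  if [ -f "${__object}/parameter/staging" ]; then
    staging="--staging"
  else
    staging=""
  fi

  # NOTE(review): the renew hook hard-codes ${ETC}/letsencrypt and
  # openldap:openldap. Whether that matches the certbot layout and the slapd
  # runtime user on FreeBSD (where CONF_OWNER is "ldap") is not verified here.
  # ${staging} is deliberately unquoted so an empty value adds no argument.
  # shellcheck disable=SC2086
  __letsencrypt_cert "${name}" --admin-email "${admin_email}" \
    --renew-hook "cp ${ETC}/letsencrypt/live/${name}/*.pem ${SLAPD_DIR}/sasl2 && chown -R openldap:openldap ${SLAPD_DIR}/sasl2 && service slapd restart" \
    --automatic-renewal ${staging}
fi

# slapd.conf is used instead of the cn=config directory.
require="__package/${PKG_MAIN}" __directory "${SLAPD_DIR}/slapd.d" --state absent

# Deploy the rendered slapd.conf. The file is written further below; cdist
# presumably only records object definitions while the manifest runs, so the
# source merely has to exist once the manifest has finished.
# NOTE(review): slapd.conf carries the rootpw hash and, with replication, the
# syncrepl credentials in clear text, yet is deployed with mode 644
# (world-readable). A tighter mode (e.g. 640 with the slapd runtime group)
# would be preferable; confirm the group slapd reads the file as on each OS
# before changing CONF_GROUP/--mode.
slapd_conf_require="__package/${PKG_MAIN}"
if [ -z "${_skip_letsencrypt_cert}" ]; then
  slapd_conf_require="${slapd_conf_require} __letsencrypt_cert/${name}"
fi
require="${slapd_conf_require}" \
  __file "${SLAPD_DIR}/slapd.conf" --owner "${CONF_OWNER}" --group "${CONF_GROUP}" --mode 644 \
    --source "${ldapconf}"

# Start slapd.conf
# Global section: pid/args files, TLS material and the cipher suite, and
# the policy that every operation must be authenticated over TLS.
cat << EOF > "${ldapconf}"
pidfile ${SLAPD_RUN_DIR}/slapd.pid
argsfile ${SLAPD_RUN_DIR}/slapd.args

TLSCipherSuite ${tls_cipher_suite}
TLSCertificateFile ${tls_cert}
TLSCertificateKeyFile ${tls_privkey}
TLSCACertificateFile ${tls_ca}

disallow bind_anon
require bind
security tls=1
EOF

# Add specified schemas
# schemas is intentionally word-split.
# shellcheck disable=SC2086
for schema in ${schemas}; do
  printf 'include %s/schema/%s.schema\n' "${SLAPD_DIR}" "${schema}" >> "${ldapconf}"
done

# Add specified modules
printf 'modulepath %s\n' "${SLAPD_MODULE_PATH}" >> "${ldapconf}"
# slapd_modules is intentionally word-split.
# shellcheck disable=SC2086
for module in ${slapd_modules}; do
  printf 'moduleload %s.la\n' "${module}" >> "${ldapconf}"
done

# Rest of the config
# loglevel is the numeric value as authored; maxsize is the mdb map size
# (1073741824 bytes = 1 GiB). rootpw receives the pre-hashed manager password.
cat << EOF >> "${ldapconf}"
loglevel 1024

database mdb
maxsize 1073741824

suffix "${suffix}"
directory ${SLAPD_DATA_DIR}
rootdn "${manager_dn}"
rootpw "${manager_password_hash}"

index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN,entryUUID eq

serverid ${serverid}
EOF

# Setup replication
# One syncrepl consumer stanza per provider host, rid numbered from 1, then
# mirror mode plus the syncprov overlay so this server also acts as provider.
# The credentials are written in clear text (see the mode note above).
if [ -n "${replication}" ]; then
  rid=1
  # syncrepl_hosts is intentionally word-split.
  # shellcheck disable=SC2086
  for syncrepl in ${syncrepl_hosts}; do
    cat <<EOF >> "${ldapconf}"
syncrepl rid=${rid}
provider=ldap://${syncrepl}
bindmethod=simple
starttls=yes
binddn="${manager_dn}"
credentials=${syncrepl_credentials}
searchbase="${syncrepl_searchbase}"
type=refreshAndPersist
retry="5 + 5 +"
interval=00:00:00:05
EOF
    rid=$((rid + 1))
  done

  cat <<EOF >> "${ldapconf}"
mirrormode true
overlay syncprov
syncprov-checkpoint 100 5
syncprov-sessionlog 100

database monitor
limits dn.exact="${manager_dn}" time=unlimited size=unlimited
EOF
fi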