openldap: A lot of improvements.

* Add openldap user and group.
* Add a system tmpfile for /run/openldap directory.
* Add /etc/openldap/slapd.d and /var/lib/ldap as datafiles,
  to be sure they never will be removed or overwritten by pakfire.
* Add new permissions and owernships for ldap user.

* Run slapd as user "ldap".

* Add openldap.socket file to create and listen on the unix socket.
  This socket is placed in /run/openldap/ldapi.

* Enable ldapi ( the local ldap unix socket) on systemd service file.
  Also listen on the existing unix socket and use socket-based activation.

  As a result of this kind of activation we do not have longer to enable the
  openldap service on startup and so I've removed lines on the service file for
  that.

Fixes #10224.

diff --git a/openldap/openldap.nm b/openldap/openldap.nm
index 1f80a015edd4b838ddc0665bfa5b853b191213b5..f6979d39507e2c1b2e4d1d601e6f338c04e79dfe 100644 (file)
--- a/openldap/openldap.nm
+++ b/openldap/openldap.nm
@@ -5,7 +5,7 @@
 
 name       = openldap
 version    = 2.4.32
-release    = 1
+release    = 2
 
 groups     = System/Daemons
 url        = http://www.openldap.org/
@@ -33,6 +33,7 @@ build
                libtool-devel
                openssl-devel
                pth-devel
+               shadow-utils
        end
 
        configure_options += \
@@ -51,6 +52,10 @@ build
                --enable-ndb=no \
                --disable-static
 
+       prepare_cmds
+               %{create_user}
+       end
+
        install_cmds
                mv -v %{BUILDROOT}%{libdir}/slapd %{BUILDROOT}/usr/sbin/slapd
                ln -svf slapd %{BUILDROOT}/usr/sbin/slapacl
@@ -63,7 +68,9 @@ build
                ln -svf slapd %{BUILDROOT}/usr/sbin/slapschema
                ln -svf slapd %{BUILDROOT}/usr/sbin/slaptest
 
-               rm -rvf %{BUILDROOT}/var/openldap-data
+               # Remove unneeded files.
+               rm -rvf %{BUILDROOT}%{localstatedir}/openldap-data
+               rm -rvf %{BUILDROOT}%{localstatedir}/run
 
                for LINK in lber ldap ldap_r; do
                        chmod -v 0755 %{BUILDROOT}%{libdir}/$(readlink %{BUILDROOT}%{libdir}/lib${LINK}.so)
@@ -71,22 +78,50 @@ build
 
                # Install configuration
                mkdir -pv %{BUILDROOT}/etc/%{name}
-               cp -vf %{DIR_SOURCE}/slapd.conf %{BUILDROOT}/etc/%{name}/slapd.conf
-
-               mkdir -pv %{BUILDROOT}/var/lib/ldap
-               chmod 700 -Rv %{BUILDROOT}/var/lib/ldap
+               cp -vf %{DIR_SOURCE}/slapd.conf %{BUILDROOT}%{sysconfdir}/%{name}/slapd.conf
+
+               # Create directoires.
+               mkdir -pv %{BUILDROOT}%{sysconfdir}/%{name}/slapd.d
+               mkdir -pv %{BUILDROOT}%{localstatedir}/%{name}
+               mkdir -pv %{BUILDROOT}%{sharedstatedir}/ldap
+
+               # Fix permissions and ownerships.
+               chown -Rv ldap:ldap %{BUILDROOT}%{sysconfdir}/%{name}
+               chown ldap:ldap %{BUILDROOT}/run/%{name}
+               chown ldap:ldap %{BUILDROOT}%{sharedstatedir}/ldap
+               chmod 700 -Rv %{BUILDROOT}%{sharedstatedir}/ldap
        end
 end
 
+create_user
+       getent group ldap >/dev/null || groupadd -r ldap
+       getent passwd ldap >/dev/null || useradd -r -g ldap \
+               -d /var/lib/ldap -s /sbin/nologin -c "OpenLDAP server" ldap
+end
+
 packages
        package %{name}
+               prerequires += shadow-utils
+
+               script prein
+                       %{create_user}
+               end
+
+               datafiles
+                       %{sysconfdir}/%{name}/slapd.d
+                       %{sharedstatedir}/ldap
+               end
+
                script postin
                        systemctl daemon-reload >/dev/null 2>&1 || :
+                       systemctl enable openldap.socket >/dev/null 2>&1 || :
                end
 
                script preun
                        systemctl --no-reload disable openldap.service >/dev/null 2>&1 || :
+                       systemctl --no-reload disable openldap.socket >/dev/null 2>&1 || :
                        systemctl stop openldap.service >/dev/null 2>&1 || :
+                       systemctl stop openldap.socket >/dev/null 2>&1 || :
                end
 
                script postun

diff --git a/openldap/openldap.tmpfiles b/openldap/openldap.tmpfiles
new file mode 100644 (file)
index 0000000..8857aed
--- /dev/null
+++ b/openldap/openldap.tmpfiles
@@ -0,0 +1 @@
+d /run/openldap 0755 ldap ldap -

diff --git a/openldap/systemd/openldap.service b/openldap/systemd/openldap.service
index 8c2c57ba422502a555c6534e7dec6fe360b816d1..9a6e53f4d3a697c03fd6e26e027f97f1a7247673 100644 (file)
--- a/openldap/systemd/openldap.service
+++ b/openldap/systemd/openldap.service
@@ -1,10 +1,6 @@
 [Unit]
 Description=OpenLDAP
-After=basic.target
+After=basic.target sockets.target
 
 [Service]
-Type=forking
-ExecStart=/usr/sbin/slapd
-
-[Install]
-WantedBy=multi-user.target
+ExecStart=/usr/sbin/slapd -u ldap -h 'ldapi://%2Frun%2Fopenldap%2Fldapi'

diff --git a/openldap/systemd/openldap.socket b/openldap/systemd/openldap.socket
new file mode 100644 (file)
index 0000000..1fe23ea
--- /dev/null
+++ b/openldap/systemd/openldap.socket
@@ -0,0 +1,5 @@
+[Socket]
+ListenStream=/run/openldap/ldapi
+
+[Install]
+WantedBy=sockets.target