From: Stefan Schantl Date: Sat, 23 Mar 2013 20:48:00 +0000 (+0100) Subject: openldap: Switch to ldif based configuration. X-Git-Url: http://git.ipfire.org/?p=people%2Fms%2Fipfire-3.x.git;a=commitdiff_plain;h=8fed81c8f4a54c2233d5037601414d814d9fc840 openldap: Switch to ldif based configuration. * Remove old slapd.conf file and add a ldif based template. * Compile in backends for hdb and monitor. * Put ldapi socket to /run/ldapi.
---
diff --git a/openldap/openldap-conf.ldif b/openldap/openldap-conf.ldif
new file mode 100644
index 000000000..a34fa0401
--- /dev/null
+++ b/openldap/openldap-conf.ldif
@@ -0,0 +1,149 @@
+# See slapd-config(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+olcArgsFile: /run/openldap/slapd.args
+olcPidFile: /run/openldap/slapd.pid
+#
+# TLS settings
+#
+#olcTLSCACertificateFile: /etc/pki/CA/cacert.pem
+#olcTLSCertificateFile: /etc/openldap/certs/server.pem
+#olcTLSCertificateKeyFile: /etc/openldap/certs/server.pem
+#
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#
+#olcReferral: ldap://root.openldap.org
+#
+# Sample security restrictions
+# Require integrity protection (prevent hijacking)
+# Require 112-bit (3DES or better) encryption for updates
+# Require 64-bit encryption for simple bind
+#
+#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
+
+#
+# Load dynamic backend modules:
+# - modulepath is architecture dependent value (32/64-bit system)
+# - back_sql.la backend requires openldap-servers-sql package
+# - dyngroup.la and dynlist.la cannot be used at the same time
+#
+
+#dn: cn=module,cn=config
+#objectClass: olcModuleList
+#cn: module
+#olcModulepath: /usr/lib/openldap
+#olcModulepath: /usr/lib64/openldap
+#olcModuleload: accesslog.la
+#olcModuleload: auditlog.la
+#olcModuleload: back_dnssrv.la
+#olcModuleload: back_hdb.so
+#olcModuleload: back_ldap.la
+#olcModuleload: back_mdb.la
+#olcModuleload: back_meta.la
+#olcModuleload: back_null.la
+#olcModuleload: back_passwd.la
+#olcModuleload: back_relay.la
+#olcModuleload: back_shell.la
+#olcModuleload: back_sock.la
+#olcModuleload: collect.la
+#olcModuleload: constraint.la
+#olcModuleload: dds.la
+#olcModuleload: deref.la
+#olcModuleload: dyngroup.la
+#olcModuleload: dynlist.la
+#olcModuleload: memberof.la
+#olcModuleload: pcache.la
+#olcModuleload: ppolicy.la
+#olcModuleload: refint.la
+#olcModuleload: retcode.la
+#olcModuleload: rwm.la
+#olcModuleload: seqmod.la
+#olcModuleload: smbk5pwd.la
+#olcModuleload: sssvlv.la
+#olcModuleload: syncprov.la
+#olcModuleload: translucent.la
+#olcModuleload: unique.la
+#olcModuleload: valsort.la
+
+
+#
+# Schema settings
+#
+
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+
+include: file:///etc/openldap/schema/core.ldif
+include: file:///etc/openldap/schema/cosine.ldif
+include: file:///etc/openldap/schema/nis.ldif
+include: file:///etc/openldap/schema/inetorgperson.ldif
+
+#
+# Frontend settings
+#
+
+dn: olcDatabase=frontend,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: frontend
+#
+# Sample global access control policy:
+# Root DSE: allow anyone to read it
+# Subschema (sub)entry DSE: allow anyone to read it
+# Other DSEs:
+# Allow self write access
+# Allow authenticated users read access
+# Allow anonymous users to authenticate
+#
+#olcAccess: to dn.base="" by * read
+#olcAccess: to dn.base="cn=Subschema" by * read
+#olcAccess: to *
+# by self write
+# by users read
+# by anonymous auth
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn. (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+#
+
+#
+# Configuration database
+#
+
+dn: olcDatabase=config,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: config
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+ n=auth" manage by * none
+
+#
+# Server status monitoring
+#
+
+#dn: olcDatabase=monitor,cn=config
+#objectClass: olcDatabaseConfig
+#olcDatabase: monitor
+#olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+ n=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
+
+#
+# Backend database definitions
+#
+
+dn: olcDatabase=hdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcHdbConfig
+olcDatabase: hdb
+olcSuffix: @SUFFIX@
+olcRootDN: cn=admin,@SUFFIX@
+olcDbDirectory: /var/lib/ldap
+olcDbIndex: objectClass eq,pres
+olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
diff --git a/openldap/openldap.nm b/openldap/openldap.nm
index 8d054b3b2..a0fdd968b 100644
--- a/openldap/openldap.nm
+++ b/openldap/openldap.nm
@@ -5,7 +5,7 @@ name = openldap version = 2.4.32 -release = 3 +release = 4 groups = System/Daemons url = http://www.openldap.org/
@@ -50,6 +50,8 @@ build --enable-overlays=mod \ --enable-sql=no \ --enable-ndb=no \ + --enable-hdb=yes \ + --enable-monitor=yes \ --disable-static prepare_cmds
@@ -69,6 +71,7 @@ build ln -svf slapd %{BUILDROOT}/usr/sbin/slaptest # Remove unneeded files. + rm -rvf %{BUILDROOT}%{sysconfidir}/slapd.{conf,ldif} rm -rvf %{BUILDROOT}%{localstatedir}/openldap-data rm -rvf %{BUILDROOT}%{localstatedir}/run
@@ -76,9 +79,10 @@ build chmod -v 0755 %{BUILDROOT}%{libdir}/$(readlink %{BUILDROOT}%{libdir}/lib${LINK}.so) done - # Install configuration - mkdir -pv %{BUILDROOT}/etc/%{name} - cp -vf %{DIR_SOURCE}/slapd.conf %{BUILDROOT}%{sysconfdir}/%{name}/slapd.conf + # Install configuration file. + mkdir -pv %{BUILDROOT}%{datadir}/%{name} + cp -vf %{DIR_SOURCE}/openldap-conf.ldif \ + %{BUILDROOT}%{datadir}/%{name}/ # Create directoires. mkdir -pv %{BUILDROOT}%{sysconfdir}/%{name}/slapd.d
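Review bot: The hdb database at the end of this hunk (`dn: olcDatabase=hdb,cn=config`) carries no olcAccess and the frontend's ACL lines earlier in the hunk are all commented out, so slapd falls back to the default policy the comment itself spells out (`access to * by * read`), which lets any client, including an anonymous bind, read userPassword hashes. The slapd.conf deleted by this same commit restricted that with `access to attrs=userPassword,userPKCS12 by self write by * auth`, so dropping it is a regression the template should carry over rather than leave to whoever edits cn=config later. I would add to the hdb entry `olcAccess: to attrs=userPassword,userPKCS12 by self write by * auth`, `olcAccess: to attrs=shadowLastChange by self write by * read` and `olcAccess: to * by * read`, in that order, since the first matching rule decides. The exposure is currently limited to local users because openldap.service only listens on ldapi://, but the ACL should be in place before an ldap:// or ldaps:// listener is ever added.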
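Review bot: `%{sysconfidir}` in the added rm line does not match the `%{sysconfdir}` macro the same file uses a few lines later (`%{BUILDROOT}%{sysconfdir}/%{name}/slapd.d`), so it looks like a typo; with `-f` the command then silently removes nothing and the upstream sample slapd.conf/slapd.ldif stay in the package. Those samples are the files this commit intends to drop, and a stale slapd.conf next to the new slapd.d (with a default rootdn/rootpw of the kind the deleted slapd.conf here also carried) is exactly the confusion the switch is meant to remove. I would write `rm -rvf %{BUILDROOT}%{sysconfdir}/%{name}/slapd.{conf,ldif}`, since `%{sysconfdir}/%{name}` is where the rest of this file expects OpenLDAP's configuration to live; confirm against a listing of the buildroot where the samples actually land. The enclosing `build` block continues outside the hunk.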
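Review bot: The installed file is only a template (`@SUFFIX@` placeholder, no olcRootPW) and nothing in this hunk turns it into the live `slapd.d` that the last line creates — the placeholder has to be substituted and the result loaded with `slapadd -n 0 -F …/slapd.d` — so a reader of the recipe cannot tell where that happens. If it is done at first start or by an install script outside this diff, say so above the cp, e.g. `# Template only: slapd.d is generated from it at first start (@SUFFIX@ substituted, then slapadd -n 0).` The `mkdir -pv` also leaves the empty slapd.d with the default mode; since it will hold the live cn=config (and any olcRootPW set later), it should end up owned by ldap and not world-readable, which presumably belongs in the package's file-permission handling rather than here. The enclosing `build` block continues outside the hunk.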
diff --git a/openldap/slapd.conf b/openldap/slapd.conf
deleted file mode 100644
index cfb95d080..000000000
--- a/openldap/slapd.conf
+++ /dev/null
@@ -1,59 +0,0 @@
-# _ ___ _
-# (_) / __|_)
-# _ ____ | |__ _ ____ ____
-# | | _ \| __) |/ ___) _ )
-# | | | | | | | | | ( (/ /
-# |_| ||_/|_| |_|_| \____)
-# |_|
-#
-# OpenLDAP configuration
-#
-# www.ipfire.org - Licensed under the GPLv3
-#
-
-include /etc/openldap/schema/core.schema
-include /etc/openldap/schema/cosine.schema
-include /etc/openldap/schema/inetorgperson.schema
-include /etc/openldap/schema/nis.schema
-
-pidfile /var/run/slapd.pid
-argsfile /var/run/slapd.args
-
-loglevel 2048
-
-#######################################################################
-# Load modules
-#######################################################################
-
-moduleload back_hdb.so
-
-#######################################################################
-# ACL
-#######################################################################
-
-access to attrs=userPassword,userPKCS12
- by self write
- by * auth
-access to attrs=shadowLastChange
- by self write
- by * read
-access to *
- by * read
-
-#######################################################################
-# BDB database definitions
-#######################################################################
-
-database hdb
-suffix "dc=my-domain,dc=com"
-rootdn "cn=Manager,dc=my-domain,dc=com"
-rootpw secret
-
-directory /var/lib/ldap
-
-# Indices to maintain for this database
-index objectClass eq,pres
-index ou,cn,mail,surname,givenname eq,pres,sub
-index uidNumber,gidNumber,loginShell eq,pres
-index uid,memberUid eq,pres,sub
-index nisMapName,nisMapEntry eq,pres,sub
diff --git a/openldap/systemd/openldap.service b/openldap/systemd/openldap.service
index 9a6e53f4d..a6960d3f3 100644
--- a/openldap/systemd/openldap.service
+++ b/openldap/systemd/openldap.service
@@ -3,4 +3,4 @@ Description=OpenLDAP After=basic.target sockets.target [Service] -ExecStart=/usr/sbin/slapd -u ldap -h 'ldapi://%2Frun%2Fopenldap%2Fldapi' +ExecStart=/usr/sbin/slapd -u ldap -h 'ldapi://'
diff --git a/openldap/systemd/openldap.socket b/openldap/systemd/openldap.socket
index 1fe23eaec..b9eb387bf 100644
--- a/openldap/systemd/openldap.socket
+++ b/openldap/systemd/openldap.socket
@@ -1,5 +1,5 @@ [Socket] -ListenStream=/run/openldap/ldapi +ListenStream=/run/ldapi [Install] WantedBy=sockets.target
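Review bot: With `-h 'ldapi://'` the socket path is no longer stated in the unit, so slapd uses its compiled-in default, and nothing in this diff shows that default being set to the `/run/ldapi` the socket unit now listens on (the .nm hunks add no such configure flag). If the two disagree, the peercred ACL in openldap-conf.ldif (`cn=peercred,cn=external,cn=auth`, the only identity allowed to manage cn=config) becomes unusable, so the dependency deserves a comment in the unit, e.g. `# Bare ldapi:// means slapd's built-in socket path; it must equal ListenStream= in openldap.socket (/run/ldapi).` It is also worth confirming that this slapd version actually adopts a socket handed over by systemd rather than binding its own — if it does not, the socket unit is a no-op at best and a bind conflict at worst.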
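Review bot: Moving the socket from `/run/openldap/ldapi` to `/run/ldapi` also removes the only thing visible here that created `/run/openldap` at boot (systemd creates the parent directories of a ListenStream= path), yet the new openldap-conf.ldif still points `olcPidFile` and `olcArgsFile` at `/run/openldap/slapd.pid` and `/run/openldap/slapd.args`, and the .nm drops `%{localstatedir}/run` from the package. Unless something outside this diff creates that directory, slapd running as the `ldap` user will fail to write its pid/args files on a tmpfs `/run`. I would add a tmpfiles.d entry such as `d /run/openldap 0755 ldap ldap -` (or point the two olc*File paths at a directory that does exist) and note in the socket unit why the socket now lives at the top of /run.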