From: Stefan Schantl
Date: Sun, 31 Mar 2013 18:50:24 +0000 (+0200)
Subject: openldap: Enable ldaps on default.
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f2dfd5778e2494e16376ef4535422d3d17783370;p=ipfire-3.x.git

openldap: Enable ldaps on default.

* Enable ldaps at default.
* Add a script to generate the required certificates.
---

diff --git a/openldap/ldapcert.sh b/openldap/ldapcert.sh
new file mode 100644
index 000000000..614a8b945
--- /dev/null
+++ b/openldap/ldapcert.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+#
+# This is a temporary script to generate a self-signet certificate for the openLDAP service.
+#
+LDAPCERTDIR=/etc/openldap/certs
+
+# Check if a server key allready exists.
+if [ ! -f $LDAPCERTDIR/server.key ]; then
+ echo "Generating openLDAP server key."
+ openssl genrsa -out $LDAPCERTDIR/server.key 2048
+
+ # Fix ownership and permissions.
+ chown ldap:ldap $LDAPCERTDIR/server.key
+ chmod 0600 $LDAPCERTDIR/server.key
+fi
+
+# Check if the certificate allready exists.
+if [ ! -f $LDAPCERTDIR/server.pem ]; then
+ echo "Generating CSR"
+ openssl req -new -key $LDAPCERTDIR/server.key \
+ -out $LDAPCERTDIR/server.csr
+
+ echo "Signing certificate"
+ openssl x509 -req -days 365 -in \
+ $LDAPCERTDIR/server.csr -signkey $LDAPCERTDIR/server.key \
+ -out $LDAPCERTDIR/server.pem
+
+ # Remove unneeded csr file.
+ rm -rvf $LDAPCERTDIR/server.csr
+
+ # Fix ownership and file permissions.
+ chown ldap:ldap $LDAPCERTDIR/server.pem
+ chmod 0600 $LDAPCERTDIR/server.pem
+fi
diff --git a/openldap/openldap-conf.ldif b/openldap/openldap-conf.ldif
index a34fa0401..c6604341f 100644
--- a/openldap/openldap-conf.ldif
+++ b/openldap/openldap-conf.ldif
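Review bot: `openssl genrsa -out $LDAPCERTDIR/server.key` creates the private key under the caller's default umask and the `chmod 0600` only runs two lines later, so the key is briefly readable by every local user; put `umask 077` directly under the shebang so both the key and the certificate are created private from the start, and keep the `chown ldap:ldap` for the service user. The script also has no `set -e`, so if genrsa, req or x509 fails partway a truncated server.key or server.pem is left behind and the `[ ! -f ... ]` guards will then skip regeneration on every later run; add `set -e` next to the umask, or write each artifact to a temporary name and rename it into place only after the command succeeds. `openssl req -new` is given neither `-subj` nor `-batch`, so it prompts interactively for the subject and will block if the script is ever run non-interactively from a package script or a unit. The header comment should read "self-signed" and the two guard comments "already".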
@@ -11,8 +11,8 @@ olcPidFile: /run/openldap/slapd.pid
 # TLS settings
 #
 #olcTLSCACertificateFile: /etc/pki/CA/cacert.pem
-#olcTLSCertificateFile: /etc/openldap/certs/server.pem
-#olcTLSCertificateKeyFile: /etc/openldap/certs/server.pem
+olcTLSCertificateFile: /etc/openldap/certs/server.pem
+olcTLSCertificateKeyFile: /etc/openldap/certs/server.key
 #
 # Do not enable referrals until AFTER you have a working directory
 # service AND an understanding of referrals.
diff --git a/openldap/openldap.nm b/openldap/openldap.nm
index a0fdd968b..25880615e 100644
--- a/openldap/openldap.nm
+++ b/openldap/openldap.nm
@@ -5,7 +5,7 @@ name = openldap
 version = 2.4.32
-release = 4
+release = 5
 groups = System/Daemons
 url = http://www.openldap.org/
@@ -84,8 +84,13 @@ build
 cp -vf %{DIR_SOURCE}/openldap-conf.ldif \
 %{BUILDROOT}%{datadir}/%{name}/
+ # Install ldapcert.sh script.
+ install -m 0755 %{DIR_SOURCE}/ldapcert.sh \
+ %{BUILDROOT}%{datadir}/%{name}/
+
 # Create directoires.
 mkdir -pv %{BUILDROOT}%{sysconfdir}/%{name}/slapd.d
+ mkdir -pv %{BUILDROOT}%{sysconfdir}/%{name}/certs
 mkdir -pv %{BUILDROOT}/run/%{name}
 mkdir -pv %{BUILDROOT}%{sharedstatedir}/ldap
@@ -105,7 +110,10 @@ end
 packages
 package %{name}
- prerequires += shadow-utils
+ prerequires
+ openssl
+ shadow-utils
+ end
 script prein
 %{create_user}
@@ -113,6 +121,7 @@ packages
 datafiles
 %{sysconfdir}/%{name}/slapd.d
+ %{sysconfdir}/%{name}/certs
 %{sharedstatedir}/ldap
 end
diff --git a/openldap/systemd/openldap.service b/openldap/systemd/openldap.service
index a6960d3f3..c21bd3ac8 100644
--- a/openldap/systemd/openldap.service
+++ b/openldap/systemd/openldap.service
@@ -3,4 +3,5 @@ Description=OpenLDAP
 After=basic.target sockets.target
 [Service]
-ExecStart=/usr/sbin/slapd -u ldap -h 'ldapi://'
+Type=forking
+ExecStart=/usr/sbin/slapd -u ldap -h 'ldapi:// ldaps://'
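Review bot: The now-active `olcTLSCertificateFile` and `olcTLSCertificateKeyFile` point at /etc/openldap/certs/server.pem and server.key, but nothing in this commit creates those files: ldapcert.sh is only copied into the data directory and no install script in the hunks shown runs it, so a fresh install will start slapd with an `ldaps://` listener and TLS files that do not exist, which slapd is expected to treat as a fatal TLS-init error rather than a warning. Either generate the files from the package's install scripts before the first start, or state the manual step next to these two lines, e.g. `# server.pem/server.key are generated by ldapcert.sh; run it before starting slapd with ldaps://.` Leaving `olcTLSCACertificateFile` commented out is consistent with a self-signed certificate, but it means clients have nothing to validate against except a copy of server.pem itself.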
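Review bot: `mkdir -pv %{BUILDROOT}%{sysconfdir}/%{name}/certs` creates the directory that will later hold slapd's private key with whatever mode mkdir defaults to, presumably world-searchable; if pakfire preserves the mode from BUILDROOT, create it as `mkdir -pv -m 0750 %{BUILDROOT}%{sysconfdir}/%{name}/certs` so the key directory is not browsable by unprivileged users even if a future change relaxes the file modes set by the script. Installing an executable helper with `install -m 0755` into `%{datadir}` (/usr/share) is also unusual; `%{libexecdir}` or `%{sbindir}` is the conventional home for a script that is meant to be run. The surrounding build block starts and ends outside this hunk.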
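Review bot: `openssl` is promoted to a prerequisite, which is presumably to let ldapcert.sh run during installation, yet the only install script visible is `script prein` with `%{create_user}` and nothing in this diff invokes `%{datadir}/%{name}/ldapcert.sh`; as it stands the package enables `ldaps://` in the shipped configuration against certificate files that are never generated. If pakfire supports a post-install script alongside the prein shown here, run the script from it after the ldap user exists so a fresh install yields a working, if self-signed, listener; otherwise openssl need only be an ordinary runtime dependency and the manual step should be documented in the package. The `package %{name}` block continues past the end of this hunk.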
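Review bot: `Type=forking` is added without a `PIDFile=`, so systemd has to guess which process is the daemon after slapd forks; the ldif hunk in this commit already shows `olcPidFile: /run/openldap/slapd.pid`, so add `PIDFile=/run/openldap/slapd.pid` directly under `Type=forking` so stop, restart and failure detection track the right process. `ldaps://` with no host part binds port 636 on every interface; on a firewall distribution that is worth a comment in the unit and a check that the port is filtered by default, or a `ldaps://127.0.0.1/`-style restriction if the directory is only meant for local consumers. Note also that slapd is expected to refuse to start with an ldaps:// listener when the TLS files named in its configuration are missing, so this unit implicitly depends on ldapcert.sh having been run before the first start.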