openldap: Enable ldaps on default.
authorStefan Schantl <stefan.schantl@ipfire.org>
Sun, 31 Mar 2013 18:50:24 +0000 (20:50 +0200)
committerStefan Schantl <stefan.schantl@ipfire.org>
Sun, 31 Mar 2013 20:30:33 +0000 (22:30 +0200)
* Enable ldaps by default.
* Add a script to generate the required certificates.

openldap/ldapcert.sh [new file with mode: 0644]
openldap/openldap-conf.ldif
openldap/openldap.nm
openldap/systemd/openldap.service

diff --git a/openldap/ldapcert.sh b/openldap/ldapcert.sh
new file mode 100644 (file)
index 0000000..614a8b9
--- /dev/null
@@ -0,0 +1,34 @@
+#!/bin/sh
+#
+# This is a temporary script to generate a self-signet certificate for the openLDAP service.
+#
+LDAPCERTDIR=/etc/openldap/certs
+
+# Check if a server key allready exists.
+if [ ! -f $LDAPCERTDIR/server.key ]; then
+       echo "Generating openLDAP server key."
+       openssl genrsa -out $LDAPCERTDIR/server.key 2048
+
+       # Fix ownership and permissions.
+       chown ldap:ldap $LDAPCERTDIR/server.key
+       chmod 0600 $LDAPCERTDIR/server.key
+fi
+
+# Check if the certificate allready exists.
+if [ ! -f $LDAPCERTDIR/server.pem ]; then
+       echo "Generating CSR"
+       openssl req -new -key $LDAPCERTDIR/server.key \
+               -out $LDAPCERTDIR/server.csr
+
+       echo "Signing certificate"
+       openssl x509 -req -days 365 -in \
+               $LDAPCERTDIR/server.csr -signkey $LDAPCERTDIR/server.key \
+               -out $LDAPCERTDIR/server.pem
+
+       # Remove unneeded csr file.
+       rm -rvf $LDAPCERTDIR/server.csr
+
+       # Fix ownership and file permissions.
+       chown ldap:ldap $LDAPCERTDIR/server.pem
+       chmod 0600 $LDAPCERTDIR/server.pem
+fi
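Review bot: The `openssl req -new` call in the certificate branch has neither `-batch` nor `-subj`, so it prompts for the subject fields on stdin and the script cannot finish unattended (for example from a unit or a package script); pass the subject explicitly, e.g. `openssl req -new -batch -subj "/CN=<ldap host name>" -key "$LDAPCERTDIR/server.key" -out "$LDAPCERTDIR/server.csr"`. The private key is written by `openssl genrsa` under the caller's umask and only tightened afterwards by `chmod 0600`, so a `umask 077` right after the shebang closes that window. There is also no `set -e`, so when genrsa fails the `chown`/`chmod` lines still run and the certificate branch goes on with a missing key; `set -e` plus quoting `"$LDAPCERTDIR"` in every expansion would make such failures explicit instead of silent.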
index a34fa040106cfd07a7fb16e72fc7a9a9d900269e..c6604341fd65b6192d2991e2c7cd0e93926a856e 100644 (file)
@@ -11,8 +11,8 @@ olcPidFile: /run/openldap/slapd.pid
 # TLS settings
 #
 #olcTLSCACertificateFile: /etc/pki/CA/cacert.pem
-#olcTLSCertificateFile: /etc/openldap/certs/server.pem
-#olcTLSCertificateKeyFile: /etc/openldap/certs/server.pem
+olcTLSCertificateFile: /etc/openldap/certs/server.pem
+olcTLSCertificateKeyFile: /etc/openldap/certs/server.key
 #
 # Do not enable referrals until AFTER you have a working directory
 # service AND an understanding of referrals.
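Review bot: The two directives are now set unconditionally, so slapd will refuse to start whenever /etc/openldap/certs/server.pem or server.key is missing, which is a behaviour change from the commented-out state worth a line in the commit description. The hunk sets no `olcTLSProtocolMin` or `olcTLSCipherSuite`, so the TLS library's defaults decide which protocol versions and ciphers the ldaps:// listener accepts; unless they are set elsewhere in the file, consider adding `olcTLSProtocolMin: 3.3` (TLS 1.2 in OpenLDAP's encoding) next to the certificate lines.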
index a0fdd968b101c2797ec7af3d7acbfd3bb3a3d5f3..25880615effdc8a5d60f16c5130c2e0603963526 100644 (file)
@@ -5,7 +5,7 @@
 
 name       = openldap
 version    = 2.4.32
-release    = 4
+release    = 5
 
 groups     = System/Daemons
 url        = http://www.openldap.org/
@@ -84,8 +84,13 @@ build
                cp -vf %{DIR_SOURCE}/openldap-conf.ldif \
                         %{BUILDROOT}%{datadir}/%{name}/
 
+               # Install ldapcert.sh script.
+               install -m 0755 %{DIR_SOURCE}/ldapcert.sh \
+                       %{BUILDROOT}%{datadir}/%{name}/
+
                # Create directoires.
                mkdir -pv %{BUILDROOT}%{sysconfdir}/%{name}/slapd.d
+               mkdir -pv %{BUILDROOT}%{sysconfdir}/%{name}/certs
                mkdir -pv %{BUILDROOT}/run/%{name}
                mkdir -pv %{BUILDROOT}%{sharedstatedir}/ldap
 
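Review bot: The new `mkdir -pv %{BUILDROOT}%{sysconfdir}/%{name}/certs` creates the directory that will hold the server's private key with the default mode, presumably 0755, while ldapcert.sh only restricts the files inside it. If the packaging does not fix the mode elsewhere, creating it as `install -d -m 0750 %{BUILDROOT}%{sysconfdir}/%{name}/certs` (or tightening it in the prein script after `%{create_user}`) keeps the listing of the key material away from other users.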
@@ -105,7 +110,10 @@ end
 
 packages
        package %{name}
-               prerequires += shadow-utils
+               prerequires
+                       openssl
+                       shadow-utils
+               end
 
                script prein
                        %{create_user}
@@ -113,6 +121,7 @@ packages
 
                datafiles
                        %{sysconfdir}/%{name}/slapd.d
+                       %{sysconfdir}/%{name}/certs
                        %{sharedstatedir}/ldap
                end
 
index a6960d3f3e9a83107dc7d841096a16e11a13f908..c21bd3ac8ec35439f4b156e6fae9a504ddd179df 100644 (file)
@@ -3,4 +3,5 @@ Description=OpenLDAP
 After=basic.target sockets.target
 
 [Service]
-ExecStart=/usr/sbin/slapd -u ldap -h 'ldapi://'
+Type=forking
+ExecStart=/usr/sbin/slapd -u ldap -h 'ldapi:// ldaps://'
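Review bot: `Type=forking` is added without a `PIDFile=`, so systemd has to guess the main process after the daemon forks; the openldap-conf.ldif hunk shows `olcPidFile: /run/openldap/slapd.pid`, so add `PIDFile=/run/openldap/slapd.pid` to this section. Nothing in the commit invokes the newly installed ldapcert.sh before slapd starts, yet the config file now references /etc/openldap/certs/server.pem and server.key unconditionally; unless the script is run from a package script not shown here, slapd will fail on a fresh install until the files exist, which an `ExecStartPre=<installed path of ldapcert.sh>` line would cover once the script can run unattended. The bare `ldaps://` URL listens on all interfaces, which is presumably intended for a server package but deserves a mention in the description.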