Sync from SUSE:ALP:Source:Standard:1.0 openldap2 revision 797c98628f627d4fef10264beba567c3
This commit is contained in:
commit
8755b75907
23
.gitattributes
vendored
Normal file
23
.gitattributes
vendored
Normal file
@ -0,0 +1,23 @@
|
||||
## Default LFS
|
||||
*.7z filter=lfs diff=lfs merge=lfs -text
|
||||
*.bsp filter=lfs diff=lfs merge=lfs -text
|
||||
*.bz2 filter=lfs diff=lfs merge=lfs -text
|
||||
*.gem filter=lfs diff=lfs merge=lfs -text
|
||||
*.gz filter=lfs diff=lfs merge=lfs -text
|
||||
*.jar filter=lfs diff=lfs merge=lfs -text
|
||||
*.lz filter=lfs diff=lfs merge=lfs -text
|
||||
*.lzma filter=lfs diff=lfs merge=lfs -text
|
||||
*.obscpio filter=lfs diff=lfs merge=lfs -text
|
||||
*.oxt filter=lfs diff=lfs merge=lfs -text
|
||||
*.pdf filter=lfs diff=lfs merge=lfs -text
|
||||
*.png filter=lfs diff=lfs merge=lfs -text
|
||||
*.rpm filter=lfs diff=lfs merge=lfs -text
|
||||
*.tbz filter=lfs diff=lfs merge=lfs -text
|
||||
*.tbz2 filter=lfs diff=lfs merge=lfs -text
|
||||
*.tgz filter=lfs diff=lfs merge=lfs -text
|
||||
*.ttf filter=lfs diff=lfs merge=lfs -text
|
||||
*.txz filter=lfs diff=lfs merge=lfs -text
|
||||
*.whl filter=lfs diff=lfs merge=lfs -text
|
||||
*.xz filter=lfs diff=lfs merge=lfs -text
|
||||
*.zip filter=lfs diff=lfs merge=lfs -text
|
||||
*.zst filter=lfs diff=lfs merge=lfs -text
|
12
0003-LDAPI-socket-location.dif
Normal file
12
0003-LDAPI-socket-location.dif
Normal file
@ -0,0 +1,12 @@
|
||||
diff -ur openldap-2.6.2.orig/include/ldap_defaults.h openldap-2.6.2/include/ldap_defaults.h
|
||||
--- openldap-2.6.2.orig/include/ldap_defaults.h 2022-05-04 16:55:23.000000000 +0200
|
||||
+++ openldap-2.6.2/include/ldap_defaults.h 2022-05-23 12:55:05.059335200 +0200
|
||||
@@ -40,7 +40,7 @@
|
||||
|
||||
/* default ldapi:// socket */
|
||||
#ifndef LDAPI_SOCK
|
||||
-#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi"
|
||||
+#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "ldapi"
|
||||
#endif
|
||||
|
||||
/*
|
101
0005-pie-compile.dif
Normal file
101
0005-pie-compile.dif
Normal file
@ -0,0 +1,101 @@
|
||||
From 60edf86023da15db7be5935c85826e16d2b78648 Mon Sep 17 00:00:00 2001
|
||||
From: Ralf Haferkamp <rhafer@suse.de>
|
||||
Date: Fri, 12 Nov 2010 09:39:11 +0100
|
||||
Subject: pie compile
|
||||
|
||||
|
||||
diff --git a/build/top.mk b/build/top.mk
|
||||
index 38ce146d7..d7fee4ec2 100644
|
||||
--- a/build/top.mk
|
||||
+++ b/build/top.mk
|
||||
@@ -111,7 +111,7 @@ OL_VERSIONED_SYMBOLS = @OL_VERSIONED_SYMBOLS@
|
||||
LTSTATIC = @LTSTATIC@
|
||||
|
||||
LTLINK = $(LIBTOOL) --mode=link \
|
||||
- $(CC) $(LTSTATIC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS)
|
||||
+ $(CC) -pie $(LTSTATIC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS)
|
||||
|
||||
LTCOMPILE_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=compile \
|
||||
$(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(LIB_DEFS) -c
|
||||
@@ -120,7 +120,7 @@ LTLINK_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=link \
|
||||
$(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB) $(SYMBOL_VERSION_FLAGS)
|
||||
|
||||
LTCOMPILE_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=compile \
|
||||
- $(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(MOD_DEFS) -c
|
||||
+ $(CC) $(LT_CFLAGS) $(PIE_CFLAGS) $(LT_CPPFLAGS) $(MOD_DEFS) -c
|
||||
|
||||
LTLINK_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=link \
|
||||
$(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_MOD)
|
||||
@@ -214,7 +214,7 @@ LLOADD_LIBS = @BALANCER_LIBS@ $(LEVENT_LIBS)
|
||||
# Our Defaults
|
||||
CC = $(AC_CC)
|
||||
DEFS = $(LDAP_INCPATH) $(XINCPATH) $(XDEFS) $(AC_DEFS) $(DEFINES)
|
||||
-CFLAGS = $(AC_CFLAGS) $(DEFS)
|
||||
+CFLAGS = -fPIE $(AC_CFLAGS) $(DEFS)
|
||||
LDFLAGS = $(LDAP_LIBPATH) $(AC_LDFLAGS) $(XLDFLAGS)
|
||||
LIBS = $(XLIBS) $(XXLIBS) $(AC_LIBS) $(XXXLIBS)
|
||||
|
||||
diff --git a/servers/slapd/back-ldap/Makefile.in b/servers/slapd/back-ldap/Makefile.in
|
||||
index 71400ca1b..6427165c6 100644
|
||||
--- a/servers/slapd/back-ldap/Makefile.in
|
||||
+++ b/servers/slapd/back-ldap/Makefile.in
|
||||
@@ -26,6 +26,8 @@ LDAP_LIBDIR= ../../../libraries
|
||||
BUILD_OPT = "--enable-ldap"
|
||||
BUILD_MOD = @BUILD_LDAP@
|
||||
|
||||
+PIE_CFLAGS="-fPIE"
|
||||
+
|
||||
mod_DEFS = -DSLAPD_IMPORT
|
||||
MOD_DEFS = $(@BUILD_LDAP@_DEFS)
|
||||
|
||||
diff --git a/servers/slapd/back-ldif/Makefile.in b/servers/slapd/back-ldif/Makefile.in
|
||||
index 225c8dd19..2f07c067b 100644
|
||||
--- a/servers/slapd/back-ldif/Makefile.in
|
||||
+++ b/servers/slapd/back-ldif/Makefile.in
|
||||
@@ -22,6 +22,8 @@ LDAP_LIBDIR= ../../../libraries
|
||||
BUILD_OPT = "--enable-ldif"
|
||||
BUILD_MOD = yes
|
||||
|
||||
+PIE_CFLAGS="-fPIE"
|
||||
+
|
||||
mod_DEFS = -DSLAPD_IMPORT
|
||||
MOD_DEFS = $(yes_DEFS)
|
||||
|
||||
diff --git a/servers/slapd/back-mdb/Makefile.in b/servers/slapd/back-mdb/Makefile.in
|
||||
index 6d64824da..9bbf8747d 100644
|
||||
--- a/servers/slapd/back-mdb/Makefile.in
|
||||
+++ b/servers/slapd/back-mdb/Makefile.in
|
||||
@@ -34,6 +34,8 @@ MDB_SUBDIR = $(srcdir)/$(LDAP_LIBDIR)/liblmdb
|
||||
BUILD_OPT = "--enable-mdb"
|
||||
BUILD_MOD = @BUILD_MDB@
|
||||
|
||||
+PIE_CFLAGS="-fPIE"
|
||||
+
|
||||
mod_DEFS = -DSLAPD_IMPORT
|
||||
MOD_DEFS = $(@BUILD_MDB@_DEFS)
|
||||
MOD_LIBS = $(MDB_LIBS)
|
||||
diff --git a/servers/slapd/back-monitor/Makefile.in b/servers/slapd/back-monitor/Makefile.in
|
||||
index 200a1c65c..6b2afffb9 100644
|
||||
--- a/servers/slapd/back-monitor/Makefile.in
|
||||
+++ b/servers/slapd/back-monitor/Makefile.in
|
||||
@@ -30,6 +30,8 @@ LDAP_LIBDIR= ../../../libraries
|
||||
BUILD_OPT = "--enable-monitor"
|
||||
BUILD_MOD = yes
|
||||
|
||||
+PIE_CFLAGS="-fPIE"
|
||||
+
|
||||
mod_DEFS = -DSLAPD_IMPORT
|
||||
MOD_DEFS = $(yes_DEFS)
|
||||
|
||||
diff --git a/servers/slapd/back-relay/Makefile.in b/servers/slapd/back-relay/Makefile.in
|
||||
index 71d74a171..60b44afd8 100644
|
||||
--- a/servers/slapd/back-relay/Makefile.in
|
||||
+++ b/servers/slapd/back-relay/Makefile.in
|
||||
@@ -22,6 +22,8 @@ LDAP_LIBDIR= ../../../libraries
|
||||
BUILD_OPT = "--enable-relay"
|
||||
BUILD_MOD = @BUILD_RELAY@
|
||||
|
||||
+PIE_CFLAGS="-fPIE"
|
||||
+
|
||||
mod_DEFS = -DSLAPD_IMPORT
|
||||
MOD_DEFS = $(@BUILD_RELAY@_DEFS)
|
@ -0,0 +1,26 @@
|
||||
From d4b247e43fe1ea1b3713f3d8f493422d5adcc537 Mon Sep 17 00:00:00 2001
|
||||
From: HouzuoGuo <guohouzuo@gmail.com>
|
||||
Date: Fri, 13 Mar 2015 16:14:10 +0100
|
||||
Subject: [PATCH] In monitor backend, do not return Connection0 entries as they
|
||||
are created for internal use only.
|
||||
|
||||
---
|
||||
servers/slapd/back-monitor/conn.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/servers/slapd/back-monitor/conn.c b/servers/slapd/back-monitor/conn.c
|
||||
index 4d327f243..c4d3c6237 100644
|
||||
--- a/servers/slapd/back-monitor/conn.c
|
||||
+++ b/servers/slapd/back-monitor/conn.c
|
||||
@@ -456,6 +456,11 @@ monitor_subsys_conn_create(
|
||||
c != NULL;
|
||||
c = connection_next( c, &connindex ) )
|
||||
{
|
||||
+ /* Connection 0 is created by connection_client_setup for internal use only */
|
||||
+ if (c->c_connid == 0) {
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
monitor_entry_t *mp;
|
||||
|
||||
/* ignore outbound for now, nothing to show */
|
16
0016-Clear-shared-key-only-in-close-function.patch
Normal file
16
0016-Clear-shared-key-only-in-close-function.patch
Normal file
@ -0,0 +1,16 @@
|
||||
diff --git a/libraries/liblmdb/mdb.c b/libraries/liblmdb/mdb.c
|
||||
index 6bdf3151d..56212151b 100644
|
||||
--- a/libraries/liblmdb/mdb.c
|
||||
+++ b/libraries/liblmdb/mdb.c
|
||||
@@ -4692,6 +4692,11 @@ mdb_env_close0(MDB_env *env, int excl)
|
||||
|
||||
if (env->me_flags & MDB_ENV_TXKEY) {
|
||||
pthread_key_delete(env->me_txkey);
|
||||
+
|
||||
+ // No need to call desctructor anymore, as all pid
|
||||
+ // values are cleared below.
|
||||
+ env->me_txkey = NULL;
|
||||
+
|
||||
#ifdef _WIN32
|
||||
/* Delete our key from the global list */
|
||||
for (i=0; i<mdb_tls_nkeys; i++)
|
25
README.module-loading
Normal file
25
README.module-loading
Normal file
@ -0,0 +1,25 @@
|
||||
All of the OpenLDAP backends (except back-config) and overlays are now
|
||||
compiled as dynamic modules in our packages. If you want to use any of
|
||||
these in your setup make sure to put the correct "olcModuleLoad" or
|
||||
"moduleload" statements in your configuration.
|
||||
|
||||
For details please see the slapd-config(5) and slapd.conf(5) manpages
|
||||
(depending on which config mechanism you use).
|
||||
|
||||
For a list of the included dynamic modules list all modules files:
|
||||
|
||||
ls /usr/lib*/openldap/*.so
|
||||
|
||||
Or just the backend files:
|
||||
|
||||
ls /usr/lib*/openldap/back_*.so
|
||||
|
||||
Documentations for the overlays can be found in the respective man pages or
|
||||
the OpenLDAP Administration Guide which is part of the "openldap2-doc"
|
||||
package.
|
||||
|
||||
Backend man-pages:
|
||||
man 5 slapo-<back_name>
|
||||
|
||||
Overlays man-pages:
|
||||
man 5 slapo-<name>
|
3
_multibuild
Normal file
3
_multibuild
Normal file
@ -0,0 +1,3 @@
|
||||
<multibuild>
|
||||
<package>contrib</package>
|
||||
</multibuild>
|
BIN
addonschema.tar.gz
(Stored with Git LFS)
Normal file
BIN
addonschema.tar.gz
(Stored with Git LFS)
Normal file
Binary file not shown.
6
baselibs.conf
Normal file
6
baselibs.conf
Normal file
@ -0,0 +1,6 @@
|
||||
libldap2
|
||||
provides "openldap2-client-<targettype> = <version>"
|
||||
obsoletes "openldap2-client-<targettype> <= <version>"
|
||||
openldap2-devel
|
||||
requires -openldap2-<targettype>
|
||||
requires "libldap2-<targettype> = <version>"
|
42
fixup-modulepath.sh
Normal file
42
fixup-modulepath.sh
Normal file
@ -0,0 +1,42 @@
|
||||
#!/bin/bash
|
||||
|
||||
source /usr/lib/openldap/update-crc
|
||||
|
||||
conf_dir='/etc/openldap/slapd.d'
|
||||
tgt_ldif="${conf_dir}/cn=config.ldif"
|
||||
if [ ! -d ${conf_dir} ] || [ ! -f ${tgt_ldif} ]
|
||||
then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Make sure slapd.service is not running.
|
||||
slapd_running=1
|
||||
|
||||
# Don't check if no systemd, we could be in a container.
|
||||
if [ -f "/usr/bin/systemctl" ]; then
|
||||
/usr/bin/systemctl is-active --quiet slapd.service
|
||||
slapd_running=$?
|
||||
fi
|
||||
|
||||
if [ $slapd_running -eq 0 ]; then
|
||||
echo "Unable to update crc of '${tgt_ldif}' while slapd.service is running ..."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Remove the module path.
|
||||
sed -n -i '/olcModulePath/!p' ${tgt_ldif}
|
||||
|
||||
res=$?
|
||||
|
||||
if [ $res -ne 0 ]
|
||||
then
|
||||
echo "Failed to remove olcModulePath in ${tgt_ldif}"
|
||||
exit 1
|
||||
else
|
||||
do_update_crc ${tgt_ldif}
|
||||
echo "Updated crc of ${tgt_ldif}"
|
||||
fi
|
||||
|
||||
|
||||
|
||||
|
2
ldap-user.conf
Normal file
2
ldap-user.conf
Normal file
@ -0,0 +1,2 @@
|
||||
# Type Name ID GECOS [HOME]
|
||||
u ldap - "User for OpenLDAP" /var/lib/ldap
|
BIN
openldap-2.6.4.tgz
(Stored with Git LFS)
Normal file
BIN
openldap-2.6.4.tgz
(Stored with Git LFS)
Normal file
Binary file not shown.
16
openldap-2.6.4.tgz.asc
Normal file
16
openldap-2.6.4.tgz.asc
Normal file
@ -0,0 +1,16 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEEPOJptTmLyLeFZF6Yf2fV/Rzhy84FAmPkFcsACgkQf2fV/Rzh
|
||||
y84clA/8C30COyp5lKWvqiBIVjQHe8ZSLEWML8j6g7IbYcHm7uLIqADjzlaE0MCI
|
||||
YV2SfDFjom+OUFkQmzGNmYeyjpBV5yK5n5js0M1zSF2OPoapNoSZtnv0yXIUZ/Ee
|
||||
M1njsiMYuYWX0KWg4tYVbdLSm2iWH1d5zbGgyAecSQCFHZ/nQnZo+OWbRel06dCz
|
||||
ewkANAlUIIrsGEkKjKUetFOOuJiwb8r8KeXpYVijig7f/csoo7H78i4Pdmi3QzJ5
|
||||
D/TMHKx64ljes1n6ZHtm55lbkiuJTw3t4XnK9NhsKwr9zNlq+qI3ggJyK6xOQiQq
|
||||
05IjPMVp8kV1u117Xb9SlRwlfR/00jPwTdepuAK9OyxVS3CclS8Gh6Lm8ztwwTee
|
||||
C+eqwGhZNH7/twfq3TUHfWUl4LyclX02zxvljo3lcb3JIA7JWp8coi2EEeofOIlf
|
||||
oXKdyR4zA0Iey8LfBuyRC/smZoggdpzr0jIE5Z5Q97hTt4Rm5U4ZDe2GRfUTR82g
|
||||
Pz+VdBI/aCKlnDHqH912w4Tg62UeJiPfnLuWuCc7A0MNR2LAe7JKASdEaTb6t51N
|
||||
uzmxPYOlAixvGcjCg38Sc0877FXE1ss3RUnDyx+mCK2phEsWO69SdL4uz5E9Xdve
|
||||
0VbfO84pmN/+Gj5FfE93rJzTYjjySj80oANiqBAcA7P21pOttRg=
|
||||
=UfjX
|
||||
-----END PGP SIGNATURE-----
|
3531
openldap2.changes
Normal file
3531
openldap2.changes
Normal file
File diff suppressed because it is too large
Load Diff
2
openldap2.conf
Normal file
2
openldap2.conf
Normal file
@ -0,0 +1,2 @@
|
||||
# openldap needs a directory in /var/lib/:
|
||||
d /var/lib/ldap 0750 ldap ldap -
|
BIN
openldap2.keyring
Normal file
BIN
openldap2.keyring
Normal file
Binary file not shown.
609
openldap2.spec
Normal file
609
openldap2.spec
Normal file
@ -0,0 +1,609 @@
|
||||
#
|
||||
# spec file
|
||||
#
|
||||
# Copyright (c) 2023 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
# upon. The license for this file, and modifications and additions to the
|
||||
# file, is the same license as for the pristine package itself (unless the
|
||||
# license for the pristine package is not an Open Source License, in which
|
||||
# case the license is the MIT License). An "Open Source License" is a
|
||||
# license that conforms to the Open Source Definition (Version 1.9)
|
||||
# published by the Open Source Initiative.
|
||||
|
||||
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
||||
#
|
||||
|
||||
|
||||
%define run_test_suite 0
|
||||
%define slapdrundir %{_rundir}/slapd
|
||||
%define flavor @BUILD_FLAVOR@%{nil}
|
||||
%if "%flavor" == "contrib"
|
||||
%define name_suffix -%{flavor}-src
|
||||
%else
|
||||
%define name_suffix %{nil}
|
||||
%endif
|
||||
|
||||
Name: openldap2%{name_suffix}
|
||||
Summary: An open source implementation of the Lightweight Directory Access Protocol
|
||||
License: OLDAP-2.8
|
||||
Group: Productivity/Networking/LDAP/Servers
|
||||
Version: 2.6.4
|
||||
Release: 0
|
||||
URL: https://www.openldap.org
|
||||
Source0: https://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-%{version}.tgz
|
||||
Source1: https://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-%{version}.tgz.asc
|
||||
Source2: openldap2.keyring
|
||||
Source4: sasl-slapd.conf
|
||||
Source5: README.module-loading
|
||||
Source6: schema2ldif
|
||||
Source7: baselibs.conf
|
||||
Source9: addonschema.tar.gz
|
||||
Source12: slapd.conf.example
|
||||
Source13: start
|
||||
Source14: slapd.service
|
||||
Source16: sysconfig.openldap
|
||||
Source18: openldap2.conf
|
||||
Source19: ldap-user.conf
|
||||
Source20: fixup-modulepath.sh
|
||||
Source21: slapd-ldif-update-crc.sh
|
||||
Source22: update-crc.sh
|
||||
Source23: slapd.conf
|
||||
Source24: slapd.conf.olctemplate
|
||||
Patch1: reproducible.patch
|
||||
Patch3: 0003-LDAPI-socket-location.dif
|
||||
Patch5: 0005-pie-compile.dif
|
||||
Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch
|
||||
Patch16: 0016-Clear-shared-key-only-in-close-function.patch
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
BuildRequires: argon2-devel
|
||||
BuildRequires: cyrus-sasl-devel
|
||||
BuildRequires: db-devel
|
||||
BuildRequires: groff
|
||||
BuildRequires: libopenssl-devel
|
||||
BuildRequires: libtool
|
||||
%if 0%{?suse_version} < 1600
|
||||
BuildRequires: openslp-devel
|
||||
%endif
|
||||
BuildRequires: sysuser-tools
|
||||
BuildRequires: unixODBC-devel
|
||||
# avoid cycle with krb5
|
||||
BuildRequires: pkgconfig(krb5)
|
||||
BuildRequires: pkgconfig(systemd)
|
||||
%if "%flavor" == "contrib"
|
||||
BuildRequires: gcc-c++
|
||||
BuildRequires: openldap2-devel
|
||||
%endif
|
||||
%if %{suse_version} < 1500
|
||||
%{?systemd_requires}
|
||||
%endif
|
||||
Requires: /usr/bin/awk
|
||||
Requires: libldap2 = %{version}
|
||||
Recommends: cyrus-sasl
|
||||
Conflicts: openldap
|
||||
PreReq: %fillup_prereq
|
||||
%sysusers_requires
|
||||
|
||||
%description
|
||||
OpenLDAP is a client and server reference implementation of the
|
||||
Lightweight Directory Access Protocol v3 (LDAPv3).
|
||||
|
||||
The server provides several database backends and overlays.
|
||||
|
||||
%package back-perl
|
||||
Summary: OpenLDAP Perl Back-End
|
||||
Group: Productivity/Networking/LDAP/Servers
|
||||
Requires: openldap2 = %{version}
|
||||
Requires: perl = %{perl_version}
|
||||
|
||||
%description back-perl
|
||||
The OpenLDAP Perl back-end allows you to execute Perl code specific to
|
||||
different LDAP operations.
|
||||
|
||||
%package back-sock
|
||||
Summary: OpenLDAP Socket Back-End
|
||||
Group: Productivity/Networking/LDAP/Servers
|
||||
Requires: openldap2 = %{version}
|
||||
Provides: openldap2:/usr/share/man/man5/slapd-sock.5.gz
|
||||
|
||||
%description back-sock
|
||||
The OpenLDAP socket back-end allows you to handle LDAP requests and
|
||||
results with an external process listening on a Unix domain socket.
|
||||
|
||||
%package back-meta
|
||||
Summary: OpenLDAP Meta Back-End
|
||||
Group: Productivity/Networking/LDAP/Servers
|
||||
Requires: openldap2 = %{version}
|
||||
Provides: openldap2:/usr/share/man/man5/slapd-meta.5.gz
|
||||
|
||||
%description back-meta
|
||||
The OpenLDAP Meta back-end is able to perform basic LDAP proxying with
|
||||
respect to a set of remote LDAP servers. The information contained in
|
||||
these servers can be presented as belonging to a single Directory
|
||||
Information Tree (DIT).
|
||||
|
||||
%package back-sql
|
||||
Summary: OpenLDAP SQL Back-End
|
||||
Group: Productivity/Networking/LDAP/Servers
|
||||
Requires: openldap2 = %{version}
|
||||
|
||||
%description back-sql
|
||||
The primary purpose of this OpenLDAP backend is to present information
|
||||
stored in a Relational (SQL) Database as an LDAP subtree without the need
|
||||
to do any programming.
|
||||
|
||||
%package -n libldap-data
|
||||
Summary: Configuration file for system-wide defaults for all uses of libldap
|
||||
Group: Productivity/Networking/LDAP/Clients
|
||||
BuildArch: noarch
|
||||
|
||||
%description -n libldap-data
|
||||
The subpackage contains a configuration file used to set system-wide defaults
|
||||
to be applied with all usages of libldap.
|
||||
|
||||
%package contrib
|
||||
Summary: OpenLDAP Contrib Modules
|
||||
Group: Productivity/Networking/LDAP/Servers
|
||||
Requires: openldap2 = %{version}
|
||||
|
||||
%description contrib
|
||||
Various overlays found in contrib/:
|
||||
addpartial Intercepts ADD requests, applies changes to existing entries
|
||||
allop
|
||||
allowed Generates attributes indicating access rights
|
||||
autogroup
|
||||
authzid implements RFC 3829 support
|
||||
cloak
|
||||
datamorph store enumerated values and fixed size integers
|
||||
denyop
|
||||
lastbind writes last bind timestamp to entry
|
||||
noopsrch handles no-op search control
|
||||
pw-sha2 generates/validates SHA-2 password hashes
|
||||
pw-pbkdf2 generates/validates PBKDF2 password hashes
|
||||
smbk5pwd generates Samba3 password hashes (heimdal krb disabled)
|
||||
trace traces overlay invocation
|
||||
variant allows attributes/values to be shared between several entries
|
||||
vc implements the verify credentials extended operation
|
||||
|
||||
%package doc
|
||||
Summary: OpenLDAP Documentation
|
||||
Group: Documentation/Other
|
||||
Provides: openldap2:/usr/share/doc/packages/openldap2/drafts/README
|
||||
BuildArch: noarch
|
||||
|
||||
%description doc
|
||||
The OpenLDAP Admin Guide plus a set of OpenLDAP related IETF internet drafts.
|
||||
|
||||
%package client
|
||||
Summary: OpenLDAP client utilities
|
||||
Group: Productivity/Networking/LDAP/Clients
|
||||
Requires: libldap2 = %{version}
|
||||
|
||||
%description client
|
||||
OpenLDAP client utilities such as ldapadd, ldapsearch, ldapmodify.
|
||||
|
||||
%package devel
|
||||
Summary: Libraries, Header Files and Documentation for OpenLDAP
|
||||
# bug437293
|
||||
Group: Development/Libraries/C and C++
|
||||
%ifarch ppc64
|
||||
Obsoletes: openldap2-devel-64bit
|
||||
%endif
|
||||
#
|
||||
Conflicts: openldap-devel
|
||||
Requires: libldap2 = %{version}
|
||||
Recommends: cyrus-sasl-devel
|
||||
|
||||
%description devel
|
||||
This package provides the OpenLDAP libraries, header files, and
|
||||
documentation.
|
||||
|
||||
%package devel-static
|
||||
Summary: Static libraries for the OpenLDAP libraries
|
||||
Group: Development/Libraries/C and C++
|
||||
Requires: cyrus-sasl-devel
|
||||
Requires: libopenssl-devel
|
||||
Requires: openldap2-devel = %version
|
||||
|
||||
%description devel-static
|
||||
This package provides the static versions of the OpenLDAP libraries
|
||||
for development.
|
||||
|
||||
%package -n libldap2
|
||||
Summary: OpenLDAP Client Libraries
|
||||
Group: Productivity/Networking/LDAP/Clients
|
||||
Recommends: libldap-data >= %{version}
|
||||
|
||||
%description -n libldap2
|
||||
This package contains the OpenLDAP client libraries.
|
||||
|
||||
%package -n libldapcpp-devel
|
||||
Summary: C++ wrapper around openLDAP API
|
||||
Group: Development/Libraries/C and C++
|
||||
Requires: libldapcpp0 = %{version}
|
||||
Requires: openldap2-devel
|
||||
|
||||
%description -n libldapcpp-devel
|
||||
This package contains files needed for development with the LDAP C++
|
||||
library.
|
||||
|
||||
%package -n libldapcpp0
|
||||
Summary: C++ wrapper around openLDAP API
|
||||
Group: Development/Libraries/C and C++
|
||||
Provides: ldapcpplib = %{version}
|
||||
Obsoletes: ldapcpplib <= 0.0.5
|
||||
|
||||
%description -n libldapcpp0
|
||||
This package provides a C++ library for accessing LDAP (Version 3)
|
||||
Servers
|
||||
|
||||
%prep
|
||||
%setup -q -a 9 -n openldap-%{version}
|
||||
%patch1 -p1
|
||||
%patch3 -p1
|
||||
%patch5 -p1
|
||||
%patch8 -p1
|
||||
%patch16 -p1
|
||||
cp %{SOURCE5} .
|
||||
|
||||
%build
|
||||
%if "%flavor" == "contrib"
|
||||
cd contrib/ldapc++
|
||||
%configure --disable-static
|
||||
%make_build
|
||||
%else
|
||||
%global _lto_cflags %{_lto_cflags} -ffat-lto-objects
|
||||
export CFLAGS="%{optflags} -Wno-format-extra-args -fno-strict-aliasing -DNDEBUG -DSLAP_CONFIG_DELETE -DSLAP_SCHEMA_EXPOSE -DLDAP_COLLECTIVE_ATTRIBUTES -DLDAP_USE_NON_BLOCKING_TLS"
|
||||
export STRIP=""
|
||||
./configure \
|
||||
--prefix=/usr \
|
||||
--sysconfdir=%{_sysconfdir} \
|
||||
--libdir=%{_libdir} \
|
||||
--libexecdir=%{_libdir} \
|
||||
--localstatedir=%{slapdrundir} \
|
||||
--enable-wrappers=no \
|
||||
--enable-spasswd \
|
||||
--enable-modules \
|
||||
--enable-shared \
|
||||
--enable-dynamic \
|
||||
--with-tls=openssl \
|
||||
--with-cyrus-sasl \
|
||||
--enable-crypt \
|
||||
--enable-ipv6=yes \
|
||||
--enable-dynacl \
|
||||
--enable-aci \
|
||||
--enable-ldap=mod \
|
||||
--enable-meta=mod \
|
||||
--enable-perl=mod \
|
||||
--enable-sock=mod \
|
||||
--enable-sql=mod \
|
||||
--enable-mdb=mod \
|
||||
--enable-relay=mod \
|
||||
%if 0%{?suse_version} < 1600
|
||||
--enable-slp \
|
||||
%endif
|
||||
--enable-overlays=mod \
|
||||
--enable-syncprov=mod \
|
||||
--enable-ppolicy=mod \
|
||||
--with-yielding-select \
|
||||
--with-argon2=libargon2 \
|
||||
|| cat config.log
|
||||
make depend
|
||||
%make_build
|
||||
# Build selected contrib overlays
|
||||
for SLAPO_NAME in addpartial allowed allop autogroup authzid datamorph lastbind denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace variant vc
|
||||
do
|
||||
make -C contrib/slapd-modules/${SLAPO_NAME} %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}"
|
||||
done
|
||||
# slapo-smbk5pwd only for Samba password hashes
|
||||
make -C contrib/slapd-modules/smbk5pwd %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" DEFS="-DDO_SAMBA" HEIMDAL_LIB=""
|
||||
|
||||
# Create ldap user
|
||||
%sysusers_generate_pre %{SOURCE19} ldap
|
||||
%endif
|
||||
|
||||
%check
|
||||
%if %run_test_suite
|
||||
# calculate the base port to be use in the test-suite
|
||||
SLAPD_BASEPORT=10000
|
||||
if [ -f /.buildenv ] ; then
|
||||
. /.buildenv
|
||||
SLAPD_BASEPORT=$(($SLAPD_BASEPORT + ${BUILD_INCARNATION:-0} * 10))
|
||||
fi
|
||||
export SLAPD_BASEPORT
|
||||
%ifnarch %arm alpha
|
||||
rm -f tests/scripts/test019-syncreplication-cascade
|
||||
rm -f tests/scripts/test022-ppolicy
|
||||
rm -f tests/scripts/test023-refint
|
||||
rm -f tests/scripts/test033-glue-syncrepl
|
||||
#rm -f tests/scripts/test036-meta-concurrency
|
||||
#rm -f tests/scripts/test039-glue-ldap-concurrency
|
||||
rm -f tests/scripts/test043-delta-syncrepl
|
||||
#rm -f tests/scripts/test045-syncreplication-proxied
|
||||
rm -f tests/scripts/test048-syncrepl-multiproxy
|
||||
rm -f tests/scripts/test050-syncrepl-multimaster
|
||||
rm -f tests/scripts/test058-syncrepl-asymmetric
|
||||
make SLAPD_DEBUG=0 test
|
||||
%endif
|
||||
%endif
|
||||
|
||||
%install
|
||||
%if "%flavor" == "contrib"
|
||||
cd contrib/ldapc++
|
||||
%make_install
|
||||
%else
|
||||
mkdir -p %{buildroot}%{_libdir}/openldap
|
||||
mkdir -p %{buildroot}/usr/lib/openldap
|
||||
mkdir -p %{buildroot}%{_sbindir}
|
||||
mkdir -p %{buildroot}%{_unitdir}
|
||||
make STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
|
||||
# Additional symbolic link to slapd executable in /usr/sbin/
|
||||
ln -s %{_libdir}/slapd %{buildroot}%{_sbindir}/slapd
|
||||
# Install selected contrib overlays
|
||||
for SLAPO_NAME in addpartial allowed allop autogroup authzid datamorph lastbind denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace variant vc
|
||||
do
|
||||
make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" DESTDIR="%{buildroot}" "mandir=%{_mandir}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
|
||||
done
|
||||
# slapo-smbk5pwd only for Samba password hashes
|
||||
make -C contrib/slapd-modules/smbk5pwd STRIP="" DESTDIR="%{buildroot}" "mandir=%{_mandir}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
|
||||
install -m 755 %{SOURCE13} %{buildroot}/usr/lib/openldap/start
|
||||
install -m 644 %{SOURCE14} %{buildroot}%{_unitdir}
|
||||
mkdir -p %{buildroot}%{_sysconfdir}/openldap/slapd.d
|
||||
mkdir -p %{buildroot}%{_sysconfdir}/sasl2
|
||||
install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sasl2/slapd.conf
|
||||
install -m 755 -d %{buildroot}/var/lib/ldap
|
||||
chmod a+x %{buildroot}%{_libdir}/liblber.so*
|
||||
chmod a+x %{buildroot}%{_libdir}/libldap.so*
|
||||
install -m 755 %{SOURCE6} %{buildroot}%{_sbindir}/schema2ldif
|
||||
mkdir -p %{buildroot}%{_tmpfilesdir}/
|
||||
install -m 644 %{SOURCE18} %{buildroot}%{_tmpfilesdir}/
|
||||
mkdir -p %{buildroot}%{_sysusersdir}
|
||||
install -m 644 %{SOURCE19} %{buildroot}%{_sysusersdir}/
|
||||
|
||||
install -m 755 %{SOURCE19} ${RPM_BUILD_ROOT}/usr/lib/openldap/fixup-modulepath
|
||||
install -m 755 %{SOURCE20} ${RPM_BUILD_ROOT}/%{_sbindir}/slapd-ldif-update-crc
|
||||
install -m 755 %{SOURCE21} ${RPM_BUILD_ROOT}/usr/lib/openldap/update-crc
|
||||
|
||||
mkdir -p %{buildroot}%{_fillupdir}
|
||||
install -m 644 %{SOURCE16} %{buildroot}%{_fillupdir}/sysconfig.openldap
|
||||
install -m 644 *.ldif %{buildroot}%{_sysconfdir}/openldap/schema
|
||||
install -m 644 *.schema %{buildroot}%{_sysconfdir}/openldap/schema
|
||||
# Install default and sample configuration files
|
||||
install -m 644 %{SOURCE23} %{buildroot}%{_sysconfdir}/openldap
|
||||
install -m 644 %{SOURCE24} %{buildroot}%{_sysconfdir}/openldap
|
||||
install -m 644 %{SOURCE12} %{buildroot}%{_sysconfdir}/openldap
|
||||
find doc/guide '(' ! -name *.html -a ! -name *.gif -a ! -name *.png -a ! -type d ')' -delete
|
||||
rm -rf doc/guide/release
|
||||
|
||||
%define DOCDIR %{_defaultdocdir}/%{name}
|
||||
# Install default database optimisation
|
||||
install -d %{buildroot}%{DOCDIR}/adminguide \
|
||||
%{buildroot}%{DOCDIR}/images \
|
||||
%{buildroot}%{DOCDIR}/drafts
|
||||
install -m 644 doc/guide/admin/* %{buildroot}%{DOCDIR}/adminguide
|
||||
install -m 644 doc/guide/images/*.gif %{buildroot}%{DOCDIR}/images
|
||||
install -m 644 doc/drafts/* %{buildroot}%{DOCDIR}/drafts
|
||||
install -m 644 ANNOUNCEMENT \
|
||||
COPYRIGHT \
|
||||
README \
|
||||
CHANGES \
|
||||
%{SOURCE5} \
|
||||
%{buildroot}%{DOCDIR}
|
||||
install -m 644 servers/slapd/slapd.ldif \
|
||||
%{buildroot}%{DOCDIR}/slapd.ldif.default
|
||||
rm -f %{buildroot}/etc/openldap/schema/README
|
||||
rm -f %{buildroot}/etc/openldap/slapd.ldif*
|
||||
mv servers/slapd/back-sql/rdbms_depend servers/slapd/back-sql/examples
|
||||
|
||||
ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcslapd
|
||||
|
||||
rm -f %{buildroot}%{_libdir}/openldap/*.a
|
||||
rm -f %{buildroot}/usr/share/man/man5/slapd-dnssrv.5
|
||||
rm -f %{buildroot}/usr/share/man/man5/slapd-ndb.5
|
||||
rm -f %{buildroot}/usr/share/man/man5/slapd-null.5
|
||||
rm -f %{buildroot}/usr/share/man/man5/slapd-passwd.5
|
||||
rm -f %{buildroot}/usr/share/man/man5/slapd-shell.5
|
||||
rm -f %{buildroot}/usr/share/man/man5/slapd-tcl.5
|
||||
# Remove *.la files, libtool does not handle this correct
|
||||
# Keep .la files for modules in the openldap subdirectory, which are consumed
|
||||
# in this form.
|
||||
rm -f %{buildroot}%{_libdir}/*.la
|
||||
|
||||
# Provide a libldap_r for backwards-compatibility with OpenLDAP < 2.5.
|
||||
ln -fs libldap.so "%{buildroot}%{_libdir}/libldap_r.so"
|
||||
%endif
|
||||
|
||||
%pre -f ldap.pre
|
||||
%service_add_pre slapd.service
|
||||
|
||||
%post
|
||||
%{fillup_only -n openldap ldap}
|
||||
%tmpfiles_create %{name}.conf
|
||||
%service_add_post slapd.service
|
||||
|
||||
%post -n libldap2 -p /sbin/ldconfig
|
||||
%postun -n libldap2 -p /sbin/ldconfig
|
||||
|
||||
%preun
|
||||
%service_del_preun slapd.service
|
||||
|
||||
%postun
|
||||
%service_del_postun slapd.service
|
||||
|
||||
%if "%flavor" == "contrib"
|
||||
%files -n libldapcpp-devel
|
||||
%doc contrib/ldapc++/README
|
||||
%_includedir/*.h
|
||||
%_libdir/libldapcpp.la
|
||||
%_libdir/libldapcpp.so
|
||||
|
||||
%files -n libldapcpp0
|
||||
%_libdir/libldapcpp.so.0
|
||||
%_libdir/libldapcpp.so.0.0.0
|
||||
|
||||
%else
|
||||
|
||||
%files
|
||||
%config %{_sysconfdir}/openldap/schema/*.schema
|
||||
%config %{_sysconfdir}/openldap/schema/*.ldif
|
||||
%config(noreplace) /etc/sasl2/slapd.conf
|
||||
%config(noreplace) %attr(640, root, ldap) %{_sysconfdir}/openldap/slapd.conf
|
||||
%config(noreplace) %attr(640, root, ldap) %{_sysconfdir}/openldap/slapd.conf.olctemplate
|
||||
%config %attr(640, root, ldap) %{_sysconfdir}/openldap/slapd.conf.default
|
||||
%config %attr(640, root, ldap) %{_sysconfdir}/openldap/slapd.conf.example
|
||||
%dir %{_libdir}/openldap
|
||||
%dir /usr/lib/openldap
|
||||
%dir %{_sysconfdir}/sasl2
|
||||
%dir %{_sysconfdir}/openldap
|
||||
%dir %attr(0770, ldap, ldap) %{_sysconfdir}/openldap/slapd.d
|
||||
%dir %{_sysconfdir}/openldap/schema
|
||||
%{_fillupdir}/sysconfig.openldap
|
||||
%{_sbindir}/slap*
|
||||
%{_sbindir}/rcslapd
|
||||
%{_libdir}/openldap/back_ldap*
|
||||
%{_libdir}/openldap/back_mdb*
|
||||
%{_libdir}/openldap/back_relay*
|
||||
%{_libdir}/openldap/accesslog*
|
||||
%{_libdir}/openldap/auditlog*
|
||||
%{_libdir}/openldap/autoca*
|
||||
%{_libdir}/openldap/collect*
|
||||
%{_libdir}/openldap/constraint*
|
||||
%{_libdir}/openldap/dds*
|
||||
%{_libdir}/openldap/deref*
|
||||
%{_libdir}/openldap/dyngroup*
|
||||
%{_libdir}/openldap/dynlist*
|
||||
%{_libdir}/openldap/homedir*
|
||||
%{_libdir}/openldap/memberof*
|
||||
%{_libdir}/openldap/otp*
|
||||
%{_libdir}/openldap/pcache*
|
||||
%{_libdir}/openldap/ppolicy*
|
||||
%{_libdir}/openldap/remoteauth*
|
||||
%{_libdir}/openldap/refint*
|
||||
%{_libdir}/openldap/retcode*
|
||||
%{_libdir}/openldap/rwm*
|
||||
%{_libdir}/openldap/seqmod*
|
||||
%{_libdir}/openldap/sssvlv*
|
||||
%{_libdir}/openldap/syncprov*
|
||||
%{_libdir}/openldap/translucent*
|
||||
%{_libdir}/openldap/unique*
|
||||
%{_libdir}/openldap/valsort*
|
||||
%{_libdir}/slapd
|
||||
/usr/lib/openldap/start
|
||||
/usr/lib/openldap/update-crc
|
||||
/usr/lib/openldap/fixup-modulepath
|
||||
%{_unitdir}/slapd.service
|
||||
%{_tmpfilesdir}/%{name}.conf
|
||||
%{_sysusersdir}/ldap-user.conf
|
||||
%dir %attr(0750, ldap, ldap) %{_sharedstatedir}/ldap
|
||||
%ghost %attr(0750, ldap, ldap) %{slapdrundir}
|
||||
%doc %{_mandir}/man8/sl*
|
||||
%doc %{_mandir}/man8/lloadd.*
|
||||
%doc %{_mandir}/man5/lloadd.conf.*
|
||||
%doc %{_mandir}/man5/slapd.*
|
||||
%doc %{_mandir}/man5/slapd-asyncmeta.*
|
||||
%doc %{_mandir}/man5/slapd-config.*
|
||||
%doc %{_mandir}/man5/slapd-ldap.*
|
||||
%doc %{_mandir}/man5/slapd-ldif.*
|
||||
%doc %{_mandir}/man5/slapd-mdb.*
|
||||
%doc %{_mandir}/man5/slapd-monitor.*
|
||||
%doc %{_mandir}/man5/slapd-pw-*
|
||||
%doc %{_mandir}/man5/slapd-relay.*
|
||||
%doc %{_mandir}/man5/slapd-wt.*
|
||||
%doc %{_mandir}/man5/slapo-*
|
||||
%doc %{_mandir}/man5/slappw-argon2.*
|
||||
%dir %{DOCDIR}
|
||||
%doc %{DOCDIR}/ANNOUNCEMENT
|
||||
%doc %{DOCDIR}/COPYRIGHT
|
||||
%license LICENSE
|
||||
%doc %{DOCDIR}/README*
|
||||
%doc %{DOCDIR}/CHANGES
|
||||
%doc %{DOCDIR}/slapd.ldif.default
|
||||
|
||||
%files back-perl
|
||||
%{_libdir}/openldap/back_perl*
|
||||
%doc %{_mandir}/man5/slapd-perl.*
|
||||
|
||||
%files back-sock
|
||||
%{_libdir}/openldap/back_sock*
|
||||
%doc %{_mandir}/man5/slapd-sock.*
|
||||
|
||||
%files back-meta
|
||||
%{_libdir}/openldap/back_meta*
|
||||
%doc %{_mandir}/man5/slapd-meta.*
|
||||
|
||||
%files back-sql
|
||||
%{_libdir}/openldap/back_sql*
|
||||
%doc %{_mandir}/man5/slapd-sql.*
|
||||
%doc servers/slapd/back-sql/examples
|
||||
%doc servers/slapd/back-sql/docs/bugs
|
||||
%doc servers/slapd/back-sql/docs/install
|
||||
|
||||
%files -n libldap-data
|
||||
%config(noreplace) %{_sysconfdir}/openldap/ldap.conf
|
||||
%doc %{_mandir}/man5/ldap.conf*
|
||||
%{_sysconfdir}/openldap/ldap.conf.default
|
||||
|
||||
%files doc
|
||||
%dir %{DOCDIR}
|
||||
%doc %{DOCDIR}/drafts
|
||||
%doc %{DOCDIR}/adminguide
|
||||
%doc %{DOCDIR}/images
|
||||
|
||||
%files contrib
|
||||
%{_libdir}/openldap/addpartial.*
|
||||
%{_libdir}/openldap/allop.*
|
||||
%{_libdir}/openldap/allowed.*
|
||||
%{_libdir}/openldap/authzid.*
|
||||
%{_libdir}/openldap/autogroup.*
|
||||
%{_libdir}/openldap/cloak.*
|
||||
%{_libdir}/openldap/datamorph.*
|
||||
%{_libdir}/openldap/denyop.*
|
||||
%{_libdir}/openldap/lastbind.*
|
||||
%{_libdir}/openldap/noopsrch.*
|
||||
%{_libdir}/openldap/pw-pbkdf2.*
|
||||
%{_libdir}/openldap/pw-sha2.*
|
||||
%{_libdir}/openldap/smbk5pwd.*
|
||||
%{_libdir}/openldap/trace.*
|
||||
%{_libdir}/openldap/variant.*
|
||||
%{_libdir}/openldap/vc.*
|
||||
|
||||
%files client
|
||||
%doc %{_mandir}/man1/ldap*
|
||||
%doc %{_mandir}/man5/ldif.*
|
||||
%dir /etc/openldap
|
||||
/usr/sbin/schema2ldif
|
||||
/usr/bin/ldapadd
|
||||
/usr/bin/ldapcompare
|
||||
/usr/bin/ldapdelete
|
||||
/usr/bin/ldapexop
|
||||
/usr/bin/ldapmodify
|
||||
/usr/bin/ldapmodrdn
|
||||
/usr/bin/ldapsearch
|
||||
/usr/bin/ldappasswd
|
||||
/usr/bin/ldapurl
|
||||
/usr/bin/ldapvc
|
||||
/usr/bin/ldapwhoami
|
||||
|
||||
%files -n libldap2
|
||||
%{_libdir}/liblber.so.*
|
||||
%{_libdir}/libldap.so.*
|
||||
|
||||
%files devel
|
||||
%doc %{_mandir}/man3/ber*
|
||||
%doc %{_mandir}/man3/lber*
|
||||
%doc %{_mandir}/man3/ld_errno*
|
||||
%doc %{_mandir}/man3/ldap*
|
||||
%{_includedir}/*.h
|
||||
%{_libdir}/liblber.so
|
||||
%{_libdir}/libldap*.so
|
||||
%{_libdir}/pkgconfig/*.pc
|
||||
|
||||
%files devel-static
|
||||
%_libdir/liblber.a
|
||||
%_libdir/libldap*.a
|
||||
|
||||
%endif # !flavor:contrib
|
||||
|
||||
%changelog
|
13
reproducible.patch
Normal file
13
reproducible.patch
Normal file
@ -0,0 +1,13 @@
|
||||
Index: openldap-2.6.3/build/mkversion
|
||||
===================================================================
|
||||
--- openldap-2.6.3.orig/build/mkversion
|
||||
+++ openldap-2.6.3/build/mkversion
|
||||
@@ -77,7 +77,7 @@ static const char copyright[] =
|
||||
"COPYING RESTRICTIONS APPLY\n";
|
||||
|
||||
$static $const char $SYMBOL[] =
|
||||
-"@(#) \$$PACKAGE: $APPLICATION $VERSION (" __DATE__ " " __TIME__ ") \$\n"
|
||||
+"@(#) \$$PACKAGE: $APPLICATION $VERSION \$\n"
|
||||
"\t$WHOWHERE\n";
|
||||
|
||||
__EOF__
|
1
sasl-slapd.conf
Normal file
1
sasl-slapd.conf
Normal file
@ -0,0 +1 @@
|
||||
mech_list: gssapi digest-md5 cram-md5 external
|
53
schema2ldif
Normal file
53
schema2ldif
Normal file
@ -0,0 +1,53 @@
|
||||
#!/bin/bash
|
||||
#
|
||||
# This is a simple tool to convert OpenLDAP Schema files to
|
||||
# LDIF suitable for usage with OpenLDAP's dynamic configuration
|
||||
# backend (cn=config)
|
||||
#
|
||||
# usage:
|
||||
# schema2ldif <input file>
|
||||
#
|
||||
# The generated LDIF is printed to stdout.
|
||||
#
|
||||
|
||||
if [ -z "$1" ]; then
|
||||
echo 'usage: schema2ldif <input file>'
|
||||
exit;
|
||||
fi
|
||||
|
||||
cn=`basename $1 .schema`
|
||||
|
||||
echo "dn: cn=$cn,cn=schema,cn=config";
|
||||
echo "objectclass: olcSchemaConfig";
|
||||
echo "cn: $cn";
|
||||
|
||||
/usr/bin/awk '
|
||||
BEGIN {
|
||||
buffer = "";
|
||||
width=78 ;
|
||||
}
|
||||
function wrap(data)
|
||||
{
|
||||
if (length(data) > 0) {
|
||||
do {
|
||||
print substr(data,0,width);
|
||||
data = " " substr(data, width+1);
|
||||
}
|
||||
while (length(data) > 1 )
|
||||
};
|
||||
}
|
||||
/^[\t ]*$/ {wrap(buffer); buffer=""; print "#"; next; }
|
||||
/^#.*$/ { wrap(buffer); buffer=""; print $0; next }
|
||||
/^[\t ]+/ { gsub("^[\t ]+",""); buffer = buffer " " $0; next; }
|
||||
{
|
||||
wrap(buffer);
|
||||
$1 = tolower($1) ;
|
||||
gsub("^objectclass$","olcObjectclasses:",$1)
|
||||
gsub("^attributetype$","olcAttributeTypes:",$1)
|
||||
gsub("^attributetypes$","olcAttributeTypes:",$1)
|
||||
gsub("^objectidentifier$","olcObjectIdentifier:",$1)
|
||||
buffer = $0;
|
||||
}
|
||||
END { wrap(buffer); print "" }
|
||||
' "$@"
|
||||
|
33
slapd-ldif-update-crc.sh
Normal file
33
slapd-ldif-update-crc.sh
Normal file
@ -0,0 +1,33 @@
|
||||
#!/bin/bash
|
||||
# Script to fix the crc of openldap slapd.d ldifs.
|
||||
source /usr/lib/openldap/update-crc
|
||||
|
||||
if [ -z ${1} ]; then
|
||||
echo "Usage: ${0} /etc/openldap/slapd.d/<config ldif to update>"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ ! -f "${1}" ]; then
|
||||
echo "File ${1} does not exist?"
|
||||
echo "Usage: ${0} /etc/openldap/slapd.d/<config ldif to update>"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Make sure slapd.service is not running.
|
||||
slapd_running=1
|
||||
|
||||
# Don't check if no systemd, we could be in a container.
|
||||
if [ -f "/usr/bin/systemctl" ]; then
|
||||
/usr/bin/systemctl is-active --quiet slapd.service
|
||||
slapd_running=$?
|
||||
fi
|
||||
|
||||
if [ $slapd_running -eq 0 ]; then
|
||||
echo "Unable to update crc of '${1}' while slapd.service is running ..."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
do_update_crc ${1}
|
||||
|
||||
echo "Updated crc of ${1}"
|
||||
|
86
slapd.conf
Normal file
86
slapd.conf
Normal file
@ -0,0 +1,86 @@
|
||||
# This file (slapd.conf) is the static configuration file of OpenLDAP server daemon.
|
||||
#
|
||||
# OpenLDAP daemon (slapd.service) supports two configuration styles:
|
||||
# - Simple configuration with this file
|
||||
# - Online configuration (OLC)
|
||||
#
|
||||
# You may choose the configuration style by setting it in:
|
||||
# /etc/sysconfig/openldap OPENLDAP_CONFIG_BACKEND="files|ldap"
|
||||
# If the value is set to "files", this configuration file will be used.
|
||||
# If the value is set to "ldap", this configuration file will be entirely ignored, and
|
||||
# the OLC configuration from /etc/openldap/slapd.d will be loaded.
|
||||
#
|
||||
# If you decide to use online configuration, please read the additional instructions in:
|
||||
# /etc/openldap/slapd.conf.olctemplate
|
||||
#
|
||||
# Feel free to customise this file according to your needs, and start OpenLDAP
|
||||
# server daemon by executing:
|
||||
# systemctl start slapd.service
|
||||
#
|
||||
# To verify that LDAP service is running properly, try the following command:
|
||||
# ldapsearch -x -D cn=Manager,dc=my-domain,dc=com -w secret -s base namingContexts
|
||||
|
||||
#
|
||||
# See slapd.conf(5) for details on configuration options.
|
||||
# See /etc/openldap/slapd.conf.example for more examples.
|
||||
# This file should NOT be world readable.
|
||||
#
|
||||
|
||||
pidfile /run/slapd/slapd.pid
|
||||
argsfile /run/slapd/slapd.args
|
||||
|
||||
# The following schema files are often useful
|
||||
include /etc/openldap/schema/core.schema
|
||||
include /etc/openldap/schema/cosine.schema
|
||||
include /etc/openldap/schema/inetorgperson.schema
|
||||
include /etc/openldap/schema/rfc2307bis.schema
|
||||
include /etc/openldap/schema/yast.schema
|
||||
|
||||
# Load backend modules such as database engines
|
||||
moduleload back_mdb.la
|
||||
|
||||
# Very important: define ACL to authorise client access
|
||||
# The default settings permit rootdn to read and write, while other users
|
||||
# may read the entire database or change their own password.
|
||||
# If no ACL is present, everyone will be allowed to read the database.
|
||||
# rootdn can always read and write everything.
|
||||
access to dn.base=""
|
||||
by * read
|
||||
|
||||
access to dn.base="cn=Subschema"
|
||||
by * read
|
||||
|
||||
access to attrs=userPassword,userPKCS12
|
||||
by self write
|
||||
by * auth
|
||||
|
||||
access to attrs=shadowLastChange
|
||||
by self write
|
||||
by * read
|
||||
|
||||
access to *
|
||||
by * read
|
||||
|
||||
# Define a LDAP database
|
||||
database mdb
|
||||
suffix "dc=my-domain,dc=com"
|
||||
rootdn "cn=Manager,dc=my-domain,dc=com"
|
||||
# Please avoid using clear text for root password
|
||||
# See slappasswd(8) for instructions on creating a salted+hashed password
|
||||
rootpw secret
|
||||
# The database directory must exist prior to the start of OpenLDAP daemon
|
||||
# The directory should be owned by ldap user and permission 0700 is recommended
|
||||
directory /var/lib/ldap
|
||||
# Indices to maintain
|
||||
index objectClass eq
|
||||
|
||||
# Using TLS to secure communication between LDAP clients and the server is strongly recommended.
|
||||
# To enable TLS, you will need CA certificate, server certificate, and certificate key, and
|
||||
# write down their paths below, make sure the files are readable by user "ldap".
|
||||
# The server will then support StartTLS on standard port 389.
|
||||
# To also serve LDAPS on port 636, set OPENLDAP_START_LDAPS="yes" in /etc/sysconfig/openldap.
|
||||
#TLSProtocolMin 3.1
|
||||
#TLSCipherSuite HIGH:!SSLv3:!SSLv2:!ADH
|
||||
#TLSCACertificateFile /my/ca.crt
|
||||
#TLSCertificateFile /my/tls.crt
|
||||
#TLSCertificateKeyFile /my/tls.key
|
354
slapd.conf.example
Normal file
354
slapd.conf.example
Normal file
@ -0,0 +1,354 @@
|
||||
############################################################################
|
||||
# See slapd.conf(5) for details on configuration options.
|
||||
# This file SHOULD NOT be world readable.
|
||||
#
|
||||
# Important note:
|
||||
# You surely have to adjust some settings to meet your (security)
|
||||
# requirements.
|
||||
# At least you should replace suffix "dc=example,dc=com" by
|
||||
# something meaningful for your setup.
|
||||
# If you plan to use OpenLDAP server as backend for Samba and/or Kerberos
|
||||
# KDC then you MUST add decent ACLs for protecting user credentials!
|
||||
#
|
||||
# Read the man pages before changing something!
|
||||
#
|
||||
# You can debug the config by running (as root while slapd stopped):
|
||||
# /usr/sbin/slapd -f /etc/openldap/slapd.conf -u ldap -g ldap -h "ldapi:/// ldap://127.0.0.1" -d 65535
|
||||
############################################################################
|
||||
|
||||
#---------------------------------------------------------------------------
|
||||
# slapd global parameters
|
||||
#---------------------------------------------------------------------------
|
||||
|
||||
# serverID must be unique across all provider replicas
|
||||
# for using multi-master replication (MMR)
|
||||
serverID 99
|
||||
|
||||
# only alter this when you know what you're doing
|
||||
#threads 4
|
||||
|
||||
# Run-time files
|
||||
pidfile /var/run/slapd/slapd.pid
|
||||
argsfile /var/run/slapd/slapd.args
|
||||
|
||||
# for more debugging set:
|
||||
#loglevel config stats stats2
|
||||
loglevel stats
|
||||
|
||||
#---------------------------------------------------------------------------
|
||||
# Load runtime loadable modules
|
||||
#---------------------------------------------------------------------------
|
||||
|
||||
# Load additional backend modules installed by package 'openldap2'
|
||||
# The following backends are statically built-in and therefore don't have
|
||||
# to be loaded here:
|
||||
# config, ldif, monitor, bdb, hdb, ldap, mdb, relay
|
||||
#moduleload back_bdb
|
||||
#moduleload back_hdb
|
||||
moduleload back_mdb
|
||||
#moduleload back_meta
|
||||
#moduleload back_sock
|
||||
|
||||
# Load additional overlay modules installed by package 'openldap2'
|
||||
# The following overlay are statically built-in and therefore don't have
|
||||
# to be loaded here:
|
||||
# ppolicy, syncprov
|
||||
#moduleload accesslog
|
||||
#moduleload constraint
|
||||
#moduleload dds
|
||||
#moduleload deref
|
||||
#moduleload dynlist
|
||||
#moduleload memberof
|
||||
moduleload refint
|
||||
#moduleload sssvlv
|
||||
#moduleload translucent
|
||||
moduleload unique
|
||||
#moduleload valsort
|
||||
|
||||
# Load additional overlay modules installed by package 'openldap2-contrib'
|
||||
#moduleload allowed
|
||||
#moduleload lastbind
|
||||
#moduleload noopsrch
|
||||
#moduleload pw-pbkdf2
|
||||
#moduleload pw-sha2
|
||||
#moduleload smbk5pwd
|
||||
|
||||
#---------------------------------------------------------------------------
|
||||
# Include schema files
|
||||
#---------------------------------------------------------------------------
|
||||
|
||||
# Schema files installed by package 'openldap2'
|
||||
include /etc/openldap/schema/core.schema
|
||||
include /etc/openldap/schema/cosine.schema
|
||||
include /etc/openldap/schema/inetorgperson.schema
|
||||
include /etc/openldap/schema/rfc2307bis.schema
|
||||
include /etc/openldap/schema/ppolicy.schema
|
||||
#include /etc/openldap/schema/yast.schema
|
||||
|
||||
# Schema file installed by package 'dhcp-server'
|
||||
#include /etc/openldap/schema/dhcp.schema
|
||||
|
||||
# Schema file installed by package 'samba'
|
||||
#include /etc/openldap/schema/samba3.schema
|
||||
|
||||
# Schema file installed by package 'krb5-plugin-kdb-ldap'
|
||||
#include /usr/share/doc/packages/krb5/kerberos.schema
|
||||
|
||||
#---------------------------------------------------------------------------
|
||||
# Transport Layer Security (TLS) configuration
|
||||
#---------------------------------------------------------------------------
|
||||
|
||||
# require at least TLS 1.0 and highly secure ciphers
|
||||
#TLSProtocolMin 3.1
|
||||
#TLSCipherSuite HIGH:!SSLv3:!SSLv2:!ADH
|
||||
|
||||
# TLS certificate and key files
|
||||
#TLSCACertificateFile /etc/ssl/ca-bundle.pem
|
||||
#TLSCertificateFile /etc/openldap/ssl.crt/server.crt
|
||||
#TLSCertificateKeyFile /etc/openldap/ssl.key/server.key
|
||||
|
||||
# For enabling Perfect Forward Secrecy (PFS), see dhparam(1)
|
||||
#TLSDHParamFile /etc/openldap/ssl.key/dhparam
|
||||
|
||||
#---------------------------------------------------------------------------
|
||||
# Password hashing
|
||||
#---------------------------------------------------------------------------
|
||||
|
||||
#password-hash {CRYPT}
|
||||
# Parameters for {CRYPT} scheme: SHA-512, 72 bits) of salt, 5000 iterations
|
||||
#password-crypt-salt-format "$6$%.12s"
|
||||
|
||||
#---------------------------------------------------------------------------
|
||||
# Security requirements
|
||||
#---------------------------------------------------------------------------
|
||||
|
||||
#disallow bind_anon
|
||||
#require bind LDAPv3 strong
|
||||
|
||||
# SSF value for ldapi://
|
||||
localSSF 256
|
||||
|
||||
# minimum required SSF value (security strength factor)
|
||||
# Sample security restrictions
|
||||
# Require integrity protection (prevent hijacking)
|
||||
# Require 112-bit (3DES or better) encryption for updates
|
||||
# Require 63-bit encryption for simple bind
|
||||
# security ssf=1 update_ssf=112 simple_bind=64
|
||||
#security ssf=128 update_ssf=256 simple_bind=128
|
||||
security ssf=0
|
||||
|
||||
#---------------------------------------------------------------------------
|
||||
# Global access control (ACLs)
|
||||
#---------------------------------------------------------------------------
|
||||
|
||||
# Root DSE: allow anyone to read it
|
||||
access to
|
||||
dn.base=""
|
||||
by * read
|
||||
|
||||
# Sub schema sub entry: allow anyone to read it
|
||||
access to
|
||||
dn.base="cn=Subschema"
|
||||
by * read
|
||||
|
||||
#---------------------------------------------------------------------------
|
||||
# Authz-DN mappings
|
||||
#---------------------------------------------------------------------------
|
||||
|
||||
# If connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used
|
||||
# System user root is mapped to the rootdn in database dc=example,dc=com
|
||||
# which has also read access on config and monitor databases
|
||||
authz-regexp
|
||||
"gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
|
||||
"cn=root,dc=example,dc=com"
|
||||
|
||||
# Map local system user to LDAP entry
|
||||
# if connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used
|
||||
authz-regexp
|
||||
"gidnumber=([0-9]+)\\+uidnumber=([0-9]+),cn=peercred,cn=external,cn=auth"
|
||||
"ldap:///dc=example,dc=com??sub?(&(objectClass=posixAccount)(uidNumber=$2)(gidNumber=$1))"
|
||||
|
||||
# this maps the attribute uid to a LDAP entry
|
||||
# if one of the typical password-based SASL mechs was used
|
||||
authz-regexp
|
||||
"uid=([a-zA-Z0-9_-]+),cn=(DIGEST-MD5|CRAM-MD5|NTLM|PLAIN|LOGIN|SCRAM-SHA-1),cn=auth"
|
||||
"ldap:///dc=example,dc=com??sub?(uid=$1)"
|
||||
|
||||
# this maps the attribute uid to a LDAP entry
|
||||
# if one of the Kerberos based SASL mechs was used
|
||||
#authz-regexp
|
||||
# "uid=([a-zA-Z0-9_-]+),cn=(GSSAPI|GS2-KRB5|GS2-IAKERB),cn=auth"
|
||||
# "ldap:///dc=example,dc=com??sub?(|(krbPrincipalName=$1)(krbPrincipalAlias=$1))"
|
||||
|
||||
# Map client cert subject DN to LDAP entry if SASL/EXTERNAL was used
|
||||
#authz-regexp
|
||||
# "(.+)"
|
||||
# "ldap:///dc=example,dc=com??sub?(&(objectClass=pkiUser)(seeAlso=$1))"
|
||||
|
||||
|
||||
#===========================================================================
|
||||
# Database specific configuration sections below
|
||||
# Required order of databases:
|
||||
# config (first), ...others..., monitor (last)
|
||||
#===========================================================================
|
||||
|
||||
|
||||
#---------------------------------------------------------------------------
|
||||
# cn=config // Configuration database (always first!)
|
||||
# see slapd-config(5)
|
||||
#---------------------------------------------------------------------------
|
||||
|
||||
database config
|
||||
|
||||
# Cleartext passwords, especially for the rootdn, should
|
||||
# be avoid! See slappasswd(8) and slapd.conf(5) for details.
|
||||
# Best thing is not to set rootpw at all!
|
||||
# For local config access by root use LDAPI with SASL/EXTERNAL instead
|
||||
# (see above).
|
||||
#rootpw secret
|
||||
|
||||
access to
|
||||
dn.subtree="cn=config"
|
||||
by dn.exact="cn=root,dc=example,dc=com" manage
|
||||
by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" read
|
||||
by * none
|
||||
|
||||
|
||||
#---------------------------------------------------------------------------
|
||||
# dc=example,dc=com // Example MDB database to be used by normal clients
|
||||
# see slapd-mdb(5)
|
||||
#---------------------------------------------------------------------------
|
||||
|
||||
database mdb
|
||||
|
||||
suffix "dc=example,dc=com"
|
||||
|
||||
# rootdn has to be set for overlays' internal operations
|
||||
rootdn "cn=root,dc=example,dc=com"
|
||||
|
||||
# Cleartext passwords, especially for the rootdn, should
|
||||
# be avoid! See slappasswd(8) and slapd.conf(5) for details.
|
||||
# Best thing is not to set rootpw at all!
|
||||
rootpw secret
|
||||
|
||||
# The database directory MUST exist prior to running slapd and
|
||||
# SHOULD only be accessible by the slapd user 'ldap'.
|
||||
# mkdir /var/lib/ldap/example-db && chown ldap:ldap /var/lib/ldap/example-db && chmod 0700 /var/lib/ldap/example-db
|
||||
directory /var/lib/ldap/example-db
|
||||
|
||||
# Permissions of database files created
|
||||
mode 0600
|
||||
|
||||
# extra information to be available in cn=monitor for this database
|
||||
monitoring on
|
||||
|
||||
# Perform ACL checks on the content of a new entry being added
|
||||
add_content_acl on
|
||||
|
||||
# backend-specific database parameters
|
||||
checkpoint 1024 5
|
||||
# 100 MB (you can raise the limit later)
|
||||
maxsize 104857600
|
||||
|
||||
# Indices to maintain
|
||||
#
|
||||
# Whenever you change indexing configuration you have to re-run slapindex
|
||||
# while slapd being stopped!
|
||||
# Don't forget to fix ownership/permissions of newly generated index files
|
||||
# afterwards!
|
||||
|
||||
# set always!
|
||||
index objectClass eq
|
||||
|
||||
# for typical address book use
|
||||
index cn,sn,givenName,mail eq,sub
|
||||
|
||||
# for user management
|
||||
index uid,uidNumber,gidNumber eq
|
||||
|
||||
# for authz-regexp mapping of Kerberos principal name
|
||||
#index krbPrincipalName,krbPrincipalAlias eq
|
||||
|
||||
# for authz-regexp mapping of client cert subject DNs
|
||||
#index seeAlso eq
|
||||
|
||||
# for syncrepl
|
||||
index entryUUID,entryCSN eq
|
||||
|
||||
# access control lists (ACLs) for dc=example,dc=com
|
||||
# see slapd.access(5) for details on access control lists (ACLs)
|
||||
|
||||
# full read access also to 'userPassword' for group of replicas
|
||||
# and control is forwarded to subsequent ACLs
|
||||
access to
|
||||
dn.subtree=dc=example,dc=com
|
||||
by group.base="cn=slapd replicas,ou=groups,dc=example,dc=com" read
|
||||
by * break
|
||||
|
||||
# write-only access to 'userPassword' for user, auth access else
|
||||
access to
|
||||
attrs=userPassword
|
||||
by self =w
|
||||
by * auth
|
||||
|
||||
# 'userPKCS' must only be accessible by self
|
||||
access to
|
||||
attrs=userPKCS12
|
||||
by self write
|
||||
by * none
|
||||
|
||||
# No access to history of passwords
|
||||
#access to
|
||||
# attrs=pwdHistory
|
||||
# by * none
|
||||
|
||||
# Catch-all ACL for the rest
|
||||
access to
|
||||
dn.subtree=dc=example,dc=com
|
||||
by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" manage
|
||||
by self read
|
||||
by users read
|
||||
by * auth
|
||||
|
||||
# see slapo-ppolicy(5)
|
||||
overlay ppolicy
|
||||
# Default password policy entry
|
||||
#ppolicy_default cn=ppolicy-default,ou=policies,dc=example,dc=com
|
||||
# Hash clear-text userPassword values sent in with add/modify operations
|
||||
#ppolicy_hash_cleartext
|
||||
# Return AccountLocked error code to client
|
||||
#ppolicy_use_lockout
|
||||
|
||||
# see slapo-refint(5)
|
||||
overlay refint
|
||||
refint_attributes member seeAlso
|
||||
refint_nothing cn=dummy
|
||||
|
||||
# Check sub-tree wide uniqueness of certain attributes
|
||||
# see slapo-unique(5)
|
||||
# you have to add eq-index for efficient uniqueness check!
|
||||
# Note that filter part is currently ignored because of OpenLDAP ITS#6825
|
||||
overlay unique
|
||||
unique_uri "ldap:///dc=example,dc=com?uid,uidNumber,homeDirectory?sub"
|
||||
unique_uri "ldap:///ou=groups,dc=example,dc=com?cn,gidNumber?sub?(|(objectClass=groupOfNames)(objectClass=posixGroup))"
|
||||
#unique_uri "ldap:///dc=example,dc=com?krbPrincipalName,krbPrincipalAlias?sub"
|
||||
#unique_uri "ldap:///dc=example,dc=com?ipHostNumber?sub"
|
||||
#unique_uri "ldap:///dc=example,dc=com?employeeNumber?sub"
|
||||
#unique_uri "ldap:///dc=example,dc=com?uniqueIdentifier?sub"
|
||||
|
||||
#overlay syncprov
|
||||
#mirrormode on
|
||||
|
||||
|
||||
#---------------------------------------------------------------------------
|
||||
# cn=monitor // Monitoring database (always last!)
|
||||
# see slapd-monitor(5)
|
||||
#---------------------------------------------------------------------------
|
||||
|
||||
database monitor
|
||||
|
||||
access to
|
||||
dn.subtree="cn=monitor"
|
||||
by dn.exact="cn=root,dc=example,dc=com" write
|
||||
by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" write
|
||||
by users read
|
46
slapd.conf.olctemplate
Normal file
46
slapd.conf.olctemplate
Normal file
@ -0,0 +1,46 @@
|
||||
# This file (slapd.conf.olctemplate) is a template for creating the initial
|
||||
# online configuration for OpenLDAP server daemon.
|
||||
#
|
||||
# In order to use online configuration for OpenLDAP server daemon, make sure to set:
|
||||
# /etc/sysconfig/openldap OPENLDAP_CONFIG_BACKEND="ldap"
|
||||
#
|
||||
# Before starting the OpenLDAP daemon (slapd.conf) with onlne configuration for
|
||||
# the very first time, you have to prepare the online configuration directory
|
||||
# from this template file - first, make necessary customisations if you wish, and then
|
||||
# run:
|
||||
# cd /etc/openldap && slaptest -f slapd.conf.olctemplate -F slapd.d
|
||||
#
|
||||
# Then you may start OpenLDAP daemon:
|
||||
# systemctl start slapd.service
|
||||
#
|
||||
# To verify that LDAP service is running properly, try the following command:
|
||||
# ldapsearch -x -D cn=admin,cn=config -w secret -b cn=config
|
||||
|
||||
#
|
||||
# See slapd.conf(5) for details on configuration options.
|
||||
# See /etc/openldap/slapd.conf.example for more examples.
|
||||
# This file should NOT be world readable.
|
||||
#
|
||||
|
||||
pidfile /run/slapd/slapd.pid
|
||||
argsfile /run/slapd/slapd.args
|
||||
|
||||
# The following schema files are often useful
|
||||
include /etc/openldap/schema/core.schema
|
||||
include /etc/openldap/schema/cosine.schema
|
||||
include /etc/openldap/schema/inetorgperson.schema
|
||||
include /etc/openldap/schema/rfc2307bis.schema
|
||||
include /etc/openldap/schema/yast.schema
|
||||
|
||||
# Load backend modules such as database engines
|
||||
# modulepath /usr/lib64/openldap
|
||||
# moduleload back_mdb.la
|
||||
# moduleload back_hdb.la
|
||||
# moduleload back_bdb.la
|
||||
|
||||
# Define the config database that holds all online configurations
|
||||
database config
|
||||
rootdn "cn=admin,cn=config"
|
||||
# Please avoid using clear text for root password
|
||||
# See slappasswd(8) for instructions on creating a salted+hashed password
|
||||
rootpw secret
|
28
slapd.service
Normal file
28
slapd.service
Normal file
@ -0,0 +1,28 @@
|
||||
[Unit]
|
||||
Description=OpenLDAP Server Daemon
|
||||
After=syslog.target network.target
|
||||
|
||||
[Service]
|
||||
Type=forking
|
||||
ExecStart=/usr/lib/openldap/start
|
||||
|
||||
# Hardening to prevent security escalation.
|
||||
## Future hardening for FS protection.
|
||||
# ProtectSystem=full
|
||||
# ReadWritePaths=/etc/openldap/slapd.d /var/lib/ldap
|
||||
|
||||
RestrictSUIDSGID=true
|
||||
NoNewPrivileges=true
|
||||
PrivateTmp=true
|
||||
PrivateDevices=true
|
||||
ProtectHostname=true
|
||||
ProtectClock=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectControlGroups=true
|
||||
MemoryDenyWriteExecute=true
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
174
start
Normal file
174
start
Normal file
@ -0,0 +1,174 @@
|
||||
#! /bin/bash
|
||||
# Copyright (c) 1997-2000 SuSE GmbH Nuernberg, Germany.
|
||||
# Copyright (c) 2002 SuSE Linux AG Nuernberg, Germany.
|
||||
# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||
#
|
||||
# Author: Carsten Hoeger
|
||||
# Ralf Haferkamp
|
||||
#
|
||||
|
||||
test -f /etc/sysconfig/openldap && . /etc/sysconfig/openldap
|
||||
|
||||
SLAPD_BIN=/usr/sbin/slapd
|
||||
LDAP_URLS=""
|
||||
LDAPS_URLS=""
|
||||
LDAPI_URLS=""
|
||||
SLAPD_CONFIG_ARG="-F /etc/openldap/slapd.d"
|
||||
SLAPD_PID_DIR="/var/run/slapd/"
|
||||
|
||||
test -x $SLAPD_BIN || exit 5
|
||||
|
||||
function init_ldap_listener_urls(){
|
||||
case "$OPENLDAP_START_LDAP" in
|
||||
[Yy][Ee][Ss])
|
||||
if [ -n "$OPENLDAP_LDAP_INTERFACES" ]
|
||||
then
|
||||
for iface in $OPENLDAP_LDAP_INTERFACES ;do
|
||||
LDAP_URLS="$LDAP_URLS ldap://$iface"
|
||||
done
|
||||
else
|
||||
LDAP_URLS="ldap:///"
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
function init_ldapi_listener_urls(){
|
||||
case "$OPENLDAP_START_LDAPI" in
|
||||
[Yy][Ee][Ss])
|
||||
if [ -n "$OPENLDAP_LDAPI_INTERFACES" ]
|
||||
then
|
||||
for iface in $OPENLDAP_LDAPI_INTERFACES ;do
|
||||
esc_iface=`echo "$iface" | sed -e s'/\\//\\%2f/'g`
|
||||
LDAPI_URLS="$LDAPI_URLS ldapi://$esc_iface"
|
||||
done
|
||||
else
|
||||
LDAPI_URLS="ldapi:///"
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
function init_ldaps_listener_urls(){
|
||||
case "$OPENLDAP_START_LDAPS" in
|
||||
[Yy][Ee][Ss])
|
||||
if [ -n "$OPENLDAP_LDAPS_INTERFACES" ]
|
||||
then
|
||||
for iface in $OPENLDAP_LDAPS_INTERFACES ;do
|
||||
LDAPS_URLS="$LDAPS_URLS ldaps://$iface"
|
||||
done
|
||||
else
|
||||
LDAPS_URLS="ldaps:///"
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
function check_connection(){
|
||||
SLAPD_TIMEOUT=10
|
||||
START=$( date +%s)
|
||||
while [ $(( $( date +%s) - ${START} )) -lt ${SLAPD_TIMEOUT} ]; do
|
||||
ldapsearch -x -H "$LDAP_URLS $LDAPI_URLS $LDAPS_URLS" -b "" -s base &>/dev/null
|
||||
LDAPSEARCH_RC=$?
|
||||
if [ ${LDAPSEARCH_RC} -ge 0 ] && [ ${LDAPSEARCH_RC} -le 80 ] ; then break
|
||||
else sleep 1
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
depth=0;
|
||||
|
||||
function chown_database_dirs_bconfig() {
|
||||
ldapdir=$(find $1 -type f -name "olcDatabase*" | xargs grep -i olcdbdirectory | awk '{print $2}')
|
||||
for dir in $(realpath ${ldapdir}); do
|
||||
if [[ $dir =~ ^/var/lib/ldap$|^/var/lib/ldap/.* ]]; then
|
||||
[ -d "$dir" ] && [ -n "$OPENLDAP_USER" ] && \
|
||||
chown -h -R $OPENLDAP_USER $dir 2>/dev/null
|
||||
[ -d "$dir" ] && [ -n "$OPENLDAP_GROUP" ] && \
|
||||
chgrp -h -R $OPENLDAP_GROUP $dir 2>/dev/null
|
||||
else
|
||||
echo "Skipping chown -h of external directory for security reasons. You must manually run:"
|
||||
echo "# chown -h -R $OPENLDAP_USER $dir"
|
||||
echo "# chgrp -h -R $OPENLDAP_GROUP $dir"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
function chown_database_dirs() {
|
||||
ldapdir=`grep ^directory $1 | awk '{print $2}'`
|
||||
for dir in $ldapdir; do
|
||||
[ -d "$dir" ] && [ -n "$OPENLDAP_USER" ] && \
|
||||
chown -h -R $OPENLDAP_USER $dir 2>/dev/null
|
||||
[ -d "$dir" ] && [ -n "$OPENLDAP_GROUP" ] && \
|
||||
chgrp -h -R $OPENLDAP_GROUP $dir 2>/dev/null
|
||||
done
|
||||
includes=`grep ^include $1 | awk '{print $2}'`
|
||||
if [ $depth -le 50 ]; then
|
||||
depth=$(( $depth + 1 ));
|
||||
for i in $includes; do
|
||||
chown_database_dirs "$i" ;
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
USER_CMD=""
|
||||
GROUP_CMD=""
|
||||
[ ! "x$OPENLDAP_USER" = "x" ] && USER_CMD="-u $OPENLDAP_USER"
|
||||
[ ! "x$OPENLDAP_GROUP" = "x" ] && GROUP_CMD="-g $OPENLDAP_GROUP"
|
||||
[ ! "x$OPENLDAP_CONFIG_BACKEND" = "xldap" ] && SLAPD_CONFIG_ARG="-f /etc/openldap/slapd.conf"
|
||||
|
||||
|
||||
# chown -h backend directories if OPENLDAP_CHOWN_DIRS ist set
|
||||
if [ "$(echo "$OPENLDAP_CHOWN_DIRS" | tr 'A-Z' 'a-z')" = "yes" ]; then
|
||||
if [ -n "$OPENLDAP_USER" -o -n "$OPENLDAP_GROUP" ]; then
|
||||
if [ -n "$OPENLDAP_CONFIG_BACKEND" -a "$OPENLDAP_CONFIG_BACKEND" = "ldap" ]; then
|
||||
chown -h -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null
|
||||
chgrp -h -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null
|
||||
chown_database_dirs_bconfig "/etc/openldap/slapd.d"
|
||||
# assume back-config usage if slapd.conf is not present but slapd.d is
|
||||
elif [ ! -f /etc/openldap/slapd.conf -a /etc/openldap/slapd.d ]; then
|
||||
chown -h -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null
|
||||
chgrp -h -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null
|
||||
chown_database_dirs_bconfig "/etc/openldap/slapd.d"
|
||||
else
|
||||
chown_database_dirs "/etc/openldap/slapd.conf"
|
||||
chgrp -h $OPENLDAP_GROUP /etc/openldap/slapd.conf 2>/dev/null
|
||||
fi
|
||||
if test -f /etc/sasl2/slapd.conf ; then
|
||||
chgrp -h $OPENLDAP_GROUP /etc/sasl2/slapd.conf 2>/dev/null
|
||||
chmod 640 /etc/sasl2/slapd.conf 2>/dev/null
|
||||
fi
|
||||
if [ -n "$OPENLDAP_KRB5_KEYTAB" ]; then
|
||||
keytabfile=${OPENLDAP_KRB5_KEYTAB/#FILE:/}
|
||||
if test -f $keytabfile ; then
|
||||
chgrp -h $OPENLDAP_GROUP $keytabfile 2>/dev/null
|
||||
chmod g+r $keytabfile 2>/dev/null
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
if [ -n "$OPENLDAP_KRB5_KEYTAB" ]; then
|
||||
export KRB5_KTNAME=$OPENLDAP_KRB5_KEYTAB
|
||||
fi
|
||||
case "$OPENLDAP_REGISTER_SLP" in
|
||||
[Yy][Ee][Ss])
|
||||
SLAPD_SLP_REG="-o slp=on"
|
||||
;;
|
||||
*)
|
||||
SLAPD_SLP_REG="-o slp=off"
|
||||
;;
|
||||
esac
|
||||
|
||||
init_ldap_listener_urls
|
||||
init_ldapi_listener_urls
|
||||
init_ldaps_listener_urls
|
||||
|
||||
if [ ! -d $SLAPD_PID_DIR ]; then
|
||||
mkdir -p $SLAPD_PID_DIR
|
||||
chown -h ldap:ldap $SLAPD_PID_DIR
|
||||
fi
|
||||
echo -n "Starting ldap-server"
|
||||
exec $SLAPD_BIN -h "$LDAP_URLS $LDAPS_URLS $LDAPI_URLS" \
|
||||
$SLAPD_CONFIG_ARG $USER_CMD $GROUP_CMD \
|
||||
$OPENLDAP_SLAPD_PARAMS $SLAPD_SLP_REG
|
||||
|
158
sysconfig.openldap
Normal file
158
sysconfig.openldap
Normal file
@ -0,0 +1,158 @@
|
||||
## Path: Network/LDAP
|
||||
## Description: Basic Configuration of the OpenLDAP Directory Server
|
||||
|
||||
## Type: yesno
|
||||
## Default: yes
|
||||
## ServiceRestart: ldap
|
||||
#
|
||||
# If set to "no" the LDAP server will not accept any "normal" LDAP connections
|
||||
# but just connections over "ldaps" or "ldapi". Setting this to "no" does only
|
||||
# make sense when either OPENLDAP_START_LDAPS or OPENLDAP_START_LDAPI is set
|
||||
# "yes".
|
||||
#
|
||||
OPENLDAP_START_LDAP="yes"
|
||||
|
||||
## Type: yesno
|
||||
## Default: no
|
||||
## ServiceRestart: ldap
|
||||
#
|
||||
# If set to "yes" the "ldap over ssl" feature of slapd will be enabled. Don't
|
||||
# forget to add the "TLSCertificateFile" and "TLSCertificateKeyFile" options
|
||||
# to the /etc/openldap/slapd.conf (man slapd.conf).
|
||||
# Note: Don't confuse this with "START_TLS", the preferred method for
|
||||
# making encrypted LDAP connections, which is enabled as soon as You
|
||||
# specify "TLSCertificateFile" and "TLSCertificateKeyFile" in your config
|
||||
# file
|
||||
#
|
||||
OPENLDAP_START_LDAPS="no"
|
||||
|
||||
## Type: yesno
|
||||
## Default: no
|
||||
## ServiceRestart: ldap
|
||||
#
|
||||
# If set to "yes", "ldap over IPC" feature of slapd will be enabled.
|
||||
# The ldap server creates a Unix domain socket as /var/run/slapd/ldapi.
|
||||
# Default: no
|
||||
#
|
||||
OPENLDAP_START_LDAPI="yes"
|
||||
|
||||
## Type: string
|
||||
## Default: ""
|
||||
## ServiceRestart: ldap
|
||||
#
|
||||
# If not empty, additional parameters for slapd daemon.
|
||||
# Default: ""
|
||||
#
|
||||
OPENLDAP_SLAPD_PARAMS=""
|
||||
|
||||
## Type: string
|
||||
## Default: ldap
|
||||
## ServiceRestart: ldap
|
||||
#
|
||||
# specifies a user, as which the openldap server should be executed
|
||||
# Default: ldap
|
||||
#
|
||||
OPENLDAP_USER="ldap"
|
||||
|
||||
## Type: string
|
||||
## Default: ldap
|
||||
## ServiceRestart: ldap
|
||||
#
|
||||
# specifies a group, as which the openldap server should be executed
|
||||
# Default: ldap
|
||||
#
|
||||
OPENLDAP_GROUP="ldap"
|
||||
|
||||
## Type: yesno
|
||||
## Default: yes
|
||||
## ServiceRestart: ldap
|
||||
#
|
||||
# If set to "yes" the init scripts will change the owner/group of the
|
||||
# different backend database directories (e.g. /var/lib/ldap) to the
|
||||
# user/group specified above
|
||||
#
|
||||
OPENLDAP_CHOWN_DIRS="yes"
|
||||
|
||||
## Type: string
|
||||
## Default: ""
|
||||
## ServiceRestart: ldap
|
||||
#
|
||||
# Use this to specify the interfaces that the server such accept
|
||||
# LDAP connections from. The values are specified in the format
|
||||
# <address>:<port>, where address is an IP address and port is the
|
||||
# portnumber, the daemon should listen to (defaulting to 389). If this
|
||||
# parameter is empty the server will attach to all interfaces. This
|
||||
# parameter is only evaluated if "OPENLDAP_START_LDAP" is set to
|
||||
# "yes"
|
||||
# Default: ""
|
||||
#
|
||||
OPENLDAP_LDAP_INTERFACES=""
|
||||
|
||||
## Type: string
|
||||
## Default: ""
|
||||
## ServiceRestart: ldap
|
||||
#
|
||||
# Use this to specify the interfaces that the server such accept
|
||||
# LDAPS connections from. The values are specified in the format
|
||||
# <address>:<port>, where address is an IP address and port is the
|
||||
# portnumber, the daemon should listen to (defaulting to 636). If this
|
||||
# parameter is empty the server will attach to all interfaces. This
|
||||
# parameter is only evaluated if "OPENLDAP_START_LDAPS" is set to
|
||||
# "yes"
|
||||
# Default: ""
|
||||
#
|
||||
OPENLDAP_LDAPS_INTERFACES=""
|
||||
|
||||
## Type: string
|
||||
## Default: ""
|
||||
## ServiceRestart: ldap
|
||||
#
|
||||
# Use this to specify the paths of the Unix Domain Sockets that
|
||||
# the server should create an accept incoming LDAPI connections
|
||||
# on. This parameter is only evaluated if "OPENLDAP_START_LDAPI"
|
||||
# is set to "yes".
|
||||
# Default: ""
|
||||
#
|
||||
OPENLDAP_LDAPI_INTERFACES=""
|
||||
|
||||
## Type: yesno
|
||||
## Default: "yes"
|
||||
## ServiceRestart: ldap
|
||||
#
|
||||
# If set to "no" the LDAP server will not try itself at a running SLP
|
||||
# daemon.
|
||||
# Default: "yes"
|
||||
#
|
||||
OPENLDAP_REGISTER_SLP="no"
|
||||
|
||||
## Type: string
|
||||
## Default: ""
|
||||
## ServiceRestart: ldap
|
||||
#
|
||||
# Set this to the name of the keytab, if you want to use a non-default
|
||||
# Kerberos Keytab. If OPENLDAP_CHOWN_DIRS is set to "yes" the permissions of
|
||||
# this file will be changed so that the group OPENLDAP_GROUP has read
|
||||
# access to the file.
|
||||
# Example: OPENLDAP_KRB5_KEYTAB="FILE:/etc/openldap/krb5.keytab
|
||||
# Default: ""
|
||||
#
|
||||
OPENLDAP_KRB5_KEYTAB=""
|
||||
|
||||
## Type: string
|
||||
## Default: "files"
|
||||
## ServiceRestart: ldap
|
||||
#
|
||||
# Here you can configure which of the configuration backends you want to
|
||||
# use. Possible values are "files" for slapd.conf(5) styleconfiguration or
|
||||
# "ldap" for the slapd-config(5) LDAP based configuration backend.
|
||||
#
|
||||
OPENLDAP_CONFIG_BACKEND="files"
|
||||
|
||||
## Type: yesno
|
||||
## Default: "yes"
|
||||
## ServiceRestart: ldap
|
||||
#
|
||||
# Here you can configure if the slapd shall start with or without memory limit.
|
||||
#
|
||||
OPENLDAP_MEMORY_LIMIT="yes"
|
||||
|
67
update-crc.sh
Normal file
67
update-crc.sh
Normal file
@ -0,0 +1,67 @@
|
||||
#!/bin/bash
|
||||
# Script to fix the crc of openldap slapd.d ldifs.
|
||||
|
||||
do_update_crc () {
|
||||
if [ -z ${1} ]; then
|
||||
echo "Invalid call to do_update_crc() - no filename provided"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
tgt_ldif=$1
|
||||
|
||||
if [ ! -f "${tgt_ldif}" ]; then
|
||||
echo "invalid call to do_update_crc() - file ${tgt_ldif} does not exist?"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
rm -f "${tgt_ldif}.crcbak"
|
||||
mv "${tgt_ldif}" "${tgt_ldif}.crcbak"
|
||||
|
||||
/usr/bin/awk '
|
||||
BEGIN {
|
||||
# CRC-32 ZIP polynomial in reversed bit order.
|
||||
POLY = 0xedb88320
|
||||
|
||||
# 8-bit character -> ordinal table.
|
||||
for (i = 0; i < 256; i++)
|
||||
ORD[sprintf("%c", i)] = i
|
||||
}
|
||||
|
||||
{
|
||||
# Remember each input line.
|
||||
input[NR] = $0
|
||||
|
||||
# Verify the file header.
|
||||
if (NR == 1 && $0 != "# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.")
|
||||
exit 1
|
||||
if (NR == 2 && $0 !~ /# CRC32 ......../)
|
||||
exit 1
|
||||
}
|
||||
|
||||
# Calculate CRC-32.
|
||||
function crc32(crc, string, i, j, c) {
|
||||
crc = and(compl(crc), 0xffffffff)
|
||||
for (i = 1; i <= length(string); i++) {
|
||||
c = substr(string, i, 1)
|
||||
crc = xor(crc, ORD[c])
|
||||
for (j = 0; j < 8; j++)
|
||||
crc = and(crc, 1) ? xor(rshift(crc, 1), POLY) : rshift(crc, 1)
|
||||
}
|
||||
crc = and(compl(crc), 0xffffffff)
|
||||
return crc
|
||||
}
|
||||
|
||||
END {
|
||||
# Calculate CRC-32 of the file and update it in the header.
|
||||
crc = 0
|
||||
for (i = 3; i <= length(input); i++)
|
||||
crc = crc32(crc, input[i] "\n")
|
||||
input[2] = "# CRC32 " sprintf("%08x", crc)
|
||||
|
||||
# Print the output.
|
||||
for (i = 1; i <= length(input); i++)
|
||||
print input[i]
|
||||
}' "${tgt_ldif}.crcbak" > "${tgt_ldif}"
|
||||
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user