Sync from SUSE:ALP:Source:Standard:1.0 openldap2 revision 797c98628f627d4fef10264beba567c3
commit
8755b75907
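--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text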
12
0003-LDAPI-socket-location.dif
Normal file
12
0003-LDAPI-socket-location.dif
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
diff -ur openldap-2.6.2.orig/include/ldap_defaults.h openldap-2.6.2/include/ldap_defaults.h
|
||||||
|
--- openldap-2.6.2.orig/include/ldap_defaults.h 2022-05-04 16:55:23.000000000 +0200
|
||||||
|
+++ openldap-2.6.2/include/ldap_defaults.h 2022-05-23 12:55:05.059335200 +0200
|
||||||
|
@@ -40,7 +40,7 @@
|
||||||
|
|
||||||
|
/* default ldapi:// socket */
|
||||||
|
#ifndef LDAPI_SOCK
|
||||||
|
-#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi"
|
||||||
|
+#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "ldapi"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/*
|
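Review bot: The patch gives no reason for dropping the `run` component from the compiled-in `LDAPI_SOCK` default; unlike 0005 and 0008 it carries no From/Subject header, so the rationale (presumably that the package's `--localstatedir` already points at a runtime directory) can only be inferred from the spec. A one-line description above the `diff -ur` header, e.g. `Default the ldapi socket to LDAP_RUNDIR/ldapi because localstatedir is already the runtime directory`, would let the next maintainer judge whether the patch is still needed after an upstream update. Note that the new value only applies `#ifndef LDAPI_SOCK`, so a build that defines it through CPPFLAGS bypasses this patch entirely.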
101
0005-pie-compile.dif
Normal file
@ -0,0 +1,101 @@
|
|||||||
|
From 60edf86023da15db7be5935c85826e16d2b78648 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ralf Haferkamp <rhafer@suse.de>
|
||||||
|
Date: Fri, 12 Nov 2010 09:39:11 +0100
|
||||||
|
Subject: pie compile
|
||||||
|
|
||||||
|
|
||||||
|
diff --git a/build/top.mk b/build/top.mk
|
||||||
|
index 38ce146d7..d7fee4ec2 100644
|
||||||
|
--- a/build/top.mk
|
||||||
|
+++ b/build/top.mk
|
||||||
|
@@ -111,7 +111,7 @@ OL_VERSIONED_SYMBOLS = @OL_VERSIONED_SYMBOLS@
|
||||||
|
LTSTATIC = @LTSTATIC@
|
||||||
|
|
||||||
|
LTLINK = $(LIBTOOL) --mode=link \
|
||||||
|
- $(CC) $(LTSTATIC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS)
|
||||||
|
+ $(CC) -pie $(LTSTATIC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS)
|
||||||
|
|
||||||
|
LTCOMPILE_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=compile \
|
||||||
|
$(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(LIB_DEFS) -c
|
||||||
|
@@ -120,7 +120,7 @@ LTLINK_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=link \
|
||||||
|
$(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB) $(SYMBOL_VERSION_FLAGS)
|
||||||
|
|
||||||
|
LTCOMPILE_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=compile \
|
||||||
|
- $(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(MOD_DEFS) -c
|
||||||
|
+ $(CC) $(LT_CFLAGS) $(PIE_CFLAGS) $(LT_CPPFLAGS) $(MOD_DEFS) -c
|
||||||
|
|
||||||
|
LTLINK_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=link \
|
||||||
|
$(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_MOD)
|
||||||
|
@@ -214,7 +214,7 @@ LLOADD_LIBS = @BALANCER_LIBS@ $(LEVENT_LIBS)
|
||||||
|
# Our Defaults
|
||||||
|
CC = $(AC_CC)
|
||||||
|
DEFS = $(LDAP_INCPATH) $(XINCPATH) $(XDEFS) $(AC_DEFS) $(DEFINES)
|
||||||
|
-CFLAGS = $(AC_CFLAGS) $(DEFS)
|
||||||
|
+CFLAGS = -fPIE $(AC_CFLAGS) $(DEFS)
|
||||||
|
LDFLAGS = $(LDAP_LIBPATH) $(AC_LDFLAGS) $(XLDFLAGS)
|
||||||
|
LIBS = $(XLIBS) $(XXLIBS) $(AC_LIBS) $(XXXLIBS)
|
||||||
|
|
||||||
|
diff --git a/servers/slapd/back-ldap/Makefile.in b/servers/slapd/back-ldap/Makefile.in
|
||||||
|
index 71400ca1b..6427165c6 100644
|
||||||
|
--- a/servers/slapd/back-ldap/Makefile.in
|
||||||
|
+++ b/servers/slapd/back-ldap/Makefile.in
|
||||||
|
@@ -26,6 +26,8 @@ LDAP_LIBDIR= ../../../libraries
|
||||||
|
BUILD_OPT = "--enable-ldap"
|
||||||
|
BUILD_MOD = @BUILD_LDAP@
|
||||||
|
|
||||||
|
+PIE_CFLAGS="-fPIE"
|
||||||
|
+
|
||||||
|
mod_DEFS = -DSLAPD_IMPORT
|
||||||
|
MOD_DEFS = $(@BUILD_LDAP@_DEFS)
|
||||||
|
|
||||||
|
diff --git a/servers/slapd/back-ldif/Makefile.in b/servers/slapd/back-ldif/Makefile.in
|
||||||
|
index 225c8dd19..2f07c067b 100644
|
||||||
|
--- a/servers/slapd/back-ldif/Makefile.in
|
||||||
|
+++ b/servers/slapd/back-ldif/Makefile.in
|
||||||
|
@@ -22,6 +22,8 @@ LDAP_LIBDIR= ../../../libraries
|
||||||
|
BUILD_OPT = "--enable-ldif"
|
||||||
|
BUILD_MOD = yes
|
||||||
|
|
||||||
|
+PIE_CFLAGS="-fPIE"
|
||||||
|
+
|
||||||
|
mod_DEFS = -DSLAPD_IMPORT
|
||||||
|
MOD_DEFS = $(yes_DEFS)
|
||||||
|
|
||||||
|
diff --git a/servers/slapd/back-mdb/Makefile.in b/servers/slapd/back-mdb/Makefile.in
|
||||||
|
index 6d64824da..9bbf8747d 100644
|
||||||
|
--- a/servers/slapd/back-mdb/Makefile.in
|
||||||
|
+++ b/servers/slapd/back-mdb/Makefile.in
|
||||||
|
@@ -34,6 +34,8 @@ MDB_SUBDIR = $(srcdir)/$(LDAP_LIBDIR)/liblmdb
|
||||||
|
BUILD_OPT = "--enable-mdb"
|
||||||
|
BUILD_MOD = @BUILD_MDB@
|
||||||
|
|
||||||
|
+PIE_CFLAGS="-fPIE"
|
||||||
|
+
|
||||||
|
mod_DEFS = -DSLAPD_IMPORT
|
||||||
|
MOD_DEFS = $(@BUILD_MDB@_DEFS)
|
||||||
|
MOD_LIBS = $(MDB_LIBS)
|
||||||
|
diff --git a/servers/slapd/back-monitor/Makefile.in b/servers/slapd/back-monitor/Makefile.in
|
||||||
|
index 200a1c65c..6b2afffb9 100644
|
||||||
|
--- a/servers/slapd/back-monitor/Makefile.in
|
||||||
|
+++ b/servers/slapd/back-monitor/Makefile.in
|
||||||
|
@@ -30,6 +30,8 @@ LDAP_LIBDIR= ../../../libraries
|
||||||
|
BUILD_OPT = "--enable-monitor"
|
||||||
|
BUILD_MOD = yes
|
||||||
|
|
||||||
|
+PIE_CFLAGS="-fPIE"
|
||||||
|
+
|
||||||
|
mod_DEFS = -DSLAPD_IMPORT
|
||||||
|
MOD_DEFS = $(yes_DEFS)
|
||||||
|
|
||||||
|
diff --git a/servers/slapd/back-relay/Makefile.in b/servers/slapd/back-relay/Makefile.in
|
||||||
|
index 71d74a171..60b44afd8 100644
|
||||||
|
--- a/servers/slapd/back-relay/Makefile.in
|
||||||
|
+++ b/servers/slapd/back-relay/Makefile.in
|
||||||
|
@@ -22,6 +22,8 @@ LDAP_LIBDIR= ../../../libraries
|
||||||
|
BUILD_OPT = "--enable-relay"
|
||||||
|
BUILD_MOD = @BUILD_RELAY@
|
||||||
|
|
||||||
|
+PIE_CFLAGS="-fPIE"
|
||||||
|
+
|
||||||
|
mod_DEFS = -DSLAPD_IMPORT
|
||||||
|
MOD_DEFS = $(@BUILD_RELAY@_DEFS)
|
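Review bot: `PIE_CFLAGS="-fPIE"` is added to only five backend Makefile.in files (back-ldap, back-ldif, back-mdb, back-monitor, back-relay), while the `$(PIE_CFLAGS)` reference added to `LTCOMPILE_MOD` in top.mk appears to be shared by every module build, so it expands to nothing in the remaining backend and overlay directories and merely duplicates the `-fPIE` that the same patch already puts into top.mk's `CFLAGS` for all compiles. If a separate knob is wanted, define it once in top.mk next to `CFLAGS` (`PIE_CFLAGS = -fPIE`) and drop the per-directory copies; the double quotes are part of the Make value and are only stripped by the shell at recipe time, so the unquoted form is the conventional one. The description is just `pie compile`; a sentence noting that `-pie` on `LTLINK` is meant for executable links while libraries and modules go through `LTLINK_LIB`/`LTLINK_MOD` would document the intended split.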
@ -0,0 +1,26 @@
|
|||||||
|
From d4b247e43fe1ea1b3713f3d8f493422d5adcc537 Mon Sep 17 00:00:00 2001
|
||||||
|
From: HouzuoGuo <guohouzuo@gmail.com>
|
||||||
|
Date: Fri, 13 Mar 2015 16:14:10 +0100
|
||||||
|
Subject: [PATCH] In monitor backend, do not return Connection0 entries as they
|
||||||
|
are created for internal use only.
|
||||||
|
|
||||||
|
---
|
||||||
|
servers/slapd/back-monitor/conn.c | 5 +++++
|
||||||
|
1 file changed, 5 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/servers/slapd/back-monitor/conn.c b/servers/slapd/back-monitor/conn.c
|
||||||
|
index 4d327f243..c4d3c6237 100644
|
||||||
|
--- a/servers/slapd/back-monitor/conn.c
|
||||||
|
+++ b/servers/slapd/back-monitor/conn.c
|
||||||
|
@@ -456,6 +456,11 @@ monitor_subsys_conn_create(
|
||||||
|
c != NULL;
|
||||||
|
c = connection_next( c, &connindex ) )
|
||||||
|
{
|
||||||
|
+ /* Connection 0 is created by connection_client_setup for internal use only */
|
||||||
|
+ if (c->c_connid == 0) {
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
monitor_entry_t *mp;
|
||||||
|
|
||||||
|
/* ignore outbound for now, nothing to show */
|
16
0016-Clear-shared-key-only-in-close-function.patch
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
diff --git a/libraries/liblmdb/mdb.c b/libraries/liblmdb/mdb.c
|
||||||
|
index 6bdf3151d..56212151b 100644
|
||||||
|
--- a/libraries/liblmdb/mdb.c
|
||||||
|
+++ b/libraries/liblmdb/mdb.c
|
||||||
|
@@ -4692,6 +4692,11 @@ mdb_env_close0(MDB_env *env, int excl)
|
||||||
|
|
||||||
|
if (env->me_flags & MDB_ENV_TXKEY) {
|
||||||
|
pthread_key_delete(env->me_txkey);
|
||||||
|
+
|
||||||
|
+ // No need to call desctructor anymore, as all pid
|
||||||
|
+ // values are cleared below.
|
||||||
|
+ env->me_txkey = NULL;
|
||||||
|
+
|
||||||
|
#ifdef _WIN32
|
||||||
|
/* Delete our key from the global list */
|
||||||
|
for (i=0; i<mdb_tls_nkeys; i++)
|
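--- a/README.module-loading
+++ b/README.module-loading
@@ -0,0 +1,25 @@
+All of the OpenLDAP backends (except back-config) and overlays are now
+compiled as dynamic modules in our packages. If you want to use any of
+these in your setup make sure to put the correct "olcModuleLoad" or
+"moduleload" statements in your configuration.
+
+For details please see the slapd-config(5) and slapd.conf(5) manpages
+(depending on which config mechanism you use).
+
+For a list of the included dynamic modules list all modules files:
+
+ls /usr/lib*/openldap/*.so
+
+Or just the backend files:
+
+ls /usr/lib*/openldap/back_*.so
+
+Documentations for the overlays can be found in the respective man pages or
+the OpenLDAP Administration Guide which is part of the "openldap2-doc"
+package.
+
+Backend man-pages:
+man 5 slapo-<back_name>
+
+Overlays man-pages:
+man 5 slapo-<name>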
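--- a/_multibuild
+++ b/_multibuild
@@ -0,0 +1,3 @@
+<multibuild>
+<package>contrib</package>
+</multibuild>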
BIN
addonschema.tar.gz
(Stored with Git LFS)
Normal file
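--- a/baselibs.conf
+++ b/baselibs.conf
@@ -0,0 +1,6 @@
+libldap2
+provides "openldap2-client-<targettype> = <version>"
+obsoletes "openldap2-client-<targettype> <= <version>"
+openldap2-devel
+requires -openldap2-<targettype>
+requires "libldap2-<targettype> = <version>"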
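--- a/fixup-modulepath.sh
+++ b/fixup-modulepath.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+source /usr/lib/openldap/update-crc
+
+conf_dir='/etc/openldap/slapd.d'
+tgt_ldif="${conf_dir}/cn=config.ldif"
+if [ ! -d ${conf_dir} ] || [ ! -f ${tgt_ldif} ]
+then
+exit 0
+fi
+
+# Make sure slapd.service is not running.
+slapd_running=1
+
+# Don't check if no systemd, we could be in a container.
+if [ -f "/usr/bin/systemctl" ]; then
+/usr/bin/systemctl is-active --quiet slapd.service
+slapd_running=$?
+fi
+
+if [ $slapd_running -eq 0 ]; then
+echo "Unable to update crc of '${tgt_ldif}' while slapd.service is running ..."
+exit 1
+fi
+
+# Remove the module path.
+sed -n -i '/olcModulePath/!p' ${tgt_ldif}
+
+res=$?
+
+if [ $res -ne 0 ]
+then
+echo "Failed to remove olcModulePath in ${tgt_ldif}"
+exit 1
+else
+do_update_crc ${tgt_ldif}
+echo "Updated crc of ${tgt_ldif}"
+fi
+
+
+
+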
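Review bot: The exit status of `do_update_crc ${tgt_ldif}` is never checked, so a failed CRC update still prints `Updated crc of …` and the script exits 0; tie the message to the result with `if do_update_crc "${tgt_ldif}"; then echo "Updated crc of ${tgt_ldif}"; else echo "Failed to update crc of ${tgt_ldif}"; exit 1; fi`. The `${conf_dir}` and `${tgt_ldif}` expansions are unquoted throughout, which is harmless for the current literal values but worth fixing while the file is new. `res=$?` is separated from the `sed -i` call by a blank line, which works only because nothing runs in between; `if ! sed -n -i '/olcModulePath/!p' "${tgt_ldif}"; then … fi` binds the check to the command it tests. The sourced `/usr/lib/openldap/update-crc` is assumed to define `do_update_crc`; a comment saying so would help readers of this file alone.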
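--- a/ldap-user.conf
+++ b/ldap-user.conf
@@ -0,0 +1,2 @@
+# Type Name ID GECOS [HOME]
+u ldap - "User for OpenLDAP" /var/lib/ldap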
BIN
openldap-2.6.4.tgz
(Stored with Git LFS)
Normal file
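--- a/openldap-2.6.4.tgz.asc
+++ b/openldap-2.6.4.tgz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEPOJptTmLyLeFZF6Yf2fV/Rzhy84FAmPkFcsACgkQf2fV/Rzh
+y84clA/8C30COyp5lKWvqiBIVjQHe8ZSLEWML8j6g7IbYcHm7uLIqADjzlaE0MCI
+YV2SfDFjom+OUFkQmzGNmYeyjpBV5yK5n5js0M1zSF2OPoapNoSZtnv0yXIUZ/Ee
+M1njsiMYuYWX0KWg4tYVbdLSm2iWH1d5zbGgyAecSQCFHZ/nQnZo+OWbRel06dCz
+ewkANAlUIIrsGEkKjKUetFOOuJiwb8r8KeXpYVijig7f/csoo7H78i4Pdmi3QzJ5
+D/TMHKx64ljes1n6ZHtm55lbkiuJTw3t4XnK9NhsKwr9zNlq+qI3ggJyK6xOQiQq
+05IjPMVp8kV1u117Xb9SlRwlfR/00jPwTdepuAK9OyxVS3CclS8Gh6Lm8ztwwTee
+C+eqwGhZNH7/twfq3TUHfWUl4LyclX02zxvljo3lcb3JIA7JWp8coi2EEeofOIlf
+oXKdyR4zA0Iey8LfBuyRC/smZoggdpzr0jIE5Z5Q97hTt4Rm5U4ZDe2GRfUTR82g
+Pz+VdBI/aCKlnDHqH912w4Tg62UeJiPfnLuWuCc7A0MNR2LAe7JKASdEaTb6t51N
+uzmxPYOlAixvGcjCg38Sc0877FXE1ss3RUnDyx+mCK2phEsWO69SdL4uz5E9Xdve
+0VbfO84pmN/+Gj5FfE93rJzTYjjySj80oANiqBAcA7P21pOttRg=
+=UfjX
+-----END PGP SIGNATURE-----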
3531
openldap2.changes
Normal file
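--- a/openldap2.conf
+++ b/openldap2.conf
@@ -0,0 +1,2 @@
+# openldap needs a directory in /var/lib/:
+d /var/lib/ldap 0750 ldap ldap -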
BIN
openldap2.keyring
Normal file
609
openldap2.spec
Normal file
@ -0,0 +1,609 @@
|
|||||||
|
#
|
||||||
|
# spec file
|
||||||
|
#
|
||||||
|
# Copyright (c) 2023 SUSE LLC
|
||||||
|
#
|
||||||
|
# All modifications and additions to the file contributed by third parties
|
||||||
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
|
# upon. The license for this file, and modifications and additions to the
|
||||||
|
# file, is the same license as for the pristine package itself (unless the
|
||||||
|
# license for the pristine package is not an Open Source License, in which
|
||||||
|
# case the license is the MIT License). An "Open Source License" is a
|
||||||
|
# license that conforms to the Open Source Definition (Version 1.9)
|
||||||
|
# published by the Open Source Initiative.
|
||||||
|
|
||||||
|
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
||||||
|
#
|
||||||
|
|
||||||
|
|
||||||
|
%define run_test_suite 0
|
||||||
|
%define slapdrundir %{_rundir}/slapd
|
||||||
|
%define flavor @BUILD_FLAVOR@%{nil}
|
||||||
|
%if "%flavor" == "contrib"
|
||||||
|
%define name_suffix -%{flavor}-src
|
||||||
|
%else
|
||||||
|
%define name_suffix %{nil}
|
||||||
|
%endif
|
||||||
|
|
||||||
|
Name: openldap2%{name_suffix}
|
||||||
|
Summary: An open source implementation of the Lightweight Directory Access Protocol
|
||||||
|
License: OLDAP-2.8
|
||||||
|
Group: Productivity/Networking/LDAP/Servers
|
||||||
|
Version: 2.6.4
|
||||||
|
Release: 0
|
||||||
|
URL: https://www.openldap.org
|
||||||
|
Source0: https://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-%{version}.tgz
|
||||||
|
Source1: https://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-%{version}.tgz.asc
|
||||||
|
Source2: openldap2.keyring
|
||||||
|
Source4: sasl-slapd.conf
|
||||||
|
Source5: README.module-loading
|
||||||
|
Source6: schema2ldif
|
||||||
|
Source7: baselibs.conf
|
||||||
|
Source9: addonschema.tar.gz
|
||||||
|
Source12: slapd.conf.example
|
||||||
|
Source13: start
|
||||||
|
Source14: slapd.service
|
||||||
|
Source16: sysconfig.openldap
|
||||||
|
Source18: openldap2.conf
|
||||||
|
Source19: ldap-user.conf
|
||||||
|
Source20: fixup-modulepath.sh
|
||||||
|
Source21: slapd-ldif-update-crc.sh
|
||||||
|
Source22: update-crc.sh
|
||||||
|
Source23: slapd.conf
|
||||||
|
Source24: slapd.conf.olctemplate
|
||||||
|
Patch1: reproducible.patch
|
||||||
|
Patch3: 0003-LDAPI-socket-location.dif
|
||||||
|
Patch5: 0005-pie-compile.dif
|
||||||
|
Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch
|
||||||
|
Patch16: 0016-Clear-shared-key-only-in-close-function.patch
|
||||||
|
|
||||||
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
|
BuildRequires: argon2-devel
|
||||||
|
BuildRequires: cyrus-sasl-devel
|
||||||
|
BuildRequires: db-devel
|
||||||
|
BuildRequires: groff
|
||||||
|
BuildRequires: libopenssl-devel
|
||||||
|
BuildRequires: libtool
|
||||||
|
%if 0%{?suse_version} < 1600
|
||||||
|
BuildRequires: openslp-devel
|
||||||
|
%endif
|
||||||
|
BuildRequires: sysuser-tools
|
||||||
|
BuildRequires: unixODBC-devel
|
||||||
|
# avoid cycle with krb5
|
||||||
|
BuildRequires: pkgconfig(krb5)
|
||||||
|
BuildRequires: pkgconfig(systemd)
|
||||||
|
%if "%flavor" == "contrib"
|
||||||
|
BuildRequires: gcc-c++
|
||||||
|
BuildRequires: openldap2-devel
|
||||||
|
%endif
|
||||||
|
%if %{suse_version} < 1500
|
||||||
|
%{?systemd_requires}
|
||||||
|
%endif
|
||||||
|
Requires: /usr/bin/awk
|
||||||
|
Requires: libldap2 = %{version}
|
||||||
|
Recommends: cyrus-sasl
|
||||||
|
Conflicts: openldap
|
||||||
|
PreReq: %fillup_prereq
|
||||||
|
%sysusers_requires
|
||||||
|
|
||||||
|
%description
|
||||||
|
OpenLDAP is a client and server reference implementation of the
|
||||||
|
Lightweight Directory Access Protocol v3 (LDAPv3).
|
||||||
|
|
||||||
|
The server provides several database backends and overlays.
|
||||||
|
|
||||||
|
%package back-perl
|
||||||
|
Summary: OpenLDAP Perl Back-End
|
||||||
|
Group: Productivity/Networking/LDAP/Servers
|
||||||
|
Requires: openldap2 = %{version}
|
||||||
|
Requires: perl = %{perl_version}
|
||||||
|
|
||||||
|
%description back-perl
|
||||||
|
The OpenLDAP Perl back-end allows you to execute Perl code specific to
|
||||||
|
different LDAP operations.
|
||||||
|
|
||||||
|
%package back-sock
|
||||||
|
Summary: OpenLDAP Socket Back-End
|
||||||
|
Group: Productivity/Networking/LDAP/Servers
|
||||||
|
Requires: openldap2 = %{version}
|
||||||
|
Provides: openldap2:/usr/share/man/man5/slapd-sock.5.gz
|
||||||
|
|
||||||
|
%description back-sock
|
||||||
|
The OpenLDAP socket back-end allows you to handle LDAP requests and
|
||||||
|
results with an external process listening on a Unix domain socket.
|
||||||
|
|
||||||
|
%package back-meta
|
||||||
|
Summary: OpenLDAP Meta Back-End
|
||||||
|
Group: Productivity/Networking/LDAP/Servers
|
||||||
|
Requires: openldap2 = %{version}
|
||||||
|
Provides: openldap2:/usr/share/man/man5/slapd-meta.5.gz
|
||||||
|
|
||||||
|
%description back-meta
|
||||||
|
The OpenLDAP Meta back-end is able to perform basic LDAP proxying with
|
||||||
|
respect to a set of remote LDAP servers. The information contained in
|
||||||
|
these servers can be presented as belonging to a single Directory
|
||||||
|
Information Tree (DIT).
|
||||||
|
|
||||||
|
%package back-sql
|
||||||
|
Summary: OpenLDAP SQL Back-End
|
||||||
|
Group: Productivity/Networking/LDAP/Servers
|
||||||
|
Requires: openldap2 = %{version}
|
||||||
|
|
||||||
|
%description back-sql
|
||||||
|
The primary purpose of this OpenLDAP backend is to present information
|
||||||
|
stored in a Relational (SQL) Database as an LDAP subtree without the need
|
||||||
|
to do any programming.
|
||||||
|
|
||||||
|
%package -n libldap-data
|
||||||
|
Summary: Configuration file for system-wide defaults for all uses of libldap
|
||||||
|
Group: Productivity/Networking/LDAP/Clients
|
||||||
|
BuildArch: noarch
|
||||||
|
|
||||||
|
%description -n libldap-data
|
||||||
|
The subpackage contains a configuration file used to set system-wide defaults
|
||||||
|
to be applied with all usages of libldap.
|
||||||
|
|
||||||
|
%package contrib
|
||||||
|
Summary: OpenLDAP Contrib Modules
|
||||||
|
Group: Productivity/Networking/LDAP/Servers
|
||||||
|
Requires: openldap2 = %{version}
|
||||||
|
|
||||||
|
%description contrib
|
||||||
|
Various overlays found in contrib/:
|
||||||
|
addpartial Intercepts ADD requests, applies changes to existing entries
|
||||||
|
allop
|
||||||
|
allowed Generates attributes indicating access rights
|
||||||
|
autogroup
|
||||||
|
authzid implements RFC 3829 support
|
||||||
|
cloak
|
||||||
|
datamorph store enumerated values and fixed size integers
|
||||||
|
denyop
|
||||||
|
lastbind writes last bind timestamp to entry
|
||||||
|
noopsrch handles no-op search control
|
||||||
|
pw-sha2 generates/validates SHA-2 password hashes
|
||||||
|
pw-pbkdf2 generates/validates PBKDF2 password hashes
|
||||||
|
smbk5pwd generates Samba3 password hashes (heimdal krb disabled)
|
||||||
|
trace traces overlay invocation
|
||||||
|
variant allows attributes/values to be shared between several entries
|
||||||
|
vc implements the verify credentials extended operation
|
||||||
|
|
||||||
|
%package doc
|
||||||
|
Summary: OpenLDAP Documentation
|
||||||
|
Group: Documentation/Other
|
||||||
|
Provides: openldap2:/usr/share/doc/packages/openldap2/drafts/README
|
||||||
|
BuildArch: noarch
|
||||||
|
|
||||||
|
%description doc
|
||||||
|
The OpenLDAP Admin Guide plus a set of OpenLDAP related IETF internet drafts.
|
||||||
|
|
||||||
|
%package client
|
||||||
|
Summary: OpenLDAP client utilities
|
||||||
|
Group: Productivity/Networking/LDAP/Clients
|
||||||
|
Requires: libldap2 = %{version}
|
||||||
|
|
||||||
|
%description client
|
||||||
|
OpenLDAP client utilities such as ldapadd, ldapsearch, ldapmodify.
|
||||||
|
|
||||||
|
%package devel
|
||||||
|
Summary: Libraries, Header Files and Documentation for OpenLDAP
|
||||||
|
# bug437293
|
||||||
|
Group: Development/Libraries/C and C++
|
||||||
|
%ifarch ppc64
|
||||||
|
Obsoletes: openldap2-devel-64bit
|
||||||
|
%endif
|
||||||
|
#
|
||||||
|
Conflicts: openldap-devel
|
||||||
|
Requires: libldap2 = %{version}
|
||||||
|
Recommends: cyrus-sasl-devel
|
||||||
|
|
||||||
|
%description devel
|
||||||
|
This package provides the OpenLDAP libraries, header files, and
|
||||||
|
documentation.
|
||||||
|
|
||||||
|
%package devel-static
|
||||||
|
Summary: Static libraries for the OpenLDAP libraries
|
||||||
|
Group: Development/Libraries/C and C++
|
||||||
|
Requires: cyrus-sasl-devel
|
||||||
|
Requires: libopenssl-devel
|
||||||
|
Requires: openldap2-devel = %version
|
||||||
|
|
||||||
|
%description devel-static
|
||||||
|
This package provides the static versions of the OpenLDAP libraries
|
||||||
|
for development.
|
||||||
|
|
||||||
|
%package -n libldap2
|
||||||
|
Summary: OpenLDAP Client Libraries
|
||||||
|
Group: Productivity/Networking/LDAP/Clients
|
||||||
|
Recommends: libldap-data >= %{version}
|
||||||
|
|
||||||
|
%description -n libldap2
|
||||||
|
This package contains the OpenLDAP client libraries.
|
||||||
|
|
||||||
|
%package -n libldapcpp-devel
|
||||||
|
Summary: C++ wrapper around openLDAP API
|
||||||
|
Group: Development/Libraries/C and C++
|
||||||
|
Requires: libldapcpp0 = %{version}
|
||||||
|
Requires: openldap2-devel
|
||||||
|
|
||||||
|
%description -n libldapcpp-devel
|
||||||
|
This package contains files needed for development with the LDAP C++
|
||||||
|
library.
|
||||||
|
|
||||||
|
%package -n libldapcpp0
|
||||||
|
Summary: C++ wrapper around openLDAP API
|
||||||
|
Group: Development/Libraries/C and C++
|
||||||
|
Provides: ldapcpplib = %{version}
|
||||||
|
Obsoletes: ldapcpplib <= 0.0.5
|
||||||
|
|
||||||
|
%description -n libldapcpp0
|
||||||
|
This package provides a C++ library for accessing LDAP (Version 3)
|
||||||
|
Servers
|
||||||
|
|
||||||
|
%prep
|
||||||
|
%setup -q -a 9 -n openldap-%{version}
|
||||||
|
%patch1 -p1
|
||||||
|
%patch3 -p1
|
||||||
|
%patch5 -p1
|
||||||
|
%patch8 -p1
|
||||||
|
%patch16 -p1
|
||||||
|
cp %{SOURCE5} .
|
||||||
|
|
||||||
|
%build
|
||||||
|
%if "%flavor" == "contrib"
|
||||||
|
cd contrib/ldapc++
|
||||||
|
%configure --disable-static
|
||||||
|
%make_build
|
||||||
|
%else
|
||||||
|
%global _lto_cflags %{_lto_cflags} -ffat-lto-objects
|
||||||
|
export CFLAGS="%{optflags} -Wno-format-extra-args -fno-strict-aliasing -DNDEBUG -DSLAP_CONFIG_DELETE -DSLAP_SCHEMA_EXPOSE -DLDAP_COLLECTIVE_ATTRIBUTES -DLDAP_USE_NON_BLOCKING_TLS"
|
||||||
|
export STRIP=""
|
||||||
|
./configure \
|
||||||
|
--prefix=/usr \
|
||||||
|
--sysconfdir=%{_sysconfdir} \
|
||||||
|
--libdir=%{_libdir} \
|
||||||
|
--libexecdir=%{_libdir} \
|
||||||
|
--localstatedir=%{slapdrundir} \
|
||||||
|
--enable-wrappers=no \
|
||||||
|
--enable-spasswd \
|
||||||
|
--enable-modules \
|
||||||
|
--enable-shared \
|
||||||
|
--enable-dynamic \
|
||||||
|
--with-tls=openssl \
|
||||||
|
--with-cyrus-sasl \
|
||||||
|
--enable-crypt \
|
||||||
|
--enable-ipv6=yes \
|
||||||
|
--enable-dynacl \
|
||||||
|
--enable-aci \
|
||||||
|
--enable-ldap=mod \
|
||||||
|
--enable-meta=mod \
|
||||||
|
--enable-perl=mod \
|
||||||
|
--enable-sock=mod \
|
||||||
|
--enable-sql=mod \
|
||||||
|
--enable-mdb=mod \
|
||||||
|
--enable-relay=mod \
|
||||||
|
%if 0%{?suse_version} < 1600
|
||||||
|
--enable-slp \
|
||||||
|
%endif
|
||||||
|
--enable-overlays=mod \
|
||||||
|
--enable-syncprov=mod \
|
||||||
|
--enable-ppolicy=mod \
|
||||||
|
--with-yielding-select \
|
||||||
|
--with-argon2=libargon2 \
|
||||||
|
|| cat config.log
|
||||||
|
make depend
|
||||||
|
%make_build
|
||||||
|
# Build selected contrib overlays
|
||||||
|
for SLAPO_NAME in addpartial allowed allop autogroup authzid datamorph lastbind denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace variant vc
|
||||||
|
do
|
||||||
|
make -C contrib/slapd-modules/${SLAPO_NAME} %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}"
|
||||||
|
done
|
||||||
|
# slapo-smbk5pwd only for Samba password hashes
|
||||||
|
make -C contrib/slapd-modules/smbk5pwd %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" DEFS="-DDO_SAMBA" HEIMDAL_LIB=""
|
||||||
|
|
||||||
|
# Create ldap user
|
||||||
|
%sysusers_generate_pre %{SOURCE19} ldap
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%check
|
||||||
|
%if %run_test_suite
|
||||||
|
# calculate the base port to be use in the test-suite
|
||||||
|
SLAPD_BASEPORT=10000
|
||||||
|
if [ -f /.buildenv ] ; then
|
||||||
|
. /.buildenv
|
||||||
|
SLAPD_BASEPORT=$(($SLAPD_BASEPORT + ${BUILD_INCARNATION:-0} * 10))
|
||||||
|
fi
|
||||||
|
export SLAPD_BASEPORT
|
||||||
|
%ifnarch %arm alpha
|
||||||
|
rm -f tests/scripts/test019-syncreplication-cascade
|
||||||
|
rm -f tests/scripts/test022-ppolicy
|
||||||
|
rm -f tests/scripts/test023-refint
|
||||||
|
rm -f tests/scripts/test033-glue-syncrepl
|
||||||
|
#rm -f tests/scripts/test036-meta-concurrency
|
||||||
|
#rm -f tests/scripts/test039-glue-ldap-concurrency
|
||||||
|
rm -f tests/scripts/test043-delta-syncrepl
|
||||||
|
#rm -f tests/scripts/test045-syncreplication-proxied
|
||||||
|
rm -f tests/scripts/test048-syncrepl-multiproxy
|
||||||
|
rm -f tests/scripts/test050-syncrepl-multimaster
|
||||||
|
rm -f tests/scripts/test058-syncrepl-asymmetric
|
||||||
|
make SLAPD_DEBUG=0 test
|
||||||
|
%endif
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%install
|
||||||
|
%if "%flavor" == "contrib"
|
||||||
|
cd contrib/ldapc++
|
||||||
|
%make_install
|
||||||
|
%else
|
||||||
|
mkdir -p %{buildroot}%{_libdir}/openldap
|
||||||
|
mkdir -p %{buildroot}/usr/lib/openldap
|
||||||
|
mkdir -p %{buildroot}%{_sbindir}
|
||||||
|
mkdir -p %{buildroot}%{_unitdir}
|
||||||
|
make STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
|
||||||
|
# Additional symbolic link to slapd executable in /usr/sbin/
|
||||||
|
ln -s %{_libdir}/slapd %{buildroot}%{_sbindir}/slapd
|
||||||
|
# Install selected contrib overlays
|
||||||
|
for SLAPO_NAME in addpartial allowed allop autogroup authzid datamorph lastbind denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace variant vc
|
||||||
|
do
|
||||||
|
make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" DESTDIR="%{buildroot}" "mandir=%{_mandir}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
|
||||||
|
done
|
||||||
|
# slapo-smbk5pwd only for Samba password hashes
|
||||||
|
make -C contrib/slapd-modules/smbk5pwd STRIP="" DESTDIR="%{buildroot}" "mandir=%{_mandir}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
|
||||||
|
install -m 755 %{SOURCE13} %{buildroot}/usr/lib/openldap/start
|
||||||
|
install -m 644 %{SOURCE14} %{buildroot}%{_unitdir}
|
||||||
|
mkdir -p %{buildroot}%{_sysconfdir}/openldap/slapd.d
|
||||||
|
mkdir -p %{buildroot}%{_sysconfdir}/sasl2
|
||||||
|
install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sasl2/slapd.conf
|
||||||
|
install -m 755 -d %{buildroot}/var/lib/ldap
|
||||||
|
chmod a+x %{buildroot}%{_libdir}/liblber.so*
|
||||||
|
chmod a+x %{buildroot}%{_libdir}/libldap.so*
|
||||||
|
install -m 755 %{SOURCE6} %{buildroot}%{_sbindir}/schema2ldif
|
||||||
|
mkdir -p %{buildroot}%{_tmpfilesdir}/
|
||||||
|
install -m 644 %{SOURCE18} %{buildroot}%{_tmpfilesdir}/
|
||||||
|
mkdir -p %{buildroot}%{_sysusersdir}
|
||||||
|
install -m 644 %{SOURCE19} %{buildroot}%{_sysusersdir}/
|
||||||
|
|
||||||
|
install -m 755 %{SOURCE19} ${RPM_BUILD_ROOT}/usr/lib/openldap/fixup-modulepath
|
||||||
|
install -m 755 %{SOURCE20} ${RPM_BUILD_ROOT}/%{_sbindir}/slapd-ldif-update-crc
|
||||||
|
install -m 755 %{SOURCE21} ${RPM_BUILD_ROOT}/usr/lib/openldap/update-crc
|
||||||
|
|
||||||
|
mkdir -p %{buildroot}%{_fillupdir}
|
||||||
|
install -m 644 %{SOURCE16} %{buildroot}%{_fillupdir}/sysconfig.openldap
|
||||||
|
install -m 644 *.ldif %{buildroot}%{_sysconfdir}/openldap/schema
|
||||||
|
install -m 644 *.schema %{buildroot}%{_sysconfdir}/openldap/schema
|
||||||
|
# Install default and sample configuration files
|
||||||
|
install -m 644 %{SOURCE23} %{buildroot}%{_sysconfdir}/openldap
|
||||||
|
install -m 644 %{SOURCE24} %{buildroot}%{_sysconfdir}/openldap
|
||||||
|
install -m 644 %{SOURCE12} %{buildroot}%{_sysconfdir}/openldap
|
||||||
|
find doc/guide '(' ! -name *.html -a ! -name *.gif -a ! -name *.png -a ! -type d ')' -delete
|
||||||
|
rm -rf doc/guide/release
|
||||||
|
|
||||||
|
%define DOCDIR %{_defaultdocdir}/%{name}
|
||||||
|
# Install default database optimisation
|
||||||
|
install -d %{buildroot}%{DOCDIR}/adminguide \
|
||||||
|
%{buildroot}%{DOCDIR}/images \
|
||||||
|
%{buildroot}%{DOCDIR}/drafts
|
||||||
|
install -m 644 doc/guide/admin/* %{buildroot}%{DOCDIR}/adminguide
|
||||||
|
install -m 644 doc/guide/images/*.gif %{buildroot}%{DOCDIR}/images
|
||||||
|
install -m 644 doc/drafts/* %{buildroot}%{DOCDIR}/drafts
|
||||||
|
install -m 644 ANNOUNCEMENT \
|
||||||
|
COPYRIGHT \
|
||||||
|
README \
|
||||||
|
CHANGES \
|
||||||
|
%{SOURCE5} \
|
||||||
|
%{buildroot}%{DOCDIR}
|
||||||
|
install -m 644 servers/slapd/slapd.ldif \
|
||||||
|
%{buildroot}%{DOCDIR}/slapd.ldif.default
|
||||||
|
rm -f %{buildroot}/etc/openldap/schema/README
|
||||||
|
rm -f %{buildroot}/etc/openldap/slapd.ldif*
|
||||||
|
mv servers/slapd/back-sql/rdbms_depend servers/slapd/back-sql/examples
|
||||||
|
|
||||||
|
ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcslapd
|
||||||
|
|
||||||
|
rm -f %{buildroot}%{_libdir}/openldap/*.a
|
||||||
|
rm -f %{buildroot}/usr/share/man/man5/slapd-dnssrv.5
|
||||||
|
rm -f %{buildroot}/usr/share/man/man5/slapd-ndb.5
|
||||||
|
rm -f %{buildroot}/usr/share/man/man5/slapd-null.5
|
||||||
|
rm -f %{buildroot}/usr/share/man/man5/slapd-passwd.5
|
||||||
|
rm -f %{buildroot}/usr/share/man/man5/slapd-shell.5
|
||||||
|
rm -f %{buildroot}/usr/share/man/man5/slapd-tcl.5
|
||||||
|
# Remove *.la files, libtool does not handle this correct
|
||||||
|
# Keep .la files for modules in the openldap subdirectory, which are consumed
|
||||||
|
# in this form.
|
||||||
|
rm -f %{buildroot}%{_libdir}/*.la
|
||||||
|
|
||||||
|
# Provide a libldap_r for backwards-compatibility with OpenLDAP < 2.5.
|
||||||
|
ln -fs libldap.so "%{buildroot}%{_libdir}/libldap_r.so"
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%pre -f ldap.pre
|
||||||
|
%service_add_pre slapd.service
|
||||||
|
|
||||||
|
%post
|
||||||
|
%{fillup_only -n openldap ldap}
|
||||||
|
%tmpfiles_create %{name}.conf
|
||||||
|
%service_add_post slapd.service
|
||||||
|
|
||||||
|
%post -n libldap2 -p /sbin/ldconfig
|
||||||
|
%postun -n libldap2 -p /sbin/ldconfig
|
||||||
|
|
||||||
|
%preun
|
||||||
|
%service_del_preun slapd.service
|
||||||
|
|
||||||
|
%postun
|
||||||
|
%service_del_postun slapd.service
|
||||||
|
|
||||||
|
%if "%flavor" == "contrib"
|
||||||
|
%files -n libldapcpp-devel
|
||||||
|
%doc contrib/ldapc++/README
|
||||||
|
%_includedir/*.h
|
||||||
|
%_libdir/libldapcpp.la
|
||||||
|
%_libdir/libldapcpp.so
|
||||||
|
|
||||||
|
%files -n libldapcpp0
|
||||||
|
%_libdir/libldapcpp.so.0
|
||||||
|
%_libdir/libldapcpp.so.0.0.0
|
||||||
|
|
||||||
|
%else
|
||||||
|
|
||||||
|
%files
|
||||||
|
%config %{_sysconfdir}/openldap/schema/*.schema
|
||||||
|
%config %{_sysconfdir}/openldap/schema/*.ldif
|
||||||
|
%config(noreplace) /etc/sasl2/slapd.conf
|
||||||
|
%config(noreplace) %attr(640, root, ldap) %{_sysconfdir}/openldap/slapd.conf
|
||||||
|
%config(noreplace) %attr(640, root, ldap) %{_sysconfdir}/openldap/slapd.conf.olctemplate
|
||||||
|
%config %attr(640, root, ldap) %{_sysconfdir}/openldap/slapd.conf.default
|
||||||
|
%config %attr(640, root, ldap) %{_sysconfdir}/openldap/slapd.conf.example
|
||||||
|
%dir %{_libdir}/openldap
|
||||||
|
%dir /usr/lib/openldap
|
||||||
|
%dir %{_sysconfdir}/sasl2
|
||||||
|
%dir %{_sysconfdir}/openldap
|
||||||
|
%dir %attr(0770, ldap, ldap) %{_sysconfdir}/openldap/slapd.d
|
||||||
|
%dir %{_sysconfdir}/openldap/schema
|
||||||
|
%{_fillupdir}/sysconfig.openldap
|
||||||
|
%{_sbindir}/slap*
|
||||||
|
%{_sbindir}/rcslapd
|
||||||
|
%{_libdir}/openldap/back_ldap*
|
||||||
|
%{_libdir}/openldap/back_mdb*
|
||||||
|
%{_libdir}/openldap/back_relay*
|
||||||
|
%{_libdir}/openldap/accesslog*
|
||||||
|
%{_libdir}/openldap/auditlog*
|
||||||
|
%{_libdir}/openldap/autoca*
|
||||||
|
%{_libdir}/openldap/collect*
|
||||||
|
%{_libdir}/openldap/constraint*
|
||||||
|
%{_libdir}/openldap/dds*
|
||||||
|
%{_libdir}/openldap/deref*
|
||||||
|
%{_libdir}/openldap/dyngroup*
|
||||||
|
%{_libdir}/openldap/dynlist*
|
||||||
|
%{_libdir}/openldap/homedir*
|
||||||
|
%{_libdir}/openldap/memberof*
|
||||||
|
%{_libdir}/openldap/otp*
|
||||||
|
%{_libdir}/openldap/pcache*
|
||||||
|
%{_libdir}/openldap/ppolicy*
|
||||||
|
%{_libdir}/openldap/remoteauth*
|
||||||
|
%{_libdir}/openldap/refint*
|
||||||
|
%{_libdir}/openldap/retcode*
|
||||||
|
%{_libdir}/openldap/rwm*
|
||||||
|
%{_libdir}/openldap/seqmod*
|
||||||
|
%{_libdir}/openldap/sssvlv*
|
||||||
|
%{_libdir}/openldap/syncprov*
|
||||||
|
%{_libdir}/openldap/translucent*
|
||||||
|
%{_libdir}/openldap/unique*
|
||||||
|
%{_libdir}/openldap/valsort*
|
||||||
|
%{_libdir}/slapd
|
||||||
|
/usr/lib/openldap/start
|
||||||
|
/usr/lib/openldap/update-crc
|
||||||
|
/usr/lib/openldap/fixup-modulepath
|
||||||
|
%{_unitdir}/slapd.service
|
||||||
|
%{_tmpfilesdir}/%{name}.conf
|
||||||
|
%{_sysusersdir}/ldap-user.conf
|
||||||
|
%dir %attr(0750, ldap, ldap) %{_sharedstatedir}/ldap
|
||||||
|
%ghost %attr(0750, ldap, ldap) %{slapdrundir}
|
||||||
|
%doc %{_mandir}/man8/sl*
|
||||||
|
%doc %{_mandir}/man8/lloadd.*
|
||||||
|
%doc %{_mandir}/man5/lloadd.conf.*
|
||||||
|
%doc %{_mandir}/man5/slapd.*
|
||||||
|
%doc %{_mandir}/man5/slapd-asyncmeta.*
|
||||||
|
%doc %{_mandir}/man5/slapd-config.*
|
||||||
|
%doc %{_mandir}/man5/slapd-ldap.*
|
||||||
|
%doc %{_mandir}/man5/slapd-ldif.*
|
||||||
|
%doc %{_mandir}/man5/slapd-mdb.*
|
||||||
|
%doc %{_mandir}/man5/slapd-monitor.*
|
||||||
|
%doc %{_mandir}/man5/slapd-pw-*
|
||||||
|
%doc %{_mandir}/man5/slapd-relay.*
|
||||||
|
%doc %{_mandir}/man5/slapd-wt.*
|
||||||
|
%doc %{_mandir}/man5/slapo-*
|
||||||
|
%doc %{_mandir}/man5/slappw-argon2.*
|
||||||
|
%dir %{DOCDIR}
|
||||||
|
%doc %{DOCDIR}/ANNOUNCEMENT
|
||||||
|
%doc %{DOCDIR}/COPYRIGHT
|
||||||
|
%license LICENSE
|
||||||
|
%doc %{DOCDIR}/README*
|
||||||
|
%doc %{DOCDIR}/CHANGES
|
||||||
|
%doc %{DOCDIR}/slapd.ldif.default
|
||||||
|
|
||||||
|
%files back-perl
|
||||||
|
%{_libdir}/openldap/back_perl*
|
||||||
|
%doc %{_mandir}/man5/slapd-perl.*
|
||||||
|
|
||||||
|
%files back-sock
|
||||||
|
%{_libdir}/openldap/back_sock*
|
||||||
|
%doc %{_mandir}/man5/slapd-sock.*
|
||||||
|
|
||||||
|
%files back-meta
|
||||||
|
%{_libdir}/openldap/back_meta*
|
||||||
|
%doc %{_mandir}/man5/slapd-meta.*
|
||||||
|
|
||||||
|
%files back-sql
|
||||||
|
%{_libdir}/openldap/back_sql*
|
||||||
|
%doc %{_mandir}/man5/slapd-sql.*
|
||||||
|
%doc servers/slapd/back-sql/examples
|
||||||
|
%doc servers/slapd/back-sql/docs/bugs
|
||||||
|
%doc servers/slapd/back-sql/docs/install
|
||||||
|
|
||||||
|
%files -n libldap-data
|
||||||
|
%config(noreplace) %{_sysconfdir}/openldap/ldap.conf
|
||||||
|
%doc %{_mandir}/man5/ldap.conf*
|
||||||
|
%{_sysconfdir}/openldap/ldap.conf.default
|
||||||
|
|
||||||
|
%files doc
|
||||||
|
%dir %{DOCDIR}
|
||||||
|
%doc %{DOCDIR}/drafts
|
||||||
|
%doc %{DOCDIR}/adminguide
|
||||||
|
%doc %{DOCDIR}/images
|
||||||
|
|
||||||
|
%files contrib
|
||||||
|
%{_libdir}/openldap/addpartial.*
|
||||||
|
%{_libdir}/openldap/allop.*
|
||||||
|
%{_libdir}/openldap/allowed.*
|
||||||
|
%{_libdir}/openldap/authzid.*
|
||||||
|
%{_libdir}/openldap/autogroup.*
|
||||||
|
%{_libdir}/openldap/cloak.*
|
||||||
|
%{_libdir}/openldap/datamorph.*
|
||||||
|
%{_libdir}/openldap/denyop.*
|
||||||
|
%{_libdir}/openldap/lastbind.*
|
||||||
|
%{_libdir}/openldap/noopsrch.*
|
||||||
|
%{_libdir}/openldap/pw-pbkdf2.*
|
||||||
|
%{_libdir}/openldap/pw-sha2.*
|
||||||
|
%{_libdir}/openldap/smbk5pwd.*
|
||||||
|
%{_libdir}/openldap/trace.*
|
||||||
|
%{_libdir}/openldap/variant.*
|
||||||
|
%{_libdir}/openldap/vc.*
|
||||||
|
|
||||||
|
%files client
|
||||||
|
%doc %{_mandir}/man1/ldap*
|
||||||
|
%doc %{_mandir}/man5/ldif.*
|
||||||
|
%dir /etc/openldap
|
||||||
|
/usr/sbin/schema2ldif
|
||||||
|
/usr/bin/ldapadd
|
||||||
|
/usr/bin/ldapcompare
|
||||||
|
/usr/bin/ldapdelete
|
||||||
|
/usr/bin/ldapexop
|
||||||
|
/usr/bin/ldapmodify
|
||||||
|
/usr/bin/ldapmodrdn
|
||||||
|
/usr/bin/ldapsearch
|
||||||
|
/usr/bin/ldappasswd
|
||||||
|
/usr/bin/ldapurl
|
||||||
|
/usr/bin/ldapvc
|
||||||
|
/usr/bin/ldapwhoami
|
||||||
|
|
||||||
|
%files -n libldap2
|
||||||
|
%{_libdir}/liblber.so.*
|
||||||
|
%{_libdir}/libldap.so.*
|
||||||
|
|
||||||
|
%files devel
|
||||||
|
%doc %{_mandir}/man3/ber*
|
||||||
|
%doc %{_mandir}/man3/lber*
|
||||||
|
%doc %{_mandir}/man3/ld_errno*
|
||||||
|
%doc %{_mandir}/man3/ldap*
|
||||||
|
%{_includedir}/*.h
|
||||||
|
%{_libdir}/liblber.so
|
||||||
|
%{_libdir}/libldap*.so
|
||||||
|
%{_libdir}/pkgconfig/*.pc
|
||||||
|
|
||||||
|
%files devel-static
|
||||||
|
%_libdir/liblber.a
|
||||||
|
%_libdir/libldap*.a
|
||||||
|
|
||||||
|
%endif # !flavor:contrib
|
||||||
|
|
||||||
|
%changelog
|
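--- a/reproducible.patch
+++ b/reproducible.patch
@@ -0,0 +1,13 @@
+Index: openldap-2.6.3/build/mkversion
+===================================================================
+--- openldap-2.6.3.orig/build/mkversion
++++ openldap-2.6.3/build/mkversion
+@@ -77,7 +77,7 @@ static const char copyright[] =
+"COPYING RESTRICTIONS APPLY\n";
+
+$static $const char $SYMBOL[] =
+-"@(#) \$$PACKAGE: $APPLICATION $VERSION (" __DATE__ " " __TIME__ ") \$\n"
++"@(#) \$$PACKAGE: $APPLICATION $VERSION \$\n"
+"\t$WHOWHERE\n";
+
+__EOF__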
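Review bot: The patch file carries no header: nothing above the `Index:` line says why `__DATE__`/`__TIME__` are removed from the embedded version string or whether the change was offered upstream, and patch(1) ignores any text placed there, so a description costs nothing. A two-line header such as `Drop the build timestamp from the version banner so rebuilds of the same source produce bit-identical binaries.` followed by the upstream status would give the next maintainer that context. The spec's corresponding `Patch:` line is outside this view.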
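--- a/sasl-slapd.conf
+++ b/sasl-slapd.conf
@@ -0,0 +1 @@
+mech_list: gssapi digest-md5 cram-md5 external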
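Review bot: `mech_list` enables `digest-md5` and `cram-md5` by default; both are legacy mechanisms (DIGEST-MD5 was moved to Historic by RFC 6331) that need cleartext-equivalent secrets on the server side, so offering them to every client widens the exposure of deployments that never use them. Unless a known consumer depends on them, consider shipping `mech_list: gssapi external` (plus a SCRAM mechanism if the installed cyrus-sasl provides one) and leaving the MD5 mechanisms for administrators to opt into, or at least add a comment line stating why they stay. The spec installs this file as `%config(noreplace) /etc/sasl2/slapd.conf`, so a later tightening will not reach already-installed systems.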
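--- a/schema2ldif
+++ b/schema2ldif
@@ -0,0 +1,53 @@
+#!/bin/bash
+#
+# This is a simple tool to convert OpenLDAP Schema files to
+# LDIF suitable for usage with OpenLDAP's dynamic configuration
+# backend (cn=config)
+#
+# usage:
+# schema2ldif <input file>
+#
+# The generated LDIF is printed to stdout.
+#
+
+if [ -z "$1" ]; then
+echo 'usage: schema2ldif <input file>'
+exit;
+fi
+
+cn=`basename $1 .schema`
+
+echo "dn: cn=$cn,cn=schema,cn=config";
+echo "objectclass: olcSchemaConfig";
+echo "cn: $cn";
+
+/usr/bin/awk '
+BEGIN {
+buffer = "";
+width=78 ;
+}
+function wrap(data)
+{
+if (length(data) > 0) {
+do {
+print substr(data,0,width);
+data = " " substr(data, width+1);
+}
+while (length(data) > 1 )
+};
+}
+/^[\t ]*$/ {wrap(buffer); buffer=""; print "#"; next; }
+/^#.*$/ { wrap(buffer); buffer=""; print $0; next }
+/^[\t ]+/ { gsub("^[\t ]+",""); buffer = buffer " " $0; next; }
+{
+wrap(buffer);
+$1 = tolower($1) ;
+gsub("^objectclass$","olcObjectclasses:",$1)
+gsub("^attributetype$","olcAttributeTypes:",$1)
+gsub("^attributetypes$","olcAttributeTypes:",$1)
+gsub("^objectidentifier$","olcObjectIdentifier:",$1)
+buffer = $0;
+}
+END { wrap(buffer); print "" }
+' "$@"
+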
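Review bot: `print substr(data,0,width)` in `wrap()` starts at position 0, which POSIX awk semantics (gawk follows them) resolve to characters 1..width-1, while the next line resumes at `width+1`; the character at position `width` therefore appears to be dropped at every wrap boundary, silently corrupting long attribute or objectclass definitions in the generated LDIF. Use `print substr(data,1,width);` so the printed slice and the continuation are contiguous. Separately, the usage branch ends in `exit;`, so a missing argument exits 0 and a caller piping the output into ldapadd cannot tell the run failed; `exit 1` is the expected status, and `cn=\`basename "$1" .schema\`` should quote its argument.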
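--- a/slapd-ldif-update-crc.sh
+++ b/slapd-ldif-update-crc.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+# Script to fix the crc of openldap slapd.d ldifs.
+source /usr/lib/openldap/update-crc
+
+if [ -z ${1} ]; then
+echo "Usage: ${0} /etc/openldap/slapd.d/<config ldif to update>"
+exit 1
+fi
+
+if [ ! -f "${1}" ]; then
+echo "File ${1} does not exist?"
+echo "Usage: ${0} /etc/openldap/slapd.d/<config ldif to update>"
+exit 1
+fi
+
+# Make sure slapd.service is not running.
+slapd_running=1
+
+# Don't check if no systemd, we could be in a container.
+if [ -f "/usr/bin/systemctl" ]; then
+/usr/bin/systemctl is-active --quiet slapd.service
+slapd_running=$?
+fi
+
+if [ $slapd_running -eq 0 ]; then
+echo "Unable to update crc of '${1}' while slapd.service is running ..."
+exit 1
+fi
+
+do_update_crc ${1}
+
+echo "Updated crc of ${1}"
+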
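Review bot: The result of `do_update_crc ${1}` is never checked, so `Updated crc of ...` is printed even when the sourced helper fails, and both that call and `if [ -z ${1} ]` pass the path unquoted (the empty-argument test only works because a bare `[ -z ]` happens to evaluate true). Quote the argument in both places and gate the success message: `if [ -z "${1}" ]; then` and `do_update_crc "${1}" || exit 1`. `do_update_crc` is defined in `/usr/lib/openldap/update-crc`, which is outside this view, so its exit-status convention is assumed.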
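--- a/slapd.conf
+++ b/slapd.conf
@@ -0,0 +1,86 @@
+# This file (slapd.conf) is the static configuration file of OpenLDAP server daemon.
+#
+# OpenLDAP daemon (slapd.service) supports two configuration styles:
+# - Simple configuration with this file
+# - Online configuration (OLC)
+#
+# You may choose the configuration style by setting it in:
+# /etc/sysconfig/openldap OPENLDAP_CONFIG_BACKEND="files|ldap"
+# If the value is set to "files", this configuration file will be used.
+# If the value is set to "ldap", this configuration file will be entirely ignored, and
+# the OLC configuration from /etc/openldap/slapd.d will be loaded.
+#
+# If you decide to use online configuration, please read the additional instructions in:
+# /etc/openldap/slapd.conf.olctemplate
+#
+# Feel free to customise this file according to your needs, and start OpenLDAP
+# server daemon by executing:
+# systemctl start slapd.service
+#
+# To verify that LDAP service is running properly, try the following command:
+# ldapsearch -x -D cn=Manager,dc=my-domain,dc=com -w secret -s base namingContexts
+
+#
+# See slapd.conf(5) for details on configuration options.
+# See /etc/openldap/slapd.conf.example for more examples.
+# This file should NOT be world readable.
+#
+
+pidfile /run/slapd/slapd.pid
+argsfile /run/slapd/slapd.args
+
+# The following schema files are often useful
+include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/rfc2307bis.schema
+include /etc/openldap/schema/yast.schema
+
+# Load backend modules such as database engines
+moduleload back_mdb.la
+
+# Very important: define ACL to authorise client access
+# The default settings permit rootdn to read and write, while other users
+# may read the entire database or change their own password.
+# If no ACL is present, everyone will be allowed to read the database.
+# rootdn can always read and write everything.
+access to dn.base=""
+by * read
+
+access to dn.base="cn=Subschema"
+by * read
+
+access to attrs=userPassword,userPKCS12
+by self write
+by * auth
+
+access to attrs=shadowLastChange
+by self write
+by * read
+
+access to *
+by * read
+
+# Define a LDAP database
+database mdb
+suffix "dc=my-domain,dc=com"
+rootdn "cn=Manager,dc=my-domain,dc=com"
+# Please avoid using clear text for root password
+# See slappasswd(8) for instructions on creating a salted+hashed password
+rootpw secret
+# The database directory must exist prior to the start of OpenLDAP daemon
+# The directory should be owned by ldap user and permission 0700 is recommended
+directory /var/lib/ldap
+# Indices to maintain
+index objectClass eq
+
+# Using TLS to secure communication between LDAP clients and the server is strongly recommended.
+# To enable TLS, you will need CA certificate, server certificate, and certificate key, and
+# write down their paths below, make sure the files are readable by user "ldap".
+# The server will then support StartTLS on standard port 389.
+# To also serve LDAPS on port 636, set OPENLDAP_START_LDAPS="yes" in /etc/sysconfig/openldap.
+#TLSProtocolMin 3.1
+#TLSCipherSuite HIGH:!SSLv3:!SSLv2:!ADH
+#TLSCACertificateFile /my/ca.crt
+#TLSCertificateFile /my/tls.crt
+#TLSCertificateKeyFile /my/tls.key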
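Review bot: `rootpw secret` ships a working cleartext rootdn password in the default configuration, directly below the comment telling administrators not to do that, and the header's verification command repeats `-w secret`; a freshly installed slapd started with `OPENLDAP_CONFIG_BACKEND="files"` is therefore manageable with a publicly known credential until this file is edited. Ship the directive disabled as `#rootpw secret` (as the `config` database in slapd.conf.example does) or as an `{SSHA}` placeholder that slappasswd(8) output is meant to replace, and drop `-w secret` from the example command. The catch-all `access to *` / `by * read` rule also grants anonymous binds read access to the whole directory (including `shadowLastChange` via the rule above it), while the comment at the top of the ACL block only speaks of "other users"; either state that anonymous is included or tighten it to `by users read`.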
354
slapd.conf.example
Normal file
354
slapd.conf.example
Normal file
@ -0,0 +1,354 @@
|
|||||||
|
############################################################################
|
||||||
|
# See slapd.conf(5) for details on configuration options.
|
||||||
|
# This file SHOULD NOT be world readable.
|
||||||
|
#
|
||||||
|
# Important note:
|
||||||
|
# You surely have to adjust some settings to meet your (security)
|
||||||
|
# requirements.
|
||||||
|
# At least you should replace suffix "dc=example,dc=com" by
|
||||||
|
# something meaningful for your setup.
|
||||||
|
# If you plan to use OpenLDAP server as backend for Samba and/or Kerberos
|
||||||
|
# KDC then you MUST add decent ACLs for protecting user credentials!
|
||||||
|
#
|
||||||
|
# Read the man pages before changing something!
|
||||||
|
#
|
||||||
|
# You can debug the config by running (as root while slapd stopped):
|
||||||
|
# /usr/sbin/slapd -f /etc/openldap/slapd.conf -u ldap -g ldap -h "ldapi:/// ldap://127.0.0.1" -d 65535
|
||||||
|
############################################################################
|
||||||
|
|
||||||
|
#---------------------------------------------------------------------------
|
||||||
|
# slapd global parameters
|
||||||
|
#---------------------------------------------------------------------------
|
||||||
|
|
||||||
|
# serverID must be unique across all provider replicas
|
||||||
|
# for using multi-master replication (MMR)
|
||||||
|
serverID 99
|
||||||
|
|
||||||
|
# only alter this when you know what you're doing
|
||||||
|
#threads 4
|
||||||
|
|
||||||
|
# Run-time files
|
||||||
|
pidfile /var/run/slapd/slapd.pid
|
||||||
|
argsfile /var/run/slapd/slapd.args
|
||||||
|
|
||||||
|
# for more debugging set:
|
||||||
|
#loglevel config stats stats2
|
||||||
|
loglevel stats
|
||||||
|
|
||||||
|
#---------------------------------------------------------------------------
|
||||||
|
# Load runtime loadable modules
|
||||||
|
#---------------------------------------------------------------------------
|
||||||
|
|
||||||
|
# Load additional backend modules installed by package 'openldap2'
|
||||||
|
# The following backends are statically built-in and therefore don't have
|
||||||
|
# to be loaded here:
|
||||||
|
# config, ldif, monitor, bdb, hdb, ldap, mdb, relay
|
||||||
|
#moduleload back_bdb
|
||||||
|
#moduleload back_hdb
|
||||||
|
moduleload back_mdb
|
||||||
|
#moduleload back_meta
|
||||||
|
#moduleload back_sock
|
||||||
|
|
||||||
|
# Load additional overlay modules installed by package 'openldap2'
|
||||||
|
# The following overlay are statically built-in and therefore don't have
|
||||||
|
# to be loaded here:
|
||||||
|
# ppolicy, syncprov
|
||||||
|
#moduleload accesslog
|
||||||
|
#moduleload constraint
|
||||||
|
#moduleload dds
|
||||||
|
#moduleload deref
|
||||||
|
#moduleload dynlist
|
||||||
|
#moduleload memberof
|
||||||
|
moduleload refint
|
||||||
|
#moduleload sssvlv
|
||||||
|
#moduleload translucent
|
||||||
|
moduleload unique
|
||||||
|
#moduleload valsort
|
||||||
|
|
||||||
|
# Load additional overlay modules installed by package 'openldap2-contrib'
|
||||||
|
#moduleload allowed
|
||||||
|
#moduleload lastbind
|
||||||
|
#moduleload noopsrch
|
||||||
|
#moduleload pw-pbkdf2
|
||||||
|
#moduleload pw-sha2
|
||||||
|
#moduleload smbk5pwd
|
||||||
|
|
||||||
|
#---------------------------------------------------------------------------
|
||||||
|
# Include schema files
|
||||||
|
#---------------------------------------------------------------------------
|
||||||
|
|
||||||
|
# Schema files installed by package 'openldap2'
|
||||||
|
include /etc/openldap/schema/core.schema
|
||||||
|
include /etc/openldap/schema/cosine.schema
|
||||||
|
include /etc/openldap/schema/inetorgperson.schema
|
||||||
|
include /etc/openldap/schema/rfc2307bis.schema
|
||||||
|
include /etc/openldap/schema/ppolicy.schema
|
||||||
|
#include /etc/openldap/schema/yast.schema
|
||||||
|
|
||||||
|
# Schema file installed by package 'dhcp-server'
|
||||||
|
#include /etc/openldap/schema/dhcp.schema
|
||||||
|
|
||||||
|
# Schema file installed by package 'samba'
|
||||||
|
#include /etc/openldap/schema/samba3.schema
|
||||||
|
|
||||||
|
# Schema file installed by package 'krb5-plugin-kdb-ldap'
|
||||||
|
#include /usr/share/doc/packages/krb5/kerberos.schema
|
||||||
|
|
||||||
|
#---------------------------------------------------------------------------
|
||||||
|
# Transport Layer Security (TLS) configuration
|
||||||
|
#---------------------------------------------------------------------------
|
||||||
|
|
||||||
|
# require at least TLS 1.0 and highly secure ciphers
|
||||||
|
#TLSProtocolMin 3.1
|
||||||
|
#TLSCipherSuite HIGH:!SSLv3:!SSLv2:!ADH
|
||||||
|
|
||||||
|
# TLS certificate and key files
|
||||||
|
#TLSCACertificateFile /etc/ssl/ca-bundle.pem
|
||||||
|
#TLSCertificateFile /etc/openldap/ssl.crt/server.crt
|
||||||
|
#TLSCertificateKeyFile /etc/openldap/ssl.key/server.key
|
||||||
|
|
||||||
|
# For enabling Perfect Forward Secrecy (PFS), see dhparam(1)
|
||||||
|
#TLSDHParamFile /etc/openldap/ssl.key/dhparam
|
||||||
|
|
||||||
|
#---------------------------------------------------------------------------
|
||||||
|
# Password hashing
|
||||||
|
#---------------------------------------------------------------------------
|
||||||
|
|
||||||
|
#password-hash {CRYPT}
|
||||||
|
# Parameters for {CRYPT} scheme: SHA-512, 72 bits) of salt, 5000 iterations
|
||||||
|
#password-crypt-salt-format "$6$%.12s"
|
||||||
|
|
||||||
|
#---------------------------------------------------------------------------
|
||||||
|
# Security requirements
|
||||||
|
#---------------------------------------------------------------------------
|
||||||
|
|
||||||
|
#disallow bind_anon
|
||||||
|
#require bind LDAPv3 strong
|
||||||
|
|
||||||
|
# SSF value for ldapi://
|
||||||
|
localSSF 256
|
||||||
|
|
||||||
|
# minimum required SSF value (security strength factor)
|
||||||
|
# Sample security restrictions
|
||||||
|
# Require integrity protection (prevent hijacking)
|
||||||
|
# Require 112-bit (3DES or better) encryption for updates
|
||||||
|
# Require 63-bit encryption for simple bind
|
||||||
|
# security ssf=1 update_ssf=112 simple_bind=64
|
||||||
|
#security ssf=128 update_ssf=256 simple_bind=128
|
||||||
|
security ssf=0
|
||||||
|
|
||||||
|
#---------------------------------------------------------------------------
|
||||||
|
# Global access control (ACLs)
|
||||||
|
#---------------------------------------------------------------------------
|
||||||
|
|
||||||
|
# Root DSE: allow anyone to read it
|
||||||
|
access to
|
||||||
|
dn.base=""
|
||||||
|
by * read
|
||||||
|
|
||||||
|
# Sub schema sub entry: allow anyone to read it
|
||||||
|
access to
|
||||||
|
dn.base="cn=Subschema"
|
||||||
|
by * read
|
||||||
|
|
||||||
|
#---------------------------------------------------------------------------
|
||||||
|
# Authz-DN mappings
|
||||||
|
#---------------------------------------------------------------------------
|
||||||
|
|
||||||
|
# If connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used
|
||||||
|
# System user root is mapped to the rootdn in database dc=example,dc=com
|
||||||
|
# which has also read access on config and monitor databases
|
||||||
|
authz-regexp
|
||||||
|
"gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
|
||||||
|
"cn=root,dc=example,dc=com"
|
||||||
|
|
||||||
|
# Map local system user to LDAP entry
|
||||||
|
# if connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used
|
||||||
|
authz-regexp
|
||||||
|
"gidnumber=([0-9]+)\\+uidnumber=([0-9]+),cn=peercred,cn=external,cn=auth"
|
||||||
|
"ldap:///dc=example,dc=com??sub?(&(objectClass=posixAccount)(uidNumber=$2)(gidNumber=$1))"
|
||||||
|
|
||||||
|
# this maps the attribute uid to a LDAP entry
|
||||||
|
# if one of the typical password-based SASL mechs was used
|
||||||
|
authz-regexp
|
||||||
|
"uid=([a-zA-Z0-9_-]+),cn=(DIGEST-MD5|CRAM-MD5|NTLM|PLAIN|LOGIN|SCRAM-SHA-1),cn=auth"
|
||||||
|
"ldap:///dc=example,dc=com??sub?(uid=$1)"
|
||||||
|
|
||||||
|
# this maps the attribute uid to a LDAP entry
|
||||||
|
# if one of the Kerberos based SASL mechs was used
|
||||||
|
#authz-regexp
|
||||||
|
# "uid=([a-zA-Z0-9_-]+),cn=(GSSAPI|GS2-KRB5|GS2-IAKERB),cn=auth"
|
||||||
|
# "ldap:///dc=example,dc=com??sub?(|(krbPrincipalName=$1)(krbPrincipalAlias=$1))"
|
||||||
|
|
||||||
|
# Map client cert subject DN to LDAP entry if SASL/EXTERNAL was used
|
||||||
|
#authz-regexp
|
||||||
|
# "(.+)"
|
||||||
|
# "ldap:///dc=example,dc=com??sub?(&(objectClass=pkiUser)(seeAlso=$1))"
|
||||||
|
|
||||||
|
|
||||||
|
#===========================================================================
|
||||||
|
# Database specific configuration sections below
|
||||||
|
# Required order of databases:
|
||||||
|
# config (first), ...others..., monitor (last)
|
||||||
|
#===========================================================================
|
||||||
|
|
||||||
|
|
||||||
|
#---------------------------------------------------------------------------
|
||||||
|
# cn=config // Configuration database (always first!)
|
||||||
|
# see slapd-config(5)
|
||||||
|
#---------------------------------------------------------------------------
|
||||||
|
|
||||||
|
database config
|
||||||
|
|
||||||
|
# Cleartext passwords, especially for the rootdn, should
|
||||||
|
# be avoid! See slappasswd(8) and slapd.conf(5) for details.
|
||||||
|
# Best thing is not to set rootpw at all!
|
||||||
|
# For local config access by root use LDAPI with SASL/EXTERNAL instead
|
||||||
|
# (see above).
|
||||||
|
#rootpw secret
|
||||||
|
|
||||||
|
access to
|
||||||
|
dn.subtree="cn=config"
|
||||||
|
by dn.exact="cn=root,dc=example,dc=com" manage
|
||||||
|
by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" read
|
||||||
|
by * none
|
||||||
|
|
||||||
|
|
||||||
|
#---------------------------------------------------------------------------
|
||||||
|
# dc=example,dc=com // Example MDB database to be used by normal clients
|
||||||
|
# see slapd-mdb(5)
|
||||||
|
#---------------------------------------------------------------------------
|
||||||
|
|
||||||
|
database mdb
|
||||||
|
|
||||||
|
suffix "dc=example,dc=com"
|
||||||
|
|
||||||
|
# rootdn has to be set for overlays' internal operations
|
||||||
|
rootdn "cn=root,dc=example,dc=com"
|
||||||
|
|
||||||
|
# Cleartext passwords, especially for the rootdn, should
|
||||||
|
# be avoid! See slappasswd(8) and slapd.conf(5) for details.
|
||||||
|
# Best thing is not to set rootpw at all!
|
||||||
|
rootpw secret
|
||||||
|
|
||||||
|
# The database directory MUST exist prior to running slapd and
|
||||||
|
# SHOULD only be accessible by the slapd user 'ldap'.
|
||||||
|
# mkdir /var/lib/ldap/example-db && chown ldap:ldap /var/lib/ldap/example-db && chmod 0700 /var/lib/ldap/example-db
|
||||||
|
directory /var/lib/ldap/example-db
|
||||||
|
|
||||||
|
# Permissions of database files created
|
||||||
|
mode 0600
|
||||||
|
|
||||||
|
# extra information to be available in cn=monitor for this database
|
||||||
|
monitoring on
|
||||||
|
|
||||||
|
# Perform ACL checks on the content of a new entry being added
|
||||||
|
add_content_acl on
|
||||||
|
|
||||||
|
# backend-specific database parameters
|
||||||
|
checkpoint 1024 5
|
||||||
|
# 100 MB (you can raise the limit later)
|
||||||
|
maxsize 104857600
|
||||||
|
|
||||||
|
# Indices to maintain
|
||||||
|
#
|
||||||
|
# Whenever you change indexing configuration you have to re-run slapindex
|
||||||
|
# while slapd being stopped!
|
||||||
|
# Don't forget to fix ownership/permissions of newly generated index files
|
||||||
|
# afterwards!
|
||||||
|
|
||||||
|
# set always!
|
||||||
|
index objectClass eq
|
||||||
|
|
||||||
|
# for typical address book use
|
||||||
|
index cn,sn,givenName,mail eq,sub
|
||||||
|
|
||||||
|
# for user management
|
||||||
|
index uid,uidNumber,gidNumber eq
|
||||||
|
|
||||||
|
# for authz-regexp mapping of Kerberos principal name
|
||||||
|
#index krbPrincipalName,krbPrincipalAlias eq
|
||||||
|
|
||||||
|
# for authz-regexp mapping of client cert subject DNs
|
||||||
|
#index seeAlso eq
|
||||||
|
|
||||||
|
# for syncrepl
|
||||||
|
index entryUUID,entryCSN eq
|
||||||
|
|
||||||
|
# access control lists (ACLs) for dc=example,dc=com
|
||||||
|
# see slapd.access(5) for details on access control lists (ACLs)
|
||||||
|
|
||||||
|
# full read access also to 'userPassword' for group of replicas
|
||||||
|
# and control is forwarded to subsequent ACLs
|
||||||
|
access to
|
||||||
|
dn.subtree=dc=example,dc=com
|
||||||
|
by group.base="cn=slapd replicas,ou=groups,dc=example,dc=com" read
|
||||||
|
by * break
|
||||||
|
|
||||||
|
# write-only access to 'userPassword' for user, auth access else
|
||||||
|
access to
|
||||||
|
attrs=userPassword
|
||||||
|
by self =w
|
||||||
|
by * auth
|
||||||
|
|
||||||
|
# 'userPKCS' must only be accessible by self
|
||||||
|
access to
|
||||||
|
attrs=userPKCS12
|
||||||
|
by self write
|
||||||
|
by * none
|
||||||
|
|
||||||
|
# No access to history of passwords
|
||||||
|
#access to
|
||||||
|
# attrs=pwdHistory
|
||||||
|
# by * none
|
||||||
|
|
||||||
|
# Catch-all ACL for the rest
|
||||||
|
access to
|
||||||
|
dn.subtree=dc=example,dc=com
|
||||||
|
by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" manage
|
||||||
|
by self read
|
||||||
|
by users read
|
||||||
|
by * auth
|
||||||
|
|
||||||
|
# see slapo-ppolicy(5)
|
||||||
|
overlay ppolicy
|
||||||
|
# Default password policy entry
|
||||||
|
#ppolicy_default cn=ppolicy-default,ou=policies,dc=example,dc=com
|
||||||
|
# Hash clear-text userPassword values sent in with add/modify operations
|
||||||
|
#ppolicy_hash_cleartext
|
||||||
|
# Return AccountLocked error code to client
|
||||||
|
#ppolicy_use_lockout
|
||||||
|
|
||||||
|
# see slapo-refint(5)
|
||||||
|
overlay refint
|
||||||
|
refint_attributes member seeAlso
|
||||||
|
refint_nothing cn=dummy
|
||||||
|
|
||||||
|
# Check sub-tree wide uniqueness of certain attributes
|
||||||
|
# see slapo-unique(5)
|
||||||
|
# you have to add eq-index for efficient uniqueness check!
|
||||||
|
# Note that filter part is currently ignored because of OpenLDAP ITS#6825
|
||||||
|
overlay unique
|
||||||
|
unique_uri "ldap:///dc=example,dc=com?uid,uidNumber,homeDirectory?sub"
|
||||||
|
unique_uri "ldap:///ou=groups,dc=example,dc=com?cn,gidNumber?sub?(|(objectClass=groupOfNames)(objectClass=posixGroup))"
|
||||||
|
#unique_uri "ldap:///dc=example,dc=com?krbPrincipalName,krbPrincipalAlias?sub"
|
||||||
|
#unique_uri "ldap:///dc=example,dc=com?ipHostNumber?sub"
|
||||||
|
#unique_uri "ldap:///dc=example,dc=com?employeeNumber?sub"
|
||||||
|
#unique_uri "ldap:///dc=example,dc=com?uniqueIdentifier?sub"
|
||||||
|
|
||||||
|
#overlay syncprov
|
||||||
|
#mirrormode on
|
||||||
|
|
||||||
|
|
||||||
|
#---------------------------------------------------------------------------
|
||||||
|
# cn=monitor // Monitoring database (always last!)
|
||||||
|
# see slapd-monitor(5)
|
||||||
|
#---------------------------------------------------------------------------
|
||||||
|
|
||||||
|
database monitor
|
||||||
|
|
||||||
|
access to
|
||||||
|
dn.subtree="cn=monitor"
|
||||||
|
by dn.exact="cn=root,dc=example,dc=com" write
|
||||||
|
by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" write
|
||||||
|
by users read
|
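--- a/slapd.conf.olctemplate
+++ b/slapd.conf.olctemplate
@@ -0,0 +1,46 @@
+# This file (slapd.conf.olctemplate) is a template for creating the initial
+# online configuration for OpenLDAP server daemon.
+#
+# In order to use online configuration for OpenLDAP server daemon, make sure to set:
+# /etc/sysconfig/openldap OPENLDAP_CONFIG_BACKEND="ldap"
+#
+# Before starting the OpenLDAP daemon (slapd.conf) with onlne configuration for
+# the very first time, you have to prepare the online configuration directory
+# from this template file - first, make necessary customisations if you wish, and then
+# run:
+# cd /etc/openldap && slaptest -f slapd.conf.olctemplate -F slapd.d
+#
+# Then you may start OpenLDAP daemon:
+# systemctl start slapd.service
+#
+# To verify that LDAP service is running properly, try the following command:
+# ldapsearch -x -D cn=admin,cn=config -w secret -b cn=config
+
+#
+# See slapd.conf(5) for details on configuration options.
+# See /etc/openldap/slapd.conf.example for more examples.
+# This file should NOT be world readable.
+#
+
+pidfile /run/slapd/slapd.pid
+argsfile /run/slapd/slapd.args
+
+# The following schema files are often useful
+include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/rfc2307bis.schema
+include /etc/openldap/schema/yast.schema
+
+# Load backend modules such as database engines
+# modulepath /usr/lib64/openldap
+# moduleload back_mdb.la
+# moduleload back_hdb.la
+# moduleload back_bdb.la
+
+# Define the config database that holds all online configurations
+database config
+rootdn "cn=admin,cn=config"
+# Please avoid using clear text for root password
+# See slappasswd(8) for instructions on creating a salted+hashed password
+rootpw secret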
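Review bot: `rootpw secret` on the last line seeds the cn=config database with a well-known cleartext password, and the header block repeats that value in the verification command (`ldapsearch -x -D cn=admin,cn=config -w secret -b cn=config`), so a host converted with the documented `slaptest -F slapd.d` step starts with a guessable config-admin credential unless the operator remembers to edit the template first. Since the file already points at slappasswd(8), ship a value that cannot authenticate, e.g. `rootpw {SSHA}REPLACE-WITH-OUTPUT-OF-SLAPPASSWD` (constructed placeholder), or omit rootpw as slapd.conf.example's own comments recommend; the same `rootpw secret` default appears in that example file in this commit. The commented `# moduleload back_hdb.la` / `# moduleload back_bdb.la` lines refer to backends that, as far as I know, are no longer built in the 2.6 series this package targets (HEAD's patch names openldap-2.6.2), so they would fail if uncommented and are better removed. "onlne" in "with onlne configuration" is a typo for "online".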
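--- a/slapd.service
+++ b/slapd.service
@@ -0,0 +1,28 @@
+[Unit]
+Description=OpenLDAP Server Daemon
+After=syslog.target network.target
+
+[Service]
+Type=forking
+ExecStart=/usr/lib/openldap/start
+
+# Hardening to prevent security escalation.
+## Future hardening for FS protection.
+# ProtectSystem=full
+# ReadWritePaths=/etc/openldap/slapd.d /var/lib/ldap
+
+RestrictSUIDSGID=true
+NoNewPrivileges=true
+PrivateTmp=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target
+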
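Review bot: `Type=forking` has no `PIDFile=`, so systemd has to guess the main PID after the start script execs slapd and slapd daemonizes; both slapd.conf.olctemplate (`pidfile /run/slapd/slapd.pid`) and the start script's `SLAPD_PID_DIR` place the pid file under /run/slapd, so `PIDFile=/run/slapd/slapd.pid` belongs in [Service] to make stop/restart and failure detection reliable. `After=syslog.target` is an obsolete target on current systemd and can be dropped. The hardening block omits `ProtectHome=true`, which slapd has no reason to lack, and leaves `ProtectSystem` commented out; `ProtectSystem=strict` together with the drafted `ReadWritePaths` line extended by `/run/slapd` is the usual next step, though it must be tested against the start script, which chowns /etc/openldap/slapd.d and the database directories before exec.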
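--- a/start
+++ b/start
@@ -0,0 +1,174 @@
+#! /bin/bash
+# Copyright (c) 1997-2000 SuSE GmbH Nuernberg, Germany.
+# Copyright (c) 2002 SuSE Linux AG Nuernberg, Germany.
+# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany.
+#
+# Author: Carsten Hoeger
+# Ralf Haferkamp
+#
+
+test -f /etc/sysconfig/openldap && . /etc/sysconfig/openldap
+
+SLAPD_BIN=/usr/sbin/slapd
+LDAP_URLS=""
+LDAPS_URLS=""
+LDAPI_URLS=""
+SLAPD_CONFIG_ARG="-F /etc/openldap/slapd.d"
+SLAPD_PID_DIR="/var/run/slapd/"
+
+test -x $SLAPD_BIN || exit 5
+
+function init_ldap_listener_urls(){
+case "$OPENLDAP_START_LDAP" in
+[Yy][Ee][Ss])
+if [ -n "$OPENLDAP_LDAP_INTERFACES" ]
+then
+for iface in $OPENLDAP_LDAP_INTERFACES ;do
+LDAP_URLS="$LDAP_URLS ldap://$iface"
+done
+else
+LDAP_URLS="ldap:///"
+fi
+;;
+esac
+}
+
+function init_ldapi_listener_urls(){
+case "$OPENLDAP_START_LDAPI" in
+[Yy][Ee][Ss])
+if [ -n "$OPENLDAP_LDAPI_INTERFACES" ]
+then
+for iface in $OPENLDAP_LDAPI_INTERFACES ;do
+esc_iface=`echo "$iface" | sed -e s'/\\//\\%2f/'g`
+LDAPI_URLS="$LDAPI_URLS ldapi://$esc_iface"
+done
+else
+LDAPI_URLS="ldapi:///"
+fi
+;;
+esac
+}
+
+function init_ldaps_listener_urls(){
+case "$OPENLDAP_START_LDAPS" in
+[Yy][Ee][Ss])
+if [ -n "$OPENLDAP_LDAPS_INTERFACES" ]
+then
+for iface in $OPENLDAP_LDAPS_INTERFACES ;do
+LDAPS_URLS="$LDAPS_URLS ldaps://$iface"
+done
+else
+LDAPS_URLS="ldaps:///"
+fi
+;;
+esac
+}
+
+function check_connection(){
+SLAPD_TIMEOUT=10
+START=$( date +%s)
+while [ $(( $( date +%s) - ${START} )) -lt ${SLAPD_TIMEOUT} ]; do
+ldapsearch -x -H "$LDAP_URLS $LDAPI_URLS $LDAPS_URLS" -b "" -s base &>/dev/null
+LDAPSEARCH_RC=$?
+if [ ${LDAPSEARCH_RC} -ge 0 ] && [ ${LDAPSEARCH_RC} -le 80 ] ; then break
+else sleep 1
+fi
+done
+}
+
+depth=0;
+
+function chown_database_dirs_bconfig() {
+ldapdir=$(find $1 -type f -name "olcDatabase*" | xargs grep -i olcdbdirectory | awk '{print $2}')
+for dir in $(realpath ${ldapdir}); do
+if [[ $dir =~ ^/var/lib/ldap$|^/var/lib/ldap/.* ]]; then
+[ -d "$dir" ] && [ -n "$OPENLDAP_USER" ] && \
+chown -h -R $OPENLDAP_USER $dir 2>/dev/null
+[ -d "$dir" ] && [ -n "$OPENLDAP_GROUP" ] && \
+chgrp -h -R $OPENLDAP_GROUP $dir 2>/dev/null
+else
+echo "Skipping chown -h of external directory for security reasons. You must manually run:"
+echo "# chown -h -R $OPENLDAP_USER $dir"
+echo "# chgrp -h -R $OPENLDAP_GROUP $dir"
+fi
+done
+}
+
+function chown_database_dirs() {
+ldapdir=`grep ^directory $1 | awk '{print $2}'`
+for dir in $ldapdir; do
+[ -d "$dir" ] && [ -n "$OPENLDAP_USER" ] && \
+chown -h -R $OPENLDAP_USER $dir 2>/dev/null
+[ -d "$dir" ] && [ -n "$OPENLDAP_GROUP" ] && \
+chgrp -h -R $OPENLDAP_GROUP $dir 2>/dev/null
+done
+includes=`grep ^include $1 | awk '{print $2}'`
+if [ $depth -le 50 ]; then
+depth=$(( $depth + 1 ));
+for i in $includes; do
+chown_database_dirs "$i" ;
+done
+fi
+}
+
+USER_CMD=""
+GROUP_CMD=""
+[ ! "x$OPENLDAP_USER" = "x" ] && USER_CMD="-u $OPENLDAP_USER"
+[ ! "x$OPENLDAP_GROUP" = "x" ] && GROUP_CMD="-g $OPENLDAP_GROUP"
+[ ! "x$OPENLDAP_CONFIG_BACKEND" = "xldap" ] && SLAPD_CONFIG_ARG="-f /etc/openldap/slapd.conf"
+
+
+# chown -h backend directories if OPENLDAP_CHOWN_DIRS ist set
+if [ "$(echo "$OPENLDAP_CHOWN_DIRS" | tr 'A-Z' 'a-z')" = "yes" ]; then
+if [ -n "$OPENLDAP_USER" -o -n "$OPENLDAP_GROUP" ]; then
+if [ -n "$OPENLDAP_CONFIG_BACKEND" -a "$OPENLDAP_CONFIG_BACKEND" = "ldap" ]; then
+chown -h -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null
+chgrp -h -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null
+chown_database_dirs_bconfig "/etc/openldap/slapd.d"
+# assume back-config usage if slapd.conf is not present but slapd.d is
+elif [ ! -f /etc/openldap/slapd.conf -a /etc/openldap/slapd.d ]; then
+chown -h -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null
+chgrp -h -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null
+chown_database_dirs_bconfig "/etc/openldap/slapd.d"
+else
+chown_database_dirs "/etc/openldap/slapd.conf"
+chgrp -h $OPENLDAP_GROUP /etc/openldap/slapd.conf 2>/dev/null
+fi
+if test -f /etc/sasl2/slapd.conf ; then
+chgrp -h $OPENLDAP_GROUP /etc/sasl2/slapd.conf 2>/dev/null
+chmod 640 /etc/sasl2/slapd.conf 2>/dev/null
+fi
+if [ -n "$OPENLDAP_KRB5_KEYTAB" ]; then
+keytabfile=${OPENLDAP_KRB5_KEYTAB/#FILE:/}
+if test -f $keytabfile ; then
+chgrp -h $OPENLDAP_GROUP $keytabfile 2>/dev/null
+chmod g+r $keytabfile 2>/dev/null
+fi
+fi
+fi
+fi
+if [ -n "$OPENLDAP_KRB5_KEYTAB" ]; then
+export KRB5_KTNAME=$OPENLDAP_KRB5_KEYTAB
+fi
+case "$OPENLDAP_REGISTER_SLP" in
+[Yy][Ee][Ss])
+SLAPD_SLP_REG="-o slp=on"
+;;
+*)
+SLAPD_SLP_REG="-o slp=off"
+;;
+esac
+
+init_ldap_listener_urls
+init_ldapi_listener_urls
+init_ldaps_listener_urls
+
+if [ ! -d $SLAPD_PID_DIR ]; then
+mkdir -p $SLAPD_PID_DIR
+chown -h ldap:ldap $SLAPD_PID_DIR
+fi
+echo -n "Starting ldap-server"
+exec $SLAPD_BIN -h "$LDAP_URLS $LDAPS_URLS $LDAPI_URLS" \
+$SLAPD_CONFIG_ARG $USER_CMD $GROUP_CMD \
+$OPENLDAP_SLAPD_PARAMS $SLAPD_SLP_REG
+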
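Review bot: `chown_database_dirs` (the slapd.conf path) recursively chowns, as root, every `directory` value found in slapd.conf and its includes without the `/var/lib/ldap` restriction that `chown_database_dirs_bconfig` applies "for security reasons", so the two code paths give different guarantees for the same operation; the loop should resolve with `realpath` and apply the same regex guard, as sketched below. The branch `elif [ ! -f /etc/openldap/slapd.conf -a /etc/openldap/slapd.d ]` tests a bare string, which is always true, so it never distinguishes a missing slapd.d; it should read `elif [ ! -f /etc/openldap/slapd.conf -a -d /etc/openldap/slapd.d ]; then`. The pid-directory setup hard-codes `chown -h ldap:ldap $SLAPD_PID_DIR` while everything else honours the sysconfig user/group, so `chown -h "$OPENLDAP_USER:$OPENLDAP_GROUP" "$SLAPD_PID_DIR"` keeps it consistent when those are overridden. `check_connection` is defined but not called anywhere in this file, and `OPENLDAP_MEMORY_LIMIT` from sysconfig.openldap is not read here either; if both are intentional leftovers a comment saying so would help.
```shell
function chown_database_dirs() {
	ldapdir=`grep ^directory $1 | awk '{print $2}'`
	for dir in $(realpath ${ldapdir}); do
		# same guard as chown_database_dirs_bconfig: never chown outside /var/lib/ldap
		if [[ $dir =~ ^/var/lib/ldap$|^/var/lib/ldap/.* ]]; then
			[ -d "$dir" ] && [ -n "$OPENLDAP_USER" ] && \
				chown -h -R "$OPENLDAP_USER" "$dir" 2>/dev/null
			[ -d "$dir" ] && [ -n "$OPENLDAP_GROUP" ] && \
				chgrp -h -R "$OPENLDAP_GROUP" "$dir" 2>/dev/null
		else
			echo "Skipping chown -h of external directory for security reasons. You must manually run:"
			echo "# chown -h -R $OPENLDAP_USER $dir"
			echo "# chgrp -h -R $OPENLDAP_GROUP $dir"
		fi
	done
	# … unchanged: include recursion with depth guard …
}
```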
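--- a/sysconfig.openldap
+++ b/sysconfig.openldap
@@ -0,0 +1,158 @@
+## Path: Network/LDAP
+## Description: Basic Configuration of the OpenLDAP Directory Server
+
+## Type: yesno
+## Default: yes
+## ServiceRestart: ldap
+#
+# If set to "no" the LDAP server will not accept any "normal" LDAP connections
+# but just connections over "ldaps" or "ldapi". Setting this to "no" does only
+# make sense when either OPENLDAP_START_LDAPS or OPENLDAP_START_LDAPI is set
+# "yes".
+#
+OPENLDAP_START_LDAP="yes"
+
+## Type: yesno
+## Default: no
+## ServiceRestart: ldap
+#
+# If set to "yes" the "ldap over ssl" feature of slapd will be enabled. Don't
+# forget to add the "TLSCertificateFile" and "TLSCertificateKeyFile" options
+# to the /etc/openldap/slapd.conf (man slapd.conf).
+# Note: Don't confuse this with "START_TLS", the preferred method for
+# making encrypted LDAP connections, which is enabled as soon as You
+# specify "TLSCertificateFile" and "TLSCertificateKeyFile" in your config
+# file
+#
+OPENLDAP_START_LDAPS="no"
+
+## Type: yesno
+## Default: no
+## ServiceRestart: ldap
+#
+# If set to "yes", "ldap over IPC" feature of slapd will be enabled.
+# The ldap server creates a Unix domain socket as /var/run/slapd/ldapi.
+# Default: no
+#
+OPENLDAP_START_LDAPI="yes"
+
+## Type: string
+## Default: ""
+## ServiceRestart: ldap
+#
+# If not empty, additional parameters for slapd daemon.
+# Default: ""
+#
+OPENLDAP_SLAPD_PARAMS=""
+
+## Type: string
+## Default: ldap
+## ServiceRestart: ldap
+#
+# specifies a user, as which the openldap server should be executed
+# Default: ldap
+#
+OPENLDAP_USER="ldap"
+
+## Type: string
+## Default: ldap
+## ServiceRestart: ldap
+#
+# specifies a group, as which the openldap server should be executed
+# Default: ldap
+#
+OPENLDAP_GROUP="ldap"
+
+## Type: yesno
+## Default: yes
+## ServiceRestart: ldap
+#
+# If set to "yes" the init scripts will change the owner/group of the
+# different backend database directories (e.g. /var/lib/ldap) to the
+# user/group specified above
+#
+OPENLDAP_CHOWN_DIRS="yes"
+
+## Type: string
+## Default: ""
+## ServiceRestart: ldap
+#
+# Use this to specify the interfaces that the server such accept
+# LDAP connections from. The values are specified in the format
+# <address>:<port>, where address is an IP address and port is the
+# portnumber, the daemon should listen to (defaulting to 389). If this
+# parameter is empty the server will attach to all interfaces. This
+# parameter is only evaluated if "OPENLDAP_START_LDAP" is set to
+# "yes"
+# Default: ""
+#
+OPENLDAP_LDAP_INTERFACES=""
+
+## Type: string
+## Default: ""
+## ServiceRestart: ldap
+#
+# Use this to specify the interfaces that the server such accept
+# LDAPS connections from. The values are specified in the format
+# <address>:<port>, where address is an IP address and port is the
+# portnumber, the daemon should listen to (defaulting to 636). If this
+# parameter is empty the server will attach to all interfaces. This
+# parameter is only evaluated if "OPENLDAP_START_LDAPS" is set to
+# "yes"
+# Default: ""
+#
+OPENLDAP_LDAPS_INTERFACES=""
+
+## Type: string
+## Default: ""
+## ServiceRestart: ldap
+#
+# Use this to specify the paths of the Unix Domain Sockets that
+# the server should create an accept incoming LDAPI connections
+# on. This parameter is only evaluated if "OPENLDAP_START_LDAPI"
+# is set to "yes".
+# Default: ""
+#
+OPENLDAP_LDAPI_INTERFACES=""
+
+## Type: yesno
+## Default: "yes"
+## ServiceRestart: ldap
+#
+# If set to "no" the LDAP server will not try itself at a running SLP
+# daemon.
+# Default: "yes"
+#
+OPENLDAP_REGISTER_SLP="no"
+
+## Type: string
+## Default: ""
+## ServiceRestart: ldap
+#
+# Set this to the name of the keytab, if you want to use a non-default
+# Kerberos Keytab. If OPENLDAP_CHOWN_DIRS is set to "yes" the permissions of
+# this file will be changed so that the group OPENLDAP_GROUP has read
+# access to the file.
+# Example: OPENLDAP_KRB5_KEYTAB="FILE:/etc/openldap/krb5.keytab
+# Default: ""
+#
+OPENLDAP_KRB5_KEYTAB=""
+
+## Type: string
+## Default: "files"
+## ServiceRestart: ldap
+#
+# Here you can configure which of the configuration backends you want to
+# use. Possible values are "files" for slapd.conf(5) styleconfiguration or
+# "ldap" for the slapd-config(5) LDAP based configuration backend.
+#
+OPENLDAP_CONFIG_BACKEND="files"
+
+## Type: yesno
+## Default: "yes"
+## ServiceRestart: ldap
+#
+# Here you can configure if the slapd shall start with or without memory limit.
+#
+OPENLDAP_MEMORY_LIMIT="yes"
+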
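Review bot: The metadata headers contradict the shipped values: `## Default: no` and `# Default: no` precede `OPENLDAP_START_LDAPI="yes"`, and `## Default: "yes"` / `# Default: "yes"` precede `OPENLDAP_REGISTER_SLP="no"`; these headers are what sysconfig tooling presents to administrators, so either align them with the values actually shipped (ldapi on, SLP registration off) or change the values. The keytab example `# Example: OPENLDAP_KRB5_KEYTAB="FILE:/etc/openldap/krb5.keytab` is missing its closing quote, which matters because the start script strips the `FILE:` prefix from exactly this form. `OPENLDAP_MEMORY_LIMIT` is documented here but nothing in the start script added by this commit reads it, so either wire it up or say where it is consumed. "such accept" in the two interface descriptions should read "should accept", and "create an accept" should be "create and accept".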
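--- a/update-crc.sh
+++ b/update-crc.sh
@@ -0,0 +1,67 @@
+#!/bin/bash
+# Script to fix the crc of openldap slapd.d ldifs.
+
+do_update_crc () {
+if [ -z ${1} ]; then
+echo "Invalid call to do_update_crc() - no filename provided"
+exit 1
+fi
+
+tgt_ldif=$1
+
+if [ ! -f "${tgt_ldif}" ]; then
+echo "invalid call to do_update_crc() - file ${tgt_ldif} does not exist?"
+exit 1
+fi
+
+rm -f "${tgt_ldif}.crcbak"
+mv "${tgt_ldif}" "${tgt_ldif}.crcbak"
+
+/usr/bin/awk '
+BEGIN {
+# CRC-32 ZIP polynomial in reversed bit order.
+POLY = 0xedb88320
+
+# 8-bit character -> ordinal table.
+for (i = 0; i < 256; i++)
+ORD[sprintf("%c", i)] = i
+}
+
+{
+# Remember each input line.
+input[NR] = $0
+
+# Verify the file header.
+if (NR == 1 && $0 != "# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.")
+exit 1
+if (NR == 2 && $0 !~ /# CRC32 ......../)
+exit 1
+}
+
+# Calculate CRC-32.
+function crc32(crc, string, i, j, c) {
+crc = and(compl(crc), 0xffffffff)
+for (i = 1; i <= length(string); i++) {
+c = substr(string, i, 1)
+crc = xor(crc, ORD[c])
+for (j = 0; j < 8; j++)
+crc = and(crc, 1) ? xor(rshift(crc, 1), POLY) : rshift(crc, 1)
+}
+crc = and(compl(crc), 0xffffffff)
+return crc
+}
+
+END {
+# Calculate CRC-32 of the file and update it in the header.
+crc = 0
+for (i = 3; i <= length(input); i++)
+crc = crc32(crc, input[i] "\n")
+input[2] = "# CRC32 " sprintf("%08x", crc)
+
+# Print the output.
+for (i = 1; i <= length(input); i++)
+print input[i]
+}' "${tgt_ldif}.crcbak" > "${tgt_ldif}"
+
+}
+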
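Review bot: The awk exit status is never checked after `}' "${tgt_ldif}.crcbak" > "${tgt_ldif}"`, and because the original has already been moved to `.crcbak`, a header-check failure (`exit 1` in the main rule, after which awk still runs END) leaves the target LDIF rewritten from whatever lines were read so far; append `|| { mv -f "${tgt_ldif}.crcbak" "${tgt_ldif}"; return 1; }` to that line so a bad input is restored rather than replaced. `[ -z ${1} ]` should quote its operand (`[ -z "${1}" ]`) so a path containing whitespace does not break the test, and the two `exit 1` calls inside the function terminate the calling shell if this file is sourced, which seems to be the intent since the function is defined but not invoked here; `return 1` is safer. The CRC routine depends on `and`/`xor`/`compl`/`rshift`, which are gawk extensions, so `/usr/bin/awk` must resolve to gawk on the target system; naming `gawk` explicitly or noting the dependency in the header comment would make that visible. The header pattern `/# CRC32 ......../` accepts any eight characters; `/^# CRC32 [0-9a-f]{8}$/` matches only what slapd actually writes.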