Accepting request 354705 from home:stroeder:branches:network:ldap

Compared to my obsoleted request #339745:
1. sysconfdir now correctly is /etc/openldap
2. slapd starts with default configuration file (tested on openSUSE 13.2 and Tumbleweed)
3. added Recommends: cyrus-sasl
4. replaced README.dynamic-overlays by README.module-loading with updated text
5. added patch for OpenLDAP ITS#8336

OBS-URL: https://build.opensuse.org/request/show/354705
OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=146
This commit is contained in:
Howard Guo 2016-01-21 13:36:42 +00:00 committed by Git OBS Bridge
parent 429b456698
commit 605d80a7bb
24 changed files with 1919 additions and 392 deletions

View File

@ -1,35 +1,38 @@
From a8be17d4a1db1c6ee24b328f3f34e21ccb02ca3f Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp <rhafer@suse.de>
Date: Wed, 16 Jun 2010 14:05:49 +0200
Subject: slapd.conf
diff --git a/servers/slapd/slapd.conf b/servers/slapd/slapd.conf
index 4938b85..9caf292 100644
index 4938b85..b9bec75 100644
--- a/servers/slapd/slapd.conf
+++ b/servers/slapd/slapd.conf
@@ -3,6 +3,10 @@
@@ -2,7 +2,11 @@
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include %SYSCONFDIR%/schema/core.schema
+include %SYSCONFDIR%/schema/cosine.schema
+include %SYSCONFDIR%/schema/inetorgperson.schema
+include %SYSCONFDIR%/schema/rfc2307bis.schema
+include %SYSCONFDIR%/schema/yast.schema
-include %SYSCONFDIR%/schema/core.schema
+include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/rfc2307bis.schema
+include /etc/openldap/schema/yast.schema
# Define global ACLs to disable default read access.
@@ -10,8 +14,8 @@ include %SYSCONFDIR%/schema/core.schema
@@ -10,13 +14,13 @@ include %SYSCONFDIR%/schema/core.schema
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
-pidfile %LOCALSTATEDIR%/run/slapd.pid
-argsfile %LOCALSTATEDIR%/run/slapd.args
+pidfile %LOCALSTATEDIR%/slapd.pid
+argsfile %LOCALSTATEDIR%/slapd.args
+pidfile /run/slapd/slapd.pid
+argsfile /run/slapd/slapd.args
# Load dynamic backend modules:
# modulepath %MODULEDIR%
-# modulepath %MODULEDIR%
+# modulepath /usr/lib/openldap
# moduleload back_bdb.la
-# moduleload back_hdb.la
+moduleload back_hdb.la
# moduleload back_ldap.la
# Sample security restrictions
@@ -26,20 +30,30 @@ argsfile %LOCALSTATEDIR%/run/slapd.args
# security ssf=1 update_ssf=112 simple_bind=64
@ -75,9 +78,12 @@ index 4938b85..9caf292 100644
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
@@ -52,6 +66,8 @@ argsfile %LOCALSTATEDIR%/run/slapd.args
@@ -50,8 +64,10 @@ argsfile %LOCALSTATEDIR%/run/slapd.args
# BDB database definitions
#######################################################################
database bdb
-database bdb
+database hdb
suffix "dc=my-domain,dc=com"
+checkpoint 1024 5
+cachesize 10000
@ -92,6 +98,3 @@ index 4938b85..9caf292 100644
+directory /var/lib/ldap
# Indices to maintain
index objectClass eq
--
1.7.10.4

View File

@ -1,29 +0,0 @@
From 895fa6d9b49344e1a92f7df3ed65458519e22f98 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp <rhafer@suse.de>
Date: Tue, 5 Oct 2010 14:20:22 +0200
Subject: Recover on DB version change
If the libdb Version changed try to recover the database. Note: This will
only succeed if only the format of transaction logs changed.
diff --git a/servers/slapd/back-bdb/init.c b/servers/slapd/back-bdb/init.c
index ac5a6d5..fea5cb4 100644
--- a/servers/slapd/back-bdb/init.c
+++ b/servers/slapd/back-bdb/init.c
@@ -330,6 +330,13 @@ shm_retry:
rc = (bdb->bi_dbenv->open)( bdb->bi_dbenv, dbhome,
flags | do_recover, bdb->bi_dbenv_mode );
+ if ( rc == DB_VERSION_MISMATCH ) {
+ Debug( LDAP_DEBUG_ANY,
+ LDAP_XSTRING(bdb_db_open) ": bdb version change detected "
+ "trying to recover\n", 0, 0, 0 );
+ rc = (bdb->bi_dbenv->open)( bdb->bi_dbenv, dbhome,
+ flags | DB_RECOVER, bdb->bi_dbenv_mode );
+ }
if ( rc ) {
/* Regular open failed, probably a missing shm environment.
* Start over, do a recovery.
--
1.7.10.4

View File

@ -1,29 +0,0 @@
From d4b247e43fe1ea1b3713f3d8f493422d5adcc537 Mon Sep 17 00:00:00 2001
From: HouzuoGuo <guohouzuo@gmail.com>
Date: Fri, 13 Mar 2015 16:14:10 +0100
Subject: [PATCH] In monitor backend, do not return Connection0 entries as they
are created for internal use only.
---
servers/slapd/back-monitor/conn.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/servers/slapd/back-monitor/conn.c b/servers/slapd/back-monitor/conn.c
index c1995b0..2d27738 100644
--- a/servers/slapd/back-monitor/conn.c
+++ b/servers/slapd/back-monitor/conn.c
@@ -454,6 +454,11 @@ monitor_subsys_conn_create(
c != NULL;
c = connection_next( c, &connindex ) )
{
+ /* Connection 0 is created by connection_client_setup for internal use only */
+ if (c->c_connid == 0) {
+ continue;
+ }
+
monitor_entry_t *mp;
if ( conn_create( mi, c, &e, ms ) != SLAP_CB_CONTINUE
--
2.1.4

View File

@ -1,27 +0,0 @@
From 844ee7df820fa397249ce76984d2e7094746cd93 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@symas.com>
Date: Sat, 12 Sep 2015 22:18:22 +0100
Subject: [PATCH] Revert "Revert "ITS#8240 remove obsolete assert""
We have never documented our use of assert, so can't expect
builders to do the right thing.
This reverts commit 55dd4d3275d24c5190fdfada8dfae0320628b993.
The commit fixes CVE-2015-6908.
diff --git a/libraries/liblber/io.c b/libraries/liblber/io.c
index 85c3e23..c05dcf8 100644
--- a/libraries/liblber/io.c
+++ b/libraries/liblber/io.c
@@ -679,7 +679,7 @@ done:
return (ber->ber_tag);
}
- assert( 0 ); /* ber structure is messed up ?*/
+ /* invalid input */
return LBER_DEFAULT;
}
--
2.6.3

View File

@ -1,19 +0,0 @@
Most of the OpenLDAP overlays are now compiled as dynamic modules in our
packages. If you want to use any of these in your setup make sure to put
the correct "olcModuleLoad" or "moduleload" statements in your configuration.
For details please see the slapd-config(5) and slapd.conf(5) manpages
(depending on which config mechanism you use).
For a list of the list of included dynamic modules see the
"/usr/lib/openldap/modules/" directory.
For convenience and backwards compatibility some overlays are are still
compiled statically into the slapd binary. To see which overlays that are
call "/usr/lib/openldap/slapd -VVV". Currently these are:
syncprov (the provider part of syncrepl replication)
ppolicy (a LDAP Password Policy implementation)
Documentations for the overlays can be found in the respective man pages
(named "slapo-<overlay-name>") or the OpenLDAP Administration Guide which
is part of the "openldap2-doc" package.

25
README.module-loading Normal file
View File

@ -0,0 +1,25 @@
All of the OpenLDAP backends (except back-config) and overlays are now
compiled as dynamic modules in our packages. If you want to use any of
these in your setup make sure to put the correct "olcModuleLoad" or
"moduleload" statements in your configuration.
For details please see the slapd-config(5) and slapd.conf(5) manpages
(depending on which config mechanism you use).
For a list of the included dynamic modules list all modules files:
ls /usr/lib*/openldap/*.so
Or just the backend files:
ls /usr/lib*/openldap/back_*.so
Documentations for the overlays can be found in the respective man pages or
the OpenLDAP Administration Guide which is part of the "openldap2-doc"
package.
Backend man-pages:
man 5 slapo-<back_name>
Overlays man-pages:
man 5 slapo-<name>

17
SuSEfirewall2.openldap Normal file
View File

@ -0,0 +1,17 @@
## Name: OpenLDAP Server
## Description: Opens ports for the OpenLDAP Server (slapd).
# space separated list of allowed TCP ports
TCP="ldap ldaps"
# space separated list of allowed UDP ports
UDP="ldap"
# space separated list of allowed RPC services
RPC=""
# space separated list of allowed IP protocols
IP=""
# space separated list of allowed UDP broadcast ports
BROADCAST=""

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a1a0de4fe8c80b0210a706a9e8313b3c2f8b72b2de88961acf433a4e09752a4f
size 3480

23
ldapns.schema Normal file
View File

@ -0,0 +1,23 @@
# $Id: ldapns.schema,v 1.3 2003/05/29 12:57:29 lukeh Exp $
# LDAP Name Service Additional Schema
# http://www.iana.org/assignments/gssapi-service-names
attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
DESC 'IANA GSS-API authorized service name'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
DESC 'Auxiliary object class for adding authorizedService attribute'
SUP top
AUXILIARY
MAY authorizedService )
objectclass ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject'
DESC 'Auxiliary object class for adding host attribute'
SUP top
AUXILIARY
MAY host )

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:eeb7b0e2c5852bfd2650e83909bb6152835c0b862fab10b63954dc1bcbba8e63
size 5645925

3
openldap-2.4.43.tgz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:34d78e5598a2b0360d26a9050fcdbbe198c65493b013bb607839d5598b6978c8
size 5654057

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5ec6d4241cd2080d20f9d8da8d76e51cfbe88ab14cdb9cbff4fea1348ce174c4
size 4018

View File

@ -0,0 +1,80 @@
diff --git a/servers/slapd/back-bdb/filterindex.c b/servers/slapd/back-bdb/filterindex.c
index 71e3ea4..bafef72 100644
--- a/servers/slapd/back-bdb/filterindex.c
+++ b/servers/slapd/back-bdb/filterindex.c
@@ -741,7 +741,7 @@ equality_candidates(
&db, &mask, &prefix );
if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
- Debug( LDAP_DEBUG_ANY,
+ Debug( LDAP_DEBUG_TRACE,
"<= bdb_equality_candidates: (%s) not indexed\n",
ava->aa_desc->ad_cname.bv_val, 0, 0 );
return 0;
@@ -858,7 +858,7 @@ approx_candidates(
&db, &mask, &prefix );
if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
- Debug( LDAP_DEBUG_ANY,
+ Debug( LDAP_DEBUG_TRACE,
"<= bdb_approx_candidates: (%s) not indexed\n",
ava->aa_desc->ad_cname.bv_val, 0, 0 );
return 0;
@@ -978,7 +978,7 @@ substring_candidates(
&db, &mask, &prefix );
if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
- Debug( LDAP_DEBUG_ANY,
+ Debug( LDAP_DEBUG_TRACE,
"<= bdb_substring_candidates: (%s) not indexed\n",
sub->sa_desc->ad_cname.bv_val, 0, 0 );
return 0;
@@ -1095,7 +1095,7 @@ inequality_candidates(
&db, &mask, &prefix );
if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
- Debug( LDAP_DEBUG_ANY,
+ Debug( LDAP_DEBUG_TRACE,
"<= bdb_inequality_candidates: (%s) not indexed\n",
ava->aa_desc->ad_cname.bv_val, 0, 0 );
return 0;
diff --git a/servers/slapd/back-mdb/filterindex.c b/servers/slapd/back-mdb/filterindex.c
index 58c1cc8..20c58b7 100644
--- a/servers/slapd/back-mdb/filterindex.c
+++ b/servers/slapd/back-mdb/filterindex.c
@@ -709,7 +709,7 @@ equality_candidates(
&dbi, &mask, &prefix );
if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
- Debug( LDAP_DEBUG_ANY,
+ Debug( LDAP_DEBUG_TRACE,
"<= mdb_equality_candidates: (%s) not indexed\n",
ava->aa_desc->ad_cname.bv_val, 0, 0 );
return 0;
@@ -825,7 +825,7 @@ approx_candidates(
&dbi, &mask, &prefix );
if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
- Debug( LDAP_DEBUG_ANY,
+ Debug( LDAP_DEBUG_TRACE,
"<= mdb_approx_candidates: (%s) not indexed\n",
ava->aa_desc->ad_cname.bv_val, 0, 0 );
return 0;
@@ -944,7 +944,7 @@ substring_candidates(
&dbi, &mask, &prefix );
if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
- Debug( LDAP_DEBUG_ANY,
+ Debug( LDAP_DEBUG_TRACE,
"<= mdb_substring_candidates: (%s) not indexed\n",
sub->sa_desc->ad_cname.bv_val, 0, 0 );
return 0;
@@ -1060,7 +1060,7 @@ inequality_candidates(
&dbi, &mask, &prefix );
if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
- Debug( LDAP_DEBUG_ANY,
+ Debug( LDAP_DEBUG_TRACE,
"<= mdb_inequality_candidates: (%s) not indexed\n",
ava->aa_desc->ad_cname.bv_val, 0, 0 );
return 0;

View File

@ -0,0 +1,25 @@
From fd7bfbc0df0ade534bea84914d385ecf2a73f678 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Tue, 8 Dec 2015 18:17:24 +0000
Subject: ITS#8336 fix page_search_root assert on FreeDB
Let "illegal" branch pages thru on the FreeDB - the condition
is only temporary and will be fixed by the time rebalance finishes.
diff --git a/libraries/liblmdb/mdb.c b/libraries/liblmdb/mdb.c
index fa0c9e5..a624cba 100644
--- a/libraries/liblmdb/mdb.c
+++ b/libraries/liblmdb/mdb.c
@@ -5279,7 +5279,11 @@ mdb_page_search_root(MDB_cursor *mc, MDB_val *key, int flags)
indx_t i;
DPRINTF(("branch page %"Z"u has %u keys", mp->mp_pgno, NUMKEYS(mp)));
- mdb_cassert(mc, NUMKEYS(mp) > 1);
+ /* Don't assert on branch pages in the FreeDB. We can get here
+ * while in the process of rebalancing a FreeDB branch page; we must
+ * let that proceed. ITS#8336
+ */
+ mdb_cassert(mc, !mc->mc_dbi || NUMKEYS(mp) > 1);
DPRINTF(("found index 0 to page %"Z"u", NODEPGNO(NODEPTR(mp, 0))));
if (flags & (MDB_PS_FIRST|MDB_PS_LAST)) {

View File

@ -1,5 +1,37 @@
-------------------------------------------------------------------
Wed Dec 2 12:51:10 UTC 2015 - hguo@suse.com
Tue Dec 8 11:36:16 UTC 2015 - michael@stroeder.com
- Upgrade to upstream 2.4.43 release with accumulated bug fixes.
- Still build on SLES12
- Loadable backend and overlay modules are now installed
into arch-specific path %{_libdir}/openldap
- All backends and overlays as modules for smaller memory footprint
on memory constrained systems
- Added extra package for back-sock
- Consequent use of %{_rundir} everywhere
- Rely on upstream ./configure script instead of any other
macro foo
- Dropped linking with libwrap
- Dropped 0004-libldap-use-gethostbyname_r.dif because this
work-around for nss_ldap is obsolete
- New sub-package openldap2-contrib with selected contrib/ overlays
- Replaced addonschema.tar.gz with separate schema sources
- Updated ldapns.schema from recent slapo-nssov source tree
- Added symbolic link to slapd executable in /usr/sbin/
- Added more complex example configuration file
/etc/openldap/slapd.conf.example
- Set OPENLDAP_START_LDAPI="yes" in /etc/sysconfig/openldap
- Set OPENLDAP_REGISTER_SLP="no" in /etc/sysconfig/openldap
- Added patch for OpenLDAP ITS#7796 to avoid excessive
"not index" logging
- Replaced openldap-rc.tgz with single source files
- Added soft dependency (Recommends) to cyrus-sasl
- Added soft dependency (Recommends) to cyrus-sasl-devel
to openldap2-devel
- Added patch for OpenLDAP ITS#8336 (assert in liblmdb)
-------------------------------------------------------------------
Wed Dec 2 12:50:47 UTC 2015 - hguo@suse.com
- Introduce patch 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
to fix CVE-2015-6908. (bsc#945582)
@ -36,7 +68,7 @@ Fri Oct 9 09:19:35 UTC 2015 - hguo@suse.com
check-build.sh
-------------------------------------------------------------------
Thu Oct 1 11:08:59 UTC 2015 - hguo@suse.com
Thu Oct 1 11:08:41 UTC 2015 - hguo@suse.com
- Upgrade to upstream 2.4.42 release with accumulated bug fixes.

View File

@ -1,7 +1,7 @@
#
# spec file for package openldap2-client
#
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -17,52 +17,58 @@
%define run_test_suite 0
%define version_main 2.4.42
%define version_main 2.4.43
%if ! %{defined _rundir}
%define _rundir %{_localstatedir}/run
%if %{suse_version} >= 1310 && %{suse_version} != 1315
%define _rundir /run/slapd
%else
%define _rundir /var/run/slapd
%endif
Name: openldap2-client
Summary: The OpenLDAP commandline client tools
License: OLDAP-2.8
Group: Productivity/Networking/LDAP/Clients
Version: 2.4.42
Version: %{version_main}
Release: 0
Url: http://www.openldap.org
Source: openldap-%{version_main}.tgz
Source1: openldap-rc.tgz
Source2: addonschema.tar.gz
Source3: DB_CONFIG
Source4: sasl-slapd.conf
Source5: README.dynamic-overlays
Source5: README.module-loading
Source6: schema2ldif
Source7: baselibs.conf
Patch1: 0001-build-adjustments.dif
Source9: ldapns.schema
Source10: rfc2307bis.schema
Source11: yast.schema
Source12: slapd.conf.example
Source13: start
Source14: slapd.service
Source15: SuSEfirewall2.openldap
Source16: sysconfig.openldap
Patch2: 0002-slapd.conf.dif
Patch3: 0003-LDAPI-socket-location.dif
Patch4: 0004-libldap-use-gethostbyname_r.dif
#Patch4: 0004-libldap-use-gethostbyname_r.dif
Patch5: 0005-pie-compile.dif
Patch6: 0006-No-Build-date-and-time-in-binaries.dif
Patch7: 0007-Recover-on-DB-version-change.dif
Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch
Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch
Patch10: 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
Patch10: openldap-re24-its7796.patch
Patch11: 0011-Enforce-minimum-DH-size-of-1024.patch
Patch12: openldap-re24-its8336.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: cyrus-sasl-devel
BuildRequires: groff
BuildRequires: libopenssl-devel
BuildRequires: libtool
Requires: libldap-2_4-2 = %{version_main}
Recommends: cyrus-sasl
%if "%{name}" == "openldap2"
BuildRequires: db-devel
BuildRequires: openslp-devel
BuildRequires: tcpd-devel
BuildRequires: unixODBC-devel
Conflicts: openldap
Requires: libldap-2_4-2 = %{version_main}
PreReq: %insserv_prereq %fillup_prereq /usr/sbin/useradd /usr/sbin/groupadd /usr/bin/grep
%if 0%{?suse_version} >= 1140
%if %{suse_version} >= 1310 && %{suse_version} != 1315
# avoid cycle with krb5
BuildRequires: krb5-mini
BuildRequires: pkgconfig(systemd)
@ -70,7 +76,6 @@ BuildRequires: pkgconfig(systemd)
%endif
%else
Conflicts: openldap-client
Requires: libldap-2_4-2 = %{version_main}
%endif
# For /usr/bin/strings
Requires(pre): binutils
@ -78,10 +83,10 @@ Requires(pre): binutils
%if "%{name}" == "openldap2"
%description
The Lightweight Directory Access Protocol (LDAP) is used to access
online directory services. It runs directly over TCP and can be used to
access a stand-alone LDAP directory service or to access a directory
service that has an X.500 back-end.
OpenLDAP is a client and server reference implementation of the
Lightweight Directory Access Protocol v3 (LDAPv3).
The server provides several database backends and overlays.
%package -n openldap2-back-perl
Summary: OpenLDAP Perl Back-End
@ -93,6 +98,16 @@ Requires: perl = %{perl_version}
The OpenLDAP Perl back-end allows you to execute Perl code specific to
different LDAP operations.
%package -n openldap2-back-sock
Summary: OpenLDAP Socket Back-End
Group: Productivity/Networking/LDAP/Servers
Requires: openldap2 = %{version_main}
Provides: openldap2:/usr/share/man/man5/slapd-sock.5.gz
%description -n openldap2-back-sock
The OpenLDAP socket back-end allows you to handle LDAP requests and
results with an external process listening on a Unix domain socket.
%package -n openldap2-back-meta
Summary: OpenLDAP Meta Back-End
Group: Productivity/Networking/LDAP/Servers
@ -115,6 +130,25 @@ The primary purpose of this OpenLDAP backend is to present information
stored in a Relational (SQL) Database as an LDAP subtree without the need
to do any programming.
%package -n openldap2-contrib
Summary: OpenLDAP Contrib Modules
Group: Productivity/Networking/LDAP/Servers
Requires: openldap2 = %{version_main}
%description -n openldap2-contrib
Various overlays found in contrib/:
allop
allowed Generates attributes indicating access rights
autogroup
cloak
denyop
lastbind writes last bind timestamp to entry
noopsrch handles no-op search control
nops
pw-sha2 generates/validates SHA-2 password hashes
pw-pbkdf2 generates/validates PBKDF2 password hashes
smbk5pwd generates Samba3 password hashes (heimdal krb disabled)
%package -n openldap2-doc
Summary: OpenLDAP Documentation
Group: Documentation/Other
@ -126,6 +160,7 @@ BuildArch: noarch
%description -n openldap2-doc
The OpenLDAP Admin Guide plus a set of OpenLDAP related IETF internet drafts
Authors:
--------
The OpenLDAP Project <project@openldap.org>
@ -145,6 +180,7 @@ Obsoletes: openldap2-devel-64bit
#
Conflicts: openldap-devel
Requires: libldap-2_4-2 = %{version_main}
Recommends: cyrus-sasl-devel
%description -n openldap2-devel
This package provides the OpenLDAP libraries, header files, and
@ -171,60 +207,75 @@ This package contains the OpenLDAP client libraries.
%endif
%prep
%setup -q -n openldap-%{version_main} -a1 -a2
%patch1 -p1
%setup -q -n openldap-%{version_main}
%patch2 -p1
%patch3 -p1
%patch4 -p1
#%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
cp %{SOURCE5} .
%build
%{?suse_update_config:%{suse_update_config -f build}}
libtoolize --force
autoreconf
export CFLAGS="$RPM_OPT_FLAGS -Wno-format-extra-args -fno-strict-aliasing -DLDAP_DEPRECATED -DLDAP_CONNECTIONLESS -DSLAP_CONFIG_DELETE"
# %{?suse_update_config:%{suse_update_config -f build}}
#libtoolize --force
#autoreconf
# export CFLAGS="${RPM_OPT_FLAGS} -Wno-format-extra-args -fno-strict-aliasing -DNDEBUG -DSLAP_CONFIG_DELETE -DSLAP_SCHEMA_EXPOSE -DLDAP_COLLECTIVE_ATTRIBUTES"
export CFLAGS="-Wno-format-extra-args -fno-strict-aliasing -DNDEBUG -DSLAP_CONFIG_DELETE -DSLAP_SCHEMA_EXPOSE -DLDAP_COLLECTIVE_ATTRIBUTES"
export STRIP=""
%configure \
--localstatedir=%{_rundir}/slapd \
--libexecdir=/usr/lib/openldap \
--enable-wrappers \
./configure \
--prefix=/usr \
--sysconfdir=%{_sysconfdir} \
--libdir=%{_libdir} \
--libexecdir=%{_libdir} \
--localstatedir=%{_rundir} \
--enable-wrappers=no \
--enable-spasswd \
--enable-modules \
--enable-shared \
--enable-dynamic \
--with-tls \
--with-tls=openssl \
--with-cyrus-sasl \
--enable-crypt \
--enable-ipv6=yes \
%if "%{name}" == "openldap2"
--enable-aci \
--enable-bdb \
--enable-hdb \
--enable-bdb=mod \
--enable-hdb=mod \
--enable-rewrite \
--enable-ldap=yes \
--enable-ldap=mod \
--enable-meta=mod \
--enable-monitor=yes \
--enable-monitor=mod \
--enable-perl=mod \
--enable-sock=mod \
--enable-sql=mod \
--enable-mdb=yes \
--enable-mdb=mod \
--enable-relay=mod \
--enable-slp \
--enable-overlays=mod \
--enable-syncprov=yes \
--enable-ppolicy=yes \
--enable-syncprov=mod \
--enable-ppolicy=mod \
%else
--disable-slapd \
%endif
--enable-lmpasswd \
--with-yielding-select
--with-yielding-select \
|| cat config.log
make depend
make %{?_smp_mflags}
%if "%{name}" == "openldap2"
# Build selected contrib overlays
for SLAPO_NAME in allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2
do
make -C contrib/slapd-modules/${SLAPO_NAME} %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}"
done
# One more level up needed because of passwd/sha2
# slapo-smbk5pwd only for Samba password hashes
make -C contrib/slapd-modules/smbk5pwd %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" DEFS="-DDO_SAMBA" HEIMDAL_LIB=""
%endif
%check
%if %run_test_suite
@ -252,50 +303,67 @@ make SLAPD_DEBUG=0 test
%endif
%install
mkdir -p $RPM_BUILD_ROOT/usr/lib/openldap/
mkdir -p $RPM_BUILD_ROOT/usr/sbin
mkdir -p $RPM_BUILD_ROOT/%{_unitdir}
make STRIP="" DESTDIR=$RPM_BUILD_ROOT install
install -m 755 start $RPM_BUILD_ROOT/usr/lib/openldap/start
install -m 644 slapd.service $RPM_BUILD_ROOT/%{_unitdir}
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/slapd.d
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sasl2
install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_sysconfdir}/sasl2/slapd.conf
install -m 755 -d $RPM_BUILD_ROOT/var/lib/ldap
chmod a+x $RPM_BUILD_ROOT/%{_libdir}/liblber.so*
chmod a+x $RPM_BUILD_ROOT/%{_libdir}/libldap_r.so*
chmod a+x $RPM_BUILD_ROOT/%{_libdir}/libldap.so*
install -m 755 %{SOURCE6} $RPM_BUILD_ROOT/usr/sbin/schema2ldif
mkdir -p ${RPM_BUILD_ROOT}/%{_libdir}/openldap
mkdir -p ${RPM_BUILD_ROOT}/usr/lib/openldap
mkdir -p ${RPM_BUILD_ROOT}/usr/sbin
mkdir -p ${RPM_BUILD_ROOT}/%{_unitdir}
make STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
# Additional symbolic link to slapd executable in /usr/sbin/
%if "%{name}" == "openldap2"
ln -s %{_libdir}/slapd ${RPM_BUILD_ROOT}/usr/sbin/slapd
%endif
%if "%{name}" == "openldap2"
# Install selected contrib overlays
for SLAPO_NAME in allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2
do
make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
done
# slapo-smbk5pwd only for Samba password hashes
make -C contrib/slapd-modules/smbk5pwd STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
%endif
install -m 755 %{SOURCE13} ${RPM_BUILD_ROOT}/usr/lib/openldap/start
install -m 644 %{SOURCE14} ${RPM_BUILD_ROOT}/%{_unitdir}
mkdir -p ${RPM_BUILD_ROOT}/%{_sysconfdir}/openldap/slapd.d
mkdir -p ${RPM_BUILD_ROOT}/%{_sysconfdir}/sasl2
install -m 644 %{SOURCE4} ${RPM_BUILD_ROOT}/%{_sysconfdir}/sasl2/slapd.conf
install -m 755 -d ${RPM_BUILD_ROOT}/var/lib/ldap
chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/liblber.so*
chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/libldap_r.so*
chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/libldap.so*
install -m 755 %{SOURCE6} ${RPM_BUILD_ROOT}/usr/sbin/schema2ldif
%if "%{name}" == "openldap2"
%define DOCDIR %{_defaultdocdir}/%{name}
mkdir -p $RPM_BUILD_ROOT/var/adm/fillup-templates
install -m 644 sysconfig.openldap $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.openldap
install -m 644 *.schema $RPM_BUILD_ROOT/etc/openldap/schema
install -m 644 %{SOURCE3} $RPM_BUILD_ROOT/var/lib/ldap/DB_CONFIG
install -m 644 $RPM_BUILD_ROOT/etc/openldap/DB_CONFIG.example $RPM_BUILD_ROOT/var/lib/ldap/DB_CONFIG.example
install -d $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/services/
install -m 644 SuSEfirewall2.openldap $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/services/openldap
mkdir -p ${RPM_BUILD_ROOT}/var/adm/fillup-templates
install -m 644 %{SOURCE16} ${RPM_BUILD_ROOT}/var/adm/fillup-templates/sysconfig.openldap
install -m 644 %{SOURCE9} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap/schema
install -m 644 %{SOURCE10} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap/schema
install -m 644 %{SOURCE11} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap/schema
install -m 644 %{SOURCE12} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap
install -m 644 %{SOURCE3} ${RPM_BUILD_ROOT}/var/lib/ldap/DB_CONFIG
install -m 644 ${RPM_BUILD_ROOT}/etc/openldap/DB_CONFIG.example ${RPM_BUILD_ROOT}/var/lib/ldap/DB_CONFIG.example
install -d ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/
install -m 644 %{SOURCE15} ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/openldap
rm -f `find doc/guide ! -name *.html -a ! -name *.gif -a ! -name *.png -a ! -type d`
rm -rf doc/guide/release
install -d $RPM_BUILD_ROOT/%{DOCDIR}/adminguide \
$RPM_BUILD_ROOT/%{DOCDIR}/images \
$RPM_BUILD_ROOT/%{DOCDIR}/drafts
install -m 644 doc/guide/admin/* $RPM_BUILD_ROOT/%{DOCDIR}/adminguide
install -m 644 doc/guide/images/*.gif $RPM_BUILD_ROOT/%{DOCDIR}/images
install -m 644 doc/drafts/* $RPM_BUILD_ROOT/%{DOCDIR}/drafts
install -d ${RPM_BUILD_ROOT}/%{DOCDIR}/adminguide \
${RPM_BUILD_ROOT}/%{DOCDIR}/images \
${RPM_BUILD_ROOT}/%{DOCDIR}/drafts
install -m 644 doc/guide/admin/* ${RPM_BUILD_ROOT}/%{DOCDIR}/adminguide
install -m 644 doc/guide/images/*.gif ${RPM_BUILD_ROOT}/%{DOCDIR}/images
install -m 644 doc/drafts/* ${RPM_BUILD_ROOT}/%{DOCDIR}/drafts
install -m 644 ANNOUNCEMENT \
COPYRIGHT \
LICENSE \
README \
CHANGES \
%{SOURCE5} \
$RPM_BUILD_ROOT/%{DOCDIR}
${RPM_BUILD_ROOT}/%{DOCDIR}
install -m 644 servers/slapd/slapd.ldif \
$RPM_BUILD_ROOT/%{DOCDIR}/slapd.ldif.default
rm -f $RPM_BUILD_ROOT/etc/openldap/DB_CONFIG.example
rm -f $RPM_BUILD_ROOT/etc/openldap/schema/README
rm -f $RPM_BUILD_ROOT/etc/openldap/slapd.ldif*
rm -f $RPM_BUILD_ROOT%{_rundir}/slapd/openldap-data/DB_CONFIG.example
${RPM_BUILD_ROOT}/%{DOCDIR}/slapd.ldif.default
rm -f ${RPM_BUILD_ROOT}/etc/openldap/DB_CONFIG.example
rm -f ${RPM_BUILD_ROOT}/etc/openldap/schema/README
rm -f ${RPM_BUILD_ROOT}/etc/openldap/slapd.ldif*
rm -f ${RPM_BUILD_ROOT}/%{_rundir}/openldap-data/DB_CONFIG.example
mv servers/slapd/back-sql/rdbms_depend servers/slapd/back-sql/examples
# Provide SUSE policy symlink /usr/sbin/rcFOO -> /etc/init.d/FOO
# /usr/sbin/service exists only since openSUSE 12.3:
@ -305,16 +373,15 @@ ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcslapd
ln -s /sbin/service %{buildroot}%{_sbindir}/rcslapd
%endif
%endif
rm -f $RPM_BUILD_ROOT/usr/lib/openldap/modules/*.a
rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-dnssrv.5
rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-ndb.5
rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-null.5
rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-passwd.5
rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-shell.5
rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-sock.5
rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-tcl.5
rm -f ${RPM_BUILD_ROOT}/%{_libdir}/openldap/*.a
rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-dnssrv.5
rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-ndb.5
rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-null.5
rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-passwd.5
rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-shell.5
rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-tcl.5
# Remove *.la files, libtool does not handle this correct
rm -f $RPM_BUILD_ROOT%{_libdir}/lib*.la
rm -f ${RPM_BUILD_ROOT}%{_libdir}/lib*.la
#put filelists into files
cat >openldap2.filelist <<EOF
@ -328,36 +395,45 @@ cat >openldap2.filelist <<EOF
%dir /etc/openldap/schema
%config /etc/openldap/schema/*.schema
%config /etc/openldap/schema/*.ldif
%config(noreplace) %attr(640, root, ldap) /etc/openldap/slapd.conf
%config(noreplace) %attr(640, root, ldap) /%{_sysconfdir}/openldap/slapd.conf
%config(noreplace) %attr(640, ldap, ldap) /var/lib/ldap/DB_CONFIG
%config /var/lib/ldap/DB_CONFIG.example
%attr(640, root, ldap) /%{_sysconfdir}/openldap/slapd.conf.default
%config %attr(640, root, ldap) /%{_sysconfdir}/openldap/slapd.conf.default
%config %attr(640, root, ldap) /%{_sysconfdir}/openldap/slapd.conf.example
%config(noreplace) /etc/sasl2/slapd.conf
%dir /usr/lib/openldap
%dir /usr/lib/openldap/modules
/usr/lib/openldap/modules/accesslog*
/usr/lib/openldap/modules/auditlog*
/usr/lib/openldap/modules/collect*
/usr/lib/openldap/modules/constraint*
/usr/lib/openldap/modules/dds*
/usr/lib/openldap/modules/deref*
/usr/lib/openldap/modules/dyngroup*
/usr/lib/openldap/modules/dynlist*
/usr/lib/openldap/modules/memberof*
/usr/lib/openldap/modules/pcache*
/usr/lib/openldap/modules/refint*
/usr/lib/openldap/modules/retcode*
/usr/lib/openldap/modules/rwm*
/usr/lib/openldap/modules/seqmod*
/usr/lib/openldap/modules/sssvlv*
/usr/lib/openldap/modules/translucent*
/usr/lib/openldap/modules/unique*
/usr/lib/openldap/modules/valsort*
/usr/lib/openldap/slapd
%dir /%{_libdir}/openldap
%{_libdir}/openldap/back_bdb*
%{_libdir}/openldap/back_hdb*
%{_libdir}/openldap/back_ldap*
%{_libdir}/openldap/back_mdb*
%{_libdir}/openldap/back_monitor*
%{_libdir}/openldap/back_relay*
%{_libdir}/openldap/accesslog*
%{_libdir}/openldap/auditlog*
%{_libdir}/openldap/collect*
%{_libdir}/openldap/constraint*
%{_libdir}/openldap/dds*
%{_libdir}/openldap/deref*
%{_libdir}/openldap/dyngroup*
%{_libdir}/openldap/dynlist*
%{_libdir}/openldap/memberof*
%{_libdir}/openldap/pcache*
%{_libdir}/openldap/ppolicy*
%{_libdir}/openldap/refint*
%{_libdir}/openldap/retcode*
%{_libdir}/openldap/rwm*
%{_libdir}/openldap/seqmod*
%{_libdir}/openldap/sssvlv*
%{_libdir}/openldap/syncprov*
%{_libdir}/openldap/translucent*
%{_libdir}/openldap/unique*
%{_libdir}/openldap/valsort*
%{_libdir}/slapd
/usr/lib/openldap/start
/usr/lib/systemd/system/slapd.service
%dir %attr(0700, ldap, ldap) /var/lib/ldap
%dir %attr(0755, ldap, ldap) %ghost %{_rundir}/slapd
%{_unitdir}/slapd.service
%dir %attr(0750, ldap, ldap) /var/lib/ldap
%ghost %attr(0750, ldap, ldap) %{_rundir}
%doc %{_mandir}/man8/sl*
%doc %{_mandir}/man5/slapd.*
%doc %{_mandir}/man5/slapd-bdb.*
@ -417,20 +493,37 @@ cat > openldap2-devel-static.filelist <<-EOF
%_libdir/libldap*.a
EOF
cat > openldap2-back-perl.filelist <<EOF
/usr/lib/openldap/modules/back_perl*
%{_libdir}/openldap/back_perl*
%doc %{_mandir}/man5/slapd-perl.*
EOF
cat > openldap2-back-sock.filelist <<EOF
%{_libdir}/openldap/back_sock*
%doc %{_mandir}/man5/slapd-sock.*
EOF
cat > openldap2-back-meta.filelist <<EOF
/usr/lib/openldap/modules/back_meta*
%{_libdir}/openldap/back_meta*
%doc %{_mandir}/man5/slapd-meta.*
EOF
cat > openldap2-back-sql.filelist <<EOF
/usr/lib/openldap/modules/back_sql*
%{_libdir}/openldap/back_sql*
%doc %{_mandir}/man5/slapd-sql.*
%doc servers/slapd/back-sql/examples
%doc servers/slapd/back-sql/docs/bugs
%doc servers/slapd/back-sql/docs/install
EOF
cat > openldap2-contrib.filelist <<EOF
%{_libdir}/openldap/allowed.*
%{_libdir}/openldap/allop.*
%{_libdir}/openldap/autogroup.*
%{_libdir}/openldap/lastbind.*
%{_libdir}/openldap/noopsrch.*
%{_libdir}/openldap/nops.*
%{_libdir}/openldap/pw-sha2.*
%{_libdir}/openldap/pw-pbkdf2.*
%{_libdir}/openldap/denyop.*
%{_libdir}/openldap/cloak.*
%{_libdir}/openldap/smbk5pwd.*
EOF
cat >openldap2-doc.filelist <<EOF
%dir %{DOCDIR}
%doc %{DOCDIR}/drafts
@ -442,20 +535,20 @@ EOF
cat openldap2-client.filelist libldap.filelist openldap2-devel.filelist \
openldap2-devel-static.filelist |
%else
cat openldap2.filelist openldap2-back-perl.filelist \
cat openldap2.filelist openldap2-back-perl.filelist openldap2-back-sock.filelist \
openldap2-back-meta.filelist openldap2-back-sql.filelist \
openldap2-doc.filelist compat-libldap.filelist |
openldap2-doc.filelist openldap2-contrib.filelist |
%endif
grep -v "%dir " |sed -e "s|^.* ||" |grep "^/" |while read name ; do
rm -rf $RPM_BUILD_ROOT$name
rm -rf ${RPM_BUILD_ROOT}${name}
done
%if "%{name}" == "openldap2"
%pre
/usr/sbin/groupadd -g 70 -o -r ldap || :
/usr/sbin/useradd -r -o -g ldap -u 76 -s /bin/bash -c "User for OpenLDAP" -d /var/lib/ldap ldap || :
/usr/sbin/useradd -r -o -g ldap -u 76 -s /bin/false -c "User for OpenLDAP" -d /var/lib/ldap ldap || :
if /usr/bin/chkconfig ldap 2>&1 | grep -q on; then
touch /var/run/enable_slapd_service
touch %{_rundir}/enable_slapd_service
fi
%service_add_pre slapd.service
@ -467,7 +560,7 @@ fi
%{fillup_only -n openldap ldap}
%{remove_and_set -n openldap OPENLDAP_RUN_DB_RECOVER}
%service_add_post slapd.service
if [ -f /var/run/enable_slapd_service ]; then
if [ -f %{_rundir}/enable_slapd_service ]; then
/usr/bin/systemctl --quiet enable slapd
fi
@ -483,6 +576,9 @@ fi
%files -n openldap2-back-perl -f openldap2-back-perl.filelist
%defattr(-,root,root)
%files -n openldap2-back-sock -f openldap2-back-sock.filelist
%defattr(-,root,root)
%files -n openldap2-back-meta -f openldap2-back-meta.filelist
%defattr(-,root,root)
@ -492,6 +588,9 @@ fi
%files -n openldap2-doc -f openldap2-doc.filelist
%defattr(-,root,root)
%files -n openldap2-contrib -f openldap2-contrib.filelist
%defattr(-,root,root)
%else
%post -n libldap-2_4-2 -p /sbin/ldconfig

View File

@ -1,3 +1,35 @@
-------------------------------------------------------------------
Tue Dec 8 11:36:16 UTC 2015 - michael@stroeder.com
- Upgrade to upstream 2.4.43 release with accumulated bug fixes.
- Still build on SLES12
- Loadable backend and overlay modules are now installed
into arch-specific path %{_libdir}/openldap
- All backends and overlays as modules for smaller memory footprint
on memory constrained systems
- Added extra package for back-sock
- Consequent use of %{_rundir} everywhere
- Rely on upstream ./configure script instead of any other
macro foo
- Dropped linking with libwrap
- Dropped 0004-libldap-use-gethostbyname_r.dif because this
work-around for nss_ldap is obsolete
- New sub-package openldap2-contrib with selected contrib/ overlays
- Replaced addonschema.tar.gz with separate schema sources
- Updated ldapns.schema from recent slapo-nssov source tree
- Added symbolic link to slapd executable in /usr/sbin/
- Added more complex example configuration file
/etc/openldap/slapd.conf.example
- Set OPENLDAP_START_LDAPI="yes" in /etc/sysconfig/openldap
- Set OPENLDAP_REGISTER_SLP="no" in /etc/sysconfig/openldap
- Added patch for OpenLDAP ITS#7796 to avoid excessive
"not index" logging
- Replaced openldap-rc.tgz with single source files
- Added soft dependency (Recommends) to cyrus-sasl
- Added soft dependency (Recommends) to cyrus-sasl-devel
to openldap2-devel
- Added patch for OpenLDAP ITS#8336 (assert in liblmdb)
-------------------------------------------------------------------
Wed Dec 2 12:50:47 UTC 2015 - hguo@suse.com

View File

@ -1,7 +1,7 @@
#
# spec file for package openldap2
#
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -17,52 +17,58 @@
%define run_test_suite 0
%define version_main 2.4.42
%define version_main 2.4.43
%if ! %{defined _rundir}
%define _rundir %{_localstatedir}/run
%if %{suse_version} >= 1310 && %{suse_version} != 1315
%define _rundir /run/slapd
%else
%define _rundir /var/run/slapd
%endif
Name: openldap2
Summary: The OpenLDAP Server
License: OLDAP-2.8
Group: Productivity/Networking/LDAP/Clients
Version: 2.4.42
Version: %{version_main}
Release: 0
Url: http://www.openldap.org
Source: openldap-%{version_main}.tgz
Source1: openldap-rc.tgz
Source2: addonschema.tar.gz
Source3: DB_CONFIG
Source4: sasl-slapd.conf
Source5: README.dynamic-overlays
Source5: README.module-loading
Source6: schema2ldif
Source7: baselibs.conf
Patch1: 0001-build-adjustments.dif
Source9: ldapns.schema
Source10: rfc2307bis.schema
Source11: yast.schema
Source12: slapd.conf.example
Source13: start
Source14: slapd.service
Source15: SuSEfirewall2.openldap
Source16: sysconfig.openldap
Patch2: 0002-slapd.conf.dif
Patch3: 0003-LDAPI-socket-location.dif
Patch4: 0004-libldap-use-gethostbyname_r.dif
#Patch4: 0004-libldap-use-gethostbyname_r.dif
Patch5: 0005-pie-compile.dif
Patch6: 0006-No-Build-date-and-time-in-binaries.dif
Patch7: 0007-Recover-on-DB-version-change.dif
Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch
Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch
Patch10: 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
Patch10: openldap-re24-its7796.patch
Patch11: 0011-Enforce-minimum-DH-size-of-1024.patch
Patch12: openldap-re24-its8336.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: cyrus-sasl-devel
BuildRequires: groff
BuildRequires: libopenssl-devel
BuildRequires: libtool
Requires: libldap-2_4-2 = %{version_main}
Recommends: cyrus-sasl
%if "%{name}" == "openldap2"
BuildRequires: db-devel
BuildRequires: openslp-devel
BuildRequires: tcpd-devel
BuildRequires: unixODBC-devel
Conflicts: openldap
Requires: libldap-2_4-2 = %{version_main}
PreReq: %insserv_prereq %fillup_prereq /usr/sbin/useradd /usr/sbin/groupadd /usr/bin/grep
%if 0%{?suse_version} >= 1140
%if %{suse_version} >= 1310 && %{suse_version} != 1315
# avoid cycle with krb5
BuildRequires: krb5-mini
BuildRequires: pkgconfig(systemd)
@ -70,7 +76,6 @@ BuildRequires: pkgconfig(systemd)
%endif
%else
Conflicts: openldap-client
Requires: libldap-2_4-2 = %{version_main}
%endif
# For /usr/bin/strings
Requires(pre): binutils
@ -78,10 +83,10 @@ Requires(pre): binutils
%if "%{name}" == "openldap2"
%description
The Lightweight Directory Access Protocol (LDAP) is used to access
online directory services. It runs directly over TCP and can be used to
access a stand-alone LDAP directory service or to access a directory
service that has an X.500 back-end.
OpenLDAP is a client and server reference implementation of the
Lightweight Directory Access Protocol v3 (LDAPv3).
The server provides several database backends and overlays.
%package -n openldap2-back-perl
Summary: OpenLDAP Perl Back-End
@ -93,6 +98,16 @@ Requires: perl = %{perl_version}
The OpenLDAP Perl back-end allows you to execute Perl code specific to
different LDAP operations.
%package -n openldap2-back-sock
Summary: OpenLDAP Socket Back-End
Group: Productivity/Networking/LDAP/Servers
Requires: openldap2 = %{version_main}
Provides: openldap2:/usr/share/man/man5/slapd-sock.5.gz
%description -n openldap2-back-sock
The OpenLDAP socket back-end allows you to handle LDAP requests and
results with an external process listening on a Unix domain socket.
%package -n openldap2-back-meta
Summary: OpenLDAP Meta Back-End
Group: Productivity/Networking/LDAP/Servers
@ -115,6 +130,25 @@ The primary purpose of this OpenLDAP backend is to present information
stored in a Relational (SQL) Database as an LDAP subtree without the need
to do any programming.
%package -n openldap2-contrib
Summary: OpenLDAP Contrib Modules
Group: Productivity/Networking/LDAP/Servers
Requires: openldap2 = %{version_main}
%description -n openldap2-contrib
Various overlays found in contrib/:
allop
allowed Generates attributes indicating access rights
autogroup
cloak
denyop
lastbind writes last bind timestamp to entry
noopsrch handles no-op search control
nops
pw-sha2 generates/validates SHA-2 password hashes
pw-pbkdf2 generates/validates PBKDF2 password hashes
smbk5pwd generates Samba3 password hashes (heimdal krb disabled)
%package -n openldap2-doc
Summary: OpenLDAP Documentation
Group: Documentation/Other
@ -126,6 +160,7 @@ BuildArch: noarch
%description -n openldap2-doc
The OpenLDAP Admin Guide plus a set of OpenLDAP related IETF internet drafts
Authors:
--------
The OpenLDAP Project <project@openldap.org>
@ -145,6 +180,7 @@ Obsoletes: openldap2-devel-64bit
#
Conflicts: openldap-devel
Requires: libldap-2_4-2 = %{version_main}
Recommends: cyrus-sasl-devel
%description -n openldap2-devel
This package provides the OpenLDAP libraries, header files, and
@ -171,61 +207,74 @@ This package contains the OpenLDAP client libraries.
%endif
%prep
%setup -q -n openldap-%{version_main} -a1 -a2
%patch1 -p1
%setup -q -n openldap-%{version_main}
%patch2 -p1
%patch3 -p1
%patch4 -p1
#%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
cp %{SOURCE5} .
%build
%{?suse_update_config:%{suse_update_config -f build}}
libtoolize --force
autoreconf
export CFLAGS="$RPM_OPT_FLAGS -Wno-format-extra-args -fno-strict-aliasing -DLDAP_DEPRECATED -DLDAP_CONNECTIONLESS -DSLAP_CONFIG_DELETE"
# %{?suse_update_config:%{suse_update_config -f build}}
#libtoolize --force
#autoreconf
# export CFLAGS="${RPM_OPT_FLAGS} -Wno-format-extra-args -fno-strict-aliasing -DNDEBUG -DSLAP_CONFIG_DELETE -DSLAP_SCHEMA_EXPOSE -DLDAP_COLLECTIVE_ATTRIBUTES"
export CFLAGS="-Wno-format-extra-args -fno-strict-aliasing -DNDEBUG -DSLAP_CONFIG_DELETE -DSLAP_SCHEMA_EXPOSE -DLDAP_COLLECTIVE_ATTRIBUTES"
export STRIP=""
%configure \
--localstatedir=%{_rundir}/slapd \
--libexecdir=/usr/lib/openldap \
--enable-wrappers \
./configure \
--prefix=/usr \
--sysconfdir=%{_sysconfdir} \
--libdir=%{_libdir} \
--libexecdir=%{_libdir} \
--localstatedir=%{_rundir} \
--enable-wrappers=no \
--enable-spasswd \
--enable-modules \
--enable-shared \
--enable-dynamic \
--with-tls \
--with-tls=openssl \
--with-cyrus-sasl \
--enable-crypt \
--enable-ipv6=yes \
%if "%{name}" == "openldap2"
--enable-aci \
--enable-bdb \
--enable-hdb \
--enable-bdb=mod \
--enable-hdb=mod \
--enable-rewrite \
--enable-ldap=yes \
--enable-ldap=mod \
--enable-meta=mod \
--enable-monitor=yes \
--enable-monitor=mod \
--enable-perl=mod \
--enable-sock=mod \
--enable-sql=mod \
--enable-mdb=yes \
--enable-mdb=mod \
--enable-relay=mod \
--enable-slp \
--enable-overlays=mod \
--enable-syncprov=yes \
--enable-ppolicy=yes \
--enable-syncprov=mod \
--enable-ppolicy=mod \
%else
--disable-slapd \
%endif
--enable-lmpasswd \
--with-yielding-select
--with-yielding-select \
|| cat config.log
make depend
make %{?_smp_mflags}
%if "%{name}" == "openldap2"
# Build selected contrib overlays
for SLAPO_NAME in allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2
do
make -C contrib/slapd-modules/${SLAPO_NAME} %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}"
done
# One more level up needed because of passwd/sha2
# slapo-smbk5pwd only for Samba password hashes
make -C contrib/slapd-modules/smbk5pwd %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" DEFS="-DDO_SAMBA" HEIMDAL_LIB=""
%endif
%check
@ -254,50 +303,67 @@ make SLAPD_DEBUG=0 test
%endif
%install
mkdir -p $RPM_BUILD_ROOT/usr/lib/openldap/
mkdir -p $RPM_BUILD_ROOT/usr/sbin
mkdir -p $RPM_BUILD_ROOT/%{_unitdir}
make STRIP="" DESTDIR=$RPM_BUILD_ROOT install
install -m 755 start $RPM_BUILD_ROOT/usr/lib/openldap/start
install -m 644 slapd.service $RPM_BUILD_ROOT/%{_unitdir}
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/slapd.d
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sasl2
install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_sysconfdir}/sasl2/slapd.conf
install -m 755 -d $RPM_BUILD_ROOT/var/lib/ldap
chmod a+x $RPM_BUILD_ROOT/%{_libdir}/liblber.so*
chmod a+x $RPM_BUILD_ROOT/%{_libdir}/libldap_r.so*
chmod a+x $RPM_BUILD_ROOT/%{_libdir}/libldap.so*
install -m 755 %{SOURCE6} $RPM_BUILD_ROOT/usr/sbin/schema2ldif
mkdir -p ${RPM_BUILD_ROOT}/%{_libdir}/openldap
mkdir -p ${RPM_BUILD_ROOT}/usr/lib/openldap
mkdir -p ${RPM_BUILD_ROOT}/usr/sbin
mkdir -p ${RPM_BUILD_ROOT}/%{_unitdir}
make STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
# Additional symbolic link to slapd executable in /usr/sbin/
%if "%{name}" == "openldap2"
ln -s %{_libdir}/slapd ${RPM_BUILD_ROOT}/usr/sbin/slapd
%endif
%if "%{name}" == "openldap2"
# Install selected contrib overlays
for SLAPO_NAME in allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2
do
make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
done
# slapo-smbk5pwd only for Samba password hashes
make -C contrib/slapd-modules/smbk5pwd STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
%endif
install -m 755 %{SOURCE13} ${RPM_BUILD_ROOT}/usr/lib/openldap/start
install -m 644 %{SOURCE14} ${RPM_BUILD_ROOT}/%{_unitdir}
mkdir -p ${RPM_BUILD_ROOT}/%{_sysconfdir}/openldap/slapd.d
mkdir -p ${RPM_BUILD_ROOT}/%{_sysconfdir}/sasl2
install -m 644 %{SOURCE4} ${RPM_BUILD_ROOT}/%{_sysconfdir}/sasl2/slapd.conf
install -m 755 -d ${RPM_BUILD_ROOT}/var/lib/ldap
chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/liblber.so*
chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/libldap_r.so*
chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/libldap.so*
install -m 755 %{SOURCE6} ${RPM_BUILD_ROOT}/usr/sbin/schema2ldif
%if "%{name}" == "openldap2"
%define DOCDIR %{_defaultdocdir}/%{name}
mkdir -p $RPM_BUILD_ROOT/var/adm/fillup-templates
install -m 644 sysconfig.openldap $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.openldap
install -m 644 *.schema $RPM_BUILD_ROOT/etc/openldap/schema
install -m 644 %{SOURCE3} $RPM_BUILD_ROOT/var/lib/ldap/DB_CONFIG
install -m 644 $RPM_BUILD_ROOT/etc/openldap/DB_CONFIG.example $RPM_BUILD_ROOT/var/lib/ldap/DB_CONFIG.example
install -d $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/services/
install -m 644 SuSEfirewall2.openldap $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/services/openldap
mkdir -p ${RPM_BUILD_ROOT}/var/adm/fillup-templates
install -m 644 %{SOURCE16} ${RPM_BUILD_ROOT}/var/adm/fillup-templates/sysconfig.openldap
install -m 644 %{SOURCE9} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap/schema
install -m 644 %{SOURCE10} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap/schema
install -m 644 %{SOURCE11} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap/schema
install -m 644 %{SOURCE12} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap
install -m 644 %{SOURCE3} ${RPM_BUILD_ROOT}/var/lib/ldap/DB_CONFIG
install -m 644 ${RPM_BUILD_ROOT}/etc/openldap/DB_CONFIG.example ${RPM_BUILD_ROOT}/var/lib/ldap/DB_CONFIG.example
install -d ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/
install -m 644 %{SOURCE15} ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/openldap
rm -f `find doc/guide ! -name *.html -a ! -name *.gif -a ! -name *.png -a ! -type d`
rm -rf doc/guide/release
install -d $RPM_BUILD_ROOT/%{DOCDIR}/adminguide \
$RPM_BUILD_ROOT/%{DOCDIR}/images \
$RPM_BUILD_ROOT/%{DOCDIR}/drafts
install -m 644 doc/guide/admin/* $RPM_BUILD_ROOT/%{DOCDIR}/adminguide
install -m 644 doc/guide/images/*.gif $RPM_BUILD_ROOT/%{DOCDIR}/images
install -m 644 doc/drafts/* $RPM_BUILD_ROOT/%{DOCDIR}/drafts
install -d ${RPM_BUILD_ROOT}/%{DOCDIR}/adminguide \
${RPM_BUILD_ROOT}/%{DOCDIR}/images \
${RPM_BUILD_ROOT}/%{DOCDIR}/drafts
install -m 644 doc/guide/admin/* ${RPM_BUILD_ROOT}/%{DOCDIR}/adminguide
install -m 644 doc/guide/images/*.gif ${RPM_BUILD_ROOT}/%{DOCDIR}/images
install -m 644 doc/drafts/* ${RPM_BUILD_ROOT}/%{DOCDIR}/drafts
install -m 644 ANNOUNCEMENT \
COPYRIGHT \
LICENSE \
README \
CHANGES \
%{SOURCE5} \
$RPM_BUILD_ROOT/%{DOCDIR}
${RPM_BUILD_ROOT}/%{DOCDIR}
install -m 644 servers/slapd/slapd.ldif \
$RPM_BUILD_ROOT/%{DOCDIR}/slapd.ldif.default
rm -f $RPM_BUILD_ROOT/etc/openldap/DB_CONFIG.example
rm -f $RPM_BUILD_ROOT/etc/openldap/schema/README
rm -f $RPM_BUILD_ROOT/etc/openldap/slapd.ldif*
rm -f $RPM_BUILD_ROOT%{_rundir}/slapd/openldap-data/DB_CONFIG.example
${RPM_BUILD_ROOT}/%{DOCDIR}/slapd.ldif.default
rm -f ${RPM_BUILD_ROOT}/etc/openldap/DB_CONFIG.example
rm -f ${RPM_BUILD_ROOT}/etc/openldap/schema/README
rm -f ${RPM_BUILD_ROOT}/etc/openldap/slapd.ldif*
rm -f ${RPM_BUILD_ROOT}/%{_rundir}/openldap-data/DB_CONFIG.example
mv servers/slapd/back-sql/rdbms_depend servers/slapd/back-sql/examples
# Provide SUSE policy symlink /usr/sbin/rcFOO -> /etc/init.d/FOO
# /usr/sbin/service exists only since openSUSE 12.3:
@ -307,16 +373,15 @@ ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcslapd
ln -s /sbin/service %{buildroot}%{_sbindir}/rcslapd
%endif
%endif
rm -f $RPM_BUILD_ROOT/usr/lib/openldap/modules/*.a
rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-dnssrv.5
rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-ndb.5
rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-null.5
rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-passwd.5
rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-shell.5
rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-sock.5
rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-tcl.5
rm -f ${RPM_BUILD_ROOT}/%{_libdir}/openldap/*.a
rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-dnssrv.5
rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-ndb.5
rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-null.5
rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-passwd.5
rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-shell.5
rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-tcl.5
# Remove *.la files, libtool does not handle this correct
rm -f $RPM_BUILD_ROOT%{_libdir}/lib*.la
rm -f ${RPM_BUILD_ROOT}%{_libdir}/lib*.la
#put filelists into files
cat >openldap2.filelist <<EOF
@ -330,36 +395,45 @@ cat >openldap2.filelist <<EOF
%dir /etc/openldap/schema
%config /etc/openldap/schema/*.schema
%config /etc/openldap/schema/*.ldif
%config(noreplace) %attr(640, root, ldap) /etc/openldap/slapd.conf
%config(noreplace) %attr(640, root, ldap) /%{_sysconfdir}/openldap/slapd.conf
%config(noreplace) %attr(640, ldap, ldap) /var/lib/ldap/DB_CONFIG
%config /var/lib/ldap/DB_CONFIG.example
%attr(640, root, ldap) /%{_sysconfdir}/openldap/slapd.conf.default
%config %attr(640, root, ldap) /%{_sysconfdir}/openldap/slapd.conf.default
%config %attr(640, root, ldap) /%{_sysconfdir}/openldap/slapd.conf.example
%config(noreplace) /etc/sasl2/slapd.conf
%dir /usr/lib/openldap
%dir /usr/lib/openldap/modules
/usr/lib/openldap/modules/accesslog*
/usr/lib/openldap/modules/auditlog*
/usr/lib/openldap/modules/collect*
/usr/lib/openldap/modules/constraint*
/usr/lib/openldap/modules/dds*
/usr/lib/openldap/modules/deref*
/usr/lib/openldap/modules/dyngroup*
/usr/lib/openldap/modules/dynlist*
/usr/lib/openldap/modules/memberof*
/usr/lib/openldap/modules/pcache*
/usr/lib/openldap/modules/refint*
/usr/lib/openldap/modules/retcode*
/usr/lib/openldap/modules/rwm*
/usr/lib/openldap/modules/seqmod*
/usr/lib/openldap/modules/sssvlv*
/usr/lib/openldap/modules/translucent*
/usr/lib/openldap/modules/unique*
/usr/lib/openldap/modules/valsort*
/usr/lib/openldap/slapd
%dir /%{_libdir}/openldap
%{_libdir}/openldap/back_bdb*
%{_libdir}/openldap/back_hdb*
%{_libdir}/openldap/back_ldap*
%{_libdir}/openldap/back_mdb*
%{_libdir}/openldap/back_monitor*
%{_libdir}/openldap/back_relay*
%{_libdir}/openldap/accesslog*
%{_libdir}/openldap/auditlog*
%{_libdir}/openldap/collect*
%{_libdir}/openldap/constraint*
%{_libdir}/openldap/dds*
%{_libdir}/openldap/deref*
%{_libdir}/openldap/dyngroup*
%{_libdir}/openldap/dynlist*
%{_libdir}/openldap/memberof*
%{_libdir}/openldap/pcache*
%{_libdir}/openldap/ppolicy*
%{_libdir}/openldap/refint*
%{_libdir}/openldap/retcode*
%{_libdir}/openldap/rwm*
%{_libdir}/openldap/seqmod*
%{_libdir}/openldap/sssvlv*
%{_libdir}/openldap/syncprov*
%{_libdir}/openldap/translucent*
%{_libdir}/openldap/unique*
%{_libdir}/openldap/valsort*
%{_libdir}/slapd
/usr/lib/openldap/start
/usr/lib/systemd/system/slapd.service
%dir %attr(0700, ldap, ldap) /var/lib/ldap
%dir %attr(0755, ldap, ldap) %ghost %{_rundir}/slapd
%{_unitdir}/slapd.service
%dir %attr(0750, ldap, ldap) /var/lib/ldap
%ghost %attr(0750, ldap, ldap) %{_rundir}
%doc %{_mandir}/man8/sl*
%doc %{_mandir}/man5/slapd.*
%doc %{_mandir}/man5/slapd-bdb.*
@ -380,11 +454,6 @@ cat >openldap2.filelist <<EOF
%doc %{DOCDIR}/CHANGES
%doc %{DOCDIR}/slapd.ldif.default
EOF
%if %suse_version < 1130
cat >>openldap2.filelist <<EOF
/usr/sbin/openldap-2.3-slapcat
EOF
%endif
#
#
cat > openldap2-client.filelist <<EOF
@ -424,20 +493,37 @@ cat > openldap2-devel-static.filelist <<-EOF
%_libdir/libldap*.a
EOF
cat > openldap2-back-perl.filelist <<EOF
/usr/lib/openldap/modules/back_perl*
%{_libdir}/openldap/back_perl*
%doc %{_mandir}/man5/slapd-perl.*
EOF
cat > openldap2-back-sock.filelist <<EOF
%{_libdir}/openldap/back_sock*
%doc %{_mandir}/man5/slapd-sock.*
EOF
cat > openldap2-back-meta.filelist <<EOF
/usr/lib/openldap/modules/back_meta*
%{_libdir}/openldap/back_meta*
%doc %{_mandir}/man5/slapd-meta.*
EOF
cat > openldap2-back-sql.filelist <<EOF
/usr/lib/openldap/modules/back_sql*
%{_libdir}/openldap/back_sql*
%doc %{_mandir}/man5/slapd-sql.*
%doc servers/slapd/back-sql/examples
%doc servers/slapd/back-sql/docs/bugs
%doc servers/slapd/back-sql/docs/install
EOF
cat > openldap2-contrib.filelist <<EOF
%{_libdir}/openldap/allowed.*
%{_libdir}/openldap/allop.*
%{_libdir}/openldap/autogroup.*
%{_libdir}/openldap/lastbind.*
%{_libdir}/openldap/noopsrch.*
%{_libdir}/openldap/nops.*
%{_libdir}/openldap/pw-sha2.*
%{_libdir}/openldap/pw-pbkdf2.*
%{_libdir}/openldap/denyop.*
%{_libdir}/openldap/cloak.*
%{_libdir}/openldap/smbk5pwd.*
EOF
cat >openldap2-doc.filelist <<EOF
%dir %{DOCDIR}
%doc %{DOCDIR}/drafts
@ -449,32 +535,20 @@ EOF
cat openldap2-client.filelist libldap.filelist openldap2-devel.filelist \
openldap2-devel-static.filelist |
%else
cat openldap2.filelist openldap2-back-perl.filelist \
cat openldap2.filelist openldap2-back-perl.filelist openldap2-back-sock.filelist \
openldap2-back-meta.filelist openldap2-back-sql.filelist \
openldap2-doc.filelist
openldap2-doc.filelist openldap2-contrib.filelist |
%endif
grep -v "%dir " |sed -e "s|^.* ||" |grep "^/" |while read name ; do
rm -rf $RPM_BUILD_ROOT$name
rm -rf ${RPM_BUILD_ROOT}${name}
done
%if "%{name}" == "openldap2"
%pre
/usr/sbin/groupadd -g 70 -o -r ldap || :
/usr/sbin/useradd -r -o -g ldap -u 76 -s /bin/bash -c "User for OpenLDAP" -d /var/lib/ldap ldap || :
# try to figure out if a db update is needed
if [ ${1:-0} -gt 1 ] && [ -f /usr/lib/openldap/slapd ] &&
/usr/bin/strings /usr/lib/openldap/slapd | \
grep "slapd 2.3" 2>&1 > /dev/null;
then
# create a backup of the schema shipped with 2.3
# at least core.schema changed between 2.3 and 2.4
TEMPDIR=`mktemp -d /etc/openldap/schema.backup.XXXXXX`
echo "Schema backup created in $TEMPDIR"
cp -p --remove-destination /etc/openldap/schema/* $TEMPDIR
echo $TEMPDIR > /etc/openldap/UPDATE_NEEDED ;
fi
/usr/sbin/useradd -r -o -g ldap -u 76 -s /bin/false -c "User for OpenLDAP" -d /var/lib/ldap ldap || :
if /usr/bin/chkconfig ldap 2>&1 | grep -q on; then
touch /var/run/enable_slapd_service
touch %{_rundir}/enable_slapd_service
fi
%service_add_pre slapd.service
@ -486,7 +560,7 @@ fi
%{fillup_only -n openldap ldap}
%{remove_and_set -n openldap OPENLDAP_RUN_DB_RECOVER}
%service_add_post slapd.service
if [ -f /var/run/enable_slapd_service ]; then
if [ -f %{_rundir}/enable_slapd_service ]; then
/usr/bin/systemctl --quiet enable slapd
fi
@ -502,6 +576,9 @@ fi
%files -n openldap2-back-perl -f openldap2-back-perl.filelist
%defattr(-,root,root)
%files -n openldap2-back-sock -f openldap2-back-sock.filelist
%defattr(-,root,root)
%files -n openldap2-back-meta -f openldap2-back-meta.filelist
%defattr(-,root,root)
@ -511,6 +588,9 @@ fi
%files -n openldap2-doc -f openldap2-doc.filelist
%defattr(-,root,root)
%files -n openldap2-contrib -f openldap2-contrib.filelist
%defattr(-,root,root)
%else
%post -n libldap-2_4-2 -p /sbin/ldconfig

288
rfc2307bis.schema Normal file
View File

@ -0,0 +1,288 @@
# builtin
#
#attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber'
# DESC 'An integer uniquely identifying a user in an administrative domain'
# EQUALITY integerMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
# SINGLE-VALUE )
# builtin
#
#attributetype ( 1.3.6.1.1.1.1.1 NAME 'gidNumber'
# DESC 'An integer uniquely identifying a group in an
# administrative domain'
# EQUALITY integerMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
# SINGLE-VALUE )
attributetype ( 1.3.6.1.1.1.1.2 NAME 'gecos'
DESC 'The GECOS field; the common name'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )
attributetype ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory'
DESC 'The absolute path to the home directory'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )
attributetype ( 1.3.6.1.1.1.1.4 NAME 'loginShell'
DESC 'The path to the login shell'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )
attributetype ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( 1.3.6.1.1.1.1.6 NAME 'shadowMin'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( 1.3.6.1.1.1.1.7 NAME 'shadowMax'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( 1.3.6.1.1.1.1.8 NAME 'shadowWarning'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( 1.3.6.1.1.1.1.9 NAME 'shadowInactive'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( 1.3.6.1.1.1.1.11 NAME 'shadowFlag'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
DESC 'Netgroup triple'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.1.1.1.15 NAME 'ipServicePort'
DESC 'Service port number'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol'
DESC 'Service protocol name'
SUP name )
attributetype ( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber'
DESC 'IP protocol number'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( 1.3.6.1.1.1.1.18 NAME 'oncRpcNumber'
DESC 'ONC RPC number'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber'
DESC 'IPv4 addresses as a dotted decimal omitting leading
zeros or IPv6 addresses as defined in RFC2373'
SUP name )
attributetype ( 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber'
DESC 'IP network as a dotted decimal, eg. 192.168,
omitting leading zeros'
SUP name
SINGLE-VALUE )
attributetype ( 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber'
DESC 'IP netmask as a dotted decimal, eg. 255.255.255.0,
omitting leading zeros'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )
attributetype ( 1.3.6.1.1.1.1.22 NAME 'macAddress'
DESC 'MAC address in maximal, colon separated hex
notation, eg. 00:00:92:90:ee:e2'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.1.1.1.23 NAME 'bootParameter'
DESC 'rpc.bootparamd parameter'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.1.1.1.24 NAME 'bootFile'
DESC 'Boot image name'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.1.1.1.26 NAME 'nisMapName'
DESC 'Name of a A generic NIS map'
SUP name )
attributetype ( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry'
DESC 'A generic NIS entry'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )
attributetype ( 1.3.6.1.1.1.1.28 NAME 'nisPublicKey'
DESC 'NIS public key'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
attributetype ( 1.3.6.1.1.1.1.29 NAME 'nisSecretKey'
DESC 'NIS secret key'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
attributetype ( 1.3.6.1.1.1.1.30 NAME 'nisDomain'
DESC 'NIS domain'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
attributetype ( 1.3.6.1.1.1.1.31 NAME 'automountMapName'
DESC 'automount Map Name'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 1.3.6.1.1.1.1.32 NAME 'automountKey'
DESC 'Automount Key value'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 1.3.6.1.1.1.1.33 NAME 'automountInformation'
DESC 'Automount information'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
DESC 'Abstraction of an account with POSIX attributes'
MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
MAY ( userPassword $ loginShell $ gecos $
description ) )
objectclass ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' SUP top AUXILIARY
DESC 'Additional attributes for shadow passwords'
MUST uid
MAY ( userPassword $ description $
shadowLastChange $ shadowMin $ shadowMax $
shadowWarning $ shadowInactive $
shadowExpire $ shadowFlag ) )
objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY
DESC 'Abstraction of a group of accounts'
MUST gidNumber
MAY ( userPassword $ memberUid $
description ) )
objectclass ( 1.3.6.1.1.1.2.3 NAME 'ipService' SUP top STRUCTURAL
DESC 'Abstraction an Internet Protocol service.
Maps an IP port and protocol (such as tcp or udp)
to one or more names; the distinguished value of
the cn attribute denotes the services canonical
name'
MUST ( cn $ ipServicePort $ ipServiceProtocol )
MAY description )
objectclass ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' SUP top STRUCTURAL
DESC 'Abstraction of an IP protocol. Maps a protocol number
to one or more names. The distinguished value of the cn
attribute denotes the protocols canonical name'
MUST ( cn $ ipProtocolNumber )
MAY description )
objectclass ( 1.3.6.1.1.1.2.5 NAME 'oncRpc' SUP top STRUCTURAL
DESC 'Abstraction of an Open Network Computing (ONC)
[RFC1057] Remote Procedure Call (RPC) binding.
This class maps an ONC RPC number to a name.
The distinguished value of the cn attribute denotes
the RPC services canonical name'
MUST ( cn $ oncRpcNumber )
MAY description )
objectclass ( 1.3.6.1.1.1.2.6 NAME 'ipHost' SUP top AUXILIARY
DESC 'Abstraction of a host, an IP device. The distinguished
value of the cn attribute denotes the hosts canonical
name. Device SHOULD be used as a structural class'
MUST ( cn $ ipHostNumber )
MAY ( userPassword $ l $ description $ manager ) )
objectclass ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' SUP top STRUCTURAL
DESC 'Abstraction of a network. The distinguished value of
the cn attribute denotes the networks canonical name'
MUST ipNetworkNumber
MAY ( cn $ ipNetmaskNumber $ l $ description $ manager ) )
objectclass ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL
DESC 'Abstraction of a netgroup. May refer to other netgroups'
MUST cn
MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) )
objectclass ( 1.3.6.1.1.1.2.9 NAME 'nisMap' SUP top STRUCTURAL
DESC 'A generic abstraction of a NIS map'
MUST nisMapName
MAY description )
objectclass ( 1.3.6.1.1.1.2.10 NAME 'nisObject' SUP top STRUCTURAL
DESC 'An entry in a NIS map'
MUST ( cn $ nisMapEntry $ nisMapName )
MAY description )
objectclass ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' SUP top AUXILIARY
DESC 'A device with a MAC address; device SHOULD be
used as a structural class'
MAY macAddress )
objectclass ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' SUP top AUXILIARY
DESC 'A device with boot parameters; device SHOULD be
used as a structural class'
MAY ( bootFile $ bootParameter ) )
objectclass ( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' SUP top AUXILIARY
DESC 'An object with a public and secret key'
MUST ( cn $ nisPublicKey $ nisSecretKey )
MAY ( uidNumber $ description ) )
objectclass ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top AUXILIARY
DESC 'Associates a NIS domain with a naming context'
MUST nisDomain )
objectclass ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL
MUST ( automountMapName )
MAY description )
objectclass ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL
DESC 'Automount information'
MUST ( automountKey $ automountInformation )
MAY description )
## namedObject is needed for groups without members
objectclass ( 1.3.6.1.4.1.5322.13.1.1 NAME 'namedObject' SUP top
STRUCTURAL MAY cn )

354
slapd.conf.example Normal file
View File

@ -0,0 +1,354 @@
############################################################################
# See slapd.conf(5) for details on configuration options.
# This file SHOULD NOT be world readable.
#
# Important note:
# You surely have to adjust some settings to meet your (security)
# requirements.
# At least you should replace suffix "dc=example,dc=com" by
# something meaningful for your setup.
# If you plan to use OpenLDAP server as backend for Samba and/or Kerberos
# KDC then you MUST add decent ACLs for protecting user credentials!
#
# Read the man pages before changing something!
#
# You can debug the config by running (as root while slapd stopped):
# /usr/sbin/slapd -f /etc/openldap/slapd.conf -u ldap -g ldap -h "ldapi:/// ldap://127.0.0.1" -d 65535
############################################################################
#---------------------------------------------------------------------------
# slapd global parameters
#---------------------------------------------------------------------------
# serverID must be unique across all provider replicas
# for using multi-master replication (MMR)
serverID 99
# only alter this when you know what you're doing
#threads 4
# Run-time files
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# for more debugging set:
#loglevel config stats stats2
loglevel stats
#---------------------------------------------------------------------------
# Load runtime loadable modules
#---------------------------------------------------------------------------
# Load additional backend modules installed by package 'openldap2'
# The following backends are statically built-in and therefore don't have
# to be loaded here:
# config, ldif, monitor, bdb, hdb, ldap, mdb, relay
#moduleload back_
#moduleload back_
#moduleload back_mdb
#moduleload back_meta
#moduleload back_sock
# Load additional overlay modules installed by package 'openldap2'
# The following overlay are statically built-in and therefore don't have
# to be loaded here:
# ppolicy, syncprov
#moduleload accesslog
#moduleload constraint
#moduleload dds
#moduleload deref
#moduleload dynlist
#moduleload memberof
moduleload refint
#moduleload sssvlv
#moduleload translucent
moduleload unique
#moduleload valsort
# Load additional overlay modules installed by package 'openldap2-contrib'
#moduleload allowed
#moduleload lastbind
#moduleload noopsrch
#moduleload pw-pbkdf2
#moduleload pw-sha2
#moduleload smbk5pwd
#---------------------------------------------------------------------------
# Include schema files
#---------------------------------------------------------------------------
# Schema files installed by package 'openldap2'
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/ppolicy.schema
#include /etc/openldap/schema/yast.schema
# Schema file installed by package 'dhcp-server'
#include /etc/openldap/schema/dhcp.schema
# Schema file installed by package 'samba'
#include /etc/openldap/schema/samba3.schema
# Schema file installed by package 'krb5-plugin-kdb-ldap'
#include /usr/share/doc/packages/krb5/kerberos.schema
#---------------------------------------------------------------------------
# Transport Layer Security (TLS) configuration
#---------------------------------------------------------------------------
# require at least TLS 1.0 and highly secure ciphers
#TLSProtocolMin 3.1
#TLSCipherSuite HIGH:!SSLv3:!SSLv2:!ADH
# TLS certificate and key files
#TLSCACertificateFile /etc/ssl/ca-bundle.pem
#TLSCertificateFile /etc/openldap/ssl.crt/server.crt
#TLSCertificateKeyFile /etc/openldap/ssl.key/server.key
# For enabling Perfect Forward Secrecy (PFS), see dhparam(1)
#TLSDHParamFile /etc/openldap/ssl.key/dhparam
#---------------------------------------------------------------------------
# Password hashing
#---------------------------------------------------------------------------
#password-hash {CRYPT}
# Parameters for {CRYPT} scheme: SHA-512, 72 bits) of salt, 5000 iterations
#password-crypt-salt-format "$6$%.12s"
#---------------------------------------------------------------------------
# Security requirements
#---------------------------------------------------------------------------
#disallow bind_anon
#require bind LDAPv3 strong
# SSF value for ldapi://
localSSF 256
# minimum required SSF value (security strength factor)
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
#security ssf=128 update_ssf=256 simple_bind=128
security ssf=0
#---------------------------------------------------------------------------
# Global access control (ACLs)
#---------------------------------------------------------------------------
# Root DSE: allow anyone to read it
access to
dn.base=""
by * read
# Sub schema sub entry: allow anyone to read it
access to
dn.base="cn=Subschema"
by * read
#---------------------------------------------------------------------------
# Authz-DN mappings
#---------------------------------------------------------------------------
# If connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used
# System user root is mapped to the rootdn in database dc=example,dc=com
# which has also read access on config and monitor databases
authz-regexp
"gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
"cn=root,dc=example,dc=com"
# Map local system user to LDAP entry
# if connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used
authz-regexp
"gidnumber=([0-9]+)\\+uidnumber=([0-9]+),cn=peercred,cn=external,cn=auth"
"ldap:///dc=example,dc=com??sub?(&(objectClass=posixAccount)(uidNumber=$2)(gidNumber=$1))"
# this maps the attribute uid to a LDAP entry
# if one of the typical password-based SASL mechs was used
authz-regexp
"uid=([a-zA-Z0-9_-]+),cn=(DIGEST-MD5|CRAM-MD5|NTLM|PLAIN|LOGIN|SCRAM-SHA-1),cn=auth"
"ldap:///dc=example,dc=com??sub?(uid=$1)"
# this maps the attribute uid to a LDAP entry
# if one of the Kerberos based SASL mechs was used
#authz-regexp
# "uid=([a-zA-Z0-9_-]+),cn=(GSSAPI|GS2-KRB5|GS2-IAKERB),cn=auth"
# "ldap:///dc=example,dc=com??sub?(|(krbPrincipalName=$1)(krbPrincipalAlias=$1))"
# Map client cert subject DN to LDAP entry if SASL/EXTERNAL was used
#authz-regexp
# "(.+)"
# "ldap:///dc=example,dc=com??sub?(&(objectClass=pkiUser)(seeAlso=$1))"
#===========================================================================
# Database specific configuration sections below
# Required order of databases:
# config (first), ...others..., monitor (last)
#===========================================================================
#---------------------------------------------------------------------------
# cn=config // Configuration database (always first!)
# see slapd-config(5)
#---------------------------------------------------------------------------
database config
# Cleartext passwords, especially for the rootdn, should
# be avoid! See slappasswd(8) and slapd.conf(5) for details.
# Best thing is not to set rootpw at all!
# For local config access by root use LDAPI with SASL/EXTERNAL instead
# (see above).
#rootpw secret
access to
dn.subtree="cn=config"
by dn.exact="cn=root,dc=example,dc=com" manage
by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" read
by * none
#---------------------------------------------------------------------------
# dc=example,dc=com // Example MDB database to be used by normal clients
# see slapd-mdb(5)
#---------------------------------------------------------------------------
database mdb
suffix "dc=example,dc=com"
# rootdn has to be set for overlays' internal operations
rootdn "cn=root,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid! See slappasswd(8) and slapd.conf(5) for details.
# Best thing is not to set rootpw at all!
rootpw secret
# The database directory MUST exist prior to running slapd and
# SHOULD only be accessible by the slapd user 'ldap'.
# mkdir /var/lib/ldap/example-db && chown ldap:ldap /var/lib/ldap/example-db && chmod 0700 /var/lib/ldap/example-db
directory /var/lib/ldap/example-db
# Permissions of database files created
mode 0600
# extra information to be available in cn=monitor for this database
monitoring on
# Perform ACL checks on the content of a new entry being added
add_content_acl on
# backend-specific database parameters
checkpoint 1024 5
# 100 MB (you can raise the limit later)
maxsize 104857600
# Indices to maintain
#
# Whenever you change indexing configuration you have to re-run slapindex
# while slapd being stopped!
# Don't forget to fix ownership/permissions of newly generated index files
# afterwards!
# set always!
index objectClass eq
# for typical address book use
index cn,sn,givenName,mail eq,sub
# for user management
index uid,uidNumber,gidNumber eq
# for authz-regexp mapping of Kerberos principal name
#index krbPrincipalName,krbPrincipalAlias eq
# for authz-regexp mapping of client cert subject DNs
#index seeAlso eq
# for syncrepl
index entryUUID,entryCSN eq
# access control lists (ACLs) for dc=example,dc=com
# see slapd.access(5) for details on access control lists (ACLs)
# full read access also to 'userPassword' for group of replicas
# and control is forwarded to subsequent ACLs
access to
dn.subtree=dc=example,dc=com
by group.base="cn=slapd replicas,ou=groups,dc=example,dc=com" read
by * break
# write-only access to 'userPassword' for user, auth access else
access to
attrs=userPassword
by self =w
by * auth
# 'userPKCS' must only be accessible by self
access to
attrs=userPKCS12
by self write
by * none
# No access to history of passwords
#access to
# attrs=pwdHistory
# by * none
# Catch-all ACL for the rest
access to
dn.subtree=dc=example,dc=com
by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" manage
by self read
by users read
by * auth
# see slapo-ppolicy(5)
overlay ppolicy
# Default password policy entry
#ppolicy_default cn=ppolicy-default,ou=policies,dc=example,dc=com
# Hash clear-text userPassword values sent in with add/modify operations
#ppolicy_hash_cleartext
# Return AccountLocked error code to client
#ppolicy_use_lockout
# see slapo-refint(5)
overlay refint
refint_attributes member seeAlso
refint_nothing cn=dummy
# Check sub-tree wide uniqueness of certain attributes
# see slapo-unique(5)
# you have to add eq-index for efficient uniqueness check!
# Note that filter part is currently ignored because of OpenLDAP ITS#6825
overlay unique
unique_uri "ldap:///dc=example,dc=com?uid,uidNumber,homeDirectory?sub"
unique_uri "ldap:///ou=groups,dc=example,dc=com?cn,gidNumber?sub?(|(objectClass=groupOfNames)(objectClass=posixGroup))"
#unique_uri "ldap:///dc=example,dc=com?krbPrincipalName,krbPrincipalAlias?sub"
#unique_uri "ldap:///dc=example,dc=com?ipHostNumber?sub"
#unique_uri "ldap:///dc=example,dc=com?employeeNumber?sub"
#unique_uri "ldap:///dc=example,dc=com?uniqueIdentifier?sub"
#overlay syncprov
#mirrormode on
#---------------------------------------------------------------------------
# cn=monitor // Monitoring database (always last!)
# see slapd-monitor(5)
#---------------------------------------------------------------------------
database monitor
access to
dn.subtree="cn=monitor"
by dn.exact="cn=root,dc=example,dc=com" write
by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" write
by users read

11
slapd.service Normal file
View File

@ -0,0 +1,11 @@
[Unit]
Description=OpenLDAP Server Daemon
After=syslog.target network.target
[Service]
Type=forking
ExecStart=/usr/lib/openldap/start
[Install]
WantedBy=multi-user.target

208
start Normal file
View File

@ -0,0 +1,208 @@
#! /bin/sh
# Copyright (c) 1997-2000 SuSE GmbH Nuernberg, Germany.
# Copyright (c) 2002 SuSE Linux AG Nuernberg, Germany.
# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# Author: Carsten Hoeger
# Ralf Haferkamp
#
# /etc/init.d/ldap
#
### BEGIN INIT INFO
# Provides: ldap
# Required-Start: $network $remote_fs
# Required-Stop: $network $remote_fs
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Short-Description: OpenLDAP Server (slapd)
# Description: Start and Stop the OpenLDAP Server (slapd) to
# provide LDAP directory services.
### END INIT INFO
# Determine the base and follow a runlevel link name.
base=${0##*/}
link=${base#*[SK][0-9][0-9]}
test -f /etc/sysconfig/openldap && . /etc/sysconfig/openldap
SLAPD_BIN=/usr/sbin/slapd
LDAP_URLS=""
LDAPS_URLS=""
LDAPI_URLS=""
SLAPD_CONFIG_ARG="-F /etc/openldap/slapd.d"
SLAPD_PID_DIR="/var/run/slapd/"
test -x $SLAPD_BIN || exit 5
# Shell functions sourced from /etc/rc.status:
# rc_check check and set local and overall rc status
# rc_status check and set local and overall rc status
# rc_status -v ditto but be verbose in local rc status
# rc_status -v -r ditto and clear the local rc status
# rc_failed set local and overall rc status to failed
# rc_failed <num> set local and overall rc status to <num><num>
# rc_reset clear local rc status (overall remains)
# rc_exit exit appropriate to overall rc status
. /etc/rc.status
# First reset status of this service
rc_reset
function init_ldap_listener_urls(){
case "$OPENLDAP_START_LDAP" in
[Yy][Ee][Ss])
if [ -n "$OPENLDAP_LDAP_INTERFACES" ]
then
for iface in $OPENLDAP_LDAP_INTERFACES ;do
LDAP_URLS="$LDAP_URLS ldap://$iface"
done
else
LDAP_URLS="ldap:///"
fi
;;
esac
}
function init_ldapi_listener_urls(){
case "$OPENLDAP_START_LDAPI" in
[Yy][Ee][Ss])
if [ -n "$OPENLDAP_LDAPI_INTERFACES" ]
then
for iface in $OPENLDAP_LDAPI_INTERFACES ;do
esc_iface=`echo "$iface" | sed -e s'/\\//\\%2f/'g`
LDAPI_URLS="$LDAPI_URLS ldapi://$esc_iface"
done
else
LDAPI_URLS="ldapi:///"
fi
;;
esac
}
function init_ldaps_listener_urls(){
case "$OPENLDAP_START_LDAPS" in
[Yy][Ee][Ss])
if [ -n "$OPENLDAP_LDAPS_INTERFACES" ]
then
for iface in $OPENLDAP_LDAPS_INTERFACES ;do
LDAPS_URLS="$LDAPS_URLS ldaps://$iface"
done
else
LDAPS_URLS="ldaps:///"
fi
;;
esac
}
function check_connection(){
SLAPD_TIMEOUT=10
START=$( date +%s)
while [ $(( $( date +%s) - ${START} )) -lt ${SLAPD_TIMEOUT} ]; do
ldapsearch -x -H "$LDAP_URLS $LDAPI_URLS $LDAPS_URLS" -b "" -s base &>/dev/null
LDAPSEARCH_RC=$?
if [ ${LDAPSEARCH_RC} -ge 0 ] && [ ${LDAPSEARCH_RC} -le 80 ] ; then break
else sleep 1
fi
done
}
depth=0;
function chown_database_dirs_bconfig() {
ldapdir=$(find $1 -type f -name "olcDatabase*" | xargs grep -i olcdbdirectory | awk '{print $2}')
for dir in $ldapdir; do
[ -d "$dir" ] && [ -n "$OPENLDAP_USER" ] && \
chown -R $OPENLDAP_USER $dir 2>/dev/null
[ -d "$dir" ] && [ -n "$OPENLDAP_GROUP" ] && \
chgrp -R $OPENLDAP_GROUP $dir 2>/dev/null
done
}
function chown_database_dirs() {
ldapdir=`grep ^directory $1 | awk '{print $2}'`
for dir in $ldapdir; do
[ -d "$dir" ] && [ -n "$OPENLDAP_USER" ] && \
chown -R $OPENLDAP_USER $dir 2>/dev/null
[ -d "$dir" ] && [ -n "$OPENLDAP_GROUP" ] && \
chgrp -R $OPENLDAP_GROUP $dir 2>/dev/null
done
includes=`grep ^include $1 | awk '{print $2}'`
if [ $depth -le 50 ]; then
depth=$(( $depth + 1 ));
for i in $includes; do
chown_database_dirs "$i" ;
done
fi
}
USER_CMD=""
GROUP_CMD=""
[ ! "x$OPENLDAP_USER" = "x" ] && USER_CMD="-u $OPENLDAP_USER"
[ ! "x$OPENLDAP_GROUP" = "x" ] && GROUP_CMD="-g $OPENLDAP_GROUP"
[ ! "x$OPENLDAP_CONFIG_BACKEND" = "xldap" ] && SLAPD_CONFIG_ARG="-f /etc/openldap/slapd.conf"
if [ -f /etc/openldap/UPDATE_NEEDED ]; then
rc_failed 6
echo " The configuration of your LDAP server needs to be updated."
echo " Please see /usr/share/doc/packages/openldap2/README.update"
echo " for details."
echo " After the update please remove the file:"
echo " /etc/openldap/UPDATE_NEEDED"
rc_status -v
exit
fi
# chown backend directories if OPENLDAP_CHOWN_DIRS ist set
if [ "$(echo "$OPENLDAP_CHOWN_DIRS" | tr 'A-Z' 'a-z')" = "yes" ]; then
if [ -n "$OPENLDAP_USER" -o -n "$OPENLDAP_GROUP" ]; then
if [ -n "$OPENLDAP_CONFIG_BACKEND" -a "$OPENLDAP_CONFIG_BACKEND" = "ldap" ]; then
chown -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null
chgrp -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null
chown_database_dirs_bconfig "/etc/openldap/slapd.d"
# assume back-config usage if slapd.conf is not present but slapd.d is
elif [ ! -f /etc/openldap/slapd.conf -a /etc/openldap/slapd.d ]; then
chown -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null
chgrp -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null
chown_database_dirs_bconfig "/etc/openldap/slapd.d"
else
chown_database_dirs "/etc/openldap/slapd.conf"
chgrp $OPENLDAP_GROUP /etc/openldap/slapd.conf 2>/dev/null
fi
if test -f /etc/sasl2/slapd.conf ; then
chgrp $OPENLDAP_GROUP /etc/sasl2/slapd.conf 2>/dev/null
chmod 640 /etc/sasl2/slapd.conf 2>/dev/null
fi
if [ -n "$OPENLDAP_KRB5_KEYTAB" ]; then
keytabfile=${OPENLDAP_KRB5_KEYTAB/#FILE:/}
if test -f $keytabfile ; then
chgrp $OPENLDAP_GROUP $keytabfile 2>/dev/null
chmod g+r $keytabfile 2>/dev/null
fi
fi
fi
fi
if [ -n "$OPENLDAP_KRB5_KEYTAB" ]; then
export KRB5_KTNAME=$OPENLDAP_KRB5_KEYTAB
fi
case "$OPENLDAP_REGISTER_SLP" in
[Yy][Ee][Ss])
SLAPD_SLP_REG="-o slp=on"
;;
*)
SLAPD_SLP_REG="-o slp=off"
;;
esac
init_ldap_listener_urls
init_ldapi_listener_urls
init_ldaps_listener_urls
if [ ! -d $SLAPD_PID_DIR ]; then
mkdir -p $SLAPD_PID_DIR
chown ldap:ldap $SLAPD_PID_DIR
fi
echo -n "Starting ldap-server"
exec $SLAPD_BIN -h "$LDAP_URLS $LDAPS_URLS $LDAPI_URLS" \
$SLAPD_CONFIG_ARG $USER_CMD $GROUP_CMD \
$OPENLDAP_SLAPD_PARAMS $SLAPD_SLP_REG

158
sysconfig.openldap Normal file
View File

@ -0,0 +1,158 @@
## Path: Network/LDAP
## Description: Basic Configuration of the OpenLDAP Directory Server
## Type: yesno
## Default: yes
## ServiceRestart: ldap
#
# If set to "no" the LDAP server will not accept any "normal" LDAP connections
# but just connections over "ldaps" or "ldapi". Setting this to "no" does only
# make sense when either OPENLDAP_START_LDAPS or OPENLDAP_START_LDAPI is set
# "yes".
#
OPENLDAP_START_LDAP="yes"
## Type: yesno
## Default: no
## ServiceRestart: ldap
#
# If set to "yes" the "ldap over ssl" feature of slapd will be enabled. Don't
# forget to add the "TLSCertificateFile" and "TLSCertificateKeyFile" options
# to the /etc/openldap/slapd.conf (man slapd.conf).
# Note: Don't confuse this with "START_TLS", the preferred method for
# making encrypted LDAP connections, which is enabled as soon as You
# specify "TLSCertificateFile" and "TLSCertificateKeyFile" in your config
# file
#
OPENLDAP_START_LDAPS="no"
## Type: yesno
## Default: no
## ServiceRestart: ldap
#
# If set to "yes", "ldap over IPC" feature of slapd will be enabled.
# The ldap server creates a Unix domain socket as /var/run/slapd/ldapi.
# Default: no
#
OPENLDAP_START_LDAPI="yes"
## Type: string
## Default: ""
## ServiceRestart: ldap
#
# If not empty, additional parameters for slapd daemon.
# Default: ""
#
OPENLDAP_SLAPD_PARAMS=""
## Type: string
## Default: ldap
## ServiceRestart: ldap
#
# specifies a user, as which the openldap server should be executed
# Default: ldap
#
OPENLDAP_USER="ldap"
## Type: string
## Default: ldap
## ServiceRestart: ldap
#
# specifies a group, as which the openldap server should be executed
# Default: ldap
#
OPENLDAP_GROUP="ldap"
## Type: yesno
## Default: yes
## ServiceRestart: ldap
#
# If set to "yes" the init scripts will change the owner/group of the
# different backend database directories (e.g. /var/lib/ldap) to the
# user/group specified above
#
OPENLDAP_CHOWN_DIRS="yes"
## Type: string
## Default: ""
## ServiceRestart: ldap
#
# Use this to specify the interfaces that the server such accept
# LDAP connections from. The values are specified in the format
# <address>:<port>, where address is an IP address and port is the
# portnumber, the daemon should listen to (defaulting to 389). If this
# parameter is empty the server will attach to all interfaces. This
# parameter is only evaluated if "OPENLDAP_START_LDAP" is set to
# "yes"
# Default: ""
#
OPENLDAP_LDAP_INTERFACES=""
## Type: string
## Default: ""
## ServiceRestart: ldap
#
# Use this to specify the interfaces that the server such accept
# LDAPS connections from. The values are specified in the format
# <address>:<port>, where address is an IP address and port is the
# portnumber, the daemon should listen to (defaulting to 636). If this
# parameter is empty the server will attach to all interfaces. This
# parameter is only evaluated if "OPENLDAP_START_LDAPS" is set to
# "yes"
# Default: ""
#
OPENLDAP_LDAPS_INTERFACES=""
## Type: string
## Default: ""
## ServiceRestart: ldap
#
# Use this to specify the paths of the Unix Domain Sockets that
# the server should create an accept incoming LDAPI connections
# on. This parameter is only evaluated if "OPENLDAP_START_LDAPI"
# is set to "yes".
# Default: ""
#
OPENLDAP_LDAPI_INTERFACES=""
## Type: yesno
## Default: "yes"
## ServiceRestart: ldap
#
# If set to "no" the LDAP server will not try itself at a running SLP
# daemon.
# Default: "yes"
#
OPENLDAP_REGISTER_SLP="no"
## Type: string
## Default: ""
## ServiceRestart: ldap
#
# Set this to the name of the keytab, if you want to use a non-default
# Kerberos Keytab. If OPENLDAP_CHOWN_DIRS is set to "yes" the permissions of
# this file will be changed so that the group OPENLDAP_GROUP has read
# access to the file.
# Example: OPENLDAP_KRB5_KEYTAB="FILE:/etc/openldap/krb5.keytab
# Default: ""
#
OPENLDAP_KRB5_KEYTAB=""
## Type: string
## Default: "files"
## ServiceRestart: ldap
#
# Here you can configure which of the configuration backends you want to
# use. Possible values are "files" for slapd.conf(5) styleconfiguration or
# "ldap" for the slapd-config(5) LDAP based configuration backend.
#
OPENLDAP_CONFIG_BACKEND=""
## Type: yesno
## Default: "yes"
## ServiceRestart: ldap
#
# Here you can configure if the slapd shall start with or without memory limit.
#
OPENLDAP_MEMORY_LIMIT="yes"

202
yast.schema Normal file
View File

@ -0,0 +1,202 @@
## Some macros
objectidentifier SUSE 1.3.6.1.4.1.7057
objectidentifier SUSE.YaST SUSE:10.1
objectidentifier SUSE.YaST.ModuleConfig SUSE:10.1.2
objectidentifier SUSE.YaST.ModuleConfig.OC SUSE.YaST.ModuleConfig:1
objectidentifier SUSE.YaST.ModuleConfig.Attr SUSE.YaST.ModuleConfig:2
# Attributes
# deprecated
#
#attributetype ( SUSE.YaST.ModuleConfig.Attr:1 NAME ( 'userConfigDn' )
# DESC 'Where is the configuration for user management stored'
# EQUALITY distinguishedNameMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
attributetype ( SUSE.YaST.ModuleConfig.Attr:2 NAME ( 'suseDefaultBase' )
DESC 'Base DN where new Objects should be created by default'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE )
attributetype ( SUSE.YaST.ModuleConfig.Attr:3 NAME ( 'suseNextUniqueId' )
DESC 'Next unused unique ID, can be used to generate directory wide uniqe IDs'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( SUSE.YaST.ModuleConfig.Attr:4 NAME ( 'suseMinUniqueId' )
DESC 'lower Border for Unique IDs'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( SUSE.YaST.ModuleConfig.Attr:5 NAME ( 'suseMaxUniqueId' )
DESC 'upper Border for Unique IDs'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( SUSE.YaST.ModuleConfig.Attr:6 NAME ( 'suseDefaultTemplate' )
DESC 'The DN of a template that should be used by default'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE )
attributetype ( SUSE.YaST.ModuleConfig.Attr:7 NAME ( 'suseSearchFilter' )
DESC 'Search filter to localize Objects'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )
# deprecated
#
#attributetype ( SUSE.YaST.ModuleConfig.Attr:8 NAME ( 'DefaultObjectClass' )
# DESC 'ObjectClass that new Objects should use'
# EQUALITY caseIgnoreIA5Match
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
#
#attributetype ( SUSE.YaST.ModuleConfig.Attr:9 NAME ( 'suseRequiredAttribute' )
# DESC ''
# EQUALITY caseIgnoreIA5Match
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
#
#attributetype ( SUSE.YaST.ModuleConfig.Attr:10 NAME ( 'allowedAttribute' )
# DESC ''
# EQUALITY caseIgnoreIA5Match
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( SUSE.YaST.ModuleConfig.Attr:11 NAME ( 'suseDefaultValue' )
DESC 'an Attribute-Value-Assertions to define defaults for specific Attributes'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( SUSE.YaST.ModuleConfig.Attr:12 NAME ( 'suseNamingAttribute' )
DESC 'AttributeType that should be used as the RDN'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )
attributetype ( SUSE.YaST.ModuleConfig.Attr:15 NAME ( 'suseSecondaryGroup' )
DESC 'seconday group DN'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
attributetype ( SUSE.YaST.ModuleConfig.Attr:16 NAME ( 'suseMinPasswordLength' )
DESC 'minimum Password length for new users'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( SUSE.YaST.ModuleConfig.Attr:17 NAME ( 'suseMaxPasswordLength' )
DESC 'maximum Password length for new users'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( SUSE.YaST.ModuleConfig.Attr:18 NAME ( 'susePasswordHash' )
DESC 'Hash method to use for new users'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )
attributetype ( SUSE.YaST.ModuleConfig.Attr:19 NAME ( 'suseSkelDir' )
DESC ''
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( SUSE.YaST.ModuleConfig.Attr:20 NAME ( 'susePlugin' )
DESC 'plugin to use upon user/ group creation'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( SUSE.YaST.ModuleConfig.Attr:21 NAME ( 'suseMapAttribute' )
DESC ''
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( SUSE.YaST.ModuleConfig.Attr:22 NAME ( 'suseImapServer' )
DESC ''
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )
attributetype ( SUSE.YaST.ModuleConfig.Attr:23 NAME ( 'suseImapAdmin' )
DESC ''
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )
attributetype ( SUSE.YaST.ModuleConfig.Attr:24 NAME ( 'suseImapDefaultQuota' )
DESC ''
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( SUSE.YaST.ModuleConfig.Attr:25 NAME ( 'suseImapUseSsl' )
DESC ''
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
# ObjectClasses
objectClass ( SUSE.YaST.ModuleConfig.OC:2 NAME 'suseModuleConfiguration'
SUP top STRUCTURAL
DESC 'Contains configuration of Management Modules'
MUST ( cn )
MAY ( suseDefaultBase ))
objectClass ( SUSE.YaST.ModuleConfig.OC:3 NAME 'suseUserConfiguration'
SUP suseModuleConfiguration STRUCTURAL
DESC 'Configuration of user management tools'
MAY ( suseMinPasswordLength $ suseMaxPasswordLength $
susePasswordHash $ suseSkelDir $ suseNextUniqueId $ suseMinUniqueId $
suseMaxUniqueId $ suseDefaultTemplate $ suseSearchFilter $
suseMapAttribute ))
objectClass ( SUSE.YaST.ModuleConfig.OC:4 NAME 'suseObjectTemplate'
SUP top STRUCTURAL
DESC 'Base Class for Object-Templates'
MUST ( cn )
MAY ( susePlugin $ suseDefaultValue $ suseNamingAttribute ))
objectClass ( SUSE.YaST.ModuleConfig.OC:5 NAME 'suseUserTemplate'
SUP suseObjectTemplate STRUCTURAL
DESC 'User object template'
MUST ( cn )
MAY ( suseSecondaryGroup ))
objectClass ( SUSE.YaST.ModuleConfig.OC:6 NAME 'suseGroupTemplate'
SUP suseObjectTemplate STRUCTURAL
DESC 'Group object template'
MUST ( cn ))
objectClass ( SUSE.YaST.ModuleConfig.OC:7 NAME 'suseGroupConfiguration'
SUP suseModuleConfiguration STRUCTURAL
DESC 'Configuration of user management tools'
MAY ( suseNextUniqueId $ suseMinUniqueId $ suseMaxUniqueId $
suseDefaultTemplate $ suseSearchFilter $ suseMapAttribute ))
objectClass ( SUSE.YaST.ModuleConfig.OC:8 NAME 'suseCaConfiguration'
SUP suseModuleConfiguration STRUCTURAL
DESC 'Configuration of CA management tools')
objectClass ( SUSE.YaST.ModuleConfig.OC:9 NAME 'suseDnsConfiguration'
SUP suseModuleConfiguration STRUCTURAL
DESC 'Configuration of mail server management tools')
objectClass ( SUSE.YaST.ModuleConfig.OC:10 NAME 'suseDhcpConfiguration'
SUP suseModuleConfiguration STRUCTURAL
DESC 'Configuration of DHCP server management tools')
objectClass ( SUSE.YaST.ModuleConfig.OC:11 NAME 'suseMailConfiguration'
SUP suseModuleConfiguration STRUCTURAL
DESC 'Configuration of IMAP user management tools'
MUST ( suseImapServer $ suseImapAdmin $ suseImapDefaultQuota $
suseImapUseSsl ))