/se3master/usr/share/se3/scripts/ -> mkSlapdConf.sh (source)

   1  #!/bin/bash
   2  
   3  #
   4  ## $Id: mkSlapdConf.sh 7943 2013-11-17 00:05:18Z keyser $ ##
   5  #
   6  ##### Met en place la replication LDAP avec syncrepl #####
   7  
   8  if [ "$1" = "--help" -o "$1" = "-h" ]
   9  then
  10      echo "Met en place la replication LDAP (syncrepl)a partir des donnees de la base sql"
  11      echo "Usage : -r replace l'annuaire en annuaire local sans replication"
  12      echo "-h Cette aide"
  13      exit
  14  fi    
  15  . /usr/share/se3/includes/config.inc.sh -lm
  16  . /usr/share/se3/includes/functions.inc.sh 
  17  
  18  
  19  mkdir -p /var/se3/save/ldap/
  20      
  21  if [ -e /var/lock/syncrepl.lock ]
  22  then
  23      echo "lock trouve"
  24      logger -t "SLAPD" "Lock syncrepl.lock existant"
  25      exit 1
  26  fi    
  27  
  28  
  29  
  30  # Permettre un retour sur l'annuaire local
  31  if [ "$1" = "-r" ]
  32  then
  33          CHANGEMYSQL replica_ip ""
  34      CHANGEMYSQL replica_status "0"
  35      CHANGEMYSQL ldap_server "127.0.0.1"
  36  # 
  37  # 
  38  #         /usr/bin/mysql -u $user -p$password -D se3db -e "UPDATE params set value='' WHERE name='replica_ip'"
  39  #         /usr/bin/mysql -u $user -p$password -D se3db -e "UPDATE params set value='0' WHERE name='replica_status'"
  40  #         /usr/bin/mysql -u $user -p$password -D se3db -e "UPDATE params set value='127.0.0.1' WHERE name='ldap_server'"
  41      echo "Annuaire replace en mode annuaire local"
  42  fi
  43  
  44  #
  45  ## Version Debian
  46  if [ -e /etc/debian_version ]
  47  then
  48    DEBIAN_VERSION=`cat /etc/debian_version`
  49  fi
  50  
  51  
  52  
  53  # Verification des variables
  54  if [ "$ldap_server" = "" -o "$adminRdn" = "" ]
  55  then
  56      echo "Impossible de connaitre la base dn et/ou l'admin"
  57      echo "le script ne peut se poursuivre"
  58      exit 1
  59  fi
  60  if [ "$replica_status" = "" ]
  61  then
  62      # Si pas de valeur on le place en standalone
  63      replica_status=0
  64  fi    
  65  if [ "$ldap_server" = "" ]
  66  then
  67      ldap_server="127.0.0.1"
  68  fi
  69  if [ "$replica_status" = "1" -o "$replica_status" = "3" -o "$replica_status" = "0" ]
  70  then
  71       LDAP_LOCAL="$ldap_server"
  72  else
  73       LDAP_LOCAL="$replica_ip"
  74  fi
  75  if [ "$LDAP_LOCAL" = "" ]
  76  then
  77       LDAP_LOCAL="127.0.0.1"
  78  fi
  79            
  80  
  81  # lock
  82  touch /var/lock/syncrepl.lock
  83  
  84  # On stoppe ldap et samba
  85  if [ "$1" != "installinit" ]
  86  then
  87      service slapd stop
  88      sleep 2
  89  
  90      # On sauvegarde LDAP
  91      DATE="$(date +%d%m%Y)"
  92      SAUV_LDAP=ldap_$DATE.ldif
  93      /usr/sbin/slapcat > /var/se3/save/ldap/$SAUV_LDAP
  94  
  95      # On sauvegarde DB_CONFIG
  96      if [ -e "/var/lib/ldap/DB_CONFIG" ]
  97      then
  98          cp /var/lib/ldap/DB_CONFIG /var/se3/save/ldap/
  99      else
 100          cp /var/se3/save/ldap/DB_CONFIG /var/lib/ldap/
 101      fi
 102  
 103  
 104  fi
 105  
 106  #################################################################################
 107  #     On supprime l'existant                            #
 108  #################################################################################
 109  # On vire le repertoire des logs de slurpd
 110  if [ \( -d "/var/spool/slurpd/replica" \) ]
 111  then
 112      rm -Rf /var/spool/slurpd/replica
 113  fi    
 114  
 115  
 116  # On vire syncrepl.conf
 117  if [ -e "/etc/ldap/syncrepl.conf" ]
 118  then
 119      rm -f /etc/ldap/syncrepl.conf
 120  fi    
 121  
 122  
 123  #################################################################################
 124  #   Fichier de conf de slapd.conf                        #
 125  #################################################################################
 126  
 127  # On crypte le mot de passe
 128  ldap_passwd=`cat /etc/ldap.secret`
 129  # verifie la concordence avcc la base SQL
 130  if [ "$ldap_passwd" != "$adminPw" ]
 131  then
 132      # Implique un changement de mot de passe, on change donc celui de ldap.secret
 133      echo "$adminPw" > /etc/ldap.secret
 134      chmod 400 /etc/ldap.secret
 135      smbpasswd -w $adminPw
 136  fi    
 137  crypted_ldap_passwd=`/usr/sbin/slappasswd -h {MD5} -s $adminPw`
 138  
 139  # TLS
 140  echo "
 141  [ req ]
 142  distinguished_name =  req_distinguished_name
 143  prompt = no
 144  
 145  [ req_distinguished_name ]
 146  OU = SE3
 147  CN = $LDAP_LOCAL
 148  " > /etc/ldap/config.se3
 149  
 150  PEM1=`/bin/mktemp /tmp/openssl.XXXXXX`
 151  PEM2=`/bin/mktemp /tmp/openssl.XXXXXX`
 152  
 153  
 154  /usr/bin/openssl req -config /etc/ldap/config.se3 -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 3650 -out $PEM2 >/dev/null 2>/dev/null
 155  cat $PEM1 >  /etc/ldap/slapd.pem
 156  echo ""    >> /etc/ldap/slapd.pem
 157  cat $PEM2 >> /etc/ldap/slapd.pem
 158  /bin/rm -f $PEM1 $PEM2
 159  
 160  # Fichier slapd.conf
 161  echo "# This is the main ldapd configuration file. See slapd.conf(5) for more
 162  # info on the configuration options.
 163  # Cree pour Se3 par mkSlapdConf.sh
 164  
 165  # Schema and objectClass definitions
 166  include         /etc/ldap/schema/core.schema
 167  include         /etc/ldap/schema/cosine.schema
 168  include         /etc/ldap/schema/nis.schema
 169  include         /etc/ldap/schema/inetorgperson.schema
 170  include         /etc/ldap/schema/ltsp.schema
 171  include         /etc/ldap/schema/samba.schema
 172  include         /etc/ldap/schema/printer.schema" > /etc/ldap/slapd.conf 
 173  
 174  if [ -e "/etc/ldap/schema/RADIUS-LDAPv3.schema" ]
 175  then
 176  echo "include         /etc/ldap/schema/RADIUS-LDAPv3.schema" >> /etc/ldap/slapd.conf
 177  fi 
 178  
 179  if [ -e "/etc/ldap/schema/apple.schema" ]
 180  then
 181  echo "include         /etc/ldap/schema/apple.schema" >> /etc/ldap/slapd.conf
 182  fi 
 183  
 184  echo "
 185  TLSCACertificatePath /etc/ldap/
 186  TLSCertificateFile /etc/ldap/slapd.pem
 187  TLSCertificateKeyFile /etc/ldap/slapd.pem
 188  
 189  # Schema check allows for forcing entries to
 190  # match schemas for their objectClasses's
 191  allow bind_v2
 192  
 193  # Where clients are refered to if no
 194  # match is found locally
 195  #referral    ldap://some.other.ldap.server
 196  
 197  # Where the pid file is put. The init.d script
 198  # will not stop the server if you change this.
 199  pidfile        /var/run/slapd/slapd.pid
 200  
 201  # List of arguments that were passed to the server
 202  argsfile    /var/run/slapd/slapd.args
 203  
 204  # Read slapd.conf(5) for possible values
 205  loglevel    0
 206  
 207  # Where the dynamically loaded modules are stored
 208  modulepath    /usr/lib/ldap
 209  moduleload    back_bdb
 210  
 211  #######################################################################
 212  # Specific Backend Directives for bdb:
 213  # Backend specific directives apply to this backend until another
 214  # 'backend' directive occurs
 215  backend        bdb
 216  # Specific Directives for database #1, of type bdb:
 217  # Database specific directives apply to this databasse until another
 218  # 'database' directive occurs
 219  database        bdb
 220  
 221  # The base of your directory
 222  suffix        \"$ldap_base_dn\"
 223  rootdn        \"$adminRdn,$ldap_base_dn\"
 224  rootpw        $crypted_ldap_passwd
 225  # Where the database file are physically stored
 226  directory    \"/var/lib/ldap\"
 227  
 228  checkpoint 512 30
 229  
 230  index      objectClass,uidNumber,gidNumber,uniqueMember,member eq
 231  index      cn,sn,uid,displayName,l                          pres,sub,eq
 232  index      memberUid,mail,givenname                 eq,subinitial
 233  index      sambaSID,sambaPrimaryGroupSID,sambaDomainName    eq
 234  index      sambaSIDList,sambaGroupType                      eq
 235  index       entryCSN,entryUUID                    eq
 236  index      default                                          sub,eq
 237  
 238  # Save the time that the entry gets modified
 239  lastmod on
 240  
 241  # For Netscape Roaming support, each user gets a roaming
 242  # profile for which they have write access to
 243  #access to dn=\".*,ou=Roaming,@SUFFIX@\"
 244  #    by dnattr=owner write
 245  
 246  # The userPassword by default can be changed
 247  # by the entry owning it if they are authenticated.
 248  # Others should not be able to see it, except the
 249  # admin entry below
 250  access to attrs=userPassword
 251      by anonymous auth
 252      by self write
 253      by * none
 254  
 255  # ACLs proposees par Bruno Bzeznic
 256  access to attrs=userpassword
 257      by self write
 258      by users none
 259      by anonymous auth
 260  
 261  access to attrs=sambaLmPassword
 262      by self write
 263      by users none
 264      by anonymous auth
 265  
 266  access to attrs=sambaNtPassword
 267      by self write
 268      by users none
 269      by anonymous auth
 270      
 271  access to attrs=printer-uri
 272          by self write
 273          by users none
 274          by anonymous auth
 275  
 276  
 277  # The admin dn has full write access
 278  access to *
 279      by * read
 280  
 281  # out put of this database using slapcat(8C), and then importing that into
 282  #
 283  #    credentials=\"XXXXXX\"
 284  
 285  # End of ldapd configuration file
 286  sizelimit    3500
 287  " >> /etc/ldap/slapd.conf
 288  
 289  #################################################################################
 290  # Cree le fichier /etc/default/slapd                        #
 291  #################################################################################
 292  
 293  echo "# Default location of the slapd.conf file or slapd.d cn=config directory. If
 294  # empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
 295  # /etc/ldap/slapd.conf).
 296  
 297  SLAPD_CONF=\"/etc/ldap/slapd.conf\"
 298  
 299  # System account to run the slapd server under. If empty the server
 300  # will run as root.
 301  SLAPD_USER=\"openldap\"
 302  
 303  # System group to run the slapd server under. If empty the server will
 304  # run in the primary group of its user.
 305  SLAPD_GROUP=\"openldap\"
 306  
 307  # Path to the pid file of the slapd server. If not set the init.d script
 308  # will try to figure it out from \$SLAPD_CONF (/etc/ldap/slapd.conf)
 309  SLAPD_PIDFILE=
 310  
 311  # slapd normally serves ldap only on all TCP-ports 389. slapd can also
 312  # service requests on TCP-port 636 (ldaps) and requests via unix
 313  # sockets.
 314  # Example usage:
 315  # SLAPD_SERVICES=\"ldap://127.0.0.1:389/ ldaps:/// ldapi:///\"
 316  SLAPD_SERVICES=\"ldap:/// ldapi:///\"
 317  
 318  # If SLAPD_NO_START is set, the init script will not start or restart
 319  # slapd (but stop will still work).  Uncomment this if you are
 320  # starting slapd via some other means or if you don't want slapd normally
 321  # started at boot.
 322  #SLAPD_NO_START=1
 323  
 324  # If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
 325  # the init script will not start or restart slapd (but stop will still
 326  # work).  Use this for temporarily disabling startup of slapd (when doing
 327  # maintenance, for example, or through a configuration management system)
 328  # when you don't want to edit a configuration file.
 329  SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
 330  
 331  # For Kerberos authentication (via SASL), slapd by default uses the system
 332  # keytab file (/etc/krb5.keytab).  To use a different keytab file,
 333  # uncomment this line and change the path.
 334  #export KRB5_KTNAME=/etc/krb5.keytab
 335  
 336  # Additional options to pass to slapd
 337  SLAPD_OPTIONS=\"\"
 338  
 339  " > /etc/default/slapd
 340  
 341  SSL="start_tls"
 342  
 343  # desactivation TLS pour contournement bug en attendant utilsation autre lib
 344  SSL="off"
 345  
 346  if [ "$replica_status" = "2" ]
 347  then
 348      SSL="off"
 349  fi
 350  # Pas de ssl si le ldap est local
 351  if [ "$replica_status" == "" -o "$replica_status" = "0" ]
 352  then    
 353      if [ "$ldap_server" == "$se3ip" ]
 354      then
 355          echo "Pas de replication, LDAP local, SSL off"
 356          SSL="off"
 357      fi
 358  fi
 359  # Modification conf samba
 360  sed -i "s#ldapsam:ldap.*#ldapsam:ldap://$ldap_server#" /etc/samba/smb.conf 2>/dev/null
 361  sed -i "s#ldap ssl.*#ldap ssl = $SSL#" /etc/samba/smb.conf 2>/dev/null
 362  
 363  #################################################################################
 364  #    Slave Syncrepl                                  #
 365  #################################################################################
 366  if [ "$replica_status" = "4" ]
 367  then
 368      # On supprime la base 
 369      
 370      if [ -e "/var/se3/save/ldap/DB_CONFIG" ]
 371          then
 372          
 373          cp /var/se3/save/ldap/DB_CONFIG /var/lib/ldap/
 374      else
 375          mkdir -p /var/se3/save/ldap/
 376          cp /var/lib/ldap/DB_CONFIG /var/se3/save/ldap/
 377      
 378      fi
 379    rm -f /var/lib/ldap/*
 380  
 381  echo "syncrepl rid=0
 382   provider=ldap://$ldap_server:389
 383   type=refreshOnly
 384   interval=00:00:01:00
 385   searchbase=\"$ldap_base_dn\"
 386   scope=sub
 387   schemachecking=off
 388   bindmethod=simple
 389   binddn=\"cn=admin,$ldap_base_dn\"
 390   credentials=$ldap_passwd" > /etc/ldap/syncrepl.conf
 391  
 392  # Ajout de l'include dans slapd.conf
 393  echo "# Replication Slave Syncrepl
 394  include /etc/ldap/syncrepl.conf" >> /etc/ldap/slapd.conf 
 395  
 396  # Modiife les differents fichiers de conf
 397  serveurs="$ldap_server $LDAP_LOCAL"
 398  fi
 399  
 400  #################################################################################
 401  # Master Syncrepl                                #
 402  #################################################################################
 403  if [ "$replica_status" = "3" ]
 404  then
 405      serveurs="$ldap_server $replica_ip"
 406      
 407      # touch syncrepl vide pour indiquer la methode
 408      
 409  echo "moduleload syncprov
 410  overlay syncprov
 411  syncprov-checkpoint 50 5
 412  syncprov-sessionlog 50" > /etc/ldap/syncrepl.conf
 413      
 414  # Ajout de l'include dans slapd.conf
 415  echo "# Replication Slave Syncrepl
 416  include /etc/ldap/syncrepl.conf" >> /etc/ldap/slapd.conf
 417  
 418      
 419  
 420  fi
 421  
 422  ################################################################################# 
 423  #        Pas de replication                         #
 424  #################################################################################
 425  if [ "$replica_status" = "0" ]
 426  then
 427      # Modiife les differents fichiers de conf
 428      serveurs="$ldap_server"
 429  fi
 430  
 431  
 432  #################################################################################
 433  #         Creation de : libnss-ldap.conf pam_ldap.conf ldap.conf        #
 434  #################################################################################
 435  echo "ldap_version 3
 436  base $ldap_base_dn
 437  rootbinddn $adminRdn,$ldap_base_dn
 438  #bindpw 
 439  host $serveurs
 440  #scope sub
 441  
 442  # ssl start_tls
 443  # tls_checkpeer no
 444  bind_policy soft
 445  nss_initgroups_ignoreusers root,openldap,plugdev,disk,kmem,tape,audio,daemon,lp,rdma,fuse,video,dialout,floppy,cdrom,tty" > /etc/libnss-ldap.conf
 446  
 447  # Creation de pam_ldap.conf
 448  echo "ldap_version 3
 449  base $ldap_base_dn
 450  rootbinddn $adminRdn,$ldap_base_dn
 451  #bindpw 
 452  host $serveurs
 453  pam_crypt local
 454  # ssl start_tls
 455  # tls_checkpeer no
 456  " > /etc/pam_ldap.conf
 457  
 458  # Creation de ldap.conf
 459  echo "HOST $serveurs
 460  BASE $ldap_base_dn
 461  # TLS_REQCERT never
 462  # TLS_CACERTDIR /etc/ldap/
 463  # TLS_CACERT /etc/ldap/slapd.pem
 464  " > /etc/ldap/ldap.conf
 465  
 466  #################################################################################
 467  #         Fin de la conf                            #
 468  #################################################################################
 469  
 470  chmod 640 /etc/ldap/slapd.conf
 471  chmod 644 /etc/ldap/slapd.pem
 472  
 473  
 474  
 475  if [ "$1" == "index" ] 
 476      then
 477  #             chown root /var/lib/ldap/* 
 478          slapindex 2>/dev/null
 479  #         chown openldap /var/lib/ldap/* 
 480      fi
 481  
 482  
 483  chown -R openldap:openldap /etc/ldap
 484  chown -R openldap:openldap /var/lib/ldap
 485  chown openldap:openldap /var/run/slapd
 486  
 487  
 488  [ "$1" != "installinit" ] && service slapd start
 489  sleep 1
 490  [ "$1" != "installinit" ] && /etc/init.d/samba reload
 491  
 492  # Supprime le lock
 493  rm -f /var/lock/syncrepl.lock

