summaryrefslogtreecommitdiff
path: root/ldap/mkldapdb
blob: 229abc9dad47a4a6d611f85eae0df86129825352 (plain) 
    

  1. #!/bin/sh
    2. 

  2. 

  3. set -e
    4. 

  4. 

  5. umask 066
    6. 

  6. 

  7. # Resolve some defaults from other system config
    8. 

  8. basedn="`grep '^BASE\b' /etc/ldap/ldap.conf | sed -e 's/^BASE[[:space:]]\+//' -e 's/,[[:space:]]\+/,/g'`"
    9. 

  9. dnsdomain="`dnsdomainname`"
    10. 

  10. orgname=""
    11. 

  11. if [ -r /etc/local-ORG/orgname ]; then
    12. 

  12.     orgname="$(head -n 1 /etc/local-ORG/orgname)"
    13. 

  13. fi
    14. 

  14. 

  15. # config defaults as of slapd 2.4.10-3
    16. 

  16. backend="hdb"
    17. 

  17. 

  18. exit1() {
    19. 

  19.     echo >&2 "Error: $1"
    20. 

  20.     echo >&2 "Exiting..."
    21. 

  21.     exit 1
    22. 

  22. }
    23. 

  23. 

  24. # Ensure all required values are properly resolved
    25. 

  25. for var in basedn dnsdomain orgname backend; do
    26. 

  26.     if [ -z "`eval echo '$'$var`" ]; then
    27. 

  27.         exit1 "Required variable '$var' missing. Exiting...!"
    28. 

  28.     fi
    29. 

  29. done
    30. 

  30. 

  31. # concatenate files with an additional newline in between
    32. 

  32. spacecat() {
    33. 

  33.     perl -e 'foreach (@ARGV) {print "\n" if $n; $n++; open (FH, $_); print while(<FH>); close FH;}' "$@"
    34. 

  34. }
    35. 

  35. 

  36. #TODO: Somehow lookup id directly instead, as getent might be slow with
    37. 

  37. #      thousands of entries, and some NSS mechanisms drop at some limit
    38. 

  38. #      i.e. openldap by default return only first 500 entries
    39. 

  39. nextfreeid() {
    40. 

  40.     type="$1"
    41. 

  41.     id="$2"
    42. 

  42.     max="$3"
    43. 

  43.     case $type in
    44. 

  44.         uid) column="3";;
    45. 

  45.         gid) column="4";;
    46. 

  46.     esac
    47. 

  47.     while getent passwd | awk -F: "{ print \$$column }" | grep -Fqx "$id"; do
    48. 

  48.         id=$(($id + 1))
    49. 

  49.         [ -z "$max" ] || [ "$id" -lt "$max" ] || return 1
    50. 

  50.     done
    51. 

  51.     echo "$id"
    52. 

  52. }
    53. 

  53. 

  54. masterdir=/etc/local-COMMON/ldap
    55. 

  55. tempdir=`mktemp -dt slapd.XXXXXX`
    56. 

  56. 

  57. snippets="$(run-parts --list --regex '^[0-9]+_[a-z0-9-]+\.conf\.in$' "$masterdir/slapd.conf.d")"
    58. 

  58. spacecat $snippets | sed >>"$tempdir/slapd.conf" \
    59. 

  59.         -e "s/@BACKEND@/$backend/g" \
    60. 

  60.         -e "s/@SUFFIX@/$basedn/g" \
    61. 

  61.         -e "s/@ADMIN@/cn=admin,$basedn/g"
    62. 

  62. 

  63. # TODO: Better separate core from normal lif files than "below 100"...
    64. 

  64. file=99
    65. 

  65. for section in core base cipux horde; do
    66. 

  66.     sed <"$masterdir/db/$section.ldif.in" >"$tempdir/${file}_$section.ldif" \
    67. 

  67.         -e "s/@SUFFIX@/$basedn/g" \
    68. 

  68.         -e "s/@DOMAIN@/$dnsdomain/g" \
    69. 

  69.         -e "s/@ORG@/$orgname/g"
    70. 

  70.     file=$(($file + 1))
    71. 

  71. done
    72. 

  72. 

  73. # FIXME: create cipuxadm in addition to below roles!
    74. 

  74. 

  75. # FIXME: fix apply passwords for roles in a sane way!
    76. 

  76. uid=10100
    77. 

  77. gid=10100
    78. 

  78. file=200
    79. 

  79. for role in admin professor assistant pupil student tutor teacher lecturer; do
    80. 

  80.     uid="$(nextfreeid uid "$uid")"
    81. 

  81.     gid="$(nextfreeid gid "$gid")"
    82. 

  82.     snippets="$masterdir/db/cipux_rolegroup.ldif.in $masterdir/db/cipux_roleuser.ldif.in"
    83. 

  83.     spacecat $snippets | sed >"$tempdir/${file}_$role.ldif" \
    84. 

  84.         -e "s/@SUFFIX@/$basedn/g" \
    85. 

  85.         -e "s/@ROLE@/$role/g" \
    86. 

  86.         -e "s/@UID@/$uid/g" \
    87. 

  87.         -e "s/@GID@/$gid/g" \
    88. 

  88.         -e "s/@DOMAIN@/$dnsdomain/g" \
    89. 

  89.         -e "s/@ORG@/$orgname/g"
    90. 

  90.     uid=$(($uid + 1))
    91. 

  91.     gid=$(($gid + 1))
    92. 

  92.     file=$(($file + 1))
    93. 

  93. done
    94. 

  94. 

  95. file=300
    96. 

  96. for db in passwd group; do
    97. 

  97.     getent $db >"$tempdir/$db.dump"
    98. 

  98.     ( cd /usr/share/migrationtools && ./migrate_$db.pl "$tempdir/$db.dump" >"$tempdir/${file}_$db.ldif" )
    99. 

  99.     file=$(($file + 1))
    100. 

  100. done
    101. 

  101. 

  102. # FIXME: Set core password using slappasswd or similar (no cleartext password!)
    103. 

  103. #invoke-rc.d slapd stop
    104. 

  104. #slapadd -l "$tempdir/99_core.ldif"
    105. 

  105. #invoke-rc.d slapd start
    106. 

  106. #ldappasswd -x -h localhost -D "cn=admin,$basedn" -S -w supersecretpassword "cn=admin,$basedn"
    107. 

  107. for file in $(run-parts --list --regex '^1[0-9]{2}_[a-z0-9-]+\.ldif' "$tempdir"); do
    108. 

  108.     ldapadd -x -h localhost -D "cn=admin,$basedn" -f "$file" -W
    109. 

  109. done
    110. 

  110. for role in cipux horde; do
    111. 

  111.     echo "Securing $role..."
    112. 

  112.     ldappasswd -x -h localhost -D "cn=admin,$basedn" -S -W "cn=$role,ou=Entities,ou=Access Control,$basedn"
    113. 

  113. done
    114. 

  114. 

  115. # FIXME: Write addmember(), that create group as needed
    116. 

  116. #ldapmodify -x -h localhost -D "cn=admin,$basedn" -W <<EOF
    117. 

  117. #dn: cn=DSA,ou=Administrators,ou=Groups,ou=Access Control,$basedn
    118. 

  118. #changetype: modify
    119. 

  119. #add: uniqueMember
    120. 

  120. #uniqueMember: cn=cipux,ou=Entities,ou=Access Control,$basedn
    121. 

  121. #EOF
    122. 

  122. ldapadd -x -h localhost -D "cn=admin,$basedn" -W <<EOF
    123. 

  123. dn: cn=DSA,ou=Administrators,ou=Groups,ou=Access Control,$basedn
    124. 

  124. objectClass: groupOfUniqueNames
    125. 

  125. cn: DSA
    126. 

  126. description: Directory System Agent administrators
    127. 

  127. uniqueMember: cn=cipux,ou=Entities,ou=Access Control,$basedn
    128. 

  128. EOF
    129. 

  129. ldapadd -x -h localhost -D "cn=admin,$basedn" -W <<EOF
    130. 

  130. dn: cn=SAM,ou=Administrators,ou=Groups,ou=Access Control,$basedn
    131. 

  131. objectClass: groupOfUniqueNames
    132. 

  132. cn: SAM
    133. 

  133. description: Samba and NSS services administrators
    134. 

  134. uniqueMember: cn=horde,ou=Entities,ou=Access Control,$basedn
    135. 

  135. EOF
    136. 

  136. 

  137. # TODO: Add "uid=cifsdc,ou=Entities,ou=Access Control,@SUFFIX@" to group
    138. 

  138. #       "cn=SAM,ou=Administrators,ou=Access Control,@SUFFIX@" for samba
    139. 

  139. 

  140. for file in $(run-parts --list --regex '^2[0-9]{2}_[a-z0-9-]+\.ldif' "$tempdir"); do
    141. 

  141.     ldapadd -x -h localhost -D "cn=admin,$basedn" -f "$file" -W
    142. 

  142. done
    143. 

  143. 

  144. # FIXME: Check (and maybe correct) basedn from migrationtools-generated ldifs
    145. 

  145. #for file in $(run-parts --list --regex '^3[0-9]{2}_[a-z0-9-]+\.ldif' "$tempdir"); do
    146. 

  146. #   ldapadd -x -h localhost -D "cn=admin,$basedn" -f "$file" -W
    147. 

  147. #done
    148.
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-02 22:58:15 +0000