summaryrefslogtreecommitdiff
path: root/ldap/mkldapdb
blob: 77cb6d5b1ec0dbe5950f7de376b808e6bdbfe2dc (plain) 
    

  1. #!/bin/sh
    2. 

  2. 

  3. set -e
    4. 

  4. 

  5. umask 066
    6. 

  6. 

  7. # Resolve some defaults from other system config
    8. 

  8. basedn="`grep '^BASE\b' /etc/ldap/ldap.conf | sed -e 's/^BASE[[:space:]]\+//' -e 's/,[[:space:]]\+/,/g'`"
    9. 

  9. dnsdomain="`dnsdomainname`"
    10. 

  10. orgname=""
    11. 

  11. if [ -r /etc/local-ORG/orgname ]; then
    12. 

  12.     orgname="$(head -n 1 /etc/local-ORG/orgname)"
    13. 

  13. fi
    14. 

  14. 

  15. # config defaults as of slapd 2.4.10-3
    16. 

  16. backend="hdb"
    17. 

  17. 

  18. # Ensure all required values are properly resolved
    19. 

  19. for var in basedn dnsdomain orgname backend; do
    20. 

  20.     if [ -z "`eval echo '$'$var`" ]; then
    21. 

  21.         echo 1>&2 "ERROR: Required variable '$var' missing. Exiting...!"
    22. 

  22.         exit 1
    23. 

  23.     fi
    24. 

  24. done
    25. 

  25. 

  26. # concatenate files with an additional newline in between
    27. 

  27. spacecat() {
    28. 

  28.     perl -e 'foreach (@ARGV) {print "\n" if $n; $n++; open (FH, $_); print while(<FH>); close FH;}' "$@"
    29. 

  29. }
    30. 

  30. 

  31. #TODO: Somehow lookup id directly instead, as getent might be slow with
    32. 

  32. #      thousands of entries, and some NSS mechanisms drop at some limit
    33. 

  33. #      i.e. openldap by default return only first 500 entries
    34. 

  34. nextfreeid() {
    35. 

  35.     type="$1"
    36. 

  36.     id="$2"
    37. 

  37.     max="$3"
    38. 

  38.     case $type in
    39. 

  39.         uid) column="3";;
    40. 

  40.         gid) column="4";;
    41. 

  41.     esac
    42. 

  42.     while getent passwd | awk -F: "{ print \$$column }" | grep -Fqx "$id"; do
    43. 

  43.         id=$(($id + 1))
    44. 

  44.         [ -z "$max" ] || [ "$id" -lt "$max" ] || return 1
    45. 

  45.     done
    46. 

  46.     echo "$id"
    47. 

  47. }
    48. 

  48. 

  49. masterdir=/etc/local-COMMON/ldap
    50. 

  50. tempdir=`mktemp -dt slapd.XXXXXX`
    51. 

  51. 

  52. snippets="$(run-parts --list --regex '^[0-9]+_[a-z0-9-]+\.conf\.in$' "$masterdir/slapd.conf.d")"
    53. 

  53. spacecat $snippets | sed >>"$tempdir/slapd.conf" \
    54. 

  54.         -e "s/@BACKEND@/$backend/g" \
    55. 

  55.         -e "s/@SUFFIX@/$basedn/g" \
    56. 

  56.         -e "s/@ADMIN@/cn=admin,$basedn/g"
    57. 

  57. 

  58. # TODO: Better separate core from normal lif files than "below 100"...
    59. 

  59. file=99
    60. 

  60. for section in core base cipux horde; do
    61. 

  61.     sed <"$masterdir/db/$section.ldif.in" >"$tempdir/${file}_$section.ldif" \
    62. 

  62.         -e "s/@SUFFIX@/$basedn/g" \
    63. 

  63.         -e "s/@DOMAIN@/$dnsdomain/g" \
    64. 

  64.         -e "s/@ORG@/$orgname/g"
    65. 

  65.     file=$(($file + 1))
    66. 

  66. done
    67. 

  67. 

  68. # FIXME: create cipuxadm in addition to below roles!
    69. 

  69. 

  70. # FIXME: fix apply passwords for roles in a sane way!
    71. 

  71. uid=10100
    72. 

  72. gid=10100
    73. 

  73. file=200
    74. 

  74. for role in admin professor assistant pupil student tutor teacher lecturer; do
    75. 

  75.     uid="$(nextfreeid uid "$uid")"
    76. 

  76.     gid="$(nextfreeid gid "$gid")"
    77. 

  77.     snippets="$masterdir/db/cipux_rolegroup.ldif.in $masterdir/db/cipux_roleuser.ldif.in"
    78. 

  78.     spacecat $snippets | sed >"$tempdir/${file}_$role.ldif" \
    79. 

  79.         -e "s/@SUFFIX@/$basedn/g" \
    80. 

  80.         -e "s/@ROLE@/$role/g" \
    81. 

  81.         -e "s/@UID@/$uid/g" \
    82. 

  82.         -e "s/@GID@/$gid/g" \
    83. 

  83.         -e "s/@DOMAIN@/$dnsdomain/g" \
    84. 

  84.         -e "s/@ORG@/$orgname/g"
    85. 

  85.     uid=$(($uid + 1))
    86. 

  86.     gid=$(($gid + 1))
    87. 

  87.     file=$(($file + 1))
    88. 

  88. done
    89. 

  89. 

  90. file=300
    91. 

  91. for db in passwd group; do
    92. 

  92.     getent $db >"$tempdir/$db.dump"
    93. 

  93.     ( cd /usr/share/migrationtools && ./migrate_$db.pl "$tempdir/$db.dump" >"$tempdir/${file}_$db.ldif" )
    94. 

  94.     file=$(($file + 1))
    95. 

  95. done
    96. 

  96. 

  97. # FIXME: Set core password using slappasswd or similar (no cleartext password!)
    98. 

  98. #invoke-rc.d slapd stop
    99. 

  99. #slapadd -l "$tempdir/99_core.ldif"
    100. 

  100. #invoke-rc.d slapd start
    101. 

  101. #ldappasswd -x -h localhost -D "cn=admin,$basedn" -S -w supersecretpassword "cn=admin,$basedn"
    102. 

  102. for file in $(run-parts --list --regex '^1[0-9]{2}_[a-z0-9-]+\.ldif' "$tempdir"); do
    103. 

  103.     ldapadd -x -h localhost -D "cn=admin,$basedn" -f "$file" -W
    104. 

  104. done
    105. 

  105. for role in cipux horde; do
    106. 

  106.     echo "Securing $role..."
    107. 

  107.     ldappasswd -x -h localhost -D "cn=admin,$basedn" -S -W "cn=$role,ou=Entities,ou=Access Control,$basedn"
    108. 

  108. done
    109. 

  109. 

  110. # FIXME: Write addmember(), that create group as needed
    111. 

  111. #ldapmodify -x -h localhost -D "cn=admin,$basedn" -W <<EOF
    112. 

  112. #dn: cn=DSA,ou=Administrators,ou=Groups,ou=Access Control,$basedn
    113. 

  113. #changetype: modify
    114. 

  114. #add: uniqueMember
    115. 

  115. #uniqueMember: cn=cipux,ou=Entities,ou=Access Control,$basedn
    116. 

  116. #EOF
    117. 

  117. ldapadd -x -h localhost -D "cn=admin,$basedn" -W <<EOF
    118. 

  118. dn: cn=DSA,ou=Administrators,ou=Groups,ou=Access Control,$basedn
    119. 

  119. objectClass: groupOfUniqueNames
    120. 

  120. cn: DSA
    121. 

  121. description: Directory System Agent administrators
    122. 

  122. uniqueMember: cn=cipux,ou=Entities,ou=Access Control,$basedn
    123. 

  123. EOF
    124. 

  124. ldapadd -x -h localhost -D "cn=admin,$basedn" -W <<EOF
    125. 

  125. dn: cn=SAM,ou=Administrators,ou=Groups,ou=Access Control,$basedn
    126. 

  126. objectClass: groupOfUniqueNames
    127. 

  127. cn: SAM
    128. 

  128. description: Samba and NSS services administrators
    129. 

  129. uniqueMember: cn=horde,ou=Entities,ou=Access Control,$basedn
    130. 

  130. EOF
    131. 

  131. 

  132. # TODO: Add "uid=cifsdc,ou=Entities,ou=Access Control,@SUFFIX@" to group
    133. 

  133. #       "cn=SAM,ou=Administrators,ou=Access Control,@SUFFIX@" for samba
    134. 

  134. 

  135. for file in $(run-parts --list --regex '^2[0-9]{2}_[a-z0-9-]+\.ldif' "$tempdir"); do
    136. 

  136.     ldapadd -x -h localhost -D "cn=admin,$basedn" -f "$file" -W
    137. 

  137. done
    138. 

  138. 

  139. # FIXME: Check (and maybe correct) basedn from migrationtools-generated ldifs
    140. 

  140. #for file in $(run-parts --list --regex '^3[0-9]{2}_[a-z0-9-]+\.ldif' "$tempdir"); do
    141. 

  141. #   ldapadd -x -h localhost -D "cn=admin,$basedn" -f "$file" -W
    142. 

  142. #done
    143.
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-02 23:22:08 +0000