Diffstat (limited to 'ldap/mkldapdb')
-rwxr-xr-xldap/mkldapdb72
1 files changed, 55 insertions, 17 deletions
diff --git a/ldap/mkldapdb b/ldap/mkldapdb
index 374e4cd..4e297c3 100755
--- a/ldap/mkldapdb
+++ b/ldap/mkldapdb
@@ -5,39 +5,41 @@ set -e
umask 066
# Resolve some defaults from other system config
-basedn="`grep '^BASE\b' /etc/ldap/ldap.conf | sed -e 's/^BASE[[:space:]]\+//'`"
+basedn="`grep '^BASE\b' /etc/ldap/ldap.conf | sed -e 's/^BASE[[:space:]]\+//' -e 's/,[[:space:]]\+/,/g'`"
dnsdomain="`dnsdomainname`"
orgname=""
-# Grab some defaults from /var/lib/dpkg/info/slapd.postinst
-checkpoint="checkpoint 512 30"
-backend="bdb"
-backendoptions="# For the Debian package we use 2MB as default but be sure to update this\n# value if you have plenty of RAM\ndbconfig set_cachesize 0 2097152 0\n\n# Sven Hartge reported that he had to set this value incredibly high\n# to get slapd running at all. See http:\/\/bugs.debian.org\/303057\n# for more information.\n\n# Number of objects that can be locked at the same time.\ndbconfig set_lk_max_objects 1500\n# Number of locks (both requested and granted)\ndbconfig set_lk_max_locks 1500\n# Number of lockers\ndbconfig set_lk_max_lockers 1500"
-
-if [ -r /etc/local/org.conf ]; then
- . /etc/local/org.conf
+if [ -r /etc/local-ORG/orgname ]; then
+ orgname="$(head -n 1 /etc/local-ORG/orgname)"
fi
+# config defaults as of slapd 2.4.10-3
+backend="hdb"
+
+# Ensure all required values are properly resolved
for var in basedn dnsdomain orgname backend; do
if [ -z "`eval echo '$'$var`" ]; then
- echo 2> "ERROR: Required variable '$var' missing. Exiting...!"
+ echo 1>&2 "ERROR: Required variable '$var' missing. Exiting...!"
exit 1
fi
done
masterdir=/etc/local-COMMON/ldap/db
tempdir=`mktemp -dt slapd.XXXXXX`
-cfgdir=/etc/ldap
-dbdir=/var/lib/ldap
-for section in base; do
+snippets="$(LANG=C find "$masterdir" -type f -name '*.conf.in' | sort)"
+# concatenate files with an additional newline in between
+# (perl could replace sed too, but multiline perl inside shell is ugly)
+perl -e 'foreach (@ARGV) {print "\n" if $n; $n++; open (FH, $_); print while(<FH>); close FH;}' $snippets \
+ | sed >>"$tempdir/slapd.conf" \
+ -e "s/@BACKEND@/$backend/g" \
+ -e "s/@SUFFIX@/$basedn/g" \
+ -e "s/@ADMIN@/cn=admin,$basedn/g"
+
+for section in core base cipux horde; do
sed <"$masterdir/$section.ldif.in" >"$tempdir/$section.ldif" \
-e "s/@SUFFIX@/$basedn/g" \
-e "s/@DOMAIN@/$dnsdomain/g" \
- -e "s/@ORG@/$orgname/g" \
- -e "s/@ADMIN@/cn=admin,$basedn/g" \
- -e "s/@CHECKPOINT@/$checkpoint/g" \
- -e "s/@BACKEND@/$backend/g" \
- -e "s/@BACKENDOPTIONS@/$backendoptions/g"
+ -e "s/@ORG@/$orgname/g"
done
for db in passwd group; do
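Review bot: The new sed expressions at L52–L54 (and the surviving `@ORG@` one at L65) splice `$basedn` and `$orgname` into the replacement side unescaped, so a suffix or organisation name containing `/`, `&` or `\` — an orgname like `Smith & Sons` is realistic — silently corrupts the generated slapd.conf and LDIF rather than failing. Escaping the values once before use fixes every site: `sed_escape() { printf '%s\n' "$1" | sed -e 's/[\/&\\]/\\&/g'; }` then `basedn_esc=$(sed_escape "$basedn")` and use `$basedn_esc` in the `-e` arguments. The perl one-liner at L50 also uses the two-argument `open (FH, $_)` without checking its result, so an unreadable snippet is quietly skipped while the config is still written; `open(my $fh, '<', $_) or die "$_: $!"` would stop the run under `set -e` instead. The `$snippets` expansion on the same line is unquoted, which is fine only as long as no `*.conf.in` path under the root-owned master directory contains whitespace.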
@@ -45,3 +47,39 @@ for db in passwd group; do
( cd /usr/share/migrationtools && ./migrate_passwd.pl "$tempdir/$db.dump" >"$tempdir/$db.ldif" )
done
+#invoke-rc.d slapd stop
+#slapadd -l "$tempdir/core.ldif"
+#invoke-rc.d slapd start
+#ldappasswd -x -h localhost -D "cn=admin,$basedn" -S -w supersecretpassword "cn=admin,$basedn"
+for section in base cipux horde; do
+ ldapadd -x -h localhost -D "cn=admin,$basedn" -f "$tempdir/$section.ldif" -W
+done
+for role in cipux horde; do
+ echo "Securing $role..."
+ ldappasswd -x -h localhost -D "cn=admin,$basedn" -S -W "cn=$role,ou=Entities,ou=Access Control,$basedn"
+done
+
+# FIXME: Write addmember(), that create group as needed
+#ldapmodify -x -h localhost -D "cn=admin,$basedn" -W <<EOF
+#dn: cn=DSA,ou=Administrators,ou=Groups,ou=Access Control,$basedn
+#changetype: modify
+#add: uniqueMember
+#uniqueMember: cn=cipux,ou=Entities,ou=Access Control,$basedn
+#EOF
+ldapadd -x -h localhost -D "cn=admin,$basedn" -W <<EOF
+dn: cn=DSA,ou=Administrators,ou=Groups,ou=Access Control,$basedn
+objectClass: groupOfUniqueNames
+cn: DSA
+description: Directory System Agent administrators
+uniqueMember: cn=cipux,ou=Entities,ou=Access Control,$basedn
+EOF
+ldapadd -x -h localhost -D "cn=admin,$basedn" -W <<EOF
+dn: cn=SAM,ou=Administrators,ou=Groups,ou=Access Control,$basedn
+objectClass: groupOfUniqueNames
+cn: SAM
+description: Samba and NSS services administrators
+uniqueMember: cn=horde,ou=Entities,ou=Access Control,$basedn
+EOF
+
+# TODO: Add "uid=cifsdc,ou=Entities,ou=Access Control,@SUFFIX@" to group
+# "cn=SAM,ou=Administrators,ou=Access Control,@SUFFIX@" for samba
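Review bot: Every one of the seven ldapadd/ldappasswd calls from L76 onward binds with `-W`, so the operator retypes the admin password seven times, and under `set -e` the first failure (e.g. the `cn=DSA` or `cn=SAM` group already existing on a re-run) aborts the script halfway through the sequence with `$tempdir` — which now holds the `passwd`/`group` dumps and LDIFs generated above this hunk — left behind. Reading the bind password once into a mode-600 file inside `$tempdir` and passing `-y "$tempdir/adminpw"` to each tool keeps it off the command line and off the terminal repeats, and `trap 'rm -rf -- "${tempdir:?}"' EXIT` next to the `mktemp` call (outside this hunk) removes the dumps on every exit path. The commented-out line at L74 shows the `-w supersecretpassword` form, which exposes the password to `ps`; it is worth rewriting that comment to the `-y` form so it is not copied back in as-is.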