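#!/bin/sh
# Bootstrap a local slapd directory: render slapd.conf and the base/role LDIF
# files from the templates below /etc/local-COMMON/ldap, dump the local
# passwd/group databases through migrationtools, load the 1xx LDIF files with
# ldapadd and set passwords for the service accounts.
#
# Values resolved from other system config:
#   /etc/ldap/ldap.conf     BASE line         -> @SUFFIX@ and the admin DN
#   dnsdomainname           output            -> @DOMAIN@
#   /etc/local-ORG/orgname  first line        -> @ORG@
#
# Everything generated goes into a fresh mktemp directory (see $tempdir).
set -e
# Generated files hold passwd/group dumps and LDIFs: make them owner-only.
umask 066

#######################################
# Escape a value for use as the replacement text of a sed s/// command,
# so that '\', '/' and '&' in config-derived values (e.g. an organisation
# name containing '&') cannot corrupt the rendered templates.
# Arguments: $1 - raw value
# Outputs:   escaped value on stdout (no trailing newline)
#######################################
sedquote() {
  # backslashes first, then the two characters that are special in a
  # replacement; ',' is the delimiter of the second expression so that the
  # '/' inside the bracket is not taken as the end of the pattern
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's,[&/],\\&,g'
}

#######################################
# Concatenate files with an additional newline in between.
# Arguments: paths of the files to concatenate, in order
# Outputs:   the concatenation on stdout
# Returns:   non-zero if a file cannot be read
#######################################
spacecat() {
  local first
  local f
  first=1
  for f in "$@"; do
    # an empty line before every file but the first
    [ "$first" = 1 ] || printf '\n'
    first=0
    # '--' keeps a name starting with '-' from being parsed as an option
    cat -- "$f"
  done
}

#######################################
# Find the lowest id >= $2 that is not allocated yet, as seen through NSS.
# Arguments: $1 - "uid" or "gid"
#            $2 - first id to try
#            $3 - optional exclusive upper bound
# Outputs:   the free id on stdout
# Returns:   1 if $1 is unknown or no free id exists below $3
#######################################
# TODO: Somehow lookup id directly instead, as getent might be slow with
# thousands of entries, and some NSS mechanisms drop at some limit
# i.e. openldap by default return only first 500 entries
nextfreeid() {
  local idtype
  local id
  local max
  local ids
  idtype=$1
  id=$2
  max=$3
  # enumerate the ids in use once, instead of once per probed id
  case $idtype in
    uid)
      ids=$(getent passwd | awk -F: '{ print $3 }')
      ;;
    gid)
      # a gid is in use if it exists in the group database or is somebody's
      # primary group; looking at passwd alone would miss groups that no
      # user has as primary group
      ids=$({ getent group | awk -F: '{ print $3 }'; getent passwd | awk -F: '{ print $4 }'; })
      ;;
    *)
      echo 1>&2 "ERROR: nextfreeid: unknown id type '$idtype'"
      return 1
      ;;
  esac
  while printf '%s\n' "$ids" | grep -Fqx -- "$id"; do
    id=$((id + 1))
    [ -z "$max" ] || [ "$id" -lt "$max" ] || return 1
  done
  echo "$id"
}

# Resolve some defaults from other system config
basedn=$(grep '^BASE\b' /etc/ldap/ldap.conf | sed -e 's/^BASE[[:space:]]\+//' -e 's/,[[:space:]]\+/,/g')
dnsdomain=$(dnsdomainname)
orgname=""
if [ -r /etc/local-ORG/orgname ]; then
  orgname=$(head -n 1 /etc/local-ORG/orgname)
fi

# config defaults as of slapd 2.4.10-3
backend="hdb"

# Ensure all required values are properly resolved
for var in basedn dnsdomain orgname backend; do
  # $var only ever holds one of the fixed names listed above
  eval "value=\${$var}"
  if [ -z "$value" ]; then
    echo 1>&2 "ERROR: Required variable '$var' missing. Exiting...!"
    exit 1
  fi
done

# sed-escaped copies for the s/// replacements below; the raw values are
# still used wherever a DN is passed as a command argument
basedn_q=$(sedquote "$basedn")
dnsdomain_q=$(sedquote "$dnsdomain")
orgname_q=$(sedquote "$orgname")
backend_q=$(sedquote "$backend")

masterdir=/etc/local-COMMON/ldap
# NOTE(review): $tempdir is not removed on exit. It holds the passwd/group
# dumps and all generated LDIFs; mktemp -d creates it mode 0700 and the
# umask above keeps the files 0600.
tempdir=$(mktemp -dt slapd.XXXXXX)

# run-parts prints one path per line and the regex admits no whitespace in
# the names, so word-splitting the list is safe here
snippets=$(run-parts --list --regex '^[0-9]+_[a-z0-9-]+\.conf\.in$' "$masterdir/slapd.conf.d")
# shellcheck disable=SC2086
spacecat $snippets | sed >>"$tempdir/slapd.conf" \
  -e "s/@BACKEND@/$backend_q/g" \
  -e "s/@SUFFIX@/$basedn_q/g" \
  -e "s/@ADMIN@/cn=admin,$basedn_q/g"

# TODO: Better separate core from normal ldif files than "below 100"...
file=99
for section in core base cipux horde; do
  sed <"$masterdir/db/$section.ldif.in" >"$tempdir/${file}_$section.ldif" \
    -e "s/@SUFFIX@/$basedn_q/g" \
    -e "s/@DOMAIN@/$dnsdomain_q/g" \
    -e "s/@ORG@/$orgname_q/g"
  file=$((file + 1))
done

# FIXME: create cipuxadm in addition to below roles!
# FIXME: fix apply passwords for roles in a sane way!
uid=10100
gid=10100
file=200
for role in admin professor assistant pupil student tutor teacher lecturer; do
  uid=$(nextfreeid uid "$uid")
  gid=$(nextfreeid gid "$gid")
  spacecat "$masterdir/db/cipux_rolegroup.ldif.in" "$masterdir/db/cipux_roleuser.ldif.in" \
    | sed >"$tempdir/${file}_$role.ldif" \
      -e "s/@SUFFIX@/$basedn_q/g" \
      -e "s/@ROLE@/$role/g" \
      -e "s/@UID@/$uid/g" \
      -e "s/@GID@/$gid/g" \
      -e "s/@DOMAIN@/$dnsdomain_q/g" \
      -e "s/@ORG@/$orgname_q/g"
  uid=$((uid + 1))
  gid=$((gid + 1))
  file=$((file + 1))
done

file=300
for db in passwd group; do
  getent "$db" >"$tempdir/$db.dump"
  # the migration scripts expect to be run from their own directory
  ( cd /usr/share/migrationtools && "./migrate_$db.pl" "$tempdir/$db.dump" >"$tempdir/${file}_$db.ldif" )
  file=$((file + 1))
done

# FIXME: Set core password using slappasswd or similar (no cleartext password!)
#invoke-rc.d slapd stop
#slapadd -l "$tempdir/99_core.ldif"
#invoke-rc.d slapd start
#ldappasswd -x -h localhost -D "cn=admin,$basedn" -S -w supersecretpassword "cn=admin,$basedn"

# Only the 1xx files are loaded here: 99_core is meant for slapadd (see the
# block above) and the 2xx/3xx files are generated but not loaded by this
# script. -W prompts for the admin password instead of taking it on the
# command line, where it would be visible in the process list.
for ldif in $(run-parts --list --regex '^1[0-9]{2}_[a-z0-9-]+\.ldif$' "$tempdir"); do
  ldapadd -x -h localhost -D "cn=admin,$basedn" -f "$ldif" -W
done

for role in cipux horde; do
  echo "Securing $role..."
  # -S prompts for the new password of the service account, -W for the
  # admin bind password
  ldappasswd -x -h localhost -D "cn=admin,$basedn" -S -W "cn=$role,ou=Entities,ou=Access Control,$basedn"
done

# FIXME: Write addmember(), that create group as needed
#ldapmodify -x -h localhost -D "cn=admin,$basedn" -W <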