summaryrefslogtreecommitdiff
path: root/ldap/mkldapdb
blob: fbbdb0914fe46f29e4a3d4190a3fb5e0ed73ad5d (plain) 
    

  1. #!/bin/sh
    2. 

  2. #
    3. 

  3. # /etc/local-COMMON/ldap/mkldapdb
    4. 

  4. # Copyright 2008 Jonas Smedegaard <dr@jones.dk>
    5. 

  5. #
    6. 

  6. # Setup LDAP database from skeleton files
    7. 

  7. 

  8. set -e
    9. 

  9. 

  10. umask 066
    11. 

  11. 

  12. PRG=$(basename "$0")
    13. 

  13. 

  14. TEMP=$(getopt -s sh -o b:e:d:fh -l basedn:,enable:,disable:,force,help -n "$PRG" -- "$@")
    15. 

  15. if [ $? != 0 ] ; then echo "Terminating..." >&2 ; exit 1 ; fi
    16. 

  16. eval set -- "$TEMP"
    17. 

  17. 

  18. getbasedn() {
    19. 

  19.     grep '^BASE\b' /etc/ldap/ldap.conf | sed -e 's/^BASE[[:space:]]\+//' -e 's/,[[:space:]]\+/,/g'
    20. 

  20. }
    21. 

  21. getdnsdomain() {
    22. 

  22.     dnsdomainname
    23. 

  23. }
    24. 

  24. getorgname() {
    25. 

  25.     if [ -r /etc/local-ORG/orgname ]; then
    26. 

  26.         head -n 1 /etc/local-ORG/orgname
    27. 

  27.     fi
    28. 

  28. }
    29. 

  29. 

  30. # config defaults as of slapd 2.4.10-3
    31. 

  31. backend="hdb"
    32. 

  32. 

  33. # extension default states (enabled/disabled)
    34. 

  34. cipux=1
    35. 

  35. horde=
    36. 

  36. 

  37. # strings above, and either functions above or strings right below,
    38. 

  38. # can be overrided locally through this config file
    39. 

  39. if [ -f /etc/local/mkldapdb.cfg ]; then
    40. 

  40.     . /etc/local/mkldapdb.cfg
    41. 

  41. fi
    42. 

  42. 

  43. basedn="${basedn:-$(getbasedn)}"
    44. 

  44. dnsdomain="${dnsdomain:-$(getdnsdomain)}"
    45. 

  45. orgname="${orgname:-$(getorgname)}"
    46. 

  46. 

  47. showhelp() {
    48. 

  48.     cat <<EOF
    49. 

  49. Usage:   $PRG [opts...] [PHASE [PHASE...]]
    50. 

  50. Setup LDAP database from skeleton files
    51. 

  51. 

  52. Options:
    53. 

  53.   -b, --basedn     LDAP Base DN (Distinguished Name) to use
    54. 

  54.                    (default: ${basedn})
    55. 

  55.   -e, --enable     Include this optional extension
    56. 

  56.   -d, --disable    Exclude this optional extension
    57. 

  57.   -t, --tempdir    Skip prep phase and use content of provided dir
    58. 

  58.   -c, --config     Include config phase
    59. 

  59.   -i, --init       Include init phase
    60. 

  60.   -f, --force      Update without asking for confirmation
    61. 

  61.   -h, --help       Show this help text
    62. 

  62. 

  63. The following extensions are available:
    64. 

  64.     cipux     CipUX admin framework ${cipux:+(enabled by default)}
    65. 

  65.     horde     HORDE web-app framework ${horde:+(enabled by default)}
    66. 

  66. 

  67. The following phases are possible:
    68. 

  68.     prep      Assemble slapd.conf and LDIF files with DIT parts
    69. 

  69.     config    Add/update LDAP server configuration file
    70. 

  70.     init      Purge any existing ldap data and initialize new core DIT
    71. 

  71.     main      Add general DIT for use with POSIX accounts
    72. 

  72.     mainpw    Apply/Change main admin password
    73. 

  73.     opt       Add optional DIT extensions
    74. 

  74.     optpw     Apply/Change passwords for accounts of optional extensions
    75. 

  75. 

  76. When no phases are supplied, all but config and init are applied
    77. 

  77. 

  78. Examples:
    79. 

  79.     $PRG
    80. 

  80.     $PRG --basedn dc=example,dc=org --enable horde prep
    81. 

  81. EOF
    82. 

  82. }
    83. 

  83. 

  84. exit1() {
    85. 

  85.     echo >&2 "Error: $1"
    86. 

  86.     echo >&2 "Exiting..."
    87. 

  87.     exit 1
    88. 

  88. }
    89. 

  89. 

  90. while true ; do
    91. 

  91.     case "$1" in
    92. 

  92.         -b|--basedn) basedn="$2"; shift 2;;
    93. 

  93.         -e|--enable-extension)
    94. 

  94.             case "$2" in
    95. 

  95.                 cipux|horde) eval "$2=1";;
    96. 

  96.                 *) exit1 "Unknown extension \"$2\""
    97. 

  97.             esac
    98. 

  98.             shift 2
    99. 

  99.             ;;
    100. 

  100.         -d|--disable-extension)
    101. 

  101.             case "$2" in
    102. 

  102.                 cipux|horde) eval "$2=";;
    103. 

  103.                 *) exit1 "Unknown extension \"$2\""
    104. 

  104.             esac
    105. 

  105.             shift 2
    106. 

  106.             ;;
    107. 

  107.         -f|--force) force="1"; shift;;
    108. 

  108.         -h|--help) showhelp; exit 0;;
    109. 

  109.         --) shift; break;;
    110. 

  110.         *) exit1 "Internal error!";;
    111. 

  111.     esac
    112. 

  112. done
    113. 

  113. 

  114. # Ensure all required values are properly resolved
    115. 

  115. for var in basedn dnsdomain orgname backend; do
    116. 

  116.     if [ -z "`eval echo '$'$var`" ]; then
    117. 

  117.         exit1 "Required variable '$var' missing. Exiting...!"
    118. 

  118.     fi
    119. 

  119. done
    120. 

  120. 

  121. # concatenate files with an additional newline in between
    122. 

  122. spacecat() {
    123. 

  123.     perl -e 'foreach (@ARGV) {print "\n" if $n; $n++; open (FH, $_); print while(<FH>); close FH;}' "$@"
    124. 

  124. }
    125. 

  125. 

  126. #TODO: Somehow lookup id directly instead, as getent might be slow with
    127. 

  127. #      thousands of entries, and some NSS mechanisms drop at some limit
    128. 

  128. #      i.e. openldap by default return only first 500 entries
    129. 

  129. nextfreeid() {
    130. 

  130.     type="$1"
    131. 

  131.     id="$2"
    132. 

  132.     max="$3"
    133. 

  133.     case $type in
    134. 

  134.         uid) column="3";;
    135. 

  135.         gid) column="4";;
    136. 

  136.     esac
    137. 

  137.     while getent passwd | awk -F: "{ print \$$column }" | grep -Fqx "$id"; do
    138. 

  138.         id=$(($id + 1))
    139. 

  139.         [ -z "$max" ] || [ "$id" -lt "$max" ] || return 1
    140. 

  140.     done
    141. 

  141.     echo "$id"
    142. 

  142. }
    143. 

  143. 

  144. masterdir=/etc/local-COMMON/ldap
    145. 

  145. tempdir=`mktemp -dt slapd.XXXXXX`
    146. 

  146. 

  147. snippets="$(run-parts --list --regex '^[0-9]+_[a-z0-9-]+\.conf\.in$' "$masterdir/slapd.conf.d")"
    148. 

  148. spacecat $snippets | sed >>"$tempdir/slapd.conf" \
    149. 

  149.         -e "s/@BACKEND@/$backend/g" \
    150. 

  150.         -e "s/@SUFFIX@/$basedn/g" \
    151. 

  151.         -e "s/@ADMIN@/cn=admin,$basedn/g"
    152. 

  152. 

  153. # TODO: Better separate core from normal ldif files than "below 100"...
    154. 

  154. file=99
    155. 

  155. for section in core base cipux horde; do
    156. 

  156.     sed <"$masterdir/db/$section.ldif.in" >"$tempdir/${file}_$section.ldif" \
    157. 

  157.         -e "s/@SUFFIX@/$basedn/g" \
    158. 

  158.         -e "s/@DOMAIN@/$dnsdomain/g" \
    159. 

  159.         -e "s/@ORG@/$orgname/g"
    160. 

  160.     file=$(($file + 1))
    161. 

  161. done
    162. 

  162. 

  163. # FIXME: create cipuxadm in addition to below roles!
    164. 

  164. 

  165. # FIXME: fix apply passwords for roles in a sane way!
    166. 

  166. uid=10100
    167. 

  167. gid=10100
    168. 

  168. file=200
    169. 

  169. for role in admin professor assistant pupil student tutor teacher lecturer; do
    170. 

  170.     uid="$(nextfreeid uid "$uid")"
    171. 

  171.     gid="$(nextfreeid gid "$gid")"
    172. 

  172.     snippets="$masterdir/db/cipux_rolegroup.ldif.in $masterdir/db/cipux_roleuser.ldif.in"
    173. 

  173.     spacecat $snippets | sed >"$tempdir/${file}_$role.ldif" \
    174. 

  174.         -e "s/@SUFFIX@/$basedn/g" \
    175. 

  175.         -e "s/@ROLE@/$role/g" \
    176. 

  176.         -e "s/@UID@/$uid/g" \
    177. 

  177.         -e "s/@GID@/$gid/g" \
    178. 

  178.         -e "s/@DOMAIN@/$dnsdomain/g" \
    179. 

  179.         -e "s/@ORG@/$orgname/g"
    180. 

  180.     uid=$(($uid + 1))
    181. 

  181.     gid=$(($gid + 1))
    182. 

  182.     file=$(($file + 1))
    183. 

  183. done
    184. 

  184. 

  185. file=300
    186. 

  186. for db in passwd group; do
    187. 

  187.     getent $db >"$tempdir/$db.dump"
    188. 

  188.     ( cd /usr/share/migrationtools && ./migrate_$db.pl "$tempdir/$db.dump" >"$tempdir/${file}_$db.ldif" )
    189. 

  189.     file=$(($file + 1))
    190. 

  190. done
    191. 

  191. 

  192. # FIXME: Set core password using slappasswd or similar (no cleartext password!)
    193. 

  193. #invoke-rc.d slapd stop
    194. 

  194. #slapadd -l "$tempdir/99_core.ldif"
    195. 

  195. #invoke-rc.d slapd start
    196. 

  196. #ldappasswd -x -h localhost -D "cn=admin,$basedn" -S -w supersecretpassword "cn=admin,$basedn"
    197. 

  197. for file in $(run-parts --list --regex '^1[0-9]{2}_[a-z0-9-]+\.ldif' "$tempdir"); do
    198. 

  198.     ldapadd -x -h localhost -D "cn=admin,$basedn" -f "$file" -W
    199. 

  199. done
    200. 

  200. for role in cipux horde; do
    201. 

  201.     echo "Securing $role..."
    202. 

  202.     ldappasswd -x -h localhost -D "cn=admin,$basedn" -S -W "cn=$role,ou=Entities,ou=Access Control,$basedn"
    203. 

  203. done
    204. 

  204. 

  205. # FIXME: Write addmember(), that create group as needed
    206. 

  206. #ldapmodify -x -h localhost -D "cn=admin,$basedn" -W <<EOF
    207. 

  207. #dn: cn=DSA,ou=Administrators,ou=Groups,ou=Access Control,$basedn
    208. 

  208. #changetype: modify
    209. 

  209. #add: uniqueMember
    210. 

  210. #uniqueMember: cn=cipux,ou=Entities,ou=Access Control,$basedn
    211. 

  211. #EOF
    212. 

  212. ldapadd -x -h localhost -D "cn=admin,$basedn" -W <<EOF
    213. 

  213. dn: cn=DSA,ou=Administrators,ou=Groups,ou=Access Control,$basedn
    214. 

  214. objectClass: groupOfUniqueNames
    215. 

  215. cn: DSA
    216. 

  216. description: Directory System Agent administrators
    217. 

  217. uniqueMember: cn=cipux,ou=Entities,ou=Access Control,$basedn
    218. 

  218. EOF
    219. 

  219. ldapadd -x -h localhost -D "cn=admin,$basedn" -W <<EOF
    220. 

  220. dn: cn=SAM,ou=Administrators,ou=Groups,ou=Access Control,$basedn
    221. 

  221. objectClass: groupOfUniqueNames
    222. 

  222. cn: SAM
    223. 

  223. description: Samba and NSS services administrators
    224. 

  224. uniqueMember: cn=horde,ou=Entities,ou=Access Control,$basedn
    225. 

  225. EOF
    226. 

  226. 

  227. # TODO: Add "uid=cifsdc,ou=Entities,ou=Access Control,@SUFFIX@" to group
    228. 

  228. #       "cn=SAM,ou=Administrators,ou=Access Control,@SUFFIX@" for samba
    229. 

  229. 

  230. for file in $(run-parts --list --regex '^2[0-9]{2}_[a-z0-9-]+\.ldif' "$tempdir"); do
    231. 

  231.     ldapadd -x -h localhost -D "cn=admin,$basedn" -f "$file" -W
    232. 

  232. done
    233. 

  233. 

  234. # FIXME: Check (and maybe correct) basedn from migrationtools-generated ldifs
    235. 

  235. #for file in $(run-parts --list --regex '^3[0-9]{2}_[a-z0-9-]+\.ldif' "$tempdir"); do
    236. 

  236. #   ldapadd -x -h localhost -D "cn=admin,$basedn" -f "$file" -W
    237. 

  237. #done
    238.
generated by cgit v1.2.3 (git 2.46.0) at 2025-01-12 21:55:34 +0000