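#!/bin/bash
#
## $Id: mkSlapdConf.sh 7943 2013-11-17 00:05:18Z keyser $ ##
#
##### Sets up LDAP replication with syncrepl #####
#
# Rewrites the slapd, nss, pam and samba LDAP settings from the values the
# sourced includes provide (ldap_server, replica_ip, replica_status,
# adminRdn, adminPw, ldap_base_dn, se3ip — presumably loaded from the SE3
# SQL base, see config.inc.sh) and regenerates the self-signed slapd
# certificate.
#
# Usage: mkSlapdConf.sh [-h|--help] [-r] [installinit] [index]
#   -r           put the directory back into standalone (local) mode
#   installinit  do not stop/start slapd and samba around the rewrite
#   index        run slapindex once the configuration is written
#
# Files written: /etc/ldap/slapd.conf, /etc/ldap/slapd.pem,
#   /etc/ldap/config.se3, /etc/ldap/syncrepl.conf (replication only),
#   /etc/default/slapd, /etc/libnss-ldap.conf, /etc/pam_ldap.conf,
#   /etc/ldap/ldap.conf, /etc/ldap.secret (when the password changed)
# Lock: /var/lock/syncrepl.lock — the script refuses to run while it exists.
# Backups: /var/se3/save/ldap/ (slapcat dump and DB_CONFIG)

if [[ "$1" == "--help" || "$1" == "-h" ]]; then
  echo "Met en place la replication LDAP (syncrepl)a partir des donnees de la base sql"
  echo "Usage : -r replace l'annuaire en annuaire local sans replication"
  echo "-h Cette aide"
  exit
fi
. /usr/share/se3/includes/config.inc.sh -lm
. /usr/share/se3/includes/functions.inc.sh

lock_file=/var/lock/syncrepl.lock
save_dir=/var/se3/save/ldap

#######################################
# Appends the syncrepl.conf include to slapd.conf.
# Used for both the provider and the consumer side.
# Outputs: appends two lines to /etc/ldap/slapd.conf
#######################################
add_syncrepl_include() {
  cat >> /etc/ldap/slapd.conf <<'EOF'
# Replication Slave Syncrepl
include /etc/ldap/syncrepl.conf
EOF
}

#######################################
# Releases the lock and the openssl temp files on any exit path.
# Globals: lock_file, PEM1, PEM2 (read)
#######################################
cleanup() {
  rm -f -- "$lock_file" ${PEM1:+"$PEM1"} ${PEM2:+"$PEM2"}
}

mkdir -p "$save_dir/"

if [[ -e "$lock_file" ]]; then
  echo "lock trouve"
  logger -t "SLAPD" "Lock syncrepl.lock existant"
  exit 1
fi

# Back to a local (standalone) directory: reset the replication values in
# the SQL base.
# NOTE(review): the shell variables already loaded by config.inc.sh are not
# reassigned here unless CHANGEMYSQL does so — confirm in functions.inc.sh.
if [[ "$1" == "-r" ]]; then
  CHANGEMYSQL replica_ip ""
  CHANGEMYSQL replica_status "0"
  CHANGEMYSQL ldap_server "127.0.0.1"
  echo "Annuaire replace en mode annuaire local"
fi

## Debian version (not used further down in this script)
if [[ -e /etc/debian_version ]]; then
  DEBIAN_VERSION=$(< /etc/debian_version)
fi

# Sanity check of the values we depend on.
if [[ -z "$ldap_server" || -z "$adminRdn" ]]; then
  echo "Impossible de connaitre la base dn et/ou l'admin"
  echo "le script ne peut se poursuivre"
  exit 1
fi
# No replication status at all means standalone.
replica_status=${replica_status:-0}
# ldap_server cannot be empty here (checked above); kept for safety.
ldap_server=${ldap_server:-127.0.0.1}

# Statuses 0, 1 and 3 serve the directory from ldap_server; the others
# point the local side at the replica.
case "$replica_status" in
  0|1|3) LDAP_LOCAL="$ldap_server" ;;
  *)     LDAP_LOCAL="$replica_ip" ;;
esac
LDAP_LOCAL=${LDAP_LOCAL:-127.0.0.1}

# Take the lock; from here on it is released on every exit path (the lock
# used to survive an interrupted run).
touch "$lock_file"
PEM1=
PEM2=
trap cleanup EXIT

# Stop ldap before touching its database, unless called by the installer.
if [[ "$1" != "installinit" ]]; then
  service slapd stop
  sleep 2

  # Dump the directory first.
  DATE="$(date +%d%m%Y)"
  SAUV_LDAP="ldap_$DATE.ldif"
  /usr/sbin/slapcat > "$save_dir/$SAUV_LDAP"

  # Save DB_CONFIG, or restore it from the saved copy when it is missing.
  if [[ -e /var/lib/ldap/DB_CONFIG ]]; then
    cp /var/lib/ldap/DB_CONFIG "$save_dir/"
  else
    cp "$save_dir/DB_CONFIG" /var/lib/ldap/
  fi
fi

#################################################################################
# Remove what is left of the previous setup                                     #
#################################################################################
# Old slurpd replication logs.
if [[ -d /var/spool/slurpd/replica ]]; then
  rm -Rf /var/spool/slurpd/replica
fi

# Previous syncrepl.conf.
if [[ -e /etc/ldap/syncrepl.conf ]]; then
  rm -f /etc/ldap/syncrepl.conf
fi

#################################################################################
# slapd.conf                                                                    #
#################################################################################

# Compare the secret on disk with the SQL value; the SQL value wins.
ldap_passwd=$(< /etc/ldap.secret)
if [[ "$ldap_passwd" != "$adminPw" ]]; then
  # Password changed: rewrite ldap.secret (created 0600 if it did not exist,
  # then pinned to 0400) and push the new value to samba.
  ( umask 077; printf '%s\n' "$adminPw" > /etc/ldap.secret )
  chmod 400 /etc/ldap.secret
  # NOTE(review): smbpasswd -w receives the secret on argv, so it is briefly
  # visible in the process list.
  smbpasswd -w "$adminPw"
fi
# NOTE(review): {MD5} is a weak scheme for rootpw and -s puts the secret on
# argv; slappasswd's default {SSHA} and -T <file> would be preferable if the
# other SE3 tools accept it.
crypted_ldap_passwd=$(/usr/sbin/slappasswd -h '{MD5}' -s "$adminPw")

# TLS: self-signed certificate, key and cert concatenated into slapd.pem.
# NOTE(review): rsa:1024 is below current minimums and the certificate is
# valid for ten years — revisit if TLS is switched back on (it is forced
# off further down).
cat > /etc/ldap/config.se3 <<EOF

[ req ]
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
OU = SE3
CN = $LDAP_LOCAL

EOF

PEM1=$(/bin/mktemp /tmp/openssl.XXXXXX)
PEM2=$(/bin/mktemp /tmp/openssl.XXXXXX)

/usr/bin/openssl req -config /etc/ldap/config.se3 -newkey rsa:1024 \
  -keyout "$PEM1" -nodes -x509 -days 3650 -out "$PEM2" >/dev/null 2>&1
{
  cat "$PEM1"
  echo ""
  cat "$PEM2"
} > /etc/ldap/slapd.pem
/bin/rm -f "$PEM1" "$PEM2"

# slapd.conf: schema includes first.
cat > /etc/ldap/slapd.conf <<'EOF'
# This is the main ldapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
# Cree pour Se3 par mkSlapdConf.sh

# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/ltsp.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/printer.schema
EOF

# Optional schemas, only when installed.
for schema in RADIUS-LDAPv3 apple; do
  if [[ -e "/etc/ldap/schema/$schema.schema" ]]; then
    echo "include /etc/ldap/schema/$schema.schema" >> /etc/ldap/slapd.conf
  fi
done

# Main body. Lines starting with whitespace are continuation lines in
# slapd.conf, which is what the indented "by" clauses rely on.
cat >> /etc/ldap/slapd.conf <<EOF

TLSCACertificatePath /etc/ldap/
TLSCertificateFile /etc/ldap/slapd.pem
TLSCertificateKeyFile /etc/ldap/slapd.pem

# Schema check allows for forcing entries to
# match schemas for their objectClasses's
allow bind_v2

# Where clients are refered to if no
# match is found locally
#referral ldap://some.other.ldap.server

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel 0

# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_bdb

#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend bdb
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this databasse until another
# 'database' directive occurs
database bdb

# The base of your directory
suffix "$ldap_base_dn"
rootdn "$adminRdn,$ldap_base_dn"
rootpw $crypted_ldap_passwd
# Where the database file are physically stored
directory "/var/lib/ldap"

checkpoint 512 30

index objectClass,uidNumber,gidNumber,uniqueMember,member eq
index cn,sn,uid,displayName,l pres,sub,eq
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
index sambaSIDList,sambaGroupType eq
index entryCSN,entryUUID eq
index default sub,eq

# Save the time that the entry gets modified
lastmod on

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,@SUFFIX@"
# by dnattr=owner write

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
access to attrs=userPassword
    by anonymous auth
    by self write
    by * none

# ACLs proposees par Bruno Bzeznic
access to attrs=userpassword
    by self write
    by users none
    by anonymous auth

access to attrs=sambaLmPassword
    by self write
    by users none
    by anonymous auth

access to attrs=sambaNtPassword
    by self write
    by users none
    by anonymous auth

access to attrs=printer-uri
    by self write
    by users none
    by anonymous auth


# The admin dn has full write access
access to *
    by * read

# out put of this database using slapcat(8C), and then importing that into
#
# credentials="XXXXXX"

# End of ldapd configuration file
sizelimit 3500

EOF

#################################################################################
# /etc/default/slapd                                                            #
#################################################################################

cat > /etc/default/slapd <<'EOF'
# Default location of the slapd.conf file or slapd.d cn=config directory. If
# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
# /etc/ldap/slapd.conf).

SLAPD_CONF="/etc/ldap/slapd.conf"

# System account to run the slapd server under. If empty the server
# will run as root.
SLAPD_USER="openldap"

# System group to run the slapd server under. If empty the server will
# run in the primary group of its user.
SLAPD_GROUP="openldap"

# Path to the pid file of the slapd server. If not set the init.d script
# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf)
SLAPD_PIDFILE=

# slapd normally serves ldap only on all TCP-ports 389. slapd can also
# service requests on TCP-port 636 (ldaps) and requests via unix
# sockets.
# Example usage:
# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
SLAPD_SERVICES="ldap:/// ldapi:///"

# If SLAPD_NO_START is set, the init script will not start or restart
# slapd (but stop will still work). Uncomment this if you are
# starting slapd via some other means or if you don't want slapd normally
# started at boot.
#SLAPD_NO_START=1

# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
# the init script will not start or restart slapd (but stop will still
# work). Use this for temporarily disabling startup of slapd (when doing
# maintenance, for example, or through a configuration management system)
# when you don't want to edit a configuration file.
SLAPD_SENTINEL_FILE=/etc/ldap/noslapd

# For Kerberos authentication (via SASL), slapd by default uses the system
# keytab file (/etc/krb5.keytab). To use a different keytab file,
# uncomment this line and change the path.
#export KRB5_KTNAME=/etc/krb5.keytab

# Additional options to pass to slapd
SLAPD_OPTIONS=""


EOF

SSL="start_tls"

# TLS disabled as a workaround for a bug, until another library is used.
SSL="off"

if [[ "$replica_status" == "2" ]]; then
  SSL="off"
fi
# No ssl when the ldap server is this machine (replica_status is never
# empty here, it was defaulted to 0 above).
if [[ -z "$replica_status" || "$replica_status" == "0" ]]; then
  if [[ "$ldap_server" == "$se3ip" ]]; then
    echo "Pas de replication, LDAP local, SSL off"
    SSL="off"
  fi
fi
# Samba configuration.
# NOTE(review): ldap_server is interpolated into the sed expression; a value
# containing '#' or '&' would break the substitution.
sed -i "s#ldapsam:ldap.*#ldapsam:ldap://$ldap_server#" /etc/samba/smb.conf 2>/dev/null
sed -i "s#ldap ssl.*#ldap ssl = $SSL#" /etc/samba/smb.conf 2>/dev/null

#################################################################################
# Slave Syncrepl                                                                #
#################################################################################
if [[ "$replica_status" == "4" ]]; then
  # Wipe the local database; the consumer rebuilds it from the provider.
  if [[ -e "$save_dir/DB_CONFIG" ]]; then
    cp "$save_dir/DB_CONFIG" /var/lib/ldap/
  else
    mkdir -p "$save_dir/"
    cp /var/lib/ldap/DB_CONFIG "$save_dir/"
  fi
  rm -f /var/lib/ldap/*

  # NOTE(review): ldap_passwd is the value read from ldap.secret *before* the
  # possible update from adminPw above — confirm which password the provider
  # expects for cn=admin.
  cat > /etc/ldap/syncrepl.conf <<EOF
syncrepl rid=0
    provider=ldap://$ldap_server:389
    type=refreshOnly
    interval=00:00:01:00
    searchbase="$ldap_base_dn"
    scope=sub
    schemachecking=off
    bindmethod=simple
    binddn="cn=admin,$ldap_base_dn"
    credentials=$ldap_passwd
EOF

  add_syncrepl_include

  # Hosts for the nss/pam/ldap.conf files below.
  serveurs="$ldap_server $LDAP_LOCAL"
fi

#################################################################################
# Master Syncrepl                                                               #
#################################################################################
if [[ "$replica_status" == "3" ]]; then
  serveurs="$ldap_server $replica_ip"

  # Provider side: syncprov overlay. The file name is kept so the method in
  # use can be recognised from the presence of syncrepl.conf.
  cat > /etc/ldap/syncrepl.conf <<'EOF'
moduleload syncprov
overlay syncprov
syncprov-checkpoint 50 5
syncprov-sessionlog 50
EOF

  add_syncrepl_include
fi

#################################################################################
# No replication                                                                #
#################################################################################
# Statuses 1 and 2 leave serveurs unset, so "host" ends up empty in the
# files below (unchanged behaviour).
if [[ "$replica_status" == "0" ]]; then
  serveurs="$ldap_server"
fi

#################################################################################
# libnss-ldap.conf, pam_ldap.conf, ldap.conf                                    #
#################################################################################
cat > /etc/libnss-ldap.conf <<EOF
ldap_version 3
base $ldap_base_dn
rootbinddn $adminRdn,$ldap_base_dn
#bindpw
host $serveurs
#scope sub

# ssl start_tls
# tls_checkpeer no
bind_policy soft
nss_initgroups_ignoreusers root,openldap,plugdev,disk,kmem,tape,audio,daemon,lp,rdma,fuse,video,dialout,floppy,cdrom,tty
EOF

cat > /etc/pam_ldap.conf <<EOF
ldap_version 3
base $ldap_base_dn
rootbinddn $adminRdn,$ldap_base_dn
#bindpw
host $serveurs
pam_crypt local
# ssl start_tls
# tls_checkpeer no

EOF

cat > /etc/ldap/ldap.conf <<EOF
HOST $serveurs
BASE $ldap_base_dn
# TLS_REQCERT never
# TLS_CACERTDIR /etc/ldap/
# TLS_CACERT /etc/ldap/slapd.pem

EOF

#################################################################################
# End of configuration                                                          #
#################################################################################

chmod 640 /etc/ldap/slapd.conf
if [[ -e /etc/ldap/syncrepl.conf ]]; then
  # Holds the replication bind password in clear text: same mode as
  # slapd.conf, which includes it.
  chmod 640 /etc/ldap/syncrepl.conf
fi
# NOTE(review): slapd.pem also holds the private key, so 644 leaves it
# world-readable; slapd itself runs as openldap (see /etc/default/slapd above).
chmod 644 /etc/ldap/slapd.pem

if [[ "$1" == "index" ]]; then
  slapindex 2>/dev/null
fi

chown -R openldap:openldap /etc/ldap
chown -R openldap:openldap /var/lib/ldap
chown openldap:openldap /var/run/slapd

if [[ "$1" != "installinit" ]]; then
  service slapd start
fi
sleep 1
if [[ "$1" != "installinit" ]]; then
  /etc/init.d/samba reload
fi

# Release the lock (the EXIT trap also covers abnormal exits).
rm -f -- "$lock_file"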