#!/bin/bash # ## $Id: mkSlapdConf.sh 7943 2013-11-17 00:05:18Z keyser $ ## # ##### Met en place la replication LDAP avec syncrepl ##### if [ "$1" = "--help" -o "$1" = "-h" ] then echo "Met en place la replication LDAP (syncrepl)a partir des donnees de la base sql" echo "Usage : -r replace l'annuaire en annuaire local sans replication" echo "-h Cette aide" exit fi . /usr/share/se3/includes/config.inc.sh -lm . /usr/share/se3/includes/functions.inc.sh mkdir -p /var/se3/save/ldap/ if [ -e /var/lock/syncrepl.lock ] then echo "lock trouve" logger -t "SLAPD" "Lock syncrepl.lock existant" exit 1 fi # Permettre un retour sur l'annuaire local if [ "$1" = "-r" ] then CHANGEMYSQL replica_ip "" CHANGEMYSQL replica_status "0" CHANGEMYSQL ldap_server "127.0.0.1" # # # /usr/bin/mysql -u $user -p$password -D se3db -e "UPDATE params set value='' WHERE name='replica_ip'" # /usr/bin/mysql -u $user -p$password -D se3db -e "UPDATE params set value='0' WHERE name='replica_status'" # /usr/bin/mysql -u $user -p$password -D se3db -e "UPDATE params set value='127.0.0.1' WHERE name='ldap_server'" echo "Annuaire replace en mode annuaire local" fi # ## Version Debian if [ -e /etc/debian_version ] then DEBIAN_VERSION=`cat /etc/debian_version` fi # Verification des variables if [ "$ldap_server" = "" -o "$adminRdn" = "" ] then echo "Impossible de connaitre la base dn et/ou l'admin" echo "le script ne peut se poursuivre" exit 1 fi if [ "$replica_status" = "" ] then # Si pas de valeur on le place en standalone replica_status=0 fi if [ "$ldap_server" = "" ] then ldap_server="127.0.0.1" fi if [ "$replica_status" = "1" -o "$replica_status" = "3" -o "$replica_status" = "0" ] then LDAP_LOCAL="$ldap_server" else LDAP_LOCAL="$replica_ip" fi if [ "$LDAP_LOCAL" = "" ] then LDAP_LOCAL="127.0.0.1" fi # lock touch /var/lock/syncrepl.lock # On stoppe ldap et samba if [ "$1" != "installinit" ] then service slapd stop sleep 2 # On sauvegarde LDAP DATE="$(date +%d%m%Y)" SAUV_LDAP=ldap_$DATE.ldif /usr/sbin/slapcat > /var/se3/save/ldap/$SAUV_LDAP # On sauvegarde DB_CONFIG if [ -e "/var/lib/ldap/DB_CONFIG" ] then cp /var/lib/ldap/DB_CONFIG /var/se3/save/ldap/ else cp /var/se3/save/ldap/DB_CONFIG /var/lib/ldap/ fi fi ################################################################################# # On supprime l'existant # ################################################################################# # On vire le repertoire des logs de slurpd if [ \( -d "/var/spool/slurpd/replica" \) ] then rm -Rf /var/spool/slurpd/replica fi # On vire syncrepl.conf if [ -e "/etc/ldap/syncrepl.conf" ] then rm -f /etc/ldap/syncrepl.conf fi ################################################################################# # Fichier de conf de slapd.conf # ################################################################################# # On crypte le mot de passe ldap_passwd=`cat /etc/ldap.secret` # verifie la concordence avcc la base SQL if [ "$ldap_passwd" != "$adminPw" ] then # Implique un changement de mot de passe, on change donc celui de ldap.secret echo "$adminPw" > /etc/ldap.secret chmod 400 /etc/ldap.secret smbpasswd -w $adminPw fi crypted_ldap_passwd=`/usr/sbin/slappasswd -h {MD5} -s $adminPw` # TLS echo " [ req ] distinguished_name = req_distinguished_name prompt = no [ req_distinguished_name ] OU = SE3 CN = $LDAP_LOCAL " > /etc/ldap/config.se3 PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` /usr/bin/openssl req -config /etc/ldap/config.se3 -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 3650 -out $PEM2 >/dev/null 2>/dev/null cat $PEM1 > /etc/ldap/slapd.pem echo "" >> /etc/ldap/slapd.pem cat $PEM2 >> /etc/ldap/slapd.pem /bin/rm -f $PEM1 $PEM2 # Fichier slapd.conf echo "# This is the main ldapd configuration file. See slapd.conf(5) for more # info on the configuration options. # Cree pour Se3 par mkSlapdConf.sh # Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/ltsp.schema include /etc/ldap/schema/samba.schema include /etc/ldap/schema/printer.schema" > /etc/ldap/slapd.conf if [ -e "/etc/ldap/schema/RADIUS-LDAPv3.schema" ] then echo "include /etc/ldap/schema/RADIUS-LDAPv3.schema" >> /etc/ldap/slapd.conf fi if [ -e "/etc/ldap/schema/apple.schema" ] then echo "include /etc/ldap/schema/apple.schema" >> /etc/ldap/slapd.conf fi echo " TLSCACertificatePath /etc/ldap/ TLSCertificateFile /etc/ldap/slapd.pem TLSCertificateKeyFile /etc/ldap/slapd.pem # Schema check allows for forcing entries to # match schemas for their objectClasses's allow bind_v2 # Where clients are refered to if no # match is found locally #referral ldap://some.other.ldap.server # Where the pid file is put. The init.d script # will not stop the server if you change this. pidfile /var/run/slapd/slapd.pid # List of arguments that were passed to the server argsfile /var/run/slapd/slapd.args # Read slapd.conf(5) for possible values loglevel 0 # Where the dynamically loaded modules are stored modulepath /usr/lib/ldap moduleload back_bdb ####################################################################### # Specific Backend Directives for bdb: # Backend specific directives apply to this backend until another # 'backend' directive occurs backend bdb # Specific Directives for database #1, of type bdb: # Database specific directives apply to this databasse until another # 'database' directive occurs database bdb # The base of your directory suffix \"$ldap_base_dn\" rootdn \"$adminRdn,$ldap_base_dn\" rootpw $crypted_ldap_passwd # Where the database file are physically stored directory \"/var/lib/ldap\" checkpoint 512 30 index objectClass,uidNumber,gidNumber,uniqueMember,member eq index cn,sn,uid,displayName,l pres,sub,eq index memberUid,mail,givenname eq,subinitial index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq index sambaSIDList,sambaGroupType eq index entryCSN,entryUUID eq index default sub,eq # Save the time that the entry gets modified lastmod on # For Netscape Roaming support, each user gets a roaming # profile for which they have write access to #access to dn=\".*,ou=Roaming,@SUFFIX@\" # by dnattr=owner write # The userPassword by default can be changed # by the entry owning it if they are authenticated. # Others should not be able to see it, except the # admin entry below access to attrs=userPassword by anonymous auth by self write by * none # ACLs proposees par Bruno Bzeznic access to attrs=userpassword by self write by users none by anonymous auth access to attrs=sambaLmPassword by self write by users none by anonymous auth access to attrs=sambaNtPassword by self write by users none by anonymous auth access to attrs=printer-uri by self write by users none by anonymous auth # The admin dn has full write access access to * by * read # out put of this database using slapcat(8C), and then importing that into # # credentials=\"XXXXXX\" # End of ldapd configuration file sizelimit 3500 " >> /etc/ldap/slapd.conf ################################################################################# # Cree le fichier /etc/default/slapd # ################################################################################# echo "# Default location of the slapd.conf file or slapd.d cn=config directory. If # empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to # /etc/ldap/slapd.conf). SLAPD_CONF=\"/etc/ldap/slapd.conf\" # System account to run the slapd server under. If empty the server # will run as root. SLAPD_USER=\"openldap\" # System group to run the slapd server under. If empty the server will # run in the primary group of its user. SLAPD_GROUP=\"openldap\" # Path to the pid file of the slapd server. If not set the init.d script # will try to figure it out from \$SLAPD_CONF (/etc/ldap/slapd.conf) SLAPD_PIDFILE= # slapd normally serves ldap only on all TCP-ports 389. slapd can also # service requests on TCP-port 636 (ldaps) and requests via unix # sockets. # Example usage: # SLAPD_SERVICES=\"ldap://127.0.0.1:389/ ldaps:/// ldapi:///\" SLAPD_SERVICES=\"ldap:/// ldapi:///\" # If SLAPD_NO_START is set, the init script will not start or restart # slapd (but stop will still work). Uncomment this if you are # starting slapd via some other means or if you don't want slapd normally # started at boot. #SLAPD_NO_START=1 # If SLAPD_SENTINEL_FILE is set to path to a file and that file exists, # the init script will not start or restart slapd (but stop will still # work). Use this for temporarily disabling startup of slapd (when doing # maintenance, for example, or through a configuration management system) # when you don't want to edit a configuration file. SLAPD_SENTINEL_FILE=/etc/ldap/noslapd # For Kerberos authentication (via SASL), slapd by default uses the system # keytab file (/etc/krb5.keytab). To use a different keytab file, # uncomment this line and change the path. #export KRB5_KTNAME=/etc/krb5.keytab # Additional options to pass to slapd SLAPD_OPTIONS=\"\" " > /etc/default/slapd SSL="start_tls" # desactivation TLS pour contournement bug en attendant utilsation autre lib SSL="off" if [ "$replica_status" = "2" ] then SSL="off" fi # Pas de ssl si le ldap est local if [ "$replica_status" == "" -o "$replica_status" = "0" ] then if [ "$ldap_server" == "$se3ip" ] then echo "Pas de replication, LDAP local, SSL off" SSL="off" fi fi # Modification conf samba sed -i "s#ldapsam:ldap.*#ldapsam:ldap://$ldap_server#" /etc/samba/smb.conf 2>/dev/null sed -i "s#ldap ssl.*#ldap ssl = $SSL#" /etc/samba/smb.conf 2>/dev/null ################################################################################# # Slave Syncrepl # ################################################################################# if [ "$replica_status" = "4" ] then # On supprime la base if [ -e "/var/se3/save/ldap/DB_CONFIG" ] then cp /var/se3/save/ldap/DB_CONFIG /var/lib/ldap/ else mkdir -p /var/se3/save/ldap/ cp /var/lib/ldap/DB_CONFIG /var/se3/save/ldap/ fi rm -f /var/lib/ldap/* echo "syncrepl rid=0 provider=ldap://$ldap_server:389 type=refreshOnly interval=00:00:01:00 searchbase=\"$ldap_base_dn\" scope=sub schemachecking=off bindmethod=simple binddn=\"cn=admin,$ldap_base_dn\" credentials=$ldap_passwd" > /etc/ldap/syncrepl.conf # Ajout de l'include dans slapd.conf echo "# Replication Slave Syncrepl include /etc/ldap/syncrepl.conf" >> /etc/ldap/slapd.conf # Modiife les differents fichiers de conf serveurs="$ldap_server $LDAP_LOCAL" fi ################################################################################# # Master Syncrepl # ################################################################################# if [ "$replica_status" = "3" ] then serveurs="$ldap_server $replica_ip" # touch syncrepl vide pour indiquer la methode echo "moduleload syncprov overlay syncprov syncprov-checkpoint 50 5 syncprov-sessionlog 50" > /etc/ldap/syncrepl.conf # Ajout de l'include dans slapd.conf echo "# Replication Slave Syncrepl include /etc/ldap/syncrepl.conf" >> /etc/ldap/slapd.conf fi ################################################################################# # Pas de replication # ################################################################################# if [ "$replica_status" = "0" ] then # Modiife les differents fichiers de conf serveurs="$ldap_server" fi ################################################################################# # Creation de : libnss-ldap.conf pam_ldap.conf ldap.conf # ################################################################################# echo "ldap_version 3 base $ldap_base_dn rootbinddn $adminRdn,$ldap_base_dn #bindpw host $serveurs #scope sub # ssl start_tls # tls_checkpeer no bind_policy soft nss_initgroups_ignoreusers root,openldap,plugdev,disk,kmem,tape,audio,daemon,lp,rdma,fuse,video,dialout,floppy,cdrom,tty" > /etc/libnss-ldap.conf # Creation de pam_ldap.conf echo "ldap_version 3 base $ldap_base_dn rootbinddn $adminRdn,$ldap_base_dn #bindpw host $serveurs pam_crypt local # ssl start_tls # tls_checkpeer no " > /etc/pam_ldap.conf # Creation de ldap.conf echo "HOST $serveurs BASE $ldap_base_dn # TLS_REQCERT never # TLS_CACERTDIR /etc/ldap/ # TLS_CACERT /etc/ldap/slapd.pem " > /etc/ldap/ldap.conf ################################################################################# # Fin de la conf # ################################################################################# chmod 640 /etc/ldap/slapd.conf chmod 644 /etc/ldap/slapd.pem if [ "$1" == "index" ] then # chown root /var/lib/ldap/* slapindex 2>/dev/null # chown openldap /var/lib/ldap/* fi chown -R openldap:openldap /etc/ldap chown -R openldap:openldap /var/lib/ldap chown openldap:openldap /var/run/slapd [ "$1" != "installinit" ] && service slapd start sleep 1 [ "$1" != "installinit" ] && /etc/init.d/samba reload # Supprime le lock rm -f /var/lock/syncrepl.lock