S10slapd

Synopsis


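#!/bin/sh
# simple openLDAP SLAPD configuration and build
#
# OUTSTANDING ISSUE remains SASL !
#
# Environment expected from the kickstart %post: VERSION, OS (rhel3|fc4),
# DOMAINNAME, DITNAME, NODENAME, PASSWD.
# NOTE: the script uses "[ a == b ]", a bash extension; it relies on
# /bin/sh being bash, as it is on the Red Hat / Fedora releases it targets.
#
# Keep the package's slapd.conf as a backup.  The backup keeps whatever
# permissions it had; if it held a rootpw it is still sensitive.
mv /etc/openldap/slapd.conf "/etc/openldap/slapd.conf-$VERSION"
#                                        Fixup the schema files
#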

Script


echo "%Post: SLAPD LDAP Schemas"
# Red Hat ships samba's LDAP schema under the samba docs; put it next to
# the other distribution schemas so slapd.conf can include it by a fixed path.
cp /usr/share/doc/samba*/LDAP/samba.schema /etc/openldap/schema/redhat
# Site-local schema additions live in schema/extra.
EXTRA_SCHEMA_DIR=/etc/openldap/schema/extra
mkdir -p "$EXTRA_SCHEMA_DIR"
#cp -R /mnt/source/kickstart/schema/* /etc/openldap/schema/extra
# nisDomain / nisDomainObject, presumably missing from the stock nis.schema
# on these releases (a later nis.schema that defines them would make slapd
# reject the duplicate).  Attribute descriptors are case-insensitive, so
# "nisDOMAIN" in the MAY list refers to the nisDomain attribute above.
# Quoted delimiter: nothing in this block is meant to be expanded.
cat > "$EXTRA_SCHEMA_DIR/extra.schema" <<'EOF'
attributetype ( 1.3.6.1.1.1.1.30 NAME 'nisDomain'
              DESC 'NIS Domain'
              EQUALITY caseIgnoreIA5Match
	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)

objectclass ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject'
              SUP top AUXILIARY
	      DESC 'Associates a NIS domain with a naming context'
	      MAY ( nisDOMAIN ))
EOF
#                                        create a new SLAPD.CONF

# Start slapd.conf from scratch.  Only the two supported releases get a
# header; any other value of $OS leaves the file to be created by the
# appends below, exactly as before.
case "$OS" in
  rhel3)
    cat > /etc/openldap/slapd.conf <<EOF
# $DOMAINNAME slapd.conf file
# Jan 2004
EOF
    ;;
  fc4)
    # "bind_anon_cred" accepts an anonymous bind even when a password is
    # supplied with an empty DN; "bind_v2" accepts LDAPv2 binds.  Both are
    # concessions to old clients -- review whether they are still needed
    # before reusing this configuration elsewhere.
    cat > /etc/openldap/slapd.conf <<EOF
# $DOMAINNAME slapd.conf file
# Jan 2004
allow	bind_anon_cred bind_v2
EOF
    ;;
esac
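# The rootdn password.  slapd accepts rootpw either in clear or as a
# {SCHEME}hash; hash it so the secret is not stored in clear in slapd.conf
# (and in every slapd.conf-$VERSION backup of it).  slappasswd -s puts the
# secret on a command line, visible in ps for the instant it runs; during a
# kickstart %post nobody else is logged in, so that is the lesser evil.
# Fall back to the clear value rather than lock the rootdn out if slappasswd
# is not installed.
if command -v slappasswd >/dev/null 2>&1; then
  ROOTPW=$(slappasswd -s "$PASSWD")
else
  ROOTPW=$PASSWD
fi

# NOTE(review): "sasl-secprops NONE" clears every SASL security property,
# so mechanisms open to passive attacks and anonymous SASL are accepted --
# it is what makes the SASL "outstanding issue" tolerable, but should not
# survive into production.  "dbnosync" trades durability for speed: a crash
# can lose the most recent writes.  "mode 0600" keeps the database files
# slapd creates private to the ldap user.
# The sasl-regexp examples contain "$1"; escaped below so the shell does not
# replace it with this script's first positional parameter.
cat >> /etc/openldap/slapd.conf <<EOF
include		/etc/openldap/schema/core.schema
include		/etc/openldap/schema/cosine.schema
include		/etc/openldap/schema/inetorgperson.schema
include		/etc/openldap/schema/nis.schema
include		/etc/openldap/schema/misc.schema
include		/etc/openldap/schema/redhat/autofs.schema
include		/etc/openldap/schema/redhat/samba.schema
include         /etc/openldap/schema/extra/extra.schema
#include         /etc/openldap/schema/extra/dhcp.schema
#include         /etc/openldap/schema/extra/dnszone.schema

# performance things
threads		100
idletimeout	10
timelimit	360
sizelimit	1000

# Loging stuff
loglevel	256
schemacheck 	on

# authentication things
password-hash	{SSHA}

defaultsearchbase $DITNAME
sasl-realm $DOMAINNAME
sasl-host 127.0.0.1
sasl-secprops NONE
#sasl-regexp
#          uid=(.*),cn=plain,cn=auth
#          uid=\$1,ou=people,$DITNAME
#sasl-regexp "uid=(.*),cn=.*,cn=auth" "ldap:///ou=people,$DITNAME??sub?uid=\$1"

database	ldbm
directory	/var/lib/ldap
mode		0600

pidfile		/var/run/slapd.pid
#argsfiles	/var/run/slapd.args

suffix	"$DITNAME"
rootdn  "cn=Directory Manager,$DITNAME"
rootpw	$ROOTPW

index   objectClass,uid,uidNumber,gidNumber,memberUid   eq
index   cn,mail,surname,givenname                       eq,subinitial
index	sambaSID,sambaPrimaryGroupSID,sambaDomainName	eq

lastmod on
cachesize 	2000
dbcachesize	60000000
dbnosync	

# replication details
include /etc/openldap/replication.conf

EOF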

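# Access control.  Only fc4 gets explicit access directives; with none
# present slapd's built-in policy applies (anyone may read everything, only
# the rootdn may write), so on rhel3 the userPassword hashes -- and the
# Samba hashes -- are readable anonymously.
# The Samba LM/NT hashes are password equivalents (they can be replayed
# directly against SMB), so they get the same protection as userPassword.
# The rootdn bypasses ACLs; if Samba binds as any other DN it must be
# granted access to these attributes here.
if [ "$OS" = "fc4" ]; then
  cat >> /etc/openldap/slapd.conf <<EOF
# ACLs to allow users to update their passwords
# Samba password hashes: never readable, self-writable, writable by the
# directory manager (listed explicitly for clarity; the rootdn bypasses ACLs)
access to attr=sambaLMPassword,sambaNTPassword
         by dn="cn=Directory Manager,$DITNAME" write
         by self write
         by * none

access to attr=userPassword
         by self write
         by * auth

# everything else stays world readable
access to *
         by * read

EOF
fi

# slapd runs as the ldap user and must read the file; nobody else should.
chmod 640 /etc/openldap/slapd.conf
chgrp ldap /etc/openldap/slapd.conf
echo "%Post: SLAPD slapd.conf built"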

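# slapd.conf *MUST* be a working configuration before slapadd will work,
# so the primary/secondary replication stanza has to be in place *before*
# the db is populated, or slapadd just barfs with misleading errors.

# SRV priority 5  == master ldap server
# SRV priority 10 == slave ldap server
#
# The role is chosen purely from DNS: whoever can answer for
# _ldap._tcp.$DOMAINNAME decides which host becomes master and (via the
# rc.local fragment below) where the master pushes the whole directory.
# Nothing here verifies that answer.

# Look for an SRV record whose target is this host.  Fixed-string,
# case-insensitive, whole-word match so that "ldap1" does not also match
# "ldap10".
SRV=$(host -t SRV "_ldap._tcp.$DOMAINNAME" | grep -F -i -w -- "$NODENAME")
# A match looks like
#   FC3: _ldap._tcp.$DOMAINNAME SRV 5 0 389 $NODENAME.
#   FC4: _ldap._tcp.$DOMAINNAME has SRV record 5 0 389 $NODENAME.
# so the whitespace-separated field holding the priority (and, further on,
# the target host) depends on the release.
if [ "$OS" = "fc4" ]; then
    PRIOFIELD=5
    HOSTFIELD=8
else
    PRIOFIELD=3
    HOSTFIELD=6
fi
# awk splits on runs of blanks, so single spacing is not assumed; only the
# first matching record is considered.
PRIORITY=$(echo "$SRV" | awk -v f="$PRIOFIELD" 'NR == 1 { print $f }')

if [ "$PRIORITY" = "5" ]; then       # i.e. we're a master

  echo "replogfile /var/lib/ldap/slurpd.replog" >> /etc/openldap/slapd.conf
  # replication.conf will carry the rootdn password in clear (see the
  # rc.local fragment below).  slapd.conf includes it, so the ldap group
  # needs read access; nobody else does.
  touch /etc/openldap/replication.conf
  chgrp ldap /etc/openldap/replication.conf
  chmod 640 /etc/openldap/replication.conf

  # NOTE(review): the replica stanza binds as the rootdn with
  # bindmethod=simple on plain port 389, so the rootdn password and every
  # replicated entry (password hashes included) cross the wire in clear
  # unless the link is otherwise protected; if this slurpd supports it,
  # tls=yes on the replica line is the obvious improvement, and a dedicated
  # replication DN would limit the damage should that credential leak.
  #
  # The host= value concatenates the SRV target with $DOMAINNAME, which
  # presumes host prints the target as "$NODENAME." (as documented above);
  # if it prints a fully qualified name the result will be wrong.
  #
  # Secondaries are selected on the priority *field* being exactly 10;
  # matching "10" anywhere on the line would also pick up hosts or ports
  # that merely contain those digits.  The file is (re)created and locked
  # down *before* the secrets are written into it, and it exists even when
  # no secondary is found, so slapd's include never fails.
  cat >> /etc/rc.d/rc.local <<EOF
# --- $VERSION fix
# We'd like to dynamically add secondary ldap server configurations to the
# master ldap server config (/etc/openldap/replication.conf)
# For simplicity, we'll always rebuild this from scratch.
# Secondaries: SRV records whose priority (field $PRIOFIELD of host's output)
# is 10; the target host is field $HOSTFIELD.

mv /etc/openldap/replication.conf /etc/openldap/replication.conf.OLD
: > /etc/openldap/replication.conf
chgrp ldap /etc/openldap/replication.conf
chmod 640 /etc/openldap/replication.conf
for i in \$(host -t SRV _ldap._tcp.$DOMAINNAME | awk -v p=$PRIOFIELD -v h=$HOSTFIELD '\$p == "10" { print \$h }')
do
   cat >> /etc/openldap/replication.conf <<FOO

replica host=\${i}${DOMAINNAME}:389
        suffix="$DITNAME"
	binddn="cn=Directory Manager,$DITNAME"
	credentials=\$(cat /etc/ldap.secret)
	bindmethod=simple

FOO
done

service ldap restart

# --- END OF LDAP fix

EOF

  # if the replogfile line exists in the openldap.conf, then the standard
  # init script will start slurpd as well as slapd.

  # slurpd runs as root
  # if we let slurpd create the /var/lib/ldap/replica directory, then
  # the slapd process can't write into it, and replication fails
  # create it now, and it'll be chowned to ldap:ldap with the rest of the
  # /var/lib/ldap tree at the end of this script
  mkdir -p /var/lib/ldap/replica

elif [ "$PRIORITY" = "10" ]; then     # i.e. we're a secondary
  # updatedn is the DN the master binds as to push changes; it is the
  # rootdn here (see the note on the master side).
  cat > /etc/openldap/replication.conf <<EOF
updatedn "cn=Directory Manager,$DITNAME"

updateref ldap://ldap.$DOMAINNAME

EOF
  chgrp ldap /etc/openldap/replication.conf
  chmod 640 /etc/openldap/replication.conf

else # i.e. no matching SRV record, so not master or secondary
  # slapd.conf includes the file unconditionally, so it must exist.
  touch /etc/openldap/replication.conf
fi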
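#
# Now we need to populate this all
#
# Each step is a separate script.  A failure is reported on stderr but does
# not abort the %post, since the later steps may still be useful; the
# original ran them blindly and said nothing.
run_ldif() {
  echo "%Post: $1"
  "$2" || echo "%Post: WARNING: $2 failed (exit $?)" >&2
}
run_ldif "LDAP structure"      /mnt/source/kickstart/ldif/top.sh
run_ldif "LDAP ou=services"    /mnt/source/kickstart/ldif/services.sh
run_ldif "LDAP ou=software"    /mnt/source/kickstart/ldif/software.sh
run_ldif "LDAP ou=group"       /mnt/source/kickstart/ldif/groups.sh
run_ldif "LDAP ou=people"      /mnt/source/kickstart/ldif/passwd.sh
run_ldif "LDAP samba groups"   /mnt/source/kickstart/ldif/samba-group.sh
run_ldif "LDAP samba accounts" /mnt/source/kickstart/ldif/samba-user.sh
run_ldif "LDAP ou=autofs"      /mnt/source/kickstart/ldif/autofs.sh
if [ -f /usr/local/sbin/smbldap_tools.pm ] ; then
  run_ldif "For smbldap-tools: cn=NextFreeUnixId" /mnt/source/kickstart/ldif/smbldap-tools.sh
fi

echo "%Post: SLAPD ldif data join built"
# Everything above ran as root, so hand the whole tree (the replica
# directory included, not just the top-level entries) to the ldap user
# that slapd runs as.
chown -R ldap:ldap /var/lib/ldap

echo "%Post: Startup Slapd"
chkconfig --level 2345 ldap on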


Examples and Testing


#
# To Test Replication you can do this
# ldapadd -c -x -h <ldapmaster> -p 389 -a \
# -D"cn=Directory Manager,$DITNAME" \
# -w `cat /etc/ldap.secret`
# (the entry below is fed to ldapadd on stdin.  -w puts the rootdn password
#  on the command line, where any local user can read it from ps; where the
#  ldap tools support it, -y /etc/ldap.secret reads it from the file instead)
#
#dn: cn=ldap,nisMapName=auto.opt,ou=autofs,$DITNAME
#objectClass: nisObject
#cn: ldap
#nisMapEntry: -nonstrict 127.0.0.1:/export/OS/fedora/opt/ldap
#nisMapName: auto.opt
# 
#
# Having done this check it is committed to the master
#
#ldapsearch -LLL  -x -h <ldapmaster> -p 389  -s one\
# -D"cn=Directory Manager,$DITNAME" -w `cat /etc/ldap.secret` \
#  -b "ou=autofs,$DITNAME" cn=ldap dn
#
# Now check this on the slave server
#ldapsearch -LLL  -x -h <ldapslave> -p 389  -s one\
# -D"cn=Directory Manager,$DITNAME" -w `cat /etc/ldap.secret` \
#  -b "ou=autofs,$DITNAME" cn=ldap dn
#
# Now Remove the test application
#
# ldapdelete -x -h <ldapmaster> -p389  \
# -D"cn=Directory Manager,$DITNAME" \
# -w `cat /etc/ldap.secret` \
# "cn=ldap,nisMapName=auto.opt,ou=autofs,$DITNAME"
#
#
# You can look for rejected transfers in
# /var/lib/ldap/replica/... 
#
# usually this means you have the authentication wrong.
# or the suffix wrong.
#


