[fix] Be able to init slapd in a chroot

ljf 2021-05-21 00:46:31 +02:00
parent 0f10b91fa1
commit d241db4c33
4 changed files with 137 additions and 196 deletions


@ -12,16 +12,12 @@ do_init_regen() {
do_pre_regen ""
systemctl daemon-reload
systemctl restart slapd
# Drop current existing slapd data
rm -rf /var/backups/*.ldapdb
rm -rf /var/backups/slapd-*
debconf-set-selections << EOF
debconf-set-selections << EOF
slapd slapd/password1 password yunohost
slapd slapd/password2 password yunohost
slapd slapd/domain string yunohost.org
@ -45,11 +41,11 @@ EOF
chown -R openldap:openldap /etc/ldap/schema/
usermod -aG ssl-cert openldap
systemctl restart slapd
# (Re-)init data according to ldap_scheme.yaml
# (Re-)init data according to default ldap entries
slapadd -n1 -l /usr/share/yunohost/yunohost-config/moulinette/ldap_default_entries.ldif 2>&1 \
| grep -v "none elapsed\|Closing DB" || true
yunohost tools shell -c "from yunohost.tools import tools_ldapinit; tools_ldapinit()"
}
_regenerate_slapd_conf() {
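Review bot: The new `slapadd -n1 -l …/ldap_default_entries.ldif` runs immediately after the `systemctl restart slapd` that precedes the "(Re-)init data" comment, so the import is done on a database a running slapd has open; slapadd's manual advises that slapd should not be running in read-write mode during a load, so either stop slapd before the slapadd and start it afterwards, or add the entries to the live server with ldapadd. The trailing `|| true` also hides slapadd's own result, because the pipeline's exit status is grep's (grep -v exits 1 once every line is filtered), so a failed import looks identical to a clean one; `slapadd … 2>&1 | { grep -v "none elapsed\|Closing DB" || true; }` keeps slapadd's status visible if the hook runs with pipefail, and otherwise `${PIPESTATUS[0]}` can be checked after the pipeline. do_init_regen starts before this hunk.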


@ -0,0 +1,99 @@
dn: ou=users,dc=yunohost,dc=org
objectClass: organizationalUnit
objectClass: top
ou: users
dn: ou=domains,dc=yunohost,dc=org
objectClass: organizationalUnit
objectClass: top
ou: domains
dn: ou=apps,dc=yunohost,dc=org
objectClass: organizationalUnit
objectClass: top
ou: apps
dn: ou=permission,dc=yunohost,dc=org
objectClass: organizationalUnit
objectClass: top
ou: permission
dn: ou=groups,dc=yunohost,dc=org
objectClass: organizationalUnit
objectClass: top
ou: groups
dn: ou=sudo,dc=yunohost,dc=org
objectClass: organizationalUnit
objectClass: top
ou: sudo
dn: cn=admin,ou=sudo,dc=yunohost,dc=org
cn: admin
sudoCommand: ALL
sudoUser: admin
objectClass: sudoRole
objectClass: top
sudoOption: !authenticate
sudoHost: ALL
dn: cn=admins,ou=groups,dc=yunohost,dc=org
objectClass: posixGroup
objectClass: top
memberUid: admin
gidNumber: 4001
cn: admins
dn: cn=all_users,ou=groups,dc=yunohost,dc=org
objectClass: posixGroup
objectClass: groupOfNamesYnh
gidNumber: 4002
cn: all_users
dn: cn=visitors,ou=groups,dc=yunohost,dc=org
objectClass: posixGroup
objectClass: groupOfNamesYnh
gidNumber: 4003
cn: visitors
dn: cn=mail.main,ou=permission,dc=yunohost,dc=org
groupPermission: cn=all_users,ou=groups,dc=yunohost,dc=org
cn: mail.main
objectClass: posixGroup
objectClass: permissionYnh
isProtected: TRUE
label: E-mail
gidNumber: 5001
showTile: FALSE
authHeader: FALSE
dn: cn=xmpp.main,ou=permission,dc=yunohost,dc=org
groupPermission: cn=all_users,ou=groups,dc=yunohost,dc=org
cn: xmpp.main
objectClass: posixGroup
objectClass: permissionYnh
isProtected: TRUE
label: XMPP
gidNumber: 5002
showTile: FALSE
authHeader: FALSE
dn: cn=ssh.main,ou=permission,dc=yunohost,dc=org
cn: ssh.main
objectClass: posixGroup
objectClass: permissionYnh
isProtected: TRUE
label: SSH
gidNumber: 5003
showTile: FALSE
authHeader: FALSE
dn: cn=sftp.main,ou=permission,dc=yunohost,dc=org
cn: sftp.main
objectClass: posixGroup
objectClass: permissionYnh
isProtected: TRUE
label: SFTP
gidNumber: 5004
showTile: FALSE
authHeader: FALSE


@ -1,113 +0,0 @@
parents:
ou=users:
ou: users
objectClass:
- organizationalUnit
- top
ou=domains:
ou: domains
objectClass:
- organizationalUnit
- top
ou=apps:
ou: apps
objectClass:
- organizationalUnit
- top
ou=permission:
ou: permission
objectClass:
- organizationalUnit
- top
ou=groups:
ou: groups
objectClass:
- organizationalUnit
- top
ou=sudo:
ou: sudo
objectClass:
- organizationalUnit
- top
children:
cn=admin,ou=sudo:
cn: admin
sudoUser: admin
sudoHost: ALL
sudoCommand: ALL
sudoOption: "!authenticate"
objectClass:
- sudoRole
- top
cn=admins,ou=groups:
cn: admins
gidNumber: "4001"
memberUid: admin
objectClass:
- posixGroup
- top
cn=all_users,ou=groups:
cn: all_users
gidNumber: "4002"
objectClass:
- posixGroup
- groupOfNamesYnh
cn=visitors,ou=groups:
cn: visitors
gidNumber: "4003"
objectClass:
- posixGroup
- groupOfNamesYnh
depends_children:
cn=mail.main,ou=permission:
cn: mail.main
gidNumber: "5001"
objectClass:
- posixGroup
- permissionYnh
groupPermission:
- "cn=all_users,ou=groups,dc=yunohost,dc=org"
authHeader: "FALSE"
label: "E-mail"
showTile: "FALSE"
isProtected: "TRUE"
cn=xmpp.main,ou=permission:
cn: xmpp.main
gidNumber: "5002"
objectClass:
- posixGroup
- permissionYnh
groupPermission:
- "cn=all_users,ou=groups,dc=yunohost,dc=org"
authHeader: "FALSE"
label: "XMPP"
showTile: "FALSE"
isProtected: "TRUE"
cn=ssh.main,ou=permission:
cn: ssh.main
gidNumber: "5003"
objectClass:
- posixGroup
- permissionYnh
groupPermission: []
authHeader: "FALSE"
label: "SSH"
showTile: "FALSE"
isProtected: "TRUE"
cn=sftp.main,ou=permission:
cn: sftp.main
gidNumber: "5004"
objectClass:
- posixGroup
- permissionYnh
groupPermission: []
authHeader: "FALSE"
label: "SFTP"
showTile: "FALSE"
isProtected: "TRUE"


@ -67,79 +67,6 @@ def tools_versions():
return ynh_packages_version()
def tools_ldapinit():
"""
YunoHost LDAP initialization
"""
with open("/usr/share/yunohost/yunohost-config/moulinette/ldap_scheme.yml") as f:
ldap_map = yaml.load(f)
from yunohost.utils.ldap import _get_ldap_interface
ldap = _get_ldap_interface()
for rdn, attr_dict in ldap_map["parents"].items():
try:
ldap.add(rdn, attr_dict)
except Exception as e:
logger.warn(
"Error when trying to inject '%s' -> '%s' into ldap: %s"
% (rdn, attr_dict, e)
)
for rdn, attr_dict in ldap_map["children"].items():
try:
ldap.add(rdn, attr_dict)
except Exception as e:
logger.warn(
"Error when trying to inject '%s' -> '%s' into ldap: %s"
% (rdn, attr_dict, e)
)
for rdn, attr_dict in ldap_map["depends_children"].items():
try:
ldap.add(rdn, attr_dict)
except Exception as e:
logger.warn(
"Error when trying to inject '%s' -> '%s' into ldap: %s"
% (rdn, attr_dict, e)
)
admin_dict = {
"cn": ["admin"],
"uid": ["admin"],
"description": ["LDAP Administrator"],
"gidNumber": ["1007"],
"uidNumber": ["1007"],
"homeDirectory": ["/home/admin"],
"loginShell": ["/bin/bash"],
"objectClass": ["organizationalRole", "posixAccount", "simpleSecurityObject"],
"userPassword": ["yunohost"],
}
ldap.update("cn=admin", admin_dict)
# Force nscd to refresh cache to take admin creation into account
subprocess.call(["nscd", "-i", "passwd"])
# Check admin actually exists now
try:
pwd.getpwnam("admin")
except KeyError:
logger.error(m18n.n("ldap_init_failed_to_create_admin"))
raise YunohostError("installation_failed")
try:
# Attempt to create user home folder
subprocess.check_call(["mkhomedir_helper", "admin"])
except subprocess.CalledProcessError:
if not os.path.isdir("/home/{0}".format("admin")):
logger.warning(m18n.n("user_home_creation_failed"), exc_info=1)
logger.success(m18n.n("ldap_initialized"))
def tools_adminpw(new_password, check_strength=True):
"""
Change admin password
@ -170,7 +97,15 @@ def tools_adminpw(new_password, check_strength=True):
ldap.update(
"cn=admin",
{
"userPassword": [new_hash],
"cn": ["admin"],
"uid": ["admin"],
"description": ["LDAP Administrator"],
"gidNumber": ["1007"],
"uidNumber": ["1007"],
"homeDirectory": ["/home/admin"],
"loginShell": ["/bin/bash"],
"objectClass": ["organizationalRole", "posixAccount", "simpleSecurityObject"],
"userPassword": [new_hash]
},
)
except Exception:
@ -352,8 +287,9 @@ def tools_postinstall(
domain_add(domain, dyndns)
domain_main_domain(domain)
# Change LDAP admin password
# Update LDAP admin and create home dir
tools_adminpw(password, check_strength=not force_password)
_create_admin_home()
# Enable UPnP silently and reload firewall
firewall_upnp("enable", no_refresh=True)
@ -400,6 +336,29 @@ def tools_postinstall(
logger.warning(m18n.n("yunohost_postinstall_end_tip"))
def _create_admin_home():
"""
Create admin home dir
"""
# Force nscd to refresh cache to take admin creation into account
subprocess.call(["nscd", "-i", "passwd"])
# Check admin actually exists now
try:
pwd.getpwnam("admin")
except KeyError:
logger.error(m18n.n("ldap_init_failed_to_create_admin"))
raise YunohostError("installation_failed")
try:
# Attempt to create user home folder
subprocess.check_call(["mkhomedir_helper", "admin"])
except subprocess.CalledProcessError:
if not os.path.isdir("/home/{0}".format("admin")):
logger.warning(m18n.n("user_home_creation_failed"), exc_info=1)
def tools_regen_conf(
names=[], with_diff=False, force=False, dry_run=False, list_pending=False
):