From d241db4c334122554658a8484ddb4ca2ce8b992b Mon Sep 17 00:00:00 2001 From: ljf Date: Fri, 21 May 2021 00:46:31 +0200 Subject: [PATCH] [fix] Be able to init slapd in a chroot --- data/hooks/conf_regen/06-slapd | 12 +-- data/other/ldap_default_entries.ldif | 99 +++++++++++++++++++++++ data/other/ldap_scheme.yml | 113 --------------------------- src/yunohost/tools.py | 109 ++++++++------------------ 4 files changed, 137 insertions(+), 196 deletions(-) create mode 100644 data/other/ldap_default_entries.ldif delete mode 100644 data/other/ldap_scheme.yml diff --git a/data/hooks/conf_regen/06-slapd b/data/hooks/conf_regen/06-slapd index e7524184c..363de81d6 100755 --- a/data/hooks/conf_regen/06-slapd +++ b/data/hooks/conf_regen/06-slapd @@ -12,16 +12,12 @@ do_init_regen() { do_pre_regen "" - systemctl daemon-reload - - systemctl restart slapd - # Drop current existing slapd data rm -rf /var/backups/*.ldapdb rm -rf /var/backups/slapd-* -debconf-set-selections << EOF + debconf-set-selections << EOF slapd slapd/password1 password yunohost slapd slapd/password2 password yunohost slapd slapd/domain string yunohost.org @@ -45,11 +41,11 @@ EOF chown -R openldap:openldap /etc/ldap/schema/ usermod -aG ssl-cert openldap - systemctl restart slapd - # (Re-)init data according to ldap_scheme.yaml + # (Re-)init data according to default ldap entries + slapadd -n1 -l /usr/share/yunohost/yunohost-config/moulinette/ldap_default_entries.ldif 2>&1 \ + | grep -v "none elapsed\|Closing DB" || true - yunohost tools shell -c "from yunohost.tools import tools_ldapinit; tools_ldapinit()" } _regenerate_slapd_conf() { diff --git a/data/other/ldap_default_entries.ldif b/data/other/ldap_default_entries.ldif new file mode 100644 index 000000000..e76edb3d6 --- /dev/null +++ b/data/other/ldap_default_entries.ldif 
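Review bot: The new `slapadd` line in the second hunk ends in `|| true`, and since a pipeline's status is grep's, a failed slapadd (schema error, unwritable database directory, wrong database for `-n1`) is never detected: the hook carries on and the directory is left without its default OUs, groups and permission entries. If this hook runs under bash, keep the filtering but test slapadd's own status, e.g. add `[ "${PIPESTATUS[0]}" -eq 0 ]` on the next line (or capture slapadd's output in a variable, save `$?`, and filter afterwards). Two related things to confirm, since `do_init_regen` closes inside this hunk: slapadd creates the backend files as the hook's user, so a chown of slapd's database directory to `openldap:openldap` (like the `chown -R openldap:openldap /etc/ldap/schema/` just above) is probably needed before slapd is ever started, and slapadd is only safe against a stopped server — with the `systemctl restart slapd` calls dropped in the first hunk, nothing visible between the two hunks guarantees slapd is not running at that point.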
@@ -0,0 +1,99 @@
+dn: ou=users,dc=yunohost,dc=org
+objectClass: organizationalUnit
+objectClass: top
+ou: users
+
+dn: ou=domains,dc=yunohost,dc=org
+objectClass: organizationalUnit
+objectClass: top
+ou: domains
+
+dn: ou=apps,dc=yunohost,dc=org
+objectClass: organizationalUnit
+objectClass: top
+ou: apps
+
+dn: ou=permission,dc=yunohost,dc=org
+objectClass: organizationalUnit
+objectClass: top
+ou: permission
+
+dn: ou=groups,dc=yunohost,dc=org
+objectClass: organizationalUnit
+objectClass: top
+ou: groups
+
+dn: ou=sudo,dc=yunohost,dc=org
+objectClass: organizationalUnit
+objectClass: top
+ou: sudo
+
+dn: cn=admin,ou=sudo,dc=yunohost,dc=org
+cn: admin
+sudoCommand: ALL
+sudoUser: admin
+objectClass: sudoRole
+objectClass: top
+sudoOption: !authenticate
+sudoHost: ALL
+
+dn: cn=admins,ou=groups,dc=yunohost,dc=org
+objectClass: posixGroup
+objectClass: top
+memberUid: admin
+gidNumber: 4001
+cn: admins
+
+dn: cn=all_users,ou=groups,dc=yunohost,dc=org
+objectClass: posixGroup
+objectClass: groupOfNamesYnh
+gidNumber: 4002
+cn: all_users
+
+dn: cn=visitors,ou=groups,dc=yunohost,dc=org
+objectClass: posixGroup
+objectClass: groupOfNamesYnh
+gidNumber: 4003
+cn: visitors
+
+dn: cn=mail.main,ou=permission,dc=yunohost,dc=org
+groupPermission: cn=all_users,ou=groups,dc=yunohost,dc=org
+cn: mail.main
+objectClass: posixGroup
+objectClass: permissionYnh
+isProtected: TRUE
+label: E-mail
+gidNumber: 5001
+showTile: FALSE
+authHeader: FALSE
+
+dn: cn=xmpp.main,ou=permission,dc=yunohost,dc=org
+groupPermission: cn=all_users,ou=groups,dc=yunohost,dc=org
+cn: xmpp.main
+objectClass: posixGroup
+objectClass: permissionYnh
+isProtected: TRUE
+label: XMPP
+gidNumber: 5002
+showTile: FALSE
+authHeader: FALSE
+
+dn: cn=ssh.main,ou=permission,dc=yunohost,dc=org
+cn: ssh.main
+objectClass: posixGroup
+objectClass: permissionYnh
+isProtected: TRUE
+label: SSH
+gidNumber: 5003
+showTile: FALSE
+authHeader: FALSE
+
+dn: cn=sftp.main,ou=permission,dc=yunohost,dc=org
+cn: sftp.main
+objectClass: posixGroup
+objectClass: permissionYnh
+isProtected: TRUE
+label: SFTP
+gidNumber: 5004
+showTile: FALSE
+authHeader: FALSE
diff --git a/data/other/ldap_scheme.yml b/data/other/ldap_scheme.yml
deleted file mode 100644
index b45b3ac3a..000000000
--- a/data/other/ldap_scheme.yml
+++ /dev/null
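Review bot: The new LDIF carries no header saying where it is consumed or what it assumes, so a reader has to find the `slapadd -n1` call in 06-slapd to learn that it is loaded offline at init time and that every `dn` is hard-wired to the `dc=yunohost,dc=org` suffix preseeded through debconf. A short `#` comment block at the top (LDIF permits it) such as `# Default directory tree, loaded once by conf_regen/06-slapd via slapadd.` / `# The dc=yunohost,dc=org suffix must match the debconf slapd/domain value.` would document that. It is also worth a one-line comment above `cn=admin,ou=sudo` that this entry grants passwordless sudo to the admin account (`sudoOption: !authenticate`), since it is a security-relevant default carried over unchanged from ldap_scheme.yml.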
@@ -1,113 +0,0 @@ -parents: - ou=users: - ou: users - objectClass: - - organizationalUnit - - top - - ou=domains: - ou: domains - objectClass: - - organizationalUnit - - top - - ou=apps: - ou: apps - objectClass: - - organizationalUnit - - top - - ou=permission: - ou: permission - objectClass: - - organizationalUnit - - top - - ou=groups: - ou: groups - objectClass: - - organizationalUnit - - top - ou=sudo: - ou: sudo - objectClass: - - organizationalUnit - - top - -children: - cn=admin,ou=sudo: - cn: admin - sudoUser: admin - sudoHost: ALL - sudoCommand: ALL - sudoOption: "!authenticate" - objectClass: - - sudoRole - - top - cn=admins,ou=groups: - cn: admins - gidNumber: "4001" - memberUid: admin - objectClass: - - posixGroup - - top - cn=all_users,ou=groups: - cn: all_users - gidNumber: "4002" - objectClass: - - posixGroup - - groupOfNamesYnh - cn=visitors,ou=groups: - cn: visitors - gidNumber: "4003" - objectClass: - - posixGroup - - groupOfNamesYnh - -depends_children: - cn=mail.main,ou=permission: - cn: mail.main - gidNumber: "5001" - objectClass: - - posixGroup - - permissionYnh - groupPermission: - - "cn=all_users,ou=groups,dc=yunohost,dc=org" - authHeader: "FALSE" - label: "E-mail" - showTile: "FALSE" - isProtected: "TRUE" - cn=xmpp.main,ou=permission: - cn: xmpp.main - gidNumber: "5002" - objectClass: - - posixGroup - - permissionYnh - groupPermission: - - "cn=all_users,ou=groups,dc=yunohost,dc=org" - authHeader: "FALSE" - label: "XMPP" - showTile: "FALSE" - isProtected: "TRUE" - cn=ssh.main,ou=permission: - cn: ssh.main - gidNumber: "5003" - objectClass: - - posixGroup - - permissionYnh - groupPermission: [] - authHeader: "FALSE" - label: "SSH" - showTile: "FALSE" - isProtected: "TRUE" - cn=sftp.main,ou=permission: - cn: sftp.main - gidNumber: "5004" - objectClass: - - posixGroup - - permissionYnh - groupPermission: [] - authHeader: "FALSE" - label: "SFTP" - showTile: "FALSE" - isProtected: "TRUE" 
diff --git a/src/yunohost/tools.py b/src/yunohost/tools.py
index ada43edaa..2b386a277 100644
--- a/src/yunohost/tools.py
+++ b/src/yunohost/tools.py
@@ -67,79 +67,6 @@ def tools_versions(): return ynh_packages_version() -def tools_ldapinit(): - """ - YunoHost LDAP initialization - """ - - with open("/usr/share/yunohost/yunohost-config/moulinette/ldap_scheme.yml") as f: - ldap_map = yaml.load(f) - - from yunohost.utils.ldap import _get_ldap_interface - - ldap = _get_ldap_interface() - - for rdn, attr_dict in ldap_map["parents"].items(): - try: - ldap.add(rdn, attr_dict) - except Exception as e: - logger.warn( - "Error when trying to inject '%s' -> '%s' into ldap: %s" - % (rdn, attr_dict, e) - ) - - for rdn, attr_dict in ldap_map["children"].items(): - try: - ldap.add(rdn, attr_dict) - except Exception as e: - logger.warn( - "Error when trying to inject '%s' -> '%s' into ldap: %s" - % (rdn, attr_dict, e) - ) - - for rdn, attr_dict in ldap_map["depends_children"].items(): - try: - ldap.add(rdn, attr_dict) - except Exception as e: - logger.warn( - "Error when trying to inject '%s' -> '%s' into ldap: %s" - % (rdn, attr_dict, e) - ) - - admin_dict = { - "cn": ["admin"], - "uid": ["admin"], - "description": ["LDAP Administrator"], - "gidNumber": ["1007"], - "uidNumber": ["1007"], - "homeDirectory": ["/home/admin"], - "loginShell": ["/bin/bash"], - "objectClass": ["organizationalRole", "posixAccount", "simpleSecurityObject"], - "userPassword": ["yunohost"], - } - - ldap.update("cn=admin", admin_dict) - - # Force nscd to refresh cache to take admin creation into account - subprocess.call(["nscd", "-i", "passwd"]) - - # Check admin actually exists now - try: - pwd.getpwnam("admin") - except KeyError: - logger.error(m18n.n("ldap_init_failed_to_create_admin")) - raise YunohostError("installation_failed") - - try: - # Attempt to create user home folder - subprocess.check_call(["mkhomedir_helper", "admin"]) - except subprocess.CalledProcessError: - if not os.path.isdir("/home/{0}".format("admin")): - logger.warning(m18n.n("user_home_creation_failed"), exc_info=1) - - logger.success(m18n.n("ldap_initialized")) - - def 
tools_adminpw(new_password, check_strength=True): """ Change admin password @@ -170,7 +97,15 @@ def tools_adminpw(new_password, check_strength=True): ldap.update( "cn=admin", { - "userPassword": [new_hash], + "cn": ["admin"], + "uid": ["admin"], + "description": ["LDAP Administrator"], + "gidNumber": ["1007"], + "uidNumber": ["1007"], + "homeDirectory": ["/home/admin"], + "loginShell": ["/bin/bash"], + "objectClass": ["organizationalRole", "posixAccount", "simpleSecurityObject"], + "userPassword": [new_hash] }, ) except Exception: @@ -352,8 +287,9 @@ def tools_postinstall( domain_add(domain, dyndns) domain_main_domain(domain) - # Change LDAP admin password + # Update LDAP admin and create home dir tools_adminpw(password, check_strength=not force_password) + _create_admin_home() # Enable UPnP silently and reload firewall firewall_upnp("enable", no_refresh=True) @@ -400,6 +336,29 @@ def tools_postinstall( logger.warning(m18n.n("yunohost_postinstall_end_tip")) +def _create_admin_home(): + """ + Create admin home dir + """ + + # Force nscd to refresh cache to take admin creation into account + subprocess.call(["nscd", "-i", "passwd"]) + + # Check admin actually exists now + try: + pwd.getpwnam("admin") + except KeyError: + logger.error(m18n.n("ldap_init_failed_to_create_admin")) + raise YunohostError("installation_failed") + + try: + # Attempt to create user home folder + subprocess.check_call(["mkhomedir_helper", "admin"]) + except subprocess.CalledProcessError: + if not os.path.isdir("/home/{0}".format("admin")): + logger.warning(m18n.n("user_home_creation_failed"), exc_info=1) + + def tools_regen_conf( names=[], with_diff=False, force=False, dry_run=False, list_pending=False ):
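Review bot: `tools_adminpw` now rewrites the whole `cn=admin` entry (`uid`, `gidNumber`/`uidNumber` 1007, `homeDirectory`, `loginShell`, `objectClass`) on every password change rather than only at first initialization, so any later adjustment to those attributes is silently reverted the next time the password is changed, and the docstring still reads only `Change admin password`. If the intent is merely to turn the debconf-created `cn=admin` into a posixAccount during postinstall, that one-time update belongs in `tools_postinstall` (or a helper next to `_create_admin_home`), leaving this function to update `"userPassword": [new_hash],` alone; otherwise the side effect should at least be stated in the docstring. Minor style point: the last dict entry drops the trailing comma that the removed line had.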
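Review bot: `_create_admin_home` does more than its docstring `Create admin home dir` says: it flushes nscd, verifies that `admin` is resolvable through NSS and raises `YunohostError("installation_failed")` if it is not, which callers such as `tools_postinstall` need to know. A docstring like `Flush nscd, check that the LDAP admin is visible via NSS and create its home directory; raises YunohostError("installation_failed") if the account cannot be resolved.` would cover it. Two smaller points: `subprocess.call(["nscd", "-i", "passwd"])` raises `FileNotFoundError` instead of a YunohostError when nscd is not installed (I can't tell from the hunk whether it is a guaranteed dependency), and `"/home/{0}".format("admin")` can simply be `"/home/admin"`.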