#!/bin/bash set -e tmp_backup_dir_file="/tmp/slapd-backup-dir.txt" do_init_regen() { if [[ $EUID -ne 0 ]]; then echo "You must be root to run this script" 1>&2 exit 1 fi do_pre_regen "" # fix some permissions chown root:openldap /etc/ldap/slapd.conf chown -R openldap:openldap /etc/ldap/schema/ usermod -aG ssl-cert openldap # check the slapd config file at first slaptest -Q -u -f /etc/ldap/slapd.conf # regenerate LDAP config directory from slapd.conf rm -Rf /etc/ldap/slapd.d mkdir /etc/ldap/slapd.d slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d/ 2>&1 chown -R openldap:openldap /etc/ldap/slapd.d/ service slapd restart } do_pre_regen() { pending_dir=$1 cd /usr/share/yunohost/templates/slapd # create needed directories ldap_dir="${pending_dir}/etc/ldap" schema_dir="${ldap_dir}/schema" mkdir -p "$ldap_dir" "$schema_dir" # remove legacy configuration file [ ! -f /etc/ldap/slapd-yuno.conf ] \ || touch "${pending_dir}/etc/ldap/slapd-yuno.conf" # remove temporary backup file rm -f "$tmp_backup_dir_file" # retrieve current and new backends curr_backend=$(grep '^database' /etc/ldap/slapd.conf 2>/dev/null | awk '{print $2}') new_backend=$(grep '^database' slapd.conf | awk '{print $2}') # save current database before any conf changes if [[ -n "$curr_backend" && "$curr_backend" != "$new_backend" ]]; then backup_dir="/var/backups/dc=yunohost,dc=org-${curr_backend}-$(date +%s)" mkdir -p "$backup_dir" slapcat -b dc=yunohost,dc=org \ -l "${backup_dir}/dc=yunohost-dc=org.ldif" echo "$backup_dir" > "$tmp_backup_dir_file" fi # copy configuration files cp -a ldap.conf slapd.conf "$ldap_dir" cp -a sudo.schema mailserver.schema yunohost.schema "$schema_dir" install -D -m 644 slapd.default "${pending_dir}/etc/default/slapd" } do_post_regen() { regen_conf_files=$1 # ensure that slapd.d exists mkdir -p /etc/ldap/slapd.d # fix some permissions echo "Making sure we have the right permissions needed ..." # penldap user should be in the ssl-cert group to let it access the certificate for TLS usermod -aG ssl-cert openldap chown root:openldap /etc/ldap/slapd.conf chown -R openldap:openldap /etc/ldap/schema/ chown -R openldap:openldap /etc/ldap/slapd.d/ chown -R root:ssl-cert /etc/yunohost/certs/yunohost.org/ chmod o-rwx /etc/yunohost/certs/yunohost.org/ [ -z "$regen_conf_files" ] && exit 0 # check the slapd config file at first slaptest -Q -u -f /etc/ldap/slapd.conf # check if a backup should be restored backup_dir=$(cat "$tmp_backup_dir_file" 2>/dev/null || true) if [[ -n "$backup_dir" && -f "${backup_dir}/dc=yunohost-dc=org.ldif" ]]; then # regenerate LDAP config directory and import database as root # since the admin user may be unavailable echo "Regenerate LDAP config directory and import the database using slapadd" sh -c "rm -Rf /etc/ldap/slapd.d; mkdir /etc/ldap/slapd.d; slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d; chown -R openldap:openldap /etc/ldap/slapd.d; slapadd -F /etc/ldap/slapd.d -b dc=yunohost,dc=org \ -l '${backup_dir}/dc=yunohost-dc=org.ldif'; chown -R openldap:openldap /var/lib/ldap" 2>&1 else # regenerate LDAP config directory from slapd.conf echo "Regenerate LDAP config directory from slapd.conf" rm -Rf /etc/ldap/slapd.d mkdir /etc/ldap/slapd.d slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d/ 2>&1 chown -R openldap:openldap /etc/ldap/slapd.d/ fi echo "Running slapdindex" su openldap -s "/bin/bash" -c "/usr/sbin/slapindex" echo "Reloading slapd" service slapd force-reload # on slow hardware/vm this regen conf would exit before the admin user that # is stored in ldap is available because ldap seems to slow to restart # so we'll wait either until we are able to log as admin or until a timeout # is reached # we need to do this because the next hooks executed after this one during # postinstall requires to run as admin thus breaking postinstall on slow # hardware which mean yunohost can't be correctly installed on those hardware # and this sucks # wait a maximum time of 5 minutes # yes, force-reload behave like a restart number_of_wait=0 while ! sudo su admin -c '' && ((number_of_wait < 60)) do sleep 5 ((number_of_wait += 1)) done } FORCE=${2:-0} DRY_RUN=${3:-0} case "$1" in pre) do_pre_regen $4 ;; post) do_post_regen $4 ;; init) do_init_regen ;; *) echo "hook called with unknown argument \`$1'" >&2 exit 1 ;; esac exit 0