mirror of
https://github.com/YunoHost/yunohost.git
synced 2024-09-03 20:06:10 +02:00
169 lines
5.6 KiB
Bash
Executable file
169 lines
5.6 KiB
Bash
Executable file
#!/bin/bash
|
|
|
|
set -e
|
|
|
|
tmp_backup_dir_file="/root/slapd-backup-dir.txt"
|
|
|
|
config="/usr/share/yunohost/conf/slapd/config.ldif"
|
|
db_init="/usr/share/yunohost/conf/slapd/db_init.ldif"
|
|
|
|
do_init_regen() {
|
|
|
|
do_pre_regen ""
|
|
|
|
# Drop current existing slapd data
|
|
|
|
rm -rf /var/backups/*.ldapdb
|
|
rm -rf /var/backups/slapd-*
|
|
|
|
debconf-set-selections <<EOF
|
|
slapd slapd/password1 password yunohost
|
|
slapd slapd/password2 password yunohost
|
|
slapd slapd/domain string yunohost.org
|
|
slapd shared/organization string yunohost.org
|
|
slapd slapd/allow_ldap_v2 boolean false
|
|
slapd slapd/invalid_config boolean true
|
|
slapd slapd/backend select MDB
|
|
slapd slapd/move_old_database boolean true
|
|
slapd slapd/no_configuration boolean false
|
|
slapd slapd/purge_database boolean false
|
|
EOF
|
|
|
|
DEBIAN_FRONTEND=noninteractive dpkg-reconfigure slapd -u
|
|
|
|
# Enforce permissions
|
|
chown -R openldap:openldap /etc/ldap/schema/
|
|
usermod -aG ssl-cert openldap
|
|
|
|
# (Re-)init data according to default ldap entries
|
|
echo ' Initializing LDAP with YunoHost DB structure'
|
|
|
|
rm -rf /etc/ldap/slapd.d
|
|
mkdir -p /etc/ldap/slapd.d
|
|
slapadd -F /etc/ldap/slapd.d -b cn=config -l "$config" 2>&1 \
|
|
| grep -v "none elapsed\|Closing DB" || true
|
|
chown -R openldap: /etc/ldap/slapd.d
|
|
|
|
rm -rf /var/lib/ldap
|
|
mkdir -p /var/lib/ldap
|
|
slapadd -F /etc/ldap/slapd.d -b dc=yunohost,dc=org -l "$db_init" 2>&1 \
|
|
| grep -v "none elapsed\|Closing DB" || true
|
|
chown -R openldap: /var/lib/ldap
|
|
|
|
nscd -i group || true
|
|
nscd -i passwd || true
|
|
|
|
systemctl restart slapd
|
|
}
|
|
|
|
_regenerate_slapd_conf() {
|
|
|
|
# Validate the new slapd config
|
|
# To do so, we have to use the .ldif to generate the config directory
|
|
# so we use a temporary directory slapd_new.d
|
|
rm -Rf /etc/ldap/slapd_new.d
|
|
mkdir /etc/ldap/slapd_new.d
|
|
slapadd -b cn=config -l "$config" -F /etc/ldap/slapd_new.d/ 2>&1 \
|
|
| grep -v "none elapsed\|Closing DB" || true
|
|
# Actual validation (-Q is for quiet, -u is for dry-run)
|
|
slaptest -Q -u -F /etc/ldap/slapd_new.d
|
|
|
|
# "Commit" / apply the new config (meaning we delete the old one and replace
|
|
# it with the new one)
|
|
rm -Rf /etc/ldap/slapd.d
|
|
mv /etc/ldap/slapd_new.d /etc/ldap/slapd.d
|
|
|
|
chown -R openldap:openldap /etc/ldap/slapd.d/
|
|
}
|
|
|
|
do_pre_regen() {
|
|
pending_dir=$1
|
|
|
|
# remove temporary backup file
|
|
rm -f "$tmp_backup_dir_file"
|
|
|
|
# Define if we need to migrate from hdb to mdb
|
|
curr_backend=$(grep '^database' /etc/ldap/slapd.conf 2>/dev/null | awk '{print $2}')
|
|
if [ -e /etc/ldap/slapd.conf ] && [ -n "$curr_backend" ] \
|
|
&& [ $curr_backend != 'mdb' ]; then
|
|
backup_dir="/var/backups/dc=yunohost,dc=org-${curr_backend}-$(date +%s)"
|
|
mkdir -p "$backup_dir"
|
|
slapcat -b dc=yunohost,dc=org -l "${backup_dir}/dc=yunohost-dc=org.ldif"
|
|
echo "$backup_dir" >"$tmp_backup_dir_file"
|
|
fi
|
|
|
|
# create needed directories
|
|
ldap_dir="${pending_dir}/etc/ldap"
|
|
schema_dir="${ldap_dir}/schema"
|
|
mkdir -p "$ldap_dir" "$schema_dir"
|
|
|
|
cd /usr/share/yunohost/conf/slapd
|
|
|
|
# copy configuration files
|
|
cp -a ldap.conf "$ldap_dir"
|
|
cp -a sudo.ldif mailserver.ldif permission.ldif "$schema_dir"
|
|
|
|
mkdir -p ${pending_dir}/etc/systemd/system/slapd.service.d/
|
|
cp systemd-override.conf ${pending_dir}/etc/systemd/system/slapd.service.d/ynh-override.conf
|
|
|
|
install -D -m 644 slapd.default "${pending_dir}/etc/default/slapd"
|
|
}
|
|
|
|
do_post_regen() {
|
|
regen_conf_files=$1
|
|
|
|
# fix some permissions
|
|
echo "Enforce permissions on ldap/slapd directories and certs ..."
|
|
# penldap user should be in the ssl-cert group to let it access the certificate for TLS
|
|
usermod -aG ssl-cert openldap
|
|
chown -R openldap:openldap /etc/ldap/schema/
|
|
chown -R openldap:openldap /etc/ldap/slapd.d/
|
|
|
|
# Fix weird scenarios where /etc/sudo-ldap.conf doesn't exists (yet is supposed to be
|
|
# created by the sudo-ldap package) : https://github.com/YunoHost/issues/issues/2091
|
|
[ -e /etc/sudo-ldap.conf ] || ln -s /etc/ldap/ldap.conf /etc/sudo-ldap.conf
|
|
|
|
# If we changed the systemd ynh-override conf
|
|
if echo "$regen_conf_files" | sed 's/,/\n/g' | grep -q "^/etc/systemd/system/slapd.service.d/ynh-override.conf$"; then
|
|
systemctl daemon-reload
|
|
systemctl restart slapd
|
|
sleep 3
|
|
fi
|
|
|
|
# For some reason, old setups don't have the admins group defined...
|
|
if ! slapcat -H "ldap:///cn=admins,ou=groups,dc=yunohost,dc=org" | grep -q 'cn=admins,ou=groups,dc=yunohost,dc=org'; then
|
|
slapadd -F /etc/ldap/slapd.d -b dc=yunohost,dc=org <<< \
|
|
"dn: cn=admins,ou=groups,dc=yunohost,dc=org
|
|
cn: admins
|
|
gidNumber: 4001
|
|
memberUid: admin
|
|
objectClass: posixGroup
|
|
objectClass: top"
|
|
chown -R openldap: /var/lib/ldap
|
|
systemctl restart slapd
|
|
nscd -i group
|
|
fi
|
|
|
|
[ -z "$regen_conf_files" ] && exit 0
|
|
|
|
# regenerate LDAP config directory from slapd.conf
|
|
echo "Regenerate LDAP config directory from config.ldif"
|
|
_regenerate_slapd_conf
|
|
|
|
# If there's a backup, re-import its data
|
|
backup_dir=$(cat "$tmp_backup_dir_file" 2>/dev/null || true)
|
|
if [[ -n "$backup_dir" && -f "${backup_dir}/dc=yunohost-dc=org.ldif" ]]; then
|
|
# regenerate LDAP config directory and import database as root
|
|
echo "Import the database using slapadd"
|
|
slapadd -F /etc/ldap/slapd.d -b dc=yunohost,dc=org -l "${backup_dir}/dc=yunohost-dc=org.ldif"
|
|
chown -R openldap:openldap /var/lib/ldap 2>&1
|
|
fi
|
|
|
|
echo "Running slapdindex"
|
|
su openldap -s "/bin/bash" -c "/usr/sbin/slapindex"
|
|
|
|
echo "Reloading slapd"
|
|
systemctl force-reload slapd
|
|
}
|
|
|
|
do_$1_regen ${@:2}
|