[Pkg-openldap-devel] Adding schemas and ACL's to slapd.conf

Soren Hansen soren at ubuntu.com
Sun Jul 29 10:32:01 UTC 2007


Hi!

I'm in a situation where I need to add ACLs and schemas to slapd.conf,
and I can imagine others must have faced similar needs. Debian Policy
tells me not to touch the config file directly, so I propose the
attached patch. Summary:

 * It adds two new directories to /etc/ldap
   - /etc/ldap/acl.d
     This will contain the "access" snippets from slapd.conf. The
     default ones are added as 110restrict_password.acl,
     120base_read.acl, and 900default.acl.
   - /etc/ldap/schemas-enabled
     This will contain symlinks to the schemas that need to be included.
 * It adds update-slapd-acl and update-slapd-schemas.
   - update-slapd-acl generates /etc/ldap/acl.conf containing a header
     and a list of "include" statements corresponding to the files in
     /etc/ldap/acl.d.
   - update-slapd-schemas generates /etc/ldap/schemas.conf containing a
     header and a list of "include" statements corresponding to the
     symlinks in /etc/ldap/schemas-enabled.
 * It adds a description to /usr/share/doc/slapd/README.Debian about
   how to make use of the new update-slapd-{schemas,acl} (i.e. replacing
   existing "include.*\.schemas" lines with "include
   /etc/ldap/schemas.conf" and a stack of symlinks in
   /etc/ldap/schemas-enabled, and similar for /etc/ldap/acl.conf). I
   took a stab at doing it automatically during upgrades, but I haven't
   found a solution that really pleased me.
 * It changes the default configuration to make use of this.

The advantage is - of course - that other packages can easily add new
schemas or ACLs to slapd's configuration without actually touching
slapd.conf directly. The intention is that other packages put their needed
ACLs into /etc/ldap/acl.d and run update-slapd-acl from their postinst.

Let me know what you think.

-- 
Soren Hansen
Ubuntu Server Team
http://www.ubuntu.com/
-------------- next part --------------
diff -u openldap2.3-2.3.35/debian/slapd.README.Debian openldap2.3-2.3.35/debian/slapd.README.Debian
--- openldap2.3-2.3.35/debian/slapd.README.Debian
+++ openldap2.3-2.3.35/debian/slapd.README.Debian
@@ -106,6 +106,34 @@
    and it will generate the files for you.  You will need appropriate
    privileges, of course.
 
+++ update-slapd-schemas and update-slapd-acl
+
+   Versions of slapd newer than 2.3.35-1 support the new update-slapd-schemas
+   and update-slapd-acl scripts. These scripts were added to make it easy for
+   other packages to add schemas and ACL stanzas to slapd.conf without touching
+   the configuration file directly.
+
+   The scripts look in /etc/ldap/schemas-enabled and /etc/ldap/acl.d,
+   respectively, and generate /etc/ldap/schemas.conf and /etc/ldap/acl.conf
+   based on the contents of these two directories. Any file in the directory
+   results in an "include /full/path/to/file" in the corresponding .conf file.
+   They are added in ASCIIbetical order.
+
+   New installations support these scripts out of the box, but if you're
+   upgrading from 2.3.35-1 or older, you'll need to edit your slapd.conf
+   manually. /etc/ldap/acl.d has been populated with the default ACL's. If you
+   haven't changed the default ACL configuration, all you need to do is remove
+   the current ACL (access to ...) stanzas from /etc/ldap/slapd.conf, and
+   replace them with:
+   include  /etc/ldap/acl.conf
+
+   For schemas, /etc/ldap/schemas-enabled has been populated with symlinks to
+   the set of schemas from /etc/ldap/schemas that used to be enabled by default
+   (core.schema, cosine.schema, nis.schema, and inetorgperson.schema). If those
+   are the only ones you're using, you can replace the 4 include directives in
+   your slapd.conf with:
+   include  /etc/ldap/schemas.conf
+
  -- The Debian OpenLDAP maintainers
      Torsten Landschoff <torsten at debian.org>
      Roland Bauerschmidt <rb at debian.org>
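Review bot: the "For schemas" paragraph says the symlinks point into `/etc/ldap/schemas`, but the directory is `/etc/ldap/schema` (see the `include /etc/ldap/schema/core.schema` lines removed from slapd.conf and the targets in slapd.links). The ACL instructions also need to say where `include /etc/ldap/acl.conf` goes: `access` directives belong to the database section they appear in, so the include has to replace the removed `access to ...` stanzas in place, after the `database`/`suffix` lines of database #1, not anywhere in slapd.conf. Finally, since the snippets are concatenated in ASCIIbetical order and slapd evaluates `access` rules first-match, the README should spell out the numbering convention (`110`, `120`, `900`) and tell other packages to pick a prefix that sorts before `900default.acl`; a snippet sorting after the catch-all `access to * ... by * read` rule is never reached. Indenting the two `include` example lines would make them stand out as what the reader is meant to paste.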
diff -u openldap2.3-2.3.35/debian/slapd.postinst openldap2.3-2.3.35/debian/slapd.postinst
--- openldap2.3-2.3.35/debian/slapd.postinst
+++ openldap2.3-2.3.35/debian/slapd.postinst
@@ -31,6 +31,15 @@
 	echo done. >&2
 
 	configure_v2_protocol_support
+
+	if previous_version_older 2.3.35-1ubuntu1; then
+		db_get slapd/domain
+		local basedn="dc=`echo $RET | sed 's/^\.//; s/\./,dc=/g'`"
+		create_standard_acl_configuration "$basedn"
+		update-slapd-acl
+		update-slapd-schemas
+	fi
+
 	if previous_version_older 2.1; then
 		autoconfigure_modules
 	fi
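Review bot: the upgrade branch derives `basedn` from the debconf `slapd/domain` answer and `create_standard_acl_configuration` then hard-codes `cn=admin,$basedn` as the admin DN, but on an upgraded system the real `suffix` and `rootdn` are in the existing /etc/ldap/slapd.conf and may differ from the debconf value; the generated acl.d files would then grant write access to a DN that does not exist while the intended admin entry (if it is not the rootdn, which bypasses ACLs) gets only read. Read suffix/rootdn from the existing slapd.conf (`read_slapd_conf` in slapd.scripts-common already parses it) before templating. The `update-slapd-acl`/`update-slapd-schemas` calls here also duplicate the unconditional ones added further down in the same function.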
@@ -65,6 +74,8 @@
 	update_databases_permissions
 	update_permissions /var/run/slapd
 	update_permissions /var/spool/slurpd
+	update-slapd-schemas
+	update-slapd-acl
 }
 
 # }}}
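Review bot: `update-slapd-schemas` and `update-slapd-acl` write their `check_include` warning to stdout, and this function runs with the debconf confmodule loaded (`db_get` is used above), where stdout is the debconf protocol channel; the warning will either confuse the frontend or be swallowed, so an admin whose slapd.conf has not been converted never sees it. Either redirect the calls with `>&2`, as the surrounding `echo ... >&2` lines do, or have the scripts print warnings to stderr.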
diff -u openldap2.3-2.3.35/debian/slapd.examples openldap2.3-2.3.35/debian/slapd.examples
--- openldap2.3-2.3.35/debian/slapd.examples
+++ openldap2.3-2.3.35/debian/slapd.examples
@@ -3,0 +4,3 @@
+debian/acl.d/restrict_password.acl
+debian/acl.d/base_read.acl
+debian/acl.d/default.acl
diff -u openldap2.3-2.3.35/debian/slapd.manpages openldap2.3-2.3.35/debian/slapd.manpages
--- openldap2.3-2.3.35/debian/slapd.manpages
+++ openldap2.3-2.3.35/debian/slapd.manpages
@@ -43,0 +44,2 @@
+debian/update-slapd-schemas.8
+debian/update-slapd-acl.8
diff -u openldap2.3-2.3.35/debian/slapd.conf openldap2.3-2.3.35/debian/slapd.conf
--- openldap2.3-2.3.35/debian/slapd.conf
+++ openldap2.3-2.3.35/debian/slapd.conf
@@ -8,10 +8,7 @@
 #allow bind_v2
 
 # Schema and objectClass definitions
-include         /etc/ldap/schema/core.schema
-include         /etc/ldap/schema/cosine.schema
-include         /etc/ldap/schema/nis.schema
-include         /etc/ldap/schema/inetorgperson.schema
+include         /etc/ldap/schemas.conf
 
 # Where the pid file is put. The init.d script
 # will not stop the server if you change this.
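Review bot: `include /etc/ldap/schemas.conf` refers to a generated file, so slapd cannot parse this config until update-slapd-schemas has run; that is guaranteed in the package's postinst path, but this same file is shipped as `/usr/share/slapd/slapd.conf` for admins who copy it by hand. A comment above the include naming update-slapd-schemas(8) and /etc/ldap/schemas-enabled would save them a puzzling "could not open" failure at start-up.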
@@ -74,33 +71,7 @@
 # Where to store the replica logs for database #1
 # replogfile	/var/lib/ldap/replog
 
-# The userPassword by default can be changed
-# by the entry owning it if they are authenticated.
-# Others should not be able to see it, except the
-# admin entry below
-# These access lines apply to database #1 only
-access to attrs=userPassword,shadowLastChange
-        by dn="@ADMIN@" write
-        by anonymous auth
-        by self write
-        by * none
-
-# Ensure read access to the base for things like
-# supportedSASLMechanisms.  Without this you may
-# have problems with SASL not knowing what
-# mechanisms are available and the like.
-# Note that this is covered by the 'access to *'
-# ACL below too but if you change that as people
-# are wont to do you'll still need this if you
-# want SASL (and possible other things) to work 
-# happily.
-access to dn.base="" by * read
-
-# The admin dn has full write access, everyone else
-# can read everything.
-access to *
-        by dn="@ADMIN@" write
-        by * read
+include         /etc/ldap/acl.conf
 
 # For Netscape Roaming support, each user gets a roaming
 # profile for which they have write access to
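Review bot: the removed comments carried two facts that the bare `include /etc/ldap/acl.conf` loses: that these rules apply to database #1 only (they must stay after the `database`/`suffix` lines) and that the catch-all `access to *` rule has to come last because rules are evaluated first-match. Keep a short comment here saying that the included rules belong to this database and are applied in filename order of /etc/ldap/acl.d, with 900default.acl last.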
diff -u openldap2.3-2.3.35/debian/slapd.scripts-common openldap2.3-2.3.35/debian/slapd.scripts-common
--- openldap2.3-2.3.35/debian/slapd.scripts-common
+++ openldap2.3-2.3.35/debian/slapd.scripts-common
@@ -369,7 +369,7 @@
 			file=`eval echo $data`
 			read_slapd_conf < $file
 		else
-			echo $command $data
+			echo "$command" "$data"
 		fi
 	done
 }
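Review bot: a good fix, but unrelated to the schemas/acl feature and missing from the changelog: the unquoted `echo $command $data` let the shell glob-expand a value such as the `*` in `access to *` against the current directory and collapse whitespace, so `read_slapd_conf` could echo back mangled directives. Call it out in debian/changelog.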
@@ -643,6 +643,9 @@
 		move_old_database_away /var/lib/ldap
 	fi
 	create_new_slapd_conf "$basedn" "$backend"
+	create_standard_acl_configuration "$basedn"
+	update-slapd-acl
+	update-slapd-schemas
 	create_ldap_directories
 	create_new_directory "$basedn" "$dc"
 
@@ -654,6 +657,46 @@
   wipe_admin_pass
 }
 # }}}
+create_standard_acl_configuration() {						# {{{
+# Creates the new ACL configuration for the suffix given
+# Usage: create_standard_acl_configuration <basedn>
+#
+	local basedn
+	
+	basedn="$1"
+
+	create_acl_conf "$basedn" "/etc/ldap/acl.d/110restrict_password.acl" \
+		"/usr/share/slapd/110restrict_password.acl"
+	create_acl_conf "$basedn" "/etc/ldap/acl.d/120base_read.acl" \
+		"/usr/share/slapd/120base_read.acl"
+	create_acl_conf "$basedn" "/etc/ldap/acl.d/900default.acl" \
+		"/usr/share/slapd/900default.acl"
+
+}
+# }}}
+create_acl_conf() {						# {{{
+# Creates a new ACL configuration file from the given template, for the suffix
+# given, and stores it in destfile.
+# Usage: create_acl_conf <basedn> <destfile> <template>
+
+	local basedn destfile template
+
+	basedn="$1"
+	destfile="$2"
+	template="$3"
+
+	if [ ! -e "${destfile}" ]
+	then
+		echo -n "  Creating initial `basename ${destfile}` ... " >&2
+		sed <"${template}" >"${destfile}" \
+			-e "s/@SUFFIX@/$basedn/g" \
+			-e "s/@ADMIN@/cn=admin,$basedn/g"
+		# Assign same permissions as slapd.conf
+		assign_permissions "$SLAPD_CONF" "${destfile}"
+		echo "done." >&2
+	fi
+} 
+# }}}
 create_new_slapd_conf() {						# {{{
 # Creates a new slapd.conf for the suffix given
 # Usage: create_new_slapd_conf <basedn> <backend>
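Review bot: `sed -e "s/@ADMIN@/cn=admin,$basedn/g"` interpolates `$basedn` straight into the sed expression, so a suffix containing `/`, `&` or `\` (possible after the `sed 's/^\.//; s/\./,dc=/g'` rewrite of an arbitrary debconf domain) either breaks the substitution or yields a different DN than intended; escape those characters before substituting, or reject such input. `@SUFFIX@` is also substituted but none of the three shipped .acl templates uses it, and there is trailing whitespace after the closing `}` of `create_acl_conf`.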
diff -u openldap2.3-2.3.35/debian/slapd.dirs openldap2.3-2.3.35/debian/slapd.dirs
--- openldap2.3-2.3.35/debian/slapd.dirs
+++ openldap2.3-2.3.35/debian/slapd.dirs
@@ -4,0 +5,2 @@
+etc/ldap/acl.d
+etc/ldap/schemas-enabled
diff -u openldap2.3-2.3.35/debian/slapd.postrm openldap2.3-2.3.35/debian/slapd.postrm
--- openldap2.3-2.3.35/debian/slapd.postrm
+++ openldap2.3-2.3.35/debian/slapd.postrm
@@ -22,6 +22,11 @@
 if [ "$1" = "purge" ]; then
   echo -n "Removing slapd configuration... "
   rm -f /etc/ldap/slapd.conf 2>/dev/null || true
+  rm -f /etc/ldap/schemas.conf 2>/dev/null || true
+  rm -f /etc/ldap/acl.conf 2>/dev/null || true
+  rm -f /etc/ldap/acl.d/110restrict_password.acl || true
+  rm -f /etc/ldap/acl.d/120base_read.acl || true
+  rm -f	/etc/ldap/acl.d/900default.acl || true
   rmdir --ignore-fail-on-non-empty /etc/ldap/schema
   echo done
 
diff -u openldap2.3-2.3.35/debian/slapd.links openldap2.3-2.3.35/debian/slapd.links
--- openldap2.3-2.3.35/debian/slapd.links
+++ openldap2.3-2.3.35/debian/slapd.links
@@ -1,5 +1,12 @@
 usr/share/doc/slapd/examples/DB_CONFIG usr/share/slapd/DB_CONFIG
 usr/share/doc/slapd/examples/slapd.conf usr/share/slapd/slapd.conf
+usr/share/doc/slapd/examples/restrict_password.acl usr/share/slapd/110restrict_password.acl
+usr/share/doc/slapd/examples/base_read.acl usr/share/slapd/120base_read.acl
+usr/share/doc/slapd/examples/default.acl usr/share/slapd/900default.acl
+etc/ldap/schema/core.schema etc/ldap/schemas-enabled/110core.schema
+etc/ldap/schema/cosine.schema etc/ldap/schemas-enabled/120cosine.schema
+etc/ldap/schema/nis.schema etc/ldap/schemas-enabled/130nis.schema
+etc/ldap/schema/inetorgperson.schema etc/ldap/schemas-enabled/140inetorgperson.schema
 usr/sbin/slapd usr/sbin/slapacl
 usr/sbin/slapd usr/sbin/slapadd
 usr/sbin/slapd usr/sbin/slapauth
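Review bot: the four `etc/ldap/schemas-enabled/*.schema` symlinks are shipped by the package, and dpkg does not treat symlinks as conffiles, so an admin who disables nis by deleting `130nis.schema` gets it back on the next upgrade and update-slapd-schemas silently re-enables it. For an `-enabled` directory the links should be created in postinst on first install only (the acl.d files are already handled that way, created only when absent) or the behaviour documented in README.Debian. Separately, `usr/share/slapd/110restrict_password.acl` and friends point into /usr/share/doc/slapd/examples, which Policy 12.3 says packages must not depend on for operation; the existing slapd.conf and DB_CONFIG links have the same problem, so this extends it rather than introduces it.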
diff -u openldap2.3-2.3.35/debian/slapd.install openldap2.3-2.3.35/debian/slapd.install
--- openldap2.3-2.3.35/debian/slapd.install
+++ openldap2.3-2.3.35/debian/slapd.install
@@ -9,0 +10,2 @@
+debian/update-slapd-schemas usr/sbin/
+debian/update-slapd-acl usr/sbin/
diff -u openldap2.3-2.3.35/debian/changelog openldap2.3-2.3.35/debian/changelog
--- openldap2.3-2.3.35/debian/changelog
+++ openldap2.3-2.3.35/debian/changelog
@@ -1,3 +1,12 @@
+openldap2.3 (2.3.35-1ubuntu1) gutsy; urgency=low
+
+  * Add update-slapd-{schemas,acl} allowing other packages to easily add
+    custom schemas and ACL configuration snippets to slapd's configuration.
+  * debian/slapd.conf:
+    - Add include directives to support update-slapd-{schemas,acl}
+
+ -- Soren Hansen <soren at ubuntu.com>  Thu, 26 Jul 2007 13:17:38 +0200
+
 openldap2.3 (2.3.35-1) unstable; urgency=low
 
   * New upstream release with many bug fixes.
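Review bot: the entry only mentions the new scripts and the slapd.conf includes; the quoting change in `read_slapd_conf` (slapd.scripts-common), the new postinst upgrade step that generates acl.d files from the debconf domain, the postrm purge additions and the shipped symlinks in /etc/ldap/schemas-enabled all affect existing installations and should be listed, and the entry should state that upgrades from 2.3.35-1 or older need manual editing of slapd.conf, as README.Debian says.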
only in patch2:
unchanged:
--- openldap2.3-2.3.35.orig/debian/update-slapd-schemas.8
+++ openldap2.3-2.3.35/debian/update-slapd-schemas.8
@@ -0,0 +1,28 @@
+.TH UPDATE-SLAPD-SCHEMAS 8 "Jul 2007"
+.SH NAME
+update-slapd-schemas \- Regenerate schemas.conf for slapd
+.SH SYNOPSIS
+.B update-slapd-schemas
+.SH DESCRIPTION
+This manual page documents briefly the
+.B update-slapd-schemas
+command.
+.PP
+.B update-slapd-schemas
+is a program that generates
+.B /etc/ldap/schemas.conf
+based on the files in \fB/etc/ldap/schemas-enabled\fR.
+.B update-slapd-schemas
+checks at startup if the current
+.B /etc/ldap/slapd.conf
+contains the proper includes and warns the user if that's not the case.
+.SH OPTIONS
+.B update-slapd-schemas
+accepts no options.
+.SH SEE ALSO
+.BR slapd.conf (5), /usr/share/slapd/README.Debian
+.SH AUTHOR
+update-slapd-schemas was written by Soren Hansen <soren at ubuntu.com>.
+.PP
+This manual page was written by Soren Hansen <soren at ubuntu.com>
+for Ubuntu (but may be used by others).
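Review bot: SEE ALSO references `/usr/share/slapd/README.Debian`, but the file is installed as /usr/share/doc/slapd/README.Debian (the script's own warning points there). Also `.BR` alternates bold and roman across its arguments, so the path should go on its own line (e.g. as a plain or `.I` line) rather than as a trailing `.BR` argument.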
only in patch2:
unchanged:
--- openldap2.3-2.3.35.orig/debian/update-slapd-acl
+++ openldap2.3-2.3.35/debian/update-slapd-acl
@@ -0,0 +1,49 @@
+#!/bin/sh
+#
+# update-slapd-acl: utility to add/remove ACL files to/from slapd's config
+#
+# Author: Soren Hansen <soren at ubuntu.com>
+# Copyright (C) 2007 Canonical Ltd.
+#
+#    update-slapd-acl is free software; you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by the
+#    Free Software Foundation; either version 2 of the License, or (at your
+#    option) any later version.
+#
+#    update-slapd-acl is distributed in the hope that it will be useful, but
+#    WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+#    or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+#    for more details.
+#
+#    You should have received a copy of the GNU General Public License along
+#    with update-slapd-acl; if not, write to the Free Software Foundation,
+#    Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+
+check_include() {
+	if ! grep -qxE 'include.*/etc/ldap/acl.conf' /etc/ldap/slapd.conf
+	then
+		echo "Warning: Your /etc/ldap/slapd.conf does not support update-ldap-acl."
+		echo "Warning: See /usr/share/doc/slapd/README.Debian for more information."
+	fi
+}
+
+check_include
+
+extraconf="/etc/ldap/acl.conf"
+confdir="/etc/ldap/acl.d"
+
+echo '#' > ${extraconf}
+echo '# This file is automatically generated by update-slapd-acl(8).' >> $extraconf
+echo '# Do not edit it by hand.' >> $extraconf
+echo '#' >> $extraconf
+
+if [ "`echo ${confdir}/*`" != "${confdir}/*" ]
+then
+	for acl in ${confdir}/*
+	do
+		echo "include ${acl}"
+	done >> ${extraconf}
+fi
+
+exit 0
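Review bot: `for acl in ${confdir}/*` picks up everything non-hidden in /etc/ldap/acl.d, so editor backups (`*~`) and stale copies left next to a live snippet become `include` lines that either stop slapd from starting or add an outdated set of access rules; filter on a name pattern such as `*.acl` and skip anything that is not a readable regular file. Three smaller points: the warning strings say `update-ldap-acl` instead of `update-slapd-acl`; the warnings go to stdout, which is a problem when the script is run from the debconf-using postinst (use `>&2`); and `echo '#' > ${extraconf}` truncates the live acl.conf before the new contents are written, so a failure part-way leaves slapd with a partial ACL set. Writing to a temporary file and `mv`-ing it into place avoids that.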
only in patch2:
unchanged:
--- openldap2.3-2.3.35.orig/debian/update-slapd-schemas
+++ openldap2.3-2.3.35/debian/update-slapd-schemas
@@ -0,0 +1,48 @@
+#!/bin/sh
+#
+# update-slapd-schemas: utility to update list of included schemas in slapd.conf
+#
+# Author: Soren Hansen <soren at ubuntu.com>
+# Copyright (C) 2007 Canonical Ltd.
+#
+#    update-slapd-schemas is free software; you can redistribute it and/or
+#    modify it under the terms of the GNU General Public License as published
+#    by the Free Software Foundation; either version 2 of the License, or (at
+#    your option) any later version.
+#
+#    update-slapd-schemas is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+#    General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with update-slapd-schemas; if not, write to the Free Software
+#    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
+#    USA.
+
+check_include() {
+	if ! grep -qxE 'include.*/etc/ldap/schemas.conf' /etc/ldap/slapd.conf
+	then
+		echo "Warning: Your /etc/ldap/slapd.conf does not support update-ldap-schemas."
+		echo "Warning: See /usr/share/doc/slapd/README.Debian for more information."
+	fi
+}
+
+check_include
+extraconf="/etc/ldap/schemas.conf"
+confdir="/etc/ldap/schemas-enabled"
+
+echo '#' > ${extraconf}
+echo '# This file is automatically generated by update-slapd-schemas(8).' >> $extraconf
+echo '# Do not edit it by hand.' >> $extraconf
+echo '#' >> $extraconf
+
+if [ "`echo ${confdir}/*`" != "${confdir}/*" ]
+then
+	for schema in ${confdir}/*
+	do
+		echo "include ${schema}"
+	done >> ${extraconf}
+fi
+
+exit 0
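Review bot: this mirrors update-slapd-acl, so the same points apply (stdout warnings, the `update-ldap-schemas` typo in the message, the non-atomic rewrite of schemas.conf, the unfiltered glob). Specific to this script: entries in /etc/ldap/schemas-enabled are symlinks, and a dangling one (target removed by another package's purge) produces an `include` of a missing file that prevents slapd from starting, so test `[ -r "$schema" ]` and warn and skip instead of emitting the line. Ordering also matters here: core.schema has to be included before the others, which the `110core.schema` prefix in slapd.links ensures, and README.Debian should tell packages adding their own schema to pick a prefix that sorts after the ones they depend on.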
only in patch2:
unchanged:
--- openldap2.3-2.3.35.orig/debian/acl.d/default.acl
+++ openldap2.3-2.3.35/debian/acl.d/default.acl
@@ -0,0 +1,6 @@
+# The admin dn has full write access, everyone else
+# can read everything.
+access to *
+        by dn="@ADMIN@" write
+        by * read
+
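Review bot: the comment should say that this rule matches every entry and therefore has to be the last one evaluated, which is why it is installed as `900default.acl`; without that, a package dropping a snippet with a higher prefix into acl.d gets a rule that is never reached.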
only in patch2:
unchanged:
--- openldap2.3-2.3.35.orig/debian/acl.d/restrict_password.acl
+++ openldap2.3-2.3.35/debian/acl.d/restrict_password.acl
@@ -0,0 +1,12 @@
+# The userPassword by default can be changed
+# by the entry owning it if they are authenticated.
+# Others should not be able to see it, except the
+# admin entry below
+# These access lines apply to database #1 only
+access to attrs=userPassword,shadowLastChange
+        by dn="@ADMIN@" write
+        by anonymous auth
+        by self write
+        by * none
+
+
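Review bot: the comments were copied verbatim from slapd.conf and no longer fit a standalone snippet: "except the admin entry below" referred to the `access to *` stanza that followed in slapd.conf (now 900default.acl), and "These access lines apply to database #1 only" is true only because /etc/ldap/acl.conf is included from database #1; reword to say the rules apply to whichever database includes acl.conf. The file also ends with two blank lines.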
only in patch2:
unchanged:
--- openldap2.3-2.3.35.orig/debian/acl.d/base_read.acl
+++ openldap2.3-2.3.35/debian/acl.d/base_read.acl
@@ -0,0 +1,11 @@
+# Ensure read access to the base for things like
+# supportedSASLMechanisms.  Without this you may
+# have problems with SASL not knowing what
+# mechanisms are available and the like.
+# Note that this is covered by the 'access to *'
+# ACL below too but if you change that as people
+# are wont to do you'll still need this if you
+# want SASL (and possible other things) to work 
+# happily.
+access to dn.base="" by * read
+
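Review bot: "covered by the 'access to *' ACL below" now points at a different file (900default.acl); reword to name that file and state the reason this rule is kept separately, namely that an admin or package replacing the catch-all rule must not lose anonymous read of the root DSE (`dn.base=""`), which SASL needs to discover supportedSASLMechanisms. There is trailing whitespace on the `# want SASL (and possible other things) to work ` line.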
only in patch2:
unchanged:
--- openldap2.3-2.3.35.orig/debian/update-slapd-acl.8
+++ openldap2.3-2.3.35/debian/update-slapd-acl.8
@@ -0,0 +1,28 @@
+.TH UPDATE-SLAPD-ACL 8 "Jul 2007"
+.SH NAME
+update-slapd-acl \- Regenerate acl.conf for slapd
+.SH SYNOPSIS
+.B update-slapd-acl
+.SH DESCRIPTION
+This manual page documents briefly the
+.B update-slapd-acl
+command.
+.PP
+.B update-slapd-acl
+is a program that generates
+.B /etc/ldap/acl.conf
+based on the files in \fB/etc/ldap/acl.d\fR.
+.B update-slapd-acl
+checks at startup if the current
+.B /etc/ldap/slapd.conf
+contains the proper includes and warns the user if that's not the case.
+.SH OPTIONS
+.B update-slapd-acl
+accepts no options.
+.SH SEE ALSO
+.BR slapd.conf (5),
+.SH AUTHOR
+update-slapd-acl was written by Soren Hansen <soren at ubuntu.com>.
+.PP
+This manual page was written by Soren Hansen <soren at ubuntu.com>
+for Ubuntu (but may be used by others).
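Review bot: `.BR slapd.conf (5),` ends with a comma and nothing follows it; either drop the comma or add the README reference as update-slapd-schemas.8 does, using the correct /usr/share/doc/slapd/README.Debian path.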