[Pkg-openldap-devel] Adding schemas and ACL's to slapd.conf

Soren Hansen soren at ubuntu.com
Mon Jul 30 12:22:21 UTC 2007


On Sun, Jul 29, 2007 at 11:03:41AM -0700, Russ Allbery wrote:
> I thought that didn't always work in edge cases with symlinks.  There
> was a bunch of discussion about that a while back.
> 
> See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=421344
> 
> I'm not sure if symlinks in /etc get marked as conffiles; I'd have to do
> some experimentation.

With this in mind (I've checked, you're absolutely right), the attached
patch is the way to go.  Changes since last patch:

 * Add a function to slapd.scripts-common to create the symlinks for
   core, nis, cosine, and inetorgperson.
 * Call this function on fresh installs and on upgrades from versions
   older than 2.3.35-1ubuntu1.
 * Remove the same links from slapd.links.

Thanks!

-- 
Soren Hansen
Ubuntu Server Team
http://www.ubuntu.com/
-------------- next part --------------
diff -u openldap2.3-2.3.35/debian/slapd.README.Debian openldap2.3-2.3.35/debian/slapd.README.Debian
--- openldap2.3-2.3.35/debian/slapd.README.Debian
+++ openldap2.3-2.3.35/debian/slapd.README.Debian
@@ -106,6 +106,34 @@
    and it will generate the files for you.  You will need appropriate
    privileges, of course.
 
+++ update-slapd-schemas and update-slapd-acl
+
+   Versions of slapd newer than 2.3.35-1 support the new update-slapd-schemas
+   and update-slapd-acl scripts. These scripts were added to make it easy for
+   other packages to add schemas and ACL stanzas to slapd.conf without touching
+   the configuration file directly.
+
+   The scripts look in /etc/ldap/schemas-enabled and /etc/ldap/acl.d,
+   respectively, and generate /etc/ldap/schemas.conf and /etc/ldap/acl.conf
+   based on the contents of these two directories. Any file in the directory
+   results in an "include /full/path/to/file" in the corresponding .conf file.
+   They are added in ASCIIbetical order.
+
+   New installations support these scripts out of the box, but if you're
+   upgrading from 2.3.35-1 or older, you'll need to edit your slapd.conf
+   manually. /etc/ldap/acl.d has been populated with the default ACL's. If you
+   haven't changed the default ACL configuration, all you need to do is remove
+   the current ACL (access to ...) stanzas from /etc/ldap/slapd.conf, and
+   replace them with:
+   include  /etc/ldap/acl.conf
+
+   For schemas, /etc/ldap/schemas-enabled has been populated with symlinks to
+   the set of schemas from /etc/ldap/schemas that used to be enabled by default
+   (core.schema, cosine.schema, nis.schema, and inetorgperson.schema). If those
+   are the only ones you're using, you can replace the 4 include directives in
+   your slapd.conf with:
+   include  /etc/ldap/schemas.conf
+
  -- The Debian OpenLDAP maintainers
      Torsten Landschoff <torsten at debian.org>
      Roland Bauerschmidt <rb at debian.org>
diff -u openldap2.3-2.3.35/debian/slapd.postinst openldap2.3-2.3.35/debian/slapd.postinst
--- openldap2.3-2.3.35/debian/slapd.postinst
+++ openldap2.3-2.3.35/debian/slapd.postinst
@@ -31,6 +31,14 @@
 	echo done. >&2
 
 	configure_v2_protocol_support
+
+	if previous_version_older 2.3.35-1ubuntu1; then
+		db_get slapd/domain
+		local basedn="dc=`echo $RET | sed 's/^\.//; s/\./,dc=/g'`"
+		create_standard_acl_configuration "$basedn"
+		create_standard_schema_links
+	fi
+
 	if previous_version_older 2.1; then
 		autoconfigure_modules
 	fi
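Review bot: `db_get slapd/domain` can leave `$RET` empty on an upgraded system where that debconf question was never answered, and the sed on the next line then produces `basedn="dc="`, which create_standard_acl_configuration bakes into all three ACL files as `cn=admin,dc=`; because create_acl_conf only writes when the destination is absent (L217), those broken files are never regenerated. Guard the call, e.g. `if [ -n "$RET" ]; then basedn="dc=`echo "$RET" | sed 's/^\.//; s/\./,dc=/g'`"; create_standard_acl_configuration "$basedn"; fi`, or derive the suffix from the existing slapd.conf instead. Note also that `$RET` is unquoted inside the backticks and that `local` is only valid if this code is inside a function — the enclosing definition starts outside the hunk.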
diff -u openldap2.3-2.3.35/debian/slapd.examples openldap2.3-2.3.35/debian/slapd.examples
--- openldap2.3-2.3.35/debian/slapd.examples
+++ openldap2.3-2.3.35/debian/slapd.examples
@@ -3,0 +4,3 @@
+debian/acl.d/restrict_password.acl
+debian/acl.d/base_read.acl
+debian/acl.d/default.acl
diff -u openldap2.3-2.3.35/debian/slapd.manpages openldap2.3-2.3.35/debian/slapd.manpages
--- openldap2.3-2.3.35/debian/slapd.manpages
+++ openldap2.3-2.3.35/debian/slapd.manpages
@@ -43,0 +44,2 @@
+debian/update-slapd-schemas.8
+debian/update-slapd-acl.8
diff -u openldap2.3-2.3.35/debian/slapd.conf openldap2.3-2.3.35/debian/slapd.conf
--- openldap2.3-2.3.35/debian/slapd.conf
+++ openldap2.3-2.3.35/debian/slapd.conf
@@ -8,10 +8,7 @@
 #allow bind_v2
 
 # Schema and objectClass definitions
-include         /etc/ldap/schema/core.schema
-include         /etc/ldap/schema/cosine.schema
-include         /etc/ldap/schema/nis.schema
-include         /etc/ldap/schema/inetorgperson.schema
+include         /etc/ldap/schemas.conf
 
 # Where the pid file is put. The init.d script
 # will not stop the server if you change this.
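Review bot: The load order of the schemas is now decided purely by the file names in /etc/ldap/schemas-enabled, and the original hard-coded order (core, cosine, nis, inetorgperson) was not arbitrary — later schemas reference definitions from earlier ones. A drop-in from another package that sorts before `110core.schema` is parsed before core and will fail if it references anything defined there, and slapd then refuses to start. A comment above the include would make the contract visible: `# Includes are taken from /etc/ldap/schemas-enabled in file-name order; core must sort first, dependents after their prerequisites.`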
@@ -74,33 +71,7 @@
 # Where to store the replica logs for database #1
 # replogfile	/var/lib/ldap/replog
 
-# The userPassword by default can be changed
-# by the entry owning it if they are authenticated.
-# Others should not be able to see it, except the
-# admin entry below
-# These access lines apply to database #1 only
-access to attrs=userPassword,shadowLastChange
-        by dn="@ADMIN@" write
-        by anonymous auth
-        by self write
-        by * none
-
-# Ensure read access to the base for things like
-# supportedSASLMechanisms.  Without this you may
-# have problems with SASL not knowing what
-# mechanisms are available and the like.
-# Note that this is covered by the 'access to *'
-# ACL below too but if you change that as people
-# are wont to do you'll still need this if you
-# want SASL (and possible other things) to work 
-# happily.
-access to dn.base="" by * read
-
-# The admin dn has full write access, everyone else
-# can read everything.
-access to *
-        by dn="@ADMIN@" write
-        by * read
+include         /etc/ldap/acl.conf
 
 # For Netscape Roaming support, each user gets a roaming
 # profile for which they have write access to
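Review bot: With the three `access` stanzas moved out of slapd.conf, an empty or truncated /etc/ldap/acl.conf leaves this database with no access directives at all, and slapd's built-in fallback in that case is read access for everyone (the admin guide and slapd.access(5) describe it as `access to * by * read`), so the userPassword protection that used to be hard-wired here would silently vanish. The include sits after the `database` directive (the replogfile context above belongs to database #1), so every drop-in in acl.d applies to that database only, which nothing in the patch states. Suggested comment above the include: `# ACLs come from /etc/ldap/acl.d via update-slapd-acl(8) and apply to this database only; an empty acl.conf means slapd's default "access to * by * read", so keep 110restrict_password.acl in place.`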
diff -u openldap2.3-2.3.35/debian/slapd.scripts-common openldap2.3-2.3.35/debian/slapd.scripts-common
--- openldap2.3-2.3.35/debian/slapd.scripts-common
+++ openldap2.3-2.3.35/debian/slapd.scripts-common
@@ -369,7 +369,7 @@
 			file=`eval echo $data`
 			read_slapd_conf < $file
 		else
-			echo $command $data
+			echo "$command" "$data"
 		fi
 	done
 }
@@ -643,6 +643,10 @@
 		move_old_database_away /var/lib/ldap
 	fi
 	create_new_slapd_conf "$basedn" "$backend"
+	create_standard_acl_configuration "$basedn"
+	create_standard_schema_links
+	update-slapd-schemas
+	update-slapd-acl
 	create_ldap_directories
 	create_new_directory "$basedn" "$dc"
 
@@ -654,6 +658,57 @@
   wipe_admin_pass
 }
 # }}}
+create_standard_schema_links () {							# {{{
+# Creates the new schema links
+# Usage: create_standard_schema_links
+
+	ln -s /etc/ldap/schema/core.schema /etc/ldap/schemas-enabled/110core.schema
+	ln -s /etc/ldap/schema/cosine.schema /etc/ldap/schemas-enabled/120cosine.schema
+	ln -s /etc/ldap/schema/nis.schema /etc/ldap/schemas-enabled/130nis.schema
+	ln -s /etc/ldap/schema/inetorgperson.schema /etc/ldap/schemas-enabled/140inetorgperson.schema
+
+}
+# }}}
+create_standard_acl_configuration() {						# {{{
+# Creates the new ACL configuration for the suffix given
+# Usage: create_standard_acl_configuration <basedn>
+#
+	local basedn
+	
+	basedn="$1"
+
+	create_acl_conf "$basedn" "/etc/ldap/acl.d/110restrict_password.acl" \
+		"/usr/share/slapd/110restrict_password.acl"
+	create_acl_conf "$basedn" "/etc/ldap/acl.d/120base_read.acl" \
+		"/usr/share/slapd/120base_read.acl"
+	create_acl_conf "$basedn" "/etc/ldap/acl.d/900default.acl" \
+		"/usr/share/slapd/900default.acl"
+
+}
+# }}}
+create_acl_conf() {						# {{{
+# Creates a new ACL configuration file from the given template, for the suffix
+# given, and stores it in destfile.
+# Usage: create_acl_conf <basedn> <destfile> <template>
+
+	local basedn destfile template
+
+	basedn="$1"
+	destfile="$2"
+	template="$3"
+
+	if [ ! -e "${destfile}" ]
+	then
+		echo -n "  Creating initial `basename ${destfile}` ... " >&2
+		sed <"${template}" >"${destfile}" \
+			-e "s/@SUFFIX@/$basedn/g" \
+			-e "s/@ADMIN@/cn=admin,$basedn/g"
+		# Assign same permissions as slapd.conf
+		assign_permissions "$SLAPD_CONF" "${destfile}"
+		echo "done." >&2
+	fi
+} 
+# }}}
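Review bot: create_standard_schema_links uses bare `ln -s` with no existence check, unlike create_acl_conf which skips when `${destfile}` already exists (L217), so a second run (dpkg-reconfigure, reinstall, or the upgrade branch at L78 on a host that already has the links) fails with "File exists" and, if the caller runs under `set -e`, aborts the maintainer script. Use `ln -sf` or guard each line with `[ -e /etc/ldap/schemas-enabled/110core.schema ] ||`. Separately, `$basedn` is interpolated unescaped into the two sed expressions in create_acl_conf; a suffix containing `/`, `&` or `\` would break or alter the substitution, which is unlikely for a DN built from a domain name but deserves a comment or a check.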
 create_new_slapd_conf() {						# {{{
 # Creates a new slapd.conf for the suffix given
 # Usage: create_new_slapd_conf <basedn> <backend>
diff -u openldap2.3-2.3.35/debian/slapd.dirs openldap2.3-2.3.35/debian/slapd.dirs
--- openldap2.3-2.3.35/debian/slapd.dirs
+++ openldap2.3-2.3.35/debian/slapd.dirs
@@ -4,0 +5,2 @@
+etc/ldap/acl.d
+etc/ldap/schemas-enabled
diff -u openldap2.3-2.3.35/debian/slapd.postrm openldap2.3-2.3.35/debian/slapd.postrm
--- openldap2.3-2.3.35/debian/slapd.postrm
+++ openldap2.3-2.3.35/debian/slapd.postrm
@@ -22,6 +22,11 @@
 if [ "$1" = "purge" ]; then
   echo -n "Removing slapd configuration... "
   rm -f /etc/ldap/slapd.conf 2>/dev/null || true
+  rm -f /etc/ldap/schemas.conf 2>/dev/null || true
+  rm -f /etc/ldap/acl.conf 2>/dev/null || true
+  rm -f /etc/ldap/acl.d/110restrict_password.acl || true
+  rm -f /etc/ldap/acl.d/120base_read.acl || true
+  rm -f /etc/ldap/acl.d/900default.acl || true
   rmdir --ignore-fail-on-non-empty /etc/ldap/schema
   echo done
 
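Review bot: Purge removes the three generated ACL files but not the four schema links that create_standard_schema_links puts in /etc/ldap/schemas-enabled, nor the acl.d and schemas-enabled directories themselves, so a purged system keeps dangling symlinks into /etc/ldap/schema and two leftover directories under /etc/ldap. Drop the links explicitly and extend the rmdir on the next line; --ignore-fail-on-non-empty keeps third-party drop-ins safe, as it already does for /etc/ldap/schema.
```shell
  rm -f /etc/ldap/schemas-enabled/110core.schema || true
  rm -f /etc/ldap/schemas-enabled/120cosine.schema || true
  rm -f /etc/ldap/schemas-enabled/130nis.schema || true
  rm -f /etc/ldap/schemas-enabled/140inetorgperson.schema || true
  rmdir --ignore-fail-on-non-empty /etc/ldap/schema /etc/ldap/acl.d /etc/ldap/schemas-enabled
```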
diff -u openldap2.3-2.3.35/debian/control openldap2.3-2.3.35/debian/control
diff -u openldap2.3-2.3.35/debian/slapd.init openldap2.3-2.3.35/debian/slapd.init
--- openldap2.3-2.3.35/debian/slapd.init
+++ openldap2.3-2.3.35/debian/slapd.init
@@ -176,10 +176,16 @@
 		--exec /usr/sbin/slurpd 2>&1`"
 }
 
-# Start the OpenLDAP daemons
+# Run update-slapd-{schemas,acl}
+run_update_scripts() {
+	update-slapd-schemas
+	update-slapd-acl
+}
+
 start() {
 	echo -n "Starting OpenLDAP:"
 	trap 'report_failure' 0
+	run_update_scripts
 	start_slapd
 	start_slurpd
 	trap "-" 0
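Review bot: Failures inside run_update_scripts never reach the `trap 'report_failure' 0` set on the line above it, because both update scripts end with an unconditional `exit 0` (L405, L470); a regeneration that fails part-way (read-only /etc, unreadable acl.d) still lets start_slapd run against whatever is left in acl.conf. Assuming the init script runs under `set -e` as the trap pattern suggests, make the helper propagate status, `update-slapd-schemas || return 1` and `update-slapd-acl || return 1`, and have the scripts exit non-zero when a write fails. The scripts also print their include warnings on stdout in the middle of the "Starting OpenLDAP:" line; sending them to stderr would keep the status line readable.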
diff -u openldap2.3-2.3.35/debian/slapd.links openldap2.3-2.3.35/debian/slapd.links
--- openldap2.3-2.3.35/debian/slapd.links
+++ openldap2.3-2.3.35/debian/slapd.links
@@ -1,5 +1,8 @@
 usr/share/doc/slapd/examples/DB_CONFIG usr/share/slapd/DB_CONFIG
 usr/share/doc/slapd/examples/slapd.conf usr/share/slapd/slapd.conf
+usr/share/doc/slapd/examples/restrict_password.acl usr/share/slapd/110restrict_password.acl
+usr/share/doc/slapd/examples/base_read.acl usr/share/slapd/120base_read.acl
+usr/share/doc/slapd/examples/default.acl usr/share/slapd/900default.acl
 usr/sbin/slapd usr/sbin/slapacl
 usr/sbin/slapd usr/sbin/slapadd
 usr/sbin/slapd usr/sbin/slapauth
diff -u openldap2.3-2.3.35/debian/slapd.install openldap2.3-2.3.35/debian/slapd.install
--- openldap2.3-2.3.35/debian/slapd.install
+++ openldap2.3-2.3.35/debian/slapd.install
@@ -9,0 +10,2 @@
+debian/update-slapd-schemas usr/sbin/
+debian/update-slapd-acl usr/sbin/
diff -u openldap2.3-2.3.35/debian/slapd.default openldap2.3-2.3.35/debian/slapd.default
--- openldap2.3-2.3.35/debian/slapd.default
+++ openldap2.3-2.3.35/debian/slapd.default
@@ -25,6 +25,10 @@
 # Example usage:
 # SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
 
+# If set to "true" the update-slapd-{acl,schemas} scripts
+# will not check if the proper includes are in $SLAPD_CONF.
+NO_INCLUDE_CHECK=false
+
 # Additional options to pass to slapd and slurpd
 SLAPD_OPTIONS=""
 SLURPD_OPTIONS=""
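Review bot: /etc/default/slapd is a conffile, so on an upgraded system with a locally modified copy NO_INCLUDE_CHECK will simply not exist, and both consumers test it unquoted (`[ ${NO_INCLUDE_CHECK} != "true" ]` at L381 and L446), which turns into a malformed test rather than the documented default of false. The comment should say that only the literal lowercase `true` disables the check and that an unset variable behaves as false — which holds once the scripts use `[ "${NO_INCLUDE_CHECK:-false}" != "true" ]`.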
diff -u openldap2.3-2.3.35/debian/changelog openldap2.3-2.3.35/debian/changelog
only in patch2:
unchanged:
--- openldap2.3-2.3.35.orig/debian/update-slapd-schemas.8
+++ openldap2.3-2.3.35/debian/update-slapd-schemas.8
@@ -0,0 +1,28 @@
+.TH UPDATE-SLAPD-SCHEMAS 8 "Jul 2007"
+.SH NAME
+update-slapd-schemas \- Regenerate schemas.conf for slapd
+.SH SYNOPSIS
+.B update-slapd-schemas
+.SH DESCRIPTION
+This manual page documents briefly the
+.B update-slapd-schemas
+command.
+.PP
+.B update-slapd-schemas
+is a program that generates
+.B /etc/ldap/schemas.conf
+based on the files in \fB/etc/ldap/schemas-enabled\fR.
+.B update-slapd-schemas
+checks at startup if the current
+.B /etc/ldap/slapd.conf
+contains the proper includes and warns the user if that's not the case.
+.SH OPTIONS
+.B update-slapd-schemas
+accepts no options.
+.SH SEE ALSO
+.BR slapd.conf (5), /usr/share/slapd/README.Debian
+.SH AUTHOR
+update-slapd-schemas was written by Soren Hansen <soren at ubuntu.com>.
+.PP
+This manual page was written by Soren Hansen <soren at ubuntu.com>
+for Ubuntu (but may be used by others).
only in patch2:
unchanged:
--- openldap2.3-2.3.35.orig/debian/update-slapd-acl
+++ openldap2.3-2.3.35/debian/update-slapd-acl
@@ -0,0 +1,60 @@
+#!/bin/sh
+#
+# update-slapd-acl: utility to add/remove ACL files to/from slapd's config
+#
+# Author: Soren Hansen <soren at ubuntu.com>
+# Copyright (C) 2007 Canonical Ltd.
+#
+#    update-slapd-acl is free software; you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by the
+#    Free Software Foundation; either version 2 of the License, or (at your
+#    option) any later version.
+#
+#    update-slapd-acl is distributed in the hope that it will be useful, but
+#    WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+#    or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+#    for more details.
+#
+#    You should have received a copy of the GNU General Public License along
+#    with update-slapd-acl; if not, write to the Free Software Foundation,
+#    Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+
+test -f /etc/default/slapd && . /etc/default/slapd
+
+check_include() {
+	if ! grep -qxE 'include[[:space:]]*/etc/ldap/acl.conf' /etc/ldap/slapd.conf
+	then
+		echo
+		echo "WARNING: Your /etc/ldap/slapd.conf does not support"
+		echo "         update-ldap-acl. See /usr/share/doc/slapd/README.Debian"
+		echo "         for more information. You can disable this check by"
+		echo "         setting NO_INCLUDE_CHECK=true in /etc/default/slapd"
+	fi
+}
+
+if [ ${NO_INCLUDE_CHECK} != "true" ]
+then
+	check_include
+fi
+
+extraconf="/etc/ldap/acl.conf"
+confdir="/etc/ldap/acl.d"
+
+echo '#' > ${extraconf}
+echo '# This file is automatically generated by update-slapd-acl(8).' >> $extraconf
+echo '# Do not edit it by hand.' >> $extraconf
+echo '#' >> $extraconf
+
+if [ "`echo ${confdir}/*`" != "${confdir}/*" ]
+then
+	for acl in ${confdir}/*
+	do
+		if ! echo "$acl" | grep -qE '\.dpkg-(new|old)$'
+		then
+			echo "include ${acl}"
+		fi
+	done >> ${extraconf}
+fi
+
+exit 0
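Review bot: The script truncates /etc/ldap/acl.conf with `echo '#' > ${extraconf}` before it knows whether acl.d is readable or contains anything, so a failure between that line and the loop, or an unexpectedly empty directory, leaves slapd with an include that defines no ACLs — and a database with no access directives falls back to slapd's own default of read for everyone, taking the userPassword protection in 110restrict_password.acl with it. Generate into a temporary file and move it into place atomically, and consider refusing (non-zero exit, old file untouched) when the directory yields no includes; the trailing `exit 0` currently hides every such failure from the init script at L271. The glob at L394–L396 is also sorted under the caller's locale rather than the "ASCIIbetical" order the README promises, so set `LC_ALL=C` to pin the precedence the 110/120/900 prefixes rely on. The warning text at L375 additionally names a nonexistent `update-ldap-acl`.
```shell
LC_ALL=C; export LC_ALL
# … unchanged: sourcing /etc/default/slapd, check_include, NO_INCLUDE_CHECK test …
tmp=`mktemp /etc/ldap/acl.conf.XXXXXX` || exit 1
{
	echo '#'
	echo '# This file is automatically generated by update-slapd-acl(8).'
	echo '# Do not edit it by hand.'
	echo '#'
	for acl in "${confdir}"/*
	do
		[ -e "$acl" ] || continue
		case "$acl" in *.dpkg-new|*.dpkg-old) continue ;; esac
		echo "include ${acl}"
	done
} > "$tmp" || { rm -f "$tmp"; exit 1; }
chmod 0644 "$tmp" && mv -f "$tmp" "${extraconf}"
```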
only in patch2:
unchanged:
--- openldap2.3-2.3.35.orig/debian/update-slapd-schemas
+++ openldap2.3-2.3.35/debian/update-slapd-schemas
@@ -0,0 +1,60 @@
+#!/bin/sh
+#
+# update-slapd-schemas: utility to update list of included schemas in slapd.conf
+#
+# Author: Soren Hansen <soren at ubuntu.com>
+# Copyright (C) 2007 Canonical Ltd.
+#
+#    update-slapd-schemas is free software; you can redistribute it and/or
+#    modify it under the terms of the GNU General Public License as published
+#    by the Free Software Foundation; either version 2 of the License, or (at
+#    your option) any later version.
+#
+#    update-slapd-schemas is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+#    General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with update-slapd-schemas; if not, write to the Free Software
+#    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
+#    USA.
+
+test -f /etc/default/slapd && . /etc/default/slapd
+
+check_include() {
+	if ! grep -qxE 'include[[:space:]]*/etc/ldap/schemas.conf' /etc/ldap/slapd.conf
+	then
+		echo
+		echo "WARNING: Your /etc/ldap/slapd.conf does not support"
+		echo "         update-ldap-schemas. See /usr/share/doc/slapd/README.Debian"
+		echo "         for more information. You can disable this check by"
+		echo "         setting NO_INCLUDE_CHECK=true in /etc/default/slapd"
+	fi
+}
+
+if [ ${NO_INCLUDE_CHECK} != "true" ]
+then
+	check_include
+fi
+
+extraconf="/etc/ldap/schemas.conf"
+confdir="/etc/ldap/schemas-enabled"
+
+echo '#' > ${extraconf}
+echo '# This file is automatically generated by update-slapd-schemas(8).' >> $extraconf
+echo '# Do not edit it by hand.' >> $extraconf
+echo '#' >> $extraconf
+
+if [ "`echo ${confdir}/*`" != "${confdir}/*" ]
+then
+	for schema in ${confdir}/*
+	do
+		if ! echo "$schema" | grep -qE '\.dpkg-(new|old)$'
+		then
+			echo "include ${schema}"
+		fi
+	done >> ${extraconf}
+fi
+
+exit 0
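Review bot: `[ ${NO_INCLUDE_CHECK} != "true" ]` on L446 is unquoted, so when /etc/default/slapd predates this patch (it is a conffile and a locally edited copy is kept on upgrade) the variable is unset, the test degenerates to `[ != "true" ]`, the shell reports an error and check_include is skipped — the opposite of the documented default. Write `[ "${NO_INCLUDE_CHECK:-false}" != "true" ]`. The same unquoted test and the same truncate-then-fill pattern (`echo '#' > ${extraconf}` before the loop) appear in update-slapd-acl; here a half-written schemas.conf costs availability rather than confidentiality, but an atomic temp-file-and-mv write is cheap in both. The warning text at L440 also names a nonexistent `update-ldap-schemas`.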
only in patch2:
unchanged:
--- openldap2.3-2.3.35.orig/debian/acl.d/default.acl
+++ openldap2.3-2.3.35/debian/acl.d/default.acl
@@ -0,0 +1,6 @@
+# The admin dn has full write access, everyone else
+# can read everything.
+access to *
+        by dn="@ADMIN@" write
+        by * read
+
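Review bot: `by * read` grants every bind, anonymous included, read access to the whole database, and now that the stanza is a drop-in its reach depends on sort order: slapd uses the first `access to` clause whose target matches, so anything in acl.d that sorts before `900` and matches the same entries wins over this one. That is the intended catch-all position, but the file says nothing about it. Suggest replacing the two-line header with a comment that names the 900 prefix as the deliberate last position, states that anonymous read is included, and points a stricter default at a lower-numbered drop-in rather than an edit of the template in /usr/share/slapd.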
only in patch2:
unchanged:
--- openldap2.3-2.3.35.orig/debian/acl.d/restrict_password.acl
+++ openldap2.3-2.3.35/debian/acl.d/restrict_password.acl
@@ -0,0 +1,12 @@
+# The userPassword by default can be changed
+# by the entry owning it if they are authenticated.
+# Others should not be able to see it, except the
+# admin entry below
+# These access lines apply to database #1 only
+access to attrs=userPassword,shadowLastChange
+        by dn="@ADMIN@" write
+        by anonymous auth
+        by self write
+        by * none
+
+
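Review bot: "except the admin entry below" and "These access lines apply to database #1 only" were true inside slapd.conf but are stale in a stand-alone drop-in: the admin clause is the next line, and which database the stanza governs is decided by where the caller places `include /etc/ldap/acl.conf`. More important for the 110 prefix: slapd stops at the first `access to` whose target matches, so any acl.d file that sorts before `110` and covers `*` or userPassword overrides this protection, and nothing here tells a packager to number their drop-ins higher. Suggested header line: `# Must sort first (110): a lower-numbered drop-in that matches userPassword takes precedence and can expose password hashes.`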
only in patch2:
unchanged:
--- openldap2.3-2.3.35.orig/debian/acl.d/base_read.acl
+++ openldap2.3-2.3.35/debian/acl.d/base_read.acl
@@ -0,0 +1,11 @@
+# Ensure read access to the base for things like
+# supportedSASLMechanisms.  Without this you may
+# have problems with SASL not knowing what
+# mechanisms are available and the like.
+# Note that this is covered by the 'access to *'
+# ACL below too but if you change that as people
+# are wont to do you'll still need this if you
+# want SASL (and possible other things) to work 
+# happily.
+access to dn.base="" by * read
+
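Review bot: "the 'access to *' ACL below" no longer refers to anything in this file; the catch-all lives in 900default.acl and is only "below" by virtue of the 120/900 sort order in acl.d. Rewrite that part of the comment to name the file: `# Also covered by 'access to *' in 900default.acl; keep this stanza if you tighten that one, or SASL mechanism discovery breaks.`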
only in patch2:
unchanged:
--- openldap2.3-2.3.35.orig/debian/update-slapd-acl.8
+++ openldap2.3-2.3.35/debian/update-slapd-acl.8
@@ -0,0 +1,28 @@
+.TH UPDATE-SLAPD-ACL 8 "Jul 2007"
+.SH NAME
+update-slapd-acl \- Regenerate acl.conf for slapd
+.SH SYNOPSIS
+.B update-slapd-acl
+.SH DESCRIPTION
+This manual page documents briefly the
+.B update-slapd-acl
+command.
+.PP
+.B update-slapd-acl
+is a program that generates
+.B /etc/ldap/acl.conf
+based on the files in \fB/etc/ldap/acl.d\fR.
+.B update-slapd-acl
+checks at startup if the current
+.B /etc/ldap/slapd.conf
+contains the proper includes and warns the user if that's not the case.
+.SH OPTIONS
+.B update-slapd-acl
+accepts no options.
+.SH SEE ALSO
+.BR slapd.conf (5),
+.SH AUTHOR
+update-slapd-acl was written by Soren Hansen <soren at ubuntu.com>.
+.PP
+This manual page was written by Soren Hansen <soren at ubuntu.com>
+for Ubuntu (but may be used by others).

