summaryrefslogtreecommitdiffstats
path: root/debian/slapd.config
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-06 01:23:54 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-06 01:23:54 +0000
commitfe2751bf1e0388ddfa3fdfa88ed70b2bc94e2173 (patch)
tree5f743c2fcc2c85b0363602a14ac3753bc5a19abc /debian/slapd.config
parentAdding upstream version 2.4.47+dfsg. (diff)
downloadopenldap-debian.tar.xz
openldap-debian.zip
Adding debian version 2.4.47+dfsg-3+deb10u7.debian/2.4.47+dfsg-3+deb10u7debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--debian/slapd.config169
1 files changed, 169 insertions, 0 deletions
diff --git a/debian/slapd.config b/debian/slapd.config
new file mode 100644
index 0000000..8225b77
--- /dev/null
+++ b/debian/slapd.config
@@ -0,0 +1,169 @@
+#! /bin/sh
+
+set -e
+
+# Load debconf
+. /usr/share/debconf/confmodule
+
+# This will be replaced with debian/slapd.scripts-common which includes
+# various helper functions and $OLD_VERSION and $SLAPD_CONF
+#SCRIPTSCOMMON#
+
+# Check if the user wants to configure slapd manually
+want_manual_configuration() {
+ db_input medium slapd/no_configuration || true
+ db_go || true
+ db_get slapd/no_configuration
+ no_configuration="$RET"
+
+ if [ "$no_configuration" = "true" ]; then
+ return 0
+ fi
+ return 1
+}
+
+# Make sure the values entered make sense
+validate_initial_config() {
+ local invalid
+ invalid=""
+
+ # Make sure the domain name is valid
+ # The regexp doesn't work for UTF-8 domain names, but for that to
+ # work, we would also need to Base64 encode it in the LDIF; since
+ # we're not doing it at the moment, this should be fine for now
+ db_get slapd/domain
+ if [ -z "$RET" ] || ! echo "$RET" | grep -q '^[a-zA-Z0-9.-]*$'; then
+ db_fset slapd/domain seen false
+ invalid=true
+ fi
+
+ # Suffix and Organization may not be empty
+ db_get shared/organization
+ if [ -z "$RET" ]; then
+ db_fset shared/organization seen false
+ invalid=true
+ fi
+
+ # Make sure the passwords match
+ local pass1 pass2
+ db_get slapd/password1
+ pass1="$RET"
+ db_get slapd/password2
+ pass2="$RET"
+
+ if [ "$pass1" != "$pass2" ]; then
+ db_fset slapd/password1 seen false
+ db_fset slapd/password2 seen false
+ invalid=true
+ fi
+
+ # Tell the user
+ if [ "$invalid" ]; then
+ db_fset slapd/invalid_config seen false
+ db_input critical slapd/invalid_config || true
+ db_go || true
+ db_get slapd/invalid_config
+ if [ "$RET" != "true" ]; then
+ db_set slapd/no_configuration true
+ invalid=
+ fi
+ fi
+
+ if [ "$invalid" ]; then
+ return 1
+ else
+ return 0
+ fi
+}
+
+# Query the information we need to create an initial directory
+query_initial_config() {
+ while true; do
+ db_input medium slapd/domain || true
+ db_input medium shared/organization || true
+ db_input high slapd/password1 || true
+ db_input high slapd/password2 || true
+ db_input low slapd/backend || true
+ db_input low slapd/purge_database || true
+ # XXX - should be done more general, but for now this should do
+ # the trick
+ if [ -e "/var/lib/ldap" ] && ! is_empty_dir /var/lib/ldap; then
+ db_input low slapd/move_old_database || true
+ fi
+ db_go || true
+
+ if validate_initial_config; then
+ break
+ fi
+ done
+}
+
+# ----- Configuration of LDIF dumping and reloading--------------------- {{{
+#
+# Dumping the database can have negative effects on the system we are
+# running on. If there is a lot of data dumping it might fill a partition
+# for example. Therefore we must give the user exact control over what we
+# are doing.
+
+configure_dumping() { # {{{
+# Ask the user for the configuration of the dumping component
+# Usage: configure_dumping
+
+ # Look if the user wants to migrate to the BDB backend
+ if ! database_dumping_enabled; then
+ return 0
+ fi
+
+ # Configure if and where to dump the LDAP databases
+ db_input medium slapd/dump_database || true
+ db_go || true
+ db_get slapd/dump_database
+
+ # Abort if the user does not want dumping
+ if [ "$RET" = never ]; then
+ return 0
+ fi
+
+ db_input medium slapd/dump_database_destdir || true
+ db_go || true
+
+ # If the user entered the empty value, go back to the default
+ db_get slapd/dump_database_destdir
+ if [ "$RET" = "" ]; then
+ db_reset slapd/dump_database_destdir
+ fi
+}
+
+# }}}
+# }}}
+
+warn_about_selfwrite_acl() { # {{{
+# Warn about databases having an acl beginning with "to * by self
+# write", installed by default in previous versions of slapd.init.ldif
+# but having possible security implications.
+ if [ -d "$SLAPD_CONF" ]; then
+ if grep -q '^olcAccess: {[0-9]*}to \* by self write' \
+ "$SLAPD_CONF"/cn\=config/olcDatabase*.ldif 2>/dev/null; then
+ db_input high slapd/unsafe_selfwrite_acl || true
+ fi
+ fi
+}
+# }}}
+
+# Create an initial directory on fresh install
+if is_initial_configuration "$@"; then
+ if ! want_manual_configuration; then
+ set_defaults_for_unseen_entries
+ query_initial_config
+ fi
+fi
+
+# Configure the dumping component if we are upgrading some older version.
+if [ "$1" = configure ] && [ -n "$2" ]; then
+ configure_dumping
+ warn_about_selfwrite_acl
+fi
+
+db_go || true
+
+exit 0