#! /bin/sh set -e # Load debconf . /usr/share/debconf/confmodule # This will be replaced with debian/slapd.scripts-common which includes # various helper functions and $OLD_VERSION and $SLAPD_CONF #SCRIPTSCOMMON# # Check if the user wants to configure slapd manually want_manual_configuration() { db_input medium slapd/no_configuration || true db_go || true db_get slapd/no_configuration no_configuration="$RET" if [ "$no_configuration" = "true" ]; then return 0 fi return 1 } # Make sure the values entered make sense validate_initial_config() { local invalid invalid="" # Make sure the domain name is valid # The regexp doesn't work for UTF-8 domain names, but for that to # work, we would also need to Base64 encode it in the LDIF; since # we're not doing it at the moment, this should be fine for now db_get slapd/domain if [ -z "$RET" ] || ! echo "$RET" | grep -q '^[a-zA-Z0-9.-]*$'; then db_fset slapd/domain seen false invalid=true fi # Suffix and Organization may not be empty db_get shared/organization if [ -z "$RET" ]; then db_fset shared/organization seen false invalid=true fi # Make sure the passwords match local pass1 pass2 db_get slapd/password1 pass1="$RET" db_get slapd/password2 pass2="$RET" if [ "$pass1" != "$pass2" ]; then db_fset slapd/password1 seen false db_fset slapd/password2 seen false invalid=true fi # Tell the user if [ "$invalid" ]; then db_fset slapd/invalid_config seen false db_input critical slapd/invalid_config || true db_go || true db_get slapd/invalid_config if [ "$RET" != "true" ]; then db_set slapd/no_configuration true invalid= fi fi if [ "$invalid" ]; then return 1 else return 0 fi } # Query the information we need to create an initial directory query_initial_config() { while true; do db_input medium slapd/domain || true db_input medium shared/organization || true db_input high slapd/password1 || true db_input high slapd/password2 || true db_input low slapd/backend || true db_input low slapd/purge_database || true # XXX - should be done more general, but for now this should do # the trick if [ -e "/var/lib/ldap" ] && ! is_empty_dir /var/lib/ldap; then db_input low slapd/move_old_database || true fi db_go || true if validate_initial_config; then break fi done } # ----- Configuration of LDIF dumping and reloading--------------------- {{{ # # Dumping the database can have negative effects on the system we are # running on. If there is a lot of data dumping it might fill a partition # for example. Therefore we must give the user exact control over what we # are doing. configure_dumping() { # {{{ # Ask the user for the configuration of the dumping component # Usage: configure_dumping # Look if the user wants to migrate to the BDB backend if ! database_dumping_enabled; then return 0 fi # Configure if and where to dump the LDAP databases db_input medium slapd/dump_database || true db_go || true db_get slapd/dump_database # Abort if the user does not want dumping if [ "$RET" = never ]; then return 0 fi db_input medium slapd/dump_database_destdir || true db_go || true # If the user entered the empty value, go back to the default db_get slapd/dump_database_destdir if [ "$RET" = "" ]; then db_reset slapd/dump_database_destdir fi } # }}} # }}} warn_about_selfwrite_acl() { # {{{ # Warn about databases having an acl beginning with "to * by self # write", installed by default in previous versions of slapd.init.ldif # but having possible security implications. if [ -d "$SLAPD_CONF" ]; then if grep -q '^olcAccess: {[0-9]*}to \* by self write' \ "$SLAPD_CONF"/cn\=config/olcDatabase*.ldif 2>/dev/null; then db_input high slapd/unsafe_selfwrite_acl || true fi fi } # }}} # Create an initial directory on fresh install if is_initial_configuration "$@"; then if ! want_manual_configuration; then set_defaults_for_unseen_entries query_initial_config fi fi # Configure the dumping component if we are upgrading some older version. if [ "$1" = configure ] && [ -n "$2" ]; then configure_dumping warn_about_selfwrite_acl fi db_go || true exit 0